Jan 04 2013

Controls against industrial Malware

Category: MalwareDISC @ 11:43 pm

Malicious software is called a malware and malware may include viruses, worms and trojans. A virus is a piece of code which is capable of replicating itself and mainly it depends on a host file (a document) to reach its target. However worm does not rely on the host file to reach the target but it does replicate. Main property of Trojan is concealment of code and ultimately used to get control of target system.

Modern day malware Stuxnet can manipulate Programmable Logic Controllers (PLCs) of critical infrastructure. Industrial Control System (ICS), SCADA, and manufactruing insdutry infrastructure is controled by the PLCs. Another malware, named Duqu, Flame by its discoverers, is similar to Stuxnet in many respects. Like modern trojans Duqu communicates with a command and control server in encrypted form which gives you an idea of sophistication to develop this malware. In the past year the discovery of the Stuxnet malware – and subsequently of the Flame, Duqu and most recently Gauss malware – has brought the issue of state-sponsored cyberwarfare into sharp focus in security community which are simply known as modern day (WMD) weapon of mass destruction.

The discovery of these modern day malware caused an uproar among the security community when it was found that these malware had been specifically designed as a highly targeted industrial espionage tool. Perhaps this create a frenzy out there to deveop these kind of tools but that bring out some questions which I’m unable to answer. Is it legal for a state to develop these tools? Is it legal for a state to use these tools in offense? do we have any international charter on the legality of these tools, otherwise Stuxnet, Duqu and Flame may set a wrong legal precedence of what’s good for the goose is good for the gander.

Main sources of malware infection may be USB drive, CD Rom, internet and unaware users but basically malware can install itself on your computer by simply visiting an infected/implanted website (pirated software, web sites with illegal content)

An organization should perform a comprehensive risk assessment on their malware policy to determine if they will accept the risk of adobe attachment and other executable files to pass through their perimeter gateway. Organization may need to consider all the possible sources of malware threats in their risk assessment which may include but not limited to spyware.

Malware Controls:
• High level formal malware policy and procedure. There should be a formal policy and procedure for USB drives if risk assessment determines that USB drive risk is not acceptable to business. Then there is a need to implement a control (policy, procedure, technical or training) or multiple of these controls to mitigate this risk to acceptable level.
• Anti-Virus policy which makes it mandatory to install, and signature file updates should take place on a regular interval (daily)
• Patch policy for all the latest patches, fixes and service packs that are published by the vendors
• Regular audit or review of anti-malware software and data file on the system
• All email attachment, software downloads should be checked for malware at the perimeter and adobe attachment and executable treated based on the risk assessment (drop, pass)
• User awareness training to possible infected email, spyware and infected website
• There should be a business continuity plan to recover from a possible malware attack

Related Books

Malware Titles from DISC InfoSec Store
Anti-Malware Software from DISC Infosec store
Anti-Virus software from DISC InfoSec Store
Anti-Malware Titles from eBay

Free Online Virus Scan

Norton Virus Scan | McAfee Virus Scan | Analyze suspicious files

Tags: anti virus, Malicious Software, Malware, Security, Spyware and Adware, trojan, Trojan Horses, Viruses


Mar 26 2009

Conficker C worm and April fool

Category: MalwareDISC @ 3:24 pm

My creation! (APRIL FOOL)
Image by david ian roberts via Flickr

Worm like conficker is a digital time bomb which is hard coded to trigger on April 1 (April fool’s day). Antivirus companies are doing their best to minimize the impact of conficker worm. Conficker first variant was introduced few months back and have already caused significant amount of damage to businesses. Conficker is using MD6 hash algorithm, first known case where this new algorithm has been used. Across the globe, there are about 15 million computer infected with conficker worm.

“In computer, a worm is a self replicating virus that does not alter files but resides in active memory and duplicates itself”

This happens to be third variant of conficker in the wild which is named “conficker c” which pose a significant threat to businesses and security expert are still trying to figure out the potential impact of this worm. In new variant, the worm has tendency to morph into something else which makes it harder for antivirus software to detect it. What is known about this worm so far is that at a predefined time on April 1st the infected machine will execute the worm which will be later be exploited by the worm originator. The originator or controller of the worm will control the infected machines and it’s anybody’s guess right now what commands will be given to these zombies. It can be to steal private and personal information, spam, DDoS, or simply wipe the infected machine hard drive. Also bad guys don’t have to give the commands to zombie machines on April 1st, it can be any time after April 1st.

Possible countermeasures:
• Keep up-to-date patches (Microsoft Ms08-067 security update)
• Keep antivirus signature files up-to-date (latest DAT)
• Disable Auto run
• Try different antivirus software to verify and take advantage of McAfee free online scan services
Free Sophos Conficker clean-up tool
• Make sure your machine is not infected with “conficker c” then you don’t have to worry about April 1st

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of the conficker worm’s makers.

[TABLE=12]

httpv://www.youtube.com/watch?v=YqMt7aNBTq8

Reblog this post [with Zemanta]

Tags: Antivirus software, April Fools Day, conficker, Malicious Software, McAfee, Microsoft, Security, Viruses