SECUREVIEW

SKELETON KEYS: Modern Day Keylogging Techniques
THE EXPERTS COMMENT
MAJOR POSSIBLE THREATS OF 2010: More widespread and more complex
NEWS
Breakthroughs and trends in the IT security industry 4-7

REPORT
Infosecurity Europe: Catch up on all the latest developments from London 8-9

TOP STORY
Skeleton Keys: Everything you should know about current keylogging techniques 10-15

ANALYTICS
The Sound of Deception: Modern Internet fraud 16-19
The Downside of Ubiquity: Vulnerabilities in Adobe software 20-23
A New Round of Confrontation: Fighting crimeware 24-27

TECHNOLOGY
Somewhere Between Black and White: Whitelisting technology uncovered 28-31

FORECASTS
More Widespread and More Complex: Threatscape 2010 32-34

INTERVIEW
Challenging Rootkits: Complex threats of today and tomorrow, by Vyacheslav Rusakov 36

Dear Readers,

I am very pleased to be able to bring you the first issue of SECUREVIEW, a magazine dedicated to all aspects of the IT security industry. We hope that you will find it interesting and informative and we look forward to receiving your feedback.

The News section at the beginning of our magazine will bring you right up to date with all the latest trends and exciting discoveries in the field of information security. There will be reports from recently held conferences and exhibitions, many of which will set the course for the industry's development in the year ahead.

In this issue our Top Story is dedicated to the important subject of the theft of personal data using keyloggers, something that will be of particular interest to representatives of the corporate sector. In the coming issues we will be bringing you detailed analyses of the hottest topics in the industry, reflecting the interests of users right across the board.

In our Analytics column some of the world's leading experts and journalists will share the results of their research into the field of digital safety with you, examining the burning issues of the day and providing solutions to those IT security problems so often encountered by people in the field.

Technological knowhow is very important for the IT security industry and that is why in every issue our Technology section will cover the most interesting solutions from the last few years that we think have seriously influenced the computer security market. Then there's our Forecasts section, which we are confident will appeal to a very wide audience.

Finally, for dessert we'll be putting the industry's experts in the hotseat and getting their responses to some pretty tough computer security related questions in our Interview section.

We hope that the topics covered in this first issue of our magazine will appeal to you and most importantly, if you are working within the industry, we hope that you will be inspired to share your own knowledge and experiences with our readers – we always welcome new authors. You will be rewarded for your efforts and interesting articles will definitely be published! Please, contact us at: editorial@secureviewmag.com, to leave feedback, submit an article, or tell us what topics you would like to see covered in the future.

See you next issue!

Alexander Ivanyuk
Editor-in-Chief
SECUREVIEW Magazine, 3rd Quarter 2010
Editor-in-Chief: Alexander Ivanyuk
Editor: Darya Skilyazhneva
Design: Svetlana Shatalova, Roman Mironov
Production Assistants: Rano Kravchenko, Ryan Naraine
Editorial matters: editorial@secureviewmag.com, http://www.secureviewmag.com
The opinion of the Editor may not necessarily agree with that of the author.
NEWS

Cracking 56-bit DES

Pico Computing based in Seattle, Washington, announced that it has achieved the highest-known benchmark speeds for 56-bit DES decryption. The company reported a throughput of over 280 billion keys per second achieved with the use of a single, hardware-accelerated server. The FPGA computing platform assembled for this demonstration was based on 11 Pico EX-Series cards, and fits into a single off-the-shelf 4U server.

The massively parallel DES cracking algorithm used brute force methods to analyze the entire DES 56-bit key-space. It iteratively decrypted fixed-size blocks of data to find keys that decrypt into ASCII numbers. This technique is often used for recovering the keys of encrypted files containing known types of data. The candidate keys that are found in this way can then be more thoroughly tested to determine which candidate key is correct.

The 56-bit Data Encryption Standard (DES) is now considered obsolete, having been replaced by newer and more secure Advanced Encryption Standard (AES) encryption methods. Nonetheless DES continues to serve an important role in cryptographic research and in the development and auditing of current and future block-based encryption algorithms.

Source: www.picocomputing.com

The 25 Most Dangerous Programming Errors

The 'Common Weakness Enumeration' initiative from the non-profit MITRE Corporation includes its 2010 list of the 25 most dangerous programming errors. The list is compiled by more than 50 experts from such respected IT-organizations as The SANS Institute, RSA, Red Hat, Sun, Microsoft and others.

Table 1. 'SANS/MITRE's Top 25 Most Dangerous Programming Errors'
1 Failure to preserve web page structure ('Cross-site Scripting')
2 Improper sanitization of special elements used in an SQL command ('SQL Injection')
3 Buffer copy without checking size of input ('Classic Buffer Overflow')
4 Cross-site request forgery (CSRF)
5 Improper access control (Authorization)
6 Reliance on untrusted inputs in a security decision
7 Improper limitation of a pathname to a restricted directory ('Path Traversal')
8 Unrestricted upload of file with dangerous type
9 Improper sanitization of special elements used in an OS command ('OS Command Injection')
10 Missing encryption of sensitive data
11 Use of hard-coded credentials
12 Buffer access with incorrect length value
13 Improper control of filename for include/require statement in PHP program ('PHP File Inclusion')
14 Improper validation of array index
15 Improper check for unusual or exceptional conditions
16 Information exposure through an error message
17 Integer overflow or wraparound

Unsecured Android

Israeli scientists from the Ben-Gurion University reviewed the security system of the prospective Android software framework from Google. The researchers defined the main threats, high-risk vulnerabilities, existing protection tools and relevant security solutions.

The incorporation of integrated Internet services on mobile devices increases their exposure to damage inflicted by various types of malware. The risk is amplified by the fact that as a smartphone, Android devices are expected to handle personal data and provide PC-compliant functionality, thereby exposing the user to all the attacks that threaten users of personal computers.

Google Android is a comprehensive piece of software for mobile communication devices. The Android framework includes an operating system, middleware and a set of key applications. The review indicates that the security mechanisms embedded in Android address a broad range of security threats. Google has implemented the Portable Operating System Interface (POSIX) which gives each application a user ID; this prevents different applications from affecting each other. Setting each application as a different user prevents one application from accessing the files and signals from another and distributes the selected kernel's CPU consumption evenly by default. Additional security features are provided through the permission-granting mechanism that enforces restrictions on the specific operations that a particular application can perform. Signing applications is another significant security feature.

The authors also looked at what additional security mechanisms could be applied on Android-based handsets, such as porting SELinux into Android and activating a security policy, enabling a net-filter-based firewall and an Intrusion Detection System based on anomaly detection (termed Andromaly), etc.

The scientists identified five high-risk threats that need attention. The main security issue that they raised is the fact that Android is an open-source platform whose source code was published after the first Android-powered devices were released onto the market. This increased the chance of revealing vulnerabilities in low-level components (such as in the Linux kernel, core libraries or the Dalvik virtual machine). Moreover, several vulnerabilities were identified in the Android permission mechanism which greatly increases the risk of malware infection.

The researchers proposed several security mechanisms that can mitigate these high-risk threats. It is highly important to incorporate a mechanism, such as the SELinux access control system, that can prevent potential damage resulting from an attack on the Linux kernel layer. Also, better protection should be added for strengthening the Android permission mechanism and for detecting the misuse of granted permissions. The authors subsequently gave highest priority to such things as the SELinux tools, a firewall, Intrusion Detection System, Automated Static Analysis and Code Verification and the Context Aware Access Control solutions. They placed Data Encryption and the Selective Android Permission systems lower down the list of priorities.

Source: http://arxiv.org/ftp/arxiv/papers/0912/0912.5101.pdf

Jigsaw Puzzles

Scientists from South Korea, the USA and India have invented a novel scheme for securing the transfer of data across computer networks. The typical security method for preventing data from falling into the wrong hands is by the use of encryption. However, the [...]

[...] together, these parts become the original piece of data again, but only if they are reassembled in a particular way, just like a jigsaw puzzle. The correct method for reassembling the pieces is known only to the recipient for whom the data is intended. Any unauthorized [...]

THREATS: THE EXPERTS COMMENT
SECUREVIEW, 3rd quarter 2010, www.secureviewmag.com (pages 4-5)
REPORT | Infosecurity Europe 2010

Security defies the ash clouds

Article by Elmar Török

The Infosecurity Europe 2010 event attracted a huge number of visitors despite the chaos to European airspace caused by the eruption of the Icelandic volcano. This year the focus was on data loss, Cloud Security and Web 2.0. There were very many popular exhibition stands at this year's event, but the thing that really seemed to pull in the crowds were the various workshops and presentations that covered everything from the latest industry technologies through to business strategy.

There was no mistaking the result of this particular match: Infosecurity Europe 1 - Ash cloud 0! Despite all the disruption to the airspace over Europe, the UK's most important security event, now in its 15th year, drew in a record number of exhibitors and visitors. Over 12,500 eager attendees turned up to take advantage of what was on offer from the event's 324 exhibitors. Many of the visitors were drawn by the quantity of very well-known and respected speakers delivering the keynote speeches and holding workshops, not to mention the fact that a number of companies chose the event to make some pretty major announcements. Among them were Symantec who announced the purchase of encryption company PGP and GuardianEdge for a cool $370 million [US]. Two lectures in particular garnered a great deal of attention: Pricewaterhouse Coopers (PwC) announced the results of their study on data loss, whilst David Smith, Deputy Commissioner for the Information Commissioner's Office (ICO), announced tougher penalties for the loss of customer data.

CONCEPT: EXHIBITION AND LECTURES

As they have in previous years, the organizers of Infosecurity 2010 pursued a two-tier approach. The central exhibition hall was the venue for the 324 exhibiting companies, with booths designed to allow visitors and company representatives to hold discussions away from all the hustle and bustle. Both sides, exhibitors and visitors, rated the layout very highly. Nina Malchus, Director of Publishing for SecuMedia and a regular at the event gave her impression of the exhibition hall: "The hall is very busy and makes a big impression on the visitor. There is an awful lot to see, observe and experience, but it's possible to get round everything in a good day." David Tomlinson, Managing Director of Data Encryption Systems was similarly impressed. "Our booth was visited by many visitors who were very keen to do business. The event is an ideal place to meet new clients." Analysts confirm that impression. Nigel Stanley, Practice Leader of IT Security at Bloor Research said, "As an analyst I feel that Infosecurity Europe is the most important event of the year. It's here that you meet with the manufacturers and get to know about all the latest industry trends. For me, it is certainly time well spent." That the event draws such large numbers of visitors and manufacturers is due to both the professionalism of Claire Sellick, Event Director for Infosecurity Europe, and the greatly increased threat levels existing in the field of IT security these days. After several years of relative stagnation, British firms are now facing a punishing new wave of cyberattacks, the impact of which is estimated to be in excess of £10 billion [Sterling] per year. "This raises awareness of IT security management quite considerably," Sellick is convinced.

OPENING KEYNOTE TARGETS DATA LOSS

In his keynote address, David Smith, Deputy Commissioner for the Information Commissioner's Office (ICO) painted the following picture: "In little more than two years, 960 instances of data loss were recorded, that averages out to about 30 per month," said Smith. According to his information, the UK's National Health Service (NHS) alone accounted for about 30 percent of the total. He believes that "It is very probable that in the nearest future it will be a legal requirement in the United Kingdom to notify the authorities of any data losses." Even a study by Pricewaterhouse Coopers had little to report that offered any hope. A worrying 92 percent of all large enterprises suffered a security incident or data loss last year. The study, 'A Survey of Information Security Breaches', found that cybercriminals were themselves becoming increasingly organized along traditional business lines and this is driving a demand from industry for adequate means of protection. However, many enterprises remain woefully unprepared or only partially ready to meet the incumbent threat.

For many visitors to Info Security 2010, the workshops on offer were the real highlight. The organizers divided the event into three sections: keynotes, business strategy and technology. The business strategy presentations earned consistent praise. With their limited duration of 45 minutes they were ideally suited to visitors who wanted to grab as much information as possible in a short space of time. The audience very much appreciated the fact that the sessions were not usurped for the purposes of marketing and sales. Ian Mann's talk on Social Engineering came in for particularly high praise. The author of 'Hacking the Human' provided several amusing anecdotes in which he explained why the human animal sitting in front of the screen is the biggest security risk for most companies.

EUGENE KASPERSKY ENTERS THE IT HALL OF FAME

Much applause was also heaped upon the keynote 'Cyber Warfare - War Stories from the Front Lines'. The long queues outside the entrance were a surefire indication that something special was about to take place there. What the two speakers, Marc Kirby and Sean Hanna, subsequently delivered was probably the most entertaining and exciting event of Infosecurity Europe 2010. Eugene Kaspersky, CEO of Kaspersky Labs also took to the stage to share his vision of what the future might hold in terms of IT technologies. According to Eugene, in the future the smartphone will be king, with everybody owning and using one. Kaspersky, who during Infosec 2010 was inducted into the Hall of Fame, stated emphatically that the world will see an explosion in the development of hardware and software for smartphones. "I believe that in the nearest future, smartphones will have enough memory and computing power to hold all our personal data, as well as movies, pictures and other information," he stated. "There will be no reason to use a computer any more. Why would you? All you need is a keyboard, a screen and a network connection." Such a revolution would increase the attacks on mobile devices considerably. However, these are far easier to protect against due to the centralized nature of the providers' infrastructure.

As evidenced by the continuing increase in visitor and exhibitor numbers, Infosecurity Europe is very much on the right track. Claire Sellick sees the growing success of the event as being due to companies realizing that IT security is now an essential prerequisite for new and profitable products and services. Events like this that bring together suppliers and customers so that each may appreciate the wishes and expectations of the other will no doubt shape the future of the IT industry. Sellick stated that 82 percent of the stands available for Infosecurity Europe 2011 have already been booked.

Elmar Török has been working in the IT-Industry since 1989. He became an author and technical journalist in 1993 while studying electrical engineering in Munich and Kempten. Since then he has written hundreds of articles for just about every major computer and networking publication in Germany. Elmar specialises in IT-Security and storage issues, has a solid knowledge of server-related topics and knows his way around virtualization. He is the Editor-in-Chief of the security periodical "Infodienst IT-Grundschutz" and is involved in the final acceptance process of new material for the IT-Grundschutz Catalogues of the Federal Office for Information Security.

David Smith, Deputy Commissioner for the Information Commissioner's Office, during his keynote
Earls Court: The Place to be for Infosecurity Europe 2010
Where Products and News Abound: Companies present their wares in the exhibition hall
TOP STORY | Keyloggers

Article by Oleg Zaitsev, Chief Technology Expert at Kaspersky Lab

[...] the market is rich in espionage technologies, of which some are free and others are not. The largest demand within this market is for keyloggers.

The first Keyloggers appeared a very long time ago. During the MS DOS era at the end of the 80s and the beginning of the 90s there were a huge amount of keyloggers about, most of which were written in assembly language and used the INT9h interrupt and INT16h capture. Along with the development and distribution of Windows came the Windows keyloggers. Their creation was made simpler by the fact that the Windows GUI already included a standard keyboard event capture mechanism and keyloggers based on this system were very simple and contained no more than thirty to fifty lines of code. Additionally, such Windows features as multitasking and multi-window application interfaces have made the spies' task wider. In order to simplify protocol analyses, today's data spies have to determine to which window and which particular application an input belongs. They can track a user's Internet activity, trace IM correspondence, take screenshots of the display and the active windows and perform a whole host of similar nefarious actions, right up to secretly activating the microphone and webcam. As a result, the majority of modern keyloggers could more accurately be described as 'universal loggers' or 'universal spies'. It should be noted that most modern keyloggers will actively disguise their presence on a system, usually with the help of rootkit technologies.

THE PURPOSE OF KEYLOGGERS AND THEIR FIELDS OF APPLICATION

The main purpose of any keylogger is to secretly record all of the keystrokes made by the user. The recorded information usually relates to whatever is happening in the active window. It is important for protocol analysis as a Windows user may randomly change the active window a number of times. Another thing that has to be borne in mind when working with text in present-day applications is the possible use of the Windows clipboard. Thus a keylogger has to keep track of the clipboard contents and incorporate it into the protocol when a 'paste' command is detected. The protocol recorded during a keylogging session then has to be analyzed either automatically or by the person who installed the keylogger for the purposes of recovering the desired data. Typically this will include passwords, account and credit card login credentials or specific behavior, such as the entry of data into a password field or form on a given website.

Statistically keyloggers are more often than not used as follows:

• Domestic usage: parents spy on children; husbands and wives spy on each other, etc. In this situation we are talking about the home PC, where installing a keylogger and analyzing its protocol is relatively easy.
• In a business environment keyloggers can be used for different tasks:
□ It can be used by an insider as an instrument to secretly spy on their colleagues. The worst scenario is when the insider is a member of the IT department, which allows them to install a keylogger on a user's computers and gain access to the recorded data later on without any problems.
□ A security department may install keyloggers to spy on users for any number of reasons: the detection of improper PC use, the collection of data in internal investigations, the monitoring of users' correspondence and IM traffic, etc.
□ A keylogger can be an espionage device when installed onto a rival's system by a competitor.
• Keyloggers can be used by private detective agencies, special services and criminal organizations as a means of spying on users.
• Keyloggers can be part of a malware program and can be used for the detection of passwords, credit card numbers and other such important information. This type of keylogger can operate automatically, becoming active only when certain application windows or websites are open.

When a keylogger is employed by a cybercriminal it becomes a very significant threat to the user, as most importantly, it allows the acquisition of a user's passwords which then provide unauthorized access to the user's email, social networking and online bank accounts.

THE LIFECYCLE OF A KEYLOGGER

Just as with any spyware, the lifecycle of a keylogger consists of three main stages:

1. System penetration. This operation can be performed manually and it is typical for the majority of commercial keyloggers. To do this the cybercriminal needs remote or local access to the PC. The second variant is the installation of a keylogger with the help of programs such as Trojan-Dropper and Trojan-Downloader. It is very common knowledge that a lot of Trojan samples contain keylogger functionality built in for the purposes of spying on users, usually for the harvesting of passwords or credit card numbers.
2. Spying on users. During this process it is very important for the keylogger to remain undetected, and several methods exist to achieve this.
3. Passing the collected data to the cybercriminal. This process is greatly simplified where the criminal has access to the target PC. When access does not exist, commercial keyloggers offer a rich choice of possibilities. Data can be sent via email, passed over a network, or downloaded from an FTP server.

Keyloggers that operate according to the interrogation cycle principle

This type of keylogger is the simplest of all and is based on the system of assigning a number of API-functions to the applications for interrogating the keys on the keyboard. For example, the GetAsyncKeyState function shows whether the named key is pressed or released, and GetKeyboardState returns an array of 256 elements with the state of each key on the keyboard, but works only with GUI applications. This method is very simple to perform and undetectable as there is no embedding of DLLs or hardwired installation; however, for better results it is necessary to use high speed interrogation, in the order of no less than 10-20 polls per second, otherwise data can be missed.

Countermeasures: Detecting cyclic interrogation in itself is not difficult. The main problem is how to tell whether it is a keylogger or a legitimate program doing [...]

Oleg joined Kaspersky Lab in 2007 as a Developer in the Complex Threat Analysis Group. He was promoted to Technology Expert in November 2008 and is responsible for carrying out research into new detection and disinfection technologies, investigating and disinfecting remote systems and analyzing the behavior of malware.

SpyAgent allows you to monitor virtually everything users do on your computer
Antivirus programs, for example Kaspersky Internet Security 2010, react unequivocally to cyclic interrogation from the hidden window
[...] of keylogger is more difficult to detect, but naturally, it is more difficult to install. Usually it is installed in the same way as a classical keylogger, but inside the keyboard rather than in line with its cable. It is possible to use a specially designed frameless model of keylogger that was created specifically for embedding, or to create your own basic keylogger, as can be seen at: http://www.keelog.com/diy.html which is based on the AT89C2051 microcontroller. Using this chip, even a schoolboy with an elementary knowledge of electronics can manufacture their own keylogger. Additionally, some companies produce keyboards with keyloggers already built in which are indistinguishable from normal ones. (See: http://www.keelog.com/usb_hardware_keylogger.html).

Countermeasures: It is very difficult to protect against hardware keyloggers as they are almost undetectable using software tools. The word 'almost' is used here as hardware keyloggers contain software components that interface with the hardware. As for the rest, the protection measures available are pretty low-tech and include protecting keyboard frames by using labels and seals along the assembly joints, the placing of sticky labels on the points of connection of the cables to the system block and sealing the system block itself. Keeping a label log and doing periodical label audits is then necessary.

Keyloggers operating without connection to the keyboard

This type of keylogger is much more exotic than the rest and is utilized when the acquisition of immensely desirable information is required and when it is not possible to use commercially produced hardware solutions. Essentially, these keyloggers capture [...]

[...] associated cabling. The main problem with using these keyloggers is that the secondary radiation coming from a keyboard is of such low signal strength that it is difficult to pick up from a long way away. The task is even more difficult to perform in a room where there are several computers, each with identical keyboards. However, stories about the successful capture of data from distances of 10-20 meters as well as about the development of such equipment appear in the popular press from time to time. For example, the article http://lasecwww.epfl.ch/keyboard/ even contains a video demonstration of just such a process.

Countermeasures: Countermeasures are common for Secondary Electromagnetic Radiation and Induction (SERI). Screening and good earthing decrease the level of SERI and special disturbance generators make it significantly more difficult for cybercriminals to intercept and identify any useful information.

Another well known method is simpler to perform and based on the capture and analysis of the sound produced by the individual keystrokes. Scientists from the University of Berkeley in California carried out significant amounts of research in this field and in their results published in 2005 they showed that it is possible to recognize between 60 and 90% of keystrokes using ordinary sound recording techniques.

Countermeasures: The main method of protection in this case is to advise personnel of the risks and explain that inputting their password when a mobile phone is on the table nearby is not the best way to ensure security.

Secretly observing input

This method becomes more and more topical because of the fact that modern portable autonomous video recorders are [...]

[...] lighters, packs of cigarettes, car alarm/locking fobs, calculators, organizers and other small devices that do not attract any special attention. The criminal can 'accidentally' leave such a recorder on somebody's table and come back to pick it up a couple of hours later. It is important to say that just a few years ago this type of device could only be seen in spy movies; now they are being manufactured commercially. Therefore it is not unusual to come across such devices in the hands of the cybercriminals. They range in price from $100 to $400. Such devices are mainly used in the corporate sphere, where the probability of commercial espionage is quite high.

Countermeasures: The main method is to train and instruct personnel that there should be no unauthorized devices at their workstation and particularly in the vicinity of the screen and keyboard, especially those left by 'forgetful' visitors.

A spy pen with an embedded video camera and recorder for 3 hours of continuous recording can 'accidentally' be placed on the Director's desk if his company is under attack from commercial spies

PROTECTIVE MEASURES

As you already know, there is a large number of keyloggers of different types, [...]

[...] there are many complete source codes available). Consequently, the signature detection of such home-made keyloggers will be relatively ineffective;
• Strictly speaking the keylogger is not a harmful program. It can be a commercial application with a license agreement and an installer and the detection of this application is not entirely warranted, especially if we are talking about a corporate product.

Accordingly, heuristic analysis on the basis of emulation data or behavioral analysis, for example, is not subject to the drawbacks mentioned above.

Virtual keyboard

Virtual keyboard is an application (either stand-alone or part of a protection package), intended for emulation of the keyboard. The keys of the virtual keyboard are pressed with the help of a mouse. Generally, use of a virtual keyboard makes it possible to evade all forms of hardware keyloggers as in this case, the normal keyboard is not used. However, it does not provide protection from many software-based keyloggers and other espionage measures, such as the taking of screenshots. However, antivirus or anti-keylogger virtual keyboards will activate a number of additional measures to enhance protection, such as blocking traps, the prevention of screenshots and other similar activities. The range and type of these countermeasures are specific to each product.

Kaspersky Internet Security 2010's virtual keyboard prevents the taking of screenshots

Password Managers

A password manager is an application which contains a database of the user's login credentials. Generally the database will be encrypted and a master password known only to the user is required for access to [...]

[...] contains X times Y number of cells. Generally anything from 10 x 10 to 16 x 16 is used. A table is generated by the server and a copy is sent to the user for printing (or a copy is sent via registered post). When carrying out the authorization process the user is prompted to enter the contents of certain cells selected at random by the server. This process can either take the place of a password or can be in addition to it. It can be seen that the interception of a specific combination will make it possible to learn the value of two or three cells from the possible hundred-plus and that during subsequent authorization sessions, other cells will be requested. However, the keylogger is unable to fix the requested cells' position - and so the criminals will not know which cells were involved without resorting to taking a screenshot. The benefit of this method lies in its simplicity. Similar technology is used by the Russian payment transfer system Yandex Money.
• Use of one-time passwords. This method is similar to the previous one, but in this case the user receives a table of one-time passwords, and once used, that password is then crossed out. The method can be used in reverse, with the user removing the opaque protective coating from a [...]

[...] dangerous, since it is useless without the accompanying token. The reverse also applies. The eToken is useless without the password.

CONCLUSION

Thus we have examined the basics of software and hardware keyboard spies. In summing up it is worthwhile mentioning that the situation in this area of technology is changing radically by the day. Two or three years ago hardware keyloggers were some sort of techno-marvel; now they are produced commercially with many different models available, beginning with the basic 32 KB types, right up to devices with several GB of memory and wireless control. It should be assumed that the development of the hardware keylogger market will continue and possibly in the very near future we will see an entirely new generation of 'software-hardware spies' which will not require access to the victim's computer at all.

Wireless keyboards - convenience for the user or paydirt for the spy?

The developers of wireless devices usually employ a standard interface [...]
the secondary electromagnetic radiation no larger than a box of matches in size each with its own set of dangers. Let’s have and decryption of the database’s contents. sequential password list printed on for the transmission of data (most
emanating from keyboards and their and come in many guises: watches, pens, a look at the main universal methodologies Sometimes biometric authorization or a a card. In this method the danger of frequently Bluetooth), or use their own
that can be used to combat keyloggers. It USB-token can serve as a password. The password interception with the aid bespoke system of wireless connection,
is important to note that maximum effect benefit of password managers is that of a keylogger is completely avoided. integrating a transceiver into the
is achieved when a combination of the passwords are not entered manually each However, the quantity of passwords keyboard, connected to the USB or PS/2
measures discussed are used. time, which completely excludes their is limited and it will be necessary to socket. In both cases, information is
interception by all forms of hardware and obtain a new list at some point. broadcast about which keys have been
Antivirus products software keyloggers. • Use of a password generator. An pressed and this can be intercepted
electronic token is used for the by a cybercriminal. Unfortunately, the
An antivirus solution offers a minimum of Rejecting the usual generation of passwords, the protection algorithms employed in these
two lines of protection, signature detection passwords and PIN codes generated passwords are not repeated circumstances often does not provide
and detection by the various heuristic and they are produced according to a guaranteed security. As a result, it was
procedures which analyze the behavior of the The means of protection described specific algorithm. It is considered that only matter of time before the ‘radio
application. It should be noted that signature above can be supplemented with the the algorithm and the secret key within sniffer’ and ‘wireless keylogger’ was sure
detection is not very effective for a number following methods, which guarantee an cannot be deciphered based on just a to appear. Moreover, one of the most well
of reasons, the two most basic being: additional level of safety. few intercepted passwords. known practical manifestations is freely
• The standard keylogger is extremely • The use of code tables. A code table • Adopting two-factor authorization, for available at http://www.remote-exploit.
simple in design and can be written by a is a normal table, which can be stored example, with the use of an eToken. In org/Keykeriki.html.
A keylogger can be installed inside a keyboard without it being noticeable student in 1-2 days (plus on the Internet in the form of a picture or printout and this case the theft of passwords is not
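The code-table and one-time-password methods described above, worked through as an added example in Python (not code from the article or from any product it mentions): the server issues cell-position challenges and never asks for the same cells twice in a row, while a simulated keystroke logger records what the user types and replays it. The table dimensions, the two-character cell format, the sample password card and the attacker model are assumptions of this example.

```python
"""Code-table and one-time-password logins modelled against a keystroke-only logger.

Added example, not from the SECUREVIEW text. Each code-table login asks for a few
randomly chosen cells out of a hundred-plus, with the positions shown on screen and
never typed; a one-time password list crosses out each password after use.
Table size, cell format, the sample card and the attacker model are constructed.
"""
import hmac
import random
import secrets
import string

ROWS, COLS = 10, 12              # 120 cells: "a possible hundred-plus"
CELLS_PER_LOGIN = 3
ALPHABET = string.digits + string.ascii_uppercase


def generate_code_table(rng=None):
    """Issue a table of random two-character cells, as printed on the user's card."""
    rng = rng or secrets.SystemRandom()
    return [[rng.choice(ALPHABET) + rng.choice(ALPHABET) for _ in range(COLS)]
            for _ in range(ROWS)]


class CodeTableServer:
    """Server side: holds a copy of the table, issues cell challenges, checks answers."""
    def __init__(self, table, rng=None):
        self._table = table
        self._rng = rng or secrets.SystemRandom()
        self._pending = None         # positions requested for the login in progress
        self._last = set()           # positions used last time; not requested again at once

    def challenge(self):
        """Pick CELLS_PER_LOGIN positions, none of them from the previous challenge."""
        candidates = [(r, c) for r in range(ROWS) for c in range(COLS)
                      if (r, c) not in self._last]
        self._pending = sorted(self._rng.sample(candidates, CELLS_PER_LOGIN))
        self._last = set(self._pending)
        return list(self._pending)

    def verify(self, typed):
        """typed: the characters keyed in, cell values concatenated in challenge order."""
        if self._pending is None:
            return False             # no open challenge, so nothing to answer
        expected = "".join(self._table[r][c] for r, c in self._pending)
        self._pending = None         # one challenge, one attempt
        return hmac.compare_digest(expected.encode(), typed.encode())


def user_answers(table, positions):
    """Client side: the user reads the requested cells off the card and types them."""
    return "".join(table[r][c] for r, c in positions)


class OneTimePasswordList:
    """Server-side copy of a printed one-time password list; each entry works once."""
    def __init__(self, passwords):
        self._unused = set(passwords)

    def remaining(self):
        return len(self._unused)

    def verify(self, typed):
        if typed in self._unused:
            self._unused.discard(typed)  # "crossed out" after use
            return True
        return False


class KeystrokeLogger:
    """Attacker model from the article: sees every character typed and nothing else."""
    def __init__(self):
        self.captured = []

    def tap(self, typed):
        self.captured.append(typed)
        return typed


def code_table_scenario(seed=None):
    """Legitimate login through the logger, then a replay of the captured keystrokes."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    table = generate_code_table(rng)
    server = CodeTableServer(table, rng)
    logger = KeystrokeLogger()
    first = server.challenge()
    user_ok = server.verify(logger.tap(user_answers(table, first)))
    second = server.challenge()                  # other cells are requested this time
    replay_ok = server.verify(logger.captured[-1])
    unknown_cells = ROWS * COLS - CELLS_PER_LOGIN  # cells the logger has never seen
    return user_ok, replay_ok, first != second, unknown_cells


def otp_list_scenario():
    """The same logger against a one-time password list."""
    printed_list = ["48213", "90377", "15562", "73048"]  # constructed sample card
    server = OneTimePasswordList(printed_list)
    logger = KeystrokeLogger()
    user_ok = server.verify(logger.tap(printed_list[0]))
    replay_ok = server.verify(logger.captured[-1])       # already crossed out
    return user_ok, replay_ok, server.remaining()
```

The `seed` argument exists only so that a run is reproducible; a real deployment keeps the default `secrets.SystemRandom()` source.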
16 SECUREVIEW 3rd quarter 2010 www.secureviewmag.com www.secureviewmag.com 3rd quarter 2010 SECUREVIEW | 17
ANALYTICS | Internet fraud
stereo headphones and a mobile phone. Wait a minute… What’s a mobile phone for? To pay for the product of course! To receive a narcotic track a user sends an SMS to a four or five-digit number and then enters the code they receive into a special field, which is not an unusual way of doing things in Russia.

The I-Doser program was even available as an iPhone app!

RUSSIA CAN’T BE UNDERSTOOD....

So, what was the net effect of audio drugs on the Russian Internet? It was – it has to be said – overwhelming. Just a couple of weeks after they appeared, the young and progressive Internet community no longer considered audio drugs a sensation. Some tried it and lent their expert opinion of the experience to the knowledge-hungry public, whilst others were keen to try it, but backed off again on the grounds of health concerns, and yet another group were conceptually against drugs as a phenomenon overall, including audio drugs in particular. Those hearing this word combination for the first time became more and more rare. In blogs, forums and chats audio drugs became the hottest topic around.

Unfortunately it was teenagers who happened to make up the main part of the electronic drug barons’ target audience, and as is well known, teenagers are fairly easily persuaded to try new things, regardless of their parents’ advice to the contrary. Tell the younger generation who have just entered the so-called ‘awkward age’ that smoking is cool and, predictably, half the school will be hiding from the teachers and having a cigarette. They do it to demonstrate the “I am cool” message to others. The same goes for audio drugs. Whether it was part of the ‘engineers’ plan or just happenstance, who knows, but the major part of their Russian audience turned out to be between 13 and 16 years old. Teenagers tried the audio drugs just so that they could turn up at school with the appearance of being a sophisticated drug user and report on their “sensational” experience. Also discussions seen on some teenagers’ forums often used another very appropriate word - ‘autosuggestion’. This is another vulnerability that the ‘social engineers’ exploited. In other words, those ‘sophisticated drug users’ of 13-16 years old often did really believe that they ‘got a kick’ from what they listened to. They convinced themselves that they had had all the sensations that they believed a person should experience having used one of the more well-known drugs. So by listening to monotonous binaural rhythms they only managed to get excited and hyped up instead of calming down and relaxing.

However, the desire to look cool in front of one’s peers and the attraction to forbidden fruits are simple human vices, characteristic not only of teenagers, but adults as well. It cannot be forgotten either that many people, when hearing the words ‘audio drugs’, would have felt curiosity and a desire to try something new, thus we can state with confidence that the ‘social engineers’ received quite a wide audience ready to pay for their ‘engineering miracles’. Ostentatious pseudo-science also helped the criminals, not by chance, but in strict accordance with their plans. The bait was swallowed not only by schoolchildren, students and ordinary Internet users, but also journalists, including those working in big news and analytical web publications. It’s interesting to note that the majority of publications, especially in the first two months, did not try to understand the deeper nature of this phenomenon, nor did they try to explain to their readers what audio drugs really were. Most articles published during July and August were based on the information provided by the websites distributing the electronic drugs, and the majority of user reviews in the publications were just the usual crop of very artificial ‘bait’-type materials which the ‘social engineers’ had placed on the Russian Internet themselves. The only threat presented to the readers of those publications was the line that audio drugs couldn’t be any more dangerous than traditional chemical ones. The first articles that brought people round to believing that audio drugs were nothing more than simple fraud appeared only at the end of summer, after an article called “Attention! A new kind of fraud” was published on the website of the Interior Ministry on 27 August. Unfortunately by that time “A new kind of fraud” was not new anymore and it was quite difficult to convince many people of it.

A few months after the appearance of ‘the miracle’ on the Russian Internet, it attracted the attention of the authorities of some regions. On 23 September 2009 in St. Petersburg, audio drugs were treated almost the same as pornography and their distribution among the under-aged strictly forbidden. As was announced by the Kommersant-SPB newspaper (№ 177 (4232) of 24.09.2009), “…trading in such products is banned within a radius of 150 meters from child-care and educational facilities, including high schools and universities”. The loud noise in the press also played right into the hands of the criminals distributing the stuff. The scare-mongering titles of the Internet newspapers and independent analytical articles only attracted more of the curious to it. The ‘social engineers’ themselves started to use ‘scandal’ topics to attract attention to their product. “Danger: audio drugs can be downloaded for free!”, “Audio drugs affect brains” and “Audio drugs in MP3 format cause harm” – screamed the subject lines of posts on a popular blogging resource. However, the same post then went on to say that audio drugs are “cool” and provided links to some respective sites where one could find one’s own proof.

The Chinese press was quick to pick up on the topic of audio drugs

THE CROP IS GATHERED IN

Audio drugs, as we all know only too well, were very successful for the ‘social engineers’. Certainly, behind all the noise and doubts about ‘High – or no high’, ‘Harmful – or not harmful’ there lies a simple thirst for profit. The abundance of similarly-styled websites appearing en masse on the Internet at the time were nothing more than the fruits of partner program activity. It’s well recognized that many of the participants of partner programs certainly don’t hide their activities and openly share their impressions of their associations with all and sundry.

It was thus in a blog on one of the partner program websites during mid-July that the following information appeared: “As far as audio drugs go – when it was new the theme was great! I tried this theme a month ago and very quickly hit 100K Roubles a day!” The author goes on to describe in detail which tools were used to promote it on which websites, before eventually admitting to making “20-60 of Dollars per day”. So popular has this theme proved, that cybercriminals were willing to shovel money at it, whilst journalists, deputies and simple users continued their ideological disputes about whether audio drugs were harmful or not.

SOMETHING NOVEL?

By the autumn of 2009, largely due to the recession, the fever had died down. It was time for the social engineers to come up with their next big thing and it needed to be bigger and better than their previous brainchild. This time it wasn’t long in the making, driven by their urge to earn big bucks. Adding a new twist to their previously successful scam, they introduced ‘Stereohypnosis’ and, to make sure everyone knew about their latest novelty, they spammed just as many as they could by every available means. The theme of audio drugs undoubtedly had become very noticeable very quickly. Despite that, it was already possible to search Google and find websites offering video files for download which supposedly acted on the subconscious, this time by means of ‘stereohypnosis’. The name has become more lengthy and complex, if you notice. ‘Social engineers’ have long continued to play up the pseudo-scientific nature of their ‘inventions’. With stereohypnosis they went one step further, making it better and more interesting-sounding than plain old audio drugs. An explanation consisting of scientific terms and offering descriptions of its principles lends itself as well to the electronic page as it does to the printed page. Exactly as with the audio drug websites, stereohypnosis, it was claimed, caused altered states of consciousness – from offering relaxation after a long day’s work, to the heightening of sexual stimulation. Among the many websites offering various methods to heighten sexual sensations it’s not difficult to find many selling ‘A stereo audio version of viagra’. Creditable reviews from those exalting the power of hypnosis have long since appeared on numerous web pages and websites, and in abundance on the websites distributing ‘stereohypnosis’.

Some Russian spam simply contained a link for users to click on, without even mentioning the product in the text

‘Stereohypnosis’ – the next big thing for the gullible

CONCLUSION

Whatever they do, there are large doubts that the ‘social engineers’ will repeat their earlier triumphs. Advertising got underway at the beginning of March and since then there’s been a distinct lack of noise from either the electronic mass-media or the Internet communities. It seems to prove that the spam mass-mailings were not as effective as in the past and that the ‘social engineers’ may have miscalculated. Firstly, over the past few months many people have started to associate payment by SMS-messaging to short numbers with being ripped off. Secondly, ‘stereohypnosis’ does not actually offer anything new under the sun, and besides, the similarities of the websites just reinforce people’s feelings of distrust, not to mention the statement itself, ‘Safe Drugs’, proving an oxymoron for just too many. RE
ANALYTICS | Crimeware
the list of the most popular financial organizations targeted by the cybercriminals is as follows: (See Table)

Name of the Company          % from the total number of attacks
Bradesco group               6,65%
Banco Santander group        4,71%
Banco do Brasil              3,92%
Citibank                     3,74%
Banco Itau                   3,33%
Caixa                        2,93%
Banco de Sergipe             2,84%
Bank Of America              2,36%
ABN AMRO banking group       2,28%
Banco Nossa Caixa            1,98%
Others                       65,27%

The top ten most popular financial organizations to be hit by cybercriminal attacks. Data courtesy of Kaspersky Lab

This list has remained practically unchanged for the last few years. According to available data, the number of banks that suffered from similar attacks during the period of the first three months of 2010 is approaching 1000. Thus it is obvious that the cybercriminals are constantly finding new and more sophisticated ways of getting their hands on the users’ information, despite the introduction of additional protective measures taken by the banking fraternity to protect their online clients.

DO VIABLE SOLUTIONS EXIST?

Is it possible to fight back against crimeware in these modern times? Yes, it is. The technologies are constantly developing and today’s leading antivirus companies do have solutions capable of repelling the attacks of the cybercriminals.

At this moment, some of the players in the antivirus market are already using in-the-cloud technologies. These assist greatly in detecting and blocking malware content, as well as limiting the sources of its expansion. Here we are speaking about client-server technologies that analyze metadata containing information about malware activity on the users’ computers. However, the metadata can only be sent with the permission of the user and does not contain any private information. This technology differs from antivirus database detection methods in how it analyses the sample. The antivirus engine can only analyze a sample according to fixed rules, such as recognizing odd behavior patterns, for example. The online analysis of metadata received from many users simultaneously allows the detection of ‘suspicious activity’ and the consequent blocking of the detected threat, thereby preventing the problem from spreading. In practice, users of such distributed networks can receive protection just a few minutes after the appearance of any threats. It’s for this reason that applying antivirus measures to in-the-cloud technologies has a range of advantages:
• Fast detection within minutes of a threat’s appearance (antivirus databases require up to a few hours between updates);
• A significant increase in the level of threat detection, as in addition to existing technologies, new and highly efficient ones can be used;
• Not only the immediate detection and blocking of the threats themselves, but the limitation of their expansion as well;
• Additionally, employing these technologies provides a complete understanding of the overall situation: what time, where, who has attacked, how many users have suffered, the number of users that have been protected, etc.

A dramatic increase in the quantity of malware used for stealing users’ financial information. Data courtesy of Kaspersky Lab

So what does it bring to the financial organizations? The solutions described can warn the financial institutions about the appearance of any new threats aimed at their clients automatically and in real time. Such warnings may contain detailed information about such threats and instructions on how to fight them.

Another service that is currently very much in demand by financial organizations is the ability to access so-called ‘situation rooms’. These are web-based resources which can be accessed by corporate clients using a personalized login and password. They contain much larger volumes of relevant information than a client could possibly receive in, for example, a notification by email. Such information may include reports and analytical articles related to an organization or region and identify potential sources of threats to clients.

However, there are a number of reasons that these notification systems cannot or might not be adopted:
• Not every online banking client has an antivirus program installed on their PC, making it impossible to put together a complete picture of all of the threats out there.
• In order to analyze the information centrally and comprehensively it would be necessary for every online banking user to have the same antivirus product installed, which is simply impossible on a practical level.
• Financial institutions strictly forbid the sending of any client-related information to external companies due to the high risk of losing the valuable data or penetration of their networks.
All of this makes detection of the targeted attacks more difficult.

To get a complete picture of the cybercriminals’ actions in relation to the banking world, the most opportune method is direct cooperation between the antivirus companies and the financial institutions.
• It is feasible to integrate a malware detection solution into the client side of online banking as no personal data would be required for this. The introduction of this kind of a service could be integrated into a safety policy, which would reduce the banks’ outgoings on insurance compensation and penalties in the future.
• Banking security departments could control data centers that perform the preliminary automatic analyses of threats, thereby allowing them to carry out the necessary analyses themselves. Large financial corporations already have such IT departments. By controlling all of the data received, security departments can decide what information is alright to pass on to an antivirus company for analysis and what is not. It has to be understood that the establishment of such IT centers within a company’s existing structure is feasible only if the company wishes to control the total flow of the data received. This solution will be most attractive for the big market players for all the reasons mentioned before, i.e., the presence of a company IT department dealing with the analyses of external threats.
• Users of online banking services would receive timely information from the analytical centers about the neutralization of new threats and their sources.

Therefore, more efficient cooperation between the antivirus and financial organizations would allow the killing of two birds with one stone. Financial organizations would minimize their risks and pay-outs related to incidents, whilst for antivirus companies, this cooperation would lead to the neutralization of targeted attacks in the most effective way.

STATE SUPPORT

Up to this point we have been looking at two parties who are locked in combat with the cybercriminals: the antivirus companies and the financial organizations. However, there is one more participant who, despite all the opportunities it has to become involved, is not playing anything like an active enough role – it is the state. Without state support the possibility of defeating the cybercriminals is minimal. Countries have borders, but the Internet does not and this gives the cybercriminals complete freedom to act at will. For example, is it possible for a Korean bank to quickly shut down a Brazilian malware host, sticking strictly to all the procedures of state and respecting international law along the way? Or is it possible for a Brazilian bank to do the same in China? The answer is obvious: in both cases it is a resounding ‘No!’ To take the fight to the cybercriminals without any efficient mechanisms for the cooperation of the necessary authorities from the different countries is problematic to say the least. Such a struggle resembles a tug-of-war. As soon as any new technologies appear that target the cybercriminals’ activities, the cybercriminals respond by developing some new means to bypass them. The process then starts all over again, ad infinitum.

Government support is essential in the fight against cyberterrorism. In some countries there are already authorities that support financial and other organisations in finding solutions to these problems

CONCLUSION

We have described just some of the difficulties faced by the antivirus companies and the financial organizations in their battle with the cybercriminals who want only to steal money from online banking clients. One possible solution was considered.

The solution offered could be applied not only to the sphere of online banking, but could also prove to be effective at detecting threats aimed at users of online games, electronic money systems and exchange points. We would like to point out that those kinds of attacks are registered much more often than online banking systems attacks.

It is thoroughly necessary to mention once again the major role that the state should be playing in this field. Without state support very little will ever be accomplished in the fight against cybercrime. The problem will remain unresolved until such time that effective and efficient mechanisms exist for the necessary communication and interaction to take place between the relevant authorities. RE

You can read the complete article at http://www.securelist.com/en/analysis/204792115/Crimeware_A_new_round_of_confrontation_begins
FORECASTS | Major possible threats of 2010

Article by Aleks Gostev, Chief Security Expert at Kaspersky Lab
Aleks specializes in all aspects of information security, including mobile malware. His responsibilities include detecting and analyzing new malware.

Stefan Tanase, Senior Regional Researcher, EEMEA at Kaspersky Lab
Stefan is responsible for monitoring the local threat landscape and specializes in web security, malware 2.0, and threats which target Internet banking systems, including phishing.

Darya Gudkova, Head of Spam Analyst Group at Kaspersky Lab
Darya is responsible for providing information on the spam landscape, future trends and mass mailing techniques.

2009 was the latest milestone both in the history of malware and in the history of cybercrime, with a marked change in direction in both areas. This year laid the foundation of what we will see in the future. The number of malicious programs in the Kaspersky Lab collection reached 33.9 million. So, what will we see in 2010?

In 2010 the following issues and events are likely to come to the fore: There will be a shift in the attack vectors used, with a move away from the web to file-sharing networks. This is the latest step in the evolutionary chain: between 2000 and 2005 attacks were carried out via email; between 2005 and 2006 the main attack vector was the Internet; and between 2006 and 2009 attacks were carried out via web sites (including social networks). In 2009, mass epidemics were caused by malicious files being spread via torrent sites. It wasn’t only well-known threats such as TDSS and Virut which were spread in this way but also the first backdoors for Mac OS. In 2010, the number of incidents involving P2P networks is likely to increase significantly.

THE BATTLE FOR TRAFFIC

Cybercriminals are making increasing efforts to legalize their business, and the Internet offers a multitude of opportunities to earn money by creating large volumes of targeted traffic. Such traffic can be created by using botnets. While at the moment it is openly criminal groupings involved in the battle for botnet traffic, it seems likely that grey services will appear in this market in the future. So-called affiliate programs provide botnet owners with the opportunity to realize their assets, even if criminal services such as spam, DoS attacks, or spreading malware are not being offered.

EPIDEMICS

As previously, the identification of vulnerabilities will be the major cause of epidemics, and this applies both to non-Microsoft software (Adobe, Apple) and the recently released Windows 7. It should be noted that third-party developers have recently started […]

MALWARE

Malware will become ever more complex. At the moment there are threats in existence which use modern file-infecting techniques and rootkit functionality. Many antivirus solutions are unable to disinfect systems infected by such malware. On one hand, antivirus technologies will develop in such a way as to prevent threats from penetrating a system in the first place; on the other hand, the threats which are able to evade security solutions will be almost invulnerable.

FAKE ANTIVIRUS SOLUTIONS

There will be a drop in the number of fake antivirus solutions, mirroring the decrease in the number of gaming Trojans. These programs, which first appeared in 2007, reached a peak in 2009, and were linked to a number of major epidemics. The rogue antivirus market is now saturated, and the profits made by cybercriminals are negligible. With the antivirus industry and law enforcement agencies focussing their attention on such rogue solutions, it will be increasingly difficult for such programs to survive.

GOOGLE WAVE

Google Wave and attacks conducted via this service will undoubtedly be a hot topic in 2010. Such attacks are likely to evolve in a standard way, starting with spam, moving to phishing attacks, and then a shift to vulnerabilities being exploited and malware being spread. The release of ChromeOS is also a matter of great interest, but it’s unlikely that cybercriminals will focus their efforts on this platform in the coming year.

MOBILE MALWARE

2010 is likely to be a difficult year for the iPhone and Android platforms. The appearance of the first threats targeting these platforms in 2009 demonstrates that cybercriminals are starting to examine these platforms and the opportunities they offer. While it is only jailbroken iPhones which are at risk, there are no such limitations in the case of Android, as applications from any source can be installed. The growing popularity of Android phones in China, and weak monitoring of published applications, will lead to a number of serious virus incidents in 2010.

SOCIAL NETWORKING THREATS

The evolution of threats targeting social networking sites was a major trend in the cyberthreat landscape in 2009. The explosive growth of social networks’ popularity has affected the spectrum of threats we are dealing with, as these networks became the main mode of their transmission. The scenario is standard – at first it was spam, then came the search for vulnerabilities in social networks, and today we face mass virus and phishing attacks in these networks. This year there were several series of virus epidemics in Facebook, Twitter, and other popular networks. At the current time we are seeing a rise in these threats to a new level involving automated targeted attacks against users. As social networks continue to grow, the threats associated with them will obviously escalate. The number and complexity of threats that exploit web 2.0 platforms will continue to grow too. Now social networks are opening up new ways for automated targeted attacks against individuals and it will be very hard for social networks to do better: unfortunately, their business means usability, not security.

SPAM

2009 was a year of financial crisis and was a difficult one for many businesses. Spammers also felt the squeeze, as the number of orders dropped significantly mid-year. However, the amount of spam in email traffic did not decrease, since spammers changed tactics by actively participating in partner programs. Furthermore, throughout the course of the year, the amount of spam in email traffic served as a kind of indicator of the crisis, allowing us to make some predictions about spam in the future. 2010 will most probably be a much less eventful year for the spam business. The amount of spam in total email traffic will remain at approximately the same level it is now or increase slightly. The text message scams which were so widespread in 2009 may become less common in 2010, especially if cellular service providers take a proactive stance in battling them. However, it will only be a matter of time before we see new scams emerge. Methods such as using video and audio files in spam probably won’t become too common: the balance between message size, bypassing filters and making emails attractive for users clearly does not work in the spammers’ favor in this case. They will continue to use tried and tested tactics. Users can also expect spammers to continue to take advantage of social networking sites, where the amount of spam may well increase. RE

Information courtesy of Kaspersky Lab
SECUREVIEW, 3rd quarter 2010, pages 32-33, www.secureviewmag.com
INTERVIEW | Complex threats of today and tomorrow
Challenging rootkits
It’s certainly no coincidence that the word ‘rootkit’ has started to crop up more
and more often when someone starts talking about large-scale epidemics,
botnets or other exceptionally serious IT security threats. Indeed, right now this
type of malicious software is considered to be amongst the most harmful for PC
users and is a major contributor to the problems that the antivirus companies
face in their struggle against those who write such programs.
We have asked Vyacheslav Rusakov, a Software Expert in the Complex Malware Research group at Kaspersky Lab, to tell us how the antivirus companies deal with this type of malware and what the outlook is for the immediate future.
SV: Over the last couple of years we have been hearing more and more about how complex malware such as rootkits can threaten our digital lives. Just how serious a problem is it? What are the major difficulties involved with combating such a threat?

V: Complex malware has always existed alongside its simpler cousins. The majority of malicious programs are not very complicated from a technological standpoint and rootkits are certainly no different. There are in fact only a handful of complex rootkits.

The most common varieties consist of elementary, kernel-mode drivers that hide or limit access to system files and registry branches and obscure the malicious program’s own nefarious processes. It is this type of behavior that consequently makes it troublesome for some antivirus products to detect and eliminate the rootkit’s malicious code. However, for the majority of the more sophisticated antivirus products, that type of rootkit is quite easy to detect, analyze and remedy.

The situation becomes far more involved when dealing with rootkits of a more complex nature. Fortunately, at the present time complex rootkits do not exist in large numbers and this is mainly due to the technological complexity of their manufacture. However, it is just such rootkits as these that are incorporated into the malware that the cybercriminals use to create their large-scale botnets, and unfortunately, they spread very quickly. Cybercriminals take the task of rootkit creation very seriously, and this complicates the virus analyst’s job from as early on in the process as performing a static analysis of the malicious software. To compound the problem even more, the rootkits’ authors use obfuscation and polymorphism to further conceal the nefarious nature of the executable code. Where a rootkit is designed specifically to infect system files, the situation becomes extremely difficult as it is necessary to define how the virus infection operates before beginning to outline an algorithm capable of neutralizing the threat.

Having completed the static analysis, the next step for the analyst is to perform a dynamic analysis and that is carried out in a special test area. The results obtained from dynamic analysis should confirm any information received during the static analysis and provide additional information too. This information will be used later on for the performance of memory detection and deactivation of the active rootkit. Sometimes the detection of a rootkit can lead to the development of a completely new and unique set of technologies for the detection and treatment of malware.

SV: What devious methods do the cybercriminals use to try to infect a user’s system?

V: The latest and most noteworthy trend is the infection of the kernel-mode drivers and MBR. These types of rootkits actively conceal their presence on a victim’s computer very carefully and are highly resistant to treatment. Kaspersky Lab has developed its own special methods and procedures for the detection and treatment of computers infected with this type of threat. For the more dangerous of these rootkits, namely Bootkit and TDSS (TDL3), highly specialized and innovative technology has been developed that will allow the detection of any rootkits employing similar operational methodologies in the future.

SV: There are rumors about the possibility that BIOS infections may be starting to do the rounds. What do you think about this? Is it possible?

V: Unfortunately, it’s more than just rumors. Proof of concept of this technology does exist. A computer’s BIOS is the perfect launch pad for rootkits. This method of virus infection allows the rootkit to become active even before the operating system has had a chance to load. Theoretically, the appearance of such rootkits is a distinct possibility, however their creation is a very laborious process due to the nuts and bolts of the prerequisite technology. First of all the BIOS has to be reprogrammed, which in itself is a very tricky operation as local access to the PC is required, secondly one has to bear in mind the fact that a BIOS produced by one manufacturer will differ from that of another manufacturer and therefore a universal method of infection cannot really exist. I am not saying that the problem is insurmountable, but at the present time it is very difficult to perform. It is not really possible to give a single, definitive answer. I’m afraid it’s a case of let’s wait and see. However, I can promise you that if this kind of malware should appear, the antivirus laboratories that do not have a sufficient number of suitably qualified personnel will face a very difficult time.

SV: What would happen if the malicious code made it into the firmware of various components? For example, network or video cards?

V: I think that the most realistic scenario involves exploiting the vulnerabilities of the drivers that service these devices. Looking at it from another angle though, if the malicious code has the ability to take control by using this type of virus infection, then that option has to be given very serious consideration indeed. I think that it’s worth pointing out here that the cybercriminals’ main aim is to make money. The simpler the methods used, the lower their overheads are. That is why the complex technologies will only prevail once the less advanced methods have become obsolete and unprofitable. Until that time, only a relatively small number of specialist researchers will continue working with this problem.

SV: Is it possible to use the CPU’s vulnerabilities for the creation of virtually undetectable rootkits? Would antivirus companies be able to combat this type of threat?

V: Mistakes occur with any type of software and the microcode of the CPU is no exception. However, the practical exploitation of such mistakes is doubtful. The thing is, exploiting vulnerabilities of this kind is very complicated technologically. It is necessary to take into account the many challenges that would need to be met in creating a universally-adaptable exploit. In any case, I am sure that if such a threat does in fact emerge, the antivirus companies will pull out all the stops to provide their users with an up-to-date product capable of meeting the threat head-on.
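One defensive check that follows from the MBR and bootkit discussion in the interview, given here as an added example that is not code from the interview or from Kaspersky Lab: a baseline comparison of the disk's first sector. A bootkit that wants to run before the operating system loads has to rewrite the boot code in that sector, so hashing the 446-byte boot code against a known-clean baseline, verifying the 0x55AA signature and parsing the four partition entries gives a simple integrity check. The sample sector, the baseline hash and the tampering below are all constructed for the example; the device path mentioned in the comments is an assumption about where a real deployment would read the sector from.

```python
"""MBR baseline check: added example, not code from the interview or Kaspersky Lab.

Flags changes to the 446-byte boot code of the first disk sector (the part a
bootkit must rewrite to run before the operating system), verifies the 0x55AA
signature and parses the partition table. The sample sector and the baseline
are constructed here; on a real host the 512 bytes would be read from the raw
disk device (an assumption, e.g. /dev/sda on Linux) and the baseline recorded
from a known-clean state.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow
PARTITION_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"       # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

# Constructed boot-code prefix for the sample (cli; xor ax,ax; mov ss,ax; mov sp,7c00h).
SAMPLE_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"


def build_sample_mbr(boot_code: bytes = SAMPLE_BOOT_CODE) -> bytes:
    """Construct a 512-byte MBR with one bootable type-0x07 partition (sample data)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, signature validity and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + PARTITION_ENTRY_SIZE]
        )
        if ptype != 0:
            partitions.append(
                {"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count}
            )
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "signature_ok": sector[510:512] == SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a sector against the recorded baseline; an empty list means no finding."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def tamper_boot_code(sector: bytes) -> bytes:
    """Constructed modification of the first boot-code bytes, used only to exercise the check."""
    patched = bytearray(sector)
    patched[0:4] = b"\x90\x90\x90\x90"
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]  # recorded from the known-clean sample
    print("clean sector:", check_mbr(clean, baseline) or "no findings")
    print("tampered sector:", check_mbr(tamper_boot_code(clean), baseline))
```

The check deliberately hashes only the boot-code region: partition entries legitimately change when volumes are resized, so hashing the whole sector would produce false positives, while a rewritten boot loader is exactly the change a bootkit cannot avoid. The same comparison is only as trustworthy as the read path; a kernel-mode rootkit of the kind the interview describes can filter what a running system returns for the sector, which is why such baselines are best verified from a clean boot medium.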