3rd quarter 2010

SKELETON KEYS
Modern Day Keylogging Techniques’

THE SOUND OF DECEPTION

Internet fraud is becoming more ingenious

A NEW ROUND OF CONFRONTATION

How to fight crimeware more effectively

THE DOWNSIDE OF UBIQUITY

What to do about Adobe’s software vulnerabilities

THE EXPERTS
COMMENT
MAJOR POSSIBLE THREATS OF 2010: More widespread and more complex

CONTENTS
NEWS
Breakthroughs and trends
in the IT security industry
REPORT
Infosecurity Europe: Catch
up on all the latest
developments from London
TOP STORY
Skeleton Keys: Everything you
should know about current
keylogging techniques
ANALYTICS
The Sound of Deception:
Modern Internet fraud
The Downside of Ubiquity:
Vulnerabilities in
Adobe software
A New Round of Confrontation:
Fighting crimeware
TECHNOLOGY
Somewhere Between Black
and White: Whitelisting
technology uncovered
FORECASTS
More Widespread and More
Complex: Threatscape 2010
INTERVIEW
Challenging Rootkits: Complex
threats of today and tomorrow
by Vyacheslav Rusakov
SECUREVIEW Magazine Editor-in-Chief: Alexander Ivanyuk
3rd Quarter 2010 Editor: Darya Skilyazhneva
Design: Svetlana Shatalova,
Roman Mironov
SECUREVIEW
A WORD FROM THE EDITOR
Dear Readers,
I am very pleased to be able to bring you the
first issue of SECUREVIEW, a magazine dedicated
4-7 to all aspects of the IT security industry. We hope
that you will find it interesting and informative and
we look forward to receiving your feedback.
The News section at the beginning of our
magazine will bring you right up to date with all
the latest trends and exciting discoveries in the
field of information security. There will be reports
8-9 from recently held conferences and exhibitions,
many of which will set the course for the industry’s Editor-in-Chief
development in the year ahead. Alexander Ivanyuk
In this issue our Top Story is dedicated to
the important subject of the theft of personal
data using keyloggers, something that will be
of particular interest to representatives of the
10-15 corporate sector. In the coming issues we will
be bringing you detailed analyses of the hottest
topics in the industry, reflecting the interests of
users’ right across the board.
In our Analytics column some of the world’s
leading experts and journalists will share the results
16-19 of their research into the field of digital safety with
you, examining the burning issues of the day and
providing solutions to those IT security problems so
often encountered by people in the field.
Technological knowhow is very important for
20-23 the IT security industry and that is why in every
issue our Technology section will cover the most
interesting solutions from the last few years that
24-27 we think have seriously influenced the computer
security market. Then there’s our Forecasts
section, which we are confident will appeal to a
very wide audience.
Finally, for dessert we’ll be putting the industry’s
experts in the hotseat and getting their responses
to some pretty tough computer security related
28-31 questions in our Interview section.
We hope that the topics covered in this first
issue of our magazine will appeal to you and most
importantly, if you are working within the industry,
we hope that you will be inspired to share your own
knowledge and experiences with our readers –
32-34 we always welcome new authors. You will be
rewarded for your efforts and interesting articles
will definitely be published! Please, contact us at:
editorial@secureviewmag.com, to leave feedback,
submit an article, or tell us what topics you would
like to see covered in the future.
See you next issue!
36
Alexander Ivanyuk
Editorial matters: Production Assistants: The opinion of the Editor may
editorial@secureviewmag.com Rano Kravchenko, not necessarily agree with that
http:// www.secureviewmag.com Ryan Naraine of the author.

ENCRYPTION
Cracking 56-bit DES
Pico Computing based in
Seattle, Washington, announced
that it has achieved the highest-
known benchmark speeds for
56-bit DES decryption.
The company reported a
throughput of over 280 billion
keys per second achieved with
the use of a single, hardware-
accelerated server. The FPGA
computing platform assembled
for this demonstration was
based on 11 Pico EX-Series
cards, and fits into a single off-
the-shelf 4U server.
The massively parallel DES
cracking algorithm used brute
force methods to analyze the
entire DES 56-bit key-space. It
iteratively decrypted fixed-size
blocks of data to find keys that
decrypt into ASCII numbers.
Jigsaw Puzzles
Scientists from South Korea,
the USA and India have invented
a novel scheme for securing
the transfer of data across
computer networks.
The typical security method
for preventing data from falling
into the wrong hands is by the
use of encryption. However, the
cost of implementing encryption
on a network is high due to its
computational complexity.
The essence of the proposed
scheme is to break the data
to be transferred into many
smaller parts. When put back
Source: http://arxiv.org/ftp/arxiv/papers/1002/1002.4530.pdf
|
4 SECUREVIEW 3rd quarter 2010
NEWS
This technique is often used for
recovering the keys of encrypted
files containing known types of
data. The candidate keys that
are found in this way can then
be more thoroughly tested to
determine which candidate key
is correct.
The 56-bit Data Encryption
Standard (DES) is now considered
obsolete, having been replaced
by newer and more secure
Advanced Encryption Standard
(AES) encryption methods.
Nonetheless DES continues
to serve an important role in
cryptographic research and in
the development and auditing of
current and future block-based
encryption algorithms.
Source: www.picocomputing.com
together, these parts become
the original piece of data again,
but only if they are reassembled
in a particular way, just like
a jigsaw puzzle. The correct
method for reassembling the
pieces is known only to the
recipient for whom the data
is intended. Any unauthorized
entity that intercepts the
message fragments will not
have sufficient information
to correctly reassemble the
component parts of the
communication and thus will not
be able to read the message.
NEWS
CODING MOBILE SECURIT Y
Despite these measures,
The 25 Most Dangerous Unsecured Android scientist identified five high-risk
threats that need attention.
The main security issue that
Programming Errors Israeli scientists from
the Ben-Gurion University
range of security threats.
Google has implemented the
they raised is the fact that
Android is an open-source
reviewed the security system Portable Operating System platform whose source code
The ‘Common Weakness The list is compiled by more of the prospective Android Interface (POSIX) which gives was published after the first
Enumeration’ initiative from the than 50 experts from such software framework from each application a user ID, this Android-powered devices were
non-profit MITRE Corporation respected IT-organizations as Google. The researchers prevents different applications released onto the market.
includes its 2010 list of The SANS Institute, RSA, defined the main threats, high- from affecting each other. This increased the chance of
the 25 most dangerous Red Hat, Sun, Microsoft risk vulnerabilities, existing Setting each application as a revealing vulnerabilities in low-
programming errors. and others. protection tools and relevant different user prevents one level components (such as in
security solutions. application from accessing the Linux kernel, core libraries
Table 1. The incorporation of integrated files and signals from another or the Dalvik virtual machine).
‘SANS/MITRE’s Top 25 Most Dangerous Programming Errors’ Internet services on mobile and distributes the selected Moreover, several vulnerabilities
devices increases their kernel’s CPU consumption were identified in the Android
1 Failure to preserve web page structure (‘Cross-site Scripting’) exposure to damage inflicted evenly by default. Additional permission mechanism which
Improper sanitization of special elements used in an SQL command by various types of malware. security features are provided greatly increases the risk of
2
(‘SQL Injection’) The risk is amplified by the fact through the permission-granting malware infection.
3 Buffer copy without checking size of input (‘Classic Buffer Overflow’) that as a smartphone, Android mechanism that enforces The researchers proposed
4 Cross-site request forgery (CSRF) devices are expected to handle restrictions on the specific several security mechanisms
personal data and provide PC- operations that a particular that can mitigate these high- of granted permissions. The
5 Improper access control (Authorization)
compliant functionality, thereby application can perform. risk threats. authors subsequently gave
6 Reliance on untrusted inputs in a security decision
exposing the user to all the Signing applications is another It is highly important to highest priority to such things
Improper limitation of a pathname to a restricted directory (‘Path attacks that threaten users of significant security feature. incorporate a mechanism, as the SELinux tools, a firewall,
7
Traversal’) personal computers. The authors also looked such as the SELinux access Intrusion Detection System,
8 Unrestricted upload of file with dangerous type Google Android is a at what additional security control system, that can Automated Static Analysis
Improper sanitization of special elements used in an OS command comprehensive piece mechanisms could be applied prevent potential damage and Code Verification and the
9
(‘OS Command Injection’) of software for mobile on Android-based handsets, resulting from an attack on Context Aware Access Control
10 Missing encryption of sensitive data communication devices. The such as porting SELinux into the Linux kernel layer. Also, solutions. They placed Data
11 Use of hard-coded credentials Android framework includes an Android and activating a security better protection should be Encryption and the Selective
operating system, middleware policy, enabling a net-filter- added for strengthening the Android Permission systems
12 Buffer access with incorrect length value
and a set of key applications. based firewall and an Intrusion Android permission mechanism lower down the list
Improper control of filename for include/require statement in PHP
13 The review indicates that the Detection System based on and for detecting the misuse of priorities.
program (‘PHP File Inclusion’)
security mechanisms embedded anomaly detection (termed
14 Improper validation of array index in Android address a broad Andromaly), etc. Source: http://arxiv.org/ftp/arxiv/papers/0912/0912.5101.pdf
15 Improper check for unusual or exceptional conditions
16 Information exposure through an error message
17 Integer overflow or wraparound THREATS THE EXPERTS COMMENT
Large DDoS Attacks Still a Serious Problem
18 Incorrect calculation of buffer size
19 Missing authentication for critical function
20 Download of code without integrity check
21 Incorrect permission assignment for critical resource In the world of botnets and denial- Today, most enterprises and preparation often leaves folks
22 Allocation of resources without limits or throttling of-service attacks, 2009 was a online properties don’t traditionally scurrying about madly when DDoS-
23 URL redirection to untrusted site (‘Open Redirect’) very interesting year. The analysts factor DDoS attacks in risk related incidents do occur, as
at Arbor Networks recently looked planning and management related they’re not considered until you’ve
24 Use of a broken or risky cryptographic algorithm
back at the data collected by processes. That is, while they go been hit at least once.
25 Race condition
about 100 of their ISP customers to great lengths to periodically Most reasonably sized organizations
on DDoS attacks in 2009 and obtain coveted compliance check have a comprehensive plan for
The most critical programming Cross-site scripting (XSS), SQL found that there were more than marks related to data integrity dealing with network outages
errors that can lead to serious injection, and Buffer overflow 20,000 attacks that peaked above and confidentiality, the third pillar, caused by natural disasters. But
software vulnerabilities are are considered to be the most one Gbps of traffic, and nearly availability, often takes a backseat. many of them may not know what
arranged in the list according hazardous of all the listed errors. 3,000 attacks that hit 10 Gbps. This is perhaps largely driven to do if they’re targeted by a major
Dennis Fisher is
to their importance. All noted The rating also contains That’s a lot of traffic, especially by auditors with fairly static and DDoS attack. But, as Arbor’s data Technology Evangelist
flaws are dangerous because detailed technical descriptions when you consider that “many, quantifiable lists of controls that shows, large DDoS attacks are not for Kaspersky Lab’s
they frequently allow attackers of the flaws, code examples indeed most, enterprises remain can be put in place to contain the rarity they once were and it’s US Office.
to completely take over the and related attack patterns, as connected to the Internet at 1 risks associated with traditional probably better to know who’s going
software, steal data, or prevent well as their methods of error Gbps or slower speeds,” as Arbor’s vulnerabilities. Unfortunately, to do what and when before an
the software from working. prevention and mitigation. Danny McPherson points out. lack of foresight and appropriate attack happens, than afterward.
Source: http://cwe.mitre.org/top25/ Source: http://threatpost.com/en_us/blogs/large-ddos-attacks-still-serious-problem-011110
www.secureviewmag.com www.secureviewmag.com 3rd quarter 2010 SECUREVIEW |5

SECURIT Y THREATS
Dangerous Clouds
The non-profit Cloud Security
Alliance has published a report
defining the foremost cloud
security threats.
Cloud computing is a kind of
distributed system whereby all
computer resources are provided
to the users in the form of Internet
services. As the technology
becomes more and more popular,
criminals use it to improve their
reach, avoid detection and
increase the effectiveness of their
activities. Enterprise and home
users need to better understand
the risks associated with the
adoption of cloud computing.
The authors of the report
identified the following
seven threats:
1. Abuse and nefarious
use of cloud computing
Providers of infrastructure as a
service offer their customers the
illusion of unlimited compute,
network and storage capacity,
often coupled with a frictionless
registration process where
anyone with a valid credit card
can register and immediately
begin using cloud services.
Some providers even offer free
limited trial periods. By abusing
the relative anonymity behind
these registration and usage
models, spammers, malicious
SOCIAL NETWORKING
Risky Communication
An international group of
scientists has demonstrated
the possibility of stripping away
the anonymity from significant
numbers of users of popular
social networking sites.
Any technology allowing the
identification of users of social
networking sites, the collection
of data about their habits and
the prediction of their behavior
can be used to cause harm. For
example, such data can reveal
a user’s sexual habits, or render
somebody open to blackmail. But
despite the fact that this threat is
|
6 SECUREVIEW 3rd quarter 2010
NEWS
code authors and other criminals
have been able to conduct their
activities with relative impunity.
2. Insecure Application
Programming Interfaces
Cloud computing providers
expose a set of APIs that
customers use to manage and
interact with cloud services.
Provisioning, management,
orchestration and monitoring
are all performed using these
interfaces. The security and
availability of general cloud
services is dependent upon the
security of these basic APIs.
3.Malicious insiders
This threat is amplified for
consumers of cloud services
by the convergence of IT
services and customers under
a single management domain,
combined with a general lack
of transparency into provider
process and procedure.
4. Shared technology
vulnerabilities
Cloud computing vendors deliver
their services in a scalable way
by sharing infrastructure. Often,
the underlying components
that make up this infrastructure
were not designed to offer
strong isolation properties for
a multi-tenant architecture. To
address this gap, a virtualization
well known, very little has been
done to prevent it.
The researchers demonstrated
the possibility of this type of
attack by identifying a user who
was simply browsing the web. An
attacker can probe the victim’s
browser history for any URLs
that may reveal membership of
any social networking groups.
By combining this information
with previously collected data it
is possible to identify any user of
a social network who happens
to visit the attacker’s website.
In many cases, this allows the
hypervisor mediates access
between guest operating systems
and the physical compute
resources. Still, even hypervisors
have exhibited flaws that have
enabled guest operating systems
to gain inappropriate levels
of control or influence on the
underlying platform.
5. Data loss/leakage
The threat of data compromise
increases in the cloud.
Examples include insufficient
authentication, authorization or
audit controls, operational failures
and data center reliability.
6. Account, service
& traffic hijacking
Cloud solutions add a new
threat to the landscape. If an
attacker gains access to your
credentials in the cloud, they can
manipulate data, eavesdrop on
your activities and transactions,
return falsified information
Source: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
attacker running the malicious
website to uniquely identify his
visitors by the names which they
use in their corresponding social
networking profiles.
Source: http://www.iseclab.org/papers/sonda-TR.pdf
and redirect your clients to
illegitimate sites. Your account or
service instances may become
a new base for the attacker.
From here, they may leverage
the power of your reputation to
launch subsequent attacks
7. Unknown risk profile
One of the ideas of Cloud
Computing is the reduction
of hardware and software
ownership and maintenance
to allow companies to focus on
their core business. This has
clear financial and operational
benefits, which must be
weighed carefully against the
contradictory security concerns —
complicated by the fact that
cloud deployments are driven by
groups who may lose track of the
security ramifications.
As the authors stressed, the
threats described are not listed
in order of severity.
This type of attack requires very
little effort to carry out and has the
potential to affect many millions of
registered social networking users
who have group memberships.
www.secureviewmag.com
BOTNETS
Child of Storm Botnet
‘Waledac’ Is Expansive
In an undercover mission to
learn more about the size and
scope of the son of the infamous
Storm botnet, Waledac, German
researchers have discovered the
spamming botnet is much larger
and more efficient than
previously thought.
The team from the Universities
of Mannheim and Vienna boldly
Transition to http
According to estimates by Team
Cymru Research, the number
of botnets controlled by http-
channels has doubled during the
past half year.
American researchers
associate that tendency with the
widespread availability of ready-
ONLINE THREATS THE EXPERTS COMMENT
Here’s How to Fix Online Banking Fraud
Over the last few months there
have been quite a few news
reports about Banker Trojans
emptying the online bank
accounts of small businesses
in the U.S.
The MitE Banker Trojans
reached its peak of ‘maximum
sophistication’ back in 2007.
This specific subset of Banker
Trojans was - and still is - extremely
sophisticated and will exploit
bank-specific vulnerabilities in the
implementation of two-
factor authentication.
A lot of banks still don’t employ
two-factor authentication for
making transactions. Or, when
they do, it’s a very weak form of
two-factor authentication.
Secure online banking requires
multi-factor authentication. The
authentication code needs to be
received or generated on a device
Source: http://threatpost.com/en_us/blogs/heres-how-fix-online-banking-fraud-022510
www.secureviewmag.com
infiltrated the Waledac botnet
from 6 Aug to 1 Sept of last
year using a cloned Waledac
bot that they built and code-
named “Walowdac.” They found
Waledac runs a minimum of
55,000 bots a day, with a total
of 390,000 bots - much larger
than the previous estimates of
20,000 or so bots.
made kits for cyber-attacks.
Additionally, the very user-friendly
interfaces play a significant role
in allowing those without and any
specialist skills and knowledge to
operate http-botnets.
According to the results of
their research, the number of
which is not connected to the
device that’s doing the transaction.
Ideally, not only should the
transaction authorization code
be generated dynamically, but
also the password for logging
onto the banking site. One thing
to bear in mind here is that the
cryptographic response algorithm
needs to be different for logging
on and approving transactions.
The solution to this huge problem
is actually quite simple. Make the
receiving bank account number
a part of the authentication
process. Either send the
number by SMS, or use it as an
(additional) challenge when using
a token. The user knows where
the money is supposed to go.
What we also need to bear in
mind is that since 2006/2007,
a lot has changed. The average
piece of malware has become
NEWS
The researchers were also able actually a conservative estimate,
to measure the success rates
of various spam campaigns
they said in their report (PDF) on
the experiment.
launched by Waledac, and
were able to observe up-close
Waledac’s newer features, such
Waledac changes its malware
variants approximately every two
weeks the researchers observed,
as its ability to steal credentials and the U.S. is home to the majority
from bot-infected machines. of the bots and repeaters, with 17.34
The German researchers percent of the spamming bots and
calculated from their research 19.5 percent of the repeaters. It
that Waledac could theoretically was also discovered that around
send more than 1.5 billion spam 90 percent of the Waledac bots
messages per day, and that’s were 32-bit XP machines.
Source: http://www.darkreading.com/security/vulnerabilities/showArticle.
jhtml?articleID=222200371
botnets exploiting IRC-traffic
remains unchanged. Most of their
command and control centers
(except India). They are apparently
attracted by the fact that the
financial situation and rapidly-
are situated in the USA and growing economic development
Western Europe. The USA aside, in China, Russia, and Brazil
many http-botnet owners take means that those governments
advantage of hosting-services cannot make sufficient resources
provided by the BRIC countries available for fighting cybercrime.
Source: http://www.team-cymru.org/ReadingRoom/Whitepapers/2010/
developing-botnets.pdf
a lot more sophisticated. Form
grabbers, for example, are pretty
much standard. In fact, we
live in an age where Microsoft
decided to pull a patch because
of problems which turned out
to be caused by the extremely
advanced TDSS rootkit.
This means that we need online
systems in place that are resilient
Roel Schouwenberg
to such powerful malware.
The state of online banking in is a Senior Antivirus
some ways resembles that of Researcher for
the Internet. For many banks, Kaspersky Lab’s
online banking was not directly Global Research &
designed with proper safety in
Analysis Team.
mind. Convenience is the major
driver. The Internet was built on
very much the same principles.
I’d argue that solving the online
banking problem is an infinitely
easier task than fixing the
fundamental weaknesses in the
infrastructure of the Internet.
3rd quarter 2010 SECUREVIEW |7

SECURIT Y THREATS
Very Weak Passwords
are Still Very Popular
The shorter and more
simplistic a password is, the
more susceptible it will be to
basic, brute force password
attacks. This in turn leaves
the users’ data vulnerable and
hackers are rapidly adopting ever
more smart brute force password
cracking techniques. Despite
this however, users continue to
choose very weak passwords.
The Imperva Application
Defense Center has analyzed the
strength of many user passwords.
The results of the investigation
have been published in their
‘Consumer Password Worst
Practices’ report.
The key findings
of the report are:
• About 30% of users chose
weak passwords the length
of which was equal to, or
below, six characters
• Almost 60% of users chose their
passwords from a limited range
of alpha-numeric characters
• Nearly 50% of users chose
names, slang words, everyday
words or passwords using such
easily-guessed constructions
DIGITAL CERTIFICATES
Farewell to a Thousand-and-
One Passwords?
The French government has
suggested an initiative to
replace all user passwords with
a single digital certificate that
provides access to all of the
nation’s web services.
According to the project’s
authors, the introduction
of a universal identifier or
‘IdeNum’ as it would be
known, could put an end to
the tiresome necessity of
memorizing a huge number
of difficult alpha-numeric and
symbol combinations that are
supposed to provide security
when surfing the web. According
|
8 SECUREVIEW 3rd quarter 2010
NEWS
as consecutive digits and
adjacent keyboard keys, for
example’123456’, ‘12345’,
‘123456789’ and ‘Password’.
It is recommended that users:
1. Choose a strong password
for sites that store personal
information that they value
highly. Bruce Schneier’s advice
is useful. He says: “Take a
sentence and turn it into a
password. Something like “This
little piggy went to market”
might become “tlpWENT2m”.
That nine-character password
won’t be in anyone’s dictionary.
2. Use a different password
for each site – even for the ones
where privacy isn’t an issue. To
help remember the passwords,
again, following Bruce Schneier’s
advice is recommended: “If you
can’t remember your passwords,
write them down and put the
paper in your wallet. But just
write the sentence – or better
still – a hint that will help you to
remember your sentence”.
3. Never trust a third party
with your important passwords
(webmail, banking, medical etc.).
to statistics provided by
Trusteer, 73% of those polled
admitted that they use their
bank passwords for entering
other online services as well.
The integration of an IdeNum
system would make the
authorization process shorter
for users of any private or
public resources participating
in the scheme and would
also automate the process of
completing online forms. The
multi-functional identifier could
be kept on a separate device,
which may be a flash, smart,
or SIM-card.
It is recommended that
administrators should:
1. Enforce a strong password
policy – if you give the users a
choice, it is very likely that they
will choose weak passwords.
2. Make sure passwords are not
transmitted in clear text. Always
use https for logins. Make sure
passwords are not stored in clear
text. Always encrypt passwords
before storing them in a database.
3. Employ aggressive, anti-
brute force mechanisms to detect
and mitigate brute force attacks
on login credentials. It makes
brute force attacks too prolonged
Source: http://www.imperva.com/docs/WP_Consumer_Password_Worst_
Practices.pdf
At present, more than 20
national institutes including
The Union of French bankers,
The Association of Insurance
Companies and the French
postal service have all expressed
their readiness to take part in
the research. A prototype of the
authentication system is planned
to be unveiled by the middle
of this year, followed by the
introduction of a fully-functional
system in 2011. The lifespan of a
digital certificate will probably be
limited to between 3 and 5 years.
There is no doubt that the
realization of such a difficult
project will take a lot of
resources and financing.
This is in large part due to
Source: http://countermeasures.trendmicro.eu/french-government-to-bid-
adieu-to-online-passwords/
to serve any practical purpose,
even against shorter passwords.
You should actively put obstacles
in the way of a brute-force
attacker – such as CAPTCHAs and
computational challenges, etc.
4. Employ a password change
policy. Trigger the policy either
according to a predetermined
schedule, or immediately when
suspicion of a compromise arises.
5. Allow and encourage
passphrases instead of passwords.
Although sentences may be longer,
they may be easier to remember.
With added characters, they
become more difficult to break.
the fact that the system of
authentication must not only
certify the users’ identity, but
must also ensure that data
security is maintained as well.
That last issue becomes more
and more relevant due to the
appearance of banking Trojans.
These are able to intercept
transactions in real-time and
change the information therein
without being noticed by any
of the participants. Protecting
digital certificates from theft
is a serious challenge. That
“Key to the Kingdom” will surely
become the ultimate prize for
those whose hunting domain is
the Internet and whose prey is
the funds of the unwary.
www.secureviewmag.com
SOCIAL NETWORKS
The Expansion of Internet Dangers
According to a poll by Sophos,
the amount of spam and harmful
messages on social networks
has increased by 70% during the
last 12 months.
By the end of the year more than
five hundred organizations had
taken part in the poll. Some 57%
of corporate users said that they
had received spam whilst visiting
social networking sites, 36%
reported harmful programs and
30% suffered phishing attacks.
MALWARE TESTING THE EXPERTS COMMENT
On the Way to Better Testing
Have you ever found a false
positive when uploading a file
to a website like VirusTotal?
Sometimes it happens that not
just one scanner detects the
file, but several. This leads to an
absurd situation where every
product which doesn’t detect this
file automatically looks bad to
users who don’t understand that
it’s just false positives.
Sadly you will find the same
situation in a lot of AV tests,
especially in static on-demand
tests where sometimes hundreds
of thousands of samples are
scanned. Naturally, validating
such a huge number of samples
requires a lot of resources. That’s
why most testers can only verify a
subset of the files they use.
Since good test results are a key
factor for AV companies, this has
led to the rise of multi-scanner
based detection. Naturally AV
vendors, including Kaspersky Lab,
have been scanning suspicious
files with each others’ scanners
for years now. Obviously knowing
what verdicts are produced by
other AV vendors is useful.
This is why a German computer
magazine conducted an
experiment along these lines,
and the results of this experiment
were presented at a security
conference last October. The
experimenters created a clean file,
Source: http://threatpost.com/en_us/blogs/way-better-malware-testing-020110
www.secureviewmag.com
Of the participants polled,
72% expressed awareness
that the irresponsible use of
social networks by employees
could pose a significant risk to
corporate security, with 60%
of the criticism being directed
towards Facebook. It is clear that
of all of the social networking
websites available in the west,
Facebook has the largest
number of members. According
to Sophos, most of the social
asked us to add a false detection
for it and finally uploaded it to
VirusTotal. Some months later this
file was detected by more than
20 scanners on VirusTotal. After
the presentation, representatives
from several AV vendors at the
event agreed that a solution
needed to be found. However,
multi-scanner based detection is
just the symptom not the cause -
the root of the problem is the test
methodology itself.
Improving test methodologies
was also the reasons why
two years ago a number of AV
companies (including Kaspersky
Lab), independent researchers
and testers founded AMTSO
(Anti-Malware Testing Standards
Organization). We decided to
illustrate the problem during our
recent press tour in Moscow
where we welcomed journalists
from all around the world.
Naturally the goal was to highlight
the negative effect of cheap,
static on-demand tests.
What we did pretty much
replicated what the German
computer magazine did last year,
only with more samples. We
created 20 clean files and added a
fake detection to 10 of them. Over
the next few days we re-uploaded
all twenty files to VirusTotal to see
what would happen. After ten days,
all of our modified (but not actually
NEWS
networking providers are much network allowing users to seek
more interested in increasing
their market share than they ever
are in the question of protecting
out useful business contacts) is
not believed to be a direct danger
to corporate business, personal
their users from cybercrime.
It seems paradoxical then that
information published on that
server may be of a great value to
half of the respondents (13% the cybercriminals. It is because
more than last year) allow their it is used mostly by professionals
personnel to visit Facebook from that LinkedIn could easily
their place of work without the become some sort of directory of
imposition of any restrictions. companies’ personnel resources
Experts continue to mention which may provide information
that although LinkedIn (A social for targeted cyber-attacks.
Source: http://www.sophos.com/pressoffice/news/articles/2010/02/
security-report-2010.html
malicious) files were detected by
up to 14 other AV companies - in
some cases false detection was
probably the result of aggressive
heuristics, but multi-scanning
obviously influenced some of the
results. We handed out all the
samples used to the journalists
so that they could test it
for themselves. Magnus Kalkuhl is a
So where should we go
Senior Virus Analyst
from here? The good news is
that in the last few months, for Kaspersky Lab’s
some testers have already Global Research &
started to work on new testing Analysis Team
methodologies. Instead of static
on-demand scanning they try to
test the whole chain of detection
components: anti-spam-module
-> in the cloud protection ->
signature based detection ->
emulation -> behavior-based real-
time analysis, etc. Ultimately of
course, it’s up to the magazines
to apply this type of test and to
abandon approaches that are
simply outdated and outmoded.
If we get rid of static on-
demand tests with their mass of
invalidated samples, the copying
of classifications will at least be
significantly reduced, test results
will correspond more closely to
reality (even if that means saying
good bye to 99.x% detection
rates) and in the end everyone
will benefit: the press, the users
and of course us as well.
3rd quarter 2010 SECUREVIEW |9

Security defies the ash clouds
The Infosecurity Europe 2010 event attracted a huge number of visitors
despite the chaos to European airspace caused by the eruption of the
Icelandic volcano. This year the focus was on data loss, Cloud Security
and Web 2.0. There were very many popular exhibition stands at this
year’s event, but the thing that really seemed to pull in the crowds were
the various workshops and presentations that covered everything from
the latest industry technologies through to business strategy.
Article by
Elmar Török
Elmar Török has been
working in the IT-Industry
since 1989. He became
an author and technical
journalist in 1993 while
studying electrical
engineering in Munich
and Kempten. Since then
he has written hundreds
of articles for just about
every major computer and
networking publication
in Germany. Elmar
specialises in IT-Security
and storage issues,
has a solid knowledge
of server-related topics
and knows his way
around virtualization.
He is the Editor-in-
Chief of the security
periodical “Infodienst
IT-Grundschutz” and
is involved in the final
acceptance process of
new material for the IT-
Grundschutz Catalogues
of the Federal Office for
Information Security.
|
10 SECUREVIEW 3rd quarter 2010
REPORT | Infosecurity Europe 2010
There was no mistaking the result of this
particular match: Infosecurity Europe 1 - Ash
cloud 0! Despite all the disruption to the airspace
over Europe, the UK’s most important security
event, now in its 15th year, drew in a record
number of exhibitors and visitors. Over 12,500
eager attendees turned up to take advantage
of what was on offer from the event’s 324
exhibitors. Many of the visitors were drawn by
the quantity of very well-known and respected
speakers delivering the keynote speeches and
holding workshops, not to mention the fact that
a number of companies chose the event to make
some pretty major announcements. Among them
were Symantec who announced the purchase
of encryption company PGP and GuardianEdge
for a cool $370 million [US]. Two lectures in
particular garnered a great deal of attention:
Pricewaterhouse Coopers (PwC) announced the
results of their study on data loss, whilst David
Smith, Deputy Commissioner for the Information
Commissioner’s Office (ICO), announced tougher
penalties for the loss of customer data.
Earls Court: The Place to be for Infosecurity Europe 2010
CONCEPT: EXHIBITION
AND LECTURES
As they have in previous years, the organizers
of Infosecurity 2010 pursued a two-tier approach.
The central exhibition hall was the venue for the
exhibiting companies, with booths designed to
allow visitors and company representatives to
hold discussions away from all the hustle and
bustle. Both sides, exhibitors and visitors, rated
the layout very highly. Nina Malchus, Director of
Publishing for SecuMedia and a regular at the
event gave her impression of the exhibition hall:
“The hall is very busy and makes a big impression
on the visitor. There is an awful lot to see,
observe and experience, but it’s possible to get
round everything in a good day.”
David Tomlinson, Managing Director of Data
Encryption Systems was similarly impressed. “Our
booth was visited by many visitors who were very
keen to do business. The event is an ideal place to
meet new clients.” Analysts confirm that impression.
www.secureviewmag.com
David Smith, Deputy Commissioner for the Information
Commissioner’s Office during his keynote
Nigel Stanley, Practice Leader of IT Security
at Bloor Research said, “As an analyst I
feel that Infosecurity Europe is the most
important event of the year. It’s here that
you meet with the manufacturers and get
to know about all the latest industry trends.
For me, it is certainly time well spent.” That
the event draws such large numbers of
visitors and manufacturers is due to both
the professionalism of Claire Sellick, Event
Director for Infosecurity Europe, and the
greatly increased threat levels existing in
the field of IT security these days. After
several years of relative stagnation, British
firms are now facing a punishing new wave
of cyberattacks, the impact of which is
estimated to be in excess of £10 billion
[Sterling] per year. “This raises awareness of
IT security management quite considerably,”
Sellick is convinced.
OPENING KEYNOTE
TARGETS DATA LOSS
In his keynote address, David Smith,
Deputy Commissioner for the Information
Commissioner’s Office (ICO) painted the
following picture: “In little more than two
years, 960 instances of data loss were
recorded, that averages out to about 30
per month,” said Smith. According to his
information, the UK’s National Health
Service (NHS) alone accounted for about
30 percent of the total. He believes that
“It is very probable that in the nearest
future it will be a legal requirement in the
United Kingdom to notify the authorities
of any data losses” Even a study by
Pricewaterhouse Coopers had little to
report that offered any hope. A worrying
92 percent of all large enterprises
suffered a security incident or data
www.secureviewmag.com
Infosecurity Europe 2010 |
loss last year. The study, ‘A Survey of
Information Security Breaches’ found
that cybercriminals were themselves
becoming increasingly organized along
traditional business lines and this is
driving a demand from industry for
adequate means of protection. However,
many enterprises remain woefully
unprepared or only partially ready to
meet the incumbent threat.
For many visitors to Info Security
2010, the workshops on offer were the
real highlight. The organizers divided
the event into three sections: keynotes,
business strategy and technology. The
business strategy presentations earned
consistent praise. With their limited
duration of 45 minutes they were ideally
suited to visitors who wanted to grab as
much information as possible in a short
space of time. The audience very much
appreciated the fact that the sessions
were not usurped for the purposes
of marketing and sales. Ian Mann’s
talk on Social Engineering came in for
particularly high praise. The author of
‘Hacking the Human’ provided several
amusing anecdotes in which he explained
why the human animal sitting in front of
the screen is the biggest security risk for
most companies.
EUGENE KASPERSKY
ENTERS THE IT HALL
OF FAME
Much applause was also heaped upon
the keynote ‘Cyber Warfare - War Stories
from the Front Lines’. The long queues
outside the entrance were a surefire
indication that something special was
Where Products and News Abound: Companies present their wares in the exhibition hall
REPORT
about to take place there. What the two
speakers, Marc Kirby and Sean Hanna,
subsequently delivered was probably
the most entertaining and exciting event
of Infosecurity Europe 2010. Eugene
Kaspersky, CEO of Kaspersky Labs also
took to the stage to share his vision of
what the future might hold in terms of
IT technologies. According to Eugene, in
the future the smartphone will be king,
with everybody owning and using one.
Kaspersky, who during Infosec 2010 was
inducted into the Hall of Fame, stated
emphatically that the world will see an
explosion in the development of hardware
and software for smartphones. “I believe
that in the nearest future, smartphones
will have enough memory and computing
power to hold all our personal data, as well
as movies, pictures and other information.”
He stated. “There will be no reason to use a
computer any more. Why would you? All you
need is a keyboard, a screen and a network
connection.” Such a revolution would
increase the attacks on mobile devices
considerably. However, these are far easier
to protect against due to the centralized
nature of the providers’ infrastructure.
As evidenced by the continuing
increase in visitor and exhibitor numbers,
Infosecurity Europe is very much on the
right track. Claire Sellick sees the growing
success of the event as being due to
companies realizing that IT security is
now as essential prerequisite for new and
profitable products and services. Events
like this that bring together suppliers and
customers so that each may appreciate the
wishes and expectations of the other will no
doubt shape the future of the IT industry.
Sellick stated that 82 percent of the stands
available for Infosecurity Europe 2011 have
already been booked. RE
3rd quarter 2010 SECUREVIEW | 11
 TOP STORY | Keyloggers Keyloggers | TOP STORY

Skeleton Keys SOFTWARE

KEYLOGGERS
The general modus operandi of a
keylogging program is that it is loaded
onto a PC where it resides quietly and
monitors keyboard inputs, whilst at
the same time performing a range of
The ability to monitor what a PC user does on their computer is of great accompanying tasks such as avoiding
detection and passing on any collected
interest to the cybercriminals, primarily for the purposes of espionage and protocols and data etc. There are a large
the stealing of passwords, but it can also be a positive thing, assisting number of free commercial keyloggers
available, as well as specialized catalogue
with legitimate tasks such as managing staff productivity and protecting sites containing the results of keylogger
tests and their descriptions. A perfect
a company from the unwanted disclosure of information. It has long been example of such a resource can be found
understood that where demand exists, supply is sure to follow, and thus at: http://www.keylogger.org

the market is rich in espionage technologies, of which some are free and
others are not. The largest demand within this market is for keyloggers.
Article by
Oleg Zaitsev
Chief Technology Expert
at Kaspersky Lab
Oleg joined Kaspersky
Lab in 2007 as a
Developer in the Complex
Threat Analysis Group.
He was promoted to
Technology Expert
in November 2008
and is responsible for
carrying out research
into new detection and
disinfection technologies,
investigating and
disinfecting remote
systems and analyzing
the behavior of malware.
The first Keyloggers appeared a very long time ago.
During the MS DOS era at the end of the 80s and
the beginning of the 90s there were a huge amount
of keyloggers about, most of which were written in
assembly language and used the INT9h interrupt
and INT16h capture. Along with the development
and distribution of Windows came the Windows
keyloggers. Their creation was made simpler by
the fact that the Windows GUI already included
a standard keyboard event capture mechanism
and keyloggers based on this system where very
simple and contained no more than thirty to fifty
lines of code. Additionally, such Windows features
as multitasking and multi-window applications
interfaces have made the spies’ task wider. In order
to simplify protocol analyses, today’s data spies have
to determine to which window and which particular
application an input belongs. They can track a user’s
Internet activity, trace IM correspondence, take
screenshots of the display and the active windows
and perform a whole host of similar nefarious
actions, right up to secretly activating the microphone
and webcam. As a result, the majority of modern
keyloggers could more accurately be described as
’universal loggers’ or ‘universal spies’. It should be
noted that most modern keyloggers will actively
disguise their presence on a system, usually with the
help of rootkit technologies.
THE PURPOSE OF
KEYLOGGERS AND THEIR
FIELDS OF APPLICATION
The main purpose of any keylogger is to
secretly record all of the keystrokes made by the
user. The recorded information usually relates
to whatever is happening in the active window. It
is important for protocol analysis as a Windows
user may randomly change the active window a
number of times. Another thing that has to be
borne in mind when working with text in present-
day applications is the possible use of the
Windows clipboard. Thus a keylogger has to keep
track of the clipboard contents and incorporate
it into the protocol when a ‘paste’ command
is detected. The protocol recorded during a
keylogging session then has to be analyzed either
automatically or by the person who installed
the keylogger for the purposes of recovering the
desired data. Typically this will include passwords,
account and credit card login credentials or
specific behavior, such as the entry of data into a
password field or form on a given website.
Statistically keyloggers are more often than
not used as follows:
• Domestic usage: parents spy on children;
husbands and wives spy on each other, etc. In
this situation we are talking about the home PC,
where installing a keylogger and analyzing its
protocol is relatively easy.
• In a business environment keyloggers can be
used for different tasks:
□ It can be used by an insider as an instrument
to secretly spy on their colleagues. The worst
scenario is when the insider is a member
of the IT department, which allows them to
install a keylogger on a user’s computers and
gain access to the recorded data later on
without any problems.
□ A security department may install keyloggers
to spy on users for any number of reasons. The
detection of improper PC use, the collection of
data in internal investigations, the monitoring
of users correspondence and IM traffic, etc.
SpyAgent allows you to monitor virtually everything users do on your computer
□ A keylogger can be an espionage
device when installed onto a rival’s
system by a competitor.
• Keyloggers can be used by private
detective agencies, special services
and criminal organizations as a means
of spying on users.
• Keyloggers can be part of a malware
program and can be used for the
detection of passwords, credit card
numbers and other such important
information. This type of keylogger can
operate automatically, becoming active
only when certain application windows
or websites are open.
When a keylogger is employed by a
cybercriminal it becomes a very significant
threat to the user, as most importantly, it
allows the acquisition of a user’s passwords
which then provide unauthorized access
to the user’s email, social networking and
online bank accounts.
THE LIFECYCLE OF
A KEYLOGGER
Just as with any spyware, the lifecycle of
a keylogger consists of three main stages:
1. System penetration. This operation
can be performed manually and it is
typical for the majority of commercial
keyloggers. To do this the cybercriminal
needs remote or local access to
the PC. The second variant is the
installation of a keylogger with the help
of programs such as Trojan-Dropper and
Trojan-Downloader. It is very common
knowledge that a lot of Trojan samples
contain keylogger functionality built in for
the purposes of spying on users, usually
for the harvesting of passwords or credit
card numbers.
2. Spying on users. During this process it
is very important for the keylogger to
remain undetected, and several methods
exist to achieve this.
3. Passing the collected data to the
cybercriminal. This process is greatly
simplified where the criminal has access
to the target PC. When access does not
exist, commercial keyloggers offer a rich
choice of possibilities. Data can be sent
via email, passed over a network, or
downloaded from an FTP server.
Antivirus programs, for example Kaspersky Internet Security 2010, react unequivocally to cyclic interrogation
from the hidden window
Keyloggers that
operate according to the
interrogation cycle principle
This type of keylogger is the simplest
of all and is based on the system of
assigning a number of API-functions to
the applications for interrogating the
keys on the keyboard. For example,
the GetAsyncKeyState function shows
whether the named key is pressed or
released, and GetKeyboardState returns
an array of 256 elements with the state
of each key on the keyboard, but works
only with GUI applications. This method is
very simple to perform and undetectable
as there is no embedding of DLLs or
hardwired installation, however for better
results it is necessary to use high speed
interrogation, in the order of no less than
10-20 polls per second, otherwise data
can be missed.
Countermeasures: Detecting cyclic
interrogation in itself is not difficult. The
main problem is how to tell whet her it is
a keylogger or a legitimate program doing

|
12 SECUREVIEW 3rd quarter 2010 www.secureviewmag.com www.secureviewmag.com 3rd quarter 2010 SECUREVIEW | 13
 TOP STORY | Keyloggers
the polling, for example, a computer game.
Typically, the approach used is that if an
application window is open, visible and
remains as the input focus – it is considered
that such a poll is legitimate. When the
window is minimized or another application
window has the input focus – then such
behavior is considered suspicious and is
usually automatically blocked.
Keyloggers working as traps
Keyloggers based on a trap mechanism
(Hook) are considered the classic method
for the creation of keyboard spyware
and this approach is well documented
and works only for GUI applications.
Traps allow the keylogger not to trace
the keystrokes themselves, but to track
messages that are processed in the
windows of other GUI applications. The
hook handling code has to be placed in
a DLL, with installation and removal of
the hooks being performed with the help
of the API functions SetWindowsHookEx,
for installation of the hook, and
UnhookWindowsHookEx for removal of the
hook. When SetWindowsHookEx is being
called, the type of message is specified
as one of the parameters for which
the hook handler should be called; in
particular WH_KEYBOARD is designated
for the logging of keyboard events and
WH_MOUSE for mouse events. The hook
can be installed for a particular flow or for
all of the flows in the system.
From a technical point of view, after
registration of the hook the following
AVZ Analyzer is able to describe keylogger behavior in detail
|
14 SECUREVIEW 3rd quarter 2010
The principle of operation of the UserMode keylogger is quite simple
happens: after the GUI application
receives the first message that meets the
conditions for hook activation, the DLL
containing the hook code is loaded into
the process’ address space. After that the
hook code receives full privileges.
Countermeasures: The hook’s
installation is not hard to detect and block
with the help of a behavioral analyzer;
also it is not difficult to study the behavior
of the hook code and its reaction to a
keyboard input. The main problem is how
to tell the difference between a keylogger
and a legitimate program, for example, a
keyboard format switcher.
Rootkit-keyloggers
This is relatively rare, but one of the
most dangerous keyboard spies. Its
principle of operation is based on its
ability to capture any set of functions
responsible for message processing or
processing of the inputted text. In the
simplest case, this method is based
on the capture of the GetMessage,
PeekMessage and TranslateMessage
library User32.dll functions, which allows
the monitoring of any messages received
by the GUI applications.
The danger of this keylogger is that
interception can be carried out with
the help of various methods, the set
of captured functions are not known in
advance. ‘Targeted capture’ is possible
when the capture code is inserted only
into specific applications and only under
certain circumstances, for example, when
a password input window is displayed.
Another dangerous feature of the rootkit
keylogger is that virtual keyboards cannot
provide protection from them.
Countermeasures: The embedding
of the capture code is a potentially
dangerous and suspicious action, which
is why it can be detected and neutralized
by antivirus programs during penetration
and at the stage of heuristic checking, for
example, during emulation before launch.
Kernel-mode keyloggers
Spyware of this class are based on the
following three principles:
• Installation of a driver-filter for the
keyboard driver. The method of writing
these drivers has been documented,
for example, it is possible to find
relevant information in the DDK (Driver
Development Kit) on the Microsoft
website (article ID 176417) as well
as an example, Ctrl2Cap, on http://
www.sysinternals.com. After loading,
the spyware must connect to the
keyboard driver stack with the help of
the IoCreateDevice and IoAttachDevice
functions. The important point is that
the driver-filter will not register IRPs
(I/O Request Packets) with data about
keystrokes, but IRPs with requests
for data from the Kbdclass driver.
Information about keystrokes will be
available from the moment that the
Kbdclass driver finishes the IRP and
transfers the requested data to the
IRP buffer. Therefore the keylogger
filter has to install its own termination
www.secureviewmag.com
Modern hardware keylogger is not hard to make
procedure for every IRP of the IRP_
MJ_READ type. The keylogger does
this with the help of the API function
IoSetCompletionRoutine. During the
termination procedure the keylogger has
to analyze the received keystroke data
and then enter it into the protocol or
transfer it to the User Mode component
for further analyses and recording.
• Substitution of the system keyboard
driver with the keylogger driver.
• The use of rootkit technologies. This
approach equates to a User Mode
rootkit keylogger and can intercept
PeekMessage in win32k.sys functions
by means of searching for and modifying
their addresses in the system table
KeServiceDescriptorTableShadow.
Countermeasures: Preventing kernel-
mode keyloggers is more difficult as an
application that installed its own driver
can control the system. However it is
possible. As a minimum, antivirus programs
can block the installation of unidentified
drivers, especially if it is a hidden
installation. Additionally, interception
analyses are possible (for the detection of
rootkit-keyloggers) as well as analyses of
the chain of keyboard driver driver-filters.
HARDWARE KEYLOGGERS
A hardware keylogger is a device
that performs the logging of keystroke
information and is hardware-based
and does not rely on the installation of
any software. The main danger of the
hardware keylogger is that it makes it
www.secureviewmag.com
Keyloggers | TOP STORY
impossible to detect the keylogger using
an antivirus or antikeylogger solution.
Additionally, some types of hardware
keyloggers do not even require a physical
connection to the PC at all. By its
principle of operation and information
acquisition methods, the hardware
keyloggers can be classified according to
several categories.
Connected to the keyboard
Often these keyloggers are connected
to the keyboard interface cable. They are
universal and usually connected without
the need to cut any cables. Generally, these
keyloggers take the form of a miniature
device with a PS/2 or USB input connector
for connection of the keyboard and an
output connector for connection to the PC.
Because of its miniature size, a keylogger
is often disguised as something familiar
to the user, for example, a ferrite filter
for the suppression of electromagnetic
interference, or a converter of some
description. The advantage of this type of
keylogger is that its connection requires
literally only a few seconds and this
operation can be performed by unqualified
staff, for example, a cleaner. Such
keyloggers accumulate recorded data on
their internal flash memory (This is the
classic solution. The amount of memory can
vary from around 2 Megabytes up to a few
Gigabytes), or they can transfer the data
via a radio link, for example with the help
of Wi-Fi or Bluetooth. It is important to note
that keyloggers such as this may contain
custom programs too, for example, to carry
Corporate keyloggers
Separate mention should be made of
that specialized category of keyboard
spies - keyloggers for the corporate
network. As a rule, they contain a
means for their automatic centralized
installation and online management
and can be integrated with the
domain controller and the personnel
record databases. The transmission
of data from such a keylogger on the
management server can be in real-time.
The keylogger’s controller is also placed
on the server as well as the database
for the accumulation of any results and
the analysis tools necessary to examine
the collected data. Analysis, as a rule,
takes the form of searches for passwords
and expressions and input data on the
frequency and densities of the detection
of the assigned samples. One additional
interesting feature of similar keyloggers is
the system’s reaction to specific patterns
of behavior - for example, the input of
a company’s accounting data into an
open SAP R3 window is considered a
normal action, the input of the same data
into the ICQ window causes the system
to react immediately by notifying the
company’s security services.
out audio recording. These keyloggers draw
their power directly from the PC.
At the present moment hardware
keyloggers cost around $200-400.
A number of companies have set up
production lines for their manufacture.
There are keyloggers that sit inside
the keyboard or system block. This type
Examples of commercial hardware keyloggers
3rd quarter 2010 SECUREVIEW | 15
 TOP STORY | Keyloggers
of keylogger is more difficult to detect,
but naturally, it is more difficult to install.
Usually it is installed in the same way
as a classical keylogger, but inside the
keyboard rather than in line with its cable.
It is possible to use a specially designed
frameless model of keylogger that was
created specifically for embedding, or
to create your own basic keylogger, as
can be seen at: http://www.keelog.
com/diy.html which is based on the
AT89C2051microcontroller. Using this
chip, even a schoolboy with an elementary
knowledge of electronics can manufacture
their own keylogger. Additionally, some
companies produce keyboards with
keyloggers already built in which are
indistinguishable from normal ones. (See:
http://www.keelog.com/usb_hardware_
keylogger.html).
Countermeasures: It is very difficult
to protect against hardware keyloggers
as they are almost undetectable using
software tools. The word ‘almost’ is used
here as hardware keyloggers contain
software components that interface with
the hardware. As for the rest, the protection
measures available are pretty low-tech
and include protecting keyboard frames by
using labels and seals along the assembly
joints, the placing of sticky labels on the
points of connection of the cables to the
system block and sealing the system
block itself. Keeping a label log and doing
periodical label audits is then necessary.
Keyloggers operating without
connection to the keyboard
This type of keylogger is much more
exotic than the rest and is utilized when
the acquisition of immensely desirable
information is required and when it is not
possible to use commercially produced
hardware solutions.
Essentially, these keyloggers capture
the secondary electromagnetic radiation
emanating from keyboards and their
A keylogger can be installed inside a keyboard without it being noticeable
|
16 SECUREVIEW 3rd quarter 2010
associated cabling. The main problem
with using these keyloggers is that the
secondary radiation coming from a
keyboard is of such low signal strength
that it is difficult to pick up from a long way
away. The task is even more difficult to
perform in a room where there are several
computers, each with identical keyboards.
However, stories about the successful
capture of data from distances of 10-20
meters as well as about the development
of such equipment appear in the popular
press from time to time. For example, the
article http://lasecwww.epfl.ch/keyboard/
even contains a video demonstration of
just such a process.
Countermeasures: Countermeasures
are common for Secondary Electromagnetic
Radiation and Induction (SERI). Screening
and good earthing decrease the level of
SERI and special disturbance generators
make it significantly more difficult for
cybercriminals to intercept and identify any
useful information.
Another well known method is simpler
to perform and based on the capture and
analysis of the sound produced by the
individual keystrokes. Scientists from the
University of Berkeley in California carried
out significant amounts of research in this
field and in their results published in 2005
they showed that it is possible to recognize
between 60 and 90% of keystrokes using
ordinary sound recording techniques.
Countermeasures: The main method
of protection in this case is to advise
personnel of the risks and explain that
inputting their password when a mobile
phone is on the table nearby is not the
best way to ensure security.
Secretly observing input
This method becomes more and more
topical because of the fact that modern
portable autonomous video recorders are
no larger than a box of matches in size
and come in many guises: watches, pens,
A spy pen with an embedded video camera and recorder
for 3 hours of continuous recording can ‘accidentally’
be placed on the Director’s desk if his company is under
attack from commercial spies
lighters, packs of cigarettes, car alarm/
locking fobs, calculators, organizers and
other small devices that do not attract
any special attention. The criminal can
‘accidentally’ leave such a recorder on
somebody’s table and come back to pick
it up a couple of hours later. It is important
to say that just a few years ago this type
of devices could only be seen in spy
movies, now they are being manufactured
commercially. Therefore it is not unusual
to come across such devices in the hands
of the cybercriminals. They range in price
from $100 to $400. Such devices are
mainly used in the corporate sphere,
where the probability of commercial
espionage is quite high.
Countermeasures: The main method is
to train and instruct personnel that there
should be no unauthorized devices at their
workstation and particularly in the vicinity
of the screen and keyboard, especially
those left by ‘forgetful’ visitors.
PROTECTIVE MEASURES
As you already know, there is a large
number of keyloggers of different types,
each with its own set of dangers. Let’s have
a look at the main universal methodologies
that can be used to combat keyloggers. It
is important to note that maximum effect
is achieved when a combination of the
measures discussed are used.
Antivirus products
An antivirus solution offers a minimum of
two lines of protection, signature detection
and detection by the various heuristic
procedures which analyze the behavior of the
application. It should be noted that signature
detection is not very effective for a number
of reasons, the two most basic being:
• The standard keylogger is extremely
simple in design and can be written by a
student in 1-2 days (plus on the Internet
www.secureviewmag.com
there are many complete source
codes available). Consequently, the
signature detection of such home-made
keyloggers will be relatively ineffective;
• Strictly speaking the keylogger is
not a harmful program. It can be a
commercial application with a license
agreement and an installer and the
detection of this application is not
entirely warranted, especially if we are
talking about a corporate product;
Accordingly, heuristic analysis on the
basis of emulation data or behavioral
analysis for example, is not subject to the
drawbacks mentioned above.
Virtual keyboard
Virtual keyboard is an application
(either stand-alone or part of a protection
package), intended for emulation of the
keyboard. The keys of the virtual keyboard
are pressed with the help of a mouse.
Generally, use of a virtual keyboard
makes it possible to evade all forms of
hardware keyloggers as in this case, the
normal keyboard is not used. However, it
does not provide protection from many
software-based keyloggers and other
espionage measures, such as the taking
of screenshots. However, antivirus or
anti-keylogger virtual keyboards will
activate a number of additional measures
to enhance protection, such as blocking
traps, the prevention of screenshots and
other similar activities. The range and type
of these countermeasures are specific to
each product.
Password Managers
A password manager is an application
which contains a database of the user’s
login credentials. Generally the database will
be encrypted and a master password known
only to the user is required for access to
and decryption of the database’s contents.
Sometimes biometric authorization or a
USB-token can serve as a password. The
benefit of password managers is that
passwords are not entered manually each
time, which completely excludes their
interception by all forms of hardware and
software keyloggers.
Rejecting the usual
passwords and PIN codes
The means of protection described
above can be supplemented with the
following methods, which guarantee an
additional level of safety.
• The use of code tables. A code table
is a normal table, which can be stored
in the form of a picture or printout and
www.secureviewmag.com
Keyloggers |
Kaspersky Internet Security 2010’s virtual keyboard prevents the taking of screenshots
contains X times Y number of cells.
Generally anything from 10 x 10 to 16
x 16 is used. A table is generated by
the server and a copy is sent to the
user for printing (or a copy is sent via
registered post). When carrying out
the authorization process the user
is prompted to enter the contents of
certain cells selected at random by the
server. This process can either take
the place of a password or can be in
addition to it. It can be seen that the
interception of a specific combination
will make it possible to learn the
value of two or three cells from the
possible hundred-plus and that during
subsequent authorization sessions,
other cells will be requested. However,
the keylogger is unable to fix the
requested cells position - and so the
criminals will not know which cells were
involved without resorting to taking a
screenshot. The benefit of this method
lies in its simplicity. Similar technology
is used by the Russian payment
transfer system Yandex Money.
• Use of one-time passwords. This
method is similar to the previous one,
but in this case the user receives a
table of one-time passwords, and
once used, that password is then
crossed out. The method can be used
in reverse, with the user removing
the opaque protective coating from a
sequential password list printed on
a card. In this method the danger of
password interception with the aid
of a keylogger is completely avoided.
However, the quantity of passwords
is limited and it will be necessary to
obtain a new list at some point.
• Use of a password generator. An
electronic token is used for the
generation of passwords, the
generated passwords are not repeated
and they are produced according to a
specific algorithm. It is considered that
the algorithm and the secret key within
cannot be deciphered based on just a
few intercepted passwords.
• Adopting two-factor authorization, for
example, with the use of an eToken. In
this case the theft of passwords is not
TOP STORY
dangerous, since it is useless without
the accompanying token. The reverse
also applies. The eToken is useless
without the password.
CONCLUSION
Thus we have examined the basics
of software and hardware keyboard
spies. In summing up it is worthwhile
mentioning that the situation in this
area of technology is changing radically
by the day. Two or three years ago
hardware keyloggers were some sort of
techno-marvel, now they are produced
commercially with many different
models available, beginning with the
basic 32 KB types, right up to devices
with several GB of memory and wireless
control. It should be assumed that the
development of the hardware keylogger
market will continue and possibly in the
very near future we will see an entirely
new generation of ‘software-hardware
spies’ which will not require access to
the victim’s computer at all. RE
Wireless keyboards - convenience
for the user or paydirt for the spy?
The developers of wireless devices
usually employ a standard interface
for the transmission of data (most
frequently Bluetooth), or use their own
bespoke system of wireless connection,
integrating a transceiver into the
keyboard, connected to the USB or PS/2
socket. In both cases, information is
broadcast about which keys have been
pressed and this can be intercepted
by a cybercriminal. Unfortunately, the
protection algorithms employed in these
circumstances often does not provide
guaranteed security. As a result, it was
only matter of time before the ‘radio
sniffer’ and ‘wireless keylogger’ was sure
to appear. Moreover, one of the most well
known practical manifestations is freely
available at http://www.remote-exploit.
org/Keykeriki.html.
3rd quarter 2010 SECUREVIEW | 17
 ANALYTICS | Internet fraud Internet fraud | ANALYTICS

The Sound of Deception

On the one hand this led to the rapid
spreading of ‘audio drugs’ among Korean
and Chinese users. On the other, the
largest part of the information about
‘audio drugs’ available on the Internet was
not of a commercial nature, but rather
Are you afraid of something? Do you have hopes and dreams? Got any contained the opinions of those that had
experimented with the new product.
complexes? Are you a curious person? If the answer is ‘yes’ to any of But the party ended as quickly as it
started – by summer when the audio
those questions, then you are a potential victim of the so-called ‘Social narcotic wave hit Russia, those in
Engineers’. These ‘social engineers’ use their advanced knowledge of China had already recognized that the
phenomenon was nothing more than
the psychological weaknesses of humans to lever unwary users into another fraudulent attempt to part
fools from their money and any mention
sending them login credentials for their social networking accounts, of it practically disappeared from the
give them access to their PC’s, or to unwittingly ‘share’ the use of their newspapers and blogs overnight.
credit card. Additionally, social engineering is used for the shrewd
placement of product advertisements designed to generate income for
ARRIVAL IN RUSSIA
the spammers in the future. In June, when audio drugs were first
launched onto the Russian Internet, the
sellers started to operate according to their
The fraudsters didn’t stint on creating attractive, good-looking advertising for their websites
old ways, with mass spam mailings sent
via instant messaging programs, social
Article by is what causes the range of feelings that the of any wide-scale promotional campaign networks and email.
Maria Namestnikova SCIENTIFIC APPROACH user is supposed to experience. The ability of AMERICAN PROTOTYPE didn’t help either, and nearly all the users Such mailings went on for the entire
Spam Analyst
at Kaspersky Lab
those kinds of rhythms to produce a relaxing who tried the program left feedback about year, but the effect from the very first wave
During 2009, the social engineering fraternity effect has been common knowledge for a long Those websites offering audio drugs the lack of any effect at all, not even a of spam was such that within the first
put their dubious talents to work advertising a time already. It is used, in particular, in special contain an explanation that “Audio headache, caused by using the program. week the need to advertise was negated –
very interesting ‘invention’ - ‘audio drugs’. More music designed for meditation purposes due to drugs have only appeared in Russia Thus, the popularity of this new product news of the audio drugs had started
precisely, they used their talents slightly earlier, its calming effect. Actually, that kind of reaction quite recently. They were developed by in the US and Europe quickly subsided, but spreading via word of mouth. Thus by 01
inventing the whole concept themselves and has far more to do with a repetitious binaural American scientists and are in great the idea itself continued to live on in the June, Yandex’s “pulse of the blogosphere“
then building the websites to fit their rather rhythm. Everybody knows, for example, that it is demand on the local market”. This minds of the ‘social engineers’. peaked with a total of 94 mentions of
twisted purpose. easy to fell asleep listening to the clickety-clack statement is disputable as this product audio drugs, sound drugs and electronic
So, what on earth are ‘audio drugs’? The answer of a train’s wheels– repeating a binaural rhythm has never been heard of in the US, at drugs. In any case, every website offering
to that question is available on any website that is the same thing. The question as to whether least in the form that was used for selling EXPANSION EASTWARD narcotics was stuffed full of feedback
sells ‘audios’, the now-common slang word for these and how such monotonous binaural rhythms it in Russia. It is necessary, however, from supposed clients who’d already
drugs. According to one site: “Audio drugs are files produce the sexual effects claimed by the to make one exception here. Back in At first the fraudsters decided to look to experienced the sensation. Sure enough,
Maria has worked for which imitate, during the listening process, the website owners remains open however. 1980 The American Monroe Institute did the east – Korea and China. Audio drugs all of the comments were not just positive,
Kaspersky Lab since effects of popular drugs, or heighten sexual feelings Now that we’ve got to the bottom of what popularize binaural waves as a means of appeared there around the end of 2008 but highly enthusiastic. Sometimes though
August 2008, firstly as or produce any altered states or moods by using the ‘binaural’ really means, let’s move on and take a beneficially influencing the human psyche. and the beginning of 2009. In these the site’s authors took it too far and
a Junior Spam Analyst, binaural effect”. The binaural effect is the ability of look at how the creators presented their product to They sold tens of thousands of records countries the social engineers copied enthusiasm turned into something quite
then rising to become a human or animal to locate an object through the us: “Audio drugs don’t damage your body and won’t and influenced others to produce records the general concept of I-Doser, offering farfetched and absurd.
one of the Company’s
fully-fledged Spam use of sound emanating from the object. The ability turn you into an addict, but they do have a relaxing and generators of allegedly binaural downloads of audio files for money On top of that, ghost-users would often
Analysts. Her main duties to do this is simply due to each of us possessing two effect on your body, giving you all the feelings that signals that claimed to produce effective that could then be listened to with the pop up on message forums, or they would
include the analysis of audio receivers – our ears. So what the peddlers you get using real drugs, but without the harmful synchronization of brain waves. assistance of special programs. However, create a blog and add lots of people as
German-language spam, of this material are telling us is that the effect of side-effects”. In general, this part corresponds to At the peak of the popularity of binaural later on the situation was considerably friends, in order to share the supposed
completing monthly popular drugs can be synthesized using sound. the ideas about using binaural rhythms in music rhythms in the US, a special I-Doser simplified for these and many other Asian ‘euphoria’ that they had gained from
analytical spam reports As part of their ‘completely scientific’ for meditation – which too is believed to have program was created which became the websites with the appearance of audio using the electronic marihuana. Against a
and participating in the
many Kaspersky Lab explanation of these audio drugs, some websites a positive influence on the body. What isn’t so prototype for ‘audio drugs in MP3 format’. drugs in the popular MP3 format. background of such powerful advertising
educational initiatives. mention the principle of ‘binaural rhythms’ or clear, however, is how it’s supposed to leave you I-Doser was supposed to induce an effect Those websites that were offering by the sellers, messages coming from real
‘binaural waves’. Those rhythms are a bit more feeling ‘positive and relaxed’ as real drugs can analogous to audio drugs – to cause audio drugs in China and Korea stated users stating “I spent money, downloaded
complex, as one website explains: “Binaural do, albeit synthetically. Additionally, the authors sensations, states of mind, emotions that the product appeared first in an audio drug, listened to it and got
rhythms are two tones which vary slightly in of the websites promise us auditory and visual imitating the effects of various chemical Italy. Instructions for the usage of nothing at all from it” or “All I got was a
frequency, each tone being delivered separately, hallucinations. It’s no secret that hallucinations are drugs, etc. The program had the binaural the files were close to the Russian migraine” were largely ignored by everyone
one to each ear. This way, the rhythms are not in any way associated with a healthy mind. So, rhythms theme right at its heart. Obviously version in many instances (‘put on your except the friends of the user. At worst,
perceived as being formed inside your head”. can audio drugs ‘positively’ cause psychological I-Doser was sold online, but the program headphones, close your eyes, relax…etc’) even the users’ friends passed it off as
Without going into details, it’s quite possible that problems? What about the warnings on the itself was free of charge and the download but the principle of action was described “It’s all right, it’s nothing unusual. Some
those rhythms are really being used in sound websites saying “We do not recommend that also contained a few melodies. The in maybe a little more details. The cost feel it while others don’t.”
drugs. But not in quite such a simplistic way… people with existing psychological problems listen program gained a certain popularity in of one ‘narcotic’ track started at around The instructions given to the users
Research shows that binaural rhythms do not to binaural waves as it could exacerbate their the US and some European countries, but $3, but many users uploaded tracks that by the suppliers stated that any users
synchronize brain waves at all. But the creators condition.” So, a relaxing effect that damages your certainly wasn’t the fireworks party that they had purchased to their blogs, which wanting to experience the sensation for
of the websites claim that they do, and that this mind – that sounds a little strange. the creators had hoped for. The absence others then downloaded for free. themselves only needed a player, some

|
18 SECUREVIEW 3rd quarter 2010 www.secureviewmag.com www.secureviewmag.com 3rd quarter 2010 SECUREVIEW | 19
 ANALYTICS | Internet fraud
The I-Doser program was even available as an iPhone app!
stereo headphones and a mobile phone.
Wait a minute…What’s a mobile phone
for? To pay for the product of course! To
receive a narcotic track a user sends an
SMS to a four or five-digit number and
then enters the code they receive into a
special field, which is not an unusual way
of doing things in Russia.
RUSSIA CAN’T
BE UNDERSTOOD....
So, what was the net effect of audio
drugs on the Russian Internet? It was –
it has to be said, overwhelming. Just a
couple of weeks after they appeared, the
young and progressive Internet community
no longer considered audio drugs a
sensation. Some tried it and leant their
expert opinion of the experience to the
knowledge-hungry public, whilst others
were keen to try it, but backed off again on
the grounds of health concerns, and yet
another group were conceptually against
drugs as a phenomenon overall, including
audio drugs in particular. Those hearing
this word combination for the first time
became more and more rare. In blogs,
forums and chats audio drugs became the
hottest topic around.
Unfortunately it was teenagers who
happened to make up the main part of the
electronic drug barons’ target audience,
and as is well known, teenagers are
fairly easily persuaded to try new things,
regardless of their parents’ advice to the
contrary. Tell the younger generation who
have just entered the so-called ‘awkward
age’ that smoking is cool and predictably–
half the school will be hiding from the
teachers and having a cigarette. They do it
to demonstrate the “I am cool” message
to others. The same goes for audio drugs.
|
20 SECUREVIEW 3rd quarter 2010
Whether it was part of the ‘engineers’ plan
or just happenstance, who knows, but the
major part of their Russia audience turned
out to be between 13 and 16 years old.
Teenagers tried the audio drugs just so
that they could turn up at school with the
appearance of being a sophisticated drug
user and report on their “sensational”
experience. Also discussions seen on some
teenagers’ forums often used another very
appropriate word - ‘autosuggestion’. This
is another vulnerability that the ‘social
engineers’ exploited. In other words, those
‘sophisticated drug users’ of 13-16 years
old often did really believe that they ‘got
a kick’ from what they listened to. They
convinced themselves that they had had all
the sensations that they believed a person
should experience having used one of the
more well-known drugs. So by listening to
monotonous binaural rhythms they only
managed to get excited and hyped up
instead of calming down and relaxing.
However the desire to look cool in
front of one’s peers and the attraction to
forbidden fruits are simple human vices,
characteristic not only of teenagers, but
adults as well. It cannot be forgotten
either that many people, when hearing
the words ‘audio drugs’, would have felt
curiosity and a desire to try something
new, thus we can state with confidence
that the ‘social engineers’ received quite
a wide audience ready to pay for their
‘engineering miracles’. Ostentatious
pseudo-science also helped the criminals
not by chance, but in strict accordance
with their plans. The bait was swallowed
not only by schoolchildren, students
and ordinary Internet users, but also
journalists, including those working in big
news and analytical web publications.
It’s interesting to note that the majority
of publications, especially in the first two
months, did not try to understand the
deeper nature of this phenomenon, nor
did they try to explain to their readers what
audio drugs really were. Most articles
published during July and August were
based on the information provided by the
websites distributing the electronic drugs,
and the majority of user reviews in the
publications were just the usual crop of
very artificial ‘bait’-type materials which
the ‘social engineers’ had placed on the
Russian Internet themselves. The only
threat presented to the readers of those
publications was the line that audio drugs
couldn’t be any more dangerous than
traditional chemical ones. The first articles
that brought people round to believing that
audio drugs were nothing more than simple
fraud appeared only at the end of summer,
after an article called “Attention! A new kind
of fraud” was published on the website
of the Interior Ministry on 27 August.
Unfortunately by that time “A new kind of
fraud” was not new anymore and it was
quite difficult to convince many people of it.
In a few months after the appearance
of ‘the miracle’ on the Russian
Internet, it attracted the attention of
the authorities of some regions. On 23
September 2009 in St.Petersburg, audio
drugs were treated almost the same
as pornography and their distribution
among the under-aged strictly forbidden.
As was announced by the Kommersant-
SPB newspaper (№ 177 (4232) of
24.09.2009)”…trading in such products
is banned within a radius of 150 meters
from child-care and educational facilities,
including high schools and universities”
The loud noise in the press also
played right into the hands of the
criminals distributing the stuff. The
scare-mongering titles of the Internet
newspapers and independent analytical
articles only attracted more of the curious
to it. The ‘social engineers’ themselves
started to use ’scandal’ topics to attract
attention to their product. “Danger: audio
drugs can be downloaded for free!”, “Audio
drugs affect brains” and “Audio drugs in
MP3 format cause harm” – screamed
the subject line of one of the posts on a
popular blogging resource. However, the
same post then went on to say that audio
drugs are “cool” and provided links to
some respective sites where one could
find one’s own proof.
The Chinese press was quick to pick up
on the topic of audio drugs
www.secureviewmag.com
Some Russian spam simply contained a link for users to click on, without even mentioning the product in the text
THE CROP IS GATHERED IN
Audio drugs as we all know only too
well were very successful for the ‘social
engineers’. Certainly, behind all the noise
and doubts about ‘High – or no high’,
‘Harmful – or not harmful’ there lies a
simple thirst for profit. The abundance
of similarly-styled websites appearing
en-masse on the Internet at the time
were nothing more than the fruits
of partner program activity. It’s well
recognized that many of the participants
of partner programs certainly don’t hide
their activities and openly share their
impressions of their associations with all
and sundry.
It was thus in a blog on one of the
partner program websites during mid-July
that the following information appeared.
“As far as audio drugs go – when it was
new the theme was great! I tried this
theme a month ago and very quickly
hit 100K Roubles a day! The author
goes on to describe in detail which
tools were used to promote it on which
websites, before eventually admitting
to making “20-60 of Dollars per day”.
So popular has this theme proved, that
cybercriminals were willing to shovel
money at it, whilst journalists, deputies
and simple users continued their
ideological disputes about whether audio
drugs were harmful or not.
SOMETHING NOVEL?
By the autumn of 2009, largely due to
the recession, the fever had died down.
It was time for the social engineers’ to
come up with their next big thing and it
needed to be bigger and better than their
previous brainchild. This time it wasn’t
long in the making, driven by their urge
to earn big bucks. Adding a new twist to
their previously successful scam, they
www.secureviewmag.com
Internet fraud | ANALYTICS
introduced ‘Stereohypnosis’ and to make
sure everyone knew about their latest
novelty, they spammed just as many as
they could by every available means.
The theme of audio drugs undoubtedly
had become very noticeable very quickly.
Despite that, it was already possible to
search Google and find websites offering
video files for download which supposedly
acted on the subconscious, this time,
by means of ‘stereohypnosis’. The name
has become more lengthy and complex
if you notice. ‘Social engineers’ have
long continued to play up the pseudo-
scientific nature of their ‘inventions’. With
stereohypnosis they went one step further,
making it better and more interesting-
sounding than plain old audio drugs. An
explanation consisting of scientific terms
and offering descriptions of its principles
lends itself as well to the electronic page
as it does to the printed page.
Stereohypnosis’ – the next big thing for the gullible
Exactly as with the audio drug websites,
stereohypnosis it was claimed, caused
altered states of consciousness– from
offering relaxation after a long day’s work,
to the heightening of sexual stimulation.
Among the many websites offering various
methods to heighten sexual sensations it’s
not difficult to find many selling ‘A stereo
version of viagra‘.
Creditable reviews from those exalting
the power of hypnosis have long since
appeared on numerous web pages and
websites, and in abundance on the
websites distributing ‘stereohypnosis’.
CONCLUSION
Whatever they do, there are large
doubts that the ‘social engineers’ will
repeat their earlier triumphs, advertising
got underway at the beginning of March
and since then there’s been a distinct
lack of noise from either the electronic
mass-media or the Internet communities.
It seems to prove that the spam mass-
mailings were not as effective as in the
past and that the ‘social engineers’ may
have miscalculated. Firstly, over the past
few months many people have started to
associate payment by SMS-messaging
to short numbers with being ripped off.
Secondly, ‘stereohypnosis’ does not
actually offer anything new under the
sun, and besides, the similarities of the
websites just reinforce peoples’ feelings
of distrust, not to mention the statement
itself, ‘Safe Drugs’ proving an oxymoron
for just too many. RE
3rd quarter 2010 SECUREVIEW | 21

The Downside of Ubiquity
Three years ago, attackers favored Microsoft Office as their vector
of choice for compromising systems. Now, Adobe’s products are
under the microscope.
Article by
Robert Lemos
Robert Lemos is a veteran
technology journalist
of more than 13 years,
focusing on computer
security, cybercrime, and
enterprise issues. Mr.
Lemos spent eight years
as a staff writer at ZDNet
News and as a senior
staff writer at CNET News.
com, which purchased
ZDNet in 2000. He acted
as editor-at-large for
SecurityFocus, a security
news and information site
owned by Symantec Corp.,
from April 2005 to August
2009, providing daily
independent journalism
and investigative
articles covering security
incidents, malicious
code, vulnerabilities
and cybercrime.
|
22 SECUREVIEW 3rd quarter 2010
ANALYTICS | Vulnerabilities in Adobe Software
When security consultant Charlie Miller
decided to look for vulnerabilities in popular file
types, selecting the portable document format
was a no-brainer.
"Something like 90 percent of computers have
Adobe Reader on them," he says. "These are
programs that are ubiquitous in use, but have
a track record of security problems on them,
and that makes them interesting." Miller found
that a fairly "dumb" script that tries different
combinations of PDF file inputs can cause a
Adobe created webpage that contains important information regarding security vulnerabilities that may affect specific versions of Adobe
products and solutions
large number of possibly-exploitable crashes in
Adobe Reader and Apple's Preview PDF viewer.
Miller, a Principal Consultant at Independent
Security Evaluators, is not alone in his interest.
A week after Miller's presentation, researcher
Didier Stevens reported that the warning
message displayed by the command for
launching external applications from Adobe's
Reader and Acrobat could be modified, allowing
malicious applications to be run from a single
PDF file with a watered-down warning message.
www.secureviewmag.com
Vulnerabilities in Adobe Software |
A day later, Jeremy Conway, a Researcher
and Product Manager with NitroSecurity,
demonstrated a way to copy the
embedded executable from one PDF
file to another using Adobe Reader,
opening up the possibility
of a PDF worm.
"It's a beautiful target, if you want to do
some damage," Conway says. "I don't know
of any target larger than Acrobat Reader."
Welcome to Adobe's world. The
popularity of the portable document
format has made Adobe's Reader and
Acrobat top targets of researchers' and
attackers' efforts to find and exploit any
application flaws. The company's other
ubiquitous platform, Flash, has attracted
similar attention from attackers focused
on exploiting victims through the web.
Typical attacks either focus on the
browser or popular browser extensions,
such as Flash Player.
"In that bucket, Flash is at the top of the
list," says Michael Sutton, Vice President
of Research for web security firm Zscaler.
The attention of attackers spells out a
big problem for Adobe. Last year, Adobe
Acrobat and Reader became the No. 1
target among flaw finders focused on
file-format vulnerabilities. While attackers
and researchers ramped up research
on Microsoft Office starting in 2006, the
number of vulnerabilities disclosed in Office
formats peaked in 2008. Now, Adobe
Acrobat and Reader are the top targets. Last
year, researchers found 48 vulnerabilities in
Acrobat and 38 in Reader. Security issues in
Office had dropped to 35.
The trend looks likely to continue this
year, with Adobe's two products on track to
see more flaws and Microsoft Office less.
UNDER ATTACK
It's not only researchers that have
taken a greater interest in Adobe
products. Malicious emails using Adobe's
PDF format account for 61 percent of
all the targeted attacks seen so far
in 2010, according to antivirus firm
F-Secure. Overall, targeted attacks are
set to double this year, according to
Sean Sullivan, a Security Advisor with the
company's North American Labs.
"We are seeing a higher percentage of
attacks using PDFs and more attacks as
well," Sullivan says.
Attackers also have Adobe's Flash
platform in their sights. In the last half
of 2008, a vulnerability in Flash Player
became the most exploited browser
security issue, according to Microsoft's
Security Intelligence Report. In the first
half of 2009, the most recent data
www.secureviewmag.com
Vulnerabilities Disclosed
60
Microsoft Office
Adobe Acrobat
Adobe Reader
45
Adobe Flash Player
30
15
0
2004 2005
National Vulnerability Database statistics data
available, the trend continued with
17.5 percent of browser-based exploits
attacking one flaw in Adobe's Flash Player.
The trend comes as no surprise. Over
the last decade, researchers have moved
away from finding operating systems
vulnerabilities and focused instead on
applications, where flaws are easier to find.
"Applications now make up the vast
majority of vulnerabilities." Jeff Williams,
Principal Group Program Manager for
Microsoft's Malware Protection Center,
told Threatpost in a statement.
The increased attention has put Adobe
products and their development process
in the spotlight.
Microsoft found itself in a similar
position a decade ago. In 2001, the
double tap of the Code Red and Nimda
worms, which exploited a handful of flaws
in Microsoft products, led to the company
creating its Strategic Technology
Protection Program and to CEO Bill Gates'
decision to turn the Microsoft juggernaut
around and focus on security. The
company did not have a chance to lose
its resolve either. The spread of Slammer
in 2003 led to Microsoft committing to
improving the quality of its patches and
simplifying its autoupdate process. Two
months after that, MSBlast infected
millions of Windows PCs, prompting
Microsoft to focus its next service pack
for Windows XP on security.
"Microsoft climbed that learning curve
ahead of other vendors," says Zscaler's
Sutton. "Adobe is definitely on that
ANALYTICS
2006 2007 2008 2009
slope – again, because they had to be.
There is a negative reputation that the
security in Reader and Flash are in need
of improvement."
FROM REACTION
TO ACTION
For Adobe, the turning point came in
2008. While Microsoft and its Office
applications continued to take the brunt
of researchers' and attackers' efforts to
find flaws in file formats, the number of
vulnerabilities disclosed in Acrobat and
Reader had hit an all time high.
Revamping the company's approach to
security became a top priority at Adobe.
In August 2008, the company hired
Brad Arkin – a former manager from
Symantec and @Stake – to head efforts
to secure their products. In December,
the company opened up communications
with the security community with a
statement simply titled: "We care."
"It is very clear to Adobe that we are
receiving increased attention from the
security community," Peleus Uhley, a
Senior Security Researcher at the firm,
wrote in the blog post at the time. "Adobe
has been responding to this increased
attention over the course of the last year
by proactively investing in both internal
and external security measures to further
protect our customers."
As part of its efforts, about half the
company has gone through a security
3rd quarter 2010 SECUREVIEW | 23
 ANALYTICS | Vulnerabilities in Adobe Software
The Adobe Product Security Incident Response Team (PSIRT) blog. The page was created to provide users with security-
related information about Adobe products
certification program to make sure
they understand the basics of secure
programming and the consequences of
flaws. The system focuses on a karate-
like belt system: Eight hours to a white
belt and 12 hours to a green belt. Brown
and black belts are reserved for those
employees that have completed more
advanced projects and research.
“With 100 major projects and some
200 in development, changing the way
programmers write code or quality
assurance testers inspect code is
difficult,” said Arkin. "We want everyone -
no matter if they are a programmer,
a manager, or a code tester – to
understand these issues."
Similar to Microsoft's design and
coding process, the Secure Development
Lifecycle, Adobe launched its own focus
on integrating security into its products,
the Secure Product Lifecycle (SPLC). The
results of code reviews and the progress
of the company's product teams toward
eliminating vulnerabilities is tracked with
a number of metrics and gets pushed
up to the executive suite in the form
of a dashboard.
Yet, results of Adobe's efforts are not
readily evident. While the company has
its own internal metrics, ISE's Miller
points to the ease with which he found
flaws as signs that Adobe's focus on
| www.av-school.com
24 SECUREVIEW 3rd quarter 2010
security is not paying dividends. The
security consultant claims he found 33
potentially exploitable issues through a
fairly straightforward fuzzing process.
Adobe has released two updates since
Miller's initial findings, closing only two
of the more minor issues, he says. While
the company did an order of magnitude
better than Apple's Preview in his tests,
Miller contends that a great deal of work
still needs to be done."Just because
someone is worse, that does not mean
that you should be bad too." he says.
PATCH PRIORI
Adobe is trying to improve its security
in another area as well: The delay
between when a patch is released and
when most users apply the fix.
Over the past six years, the time that
a user waits before applying a patch to
an operating system flaw has remained
steady at nearly 30 days, according to
data from vulnerability scanning firm
Qualys. However, vulnerabilities in
Microsoft Office, Adobe Acrobat and
Reader and Sun's Java are patched much
more slowly. While half of the installed
base of Internet Explorer is patched in
less than two weeks, it takes more than
six weeks on average for half of all users
to plug holes in Acrobat, according to a
presentation given by Qualys at the Black
Hat Security Briefings last year.
Adobe has recognized the situation as
a major problem and decided to change
their updater to silently install patches
by default on unmanaged desktop
systems. Starting with its quarterly
patch in April, the company installed
many updates automatically.
"We saw that a lot of people were not
updating as soon as they could have,
so they were extending their window of
vulnerability," Adobe's Arkin says. He
argues that the old updater would ask
people to apply a patch at the worst
times. "People would be offered the
update right in the middle of something
that they were doing."
Adobe is not alone in tackling the
security problems inherent in PDF files.
Foxit, which produces competitors to
Adobe's Acrobat and Reader programs,
has made security a priority as well.
The company has set internal goals of
responding to any security report within
seven days and fixing the issue within
two weeks. Attackers and researchers
will continue to hammer on the security
of the format, says Eugene Xiong, CEO
of the firm.
"Most people tend to think of PDF as an
electronic document, a scanned page,"
he says. "But it really is a programming
platform. They are not aware that some
kind of logic can be embedded in the file."
Some researchers recommend
that a stripped-down or sandboxed
viewer could help prevent many of the
vulnerabilities from being exploited.
The approach could solve many security
issues by reducing the attack surface
area of Reader and Acrobat. Foxit is
currently researching whether such an
approach could work, Xiong says.
"We are trying to work with the
standards community ... so we can come
up with a subset of trustworthy features
and a set of not-so-trustworthy features
that might need some special handling in
the future," he says.
Adobe's Arkin knows the company's
engineers will be facing determined
attackers for some time, but warns that
the trend toward targeted attacks could
change the vulnerability landscape.
"The bad guys and the threat
landscape will continue to evolve – the
attackers will always go where the
targets are," Arkin says. "In the future,
that could be other applications or
mobile handsets or devices.", "The
lesson is that doing security right is
important for anyone who is developing
software," he says. RE
www.av-school.ru www.av-school.pl
www.secureviewmag.com
 ANALYTICS | Crimeware Crimeware | ANALYTICS

A new round of confrontation than 50% of malware distributed by the

In these modern times, is it possible to effectively stem the tide of
constantly increasing malware attacks on the financial services industry?
The antivirus industry’s constant battle with financial malware, also
known as crimeware, is one of the hottest topics around at the present
moment. Defending online banking clients from harm is a very complex
process and at present, response times from the IT security industry to
the cybercriminals’ attacks is not always as immediate as many would like
it to be. Additionally, the financial institutions are not always that ready to
cooperate openly with the antivirus companies.
Article by
Yury Mashevsky
CYBERCRIMINAL ATTACKS
Strategic Technology
Development Group Manager All too often lately we hear about the
at Kaspersky Lab
cybercriminals’ successful attacks on the clients of
some or other financial organization. The strategy
employed by the cybercriminals to attack the
clients of a financial organization usually follows a
well-trodden path. The search for a suitable victim,
the introduction of a virus infection, the acquisition
of the victim’s online banking login credentials, and
finally, stealing the victim’s money.
One of the most infamous examples of just such
an attack is connected with the ZBot-toolkit (or
ZeuS) family of malware. This particular malicious
Yury joined Kaspersky entity was purpose-built to steal a user’s login
Lab in 2003 as a Virus
Analyst. In 2007, he was
appointed Head of the
Analysis and Statistics
Group, specializing in the
provision of statistical
data illustrating the
evolution of malware.
The geographical location of the ZBot/ZeuS botnet control centers
Information courtesy of ZeuS Tracker
credentials with the express intention of then
accessing their online banking services. It all started
back in 2009 and is still going strong, as no-one
has yet been able to close the ZeuS botnet down.
According to information provided by the Center for
ZeuS Tracking https://zeustracker.abuse.ch,
at the end of March 2010 the botnet contained
more than 1,300 control centres for the zombie
computers. From that 1,300, more than 700
control centres have remained constantly
active; with each centre controlling an average
of between twenty and fifty thousand infected
computers. Knowing these figures, it is easy to
get a good idea about the number of potential
victims. The geographic locations of the botnet
control centres are very widespread.
Many financial organizations, and in particular banks, put additional measures in place long ago for the
electronic authentication of their clients, but unfortunately, even these precautionary measures do not
appear to present a problem to the cybercriminals
Such widespread geographic diversity
ensures the longevity of the botnet. As
recent practice has shown, the botnet
cannot be destroyed by merely closing down
a few of the hosting sites. On 09 March,
Roman Husse who was monitoring the
botnet with the assistance of ZeuS Tracker
noticed an abrupt decrease in the number
of control centers and saw that it correlated
with the disconnection of an Internet Service
Provider by the name of Troyak. By 11
March the number of control centers had
decreased to 104, however, two days later
Troyak found a new teleservices provider
and by 13 March the number of control
centers had increased to more than 700
again, so the joy was premature.
The ZeuS family of malware is a long way
from being the only toolkit that has been
designed for stealing users’ login credentials
with the aim of gaining access to their online
finances. For example, the Spy Eye toolkit
is not only capable of stealing the required
data, but can also destroy its ZBot/Zeus
competitor, meaning that there is a virtual
war going on under our very noses. Another
similarly shining example is the Mariposa
botnet, which included some 13 million
computers located all over the world. That
botnet, however, was completely destroyed
by Spanish police in December 2009.
On the control panel of the Spy Eye botnet,
the cybercriminals had chosen icons in the
style of ‘sacks of money’ to represent each
user of an infected computer in the botnet.
These botnets act as greenhouses for the
propagation of financial malware. It is with
this kind of malware that the cybercriminals
steal users’ money most readily. Figures
demonstrate very vividly the dramatic
increase in the quantity of malware that is
used for stealing the online banking details
of clients.
The figures provided show an exponential
quarterly increase in financial malware from
the moment when it first appeared to the
present moment. What makes the situation
worse is the fact that a large percentage
of the malware in question cannot be
detected by the antivirus programs of the
majority of manufacturers at the moment of
its first appearance. For example, according
to information provided by the ZeuS Tracker
Center, during the middle of March more
ZBot/Zeus botnet has not been detected.
That means that the malware attack was
successful. By the time that users received
adequate protection from the antivirus
companies, the cybercriminals had already
made off with all the information that
they needed.
FINANCIAL
ORGANIZATIONS:
PROTECTING CLIENTS
Sometimes when antivirus updates lag
noticeably behind the contemporary threat
level, financial organizations try establishing
and implementing their own methods of
client authentication in order to minimize
risk and maximize their resistance to the
efforts of the cybercriminals.
It must be acknowledged that of late,
many leading financial organizations
have started to introduce additional
solutions and methods for the electronic
authentication of their clients. Some of
these are listed below:
• TAN codes (Transaction Authorization
Number - A one-shot password for the
confirmation of transactions)
• Virtual keyboards
• Binding clients to fixed IP-addresses
• Secret questions and keywords
• The use of hardware-based keys for
additional authentication
• Biometric systems of authentication
We are not going to stop and talk about
the methods that the cybercriminals use to
overcome these obstacles, but we ought to
point out though, that they know how to ‘cheat’
the protection systems in place and that their
methods are indeed quite successful.
Certainly, the measures taken by the
financial institutions have made life for
the cybercriminals much more difficult,
but at the same time, these measures
have not become a panacea. News about
such losses continues to flow in much
the same way that reports continue to be
received from any front line.
• FDIC: During the third quarter of 2009,
American companies lost $120 million
(almost all of these losses connected
with malicious code);
• UK Cards Association: Losses from the
online banking sector in the UK during
2009 have grown by 14%, totaling
some 60 million UK pounds;
• FBI: in 2009 in the USA cybercriminals
stole more than half a billion dollars
from users, which is twice as much
as in 2008.
According to data from Kaspersky Lab
based on the results for Q1 of 2010,

|
26 SECUREVIEW 3rd quarter 2010 www.secureviewmag.com www.secureviewmag.com 3rd quarter 2010 SECUREVIEW | 27
 ANALYTICS | Crimeware
the list of the most popular financial
organizations targeted by the
cybercriminals is as follows: (See Table)
This list has remained practically
unchanged for the last few years.
According to available data, the number
of banks that suffered from similar
attacks during the period of the first three
months of 2010 is approaching 1000.
Thus it is obvious that the cybercriminals
are constantly finding new and more
sophisticated ways of getting their hands
on the users’ information, despite the
introduction of additional protective
measures taken by the banking fraternity
to protect their online clients.
DO VIABLE
SOLUTIONS EXIST?
Is it possible to fight back against
crimeware in these modern times? Yes,
it is. The technologies are constantly
developing and today’s leading antivirus
companies do have solutions capable
of repelling the attacks of
the cybercriminals.
At this moment, some of the players
in the antivirus market are already using
in-the-cloud technologies. These assist
greatly in detecting and blocking malware
Name of the Company
Bradesco group
Banco Santander group
Banco do Brasil
Citibank
Banco Itau
Caixa
Banco de Sergipe
Bank Of America
ABN AMRO banking group
Banco Nossa Caixa
Others
The top ten most popular financial organizations to be hit by cybercriminal attacks
Data courtesy of Kaspersky Lab
|
28 SECUREVIEW 3rd quarter 2010
A dramatic increase in the quantity of malware used for stealing users’ financial information
Data courtesy of Kaspersky Lab
content, as well as limiting the sources of This technology differs from antivirus
its expansion. Here we are speaking about database detection methods in how it
client-server technologies that analyze analyses the sample. The antivirus engine
metadata containing information about can only analyze a sample according to fixed
malware activity on the users’ computers. rules, such as recognizing odd behavior
However, the metadata can only be sent patterns for example. The online analysis
with the permission of the user and does of metadata received from many users
not contain any private information. simultaneously allows the detection of
’suspicious activity’ and the consequent
blocking of the detected threat, thereby
preventing the problem from spreading. In
% from the total number of attacks practice, users of such distributed networks
can receive protection just a few minutes
after the appearance of any threats.
6,65% It’s for this reason that applying antivirus
measures to in-the-cloud technologies has
4,71% a range of advantages:
• Fast detection within minutes of a threat’s
3,92% appearance (antivirus databases require
up to a few hours between updates);
• A significant increase in the level of
3,74% threat detection, as in addition to existing
technologies, new and highly efficient
3,33% ones can be used;
• Not only the immediate detection and
2,93% blocking of the threats themselves, but
the limitation of their expansion as well;
• Additionally, employing these technologies
2,84% provides a complete understanding of
the overall situation: what time, where,
2,36% who has attacked, how many users have
suffered, the number of users that have
2,28% been protected, etc
So what does it bring to the financial
1,98% organizations? The solutions described
can warn the financial institutions about
the appearance of any new threats aimed
65,27% at their clients automatically and in real-
time. Such warnings may contain detailed
information about such threats and
instructions on how to fight them.
www.secureviewmag.com
Another service that is currently very much
in demand by financial organizations is the
ability to access so called ’situation rooms’.
These are web-based resources which can
be accessed by corporate clients using
a personalized login and password. They
contain much larger volumes of relevant
information than a client could possibly
receive in, for example, a notification
by email. Such information may include
reports and analytical articles related to an
organization or region and identify potential
sources of threats to clients.
However, there are a number of reasons
that these notification systems cannot or
might not be adopted:
• Not every online banking client has an
antivirus program installed on their PC,
making it impossible to put together a
complete picture of all of the threats
out there.
• In order to analyze the information
centrally and comprehensively it would
be necessary for every online banking
user to have the same antivirus product
installed, which is simply impossible on
a practical level.
• Financial institutions strictly forbid the
sending of any client-related information
to external companies due to the high
risk of losing the valuable data or
penetration of their networks.
All of this makes detection of the
targeted attacks more difficult.
To get a complete picture of the
cybercriminals’ actions in relation to the
banking world, the most opportune method
is direct cooperation between the antivirus
companies and the financial institutions.
• It is feasible to integrate a malware
detection solution into the client side
of online banking as no personal
data would be required for this. The
introduction of this kind of a service
could be integrated into a safety policy,
which would reduce the banks’ outgoings
on insurance compensation and
penalties in the future.
• Banking security departments could
control data centers that perform the
preliminary automatic analyses of
threats, thereby allowing them to carry
out the necessary analyses themselves.
Large financial corporations already have
such IT-departments. By controlling all of
the data received, security departments
can decide what information is alright
to pass on to an antivirus company
for analysis and what is not. It has to
be understood that the establishment
of such IT centers within a company’s
existing structure is feasible only if the
company wishes to control the total flow
of the data received. This solution will
be most attractive for the big market
www.secureviewmag.com
Crimeware |
players for all the reason mentioned
before, ie, the presence of a company IT
department dealing with the analyses of
external threats.
• Users of online banking services
would receive timely information from
the analytical centers about of the
neutralization of new threats and
their sources
Therefore, more efficient cooperation
between the antivirus and financial
organizations would allow the killing
of two birds with one stone. Financial
organizations would minimize their risks
and pay-outs related to incidents, whilst
for antivirus companies, this cooperation
would lead to the neutralization of targeted
attacks in the most effective way.
STATE SUPPORT
Up to this point we have been looking at
two parties who are locked in combat with
the cybercriminals: the antivirus companies
and the financial organizations. However,
there is one more participant who despite
all the opportunities it has to become
involved is not playing anything like an
active enough role – it is the state.
Without state support the possibility of
defeating the cybercriminals is minimal.
Countries have borders, but the Internet
does not and this gives the cybercriminals
complete freedom to act at will. For
example, is it possible for a Korean bank
to quickly shut down a Brazilian malware
host, sticking strictly to all the procedures
of state and respecting international
law along the way? Or is it possible for a
Brazilian bank to do the same in China?
The answer is obvious: in both cases it
is a resounding ‘No!’ To take the fight to
Government support is essential in the fight against cyberterrorism. In some countries there are already
authorities that support financial and others organisations in finding solutions to these problems
ANALYTICS
the cybercriminals without any efficient
mechanisms for the cooperation of the
necessary authorities from the different
countries is problematic to say the least.
Such a struggle resembles a tug-of-war.
As soon as any new technologies appear
that target the cybercriminals activities, the
cybercriminals respond by developing some
new means to bypass it. The process then
starts all over again, ad infinitum.
CONCLUSION
We have described just some of the
difficulties faced by the antivirus companies
and the financial organizations in their battle
with the cybercriminals who want only steal
money from online banking clients. One
possible solution was considered.
The solution offered could be applied not
only to the sphere of online banking, but
could also prove to be effective at detecting
threats aimed at users of online games,
electronic money systems and exchange
points. We would like to point out that those
kinds of attacks are registered much more
often than online banking systems attacks.
It is thoroughly necessary to mention
once again the major role that the state
should be playing in this field. Without state
support very little will ever be accomplished
in the fight against cybercrime. The problem
will remain unresolved until such times
that effective and efficient mechanisms
exist for the necessary communication
and interaction to take place between the
relevant authorities. RE
You can read the complete article at
http://www.securelist.com/en/
analysis/204792115/Crimeware_A_new_
round_of_confrontation_begins
3rd quarter 2010 SECUREVIEW | 29
 TECHNOLOGY | Whitelisting Whitelisting | TECHNOLOGY

EXPERT COMMENTS

Somewhere Between Black and White Nikolay Grebennikov

Chief Technology Officer at
Kaspersky Lab
The conventional approach to protecting computers from threats is to
maintain a blacklist of untrustworthy software and to block any programs
from running if they appears on that list. However, this approach does not
provide adequate protection as it only detects malware that is already
known to the malware analysts, whereas in the real world users are
confronted with an ever growing number of new malicious programs. New
malware appears so frequently and has such a wide range of variants
Today the number of
that maintaining up-to-date blacklists is becoming an extremely complex, websites hosting malware
continues to grow
if not impossible, task. The solution lies in a whitelisting approach. exponentially. Our company
actively uses a range of
Whitelisting operates without the user being aware and only requires an Internet connection effective technologies in
order to limit this explosion,
of which whitelisting is one.
Article by Whitelisting technology, which involves spam messages which then have to be examined Whitelisting operates without the user being up-to-date and precise as it is processed using The whitelisting system,
Elmar Török which is integrated into
maintaining ‘white’ lists of trustworthy objects, manually. Similarly, whitelists of legitimate aware and only requires an Internet connection powerful, expert systems. Kaspersky Lab’s solutions,
complements blacklisting technology perfectly. domains allow the user access to trusted websites Whitelisting can be implemented as a cloud Whitelist technology significantly accelerates rates an application
In a whitelisting approach, the network operator, only, seriously limiting the amount of navigable computing technology where the information antivirus scanning because known and trusted according to one of four
software manufacturer, or the ordinary user resources on the Internet available to the user. is accessed through a simple Internet service. objects are excluded from examination. Therefore, categories: Trusted, Low
creates and maintains lists containing data Then the data about the latest approved provided that false positives are low, whitelisting is Restricted, High Restricted
about known, legitimate applications, websites, WHITELISTING objects – programs and websites – can more user-friendly and can protect the users more and Untrusted. The trusted
programs typically form the
email addresses, or other trusted resources. The be instantly retrieved by the user from the effectively than content-based detection alone.
whitelisting system allows the identification of IN PERSPECTIVE centralized server without resorting to resource-
whitelist. The applications
falling into the low or high
computer-based objects, for example all of the intensive localized analyses.
executable files on a system, and any object that However, whitelisting is spreading fast as an These days, new programs and websites CONCLUSION restricted categories
are not considered to
does not appear on the list is flagged as invalid efficient security technology. Whitelisting is used appear very quickly and in huge numbers, so be malicious, but are
and rejected, thereby guaranteeing safety. in the malware industry to control the activity of even hourly security database updates on local Companies and home users need protection restricted in their activities.
Elmar Török has been In addition to these four
hostile and unauthorized programs while allowing machines cannot keep pace. Cloud whitelisting against the latest threats that are as yet unknown groups, the settings for
working in the IT-Industry
safe software the freedom it deserves. solves this problem with instant access to an to the security specialists. The best solution is
since 1989. He became
an author and technical
THE PROS AND CONS Antivirus systems that employ whitelisting online, centralized database of the latest data through a combination of whitelist, blacklist and
each individual application
can be customized to
journalist in 1993 while techniques categorize applications according on approved objects. There is no need to spend heuristic technologies. Whitelists provide a secure permit an activity, prohibit
studying electrical One way of using whitelisting is to block the to their trustworthiness and then grant them time and resources analyzing the same program digital environment with full control over any an activity, or prompt the
engineering in Munich activities of any object that does not appear on the an appropriate amount of access to system or website on each local computer; all that is undesirable objects. The conventional blacklisting user for action.
and Kempten. Since then Apart from whitelisting
lists. This keeps the system free of any dangerous resources. In order to decrease storage space, necessary is to retrieve the relevant data from method is complemented by the whitelisting data, the application
he has written hundreds
objects that are unknown to the analysts. speed up the matching process and prove object the centralized server. Retrieved data is always concept rather than replaced by it. RE control module also uses
of articles for just about
every major computer and Through the use of whitelisting, IT-administrators integrity, they commonly use the digital signatures data from other sources
networking publication can manage what code is allowed to run on of the identified resources (MD5, SHA-1, etc.). such as the database of
in Germany. Elmar their workstations and can thus create a fully An object coming from a trusted source, a untrusted applications and
specialises in IT-Security manageable, secure working space. legitimate software vendor for example, can be the heuristic analyzer. This
and storage issues, produces a more balanced
However, this approach cannot immediately distinguished from a dangerous object by the use and objective approach
has a solid knowledge
be adopted widely as it would block any newer of digital signature verification. Software vendors than blocking all software
of server-related topics
and knows his way versions of legitimate resources that had still to normally provide users with a digital signature for that is not recorded in the
around virtualization. find their way onto the whitelist. Modern software the software which verifies that the software was trusted list, and provides
He is the Editor-in- constantly changes due to the emergence of sent by the claimed sender and was not modified a high malware detection
Chief of the security new programs, different versions, patches and during transit. level with a minimal
periodical “Infodienst amount of false positives
updates. The Internet is rapidly increasing in An effective application whitelist repository generated by new versions
IT-Grundschutz” and
volume and it is impossible to maintain a whitelist should contain a large number of entries and of legitimate software.
is involved in the final
acceptance process of that covers the entire Internet and every piece should be stored in a secure environment. Thus the advanced
new material for the IT- of legitimate software. Security companies and Maintaining a whitelist is usually tedious and whitelisting technology
Grundschutz Catalogues organizations cannot be aware of every new irritating work for a computer user. That is why integrated into Kaspersky
of the Federal Office for program and website ahead of the developers. any antivirus vendor must keep, maintain and Lab’s solutions reaches
Information Security. way beyond categorizing
Email whitelisting is highly effective at blocking enlarge the repository themselves, or must use software as simply ’black’
unwanted messages by filtering out any emails an adequate public repository. Antivirus vendors or ’white’ and provides
that do not appear on the approved lists. But it and software manufacturers should cooperate the user with a far more
too shows similar shortcomings, placing an extra for the purposes of creating highly representative In response to the ever-increasing amount flexible tool to control
burden on the users by filtering out many non- whitelists on a global scale. of malware on public networks, Kaspersky Lab has initiated a program to create a knowledge database of all available trusted software application activity.

|
30 SECUREVIEW 3rd quarter 2010 www.secureviewmag.com www.secureviewmag.com 3rd quarter 2010 SECUREVIEW | 31

More widespread and more complex
Article by
Aleks Gostev
Chief Security Expert
at Kaspersky Lab
Aleks specializes in all
aspects of information
security, including mobile
malware. His responsibilities
include detecting and
analyzing new malware.
Stefan Tanase
Senior Regional Researcher,
EEMEA at Kaspersky Lab
Stefan is responsible for
monitoring the local threat
landscape and specializes in
web security, malware 2.0,
and threats which target
Internet banking systems,
including phishing.
Darya Gudkova
Head of Spam Analyst Group
at Kaspersky Lab
Darya is responsible for
providing information on the
spam landscape, future trends
and mass mailing techniques.
|
32 SECUREVIEW 3rd quarter 2010
FORECASTS| |Complex
INTERVIEW Major possible
threatsthreats
of today
ofand
2010
tomorrow
2009 was the latest milestone both in the history of malware and in
the history of cybercrime, with a marked change in direction in both
areas. This year laid the foundation of what we will see in the future.
The number of malicious programs in the Kaspersky Lab collection
reached 33.9 million. So, what will we see in 2010?
In 2010 the following issues and events are
likely to come to the fore: There will be a shift in
the attack vectors used, with a move away from
the web to file-sharing networks. This is the latest
step in the evolutionary chain: between 2000 and
2005 attacks were carried out via email; between
2005 and 2006 the main attack vector was the
Internet; and between 2006 and 2009 attacks
were carried out via web sites (including social
networks). In 2009, mass epidemics were caused
by malicious files being spread via torrent sites. It
wasn’t only well -known threats such as TDSS and
Virut which were spread in this way but also the
first backdoors for Mac OS. In 2010, the number
of incidents involving P2P networks is likely to
increase significantly.
THE BATTLE FOR TRAFFIC
Cybercriminals are making increasing efforts
to legalize their business, and the Internet offers
Information courtesy of Kaspersky Lab
a multitude of opportunities to earn money by
creating large volumes of targeted traffic. Such
traffic can be created by using botnets. While
at the moment it is openly criminal groupings
involved in the battle for botnet traffic, it
seems likely that grey services will appear
in this market in the future. So-called affiliate
programs provide botnet owners with the
opportunity to realize their assets, even if criminal
services such as spam, DoS attacks, or spreading
malware are not being offered.
EPIDEMICS
As previously, the identification of
vulnerabilities will be the major cause of
epidemics, and this applies both to non-
Microsoft software (Adobe, Apple) and the
recently released Windows 7. It should be noted
that third-party developers have recently started
www.secureviewmag.com
Major possible threats of 2010 |
devoting more effort to identifying
errors in their products. If no serious
vulnerabilities are identified, in terms
of security 2010 could be one of the
quietest years in recent history.
MALWARE
Malware will become ever more complex.
At the moment there are threats in existence
which use modern file-infecting techniques
and rootkit functionality. Many antivirus
solutions are unable to disinfect systems
infected by such malware. On one hand,
antivirus technologies will develop in such a
way as to prevent threats from penetrating a
system in the first place; on the other hand,
the threats which are able to evade security
solutions will be almost invulnerable.
FAKE ANTIVIRUS
SOLUTIONS
There will be a drop in the number
of fake antivirus solutions, mirroring
the decrease in the number of gaming
Trojans. These programs which first
appeared in 2007 reached a peak in
2009, and were linked to a number of
major epidemics. The rogue antivirus
market is now saturated, and the profits
made by cybercriminals are negligible.
With the antivirus industry and law
enforcement agencies focussing their
attention on such rogue solutions, it
will be increasingly difficult for such
programs to survive.
GOOGLE WAVE
Google Wave and attacks conducted
via this service will undoubtedly be a hot
topic in 2010. Such attacks are likely
to evolve in a standard way, starting
with spam, moving to phishing attacks,
and then a shift to vulnerabilities being
exploited and malware being spread. The
release of ChromeOS is also a matter
of great interest, but it’s unlikely that
cybercriminals will focus their efforts on
this platform in the coming year.
MOBILE MALWARE
2010 is likely to be a difficult year
for the iPhone and Android platforms.
The appearance of the first threats
targeting these platforms in 2009
demonstrates that cybercriminals are
starting to examine these platforms
and the opportunities they offer. While
www.secureviewmag.com
FORECASTS
Google Wave and attacks conducted via this service will undoubtedly be a hot topic in 2010
it is only jailbroken iPhones which are
at risk, there are no such limitations
in the case of Android, as applications
from any source can be installed. The
growing popularity of Android phones in
China, and weak monitoring of published
applications will lead to a number of
serious virus incidents in 2010.
SOCIAL NETWORKING
THREATS
The evolution of threats targeting
social networking sites was a major
trend in the cyberthreat landscape in
2009. The explosive growth of social
networks popularity has affected the
spectrum of threats we are dealing
with, as these networks became the
main mode of their transmission. The
scenario is standard – at first it was
spam, then came the search of social
networks brittleness’s and today we face
mass virus and fishing attacks in these
networks. This year there were several
series of virus epidemics in Facebook,
Twitter, and other popular networks.
At the current time we are seeing
a rise in these threats to a new level
involving automated targeted attacks
against users. As social networks
continue to grow, the threats associated
with them will obviously escalate. The
number and complexity of threats that
exploit web 2.0 platforms will continue
to grow too. Now social networks are
opening up new ways for automated
targeted attacks against individuals and
it will be very hard for social networks to
do better: unfortunately, their business
means usability, not security.
SPAM
2009 was a year of financial crisis and
was a difficult one for many businesses.
Spammers also felt the squeeze, as the
number of orders dropped significantly mid-
year. However, the amount of spam in email
traffic did not decrease, since spammers
changed tactics by actively participating in
partner programs. Furthermore, throughout
the course of the year, the amount of spam
in email traffic served as a kind of indicator
of the crisis, allowing us to make some
predictions about spam in the future.
2010 will most probably be a much less
eventful year for the spam business. The
amount of spam in total email traffic will
remain at approximately the same level it is
now or increase slightly. The text message
scams which were so widespread in
2009 may become less common in 2010,
especially if cellular service providers
take a proactive stance in battling them.
However, it will only be a matter of time
before we see new scams emerge.
Methods such as using video and audio
files in spam probably won’t become too
common: the balance between message
size, bypassing filters and making emails
attractive for users clearly does not work
in the spammers’ favor in this case. They
will continue to use tried and tested
tactics. Users can also expect spammers
to continue to take advantage of social
networking sites, where the amount of
spam may well increase. RE
3rd quarter 2010 SECUREVIEW | 33
 INTERVIEW | Complex threats of today and tomorrow

Challenging rootkits
It’s certainly no coincidence that the word ‘rootkit’ has started to crop up more
and more often when someone starts talking about large-scale epidemics,
botnets or other exceptionally serious IT security threats. Indeed, right now this
type of malicious software is considered to be amongst the most harmful for PC
users and is a major contributor to the problems that the antivirus companies
face in their struggle against those who write such programs.
We have asked Vyacheslav Rusakov – a Software Expert of Complex Malware Research group at Kaspersky Lab to
tell us how the antivirus companies deal with this type of malware and what the outlook is for the immediate future.

SV: Over the last couple of years we have
been hearing more and more about
how complex malware such as rootkits
can threaten our digital lives. Just
how serious a problem is it? What are
the major difficulties involved with
combating such a threat?
V: Complex malware has always existed
alongside its simpler cousins. The majority of
malicious programs are not very complicated
from a technological standpoint and rootkits are
certainly no different. There are in fact only a
handful of complex rootkits.
The most common varieties consist of elementary,
kernel-mode drivers that hide or limit access to
system files and registry branches and obscure the
malicious program’s own nefarious processes. It
is this type of behavior that consequently makes
it troublesome for some antivirus products to
detect and eliminate the rootkit’s malicious code.
However, for the majority of the more sophisticated
antivirus products, that type of rootkit is quite easy
to detect, analyze and remedy.
The situation becomes far more involved when
dealing with rootkits of a more complex nature.
Fortunately, at the present time complex rootkits
do not exist in large numbers and this is mainly
due to the technological complexity of their
manufacture. However, it is just such rootkits as
these that are incorporated into the malware that
the cybercriminals use to create their large-scale
botnets, and unfortunately, they spread very
quickly. Cybercriminals take the task of rootkit
creation very seriously, and this complicates the
virus analyst’s job from as early on in the process
as performing a static analysis of the malicious
software. To compound the problem even
more, the rootkits’ authors use obfuscation and
polymorphism to further conceal the nefarious
nature of the executable code. Where a rootkit
is designed specifically to infect system files,
the situation becomes extremely difficult as it
is necessary to define how the virus infection
operates before beginning to outline an algorithm
capable of neutralizing the threat.
Having completed the static analysis, the
next step for the analyst is to perform a dynamic
analysis and that is carried out in a special
test area. The results obtained from dynamic
analysis should confirm any information received
during the static analysis and provide additional
information too. This information will be used later
on for the performance of memory detection and
deactivation of the active rootkit. Sometimes the
detection of a rootkit can lead to the development
of a completely new and unique set of technologies
for the detection and treatment of malware.
SV: What devious methods do the
cybercriminals use to try to infect a
user’s system?
V: The latest and most noteworthy trend is
infection of the kernel-mode drivers and MBR.
These types of rootkits actively conceal their
presence on a victim’s computer very carefully
and are highly resistant to treatment. Kaspersky
Lab has developed its own special methods and
procedures for the detection and treatment of
computers infected with this type of threat. For
the more dangerous of these rootkits, namely
Bootkit and TDSS (TDL3), highly specialized and
innovative technology has been developed that
will allow the detection of any rootkits employing
similar operational methodologies in the future.
SV: There are rumors about the possibility
that BIOS infections may be starting to
do the rounds. What do you think about
this? Is it possible?
V: Unfortunately, it’s more than just rumors.
Proof of concept of this technology does exist.
A computer’s BIOS is the perfect launch pad for
rootkits. This method of virus infection allows
the rootkit to become active even before the
operating system has had a chance to load.
Theoretically, the appearance of such rootkits is a
distinct possibility, however their creation is a very
laborious process due to the nuts and bolts of the
prerequisite technology. First of all the BIOS has
to be reprogrammed, which in itself is a very tricky
operation as local access to the PC is required,
secondly one has to bear in mind the fact that a
BIOS produced by one manufacturer will differ
from that of another manufacturer and therefore a
universal method of infection cannot really exist. I
am not saying that the problem is insurmountable,
but at the present time it is very difficult to perform.
It is not really possible to give a single, definitive
answer. I’m afraid it’s a case of let’s wait and see.
However, I can promise you that if this kind of
malware should appear, the antivirus laboratories
that do not have a sufficient number of suitably
qualified personnel will face a very difficult time.
SV: What would happen if the malicious
code made it into the firmware of
various components? For example,
network or video cards?
V: I think that the most realistic scenario involves
exploiting the vulnerabilities of the drivers that
service these devices. Looking at it from another
angle though, if the malicious code has the ability
to take control by using this type of virus infection,
then that option has to be given very serious
consideration indeed. I think that it’s worth
pointing out here that the cybercriminals main
aim is to make money. The simpler the methods
used, the lower their overheads are. That is
why the complex technologies will only prevail
once the less advanced methods have become
obsolete and unprofitable. Until that time, only a
relatively small amount of specialist researchers
will continue working with this problem.
SV: Is it possible to use the CPU’s
vulnerabilities for the creation of
virtually undetectable rootkits?
Would antivirus companies be able to
combat this type of threat?
V: Mistakes occur with any type of software and
the microcode of the CPU is no exception. However,
the practical exploitation of such mistakes is
doubtful. The thing is, exploiting vulnerabilities
of this kind is very complicated technologically.
It is necessary to take into account the many
challenges that would need to be met in creating
a universally-adaptable exploit. In any case, I am
sure that if such a threat does in fact emerge,
the antivirus companies will pull out all the stops
to provide their users with an up-to-date product
capable of meeting the threat head-on. RE

|
34 SECUREVIEW 3rd quarter 2010 www.secureviewmag.com