
Be afraid, be very afraid

Company PCs could be under the control of hackers (through so-called botnets), without the company ever knowing it; employees may be hiding malicious code on PCs' flash memory (BIOS); and Gartner warns that Oracle's software "can no longer be considered a bastion of security".
By Mariette du Plessis, Events Programme Director
Johannesburg, 03 Feb 2006

Appetisers on this week's security menu are worms and software flaws. For the main course, choose between botnets, instant messaging (IM), rootkits and VOIP networks.

This is not the menu at the hacker café around the corner. These less-than-appetising dishes are being served up around the world, as hackers go all-out to find ways and means to anonymously launch denial of service (DOS) attacks.

VOIP networks such as Skype, IM and rootkits capable of storing key attack functions on a PC's basic input/output system (BIOS) in flash memory, are just some of the ways hackers can gain control of a company's infrastructure and cause havoc on another organisation's.

Ever considered the legal implications if a company's IT resources were used to launch DOS attacks that brought down a bank's network, resulting in downtime and potential loss of business totalling millions of rand?

You should be afraid. Very afraid!

Tools of the bot trade

Companies could be at the disposal of cyber-crooks and their PCs under the control of hackers (through so-called botnets), without ever knowing it, according to security firm PandaLabs.

The firm reported this week that bots represented more than 20% of new malware detected in 2005 and the number of malicious bots appearing on the Internet increased more than 175% between 2004 and 2005.


Bots are so called for their ability to infect and take up residence on the PC of an unknowing user, where they await further commands.

The greatest threat, however, is when bots are deployed to build extensive networks, popularly known as botnets, which are then used by their creators to take large-scale actions, such as sending spam or distributing other malware.

Some "bot herders" even hire out the botnet to spammers, blackmailers and other profiteers to distribute spyware, send spam or launch DOS attacks.

Even scarier is news that VOIP networks such as Skype might also be used to control networks of compromised machines because of security shortcomings that give hackers a better opportunity to cover their tracks. Botnets are generally controlled using IRC networks and attack commands might be sent via IM, but now researchers at the Communications Research Network say VOIP applications provide a means to anonymously launch DOS attacks.

If control traffic is buried in streaming IP telephony packets it will be far harder to trace its origins, and catching those responsible for DOS attacks would become much more difficult.

If this is not enough to make every IT manager disconnect PCs from the Internet, it seems that insider attacks and industrial espionage potentially represent an even bigger risk. Insider attacks are becoming stealthier by hiding malicious code in the core system functions available in a motherboard's flash memory, says UK-based Next-Generation Security Software.

A collection of functions for power management, known as the advanced configuration and power interface, has its own high-level interpreted language that could be used to code a rootkit and store key attack functions in the BIOS flash memory, according to the company.

The cherry on top of the week's dose of bad news is the warning from IM specialist Postini: spammers will increasingly use images as a substitute for text to circumvent first-generation spam filters, while the interoperability of public IM networks will enable worms to propagate faster and spread more widely.

Oracle takes flack

The week's security bad boy must be Oracle, which is earning unfavourable comparisons with Microsoft - the industry's traditional security whipping boy.

Recently uncovered critical Oracle vulnerabilities were followed by a Gartner warning that the firm's software "can no longer be considered a bastion of security". Even scarier: "Experts say the problems could worsen with Project Fusion".

The warning comes after Oracle released its critical patch update on 17 January, which included patches for 82 vulnerabilities across multiple product lines.

In an effort to bring the database giant's vulnerabilities to light, security expert Alexander Kornbrust is working on version two of an Oracle rootkit that would allow inclusion of malicious code without altering database views. He plans to roll it out at July's Black Hat Conference.

Want Vista? Better have OneCare too

This does not mean Microsoft is off the industry's radar screens, however. Security expert Roger Grimes has alleged the firewall in Microsoft's forthcoming OneCare security suite fails to stop two potentially harmful data streams.

The firewall will allow any Java application or Java script to contact the Internet, Grimes claims, and is also set up to trust any application that uses a digital certificate.

Microsoft's OneCare suite, announced in May last year, bundles anti-virus, anti-spyware, back-up software and a two-way firewall that filters incoming and outgoing traffic. The firewall built into Windows XP SP2 only filters incoming traffic.

Of course, Microsoft has denied this is the case. "It is highly unusual for malware to be signed," Yoav Schwartz, lead programme manager for OneCare, wrote in response to Grimes's claims. Schwartz maintains the suite's anti-virus and anti-spyware technology adds a defence layer designed to stop malware from infecting computer systems in the first place.

Let's hope Microsoft does have its OneCare ducks in a row, considering news this week that anti-virus protection will NOT be included in Vista, the next version of Windows - for unspecified business (not technical) reasons. Instead, Microsoft plans to sell anti-virus protection to consumers through its OneCare online backup and security service, Jim Allchin, co-president of Microsoft's platform products and services division, told reseller magazine CRN.

Friday is Blackworm day

There has also been no slowdown in virus activity this year. According to UK-based security firm Sophos, virus authors in January alone created 2 312 new malware variants - a third more than in December. Most of these attacks were financially motivated and designed to steal sensitive information from compromised PCs.

ITWeb Security Summit 2006

At the ITWeb Security Summit 2006, to be held on 8 and 9 March, top international security experts from MasterCard International, Gartner, Microsoft, Symantec, McAfee, Cisco, Check Point, Computer Associates and OpenHand will join forces to help you understand the insider threat to your business, as well as the strategies, technology and processes most effective in dealing with this changing threat environment.

In two separate keynote sessions at the conference, well-known author and ex-hacker Kevin Mitnick will offer an exclusive insider's view of the low-tech threats to high-tech security, with advice for preventing "social engineering" hacks and how to mitigate the risk that wireless networks pose to sensitive corporate data.

More information about the conference and delegate bookings is available online at www.itweb.co.za/securitysummit or by contacting Denise Breytenbach at (011) 807-3294 or denise@itweb.co.za.

But it was the return of an old-school "trash your Windows PC" worm that captured the most headlines this week, with the Kama Sutra worm (AKA Nyxem-D or Blackworm) scheduled to begin wiping files on infected PCs today (Friday, 3 February).

On the third of each month the worm will activate 30 minutes after the computer is booted up and overwrite all files with the extensions DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP. Corrupted files contain the text `DATA Error [47 0F 94 93 F4 F5]`.

The e-mails containing the malware use a variety of social engineering hooks to get the recipient to activate the worm, predominantly of a sexual nature.

If activated, Blackworm tries to disable security software. It also tries to harvest e-mail addresses from infected PCs in a routine designed to draw up a hit list of targets for infection. Blackworm is programmed to download updates of its code onto infected PCs.

Nonetheless, according to Sophos, the old-timers continue to top the January virus charts. Sober-Z remains in the number one spot, despite a fix being available since November. Netsky-P made it back to number two, despite a cure being available for nearly two years, and Zafi-B, first detected in June 2004, has made a comeback at number three.

United we stand, or fall

Once again, we end the weekly security round up on a slightly more positive note. The good news of the week is the industry seems to have finally recognised that collaboration may be the only lasting defence against the ever-increasing security onslaught.

This week the three biggest anti-virus vendors - Trend Micro, Symantec and McAfee - have teamed up with ICSA Labs and Thompson Cyber Security Labs in a bid to standardise methods for sharing spyware samples and testing anti-spyware products and services.

The effort is aimed at curtailing a possible source of user confusion before it becomes a problem, as well as driving up standards for detection across the anti-spyware industry (check out www.Spywaretesting.org).

The initiative is one of a number of cross-industry efforts aimed at co-ordinating the fight against spyware. Last week Google and others agreed to back a scheme to put pressure on purveyors of unsavoury programs through a name and shame initiative, called StopBadware.org, and earlier this month the Anti-Spyware Coalition (ASC) finalised a set of guidelines for detecting invasive spyware.

Sources used: ITWeek, ZDNet, The Register.
