How Effective Is Anti-Virus Detection?

Out of amusement I decided to take one of those strange email spams telling me about an order that I never made (“Order no. 7160668120”), and see if the attachment was detected as a virus.

To make things interesting, the attachment was in the form of an unusual archive format – perhaps to make it harder for gateway security products to scan. Installing the arj tool allowed me to unpack it … and surprisingly enough some order data is actually an executable!

It turns out that our standard anti-virus detection doesn’t detect it. To dig further, I uploaded it to Virus Total which ran 55 anti-virus tools against the file and it was detected as a virus just three times. And each time it was detected, it was given a different name :-

  1. Win32.Katusha
  2. Win32/Kryptik.CKEY
  3. Malware.QVM20.Gen

Now these could all be different names for the same thing … or not. And it could be that with such a low detection rate, it is not really a virus. 24 hours later the detection rate has gone up to 12 out of 39. But it has been delivered to my system (or at least mailbox) in a very suspicious manner.

So let us take a closer look; as it happens Virus Total has a behavioural analysis tab which shows what the uploaded file appears to do when run in a specially configured environment. The details of this are long and tedious, but in brief the code appears to indulge in some “unusual” activity which is almost certainly behaviour only exhibited by malicious code.

So it is a virus … or at least some form of malware.

The moral of the story is that you cannot rely on anti-virus products for protection; ultimately you have to use an anti-virus product alongside other means of determining whether an attachment is a virus or not.

And there were plenty of indications that this email was more than a bit suspicious :-

  1. It was from a sender I’d never corresponded with.
  2. It was from a sender whose company I’d never corresponded with.
  3. It mentioned an order invoice and I’ve not ordered anything recently.
  4. The attachment was an archive format that very few people have heard of (“ARJ”).
  5. The attachment when manually unpacked proved to be an executable.

Plenty of reasons there not to blindly click on the attachment – even if at the time the anti-virus protection wasn’t saying it was nasty.
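The check that would have caught this attachment before any signature existed is to look at what the bytes are rather than what the filename claims. The following is an added example (not code from the post): the ARJ, ZIP, PDF and MZ signatures are real, the sample attachments are constructed, and the filenames only borrow the order number quoted above.

```python
"""Judge an attachment by its content, not its name (added example)."""
import os

# Real file signatures at offset 0, checked in order.
SIGNATURES = [
    (b"\x60\xea", "arj"),       # ARJ archive header id
    (b"PK\x03\x04", "zip"),     # ZIP local file header
    (b"%PDF-", "pdf"),          # PDF header
    (b"MZ", "pe"),              # DOS stub of a Windows executable
]

# Extensions that should contain data, not code.
DATA_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".csv", ".dat"}
ARCHIVE_EXTENSIONS = {".zip", ".arj", ".rar", ".7z"}


def sniff_type(data):
    """Classify content by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename, data):
    """Return the warning signs for one attachment (empty list = nothing odd)."""
    warnings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff_type(data)

    if kind == "arj":
        warnings.append("ARJ archive: an unusual format that gateway scanners may not unpack")
    if kind == "pe":
        warnings.append("content is a Windows executable (MZ header)")
        if ext in DATA_EXTENSIONS or ext in ARCHIVE_EXTENSIONS:
            warnings.append(f"executable disguised with a {ext} extension")
    # "invoice.pdf.exe" style names rely on the real extension being hidden.
    if len(parts) > 2 and "." + parts[-2] in DATA_EXTENSIONS:
        warnings.append("double extension hides the real file type")
    return warnings


# Constructed samples, not the real attachment from the post.
SAMPLES = {
    "Order_7160668120.arj": b"\x60\xea" + bytes(30),
    "Order_7160668120.dat": b"MZ\x90\x00" + bytes(60),
    "invoice.pdf.exe": b"MZ\x90\x00" + bytes(60),
    "invoice.pdf": b"%PDF-1.4\n",
}


def scan_samples():
    """Run the check over every constructed sample."""
    return {name: assess_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, "->", found or ["nothing unusual"])
```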

Posted in Malware, Technical | Comments Off on How Effective Is Anti-Virus Detection?

Staying Safe with USB Storage

When considering any kind of USB storage, it is worth remembering that encryption is not just required (if you are storing personal data) but a pretty good idea everywhere. If you lose a USB memory stick or a larger USB disk, it is better to know that the data is encrypted without trying to remember what kind of data was on that stick and whether it was encrypted or not.

As a personal preference, I have chosen to go with hardware encrypted storage devices. One is a 16Gbyte USB memory stick :-

And the other is an enclosure for installing old laptop drives :-


(Both pictures are links to the relevant Amazon product page; not that this is an endorsement of Amazon!)

In both cases, you have to enter a PIN before you can use the storage. This sounds a bit inconvenient compared to a normal USB memory stick; and it is.

There’s no getting away from the fact that using encrypted storage is just a little bit less convenient than ordinary storage.

But it is safer. There is no risk you’ll need to explain to someone why they are having to write a report to the Information Commissioner, and there is no risk that you’ll wonder what someone will do with your personal data. Can you really be sure there is no data from work on any one of your USB memory sticks? And can you really be sure there is no personal data from work on one of your USB memory sticks?

As for the benefits of hardware encryption, there are two main ones :-

  1. It works everywhere; you do not have to worry about whether the encryption software works on the random old laptop a relative uses. Even if they are really weird and use Linux.
  2. It’s not optional. With most encryption software, the USB memory stick works without the encryption leading to the situation where it’s tempting (especially if you are in a hurry) to not bother with the encryption “just this once”.

In terms of actual usage, the memory stick I’ve indicated has been in use long enough that the fancy black plastic case it comes in has become all shiny as the “black” has worn off. And it still works as well as it did on the first day, and the keypad buttons are still functional.

The Zalman laptop drive case is still a bit new, but does still work fine.

Posted in General | Comments Off on Staying Safe with USB Storage

Diagnosing A Phishing Attack

People are constantly trying to get your account details in one way or another. One of the ways is to simply ask you to tell them your account details. And one of the most common ways of asking is to send you an email asking you to follow a link to download an attachment, or that they’ve shared a Google drive with you.

One of those phishing emails came into me over the weekend, and I followed the link to see the results :-

[Screenshot of the phishing page: 2014-09-01-084441_901x974_scrot]

There are a few hints about this web page that indicate that all is not right :-

  1. It looks a bit like a Google login page, but there’s a drop down box to select which email provider you use.
  2. The page is just a little bit too busy to be a Google page.
  3. Since when does Google let people access a Google drive without a Google account?

Lastly, and most significantly, the URL the page is at is all wrong. The following is cut from the above page to highlight the location bar :-

[Screenshot detail showing the location bar: 2014-09-01-084441_901x974_scrot-highlight-url]

For those who are not aware, the location bar shows the URL of the current page and there is quite a bit to tell from it :-

  1. Right at the beginning of the location bar is a page icon. The one that is showing is just the default, and Google always uses a little blue “g” on every unencrypted web page.
  2. And of course Google is not going to let you log in through an unencrypted web page – their log in pages have a little green padlock instead of the default icon.
  3. The first part of the URL determines the Internet address of the server, and “hotelmetropol.ro” isn’t an address that Google would use.
  4. Even more technically, the part after the server address (“/wp-content/googledrive/”) includes a pathname (“wp-content”) that indicates the presence of WordPress. Which Google isn’t going to be caught using; and even if they did, they wouldn’t reveal it.

Phishing attacks are getting more and more subtle, but even a relatively sophisticated attack like this one has signs to indicate that not all is as it seems. If you have any reason to be suspicious of something like this, use another means of contacting the person who sent you the link.
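The four location-bar checks above can be written down as rules. This is an added example, not code from the post: the URL is reconstructed from the host and path quoted above, and the short list of trusted Google host suffixes is an assumption for the demonstration.

```python
"""Pull the warning signs out of a login link's URL (added example)."""
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("google.com", "google.co.uk")   # assumption, kept short

# Path fragments that give away the software behind the page.
PLATFORM_PATHS = {
    "/wp-content/": "WordPress",
    "/wp-admin/": "WordPress",
    "/sites/default/files/": "Drupal",
}


def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True for the suffix itself or a real subdomain of it.

    'accounts.google.com' passes; 'google.com.example.org' does not.
    """
    return any(host == s or host.endswith("." + s) for s in suffixes)


def url_warnings(url, brand="Google"):
    """Return the reasons a login link claiming to be `brand` looks wrong."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname drops any user@ prefix
    path = parts.path.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("login page served over plain http: no padlock, no encryption")
    if parts.username:
        warnings.append(f"text before '@' ({parts.username}) is not the site; the real host is {host}")
    if not host_is_trusted(host):
        warnings.append(f"server {host!r} is not a {brand} address")
        if brand.lower() in host or brand.lower() in path:
            warnings.append(f"'{brand.lower()}' appears in the URL only to look legitimate")
    for fragment, platform in PLATFORM_PATHS.items():
        if fragment in path:
            warnings.append(f"path reveals {platform} ({fragment.strip('/')}), which {brand} would not expose")
    return warnings


# URL reconstructed from the screenshot described in the post.
POST_URL = "http://hotelmetropol.ro/wp-content/googledrive/"

if __name__ == "__main__":
    for reason in url_warnings(POST_URL):
        print("-", reason)
```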

Posted in Email | Comments Off on Diagnosing A Phishing Attack

‘Order Number 86514719983′ = malicious email

A large-scale malware distribution campaign targeting University staff and users is being reported. Users might receive an email with the distinctive subject line ‘Order Number 86514719983′; the number seems to be random and many users are reporting many different numbers:

If you see it – then don’t click on the attached .zip file. The zip file contains a .dat and a .bat file, which contain strains of malicious software that are currently undetectable to most Anti Virus products. Sophos are working on it!

See: http://blogs.it.ox.ac.uk/oxcert/2014/08/27/new-e-mail-malware-campaign-order-number/ – for all the geeky facts

Posted in Email | Comments Off on ‘Order Number 86514719983′ = malicious email

Slaying The Internet Hoaxes

One of the things you quickly learn about the Internet is that it is full of hoaxes. Things like the following that arrived on my Facebook feed this morning :-

Whilst it is fairly easy to see that this one is a hoax, some are more sophisticated. But if someone posts something like this and you read it, you perhaps need to verify the information before changing your behaviour.

The trick is to search for information about what it contains … this hoax warns about calling numbers beginning with “0809”, so search for that string. The very first few results are links to pages containing information about this hoax confirming that it is a hoax.

And the very first link takes you to a site dedicated to de-bunking Internet hoaxes – which makes a good link to add as a comment to a hoax posting on Facebook.

Whilst not directly related to security, this does introduce the concept of trust – you should not believe everything you read. Even in messages from people you know :-

  1. They could be mistaken about the risk. Especially if they are not experts in the subject – many people pass along warnings about things without taking due care to verify the information.
  2. The message may look to be from the person you know, but it could in fact be forged.

In short, if you have any doubts about a warning, check it with independent sources.

Comments Off on Slaying The Internet Hoaxes

Ongoing Phishing Attack: “Hello”, “Delivery Failure”, “Secure Adobe”

We are subject to an ongoing phishing attack with emails being sent with the Subject of “Hello” and the contents appearing similar to :-

Hello,

I sent you this document earlier but I notice the failure delivery , so I
had to re-upload using secure adobe. View here
<http://www.backyardlogfurniture.com/Adobes/Adobe/index.htm>
and lo-gin your email to access the document as its very important.

Thank you.

If you click on the link, it takes you to a form to fill out with your email address and password. Once filled in the account details are sent on to a spammer. The form looks like below :-

[Screenshot of the credential-harvesting form: 2014-08-06-112555_786x566_scrot]

Because the sender of the spam message is often with an address of something@port.ac.uk or something@myport.ac.uk it may look a bit more trustworthy than normal. However it is not.

Please avoid clicking on email links, and please do not fill in your account details into forms that look suspicious.

When accounts are being compromised by spammers in this way, the accounts are being disabled by Google. We cannot simply re-enable the accounts without appropriate action, or our entire Google App domain is at risk.

Posted in Active Attacks, Email | Comments Off on Ongoing Phishing Attack: “Hello”, “Delivery Failure”, “Secure Adobe”

Have You Changed Your Password Recently?

When was the last time you changed your account password(s)? More than a year ago? Then it is probably time you changed your password :-

Changing your password regularly accomplishes several things :-

  1. It meets the UoP password policy requirements – you are required to change your password regularly. Even if it is inconvenient. And that isn’t IS saying so; it is the University’s policy.
  2. It updates your password with the latest ideas on what makes a strong password – providing that you are following the advice. A password that was strong 5 years ago is now probably a weak password.
  3. It solves the problem of password “leakage”. If your account password has been disclosed (for whatever reason), or even worse is being used by someone maliciously, then changing your account password fixes this.

The biggest problem with changing your password is remembering all the places where it may be stored :-

  • On all your devices configured to connect to the Eduroam network (including all your phones); as you change your password here, remember to verify that your username is entered as username@port.ac.uk so it will work at remote Eduroam locations.
  • Within your mail client (if you have one).
  • Within your web browser if you have made the mistake of allowing it to remember your password for sites using your University account password.

Posted in Passwords | Comments Off on Have You Changed Your Password Recently?

Dealing with Spyware and Adware

Malware comes in many different forms, and two of the supposedly less damaging aspects are spyware and adware, which keep track of your activities and display advertising selected by your activities. This sounds relatively harmless, but there are concerns.

Firstly, you may not be happy allowing a less than totally scrupulous advertising agency access to your computer so that it can send them details of your Internet activities. Apart from the gross invasion of privacy, the information can be very revealing in security terms – what bank you use, etc. And there are no guarantees that an advertising agency that uses adware or spyware is going to keep your personal details and information safe.

Secondly, it is very common for a machine that has one spyware install to have more than one … dozens, or hundreds is not impossible. Because spyware is constantly running (or it tries to run constantly), the more spyware you have installed, the slower your machine is. It is not unknown for people to buy a new machine because they think their old machine is faulty when it is really just overloaded with spyware.

Next, spyware is malware. Although “well behaved” spyware isn’t any more malicious than the stated purpose of spyware, the nastier spyware is, the more likely it is to add more malicious features. Spyware can (and does) act to install additional spyware, and in some cases it can load genuine malware. So allowing spyware free rein on your machine can sometimes result in much nastier infections.

Possibly including the nastiest form: ransomware.

Surprisingly, anti-virus products do not always protect against spyware and adware. In addition to the fact that anti-virus products are not 100% effective against anything, they do tend to concentrate on viruses specifically and not malware in general.

So having a good anti-virus product is no guarantee that you will not get infected. But you will definitely get infected a great deal quicker without one, so it is of great benefit to check your anti-virus product on a regular basis. Perhaps set up a calendar item to do so every three months.

In some cases of very bad infections that we have seen, the computer owner believed that they were safe because they had anti-virus protection installed, but they had chosen not to renew the anti-virus subscription. So it was running, but not performing any actions.

How Do I Get Infected?

As to how adware/spyware gets installed, it is not possible to say with certainty as there are so many different ways. But some of them are detailed below :-

One of the ways is to entice you into downloading and installing the software itself. Commonly labelled as some sort of helpful utility, or potentially pretending to be some sort of game, the process of installing the utility also installs the adware/spyware.

You have trusted the rogue software installation which has abused that trust. The solution is to only install software from trusted sources. That doesn’t mean not to install anything from the Internet, but software installed from the Internet should be checked to make sure it is from a reasonable site.

The next method that adware/spyware gets installed is via a browser exploit. Any outdated browser will have some security holes, and some of those security holes allow for the invisible installation of software – including adware/spyware. These invisible installations can be found on the dodgier parts of the web (not necessarily what you’re thinking!), and through advertising banners on quite legitimate sites.

The solution is to keep your browser up to date and attempt to use a less widely used browser, as different exploits are required for different browsers. Whilst inconvenient, it may be necessary to run two browsers – one for particular sites that are fussy about what kind of browser they work with, and one for more general web browsing.

You could try to avoid “dodgy” websites, but in practice it is difficult to identify such sites given that it isn’t really the main content of the website that is dodgy. Even legitimate websites can become “dodgy” if a malicious spyware author breaks into the website to add their spyware.

Finally, one other very commonly used method is to use adware/spyware to install more. If you have a malicious piece of adware/spyware installed, it can itself “call home” to search for additional adware/spyware to install.

Removal – Background

Removal is a difficult task as the authors of adware/spyware do not want you to be able to remove it, and so they take defensive measures. In some cases this means that some adware/spyware is not removable by ordinary people.

And of course this means that the method of removal could be to hand the problem to somebody else (someone whose time you’ve paid for). If you are doing this yourself, the following lists a number of methods in decreasing order of effectiveness.

Doing this yourself is certainly possible, but it is worth setting aside at least a couple of hours for it. It is best done slowly and carefully.

Ultimately the only safe method of removal is a complete re-installation. Wipe the hard disk and start again. Obviously this is a bit extreme, but is worth considering if your computer is misbehaving so badly that you are considering replacing it, or if your computer’s infections are costing you money.

The next most effective method is to boot your computer off a “rescue CD” (or increasingly a USB disk), which can remove viruses and/or other malware in a clean environment. If you allow your computer to boot when it is infected, the infections have the chance of controlling the environment to hide themselves.

Removal – Rescue CD

One of the most popular of such rescue CDs is Kaspersky Rescue CD, although there are a number of others. Once downloaded, it can be written to a CD (or a USB stick), used to boot the computer and follow the on screen instructions. If you want to read up on it first, there are plenty of guides available to walk you through the process.

Protection & Removal – Safe Mode & Anti-Malware

The remaining methods are not guaranteed to remove everything because they operate whilst your normal computer is booted within its normal environment. However they can be effective against less pernicious malware, and of course are easier to operate.

You can make the remaining methods more effective by booting in “Safe Mode” where Windows does not start every service it normally does. Safe mode can be enabled by invoking the “Advanced Boot Menu” by holding down F8 whilst the computer boots.

Once that starts, use the arrow keys to select “Safe Mode with Networking”. This will take longer than normal, and look somewhat different too as Windows shows you what is happening rather than display an animation screen. When in safe mode, you can manually start your anti-virus product and anti-malware product and scan your system.

The first thing to have running for protection is of course the much maligned anti-virus product. Whilst this is not a perfect solution as it doesn’t catch everything, it does try and prevent the nastiest forms of malware.

And because recent versions of Windows include an anti-virus product for free, there is no reason not to be running one. Microsoft Security Essentials is a perfectly adequate anti-virus product for the home computer, and isn’t in danger of running out of its subscription period.

If you use an alternative, please check that it is in a healthy state on a regular basis.

It may sound like repeating the same protection, but supplementing an anti-virus product with a second anti-virus product makes a certain amount of sense. In particular if you can select an anti-virus product that concentrates on more general malware – such as Malwarebytes.

The free version of Malwarebytes just performs manual scans of the hard disk. But that can sometimes be enough – if you remember to scan it regularly.

Links

For further information :-

  1. Inspired by: the Purdue SpyWare Best Practice Guide.
  2. Microsoft’s page on SpyWare.
  3. The Wikipedia article.

Posted in Malware | Comments Off on Dealing with Spyware and Adware

Enhancing SSH Server Security

Every so often after I run security scans, I think about investigating making ssh more secure. Normally I don’t have the time to do it, but this time I have made the time.

It turns out that whilst the ssh protocol is relatively secure, the encryption strength can be improved somewhat. To be fair, the older ssh encryption methods have been around for quite a while now. And when we say “improving”, the improvement is merely enough to persuade Nessus to hide an alert that is “Low”.

But it isn’t hard to fix, so why not?

The first step is to restrict the ciphers that sshd allows. Edit the file /etc/ssh/sshd_config and add a ciphers line :-

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

The next step is to add a line to restrict what MACs to use :-

MACs hmac-sha1

These two lines are normally next to each other close to the “UsePrivilegeSeparation” line.

Next restart sshd which is normally done with /etc/init.d/ssh restart (if you don’t have that script, look in that directory for any script whose name contains “ssh”). Yes this can be safely done whilst logged in via ssh.
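Two details of sshd_config trip people up when adding these lines: for each keyword sshd uses the first value it reads, so a second Ciphers line appended at the end of the file is silently ignored, and anything after a Match line applies only to that Match block. The following added example (not code from the post) applies the two directives from above while respecting both rules; the sample config is constructed.

```python
"""Set sshd's Ciphers and MACs directives exactly once, before any Match block (added example)."""
import re

# The values given in the post.
DESIRED = {
    "Ciphers": "aes256-ctr,aes192-ctr,aes128-ctr",
    "MACs": "hmac-sha1",
}

# "Keyword value" or "Keyword=value"; comment lines start with '#' and do not match.
DIRECTIVE_RE = re.compile(r"^\s*(\w+)(?:\s+|\s*=\s*)(.*)$")


def set_directives(config_text, desired=DESIRED):
    """Return config_text with each desired directive set once in the global section."""
    done = {k: False for k in desired}
    out = []
    match_at = None                      # index in `out` of the first Match line
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        key = m.group(1).lower() if m else None
        if key == "match" and match_at is None:
            match_at = len(out)
        target = next((k for k in desired if k.lower() == key), None) if key else None
        if target and match_at is None:
            if not done[target]:
                out.append(f"{target} {desired[target]}")     # replace the first occurrence in place
                done[target] = True
            else:
                out.append(f"# duplicate (ignored by sshd): {line}")
            continue
        out.append(line)
    missing = [f"{k} {v}" for k, v in desired.items() if not done[k]]
    if missing:                          # not present yet: insert above any Match block
        at = len(out) if match_at is None else match_at
        out[at:at] = missing
    return "\n".join(out) + "\n"


def effective_values(config_text):
    """Mimic sshd's first-value-wins rule for the global section."""
    values = {}
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":
            break
        values.setdefault(key, m.group(2).strip())
    return values


# Constructed sample: an old cipher list, a duplicate Ciphers line, and a Match block.
SAMPLE_CONFIG = """\
Port 22
Ciphers aes128-cbc,3des-cbc
UsePrivilegeSeparation yes
Ciphers aes256-ctr
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(set_directives(SAMPLE_CONFIG))
```

Run `sshd -t` on the edited file before restarting to catch syntax errors. The MAC value is the post's; current OpenSSH releases also offer hmac-sha2-256 and hmac-sha2-512, which a present-day scanner would expect.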

Posted in Technical | Comments Off on Enhancing SSH Server Security

Operation Tovar – Taking Down Zeus-P2P/CryptoLocker

The mainstream media has been spreading reports about Operation Tovar so it is worth expanding on that information.

Operation Tovar is an international co-operative effort by various anti-crime agencies to take down the Zeus-P2P command and control servers. Whilst valuable, it is expected that the criminal gang that runs the Zeus-P2P malware will shortly (perhaps in two weeks’ time) establish new command and control servers, so taking action now to isolate and clean up infected machines would be very valuable.

Various efforts are under way, and we will be taking action ourselves.

The first question to ask, is just how does a criminal get control of your PC? In the case of ZeuS, the criminal sends out spam with an infected attachment. The “hook” to persuade people to click on the attachment is to claim the attachment is an invoice or a voice-mail message from someone you know. So the very first defence is to be very suspicious of emails with any attachments.

The Zeus-P2P network is a huge network of compromised machines mapped by Dell :-

ZeuS P2P Network

Each of those blobs is an infected machine. The network is used by criminals to steal money themselves (one estimate is over $100 million from US victims alone) plus it is hired out to other criminal gangs for nefarious purposes. Including the gang that came up with CryptoLocker, which is a particularly nasty bit of malware that encrypts your files and refuses to unlock them until you have paid off those who released CryptoLocker.

The number of infected machines out there is an indication that people are not defending their machines properly.

The action taken by the relevant legal authorities has been to target the criminal gangs involved and to take down the command and control servers. In combination with that, a number of other organisations have initiated an effort to persuade people to clean up their infected machines.

What We Are Doing

In the case of centrally managed University computers, the likelihood is that none are infected. Whilst such machines do get infected, the built-in defences normally remove the infection before it becomes effective. In almost all cases where network activity by viruses has been reported, the infection has not been a centrally managed University computer.

In the rare cases where it was a centrally managed University computer, the virus was only able to activate for a short period. Most accounts lack “administrator” rights, so the virus was not able to make its presence permanent.

In some ways this is a bad thing, as it does not encourage the first line of defence.

In addition, JANET has provided us with a large list of domains used by ZeuS and/or CryptoLocker, which we have blocked. This has been put in place, and should make it less likely that either of these two infections will successfully activate on our network.

Protection

As mentioned previously, the first line of defence against viruses is to be less trusting of emails with attachments – invoices, voice-mail messages, pictures, videos, etc. If you do get an email with such an attachment, make sure it is from someone you definitely know or do business with.

The second defence is to have an anti-virus product installed and kept up to date – we often see people who don’t bother at all, or who installed an anti-virus product once years ago and have not checked that it is still working. Now would be a good time to check that you have anti-virus installed on your personal computers, and that it is still working.

The next level of protection is to run an anti-virus removal tool on your PC such as the Sophos Anti Virus removal tool. Anti-virus products are not infallible (in fact if you pick a bad one they are very fallible), and it makes sense at a time like this to run the removal tool to see if there is anything that has been missed.

For more information:-

Comments Off on Operation Tovar – Taking Down Zeus-P2P/CryptoLocker