Archive for September, 2008

The Emergence of Crimeware as a Service (CaaS)

September 30, 2008

As the malware threat landscape continues to evolve, hackers are constantly changing their techniques to counteract the detection technologies that vendors develop. By using sophisticated methods to evade antivirus technologies, hackers remain relentless in their pursuit of damaging IT systems and gaining access to personal information.

In the past, hackers used polymorphism and metamorphism as tactics to constantly generate new variants of worms. Essentially, through polymorphism, the virus would morph itself into different variations to bypass signature-based technologies. The antivirus industry eventually responded by creating emulation technologies to counteract this new breed of virus. Emulation engines were designed to mimic the properties of the morphed virus so that it could be detected by other means (signatures and heuristics). This approach depended on the researcher's access to the polymorphic engine: its logic had to be decoded before protection for specific mutations could be developed.

Hackers are shifting their interest from fame (among shady peers) to profit, going after financial gain by developing new and innovative ways to slip below the radar. Some of these methods are genuinely innovative and show out-of-the-box thinking applied to crime; one example is the custom HTML injection used by Banker Trojans to obtain protected information.

As we begin to map the evolution of malware, several recurring stealth and camouflage techniques stand out, including:

  • Custom run-time packers (compression)
  • Server-side polymorphism

A major risk to security is the emergence of server-side polymorphism, or “Crimeware as a Service (CaaS)”, in which the polymorphic engine does not reside within the virus code itself but remotely on a server. There are two forms of server-side polymorphism that we know of today: one that distributes mutated variations of malware into the wild in volume, and one affecting PCs that are part of a botnet, where a specific bot variant can be mutated remotely via a command over HTTP. This is called crimeware as a service because the viral code does not reside on the host but in the cloud, similar to a software-as-a-service platform. In other words, CaaS provides malware on demand to the infected host.

For the complete article, which I wrote, please see the posting at SC Magazine online.

So what's all this talk of Clickjacking?

September 30, 2008

There has been a lot of talk recently about this new cross-browser vulnerability known as “Clickjacking”, but what is the potential impact of such a vulnerability on users at large?

Essentially, the exploit allows a hacker to take control of the links your browser visits. If you come into contact with a malicious site, or a site tainted with malicious code (through spam, a SQL injection, etc.), the hacker gains the ability to ‘capture’ your clicks and thus trick you into clicking on links you never intended to click. At this time technical details are a little sketchy in terms of specific exploit code, but some information is available here and here.

One can only guess what happens next once you are forced to click on a link; installation of a Banker Trojan or other malware is certainly a possibility.
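Clickjacking works by loading the target page inside a frame on the attacker's page, so the first thing a defender checks is whether a page can be framed at all. The audit helper below is an added example, not code from the original post; it reads the anti-framing response headers (CSP `frame-ancestors` and `X-Frame-Options`) and assumes Node.js, with every header value in the tests being a constructed sample.

```javascript
// Added example, not code from the original post: answers "can another origin
// frame this page?" from its response headers. Assumes Node.js (URL class);
// all header values used with it here are constructed samples.

function originParts(origin) {
  const u = new URL(origin);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { origin: u.origin, scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Does one CSP source expression ('self', https:, *, https://*.example.org:8443)
// match the embedding origin?
function sourceMatches(src, page, embed) {
  const s = src.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return page.origin === embed.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embed.scheme === s.slice(0, -1); // scheme-only source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== embed.scheme) return false;
  if (wildcard ? !embed.host.endsWith("." + host) : embed.host !== host) return false;
  return !port || port === "*" || port === embed.port;
}

// headers: plain object of response headers (names in any case).
// Returns { framed: boolean, reason: string } for embedOrigin framing pageOrigin.
function canBeFramed(headers, pageOrigin, embedOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const page = originParts(pageOrigin), embed = originParts(embedOrigin);

  // When a CSP frame-ancestors directive is present it takes precedence over X-Frame-Options.
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    if (sources.length === 0 || sources.some(s => s.toLowerCase() === "'none'")) {
      return { framed: false, reason: "frame-ancestors forbids all framing" };
    }
    const ok = sources.some(s => sourceMatches(s, page, embed));
    return { framed: ok, reason: `frame-ancestors ${ok ? "permits" : "rejects"} ${embed.origin}` };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { framed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") return { framed: page.origin === embed.origin, reason: "X-Frame-Options: SAMEORIGIN" };
  // Missing, malformed or deprecated (ALLOW-FROM) values are treated as frameable:
  // browsers ignore what they cannot parse.
  return { framed: true, reason: xfo ? `unrecognised X-Frame-Options "${xfo}"` : "no anti-framing header" };
}
```

A page that returns neither header, or a malformed one, is reported as frameable, which is exactly the state a clickjacking page relies on.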

The increase of adware in the third Quarter

September 29, 2008

In …more and more Rogue Antivirus we promised you some figures showing the increase of adware this quarter.

In this figure you can see that adware shows the biggest increase at the moment. Adware started the year at 28.58% and is now very close to 40%.

This amazing growth is due to the new fake/rogue antivirus applications…

  

Why Companies Should Invest in Cloud Computing

September 25, 2008

Recently I have been getting a number of questions concerning the cost savings of a security-as-a-service (SaaS) model versus a traditional on-premise solution. While there are certainly a number of direct benefits to the end user (easier to use, and upgrades are usually transparent), for the purpose of this article I want to elaborate on the most important one: “reducing the total cost of ownership (TCO) via the outsourcing of security services”.

So what exactly is meant by reducing the total cost of ownership? According to industry analysts, a good portion of small to medium-sized companies outsource their security services to a third-party provider. Obviously this strategy has real benefits, especially for companies that lack the technical ability to manage and maintain an on-premise anti-malware solution.

As a result, we’re seeing a lot of SMBs outsource their desktop anti-malware requirements to a managed service provider and/or adopt a Security-as-a-Service model. This reduces complexity and time-to-market when implementing new security technologies, and maintaining the solution does not require a high degree of skill.

Because SaaS traditionally hasn’t resided on-premise, it takes the overhead of managing and maintaining a complex myriad of technologies and places the responsibility with the provider.

Take for example a small medical facility with 100 employees. If we factor the following variables into the equation, we can clearly see the reduction in TCO, as a SaaS model eliminates a number of headaches associated with a traditional on-premise model:

* Eliminates the need for the additional hardware or resources required to manage and maintain the anti-malware solution.

* Upgrades are usually transparent; thus the need to dedicate time and resources to upgrading from one version to another is no longer present.

Anatomy of a Data Breach

September 25, 2008

In 2007 and 2008 the industry has seen an upsurge in data breaches affecting millions of consumers and causing corporations to pay heavily in fines.

Data breaches can expose consumer information in a number of different ways that vary in complexity. The common distinction drawn is between data extracted from stolen physical assets and actual (electronic) breaches of perimeter security.

While stolen assets certainly account for a number of cases, we are seeing electronic breaches account for some of the most famous incidents of 2007 and 2008:

1. TJ Maxx 
2. Monster.com 
3. Hannaford Bros

In fact, the financial community experienced twice as many incidents in 2008 as in all of 2007, according to a study conducted by the Identity Theft Resource Center (ITRC). These incidents occur alongside regulatory laws that were supposedly designed to mitigate and reduce the risk window and avoid such embarrassing situations.

Take for example an organization that had been PCI compliant for years but suffered a data breach in which hackers placed targeted malware on the credit card processing servers of a major retailer. The question the security team has to ask itself is: “Why didn’t my current anti-virus solution detect the threat?” I have an interesting hypothesis on this subject that can be found in the article “Regulatory Compliance and the Real Risk of Undetected Malware.”

In 2008, implementing measures to protect against data breaches will be critical to the long-term survival of any corporation. It’s not a matter of if you will be breached but a matter of when; therefore, the primary goal must be to significantly reduce the acceptable loss and mitigate the window of risk.

The risk window can be significantly reduced by implementing better information assurance standards that at minimum address the following:

1. Security audits that include more than just a vulnerability assessment or a penetration test when verifying whether controls are adequate, and that also assess for existing breaches relating to undetected malicious code.
2. Don’t rely on anti-virus alone, as it protects you against only a small fraction of potential threats and will not detect targeted attacks. Take advantage of best-of-breed proactive security (HIPS or anomaly detection systems).
3. Use a multilayer approach when protecting assets (perimeter, messaging and end-point layer).

…more and more Rogue Antivirus

September 19, 2008

As you probably know, in the last few months the number of new fake/rogue antivirus applications has grown a lot. Right now we are finishing the latest quarterly report, and while playing with the statistics we've found that detected adware has grown from about 22.03% in Q2 to an amazing 37.49%, and this is due to these annoying programs.

I don't know if the current financial crisis has something to do with this, with the bad guys realizing that banks are not quite healthy right now. Perhaps that's why they are targeting users in a more direct way; in any case, what is certain is that these attacks are growing exponentially.

This is one of the latest ones that has shown up in the lab:

Next week we'll show you some figures and more interesting stuff.

Thanks a lot to Asier Martinez for the sample!!

"Constructing" bad things

September 11, 2008

In June, we talked about an application (Constructor/Wormer) whose main function was to turn an executable file into a worm, giving it the capacity to spread itself. Even though its aim was to give a Trojan the spread capability of a worm, it worked with any executable file.

And now we have found a new application called Constructor/YTFakeCreator.

YTFakeCreator allows the creation of fake YouTube websites with the aim of deceiving users and distributing malware through them.

The malware that is distributed can be of any type: worm, Trojan, virus, adware, etc.

This application has a configuration menu (in Spanish) which allows the user to select the location of the malicious file, the warning message displayed in the fake website and the properties of the video, among other options.

The following image belongs to the configuration menu: 

Then, two files are created: one of them is the fake YouTube website (Index.html) and the other is the error page displayed once the malware has been downloaded (Error.html):

The fake YouTube websites created with this tool look like this:

 

In this case, the user is required to download a fake plugin, but the message can be different.

If the message is followed, the malware selected with the tool will be downloaded.

Then, an error message like the following is displayed in order to avoid users' suspicion:

 
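The pages this kit produces share three observable traits: YouTube branding served from a host that is not YouTube, a message asking the visitor to download or install a plugin to watch the video, and a link to an executable. The heuristic below turns those traits into a gateway-style check; it is an added example, not code from the original post or from the tool, runs in Node.js, and the sample page and hostnames in it are constructed placeholders.

```javascript
// Added example, not code from the original post nor from the tool it describes:
// a gateway-style heuristic for lure pages of the kind YTFakeCreator generates.
// Node.js; the sample page below is constructed and the hostnames are placeholders.

const VIDEO_HOSTS = /(^|\.)(youtube\.com|youtu\.be)$/i;
const EXE_LINK = /\b(?:href|src)\s*=\s*["']?([^"'\s>]+\.(?:exe|scr|pif|bat|msi|cmd))\b/gi;
const PLUGIN_WORDS = /\b(?:plug-?in|codec|flash player|video player|activex)\b/i;
const ACTION_WORDS = /\b(?:download|install|update|required|need)/i;

// Strip scripts and tags so the regexes see what the visitor reads.
function extractText(html) {
  return html.replace(/<script[\s\S]*?<\/script>/gi, " ").replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
}

// The lure message puts "plugin" and "download/install" in the same sentence.
function hasPluginLure(text) {
  return text.split(/[.!?]+/).some(s => PLUGIN_WORDS.test(s) && ACTION_WORDS.test(s));
}

// Returns { verdict, findings, downloads } for one page fetched from `hostname`.
function assessLurePage(html, hostname) {
  const findings = [];
  const text = extractText(html);
  if (/youtube/i.test(text) && !VIDEO_HOSTS.test(hostname)) {
    findings.push(`YouTube branding served from ${hostname}`);
  }
  if (hasPluginLure(text)) findings.push("asks the visitor to download/install a player plugin");
  const downloads = Array.from(html.matchAll(EXE_LINK), m => m[1]);
  if (downloads.length) findings.push(`links to executable file(s): ${downloads.join(", ")}`);

  // All three signals together is the lure pattern; an executable plus one other
  // signal is worth a closer look; branding alone (a blog embedding a video) is not.
  let verdict = "clean";
  if (findings.length === 3) verdict = "lure";
  else if (downloads.length && findings.length === 2) verdict = "suspicious";
  return { verdict, findings, downloads };
}

// Constructed sample modelled on the Index.html described above (not a real page).
const SAMPLE_LURE = `<html><head><title>YouTube - Broadcast Yourself</title></head><body>
<div class="logo">YouTube</div><h2>Funny cats video</h2>
<p>You need to download the latest video plugin to watch this video.</p>
<a href="http://video-host.invalid/plugin_setup.exe">Download plugin</a></body></html>`;

console.log(assessLurePage(SAMPLE_LURE, "video-host.invalid"));
```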

Microsoft Security Bulletin Summary for September 2008

September 10, 2008

As on every second Tuesday of the month, Microsoft has published the September security bulletins.

Below you can see the description of the 4 bulletins rated as critical, as well as the links:

 

More info: Microsoft Security Bulletin MS08-054

More info: Microsoft Security Bulletin MS08-052

More info: Microsoft Security Bulletin MS08-053

More info: Microsoft Security Bulletin MS08-055

We recommend that you update your system as soon as possible.

Playing Chrome

September 5, 2008

A few days ago Google presented their brand new browser, Google Chrome. As soon as it was released, security researchers from everywhere tried to discover security holes. We've been playing with it as well, and it took us just a few minutes to discover how to make it crash; you can watch it in this video:

It is still in beta, so it will probably be fixed soon, as will the other errors that have been discovered. Many people have already installed it; you can see some nice stats here.

Kudos to David Sánchez Lavado!