IT Defense In Depth Part I – Anti-Virus

In the 1930s, France built a trench network called the Maginot Line to rebuff any invasion. The philosophy was simple: if you map out all the places an enemy can attack, and lay down a lot of men and fortifications at those places, you can rebuff any attack. The problem is, you can’t map every possible avenue for attack.

What does this have to do with IT defense and security? Today many business owners install an antivirus program as their Maginot Line and call it a day. However, there are many ways to get into a network that circumvent antivirus software. Hackers are creating viruses faster than antivirus programs can recognise them (about 100,000 new virus types are released daily), and professional cybercriminals will often test their creations against all commercially available platforms before releasing them onto the net. Even if you had a perfect antivirus program that could detect and stop every single threat, there are many attacks that circumvent antivirus programs entirely. For example, if a hacker can get an employee to click on a compromised email or website, or “brute force guess” a weak password, all the antivirus software in the world won’t help you.

There are several vulnerabilities a hacker can target: the physical layer, the human layer, the network layer, and the mobile layer. You need a defense plan that will allow you to quickly notice and respond to breaches at each level.

The physical layer refers to the computers and devices that you have in your office. This is the easiest layer to defend, but it is exploited surprisingly often. Here are a few examples:...
CryptoLocker Attack On An Unprepared SMB – Part 2

First off, I’d like to open by saying that upon further analysis, it appears that our client may have actually been infected by CryptorBit. CryptorBit is basically just a knock-off of the very profitable Cryptolocker, so from an infection-prevention standpoint, they’re equivalent. This just goes to show how quickly malware evolves! I will continue to use Cryptolocker as the general term, since the behavior of all of the various knockoffs follows roughly the same template.

Last week we discussed how Cryptolocker operates, and how to recover from it. This week, we will be going through a few ways to prevent a Cryptolocker infection in the first place, and how to harden a network to mitigate damage should an infection occur. First up, prevention.

Preventing Infection

Don’t open e-mail attachments from people you don’t know. This is computer safety 101 – there’s no reason for a stranger to send you an e-mail attachment unannounced. At the moment, most Cryptolocker payloads are disguised as packages of invoices from financial institutions, with scary messages about account closures and final notices.

Don’t open zip files or other archives from people you DO know, unless they were explicitly expected. E-mail accounts can be compromised, and zip files are the most dangerous sort of attachment. If someone needs to send you something zipped up, then they should let you know beforehand. If you receive a zip file unannounced, call or e-mail the person back to make sure that it’s actually from them. The reverse is also true – if you need to send something zipped to someone, call ahead to let them know to expect...
CryptoLocker Attack On An Unprepared SMB – Part 1

Last week one of our clients was hit by Cryptolocker, a nasty piece of ransomware which is currently one of the biggest security threats to unprepared companies all over the world. Luckily, we had this client well prepared to recover from this sort of attack. This will be a two-part post, with part one focusing on what happened, and how we recovered from it. Part two will focus on how to properly harden networks against this sort of attack, and how to avoid infection in the first place.

Cryptolocker

Thursday at 12:41pm the client’s network was attacked by a malicious piece of software called Cryptolocker. This is a particularly virulent strain of ransomware, which takes all of your data files hostage and demands payment. It is currently the leading threat to networks throughout the world, and it is by some reports earning its creators millions of dollars.

Briefly, Cryptolocker works like this: a user is tricked into running a malicious program, which begins running in the background on their computer. This program begins encrypting all of the documents it can find, both on the local machine and anywhere on the network it can reach. Once it’s finished its work, it displays a warning screen, with a 30-day timer counting down. If you don’t send the creators hundreds (sometimes thousands!) of dollars, they delete the code that would allow you to ever recover your files. Payment is demanded in the form of bitcoin, a novelty cryptocurrency which is very popular in the criminal world due to the extreme difficulty in tracing payments to specific individuals.

Reaction Time Is Critical...
Linux Worm Causing Havoc On Mobile Devices

It’s not often that you hear about a Linux worm going around the Internet. The more you hear about it, the more you realize it’s happening to everything from mobile devices such as Android OS to old, outdated firmware that has not been properly maintained. In this case, I’d like to introduce you to a Linux worm named Linux.Darlloz, a worm that exploits improperly maintained firmware.

The Linux Worm Targets Hardware

What the worm does is exploit old, unpatched PHP code found in hardware such as routers, cameras, even older models of smartphones! When I say old, we’re talking only two years old, but this vulnerability may have been closed up in firmware updates. If you’re currently running on a phone or router that came out this year, the chances are you’re less likely to be affected by this. Hardware purchased within the past two years may have a firmware update that you will want to immediately download and install on your device. Older hardware starts to become an issue, however, as support may have stopped.

How It Works

After the worm exploits the code in, as an example, a router, it begins generating IP addresses randomly. It then accesses a specific path and starts trying well-known usernames and passwords (an example of well known on a router is “admin” and “admin” for the login name and password). After it guesses right, it opens up a backdoor on your device to download the worm from a malicious server and then begins looking for a new target.

Update Your Router Password

At this point is where I will...
Avoid Viruses? Adult Sites #1 Culprit On Company Computers

Knowing how to avoid viruses is one of the number one questions every workplace has. However, most do not realize that visiting adult websites while on their work network is the number one way to infect the network. Did you know that 40% of all executives’ company workstations that contracted malware got it from an adult site they visited? That’s nearly 1 in every 2 workstations that get cleaned got malware from adult sites. But why is that?

Avoid Viruses; Wait Till You’re Home

Before I go any further I just want to point out that I’m not judgemental about what sites you visit at home off schedule. That’s your business. What I am getting at is why not only can you not wait till you’re at home, but also why use the same workstation you use to do your work to visit adult sites? I may be able to answer the latter question for some of you. 36% of companies have a BYOD policy. So you come into work using your own personal laptop, and you assume that since it’s your personal laptop you can do whatever you want with it, right? Well sure, but your laptop or tablet is connected to your company’s network, allowing any viruses you may have on your system to invade that network and spread to other computers.

Don’t Use Work Computers For Personal Use

Now for the rest of the work force population who are visiting adult sites on company issued workstations, stop. Just stop. This isn’t even about moral decisions but how to avoid viruses and not put your workstation, and quite possibly...
Android Malware Making Rounds With BadNews

Android users beware. There is malicious code that has been getting into legitimate apps and infecting Android smart phones. The Android malware, named BadNews, is a trojan designed to slip into legitimate software you have installed through Google Play’s update functionality. It does not give any indication on your phone that anything is wrong, but behind the scenes it is sending personal data out to a rogue server. This data includes things such as phone numbers, your phone’s unique serial number, or your phone’s IMEI (International Mobile Station Equipment Identity).

No Notification Of The Infection

People that have downloaded the malware code may have been prompted to install a program called AlphaSMS. This software is a trojan that, when installed, sends out text messages to pay services. There is no notification that it happened when it does.

Android Malware In The App Store

For those that are wondering, “How did this Android malware get in the app store in the first place?!” The truth is BadNews is cunning. Google has what’s called Bouncer in place. Bouncer is a cloud based service that scans software that comes through to the Google Play store for malicious code. Legitimate software is making it through Bouncer just fine. However, BadNews gets injected into the software after it has gotten past Bouncer.

Numerous Apps Have Been Infected

Google reports that 35 apps have been infected, and the infected apps have been downloaded anywhere between 2 million to 9 million times already. 32 of the 35 apps have been confirmed removed, according to Google. 3 apps remain on Google Play however, and no one...
Skype Ransomware Asks "lol is this your new profile pic?"

Are you a Skype user? Are you aware of the recent Skype ransomware that’s making its rounds? Did you get a message recently that was from one of your contacts and looked something like, “lol is this your new profile pic?” with a weird-looking URL next to it? If so, please tell me you did not click that link. If you have not gotten this message, you’re fortunate so far. This is a social engineering message that has you download a ZIP file that installs what is called “ransomware.”

What Is This Skype Ransomware?

Ransomware, like malware, is a virus that installs onto your computer and allows a back door into it so that a remote attacker can lock you out of it and force you to pay a ransom in order to regain access to your computer. Ransomware can come from anywhere; this particular one that’s rotating through Skype displays the message that if you do not pay a ransom of $200 within 48 hours, files will begin being deleted. Skype officials have already said they are aware of this activity and are working to mitigate the impact, but they strongly urge anyone using Skype to upgrade to the latest version of it and to apply updated security features to avoid this Skype ransomware.

Don’t Click Suspicious Links

So what can we Skype users take away from this incident? The exact same thing applies even here regarding not being socially engineered and not clicking suspicious links. Let’s be hypothetical here for a moment and say that the user is online, you just got this...
Mac OS X AntiVirus: 5 Picks To Protect Your Mac

The impenetrable, malware-invulnerable, virus-invincible Mac OS X has finally shown it is in danger of being infected. The Flashback virus was certainly the biggest example and should be a sign of the need for a Mac OS X AntiVirus. But which one do you choose? Don’t worry. Here are five anti-virus programs for OS X.

5 Mac OS X AntiVirus Options

Kaspersky Mac OS X AntiVirus: Not only is this anti-virus program robust, but Kaspersky literally is as easy to use as the saying, “Push button, receive bacon.” Or in this case, receive protection.

Intego VirusBarrier X6: If one button was not enough for you, well what about all the buttons, ever?! Okay, maybe not all of the buttons, but Intego has a lot more interactive features to it than Kaspersky. For the novice user you may not want to go with this one, as you could get overwhelmed with how many different options there are. It’s also not the most user friendly option. But for what it does (scan for viruses, real time scans, and fraudulent website checks) it does it well.

F-Secure Mac OS X AntiVirus: F-Secure really doesn’t sound like that great of an option from what I’ve been researching. It falls in between Kaspersky’s and Intego’s antivirus programs for accessibility. However, there are reports stating that F-Secure may do more harm than good, to the point of decreasing performance to noticeable and irreparable levels. I would suggest steering clear of this one, as there are better options.

Sophos Mac OS X AntiVirus: First let me mention right away that Sophos is a free...
DNSChanger Malware: Ready For July 9th?

Recently news came about that on July 9th, approximately 330,000 computer owners worldwide, PC and Mac alike, will not have internet due to the DNSChanger malware. 77,000 of these computers are in the US alone. All because of the DNSChanger malware that hit 4 million systems last year. What it does is change the DNS servers your computer sends traffic to in order to translate a website address to an IP address. Instead of going to, say, the DNS servers your ISP has assigned to you, it goes to this rogue DNS server. Changing the DNS addresses manually does not work either, because they will just revert back to what they were.

Why July 9th?

Back in November 2011, the FBI arrested the crime ring that was responsible for the malware. However, there were still a number of systems infected with the DNSChanger malware. Since these computers were still directing to the malicious DNS, the FBI set up a temporary fix that allowed the infected computers to still be able to access the Internet. The original date to shut down these servers was March 8th. At that time, there were an estimated 450,000 computers still infected, so the date was pushed back to July 9th. Once the FBI removes these servers, any infected computers will not be able to access the Internet. Therefore, it is important that you understand if you are infected with the DNSChanger malware and how to remove it.

The DNSChanger Malware Warning On Google

At the time of this writing, Google has a post up on their website that only affected users of the DNSChanger malware can...
Number Of Viruses: How Many Are Out There?

Have you ever wondered why your antivirus seems to update every day, even multiple times a day? Maybe you ask yourself, “How can there possibly be that number of viruses?” In 2008, Computerworld predicted that the total number of viruses would rise to over 1 million by 2009. In fact, the number of viruses in 2009 was a bit higher: 1.5 million wholly new viruses were detected that year alone. According to the latest reports released from one of the leading antivirus software makers, Symantec, their current virus definitions file has over 17 million distinct signatures. That sounds completely unreal; is that really the number of viruses floating around out there, though?

Number Of Viruses: How Many Are There?!

From a base perspective, there aren’t really that many; virus makers use a set of techniques called Obfuscation, Packaging, and Other Platforms which skew the numbers.

1.) Obfuscation

No matter how it’s achieved, the object of obfuscation is to mask the viruses’ signatures such that your antivirus can’t tell them apart from another, innocuous piece of code. Since computers are such an open platform (you can make anything!), detecting viruses is tricky. This usually consists of researchers catching a virus with a honey-pot system (think Winnie the Pooh and his jars), then extracting a signature that they can use to recognize the virus again in the future. By changing the code, the viruses can slip through.

2.) Packaging

Another set of detection rules exists for Packaging. These are code ‘wrappers’ that deliver the virus payload to your computer. Often, the writer will tweak the Packaging to net more users, or to...