The Biggest Security Vulnerability: The Wetware – Input Output
If you try to keep up on the latest in security developments, then you know those three dreaded words: Zero-day threat. It has become a commonly-used phrase, one that makes for great headlines.
A zero-day exploit is one where there is no time – zero days – between the time the vulnerability is discovered by hackers and when the first attack takes place. There is usually no defense against these security vulnerabilities since no one has invented a patch or other fix – or even knew, until today, that one was necessary.
So you’d think that with all the screaming headlines on tech news sites about new zero-day exploits found in the wild, along with reports about how Microsoft (or whichever company) is scrambling to find a fix, that these security breaches would be a major source of computer security problems IT has to deal with on a daily basis.
And you’d be wrong, says Microsoft.
Twice a year, the company releases…
via The Biggest Security Vulnerability: The Wetware – Input Output.
Indestructible rootkit enslaves 4.5m PCs in 3 months
One of the world’s stealthiest pieces of malware infected more than 4.5 million PCs in just three months, making it possible for its authors to force keyloggers, adware, and other malicious programs on the compromised machines at any time. The TDSS rootkit burst on the scene in 2008 and quickly earned the begrudging respect of security experts for its long list of highly advanced features. It is virtually undetectable by antivirus software, and its use of low-level instructions makes it extremely hard for researchers to conduct reconnaissance on it. A built-in encryption scheme prevents network monitoring tools from intercepting communications sent between control servers and infected machines…
via Indestructible rootkit enslaves 4.5m PCs in 3 months • The Register.
Microsoft Standalone System Sweeper Beta | Microsoft Connect
LiveCD, DVD, or USB (bootable media)
Microsoft Standalone System Sweeper Beta is a recovery tool that can help you start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware. In addition, Microsoft Standalone System Sweeper Beta can be used if you cannot install or start an antivirus solution on your PC, or if the installed solution can’t detect or remove malware on your PC.
Microsoft Standalone System Sweeper Beta | Microsoft Connect.
Is Your Computer Listed “For Rent”?
When it’s time to book a vacation or a quick getaway, many of us turn to travel reservation sites like Expedia, Travelocity and other comparison services. But there’s a cybercrime-friendly booking service that is not well-known. When cyber crooks want to get away — with a crime — increasingly they are turning to underground online booking services that make it easy for crooks to rent hacked PCs that can help them ply their trade anonymously.
We often hear about hacked, remote-controlled PCs or “bots” being used to send spam or to host malicious Web sites, but seldom do security researchers delve into the mechanics behind one of the most basic uses for a bot: to serve as a node in an anonymization service that allows paying customers to proxy their Internet connections through one or more compromised systems…
Limiting Exploit Capabilities by Using Windows Integrity Levels
What Are Windows Integrity Levels?
Microsoft designed Windows integrity levels as a mechanism for enforcing mandatory access controls, which apply even when access would be granted according to the traditional discretionary controls that we’re accustomed to. According to Microsoft:
“The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs).”
This means that integrity levels can restrict one process from interacting with another process even if both processes are running under the same user account and even if the user has administrative privileges.
via Limiting Exploit Capabilities by Using Windows Integrity Levels.
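As an added illustration of the mechanism described above (this is not code from the linked article), the following PowerShell snippet reads the integrity label of the current process token, then labels a constructed test file Low with icacls and reads the label back. It assumes Windows Vista or later and that .NET exposes the mandatory label SID (S-1-16-*) in the token’s group list, as whoami does.

```powershell
# Added example: inspect and set Windows integrity labels (Mandatory Integrity Control).
# Assumes a Windows host; run from an ordinary (medium-integrity) PowerShell prompt.

function Get-ProcessIntegrityLevel {
    # The label SID S-1-16-<RID> encodes the level: 0x1000 Low, 0x2000 Medium,
    # 0x3000 High, 0x4000 System. Assumption: .NET lists it among the token groups.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $labelSid = $identity.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $labelSid) { return 'Unknown (no S-1-16 SID in token groups)' }
    $rid = [int]($labelSid.Value -replace '^S-1-16-', '')
    switch ($rid) {
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { "Unknown (RID $rid)" }
    }
}

function Get-FileIntegrityLabel {
    param([string]$Path)
    # icacls prints the mandatory label as "Mandatory Label\<Level> Mandatory Level:(NW)".
    # An object with no explicit label is treated as Medium by the integrity mechanism.
    $line = icacls $Path | Select-String 'Mandatory Label' | Select-Object -First 1
    if ($line) { return ($line.Line -replace '.*Mandatory Label\\', '').Trim() }
    return 'Medium (implicit, no explicit label)'
}

# 1. Integrity level of this process, cross-checked against whoami's view.
"Process integrity level: $(Get-ProcessIntegrityLevel)"
whoami /groups /fo list | Select-String 'Mandatory Label'

# 2. Constructed test file: label it Low, so a low-integrity process (e.g. a sandboxed
#    browser) could write it, while objects left at Medium stay protected from it.
$testFile = Join-Path $env:TEMP 'mic-demo.txt'
Set-Content -Path $testFile -Value 'integrity label demo'
"Before: $(Get-FileIntegrityLabel $testFile)"
icacls $testFile /setintegritylevel Low | Out-Null
"After:  $(Get-FileIntegrityLabel $testFile)"

Remove-Item $testFile -Force
```

The “(NW)” in the icacls output is the No-Write-Up policy: processes below the object’s level are denied write access regardless of what the DACL would grant, which is exactly the restriction the article relies on.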
Cleaning house
There are times as a security professional you have to roll up the sleeves and get your hands dirty to make sure some of the basics are applied to the environment we’re looking after. As a common example, most of us have had to patch the odd Windows machine, or three, to help out a friend to make sure they’re safe and up to date from the various nasties out there.
What happens when you’re presented with forty-seven Windows XP computers: all networked, in a Windows workgroup, with varying levels of patches installed, hardly any internet connectivity and a limited time frame to get them to a current patch level? Now throw in that every machine is infected and the infection is causing embarrassing and crippling problems for the users.
Here’s my solution; if you have a better one, or helpful pointers, feel free to comment.
Yet another rogue anti-virus
Remember four years ago when the “Fake Codec” scam managed to infect even large corporations? The bad guys still try this approach every now and then, but their most successful “invention” to date is clearly the fake anti-virus. We’ve been covering it repeatedly for the past two or three years now, and it is still going strong. If an attack vector stays the same for years, it can only mean one thing: it is netting the bad guys enough money that they don’t feel the urge to innovate.
Balancing Risk
Security continues to be a balance between providing users with features and mitigating risk. Client-side vulnerabilities seem to be the hole that many of us are stuck spinning our wheels in.
Rogue Turning Retrovirus | Symantec Connect
It’s fairly well known that different types of malware can “kill” security products in various ways. These kinds of malware are known as retroviruses. In order to step things up a notch, some risks are utilizing legitimate software uninstallers to trick users into uninstalling legitimate security products. A new variant of the Trojan.FakeAV threat has been using this technique to install a newly released clone of the CoreGuard Antivirus security risk, called “AnVi Antivirus”. In this case, the Trojan is utilizing this social engineering technique to trick users into uninstalling many well-known security products, including solutions by Symantec, Microsoft, AVG, Spyware Doctor, and Zone Labs, before installing AnVi Antivirus…
MS: Some Observations on Rootkits
Getting hit by a live rootkit infection is among the more unfortunate fates that can befall an unsuspecting computer user. A rootkit burrows deep into the system, modifying it at a low-level in order to hide itself and other malware, and from there fights off attempts at deactivation and removal. While real-time protection can block the rootkit from becoming active to begin with, if the computer is already infected by a rootkit, things get more interesting. Antimalware technologies must use sophisticated techniques to scan for and detect, and finally to remove, a lurking rootkit. In reviewing the telemetry we receive from some of our antirootkit-related features, a few interesting things stand out.
http://blogs.technet.com/mmpc/archive/2010/01/07/some-observations-on-rootkits.aspx