An Interesting Bypass

September 30, 2010

I was analyzing a piece of malware the other day and came across a unique method to place malware locally on a host without using the network to transfer it. This is something that is so simple in design, and yet so effective in its delivery. Let’s take a closer look.

To get the malicious file, one would simply need to visit or open malicious HTML content. Okay, we’ve heard of this before: bad sites and unexpected emails are breeding grounds for bad stuff. Of course you know to stay away from those things, and of course you should have the Internet security settings locked down, or at the least have them set to warn.

In fact, when viewing the HTML in Internet Explorer, we do get the warning about restricting the file from showing active content.

Cool. That offers a bit of relief to those who have taken some precautions or at least have left the Internet Explorer defaults, so they will have a forewarning. (A little social engineering may still allow success, but that’s a whole other discussion.)

Let’s say for argument’s sake that you didn’t have minimum protection, or got social-engineered. (This would never happen, right?)

If you did allow the content to run, the malware would start to build a text file using simple commands by echoing and then piping hex into a file. In the code below you will notice the MZ header being added:

objShell.Run "cmd /c echo 4d 5a… >> textfile.hex"

The malware continues until the file is complete:

objShell.Run "cmd /c echo c6 08 d1 00 3a 00 00 00 00 00… >> textfile.hex"

etc., etc.

So now we have a full hex text file, built from the HTML commands and placed onto your desktop. All is done locally. There is no traffic going across the wire; thus this process would bypass network IDS or other network monitors that you may have.

So what does this malicious HTML do next?

I don’t want to go into too many details, but suffice it to say a method is used to turn this hex file into a binary using just two commands.

The only thing left is to run the executable.

It’s as simple as:

objShell.Run "cmd /c Malicious_File.exe"

In the sample I analyzed, the executable was corrupted and could not run. Had it worked, however, the host would now be infected, with no sign of a download.
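A detection-side illustration, added here and not part of the original post: because every stage of this dropper runs as a local cmd.exe command, process-creation logging is where it shows up. The Python below reassembles echo-and-append command lines of the shape quoted above from constructed log entries, flags any target file whose accumulated bytes begin with the MZ header, and applies the same header check to a finished hex text file; the file names and log lines are constructed samples.

```python
import re
from collections import defaultdict

# Shape of the dropper commands quoted in the post:
#   cmd /c echo 4d 5a ... >> textfile.hex
# Group 1 is the run of hex byte pairs, group 2 the file being appended to.
ECHO_HEX_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+echo\s+((?:[0-9a-f]{2}\s+)*[0-9a-f]{2})\s*>>\s*(\S+)",
    re.IGNORECASE,
)


def parse_echo_hex(cmdline):
    """Return (raw_bytes, target_file) if cmdline is an echo-hex-append, else None."""
    m = ECHO_HEX_RE.search(cmdline)
    if not m:
        return None
    # bytes.fromhex ignores the whitespace between byte pairs.
    return bytes.fromhex(m.group(1)), m.group(2)


def find_hex_droppers(cmdlines):
    """Reassemble the appended chunks per target file, in the order seen, and
    return {target_file: bytes} for every file whose content starts with MZ."""
    pieces = defaultdict(bytearray)
    for line in cmdlines:
        parsed = parse_echo_hex(line)
        if parsed is not None:
            data, target = parsed
            pieces[target.lower()] += data
    return {name: bytes(buf) for name, buf in pieces.items() if buf.startswith(b"MZ")}


def hex_text_is_pe(text):
    """Same check applied to the finished hex text file on disk: decode the
    whitespace-separated pairs and look for the MZ header at offset 0."""
    try:
        data = bytes.fromhex("".join(text.split()))
    except ValueError:
        return False  # not a pure hex dump at all
    return data.startswith(b"MZ")


# Constructed process command-line log entries (not from the original post).
SAMPLE_CMDLINES = [
    "cmd /c echo 4d 5a 90 00 03 00 00 00 >> textfile.hex",
    "cmd /c echo 04 00 00 00 ff ff 00 00 >> textfile.hex",
    "cmd /c dir C:\\Users",
    "cmd /c echo 48 65 6c 6c 6f >> notes.hex",  # hex for "Hello": not a PE
]

if __name__ == "__main__":
    for target, data in find_hex_droppers(SAMPLE_CMDLINES).items():
        print(f"{target}: {len(data)} bytes reassembled, header {data[:2]!r}")
```

The hex-pair pattern will also match ordinary words made only of the letters a to f, so in production the MZ check on the reassembled bytes, not the echo pattern alone, should drive the alert.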

The take-away is to be sure you are cautious of active content when visiting websites. This also shows us that malware does not have to be overly technical to bypass certain controls. Ingenuity counts for much; therefore, the fight continues.

As always, browse safely.

Oh yes, we do detect the malicious HTML file as Generic Dropper.xa in our supported DATs.


Global Web 2.0 Report Released

September 27, 2010

Today, McAfee released a report based on a survey of more than 1,000 decision-makers about the use of Web 2.0 technology for business. The report reveals some interesting results (for example, who would have thought the United States is among the countries with the lowest adoption rate, and Germany is the country with the most companies not having policies governing the use of Web 2.0 in place?) and the unsurprising finding that security concerns are the greatest hindrance to adopting Web 2.0 and social networking.

Business leaders worldwide see the value of Web 2.0 in supporting productivity and driving new revenue, but they remain deeply concerned about security threats associated with deploying the technology. The survey of decision-makers in 17 countries found that half of businesses were concerned about the security of Web 2.0 applications such as social media, microblogging, collaborative platforms, web mail, and content-sharing tools. Sixty percent were concerned about loss of reputation as a result of Web 2.0 misuse. Six out of ten organizations have already suffered losses averaging US$2 million, for a collective loss of more than US$1.1 billion in security-related incidents last year. Brazil, Spain, and India led in adoption of Web 2.0 technology for business, while adoption was lowest in Canada, Australia, the United States, and the United Kingdom.

The report, “Web 2.0: A Complex Balancing Act–The First Global Study on Web 2.0 Usage, Risks and Best Practices,” commissioned by McAfee and authored by faculty affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University in Indiana, examines the drivers for Web 2.0 and social networking use in business and assesses their benefits and risks. Overall, the research highlights that although organizations see the potential value of Web 2.0 tools, decision makers continue to debate whether or how to allow employee usage of the technology in the workplace. “Web 2.0 technologies are impacting all aspects of the way businesses work,” said George Kurtz, chief technology officer for McAfee. “As Web 2.0 technologies gain popularity, organizations are faced with a choice: They can allow them to propagate unchecked, they can block them, or they can embrace them and the benefits they provide while managing them in a secure way.”

Key Report Findings:

  • Web 2.0 adoption rates vary across countries. Overall, Web 2.0 adoption rates are high, reaching 90 percent or above in Brazil, Spain, and India. Adoption is lowest in the United States, United Kingdom, Australia, and Canada.
  • New revenue streams are the highest driver of Web 2.0 adoption. Three out of four organizations reported that expanded use of Web 2.0 technologies creates new revenue streams, while 40 percent said the tools have boosted productivity and enhanced effective marketing strategies.
  • Security is the leading concern. Half of respondents named security as their primary concern for Web 2.0. One-third identified fear of security issues as the main reason Web 2.0 applications are not used more widely in their businesses. Companies’ top four perceived threats from employee use of Web 2.0 are malicious software (35 percent), viruses (15 percent), overexposure of information (11 percent), and spyware (10 percent).
  • Reputation damage is the biggest business consequence. Sixty percent of companies reported that the most significant consequence from inappropriate Web 2.0 and social media usage is loss of reputation, brand, clients, or confidence. One-third of respondents reported unplanned investments related to workarounds related to social media in the workplace. Fourteen percent of organizations reported litigation or legal threats caused by employees disclosing confidential or sensitive information, with more than 60 percent of those threats caused by social media disclosures.
  • Many businesses block Web 2.0 rather than put policies in place. Worldwide, 13 percent of organizations block all Web 2.0 activity, while 81 percent restrict the use of at least one Web 2.0 tool because they are concerned about security. Yet almost one-third of organizations reported that they do not have any social media policy in place. A quarter of organizations monitor how staff use social media and 66 percent have introduced social media policies, 71 percent of which use technology to enforce them.

Executives and industry experts who contributed to the research agreed that successful organizational use of Web 2.0 is a complex balancing act. Enterprises must analyze business challenges and opportunities while mitigating the risks and ensure staff training and robust technologies are in place to avoid cyberattacks.

“Web 2.0 and social networking technologies can be used effectively for business,” said Eugene H. Spafford, founder and Executive Director of CERIAS. “But to reap the benefits of Web 2.0, organizations must be proactive about understanding and managing the challenges. That involves putting the right policies in place, and deploying the technology that can enforce those policies.”

McAfee will host a webcast, “Bridging the Web 2.0 Security Gap,” on October 6 at 2 p.m. Eastern time, with Chenxi Wang of Forrester Research. This webcast will cover a recent Forrester Web 2.0 security trends study commissioned by McAfee. The session will help educate enterprise users on protecting their businesses while successfully using Web 2.0 technologies.

“Web 2.0: A Complex Balancing Act–The First Global Study on Web 2.0 Usage, Risks and Best Practices” is available for download at www.mcafee.com.


Stuxnet Update

September 25, 2010

Stuxnet has received a lot of attention since McAfee first blogged about it in July. This post will answer some of the frequently asked questions we’ve received.

Q: What is Stuxnet?
A: Stuxnet is a highly complex virus targeting Siemens’ SCADA software. The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729). It also uses a rootkit to conceal its presence, as well as two stolen digital certificates. Additional information is provided in the McAfee Virus Information Library.

Q: When did it first appear and where was it first reported?
A: The threat was discovered in July, but is believed to have been released a year before. McAfee Global Threat Intelligence (GTI) File Reputation first became aware of Stuxnet components starting in January and several File Reputation detections took place before Stuxnet became widely known in July (Artemis!97FD438F25A4, Artemis!4589EF6876E9, Artemis!CC1DB5360109). Early telemetry showed the highest concentration in the Middle East.

Q: What is McAfee’s product coverage for the threat?
A: There are many aspects to Stuxnet, including two recently patched vulnerabilities, and two yet-to-be patched privilege-escalation vulnerabilities. Coverage of the two announced vulnerabilities follows:

CVE-2010-2568

Product coverage:
DAT FILES: Coverage for known exploits is provided as “Stuxnet” and “Exploit-CVE2010-2568” in the current DATs. Updated coverage is provided as Downloader-CJX.gen.g in the 6057 DATs, released July 28.
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope.
HOST IPS: Out of scope.
NETWORK SECURITY PLATFORM: The sigset release of December 29, 2005, includes the signature “SMTP: Suspicious .Lnk Attachment Found.” The sigset releases of July 20 include the signatures “HTTP: Windows Shell Shortcut LNK File Parsing Vulnerability,” “HTTP: lnk File Download Detected,” and “NETBIOS-SS: lnk File Access Detected.” All four provide coverage.
VULNERABILITY MANAGER: The FSL/MVM package of July 16 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Coverage for known exploits is provided as “Stuxnet,” “Downloader-CJX.gen.g,” and “Exploit-CVE2010-2568” in the current Gateway Anti-Malware Database update.
REMEDIATION MANAGER: The V-Flash of July 23 contains a remedy for this issue.
FIREWALL ENTERPRISE: Partial coverage is provided via the McAfee Firewall Enterprise’s TrustedSource component, which will filter or block URLs associated with known exploits and malware. Detection for known exploits (and malware variants) is available via the anti-virus component of McAfee Firewall Enterprise.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

CVE-2010-2729

Product coverage:
DAT FILES: Out of scope.
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope.
HOST IPS: Out of scope.
NETWORK SECURITY PLATFORM: Signature 2272, “Possible Print Spooler Service Impersonation Attempt Detected,” provides coverage for code-execution exploits. The sigset release of September 14 includes the signature “NETBIOS-SS: Microsoft Windows Print Spooler Service Impersonation Vulnerability,” which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of September 14 includes a vulnerability check to assess if your systems are at risk.
REMEDIATION MANAGER: An upcoming V-Flash will contain a remedy for this issue.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

Coverage of the malware itself:

Stuxnet

Product coverage:
DAT FILES: Initial coverage of “Stuxnet” was included in the 6045 DAT files, released July 16. Expanded coverage was last updated in the 6053 DAT release of July 24. Rootkit components will be detected as “Generic Rootkit.d.”
WEB GATEWAY: Coverage is provided as “Stuxnet” in the current Gateway Anti-Malware Database update.
MCAFEE APPLICATION CONTROL: Proactively secures against this new malware vector by virtue of whitelisting and memory-protection capabilities. McAfee Application Control will not allow any driver to load or execute unless it is specifically on the whitelist.

Product coverage information has been previously communicated through the free McAfee Labs Threat Advisory service and Virus Information Library.

Q: How does McAfee Global Threat Intelligence (GTI) help protect me against this threat?
A: McAfee GTI File Reputation can identify and block all malware files associated with the Stuxnet worm. In addition, GTI Web Reputation and Network Connection Reputation prevent outbound connectivity to Stuxnet’s command servers, which are used for uploading confidential SCADA data collected by Stuxnet malware from industrial-control systems.

Q: If I have discovered a file identified as Stuxnet on my computer or in my environment, does that mean I was targeted by the creators of the threat?
A: Not necessarily, for a couple of reasons:

  1. Although Stuxnet targeted SCADA systems, it also spread through removable media, such as USB devices, via a previously unknown Windows vulnerability, allowing nontargeted systems to be a carrier of the virus. Thousands of McAfee consumer product users have reported binaries that were intended to target systems running Siemens industrial-control systems.
  2. Once the Stuxnet attack vector became known, unrelated attackers started exploiting the same vector. Generic detection signatures can overlap with the initial attack such that other attacks are detected under the Stuxnet name. Although McAfee chose to name generic signatures separately from the signature detecting the original attack binaries, other vendors may not have done so. More than 1,000 binaries have been flagged by various vendors as Stuxnet over the past few months.

Tune in later for additional Stuxnet-related information.


“A very warm invitation to you,” Courtesy of a Mass-Spam Run

September 17, 2010

McAfee Labs has been monitoring a spam run that was launched earlier today. The message follows:

Subject: A very warm invitation to you

Body:

Hello,

Hope your week has been wonderfull well.  I would like to extend a very warm invitation to you to the Verbum Dei Missionary Festival this Sunday, September 19.

With a lot of support and collaboration from groups of people we work with in the Bay Area, an international spread of food
will be served at the festival.  Besides the spread, cultural and folkloric performances, music, games for children, and activities will be part of the day’s programme.
This once a year event brings all of our friends and family from around the Bay Area, an expression of the internationality of our community, mission and work here.  At the same time, the festival is also a fund-raising initiative open to all, which is important for us in the ongoing Verbum Dei mission here in the Bay Area.

I really look forward to your coming to be able to catch up more.  More details are in the attached invitation, I hope the directions woul be helpful in navigating the way to the St. Thomas More parish.

With joy and peace to you,
Collin Vaughan

Attachment: #####vacation.html
(most typically, but can also be many other names, such as #####.xls.html, #####wachovia summons.html, #####randolph-revisedplans.html, and others)

The attachments are all the same and contain an encoded JavaScript, which redirects to a web page on the numerouno-india.com domain.

The destination page does a redirect (to a page on the scaner-g.cz.cc domain) and also contains an iframe (with a target of a page on the arestyute.com domain).

The redirect domain displays the standard fake anti-virus scanning animated image and subsequent prompt to download an executable.

(Screenshots: fake scanning image; download prompt; icon used by the executable.)

The iframe leads to a cocktail of exploits, including a Java Development Toolkit exploit (CVE-2010-0886), as well as exploits targeting Adobe Flash and PDF vulnerabilities, including CVE-2007-5659, CVE-2008-2992, CVE-2010-0188.

The payload of these exploits is a password-stealing Trojan, which copies itself using a randomly named folder and file in the %AppData% directory and creates a registry run key to load the file at start-up, for example:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “{608F1285-57B7-C631-DE51-8A99508CC7A9}” = “C:\Documents and Settings\Administrator\Application Data\Ezudi\oqek.exe”

This password stealer injects into the iexplorer.exe process and targets dozens of mainstream financial institutions.  It also contacts the domains ohmaebahsh.ru and eexiziedai.ru.
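An added host-side check, not code from the original post: the persistence described above has a recognizable shape (a GUID-style value name under the HKCU Run key whose data points at an executable under the user's Application Data directory). The Python below parses a .reg-style export and flags such entries. The export text is constructed; its first Run value is the one quoted in the post, the second is a constructed benign entry for contrast.

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Value names shaped like a GUID in braces, as in the entry quoted in the post.
GUID_NAME_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Data that lives under the user's roaming application data directory.
APPDATA_RE = re.compile(r"\\(?:Application Data|AppData\\Roaming)\\", re.I)
# ".exe" ending the path, whether the path is quoted, followed by arguments, or bare.
EXE_RE = re.compile(r'\.exe(?:"|\s|$)', re.I)


def parse_reg_values(reg_text):
    """Yield (key, name, data) for every "name"="data" line of a .reg-style export."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]*)"="(.*)"$', line)
        if key and m:
            # .reg exports double the backslashes inside string data; undo that.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def suspicious_run_entries(reg_text):
    """Return (name, data) for Run values matching this stealer's persistence
    pattern: GUID-style value name and an .exe under Application Data."""
    hits = []
    for key, name, data in parse_reg_values(reg_text):
        if key.lower() != RUN_KEY.lower():
            continue
        if GUID_NAME_RE.match(name) and APPDATA_RE.search(data) and EXE_RE.search(data):
            hits.append((name, data))
    return hits


# Constructed .reg-style export (the second value is a made-up benign entry).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{608F1285-57B7-C631-DE51-8A99508CC7A9}"="C:\\Documents and Settings\\Administrator\\Application Data\\Ezudi\\oqek.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /quiet"
"""

if __name__ == "__main__":
    for name, data in suspicious_run_entries(SAMPLE_REG):
        print(f"suspicious Run value {name} -> {data}")
```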

  • This fake AV executable was detected by Global Threat Intelligence File Reputation at the time of this blogging when running at Very Low sensitivity or higher.
  • The first-stage domain (numerouno-india.com) is rated RED by TrustedSource and SiteAdvisor.
  • The second-stage domains (arestyute.com and scaner-g.cz.cc) are rated RED by TrustedSource and SiteAdvisor.
  • The third-stage domains (ohmaebahsh.ru and eexiziedai.ru) have been rated RED by TrustedSource and SiteAdvisor for weeks.
  • DAT file coverage is being added under the following names:
    • PWS-Zbot
    • FakeAlert-PE
    • JS/Downloader.gen
    • JS/FakeAlert-AB.dldr

Customers may download updated signatures using the extra.dat request page: https://www.webimmune.net/extra/getextra.aspx. These are also available in the beta DATs.


Widespread Reporting of “Here you have” Virus (aka W32/VBMania@MM)

September 9, 2010

– Latest updates moved to the bottom  –
McAfee Labs is currently investigating a new threat commonly referred to as the “Here you have” virus due to the email subject line the worm uses during propagation.  It looks like multiple variants may be spreading and may take some time to work through them all to paint a clearer picture.  Here’s what we know thus far.

Infectious email messages may have the following properties:


Subject: Here you have or Just For you
Body:

Hello:

This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

or

Hello:

This is The Free Dowload Sex Movies,you can find it Here.
http://www.sharemovies.com/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,


The URL does not actually lead to a PDF document, but rather to an executable in disguise, such as PDF_Document21_025542010_pdf.scr, served from a different domain, such as members.multimania.co.uk. This URL is no longer active, and the email propagation vector is believed to be crippled at this time (though already infected hosts may continue to spread email messages).

Here is some additional information on the threat behavior:
Generic.dx!tsp!2BDE56D8FB2D – http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352
W32/VBMania@MM – http://vil.nai.com/vil/content/v_275435.htm

When a user chooses to manually follow the hyperlink, they are prompted to download or execute the virus. When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory). Once infected, the worm attempts to send the aforementioned message to email address book recipients. It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.

Accessible remote machines
The virus may be found at the following locations:

  • c:\N73.Image12.03.2009.JPG.scr
  • d:\N73.Image12.03.2009.JPG.scr
  • E:\N73.Image12.03.2009.JPG.scr
  • F:\N73.Image12.03.2009.JPG.scr
  • G:\N73.Image12.03.2009.JPG.scr
  • H:\N73.Image12.03.2009.JPG.scr
  • New Folder\N73.Image12.03.2009.JPG.scr
  • music\N73.Image12.03.2009.JPG.scr
  • print\N73.Image12.03.2009.JPG.scr

Mapped drives and removable media
Other drives may contain an Autorun.inf file pointing to the created open.exe copy of the worm.
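Two checks a responder could script from the behaviour described above, added here and not code from the original post: a path test that accepts only the legitimate CSRSS.EXE under the System directory (the worm's copy sits directly in the Windows directory), and a small Autorun.inf parser that reports what the file would launch and flags the open.exe copy or any .scr target. The Autorun.inf contents are constructed samples; the Windows directory is assumed to be C:\Windows.

```python
import ntpath


def csrss_path_is_legit(path, windir=r"C:\Windows"):
    """True only for the real CSRSS.EXE under the System directory. The worm's
    copy is written directly into the Windows directory, which this rejects."""
    expected = ntpath.join(windir, "System32", "csrss.exe")
    return ntpath.normcase(ntpath.normpath(path)) == ntpath.normcase(ntpath.normpath(expected))


def autorun_launch_targets(inf_text):
    r"""Collect what an Autorun.inf would run: the open=, shellexecute= and
    shell\<verb>\command= values of its [autorun] section."""
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append(value)
    return targets


def autorun_is_suspicious(inf_text):
    """Flag an Autorun.inf that launches open.exe (the copy this worm leaves on
    other drives) or any screensaver-disguised executable (.scr)."""
    for target in autorun_launch_targets(inf_text):
        image = ntpath.basename(target.split()[0].strip('"')).lower()
        if image == "open.exe" or image.endswith(".scr"):
            return True
    return False


# Constructed Autorun.inf contents (not taken from the original post).
WORM_AUTORUN = r"""[autorun]
open=open.exe
shell\open\command=open.exe
icon=open.exe,0
"""

BENIGN_AUTORUN = r"""[autorun]
open=setup.exe
icon=setup.ico
"""

if __name__ == "__main__":
    print("worm sample suspicious:", autorun_is_suspicious(WORM_AUTORUN))
    print("benign sample suspicious:", autorun_is_suspicious(BENIGN_AUTORUN))
    print("C:\\Windows\\csrss.exe legit:", csrss_path_is_legit(r"C:\Windows\csrss.exe"))
```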

The virus attempts to stop and delete security services

  • 0053591272669638mcinstcleanup
  • AntiVirFirewallService
  • AntiVirMailGuard
  • AntiVirSchedulerService
  • AntiVirService
  • Arrakis3
  • aswUpdSv
  • Avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • AVG Security Toolbar Service
  • avg9wd
  • Avgfws9
  • AVGIDSAgent
  • AVP
  • Gwmsrv
  • LIVESRV
  • Mc0DS
  • Mc0obeSv
  • McAfee SiteAdvisor Service
  • McMPFSvc
  • mcmscsvc
  • McNASvc
  • McProxy
  • McShield
  • mfefire
  • mfevtp
  • MSK80Service
  • NIS
  • Panda Software Controller
  • PAVFNSVR
  • PavPrSrv
  • PAVSRV
  • prlo
  • PSHost
  • PSIMSVC
  • PskSvcRetail
  • scan
  • sdAuxService
  • sdCoreService
  • SfCtlCom
  • TMBMServer
  • TmProxy
  • TPSrv
  • VSSERV

The virus attempts to download several files, such as:

  • ff.iq
  • gc.iq
  • ie.iq
  • im.iq
  • m.iq
  • op.iq
  • pspv.iq
  • rd.iq
  • w.iq
  • SendEmail.iq
  • hst.iq
  • tryme.iq

These files were not available at the time of this writing, but files with these names include UPX packed password recovery tools (ChromePass, OperaPassview) and a UPX packed Sysinternals tool (PSExec) and a malicious HOSTS file.

Additional information is provided in the VIL: W32/VBMania@MM – http://vil.nai.com/vil/content/v_275435.htm

(coverage information moved to the bullets at the bottom)

McAfee Global Threat Intelligence File Reputation (aka Artemis / Network Security Heuristic) has coverage for at least the main variant at the Very Low sensitivity level or higher.

Emergency McAfee DAT files (6101) have been released. An Extra.dat file is available for this threat and may be downloaded here: https://www.webimmune.net/extra/getextra.aspx

The McAfee Beta DAT files have been updated: http://vil.nai.com/vil/virus-4d.aspx

The McAfee Stinger stand-alone tool has been released for W32/VBMania@MM to detect and repair this threat: http://vil.nai.com/vil/vbm/stinger.exe

A related Corporate KnowledgeBase article has been written: How to block mass emails containing a link to a virus infected .SCR file

– Updated Sep 15  –
The aforementioned email propagation information was associated with one variant. Many truncated and corrupted instances of the virus that are associated with that variant were identified. Other variants that did not contain the same email propagation information have also been identified; reports of those variants are considerably fewer.

McAfee product coverage is as follows:

  • DAT FILES: Coverage is provided as “W32/VBMania@MM” in the 6101 DATs, released September 9. The McAfee Labs Stinger has also been updated to include coverage for this threat.
  • VULNERABILITY MANAGER: The MVM/FSL release of September 9 includes a check to assess if your systems show signs of infection.
  • WEB GATEWAY: Coverage will be provided in the current Gateway Anti-Malware Database Update.
  • REMEDIATION MANAGER: Remediation Manager will run the McAfee Labs Stinger tool to scan hosts for possible infections.
  • FIREWALL ENTERPRISE: McAfee’s Global Threat Intelligence blocks this attack across multiple threat vectors using TrustedSource reputation, including the email message that delivers the link, the URLs associated with the malware, and the reputation of the malware file itself. This coverage extends to McAfee Email Gateway, Email and Web Security appliance, SaaS Email and Web Security Email Protection Service, McAfee Web Gateway, McAfee Firewall Enterprise, and a variety of other TrustedSource-enabled products.
  • MCAFEE NETWORK SECURITY PLATFORM: Versions with Artemis enabled will detect/block malware file transfers when downloaded over HTTP, without the need of signature updates. The UDS release of September 11 contains the signature “UDS-WORM: W32 VBMania@MM,” which provides additional coverage on the email messages containing malicious links.



McAfee Quarterly Threats Report Released

August 10, 2010

Malware has reached its highest levels, making the first six months of 2010 the most active half-year ever for total malware production. At the same time, spam leveled out, with only 2.5 percent growth from last quarter.

Malware continued to soar in the second quarter, with 10 million new pieces cataloged in the first half of this year. Consistent with last quarter, threats on portable storage devices took the lead as the most popular malware, followed by fake anti-virus software and social media malware. With approximately 55,000 new pieces of malware appearing every day globally, AutoRun malware and password-stealing Trojans round out the top two malware threats.

“Our latest threat report depicts that malware has been on a steady incline in the first half of 2010,” said Mike Gallagher, senior vice president and chief technology officer of Global Threat Intelligence for McAfee. “It’s also obvious that cybercriminals are becoming more in tune with what the general public is passionate about from a technology perspective and using it to lure unsuspecting victims. These findings indicate that not only should cybercrime education be more widespread, but that security organizations should move from a reactive to a predictive security strategy.”

After reaching its highest point in the third quarter last year, with nearly 175 billion messages per day, spam rates have hit a plateau. Cybercriminals took advantage of the hype surrounding the FIFA World Cup in South Africa and used various methods to promote scams and search-engine “poisoning.” Globally, the most popular types of spam varied from country to country, with some interesting findings. For instance, delivery status notifications, or nondelivery-receipt spam, were the most popular in the United States, Italy, Spain, China, Great Britain, Brazil, Germany, and Australia. Malware spam, or anything that comes with a virus or Trojan attachment urging you to visit an infected website, was the most popular in Colombia, India, South Korea, Russia, and Vietnam. Argentina had the most variety in spam, with 16 topic areas, ranging from drugs to “lonely women” to diplomas. Italy came in with the least variety, with just six types of widely popular spam.

Attackers leveraged major events such as the World Cup and Middle East conflicts to poison Internet searches, although the BP oil spill in the Gulf of Mexico was surprisingly absent from the Top 20 toxic search terms. McAfee Labs also saw a resurrection of two “dead” botnets: Storm Worm and Kraken, once considered to be among the biggest botnets on the planet, are again on the rise.

For a full copy of the McAfee Threats Report, Second Quarter in nine languages, please visit: http://www.mcafee.com/us/threat_center/white_paper.html


Testing and Accountability

July 7, 2010

The Anti-Malware Testing Standards Organization (AMTSO) is a coalition of security professionals, including many anti-malware product vendors, product testing organizations and publishers, and some interested individuals. Given the highly technical nature of its activities, it is inevitable that the organization owes some of its authority to the expertise of the security specialists within its ranks, but that doesn’t make it a vendor lobby group. As Kurt Wismer (not himself a member) points out here (http://anti-virus-rants.blogspot.com/2010/06/nss-labs-vs-amtso.html), “many of them are employed by vendors precisely because that’s one of the primary places where one with expertise in this field would find employment.” Given some recent negative publicity aimed at AMTSO (example: http://kevtownsend.wordpress.com/2010/06/27/anti-malware-testing-standards-organization-a-dissenting-view/), we want to collectively clarify the following points on behalf of the anti-malware industry, where we come from, and indirectly on behalf of AMTSO. We find it strange that expertise in the testing field is somehow seen as a disqualification, given the specialist expertise that characterizes the group.

Although some distrust anything a vendor says and accept uncritically anything a tester says, others are puzzled that different tests can vary so dramatically in their evaluation of the same product. Though this may sometimes be simply due to poor testing practices, there are other, deep-seated reasons, one being the high volume of malware and new attacks seen every day. Vendors work hard to close the gap between the ideal of 100 percent detection and what is actually achievable–by developing a range of technologies, both proactive and reactive. The capabilities of products can change, while tests using broadly similar methodology can generate dramatically “conflicting” results due to different approaches to the selection, classification, and validation of samples and URLs, among other factors.

AMTSO aims to promote precisely the kinds of tests that clearly demonstrate these variations, and its members were flying the flag for real-world testing before AMTSO ever formally existed, believing that sound testing benefits vendors and customers as well as testers. As an industry, we are all too aware that we cannot currently offer detection of all known and unknown malware. The relatively high scores achieved in established tests by major vendors do not necessarily reflect real-world performance, but real-world detection cannot be measured in product comparisons with no checks on selection, classification, and validation of malicious samples and URLs.

Another misconception is that AMTSO members simply don’t like tests done by non-AMTSO members. This is not the case: None of the undersigned have a problem with labs that intend to provide objective, real-world testing. (However, other testers are entitled to object vehemently when one company claims to be the only one doing live, Internet-connected testing, and that all other testers are doing static testing based on the WildList.)

However, charging consultancy fees for the release of any information relating to a test (even to participants) is very different from the transparency that AMTSO advocates, although we recognize that full-time testers must generate revenue like any other business. When a tester claims to have shared information about methodology in advance and subsequently fails to provide methodological and sample data, even to vendors prepared to pay the escalating consultancy fees required for such information, this suggests that the tester is not prepared to expose its methodology to informed scrutiny and validation. This stance compromises the tester’s aspirations to be taken seriously as a testing organization in the same league as the mainstream testing organizations committed to working with AMTSO.

No one believes that AMTSO has all the answers and can “fix” testing all by itself, but the organization has compiled and generated resources that have made good testing practices far more practicable and understandable. The way for testers (and others) to improve those resources is by talking to and working with AMTSO in a spirit of cooperation: The need for transparency is not going to go away.

Roel Schouwenberg, Kaspersky Lab
Luis Corrons, Panda Security
David Harley, ESET
Mark Kennedy, Symantec
Igor Muttik, McAfee


McAfee Survey: Secret Life of Teens

June 22, 2010

Today McAfee released the results from our survey “Secret Life of Teens,” which provides a detailed snapshot of online teen behavior. It reveals that 85 percent of teens go online somewhere other than at home and under the supervision of their parents, nearly a third (32 percent) of teens say they don’t tell their parents what they do while they are online, and 28 percent engage with strangers online. The survey results should serve as a wake-up call for many parents.

Kids today are using mobile devices more than ever to get connected, which means increased opportunities for unsupervised usage. Is this a bad thing? Not necessarily, but it can become one easily. I truly believe it comes down to values. It is not that young people today do not value privacy or security but rather that they value openness much more. To protect young people, we need education and technology, both of which are firmly in the hands of us parents. Kids cannot teach themselves to be safe online.

We commissioned Harris Interactive to conduct the survey and in it we detail some pretty startling facts:

69 percent of teens divulged their physical location
28 percent chatted with strangers

Of those teens who chatted with strangers, defined as people whom they did not know in the offline world:

43 percent shared their first name
24 percent shared their email address
18 percent posted photos of themselves
12 percent posted their cell phone number

As the parent of a teenage girl, I found it eye-opening that girls make themselves targets more often than boys: 32% of the girl respondents indicated they chat with strangers online vs. 24% of boy respondents. Byron Acohido of The Last Watchdog has a great write-up of the report as well.

Times and technology have changed. It is very easy to be a cybercriminal and predator. Download and read this survey (I linked the copy on The Last Watchdog website). Share it with everyone you know who has children. Read it with your own children. Teachable moments are a great thing. This is a teachable moment.

Take back the Internet.


Message to Google: Aurora NOT a Technology or OS Issue

June 1, 2010

The news that Google is supposedly dropping Microsoft Windows is spreading like wildfire all over the Internet today. Without getting into any “which OS is better or more secure” holy war, let’s review some facts to see if this “decision” has any basis in reality. (I caution readers to remember this is not confirmed, even if it is true.)

The supposed cause of this change is Operation Aurora, the attack that affected Google and many other companies. From the McAfee Labs Threat Center:

“Operation Aurora was a coordinated attack which included a piece of computer code that exploits the Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.”

What many people fail to realize is that Operation Aurora was not really about any technical issues.

But you may ask “Marcus, how can you possibly say that? Have you gone mad? Aurora 0wned multiple computers on multiple networks! They were all running that evil Microsoft Windows. Surely removing Windows will solve all the problems!”

These objections are not even close to the real issue. Sure, the attackers used a very effective zero-day vulnerability. And, certainly, they used lots of evasion techniques in delivering the payload. But the real vulnerability has not been discussed.

People were the weak link.

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.

Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.

When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system.

If determined attackers and gatherers of intelligence invest the time to get to know their targets–their behaviors, likes, dislikes, technical backgrounds, job roles, etc.–the actual exploit is trivial. All they have to do is get their victims to click a link. The more they know about their targets, the more likely users will click it.

Social engineering and intelligence gathering trumps technology every time. It always has and always will.


Security Concerns Less Considered

May 27, 2010

Concern about security threats such as malware and data loss is common and certainly warranted. But understanding of where threats come from varies. Most know that phishing, spam, adware, and PUPs are likely culprits and understand that any given site may become infected. But many don’t realize that some content types, even those welcomed into and used within business networks, present specific risks.

Many of the risks I’m referring to are understood, but do we consider the scope of risk over a long period of time? One example is toolbars. It seems everyone has a toolbar, and we have to choose which are most relevant to our needs or we’d have a hundred installed and compromise overall speed and performance. We know many toolbars really cross the line into spyware, function as adware, or come bundled with PUPs (Potentially Unwanted Programs). This should be a prime consideration in our toolbar selection process. Many toolbars from legitimate companies are certainly helpful, but also consider their primary use within a network. What will your use, or overall employee usage, of a toolbar reveal about your network, your habits, or your intellectual property?

Online translators should be another consideration. Some translate whole web pages, usually by embedding the destination URL in the translator’s own URL, which can circumvent URL filtering. This can expose a user or a company to any type of risk, whether it be liability, lost employee productivity, bandwidth hogs, or security threats. Then there are those that translate blocks of text. We assume companies that provide such a service will provide a safe, legitimate service or they won’t stay in business long, but still, what are we revealing when we paste blocks of text into a translator and hit send? I know I’ve personally opted to use unverified text translation when the more well-known and trusted ones didn’t cover the language I needed.

Webpage translation, as mentioned, brings us to anonymizers. There are many types, and several of them route traffic to unverified places. Consider who may be part of a TOR network or who may have created that free proxy site. What are their motives? What data are they collecting? Then of course there is the most obvious risk: circumventing network policy through an anonymizer, which again exposes a network to any degree of risk and also bypasses safeguards that might have warned a user about a security threat had the destination not been obscured.
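The filtering bypass described in the translator and anonymizer paragraphs above works because the real destination travels inside a query parameter of an allowed site. The following added example (not part of this post, and not McAfee code) shows how a URL filter can unwrap such nested destinations, one level per wrapper, and apply policy to the innermost host; all hostnames and the blocklist are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed policy for the example (hypothetical hosts, not real services):
# destinations the organisation blocks outright, and wrapper services
# (translators, free proxies) that must not be used to reach other sites.
BLOCKED_HOSTS = {"malware.example", "casino.example"}
WRAPPER_HOSTS = {"translate.example", "freeproxy.example"}


def _nested_urls(url):
    """Yield absolute http(s) URLs carried in the query parameters of url.

    parse_qsl percent-decodes once per nesting level, so a proxy URL
    wrapped inside a translator URL is decoded step by step; the
    recursion unwraps each level until no embedded URL remains.
    """
    query = urlsplit(url).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        candidate = value.strip()
        if candidate.lower().startswith(("http://", "https://")):
            yield candidate
            yield from _nested_urls(candidate)


def destination_chain(url):
    """Return the hosts visited from the outer URL down to the innermost one."""
    hosts = [url] + list(_nested_urls(url))
    return [(urlsplit(u).hostname or "").lower() for u in hosts]


def classify(url):
    """Return (verdict, reason); verdicts are 'block', 'review' or 'allow'."""
    chain = destination_chain(url)
    outer_host = chain[0]
    blocked = [h for h in chain if h in BLOCKED_HOSTS]
    if blocked:
        # A blocked host anywhere in the chain is a policy hit, even when the
        # outer site (the translator or proxy) is itself allowed.
        return "block", "blocked host %s reached via %s" % (blocked[0], " -> ".join(chain))
    if outer_host in WRAPPER_HOSTS and len(chain) > 1:
        # Known wrapper carrying some other destination: flag it so the
        # proxy policy can decide, rather than letting it pass unseen.
        return "review", "wrapper %s used to reach %s" % (outer_host, chain[-1])
    return "allow", "no wrapped or blocked destination"
```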

How about Interactive Web Applications? This includes a very broad range of sites, features, and risks, and seems to be exacerbated as they move to cloud computing. The potential for data loss can be significant, whether it be a buggy application, a crashing browser, or an accidental backdoor. I have a very popular web application in mind provided by a high profile trusted company. I won’t give names, but as I searched for usage help tips, I found that some users had experienced unauthorized parties being able to see and access their data. This pertained to images and videos. Hopefully this company has fixed this, but this illustrates the potential risk.

How about some business related content such as Remote Access? That’s legitimate, right? Well, you may be surprised. If anyone can sign up for an account, what are your employees accessing from within your network? Is proprietary information being stored outside the network, or what is being brought into your network? This brings to mind Personal Network Storage. Sure, it’s geared for businesses, but anyone can sign up. What is exiting and entering your network?

Oh, you have a GUI for your employees to input data? Hm… how about that toolbar or HTTP debugging application also running? Are your proprietary servers being revealed? What hits are being counted from your network IPs? There are many considerations. Of course we can’t seal off all incoming and outbound traffic for safety. Some things have to be left to trust in an employer/employee relationship. But as we go about protecting our networks and personal information, understanding some of these risks can help us choose effective access policies, even if that means implementing policies that allow more specific exceptions, to at least limit risk. It can also mean purchasing a legitimate service instead of allowing employees to find their own through free versions that may come bundled with risks. It can also be worthwhile contacting service vendors to explain concerns. Many are willing to work with you. Perhaps your traffic can be routed through a company-specific domain that is allowed within your network, while other independent usage of the service is restricted.

