Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway

August 31, 2010

The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and values, covering both endpoint and gateway uses. Beyond introductions to malware detection methodologies (ranging from exact detection to heuristics) and technologies (from exploit detection to cloud-based detection), the new paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!


Ending XP Service Pack 2 and Windows 2000 security support and its implications

May 13, 2010

I was just reading Byron Acohido’s writeup on Microsoft ending security support for patches for Windows XP Service Pack 2 and Windows 2000. Now, as I work for a vendor myself, I completely understand why Microsoft is going EOL (or is it EOS for end-of-support?? I forget…) for these operating systems – better, more robust OS choices exist, and no company has unlimited resources to support applications and technologies that have seen better days.

I get that, I really do. I do, however, think some larger issues certainly loom:

1. Legacy applications that will not run on higher patch builds
2. Point-of-Sale and embedded devices (think ATMs and such…), ESPECIALLY if you have a global deployment
3. Patching and upgrading is never easy anyway
4. The agility of cybercriminals

Now I will also concede that it’s relatively straightforward to compromise a fully patched system. The tools and techniques are readily and easily available if you have a browser and even limited Google search skills – but let’s also be honest: it’s WAY easier to own an older unpatched build, especially when all the vulnerabilities that XP Service Pack 2 and Windows 2000 have are so well documented and available. Malware also tends to be fairly backwards compatible in many cases.

I am not so certain this will cause a great shift in the toolkits or focus of your average malware writer or cybercriminal. I DO think it is an excellent opportunity for scammers, though. Just think of the spam campaigns or link spam possibilities – it’s a great lure.

“MS has stopped support for XP Service Pack 2 click here for low cost upgrades!!!”
“Your machine seems to be running Windows 2000. Click here to upgrade to Windows 7 for a low price.!”

I can see the spam runs, phishing sites and associated fake-av installs now… Be forewarned my friends. And is it just me or is whitelisting and application control looking better and better??


Cooperation Grows in Fight Against Cybercrime

March 29, 2010

Last week in Strasbourg, France, the Council of Europe organized the Octopus Interface Conference 2010. More than 300 experts from all over the world, representing governments, law enforcement authorities, international organizations, and the Internet industry gathered to discuss the “Cooperation Against Cybercrime.”

On Tuesday, in the opening session, Maud de Boer Buquicchio, Deputy Secretary General of the Council, reminded the attendees that the international principles of human rights and the rule of law must apply online as well as offline. In this way, the Internet itself is now increasingly considered as a basic right. But in this new environment cybercrime is a greater concern than ever; it threatens those rights. Security and the protection of rights is the responsibility of both public authorities and private sector organizations. After a panel discussion run by countries engaged in the fight against cybercrime, Alexander Seger discussed the Budapest Convention on Cybercrime. Currently used by more than 100 countries around the world, it is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security.

Seger recommended the implementation of the convention worldwide to boost legislative reforms already underway in a large number of countries. Nations should consider adopting the policies to make use of the international cooperation provisions of this treaty. Increasing consensus on this treaty as a common framework of reference helps mobilize resources and create partnerships among public- and private-sector organizations. As a result, the ratification of the Budapest Convention by Azerbaijan, Montenegro, and Portugal prior and during the conference, and the expressions of interest from Argentina and other countries serve as examples to other countries.

In the afternoon, I joined a workshop on law enforcement responsibilities. Here, police units from various countries presented their services and discussed their local laws against cybercrime. I was particularly interested, as many of them discussed trends on this matter. In 2009, the Romanian National Police indexed 102 cases (indictments) with 766 offenses, 482 people charged, and 289 people arrested. In that country, 80 percent of IT fraud and phishing attacks are aimed at United States citizens, whereas 80 percent of credit card fraud (skimming) targets West European citizens. In Turkey, the Organized Crime Department (KOM) made 2,871 arrests in 2009.

However, these figures represent only a small part of the fraud that is committed. In many cases, nobody files a complaint. After fraud is committed and reported, the bank refunds its conned client via their insurance company. The bank is well insured and the victim is compensated. As for the insurance company, its profit is barely affected. There is no need to alert the authorities.

In the second part of this workshop, people from the FBI and SOCA presented three objectives for law enforcement as well as recommendations for ICANN:

  1. Due Diligence: ICANN needs to vet potential registrars and registries, through checks of international databases to ascertain an organization’s good standing. Registrars need to validate data received at the time of domain name registration and periodically thereafter.
  2. WHOIS: Accurate and public WHOIS is essential. The proxy/privacy registrations have to be limited for private individuals for noncommercial purposes. Companies providing services should be accredited by ICANN.
  3. Transparency and accountability: Domain name resellers and all third-party beneficiaries must be held to the same terms and conditions as registrars. ICANN should require all registrars, registries, proxy services, resellers, and all third-party beneficiaries of any contracts or policies of ICANN to publicly display ownership, parent companies, subsidiaries, and business associations.

On Wednesday, I participated in the mapping networks and initiatives workshop. Here, various organizations dealing with cybercrime presented their objectives and initiatives. Among them, the Inhope fight against illegal content (child sexual abuse images, extreme violence, racism and xenophobia, bestiality, online hate and xenophobia websites, adult pornography). Looking at their map representing countries saying “no” to illegal content, the audience realized that there is a long way to go:

In the next workshop, dedicated to technical assistance against cybercrime, two talks grabbed my attention. The first one exposed the situation in India. In this country, only about 10 percent of all cybercrimes committed are actually reported, and fewer than 2 percent result in a conviction. Nevertheless, 30 million judicial actions are pending. The Indian people purchase seven million mobile phones monthly. A large number do not have any traceability mechanism. This is a golden opportunity for terrorists who can use these phones without fear.

The second talk was given by my colleague Greg Day, Director of Security Strategy for Europe, the Middle East, and Africa at McAfee. He presented various initiatives that industry can use to share intelligence and drive knowledge transfer. Besides training sessions and the direct line to McAfee Labs offered to various police crime units around the world, Day focused on the Industry Connections Security Group. This outfit gathers computer security entities to work on common goals and industry issues. Day sees that cybercriminals have leveraged the underground economy to gain economies of scale and access to specialist tools and services, whereas the security industry has generally responded to threats as individual entities. To tackle this problem, security professionals established the ICSG, under the umbrella of the IEEE Standards Association, to pool their experiences and resources in response to the systematic and rapid rise in new malware being introduced to the market.

The last workshop I attended was on Thursday morning. We discussed cloud computing and the law enforcement challenges introduced by this new environment. Christian Aghroum, chief of the French National Unit for Countering Cybercrime, explained the threats facing data and services that are stored somewhere in the “Internet cloud.” His talk was a fitting conclusion for these three days in Strasbourg. Although there are no borders on the Net, the concept of national sovereignty keeps on confronting us. Human rights are acknowledged around the world, and international maritime or air rights are usually respected, yet there is no universal right for the extra dimension that is the Internet. Unfortunately, the Budapest Convention is far from accepted by all countries worldwide. In everyday police work, this produces a huge gap that greatly favors criminals. If a French neo-Nazi website is hosted in the United States, France really has little possibility of shutting it down. If a company leaves a foreign country after some diplomatic issues, there is no guarantee to ensure the security of its data stored in the cloud. Today, in some cases, we cannot maintain security in our country because of the start of cloud-based services. In one or two years, this will be worse in the “absolute cloud,” which will have no borders. If international laws are not rapidly created, based on the Budapest Convention, the problems will certainly become worse.

Before ending this post, I have to mention the Nigerian delegation, which offered us a song made by famous Nigerian singers. “Maga No Need Pay!” denounces fraud. (Maga is the Nigerian word for victims of fraud.) To the Nigerian people, the song explains that fraud is not the right way toward a better life. To the rest of the world, it explains that Nigeria is a great country that should not be considered solely corrupt.

Cybercrime must be fought with laws and technology, but it can be also fought with music.

The clip is viewable here.


Cybercrime and Hacktivism in the Headlines

March 29, 2010

All over the world, individuals and many organized crime and mafia groups have found that the Internet can help them make a lot of money. Others are motivated by ideology: Manipulated by or acting in accordance with an ethos, they conduct illegal activities against institutions or individuals they consider the “enemy.” Far removed from the isolated individuals acting simply irresponsibly or for amusement, these two groups constitute the double threat we know today as cybercrime and hacktivism.

Last week we published a new report that looks, in great depth, at this phenomenon. The main goal is to explain how these organized groups have become established and what the extent of their activities is. In the first part of this report, after offering some definitions, we present some of the major participants who simply cannot be ignored. The second part deals with various topics including cybercrime and hacktivism, economics, politics, culture, and others. Each topic is illustrated with examples found in the news. Through other examples, the third part of the document deals with prices and the return on investment criminals can expect.

Chinese, Japanese, and Brazilian Portuguese versions are also available from the McAfee Labs Technical White Papers web page.
