WebProWorld
Internet Security Discussion Forum
  #1 (permalink)  
Old 12-30-2008, 12:20 PM
Moderator
WebProWorld Moderator

Join Date: Jun 2006
Location: United States
Posts: 2,648
wige RepRank 9
Internet Security 2008

2008 was an interesting year in Internet Security, as new threats and new types of threats became prominent. Malware was put to new uses, and new means of infection became prominent. Some highlights:
  • New goals – Traditionally, malware had any of several goals. Hackers may try to commit identity theft, or to use a compromised computer as part of a botnet to send spam, or to steal usernames and passwords to online bank accounts. In 2008, however, it is estimated that between 50 and 75 percent of attacks were aimed at stealing online gaming accounts, mostly for World of Warcraft. Blizzard Entertainment (maker of WoW) has responded with numerous security advisories and enhancements, including the release of a hardware authenticator that can be used to lock down accounts. Blizzard has reported that 2008 saw the highest subscription rate as World of Warcraft became one of the most played games in history, and 2008 also saw the highest rate of account compromise.
  • New types of malware – In addition to the more familiar malware, such as adware, spyware, keyloggers and Trojans, two new classes of threats became common during 2008: extortionware and scareware. Extortionware is a class of virus that encrypts all files of a specific type on the infected system with a high level of encryption, and then gives the victim instructions where to pay to get the decryption key. Scareware infects the system with a fake antivirus system that warns the user of multiple infections, in an effort to coerce the user into purchasing the antivirus product, which is a fake application that installs keyloggers and other malware.
  • New methods of infection – Missing in 2008 were stories about widespread, net traversing e-mail viruses. Instead, most of the infections in 2008 resulted from hacked web sites. Even as search engines tried to combat the problem by warning users of potentially malicious links in their own results, the search engines themselves were used as a tool to spread infections, as forwarders on well known and trusted sites were abused to put malicious links at the top of the search engine results.
  • New ways to hide hacks – Hackers that attacked web sites employed new methods in 2008 to hide their attacks from site owners, abusing .htaccess rules on attacked sites to cause attack code to only be displayed to users following links from the major search engines. This method leaves the attack code virtually invisible to the search engine spiders that attempt to warn users about malware, and to the owners of the web site, who would rarely use a search engine to visit their own site, and would thus never be exposed to the attack code.
As the threats have intensified, new defensive measures began to gain popularity to combat the wide range of emerging threats.
  • Hardware authentication – To combat the high rate of account compromise, Blizzard became the first company to implement on a large scale a hardware authentication mechanism. Although similar technology has been proposed on smaller scales by banks for their customers, or implemented on a small scale by companies to secure internal information, 2008 saw the first major push by a large corporation to introduce and implement this technology.
  • Web site prescreening – Many of the larger anti-virus providers began incorporating technology to scan web pages before they were loaded by the visitor. For some systems, this meant that the antivirus company would check the page before it was requested by the user. For others, it means that the page would be loaded into a “secure” area of the computer’s memory to be scanned before being rendered by the browser. This helped alleviate some of the threat of hacked web sites. However, the technology still has not become prevalent.
As the threats have intensified, a robust, multi-tiered approach to security remains essential. Anti-virus software is no longer enough to protect a network. Numerous components working together are required to ensure the security of any system or network.
  • An external hardware firewall or router – The external firewall/router is the first line of defense for any network, hiding the network from drive-by attacks by blocking unsolicited incoming network traffic.
  • Internal software firewalls – All systems on the network should be protected by robust software firewalls that can monitor traffic between connected systems looking for suspicious traffic. Free software firewalls include Zone Alarm and Comodo Pro. The firewall included with Windows is not sufficient for this.
  • Strong Anti-virus – A strong antivirus application is required on every computer on the network. This software must be kept up to date, checking for updates at least once a day. One of the top rated Anti-virus applications currently is Kaspersky. There are some highly rated free AV applications such as Avast!; however, these applications generally do not have all the features of a commercial product.
  • Anti-Spyware – A commercial or freeware anti-spyware application should be run regularly to look for malware that might have been missed by the antivirus software. This can happen with new viruses, as malware may take days or weeks to be identified and added to the scan lists of different antivirus products.
  • Regular updates – As patches are released for security software, browsers, operating systems, and software, it is essential that they be applied immediately. Almost any vulnerable application can be used to attack your system, so patches must be applied as soon as they become available.
It is no longer enough to simply rely on your wits, avoiding potentially dangerous places on the web to stay safe. Any trusted web site can be compromised and become a threat to the safety of your computer and network. Only by keeping up to date with your patches and employing proper security measures can you protect yourself.

It's not paranoia. They are out to get you.

So, what issues and threats have you seen this year? What new defenses have you seen/heard about/tried?
__________________
The best way to learn anything, is to question everything.

Last edited by wige; 01-02-2009 at 10:58 AM.
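
Added example, not part of wige's post: a small Python check for the .htaccess abuse described above. It flags RewriteRule lines that send visitors arriving from search-engine referrers to a host outside the site. The sample file, the host names and the search-engine list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: substrings that identify major search engines in a referrer pattern.
SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "aol", "altavista")

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def find_referrer_cloaking(htaccess_text, own_hosts):
    """Flag RewriteRules that redirect search-engine referrals to another host.

    own_hosts: host names that legitimately belong to the site being checked.
    Returns a list of dicts, one per suspicious rule.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # RewriteCond lines apply to the next RewriteRule only
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            pending.append((lineno, cond.group(1), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        conds, pending = pending, []
        target = rule.group(2)
        host = urlparse(target).hostname if "://" in target else None
        if host is None or host.lower() in own:
            continue  # internal rewrite, or a redirect that stays on the site
        engines = sorted({name
                          for _, var, pattern in conds
                          if "HTTP_REFERER" in var.upper()
                          for name in SEARCH_ENGINES
                          if name in pattern.lower()})
        if engines:
            findings.append({
                "rule_line": lineno,
                "cond_lines": [n for n, var, _ in conds
                               if "HTTP_REFERER" in var.upper()],
                "target_host": host.lower(),
                "engines": engines,
            })
    return findings


# Constructed sample: one benign canonical-host rule, one cloaked redirect.
SAMPLE_HTACCESS = r"""RewriteEngine On
# send bare domain to www (benign)
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
# block of the kind described in the post (constructed)
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.* [NC]
RewriteRule ^(.*)$ http://landing.example.invalid/in.php [R=302,L]
"""

if __name__ == "__main__":
    site_hosts = {"example.org", "www.example.org"}
    for finding in find_referrer_cloaking(SAMPLE_HTACCESS, site_hosts):
        print(finding)
```

Run it over every .htaccess file under the web root, not only the top-level one, since a rule in any directory applies to the requests below it.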
#2 (permalink)
Old 12-31-2008, 05:40 PM
WebProWorld Veteran

Join Date: Jan 2005
Location: Austin, Texas
Posts: 637
SnerdeyWebs RepRank 3
Re: Internet Security 2008

Wow... that is one heck of a post!

I believe that we as host providers and web designers are in for an increase and new threats of all kinds above and beyond the ones you mentioned. There are so many attempts to client email accounts and most just do not read the emails and click away their user / pass to many of these fake requests. The younger generation is going to provide new and creative ways of taking down any server they can get into. It's not enough to just lock the doors; you almost have to throw away the key!!

We've seen an increase of denial of service attacks and one practically melted the data center. I don't know why they would spend so much time taking down sites when they can make a MINT with their skills using them for legit projects.

Good luck in 2009 my friends.

Happy New Year!
Snerdey

Last edited by SnerdeyWebs; 12-31-2008 at 05:41 PM. Reason: typo
#3 (permalink)
Old 01-01-2009, 12:24 AM
WebProWorld Veteran

Join Date: Aug 2005
Location: Karachi - Pakistan
Posts: 584
khurramali RepRank 1
Re: Internet Security 2008

Some of my clients' systems were infected with fake antivirus and scareware.

The only solution was at that time to format the systems.
#4 (permalink)
Old 01-01-2009, 02:06 AM
WebProWorld Member

Join Date: May 2006
Posts: 64
langsor RepRank 1
Re: Internet Security 2008

So who can tell me of an actual incident of a website compromising my system through a web browser (say Firefox)?

I might not be looking for such threats, but I have not actually heard of any either.

Is it just when you download a file from a site, or save it and load it through an email -- like in the 'good 'ol days'?

Sorry for my ignorance but I would love an actual case example of one of these threats.

Cheers
#5 (permalink)
Old 01-01-2009, 01:49 PM
WebProWorld Member

Join Date: Jun 2004
Posts: 53
Grinler RepRank 0
Re: Internet Security 2008

I am heavily involved in malware removal and Internet security and I can definitely say 2008 was the worst year yet.

Infections are no longer easy to remove and most of the aggressive ones heavily utilize rootkits and other tricky infestation tactics that make it very hard, if not impossible, for most people to remove. An example of this infection is the TDDS adware. This infection is so aggressive and deep-rooting that most users, and antivirus software for that matter, have no way of removing it. Instead we have to use manual removal techniques to remove it.

We have also seen an increase in rogue security programs. These are programs that pretend to be legitimate programs, but instead display fake results in order to scare you into thinking you have a security problem. You are then required to purchase the software in order to remove these "supposed" infections. They are also typically bundled with Trojans that display fake alerts, that look like Windows Security Center alerts, stating you have a security problem and advising you purchase the particular rogue installed. These installations are big big big money makers for the crime syndicates and it is becoming and will be a bigger problem for 2009 as well.

Quote:
Is it just when you download a file from a site, or save it and load it through an email -- like in the 'good 'ol days'?
Nope... installation vectors have changed greatly from the good 'ol days. Now, true drive-by downloads occur. These are typically caused by certain program versions that have security exploits running on your computer such as Shockwave, Flash, Java, or even IE7. For example, Vundo is known to install through the use of old versions of Sun Java that have security exploits in them. This malware is an epidemic with millions of people infected. A recent IE 7 exploit has also been used on websites that are hacked, or just set up for these exploits, that automatically install password and information stealing Trojans on your computer. If you update Windows regularly, this vulnerability should be patched on your computer at this point.

Last, but not least, web site hacks are a huge installation vector these days. With a web site being so accessible to people of all computer experience levels, that also means people do not really know how to keep their sites secure. This causes people to continue using outdated blogging programs, CMS, and custom programs that have known security risks that can be exploited. The experienced hackers are not changing the sites at all, so most owners do not even know they are hacked. All they are doing is inserting a bit of JavaScript or iframes to have them launch exploits that infect the site's visitors.

So overall, 2008 has been a tough year for computer security. Unfortunately, next year is promising to be worse.
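
Added example, not part of Grinler's post: a Python scan a site owner can run over their own pages to spot the kind of quiet insertion described above, listing script and iframe tags whose src points at a host outside an allow-list and marking iframes that are sized or styled to be invisible. The page and host names are constructed; legitimate third-party hosts (analytics, CDNs) belong in the allow-list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_SIZE = re.compile(r"^\s*[01]\s*(px)?\s*$", re.I)  # width/height of 0 or 1


class InjectedTagScanner(HTMLParser):
    """Collect <script> and <iframe> tags whose src points off the site."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line, kind, host)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attr = {name: (value or "") for name, value in attrs}
        # urlparse also extracts the host from protocol-relative //host/path URLs
        host = urlparse(attr.get("src", "")).hostname
        if not host or host.lower() in self.allowed:
            return  # inline, relative, or on an approved host
        line = self.getpos()[0]
        if tag == "script":
            kind = "offsite-script"
        else:
            tiny = any(TINY_SIZE.match(attr.get(d, "")) for d in ("width", "height"))
            hidden = bool(HIDDEN_STYLE.search(attr.get("style", "")))
            kind = "hidden-offsite-iframe" if tiny or hidden else "offsite-iframe"
        self.findings.append((line, kind, host.lower()))


def scan_page(html_text, allowed_hosts):
    """Return (line, kind, host) tuples for off-site script/iframe sources."""
    scanner = InjectedTagScanner(allowed_hosts)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed page: one local script, one off-site script, one hidden off-site
# iframe, and one ordinary iframe served from the site itself.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://stats.example.invalid/c.js"></script>
</head><body>
<p>Welcome to the guide.</p>
<iframe src="http://landing.example.invalid/x" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://www.example.org/map.html" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, kind, host in scan_page(SAMPLE_PAGE, {"www.example.org"}):
        print(f"line {line}: {kind} -> {host}")
```

Scanning the files on disk only covers static insertions; comparing against the pages as served also covers code added by a modified template or database record.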
#6 (permalink)
Old 01-02-2009, 11:17 AM
Moderator
WebProWorld Moderator

Join Date: Jun 2006
Location: United States
Posts: 2,648
wige RepRank 9
Re: Internet Security 2008

Quote:
Originally Posted by langsor View Post
So who can tell me of an actual incident of a website compromising my system through a web browser (say Firefox)?
I can give you a few examples that I have personally witnessed. Between trolling gaming forums (as games have become a major target lately) and assisting web masters and web hosts, I have been able to see quite a few attacks over the past several years. The following examples are from the past year only.

The first is an attack aimed at World of Warcraft players. In this case, hackers attacked the ad server for one of the more popular World of Warcraft guide sites, adding a flash-based ad that would download and install a keylogger. This keylogger would bind itself to the WoW executable, and report back to the attackers the login credentials of the users. Since this targeted a Flash vulnerability, and was delivered through the ad server, it was difficult for the web developers to find since it was not in the code of any of their pages; anti-virus and firewall systems considered the Flash traffic normal, so they allowed the keylogger to install; and, as a zero-day exploit, it took a few weeks for Adobe to patch the Flash players to eliminate the vulnerability. Several thousand accounts were compromised as a result.

Another example is one that a relative of mine encountered. The virus is commonly referred to simply as "AntiVirus 2009". It is a surprisingly sophisticated scareware virus. As far as I was able to determine, the virus came from a trusted web site that was compromised and used a malicious ActiveX control on Internet Explorer to install the virus. As soon as the virus was in place, it installed a DNS and web server on the computer, and pointed the computer's DNS at itself. It then deleted the antivirus definitions. When the antivirus software attempted to update, it would alter the DNS request so that the AV software would download an empty definitions file. Any attempt to visit a known antivirus company's web site would take the user to the virus' web server that was installed on the computer (in other words, a request to "mcaffee.com" would resolve to 127.0.0.1, which is the loopback address, and would take you to a page asking you to buy the virus software). In addition, installation of new antivirus software was impossible since the virus would detect the installer, and kill the process.

There are fewer exploits that attack Firefox directly, at least as far as I have seen. Recently, a lot of the attacks have been centering on other systems - media players like RealPlayer or QuickTime, or have targeted other very common software like Flash or the Java Runtime Engine. By attacking these types of systems, it doesn't matter what type of browser the visitor is using; the attack will still work.
__________________
The best way to learn anything, is to question everything.

Last edited by wige; 01-02-2009 at 11:22 AM.
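
Added example, not part of wige's post: a Python check for the two symptoms described above for "AntiVirus 2009", a DNS setting that points at the machine itself and security-vendor host names that resolve to a local address. The vendor host names and the canned answers are constructed placeholders; on a real machine, pass the configured name servers and leave the resolver at its default.

```python
import ipaddress
import socket


def system_resolve(name):
    """Resolve a host name with the OS resolver; returns a list of IP strings."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0].split("%")[0] for info in infos})


def is_local_address(addr):
    """True for addresses a public vendor site should never resolve to."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local


def audit_dns(nameservers, vendor_domains, resolve=system_resolve):
    """Return (finding, subject, address) tuples.

    nameservers: resolver addresses configured on the machine.
    vendor_domains: security-vendor host names the machine must be able to reach.
    A loopback resolver is only a finding on machines where no local caching
    resolver was installed on purpose.
    """
    findings = []
    for ns in nameservers:
        if ipaddress.ip_address(ns).is_loopback:
            findings.append(("resolver-is-loopback", ns, ns))
    for domain in vendor_domains:
        try:
            addrs = resolve(domain)
        except OSError:  # socket.gaierror is a subclass of OSError
            findings.append(("lookup-failed", domain, None))
            continue
        for addr in addrs:
            if is_local_address(addr):
                findings.append(("vendor-resolves-locally", domain, addr))
    return findings


# Constructed answers imitating the infected machine described in the post.
CONSTRUCTED_ANSWERS = {
    "www.av-vendor.example": ["127.0.0.1"],
    "update.av-vendor.example": ["127.0.0.1"],
    "www.other-site.example": ["93.184.216.34"],
}


def constructed_resolver(name):
    """Stand-in resolver for offline use; unknown names fail like NXDOMAIN."""
    if name not in CONSTRUCTED_ANSWERS:
        raise OSError("name not found: " + name)
    return CONSTRUCTED_ANSWERS[name]


if __name__ == "__main__":
    names = list(CONSTRUCTED_ANSWERS) + ["missing.av-vendor.example"]
    for finding in audit_dns(["127.0.0.1"], names, resolve=constructed_resolver):
        print(finding)
```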
#7 (permalink)
Old 01-17-2009, 09:55 PM
WebProWorld 1,000+ Club
WebProWorld MVP

Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,217
deepsand RepRank 9
Re: Internet Security 2008

Re. "AntiVirus 2008/2009," I've witnessed several links posted here at WPW which resolved to attempts to install said. Additionally, I have for some time now observed that Google is indexing an alarming number of IBLs originating from such scare-ware sites. When I find the time, I intend to try to determine how long such links live in the Googleverse.

On the upside, attempts to install this particular threat are both easy to spot, and defeating them is a trivial task - one need only close the window which launched the download, thus interrupting it. Of course, this assumes that the user is both observant and sufficiently knowledgeable so as to recognize what is happening and act promptly. I've opened a countless number of such links with no ill effects.
#8 (permalink)
Old 01-18-2009, 08:38 AM
WebProWorld Pro

Join Date: Dec 2007
Posts: 268
MrGamm RepRank 3
Re: Internet Security 2008

Quote:
Originally Posted by SnerdeyWebs View Post
The younger generation is going to provide new and creative ways of taking down any server they can get into.
My favorites are the step by step video tutorials on YouTube...

"SQL Injection/ Hack How to Getting To The Admin Control Panel"
YouTube - SQL Injection/ Hack How to Getting To The Admin Control Panel

"Learn how to hack OSCOMMERCE"
YouTube - Learn how to hack OSCOMMERCE

"How to Hack a Wordpress Forum [Intermediate]"
YouTube - How to Hack a Wordpress Forum [Intermediate]



Unfortunately these are not new and creative ways to hack into anything. They are very old methods which people have not learned to secure properly with their programming.
__________________
James Weisbrod - programmer
#9 (permalink)
Old 01-21-2009, 01:18 PM
WebProWorld Veteran
WebProWorld MVP

Join Date: Oct 2006
Posts: 892
innominds RepRank 4
Re: Internet Security 2008

Quote:
Originally Posted by khurramali View Post
Some of my clients' systems were infected with fake antivirus and scareware.

The only solution was at that time to format the systems.
When did it happen? I think we had good internet security suites even before. You should have tried them before formatting the hard drive.
#10 (permalink)
Old 01-21-2009, 04:05 PM
Moderator
WebProWorld Moderator

Join Date: Jun 2006
Location: United States
Posts: 2,648
wige RepRank 9
Re: Internet Security 2008

With some of these malware programs, installers for new antivirus software may be disabled, and existing protection is sometimes defeated as well. I posted a more full writeup on AV2009 on my blog (see sig), with links to several tutorials on cleaning the infection, which work with varying levels of success, depending on the version involved.
__________________
The best way to learn anything, is to question everything.
#11 (permalink)
Old 02-28-2009, 05:38 PM
WebProWorld Member

Join Date: Feb 2009
Posts: 45
joyblogs RepRank 0
Re: Internet Security 2008

Spyware is not only annoying, but also a threat to your personal security. Spyware programs can be installed on your computer without you ever finding out, so you need to regularly search for them using reliable software.
The most important thing is to find out which spyware remover programs you should use.

Top 5 Spyware Programs review
#12 (permalink)
Old 03-12-2009, 05:15 AM
Banned

Join Date: Mar 2009
Location: UK
Posts: 16
Jenniferlinn RepRank 0
Re: Internet Security 2008

Interesting, and what about internet security 2009?
#13 (permalink)
Old 03-13-2009, 04:18 PM
WebProWorld 1,000+ Club

Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 1,527
mikmik RepRank 2
Re: Internet Security 2008

The Best Security Suites for 2009
Antivirus software, business software & computer software reviews - CNET Reviews
Internet Security Suites Software Review 2009 - TopTenREVIEWS
Annoyances.org
PC Hell: Computer Hints and Tips to bring you back from the edge

Personally, I like the first one and last two links. I mean, PC Hell! You can't go wrong.
There are others like, I think, spywareweekly, tomcoyote, but I haven't looked recently.
tomcoyote is now What the Tech | formerly TomCoyote
scratch spyware weekly
this one fave fave The home of Spybot-S&D!