Tag Archive for Malware

Detroit PC’s Cleaner Than Most

Help Net Security reports that Detroit has one of the lowest malware infection rates in the US, based on information from Enigma Software Group. An analysis of more than one million malware infections in the United States shows that only PCs in Boise, ID and Memphis, TN have malware infection rates lower than Motown’s.

Enigma recently pulled a 30-day history of infections in the 100 largest cities in the United States. Not surprisingly, New York City had the most infections in absolute terms, because New York has the most computers. Once infections were normalized as a percentage of each city’s population, however, Atlanta, GA and Birmingham, AL had the highest malware infection rates in the United States.

“Malware makers are becoming more and more sophisticated, and the risk they pose to your computer and your valuable personal information is growing,” Enigma Software Group CEO Alvin Estevez told Help Net Security. “We think it’s important to keep an eye on where the malware is doing the most damage and our Malware Tracker map (link broken at the far end) helps us and consumers know what’s going on.”

According to this data, the cities with the highest PC malware infection rates are:

  1. Atlanta, GA
  2. Birmingham, AL
  3. Denver, CO
  4. Chesapeake, VA
  5. Madison, WI

Other notable cities included:

28. Dallas
35. San Francisco
51. Houston
63. Los Angeles
64. Chicago
84. Phoenix
85. New York City
89. Philadelphia

Enigma Software Group’s Malware Tracker uses detection data from its SpyHunter software to estimate how many computers are infected with worms and Trojans. It plots that data with the Google Maps API, so a viewer can zoom into specific neighborhoods and see where the infections are. The data can also be broken out by type of malware.

rb-

While it is always a plus to have good things to say about Detroit, it does not take much analysis to know these stats do not mean that Detroiters are better PC drivers than the rest of the world. The first thing I noticed about the Enigma map was that Ontario had more outbreaks reported than most of the U.S. east coast. I would attribute that to the degree of market penetration by Enigma’s software.

A second cause, which I wrote about last March when Symantec declared Detroit the least risky online city, is that the depression (the “global financial crisis”) turns these stats on their head. Symantec found that Detroit ranked last in categories like:

  • WiFi and hotspots per capita,
  • Annual expenditures per household on Internet Access and Computers,
  • Adult Internet use.

All of which cut the number of personal PCs that can pick up a malware infection in the first place.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Full AV Needed for MacOS

The Mac antivirus vendor Intego has identified a new malware threat for macOS. On the Mac Security Blog, the firm rates the threat, OSX/OpinionSpy, as “high risk.” According to the blog, the main distribution channel for the malware is screen saver programs downloadable from reputable download sites, including MacUpdate, VersionTracker, and Softpedia. The malicious code does the typical malware things: it scans files, records user activity, opens a backdoor, and sends stolen data to remote servers.

SearchSecurity quotes security expert and SANS Institute instructor Rob VandenBrink, writing on the SANS Internet Storm Center Diary, who said the malware is a simple bolt-on to other freely downloadable applications. “The neat thing about this malware is that it passes most static scan tests – the downloaded software itself is clean, the malware is downloaded as part of the installation process,” VandenBrink wrote. “This highlights the requirement for an on-access virus scanner for your OSX computers.”

rb-

Many people have long held that macOS is more secure than Windows. macOS and its underlying *NIX foundation have their own issues. The recent announcement by Google that it will increase its use of non-Windows OSs (here and here) has made macOS security through obscurity moot. Mickey Boodaei, CEO of security vendor Trusteer, told SC Magazine, “Mac and Linux are not more secure than Windows. They’re less targeted. There is a big difference.”

This announcement weakens the theory that using macOS computers is the best way to secure online financial transactions. For the time being, a *NIX-based live CD is probably the safest bet for securing your online financial transactions.

macOS users should get a real anti-malware package that includes an on-access scanner.


Microsoft Security Report

Microsoft (NASDAQ MSFT) released the latest Microsoft Security Intelligence Report (SIRv8) on April 26, 2010. Data for SIRv8 came from 500 million PCs across the globe between July and December 2009 and, for the first time, separates enterprise-user and consumer-user malware trend data. The 250-page report says that enterprises and consumers suffer from different types of malware threats.

Microsoft security good news

The good Microsoft security news from the SIR 8 report is that newer operating systems and up-to-date applications are the most secure. Windows 7 and Vista Service Pack 2 had the lowest infection rates per 1,000 executions of the Microsoft Malicious Software Removal Tool (MSRT) in the second half of 2009 (pg. 85). Microsoft distributes the MSRT monthly through Windows Update, so its cleaning counts give a broad view of which Windows versions are actually getting infected.

Windows OS            PCs cleaned per 1,000 MSRT executions
XP SP1                21.7
XP SP2                14.5
Win 7 32-bit           2.8
Vista SP2 32-bit       2.2
Vista SP2 64-bit       1.4
Win 7 64-bit           1.4

The report shows that the more recent versions of Windows are less vulnerable to attack. Cliff Evans, Microsoft UK’s head of security and privacy, says only about 5% of the vulnerabilities are in Microsoft software, which has shifted attackers’ emphasis to third-party programs and utilities. On XP, around 45% of attacks exploited third-party (i.e., non-Microsoft) code; on Vista and Windows 7 it is around 75%, according to an article in the Guardian.

Application attacks continue to increase. Running current software shrinks the attack surface. The report shows that attackers target Internet Explorer 6 (IE 6) up to four times more often than the newer IE 7 (pg. 33). Matt Thomlinson, general manager of product security in Microsoft’s Trustworthy Computing group, told DarkReading, “With Internet Explorer, IE 6 is four times more targeted in drive-by attacks.” Thomlinson says SIR 8 provides the first real data to illustrate this.

Browser attacks

The Microsoft security report says that nearly 75% of the browser-based exploits encountered in 2H09 targeted third-party applications, including Adobe Reader, RealPlayer, Apple QuickTime, and AOL software (pg. 26). Windows Update alone is therefore not enough to protect users; they must also install updates from Adobe, Apple, and other software suppliers.

Attacks against Microsoft Office rely on older vulnerabilities that have long since been fixed, so they can be avoided simply by keeping the suite up to date. The majority of Office file-format attacks can be blocked by applying service packs (pg. 43). For example, 75.8% of the attacks on Microsoft Office files exploited a single vulnerability (CVE-2006-2492, the Malformed Object Pointer Vulnerability in Microsoft Office Word), which was disclosed and patched in 2006.

The report found that enterprise users contract more worms. “In the enterprise, worms are more of a problem, which is not a surprise in that you have networks with trusted file shares and USB devices, and they are more susceptible to those transmission mechanisms,” Thomlinson told DarkReading. “This is the first time we’ve had data allowing us to separate [enterprise and consumer machines] and show differences [in malware prevalence].” Worms were found on 32 percent of infected enterprise PCs.

Threat category                          Enterprise PCs affected (%)
Worms                                    32
Miscellaneous Trojans                    18
Unwanted software                        16
Trojan downloaders and droppers          13
Password stealers and monitoring tools    7
Backdoor programs                         5
Viruses                                   4
Exploits                                  3
Adware                                    3
Spyware                                   1

Rogue anti-virus attacks

Windows users in both the enterprise and consumer markets were hit hard by rogue anti-virus attacks last year. Rogue security software was found on 7.8 million computers in 2H09, up about 46% from 5.3 million in 1H09. The most detected rogue security software family, Win32/FakeXPA, was also the third-most prevalent threat overall detected by Microsoft worldwide in 2H09. Three other rogue software families were also widely detected:

  • Win32/Yektel,
  • Win32/FakeSpypro, and
  • Win32/Winwebsec.

MSFT says that attacks are now motivated by financial gain, with a “black economy” of malware authors, botnet herders, and other criminals working together to exploit vulnerabilities in Windows PCs. “We’re seeing that the criminals are more professional and organized,” Thomlinson says. “This is really about criminals in shirts and ties, not with tattoos.” Criminals are specializing in different aspects of cybercrime and then coordinating with criminals who have other specialties. “Threats are being packaged together and sold as commodities and kits,” he says. “It struck us as we looked at botnets that this is an early version of cloud computing: There is computing available for whatever use they have in mind, and they are taking advantage of many machines to do that. This is the ‘black cloud’ of computing.”

rb-

The next report will be interesting as attackers shift their attention to Win7 as it becomes more widely deployed. The takeaways from the report are:

  • Keep your installed software patched to current levels.
  • Running old versions of operating systems, browsers, and application software exposes companies to additional, unnecessary risk (ask Google).
  • Invest in initiatives that get systems upgraded to the newest technology available.


Detroit Least Risky Online City

Symantec has declared Detroit the least risky online city in America. In a joint study with Sperling’s BestPlaces, Symantec released Norton’s Top 10 Riskiest Online Cities: The U.S. cities under the greatest threat from cybercrime (PDF, 03-22-10), a ranking of the 50 riskiest places in America to be online. At the bottom of the list is Detroit.

The report indicates that Detroit is the least risky online city because its residents are less likely to take part in risky online behavior: Detroit has low levels of Internet access, low expenditures on computer equipment, and little wireless Internet access, and it also ranked low in cybercrime compared to other cities. El Paso, TX, and Memphis, TN, were the second and third safest cities, respectively, as reported by eWeek.

Data from several sources were used to determine the rankings. The data came from Symantec Security Response as well as third-party data about online behavior, such as use of WiFi hotspots and online banking. Each city was scored across several categories, for example the number of malicious attacks per capita, the prevalence of Internet use, and the number of bot-infected machines per capita.

Detroit ranked last in all categories, including:

  • Individual cybercrimes,
  • WiFi and hotspots per capita,
  • Annual expenditures per household on Internet Access and Computers,
  • Adult Internet use.

rb-

Up is down and down is up in Detroit. These are not promising statistics for Detroit. The depression (the “global financial crisis”) has ravaged Detroit and southeastern Michigan for the past 11 years, and these results are just another indicator of how far Detroit has fallen. Low levels of Internet access, low spending on computer equipment, and slow, limited wireless Internet access are what cause the city to rank low in cybercrime. It is just like driving a car: the more you drive, the more risks you take. Until the Motor City gets on the information superhighway there is little chance of Detroit moving forward.


IPv6 Malware

In a December 2009 report, The Future of Threats and Threat Technologies: How the Landscape Is Changing, anti-malware vendor Trend Micro predicts that the IPv6 changes to the Internet infrastructure will widen the playing field for cyber-criminals.

One of the changes Trend Micro predicts is an IPv6 malware experimentation stage. The anti-virus firm points out that many weaknesses were discovered in IPv4 during the mid-to-late 1990s as the Internet came into its own, and it predicts IPv6 will follow a similar pattern.

As the IPv6 user base expands, weaknesses will be discovered in the IPv6 protocol and its implementations. The anti-virus firm believes that the current low IPv6 adoption rate and the increased awareness of IPv4 exhaustion will delay any wide-scale IPv6 malware beyond 2010. However, as users start to explore IPv6, so will the cyber-criminals. The vendor says that users can expect to see proof-of-concept IPv6 abuse during 2010, including new covert channels or Command and Control (C&C) for botnets.

IPv6 tunneling protocols pose threats

One attack vector that will open up as users start experimenting with IPv6 is tunneling protocols, according to Ben April, an Advanced Threat Researcher at Trend Micro. Mr. April points out on the Trend Micro Malware Blog that the 6to4 (RFC 3056) and Teredo (RFC 4380) tunneling protocols pose threats to networks as they transition to IPv6.

Trend’s April says that neither protocol claims to offer any significant security protection. According to the blog, 6to4 tunneling requires that the endpoint sit in publicly routable IP space and be directly reachable by any 6to4 serving device; for full functionality it must trust traffic coming from any address that claims to speak the protocol. 6to4 can also advertise routes to networks behind the endpoint. Endpoints get an IPv6 address that embeds the endpoint’s IPv4 address converted to hex, so the IPv4 address is readable by anyone who sees the IPv6 one. According to April, a server on the IPv6 Internet should therefore be fortified against both IPv4 and IPv6 threats. 6to4 comes with an entire RFC (RFC 3964) devoted to its security considerations.

The Teredo RFC goes so far as to describe the protocol as the IPv6 provider of last resort. The blog says this label comes primarily from the crazy stunts required to successfully traverse multiple NAT gateways. Unlike 6to4, only a single host can sit behind a Teredo endpoint. April points out the risk Teredo creates by tunneling from the public Internet straight to a host inside a NATed environment, which means that host must be well protected in its own right. The protocol also leaks endpoint addressing information that would aid an attacker: a Teredo address encodes the IPv4 exit point of the NAT gateway, the UDP port used by the external NAT session, and the IPv4 address of the Teredo server, in a well-known and only slightly obfuscated way.
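To make the address leakage concrete, here is an added example (not from Trend Micro’s blog or the original post) that decodes the IPv4 details embedded in 6to4 and Teredo addresses, following the layouts in RFC 3056 and RFC 4380. The sample addresses are constructed for the example; the Teredo one is the worked example from RFC 4380 section 4. The function names and the sample list are this example’s own.

```python
import ipaddress

# Tunnel prefixes from RFC 3056 (6to4) and RFC 4380 (Teredo).
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def decode_6to4(addr):
    """Return the IPv4 endpoint embedded in a 6to4 address, or None.

    Layout: 2002:WWXX:YYZZ:<SLA id>:<interface id>, where WW.XX.YY.ZZ is the
    public IPv4 address of the 6to4 router. Anyone who sees the IPv6
    address can read the IPv4 endpoint straight out of bytes 2..5.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTOFOUR_PREFIX:
        return None
    return {"kind": "6to4",
            "endpoint_ipv4": str(ipaddress.IPv4Address(a.packed[2:6]))}


def decode_teredo(addr):
    """Return the fields a Teredo address leaks, or None.

    Layout (bits): 0-31 prefix 2001:0000, 32-63 Teredo server IPv4,
    64-79 flags (0x8000 = cone NAT), 80-95 external UDP port XOR 0xFFFF,
    96-127 client's public IPv4 XOR 0xFFFFFFFF. The XOR is the "slight
    obfuscation": it stops NATs from rewriting the embedded address, but
    it hides nothing from an observer.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    p = a.packed
    flags = int.from_bytes(p[8:10], "big")
    return {
        "kind": "teredo",
        "server_ipv4": str(ipaddress.IPv4Address(p[4:8])),
        "cone_nat": bool(flags & 0x8000),
        "nat_udp_port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
        "client_public_ipv4": str(
            ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))),
    }


def classify(addr):
    """Label an address as 6to4, Teredo, or native IPv6 and decode it."""
    return decode_6to4(addr) or decode_teredo(addr) or {"kind": "native"}


# Constructed sample: IPv6 source addresses as they might appear in a web
# server or firewall log. The Teredo entry is the RFC 4380 section 4 example.
SAMPLE_ADDRESSES = [
    "2002:c000:221::1",                      # 6to4 router at 192.0.2.33
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo client (RFC 4380 example)
    "2001:db8::10",                          # native IPv6 (documentation prefix)
]


def find_tunneled(addresses):
    """Return (address, decoded details) for every tunneled address."""
    found = []
    for addr in addresses:
        info = classify(addr)
        if info["kind"] != "native":
            found.append((addr, info))
    return found


if __name__ == "__main__":
    for addr, info in find_tunneled(SAMPLE_ADDRESSES):
        print(addr, info)
```

Running classify() over the source addresses in web or firewall logs shows which clients arrived through a tunnel, and for Teredo clients which public IPv4 address, NAT port and Teredo server they used; that is exactly the information April warns an attacker can harvest. Python’s ipaddress module exposes the same decoding through IPv6Address.sixtofour and IPv6Address.teredo, which is a handy cross-check on the manual bit slicing above.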

One answer to the IPv6 security issues could come from network security and unified threat management (UTM) provider Fortinet. In December 2009, the vendor announced that it had achieved 56 Gbps of IPv6 throughput on its FortiGate-5140 multi-threat chassis-based system. The 56 Gbps IPv6 figure relies on Fortinet’s proprietary FortiASIC technology, which accelerates security processing on the FortiGate-5000 Series blades and modules. The FortiASIC processors are purpose-built security processors that speed up the processing of network traffic for security enforcement, including firewall policies and other content inspection requirements.

The IPv6 performance of the equipment was benchmarked and validated with a BreakingPoint Elite resiliency testing chassis with multiple 10 GbE interfaces. Fortinet’s FortiOS firmware has also fulfilled all requirements for IPv6 Phase-2 Core Support as a router product, a certification awarded by the IPv6 Ready Logo Program.

As Trend Micro’s April says, “IPv4 firewall rules don’t do anything to IPv6 traffic.”
