Tag Archive for Trend Micro

Conficker Worm – Still Alive

After six years, Conficker remains one of the top three malware families affecting enterprises and small and medium businesses, according to Trend Micro’s (TMICY) TrendLabs. They say 45% of the malware-related spam emails they detected were related to Conficker. Trend Micro attributes this to the fact that a number of companies are still using Microsoft’s (MSFT) Windows XP, which is susceptible to this threat.

Six-year-old Conficker

For those that don’t remember our old friend Conficker (Trend calls it DOWNAD), it can infect an entire network via a malicious URL, spam email, and removable drives. Larry Seltzer at ZDNet’s Zero Day blog recalls that Conficker was a big deal back in late 2008 and early 2009. The underlying vulnerability caused Microsoft to release an out-of-band update (MS08-067, “Vulnerability in Server Service Could Allow Remote Code Execution”) in October 2008. In addition, Conficker has its own domain generation algorithm (DGA) that lets it create randomly generated URLs. It then connects to these generated URLs to download files onto the system.

Technically, Windows Vista and the beta of Windows 7 were vulnerable, but their default firewall configuration mitigated the threat. It was Windows XP that was really in danger. Mr. Seltzer says that despite Microsoft’s patch, everyone knew that a major worm event was coming. When it came, it was big enough that a special industry group (the Conficker Working Group) was formed to coordinate a response.

Despite the unprecedented industry effort, Trend Micro observed that six years later (2014 Q2), more than 45% of malware-related spam mails are delivered by machines infected by the Conficker worm. Spam campaigns analyzed by the AV firm that deliver FAREIT, MYTOB, and LOVGATE payloads in email attachments are attributed to Conficker-infected machines.

Over 1.1 million IPs related to Conficker.

On Thursday, July 3, the Conficker Working Group detected approximately 1,131,799 unique IPs related to Conficker. Whatever the exact count, it’s still a big number for a 6-year-old malware family with a patch available. Trend explains that the IPs use various ports and are randomly generated via the DGA capability of the malware. A number of machines are still infected by this threat and are leveraged to send the spammed messages, further increasing the number of infected systems.

rb-

With Microsoft ending support for Windows XP this year, we can expect that systems with this OS will be infected by threats like Conficker for a long time to come. It is going to take years to work XP out of the system.

End Of Support Changes Little About Windows XP's Popularity

Even with an ancient OS, there are ways to prevent Conficker

  1. Upgrade – Kudos to MSFT, Windows 7 has been resilient so far
  2. Patch your systems
  3. Keep Anti-Malware up to date
  4. Stay away from shady places on the web
  5. Be wary of email attachments – Don’t open what you don’t know
  6. The Conficker Working Group has an easy way to check if your machine is infected with Conficker here

Related articles
  • Mobile malware: Past and current trends, prevention strategies (cloudentr.com)


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Staff End Runs Security

When I am reclining in my Bach Seat, contemplating shared tech services, my mind wanders to the consumerization of IT. The iPads have made an official beachhead and Skype has made it inside the perimeter. So, judging by recent reports from Trend Micro and Cisco (CSCO), I am not alone in being concerned about security.

Help Net Security reports that despite more workplaces regulating access to social networking sites, employees bypass security roadblocks to engage in social networking. The research by Trend Micro says that employees are finding ways around security roadblocks, making social networking a way of office life around the world. Trend Micro’s 2010 corporate end-user survey found that globally, social networking at the workplace steadily rose from 19 percent in 2008 to 24 percent in 2010.

The survey also found that laptop users are much more likely than desktop users to visit social networking sites. Globally, social networking usage via laptops went up by 8 percent from 2008 to 2010. In the U.S., it increased by 10 percent. In 2010, 29 percent of laptop users versus 18 percent of desktop users surveyed said they frequented these sites at work.

The survey also found that laptop users who can connect to the Internet outside of the company network are more likely to share confidential information via instant messenger, Webmail, and social media applications than those who are always connected to a company’s network.

A 2010 Cisco survey, which looked at the security impact of personal gadgets and social networking in the workplace, found that employees are consistently (Cisco’s words) finding ways around security policies. 68 percent of those surveyed by Cisco said that employees use unsupported social networking applications. Heavy use of unsupported collaboration, P2P, and cloud applications were also reported. More than half said social networking is one of their organization’s three greatest security risks. More than a third reported that their company lost data or experienced a breach because of employees using unsupported devices.

rb-

So why is Facebook such a problem for enterprises? For one, it is a huge time waster. Datacenter Knowledge reports that Facebook users spend a total of more than 16 billion minutes on the social networking site per day. Facebook VP of Technical Operations Jonathan Heiliger stated during a presentation at the Velocity 2010 conference that 3 billion photos are uploaded to Facebook each month and that users view more than 1 million photos every second.

The more popular the social network, the more effective social networks become as malware distribution platforms. KOOBFACE, the “largest Web 2.0 botnet,” controls and commands compromised machines globally. This demonstrates the scale of the threat and emphasizes the need to educate users and implement strong policies.

Trend Micro says that simply blocking users from accessing social networks at work could actually increase an organization’s risk, because users look for ways around the security controls and may expose themselves to more threats in the process. The lesson, in Cisco’s view, is that you had better find the technologies and resources to support personal devices and applications, because they will be used regardless. “The best strategic approach is to focus less on restricting usage and more on effective solutions to ensure highly secure, responsible use,” said Fred Kost, Cisco’s director of security solutions.

Call me old-school, but it seems that employees have always learned to work within reasonable company boundaries. Another option for organizations that need Web 2.0 is to take a look at Palo Alto Networks, which has developed a firewall that can block the wasteful parts of social media while leaving some parts of the Web 2.0 application accessible.

Consumer technologies evolve faster than the IT department budget, and it could be a constant game of catch-up trying to accommodate the latest rogue gadgets and widgets. Ultimately, rogue IT use is not so much a failure of technology, but a failure of policy and policy enforcement.


Free Antivirus Rules Market

OPSWAT, Inc., a provider of integration technologies to software developers and vendors, recently released a report on the use of antivirus applications. According to the report, free products control 42% of the product market, and vendors that primarily offer a free product have a 48% market share.

The top 10 Windows antivirus applications for January to May 2010 according to OPSWAT were:

  • avast! Free Antivirus 11.45%
  • Avira AntiVir Personal – Free Antivirus 9.19%
  • AVG AntiVirus Free 8.6%
  • Microsoft Security Essentials 7.48%
  • avast! Antivirus 5.4%
  • Kaspersky Internet Security 4.48%
  • Norton AntiVirus 4.24%
  • ESET NOD32 Antivirus 3.84%
  • avast! Antivirus Professional 3.5%
  • McAfee VirusScan 3.26%

opswat AV market share graph 2010

This data indicates that free products account for 42% of the market. From a vendor perspective, European vendors total just over 50% of the market; they include:

  • AVAST,
  • Avira,
  • AVG,
  • ESET,
  • Panda,
  • BitDefender,
  • G Data and
  • Sophos.

US-based vendors, by contrast, make up just over 30% and include:

Vendors that primarily offer a free product have a 48% market share.

The top 10 Windows antivirus vendors by market share for January to May 2010 according to OPSWAT were:

rb-

According to the firm’s website, OPSWAT collected information from tens of thousands of volunteers out of the 50 million endpoints that use the OESIS Framework and the free Am I OESIS OK? online utility, with which end users can check the interoperability and quality level of their applications. I have said this before about other fun factoids like this: the adoption rate of the vendor’s own tools may skew the results. Nonetheless, it is notable that:

  • Microsoft, not usually seen as a security vendor, has captured a significant share with its recent anti-virus solutions and could be a legitimate challenger to pure-play security players Symantec and McAfee.
  • Symantec and McAfee who are often seen as the top choices in the U.S. do not do well in this list. This data seems to show that AV competition is alive and well in the highly fragmented consumer sector.
  • The fragmented marketplace may help keep innovation active in the AV market, which is a good thing in the face of the increasing variety of threats from malware.

So despite the claims of this or that vendor to dominate a market based on sales numbers, the OPSWAT data seems to show that end users have developed the same degree of trust in free antivirus applications to keep them secure as they have in paid antivirus.


IPv6 Malware

In a December 2009 report, The Future of Threats and Threat Technologies: How the Landscape Is Changing, anti-malware vendor Trend Micro predicts that the IPv6 changes to the Internet infrastructure will widen the playing field for cyber-criminals.

One of the changes Trend Micro predicts is an IPv6 Malware Experimentation Stage. The anti-virus firm points out that many weaknesses were discovered in IPv4 during the mid-to-late 1990s as the Internet came into its own. The vendor predicts IPv6 will follow a similar pattern of growth.

As the IPv6 user base expands, weaknesses will be discovered in the IPv6 protocol and its implementation. The anti-virus firm believes that the current low IPv6 adoption rate and the increased awareness of IPv4 exhaustion will delay any wide-scale IPv6 malware beyond 2010. However, as users start to explore IPv6, so will the cyber-criminals. The vendor says that users can expect to find some proof-of-concept elements in IPv6 during 2010. Possible IPv6 abuse includes new covert channels or Command and Control (C&C) for botnets.

IPv6 tunneling protocols pose threats

One attack vector that will open up as users start experimenting with IPv6 is tunneling protocols, according to Ben April, an Advanced Threat Researcher at Trend Micro. Mr. April points out on the Trend Micro Malware Blog that the 6to4 (RFC 3056) and Teredo (RFC 4380) tunneling protocols pose threats to networks as they transition to IPv6.

Trend’s April says that neither protocol claims to offer any significant security protection. According to the blog, 6to4 tunneling requires that the user endpoint exist in publicly routable IP space and be directly reachable by any 6to4-serving device, which means that for full functionality it has to trust traffic coming from any address claiming to support the protocol. 6to4 can also carry routes to networks behind the endpoint. Endpoints have an IPv6 address that embeds the IPv4 address of the endpoint converted to hex. According to April, a server on the IPv6 Internet should therefore be fortified against both IPv4 and IPv6 threats. 6to4 comes with an entire RFC (RFC 3964) devoted to security considerations.

The Teredo RFC goes so far as to call itself the IPv6 Provider of Last Resort. The blog says this label comes primarily from the crazy stunts required to successfully traverse multiple NAT gateways. Unlike 6to4, however, only one host can exist behind the endpoint. April points out the risks that Teredo creates by tunneling from the public Internet to a host inside a NATed environment, which makes a well-protected host a necessity. The protocol also leaks endpoint address information that would aid an attacker: Teredo encodes the IPv4 exit point of the NAT gateway, the UDP port used by the external NAT session, and the IPv4 address of the tunnel endpoint used by the client in a well-known, slightly obfuscated way.
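To make the address leakage described above concrete from the defender’s side, here is an added example (not from Trend Micro’s blog or this post) that decodes the IPv4 endpoint data embedded in 6to4 and Teredo addresses as defined in RFC 3056 and RFC 4380, so that tunneled hosts seen in IPv6 logs can be matched back to the IPv4 firewall policy. The sample addresses are constructed from documentation ranges (192.0.2.0/24) and the RFC 4380 layout; the Teredo server address used is a constructed value, not a claim about any real server.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056 prefix
TEREDO = ipaddress.IPv6Network("2001::/32")       # RFC 4380 prefix


def decode_tunnel_address(addr):
    """Return a dict describing the IPv4 endpoint data embedded in a
    6to4 or Teredo IPv6 address, or None for any other address."""
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed  # 16 bytes in network order
    if ip in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ::/48 -> bytes 2..5 are the endpoint's public IPv4
        return {"tunnel": "6to4",
                "endpoint_ipv4": str(ipaddress.IPv4Address(raw[2:6]))}
    if ip in TEREDO:
        # 2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF
        server = ipaddress.IPv4Address(raw[4:8])
        flags = int.from_bytes(raw[8:10], "big")
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
        return {"tunnel": "teredo",
                "server_ipv4": str(server),
                "cone_nat": bool(flags & 0x8000),   # RFC 4380 cone flag
                "nat_public_ipv4": str(client),     # NAT exit point
                "nat_udp_port": port}               # external NAT session port
    return None


def tunneled_endpoints(addresses):
    """Filter a list of IPv6 addresses (e.g. pulled from flow logs) down to
    the tunneled ones, returning (address, decoded info) pairs."""
    found = []
    for a in addresses:
        info = decode_tunnel_address(a)
        if info is not None:
            found.append((a, info))
    return found


if __name__ == "__main__":
    # Constructed sample: a 6to4 host, a Teredo host and a native address.
    sample = ["2002:c000:221::1",
              "2001:0:4136:e378:8000:63bf:3fff:fdd2",
              "2001:db8::1"]
    for addr, info in tunneled_endpoints(sample):
        print(addr, info)
```

Any 6to4 or Teredo address in a log therefore reveals the IPv4 host (and for Teredo, the NAT port) that an IPv4-only ruleset should be covering.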

One answer to the IPv6 security issues could come from network security and unified threat management (UTM) provider Fortinet. In December 2009, the vendor announced that it had achieved 56 Gbps of IPv6 throughput on its FortiGate-5140 multi-threat chassis-based system. The 56 Gbps of IPv6 throughput is based on its proprietary FortiASIC technologies, which accelerate security processing on the FortiGate-5000 Series blades and modules. The FortiASIC processors are security processors that accelerate the processing of network traffic, focusing on security enforcement including firewall policies and other content inspection requirements.

The IPv6 performance of the equipment was benchmarked and validated with a BreakingPoint Elite resiliency testing chassis with multiple 10 GbE interfaces. Fortinet’s FortiOS firmware has fulfilled all requirements for IPv6 Phase-2 Core Support as a router product; this certification was awarded by the IPv6 Ready Logo Program.

As Trend Micro’s April says, “IPv4 firewall rules don’t do anything to IPv6 traffic.”


Ransomware Gets Tougher

Anti-malware vendor Trend Micro has noted an increase in ransomware. According to Wikipedia, ransomware is a type of malware that encrypts the data belonging to an individual on a computer, demanding a ransom for its restoration.

This type of ransom attack can be accomplished by (for example) attaching a specially crafted file/program to an e-mail message and sending this to the victim. If the victim opens/executes the attachment, the program encrypts a number of files on the victim’s computer. A ransom note is then left for the victim. The victim will be unable to open the encrypted files without the correct decryption key.

Once the ransom demanded in the ransom note is paid, the attacker may (or may not) send the decryption key, enabling decryption of the “kidnapped” files.

Recently, Trend Micro Advanced Threats Researcher Ivan Macalintal reported that a new version of the GPcode ransomware has surfaced. It is said that Gpcode[dot]ag uses a 660-bit RSA public modulus. Attackers appear to be upping the ante: in early June 2008 another Gpcode variant, Gpcode[dot]ak, was detected, and researchers believe it uses an RSA encryption algorithm with a 1024-bit public key. “We estimate it would take around 15 million modern computers, running for about a year, to crack such a key,” writes Aleks Gostev, senior virus analyst at Kaspersky, on the company’s blog.

The rise of ransomware makes regular successful data backups even more important. With current backups, you can delete the files in question, restore them from your backup and let someone else pay the attacker.
