Ten emerging malware trends for 2007

The bad guys have cranked up their malware-generating machine in the past couple of years, honing their methods to create powerful malicious code. And, the small trickles of advanced malware that we have seen in recent months are indicative of a tumultuous future. Here are 10 trends to keep an eye on from the malware front:


10) Spyware protected by rootkits
Spyware authors primarily make money when their software injects advertisements into a user's surfing experience, sends spam from a user's machine or performs keystroke logging to snag account numbers from a victim. The longer spyware is installed on a system, the more money an attacker can make. Enter rootkits, which alter operating system software so an attacker can hide code while maintaining control of the system. Today's sophisticated rootkits can hide attackers' files, processes and network usage from unsuspecting users and system administrators. This powerful combination, which sticks spyware to the victim machine using rootkit techniques, makes detecting and eradicating malware very difficult indeed. To fend off such attacks, keep antivirus and antispyware tools up-to-date, and utilize free rootkit-detection tools, like Microsoft's Rootkit Revealer, F-Secure Corp's Blacklight, Sophos' Anti-Rootkit, McAfee Inc.'s Rootkit Detective and Trend Micro Inc.'s RootKitBuster.

9) Totally smashing trust with evil certs
When a browser is installed, it contains the digital certificates of certain certificate authority companies that your browser vendor believes are trustworthy. These companies can generate certificates for other organizations, such as banks, ecommerce companies and software vendors. Unfortunately, some savvy hackers have started to install alternative, evil certificates into the browsers of infected machines, meaning that even after a victim discovers and removes an attacker's spyware, a phony certificate would tell the previously infected machine's browser to trust malicious Web sites, making reinfection easier. To mitigate this threat, I recommend periodically checking the trusted certificate authorities that are configured in your browser and verifying that those companies can be trusted. Internet Explorer users can check these certs by going to Tools, then Internet Options, then Content, then Certificates. Once in the Certificates dialog, look under Intermediate Certificate Authorities, Trusted Root Certification Authorities and Trusted Publishers.

8) Editing network configurations and disabling antimalware tools in multiple ways
For years, some malware samples have attempted to foil antivirus and antispyware updates by altering the local hosts file to point the domain names of the various antimalware vendors to 127.0.0.1. That way, when the antimalware tool tries to retrieve its update, it resolves the vendor's domain name to localhost, where, unfortunately, there isn't a server waiting to deliver signature updates. Look for hackers to bring this technique to new levels this year. While altering the hosts file is pretty blatant, attackers have started using more subtle tactics, like attempting to change personal firewall settings to block access to antimalware sites or running scripts that turn off various antivirus and antispyware tools. Hackers are deploying malware that renders the antimalware tool blind, a tactic that's harder for users to spot. To defend against such attacks, pay attention to the update status of your antivirus tool and verify that it can download new signatures. It is also wise to periodically test your antivirus tool. I recommend using EICAR's free antivirus test file. If an antimalware tool cannot detect the EICAR test file, in all likelihood it has been disabled.
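As an added example (not code from the article), here is a small Python check that parses a hosts file and flags the update-blocking trick described above. The sample hosts file and the vendor domains are constructed for illustration; a real check would list the actual update hosts of the products you run.

```python
import ipaddress
import re

# Constructed sample hosts file, not from the article; the last four
# entries imitate the update-blocking trick described above.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example
127.0.0.1       update.av-vendor.example
0.0.0.0         liveupdate.av-vendor.example   # blackholed variant
127.0.0.1       www.antispyware-vendor.example
10.0.0.5        signatures.av-vendor.example   # sent to a fake server
"""

# Hypothetical vendor update hosts to watch; a real check would list the
# actual update domains of the products deployed in the environment.
WATCHED_DOMAINS = {"update.av-vendor.example", "liveupdate.av-vendor.example",
                   "www.antispyware-vendor.example", "signatures.av-vendor.example"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:          # one IP may map several names
            yield fields[0], name.lower()

def is_blackhole(ip):
    """True for addresses that can never serve an update: loopback or 0.0.0.0/::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, name, reason) for each suspicious mapping.
    'blackholed': a non-local name pinned to loopback/unspecified (the classic
    127.0.0.1 trick); 'redirected': a watched vendor name pointed anywhere
    else, which may be an attacker's fake update server."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if is_blackhole(ip):
            findings.append((ip, name, "blackholed"))
        elif name in watched:
            findings.append((ip, name, "redirected"))
    return findings
```

Run it against the contents of `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) to get the list of suspicious mappings; an empty list means no vendor name is being blackholed or redirected.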

7) Self-updating malware and metamorphic code
In an effort to stay ahead of antimalware signature updates and to deploy new functionality to extend the capabilities of their botnets, attackers are increasingly deploying self-updating malware. Such tools poll attacker-controlled Web sites for the latest updates, which bad guys can effortlessly install on hundreds of thousands of machines in just minutes. In effect, the attackers are implementing distributed software distribution, not unlike their own private Windows Server Update Services (WSUS). To stay ahead of this trend, update antivirus and antispyware tools once a day, and use tools like Microsoft Sysinternals' TCPView to look for unusual connection activity going to or from the system.

6) Peer-to-peer botnets
Historically, botnets have been controlled using Internet Relay Chat (IRC). Each bot logs into the same IRC channel as its creator. The attacker issues commands, which all of the bots read and then perform. But, there's a problem with this for the bad guys – there is a single point of failure. If investigators shut down the IRC server or remove the channel, the botnet cannot accept commands, preventing the attacker from communicating with his minions of infected machines. To avoid this, attackers are starting to use peer-to-peer (P2P) protocols to direct botnets without a central point of control. Some cutting-edge criminals are also looking for ways to control botnets using the Waste and Skype protocols used for Internet-based phone calls. These two techniques indicate the attackers are, in effect, creating highly distributed systems and are devising clever mechanisms for managing their distributed empires. To prevent this information security threat, use a tool like TCPView or the netstat command to look for unusual communications streams going to or from the system.

5) Script-based worms for Web 2.0 sites
Recently, we've seen attackers exploiting Web services, which often allow one user to post information that thousands of other users can read. These so-called "Web 2.0" services include MySpace, Facebook, Gmail and countless others. Some are vulnerable to cross-site scripting attacks, in which malicious hackers post a script to their page in the service, and trick users into viewing the page via a browser. Once the victim reads the page, his or her browser runs the attacker's script. This script then uses the victim's account to add the script to the victim's own profile. If anyone else were to read this victim's profile, their account will become infected. The contagion then spreads, account to account, using victims' browsers as the vehicle to run scripts from other users' profiles. To help defend against Web 2.0 attacks, log out of any accounts and browsers when not in use.

4) Client-side exploits
As Microsoft has worked to eliminate server-side exploits, attackers are increasingly hunting for exploitable vulnerabilities in client-side software, including browsers, file viewers and music applications. In 2006, we saw several zero-day attacks in software like Internet Explorer, Microsoft Word, Microsoft PowerPoint and others. After creating an evil file that exploits the given client software, attackers then spew it out in spam or load it onto Web sites around the world, exploiting users who read the email attachment or simply surf to the wrong site. Look for many, many more of these in the future. To defend against them, diligently patch computers and ensure that antimalware software is current; if an enterprise system is vulnerable, detecting and removing malicious code is easier. Finally, consider using host-based intrusion prevention systems (HIPS), such as McAfee's Entercept and Cisco Systems Inc.'s Security Agent. HIPSes can defend against many attacks that haven't been seen before by restricting the actions exploitable applications may take.

3) Privilege escalation attacks
With the release of Windows Vista, Microsoft has worked hard to create an operating system that more carefully divides user privileges. With Vista, it should be easier to deploy users in roles that let them get work done without granting them local administrator privileges. This is certainly a good advance if the Microsoft promises are accurate. Too many organizations today let users surf the Web and read email from admin-based accounts. But if Windows Vista succeeds and eases the deployment of users without admin rights, attackers will most certainly need to develop new techniques. They'll still be able to break in with a client-side exploit, but, because clients have limited privileges, they won't have complete control of victims' machines. Therefore, look for attackers to focus heavily on finding local privilege-escalation attacks that will jack up their non-admin accounts to local system privileges, the most powerful local rights you can have on a Windows machine. To defend against what may be an avalanche of these exploits in 2007, keep Windows patched and deploy antivirus and antispyware tools.

2) Really big botnets (RBBs)
It almost seems quaint to think of the botnets of a decade ago, with one to three hundred systems under the control of one malicious hacker. Today, such numbers represent a baby botnet. Hackers have extended their empires so that botnets of 60,000 infected machines are run of the mill. Look for bigger botnets in the future, with several examples tipping the scale over a million systems. With economies of scope at that magnitude, the attackers wield immense computing power. They can direct a flood that knocks systems off the network, and crack crypto keys and passwords at rates that used to be available only to highly funded government agencies. To deal with this trend, those responsible for the security of an organization's network should have the emergency number for their ISPs, so that if there is a massive attack against the organization, key personnel are notified.

1) Move to non-computer platforms
The vast majority of malware to date has affected PCs. But as more and more processing power is added to non-computer platforms, more generalized operating systems will be able to store sensitive data. In 2007, watch for attacks against cell phones, PDAs and (dare I say it?) even the iPod. As such devices proliferate and are connected to the Internet wirelessly, a whole new malicious code vector will surface. While there aren't a lot of defenses available now, antivirus vendors will realize the need for such tools in this new environment and release products specialized for this realm.

About the author:
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions relating to information security threats.

from: here

Taiwan Earthquake Exposes the Fragility of Fiber-Optic Communications

Telephone and internet communications across Asia were disrupted on Wednesday because of a major earthquake near Taiwan. The incident shows clearly how fragile the global communications system, which still depends on undersea fiber-optic cables to carry data, remains.

The magnitude-6.7 earthquake that struck off southern Taiwan on Tuesday night severed several fiber-optic cables carrying traffic through this key Asian transit point; communications from Hong Kong and Southeast Asia to Japan, and ultimately to North America, all pass through this node.

After the earthquake, international calling service was interrupted or limited to some areas. Internet service in many parts of China slowed to a crawl, and BlackBerry and Bloomberg terminal service was temporarily interrupted in many areas. Foreign-exchange and other financial trading was halted in some markets.

Companies in most of Asia said they later managed to find workarounds. Stock markets were not affected. Tokyo stocks closed up 0.31% at 17223.15, and Hong Kong's Hang Seng Index rose 2.1% to a record high of 19725.73.

Still, a natural disaster that caused no serious physical damage triggered wide-ranging intangible disruption, highlighting the extreme fragility of the systems underpinning global communications.

Telecom companies said repairing the damaged cables could take two to three weeks, but that in the meantime they would find alternatives to improve service as much as possible.

Today, almost all data traffic between continents travels over bundles of extremely thin optical fibers wrapped in insulating protective layers. Telecom companies lay cables thousands of nautical miles long on the seabed or float them on the surface. To share costs, these projects are usually undertaken jointly by several carriers.

If these cables are disrupted at hub points (such as the major transit points near New York and in southern England), wide-scale communications outages can result.

The damaged cables lie in a dense corridor between Taiwan and Hong Kong. The waters above them are an important shipping lane connecting North and Southeast Asia.

The risks to undersea cables are especially serious in Asia, because the region is one of the world's most earthquake-prone zones. It is also the world's fastest-growing economic region, where demand for communications and maritime transport is rising steadily.

Wednesday's problems are also partly related to the slowdown in global cable investment in recent years. During the telecom boom of the 1990s, spurred by expectations of exploding demand, telecom companies laid large amounts of cable domestically and between countries, but actual demand fell far short of what they expected, causing them large financial losses; some went bankrupt, and cable investment slowed accordingly.

In the years since, however, internet and international calling services in Asia have grown rapidly, cable capacity has become increasingly tight, and existing cables are often technically obsolete. For example, as of June China had more than 123 million internet users, compared with only 8.9 million at the start of 2000.

Telecom companies' cable investment only began to increase in recent years. Earlier this month, Verizon Communications Inc. and five other Asian telecom companies (including three Chinese firms) announced they would spend US$500 million to build the first high-speed undersea cable directly linking China and the U.S. There are currently direct and indirect cable links between the two countries, but they are slower.

Duncan Clark, chairman of Beijing telecom consultancy BDA China Ltd., said the incident raises anew the question of whether another large-scale round of cable investment is needed. He said the cables laid worldwide so far are concentrated mainly between the U.S. and Europe and between the U.S. and Asia. If more cables were laid between Europe and Asia, international communications would have more alternative routes when similar incidents occur.

Keeping fiber-optic communications running is a basic requirement for the increasingly integrated global economy to keep prospering. Whether e-mail, web content or mobile-phone calls, all are converted into digital signals and transmitted along fiber-optic channels at the speed of light. Advanced technology lets carriers move huge amounts of information quickly over long distances; the information is packaged into different combinations and sent simultaneously on dozens of different optical frequencies without interfering with one another.

Besides fiber optics, satellites are also used for long-distance communications, but satellite communication is slower than fiber, carries less capacity and costs more.

In addition, satellite communications are also easily disrupted. Still, carriers sometimes use satellites as a backup. According to the Associated Press, China's state television said China Telecom Corp., the country's largest telecom company, had contacted U.S. and European carriers about using satellite links to make up for the current shortfall in cable capacity.

Hundreds of undersea cables have been laid worldwide, each costing hundreds of millions of dollars to manufacture and lay. The cables have their own names, such as the China-U.S. Cable and Asia Pacific Cable Network 2 (APCN2). The laying of these networks is done by specialist contractors.

APCN2, for instance, was built by NEC Corp., and more than a dozen companies take part in operating it. The 19,000-kilometer APCN2 was completed in 2001 at a cost of US$1.1 billion.

These cables are easily displaced. Fishing nets and ship anchors have damaged cables in the past. Last summer, internet service in Pakistan was interrupted for 12 days after a fishing boat snagged and cut the country's only undersea cable.

Most undersea cables are designed as rings with multiple landing points. When one section of the network fails, the other sections keep working. But the disruption caused by the Taiwan earthquake was far more serious: according to Chinese fixed-line operator China Netcom, eight cables were affected.

Repairing damaged cables is very difficult work. Asia Netcom, which operates an Asian cable, had said earlier that service would be restored by last night, while Taiwan's largest telephone company, Chunghwa Telecom Co., said a full restoration could take up to three weeks.

In the meantime, telecom companies must find other routes to carry their customers' traffic, especially for large corporate customers, which is what caused Wednesday's congestion. Chunghwa Telecom, the worst hit, said on Wednesday that its usable long-distance capacity to the U.S. was only 40% of normal call volume, and to Southeast Asia less than 10% of normal. Later that day, Chunghwa Telecom activated alternative routes.

Japan's KDDI Corp. rerouted the traffic that the damaged lines would normally carry via its lines to Europe and the U.S., under a contingency plan the company had drawn up in advance.

South Korean carriers also reported service interruptions. As of last night, leased lines used by 92 corporate customers of KT Corp., South Korea's largest carrier, were unusable. Those companies were switched to public lines, slowing transmission. In Hong Kong, traders at Baring Asset Management could only get stock prices from local data vendors because the Bloomberg terminals they normally use were not working.

The outage even affected the region's shipping and logistics industry. KL Tam, managing director of Hong Kong shipping company Kingstar Shipping, said he could not reach customers in Japan and South Korea, and some customers in Singapore were also unreachable. Kingstar operates 10 cargo ships.

"We have been trying other ways to contact them, but none has worked much," he said. Kingstar's ships mostly have cargo to carry today, but KL Tam said that if the situation continues for a few more days, their overseas business will have to be suspended.

Jason Dean


from: The Wall Street Journal

Internet Society of China Formally Publishes Eight Defining Characteristics of "Malicious Software"

The Chinese internet association has finally done something about the flood of malware.

Xinhuanet, Beijing, Nov. 23 (reporter Zhao Xiaohui): The Internet Society of China has formally published a definition of malicious software, providing a basis for the next step of researching countermeasures.

Under the definition, malicious software is software that is installed and run on a user's computer or other terminal without clearly notifying the user or without the user's permission, and that infringes the user's legitimate rights and interests; it does not include computer viruses as defined by Chinese laws and regulations.

The Internet Society of China considers software with any of the following characteristics to be malicious software:

--Forced installation: installing software on a user's computer or other terminal without clearly notifying the user or without the user's permission.

--Difficult to uninstall: not providing a standard uninstall method, or leaving active programs behind after uninstallation even when no other software interferes and nothing has been deliberately damaged.

--Browser hijacking: modifying the user's browser or other related settings without the user's permission, forcing the user to visit particular websites or preventing the user from using the internet normally.

--Pop-up advertising: using software installed on the user's computer or other terminal to pop up advertisements without clearly notifying the user or without the user's permission.

--Malicious collection of user information: maliciously collecting user information without clearly notifying the user or without the user's permission.

--Malicious uninstallation: uninstalling other software without clearly notifying the user or without the user's permission, or by misleading or deceiving the user into doing so.

--Malicious bundling: bundling software already identified as malicious into other software.

--Other malicious acts that infringe the user's right to know and right to choose regarding the installation, use and uninstallation of software.

The Internet Society of China said the purpose of defining malicious software is to constrain internet companies' behavior through industry self-regulation, protect the legitimate rights and interests of internet users, and maintain a healthy online environment.

After the criteria for identifying malicious software are established, China will set up a malware reporting hotline and review, determine and publish a malware "blacklist". It will also organize internet service providers to sign a self-regulation pact against malicious software, pledging not to create or distribute software that has been defined as malicious.

China's internet user population has reached 123 million. The Ministry of Information Industry expects the number of Chinese internet users to surpass that of the U.S. and rank first in the world by the end of this year.

[Further Reading]

China's First Ruling in a "Rogue Software" Infringement Case: Plaintiff Loses

Xinhuanet, Beijing, Nov. 17 (reporter Li Jinghua): The Chaoyang District People's Court in Beijing ruled on the 17th on a "rogue software" infringement case, the first ruling in such a case in China.

The suit brought by plaintiff Dong Haiping over the "Yahoo Assistant" software against Beijing Alibaba Information Technology Co., Ltd. and Guofeng Internet Software (Beijing) Co., Ltd. was dismissed at first instance by the Chaoyang court for insufficient evidence, and the plaintiff lost the case.

Reporter's Investigation

The Gray Industry Chain Behind "Rogue Software"

Posing as prospective advertisers placing an online ad for mooncakes, the reporter and a netizen who sells mooncakes went undercover at an online advertising company on Beijing's East Third Ring Road. A salesman surnamed Fang received us and began recommending the company's most effective product, pop-up web advertising.

According to the salesman, there are at least several hundred online advertising companies and studios in China that sell pop-up ads by relying on "rogue software"; these companies are the key link in the "rogue software" industry chain connecting upstream advertisers with downstream shareware authors. They typically describe their advertising strength in terms of "install base", meaning the number of computers their ad programs have infiltrated. Some large companies have an install base of more than 20 million machines, and small ones can reach around 1 million; at a million pop-ups a day, monthly income of several hundred thousand yuan is normal, and annual income exceeding 10 million yuan is not surprising. The salesman revealed that his company had successfully developed a new ad program about to be put into use, which can embed image or video ads inside the articles users are reading.

Expert Advice

Be Careful When Deleting Rogue Software

Sometimes while we are using the computer normally, the antivirus software suddenly raises an alarm that a virus was found in some plug-in, yet the antivirus cannot delete it automatically and it cannot be uninstalled through Add/Remove Programs; it can only be quarantined for the time being by the antivirus. In this situation, experts do not recommend deleting it directly. If the virus is not on the C: drive, deletion may still be an option, but because the removal is not done through Add/Remove Programs, the malicious plug-in is very likely not to be removed completely, and the leftover parts will very likely remain resident on the computer, permanently consuming valuable system resources. Worse, if some malicious plug-ins are not removed completely, after the next boot they will automatically download the deleted parts over the network and reinstall themselves.

For malicious plug-ins located on the C: drive, professionals advise users not to attempt a forcible deletion lightly.

For the problems above, experts suggest that users take the name of the problem plug-in or virus reported by the antivirus and search online for its nemesis: which dedicated removal tool, or which other antivirus product, specifically handles this problem. Sometimes, simply upgrading the antivirus you currently use to the latest version can also resolve the problem quickly.

Friendly Reminder

Develop Good Security Habits

1. Develop good security habits; do not open suspicious e-mails or suspicious websites;

2. Many viruses spread by exploiting vulnerabilities, so patch your system promptly;

3. When installing software, read the license agreement carefully and examine every step of the installation process, to avoid having adware installed;

4. Install professional antivirus software, upgrade it to the latest version, and turn on real-time monitoring;

5. Install personal firewall software with a "Trojan wall" feature to prevent password theft.


from: Xinhuanet

Active FTP vs. Passive FTP

Some things to understand about FTP: PORT mode and PASV mode.
Read this help file from Microsoft.

Here is also a very useful article explaining the difference between Active FTP and Passive FTP.

The following chart should help admins remember how each FTP mode works:

Active FTP :
command : client >1023 -> server 21
data : client >1023 <- server 20

Passive FTP :
command : client >1023 -> server 21
data : client >1023 -> server >1023

A quick summary of the pros and cons of active vs. passive FTP is also in order:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.

For details, please go to the website.
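Added example, not code from the original post or from the articles it links: Python that decodes the PASV reply and PORT command behind the chart above and applies the limited-passive-range compromise from the client side. The passive port range and the addresses are assumed values chosen for illustration.

```python
import re

# Regexes for the two address encodings used by FTP (RFC 959):
#   server reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
#   client cmd:   PORT h1,h2,h3,h4,p1,p2
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)

def _decode(groups):
    """Turn six byte values into ('h1.h2.h3.h4', p1*256 + p2)."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("byte value out of range: %r" % (groups,))
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]

def parse_pasv_reply(reply):
    """Endpoint the client must connect to for the data channel (PASV mode)."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _decode(m.groups())

def parse_port_command(cmd):
    """Endpoint the server connects to, from port 20, in active (PORT) mode."""
    m = _PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode(m.groups())

def passive_endpoint(reply, control_peer, allowed_ports=range(50000, 50101)):
    """Client-side view of the compromise described above.

    The server admin opens only a limited passive port range, so a client
    can refuse a data port outside it instead of hanging on a firewalled
    connect (the range here is a hypothetical example). If the advertised
    address differs from the control connection's peer (typical behind NAT),
    fall back to the control peer, as many clients do.
    """
    host, port = parse_pasv_reply(reply)
    if port not in allowed_ports:
        raise ValueError("data port %d outside the agreed passive range" % port)
    if host != control_peer:
        host = control_peer
    return host, port

def active_mode_expectation(port_cmd):
    """What a client-side firewall must allow for active mode to work: an
    inbound connection from the server's port 20 to the client's random high
    port. Returns (client_host, client_port, server_source_port)."""
    host, port = parse_port_command(port_cmd)
    if port <= 1023:
        raise ValueError("client data port must be > 1023, as in the chart")
    return host, port, 20
```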

elgrithms

This site has some very useful tools.

Chaos MD5
Chaos Mash

and some others.

Solidot Will Continue to Run Stably

Posted by CdrPlum on Tuesday, September 12, 2006, at 14:05
This past week's negotiations over the transfer of Solidot have reached a result, and an agreement in principle has been reached with the acquirer. The acquirer is a well-known domestic technology website; we will not disclose its name for now, but it is definitely not one of the three major portals, although people from the three major portals did come to negotiate. Over the next few days we will proceed with the handover and the other steps, and once everything is complete we will announce the details publicly.

The other party has promised that Solidot's rules will not change and its style will not change; it will continue to develop under the current model, and after the acquisition the acquirer will provide hardware and technical support, which will ensure that Solidot runs more stably.

After the acquisition, I and several core editors will continue to take part in maintaining Solidot. Geeks, please keep supporting and participating in Solidot: submit the new stories you find and post comments. Under its new owner, Solidot will surely go on to even greater things!

Jesse "CdrPlum" Lee

robtex