Security threats evolving at breakneck pace


Posted

The most recent threat landscape report from Forrester claims the gap between hacker threats and suitable security defenses is widening, at a faster pace than ever before. ...threats are coming from “highly organized, well-funded” crime networks, or even state-sponsored actors. ... “The attacks are much more targeted, sophisticated, and resourceful” ... “Attackers go after the network, then the applications, and then the data, covering all traces of their presence as they penetrate”, the authors noted, adding that “the ultimate goal is to modify the application in some way so that [attackers] get a consistent source of revenue”. ... it acknowledged that “security technology vendors in general have overpromised and underdelivered”. Instead they advocated for a layered security defense that does not rely on any one particular technology to address a single risk area.

17 August 2010
The Infosecurity Article is available for your review


Posted (edited)

There is a really nasty variant of the Sality virus very active now. I'm seeing it with Win32/Heur and this family has many of the same characteristics as Virut. This is the one exploiting the LNK vulnerability - "currently unpatched Windows shortcut vulnerability". Microsoft reports a surge in related attack traffic generated by threats from the Sality family of malware.

The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader Trojan component that installs additional malware via the Web.

Edited by Bobbye
sp


Posted

Best bet with these is to format/reinstall for 2 main reasons:

1) File infectors such as Sality or Virut can cause the system to become unbootable; better to back up and format before it's too late.


2) Once they infect a legitimate file, they will invalidate that file's digital signature.

That means that ANY program file on this machine will NOT verify as signed by Microsoft after a Sality infection.

With any Backdoor Trojan:
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infections can be identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with these types of trojans, the best course of action would be a reformat and reinstall of the OS.


Posted

Many experts in the security community believe that once infected with these types of trojans, the best course of action would be a reformat and reinstall of the OS.

The proper configuration of a G O O D firewall will allow monitoring of ALL sessions, including all outbound connections.
  1. disconnect from the Internet
  2. set the FW to ASK for all outbound connections
  3. reset all 'approved applications', which will force your approval for every outbound connection
  4. look for connections to unknown sites or IP addresses.
Most keyloggers will use email, FTP, or HTTP connections to 'phone home'
(ports 25, 21, 80 respectively) and you only need to understand:

did I initiate this action?

For those who are careless enough to access the Internet using a login with Admin priv's - -
then perhaps you need to take extremely disruptive action.

Again, personally, with financial and business data on the system,
Wipe Clean and Start Over is a 0.001% probability for me and this
would be at least two levels of embarrassment:

  1. that I was infected at all and ...
  2. I had no means to control the network data flow which would allow further exposures.
Please pull the lever on the trap door and just hang me on the spot.

In the commercial world, a person from the Help Desk department might be asked to stop by to resolve a problem from time to time.
If I ever heard the comment that the recommended action was to re-image the system (aka wipe and start over) I would ask them to leave and tell them flatly,

If you can't solve the problem then please don't compound the situation . . . I'll learn how for myself even if it causes me extra hours w/o pay.

Invested some time (ie learned a lot) but never suffered the pain of wipe and reinstall either.
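Step 4 of the firewall procedure above, as an added PowerShell example (not the poster's own code): it lists established outbound TCP sessions on the three ports the post names, drops any whose remote address matches a small known-good list, and resolves the owning process and its signature status so each remaining row can be answered with "did I initiate this?". It assumes Get-NetTCPConnection (Windows 8 / Server 2012 and later) and that you replace the placeholder allowlist patterns with your own hosts.

```powershell
# Added example, not from the thread. Ports 21/25/80 are the ones the post
# names as common "phone home" channels; $KnownGood patterns are constructed
# placeholders, replace them with addresses you actually expect to talk to.
$WatchPorts = 21, 25, 80
$KnownGood  = @('10.*', '192.168.*', '127.*', '::1')

function Get-SuspectOutbound {
    param([int[]]$Ports = $WatchPorts, [string[]]$Allow = $KnownGood)

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.RemotePort } |
        Where-Object {
            # keep the session only if no allowlist pattern matches the peer
            $remote = $_.RemoteAddress
            -not ($Allow | Where-Object { $remote -like $_ })
        } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $svc  = switch ($_.RemotePort) { 21 { 'ftp' } 25 { 'smtp' } 80 { 'http' } default { 'other' } }
            # Path (and thus the signature check) needs an elevated shell for
            # processes owned by other accounts
            $image  = if ($proc -and $proc.Path) { $proc.Path } else { $null }
            $signed = if ($image) { (Get-AuthenticodeSignature -FilePath $image).Status } else { '(run elevated)' }
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Service = $svc
                PID     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '(exited)' }
                Image   = if ($image) { $image } else { '(unknown)' }
                Signed  = $signed
            }
        }
}

# One row per session you did not obviously start; a browser on port 80 is
# expected, an unsigned binary in a temp folder on port 25 is the case to chase.
Get-SuspectOutbound | Sort-Object Process | Format-Table -AutoSize
```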


Posted

We would not be infected in the first place, and if by some chance you were, your information would still be secure. Many of the logs posted here on the site show gaping holes in the users' security.

I would prefer they have appropriate protection ahead of time, and follow all of the security guides we have posted, but the fact is many users won't find us until after the fact.

For these users, I am not saying they can't back up data, but as stated above, with these particular infections ANY program file on these machines will NOT verify as signed by Microsoft after a Sality infection. With Virut the infection spreads faster than can be contained by any antivirus. It's a file infector, which infects legitimate files.

More specifically, all programs and zipped files need to be removed, as well as the operating system itself. You can back up your documents, images, music, etc.

1) How comfortable would you feel knowing you couldn't verify signatures on those files?

2) Had you performed internet banking, made a purchase with a credit card, or revealed other sensitive info over the web while infected, what's to say your information has not already been compromised?

I'll learn how for myself even if it causes me extra hours w/o pay.
In my opinion, it's better safe than sorry. Plus, how long does it take to backup your data and format/reinstall? Last time I did it (not due to infection), it took less than an hour. I personally don't keep important data on the same drive as my OS on any of my systems.
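The signature claim made in this post and in the earlier "format/reinstall" post, as an added PowerShell example (not the forum's or any poster's code): it sweeps the program directories and records the Authenticode status of every executable. The directory list and report path are assumptions.

```powershell
# Added example, not code from the thread. A file infector that patches a
# signed binary leaves it with status HashMismatch (signature present, but the
# file body no longer matches it), which is the symptom the posts describe.
# NotSigned on its own is not evidence: many Windows files are catalog-signed
# and older PowerShell versions report those as NotSigned.
param(
    [string[]]$Roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32"),
    [string]  $Report = "$env:USERPROFILE\Desktop\signature-report.csv"
)

$results = foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified = $_.LastWriteTime
            }
        }
}

# keep the full sweep for later comparison (a second run after cleanup should
# show the HashMismatch count going to zero, not merely shrinking)
$results | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

# status breakdown for the whole sweep
$results | Group-Object Status | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# the rows that matter: signed files whose bodies were altered, newest first
$results | Where-Object { $_.Status -eq 'HashMismatch' } |
    Sort-Object Modified -Descending |
    Format-Table Path, Modified, Signer -AutoSize
```

Run it from an elevated prompt so every file under System32 is readable; a clean machine should produce a mix of Valid and NotSigned and no HashMismatch rows at all.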


Posted (edited)

I don't know whether to laugh or cry at what some think they need for security! I almost always find one of three situations in a malware log:

1. There is no antivirus and/or firewall, or the FW is incoming only.
2. There is too much security. Especially multiple AV programs and multiple suites.
3. The majority of users don't understand what they need or how to use it! Most common is the complaint of security 'blocking' sites > don't understand the difference between incoming and outgoing > don't understand that blocking bad sites is a good thing > or that they have a button they can click on for 'Don't show me alerts'.

It is a very scary place on the internet when so many readily admit 'I don't know anything about computers.'!
And so few ask 'how can I learn?' It's a big soap box stance for me.

Edited by Bobbye
Correction


Posted

As can be expected;

YOU ARE SPOT ON in your observations


I'm equally dismayed to see how so many are naively using their Admin Login to surf the net!


Posted

This is one area I wouldn't mind being proven wrong! But I don't see it happening.
