WannaCrypt Makes Other Malware Authors WannaCry

 Computing, Security  No Responses »
May 172017
 

It may not be very funny, but the funny thing about WannaCrypt is that it is somewhat of a failure! Unless the authors are spectacularly stupid (not entirely impossible incidentally), they have no way to recover their ill-gotten gains. The pile of looted bitcoins they have acquired is fully visible, so any attempt to use those coins will almost certainly result in them being tracked down – they have attracted too much attention.

Which is another aspect of the WannCrypt malware – it has highlighted the vulnerability (MS17-010) and caused a huge vulnerability hunt. Which is causing those who wrote other malware (such as Adylkuzz) to gnash their teeth, because otherwise their malware would have quietly worked away in the background. The malware authors behind Adylkuzz have probably made more money than the WannaCrypt malware authors … and may well get away with their loot too.

Which is why other malware authors “wannacry” – the attention that WannaCrypt has gotten has ruined MS17-010 for them.

Anti-Virus Is Dead. Long-Live Behavioural Analysis …

 Computing, Security  No Responses »
Jul 142016
 

One of the throw-away statistics I tripped over recently was that there are 5 new malware releases every second.  Now many of those new releases are variations on a theme – there are pieces of software designed to distort a piece of malware into a new piece of malware with the same functionality. This is done deliberately to evade anti-virus software.

And it works. Every so often I feed some strange mail attachments into virustotal to find out how widely it is recognised. It is not uncommon to find that only 2-3 will recognise it as malware out of 50-odd virus checkers on that site. So if you happen to be dumb enough to download and activate the attachment, your anti-virus checker has a roughly 5% chance of protecting you.

Not exactly what you should expect.

I recently sat through a sales pitch for a not-so-new corporate product that does anti-malware protection very differently. Of course it is also insanely expensive, so I will not mention the actual product, but it does offer something new. Protection against malware by checking and blocking behaviour.

Whilst they add all sorts of clever data analysis tricks, fundamentally anti-virus products recognise malware because they recognise the data that makes up the malware. If they don’t recognise the signature of the malware, then they do not know it is malware; so they have an incredibly difficult time recognising new malware releases.

But recognising malware based on behaviour is far more likely to successfully recognise malware – for example by recognising an attempt to make itself persistent in a way that an ordinary application does not do, and blocking it. Which is a far more practicable method of blocking malware (if it works!).

It is also something that should probably be built into operating systems, which to a certain extent already has been.

The New Defence

The New Defence

 

 

Do OSX Users Need Anti-Virus Products?

 Computing, Security  No Responses »
Aug 192011
 

Revised answer: Yes

The longer answer gets a bit more involved. First of all, there is some level of protection built into OSX against malware called File Quarantine. There are limits to how much protection this provides compared with PC anti-virus and anti-malware products as it protects against known malware at the point where the malware is installed or run.

It is also limited by the frequency at which the OSX operating system is updated – OSX is typically updated once a week – unless you put off applying updates whereas a PC-style anti-virus product will typically update it’s virus definitions on an hourly basis. This would seem to make it totally inadequate, but OSX just doesn’t have as much malware as Windows.

There are a number of possible reasons for this including that OSX is inherently more secure and that OSX just doesn’t have enough of a market share for malware authors to bother with. The truth behind the lack of malware for OSX is only known to the malware authors, although it should be noted that OSX viruses do exist (as do Linux ones).

You could take the attitude that a flood of OSX malware is due any day now, and insist on running an anti-virus product in addition to the inbuilt protection OSX has. There are of course people warning that the flood of OSX malware is just around the corner, although they tend to be people connected to the anti-virus industry so are perhaps less than totally disinterested.

Of course if you have some seriously private data to protect, you should probably consider it. But most of us don’t work for the intelligence services, so can be a little less protected … for now. This of course can all change next month, next year, or sometime, so don’t take the word of this blog entry seriously especially if the date on it is a long time ago!

Of course now some time has passed, the situation has changed (with Flashback amongst others), so the answer is that yes you do need an anti-virus product. It is true that Apple has some built-in protection against Malware, but Apple is not an AV company and so they may well react too slowly to protect you.

PC Malware Handling

 Security, Working Notes  No Responses »
Jun 182011
 

This is a series of notes on dealing with PC malware (viruses, worms and the like) gathered because I’m looking into it and published as a way of reminding myself about this stuff. Bear in mind that I’m not an expert but neither am I a complete dunce – I’m normally a Unix or Linux person but I’ve been keeping half an eye on Windows infections for years.

Some links to tools are contained within. However you should be aware that tool recommendations change over time; you will need to check how outdated this document is before following any recommendations blindly.

At present this blog entry is a work in progress … lots of testing needs to be done before being confident this is right.

Cleanup Process

This is not :-

  1. How to approach this forensically – if you’re dealing with an investigation, it’s a whole other ball game and you probably need professional assistance to avoid corrupting evidence.
  2. A technical guide as to which tools to use.

1. For The Ultra Cautious Or When Handling Real Important Data

The process of removal can be destructive, and in the worst cases you can end up cleaning the malware and ending up with a brick. So make an image of the hard disk as it is. Two basic ways this can be done :-

  1. Removing the hard disk from the infected machine, attaching to an appropriate machine (USB->SATA, USB->IDE converters are handy here), and making an image of the disk.
  2. Booting off a “rescue” CD on the infected machine, and imaging the hard disk to a network share of some kind. This is the preferred option.

This will be slow. So be it. Cleaning an infected PC is not going to be a quick job whatever you do. The best you can hope for is that there are many periods where you can leave it churning away and get on with something else.

2. Boot A Rescue CD

There are those who tell you that there is no need to boot off a known uninfected disk to clean an infected machine; their anti-malware/virus product can clean an infected machine “live”. There are others who claim that the only way to be sure is to boot off that disk and clean the machine that way. Both are wrong.

If you are paranoid (and in the presence of malware paranoia is fully justifiable), you will do both.

3. Boot Infected Machine and Clean

As suggested previously after booting off a rescue disk and cleaning, boot the infected machine and clean again.

Tools

The following is a list of rescue CD’s that have been suggested :-

  • UBD4Win. Has to be “built” with the assistance of an XP installation; somewhat tedious but it isn’t the end of the world. However it does need preparing in advance – building a rescue CD with the assistance of an infected machine isn’t the most sensible idea!
  • Knoppix. Graphical, pretty, feature packed, but seems to be lacking in anti-malware tools (for instance the only AV tool included is Clam).
  • Trinity Rescue Disk. Menu interface. Virus definitions update over the net; choice of Clam, F-Prot, Bitdefender, Vexira, AVast (need to obtain license key). Various other utilities.
  • F-Secure Rescue CD.

Some of the above are Windows based; some are Linux based. The choice of which to use should be based on results not whether they tickle your prejudices (or mine!).

The following is a list of “live” tools to be installed that have been suggested :-

Asides

Nothing to do with the main subject. Merely some notes worth mentioning.

It seems that at least some malware can detect it is running within a virtual environment. In some cases it ceases to do anything, and in others may try to “break out”. This indicates that analysing malware within a virtual environment may not give sensible results, and in some cases may be dangerous! That is not to say that using a virtual environment is no longer of any use, but you may need to take special case such as running the virtual environment under Linux and/or ESX rather than Windows. And be careful about negative results.

Network Block Depreciation

 Computing, Security  No Responses »
Apr 142011
 

This is one of those things that I was under the impression was widely understood (at least amongst a certain specialist population of IT people), but apparently not.  As anyone who has ever paid extra for a static IP address, a network block has some notional monetary value. To give you an idea of how much, a quick search shows that a certain ISP (it doesn’t matter which one) charges $2.50 per month for a static IP address.

The scales up to a value of $637 for a /24 network block, $163,000 for a /16 network block, and $41 million for a /8 network block. These values are of course wildly unrealistic given that network blocks can’t be sold (or at least not usually, although I do know people who have sold them). But let’s assume they do have a monetary value – after all with the starvation of IP addresses it is not impossible that network blocks could be traded.

Physical objects are subject to depreciation to represent the declining value to the organisation – a 10 year old server may eventually have an interest to a museum, but an organisation is likely to realise that it makes more sense to replace it.

Network blocks are also subject to depreciation although it is not time dependent but depends on what use is made of that network block. If we assume that network block A has been assigned to a bunch of unrepentant scamming spammers, what is likely to happen ? Well as spam floods their networks and servers, network administrators and system administrators will start to block addresses within network block A.

Some of the blocklists are collectively run, but some are run by individual organisations. In the later case you cannot ensure that these will ever be removed. As a network block gradually acquires more and more entries in numerous blocklists around the world, it becomes of less use to those who want to use it. It decreases in value.

Similarly when a network block (let’s call it “B”) is used for a collection of workstations run by users whose interest does not extend to keeping their machines secure, it will be populated by machines infected with various forms of malware. As such, it is also subject to being cast into the blocklists of the world. In most cases, the users will not notice, but if that network block ever gets reallocated to servers, those servers are subject to problems caused by historical entries in blocklists.

So each malware infection a machine is subject to has a cost associated with it – it has decreased the value of the network address it uses by a tiny amount. Over time and with enough long-lived malware infections, it is possible that a network block will have a much lower value than an unused network block.