TechyTrends

Security experts are downplaying the potential impact of a virus which some believe is set to strike on 1 April.

Conficker has infected up to 15 million computers to date and is set to change the way it works .There have been some reports the worm could trigger poisoned machines to access personal files, send spam, clog networks or crash sites.

Origins

Conficker, also known as Downadup or Kido, first appeared last November. The worm is self-replicating and has attacked a vulnerability in machines using Microsoft's Windows operating system, the software that runs most computers.

It can infect machines via a net connection or by hiding on USB memory drives used to ferry data from one computer to another. Once in a computer, it digs deeps, setting up defences making it hard to extract.

Microsoft put up $250,000 to catch those behind Conficker

Among those affected by the virus have been the House of Commons and the defence forces of the UK, Germany and France.

The reason for the hype and the concern around Conficker is that 1 April is the day the worm is set to change the way it updates itself, moving to a system that is much harder to combat.

Five months ago a consortium of web security firms banded together to form the Conficker Working Group, to learn more about the worm and to try to stop it.

Last weekend the team located what they call a "fingerprint" or "signature" for the virus that means they can detect how an infected machine can be identified on a network much quicker than previously.

Security researcher Dan Kaminsky, a member of the group and director of penetration testing at IOActive, told the BBC this was a major breakthrough.

"We know these bad guys are in places they really shouldn't be. With this new trick it is much easier to find them. It means we can say, OK, I don't know what will happen but I can tell you 10,000 systems are under the control of the bad guys and here they are."

Lucrative

While no-one in the industry is 100% sure of the aim of Conficker, they are positive the people behind it are more concerned about making money than causing mayhem.

That is a view backed by PC Magazine editor-in-chief Lance Ulanoff.

"People write malware today not because they want to make a public splash. It's old school to want to make computer screens turn red and say Love Bug.

The worm has also been able to spread via USB flash drives.

"Today crime syndicates run these things because they are interested in making money and if they are not making money there is no point in it."

A recent report by security firm Finjan claimed that cybercrime is as lucrative a business as drug trafficking.

Its Cybercrime Intelligence Report found that a single hacker could make as much as $10,800 (£7,300) a day, which the company extrapolated to $3.9m (£2.6m) a year.

Finjan's chief technology officer Yuval Ben-Itzhak said: "Cybercrime today is a very, very big business and those behind Conficker have spent a lot of money organising, writing code and securing these machines so they will be looking for a return soon.

"This type of cybercrime activity is here to stay and will grow because there is so much money involved and its hard to get caught."

"Arms race"

In February Microsoft put up a bounty of $250,000 to anyone who could help identify those behind Conficker. It also issued patches to address the vulnerability.

Industry experts say consumers and companies should regularly update their security software and apply Windows updates as well as protect computers and files with strong passwords.

Conficker is an aggressive worm that has crawled into millions of machines

Symantec has issued a free trial version of its products that will detect and remove the worm.

VeriSign, one of the guardians of the networked world, believes these bugs exist because the general level of security is just not high enough.

"This is a testament to making consumer products useable and user friendly, which means security has to be relaxed a little," said VeriSign's chief technology officer Ken Silva.

"If all the security measures were deployed that should be deployed, they would become too annoying and too difficult for most consumers."

Many in the industry describe Conficker as one of the worst worms they have seen for years and certainly one of the more aggressive.

"This is an arms race," said Mr Kaminsky. "We have to find these guys. We have done it in the past. I can do what I can as a geek but there is as much need for law enforcement and state action as there is for technical creativity.

"But people should feel good because the good guys are working to stop these bad guys."

Security analysts at F-Secure believe more than 8.9 million computers have been infected by the virus, a worm, which is known variously as Conficker, Kido or Downadup, and targets the Windows operating system. Microsoft said that the worm searches for a Windows file called “services.exe”, and then embeds itself as part of that code. From there, it is able to burrow deep into the operating system, even changing the System Registry, which stores settings and options for Windows, to trick the machine into running the infected program.

The majority of computers infected by the worm, which was first identified in October, are in Russia, China, Brazil and India. Once the worm is running on the computer, it makes it very hard for users to restore their machine to a safe point before their operating system was infected, and automatically starts to download more malicious programs, that further compromise the PC, from hackers’ websites.

Anti-virus experts at F-Secure said the level of infections by the worm was “skyrocketing” and the situation was “getting worse”. The company has warned that tracing the hackers’ websites the worm ‘phones home’ to is incredibly difficult, because they are constantly changing their domain names.

Eddy Willems, a security analyst with anti-virus firm Kaspersky Labs, told the BBC that a new strain of the worm was causing additional problems.

“There was a new variant released less than two weeks ago and that’s the one causing most of the problems,” said Mr Willems

“The replication methods are quite good. It’s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism.”

Computers users are advised to ensure their anti-virus software, operating system and firewall is up to date, and that they have installed a Microsoft patch designed to combat the problem, MS08-067, which is available from the Microsoft site.

The worm, also known as Downadup and Kido, affects Microsoft’s Windows operating system, and burrows deep into the computer’s System Registry to open up a ‘back door’ in to machines that hackers and spammers could use to commit further malicious attacks or steal personal data.

Symantec says the new version of the Conficker worm gives infected machines more powerful means to disable antivirus software, among other things. The virus, identified as W32.Downadup.C, is not attempting to self-replicate, and behaves more like a Trojan than a worm, said Vincent Weafer, vice president of security response at Symantec.

“Think of it as an updated module that’s more aggressive, more robust in defending itself,” he said. “It’s more aggressive, it has more services.”

The new strain first came to light on Friday, and is being tested by Symantec to identify its capabilities. The security company said that it had not yet seen the worm ‘in the wild’ in customer networks as yet.

W32.Downadup.C is designed as a supplementary virus for already infected machines, and makes it harder for antivirus software to root out and eradicate the worm.

Last month, Microsoft issued a $250,000 reward for information leading to the capture and conviction of Conficker’s authors. The company has also released a set of removal tools and software patches to combat the worm, but these may not offer protection against new strains of the virus.

USB memory sticks are helping to spread the Windows worm that has infected around 10 million computers worldwide, say security experts.

The virus – known variously as Downadup, Conficker, and Kido – is spreading at a rate of one million machines per day, according to anti-virus experts at F-Secure.

The worm, which targets the Windows operating system, is able to bury its way deep into a computer’s software, and makes it hard for users to restore their machine to a safe point before the virus struck. Once installed on a computer, it communicates remotely with hackers’ websites, automatically downloading more malicious software that could further compromise the integrity of the PC.

Although security firms have been tracking the worm for months, and Microsoft issued a security patch to combat the virus in October, many users have failed to patch their machines, leaving them vulnerable to attack, especially from new variants of the worm.

Security experts say that the virus is being unwittingly spread by computer users who are using USB memory sticks. The virus is easily transferred from an infected machine to a clean machine if the same USB stick is plugged into each.

F-Secure said that the worm takes advantage of the Windows operating system’s “Autoplay” function, which searches for programs stored on removable drives, such as memory sticks. The worm wriggles its way into this process, creating a fake folder on removable drives that users believe they can legitimately open. Once that folder is clicked on, the worm is activated and installed on the computer’s operating system, burrowing its way deep into the machine’s software.

“The replication methods are quite good,” warned Eddy Willems, a security analyst with anti-virus firm Kaspersky Labs. “It’s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism.”

Some security experts fear that the rapid spread of the worm is helping to create a giant “botnet” – a series of compromised computers running malicious software that could allow hackers to remotely take control of machines, enabling them to steal login information, security details and other sensitive data.

Computer users are advised to ensure their anti-virus software, operating system and firewall is up to date, and that they have installed a Microsoft patch designed to combat the problem, MS08-067 , which is available from the Microsoft site. There is also a recently issued Microsoft removal tool that may be able to restore machines already infected by the worm.

Symantec said Tuesday that it is looking into allegations that a call center in India leaked credit card numbers of its customers to someone who then sold them to BBC News reporters in an undercover investigation.

The company has informed U.K. privacy authorities and attorneys general and officials in eight U.S. states and Puerto Rico of the allegations that three U.K. customers had credit card information leaked and that about 200 U.S. customers may have been affected because of interactions with the call center, said Symantec spokesman Cris Paden.

"We nailed it down to one agent at the call center" who handled the Symantec customers, he said. That agent was put on administrative leave pending the investigation, he added.

In addition to Puerto Rico, the states contacted were: New Hampshire, Maryland, New Jersey, Maine, Massachusetts, New York, Virginia, North Carolina, Paden said.

It was unclear how the data of the three UK customers got from the call center and into the hands of the man who the BBC News said sold the credit card numbers. Nor was it clear whether any data from the U.S. customers had been leaked. Paden said there was no evidence that any U.S. data was exposed.

In a letter to New Hampshire Attorney General Kelly Ayotte dated March 24, the security vendor said it was "investigating a potential security incident involving a small number of customers' credit card information."

The letter said Symantec was sending a notice to an unnamed customer in New Hampshire who may have been affected by the alleged incident, even though the company does not believe a security breach as defined by New Hampshire statue had occurred.

The company said even though it has no evidence that credit card information of any U.S. residents was actually compromised, it was offering its customers one year of identity protection services through Debix as a precautionary measure, and reviewing its "security processes and third-party vendor protocols."

The BBC News reported on March 19 that undercover reporters posing as fraudsters had gone to Delhi to buy 50 credit card numbers, at $10 a card, from a man who claimed to have gotten them from a call center. They filmed the interaction. The man denied any wrongdoing, the BBC said.

When the reporters contacted some of the card owners, three of them said they had bought Norton software from Symantec over the phone using their cards and the purchases were found to have been made within hours of each other and the numbers were sent to the BBC shortly thereafter, the report said.

Symantec has set up an e-mail address for customers to contact to get more information at global_purchase_query@symantec.com.

The BBC recently got flack for purchasing a botnet and using it in some tests to show the dangers Web surfers face.

Back in the old days when TVs and radios had tubes, it took a couple of minutes for a set to warm up before you could watch or listen. But even then, you could turn it off instantly. That's not true with Windows PCs. Not only does it sometimes take seemingly forever for them to boot, but it can take several minutes for one to shut down. Even worse, if a program stops responding, you may or may not be able to shut it down. And even if it does terminate, it may take awhile.

And by the way, I'm not just talking about Windows XP and Vista. I'm having the same problem with Windows 7, though, to be fair, the new operating system is still in beta so it's possible that Microsoft could amaze and delight me by fixing this in the final version.

I can understand why it takes at least some time for a PC to boot from a power-off situation because the operating system and some software and drivers have to be copied from storage into memory. But I can't understand why it takes more than a few seconds for the computer or one of its applications to shut down. I realize that sometimes there is a bit of housekeeping to do in the form of closing files but--give me a break--should that really have to take up to five minutes? And there have been countless times in my experience when it simply never shuts down, forcing me to hold the power button for several seconds. I've even had laptops that were so stubborn that I had to remove the battery to turn them off.

I'm particularly annoyed at how Windows often fails to terminate programs that have crashed. In theory, pressing Ctrl Alt and Delete to bring up the Task Manager followed by clicking End Task should simply stop the program and return you to the operating system. But that doesn't always work. Sometimes the program just hangs there forever, sometimes it quits after a random period of time and sometimes the entire computer just crashes. Imagine if you had a lamp in your house that was malfunctioning and the only way to turn it off was to turn off all the power to your house from the main breaker.

I haven't raised this particular issue with people at Microsoft, but a couple of years ago- when I was researching a story for The New York Times on technology energy hogs, the standard response from folks in Redmond was to blame third party applications and drivers for the fact that Windows machines often fail to properly go to or wake up from from sleep mode. Third party applications may very well be to blame, but it's no excuse. One of Windows strongest selling points is its ability to work with software and hardware from thousands of sources so it seems to me that a company with the resources and experience of Microsoft should have by now figured out how to handle errant programs and drivers.

I do like many of the improvements in Windows 7 and appreciate that it boots a little faster and--at least on my machine--seems better at going to sleep and waking up. Now all I want is the ability to turn off the darn machine and terminate a misbehaving program without having to dedicate my entire afternoon to the task.

Let's assume you're on the receiving end of the worst April Fool's Day joke of 2009: your computer's been infected with the Conficker virus. It's a frustrating but not insurmountable problem. This guide will walk you through how to cleanse your computer and inoculate against other Conficker variants.

First off, make sure that you are actually infected. There aren't many warning signs, but a few will stand out if you know what to look for. One fast way to check is to try to visit any major security software publisher's Web site. If you've cleared your browser cache beforehand, and you can load the sites of Symantec, Eset, Avira, or AVG, you're clean because Conficker blocks access to them.

Another good litmus test is to check on the status and functionality of Windows services such as Automatic Updates, the Background Intelligent Transfer Service, Windows Defender, and Error Reporting Services. If any of those have been disabled without your consent, or if your account lockout policies have changed without approval, you might be infected. Other warning signs include unusually high traffic on your local area network, and domain controllers responding slowly to client requests.

If you're running an up-to-date virus scanner, it's unlikely you'll get infected unless you've configured your computer to not receive automatic Windows updates. Checking your list of installed updates for security update MS08-067 (KB 958644) is not recommended because the worm, alternatively known as Kido, Downup, or Downadup, fakes the patch job.

Assuming you've got the virus, the next step is to download one of several free removal clients. The Conficker-specific tools are McAfee's Stinger, Eset's Win32/Conficker Worm Removal Tool, Symantec's W32.Downadup Removal Tool, and Sophos' Conficker Cleanup Tool.

Avira specifically mentions on their Web site that Antivir will prevent infection and remove the virus if you have it, although I don't have an infected machine to confirm this against. AVG states that AVG Free will protect you against the virus, but doesn't say if it can remove it once you've been infected.

If none of these programs work for you, Avira also offers Conficker-specific instructions on how to use their rescue CD to fix your computer. This requires a secondary computer so you can create the CD, if you haven't done so prior to infection.

It is strongly recommended that if you're infected and you have the luxury of a second machine, disconnect the infected computer from the Internet and install any repair programs or other fixes via CD or USB key.

One of the most common infection vectors for Conflicker and its ilk is the Windows AutoRun feature. Eset claims that one out of every 15 threats they detected in 2008 used autorun.inf. Unfortunately, disabling it is not as simple as you may think, because even when disabled through conventional means it still parses most of the autorun.inf file, instead of not reading it at all.

To disable it completely, users will need to copy the text below into Notepad. It should be one line from the left bracket to the final quotation mark.

REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\IniFileMapping\Autorun.inf]@="@SYS:DoesNotExist"

Save it as something memorable, such as StopAutoRun.REG. Double-click on the saved file, and you close the AutoRun loophole. You also won't be able to automatically play DVDs just by putting them in the disc drive, but that seems a reasonable price to pay for slamming the door on this gaping security flaw.

Once you've gotten your computer clean and killed off the AutoRun feature, there's still more to do. These changes, however, are behavioral. Stay on top of Windows security updates from Microsoft, do not under any circumstances click on any Web-based ''free virus scan'' offers, and make sure you're not only running a reputable security suite, but that it's configured for daily virus definition file updates.

Synopsis: It is possible to protect an ELF binary against f-prot by corrupting its ELF header, while letting the binary completely functional. F-prot will crash when analyzing the file, letting the possible Malware undetected.

Affected Software: f-prot version 4.6.8 for GNU/Linux

Impact: Remote DoS, possibly remote code execution.

Vendor response: No vendor response

Credits: This vulnerability was discovered by Security Researcher Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

Reference: http://www.ivizsecurity.com/security-advisory.html

iViZ Green Cloud Security's patent-pending technology provides you comprehensive, exhaustive security coverage and vulnerability management to help your IT organization to effectively prioritize and remediate security threats. This helps to keep all security vulnerabilities affecting the vulnerability management of the organization in place.

Reconnaissance (Information Gathering) -iViZ Green Cloud Security solution collects all possible information about the target organization, its people and the network components. The information is collected automatically from different internet channels where the disclosed information on security vulnerability has been through by trusted sources.

Vulnerability Analysis -In this phase initial port scanning, OS Fingerprinting, Service Fingerprinting and the vulnerability analysis is conducted.

Threat modeling -The system models the threats keeping in consideration the technology, people and the business processes of the organization. All possible threats are enumerated using our patent-pending algorithms, thereby making a fool proof web vulnerability system

Intelligent Attack Planning -Using the above mentioned information, the system computes the optimal attack plans just like an intelligent human hacker (and in many cases, better than a human hacker)

Launching the Attack - The system launches the attack in this phase:

• Multi Stage Attack Paths Simulation
• Automated Exploitation
• Threat Modeling

Self Replication -Once a system is compromised, an agent is installed and that system starts behaving like an intelligent human hacker..

Community driven coordinated attacks -Several agents form a community of hackers and it mutually collaborates to break further into the network.

Post Attack Analysis -After the attack is complete a comprehensive analysis is done on the vulnerabilities found and the different attack vectors possible.

Reporting - The final reporting is done based on the vulnerabilities found and their corresponding remedies. The system also provides with comprehensive proof that it has broken into remotes systems by leaving proof in.

iViZ, an information security company that offers "Green Cloud Security", the world's only on-demand penetration testing for applications, networks and compliance, has announced that it has discovered new classes of vulnerabilities in many popular commercial and open source antivirus software. These vulnerabilities can potentially allow attackers to break into systems using such antivirus software.

Bala Girisaballa, Vice President, Head of Product Management and Marketing

iViZ "Green Cloud Security" Vulnerability Research team conducts extensive research on new vulnerability discovery and attack techniques. Using variety of file fuzzing techniques it has discovered abnormal behavior in several security tools when handling complex or unusual executable header data especially in the case of executables packed with 3rd party packers like UPX, FSG etc. In such events, multiple bugs were found in antivirus software while processing malformed packed executables. Some of these bugs proved to be security vulnerabilities which could make the antivirus itself as a back door for hackers. The affected antivirus software vendors were informed of this anomalous behavior.

The affected software include many popular commercial and open source antivirus software such as AVG, F-Prot, Sophos, ClamAV, BitDefender & Avast. Other software could also be vulnerable. Organizations can learn more on technical details, potential impact and remediation recommendations on iViZ “Green Cloud Security” website www.greencloudsecurity.com.

To ensure user security iViZ "Green Cloud Security" follows the practice of responsible disclosure. The vulnerability details are disclosed first to the affected vendor before being made public. Bikash Barai said “We work closely with the vendors to help them with details and also in developing the solution. The vulnerability is disclosed in public only after coordinating with vendors and ensuring their users’ safety. To ensure that our research cannot be maliciously used by attackers, the proof of concept exploits that demonstrate such real attacks in public are not released.”

Companies and businesses in sectors such as banking, finance and insurance, IT/ITES and consulting, online retail, e-commerce, manufacturing, telecommunications, R&D, media among others are highly susceptible to such risks and should make it mandatory to conduct periodic penetration testing to assess the security of their systems and networks. Networks and Applications could include off-the-shelf products (operating systems, applications, databases, networking equipment etc), bespoke development (dynamic web sites, in-house applications etc) and wireless (WIFI, Bluetooth, IR, GSM, and RFID).

Introducing Green Cloud Security and highlighting on how organizations can safeguard themselves against these emerging threats, Bikash Barai, CEO iViZpenetration testing can help companies combat the constantly evolving vulnerabilities and threats. Today there is a need for a more educated and alert user, and a vision to look beyond conventional security mechanisms in corporate information security.” explained how hackers can target a seemingly secure system and break into it by exploiting its antivirus software. “An attacker first crafts an email with malicious payload and sends it to the target user. When the email is scanned by the vulnerable antivirus software it can either crash the antivirus software or execute arbitrary code resulting in complete security bypass and remote system compromise” he added. said, “Regular periodic

About iViZ “Green Cloud Security”:

iViZ is an information security company that has developed the world's first artificial intelligence based “human hacker simulation” technology to find all possible attack paths by which intruders can compromise applications and networks. This technology can detect attack paths which are otherwise missed out in traditional testing and also suggest suitable remedies. Using this patent pending technology it provides "Green Cloud Security"– a Software-as-a-Service based on-demand penetration testing solutions for applications, networks and compliance. iViZ “Green Cloud Security” technology has won several global recognitions by Intel, University of California, Berkeley, London Business School, US Navy, US Homeland Security, Red Herring, Business Today and Nasscom. iViZ is credited to have consistently discovered numerous security vulnerabilities for the first time in the world in the products of several organizations like Microsoft, Intel, HP, McAfee, Lenovo etc. GreenCloud Security solution has been used to conduct more than 1200 Penetration Tests and has been adopted by organizations like British Telecom, Makemytrip.com, Yatra.com, Reliance, TCS, Airtel, NSDL, Indian Defence and leading media group. Originating from IIT Kharagpur, iViZ is funded by IDG Ventures, a global venture capital fund which has previously invested in companies like Netscape, MySpace, Baidu, Ctrip, Sohu, F5 etc. For more information, visit www.greencloudsecurity.com or www.ivizsecurity.com

Fully-automated, on-demand, comprehensive penetration testing solution for applications, networks

Most businesses across the world are repeatedly compromised by hackers, in spite of effective information security practices and assessment tools. To address this problem, Gartner has recommended “penetration testing [ethical hacking] that goes beyond simple vulnerability assessment and should be conducted regularly.”

Most enterprises use conventional penetration testing, which is time-intensive, manual, expensive and prone to human errors. Manual scanning cannot comprehensively identify all possible ways a network may be compromised by hackers. Labour-intensiveness puts a burden on the company’s resources and, hence, it defaults on regular testing.

iViZ, an information security company, has launched “iViZ’s automated multistage attack simulation,” a fully-automated, on-demand, comprehensive penetration testing solution for applications, networks and compliance.

Fast, accurate

iViZ penetration testing tool offers easy and affordable testing. An enterprise can avail itself of it anytime using a software-as-a-service based subscription model without buying or installing any software, says Bikash Barai, co-founder and chief executive officer. It is a fast, accurate and multistage attack path provider, giving comprehensive solutions.

Built-in compliance

It has a built-in compliance reporting for third-party certification from various international organisations. iViZ technology has been used to detect vulnerabilities in several products of Microsoft , McAfee, Intel, HP, Lenovo, AVG and Sophos.

iViZ’s on-demand penetration testing uses an artificial engine to check the intelligence of human hackers and plug the holes in the software that are missed by scanners and in manual approach. It can automatically conduct social engineering attacks to measure security awareness and also train the users.

Expensive tools no more

According to Mr. Barai, normal tools and manual methods miss out on several indirect ways in which hackers break into a network. The software-as-a-service (SaaS) approach adopted by iViz to provide on-demand penetration testing eliminates the need for expensive tools and professionals.

The subscription-based, on-demand solution addresses security and cost-effectiveness, he says. iViZ charges customers a subscription fee for conducting penetration testing. Based on the number and frequency of scans and servers or applications, customers can opt for a regular periodic subscription or choose a one-time service. The pricing, Mr. Barai says, largely dependents on the size of applications and frequency of tests.

A one-time testing for an application could cost between Rs. 30,000 and Rs. 3 lakh. It could cost more for any complex product. A yearly subscription with a package of monthly or weekly tests, could be more attractive.

The idea of creating the on-demand penetration testing was born when iViz started to provide security testing and audit to companies with significant IT exposure.

Artificial intelligence

Conventional penetration testing fails to detect the complex multistage attack-paths. The company, therefore, explored the use of artificial intelligence to simulate all multistage attack possibilities. A prototype was built and stabilised after it was tested in several environments.

This technology is currently under “patent pending” with the United States Patents & Trademark Office.

Today, the product has been installed in Airtel, Reliance, British Telecom, ING Vaisya, Fiat, Sasken, CNN IBN, CNBC, Makemytrip, Yatra, and the Defence Ministry.