Android security mystery – ‘fake’ cellphone towers found in U.S.

[There have been many comments to this story from people who are assuming that these ‘towers’ are physical installations. There’s no reason to assume this is the case: it’s far likelier that they are mobile installations of the kind used not only by law enforcement and government agencies, but also by scammers and other criminals. (David Harley)]

Seventeen mysterious cellphone towers have been found in America which look like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose, according to Popular Science.

The fake ‘towers’ – computers which wirelessly attack cellphones via the “baseband” chips that allow them to communicate with their networks – can eavesdrop and even install spyware, ESD claims. They are a known technology – but the surprise is that they are in active use.

The towers were found by users of the CryptoPhone 500, one of several ultra-secure handsets that have come to market in the last couple of years, after an executive noticed his handset was “leaking” data regularly.

Its American manufacturer boasts that the handset has a “hardened” version of Android which removes 468 vulnerabilities from the OS.

Android Security: Towers throughout the US

Despite its secure OS, Les Goldsmith of the handset’s US manufacturer ESD found that his personal Android security handset’s firewall showed signs of attack “80 to 90” times per hour.

The leaks were traced to the mysterious towers. Despite having some of the functions of normal cellphone towers, Goldsmith says their function is rather different. He describes them as “interceptors” and says that various models can eavesdrop and even push spyware to devices. Normal cellphones cannot detect them – only specialized hardware such as ESD’s Android security handsets.

Who created the towers and maintains them is unknown, Goldsmith says.

Origin of towers ‘unknown’

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says. “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one at South Point Casino in Las Vegas.” [Editor’s note: Goldsmith has asked us to stress that the tower was actually in the vicinity of the casino, not within the casino itself.]

Their existence can only be seen on specialized devices, such as the custom Android security OS used by Cryptophone, which includes various security features – including “baseband attack detection.”

The handset, based on a Samsung Galaxy SIII, is described as offering a “Hardened Android operating system” with extra security. “Baseband firewall protects against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures”, claims the site.

“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases,” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”

Baseband attacks are considered extremely difficult – the details of the chips are closely guarded. “Interceptors” are costly devices – and hacking baseband chips is thought to be technically advanced beyond the reach of “ordinary” hackers, ESD says. The devices vary in form, and are sold to government agencies and others, but are computers with specialized software designed to defeat the encryption of cellphone networks. The towers target the “Baseband” operating system of cellphones – a secondary OS which sits “between” iOS or Android, for instance, and the cellular network.

Goldsmith says that the devices cost “less than $100,000” and does not mention what level or type of device his team has detected. Most are still out of reach of average hackers, although freely advertised. One model is the VME Dominator, which is described as, “a real time GSM A5.1 cell phone interceptor. It cannot be detected. It allows interception of voice and text. It also allows voice manipulation, up or down channel blocking, text intercept and modification, calling & sending text on behalf of the user, and directional finding of a user during random monitoring of calls.”

What has come as a surprise is how many “interceptors” are in active use in the U.S., and that their purpose remains mysterious.

The post Android security mystery – ‘fake’ cellphone towers found in U.S. appeared first on We Live Security.

Anyone want to know my Social Security Number?

Let me tell you about yet another brain-dead Facebook meme* about ‘your [something or other] name’ games. These games are the sort of round-robin post that tell you how to generate your very own witness protection name, your soap character name, and similar richly meaningful concepts.

It’s Only Rock and Roll

Apparently the rock star name meme has been around since at least 2007, but I somehow managed to miss it for most of that time. Clearly I should consider dedicating what is left of my twilight years to Facebook so that I don’t miss anything.

Perhaps this one has something to do with the way rock stars, footballers, and movie stars, worried that alternatively pampering and neglecting their offspring might not be the optimum parenting methodology, give them ludicrous names like Leafmould Cheesecake. Or I suppose it might be a way of generating a name that will get you mistaken for a celebrity and ensure that you get into nightclubs and pay a larger than normal deposit on hotel rooms. Anyway, most of the examples I’ve seen (thank you so much, Google, for brightening my life yet again) are generated by combining the name of your first pet and something like your current car, your first car, or the street where you live. (I apologize if I’ve increased the danger that some future reader will be christened Tiddley Widdley 2CV.)

Security content coming up. (Finally.)

It may not have escaped your notice that those elements are very similar to those secret questions that banks and such want us to use to supplement those passwords that they take such good care of. Sometimes. (Here’s a list of other name ‘games’, several of which have a disquieting tendency to be based on ‘secret question’ data.)

I started looking into this social phenomenon when I recently came across a variation on the rock star meme: this one offers us the following way to find our own rock star names. Ready, steady, type:

  1. Your mother’s maiden name
  2. Your first pet’s name
  3. The model of your first car
  4. Your High School mascot
  5. Your favourite uncle
  6. The last four digits of your Social Security Number (SSN)

Several of my friends in the security business found this meme extremely amusing. As you probably will too, knowing that this is a parody – or an extreme example – of the kind of ‘secret questions’ that financial providers and others are fond of passing off as additional security. In fact, the first three are common – even stereotypical – secret questions proposed by real service providers. 4 and 5, maybe not so much. But SSNs are commonly used in the US as authentication, so there’s certainly possible value there for someone trying to harvest useful information about you.

Still, surely no-one could fail to recognize the danger there? Well, some people who commented clearly thought it would be worth putting it out there to see who (or how many) fell for it, if only out of curiosity. No ethical qualms there, then.

Friendship and Fiendship

I’ve talked before (for Virus Bulletin) about the potential of the Facebook meme for collecting data that could be used for malicious purposes. One datum addressed there was your date of birth (mildly obfuscated, but if I could find out how it worked, so could any bad guy who could use a search engine). Another was the instance cited by Graham Cluley of the Royal Wedding in 2011, inviting Facebook users to generate their ‘royal wedding guest name’ by combining an aristocratic title, one of their grandparent’s names, and the name of their first pet ‘double-barrelled’ with the name of the street they grew up on. I can assure you that if I absent-mindedly sign this article as Lord Melvin Sundance-Acacia, I won’t be giving any sensitive data away. After 25 years in security, I’m not naïve enough to think that everyone who’s a friend on social media – or a reader of my blogs – is to be trusted with personal data. I don’t think there are many burglars or identity thieves in my immediate circle of acquaintance, but friends of friends of friends are another matter. In any case, I’m pretty sure that some of my friends aren’t as paranoid with their – or my – posts and data as I am. Furthermore, I’m no fan of the way that various social networks try to insist on my giving them far more personal information than they really need to know.

Not, of course, that I’m advocating a general policy of dishonesty in social networking profiles, but as I commented in that article and elsewhere, these are organizations who regard subscribers not as customers but as sources of commoditized data. Big names in the social media are constant targets for hacking, and don’t always take the care over securing sensitive data that you might expect. In fact, they often have an agenda that is at heart anti-privacy, since our data is exactly what matters to the retail organizations and service providers who are their real customers. Meanwhile, we the subscribers are all too willing to give away the sort of material targeted in a data aggregation (or data inference) attack, where individual items may seem harmless, but an aggregation of such items gives an attacker all he needs to indulge in a little identity theft.

Social Insecurity

But let’s talk about SSNs. Is giving away just part of your SSN really dangerous? In a paper published in 2009 by Alessandro Acquisti and Ralph Gross in the Proceedings of the National Academy of Sciences of the United States of America, it was claimed (as I summarized here) that there is:

a correlation between an SSN and the birthdate of its “owner” that makes it feasible to infer the SSN, given knowledge of that birthdate and … public access to the Social Security Administration’s Death Master File … to determine SSN allocation patterns based on the zip code of their birthplace and the date of issue.

So how secure is your Social Security Number? Well, here are a couple of issues:

  • Some legitimate, convenient-to-subscribe-to organizations may require it who are, nevertheless, not “entitled” to it.
  • The difference between legitimate and illicit organizations (or their web pages, URLs and so on) is not always as pronounced as you might think – otherwise, we wouldn’t have to worry about phishing.

A Social Security Number (like a National Insurance Number in the United Kingdom) is an identifier, not an authenticator, because it isn’t secret: many people know (or at least could gain access to) your SSN. But a problem arises when an organization providing some kind of service to you insists on using it as an authenticator rather than as an identifier. Even if a criminal doesn’t have direct access to an SSN, he may be able to guess it based on information aggregated from other sources.

The Social Security Office has stated in the past (apparently in the hope of making it easier to spot a fake) that the 9 digits of the Social Security Number are grouped as follows.

  • The first three digits represent the Area Number
  • The next two digits represent the Group Number
  • The four digits at the end are called the Serial Number

And, of course, it’s exactly those four final digits that are under discussion. According to an article in the LA Times from 2009, Acquisti and Gross were able “to identify all nine digits for 8.5% of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.” However, the Social Security Office stated at that time that it was moving over to a more randomized SSN allocation system. Unfortunately, that probably hasn’t decreased the risk for many people whose SSN was already allocated by the time such changes were introduced.

Hopefully, most sites that ask for SSN info won’t allow unlimited guesses. Even more hopefully, few people will fall for a blatant, exaggerated data harvesting/phishing attempt resembling the meme described above.

The Sum of the Parts

But how about a story recently passed on by one of my colleagues in the security industry? He related how one of his friends received what appears to have been an automated phone call claiming that his or her debit card had been locked for fraud. Such calls are actually quite common, as in the cases described here, where the recording asks for the target to press 1 and then to ‘unlock’ their card by inputting sensitive financial information including the card number and the PIN associated with it in chip and PIN transactions. This isn’t a new threat, of course. A post at Scamcallfighters indicates that characteristically:

The automated system will ask the victim to key-in, card number, name, date of birth and even the security code! And at the end of it, it will declare that your card is reactivated!

In this case, however, the first thing requested was to input a full 9-digit SSN. Fortunately, the intended victim in this instance knew better than to actually give that information. I suspect, however, that a less greedy scammer might get quite a good hit rate in the right context.

By ‘less greedy’ I don’t just mean not asking for so many data items that even the most naïve end user might start to get suspicious, but also being prepared to do some data aggregation. After all, a victim who just volunteered 2-3 potentially useful data items is probably more likely than average to volunteer further items the second time round. And while a partial SSN requires more effort to build into a full SSN, the trade-off is that a victim is less likely to be scared off by a request for too much information.

After all, we’re conditioned to think that when a bank or other agency asks us to identify ourselves by giving part of an identifier or authenticator – “the 1st, 3rd and 4th character of your special word” or “the last four digits of your credit card number”, they already have the whole identifier/authenticator. Of course, this isn’t necessarily true at all. A scammer might even camouflage a harvesting probe by ‘sacrificing’ a data item that can’t be fully established so as to establish a context of trust in which the victim will:

  • Not take the trouble to check that the call is genuine by ending the call and calling back to a known-genuine number.
  • Go on to supply data items that can be used to implement some form of fraud.

However, in this case, a partial SSN might actually be enough to establish yet another useful (in terms of identity theft) data item.

Sadly, this use of automation for fraudulent purposes is another case where well-meaning (but not necessarily well-implemented) attempts by banks to reduce the impact of fraud have actually been perverted by criminals into an attack.

Technology versus Education

In the security industry, there’s a longstanding debate between those who advocate more user education and those who say that if education was going to fix the cybercrime problem it would have worked by now. (Randy Abrams and I discussed that debate at some length back in 2008: People Patching: Is User Education Of Any Use At All?)

This particular threat exemplifies that conflict/tension: the efficiency of a technical solution – automated detection of fraudulent (or at least unusual) transactions – is compromised because card users are not well enough informed to distinguish between legitimate and fraudulent phone calls.

David Harley
ESET Senior Research Fellow

* Meme: An idea, behaviour, style, or usage that spreads from person to person within a culture. (Merriam-Webster)

The post Anyone want to know my Social Security Number? appeared first on We Live Security.

WhatsApp. Beware of cyber-crooks and scams!

This week, WhatsApp has announced that it now has 600 million active users.

The news was released by Jan Koum, the CEO and co-founder of WhatsApp, through his Twitter page. Koum made it very clear that this figure refers to the number of active, not registered, users, which means that WhatsApp’s user growth may actually be larger.

The term ‘active users’ refers to the number of users who have used the app at least once in the last month.

WhatsApp security

Despite the doubts raised a few months ago when Facebook bought WhatsApp, it seems that the messaging app continues to be as popular as ever. The figure of 600 million users affirms WhatsApp as the world’s most widely used instant-messaging application, well ahead of rivals like Line or Telegram.

But this success has also placed it in the crosshairs of cyber-criminals who, over the last few months, have come up with countless ways to exploit the app as a means to attack users.

Want to know how? Discover the most dangerous WhatsApp scams and beware of malicious messages!

The post WhatsApp. Beware of cyber-crooks and scams! appeared first on MediaCenter Panda Security.

Google dorks – FBI warning about dangerous ‘new’ search tool

The FBI has issued a warning to police and other emergency response personnel about a lethal new tool which ‘malicious actors’ have been using to deadly effect against American government institutions – Google dorks.

The warning, reported by Ars Technica, refers specifically to ‘Google dorks’ or “Google dorking” – i.e. the use of specialized search syntax, using terms such as “filetype:sql”.

‘Google dorks’ refers to search syntax which allows users to search within a specific website (using the term inurl:) or for specific file types, and can thus be used to search databases. Such search terms are widely known, and legal – the warning alerts units who may not be aware of the technique to secure databases properly.

Google dorks: Weapon of the ‘malicious’?

“In October 2013, unidentified attackers used Google dorks to find websites running vulnerable versions of a proprietary internet message board software product, according to security researchers,” the FBI warning says.

“After searching for vulnerable software identifiers, the attackers compromised 35,000 websites and were able to create new administrator accounts. ”

“For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.”

The warning refers to several online resources commonly used to automate “Google dork” queries – and offers advice on the scope of such search syntax.

Shock as web users employ ‘search’

The warning also offers a useful link to Google’s own testing centre for pre-empting such attacks, the Google Hacking Database. Webmasters can use this to check whether files are “visible” to Google dorks, then hide them if they wish.

Ars Technica points out that the warning refers to “malicious cyber actors” and refers to a notorious case in which reporters were accused of “hacking” a website by using freely available information and an automated tool, GNUGet.

However, as Ars explains, the warning is not really meant to highlight a “new” technique, i.e. Google dorks, but to warn webmasters to make their websites more secure.

“This warning from the DHS and the FBI was mostly intended to give law enforcement and other organizations a sense of urgency to take a hard look at their own websites’ security,” Ars comments. “Local police departments have increasingly become the target of “hacktivists.” Recent examples include attacks on the Albuquerque Police Department’s network in March following the shooting of a homeless man and attacks on St. Louis County police networks in response to the recent events in Ferguson, Missouri.”

The warning says, “Ensure sensitive websites are not indexed in search engines. Google USPER provides webmaster tools to remove entire sites, individual URLs, cached copies, and directories from Google’s index.”
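As an added example (not part of the FBI notice, the Ars Technica report or the original post), the following Python script turns the notice’s advice into a check a webmaster can run: it takes a site’s robots.txt and a list of reachable paths with their response headers, and reports which files of dork-targeted types (xls, sql and so on) a search engine would still be allowed to index. The robots.txt, the paths and the headers are constructed sample data, and the robots.txt parser is deliberately simplified (Disallow prefixes only, no Allow lines or wildcards), so it errs on the side of reporting exposure.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List

# File types commonly targeted by dork queries such as "filetype:xls intext:username"
# or "filetype:sql". Extend this set for your own site.
SENSITIVE_EXTENSIONS = {".xls", ".xlsx", ".sql", ".bak", ".env", ".log"}

# Constructed robots.txt for a hypothetical site. Note that a crawler with its
# own group (Googlebot here) follows ONLY that group, not the '*' group as well.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /backup/

User-agent: Googlebot
Disallow: /exports/
"""


@dataclass
class Resource:
    """A crawlable path plus the HTTP response headers it is served with."""
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed crawl results for the hypothetical site.
SAMPLE_RESOURCES = [
    Resource("/reports/q3-users.xls"),                          # no controls at all
    Resource("/private/customers.sql"),                         # blocked for '*' only
    Resource("/exports/dump.sql"),                              # blocked for Googlebot only
    Resource("/backup/site.bak", {"X-Robots-Tag": "noindex"}),  # header-level control
    Resource("/index.html"),                                    # not a sensitive type
]


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return {user-agent: [disallowed path prefixes]} from a robots.txt body.
    Simplified parser: only Disallow lines are honoured."""
    rules: Dict[str, List[str]] = {}
    agents: List[str] = []
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:                       # a blank line ends the current group
            agents, previous_was_agent = [], False
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not previous_was_agent:     # a new group starts here
                agents = []
            agents.append(value.lower())
            rules.setdefault(value.lower(), [])
            previous_was_agent = True
        else:
            previous_was_agent = False
            if key == "disallow" and value:
                for agent in agents:
                    rules[agent].append(value)
    return rules


def disallowed_for(rules: Dict[str, List[str]], agent: str, path: str) -> bool:
    """A crawler follows its own group if one exists, otherwise the '*' group."""
    group = rules.get(agent.lower())
    if group is None:
        group = rules.get("*", [])
    return any(path.startswith(prefix) for prefix in group)


def is_indexable(resource: Resource, rules: Dict[str, List[str]], agent: str) -> bool:
    """Could this crawler fetch and index the content? robots.txt stops the fetch
    (so no content-based dork can hit the file); X-Robots-Tag: noindex stops the
    listing even when the fetch is allowed."""
    if disallowed_for(rules, agent, resource.path):
        return False
    header = resource.headers.get("X-Robots-Tag", "")
    directives = {d.strip().lower() for d in header.split(",")}
    return not (directives & {"noindex", "none"})


def audit(resources: List[Resource], robots_txt: str, agent: str = "googlebot") -> List[str]:
    """Paths of sensitive file types that the given crawler could still index."""
    rules = parse_robots(robots_txt)
    return [
        r.path for r in resources
        if os.path.splitext(r.path)[1].lower() in SENSITIVE_EXTENSIONS
        and is_indexable(r, rules, agent)
    ]


if __name__ == "__main__":
    for crawler in ("googlebot", "bingbot"):
        print(crawler, "could index:", audit(SAMPLE_RESOURCES, ROBOTS_TXT, crawler))
```

Run against the constructed data, the audit flags `/private/customers.sql` for Googlebot even though it is disallowed for `*`, because the Googlebot-specific group replaces the generic one; a crawler without its own group (bingbot) is instead free to fetch `/exports/dump.sql`. A Disallow line only stops the crawl, so a URL can still be listed without its content; the `noindex` header, or removal through the webmaster tools the warning mentions, is the stronger control.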

The post Google dorks – FBI warning about dangerous ‘new’ search tool appeared first on We Live Security.

Google Releases Security Updates for Chrome

Original release date: August 27, 2014

Google has released Chrome 37.0.2062.94 for Windows, Mac and Linux. This update includes 50 security fixes some of which could allow a remote attacker to obtain unauthorized access or cause a denial of service.

US-CERT encourages users and administrators to review the Google Chrome release blog and apply the necessary updates.


Hackers reveal their secrets on Twitch, the gamers’ streaming platform

Twitch was set up in 2011 as a video streaming platform yet, unlike YouTube, it is mostly videos of games and playthroughs that are broadcast on the channel. Another distinguishing feature is that Twitch doesn’t use any copyright system to establish payments: it operates with voluntary donations to those who provide content and share their experiences with other Internet users.

With a view to complementing its offer with such content, Amazon has invested an incredible US$970 million (735 million euros) in purchasing the company. Google and Yahoo had also bid to take over the company, though in the end it was the online store that managed to take this highly-coveted asset.

This fierce competition over Twitch is not without motive. The channel already had 3.2 million active users in its first month of existence. It now has over 50 million users, each of whom spends an average of 106 minutes watching its content.

The website, founded by the American Justin Kan (also responsible for Justin.tv), was initially set up to broadcast conventional content. However, another of the site’s founders, Emmett Shear, who had a passion for computer games, decided to change focus and go for another type of content.

The platform allows users to take part in the broadcasts and form a community, one of the keys to success on the Web, especially when it comes to online gaming: the channel’s now famous ‘eSports’ are real competitions between gaming professionals.

Given its content, it’s hardly surprising that it’s mainly young people who visit the channel. Over half the users are under 25, although the average age of those taking part in competitions is somewhat higher, around 40 years old. However, all of them are keen Internet users.

So far, so good. But what happens when those who broadcast their online adventures are not just gamers, but also hackers?

George Hotz and Ricky Zhou, two renowned hackers, have started broadcasting the resolution to different challenges, which can last up to five hours. The first of these was largely aimed at overcoming certain levels of Vortex, a game designed for hackers. The challenges are resolved by commands written in code.

In the second challenge, dubbed ‘The Great CVE Race‘ (CVE stands for Common Vulnerabilities and Exposures), the participants tried to exploit a security hole in the Firefox browser. The CVE database is maintained by MITRE, a US NGO, and contains all the known bugs or vulnerabilities for many software programs.

After selecting the security flaw, the hackers design an exploit: a tool or technique that takes advantage of the software error to prevent the program from running properly or to allow third party access to the service. This can include anything from a computer virus to alterations to the software’s code, for example, a set of instructions to run the program in a different way.

Client-side exploits are strategies aimed at vulnerabilities in applications normally used on any operating system, such as a Web browser. The tool is applied to a file that the program has to open, such as an email.

When this modified file is run by the user and there is no antivirus security control, the hacker can access the user’s information. This is exactly what Hotz and Zhou are showing in their videos: how to create an exploit for Firefox.

If hackers were to follow their instructions, they would learn how to take control of the program or change some aspects of one version of Firefox without the developer’s consent.

Although Twitch doesn’t monitor content and gives free rein to those who broadcast videos, the creation of such tools can even be illegal, as they don’t have the administrator’s authorization and they interfere with the activity of third parties. The platform may have to think about keeping a closer eye on what is published on the site.

The post Hackers reveal their secrets on Twitch, the gamers’ streaming platform appeared first on MediaCenter Panda Security.

Data breach in South Korea hits 27 million – half the population

A data breach of staggering proportions has hit South Korea – involving 27 million people and 220 million private records – and affecting 70% of the population between the ages of 15 and 65, according to Forbes.

Sixteen hackers were arrested for the attack, which targeted registration pages and passwords for six online gaming sites – with the aim of selling game currency. South Korea has a strong online gaming culture, and people of all ages indulge in the hobby.

South Korean authorities said that the gang had stolen 220 million items of personally identifying information, with the goal of breaking into online game accounts. A 24-year-old man, surname Kim, bought these records from a Chinese hacker he met in another online game in 2011, according to the Korea JoonGang Daily.

Data breach hit 70% of adults

According to police, Kim reportedly received 220 million personal information items from a data breach of unknown origin, including the names, resident registration numbers, account names and passwords, of the 27 million people from a Chinese hacker he met in an online game in 2011.

Kim and his associates are thought to have used a hacking tool known as an “extractor” to log in to accounts and steal virtual currency and items to sell – earning in the process 400 million won ($390,919).

The Register reports that, “Kim bagged almost $400,000 by hacking six online games using the details and gave the Chinese cracker a $130,000 cut. The buyer used the creds to steal items from gaming accounts and sold off to other players.”

Hacking tool known as ‘extractor’

Police estimate that secondary damages from the data breach cost at least $2m.

When Kim’s gang could not break into accounts, they bought yet more personal information including identity cards from a cellphone retailer in Daegu, and then changed passwords to gain access.

Kim is also accused of having sold his hoard of personally identifying information to mortgage fraudsters and illegal gambling advertisers.

The post Data breach in South Korea hits 27 million – half the population appeared first on We Live Security.

Surveillance fears over systems which ‘follow’ cellphone users

Concern is growing over the export of surveillance equipment which can track the movements of anyone carrying a cellphone – from town to town and even into other countries. Such technologies are freely on sale not only to oppressive regimes, but also to criminal gangs, according to a report by the Washington Post.

Third-party surveillance apps are, of course, widely available which allow suspicious spouses and more nefarious individuals to track the owner of a phone by surreptitiously installing and hiding such an app. Such ‘domestic spyware’ is often involved in domestic violence cases.

The technology used by repressive regimes is much higher-level surveillance: specifically, the governments, gangs and other individuals monitor telecoms networks for their location records.

Surveillance systems map people for weeks

“Surveillance systems are secretly collecting these records to map people’s travels over days, weeks or longer, according to company marketing documents and experts in surveillance technology,” the Washington Post reports.

The use of such equipment is highlighted in a report, Big Brother Inc, by Privacy International, which claims that the surveillance industry has grown to be worth $5 billion per year, and that export control regulations have not kept pace with developments in such technology.

Capabilities of surveillance have grown hugely

“The capabilities of surveillance technology have grown hugely in the past decade – in the hands of a repressive regime, this equipment eradicates free speech, quashes dissent and places dissidents at the mercy of ruling powers as effectively as guns and bombs, if not more so,” Privacy International says in its report.

Mark James, security specialist at ESET, says there is a broader issue about the ownership of the data generated by such devices, and in particular the rights of the end user.

“The main concern here is the lack of international laws to protect the end user,” says James. “Without a global policy in place there will always be some countries that can be used to track people’s locations and activity.”

“With users now requiring the latest technology advancements in their mobile devices which include GPS location, mobile internet and the ability to be contacted wherever they are, it is often overlooked that this technology is two-way.

“Even if in your contract there were to be a paragraph stating that you can be monitored whenever and wherever, the likelihood of you reading it and acknowledging it exists is remote, and let’s be honest would you refuse to have the phone if this were made clear to you when you purchased it in the first place? I honestly think not.”

“This type of surveillance has been around for a while and it’s not going anywhere, all we can do is put measures in place for an independent organization to monitor its use and work harder to have an international agreement in place to limit where this data ends up.”

Privacy International is now campaigning for more regulation of the surveillance industry, and in particular to restrict the sale of such technologies to repressive regimes. The group points to some limited successes, such as the EU Parliament’s resolution calling for stricter oversight of surveillance technology exports, and President Obama’s executive order to prevent such exports to Syria and Iran.

The group says, “Export control regulations have not kept pace with this development, nor have companies taken it upon themselves to vet the governments to whom they sell their technology. The situation has now reached a crisis point: countries must enact strict export controls now, or be guilty of a staggering and continued hypocrisy with regard to global human rights.”

The post Surveillance fears over systems which ‘follow’ cellphone users appeared first on We Live Security.

Science @ Avira, the ITES project

It is well known that classical computer architectures were not designed with security in mind. We intend to change that. The ITES project is creating a system purposefully built for high-security environments.

The current ITES system deploys verified compartments via Virtual Machines for different tasks. A compartment contains an operating system and the required programs (e.g. email client). Each compartment has restricted permissions that are unique. For example the browser compartment does not have access to the business plan, so if an exploited browser is running on a different OS than the email client, which has access to critical information, the impact of an attack is reduced.


Our goal in the ITES research project has been to extend the compartment system so that it identifies hacked Virtual Machines and launches countermeasures. We identify hacked machines by observing them with different sensors (user-space hooking, memory forensics and VMI, Virtual Machine Introspection).

After gathering information about the current situation in Virtual Machines, a central component will classify the state of the machines into ‘trustworthy’ or ‘suspicious’. Depending on the decision, the machine can be stopped, analyzed, repaired or restored from a snapshot.

The goal of a scientific project is to learn by building a ‘Demonstrator’ (an alpha prototype); it is not to create a product. The operating system is split into several compartments, with antivirus (AV) technology and hypervisor sensors attached.

However, many of the pioneering technologies we developed to build the Demonstrator are, or will soon be, integrated into our internal processes. One of our backend systems in the Virus Lab at Avira is now classifying samples for our customers based on this new technology.

Classification

Identifying malicious files is the Virus Lab’s first task when encountering unknown software. Three methods are usually deployed to identify malicious code.

1. Static

This is Avira’s traditional forte and is how we’ve been identifying malicious code for years. Malware is identified, for example, by exact hash, fuzzy hash, byte patterns, structural generics, or by an AI, while the engine complements the analysis by gathering behavioral patterns. Static analysis is not part of the ITES project.

2. Dynamic

Dynamic analysis monitors the behavior of malware. You can do it on the end-user’s system (behavior analysis performed by the AV software) or using dedicated analysis systems (e.g. an analysis sandbox such as Cuckoo Sandbox, or our internal cloud-enabled Autodumper tool).

Depending on the type of malware, we have to monitor it in different ways. By monitoring the user-space API, we are able to detect malware droppers. Sensors in kernel space or below are required to identify rootkits. Kernel-space sensors are drivers, and you get those with your AV software.

They have a different (less detailed) point of view, but cannot easily be tricked by malware that tampers with the user-space API. Monitoring the OS from outside the Virtual Machine is better still. One existing tool that does this is Volatility. It takes a memory snapshot of a real or virtual machine and checks the OS data structures for anomalies. As part of the ITES project, we integrated Volatility into a Cuckoo Sandbox and use it as a second sensor.

A disadvantage of Volatility is that it only works on a snapshot, so it is possible to observe the effects of an infection, but not the process of the system being infected. Additionally, user-space events are not observed at an acceptable level of quality.

Virtual Machine Introspection (VMI) takes this approach to the next level and is currently being researched by the RUB (Ruhr University Bochum) & IFIS (Institute For Internet Security) as part of the ITES project. By monitoring the system through the hypervisor we could achieve a similar perspective as with Volatility, but without having to create snapshots. Soon we will know what granularity of data will be possible.
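As an added example (not code from ITES, Volatility or Cuckoo), the following shows the kind of cross-view anomaly check a snapshot-based memory sensor performs, comparing the kernel's linked process list with every process structure found by scanning memory, and feeding the result to the trustworthy/suspicious decision described above. The snapshot layout, pids and the action names are constructed assumptions.

```python
"""Cross-view hidden-process check on a constructed memory snapshot."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ProcStruct:
    pid: int
    name: str
    next_pid: Optional[int]   # forward link in the kernel's process list


@dataclass
class Snapshot:
    list_head: int                  # pid the kernel's list head points to
    pool: Dict[int, ProcStruct]     # every process structure found by scanning memory


def walk_process_list(snap: Snapshot) -> Set[int]:
    """What the OS itself would report: follow the linked list (cycle-safe)."""
    seen: Set[int] = set()
    pid: Optional[int] = snap.list_head
    while pid is not None and pid not in seen and pid in snap.pool:
        seen.add(pid)
        pid = snap.pool[pid].next_pid
    return seen


def hidden_processes(snap: Snapshot) -> Set[int]:
    """Structures present in memory but unlinked from the list: an anomaly."""
    return set(snap.pool) - walk_process_list(snap)


def classify(snap: Snapshot) -> Tuple[str, str]:
    """Central-component decision (assumed action names): a hidden process
    makes the VM 'suspicious' and triggers a restore from a clean snapshot."""
    if hidden_processes(snap):
        return ("suspicious", "restore_snapshot")
    return ("trustworthy", "continue")


# Constructed snapshot: pid 1337 is still in memory but nothing links to it.
INFECTED = Snapshot(4, {
    4: ProcStruct(4, "System", 312),
    312: ProcStruct(312, "smss.exe", 500),
    500: ProcStruct(500, "explorer.exe", None),
    1337: ProcStruct(1337, "svchost.exe", 500),   # unlinked, masquerading name
})
CLEAN = Snapshot(4, {k: v for k, v in INFECTED.pool.items() if k != 1337})

if __name__ == "__main__":
    print(hidden_processes(INFECTED), classify(INFECTED), classify(CLEAN))
```

The check only sees the end state, which is the snapshot limitation noted above: it reports that a process was unlinked, not when or by whom.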

3. Reputation

Having a cloud service and large databases on our backend servers, it is possible to identify specific spread patterns that are typical for malware. Suspicious patterns can be defined by scripts. Rules might look like

  • If a user is running a sample which has not been seen by the cloud yet, and which is strangely packed: trigger a warning
  • If a computer executed an unknown file after the user visited a suspicious page on a free hosting site, and the computer is running an outdated PDF reader: trigger a warning

You get the idea. The ITES project does not cover this area.
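The two rules above, written as scripted checks over constructed endpoint telemetry; this is an added example, not Avira's backend code, and the event fields, the entropy threshold used as a proxy for "strangely packed", the free-hoster list and the time window are all assumptions.

```python
"""Reputation-style rules evaluated over constructed endpoint telemetry."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Event:
    t: int                        # seconds since session start
    kind: str                     # "visit" or "exec"
    url: str = ""
    seen_in_cloud: bool = True    # has the backend seen this sample hash before?
    entropy: float = 0.0          # file entropy; > 7.2 treated as "strangely packed"

FREE_HOSTERS = ("free-host.example", "cheapsite.example")   # constructed list
VISIT_WINDOW = 300   # seconds between a suspicious visit and the unknown exec

def rule_unseen_packed(events: List[Event], host: Dict) -> List[str]:
    """Rule 1: sample unseen by the cloud and strangely packed -> warning."""
    return [f"t={e.t}: unseen sample, entropy {e.entropy:.1f}"
            for e in events
            if e.kind == "exec" and not e.seen_in_cloud and e.entropy > 7.2]

def rule_drive_by(events: List[Event], host: Dict) -> List[str]:
    """Rule 2: unknown file run shortly after a free-hoster visit on a host
    with an outdated PDF reader -> warning. Order of events matters."""
    warnings: List[str] = []
    last_visit: Optional[int] = None
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "visit" and any(h in e.url for h in FREE_HOSTERS):
            last_visit = e.t
        elif (e.kind == "exec" and not e.seen_in_cloud and last_visit is not None
              and e.t - last_visit <= VISIT_WINDOW and host["pdf_reader_outdated"]):
            warnings.append(f"t={e.t}: unknown file {e.t - last_visit}s after "
                            "free-hoster visit, outdated PDF reader")
    return warnings

RULES: List[Callable[[List[Event], Dict], List[str]]] = [rule_unseen_packed, rule_drive_by]

def evaluate(events: List[Event], host: Dict) -> List[str]:
    """Run every rule; the backend would attach the warnings to the sample."""
    return [w for rule in RULES for w in rule(events, host)]

# Constructed telemetry for one endpoint.
HOST = {"pdf_reader_outdated": True}
EVENTS = [
    Event(10, "visit", url="http://news.example/article"),
    Event(40, "visit", url="http://free-host.example/u/invoice.pdf"),
    Event(75, "exec", seen_in_cloud=False, entropy=7.8),   # fires both rules
    Event(900, "exec", seen_in_cloud=True, entropy=6.1),   # known, fires nothing
]

if __name__ == "__main__":
    print(*evaluate(EVENTS, HOST), sep="\n")
```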

There will be more blog posts covering the details soon.

TL;DR

Avira is investing into scientific research to deliver superior protection to our customers.

For Science,
Thorsten Sick

Sponsored by the Federal Ministry of Education and Research.

The post Science @ Avira, the ITES project appeared first on Avira Blog.

MS14-045 – Important: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) – Version: 3.0

Severity Rating: Important
Revision Note: V3.0 (August 27, 2014): Bulletin rereleased to announce the replacement of the 2982791 update with the 2993651 update for all supported releases of Microsoft Windows. See the Update FAQ for details.
Summary: This security update resolves three privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.