Page 33 of 47
MS Word has been dethroned:
Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009, compared with about 39 per cent that took aim at Microsoft Word. By comparison, in 2008, Acrobat was targeted in almost 29 per cent of attacks and Word was exploited by almost 35 per cent.
The Spanish police arrested three people in connection with the 13-million-computer Mariposa botnet.
There was a big U.S. cyberattack exercise this week. We didn’t do so well:
In a press release issued today, the Bipartisan Policy Center (BPC)—which organized “Cyber Shockwave” using a group of former government officials and computer simulations—concluded the U.S is “unprepared for cyber threats.”
[…]
…the U.S. defenders had difficulty identifying the source of the simulated attack, which in turn made it difficult to take action.
“During the exercise, a server hosting the attack appeared to be based in Russia,” said one report. “However, the developer of the malware program was actually in the Sudan. Ultimately, the source of the attack remained unclear during the event.”
The simulation envisioned an attack that unfolds during a single day in July 2011. When the council convenes to face this crisis, 20 million of the nation’s smartphones have already stopped working. The attack—the result of a malware program that had been planted in phones months earlier through a popular “March Madness” basketball bracket application—disrupts mobile service for millions. The attack escalates, shutting down an electronic energy trading platform and crippling the power grid on the Eastern seaboard.
This is, I think, an eyewitness report.
A new Trojan Horse named Spy Eye has code that kills Zeus, a rival botnet.
Interesting research: “Countering Kernel Rootkits with Lightweight Hook Protection,” by Zhi Wang, Xuxian Jiang, Weidong Cui, and Peng Ning.
Abstract: Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits is to protect such hooks from being hijacked. However, it remains a challenge because there exist a large number of widely-scattered kernel hooks and many of them could be dynamically allocated from kernel heap and co-located together with other kernel data. In addition, there is a lack of flexible commodity hardware support, leading to the socalled protection granularity gap kernel hook protection requires byte-level granularity but commodity hardware only provides pagelevel protection.
To address the above challenges, in this paper, we present HookSafe, a hypervisor-based lightweight system that can protect thousands of kernel hooks in a guest OS from being hijacked. One key observation behind our approach is that a kernel hook, once initialized, may be frequently “read”-accessed, but rarely “write”-accessed. As such, we can relocate those kernel hooks to a dedicated page-aligned memory space and then regulate accesses to them with hardware-based page-level protection. We have developed a prototype of HookSafe and used it to protect more than 5, 900 kernel hooks in a Linux guest. Our experiments with nine real-world rootkits show that HookSafe can effectively defeat their attempts to hijack kernel hooks. We also show that HookSafe achieves such a large-scale protection with a small overhead (e.g., around 6% slowdown in performance benchmarks).
The research will be presented at the 16th ACM Conference on Computer and Communications Security this week. Here’s an article on the research.
It was unattended in a hotel room at the time:
Israel’s Mossad espionage agency used Trojan Horse programs to gather intelligence about a nuclear facility in Syria the Israel Defense Forces destroyed in 2007, the German magazine Der Spiegel reported Monday.
According to the magazine, Mossad agents in London planted the malware on the computer of a Syrian official who was staying in the British capital; he was at a hotel in the upscale neighborhood of Kensington at the time.
The program copied the details of Syria’s illicit nuclear program and sent them directly to the Mossad agents’ computers, the report said.
Remember the evil maid attack: if an attacker gets hold of your computer temporarily, he can bypass your encryption software.
Earlier this month, Joanna Rutkowska implemented the “evil maid” attack against TrueCrypt. The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. Basically, the attack works like this:
Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume. The attacker writes a hacked bootloader onto your system, then shuts it down.
Step 2: You boot your computer using the attacker’s hacked bootloader, entering your encryption key. Once the disk is unlocked, the hacked bootloader does its mischief. It might install malware to capture the key and send it over the Internet somewhere, or store it in some location on the disk to be retrieved later, or whatever.
You can see why it’s called the “evil maid” attack; a likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. The same maid could even sneak back the next night and erase any traces of her actions.
This attack exploits the same basic vulnerability as the “Cold Boot” attack from last year, and the “Stoned Boot” attack from earlier this year, and there’s no real defense to this sort of thing. As soon as you give up physical control of your computer, all bets are off.
Similar hardware-based attacks were among the main reasons why Symantec’s CTO Mark Bregman was recently advised by “three-letter agencies in the US Government” to use separate laptop and mobile device when traveling to China, citing potential hardware-based compromise.
PGP sums it up in their blog.
No security product on the market today can protect you if the underlying computer has been compromised by malware with root level administrative privileges. That said, there exists well-understood common sense defenses against “Cold Boot,” “Stoned Boot” “Evil Maid,” and many other attacks yet to be named and publicized.
The defenses are basically two-factor authentication: a token you don’t leave in your hotel room for the maid to find and use. The maid could still corrupt the machine, but it’s more work than just storing the password for later use. Putting your data on a thumb drive and taking it with you doesn’t work; when you return you’re plugging your thumb into a corrupted machine.
The real defense here is trusted boot, something Trusted Computing is supposed to enable. But Trusted Computing has its own problems, which is why we haven’t seen anything out of Microsoft in the seven-plus years they have been working on it (I wrote this in 2002 about what they then called Palladium).
In the meantime, people who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe. It protects against someone confiscating or stealing their computer and then trying to get at the data. It does not protect against an attacker who has access to your computer over a period of time during which you use it, too.
EDITED TO ADD (10/23): A few readers have pointed out that BitLocker, the one thing that has come out of Microsoft’s Trusted Computing initiative in the seven-plus years they’ve been working on it, can prevent these sorts of attacks if the computer has a TPM module, version 1.2 or later, on the motherboard. (Note: Not all computers do.) I actually knew that; I just didn’t remember it.
EDITED TO ADD (11/12): Peter Kleissner’s Stoned Boot attacks on TrueCrypt.
EDITED TO ADD (12/9): A similar attack is possible against BitLocker with a TPM.
Good essay: “Malware to crimeware: How far have they gone, and how do we catch up?” ;login:, August 2009:
I have surveyed over a decade of advances in delivery of malware. Over this period, attackers have shifted to using complex, multi-phase attacks based on
subtle social engineering tactics, advanced cyptographic techniques to defeat takeover and analysis, and highly targeted attacks that are intended to fly below the radar of
current technical defenses. I will show how malicious technology combined with social manipulation is used against us and conclude that this understanding might even help us design our own combination of technical and social mechanisms to better protect us.
This is brilliant:
The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.
Another article.
If there’s a moral here, it’s that banks can’t rely on the customer to detect fraud. But we already knew that.
Sidebar photo of Bruce Schneier by Joe MacInnis.
