Proactive IT security

Security blog [EN]

Snorre Fagerland's entries

Snorre Fagerland has worked for Norman as malware analyst since 1998. He built Norman's first signature database system, has programmed parts of the Norman Scan Engine

Snorre Fagerland is a frequent speaker on malware issues at home and abroad.

Antivirus SSDT hook bypass vulnerability

Recent reports have detailed a problem with many antivirus solutions that use so-called SSDT hooking (replacing entries in the Windows System Service Descriptor Table so that system calls are routed through the antivirus driver) to inspect programs for malicious content. Norman also uses this technology and can, at the time of writing, be bypassed this way.

The question remains: how big a problem is this for users?
The vulnerability means that malicious software may be able to attack a running antivirus product, including parts of its malware detection and self-defence mechanisms. It does so by provoking a race condition in Windows: the antivirus driver's hook inspects the arguments of a system call while they still lie in the calling program's own memory, and a second thread in the malicious program changes those arguments after the hook has checked them but before the original kernel routine uses them. Race conditions are nothing new in Windows, but they have not been widely used in malicious software so far. One reason is probably that they are cumbersome and complex ways of achieving something that can usually be done far more easily.
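The check-then-use race described above, as an added illustration that is not code from this blog or from the published reports: a constructed C model in which the "system service", the hook and the attacker's second thread are all simulated in user space, so the race can be replayed deterministically. The process names (antivirus.exe, notepad.exe) and the explicit racer callback that stands in for thread scheduling are assumptions of the model, not details from the reports.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the check-then-use race in an SSDT-style hook.
 * Nothing here is Windows kernel code: the "system service", the hook and
 * the attacker thread are all simulated so the race can be replayed.
 */

/* Argument block as the calling process passes it to the system service.
 * It lives in the caller's memory, so the caller can change it at any time. */
typedef struct {
    char target[64];   /* name of the process the call would act on */
} svc_args_t;

/* The process the security product is supposed to shield (assumed name). */
static const char *PROTECTED_PROCESS = "antivirus.exe";

/* Stand-in for the original (un-hooked) service: acts on whatever the
 * argument block says at the moment it is read. */
static void original_service(const svc_args_t *args, char *acted_on, size_t len)
{
    snprintf(acted_on, len, "%s", args->target);
}

/* A point at which the attacker's second thread gets scheduled. In the real
 * attack this is ordinary thread scheduling; here it is an explicit callback
 * so the outcome is reproducible. */
typedef void (*racer_fn)(svc_args_t *args);

/* The attacker's second thread: swap in the protected target after the
 * hook has finished its check. */
static void swap_argument(svc_args_t *args)
{
    snprintf(args->target, sizeof args->target, "%s", PROTECTED_PROCESS);
}

/* Vulnerable hook: checks the argument where it lies (caller memory), then
 * forwards the same pointer, so the service re-reads a possibly changed value. */
static bool hook_vulnerable(svc_args_t *args, racer_fn racer,
                            char *acted_on, size_t len)
{
    if (strcmp(args->target, PROTECTED_PROCESS) == 0)
        return false;                      /* check: looks harmless ... */
    if (racer)
        racer(args);                       /* ... attacker changes it here ... */
    original_service(args, acted_on, len); /* ... use: acts on the new value */
    return true;
}

/* Hardened hook: capture a private copy once (in a driver this is where a
 * probe of the user buffer and a copy into kernel memory would go), check
 * the copy, and forward the copy. The caller's later edits cannot reach it. */
static bool hook_hardened(svc_args_t *args, racer_fn racer,
                          char *acted_on, size_t len)
{
    svc_args_t captured;
    memcpy(&captured, args, sizeof captured);
    if (strcmp(captured.target, PROTECTED_PROCESS) == 0)
        return false;
    if (racer)
        racer(args);                       /* attacker edits the original block */
    original_service(&captured, acted_on, len);
    return true;
}

typedef bool (*hook_fn)(svc_args_t *, racer_fn, char *, size_t);

/* Replay one call through a hook. Returns 1 if the protected process was
 * acted on (hook bypassed), 0 if the call was blocked or hit the benign target. */
static int replay(hook_fn hook, racer_fn racer)
{
    svc_args_t args;
    char acted_on[64] = "";
    snprintf(args.target, sizeof args.target, "%s", "notepad.exe"); /* benign at check time */
    bool allowed = hook(&args, racer, acted_on, sizeof acted_on);
    return allowed && strcmp(acted_on, PROTECTED_PROCESS) == 0;
}

int bypassed_vulnerable(void) { return replay(hook_vulnerable, swap_argument); }
int bypassed_hardened(void)   { return replay(hook_hardened, swap_argument); }
int bypassed_no_race(void)    { return replay(hook_vulnerable, NULL); }

/* Direct attempt without the race: the hook's check catches it. Returns 1 if blocked. */
int blocked_direct(void)
{
    svc_args_t args;
    char acted_on[64] = "";
    snprintf(args.target, sizeof args.target, "%s", PROTECTED_PROCESS);
    return !hook_vulnerable(&args, NULL, acted_on, sizeof acted_on);
}

int main(void)
{
    printf("vulnerable hook, attacker racing : %s\n", bypassed_vulnerable() ? "BYPASSED" : "held");
    printf("hardened hook, attacker racing   : %s\n", bypassed_hardened() ? "BYPASSED" : "held");
    printf("vulnerable hook, no race         : %s\n", bypassed_no_race() ? "BYPASSED" : "held");
    printf("direct attempt, no race          : %s\n", blocked_direct() ? "blocked" : "ALLOWED");
    return 0;
}
```

The point the model makes is that the check itself is not wrong; what is wrong is validating data the caller still controls and then letting the original routine read it a second time. Capturing the arguments into memory the caller cannot touch, before checking them, removes the window regardless of how the attacker times its second thread.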

The attack can only happen when the malicious software is already running on the target machine. This means that at the stage when the attack is launched, the antivirus solution will already have failed to detect the threat. If the antivirus solution has detection in place, the attack will never be launched because the antivirus blocks the execution of the malicious program. As someone pointed out, it is similar to a thief opening the windows to your house – from within.

Once the malicious program is running, the system is compromised. At that point there is usually a multitude of other, easier ways for the malware to cripple the antivirus software, almost regardless of vendor: blocking its update mechanism as the Conficker worm does, attacking the running security processes as the majority of trojans now do, or outright deleting files used by the security product. Active malware running on the system is usually an all-bets-off scenario. This is why we focus our effort on preventing the infection in the first place through proactive technologies; prevention is always preferable to cleaning.

Nevertheless, we consider such possible attacks serious and monitor their usage closely. We will review our software to improve our handling of these issues.

Hoaxing Facebook

We have received reports of a new scare running among Facebook users. The message is approximately as follows:

Has your facebook been running slow lately? Go to "Settings" and select "application settings", change the dropdown box to "added to profile". If you see one in there called "un named app" delete it ... It's an internal spybot. Pass it on. THIS IS NOT A DRILL!! ------

And indeed, most users will actually find such an application in their “added to profile” list. Relax, and breathe out: this is not a virus, it is just the “Boxes” tab on your profile, which shows up as an unnamed application. Delete the application and the Boxes tab goes away with it; if that is what you want, fine. According to Facebook, the Boxes tab is going away soon anyway: http://wiki.developers.facebook.com/index.php/Tabbed_Profile

[CVE-2010-0249] Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft advisory: http://www.microsoft.com/technet/security/advisory/979352.mspx

This security flaw, disclosed about a week ago, is a threat we are following closely. As of this writing, we and others have seen a limited number of in-the-wild attacks exploiting it. Some of those attacks were quite serious, hitting large targets such as Google and Adobe (http://threatpost.com/en_us/blogs/inside-aurora-malware-011910).

Norman's virus scanners detect the known malware that these attacks install. There are no guarantees, however: it is always possible to craft malware that evades detection for a limited time window.

Apply brain

The Christmas holiday is almost upon us, and it is a good time to remind people that malware authors are likely to exploit periods like this to increase the spread of their malware. They usually do so by sending e-mails and messages with content tailored to the occasion, e.g. “Christmas e-card” or “Happy New Year”. And of course, to read your greeting you will have to install something that claims to be a plugin or similar, but invariably is a malicious program.

Actually, this problem is not specific to Christmas. There are always spam e-mails targeting the news item du jour. In many cases these are just spam, trying to sell something; in other cases there will be trojans attached to the e-mails.

A blast from the past – the source code virus Induc.A

Some days ago, Andreas Marx (of av-test.org) sent a copy of a new virus to all antivirus companies, with a warning that infected files had been found on some magazine CDs/DVDs. True enough, the virus was new to the antivirus companies. The virus was W32/Induc.A. It is something of a rarity: a source code infector. Such viruses do not propagate directly from machine to machine, nor do they attach themselves to executables found on the victim machine. Instead, they look for programming environments on the machine and insert their own source code (e.g. C or Pascal) into existing, innocent code, so that the virus is built into every program compiled there. In Induc.A's case the environment is Borland Delphi: the virus modifies a runtime library source file of the installation and recompiles it, after which every program built with that Delphi installation carries the virus.

Blog tags: Malware