STE WILLIAMS

Romanian dragon-wolves aim for virtualised security

BitDefender is focusing on providing better security for virtualised environments and says expansion into emerging markets is key to its plans for growth.

The Romanian firm wants to help firms implementing server consolidation projects to improve their security with a virtual appliance so that companies do not have to run anti-malware instances on virtual machines. The products, developed for virtual desktops (eg Citrix) as well as server farms, allow sysadmins to scan virtual machines on the same system in sequence rather than all at the same time.

Traditional scheduled security scans in virtualised environments take up too many resources. As a result, sysadmins sometimes turn off such scans, leaving a security gap that BitDefender aims to bridge. Beta versions of the BitDefender Security for Virtualised Environments do not check patching levels, but this feature may be introduced over time.

The technology also creates a mechanism to scan older copies of virtual machine builds offline.

The main markets for BitDefender, which claims 400 million users, include Romania, France and the US. The firm is seeking to grow further by targeting emerging economies such as Brazil, Russia, India and China. Part of this strategy involves a rebranding of the security firm, with a new Dragon-Wolf logo (which looks more like a wolf-snake). Symbols of the Dragon Wolf were worn on the armour of ancestors of Romanian locals, the Dacians, at the time they fought the Romans (they fell to the empire in 106 AD).

BitDefender wants to inspire the creation of more IT jobs in Romania, a country whose economy is dominated by oil and steel. Although numerous consultants and IT integrators exist, it is the only IT developer of any size in the country. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/bitdefender_security_strategy/

Malware burrows deep into computer BIOS to escape AV

Researchers have discovered one of the first pieces of malware ever used in the wild that modifies the software on the motherboard of infected computers to ensure the infection can’t be easily eradicated.

Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add malicious instructions that are executed early in a computer’s boot-up sequence. The instructions, in turn, alter a computer’s MBR, or master boot record, another system component that gets executed prior to the loading of the operating system of an infected machine. By corrupting the processes that run immediately after a PC starts, the malware stands a better chance of surviving attempts by antivirus programs to remove it.

In addition to posing a threat to end users, Mebromi could create serious obstacles for antivirus developers producing products that scrub computers clean of detected threats without harming the underlying system.

A flowchart from Symantec detailing Mebromi’s BIOS tampering process.

“Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giv[en] the fact that even if antivirus detect[s] and clean[s] the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again,” Webroot researcher Marco Giuliani wrote in a blog post published Tuesday. “Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all.”

He went on to say the job of removing malicious instructions added to the BIOS ultimately should be left to the makers of the motherboards that store the startup code. Because the BIOS is stored on a ROM, or read-only-memory chip, modifications have the potential to render a computer largely inoperable.
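The persistence trick described above (the BIOS-stage payload rewriting the MBR at every boot, so that cleaning the MBR alone is undone on restart) is easiest to reason about with the MBR layout in front of you. The following is an added example, not code from the article, Webroot or Symantec: it parses the 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), fingerprints only the boot-code region, and renders a remediation verdict that requires the sector to match the baseline again after the next boot, not just right after the antivirus rewrote it. The boot sectors, the partition entry and the "firmware-stage payload" that swaps in different boot code are all constructed sample data.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) MBR, the sector a BIOS-resident payload rewrites.
MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(raw: bytes) -> dict:
    """Split a 512-byte MBR into its boot code and the non-empty partition entries."""
    if len(raw) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if raw[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba, sectors = struct.unpack(
            "<B3sB3sII", raw[off:off + 16])
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": sectors})
    return {"boot_code": raw[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_fingerprint(raw: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(raw[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(raw: bytes, baseline_fp: str) -> dict:
    """Compare the boot code of an MBR read from disk against a recorded-good fingerprint."""
    info = parse_mbr(raw)
    fp = boot_code_fingerprint(raw)
    return {"modified": fp != baseline_fp, "fingerprint": fp,
            "partitions": info["partitions"]}


def _build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code plus one bootable Linux partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83, b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(16 * 3)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


# Constructed data: a "known good" boot sector, and the same sector after a
# hypothetical firmware-stage payload has replaced its boot code.
KNOWN_GOOD_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = _build_mbr(b"\xeb\x3c\x90PATCHED-BY-FIRMWARE")
BASELINE_FP = boot_code_fingerprint(KNOWN_GOOD_MBR)


def remediation_verdict(after_cleanup: bytes, after_reboot: bytes) -> str:
    """Decide whether an MBR cleanup held. The sector must match the baseline not
    only right after the AV rewrote it, but again after the machine has rebooted;
    a second mismatch means something that runs before the OS put it back."""
    if check_mbr(after_cleanup, BASELINE_FP)["modified"]:
        return "cleanup failed"
    if check_mbr(after_reboot, BASELINE_FP)["modified"]:
        return "restored by earlier boot stage"
    return "clean"


if __name__ == "__main__":
    print(check_mbr(TAMPERED_MBR, BASELINE_FP)["modified"])   # True
    print(remediation_verdict(KNOWN_GOOD_MBR, TAMPERED_MBR))   # restored by earlier boot stage
```

On a real system the raw bytes come from the first sector of the boot disk (for example `/dev/sda` on Linux, read with root privileges); the fingerprint is deliberately taken over the boot code alone so that a legitimate repartitioning does not trip the check, while the partition entries are still parsed so an unexpected change there can be reported separately.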

The discovery represents one of the only times researchers have documented malware used in the wild that modifies the BIOS. In the late 1990s, malware known as CIH/Chernobyl did much the same thing on machines running Windows 9x by exploiting a privilege escalation bug in the Microsoft operating systems. In 2007, proof-of-concept software known as IceLord also reportedly made changes to the BIOS of infected machines, but there are no reports it has ever been used in actual attacks.

Mebromi is able to attack only BIOS ROMs made by Award, a manufacturer that was purchased by Phoenix in the late 1990s. The malware checks the BIOS ROM each time the PC boots up. If it’s made by Award and the malicious instructions aren’t found, Mebromi adds the code by reflashing the chip on the motherboard. According to Giuliani, it was first documented by the Chinese security company Qihoo 360, and primarily infects computers in that country.

Symantec researchers have more about Mebromi here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/

Notorious SpyEye trojan puts Android in crosshairs

Developers of the SpyEye banking trojan have started bundling it with malware for phones running Google’s Android operating system to intercept text messages many financial institutions use to prevent fraud, researchers said.

The trojan known as Spitmo is SpyEye’s first in-the-wild malware to target Android, Ayelet Heyman, a researcher for Trusteer, wrote in a blog post published Tuesday. It’s offered to people already infected with the desktop version of SpyEye under the guise that Android phones must install security software to work with a bank’s online services. The SMS messages of those who take the bait are then continuously intercepted and sent to a website under the control of the attackers.

Heyman said Trusteer researchers who infiltrated a command and control server that stored the purloined data found evidence that very few people have been infected by the malicious Android app. But its discovery suggests that SpyEye designers are busy augmenting the trojan to get around a key defense many banks have adopted to thwart current generations of password-logging software: the use of one-time pass codes sent by text message to a customer’s phone. Trusteer uncovered Spitmo in late July after analyzing a computer that was infected by SpyEye.

SpyEye made its debut in December 2009 in Russian underground forums and has been drawing attention for its sophistication and moxie ever since. In February 2010, it was updated with a “ZeuS killer” feature that scanned computers it had infected for signs that they were already compromised by the rival ZeuS banking trojan. When ZeuS was found, SpyEye removed it.

In January, researchers unearthed evidence that the source code for SpyEye and ZeuS had been merged, signaling competing developers had decided to join forces. More recently, SpyEye was caught tapping Amazon’s S3 cloud services for command-and-control support.

SpyEye’s Android component appears similar to a separate “man-in-the-mobile” app the banking trojan used to steal SMS messages from smartphones running the Symbian operating system.

For now, the smartphone components don’t appear to be making much headway. But with mainstream websites such as Google and Facebook using smartphones to deliver one-time passwords, it wouldn’t be surprising to see a proliferation of malicious apps that perfect the art of stealing SMS messages. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/spyeye_targets_android_phones/

“Find My Car” finds anyone’s car

An iPhone app released a few days ago called “Find My Car” has just turned into a PR disaster for shopping centre operator Westfield.

The idea seemed neat enough: download the app, and if you lose your car, just enter the number plate, which Westfield’s cameras had captured and indexed. Someone forgetting where they’d parked their car can then be shown a photo of where the car is.

As blogger Troy Hunt points out in this blog post, anyone can view anyone’s car.

Worse, he writes, the application can easily be unpicked to download the location, plates, entry and exit times of every vehicle in the Bondi shopping centre in which the service was first rolled out.

Picking the application apart, he says, shows that Westfield is “storing and making publicly accessible the time of entry and number plate of every single vehicle in the centre.”

Moreover, he demonstrates that access to this data isn’t just confined to someone using the “Find My Car” app: it’s on “public display to anyone with an Internet connection”.
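A lookup service like the one described above, which answers for any plate to anyone, leaves one trace that a defender can watch for even before the access control is fixed: a single client walking through many distinct plates in a short time. The following is an added example, not code from Westfield, Park Assist or Troy Hunt's post. It parses a hypothetical access-log format and a hypothetical `/find?plate=` endpoint (both assumptions, not the real API) and flags clients that query more than a threshold of distinct plates inside a sliding window. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log format: "<ISO-8601 time> <client IP> <method> <path> <status>".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$')
PLATE_RE = re.compile(r'[?&]plate=([A-Za-z0-9]+)')


def parse_line(line: str):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    plate = PLATE_RE.search(m["path"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "status": int(m["status"]),
        "plate": plate.group(1).upper() if plate else None,
    }


def find_enumerators(lines, window=timedelta(minutes=5), threshold=5):
    """Return {ip: max distinct plates looked up within any `window`} for clients
    that reach `threshold`. Failed lookups (404) count too: probing plates that
    are not in the car park is part of the same enumeration pattern."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["plate"]:
            per_ip[ev["ip"]].append((ev["ts"], ev["plate"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # advance the window start until all events fit inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({plate for _, plate in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample log: a shopper re-checking their own plate, and a client
# walking through a run of plates in about a minute.
SAMPLE_LOG = """
2011-09-14T10:00:01Z 203.0.113.7 GET /find?plate=ABC123 200
2011-09-14T10:03:40Z 203.0.113.7 GET /find?plate=ABC123 200
2011-09-14T10:01:00Z 198.51.100.9 GET /find?plate=AAA001 200
2011-09-14T10:01:10Z 198.51.100.9 GET /find?plate=AAA002 200
2011-09-14T10:01:20Z 198.51.100.9 GET /find?plate=AAA003 404
2011-09-14T10:01:30Z 198.51.100.9 GET /find?plate=AAA004 200
2011-09-14T10:01:40Z 198.51.100.9 GET /find?plate=AAA005 200
2011-09-14T10:01:50Z 198.51.100.9 GET /find?plate=AAA006 200
2011-09-14T10:02:00Z 198.51.100.9 GET /find?plate=AAA007 200
2011-09-14T10:02:10Z 198.51.100.9 GET /find?plate=AAA008 200
""".strip().splitlines()

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'198.51.100.9': 8}
```

Detection of this kind is a stopgap: the actual fix is to require the caller to prove a relationship to the plate (a ticket number or a logged-in account with the plate registered) and to never expose a bulk listing at all. The sliding-window count is still worth keeping afterwards, since it also catches credential-stuffed or shared accounts that start behaving like scrapers.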

It’s even possible that the underlying Park Assist service has been handled carelessly for longer than Hunt believes, with code purported to be from Park Assist posted to pastie.org back in April.

Not surprisingly, the service is offline at the moment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/find_my_car_fail/

Bittorrent.com’s software download hacked to serve malware

File-sharing with fake AV

Attackers hijacked two popular Bittorrent websites and tampered with their download mechanisms, causing visitors trying to obtain file-sharing software to instead receive malware.

The hacks on bittorrent.com and utorrent.com replaced the sites’ standard software downloads with a piece of fake antivirus software known as Security Shield, an advisory warned. Anyone who downloaded and installed software from those sites between 4:20 a.m. California time and 6:10 a.m. should scan their systems immediately for infections.

Once installed, Security Shield delivers false reports that a computer is infected with multiple pieces of malware and prompts the user for payment before claiming to disinfect the machine. The attack affected only users who downloaded and installed software from bittorrent.com and utorrent.com during the hour-and-fifty-minute window that the sites were compromised. Those who installed software previously are unaffected.

“We take the security of our systems and the safety of our users very seriously,” the Bittorrent advisory stated. “We sincerely apologize to any users who were affected.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/13/bittorrent_malware_hack/

Minister seeks to rip ‘Like’ buttons off German gov web

Germany’s consumer protection minister Ilse Aigner is once again calling on her peers to ditch the use of Facebook by government officials, citing what she believes are valid “justified legal doubts” raised about the social network.

In a letter to German newspaper Spiegel, Aigner wrote to urge her cabinet colleagues to “no longer use the Facebook button on all official government internet sites under our control”.

She cited “an extensive legal probe” to back up her concerns about data protection.

Aigner asked all government ministries in Germany to stop using fan pages on Facebook – a practice that has become commonplace among central and local gov departments in the UK.

The German minister killed her own Facebook profile last year and this isn’t the first time she has sounded off against the Mark Zuckerberg-run company.

She complained about tweaks to Facebook’s privacy permissions in 2010, after the social network confirmed it would share data with what it described as a small number of carefully selected third-party websites.

Aigner said German politicos should “set a good example and show that they give a high priority to the protection of personal data”.

In August, Facebook was criticised by a data protection authority in Germany for siphoning off information about the country’s citizens to servers based in the US.

On that occasion the company’s “Like” button and “Pages” feature were attacked by data protection officers in the Northern German federal state of Schleswig-Holstein.

Germany’s Independent Centre for Privacy Protection (ULD) called on website operators based in that region to “shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’-button from their websites”.

A source at Facebook later tried to play down the row by pointing out that it was “a really small local data protection authority” in Germany causing a fuss.

Late last week, the Wall Street Journal reported that Facebook’s EMEA policy wonk Richard Allan was working on a voluntary code of conduct with German officials in a clear effort to appease ministers in Germany who have expressed data protection fears about the popular network. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/13/german_minister_facebook_richard_allan_privacy_code/

Murdoch to reappear before MPs in phone-hack case

MPs are expected to grill James Murdoch for a second time, but no date has been set by the media, culture and sports committee yet.

The News International chairman, son of News Corp mogul Rupert Murdoch, will be asked in to Parliament again only after the MPs Tom Watson, Louise Mensch and their committee colleagues have heard evidence from Les Hinton, an unnamed representative from Farrer & Co solicitors and lawyer Mark Lewis.

A media, culture and sports committee spokeswoman confirmed to The Register that no date had been set for either session yet.

She added that James Murdoch would only be recalled after his father’s right-hand man for 52 years, Hinton – who resigned in July amid allegations of widespread phone-hacking at the now-defunct NI Sunday tabloid News of the World – had appeared before the MPs.

Lewis, who represents murder victim Milly Dowler’s family, and Farrer & Co – which acted for NI subsidiary News Group Newspapers in handling claims issued by former Football Association boss Gordon Taylor – will also be asked to give evidence before Murdoch is asked to reappear before the committee.

Separately, it has been reported by the Guardian that the mother of 7/7 bombing victim Christian Small is to pursue a civil case against NI over alleged voicemail interception. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/13/james_murdoch_parliamentary_hearing_recall/

State-sponsored spies collaborate with crimeware gang

Hackers sponsored by the Chinese government and other nations are collaborating with profit-driven malware gangs to infiltrate corporate networks storing government secrets and other sensitive data, researchers say.

In many ways, the relationship between state-sponsored actors and organized crime groups that target online bank accounts resembles the kind of mutually beneficial alliances found in nature every day. Just as human intestines create the ideal environment for certain types of bacteria – and in turn receive crucial nutrients and digestive assistance – crimeware operators often cooperate with government-backed spies perpetrating the kinds of APTs, or advanced persistent threats, that have pillaged Google, RSA Security, and other US companies.

To the potential benefit of state-sponsored hackers, profit-driven malware gangs frequently have control of large numbers of infected machines belonging to government contractors and Fortune 500 companies. Because most of the machines never conduct business online, they may not represent much of an asset to the criminal gangs, which often allow the infected machines to sit dormant for months or years.

The same machines, however, can be a goldmine to spies hoping to plant APTs that steal weapons blueprints or other sensitive government data from adversaries. So rather than build an exploit from scratch, the APT actors can simply use botnets controlled by the attackers to access an infected machine on a sensitive network the spies want to infiltrate.

“Almost always, it’s cheaper for them to do the latter,” said Darien Kindlund, a senior staff scientist at FireEye, a network security firm. “What this means is there’s an actually symbiotic relationship here.”

In exchange for access to already-infected machines inside government contractors, state-sponsored actors often give malware gangs attack code that exploits previously unknown flaws in Microsoft’s Internet Explorer and other widely used applications. As these zero-day vulnerabilities become known to people defending government contractor networks, the exploits quickly lose their value to APT actors. The same code, however, often has plenty of currency among gangs preying on smaller businesses and mom-and-pop end users.

Kindlund got the chance to document one such quid-pro-quo exchange a few months ago when he was helping to secure the network of a sensitive government contractor. In March, FireEye researchers detected a sophisticated trojan, known as Wermud, used by members of “Ghostnet,” a spy ring researchers say is sympathetic to the Chinese government and has been known to target supporters of the Dalai Lama and corporations and governments in more than 100 countries.

On March 15, FireEye researchers identified a unique fingerprint Wermud leaves on networks it infects and devised a means to neutralize the threat. Less than three weeks later, according to this sample from VirusTotal, criminal malware known as Trojan.FakeAV.BU was circulating in the wild that generated the same signature on networks it infected.

“This happens regularly,” Kindlund told The Register. “It typically occurs in a multi-month cycle. We suspect this window will get shorter, but if you’re dealing with exploits that take a long time to patch, then we could see that window being even longer.”

In exchange for passing along malware hand-me-downs that are no longer needed, Kindlund said, APT groups get access to botnets operated by the criminal malware operators. For support, he cited recently presented research from computer scientist Stefan Savage of the University of California at San Diego, and articles such as this one from security journalist Brian Krebs.

Both Savage and Krebs document the availability of compromised hosts in underground markets. Kindlund said APT actors frequently make use of these services. He went on to say the cooperation between the groups is so common that brokers now exist to make trades more efficient. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/13/apt_botnet_symbiosis/

Linux.com pwned in fresh round of cyber break-ins

Just a month after kernel.org – the nerve centre of Linux kernel development – fell victim to a malware attack, the Penguinista community is reeling from another bout of security breaches.

“Linux Foundation infrastructure including LinuxFoundation.org, Linux.com and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011,” the holding page on the sites says. “We believe this breach was connected to the intrusion on kernel.org.”

Last month, a trojan was discovered on the PC of one of the kernel’s developers and was later spotted lurking on kernel.org servers. The malware had gained root access, modified system software and logged passwords and transactions of the servers’ users. The attack started on August 12th but wasn’t discovered until the 28th, and the kernel.org site is still “down for maintenance”.

The Linux Foundation is checking over its systems, and it remains cautious about how much information the hackers may have got their hands on, advising people that their passwords and SSH keys might be compromised.

“If you have reused these passwords on other sites, please change them immediately,” the holding page urges.
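When a shared host that held users' SSH keys is compromised, the advice above extends to keys as well as passwords: any public key that was authorised on the breached machine should be treated as suspect everywhere it appears. The following is an added example, not Linux Foundation or kernel.org code. It parses an `authorized_keys` file (including lines with a leading option string such as `no-pty,command="..."`), computes the OpenSSH-style `SHA256:` fingerprint of each key blob, and reports any entry whose fingerprint is on a revocation list. The key blobs are constructed in the ssh-ed25519 wire format from deterministic filler bytes, not real keys, and the revocation list is constructed from one of them.

```python
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint_sha256(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob),
    the same form ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (line_no, key_type, blob_b64, comment) for each key line, skipping
    comments, blank lines and any leading option string (no-pty, command=...)."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # the key type is the first token that looks like one; anything before it is options
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line, nothing to fingerprint
        comment = " ".join(tokens[idx + 2:])
        yield line_no, tokens[idx], tokens[idx + 1], comment


def audit_authorized_keys(text: str, revoked: set) -> list:
    """Return [(line_no, fingerprint, comment)] for keys whose fingerprint is revoked."""
    hits = []
    for line_no, _key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint_sha256(blob)
        if fp in revoked:
            hits.append((line_no, fp, comment))
    return hits


def _fake_ed25519_blob(seed: int) -> str:
    """Constructed key blob in ssh-ed25519 wire format (length-prefixed type string
    followed by a length-prefixed 32-byte key). The 32 bytes are deterministic
    filler derived from `seed`, not a real public key."""
    key = hashlib.sha256(struct.pack(">I", seed)).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(blob).decode()


KEY_LEAKED = _fake_ed25519_blob(1)  # constructed: pretend this key lived on the breached host
KEY_OK = _fake_ed25519_blob(2)      # constructed: an unaffected key
SAMPLE_AUTHORIZED_KEYS = f"""
# constructed sample authorized_keys
ssh-ed25519 {KEY_LEAKED} dev@kernel-box
no-pty,command="/usr/bin/git-shell" ssh-ed25519 {KEY_OK} ci@build
ssh-ed25519 {KEY_OK} admin@laptop
"""
REVOKED = {fingerprint_sha256(KEY_LEAKED)}  # constructed revocation list

if __name__ == "__main__":
    for line_no, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, REVOKED):
        print(f"line {line_no}: revoked key {fp} ({comment})")
```

To use it against real files, feed the contents of each server's `~/.ssh/authorized_keys` and a revocation set built from `ssh-keygen -lf` output for the affected keys. The option parser splits on whitespace, so an option string whose quoted `command=` contains a space would need a proper quote-aware tokenizer.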

The official Linux Foundation Twitter feed says that it is “working around the clock to investigate and resolve” the issue and that it will issue updates when it has them. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/more_linux_sites_down/

Team HP: Cloud Police

When HP announced it was exploring options for its PC business, the company said it’d move into the more profitable arena of enterprise solutions. Judging from a speech given at HP’s annual security conference yesterday, the titan is eyeing up cloud security as a big growth area.

Policing the cloud and monitoring employee mobiles are two of the big challenges faced by businesses in the next few years, said Tom Reilly, HP VP and general manager for Enterprise Security Products. HP wants to be there, selling businesses ways to fix them.

Businesses will need help storing information safely in the cloud, and the increasing numbers of staff bringing smartphones and tablets into work make for another security headache, Reilly said, according to a report of the speech on AllThingsD.

This is the seventh year of HP’s annual cybersecurity symposium, Protect 2011, and the largest to date, according to its press release. Reilly himself came to HP from cyber-security firm ArcSight, which HP acquired in 2009.

HP has signalled its interest in the cloud before: CEO Leo Apotheker talked cloud in March this year at the HP Summit in San Francisco. Though some of its efforts to become a cloud-computing business have come under criticism (as The Reg explores here), this is the area the company is propelling itself into after deciding – probably – to drop the personal-system hardware side of its business in August.

A recent spate of press releases by Hewlett Packard emphasise its focus on cloud services – particularly cloud security services: “Government leaders talk cloud, cost savings with HP”; “Innovating today for the network demands of tomorrow”; and “HP Research Reveals 56 Percent Rise in Cost of Cybercrime”.

Looks like that’s where they see the money. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/hp_position_themselves_as_the_cops_of_the_cloud/