
Security

Read all 'malware' posts in Security
December 4, 2009 6:13 PM PST

PC Tools Internet Security 2010 reviewed

by Seth Rosenblatt

PC Tools' Internet Security suite for 2010 gets some things right, and frustratingly drops the ball on others. It's hard not to like the feature set, which is robust, and the recent efficacy badge from Virus Bulletin. However, some of the problems in the suite are glaring and will potentially scare away users who might otherwise find it a good security tool.

The default landing page should appeal to those who like quick glances to ensure everything is running smoothly. Green checkmarks or red Xes make it easy to see if you're at risk. Drilling deeper down to the settings pages could be better, though. Too often, the plain text felt squished by the chunks of white space on the right, and made it unnecessarily hard to parse logs and fine-tuning controls like the firewall or advanced scan settings.

The performance benchmarks weren't horrible, but they didn't impress, either. Falling somewhere in the middle of its competitors, and notably slow especially on computer start-up times, the suite could be much more nimble. Also annoying is that when held up against most of its competitors, the trial version is noticeably hamstrung. You only get 15 days to make a decision with the suite, and it won't remove any threats it detects.

What PC Tools fans will like is that although two earlier tests by Virus Bulletin this year gave PC Tools Internet Security 2009 failing marks, the first test of the new version passed the test on Windows 7. So for those with new computers, PC Tools' slightly lower price point of $50 for three licenses for its premium product may stand out as a good deal. Read the full review at CNET Reviews.

Originally posted at The Download Blog
December 2, 2009 7:21 AM PST

McAfee uncovers riskiest domains

by Lance Whitney
Red means danger. And orange offers plenty of risk, too.

(Credit: McAfee)

You may want to think twice if you hit a site with a .cm extension. That belongs to Cameroon, pegged by McAfee as the world's riskiest domain.

McAfee's third annual "Mapping the Mal Web" report, released Wednesday, looks at riskiest and safest domains across the globe. The small nation on the west coast of Africa reached the top spot this year with 36.7 percent of its sites posing a security risk. Because .cm is often a typo for .com, McAfee said, cybercrooks like to use that domain to set up typo-squatted sites to hit you with malware.

The generic and widely used .com domain itself isn't much safer, according to McAfee, jumping from ninth last year to second this year in riskiness, with 32.2 percent of its sites potentially hazardous to your PC's health.


Romania (.ro) is tagged as the riskiest domain for malicious downloads, with 21 percent of its sites delivering payloads of viruses, spyware, and adware. The information (.info) domain is seen by McAfee as the most "spammy," with 17.2 percent of its sites generating junk mail.

On the positive side, the government (.gov) is the safest generic domain with essentially 0 percent risk, while Japan (.jp) proved the safest country domain with a rating of only 0.1 percent. Last year's riskiest domain, Hong Kong (.hk), dropped to 34th place with a risk rating of only 1.1 percent, which McAfee attributed to the country's aggressive steps to stop scam-related domain registrations.


"This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer," Mike Gallagher, chief technology officer for McAfee Labs, said in a statement. "Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught."

Overall, looking at 27 million Web sites and 104 top-level domains, McAfee found that 1.5 million sites, or 5.8 percent, were risky. That's up from 4.1 percent from the past two years, although the comparison is not direct since McAfee said it changed its rating methodology since then.

McAfee noted that cybercriminals who create domains to scam people prefer registrars with cheap prices, volume discounts, and hefty refund policies. Crooks also like registrars with a "no questions asked" policy and that act slowly or not at all when informed of malicious domains.

November 10, 2009 2:38 PM PST

A child porn-planting virus: Threat or bad defense?

by Larry Magid

A story recently surfaced saying malware could plant child porn on innocent people's computers without their knowledge. Just how real is this threat? And how can you keep it from happening to you?

Being accused of possessing child pornography can ruin people's reputations, confront them with overwhelming legal bills, and, if they are convicted, deprive them of their freedom for years if sentenced to prison time, and perhaps for life if they're required to register as sex offenders.

That is why, at least in part, a recent case outlined by the Associated Press raised concerns over computer viruses being used to plant child pornography on people's computers. But the innocent have little to fear, according to experts.

The AP story reported about the case of Michael Fiola, a former Massachusetts state employee whose state-owned work computer was found to contain illegal child pornography images. He was fired and charged with possession of child pornography which, had he been convicted, could have landed him in prison for up to five years, according to the AP.

Sexually explicit images of children--who are often being exploited--are not protected by the First Amendment because they may memorialize, celebrate, or encourage sexual crimes against children deemed defenseless victims. Although Fiola avoided a child porn conviction, he reportedly has suffered related indignities, including death threats and friend abandonment. The AP said he and his wife liquidated their savings and spent $250,000 on legal fees.

Ultimately, charges were dropped after Fiola's defense showed that his computer was infected by a virus that was "programmed to visit as many as 40 child porn sites per minute," something that a human couldn't do, even if he or she tried. Other reports about this case indicate that the antivirus software on Fiola's computer was out of date and therefore was not protecting him against malware.

Could it happen to you?
How likely is a case like Fiola's? If viruses are capable of putting illegal content on people's computers, aren't we all at risk of being arrested for serious crimes we never meant to commit? And if it is possible for this to happen, isn't "the virus did it" claim likely to become the mantra of every defense attorney who represents people accused of possessing child pornography?

To help answer these questions, I spoke with security experts, legal scholars, former prosecutors, and Justice Department officials. The consensus? It is indeed possible for malicious software to plant child pornography--or any other type of file, for that matter--on an innocent person's computer, but being possible doesn't mean it's likely. And forensics experts can detect intention.


"It's quite possible for a malware creator to include child pornography as part of the payload on an infected computer," according to Symantec spokeswoman Marian Merritt, but "such payloads are not typical."

Most malware authors, Merritt said, "are motivated by money, and there's no clear indication as to how planting child porn on an unsuspecting person's computer would help generate money for criminals."

One possible motive for remotely using someone else's computer to store child porn is to make it possible to access the contraband without running the risk of it showing up if your PC is seized or searched. Merritt worries that "this could become a possible use for malware, going forward," but Michael Geraghty, executive director of the National Center for Missing & Exploited Children Technology Services Division, said that, while possible, it's not an effective way to store child porn and remain undetected.

"If you put the images on someone else's computer, you might not be able to retrieve them when you want them," Geraghty said. He pointed out that the zombie machine storing the data would have to be turned on and connected for the malware sender to access it. If it weren't online, or the files had been deleted, the files wouldn't be there to retrieve.

Another deterrent, of course, is a potential digital trail between your computer and the one you're using to store it. Although there are ways to evade detection, forensic investigators do have ways to trace Internet Protocol addresses to catch people in the act of uploading and downloading material.

"I've never seen it where child porn was intentionally placed on someone's computer because of a virus," Geraghty said. He has, however, seen cases where "someone was redirected to a site where it could have entered the cache." If someone were to go to a legal adult porn site, it's possible that the browser would "open 100 different windows," including some that could contain child porn. "As a result of that, any images on any of these sites would be cached, and there would be a record that you had been there."

But Geraghty said investigators can tell the difference between someone who deliberately downloaded such images and someone who may have inadvertently downloaded perhaps thousands of images because of a virus or misdirected Web site.

Totality of evidence
"A good forensics expert would try to determine how (the images) got on the computer and who was responsible for putting them there," he said. "That would be determined by looking at the totality of the evidence, not just the fact that there were images there."

Things a good investigator would look into include whether the suspect was sitting at the computer at the time the images were downloaded. Was he using the computer to send e-mail or visit other Web sites at the time? "There is always some type of trail we can follow to determine if the person were likely actively involved in the process of downloading the material," Geraghty said.


Another indicator is the time lapse between image downloads. A virus or Trojan horse is likely to download multiple images at a time, sometimes faster than might be humanly possible to do manually. A person who collects child pornography typically acquires it over a period of time, and a forensic investigation of the computer should reveal that.

Phil Malone, a clinical professor at Harvard Law School and director of its Berkman Center Cyberlaw Clinic, agrees that a good forensic investigator should be able to tell the difference between files placed by a virus and ones deliberately downloaded.

"It's the excuse of the moment for defendants," he said. "Lots of child porn defendants try to blame (images found on their computers) on viruses, but it's almost never true. You can actually figure this out. In the handful of cases that have been problematic, it looks as if everyone moved too quickly. The agency discovered material and immediately jumped to conclusions." Malone added that "good, solid forensics would be able to tell in virtually every case."

Malone agreed with Geraghty, of the National Center for Missing & Exploited Children, that it's fairly common for someone, when viewing adult pornography on a Web site, to inadvertently receive pop-ups that may include images of child porn.

"It's possible to tell if something was opened or saved to a file from the cache," Malone said. Investigators can usually figure out if an image was downloaded intentionally, based on other activity that took place on the computer at the time, he said, adding that it's incumbent on both prosecutors and defense attorneys to launch a thorough investigation that includes analyzing a copy of the hard drive to determine not just which images are stored within, but also how they got there.

Geraghty said it's important to look at other factors. "The computer holds a lot of information about the searches that someone runs. If there were none of those searches and nothing else but some images in the cache, you would question how they got there. You would look for collaborating evidence such as intent to visit the site (and capability) of visiting the site. Did he have knowledge?"

A good investigation will look for exculpatory evidence to see if there are other explanations for the images. That investigation, Geraghty said, should start with making one or more exact copies of the suspect's hard drive and examining those copies to look for evidence of malicious software that could be responsible for the images. Defense attorneys can also gain access to a copy of the drive, but because it may contain illegal child porn images, their experts will probably have to examine the drive at the police station or prosecutor's office; possession of those images--regardless of the reason--is illegal for anyone other than personnel granted immunity.

Burden of proof
"In each case, the prosecution will need to prove (that) the defendant knowingly and intentionally possessed, received, or distributed child pornography," according to Drew Oosterbaan, chief of the Child Exploitation and Obscenity section of the Justice Department. "The proof starts with establishing that the images involved are child pornography and ends with establishing that the person charged is criminally responsible for it. We prove the latter in myriad ways."

Oosterbaan said that when someone is charged with possessing child pornography on his computer, "the computer is, in many ways, a crime scene, and the forensic examination of that computer is critical to meeting the elements of proof in the prosecution." He added that "it's important to remember that in every case, the government carries the burden of proof."

Oosterbaan said he is not aware of any cases in which botnets were used to plant child porn on other people's computers.

A former federal prosecutor now working for a technology company, who requested anonymity, said this may become a bigger issue as we enter the era of cloud computing, in which more and more data is stored on Internet servers instead of hard drives.

"There is no question that perpetrators are going to look for places to hide their criminal activity, including child porn, because they're increasingly aware that if law enforcement comes to their house, they will see the material," the former prosecutor said, adding that companies in the cloud storage business need to be aware that their systems could be used for illegal purposes. "They should reach out to the National Center for Missing & Exploited Children to implement a system to compare uploaded files against hash marks (digital fingerprints) of known child porn images."

As with any other security issue, the best defense is to protect your machine against intrusions. This includes:

  • Making sure that your operating system and regularly used software are up-to-date.
  • Using good software addressing malware, phishing attacks, and/or spam, and keeping it up to date. Subscriptions to paid programs should be renewed.
  • Being cautious about spam and about providing information to sites you navigate to from links within even the most legitimate-appearing e-mails.

Disclosure: I serve without compensation as a board member at the National Center for Missing & Exploited Children, which deals with child porn cases. Still, I don't necessarily agree with all NCMEC policies, nor do I speak on behalf of the organization.

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
October 29, 2009 9:59 AM PDT

Kaspersky tool detects malware in Twitter links

by Elinor Mills

Kaspersky unveiled a new tool on Thursday called "Krab Krawler" that analyzes the millions of tweets posted on Twitter every day and blocks any malware associated with them.

The tool looks at every public post as it appears on Twitter, extracts any URLs in them and analyzes the Web page they lead to, expanding any URLs that have been shortened, Costin Raiu, a senior malware analyst at Kaspersky, said in an interview.

The company is scanning nearly 500,000 new unique URLs that appear in Twitter posts daily, he said. Of those, anywhere between 100 and 1,000 are malware attacks. Twitter has also been targeted by the Koobface virus which posts malicious links from infected users' accounts.

About 26 percent of the total posts contain URLs, and many of those lead to spam sites that are marketing products or services and aren't considered malware, according to Raiu. Tens of thousands of different accounts are posting spam links, most likely from accounts created by bots, he said. The most frequent URLs posted lead to online dating sites, he added.

Twitter has its own filtering system, but some malicious links still manage to get through, Raiu said.

While Kaspersky's regular antivirus software may detect and block 95 percent of the malware Twitter users are threatened with, malware code changes frequently to evade filters and it could take between two and 12 hours for new stuff to be classified as malicious and detected, he said.

While antivirus companies have traditionally focused on protecting against e-mail-borne viruses, they are increasingly turning their attention to social-media sites as attackers do.

Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links, said Morton Swimmer, a senior threat researcher at Trend Micro.

Meanwhile, Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Gmail, Blogger, MSN, MySpace, Google search, Yahoo, and other sites.

Social-media sites are popular for attackers not only because people are flocking to them, but also because users seem to trust messages that appear to come from friends on those sites more than they trust e-mails, Raiu said.

"People are worried about unsolicited e-mail, so they are careful not to run the programs they get by e-mail, but they aren't prepared to deal with these kinds of new attacks," he said.

The most common piece of malware associated with Twitter links is Trojan-Clicker.HTMLIFrame, a malicious JavaScript that can get downloaded to a computer when it visits a compromised Web site.


Originally posted at InSecurity Complex
October 28, 2009 7:59 AM PDT

More security breaches hit midsize companies

by Lance Whitney

More midsize companies are being attacked by cybercriminals at the same time they're spending less on security, says a McAfee report released Wednesday.

Across the world, more than half of the 900 midsize businesses (51 to 1,000 employees) surveyed by McAfee for its report, The Security Paradox, said they've seen an increase in security breaches over the past year. Despite the threat, the recession has caused most of these companies to freeze their IT security budgets.

Midsize organizations have seen an increase in cyberthreats in 2009. (Credit: McAfee)

McAfee found that the costs of dealing with a security attack can be high. Over the last year, one of five midsize companies surveyed lost $41,000 in sales on average as a result of a breach. In China alone, 38 percent of the businesses questioned lost an average of $85,000 due to an attack. And more than 70 percent believe a serious data breach could put them out of business, noted the report.

Organizations think a breach could put them out of business. (Credit: McAfee)

But as the recession has grown, IT budgets have dropped. Almost 40 percent of the companies trimming their IT security budget plan to limit the purchase of new security products. And more than a third are switching to cheaper security software to cut expenses, even though they realize that may put them at greater risk.

"An organization's level of worry and awareness about increasing threats has not overcome the downward pressure on budgets and resources," said Darrell Rodenbaugh, senior vice president of global midmarket for McAfee, in a statement. "But this creates a vicious cycle of breach and repair that costs far more than prevention."

Midsize companies also may underestimate their risk, according to McAfee. Among companies with fewer than 500 employees, more than 90 percent believe they're protected from cybercriminals and feel they don't face the same threats that larger firms do.

But McAfee discovered that businesses with 101 to 500 people had on average 24 security breaches over the past three years, compared to 15 breaches for those with 501 to 1,000 employees.

In the long run, dealing with the aftermath of a security attack eats up a company's time and expenses. The study found that 65 percent of firms spend less than four hours a week on IT security, but around the same percentage have spent more than a day recovering from security breaches.

"Our research shows that organizations that put more effort on preventing attacks can end up spending less than a third as much as those that allow themselves to be at risk," said Rodenbaugh.

The study was conducted by research firm MSI International, which surveyed 100 midsize businesses in each of the following countries: U.S., U.K., Australia, Canada, China, France, Germany, India, and Spain. The results were compared with prior studies done in North America and Europe.

October 27, 2009 8:00 AM PDT

Web-based malware infections rise rapidly, stats show

by Elinor Mills

The number of Web sites hosting malicious software, either intentionally or unwittingly, is rising rapidly, according to statistics to be released on Tuesday from Dasient.

More than 640,000 Web sites and about 5.8 million pages are infected with malware, according to Dasient, which was founded by former Googlers to offer services to help Web sites stay malware-free and off blacklists.

That figure for infected pages is nearly double what Microsoft estimated in a report in April.

Meanwhile, the Google blacklist of malware infected sites has more than doubled in the last year, registering as many as 40,000 new sites in one week.

Dasient identified more than 52,000 Web-based malware infections, bringing the total to more than 72,000 unique infections logged by the company since it launched its malware analysis platform early this year.

Infections on newly compromised sites that have 10 pages or more spread to nearly one quarter of the pages on the site, on average. Nearly 40 percent of the infected sites were later reinfected.

Most of the malware infections are accomplished by JavaScript and iFrames being injected into legitimate sites, accounting for nearly 55 percent and 37 percent respectively, said Dasient co-founder Neil Daswani.

The statistics illustrate the growing trend of attackers targeting browsers and Web applications with SQL injections, cross-site scripting and other attacks that can lead to drive-by downloads. Infections can come from anywhere on a site, including widgets and ads.

Dasient will be providing a top 10 list of Web-based malware attacks for each week and other trend information, as well as publishing information about new infections via a Twitter feed.

Dasient is sharing information on the top Web-based malware infections with Web site owners.

(Credit: Dasient)

Originally posted at InSecurity Complex
October 13, 2009 7:58 AM PDT

McAfee releases new security suite for Macs

by Lance Whitney

Updated 1:45am PST Tuesday with pricing information.

McAfee has released a new security suite designed to help businesses better handle security for their growing segment of Macintosh computers.

Targeting small to large companies, McAfee Endpoint Protection for Mac provides antivirus and antispyware features, and both an inbound and outbound firewall, McAfee said Tuesday.

The company is positioning the tool as a plus for IT administrators and for users. Administrators can use the same console to manage McAfee security on both Mac and Windows machines, said the company. The software lets administrators deny or control which applications can run on supported Macs. The suite's ePolicy Orchestrator tool can also generate reports of malicious activity for review.

Some have debated whether the Mac needs security software since it has traditionally been a less visible target than Windows for attack. But with Internet threats continually on the rise, few computer environments are completely immune. Even Apple has advised Mac users to protect themselves with security software.

Antivirus software for the Mac has been sold for a long time by companies such as Symantec and McAfee. But most products have been geared to the individual user.

McAfee sees its Endpoint Protection suite as filling a growing need at schools, companies, and government agencies that have adopted more Macs in recent years.

"The demand for Macintosh in the enterprise is steadily growing, yet organizations are either not using any security technology for these endpoints, or they are using a standalone, non-manageable anti-virus protection solution," Peter Lincoln, IT director at Aquent, said in a statement provided by McAfee. "The use of McAfee Endpoint Protection for Mac enables us to have complete protection on all our endpoints. Using the same integrated management console also allows us to lower our operational cost and ensure security and compliance."

A survey conducted last year by ITIC showed that a greater number of companies were planning to allow Macs into their workforce.

McAfee Endpoint Protection for Mac is compatible with the latest release of Apple's Snow Leopard as well as existing Leopard and Tiger environments. A McAfee spokesperson said the product's retail price would be $55.08 per computer for a network of 500 - 1000 computers. The pricing includes one year of Gold technical support.

October 12, 2009 3:00 AM PDT

New Ad-Aware offers behavioral detection

by Seth Rosenblatt

Lavasoft has updated its popular malware and spyware detection and removal tool Ad-Aware. Rather than a dramatic redo, version 8.1 builds on the improvements made in the previous version. The new version is faster, has better removal abilities, and introduces a behavioral detection engine.

Called Genotype, Ad-Aware's heuristic-based behavioral detection engine isn't explicitly called out in the interface. However, I noticed that files that had been flagged falsely as threats in earlier versions were no longer called out as such, and the Quick Scan was able to complete in about three minutes, as opposed to 10 minutes in the previous version. These are empirical observations, of course, but this version's improvements should be easy to see for longtime users of Ad-Aware.

Removal techniques have also been improved. Lavasoft is calling the new system Neutralizer, although it's not called out as such in the program interface. What users will see is a "family" of grouped similar threats, such as cookies, the category of the threat, and the action taken. The program defaults to the Recommended action, which means you need to click on the drop-down menu to the right of the listing to see what action will be taken on a per-threat basis. The big action buttons introduced in version 8 still reside at the bottom of the window, which feels further than necessary--it'd be better to have the action button closer to where the mouse already is, at the top of the window.

There is one big change to the interface in v8.1. At the bottom left corner of the window, there's a toggle to switch between Simple mode and Advanced mode. Simple mode is for users who are set-it-and-forget-it types, with fewer options displayed. Advanced mode allows for deeper settings customization. There's also a gaming mode, so that full protection continues to run while you play games or watch videos, but detected threats won't interrupt your entertainment until you're done.

Ad-Aware's new Advanced mode, presenting more options by default.

(Credit: Screenshot by Seth Rosenblatt/CNET)

Fans of personalization get more skin action in this version, too. In addition to the included skins, the community support offered at MyLavaSoft now includes community-sourced translations and skins.

However, fans of the free version do not get all the features available in the paid upgrades. Antivirus is only for paying customers, and while rootkit detection is present, behavior-based heuristics and real-time registry protection are not. Ad-Aware Free cannot scan networked drives, and even a basic feature like the scheduler remains off-limits in the free version. The Ad-Aware toolbox for system tweaks is only available in the Pro version. I encountered a pop-up for the upgrade, although Lavasoft told me that this was an infrequent occurrence. Ad-Aware Plus is available for $26.95, and Ad-Aware Pro is $39.95, and both have a 30-day trial.

Originally posted at The Download Blog
October 2, 2009 8:02 AM PDT

Security Essentials fares well in AV-Test trial

by Lance Whitney

Microsoft's new Security Essentials software has passed at least one exam so far--a review by security testing firm AV-Test.org.

Using the latest version and definition updates of Microsoft Security Essentials (MSSE) downloaded from the Web, AV-Test ran the product through a series of tests on Sept. 29 and 30 to judge its effectiveness at fighting malware.


To check static known malware, AV-Test pitted Security Essentials against the most recent WildList, a sampling of 3,732 viruses and other threats compiled by the WildList Organization. Microsoft's product successfully detected and blocked all of the samples in both manual and active scanning.

AV-Test also threw its current set of 545,034 viruses, worms, Trojans, and other threats at Security Essentials. MSSE successfully caught 536,535 samples for an overall good detection score of 98.44 percent.

In AV-Test's battle against adware and spyware, Security Essentials stopped 12,935 out of 14,222 samples, earning a detection grade of 90.95 percent. No false positives came up in a scan of over 600,000 clean files from Windows, MS Office, and other commonly used programs.

In checking for dynamic malware detection, which is based on behavior rather than static lists, AV-Test found that MSSE had no "dynamic detection" in place, as the software failed to find any of the recently released malware used in the test. AV-Test noted that other standalone antivirus products don't include behavior-based detection either, although that feature is typically found in full security suites.

MSSE also found and eliminated all 25 rootkits that AV-Test threw at it.

Security Essentials did only a fair job of cleaning up infections. Facing 25 different malware samples, the product removed all active components as part of its repair process. But in many cases, some remnants of the malware were left behind, as inactive executable files or empty Registry keys.

Finally, AV-Test found that the speed of Security Essentials scanning was about average compared with that of other security products.

AV-Test's review of Security Essentials was run on Windows XP with SP3, Windows Vista with SP2, and Windows 7 RTM, both the U.S. English and German 32-bit editions. A series of papers on the methodology used by AV-Test in its testing process are at the company's Web site.

CNET's Seth Rosenblatt also looked at Security Essentials this week, while CNET News reporter Ina Fried has said the beta version of the product recently saved her from a Koobface attack.

September 29, 2009 11:51 AM PDT

Malware worldwide grows 15 percent in September

by Lance Whitney

A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security.

Across the globe, the average number of PCs hit by malware now stands around 59 percent, an all-time high for the year. Among 29 countries tracked, the U.S. ranked ninth with slightly more than 58 percent of its PCs infected. Taiwan hit first place with an infection ratio of 69 percent, while Norway came in lowest with only 39 percent of its PCs attacked by malware.


The study found that in the U.S., Trojans and Adware were the two most pernicious types of malware, followed by worms and viruses.


"This is a clear sign that hackers are becoming more and more sophisticated," said PandaLabs Technical Director Luis Corrons. "Cybercriminals have found new ways to spread their creations, frequently exploiting the latest news stories to launch attacks through social networks, videos, and e-mail. The huge amount of Trojans in circulation is due to the spectacular increase in the number of banker Trojans aimed at stealing user data."

The company based its results on data taken from users who scanned their PCs with the free Panda ActiveScan online tool. The results for September were gathered from August 28 to September 28 and compared with the results from July 28 to August 27.
