I've been using the tag line "information security is worse than you think" for several years. Every once in awhile, I meet with a security vendor who backs up my words with scary metrics. Last week in New York, Trend Micro filled this role.
According to Trend Micro's Chief Technology Officer Raimund Genes, the volume and potency of Web-based threats are now exceeding the industry's capacity to fight back. For example, Trend Micro says that it added approximately 50 new anti-malware patterns to its database each day in 2005. In 2008 the volume has grown 100-fold: Trend Micro now adds about 5,000 new patterns a day. As Phil Rizzuto used to say, "holy cow."
With traditional security software, vendors like Trend Micro develop new patterns or signatures and then upload them to customers running their software. The more patterns the vendors write, the more network bandwidth, storage, memory, and processor resources they use. Pretty soon your PC is using an inordinate amount of its horsepower for security.
Trend Micro believes this model is not sustainable and proposes an alternative. Its new service (aka Trend Micro Smart Protection Network) uses a lightweight client to communicate with Trend reputation services in the cloud. Reputation services proactively scan Web, e-mail, and file content, identify attack patterns, and then block this content in the network. The goal here is to use network connectivity and real-time communication to block bad stuff from happening in the cloud rather than relying on local pattern-matching databases and manual scans. The company says it believes it can provide better security with its new cloud-based model while freeing up resources on endpoints. A true win-win.
So will it work? Yup. Whether it's Trend Micro or its competitors, many security vendors are creating new hybrid models that enhance native endpoint security safeguards with additional network intelligence. The company may be the first vendor to walk down this road but it certainly won't be the last. All in all, this is a beneficial trend. Everyone wants strong security but when it takes 10 minutes to boot your PC each day, something is wrong with the current model.
Have you ever, I mean ever, copied software, a CD, a DVD, or a video tape without permission or paying? How about downloading music, video, pictures, or art?
If you answered yes, congratulations, you're just like everybody else.
On the other hand, you probably also think U.S. screenwriters are being screwed by the studios. And that China and other countries shouldn't be illegally copying and selling material copyrighted in the U.S.
That, my friend, is called a double standard.
Something else to consider:
Did you read this post about Trend Micro suing Barracuda Networks for patent infringement? Do you agree with the blogger? Do you think companies like Qualcomm, Rambus, or Trend Micro are patent trolls that unjustly enrich their shareholders at the expense of consumers?
We're used to patent trolls being shifty little bozo operations like Acacia Research that serve no useful purpose beyond proving that some life forms never evolve. Sometimes, however, patent trolls come in larger sizes and have otherwise legitimate businesses. Such is the case today with Trend Micro's apparently specious lawsuit against Barracuda Networks and, indeed, the entire open-source community.
As Justin Mason, vice president of the Apache Software Foundation, notes:
Trend Micro's actions are clearly an attack on free and open-source software and its users, as well as on Barracuda Networks. The '600 patent covers a trivial method, one which was obvious to anyone skilled in the art at the time (the patent was written), and should be rendered invalid as soon as possible.
Unfortunately, our patent system only makes sense on paper. Once it hits the courts, all bets are off. This is why repudiating silly claims like Trend Micro's is so important, and why a collective response is critical.
Here's what happened in a nutshell:
Security experts warned on Wednesday of a new rootkit aimed at users of the Windows operating system.
The rootkit hides in the Master Boot Record (MBR), or Sector 0 of the hard disk drive where the primary partition entries in its partition table are stored. According to Verisign's iDefense research unit, the rootkit overwrites the existing MBR, making discovery very difficult. A rootkit is a program or group of programs designed to take root or administrator control of a computer without the user knowing.
Trend Micro and Sunbelt indicate that infection rates appear low, especially if end users have applied all available Windows updates to their system.
According to iDefense, the samples of this MBR rootkit were first reported in mid-December, with the first wave hitting 1,800 computers on December 17 and a second wave hitting 3,000 computers on December 19. On December 22, the code was released into the wild, with iDefense reporting a total of 5,000 infections worldwide through January 7.
The current rootkit code appears to be based on two theoretical stealth rootkit presentations, one given by eEye security researchers Derek Soeder and Ryan Permeh (PDF file) for Windows NT machines at Black Hat USA 2005, and one by independent security researchers Nitin Kumar and Vipin Kumar (PDF file) for Windows Vista machines at Black Hat USA 2007. A comparison of the demonstration code used in the presentations alongside the actual MBR rootkit code can be found on the GMER site. GMER is the nickname of a researcher who makes an application that detects and removes rootkits.
Infection occurs when a user visits an infected Web site. The infected site contains an iframe that links to a server hosting several exploits. If the user's machine is vulnerable to any of the following exploits, it will become infected:
- Microsoft JVM ByteVerify (MS03-011)
- Microsoft MDAC (MS06-014)
- Microsoft Internet Explorer Vector Markup Language (MS06-055)
- Microsoft XML CoreServices (MS06-071)
According to GMER, detection of this rootkit requires a comparison of the current MBR to a stored image. If the two are not identical, the machine has most likely been infected. Removal requires reverting the infected system back to an uninfected version of the MBR.
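The comparison GMER describes, written out as an added example (not GMER's or Trend Micro's code): it diffs a trusted 512-byte MBR image against the one read now and reports whether the change sits in the bootstrap code, the partition table, or both, which is the distinction a responder needs before restoring the sector. The sample images are constructed here; on a real system the current image would be read from the raw disk device with administrator rights.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
PART_TABLE_LEN = 64
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_partitions(mbr: bytes):
    """Return the four partition entries as (status, type, lba_start, sector_count)."""
    entries = []
    for i in range(4):
        e = mbr[PART_TABLE_OFF + i * 16 : PART_TABLE_OFF + (i + 1) * 16]
        lba, count = struct.unpack_from("<II", e, 8)
        entries.append((e[0], e[4], lba, count))
    return entries

def compare_mbr(stored: bytes, current: bytes) -> dict:
    """Diff a trusted stored MBR image against the MBR read now and classify the change."""
    if len(stored) != MBR_SIZE or len(current) != MBR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    changed = [i for i, (a, b) in enumerate(zip(stored, current)) if a != b]
    return {
        "identical": not changed,
        "boot_code_changed": any(i < BOOT_CODE_LEN for i in changed),
        "partition_table_changed": any(
            PART_TABLE_OFF <= i < PART_TABLE_OFF + PART_TABLE_LEN for i in changed),
        "signature_valid": current[510:512] == BOOT_SIGNATURE,
        "first_changed_offset": changed[0] if changed else None,
        "changed_bytes": len(changed),
    }

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte image: given boot code, one NTFS partition entry, valid signature."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2097152)
    return body + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed samples, not real disk data: a clean image, and one whose bootstrap code
# was overwritten while the partition table was left intact, as the text describes.
STORED = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
INFECTED = build_sample_mbr(b"\xEB\x3C\x90" + b"\x90" * 20)

if __name__ == "__main__":
    report = compare_mbr(STORED, INFECTED)
    if report["identical"]:
        print("MBR matches stored image")
    elif report["boot_code_changed"] and not report["partition_table_changed"]:
        print("bootstrap code rewritten, partition table intact: likely MBR rootkit", report)
    else:
        print("MBR differs from stored image:", report)
```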
A number of phishing sites have cropped up within the last day using domains previously attributed to the Storm worm botnet. Last fall, Storm was used in a series of pump-and-dump stock spam blasts, including a unique MP3-based spam blast, but researchers at F-Secure don't think the original authors of Storm are necessarily trying something new. F-Secure said Tuesday that "October brought evidence of Storm variations using unique security keys. The unique keys...allow the botnet to be segmented allowing 'space for rent.'" They think phishers are leasing parts of the larger botnet.
F-Secure cites a Halifax bank as one of the phishing targets, while Trend Micro identifies the Royal Bank of Scotland as another. What connects these sites are the server domains hosting the pages. Trend Micro said Tuesday it detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities."
The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will celebrate its first anniversary next week, on or around January 19.
In my last posting about DropMyRights, I used the Trend Micro Transaction Guard utility as an example of a Java applet installing software while running inside a restricted instance of Firefox.
Transaction Guard was only used to illustrate a point; the reference was not an endorsement of the product, which I have hardly any experience with. Since writing the last posting, I have tried to use Transaction Guard many times from three different Windows XP machines over the space of two days. Not once have I been able to install it. It consistently fails with the "network connection not available" error shown below.
But that's only the beginning.
Just days after describing how a restricted mode Web browser can run Java applets, I run into the warning below, issued when Transaction Guard starts to download and run a Java applet from within Firefox.
This is not true. The installation of a Java applet does not require administrator privileges. How can Java programmers not know the conditions needed to run the applet they programmed? And if you're not sure, it's pretty easy to verify (or in this case disprove). How can Trend Micro make a mistake like this?
Another mistake in the sentence is that the word "applet" is not capitalized. For reference see What is Java? by Sun Microsystems and Wikipedia. Also, "Java" and "applet" are two words, not one, but we all make typos (no spell check?).
Other instructions in the Transaction Guard Install Help window are also wrong. (See a full-size screenshot.) When it comes to authorizing their applet to run, it says "Click 'yes' or 'always' to allow this JavaApplet run on this computer." But the two buttons in the Security Warning window displayed by Java 1.5.0_12 when run by Firefox version 2.0.0.6 are labeled Run and Cancel.
In fact, the whole Security Warning window looks nothing at all like the sample. I made a side-by-side screenshot showing the sample on the left and the actual window on the right. It's not even close.
Trend Micro is a fairly large company, with either "over 2,000 employees" or "over 3,000 employees," depending on which of their Web pages you read. Yet, they are writing Java applets and, literally, they can't spell it.
ActiveX in Internet Explorer
When Transaction Guard is run from Internet Explorer, it uses ActiveX instead of Java. The instructions say "Installation of ActiveX requires administrator privileges." True enough.
What it doesn't say however, is that without administrator privileges, the installation of the ActiveX control will hang. No errors are issued; it just stops.
I'm not an ActiveX programmer, but it doesn't have to be this way. That is, the inability to install an ActiveX program (normally called a "control") can be detected and the user told about the problem in an informative way. For example, PC Pitstop has an ActiveX test page that immediately detects that a restricted instance of Internet Explorer does not support ActiveX.
Finally, despite the fact that the utility is called Transaction Guard, the name of both the ActiveX control and the Java applet is TmHcmsX, not the most user-friendly name.
All in all, a quality improvement opportunity.
Update: August 21, 2007. I tried to install Transaction Guard again today and it failed with the same "Network connection not available" error. Even worse, it hung Firefox 2.0.0.6 such that Windows XP said it was not responding and it had to be killed with Task Manager.
Expanding on its consumer-software-as-a-service efforts, Trend Micro announced on Sunday SecureCloud for small and midsize businesses and the enterprise market. The idea is to provide clients with a range of services without requiring them to install software.
Services available include e-mail reputation, e-mail hosting, and a botnet ID service. The latter will allow ISPs to filter command and control messages sent by customers' compromised machines. One feature on the site is an IP reputation search: type in an IP address and Trend Micro will tell you whether the address can be trusted.
At present only two servers in the U.S.--east and west--are up and running. Plans include additional servers in the Europe/Middle East/Africa region in the third quarter, Taiwan in the fourth quarter, and Japan in the first quarter of 2008.
Trend Micro today released Trend Micro OS Protection beta for its Trend Micro Internet Security 2007 customers. OS Protection includes Trend Micro Firewall Booster and Trend Micro Pre-Startup Scan. Rather than rail against various kernel changes within Windows Vista as Symantec and others did last fall, Trend Micro says it wanted to work in cooperation with Microsoft. Trend Micro OS Protection works on both the 32-bit and 64-bit editions of Windows Vista.
The chief benefit of Trend Micro Firewall Booster is that Windows Vista users won't have dual firewall technologies running. Firewall Booster leverages existing Windows Vista Firewall capabilities, adding protection provided by Trend Micro. Trend Micro Pre-Startup Scan runs before Windows Vista boots, ferreting out sleeping malware such as rootkits before engaging the operating system. Pre-Startup includes a system restore checkpoint, so that a user can always roll back any changes made. The process is not automatic, allowing the user to decide when and how the scans will be done. Quick Scan takes only a few minutes and identifies rootkits and any browser-related malware. Full Scan performs a thorough scan of all of the files on the system. While Full Scan can take up to a half hour to complete (all the while Windows Vista is not running), there is an option to shut down the system afterward so Full Scans can be run late at night.
Trend Micro OS Protection beta is available in addition to the existing firewall protection within Trend Micro Internet Security 2007, which is certified by Microsoft as Windows Vista compatible. OS Protection is designed for more advanced Trend Micro users who want a more powerful firewall and is not necessary for average Internet users. Available for download from the TrendSecure site, OS Protection is free of charge to existing Trend Micro Internet Security 2007 customers.
The IFrame code that leads to drive-by exploits. (Credit: Trend Micro)
Over the weekend, thousands of legitimate English-language Italian Web sites fell victim to one line of code. Taking advantage of the trust the users have in the sites they visit, the malicious code silently redirects browsers via JavaScript to servers containing a variety of drive-by exploits. If the visiting computer is unpatched for a variety of operating system, browser, and specific application flaws, malicious code is downloaded. Once installed, the new software can then be used to steal personal information or enlist a compromised machine in attacks on other machines. According to security vendor Websense, the attack now affects over 10,000 Web sites worldwide, and that list continues to grow. According to Trend Micro, servers hosting some of the malicious code have been traced to Chicago, the San Francisco Bay Area, and Hong Kong.
Steps used by Mpack. (Credit: Trend Micro)
Fortunately, there are a number of variables here. First, you must accidentally happen upon a vulnerable site, then your computer must have one of several browser vulnerabilities present for the attack to take root. According to Trend Micro, the component that serves up the browser vulnerabilities is browser aware, able to infect your specific browser of choice. Assuming it can, the attack then downloads various Trojans designed to steal personal information.
To prevent such an attack, Trend Micro urges everyone to be aware of sites requiring software installation; do not allow software installation unless you trust the site and the provider of the software. Keep your PC software fully patched and be sure your antivirus protection is updating properly. And, of course, be wary of any unexpected e-mail and e-mail attachments.
For more on this specific attack, antivirus vendor Panda has prepared a 28-page PDF that provides granular detail.