Computer Viruses Evolve

New malware morphs into different shapes unattended by humans

Now this is quite a fascinating story, it seems the latest development is the accidental development of new super-malware strains created by viruses infecting executable files of worms. Worms are generally executable files and well, viruses infect executables – so you can imagine what happens.

Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I’m thinking Trojans with worm capabilities or viruses with Trojan features, and so on. (more…)

No Recovery For You!

When consumers purchase personal computers, they should be given the means to restore/repair their operating system via an included LIVE CD/DVD, in NOT doing so by the OEM is just plain stupid. Bear in mind that as a Microsoft Windows licensee, meaning YOU, the thing with a Windows license is that you DO NOT OWN the software, you DO NOT OWN the product, that you are paying for and by receiving a license to use that software under the terms given, you must abide by them, whether you like it or not. That doesn’t sound to user friendly does it?

What you typically have included with you computer, is a recovery CD (best case), perhaps a recovery partition that just re-images your partition setting everything back to the way it was originally or nothing at all (worst case), none of these truly do fix anything. Normally the best way to accomplish this feat is to boot from a Linux LiveCD to recover your files. (more…)

Windows Patch Tuesday – January 2012

For the swiss cheese of operating systems, Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins. The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six “important” bulletins due next Tuesday handle the BEAST SSL issue, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts.

In the patch are other various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offers to legacy applications. The first six bulletins affect various versions of the Windows Operating System, from XP SP3 up to the newest versions Windows 7 and Windows 2008 R2. The seventh bulletin covers Microsoft Developer Tools.

The “important” rather than critical status for the Beast SSL issue is at least debatable. The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing. “Despite all of the hype over ‘The Beast’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft,” notes Paul Henry, a security and forensic analyst at Lumension. Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively in what promises to be a busy month for patching

Bypass Wireless Security

Summary: Security Flaw Found in Wi-Fi Protected Setup (WPS) that allows Brute Force Hack of PIN in Roughly Two Hours

The Wi-Fi Protected Setup (WPS) was a standard launched in 2007 by the Wi-Fi Alliance to simplify connecting to a wireless network — and simplify setting up encryption. With so many people failing to set up a router password because they found it too confusing, the standard implemented either/and a single button setup option, in addition to a simplified eight-digit PIN used by the AP and connecting devices. However, security researcher Stefan Viehbock has discovered a new security hole in the standard that allows a hacker to use brute force to access a WPS PIN-protected router — in roughly around two hours. (more…)

Windows Patch Tuesday – December 2011

Patch up warmly this winter if you’re running Java, as Oracle’s software platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, according to Microsoft’s latest Security Intelligence Report has found here. Running Java as a Web-browser Plugin is much more dangerous than Flash, and you should disable the Java Applet Plugin.

Microsoft today issued software updates to patch at least 19 security holes in Windows XP, Vista, 2003 and 7 (no surprise there), including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software. (more…)

Apple iOS exploited

A major security flaw in Apple’s iOS operating system that could allow hackers to remotely gain unauthorized access to an iPhone, iPod touch or iPad has been uncovered by a security expert. Described by Forbes as a “serial Mac hacker,” Accuvant LABS computer security researcher Charlie Miller has uncovered a security flaw that allows hackers to build apps that look legitimate and pass through Apple’s App Store approval process. Using a code-signing vulnerability, however, the malicious apps will automatically connect to a remote server following installation and download new unapproved code that might grant hackers access to system files, personal data and a host of unauthorized functionality. Read on for more.

Apple’s closed App Store approval process has been touted by security experts and pundits alike as a much more secure option than an open system like Google’s Android Market. While Apple has been largely successful in keeping malicious software out of its iOS App Store, this newly revealed vulnerability illustrates that no system is ever fully secure. “Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” Miller told Forbes in an interview. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Miller isn’t just talking the talk, either. The security expert actually planted an app in Apple’s App Store that utilizes the exploit he detailed. Miller submitted the app to Apple for approval using his developer account and, following Apple’s standard testing and approval process, the app became available in the App Store. Miller then recorded a video illustrating some of the many functions a hacker would be able to perform using this exploit, which include executing a payload that will give the hacker complete control of an iOS device from a remote terminal.

The security expert’s app has since been removed from the App Store and his developer account has been suspended. Miller’s video follows below. Miller plans to describe the flaw in detail at the SysCan conference in Taiwan, but the gist is that mobile Safari’s “Nitro” JavaScript engine, released with iOS 4.3, requires the privilege of running unapproved code in a region of the iPhone’s memory. Miller’s exploit extends this privilege to other apps, which are usually barred from running unapproved code in the same way as Safari for security reasons.

iPhone users needn’t panic; the offending app is already gone, and Miller expects Apple to squash the security bug to prevent legitimate attacks. Still, this exploit proves that the App Store’s strict security measures aren’t impenetrable. Security researchers have been saying this for years, but Miller has actually demonstrated it in the real world.

It’s not really the smartest move as I’m pretty sure anyone as smart as Charlie Miller still has plenty of options – use another person’s account, sign up another account with a different identity, hack the phone without the developer program access and so on..Really it’s quite a harsh move from Apple and it’s not going to make them any friends in the security industry.

In a way though, you have to agree that Miller did violate the very specific developer program agreement by hiding the PoC inside a legitimate application. That probably wasn’t his smartest idea, but then again it’s helping Apple and he’s not doing it in a malicious way to infect people – he’s doing it as a security researcher.

Apple should be more proactive on working with people like this, people who are actually fixing bugs in their products for free and improving the user experience. It’s the way Apple operates though, secretive, exclusive, domineering etc. If you don’t do things their way, screw you. The way in which Miller uncovered the flaw once again shows his technical brilliance – something which Apple really should be harnessing rather than turning away.

A lot of people noticed changes with iOS 4.3, but couldn’t actually figure out what was going on. Well that’s what we know in the public realm anyway, no doubt the bad guys had their eyes on it and were digging in with much more malicious exploits.

It basically seems like a way to bypass any kind of code validation by Apple and execute arbitrary code from an attack server – dangerous indeed.

Windows Patch Tuesday – November 2011

It is that time again! Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8. If there have been 17 security holes in Java just since the last release If that doesn’t convince a person to uninstall Java, I’m not sure what will.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.

Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions ofShockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here.  I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to3.6.24. Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).

I switched to Google Chrome when it first came out ago. I love it. It’s faster and makes updating easy and effortless. I still have Firefox, but Chrome is my default browser now on all my computers.

 

Microsoft Word Virus

A new virus has cropped up in various countries across the world and its target appears to be corporate networks. The Duqu virus, first noted last month by a laboratory at Budapest University, has now been spotted in several other countries and appears to be sent via Microsoft Word documents attached as emails. Microsoft has announced that it is working on a fix.

The point of the new virus seems to be to gather corporate information and then send it to some as yet unknown site. Thus, it’s a form of corporate espionage. Chillingly, researchers at Symantec, the giant antivirus company, say it looks like some of the code in the virus is the same as was found in the Stuxnet virus that wreaked havoc on Iran’s nuclear program, indicating that the perpetuators were either able to obtain the code from that virus, or, are the same people.

The virus is activated when a person to whom an infected Word document was sent, opens it. The virus infects that computer then seeks out other computers through the corporate network. As it goes, it collects data and then apparently, seeks a path out to the Internet where it can send the data it’s collected to a predefined destination. Thus far it has relied on a so-named zero day exploit to take advantage of a previously unknown weakness in the Windows kernel, which means getting in and doing its dirty work before victims have a chance to come up with a means of defense against it.

Thus far, it appears that the virus has been targeted at specific types of companies, as the data- collecting part of the virus seems to seek out information pertaining to industrial control-systems. So it’s likely that whoever unleashed the virus, did so in hopes of gaining information on how companies are designing and manufacturing their products; not something the average person would need to worry about, but still enough to cause concern about the growing sophistication of computer viruses.

So far, instances of the virus have been seen in Iran, India, France, Ukraine, the UK and at least eight other countries that have not been specifically identified.

In the mean time, Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.

According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XP, Vista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.

Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code, install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment. This means that a hacker deploying the Duqu Trojan against a Windows machine that hasn’t yet downloaded the temporary fix could gain nearly total access to a person’s computer.

Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking “disable” image in the Microsoft advisory and following the prompts. So in reality, some of you may not be to may not be able to fix this until the next ‘Patch Tuesday’ in December.

Mac Flashback Trojan

The security by obscurity myth is finally blown out of the water…Mac’s are pretty much mainstream these days and it yet again proves my points about Mac virus resistance, it may be virus resistant, but unless you upgrade the users, no platform is Trojan proof.

Apple has updated the malware protection built into its Mac operating system to flag a recently discovered trojan that hijacks users’ machines by masquerading as a benign document. Malware disguised as an Adobe Flash installer, meanwhile, remained unchecked.

The file quarantine, which Apple snuck into a prerelease version of Snow Leopard in 2009, was updated to include a definition for Trojan-Dropper: OSX/Revir.A, which antivirus provider F-Secure disclosed on Friday. According to an update on F-Secure’s blog, the malware disguises itself as a PDF file in an attempt to trick users into clicking on it.

“The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background,” stated the F-Secure analysis, which was posted Monday. “As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet.”

By Tuesday morning, Apple had added a definition for Revir.A into the file quarantine feature, our review of a Mac running OS X Lion, aka 10.7, has shown. By our count, it’s the 10th definition to be included, although two of them cover malware with the identical label of “OSX.HellRTS.” The definitions are stored in a file called XProtect.plist tucked away in the /System/Library/CoreTypes.bundle/Contents/Resources/ folder.

Apple engineers pushed out the update around the same time that a new trojan was discovered menacing Mac users. According to Mac antivirus provider Intego, the Flashback trojan is built on a sophisticated code base that installs a backdoor on infected machines, and covers its tracks by using encryption when communicating with remote servers.

“The backdoor is able to download further software, but, for now, we are not seeing this activity,” Intego’s analysis stated. “It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed. If the Sha1 of the software version on the server is different from that installed, this means that an update is necessary.”

With the explosive growth of Macs, iPhones, and iPads, malware purveyors have finally begun targeting Apple products after years of almost exclusive focus on Microsoft users. Earlier this year, an outbreak of fraudulent Mac antivirus products ignited a huge spike in support calls from frantic Mac users who had been tricked into installing a piece of malware called MacDefender. Apple eventually added definitions for it to its file quarantine, as well.

I think the difference between Microsoft and Apple here is that Microsoft weren’t the ones to create a condescending “I’m a PC” commercial insinuating that their operating system was virus free…With the amount of braindead Apple fans who claim that Apple Virus / Malware is an oxymoron, that 30 second spot could turn out to be some of history’s most damaging tech-related FUD.

Early I wrote that actually most targeted vulnerabilities are in Flash, PDF or Java these days via Internet Explorer (IE) and once you take IE out of the equation, Windows does quite well, especially given the rich rewards and vast selection of low-hanging fruit users can offer.

Microsoft kills Start menu

Microsoft recently killed the Start Menu, and their explanation for it seems fairly straightforward: no one used it. This may be a bit of an exaggeration, but Microsoft explains that use of the Start menu dipped by 11 percent between Windows Vista and Windows 7, with many specialized Start functions — such as exploring pictures — declining as much as 61 percent.

When you can’t figure out the easy way to launch stuff, look in the Start Menu. This is change for change’s sake. How is someone suppose to use this? You can’t, without much anguish.  Why?..because they didn’t like the look of the big, floor-to-ceiling look of the old XP system, they shrunk it all down so that it only shows 5-6 items at a time and has a scroll-bar. In short, they made it harder to use and less functional than the XP Start Menu, and to everyone’s amazement, people stopped using it, and then they claimed it was some sort of UX triumph.

Ditto with the control panel – rather than one big screen with 100+ tiny icons on it, they reworded a few things (“Display” becaome “Personalization”, and there are 2-3 different UIs rather than the tabs on the old-fashioned XP display.cpl) and made them all look like web-apps. Now that it’s unnavigable with words or icons, everyone uses “search” and it “feels faster”. You can’t write documentation that says Start-Settings-ControlPanel-Display-Screensaver, you have to say “search for ‘screen saver’ and clicky on whatever pops up”… *sigh*

Much like Firefox, most UX innovation is precisely that. If you don’t get the results that match your pet UI design philosophy, move the feature around, and while your users are trying to find the feature you don’t want, accumulate enough telemetry to claim your users aren’t using it as often, then take it away. (Status bar, full URL in the URLbar, etc.)

And the problem fundamentally isn’t that the Start Menu is too complicated. It’s that they’ve never provided a good tool for *managing* it. So the average person, being unaware that it’s just a bunch of directories and shortcut files, suffered with the floor-to-ceiling scrolling menu from hell. M$, on noting their complaints, responded by taking away most of the menu. This led to a different set of complaints, since now no one can find anything and the reaction is to give up on the start menu entirely.

But it still didn’t solve the real problem, which as I said is still that there’s no good tool that average non-savvy users can turn to for *managing* the Start Menu. How hard could it be to make a nice little interface (not relying on drag-and-drop in the live menu, which in my observation is usually a disaster) geared toward letting average folks sort out their programs into reasonable hierarchies, so the Start Menu isn’t always One Huge Mess??

Me being an avid user of Linux Mint , I much prefer using Cairo Dock and Mint Menu, both of which are configurable. I have to chuckle over this, and just shake my head.

It would be fine if I never changed computer, or never needed to re-install the OS, however, any time you used a different computer / OS, you would need to re-organize things, go against the defaults. The other problem I had was that sometimes it was hard to perfectly categorize things. Googles Chrome browser and it’s ChromeOS is working to conquer this aspect.

Without the Start Menu, how do I shutdown? Hold the power button down for ten seconds, just like always. 

So in Windows 8 (for those that tried the demo, yes I downloaded the ISO and setup a VM to try it) they replaced the simple little menu in the start button with a whole screen monstrosity that takes the entire desktop. Taking over my whole desktop because I pushed the start button isn’t the answer to this problem. IMO people don’t use the start menu much because they put icons of their most used programs in the quick launch tool bar and on the desktop itself. Instead they take a simple menu, blow it up full screen and if you decide you don’t want to pick a program and go back to what you have running, there is no logical way to do it (there isn’t a close button that’s obvious, ESC doesn’t work, right click doesn’t work).

Gnome3 and Ubuntu’s Unity solution to doing away with the start button is far better than what Microsoft has cooked up and I don’t really like those either but I can see them working better). If I fail that badly using their “NEW AND IMPROVED” start menu I can’t even comprehend how disastrous this will be for the less computer literate. The best part is, you cannot bring back the old start menu that I could find. It’s not in the control panel, the options are gone from the right click menu, etc.

Microsoft is making a huge mistake overlaying their Windows Phone 7 Metro interface on windows. This is a huge mistake that’s obviously being done to use the windows monopoly against the phone competition. It’s going to backfire and damage windows just like Vista did.

Microsoft killed the Start menu because they want to force everyone to use Windows Phone, even if they aren’t (initially) buying a Windows Phone. They failed for years to sell phones that look like a Windows desktop, so instead they’re changing the Windows desktop to look like their phones, and hoping that iOS and Android end up looking “foreign” to phone users as a result.

People click on the Start menu when they want to find something to Start. Imagine that. The bottom line is that the Windows 95 UI (which is to say, Microsoft’s ripoff of the RiscOS UI [guidebookgallery.org]) was the pinnacle of personal computer desktop UI design. Everything that’s happened since then has been change for change’s sake and has only served to annoy users and get in their way.

There is really nothing wrong with a start menu. Microsoft however never enforced a good practice with their start menu, the signal to noise ratio is VERY low. It’s cluttered with company names, uninstallers and readme files. Why should I have to know the name of the company if I want to use a program, looks very much like advertisement to me. Instead of enforcing a good practice they have extended the start menu with “most used programs” which really doesn’t cure the underlying problem, and to me it’s even more cluttered. They should get rid of everything but the program starters in correct folders, Games in games folder and so on, one program has one menu entry, this was probably how it was meant to be by the original designer but never enforced. Look at Gnome, very simple, and very effective. And now Microsoft have come to the conclusion that nobody uses their cluttered mess of a start menu, and are killing it. I say it could be fixed, but Microsoft doesn’t seem to know what’s wrong with it.