Tag Archive: virus

Targeted Trojans

A very particular problem that we face is around customised malware, aka targeted Trojans. These malicious programs are written specifically to avoid detection by our current anti-virus systems and are sent to carefully selected people within the institution. The purpose of these programs can only be inferred by the recipients.

LSE uses MessageLabs to protect our inbound email, primarily to reduce the flood of spam to as small a trickle as possible. One of the systems that MessageLabs use is something called Skeptic, which tries to identify previously unseen malicious software and to block it.

We think that this has been quite successful, although it is impossible to know how many attacks have managed to get through. Using the information we get from this system, we can discuss the implications of being on the list with the people being targeted.

The uncomfortable facts are that:

  1. LSE is a major target
  2. academia is being systemically attacked by a number of groups
  3. the threat is growing all of the time

There is no foolproof way of blocking every attack, but the intelligence gained from knowing the areas of interest of the attackers allows us to focus our efforts on the people at highest risk.

If you want more information on this or are at LSE and want specific advice, please contact me.

UPDATE: Martin Lee and I are proposing doing a talk about this at the RSA Conference 2012 in San Francisco. See the teaser trailer here.

Human beings are natural risk assessors. Every decision we take, from when to cross the road, to what food to eat is, at least in part, based on an innate risk assessment.

People are able to do this because in the real world it is possible to see, or imagine, the consequences of an action going wrong. So, when crossing the road, people tend not to walk out in front of a moving car.

Children are the exception; they often undertake risky activities because they don’t have the experience to be able to judge whether what they’re doing is dangerous.

When using a computer, connected to the Internet, it is very difficult to judge the threat level or understand the risk because there is such a lack of information available to help inform.

Companies have spent years trying to work out the level of warning before “click-fatigue” takes over. I remember using an early iteration of ZoneAlarm’s firewall, where every minute, a pop-up would appear asking to authorise a particular app, or to tell me I was being port-scanned. While I knew the difference between allowing inbound NetBIOS and outbound POP3 access, the vast majority of people don’t. Nor do they know the significance of being port-scanned, having their anti-virus block a Trojan horse or what issues they face on an unsecured wireless network.

There needs to be a recognition that there’s a difference between technical risks that can result in the compromise of the person’s computer and associated data, and activities that lead to identity theft.

I’d like to see a simple “threat-o-meter” on computers that takes information from the various systems in place on most people’s computers, like the firewall, anti-virus software and the type of network connected to, and displays a simple coloured chart to indicate how worried the user should be.

It could be extended to take information from vulnerability scanning tools, like Secunia, or rate the severity of seeing a particular piece of malware. Add this to some basic information on the configuration of the machine, like password length, firewall configuration or whether auto-updates are enabled and it could provide really useful feedback to the user on how to reduce risk.
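As an added illustration (not part of the original post), here is a toy version of the "threat-o-meter" described above: it combines the device-context signals the post lists into a single score, maps that to a colour band, and ranks the fixes by how much each would lower the score. All weights and thresholds are assumptions chosen for illustration.

```python
"""Toy 'threat-o-meter': added example, not from the original post.
Weights, thresholds and the colour bands are illustrative assumptions."""
from dataclasses import dataclass


@dataclass
class DeviceContext:
    firewall_enabled: bool
    antivirus_running: bool
    auto_updates: bool
    password_length: int
    network: str                # "home", "work" or "open_wifi"
    known_vulns: int            # count reported by a vulnerability scanner
    recent_malware_blocks: int  # AV detections in the last 30 days


# Each rule: (fix the user can apply, predicate meaning 'risk present', weight)
RULES = [
    ("enable the firewall", lambda c: not c.firewall_enabled, 25),
    ("run anti-virus", lambda c: not c.antivirus_running, 25),
    ("turn on automatic updates", lambda c: not c.auto_updates, 20),
    ("avoid unsecured wireless networks", lambda c: c.network == "open_wifi", 15),
    ("use a password of at least 12 characters", lambda c: c.password_length < 12, 10),
]


def score(ctx: DeviceContext) -> int:
    """0 = nothing to worry about, 100 = exposed on every axis."""
    total = sum(w for _, risky, w in RULES if risky(ctx))
    total += min(ctx.known_vulns * 5, 20)            # patch backlog, capped
    total += min(ctx.recent_malware_blocks * 5, 15)  # signs of being targeted
    return min(total, 100)


def colour(s: int) -> str:
    """The simple coloured indicator the post asks for."""
    return "green" if s < 25 else "amber" if s < 60 else "red"


def recommendations(ctx: DeviceContext) -> list[str]:
    """Fixes ordered by how much each would lower the score."""
    hits = [(w, label) for label, risky, w in RULES if risky(ctx)]
    return [label for _, label in sorted(hits, reverse=True)]
```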

All of this information is about the context of the device. Most users don’t want to be information security professionals.

Comments welcome.

An interesting story on Slashdot this morning is about a Brazilian report [and here in the original Portuguese] into the effectiveness of free anti-virus software against non-English threats. Admittedly, they only tested six, all of which were free, but the results were pretty disappointing, especially compared to a set of independent statistics (taken from “Virus Bulletin”):

Name                           % detected (in the report)   % detected (independent stats [1])
Avira                          78%                          99.7%
AVG                            75%                          93%
Panda Cloud                    70.6%                        NDA
Avast!                         69.8%                        98.2%
PC Tools                       64.7%                        NDA
Microsoft Security Essentials  13.4%                        87.1%

[1] These results are from 2009, but give an indication.

So, there are a number of things to draw from this, aside from the fact that no paid-for software was tested. Even if there is a large margin of error, the discrepancy in the results is quite stark and might make large organisations, particularly multi-nationals, re-consider their AV protection. What works in one part of the world may not be quite so effective in another.

It’s also worth mentioning that most anti-virus products will use a variety of techniques to detect malicious software, from signatures to heuristics, and these results will almost certainly not reflect real-world detection rates if everything is turned on and additional software, like firewalls and anti-spyware products, is used.

STUXNET: Updated

Just a short post to report that Iran has admitted that some malicious software did, in fact, interfere with its uranium enrichment programme, which I would assume implies STUXNET. If it hadn’t spread so widely, it’s debatable whether it would have been noticed.

I have more about this in my previous post.

A news item that keeps bubbling up in the information security world is about STUXNET, a malicious piece of software that was originally said to target nuclear reactors in Iran. This might seem a bit odd, as most malicious software is pretty random, infecting anything it comes across. This malware seems to have had a very particular purpose.

It has been well known since its discovery that STUXNET targeted SCADA (Supervisory Control and Data Acquisition) systems, which are used in industrial process control environments, essentially providing electro-mechanical control over a logical network, be that over the Internet or via a dial-up modem. SCADA systems are used all over the place, controlling sluice gates, traffic lights and nuclear reactors. In general, these systems are kept as far away from public networks as possible, to prevent the infection of the networks they reside on, as the results can often be catastrophic.

However, an article in The Register, referencing a Symantec blog, detailed that this malware was even more specifically targeted. In summary, the article explains how STUXNET was aimed at frequency converter drives made by Fararo Paya of Iran and Vacon of Finland, both, presumably, used in the Iranian nuclear programme. Not only that, but only those drives that operate at very high speeds, between 807 Hz and 1210 Hz. It also had the capability to spread via USB sticks, thereby not being dependent on an accessible process control network.

The code reveals that the malware would change the output of the drives, intermittently, over a period of months, thereby disrupting whatever they were controlling, albeit subtly. Interestingly, this type of equipment has export restrictions placed on it by the US as they can be used in the centrifuges that enrich uranium.
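The symptom described above, output that drifts out of the expected band intermittently rather than once, is something a plant-side monitor can look for in logged drive telemetry. The following is an added example (not from the post, Symantec or any drive vendor): it checks constructed frequency-converter readings against the 807-1210 Hz band quoted above and flags drives that repeatedly leave and re-enter it. The sample readings and the drive names are constructed for illustration.

```python
"""Drive-frequency excursion monitor: added example, not from the post.
Checks logged converter output against the operating band the post quotes
and flags drives whose deviations are intermittent rather than sustained."""
from collections import defaultdict

EXPECTED_BAND_HZ = (807.0, 1210.0)  # operating band quoted in the post

# Constructed telemetry: (hour, drive_id, commanded_hz). Drive A leaves the
# band twice and returns to normal in between; drive B stays within it.
TELEMETRY = [
    (0, "drive-A", 1064.0), (1, "drive-A", 1064.0), (2, "drive-A", 1395.0),
    (3, "drive-A", 1064.0), (4, "drive-A", 1064.0), (5, "drive-A", 650.0),
    (6, "drive-A", 1064.0),
    (0, "drive-B", 1064.0), (1, "drive-B", 1070.0), (2, "drive-B", 1058.0),
]


def excursions(samples, band=EXPECTED_BAND_HZ):
    """Out-of-band readings grouped by drive, in time order."""
    lo, hi = band
    out = defaultdict(list)
    for hour, drive, hz in sorted(samples):
        if not lo <= hz <= hi:
            out[drive].append((hour, hz))
    return dict(out)


def intermittent_drives(samples, band=EXPECTED_BAND_HZ, min_episodes=2):
    """Drives that leave the band and come back at least min_episodes times.
    A single sustained deviation looks like a process fault; repeated brief
    excursions separated by normal readings are what merits investigation."""
    lo, hi = band
    in_band_by_drive = defaultdict(list)
    for hour, drive, hz in sorted(samples):
        in_band_by_drive[drive].append(lo <= hz <= hi)
    flagged = []
    for drive, in_band in in_band_by_drive.items():
        episodes, prev_ok = 0, True
        for ok in in_band:
            if prev_ok and not ok:   # transition from normal to out-of-band
                episodes += 1
            prev_ok = ok
        if episodes >= min_episodes:
            flagged.append(drive)
    return sorted(flagged)
```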

One has to assume that the purpose of the malware was to sabotage the Iranian uranium enrichment programme in such a way as to not be discovered.

The reason it got discovered was that it was too successful. Tens of thousands of systems across the world have been infected by STUXNET, notably in Indonesia.

Given the level of targeting and pre-requisite knowledge of uranium enrichment, was this written by the regular clan of virus writers, whose main aim is quick profit? Unlikely.

Hoax Malware

If you’ve had an email account for any length of time, you will have received an email that probably starts along the lines of:

This information arrived this morning, from Microsoft and Norton. Please send it to everybody you know who accesses the Internet.

You may receive an apparently harmless email with a PowerPoint presentation called “Life is beautiful.pps.”

If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and delete it immediately.

If you open this file, a message will appear on your screen saying: “It is too late now, your life is no longer beautiful”, subsequently you will LOSE EVERYTHING IN YOUR PC and the person who sent it to you will gain access to your name, email and password.

There are lots of these hoaxes floating around on the Internet; you just need to search for “hoax” at Symantec’s Security Center to see that there are hundreds. What people don’t appreciate is that the hoaxes do also cause damage. People can panic when not fully aware of facts and Chinese whispers can distort a fairly benign situation into something seemingly far worse.

An example of this is today’s announcement by Facebook Security that rumours have started about a virus that was affecting user profiles called the “knob face virus” (full article is here). The full text states:

Virus spreading like wildfire on FaceBook!! It is a trojan worm called “knob face”. It will steal your info, invade your system and shut it down! Do NOT open the link “Barack Obama Clinton Scandal”! If “SmartGirl15” adds you, don’t accept it; it is a virus. If somebody on your list adds her, ……then……. you get the …………virus too!! Copy and paste to your wall

So, the advice? Don’t forward or post anything like this without checking it out. All it does is create fear and clog up inboxes.
