Anonymity and the Internet

February 4th, 2010

In a recent blog post, security guru Bruce Schneier draws a bleak picture for supporters of universal identification on the net. According to him, anonymity has always been here and is also here to stay mainly because of the structure of the web, making each packet of data incredibly difficult (if not impossible) to truly track down to a person. In particular, he refers to ‘onion routing’, a technique that uses multiple intermediaries (bouncing off servers, or proxies) which renders identification of the originator ever so complex.

While I agree with the technical challenges, I do not believe we should give up on the goals behind personal identification. There must be a social responsibility for having a device (whether it be a Mac, PC, smart-phone etc.) and how it is being used. Sure enough, you can’t always figure out who is using the device (for example at a kiosk) but you can track down where the machine is located, what ISP it belongs to, and ultimately who owns that machine.

Continuing on this, the lack of knowledge or care is not an excuse for having an infected PC sending spam, for example. Whether or not the machine owner is also the criminal, having a computer that is a bot makes you responsible for it.

The thing is, we do have this information today. We know which machines are bots, through their IP addresses. It is not that complex to track them down. What is more difficult is to take action. In a perfect world, you would notify the Internet Service Provider (ISP) that one of their customers has a machine participating in malicious activities, and the ISP would promptly warn its customer to get their machine offline and cleaned, otherwise they would take action and directly cut their Internet access.

Unfortunately, this is not the case. Granted, some ISPs are more involved now than they were a few years ago. We see partnerships between ISPs and security firms that do result in takedowns. However, there are many regions in the world where things happen and not much can be done about them. In fact, some ISPs are fully aware of the malicious activities of some of their customers, but that is also how they sign them up, allowing criminals total impunity.

Let’s not throw our arms up in the air though. We, security researchers, are doing an important job to make the work of criminals more difficult and hopefully more risky. By exposing the bad guys and working with the authorities we are making their activities less worthwhile. Since criminals are smart enough to hide behind good people’s infected PCs, let’s take those away from them. The more we educate end-users, the more we get those machines cleaned, the fewer resources and the less impact the bad guys can have.

Jerome Segura

  • Posted in Uncategorized
  • |
  • (0) comments
  • |
  • Add your comments

Clearing House Feedback

February 3rd, 2010

We’ve had a lot of requests for our URL Clearing House service. When I first announced the service some people got upset because it required a veto process where we would grant access to whom we wanted. Some folks complained that the information (the URLs) is public domain, and so we should share it for free anyway.

Well, almost everybody has been given access, except for those few who failed to reply to our email for more details about them. Oh, and maybe for those emails that have been lost in cyberspace (if it’s the case, please contact me directly).

Anyway, we’ve got people from all over the world. Some folks are working for big name companies, others are researchers or students.

The chart below gives you an idea of where most of them come from:

We are continually working on making the site better. Lately there have been some URLs that have been “polluting” the rest, especially coming from the same domain, so we’re working on filtering those out, to only show the most relevant ones.
We’ve also had a few requests from people to have the option to download all files at once, rather than clicking on each icon. We are considering this feature and others as we are developing the back end code.

Another feature I’d like to point out is the ability for you to share URLs (or malware) with us by clicking the following button:

The next page will allow you to paste a URL or attach any files you may wish to send.

I hope you like the service and feel free to share your feedback and suggestions with us!

Jerome Segura

  • Posted in Research
  • |
  • (0) comments
  • |
  • Add your comments

A malware patch for Flash Player

February 1st, 2010

Beware if a site warns you that you need a patch to play a video.

Many rogue security programs are using this trick to get you to download and run a piece of malware.

Some sites may even go as far as just enabling sound, but showing no picture. If you really, really need to watch the video and think the site is legit, then please download the file but do not run it right away!

Send it up to VirusTotal.com where the file will be checked against a large panel of anti-virus solutions. Why not just use your current AV to scan it locally? Well, most of those files are new and cleverly packed to avoid detection, therefore it is likely that your AV software will not detect it. For example, the file shown here was only detected by 8 out of 41 AV engines, with some of the industry’s big guns failing. VirusTotal analysis here.
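The check described above can be scripted so that the downloaded “patch” is hashed and looked up rather than run. The following is an added example, not code from the original post: it uses the public VirusTotal v3 REST API (https://www.virustotal.com/api/v3/files/<sha256>), which needs a free API key, assumed here to be in the VT_API_KEY environment variable. It also handles the case the post warns about: a brand-new sample has no report yet (HTTP 404), in which case the only sensible verdict is “unknown, upload it first”. The function name and output fields are this example’s own.

```powershell
# Added example (not the original post's code): look a downloaded file up on
# VirusTotal by SHA-256 before deciding whether to run it, and compute a
# detection ratio like the "8 out of 41" above. Assumes VT_API_KEY holds a
# VirusTotal API key; the file itself is only hashed, never executed.

function Get-VirusTotalVerdict {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ApiKey = $env:VT_API_KEY
    )
    if (-not $ApiKey) { throw 'Set VT_API_KEY to your VirusTotal API key first.' }

    # Hash locally; this is the identifier VirusTotal uses for the report.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $uri = "https://www.virustotal.com/api/v3/files/$sha256"

    try {
        $report = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        # 404 means nobody has submitted this file yet: exactly the "new and
        # cleverly packed" case from the post. The answer is to upload it, not to run it.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{
                Sha256   = $sha256
                Known    = $false
                Flagged  = 0
                Engines  = 0
                Verdict  = 'UNKNOWN - upload the file to VirusTotal before deciding'
            }
        }
        throw
    }

    # last_analysis_stats holds per-verdict engine counts for the latest scan.
    $stats   = $report.data.attributes.last_analysis_stats
    $engines = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless
    $flagged = $stats.malicious + $stats.suspicious
    $verdict = if ($flagged -gt 0) {
        "$flagged of $engines engines flag this file: do not run it"
    } else {
        "0 of $engines engines flag it (absence of detections is not proof it is clean)"
    }

    return [pscustomobject]@{
        Sha256  = $sha256
        Known   = $true
        Flagged = $flagged
        Engines = $engines
        Verdict = $verdict
    }
}

# Usage (path is a constructed example):
# Get-VirusTotalVerdict -Path "$env:USERPROFILE\Downloads\flash_player_patch.exe"
```

A low detection count such as 8 of 41 still means “flagged”, which is why the verdict treats any malicious or suspicious vote as a reason not to run the file; a zero count for an already-known file is reported with the caveat that it proves nothing about a freshly packed sample.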

On a side note about this site hosted at white-xxxx{sanitized}.biz, several of the fake comments were in French… All the rest in English of course, but still I wonder why that French touch? ;-)

Security researchers that want to download this malware sample and more can get it at: http://mdl.paretologic.com

Jerome Segura

  • Posted in Rogue software
  • |
  • (0) comments
  • |
  • Add your comments

Online dating tips

February 1st, 2010

I was asked to give tips about Online Dating. So here is what I have, as a security researcher:

Online dating sites have made it into the mainstream as an acceptable way of finding one’s soul mate. For example, you can now see TV adverts during prime time, something that was not very common a few years back.

However, certain precautions ought to be taken before signing up for a dating service.

- Never trust a site that came as a pop-up while you were browsing.

- Never click on an ad from a Torrent / Warez / Streaming site.

- Beware of ads about Eastern European women (the well-known “Russian brides” scams).

- If you sign up for one site, complete a basic profile at first to check it out. Then over time, you can enter more personal information.

- Look around, maybe Lady Luck lives just next door!

Jerome Segura

  • Posted in scams
  • |
  • (0) comments
  • |
  • Add your comments

What to do when your PC is hijacked by a rogue

January 28th, 2010

Some of the most prevalent and annoying malware today is rogue anti-spyware. These pests are hard to get rid of and a lot of people will usually give up and give in (pay for a license) to have their computer back to normal.

Here is an example of a rogue called “Control Center”, also known as PrivacyCenter. Upon starting up your PC, you are greeted with a screen full of icons and red warnings, on a black background.


You can try to close the program by clicking on the X, but to no avail.

At that point, a lot of people will get so frustrated that they will just do whatever the program is asking them to do. And that usually involves money!

So, here are a few tricks to get back on your feet:

Press Ctrl+Alt+Del on your keyboard as illustrated below:

Depending on your version of Windows you may see one of the following screens:

Click the item that says Task Manager.

If you’re lucky (that is the malware hasn’t disabled it) you should see the Task Manager panel:

Click on File, then New Task (Run…), and type explorer:

After clicking on OK, you should have your Desktop back.

Once there, you are good to run your favorite Anti-Virus program and get rid of the rogueware.
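The same recovery can be done from a command line once Task Manager gives you a way to start a program. The following is an added example, not from the original post: a PowerShell helper that checks the two policy values a rogue typically flips to lock you out (the real Windows policy names DisableTaskMgr and DisableRegistryTools under the per-user Policies\System key), resets them, and relaunches Explorer exactly as the “type explorer” step does. Start it from Task Manager via File, New Task, entering powershell; the function names are this example’s own.

```powershell
# Added example (not the original post's code): recover the desktop after a
# rogue "anti-spyware" program has covered it. Checks and resets the policy
# values that hide Task Manager and regedit, then restarts Explorer if the
# rogue killed it. Intended to be launched from Task Manager > File > New Task.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$LockoutValues = 'DisableTaskMgr', 'DisableRegistryTools'

function Get-LockoutPolicies {
    # Returns a hashtable: value name -> current setting (0 or missing = tool available).
    $result = @{}
    foreach ($name in $LockoutValues) {
        $value = 0
        if (Test-Path $PolicyKey) {
            $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.$name }
        }
        $result[$name] = $value
    }
    return $result
}

function Restore-LockoutPolicies {
    # Sets both values back to 0 so Task Manager and regedit open again.
    if (-not (Test-Path $PolicyKey)) { return }
    foreach ($name in $LockoutValues) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 0 -Type DWord -ErrorAction SilentlyContinue
    }
}

function Restart-Explorer {
    # Same effect as File > New Task > "explorer": start the shell only if it
    # is not already running, so an intact desktop is left alone.
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        Start-Process -FilePath "$env:windir\explorer.exe"
    }
}

# Report what the rogue changed, undo it, and bring the desktop back.
$before = Get-LockoutPolicies
foreach ($entry in $before.GetEnumerator()) {
    $state = if ($entry.Value -ne 0) { 'DISABLED by policy' } else { 'available' }
    '{0}: {1}' -f $entry.Key, $state
}
Restore-LockoutPolicies
Restart-Explorer
'Desktop should be back; now run your anti-virus scan.'
```

If Task Manager itself has been disabled, the Ctrl+Alt+Del screen will not offer it; the policy reset above is what makes it reappear, which is why the script reports the state before changing it so you can see whether the rogue had touched it.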

Here is a little video I made that shows the steps described above:

Jerome Segura

  • Posted in Rogue software, ransomware
  • |
  • (0) comments
  • |
  • Add your comments

More malware to share

January 27th, 2010

We’ve updated a few things with our HoneyPots and you should notice the impact on the URL Clearing House as more *files* are getting caught.

So far we’ve had a lot of URLs with their source code which we flagged as malicious, but not too many files. I know a lot of you guys like those binaries, which we cache so that even if the link goes down, we still have a copy.

We’ve made a few changes to our engine so that it is able to grab a lot of PHP pages that download an executable or a PDF.

Anyway, we’re still running the tool in debug mode but hopefully we’ll get some stable results:

You can access/join our site here: http://mdl.paretologic.com/

Jerome Segura

  • Posted in Research
  • |
  • (0) comments
  • |
  • Add your comments

Haiti malware

January 26th, 2010

Malware authors are taking advantage of top headlines such as the Haiti earthquake to distribute their malware.

This file comes as a “screensaver”.

A quick upload to VirusTotal confirms that it is malicious:

If you want to download this file and many others, join our URL Clearing House:

Jerome Segura

  • Posted in Exploits
  • |
  • (0) comments
  • |
  • Add your comments

Scam sites steal AV vendor’s property

January 21st, 2010

If you see this:

you may start panicking and wonder how to get rid of it.

Then, as you surf the net, you may see what appears to be a Godsend:

This phone line is for a premium number. You will be paying big bucks and your frustration level will skyrocket.

This site actually stole its design from a legit AV vendor, namely McAfee:

Now about the whole phone support: I admire people who work in this industry. You must be really, really patient!
The thing is, I think offering phone support is a huge challenge. Occasionally I help my parents (who live on the other side of the planet) with their computer over the phone. But some things that to me are simple can actually be nightmares. To give you an example, a simple command that I could do if I was sitting in front of the PC may take half an hour or more instead of thirty seconds.

So why is it so difficult?

- people have different Operating Systems, and customized menus etc. That button you’re trying to have them click on may actually not show up on their screen!

- the language barrier: both technical and linguistic. You may have to really get down to earth (“yes, this thing called a mouse, you slide it on the table and right click… wait! What, you don’t have a right button?”). Linguistically, well, some people may not be native English speakers.

- getting someone to do something is actually a lot harder than people think. There are a lot of misinterpretations and confusion.

So, if you still want to get phone support after that, make sure to do some serious checking beforehand. Do a full background check on the company, do a Google search of the phone number etc…

Thanks to Brendon for the links to the screens.

Jerome Segura

  • Posted in scams
  • |
  • (0) comments
  • |
  • Add your comments

When other people’s (lack of) security makes you insecure

January 19th, 2010

Brian Krebs has an interesting (and a little scary) post on his blog. Krebs, whilst at the bank, noticed that the bank manager’s computer was running Internet Explorer 6 (which we know is vulnerable to many attacks, including the current 0 day exploit). How does that make you feel as a customer of that bank?

The common excuses always follow: Computer is already too slow, we’re waiting for an upgrade, the IT department is too busy doing whatever, we don’t have time, etc.

Maybe people have also been running their programs on that browser for years, and they fear that if they switch they’ll stop working (which can actually be true).

I could see a great business idea (too bad it already exists): a consultancy firm that not only assesses your current security but also transitions all your programs, backups etc… without worry of data loss or downtime.

The thing is, if you’re a bank or other sensitive institution you may not want external parties to access your data. Makes sense. But you can’t always count on your local IT group, who may be unqualified for that job.

It happens that I too was at the bank yesterday. I always like to take a look at what they’ve got ;-)
One thing that struck me is how easy it would be to compromise one of their machines. The central unit should not be within reach of the customers sitting down at an appointment. Well, in my case the back of the PC was near my foot, with USB ports readily accessible. What about those infected USB keys with backdoor trojans?

And pretty much everywhere you go (hospital, dentist office etc.) you will find PCs on the floor collecting dust, totally accessible!

Now last night (after my bank appointment) I was watching a documentary on National Geographic about prisons and how much stuff goes on (drug deals, weapons, corruption) and how you had to watch your back. Anyway, one of the prisoners got his mom to send him a TV that they (I guess the prison guards) locked inside a hard plastic case, thus making it hard to smuggle drugs or other objects inside.

We could imagine something similar for a PC, although you want air circulation and the like. All in all, that’s a reminder that physical security is as important as software security.

Jerome Segura

  • Posted in Malware Trends
  • |
  • (0) comments
  • |
  • Add your comments

IE 0 day and general browser security

January 18th, 2010

There has been a lot of talk about the latest 0 day vulnerability affecting Internet Explorer.

According to this article from the BBC, the French and German governments have urged their people to find an alternative to Internet Explorer to keep their computers secure.

The fact of the matter is that whether or not you use Internet Explorer, you can still be at risk. Telling people to use a different browser is far too simplistic a measure. It may protect you from this vulnerability but there are many more that apply to all browsers.

A more sensible approach would be to inform people about the risks and if possible provide a temporary solution to mitigate the attack. It may be as simple as turning off a feature or enabling another one.

People should also think of security as layers. If Internet Explorer fails, most of the time something else will prevail, such as a good AV product.

Jerome Segura

  • Posted in Exploits
  • |
  • (0) comments
  • |
  • Add your comments

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2010 ParetoLogic Inc.