Wednesday, 29 August 2007
Sony Rootkit (part two)
Essentially the software creates a hidden folder to keep its fingerprint authentication data safe. However, adding this kind of feature to a PC is not always the best idea because it can be abused by malicious users or intruders. McAfee has provided an interesting video that demonstrates the trouble this can cause (see below).
Tuesday, 14 August 2007
Malware all over the world
Why is this important? For one, it makes things more complicated for security companies, who try to stay up to date with the latest threats. It's already known that some sites provide freshly generated malware on a regular basis, sometimes creating a new variant within minutes, or even for every download.
Anti-virus companies need to gain access to samples of bad programs so that they can create signature files, which then allow their products to recognise the virus should a customer encounter one. They get samples of malware in a variety of ways, often by scanning email, websites and receiving files from customers. But if the company is small and does not have customers and malware collection systems in different countries then it could miss out on the latest threats.
Let's say that company X's customers are based mainly in South East Asia, which is also where the company's data collection operation is based. By and large this arrangement will work out because both the company and its customers will be exposed to malware customised to the Asian 'market'. With any luck, the variants will be similar enough for the company to create a generic signature.
However, when a customer travels to Europe (where company X does little business and has no data collection servers) he or she may visit the very same malicious websites but will receive a different file, one that has been designated for European victims. Unless this file is very similar to the Asian version, there is a high risk that the anti-virus software will fail to recognise it. That is, unless the product in question can recognise the original malware downloader or the new, downloaded malware's behaviour.
This method of spreading malware variants is not the most important development ever, because large companies have the resources and global customer base to detect geographically targeted malware. However, there is a chance that an anti-virus product could work perfectly well in one country but become less accurate in another.
For anti-virus testers this raises an interesting question: where do you download your malware from? Results from a test based in Germany, where all the samples have been downloaded from a German-located server, may be different to exactly the same test when run with samples downloaded from the same malware-loaded sites using computers based in the US or even the UK.
Does this mean that anti-virus tests will now need a geographic label such as, "100 per cent detection (North America, South Africa, Iceland)"?
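The detection gap described above, simulated with constructed samples (an added example, not part of the original post): a "downloader" is served as a fresh build per download with a region-specific stub, and we compare exact-hash signatures against a naive generic signature derived from the samples a vendor has actually collected, first from one region only and then from two.

```python
import hashlib

# Constructed stand-in for the shared core of a downloader; the byte strings are
# made up for the simulation and do not come from any real sample.
CORE = b"MZ\x90\x00downloader-core:CreateRemoteThread\x00WriteProcessMemory\x00"

def make_variant(region: str, serial: int) -> bytes:
    """The serving site hands out a new build per download, keyed to the visitor's region,
    so the file hash differs on every download."""
    return CORE + f"region={region};build={serial:04d}".encode() + bytes([serial % 251]) * 8

def hash_db(samples) -> set:
    """Exact-match signatures: one SHA-256 per sample the vendor has collected."""
    return {hashlib.sha256(s).hexdigest() for s in samples}

def detect_by_hash(sample: bytes, db: set) -> bool:
    return hashlib.sha256(sample).hexdigest() in db

def generic_signature(samples) -> bytes:
    """Naive generic signature: the longest byte prefix shared by every collected sample."""
    sig = samples[0]
    for s in samples[1:]:
        n = 0
        while n < min(len(sig), len(s)) and sig[n] == s[n]:
            n += 1
        sig = sig[:n]
    return sig

def detect_generic(sample: bytes, sig: bytes) -> bool:
    return sig in sample

def simulate() -> dict:
    asia = [make_variant("asia", n) for n in (1, 2, 3)]      # collected by the Asian sensors
    europe_seen = make_variant("europe", 4)                  # one sample from a European sensor
    europe_new = make_variant("europe", 9)                   # what the travelling customer downloads
    asia_only_sig = generic_signature(asia)
    global_sig = generic_signature(asia + [europe_seen])
    return {
        "hash_hits_new_eu": detect_by_hash(europe_new, hash_db(asia + [europe_seen])),
        "asia_sig": asia_only_sig,                           # overfits to "region=asia"
        "asia_sig_hits_new_eu": detect_generic(europe_new, asia_only_sig),
        "global_sig": global_sig,                            # stops at the shared core
        "global_sig_hits_new_eu": detect_generic(europe_new, global_sig),
    }
```

The single-region generic signature overfits to the regional stub and misses the European build just as the hash database does; only the signature derived from samples collected in both regions catches it.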
Monday, 6 August 2007
Powerful personal firewall dies
BlackICE PC Protection, the accurate and well-featured personal firewall, is to be discontinued.
Originally developed by Network ICE, BlackICE Defender (as it was then) was one of the first well-known desktop personal firewall programs, alongside Zone Alarm. In fact, at the start of its life it was not really a firewall but an intrusion detection system (IDS). This distinction was lost on some customers and reviewers, notably Steve Gibson of GRC.com fame. He criticised it and Network ICE responded, saying that he had missed the point and that it was not designed to stop outbound traffic.
When I took ISS' Ethical Hacking course in 2001, the instructor also expressed a dismissive view of the product. By the end of the week, after ISS had acquired Network ICE (and BlackICE Defender), he was singing its praises. I believe that some of Network ICE's technology was built into ISS' RealSecure IDS products.
Later it was renamed BlackICE PC Protection and application control was added to detect unauthorised outbound traffic. In fact, it had a pretty hardcore option that created checksums of all the system's applications and applied close control over what could run and access the network. This was fairly annoying to use because it was so restrictive.
The years passed and the desktop product appeared to be on the shelf, with no major updates and with only a fairly decent price drop to entice new users. Then, in August 2006, IBM bought ISS. Almost exactly a year later it canned BlackICE PC Protection.
IBM will continue to supply updates to current users until September 2009, after which there will be no further updates. The FAQ notes that perpetual licenses are for the use of the product and not for service and support. "Service and support may only be purchased up to September 19, 2007."
IBM/ISS is not producing a replacement product for consumer customers. However, Sunbelt Software is. It is offering a free copy of its Sunbelt Personal Firewall (previously Kerio Personal Firewall) to all BlackICE PC Protection users.