Showing posts with label threats. Show all posts

Tuesday, 2 November 2021

The Coming Mac Threat (Revisited)

Foreword

The following article was written and published in 2008. The first iPhones were less than six months old and Apple's OS X operating system was just seven years old. The previous year Apple launched a version of OS X that could run on Intel systems. The following year OS X could *only* run on Intel systems. This could have made life easier for attackers, as they faced a familiar underlying system.

A lot has changed since then. According to some statistics the use of OS X (now MacOS) has risen between 2009 and 2021 from below 4% to around 16%. This is clearly a significant rise, but with around 75% of computer users still staring at Windows, the value to an attacker of MacOS exploits is still relatively low.

Attackers have targets, and the chance that a valuable one uses a Mac is now five times what it was. We've seen news reports of exploits targeting Apple-based devices. NSO's Pegasus spyware is now widely recognised as a threat that targeted civilians, including journalists.

Monday, 8 December 2014

Pre-infected smartphones

Some Android mobile phones are being sold pre-infected with malware.

According to a blog post by Lookout's Jeremy Linden, "DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries."

Some of the most important points from his report include:

  • Detections are moderate in volume.
  • Detections are global.
  • The Trojan pretends to be a ringtone app.
  • The Trojan downloads SMS and WAP content.
  • The downloaded content can be used to trick users.
  • Most of the affected devices are counterfeit or uncommon models (in the West).
  • Anti-malware software cannot remove it.
The main lesson to learn here is to buy non-counterfeit devices from reputable sources. You might also consider installing an anti-malware product to alert you to problems. And watch for unexpected charges on your mobile phone bill.

[Image: Sad Android by Justin Marden]

Tuesday, 25 November 2014

Regin: When did protection start?

Regin, advanced malware that is most likely a government espionage tool, is making headlines.

This is because it's a very well-constructed set of tools and also because observers are surprised at how successful it was. It also targeted GSM networks, which is novel.

The big question is, how could the major anti-malware firms have missed this threat for so long?

Or, one might ask, did they really miss it or quietly detect it?

Some people appear to believe that, as Regin was probably created and used by Western governments, then Western anti-malware companies colluded to ignore the threat.

Symantec seems to have been slow to notice Regin because its write-up of Backdoor.Regin claims that it was discovered in December 2013, which is much later than March 2011, when Microsoft updated its definitions to include Regin.A.

In an effort to find a history of Symantec's detection of this malware I obtained an archive of Regin samples from security researcher Claudio Guarnieri and asked the kind folk at VirusTotal to discover when, if ever, Symantec's scanner first detected each sample.

Before we look at these results I want to be clear about what they mean and what they do not, because VirusTotal data is easily abused and dodgy conclusions readily reached.

The table below indicates that Symantec's technology was capable of detecting most of the samples as being at least suspicious from February 2010. It then made a clearer classification of being a 'Trojan' from March 2011.

Only yesterday (24th November 2014) did it officially label the threat as 'Regin'. This corresponded to its announcement of the Regin threat.

Usually the problem with using VirusTotal is that someone will upload some files, show that product X failed to recognise them and then conclude that the product, or the entire anti-virus industry, is useless.

In this case we can see dates relating to when the product detected the files as threats. Possibly the product would have protected against these files even earlier, and possibly those that appear as having been missed (Classification = 'nothing') would have been stopped through some other layer of protection not related to file signatures.

So I see the following as a worst-case scenario. Symantec's scanner recognised most of these files as threats from around 2011 onwards. Maybe it was capable of stopping them and maybe not - we can't know that for sure. But it's fair to assume that if a signature-based scanner can recognise a file then it will probably generate an alert at the very least.


I've focussed on Symantec simply because it first announced the Regin malware, minutes before other vendors joined in.
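The post's method is a detection timeline: for each sample, find the earliest date a vendor's scanner reported it as suspicious, as a Trojan, or by name. The script below is an added example, not code from the post or from VirusTotal. It uses a small constructed scan history (sample ids, dates and detection names are invented) and derives the same three-tier view, treating samples never flagged as "nothing", which the post rightly calls a worst case because other protection layers are not visible in file-scan data.

```python
from collections import defaultdict
from datetime import date

# Constructed scan history standing in for the VirusTotal data described in the
# post: (sample id, scan date, vendor detection name or None). These records are
# illustrative only, not real Regin sample results.
SCAN_HISTORY = [
    ("sample-01", date(2010, 2, 11), "Suspicious.Insight"),
    ("sample-01", date(2011, 3, 9), "Trojan.Gen"),
    ("sample-01", date(2014, 11, 24), "Backdoor.Regin"),
    ("sample-02", date(2010, 6, 2), None),
    ("sample-02", date(2012, 1, 15), "Trojan.Gen.2"),
    ("sample-02", date(2014, 11, 24), "Backdoor.Regin"),
    ("sample-03", date(2013, 5, 1), None),
    ("sample-03", date(2014, 11, 20), None),
]

# Ordered from weakest to most specific classification.
TIERS = ("suspicious", "trojan", "regin")


def classify(label):
    """Map a vendor detection name to one of the post's coarse tiers."""
    if not label:
        return "nothing"
    low = label.lower()
    if "regin" in low:
        return "regin"
    if "trojan" in low or "backdoor" in low:
        return "trojan"
    return "suspicious"


def first_detection_dates(history):
    """Per sample, the earliest scan date at which each tier (or a stronger one) was reported.

    A stronger classification implies the weaker ones, so a sample first flagged
    as a Trojan in 2011 also counts as 'suspicious' from 2011.
    """
    by_sample = defaultdict(list)
    for sample, when, label in history:
        by_sample[sample].append((when, classify(label)))
    result = {}
    for sample, scans in by_sample.items():
        firsts = {}
        for when, tier in sorted(scans):
            if tier == "nothing":
                continue
            for implied in TIERS[: TIERS.index(tier) + 1]:
                firsts.setdefault(implied, when)
        result[sample] = firsts
    return result


def coverage_by_tier(history):
    """How many samples ever reached each tier. Samples never flagged count as
    'nothing', which is a worst case: other protection layers may still have
    stopped them."""
    firsts = first_detection_dates(history)
    counts = {tier: 0 for tier in TIERS}
    counts["nothing"] = 0
    for tiers_seen in firsts.values():
        if not tiers_seen:
            counts["nothing"] += 1
        for tier in tiers_seen:
            counts[tier] += 1
    return counts


if __name__ == "__main__":
    for sample, firsts in sorted(first_detection_dates(SCAN_HISTORY).items()):
        print(sample, {t: d.isoformat() for t, d in firsts.items()})
    print(coverage_by_tier(SCAN_HISTORY))
```

Feeding the script a real per-sample scan history would need the actual VirusTotal records; the point here is only that "first detection" must be stated per tier, since a generic "suspicious" verdict and a named "Regin" verdict are years apart for the same file.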

Monday, 24 November 2014

Whodunnit? APT attribution is hard

Discovering who is behind a computer-based attack is hard because you don't know which clues are real and which have been planted as misinformation.

When well-resourced entities are thought to be behind an attack campaign the sky is the limit as far as red herrings are concerned.

Yesterday security firms started talking about a new attack called Regin.

It's not truly new, though, as the attacks have been ongoing for at least six years. Kaspersky Lab claims to have seen traces of the threat from as far back as 2003.

What's new is its discovery.

Currently Symantec has released some analysis [PDF] that includes details on how the malware is structured. However, where it came from and how it first arrived on the scene is still unknown:

"A reproducible infection vector is unconfirmed at time of writing."

Online commentators are speculating that the software involved is so advanced that it has to have been created by a nation state.

So who is behind this malware?

Symantec hints that it's a nation-state, noting similarities in sophistication between Regin and past threats such as Flame(r) and Duqu/Stuxnet. These are generally believed to be state-sponsored.

Kaspersky Labs goes further, guessing openly that, "Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state."

It notes that the malware affects victims in certain countries. Notable non-victims include the USA, UK, Canada, New Zealand and Australia, the so-called "Five Eyes" nations.

Most victims seem to be in Asia and the Middle East, with Russia and Saudi Arabia being the worst affected.

Could Regin be a Western campaign aimed primarily at those two countries?

The problem with attribution is that it's almost impossible to be certain about who did what. Spies mislead as a rule and the opportunities for leaving false clues are numerous.

Kaspersky Labs' report notes the times of day during which the software was most heavily developed. It seems that most development took place between 1300 - 2000 GMT. The report invites readers to draw their own conclusions, warning that such times can be changed easily.

It's also worth noting that programmers often do not keep regular office hours.

Postscript:

To solve this problem I have developed an APT attribution generator. Please feel free to use the tool below whenever you want to know who is behind a specific 'APT' attack.


You can customise your own using the Dice Maker website.

Credit: The physical tool shown at the top of this page was constructed and photographed by Yonathan Klijnsma from Fox-IT.

Friday, 14 February 2014

QR code drive-by one step closer?

A vulnerability in the majority of Android devices allows an attacker to take remote control of a victim's phone or tablet.

According to a blog post by Rapid7's Tod Beardsley, researchers have demonstrated a combination of a QR code and malicious JavaScript that can provide an attacker with a remote shell to the target.

Just to get some facts clear, the attack is not QR code-based. We're not talking about exploiting a QR code scanner to launch an attack. The user still has to choose a browser and proceed to a website that contains the malicious JavaScript.

However, it makes sense to initiate the attack with a QR code because that's one way mobile device users visit websites. QR codes are also very visual and so help make demonstration videos more dramatic.

The really important point to take away from this attack is that users do not have to allow any new (malicious) application to run. This is not a social engineering attack in which the user is tricked into installing a malicious application.

They simply need to visit a website (QR code-initiated or not) and the attacker is able to run commands on their device.

It is possible that there are earlier demonstrations of Android-based automatic (aka 'drive-by') attacks, but I've not seen any until now.

Monday, 20 January 2014

Exploring web threats

How to examine malicious websites and their effects - for professional beginners.

If you want to capture a live sample of a phishing website, or a site that is infected with malware, the techniques covered will help.

These tips are particularly useful considering how malicious websites can come and go very quickly.

I wrote this presentation for a customer who wanted a way to analyse some of the main threats to its users and to help when problems occurred. The solutions and threats included:

  1. Phishing websites designed to steal account details.
  2. Sites hosting exploits and malware designed for stealing account details.
  3. Malware infection detection.
  4. Malware removal tips.

You can download a free PDF of the presentation I gave.

If you just want an introduction to HTTPReplay and Fiddler2 then this might be helpful also.

Tuesday, 14 January 2014

Secure Windows XP after updates end

Sticking with Windows XP? Here's how to secure your system to a reasonable standard.

We'll cover:

1. How attackers work.
2. The significance this has for Windows XP users who will no longer receive updates to their operating system.
3. Free solutions to help secure your PC.

2014/01/14: This article has been updated, correcting NetMarketShare figures regarding how many people use different versions of Windows. In practical terms there is little difference.

Microsoft will soon stop issuing security updates for Windows XP.

At the same time it will cease issuing updates for its anti-malware product (Microsoft Security Essentials) for Windows XP.

This is significant because a very large minority of PC users still have Windows XP installed. Should they buy a new Windows 8 PC or can they maintain a decent level of security once they are abandoned by Microsoft?

In April 2014 Microsoft will end support for Windows XP and its free anti-malware protection. However, in December 2013 29 per cent of Windows users were still running Windows XP.

To put things into perspective 44.5 per cent were running Windows 7 and only 11 per cent were running Windows 8 and Windows 8.1 combined. These figures are provided by NetMarketShare.

Clearly such a large number of people are not going to switch to Windows 7 or 8 in the next three months.

The following article explains what the threats are for Windows XP users, how they work and ways in which users can secure their old computers without having to upgrade the operating system.

How hackers do it

There are two common ways for hackers to attempt to gain access to desktop computers.

Social engineering

The first is so-called social-engineering, in which they trick victims into running a malicious program. This program may be designed to steal information, such as passwords, from the system. Let’s call this type of software ‘spyware’.

Alternatively the software might try to further trick or blackmail the victim, perhaps by claiming (ironically) that it has detected a malware infection or by locking the PC and demanding payment for releasing the system back into the user’s control. These types of threats are called ‘rogue anti-virus’ and ‘ransomware’ respectively.

For social engineering to work the user usually has to be convinced to run a program. If they are sufficiently convinced that they need to download and run a certain program (or insert a strange USB storage device) then they will probably carry on regardless of what their anti-virus program tells them.

Some may check themselves if they see a warning like, “This file is a Trojan. We recommend you should delete it.” but clearly enough users are fooled for the criminals to continue with this tactic.

No amount of patching Windows will change this situation so, for Windows XP users, this type of threat remains as significant (but probably no worse) as before.

Software exploitation

The second method is to gain access to the system using automatic attacks. These usually involve the victim visiting a website that contains some malicious code. This code, known as an exploit, runs on the target computer and gains a temporary level of control. It uses its new-found position of power to download and install malicious software, such as the aforementioned spyware, rogue security software and ransomware.

Automatic exploits only work because there are security holes, aka ‘vulnerabilities’, in the software on the victim’s computer. Vulnerabilities can exist in the applications that come included with Windows, such as Internet Explorer; in third-party applications such as Java, Flash and Adobe Reader; and even in hardware drivers (last month researchers published an exploit for Nvidia’s display driver).

If vulnerable software is updated to make it less vulnerable then exploits are less likely to work. For example, if you are still using Java version 6.x then your system is very open to attack because there are lots of known vulnerabilities for that software. Upgrading to the latest version 7.x will help, because there are fewer known vulnerabilities in the latest version of Java.

It is neither safe nor accurate to assume that any program has no vulnerabilities at all. Usually it’s just a matter of time before someone finds a new one. If a program is popular then there is more motivation for researchers to look for security holes, because those holes affect the largest number of potential victims.

Most popular exploits

It is hard to say whether attackers prefer to exploit vulnerabilities in Windows’ own files or those belonging to third-party software but, according to an update by the security blog Contagio, the exploit kits used by criminals in recent months seem very focussed on Adobe Reader, Adobe Flash and Oracle’s Java.

There are some exploits aimed at Internet Explorer 10 and earlier, many of which could affect Windows XP users. Switching from Internet Explorer to a browser that has continued Windows XP support (such as Google Chrome, Mozilla Firefox and Opera Software’s Opera browsers), and updating all other third-party applications would be a sensible move if you want to stick with Windows XP.

Updating automatically

Microsoft makes updating Windows reasonably convenient thanks to the Windows Update service. However, this does not usually provide updates for third-party software (although it does sometimes). Fortunately there is a free application that behaves in much the same way as Windows Update but for non-Microsoft programs.

Secunia’s Personal Software Inspector (SPI) will scan your PC for vulnerable applications and can automatically download and update those for which updates exist. You can also opt to have it download the updates but wait until you instruct it to install them, and you can even have it simply scan and inform you about available updates, rather than downloading anything.

How this affects users of Windows XP beyond April 2014

If Microsoft sticks to its plans then Windows XP will no longer receive security updates after April 2014. This means that any future vulnerabilities detected in Windows XP system files and the applications that come with it will remain unfixed. This appears to be great news for the attackers, who can locate security holes and use them without fear that their activities will be hindered by an impending fix.

The solution(s)

However, this is just one facet of the situation. Third-party applications and hardware drivers will still be updateable as long as their developers continue to provide support. Additionally, certain anti-malware software, including Kaspersky Internet Security and Symantec Norton Internet Security, are capable of detecting many types of exploits and can prevent them from taking control of the system.

I put together a list of anti-malware products that will continue to protect Windows XP after Microsoft withdraws support. Most, at the time of writing, were committed to the foreseeable future.

While Java is notoriously popular with hackers, you don’t need to remove it completely in order to secure your PC. You can keep Minecraft running happily on your system but simply disallow Java in the web browser.

There are at least five free and easy ways to protect against viruses and spyware. Windows XP users won’t be able to follow point #4 (i.e. update Windows) from that linked article but the rest are relevant for those sticking with XP.

Microsoft has a tool that helps to prevent the exploitation of vulnerabilities in its own software and those created by third parties. The Enhanced Mitigation Experience Toolkit is probably a little too tricky to use for everyday users but experts and the inquisitive can download it for free.

So while it is always best to fix the problem, by patching the security hole (or uninstalling the vulnerable application if you don’t need it!), there are ways to prevent the bad guys from gaining access even though the holes continue to exist.

Tuesday, 23 July 2013

Smartphone security

[Image: In 1999 a PC this powerful would cost twice as much and be 100 times bigger]

At the moment we are, in terms of mobile malware development, in 1998.

Remember when we all used Windows 95 and connected with modems? The threats of the day were Trojans that would dial premium numbers to generate/steal money from victims.

As far as I can tell, that’s where we are today with smartphones.

Modern, powerful mobile handsets are essentially PCs with a modem, run by users who access banks and other financially-connected sites. I've yet to see any evidence of iOS or Android-compatible drive-by attacks so right now social engineering seems to be the most significant threat.

As such, a slight variation on the advice we used to give in the late 1990s is probably suitable:

  1. Keep your phone’s firmware up to date (updates from vendor, via Android Settings).
  2. Keep your software up to date (via Google Play updates). These updates can be set to run automatically.
  3. Only install from official stores such as Google Play. Don’t side-load (i.e. install from removable media).
  4. Ensure the software comes from the original developer. Google Play lists the developer and highlights very popular ones with the ‘Top Developer’ label.
  5. Check the reviews of each application you want.
  6. Check the permissions that each application requires and reject it if it wants too much (in your opinion).
  7. When updating manually, review any new permissions the updated application requires.
  8. Avoid pirated/cracked software, whatever the source.
  9. Install an anti-malware product. After all, even the official stores have been found to host malicious files.

While all this will help, I doubt that normal people will either bother or be able to fully understand or remember the details. That's not their fault, though. It's the fault of the mobile industry. It should be easier to be more secure.

This article updates last year's notes on Android security tips.

Thursday, 18 July 2013

What is a malware sample?

[Image: Malware samples come in many forms. This is not one of them.]

After we run an anti-malware test some security companies request the malware samples that their products failed to recognise.

I'm never quite sure what they mean when they use the phrase 'sample' because it can mean different things.

Here's a short list of the most common options.

1. Malicious program
2. Hash of a malicious program
3. URL
4. Hash of URL
5. Network capture, aka 'pcap'
6. Web session, aka 'replay'

At Dennis Technology Labs we deal mainly with the sixth option - the web session. In addition to providing web session replays we also make the fifth (pcap) option available in some cases.

As we test all layers of security, from web reputation systems down to file detection scanners, providing samples like this enables security vendors to verify our results and possibly improve their products.


1. Malicious program

Usually such samples are referred to as a binary, an executable (aka an 'exe') or a PE file. In practical terms these types of samples are either a downloader or the payload downloaded by the downloader. You would expect to see files named in a similar way to those below:

0132787483643.exe
foto(4).exe
xyz-britney.scr
winlive.exe


2. Hash of a malicious program

Instead of sending collections of malicious files around the internet, sometimes it's sufficient to simply identify the file using a mathematical hash.

This can be useful because most anti-malware vendors have massive databases containing details of all known (to them) malware and these database records usually include a hash for each file.

You can generate a hash of a file using one of many free utilities, such as MD5sums. To discover the MD5 hash value of a file called test.txt you might type the following command in Windows:

C:\> md5sums test.txt

The output would look something like this:

MD5sums 1.2 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2005 Jem Berkes - http://www.pc-tools.net/
Type md5sums -h for help

[Path] / filename  MD5 sum
---------------------------------------------------
[C:\]
test.txt           a0895e00f4d49c355f4f33f69475f963


3. URL

This could be as simple as www.example.com, or a more detailed (and arguably more useful) example could be www.example.com/dir/bad.exe or www.example.com/dir/script.php.

Some testers download files from the web to enable web reputation systems to protect the system. This is a good idea, although using drive-by download and social-engineering pages is more realistic than a direct download taken out of context, such as typing www.example.com/dir/bad.exe into the browser rather than clicking on it from a malicious email or instant message.


4. Hash of URL

As with files, it is possible to generate hashes of URLs (see '2. Hash of a malicious program' above).
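Sections 2 and 4 both come down to the same operation: reduce a file or a URL to a fixed-size digest that vendors can look up in their databases. The script below is an added example, not a tool from the post or from Dennis Technology Labs; the MD5sums utility shown above is a separate program. It hashes in-memory bytes and on-disk files with several algorithms in one pass (MD5 is fine as a lookup key but is no longer collision-resistant, so SHA-256 is included), and it normalises a URL before hashing so that www.example.com/dir/bad.exe and its capitalised or fragment-suffixed spellings produce the same digest. The sample bytes, file name and URLs are constructed placeholders.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlsplit, urlunsplit

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for a downloaded file; not a real executable.
SAMPLE_BYTES = b"MZ constructed placeholder content, not a real program"


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory blob with several algorithms at once."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Digest a file in chunks so large binaries are not read into memory whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalise_url(url):
    """Canonicalise a URL before hashing so trivially different spellings match.

    Adds http:// when the scheme is missing (as in www.example.com/dir/bad.exe),
    lower-cases scheme and host, defaults an empty path to '/', and drops the
    fragment, which is never sent to the server.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def hash_url(url, algorithm="sha256"):
    """Hash the normalised URL text; this identifies the URL, not its content."""
    return hashlib.new(algorithm, normalise_url(url).encode("utf-8")).hexdigest()


def file_and_memory_hashes_agree(data=SAMPLE_BYTES):
    """Write data to a temporary file and check hash_file matches hash_bytes."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return hash_file(path) == hash_bytes(data)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(hash_bytes(SAMPLE_BYTES))
    print(normalise_url("WWW.Example.com/dir/bad.exe"),
          hash_url("WWW.Example.com/dir/bad.exe"))
```

A URL hash is only as useful as the normalisation both parties apply: if the tester hashes the raw string and the vendor hashes a canonical form, the lookups will not match, so agree on the rules (or send the URL itself) before exchanging URL digests.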


5. Network capture, aka 'pcap'

Saving all of the network traffic generated during an attack makes it possible to recover downloaded files and to understand why a product may not have been working properly. If it fails to send a successful query to its back-end database, for example, the pcap file may contain evidence to help uncover this issue.

Packet capture files, which is where the name 'pcap' comes from, contain as much or as little information as you choose when you start monitoring the network. We capture every packet, so the files are large but contain everything. Capturing just the packet headers is useful for troubleshooting but you can't pull binaries out of the resulting (tiny) files.

6. Web session, aka 'replay'

It's possible to capture a complete web session using a tool like Fiddler. Such capture files include any exploit code used in a web attack as well as programs that are downloaded.

The benefit for security companies is that they can reproduce the same attack as when we used it to test anti-malware products. You can't do that with just the program itself, or a hash of that program.

To replay a Fiddler capture file you can use a utility like Microsoft's HTTPREPLAY.

Friday, 26 April 2013

Introduction to malware forensics

Earlier this month I was delighted to sit on a discussion panel at Kaspersky Lab's reviewers workshop in Lisbon.

I later demonstrated some tools and techniques for analysing the behaviour of malware. I have provided links to the tools and some other useful resources.

[Image: (left to right) Peter Stelzhammer, Sveta Miladinov, Simon Edwards and Andreas Marx]

The area that I focussed on involved detecting rootkit-related malware in tests. Usually you can't tell if there are hidden processes running using conventional tools.

At Dennis Technology Labs we always check for hidden processes using some advanced techniques usually reserved for malware analysts and forensics investigators.

To get a short insight into how we do that (and how you can), take a look at the link above.

Following a series of interviews, Arne Arnold from PC-Welt wrote an interesting article that shows the difference in opinions of testers and analysts. [Original (German); a poor Google Translation (English)]

Thursday, 14 March 2013

Seagate website infects visitors

A website run by hard disk manufacturer Seagate has been infecting visitors with malware for nearly a month (at least).

According to a report from Sophos:
SophosLabs has been tracking an infection of Mal/Iframe-AL on Seagate's blog since late February.
SophosLabs informed Seagate of the issue back in February, but at the time of writing the site remains infected.
Apparently the technical culprit is a couple of dodgy web server components (Apache modules) that are directing visitors to malicious websites using iFrames.

The malicious sites are using Blackhole exploit toolkits to infect victims' systems.
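Injected iframes of the kind described here are usually made invisible (zero width and height, or hidden by CSS) and point at a host the site owner does not control. The script below is an added example of a simple audit for those traits, written for this post rather than taken from Sophos or Seagate. It parses a constructed page with Python's built-in HTMLParser; the hosts in SAMPLE_PAGE are example domains, and the site's own host is passed in as a parameter so that legitimate on-site embeds are not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page modelled on the kind of injected content the post describes;
# all hosts are example domains, not real infection sources.
SAMPLE_PAGE = """<html><body>
<h1>Company blog</h1>
<iframe src="https://blog.example.com/video-embed" width="480" height="270"></iframe>
<iframe src="http://attacker.example.net/in.php" width="0" height="0" style="display:none"></iframe>
<p>Latest post...</p>
<iframe src="http://tracker.example.org/x.php" style="visibility: hidden"></iframe>
</body></html>"""


def _is_zero(value):
    """True for width/height attribute values such as '0' or '0px'."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) == 0
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    """Collect iframes that are hidden, zero-sized, or point away from the site's own host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        # Strip any userinfo and port so only the host name is compared.
        host = urlsplit(src).netloc.lower().split("@")[-1].split(":")[0]
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site src")
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))


def audit_iframes(html, site_host):
    """Return [(src, reasons)] for every suspicious iframe in the page."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_PAGE, "blog.example.com"):
        print(src, "->", ", ".join(reasons))
```

Run against a page fetched from your own server this catches the static case; an injected Apache module can also add the iframe only for some visitors or only on some requests, so compare what the server sends to an outside client with what the files on disk contain, not just one fetch.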

Saturday, 19 January 2013

Howto: Handle a hacked email account

If your friends complain that you have sent them spam, your email account has probably been compromised.

First I'll explain what has happened, then what hasn't and, finally, what you should do about it.

What has happened?

Someone has obtained the password to your web-based email account. They have logged in and sent spam, quite possibly in the form of links to dubious or even dangerous websites, to contacts you have saved in your online address book.

Your password may have been stolen when you logged into your email account, possibly because you used a public wireless service at some stage. If so you almost certainly were not logged in using an encrypted connection.

An alternative way in which an attacker can acquire your email password is to send you a fake email that purports to come from your email service (e.g. Yahoo!). Such 'phishing' emails ask that you log into a fake website. When you type in your password it saves it and the person operating the site now has your details.

Sometimes an email service will be hacked and users' passwords stolen. This happened to Yahoo! last summer. In Yahoo!'s case the passwords appear to have been stored unencrypted, which is surprisingly unprofessional if true.

What has not happened?

The attacker has not just written emails and labelled them with your email address. While such 'spoofing' is possible, the fact that the spam was sent to your contacts indicates that the attacker has accessed your account.

There is no reason to assume that a hacker or a virus has compromised your personal computer. You can discover if the email was sent by your computer or someone else's by comparing email messages you sent yourself to the spam messages received by your contacts.

To find out how to do this, see Who sent the email? below.

What can you do to fix the problem?

1. Log into your email service and enable encrypted connections if available. The setting may be labelled HTTPS or SSL. Yahoo! Mail only offered this option in January this year, and it's not on by default. This article shows how to secure a Yahoo! Mail account.

2. Once you have addressed step one, and not before, change your password to something new and not obvious. For password tips, and a reason not to re-use the same one on different sites, see here.

(If you change your password before enabling encryption your new password will travel over the internet in plain text, which increases the chance that it could be stolen.)

3. Some email accounts let you specify an associated email account. If you lock yourself out of your main email service access may be granted via this secondary account. Check that the attacker has not changed this address to one that he controls.

4. Continue to be aware of phishing email threats and avoid falling for their tricks.

5. Be wary of using public WiFi just as a general rule.

6. To guard against having your details stolen or leaked change your passwords regularly.

Who sent the email?

All email messages contain technical details about the systems that they touch, from their origin to their destination. Look at the 'headers' to see who really sent the message.

In the following example message #1 was sent by the spammer, while message #2 was sent legitimately by the victim. I've trimmed out a lot of unnecessary headers below. Look at the underlined parts. I have changed some details to protect the innocent.

MESSAGE #1
Delivered-To: simon@h@k.me
...
Received: from [77.255.73.226] by web162906.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 04:15:46 PST


MESSAGE #2
Delivered-To: simon@h@k.me
...
Received: from [64.40.54.xxx] by web162904.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 10:44:51 PST

What these tell us is that both the attacker and the victim used Yahoo! Mail using the web (HTTP) interface.

We can also see that the spammer was operating from an IP address of 77.255.73.226, while the victim was using 64.40.54.xxx.

Using an online tool like http://whois.domaintools.com we can find out where these people are based.

At the time of the attack the spammer was based in Warsaw. The tool reports the following (and more):

IP Information for 77.255.73.226
IP Location: Poland Warsaw Netia Sa
ASN: AS12741
Resolve Host: 77-255-73-226.adsl.inetia.pl
IP Address: 77.255.73.226

The victim's IP address, on the other hand, leads us to believe (correctly) that he was working from Seattle.

Thus we can conclude that the spammer was accessing the compromised email account using a web interface from Poland, rather than via the victim's PC in Seattle.
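The comparison above can be automated: pull the originating hop out of each message's Received headers, note whether it was submitted "via HTTP" (webmail) and compare the two client addresses. The script below is an added example, not part of the post. Its two messages are constructed from the trimmed headers shown above with a relay hop added for realism; the recipient address, the relay's address and the victim's address (masked as 64.40.54.xxx in the post) are placeholders. Geolocation of the addresses needs an external whois or GeoIP lookup, which this offline example does not do.

```python
import email
import ipaddress
import re

# Constructed messages modelled on the trimmed headers in the post. Addresses
# other than the spammer's 77.255.73.226 quoted above are placeholders.
SPAM_MESSAGE = """Delivered-To: victim@example.com
Received: from web162906.mail.bf1.yahoo.com (web162906.mail.bf1.yahoo.com [192.0.2.10])
\tby mx.example.com with SMTP; Mon, 14 Jan 2013 04:15:48 -0800
Received: from [77.255.73.226] by web162906.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 04:15:46 PST
From: Victim <victim@example.com>
Subject: check this out

http://example.invalid/offer
"""

LEGIT_MESSAGE = """Delivered-To: victim@example.com
Received: from web162904.mail.bf1.yahoo.com (web162904.mail.bf1.yahoo.com [192.0.2.11])
\tby mx.example.com with SMTP; Mon, 14 Jan 2013 10:44:53 -0800
Received: from [64.40.54.1] by web162904.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 10:44:51 PST
From: Victim <victim@example.com>
Subject: lunch tomorrow?

Are you free at noon?
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Received headers in transit order: each server prepends its own header,
    so the bottom-most one describes the first hop and is returned first."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))


def originating_ip(raw):
    """Address in the earliest Received header, i.e. the client that submitted the message."""
    for hdr in received_chain(raw):
        m = BRACKETED_IPV4.search(hdr)
        if m:
            return m.group(1)
    return None


def submitted_via_web(raw):
    """True when the first hop says 'via HTTP', i.e. webmail rather than a mail client."""
    chain = received_chain(raw)
    return bool(chain) and "via http" in chain[0].lower()


def same_network(ip_a, ip_b, prefix=24):
    """Crude locality check: do two addresses share the same /prefix network?"""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def compare_origins(suspect_raw, known_good_raw):
    """Summarise what the headers show, as in the post's two-message comparison."""
    a, b = originating_ip(suspect_raw), originating_ip(known_good_raw)
    return {
        "suspect_ip": a,
        "known_good_ip": b,
        "both_webmail": submitted_via_web(suspect_raw) and submitted_via_web(known_good_raw),
        "same_network": bool(a and b) and same_network(a, b),
    }


if __name__ == "__main__":
    print(compare_origins(SPAM_MESSAGE, LEGIT_MESSAGE))
```

Only the bottom-most Received header is beyond the sender's control in the sense that the webmail server wrote it; anything the submitting client adds above its own hop can be forged, which is why the script reads the chain from the bottom up.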

Sunday, 6 January 2013

Film scanner bundled with botnet

German coffee chain Tchibo has admitted to selling a film slide scanner that is infected with malware.

The company, which carries a range of gadgets alongside hot drinks, distributed a Hama scanner, the drivers for which were infected with the Conficker worm.


This is not the first time that consumer electronics have been accompanied by malicious code:

18/03/2010 Energizer Trojan keeps going

Thursday, 18 October 2012

Computer virus danger to hospital patients

[Image: Would you trust a heart monitor running Windows 98?]

Hospital medical equipment running old versions of Windows is often infected with malware.

Some fear that patient safety could be affected if critical systems run too slowly or fail altogether.

Medical facilities always face the risk of exposing already vulnerable patients to infection, but the BBC reports that hospital computers in the US and UK host malware that is "rampant" on their systems.

The core problem seems to be that very important systems are left alone and not updated, presumably because any change could adversely affect how they work.

This is similar to the security approach taken with industrial control systems. The priority is constant operation and, as security expert Eugene Kaspersky notes in his blog, those who run such systems have this attitude:
"Rule #1 is 'Do not touch. Ever.'"
According to the BBC, Kevin Fu ("a leading expert in medical technology") can imagine a situation in which a heart-monitoring system running Windows could slow down due to a malware infection and malfunction. In reality, though, he notes that,
"there is no evidence as yet that the malware is reaching medical machines as a result of being targeted by criminals."

Thursday, 20 September 2012

Should you ditch Internet Explorer?

There is a very new software flaw in Internet Explorer, one of the world's most popular web browsers.

Microsoft has not yet fixed this security hole and, as a result, the German government is warning people (in German) to switch to another browser.

The press release says, in translated form, "A security update from the manufacturer [Microsoft] is currently unavailable. The BSI recommends all Internet Explorer users choose an alternative browser for internet use until the manufacturer has released a security update."

This advice has been repeated in the mainstream and technical press over the last 24 hours, while security companies have also been proponents of dumping Internet Explorer (IE).

Lazy advice?

But is this good and realistic advice, or is it a short-term and lazy approach to security, that at best will only affect a small number of very interested users?

Anti-virus firm F-Secure says that the problem is so severe that even users of its own anti-virus software, which it says prevents this specific threat from infecting systems, should change browsers anyway.

McAfee takes a different view saying, "The advice to stop using IE is only valid if you don’t have any protection from exploits." Naturally McAfee also claims its products defend against such things.

Advising the switch from Internet Explorer to another browser brings a number of problems.

For such an approach to work the following needs to be true:
  1. Users need to know about this issue.
  2. Users need to understand something about software vulnerabilities and exploits.
  3. They also need to care about these things, and understand the consequences.
  4. Users need to know what a web browser is.
  5. Users need to know what brand and version of web browser they are using.
  6. Users need to know how to install, run and use new software.
  7. The bad guys need to retain their focus on Internet Explorer and ignore the browsers to which most users switch.
I don't believe that many of the points above are true for the majority of web users. However, let's assume that every internet user in the world is as savvy as you and I (despite the fact that I write a computer security blog and you are reading one, whereas most don't).

Let's also assume that we are talking about consumers and not people using business computers, which may be under the control of an IT department.

So, take the last point in the list above.
The bad guys need to retain their focus on Internet Explorer and ignore the browsers to which most users switch.
The bad guys want to access computers and the data on those computers. To achieve this they often access systems through popular software vulnerabilities using exploits.

The people who find and exploit the vulnerabilities first tend to target the most popular software, because that is the most efficient approach. Why focus on some obscure application when everyone else is using something else? If everyone switches from Internet Explorer to Browser X, the bad guys will inevitably start work on exploiting Browser X.

You could end up switching browsers every few weeks just to stay ahead. That is not a practical approach to the problem.

Day Zero

Every time a new vulnerability is found, and an exploit for it is developed, a zero-day is found. Zero-day threats are basically just new exploits that are not generally known about. This makes them very attractive to hackers and the media.

Renowned security researcher David Litchfield responded to Germany's advice by saying, "If we stopped using software because it is exposed to a zero-day flaw we'd be left with just a big, grey paperweight."

In the case of Internet Explorer the threat is now known, so really it is not a zero-day any more. Nevertheless, Internet Explorer remains vulnerable unless you apply a special fix from Microsoft. This will not be installed automatically, as normal security updates are, so it's safe to predict that the majority of normal people on the internet will ignore it.

A History of Vulnerability

Avast's Jindrich Kubec maintains that it is worth ditching Internet Explorer because of its history of flaws. He says that despite a steep learning curve for normal people, the losses will be "minimal" and "none of the [other browsers have] the same 'history'".

I thought that was an interesting observation. Windows, and particularly Internet Explorer, has a bad reputation when it comes to security, so I checked the National Vulnerability Database to see which browsers had the most known vulnerabilities. Does Internet Explorer have a terrible security history, at least in recent months?

The following results are from searches I ran for browser vulnerabilities in the last 12 months (September 2011 to September 2012), for all versions of each browser, on all platforms and with all levels of threat (low to high):

Microsoft Internet Explorer
Eight vulnerabilities (seven of which were 'high')
[ref.]

Mozilla Firefox
139 vulnerabilities (80 high)
[ref.]

Google Chrome
275 vulnerabilities (152 high)
[ref.]

Those figures indicate that there have been nearly twice as many vulnerabilities for Google Chrome as for Internet Explorer and Firefox combined. Internet Explorer itself has had far fewer than Firefox.

So, after all that should you ditch Internet Explorer?

If you want to be immune to the current single threat under discussion then the answer is obviously yes. Alternatively, if you've read this far, you're probably willing and able to install Microsoft's fix, so do that instead.

Having done either of these things don't assume that your new or fixed browser will remain free from vulnerabilities.

Friday, 3 August 2012

Computer attack statistics

Did you know that global cost of cyber crime is $1 trillion?

Or that buying counterfeit software DVDs is likely to contain malware?

The great $1 trillion scandal

$1 trillion is a lot of money, especially considering that the United States makes around $14 trillion a year.

It is possible, of course, that this figure is not accurate. In fact, it is very likely that this amount is wrong.

This has not stopped the media, leading politicians and other high-profile figures from quoting it.

Notable persons include US President Obama and NSA director General Keith Alexander. And security firm McAfee, which dropped the figure into a report it published last year.

Wired has published an insightful article that investigates the origin of the $1 trillion figure for money lost to cyber crime.

It found that a number of researchers and other experts had contributed in one way or another to the report, and that few of them would vouch for the accuracy of the figure.

Here are some of their comments when asked about it:

Ross Anderson, security engineering professor, University of Cambridge
“I would have objected at the time had I known about it. The intellectual quality of this [$1 trillion number] is below abysmal.”
Jackie Rees Ulmer, associate professor, ProPublica
"I expressed my concern with the number as we did not generate it... It is almost certainly the case that I would have told them the number was unsupportable."
Sal Viveros, a McAfee PR person who oversaw an older McAfee report, said that the figure was calculated as a result of a survey. The company took the total lost revenue that was reported and "multiplied it by the number of similar companies in the countries we studied," according to Viveros.

Does pirated software put you at risk of identity theft?

In October 2007 I met with Michala Alexander, then Microsoft's UK head of anti-piracy. I was news editor of Computer Shopper.

She claimed to have research that found, depending on which country you visit, that there was a good chance pirated software on physical media would be infected with malware.

Alexander told me, "People who buy pirated software are putting themselves at risk of cyber crime and identity theft."

The research did not appear to be available from Microsoft, though, and I discovered that the figures came from an IDC report called The Risks of Obtaining and Using Pirated Software. This seemed promising because, although the report was sponsored by Microsoft, IDC is both respected and independent.

However, IDC's report was based on research that involved software downloads. It explicitly did not address physical disks on sale abroad.
"IDC did not test physical media. We did, however, review the work Microsoft conducted earlier in the year analyzing disks obtained by Microsoft employees who purchased mid-grade counterfeit software in various countries around the world."
And so we return full circle to Microsoft, which provided some data for the same IDC report that it had sponsored.

Microsoft's own research does not support its own headline conclusions of heavy malware infections. In fact it does not mention malware at all, although it does refer to additional program files and tools used to bypass copy protection controls.

Microsoft placed research on physical counterfeit media into a report otherwise wholly dedicated to the malware threat of downloading counterfeit software. This made a close association, causing Microsoft to make incorrect conclusions in its press releases and press briefings.

Today Microsoft's anti-piracy web page states things a little more clearly:
"In an IDC study, 25% of web sites studied that offered counterfeit or pirated software also attempted to install spyware or Trojans... In studies conducted on counterfeit versions of Microsoft software... more than 40% of the... counterfeit disks installed contained additional programs or binaries with known vulnerabilities."
It's interesting to note that installing any version of Windows, even from trustworthy media, will install programs with known vulnerabilities.

Thursday, 12 April 2012

OS X security (2002)

Ten years ago I wrote an article about OS X security for Mac User magazine.

The article noted that Mac users were now using a new operating system that was far more likely to face threats such as malware.

In light of the recent Flashback threat, and the resultant interest in Mac threats, I've pasted it below. Most of it is still relevant today.

[Note: If you are worried about the Flashback threat, you can check and clean your system using one or more of these tools.]

Securing Mac OS X

by Simon Edwards

Mac OS X opens more potential security holes to hackers. So how do you protect yourself?

Your Mac is at risk from hacker attacks, now more than ever. And if you don't take active steps to secure it you will be used as a Spam gateway, an unwitting accomplice of further hacker attacks or even a stooge in a bank robbery.

This isn't hype, it's reality. When Apple started shipping Macs loaded with OS X it was making a very powerful operating system available to thousands of users. But while people rejoiced in a new user interface and greater stability, many have not realised that by adopting a well-known operating system (UNIX) they have also opened themselves up to a raft of old and new security vulnerabilities.

The reason that Macs have been relatively free of remotely exploitable security holes is because the people who find and use such holes are only interested in the operating systems that they will commonly find on the Internet. Mac OS 9 is not common in comparison with Solaris, AIX, Windows NT and Linux operating systems, which is why the latter have been plagued by hackers for what feels like forever.

But OS X works in much the same way as Linux, Solaris and other UNIX-based systems. It can use the same software and, therefore, inherits the same benefits and vulnerabilities. The solution is not to revert to OS9, though. Instead, read this feature and you'll be able to lock down your Mac OS X machine against the most prevalent attacks.

First line of defence

OS X is a multi-user operating system, which means that many different people can use the computer at different times. Their application settings, e-mail and other files are kept separate so that one user cannot delete another's important data, or read his e-mail. While this means that the system is potentially more secure than a Mac OS 9 system, with regards to local users, the level of that security is only as good as the users' passwords. A recent survey found that 25 per cent of users believe that 'banana' is a strong password. This is incorrect for a number of reasons.

Firstly, banana is a real word that can easily be guessed by a password-cracking tool. Cracking tools work using dictionaries, and only resort to the very slow method of brute-forcing after all dictionary words have been tried. The brute force approach works like this: the cracker starts at 'a' and works through the alphabet, then adds another letter and continues through every permutation of letters, numbers and punctuation marks. This can take months, and it took our 700MHz system 28 days to crack the simple password 'rumble9'.

If you insist on using passwords of less than eight characters (not recommended), at least change them every month. That way you will foil this kind of attack most of the time. You should also use a mixture of capital and lower-case letters, numbers and punctuation marks. 'Mac_+Us3r01' is a good password but 'macuser' is not.
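To make the password rules above concrete, here is a small checker that applies them (minimum length, a mix of character classes, no dictionary words, even decorated ones such as 'rumble9') and estimates how long an exhaustive brute-force search would take. This is an added example, not code from the article or from any cracking tool; the word list and the guess rate are constructed assumptions, and the passwords tested are the ones the article itself mentions.

```python
"""Password checks along the lines the article gives (length, character mix,
dictionary words) plus a rough brute-force cost estimate.
Added example, not code from the article; the word list and the guess rate
below are constructed assumptions."""
import re
import string

# Constructed stand-in for a cracker's dictionary. A real one has millions of entries.
DICTIONARY = {"banana", "password", "macuser", "rumble", "letmein", "apple"}

# Assumed guess rate for the estimate. The article's 700MHz Mac managed far
# fewer than this; modern hardware with a GPU manages far more.
GUESSES_PER_SECOND = 1_000_000


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-forcer must cover to reach this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def dictionary_based(password: str) -> bool:
    """True if the password is a word list entry, with or without decoration
    such as a trailing digit ('rumble9' counts as 'rumble')."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return password.lower() in DICTIONARY or core in DICTIONARY


def brute_force_days(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case days to try every string up to this length over this alphabet."""
    n = charset_size(password)
    total = sum(n ** k for k in range(1, len(password) + 1))
    return total / rate / 86400


def check_password(password: str) -> dict:
    """Apply the article's rules and return the problems found, if any."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if dictionary_based(password):
        problems.append("based on a dictionary word")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return {"ok": not problems, "problems": problems,
            "brute_force_days": brute_force_days(password)}


if __name__ == "__main__":
    for pw in ("banana", "rumble9", "macuser", "Mac_+Us3r01"):
        print(pw, check_password(pw))
```

The brute-force figure is deliberately a worst case over a tiny assumed guess rate; the useful output is the comparison between passwords, which shows why the article's 'Mac_+Us3r01' is in a different league from 'rumble9' even though both pass a casual glance.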

Service included

Programs such as a Web server, FTP server or a remote access utility are known as services. An Internet host is of little use unless it provides at least one service, but by doing so it is exposing itself to attack. A hacker needs something to hack at, and an old SMTP (mail), DNS, or Web server is sometimes all that is necessary. The trick is to run only those services that are really necessary.

Allowing remote access with older versions of Mac OS X meant enabling Telnet. This service lets you log in from a terminal on another computer, be it a Mac, PC or even PDA, and control the server as if using its own keyboard.

While this may seem like a very useful feature, Telnet is not a secure method of working. The problem is that when you log on using Telnet you have to enter your username and password, which is sent across the network (and maybe even the Internet, if you are logging in to a Web server installed in another building). Telnet sends these details in plain text, which can be intercepted by a hacker using a network sniffer. He will see 'user fred.bloggs' followed by 'password BaNa_na9'. Even though Fred has used a strong password, the hacker now knows it and can hack the system.

Mac OS X v.10.0.1 has replaced Telnet with SSH (Secure Shell), which is much better. It encrypts the connection so that instead of seeing the username and password, the hacker just sees digital garbage instead.

FTP also suffers from the same plaintext vulnerability as Telnet. You can replace FTP with the SSH equivalent, SFTP (Secure FTP) or SCP (Secure Copy). For details on setting up and using SSH, see the walkthrough below.

Updates

As we've already seen, updating your software can avoid some major problems. But even if you have a perfectly working Web server with SSH installed, things are not always as safe as they seem. New security holes emerge all the time and you'd be wise to subscribe to the main security mailing lists if you intend your Internet-connected Mac to survive. The best ones include the large selection at SecurityFocus (www.securityfocus.com).

For example, during the month in which this article was written, security updates were released to fix holes found in the Apache Web server, SSH, the Web scripting language PHP, the printing system, Internet Explorer 5.1, crontab, fetchmail, the firewall software ipfw, Telnet and a whole load of others. Failing to update any of these packages could result in a hacker taking remote control of your computer, which is the ultimate goal for them and the ultimate nightmare for you.

The best way to update your software is to set the Software Update program to check for updates every day, or every week if you only connect to the Internet sporadically. To run this utility open the System Preferences and select Software Update option.

Buffer overflows

Security holes come in a number of shapes and sizes, and you can even create your own if you're not careful. The most common threat comes from buffer overflow attacks. The principle behind these is that a program installed on your system is written in such a way that when an attacker feeds it too much information it crashes.

In an analogy where the computer's memory is an empty glass and the incoming data is a flow of milk, a buffer overflow would occur if you tried to pour a pint of milk into a half-pint glass. Obviously some milk is going to spill onto the table, which results in a mess - or a crash, in the case of a computer system. But a clever hacker can cause the overflowing data to move into another part of the computer's memory, where it will be run. This is how they gain access to your system without even bothering about cracking your passwords.

Firewalls

One way to restrict a hacker's access to your system is by using a firewall. This program decides which information can flow out of and into your system. You can use a firewall to allow Internet users to access your Mac on port 80, which is the networking port used by most Web servers, but to deny access to any other port. SSH usually runs on port 22, so you'll probably want to allow external access to this port as well, if you want to administer the Web server from any Internet-connected location in the world.

But your file sharing ports, networked printer port and ports for other services that should only be available to the local network, not the Internet, need to be blocked off. Disallow all but the most necessary ports for outbound traffic too. That way you prevent malicious applications from sending important data out to an attacker on the Internet (see Viruses and backdoors below).

For a detailed description of setting up the firewall supplied with Mac OS X, see Configuring Mac OS X's firewall with BrickHouse, 19 April 2002, p79.

Wireless networks

While wireless networks are doubtless very cool and quite useful, remember that they increase the range of your network beyond your office. If you don't use encrypted networking (such as with SSH) you might as well stick a network port on the wall outside and wait for the hackers to jack in. There are plenty of tools that hackers can use to locate and crack your wireless network, but with a little care you can make it not worth their while to try.

If you're running a seriously expensive business over a wireless network consider setting up a virtual private network (VPN) to provide the encryption, and place dedicated firewalls between the wireless section of the network and other workstations. By treating the wireless part as an untrusted network, just as you would treat the Internet, you reduce the risk of a wireless attack massively.

Viruses and backdoors

While there are not many viruses that can affect UNIX operating systems directly, they are more than capable of moving through UNIX mail servers and onto the Mac and PC systems further down the chain. If your Mac is being used as an e-mail server you should consider installing an anti-virus program, which will strip out viruses intent on damaging your users' OS 9 Macs and Windows PCs. McAfee and Symantec have released Mac OS X anti-virus programs that will do the job.

The direct danger to Mac OS X systems is that once a hacker has compromised the security, using a buffer overflow attack or by exploiting some other weakness, he will install a backdoor that will allow him to return more easily. You can patch your system until you're blue in the face, but if you don't know about the backdoor you might as well give up.

When a hacker installs a backdoor he may replace some of your useful files with doctored versions that seem to behave properly but are actually helping to hide the hacker's files and activities. For example, he might have placed a stash of useful files in a directory called /hacks. The ls command would display this directory, but a doctored version could be made that displayed every directory except this one.

We need a way to discover if files have been changed. CheckMate is a program that can scan essential files and create a special index of them, using checksums (see the Jargon box). If an important file is replaced the checksum will change and CheckMate will notify you that something is up. Knowing that your system has been compromised this heavily will help you save time when trying to work out what's wrong. If you find your basic files have been replaced there is only one thing to do - reinstall. Then install every possible update and run CheckMate again before connecting to the Internet.

File encryption

When you send an e-mail across the Internet it can be read by a large number of people, whether you know it or not. E-mail is created, sent and received in plain text, and passes through a number of systems on its journey to the intended recipient. Hackers with sniffer programs, mail system administrators and people with access to the computer used by your contact can all read the message, which is why sensitive information should always be encrypted.

Files stored on your hard disk should also be encrypted if they are sufficiently important. For example, if you've used CheckMate to generate an index of checksums you'll need to be sure that the hacker hasn't edited it to avoid an alert. Encrypt it and he's locked out. To encrypt e-mail and local files you'll need a good encryption package like PGP or GnuPG. The former is very easy to use and comes with a graphical installer, the latter is free but needs to be loaded from the Terminal command line.

To do this you'll need to download the GNU Privacy Guard file (GnuPGOSX1.0.6r6.dmg.gz) from http://macgpg.sourceforge.net, as well as the Darwin patch, which is called gnupg-1.0.6-darwin. Next, type:

tar -xzf gnupg-1.0.6.tar.gz
To copy the Darwin patch into the folder that this creates, patch the software and install it, type the following lines in order:

cp gnupg-1.0.6-darwin.diff gnupg-1.0.6/
cd gnupg-1.0.6/
patch -p 1 < gnupg-1.0.6-darwin.diff
./configure
make
sudo make install
You can now download the plethora of GUI helper tools from the same site. Or download the non-commercial version of PGP from pgpi.com.

Conclusion

If this article has started you worrying about Internet security, it has done its job. But while the Internet can be a hostile place, taking the simple steps listed here will make you almost invulnerable to the most common attacks. Just being aware of the risks puts you in a minority, and it's a good club to join.

Talk the talk

Buffer overflow A common but highly technical type of hacker attack, that is avoided by keeping software on the computer as up-to-date as possible. A successful attack allows the hacker to run commands on your system at the highest possible level of authority.

Checksum A checksum is a code that can be generated to represent a file. It is virtually impossible for two different files to have the same checksum, so it can be thought of as a fingerprint or DNA profile. This makes checksumming an ideal technique for detecting if a file has been changed by a hacker.

Encryption The scrambling of a file or message so that it is readable only by the person for which it is intended. Encryption can be used for Internet traffic too (see SSH below), and is most commonly encountered when buying from a Web site - those yellow padlocks are indicative of an encrypted Web session.

Firewall A software program or hardware device that controls the type of network traffic able to pass through it. Usually used to protect computers or even whole networks from the Internet, they are now being installed by some to keep wireless networks safe.

Ports Different Internet services running on the same computer use different ports. This means that someone trying to connect to a system using FTP won't interfere with the Web server on the same machine. FTP uses port 21 whereas Web servers usually run on port 80.

Services A server is a computer that provides services to other users. Examples include POP3 mail, telnet or SSH remote access and Domain Name Services (DNS). Services are controlled by a file called /etc/inetd.conf.

SSH The Secure Shell creates an encrypted connection to your Mac, which means that hackers cannot see what you're up to, or what your password is. SSH can also be used to create virtual private networks (VPNs) across the very unprivate Internet.

Trojan A file that looks like something you want to run, but carries a less pleasant payload such as a computer virus or backdoor that creates a secret entry point for a hacker into your system.

UNIX These days UNIX is considered to mean a type of operating system, rather than a specific one. Solaris, Linux, FreeBSD and AIX are all types of UNIX, or are based on UNIX. Mac OS X is based on Darwin, which in turn is a version of BSD UNIX.

Using SSH

For security purposes, a server is any computer hooked up to the Internet that's capable of providing network services such as Web, FTP or mail. If you want to control your Mac OS X server remotely you'll need to use SSH, which has replaced the less secure Telnet originally shipped with the operating system. If you've never updated your installation you won't have SSH. You are strongly advised to download the very latest updates as soon as possible, particularly if your system spends any time at all connected to the Internet - even using a dial-up modem connection.

In this walkthrough we are assuming that your system is fully up to date and that you want to administer your computer from somewhere else on the local network. There is no real difference between doing this and coming in from the Internet. If you want to connect from the Net you will need to ensure that any protective firewalls between you and the Internet will allow connections through port 22 or it won't work.

STEP ONE

Enabling remote access

Go to the Sharing System Preferences panel and choose the Sharing option from the Internet and Network section. Tick the Allow Remote Login box, which enables the Secure Shell (SSH) service. This operates on port 22, which is the default used by just about everybody. You absolutely must ensure that you are using Mac OS X version 10.0.1 or later, otherwise your remote access will be provided via Telnet, which is significantly less safe to use. We are using version 10.1.4 here.

STEP TWO

Establish a connection

Here we are assuming that you have two computers connected to the same network, one allowing remote access and that has an IP address of 10.0.0.1. You can determine the IP address of your remote server by going to System Preferences, choosing Network and viewing the settings for Built-in Ethernet. Start a terminal session on the non-remote access Mac (Terminal is available from the Utilities folder) Type: 'ssh username@10.0.0.1'. Use your own username and enter your password when prompted. Answer 'yes' when asked if you want to connect.

STEP THREE

Run commands

You can now administer your computer over the network, or even over the Internet. You'll need to have administrator rights to be able to change the system. These are provided in System Preferences from the Users option. Running 'top' will show you what processes (programs and background operations) are running. You can use the sudo command to run critical commands that require the ultimate level of authority. To reboot the Mac type 'sudo shutdown -r now' (the shutdown command needs a time argument; 'now' reboots immediately).

STEP FOUR

Copying a file

Use the scp command to copy a file from the server. Here we typed 'scp spge@10.1.22.23:backup backup', which has the effect of running scp, connecting to the server at 10.1.22.23, grabbing a file called backup and saving it as 'backup' on our system. The following line in the screenshot lists all files beginning with the letter 'b'. Using the list command (ls) with the -l switch shows more information, such as the file size, the date of its creation and who has permission to read or edit it.

Further information

Pretty Good Privacy (PGP) E-mail and general file encryption utility that can make your files unreadable to everyone but yourself
Free, for personal use
http://www.pgpi.com

GNU Privacy Guard Essentially a free version of PGP, you'll also need to download some other utilities to make it extra friendly to use.
Freeware, even for commercial use
http://macgpg.sourceforge.net

CheckMate Generate and compare checksums of essential files to discover if a hacker has altered your system.
Free, while in beta
http://personalpages.tds.net/~brian_hill/checkmate.html

Hints and tips

Watch your logs!

When a hacker takes over your system it won't be quiet, but unless you look through your log files you'll never know what's happened. It is necessary to know how a hacker broke in, even if you are going to reinstall your whole system, because that way you can fix the problem. Reinstalling will just reset your computer and the hacker can come back in the same way he did before. You'll find your logs in the directory called /var/log. Type 'last' from the terminal to see who's been logging in, and when.

Keep an eye on your users

If only you and a couple of other people are using the Mac there should only be a handful of names in the user list accessible from System Preferences - Users. If odd entries appear you can be sure that someone has administrator-level control of your system. If you want to know who's logged in at any one time type: w from the terminal command line to see a list. You should also check the /Users directory to see if any extra sub-directories have been created. This would indicate that someone has gained access to your system.
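Both hints above (review 'last', and look for user accounts and home directories you did not create) can be turned into a routine check. The following is an added example, not part of the MacUser article: it parses BSD-style 'last' output, flags logins by unknown users, from outside a trusted network, or during quiet hours, and lists home directories under a /Users-style folder that do not belong to a known user. The sample 'last' lines, the /Users tree, the expected-user list and the trusted network are all constructed assumptions.

```python
"""Review login records and home directories for signs of an unexpected user,
following the 'watch your logs' and 'keep an eye on your users' hints.
Added example, not from the article; the 'last' output, the /Users tree, the
expected-user list and the trusted network below are constructed."""
import ipaddress
import os
import re
import tempfile

# Constructed: the users who should exist on this Mac, and the LAN we administer from.
EXPECTED_USERS = {"simon", "fred"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
QUIET_HOURS = range(0, 6)  # logins between 00:00 and 05:59 deserve a second look

# Constructed sample of BSD 'last' output: user, tty, optional host, then the time.
SAMPLE_LAST = """\
simon     ttys000                   Mon Jun  3 09:12   still logged in
fred      ttys001  10.0.0.7         Sun Jun  2 21:47 - 21:52  (00:05)
simon     ttys001  10.0.0.5         Sun Jun  2 14:03 - 16:10  (02:07)
system    ttys002  198.51.100.7     Sun Jun  2 03:14 - 03:40  (00:26)
reboot    ~                         Sat Jun  1 08:00
"""

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\w{3}\s+\d+\s+(?P<hour>\d\d):\d\d"
)


def parse_last(text: str) -> list:
    """Turn 'last' lines into records; the reboot/shutdown pseudo-users are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("user") not in ("reboot", "shutdown"):
            records.append({"user": m.group("user"),
                            "host": m.group("host"),   # None for a console login
                            "hour": int(m.group("hour"))})
    return records


def host_is_trusted(host) -> bool:
    if host is None:
        return True  # local console, not a network login
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_logins(text: str, expected=EXPECTED_USERS) -> list:
    """Return one human-readable finding per suspicious aspect of each login."""
    findings = []
    for r in parse_last(text):
        if r["user"] not in expected:
            findings.append(f"unknown user '{r['user']}' logged in")
        if not host_is_trusted(r["host"]):
            findings.append(f"login by '{r['user']}' from untrusted host {r['host']}")
        if r["hour"] in QUIET_HOURS:
            findings.append(f"login by '{r['user']}' at {r['hour']:02d}:xx, outside normal hours")
    return findings


def unexpected_home_dirs(users_dir: str, expected=EXPECTED_USERS) -> list:
    """Sub-directories of a /Users-style folder that belong to no expected user."""
    return sorted(d for d in os.listdir(users_dir)
                  if os.path.isdir(os.path.join(users_dir, d))
                  and d not in expected and d != "Shared")


def demo() -> tuple:
    """Run both checks against the constructed sample data."""
    with tempfile.TemporaryDirectory() as users_dir:
        for name in ("simon", "fred", "Shared", "system"):  # 'system' is the intruder's
            os.makedirs(os.path.join(users_dir, name))
        return review_logins(SAMPLE_LAST), unexpected_home_dirs(users_dir)


if __name__ == "__main__":
    logins, homes = demo()
    print("\n".join(logins))
    print("unexpected home directories:", homes)
```

On a real machine you would feed review_logins the output of the last command and point unexpected_home_dirs at /Users. Note that if the intruder has already replaced the logging binaries, as the backdoor section describes, the logs themselves may lie; pair this with the checksum index so that the tools you rely on for review are known to be intact.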

First Published in MacUser, Vol 18 No 13, 28 June 2002.

The above article is © Dennis Publishing Limited 2002. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.

Friday, 30 March 2012

Malware attacks both PC and Mac

This month security companies discovered a threat that attacks both Windows PCs and Macs running OS X.

The threat, called JAVA_RHINO.AE by Trend Micro, arrives via infected websites, which means that potential victims won't notice anything amiss unless their security software detects it. It exploits a vulnerability in Java*.

Java is commonly found on both types of computer, which is interesting in itself. Its presence reduces the difference between a PC and a Mac by some way. There are, of course, other very significant similarities that I've mentioned before.

Here is the really interesting part, though. When it runs the threat determines whether it is running on a Mac or a PC and behaves differently depending on what it finds.

In the words of Trend Micro:

"Once it successfully exploits the said vulnerability, it drops and executes the following file:
  • On Windows: %User Temp%\file.tmp - detected as TROJ_RHINO.AE
  • On Mac OS X: /tmp/file.tmp - detected as OSX_RHINO.AE"
-----
Related news: Security company AlienVault, which is investigating Mac malware at the moment, has found a new Trojan containing a relatively ancient Linux backdoor from 1999.
-----

* UPDATE: I have just noticed that this vulnerability has been included in the Metasploit Framework since November 2011.

Ranked as 'Excellent' (which means that it works very reliably), the exploit is described thus:
"This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc)"

Thursday, 29 March 2012

Why even experts need antivirus

[This article is written in response to Wired's recent article, Is Antivirus Software a Waste of Money? As is usually the case when a headline is posed as a question, the answer is "no".]

"I don't run anti-virus, actually," he said, "and I've never had a virus."

"Really?" I asked. "How do you know?"

"I think I'd know," he scoffed.

I had that conversation with the UK head of marketing for an anti-virus company that, while not one of the top brands, is certainly quite well known in Europe. We probably spoke around 2008.

Scroll back to the eighties and possibly even early nineties and he'd probably be at least half right. Viruses might hide for a while but they usually gave away their presence at some stage, possibly by deleting or encrypting files, sending a cheeky message or producing a graphic effect that was hard to ignore.

In the late nineties things started to change. Malware began to commercialise, and it made sense for these malicious programs to be more subtle. Dialers were one of the first such threats. They resided silently on victims' systems and made phone calls to premium-rate numbers.

Once malware started to hide, the game changed. Without appropriate tools even an expert would not know that a system was infected. Even then, sensible behaviour, such as avoiding pirated software, licence key generators and pornography websites, was sufficient to avoid most problems.

Halfway through the noughties (around 2005-6) a new approach rendered the classic advice of "be careful" fairly useless.

Criminals started compromising legitimate websites, loading malware from otherwise innocent sites onto visitors' computers. In many cases users would have no idea that this was happening. Even a paranoid expert would have a tough time using the internet in a useful way without exposing their computer to such threats.

Rootkits are also now prevalent. It is hard to detect these threats even with specialised software, let alone some sort of tuned-in, Jedi-like human virus-detector sense.

In Wired's article Is Antivirus Software a Waste of Money? a startup CEO called Dan Guido was quoted as saying, "If it weren’t for [compliance] nobody in the security industry would run [anti-virus]."

I contacted Dan to see if he was happy with the angle of the article. He was, by and large, and claimed that,
"The issue with AV is that their virus detection capabilities only become effective after tens of thousands of people have been compromised with the same virus and days or weeks after that virus was first observed."
Having seen how some anti-malware tackles new attacks, sometimes involving zero day exploits, I don't agree with his blanket statement. He went on to make other very general assumptions about how anti-virus software works. One notable point of view was,
"At the time of infection, every major attack group has procedures that allow it to avoid all the known checks that AV runs through."
In other words, criminals check their malicious software before releasing it, checking to see if anti-virus will catch it. This is certainly true.

Underground versions of VirusTotal-style services exist but I find it hard to believe even the most advanced attacker is capable of running a full end-to-end test to ensure success without alerting the anti-virus vendors.

For example, they must either allow or block cloud service queries. Block these queries and the test is not complete. Allow them and information is fed back about the new threat to the vendor.

I polled a few security professionals, in an admittedly unscientific study, and found that they all used anti-virus. No one believes that anti-virus is a panacea. It's just daft to run without it.

Despite this, Lance Spitzner sent me a Twitter message, guessing that maybe experts don't use anti-virus "because most security professionals use a Mac :)". Having been to very many security conferences I have to admit that he has a point.

Wednesday, 28 March 2012

The fake anti-virus business: in pictures

Ever wondered what the point of fake utilities, such as fake anti-virus, is? Or how online crime really works?

Trend Micro has put together a handy illustration that shows how different criminals work together to steal money from victims.

It's worth noting how the different jobs are split, and how unevenly the personal risk is distributed among those involved. Plenty of individuals contribute to the process but only a few are exposed to arrest. These will be the carders and the money mules. You can bet they will be the worst paid of the lot.

Click on the image to see the larger, readable version.