lucas1985
April 19th, 2008, 04:25 PM
I've stumbled upon a very interesting blog entry (http://www.f-secure.com/weblog/archives/00001408.html) made by the folks at F-Secure. I will quote the most interesting bits and analyze them according to my knowledge:
{QUOTE-> A year or two ago, most malware was spread via e-mail attachments, which resulted in mass outbreaks such as Bagle, Mydoom, and Warezov. Nowadays sending .EXE attachments in e-mail doesn't work so well for criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic. <-QUOTE}
Pretty simple, isn't it? Use a mail provider which filters spam and executable attachments (GMail does this). Configure your mail client to display file extensions and MIME types. Don't open unsolicited attachments. Attachments coming from trusted peers should be handled very carefully; your friends may be infected. If you didn't solicit the content, don't open it. If you solicited it, save the attachment to disk and scan it with your local AV and a service like Virustotal/Jotti. Another option is running that content inside a sandbox or, better yet, a VM.
{QUOTE-> The criminals' new preferred way of spreading malware is via drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP. <-QUOTE}
{QUOTE-> There are several methods criminals use to gather traffic to malicious websites. A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link. Messages such as "There is a video of you on YouTube", or "You have received a greeting card", or "Thank you for your order" have been popular baits. <-QUOTE}
Now that malicious attachments aren't working well for the gangs, they try to trick you into clicking a link which takes you to the malicious/compromised site. Common computer sense says that you shouldn't click on random links, especially if they come in unsolicited/bulk/spam email and contain obvious social engineering tricks.
{QUOTE-> Infection by a drive-by download can happen automatically just by visiting a website, unless you have a fully patched operating system, browser, and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. <-QUOTE}
{QUOTE-> Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites. So when you do a search for something innocuous such as "knitting mittens" (as a random example), and click on a search result that looks just like all the others, you are actually getting your computer infected. Typically, an infection by an automatic exploit happens without you realizing it or seeing anything strange on the computer screen. <-QUOTE}
Drive-by downloads aren't black magic. They require that you:
- Visit a malicious or compromised website. You can avoid the former by not visiting warez and cracking websites and other types of dodgy sites. The compromise of legitimate sites is on the rise, but (IMO) we are far away from reaching epidemic proportions.
- Happen to have a vulnerable application waiting to be exploited. Just enable DEP (http://en.wikipedia.org/wiki/Data_Execution_Prevention) for all your applications to prevent the most common types of buffer overflows (a kind of vulnerability) and keep up to date with patches for every application that deals with untrusted content, especially if it comes from the Internet. This includes the operating system, the browser(s), the mail client(s), the office suite (Microsoft Office, OpenOffice, etc), the PDF reader (Adobe Reader, etc), the archiver (WinZip, WinRAR, 7-Zip, etc), the image viewers (XnView, FastStone Image Viewer, IrfanView, etc), the multimedia players (Winamp, Media Player Classic, VLC, PowerDVD, WinDVD, Windows Media Player, RealPlayer, QuickTime Player, Nero, etc), the runtime libraries (.NET Framework, Java, etc), P2P applications (eMule, BitTorrent clients, Shareaza, etc) and browser plug-ins (Java, Flash, Shockwave, QuickTime, Windows Media, Real, Silverlight, etc).
0-day vulnerabilities (i.e. vulnerabilities which are being exploited by the bad guys before a patch is available or the vulnerability is acknowledged by the vendor) are much less common than some may think. Also, when a 0-day is "in the wild" you can apply temporary workarounds offered on websites dedicated to information security.
{QUOTE-> Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware. <-QUOTE}
Common computer sense says that you shouldn't trust strange and unexpected executables. If you have installed the most common codecs from a trusted source, you shouldn't need an ActiveX codec or another browser plug-in.
{QUOTE-> Another vector for drive-by downloads are infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don't have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites. <-QUOTE}
No matter what somebody wants you to believe, ads not only are annoying, a waste of (often scarce) bandwidth and sometimes a violation of privacy, they're also a security risk. Often, ads are combined with social engineering tricks to incite you to click them (the famous messages of system errors and alerts of infections). The bad guys are even deploying rogue ad networks. So, use a pop-up blocker (built into your browser) and filter ads with a browser plug-in or a local proxy. Only accept ads from sites you want to support and whose security skills you trust.
{QUOTE-> The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today's criminal hackers don't change the front page at all. They simply insert a line of JavaScript on the front page which uses an exploit to infect your machine when you visit. Everything works and looks as normal.
This has happened to the websites of some popular magazines that can have a million users every single day. People trust sites that are part of their daily routine, and they don't suspect that anything bad could happen when they go there. <-QUOTE}
As I've said before, hacking of legitimate sites is on the rise, but it's far away from an epidemic. Depending on your comfort level and abilities/skills, you may consider whitelisting (i.e. only allow what you deem good/trustworthy and deny the rest) web content, especially scripts and multimedia plug-ins. This will provide your first line of defense against a sudden compromise of a trusted/legitimate site. The general measures of avoiding executable content, enabling DEP, patching your whole system and avoiding risky sites also apply here.
As you've seen, you can secure most of the threat-gates with simple measures and avoid most of the junkware/malware with just some common computer sense without even using security software.
But you need security software to close any potential hole, be it a high-profile 0-day without workarounds or unknowingly trusting malicious content or whatever happens:
- Enable the Windows firewall (XP and Vista) to prevent exploitation of system services which listen for incoming connections. Actually, this is a low-risk threat, but it was a popular one in the past (think about Blaster, Sasser, Code Red and other worms) and new vulnerabilities on these services may arise again. If you have multiple PCs, consider buying a NAT/SPI router and configure it appropriately (change the default password, disable the remote admin feature, disable the UPnP service, enable the SPI, etc)
- Disable the AutoRun/AutoPlay feature for every removable device (CD/DVD, USB disks, pen drives, etc) on every user account. It isn't uncommon to buy an infected pen drive or digital frame or to infect your pen drive when you use it on someone else's PC.
- Create and use a standard/limited user account for daily activities and leave the admin accounts for administration purposes (installing hardware and software, applying patches, changing system settings, etc)
A limited account prevents malware from tampering with your system, disabling your security software and manipulating the kernel to hide from security tools and you. This makes recovery much easier and it also eliminates the risks of kernel rootkits, the most dangerous kind of malware. See here (http://www.wilderssecurity.com/showthread.php?t=196737) for more info.
- Since most malware is of executable nature (be it a mail attachment, the result of a drive-by download, a file launched by the autorun trick or something else), consider the whitelisting of your trusted executables (Windows and Program Files) and deny the rest. This can be done with applications like Faronics' Anti-Executable or using Software Restriction Policies (http://www.wilderssecurity.com/showthread.php?t=200772).
- Install an AV and configure it to the recommended settings. Then check that it's working normally by going to the EICAR site, and then schedule weekly scans. Advanced users may want to stop using a real-time malware scanner and go for applications like behaviour blockers, leaving the AV to do only on-demand scans. If possible, scan downloaded content at sites like Virustotal or Jotti.
- Isolate the vectors of attack. Sandboxing your browser is an effective way of dealing with drive-by downloads.
- Back up your system and information to ensure a painless recovery if you ever manage to get infected. Backups also protect against hardware failures, user mistakes, natural disasters (if you have offsite protected backups) and theft.
Mods: if you think that this is not the appropriate sub-forum, feel free to move the thread, although I think it should be here due to the higher exposure it can get.
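The attachment advice in the post (show the real extension and MIME type, don't trust the name, hash and scan before opening) can be turned into a small triage step. The following is an added example, not code from the post or from F-Secure: it parses a mail message, lists every attachment with its declared MIME type, the content type sniffed from the first bytes, and a SHA-256 you can look up at Virustotal/Jotti without uploading anything, and flags executable extensions, double extensions like `card.jpg.exe` and MIME/content mismatches. The greeting-card message it runs on is constructed inline; the extension and magic-byte tables are a deliberately short subset, not a complete list.

```python
"""Attachment triage along the lines the post recommends: show the real
extension(s) and declared MIME type, flag executable content, double
extensions and MIME/content mismatches, and produce a SHA-256 you can look
up at Virustotal/Jotti without uploading the file. Added example; the
sample message below is constructed, not a real capture."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (common subset, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "msi", "cpl", "lnk"}
# Containers used to carry the above past simple extension filters.
ARCHIVE_EXTS = {"zip", "rar", "7z", "cab"}
# Leading bytes that identify the real content regardless of the name.
MAGIC = [(b"MZ", "PE executable"), (b"PK\x03\x04", "ZIP archive"), (b"%PDF", "PDF")]


def extensions(filename):
    """All dotted suffixes, lowercased: 'card.jpg.exe' -> ['jpg', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def sniff(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(part):
    name = part.get_filename() or "(unnamed)"
    data = part.get_payload(decode=True) or b""
    mime = part.get_content_type()
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    findings = []
    if last in EXECUTABLE_EXTS:
        findings.append("executable extension ." + last)
    if len(exts) > 1:
        findings.append("double extension " + ".".join(exts))
    if "\u202e" in name:  # right-to-left override hides the true extension
        findings.append("RLO character in filename")
    if kind == "PE executable":
        if last not in EXECUTABLE_EXTS:
            findings.append("PE executable content behind a ." + last + " extension")
        if not mime.startswith("application/"):
            findings.append("declared as " + mime + " but content is a PE executable")
    if last in ARCHIVE_EXTS:
        findings.append("archive: list its contents before extracting")
    return {
        "filename": name,
        "mime": mime,
        "sniffed": kind,
        "sha256": hashlib.sha256(data).hexdigest(),  # look this up, don't upload
        "findings": findings,
        "safe_to_open": not findings,
    }


def triage_message(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [triage_attachment(p) for p in msg.iter_attachments()]


def build_sample():
    """Constructed greeting-card lure: one disguised PE and one real PDF."""
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "You have received a greeting card"
    msg.set_content("Open the attached card!")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="card.jpg.exe")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage_message(build_sample()):
        verdict = "OK" if result["safe_to_open"] else "SUSPICIOUS"
        print(verdict, result["filename"], result["mime"], result["sniffed"])
        for f in result["findings"]:
            print("   -", f)
```

Note that the script never opens the attachment with its associated application; it only reads bytes, which is the point. A clean bill from this check still only means "nothing obviously wrong", so the post's advice to scan and, if in doubt, open inside a sandbox or VM still stands.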
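The post's last block recommends whitelisting trusted executables (Windows and Program Files) with Software Restriction Policies and denying everything else. The following is an added example, not the post's or Windows' code: a Python model of how SRP path rules resolve, with a default level of Disallowed, Unrestricted rules for %WINDIR% and %ProgramFiles%, and the more specific path rule winning when several match. It also shows the caveat a practitioner would want with such a policy: folders under %WINDIR% that a limited user can write to (C:\Windows\Temp and C:\Windows\Tasks are the classic examples on XP) have to be re-denied, or malware simply drops its executable there. The environment variable values and the writable-folder list are assumptions for illustration, and the designated file type set is a subset of SRP's default.

```python
"""Model of Software Restriction Policies path-rule evaluation: default deny,
allow %WINDIR% and %ProgramFiles%, re-deny user-writable folders inside
them. Added example modelled on SRP behaviour, not Windows' implementation.
ENV values and WRITABLE_UNDER_WINDIR are assumptions for illustration."""
import ntpath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Environment variables as SRP would expand them (assumed values).
ENV = {"WINDIR": r"C:\Windows", "PROGRAMFILES": r"C:\Program Files"}

# Subset of SRP's default "Designated File Types": only these are checked.
# DLLs are deliberately absent, as in SRP's default enforcement setting.
DESIGNATED = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js",
              "hta", "msi", "lnk", "cpl"}

# Folders under %WINDIR% a limited user can write to on XP (assumed list).
WRITABLE_UNDER_WINDIR = (r"%WINDIR%\Temp", r"%WINDIR%\Tasks", r"%WINDIR%\Debug\WIA")


def expand(path):
    for var, val in ENV.items():
        path = path.replace("%" + var + "%", val)
    return path


def canon(path):
    """Expand variables, collapse '..' and normalise case and separators,
    so 'C:\\Windows\\Temp\\..\\x.exe' is judged as 'c:\\windows\\x.exe'."""
    return ntpath.normcase(ntpath.normpath(expand(path)))


class Policy:
    def __init__(self, default=DISALLOWED):
        self.default = default
        self.rules = []  # (canonical path prefix, security level)

    def add_path_rule(self, path, level):
        self.rules.append((canon(path), level))

    @staticmethod
    def matches(rule_path, target):
        return target == rule_path or target.startswith(rule_path.rstrip("\\") + "\\")

    def evaluate(self, path):
        """Return (level, reason). The longest matching rule path wins,
        mirroring SRP's 'more specific rule takes precedence'."""
        target = canon(path)
        ext = ntpath.splitext(target)[1].lstrip(".")
        if ext not in DESIGNATED:
            return UNRESTRICTED, "not a designated file type"
        best = None
        for rule_path, level in self.rules:
            if self.matches(rule_path, target):
                if best is None or len(rule_path) > len(best[0]):
                    best = (rule_path, level)
        if best is None:
            return self.default, "default level"
        return best[1], "matched rule " + best[0]


def default_deny_policy():
    """Whitelist Windows and Program Files, deny everything else, and close
    the writable-folder gap inside %WINDIR%."""
    p = Policy(DISALLOWED)
    p.add_path_rule(r"%WINDIR%", UNRESTRICTED)
    p.add_path_rule(r"%PROGRAMFILES%", UNRESTRICTED)
    for writable in WRITABLE_UNDER_WINDIR:
        p.add_path_rule(writable, DISALLOWED)
    return p


if __name__ == "__main__":
    policy = default_deny_policy()
    for sample in (r"C:\Program Files\Mozilla Firefox\firefox.exe",
                   r"C:\Documents and Settings\lucas\Local Settings\Temp\card.jpg.exe",
                   r"C:\Windows\Temp\dropper.exe",
                   r"E:\setup.exe"):
        level, reason = policy.evaluate(sample)
        print(level.ljust(12), sample, "(" + reason + ")")
```

A drive-by payload saved to the user's Temp folder, a file launched from a pen drive's autorun, or a dropper copied into C:\Windows\Temp all resolve to Disallowed here, while the browser in Program Files runs. A path policy like this is only as good as the write permissions on the allowed folders, which is also why the post pairs it with a limited user account: an administrator can write anywhere under Program Files and defeat it trivially.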