Archive for June, 2006

“200,000!”

Rockets bursting in air, fireworks everywhere!  Thank you for helping mark the 200,000th entry into the VirusScan malware (malevolent software) detection database.

But truly, this is not a moment to celebrate.  Ever larger amounts of malware are a plague, not a cause for celebration.  Instead, we mark this moment simply as a milestone in our continual effort to fend off the bad stuff from everyone's machines.

It is alarming that we reach this milestone so soon after September 2004 when the count reached 100,000.  Eighteen years to reach 100,000.  Less than two years to double.  Looking ahead, our researchers expect yet another doubling in a similar timeframe.  So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!

[Graph: Malware Count and Rate of Growth]

The last two years have marked a tremendous increase in downloaders and bots, malware whose purpose is to commandeer the target machine for use by a command-and-control machine.  Or rather, by the person sitting behind that machine, whose motive is $$$$$$$.

In early 2004, a number of viruses like Netsky, Bagle, and Mydoom would infect multiple millions of machines with each release of a new variant.  Many millions of machines would be compromised in a short amount of time causing great financial strife and immediate reaction from IT personnel as well as law enforcement.  Soon, Sven Jaschan was arrested for the creation of the Netsky and Sasser families of viruses.  At about the same time, the author of Gaobot/Agobot and Phatbot was also arrested.  With these two events, we all hoped the arrests would stem the tide on malware.

Instead, malware distribution changed dramatically.  In the first half of 2004, 31 virus outbreaks were rated Medium and above.  The second half of 2004 saw 17 more.  That number fell to 12 for the whole of 2005.  And in 2006, there have been no outbreaks of similar severity!  Instead of huge virus events causing ire from all segments including law enforcement, the preferred method of malware distribution now involves the creation of many minor variants sent through controlled spam efforts.  Good family detection becomes crucial for a less worrisome experience on the Internet.

Another area of concern is the growth of malware targeting mobile telephony.  The numbers are still small, only near 300.  As a result, rates of growth look exaggerated.  However, it will grow.  The worry, as our past experience with other forms of malware would suggest, is that the growth will follow the shape of the graph above, except that the timescale will be compressed.  We are still in the era where malware targeting telephony is not yet purposefully stealing money.  And that is the concern.  When the phone becomes the standard means to transfer money, malware targeting telephony will truly explode, much as bots and other means to steal money over the Internet have consumed our energies these past two years.

And so, on this July 4th, our thanks to the men and women who serve, so we can all enjoy our liberties and pursue happiness.  And thanks also to the cadre of dedicated anti-malware researchers who on this day added that 200,000th malware detection entry, so we may pursue our enjoyment of the Internet experience with a little less worry.

“Coming Soon!! More than 200,000 threats detected !”

In some hours, we will make available our latest anti-virus definitions for McAfee VirusScan. They will be numbered DAT-4800.
With this release the number of threats detected will exceed 200,000, reaching 200,104 detections.

In September 2004, with the DAT-4391 release, we reached 100,000 threats detected. We have doubled this figure in less than 2 years!!!

Today our anti-virus detects not only viruses but all kinds of malware:

  • Trojans: 31%
  • Bots and Windows 32 viruses: 28%
  • Scripts and macro viruses: 12%
  • Potentially Unwanted Programs (PUPs): 3%
  • Old DOS, boot-sector, Windows 3.1 and miscellaneous threats: 26%

Yesterday, with DAT-4799, we detected 199,920 viruses. In 24 hours we will have added 184 new detections. Daily updates for anti-virus protection have never been more necessary.

“You have signed in at another location”

I recently got a bunch of Yahoo instant messages from a few IM buddies. All of them about a geocities page: www.geocities.com/omg_thats_too_funny_3/ Unfortunately, that page was taken down by the time I could check what it was about. Also, my buddies couldn’t recall sending me that link.

[Image: IM Phish]

It’s essentially a phishing attack delivered over the popular Yahoo instant-messenger network. You might see an offline buddy sign in, send you the above link with a couple of tempting smileys, and quickly log off. The scary part is that it’s sent without their knowledge, frequently when they are not online. They might even remember getting knocked off Yahoo IM because “they signed in somewhere else”. This likely meant that their Yahoo accounts had been compromised.

If you look around, you will find quite a few others have been scammed into losing their Yahoo passwords via phishing sites:

http://isc.sans.org/diary.php?storyid=1463
http://www.broadbandreports.com/forum/remark,14377670
http://zigzackly.blogspot.com/2005/10/yahoo-password-hack-warning.html

IMs from buddies are too easily trusted. Many sites that host pictures/videos allow only registered users to view them. So it’s not surprising that this type of attack is so successful.

What’s different about this attack is that it’s not a simple password-stealing attempt from a single targeted user. Once an unsuspecting user compromises her credentials by submitting them at the phishing site, a CGI script on that site uses the YMSG protocol with the stolen credentials, logs on to the Yahoo IM network and gathers the buddy list of that user to propagate the attack further! All buddies on this compromised user account get similar IMs posing as this user.

Theorizing further, it’s not hard to imagine a central attacker-controlled DB of stolen Yahoo IM ids (and, for the users who fell for the phishing, even their passwords). Such a DB could be really useful for spammers. It can be used to do some fancy data-mining as well (buddy relationships etc). At the very least, it shows which users are security savvy and which ones are not! :)

The attacker could keep creating newer sites when older ones are taken down/blocked. Yahoo IM’s default-allow policy makes all this even worse – non-buddies (anyone!) can send you an instant message without any previous contact. This is actually the whole point behind using them on social networking sites like Orkut, Myspace etc. So the phishing attacks can’t really be blocked on the network or URL level.

The only solution seems to be to use a “site-key” mechanism on the Yahoo login page(s). Something like a user-specified image/secret that gets displayed before the user even types the username (or password). This image can be selected based on the cookies/Macromedia Flash Objects downloaded through previous sessions. Since only Yahoo can read the content inside these local objects, only Yahoo can generate the right site-key image. The user enters her credentials only on recognizing the right site-key.
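To make the site-key idea above concrete, here is an added example (not Yahoo's code, nor the post author's) of the two-step login flow: the browser holds an opaque device token from an earlier authenticated session, the user types only her username, and the genuine site shows her chosen image only when the token it receives was issued to that username. A look-alike page on another domain cannot read that token, so it cannot show the image. The token storage, the user/image table and the function names are assumptions made for the illustration.

```python
"""Site-key (mutual authentication) login flow, as an added illustration."""
import hashlib
import secrets

# Server-side state (constructed sample data). In a real deployment this lives
# in the identity provider's database; the names here are assumptions.
USER_SITEKEY = {"alice": "blue_sailboat.png", "bob": "red_kite.png"}
DEVICE_TOKENS = {}  # sha256(token) -> username the token was issued to


def _fingerprint(token):
    # Store only a hash so a database leak does not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_device_token(username):
    """After a successful login, issue an opaque token for the browser to keep
    (cookie or Flash local object). Only the genuine origin can read it back."""
    token = secrets.token_hex(16)
    DEVICE_TOKENS[_fingerprint(token)] = username
    return token


def sitekey_for(username, device_token):
    """Login step 1: the user has typed only a username. Return the image to
    display if the presented token was issued to that user, else None."""
    if device_token is None:
        return None
    if DEVICE_TOKENS.get(_fingerprint(device_token)) != username:
        return None
    return USER_SITEKEY.get(username)


def user_should_enter_password(expected_image, shown_image):
    """Login step 2 happens only if the user recognises her own image.
    A missing or wrong image means: stop, do not type the password."""
    return shown_image is not None and shown_image == expected_image


def phishing_page_view(username):
    """What a look-alike page on another domain can show: it cannot read the
    genuine site's token (same-origin rules), so it has nothing to present."""
    return sitekey_for(username, None)


if __name__ == "__main__":
    tok = issue_device_token("alice")
    print("genuine site shows:", sitekey_for("alice", tok))
    print("phishing site shows:", phishing_page_view("alice"))
```

The scheme only helps if users actually refuse to enter a password when the image is absent or wrong, and a brand-new browser (no token yet) must be handled by a separate enrolment path rather than by silently skipping the check.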

Microsoft patches 14 more critical vulnerabilities

Today Microsoft addressed 18 vulnerabilities of which 14 are rated critical. One of the critical vulnerabilities, (MS06-035) Mailslot Heap Buffer Overflow vulnerability, can be remotely exploited by an anonymous user on Windows 2000 SP4 and Windows XP SP1. This vulnerability is the only worm candidate among the patched vulnerabilities today.
The update for our graphs of last month is found below. The top graph shows that this year Microsoft has already addressed more critical vulnerabilities than in the whole of 2005. The bottom graph shows that the number of important vulnerabilities has not changed significantly.
[Graph: Critical vulnerabilities addressed by Microsoft]
[Graph: Important vulnerabilities addressed by Microsoft]

McAfee Avert Labs has given three of the vulnerabilities patched today a rating of High while the others have received a rating of Medium. The ones with a McAfee rating of High are the worm candidate, (MS06-035) Mailslot Heap Buffer Overflow vulnerability, and the Excel and Office vulnerabilities for which exploit code has been published, (MS06-037) Excel Malformed File Vulnerability and (MS06-038) Office Malformed String Parsing Vulnerability.

No need to remind you to review your deployments now!

Virus targets Interactive Disassembler (IDA) Pro!

Virus authors are continuously trying to make life difficult for the antivirus community.

Early worms fired the first warning shot by disabling on-access scanning or even deleting antivirus and security-related processes on infection, thereby rendering the machine defenseless. Stand-alone cleaning tools had to be released by antivirus vendors until even these got targeted. A classic case is that of W32/Sober@MM vs. McAfee Stinger.

To prevent researchers from reverse engineering binaries, malware started using anti-debugging techniques and would quit execution in the presence of a debugger like SoftIce. This made malware analysis more difficult.

For some time we have also seen malware that is VM (virtual machine) aware. Such malware will not execute in virtual operating environments like VMware and Microsoft Virtual PC. Researchers were forced to tweak virtual machines at the cost of performance or resort to executing these worm families on real machines. Both methods take up valuable research time when one has to replicate malware dynamically.

The latest salvo is a virus that directly targets the very tools that security researchers use.
Interactive Disassembler Pro (IDA Pro) is a popular disassembler that is used to reverse engineer and decompose binaries. Custom IDC scripts can be written to automate tasks like unpacking a file or running an algorithm.

W32/Gatt is a polymorphic, entry-point-obscuring virus that infects only scripts associated with IDA Pro. It infects IDC script files found on a machine and replicates when an infected IDC script is executed.

By targeting tools used by antivirus researchers, the author makes an attempt to embarrass the security community.

Researchers are a paranoid lot when dealing with malware and are very careful about the way files are exchanged and executed. What could actually end up happening is a couple of curious wannabe virus writers fooling around with it and getting infected!
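Since the virus described above spreads by rewriting IDC script files, the practical defensive check is an integrity baseline of the script directory: record a hash of every script once, and before a session compare the directory against that record. The following is an added example of such a check, not code from the post or from IDA Pro; the directory layout, the sample script contents and the `.idc` suffix filter are constructed for the demonstration.

```python
"""Integrity manifest for an analysis-tool script directory (added example)."""
import hashlib
import json
import os
import shutil
import tempfile

SCRIPT_SUFFIXES = (".idc",)  # IDA scripting files; extend for other tools


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each script's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SCRIPT_SUFFIXES):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = _sha256(full)
    return manifest


def save_manifest(manifest, path):
    # Keep the baseline somewhere the scripts directory cannot overwrite it
    # (read-only media or a separate host) in real use.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare_manifest(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed scenario: baseline a scripts folder, then alter one script
    and drop in a new one, the two changes a script-infecting virus would make."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "unpack.idc"), "w") as f:
            f.write('static main() { Message("unpack\\n"); }\n')
        with open(os.path.join(root, "rename.idc"), "w") as f:
            f.write('static main() { Message("rename\\n"); }\n')
        manifest_path = os.path.join(root, "baseline.json")  # not .idc, so not scanned
        save_manifest(build_manifest(root), manifest_path)
        # Simulated tampering (constructed): append to one script, create another.
        with open(os.path.join(root, "unpack.idc"), "a") as f:
            f.write("// appended line\n")
        with open(os.path.join(root, "extra.idc"), "w") as f:
            f.write("static main() {}\n")
        return compare_manifest(load_manifest(manifest_path), build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Any entry in the modified or added lists is a reason to stop and examine the file before IDA runs it; the baseline itself must be kept where an infected script cannot rewrite it.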

European Teen Internet Safety Survey Details

A couple of days ago, McAfee-UK released the results of a survey on teens’ attitudes toward safety on the Internet as pertains to accessing free music or videos. Here you can read the press release titled Teenagers Risk PC Security For Free Downloads. But I always prefer the raw data. Unfortunately, this tabulation has already been interpreted and lacks the original questions. But they’re still interesting…

Sample Size

The research was conducted in June 2006 by ICM Research who conducted 615 interviews with teenagers aged between 13 and 17 in six European countries. The sample breakdown is:

Country Interviewees
UK 100
France 102
Germany 101
Netherlands 100
Spain 100
Italy 112

1. % of teenagers unconcerned by the risks of viruses and other threats when downloading music or video content

Country Data
Euro Average 40%
UK 36%
France 38%
Germany 42%
Netherlands 39%
Spain 42%
Italy 41%

2. % of teenagers who regularly use illegal (sic) file sharing sites like Kazaa and Limewire

Country Data
Euro Average 56%
UK 62%
France 54%
Germany 17%
Netherlands 74%
Spain 64%
Italy 48%

3. % of teenagers who are not worried about internet security when they go online

Country Data
Euro Average 24%
UK 26%
France 25%
Germany 19%
Netherlands 52%
Spain 14%
Italy 11%

4. % of teenagers who rarely check to see if their security software is up to date

Country Data
Euro Average 30%
UK 24%
France 34%
Germany 20%
Netherlands 36%
Spain 44%
Italy 25%

5. % of teenagers who are entrusted with keeping the family PC secure

Country Data
Euro Average 21%
UK 18%
France 13%
Germany 24%
Netherlands 23%
Spain 21%
Italy 29%

6. % of teenagers that purchase digital content from online shops such as iTunes

Country Data
Euro Average 15%
UK 34%
France 9%
Germany 17%
Netherlands 14%
Spain 5%
Italy 10%

7. % of teenagers do not scan downloaded files or email attachments for viruses or other threats before opening them

Country Data
Euro Average 37%
UK 27%
France 40%
Germany 35%
Netherlands 31%
Spain 58%
Italy 34%

8. % of teenagers who admit to giving out their personal details in chatrooms

Country Data
Euro Average 14%
UK 13%
France 14%
Germany 26%
Netherlands 14%
Spain 12%
Italy 8%

9. % of teenagers who are unaware that a breach could cause them to lose all their digitally archived items such as music

Country Data
Euro Average 46%
UK 28%
France 64%
Germany 40%
Netherlands 46%
Spain 34%
Italy 62%

10. % of teenagers who did not realise that their PC could be remotely taken over by cyber savvy criminals and used to send spam emails

Country Data
Euro Average 43%
UK 18%
France 65%
Germany 33%
Netherlands 20%
Spain 52%
Italy 67%

11. % of teenagers who are unaware that their personal information could be hacked into and stolen

Country Data
Euro Average 32%
UK 19%
France 45%
Germany 25%
Netherlands 12%
Spain 39%
Italy 47%

12. % of teenagers aware that their digital content such as music could be lost through infections

Country Data
Euro Average 54%
UK 72%
France 36%
Germany 60%
Netherlands 54%
Spain 66%
Italy 38%

13. % of teenagers aware that hackers could steal their personal information

Country Data
Euro Average 68%
UK 81%
France 55%
Germany 75%
Netherlands 88%
Spain 61%
Italy 53%

14. % of teenagers who did not know what a phishing scam was

Country Data
Euro Average 79%
UK 70%
France 79%
Germany 68%
Netherlands 93%
Spain 95%
Italy 68%

15. % of teenagers who had never heard of spyware

Country Data
Euro Average 45%
UK 13%
France 46%
Germany 56%
Netherlands 19%
Spain 69%
Italy 64%

16. % of teenagers who know what phishing is

Country Data
Euro Average 21%
UK 30%
France 21%
Germany 32%
Netherlands 6%
Spain 5%
Italy 32%

17. % of teenagers whose family PC is located in their bedroom

Country Data
Euro Average 33%
UK 24%
France 5%
Germany 43%
Netherlands 38%
Spain 37%
Italy 50%

18. % of teenagers whose family PC is located in the living room

Country Data
Euro Average 24%
UK 28%
France 29%
Germany 15%
Netherlands 39%
Spain 17%
Italy 18%

Malware Prevalence

This is primarily intended as a question for you, the reader, to weigh in on:

In this era of dozens of new variants of common malware families, what is the most important aspect of prevalence to you? Prevalence of individual variants, of specific families, of meta-families?

Historically, prevalence has been based on individual variants, e.g. X number of samples of W97M/Melissa.a or of W32/Bagle.g, etc. As these examples show, this was also primarily based on viruses, since it measured the virus's own spread rather than counting how many ways a trojan author could spam his own creation.

As frequently-updated trojans and bots become more popular and mass-mailers become less so, it may be that this model needs to be revised.

Do you consider things to be more dangerous or notable when their particular attack vector is being widely used ("Beware – we see an increase in viruses using a specific vulnerability!"), when certain types of malware become more common ("Downloaders are increasing in popularity!"), or is it still most valuable to you to be alerted when just one specific variant is making the rounds ("W32/MyLunch.m@MM is everywhere!")?

Why do you find that to be the most important aspect? How will that information best assist you in protecting your environment?

Linux/Exploit-PRCTL

Four variants of working Linux/Exploit-PRCTL code have been made available on the Internet over the past 4 days. All of these variants take advantage of a bug in core dump file handling within Linux Kernel 2.6 that enables local non-privileged users to write into the cron.d folder, which they would not normally have write access to. For those unfamiliar with the Linux operating system, the cron.d folder is the equivalent of the Windows Task Scheduler: tasks or files residing within it are executed on a schedule. To make it relevant, tasks executed from this folder have the privileges of the cron service user – typically root.

[Image: Execution of Linux/Exploit-PRCTL]

This is not the first malware to exploit a Linux kernel vulnerability to gain escalated privileges. But it must be one of the most potent ones in a long while. Despite being limited to local users, running one of the many vulnerable PHP scripts on a Linux web server could mean quick remote access for those with malicious intent. One would expect it to be very popular with hackers and PHP worm authors.

Linux 2.6 users should update to the Linux 2.6.17.4 stable release.
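A quick way to act on that advice across a fleet is to compare each host's kernel release string against the 2.6.17.4 fix level. The following is an added example (not from the post) that does this comparison; it parses only the leading dotted numbers of `uname -r`, ignoring distribution suffixes, and the classification labels and function names are this example's own.

```python
"""Classify a kernel release string against the 2.6.17.4 stable release (added example)."""
import platform
import re

FIXED = (2, 6, 17, 4)  # stable release the post says 2.6 users should move to


def parse_release(release):
    """Extract the numeric version tuple from a kernel release string.
    Distro suffixes ("-1.2142_FC4", "-smp", "-rc3") are ignored; only the
    leading dotted digits count, padded with zeros to four fields."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(release):
    """'not-2.6'   : outside the series the bug is reported in
       'patched'   : 2.6 kernel at or past 2.6.17.4
       'vulnerable': 2.6 kernel older than 2.6.17.4 by version number"""
    v = parse_release(release)
    if v[:2] != (2, 6):
        return "not-2.6"
    return "patched" if v >= FIXED else "vulnerable"


def running_kernel_status():
    """Classify the kernel this script is running on (Linux only)."""
    return classify(platform.release())


if __name__ == "__main__":
    print(platform.release(), "->", running_kernel_status())
```

Version comparison is only a first pass: distribution kernels often carry backported fixes under an older version number, and `-rc` pre-releases are treated here as the numbered release they precede, so a "vulnerable" result should be confirmed against the vendor's advisory rather than acted on blindly.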

McAfee Avert Labs releases first issue of Sage!!!!

An epic transformation in the world of security is upon us. Today, we released the first issue of our semi-annual security magazine Sage. We will leverage this communication vehicle to deliver meaningful and sometimes raw content to the masses. We take our responsibility to protect the public from malicious malcontents very seriously and will not shy away from difficult content or taboo topics. Instead, we will share with the world our day-to-day fight and let you decide how important the concepts being broached are to you.

The premiere issue examines the use of open source by the malware writing community. We show the pivotal role that code sharing and full disclosure have played in the evolution of the threat environment, and we anticipate a surge in malware quality and reliability as the malware writers become more professional. Though open source cannot be blamed for how some unsavory individuals may choose to use its tools, techniques, and methodologies, the movement should acknowledge that there are dangers associated with some of its fundamental beliefs.

Sage is meant to be a forum for thought leadership and serious discourse on topical security issues. By drawing on the Labs' wealth of data and expertise, and writing challenging security articles, we hope to provoke important discussion about the digital battlefield we have found ourselves in.

Get Sage now from the McAfee Threat Center site:

http://www.mcafee.com/us/threat_center/white_paper.html

MySpace Virus#2

There has been some discussion in the last few hours of a new MySpace virus (JS/SpaceFlash) that was recently discovered. This is the second to target the MySpace community this year. While the first virus had a significant spread, this one seems to have spread much less. There have also been updates to MySpace this morning, requiring a more recent and specific Flash player in order to view videos.

There has been some criticism about the inclusion of active content on sites like MySpace. MySpace is a social networking site that was created with the specific aim of helping musicians post their wares, so that they could gain more exposure without having to have the backing of major labels. This has also recently been expanded to include comedians as well. In light of this aim, it seems necessary that a certain amount of active content be present to achieve this end. What is the point of a site for promoting musicians and comedians without any way to see or hear them?

This situation strikes me as similar to the early days of the addition of macros to MS Office: It's important to balance powerful functionality and security. Despite the best attempts at including security features in any given product, with a large enough user base, it's likely holes will occasionally be found. At that point, the speed and thoroughness of a vendor's response becomes most important.

In the end, macro viruses all but died out, due in large part to the security features added to MS Office, and generic macro-virus detection added by all major antivirus vendors. It will be difficult for MySpace to address things like cross-site scripting and external modification of profiles without hampering users' ability to add content or to use tools to customize their pages. Obviously more still needs to be done on this front, and the battle is far from over.

MySpace has acted reasonably quickly so far, though there are issues left to be addressed in order to keep this sort of thing from happening again in the future. Hopefully they're taking an in-depth look at these issues, particularly external modification of profiles, so that they can minimize the risk of this being done maliciously.