Archive for August, 2006

“Security considerations for printers, Blackberries, etc.”

There've been a few articles lately about the potential for security breaches using various devices that frequently get excluded from consideration of an organization's security policies. This is a good indication of a greater security problem, as it applies to not only things like printers and Blackberries, but also things like iPods, PDAs, mobile phones and thumb-drives. Anything that can store data from your network can potentially be used to compromise your network. The more data from your network it can access or store, the more dangerous it could obviously be.

Things like Blackberries and printers require some network connectivity, which means they can be used to gain some access to network traffic or to information like network topology. PDAs, mobile phones, iPods and thumb-drives are generally just used to sync data with the device, but this means that they can effectively be used as a separate hard-drive, which can be used to add or remove files or information.

In a sense, this is no scarier a prospect than any other machine which is typically attached to a corporate network. Where this is problematic is that these devices are considered more like toys than proper machines, and are not given the same security concern.

This would be somewhat analogous to letting random kids from around town into your house. Sure, they may be pint-sized and adorable, but that doesn't mean these kids couldn't (or wouldn't) sneak the $20 out of your wallet when you aren't around to see. At this point, most people keep their houses well closed, and are reasonably particular about requiring an invitation or a level of trust from people they let in. And once they're inside, people are then pretty attentive about what sorts of things guests are "allowed" to do while they're there. For instance, you wouldn't allow guests at a party access to a personal safe or your financial records (perhaps not even some family members!), but you might grant your CPA access to the latter.

Network security by and large hasn't quite gotten to this level for most organizations, who instead leave the metaphorical windows and doors open for anyone to come in, with the exception of a few known offenders (assuming they haven't found a sneaky alternate way in). At this point it'd generally be best for most organizations to think more along the lines of white-listing or grey-listing rather than simply black-listing: not just excluding traffic from "known-bad" ports or file types, but also giving equal scrutiny to devices which aren't your standard PC/server machines, matching users' actual needs with their access levels, and so on. As more OS and application-level 0-day exploits are found, a wider variety of file types are considered potentially suspect, and security hacks for devices are published, this becomes unequivocally the case for a larger and larger percentage of the population.

Printer Woes!

Gone are the days when dumpster diving, or going through waste printer paper in the trash, was used to gain sensitive information about an organization. The paper shredder was a cheap and cost-effective solution to the problem of dumpster diving. The occasional confidential printout still pops up here and there due to a failed print job, but for that we can blame the faulty ink cartridge!

Today's printers are state-of-the-art multi-function devices that also serve as fax machines, photocopiers or even mini file servers. They come with their own stripped-down operating systems, usually Linux/NetBSD, and support most network protocols, namely IP, IPX and AppleTalk. However, few organizations take measures to secure their printing devices, either physically or on the network.

Most printers can be reset to their factory defaults by certain key combinations or via a hard reboot, depending on the vendor and model. Usually the default usernames and passwords for configuring the printer via the web administration or SNMP interface are freely available on the internet. Once reset and logged in, an attacker could re-configure the printer to dump every job sent to the print spool to disk.

More recently, at the just-concluded Black Hat conference, a security researcher demonstrated how to run unauthorized software on the printer, compromise network traffic, and access sensitive information being printed, by taking advantage of a configuration error in the printer's web interface. With the kind of sensitive information being sent to printers, the printer does become a soft target for an attacker wanting to eavesdrop on sensitive company data.

To date, software and firmware upgrades for printers were unheard of unless something went really wrong with the printer. The wake-up call has now been sounded for IT managers to revisit printers and secure them both physically and via software security measures.

When Samy meets Wiki

A Wiki is a type of website that allows users to freely add, remove or edit available content, mostly without the need for registration. With Wiki being a frequently visited site for information, it also becomes an attractive target for malware authors looking for unsuspecting victims.

Given that most pages can be changed without any user authentication, the following attack scenarios are possible:

  • Legitimate hyperlinks in Wiki are modified to point to malware executables.
  • Legitimate hyperlinks are modified to point to websites that install malware via drive-by downloads using browser vulnerabilities.

In the first scenario, we could have a worm that installs an unauthorized web server on compromised machines on the internet to host further copies of the worm. Instead of spamming users, the worm could then target vulnerable users on Internet Relay Chat (IRC) or popular Instant Messengers (IM). This worm could also traverse and modify pages in Wiki to point to yet another web server hosting a copy of the worm.

The second scenario is far more alarming as innocent users who click links in Wiki could get re-directed to questionable sites and have malware installed on their systems using zero-day browser vulnerabilities.

A proof of concept that exploits the first scenario has been published; it modifies every link in a Wiki page to point to a copy of the worm. To get random wiki pages to infect, it uses this URL, which returns a random topic every time.

Most people trust Wiki links, as it is a great resource for information. Unfortunately, the lack of authentication, or of a Gimpy-style CAPTCHA, for editing topics in Wiki leaves it open to such attacks. It's only a matter of time before Samy meets Wiki.
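The defensive counterpart to the attack described in this post is a revision audit: whoever hosts a wiki can diff each new revision against the previous one and flag links whose target became an executable or quietly moved to another host, and can treat a revision in which nearly every link changed as automated rather than human editing. The following is an added example written for this archive, not code from the original post or from any wiki project; the MediaWiki-style `[url label]` link syntax it parses, the `audit_revision` and `rewrite_fraction` function names, and the sample revisions (using reserved documentation addresses) are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# External links in MediaWiki-style markup: [http://host/path optional label]
EXTERNAL_LINK = re.compile(r"\[(https?://[^\s\]]+)(?:\s+([^\]]*))?\]")

# Link targets that should never go live on a wiki without a human look
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")


def extract_links(markup):
    """Return [(url, label), ...] for every external link in the markup."""
    return [(m.group(1), (m.group(2) or "").strip())
            for m in EXTERNAL_LINK.finditer(markup)]


def audit_revision(old_markup, new_markup):
    """Compare two revisions of one page and report links that now look like
    a download trap: the target became an executable, or a labelled link was
    silently moved to a different host."""
    old_by_label = {label: url for url, label in extract_links(old_markup) if label}
    findings = []
    for url, label in extract_links(new_markup):
        reasons = []
        parsed = urlparse(url)
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("target is an executable file")
        previous = old_by_label.get(label)
        if previous is not None and previous != url:
            old_host = urlparse(previous).hostname
            if old_host != parsed.hostname:
                reasons.append("host changed from %s to %s" % (old_host, parsed.hostname))
        if reasons:
            findings.append({"label": label, "old": previous, "new": url,
                             "reasons": reasons})
    return findings


def rewrite_fraction(old_markup, new_markup):
    """Fraction of labelled links whose target changed between revisions.
    A value near 1.0 means every link was rewritten, which is how the
    automated proof of concept behaves and not how a human editor works."""
    old = {label: url for url, label in extract_links(old_markup) if label}
    new = {label: url for url, label in extract_links(new_markup) if label}
    shared = [label for label in new if label in old]
    if not shared:
        return 0.0
    changed = sum(1 for label in shared if old[label] != new[label])
    return changed / len(shared)


# Constructed sample revisions (not real wiki content); the hosts are
# reserved documentation addresses.
OLD_REVISION = """== Downloads ==
* [http://www.example.org/docs/manual.pdf User manual]
* [http://www.example.org/ Project home]
See also the [http://wiki.example.org/Glossary Glossary]."""

# One link quietly repointed at an executable on an unrelated host
NEW_REVISION = """== Downloads ==
* [http://203.0.113.9/dl/manual.exe User manual]
* [http://www.example.org/ Project home]
See also the [http://wiki.example.org/Glossary Glossary]."""

# Every link rewritten, as an automated edit would do
MASS_REWRITE = """== Downloads ==
* [http://203.0.113.9/dl/a.exe User manual]
* [http://203.0.113.9/dl/b.exe Project home]
See also the [http://203.0.113.9/dl/c.exe Glossary]."""

if __name__ == "__main__":
    for f in audit_revision(OLD_REVISION, NEW_REVISION):
        print("%s: %s -> %s (%s)" % (f["label"], f["old"], f["new"],
                                     "; ".join(f["reasons"])))
    print("rewrite fraction: %.2f" % rewrite_fraction(OLD_REVISION, MASS_REWRITE))
```

Run against the single-link tamper, the audit reports one finding with two reasons (executable target, host changed); against the mass rewrite it reports all three links and a rewrite fraction of 1.0, which is the signal a wiki operator would route to a moderation queue rather than publish.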

MocBot Exploits MS06-040 Vulnerability

When Microsoft released the monthly security bulletins on August 8, we blogged that the Windows Server Service vulnerability (MS06-040) was a worm candidate. Exploit code was released to the Internet community on August 10, and the first IRC bots to exploit this vulnerability were discovered in the wild on August 12, all in 4 days.

Unsurprisingly, the bot, IRC-MocBot!MS06-040, is apparently a quick hack of its predecessor, IRC-MocBot, with an updated exploit module using publicly available code. It uses the same replication mechanism and even connects to the same hostnames as it did in October 2005.

At the time of writing, the exploits used in two similar variants of this threat target Windows 2000 systems, which are not equipped with the default Windows Firewall or memory protection; both features were introduced in Windows XP Service Pack 2 and Windows 2003 Service Pack 1. Even so, this threat may still infect other systems by enticing users into downloading the malware by means of instant messaging, e-mail or other vectors. Once a system is infected, the bot can then scan for vulnerable systems in your corporate network.

IRC-MocBot!MS06-040 variants can be detected by McAfee VirusScan using the latest DAT set. More information on IRC-MocBot!MS06-040 is available at http://vil.nai.com/vil/Content/v_140394.htm.

The exploit contained in this threat will not affect you if your Windows systems are updated with the latest MS06-040 patches from Microsoft. Reiterating Monty’s advice from his blog, there is no better reason to review your deployments now.

Recent Phishing Trends

In the last year, phishing emails have increased by approximately 25%. Fraudsters are still targeting the high-profile banks, financial institutions and e-commerce sites that they have targeted in the past, but in many cases they are changing the content of the phishing mails from the "change your password now" type of scam that was prevalent in the past to more varied and directed messages.

In addition to attacking these well known companies, fraudsters are increasingly targeting smaller European and American financial institutions, and the targets are changing almost daily.

The old rules still apply to these new types of phish: always visit your bank's website by typing the name directly into your browser, or from a bookmark in your browser, rather than following a link in an email.

The e-commerce phish has also become more directed; much of the phish targeting popular online auction sites appears to have been sent from another user rather than from the auction site. For example, many of the phish are fake messages claiming that you bought an item and have not paid, that another user has raised a dispute against you, or that someone is enquiring about an item for sale. In all these cases, if you think that the message may be genuine, log directly into the auction site (do not click on the links in the email) and you can see whether anyone has tried to contact you.

Even though the content of the phishing messages has become more varied, the social engineering techniques used are still the same, and can be avoided by visiting the financial site directly rather than clicking a link in an email.
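The "visit the site directly" rule works because a phishing mail's links do not lead where they claim to. A mail gateway or client can apply the same reasoning mechanically: extract every anchor, flag anchors whose visible text names one host while the `href` leads to another, and flag anchors that do not lead to the site the message claims to come from. The following is an added example written for this archive, not code from the original post or from any McAfee product; the `mismatched_links` and `off_domain_links` helpers and the sample auction-dispute mail (using a fictitious `auction-example.com` and reserved documentation addresses) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name inside the visible link text
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_site(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def mismatched_links(html):
    """Anchors whose visible text names one host but whose href leads to another."""
    out = []
    for href, text in extract_anchors(html):
        match = HOST_IN_TEXT.search(text)
        if not match:
            continue
        shown, actual = match.group(1).lower(), host_of(href)
        if actual and not same_site(actual, shown) and not same_site(shown, actual):
            out.append((text, href))
    return out


def off_domain_links(html, claimed_domain):
    """Anchors that do not lead to the site the message claims to be from."""
    return [(text, href) for href, text in extract_anchors(html)
            if host_of(href) and not same_site(host_of(href), claimed_domain)]


# Constructed sample: a fake "unpaid item / dispute" mail of the kind described
# above. The first link hides the real host behind a look-alike prefix, the
# second shows the auction site's name but points at a bare IP address, and
# the third is a genuine link to the claimed site's help pages.
SAMPLE_MAIL = """<html><body>
<p>You have not paid for item #4412.
<a href="http://auction-example.com.verify-login.example.net/pay">Pay now</a>.</p>
<p>Or visit <a href="http://203.0.113.45/login">www.auction-example.com</a>
to respond to the dispute raised against you.</p>
<p>Questions? See our <a href="https://help.auction-example.com/faq">help center</a>.</p>
</body></html>"""

if __name__ == "__main__":
    print("text/href mismatches:", mismatched_links(SAMPLE_MAIL))
    print("links off auction-example.com:",
          off_domain_links(SAMPLE_MAIL, "auction-example.com"))
```

Note that `same_site` compares registrable domains as suffixes, so `help.auction-example.com` passes while `auction-example.com.verify-login.example.net` does not: the claimed domain has to be the end of the host name, not merely appear somewhere in it.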

Shall we all write viruses to find the best antivirus?

A website called ConsumerReports.org today published an article (strangely, it was dated “September 2006”) about a test they conducted involving 5,500 artificially created virus samples.

There are several things here that do not seem right:

  1. It is claimed that created viruses were “the kind you’d most likely encounter in real life” which is, of course, something the testers cannot know.
  2. Creating new viruses for the purpose of testing and education is generally not considered a good idea - viruses can leak and cause real trouble (you can read an open letter on the AVIEN site about that).
  3. There is a more scientific way of measuring the real proactive detection of AV products on future malware - it is called “proactive testing” or “retrospective testing”. The idea is to measure, say, a 3-month-old AV product against real field viruses that appeared within those last 3 months. The discussion of the methodology of such tests can be found here, and some real test results with common AV products are on the AV-comparatives.org site.
  4. Objection #1, that ConsumerReports.org cannot know what viruses we are going to face in future could be moot as their testing team apparently invented a time machine and shifted themselves forward to September ;-) .

Worm threat to online gaming

McAfee Avert Labs has received several worms implemented in a scripting language called ‘Lua’ (see http://www.lua.org/). It is a free scripting language, the first version of which was released in 1994!

There are two things that make this an interesting development. Firstly, this language is widely used for online gaming (“World of Warcraft”, “Garry’s Mod”, “Illarion”, “Escape From Monkey Island”, “Daimonin” MMORPG and many others). The list of games using ‘Lua’ is quite long (see the full list of projects at http://www.lua.org/uses.html).

Secondly, two of the recently discovered worms were written to find and remove other ‘Lua’ worms! We saw the W32/Netsky and W32/Bagle families fighting each other in 2004, but we really hope that history will not repeat itself with worm wars in online gaming.

Some of the games execute ‘Lua’ scripts on the server side, which can potentially compromise the security of a server that thousands of users are connected to. Servers used for gaming are nearly always trusted to install and run programs on the client computers (game extensions and updates), thus paving the way for rapid deployment of malware should a server become infected.

Detection of all currently known ‘Lua’ worms is included in the latest DAT update. Avert Labs’ recommendation is to use updated AV, properly configure permissions and introduce file change-control, which is particularly important for all user-facing server systems.
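The file change-control recommended above is, at its simplest, a hashed baseline of the script directories a game server pushes to clients, re-checked on a schedule so that an altered or newly dropped script is noticed before the server distributes it. The following is an added example written for this archive, not code from the original post, from McAfee or from any game: `snapshot`, `compare` and `simulate_tamper` are names chosen here, and the scenario (a server script directory baselined, then a script appended to, a new script dropped and another removed) is constructed in a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(path for path in baseline
                      if path in current and baseline[path] != current[path])
    return {"added": added, "removed": removed, "modified": modified}


def simulate_tamper():
    """Constructed scenario: baseline a server's script tree, then alter it
    the way an unauthorized change would, and report what the check sees."""
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "scripts")
        os.makedirs(scripts)
        with open(os.path.join(scripts, "init.lua"), "w") as handle:
            handle.write("print('server init')\n")
        with open(os.path.join(scripts, "ui.lua"), "w") as handle:
            handle.write("-- ui helpers\n")
        baseline = snapshot(root)

        # Unauthorized changes: one script appended to, one dropped in, one deleted
        with open(os.path.join(scripts, "init.lua"), "a") as handle:
            handle.write("-- appended by an unreviewed change\n")
        with open(os.path.join(scripts, "extra.lua"), "w") as handle:
            handle.write("-- file that was never in the baseline\n")
        os.remove(os.path.join(scripts, "ui.lua"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in simulate_tamper().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
```

In production the baseline would be written to storage the server process cannot modify (a separate host, or a read-only share) and the comparison run from there; a baseline kept beside the files it protects is as exposed as they are.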

WMF exploit “wombles” up

McAfee Avert Labs has received samples of a new mass-mailing worm (see http://vil.nai.com/vil/content/v_140497.htm). What makes it noteworthy is that this worm sometimes sends itself as a usual binary zipped attachment, but sometimes mass-mails out Exploit-WMF with itself inside (zipped or non-zipped). The worm is packed inside a modified UPX container and is 78,336 bytes long.

The now-ubiquitous WMF exploit first appeared in December 2005, and since then it has been one of the most common attack vectors for home users. McAfee AV products have provided proactive detection of known malformed WMF files that can exploit the WMF vulnerability.

SMiShing - an emerging threat vector

Some cell phone users have started receiving SMS messages along these lines: “We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com”. (This is an example and was not a real URL at the time of writing.)

This phenomenon, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are increasingly being used by perpetrators of malware, viruses and scams.

While some might recognize this as a scam, many unsuspecting users would not. Fearful of incurring premium rates on their cell phone bill, they visit the website highlighted in the message. Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can be used to launch denial-of-service attacks, install keylogging software, steal personal account information and carry out other malicious activities. Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem.

Imagine the threat to enterprise networks once hackers learn how to fully exploit SMiShing techniques. Most large enterprises have thousands of employees using a variety of devices to access their networks. Despite their best efforts to issue safety guidelines, IT security staff cannot control human behaviour, especially given that mobile users have not (yet) learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks.

Enterprises would be wise to keep a close eye on this issue and think about policies for securing their mobile devices ahead of time, rather than playing catch up when it hits them, and begin to educate their employees about the potential risk now.

School of Smish

Only a little while ago we were discussing the possibility of someone taking the techniques of phishing by email and porting them to SMS. SMiShing instead of phishing.

While the name is catchy, don’t be misled, it’s actually based on a real event. A number of SMS messages were sent out to users in Iceland and Australia telling them they would be charged $2 a day for membership on a dating website. Victims attempting to “unsubscribe” from the site and daily charge get their computers infected with a backdoor trojan. The South Australia Office of Consumer and Business Affairs (OCBA) even put out a warning to consumers about the scam.

Considering that this Smishing event occurred a few months ago with nothing since, one might reasonably relax. We at McAfee Avert Labs would agree with you, except that we’ve just received a sample of a mass-mailing worm that performs a Smishing attack: VBS/Eliles.A.

This is a standard VBS worm that skips the loading of a backdoor trojan and simply opens a backdoor on the victim's system. Most of the code is in Spanish, with a few comments in German. That incongruity, along with variations in the coding style of the various internal functions, implies that this worm is composed from disparate sources. Very script kiddie.

The interesting part is that it includes a routine to send Smishing messages to users of two Mobile Phone providers in Spain. Rather than calculating random IP addresses to send messages, this worm generates phone numbers within the ranges used by mobile phones. Eliles.A sends its smish message free of charge through the mobile phone providers’ SMS-email gateways.

Unlike the previous smishing episode, Eliles.A does not use the error in billing ploy. Instead this worm tries to be helpful by offering the victim free “antivirus” software for their phone, supposedly from their mobile phone provider. The smishing message specifically targets Nokia Series 60 phones. Users that download and install the software from the link in the SMS find themselves infected with malware. Fortunately, the download link is now dead.

We were startled to see a smishing attack turn up in a simple mass mailing worm. A malware writer who spends time researching a new attack will usually write custom code for it rather than reuse someone else’s code. Over time the attack gets packaged into standard routines and eventually included in the script kiddie’s toolbox. The transition from brand new to script kiddie use can take months. This is the malware equivalent of finding a machine gun in the stone age.

The genie is out of the bottle with regard to smishing. Now that the script kiddies are involved, we’re bound to see a rise in the numbers of smishing attempts in the coming months. So much for relaxation.