Archive for September, 2007

Did We Waste Billions Building File Anti-Virus Scanners?

Well, Joanna Rutkowska, in this “short philosophical comment” claims exactly that. Joanna believes that digitally signing all executables would have been a much more “elegant” solution than building file Anti-Virus scanners. In fact, she goes on to claim:

“I hear all the counter arguments: that many programs out there are still not digitally signed, that users are too stupid to decide which certificates to trust, that sometimes the bad guys might be able to obtain a legitimate certificate, etc… But all those minor problems can be solved and probably will eventually be solved in the coming years. Moreover, solving all those problems will probably cost much less than all the research on file infectors cost over the last 20 years. But that also means no money for the A/V vendors.”

What exactly are you saying here Joanna? It sounds a bit like you’re saying Anti-Virus vendors have concocted an elaborate conspiracy over the past couple of decades to extort innocent users! I don’t think you have to be a security industry insider to recognize the insanity of this accusation.

Let’s for a moment set aside the historical background: file Anti-Virus scanners were born at a time when computing infrastructure couldn’t support widespread adoption of digitally signed executables. Let’s even ignore how these scanners organically evolved into what they are today, adapting every step of the way to protect users from the latest threats. We could also leave out how, for the past couple of decades, billions of users all over the world have enjoyed a safer computing environment made possible by these solutions. We’ll just take a look at what’s involved in relying entirely on digitally signed executables in a world without fancy-schmancy file Anti-Virus scanners.

To do that, we have to imagine a world where all executable content can be digitally signed, not just some types of executable files (as is the case today). We could also imagine a utopia where every producer of executable files signs their own executables. And of course, every producer in this reality is one we know and trust to have our best interests at heart. Would this actually be a world where we could put our old faithful file Anti-Virus scanner to rest?

There are literally millions of executable files out there, from various vendors. These vendors range from multi-billion dollar corporations with hefty security budgets to the most humble open source projects with virtually no spare resources to divert towards securing their infrastructure. As long as we know that the executable content came from one of these vendors (who we’ve assumed wish nothing but the best for us), can we be sure it’s safe? Are we really willing to assume that security at these vendors is so impenetrable that bad guys couldn’t possibly have tampered with the content at the production end? A signature proves only who signed the file, not that the file is benign. With Joanna’s “elegant” solution, all a cybercriminal needs to do is compromise an application vendor and produce an infected binary signed with the vendor’s certificate, and voilà! Users will trust the signature and run the executable without asking any questions. In fact, the cybercriminal doesn’t even have to spend time developing new malware, because the old malware will work just fine. There are no file Anti-Virus scanners anywhere to identify the infection, after all! Yes, in one word, ridiculous.

Even in the highly unlikely utopian reality we imagined for the sake of the argument, it is clear that Joanna’s “elegant” solution is in fact far from a solution. Besides, file Anti-Virus scanners are increasingly being augmented by cutting-edge behavioral scanners that protect users from “malicious intent” no matter where the executable content comes from. I personally prefer a world where my client security infrastructure protects my computing environment from malicious activity, rather than one that asks me to place my trust in hundreds of external sources and assume all is well.

I have much respect for Joanna’s technical abilities. However, I think as responsible security professionals, we all need to stay focused on protecting users from digital threats.

Labor Day gift from Nuwar!

W32/Nuwar, aka the Storm worm, has relentlessly flooded Internet users with ever-changing email campaigns ever since its debut in November 2006. The Storm worm authors have an uncanny knack for using sensationalist themes that draw public attention, and the morbid curiosity this generates has made it the most blogged-about piece of malware this year!

The latest campaign is an HTML formatted email using the Labor Day theme, inviting users to view an online greeting card. A copy of the spammed email is as follows:

Copy of Spammed Email.

The authors have used HTML anchor tags to mask the greeting card link so that an unsuspecting user does not notice that it actually points to a malicious IP address: the visible link text looks harmless while the href attribute carries the real destination. Hovering the mouse over the disguised link is a quick and dirty way to reveal the real destination address. Users who fall for this bait are directed to the following Happy Labor Day page.

Happy Labor Day bait page.
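As an added illustration (example code written for this page, not part of the original post, and not the actual Nuwar email), the following Python script performs the “hover check” programmatically: it parses the anchor tags out of an HTML message and flags links whose href points at a raw IP address, or whose visible text names one host while the href goes to another. The sample message, hostnames and addresses in it are constructed for this example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the real Storm/Nuwar mail): a greeting-card lure
# whose visible link text names a friendly site while the href is a raw IP.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>You have received a Labor Day greeting card!</p>
<p>Click here to view it:
<a href="http://203.0.113.45/">http://www.greetingcards.example/labor-day/</a></p>
<p>Or visit <a href="http://www.greetingcards.example/">www.greetingcards.example</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Hostname implied by a URL or bare host string, lower-cased, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_disguised_links(html):
    """Return a list of suspicious anchors, each with the reasons it was flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        dest_host = _host_of(href)
        # Only compare hosts when the visible text itself looks like a URL/hostname.
        looks_like_host = re.search(r"[\w-]+\.[a-z]{2,}", text, re.I) is not None
        shown_host = _host_of(text) if looks_like_host else None
        reasons = []
        if dest_host and _is_ip(dest_host):
            reasons.append("href points at a raw IP address")
        if shown_host and dest_host and shown_host != dest_host:
            reasons.append(f"visible text names {shown_host} but href goes to {dest_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_disguised_links(SAMPLE_EMAIL_HTML):
        print(hit["href"], "<-", hit["text"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The hostname comparison is deliberately strict (exact match); a production mail filter would also want to treat look-alike hosts and subdomains of the displayed name specially, but the raw-IP check alone would have caught this campaign.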

Everything looks hunky-dory, except that an unsuspecting user is served an XOR-obfuscated exploit cocktail in the background. In addition to the usual Microsoft exploits, QuickTime and WinZip buffer overflow exploits are also attempted against the user’s machine. Given the slim likelihood that third-party applications on a user’s machine are up to date, this increases the attacker’s chances of successful exploitation, especially since most applications do not support automated updates and it is left to users to first find out whether they have a vulnerable version of the application and then manually patch it.

Enterprise customers have the bandwidth and resources to ensure every machine on the corporate network is fully patched. It is usually home consumers, the low-hanging fruit, who fall prey to these tactics. Users wanting to check whether third-party applications on their systems are vulnerable can use a free online resource, the Secunia Software Inspector. Happy Patching :D

Mobile reunion: Hackers and Banks

Recently the website of the Bank of India was attacked and used to distribute malware. If there’s one site you’re likely to trust, it’s your bank’s site. Phishing (and smishing, its SMS counterpart) takes advantage of this trust to separate you from your login information and/or your money.

Online banking is already under attack by crooks, and they are also likely turning their eyes toward mobile banking. McAfee Avert Labs has been following mobile payment and mobile banking security for quite a while. We’ve also seen how mobile Internet sites (WAP) and the newly created .mobi domain can be used for malware distribution.

Apart from dedicated mobile banking sites, banks are using Transaction Authorization Codes sent by text messaging(SMS) to add an extra layer of security to online banking. Transaction Authorization Codes are used by a number of banks in Asia.

Transaction Authorization Codes: How they work

Transaction Authorization Codes (TACs) are single- or multiple-use passwords. TACs are only required for certain transactions, such as money transfers or setting up automatic bill payments. The codes are usually valid for two hours after they’re issued. To make things easier for customers, it’s common for banks to allow multiple transactions to be made with the same TAC.

Figure 1
1. Mr. Blue wishes to setup automatic bill payment for his utility bill. He requests a TAC from his bank, Green Bank.

2. Green Bank sends the TAC to Mr. Blue’s cellphone via SMS.

3. Mr. Blue can now setup payments for his utility bill.

What can go wrong

Figure 2
1. Mr. Blue is tricked into following a link to a malicious site with his mobile browser. The malicious site convinces Mr. Blue to install mobile spyware such as SymbOS/Mobispy.A. The site, belonging to Mr. Red, also fools Mr. Blue into entering his bank account information.

2. Later on, Mr. Blue visits Green Bank’s site and requests a TAC. Green Bank sends the TAC by SMS. The spyware forwards a copy of the TAC to Mr. Red.

3. Mr. Blue performs a transaction requiring a TAC. Because the same TAC is accepted for multiple transactions, Mr. Red uses it to transfer money from Mr. Blue’s account to his own.
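To make the reuse problem concrete, here is an added Python model of the two figures (example code written for this page, not something Green Bank or McAfee published). ReusableTacBank follows the scheme described above: one code, valid for two hours, accepted for any number of transactions from the account. BoundTacBank is an assumption of this example, not a scheme the post describes: it derives the code from the transaction details and consumes it on first use, so the copy captured by Mr. Red’s spyware is useless for a transfer to a different payee. Account names, payees, amounts and the bank secret are made up.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TAC_LIFETIME_SECONDS = 2 * 60 * 60  # the two-hour validity described in the post


@dataclass
class Transaction:
    account: str   # account being debited
    payee: str     # beneficiary
    amount: int    # whole currency units


class ReusableTacBank:
    """Figure 1 as described: one TAC per account, valid for two hours,
    accepted for any number of transactions in that window."""

    def __init__(self):
        self._issued = {}   # account -> (code, issued_at)
        self.ledger = []    # transactions the bank actually executed

    def request_tac(self, tx, now):
        # The payee and amount are ignored: the code is tied only to the account.
        code = f"{secrets.randbelow(10**6):06d}"
        self._issued[tx.account] = (code, now)
        return code         # "sent by SMS" (and, in Figure 2, seen by the spyware)

    def submit(self, tx, code, now):
        issued = self._issued.get(tx.account)
        if issued is None:
            return False
        expected, issued_at = issued
        if now - issued_at > TAC_LIFETIME_SECONDS:
            return False
        if not hmac.compare_digest(code, expected):
            return False
        self.ledger.append(tx)   # note: the code stays valid afterwards
        return True


class BoundTacBank(ReusableTacBank):
    """Hardened variant (assumption of this example, not from the post):
    the code is an HMAC over account|payee|amount|nonce and is consumed on use."""

    def __init__(self):
        super().__init__()
        self._secret = secrets.token_bytes(32)   # hypothetical bank-side key

    def _derive(self, tx, nonce):
        msg = f"{tx.account}|{tx.payee}|{tx.amount}|{nonce}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def request_tac(self, tx, now):
        nonce = secrets.token_hex(8)
        self._issued[tx.account] = (nonce, now)
        # The SMS should also state payee and amount so the customer can check them.
        return self._derive(tx, nonce)

    def submit(self, tx, code, now):
        issued = self._issued.get(tx.account)
        if issued is None:
            return False
        nonce, issued_at = issued
        if now - issued_at > TAC_LIFETIME_SECONDS:
            return False
        if not hmac.compare_digest(code, self._derive(tx, nonce)):
            return False
        del self._issued[tx.account]   # single use
        self.ledger.append(tx)
        return True


def run_scenario(bank_cls):
    """Replay Figure 2 against a bank class; return the payees that got paid."""
    bank = bank_cls()
    t0 = 0
    blue_tx = Transaction("blue-001", "utility-co", 120)   # Mr. Blue's bill payment
    red_tx = Transaction("blue-001", "red-999", 5000)      # Mr. Red's transfer to himself
    code = bank.request_tac(blue_tx, t0)   # step 2: SMS sent, copy reaches Mr. Red
    bank.submit(blue_tx, code, t0 + 60)    # step 3: legitimate transaction
    bank.submit(red_tx, code, t0 + 120)    # step 3: Mr. Red replays the same TAC
    return [tx.payee for tx in bank.ledger]


if __name__ == "__main__":
    print("reusable TAC:", run_scenario(ReusableTacBank))   # Mr. Red gets paid
    print("bound TAC:   ", run_scenario(BoundTacBank))      # replay rejected
```

Binding the code to the transaction only helps if the SMS also shows the payee and amount that were bound, so that a customer who is shown one transaction on a compromised device and asked to approve another can notice the difference.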

Banks have been active in creating user-friendly mobile banking sites. Many services are promoted as accessible on both smart phones and ordinary cell phones. As computer criminals expand their reach towards mobile banking, McAfee recommends:

  • Individuals should never allow their phone out of their control and always use a PIN code with their phone.
  • Banks are advised to discuss the above scenarios and current level of device and service protection with carriers.
  • Mobile carriers should consider protection for all devices that can access mobile internet services.

The closure of Soft Ice!

Maybe this is old news to some people, but I just learned that Compuware will no longer continue the development of NuMega SoftICE. http://biz.yahoo.com/prnews/070611/clm093.html

From 1988 through 2003, I used SoftICE almost daily. Without SoftICE I do not know where I would have been in my career. I purchased almost every single release of SoftICE. I still have at least four or five boxes of SoftICE and also DriverWorks. I and other people did many magical things to Windows systems (DOS, Windows 3.1, Windows 95, Windows Millennium, Windows NT 3.1, Windows NT 4.5, and Windows 2000) using SoftICE. SoftICE will be greatly missed.

Certainly, SoftICE will remain the most powerful debugger ever built for personal computer systems. It was the only debugger that allowed us to do live kernel debugging on the same machine just by pressing Ctrl+D. I still miss those days when I had two monitors connected to my computer: one CGA/EGA monitor connected to a CGA/EGA card for SoftICE output and another VGA monitor connected to the VGA card for the regular Windows output.

Not sure how many people today will miss SoftICE as much as I do, but SoftICE certainly inspired many generations of personal computer system programmers, and computer hackers as well :-) . Nowadays everyone uses WinDbg which, IMHO, is far less capable than SoftICE.

More than ten years ago, kernel debugging using WinDbg was very painful, as it required two machines connected to each other via a null modem cable. In those days, SoftICE was the only option for live kernel debugging on the same system. SoftICE had a rich set of debugging commands for debugging device drivers as well as the windowing system. Nowadays kernel debugging and reverse engineering seem easier using a virtual environment like VMware Workstation or Virtual PC, and Microsoft made the Windows public symbols available a couple of years ago, so reverse engineering is simpler these days. Nonetheless, there is nothing like the magic of hitting Ctrl+D and jumping immediately into the kernel debugger.

I can only wish that Compuware turns SoftICE into an open source project so that it does not die completely.

The corridors of the Rugby World Cup

The Rugby World Cup is the premier international rugby union competition. It is a major event in France, where we support the blue shirts of our national team. Today is the first match! The opening game sees hosts France take on Argentina in Paris, while Ireland’s first clash will be against Namibia on Sunday.

This morning the well-known French online news site Zataz reported that this event had attracted the interest of a Turkish hacker, who broke into the website of a French car manufacturer sponsoring the tournament, perhaps hoping to find some tickets for himself or for resale.

An anonymous correspondent gave the reporter screenshots hosted on a US server. They showed that the intruder, nicknamed Turkish Defacer, was able to access the identities, e-mail addresses and electronic tickets of the 288 VIP guests the sponsor had invited.

The collected data (the next two screenshots are from Zataz) were found on a UK server along with other pieces of banking information (branch, account number, etc.) from various French partners of one of the world’s largest steel producers.

Perhaps some cybercriminals love sports, but the money lure is never far away!

Spammers got a free pass?

Terry Zink has found a spammer that had a valid SPF record and managed to get his advertisement into Terry’s field of attention. I don’t buy the “not that it helps” bit, since it got as far as his blog ;) and, after all, anyone sending from this domain would get an SPF PASS when tested and would require further testing of its legitimacy and content.

Let me get back to my point: this is not an “odd” thing!…

Schalk did a study some time ago on SPF but neglected to point out one important statistic that Terry’s post reminded me about: nearly 9% of the SPF records in his study were +all records. An SPF record ending in +all means anyone can send email for the domain, and the study covered what we term “domains in focus” (basically domains that we’ve seen used fairly recently and kept an eye on). We’ve kept an eye on this sort of thing for a long time, since spammers were the first to adopt SPF, for obvious reasons (the +all loophole being the main one).

So for anyone that has got this far and doesn’t see the point yet… +all SPF records mean “I don’t care” :evil:

I firmly believe that not enough domain owners publish SPF records, so here is a quick guide to SPF for the little guy (all you big companies already have them, right?).

Situation 1 – Your domain is hosted on a cPanel account (other $5/month hosting products are available) or you’re a single-server company handling your own inbound mail:

"v=spf1 mx -all"

This SPF record says: Only my mail server (the hosts listed in my domain’s MX records) can send mail for my domain; everything else should be rejected (-all).

Situation 2 – Mail is routed out (smarthosted) by your ISP:

"v=spf1 mx a:smtp.example.com -all"

This SPF record says: Only my mail server and the host smtp.example.com can send mail for my domain.
or

"v=spf1 mx ip4:172.16.25.25 -all"

This SPF record says: Only my mail server and the host with the IP address 172.16.25.25 can send mail for my domain.
or

"v=spf1 mx include:example.com -all"

This SPF record says: Only my mail server and any host that passes example.com’s SPF record can send mail for my domain. (Note that redirect is a modifier written redirect=example.com, not a mechanism, and it is ignored when the record already contains an all mechanism, so include: is the right tool here.)

So there you go. That’s how you can help protect your domain from being forged by spammers. All we need to do now is have the rest of the world check them, shoot anyone with a +all record, and convince the online auction and payment processing sites to make theirs less broken so that it actually works too (RFC 4408, 10.1/6) ;-) .
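As an added worked example (not code from the original post), the following Python evaluates a sending IP against the kinds of records given above and lints records that end in +all or ?all. The stub resolver stands in for real DNS and is an assumption of this example, as are the domain names and addresses in it. Only ip4, a, mx, include, all and the redirect= modifier are modelled; any other mechanism returns permerror so that the gap is visible rather than silently passed.

```python
import ipaddress

# Constructed stub resolver standing in for real DNS lookups (assumption of
# this example): domain -> {"txt": [...], "a": [...], "mx": [...]}.
STUB_DNS = {
    "little-guy.example": {"txt": ["v=spf1 mx -all"], "mx": ["mail.little-guy.example"]},
    "mail.little-guy.example": {"a": ["192.0.2.10"]},
    "smarthosted.example": {"txt": ["v=spf1 mx a:smtp.example.com -all"],
                            "mx": ["mail.smarthosted.example"]},
    "mail.smarthosted.example": {"a": ["192.0.2.20"]},
    "smtp.example.com": {"a": ["198.51.100.5"]},
    "example.com": {"txt": ["v=spf1 ip4:198.51.100.0/24 -all"], "mx": []},
    "included.example": {"txt": ["v=spf1 mx include:example.com -all"], "mx": []},
    "redirected.example": {"txt": ["v=spf1 redirect=example.com"]},
    "dontcare.example": {"txt": ["v=spf1 mx +all"], "mx": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(domain, rrtype):
    return STUB_DNS.get(domain, {}).get(rrtype, [])


def get_spf_record(domain):
    """Exactly one v=spf1 TXT record is required; otherwise treat as none."""
    records = [t for t in lookup(domain, "txt") if t.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def _host_ips(domain):
    return [ipaddress.ip_address(ip) for ip in lookup(domain, "a")]


def check_host(ip, domain, depth=0):
    """Minimal RFC 4408 check_host(): first matching mechanism decides."""
    if depth > 10:                      # crude stand-in for the lookup limit
        return "permerror"
    record = get_spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in _host_ips(arg or domain)
        elif name == "mx":
            matched = any(ip in _host_ips(mx) for mx in lookup(arg or domain, "mx"))
        elif name == "include":
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"          # ip6, exists, ptr: not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                        # only reached when no "all" was present
        return check_host(str(ip), redirect, depth + 1)
    return "neutral"


def lint_spf(record):
    """Flag records whose all mechanism authorises every sender (+all or ?all)."""
    for term in record.split()[1:]:
        q, name = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if name.lower() == "all" and q in "+?":
            return f"'{term}' means any host may send for this domain"
    return None


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "little-guy.example"),
                       ("203.0.113.7", "little-guy.example"),
                       ("198.51.100.5", "smarthosted.example"),
                       ("203.0.113.7", "dontcare.example")]:
        print(f"{ip:>14} {domain:<22} {check_host(ip, domain)}")
    for domain in STUB_DNS:
        rec = get_spf_record(domain)
        if rec and lint_spf(rec):
            print(domain, "->", lint_spf(rec))
```

The lint is the part worth running over your own zone: a record that ends in +all or ?all gives a PASS or NEUTRAL to the spammer’s host just as readily as to yours, which is exactly the loophole the 9% figure above describes.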

W32/Pykse.worm: Skype worm strikes with Bubbles!!

Last year, McAfee Avert Labs predicted an increase in malware targeting VoIP, particularly Skype, given that Skype’s APIs are well documented in its SDK. With Skype becoming increasingly popular, it is an attractive target for malware authors.

The W32/Stration family of worms, which started out as a mass-mailing family, later used IM with reasonable success to spread. Skype was the first IM protocol targeted by this worm, followed by MSN and ICQ.

As predicted, McAfee Avert Labs has recently received multiple submissions of W32/Pykse.worm.b spreading via Skype. This worm uses clever social engineering to spread via Skype chat messages.

Upon execution on the victim’s machine, it opens “soap bubbles.bmp” from the default Windows directory to make the user believe they ran an image file.

Bubbles

In the meantime, the worm changes the Skype status to “Do Not Disturb” and starts sending messages to everyone in the Skype contact list without the user’s knowledge. One of the messages sent is a URL pointing to a copy of the worm. The following screenshot shows the chat messages used as bait by this worm.

Chat messages sent by the worm

This worm can also prevent security-related tools and programs from being launched, and it modifies the hosts file to prevent access to Anti-Virus websites.
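A quick, added check for the hosts-file trick (example code written for this page, not from McAfee or from the worm analysis): parse the hosts file and report any entry that pins a security vendor’s domain to an address. Pointing such a name at loopback or 0.0.0.0 black-holes it; pointing it anywhere else redirects the user to a host the attacker chooses. The sample hosts content and the list of watched domains are constructed for this example; on a real machine you would read %SystemRoot%\System32\drivers\etc\hosts instead.

```python
import ipaddress

# Constructed sample hosts file (not taken from a Pykse sample): a normal
# localhost line plus the kind of entries a worm adds to block AV sites.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.mcafee.com
127.0.0.1       vil.nai.com   # added by malware
0.0.0.0         update.symantec.example
192.0.2.55      www.avp.example
"""

# Hypothetical watch list for this example; extend with your own vendors.
WATCHED_SUFFIXES = ("mcafee.com", "nai.com", "symantec.example", "avp.example")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                       # malformed line, ignore
        for name in parts[1:]:
            yield ip, name.lower()


def find_hijacked_entries(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip, kind) for watched domains pinned in the hosts file.

    kind is "blackholed" for loopback/unspecified targets and "redirected"
    for anything else; a legitimate hosts file normally contains neither."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if any(name == s or name.endswith("." + s) for s in watched):
            kind = "blackholed" if ip.is_loopback or ip.is_unspecified else "redirected"
            hits.append((name, str(ip), kind))
    return hits


if __name__ == "__main__":
    for name, ip, kind in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{kind:<11} {name:<28} -> {ip}")
```

The same parser, pointed at the live hosts file, is a cheap detection to run from a scheduled task: the file should almost never contain security vendor names, so any hit is worth an alert.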

The following image shows the APIs used by the worm to spread via Skype.

Skype APIs used by the worm

More information on this threat can be viewed at our virus information library.
http://vil.nai.com/vil/content/v_143083.htm

MS Patch Tuesday Podcast Available from AudioParasitics

Today we released the first of our new MS Tuesday podcasts from AudioParasitics! Instead of focusing on coverage or product statements, in these podcasts we will be discussing and dissecting the vulnerabilities themselves. During this episode Jim Walter, Craig Schmugar and I discuss the MSN Messenger and Microsoft Agent vulnerabilities. We cover the possibilities for use in exploitation, developing IM threat trends and forced upgrades, along with our usual banter.

For those of you who are already subscribed to our podcast you will automatically receive it. For those who are not yet subscribed, there is no better time! Available through the following:

iTunes, EveryZing, AudioParasitics, RSSFeed

Microsoft forces update for MSN Messenger issue, leaves patching three others to you.

Today Microsoft patched four vulnerabilities. You have no choice other than to accept the patch for the vulnerability in MSN Messenger, since the service is not available otherwise. This particular vulnerability was disclosed back in January, so attackers did have time to exploit it, but we never became aware of any active exploitation.

Of the remaining three vulnerabilities, the one in Microsoft Agent is rated critical but only affects Windows 2000 SP4. The other two, both rated important, relate to a Crystal Reports component in Visual Studio and to Windows Services for UNIX.

Think this month was boring? Look at the graph below. Traditionally September contains fewer patches, followed by an uptick in the fall, so stay prepared!

Critical and important vulnerabilities addressed by Microsoft

Stuck between a rock and a virtual place?

There are two trends which seem to be heading for an inevitable conflict.

  • increasing use of virtualization in the market place
  • increasing detection of debuggers and virtual environments by malcode

Virtualization, while once relatively small, is expanding in the marketplace, driven by cost cutting, affordability, and disaster recovery, to name just a few. Large players (VMware, IBM, Microsoft, and others) are offering competing platforms to serve customer need. Public information and general interest lead one to believe in a moderate rate of adoption.

On the other hand, malware is often packed with anti-VM technologies (e.g. Themida) or carries code to detect the virtual environment (e.g. Nuwar) and then exits. This has been generally increasing, in an attempt to frustrate security researchers, who find virtual machines a convenient way to analyse malware quickly.

VM technologies present their own security hurdles in the future, but in the short term these trends probably make virtual machines more secure (at least from a malware perspective) than physical ones. These trends will eventually force malware authors to make a decision: write code to make it harder for security researchers to analyse, or expand platform support to virtual environments.