<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight &#187; Malware</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/tag/malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Thu, 02 Feb 2012 15:57:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Malware Hits U.S. AFB Where UAV Missions Are Flown</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/10/07/malware-hits-us-afb-where-uav-missions-are-flown/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/10/07/malware-hits-us-afb-where-uav-missions-are-flown/#comments</comments>
		<pubDate>Fri, 07 Oct 2011 19:45:40 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=765</guid>
		<description><![CDATA[Apparently, a U.S. military installation where pilots command the U.S. military&#8217;s UAVs (Unmanned Aerial Vehicles), Creech AFB in Nevada, has been infected by a virus. The virus is apparently logging keystrokes but is not interfering with the pilots&#8217; ability to continue performing the UAV missions. That&#8217;s the good news. The bad news is the base &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/10/07/malware-hits-us-afb-where-uav-missions-are-flown/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Apparently, a U.S. military installation where pilots command the U.S. military&#8217;s UAVs (Unmanned Aerial Vehicles), Creech AFB in Nevada, <a href="http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/" title="Wired.com" target="_blank">has been infected by a virus</a>.  The virus is apparently logging keystrokes but is not interfering with the pilots&#8217; ability to continue performing the UAV missions.  That&#8217;s the good news.  The bad news is the base IT personnel have been unable to clean the computers without wiping the hard drives and starting from scratch.<span id="more-765"></span></p>
<p>The Wired article linked above contains this quote: &#8220;We keep wiping it off, and it keeps coming back.&#8221;  That statement suggests one of two things to me: either the malware has installed a rootkit deep into the operating system&#8217;s kernel, in which case cleaning the PC with standard tools will do you no good, or the malware is spreading on the network and the IT personnel have failed to find (and patch) the vulnerability that it is exploiting to do so.</p>
<p>Either way, I&#8217;d hate to be those IT guys right now.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Brett Edgar' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='Brett Edgar'>Brett Edgar</a></h3><p>Brett is a Founder and the Director of Managed Security Services at TRUE.  He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003.  He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver.  He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.</p><p><a href='lairofthewalrus' title='Brett Edgar on Twitter'>Twitter</a> - <a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='More posts by Brett Edgar'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/10/07/malware-hits-us-afb-where-uav-missions-are-flown/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ransomware Becoming More Common</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/09/19/ransomware-becoming-more-common/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/09/19/ransomware-becoming-more-common/#comments</comments>
		<pubDate>Mon, 19 Sep 2011 13:00:12 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security Awareness & Training]]></category>
		<category><![CDATA[Ransomware]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=653</guid>
		<description><![CDATA[Just about everyone with an Internet connection has heard the term &#8220;malware.&#8221;  Even most home users (my dear old dad included) have heard the term &#8220;spyware,&#8221; even if they aren&#8217;t sure what it means. But have you heard of &#8220;ransomware&#8221;? Get ready, I&#8217;ve got a feeling it&#8217;s going to be the &#8220;next big (bad) thing&#8221; &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/09/19/ransomware-becoming-more-common/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Just about everyone with an Internet connection has heard the term &#8220;malware.&#8221;  Even most home users (my dear old dad included) have heard the term &#8220;spyware,&#8221; even if they aren&#8217;t sure what it means. But have you heard of &#8220;ransomware&#8221;? Get ready, I&#8217;ve got a feeling it&#8217;s going to be the &#8220;next big (bad) thing&#8221; on the Internet.<span id="more-653"></span></p>
<p><a title="Wikipedia article on Ransomware" href="http://en.wikipedia.org/wiki/Ransomware_%28malware%29" target="_blank">Ransomware</a> is a type of malware that attempts to extort money from the users it infects.  One of the first samples of ransomware was the <a title="AIDS Trojan/PC Cyborg" href="http://en.wikipedia.org/wiki/AIDS_%28trojan_horse%29" target="_blank">AIDS Virus</a> in the late 1980s.  The virus would encrypt and hide disk contents and then ask the user to pay $189 to &#8220;license&#8221; the decryption software.  It has only been in the last half-decade or so that ransomware has been becoming more prevalent on the Internet.</p>
<p>A new Trojan is now making its way around the usual social-networking sites.  Kaspersky Labs is calling it Trojan.Win32.Agent.ARVP.  This little guy is apparently Russian-language only at the moment, but it attempts to extort 500 rubles (equivalent to about $17 US) out of the user by claiming that it will forward child-pornography evidence to the authorities.  There&#8217;s really nothing new about this trojan&#8211;using the threat of pornography is certainly not a new concept for ransomware.  However, it is spreading via social networking, and is a very quick translation away from targeting the English-speaking world.</p>
<p>Many users in the corporate world will likely be afraid (or at least hesitant) to report an infection of this ransomware due to the potential HR ramifications of being the user of a computer that may contain pornography.  The pornography threat is likely an empty threat, but it&#8217;s enough to give users pause&#8230;</p>
<p>I suggest that corporate CISOs send a monthly e-mail to all users reminding them of the necessity of reporting any suspicious behavior on their workstations immediately.  The same e-mail should include a short discussion of ransomware and make it clear that such malware often uses the threat of pornography to scare users, and that even if the malware happened to drop adult content on the computer, the user would not be held liable for the presence of dropped content.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/09/19/ransomware-becoming-more-common/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why spyware IDS alerts are useful</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/#comments</comments>
		<pubDate>Thu, 21 May 2009 14:52:44 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=210</guid>
		<description><![CDATA[As you may know, our company provides 24&#215;7 Network Security Monitoring services to many customers.  Our clients vary widely in size, industry, and information security maturity.   Even so, we see many similar successes, failures, and trends in security monitoring alerts between these customers.  Spyware infections tend to be a significant number of the incident reports we &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As you may know, our company provides 24&#215;7 Network Security Monitoring services to many customers.  Our clients vary widely in size, industry, and information security maturity.   Even so, we see many similar successes, failures, and trends in security monitoring alerts between these customers.  Spyware infections tend to be a significant number of the incident reports we generate.  Today, I would like to write about the reason spyware alerts are a threat to your organization, why you should take them seriously and respond in a timely manner, and what you can do to decrease these incidents on your network.</p>
<p>The danger of spyware is two-fold.   First, it indicates a deficiency on the part of the user in general information security knowledge and in specific corporate information security policies.  A spyware infection means that the user likely installed unapproved software on his/her system.  Perhaps the user was doing non-business related web surfing and found the &#8220;Totally Awesome Change Your Life Toolbar&#8221; from hAcme Software, Inc.  Or maybe the user was tricked into installing this software via social engineering.  (&#8220;Click here to install a media player to see Jane E. Celebrity in a bikini!&#8221;)  Either way, the user was not aware of the dangers of his/her actions with respect to information security and with respect to corporate security policies.  (You do have policies defining acceptable use of corporate information resources and punishment for misuse, right?)</p>
<p>The second danger (related to the first&#8211;in fact, the first is a consequence of the second, so maybe I should have reversed these points&#8211;oh well) indicated by a spyware infection is that the user has sufficient rights to execute unapproved software on his/her system that can modify his/her settings and hijack information.  With these rights the user may be delivered and subsequently execute much more damaging malware that exfiltrates personal and/or corporate information or receives and executes instructions from external attackers.  This malware may be delivered by the spyware itself.  Regardless of how it is delivered, your organization has a problem, and it needs to be fixed.</p>
<p>For these two reasons above you should take spyware infections seriously and respond to them in a timely manner.  But what can you do to limit future infections?</p>
<ol>
<li>Limit user rights.  Do not make them a member of the local Administrator or Power Users groups.  If you have applications that require Administrator privileges to run (QuickBooks, I&#8217;m looking in your direction), get rid of them.  That is a poorly designed application and is likely going to have far worse flaws.</li>
<li>One word: Education.  Provide it to your users.  If you don&#8217;t have a sufficiently trained and knowledgeable employee who can teach one day classes on information security, there are plenty of companies that provide that service&#8211;and you won&#8217;t have to develop the curriculum.  Google is your friend, here.</li>
<li>Follow the hardening guidelines from <a title="Microsoft Security Compliance Management Toolkit Series" href="http://www.microsoft.com/downloads/details.aspx?familyid=5534BEE1-3CAD-4BF0-B92B-A8E545573A3E&amp;displaylang=en">Microsoft</a>, <a title="NIST FDCC Guidelines" href="http://nvd.nist.gov/fdcc/index.cfm">NIST</a> and <a title="NSA Security Configuration Guidelines" href="http://www.nsa.gov/ia/guidance/security_configuration_guides/">NSA</a> on how to secure your Windows systems and networks.</li>
<li>Use Group Policy or other enforcement mechanisms available from companies like Cisco, Symantec, etc., to whitelist applications.  Only applications listed in the whitelist can be executed by the user. Use Group Policy to disable all but a few approved Internet Explorer BHOs (Browser Helper Objects).  This will prevent a lot of the toolbar spyware software from infecting your systems.</li>
<li>Get serious about your corporate information security posture.  Convince upper management to dedicate sufficient time and money to sustaining a CISO position.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/21/why-spyware-ids-alerts-are-useful/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ugly pictures</title>
		<link>http://www.truedigitalsecurity.com/blog/2008/01/11/ugly-pictures/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2008/01/11/ugly-pictures/#comments</comments>
		<pubDate>Thu, 10 Jan 2008 21:55:49 +0000</pubDate>
		<dc:creator>Dominic Schulte</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[autoplay]]></category>
		<category><![CDATA[autorun]]></category>
		<category><![CDATA[digital picture frame]]></category>
		<category><![CDATA[tweak ui]]></category>

		<guid isPermaLink="false">http://blog.truedigitalsecurity.com/2008/01/11/ugly-pictures/</guid>
		<description><![CDATA[Did anyone notice this story on SecurityFocus? It&#8217;s an article describing a series of attempted malware infections that were first reported by the SANS Internet Storm Center over Christmas. Apparently, three people reported buying digital picture frames made by the same manufacturer from three different Sam&#8217;s Club stores. When plugged into a computer, the malware &#8230; <a href="http://www.truedigitalsecurity.com/blog/2008/01/11/ugly-pictures/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Did anyone notice <a href="http://www.securityfocus.com/news/11499/1" title="SecurityFocus Picture Frame Malware Article" target="_blank">this</a> story on SecurityFocus?  It&#8217;s an article describing a series of attempted malware infections that were first reported by the SANS Internet Storm Center over Christmas.  Apparently, three people reported buying digital picture frames made by the same manufacturer from three different Sam&#8217;s Club stores.  When plugged into a computer, the malware on the picture frames attempted to perform various nasty things.</p>
<p>This type of threat is likely to increase as more and more devices become digitally aware.  Your best bet for protecting yourself is to <a href="http://www.pcdoctor-guide.com/wordpress/?page_id=1546" title="How To Disable AutoPlay" target="_blank">disable the autorun feature</a> in Windows.  That way you can scan and examine the devices you attach to your computer before the malware they may be hosting has an opportunity to become a part of your digital life.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Dominic Schulte' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/dom-bw-1-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/deschulte/' title='Dominic Schulte'>Dominic Schulte</a></h3><p>Dominic Schulte currently serves as the Managing Director of Security Services &amp; Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2008/01/11/ugly-pictures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>