Security Watch

Malware Not Taking Hold

Heads shake to as why but nod to the results.

• By Russ Cooper
• 12/13/2004

It's interesting to see how many new pieces of malware are not getting anywhere. It's difficult to figure out why, as no single thing seems to account for it. It would be nice to believe that home users are getting more savvy about suspicious e-mails, but there's no reason—other than hope—to believe this is the case.

The use of more and improved heuristics could explain the situation, as most anti-virus products certainly are doing a better job of catching suspect stuff via heuristics.

Heuristics, which vary by anti-virus vendor, are intended to use artificial intelligence to look for signs that something may be malware. Generally they're not simple tests—for example, does a reference to the Filesystem Scripting Object exist?—but instead elaborate test sequences that result in an object being deemed unsafe. Once suspected, the object is then treated like known malware. Most installations, however, don't turn on heuristics by default.

ISPs are another possible contributor to the trend. Numerous large ISPs, like AOL, Earthlink, Cable Vision and NetZero have implemented more stringent security offerings for their customers. As large segments of the home user market become more protected, it stands to reason that malware won't spread as much.

On the other hand, the significant increase in the volume of unique pieces of malware should have made it more likely for some of it to make serious inroads. This hasn't happened, and we're scratching our heads to figure out why. Let's hope it lasts, whatever the reason.

Two new versions of cell-phone virus Cabir were announced. Expect to see these become a more significant issue next year, as there are significantly more cell-phones than PCs. So far the limiter has been the fact that these viruses only spread to one other phone each time the phone is turned on.

Hacking
Due to the way Apple has implemented Bash, a shell used in Mac OS X, it's possible to create a local root exploit if practically any Adobe product is installed. The Adobe products install with scripts that are suid (Set User ID to) root, and don't verify what they are processing, so you can use them to do pretty much anything you want.

A rather annoying vulnerability has been found in the new Windows XP SP2 popup blocker, which would allow a site to bypass its capabilities. If popups continue to be a popular mechanism, it wouldn't surprise me if we see sites switch to this new method. It's not so much that the popup blocker is vulnerable, as it doesn't attempt to prevent this new method from being used.

Denial of Service
Both Savis and Level 3, two of the larger Internet Service Providers in the U.S., were cited as having some problems last Wednesday, with between 40 percent and 80 percent packet loss. There was some speculation that it may have had something to do with a fire in Chicago.

I experienced a significant increase in TCP135 traffic around the same time. The spike I saw was about three times higher than normal, with a corresponding drop in TCP139 and 445 traffic. TCP135 is the RPC End Point Mapper port, a historically common port for worms. What I saw were attacks against random IP addresses. The spike was seen by other monitor points also, but no explanation has yet been made. We're watching for something new using that port.

Privacy/Governance
The Peer-to-Peer program Imesh installs a Web proxy from a company called Marketscore. The Marketscore caching Web proxy is touted as being an Internet accelerator. They also state "that we receive and gather additional data about you to develop anonymous market research reports that help Internet companies and others understand consumer preferences and purchase dynamics." They say they strip all personal information.

The thing I'm troubled by is the fact that they install their own Trusted Root Certificate. As such, they're able to monitor your SSL traffic. When you establish a connection with an SSL site, such as your bank, with the Marketscore tool installed, you actually trust the certificate of Marketscore, and not your bank. They establish the SSL session to the bank between the Marketscore proxy and the bank. This makes them privy to all the communications you believe are encrypted between you and your choice of SSL sites.

In my opinion, this is a practice which shouldn't be tolerated by a piece of software which is installed as part of another product's installation.

Last week the U.S. Congress approved the Intelligence Reform Bill. It now awaits approval by the president, although there may be additional changes to it when the House reconvenes next Jan. 4.

Among the potential outcomes from the bill is the possibility of a National ID card for U.S. citizens. If that happens, designating someone a terrorist becomes easier. Once designated as a terrorist, there is no need for probable cause or a warrant, and wire-tapping becomes easier. Some organizations, like the ACLU, believe there are insufficient counter-checks to ensure abuses don't occur. Under the Patriot Act, some ISPs and companies have been forced to turn over computer equipment and backups without being able to consult a lawyer. This bill is seen by some as extending the powers of the Patriot Act, and making it more powerful.