Sunday, April 20, 2008

Keeping an Eye on Malware

Major Server Malware Seeding Break

SANS-ISC Handlers Diary has a must-read article regarding The 10,000 web sites infection mystery solved.  If you recall, back in January, there was a rush of web sites being compromised with malware.  Visitors to these sites, who had vulnerable browsers or systems, would risk malware download and installation onto their systems.

Turns out the detectives finally got a break in the case.  Not only did they find yet another infected server, but this one contained the actual executable file being used to compromise the sites.

The article goes into depth looking at the utility and methods used.  Really fascinating dissection.

heiseSecurity provides a summary:

It's a Windows tool with a user interface in Chinese, and it uses the Google search engine to hunt for vulnerable servers on which it then carries out an SQL injection attack. This inserts an iframe that pushes the attacking code on visitors to the web pages affected.

The crafted iframe in the tool contains the link that turned up on a great many manipulated web sites in January. The attacks appear to be tailored to Microsoft SQL Server and Internet Information Server. According to the analyses by the ISC, the tool also contacts another server in China before attacking, apparently to trigger a payment procedure.

Top Threat Lists

One other story I found interesting was a quick dialog that got stirred up regarding the usefulness and end-value of "threat-lists."

These lists provided by many anti-virus/anti-malware fighting companies attempt to rank current security threats seen in the wild.

Aussie security company PC Tools CEO Simon Clausen is credited in a Techworld story by John Dunn with the following statement:

"Threat analysis is highly complex. There was a time when volume alone was an acceptable indicator of the level of threat. But the threat landscape has changed significantly, and there are a number of additional parameters, besides volume, which are equally, if not more important in identifying and classifying top threats," said PC Tools CEO Simon Clausen.

Somehow, in what seems like an otherwise straightforward and brief article discussing the merits and value of "threat-lists" for risk assessment, it appears an over-eager copy editor chose the following angry and baiting title: "Malware threat lists slammed as 'useless'"


I didn't catch that tone in the comments.  Sure, the only other unattributed PC Tools quote I could find in the article referred to these lists as "of no practical use for the security industry or consumers."

In my hood, calling someone's stuff "of no practical use" isn't even close to "slamming" them.  Sounds like a call for dialog down at the local Dairy Queen.

Other Opinions

And I have to generally agree with the statement. Seems pretty fair.  Knowing rankings of malware that various security product vendors discover and track is interesting, but for a desktop support guy like myself, my focus remains on patching operating systems, and updating versions of software that have vulnerabilities and patches to correct them.  While good for discussion at our lunch-table and certainly valuable to computer security researchers and labs, the lists otherwise don't shape our responses very much.  And were I to sample a collection of home-users on the value of the lists and their weekly contents, I have little doubt eyes would glaze over.

Sunbelt blogger Alex Eckelberry bit on the story and responded: PC Tools slams "top threat" lists.

I do agree with his statements, made from a security company insider's position:

They have a point. But irritating pieces of malware, like Srizbi (315,000 bots active) and Storm (85,000 bots active), have great exposure in security circles but aren’t nearly as widespread as, say, fake codecs. Fake codecs are a plague, and frankly, probably provide a lot of bread and butter money to security companies.

So what do we do? I suppose categorizing based on complexity is a reasonable idea. But these “top 10” lists are useful, to gauge prevalence, and they should not be thrown out. Look, would we want Billboard Magazine to list “most complex or interesting bands” rather than “most sold bands”? There’s room for both.

Agreed! But not really so much at the average PC consumer level.

Microsoft MVP Donna Buenaventura wades in as well on the "pro-threat-list" side on her SecurityFlash blog: I like Top threats list.  She also highlights that different vendors will often see things differently; thus resulting in different list rankings.

Again, the average consumer (who even takes the time to look) is likely to be confused and depending on the data presented, find it overwhelming and of little use.

An Example of Effective Threat List Presentation

I recently found a vendor, SRI International, that actually did present a series of lists that could be darn useful to consumers and researchers alike. 

Take a look at their SRI Malware Threat Center.

Here's what I like:

  1. Each list's subject area is clearly explained and defined up front.  Examples:

    • Most Aggressive Malware Attack Source and Filters: rank = 30-day importance ranking (1 to 100) of most aggressive infection sources

    • Most Effective Malware-Related Snort Signatures: detects = 30-day signature detection rates based on exposure to 1268 malware infections.

    • Most Prolific BotNet Command and Control Servers and Filters: domain names and IP addresses clearly provided.

    • Most Observed Malware-Related DNS Names: embeds = number of malware binaries in which this DNS name was discovered, lookups = number of observed infections in which this DNS name was looked up, rank = 30-day importance ranking (1 to 100) of most prolific malware-related DNS names.

    • Most Effective Antivirus Tools Against New Malware Binaries: detects = Antivirus system overall detection rate based on exposure to 1030 malware binaries

  2. The lists are updated daily (if not more frequently).

  3. The lists all have "more" links to display deeper detail and list content numbers, if so desired.

As a system admin or even a home PC user, I can drop the IP addresses or domain names into HOSTS files to block these sites if I see a threat.  If I find a potential threat that my AV protection didn't, I can generate an MD5 hash of the file and compare it against the list provided by SRI.
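As an added example (not code from the original post or from SRI), here is how the two checks above can be scripted: turning a published domain list into HOSTS entries, and comparing a file's MD5 against a published hash list. The domains, IPs and hash set are constructed placeholders, not indicators from the page.

```python
import hashlib
import re
from typing import Iterable, List, Set

# Constructed stand-ins for an SRI-style C&C / DNS-name list (placeholders only).
SAMPLE_BAD_DOMAINS = ["cnc.example-malware.invalid",
                      "CNC.Example-Malware.invalid",   # duplicate differing only by case
                      "ads.example-dropper.invalid"]
SAMPLE_BAD_IPS = ["192.0.2.10", "192.0.2.11"]
# Constructed MD5 list: the hash of b"abc" plays the role of a known-bad binary.
SAMPLE_BAD_MD5S = {"900150983CD24FB0D6963F7D28E17F72"}

_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

def _is_domain(name: str) -> bool:
    """Accept only syntactically valid host names. Bare IPs look like dotted
    labels but cannot be blocked via HOSTS; they belong in a firewall rule."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL_RE.fullmatch(label) for label in labels)

def hosts_entries(names: Iterable[str], sink: str = "0.0.0.0") -> List[str]:
    """Return deduplicated, lowercased HOSTS lines pointing each domain at `sink`.
    Invalid names and IP addresses are skipped rather than written out."""
    seen: Set[str] = set()
    lines: List[str] = []
    for raw in names:
        name = raw.strip().lower()
        if name in seen or not _is_domain(name):
            continue
        seen.add(name)
        lines.append(f"{sink} {name}")
    return lines

def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def is_known_bad(md5_hex: str, known: Iterable[str]) -> bool:
    """Case-insensitive membership test against a published hash list."""
    return md5_hex.strip().lower() in {k.strip().lower() for k in known}
```

Run `md5_of_file` on the suspect file and pass the result to `is_known_bad` with the downloaded hash list; a miss only means the sample is not on that list, not that it is clean.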

Finally, and of the best value as a consumer, I can monitor their Most Effective Antivirus Tools Against New Malware Binaries page and see just how well various anti-malware/anti-virus vendors' products stack up against a set list of 1030 malware binaries.

That is valuable information from a consumer standpoint.  Granted, depending on what the binaries are (undisclosed by SRI) some vendors may feel that this comparison may not be fair or representative of their product's strength, but as a consumer, if I monitor this list over time, it might just give me a good gauge on the relative effectiveness of such security product vendors.

If PC security vendors and "threat-list" makers aren't careful, they may run the risk of ending up like the DHS Homeland Security Advisory System, whose true value and worth have become widely maligned.

I like the lists.  I would just encourage all security vendors and organizations which publish them to work hard to make a difference by presenting them with the consumer, or the daily system administrator tasked with cleaning and protecting systems from this junk, in mind, and not just as a sterile list for list-making's sake.

To the Threat-Lists

OK, if you do like these "threat-lists" or you just want to see what the fuss is about and draw your own conclusions, here is a sample list of "threat-lists" presented in alphabetical order.  If you know of any others that might be valuable, please feel free to leave tips in the comments.


