Many of you practice safe computing – you install security updates from Microsoft and other vendors, you run antivirus and adware/spyware programs and keep them current, your email program has a spam filter and blocks .EXE and other potentially dangerous attachments, and you don’t click on strange links in email messages or on web sites.
You probably haven’t seen a virus or gotten adware on your computer in a long time. You may be wondering what the security fuss is about. Is it really necessary to be so paranoid?
By the end of this year, security experts expect to have identified a total of more than one million viruses. The chief technology officer for Sophos says about 25% of unique malware has been created in the last six months. Another security company executive said it identifies about 25,000 malware samples a day.
As security programs improve, virus writers get less results from email attachments, so they’re switching their focus to creating web sites that can infect unpatched computers automatically just by visiting the site. A couple of years ago those attacks were limited to installing advertising programs and popups, but now malicious software is being installed without the user’s knowledge.
Google owns Postini, a messaging security company, which recently promised that security challenges will grow exponentially in 2008 as the Bad Guys become more skilled at “social engineering” – presenting you with an email message or web site that in some way convinces you to make a fatal click or divulge personal information. There might be references to current events or messages that purport to be from legitimate business agencies – the IRS or Securities & Exchange Commission for example. The Bad Guys are getting better all the time at presenting messages that appear to be genuine. Their grammar is getting better, too.
At one time viruses were designed to break computers. If malware is installed on your computer now you might never know it. The latest exploits are designed to hide away undetected and respond to commands from Bad Guy Central.
The most sophisticated malware authors use compromised computers to send spam. A security researcher just examined 11 “botnets” that send spam and estimated that they control over a million computers and are capable of flooding our mailboxes with more than 100 billion spam messages every day.
Identity theft starts with disclosure of personal information. If you can be persuaded to type in a bank account number or a password, the Bad Guys win.
Read this chilling account by a Symantec researcher about a virus that steals bank account details. The sophistication of the scheme is striking.
“Targeting over 400 banks and having the ability to circumvent two-factor authentication are just two of the features that push Trojan.Silentbanker into the limelight. The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis.
“This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted but banks in many other countries are also targeted, including France, Spain, Ireland, the UK, Finland, Turkey – the list goes on.
“The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker’s account details instead. Of course the Trojan ensures that the user does not notice this change by presenting the user with the details they expect to see, while all the time sending the bank the attacker’s details instead. Since the user doesn’t notice anything wrong with the transaction, they will enter the second authentication password, in effect handing over their money to the attackers. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid. Unfortunately, we were unable to reproduce exactly such a transaction in the lab. However, through analysis of the Trojan’s code it can be seen that this feature is available to the attackers.
“The Trojan does not use this attack vector for all banks, however. It only uses this route when an easier route is not available. If a transaction can occur at the targeted bank using just a username and password then the Trojan will take that information, if a certificate is also required the Trojan can steal that too, if cookies are required the Trojan will steal those. In fact, even if the attacker is missing a piece of information to conduct a transaction, extra HTML can be added to the page to ask the user for that extra information. (In the example below the user is asked to enter their encryption key, in addition to the regular information.) . . .
“Add to all of the above the ability to steal FTP, POP, Web mail, protected storage, and cached passwords and then we start to see the capabilities of this Trojan.”
PCs VS MACs
Fewer attacks are aimed at Macs than PCs, primarily because PCs have a 90%+ market share. That is sometimes misinterpreted to mean that Macs are less vulnerable and Apple does a better job of addressing security holes. This has not ever been true. Two years ago I highlighted reports that Apple was slow to respond to security flaws when they were discovered, and Apple’s products have required a constant stream of updates to fix security problems. Here’s Paul Thurrott’s report on the most recent study reporting the same results:
“Microsoft actually fixes security vulnerabilities much more quickly than does Apple, meaning that users of Windows are, in fact, better protected by their vendor than are Mac OS X users. Researchers from the Swiss Federal Institute of Technology independently examined six years of data and found that 658 high- and medium-risk vulnerabilities affected Microsoft products during the time period, compared with 738 for Apple products. Then they looked at how well the companies did at fixing these bugs. The conclusion? ‘The number of unpatched vulnerabilities are higher at Apple,’ a researcher involved in the study said. ‘Apple [was] just surprised or not as ready or not as attentive. It looks like Microsoft had good relationships earlier with the security community. Based on our findings, this is hurting [Apple].'”