[+] Wayc0de's Blog[+]

Showing posts with the label McAfee. Show all posts

06/10/11

Malware Using White Lists, Forgery, Kernel Attacks To Stay Alive

BARCELONA -- Rootkit programs are increasingly mimicking antivirus programs, adopting self-protection features and even application whitelists to maintain control over the systems they infect, according to a presentation at the annual Virus Bulletin Conference.

Rachit Mathur, a research scientist at McAfee, told an audience of antivirus researchers here that self-protection features have become common in many leading rootkit families, such as TDSS and TDL4. Application whitelists that allow only programs approved by the rootkit authors to run are used to disable hostile software, and newer-generation rootkits have also been observed with built-in monitoring that shuts down anti-malware programs and prevents critical malware components from being disabled.

Mathur said McAfee researchers are increasingly finding evidence of attempts to kill antivirus and anti-rootkit drivers using attacks at the kernel level of an infected system. While malware attempts to shut down antivirus programs from user mode have been well documented, kernel-mode attacks to snuff out AV programs are a newer development, and much harder to thwart, Mathur said.

Self-protection features are just a few of the techniques malware authors are using to make their software harder to detect and, once detected, extremely hard to remove. Mathur said that techniques like file forging (in which rootkit authors hide malicious code inside existing, legitimate system files) have become common in malware families like TDSS and BlackEnergy. File forging can make it difficult for rootkit detection programs to spot the malicious code, because the infected file still carries a legitimate name and location. Malware authors are also experimenting with memory forging: directly altering the infected system's kernel memory so that scanners reading through the compromised OS see clean data.

Easy access to the Windows kernel is one reason for the continued effectiveness of evasion techniques, said Mathur, who co-authored the paper with fellow McAfee researcher Aditya Kapoor. "Once the rootkits enter the kernel they seem invincible and they can easily circumvent any and every protection that is in place," the authors wrote.

In contrast, most malware detection is still reactive - relying on a known malware "signature" or behaviors to betray the malware after it has already infected a system. The authors call for proactive detection tools that can catch the rootkit or provide a trusted view of the infected system that would reveal the presence of a rootkit, Trojan horse or other malicious program.
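The "trusted view" the authors call for is the cross-view idea: obtain a listing or file contents from below the infected OS (raw disk, a hypervisor, or an offline baseline) and diff it against what the OS API reports. The following Python is an added example for this page, not code from the article, the paper or McAfee. The toy file system, the simulated rootkit hook (a listing filter that hides names with a chosen prefix), the dropper name "rk_core.sys" and the forged-driver scenario are all constructed in memory; the Windows file names are borrowed for realism only and their contents are placeholders.

```python
"""Cross-view rootkit detection in miniature (added example, not McAfee code).

Everything here is constructed: a toy file system, a "hooked" directory
listing that imitates a rootkit filtering OS API results, and a known-good
hash manifest standing in for a trusted view. Nothing on the real host is
read or modified.
"""
import hashlib

# Constructed sample file system: name -> contents. Names are borrowed from
# Windows for realism; the bytes are placeholders, not real images.
CLEAN_FS = {
    "kernel32.dll": b"MZ...legit kernel32 image bytes...",
    "ntfs.sys": b"MZ...legit ntfs driver bytes...",
    "atapi.sys": b"MZ...legit atapi driver bytes...",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Trusted view of file contents: hashes recorded from a known-clean install
# (a vendor catalog or a baseline taken before deployment would serve).
TRUSTED_MANIFEST = {name: sha256(data) for name, data in CLEAN_FS.items()}


def infect(fs: dict, dropper_name: str, host_file: str) -> dict:
    """Simulate the two techniques the article describes: drop a component
    the rootkit will hide, and 'file-forge' a legitimate driver by appending
    a loader stub to it so name and path stay legitimate."""
    infected = dict(fs)
    infected[dropper_name] = b"MZ...malicious payload..."
    infected[host_file] = fs[host_file] + b"\x90\x90" + b"patched loader stub"
    return infected


def raw_view(fs: dict) -> set:
    """Listing taken below the OS API, e.g. by parsing the volume directly."""
    return set(fs)


def hooked_view(fs: dict, hide_prefix: str) -> set:
    """Listing as returned by an OS API whose results a rootkit filters."""
    return {name for name in fs if not name.startswith(hide_prefix)}


def cross_view_diff(api_listing: set, raw_listing: set) -> set:
    """Entries present on disk but absent from the API view are being hidden."""
    return raw_listing - api_listing


def find_forged_files(fs: dict, manifest: dict) -> set:
    """Files whose current hash differs from the trusted baseline."""
    return {name for name, data in fs.items()
            if name in manifest and manifest[name] != sha256(data)}


def scan(fs: dict, hide_prefix: str, manifest: dict = TRUSTED_MANIFEST) -> dict:
    """Run both checks and report whether an API-only listing would have
    noticed anything at all (it will not: the set of names is unchanged)."""
    api = hooked_view(fs, hide_prefix)
    raw = raw_view(fs)
    return {
        "hidden": cross_view_diff(api, raw),
        "forged": find_forged_files(fs, manifest),
        "api_listing_matches_baseline": api == set(manifest),
    }


if __name__ == "__main__":
    infected = infect(CLEAN_FS, "rk_core.sys", "atapi.sys")
    print(scan(infected, hide_prefix="rk_"))
```

The caveat this toy cannot show is the one the article raises: if the rootkit also forges the bytes returned when the scanner reads atapi.sys (file or memory forging of the read path), the hash check is fooled as well whenever the trusted view is itself obtained through the infected OS. The baseline comparison is only as good as the channel it reads from, which is the argument for collecting the trusted view offline or from below the OS.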

Rootkit programs are general-purpose toolkits that give remote attackers total control over a host system. They have evolved rapidly since they first appeared in the late 1990s and early 2000s, Mathur said. In recent years, rootkits like TDSS have developed new features to help them spread between infected systems on a network and then evade detection.

05/10/11

Mozilla advises Firefox users to disable McAfee plugin

McAfee ScriptScan could cause stability or security problems and is responsible for browser crashes, according to Mozilla

It's the last thing McAfee would want users to hear about one of its products, but the Firefox browser is advising users to disable McAfee's ScriptScan software, saying that it could cause "stability or security problems."

ScriptScan ships with McAfee's VirusScan antivirus program. It's designed to keep Web surfers safe by scanning for any malicious scripting code that might be running in the browser. But according to Mozilla it has an unintended side-effect: it can cause Firefox to crash... a lot.


In a note posted to its website, Mozilla said that the add-on "causes a high volume of crashes," and is "strongly encouraging" users to disable the software. The warning applies to all users of version 14.4.0 and below of the plugin, Mozilla said.

The Firefox browser started popping up warning messages Monday, advising users to disable the software. In McAfee user forums, there is a smattering of complaints about the Firefox problem.

The problem affects Firefox 7 users, according to Francie Coulter, a McAfee spokeswoman. "McAfee has identified the cause and is working actively with the Firefox team to resolve this issue and expects to roll out an update shortly," she said in an email message.


22/09/11

September Adobe Flash update patches critical vulnerabilities

Adobe has just released an update (APSB11-26) to its ubiquitous Flash software, revving it to version 10.3.183.10 for Windows, Mac, Solaris and Linux, and to version 10.3.186.7 for Android.

Today's release fixes six vulnerabilities in Flash Player, one of which was being used in targeted attacks (CVE-2011-2444). This bug is a cross-site scripting flaw which could allow a malicious web page to take actions on behalf of the logged-in user.

Adobe has rated this update as Critical. SophosLabs has assigned it a High rating.
SophosLabs has yet to see any samples in the wild, and notes that CVE-2011-2444 is not straightforward to exploit. Nevertheless, as Adobe reports, this vulnerability has been exploited, albeit only in targeted attacks so far.

Windows, Mac, Solaris and Linux users can download the latest Flash player from http://get.adobe.com/flashplayer.

Do watch out though. If adding the bloat of Flash to your browsing experience isn't enough for you, Adobe has decided to default to bundling it with the Google Toolbar or McAfee trialware for Windows users.


You can untick the box before downloading if you don't want these options.
Maybe that's why Apple won't support Flash on iDevices. No portable versions of Google Toolbar or McAfee?

Android users can download the latest Flash Player from the Android Market, and Google Chrome users were automatically updated on September 20, 2011 with protection against these flaws.

nb : nakedsecurity.sophos

21/09/11

McAfee Delivers Comprehensive Protection for Mobile Devices

Just when you were starting to get ahead of the curve when it comes to locking down the network and protecting PCs, everything went mobile. Not just laptops--but tablets, and smartphones that run unique operating systems and applications on completely different hardware. To help you combat the dramatic rise in mobile security threats, McAfee has developed Enterprise Mobility Management.

Smartphones and tablets have enjoyed some degree of security by obscurity. Although it has always been theoretically possible to hack or compromise mobile devices one way or another, the incentive wasn't there. But, with smartphones and tablets storing 32GB, 64GB or more of data, and providing access to sensitive resources, malware developers are paying more attention.

The nascent nature of mobile device hardware and software, though, makes it new territory for you to wrestle with and try to protect. As if that isn't enough, the very point of mobile devices is to be mobile, so there is no pretense of a "perimeter" to hide inside. These devices are out there roaming about, and you need tools to protect the information they contain.

Another challenge you face is the sheer diversity of platforms. Businesses typically have some degree of standardization when it comes to PC hardware, operating system, Web browser, and installed software. But, with mobile devices you might be dealing with iOS, Android, BlackBerry, Windows Phone, and more--plus the diversity of hardware and apps that come with each mobile platform.

"Mobile device adoption is exploding, and unfortunately, so are the threats targeting mobile platforms. If McAfee’s historical experience analyzing threats on numerous platforms is any indication, we believe that the emerging mobile malware we are seeing today is just the beginning," said John Dasher, senior director, mobile security for McAfee. "It’s a whole new world, and a challenge for IT to craft security policies that make sense while updating their infrastructure. At McAfee, we’re working hard to create new technology to help enterprises address the challenge of securely incorporating these new mobile platforms into their environment."

McAfee Enterprise Mobility Management (EMM) uses a three-pronged approach to mobile security: protecting the device itself, the data it contains, and the apps that run on it. The device protection takes the familiar controls and security measures from McAfee's desktop security products and applies them to mobile devices. It also includes VirusScan Mobile to guard against malware, and McAfee SiteAdvisor to protect mobile devices from malicious websites and phishing attacks.

McAfee EMM has data leak prevention controls. McAfee claims that data remains protected even on jailbroken or rooted devices. The data protection measures also include remote backup, lock, and wipe functionality to protect data if the device is lost or stolen, and McAfee is working on additional controls to separate business data from personal data.

The apps that run on these mobile devices can be a security threat in and of themselves, and some platforms are more susceptible than others to rogue, malicious apps. The McAfee EMM app protection includes McAfee App Alert, which lets users know how their apps are accessing or using personal data. McAfee is also expanding its Global Threat Intelligence network to include mobile app reputation services to help identify potentially malicious apps.

Mobile threats will continue to escalate and proliferate, so the sooner you get a security framework in place to protect your mobile devices and the data they contain, the better. Visit McAfee Mobile Security Solutions for more details on Enterprise Mobility Management.

nb : pcworld

14/09/11

Intel, McAfee link security to chips

DeepSafe offers a glimpse at future Intel-McAfee security products

Nearly seven months after Intel shelled out $7.68 billion for antivirus vendor McAfee, the two companies are offering a glimpse of their future.

At the Intel Developer Forum in San Francisco Tuesday, McAfee will provide an early look at its new effort to build security protections outside of the OS, using Intel's chip-level hooks to give McAfee's Endpoint Protection software a better view of malicious software such as rootkits.


Called DeepSafe, the software is something new for the antivirus industry, said Candace Worley, senior vice president and general manager of McAfee Endpoint Security. "This level of technology has never existed before," she said. "It's brand new; it's been jointly developed between the two companies."

DeepSafe is McAfee's answer to advanced hacking technologies, such as rootkits, that seem to be getting better and better at slipping malicious software onto PCs unnoticed.

"Most antivirus products today reside at the same level in the system as the operating system," Worley said. "What we're finding is a lot of the antivirus is simply not seeing a rootkit that's installed at that level of the system."

Rootkits use all kinds of sneaky tricks to cover their tracks, rewriting file names, and even modifying data in system monitoring tools so that everything seems normal.

In fact, it's somewhat of an open secret in the security industry that determined cyberattackers can skirt antivirus detection almost at will. Some victims go years without detecting so-called APT (advanced persistent threat) infections, even with their antivirus software up-to-date.

That's left vendors such as McAfee scrambling to make things harder for the bad guys.

Worley describes DeepSafe as a "technology foundation" for future products. The first of these will be an add-on to McAfee Endpoint Protection that focuses on rootkit detection for the enterprise, which is who's most interested in this kind of technology right now, Worley said. The product, as yet unnamed, will be launched at McAfee's Focus conference in Las Vegas next month, "and as time progresses we will migrate this to the consumer space," she said.

McAfee was vague about how DeepSafe will actually work, but the company started working on the technology prior to the Intel acquisition, Worley said.
The product will work in VMware installations, but Microsoft and Citrix customers will have to wait a bit longer. "We're still working out how this system will work with those technologies over time," Worley said.

Although McAfee will be the first major antivirus vendor out of the gate with this type of technology, it isn't the only company going in this direction, said Lawrence Pingree, a Gartner research director. "What's going to happen is they're going to release this and then others are going to follow suit," he said.

Pingree said DeepSafe is interesting, but it still isn't the kind of breakthrough technology that will justify McAfee's multibillion-dollar price tag. "We're still waiting for real hard technology to come out of this merger that will really be a big innovation," he said.

nb : infoworld
