Detecting Archives | Gregory D. Evans | World’s No. 1 Security Consultant

Posts Tagged ‘Detecting’

Tenable Network Security Podcast Episode 125 – “Detecting Quicktime Vulnerabilities, Hotel Hackers”

Welcome to the Tenable Network Security Podcast Episode 125. Announcements: New Nessus Feature Added: CSV Export; Tenable Network Security Named Top ‘Cyber Warrior’ at Baltimore SmartCEO VOLT Awards; check out our video channel on YouTube, which contains new Nessus and SecurityCenter 4 tutorials. We’re hiring!…

View full post on National Cyber Security


Detecting and removing the Flashback malware in OS X

Recently a new variant of the Imuler/Revir Trojan malware for OS X was found being distributed disguised as erotic images that, if installed on a Mac system, would attempt to steal personal information and upload it to remote servers. The malware’s initial variants were disguised as offensive political material, but in its most recent iteration it has been distributed among a collection of cover girl images in an obvious attempt to trick people into opening the application.

While these attempts are relatively easy to avoid, security company F-Secure has been monitoring a more serious threat from the Flashback malware for OS X. This malware, which has been distributed in a fake installer application for the popular Adobe Flash Player plug-in, hooks Web browsers so that the malware is loaded whenever they are run, and then tries to send information on visited Web pages to remote servers.

Initially this malware was only an OS X installer file disguised as Flash Player, but in February of this year another variant was found that attempts to exploit Java security holes to install without requiring user interaction and without being detected.

OS X does not come with Java installed by default, and the latest versions of Java are patched against these holes, so anyone with a new or properly updated system should be safe from these threats; however, many people are likely still running older, vulnerable versions of Java on their systems.

If you do not use Java on your system, then you can avoid these threats by disabling it in your Web browser, and also by doing so in the Java Preferences utility in your Applications/Utilities/ folder (uncheck any Java runtime listings in the utility to disable them). By doing this, any threats that attempt to take advantage of Java will not work.

If you do this and find Java is required for some of the applications you use, then be sure you have the latest version (currently available via Software Update if you have Java installed).

[Screenshot by Topher Kessler/CNET: the three Terminal commands run on a clean system. If you see “does not exist” as part of the output, your system is not infected.]

As with previous variants of the malware, the latest variant of the Flashback malware, called OSX/Flashback.I, hooks Web browsers so that it is loaded whenever the browsers are opened, resulting in modified Web pages being displayed.

Today F-Secure has issued a detailed analysis on the Flashback threat, including how to detect and remove it. The analysis covers the various methods the malware has used to alter Web browser code, and discusses for each how to detect and remove the threat, if your system is infected.

To summarize, the malware has overall adopted two modes of infection. The first requires administrative privileges: it alters the information property list embedded within the Firefox and Safari Web browsers to contain a variable called “DYLD_INSERT_LIBRARIES” that launches the malware when these applications are run. (DYLD_INSERT_LIBRARIES tells the OS X dynamic linker to load the listed libraries into a process before anything else, so setting it in an application’s property list loads the malware into that application every time it starts.) F-Secure notes that these variants are ultimately harder to detect (provided the user unknowingly supplied administrative privileges when running the fake Flash Player installer), since only those two programs are affected.

The second infection route does not target individual applications, but instead sets the same “DYLD_INSERT_LIBRARIES” variable in the user’s own environment property list (the ~/.MacOSX/environment file checked by the first command below), which applies to every application the user opens. Because this modification is made within the user’s account and not to files within the Applications folder, the attack does not require admin privileges to complete; however, it results in a more obvious infection that destabilizes the system and leads to crashes, since the malware is loaded into programs it was never written to run in.

The malware only works as intended when loaded into a Web browser, so more recent variants include filtering that only activates it when Safari is loaded, resulting in a more stable system that is less likely to be suspected of infection.

F-Secure’s analysis offers a detailed method for detecting and ultimately removing the malware from your system, though you can easily detect the malware in its known variants by running the following three commands sequentially in the Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/ DYLD_INSERT_LIBRARIES
defaults read /Applications/ DYLD_INSERT_LIBRARIES

If your system is not infected then the output of these commands will state in part that the domain/default pair “does not exist”; however, if it is infected then Terminal will output a path that points to the malware, and you can follow the instructions provided in F-Secure’s analysis to remove the malware from your system.

While F-Secure covers how to restore affected programs like Safari and Firefox to their original state, one easy option is to simply redownload Safari and Firefox and reinstall them, or copy them from another system that has the programs, making sure you delete the old version of the browser first. Keep in mind that this only helps with the malware variants that required admin privileges to install, which are the ones detected by the second and third Terminal commands listed above. If the first command is the only one that shows a problem, the hook lives in your user account rather than in the browsers, and you will need to follow F-Secure’s instructions for removing the malware.
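The check described above, written out as a small shell script. This is an added example, not code from the CNET article or from F-Secure. It looks in the same three places as the three Terminal commands: the per-user ~/.MacOSX/environment.plist (the no-admin infection mode) and the Info.plist inside the Safari.app and Firefox.app bundles (the admin-privileges mode); the bundle paths and the LSEnvironment dictionary are taken from F-Secure’s description of Flashback.I and are assumptions as far as this page goes, since the page’s own command listing has the application names cut off. The script parses XML plists with awk so it can be run against copies of the files on any UNIX system; on a live Mac, `defaults read` is the simpler tool and handles binary plists for you. The sample plists in the usage note below are constructed, and the library paths in them are made up.

```shell
#!/bin/sh
# Added example: the Flashback DYLD_INSERT_LIBRARIES check, re-implemented
# portably. Not code from the CNET article or from F-Secure.
#
# Two persistence locations are checked, matching the two infection modes
# described in the article:
#   1. ~/.MacOSX/environment.plist   - per-user, no admin rights needed; the
#      variable is set for every application in that user's session
#   2. <App>.app/Contents/Info.plist - per-application (Safari, Firefox), needs
#      admin rights; the variable lives in the LSEnvironment dictionary
# Assumption: the files are XML plists. On a Mac, binary plists can be
# converted first with: plutil -convert xml1 -o - FILE

# dyld_insert_from_plist FILE
#   Prints the value of each DYLD_INSERT_LIBRARIES <string> in FILE, whether
#   the <key> and <string> share a line or not. Exit 0 if any was found
#   (hook present), 1 if the file is missing or clean.
dyld_insert_from_plist() {
    [ -r "$1" ] || return 1
    awk 'BEGIN { RS = "<" }                       # one XML tag per record
         /^key>DYLD_INSERT_LIBRARIES/ { want = 1; next }
         want && /^string>/ {                     # the value that follows the key
             sub(/^string>/, ""); sub(/[ \t\r\n]+$/, "")
             print; want = 0; hit = 1
         }
         END { exit hit ? 0 : 1 }' "$1"
}

# flashback_check HOME_DIR APPS_DIR
#   Runs the check over the per-user plist and both browser bundles. Prints one
#   line per finding; exit status 0 = nothing found, 1 = hook present.
flashback_check() {
    home_dir=$1; apps_dir=$2; found=0
    for plist in "$home_dir/.MacOSX/environment.plist" \
                 "$apps_dir/Safari.app/Contents/Info.plist" \
                 "$apps_dir/Firefox.app/Contents/Info.plist"; do
        if libs=$(dyld_insert_from_plist "$plist"); then
            found=1
            printf 'INFECTED: %s inserts %s\n' "$plist" "$libs"
        fi
    done
    [ "$found" -eq 0 ] && echo "clean: no DYLD_INSERT_LIBRARIES hook found"
    return "$found"
}

# Usage on a real Mac (after converting binary plists as noted above):
#   flashback_check "$HOME" /Applications
```

A finding in the environment.plist line means the per-user hook is present and every application the user launches is affected; a finding only in a browser’s Info.plist means the admin-privileges variant, which reinstalling that browser removes. The script reports the injected library path rather than just “infected”, because that path is what you need to locate and delete the dropped library itself.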


View full post on National Cyber Security » Virus/Malware/Worms

Tenable Network Security Podcast Episode 111 – “Detecting pcAnywhere, browser vulnerabilities, & hacking cars”

Welcome to the Tenable Network Security Podcast Episode 111


  • Paul Asadoorian, Product Evangelist
  • Carlos Perez, Lead Vulnerability Researcher
  • Ron Gula, CEO/CTO
  • Jack Daniel, Product Manager


New & Notable Plugins

Passive Vulnerability Scanner



  • New Drive-By Spam Infects Those Who Open Email — No Attachment Needed — Yet even more reasons to read all of your email in plain text, the way it was intended. Some email clients give you the option, which I really like, so by default it does not load the message in HTML until you tell it to.
  • Cisco Security Appliances at risk from Telnet bug — This is the same nasty Telnet bug we talked about a couple of weeks ago, and it is now found to be installed on Ironport email appliances from Cisco.
  • Symantec publishes pcAnywhere security recommendations — This is the most bizarre warning from a company I have ever seen: “…it warns against using the remote PC control software at all, since malicious parties could use the source code to identify and exploit security vulnerabilities to compromise PCs that use the program.” So wait, if they are hinting towards the fact that their software contains vulnerabilities, why haven’t they fixed them? Have they not been looking? Have they not hired people to find problems in their software? Oh and get this: “…the company ‘knew there was an incident in 2006,’ but that ‘it was inconclusive at the time as to whether or not actual code was taken or that someone had actual code in their hands’.” I am actually speechless. More information from Wired on this topic. If anti-virus companies can’t keep themselves secure, are we all doomed?
  • Why Your Company Needs To Hack Itself — The term “hack” is not fully defined here, but let’s take that as any action against your organization’s systems that will test the security of them. There are, of course, different levels of “hacking.” First, and foremost, let’s look at what may be the easiest, least impactful, and actionable process out there: Scan all of your systems with Nessus that are externally facing and act on the results. The second part is the more difficult of the two as it invokes people, but you must be constantly identifying vulnerabilities and exposures on your Internet-facing systems. I’m stumped as to why more people are not doing this.
  • Hacking Seen as Rising Risk With Car Electronics — Having just bought a new car, I believe this threat is becoming more real. The vehicle emergency system can unlock the doors remotely, identify where the vehicle is located, enable Bluetooth to talk to my phone, and more. The car is becoming more and more like a computer every day, and we as a security community wonder what could happen if we were to start evaluating the security of vehicle systems. Some have, and the results are as expected — features took priority over security.
  • Students busted for hacking computers, changing grades — This is similar to “War Games,” but with a twist. Rather than stealing the password by looking at the paper on the desk, the students stole a master key from a janitor and installed keystroke loggers on the computers. Then, they changed the grades and sold test answers to other students. This is not cool. Kids, if you’re listening, don’t hack into computers at your school without permission as it’s not like in the movies, you will be expelled.
  • Feds say Megaupload user content could be deleted this week — Just a word of caution, if you store your data in the cloud, make sure you have a backup.
  • Shmoocon Demo Shows Easy, Wireless Credit Card Fraud — I watched most of this talk over the live stream, and I just kept thinking that this has been possible for quite some time. I’m a huge fan of Paget’s research into RFID, and I am glad to see this is getting attention. There seem to be some protections in place though, such as only the credit card number being leaked over RFID, and not the person’s name, PIN, or CVV number.
  • Rootkit has rhythm: “Attackers are embedding specially-crafted MIDI files into web pages which are then opened by Internet Explorer using a plugin from Windows Media Player. The sound of background music covers the MIDI file using the vulnerability to execute shell code which installs a rootkit onto the system.” So the big question is: If you were to have theme music to go along with your rootkit, what would it be? (My answer: The Who’s “Don’t Get Fooled Again”)

Download Tenable Network Security Podcast 111 (mp3)

View full post on Tenable Network Security

View full post on National Cyber Security

Understanding and Detecting Mobile Malware Threats

Every couple of years there’s a new “hot threat” in security for which vendors abruptly tout newfangled protection and potential customers clamor for additional defense options. Once upon a time it was spyware, a few years ago it was data leakage, and today it’s mobile malware. It’s a recurring cycle, analogous to “blue is the new black” in fashion, if you fancy adopting a certain cynical tone.

Lying at the heart of the cycle is the fact that these hot threats have never been particularly new. Within the security community, we tend to talk about the evolution of the threat landscape. If you speak with the relevant experts about a particular threat category you’ll uncover that the back story to many of these “hot threats” often goes back a decade or two. Mobile malware threats are certainly no exception.

A history lesson in the evolution of mobile malware is hopefully not required, beyond to say that today’s hot threat has evolved over a couple of decades and poses less of a technical challenge than many believe or commonly portray. But as history so often reveals in these cases, when a new threat is similarly labeled and thrust into the limelight for the first time, there’s all too often a stampede towards apparently novel and threat-specific solutions.

Solutions (and I use that term very loosely) within the mobile malware threat mitigation arena are increasingly difficult to differentiate from one another. In the confusion of defining a new threat and the nomenclature that accompanies it, the underlying technologies and viability of their approaches can get lost rather easily.

What is the “Mobile Threat”?

When I meet with customers, prospects and journalists, I get a lot of questions about the Mobile Threat. In particular, how should businesses work to defend against it? My immediate response tends to be “what do you define as the mobile threat?”

The term “Mobile Threat” is amorphous. It has become a catch-all for anything that is not physically tethered to a network, happens to be newish from a technology perspective, and is likely subject to some new (previously unencountered) formulation of evilness. That sounds like a wishy-washy definition (and it is), but catch-alls usually are. Instead, I’d rather focus on one aspect of the Mobile Threat: the mobile malware threat.

As I described in a blog entry illuminating a handful of security predictions for 2012, mobile malware threats continue to be misunderstood. It’s all too easy to dive deep into the various technologies that expose mobile devices to new forms of attack and vectors of compromise, just as it’s rather easy to describe the various built-in technologies that the developers and engineers of the mobile devices have included to prevent many of the “legacy” threat categories we’re already all too familiar with.

You could spin a lot of cycles looking into the “what if’s” of mobile security threats but, at the end of the day, if you want to determine which threats and attack vectors are going to be the most immediate and protectable concern for your organization you only need to understand two things — how do your employees really use their mobile devices, and how are cybercriminals going to monetize their control of these devices?

For a moment, think about this. While smartphones and tablets often share a common operating system and maybe even the same application markets or stores, they are used in different ways, at different times, to accomplish different tasks. For this reason the attack vectors cybercriminals (and espionage-focused agencies) choose to launch against them differ for each category of mobile device. The tools, of which the most commonly encountered category is “malware”, are likely to be transportable between devices, but the vectors for installation and the type of meaningful information that can be extracted through them are quite different.

When it comes to the cybercriminals that target mobile devices (who constitute the core element of the “Mobile Threat”), it is interesting to note that they’re pretty much the same entities that have historically been successful in targeting traditional non-mobile devices. That shouldn’t really surprise anyone; it’s all about monetizing the victims. If a particular cybercriminal group specializes in online banking fraud and a third of their potential target list shifts to tablet-based banking applications, they need to make a business decision: do they target the new platform, or optimize their attacks against the traditional devices? As mobile application use increases, there’s an increasing driver for cybercriminals to invest in new mobile tool development. Similarly, if employees are wirelessly connecting to corporate systems and assets using mobile devices in preference to other traditional platforms, the attackers are forced to target these new devices and develop the appropriate tools.

It’s important to note that, while the end-point device is physically changing and the specifics of the tools the criminals need to develop and install on the compromised devices are also changing, at the enterprise network and Internet infrastructure level there has been no change in criminal behavior, nor is any change actually needed. The vast majority of C&C (command-and-control) communications are HTTP-based regardless of the malware family or compromised device type. By speaking the same language, the cybercriminals can keep their existing infrastructure: business as usual!

By Gunter Ollmann, VP of Research at Damballa. Visit the blog maintained by Gunter Ollmann.

Related topics: Cyberattack, Cybercrime, Malware, Mobile, Security, Wireless


View full post on National Cyber Security » Virus/Malware/Worms

Detecting VM sprawl in a private cloud

Learn techniques and tools to track rogue images and inappropriate use.


View full post on SearchCloudSecurity: RSS Feed

View full post on National Cyber Security

Which Antivirus Products Are Best, Worst at Detecting Malware?

Twice a year, the independent antivirus testing lab AV-Comparatives releases a report comparing how well 15 to 20 antivirus products detect malware in an on-demand scan. In the latest report, quite a few products improved their ratings, though a couple of cloud-based tools failed to complete the test. AV-Comparatives also switched to a new method of rating false positives.

Many Improved Ratings
Every product that passes the on-demand scan test rates at least STANDARD. Those that do a bit better than the rest rate ADVANCED, and the very best products rate ADVANCED+. If a product doesn’t pass, it receives the rating TESTED.

Four products that rated ADVANCED in February’s test moved up to ADVANCED+. They are: avast! Free version 6.0, ESET NOD32 Antivirus 5, G Data AntiVirus 2012, and Panda Cloud Anti-Virus 1.5.

AVG Anti-Virus Free 2012 moved up from STANDARD to ADVANCED, and Trend Micro Titanium Antivirus+ 2012 leapt all the way from STANDARD to ADVANCED+.

A Few Going Down
A few products slipped in the ratings. TrustPort Antivirus 2012 and eScan Anti-Virus 11 slipped from ADVANCED+ down to ADVANCED. PC Tools Spyware Doctor with AV 8.0 didn’t pass this time, going from STANDARD to merely TESTED.

Problems in the Cloud
Webroot AntiVirus with Spy Sweeper relies on cloud-based protection supplied by Sophos for enhanced malware detection. During this particular test, the cloud-based backend didn’t work properly, so AV-Comparatives could only estimate scores for Sophos and Webroot. Due to this problem these two products weren’t assigned a rating.

The report states: “The cloud should be considered as an additional benefit/feature to increase detection rates… and not as a full replacement for local offline detection. Vendors should make sure that users are warned in case the connectivity to the cloud gets lost… [This] may affect considerably the provided protection and make… the scan useless.”

Note that the Webroot product tested will be replaced by a completely new product next week. The new Webroot SecureAnywhere Antivirus relies almost 100 percent on cloud-based detection.

Problems with Vendors
The report also noted that some vendors don’t react well to low ratings. “We observed some few vendors potentially are trying to game the tests to get higher scores… Some try disputing every malicious files which are not detected by their own product as ‘unimportant/non-prevalent,’ even if other telemetry shows otherwise… Furthermore, some vendors which see themselves scoring low in a test often aim to get their results removed from a test for marketing reasons. But we do not allow to withdraw from tests as we want to provide results to our readers.”

False Positives Ranked by Prevalence
A false positive occurs when an antivirus tool identifies a good, valid file as malicious. Some testers are very strict about FPs. Virus Bulletin, for example, withholds its VB100 award if a product generates even one FP.

The Anti-Malware Testing Standards Organization (AMTSO) recommends that testers weigh the significance of false positives. Erroneously deleting a file that’s critical to system operation is more significant than deleting a non-critical application. Deleting a file found on hundreds of thousands of PCs is more significant than deleting a program with just a few users. In addition to criticality and prevalence, the AMTSO document points out that recoverability is an issue.

In this latest test AV-Comparatives has switched from simply counting FPs to rating them by the prevalence of the file involved. McAfee AntiVirus Plus 2011 had no FPs at all. Microsoft Security Essentials 2.0 had just one, at the lowest prevalence (under a hundred users). Kaspersky Anti-Virus 2012 also had just one, but this was a file estimated to have several thousand users.

Near the other end of the scale, Norton had 57 false positives. However, most of these were at the lowest prevalence, a few at the second lowest (hundreds of users), and just one of actual significance (tens of thousands of users). Norton’s File Insight analysis is deliberately designed to strongly suspect very uncommon files of being malicious, so this result isn’t surprising.

You can view the full report at the AV-Comparatives Web site. The document detailing false-positive testing lists every single FP file for every vendor, along with its prevalence.


View full post on National Cyber Security » Virus/Malware/Worms

Cyber-thieves targeting Facebook to spread ‘identity detecting’ malware infections

London, July 6 (ANI): Cyber-thieves are reportedly targeting trusted social networking sites like Facebook by spreading malware infections that can quietly hack users’ passwords as they go about logging into their profiles and bank accounts, with the intention of stealing their identities and money. Although malware infections are nothing new in the online world, they […]

View full post on National Cyber Security » Virus/Malware/Worms
