Researchers say they’ve devised a way to bypass protections built into dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.
The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.
The exploit has to be timed just right so the benign code isn’t switched too soon or too late. But for systems running on multicore processors, matousec’s “argument-switch” attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.
All that’s required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.
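As an added illustration of the double-fetch shape such hooks have (this is a constructed simulation, not code from matousec or from any of the products named), the block below contrasts a hook that validates through the caller’s pointer and then uses that pointer again with one that copies the argument once into its own storage. The `\Device\...` paths, the `is_allowed` policy and the `swap_argument` callback are all hypothetical; the callback stands in for the second thread being scheduled inside the check-to-use window.

```c
#include <stdio.h>
#include <string.h>

/* Constructed simulation of the two hook shapes described above.
 * A kernel-mode hook receives a pointer into user memory. If it validates
 * through that pointer and the real service then reads through the same
 * pointer again, another user thread can rewrite the memory in between
 * (the "argument switch"). The fix is to fetch the argument once into
 * memory the hook owns, validate the copy, and pass only the copy on.
 * A real driver would do the copy-in with the platform's probe/copy
 * primitives; plain strncpy stands in for that here. */

#define PATH_MAX_SIM 64

/* Hypothetical policy: the hook blocks anything under \Device\Protected */
static int is_allowed(const char *path)
{
    return strncmp(path, "\\Device\\Protected", 17) != 0;
}

/* Stands in for the scheduler switching to the other user thread between
 * the hook's check and the service's use. NULL means no thread interferes. */
typedef void (*race_window_fn)(char *user_buf);

/* What the "real" service actually acted on, recorded for inspection */
static char last_operated[PATH_MAX_SIM];

static void real_service(const char *path)
{
    strncpy(last_operated, path, PATH_MAX_SIM - 1);
    last_operated[PATH_MAX_SIM - 1] = '\0';
}

const char *last_operated_path(void) { return last_operated; }

/* Double fetch: check via the user pointer, then use via the same pointer.
 * Returns 1 if the service ran, 0 if the hook blocked the call. */
int hook_double_fetch(char *user_buf, race_window_fn window)
{
    if (!is_allowed(user_buf))          /* first fetch: validation */
        return 0;
    if (window) window(user_buf);       /* other thread runs here */
    real_service(user_buf);             /* second fetch: use */
    return 1;
}

/* Single fetch: copy into hook-owned memory, validate and use the copy.
 * A rewrite of the user buffer after the copy cannot change what is used. */
int hook_single_fetch(char *user_buf, race_window_fn window)
{
    char kbuf[PATH_MAX_SIM];
    strncpy(kbuf, user_buf, PATH_MAX_SIM - 1);   /* the one copy-in */
    kbuf[PATH_MAX_SIM - 1] = '\0';
    if (!is_allowed(kbuf))
        return 0;
    if (window) window(user_buf);       /* other thread runs here */
    real_service(kbuf);                 /* uses the copy, not user memory */
    return 1;
}

/* Constructed "other thread": swaps the benign argument for a blocked one */
void swap_argument(char *user_buf)
{
    strcpy(user_buf, "\\Device\\Protected\\av.sys");
}

int main(void)
{
    char user_buf[PATH_MAX_SIM];

    strcpy(user_buf, "\\Device\\Benign\\readme.txt");
    hook_double_fetch(user_buf, swap_argument);
    printf("double fetch acted on: %s\n", last_operated_path());

    strcpy(user_buf, "\\Device\\Benign\\readme.txt");
    hook_single_fetch(user_buf, swap_argument);
    printf("single fetch acted on: %s\n", last_operated_path());
    return 0;
}
```

The same check-before-copy ordering is what makes the attack described above possible regardless of which product supplies the hook, and the single-copy ordering is why a core-count or timing change cannot help the second thread.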
“We have performed tests with [most of] today’s Windows desktop security products,” the researchers wrote. “The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable.”
The researchers listed 34 products that they said were susceptible to the attack, but the list was limited by the amount of time they had for testing. “Otherwise, the list would be endless,” they said.
The technique works even when Windows is running under an account with limited privileges.
Still, the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.
Still, the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle’s Java Virtual Machine, to install malware without arousing the suspicion of any AV software the victim was using.
“Realistic scenario: someone uses McAfee or another affected product to secure their desktops,” H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. “A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the ‘protection’ offered by the product is basically moot.”
A user without administrative rights could also use the attack to kill an installed and running AV, even though only admin accounts should be able to do this, Charlie Miller, principal security analyst at Independent Security Evaluators, said.
Matousec.com’s research is here.
Browser security is a big thing these days. No one wants the kind of trouble that comes from using something that is easily hacked, or the subject of attacks, where the poor souls who use it are in for major problems.
That is why Internet Explorer should die a quick death – now.
An article in PCWorld that came out this weekend claims that Chrome is the most secure browser, and backs the claim with the fact that Chrome uses the concept of sandboxing.
All browser makers should take a page from Google’s Chrome and isolate untrusted data from the rest of the operating system, a noted security researcher said today.
Dino Dai Zovi, a security researcher and co-author of The Mac Hacker’s Handbook , believes that the future of security relies on “sandboxing,” the practice of separating application processes from other applications, the operating system and user data.
In a Wednesday entry on Kaspersky Labs’ ThreatPost blog, Dai Zovi described sandboxing, as well as the lesser security technique of “privilege reduction,” as “[moving] the bull (untrusted data) from the china shop (your data) to the outside where it belongs (a sandbox).”
The idea behind sandboxing is to make it harder for attackers to get their malicious software onto machines. Even if an attacker was able to exploit a browser vulnerability and execute malware, he would still have to exploit another vulnerability in the sandbox technology to break into the operating system and, thus, get to the user’s data.
“Sandboxing raises the bar significantly enough that attackers will have to turn to other [types of attacks], like rogue anti-virus software,” Dai Zovi said today in a telephone interview.
The pervasiveness of Web-based attacks calls for browser sandboxing, Dai Zovi argued. “It’s crucially important because, in my opinion, the browser will become the OS,” he said. “Google is the first to realize that the browser is the operating system, and Chrome is a huge leap forward with its ground-up rewrite.”
While I am skeptical of the “browser is the operating system” concept, I take the point. That is not to say that the concept won’t be there for some, but those who wish to graduate above the level of web-TV, or those not able to have internet access (which will be many until the internet becomes free, as in free like the air) will not be surrendering the computer to a browser just yet.
– and the article goes on later with –
Currently, Mozilla’s Firefox, Apple’s Safari and Opera Software’s Opera lack any sandboxing or privilege reduction features. “Apple, for example, has implemented some sandboxing in Snow Leopard, but [although] security researchers were hoping to see some of that technology used in Safari, that hasn’t happened,” Dai Zovi said.
Mozilla is working on Chrome-like sandboxing for Firefox — the project’s dubbed “Electrolysis” — but the feature probably won’t make it into the browser until Firefox 4.0, which is now slated to ship in late 2010 or early 2011.
Dai Zovi sees browser sandboxing as an answer to the flood of exploits that have overwhelmed users in the past year. “This isn’t perfect, but it’s the direction we should be heading in,” he said. “The idea of fixing every vulnerability is clearly not working. We can’t always win the race to patch.”
But sandboxing, or at the least, reducing the browser’s ability to affect the rest of the OS, may be the way to block most attacks. “It adds more defense-in-depth and impedes attackers,” Dai Zovi said.
The article also states that the protected mode of IE7 and IE8 is not really a sandboxed setup, and does not offer the same amount of protection that Chrome does.
I’m sure that many are asking how much utility has to be given up, in order to be safe.
As someone who uses Opera most of the time, but also has SRWare’s Iron on a couple of machines, I can say I have never been compromised while using Opera or Iron. I had problems some years ago with Internet Explorer, but that was also back when I was using Windows 98SE. I can’t remember if I was using IE 5.5 or IE6. Either way, in the time I’ve been using Windows XP or higher, which is 2001 to now, I have not had problems.
I must modify that however, because as soon as I had heard about problems with Internet Explorer, I stopped using it whenever possible, substituting Firefox, or Opera, or now Iron, for it.
Though I believe nothing is foolproof (they keep improving the quality of fools) I think I can say that with reasonable precautions, the user can assure no problems as long as Internet Explorer is avoided.
Web Statistics and Trends
Statistics are important information. From the statistics below, you can see that Internet Explorer and Firefox are the most common browsers.
Browser Statistics Month by Month
I remember that before Google we already used search on portals for subjects we didn’t know the answer to. 🙂 I used AltaVista (for normal search) and Astalavista (for serials), but now the war is about more than simple search queries and what information is displayed; NOW it is money, and adware generates more money than traditional media, which makes it more interesting for investment, and money generates money.
Google, Bing and Yahoo are the players, but China is making its own search portal (with its own technology), Brazil is doing the same, and India has already said it is going to develop a different way to search; maybe that is going to be the big revolution/evolution, after AltaVista to Google to Wolfram Alpha …. (???)
For those who have never seen WOLFRAM ALPHA working, don’t imagine a new Google, but a different approach to search, more specific and without so many entries, but in my point of view more exact.
As an example I am going to try searching “siberia”.
Using Wolfram Alpha (www.wolframalpha.com) and searching only “siberia” automatically shows me all the information about the land of Siberia.
In GOOGLE “Siberia” is a lot more than the land… but if I need to know more about the land I need to refine my search.
And with BING, which has made a big improvement since last year… “siberia” gives results similar to Google.
This happens because GOOGLE and BING can use my personal information, from previous searches, e-mail and chat that I use:
Google: Gmail, Gtalk, Youtube
Bing: Hotmail, MSN
For that reason I think Wolfram Alpha performs better without surrendering any of my personal information, because one day the information shared with Google, Bing or others is going to become a danger to my identity, but that is another subject and will stay for another day.
Tip: Google Search: “siberia” filetype:doc (and we are going to search only Word documents with the title siberia)
Tips to help you avoid being scammed:
1) There is no such thing as winning the lottery through your email address. If you receive an email saying you were selected through email or told for any other reason you have won a lottery, it is a scam! Do not reply. No matter how tempting it is, please don’t respond. It is for your own good! Lottery scams come in many forms.
2) If you are selling an item online, do not accept a check and wire money back in return. The check will bounce and you will be out the money you sent plus the amount the check bounces. If the deal looks too good to be true, it likely is a scam.
3) Your long-lost cousin, nephew, brother or mother did not die in a car accident. This relates to the “next of kin” or “inheritance” scam. You will not be collecting millions of dollars because someone shares the same last name. These scammers will always ask for money to pay for this document or that permit for funds release, etc. Don’t be fooled, it is a scam!
4) Fred Oboko, George Ubmbuka, or whatever the name of the latest Nigerian Securities and Fuel Efficiencies Committee is not in exile and attempting to transfer a large sum of money out of the country. They do not need your help in transferring the money, they want to scam you out of yours! This is a classical example of the “419” or Nigerian scam.
5) Phishing! Scammers pretending to be legitimate businesses, organizations, institutions, etc. Often a victim will receive an email appearing to look like a “must respond” notice or at times a request to update a password or other information for an account you may hold with a legitimate business. The links in the email are spoofed and when you enter your secret information you are actually sending it right to the scammers. Don’t get caught! A legitimate business will never ask you for your password or private information via email. Always access those sites through your web browser directly, do not use links in an email! Phishing scams likely enter your email inbox daily. Report and delete.
Quantum cryptography, touted by scientists as the ultimate unbreakable code, may turn out to be susceptible to eavesdropping after all when implemented practically, according to a Swedish duo.
“Quantum codes are supposed to guarantee 100 percent security,” says Jan-Ake Larsson, associate professor of mathematics at Linkoeping University, in Sweden. “If they don’t live up to that promise, that’s a problem.”
Larsson and his former graduate student Jorgen Cederlof, who now works for Google, say they have spotted a flaw in practical quantum codes. Their report on this flaw and a patch for the problem appear in the April issue of the IEEE Transactions on Information Theory.
The most secure codes currently in use rely on public-key cryptography, whose security stems from the fact that computers today cannot factor very large numbers within a useful time period. However, in theory, given sufficiently powerful computers, these codes can be cracked.
Quantum cryptography, in contrast, is supposed to be unbreakable, even in theory, because its security is based on a fundamental tenet of quantum mechanics. It turns out that the very act of measurement in quantum mechanics changes the nature of the quantum system being observed. Thus, if an eavesdropper listens in on a quantum message between two parties, he or she changes the message in a way that is detectable. Through a multistep process, quantum encryption systems–and there are at least three on the market now–use the security of quantum mechanics to generate cryptographic keys. These quantum keys are ciphers used to encode and decode messages.
The process of key generation, though based on quantum physics, also requires exchanging some information on a regular “classical” channel. Eavesdropping on the classical channel cannot be detected. One of the final steps in setting up a quantum key is to authenticate the communicating parties–determining that Bob is really talking to Alice, not some eavesdropper.
If there is no authentication, Alice and Bob will be open to a “man in the middle” attack, as it is termed by code breakers. The attack would work like this, Cederlof explains: “Now Eve comes along, buys a couple of [quantum encryption] devices identical to the ones Alice and Bob have, cuts the cables between Alice and Bob, and connects her devices at both ends. Now Alice will think she is talking to Bob, but in reality she is talking to Eve. Eve just acts as Bob would have, and after a while Alice and Eve have created a shared secret key. The same thing happens between Eve and Bob. When Alice tries to send an encrypted message to Bob, she will encrypt it with a key known only to Eve (but which Alice thinks only Bob knows). Eve intercepts the message, decrypts it, reads it, encrypts it with the key she shares with Bob, and sends it to Bob. Alice and Bob never suspect anything.”
The way around this is to communicate classically and make sure Alice is really talking to Bob. But that is exactly where the vulnerability lies.
“To our surprise, the authentication was not secure,” says Larsson. He and Cederlof say that it is difficult to eavesdrop, but the possibility does exist. In their paper they suggest a patch. “The modification we propose is basically an extra exchange of a small amount of random bits on the classical channel,” says Larsson.
According to Tassos Nakassis, a computer scientist at the National Institute of Standards and Technology (NIST), in Gaithersburg, Md., the error may have originated because quantum cryptography is an emerging interdisciplinary field that combines advanced quantum physics with traditional code making. Authentication and its weaknesses may have gotten lost in the conversation between quantum physicists and classical cryptographers.
The Swedes went looking in just the right place for a vulnerability, according to Bruce Schneier, an expert in cryptography and chief technology officer at BT Counterpane, in Santa Clara, Calif. “Authentication has always been a problem with quantum crypto,” he says.
Audrius Berzanskis, chief operating officer at the quantum cryptography systems firm MagiQ Technologies, in New York City, claims his firm’s systems are immune to this kind of attack, because they are overly conservative with respect to how they treat errors in the quantum channel–whether or not the errors are caused by an eavesdropper. This conservatism comes at the cost of the rate at which quantum keys are generated. And Berzanskis adds that Larsson and Cederlof’s patch might allow the key rate to increase. Experts from outside quantum cryptography companies agree that the vulnerability is real, but most think it would be impractical to exploit.
“This is an interesting issue and worthy of the awareness of the community,” says physicist Joshua Bienfang, who works on quantum cryptography at NIST. But he notes that Larsson and Cederlof correctly emphasize that the attack relies on Eve capitalizing on opportunities that occur with very low probability. In their worst-case scenario, with a computationally omnipotent Eve, they estimate it would take something on the order of nine months to break the system. And he says that the patch offered should “firmly shut the door on this type of attack.”
According to a new survey released by Centrify, security is the leading roadblock to virtualization, with 46 percent of respondents reporting security as the most likely cause for a virtualization adoption slowdown. Read on for ways to safeguard.
As channel partners look to help their customers roll out new virtualization projects, some of the top objections they’ll encounter before installing a greater density of virtualized infrastructure revolve around security. According to a new survey released at VMworld this week by Sunnyvale, Calif.-based Centrify, security is the leading roadblock to virtualization, with 46 percent of respondents reporting security as the most likely cause for a virtualization adoption slowdown. Only about 20 percent of respondents reported strong confidence in the security of their virtualized data centers.
The major players in virtualization are cognizant of the security conundrum. In fact, security is such a bugaboo that EMC recently put together a panel of experts from its VMware, Ionix and RSA divisions to come up with some guidelines for securing virtualized environments. The result was a report released this week, Security Compliance in a Virtual World, that outlines five best practices necessary to mitigate risks when virtualizing the environment. Channel Insider examines these five points and how they relate to the channel.
Just as your clients need to harden the configuration of their physical boxes, network switches and appliances, they also need to securely set their virtual machines and virtual switches in the same fashion. Not only that, but the administrative hypervisor also needs to be hardened. This includes patching regularly, uninstalling unused components and configuring secure settings.
“Hardening checklists for virtualization platforms are available from several sources,” the report notes. “Organizations should work with internal and external auditors in selecting the right hardening guide for their organization.”
The report recommends guidelines from Center for Internet Security (CIS) and the Defense Information Systems Agency (DISA) as good established best practices to model after.
Channel partners that skill up their practitioners to understand standards such as these and the general principles behind hardening will greatly benefit their customers and lend themselves an edge in virtualization project bake-offs. Offering to develop and enforce hardening guidelines is an excellent value add to layer on top of virtualization integration, implementation and administration.
It’s theoretically possible for hackers to attack the hypervisor layer specifically, or to take over a VM and use it to attack other VMs, according to Chris Steffen, principal technical architect at Kroll Factual Data, a credit-reporting and financial-information services agency in Loveland, Colo. But this has never happened “in the wild,” so the threat remains theoretical for now.
“You could also have a virus aimed at the BIOS chip on your machine, but we don’t see too many BIOS viruses, any more,” Steffen says.
The biggest problem with VMs, Steffen and MacDonald say, is the potential for IT or security managers to lose control of them simply by not being able to see the risks as they crop up.
The National Security Agency has taken that concern not only to heart, but to software development labs, coming up with a virtual-server management scheme called NetTop that requires a configuration preventing VMs running on the same machine from interfering with one another. It doesn’t solve all the potential configuration problems, but it does concentrate all the security processes within a specific technology layer and development process.
In 2007, the NSA and contractor General Dynamics expanded that security with a workstation running what it calls the High-Assurance Platform—a virtualized operating system that includes a separate layer of code that is responsible for securing both the virtual operating system and application and the data they use.
Most companies don’t need quite that layer of protection, which was designed for Special Forces groups serving overseas. But they do have a range of pressing security concerns—many of which they either don’t recognize, or don’t appreciate fully, MacDonald says. And that’s the base of the problem.
Here’s a look at the five top virtual server security concerns of the moment.
1. Managing oversight and responsibility
The overarching issue with virtual servers is responsibility, MacDonald says. Unlike physical servers, which are the direct responsibility of the data-center or IT managers in whose physical domain they sit, responsibility for virtual servers is often left up in the air. Should the business-unit that requested it be able to configure and secure it? Should it be the IT manager closest to the physical host? A centralized master sysadmin tasked with management and security for all the virtualized assets in an enterprise?
“People don’t appreciate that when you add virtual servers there’s another layer there of technology in addition to the application and the operating system and the hardware, and you have to secure it,” MacDonald says.
2. Patching and maintenance
The most tangible risk that can come out of a lack of responsibility is the failure to keep up with the constant, labor-intensive process of patching, maintaining and securing each virtual server in a company. Unlike the physical servers on which they sit, which are launched and configured by hands-on IT managers who also install the latest patches, virtual machines tend to be launched from server images that may have been created, configured and patched weeks or months before.
Most companies maintain a small number of general-purpose “golden” images from which to launch or relaunch new VMs for many purposes, but also keep dozens or hundreds of server images stored on DVD or disk after being laboriously configured to support specific applications or business requirements, MacDonald says.
“You can take a snapshot of a virtual machine and write it off to disk so you don’t have to recreate it the next time, or for disaster recovery. Just fire off one of these virtual machines sitting in offline libraries. But for the most part they’re not being kept up to date with A/V signatures and patches,” MacDonald says. “Someone should check when they do launch one, but often they don’t, and there isn’t usually a way to check.”
Both Microsoft and VMware supply patch-management schedules with their base infrastructure products. Both require disk images stored in libraries to be launched periodically so they can be patched.
That’s a tedious process for companies with libraries of hundreds of VM images, however, and does nothing to address the patch status of VMs that are running but might not have been patched or had new antivirus signatures installed for weeks or months. Of course, VMware, HP, and many startup companies are trying to help IT automate much of this work right now with management products.
3. Visibility and compliance
Virtual servers are designed to be, if not invisible, then at least very low profile, at least within the data center. All the storage or bandwidth or floor space or electricity they need comes from the physical server on which they sit. To data-center managers not specifically tasked with monitoring all the minute interactions of the VMs inside each host, a set of virtual servers becomes an invisible network within which there are few controls.
“Virtual switch implementations let the VMs talk to each other, and across the network,” MacDonald says. “But unless you put virtualized security controls—virtual sniffers, virtual firewalls, all the same controls you’d use on a physical server, inside that network, you don’t see what’s going on.”
“There are a lot of compliance and use issues,” MacDonald says. “Just because you don’t have a sniffer to see those packets moving between the virtual servers doesn’t mean they’re not there. You could have a HIPAA-controlled workload talking to a non-HIPAA workload, or PCI and non-PCI workloads talking to each other. That puts you in a bad position. You would know if you looked at the packets on that network, but those packets are not coming out of the box for you to look at, so unless you take extra steps, you wouldn’t know.”
Microsoft, VMware and Citrix are all building some level of visibility and control over those interactions into their base products, but the level of function is nowhere near the point that customers will be secure, MacDonald says.
Silicon Valley startup Altor is finding some fans for its virtual firewalls, as is Reflex Systems, which migrated from physical to virtual firewalls to keep up with growth in that market, MacDonald says.
“Cisco’s not there yet, Juniper’s not there; we haven’t reached the tipping point where the traditional networking vendors feel they have to be able to reach into virtual machines,” MacDonald says.
In many cases, customers either don’t know or don’t care about certain risks. A poll of 109 attendees at the RSA Conference 2009 in Las Vegas last month, conducted and published by virtual-security software provider Secure Passage, indicated that 72 percent of respondents have not deployed virtual firewalls of any kind. The most frequent reasons cited: the limited visibility respondents had into virtual networks, the difficulty of managing virtual security and lack of understanding regarding what constitutes a virtual firewall.
VMsafe, the set of APIs that VMware built into the vSphere version of its virtual infrastructure product, makes it possible for third-party security vendors to apply their applications to VMware VMs. The company also announced at the RSA conference that it had built RSA’s data loss prevention software into vSphere to enhance its security.
“They’re making progress,” MacDonald says of VMware and Microsoft. “They’re not where we need them to be yet.”
Simon Crosby, chief technology officer of Citrix Systems, said during a security debate at the RSA conference that security should be built into the applications, not the hypervisor or virtual-infrastructure management products.
He said paying attention to the security configuration guidelines that Citrix and other hypervisor vendors publish can fix most of the security issues and that industry groups such as the Cloud Security Alliance can extend that guidance to include process-management and policy issues.
4. VM sprawl
Another consequence of the lack of oversight of virtual machines is sprawl—the uncontrolled proliferation of virtual machines launched, and often forgotten, by IT managers, developers or business-unit managers who want extra servers for some specific purpose, and lose track of them later.
VM sprawl wastes resources, creates unmonitored servers that could have access to sensitive data, and sets the company as a whole and IT in particular up for a painful cleanup when a problem crops up later, Steffen says.
“We try to treat the VMs in exactly the same way we do physical machines—with system scans, antivirus, and everything else. That includes going through a procurement process for VMs just as if they were physical machines,” Steffen says.
Forcing business unit managers to fill out requisitions and explain why they want an additional VM, for what, and for how long slows the process down, which could be considered inefficient, but also gives everyone involved time to think about how necessary each new VM is.
“We don’t do that if they need to replace a server they’re already running,” Steffen says. “But with VMs you have the potential for VMs to get completely out of hand and have so many out there you can’t do anything about how secure they are.”
The Secure Passage poll of RSA attendees showed 42 percent were concerned about sprawl, specifically the lack of controls available to keep business unit managers from spawning off new servers at will, rather than coordinating with IT to make sure they are managed and secure.
5. Managing Virtual Appliances
One of the very best things about virtual infrastructures is the ability to buy or test a product from a third-party vendor and have it up and running in minutes, rather than having to clear space on a test server, install the software, get it to talk to the operating system and the network and then, hours later, see whether it does what it’s supposed to, MacDonald says.
Unfortunately, virtual appliances are also virtual pigs in a poke. “There’s an operating system and application in every package, every one with its own configuration and patch status, and you have no idea what’s in there or who’s going to maintain it or what the long-term risk is going to be,” MacDonald says. “It has a full application and OS all configured and ready to run. In five minutes you can try out that new anti-spam server. But what OS is in the package and is it patched, and if not, who is going to give you the patch?”