Contents in This Issue
Total Page:16
File Type:pdf, Size:1020Kb
APRIL 2014 Covering the global threat landscape CONTENTS IN THIS ISSUE 2 COMMENT THE END OF AN ERA – THE START Threat intelligence sharing: tying one hand OF A NEW CHAPTER behind our backs Momentous changes are in the pipeline for VB – with an exciting future ahead. Helen Martin 3 ANNOUNCEMENT announces the changes that are in store for the The shape of things to come publication and the company. page 3 MALWARE ANALYSES CHINKS IN THE ARMOUR 4 The curse of Necurs, part 1 The Necurs rootkit is composed of a kernel-mode 6 More fast or more dirty? driver and a user-mode component. The rootkit 10 Tofsee botnet makes use of some very powerful techniques, but fortunately it also has some chinks in its armour. Peter Ferrie describes its strengths and weaknesses. 14 TECHNICAL FEATURE page 4 Back to VBA FILLING THE GAP 22 COMMENTARY Last month’s issue of Virus Bulletin featured a Is the IT security industry up to the new detailed analysis of the Polarbot (a.k.a. Solarbot) challenges to come? trojan. The article covered just about everything you could ever want to know about it – except for one 24 SPOTLIGHT thing: how does a computer end up being infected with this creation? Gabor Szappanos fi lls the gap Greetz from academe: no place to Hyde by detailing one of the infi ltration methods that was used extensively in the attack. 25 END NOTES & NEWS page 14 ISSN 1749-7027 COMMENT ‘We will need to and technical barriers, as well as lack of interest from cybersecurity stakeholders. In my own experience, collaborate and setting up sharing arrangements with corporate and implement standardized government entities involves a bespoke tangle of legal agreements. Once you’re over the legal hurdles, you’re threat data sharing.’ faced with a technical thicket of formats and data Chad Loeven, RSA exchange methods, with no single default standard. THREAT INTELLIGENCE Even within enterprises, data silos are the norm – as we found out recently in trying to set up a sharing SHARING: TYING ONE HAND arrangement with another security vendor. Different BEHIND OUR BACKS product groups each had their own sets of threat data in their own formats, covered by their own partner and The lifeblood of a security vendor is threat data. We sharing agreements, and those were entirely separate consume it, transform it (into threat intelligence), publish from threat data available from the vendor’s own CERT, it and act on it. Regardless of whether our products are which was separate from its customer-facing threat in the consumer space, enterprise, cloud or all of the centre – all this within one enterprise. above, the capacity of our technologies to act effectively in protecting our customers is either driven or validated This is hardly exceptional – the ENISA report noted that (or both) by threat intelligence. email was the primary method for exchange of threat data. Anti-virus vendors have collaborated since the early There’s no shortage of technical standards for exchanging days of the industry, using VirusTotal and other forums threat data – IODEF, STIX, OpenIOCs, and more for sharing malware samples and URLs. But as AV – and certainly secure web services offer better ways of vendors evolve and merge with other security vendors intelligently sharing and updating threat data. So why do and technologies into some variation of ‘advanced threat so many organizations default to email, or perhaps only protection and/or detection’, the shortcomings of current slightly better, dumping fi les to each other via FTP? threat-data-sharing arrangements are becoming apparent. My view is that, while well intentioned, initiatives Despite an alphabet soup of technical standards and like Mitre’s TAXII (Trusted Automated eXchange of 2 3 initiatives, the sharing of threat data remains essentially Indicator Information) protocol and FS-ISAC for an ad-hoc and bespoke process. This is especially true of the fi nancial services industry are too complex, too sharing amongst security vendors and CERTs, if we view fragmented amongst different groups, or both, to achieve the key stakeholders in threat sharing as divided into the widespread adoption they need to be truly effective. four groups: national and government CERTs; security Microsoft recently issued a virtual call to arms4 for vendors; enterprise end-users; and consumer end-users. better industry collaboration with the goal of not just With few exceptions, consumer and enterprise end-users minimizing, but eliminating whole classes of malware. consume threat intelligence indirectly via vendors’ That’s a goal we as an industry can all support. However, products. The real challenge lies where CERTs, agencies in order to be successful, we will need to collaborate and and vendors generate and consume the raw data. implement standardized threat data sharing that is: According to a recent report by ENISA1, the key • Simple enough to accommodate and incorporate problems for effective information sharing are legal existing sample- and URL-sharing arrangements. • Flexible enough to layer on optional sharing of threat 1 http://www.enisa.europa.eu/activities/cert. metadata. Editor: Helen Martin • Able to support sharing of threat metadata through Technical Editor: Dr Morton Swimmer widely adopted and straightforward standards such as Test Team Director: John Hawes OpenIOC and Yara rules. Anti-Spam Test Director: Martijn Grooten Security Test Engineer: Scott James • Able to provide for secure, granular access only by Sales Executive: Allison Sketchley trusted parties. Perl Developer: Tom Gracey I’m up for it. Let’s talk and make it happen. Consulting Editors: 2 Nick FitzGerald, AVG, NZ http://www.mitre.org/capabilities/cybersecurity/partnership. Ian Whalley, Google, USA 3 https://www.fsisac.com/. Dr Richard Ford, Florida Institute of Technology, USA 4 http://www.darkreading.com/vulnerability/microsoft-calls-for- industry-collaborati/240165888. 2 APRIL 2014 VIRUS BULLETIN www.virusbtn.com ANNOUNCEMENT THE SHAPE OF THINGS TO COME they will be released on www.virusbtn.com on a much more frequent (weekly at a minimum) basis. Helen Martin Virus Bulletin Alongside the change in format will be another radical change: from 1 July 2014, all Virus Bulletin content will be freely available to all – subscription fees will no longer The saying goes ‘all good things must come to an end’, but apply1 and there will be no barriers to accessing VB’s in this case impending changes within VB mark not so much content on www.virusbtn.com. an end as a subtle shift in gear for VB. We often talk of knowledge being a powerful weapon in the fi ght against cybercrime – and we hope that making SHAPE SHIFTING VB accessible to all will prove an effective way to reach a First, after 25 years, the format, schedule and subscription signifi cantly wider audience. model of VB’s publications is set to change: the June 2014 issue will be the 300th and fi nal issue of Virus Bulletin in NEW ADVENTURES & FAMILIAR FACES traditional, monthly ‘magazine’ format. Alongside the changes in the format In 1989, when the very fi rst and schedule of the publication are Virus Bulletin rolled off the press some equally momentous changes on a (produced in a black-and-white, more personal scale. After 13 years as printed pamphlet style), there was Editor of Virus Bulletin, the time has only one subscriber and there were come for me to pass the baton on. only 14 viruses known for the IBM PC. For me, the last 13 years have run the full gamut from daunting to Five years on (by which time editor challenging, exhilarating and rewarding Richard Ford was writing about – but now it is time for someone else to embark on that the ‘over 3,000 viruses known to adventure and for me to begin a new one. researchers’), the magazine saw its fi rst layout change – brought The future for VB is tremendously exciting, with two about following feedback from familiar faces stepping up to take on new roles and the magazine’s readership in a bid responsibilities. to provide a better way to get the The role of Editor will be fi lled by message across. Martijn Grooten, who will have overall It was another ten years before VB responsibility for all of VB’s content. saw its next makeover, but it was worth the wait – the now familiar Martijn came to VB in 2007 as a web full-colour design made its entrance developer, but it very soon became clear in 2003 with the intention of giving that his skills, interests and aptitude went the publication an image that would far beyond sprucing up the company’s endure long into the 21st century. web presence. Little more than a year after joining Virus Bulletin he set about designing the Finally, in 2005 we announced methodology for VB’s comparative reviews of anti-spam what would be the greatest products, and he has run the VBSpam tests ever since. change the magazine had seen: in During the last few years he has also worked on developing January 2006, VB embraced the the soon-to-be-introduced VBWeb web fi lter tests, delivered digital age and became a wholly papers at numerous conferences and maintained VB’s blog electronic publication, changing the and social media presence. subscription model and waving a fond farewell to the hard copy pamphlets. Meanwhile, John Hawes will become VB’s Chief of Operations. John will have overall responsibility for It now falls to me to announce even more far-reaching steering the company, as well as continuing to coordinate all changes: from 1st July 2014, while VB will continue to of VB’s testing and certifi cation activity.