Category Archives: Virus

Attack of the Mutant Zombie Flesh Eating Chickens From Mars

Yesterday there was widespread reportage of one of those periodic stories that make media types drool; and make security experts cringe in despair.

However, this ‘summer slow day news story’ was so widely (mis)reported, that it does bear commenting on. The story in question was titled (by the BBC) as “First Human Infected with Computer Virus“. This of course conjures up the idea of a person getting sick, by means of malicious computer code (a claim that is, and will remain for a significant amount of time, well within the realm of science fiction).

What actually happened is much more mundane. It appears that the ‘researcher’ placed a piece of replicating code onto an RFID chip, and used that to infect the reader control system, which could then (at least in theory) pass the code on to other similar RFID devices. So far, so boring. We know that it is possible for storage devices to contain code (malicious or not) and pass that code between themselves via other systems. The difference in this case is that the researcher then injected the ‘infected’ (rather bizarrely he refers to this as ‘corrupted’, making me doubt that it was even a virus) chip into his hand, and claimed that this made him infected.

The news stories all got caught up with the fact that this gave him special Jedi powers enabling him to open doors with a simple wave of his hands (ok, maybe they didn’t exactly say that, but hand waving was involved), or…horror of all horrors….activate his mobile phone. Surely a deadly device if one had ever been made. So; we already know that RFID chips can open doors (after all, that’s a valid use for many of them) and they can carry code. The ONLY difference is that this ‘researcher’ inserted the chip into his flesh. To claim that this makes him ‘infected by a computer virus’ is a bit like saying that if I dropped the same chip into a cup of coffee, a steaming fresh cow pat, or even a mutant zombie flesh eating chicken from Mars, those would also be ‘infected’.

As Graham Cluley pointed out, the only interest that this story might otherwise have generated would be as security research into vulnerabilities of RFID readers. You need a vulnerable reader to get affected by the code, and then you need to be able to write to other RFID tags/chips with that reader to ‘infect’ them. There’s a valid point in that RFID exploits could be used to compromise security and/or privacy – but that’s not new knowledge; we’ve known that for many years.

As Chris Boyd (@paperghost on Twitter) nicely summed up “In conclusion then, “man infected with computer virus” is basically “device for opening doors works as intended”.”

Andrew Lee
AVIEN CEO / CTO K7 Computing

Breaking up is never easy…LoveBug, the day after.

The LoveBug/Loveletter/Iloveyou worm (much more geekishly called VBS/Loveletter.a@mm by, well, AV geeks) has become one of those legendary events in malware history. We’re still writing about it 10 years on; not only that, but many of us will remember exactly where we were and what we were doing when we first heard about it – in fact many more might remember it than were actually there :).

Still, I remember exactly where I was – I was in Reading, at Microsoft headquarters attending a security seminar, and my Blackberry (one of the very early ones, with a greyscale LCD screen) started to go off regularly. I grabbed the next train back to Dorset, got into work, and spent the next ten hours ensuring that nothing bad was going to happen on our network. Many other people have written about their memories of the day – 10 years ago yesterday – including Graham Cluley and Mikko Hypponen, and indeed our own David Harley, and I’ve nothing to add to that. You see – we were using Lotus Notes (~shudder~) and not one single system got infected – although we did get a tremendous amount of email, which very quickly got blocked once we knew the attachment name. No, I remember the Loveletter for what happened 10 years ago TODAY, the 5th of May. And it is a tale I felt worth sharing, about how even good information about one situation is not necessarily applicable across the board.

Although they were not directly under my responsibility, my team had involvement with the IT systems of all the schools across Dorset, and while none of the systems we were responsible for were affected by Loveletter, this was not true of other systems within the schools, which were under the supervision of the schools’ own IT personnel. On the morning of the 5th of May, I sent out a message to everyone on our network to the effect that “Our network was not affected by the VBS/Loveletter worm, and no damage resulted from any mails that were opened within our network, but we request that you remain vigilant and avoid opening attachments that are not work related. We also suggest that you install an Anti-virus product at home, and ensure that any mails with the subject “ILOVEYOU” are deleted without being opened.” This was the very last time I ever sent out such a message, not because it was incorrect, but because the information ended up being spread outside of our organisation – particularly in schools, where I’m sure people felt they were being helpful by forwarding my email – at which point I got several very angry phone calls and emails abusing me for my lack of intelligence. The reason? The information was only true of our organisation, and those whose networks DID end up getting affected (Loveletter also overwrote .jpg/.jpeg images with copies of itself) were angry that I had so downplayed the risks of the worm while they were watching it eat through all the images on their servers and workstations. In fact, many of the schools were running Microsoft Exchange and Outlook, and once their systems were infected, many pupils lost work.

This highlights the fact that information is often specific; it isn’t necessarily relevant to all situations. Think of it like fire extinguishers: they have specific uses on specific types of fires – don’t go spraying a water extinguisher onto an electrical or fat fire, or you will get burned.

User education is often very difficult, and one of the reasons it is so is that there are so many variables, so many different ways that things can go wrong. In a way the Loveletter worm was one of the first phishing attacks – it combined clever social engineering with malicious code to steal passwords. David Harley and I have written fairly extensively on phishing, including examining whether the sort of ‘anti-phishing’ quizzes we’ve seen on some security sites are actually of any use. As far as I’m concerned, the jury is still out – there’s far too little common sense, too much irrelevant information, and it takes (literally) a lifetime to become a security expert; you can’t expect people to learn in five minutes.

As David mentioned yesterday, AVIEN was formed out of the need for non-vendors working in the AV industry to get fast and accurate information about spreading threats – I was glad to find that the instances where such information got so wildly misconstrued as in my Loveletter incident were few and far between. AVIEN also has its 10th birthday this year – more of that later in the year.

As an aside, I later applied for a job at one of the schools that had been affected, imagine how my heart sank when my interviewer turned out to be one of the people who had written me an angry email…no, I didn’t get the job! Anyway, it’s all water under the bridge, and since it is the 5th of May, my greetings to all my Mexican/Southern Californian friends, who will no doubt be regretting their today’s activities tomorrow morning.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Another Anniversary

As I’ve pointed out elsewhere, it’s been something of a year of anniversaries. And as Mikko Hypponen has pointed out at http://www.f-secure.com/weblog/archives/00001846.html, around this time ten years ago we were preparing for global chaos as the Millennium Bug bit.

Well, actually, it largely passed me by. The institution I worked for decided that Y2K had no security implications, and in fact wasn’t really an IT issue, so they handed it over to the library to manage, though the IT department still did all the actual work, as far as I remember. In the event, I believe one piece of lab equipment malfunctioned when everything was switched on again after an enforced break over the New Year: not, as I remember, in any critical way, but it was ten years ago.

In fact, my principal memories are of going to bed early on New Year’s Eve and being awoken by a thunderous firework display over East London, and of fielding an awful lot of questions about those Y2K viruses that never turned up. And of being rapped over the knuckles after the event for hinting in an article for an in-house publication that there had ever been any risk of an unforeseen event. It’s always reassuring to work for people who know everything about everything.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Virus Proofing

Randy Abrams put up a blog post yesterday at http://www.eset.com/threat-center/blog/2009/11/20/what-if-your-virusproof-computer-catches-a-virus about “Virus Proof Computers”: I guess he was referring to the PCs and laptops being marketed by an Australian company called Setup Complete, a merry band of PC techs based in Sydney.

After reading Randy’s article, I thought I’d take a look myself.

The page at http://virusproofcomputers.com.au/how_it_works.htm tells me that I don’t need to know “HOW it works, just that it DOES work!” Nice. Old time antivirus marketing hype in a nutshell. “Trust me, I’m a vendor.” No wonder Randy was a little acerbic. (No, it isn’t true that ESET personnel are required to take a course in advanced sarcasm before they’re allowed to blog, but it might not be a bad idea.)

There is a little information there including, it turns out, a brief Youtube video that gives you a bit of an idea of what’s happening. It seems to be a dual boot arrangement, where you boot into zone 1 (Virus Proof Surfing) or zone 2, which is “just computing that we can’t sort out with the virus proof [settings?]”. The zone 1 desktop as shown in the video is nearly unreadable on my screen, but appears to be based on the use of Foxpro for surfing and, by the look, an open-source office package for other jobs like editing Word documents.

The five-year warranty as “additional protection” is mentioned in the press release here: http://www.seekingmedia.com.au/news.php?newsid=857&g=-1

Despite the statement that “We know that our computers are totally virus proof, but as an added protection we are offering any customers who buy the computers a full five-year warranty that they will not contract a virus within that time” it seems that restitution is limited to restoring the machine to the condition it was in when originally shipped.

Does this sound as if I’m less than impressed? Not at all. It appears from http://www.setupcomplete.com/spyware.html that the company were not only able to clean spyware from an infected computer (heck, we can do that and we’re only an anti-malware company), but also to get the owner’s bank to restore $3,700 that was stolen from him. (Not, presumably, by the bank, and not, presumably, from a Virus Proof PC.)

Now getting that sort of banking service is impressive. 😉

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

The Death of the Virus

Yet again, New Scientist shows us the way to put ourselves out of business. (Yippee, retirement at last!)

Years ago on alt.comp.virus, someone came up with an astonishing solution to the virus problem. Since all virus detection is signature-based (ahem! really?), why not generate all the possible malware signatures proactively, so that viruses would be detected before they’re written? I did try to explain the difficulties of that approach at the time, but I was handicapped by gales of helpless laughter that seriously impaired my typing.

Now those tremendously clever chaps at Qinetiq have invented a whole new wheel. They’re in the process of patenting a process that will “intercept every file that could possibly hide a virus” (cool: they could call it something like, oh I don’t know, generic filtering…) and “add a string of computer code to it” (another cool idea: perhaps they could call it “immunization”). Not just any computer code, but (gasp) machine code (please stop tittering at the back there) which will be inserted into the file headers to stop it executing, in the event of its turning out to be a program. If it isn’t a program, apparently the code will have no effect (I’m sure we can assume that no application worth having will be confused by having alien code inserted into data file headers…). If it is a program, it will either be stopped in its tracks or sent into an infinite loop. Would that be an infinite binary loop, then? I guess they’re borrowing some code from Good Times.

Apparently this countermeasure will be introduced onto mailservers, on account of all those pesky attachments. Presumably, once this is implemented as an actual product, they’ll resume work on eliminating the millennium bug before they start on Trojans.

Originally, I was planning to insert a few satirical comments here. But somehow it seems like redundant effort.

Tip of the hat to @DaleInnis for drawing my attention to this gem.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET