<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecurityNowBlog&#187; SecurityNowBlog-Network Security</title>
	<atom:link href="http://www.blueridgenetworks.com/securitynowblog/category/endpoint_security/feed" rel="self" type="application/rss+xml" />
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Secure Communications</description>
	<lastBuildDate>Wed, 28 Sep 2011 18:27:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Does CSA&apos;s End-of-Life Signal the End of HIPS?</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/does-csas-end-of-life-signal-the-end-of-hips</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/does-csas-end-of-life-signal-the-end-of-hips#comments</comments>
		<pubDate>Wed, 28 Sep 2011 18:12:26 +0000</pubDate>
		<dc:creator>Fatih Comlekoglu, Chief Software Architect</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=402</guid>
		<description><![CDATA[With software maintenance ending in December 2011, Cisco Security Agent (CSA) reaches end of life. Originally Okena's StormWatch, first introduced in the late nineties, the product was acquired by Cisco in 2003 and renamed CSA. Other security vendors acquired similar Host Intrusion Prevention System (HIPS) products of the same era. CSA's end-of-life is also [...]]]></description>
			<content:encoded><![CDATA[<p>With software maintenance ending in December 2011, Cisco Security Agent (CSA) reaches end of life. Originally Okena’s StormWatch, first introduced in the late nineties, the product was acquired by Cisco in 2003 and renamed CSA. Other security vendors acquired similar Host Intrusion Prevention System (HIPS) products of the same era. CSA’s end-of-life also confirms the end of an era for HIPS, even though similar HIPS products are still being marketed by those same vendors.<span id="more-402"></span></p>
<p>The new owners of the acquired HIPS products never improved them to address today’s threats. Designed for the malware of the Windows 95 and Windows 2000 era, these HIPS products stayed frozen in time. As Windows evolved over a decade through Vista and Windows 7, Microsoft introduced protections of its own: DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), SEH overwrite protections (SafeSEH and SEHOP) that prevent arbitrary code execution through exception-handling paths, and UAC. After these changes, the decade-old HIPS defenses built for Windows 95 and Windows 2000 era malware became irrelevant. Meanwhile a new generation of malware no longer needed local administrative rights to cause damage, and HIPS solutions were helpless and useless against it.</p>
<p>HIPS products were too focused on the antiquated application anomalies of the Windows 2000 era and on unpredictable application behaviors. This resulted in per-application tuning of rules, false positives, and pop-up dialog boxes asking users to make advanced security decisions. Rules and exceptions had to be formed per application, and every application update re-opened them, creating a tremendous day-to-day burden on administrators managing thousands of applications. The millions of events generated daily paralyzed administrators of even the smallest deployments.</p>
<h3>THE MYTH OF WHITELISTING AND THE NEED FOR THE NEXT GENERATION OF WHITELISTING</h3>
<p>Today, the same experts who led us into the HIPS cul-de-sac are telling audiences that traditional whitelisting is the silver bullet for malware defense. Although HIPS and traditional whitelisting are vastly different technologies, they share the same weakness: both carry so much day-to-day administrative overhead that managing the product itself becomes the central activity, as opposed to protecting the enterprise. While HIPS administrators had to worry about constantly tuning HIPS rules, traditional whitelisting products require administrators to worry about software updates and security patches, ensuring that new signatures reach the endpoints before the patches and updates can be applied.<br />
Traditional whitelisting solutions rely on a myth: that if an application is signed and approved, the application is safe. Today malware can easily hijack a perfectly legitimate, signed, whitelisted application at run time. The hijacked application can encrypt the user’s data and demand a ransom for the decryption key. A hijacked application can “migrate” to another perfectly whitelisted application by altering the Windows registry, by performing code injection, or by modifying the memory of a running process. Or a whitelisted application could peek into the memory of an important financial application to steal financial data, or steal the contents of the user’s files by reading them and uploading them to a server on the Internet.</p>
<h3>THE NEXT GENERATION SOLUTION</h3>
<p>Enterprises and consumers deserve better protection against today’s ever-evolving malware: dynamic whitelisting that not only checks whether an application is genuine at start-up but also protects the application at run time from being hijacked. The draconian techniques used by HIPS and traditional whitelisting solutions are not usable. A next-generation solution should not hinder users from downloading and running applications of their choice, nor should users need to worry about whether a downloaded PDF or Word document has malicious content. Next-generation solutions should give users that freedom yet protect the entire system from user-downloaded content and user-downloaded programs.</p>
<p><a href="http://info.blueridgenetworks.com/wp/blended-enterprise-malware-attacks/"><img class="size-full wp-image-397 alignleft" style="padding-right:12px;" title="white-paper-home" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2011/01/white-paper-home.jpg" alt="white-paper-home" width="175" height="146" /></a><a href="http://www.blueridgenetworks.com/docs/AppGuard-Enterprise-Datasheet-915.pdf"><img class="size-full wp-image-399 alignleft" title="datasheet-appguard" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2011/01/datasheet-appguard.jpg" alt="datasheet-appguard" width="175" height="146" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/does-csas-end-of-life-signal-the-end-of-hips/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Application Whitelisting- Combining Pre-Launch and Post-Launch Controls Increases Protection and Reduces Work</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/application-whitelisting-pre-launch-post-launch-controls-more-protection-less-administration</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/application-whitelisting-pre-launch-post-launch-controls-more-protection-less-administration#comments</comments>
		<pubDate>Sun, 30 Jan 2011 19:13:35 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=356</guid>
		<description><![CDATA[The net result of combined pre-launch and post-launch application controls can reduce the required level of effort to less than 10% of that of typical whitelisting products.  User-space whitelisting requires less than 5%.  Post-launch controls require less than 5% also.  This combination actually yields a net improvement in protection assurance from even the most sophisticated, targeted malicious code attacks facing the enterprise today and tomorrow.]]></description>
			<content:encoded><![CDATA[<p>Security experts say application whitelisting is the enterprise answer to deteriorating antivirus detection rates. Gartner’s use of the term “Application Control and Whitelisting”, rather than just “Application Whitelisting”, reveals the need to close the remaining gaps with post-launch controls. However, application whitelisting requires a considerable level of effort. Even so, decision-makers can make practical choices today that mitigate their growing risks without overwhelming IT resources.<span id="more-356"></span></p>
<h3><span style="color: #000000;">Application Whitelisting is a Pre-Launch Control, Allowing/Denying Application Launches</span></h3>
<p>Application whitelisting determines what may launch and suppresses everything else, including malware missed by antivirus. This stops malicious code attacks without depending on the hopeless race to update signature databases as fast as cyber criminals create or re-craft malware with different “fingerprints”.</p>
<h3><span style="color: #000000;">Pre-Launch Application Controls Alone Miss Sophisticated Attack Vectors</span></h3>
<p>All applications have inherent vulnerabilities. Malicious code attacks exploit these vulnerabilities, effectively hijacking an application. The hijacked application is coerced into downloading and launching a malicious executable, which either installs persistent malware or conducts malicious operations itself. Pre-launch application controls typically block these launches.</p>
<p>However, more sophisticated attacks do not rely on launching an executable. Instead, they either coerce the hijacked application itself to do the work or they conduct memory code injections that essentially transform other whitelisted applications into something else. Pre-launch controls do not stop these attacks.</p>
<h3><span style="color: #000000;">Whitelisted Applications Cannot be Trusted, Post-Launch Controls Are Needed</span></h3>
<p>With commonly whitelisted applications such as Adobe Reader frequently exploited in many different ways, one can see why applications cannot be trusted once they launch. Post-launch application controls are needed to prevent them from harming computers. Such controls primarily block write operations to a relatively small list of common targets, which seldom changes. Hence administration can be easy, and a major protection gap in application whitelisting is closed. Look for controls that do not need to know in advance which DLLs an application loads or which executables it spawns.</p>
<h3><span style="color: #000000;">Executive View: Simplify Whitelisting by Dividing it into User-Space and System-Space</span></h3>
<p>• System-Space: operating system, Windows registry, 3rd party software, etc.<br />
• User-space: user’s documents, ‘Desktop’, and some software such as GotoMeeting</p>
<p>Over 95% of the effort to deploy a typical whitelisting product is spent enumerating and updating the system-space whitelist (i.e., what may launch). The user-space whitelist is trivial in comparison, typically fewer than a dozen applications and trusted publishers (i.e., allowing launches of executables signed by specified software publishers). If only user-space had to be whitelisted, deployments could be easier than enterprise email administration.</p>
<h3><span style="color: #000000;">Combined Pre/Post-Launch Controls Slashes Level of Effort, Increases Protection</span></h3>
<p>The net result of combined pre-launch and post-launch application controls can reduce the required level of effort to less than 10% of that of typical whitelisting products. User-space whitelisting requires less than 5%. Post-launch controls require less than 5% also. This combination actually yields a net improvement in protection assurance from even the most sophisticated, targeted malicious code attacks facing the enterprise today and tomorrow.</p>
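<p>The split into pre-launch and post-launch controls, and the user-space/system-space division behind it, can be made concrete with a small policy engine. What follows is an added example written for this page; it is not AppGuard code and not part of the original post. The directory roots, the protected registry key and device path, the publisher name, the hashes and the event stream are all constructed for illustration, and the event model (launch, write and inject events carrying pid/ppid) is an assumption of the example rather than anything the post describes. It also covers the run-time hijacking of signed, whitelisted applications discussed in the CSA post above.</p>

```python
"""Toy policy engine for the pre-launch / post-launch split described above.
Added illustration, not code from the original post or from AppGuard; the
paths, publisher name, hash values and event stream are all constructed."""

SYSTEM_SPACE = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Post-launch write targets a guarded process may never modify: short, seldom changes.
PROTECTED_TARGETS = SYSTEM_SPACE + (
    r"\\.\PhysicalDrive0",                                  # raw disk / MBR
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",  # autostart key
)

def _norm(path):
    return path.lower().rstrip("\\")

def in_tree(path, roots):
    """True if path equals one of roots or lies beneath it (case-insensitive)."""
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "\\") for r in roots)

class Policy:
    def __init__(self, trusted_publishers, user_space_hashes, guarded_images):
        self.trusted_publishers = set(trusted_publishers)
        self.user_space_hashes = set(user_space_hashes)
        self.guarded_images = {_norm(i) for i in guarded_images}

def pre_launch(policy, image, publisher=None, sha256=None):
    """Pre-launch control: what may start. System-space images are allowed
    without being enumerated because post-launch controls keep unknown files
    out of system-space; user-space launches must match the small whitelist."""
    if in_tree(image, SYSTEM_SPACE):
        return "allow", "system-space image"
    if publisher is not None and publisher in policy.trusted_publishers:
        return "allow", "trusted publisher"
    if sha256 is not None and sha256 in policy.user_space_hashes:
        return "allow", "whitelisted hash"
    return "deny", "unknown user-space executable"

class Monitor:
    """Pre-launch control on launches; post-launch control on guarded processes and their children."""

    def __init__(self, policy):
        self.policy, self.guarded_pids, self.log = policy, set(), []

    def handle(self, ev):
        kind = ev["kind"]
        if kind == "launch":
            verdict, why = pre_launch(self.policy, ev["image"],
                                      ev.get("publisher"), ev.get("sha256"))
            guarded = (_norm(ev["image"]) in self.policy.guarded_images
                       or ev["ppid"] in self.guarded_pids)
            if verdict == "allow" and guarded:
                self.guarded_pids.add(ev["pid"])  # children inherit guarding
        elif kind == "write":
            if ev["pid"] in self.guarded_pids and in_tree(ev["target"], PROTECTED_TARGETS):
                verdict, why = "deny", "guarded process writing a protected target"
            else:
                verdict, why = "allow", "unguarded process or unprotected target"
        elif kind == "inject":  # OpenProcess/WriteProcessMemory/CreateRemoteThread style
            if ev["pid"] in self.guarded_pids:
                verdict, why = "deny", "code injection attempt by guarded process"
            else:
                verdict, why = "allow", "unguarded process"
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        self.log.append((verdict, kind, why))
        return verdict

# Constructed scenario: a guarded PDF reader is exploited, drops a downloader in
# user-space, tries to launch it, then tries to persist and to inject.
POLICY = Policy(
    trusted_publishers={"Example Meeting Software Inc."},  # constructed name
    user_space_hashes={"a3f1" * 16},                       # constructed hash
    guarded_images={r"C:\Program Files\Adobe\Reader\AcroRd32.exe"},
)
EVENTS = [
    {"kind": "launch", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"kind": "launch", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe"},
    {"kind": "write", "pid": 200, "target": r"C:\Users\alice\AppData\Local\Temp\dl.exe"},
    {"kind": "launch", "pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\dl.exe",
     "sha256": "deadbeef" * 8},
    {"kind": "write", "pid": 200, "target": r"C:\Windows\System32\drivers\evil.sys"},
    {"kind": "write", "pid": 200, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"kind": "inject", "pid": 200, "target_pid": 100},
    {"kind": "launch", "pid": 500, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "write", "pid": 500, "target": r"C:\Windows\Tasks\sync.job"},
    {"kind": "launch", "pid": 400, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\Meet\meet.exe",
     "publisher": "Example Meeting Software Inc."},
    {"kind": "write", "pid": 400, "target": r"C:\Users\alice\Documents\notes.txt"},
]

def run(events=EVENTS, policy=POLICY):
    """Return the verdict for every event, in order."""
    mon = Monitor(policy)
    return [mon.handle(ev) for ev in events]

if __name__ == "__main__":
    mon = Monitor(POLICY)
    for ev in EVENTS:
        print(f"{mon.handle(ev):5} {ev['kind']:6} {mon.log[-1][2]}")
```

<p>Note what the scenario exercises: the downloader dropped under the user profile is denied at launch by the small user-space whitelist; the guarded reader’s attempts to write a driver, to add an autostart key, and to inject into explorer are denied post-launch; and cmd.exe spawned by the reader inherits guarding, so its write under C:\Windows is denied too. The only items anyone had to enumerate for user-space are one trusted publisher and one hash.</p>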
<h3><span style="color: #000000;">What if System-Space is Compromised Prior to Deployment?</span></h3>
<p>If malicious code is already in system-space, then it is almost certainly rootkit malware. Third-generation rootkits are practically undetectable and are a preferred tool in targeted enterprise attacks. If attackers can penetrate system-space, they are motivated to use them. Even system-space whitelisting with binary file hash checksum integrity checks is ineffective against them. There are promising possibilities for the future, but none exist now. <strong><span style="color: #000080;">The executive bottom line: the operational cost of system-space whitelisting far outweighs its value in comparison to solutions that effectively combine pre-launch and post-launch controls. Prevention is critical!</span></strong></p>
<h3>Gartner has Identified Blue Ridge as an Emerging Vendor in Application Whitelisting and Control</h3>
<p>Our advocacy of emphasizing usability in the application of cyber security is paying off. Customers can deploy and administer <a title="More Effective Application Whitelisting with Less Effort" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a>, with its pre-launch and post-launch controls, at a fraction of the effort of other application whitelisting products, yet with greater effective protection. Those that also need to monitor and enforce endpoint security postures on and off the enterprise can find all that integrated in our <a title="Application Whitelisting Protection and Endpoint Control and Audit" href="http://www.blueridgenetworks.com/products/appguard-enterprise-plus.php" target="_self">AppGuard Enterprise Plus</a> centrally managed software. Both AppGuard Enterprise and AppGuard Enterprise Plus support domain and non-domain Windows computers. All of these capabilities are available as a <a title="Managed Security Service Endpoint Application Whitelisting Security Configuration Enforcement Monitoring and Audit" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_self">Managed Endpoint Security Service</a>.</p>
<p><a href="http://info.blueridgenetworks.com/wp/blended-enterprise-malware-attacks/"><img class="size-full wp-image-397 alignleft" title="white-paper-home" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2011/01/white-paper-home.jpg" alt="white-paper-home" width="175" height="146" style="padding-right:12px;"/></a><a href="http://www.blueridgenetworks.com/docs/AppGuard-Enterprise-Datasheet-915.pdf"><img class="size-full wp-image-399 alignleft" title="datasheet-appguard" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2011/01/datasheet-appguard.jpg" alt="datasheet-appguard" width="175" height="146" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/application-whitelisting-pre-launch-post-launch-controls-more-protection-less-administration/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stuxnet-Hysteria Aside, What Are the Enterprise Implications?</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/stuxnet-threat-protection-application-whitelisting-post-launch-control</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/stuxnet-threat-protection-application-whitelisting-post-launch-control#comments</comments>
		<pubDate>Thu, 02 Dec 2010 18:13:39 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=346</guid>
		<description><![CDATA[Set aside the IT magazines&#8217; doom and gloom about Stuxnet.  It&#8217;s a threat because it combines multiple exploits into a lethal cocktail.  None of the individual exploits is particularly unusual.  Adapting to this threat can be simple.  But sticking with the typical enterprise security posture as-is makes organizations an easy target.
The highly [...]]]></description>
			<content:encoded><![CDATA[<p>Set aside the IT magazines&#8217; doom and gloom about Stuxnet.  It&#8217;s a threat because it combines multiple exploits into a lethal cocktail.  None of the individual exploits is particularly unusual.  Adapting to this threat can be simple.  But sticking with the typical enterprise security posture as-is makes organizations an easy target.<span id="more-346"></span></p>
<p>The highly publicized Stuxnet attack on Iranian nuclear infrastructure computers combined four exploits in a single package.  Most consumer attacks, and even most targeted enterprise attacks, use only one; some use two.  More on that later.  Attacks with one or two exploits are typically quite sufficient for cyber criminals because the vast majority of consumer and enterprise computers are protected by software and/or network appliances that rely on virus signatures and heuristics.  These technologies limit protection to stopping malware that anti-virus vendors have already seen.</p>
<p>Cyber criminals employ easy-to-use software called &#8216;malware kits&#8217; that alter the appearance of attack code.  The result is unsettling.  Against malware samples a week or less old, Cyveillance measured an average detection rate of just 19% for AV products.  AV-Comparatives conducted a similar test that also included heuristics, which have similar limitations, and reported a rate of 44%.  Both used actual samples found in the wild, meaning something must have detected them.  Secunia took a different approach, using unique malware samples that it created, and measured a detection rate of under 10%.  This has caused a shift towards post-infection detection, making the full AV scans that typically run at night increasingly too important to ignore.  So, keep those PCs on at night!  This alone won&#8217;t solve the problem: more and more polymorphic malware is available for sale on the black market, and it changes itself periodically to avoid post-infection detection.</p>
<p>Do you know what percentage of your reported AV detections come from full scans versus real-time detection?  How long had the infections caught by full scans been running?  What are the average, highest, and lowest number of days between full scans across your computer population?  How often do you scan a statistically significant sample of your computers with a bootable AV product to test your security posture?  These questions and others were very important long before Stuxnet was reported.  Stuxnet, however, means that infections can be a lot more lethal.</p>
<p>Stuxnet and the ensuing copycats are lethal because they include at least a second exploit, one for a privilege escalation vulnerability.  These vulnerabilities don&#8217;t always get a high priority in patch management because many don&#8217;t consider them a major risk on their own.  Combined with the initial exploit, however, they let attackers dig deeper into a targeted PC and root the malware such that no host-based software can detect it (i.e., a 3rd generation rootkit).  Stuxnet included not one but two privilege escalation exploits in its cocktail so that it could systematically compromise any computer.</p>
<p>Stuxnet featured another aspect relevant to enterprises in many, though not all, industries.  It sought to hijack control software made by Siemens, presumably to damage costly nuclear infrastructure run by Iran.  This was probably accomplished via inter-process code injection into the control software from malware running on the same PC.  This does NOT require a vulnerability (i.e., a programming mistake) in the control software; Windows APIs facilitate this routinely.  Very few security products effectively block these inter-process code injections, either because they cannot or because they are too disruptive and complex.  Inter-process code injection attacks effectively transform an application into something else, or selectively alter its behavior.  The latter requires sophisticated analysis of the targeted application&#8217;s idiosyncrasies and is uncommon, but increasingly affordable in the cyber crime world.  Stuxnet-like threats are particularly relevant to the energy and utility industries, which can suffer serious damage to their infrastructure.  Healthcare and manufacturing face similar risks.  In addition to the already widespread online banking fraud by banking Trojans, Stuxnet-like malware can readily compromise enterprise financial systems.</p>
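<p>The posture questions above are answerable from an ordinary AV console export. The script below is an added example for this page, not part of the original post and not tied to any particular AV product: it computes the share of detections that came from full scans rather than real-time protection, how long each full-scan-detected infection had been on disk, and the average, highest and lowest gap between consecutive full scans across the fleet. The CSV export, its field names and every host, threat and timestamp in it are constructed; a real console will name these columns differently.</p>

```python
"""Posture metrics for the questions above: detections from full scans vs
real-time, how long full-scan-detected infections ran, and the spread of
days between full scans. Added example, not from the original post; the
log export below is constructed (real consoles use other field names)."""
import csv
import io
from datetime import datetime
from statistics import mean

# Constructed AV console export: one row per full scan or detection event.
AV_LOG = """\
host,event,timestamp,threat,file_created
pc01,full_scan,2010-11-01T02:00,,
pc01,detection_realtime,2010-11-03T14:21,Trojan.Downloader,2010-11-03T14:21
pc01,full_scan,2010-11-08T02:00,,
pc01,detection_fullscan,2010-11-08T02:14,Koobface.gen,2010-10-29T18:02
pc01,full_scan,2010-11-15T02:00,,
pc02,full_scan,2010-11-01T02:00,,
pc02,full_scan,2010-11-22T02:00,,
pc02,detection_fullscan,2010-11-22T02:31,Generic.Trojan,2010-11-10T09:45
pc03,full_scan,2010-11-06T02:00,,
pc03,detection_realtime,2010-11-20T10:05,Exploit.PDF,2010-11-20T10:05
pc03,full_scan,2010-11-05T02:00,,
"""

def parse(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        r["file_created"] = (datetime.fromisoformat(r["file_created"])
                             if r["file_created"] else None)
    return rows

def _days(delta):
    return round(delta.total_seconds() / 86400, 1)

def detection_mix(rows):
    """Share of detections that came from scheduled full scans rather than
    real-time protection. A high share means infections are being caught
    late, after they have already run."""
    det = [r for r in rows if r["event"].startswith("detection_")]
    full = sum(1 for r in det if r["event"] == "detection_fullscan")
    return {"total": len(det), "fullscan": full, "realtime": len(det) - full,
            "fullscan_pct": round(100.0 * full / len(det), 1) if det else 0.0}

def fullscan_dwell_days(rows):
    """Days between the malicious file's creation and its full-scan detection:
    a lower bound on how long each infection ran undetected."""
    return {f"{r['host']}:{r['threat']}": _days(r["timestamp"] - r["file_created"])
            for r in rows if r["event"] == "detection_fullscan" and r["file_created"]}

def fullscan_interval_stats(rows):
    """Average, highest and lowest number of days between consecutive full
    scans, over the whole population (each host's scans sorted first)."""
    by_host = {}
    for r in rows:
        if r["event"] == "full_scan":
            by_host.setdefault(r["host"], []).append(r["timestamp"])
    gaps = [_days(b - a) for ts in by_host.values()
            for a, b in zip(sorted(ts), sorted(ts)[1:])]
    if not gaps:
        return None
    return {"avg": round(mean(gaps), 1), "max": max(gaps), "min": min(gaps)}

if __name__ == "__main__":
    rows = parse(AV_LOG)
    print("detection mix:", detection_mix(rows))
    print("full-scan dwell (days):", fullscan_dwell_days(rows))
    print("days between full scans:", fullscan_interval_stats(rows))
```

<p>On the constructed export, half of the detections came from full scans, the two full-scan catches had been on disk for roughly 9 and 12 days, and the gap between full scans ranged from one day to three weeks. The dwell figure uses the file creation time, which is a lower bound: a file can be backdated, and the infection may have arrived earlier than the dropped file.</p>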
<h2><strong>The Enterprise Needs Another Layer of Protection in its Security Posture</strong></h2>
<p>There are a variety of products from many vendors that might stop Stuxnet attacks. Forget about standalone host intrusion prevention system (HIPS) products or HIPS features included in an endpoint security suite.  Deployed HIPS features and products are either disabled completely or severely under-utilized because they are too complex and disruptive.  The much hyped Aurora attacks on three dozen large enterprises in early 2010 reportedly included Symantec, according to the Washington Post.  If Symantec isn&#8217;t using its HIPS capabilities to effectively stop attacks, then forget HIPS.  Many have, including Cisco, which end-of-lifed its HIPS product.</p>
<p>Application whitelisting products show greater promise than HIPS products.  Still, there are some points IT personnel should consider.  First, what is the level of effort required to enumerate everything on a PC that may launch (i.e., run)?  Commercial whitelists help administrators with the daunting task of enumerating what we call pre-launch controls.  Even so, creating and maintaining whitelists for the system-space (i.e., the Windows and Program Files directories) is far from trivial.  Seek explicit level-of-effort quotes from organizations that have done this.  Second, look for application whitelisting products with post-launch controls.  As mentioned earlier, applications can be hijacked and coerced to do harm.  We cannot trust our software applications!  A few application whitelisting products provide what some call &#8216;write protection&#8217;, meaning that the files that make up the whitelisted applications cannot be altered.  Narrow your search further to the few that not only &#8216;write protect&#8217; whitelisted &#8216;stuff&#8217; but also prevent the addition of unknown files or code to system-space.  Third, choose a product whose pre-launch and post-launch application controls are both enforced by kernel-level mechanisms.  Fourth, your choice must include post-launch controls that block malicious inter-process code injections as well as modifications to critical system resources such as the master boot record (MBR).</p>
<p>A point worth repeating: the level of effort to deploy and maintain is extremely important.  In deploying an application whitelisting and control product, one is NOT replacing existing security assets (e.g., anti-virus/spyware, firewall, intrusion detection/prevention, patch management, endpoint security policy enforcement, data loss prevention, information asset inventory systems, next-generation firewall, etc.) but adding an additional layer.</p>
<h2><strong>Why AppGuard Enterprise is Probably the Easiest and Most Effective Application Whitelisting and Control Solution</strong></h2>
<p><strong><span style="color: #800000;">The default AppGuard Enterprise policy blocks a Stuxnet-like attack.</span></strong></p>
<p>Over 90% of the effort required to maintain application whitelists (i.e., pre-launch controls) goes into enumerating what may run in system-space.  <a title="application whitelisting and control that takes a few minutes to define a highly effective protection  policy" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a> radically diminishes the importance of doing this for system-space because of its extensive post-launch application controls.  Administrators still must define whitelists for user-space (i.e., where least-privilege users and processes can write).  Such lists are thousands of times smaller than system-space whitelists, typically just a few items per policy group.  Next, administrators review the results of a process audit that identifies applications in use that are not yet subject to AppGuard post-launch controls.  Those controls prevent an application, and any executable or process it spawns, from harming the PC; they can also prevent an application from stealing sensitive documents in user folders designated private.  So, assume the audit identifies a half-dozen applications in use that are not &#8216;guarded&#8217;.  Adding them to the &#8216;guard list&#8217; merely requires their full path names.  Not all of them need to be guarded, though they can be; essentially, one only needs to guard at-risk applications such as web browsers, email clients, popular productivity software (e.g., MS Office), media players, and instant messengers, and most of these are already on the &#8216;guard list&#8217; by default.  <strong>Defining the pre-launch and post-launch controls for a policy group can literally take just a few minutes.</strong> And this combination of pre-launch and post-launch controls yields more robust protection from malware and other data loss risks.</p>
<p><strong><span style="color: #800000;">In just one phone call, we can define a highly effective protection policy for an organization as a <a title="managed endpoint security for application whitelisting and control as well as security configuration management" href="http://www.blueridgenetworks.com/products/managed-endpoint-security-service.php">managed service</a> or just a free trial before doing it yourself.</span></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/stuxnet-threat-protection-application-whitelisting-post-launch-control/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Another Horror Story of Websites Attacking Visitors</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/thousands-websites-drive-by-download-attack-internet-explorer-adobe-reader-acrobat-widget</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/thousands-websites-drive-by-download-attack-internet-explorer-adobe-reader-acrobat-widget#comments</comments>
		<pubDate>Wed, 18 Aug 2010 15:38:33 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=334</guid>
		<description><![CDATA[Since January 2010, over 100,000 and possibly up to 5,000,000 websites have been unleashing drive-by download attacks on visitors using Internet Explorer or Adobe Reader/Acrobat.  As of less than a week ago, fewer than half of the roughly 50 leading antivirus products were detecting the attack.  If during this time you visited a website without any [...]]]></description>
			<content:encoded><![CDATA[<p>Since January 2010, over 100,000 and possibly up to 5,000,000 websites have been unleashing drive-by download attacks on visitors using Internet Explorer or Adobe Reader/Acrobat.  As of less than a week ago, fewer than half of the roughly 50 leading antivirus products were detecting the attack.  If during this time you visited a website without any content yet, just boilerplate along the lines of &#8216;under construction&#8217; because the owner hasn&#8217;t posted anything, and that &#8220;parked&#8221; page was hosted by Network Solutions Inc., which may be the largest such host in the industry, then your computer may be infected!<span id="more-334"></span></p>
<p>There are millions of &#8220;parked&#8221; websites.  Visitors reach them by arbitrarily typing in a URL, misspelling one, clicking an erroneous link, or clicking a search result.  Firms such as Network Solutions Inc. host these &#8220;parked&#8221; websites and place advertisements and other content on them.  In this horror story, a JavaScript &#8220;widget&#8221; called &#8220;Small Business Success Index&#8221; was hosted on these &#8220;parked&#8221; websites.  Attackers had altered it to launch drive-by download attacks on visitors, exploiting zero day vulnerabilities in either Internet Explorer or Adobe Acrobat/Reader.  Network Solutions Inc. asserts that its in-house investigation has found no examples of its hosted live websites carrying this nasty &#8220;widget&#8221;.  They dispute reports of 500,000 to 5,000,000 affected URLs, saying the known figure is around 120,000.  Network Solutions has removed all known instances of the widget and has issued an advisory to all others to remove it.</p>
<p>Victims fell prey to an ordinary drive-by download attack in which simply visiting a web page was all that was required of the end-user.  Once there, the &#8220;widget&#8221; served an exploit for either an Internet Explorer or an Adobe Reader/Acrobat vulnerability.  The exploited Internet Explorer or Adobe Reader/Acrobat then placed a &#8220;downloader&#8221; application on the visitor&#8217;s PC, somewhere in &#8220;user-space&#8221;.  Drive-by download attacks usually place their &#8220;downloader&#8221; in user-space because they can always write there.  They can only place it in &#8220;system-space&#8221; if the end-user of the PC is logged in with local admin rights.  Once the &#8220;downloader&#8221; launches, it downloads and installs whatever persistent malware best suits the host and the objectives of those behind the attack.</p>
<p>The fewer than 50% of antivirus products that detected the attack characterized it as a generic Trojan horse installer or a member of the Koobface worm family.  Researchers have said the persistent malware includes a file named lsass.exe (borrowing the name of the legitimate Windows Local Security Authority process) which monitors web browsing.  When it detects certain keywords, it redirects users to particular pay-per-click advertising sites.  While doing this job, it also looks to enlist more victims by inserting malware onto file shares and into peer-to-peer file sharing directories.</p>
<p><strong>AppGuard Protected Computers from these Attacks</strong></p>
<p>This was an unremarkable drive-by download attack, routinely stopped by <a title="Closes the Antivirus Signature Gap Where Signatures Arrive Weeks/Months Later" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a> or <a title="Closes the AntiVirus Signature Gap Where Signatures Arrives Weeks/Months After an Attack" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a> but missed by half of the antivirus products on the market.  Depending on how polymorphic the attack code is, the antivirus products that missed it may have signatures within a month.  Then again, cyber criminals are on to this and retire malware samples after less than 48 hours, severely reducing the odds of there ever being a signature.  AppGuard closes the gap, whether it lasts days, weeks, or months, because it prevents these malware attacks from operating at all.  This raises a question for computer users living within this gap: what passwords, documents, or other data might a cyber criminal want from your computer in a typical week, month, or year?  If nothing, then no worries.  If something, then your traditional antivirus is not enough, and you should add something like AppGuard.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/thousands-websites-drive-by-download-attack-internet-explorer-adobe-reader-acrobat-widget/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zero Day PowerShell Attacks Heading Your Way</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/zero-day-powershell-attacks-advanced-persistent-threat-protection-software</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/zero-day-powershell-attacks-advanced-persistent-threat-protection-software#comments</comments>
		<pubDate>Wed, 04 Aug 2010 12:16:08 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=323</guid>
		<description><![CDATA[Black Hat / DefCon researchers warn of and demonstrate a vulnerability in Windows PowerShell that enables sophisticated attacks that elude antivirus, HIPS, SRP, and more.  AppGuard has always stopped such attacks, and its latest version also stops the forthcoming code injection variants.]]></description>
			<content:encoded><![CDATA[<p>Researchers at Black Hat 2010 and DefCon 18 demonstrated how to circumvent security restrictions intended to prevent malicious PowerShell scripts from doing harm.  The researchers say antivirus, host intrusion prevention systems (HIPS), the software restriction policies (SRP) built into Windows Group Policy, and other advanced security software products cannot protect computers from these attacks.  AppGuard protects Windows computers from these sophisticated zero day attacks.<span id="more-323"></span></p>
<p><strong>What is PowerShell?</strong></p>
<p>PowerShell is Microsoft&#8217;s task automation framework, consisting of a command-line shell and associated scripting language built on top of, and integrated with, the .NET Framework.  It is extremely powerful; hence it is aptly named.  Thus, if a malicious PowerShell script is allowed to run, it can do extreme harm.</p>
<p><strong>What Windows Operating Systems Are Affected by this Vulnerability?</strong></p>
<p>Microsoft released PowerShell v2.0 in August 2009.  It is an integral part of Windows 7 and Windows Server 2008 R2.  Versions of PowerShell for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 were released in October 2009 and are available for download for both 32-bit and 64-bit platforms.</p>
<p><strong>PowerShell Vulnerability Enables Attackers to Elude Built-in Security Restrictions</strong></p>
<p>Having endowed it with so much power, Microsoft wisely designed it with execution policies to prevent malicious PowerShell-based attacks.  By default, the execution policy is set to “Restricted”.  Except for some specific commands, this prevents non-local PowerShell scripts from running.  A policy called “AllSigned” allows only signed scripts to be executed; they must be from a trusted publisher.  A less restrictive policy called “RemoteSigned” allows signed scripts as well as local ones (i.e., already on the PC).</p>
<p>The crux of the researcher’s work is that these restriction mechanisms can be circumvented.  He presented and demonstrated his findings at the Black Hat and DefCon 2010 conferences.  He’s also released Metasploit modules.  Cyber criminals are undoubtedly developing and distributing malicious PowerShell-based malware attacks that researchers say cannot be stopped by antivirus, HIPS, SRP, or just about any other security software product that you may have on your computer.  Further, the researcher and cyber criminals are working on using PowerShell for process/code injection attacks, which makes them even more elusive to security software.</p>
<p>As for security appliances/servers defeating such attacks, they’ll only stop those for which a virus signature already exists.  And as altering attack code signatures is trivial, forget it!</p>
<p>The obvious workaround is to remove PowerShell.exe from computers.  However, this cannot be done for Windows 7 because it is embedded in the operating system.</p>
<p><strong>Expected Attack Vectors</strong></p>
<p>For the most part, PowerShell attacks will piggy-back atop other vulnerabilities that are used to deliver the PowerShell payload.  For example, a vulnerability in Adobe Reader, Internet Explorer, or any other software application on a PC may enable an attacker to drop a downloader into user-space.  Or, in sophisticated attacks on high value targets, the attacked software application itself is used to execute the PowerShell attack.  This means the following vectors deliver the attack (ordered from most likely to least likely):</p>
<ul>
<li>Visit a malicious/compromised website</li>
<li>Open a spiked email attachment seemingly from someone you know</li>
<li>Insert an infected USB thumbdrive</li>
<li>Open a document, seemingly from someone you know, with an embedded PowerShell script</li>
<li>Mount a network drive with an auto-run attack</li>
<li>View a network drive, USB drive, or hard drive with a Windows LNK vulnerability exploit (patch issued by Microsoft 3 August 2010, except for Windows 2000 and Win XP SP2)</li>
</ul>
<p><strong>AppGuard Protects Computers from PowerShell Worm/Trojan Malware</strong></p>
<p><a title="Computer Protection from Zero Day Advanced Persistent Threats" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a> has always been capable of defeating PowerShell attacks.  To improve ease of use, the recently <a title="Protect Windows from Zero Day PowerShell Exploit Attacks" href="http://www.blueridgenetworks.com/support/appguard6432/" target="_self">released beta of AppGuard</a> (version 2.0.6) blocks PowerShell script (.ps1) launches from user-space by default.  This blocks the most common vector (the vast majority of cases) for PowerShell-based attacks.</p>
<p><a title="Centrally Managed Enterprise Protection from Zero Day Advanced Persistent Threats (APT)" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a> administrators as well as AppGuard users can increase protection even more by adding powershell.exe to the ‘guard list’.  Doing so blocks a less commonly used vector whereby an application such as Adobe Reader, Internet Explorer, or another is coerced by an attack into executing a PowerShell script.  This method tends to be employed only by sophisticated attackers against high value targets such as large corporations or government organizations.</p>
<p>As for when the code injection variants of PowerShell attacks strike, the MemoryGuard protection feature of AppGuard blocks them even if all other protection features are disabled.</p>
<div id="attachment_328" class="wp-caption aligncenter" style="width: 664px"><a href="http://www.blueridgenetworks.com/support/appguard6432/"><img class="size-full wp-image-328" title="AppGuard Beta Major New Features for 32 and 64 Bit Computers" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/08/appguard6432beta.jpg" alt="Beta Participants Get Free Lifetime License for AppGuard Zero Day Protection" width="654" height="83" /></a><p class="wp-caption-text">Beta Participants Get Free Lifetime License for AppGuard Zero Day Protection</p></div>
<img src="http://www.blueridgenetworks.com/securitynowblog/?ak_action=api_record_view&id=323&type=feed" alt="" />]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/zero-day-powershell-attacks-advanced-persistent-threat-protection-software/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AppGuard Snuffs-Out Windows LNK Vulnerability Zero-Day Attacks</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/computer-advanced-persistent-threat-protection-windows-lnk-vulnerability-zero-day-attacks</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/computer-advanced-persistent-threat-protection-windows-lnk-vulnerability-zero-day-attacks#comments</comments>
		<pubDate>Thu, 22 Jul 2010 16:02:26 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=310</guid>
		<description><![CDATA[Microsoft issued a critical security advisory on Friday (16 July 2010) concerning a vulnerability affecting most Windows operating systems.  Security pundits consider this an extremely serious persistent [malware] threat (APT).  Speculation suggests no Microsoft patch until August 10, but never for Windows XP SP2 users.  This vulnerability poses little risk to AppGuard [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft issued a critical security advisory on Friday (16 July 2010) concerning a vulnerability affecting most Windows operating systems.  Security pundits consider this an extremely serious persistent [malware] threat (APT).  Speculation suggests no Microsoft patch until August 10, but never for Windows XP SP2 users.  This vulnerability poses little risk to <a title="Advanced Persistent Threat Protection for Windows Users from LNK Zero Day Vulnerability" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a> or <a title="Advanced Persistent Threat Protection from Zero Day Windows LNK Vulnerability" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a> protected Windows computers, even XP SP2.<span id="more-310"></span></p>
<p style="text-align: right;"><img class="size-medium wp-image-311" title="appguard6432beta" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/07/appguard6432beta-300x38.jpg" alt="Participants Get Free Lifetime License for 3 PC's" width="300" height="38" /></p>
<p style="text-align: right;"><span style="color: #ff6600;"><strong>Free Lifetime License to Beta Participants, up to 3 PCs</strong></span></p>
<p><strong>Vulnerability/Exploit Background</strong></p>
<p>The vulnerability involves the short-cuts most commonly found on a PC’s desktop and application tray.  In fact, any short-cut, which is simply a file with an LNK extension, located anywhere, can be used.  Most exploits in the wild are found on USB drives and utilize the Windows AutoPlay functionality to activate the short-cut upon USB insertion.  Similarly, in the enterprise, attackers drop these LNK files onto network drives to get the same AutoPlay effect.</p>
<p>A malware name most commonly associated with this exploit is Stuxnet.  There’s also a downloader that implants malicious LNK files as well as an executable.  (A downloader is a generic malware application that attackers download and launch from user space once they have exploited a software vulnerability; it then assesses the host, downloads persistent malware and files, and finally installs them for permanent use.)  This downloader also attempts to alter the Windows registry (HKCU/…/Run) to automatically launch the permanent malware executable when Windows starts.  Also of interest, with each use the hash checksum, or signature, of this downloader changes, making detection by traditional anti-virus/spyware products highly unlikely.  Names for the downloader include: W32.Changeup (Symantec), W32/Autorun.BFG (Sophos), Win32/AutoRun.VB.RD (Eset), Worm:Win32/Vobfus.R (Microsoft), Download-CJX (McAfee), TR/Dldr.Gaat.B (Avira).</p>
<p>The most important thing for enterprise desktop administrators or advanced home users to know is that this vulnerability enables an attacker to launch an arbitrary executable.  However, the executable must already be present on the host; otherwise, a malicious short-cut is moot.  Think of this vulnerability as a trigger, which is useless without a bullet (i.e., a malicious executable).  Does the LNK vulnerability alone represent a zero day threat?  No.  But combined with other vulnerabilities it can be.</p>
<p>Microsoft recommends disabling short-cuts, among other workarounds.  AppGuard and AppGuard Enterprise users need not implement these workarounds, though doing so does add another layer of protection.</p>
<p><strong>How AppGuard Defeats LNK Exploits</strong></p>
<p>A Stuxnet or similar malware attack usually begins somewhere in user-space, which is any hard drive or removable media location where an end-user without local admin rights can write.  User-space is the preferred initial landing site for any attack because it&#8217;s always accessible, whereas system-space is inaccessible when the target PC is running without local admin rights.</p>
<p>AppGuard only allows executables to launch from within user-space if they are on the ‘guard list’, which may be regarded as a white list.  So, the malicious executable cannot launch from user-space, period.  This includes USB drives too.  AppGuard Enterprise, where PCs frequently encounter network drives, treats these drives as user-space as well.</p>
<p>The attackers must therefore get their malicious executable into system-space before their LNK trigger can be of use.  System-space is defined as the Windows and Program Files directories and their children.  AppGuard places at-risk applications ‘under guard’.  Typically one guards web browsers, email applications, Adobe Reader, Microsoft Office, and other applications that consume files and communications from potentially unknown origins.  ‘Guarded’ applications can neither write into system-space nor into the Windows registry locations where they could trigger executable launches.</p>
<p>So, attackers cannot launch malicious executables from user-space.  They cannot exploit vulnerabilities in software applications to plant an advanced persistent [malware] threat (APT, i.e., malicious executable) into system-space.  Therefore, the LNK Windows vulnerability poses little risk to AppGuard or AppGuard Enterprise protected computers.</p>
<p><strong><span style="color: #800000;">Update: New Zero Day Protection Feature Called MemoryGuard Alone Kills Some Windows LNK Based Attacks</span></strong></p>
<p>We tested the downloader mentioned above with drive-by download protection disabled (this feature prevents executable launches from user-space) and allowed the downloader to run with nothing restricting it but the MemoryGuard protection feature, currently out in beta.  The result was MemoryGuard blocking the downloader&#8217;s attempts to launch code injection attacks on all available processes in the test host.  Below is a screenshot:</p>
<div id="attachment_321" class="wp-caption aligncenter" style="width: 443px"><img class="size-full wp-image-321" title="Rieonim_LNK Malware Blocked by MG2" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/07/Rieonim_LNK-Malware-Blocked-by-MG21.jpg" alt="Zero Day Protection from Advanced Code Injection Attacks" width="433" height="489" /><p class="wp-caption-text">Zero Day Protection from Advanced Code Injection Attacks</p></div>
<p><strong>Can AppGuard Do Even More?</strong></p>
<p>Yes, AppGuard users and administrators can add three executables to the ‘guard list’.</p>
<ul>
<li>rundll32.exe</li>
<li>cmd.exe</li>
<li>regsvr32.exe</li>
</ul>
<p>With the forthcoming summer releases of <a title="Advanced Persistent Threat Protection for Windows Users from LNK Zero Day Vulnerability" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a> and <a title="Advanced Persistent Threat Protection from Zero Day Windows LNK Vulnerability" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a>, these will be guarded by default.  We are doing so because these Windows facilities are sometimes used by attackers.</p>
<p>Legitimate software installations and patches use these facilities too.  Thus, one should suspend all AppGuard protections when installing or patching software.  Consumers need only right-click on the AppGuard tray icon and select ‘suspend all’.  Enterprise users should always test installs.  They have an additional feature whereby they can define power applications, such as patch management or desktop configuration software, which tells AppGuard to allow them to do what they wish.</p>
<img src="http://www.blueridgenetworks.com/securitynowblog/?ak_action=api_record_view&id=310&type=feed" alt="" />]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/computer-advanced-persistent-threat-protection-windows-lnk-vulnerability-zero-day-attacks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Parental Controls Coming to AppGuard Soon</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/parental-controls-zero-day-malware-protection-family-computer</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/parental-controls-zero-day-malware-protection-family-computer#comments</comments>
		<pubDate>Wed, 07 Jul 2010 20:16:30 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=307</guid>
		<description><![CDATA[AppGuard parental controls protect the family from what the family members do not know or appreciate about information security]]></description>
			<content:encoded><![CDATA[<p>Since AppGuard was released in 2008 for consumers, many parents have requested some form of parental controls that protect the family from what the family members do not know or appreciate about information security.  With the release of AppGuard 2.0 within the next month, Blue Ridge delivers parental controls.<span id="more-307"></span></p>
<p>There is no password that locks AppGuard policies. We wish to avoid issues associated with lost passwords. Instead, our approach leverages the existing Windows user account credentials on a PC. So, &#8220;family&#8221; computers must have at least two Windows user accounts to utilize our parental controls, which SHOULD always be so, though it isn&#8217;t. Folks new to having a separate local admin account should make certain their password is never lost as consequences can be disastrous (a public service announcement!).</p>
<p>Let&#8217;s clarify something regarding this &#8216;two Windows user accounts&#8217; minimum requirement for our parental controls.</p>
<ul>
<li>Each and every Windows (or Mac or Linux for that matter) PC <strong>must</strong> have at least one account with local admin rights</li>
<li>Each and every Windows (or Mac or Linux for that matter) PC <strong>should</strong> have at least one non-admin account for day-to-day use of the PC</li>
<li>This adds up to two unique login accounts per PC, if one follows Microsoft recommended practices</li>
<li>AppGuard requires nothing more</li>
</ul>
<p><strong>Getting Started with Parental Controls</strong></p>
<p>Until a user clicks on the AppGuard &#8216;Advanced&#8217; button and activates the &#8216;Parental Controls&#8217;, no user is restricted in what may be done via AppGuard. Once &#8216;parental controls&#8217; are activated, one must enter &#8220;super user mode&#8221; to edit parental controls. The Windows account used to first activate parental controls is endowed with &#8220;super user mode&#8221; privileges. AppGuard associates those that may run &#8220;super user mode&#8221; with Windows user accounts, which are not required to possess Windows local admin rights. To enter &#8220;super user mode&#8221;, one must click on the AppGuard &#8220;Advanced&#8221; button, answer the Windows authentication challenge (does not involve logging in or out of a Windows account), and then the parental controls dialog is displayed.  BTW, by leveraging Windows authentication and authorization infrastructure, we keep AppGuard lean.</p>
<p>Parental control is a variant of our TamperGuard technology. Only a Windows account with local admin rights and with &#8220;super user mode&#8221; enabled may uninstall AppGuard. If AppGuard detects that there are no longer any &#8220;super user&#8221; accounts, the uninstall feature as well as parental controls in general would be disabled.</p>
<p>A user that has simply logged into a Windows account that is authorized to employ &#8220;super user mode&#8221; has not yet enabled this mode. One must click on a button in the AppGuard GUI, which initiates a Windows authentication challenge prompt; &#8220;super user mode&#8221; is then activated, and one may edit parental controls, allowing one to:</p>
<ul>
<li>Enable, disable, and edit parental controls</li>
<li>Uninstall AppGuard</li>
<li>Designate specific Windows accounts as having &#8220;super user mode&#8221; privileges</li>
</ul>
<p>Thus, from an AppGuard parental controls perspective, there are two types of AppGuard users (or Windows user accounts), those with and those without the &#8220;super user mode&#8221; privilege. Windows accounts with the &#8220;super user mode&#8221; privilege are in no way restricted by parental controls; other Windows accounts are.</p>
<p>If someone without &#8220;super user mode&#8221; privileges needs assistance from someone with the privileges to temporarily remove an obstacle, the person with the privileges does not have to log out of the other person&#8217;s account and into their own. Instead, that person simply navigates to AppGuard, clicks on the &#8216;Advanced&#8217; button, answers the authentication challenge, and then has &#8220;super user mode&#8221; enabled. When it is no longer needed, return there and log out of &#8220;super user mode&#8221; (not the Windows account) to return things to normal.</p>
<p><strong>Ideal for Families with Kids Playing Games that Require &#8216;Local Admin Rights&#8217;</strong></p>
<p>For reasons that escape me (I&#8217;m not a computer gamer), many computer games cannot be fully utilized unless run via a Windows user account that possesses local admin rights.  Maybe the game needs to be able to write something into its respective &#8216;Program Files&#8217; directory, maybe something else.  Whatever the reason, this motivates folks to run a PC with local admin rights on a daily basis.  This is a very bad security practice.  AppGuard does a very good job of removing the risks.  But, as a security solutions vendor for over 15 years, we always recommend layered defenses.  And this means: try to run PCs without local admin rights, unless installing, configuring, or updating software.</p>
<p>With parental controls in place, a family member can do far less harm through direct action or foolishness.  They cannot uninstall AppGuard.  And, when combined with a new feature also coming in version 2.0 called InstallGuard, they cannot install most software, even though they have local admin rights.  They also cannot launch potentially dangerous applications (executables) from user-space (e.g., My Documents, Desktop, etc.) if the parental control settings of AppGuard so dictate.</p>
<img src="http://www.blueridgenetworks.com/securitynowblog/?ak_action=api_record_view&id=307&type=feed" alt="" />]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/parental-controls-zero-day-malware-protection-family-computer/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Telecommuting-Good and Bad Advice</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/federal-telecommuting-antivirus-data-leak-protection</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/federal-telecommuting-antivirus-data-leak-protection#comments</comments>
		<pubDate>Mon, 21 Jun 2010 17:46:05 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=302</guid>
		<description><![CDATA[When it comes to protecting federal interests from the security risks of telecommuting from employee-owned Windows PCs by providing or insisting that they use a recommended anti-virus suite is similar to asking someone wearing an Israeli t-shirt to walk the streets of the West Bank protected by nothing but a helmet.  Yes, the helmet can do some good.  But, for the most part, it is a symbolic, worthless protection.  There is however a practical solution to federal telecommuting.]]></description>
			<content:encoded><![CDATA[<p>When it comes to protecting federal interests from the security risks of telecommuting from employee-owned Windows PCs, providing or insisting on a recommended anti-virus suite is like asking someone protected by nothing but a helmet to walk into a hot combat zone. Yes, the helmet can do some good. But, for the most part, it is a symbolic, worthless protection. There is, however, a practical solution to federal telecommuting.<span id="more-302"></span></p>
<p>This blog post was inspired by an article at GCN (Government Computer News) called &#8220;5 Top Security Suites for Teleworks&#8221;, 17 June 2010.  The author, Carlos Soto, reviewed leading consumer anti-virus/spyware software so that federal agencies inclined to subsidize or somehow require the use of such software on the home computers employees telecommute from could choose the best software for the job.  On the surface, it&#8217;s sound advice.  A safer PC reduces federal data leak and malware intrusion risks, right?  But what if this advice is akin to encouraging federal agencies to do something foolish, such as going into harm&#8217;s way with a target on your back and nothing but a helmet?</p>
<p>Employee-owned Windows PCs are more likely to be already infested than not. And those not, soon will be. Consider this, Cyveillance and AV-Comparatives measured the effectiveness of numerous antivirus products against newly created malware finding average detection rates of 25% and 44% in 2010, respectively.</p>
<p>And as more than half of these PCs operate with local admin rights accounts, they may well be infested with rootkit based malware. Such infestations are detectable when sloppy code is used by cyber criminals. Otherwise, where 3rd generation rootkits are used (available on the black market cheap), when the AV asks the OS for a list of files in a directory to be scanned, for example, the AV receives an incomplete list because the OS has been ‘brainwashed’ and coerced to lie on behalf of the malware.</p>
<p>So, if federal agencies intend to practice safe telework, it&#8217;s not simply a matter of whether employees are practicing safe computing from now on but whether they have always practiced it.</p>
<p style="text-align: right; "><em><span style="color: #808080;">While an employee&#8217;s computer is untrustworthy until you know otherwise, this has no bearing on the integrity of the employee itself.</span></em></p>
<p>I’m afraid matters are even more complicated. More and more households have multiple computers operating within a home network. One infected PC leads to infections of the others. From the federal agency perspective, the &#8216;other&#8217; infected PCs are a severe data leak risk. They can launch a DNS poisoning attack, an SSL man-in-the-middle attack, a man-in-the-browser attack, or numerous others that effectively steal sensitive data from all other computers in the home network. In short, federal telecommuting solutions must regard both the employee-owned computer and the employee-managed home network as untrustworthy!</p>
<p>There’s yet more. Each of us values convenience. What percentage of federal telecommuting employees are saving work documents on their home computers? Each employee home computer represents a potentially embarrassing security breach.  For these reasons and others, agencies that can afford to do so provide telecommuters with laptops. One hopes these include properly configured full disk encryption based on two factor authentication. Anything less means not only data loss from a lost or stolen laptop but also another potential security breach.  A key take-away point to consider here is that any data or document that is free to leave the enterprise becomes a potential liability to it as well; in other words, it is an asset to be managed, but usually is not.</p>
<p><strong>Getting Practical</strong></p>
<p>Blue Ridge offers a solution called EdgeGuard that allows for the safe use of employee-owned computers with virtually no malware or data leak risks. An employee inserts the EdgeGuard USB device into their PC, and EdgeGuard generates a virtual workspace, securely connected to the enterprise via a virtual VPN appliance. When the employee is finished doing whatever one might do from a typical Microsoft Office environment with access to all of the user&#8217;s network drives, no data or document from the telecommuting session remains on the employee&#8217;s PC. No malware from the employee&#8217;s PC sneaks in, and no sensitive federal government data or document leaks out. If you&#8217;d like to know more about how this works, look at this <a title="Data Leak Free Without Malware Remote Access Telework Solution" href="http://www.blueridgenetworks.com/products/edgeguard/telework-endpoint-security-data-leakage-ssl-vpn-vulnerabilities-ipsec.php" target="_self">page on EdgeGuard Telework</a>. If you&#8217;d like to speak with another federal organization already using EdgeGuard, <a title="Enterprise Data Protection and Remote Access Solution" href="http://www.blueridgenetworks.com/company/contact_us.php" target="_self">contact us</a> and we&#8217;ll make an introduction.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/federal-telecommuting-antivirus-data-leak-protection/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Banking Trojans Stealing from Countless Commercial Bank Accounts</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/banking-trojan-zeus-two-factor-antivirus-loss-thousands</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/banking-trojan-zeus-two-factor-antivirus-loss-thousands#comments</comments>
		<pubDate>Wed, 24 Mar 2010 17:13:07 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=282</guid>
		<description><![CDATA[Countless SMBs Losing $100,000s to Banking Trojans Despite Up-to-Date Anti-Virus/Spyware Software]]></description>
			<content:encoded><![CDATA[<div class="mceTemp">A perfect storm threatens to empty the commercial bank accounts of small to medium businesses (SMBs). The combination of new malware (i.e., only a day old) that routinely eludes traditional anti-virus/spyware products and the proliferation of plug-and-play tools that enable numerous low-skill cyber criminals to launch attacks with this new malware is unleashing a wave of attacks on SMBs. SMBs tend not to monitor their commercial bank accounts on a daily basis. As a result, a single attack siphons over $100,000 from accounts before discovery. After 24 hours, the odds of recovery decline dramatically, and banks are not obligated to cover losses.<span id="more-282"></span></div>
<h1>Banking Trojans Targeting SMB Are Sweeping Across America</h1>
<p>A recent survey of over 500 SMB organizations surfaced some alarming statistics (conducted by the Ponemon Institute and Guardian Analytics):</p>
<ul>
<li>55% of the SMBs experienced a fraud attack in the last year</li>
<li>58% of the incidents involved online banking</li>
<li>Over 50% experienced multiple incidents</li>
<li>87% failed to fully recover lost funds</li>
</ul>
<p>A separate study of 50 SMBs that fell prey to online banking Trojans in 2009 found that they initially lost $157,000 on average. Those that discovered the fraudulent bank transfers and notified their banks within 24 hours recovered significantly more than those that did not. On average, the victim SMBs recovered approximately 44% of their initial losses.</p>
<h1>Risks to SMBs Under-Reported Due to Lack of Government Oversight</h1>
<p>SMB decision-makers are unaware of their growing risks from online banking fraud because no government entity tracks and reports on the number of victim organizations and the amounts lost. Until banks start losing money, the Federal Deposit Insurance Corporation (FDIC) will not seek permission from the White House to require banks to submit incident reports.</p>
<p>[Update] We have <a title="SMB Initial Losses Averaged $157,000 and Average Recovery was 44%." href="http://www.blueridgenetworks.com/products/online-banking-trojans-zero-day-malware-steal-enterprise-fraudulent-transfers.php" target="_blank">summarized a series of banking Trojan loss incidents</a> reported by the Washington Post in the summer of 2009, whose columnist Brian Krebs may have collected more incident reports than federal organizations.</p>
<h1>Banks Not Obligated to Cover Commercial Online Banking Fraud</h1>
<p>“Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and non-profits have suffered some relatively large losses”, said David Nelson, an examination specialist with the FDIC.</p>
<p>Banks are not required to reimburse enterprise victims of banking Trojans. They will work with a victim to try to reverse fraudulent transfers. However, after 24 hours, the odds of succeeding diminish greatly. Ultimately, the customer is required to discover and report the fraudulent bank transfers to their bank within that 24-hour period.</p>
<p>Such was the case for Little &amp; King LLC, a marketing company that is facing bankruptcy due to a computer virus infection that siphoned $164,000 from their commercial bank accounts.</p>
<p>Cyber criminals are targeting small to medium businesses because they do not have the checks and balances in place to monitor their commercial bank accounts on a daily basis.  Further, smaller organizations have fewer defenses in place.</p>
<h1>Update: FBI Does Not Open a Case for a Victim that Lost Less than $500,000</h1>
<p>Brian Krebs recently reported that a dental practice in Springfield, Missouri fell prey to a banking Trojan that stole $205,000. The office manager said that the FBI told him that they do not open a case for losses under $500,000. However, the FBI said a task force in Omaha, Nebraska investigating similar cases would include the information from the dental practice in their efforts. One hopes this task force stationed in the great metropolis of Omaha is well resourced. What do you think? Me too.</p>
<h1>Your Up-to-Date Anti-Virus/Spyware Will Not Detect Today’s Banking Trojans</h1>
<div class="mceTemp">A sophisticated banking Trojan will infect your computer when you visit a seemingly legitimate website, open an email attachment apparently from someone you know, or insert a USB thumb drive that had once been inserted into another infected computer.  The malicious attack code that enters your machine will be less than 10 minutes old.  The odds of your anti-virus/spyware software having a virus definition for it are one in four.</div>
<p><img title="AntiVirus Detection Rates for Day-Old Malware, Cyveillance, Feb 2010" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/03/Cyveillance-Day-Old-Malware-Detection-Rates-300x138.gif" alt="Average AntiVirus Detection Rate for Day-Old Malware" width="300" height="138" /><br />AntiVirus Detection Rates for Day-Old Malware, Cyveillance, Feb 2010</p>
<p>An information security firm that finds malware on legitimate websites, in part by observing certain types of changes to the website, conducted a six-month-long study on the effectiveness of leading anti-virus/spyware products. At the end of each day, they&#8217;d collect hundreds of new malware samples, then test the ability of 14 leading anti-virus/spyware products to detect the samples. The daily average detection rate was a mere 25%, as charted above.</p>
<h1>DIY Zeus Banking Trojan Kits Mean Any Idiot Can Empty Your Commercial Bank Accounts</h1>
<p>Panda Labs reported finding 77% more unique banking Trojans in 2009 than in 2008. The widespread availability and affordability of malware kits that automate the creation of unique banking Trojans will mean that Panda Labs will certainly be reporting a much higher growth rate next year. Anyone with the skills to use iTunes can use one of these kits to steal hundreds of thousands of dollars from an SMB commercial bank account. Basic kits cost $400 to $700. They enable a person you wouldn’t hire to wash your windows to send you day-old banking Trojans that elude your traditional anti-virus/spyware products. Actually, the malware that will infect your computer will likely be less than 10 minutes old.</p>
<p>Every petty criminal in the world is hearing stories of others making a lot of money with very little risk. For example, a German cyber gang called Cosmos made $7 million from just a week’s worth of attacks.</p>
<p>Most organizations have thus far not been attacked by day-old or zero-day malware because there were so many other fish in the barrel for those with the skills required to attack. Malware kits are a game-changer.</p>
<h1>Two Factor Authentication Does Not Deter Today’s Banking Trojans</h1>
<p>“Online banking customers are getting too reliant on authentication and practicing layers of controls”, says the FDIC’s David Nelson.</p>
<p>Today’s banking Trojans, such as the Zeus family, employ several different techniques to circumvent one-time pass code tokens, such as a man-in-the-middle attack, or more aptly a man-in-the-browser attack. In short, when users enter the six-character code into a form, they’re actually entering it into a fake form that is dynamically generated within the user’s web browser. Another technique involves stealing the “session cookie”. So, when the user thinks she’s logged off, the banking Trojan has not and continues to conduct fraudulent transfers.</p>
<p>A New Hampshire based IT consulting firm, Cynxsure LLC, employed a fingerprint scanner for authentication to mitigate risks from password-stealing malware. However, Cynxsure lost nearly $100,000 in February 2010. Zeus family banking Trojans include a feature called a “form grabber” that effectively steals the fingerprint authentication data before the web browser can encrypt it. Consequently, once the data has been captured during a single use, the Trojan can use it later. Two-factor authentication implicitly assumes its host computer is not compromised.</p>
<h1>Blue Ridge Enterprise Solutions</h1>
<h2>Online Banking from Enterprise-Owned Computers</h2>
<p>AppGuard can triple your effective computer protection by blocking the new malware attacks that elude traditional anti-virus/spyware software. Different organizations can choose different forms of AppGuard protection: <span style="text-decoration: underline;"><a title="Protection from Zero-day, Day-Old, and Any Age Malware" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">centrally managed do-it-yourself</a></span>, <span style="text-decoration: underline;"><a title="Managed Security Service Endpoint Security Zero Day Malware Protection" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_blank">managed security service</a></span>, or <span style="text-decoration: underline;"><a title="Protection from Zero-Day, Day-One, and Any-Age Malware" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">employee self-managed</a></span>.</p>
<h2>Online Banking from Employee-Owned Computers</h2>
<p>EdgeGuard provides a virtual workspace that is locked-down and malware-free for <a title="Safe Online Banking Free of Trojans" href="http://www.blueridgenetworks.com/products/pixie/secure-simple-online-banking.php" target="_blank">safely conducting online banking</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/banking-trojan-zeus-two-factor-antivirus-loss-thousands/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Zero Day Malware Attack Targeting Internet Explorer Users</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit#comments</comments>
		<pubDate>Mon, 18 Jan 2010 03:36:11 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=277</guid>
		<description><![CDATA[Less than 2 weeks into the new year, there&#8217;s another malware attack that can infest your computer with malware without your knowing it.  This is the first of the year.  More coming!
More exploits attacking more vulnerabilities in Internet Explorer, as well as Firefox, Chrome, Safari, and Opera are coming in 2010.  Predicting more malware attacks [...]]]></description>
			<content:encoded><![CDATA[<p>Less than 2 weeks into the new year, there&#8217;s another malware attack that can infest your computer with malware without your knowing it.  This is the first of the year.  More coming!<span id="more-277"></span></p>
<p>More exploits attacking more vulnerabilities in Internet Explorer, as well as Firefox, Chrome, Safari, and Opera are coming in 2010.  Predicting more malware attacks is equivalent to telling Seattle residents to expect rain in 2010.  If you&#8217;re curious as to why this is so, check out this explanation:</p>
<p style="padding-left: 30px;"><a title="Zero Day Exploits are Inherent in Web Browser Construction" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a></p>
<p>Microsoft reports they&#8217;ve only seen exploits in the wild that successfully attack Internet Explorer 6 (six) users. However, various security intelligence organizations, as well as the alert Microsoft posted, indicate that pretty much every version of Internet Explorer is affected.</p>
<p>McAfee reported that the recently publicized attacks on Google by Chinese hackers to gain information on Chinese dissidents exploited this vulnerability. It seems unlikely that Google would be using IE6, because organizations that do tend to be stuck with a web application they&#8217;d developed in-house that only works on IE6. So, this goes beyond IE6 to the newer versions.</p>
<p>Reports indicate 30 more enterprise organizations have been targeted with this exploit. The number of organizations targeted by these attacks will grow as more malware developers create attack code and sell it to the thousands of malware distributors. Remember, as any industry matures, specialization breaks out. So, the malware creators tend to make their money selling their binaries to malware distributors in the form of web kits, which are automated software tools that enable non-technical people to launch and manage malware attacks and botnets.</p>
<p><strong>What Puts You Most at Risk from These Zero Day Exploit Attacks?</strong></p>
<p>Just use Internet Explorer to visit websites! It&#8217;s not just the sordid websites, but any website that you normally use.</p>
<p>This is because cyber criminals have been using their malware to find and infect the computers used by the webmasters that maintain websites. Webmasters, like most other people, foolishly believe that their anti-virus software would let them know if they were infected, or that their computer would suddenly slow down and behave oddly. Organizations should require webmasters to re-image their computers twice a year or more, unless they&#8217;re willing to get security software protection that stops zero-day malware attacks.</p>
<p>To those visiting this blog for the first time, and are unfamiliar with the term zero-day, if your computer protection requires &#8216;virus definition files&#8217; or signature updates, consider yourself unprotected!  There are loads of blog posts here on the subject.</p>
<p><strong>Some Attack Details on CVE-2010-0249 (or Microsoft Knowledge Base Article 979352)</strong></p>
<p>From Microsoft, &#8220;The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.&#8221; In short, when an Internet Explorer user visits a compromised website they become a victim of a drive-by download attack that drops an executable somewhere in user space. This temporary executable launches and assesses your computer: what operating system, the user&#8217;s login privileges, installed security software, etc. It then downloads and installs the permanent malware ideal for your computer. As most cyber criminals no longer create their own malware but instead buy it from professionals, if you get hit with a zero-day drive-by download attack like this, you won&#8217;t notice a thing before, during, or after. In other words, your computer won&#8217;t slow down. That happens when your computer has multiple infections.</p>
<p>Microsoft has already updated their alert page on this exploit and will likely do so again.  As of January 15, there were no practical precautions one could take to avoid one of these attacks.</p>
<p><strong>What Can You Do to Protect Yourself and others from these Zero Day Attacks?</strong></p>
<p>Install some zero-day protection software!</p>
<p>Blue Ridge offers software for consumers and organizations that would stop these and other zero-day drive-by download attacks, and more. Consumers should get <a title="zero day protection from drive by download attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a>, which can be tried for free for 30 days. Organizations should investigate <a title="Enterprise Protection from Zero Day Drive By Download Attacks on Internet Explorer and More" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a>. These recently won &#8220;Best Anti-Malware Product&#8221; from GSN&#8217;s Homeland Security Awards. Those that need to lock down and audit the computers in their organization might look at <a title="Protect, Control, and Audit Enterprise Computers" href="http://www.blueridgenetworks.com/products/appguard-enterprise-plus.php" target="_self">AppGuard Enterprise Plus</a>, which includes the protections of AppGuard as well as the controls and audit capabilities an enterprise needs to plug data leaks and curb insider theft risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

