During the course of security research we often acquire new malware samples. The first step is usually to determine what we have: a genuinely new or otherwise unknown sample, or a mutation of something we have already seen. There are several ways to test a sample, but the simplest is to compare its MD5 checksum against known checksums. Several services let you look up the hash of a sample, such as the Malware Hash Registry by Team Cymru, VirusTotal, and MalwareHash. These services work by scanning submitted samples with antivirus products from several vendors (often thirty or forty different products). If the sample has previously been analyzed, the results will typically show what percentage of those antivirus products detect it. Because any change to a file changes its hash, a lookup only identifies exact copies of a sample that someone has already submitted; a repacked or trivially altered variant comes back as unknown. Most of the time this method is sufficient for samples that are more than a few days old; on recent samples (perhaps discovered within the last twenty-four hours) its effectiveness is marginal, which illustrates the highly reactive nature of the industry.
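To make the hash-lookup step concrete, the following is an added example (not code from the original post or from any of the services named above). It digests a constructed byte string the way a sample file would be digested, checks it against a small local registry that stands in for a remote hash service, and then shows that appending a single byte to the same bytes produces a miss. The sample bytes, the registry entries and the label "Constructed.Dropper.A" are all made up for this illustration.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a malware sample and for a hash registry.
# The bytes below are harmless and were made up for this example; the
# registry entries are hashes of those bytes, not of any real malware.
SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00constructed-sample-not-real-malware"
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory sample with every algorithm a registry might index by."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digest a file from disk in chunks so large samples never load fully into memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


# Local registry keyed by lowercase hex digest, the form public services return.
# Each value is the label a lookup would come back with (constructed here).
REGISTRY = {
    hash_bytes(SAMPLE)["md5"]: "Constructed.Dropper.A",
    hash_bytes(SAMPLE)["sha256"]: "Constructed.Dropper.A",
}


def lookup(digests: dict, registry: dict = REGISTRY) -> tuple:
    """Return ('known', label) on an exact hash match, else ('unknown', None).

    Digests are normalised to lowercase because analysts paste them in either
    case, and a case mismatch would otherwise look like an unknown sample.
    """
    for algo in ALGORITHMS:
        label = registry.get(digests[algo].lower())
        if label is not None:
            return "known", label
    return "unknown", None


def mutate(data: bytes) -> bytes:
    """Append one byte: the trivial repack that defeats an exact-hash lookup."""
    return data + b"\x00"


def demo() -> dict:
    """Write the sample to disk, hash it both ways, and return the two verdicts."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE)
        path = tmp.name
    try:
        on_disk = hash_file(path)
    finally:
        os.unlink(path)
    assert on_disk == hash_bytes(SAMPLE)  # chunked and in-memory digests agree
    return {
        "original": lookup(hash_bytes(SAMPLE)),
        "one_byte_mutation": lookup(hash_bytes(mutate(SAMPLE))),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>18}: {verdict}")
```

The point of the mutation case is the one the post makes about new strains: an exact-hash service can only answer for bytes it has already seen, so a fresh repack of an old family looks "unknown" until someone submits it, regardless of how many antivirus engines sit behind the service.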
Since antivirus products are often used as a cure for poor user discretion, I thought I would track the effectiveness of antivirus products on the new malware samples we received, then re-test some of the samples a week later to note how coverage improved. I think the results will show that new malware samples have a window of opportunity during which end users are particularly vulnerable to the new strains.
Social media security has been a major focus of the Cisco Security blog in the past several months. We believe so strongly in sharing the message of using social media in a secure way that it was also a prominent focus in the 2009 Cisco Annual Security Report. In the 2009 report, we discussed how criminals, like predators in the wild, migrate to where their victims can be found. Recently, that has been on social networking sites and services.
Now Google has begun including microblogging posts and other very recent index updates in the Real Time Search section (“Latest results for…”) of its standard search results page. Just as the presence of a community lends trustworthiness to content found on social networks, association with Google’s search results also lends validity to content.
These days botnets are all over the news. Often we hear them described in vague, ominous terms designed to grab people’s attention. In simple terms, a botnet is a group of computers networked together running a piece of malicious software that allows them to be controlled by a remote attacker, better known as a botmaster. Often I think people abuse their readers to a certain extent by over-hyping certain threats. I would like to take a more reasonable approach here.
Our team has a lab dedicated to running malicious software that we refer to as our malware lab. We use the lab to ensure our security products work against various real-world threats. Basically, we do things like intentionally leaving hosts unpatched behind security devices and purposely infecting and attacking boxes protected by various devices. This helps to ensure that in a worst-case scenario we know our products work. To that end, I periodically track down new samples of malware. Recently, I came across a sample that could be used to create your own botnet.
I will explain exactly what this bot does; I’ll even show you some of the code. This is a very simple and generic example of a bot and is very likely no threat to your network. It’s designed as a kit to be distributed to inexperienced botmasters. It’s the Easy-Bake Oven of botnets, but the concepts I will cover extend to the most complex botnets.
This will be the first in a series of posts exploring a bot written in the Java programming language. Because Java is easier to read than most languages, throughout this series we will explore the actual code for the more interesting features.
I’ve covered the proliferation of digital traces, as well as how those footprints can be combined to de-anonymize data, eroding the privacy of users. This week, we see another chapter emerge in this storyline, with a report from Computerworld about tools for mining social networks and other open sources. In this week’s Cyber Risk Report, we talked about the risks posed by these tools to organizations, and I’d like to expand on that, as well as some benefits, here in this post.
Today we are releasing the 2009 Cisco Annual Security Report, which pulls together a full year’s worth of cyber security-focused collaboration from across the entire Cisco Security Intelligence Operations team. The 2009 Cisco Annual Security Report is a comprehensive look back at the year’s highlights with an eye towards what we can expect to see going forward.
Throughout 2009 we saw a host of new threat developments, gripping front line skirmishes, inspirational cases of the White Hats locking arms to combat evil, and alarming new levels of cybercrime audacity and sophistication.
With this report the Cisco Security team is introducing new tools to help customers better assess the evolving threat landscape. To address IT security professionals’ demands for better insight into the threat pipeline, we are introducing the Cisco Cybercrime Return on Investment Matrix (CROI), a framework for quickly assessing which techniques and business models criminals will be investing in and divesting from. Uniquely, the CROI Matrix is built from the perspective of the cybercriminal and how they rate their portfolio of scams and techniques as investments. We believe this approach is fundamental to understanding how the threat landscape will look in the coming year.