Fake Donations for New Zealand Earthquake Victims

On February 22, 2011, a massive 6.3 magnitude earthquake devastated the New Zealand city of Christchurch. As per the official reports, the death toll has reached 75—a number that may yet increase. Thousands of people in New Zealand have lost their homes and search operations are still in progress. Fraudsters, as usual, are taking advantage of this by sending spam mails that request donations. In January, phishers had used the same ploy of asking for fake donations for victims of the Serrana floods.

 

The phishing site spoofed the Red Cross website for New Zealand and requested help from end users. Firstly, the phishing site gave details of the earthquake, highlighting the extent of the damage in the city. Secondly, details on how to make a secure online donation were given. Users were notified that upon making an online donation, the user would receive a receipt by email for tax purposes. There were three credit card services to choose from.

To make the donation, users were required to enter certain confidential information. The first field was a drop down menu from which the user had to select the cause for which the donation would be made. The causes included New Zealand Earthquake 2011, Annual Appeal 2011, Australian Floods Fund, Landmine Appeal, Pacific Disaster Preparedness Fund, and General Fund Appeal.

The confidential information required was email address, postal address, credit card number, three digit security number, card expiration date, four digit PIN code, driver license number, and date of birth. Upon entering the required information, the Web page redirected victims to the legitimate Red Cross website. The phishing site was hosted on servers based in Wien, Austria.

Internet users are advised to follow best practices to avoid phishing attacks:

•    Do not click on suspicious links in email messages.   

•    Avoid providing any personal information when answering an email.

•    Never enter personal information in a pop-up screen.

•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

 By: Mathew Maniyara - Symantec

Note: My thanks to the co-author of this blog, Ashish Diwakar.

VMware provides end-to-end solutions for Virtual Appliances

Virtual appliances are bringing a sea-change in the paradigm of how software is developed, distributed, deployed, and managed. Since its inception, various definitions for virtual appliances have emerged in the market. The definition that we propose at VMware is "A Virtual Appliance is a pre-built software solution, consisting of one or more virtual machines that is managed, maintained and updated as a unit".

Most of the Virtual Appliances out there on the Virtual Appliances Marketplace are packaged into single VMs. These appliances contain applications that reside on top of a guest operating system. VMware also announce vApp at VMworld 2008. vApp is a new model for defining and managing applications. These vApps contain one or more VMs and provide enhanced user experience and guaranteed service levels at the deployment site. vApps provide a much more general notion of virtual applications that get built by ISVs, SI/VARs, in-house developers and IT Admins at Enterprises and SMB. Virtual Appliances are a kind of vApp built by ISVs.

We are committed to expanding on a VMware Ready ecosystem where appliances that have been validated, provide a better user experience on VMware Infrastructure. The virtual appliance value chain is typically composed of 5 steps: Authoring, distribution, installation/deployment, runtime platform and management. On Sept 15th 2008, we launched a solution suite and a well-defined strategy for all the above steps of the value chain. Under Authoring, we enable the VMware Ready ecosystem through our partners. While VMware provides VMware Studio , we enable our partners like rPath, JumpBox, VirtualAppliances.net, cohesiveFT, SuSE Studio to build VMware Ready appliances. 

The distribution channel that we provide is the world's largest repository of virtual appliances, namely the Virtual Appliances Marketplace which has over 900 listed appliances. We also provide opportunities for OEMing VMware Software and bundling opportunities. We have built in virtual appliance deployment and installation capabilities through Studio and easy deployment of OVF template through VI client. Update management functionality for virtual appliances is provided by a close VMware Infrastructure Integration.

Posted by asahai 

Security designed for virtualization… it really works!!

Since the release of vSphere 4.1 a new API for security is available called EPSEC (End Point Security). Together with the already existing VMSafe API security vendors can make security products designed for virtualized worlds.

You might ask, why do security products need a special virtualization approach? Well of course you do not have to, but certain things will not perform so well. Especially if you talk about desktop virtualization. Imagine running 50+ desktop VMs on a single server and all the virus scanners inside those operating systems decide to do their daily scan at the same time. So Trend and Symantec already have ‘random’ start features in their products to prevent this kind of behavior. But can it be done even more efficient?

Yes! by using this new EPSec API. It allows security vendors to build anti virus/malware solutions in a single virtual appliance that can protect all VMs running on a single server, with NO AGENTS installed inside the VMs it self. Trend Micro is the first to have this to market with their currently available DeepSecurity 7.5 product. Symantec and McAfee will hopefully follow soon as well.

To proof that this new way of implementing AV protection is working efficiently, trend asked the Tolly group to research/benchmark this, and what a results did they found! The ‘old school’ scenario consumed 1.7 to 8.5 times more resources. This resulted in 29% to 275% improved workload density!

Especially if you are currently running a VDI environment or planning soon to implement one, I would highly recommend you read the tolly report and plan your Anti Virus/Malware strategy accordingly.

Download the tolly report here.

by Richard Garsthagen

Introducing Elements Magazine!

Welcome to the first edition of Elements Magazine. As you can see, a lot has changed for Nitro IT Business Solutions over the past year––the biggest change being how we communicate with our clients. 

With the launch of our new brand, our new website, and now our newly created quarterly magazine, it is our goal to inform, educate, and occasionally entertain you through a vast array of materials and topics as they relate to the world of IT.

As you will see in this issue of Elements Magazine, this is not your typical corporate newsletter. We have worked hard at ensuring that you, the reader, are not bombarded with marketing fluff, or the typical corporate sales pitch. Instead, we have brought you a collection of meaningful and insightful articles to spark thought, conversation, and perhaps even a little debate. 

In any case, we feel that this publication will become a much-anticipated document every quarter––perhaps making your job a little lighter, and your IT decisions and direction a little easier.

I hope you enjoy this issue as much as we have enjoyed creating it. Until next quarter, happy reading!

+ Read Elements Magazine.

Sincerely,

Larry Poirier 

Chief Executive Officer 

Nitro IT Business Solutions

The BlackHole Theory

Symantec has been monitoring the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. At present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph proves this fact, since more than 100,000 malicious hits are reported each day:

 

End-to-end Analysis of the BlackHole Exploit Kit

•    When a victim visits a clean site that has been injected with a malicious iframe, the iframe redirects the user to the BlackHole exploit kit server. The figure below shows the obfuscated iframe script:

Here is a decoded version of the script:

•    BlackHole uses the below technique to obfuscate the exploits. The page contains a large array inside the <textarea>. When decoded, the array results in various exploits for popular vulnerabilities such as PDF, JAVA, HCP, MDAC, etc.

The below image shows the code that decodes the array. The variable “ivtl” contains the string “url(data:,va….” after the “.match()” method. The String “wjw = g["e"+ivtl.substr(0,2)+"l"];” results in “eval” as “ivtl.substr(0,2)” evaluates to “va”. String “s”, which contains the decoded script, is passed to “wjw” to be executed.

•    The page contains the code that redirects the user to download a malicious jar file. One of the classes inside the jar file extracts the value passed to it in the script, and then decodes it into a URL:  

 

The below images show the code inside the jar file:

 

 

The decoded string has the pattern “d.php?f=[0-9]{1,2}&e=[0-9]{1,2}”. This URL is then used to perform other malicious downloads.

•    The URL downloads Trojan.Carberp, which is a highly sophisticated Trojan that is being compared to ZeuS because of its ingenious techniques for avoiding detection.

•    The Trojan posts a unique ID to the command-and-control (C&C) server that will be used every time a transaction takes place between the Trojan and the C&C server. The URL has the pattern “/set/task.html”

•    Next, the Trojan will post all of the running processes on the victim’s computer to the C&C server. The URL has the pattern “set/first.html” and the data posted has the pattern “id=(Unique number posted on /set/task.html)&os=(Name-version of OS)&plist=(List of all running processes)”

•    The Trojan then downloads three modules:

1) stopav.plug – This module disables the antivirus installed on the victim’s computer.

2) miniav.plug – Checks for the presence of other Trojans, such as Zeus, and if found, the Trojan deletes its  competitor(s).

3) passw.plug – It will hook the export table of a number of WININET.dll and USER32.dll functions and will log every username/password combination that is typed, as well as any URLs visited.

•    The C&C server sends the “multidownload” command to the Trojan:

 

•    The first file downloaded (1.exe) is Trojan Hiloti (a.k.a. Trojan.Zefarch), which makes requests to a free file-hosting site. One of the patterns of the domain is “[a-z0-9]{12].weirden.com”. The request page has the pattern “/get2.php?c=[A-Z]{8}&d=<long Hex String>”. The server always replies with “File Not Found” upon retrieval of the requested file.

•    The second file downloaded (2.exe) is FakeAV:   

The good news is that Symantec customers are protected from this attack. Symantec IPS and AV engines have generic detections for BlackHole's traffic, exploits, Trojans, and the rogue application FakeAV. Today, the crimeware industry maintains a fully fledged business model and the BlackHole exploit kit is a very good example of the business model's sophistication and distribution. Exploit kits pose a great challenge to security vendors, considering the ever-increasing list of modern exploits and ever-changing obfuscation techniques. Thus, we at Symantec and Nitro IT Business Solutions urge the readers to install all security patches and definitions regularly. 

By: Hardik Suri

Note: My thanks to the co-author of this blog, Parveen Vashishtha.

Snowshoe Spammers Target the British Royal Wedding

With just over two months to go before the wedding of Prince William and Kate Middleton, it’s no surprise to find this significant event is being used to promote products. Emails advertising a replica of Princess Diana’s engagement ring were observed in the past few days, sent by well established spammers.

Although infected botnet machines are responsible for the vast majority of spam sent globally (77% at the end of 2010), these attacks do not fall in that category, and in fact the IP which is sending the spam is the same as the one hosting the domain which is linked to in the email. This domain has also been used in other spam campaigns, such as the long running Who’s Who social networking spam messages (see our May 2008 State of Spam reportfor similar attacks). It was registered on February 9, 2011, using Moniker Privacy Services for anonymity, and since then has been used in at least half a million spam emails. This spammer has registered many different domains across a range of IPs in a technique that is sometimes known as “snowshoe spamming”.

If the user clicks on the link in the email, it firstly redirects to the ‘lynxtrack.com’ domain, which checks that the user’s IP is based in the US, before redirecting to the final destination product site. The product site was registered much earlier, on December 21, 2010, using a different registration service, indicating that the people behind the site might be purchasing spam services rather than sending it themselves.

Symantec Brightmail has had predictive filters in place to block these particular snowshoe  attacks since October 2010; typically, there are at least 350,000 messages per day. As the British Royal wedding gets closer though, we do expect to see it featured in other spam campaigns to attract users’ attention; at the very least in scraped news headlines.

Thank you to Pavlo Prodanchuk for contributed content.

On Ramps to Cloud Service Providers

On my continuing updates on cloud interoperability I thought this would be a good time to talk about the various cloud interfaces that now exist. As I have discussed in previous posts, a lot of work is going on at the US National Institute of Standards and Technology regarding cloud computing to support the governments Cloud First Policy.

One of the key activities now in full swing is the SAJACC (Standards Acceleration to Jumpstart the Adoption of Cloud Computing) program.  At the very end of last year a new work group was launched along with a Wiki to enable the industry and interested participants to start to develop a plan for evaluating current interface standards for cloud computing. As part of that work a Cloud Interface Catalogue of interfaces has been established. This provides a list of some of the cloud computing interfaces and their capabilities and links to more information about these interfaces. This provides a good place for consumers as well as cloud service providers to review what is currently available.

As it would be expected there are a broad range of capabilities and functions available. VMware’s vCloud API has the highest number of funtions listed, not that this is a good gage of capability, but may speak to its level of maturity. One of the things that also will jump out at you is the number of various interfaces that exist. This may indicate that we are still in the early days of cloud computing and consolidation has not occurred.

However, a good thing to notice is that there are some similarities between these interfaces...such as most all of the interfaces are RESTful interfaces. This has become the mode of choice for interacting with clouds.  The other thing to notice is that the functions that have been implemented are similar, but some of the interfaces stronger in one or more functional areas.

I believe this year we will see most of these interfaces tested and analyzed by NIST to validate its capabilities against the list of cloud computing use cases. At the same time work is continuing in the DMTF and other standards development organizations to develop an agreed-upon set of functions and protocols to achieve cloud interoperability by standardizing this onramp. The work will continue throughout 2011 to evaluate and consolidate cloud computing interfaces with goals of reducing complexity, improving interoperability and utlimately improving customer flexibility and choice.

By Winston Bumpus 

VMWare

Understanding Advanced Persistent Threats

This week is the big and uber-cool RSA security conference.  In preparation, I was chatting with Brian Fitzgerald and Nirav Mehta to get a quick synopsis of what they had planned for the show.

Half-jokingly, I asked "what's the big new threat that no one is prepared for?".  A lot of the conversation at the RSA Conference is inevitably along those lines, as you'd expect.

In a millisecond, Brian shot back: "APT -- advanced persistent threats".  I had no idea what he was talking about. He started to explain the basics.  I was fascinated, and asked him to send along some more info. Maybe you'll be fascinated as well -- or at least, maybe a bit concerned?

Some Context

Full disclosure -- I am not a security expert.  I don't even pretend to want to be one.  That being said, as we transition to an information economy, it's fascinating to watch the ever-escalating war between the good guys and bad guys.

Every year, there's more information.  Every year, it's more valuable and hence more attractive as a theft target.  Throw in broader trends like mobile access, virtualization and clouds -- the security war is escalating, and fast.

Historically, many of us have thought in terms of a specific threat: malware, viruses, weak authentication and the like.  And there's still vestiges of old-school perimeter-style security thinking lurking here and there.

Put all of that aside, please ...

Understanding APT

Think back to a favorite big-heist movie.  The plot probably included a large team of specialists, as well as a great deal of patience and planning by the bad guys.  Perhaps there was a systematic exploitation of weaknesses discovered through extensive research.  Maybe even some social engineering angles as well -- targeting specific individuals with specific roles. The perpetrators were likely smart, well-organized, well-funded and very patient.  And they were probably after an extremely valuable target. In a nutshell, that's an advanced persistent threat.  

It isn't a neatly categorized technology issue, more of a systemic pattern of penetration by people who are smart, well-funded, well-organized and very patient -- and going after a very specific target through very specific people.

Is Everyone Vulnerable?

The RSA team has a great soundbite: sooner or later, just like the common cold, just about every organization with something worth stealing will be subject to an APT attack.  

Many organizations have probably been successfully attacked already, and probably don't know it.  Not everyone is highly public in announcing their success in stealing information :)

As I write this from an airplane seat, Fox News is broadcasting a segment on how a group from China successfully hacked into multiple oil companies to steal very specific information using identities of very specific executives.  

More detail will likely come out over time (including the economic impact of the theft, specific means used, etc.) but -- at first glimpse -- it looked like APT to me.

Why Is This Threat Different?

Because APT is essentially a threat based on an organizational pattern, it requires an organizational response.  No specific technology or isolated practice can defeat it -- it requires at least as much investment and effort as the bad guys are bringing to the game!

RSA describes the concept of an "advanced security operations center" (SOC) as a framework for meeting the new threat.  Yes, there are specific technologies identified (including more than a few from RSA), but -- at its heart -- it's an enhanced organization with an enhanced mission to meet a new kind of business challenge.

More importantly, it's how the technologies and processes are used together to combat a persistent threat across multiple fronts using any and all means at the attacker's disposal.

The Road Ahead

I suppose the first question is -- does your organization possess information that's worth stealing?  How valuable (or dangerous) is it in the wrong hands?   Like money in a bank vault, it's a good idea to start with a notion of exactly what's in there.  And -- importantly -- is this likely to be a growing problem over time?

Now, take a hard and cynical look at the governance and risk management processes used by your organization.  I'm not talking about the IT guys, I'm talking about auditors, board of directors, legal counsel and the like.

Does your organization have a strong risk identification and remediation capability at a corporate governance level?  If not, there won't likely be the ability to recognize that the information security game has changed once again, and a new organizational response might be required.

Once the threat is understood, and a leadership response is in hand, it's likely time to start thinking about building (or enhancing) your SOC function.  In particular, their processes (and supporting technologies) must be integrated to support the new style of APT.

Unfortunately, history has shown that many organizations aren't able to recognize and react to new classes of threats.  As a result, they become a likely candidate for yet another prime-time case study for all of us to consider and learn from.

Chuck Hollis

VP -- Global Marketing CTO

EMC Corporation

Can I get my apps and desktops now?

When I think about today's news that Citrix is including HDX WAN optimization in XenDesktop Platinum edition powered by Branch Repeater VPX technology, the first thing I thought of are the Verizon commercials. (large US mobile service provider who feature a technician constantly testing network quality, seemingly every square foot , speaking into his phone, "Can you hear me now?") Verizon's claim to fame is that they have a CDMA network that reaches far into urban and rural markets so that if you spend a lot of time on the road, or live in a rural community, you are very likely to either choose a small regional carrier and pay roaming charges or just go with Verizon. The "Can you hear me now?" commercials had a recent resurgence when Verizon introduced the iPhone to its network last week breaking the AT&T exclusivity on iPhone service in the US. So with Verizon offering the iPhone, Apple will now reach a new customer base that they didn't have access to.

Including HDX WAN optimization technology in XenDesktop Platinum is very likely to have a similar effect. More customers, able to reach the most remote field offices and mobile devices with apps and desktops, with a dramatically improved user experience. And for those existing Citrix XenApp customers, it is one more reason to "trade-up" your existing licenses to XenDesktop Platinum.

Citrix customers have built out their infrastructure to centralize, virtualize, and then deliver business applications and desktops over Wide Area Networks to their users. For these enterprise customers, there just isn't a better way to deliver desktops and apps. They have too many disparate PCs deployed to successfully use their golden images or PC management systems as an application deployment mechanism. They often don't want the data out in remote sites anyway, and now, with the rise of alternative client devices like tablets (i.e. iPad, Galaxy) and smartphones (iPhone, Windows Mobile, Android, Blackberry), they are delighted to find that they had invested in a cross platform application delivery infrastructure solution that they can just "plug-in"to the latest devices entering the workplace with Citrix Receiver.

To make it all work, however, you have to have network. If you can only get adequate performance in less than half of your branch offices, you don't have a solution. So, it is deep in the DNA of Citrix to make the absolute most of available network resources, resulting in HDX WAN optimization powered by Branch Repeater VPX. The Branch Repeater has two functions; 1) Accelerate performance (minimize the impact of latency), and 2) Save bandwidth (reduce the amount of traffic that actually travels over the WAN). What this really means is that:

1) If all you can reasonably get in your field office in Timbuctu, half way around the world and 300 milliseconds away from your datacenter, is a T1 line, you can get to the applications you need.

2) Even if you aren't constrained by the network, you save money by consuming less while continuing to add additional applications, desktops, and users without upgrading expensive network capacity.

3) Regardless of network, users will get better performance.

Up till now, customers had to test and evaluate the network and application or desktop performance to determine if they needed to acquire Branch Repeater technology. Now, all XenDesktop Platinum customers have to do is turn it on.

For existing Citrix XenApp customers who have not yet taken advantage of the Trade-up to XenDesktop Program, this might be just the reason to make the move. The Trade-up to XenDesktop program provides XenApp customers with the most cost-effective, low risk path to leverage their XenApp investment and move to the industry standard in desktop virtualization - XenDesktop. Trade-up now includes three permanent programs (Trade-up, Trade-up PLUS and Trade-up MAX) and a new 2011 promotion (Trade-up RESTART) that can save customers more than 70% on XenDesktop

posted by Kevin Strohmeyer

Citrix

Spam and Phishing Landscape: February 201

The global spam volume, which has been the discussion topic for several months, appears to have finally stopped its decline. The month-over-month global spam volume was down in January again, but this was mostly due to the Rustock botnet shutdown, seen for the first 10 days of the year. We expect to see a month-over-month increase in spam volume in February, which will be a first since August 2010. Overall, spam made up 79.55% of all messages in January, compared with 81.69% in December.  

To find out more, click here the February 2011 State of Spam & Phishing Report, which highlights the following trends:

•    Conclusion of Spam Volume Saga
•    Turmoil in Egypt Shuts Down the Spammers
•    Scammers Seek Support for Serrana Flood Victims
•    Big Brother Brasil Bait is Back
•    January 2011: Spam Subject Line Analysis

Little “Mobile” Shop of Horrors Part II: The Rise of the Unregulated Mobile Market Space

With the projected growth of smart phone sales set to overtake sales of regular featured phones, it’s no surprise to see the emergence of new application market places, app stores, and download sites as demand for content is also expected to grow dramatically; sales in 2011 alone are expected to bring in $15 billion dollars. 

Many telecommunication players are entering the app market arena, converging from their regular business of manufacturing the device, providing the traditional voice service, or just because they feel they can fulfill something that was missing to complete the consumer experience. Taking advantage of the growing demand for content, not to mention the absence of official outlets presences in certain regions, the number of unregulated markets has seen a dramatic rise, providing a perfect incubator and propagation engine for threats such as Android.Geinimi.

From a security analyst’s perspective, the mobile content distribution ecosystem can be broken down roughly into three groups. Group I, the traditional file download site and user forum file share sites. These services have been around as long as the Internet. Primarily starting out with catering to content hungry users looking for software for Windows and Mac users and then adding on download sections for handheld devices as the popularity of PDA and phones with mobile Web browsers grew. 

They may or may not provide file hosting mirrors of the software. User feedback on apps is usually either inconclusive or very basic. On one of these sites, I was able to find a download link to a live threat, right next to an RSS feed of a blog I had written a while ago talking about the threat. Security measures to screen software tends to be limited to using off the shelf antivirus software (in most cases I have seen, the software used is not antivirus software for a mobile device but Windows-based software).

Group II “Vendor certified/Web 2.0 Markets”

With convergence of PDAs and mobile phones, the adoption of mobile devices into the enterprise framework - not to mention the advent of malicious code abusing easy to use API (intentionally designed to improve developer adoption rates) for monetary gains - brought into focus questions on issues such as security, integrity, confidentiality, and data loss prevention. Manufacturers and vendors responded by introducing concepts such as on device signature verification, a single point of distribution, and platform app certification, which sanitized code by extensive and rigorous testing to ensure that software meets not only the manufactures design and platform standards, but also looked into additional concerns, such as privacy, ethical, moral standards, and so on. Certainly by no means is any screening system foolproof and the occasional threat slipped through (once, twice, and even a third time) becoming the focus of many security analyst’s blogs.

The third group (or evolution) tends to be the most interesting from this analyst’s perspective. What can be best described at times as a loose coupling of independent pockets of cloud hosted file repositories brought together via a storefront app (usually only accessible via a mobile device) these fly by night operations seem to be using the same play book used by radio pirates operating off the coast of England in the 70s. Their operations tend to be limited in their broadcast until they are discovered and/or have  to move for one reason or another, at which point the user is required to update the repository list or download a newer version of the app with the location of the file server or repositories.

In regions such as China however, we have noticed these service providers tend to be a little bolder and operate with what can be best described as entrepreneurial flair. In addition to having the usual mobile storefront app, they have also have a strong visible Web presence and they use that visibility and the absences of an official market place to encourage local authors to submit original content; using ad revenue sharing as the monetary incentive, ironically in some cases using the same ad revenue services as managed and/or owned by official marketplaces thus blurring the line even more between legitimate sites dealing with pirated content uploaded by rouge users and an illegal site trying to go legitimate after growing a user base off the back of pirated content sharing.

With projected sales of around $15 billion in 2011, the number of app stores in China will continue to grow at a dramatic rate. As the primary screening mechanisms for content is usually user feedback, pirated or malicious content isn’t immediately flagged and site administrators are quick to point out this fact and disclaim any warranty on damages arising from the usage of downloaded software. From a malicious author’s perspective, these sites tend to be the easiest to target, as the users who patronage these sites have turned off device security checks to allow the installation of unsigned software, also called side loading.

China (followed closely second by Eastern Europe) has long been plagued with threats and Trojanized apps targeting mobile platforms. Threats that silently call or send out SMS messages to premium numbers have become so prevalent that the Chinese government had to take extra measures and setup regulations to crack down on not only the creators but also on unscrupulous handset resellers who were intentionally selling phones preloaded with malware that carried out charge backs. The smaller the charge back, the longer it would take before a user suspects anything is wrong, especially in the case of first time buyers who aren’t used to normal monthly charges for their phone bills.

The creators of Android.Geinimi have a clear understanding of the dynamics of the unregulated market ecosystem. With over 20 app titles that have been reported to contain the Trojan payload, it is unclear if the wide spread availability of the threats was as result of the malicious authors at work or the result of the economics of the unregulated markets at work; in either case the difficulty to determine the answer ensures that the author’s tracks are well covered. Even taken into account was the possibility that a user may find themselves with multiple apps with the Trojanized code and specialized routines were added to maximize effectiveness of the threat to prevent multiple instances of the malicious service all attempting to duplicate work.

Visual summary of Android.Geinimi. Not all of the 20 commands implemented in Geinimi were done with the intention to be remotely executed. Code analysis has revealed that some of the commands were designed to be operated via direct contact with an infected device.

While conducting our investigations into Geinimi and unregulated markets, an additional file came to our attention. The title of the app is “MJ2 New Levels” (a reference to one of the Trojanized versions of Geinimi and also carried the icon from that game). Even though the code breakdown of this sample did not reveal anything spectacular – in fact unlike the other samples this did not contain an app that was Trojanized – it appeared to take advantage of the Davlik sandbox model to hide its tracks. While running it uninstalled itself (user prompted action) before proceeding to uninstall Monkey Jump 2. 

Although at first glance this isn’t a security flaw in itself, the fact that the Davlik file system/sandbox model allows a running program to remove itself from a device and still carry out actions in the same instance (as its still running in the sandbox), does pose a challenge for post forensic investigations as after an incident there are no files left over to examine. Even though we cannot find a direct link to this new sample and Geinimi at this moment in time, this just makes us wonder what other threats are out there in unregulated markets waiting to come to light.

By Irfan Asrar

Symantec

Gartner on Endpoint Security

Gartner just released their annual report on endpoint security (see: Magic Quadrant for Endpoint Protection Platforms, Gartner, 2010)

As you can read in the report, Symantec extended its lead both in terms of vision and ability to execute.  What is really notable, however, is the strong statement Gartner made about the future of endpoint security.  The reports starts with an indictment, "Malware effectiveness continues to accelerate, while vendors are busy polishing increasingly ineffective solutions and doing little to fundamentally reduce the attack surface and protect users."

Gartner goes on to state, "Signature-based malware detection has been limping along on life support for years, yet vendors

seem unwilling to aggressively invest in more-effective solutions, preferring to "tweak" the existing paradigm."

I couldn't agree more.  Last year Symantec encountered more than 240 million unique malware samples.  True, these were mostly minor variants of a far smaller number of malware families.  Also true, most of these variants could be detected through signature scans.  But the point remains that "most" is not good enough.  Malware writers are flooding the internet with automatically generated malware.  Signature scanning isn't dead, it is gravely wounded.  Heuristic/behavioral approaches can help, but results are often inconclusive.  These approaches lack context and history.

Symantec recognized this as far back as 2006 when we started designing Insight (sometimes called Ubiquity), an innovative approach that analyzes files in context, using the age, frequency and source along with other security metrics to expose threats others miss. Insight won't replace signature or heuristic analysis, but it does make those approaches far faster and more effective.  Insight seperates files at risk from those known safe, dramatically reducing the number of files to scan.  It provides a safety rating for each file based on the file's context - allowing heuristics to indict or release files with confidence.  Finally, it gives users confidence as well - confidence that the video codec they downloaded or the free disk utility really is safe.

Our Norton product line, powered by Insight, have dominated the most widely accepted 3rd party detection tests - those from av-comparatives.org and av-test.org.  Recognition of this approach played a big part in Gartner's ranking of Symantec.  Insight will be a cornerstone of all our malware detection products.  Look for it in the next version of SEP.

Mobile Virtualization - Coming to a Smartphone Near You!

1. Smartphones are the next PC: The fundamental role of a mobile phone is changing from being a communication device to an email appliance to a full-on computational device.  Users are now able to do things beyond checking emails/calendar/contacts with many already running a whole slew of applications such as CRM, inventory tracking, expense reporting, HR apps, etc. on their mobile phones.  So for all practical purposes, smartphones are the next generation PC - they won't have a keyboard or a mouse but certainly users will be able to do most of what they need from a mobile device.

Also, accordingly to the latest IDC reports, there will be more smartphones than PCs sold within two years.  It is fair to assume then that more applications, services and data will be consumed from smartphones than PCs.  As this happens, there will be an increased focus on security and manageability as smartphones become first-class and mission-critical devices.

2. SomeOldDude's Law:  Similar to Moore’s Law on x86 platforms, ARM processors are getting faster and cheaper by the day. Qualcomm, TI and others are already offering 1.5GHz dual-core ARM processors for mobile phones.  Most modern day smart phones have at least 512MB of RAM and that is likely to increase as well.  As evidenced today, users will use these devices for more than just checking emails or making phone calls.

3. Consumerization of IT:  The notion of an enterprise buying you a PC and a phone so you can work is becoming an old-school model since most of the millennial folks entering the work force now already have a laptop and a smartphone.  Often times, their personal devices are better than what the corporation provides them so expecting them to use outdated hardware/software is like sending them to Siberia in the middle of winter.  At the same time, many CEOs and CxOs are also bringing these devices to work because they like using them at home and actually prefer to use them at work as well.

It is no wonder then that many CIOs are seeing an increase in employee requests to use personal devices to access corporate content.  While corporate owned devices will not disappear any time soon, employee-owned devices will increase dramatically forcing enterprises to figure out a way to safely and securely provision the right applications, data, services and management policies onto employee-owned devices.

When you put all the above together, you will find that employees will want to run more enterprise applications on their powerful personal smartphones but enterprises will continue to worry about securing and managing enterprise content on these devices.  This is an area where virtualization can help in a significant manner.

Reinventing Mobility

GE illuminates the potential of in-house iPad and iPhone apps. GE may have started with a single bright idea. But its current influence extends far beyond light bulbs and home appliances. GE is one of the world’s largest technology companies, with business units devoted to aviation, clean energy, financial services, media, and health care technology, to name a few. As the company imagines, develops, and builds technologies that transform the way we live, it’s channeling the equally transformative power of iPad, iPhone, and in-house apps to generate new business possibilities.

“Innovating for the future is who we are,” says Linda Boff, GE’s Global Director of Marketing Communications. “We’re always thinking about what’s next. How can technology make lives better and help our customers be more efficient? iPad and iPhone are wonderful ways to inspire us and help us get GE there.”

Productivity to Go

When iPhone was released, GE quickly recognized the business value of enabling its workforce with fast, mobile data access via an easy-to-use interface.

“We were early adopters of mobile technology,” says Dayan Anandappa, Director of Digital Technologies and Collaboration. “Not just for email, but for scheduling, productivity, and getting content anywhere. Before iPhone, travel and meetings always required a laptop. Now you’re no longer tethered to your location — and you’re still productive.”

The introduction of iPad created further opportunities for mobile productivity at GE. “iPad gives me access to email, contacts, PDFs, and PowerPoint presentations,” says Chief Information Officer Vic Bhagat. “I can even get GE-specific data and applications. It’s made things much easier, and a lot more mobile.”

For GE’s sales and marketing staff, the large iPad display makes it a useful interface for sharing business information and presentations, bringing greater immediacy to interactions with customers and colleagues.

“You can use it sitting across from somebody,” says Boff. “It’s not just a more portable laptop — it’s a different technology, and we use it differently. You have this beautiful device, and yet it quickly becomes our device. The apps and data are on iPad, yet it’s very much about GE and the GE brand.”

Business-Building Apps

To maximize its mobile capabilities, GE has established the GE Mobile Center of Excellence, an internal group that develops tools and strategies to make mobile devices more useful for its many business units. The group has already built dozens of apps for in-house use on iPhone and iPad, and has created its own web portal, the GE Mobile App Store, to make it simple for users to find and download apps.

The apps range from industry-specific monitoring and diagnostic tools to business intelligence resources. For example, the company’s Transformer Monitoring app helps manage gas turbine inventory and electric transformers throughout the world, while PDS Movement Planner lets service personnel monitor railway tracks and get diagnostic information on locomotives.

In combination with the unique capabilities of the devices themselves, GE’s custom apps help the company’s core clients accomplish their business goals faster and better.

“The easy flow of information, the ability to flick through pages, the ability to zoom in from a global map to a specific transformer and read all the key performance indicators — these are some of the ‘wow’ moments we get when we launch these apps,” Bhagat says. “Could you do that on a terminal? I don’t think so.”

“GE has some of the best technologies in the world, and now we have the mobile platform to do something different,” Anandappa adds. “The iPhone SDK allows us to seamlessly translate our creative ideas into the technology itself. We can make something easy to use, but the back end can be extremely powerful. The possibilities are endless.”

Post from Apple Blog