Tuesday, January 10, 2012

Ramnit II - coming to a computer near you 'soon'

Ramnit is an evolution in malware, not a revolution. The creators of this worm have taken some of the best features of other malware, including the very successful older Ramnit 1.0, and Frankensteined them into a very efficient credential-stealing application.

It is so much easier and quicker to modify a successful malware application than it is to write a new program from scratch. Another advantage is that, since this worm has already been launched in the wild, the developers know how to change the program's behavior and syntax to make it once again undetectable to modern-day IDS/IPS and antivirus programs.

The base design of Ramnit comes from an older worm that had its roots in stealing financial information from compromised computers. The newer version incorporates several plug-ins, including a Man-in-the-Middle (MitM) proxy, HTTP web injection, an FTP server, and a communication link to a Command and Control server. Ramnit uses older but proven techniques to infect and hide itself on compromised systems, and it is very clever in the way it collects and steals information from the unsuspecting user.

Once a user's system is infected, Ramnit identifies when the user visits a site that requires identity verification. Ramnit then takes advantage of its built-in MitM capability and injects code (via the HTTP injector plug-in) into the user's session.

Example:
The user logs into Facebook. Ramnit identifies the URL and intercepts the Facebook logon page before it is rendered on the user's screen. Ramnit then adds and replaces fields in the page and sends the user a modified logon page that looks official but in reality steals the user's log-in information and sends it to a collection server on the Internet to be used at a later date.
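The "add and replace fields" behaviour above is something a defender can check for. The following Python script is an added example, not code from the original post: it parses the input fields and form targets of a login page and compares them against a known-good baseline, flagging anything a web-inject has added or redirected. The two sample pages, the field names and the baseline are all constructed for the illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a clean login form, and the same page after a web-inject
# has added extra fields and pointed the form at a collection server.
CLEAN_PAGE = """<html><body>
<form action="/login" method="post">
<input type="text" name="email">
<input type="password" name="pass">
<input type="submit" value="Log In">
</form></body></html>"""

INJECTED_PAGE = """<html><body>
<form action="http://collector.invalid/login" method="post">
<input type="text" name="email">
<input type="password" name="pass">
<input type="text" name="card_number">
<input type="text" name="atm_pin">
<input type="submit" value="Log In">
</form></body></html>"""

# Known-good baseline for this page (constructed; a real one would be
# recorded from the genuine site over a trusted connection).
BASELINE_FIELDS = {"email", "pass"}
BASELINE_ACTIONS = {"/login"}


class FormExtractor(HTMLParser):
    """Collect input names and form action targets from a page."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action", ""))
        elif tag == "input" and attrs.get("type", "").lower() != "submit":
            if attrs.get("name"):
                self.fields.append(attrs["name"])


def extract(page):
    p = FormExtractor()
    p.feed(page)
    return p.fields, p.actions


def inject_findings(page, fields=BASELINE_FIELDS, actions=BASELINE_ACTIONS):
    """Return (unexpected input names, unexpected form actions), both sorted."""
    got_fields, got_actions = extract(page)
    return sorted(set(got_fields) - fields), sorted(set(got_actions) - actions)
```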

This information is later loaded into scripts that crawl the web looking for banking and financial sites and try each of the captured accounts, in the hope of logging in with legitimate user credentials and stealing or transferring money.

Ways to reduce your risk.
·         Use multifactor authentication: Example: VeriSign’s free VIP Access App (E-bay, PayPal)
·         Change your passwords often. Use passphrases like AmericanExpressDontLeaveHomeWithoutIt54321 or use the first letter of song lyrics combined with numbers, symbols, and Upper and Lowercase letters: Ptmywygmn665+1 (Try and figure out that song)
·         Do not use the same password for multiple sites.
·         Keep your computer up to date with current patches.
·         Run your e-mail in text mode if possible.
·         Keep your computer up to date with current virus signatures.
·         Scan your e-mail (in text mode) and do not open e-mails from unknown users.
·         Scan your e-mail and do not open untrusted attachments.

Thursday, December 22, 2011

Truth and nothing but the truth.

The BS is starting to flow too deep and the smoke and mirror manufacturers are having a record-breaking year thanks to the endless number of security neophytes cashing in on the industry today. These companies and "experts" have mastered the art of regurgitating unverified and (more often than not) completely inaccurate security information to the masses at a mind-boggling rate. In my opinion this type of activity is borderline criminal when it comes to misleading industries into a false sense of security just to make a quick buck. Numerous security products make impossible claims to stop hackers in their tracks, and companies charge a small fortune for products and services that claim the ability to identify zero-day exploits or Advanced Persistent Threats (APT) on computers through log file analysis or signature-based scanning, which is simply not possible.

Security marketing has taken over the industry, and utilization and profit are the primary focus, with security innovation and sound workable solutions taking a back seat. Billions of dollars are spent on security each year and still millions of computers are being compromised by malware and hacking attacks. Botnet infections are at an all-time high and critical information is being stolen from our networking systems faster than we can create it.

Don't get me wrong, there are some extremely solid security professionals and organizations out there that are doing their best to fight the good fight even with the odds stacked so clearly against them, and I will represent their viewpoints and experiences as well. The sad truth is that many in the security industry feel that there is more money in marketing vaporware and empty security services than there is in actually fixing the problems.

Please stay tuned. More to come.