Articles by Daniel Nyström

… by car. Falun is a quite small city in the Swedish landscape Dalarna.

Using my new 3G/HSDPA USB stick and it works great. I’m in the middle of nowhere and I got a high strength signal. Makes me think of how much wireless technology has evolved during the last 5 years and how widely accessible it is.

In other news, I participated in my first “Readers panel” over at The Local. The questions posed are mostly about Swedish society and this month the question was “What do you think about the Swedish alcohol policy?”. As usual I was too serious about it and ended up sounding like a politician ;)

In Sweden the FRA-law moves ahead without any of the amendments being implemented as these are scheduled to be included in October 2009. Not good, but really no news. This was announced at the same time that the amendments were presented so I don’t really feel surprised. Same fascistic law anyhow, with or without the pink bow.

PS. For those new to this blog, posts that start with “Q.P.” are “QuickPosts”. This means that I’m most often on the move while writing them and they won’t have any nice, illustrative images like most of my other posts. .DS

Photo: labanex on Flickr (http://flickr.com/photos/labanex/).

Apparently the suggested surveillance and “corporate police” laws weren’t enough for Sony.

From TheLocal.se:

“Sony Pictures in Sweden has employed methods worthy of James Bond in an attempt to protect against the pirating of Quantum of Solace.

The film company is using special night vision goggles to keep an eye on moviegoers attending showings of the latest Bond film at 149 cinemas around Sweden, reports entertainment news agency TT-Spektra.”

Oh - my - god. Those are the words that best describe my immediate reaction.

If I were to be informed that someone would be looking at me with night vision goggles while I was enjoying a movie I had paid good money to see, I would probably sue them. Possibly just file a complaint with the police as that easily qualifies as harassment (or is it OK to look at Sony employees in the dark with night vision goggles?).

Sick.

More here, here, here and here.

Gimmiv.A infection

 
Received some samples of the malware exploiting MS08-067 earlier today and decided to set up a little lab where I more or less manually installed the worm in a controlled environment.
 
Does not seem to be very advanced, but then again it’s just a dropper with worm functionality. The server that this sample tries to contact is down and therefore it cannot download the “stage 2” software pack or send back any information. If it had been able to do so, the picture probably would have been different.
 
Recorded one of my attempts with Jing, but it didn’t turn out too well. Jing ate a lot of CPU (and my test machine is not made of muscles directly ;) ) which made any quick movements very jumpy and in the video it looks like everything goes extremely fast in some sections. This behavior made it miss the fast, and failed, attempts to exploit another box in this subnet… argh..
 
Anyways, click here to see the video! And yeah, sorry about the Swedish OS…
 
A good technical analysis of the Gimmiv.A trojan/worm can be found on the ThreatExpert blog. More information from Microsoft and The Register.
 

Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. Read “About this blog”.

Photo: tricky ™ on Flickr (http://flickr.com/photos/sovietuk/).

Found an interesting article by Martin McKeay through “Security Bloggers Network” which discusses PCI compliance and the implications of hosting applications and data in the cloud.

He boils everything down to one simple point: if you store/transmit/handle cardholder data in a service provider’s network, that network becomes part of the cardholder data environment and needs to be PCI compliant:

“So I made several comments on the post, most of which boil down to referencing PCI requirement 12.8: If you’re sharing cardholder information, i.e. credit card numbers, with a third party service provider, you need to have a clause in your contract that makes the service provider responsible for the PCI compliance of their systems. With the example given, Amazon’s EC2, the chances of getting such a clause in your contract are almost non-existent.”

A subject similar to this has been of interest for me before as Panda MalwareRadar is a cloud service where files deemed interesting are ‘fingerprinted’. Those fingerprints are then communicated to our Collective Intelligence servers in order to be analyzed deeper. For more info on CI, see this whitepaper by Panda Research.

In other words no complete files ever leave the client’s network, but some clients that are in the process of becoming PCI compliant are unsure of what implications services such as this might have. Their general feeling is that they aren’t 100% comfortable handing out fingerprints of possibly malicious processes or files, as it might (theoretically at least) be a false positive. This would lead to unforeseen information disclosure to a third party (PandaLabs and CI servers). We also do inventory of the current patch status with the same tool and the same thing goes for that.

I trust our systems with the information gathered, but I understand their position as well as they have to be able to prove compliance. But is there any need to worry?

It all seems to come down to two questions: “Can you trust your security vendor?” and “What requirements in PCI DSS might be implicated by this type of service?”.

Personally I think that some level of trust must exist between a security vendor and their customers so for me the answer to the first one is Yes. Many security products and services are placed in such sensitive locations that it would be impossible to use them otherwise (not only talking about anti-malware here).

I’m unsure about the second one though and would appreciate any comments on this. From what I’ve been able to find information on, there really shouldn’t be any problems. The one thing that might be troubling is the patch status information, but the information sent can be anonymized to not include data such as computer names or IP addresses so that you only get an overview of the current situation (same goes for the malware detections).
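To make the anonymization idea concrete, here is an added example (my own illustration, not Panda’s code or data format) of what a client-side inventory tool could do with patch status records before they leave the network: hostnames are replaced with keyed pseudonyms so the receiver can deduplicate hosts without learning their names, IP addresses are reduced to a /24, and the report that is actually sent is an aggregate count per missing patch. The record layout, the bulletin identifiers used as sample data and the client secret are all constructed for the example.

```python
"""Anonymize and aggregate per-host patch-status records before transmission.
Added example; the record layout and the pseudonymisation key are constructed
assumptions and do not describe any vendor's real format."""
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample: what an inventory scan might collect on the client side.
# (fin-ws-01 is scanned twice to show deduplication by pseudonym.)
RAW_RECORDS = [
    {"hostname": "fin-ws-01", "ip": "10.20.1.15", "missing": ["MS08-067", "MS08-060"]},
    {"hostname": "fin-ws-02", "ip": "10.20.1.16", "missing": ["MS08-067"]},
    {"hostname": "hr-srv-01", "ip": "10.30.7.2", "missing": []},
    {"hostname": "fin-ws-01", "ip": "10.20.1.15", "missing": ["MS08-067", "MS08-060"]},
]

# Secret that stays on the client side only. The receiving party never sees
# it, so it cannot map pseudonyms back to hostnames by guessing names.
CLIENT_SECRET = b"constructed-example-key-rotate-me"


def pseudonym(value: str, secret: bytes = CLIENT_SECRET) -> str:
    """Keyed hash: the same host always maps to the same opaque token."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize(records, secret=CLIENT_SECRET):
    """Replace host identifiers with a pseudonym and keep only a /24 subnet."""
    out = []
    for r in records:
        network = ipaddress.ip_network(f"{r['ip']}/24", strict=False)
        out.append({
            "host_id": pseudonym(r["hostname"], secret),
            "subnet": str(network),
            "missing": sorted(r["missing"]),
        })
    return out


def summarize(anon_records):
    """Count hosts per missing patch, deduplicated by pseudonym (last scan wins)."""
    seen = {}
    for r in anon_records:
        seen[r["host_id"]] = r
    per_patch = Counter()
    for r in seen.values():
        per_patch.update(r["missing"])
    return {"hosts": len(seen), "missing": dict(per_patch)}


def leaks_identifiers(anon_records, raw_records) -> bool:
    """Self-check: does any raw hostname or IP string survive in the output?"""
    blob = repr(anon_records)
    return any(r["hostname"] in blob or r["ip"] in blob for r in raw_records)


if __name__ == "__main__":
    anon = anonymize(RAW_RECORDS)
    print(summarize(anon))
    print("leaks identifiers:", leaks_identifiers(anon, RAW_RECORDS))
```

The point of the keyed hash rather than a plain hash is that a plain SHA-256 of a short hostname is trivially reversible by a dictionary of likely names; with a client-held key the receiver only ever sees stable but opaque tokens, which is all it needs to count hosts.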

Any PCI DSS experts that feel like commenting on what their experiences are with Collective- or Herd-intelligence technologies and services such as this?

EDITED TO ADD: Mike at Aegenis comments below and recommends reading his follow-up post.

Posh-Book

My colleague Johan brought in a new UMPC to the office today. He’s helping the distributor (a friend of his) get an Ubuntu based Linux distribution working on it as a private project, so he has it for testing purposes.

The name of the unit is “Posh-Book” (view link in IE…) and I must say it’s a bit out there. Remember me bragging about being able to handle a pink sleeve for my A1, well, I’m not sure I could carry something described as “posh”. Hehe ;)

In all other aspects it seems to be quite competent both in hardware and design. It ships with a 10″ screen, VIA C7®-M 1.6GHz Processor (NaNo), 1 GB memory and a 2.5″ 120GB SATA drive. One cool thing is that its operating system specification reads “GNU Linux operating systems (MS Windows Compatible)”, that is GNU first and MS second ;)

For me, the processor being a VIA is a plus as I love everything that’s not entirely standard. On the downside it has been described as a bit hungrier for power and therefore shortening battery life.

Even though it carries a 10″ screen its resolution is set to 1024×600, same as the Aspire One (9″ screen) and others. Its weight is estimated by the manufacturer to around 1.3kg, including a three cell Li-ion battery which is estimated to deliver 2.5 hours of power. No HSDPA/3G module is built-in, so if you’re in need of such solutions you’ll still have to carry your 3G-dongle.

Something I liked was the color of the keyboard that broke off cleanly from the white shell. The orange notations on the keys looked OK IRL as well.

Photo: Posh-Book.

The unit will ship in two different versions, and the number of available USB ports is one of the things that differs. This is the P102 model I’m guessing as it only had 2 USB ports. See the full spec. for more info.

Photo: Posh-Book.

The keyboard worked quite OK and it passed the “I can write ‘Daniel’ without breaking any fingers”-test. Not a very scientific test, but it worked out OK for me in the past when selecting a netbook ;)

Photo: Posh-Book.

And finally some pics comparing my A1 to the Posh:

Photo: Posh-Book.

New toys are fun to look at… Too bad I didn’t get to break it open, that would have made my day complete ;)

Cheers,

From PRQ.SE:

“Till alla kunder!

PRQs verksamhet har nu avyttrats till en grupp utländska investerare. Verksamheten kommer fortsätta precis som tidigare men den dagliga driften kommer ej hanteras av samma personer förutom under en övergångsperiod. Den största skillnaden kommer vara att företaget nu har betydligt bättre resurser. Mer information följer inom kort. Har du några frågor så är du väkommen att kontakta oss.”

In English (my translation):

“To all customers!

PRQ’s operations have now been sold to a group of foreign investors. The business will continue as usual but the daily operations will not be handled by the same people except for a limited period during the transition. The biggest change will be that the company now has much better resources. More information will follow shortly. If you have any questions you are welcome to contact us.”

What is special about this then? PRQ AB is owned (and up until now operated) by the same guys that run The Pirate Bay and hosts some of the world’s most attacked and controversial sites.

Some of the organizations that utilize their services are Wikileaks, The Piracy Bureau, and Kavkaz Center.

More news later on, as their website says.

UPDATE: Previous Swedish blog entries on this: Free and thinking, Fajaf. Regular media articles: ComputerSweden

Photo: Far Cry 2, by shanewarne_60000 on Flickr, CC Attribution (http://flickr.com/photos/shany_410/).

An old friend of mine contacted me today asking if I liked DRM. My answer was “haha, not much ;) Do you?”.

Apparently he had purchased the game “Far Cry 2” from Ubisoft which ships with the SecuROM rootkit, whoops, DRM-software. During installation from DVD his free AVG antivirus protection blocked something leaving a log that looks like this:

"Trojan horse Generic11.BIAK";"C:\Users\[CENSORED]\AppData\Local\Temp\mtka_tmp\matroschka_launcher.exe";"Deleted";"2008-10-27, 20:24:46";

Edited the above line to fit, view a screenshot here.

Remember that this is a game purchased in a store. With money. Hard earned, double-taxed, money. He however ignored the warning thinking that it probably didn’t matter too much and continued on with the installation.

When the game was fully installed he tried to run it and was met by an error sign saying that Daemon Tools was installed and that the game wouldn’t run as long as it was. Disabling the Daemon Tools services did not remedy this problem and he was forced to uninstall his legitimate image opening software.

Alright, now the game should run right? “No more hassle!” like the signs say in the Turkish tourist site Marmaris.

But no. The game still would not run and a generic warning sign is shown. The sign instructs him to download a fix from Ubisoft, and he follows all instructions to the point. No luck, the game still won’t run.

So he figures it’s time for some creative troubleshooting and visits TPB and downloads a crack for the game.

This solves all of his problems. Once again DRM software has failed to secure applications and once again legitimate users have been punished for actually paying for the game.

The real reason to all of his problems was that the SecuROM application matroschka_launcher.exe (what kind of name is that anyways?) looks so weird that the generic trojan detection in AVG triggers a “false positive” (or possibly an intentional detection by AVG?).

This is however not an excuse for Ubisoft as there are threads on gaming forums all over the internet, even on their own user forum, about similar problems with the same application. SecuROM is a really badly built rootkit, whoops, DRM-tool and should not be used for any serious applications. I feel the same for all DRM crap though, so nothing special with this one.

For me it feels very strange that major game vendors such as Ubisoft (which makes a lot of kick-ass games) can fail this hard. Why not put the money spent on DRM into marketing instead, and generate a hype surrounding the launch.

To actually alienate users to the stage where they have to visit piracy sites just to get their purchased games to work.

This is the wrong way to do it people…

Photo: Australia, by mugley on Flickr.

For those who don’t know this already, Australia is one of the countries that are actively filtering and censoring the internet. They are doing this to “protect” their citizens from the big bad wolves that reside in the internet tubes without giving their citizens’ liberty even a second glance.

Read this on the Australian security firm Sûnnet Beskerming’s blog:

“In the lead up to last year’s national election in Australia there were a range of promises made by the incumbent government, under the name NetAlert, which was reported to be for a range of projects including Internet blocking software at the user end, tracking down online predators, and filtering of traffic on the network.

It seems that the new government has now taken the proposals one step further, moving to enforce the legislation that they pushed through at the start of this year. At the time of the NetAlert announcements, the opposition (now the government) were seen to be tacitly approving of the initial presentation and the Labor party had previously been ridiculed over their approaches to, and ideas of, online censorship.

Although the Federal Government has promised to listen to “the best advice”, it seems that they are only listening to the advice that validates and otherwise affirms their approach to online censorship.”

[...]

“There can be no other way to put it other than to suggest that these efforts are being pushed through out of an ignorance of the structure and nature of the Internet, even when accurate information is readily available.”

It’s really frightening to see how fast things can go bad. So far we have not seen this kind of lunacy here in Sweden but it feels like we’re getting there.

The internet’s content is not to be controlled by any unique institution or governing organization, as the whole idea of it is then lost. The Internet is a place that should be a free, unbiased, space for information of all kinds from all sources. Sure some will be hostile, but this is not a reason to filter it.

Don’t the Australian politicians relate what they’re doing to what dictatorships are doing? Can’t they see that they’re heading down a very dangerous path by restricting free speech? Besides this being an anti-democratic thing, remember that a society that closes on itself and censors its citizens never can evolve at the same speed as the world surrounding it, and therefore the country will suffer both economically and culturally.

The Internet was born free and should remain that way. If we can’t do that, then the whole idea behind it is dead and it’s time to form a new network.

Are you with me?

Wordpress

 
Just want to give everyone a pointer at this great WP plugin:
 
WordPress Automatic Upgrade
 
So far I’ve gone through three Wordpress upgrades with this plugin and it works great. It allows for easy backup of both files and databases and makes the transition between versions very seamless and smooth.
 
Credits to Keith Dsouza!
 

Photo: Winerrorfixer, by avlxyz on Flickr.

The debate on what internet security would look like in the year 2020 at Internetdagarna ‘08 made me think.

What will the malware landscape look like in 12 years?

Well, if we look at our history it’s quite hard to see a larger trend as our selection really doesn’t range that far back. Viruses and worms have been present ever since people started networking computers, and some even longer. However, this has always been a very opportunistic area and the “bad guys” have adapted quite easily to the different challenges we’ve put them up to.

Previously the attacks were almost always aimed at being large scale and make as much noise as possible. We had the CIH virus, Loveletter, Melissa, Blaster, Sasser and so on. This type of malware did a lot of damage, caused a lot of headache, made people cry over lost images and cost companies millions of hours in overtime.

But still no one was really hurt. There wasn’t any money missing and everyone kept their identity for themselves. The game was more or less “See mee! PLZ!” and “1′m 4 b3773r VX-coder than you, mother*beep*, our cr3w rule the w0rld!!!1!!!“. Media attention was the holy grail.

This has changed though.

Some years ago (~5 yrs?) we started seeing targeted, financially motivated, malware and organizations that profited from these directly. Back then the malware authors were still learning and a lot of mistakes could be observed. We may have laughed at their worms that had bugs earlier but today it’s not that funny. They’ve learnt from their mistakes and today their cashflow enables them to do real Quality Assurance on their code.

Today almost all types of malware circulating are financially motivated in one way or another. They are adapting their methods of infection and follow world and market trends to identify the times at which hard distribution is most effective.

As my colleague Sebastian Zabala puts it: “For them it’s ‘Money talks and bullshit walks’”. In other words, if it does not generate immediate cash return it is not the least interesting, and terms such as ARPIU (Average Revenue Per Infected User) are being used. This has been the single most dominant motivator for the malware evolution that we’ve seen in the past couple of years.

Several prominent groups have been mapped over the last four-five years, and one of them is the notorious Russian Business Network. They seem to have relocated now, but at one point last year (2007) a very large portion of the malware being distributed was coming from their network. This is probably the same now but from other, more separated, locations that aren’t as easily distinguished.

The methods of distribution were previously very direct and the bad guys were satisfied with the distribution method of one host infecting another, but this has also changed a lot. Much of this change is probably motivated by their need to continuously modify the malware to keep as much code as possible out of AV-vendors’ signature files. Today, a very large percentage of infections happen through web browsers that get exploited by trusted websites. These websites have been hacked in one way or another in order to add HTML that loads malicious code through invisible iframes or scripts.

These attacks are made possible by insecure server-side code which enables attackers to do SQL injections for example. We are also starting to see signs of social networking applications being exploited for the same purpose and a possible method of infection here is XSS (Cross-site scripting). There’s a myriad of different attacks on the same theme, but it’s the same thing here really, insecure server-side code with a twist making the client essential. All in the true spirit of Web 2.0.
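The “invisible iframe” pattern described above is something a site owner can check for on their own pages. The following is an added example (my own illustration, not from the post or any product) of a small scanner built on Python’s standard HTMLParser: it flags iframes that are 0–1 pixels in size or sit inside a container hidden with CSS, and script tags that are loaded from an external host out of a hidden container or straight from a raw IP address. The sample HTML, the hostnames and the 203.0.113.x addresses are constructed (documentation-range) values, and the heuristics are deliberately simple.

```python
"""Flag injected, invisible iframes and hidden external scripts in page HTML.
Added example; sample HTML, hosts and thresholds are constructed."""
import re
from html.parser import HTMLParser

# Constructed sample resembling a compromised page: legitimate content plus an
# injected 1x1 iframe and an off-screen script loader.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://partner.example/widget" width="300" height="200"></iframe>
<iframe src="http://203.0.113.9/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<div style="position:absolute; left:-9999px"><script src="http://203.0.113.9/x.js"></script></div>
<script src="/static/app.js"></script>
</body></html>
"""

# Inline styles commonly used to keep injected content out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


def _is_tiny(attrs):
    """A width or height of 0-1 pixels is a classic sign of an injected iframe."""
    def px(value):
        try:
            return int(str(value).lower().rstrip("px").strip())
        except ValueError:
            return None
    w, h = px(attrs.get("width") or ""), px(attrs.get("height") or "")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


class InjectionFinder(HTMLParser):
    """Walks the page once, tracking whether we are inside a hidden <div>."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.div_stack = []      # one bool per open <div>: is it hidden?
        self.findings = []       # (reason, src) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "div":
            self.div_stack.append(hidden_here)
        in_hidden = hidden_here or any(self.div_stack)
        src = a.get("src") or ""
        external = src.startswith("http") and self.page_host not in src
        if tag == "iframe" and (in_hidden or _is_tiny(a)):
            self.findings.append(("hidden-iframe", src))
        elif tag == "script" and external and in_hidden:
            self.findings.append(("hidden-external-script", src))
        elif tag == "script" and RAW_IP_URL.match(src):
            self.findings.append(("script-from-raw-ip", src))

    def handle_endtag(self, tag):
        if tag == "div" and self.div_stack:
            self.div_stack.pop()


def find_injections(html, page_host):
    """Return the list of suspicious (reason, src) pairs found in html."""
    parser = InjectionFinder(page_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for reason, src in find_injections(SAMPLE_HTML, "www.example.org"):
        print(f"{reason}: {src}")
```

Run it against a saved copy of your own front page after a suspected compromise, or periodically from a cron job that diffs the findings; a legitimately sized iframe from a known partner (the 300×200 one above) is not reported, which keeps the noise down on pages that embed widgets.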

But the method of infection really isn’t that important. There will always be vulnerabilities waiting to be exploited. If not in insecure code, then in user behavior. Just look at the latest waves of fake security products. These often use social engineering to get installed on their victims’ computers, such as faking a Windows desktop and tricking the user into clicking OK or taking other actions to install the malware. These applications alone are estimated to bring in multi-million numbers to the guys behind them this year.

A couple of years back, malware on the Windows platform also started to come packed with rootkits and other methods of concealment. These technologies have been more widely deployed during the last year and we are seeing them being used in layers. For example, the droppers that first reach the systems often do not come with rootkit functionality but load (inject DLLs) themselves into system processes in order to stay hidden. The malicious software pack that is later downloaded more often than not comes with real rootkits, often in the form of system drivers. My guess is that this is meant to make users believe that once they’ve managed to clean out the malware they are in the clear, but only hours later the dropper sucks down another pack of crap and installs it.

From our (AV-vendors) point of view we are seeing steep increases in the number of samples (different versions of the same malware) being distributed and to cope with this problem we are inventing different technologies that either make our signature less important or help us analyze samples. For example Panda has TruPrevent for behavioral analysis and Collective Intelligence for malware identification and faster analysis.

This race will continue. When we establish an effective countermeasure to their latest move, they will change their business model or malware structure. When they do so, we will change our take on the problem.

So… What will the malware scene look like in 12 years?

Well, I don’t really know… I don’t think anyone really knows.

As technology evolves so will the parasitic creatures that feed upon it. My guess is that the malware will be more user tied and that more of the malicious code will be built upon pre-built frameworks that enable faster development. Maybe this already exist?

The Storm botnet that followed us from 2007 into 2008 and still is alive and well is a good example of what the future will have in store. The malicious code relies heavily on social engineering for distribution and installation, and the underlying structure is both stable and agile. They use fast DNS fluxing and double-fluxing in order to keep it alive and also vary the communication method between IRC, P2P (eDonkey) and HTTP.
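Fast flux, as mentioned above, shows up on the defender’s side as a domain whose A records rotate through many unrelated addresses with very short TTLs. The following is an added example (my own illustration, not from the post) of the kind of heuristic a resolver log can be run through to surface such domains: for each domain it counts lookups, distinct answered IPs, distinct /16 prefixes and the mean TTL, and scores the combination. The observation log, the domain names, the addresses (documentation ranges) and the thresholds are all constructed for the example.

```python
"""Score domains for fast-flux behaviour from repeated DNS lookups.
Added example; observations and thresholds are constructed, not real data."""
from collections import defaultdict
from statistics import mean

# Constructed resolver observations: (seconds, domain, ttl_seconds, answered_ip).
# static-cdn.example behaves like a normal CDN host; pharma-deal.example
# returns a different address from a different network on every lookup.
OBSERVATIONS = [
    (0,    "static-cdn.example", 3600, "198.51.100.10"),
    (600,  "static-cdn.example", 3600, "198.51.100.10"),
    (1200, "static-cdn.example", 3600, "198.51.100.11"),
    (0,    "pharma-deal.example", 300, "203.0.113.5"),
    (300,  "pharma-deal.example", 300, "192.0.2.77"),
    (600,  "pharma-deal.example", 300, "198.51.100.200"),
    (900,  "pharma-deal.example", 300, "203.0.113.88"),
    (1200, "pharma-deal.example", 300, "192.0.2.9"),
    (1500, "pharma-deal.example", 300, "198.51.100.33"),
]


def slash16(ip):
    """Coarse network prefix; a stand-in for ASN lookup, which needs external data."""
    return ".".join(ip.split(".")[:2])


def flux_features(observations):
    """Per-domain features: lookups, distinct IPs, distinct /16s, mean TTL."""
    by_domain = defaultdict(list)
    for _, domain, ttl, ip in observations:
        by_domain[domain].append((ttl, ip))
    features = {}
    for domain, rows in by_domain.items():
        ips = {ip for _, ip in rows}
        features[domain] = {
            "lookups": len(rows),
            "distinct_ips": len(ips),
            "distinct_prefixes": len({slash16(ip) for ip in ips}),
            "mean_ttl": mean(ttl for ttl, _ in rows),
        }
    return features


def flux_score(f):
    """Constructed 0-3 heuristic: short TTL, near-unique answers, spread networks."""
    score = 0
    if f["mean_ttl"] < 600:
        score += 1
    if f["lookups"] and f["distinct_ips"] / f["lookups"] >= 0.8:
        score += 1
    if f["distinct_prefixes"] >= 3:
        score += 1
    return score


def suspicious_domains(observations, threshold=2):
    """Domains whose score reaches the threshold, sorted for stable output."""
    feats = flux_features(observations)
    return sorted(d for d, f in feats.items() if flux_score(f) >= threshold)


if __name__ == "__main__":
    for domain, f in flux_features(OBSERVATIONS).items():
        print(domain, f, "score", flux_score(f))
    print("suspicious:", suspicious_domains(OBSERVATIONS))
```

A real deployment would replace the /16 stand-in with an ASN or country lookup and require a minimum number of lookups before scoring, since a domain seen only once or twice cannot meaningfully be called fluxing; the structure of the check stays the same.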

I’m not saying we’ll see more of the same, but rather more malware being based on the same thoughts; Great stability, Good control, Improved anonymity and excellent networking.

Platform independence will probably become more and more important for malicious software as well, as the array of different units used to access the internet is getting bigger every day. By platform I mean both hardware and software.

The challenge for us anti-malware vendors is to keep up. How we’ll be doing that is based on future experiences, but in an ideal situation we come as close as we can to a silver bullet for every new twist that the bad guys throw at us. Our real challenge here is to be equally adaptable to new situations as they are. We need to be able to react quickly and hard without impacting the stability of our customers’ IT systems.

I also think that the user knowledge angle will be more and more important and this will have a big effect on malware distribution. Today I’m seeing younger people just laughing when they stumble upon a strange website and fire up ProcessExplorer to see if something bad happened. This would not have happened five years ago and it changes the way that malware authors have to think.

Hopefully we are up for a cleaner internet tomorrow, but there are no guarantees.

In a worst case scenario the internet might be clogged with garbage, which forces ISPs and national institutions to do filtering in order to isolate the countries that cannot control the organizations behind the malware. This is not something that we want to see and I hope it never goes that far with all of my heart.

Please comment with your thoughts on what the future has in store for us ;)

Cheers,
