Secureview 3

3rd quarter 2010
MAJOR POSSIBLE THREATS OF 2010: More widespread and more complex
THE SOUND OF DECEPTION
Internet fraud is becoming more ingenious
A NEW ROUND OF CONFRONTATION
How to fight crimeware more effectively
THE DOWNSIDE OF UBIQUITY
What to do about Adobe’s software vulnerabilities
THE EXPERTS
COMMENT
SKELETON KEYS
Modern Day Keylogging Techniques’

CONTENTS
NEWS
Breakthroughs and trends
in the IT security industry 4-7
REPORT
Infosecurity Europe: Catch
up on all the latest
developments from London 8-9
TOP STORY
Skeleton Keys: Everything you
should know about current
keylogging techniques 10-15
ANALYTICS
The Sound of Deception:
Modern Internet fraud 16-19
The Downside of Ubiquity:
Vulnerabilities in
Adobe software 20-23
A New Round of Confrontation:
Fighting crimeware 24-27
TECHNOLOGY
Somewhere Between Black
and White: Whitelisting
technology uncovered 28-31
FORECASTS
More Widespread and More
Complex: Threatscape 2010 32-34
INTERVIEW
Challenging Rootkits: Complex
threats of today and tomorrow
by Vyacheslav Rusakov 36
A WORD FROM THE EDITOR
Dear Readers,
I am very pleased to be able to bring you the
first issue of SECUREVIEW, a magazine dedicated
to all aspects of the IT security industry. We hope
that you will find it interesting and informative and
we look forward to receiving your feedback.
The News section at the beginning of our
magazine will bring you right up to date with all
the latest trends and exciting discoveries in the
field of information security. There will be reports
from recently held conferences and exhibitions,
many of which will set the course for the industry’s
development in the year ahead.
In this issue our Top Story is dedicated to
the important subject of the theft of personal
data using keyloggers, something that will be
of particular interest to representatives of the
corporate sector. In the coming issues we will
be bringing you detailed analyses of the hottest
topics in the industry, reflecting the interests of
users’ right across the board.
In our Analytics column some of the world’s
leading experts and journalists will share the results
of their research into the field of digital safety with
you, examining the burning issues of the day and
providing solutions to those IT security problems so
often encountered by people in the field.
Technological knowhow is very important for
the IT security industry and that is why in every
issue our Technology section will cover the most
interesting solutions from the last few years that
we think have seriously influenced the computer
security market. Then there’s our Forecasts
section, which we are confident will appeal to a
very wide audience.
Finally, for dessert we’ll be putting the industry’s
experts in the hotseat and getting their responses
to some pretty tough computer security related
questions in our Interview section.
We hope that the topics covered in this first
issue of our magazine will appeal to you and most
importantly, if you are working within the industry,
we hope that you will be inspired to share your own
knowledge and experiences with our readers –
we always welcome new authors. You will be
rewarded for your efforts and interesting articles
will definitely be published! Please, contact us at:
editorial@secureviewmag.com, to leave feedback,
submit an article, or tell us what topics you would
like to see covered in the future.
See you next issue!
Alexander Ivanyuk
Editor-in-Chief
Alexander Ivanyuk
SECUREVIEW
SECUREVIEW Magazine
3rd Quarter 2010
Editor-in-Chief: Alexander Ivanyuk
Editor: Darya Skilyazhneva
Design: Svetlana Shatalova,
Roman Mironov
Editorial matters:
editorial@secureviewmag.com
http:// www.secureviewmag.com
Production Assistants:
Rano Kravchenko,
Ryan Naraine
The opinion of the Editor may
not necessarily agree with that
of the author.

NEWS
www.secureviewmag.com4 |SECUREVIEW 3rd
quarter 2010
NEWS
www.secureviewmag.com 3rd
quarter 2010 SECUREVIEW |5
In the world of botnets and denial-
of-service attacks, 2009 was a
very interesting year. The analysts
at Arbor Networks recently looked
back at the data collected by
about 100 of their ISP customers
on DDoS attacks in 2009 and
found that there were more than
20,000 attacks that peaked above
one Gbps of traffic, and nearly
3,000 attacks that hit 10 Gbps.
That’s a lot of traffic, especially
when you consider that “many,
indeed most, enterprises remain
connected to the Internet at 1
Gbps or slower speeds,” as Arbor’s
Danny McPherson points out.
Today, most enterprises and
online properties don’t traditionally
factor DDoS attacks in risk
planning and management related
processes. That is, while they go
to great lengths to periodically
obtain coveted compliance check
marks related to data integrity
and confidentiality, the third pillar,
availability, often takes a backseat.
This is perhaps largely driven
by auditors with fairly static and
quantifiable lists of controls that
can be put in place to contain
risks associated with traditional
vulnerabilities. Unfortunately,
lack of foresight and appropriate
preparation often leaves folks
scurrying about madly when DDoS-
related incidents do occur, as
they’re not considered until you’ve
been hit at least once.
Most reasonably sized organizations
have a comprehensive plan for
dealing with network outages
caused by natural disasters. But
many of them may not know what
to do if they’re targeted by a major
DDoS attack. But, as Arbor’s data
shows, large DDoS attacks are not
the rarity they once were and it’s
probably better to know who’s going
to do what and when before an
attack happens, than afterward.
ENCRYPTION
Pico Computing based in
Seattle, Washington, announced
that it has achieved the highest-
known benchmark speeds for
56-bit DES decryption.
The company reported a
throughput of over 280 billion
keys per second achieved with
the use of a single, hardware-
accelerated server. The FPGA
computing platform assembled
for this demonstration was
based on 11 Pico EX-Series
cards, and fits into a single off-
the-shelf 4U server.
The massively parallel DES
cracking algorithm used brute
force methods to analyze the
entire DES 56-bit key-space. It
iteratively decrypted fixed-size
blocks of data to find keys that
decrypt into ASCII numbers.
This technique is often used for
recovering the keys of encrypted
files containing known types of
data. The candidate keys that
are found in this way can then
be more thoroughly tested to
determine which candidate key
is correct.
The 56-bit Data Encryption
Standard (DES) is now considered
obsolete, having been replaced
by newer and more secure
Advanced Encryption Standard
(AES) encryption methods.
Nonetheless DES continues
to serve an important role in
cryptographic research and in
the development and auditing of
current and future block-based
encryption algorithms.
Source: www.picocomputing.com
Source: http://arxiv.org/ftp/arxiv/papers/1002/1002.4530.pdf
Scientists from South Korea,
the USA and India have invented
a novel scheme for securing
the transfer of data across
computer networks.
The typical security method
for preventing data from falling
into the wrong hands is by the
use of encryption. However, the
cost of implementing encryption
on a network is high due to its
computational complexity.
The essence of the proposed
scheme is to break the data
to be transferred into many
smaller parts. When put back
together, these parts become
the original piece of data again,
but only if they are reassembled
in a particular way, just like
a jigsaw puzzle. The correct
method for reassembling the
pieces is known only to the
recipient for whom the data
is intended. Any unauthorized
entity that intercepts the
message fragments will not
have sufficient information
to correctly reassemble the
component parts of the
communication and thus will not
be able to read the message.
Cracking 56-bit DES
Jigsaw Puzzles
CODING
Source: http://cwe.mitre.org/top25/
The ‘Common Weakness
Enumeration’ initiative from the
non-profit MITRE Corporation
includes its 2010 list of
the 25 most dangerous
programming errors.
The list is compiled by more
than 50 experts from such
respected IT-organizations as
The SANS Institute, RSA,
Red Hat, Sun, Microsoft
and others.
The most critical programming
errors that can lead to serious
software vulnerabilities are
arranged in the list according
to their importance. All noted
flaws are dangerous because
they frequently allow attackers
to completely take over the
software, steal data, or prevent
the software from working.
Cross-site scripting (XSS), SQL
injection, and Buffer overflow
are considered to be the most
hazardous of all the listed errors.
The rating also contains
detailed technical descriptions
of the flaws, code examples
and related attack patterns, as
well as their methods of error
prevention and mitigation.
The 25 Most Dangerous
Programming Errors
Table 1.
‘SANS/MITRE’s Top 25 Most Dangerous Programming Errors’
1 Failure to preserve web page structure (‘Cross-site Scripting’)
2
Improper sanitization of special elements used in an SQL command
(‘SQL Injection’)
3 Buffer copy without checking size of input (‘Classic Buffer Overflow’)
4 Cross-site request forgery (CSRF)
5 Improper access control (Authorization)
6 Reliance on untrusted inputs in a security decision
7
Improper limitation of a pathname to a restricted directory (‘Path
Traversal’)
8 Unrestricted upload of file with dangerous type
9
Improper sanitization of special elements used in an OS command
(‘OS Command Injection’)
10 Missing encryption of sensitive data
11 Use of hard-coded credentials
12 Buffer access with incorrect length value
13
Improper control of filename for include/require statement in PHP
program (‘PHP File Inclusion’)
14 Improper validation of array index
15 Improper check for unusual or exceptional conditions
16 Information exposure through an error message
17 Integer overflow or wraparound
18 Incorrect calculation of buffer size
19 Missing authentication for critical function
20 Download of code without integrity check
21 Incorrect permission assignment for critical resource
22 Allocation of resources without limits or throttling
23 URL redirection to untrusted site (‘Open Redirect’)
24 Use of a broken or risky cryptographic algorithm
25 Race condition
Large DDoS Attacks Still a Serious Problem
Israeli scientists from
the Ben-Gurion University
reviewed the security system
of the prospective Android
software framework from
Google. The researchers
defined the main threats, high-
risk vulnerabilities, existing
protection tools and relevant
security solutions.
The incorporation of integrated
Internet services on mobile
devices increases their
exposure to damage inflicted
by various types of malware.
The risk is amplified by the fact
that as a smartphone, Android
devices are expected to handle
personal data and provide PC-
compliant functionality, thereby
exposing the user to all the
attacks that threaten users of
personal computers.
Google Android is a
comprehensive piece
of software for mobile
communication devices. The
Android framework includes an
operating system, middleware
and a set of key applications.
The review indicates that the
security mechanisms embedded
in Android address a broad
range of security threats.
Google has implemented the
Portable Operating System
Interface (POSIX) which gives
each application a user ID, this
prevents different applications
from affecting each other.
Setting each application as a
different user prevents one
application from accessing
files and signals from another
and distributes the selected
kernel’s CPU consumption
evenly by default. Additional
security features are provided
through the permission-granting
mechanism that enforces
restrictions on the specific
operations that a particular
application can perform.
Signing applications is another
significant security feature.
The authors also looked
at what additional security
mechanisms could be applied
on Android-based handsets,
such as porting SELinux into
Android and activating a security
policy, enabling a net-filter-
based firewall and an Intrusion
Detection System based on
anomaly detection (termed
Andromaly), etc.
Despite these measures,
scientist identified five high-risk
threats that need attention.
The main security issue that
they raised is the fact that
Android is an open-source
platform whose source code
was published after the first
Android-powered devices were
released onto the market.
This increased the chance of
revealing vulnerabilities in low-
level components (such as in
the Linux kernel, core libraries
or the Dalvik virtual machine).
Moreover, several vulnerabilities
were identified in the Android
permission mechanism which
greatly increases the risk of
malware infection.
The researchers proposed
several security mechanisms
that can mitigate these high-
risk threats.
It is highly important to
incorporate a mechanism,
such as the SELinux access
control system, that can
prevent potential damage
resulting from an attack on
the Linux kernel layer. Also,
better protection should be
added for strengthening the
Android permission mechanism
and for detecting the misuse
of granted permissions. The
authors subsequently gave
highest priority to such things
as the SELinux tools, a firewall,
Intrusion Detection System,
Automated Static Analysis
and Code Verification and the
Context Aware Access Control
solutions. They placed Data
Encryption and the Selective
Android Permission systems
lower down the list
of priorities.
Source: http://arxiv.org/ftp/arxiv/papers/0912/0912.5101.pdf
Unsecured Android
MOBILE SECURITY
Dennis Fisher is
Technology Evangelist
for Kaspersky Lab’s
US Office.
Source: http://threatpost.com/en_us/blogs/large-ddos-attacks-still-serious-problem-011110
THREATS THE EXPERTS COMMENT

NEWS
quarter 2010
NEWS
An international group of
scientists has demonstrated
the possibility of stripping away
the anonymity from significant
numbers of users of popular
social networking sites.
Any technology allowing the
identification of users of social
networking sites, the collection
of data about their habits and
the prediction of their behavior
can be used to cause harm. For
example, such data can reveal
a user’s sexual habits, or render
somebody open to blackmail. But
despite the fact that this threat is
well known, very little has been
done to prevent it.
The researchers demonstrated
the possibility of this type of
attack by identifying a user who
was simply browsing the web. An
attacker can probe the victim’s
browser history for any URLs
that may reveal membership of
any social networking groups.
By combining this information
with previously collected data it
is possible to identify any user of
a social network who happens
to visit the attacker’s website.
In many cases, this allows the
attacker running the malicious
website to uniquely identify his
visitors by the names which they
use in their corresponding social
networking profiles.
This type of attack requires very
little effort to carry out and has the
potential to affect many millions of
registered social networking users
who have group memberships.
The non-profit Cloud Security
Alliance has published a report
defining the foremost cloud
security threats.
Cloud computing is a kind of
distributed system whereby all
computer resources are provided
to the users in the form of Internet
services. As the technology
becomes more and more popular,
criminals use it to improve their
reach, avoid detection and
increase the effectiveness of their
activities. Enterprise and home
users need to better understand
the risks associated with the
adoption of cloud computing.
The authors of the report
identified the following
seven threats:
1. Abuse and nefarious
use of cloud computing
Providers of infrastructure as a
service offer their customers the
illusion of unlimited compute,
network and storage capacity,
often coupled with a frictionless
registration process where
anyone with a valid credit card
can register and immediately
begin using cloud services.
Some providers even offer free
limited trial periods. By abusing
the relative anonymity behind
these registration and usage
models, spammers, malicious
code authors and other criminals
have been able to conduct their
activities with relative impunity.
2. Insecure Application
Programming Interfaces
Cloud computing providers
expose a set of APIs that
customers use to manage and
interact with cloud services.
Provisioning, management,
orchestration and monitoring
are all performed using these
interfaces. The security and
availability of general cloud
services is dependent upon the
security of these basic APIs.
3.Malicious insiders
This threat is amplified for
consumers of cloud services
by the convergence of IT
services and customers under
a single management domain,
combined with a general lack
of transparency into provider
process and procedure.
4. Shared technology
vulnerabilities
Cloud computing vendors deliver
their services in a scalable way
by sharing infrastructure. Often,
the underlying components
that make up this infrastructure
were not designed to offer
strong isolation properties for
a multi-tenant architecture. To
address this gap, a virtualization
hypervisor mediates access
between guest operating systems
and the physical compute
resources. Still, even hypervisors
have exhibited flaws that have
enabled guest operating systems
to gain inappropriate levels
of control or influence on the
underlying platform.
5. Data loss/leakage
The threat of data compromise
increases in the cloud.
Examples include insufficient
authentication, authorization or
audit controls, operational failures
and data center reliability.
6. Account, service
& traffic hijacking
Cloud solutions add a new
threat to the landscape. If an
attacker gains access to your
credentials in the cloud, they can
manipulate data, eavesdrop on
your activities and transactions,
return falsified information
and redirect your clients to
illegitimate sites. Your account or
service instances may become
a new base for the attacker.
From here, they may leverage
the power of your reputation to
launch subsequent attacks
7. Unknown risk profile
One of the ideas of Cloud
Computing is the reduction
of hardware and software
ownership and maintenance
to allow companies to focus on
their core business. This has
clear financial and operational
benefits, which must be
weighed carefully against the
contradictory security concerns —
complicated by the fact that
cloud deployments are driven by
groups who may lose track of the
security ramifications.
As the authors stressed, the
threats described are not listed
in order of severity.
Dangerous Clouds
SECURITY THREATS
Risky Communication
SOCIAL NETWORKING
Source: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
Over the last few months there
have been quite a few news
reports about Banker Trojans
emptying the online bank
accounts of small businesses
in the U.S.
The MitE Banker Trojans
reached its peak of ‘maximum
sophistication’ back in 2007.
This specific subset of Banker
Trojans was - and still is - extremely
sophisticated and will exploit
bank-specific vulnerabilities in the
implementation of two-
factor authentication.
A lot of banks still don’t employ
two-factor authentication for
making transactions. Or, when
they do, it’s a very weak form of
two-factor authentication.
Secure online banking requires
multi-factor authentication. The
authentication code needs to be
received or generated on a device
which is not connected to the
device that’s doing the transaction.
Ideally, not only should the
transaction authorization code
be generated dynamically, but
also the password for logging
onto the banking site. One thing
to bear in mind here is that the
cryptographic response algorithm
needs to be different for logging
on and approving transactions.
The solution to this huge problem
is actually quite simple. Make the
receiving bank account number
a part of the authentication
process. Either send the
number by SMS, or use it as an
(additional) challenge when using
a token. The user knows where
the money is supposed to go.
What we also need to bear in
mind is that since 2006/2007,
a lot has changed. The average
piece of malware has become
a lot more sophisticated. Form
grabbers, for example, are pretty
much standard. In fact, we
live in an age where Microsoft
decided to pull a patch because
of problems which turned out
to be caused by the extremely
advanced TDSS rootkit.
This means that we need online
systems in place that are resilient
to such powerful malware.
The state of online banking in
some ways resembles that of
the Internet. For many banks,
online banking was not directly
designed with proper safety in
mind. Convenience is the major
driver. The Internet was built on
very much the same principles.
I’d argue that solving the online
banking problem is an infinitely
easier task than fixing the
fundamental weaknesses in the
infrastructure of the Internet.
Here’s How to Fix Online Banking Fraud
Roel Schouwenberg
is a Senior Antivirus
Researcher for
Kaspersky Lab’s
Global Research &
Analysis Team.
Source: http://threatpost.com/en_us/blogs/heres-how-fix-online-banking-fraud-022510
ONLINE THREATS THE EXPERTS COMMENT
According to estimates by Team
Cymru Research, the number
of botnets controlled by http-
channels has doubled during the
past half year.
American researchers
associate that tendency with the
widespread availability of ready-
made kits for cyber-attacks.
Additionally, the very user-friendly
interfaces play a significant role
in allowing those without and any
specialist skills and knowledge to
operate http-botnets.
According to the results of
their research, the number of
botnets exploiting IRC-traffic
remains unchanged. Most of their
command and control centers
are situated in the USA and
Western Europe. The USA aside,
many http-botnet owners take
advantage of hosting-services
provided by the BRIC countries
(except India). They are apparently
attracted by the fact that the
financial situation and rapidly-
growing economic development
in China, Russia, and Brazil
means that those governments
cannot make sufficient resources
available for fighting cybercrime.
Source: http://www.team-cymru.org/ReadingRoom/Whitepapers/2010/
developing-botnets.pdf
Transition to http
In an undercover mission to
learn more about the size and
scope of the son of the infamous
Storm botnet, Waledac, German
researchers have discovered the
spamming botnet is much larger
and more efficient than
previously thought.
The team from the Universities
of Mannheim and Vienna boldly
infiltrated the Waledac botnet
from 6 Aug to 1 Sept of last
year using a cloned Waledac
bot that they built and code-
named “Walowdac.” They found
Waledac runs a minimum of
55,000 bots a day, with a total
of 390,000 bots - much larger
than the previous estimates of
20,000 or so bots.
The researchers were also able
to measure the success rates
of various spam campaigns
launched by Waledac, and
were able to observe up-close
Waledac’s newer features, such
as its ability to steal credentials
from bot-infected machines.
The German researchers
calculated from their research
that Waledac could theoretically
send more than 1.5 billion spam
messages per day, and that’s
actually a conservative estimate,
they said in their report (PDF) on
the experiment.
Waledac changes its malware
variants approximately every two
weeks the researchers observed,
and the U.S. is home to the majority
ofthebotsandrepeaters,with 17.34
percent of the spamming bots and
19.5 percent of the repeaters. It
was also discovered that around
90 percent of the Waledac bots
were 32-bit XP machines.
BOTNETS
Source: http://www.darkreading.com/security/vulnerabilities/showArticle.
jhtml?articleID=222200371
Child of Storm Botnet
‘Waledac’ Is Expansive
Source: http://www.iseclab.org/papers/sonda-TR.pdf

NEWS
quarter 2010
NEWS
Have you ever found a false
positive when uploading a file
to a website like VirusTotal?
Sometimes it happens that not
just one scanner detects the
file, but several. This leads to an
absurd situation where every
product which doesn’t detect this
file automatically looks bad to
users who don’t understand that
it’s just false positives.
Sadly you will find the same
situation in a lot of AV tests,
especially in static on-demand
tests where sometimes hundreds
of thousands of samples are
scanned. Naturally, validating
such a huge number of samples
requires a lot of resources. That’s
why most testers can only verify a
subset of the files they use.
Since good test results are a key
factor for AV companies, this has
led to the rise of multi-scanner
based detection. Naturally AV
vendors, including Kaspersky Lab,
have been scanning suspicious
files with each others’ scanners
for years now. Obviously knowing
what verdicts are produced by
other AV vendors is useful.
This is why a German computer
magazine conducted an
experiment along these lines,
and the results of this experiment
were presented at a security
conference last October. The
experimenters created a clean file,
asked us to add a false detection
for it and finally uploaded it to
VirusTotal. Some months later this
file was detected by more than
20 scanners on VirusTotal. After
the presentation, representatives
from several AV vendors at the
event agreed that a solution
needed to be found. However,
multi-scanner based detection is
just the symptom not the cause -
the root of the problem is the test
methodology itself.
Improving test methodologies
was also the reasons why
two years ago a number of AV
companies (including Kaspersky
Lab), independent researchers
and testers founded AMTSO
(Anti-Malware Testing Standards
Organization). We decided to
illustrate the problem during our
recent press tour in Moscow
where we welcomed journalists
from all around the world.
Naturally the goal was to highlight
the negative effect of cheap,
static on-demand tests.
What we did pretty much
replicated what the German
computer magazine did last year,
only with more samples. We
created 20 clean files and added a
fake detection to 10 of them. Over
the next few days we re-uploaded
all twenty files to VirusTotal to see
what would happen. After ten days,
all of our modified (but not actually
malicious) files were detected by
up to 14 other AV companies - in
some cases false detection was
probably the result of aggressive
heuristics, but multi-scanning
obviously influenced some of the
results. We handed out all the
samples used to the journalists
so that they could test it
for themselves.
So where should we go
from here? The good news is
that in the last few months,
some testers have already
started to work on new testing
methodologies. Instead of static
on-demand scanning they try to
test the whole chain of detection
components: anti-spam-module
-> in the cloud protection ->
signature based detection ->
emulation -> behavior-based real-
time analysis, etc. Ultimately of
course, it’s up to the magazines
to apply this type of test and to
abandon approaches that are
simply outdated and outmoded.
If we get rid of static on-
demand tests with their mass of
invalidated samples, the copying
of classifications will at least be
significantly reduced, test results
will correspond more closely to
reality (even if that means saying
good bye to 99.x% detection
rates) and in the end everyone
will benefit: the press, the users
and of course us as well.
MALWARE TESTING THE EXPERTS COMMENT
According to a poll by Sophos,
the amount of spam and harmful
messages on social networks
has increased by 70% during the
last 12 months.
By the end of the year more than
five hundred organizations had
taken part in the poll. Some 57%
of corporate users said that they
had received spam whilst visiting
social networking sites, 36%
reported harmful programs and
30% suffered phishing attacks.
Of the participants polled,
72% expressed awareness
that the irresponsible use of
social networks by employees
could pose a significant risk to
corporate security, with 60%
of the criticism being directed
towards Facebook. It is clear that
of all of the social networking
websites available in the west,
Facebook has the largest
number of members. According
to Sophos, most of the social
networking providers are much
more interested in increasing
their market share than they ever
are in the question of protecting
their users from cybercrime.
It seems paradoxical then that
half of the respondents (13%
more than last year) allow their
personnel to visit Facebook from
their place of work without the
imposition of any restrictions.
Experts continue to mention
that although LinkedIn (A social
network allowing users to seek
out useful business contacts) is
not believed to be a direct danger
to corporate business, personal
information published on that
server may be of a great value to
the cybercriminals. It is because
it is used mostly by professionals
that LinkedIn could easily
become some sort of directory of
companies’ personnel resources
which may provide information
for targeted cyber-attacks.
On the Way to Better Testing
The Expansion of Internet Dangers
Source: http://www.sophos.com/pressoffice/news/articles/2010/02/
security-report-2010.html
SOCIAL NETWORKSSECURITY THREATS
The shorter and more
simplistic a password is, the
more susceptible it will be to
basic, brute force password
attacks. This in turn leaves
the users’ data vulnerable and
hackers are rapidly adopting ever
more smart brute force password
cracking techniques. Despite
this however, users continue to
choose very weak passwords.
The Imperva Application
Defense Center has analyzed the
strength of many user passwords.
The results of the investigation
have been published in their
‘Consumer Password Worst
Practices’ report.
The key findings
of the report are:
• About 30% of users chose
weak passwords the length
of which was equal to, or
below, six characters
• Almost 60% of users chose their
passwords from a limited range
of alpha-numeric characters
• Nearly 50% of users chose
names, slang words, everyday
words or passwords using such
easily-guessed constructions
as consecutive digits and
adjacent keyboard keys, for
example’123456’, ‘12345’,
‘123456789’ and ‘Password’.
It is recommended that users:
1. Choose a strong password
for sites that store personal
information that they value
highly. Bruce Schneier’s advice
is useful. He says: “Take a
sentence and turn it into a
password. Something like “This
little piggy went to market”
might become “tlpWENT2m”.
That nine-character password
won’t be in anyone’s dictionary.
2. Use a different password
for each site – even for the ones
where privacy isn’t an issue. To
help remember the passwords,
again, following Bruce Schneier’s
advice is recommended: “If you
can’t remember your passwords,
write them down and put the
paper in your wallet. But just
write the sentence – or better
still – a hint that will help you to
remember your sentence”.
3. Never trust a third party
with your important passwords
(webmail, banking, medical etc.).
It is recommended that
administrators should:
1. Enforce a strong password
policy – if you give the users a
choice, it is very likely that they
will choose weak passwords.
2. Make sure passwords are not
transmitted in clear text. Always
use https for logins. Make sure
passwords are not stored in clear
text. Always encrypt passwords
before storing them in a database.
3. Employ aggressive, anti-
brute force mechanisms to detect
and mitigate brute force attacks
on login credentials. It makes
brute force attacks too prolonged
to serve any practical purpose,
even against shorter passwords.
You should actively put obstacles
in the way of a brute-force
attacker – such as CAPTCHAs and
computational challenges, etc.
4. Employ a password change
policy. Trigger the policy either
according to a predetermined
schedule, or immediately when
suspicion of a compromise arises.
5. Allow and encourage
passphrases instead of passwords.
Although sentences may be longer,
they may be easier to remember.
With added characters, they
become more difficult to break.
Very Weak Passwords
are Still Very Popular
Source: http://www.imperva.com/docs/WP_Consumer_Password_Worst_
Practices.pdf
The French government has
suggested an initiative to
replace all user passwords with
a single digital certificate that
provides access to all of the
nation’s web services.
According to the project’s
authors, the introduction
of a universal identifier or
‘IdeNum’ as it would be
known, could put an end to
the tiresome necessity of
memorizing a huge number
of difficult alpha-numeric and
symbol combinations that are
supposed to provide security
when surfing the web. According
to statistics provided by
Trusteer, 73% of those polled
admitted that they use their
bank passwords for entering
other online services as well.
The integration of an IdeNum
system would make the
authorization process shorter
for users of any private or
public resources participating
in the scheme and would
also automate the process of
completing online forms. The
multi-functional identifier could
be kept on a separate device,
which may be a flash, smart,
or SIM-card.
At present, more than 20
national institutes including
The Union of French bankers,
The Association of Insurance
Companies and the French
postal service have all expressed
their readiness to take part in
the research. A prototype of the
authentication system is planned
to be unveiled by the middle
of this year, followed by the
introduction of a fully-functional
system in 2011. The lifespan of a
digital certificate will probably be
limited to between 3 and 5 years.
There is no doubt that the
realization of such a difficult
project will take a lot of
resources and financing.
This is in large part due to
the fact that the system of
authentication must not only
certify the users’ identity, but
must also ensure that data
security is maintained as well.
That last issue becomes more
and more relevant due to the
appearance of banking Trojans.
These are able to intercept
transactions in real-time and
change the information therein
without being noticed by any
of the participants. Protecting
digital certificates from theft
is a serious challenge. That
“Key to the Kingdom” will surely
become the ultimate prize for
those whose hunting domain is
the Internet and whose prey is
the funds of the unwary.
DIGITAL CERTIFICATES
Source: http://countermeasures.trendmicro.eu/french-government-to-bid-
adieu-to-online-passwords/
Farewell to a Thousand-and-
One Passwords?
Magnus Kalkuhl is a
Senior Virus Analyst
for Kaspersky Lab’s
Global Research &
Analysis Team
Source: http://threatpost.com/en_us/blogs/way-better-malware-testing-020110

REPORT | Infosecurity Europe 2010
quarter 2010
Infosecurity Europe 2010 | REPORT
Nigel Stanley, Practice Leader of IT Security
at Bloor Research said, “As an analyst I
feel that Infosecurity Europe is the most
important event of the year. It’s here that
you meet with the manufacturers and get
to know about all the latest industry trends.
For me, it is certainly time well spent.” That
the event draws such large numbers of
visitors and manufacturers is due to both
the professionalism of Claire Sellick, Event
Director for Infosecurity Europe, and the
greatly increased threat levels existing in
the field of IT security these days. After
several years of relative stagnation, British
firms are now facing a punishing new wave
of cyberattacks, the impact of which is
estimated to be in excess of £10 billion
[Sterling] per year. “This raises awareness of
IT security management quite considerably,”
Sellick is convinced.
OPENING KEYNOTE
TARGETS DATA LOSS
In his keynote address, David Smith,
Deputy Commissioner for the Information
Commissioner’s Office (ICO) painted the
following picture: “In little more than two
years, 960 instances of data loss were
recorded, that averages out to about 30
per month,” said Smith. According to his
information, the UK’s National Health
Service (NHS) alone accounted for about
30 percent of the total. He believes that
“It is very probable that in the nearest
future it will be a legal requirement in the
United Kingdom to notify the authorities
of any data losses” Even a study by
Pricewaterhouse Coopers had little to
report that offered any hope. A worrying
92 percent of all large enterprises
suffered a security incident or data
loss last year. The study, ‘A Survey of
Information Security Breaches’ found
that cybercriminals were themselves
becoming increasingly organized along
traditional business lines and this is
driving a demand from industry for
adequate means of protection. However,
many enterprises remain woefully
unprepared or only partially ready to
meet the incumbent threat.
For many visitors to Info Security
2010, the workshops on offer were the
real highlight. The organizers divided
the event into three sections: keynotes,
business strategy and technology. The
business strategy presentations earned
consistent praise. With their limited
duration of 45 minutes they were ideally
suited to visitors who wanted to grab as
much information as possible in a short
space of time. The audience very much
appreciated the fact that the sessions
were not usurped for the purposes
of marketing and sales. Ian Mann’s
talk on Social Engineering came in for
particularly high praise. The author of
‘Hacking the Human’ provided several
amusing anecdotes in which he explained
why the human animal sitting in front of
the screen is the biggest security risk for
most companies.
EUGENE KASPERSKY
ENTERS THE IT HALL
OF FAME
Much applause was also heaped upon
the keynote ‘Cyber Warfare - War Stories
from the Front Lines’. The long queues
outside the entrance were a surefire
indication that something special was
about to take place there. What the two
speakers, Marc Kirby and Sean Hanna,
subsequently delivered was probably
the most entertaining and exciting event
of Infosecurity Europe 2010. Eugene
Kaspersky, CEO of Kaspersky Labs also
took to the stage to share his vision of
what the future might hold in terms of
IT technologies. According to Eugene, in
the future the smartphone will be king,
with everybody owning and using one.
Kaspersky, who during Infosec 2010 was
inducted into the Hall of Fame, stated
emphatically that the world will see an
explosion in the development of hardware
and software for smartphones. “I believe
that in the nearest future, smartphones
will have enough memory and computing
power to hold all our personal data, as well
as movies, pictures and other information.”
He stated. “There will be no reason to use a
computer any more. Why would you? All you
need is a keyboard, a screen and a network
connection.” Such a revolution would
increase the attacks on mobile devices
considerably. However, these are far easier
to protect against due to the centralized
nature of the providers’ infrastructure.
As evidenced by the continuing
increase in visitor and exhibitor numbers,
Infosecurity Europe is very much on the
right track. Claire Sellick sees the growing
success of the event as being due to
companies realizing that IT security is
now as essential prerequisite for new and
profitable products and services. Events
like this that bring together suppliers and
customers so that each may appreciate the
wishes and expectations of the other will no
doubt shape the future of the IT industry.
Sellick stated that 82 percent of the stands
available for Infosecurity Europe 2011 have
already been booked. RE
CONCEPT: EXHIBITION
AND LECTURES
As they have in previous years, the organizers
of Infosecurity 2010 pursued a two-tier approach.
The central exhibition hall was the venue for the
exhibiting companies, with booths designed to
allow visitors and company representatives to
hold discussions away from all the hustle and
bustle. Both sides, exhibitors and visitors, rated
the layout very highly. Nina Malchus, Director of
Publishing for SecuMedia and a regular at the
event gave her impression of the exhibition hall:
“The hall is very busy and makes a big impression
on the visitor. There is an awful lot to see,
observe and experience, but it’s possible to get
round everything in a good day.”
David Tomlinson, Managing Director of Data
Encryption Systems was similarly impressed. “Our
booth was visited by many visitors who were very
keen to do business. The event is an ideal place to
meet new clients.” Analysts confirm that impression.
There was no mistaking the result of this
particular match: Infosecurity Europe 1 - Ash
cloud 0! Despite all the disruption to the airspace
over Europe, the UK’s most important security
event, now in its 15th year, drew in a record
number of exhibitors and visitors. Over 12,500
eager attendees turned up to take advantage
of what was on offer from the event’s 324
exhibitors. Many of the visitors were drawn by
the quantity of very well-known and respected
speakers delivering the keynote speeches and
holding workshops, not to mention the fact that
a number of companies chose the event to make
some pretty major announcements. Among them
were Symantec who announced the purchase
of encryption company PGP and GuardianEdge
for a cool $370 million [US]. Two lectures in
particular garnered a great deal of attention:
Pricewaterhouse Coopers (PwC) announced the
results of their study on data loss, whilst David
Smith, Deputy Commissioner for the Information
Commissioner’s Office (ICO), announced tougher
penalties for the loss of customer data.
Security defies the ash clouds
The Infosecurity Europe 2010 event attracted a huge number of visitors
despite the chaos to European airspace caused by the eruption of the
Icelandic volcano. This year the focus was on data loss, Cloud Security
and Web 2.0. There were very many popular exhibition stands at this
year’s event, but the thing that really seemed to pull in the crowds were
the various workshops and presentations that covered everything from
the latest industry technologies through to business strategy.
Elmar Török has been
working in the IT-Industry
since 1989. He became
an author and technical
journalist in 1993 while
studying electrical
engineering in Munich
and Kempten. Since then
he has written hundreds
of articles for just about
every major computer and
networking publication
in Germany. Elmar
specialises in IT-Security
and storage issues,
has a solid knowledge
of server-related topics
and knows his way
around virtualization.
He is the Editor-in-
Chief of the security
periodical “Infodienst
IT-Grundschutz” and
is involved in the final
acceptance process of
new material for the IT-
Grundschutz Catalogues
of the Federal Office for
Information Security.
Article by
Elmar Török
Earls Court: The Place to be for Infosecurity Europe 2010 Where Products and News Abound: Companies present their wares in the exhibition hall
David Smith, Deputy Commissioner for the Information
Commissioner’s Office during his keynote

TOP STORY | Keyloggers
quarter 2010
Keyloggers | TOP STORY
□ A keylogger can be an espionage
device when installed onto a rival’s
system by a competitor.
• Keyloggers can be used by private
detective agencies, special services
and criminal organizations as a means
of spying on users.
• Keyloggers can be part of a malware
program and can be used for the
detection of passwords, credit card
numbers and other such important
information. This type of keylogger can
operate automatically, becoming active
only when certain application windows
or websites are open.
When a keylogger is employed by a
cybercriminal it becomes a very significant
threat to the user, as most importantly, it
allows the acquisition of a user’s passwords
which then provide unauthorized access
to the user’s email, social networking and
online bank accounts.
THE LIFECYCLE OF
A KEYLOGGER
Just as with any spyware, the lifecycle of
a keylogger consists of three main stages:
1. System penetration. This operation
can be performed manually and it is
typical for the majority of commercial
keyloggers. To do this the cybercriminal
needs remote or local access to
the PC. The second variant is the
installation of a keylogger with the help
of programs such as Trojan-Dropper and
Trojan-Downloader. It is very common
knowledge that a lot of Trojan samples
contain keylogger functionality built in for
the purposes of spying on users, usually
for the harvesting of passwords or credit
card numbers.
2. Spying on users. During this process it
is very important for the keylogger to
remain undetected, and several methods
exist to achieve this.
3. Passing the collected data to the
cybercriminal. This process is greatly
simplified where the criminal has access
to the target PC. When access does not
exist, commercial keyloggers offer a rich
choice of possibilities. Data can be sent
via email, passed over a network, or
downloaded from an FTP server.
SOFTWARE
KEYLOGGERS
The general modus operandi of a
keylogging program is that it is loaded
onto a PC where it resides quietly and
monitors keyboard inputs, whilst at
the same time performing a range of
accompanying tasks such as avoiding
detection and passing on any collected
protocols and data etc. There are a large
number of free commercial keyloggers
available, as well as specialized catalogue
sites containing the results of keylogger
tests and their descriptions. A perfect
example of such a resource can be found
at: http://www.keylogger.org
Keyloggers that
operate according to the
interrogation cycle principle
This type of keylogger is the simplest
of all and is based on the system of
assigning a number of API-functions to
the applications for interrogating the
keys on the keyboard. For example,
the GetAsyncKeyState function shows
whether the named key is pressed or
released, and GetKeyboardState returns
an array of 256 elements with the state
of each key on the keyboard, but works
only with GUI applications. This method is
very simple to perform and undetectable
as there is no embedding of DLLs or
hardwired installation, however for better
results it is necessary to use high speed
interrogation, in the order of no less than
10-20 polls per second, otherwise data
can be missed.
Countermeasures: Detecting cyclic
interrogation in itself is not difficult. The
main problem is how to tell whet her it is
a keylogger or a legitimate program doing
The first Keyloggers appeared a very long time ago.
During the MS DOS era at the end of the 80s and
the beginning of the 90s there were a huge amount
of keyloggers about, most of which were written in
assembly language and used the INT9h interrupt
and INT16h capture. Along with the development
and distribution of Windows came the Windows
keyloggers. Their creation was made simpler by
the fact that the Windows GUI already included
a standard keyboard event capture mechanism
and keyloggers based on this system where very
simple and contained no more than thirty to fifty
lines of code. Additionally, such Windows features
as multitasking and multi-window applications
interfaces have made the spies’ task wider. In order
to simplify protocol analyses, today’s data spies have
to determine to which window and which particular
application an input belongs. They can track a user’s
Internet activity, trace IM correspondence, take
screenshots of the display and the active windows
and perform a whole host of similar nefarious
actions, right up to secretly activating the microphone
and webcam. As a result, the majority of modern
keyloggers could more accurately be described as
’universal loggers’ or ‘universal spies’. It should be
noted that most modern keyloggers will actively
disguise their presence on a system, usually with the
help of rootkit technologies.
THE PURPOSE OF
KEYLOGGERS AND THEIR
FIELDS OF APPLICATION
The main purpose of any keylogger is to
secretly record all of the keystrokes made by the
user. The recorded information usually relates
to whatever is happening in the active window. It
is important for protocol analysis as a Windows
user may randomly change the active window a
number of times. Another thing that has to be
borne in mind when working with text in present-
day applications is the possible use of the
Windows clipboard. Thus a keylogger has to keep
track of the clipboard contents and incorporate
it into the protocol when a ‘paste’ command
is detected. The protocol recorded during a
keylogging session then has to be analyzed either
automatically or by the person who installed
the keylogger for the purposes of recovering the
desired data. Typically this will include passwords,
account and credit card login credentials or
specific behavior, such as the entry of data into a
password field or form on a given website.
Statistically keyloggers are more often than
not used as follows:
• Domestic usage: parents spy on children;
husbands and wives spy on each other, etc. In
this situation we are talking about the home PC,
where installing a keylogger and analyzing its
protocol is relatively easy.
• In a business environment keyloggers can be
used for different tasks:
□ It can be used by an insider as an instrument
to secretly spy on their colleagues. The worst
scenario is when the insider is a member
of the IT department, which allows them to
install a keylogger on a user’s computers and
gain access to the recorded data later on
without any problems.
□ A security department may install keyloggers
to spy on users for any number of reasons. The
detection of improper PC use, the collection of
data in internal investigations, the monitoring
of users correspondence and IM traffic, etc.
Skeleton Keys
The ability to monitor what a PC user does on their computer is of great
interest to the cybercriminals, primarily for the purposes of espionage and
the stealing of passwords, but it can also be a positive thing, assisting
with legitimate tasks such as managing staff productivity and protecting
a company from the unwanted disclosure of information. It has long been
understood that where demand exists, supply is sure to follow, and thus
the market is rich in espionage technologies, of which some are free and
others are not. The largest demand within this market is for keyloggers.
Oleg joined Kaspersky
Lab in 2007 as a
Developer in the Complex
Threat Analysis Group.
He was promoted to
Technology Expert
in November 2008
and is responsible for
carrying out research
into new detection and
disinfection technologies,
investigating and
disinfecting remote
systems and analyzing
the behavior of malware.
Article by
Oleg Zaitsev
Chief Technology Expert
at Kaspersky Lab
SpyAgent allows you to monitor virtually everything users do on your computer
Antivirus programs, for example Kaspersky Internet Security 2010, react unequivocally to cyclic interrogation
from the hidden window

quarter 2010
procedure for every IRP of the IRP_
MJ_READ type. The keylogger does
this with the help of the API function
IoSetCompletionRoutine. During the
termination procedure the keylogger has
to analyze the received keystroke data
and then enter it into the protocol or
transfer it to the User Mode component
for further analyses and recording.
• Substitution of the system keyboard
driver with the keylogger driver.
• The use of rootkit technologies. This
approach equates to a User Mode
rootkit keylogger and can intercept
PeekMessage in win32k.sys functions
by means of searching for and modifying
their addresses in the system table
KeServiceDescriptorTableShadow.
Countermeasures: Preventing kernel-
mode keyloggers is more difficult as an
application that installed its own driver
can control the system. However it is
possible. As a minimum, antivirus programs
can block the installation of unidentified
drivers, especially if it is a hidden
installation. Additionally, interception
analyses are possible (for the detection of
rootkit-keyloggers) as well as analyses of
the chain of keyboard driver driver-filters.
HARDWAREKEYLOGGERS
A hardware keylogger is a device
that performs the logging of keystroke
information and is hardware-based
and does not rely on the installation of
any software. The main danger of the
hardware keylogger is that it makes it
impossible to detect the keylogger using
an antivirus or antikeylogger solution.
Additionally, some types of hardware
keyloggers do not even require a physical
connection to the PC at all. By its
principle of operation and information
acquisition methods, the hardware
keyloggers can be classified according to
several categories.
Connected to the keyboard
Often these keyloggers are connected
to the keyboard interface cable. They are
universal and usually connected without
the need to cut any cables. Generally, these
keyloggers take the form of a miniature
device with a PS/2 or USB input connector
for connection of the keyboard and an
output connector for connection to the PC.
Because of its miniature size, a keylogger
is often disguised as something familiar
to the user, for example, a ferrite filter
for the suppression of electromagnetic
interference, or a converter of some
description. The advantage of this type of
keylogger is that its connection requires
literally only a few seconds and this
operation can be performed by unqualified
staff, for example, a cleaner. Such
keyloggers accumulate recorded data on
their internal flash memory (This is the
classic solution. The amount of memory can
vary from around 2 Megabytes up to a few
Gigabytes), or they can transfer the data
via a radio link, for example with the help
of Wi-Fi or Bluetooth. It is important to note
that keyloggers such as this may contain
custom programs too, for example, to carry
out audio recording. These keyloggers draw
their power directly from the PC.
At the present moment hardware
keyloggers cost around $200-400.
A number of companies have set up
production lines for their manufacture.
There are keyloggers that sit inside
the keyboard or system block. This type
the polling, for example, a computer game.
Typically, the approach used is that if an
application window is open, visible and
remains as the input focus – it is considered
that such a poll is legitimate. When the
window is minimized or another application
window has the input focus – then such
behavior is considered suspicious and is
usually automatically blocked.
Keyloggers working as traps
Keyloggers based on a trap mechanism
(Hook) are considered the classic method
for the creation of keyboard spyware
and this approach is well documented
and works only for GUI applications.
Traps allow the keylogger not to trace
the keystrokes themselves, but to track
messages that are processed in the
windows of other GUI applications. The
hook handling code has to be placed in
a DLL, with installation and removal of
the hooks being performed with the help
of the API functions SetWindowsHookEx,
for installation of the hook, and
UnhookWindowsHookEx for removal of the
hook. When SetWindowsHookEx is being
called, the type of message is specified
as one of the parameters for which
the hook handler should be called; in
particular WH_KEYBOARD is designated
for the logging of keyboard events and
WH_MOUSE for mouse events. The hook
can be installed for a particular flow or for
all of the flows in the system.
From a technical point of view, after
registration of the hook the following
happens: after the GUI application
receives the first message that meets the
conditions for hook activation, the DLL
containing the hook code is loaded into
the process’ address space. After that the
hook code receives full privileges.
Countermeasures: The hook’s
installation is not hard to detect and block
with the help of a behavioral analyzer;
also it is not difficult to study the behavior
of the hook code and its reaction to a
keyboard input. The main problem is how
to tell the difference between a keylogger
and a legitimate program, for example, a
keyboard format switcher.
Rootkit-keyloggers
This is relatively rare, but one of the
most dangerous keyboard spies. Its
principle of operation is based on its
ability to capture any set of functions
responsible for message processing or
processing of the inputted text. In the
simplest case, this method is based
on the capture of the GetMessage,
PeekMessage and TranslateMessage
library User32.dll functions, which allows
the monitoring of any messages received
by the GUI applications.
The danger of this keylogger is that
interception can be carried out with
the help of various methods, the set
of captured functions are not known in
advance. ‘Targeted capture’ is possible
when the capture code is inserted only
into specific applications and only under
certain circumstances, for example, when
a password input window is displayed.
Another dangerous feature of the rootkit
keylogger is that virtual keyboards cannot
provide protection from them.
Countermeasures: The embedding
of the capture code is a potentially
dangerous and suspicious action, which
is why it can be detected and neutralized
by antivirus programs during penetration
and at the stage of heuristic checking, for
example, during emulation before launch.
Kernel-mode keyloggers
Spyware of this class are based on the
following three principles:
• Installation of a driver-filter for the
keyboard driver. The method of writing
these drivers has been documented,
for example, it is possible to find
relevant information in the DDK (Driver
Development Kit) on the Microsoft
website (article ID 176417) as well
as an example, Ctrl2Cap, on http://
www.sysinternals.com. After loading,
the spyware must connect to the
keyboard driver stack with the help of
the IoCreateDevice and IoAttachDevice
functions. The important point is that
the driver-filter will not register IRPs
(I/O Request Packets) with data about
keystrokes, but IRPs with requests
for data from the Kbdclass driver.
Information about keystrokes will be
available from the moment that the
Kbdclass driver finishes the IRP and
transfers the requested data to the
IRP buffer. Therefore the keylogger
filter has to install its own terminationAVZ Analyzer is able to describe keylogger behavior in detail
Modern hardware keylogger is not hard to make
The principle of operation of the UserMode keylogger is quite simple
Examples of commercial hardware keyloggers
Corporate keyloggers
Separate mention should be made of
that specialized category of keyboard
spies - keyloggers for the corporate
network. As a rule, they contain a
means for their automatic centralized
installation and online management
and can be integrated with the
domain controller and the personnel
record databases. The transmission
of data from such a keylogger on the
management server can be in real-time.
The keylogger’s controller is also placed
on the server as well as the database
for the accumulation of any results and
the analysis tools necessary to examine
the collected data. Analysis, as a rule,
takes the form of searches for passwords
and expressions and input data on the
frequency and densities of the detection
of the assigned samples. One additional
interesting feature of similar keyloggers is
the system’s reaction to specific patterns
of behavior - for example, the input of
a company’s accounting data into an
open SAP R3 window is considered a
normal action, the input of the same data
into the ICQ window causes the system
to react immediately by notifying the
company’s security services.

quarter 2010
of keylogger is more difficult to detect,
but naturally, it is more difficult to install.
Usually it is installed in the same way
as a classical keylogger, but inside the
keyboard rather than in line with its cable.
It is possible to use a specially designed
frameless model of keylogger that was
created specifically for embedding, or
to create your own basic keylogger, as
can be seen at: http://www.keelog.
com/diy.html which is based on the
AT89C2051microcontroller. Using this
chip, even a schoolboy with an elementary
knowledge of electronics can manufacture
their own keylogger. Additionally, some
companies produce keyboards with
keyloggers already built in which are
indistinguishable from normal ones. (See:
http://www.keelog.com/usb_hardware_
keylogger.html).
Countermeasures: It is very difficult
to protect against hardware keyloggers
as they are almost undetectable using
software tools. The word ‘almost’ is used
here as hardware keyloggers contain
software components that interface with
the hardware. As for the rest, the protection
measures available are pretty low-tech
and include protecting keyboard frames by
using labels and seals along the assembly
joints, the placing of sticky labels on the
points of connection of the cables to the
system block and sealing the system
block itself. Keeping a label log and doing
periodical label audits is then necessary.
Keyloggers operating without
connection to the keyboard
This type of keylogger is much more
exotic than the rest and is utilized when
the acquisition of immensely desirable
information is required and when it is not
possible to use commercially produced
hardware solutions.
Essentially, these keyloggers capture
the secondary electromagnetic radiation
emanating from keyboards and their
associated cabling. The main problem
with using these keyloggers is that the
secondary radiation coming from a
keyboard is of such low signal strength
that it is difficult to pick up from a long way
away. The task is even more difficult to
perform in a room where there are several
computers, each with identical keyboards.
However, stories about the successful
capture of data from distances of 10-20
meters as well as about the development
of such equipment appear in the popular
press from time to time. For example, the
article http://lasecwww.epfl.ch/keyboard/
even contains a video demonstration of
just such a process.
Countermeasures: Countermeasures
are common for Secondary Electromagnetic
Radiation and Induction (SERI). Screening
and good earthing decrease the level of
SERI and special disturbance generators
make it significantly more difficult for
cybercriminals to intercept and identify any
useful information.
Another well known method is simpler
to perform and based on the capture and
analysis of the sound produced by the
individual keystrokes. Scientists from the
University of Berkeley in California carried
out significant amounts of research in this
field and in their results published in 2005
they showed that it is possible to recognize
between 60 and 90% of keystrokes using
ordinary sound recording techniques.
Countermeasures: The main method
of protection in this case is to advise
personnel of the risks and explain that
inputting their password when a mobile
phone is on the table nearby is not the
best way to ensure security.
Secretly observing input
This method becomes more and more
topical because of the fact that modern
portable autonomous video recorders are
no larger than a box of matches in size
and come in many guises: watches, pens,
lighters, packs of cigarettes, car alarm/
locking fobs, calculators, organizers and
other small devices that do not attract
any special attention. The criminal can
‘accidentally’ leave such a recorder on
somebody’s table and come back to pick
it up a couple of hours later. It is important
to say that just a few years ago this type
of devices could only be seen in spy
movies, now they are being manufactured
commercially. Therefore it is not unusual
to come across such devices in the hands
of the cybercriminals. They range in price
from $100 to $400. Such devices are
mainly used in the corporate sphere,
where the probability of commercial
espionage is quite high.
Countermeasures: The main method is
to train and instruct personnel that there
should be no unauthorized devices at their
workstation and particularly in the vicinity
of the screen and keyboard, especially
those left by ‘forgetful’ visitors.
PROTECTIVE MEASURES
As you already know, there is a large
number of keyloggers of different types,
each with its own set of dangers. Let’s have
a look at the main universal methodologies
that can be used to combat keyloggers. It
is important to note that maximum effect
is achieved when a combination of the
measures discussed are used.
Antivirus products
An antivirus solution offers a minimum of
two lines of protection, signature detection
and detection by the various heuristic
procedures which analyze the behavior of the
application. It should be noted that signature
detection is not very effective for a number
of reasons, the two most basic being:
• The standard keylogger is extremely
simple in design and can be written by a
student in 1-2 days (plus on the Internet
there are many complete source
codes available). Consequently, the
signature detection of such home-made
keyloggers will be relatively ineffective;
• Strictly speaking the keylogger is
not a harmful program. It can be a
commercial application with a license
agreement and an installer and the
detection of this application is not
entirely warranted, especially if we are
talking about a corporate product;
Accordingly, heuristic analysis on the
basis of emulation data or behavioral
analysis for example, is not subject to the
drawbacks mentioned above.
Virtual keyboard
Virtual keyboard is an application
(either stand-alone or part of a protection
package), intended for emulation of the
keyboard. The keys of the virtual keyboard
are pressed with the help of a mouse.
Generally, use of a virtual keyboard
makes it possible to evade all forms of
hardware keyloggers as in this case, the
normal keyboard is not used. However, it
does not provide protection from many
software-based keyloggers and other
espionage measures, such as the taking
of screenshots. However, antivirus or
anti-keylogger virtual keyboards will
activate a number of additional measures
to enhance protection, such as blocking
traps, the prevention of screenshots and
other similar activities. The range and type
of these countermeasures are specific to
each product.
Password Managers
A password manager is an application
which contains a database of the user’s
login credentials. Generally the database will
be encrypted and a master password known
only to the user is required for access to
and decryption of the database’s contents.
Sometimes biometric authorization or a
USB-token can serve as a password. The
benefit of password managers is that
passwords are not entered manually each
time, which completely excludes their
interception by all forms of hardware and
software keyloggers.
Rejecting the usual
passwords and PIN codes
The means of protection described
above can be supplemented with the
following methods, which guarantee an
additional level of safety.
• The use of code tables. A code table
is a normal table, which can be stored
in the form of a picture or printout and
contains X times Y number of cells.
Generally anything from 10 x 10 to 16
x 16 is used. A table is generated by
the server and a copy is sent to the
user for printing (or a copy is sent via
registered post). When carrying out
the authorization process the user
is prompted to enter the contents of
certain cells selected at random by the
server. This process can either take
the place of a password or can be in
addition to it. It can be seen that the
interception of a specific combination
will make it possible to learn the
value of two or three cells from the
possible hundred-plus and that during
subsequent authorization sessions,
other cells will be requested. However,
the keylogger is unable to fix the
requested cells position - and so the
criminals will not know which cells were
involved without resorting to taking a
screenshot. The benefit of this method
lies in its simplicity. Similar technology
is used by the Russian payment
transfer system Yandex Money.
• Use of one-time passwords. This
method is similar to the previous one,
but in this case the user receives a
table of one-time passwords, and
once used, that password is then
crossed out. The method can be used
in reverse, with the user removing
the opaque protective coating from a
sequential password list printed on
a card. In this method the danger of
password interception with the aid
of a keylogger is completely avoided.
However, the quantity of passwords
is limited and it will be necessary to
obtain a new list at some point.
• Use of a password generator. An
electronic token is used for the
generation of passwords, the
generated passwords are not repeated
and they are produced according to a
specific algorithm. It is considered that
the algorithm and the secret key within
cannot be deciphered based on just a
few intercepted passwords.
• Adopting two-factor authorization, for
example, with the use of an eToken. In
this case the theft of passwords is not
dangerous, since it is useless without
the accompanying token. The reverse
also applies. The eToken is useless
without the password.
CONCLUSION
Thus we have examined the basics
of software and hardware keyboard
spies. In summing up it is worthwhile
mentioning that the situation in this
area of technology is changing radically
by the day. Two or three years ago
hardware keyloggers were some sort of
techno-marvel, now they are produced
commercially with many different
models available, beginning with the
basic 32 KB types, right up to devices
with several GB of memory and wireless
control. It should be assumed that the
development of the hardware keylogger
market will continue and possibly in the
very near future we will see an entirely
new generation of ‘software-hardware
spies’ which will not require access to
the victim’s computer at all. RE
Kaspersky Internet Security 2010’s virtual keyboard prevents the taking of screenshots
A spy pen with an embedded video camera and recorder
for 3 hours of continuous recording can ‘accidentally’
be placed on the Director’s desk if his company is under
attack from commercial spies
Wireless keyboards - convenience
for the user or paydirt for the spy?
The developers of wireless devices
usually employ a standard interface
for the transmission of data (most
frequently Bluetooth), or use their own
bespoke system of wireless connection,
integrating a transceiver into the
keyboard, connected to the USB or PS/2
socket. In both cases, information is
broadcast about which keys have been
pressed and this can be intercepted
by a cybercriminal. Unfortunately, the
protection algorithms employed in these
circumstances often does not provide
guaranteed security. As a result, it was
only matter of time before the ‘radio
sniffer’ and ‘wireless keylogger’ was sure
to appear. Moreover, one of the most well
known practical manifestations is freely
available at http://www.remote-exploit.
org/Keykeriki.html.
A keylogger can be installed inside a keyboard without it being noticeable

ANALYTICS | Internet fraud
quarter 2010 3rd
quarter 2010 SECUREVIEW |19www.secureviewmag.com
Internet fraud | ANALYTICS
AMERICAN PROTOTYPE
Those websites offering audio drugs
contain an explanation that “Audio
drugs have only appeared in Russia
quite recently. They were developed by
American scientists and are in great
demand on the local market”. This
statement is disputable as this product
has never been heard of in the US, at
least in the form that was used for selling
it in Russia. It is necessary, however,
to make one exception here. Back in
1980 The American Monroe Institute did
popularize binaural waves as a means of
beneficially influencing the human psyche.
They sold tens of thousands of records
and influenced others to produce records
and generators of allegedly binaural
signals that claimed to produce effective
synchronization of brain waves.
At the peak of the popularity of binaural
rhythms in the US, a special I-Doser
program was created which became the
prototype for ‘audio drugs in MP3 format’.
I-Doser was supposed to induce an effect
analogous to audio drugs – to cause
sensations, states of mind, emotions
imitating the effects of various chemical
drugs, etc. The program had the binaural
rhythms theme right at its heart. Obviously
I-Doser was sold online, but the program
itself was free of charge and the download
also contained a few melodies. The
program gained a certain popularity in
the US and some European countries, but
certainly wasn’t the fireworks party that
the creators had hoped for. The absence
of any wide-scale promotional campaign
didn’t help either, and nearly all the users
who tried the program left feedback about
the lack of any effect at all, not even a
headache, caused by using the program.
Thus, the popularity of this new product
in the US and Europe quickly subsided, but
the idea itself continued to live on in the
minds of the ‘social engineers’.
EXPANSION EASTWARD
At first the fraudsters decided to look to
the east – Korea and China. Audio drugs
appeared there around the end of 2008
and the beginning of 2009. In these
countries the social engineers copied
the general concept of I-Doser, offering
downloads of audio files for money
that could then be listened to with the
assistance of special programs. However,
later on the situation was considerably
simplified for these and many other Asian
websites with the appearance of audio
drugs in the popular MP3 format.
Those websites that were offering
audio drugs in China and Korea stated
that the product appeared first in
Italy. Instructions for the usage of
the files were close to the Russian
version in many instances (‘put on your
headphones, close your eyes, relax…etc’)
but the principle of action was described
in maybe a little more details. The cost
of one ‘narcotic’ track started at around
$3, but many users uploaded tracks that
they had purchased to their blogs, which
others then downloaded for free.
On the one hand this led to the rapid
spreading of ‘audio drugs’ among Korean
and Chinese users. On the other, the
largest part of the information about
‘audio drugs’ available on the Internet was
not of a commercial nature, but rather
contained the opinions of those that had
experimented with the new product.
But the party ended as quickly as it
started – by summer when the audio
narcotic wave hit Russia, those in
China had already recognized that the
phenomenon was nothing more than
another fraudulent attempt to part
fools from their money and any mention
of it practically disappeared from the
newspapers and blogs overnight.
ARRIVAL IN RUSSIA
In June, when audio drugs were first
launched onto the Russian Internet, the
sellers started to operate according to their
old ways, with mass spam mailings sent
via instant messaging programs, social
networks and email.
Such mailings went on for the entire
year, but the effect from the very first wave
of spam was such that within the first
week the need to advertise was negated –
news of the audio drugs had started
spreading via word of mouth. Thus by 01
June, Yandex’s “pulse of the blogosphere“
peaked with a total of 94 mentions of
audio drugs, sound drugs and electronic
drugs. In any case, every website offering
narcotics was stuffed full of feedback
from supposed clients who’d already
experienced the sensation. Sure enough,
all of the comments were not just positive,
but highly enthusiastic. Sometimes though
the site’s authors took it too far and
enthusiasm turned into something quite
farfetched and absurd.
On top of that, ghost-users would often
pop up on message forums, or they would
create a blog and add lots of people as
friends, in order to share the supposed
‘euphoria’ that they had gained from
using the electronic marihuana. Against a
background of such powerful advertising
by the sellers, messages coming from real
users stating “I spent money, downloaded
an audio drug, listened to it and got
nothing at all from it” or “All I got was a
migraine” were largely ignored by everyone
except the friends of the user. At worst,
even the users’ friends passed it off as
“It’s all right, it’s nothing unusual. Some
feel it while others don’t.”
The instructions given to the users
by the suppliers stated that any users
wanting to experience the sensation for
themselves only needed a player, some
SCIENTIFIC APPROACH
During 2009, the social engineering fraternity
put their dubious talents to work advertising a
very interesting ‘invention’ - ‘audio drugs’. More
precisely, they used their talents slightly earlier,
inventing the whole concept themselves and
then building the websites to fit their rather
twisted purpose.
So, what on earth are ‘audio drugs’? The answer
to that question is available on any website that
sells ‘audios’, the now-common slang word for these
drugs. According to one site: “Audio drugs are files
which imitate, during the listening process, the
effects of popular drugs, or heighten sexual feelings
or produce any altered states or moods by using the
binaural effect”. The binaural effect is the ability of
a human or animal to locate an object through the
use of sound emanating from the object. The ability
to do this is simply due to each of us possessing two
audio receivers – our ears. So what the peddlers
of this material are telling us is that the effect of
popular drugs can be synthesized using sound.
As part of their ‘completely scientific’
explanation of these audio drugs, some websites
mention the principle of ‘binaural rhythms’ or
‘binaural waves’. Those rhythms are a bit more
complex, as one website explains: “Binaural
rhythms are two tones which vary slightly in
frequency, each tone being delivered separately,
one to each ear. This way, the rhythms are
perceived as being formed inside your head”.
Without going into details, it’s quite possible that
those rhythms are really being used in sound
drugs. But not in quite such a simplistic way…
Research shows that binaural rhythms do not
synchronize brain waves at all. But the creators
of the websites claim that they do, and that this
is what causes the range of feelings that the
user is supposed to experience. The ability of
those kinds of rhythms to produce a relaxing
effect has been common knowledge for a long
time already. It is used, in particular, in special
music designed for meditation purposes due to
its calming effect. Actually, that kind of reaction
has far more to do with a repetitious binaural
rhythm. Everybody knows, for example, that it is
easy to fell asleep listening to the clickety-clack
of a train’s wheels– repeating a binaural rhythm
is the same thing. The question as to whether
and how such monotonous binaural rhythms
produce the sexual effects claimed by the
website owners remains open however.
Now that we’ve got to the bottom of what
‘binaural’ really means, let’s move on and take a
look at how the creators presented their product to
us: “Audio drugs don’t damage your body and won’t
turn you into an addict, but they do have a relaxing
effect on your body, giving you all the feelings that
you get using real drugs, but without the harmful
side-effects”. In general, this part corresponds to
the ideas about using binaural rhythms in music
for meditation – which too is believed to have
a positive influence on the body. What isn’t so
clear, however, is how it’s supposed to leave you
feeling ‘positive and relaxed’ as real drugs can
do, albeit synthetically. Additionally, the authors
of the websites promise us auditory and visual
hallucinations. It’s no secret that hallucinations are
not in any way associated with a healthy mind. So,
can audio drugs ‘positively’ cause psychological
problems? What about the warnings on the
websites saying “We do not recommend that
people with existing psychological problems listen
to binaural waves as it could exacerbate their
condition.” So, a relaxing effect that damages your
mind – that sounds a little strange.
The Sound of Deception
Are you afraid of something? Do you have hopes and dreams? Got any
complexes? Are you a curious person? If the answer is ‘yes’ to any of
those questions, then you are a potential victim of the so-called ‘Social
Engineers’. These ‘social engineers’ use their advanced knowledge of
the psychological weaknesses of humans to lever unwary users into
sending them login credentials for their social networking accounts,
give them access to their PC’s, or to unwittingly ‘share’ the use of their
credit card. Additionally, social engineering is used for the shrewd
placement of product advertisements designed to generate income for
the spammers in the future.
The fraudsters didn’t stint on creating attractive, good-looking advertising for their websites
Maria has worked for
Kaspersky Lab since
August 2008, firstly as
a Junior Spam Analyst,
then rising to become
one of the Company’s
fully-fledged Spam
Analysts. Her main duties
include the analysis of
German-language spam,
completing monthly
analytical spam reports
and participating in the
many Kaspersky Lab
educational initiatives.
Article by
Maria Namestnikova
Spam Analyst
at Kaspersky Lab

quarter 2010
ANALYTICS | Internet fraud
3rd
quarter 2010 SECUREVIEW |21www.secureviewmag.com
Internet fraud | ANALYTICS
stereo headphones and a mobile phone.
Wait a minute…What’s a mobile phone
for? To pay for the product of course! To
receive a narcotic track a user sends an
SMS to a four or five-digit number and
then enters the code they receive into a
special field, which is not an unusual way
of doing things in Russia.
RUSSIA CAN’T
BE UNDERSTOOD....
So, what was the net effect of audio
drugs on the Russian Internet? It was –
it has to be said, overwhelming. Just a
couple of weeks after they appeared, the
young and progressive Internet community
no longer considered audio drugs a
sensation. Some tried it and leant their
expert opinion of the experience to the
knowledge-hungry public, whilst others
were keen to try it, but backed off again on
the grounds of health concerns, and yet
another group were conceptually against
drugs as a phenomenon overall, including
audio drugs in particular. Those hearing
this word combination for the first time
became more and more rare. In blogs,
forums and chats audio drugs became the
hottest topic around.
Unfortunately it was teenagers who
happened to make up the main part of the
electronic drug barons’ target audience,
and as is well known, teenagers are
fairly easily persuaded to try new things,
regardless of their parents’ advice to the
contrary. Tell the younger generation who
have just entered the so-called ‘awkward
age’ that smoking is cool and predictably–
half the school will be hiding from the
teachers and having a cigarette. They do it
to demonstrate the “I am cool” message
to others. The same goes for audio drugs.
Whether it was part of the ‘engineers’ plan
or just happenstance, who knows, but the
major part of their Russia audience turned
out to be between 13 and 16 years old.
Teenagers tried the audio drugs just so
that they could turn up at school with the
appearance of being a sophisticated drug
user and report on their “sensational”
experience. Also discussions seen on some
teenagers’ forums often used another very
appropriate word - ‘autosuggestion’. This
is another vulnerability that the ‘social
engineers’ exploited. In other words, those
‘sophisticated drug users’ of 13-16 years
old often did really believe that they ‘got
a kick’ from what they listened to. They
convinced themselves that they had had all
the sensations that they believed a person
should experience having used one of the
more well-known drugs. So by listening to
monotonous binaural rhythms they only
managed to get excited and hyped up
instead of calming down and relaxing.
However the desire to look cool in
front of one’s peers and the attraction to
forbidden fruits are simple human vices,
characteristic not only of teenagers, but
adults as well. It cannot be forgotten
either that many people, when hearing
the words ‘audio drugs’, would have felt
curiosity and a desire to try something
new, thus we can state with confidence
that the ‘social engineers’ received quite
a wide audience ready to pay for their
‘engineering miracles’. Ostentatious
pseudo-science also helped the criminals
not by chance, but in strict accordance
with their plans. The bait was swallowed
not only by schoolchildren, students
and ordinary Internet users, but also
journalists, including those working in big
news and analytical web publications.
It’s interesting to note that the majority
of publications, especially in the first two
months, did not try to understand the
deeper nature of this phenomenon, nor
did they try to explain to their readers what
audio drugs really were. Most articles
published during July and August were
based on the information provided by the
websites distributing the electronic drugs,
and the majority of user reviews in the
publications were just the usual crop of
very artificial ‘bait’-type materials which
the ‘social engineers’ had placed on the
Russian Internet themselves. The only
threat presented to the readers of those
publications was the line that audio drugs
couldn’t be any more dangerous than
traditional chemical ones. The first articles
that brought people round to believing that
audio drugs were nothing more than simple
fraud appeared only at the end of summer,
after an article called “Attention! A new kind
of fraud” was published on the website
of the Interior Ministry on 27 August.
Unfortunately by that time “A new kind of
fraud” was not new anymore and it was
quite difficult to convince many people of it.
In a few months after the appearance
of ‘the miracle’ on the Russian
Internet, it attracted the attention of
the authorities of some regions. On 23
September 2009 in St.Petersburg, audio
drugs were treated almost the same
as pornography and their distribution
among the under-aged strictly forbidden.
As was announced by the Kommersant-
SPB newspaper (№ 177 (4232) of
24.09.2009)”…trading in such products
is banned within a radius of 150 meters
from child-care and educational facilities,
including high schools and universities”
The loud noise in the press also
played right into the hands of the
criminals distributing the stuff. The
scare-mongering titles of the Internet
newspapers and independent analytical
articles only attracted more of the curious
to it. The ‘social engineers’ themselves
started to use ’scandal’ topics to attract
attention to their product. “Danger: audio
drugs can be downloaded for free!”, “Audio
drugs affect brains” and “Audio drugs in
MP3 format cause harm” – screamed
the subject line of one of the posts on a
popular blogging resource. However, the
same post then went on to say that audio
drugs are “cool” and provided links to
some respective sites where one could
find one’s own proof.
THECROPISGATHEREDIN
Audio drugs as we all know only too
well were very successful for the ‘social
engineers’. Certainly, behind all the noise
and doubts about ‘High – or no high’,
‘Harmful – or not harmful’ there lies a
simple thirst for profit. The abundance
of similarly-styled websites appearing
en-masse on the Internet at the time
were nothing more than the fruits
of partner program activity. It’s well
recognized that many of the participants
of partner programs certainly don’t hide
their activities and openly share their
impressions of their associations with all
and sundry.
It was thus in a blog on one of the
partner program websites during mid-July
that the following information appeared.
“As far as audio drugs go – when it was
new the theme was great! I tried this
theme a month ago and very quickly
hit 100K Roubles a day! The author
goes on to describe in detail which
tools were used to promote it on which
websites, before eventually admitting
to making “20-60 of Dollars per day”.
So popular has this theme proved, that
cybercriminals were willing to shovel
money at it, whilst journalists, deputies
and simple users continued their
ideological disputes about whether audio
drugs were harmful or not.
SOMETHING NOVEL?
By the autumn of 2009, largely due to
the recession, the fever had died down.
It was time for the social engineers’ to
come up with their next big thing and it
needed to be bigger and better than their
previous brainchild. This time it wasn’t
long in the making, driven by their urge
to earn big bucks. Adding a new twist to
their previously successful scam, they
introduced ‘Stereohypnosis’ and to make
sure everyone knew about their latest
novelty, they spammed just as many as
they could by every available means.
The theme of audio drugs undoubtedly
had become very noticeable very quickly.
Despite that, it was already possible to
search Google and find websites offering
video files for download which supposedly
acted on the subconscious, this time,
by means of ‘stereohypnosis’. The name
has become more lengthy and complex
if you notice. ‘Social engineers’ have
long continued to play up the pseudo-
scientific nature of their ‘inventions’. With
stereohypnosis they went one step further,
making it better and more interesting-
sounding than plain old audio drugs. An
explanation consisting of scientific terms
and offering descriptions of its principles
lends itself as well to the electronic page
as it does to the printed page.
Exactly as with the audio drug websites,
stereohypnosis it was claimed, caused
altered states of consciousness– from
offering relaxation after a long day’s work,
to the heightening of sexual stimulation.
Among the many websites offering various
methods to heighten sexual sensations it’s
not difficult to find many selling ‘A stereo
version of viagra‘.
Creditable reviews from those exalting
the power of hypnosis have long since
appeared on numerous web pages and
websites, and in abundance on the
websites distributing ‘stereohypnosis’.
CONCLUSION
Whatever they do, there are large
doubts that the ‘social engineers’ will
repeat their earlier triumphs, advertising
got underway at the beginning of March
and since then there’s been a distinct
lack of noise from either the electronic
mass-media or the Internet communities.
It seems to prove that the spam mass-
mailings were not as effective as in the
past and that the ‘social engineers’ may
have miscalculated. Firstly, over the past
few months many people have started to
associate payment by SMS-messaging
to short numbers with being ripped off.
Secondly, ‘stereohypnosis’ does not
actually offer anything new under the
sun, and besides, the similarities of the
websites just reinforce peoples’ feelings
of distrust, not to mention the statement
itself, ‘Safe Drugs’ proving an oxymoron
for just too many. RE
Some Russian spam simply contained a link for users to click on, without even mentioning the product in the text
Stereohypnosis’ – the next big thing for the gullible
The Chinese press was quick to pick up
on the topic of audio drugs
The I-Doser program was even available as an iPhone app!

ANALYTICS | Vulnerabilities in Adobe Software
quarter 2010
Vulnerabilities in Adobe Software | ANALYTICS
A day later, Jeremy Conway, a Researcher
and Product Manager with NitroSecurity,
demonstrated a way to copy the
embedded executable from one PDF
file to another using Adobe Reader,
opening up the possibility
of a PDF worm.
It's a beautiful target, if you want to do
some damage, Conway says. I don't know
of any target larger than Acrobat Reader.
Welcome to Adobe's world. The
popularity of the portable document
format has made Adobe's Reader and
Acrobat top targets of researchers' and
attackers' efforts to find and exploit any
application flaws. The company's other
ubiquitous platform, Flash, has attracted
similar attention from attackers focused
on exploiting victims through the web.
Typical attacks either focus on the
browser or popular browser extensions,
such as Flash Player.
In that bucket, Flash is at the top of the
list, says Michael Sutton, Vice President
of Research for web security firm Zscaler.
The attention of attackers spells out a
big problem for Adobe. Last year, Adobe
Acrobat and Reader became the No. 1
target among flaw finders focused on
file-format vulnerabilities. While attackers
and researchers ramped up research
on Microsoft Office starting in 2006, the
number of vulnerabilities disclosed in Office
formats peaked in 2008. Now, Adobe
Acrobat and Reader are the top targets. Last
year, researchers found 48 vulnerabilities in
Acrobat and 38 in Reader. Security issues in
Office had dropped to 35.
The trend looks likely to continue this
year, with Adobe's two products on track to
see more flaws and Microsoft Office less.
UNDER ATTACK
It's not only researchers that have
taken a greater interest in Adobe
products. Malicious emails using Adobe's
PDF format account for 61 percent of
all the targeted attacks seen so far
in 2010, according to antivirus firm
F-Secure. Overall, targeted attacks are
set to double this year, according to
Sean Sullivan, a Security Advisor with the
company's North American Labs.
We are seeing a higher percentage of
attacks using PDFs and more attacks as
well, Sullivan says.
Attackers also have Adobe's Flash
platform in their sights. In the last half
of 2008, a vulnerability in Flash Player
became the most exploited browser
security issue, according to Microsoft's
Security Intelligence Report. In the first
half of 2009, the most recent data
available, the trend continued with
17.5 percent of browser-based exploits
attacking one flaw in Adobe's Flash Player.
The trend comes as no surprise. Over
the last decade, researchers have moved
away from finding operating systems
vulnerabilities and focused instead on
applications, where flaws are easier to find.
Applications now make up the vast
majority of vulnerabilities. Jeff Williams,
Principal Group Program Manager for
Microsoft's Malware Protection Center,
told Threatpost in a statement.
The increased attention has put Adobe
products and their development process
in the spotlight.
Microsoft found itself in a similar
position a decade ago. In 2001, the
double tap of the Code Red and Nimda
worms, which exploited a handful of flaws
in Microsoft products, led to the company
creating its Strategic Technology
Protection Program and to CEO Bill Gates'
decision to turn the Microsoft juggernaut
around and focus on security. The
company did not have a chance to lose
its resolve either. The spread of Slammer
in 2003 led to Microsoft committing to
improving the quality of its patches and
simplifying its autoupdate process. Two
months after that, MSBlast infected
millions of Windows PCs, prompting
Microsoft to focus its next service pack
for Windows XP on security.
Microsoft climbed that learning curve
ahead of other vendors, says Zscaler's
Sutton. Adobe is definitely on that
slope – again, because they had to be.
There is a negative reputation that the
security in Reader and Flash are in need
of improvement.
FROM REACTION
TO ACTION
For Adobe, the turning point came in
2008. While Microsoft and its Office
applications continued to take the brunt
of researchers' and attackers' efforts to
find flaws in file formats, the number of
vulnerabilities disclosed in Acrobat and
Reader had hit an all time high.
Revamping the company's approach to
security became a top priority at Adobe.
In August 2008, the company hired
Brad Arkin – a former manager from
Symantec and @Stake – to head efforts
to secure their products. In December,
the company opened up communications
with the security community with a
statement simply titled: We care.
It is very clear to Adobe that we are
receiving increased attention from the
security community, Peleus Uhley, a
Senior Security Researcher at the firm,
wrote in the blog post at the time. Adobe
has been responding to this increased
attention over the course of the last year
by proactively investing in both internal
and external security measures to further
protect our customers.
As part of its efforts, about half the
company has gone through a security
When security consultant Charlie Miller
decided to look for vulnerabilities in popular file
types, selecting the portable document format
was a no-brainer.
Something like 90 percent of computers have
Adobe Reader on them, he says. These are
programs that are ubiquitous in use, but have
a track record of security problems on them,
and that makes them interesting. Miller found
that a fairly dumb script that tries different
combinations of PDF file inputs can cause a
large number of possibly-exploitable crashes in
Adobe Reader and Apple's Preview PDF viewer.
Miller, a Principal Consultant at Independent
Security Evaluators, is not alone in his interest.
A week after Miller's presentation, researcher
Didier Stevens reported that the warning
message displayed by the command for
launching external applications from Adobe's
Reader and Acrobat could be modified, allowing
malicious applications to be run from a single
PDF file with a watered-down warning message.
The Downside of Ubiquity
Three years ago, attackers favored Microsoft Office as their vector
of choice for compromising systems. Now, Adobe’s products are
under the microscope.
Adobe created webpage that contains important information regarding security vulnerabilities that may affect specific versions of Adobe
products and solutions
National Vulnerability Database statistics data
0
15
30
45
60
2004 2005 2006 2007 2008 2009
Vulnerabilities Disclosed
Microsoft Office
Adobe Acrobat
Adobe Reader
Adobe Flash Player
Robert Lemos is a veteran
technology journalist
of more than 13 years,
focusing on computer
security, cybercrime, and
enterprise issues. Mr.
Lemos spent eight years
as a staff writer at ZDNet
News and as a senior
staff writer at CNET News.
com, which purchased
ZDNet in 2000. He acted
as editor-at-large for
SecurityFocus, a security
news and information site
owned by Symantec Corp.,
from April 2005 to August
2009, providing daily
independent journalism
and investigative
articles covering security
incidents, malicious
code, vulnerabilities
and cybercrime.
Article by
Robert Lemos

Secureview 3

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Secureview 3

Similaire à Secureview 3 (20)

Plus de Felipe Prado

Plus de Felipe Prado (20)

Dernier

Dernier (20)

Secureview 3