Personal Security – What Can Be Done?


Introduction

It’s no secret that keeping your computer free from malware has become much harder. I remember, about 12 years ago, my friend showing me a CD and announcing that it was an antivirus which would keep his computer free of all viruses. Back then having an antivirus would pretty much make your computer untouchable; antiviruses were unicorns and rainbows to anyone who had the money to spend, but sadly times have changed.

The Problem With Antiviruses

To the average end-user, antiviruses give a false sense of security. This isn’t the fault of the antivirus company; their job is to play catch-up with the professional malware developers. Generally, when a new piece of advanced malware is created, the antivirus company must first acquire a sample, then reverse engineer it and research how to deal with it, and finally write or update software to combat it. With certain threats such as bootkits, which do not store files within the file system, it is not a case of just updating the signature database and saying goodbye to the infection; it is usually necessary to construct special tools to remove the threat (TDSSKiller is a good example of one of these special tools).
Of course antiviruses do employ methods to combat future malware as well; proactive protection is a good example of this, but it has its limits. A common goal of professional malware developers is to make the malware seem as legitimate as possible, which makes it hard for antiviruses to distinguish between advanced malware and legitimate software. The antivirus could just alert the user to any possible sign of a threat and let them decide what to do, but for the average end user this is likely to cause many issues.
Antivirus companies need to appeal to the masses, which means making the software as user friendly as possible. Sadly the average user doesn’t know what they’re doing when it comes to security, so the result is the antivirus only being able to offer partial protection. Even the more advanced computer users are often not aware that keeping your antivirus up to date, not opening risky email attachments, and not downloading software from non-trusted publishers just won’t cut it.

Drive-by Exploits

Drive-by exploits are the root of all evil when it comes to security; who’d have thought you could get infected by visiting your favorite site or clicking a link that appears to have been sent by a friend? For the few of you who don’t know, a drive-by exploit is the use of a web-browser or browser-plugin exploit to execute malicious code. The exploit can be in the form of any page or document a web browser might view, it is triggered simply by your visiting the page, and the end result is attacker-specified code being executed on your computer, all with no sign that anything is wrong.
There’s already a large attack surface if you think about all the sites that could be hacked and loaded with malicious code, but it doesn’t stop there. Many sites host 3rd party adverts to generate revenue; these 3rd party ad distributors can be hacked, but even simpler, an attacker can sign up with the company and pay them to distribute an advert that they may or may not know contains malicious code. There are also people spreading links from hacked social network or email accounts.

Staying Safe (Anti-Malware Edition)

Here are some of the methods I use to minimize the risk of infection and malware-related loss. Some will appeal to the more technical PC users, while others are aimed at the average user.

Adblock

Adblock is a pretty self-explanatory plugin that blocks nearly all adverts on a webpage, which reduces the attack surface for drive-by exploits. Obviously there are some ethical issues with Adblock: you are causing multi-billion dollar companies, that care greatly about your well-being, losses in the tens of dollars. OK, that was a joke, but some small companies and individuals also use adverts to generate revenue; ads can sometimes be their only source of income and help keep their services free. It is however possible to customize Adblock to only block ad distributors which are known not to put any security measures in place.

Browser Plugins

Let’s face it, you don’t need that plugin to tell you what the weather is currently like outside. It is beneficial, from a security standpoint, to disable ALL plugins you don’t desperately need. Web browsers such as Chrome allow you to set the browser to ask you before it uses a plugin; this allows you to set the plugins you do need (Flash Player, PDF reader, etc.) to only run when you want them to (e.g. only on trusted sites). I also recommend you consider moving to Detroit and leaving your front door open all night before you consider installing Java into your browser.

JavaScript

Personally I have my browser set to only run JavaScript on white-listed sites. Going through and having to white-list every site you trust or that requires JavaScript is a pain, but it does add a nice layer of protection. I’m sure there are some nice plugins that make it easier to stop unwanted JavaScript being executed, but I have opted to stick with the old-school method.

Virtual Machines

In my opinion, this method of security beats all the rest put together. A virtual machine (VM) is software that provides a savable, contained, virtual instance of a computer. You can install Windows and it will behave exactly like a real computer, except for one difference: you can save, roll back, roll forward and suspend the virtual computer. This is not like Windows Restore; it is literally as if someone replaced the contents of your hard drive and RAM with the contents that existed at the time of the save. Because of this functionality it is possible to get infected, then roll back the VM to a snapshot you saved before you were infected, and it will be as if nothing ever happened.
[Screenshot: a VM, in case my terrible explanation didn’t quite cut it.]
I recommend creating two virtual machines; they do not need more than 512 MB of RAM and 20 GB of disk space each. One VM will be for running software you don’t trust: you always assume this system is infected, only use it to run non-trusted software, and never use it to log in to any accounts you wouldn’t want stolen. The other VM will be for logging into valuable accounts (no, not Facebook); ideally this VM will only be used for bank accounts or other highly sensitive information. For this VM I recommend installing a clean copy of Windows, setting up the internet connection, downloading your favorite browser, then immediately creating a snapshot of the current state. This state is your non-infected state: you log in to your account, do what you need to do, then revert the VM to the non-infected state. Reverting the VM after each use is a safety measure; if you somehow managed to visit a site and get infected, the malware will be lost in the revert, preventing it from stealing any details during your next use.
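
The snapshot-then-revert routine for the sensitive-accounts VM, scripted as an added example (this is not the author’s code). It assumes VirtualBox, whose VBoxManage command-line tool provides the snapshot, startvm and controlvm commands used here, and it assumes a VM named banking-vm with a clean snapshot named clean-state; both names are placeholders. Each function returns the command it would run, so the workflow can be read and checked without a hypervisor present.

```python
"""Revert-after-use workflow for a 'banking' VM driven through VBoxManage.
Added example; VM name, snapshot name and the VirtualBox assumption are ours."""
import shutil
import subprocess

VM_NAME = "banking-vm"          # assumed name of the sensitive-accounts VM
CLEAN_SNAPSHOT = "clean-state"  # assumed snapshot taken right after the clean install


def take_clean_snapshot(vm=VM_NAME, snapshot=CLEAN_SNAPSHOT):
    """Record the freshly installed state. Run once, before the VM is ever used."""
    return ["VBoxManage", "snapshot", vm, "take", snapshot,
            "--description", "clean install + browser, never used for browsing"]


def start_vm(vm=VM_NAME):
    """Boot the VM with a window so the user can do their banking in it."""
    return ["VBoxManage", "startvm", vm, "--type", "gui"]


def poweroff_vm(vm=VM_NAME):
    """Hard power-off; a snapshot can only be restored while the VM is off."""
    return ["VBoxManage", "controlvm", vm, "poweroff"]


def restore_clean(vm=VM_NAME, snapshot=CLEAN_SNAPSHOT):
    """Throw away everything (including any infection) since the clean snapshot."""
    return ["VBoxManage", "snapshot", vm, "restore", snapshot]


def session_commands(vm=VM_NAME, snapshot=CLEAN_SNAPSHOT):
    """One session in order: start, (user works), power off, revert to clean."""
    return [start_vm(vm), poweroff_vm(vm), restore_clean(vm, snapshot)]


def run(cmd):
    """Execute a command list, refusing clearly if VirtualBox is not installed."""
    if shutil.which("VBoxManage") is None:
        raise RuntimeError("VBoxManage not found; is VirtualBox installed?")
    subprocess.run(cmd, check=True)


if __name__ == "__main__":
    start, stop, revert = session_commands()
    run(start)
    input("Do your banking inside the VM, then press Enter to power off and revert... ")
    run(stop)
    run(revert)
```

Because the revert happens every time, anything picked up during a session (a drive-by exploit, a dropped file, a modified browser) is discarded with it; the one thing the routine cannot protect is whatever you typed during that session, which is why the VM is kept for the handful of sites that matter.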

Other PC Users

Just because someone is using a limited or guest user account, it doesn’t mean any malware they introduce to the system isn’t capable of elevating privileges and infecting your account. It is important to educate everyone who regularly uses your computer and keep an eye on those who don’t; family members and friends make for great malware infection vectors.

USB

Although the days of autorun.inf exploits are long gone, some USB infection methods still exist. The most common USB infection method at the moment requires the user to be tricked into running a malicious file. Look out for any files, shortcuts, or folders you don’t remember putting there. Remember that it’s not just exe files you have to be wary of; it is possible for malware to create or redirect shortcuts in order to run an executable. I would probably go as far as not having any shortcuts on my USB drive.

Common Sense

This is man’s best defense against just about anything. Here is a list of common sense tips.
  • If an email seems too good to be true, it is.
  • Just because a file or link was sent from a friend’s account, it doesn’t mean they sent it.
  • Any popup telling you to download or run a file is fake.
  • Only use Flash Player; if a site insists you need to download their video player, they can go F themselves.
  • Any files that are downloaded automatically when you visit a page should be deleted and not run.
  • Watch out for fake buttons. Some download sites have fake “download” buttons that lead to malware; if the file doesn’t look like the file you expected, it probably isn’t.
  • Don’t download software from sites that aren’t trusted.
  • Don’t go clicking links without thinking; if someone sends you a link and doesn’t specify what it is, it’s probably something you don’t want to visit.

File Extensions

Don’t trust a file just because it doesn’t end in exe: html, pdf, bat, com, scr and lnk are just a few of the possibly malicious file types. It is also a good idea to disable “hide known file extensions”, as hiding them makes it easier for an attacker to disguise files. A jpg file icon and a name of image.jpg.exe is all it takes.
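
The checks from the USB and File Extensions sections above, turned into a small scanner as an added example (not the author’s code): it flags executable extensions, the image.jpg.exe double-extension disguise, the other file types the post lists, and shortcut files on a drive. The extension lists are our own assumptions for the example, not an exhaustive set, and the sample listing is constructed.

```python
"""Flag filenames that use the disguise tricks described above.
Added example; extension lists and the sample listing are constructed."""
import os

# The post's examples of possibly malicious types (assumed list, not exhaustive)...
RISKY_EXTENSIONS = {".exe", ".html", ".pdf", ".bat", ".com", ".scr", ".lnk"}
# ...and the subset of those that Windows runs as code directly.
EXECUTABLE = {".exe", ".bat", ".com", ".scr", ".lnk"}
# Extensions an attacker puts in front of the real one to make a file look harmless.
INNOCENT_LOOKING = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".doc", ".pdf", ".mp3"}


def classify(name):
    """Return the reasons a filename looks suspicious; an empty list means nothing found."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons            # no extension at all
    ext = "." + parts[-1]
    if ext in EXECUTABLE:
        reasons.append(f"executable extension {ext}")
        # image.jpg.exe: a harmless-looking extension hiding in front of the real one;
        # with "hide known file extensions" on, Explorer would show just "image.jpg".
        if len(parts) >= 3 and "." + parts[-2] in INNOCENT_LOOKING:
            reasons.append("double extension disguise")
        if ext == ".lnk":
            reasons.append("shortcut on removable media; check where it points")
    elif ext in RISKY_EXTENSIONS:
        reasons.append(f"can carry active content ({ext})")
    return reasons


def scan(names):
    """Map each suspicious filename to its reasons; clean names are left out."""
    report = {}
    for n in names:
        reasons = classify(n)
        if reasons:
            report[n] = reasons
    return report


def scan_directory(path):
    """Run the same check over a real folder, e.g. the root of a USB stick."""
    return scan(os.listdir(path))


# Constructed listing of a USB drive mixing normal files with the tricks described above.
SAMPLE_LISTING = ["holiday.jpg", "notes.txt", "image.jpg.exe",
                  "My Documents.lnk", "invoice.pdf", "setup.exe"]

if __name__ == "__main__":
    for name, why in scan(SAMPLE_LISTING).items():
        print(f"{name}: {'; '.join(why)}")
```

The scanner only looks at names, which is exactly the information Windows hides from the user when extensions are turned off; a .lnk is reported even when it is legitimate, because the post’s advice is to treat any shortcut on removable media as something to inspect rather than click.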

Page Modification

It is possible for malware to modify webpages. If you notice a page asking you for information that it didn’t before, check the page on another computer; if it’s not the same, there is a good chance your computer is infected.
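
One way to make the “check the page on another computer” comparison mechanical, as an added example that is not part of the original post: capture the form fields of the login page on a known-clean machine, then diff that baseline against what your own browser received. The two HTML snippets are constructed; the extra fields in the second one stand in for the kind of information a modified page starts asking for.

```python
"""Compare the form fields of a page as seen here with a baseline captured on a
known-clean computer; fields that only appear here point at a modified page.
Added example; both HTML snippets are constructed."""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect the 'name' of every <input>, <select> and <textarea> on the page."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.add(name.lower())


def form_fields(html):
    """Set of field names found in the given HTML."""
    collector = FormFieldCollector()
    collector.feed(html)
    return collector.fields


def unexpected_fields(baseline_html, observed_html):
    """Field names present on this machine but absent from the clean baseline."""
    return sorted(form_fields(observed_html) - form_fields(baseline_html))


# Constructed baseline: the login page as captured on a clean computer.
BASELINE = """<form action="/login">
<input name="username"><input type="password" name="password">
<input type="hidden" name="csrf"><button>Log in</button></form>"""

# Constructed observation: the same page, but now asking for details a bank
# would never request at login.
OBSERVED = """<form action="/login">
<input name="username"><input type="password" name="password">
<input type="hidden" name="csrf">
<input name="card_number"><input name="atm_pin"><button>Log in</button></form>"""

if __name__ == "__main__":
    extra = unexpected_fields(BASELINE, OBSERVED)
    print("unexpected fields:", ", ".join(extra) if extra else "none")
```

Comparing field names rather than whole pages keeps the check stable across the adverts, timestamps and session tokens that change between two legitimate loads; a field that exists only on your machine is the signal worth acting on.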

Conclusion

These are just a couple of my tips for preventing malware damage or infection; I will likely update the list as I remember more. It is important to have a good antivirus and firewall, but you should still act as if you have no software to protect you.
Paranoia is a naive person’s word for cautious.