Tuesday, February 23, 2010

IT firm loses...a lot!

I caught a very interesting post on Brian Krebs' site this morning...you'll find it here.

As an incident responder, the first thing that caught my eye was:

Since the incident, he has conducted numerous scans with a variety of anti-virus and anti-malware products – which he said turned up no sign of malicious software.

Ouch! When I read things like that, I hope that it's not all (nor the first thing) that was done, and that it's a gross over-simplification of the response activities. Most times, though, it isn't.

I've read Brian's stuff for years, and I think that he's done a great job of bringing some very technical issues into the public eye without subjecting them to the glitz and hoopla that you see in shows like CSI. For example, while Brian mentioned some specific malware that could have been involved, he also made a very clear statement at the beginning of a paragraph that it has not been confirmed that this or any other malware had been involved. I think that's very important when presenting these kinds of stories.

So, look at the situation...the IT firm had a dedicated system with extra protective measures that was used to perform online banking. Even with those measures in place (I did some research on biometric devices back in 2001, and they don't provide the level of protection one would think), the victim "...said the bank told him that whoever initiated the bogus transaction did so from another Internet address in New Hampshire, and successfully answered two of his secret questions."

I think that Brian's story is a very good illustration of what many of us see in the response community.

Malware may have been associated with what happened, but no one knows for sure. Many of us have been on-site with victims where AV scans found nothing, yet the victims were clearly (and as we later confirmed) subject to some sort of malware infection. It's interesting how an AV scan won't find anything, but check a few Registry keys and you start to find all sorts of interesting things.

Many of the "protection measures" that folks have in place are easily circumvented, or worse, lead the victims themselves to not even consider that avenue of infection or compromise, precisely because they do have that "protection".

Finally, if malware was involved in this situation, it's a great illustration of how attacks are becoming smarter...for example, rather than logging keystrokes, as pointed out in the article, the malware will read the contents of the form fields; when it comes to online banking and some of the protective measures that have been put in place, this approach makes sense.
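As an added illustration of the two points above (checking a few Registry keys when AV finds nothing, and form-grabbing code that loads into the browser rather than logging keystrokes), here is a triage script that is not part of the original post and not RegRipper: it enumerates the common Run/RunOnce keys, the Winlogon Shell and Userinit values, and the Browser Helper Objects registered for Internet Explorer, resolves each BHO's CLSID to the DLL that gets loaded, and flags anything that points into a user-writable directory. The list of "suspicious" directories and the expected Winlogon defaults are assumptions for the example, not values from the article.

```powershell
# Added triage example, not from the original post: enumerate common Registry
# autostart locations and flag entries that point into user-writable paths.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Winlogon values malware commonly appends itself to. The expected defaults
# below are an assumption for this example; adjust for the OS you are examining.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedWinlogon = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

# Directories a non-admin user (or malware running as that user) can write to.
# An autostart entry or BHO pointing here deserves a closer look.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                     "$env:USERPROFILE\Downloads", 'C:\Users\Public')

function Test-SuspiciousPath {
    param([string]$Value)
    foreach ($root in $suspiciousRoots) {
        if ($root -and $Value -like "*$root*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Run / RunOnce values: each value name/data pair is one autostart entry.
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Value      = $p.Value
            Suspicious = Test-SuspiciousPath $p.Value
        }
    }
}

# 2. Winlogon Shell/Userinit: anything beyond the default is worth explaining.
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in $expectedWinlogon.Keys) {
    $actual = $wl.$name
    $findings += [pscustomobject]@{
        Location   = $winlogon
        Name       = $name
        Value      = $actual
        Suspicious = ($actual -ne $expectedWinlogon[$name])   # -ne is case-insensitive in PowerShell
    }
}

# 3. Browser Helper Objects load into Internet Explorer and see form fields in
#    the clear before SSL; resolve each CLSID to the DLL that is actually loaded.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{
            Location   = $bhoKey
            Name       = $clsid
            Value      = $dll
            Suspicious = [bool]($dll -and (Test-SuspiciousPath $dll))
        }
    }
}

# Suspicious entries sort to the top; review the rest by hand as well.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the live system, or point the key paths at a hive you have loaded with `reg load` from an acquired image. A clean "Suspicious = False" column is not a clean bill of health; it only means nothing landed in the handful of locations checked here, which is exactly why an image is acquired before any wipe-and-reinstall.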


S Cochran said...

Current AV is woefully inadequate for the current day virus and malware attacks. Hackers are finding other attack vectors and are learning there is more value in hiding than showing your presence. I was once told that if a virus hits your system32 folder, even if your AV says it caught it...you're probably compromised and will never find them. It is often more important to simply wipe and replace in most cases of infections. Building more agile networks that can store data and OSes separately, and that can dynamically build or rebuild devices through the use of virtualization or deployment scenarios, is going to need to become more and more prevalent.

H. Carvey said...
I don't think that attack vectors are changing, per se; from what I've seen, yes, vectors have evolved over time, but that just makes sense as we moved from joy riding on the information superhighway to an economic motive behind what's going on.

It is often more important to simply wipe and replace in most cases of infections.

I would agree with that, but ONLY as long as you've taken steps to perform a root cause analysis, such as acquiring an image, first. If you don't know, or care...and when I say know, I'm not talking about speculation...how the bad guy originally got in, then what's going to stop them from getting in again? Even the bad guys can tell when all someone does is wipe and replace.

leadZERO said...