Sophos

Live Aid concert for NASA hacker?


Well, the precedent has been set.

In 1971, ex-Beatle George Harrison got his buddies Eric Clapton and Bob Dylan to join him on stage at Madison Square Garden in a benefit concert for Bangladesh.

In 1985, ex-Boomtown Rat Bob Geldof rocked the world with help from Status Quo, Queen, U2 and a galaxy of other stars at Live Aid.

And in 1998, South Park hosted Chef Aid with help from Elton John and Meat Loaf.

Now, supporters of NASA hacker Gary McKinnon are said to be trying to organise their own benefit concert. The keyboardist with Marillion, the progressive rock band most famous for their pop hit “Kayleigh” from 1985, has suggested that he might want to get involved, after organiser Ross Hemsworth wrote to more than 100 bands including the Kaiser Chiefs, Sting, Mark Knopfler and Madonna.

The concert, named “Rock Against Injustice”, is intended to raise awareness about McKinnon’s ongoing legal fight, and the UK’s extradition treaty with the US.

You can’t question the enormous amount of energy that McKinnon’s supporters have put into raising awareness of his plight. Hemsworth, the managing director of Glastonbury Radio, is hopeful that George Michael might record his own version of a song written by Gary McKinnon.

However, having heard McKinnon’s song “Only a Fool” (and watched the video on YouTube) I can’t help but think that’s a little over-optimistic.


Hospital networks back on the mend


The London hospitals struck by an infection of the Mytob worm earlier this week are returning to normal operation, according to The Register.

St Bartholomew’s (Barts) in the City, the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green had their networks shut down at the beginning of the week, following an outbreak of the computer worm which is capable of stealing information, and giving access to remote hackers.

The case reminds me a little of what happened to the Northwest Hospital and Medical Center in north Seattle in January 2005. When the hospital found that 150 of its 1100 computers were infected with a piece of malware, it too put emergency backup measures in place. The facility’s intensive care unit was shut down, doctors’ pagers were prevented from working properly, and nurses are said to have run charts down hallways rather than transferring them electronically.

The following year, a 20-year-old hacker was sentenced to three years in jail and a $250,000 fine after being found guilty of the attack.

Anyone who still thinks that virus-writing is “mostly harmless” and only really impacts the foolish who don’t have backups, should consider what the possible consequences of taking down a hospital network might mean.


Goodbye Petra

It’s a sad day here at Sophos because it’s Petra’s last day.

She’s been working as a senior member of the marketing team for the last 19 years, and has seen the company change and grow enormously during that time. When she joined in October 1989 nobody had email in the office (let alone internet access), mobile phones only came attached to expensive cars, and faxes were considered high tech.

There were a handful of viruses though, and Petra was one of the very first people employed by Sophos (number 5, including the two founders). She claims her main duties at the time were to buy biscuits from the local post office, and make cups of tea.

Today, we see over 20,000 new malicious samples every day, and are approaching 1500 members of staff. Now we get our biscuits delivered and have rather swanky coffee machines. :)

Many veterans of the anti-virus industry may have first met Petra at the Virus Bulletin conference in Jersey in 1991. Keen not to ruin the entertainment at the gala dinner, Petra found herself pretending to be hypnotised in front of an audience of 250 delegates.

I don’t think there’s ever been a larger leaving collection for someone - staff were quick to reach deep into their pockets (pah! what credit crunch?) to show their appreciation for all the hard work she’s put in over the years. What Petra really wanted of course, as she prepares to hand her company mobile phone back in to HR, was an Apple iPhone. And I’m delighted to say that after speeches were given in the pub last night she became the proud owner of a 16GB Apple iPhone 3G.


We’ll all miss Petra a lot, and we’re hoping she’ll pop in often to catch up with gossip.


Mac malware - mea culpa

Hi everyone.

I owe you all an apology.

Earlier this week, I blogged about some Apple Mac malware that was making minor headlines. In the process I managed to get my wires badly crossed, and confused the Troj/RKOSX Trojan horse that we have been detecting since August, and that Symantec and Trend published information about recently under the name of Lamzev, with a new variant of the Mac OS X worm RSPlug that Intego warned about this week.

So, in truth there do indeed seem to be two separate pieces of OS X malware being talked about at the moment. Intego were talking about RSPlug-D. Symantec and Trend have been talking about Lamzev (now also reported by Intego as OSX.TrojanKit.Malez).

As far as I know there is no link between OSX/RSPlug and Troj/RKOSX (also known as Lamzev or Malez).

So, dear readers, Symantec, Trend and Intego… I apologise.

I always try and get my facts straight on the blog, but I let you down on this occasion. I’ve included a link to this correction from the original blog entry, and we have also fixed Numaan’s entry on the SophosLabs blog to correct an incorrect link to Intego’s website.

Cheers


Danger! UXB details lost on USB


Associated Press is reporting that a soldier has been convicted of negligence by a Swedish court, and fined 21,000 kronor (£1735) for losing a USB memory stick containing details of unexploded bombs in Afghanistan.

The 31-year-old soldier admitted leaving the USB flash drive, which contained classified information he had collected while serving as a peacekeeper in Afghanistan in 2006, in a Stockholm university computer. The data should have been handed back to authorities at the end of his mission, but the device was clearly still being used two years later.

The news comes at the same time as reports indicate that the US Army is cracking down on the use of USB storage devices. According to Wired, the commander of US Strategic Command has ordered the ban of all removable data storage devices, following defence networks being infected by the SillyFDC worm.

There are many variants of the SillyFDC worm, which typically infect Windows PCs by spreading via USB drives, hunting for any removable device connected to the computer. The malware then downloads further code from the internet, opening the potential for identity theft or launching distributed denial-of-service attacks or spam campaigns.

I would recommend that computer users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC.

Any storage device which is attached to a computer should be checked for virus and other malware before use. Floppy disks, CD ROMs, USB keys, external hard drives and other devices are all capable of carrying malicious code which could infect the computers of innocent users.

Device control technology can help your company reduce the risk of data leakage and malware infection, by giving administrators control over removable storage devices.
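To make the two recommendations above concrete, here is an added PowerShell example (not code from the original post, and not a Sophos tool) that audits the Windows AutoRun policy value, applies the "disabled for all drive types" setting, and checks every mounted removable drive for an autorun.inf file of the kind that USB-spreading worms rely on. The registry key and the NoDriveTypeAutoRun value are Microsoft's documented policy location; the function names are my own.

```powershell
# Added example, not from the original post. Assumes a Windows host with
# PowerShell 3.0 or later; Set-AutoRunDisabled needs an elevated prompt.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
# disabled. 0xFF (255) covers every drive type, which is the setting the
# post recommends. Function names below are my own choice.

$PolicyKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName        = 'NoDriveTypeAutoRun'
$AllDrivesDisabled = 0xFF

function Get-AutoRunPolicyState {
    # Reports whether the machine-wide policy value exists and whether it
    # already disables AutoRun for all drive types.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Configured = ($null -ne $current)
        Value      = $current
        Hardened   = (($current -band $AllDrivesDisabled) -eq $AllDrivesDisabled)
    }
}

function Set-AutoRunDisabled {
    # Weak state: the value is absent, so Windows falls back to its built-in
    # default mask, and on older systems a removable drive can still launch
    # whatever its autorun.inf names. Hardened state: an explicit 0xFF here.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName `
        -Value $AllDrivesDisabled -Type DWord
    Get-AutoRunPolicyState
}

function Find-AutorunInfOnRemovableDrives {
    # USB-spreading worms of the SillyFDC type drop an autorun.inf on each
    # removable volume they reach, usually with hidden/system attributes,
    # hence -Force. DriveType 2 is "removable" in Win32_LogicalDisk.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object {
            $inf = Join-Path $_.DeviceID 'autorun.inf'
            if (Test-Path -LiteralPath $inf) {
                $item = Get-Item -LiteralPath $inf -Force
                [pscustomobject]@{
                    Drive      = $_.DeviceID
                    Path       = $inf
                    Attributes = $item.Attributes
                    SizeBytes  = $item.Length
                    # The file is plain text; its open= / shellexecute= lines
                    # show what a vulnerable machine would have launched.
                    Content    = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
                }
            }
        }
}

# Usage (from an elevated PowerShell prompt):
#   Get-AutoRunPolicyState
#   Set-AutoRunDisabled
#   Find-AutorunInfOnRemovableDrives | Format-List
```

Get-AutoRunPolicyState is read-only and safe to run anywhere; the same value can also be set per user under HKCU, and through Group Policy as the "Turn off Autoplay" setting, which is the route a company with device control in place would normally take. A drive with an autorun.inf present is worth scanning with an up-to-date anti-virus product before anything on it is opened.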


Might the ghost of Microsoft OneCare haunt us all?


As I blogged last night, Microsoft has announced that it is killing off its Windows Live OneCare security product, and will replace it with a freebie anti-virus product for home users.

In my earlier post I speculated about how this might cause some problems for security hippos Symantec and McAfee, as they will doubtless find consumers more than happy to use a free solution from Microsoft rather than pay £40 for a copy of McAfee VirusScan or Norton AntiVirus.

Yes, consumers have had the option of using free anti-virus software before (from the likes of AVG, Avira and Avast), but these were from vendors that had nothing like the brand presence possessed by Microsoft.

But what will the impact be on other vendors in the home user space? There are dozens of small security vendors who make a tidy living (often with a good userbase in their own country) from their consumer anti-virus offering, even if they are not one of the largest security firms on a global scale. The availability of a free Microsoft anti-virus product could - if Microsoft is successful in its marketing and promotion - cause them serious problems, and perhaps put them out of business.

I can talk about this fairly freely, as Sophos focuses on the corporate market, and you may not be able to get many other members of the industry comfortable talking about this - but could the death of OneCare and the birth of the free “Morro” replacement actually result ultimately in less choice for consumers?

Don’t get me wrong - anything which encourages more people to protect their home PCs is undoubtedly a good thing. But no-one can predict with any certainty what might happen in this space, and it sure would be a shame to see fewer companies working in the security field (and the resulting reduction in innovation) if some of the smaller players were to go the way of the Dodo because their home user revenues dried up.


A new Trojan horse for Mac OS X?


As Numaan points out on the SophosLabs blog, a “new” Trojan horse for the Apple Mac OS X operating system has been discussed in the security community for the last few days.

For instance,

The Trojan horse is closely related to the OSX/RSPlug Trojan horse for Mac OS X that we have seen being distributed in the wild since November 2007.

As with RSPlug, this most recent Trojan horse is being spread in an unoriginal way. Joe User visits a website expecting to see a video of something pornographic, but is told that they have to install a ‘missing Video ActiveX object’ before it can be viewed. The downloaded software, however, is in reality a piece of Mac OS X malware.

Of course, Apple Mac malware is still relatively unusual compared to the thousands of new Windows-based samples we see every day - so it’s not a surprise to see people talking about this. But what did surprise us in the labs was that this “new” piece of Apple Mac malware was ..err.. news.

Sophos has been detecting this malware for customers as Troj/RKOSX-A since 29 August 2008.

Following all the new interest, we’re going to have to go back to our analysis and add “Lamzev” as an alias in case our customers are searching for it. It’s a shame the other vendors didn’t scan the file with our Mac anti-virus product before deciding on their own name for this “new” piece of malware.

Correction: Read my correction to this story.


Microsoft announces death of OneCare


Microsoft has today announced its intention to kill off its commercial consumer OneCare anti-virus product.

In a move that is sure to send shivers down the spines of vendors like McAfee and Symantec who have traditionally dominated the home user market for paid for anti-virus products, Microsoft has announced its intention to release a free consumer product (codenamed “Morro”) in the second half of 2009.

In other words, it’s time to wave goodbye to OneCare, and say hello to Morro. (Sorry..)

Of course, “Morro” will not be the first anti-virus product given away for free to home users. Vendors like AVG and Avira have made security solutions available for the consumer market at no charge for some time in an attempt to raise brand awareness.

But a free anti-virus program coming from Microsoft is a rather different kettle of fish. They have the brand recognition and marketing muscle to make their free anti-virus software a no-brainer for the average guy in the street.

And let’s face it - anything which encourages Joe User to run up-to-date anti-virus software has to be a good thing. For too long all of us have suffered because of the legions of effectively undefended home computers that have been enlisted into a botnet.

What will be fascinating is to see if McAfee and Symantec have been caught napping by Microsoft’s latest announcement. For years, the two security hippopotamuses were the behemoths of the consumer security pond. They had the opportunity to gobble up the end-user market, and yet still millions of home users were infected by malware, spyware and pop-ups each year. When OneCare is killed off next June, will consumers pay for an equivalent Norton or McAfee product?

The cognoscenti may be nervous of running the same anti-virus product as every other home user on the planet, but are they really likely to be running a free security product from Microsoft anyway?

Microsoft protecting home PCs for free might mean knee-jerk reactions, and perhaps even more price-cuts and giveaways in an already aggressive market.

Oh, and the other side of this coin, of course, is how will the malware authors react? If budget-conscious home users begin to adopt the freebie “Morro” in droves, then surely the first thing the bad guys will do is make sure their latest creation can slip past Microsoft’s scanner.


BNP membership list posted onto internet


If you don’t live in the UK, chances are that you don’t know who the BNP (British National Party) are.

The group has been no stranger to the newspaper headlines in the past, and tomorrow it is likely to find itself gracing the pages of the popular press once more because its membership list has been posted on the internet.


According to The Daily Telegraph, publication of the list has caused panic amongst members - many of whom are concerned about reprisals from the general public.

The newspaper also reported that the name of a serving policeman is on the list, even though police officers are banned from joining.

BNP leader Nick Griffin, himself not unused to being embroiled in controversy, promptly issued a statement on the BNP’s website confirming that the membership list was essentially genuine, and accusing former staff of “treachery” for stealing the information.


Although the BNP says it is taking legal action against internet service providers hosting the material, it’s all rather too late for that. The cat is out of the bag, and anti-BNP activists will surely repost the long list of names, addresses and phone numbers of BNP members to other websites and message boards.

Nick Griffin’s message to his members attempts to raise bravado saying “It’s water off a duck’s back to the stout hearts of the British National Party. Let’s enjoy the publicity bonus!” but party supporters are surely going to feel extremely uncomfortable about their personal details being publicised on the internet in this way.

All organisations need to take great care over the information they collect about their staff, partners, customers, and - in this case - members. If strict rules and policies are not in place controlling the access and distribution of the information then it could be your company which is next brought into disrepute.


Court orders company to stop selling spyware

Florida-based software company CyberSpy Software has been ordered by a US district court to stop selling its RemoteSpy keylogging spyware program.

According to the Federal Trade Commission, CyberSpy gave customers detailed instructions on “how to disguise their spying program as an innocuous file, such as a photo, attached to an email.”

It is claimed that when innocent internet users clicked on the disguised file, the spyware would install itself silently onto the victim’s computer, monitoring every keystroke, email and instant message, and making a record of every website visited.

The RemoteSpy software secretly monitors computer activity

Data gathered by RemoteSpy was uploaded to a server run by the CyberSpy company, and made available to customers via a password-protected website.

The RemoteSpy and CyberSpy websites appear to be currently offline (presumably at the court’s request) but I managed to find an archived version for the screenshot above.

CyberSpy is far from the only company to work in this apparent “grey” area between legitimate and illegitimate software. Such products typically promote themselves as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, rather than more traditional identity theft - but it’s clear that they can be used with a wide variety of motives.

The FTC will be trying to prove that, because the RemoteSpy software was installed onto computers without the informed consent of the PC’s owner and used to secretly steal personal data, it was in breach of the law. If the FTC is successful in its fight against CyberSpy it could send a warning shot to other vendors selling “legitimate” spyware.