Security Shouldn’t take a Backseat to Virtualization

March 31, 2008

I will be presenting on the subject of why security shouldn’t take a back seat to virtualization on April 30th at the Wall Street Technology Association. This event is located at the Raddision Martinique in New York City.


Security Shouldn’t Take a Backseat to Virtualization
Ryan Sherstobitoff, Chief Corporate Evangelist

Companies are widely adopting server virtualization in an effort to improve operational efficiency and increase cost savings. While transitioning to this standardization across multiple platforms, security measures can oftentimes take a backseat, putting company assets at risk.

Cyber crime is at its highest level to date and industry experts estimate that 4,000 new malware strains surface on a daily basis. Hackers have become clever in creating root-kits that subvert the host operating system, and attacking all endpoints of the network. Better security controls need to be taken into consideration when deploying end-point protection for virtualized resources.


This presentation will educate attendees on:


· How to assess inadequacies when conducting security audits and if assets are already being compromised with undetected malware


· How to prevent the occurrence of malware infections on virtualized networks


· How to evolve security best practices to include better assessment methodologies that take into consideration crimeware innovations and locate unnoticed infection points


Think Your Protected? Think Again. Study Reveals Hidden Cyber-Crime Breaches

March 28, 2008

Over a five month period, Panda Security conducted several audits with a large state agency in the United States to assess the level of risk pertaining to hidden and undetected infection points. Due to the confidential nature of this customer, we cannot disclose the agency name. The information learned from this case is a great demonstration of how even the “well-protected” networks require more effective tools to fend off the latest generation of malware.

This agency by nature is obligated to enforce rigorous security policies to protect against unauthorized activity, especially when they are responsible for securing a large network of sensitive information. Some of the restrictions the agency enforces on its users include:

 – Users have limited rights to the network

 – Users can’t modify anything within the system directory

 – Users must access the Internet through a secured proxy.

In such a secure environment, it should be extremely difficult for malware to cause any harm to the network. Unfortunately, even with these strict access rules, Panda Security found various dangerous intrusions in the agency’s network caused by malware.  

The following case study covers an audit spanning more then 4,500 PCs with active, up-to-date anti-malware software from a leading vendor. These PCs were analyzed against a set criteria consisting of hidden active or latent malware along with their associated vulnerabilities.

For more information please see the attached study:  Case Study

Web-Site Defacements

March 28, 2008

Recently I came across an interesting site ( that displays statistical information on web page defacement. It also shows information on the sites that were hacked and provides a mirror to them.


However; some of these “defacement” sites are questionable and some contain “iframe” exploits; in our case a malicious packer was included in one of the mirrored sites hacked.


This particular site belonged to a branch of the Brazilian Government.




When I clicked on the domain “” on the title bar shown above I was redirected to a mirror in which the hacked site was displayed. Furthermore; the Panda Security permanent protection notified me of the potential iframe and packer trying to attack my machine (this is an example of using generic unpacking routines to detect malware using packers).


 Further examination of the site shows an iframe tag that appears to be obfuscated and heavily garbled.




Hackers have become increasingly sophisicated and are using new techniques to evade anti-virus analysis. Packers are one of them. 

Application Scam Sites

March 26, 2008

Recently Panda Security was notified regarding an on-line scam currently in production claiming to offer Panda Security, McAfee, Symantec and Adobe products in addition to a product known as error mechanic. 


The site and the following associated domains are part of this scam:

Some words of caution: This site and the domains are not supported or in anyways affiliated with Panda Security and may contain hidden infections, therefore; we strongly advise to refrain from visiting any of these domains.

Fortunely our testing indicates that the potential malware reported to reside on these pages has been removed, thus, it is still recommended to perform a scan at to be 100% you are not infected.

Furthermore; when making software purchases it is advisable to purchase from the recognized vendor’s web-site or from an authorized partner. Otherewise you may become a victim of ID Theft.

Click-Fraud: The lesser known evil

March 25, 2008

I came across this interesting article that talks about a Trojan; not any Trojan but a  Trojan that automates PPC click-fraud that is currently targeting Google and Yahoo (

What’s interesting about click-fraud is the little amount of attention that it receives in the media in comparison to Identity Theft and the other horrors of the Internet. In fact you are more likely to see news on the latest and greatest zombie-bot net then click-fraud.

However; many companies who have paid good money for Pay-Per-Click (PPC) advertising are falling victim to false impressions due to the rising click-fraud movement in America.

According to Click Forensics the annual click-fraud rate has grown by 28.3%; that’s nearly a quarter of all on-line advertising

For the worst part bot-nets are being used to automate PPC clicks in order to ensure that the activity looks authentic.

So this leaves us with one question, is your PC part of a click-net.

Behavioral Blocking: An effective means of stopping 0-day

March 25, 2008

Behavioral blocking (a.k.a kernel rules / system rules) can provide the first layer of defense against emerging threats exploiting 0-day vulnerabilities. Exploits commonly take advantage of mistakes made by programmers and thus good applications can turn bad in an instant.

Malformed documents have accounted for a good number of these attacks (PDF, MDB, DOC, etc) recently. Take for example the new vulnerability discovered in Microsoft Access reported by Ismael Briones from PandaLabs (

All in all a bit of clever social engineering can result in successful exploitation, thus, resulting in confidential information being stolen from a user’s system.

An effective use of behavioral blocking can mitigate the risks of a 0-day threat. This works by monitoring the behavior of applications and applying such rules as: “Adobe Acrobat shouldn’t spawn a command shell“, or “Internet Explorer should not inject threads into other processes.”

This way one can proactively block new exploits (including the one for MS Access) without the actual need to analyze the threat and produce detection for it. However; it is still crucial that other protection layers exist (behavioral analysis, system hardening, IPS firewall, etc) as behavioral blocking alone is not 100%.

Regulatory Compliance & the Real Risk of Undetected Malware

March 20, 2008

With the emergence of regulatory laws borne out of experience from a variety of embarrassing security breaches, today’s corporate leaders face a myriad of repercussions. These range from serious fines to jail time when found not in compliance with regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and Payment Card Industry (PCI), etc.

These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.

For example it mandates in the Sarbanes-Oxley act section 404 that any publicly traded corporation must maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.

Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. The development of a policy framework based on this audit untimely drives the definition of what would be considered “adequate” controls.

However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising as seen in the attack. It’s estimated that over 79 million records were exposed last year alone. 

Despite established security policy, these breaches lead to public dismay and a loss of consumer confidence. Take for example the TJ Maxx incident that led to an exposure of 45 million credit card numbers and eventually cost the retailer over 200 million dollars in both hard costs incurred and stock value reduction.

These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? Why did the internal controls, established according to company policy, fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?

These are all good questions, especially concerning the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part do with the dramatic increase in information exposure in 2007.

For example a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, thus, stealing credentials and other personal information that could be used to gain profit.

Furthermore, if we put this into perspective we are more at risk then we were a few years ago when the primary concern was the prevention of network worms that caused data destruction.

In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.

Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.

The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What’s alarming is the rate at which malware is developed and released to infect victims on a daily basis. For example, PandaLabs and other major AV labs see over 4000 new strains per day.

This is mainly due to the overwhelming inability for security vendors to respond to this ever increasing rate of new malware strains. We are witnessing a literal denial of service against vendor resources.

The rapid pace at which cyber criminals seed the industry with new threats contributes to the overall problem that is causing technical safeguards to fail, thus, putting the corporation at risk of violating regulatory standards which untimely will lead to serious consequences if sensitive information is leaked.

For example, in a health care organization one undetected Trojan could make a case for a serious risk of violation of HIPAA §164.308(a) (4) that pertains to protecting health information: “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a) (4) [Information Access Management]”

A False Sense of Security – Audit and Assessment Standards

When doing a security audit to ensure that adequate controls are in place from an information security perspective, the auditor is normally looking at whether the corporation is in adherence to a defined policy. Furthermore, a security audit encompasses some of the following questions:

– Are passwords difficult to break?
– Are computers up-to-date with the latest security patches?
– Do any vulnerabilities exist in the operating system or applications installed?
– Are there Access Control Lists (ACLs) implemented on shared resources to control access to them?
– Have unnecessary services or applications been removed from computers that could potentially expose the resource?
– Are computers regularly scanned for malware?

The missing element in a security audit, however, is assessing for sophisticated active threats (e.g. kernel-mode root-kits, stealth Trojans, key-loggers, etc). Therefore the current assessment tools and verification methodologies used to validate controls rely mostly on identifying weaknesses or potential risk to assets; for example, a vulnerability scan or untimely a penetration test will tell the auditor of potential avenues for attack. But, the number one question to ask is: are assets already compromised with undetected malware?

There are a wide range of technical safeguards that can be implemented to significantly reduce potential exposure and the organization’s overall risk; however hackers have devised ways to circumvent these. For example the most common infection vector is via the web through malware laced web-sites that have been compromised and altered in some way, shape or form.

Therefore, a majority of malware (if not detected via signatures or proactively by other technologies) will simply evade perimeter defenses (firewalls, network intrusion prevention, etc.) and make its way to the end-point, especially if it is “targeted” in nature, and with a limited number of hosts designated to be infected.

There are certainly other ways to reduce risk. For example, corporations can implement a policy that limits the administrative access a user has to his or her own PC and other resources on the network. While this reduces the overall risk of unauthorized access, it is not the final solution as hackers tend to abuse system privileges (going around established ACLs) by exploiting applications and other flaws in the operating system.

Proactive defenses such as Host Based Intrusion Prevention (HIPS) can substantially raise the bar in terms of detection, anywhere between 80 and 90 percent. With malware 1.0 this model was acceptable; but with the rate and volume of new threats emerging on a daily basis hundreds or even thousands of threats over time can be missed.

Public companies that must adhere to regulatory laws, must also adopt better internal controls to ensure that hidden infection points are discovered and removed before any exposure occurs. Better yet, modern assessments must take into consideration the possibility of assets already compromised by hidden and undetected malware.


Regulatory compliance is an interesting but challenging topic that every public corporation, no matter what size or shape, is untimely affected by. Organizations must evolve their security best practices to include better assessment methodologies that take into consideration crimeware innovations and available technologies that not only assess weaknesses, but locate active unnoticed infection points.