I Have Anti-Virus Installed – Why Am I Still Getting Infected?

More and more frequently, we’re hearing the question: “I’ve got anti-virus software installed – why am I [or, alternately, why are my users] still getting infected?”

To understand the answer, we have to understand how the threat landscape has been changing over the last few years. The fact is that malware delivered as an email attachment is no longer the primary threat vector we have to worry about. The MooseGuard^TM spam/virus filter for this author’s personal email account blocks anywhere from 300 to 800 spam messages per week. I can’t remember the last time one of them actually contained a virus payload. Instead, the primary threat vector these days is malware delivered over the Web – usually malware that we unwittingly install ourselves.

One of the realities of corporate computing is that it is very difficult to get permission to truly lock down the corporate PC desktop. Sometimes this is because there are legitimate applications that require the user to have some level of local administrative rights in order to function properly. But even when that is not the case, the pushback from users (often users in the executive suite) who want to be able to install their own MP3 player software, their own desktop wallpaper, their own fill-in-the-blank applications, can be extreme. So we end up backing down and giving users local admin rights to their PCs.

The problem is that if you have the necessary rights to install iTunes® on your PC, you also have the rights to install malware. So the game is all about tricking you into approving the installation without realizing what you’re doing. This is generally called “social engineering,” and it’s based on the concept that it’s easier to get people to give up information voluntarily than it is to take it by force.

Here are just a couple of examples that my spam filter caught this week. (Click on the image to view full-size.) First, a bogus credit card alert:

This is obviously designed to scare me into thinking that someone is trying to use one of my credit card accounts. Of course, the first giveway to me is the fact that the email address to which this was sent does not exist at manage-ops.com. But if this had arrived in someone’s personal email account with their correct email address, I can envision some number of people immediately shifting into “Oh, my God!” mode, and clicking on the link to see what happened.

What is not obvious from the image above is that the link is disguised. What appears on the surface to be a link to something.visa.com is in reality a link to something.visa.com.sucipa.vc. I was not able to track down the owner of “sucipa.vc” – in fact, it appears that the domain may have already been de-activated – but I was able to determine that “.vc” is the domain suffix for St. Vincent and the Grenadines. Not a likely place for Visa to be hosting important Web sites. No doubt the “VISA Card Holder Form” would have asked me to provide things like my account number, name on the card, expiration date, in short everything that a criminal would need to start using my card.

The next example plays on simple greed:

It’s telling me that I have a “503.15$” tax refund coming, and I need to submit the “Tax Refund Request Form” to claim it. One again, there are a couple of obvious (to me, anyway) tip-offs. First, “info@manage-ops.com” doesn’t file tax returns. Second, in this country it is customary to place the dollar sign before the amount rather than after it. And, once again, the link is disguised: The “Tax Refund Request Form” is apparently being hosted on a domain called “state-ri.us” – not a domain I would expect to be associated with the IRS. This form would, no doubt, have asked me for my name, address, and social security number.

Unfortunately, there are attack vectors out there that are much more sophisticated than these two examples:

• “Malvertising” – sometimes the bad guys purchase banner ads on legitimate Web sites and load them with, for example, an Adobe Flash exploit. If the Web site simply accepts the banner ad without somehow checking it for a malicious script, you have a recipe for infection.
• “Clickjacking” – You may see a page that says something like, “Do you agree with Obama’s Health Care proposal?” with big “Yes” and “No” buttons. What you don’t see is the invisible layer of code in front of those buttons, so that when you click on what you think is a button, you’re actually clicking on a link that you can’t even see.
• Social Networking exploits – One of the recent classic scams involved compromised Facebook accounts that were used to send direct messages to other Facebook users that said something like, “LOL. You’ve been catched on hidden cam, yo.” If you succumb to curiosity and click through the link, you’ll be taken to a page with what looks like an embedded video, but when you click on it, you will be prompted to download and install a “plugin” so you can view the video. Guess what? It’s not a plugin – it’s malware.
• CSRF, a.k.a. “Cross Site Request Forgery” – This one should scare the heck out of you. Let’s say you’ve logged into your banking site. The site is probably set to log you out automatically after some period of inactivity, but in the meantime, you can probably even go to a different site and come back and still be logged in. Why? Because the site has set a “cookie” in your browser that identifies your banking session. Now let’s say you’re using a modern browser that allows you to have multiple tabs open to different sites. You have one tab open looking at your banking site, but you’re multi-tasking, and you have another tab open interacting with some forum somewhere. It is possible for malicious code in the forum site to send requests to your banking site without your knowledge – and because you’re legitimately logged into your banking site, the requests will be executed. So don’t multi-task when you’re browsing a site that’s important to you.

Malware these days is all about money. Sometimes the people who gather your information aren’t out to use it themselves. Rather than run the risk of being caught and arrested for being directly involved in fraudulent activity, they compile and sell the information to others. There’s a robust marketplace on the Internet for stolen data. According to Symantec, it’s possible to buy:

• Bank accounts for $10 – $1,000 each
• Credit cards for $0.40 – $20 each
• Full identities for $1 – $15 each
• Email passwords for $4 – $30 each
• “Malware-as-a-Service” – some folks will host your malware for between $2.50 and $50 per week.

According to MessageLabs, you can get paid for infecting other people’s computers. In the US, you can get as much as $50 per 1,000 downloads.

Check out the video below. It’s a 10 minute excerpt (because 10 minutes is the maximum limit for a YouTube video) of a talk given last year by Lenny Zeltser. Zeltser is an incident handler at the SANS Internet Storm Center. He’s also a SANS faculty member, a member of their Board of Directors, and he leads a security consulting team at Savvis – so he knows what he’s talking about:

If this caught your interest, I would strongly recommend that you invest an hour and watch his complete presentation. You can find it on the Wolf’s Lair blog site. (Note: We have no affiliation whatsoever with the author of this blog, but we’d like to thank him for making these videos available!)

So…what can you do to protect yourself?

First of all, recognize that humans and their behavior are still the weakest links in the security chain, and the most sophisticated anti-malware software in the world can’t protect you against people doing dumb things. It is critical to educate your users. (Hint: Ask them to read this blog post.)

Second, if you’re still running Windows XP, you should be planning to migrate to Windows 7 as soon as you possibly can. Microsoft’s “User Account Control” really can help protect you against “zero-day” exploits and careless surfing. Yes, the implementation in Vista was annoyingly intrusive and heavy-handed. The implementation in Windows 7 is customizable at a more granular level. The point is that having a window pop up and ask, “Are you sure you really want to do this?” can be the difference between being compromised and not being compromised.

Third, find ways to lock down your users’ desktops. Yes, this will in some cases be politically difficult. But you really need to do it. In some cases, moving to thin clients on the desktop can help. You may also want to take a good look at XenDesktop 4, since a desktop OS that’s being provisioned from a common, read-only image is not as vulnerable as a traditional, locally-installed desktop.

Finally, understand the need for a layered approach to security. The threats to your organization are many and varied, and one point solution (like anti-virus software on the desktop) simply cannot protect you from all of them.

The Internet is a dangerous place, and we will, for the foreseeable future, be locked in an arms race between the people who write malware and the people who come up with defenses against it. Most of all, you need to stay informed about security issues. We’ll do our best to help you do that.

Edit 2/4/10: Just saw an article on pcworld.com that talks about this very subject. It’s worth a read.