
SANS ISC: InfoSec Handlers Diary Blog - Merry Christmas, and beware of digital hitchhikers!



Merry Christmas, and beware of digital hitchhikers!

Published: 2008-12-25
Last Updated: 2008-12-25 02:07:56 UTC
by Maarten Van Horenbeeck (Version: 1)

For those of us who celebrate it, Christmas not only has religious meaning, it is also synonymous with gift giving. Though still a small percentage of the total, the number of "connected" gifts grows every year: photo frames, USB sticks, cameras. Each of these now has a USB interface to connect to your desktop computer. This is a powerful innovation: combined with a PC, each of these devices becomes far more useful than it is on its own.
 
One disadvantage of such interconnectedness is the risk of malicious code hitching a ride along with them. This is a problem of all ages: floppy disks were for a while a potent means of transmission for boot-sector viruses, and downloads and even CD-ROMs with infected installers have all been, or still are, important infection vectors. Just in the last few weeks, Samsung reportedly shipped photo frames with an infected CD in the package.

There are many common pathways for malicious code to make its way onto USB hardware, even though the device appears to come straight "out of the box". Generally, during assembly a small number of devices are pulled from production for quality assurance testing. An infection of equipment in the QA environment would be noticed far less quickly than one in the production environment, since the set of affected samples would be drastically smaller.

In addition, vendors want to offer their customers a pleasant shopping experience, and this generally includes the ability to return items that turn out to be a misbuy. In almost all cases these items will be tested for functionality, but that is never a 100% guarantee that their state is identical to that of a newly manufactured item. What happened while the device was in a customer's possession after the initial purchase is unclear, and could include the introduction of unexpected code.

The good news, however, is that most Autorun malware spreads relatively rapidly, making it something the anti-virus companies stay on top of. If you are running up-to-date anti-virus software, you are unlikely to be at much risk from any of the major Autorun malware families. Signatures only cover families the vendor has already seen, though, which is where a second layer comes in.

If you'd like to provide some additional protection to your family members for the holidays, you may want to consider running a behavior-based anti-malware product in addition to your regular anti-virus. These applications apply a technique called behavioral profiling: rather than matching a signature against every binary, they watch what every binary running on the system actually does.

Every "suspicious" action, such as writing to windows\system32, installing a service, or making an Internet connection, is given a specific rating, and once the accumulated rating for a binary exceeds a preset threshold, the solution flags the process as potentially malicious and alerts the user. The trade-off is false positives: legitimate installers also write to system32 and register services, so expect some prompts and pick a product whose alerts your family members can actually understand. While we can't recommend vendors, common solutions include Threatfire, Primary Response SafeConnect and NovaShield. Some common anti-virus packages even include this functionality, so talk to your existing vendor as well. Combining this with signature-based anti-virus provides the best of both worlds on end-user platforms, where the owner of the system needs to retain full control and the ability to install whatever code he wishes. Known malicious code is stopped and identified before execution, and unknown malicious code is blocked before it does too much harm.
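To make the scoring idea concrete, here is a toy behavioral profiler in Python. It is an added example written for this page, not code from the diary or from any of the products named above. The action categories, their weights, the threshold of 60 and the sample event log are all constructed for illustration and do not correspond to any real product's tuning.

```python
from collections import defaultdict

# Per-action ratings. These values are assumptions for the example; a real
# product tunes them from telemetry and adjusts them per vendor.
ACTION_WEIGHTS = {
    "write_system32": 40,    # drops a file under %SystemRoot%\system32
    "install_service": 35,   # registers a new Windows service
    "run_key": 30,           # adds an HKLM\...\CurrentVersion\Run value
    "network_connect": 15,   # opens an outbound connection
    "read_documents": 5,     # reads from the user's Documents folder
}
THRESHOLD = 60  # assumed rating at which a process is flagged

# Constructed sample event log in the form (pid, image, action, detail).
# None of these processes, paths or addresses are real observations.
SAMPLE_EVENTS = [
    (1001, "frame_setup.exe", "write_system32", r"C:\Windows\system32\drivers\frame.sys"),
    (1001, "frame_setup.exe", "install_service", "FrameSvc"),
    (2002, "browser.exe", "network_connect", "93.184.216.34:443"),
    (2002, "browser.exe", "network_connect", "93.184.216.34:443"),
    (2002, "browser.exe", "read_documents", r"C:\Users\Alice\Documents\notes.txt"),
    (3003, "x.exe", "run_key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"),
    (3003, "x.exe", "network_connect", "198.51.100.7:8080"),
    (3003, "x.exe", "write_system32", r"C:\Windows\system32\x.dll"),
]


def score_events(events, weights=ACTION_WEIGHTS, threshold=THRESHOLD):
    """Accumulate a rating per process and flag it the moment the rating
    reaches the threshold.

    Returns {pid: {"image": str, "score": int, "crossed_at": int, "reasons": [str]}}
    containing only the flagged processes. crossed_at is the index into
    `events` of the action that pushed the process over the line, which is
    where a real product would suspend the process and prompt the user.
    The same (action, detail) pair is rated only once per process, so a
    browser reconnecting to one site repeatedly does not climb the scale.
    """
    scores = defaultdict(int)
    reasons = defaultdict(list)
    images = {}
    seen = set()
    crossed_at = {}
    for idx, (pid, image, action, detail) in enumerate(events):
        images[pid] = image
        key = (pid, action, detail)
        if key in seen:
            continue
        seen.add(key)
        weight = weights.get(action, 0)
        scores[pid] += weight
        reasons[pid].append(f"{action}({detail}) +{weight}")
        if pid not in crossed_at and scores[pid] >= threshold:
            crossed_at[pid] = idx
    return {
        pid: {"image": images[pid], "score": scores[pid],
              "crossed_at": crossed_at[pid], "reasons": reasons[pid]}
        for pid in crossed_at
    }


if __name__ == "__main__":
    for pid, info in score_events(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} {info['image']} score={info['score']} "
              f"(flagged at event #{info['crossed_at']})")
        for reason in info["reasons"]:
            print("   ", reason)
```

On the sample log, `frame_setup.exe` is flagged after its second action (a system32 driver drop plus a new service) and `x.exe` after its third, while the browser never gets close. The weights are where the false-positive trade-off lives: a legitimate installer also writes to system32 and registers a service, so with these numbers it would be flagged too, and the only thing separating it from the photo-frame sample is the user's judgement at the prompt.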

From all of us here at the SANS Internet Storm Center, have a great holiday season!

Cheers,
Maarten
