Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Lamiabiocasa

Published: 2012-11-02
Last Updated: 2012-11-02 20:11:51 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

Earlier today, ISC reader Travis noticed that his proxy server was blocking some images from BusinessWeek Business Exchange (bx.businessweek.com). On closer inspection of the blocked content, he found that some files indeed had peculiar contents:

 
A company from Italy that sells log cabins probably cannot afford to advertise for their services on Businessweek...
 
The "lamiabiocasa" site is currently not returning any malware (at least not when we tried to investigate). A Google search for the same URL reveals though that plenty other sites are similarly affected, so this IFRAME is obviously part of an injection attack that must have been going on for a while.
 
On Businessweek, it is their 404 Error page that currently seems to be affected. It returns an "Under Construction" message that includes the nasty iframe.  According to passive DNS, there are currently more than 10'000 DNS domain names pointing to the one IP address that is also used by Lamiabiocasa (195.110.124.133). Chances are this ain't good...
 
 
Keywords: iframe malware
1 comment(s)
ISC StormCast for Friday, November 2nd 2012 http://isc.sans.edu/podcastdetail.html?id=2914

The shortcomings of anti-virus software

Published: 2012-11-02
Last Updated: 2012-11-02 00:57:10 UTC
by Daniel Wesemann (Version: 1)
10 comment(s)

No, this isn't about lousy detection rate. I think we're pretty much resigned to that, irrespective of the latest fancy marketing terms the industry uses to sell us the same failed concept. This is about the forensic quality, or rather lack thereof, of anti-virus.

Let's say your anti-virus (AV) happens to find a Spyware. Something like the spyware that I described in yesterday's ISC diary. What does it do with it? If your AV is anything like the products that I've seen in use, it will display a Halloween-like scary pop-up ("Danger! Virus!") and will delete or quarantine the threat.

So far so good.  This used to be cool back when all we wanted our anti-virus to do was to get rid of the threat. But these days are over. Increasingly now, anti-virus alerts us (maybe) to a persistent threat that has been on the system for days, weeks, heck, even months. And deleting or quarantining such a threat causes a serious problem:  It modifies or eradicates evidence. Yes, we get an alert, but then we are like the CSI guys who get called to a murder scene that doesn't have a body. Sure we can spend hours trying to lift DNA off cigarette stubs, but things would be so much easier if the caller could tell us what exactly he has seen where, and where the body was?

In other words: If anti-virus removes a registry key to unhook a DLL, why can't the AV log tell me (a) where this registry key was and (b) when it was created?  You know, this would give a first indication on how far back we have to dig to determine what data was stolen. The same holds true for the actual threat files that get deleted or quarantined: A full MAC (modify/access/create) timestamp in the logs shouldn't be too much to ask for?  Maybe garnished with an MD5 checksum for good measure, so that the analyst can tell right away if the exact same threat has been seen on another PC already?

I don't think the AV companies have caught on to this yet - they seem to be deleting and quarantining threats with the same casual indifference like they did 20 years ago, stomping all over the crime scene, and wiping out or contaminating important forensic evidence in the process.  

If your enterprise-grade anti-virus software does any better in forensics than described above, please let us know via the contact page.  If it has the same shortcomings, please let us know as well, but more importantly, please let your AV vendor know. Maybe, someone listens.

 
 
Keywords: antivirus forensics
10 comment(s)
Diary Archives