Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Curiosity not only kills the cat, it gets your network pwned

December 9, 2010, 12:20pm PST

Summary: Anup Ghosh: We need to protect the network from the user and the user from him or herself. Take security decisions out of the hands of the user, make their mistakes irrelevant to your overall security footing.

Guest editorial by Anup Ghosh

To quote the brilliant comedian Peter Cook, “Mawwiage…mawwiage is what bwings us togetha today.” Unfortunately, for the security of your network, this particular wedding is not a joyous event.

You might not be aware that Prince William has announced plans to wed his long-time girlfriend, Kate Middleton. However, your users are in the know and many have likely been searching for the latest Kate news or pictures. Some want to get an early glimpse of her wedding dress, others might be more interested in her swimsuit preferences…either way, they are putting your network at risk. As was the case with another famous fairytale wedding, this one involves getting your users to take a bite from the poisoned apple.

Your adversaries are preying on the curiosity of your users, counting on the fact that your defenses are outdated, and using Blackhat SEO techniques in order to pwn your network. Welcome to the age of poisoned SEO, headline malware and the plague of Fake A/V — feel free to replace Kate Middleton with any other trending news — the results will be the same.

What is Fake A/V and Why Should I Care?

Fake A/V is a class of malware that actually claims to provide malware protection, and unlike other classes of exploits, it can spread without requiring a vulnerability on the user’s system. Fake A/V just needs to be scary enough to get the user to click a button (OK or Cancel both work, just in case you thought users were making poor decisions)…it relies on panic to get the user to run the software. If you’ve never seen Fake A/V in action, jump here.

As with most malware today, it doesn’t try to break down the castle walls, it asks the user to lower the bridge. A dialog box displaying a warning that the system is infected is often enough to get users to act – they click on the box which in turn downloads and runs the malware. Imagine for a moment how many of your users might fall victim to this scheme.

BlackHat SEO Techniques Put Fake A/V Sites On Top

Fake A/V has been particularly effective in exploiting BlackHat SEO techniques to target users searching on trending popular keywords. BlackHat SEOs take advantage of headline events to propagate what some are calling “headline malware.” Events such as the Royal Wedding, the Brett Favre scandal, the Gulf oil spill, etc. are used to drive search engines to return their Fake A/V image links and domains near the top of the results. This drives traffic to these infected sites, resulting in infections. As the user is often both the first line of defense and the weakest link in your network security, the adversaries simply prey on users’ fear and desire by exploiting search engine optimization to serve up their poisoned apples.
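The chain described above (a search-results referrer for a trending term, a landing page on a domain nobody has vetted, then an executable download a few seconds later) leaves a recognisable trace in a Web gateway's logs even when the gateway's own reputation list has not caught up with the site. The following is an added example, not code from the editorial or from Invincea: a small Python heuristic that scans constructed, Squid-style proxy log lines for that sequence. The log format, the search-engine list, the trending-term watchlist, the five-minute window and all hostnames are assumptions made for the example.

```python
"""Flag search -> landing page -> executable download chains in proxy logs.

Added example; not from the original post. The log line format, the
trending-term watchlist and every hostname below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Assumption: the gateway logs "ts client method url status content-type "referer"".
LOG_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<referer>[^"]*)"$'
)
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
TRENDING_TERMS = {"kate middleton", "royal wedding"}  # assumption: fed from a watchlist
EXE_TYPES = {"application/x-msdownload", "application/octet-stream",
             "application/x-msdos-program"}
EXE_EXT = re.compile(r"\.(exe|scr|msi)$", re.IGNORECASE)
MAX_GAP = timedelta(minutes=5)  # landing page to download; assumption

# Constructed sample log: one poisoned-result chain (10.0.0.5) and one
# benign search followed much later by an unrelated download (10.0.0.7).
SAMPLE_LOG = [
    '2010-12-09 10:01:02 10.0.0.5 GET http://www.google.com/search?q=kate+middleton+pictures 200 text/html "-"',
    '2010-12-09 10:01:05 10.0.0.5 GET http://kate-pics-example.invalid/gallery.html 200 text/html "http://www.google.com/search?q=kate+middleton+pictures"',
    '2010-12-09 10:01:09 10.0.0.5 GET http://kate-pics-example.invalid/scan/SecurityTool.exe 200 application/x-msdownload "http://kate-pics-example.invalid/gallery.html"',
    '2010-12-09 10:02:00 10.0.0.7 GET http://www.google.com/search?q=kate+middleton 200 text/html "-"',
    '2010-12-09 10:02:03 10.0.0.7 GET http://news.example.com/royal-wedding 200 text/html "http://www.google.com/search?q=kate+middleton"',
    '2010-12-09 10:30:00 10.0.0.7 GET http://updates.example.com/tool.exe 200 application/octet-stream "-"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def search_query(referer):
    """Return the lower-cased query if the referer is a search results page."""
    u = urlparse(referer)
    if u.netloc not in SEARCH_ENGINES:
        return None
    params = parse_qs(u.query)
    for key in ("q", "p"):  # Google/Bing use q, Yahoo uses p
        if key in params:
            return params[key][0].lower()
    return None


def is_executable(rec):
    """Successful response that looks like a Windows executable download."""
    return rec["status"] == 200 and (
        rec["ctype"] in EXE_TYPES or EXE_EXT.search(urlparse(rec["url"]).path) is not None
    )


def find_chains(lines, known_domains=frozenset()):
    """Return (client, query, landing_domain, download_url) for every client
    that arrived on an unvetted domain from a trending-term search and then
    fetched an executable within MAX_GAP. known_domains are exempt."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    hits = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(recs):
            query = search_query(landing["referer"])
            if not query or not any(term in query for term in TRENDING_TERMS):
                continue
            landing_domain = urlparse(landing["url"]).netloc
            if landing_domain in known_domains:
                continue
            for later in recs[i + 1:]:
                if later["ts"] - landing["ts"] > MAX_GAP:
                    break  # too far apart to treat as one visit
                if is_executable(later):
                    hits.append((client, query, landing_domain, later["url"]))
                    break
    return hits


if __name__ == "__main__":
    for client, query, domain, url in find_chains(SAMPLE_LOG):
        print(f"{client} searched '{query}', landed on {domain}, then fetched {url}")
```

The second client in the sample is deliberately left unflagged: its download comes half an hour after the search and from a different host, which is the kind of ordinary traffic a time window keeps out of the alert queue. Pass the organisation's allow-list as `known_domains` so that vetted news sites do not trip the rule.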

The Takeaway

Fake A/V is growing increasingly pervasive because of its use of BlackHat SEO and PT Barnum’s old saw — “There’s a sucker born every minute.”  That sucker (er, umm, user) is unwittingly infecting your network. Because Fake A/V uses effective social engineering to get users to click through dialog boxes in order to run software from the browser, even patched systems won’t defend against this threat. While the current emphasis on patching and compliance is important, it does not address the threat of users to themselves and the network driven by many of today’s malware writers.

If you are counting on your users to make good security decisions — forget about it. If you are counting on Google or your Web gateway to catch current day infections or infectious sites, forget about it — they can’t keep up with the rapid pace of malware evolution.

We should all know what to do – stop trusting the user to make good security decisions. They aren’t security professionals – and despite our annual or semi-annual attempts at training them – they never will be. Given the sophistication, sheer volume and rapid evolution of malware, user training is not a realistic solution to keeping malware at bay. We need to introduce and embrace innovative new solutions – a new defense in depth – that starts with a better model for protecting the user. We need to protect the network from the user and the user from him or herself. Take security decisions out of the hands of the user…make their mistakes irrelevant to your overall security footing.

Give them free rein over the Internet to support their business objectives without fear of what they do leading to your network being pwned.

* Anup Ghosh is founder and chief scientist at Invincea, Inc. He is also research professor and chief scientist in the Center for Secure Information Systems (CSIS) at George Mason University. In his career, he has served as principal investigator on contracts from DARPA, NSA, and NIST’s Advanced Technology Program.

10 Comments

indeed, even if the user is clueless they can use simple plugins to learn..
~doolittle~ 21st Dec 2010
@LiquidLearner

..like "Web of Trust", I put that on all my windows-based PCs and showed my wife / kids what the alerts & warnings mean. The majority of bad sites just go away. Combined with a filtering app like Blue Coat's "K9" the virus scanner has not had a hit in years.
Interesting read but...
LiquidLearner 9th Dec 2010
Why no suggestions? I read through this expecting to get some insight into better protection mechanisms. Instead it just said to better protect users from themselves.
I find it amusing that the ....
Scubajrr 9th Dec 2010
link to see "Fake A/V in action" takes me to a webpage where the video won't load because an information bar dialog box that shows "This site wants to install the add on: \Quicktime from Apple Inc." is displayed. While trying to warn us about users adding security vulnerabilities to the network, the author wants us to load the massive security risk of QuickTime to show us an example of another security risk.
@Scubajrr It is ironic, isn't it? It also illustrates the quandary users find themselves in. Many sites hosting malicious code ask the user to upgrade their Flash player or other media player to see a video. Of course this "upgrade" actually installs malicious software. My point, though not intended by the video player, is that users are ill-equipped to decide whether installing or upgrading a media player will compromise their machines or not. More often they simply click OK and consequences be what they may be. Counting on users to make good security decisions is a failed strategy for security.

We did replace the video to .wmv format which hopefully works with your native media player without having to upgrade software.

thanks for your valuable commentary.

Anup Ghosh
Invincea
When you do that, the user VERY QUICKLY gets frustrated by not being able to do what he/she feels they should be able to do on the computer.
@Lerianis10
Good point. Users need to be able to make a reasonable set of decisions in order to utilize the full benefits of web applications, but we need to prevent those decisions from compromising their computers. Sound impossible? We don't think so; fully virtualizing applications in a manner that is seamless to the user is one way to let users make poor security decisions without lasting security consequences.

Anup Ghosh
Invincea
You mean the user doesn't know best?
SonofaSailor Updated - 9th Dec 2010
you say: "stop trusting the user to make good security decisions. They aren't security professionals ..."

And you're right...

But yet we keep hearing about how we (IT) should be more open to letting users bring their consumer devices to work and hook 'em up to the network.

Then, when the word 'security' gets brought up, it's just "a farce by people who don't want to embrace change"
@SonofaSailor users don't know best so policies must be clear and enforceable. Users who violate the following policies need to be put to task:
- you may not click on or cancel alerts or software update dialogues
- you must have all software approved by IT security
- no flash drives unless cleared by IT
But if bosses don't want to go along with strong security practices, including enforcement, then you will be playing catch-up constantly.
the problem with the cloud...
sparkle farkle 10th Dec 2010
its on the internet
Fake A/V, corporate Internet
deja_voodoo@... 12th Dec 2010
My first reaction was the same as LiquidLearner's: Mr Ghosh is yelling "fire" but not reaching for the extinguisher. That we need to educate users, or put up so many restrictions that users cry foul, as Lerianis10 pointed out, is bloody obvious even to me, and I'm just a student in a networking curriculum. (I scream about the restrictions the school puts in, but I understand the need for them.) From what I've seen, there should be a written Internet policy with strong teeth (including termination, and possibly legal actions) in it. Back it up with strong security. If people complain that they can't go to Amazon, remind them that they're on company time. Mobile and home broadband are so commonplace nowadays that people don't have any excuses to be doing private surfing on the company's network.
