Thursday, October 1, 2009

Hostageware Hits the Mainstream

Creative Commons Attribution licensed image courtesy Alan Miles NYC

The New York Times was recently hit with a hostageware ad that switched from a seemingly legitimate Vonage ad to virus warnings. The Times believed it was trusting a vendor it had previously worked with, and allowed unvetted servers to serve ads to its site. The Times isn't the only major site to have this occur, and my security threats crystal ball says that since we've all locked our computers down to prevent worms, the bad guys are going to target the places they know we go - and trust.

As the New York Times article notes, "These so-called affiliates can mimic the advertisements of legitimate companies, learn their techniques for submitting ads to networks and sites, meddle with ad servers and then go so far as to provide customer support for people who install the software, keeping the scam running as long as possible."

In my own recent experience, this type of ad is an increasingly prevalent threat to users, and the malware itself takes advantage of a number of browser bugs and plugin bugs to slide past users' defenses. With threats that exploit PDF vulnerabilities, Java vulnerabilities, and more, users who navigate only to trusted sites may still be compromised. This also means that the standard habits we have taught users for years are no longer a panacea - simply not going to untrusted sites, not opening unexpected emails, and avoiding clicking untrusted links aren't the shield they once were.

Home users who find themselves staring at a popup screen that offers to save them from the malware their PC is infected with can find some solace in the fact that capable anti-malware products like MalwareBytes are available for free. Sadly, mainstream AV seems to have real problems with many of these hostageware packages, so a second layer of defense is key.

So, what can you do from a corporate perspective? That's a bit tougher. Here's what I'm looking at:
  • First, full patching for systems that includes browser plugins is really essential. I continue to see systems that have full OS patches that are behind on browser plugins. Comprehensive, system wide software management is becoming even more of a corporate necessity.
  • Second, enterprise AV can still be helpful, even if only for detection. Remember to have your support staffers check out machines that show continued issues, as some components of the malware often get removed while the remaining parts restore them. I've had organizations using central AV notice large numbers of their machines disappearing, which resulted in an investigation that showed a widespread compromise. Not exactly how they expected to leverage their AV management console, but well worth the price of admission.
  • Third, investigate enterprise licenses for useful tools. MalwareBytes and other vendors do offer attractive pricing for enterprise licensing. I've found that a quick Google results survey can often indicate what secondary package is most recommended, and that can really help.
  • Fourth, monitoring outbound traffic for hits on known malware and scam sites gives you a chance to find infected hosts before they become problems.
  • Finally, user training and awareness are still key. Finding out when these hostageware programs are showing up, and what the user was doing when they got infected, can help prevent widespread infections.
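The fourth point above, watching outbound traffic for hosts that reach known malware and scam sites, is easy to prototype against proxy logs. The following is an added example, not code from the original post: it sweeps Squid-style access log lines against a domain blocklist (matching parent domains, so a rogue ad subdomain is caught) and groups the hits by internal client so support staff know which machines to pull for a closer look. The blocklist entries and log lines are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed blocklist of domains that host rogue-AV / hostageware landing
# pages (placeholder names, not real indicators).
BLOCKLIST = {"fake-av-scan.example", "pc-cleaner-alerts.example"}

# Squid native log: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: one client touches two blocklisted domains, one is clean,
# and one line is malformed to show the sweep tolerates log noise.
SAMPLE_LOG = """\
1254355200.101   312 10.1.2.33 TCP_MISS/200 5120 GET http://news.example/ - DIRECT/192.0.2.10 text/html
1254355201.450    88 10.1.2.33 TCP_MISS/200 9400 GET http://ads.fake-av-scan.example/scan.php?id=42 - DIRECT/192.0.2.20 text/html
1254355202.009   120 10.1.2.33 TCP_MISS/200 1100 CONNECT pc-cleaner-alerts.example:443 - DIRECT/192.0.2.21 -
1254355230.777   200 10.1.2.57 TCP_MISS/200 3300 GET http://example.com/index.html - DIRECT/192.0.2.30 text/html
this line is garbage and should be skipped
"""

def is_blocklisted(host, blocklist=BLOCKLIST):
    """True if host or any of its parent domains (excluding the bare TLD) is listed."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

def find_infected_hosts(log_lines, blocklist=BLOCKLIST):
    """Return {client_ip: [(timestamp, host), ...]} for every request to a
    blocklisted domain, so each internal host can be triaged individually."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        url = m.group("url")
        if m.group("method") == "CONNECT":
            host = url.rsplit(":", 1)[0]  # CONNECT lines carry host:port, no scheme
        else:
            host = urlsplit(url).hostname or ""
        if is_blocklisted(host, blocklist):
            hits[m.group("client")].append((float(m.group("ts")), host))
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_infected_hosts(SAMPLE_LOG.splitlines()).items():
        print(client, "->", ", ".join(h for _, h in events))
```

In production the blocklist would come from a maintained feed and the log lines from the proxy's access log; the grouping by client is what turns a blocklist hit into a list of machines for the support desk.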

How is your enterprise handling hostageware?
