Security Tips - Windows 8, Flamer, IE Fixes

Symantec on Flamer

Symantec has published the findings of a forensic analysis of two of the command and control servers behind the W32.Flamer attacks.

Following are our key findings:
  • The malware was under development by a group of at least four developers as early as 2006.
  • It’s likely the server itself has been used for more attacks than just those related to the Flamer malware.
  • The attackers used multiple encryption techniques and made a concerted effort to securely wipe data from the server on a periodic basis.
All this is an indication of the significant sophistication of the group behind the attacks and the tremendous resources at their disposal. Thus, it is likely the Flamer malware and the C&C server we analyzed are tied to a well-funded group.

Flamer C&C server whitepaper.

Sophos Raises Threat Level to HIGH over Critical Microsoft Internet Explorer Hole

Experts at SophosLabs have raised their threat level to "High" in response to an as-yet unpatched security vulnerability in Internet Explorer.

The zero day threat, which was uncovered at the weekend and impacts most versions of Windows, has already resulted in the German government advising users to stop using Internet Explorer.

The rise in the SophosLabs internet threat barometer comes in response to in-the-wild detections that the team has seen in attacks exploiting the CVE-2012-4969 vulnerability in Microsoft's popular web browser.

Kaspersky on Flamer

Kaspersky Lab announces the results of new research related to the discovery of the sophisticated nation-state sponsored Flame cyber-espionage campaign. During the research, conducted by Kaspersky Lab in partnership with International Telecommunication Union’s cybersecurity executing arm - IMPACT, CERT-Bund/BSI and Symantec, a number of Command and Control (C&C) servers used by Flame’s creators were analyzed in detail. The analysis revealed new, groundbreaking facts about Flame. Particularly, traces of three yet undiscovered malicious programs were found, and it was discovered that the development of the Flame platform dates back to 2006.

Main findings:
  • The development of Flame’s Command and Control platform started as early as December 2006.
  • The C&C servers were disguised to look like a common Content Management System, to hide the true nature of the project from hosting providers or random investigations.
  • The servers were able to receive data from infected machines using four different protocols; only one of them servicing computers attacked with Flame.
  • The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created; their nature is currently unknown.
  • One of these Flame-related unknown malicious objects is currently operating in the wild.
  • There were signs that the C&C platform was still under development; one communication scheme named “Red Protocol” is mentioned but not yet implemented.
  • There is no sign that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.

Sophos has released its top 8 security tips for Windows 8, which is due to be released within the next few weeks.

1. Exercise caution with apps for the new Windows 8 user interface (formerly known as Metro)

Some familiar applications have been completely re-written for the new Windows 8 user interface (UI). As a result they may work completely differently, despite looking the same. For example, an application historically delivered as an executable could now be entirely web-based. This impacts the visibility your existing security and monitoring tools have into these apps.

2. Use the Windows 8 style UI version of Internet Explorer

By default, plugins are disabled, blocking a major target for exploit kits and Blackhole attacks.

3. Make sure your security vendor can flag malicious Windows 8 UI apps

Windows 8 UI apps have important differences from regular applications, and your security product should be able to distinguish the two. The security product should correctly flag malicious or modified Windows 8 UI applications (tampered, modified, invalid license).

4. Disable hard drive encryption hibernation

Hard drive encryption is a cornerstone of data protection. If possible, disable the hibernation option in Windows 8 through group policy, as it doesn’t always work well with encryption.

5. Make sure your hardware carries the “Designed for Windows 8” logo

To carry this logo, hardware must be UEFI compliant. This means you can take advantage of the secure boot functionality available in Windows 8. Secure boot is designed to ensure the pre-OS environment is secure in order to minimize the risk from boot loader attacks.
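An added check script for tips 4 and 5 (written for this page, not Sophos's own code): it reports Secure Boot state, hibernation state and per-volume BitLocker status on a Windows 8 host, and can turn hibernation off with powercfg where the group policy route is not in use. It assumes an elevated PowerShell session and Windows 8's built-in SecureBoot and BitLocker modules.

```powershell
# Added example for Sophos tips 4 and 5 (not Sophos code). Run as Administrator.
# -FixHibernation disables hibernation via powercfg; everything else is read-only.
param([switch]$FixHibernation)

$report = [ordered]@{}

# Tip 5: Secure Boot only exists on UEFI firmware; the cmdlet throws on legacy BIOS.
try {
    $report['SecureBoot'] = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled (UEFI present)' }
} catch {
    $report['SecureBoot'] = 'Not available (legacy BIOS or unsupported firmware)'
}

# Tip 4: HibernateEnabled=1 means memory is written to hiberfil.sys on hibernate.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$hib = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
$report['Hibernation'] = if ($hib -eq 1) { 'Enabled' } else { 'Disabled' }

if ($FixHibernation -and $hib -eq 1) {
    # Local equivalent of the group policy setting the tip recommends.
    powercfg.exe /hibernate off
    $report['Hibernation'] = 'Disabled (changed by this script)'
}

# Tip 4 context: show BitLocker state per volume so the hibernation finding can be judged.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($vol in Get-BitLockerVolume) {
        $report["BitLocker $($vol.MountPoint)"] = "$($vol.VolumeStatus) / protection $($vol.ProtectionStatus)"
    }
} else {
    $report['BitLocker'] = 'BitLocker module not present'
}

[pscustomobject]$report | Format-List
```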

6. Make application control a priority

The Windows 8 app store makes application control increasingly important for both malware prevention and productivity control. While the Windows Store will be secured, history shows that malicious apps are likely to slip through. Disable the use of apps that aren’t relevant to your organization.
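An added inventory script for tip 6 (written for this page, not Sophos's own code): it lists the Windows 8 UI (AppX) packages installed for all users, flags any whose package family name is not on an organizational allow-list, and can remove the extras for the current user. The allow-list entries are constructed placeholders; an elevated session is assumed for -AllUsers.

```powershell
# Added example for Sophos tip 6 (not Sophos code). Run as Administrator.
# -Remove uninstalls flagged packages for the current user; default is report only.
param([switch]$Remove)

# Constructed placeholder allow-list; replace with package family names from your baseline.
$allowed = @(
    'Contoso.ExpenseReports_placeholderpubid',
    'Contoso.FieldService_placeholderpubid'
)

# PackageFamilyName is stable across app versions, which is why it is used as the key.
# Framework packages (shared runtimes) are skipped so they are not flagged as apps.
$extras = Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework -and $allowed -notcontains $_.PackageFamilyName } |
    Select-Object Name, PackageFamilyName, Publisher, Version, PackageFullName

"$(@($extras).Count) package(s) not on the allow-list:"
$extras | Format-Table Name, PackageFamilyName, Version -AutoSize

if ($Remove) {
    foreach ($pkg in $extras) {
        # Remove-AppxPackage takes the full name and acts on the current user's profile;
        # built-in system packages may refuse removal, so keep going on error.
        Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Continue
    }
}
```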

7. Treat Windows RT (ARM) devices like any other mobile devices

Make sure you impose the same security levels on Windows RT devices as all others. You should have the ability to control, track, remote wipe and encrypt them.

8. Block near field communications features you don’t need

Windows 8 now caters for near field communications within the operating system. Because it uses Wi-Fi it is another potential vector for security attacks. Block or disable features you don’t need to close unnecessary security holes.

Bonus tip: Don’t allow sign-in to Windows 8 PCs with a Live ID

Live ID sign-on lets your users personalize their computer based on their own settings, regardless of which computer they sign on to. In doing so, all Windows 8 Style UI apps will be reacquired along with their settings, and apps will be automatically signed in where they use a Windows Live ID. This opens the potential for accidental data loss. Of course, all the old security rules also apply with Windows 8. It’s still a bad idea to disable the lock screen or allow automatic log-on. Keep to your principles and, above all, remain vigilant.
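An added example for the bonus tip (written for this page, not Sophos's own code): it applies the Windows 8 security option "Accounts: Block Microsoft accounts" on a standalone machine by writing its registry-backed policy value, and reports the state before and after. On domain members the same setting is better delivered through Group Policy; the registry write below is the local equivalent and assumes an elevated session.

```powershell
# Added example for the bonus tip (not Sophos code). Run as Administrator.
# The policy "Accounts: Block Microsoft accounts" is stored as NoConnectedUser:
#   1 = users cannot add Microsoft accounts
#   3 = users can neither add nor sign in with a Microsoft account
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-MicrosoftAccountPolicy {
    $v = (Get-ItemProperty -Path $policyKey -Name NoConnectedUser -ErrorAction SilentlyContinue).NoConnectedUser
    switch ($v) {
        3       { 'Blocked: cannot add or sign in with Microsoft accounts' }
        1       { 'Partial: cannot add Microsoft accounts (existing ones still sign in)' }
        default { 'Not configured: Microsoft account sign-in allowed' }
    }
}

"Before: $(Get-MicrosoftAccountPolicy)"

# Create the policies key if it does not exist yet, then set the blocking value.
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name NoConnectedUser -Value 3 -Type DWord

"After:  $(Get-MicrosoftAccountPolicy)"
```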
