Threatscape 2.1 and other dispatches from the computer security front

by  Alan Zisman (c) 2010 First published in Business in Vancouver date and issue #

High Tech Office column


Call them PDFs, Adobe Acrobat documents or whatever you want.

The files that you get as e-mail attachments or view or download from websites are hard to edit but look just like printed versions and are so useful that they’ve become a de facto standard. (Business in Vancouver, for instance, makes PDFs of each week’s issue available online to subscribers.)

But in February California security firm ScanSafe suggested that vulnerabilities in Adobe Acrobat and the company’s free Reader software were the most frequently targeted in 2009, with malicious PDF documents growing to 80% of all exploits by late in the year.

Derek Manky, Burnaby-based cyber security and threat researcher for Fortinet’s FortiGuard Labs, agrees that there’s been an upswing in PDF-based computer attacks along with a similar increase in attacks using malicious Flash files – another widely used Adobe standard format. Overall, the company’s January Threatscape report identifies a two-fold increase in malware.

Neither ScanSafe nor Manky blame Adobe for the upswing in attacks. They both noted that software to read the PDF and Flash formats is almost universally installed by computer users. Manky said these sorts of exploits are done for profit and that “traffic equals money.”

He points out that Adobe has responded to the upsurge of exploits by fast-tracking efforts to patch the company’s Acrobat, Reader and Flash software. Patches are only an effective defence, however, if users install them. Faced with update pop-ups seemingly every time we log on, many users have gotten into the habit of clicking “later.”

As a result, Manky pointed out that Confickr, a Windows attack that was widespread a year ago, remains Fortinet’s most-detected exploit more than 18 months after the patch preventing it was released.

Along with staying current on patches, Manky suggested users should disable Javascript in their Adobe Acrobat or Reader preferences and consider alternatives to Adobe Reader. A variety are listed at pdfreaders.org. (Mac users can use Apple’s Preview, already installed, to read PDFs.)

A year ago, Manky discussed what we called Threatscape 2.0 – 2008-09’s range of online perils. One of the most common afflictions at that time was scareware: false warnings popping up claiming that your computer was infected and offering to disinfect it, for a price.

While scareware is still widespread, Manky is now seeing more aggressive “ransomware.” This, in effect, holds your computer or data for ransom. With some infestations, applications don’t run. Instead, users see a request for payment. In other examples, document files and folders are encrypted, and users must pay to get the key to decrypt them.

Users are being tricked into infecting their systems with this ransomware by a variety of techniques, among them attachments included with spam e-mails and phony online greeting cards. Fake Facebook user agreements complete with malicious attachments are just one of a number of ways that newly popular social networks are being used.
What’s a user to do?

Manky noted that along with keeping operating systems and applications patched, Windows XP users should consider moving to Windows 7, which has more features like address randomization and data execution prevention (DEP). He said that while a new exploit defeats DEP, Microsoft has released a patch for that.

While ignoring or postponing patch requests is a poor idea, Manky noted that the flip-side – clicking OK to anything that pops up – is at least as dangerous. That’s how many users allow their systems to be infected.

Instead, he urges users to always take the time to read the messages that pop onto their screen before clicking anything.
Backups remain a valuable resource, at least if you haven’t overwritten them by backing up your infected system!

Fortinet has begun publishing a blog with its latest security research and threatscape reports: blog.fortinet.com.