Threatscape 2.1 and other dispatches from the computer security front
by Alan Zisman (c) 2010
First published in Business in Vancouver, date and issue #, High Tech Office column
Call them PDFs, Adobe Acrobat documents or whatever you want.
The files that you get as e-mail attachments or view or download from
websites are hard to edit but look just like printed versions and are
so useful that they’ve become a de facto standard. (Business in
Vancouver, for instance, makes PDFs of each week’s issue available
online to subscribers.)
But in February California security firm ScanSafe suggested that
vulnerabilities in Adobe Acrobat and the company’s free Reader software
were the most frequently targeted in 2009, with malicious PDF documents
growing to 80% of all exploits by late in the year.
Derek Manky, Burnaby-based cyber security and threat researcher for
Fortinet’s FortiGuard Labs, agrees that there’s been an upswing in
PDF-based computer attacks along with a similar increase in attacks
using malicious Flash files – another widely used Adobe standard
format. Overall, the company’s January Threatscape report identifies a
two-fold increase in malware.
Neither ScanSafe nor Manky blames Adobe for the upswing in attacks. They
both noted that software to read the PDF and Flash formats is almost
universally installed by computer users. Manky said these sorts of
exploits are done for profit and that “traffic equals money.”
He points out that Adobe has responded to the upsurge of exploits by
fast-tracking efforts to patch the company’s Acrobat, Reader and Flash
software. Patches are only an effective defence, however, if users
install them. Faced with update pop-ups seemingly every time we log on,
many users have gotten into the habit of clicking “later.”
As a result, Manky pointed out that Conficker, a Windows attack that was
widespread a year ago, remains Fortinet’s most-detected exploit more
than 18 months after the patch preventing it was released.
Along with staying current on patches, Manky suggested users should
disable JavaScript in their Adobe Acrobat or Reader preferences and
consider alternatives to Adobe Reader. A variety are listed at
pdfreaders.org. (Mac users can use Apple’s Preview, already installed,
to read PDFs.)
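The JavaScript preference Manky recommends turning off is stored per user in the Windows registry, so an administrator can audit it across machines rather than clicking through each Reader's Preferences dialog. The following PowerShell script is an added example, not code from the column or from Adobe or Fortinet; it assumes the preference lives under HKCU:\Software\Adobe\<product>\<version>\JSPrefs as the DWORD bEnableJS (1 = on, 0 = off), which is the location Adobe documents for Reader and Acrobat, and that a missing key means the factory default of "enabled".

```powershell
# Added example (not part of the original column): report whether JavaScript
# is enabled in each Adobe Reader / Acrobat version installed for the current
# user, and optionally disable it with -Disable.
# Assumption: per-user setting is HKCU:\Software\Adobe\<product>\<version>\JSPrefs
# with DWORD bEnableJS (1 = enabled, 0 = disabled). A missing JSPrefs key or
# value means the user never changed the default, which is "enabled".
param([switch]$Disable)

$products = 'Acrobat Reader', 'Adobe Acrobat'

foreach ($product in $products) {
    $base = "HKCU:\Software\Adobe\$product"
    if (-not (Test-Path $base)) { continue }

    # Each subkey under the product key is an installed version (e.g. 9.0, 10.0).
    foreach ($versionKey in Get-ChildItem -Path $base) {
        $version = $versionKey.PSChildName
        $jsKey   = Join-Path -Path $versionKey.PSPath -ChildPath 'JSPrefs'

        $current = $null
        if (Test-Path $jsKey) {
            $current = (Get-ItemProperty -Path $jsKey -Name bEnableJS `
                        -ErrorAction SilentlyContinue).bEnableJS
        }

        # Weak state: key absent (default) or explicitly 1.
        $enabled = ($null -eq $current) -or ($current -ne 0)
        $state   = if ($enabled) { 'ENABLED' } else { 'disabled' }
        $origin  = if ($null -eq $current) { ' (default, not set)' } else { '' }
        Write-Output ("{0} {1}: JavaScript {2}{3}" -f $product, $version, $state, $origin)

        # Hardened state: create the key if needed and set bEnableJS = 0.
        if ($Disable -and $enabled) {
            if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
            Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
            Write-Output ("{0} {1}: JavaScript now disabled" -f $product, $version)
        }
    }
}
```

Run it without arguments to audit, or with -Disable to apply the change; Reader must be restarted to pick up the new value.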
A year ago, Manky discussed what we called Threatscape 2.0 – 2008-09’s
range of online perils. One of the most common afflictions at that time
was scareware: false warnings popping up claiming that your computer
was infected and offering to disinfect it, for a price.
While scareware is still widespread, Manky is now seeing more
aggressive “ransomware.” This, in effect, holds your computer or data
for ransom. With some infestations, applications don’t run. Instead,
users see a request for payment. In other examples, document files and
folders are encrypted, and users must pay to get the key to decrypt
them.
Users are being tricked into infecting their systems with this
ransomware by a variety of techniques, among them attachments included
with spam e-mails and phony online greeting cards. Fake Facebook user
agreements complete with malicious attachments are just one of a number
of ways that newly popular social networks are being used.
What’s a user to do?
Manky noted that along with keeping operating systems and applications
patched, Windows XP users should consider moving to Windows 7, which
has more features like address randomization and data execution
prevention (DEP). He said that while a new exploit defeats DEP,
Microsoft has released a patch for that.
While ignoring or postponing patch requests is a poor idea, Manky noted
that the flip-side – clicking OK to anything that pops up – is at least
as dangerous. That’s how many users allow their systems to be infected.
Instead, he urges users to always take the time to read the messages that pop onto their screen before clicking anything.
Backups remain a valuable resource, at least if you haven’t overwritten them by backing up your infected system!
Fortinet has begun publishing a blog with its latest security research and threatscape reports: blog.fortinet.com.