Re: mac trojan in-the-wild

["Roger A. Grimes" <roger () banneretcs com>]

I included any exploit that took any end-user's interaction into the 86%
number. I included the list of exploits and what I considered a
client-side attack (versus truly remote) in the article:

http://weblog.infoworld.com/securityadviser/archives/WindowsExploitAnaly
sis.xls 

It's not perfect, and may even contain a few mistakes. However, I don't
think any of the mistakes would change the overall numbers much. The
exploit chart (I listed two years of vulnerabilities, not three as I
mistakenly said earlier) lists publicly disclosed Windows
vulnerabilities by CVE number and MS number (where it exists).  I did
not care about whether it was trivial to exploit or hard to exploit.
Per a report the Microsoft Security Response Center (MSRC) released
recently, exploits are trending to become less trivial to exploit, but
not incredibly so. My simple analysis was a very crude, binary analysis.
If the user had to click one thing or ten things to pull off the
exploit, I called it client-side.

I mostly agree, "If I can get you to run my malicious program, it is
always game over" and not always a "security problem", but it is the
reality a computer security professional has to manage, whether we like
it or not.  And yes, I don't consider a threat where the user
intentionally installs a malicious program and supplies their root or
administrator password a huge threat, but it is a risk we have to manage
either way.  

One way to manage some of the risk in an environment can be to not let
our users know root or admin passwords...or not to let them install any
unauthorized programs. Personally, I don't give as much value to end
user education as others do.  It works, but not nearly quite as well as
we wish it would.

I consider all client-side threats into my security defense
consideration. For example, if users begin installing unauthorized P2P
programs, it's part of my risk management strategy to reduce the risk
from this sort of threat, regardless of whether it is a true security
vulnerability...because it is a security threat to any environment.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*****************************************************************


-----Original Message-----
From: Thor (Hammer of God) [mailto:thor () hammerofgod com] 
Sent: Friday, November 02, 2007 1:19 AM
To: Roger A. Grimes; bugtraq () securityfocus com;
full-disclosure () lists grok org uk
Cc: Alex Eckelberry; Gadi Evron
Subject: RE: mac trojan in-the-wild

That's an interesting figure (86% that is).  Can you give us some
insight into what you define as "user interaction"?

If it is clicking a link or reading an HTML email, then OK.  If it is
opening an .exe from an email, I'd like to see what client you are
talking about and what environment (meaning, what OS/email client and
what did they have to do to get it to run).  But specifically, how many
were exploits where a user had to visit an untrusted site, download an
executable, run it, and explicitly give it administrative credentials to
run?  Not just people running as administrator, but typing in the admin
account credentials to run it as administrator as one has to do on OSX?
My guess (and I'd really like to see details on your findings) is that
most "interactive" issues are the more "trivial" interactive issues
(like clicking a link and launching a vulnerable version of IE). 

But more importantly, let's look at things from the other side.  Let's
say I'm wrong, and that Gadi is right on target with his "hit hard"
prediction and that we should be very concerned with this.  Given the
requirements here, that again being flagrant ignorance where all the
above steps are executed (including the explicit admin part)-- what
exactly are we supposed to do?  If people are willing and able to go
through the motions above what can we as security people do to prevent
it?  Far too many people in this industry are far too quick to point out
how desperate the situation is at all turns, but I don't see many people
offering real solutions.  But you know, I have to say...  If we are
really going to consider this "serious," and we are really going to
define part of our jobs as being responsible for stopping people who
have absolutely no concerns for what they do and are willing to enter
their admin credentials into any box that asks for it, then I'd say that
there is a *serious* misunderstanding about what security is, and what
can be done about it-- either that, or I'm just in the wrong business.

t


> -----Original Message-----
> From: Roger A. Grimes [mailto:roger () banneretcs com]
> Sent: Thursday, November 01, 2007 5:37 PM
> To: Alex Eckelberry; Thor (Hammer of God); Gadi Evron; 
> bugtraq () securityfocus com; full-disclosure () lists grok org uk
> Subject: RE: mac trojan in-the-wild
>
> Actually, on that same note, I recently did an analysis of the last 
> three years of published Windows vulnerabilities.
>
> 86% required local end-user interaction (i.e. social engineering) to
be
> pulled off.
> http://www.infoworld.com/article/07/10/19/42OPsecadvise-insider-
> threats_
> 1.html
>
> I didn't analyze Linux or BSD threats, but my gut feeling puts them at

> the same level or even higher.
>
> With 86% or more of the past threats requiring social engineering to 
> pull off, we can safely say the "future" you state below is here now.
>
> Now, what is interesting is that any exploit requiring social 
> engineering to work has so far been less of a problem than the vast 
> majority of "remote buffer overflow" exploits like the Blaster and SQL

> worms.  Social engineering-required malware still works, and works 
> well, but not with the same success of remote buffer overflow malware.

> There is very little we in the security space can point to as a
success...but
> the overall decrease in remote buffer overflows is one.
Unfortunately,
> the social engineering malware is getting better day-by-day. We can no

> longer count on mispellings (sic) and bad grammar to be malware 
> indicators. Our users, regardless of the OS, are ready as ever to
click
> on interesting content, malicious or not. We've got to design our 
> defenses to pay more attention to client-side attacks, but it is the 
> weak point now, not in the future.
>
> Roger
>
> *****************************************************************
> *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, CISA, 
> MCSE: Security (2000/2003), CEH, yada...yada...
> *email: roger_grimes () infoworld com or roger () banneretcs com *Author of 
> Windows Vista Security: Securing Vista Against Malicious Attacks 
> (Wiley)
> *http://www.amazon.com/Windows-Vista-Security-Securing-
> Malicious/dp/0470
> 101555
> *****************************************************************
>
>
> -----Original Message-----
> From: Alex Eckelberry [mailto:AlexE () sunbelt-software com]
> Sent: Thursday, November 01, 2007 5:49 PM
> To: Thor (Hammer of God); Gadi Evron; bugtraq () securityfocus com; 
> full-disclosure () lists grok org uk
> Subject: RE: mac trojan in-the-wild
>
> The future of malware is going to be largely through social 
> engineering.
> Does that mean we ignore every threat that comes out because it 
> requires user interaction?  Seems like whistling past the graveyard to

> me.
>
> Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/