
Tuesday 10 January 2012

A cautionary tale - one antivirus tool is not enough!

Last night I decided to test Microsoft Security Essentials v4 Beta against a "safe" threat. The results led me to run similar tests on other products, and finally to this post.


Let me start by adding a caveat to this report: I do not have the tools or time available to test thoroughly. However, I do have many years of field experience across a range of platforms and systems, and although (among other services) I resell various antimalware tools, this report is neither intended to endorse any one tool nor to compare the absolute performance of one against another.


Summary
OK, now I have your attention, what got me so bothered?


To my surprise, the majority of tools recommended by many people failed to detect the threat. Those few that did detect it failed to fully contain all of its features in the first pass.


Test Details
The test machine was a fully patched Vista 32-bit SP2 running under VirtualBox (I do not advise trying this type of test unless you can safely hose your system - a virtual platform is a good start). The OS had a pre-existing MSE v2 (production release) installed.


The attacking tool was the All-in-One Keylogger from Relytec. The keylogger is a commercial tool offered for business and residential customers. In residential uses it is most often used for parental control, child protection and "marriage breakup" scenarios. I installed the 7-day trial version.


The tool appears to obfuscate itself as a randomly named executable in a hidden directory and registers a randomly named service that links to a DLL located in the System32 directory. The tool comes with ample help, good vendor support, plus an easy-to-use uninstaller. It's not malware pushed by criminals.


Upon downloading, I installed it using the least stealthy settings so as to leave entries in the start menu and on the desktop, plus a quick launch icon in the taskbar. I had intended to progress from least stealthy toward most stealthy until the tool could not be discovered.


Where possible, for each tool used, I enabled real-time file system and spyware protection, plus used scanning on maximum settings in each case. If there was any detection during real-time use or scanning, I rebooted the virtual machine to check for start-up detection.


After each test run, I reverted the VM to its original state, removed the pre-existing MSE v2 and installed the next test candidate.


Test Results
I'll try to summarise the results here rather than end up with a huge amount of detail in one post.

  • MSE v2 : No detection in real-time or in full scan
  • MSE v4 Beta: No detection in real-time or full scan
  • MalwareBytes AntiMalware Pro Trial: No detection in real-time or in full scan
  • SuperAntiSpyware Trial: No detection in full scan - real-time not available in the trial
  • AVG 2012 Free: No detection in real-time or in full scan
  • Avast Free v6: No detection in real-time or in full scan
  • Avira Free: No detection in real-time or deepest system scan
  • Windows Defender: No detection in real-time or full scan
  • Spybot S&D: Detection of the Start Menu entry and Desktop Shortcut only. No detection of registry entries, nor of active keylogging, screen capture or application tracking.
  • TDSS Killer: No detection during scan.
  • Online Armor ++ 30-day Trial: Detection of the Start Menu item. Detection of the randomly named hidden executable, but no initial detection of the keylogging. After reboot, OA++ detected the randomly named start-up service as a keylogger and offered to block. Blocking was successful for the keylogger, but the screen capturing and application tracking and logging were still active. This may have been because of the way the tool launches.
  • Autoruns: Ability to disable the randomly named start-up service, which prevented the tool from launching any logging - this was different from the behaviour when OA++ offered to block the start-up service. However, it should be noted that for most people it would have been nearly impossible to locate the obfuscated service in the Autoruns report, and there would have been no reason to run Autoruns unless suspicious activity had already been noted - in other words, I knew what I was looking for by then.
  • Bundled uninstaller: Removed the tool completely.
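As an added defender's example (not code from the original post), the following Python triages an Autoruns-style CSV export for the kind of entry the post found hard to spot: a randomly named service, an image with no verified signer, or an unverified DLL sitting in System32. The column subset and the sample rows are constructed assumptions, not real Autoruns output, and the name heuristic is deliberately crude.

```python
import csv
import io

# Constructed sample in the shape of an Autoruns CSV export (the column
# subset is assumed; the rows are made up to mirror the post's findings:
# a randomly named service and an unverified DLL-backed service in System32).
SAMPLE_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\\System\\CurrentControlSet\\Services,Spooler,enabled,Services,Print Spooler,(Verified) Microsoft Windows,c:\\windows\\system32\\spoolsv.exe
HKLM\\System\\CurrentControlSet\\Services,w32time,enabled,Services,Windows Time,(Verified) Microsoft Windows,c:\\windows\\system32\\w32time.dll
HKLM\\System\\CurrentControlSet\\Services,xkq7vd2p,enabled,Services,,,c:\\programdata\\q3z8\\xkq7vd2p.exe
HKLM\\System\\CurrentControlSet\\Services,rwpz4k1s,enabled,Services,,,c:\\windows\\system32\\rwpz4k1s.dll
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,Dropbox,enabled,Logon,Dropbox,,c:\\users\\me\\appdata\\roaming\\dropbox\\bin\\dropbox.exe
"""


def looks_random(name: str) -> bool:
    """Crude name heuristic: letters mixed with digits and almost no vowels."""
    s = name.lower()
    if len(s) < 6 or not any(c.isdigit() for c in s):
        return False
    vowels = sum(c in "aeiou" for c in s)
    return vowels / len(s) < 0.2


def triage(csv_text: str) -> dict:
    """Map each autorun entry that deserves a closer look to its reasons."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        signer = row["Signer"].strip()
        verified = signer.startswith("(Verified)")
        path = row["Image Path"].strip().lower()
        reasons = []
        if not verified:
            reasons.append("image is not from a verified signer")
        if looks_random(row["Entry"]):
            reasons.append("random-looking entry name")
        if not verified and path.startswith("c:\\windows\\system32\\"):
            reasons.append("unverified image inside System32")
        if reasons:
            findings[row["Entry"]] = reasons
    # Most reasons first, so the entries the post describes rise to the top.
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))
```

An unsigned but normally named entry (Dropbox in the sample) still surfaces with a single reason, which is the noise a human has to sift; the ranking puts the multi-reason entries first.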


Conclusion
The keylogger used is a genuine tool which serves a valid and useful purpose. It clearly states restrictions of use in its Ts and Cs. However, in the wrong hands, tools such as this could be used maliciously and evade detection. More specifically, there are classes of malware that can evade most of the commonly used tools recommended by the "man in the street".


Most importantly, no single tool can detect all malware. If any single tool gives a positive result, it should be carefully investigated with a range of other tools - some antimalware only found the shortcuts, not the active components.


Finally, just to re-iterate: this is not an advert for any specific tool or product, and not to compare absolute performance, but to highlight the dangers of complacency and illustrate a class of potential malware that can go undetected by many common AV tools.

Wednesday 18 May 2011

How to generate and remember secure passwords

How many websites do you log in to? 5... 10... 15... more?

Start counting, there's the supermarket (3 or 4 of them), your online clothes shops (lots), forums, tax returns, banks etc...

Some sources suggest that on average we have 20 passwords that we need to remember. I'm betting that this is slightly out of date and that some of us (me included) have to remember many more.

So how do we do that?

Well, recent hacking activity has exposed some interesting data. When leaked passwords posted to hacking sites are analysed, some shocking truths are uncovered.

Most of us use simple names or, worse, passwords like "12345" or "password". Others use names followed by a number. There are dictionaries of these weak passwords that hackers can use to greatly speed up attacks.

The best passwords are those that are random, comprising upper and lower case letters, numbers and symbols !"£$%^&*():? etc. The longer the password, the better. A good password might look like !Whd%59doPS2mj.-K4G, but how on earth are you going to remember that?

Well there are some letter tricks that can be used and there are some technical solutions too.

The letter tricks first.

Obfuscate letters and numbers - substitute 5 for S, 3 for E, 1 for L, etc. Using that technique the word password can become Pa55w0rd, which reads easily and is quite straightforward to remember. However, don't be tempted to use this one, as it will be in the hackers' dictionary already!

Try choosing a location or memorable event, take the first one or two letters of each word of a memorable sentence and apply the obfuscation above. So "Mum was born in London and Dad was born in Glasgow" can become MwbiLaDwbiG. Adding the obfuscation, it becomes Mwbi1aDwbiG. It's still not long enough and doesn't contain symbols. So add years of birth, typed as the corresponding symbols above the numbers on the keyboard: "Mum was born in London in 64 and Dad was born in Glasgow in 62" becomes Mwbi1i^$aDwbiGi^". Now, that is looking better.

Great, so we have ourselves a strong password, but should we use the same one on all our sites? No, you don't want your banking password mixed up with forum passwords that are often stored unencrypted and sent over plain-text links: did you know the default login on Facebook is over an unencrypted link that anyone can intercept? Use the same email and password on that as on your bank and you are asking for trouble.

So personalise each password to the website. Perhaps take the first and last letters of the website name and add them to your password as its first and last characters: Facebook could be FMwbi1i^$aDwbiGi^"k, while the bank HBOS might be HMwbi1i^$aDwbiGi^"S. You have to be careful with this technique, but it can be used effectively.
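The letter tricks above, worked in Python as an added example (not code from the original post): first letters of a memorable sentence, the letter substitutions the post names, years of birth turned into the symbols above the digits on a UK keyboard, and the per-site first/last-letter wrapping. The UK layout is an assumption that fits the ^, $ and " in the post's examples, and the 12-character floor in the length check is my own choice.

```python
import string

# Letter substitutions named in the post, applied to either case, plus
# 0 for O as in the post's Pa55w0rd example.
LETTER_SUBS = {"s": "5", "e": "3", "l": "1", "o": "0"}

# Shift-row symbol above each digit on a UK keyboard (assumption: the
# post's examples use ^ for 6, $ for 4 and " for 2, which fits that layout).
DIGIT_SYMBOLS = {"1": "!", "2": '"', "3": "£", "4": "$", "5": "%",
                 "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def mnemonic_password(sentence: str) -> str:
    """Build the base password from a memorable sentence.

    Each word contributes its first letter (case kept, then substituted);
    an all-digit word such as a year of birth becomes the symbols that sit
    above those digits on the keyboard.
    """
    parts = []
    for word in sentence.split():
        if word.isdigit():
            parts.append("".join(DIGIT_SYMBOLS[d] for d in word))
        else:
            first = word[0]
            parts.append(LETTER_SUBS.get(first.lower(), first))
    return "".join(parts)


def personalise(site: str, password: str) -> str:
    """Wrap the base password in the site name's first and last letters."""
    return site[0] + password + site[-1]


def weaknesses(password: str, min_len: int = 12) -> list:
    """Report the two shortcomings the post checks for: length and symbols.

    The 12-character floor is an assumption; the post only says longer is
    better.
    """
    found = []
    if len(password) < min_len:
        found.append("too short")
    if not any(c in string.punctuation or c == "£" for c in password):
        found.append("no symbols")
    return found
```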

Now to the technical measures - password managers.

There are several relatively cheap password managers that you can purchase.

The best ones are those that allow you to generate truly random passwords of variable length and store them in encrypted form on your system or over the internet. For those on the move, look for programs that have matching apps for your smartphone.

Some suggestions in this category are iAccounts/iBackup for smartphone and PC, KeePass, LastPass and Roboform.

My personal choice is iAccounts backed up with iBackup. With this very inexpensive app, I can have all my secure details in an encrypted database stored on the iPhone behind a very secure password. If I get the login password of the app wrong 5 times in a row, the database is destroyed. Using iBackup, I can sync the database with my workstation over the air. Opening iBackup, I can copy and paste from the database to login boxes on the workstation whenever I need to. To further back up the database on the workstation, I export a CSV copy of it every time I add a new password. The CSV is in plain text, but I export it to a TrueCrypt container file which is AES encrypted. Better still, that container file is in a folder that goes into the nightly backup of the entire system. This way, if the phone is lost I can be safe in the knowledge my credentials are safe, and if I have finger trouble with the PC, I can recover the database from any day over the past year.

More about TrueCrypt in another post.

Friday 22 April 2011

Shock revelation: Apple iPhone tracking your location!

So, the news wires have been humming the last day or two with revelations about a tracking feature embedded in the Apple iPhone. Reports suggest that the iPhone stores your location at regular intervals without using the built-in GPS receiver.

This data is stored in a file called consolidated.db and is synced to your PC or Mac using iTunes when you connect the iPhone.

Salacious stories abound of how Apple are collecting this data for their own purposes and how police officers can search the data if they stop you.

The blogosphere has been alight with the masses up in arms.

Well, I'm going to buck the trend and illuminate some critical facts that are overlooked by some of those media outlets.

Firstly, the storage of your location is required by certain apps, such as geo-location services, the camera, shopping etc. The method used is a triangulation approximation using the GSM radio towers that your phone can detect. Note, this is an approximation and nowhere near as accurate as the GPS receiver.

Secondly, there is no great conspiracy or cover-up in the capture or storage of this data. Rather like the mass hysteria regarding Google intercepting unencrypted data from wifi channels as their StreetView cars pass by, this data is not being hoovered up into a central Apple database to be used against you at some future point in time. Yes, it is synced to your computer, but it is not transferred to Apple - it is against California state law for them to do so. Before people say "when did the law make any difference", consider the hundreds of millions of iPhones in use and think about it for one moment: would Apple really risk a lawsuit that could bankrupt them, given the scale of products sold, if they were tracking users' locations?

Thirdly, the storage of this data is in fact not new! It has only recently been re-discovered, but it was publicised in 2010 and discussed in several papers at the time. The data file has been moved to a more readily accessible location, but that is only to allow apps to access the data more easily.

To put all this in context: some years ago, I happened to be first on the scene of an accident between a car full of young lads and a tractor on a rural road in southern Scotland. Grabbing my mobile (it was not an iPhone, in fact it was not even a smartphone - just a first-generation GSM phone), I dialled 999. Being distracted for a moment by the occupants of the car, I could not think clearly whether I was on the A70 or the A71. On calling the emergency services, I said, "I'm on the A71", to which the operator replied, "I think, sir, you are on the A70, is that right?"

The point being, the emergency services were geo-locating my position based on GSM radio signals and were able to confirm my location. No Big Brother, no paranoia, just a straightforward use of technology for a useful purpose. I'm sure the young driver of the car was thankful the ambulance arrived at the right location rather than 20 miles away on the A71!

Now, I'm no Apple "fanboi". I use some of their products for business because they help me get my job done. I do have concerns about some of their business practices, tying users into iTunes and the App Store, but that is another story for another time. In this case Apple are being hounded for being a successful company, and there may well be an element of those who complain the loudest being just a tiny wee bit jealous of a successful product.