About This Blog

The Content Security Research Team's Mission: Deliver security research and intelligence that educates, supports and strengthens the security community, and drives innovation in our eSafe solutions.


Protecting the perimeter in SMBs

A few weeks ago, a study was published on the response time of AV products. It compared several of the main, well-known products and measured how long each took to release a virus-definition update that detects a newly seen threat.

While reading it, I asked myself: will this research interest anyone apart from the AV companies themselves? Does a customer who is about to buy an AV/security product really care about it? And most importantly, what are the parameters a customer should consider when looking for a new security solution?

When buying a network and local security solution for an SMB, you will probably not be looking to purchase a variety of specialized solutions, one for each security domain. It is more likely that you will combine several modules and features into the best security solution for your perimeter.

Today there are various products that combine several modules, each developed separately as a standalone module.

4 important things to consider before choosing a security solution for your SMB:

  1. AV Engines - 10 minutes, 5 minutes or maybe 6 minutes? Is it really relevant? No. If the malware was not detected, it does not matter whether the detection definitions for it were released 5 or 8 minutes after it was first detected. It only means that the customer was exposed to infection.
    There is no 100% detection. Yet, if the product has more than one engine, it improves the odds of detecting new malicious code. That said, bear in mind that a product could have 20 engines, but it would cost in performance, so bigger is not necessarily better.

  2. Support – maybe the most important parameter when evaluating a new security solution: false positives, false negatives, updates, installations, network architecture and so on. Since these products are installed on networks, which don’t always have a straightforward or typical topology, the quality of the support given by the software manufacturer is crucial.

  3. Additional Features – more features and modules that provide more capabilities should also be carefully considered. Some content security products have features that help strengthen your security and make up for AV response time, for example:
    1. Application filtering – the ability to block specific applications and protocols. In some cases you can block specific features/operations of an application rather than the whole application.
    2. DLP – Data Leak Prevention. A very hot trend in the content security field. It helps prevent leakage of important data from your perimeter, whether unintentional or with malicious intent.
    3. URL filtering – the ability to block groups of web sites, based on their content.
    4. Anti-spam – an integrated module that combines both real-time reputation and deep content analysis technologies will give you a better solution.
  4. Management and Reporting – in large-scale networks, where several units of the product need to be installed in order to prevent traffic overload, it is important to have a central management platform to configure, maintain and get reports for all the units.

As I mentioned above, there is no AV or content security product that gives you 100% protection. It always reminds me of the “Die Hard” movie, where the criminals were trying to penetrate a vault with 7 locks. To do that, they had to break each lock in a different way; this is why it took them so long, and we all know what happened in the end…

The same goes for a security solution. There is no one mega product that will give you 100% protection; you need to put in several locks, different locks (features/modules), in order to make the hacker’s life harder.


100% protection promises by Shimon Gruper, CISSP

Recently I talked to a customer who said that he chose a certain vendor for his email security gateway product because the vendor promised him 100% blocking of all viruses. After looking closer at this vendor’s SLA (service level agreement), I found out that the promise was to block 100% of “email-based” viruses.

This statement made me realize how good this vendor’s marketing department is, and how easy it is to make empty promises to customers who are not security experts.

A short history – email-based viruses were prevalent about 10 years ago, when the famous LoveBug was spreading all over the world, cluttering mail servers and mailboxes.

Fortunately, we learned a lot from it. Since then Microsoft has built many security safeguards into Exchange and Outlook (for example, by default you cannot open executable attachments), and every organization has an email security gateway or a service that cleans viruses before they arrive in your inbox. Even for individual users, email anti-virus is standard: Gmail provides it for free, as do many ISPs and web-mail providers. The anti-spam measures we use today also block viruses very effectively, since mass-mailed viruses have the distribution pattern of spam.

Unfortunately, hackers and other malicious people learned a lot as well. They understood that creating email viruses is no longer worthwhile, because the number of computers they would be able to infect is very small and there is no ROI in it. So they moved on to a less protected medium: the world-wide web.

Today the majority of infections come from the web, by unknowingly downloading malicious programs or even by simply visiting malicious websites that try to exploit security vulnerabilities in your browser or in one of its plug-ins.

Have you noticed the dramatic increase in the number of patches and updates Adobe is releasing for its PDF reader? The PDF format has been one of the main targets of hackers. They were able to find bugs in the way the PDF reader interprets the PDF file format and exploit those bugs to inject malicious code and eventually infect computers.

It is not uncommon to receive an email, sometimes with a nicely socially engineered message, that asks you to click on a link, open your browser and… be infected by an exploit embedded in the visited web page.

In a simplified scenario, you receive an email with a PDF attachment, which may even come from somebody you know. You open the attachment, which contains a small piece of exploit code that in turn downloads the real virus from the web.

Now back to the promise of 100% email-based virus protection – is this PDF an email-based virus? No. Technically there is no virus in the PDF; it is just a malformed file which exploits a bug. The real virus comes from the web, which is obviously not covered by this bogus 100% email-based virus blocking promise.

Again and again, our decisions are affected by nice marketing messages that hide the real issue: having the best email anti-virus in the world will provide you almost no protection. Today it is also necessary to include a Web Security Gateway, which will make sure that those email exploits are not able to download their malicious payload from the web.


About the Author: Shimon Gruper, CISSP
Strategic Consultant - eSafe Content Security
Shimon is a noted worldwide expert in the fields of Anti-Virus, Security, and Anti-Vandal software. As one of the first to discover malicious code contained in ActiveX, Java, etc., he is often sought out by professional journals for advice and comments on Internet security issues.
Shimon is responsible for all eSafe development and technologies and is the "creator" of the generic process to trap and nullify malicious code and vandals.


Stuxnet demonstration at Virus Bulletin 2010

Symantec gave a presentation yesterday (30 Sept, 2010) at the VB2010 conference in Vancouver. This time it was not just a slide presentation describing how the virus works; we actually had a live demonstration.

Symantec did an absolutely great job analyzing the virus. All the information can be found here:
Symantec's Stuxnet analysis paper

Symantec’s team brought a PLC, the device the virus targets, and connected to it a blower with a balloon at the end. In its clean state the PLC was programmed to inflate the balloon for 2 seconds and then stop.

Then the PLC was infected with the proof-of-concept version of the virus and the blower started to work, and... it got into an endless loop and never stopped, until the balloon was eventually blown up.

The demonstration was photographed by the Sophos team:



Following that, the Symantec team explained that the virus was mostly found in Iran and that it has a flag that "tells" the virus whether to turn on or off; the key name is 05091979, which reads as 05/09/1979. On this date a Jewish businessman by the name of Habib Elghanian was executed in Iran.

They also said that it was a very meaningful date in Jewish history, and about that I am sorry to say: not really. If you ask Israelis about the Habib Elghanian case, most likely they will not know what you are talking about.

To conclude, nobody really knows what exactly the virus was intended to do, except for the fact that it looks for specific SCADA system configurations and gives the ability to change these configurations.

Was it written by the Israelis? Maybe, and maybe not. One thing is certain: this was not written by a script kiddie. It was written by a funded organization and by several engineers.

Oren Medini, at VB2010 – Vancouver.


Will Cyber Crime Affect Our Lives Outside the Cyber Space?

Up to a few weeks ago, computer viruses were an issue for every person who uses a computer. People knew that they exist, and people have been getting infected by them daily. Yet for the regular John Doe, who is not an IT guy, it looked like just another problem that can be solved with anti-virus software or, in the worst case, by formatting the machine and re-installing the OS.

Then, if you had been keeping a proper backup, you had fewer worries. The bottom line is that computer viruses, in the eyes of the regular user, have their own domain, which is the internet.

Last June we started hearing about a new virus – Stuxnet, a Trojan/Worm which is able to affect specific Siemens control systems. This virus was not written to use a person’s email or computing power, or to steal passwords. This virus was able to monitor, track, update and change the operating parameters of real systems that we use in our daily life (not our cyber life). It could affect train traffic, power plants and even nuclear plants.

There is no doubt that this specific Trojan was written for a specific use, in order to target specific systems in specific countries. The question it raises is: what will be next?

Will a crime organization be able to take control of our train systems? Maybe it will be able to shut down a whole city's power supply?

The Stuxnet Trojan/Worm only marks the beginning of a new era in cyber crime: a new generation of viruses that will affect our lives offline, outside the cyber space.


Weekly Security News – September 16, 2010

1. ‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought
2. Report: More Than 1 Million Web Sites Serving Malware in Q2
3. UK teen banned from US after sending threatening Obama email
4. Houston, We Have a Problem - Spam Virus Hits NASA
5. UK plans increased spending on cyber-security
6. Global botnet offering DDoS services
7. Crims use hacked email to steal house
8. Malwarians at the Gate: Banks, Businesses and ACH Fraud
9. A One-Stop Money Mule Fraud Shop
10. Identity Theft Targets Hispanic Community
11. Russia Uses Microsoft to Suppress Dissent
12. Web threats are so prevalent that 65 per cent of online users have been hit by an attack, figures show.
13. Rogue employees sell passport data of World Cup fans
14. Hotel systems breached and card info stolen all over the U.S.


Weekly Security News – September 5, 2010

1. Apple Forgot to Filter Spam On New Ping Service
2. Labor Day phishing warning
3. Is Your Kid Ready for Email?
4. Nigerian Advance-fee Scammer Gets 12 Years
5. Investigators Find Famous DJ's Credit Card Details for Sale
6. Fake surveys harvest personal information
7. Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College
8. Malware protection tips for social media users
9. Crooks Who Stole $600,000 From Catholic Diocese Said Money Was for Clergy Sex Abuse Victims
10. Pizza deliveries lead to ID theft arrest for Georgia woman
11. Cyberwarfare - Fact or Fiction?


Weekly Security News – August 19, 2010

1. Fake dislike button Facebook scam
2. Who is the typical Russian hacker?
3. BlackBerry gives in, to provide access to encrypted data
4. Resourceful attackers continue to make the web insecure
5. Most attacks on federal networks financially motivated
6. 5 reasons IT pros should be paranoid
7. Security software market to grow 11% this year
8. Source of recent malicious malware campaigns
9. TICKET SHARKS: 60 000 names sold on the black market
10. Doherty Hotel’s database fraudulently accessed; 150 credit cards subject of probe
11. Hackers steal customer data by accessing supermarket database


New ICQ Trojan is spreading in the wild

Since this morning we have started to see a new ICQ Trojan that spreads rapidly. The Trojan spreads via ICQ by sending a file, snatch.exe, to all of the infected machine's ICQ contacts.

It also has the ability to hold a conversation with the user. It has some built-in phrases, so when the potential victim says “Hello”, the Trojan sends a "Hello" message back.

Most of the infected users we've seen so far are Russian speakers.


Weekly Security News – August 12, 2010

1. India plans to raise own cyber army
2. How Much Private Information Do you Reveal?
3. Hackers Wirelessly Crash Car's Computer At Highway Speeds
4. Healthcare Suffers More Data Breaches Than Financial Services So Far This Year
5. Loss of personal information as stressful as losing a job
6. 126,000 college students and employees notified of breach
7. Phishers offer false security in exchange for your Facebook password
8. Private browsing modes not as private as one might wish
9. Is Your Company Vulnerable to Social Engineering?
10. How can I know if my computer is infected? 10 signs of infection


Weekly Security News – August 5, 2010

1. U.K. government nixes 'kill IE6' campaign
2. Facebook's 500 millionth member highlights risks
3. Summer holiday security checklist
4. 63% consider international cyber-espionage acceptable
5. Hong Kong e-payment firm admits selling customer data
6. Seven myths about zero day vulnerabilities debunked
7. US Still Number One Malware Producer
8. Microsoft patches the critical Windows LNK vulnerability
9. Cyber War is not the Cold War
10. China Called a Hacker's Marketplace
11. Brothers admit spam campaign against college students
12. DeepWater Horizon (BP oil spill) appears to be a control system cyber incident
13. US at High Risk for Computer Attack
14. Android wallpaper app stealing user data and sending it to China
15. Turkish pranksters load Facebook Translate with swears