4 posts categorized "pdf"

About This Blog

The Content Security Research Team's Mission: Deliver security research and intelligence that educates, supports and strengthens the security community, and drives innovation in our eSafe solutions.

Learn More

Follow Us on Twitter


The Evolution of eCrime

It took almost 40 years from the first computer bug in 1947, to the first PC virus in 1986, which marked the beginning of eCrime.  But even then it took more than 10 years for criminals to realize that they can make more money infecting computers than selling drugs.  The advent of the Internet and easy reach to millions of computers around the world, created endless opportunities for criminals to make money with almost zero risk. They took things seriously and the sophistication and the professionalism of the eCrime that we see today would have looked as science fiction just 10 years ago.

Threats Evolution
As the Internet has evolved into the dynamic, collaborative and wide-open Web 2.0, the business of eCrime has evolved along with it. eCrime is now a highly profitable and targeted business model that capitalizes on the weaknesses of an open Web and human’s naïve nature.  Carefully crafted and socially engineered spam messages lurk for those naïve and unsuspicious internet users guiding them to infected websites.

The Motive - It’s all about money…
The money making process is structured and thorough:

  • Finding the opportunities
  • Researching security vulnerabilities of most commonly used applications like PDF reading, Internet Explorer, etc.
  • Choosing the tools and methods of operation usually writing code to exploit security vulnerabilities and inject malware into users computer
  • Operating and feeding the food chain (through money laundering) by selling exploits and malware to operators that control networks of infected computers (BOTNET)
  • Making money by sending spam and phishing email via infected computers that are part of the controlled BOTNET

The Food Chain

  • Cybercriminals are paying researchers that sometimes work as a group to scrutinize commonly used internet-enabled applications and find vulnerabilities
  • They then pay code writers to write malware that exploits found vulnerability
  • They distribute malware by paying people for each infected computer that joins their BOTNET
  • All this is fueled by selling spam advertisement for questionable or bootlegged products
  • This spam is being sent out through the BOTNET of infected computers around the world

Cybercriminals are developing malware that has been purpose-built to find its way around traditional security measures.  The race will always be between security solutions and eCrime professionals/amateurs. Security companies are developing new technologies to stop them and Cybercriminals are developing new technologies to bypass security.


Weekly Security News – November 4, 2010

1. Police To Get Facebook Lessons
Read More

2.  Facebook discovers and "punishes" UID-selling developers
Read More

3. Guarding Your Business Against Social Networking Hacks
Read More

4. Spying app kicked out of Android Market
Read More

5. Russian-Armenian botnet suspect raked in $140,000 a month
Read More

6. Adobe Accelerates Patch Schedule for Critical Flash Bug
Read More

7. Turkey reinstates YouTube ban
Read More

8. Perverted Facebook hacker targeted women
Read More

9. Five LinkedIn privacy settings you need to know about
Read More

10. Police leak risks security catastrophe
Read More

11. Where did all the Viagra spam go?
Read More

12. Internet Explorer users warned of new zero-day attacks
Read More

13. DDOS Attack on Myanmar Takes the Country Offline
Read More


100% protection promises by Shimon Gruper, CISSP

Recently I have talked to a customer who said that he chose a certain vendor for his email security gateway product because he promised him 100% blocking of all viruses. After looking closer at the SLA (service level agreement) of this vendor I found out that the promise was to block 100% of “email-based” viruses.

This statement made me realize how good the marketing department of this vendor is and how easy it is to provide empty promises to customers who are not experts in security.

A short history – email-based viruses were prevalent about 10 years ago when the famous LoveBug was spreading all over the world cluttering mail servers and mail boxes.

Fortunately we learned a lot from it. Since then Microsoft has built many security safeguards into Exchange and Outlook (for example you cannot open by default executable attachments), every organization has an email security gateway or a service that cleans viruses before they arrive to your inbox. Even for individual users, email anti-virus is a standard thing. Gmail gives it for free as well as many ISPs and web-mail providers. The anti-spam measures we are using today also very effectively block viruses, since they have a distribution pattern of spam.

Unfortunately hackers and other malicious people learned a lot as well. They understood that creating email viruses is not worthwhile because the number of computers they will be able to infect will be very small and that there is no ROI here. Thus they moved on to a less protected medium, which is the world-wide-web.

Today, the majority of infections happen from the web by unknowingly downloading malicious programs or even by simply visiting malicious websites that will try to exploit security vulnerabilities in your browser, or in one of its plug-ins.

Have you noticed the dramatic increase in the number of patches and updates Adobe is releasing for its PDF reader?  The PDF format was one of the main targets of hackers. They were able to find bugs in the way the PDF reader interprets the PDF file format and exploit those bugs to inject malicious code and eventually infect computers. 

It is not uncommon to receive an email, sometimes with a nice socially engineered message, that will ask you to click on a link, open your browser and… be infected by an exploit embedded in the visited web page.

In a simplified scenario, you receive an email with a PDF attachment that can even come from somebody you know. You open the attachment that contains a small exploit code, which in turn downloads the real virus from the web. 

Now back to the promise of 100% email-based virus protection – is this PDF an email-based virus? No, technically there is no virus in the PDF it is just a malformatted file which exploits a bug. The real virus is coming from the web, which is obviously not covered by this bogus 100% email-based virus blocking promise.

Again and again, our decisions are affected by nice marketing messages that hide the real issue: that having the best email anti-virus in the world will provide you almost no protection. Today it is necessary to include also a Web Security Gateway, which will make sure that those email exploits will not be able to download their malicious payload from the web.


About the Author: Shimon Gruper, CISSP
Strategic Consultant - eSafe Content Security
Shimon is a noted worldwide expert in the fields of Anti-Virus, Security, and Anti-Vandal software. As one of the first to discover malicious code contained in Active-X, Java, etc. he is often sought out by professional journals for advice and comments on Internet security issues.
Shimon is responsible for all eSafe development and technologies and is the "creator" of the generic process to trap and nullify malicious code and vandals.


Google vs. China - Round 1

The Google-China relationship has been the subject of many recent articles and debates in the media. Across the globe, thousands have protested against Google, claiming that the renowned web browser is lending a hand to the trampling of human rights in China by allowing the Chinese government to filter search results. Last Tuesday Google announced that it was considering exiting the Chinese market as the result of a sophisticated online attack targeted at Google systems – especially Gmail – in order to penetrate the accounts of pro-democracy activists in China. In the beginning, the assumption was that the hackers(reported by some as being funded by the Chinese government), used a zero-day Adobe Acrobat Reader vulnerability. However, according to McAfee, there is evidence that they used a new IE zero-day vulnerability instead. More information about the IE zero-day vulnerability can be found here: http://www.microsoft.com/technet/security/advisory/979352.mspx Link to the Adobe blog post referring the attack: http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html It will be interesting to see if Google will carry out its threat to leave the Chinese market. My bet is that it won’t. In the meantime, it is important to note that eSafe customers are protected against both exploits – the Adobe Acrobat exploit and the new IE zero-day exploit.