In Brief

Forrester pushes personal firewalls, virus writers join forces, Windows rootkits circulate, Symantec sees kid sites awash in adware

Corporate Firewall Thinking Laptop-Bound

“Personal firewall adoption needs to improve” concludes a new report from Forrester Research. The firm surveyed 200 people with IT buying power in January about their organization’s use of personal firewalls.

The findings: while 63 percent of organizations use personal firewalls, only 23 percent deploy them on every one of their machines. At organizations with only partial use of software firewalls, the firewalls tended to be deployed only on laptops or remote systems.

That’s a start, says Forrester, which firmly recommends that all systems allowed to leave the organization run a personal firewall. But it says organizations need to think beyond mobile devices.

“Despite conventional thinking, desktops are at risk,” the company notes. “Desktop computers become vulnerable to malicious code the second a remote machine plugs back into the corporate network.” For example, few organizations today actively block remote machines or unknown devices—such as a contractor’s PC—from accessing their network.

Today’s viruses and worms are able to propagate quickly across an internal network, infecting any PC with known vulnerabilities—unless, of course, they encounter a personal firewall on that PC first.

Virus Writers Join Forces

What do Bagle, Netsky, and Zafi have in common? According to antivirus software vendor Kaspersky Lab, the authors of those three pieces of malware are working together.

“In researching the Bagle outbreak, virus analysts have concluded that the authors of Bagle, Zafi and Netsky and others are working closely together; they may not be personally known to each other, but they are all using information provided by the author of Bagle to mass mail their creations,” the vendor warns.

One piece of evidence for this is that “in the space of just two days, approximately 50 modifications [to] a range of malicious programs were mass mailed,” suggesting the writers of these similar but different programs had access to each other’s creations. Furthermore, “the timing of these mailings clearly shows that they are automated or semi-automated,” and could have been planned well in advance.

Expect the trend to continue. “The authors of malicious code are joining forces, exchanging information and techniques, in order to increase the impact of attacks.” More often than not, “network attacks are now automated, take place in several stages, and are carefully timed and planned.”

Watching for Windows Rootkits

Enterprising network attackers often use specialized software to gain administrator-level access to machines they’ve hacked, and then to hide their tracks. These tools are known as rootkits, and on Unix systems free, open-source tools exist today to detect and eliminate them.

In the Windows world, however, attackers have been using a new generation of rootkits, and these “powerful Windows rootkits have the potential of becoming a major problem in the future,” says Mikko Hypponen, chief research officer at F-Secure. “Rootkit programs gain access to everything on the system and can silently do whatever they want on the computer.” Furthermore, the programs may propagate via viruses, worms, or spyware.

Once the payload is in place, “existing antivirus and anti-spyware products are not able to detect and stop” it, notes Pirkka Palomäki, F-Secure’s vice president of research and development.

To help, F-Secure released a new, free tool—though still in beta—for finding and removing Windows rootkits, called BlackLight.

Symantec Tracks Drive-By Downloads

Which sites are the most dangerous? Symantec recently ran a test, using PCs with clean installations of Windows XP Service Pack 2, to find out.

“We spent one hour surfing well-known websites in the following categories: sports, kids, gaming, news, reseller, shopping and travel. After one hour, we looked at what was left behind, including adware, spyware, hijackers and cookies,” says Symantec.

The sites most likely to leave spyware or hijacker software behind were gaming-related, followed by travel and kids-related sites. The test PC also ended up with 359 pieces of adware from kids sites alone; the second-worst offender, travel-related sites, accounted for 64 pieces of adware.

“It is interesting to note that the most adware and hijackers were found on kids’ sites, and that shopping sites left very little behind,” says Symantec.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.