    Author Archive - Marco Dela Vega (Threats Researcher)




    For the last two decades, the RSA Conference has enabled some of the best minds in the security industry to gather and engage in valuable discussions. For engineers like me, however, the draw of a security conference is to watch and soak up the industry talk and to see real, compelling security issues inspected from all sides. Here, new technologies and their applications are dissected, connections are made, and secret stories are revealed.

    Is antivirus really, truly dead?

    Considering some truths already well known to security practitioners, it may seem strange to see a panel entitled “The Death of Signature-Based AV: How to Stop Today and Tomorrow’s Malware.” We already know that malware volume is growing exponentially and that, just as technology has evolved, the number of threats and the means by which they are delivered have also changed over the years. One-to-one signatures on their own are therefore no longer effective.

    The panel’s title is perhaps a final poke at the issue, because the question of whether antivirus is dead has been answered time and again by several security experts, including our very own Eva Chen in 2008, with a strong “yes.” Or maybe a qualified yes: signature-based antivirus will continue to be a necessary but insufficient element of a security posture. As the single strategy for combating malware in the foreseeable future, however, its heyday is very much over.

    The panel comprised executives from some of today’s top security companies (Raimund Genes, Nikolay Grebennikov, George Kurtz, and Stephen Trilling), so whatever came out of the discussion would carry some weight. True enough, all of the panelists agreed that a silver-bullet solution for threats no longer exists. As Trend Micro CTO Raimund Genes said, signature-based technology is only good for system cleanup and for identifying the specific modifications made to a system in order to restore it to its original state. Effective threat prevention today requires a more proactive combination of approaches that takes the various infection vectors into consideration.

    Enter: The cloud, etc.

    The same thinking was evident in the overall theme of this year’s conference tracks. With cloud computing, virtualization in its various models and implementations, and the consumerization of mobile devices as the industry’s current major “new frontiers,” security experts and users alike need to keep up and take full responsibility for what data is transmitted, as well as when, where, how, and even why. Consider the move to the cloud an opportunity to challenge existing notions about security and to build security in from the ground up instead of bolting it on as an afterthought.

    The discussion ended with the host asking the panelists whether, five years from now, they will still be talking about the same topic. All agreed that malware will still be discussed; the talks, however, will focus more on malware that uses different technologies and attack vectors.

    As Arthur Coviello said in his keynote speech, we are only as good as the last attack we have withstood. Cloud computing works, and it will continue to work as it becomes further integrated into the industry. It is no longer a question of whether the cloud can be trusted to do its job. The real challenge is protecting the cloud so that it can do its job securely and enable an effective ecosystem of trust.




    Facebook Security is the official Facebook page that the site uses to provide user-friendly security information that is particularly relevant to its users. Its name, however, is now being used in phishing attacks.

    Spammed messages purportedly from Facebook Security are being sent to Facebook users. According to the message, Facebook Security has found the user’s account suspicious and has blocked it, either because it was accessed from an unknown location or because it was abused. The message then asks the user to verify and unblock the account by visiting a link, which leads to a phishing page.

    Users are also targeted via fake Facebook Security profiles. Many profiles have been registered under the name “Facebook Security” with diacritic marks inserted into the letters, so that at a glance they look like the official page.

    As this case shows, be careful about opening messages and visiting websites, even if they supposedly come from official sources such as Facebook Security. The messages and websites contained several glaring errors in grammar and punctuation, a common issue for phishing attacks in general and something that should warn users that the site they’re visiting is not legitimate.
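The diacritic trick described above can be caught mechanically: decompose each candidate name to Unicode NFKD, drop the combining marks, and compare what is left with the official name. The following is an added example (it is not code from the original post or from Trend Micro); the profile names it checks are constructed for illustration, and the official name it compares against is assumed to be exactly "Facebook Security".

```python
import unicodedata

OFFICIAL_NAME = "Facebook Security"  # assumed spelling of the official page name


def strip_diacritics(name: str) -> str:
    """Decompose to NFKD and drop combining marks, so 'Fácebook Sêcurity' becomes 'Facebook Security'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def inserted_marks(name: str) -> list:
    """List the Unicode names of the combining marks hidden in a profile name, for a triage report."""
    decomposed = unicodedata.normalize("NFKD", name)
    return [unicodedata.name(ch, "UNKNOWN MARK") for ch in decomposed if unicodedata.combining(ch)]


def is_lookalike(name: str, official: str = OFFICIAL_NAME) -> bool:
    """True when a name is not the official one but collapses to it once diacritics are
    removed and case is folded, i.e. it was built to be mistaken for the official page."""
    if name == official:
        return False
    return strip_diacritics(name).casefold() == official.casefold()


# Constructed sample profile names (not taken from the original post).
SAMPLE_PROFILES = [
    "Facebook Security",             # the real page name
    "Fácebook Security",             # precomposed a-acute
    "Facebook Sécurïty",             # two precomposed letters
    "Faceb\u006f\u0308ok Security",  # plain 'o' followed by a combining diaeresis
    "Facebook Support",              # a different name, not a lookalike
]


def triage(names):
    """Map each name to (lookalike?, marks found) so an analyst can review the flagged ones."""
    return {n: (is_lookalike(n), inserted_marks(n)) for n in names}


if __name__ == "__main__":
    for name, (flag, marks) in triage(SAMPLE_PROFILES).items():
        print(f"{'LOOKALIKE' if flag else 'ok       '}  {name!r}  {marks}")
```

The check only covers diacritics (combining marks); names built from unrelated confusable code points, such as Cyrillic letters that merely resemble Latin ones, survive NFKD unchanged and need a separate confusables table.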




    Holidays, gifts, decorations, vacation packages… These are just some of the words that come to mind when we hear the word “Christmas.” They are also the words we are most likely to use as search strings to find the best gifts, travel destinations, and holiday ideas on the Web. And because cybercriminals want to be wherever users are likely to be, search results for combinations of these words are exactly what they will poison. Just as legitimate businesses hope to cater to every user’s need, cybercriminals try to trick users into falling for their ploys.


    This early in the season, we have already found bad links turning up in searches for holiday- and Christmas-related terms:

    • Christmas albums
    • Christmas decoration
    • Christmas e-cards
    • Christmas gadgets
    • Christmas package
    • Christmas travel
    • Holiday recipes

    The list above is only a small sample, however. Cybercriminals can add or remove search strings at any time in a bid to set traps for early Christmas shoppers, bargain hunters, and well-wishing users.

    Poisoning search results in time for one of the most widely celebrated holidays worldwide is certainly nothing new and should be expected. Like any other big event or holiday, Christmas is just another occasion for cybercriminals to spam and scam users into parting with their hard-earned cash or, worse, their credentials.


    Instead of gift and travel bargains and ideas, of course, the sites we found led either to fake Adobe Flash Player updates or to the now-infamous FAKEAV scan pages. Other users may instead end up on spamdexing sites designed to increase the traffic to, and the search ranking of, malicious sites.


    Though they say that Christmas is the season to be merry, it is also a time to be more wary. Users should be very careful about the sites they visit. Here are some best practices to follow on your online forays:

    1. If you have a fairly good idea which e-commerce site you want to shop at, type its URL directly into the browser’s address bar to avoid stumbling upon bad links in search engines.
    2. Do not click suspicious-looking URLs even if they appear as top search engine results. Consider a link suspicious if any of its components (e.g., <protocol>://<domain>/<folder>/<file>?<parameter>) is made up of random characters.
    3. Read the overview of the search result (the snippet of text shown below the page title). A search result can also be considered suspicious if the overview does not give a sensible brief description of the site. A sure sign of a blackhat-SEO site is a run of randomly stuffed keywords in the overview.
    4. Install a good URL-filtering tool, such as the Web Protection Add-On, that integrates with the browser.
    5. Keep in mind that the best things in life are hardly ever free. In fact, too many sites that advertise free stuff just give you free malware, so beware!
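Tips 2 and 3 above are heuristics a person applies by eye; the same two checks can be scripted, for example to pre-screen a list of search results before anyone clicks them. The following is an added example written for this page (not Trend Micro code, and not the Web Protection Add-On): it splits a URL into the components tip 2 names, flags components that look random, and flags result snippets in which one keyword dominates. The thresholds and the two sample results are assumptions chosen for illustration; the URLs and snippets are constructed, not taken from the poisoned results in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

VOWELS = set("aeiou")


def url_tokens(url: str) -> list:
    """Break a URL into the components tip 2 refers to: host labels, path segments,
    and query keys/values, each further split on '-', '_' and '.'."""
    parts = urlsplit(url)
    raw = []
    if parts.hostname:
        raw += parts.hostname.split(".")
    raw += [seg for seg in parts.path.split("/") if seg]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        raw += [key, value]
    return [piece for tok in raw for piece in re.split(r"[-_.]", tok) if piece]


def looks_random(token: str) -> bool:
    """Heuristic for 'made up of random characters'. Two signals, both tuned (assumed
    thresholds) to leave ordinary words and word+number names (sale2010) alone:
      1. a run of six or more letters with under 20% vowels (pjxwqrt), or
      2. letters and digits alternating three or more times (a9f3k2z8)."""
    t = token.lower()
    if len(t) < 6:
        return False
    letters = [c for c in t if c.isalpha()]
    if len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        return True
    transitions = sum(
        1 for a, b in zip(t, t[1:])
        if a.isalnum() and b.isalnum() and a.isalpha() != b.isalpha()
    )
    return transitions >= 3


def suspicious_tokens(url: str) -> list:
    """Return the URL components that look random; an empty list means the URL passes this check."""
    return [tok for tok in url_tokens(url) if looks_random(tok)]


def snippet_is_stuffed(snippet: str, max_top_share: float = 0.3,
                       min_distinct_share: float = 0.6) -> bool:
    """Tip 3: a result overview is keyword-stuffed when one word dominates it or when
    most words are repeats. Very short snippets are not judged."""
    words = re.findall(r"[a-z0-9']+", snippet.lower())
    if len(words) < 8:
        return False
    counts = Counter(words)
    top_share = counts.most_common(1)[0][1] / len(words)
    distinct_share = len(counts) / len(words)
    return top_share > max_top_share or distinct_share < min_distinct_share


def triage_result(url: str, snippet: str) -> dict:
    """Combine both checks for one search result."""
    bad = suspicious_tokens(url)
    stuffed = snippet_is_stuffed(snippet)
    return {"url": url, "random_components": bad, "stuffed_snippet": stuffed,
            "suspicious": bool(bad) or stuffed}


# Constructed sample results (not the ones from the original post).
SAMPLE_RESULTS = [
    ("https://www.example.com/holiday/christmas-gift-ideas-2010.html",
     "Find ideas for Christmas gifts, decorations and holiday recipes from our editors, "
     "updated weekly with new picks."),
    ("http://h3kz0q.example.net/pjxwqrt/a9f3k2z8.php?q=christmas+gifts",
     "christmas gifts christmas decoration christmas gifts cheap christmas gifts christmas cards christmas"),
]

if __name__ == "__main__":
    for url, snippet in SAMPLE_RESULTS:
        print(triage_result(url, snippet))
```

Both checks are screening heuristics, not verdicts: a legitimate page with a vowel-poor word in its path, or an ad-heavy but honest snippet, can trip them, so a hit should route the result to a URL-reputation lookup rather than straight to a block.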

    Find out what lurks behind spamdexing and doorway pages in the research paper, “The Dark Side of Trusting Web Searches: From Blackhat SEO to System Infection.”




    QuickTime Player (version 7.6.6) allows movie files to trigger the download of other files, and cybercriminals are using this to pull malware from malicious websites.

    Trend Micro threat research engineer Benson Sy encountered two .MOV files (salt dvdrpi [btjunkie][xtrancex].mov and 001 Dvdrip Salt.mov) that both pose as the recent movie Salt, starring Angelina Jolie. The files already look suspicious because of their relatively small size compared with regular movie files.

    When the movie files are loaded in QuickTime, no actual footage plays; instead, the user is led to download malware posing as either a codec update or another player’s installer. We are still investigating whether the malware exploits a vulnerability or uses a known feature to download other malware.

    The first .MOV file connects to http://{BLOCKED}.{BLOCKED}.53.196/stat1/pix1.php, which redirects to http://{BLOCKED}.{BLOCKED}.8.120/cms/976/1/QuickTime_Update_KB640110.exe. It then asks the user to save or run the file. Trend Micro detects this as TROJ_TRACUR.SMDI.


    The second .MOV file, on the other hand, connects to http://play.{BLOCKED}nstaller.com/0.c, which points to http://player.{BLOCKED}nstaller.com/d77.php. It then downloads a file that Trend Micro detects as TROJ_DLOAD.QWK and, similarly, asks the user to save or run it.


    Trend Micro users are protected from this attack via the Trend Micro™ Smart Protection Network™, which blocks the malicious URLs to prevent the download of malicious files onto the system.

    Update as of July 30, 2010, 1:57 p.m. (UTC):

    Trend Micro detects the two .MOV files (001 Dvdrip Salt.mov and salt dvdrpi [btjunkie][xtrancex].mov) as TROJ_QUICKTM.A. As of this writing, we’ve contacted Apple regarding this issue.

    Update as of July 30, 2010, 8:07 p.m. (UTC):

    Upon execution, TROJ_DLOAD.QWK downloads a .CAB file, which installs the Tango Toolbar and its components. The .CAB file also contains binaries that Trend Micro detects as TROJ_DLOADR.TAN and TROJ_DLOADR.GAB, respectively.

    Update as of July 30, 2010, 8:42 p.m. (UTC):

    According to Apple, the two .MOV files do not make use of an exploit, instead “they rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is not related to the vulnerability reported by Secunia.”

    Update as of August 2, 2010, 1:00 p.m. (UTC):

    According to Threats Analyst Brian Cortes, these malicious files appear to be using a feature of the QuickTime specification known as wired actions, which allows QuickTime files to take certain actions–in this case, go to a URL. This is roughly analogous to the /launch feature in PDF files that was abused by malware earlier this year.

    However, this feature does not appear to be implemented in all media players that can open QuickTime files. Testing with the VLC media player indicates that it is not implemented there.
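The practical question for a responder holding a suspicious .MOV is whether the file references anything outside itself before any player is pointed at it. QuickTime files are a tree of atoms (a 4-byte big-endian length followed by a 4-byte type), and the most direct place an external reference lives is the 'dref' data-reference atom with 'url ' entries. The following is an added example written for this page (not Trend Micro's tooling, and not an analysis of the two samples above): it walks the atom tree, parses 'dref' entries, and sweeps every other leaf atom for http(s) strings as a catch-all, since the wired-action atoms the post mentions have their own layout that this example does not model. The container it builds for testing is constructed, and the example.invalid URLs in it are placeholders, not the blocked addresses from the post.

```python
import re
import struct

# Atoms that only hold other atoms; the walker descends into these.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"dinf", b"stbl", b"udta", b"edts"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def iter_atoms(data: bytes, start: int = 0, end: int = None, depth: int = 0):
    """Yield (depth, type, payload_start, payload_end) for each atom in data[start:end].
    An atom header is a 4-byte big-endian size (header included) and a 4-byte type;
    size 1 means a 64-bit size follows, size 0 means 'to the end of the enclosing region'.
    Truncated or oversized atoms stop the walk instead of reading past the region."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, atype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:
            if pos + 16 > end:
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:
            size = end - pos
        if size < header or pos + size > end:
            break
        yield depth, atype, pos + header, pos + size
        if atype in CONTAINER_ATOMS:
            yield from iter_atoms(data, pos + header, pos + size, depth + 1)
        pos += size


def dref_urls(data: bytes, pstart: int, pend: int) -> list:
    """Parse a 'dref' (data reference) atom: 1 byte version, 3 bytes flags, 4-byte entry
    count, then one atom per entry. A 'url ' entry holds version/flags and, unless its
    self-contained flag (bit 0) is set, a NUL-terminated URL the player will fetch."""
    urls = []
    for _, etype, estart, eend in iter_atoms(data, pstart + 8, pend):
        if etype == b"url ":
            flags = int.from_bytes(data[estart + 1:estart + 4], "big")
            if flags & 1:
                continue  # media lives in this file; nothing external is referenced
            raw = data[estart + 4:eend].split(b"\x00", 1)[0]
            urls.append(raw.decode("utf-8", "replace"))
    return urls


def find_external_urls(data: bytes) -> list:
    """Return (atom type, url) pairs: structured 'dref' references first, plus a plain
    http(s) string sweep over every other leaf atom as a catch-all."""
    found = []
    for _, atype, pstart, pend in iter_atoms(data):
        if atype == b"dref":
            found += [("dref", u) for u in dref_urls(data, pstart, pend)]
        elif atype not in CONTAINER_ATOMS:
            found += [(atype.decode("latin-1"), m.group().decode("latin-1"))
                      for m in URL_RE.finditer(data, pstart, pend)]
    return found


def atom(atype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


def build_sample_mov(url: str, comment: str = None, self_contained: bool = False) -> bytes:
    """Construct a minimal QuickTime container (a test fixture, not a real sample) whose
    only track points at an external data reference; optionally add a user-data comment."""
    if self_contained:
        entry = atom(b"url ", b"\x00\x00\x00\x01")  # flags=1: no URL follows
    else:
        entry = atom(b"url ", b"\x00\x00\x00\x00" + url.encode() + b"\x00")
    dref = atom(b"dref", b"\x00\x00\x00\x00" + struct.pack(">I", 1) + entry)
    trak = atom(b"trak", atom(b"mdia", atom(b"minf", atom(b"dinf", dref))))
    moov_payload = trak
    if comment is not None:
        moov_payload += atom(b"udta", atom(b"\xa9cmt", comment.encode()))
    ftyp = atom(b"ftyp", b"qt  \x00\x00\x00\x00qt  ")
    return ftyp + atom(b"moov", moov_payload) + atom(b"mdat", b"\x00" * 16)


if __name__ == "__main__":
    sample = build_sample_mov("http://example.invalid/update/codec.php",
                              comment="see http://example.invalid/player.exe")
    for atype, url in find_external_urls(sample):
        print(f"{atype!r:10} -> {url}")
```

A file whose 'dref' entries are all self-contained and whose leaf atoms carry no URL strings can still reach out through other mechanisms, so an empty result lowers suspicion rather than clearing the file; a non-empty result is a reason to block the listed hosts before the file is opened in any player.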




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice