<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; Mohammed S Ali</title>
	<atom:link href="http://www.gfi.com/blog/author/mohammed-s-ali/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 09 Aug 2013 17:06:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Beware the Malware Banner</title>
		<link>http://www.gfi.com/blog/beware-malware-banner/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=beware-malware-banner</link>
		<comments>http://www.gfi.com/blog/beware-malware-banner/#comments</comments>
		<pubDate>Tue, 24 May 2011 14:16:33 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3293</guid>
		<description><![CDATA[Have you already heard about the banner trick? Not yet? This is one of the latest sophisticated additions found in the Zeus malware configuration. This addition has been recently discovered, analyzed and reported by Trusteer. Malware such as Zeus place &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="malware" href="http://www.gfi.com/blog/wp-content/uploads/2011/05/malware.jpg"><img class="alignright size-medium wp-image-3295" style="margin: 10px; border: 0px solid black;" title="malware" src="http://www.gfi.com/blog/wp-content/uploads/2011/05/malware-300x200.jpg" alt="" width="300" height="200" /></a>Have you already heard about the banner trick? Not yet?</p>
<p>This is one of the latest sophisticated additions found in the Zeus malware configuration. This addition has been recently discovered, analyzed and reported by Trusteer.</p>
<p>Malware such as Zeus focuses on online banking fraud. Online banking fraud is a serious affair judging by last year’s UK annual report, which showed a total loss of £365.4 million resulting mainly from online banking fraud.</p>
<p><span id="more-3293"></span>Banks have done much in the past to prevent or to reduce the risk of becoming a victim of online banking fraud; however, malware is smart and tries to find new approaches to steal money online. Banner injections are the latest attempt when it comes to this type of fraud.</p>
<p>The Zeus malware is targeted towards people who visit leading trusted websites with high traffic such as AOL, Amazon, Apple, etc. Whenever a user browses one of these sites, the malware will create a customized banner on the infected machine and it will embed the banner into the target content.</p>
<p>An average user would assume that the banner is genuine and legitimately belongs to the target content, because the banner has been embedded and integrated fully into the highly trusted website. The banner is fully adapted to the target content by having the right colour, the correct font type and a style that is similar to the website.</p>
<p>Banner example:</p>
<p style="text-align: center;"><a class="lightbox" title="malware banner" href="http://www.gfi.com/blog/wp-content/uploads/2011/05/malware-banner.jpg"><img class="size-medium wp-image-3294 aligncenter" style="margin-top: 10px; margin-bottom: 10px; border: 0px solid black;" title="malware banner" src="http://www.gfi.com/blog/wp-content/uploads/2011/05/malware-banner-300x45.jpg" alt="" width="300" height="45" /></a></p>
<p>A click on this banner will lead the user to a professional-looking website that offers lucrative business investment opportunities to wealthy people and sells profitable investment schemes securely over SSL &#8211; a site that is nothing more than a fraud scheme. The injected code has been seen as a simple banner on a trusted website, but it has also been discovered as full-page text in which the trusted owner of the website is making an explicit recommendation to invest money into this fraud scheme.</p>
<p>Unlike many other malware attacks this approach is new, because it does not focus on attack codes. The new approach is more about selling fraud schemes (scam) that appear very legitimate and trustworthy on leading websites. The interesting point with this fraud website is that an average user will hardly notice this scam.</p>
<p>That’s why it would affect many thousands of users who would have invested large sums of money into this scam voluntarily. There is no need for hackers to collect sensitive data from a remote machine as a user is voluntarily transferring money to them.</p>
<p>As the use of online banking increases, it is more than essential to invest money into affordable web security products such as anti-virus and web filtering. Web filtering would have prevented the user from accessing such phishing and scam websites (if the website has already been marked and listed as scam).</p>
<p>Web filtering in general classifies websites into good and bad websites. Professional web filters do more than this. They classify websites into different sub categories such as “Entertainment”, “Social Marketing” and more. This would allow the administrator to have greater differentiation when deciding whether sites should be allowed or blocked.</p>
<p>A good professional web filtering product would have blocked thousands of access requests that led to the scam website and is just another step in preventing such losses due to online banking fraud.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/beware-malware-banner/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Tips for a Good Patch Management Strategy</title>
		<link>http://www.gfi.com/blog/tips-good-patch-management-strategy-part-1-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tips-good-patch-management-strategy-part-1-2</link>
		<comments>http://www.gfi.com/blog/tips-good-patch-management-strategy-part-1-2/#comments</comments>
		<pubDate>Fri, 20 May 2011 09:33:15 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[patch management]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3283</guid>
		<description><![CDATA[Previously “Never touch a running system” was a very common tradition/saying in IT administration. Once software is installed on a system, it will never be touched again as long as the software does the job properly. Nowadays, this common tradition has &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="patch management 3" href="http://www.gfi.com/blog/wp-content/uploads/2011/05/patch-management-3.jpg"><img class="alignright size-medium wp-image-3284" style="margin: 10px; border: 0px solid black;" title="patch management 3" src="http://www.gfi.com/blog/wp-content/uploads/2011/05/patch-management-3-300x291.jpg" alt="" width="240" height="233" /></a>Previously “Never touch a running system” was a very common tradition/saying in IT administration. Once software is installed on a system, it will never be touched again as long as the software does the job properly. Nowadays, this common tradition has changed.</p>
<p>Updating software does not only bring new features into the product, it may also contain patches or bug fixes for your appliance that are necessary and important. Besides fixing malfunctions in a software product, patches also close severe security holes in the appliance or change the way in which the affected appliance collaborates with 3rd party products.</p>
<p><span id="more-3283"></span>Attacks on code are a real risk for small and medium sized companies, and the recent global Sony event has taught us that any reasonable measure, such as patching your system or updating your appliance, is an important step to boost your IT defence protection or prevent cybercriminals from harming your company’s reputation.</p>
<p>Not keeping your IT system secure may bring about major downtimes, increased expenses in system maintenance and could negatively affect your business. It is obvious that patch management is an essential part of maintaining your IT infrastructure.</p>
<p><strong>Do you have a strategy for your patch management?</strong></p>
<p>No? A strategy for patch management is very important as entering patch management territory blind may harm your system infrastructure and also your business. There are different approaches you can take to add quality to your patch management strategy and I’ll be tackling one such approach.</p>
<ul>
<li><strong>Read Me</strong></li>
</ul>
<p>Before applying any updates or patches on software, it is essential to carefully read and understand the “Read Me” file. A “Read Me” file contains important pieces of information about the patch itself, and explains the main purpose for which the patch was built. Furthermore, it will list the relevant requirements for the installation procedure that must be fulfilled (before you decide to apply this patch on your system).</p>
<p>It is always recommended to do some research about the patch you wish to install on your system. Forums, knowledge base articles and search engines provide valuable information about the patch. A patch may solve the main issue, but it may also introduce new problems into your system. Users report problems they have experienced recently with the patch.</p>
<p>Get a first impression of the patch and consider the advice that experienced users have given on the forum. If you have questions about the patch, then ask them on the forum.</p>
<ul>
<li><strong>Scheduling</strong></li>
</ul>
<p>There are thousands of patches available for software and since you will (obviously) not be able to apply all patches at once, try to classify the patches into different severity categories. Consider patches that are relevant for your system and try to prioritize the relevance of patches that you wish to install.</p>
<p>Never install a patch immediately into your production environment. Always try to schedule a suitable time when you can install the patch without affecting your business, and allow sufficient time for a possible rollback if something should go wrong.</p>
<p>Use the opportunity to test the patch in your test installation, because this will minimize the likelihood that something will go wrong in your production environment. Testing prevents stress for IT administrators in critical situations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/tips-good-patch-management-strategy-part-1-2/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>How to Detect Network Intruders (Part 2)</title>
		<link>http://www.gfi.com/blog/detect-network-intruders-part-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=detect-network-intruders-part-2</link>
		<comments>http://www.gfi.com/blog/detect-network-intruders-part-2/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 15:16:54 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[network intruders]]></category>
		<category><![CDATA[web filtering]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3181</guid>
		<description><![CDATA[In the previous blog post we saw how identity theft can be a huge risk for a corporate environment and how the possible injection of malicious code can easily take place and go unnoticed on a client &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="network intruders-2" href="http://www.gfi.com/blog/wp-content/uploads/2011/03/network-intruders-2.jpg"><img class="alignright size-medium wp-image-3182" style="margin: 10px; border: 0px solid black;" title="network intruders-2" src="http://www.gfi.com/blog/wp-content/uploads/2011/03/network-intruders-2-300x214.jpg" alt="" width="300" height="214" /></a>In the previous blog post we saw <a href="http://www.gfi.com/blog/detect-network-intruders-part-1">how identity theft can be a huge risk for a corporate environment</a> and how the possible injection of malicious code can easily take place and go unnoticed on a client machine that is part of a corporate network.</p>
<p>There are many ways in which malicious code can be inserted successfully without anyone noticing.<span id="more-3181"></span></p>
<ol>
<li>Software is never bug free and software patches are not immediately available from the manufacturer. That’s why severe vulnerabilities in software are exploited immediately by hackers.</li>
<li>Common software is very popular. Injection of malicious code in common software can reach millions of victims in a very short amount of time.</li>
<li>Trusted websites attract billions of visitors. Smart injection of malicious code remains unnoticed by the website administrator.</li>
<li>Standard protocols such as HTTP or FTP are open for use by default. A firewall does not block them by default, because internet browsing requires HTTP for data exchange. That’s why malicious code mostly exchanges sensitive data through standard protocols like HTTP.</li>
</ol>
<p>Running malicious code on remote machines is one big risk, but data theft is understood as the bigger risk for a corporate organization.</p>
<h3>What can a systems administrator do to monitor, track and block such intrusion attempts around the clock?</h3>
<p>Internet monitoring is one solution that extends the strengths of common firewalls. Internet monitoring does not only include the manual monitoring of in- and outbound data transfers, it should also include features such as multiple antivirus engines that scan and automatically control downloads requested by client machines.</p>
<p>Downloads can be anything, such as a malformed image, that has been requested by a software application running on a remote machine. If the download is controlled by professional web monitoring software, then this approach helps to reduce the risk of malicious code being inserted into a corporate network. As download control is fully automated on a 24/7 basis, it saves time and reduces the worries of a systems administrator.</p>
<p>A web filtering module (that complements the web monitoring module) prevents access to “bad” websites before the webpage is downloaded from the bad URL. But what happens if malicious web content starts to appear on good websites? It isn’t sufficient if web filtering only works on categories like “yes” or “no”.</p>
<p>A good web filtering module should be able to update its database automatically and dynamically detect malicious code on good and bad sites. Such features would be very innovative and would benefit web control. Not all web risks can be fully controlled and blocked by web monitoring software, so the manual intervention of a web administrator is required to fully achieve the reduction of web threats.</p>
<p>Reporting is a basic foundation of web monitoring software: it is used to evaluate the performance of the defence software but also helps to detect new anomalies in corporate environments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/detect-network-intruders-part-2/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>How to Detect Network Intruders (Part 1)</title>
		<link>http://www.gfi.com/blog/detect-network-intruders-part-1/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=detect-network-intruders-part-1</link>
		<comments>http://www.gfi.com/blog/detect-network-intruders-part-1/#comments</comments>
		<pubDate>Mon, 18 Apr 2011 08:17:37 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3179</guid>
		<description><![CDATA[Stealing someone’s identity is one of the best known techniques for hackers to access confidential information in a corporate environment. But how does it work? Why is it difficult to detect such intrusion attempts? What can be done to safeguard your &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="network intruders" href="http://www.gfi.com/blog/wp-content/uploads/2011/03/network-intruders.jpg"><img class="alignright size-medium wp-image-3180" style="margin: 10px; border: 0px solid black;" title="network intruders" src="http://www.gfi.com/blog/wp-content/uploads/2011/03/network-intruders-300x225.jpg" alt="" width="300" height="225" /></a>Stealing someone’s identity is one of the best known techniques for hackers to access confidential information in a corporate environment. But how does it work? Why is it difficult to detect such intrusion attempts? What can be done to safeguard your corporate network from unwelcome visitors?</p>
<p>It is well known that the internet is not the safest of media as intrusions into foreign networks have become very easy and too convenient for hackers. Nowadays a large number of bots (developed and implemented by hackers) scan networks and, fully automatically, insert malicious code into foreign remote machines and infect them.</p>
<p><span id="more-3179"></span>Putting additional safety measures in place is therefore an important requirement to minimize the risk of possible identity theft in a corporate environment. Identity theft often leads to data theft under the victim’s name which can lead to serious repercussions should the case end up in court where a judge has to decide whether the offence was committed by the victim himself or by a professional hacker who just misused the identity of the poor victim.</p>
<p>Recent statistics about economic crime in online media show a strong increase of registered intrusion activities in corporate environments which is now taken very seriously by both governments and major corporate organizations as well as individuals.</p>
<p><strong>So how does a common intrusion happen in corporate environments?</strong></p>
<p>The scenario is very simple. A hacker tries to insert a malformed common file into a trusted, well-visited website. Let’s say he has created an image file that has been malformed in order to exploit a severe vulnerability of a specific web browser.</p>
<p>In this example the malformed image file will display the logo of the trusted website. Now the hacker tries to replace this original image logo of the target trusted website with his own malformed image. As both image files look the same, the replacement of the image file will not be noticed immediately.</p>
<p>Whenever a visitor opens the trusted website with his specific web browser, the web browser (of the visitor’s client remote machine) will automatically download the webpage including the infected image to his hard disk.</p>
<p>The web browser will process the website including the malformed image logo. By opening this malformed image logo an exploitation of a severe vulnerability of the client’s web browser will take place.</p>
<p><strong>What has happened?</strong></p>
<p>In many cases the web browser will crash immediately and the visitor will be notified with an error message that an unexpected error has occurred. This is a common sign which may indicate that a malformed file has been processed and caused an exception on the web browser level.</p>
<p>However the visitor may not understand why the web browser has crashed and what effects the crash could have for him and for his system. Usually a web browser crash means that the malicious code can now run outside his web browser. So any safety measure of the web browser will fail, because the crash has terminated the web browser along with its own safety measures.</p>
<p>Any malicious code can run freely outside the sandbox, meaning that the malicious code will run with the full access rights of the user account (of the visitor). To any system administrator it will look like the malicious code has been run by the victim himself, although in reality the actions were the result of an infected file placed by a hacker (who is sitting somewhere outside the corporate network). As the hacker can implement any type of malicious code, he has free rein to open any doors for data theft on the target machine.</p>
<p>In the next instalment of this blog series we’ll <a href="http://www.gfi.com/blog/detect-network-intruders-part-2">look further into intruder detection and the ways it can happen</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/detect-network-intruders-part-1/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>How End Point Security Software Can Prevent Data Theft</title>
		<link>http://www.gfi.com/blog/point-security-software-prevent-data-theft/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=point-security-software-prevent-data-theft</link>
		<comments>http://www.gfi.com/blog/point-security-software-prevent-data-theft/#comments</comments>
		<pubDate>Mon, 04 Apr 2011 13:29:34 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[GFI EndPoint Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3207</guid>
		<description><![CDATA[Data thefts in corporate environments happen quite often although many of them remain unnoticed for a long time. Small and medium sized organizations are usually the most badly affected, especially when no security measures are in place within the IT &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="endpoint security" href="http://www.gfi.com/blog/wp-content/uploads/2010/10/endpoint-security.jpg"><img class="alignright size-medium wp-image-2968" style="margin: 10px; border: 0px solid black;" title="endpoint security" alt="Endpoint Security" src="http://www.gfi.com/blog/wp-content/uploads/2010/10/endpoint-security-300x225.jpg" width="300" height="225" /></a>Data thefts in corporate environments happen quite often although many of them remain unnoticed for a long time. Small and medium sized organizations are usually the most badly affected, especially when no security measures are in place within the IT infrastructure. Recent incidents such as Wikileaks are a very good example of why data theft should be taken very seriously.<span id="more-3207"></span></p>
<p>Endpoint security software does not only protect and safeguard business secrets, valuable assets and economic resources, it also actively prevents severe damage to the company’s reputation which may be ruined were confidential company information (possibly provided by a former employee) to be leaked.</p>
<p><!--more-->There are various reasons why an employee or an insider might behave harmfully towards the management or the corporate organization. Employment contracts or confidentiality agreements are, in today’s world, not sufficient to effectively minimize the risk of malicious actions. This is one of the main concerns of management and a real challenge to keep such risks to a minimum.</p>
<p>But what can a system administrator do:</p>
<ol>
<li>To detect and monitor anomalies in user access activities?</li>
<li>To control and promptly block malicious acts?</li>
<li>To prevent damage to and the theft of confidential data?</li>
</ol>
<p>I strongly believe that <strong>end point security </strong>software would be the right answer for all three questions.</p>
<p>End point security software would assist a system administrator to effectively manage user/device access rights, to actively control the access of portable devices and to monitor and detect anomalies and occurrences in the corporate network, such as an employee attempting to copy confidential corporate information onto a USB stick.</p>
<p>Today’s portable devices are very smart; they offer large storage and are able to communicate through multiple standard interfaces. This makes it a real challenge for software manufacturers to develop sophisticated end point security solutions that are up-to-date and always capable of controlling these new portable devices.</p>
<p>An ideal end point security solution offers the ability to scan for new unknown devices and to manage them in a centralised device database, as well as the ability to control and instantly block a portable device accessed on a client machine (e.g. laptop) which is temporarily offline and is not a member of the corporate network.</p>
<p>Good end point security software builds on a smart client &#8211; server architecture. In such architectures administration servers mainly focus on configuration, that is, on updating and managing individual agent protection policies. In such scenarios agents are deployed, installed and run independently on different client machines that require protection.</p>
<p>A very good approach is when an agent communicates periodically with the main administration server, so that the agent can retrieve important updates or perform certain instructions immediately. Furthermore malicious activities should be reported immediately to the administrator where a breach of an existing protection policy has occurred on an agent machine.</p>
<p>Reporting is always an essential instrument to keep the administrator up-to-date. But how should the administrator be informed about a breach of a security policy? An SMS via mobile device would be smart; but classic alternatives such as email or a network message are sufficient. Furthermore, a log entry in the activity database or a note on the dashboard would be a great feature for the system administrator.</p>
<p>If you want to protect your network from portable devices such as USB drives, iPods and PDAs, check out <a href="http://www.gfi.com/usb-device-control?adv=13558&amp;loc=5" target="_blank">GFI EndPoint Security</a>. <a href="http://landdewa.gfi.com/control-user-access-sm/?adv=13558&amp;loc=19" target="_blank">Download your free 30-day trial</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/point-security-software-prevent-data-theft/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>4 Reasons for Implementing Patch Management Software</title>
		<link>http://www.gfi.com/blog/4-reasons-implementing-patch-management-software/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=4-reasons-implementing-patch-management-software</link>
		<comments>http://www.gfi.com/blog/4-reasons-implementing-patch-management-software/#comments</comments>
		<pubDate>Mon, 21 Mar 2011 13:08:27 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Headline]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[patch management]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3176</guid>
		<description><![CDATA[Patching is a very common term in IT system administration. So what are patches for and how important are they for IT security? Generally patches are software updates which fix certain bugs in the software. Nowadays these patches also contain &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="network ports" href="http://www.gfi.com/blog/wp-content/uploads/2011/03/network-ports.jpg"><img class="alignright size-medium wp-image-3177" style="margin: 10px; border: 0px solid black;" title="network ports" src="http://www.gfi.com/blog/wp-content/uploads/2011/03/network-ports-300x225.jpg" alt="" width="300" height="225" /></a>Patching is a very common term in IT system administration. So what are patches for and how important are they for IT security?</p>
<p>Generally patches are software updates which fix certain bugs in the software. Nowadays these patches also contain hot fixes which safely close security vulnerabilities in software.</p>
<p>It is highly recommended to install available patches when they’re released; however, it is always wise to study the technical release note. A technical release note provides some important information about the software patch itself such as the requirements, conditions and full description of the patch.</p>
<p><span id="more-3176"></span>“Never touch a running system” is a common slogan known by system administrators, and it’s because of this slogan that some system administrators prefer not to install a patch immediately into their production environment as soon as it has been officially released.</p>
<p>In many cases the system administrator will be happy to install a certain patch if he/she comes to the conclusion that there is no other option available to fix a noticeable malfunction in the software which is causing trouble in his/her production environment.</p>
<p>But many system administrators are not aware that patches also fix severe security bugs in the software which may not be directly visible to them, and that a delay in patching the software means keeping their corporate network insecure. Security holes in software are a real danger in corporate environments as they open doors for hackers and spammers. It does not take long for a hacker or spammer to identify and take advantage of such vulnerabilities, often without the system administrator even realizing this.</p>
<p>Therefore I strongly believe that keeping software up-to-date contributes greatly to keeping your corporate network safer and there are many reasons why professional patch management software can be of great assistance to a systems administrator.</p>
<ol>
<li>It keeps you automatically informed about new patch releases. Each release note for a different product can be viewed conveniently from one centralised user interface. It saves me a lot of time and I do not need to worry anymore about missed patches thereby keeping my network safer.</li>
<li>Patches can be downloaded easily, fully automated and completely without requiring my presence. Furthermore, I can control the patch deployment workflow for my whole corporate network from my desktop.</li>
<li>The planning and deployment of software installations is much faster requiring just a few clicks.</li>
<li>Monthly reports are common in the industry but creating a professional report consumes a lot of time and requires some effort to collect the necessary data. Monthly inventory reports can be scheduled with professional patch management software. Furthermore, reports are customizable and the parameters can easily be changed.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/4-reasons-implementing-patch-management-software/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>How Events Monitoring can Prevent IT Disasters (Part 3)</title>
		<link>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-3/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=events-monitoring-prevent-disasters-part-3</link>
		<comments>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-3/#comments</comments>
		<pubDate>Mon, 14 Mar 2011 16:08:00 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[events management]]></category>
		<category><![CDATA[events monitoring]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3171</guid>
		<description><![CDATA[In this last blog post of this series I’ll provide a real example which explains how a server can be monitored efficiently with events monitoring. Let us say that there are three main applications (a mail server, a database management &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="events management" href="http://www.gfi.com/blog/wp-content/uploads/2011/03/shutterstock_51955312.jpg"><img class="alignright size-medium wp-image-3170" style="margin: 10px; border: 0px solid black;" title="events management" src="http://www.gfi.com/blog/wp-content/uploads/2011/03/shutterstock_51955312-300x252.jpg" alt="" width="300" height="252" /></a>In this <a href="http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-2/" target="_blank">last blog post of this series</a> I’ll provide a real example which explains how a server can be monitored efficiently with events monitoring.</p>
<p>Let us say that there are three main applications (a mail server, a database management system and a fax server) installed on one main server. These applications are very common in a productive environment and it is obvious that these applications must be responsive around the clock.</p>
<p>So the primary target of the prevention plan of a possible IT disaster will be to ensure that all main applications are fully available 24/7.</p>
<p><span id="more-3171"></span>For this we need to find out what type of risks could harm the availability of these main applications. There are several risks such as low hard disk capacity or low memory availability.</p>
<p>For example, low memory availability may delay the processing of tasks or even cause large operations to fail. In general capacity restrictions are not logged by default in the event logs, so we should verify how extensive logging can be enabled within the main application. The logging procedures are different and depend mainly on the application itself. Sometimes the main application contains its own health system which you may take advantage of.</p>
<p>You may decide to create individual rules (triggers) within the main application so that a specific type of event is written to a log file if certain events occur during normal operation; these entries can later be used for analysis purposes by events monitoring.</p>
<p>Since log files are (generally) file size restricted, the log files are overwritten periodically. Therefore we need to ensure that the events monitoring software collects all relevant log files in time and stores them safely in a centralised database.</p>
<p>Good events monitoring software allows you to create individual pre-processing rules depending on the event source and event type. Furthermore, pre-processing rules ensure that only certain events will be collected and stored, and that certain actions will be triggered when certain events occur.</p>
<p>E.g. if the IMAP service stops unexpectedly, then a notification will be sent automatically to the system administrator by the events monitoring software. If possible, the events monitoring software will try to restart the IMAP service and report the result of the action in a timely manner.</p>
<p>Automation allows system administrators to simplify routine duties such as restarting a service automatically when it stops, which is, in most cases, faster than manual intervention by a system administrator. Furthermore it saves time and reduces administration cost.</p>
<p>Not all events correspond to a possible system failure, so sometimes the judgement of the system administrator may be required. In these cases, dashboards and reports are very helpful as they summarize the main data into a visual chart making it convenient to read. Reports and dashboards are generally customizable, so it makes sense to build individual reports and create dashboards that apply to the individual viewers. Some events monitoring software allows scheduling reports so that a system administrator receives specific reports on a daily, weekly or monthly basis.</p>
<p>Events monitoring contributes greatly to preventing IT disasters as the right events are monitored at the right time and actions based on the events are triggered in a timely manner.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-3/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>How Events Monitoring can Prevent IT Disasters (Part 2)</title>
		<link>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=events-monitoring-prevent-disasters-part-2</link>
		<comments>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-2/#comments</comments>
		<pubDate>Tue, 08 Mar 2011 14:53:50 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[events monitoring]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3169</guid>
		<description><![CDATA[In the first part of this blog post we saw how events monitoring can be a very powerful, effective and at the same time affordable means to prevent system failures in a corporate environment. I believe that the process of &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="events management" href="http://www.gfi.com/blog/wp-content/uploads/2011/03/shutterstock_51955312.jpg"><img class="alignright size-medium wp-image-3170" style="margin: 10px; border: 0px solid black;" title="events management" src="http://www.gfi.com/blog/wp-content/uploads/2011/03/shutterstock_51955312-300x252.jpg" alt="" width="300" height="252" /></a></p>
<p>In the first part of this blog post we saw how <a href="http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-1/" target="_blank"><strong style="outline-width: 0px; outline-style: initial; outline-color: initial; font-weight: bold; font-style: inherit; font-size: 12px; font-family: inherit; vertical-align: baseline; padding: 0px; margin: 0px; border: 0px initial initial;">events monitoring</strong> can be a very powerful, effective and at the same time affordable means to prevent system failures in a corporate environment</a>.</p>
<p>I believe that the process of pre-processing events represents the most important part of events monitoring, because this process will decide whether the collected event will “go” or “stay”.</p>
<p>In other words the quality of a report (that has been built on available data) will mainly depend on the decision which has been made (independently) by the implemented events monitoring framework.</p>
<p><span id="more-3169"></span><strong>Quality in data provides the right picture of the current health level of your IT infrastructure</strong></p>
<p>Therefore the process must ensure that the right event will be collected at the right time. It also should store the events safely in the database management system.</p>
<p>Both requirements are very tough to fulfil, because</p>
<ul>
<li>it is not really obvious in real time whether the current event might be relevant and useful for the “target” purpose and</li>
<li>it requires a logical formula to determine instantly the estimated value for each event.</li>
</ul>
<p>As the database size is strictly limited and it only keeps a limited amount of data for a short period, it is essential to store only those events which will deliver the highest value for the “target” purpose.</p>
<p>It is very important to deal with such primary key questions before one decides to implement an events monitoring solution in his infrastructure; good planning saves both time and money and it also avoids common mistakes and ensures that you build an efficient events monitoring framework in your IT infrastructure.</p>
<p>Database management systems play an important role in events monitoring as they bring the required capacity to store large amounts of data, but not all database management systems are the same. They differ in performance and also in storage size. Retrieval of archived data must be easy, fast and safe.</p>
<h3>What does the ideal world of a system administrator look like?</h3>
<p>I would say that system administrators prefer:</p>
<ul>
<li>a one click instant report that keeps the admin always up-to-date</li>
<li>a fully automated system that collects, pre-processes and delivers the right output at the right time</li>
<li>a system that learns continuously from previous decisions</li>
<li>a system that involves low maintenance and administration duties</li>
</ul>
<p>In the next and final part of this blog post we’ll look at further events manager solutions to help prevent IT disasters.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-2/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>How Events Monitoring can Prevent IT Disasters (Part 1)</title>
		<link>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-1/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=events-monitoring-prevent-disasters-part-1</link>
		<comments>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-1/#comments</comments>
		<pubDate>Fri, 04 Mar 2011 08:41:57 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[event logs]]></category>
		<category><![CDATA[event monitoring]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3156</guid>
		<description><![CDATA[An IT disaster in a corporate environment may cause a significant loss of money and may also interrupt business relevant processes during production. Data loss is one of the worst parts of an IT disaster which sometimes may not be &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="recovery button" href="http://www.gfi.com/blog/wp-content/uploads/2011/03/recovery-button.jpg"><img class="alignright size-medium wp-image-3157" style="margin: 10px; border: 0px solid black;" title="recovery button" src="http://www.gfi.com/blog/wp-content/uploads/2011/03/recovery-button-300x199.jpg" alt="" width="300" height="199" /></a>An IT disaster in a corporate environment may cause a significant loss of money and may also interrupt business relevant processes during production. Data loss is one of the worst parts of an IT disaster which sometimes may not be recoverable.</p>
<p>In general IT disasters leave their marks on businesses which people remember and learn their lesson from. While it is true that IT disasters are not fully avoidable, risks of such events can be minimized.</p>
<p>&#8216;Planning ahead&#8217; is a key element to prevent or to at least minimize risks in your IT infrastructure.</p>
<p><span id="more-3156"></span><strong>Events monitoring</strong> can be a very powerful, effective and at the same time affordable means to prevent system failures in a corporate environment.</p>
<p>Ultimately IT disasters do not happen suddenly.</p>
<p>You will always find useful traces, pieces of information and sometimes tiny &#8216;red&#8217; signals in your IT infrastructure. So why not collect, analyze and assess such data which may be supervised by your system administrator?</p>
<p>I believe that a good assessment of available system data may help system administrators monitor, track and manage events, but more importantly will help prevent system failures more effectively and in a timely manner.</p>
<p>It’s no secret that there is currently a real demand for professional monitoring tools for corporate purposes. So what should you know about events monitoring in general?</p>
<p>A system can produce millions of events in a second. So obviously it is not possible to collect and store all events in one centralized database. Therefore, it is very important to understand how system failures can be recognized in the early stages.</p>
<p>Questions such as “What are the key parameters that lead to a system failure?”, “How can I make these parameters visible?”  and “Where will I find such parameters in my infrastructure?” are very important.</p>
<p>Such questions help you make the right decision when it comes to implementing an events monitoring process for your business.</p>
<p>When you have figured out possible leaks or risks in your IT infrastructure it is very important to work out whether there are useful system traces or event logs which may describe early signs that may indicate (directly or indirectly) a possible critical system failure.</p>
<p>As a system produces millions of different types of logs that are kept for a small amount of time it is very important to understand which log files may be relevant for analysis purposes. Furthermore, it is sometimes necessary to enable the logging of a system component as these options may be disabled by default.</p>
<p>It’s also a good idea to verify whether the system component allows you to customize the type and the format of events that should be stored (especially for analysis purpose) in a log file.</p>
<p>In general log files have a specific file size limitation, so it’s not possible to store all events in a log file. And it is known that log files are overwritten regularly as this is a normal part of keeping the file size small.</p>
<p>That is why it is necessary to collect the log files in time and to store the relevant events regularly in a centralised database. Good event monitoring software allows you to define a set of processing rules which should apply before events are finally stored in a centralised database. Furthermore, a real-time dashboard which indicates leaks or high risks requires some information based on the calculation of the pre-processed events.</p>
<p>Look out for part 2 of this article for <a href="http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-2/" target="_blank">more information about events monitoring and the assets of implementing it in your organization</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/events-monitoring-prevent-disasters-part-1/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Why FAX is still an essential element in corporate environments</title>
		<link>http://www.gfi.com/blog/fax-essential-element-corporate-environments/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=fax-essential-element-corporate-environments</link>
		<comments>http://www.gfi.com/blog/fax-essential-element-corporate-environments/#comments</comments>
		<pubDate>Mon, 15 Nov 2010 13:57:42 +0000</pubDate>
		<dc:creator>Mohammed S Ali</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[fax server]]></category>
		<category><![CDATA[fax software]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2998</guid>
		<description><![CDATA[Germany is one of the leading countries where fax software in general has been established successfully and is still recognized as essential equipment for running a corporate business. Sending a fax is easy, fast and very cheap. But the great &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="fax server" href="http://www.gfi.com/blog/wp-content/uploads/2010/10/fax-server.jpg"><img class="alignright size-medium wp-image-2999" style="margin: 10px;" title="fax server" src="http://www.gfi.com/blog/wp-content/uploads/2010/10/fax-server-300x200.jpg" alt="" width="300" height="200" /></a>Germany is one of the leading countries where fax software in general has been established successfully and is still recognized as essential equipment for running a corporate business. Sending a fax is easy, fast and very cheap.</p>
<p>But the great thing is that fax reports in general have been acknowledged by some major courts in Germany as an acceptable proof for delivery. This would explain why faxing is still a favourite option for urgent delivery in corporate environments.</p>
<p><span id="more-2998"></span></p>
<p>During the last decade many companies have decided to replace their old analogue fax devices with professional fax software. The most common reasons for making such changes in the infrastructure are:</p>
<ol>
<li><strong>Process Automation</strong> &#8211; integration of fax software solutions in ERP systems, implementation of large mail, faxing campaigns, etc.</li>
<li><strong>Minimize Cost and Save Time</strong><strong> &#8211; </strong>less spending and costs in repairing and maintaining hardware devices and accessories; the ability to process the sending and receiving of faxes completely electronically.</li>
<li><strong>Maximize Performance</strong> &#8211; gaining efficiency in work performance and in communication flow.</li>
</ol>
<p>Nowadays fax software solutions are smart pieces of software which in most cases run on virtualized machines. Because of this there is a high demand for FOIP support which is provided by manufacturers of fax software solutions.</p>
<p>If you plan to implement specific FOIP software to enhance your fax software solution, then it would be a good idea to check if there are any known compatibility issues with the FOIP software and your current PABX, your operating system and/or your fax software solution.</p>
<p>In a productive environment (where high peaks come and go) it is critical for corporate organizations to ensure that all fax software installations run in stable conditions while running in a dynamic mixed environment.</p>
<p>Changes in environment happen quite often, at least every three to five years, especially when a system upgrade is planned or a technical upgrade is required, and this may affect your fax software installation.</p>
<p>So the main questions in such situations remain:</p>
<ol>
<li>Does the current fax software installation support the new upgraded system?</li>
<li>If not, what options does the user have? Will any updates for the current fax software installation be available soon? Is there any workaround meanwhile?</li>
</ol>
<p>These are questions by which you can measure how flexible your fax software is in reality. At this stage questions like this become very important and play an important role in planning changes to the current infrastructure.</p>
<p>In critical situations such as system crashes, hardware failures, etc. the quality of the technical support team becomes a crucial element for the survival of small companies. Companies depend and rely on the software itself as well as the knowledge of the technical support team.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/fax-essential-element-corporate-environments/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
