Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Friday, 5 August 2016

Anti-malware vs. ransomware: latest reports

Ransomware is a nasty category of attack that we’ve seen dominating the so-called 'threat landscape' in recent months. It can affect every type of computer user including home users, small businesses and even extremely large enterprises. Anyone who stores valuable data on a computer is at risk of this digital extortion racket, which encrypts data files and offers the key to recovery for a hefty price.

Over the last three months we have been monitoring the threats that affect real users and businesses. We've used many of these attacks to test systems protected by a range of different security products, including some very well-known anti-malware programs.

Because we're seeing a lot of ransomware on the internet, and because we believe that testing security products should revolve around the significant threats out there (rather than the very obscure, rare ones), there was a large amount of ransomware used in the test. We are proud to present the results of that work in these reports.

Read about how the leading anti-malware products handle today's threats.
(To access the business reports you need a free account. Register now.)

  • Large businesses/ enterprises
  • Small to medium businesses
  • Home users/ consumers

Monday, 1 August 2016

Defeat ransomware with free backups

Ransomware is a serious problem but protecting your data can be simple and inexpensive - if you choose your cloud storage provider carefully...

I know, I know. You were tired at the time and not really concentrating. You double-clicked an infected attachment and the world suddenly became a very hostile place.

Your files might as well be in Swahili. A ransom note, with a grasp of English you'd normally find endearing, is mocking you for your bad luck. If you don't figure out what a Bitcoin is, and how to send one to a person whom you'd very much like to die a slow and painful death, you'll lose everything forever. Or will you?

You could try to identify the exact strain of the exact family of infection, and see if a kindly anti-virus company or independent researcher has managed to figure out how to decrypt your precious files. If they haven't, what then?

By now, any computer expert worth their salt should be saying, "Wipe the machine and restore last night's backup." Of course, the backups! Cloud storage will save us! But there could be a problem…

If your cloud backup service re-uses space, and has over-written previous backups with the newly encrypted files (which, after all, look just like a bunch of freshly updated documents that need to be backed-up), then technically there is no backup. So, Bitcoins and a seedy alley on the dark web it is.

If you're busy, on the move, or have "non-technical" users to look after, you need backups that will both protect you from ransomware and take care of themselves. For safety from fire and theft, those backups also need to be stored off-site, which is why cloud backup services are ideal.

However, rather than continuously and efficiently updating a single archive, the ransomware threat means that you really need a service that keeps previous versions of everything.
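As an added illustration (this is not code from this post or from any backup service), here is a minimal versioning backup in Python that behaves the way a safe one must: every file is stored under the SHA-256 of its content, so a freshly encrypted copy gets a new object name and can never overwrite the object holding the old version, and a snapshot that replaces more than half of the previously backed-up files is flagged so that rotation is paused instead of retiring the last good snapshot. The ransomware step in `demo()` is simulated with random bytes and a `.crypt` rename; the directory names, the 50% threshold and the snapshot layout are all assumptions.

```python
import hashlib
import json
import random
import shutil
import tempfile
from pathlib import Path


def snapshot(src: Path, repo: Path, max_changed: float = 0.5) -> dict:
    """Store every file under src as a content-addressed object and write a manifest.
    Objects are named by SHA-256 of content, so an encrypted file never overwrites the
    old version.  Replacing more than max_changed of the previous manifest is flagged."""
    objects, snaps = repo / "objects", repo / "snapshots"
    objects.mkdir(parents=True, exist_ok=True)
    snaps.mkdir(exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if not (objects / digest).exists():      # identical content is stored once and never replaced
            (objects / digest).write_bytes(data)
        manifest[path.relative_to(src).as_posix()] = digest
    previous = latest(repo)
    changed = changed_fraction(previous["files"], manifest) if previous else 0.0
    record = {
        "id": f"{len(list(snaps.glob('*.json'))):04d}",
        "files": manifest,
        "changed_fraction": changed,
        "suspicious": previous is not None and changed > max_changed,
    }
    (snaps / f"{record['id']}.json").write_text(json.dumps(record))
    return record


def latest(repo: Path):
    files = sorted((repo / "snapshots").glob("*.json"))
    return json.loads(files[-1].read_text()) if files else None


def changed_fraction(old: dict, new: dict) -> float:
    """Share of previously backed-up paths that have vanished or changed content."""
    if not old:
        return 0.0
    return sum(1 for path, digest in old.items() if new.get(path) != digest) / len(old)


def prune(repo: Path, keep: int) -> list:
    """Retire old snapshots, unless the newest one looks like a mass-encryption event."""
    files = sorted((repo / "snapshots").glob("*.json"))
    if files and json.loads(files[-1].read_text())["suspicious"]:
        return []                                # rotation paused: the pre-infection snapshots survive
    victims = files[:-keep] if keep > 0 else files
    for f in victims:
        f.unlink()                               # objects stay; a separate GC would drop unreferenced ones
    return [f.stem for f in victims]


def restore(repo: Path, snap_id: str, dest: Path) -> int:
    """Rebuild the tree recorded in one snapshot under dest; returns the number of files written."""
    record = json.loads((repo / "snapshots" / f"{snap_id}.json").read_text())
    for rel, digest in record["files"].items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(repo / "objects" / digest, target)
    return len(record["files"])


def demo() -> dict:
    """Constructed scenario: back up, 'encrypt' everything the way ransomware does, back up again."""
    rng = random.Random(2016)
    base = Path(tempfile.mkdtemp())
    src, repo, out = base / "docs", base / "repo", base / "restored"
    src.mkdir()
    originals = {f"report{i}.txt": f"quarterly figures {i}\n".encode() * 40 for i in range(4)}
    for name, data in originals.items():
        (src / name).write_bytes(data)
    first = snapshot(src, repo)
    for path in list(src.iterdir()):             # simulated ransomware: random bytes, .crypt name, original gone
        size = len(path.read_bytes())
        path.with_name(path.name + ".crypt").write_bytes(bytes(rng.getrandbits(8) for _ in range(size)))
        path.unlink()
    second = snapshot(src, repo)
    pruned = prune(repo, keep=1)
    restored = restore(repo, first["id"], out)
    intact = all((out / name).read_bytes() == data for name, data in originals.items())
    return {"first": first, "second": second, "pruned": pruned, "restored": restored, "intact": intact}


if __name__ == "__main__":
    r = demo()
    print(f"snapshot {r['second']['id']}: {r['second']['changed_fraction']:.0%} changed, "
          f"suspicious={r['second']['suspicious']}, pruned={r['pruned']}, restored intact={r['intact']}")
```

The point is in `prune()`: a service that "re-uses space" is one that rotates unconditionally. Here the second snapshot records 100% of the old files as gone, so it is kept as evidence but rotation refuses to delete the first one, and `restore()` brings the pre-infection tree back from content that the encrypted copies never touched. In a real service the equivalent question to ask is whether old versions are retained regardless of how much changed in one run.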

There are many online backup services that offer file versioning, and to the best of my knowledge, the following all provide it on their free plans.
  • Blaucloud includes a versioning app that will keep old versions of files until you run out of space.
  • CrashPlan allows you to set backup frequency and versioning frequency.
  • Cubby contains versioning as standard in the free plan.
  • Dropbox has unlimited versioning as standard.
  • ElephantDrive provides unlimited versioning on its free Lite plan.
  • Google Drive keeps up to 100 versions per file, stored for up to 30 days.
  • iDrive stores up to 30 versions.
  • Mozy stores old versions for up to 30 days.
  • pCloud stores old versions and deleted files can be restored.
  • PowerFolder stores the last versions of files.
Ransomware is a 21st century plague, fuelled by greed. How you respond to it is paramount, because refusing to pay is possibly the only thing that will make it fall from favour with criminals. Versioned online backups are one way of bringing that happy day closer.

Author: Jon Thompson (Email: jon@selabs.uk; Twitter: @jon_thompson_uk)

Friday, 17 June 2016

Let's get fuzzical

Why does software seem so insecure? Massive software companies seem incapable of fixing their products for any length of time. Is it their fault, or are they fighting a battle they can't win?

At its core, Windows is the result of several decades of constant development. Despite this, Microsoft is still obliged to observe Patch Tuesday each month, when users receive the latest fixes to installed products. A large number of these updates fix security vulnerabilities.

This month, for example, Patch Tuesday includes 16 security update bundles covering in excess of 40 new security holes found in products as diverse as IIS, Microsoft's web server, and the supposedly secure Edge browser. How can it be that this monthly ritual is still required? After all, it's not like Microsoft is a small company caught out by sudden success, while trying to manage a huge ball of undocumented code. On the contrary, it is literally one of the biggest, best funded tech companies in the history of the planet.

Let's take another case. Adobe's Flash and Reader products are also mature, stable software. Yet black hat hackers love them as the gifts that keep on giving. This week brought news of yet another critical Flash vulnerability, which is already being exploited in the wild.

The complexity of some software, despite its maturity, makes it vulnerable. It needs to be all things to all (wo)men at all times. In the case of Adobe Reader, every PDF document it loads must display perfectly, regardless of its complexity or the limitations of the software used to create it. Anything not explicitly forbidden is, therefore, permissible. Reader will always try to render the file you give it.

Such complexity leads neatly to a fundamental question: If companies such as Adobe and Microsoft can't find all the exploitable bugs in their code, how come private researchers and black hats can?

The answer lies in a technique called fuzz testing, or fuzzing.

In his presentation to CodenomiCON 2010, Charlie Miller showed that with a little thought, a few lines of Python code and some time, it's possible to use fuzzing, in the form of completely random mutations to a file, to find a number of hitherto unreported and potentially exploitable crashes in Adobe Reader.

He took 80,000 PDFs from the internet and reduced that total to just over 1,500 based on their uniqueness from each other. From these files, he generated 3 million variations containing random mutations.

When loaded into Reader, these corrupted files caused crashes in over 2,500 cases. Miller showed that several of those crashes were exploitable; some were subsequently found, reported and patched by Adobe, but others were new.

A file of n bits has 2^n possible states, so the space of mutations open to a fuzzer is effectively inexhaustible, and each mutation can be generated and evaluated automatically. PDF readers alone should therefore remain a goldmine for new exploits for some time. Meanwhile, there are many other programs and file types that can also be attacked with various fuzzing methods.
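As an added illustration, and not Miller's code or anything published by SE Labs, here is the shape of the "dumb" mutation fuzzer he describes, in Python. The target is a constructed toy parser standing in for Reader (an assumption, not any real product's logic): a magic header followed by length-prefixed records, where the length byte is trusted. Crashes are bucketed by exception type and crashing line, the way a real harness buckets by crash address, so 300 cases collapse to a handful of distinct bugs to triage. Against a real reader, `target` would write the case to disk, launch the application under a debugger with a timeout and report whether it crashed.

```python
import random
import traceback
from dataclasses import dataclass, field


def mutate(data: bytes, rng: random.Random, ratio: float = 0.05) -> bytes:
    """Miller-style 'dumb' mutation: overwrite a few random byte positions with random values."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max(1, int(len(buf) * ratio)))):
        buf[rng.randrange(len(buf))] = rng.getrandbits(8)
    return bytes(buf)


@dataclass
class FuzzResult:
    iterations: int = 0
    rejected: int = 0        # inputs the target refused cleanly (not interesting)
    crashes: int = 0         # unhandled exceptions: the cases worth triaging
    buckets: dict = field(default_factory=dict)  # (exception type, crashing line) -> first input that hit it


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0, graceful=(ValueError,)) -> FuzzResult:
    """Feed mutated copies of seed to target and bucket the crashes, as a debugger would by crash address."""
    rng = random.Random(rng_seed)
    result = FuzzResult()
    for _ in range(iterations):
        case = mutate(seed, rng)
        result.iterations += 1
        try:
            target(case)
        except graceful:
            result.rejected += 1
        except Exception as exc:
            result.crashes += 1
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            result.buckets.setdefault((type(exc).__name__, frame.lineno), case)
    return result


def toy_parse(data: bytes) -> int:
    """Constructed stand-in for a document parser (an assumption, not any real product's code):
    a magic header followed by length-prefixed records.  It trusts the length byte, which is
    exactly the kind of flaw a random byte flip exposes."""
    if data[:4] != b"TOY1":
        raise ValueError("bad magic")      # clean rejection of junk: not a crash
    i, total = 4, 0
    while i < len(data):
        n = data[i]
        for k in range(n):
            total += data[i + 1 + k]       # IndexError once n claims more bytes than remain
        i += 1 + n
    return total


SEED = b"TOY1" + b"\x03abc" + b"\x02de" + b"\x00" + b"\x04wxyz"   # one well-formed 'document'


if __name__ == "__main__":
    r = fuzz(toy_parse, SEED, iterations=300, rng_seed=1)
    print(f"{r.iterations} cases, {r.rejected} rejected, {r.crashes} crashes in {len(r.buckets)} bucket(s)")
    for (exc_type, line), case in r.buckets.items():
        print(f"  {exc_type} at line {line}: {case!r}")
```

Two things to notice. Mutations that land on the magic bytes are thrown out by the parser's own validation and count as rejections, not findings, which is why a seed corpus that passes the early checks matters so much (Miller's pruning of 80,000 PDFs to 1,500 was about reaching deeper code). And every distinct crash maps to one bucket, so the interesting number is the count of buckets, not the count of crashes.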

Bugtraq has been highlighting software vulnerabilities for years

Take a look at the Bugtraq mailing list archive and you'll see what I mean. Every day brings a new crop of reports and proofs of concept for all kinds of software. In fact, another six were added while I wrote this blog post. Buried amongst the plethora of obscure libraries and applications are often complete howlers in major products. How are these bugs being found? In the case of closed source software, fuzzing techniques can be the primary tools.

Fuzzing comes in many forms, with some methods and frameworks being more intelligent and guided than others, but the aim is always to automate the discovery of exploitable bugs by finding situations for which complex software either hasn't been tested or cannot be tested.

You may be wondering why, with their wealth and resources, major software manufacturers don't fuzz their products to death, as well as performing more traditional testing. The short answer is that they do, but due to the sheer number of possibilities and the time required, all they can do is fuzz as much as possible before the release deadline. The overwhelming majority of possible tests may still remain to be run by other, potentially malicious individuals and groups.

Security holes in software are not going away any time soon, so ensure that the security software you run is capable of protecting you. How? Checking out good anti-malware reviews that include exploit attacks such as ours would be a good start.

Author: Jon Thompson (Email: jon@selabs.uk; Twitter: @jon_thompson_uk)

Tuesday, 7 June 2016

Poor grammar foils spammer

It's great that even if your mastery of a language isn't brilliant, other people from across the planet can still understand you. It's an amazing human ability that brings us together as a species, but when the people writing phishing attacks try to sound plausible in a language they don't sufficiently understand, the results can be unconvincing:
"Please take a few minutes out of your online experience to know why PayPal had to limit your account and know how you are best able to easily restore your access as usual."
It's our old friend the Fake Security Notice phishing attack. This is the opening gambit of a surprisingly old school technique we've been monitoring all week with the SE Labs spam-pot network.

It goes on:
"We need some information from you. We have provided a form for you to complete, please open the attached file in this email in your browser. After our security team reviewed your information, we can then lift the limitations from your PayPal account."
Not very convincing unless you read it too fast, and there's an old-fashioned feel to the language. The grammar and punctuation are poor too.
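One mechanical check that does not depend on spotting bad grammar, added here as an example and not part of the original post: parse the message, find any HTML part, and look for a form, where it posts to, and whether it asks for a password. A genuine notice from a payment provider has no reason to ship a login form as an attachment. The sample message below is constructed to match the campaign quoted above (the sender domain and the 203.0.113.7 action address are placeholders); the organisation's real domain is passed in as `claimed_domain`.

```python
import email
import email.policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormScanner(HTMLParser):
    """Collects every form action and input type in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.input_types = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        elif tag == "input":
            self.input_types.append((attrs.get("type") or "text").lower())


def same_org(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return bool(host) and (host == domain or host.endswith("." + domain))


def scan_message(raw: bytes, claimed_domain: str) -> list:
    """Return the phishing indicators found in one message that claims to come from claimed_domain."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if not same_org(sender_domain, claimed_domain):
        findings.append(f"From address {sender!r} is not under {claimed_domain}")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        scanner = FormScanner()
        scanner.feed(html)
        label = part.get_filename() or "inline HTML body"
        if part.get_content_disposition() == "attachment" and scanner.actions:
            findings.append(f"{label}: HTML attachment contains a form")
        for action in scanner.actions:
            host = urlparse(action).hostname or ""
            if not same_org(host, claimed_domain):
                findings.append(f"{label}: form submits to {host or action!r}, not {claimed_domain}")
        if "password" in scanner.input_types:
            findings.append(f"{label}: form asks for a password")
    return findings


def build_sample() -> bytes:
    """Constructed message modelled on the campaign quoted above; domains and IP are placeholders."""
    msg = EmailMessage()
    msg["From"] = "PayPal <service@paypal-secure-notice.example>"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "PayPal had to limit your account"
    msg.set_content("We have provided a form for you to complete, please open the attached file in your browser.")
    form = (
        '<html><body><form method="post" action="http://203.0.113.7/verify.php">'
        '<input name="email"><input type="password" name="pass">'
        '<input type="submit" value="Restore access"></form></body></html>'
    )
    msg.add_attachment(form, subtype="html", filename="PayPal_Form.html")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed plain-text receipt from the real domain, for comparison."""
    msg = EmailMessage()
    msg["From"] = "PayPal <service@paypal.com>"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Your receipt"
    msg.set_content("You sent a payment. Log in at paypal.com to see the details.")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample(), "paypal.com"):
        print("-", line)
```

The From check is the weakest of the four (display names and envelope senders are trivially forged in both directions), which is why the form checks carry the weight: an attached HTML file with a form, posting to a host outside the claimed domain, asking for a password, is the technique itself rather than a symptom of it.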

It could be that the targets of this campaign are people who speak English as a second language, some of whom may not spot the problems that mark it out as unusual.

It should, however, go without saying that if you receive an email from someone calling themselves PayPal you should log into and check your PayPal account using your usual method, and not by clicking the link in the email. PayPal (and other financial institutions) never ask for passwords or other private information via email.

Author: Jon Thompson (Email: jon@selabs.uk; Twitter: @jon_thompson_uk)

Friday, 3 June 2016

Ransom-ware: Can pay, won't pay

The FBI's Joseph Bonavolonta had some shocking news about ransomware for Boston's Cyber Security Summit last October. "To be honest," he said, "we often advise people to just pay the ransom."

Cyber-security blogs everywhere exploded at the advice, but a lot has changed in the past six months. A constantly-evolving array of ransomware campaigns roam free, "taxing" online life. One big problem is that there’s no way of knowing what the ransom payments are being used for.

Is the money funding a criminal’s easy life? The development of even worse malware? ISIS, perhaps? After further thinking the FBI is now telling people not to pay up.

The question for most of us is, what happens if you don't pay? To find out, we infected a specially-prepared Windows test system.

Infection time

When we test anti-malware products we find the latest threats that we believe affect most people. These are often automatic 'drive-by' attacks that use exploits to install malware such as ransomware on victims' computers without requiring user interaction. You just have to visit the site and the attack starts and runs to completion. No clicking required.

For this demonstration we exposed our target, which was not running anti-malware software, to an infected website. After a few minutes of apparent inactivity a pop-up message explained that svchost.exe needed to be installed. We clicked to accept the change and... Bingo! An infection swiftly ensued, turning all of our important files to gibberish and leaving them sporting the dreaded .crypt file extension.

In the background the malware also scanned the local subnet for any other unprotected file shares. This being a test network, there were none, but in a real situation every file you can access on your local network can also potentially be accessed by ransomware. Your movie collections or business files stored on a Network Attached Storage (NAS) device are definitely at risk.

This knowledge is vital when assessing the extent of an attack. If your smartphone is plugged in, it could be at risk. Your carefully curated media server could also be affected, as could your cloud storage.


Rebooting revealed the full horror of the machine's plight. As soon as the Desktop appeared, so did a pop-up unexpectedly asking us to run an installation package. Running, cancelling or dismissing the installation always led to the same result: a ransom note displayed in both the web browser and Windows Photo Viewer. The note explained what had happened and threatened what would happen if we didn't do exactly as instructed (spoiler: the price goes up!). It also contained a set of links to the data-nappers' web site to read detailed instructions for how to pay.

Assessing the Damage

The object of the exercise was to find out what would happen if we were to simply ignore the ransom note and carry on using the machine, so it was time to take stock.

All of our files had been turned to cryptographic porridge. However, the operating system still seemed to be running smoothly. Screen dumps of the ransom note could still be saved and read, as could the other documents we created, implying that there was nothing in the background encrypting newly-created files.

The kidnapping part of the ransom operation was seemingly over.
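The stock-taking described above can be scripted. As an added example (not something SE Labs ran or published), the following Python walks a tree, whether a local profile or a mounted share, and separates files that carry the ransom extension and are genuinely encrypted (near 8 bits per byte of entropy) from files that were merely renamed, picks out likely ransom notes by name, and counts the rest. The `.crypt` extension comes from this post; the note-name hints, the 7.5-bit threshold and the sample size are assumptions. `build_sample()` constructs a victim tree so the script runs offline.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXTS = {".crypt"}   # the extension seen in the test above; add others as you meet them
NOTE_HINTS = ("decrypt", "recover", "ransom", "restore", "how_to")   # assumed naming habits of ransom notes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, compressed or encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(root: Path, sample_bytes: int = 4096, threshold: float = 7.5) -> dict:
    """Walk a tree and sort files into: confirmed encrypted, renamed but still readable,
    ransom notes, and everything else."""
    report = {"total": 0, "encrypted": [], "renamed_only": [], "notes": [], "untouched": 0}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        report["total"] += 1
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix not in RANSOM_EXTS and any(h in path.name.lower() for h in NOTE_HINTS):
            report["notes"].append(rel)
        elif suffix in RANSOM_EXTS:
            # A renamed-but-intact file keeps the entropy of its original content, so the
            # first few KB tell a cosmetic rename apart from real encryption.
            entropy = shannon_entropy(path.read_bytes()[:sample_bytes])
            (report["encrypted"] if entropy > threshold else report["renamed_only"]).append(rel)
        else:
            report["untouched"] += 1
    return report


def build_sample() -> Path:
    """Constructed victim tree: three encrypted documents, one file merely renamed, a note, two untouched files."""
    rng = random.Random(42)
    root = Path(tempfile.mkdtemp())
    text = b"Minutes of the board meeting, item 1: approve last quarter's accounts.\n" * 60
    for i in range(3):
        (root / f"report{i}.docx.crypt").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "renamed.txt.crypt").write_bytes(text)
    (root / "HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted. Pay 1 BTC within 72 hours...\n")
    (root / "notes.txt").write_bytes(text)
    (root / "todo.txt").write_text("buy milk\n")
    return root


if __name__ == "__main__":
    print(assess(build_sample()))
```

Two caveats. Compressed formats such as .docx, .zip and .jpg are high-entropy even when healthy, so the entropy test is applied here only to files that already bear the ransom extension; a family that encrypts in place without renaming needs a baseline of hashes (or the manifests of a versioned backup) to compare against. And "untouched" is a count, not a promise of integrity: as the next paragraph says, without proper forensic checks you cannot be sure nothing else was left behind.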

Of course, there may have been a rootkit lurking somewhere, ready to spring into life if no ransom was paid after a certain date. To test this hypothesis, we set the system clock forwards several weeks and rebooted. Nothing new happened, but without running some forensic tests we'd never be sure.

All that seemed to be left was the demand for money, triggered from the Startup folder every time we logged in. Deleting the relevant Startup entries stopped the ransom note from appearing, but that still left us with no way to access any of the encrypted files, and we couldn't truly trust the operating system any more.

Ransomware doesn't have to hang around causing more trouble for its hapless victim. It's done its foul work and the criminals behind the campaign simply had to wait for the Bitcoins to come rolling in. Other than paying up, our only hope would be that a researcher or anti-malware company has developed a decryption tool for our particular infestation. The development of decryption tools, however, is causing some ransomware developers to revert to locking the entire computer rather than allowing you to see the locked files for yourself.

Protect and Survive

The FBI is right to change its stance on ransomware. Paying up fuels the epidemic and the easy money is attracting criminals like flies around you-know-what. The number of ransomware domains, according to reports, increased by 3,500% in Q1 of 2016 alone and the situation looks like getting worse.

For example, in the past few days Microsoft announced the existence of a 'ransomworm' called ZCryptor. Its payload is contained within emailed Microsoft Office documents. Once delivered, it also installs itself on any USB devices it finds plugged into the victim's computer and alters the autorun information on the device. It will then try to infect any system into which the USB drive is subsequently plugged.

10 ways to stay safe

As usual with online security, prevention is far better than cure, but it only works if you take these steps before the attack:
  1. Install a good anti-virus product. Our reports show which are the most effective for businesses and home users. Our work is independent and we only test against current threats, which we catch ourselves in-house.
  2. Educate yourself to treat everything in your inbox as a lie. Even if the sender is known to you, double-check with them before opening attachments.
  3. Switch on automatic updates for all software, including Windows, your antivirus software, your browser, Java, Adobe products, etc.
  4. Regularly download a bootable rescue disk from your chosen anti-malware provider and let it run overnight to thoroughly examine your computer. Most rescue disks will boot from USB.
  5. Never install 'updates' just because a website tells you to. This type of trickery is a very common infection vector for ransomware.
  6. Consider installing a browser plug-in such as the excellent NoScript for Firefox to prevent JavaScript from automatically running from unknown domains without your explicit say-so. And consider disabling Java in your browser.
  7. Don’t download cracked copies of commercial software, ebooks or media. Again, this is a very common infection vector.
  8. Never use a USB drive you find in a public place. You simply can't trust them or their content. 
  9. Ransomware will try to infect every share to which it can write. Only mount shares as and when needed, and always protect them with passwords. If you don’t need write access, mount as read only.
  10. Above all, get into the habit of performing regular backups to removable media. For a home user, a backup is as simple as dragging and dropping a folder structure (and ejecting afterwards!) onto a freshly quick-formatted USB drive. Use two USB drives and swap between them.
Author: Jon Thompson (Email: jon@selabs.uk; Twitter: @jon_thompson_uk)

Friday, 13 May 2016

Building a security lab (literally)

I've seen a few 'how to build your own security testing lab' documents in the past, but many have struck me as being 'what I would do' rather than 'what I did'.

Having gone through the process myself at least three times over the last 15 years I thought some people might be interested in seeing a series of photos taken while we were literally building SE Labs from scratch.

First things first. You can never have enough boxes. And never throw them away, because they'll come in handy later - such as when you move from your temporary space into the permanent office.

Why not start out and build the lab where you mean to end up? Because having a commercial office space 'fitted out' takes a lot longer than you might imagine. Choosing the right time of year can help speed this up.

Start-up tip #1: Don't plan on anything happening fast over the Thanksgiving/ Christmas/ New Year period. Everyone except you will be on a go-slow/ stop. It will make you angry.

Ideally you would have all of your expensive servers locked away somewhere safe from thieves, vandals and pretty much anyone carrying too many cups of coffee.

Without that luxury you might have to set up on a desk, near the door, and plaster the windows with paper so people can't see your new company's crown jewels sitting vulnerably exposed in an insecure office.

When you work from a serviced office you have a choice: rely on their networking infrastructure or create your own. We created our own because sending exploits over someone else's network is not very friendly and there might be some liability issues too.

One problem with creating your own network in a serviced office is that you can't really run your networking cables under the floor.

This can mean using cardboard, gaffer tape and cable ties to construct a sort-of over-floor networking setup that is fractionally less hazardous than simply having cables looping all over the floor.

At this stage we were at least able to start work, although we quickly discovered the limitation of cheap network switches and, thanks to the speed of Amazon Prime, managed to upgrade without too much disruption.

While the testers were busy attacking systems and logging how the security products handled these threats, we also had to start work designing the award logos that we would eventually hand out to any vendors who did a great job.

Here are the early sketches, made in the Easy Hotel adjacent to the developing office. As you will see from our reports, the design we ended up with was the round badge. Did we make the right decision?

While all of this was going on, the main office was under construction. You can see the progress below, as the main open-plan office, the server room and our corner office take shape.

Why is there no furniture, even right at the end? Because there was a problem with the delivery and our desks were stuck on a boat somewhere near Europe, while we worked from temporary, bolted-together desks. At least we had chairs...

One large, empty shell...
The area to the right will become the server room.

The new server room is visible through the window on the right.
The corner office, full of junk.
A tidy corner office.

The open-plan area starts to take shape.
We moved into the new office with zero days to spare.
Our name is on the door (sort of).

After a busy night we head to the pub. This is now our new home.
(The building in the photo. Not the pub.)
The corner office is now full of junk again.
We have chairs but little else.

The server room starts to take shape.

A working office space!

All systems go. Neatly.
Well, neat on the face of it...

We use physical systems for most tests. So we need a lot of them.
What became of the cardboard boxes? Rumour has it that after the move one of the guys took them all home in a van and built a massive fort for his children.

Tuesday, 10 May 2016

SE Labs: Next-Generation Security Testing

I am proud to announce the first public reports from SE Labs, a new security testing company that tests a whole range of security products, from the sort of anti-malware program you run on your home PC to complex combinations of enterprise endpoint agents and appliances.

The new website will be live in the next day or so, after we've ironed out what I hope will be the last few wrinkles. (Update: 12/05/2016 - the website is live now).

Since January 2016 we've been testing endpoint security products by exposing them to live web threats and targeted attacks. The results are very interesting and will probably cause some controversy.

Targeted attack testing?

How is it possible to test using targeted attacks? We'll go into detail over the coming weeks on this blog but for now I'll say that the tests are run using threats found and used against real targets, and include realistic variations that simulate closely how attackers with a range of resources behave.

If you can make it to the Virus Bulletin conference in Denver this year you can hear me talk about advanced 'next-gen' testing and challenge me in person : )

Startup challenges

We faced significant challenges in bringing the new lab up and running over a relatively short period of time. This involved using serviced offices with fairly restrictive internet connections, cheap hardware that failed fast (thanks to Amazon Prime for saving us on many, many occasions) and expensive hardware that also failed badly ('thanks' to Lenovo - avoid ThinkCentre desktops at all costs if you are relying on them to power your new startup! More on this sorry episode later...)

In addition to writing about the threats we see on the internet; the way we handle them; and (most importantly) the way that security products protect against them, I'll also be contributing some advice to those considering starting up their own businesses.

I have a catalogue of "what not to do" tips to share and maybe one or two more positive pieces of advice!

The next step

Please check out our new website (SELabs.uk) and follow us on Twitter (@SELabsUK). We also have email newsletters for the old-skool.