Trojan.Spy.YEK Espionage Agent

BitDefender reports that Trojan.Spy.YEK has both spying and backdoor features, making it a very serious threat to businesses.  It sniffs for critical data and archives that may hold private information and sends them back to an attacker. 

With an encrypted DLL in its overlay, this Trojan writes itself into the windows\system32 directory (as netconf32.dll) and injects itself into explorer.exe. The backdoor component registers as a listening service to receive and follow instructions from a command and control server, while the spyware component sends out the targeted data, file, process and operating system information, and screenshots.

The Trojan appears to run equally well on all versions of Windows up to and including 7, and the fact that it targets private business data, seeking out all information linked to archives, e-mails, address books, databases and documents, makes Trojan.Spy.YEK a prime agent of corporate espionage.


Canadian Anti-Fraud Centre Awareness Campaign

The Canadian Anti-Fraud Centre (CAFC) began life in 1993 as PhoneBusters.  Since then, they have grown to become Canada’s one-stop-shop for all matters related to fraud.  CAFC is a combined effort of the RCMP, the Ontario Provincial Police (OPP) and the Competition Bureau Canada.  The Honourable Vic Toews, Minister of Public Safety, made the following statement in recognition of the launch of the RCMP’s fraud awareness campaign and the CAFC’s new website.

“Fraud has a devastating impact on individuals, families, businesses and damages Canada’s economic integrity,” said Minister Toews. “The RCMP and the CAFC efforts bring awareness to this pervasive and growing problem. Educating the public and the media about various types of frauds and how to avoid falling victim to them is key to fraud prevention.”

With a six-week media campaign, running from the beginning of November to mid-December 2010, the CAFC aims to draw attention to how serious a problem fraud is in Canada. The CAFC’s new website will provide the latest information on emerging fraud trends and fraud prevention advice.

Verizon To Offer Security Incident Reporting Site

The Verizon Risk Team and ICSA Labs are launching a public Web site for reporting security incidents that could illuminate the self-defeating secrecy of data breaches. No business wants to advertise that it has experienced a serious security issue, so intelligence about incidents, responses, and IR metrics remains sketchy at best.

VERIS stands for Verizon Enterprise Risk and Incident Sharing, and is focused on collecting data and offering participating organizations analysis. It is designed to create metrics from the details of an information security incident, while introducing a common language and a structured, repeatable process that allows organizations to objectively classify security incidents. This common language is critical, as there is currently no universal way to consistently describe security incidents from organization to organization, nor an accepted industry standard for the development of incident-related risk metrics. The VERIS Project was introduced in March of this year when Verizon publicly released the research framework used for the company’s landmark “Data Breach Investigations Reports.”

The damage from an actual security incident may be insignificant compared to the damage taken from press coverage and public ridicule. Once a company’s reputation has been damaged, it can be an uphill journey to re-establish trust and assurance with existing customers and to win new ones. So, why would a business bother using this new “VERIS” service? Isn’t it better to just shut up and say nothing than to risk exposure through such a service? Not if you value free information regarding best practices, details about how other people are handling incidents, the potential to identify specific attack models and trends, and the sharing of the information they already hold about attackers targeting small to medium-sized businesses. You and I will only get out of it what we actually put into it.

Isn’t there already an open-source effort to handle this sort of thing? Yes, and no. The Open Security Foundation’s DataLossDB offers statistics on data breaches, and anyone can post information there that they read about on news sites and other places, so it’s generally limited to what’s already been publicly disclosed. I use it and often reference it in blog articles found here. It does not, however, offer the potential insights and guidance that this service may offer.

In my opinion, SMBs and even larger companies can gain significant benefit from the VERIS online application. Through VERIS, organizations can generate incident reports that can be distributed and analyzed within their organization, while maintaining their privacy. For example, participating enterprises will know whether their incident was a rare event or one commonly experienced by others. This information can help determine if this was part of a larger attack, what, if anything, should be done to prevent similar events in the future, and can offer guidance and insight into actual costs incurred in remediating a specific incident. That last point is something that I personally have always struggled with when developing C-level reports for Incident Response.

Participating organizations need to complete the online form when reporting incidents, which consists of the following areas:

  • Demographics – Submitters describe (but do not identify) the entity affected by the incident to enable comparative analytics.
  • Incident classification – Describes the role of the threat agent, the agent’s actions and their impact on the information assets.
  • Discovery and mitigation – Focuses on events immediately following the incident, as well as lessons learned from the response process.
  • Impact classification – The submitter provides a description and measures the consequences of the incident on the impacted organization.
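As an added illustration (not Verizon’s VERIS application or its schema), the following Python sketches how a structured incident record covering those four areas could be checked for completeness and then compared against a pool of anonymised submissions to answer the two questions raised above: is this pattern rare or common, and what cost band do similar incidents usually report? All field names, values and the sample corpus are assumptions constructed for this example.

```python
from collections import Counter

# Required fields per form area (this example's own field names, not VERIS's).
REQUIRED = {
    "demographics": ("industry", "employee_band"),
    "incident": ("agent", "action", "asset"),
    "discovery": ("discovered_by", "days_to_discovery"),
    "impact": ("records_affected", "cost_band"),
}

def validate(record):
    """Return missing 'area.field' names; an empty list means the form is complete."""
    missing = []
    for area, fields in REQUIRED.items():
        present = record.get(area, {})
        missing.extend(f"{area}.{f}" for f in fields if f not in present)
    return missing

def pattern(record):
    """The agent/action/asset triple used to compare incidents across organisations."""
    inc = record["incident"]
    return (inc["agent"], inc["action"], inc["asset"])

def prevalence(record, corpus):
    """Count and share of corpus records with the same pattern (rare vs. common)."""
    count = sum(1 for r in corpus if pattern(r) == pattern(record))
    return count, (count / len(corpus) if corpus else 0.0)

def typical_cost(record, corpus):
    """Most frequently reported cost band among same-pattern incidents, or None."""
    bands = Counter(r["impact"]["cost_band"] for r in corpus if pattern(r) == pattern(record))
    return bands.most_common(1)[0][0] if bands else None

# Constructed corpus of anonymised reports (sample data, not real submissions).
def _rec(industry, agent, action, asset, cost):
    return {"demographics": {"industry": industry, "employee_band": "50-249"},
            "incident": {"agent": agent, "action": action, "asset": asset},
            "discovery": {"discovered_by": "av_alert", "days_to_discovery": 3},
            "impact": {"records_affected": 1000, "cost_band": cost}}

CORPUS = [
    _rec("retail", "external", "malware.spyware", "user_desktop", "10k-50k"),
    _rec("finance", "external", "malware.spyware", "user_desktop", "10k-50k"),
    _rec("retail", "external", "malware.spyware", "user_desktop", "50k-250k"),
    _rec("health", "internal", "misuse", "database", "under_10k"),
    _rec("retail", "external", "hacking.sqli", "web_app", "50k-250k"),
]
NEW = _rec("manufacturing", "external", "malware.spyware", "user_desktop", "unknown")
if __name__ == "__main__":
    print(validate(NEW), prevalence(NEW, CORPUS), typical_cost(NEW, CORPUS))
```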