Wordfence: Block Bad Logins

There are dozens of computers trying to login to this site over the course of a day. It’s not an important site, not a site that’s chock full of credit card information, and not a site that matters to anyone but me. (Yes, I put out my lower lip while typing that last one.) Nonetheless, the login attempts continue.

The attempts are coming from bots… computers that are infected with malware that puts them under the direction of various command and control servers. They scan, look for WordPress sites, and try to login. If they succeed, they let someone upstream know, and then push malware onto the system.

I have blogged about this before. I’m using WordFence as one of the defense layers for this system. It locks out anyone who tries to login with incorrect information. The login settings are:

 


c
lick to enlarge

Anti-Virus on my Mac – Planning for the low probability event

Despite the large number of people who say that (1) there are no viruses targeting the Mac and (2) even if there were, the Mac's near perfection would prevent them from infecting any machines, I believe that there is stuff out there and it's just a matter of time before someone develops a really effective bit of malware targeting Macs.* It's debatable whether one needs an antivirus program on a Mac, but on a cost/benefit basis, it seems to me that one ought to be protected.

I'm currently testing the free Home Edition for the Mac from Sophos.  It seems to have a fairly light footprint and doesn't seem to interfere with normal processing.  I did tell the auto-protect subsystem to ignore the VMWare files. There's no point in scanning those, and I'm using a Windows AV program inside the Windows XP virtual machine.

I had previously tried the Norton Internet Security suite. That stayed on my computer for about 12 hours.  It was intrusive and it noticeably slowed the system.  It was difficult to turn off the parts I didn't want (e.g., firewall) and conflicted with TimeMachine and mail. These problems are not present with Sophos.

The biggest plus I see is that Sophos is very up front about supporting an open user forum.  The first step in the installation takes you to the user forums so you can see if others are having problems before installing.  I learned that there was a problem with TimeMachine, but it was fixed in a recent update. That's good stuff to know.  It also demonstrates that Sophos is staying on top of the user comments and complaints.

 

* The folks at Sophos, who clearly have something to gain, have several videos detailing existing threats to the Mac environment.  Other warnings are here and here. According to at GigaOm, "The reasons why Macs don’t get many viruses are as much based on luck and market conditions, as they are on inherent security."

Rogue security, Search Engine Optimization, and some darn clever folks

1 Comment

A couple of weeks ago, Sarah Silverman was on Bill Maher’s Friday night show on HBO, where she showed her latest video. The next morning, I hopped on to Google to find it and forward it to some friends who had probably missed the show. The first 10 links on Google were sites that informed me my computer was infected by a virus, then downloaded a setup.exe file to the system to “clean” the viral infection.

Running a Linux system, I wasn’t afraid to download the files. I then submitted several to VirusTotal, a site that runs them through multiple anti-virus scanners. Only of of the samples was tagged as being “potentially” bad that Saturday morning.

Symantec has released a white paper about sites that install rogue security software, the characteristics of such software, and the methods of description. The report is well worth reading. It’s not the software I find interesting but what must be the highly automated systems that were able to mutate a trojan-dropper program to make it undetectable, determine hot search terms, and get pages up across the internet in a way that they turned up at the very top of the Google search results. Anyone with a web site struggles with Search Engine Optimization (SEO), the art and science of getting your web site noticed by search engines and returned near the top of any search that is relevant to your content. The evil doers who distribute the malware have this absolutely nailed.

The first step, I suppose, is to monitor topics of increasing interest using sites like Google Trends, Bing xRank, and TweetStats. As topics rise in trends, the next step is to enlist a web of web sites (see the Symantec white paper for more about these) and publish pages with matching terms on the page and in the keyword META construct, and then use the search engine submission APIs to push these pages into the search engines. I suspect that the sites involved appear to be blogs, because those are more frequently spidered and pushed into the result stream than sites with static content. In parallel with this, there needs to be an engine that’s mutating the malware payload of the sites to evade detection by the anti-virus systems. This requires its own ecology of mutators, base programs, and testing machines that use the anti-virus engines themselves to kill off the mutants that won’t survive in the wild. The final step is a system that tears all of this down after a day or so, as the search engines determine the sites to be malware hosts, the anti-virus systems develop antibodies for the malware, and legitimate sites begin to move up in the search engine results.

Symantec and other security providers have a number of ways for individuals, search engine providers, and system administrators to reduce the threat from such sites. Ultimately, it comes down to the message from X Files, “Trust No One”. Undermining trust and a feeling of safety is what terrorism is all about.

Why can’t the minds behind this use their powers for good instead of evil?