Archive for the ‘Anti-Virus’ Category

Microsoft disrupts ZeroAccess web fraud botnet

Friday, December 6th, 2013

ZeroAccess, one of the world’s largest botnets – a network of computers infected with malware to trigger online fraud – has been disrupted by Microsoft and law enforcement agencies.

ZeroAccess hijacks web search results and redirects users to potentially dangerous sites to steal their details.

It also generates fraudulent ad clicks on infected computers then claims payouts from duped advertisers.

Also called the Sirefef botnet, ZeroAccess has infected two million computers.

The botnet targets search results on Google, Bing and Yahoo search engines and is estimated to cost online advertisers $2.7m (£1.7m) per month.

Microsoft said it had been authorised by US regulators to “block incoming and outgoing communications between computers located in the US and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes”.

The firm has also taken control of 49 domains associated with ZeroAccess.

David Finn, executive director of Microsoft Digital Crimes Unit, said the disruption “will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection”.

‘Most robust’

The ZeroAccess botnet relies on waves of communication between groups of infected computers, instead of being controlled by a few servers.

This allows cyber criminals to control the botnet remotely from a range of computers, making it difficult to tackle.

According to Microsoft, more than 800,000 ZeroAccess-infected computers were active on the internet on any given day as of October this year.

“Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today and was built to be resilient to disruption efforts,” Microsoft said.

However, the firm said its latest action is “expected to significantly disrupt the botnet’s operation, increasing the cost and risk for cyber criminals to continue doing business and preventing victims’ computers from committing fraudulent schemes”.

Microsoft said its Digital Crimes Unit collaborated with the US Federal Bureau of Investigation (FBI) and Europol’s European Cybercrime Centre (EC3) to disrupt the operations.

Earlier this year, security firm Symantec said it had disabled nearly 500,000 computers infected by ZeroAccess and taken them out of the botnet.

Source: BBC

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

Friday, November 1st, 2013

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to exchange small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

“We were like, ‘Okay, we’re totally owned,’” Ruiu told Ars. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that’s able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine’s inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world’s foremost security experts. The malware, Ruiu believes, is transmitted through USB drives to infect the lowest levels of computer hardware. With the ability to target a computer’s Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: “badBIOS,” as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I’ve reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he’s beginning to draw. (A compilation of Ruiu’s observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he’s no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that has afflicted Ruiu’s computers and networks.

In contrast to the skepticism that’s common in the security and hacking cultures, Ruiu’s peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

“Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS,” Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: “No joke it’s really serious.” Plenty of others agree.

“Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest,” security researcher Arrigo Triulzi told Ars. “Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever.”

Been there, done that

Triulzi said he’s seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built on work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer’s peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It’s also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

Of course, it’s one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra-high-frequency networking techniques. But as Triulzi suggested, it’s another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What’s more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran’s nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.

“Really, everything Dragos reports is something that’s easily within the capabilities of a lot of people,” said Graham, who is CEO of penetration testing firm Errata Security. “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.”

Coincidentally, Italian newspapers this week reported that Russian spies attempted to monitor attendees of last month’s G20 economic summit by giving them memory sticks and recharging cables programmed to intercept their communications.

Eureka

For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

“The suspicion right now is there’s some kind of buffer overflow in the way the BIOS is reading the drive itself, and they’re reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table,” he explained.

He still doesn’t know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into. At next month’s PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism.

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.

“It’s going out over the network to get something or it’s going out to the USB key that it was infected from,” he theorized. “That’s also the conjecture of why it’s not booting CDs. It’s trying to keep its claws, as it were, on the machine. It doesn’t want you to boot another OS it might not have code for.”

To put it another way, he said, badBIOS “is the tip of the warhead, as it were.”

“Things kept getting fixed”

Ruiu said he arrived at the theory about badBIOS’s high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine’s power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

“The airgapped machine is acting like it’s connected to the Internet,” he said. “Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird.”

It’s too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer’s lowest levels and use it as a jumping-off point to infect a variety of operating systems with malware that can’t be detected. It’s even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either.

“It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,” Ruiu concluded in an interview. “The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they’re faced with sophisticated attackers.”

Source: arstechnica.com

Microsoft and Symantec push to combat key, code-signed malware

Wednesday, October 23rd, 2013

Code-signed malware hot spots said to be China, Brazil, South Korea

An alarming growth in malware signed with fraudulently obtained keys and code-signing certificates, in order to trick users into downloading harmful code, is prompting Microsoft and Symantec to push for tighter controls on the way the world’s certificate authorities issue the keys used in code-signing.

It’s not just stolen keys that are the problem in code-signed malware but “keys issued to people who aren’t who they say they are,” says Dean Coclin, senior director of business development in the trust services division at Symantec.

Coclin says China, Brazil and South Korea are currently the hot spots where the problem of malware signed with certificates and keys obtained from certificate authorities is worst. “We need a uniform way to vet companies and individuals around the world,” says Coclin. He says that doesn’t really exist today for certificates used in code-signing, but Microsoft and Symantec are about to float a plan that might change that.

Code-signed malware appears to be aimed mostly at Microsoft Windows and Java, maintained by Oracle, says Coclin, adding that malicious code-signing of Android apps has also quickly become a lawless “Wild West.”

Under the auspices of the Certificate Authority/Browser Forum, an industry group in which Microsoft and Symantec are members, the two companies next month plan to put forward what Coclin describes as proposed new “baseline requirements and audit guidelines” that certificate authorities would have to follow to verify the identity of purchasers of code-signing certificates. Microsoft is keenly interested in this effort because “Microsoft is out to protect Windows,” says Coclin.

These new identity-proofing requirements will be detailed next month in the upcoming CAB Forum document from its Code-Signing Group. The underlying concept is that certificate authorities would have to follow more stringent practices related to proofing identity, Coclin says.

The CAB Forum includes the main Internet browser software makers, Microsoft, Google, Opera Software and The Mozilla Foundation, combined with many of the major certificate authorities, including Symantec’s own certificate authority units Thawte and VeriSign, which earlier acquired GeoTrust.

Several other certificate authorities, including Comodo, GoDaddy, GlobalSign, Trustwave and Network Solutions, are also CAB Forum members, plus a number of certificate authorities based abroad, such as Chunghwa Telecom Co. Ltd., Swisscom, TURKTRUST and TAIWAN-CA, Inc. These form part of a vast commercial certificate authority infrastructure with numerous sub-authorities operating in a root-based chain of trust. Outside this commercial certificate authority structure, governments and enterprises also use their own controlled certificate authority systems to issue and manage digital certificates for code-signing purposes.

Use of digital certificates for code-signing isn’t as widespread as that for SSL, for example, but as detailed in the new White Paper on the topic from the industry group called the CA Security Council, code-signing is intended to assure the identity of software publishers and ensure that the signed code has not been tampered with.

Coclin, who is co-chair of the CAB Forum, says precise details about new anti-fraud measures for proofing the identity of those buying code-signing certificates from certificate authorities will be unveiled next month and subject to a 60-day comment period. These new proposed identity-proofing requirements will be discussed at a meeting planned in February at Google before any adoption of them.

The CAB Forum’s code-signing group is expected to espouse security-related changes that may affect software vendors and enterprises that use code-signing in their software development efforts, so the CAB Forum wants maximum feedback before going ahead with its ideas on improving security in certificate issuance.

Coclin points out that commercial certificate authorities today must pass certain audits done by KPMG or PricewaterhouseCoopers, for example. In the future, if new requirements say certificate authorities have to verify the identity of customers in a certain way and they don’t do it properly, that information could be shared with an Internet browser maker like Microsoft, which makes the Internet Explorer browser. Because browsers play a central role in the certificate-based code-signing process, Microsoft, for example, could take action to ensure its browser and OS do not recognize certificates issued by certificate authorities that violate any new identity-proofing procedures. But how any of this shakes out remains to be seen.

McAfee, which unlike Symantec doesn’t have a certificate authority business unit and is not a member of the CAB Forum, last month at its annual user conference presented its own research about how legitimate certificates are increasingly being used to sign malware in order to trick victims into downloading malicious code.

“The certificates aren’t actually malicious — they’re not forged or stolen, they’re abused,” said McAfee researcher Dave Marcus. He said in many instances, according to McAfee’s research on code-signed malware, the attacker has gone out and obtained legitimate certificates from a company associated with top-root certificate authorities such as Comodo, Thawte or VeriSign. McAfee has taken to calling this the problem of “abused certificates,” an expression that’s not yet widespread in the industry as a term to describe the threat.

Coclin notes that one idea that would advance security would be to have a “code-signing portal” where a certificate authority could scan the submitted code to be checked for signs of malware before it was signed. He also said a good practice is hardware-based keys and security modules to better protect private keys used as part of the code-signing process.

Source: networkworld.com

Symantec disables 500,000 botnet-infected computers

Tuesday, October 1st, 2013

Symantec has disabled part of one of the world’s largest networks of infected computers.

About 500,000 hijacked computers have been taken out of the 1.9-million-strong ZeroAccess botnet, the security company said.

The zombie computers were used for advertising and online currency fraud and to infect other machines.

Security experts warned that any benefits from the takedown might be short-lived.

The cybercriminals behind the network had not yet been identified, said Symantec.

“We’ve taken almost a quarter of the botnet offline,” Symantec security operations manager Orla Cox told the BBC. “That’s taken away a quarter of [the criminals'] earnings.”

The ZeroAccess network is used to generate illegal cash through a type of advertising deception known as “click fraud”.

Communications poisoned

Zombie computers are commanded to download online adverts and generate artificial mouse clicks on the ads to mimic legitimate users and generate payouts from advertisers.

The computers are also used to create an online currency called Bitcoin which can be used to pay for goods and services.

The ZeroAccess botnet is not controlled by one or two servers, but relies on waves of communications between groups of infected computers to do the bidding of the criminals.

The decentralised nature of the botnet made it difficult to act against, said Symantec.

In July, the company started poisoning the communications between the infected computers, permanently cutting them off from the rest of the hijacked network, said Ms Cox.

The company had set the ball in motion after noticing that a new version of the ZeroAccess software was being distributed through the network.

The updated version of the ZeroAccess Trojan contained modifications that made it more difficult to disrupt communications between peers in the infected network.

Symantec built its own mini-ZeroAccess botnet to study effective ways of taking down the network, and tested different takedown methods for two weeks.

The company studied the botnet and disabled the computers as part of its research operations, which feed into product development, said Ms Cox.

“Hopefully this will help us in the future to build up better protection,” she said.

Internet service providers have been informed which machines were taken out of the botnet in an effort to let the owners of the computers know that their machine was a zombie.

Resilient zombies

Although a quarter of the zombie network has been taken out of action, the upgraded version of the botnet will be more difficult to take down, said Ms Cox.

“These are professional cybercriminals,” she said. “They will likely be looking for ways to get back up to strength.”

In the long term, the zombie network could grow back to its previous size, security experts said.

“Every time a botnet is taken down, but the people who run it are not arrested, there is a chance they can rebuild the botnet,” said Vincent Hanna, a researcher for non-profit anti-spam project Spamhaus.

The remaining resilient part of the network may continue to be used for fraud, and could start spreading the upgraded ZeroAccess Trojan, Mr Hanna warned.

Taking down infected networks is a “thankless task”, according to Sophos, a rival to Symantec.

“It’s a bit like trying to deal with the rabbit problem in Australia – you know you’re unlikely ever to win, but you also know that you have to keep trying, or you will definitely lose,” said Sophos head of technology Paul Ducklin.

Source: BBC

Stop securing your virtualized servers like another laptop or PC

Tuesday, September 24th, 2013

Many IT managers don’t take the additional steps to secure their virtual servers, but rather leave them vulnerable to attacks with only antivirus software and data loss prevention packages. Here are the most common mistakes made and how to prevent them.

We asked two security pros a couple of questions specific to ensuring security on virtual servers. Here’s what they said:

TechRepublic: What mistakes do IT managers make most often when securing their virtual servers?

Answered by Min Wang, CEO and founder of AIP US

Wang: Most virtual environments have the same security requirements as the physical world with additions defined by the use of virtual networking and shared storage. However, many IT managers don’t take the additional steps to secure their virtual servers, but rather leave them vulnerable to attacks with only antivirus software and data loss prevention packages.

Here are some more specific mistakes IT managers make regularly:

1.  IT managers rely too much on the hypervisor layer to provide security. Instead, they should be taking a 360-degree approach rather than looking at one section or layer.

2.  When transitioning to virtual servers, too often they misconfigure their servers and the underlying network. This causes things to get even more out of whack when new servers are created and new apps are added.

3.  There’s increased complexity and many IT managers don’t fully understand how the components interwork and how to properly secure the entire system, not just parts of it.

TechRepublic: Can you provide some tips on what IT managers can do moving forward to ensure their servers remain hack free?

Answered by Praveen Bahethi, CTO of Shilpa Systems

Bahethi:

1.  Logins into the Xen, Hyper-V, KVM, and ESXi servers, as well as the VMs created within them, should be mapped to a central database such as Active Directory to ensure that all logins are logged. These login logs should be reviewed for failures on a regular basis as the organization’s security policy defines. By using a centralized login service, the administrative staff can quickly and easily remove privileges to all VMs and the servers by disabling the central account. Password policies applied in the centralized login servers can then be enforced across the virtualized environment.

2.  The virtual host servers should have a separate physical network interface controller (NIC) for network console and management operations that is tied into a separate out-of-band network solution or maintained via VLAN separation. Physical access to the servers and their storage is controlled and monitored. All patches and updates that are being applied are verified to come from the vendors of the software and have been properly vetted with checksums.

3.  Within the virtualized environment, steps should be taken to ensure that the VMs are only able to see traffic destined for them by mapping them to the proper VLAN and vSwitch. The VMs cannot modify their MAC addresses nor have their virtual NICs engaged in snooping the wire with Promiscuous mode. The VMs themselves are not able to perform copy/paste operations via the console, no extraneous HW is associated with them, and VM-to-VM communication outside of the network operations is disabled.

4.  The VMs must have proper firewall, anti-malware, anti-virus, and URL-filtering in place so that accessing outside data that contains threats can be mitigated. Security software on the hosts, using plug-ins that enable security features such as firewalls and intrusion prevention, is to be added as well. As with any proactive security measures, review of logs and policies for handling events need to be clearly defined.

5.  The shared storage should require unique login credentials for each virtual server and the network should be segregated from the normal application data and Out of Band console traffic. This segregation can be done using VLANs or completely separate physical network connections.

6.  The upstream network should allow only the traffic required for the hosts and their VMs to pass their switch ports, dropping all other extraneous traffic. Layer 2 and Layer 3 configuration should be in place for DHCP, Spanning Tree, and routing protocol attacks. Some vendors provide additional features in their third-party vSwitches which can also be used to mitigate attacks with a VM server.

Source: techrepublic.com

New OS X Trojan found and blocked by Apple’s XProtect

Tuesday, September 24th, 2013

A new command-and-control Trojan for OS X appears to be associated with the Syrian Electronic Army.

Security company Intego recently found a new malware package for OS X, called OSX/Leverage.A, which appears to be yet another targeted command-and-control Trojan horse, this time with apparent associations with the Syrian Electronic Army. Apple, however, blocked its ability to run with an XProtect update only days after its discovery.

The Trojan horse is distributed as an application disguised as a picture of two people kissing, presumably a scene from the television show “Leverage,” hence the name of the Trojan.

When the Trojan’s installer is opened, it will open an embedded version of the image in Apple’s Preview program, in an attempt to maintain the idea that it is just a picture, while the program installs the true Trojan in the background. In addition, the Trojan is built with a couple of code modifications that prevent it from showing up as a running application in the user’s Dock or in the Command-Tab application switch list.

The Trojan itself will be a program called UserEvent.app and will be placed in the /Users/Shared/ directory. It will then install a launch agent called UserEvent.System.plist in the current user’s LaunchAgents directory, which is used to keep the program running whenever the user is logged in. These two locations do not require authentication for any user to access, so the Trojan can place these files without prompting for an admin username and password.

Once installed, the running Trojan will, among standard command-and-control activity like grabbing personal information, attempt to download an image associating the nefarious activity with the Syrian Electronic Army, a relatively new hacking group associated with the Assad regime in Syria. When contacted by Mashable, the group claimed that it is not associated with the Trojan.

While this new malware is out there and has affected a few people, it is not a major threat at this time, one reason being that the command-and-control servers it connects to appear to be offline. In addition, though the exact mode of distribution is unknown for now, if it is distributed through a Web browser or Apple’s Mail e-mail client, then Gatekeeper in OS X will warn that the program is not a signed package. Additionally, Apple has recently updated its XProtect anti-malware scanner to specifically detect and quarantine this malware.

Beyond these security measures, you can take some additional steps to help secure your system from similar Trojans. Since most malware attempts in OS X have used various Launch Agent scripts to keep themselves running, you can use Apple’s Folder Actions feature to set up a launch agent monitor that notifies you whenever such scripts are set up on the system.
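A defender-side check for the persistence pattern described above, added here as an example and not code from the CNET article, Intego or Apple: it parses every plist in a LaunchAgents folder with Python’s standard plistlib and flags any agent whose program lives under /Users/Shared or another path any local user can write to, which is exactly where the article says the Trojan drops UserEvent.app. The file name UserEvent.System.plist and the /Users/Shared/ location come from the article; the executable path inside the bundle, the benign com.example agent and the temp-directory prefixes are assumptions, and both sample plists are constructed for the demo.

```python
"""Audit a LaunchAgents folder for persistence like OSX/Leverage.A.

Added example, not code from the article or from Intego/Apple. The sample
plists are constructed; the path inside UserEvent.app is an assumption.
"""
import os
import plistlib
import tempfile
from xml.parsers.expat import ExpatError

# Locations writable by any local user. /Users/Shared is the one the article
# names; the temp directories are a reasonable extension of the same idea.
WORLD_WRITABLE_PREFIXES = ("/Users/Shared/", "/tmp/", "/private/tmp/")

# Constructed sample: the persistence the article describes (bundle path assumed).
MALICIOUS_AGENT = {
    "Label": "UserEvent.System",
    "ProgramArguments": ["/Users/Shared/UserEvent.app/Contents/MacOS/UserEvent"],
    "RunAtLoad": True,
    "KeepAlive": True,
}

# Constructed sample: a benign vendor agent whose binary sits under /Applications.
BENIGN_AGENT = {
    "Label": "com.example.sync",
    "Program": "/Applications/Example.app/Contents/MacOS/sync-helper",
    "RunAtLoad": True,
}


def agent_program(plist):
    """Return the executable launchd would run: Program wins over ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def audit_agent(path):
    """Describe one launch agent plist and decide whether it looks suspicious."""
    name = os.path.basename(path)
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        # A plist in LaunchAgents that launchd itself could not parse is worth a look.
        return {"name": name, "program": None, "persistent": False,
                "suspicious": True, "reason": "unparseable plist"}

    program = agent_program(plist)
    # RunAtLoad/KeepAlive is how an agent keeps running whenever the user is logged in.
    persistent = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    if program is None:
        suspicious, reason = True, "no Program or ProgramArguments"
    elif program.startswith(WORLD_WRITABLE_PREFIXES):
        suspicious, reason = True, "program lives in a world-writable location"
    else:
        suspicious, reason = False, ""
    return {"name": name, "program": program, "persistent": persistent,
            "suspicious": suspicious, "reason": reason}


def audit_launch_agents(directory):
    """Audit every .plist in a LaunchAgents directory, in file-name order."""
    results = []
    for entry in sorted(os.listdir(directory)):
        if entry.endswith(".plist"):
            results.append(audit_agent(os.path.join(directory, entry)))
    return results


def suspicious_names(directory):
    """File names of the agents the audit flagged."""
    return [r["name"] for r in audit_launch_agents(directory) if r["suspicious"]]


def build_demo_dir():
    """Write the constructed samples into a temp folder that stands in for
    ~/Library/LaunchAgents and return its path."""
    directory = tempfile.mkdtemp(prefix="LaunchAgents-demo-")
    samples = {"UserEvent.System.plist": MALICIOUS_AGENT,
               "com.example.sync.plist": BENIGN_AGENT}
    for filename, contents in samples.items():
        with open(os.path.join(directory, filename), "wb") as fh:
            plistlib.dump(contents, fh)
    return directory


if __name__ == "__main__":
    # On a real Mac, point this at os.path.expanduser("~/Library/LaunchAgents").
    demo = build_demo_dir()
    for result in audit_launch_agents(demo):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['name']} -> {result['program']} {result['reason']}")
```

Run from a Folder Action or a periodic launchd job against the real LaunchAgents folder, the same check reports a newly dropped agent as soon as its plist appears.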

Source: CNET

Spear phishing poses threat to industrial control systems

Tuesday, August 27th, 2013

Hackers don’t need Stuxnet or Flame to turn off a city’s lights, say security experts

While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing.

Rather than worry about exotic cyber weapons like Stuxnet and its big brother, Flame, companies that have Supervisory Control and Data Acquisition (SCADA) systems — computer systems that monitor and control industrial processes — should make sure that their anti-phishing programs are in order, say security experts.

“The way malware is getting into these internal networks is by social engineering people via email,” Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe, said in an interview.

“You send them something that’s targeted, that contains a believable story, not high-volume spam, and people will act on it by clicking a link or opening a file attached to it,” he said. “Then, boom, the attackers get that initial foothold they’re looking for.”

In a case study cited by Belani, he recalled a very narrow attack on a single employee working the night shift monitoring his company’s SCADA systems.

The attacker researched the worker’s background on the Internet and used the fact that he had four children to craft a bogus email from the company’s human resources department with a special health insurance offer for families with three or more kids.

The employee clicked a malicious link in the message and infected his company’s network with malware. “Engineers are pretty vulnerable to phishing attacks,” Tyler Klinger, a researcher with Critical Intelligence, said in an interview.

He recalled an experiment he conducted with several companies on engineers and others with access to SCADA systems in which 26 percent of the spear phishing attacks on them were successful.

Success means that the target clicked on a malicious link in the phishing mail. Klinger’s experiment ended with those clicks. In real life, those clicks would just be the beginning of the story and would not necessarily end in success for the attacker.

“If it’s a common Joe or script kiddie, a company’s IDS [Intrusion Detection Systems] systems will probably catch the attack,” Klinger said. “If they’re using a Java zero-day or something like that, there would be no defense against it.”

In addition, phishing attacks are aimed at a target’s email, which is usually located on a company’s IT network. Companies with SCADA systems typically segregate them from their IT networks with an “air gap.”

That air gap is designed to insulate the SCADA systems from the kinds of infections perpetrated by spear phishing attacks. “Air gaps are a mess these days,” Klinger said. “Stuxnet taught us that.”

“Once you’re in an engineer’s email, it’s just a matter of cross-contamination,” he added. “Eventually an engineer is going to have to access the Internet to update something on the SCADA and that’s when you get cross-contamination.”

Phishing attacks on SCADA systems are likely rare, said Raj Samani, vice president and CTO of McAfee’s EMEA.

“I would anticipate that the majority of spear phishing attacks against employees would be focused against the IT network,” Samani said in an interview. “The espionage attacks on IT systems would dwarf those against SCADA equipment.”

Still, the attacks are happening. “These are very targeted attacks and not something widely publicized,” said Dave Jevans, chairman and CTO of Marble Security and chairman of the Anti-Phishing Working Group.

Jevans acknowledged, though, that most SCADA attacks involve surveillance of the systems and not infection of them. “They’re looking for how it works, can a backdoor be maintained into the system so they can use it in the future,” he said.

“Most of those SCADA systems have no real security,” Jevans said. “They rely on not being directly connected to the Internet, but there’s always some Internet connection somewhere.”

Some companies even still have dial-in numbers for connection to their systems with a modem. “Their security on that system is, ‘Don’t tell anybody the phone number,’” he said.

Source:  csoonline.com

FBI, Microsoft takedown program blunts most Citadel botnets

Friday, July 26th, 2013

Microsoft estimates that 88% of botnets running the Citadel financial malware were disrupted as a result of a takedown operation launched by the company in collaboration with the FBI and partners in technology and financial services. The operation was originally announced on June 5.

Since then, almost 40% of Citadel-infected computers that were part of the targeted botnets have been cleaned, Richard Domingues Boscovich, an assistant general counsel with Microsoft’s Digital Crimes Unit, said Thursday in a blog post.

Microsoft did not immediately respond to an inquiry seeking information about how those computers were cleaned and the number of computers that remain infected with the malware.

However, Boscovich said in a different blog post on June 21 that Microsoft observed almost 1.3 million unique IP addresses connecting to a “sinkhole” system put in place by the company to replace the Citadel command-and-control servers used by attackers.

After analyzing unique IP addresses and user-agent information sent by botnet clients when connecting to the sinkhole servers, the company estimated that more than 1.9 million computers were part of the targeted botnets, Boscovich said at the time, noting that multiple computers can connect through a single IP address.
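The estimation step above (1.3 million IP addresses but roughly 1.9 million computers) comes from the fact that one NAT address can front several infected machines. The script below is an added example, not Microsoft’s sinkhole code: it counts distinct (source IP, User-Agent) pairs in constructed sinkhole log lines, which gives a lower bound on infected hosts that is higher than the raw IP count whenever two different clients check in from the same address.

```python
# Added example: lower-bound the number of bots behind a sinkhole from (IP, User-Agent) pairs.
import re
from collections import defaultdict
from typing import Dict, Iterator, Tuple

# Constructed sinkhole log lines: source IP, request, User-Agent. The first address is a
# NAT gateway with two distinct clients behind it; the third repeats one of those clients.
SAMPLE_LOG = """\
203.0.113.5 "POST /checkin" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.5 "POST /checkin" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64)"
203.0.113.5 "POST /checkin" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 "POST /checkin" "Mozilla/5.0 (Windows NT 6.1; rv:20.0)"
192.0.2.9 "POST /checkin" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64)"
"""

LINE_RE = re.compile(r'^(\S+) "[^"]*" "([^"]*)"\s*$')


def parse_checkins(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, user_agent) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def estimate_hosts(log_text: str) -> Tuple[int, int, Dict[str, int]]:
    """Return (unique_ips, lower_bound_hosts, agents_per_ip).

    unique_ips counts addresses; lower_bound_hosts counts distinct (ip, agent) pairs.
    Two agents behind one address prove at least two machines, so the bound can only
    rise above the IP count, never fall below it; identical agents behind one NAT are
    still counted once, which is why it is a lower bound rather than an exact figure.
    """
    agents_by_ip = defaultdict(set)
    for ip, agent in parse_checkins(log_text):
        agents_by_ip[ip].add(agent)
    unique_ips = len(agents_by_ip)
    lower_bound = sum(len(agents) for agents in agents_by_ip.values())
    return unique_ips, lower_bound, {ip: len(a) for ip, a in agents_by_ip.items()}


if __name__ == "__main__":
    ips, hosts, per_ip = estimate_hosts(SAMPLE_LOG)
    print(f"unique IPs: {ips}, hosts (lower bound): {hosts}")
    for ip, n in per_ip.items():
        if n > 1:
            print(f"  {ip}: {n} distinct clients behind this address")
```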

He also said that Microsoft was working with other researchers and anti-malware organizations like the Shadowserver Foundation in order to support victim notification and remediation.

The Shadowserver Foundation is an organization that works with ISPs, as well as hosting and Domain Name System (DNS) providers to identify and mitigate botnet threats.

According to statistics released Thursday by Boscovich, the countries with the highest number of IP addresses corresponding to Citadel infections between June 2 and July 21 were: Germany with 15% of the total, Thailand with 13%, Italy with 10%, India with 9% and Australia and Poland with 6% each. Five percent of Citadel-infected IP addresses were located in the U.S.

Boscovich praised the collaboration between public and private sector organizations to disrupt the Citadel botnet.

“By combining our collective expertise and taking coordinated steps to dismantle the botnets, we have been able to significantly diminish Citadel’s operation, rescue victims from the threat, and make it more costly for the cybercriminals to continue doing business,” he said Thursday in the blog post.

However, not everyone in the security research community was happy with how the takedown effort was implemented.

Shortly after the takedown, a security researcher who runs the abuse.ch botnet tracking services estimated that around 1,000 of approximately 4,000 Citadel-related domain names seized by Microsoft during the operation were already under the control of security researchers who were using them to monitor and gather information about the botnets.

Furthermore, he criticized Microsoft for sending configuration files to Citadel-infected computers that were connecting to its sinkhole servers, saying that this action implicitly modifies settings on those computers without their owners’ consent. “In most countries, this is violating local law,” he said in a blog post on June 7.

“Citadel blocked its victims’ ability to access many legitimate anti-virus and anti-malware sites in order to prevent them from being able to remove the malware from their computer,” Boscovich said on June 11 in an emailed statement. “In order for victims to clean their computers, the court order from the U.S. District Court for the Western District of North Carolina allowed Microsoft to unblock these sites when computers from around the world checked into the command and control structure for Citadel which is hosted in the U.S.”

Source:  computerworld.com

Unusual file-infecting malware steals FTP credentials

Thursday, July 18th, 2013

A new version of a file-infecting malware program that’s being distributed through drive-by download attacks is also capable of stealing FTP (File Transfer Protocol) credentials, according to security researchers from antivirus firm Trend Micro.

The newly discovered variant is part of the PE_EXPIRO family of file infectors that was identified in 2010, the Trend Micro researchers said Monday in a blog post. However, this version’s information theft routine is unusual for this type of malware.

The new threat is distributed by luring users to malicious websites that host Java and PDF exploits as part of an exploit toolkit. If visitors’ browser plug-ins are not up to date, the malware will be installed on their computers.

The Java exploits are for the CVE-2012-1723 and CVE-2013-1493 remote code execution vulnerabilities that were patched by Oracle in June 2012 and March 2013 respectively.

Based on information shared by Trend Micro via email, a spike in infections with this new EXPIRO variant was recorded on July 11. “About 70 percent of total infections are within the United States,” the researchers said in the blog post.

Once the new EXPIRO variant runs on a system, it searches for .EXE files on all local, removable and networked drives, and adds its malicious code to them. In addition, it collects information about the system and its users, including Windows log-in credentials, and steals FTP credentials from a popular open-source FTP client called FileZilla.

The stolen information is stored in a file with a .DLL extension and is uploaded to the malware’s command and control servers.

“The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools,” the Trend Micro researchers said.

The theft of FTP credentials suggests that the attackers are either trying to compromise websites or are trying to steal information from organizations that is stored on FTP servers. However, it doesn’t appear that this threat is targeting any industry in particular, the Trend Micro researchers said via email.

Source:  csoonline.com

Mobile malware, mainly aimed at Android devices, jumps 614% in a year

Friday, July 12th, 2013

The threat to corporate data continues to grow as Android devices come under attack

The number of mobile malware apps has jumped 614% in the last year, according to studies conducted by McAfee and Juniper Networks.

The Juniper study — its third annual Mobile Threats Report — showed that the majority of attacks are directed at Android devices, as the Android market continues to grow. Malware aimed specifically at Android devices has increased at a staggering rate since 2010, growing from 24% of all mobile malware that year to 92% by March 2013.

According to data from Juniper’s Mobile Threat Center (MTC) research facility, the number of malicious mobile apps jumped 614% in the last year to 276,259, which demonstrates “an exponentially higher cyber criminal interest in exploiting mobile devices.”

“Malware writers are increasingly behaving like profit-motivated businesses when designing new attacks and malware distribution strategies,” Juniper said in a statement. “Attackers are maximizing their return on investment by focusing 92% of all MTC detected threats at Android, which has a commanding share of the global smartphone market.

In addition to malicious apps, Juniper Networks found several legitimate free applications that could allow corporate data to leak out. The study found that free mobile apps sampled by the MTC are three times more likely to track location and 2.5 times more likely to access user address books than their paid counterparts. Free applications requesting/gaining access to account information nearly doubled from 5.9% in October 2012 to 10.5% in May 2013.

McAfee’s study found that a type of SMS malware known as a Fake Installer can be used to charge a typical premium rate of $4 per message once installed on a mobile device. A “free” Fake Installer app can cost up to $28 since each one can tell a consumer’s device to send or receive up to seven messages from a premium rate SMS number.

Seventy-three percent of all known malware involves Fake Installers, according to the report.

“These threats trick people into sending SMS messages to premium-rate numbers set up by attackers,” the report states. “Based on research by the MTC, each successful attack instance can yield approximately $10 in immediate profit. The MTC also found that more sophisticated attackers are developing intricate botnets and targeted attacks capable of disrupting and accessing high-value data on corporate networks.”

Juniper’s report identified more than 500 third-party Android application stores worldwide, most with very low levels of accountability or oversight, that are known to host mobile malware — preying on unsuspecting mobile users as well as those with jail-broken iOS mobile devices. Of the malicious third-party stores identified by the MTC, 60% originate from either China or Russia.

According to market research firm ComScore, Android now has a 52.4% market share worldwide, up 0.7% from February. As Samsung has been taking market share from Apple, Android use is expected to continue to grow, according to ComScore.

According to market analyst firm Canalys, Android represented almost 60% of the mobile devices shipped in 2012. Apple accounted for 19.3% of devices shipped last year, while Microsoft had 18.1%.

Source:  computerworld.com

Espionage malware infects raft of governments, industries around the world

Friday, June 7th, 2013

http://cdn.arstechnica.net/wp-content/uploads/2013/06/nettraveler_02.1-640x452.png

“NetTraveler” stole data on space exploration, nanotechnology, energy, and more.

Security researchers have blown the whistle on a computer-espionage campaign that over the past eight years has successfully compromised more than 350 high-profile targets in 40 countries.

“NetTraveler,” named after a string included in an early version of the malware, has targeted a number of industries and organizations, according to a blog post published Tuesday by researchers from antivirus provider Kaspersky Lab. Targets include oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies, military contractors, and Tibetan/Uyghur activists. Most recently the group behind NetTraveler has focused most of its efforts on obtaining data concerning space exploration, nanotechnology, energy production, nuclear power, lasers, medicine, and communications.

“Based on collected intelligence, we estimate the group size to be about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language,” the researchers wrote. “NetTraveler is designed to steal sensitive data as well as log keystrokes and retrieve file system listings and various Office and PDF documents.”

The highest number of infections were found in Mongolia, followed by India and Russia. Other countries with infections include Kazakhstan, Kyrgyzstan, Tajikistan, South Korea, Spain, Germany, the United States, Canada, the United Kingdom, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Iran, Turkey, Pakistan, Thailand, Qatar, and Jordan. The earliest known samples of the malware are dated to 2005, but there are references that indicate it existed as early as 2004, Kaspersky said. The largest number of observed samples were created from 2010 to 2013.

Six of the NetTraveler victims were also compromised by Red October, the much larger espionage campaign that went undetected for five years. With more than 1,000 distinct modules, the operators were able to craft highly advanced infections that were tailored to the unique configurations of infected machines and the profiles of those who used them.

For a much deeper dive into NetTraveler, see the full Kaspersky report.

Source:  arstechnica.com

Malware that drains your bank account thriving on Facebook

Monday, June 3rd, 2013

In case you needed further evidence that the White Hats are losing the war on cybercrime, a six-year-old so-called Trojan horse program that drains bank accounts is alive and well on Facebook.

Zeus is a particularly nasty Trojan horse that has infected millions of computers, most of them in the United States. Once Zeus has compromised a computer, it stays dormant until a victim logs into a bank site, and then it steals the victim’s passwords and drains the victim’s accounts. In some cases, it can even replace a bank’s Web site with its own page, in order to get even more information, such as a Social Security number, that can be sold on the black market.

The Trojan, which was first detected in 2007, is only getting more active. According to researchers at the security firm Trend Micro, incidents of Zeus have risen steadily this year and peaked in May. Eric Feinberg, founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE), has noticed an uptick in Zeus-serving malicious links on popular N.F.L. Facebook fan pages such as one created by a group called “Bring the N.F.L. To Los Angeles.”

Mr. Feinberg said he had noticed an increase in such pages and malicious links in recent weeks. He sent those links to Malloy Labs, a security lab, which confirmed that the links on these pages were serving up Zeus malware. The malware was being hosted from computers known to be controlled by a Russian criminal gang known as the Russian Business Network, which has been linked to various online criminal activities, ranging from malware and identity theft to child pornography.

Mr. Feinberg said he has tried to alert Facebook to the problem, with increased urgency, but wasn’t satisfied with their response. A Facebook spokesman directed this reporter to a previous Facebook statement reminding users that it actively scans for malware and offering users the opportunity to enroll in self-remediation procedures such as a “Scan-And-Repair malware scan” that can scan for and remove malware from their devices.

Mr. Feinberg said that after-the-fact approach was hardly sufficient. “If you really want to hack someone, the easiest place to start is a fake Facebook profile – it’s so simple, it’s stupid.”

“They’re not listening,” Mr. Feinberg added. “We need oversight on this.”

Source:  nytimes.com

U.S. Department of Labor website infected with malware

Wednesday, May 1st, 2013

The malware has been linked to a China-based hacking campaign that struck a Fortune 500 company in 2011

A subdomain of a U.S. Department of Labor website appeared offline on Wednesday after an apparent hack that looks similar to a known China-based hacking campaign nicknamed DeepPanda.

The tampered page, called Site Exposure Matrices (SEM), contains information on toxic substances at U.S. Department of Energy facilities, according to security vendors AlienVault and Invincea.

Hackers planted code on the main SEM page which redirected victims to other pages within the department’s website that attacked visitors’ computers. Invincea wrote that the site has been fixed, but it appeared to be offline late Wednesday.

When someone was redirected to an infected page, a script surveyed the computer to figure out what versions of software such as Microsoft Office, Adobe Systems’ Reader, Java or various antivirus programs it is running, wrote Jamie Blasco, director of AlienVault’s Labs.

The attack code then tries to exploit a vulnerability in older versions of Internet Explorer, wrote Anup Ghosh, founder and CEO of Invincea. The vulnerability, CVE-2012-4792, has been patched by Microsoft.

The style of attack is known as a drive-by download. It is particularly dangerous since potential victims merely need to visit a site in order for the attack to be executed.

Once installed, the malicious software attempts to contact a command-and-control server using a protocol linked with “a known Chinese actor called DeepPanda,” Blasco wrote.

The department could not be immediately reached for comment.

The security company CrowdStrike published a white paper that described DeepPanda as a China-based operation that tried to attack a large Fortune 500 company in December 2011. That attack sought to install remote-access Trojans (RATs), which would allow hackers to steal information from an infected computer.

The U.S. and China have clashed in recent months over cybersecurity. U.S. companies have become increasingly vocal over what they say are technically sophisticated long-term infiltration campaigns originating from within China.

Source:  computerworld.com

Attack hitting Apache websites is invisible to the naked eye

Monday, April 29th, 2013

Newly discovered Linux/Cdorked evades detection by running in shared memory.

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle’s Java, Adobe’s Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they’re infected.

“Unless a person really has some deep-dive knowledge on the incident response team, the first thing they’re going to do is kill the evidence,” Cameron Camp, a security researcher at Eset North America, told Ars. “If you run a large hosting company you’re not going to send a guy in who’s going to do memory dumps, you’re going to go on there with your standard tool sets and destroy the evidence.”

Linux/Cdorked.A leaves no traces of compromised hosts on the hard drive other than its modified HTTP daemon binary. Its configuration is delivered by the attacker through obfuscated HTTP commands that aren’t logged by normal Apache systems. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analyzed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers can invoke the commands by manipulating the URLs sent to an infected website.

“The thing is receiving commands,” Camp said. “That means that suddenly you have a new vector that is difficult to detect but is receiving commands. Blackhole is a tricky piece of malware anyway. Now suddenly you have a slick delivery method.”

In addition to hiding evidence in memory, the backdoor is programmed to mask its malicious behavior in other ways. End users who request addresses that contain “adm,” “webmaster,” “support,” and similar words often used to denote special administrator webpages aren’t exposed to the client exploits. Also, to make detection harder, users who have previously been attacked are not exposed in the future.

It remains unclear what the precise relationship is between Linux/Cdorked.A and Darkleech, the Apache plug-in module conservatively estimated to have hijacked at least 20,000 sites. It’s possible they’re the same module, different versions of the same module, or different modules that both expose end users to Blackhole exploits. It also remains unclear exactly how legitimate websites are coming under the spell of the malicious plugins. While researchers from Sucuri speculate it takes hold after attackers brute-force the secure-shell access used by administrators, a researcher from Cisco Systems said he found evidence that vulnerable configurations of the Plesk control panel are being exploited to spread Darkleech. Other researchers who have investigated the ongoing attack in the past six months include AV provider Sophos and those from the Malware Must Die blog.

The malicious Apache modules are proving difficult to disinfect. Many of the modules take control of the secure shell mechanism that legitimate administrators use to make technical changes and update content to a site. That means attackers often regain control of machines that are only partially disinfected. The larger problem, of course, is that the highly sophisticated behavior of the infections makes them extremely hard to detect.

Eset researchers have released a tool that can be used by administrators who suspect their machine is infected with Linux/Cdorked.A. The free Python script examines the shared memory of a server running Apache and looks for commands issued by the stealthy backdoor. Eset’s cloud-based Livegrid system has already detected hundreds of servers that are infected. Because Livegrid works only with a small percentage of machines on the Internet, the number of compromised Apache servers is presumed to be much higher.
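Because the backdoor keeps everything except the patched httpd binary in shared memory, the first triage step on a suspect Linux server is to find out which shared memory segments belong to Apache so they can be dumped and examined offline rather than destroyed by a restart. The script below is an added example, not Eset’s tool: it parses the kernel’s /proc/sysvipc/shm table, maps each segment’s creator PID to a process name, and lists segments created by Apache worker processes. The sample table and PID-to-name map are constructed for the example; a stock Apache may legitimately own a small scoreboard segment, so it is the extra or unusually large segments that deserve a closer look.

```python
# Added example: enumerate SysV shared memory segments created by Apache processes
# on Linux, as a starting point for dumping memory-resident backdoor state.
from pathlib import Path
from typing import Callable, Dict, List, Union

# Column order of /proc/sysvipc/shm (one header line, then one row per segment).
FIELDS = ["key", "shmid", "perms", "size", "cpid", "lpid", "nattch", "uid", "gid",
          "cuid", "cgid", "atime", "dtime", "ctime", "rss", "swap"]
APACHE_NAMES = {"httpd", "apache2", "httpd2", "httpd-prefork", "httpd-worker"}

# Constructed sample of the kernel table: two segments created by Apache workers
# (uid 33 is www-data on Debian-style systems) and one created by another daemon.
SAMPLE_SHM = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      65536   600      65536  1234  1240      3    33    33    33    33 1367200000          0 1367200000                 65536                     0
         0      98305   600    4194304  1240  1240      1    33    33    33    33 1367200100          0 1367200100               4194304                     0
         0     131074   600       1024  4321  4321      2  1000  1000  1000  1000 1367200200          0 1367200200                  1024                     0
"""
SAMPLE_NAMES = {1234: "apache2", 1240: "apache2", 4321: "postgres"}

Segment = Dict[str, Union[int, str]]


def parse_sysvipc_shm(text: str) -> List[Segment]:
    """Turn the /proc/sysvipc/shm table into dicts; 'perms' stays a string (it is octal)."""
    rows: List[Segment] = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < len(FIELDS) - 2:        # rss/swap are absent on very old kernels
            continue
        row: Segment = dict(zip(FIELDS, parts))
        for name in list(row):
            if name != "perms":
                row[name] = int(row[name])
        rows.append(row)
    return rows


def process_name(pid: int) -> str:
    """Name of a live process from /proc/<pid>/comm, or '' if it no longer exists."""
    try:
        return Path(f"/proc/{pid}/comm").read_text().strip()
    except OSError:
        return ""


def apache_segments(text: str,
                    name_of: Callable[[int], str] = process_name) -> List[Segment]:
    """Segments whose creator is an Apache process.

    Apache recycles workers, so the creator PID may already be gone; a segment with
    no live creator but with processes still attached is reported as well, since a
    segment that outlives its creator is exactly what a memory-resident implant needs.
    """
    hits: List[Segment] = []
    for seg in parse_sysvipc_shm(text):
        creator = name_of(int(seg["cpid"]))
        orphaned = creator == "" and int(seg["nattch"]) > 0
        if creator in APACHE_NAMES or orphaned:
            hits.append({**seg, "creator": creator or "<exited>"})
    return sorted(hits, key=lambda s: int(s["size"]), reverse=True)


if __name__ == "__main__":
    table = Path("/proc/sysvipc/shm")
    if table.exists():
        hits = apache_segments(table.read_text())
    else:
        hits = apache_segments(SAMPLE_SHM, lambda pid: SAMPLE_NAMES.get(pid, ""))
    for seg in hits:
        print(f"shmid={seg['shmid']} size={seg['size']} creator={seg['creator']} "
              f"attached={seg['nattch']} uid={seg['uid']}")
```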

Source:  arstechnica.com

Cyberwar risks calamity, Eugene Kaspersky warns UK Government and spooks

Monday, April 29th, 2013

State-of-the-art cyberweapons are now powerful enough to severely disrupt nations and the organisations responsible for their critical infrastructure, Kaspersky Lab founder and CEO Eugene Kaspersky has warned in a speech to a select audience of UK police, politicians and CSOs.

That Kaspersky was invited to give the speech to such a high-level gathering is a clear signal that the message accords with the Government and UK security establishment’s view of the threat posed by cyber-weapons.

“Today, sophisticated malicious programs – cyberweapons – have the power to disable companies, cripple governments and bring whole nations to their knees by attacking critical infrastructure in sectors such as communications, finance, transportation and utilities. The consequences for human populations could, as a result, be literally catastrophic,” said Kaspersky.

As an illustration of his point, the number of malware samples analysed by Kaspersky Lab had risen from 700 per day in 2006 to 7,000 per day by 2011. Today the number including polymorphic variants had reached 200,000 each day, enough to overwhelm the defences of even well-defended firms.

The sophistication of threats had also risen dramatically since 2010 with the discovery of state-sponsored threats such as Red October, Flame, MiniFlame, Gauss, Stuxnet, Duqu, Shamoon and Wiper, some of which had been uncovered by Kaspersky Lab itself.

Countering this would be impossible as long as organisations tackled the problem one by one, each in isolation from others. Intelligence sharing was no longer a luxury and had become essential.

This would require intimate cooperation between the private sector and government bodies, he said. The heads of organisations had to internalise this as a new reality.

“But why should state intelligence and defence bother cooperating with the private sector? In the words of Francis Maude, UK Minister of the Cabinet Office, ‘We need to team up to fight common enemies but the key to cooperating, in a spirit of openness and sharing, are guarantees to maintain the confidentiality of data shared,’” said Kaspersky.

Audience members included City of London Police Commissioner Adrian Leppard, National Fraud Authority head Stephen Harrison, former Counter Terrorism and Security Minister Pauline Neville Jones, Minister for Crime and Security James Brokenshire, and CSOs from HSBC, Unilever, Vodafone and Barclays.

Although best known as a celebrity icon of the company that bears his name, Kaspersky has in recent times become vocal on issues of cyber-weapons and their geo-political as well as technical implications.

Although ostensibly preaching the orthodox position that cyber-defence should be a coalition of forces, his words contain nuances, warnings about the dangers of state-sponsored cyber-weapons, including those from the UK and its allies.

Most of the most advanced cyber-weapons uncovered by Kaspersky’s company are suspected of being created by the US, the early-adopter of such offensive capabilities. His point seems to be that the US and its allies will find themselves on the receiving end of the same if international standards of cyber-etiquette are not established.

Earlier this year, Interpol announced that Kaspersky Lab would be a key partner in its new Global Complex for Innovation (IGCI), a cybercrime-fighting hub in Singapore due for completion next year.

Source:  pcadvisor.com

Malware found scattered by cyber espionage attacks

Monday, April 29th, 2013

Researchers following a cyberespionage campaign apparently bent on stealing drone-related technology secrets have found additional malware related to the targeted attacks. FireEye researchers have been tracking so-called “Operation Beebus” for months, but only last week reported the connection to unmanned aircraft often used in spying. Drones have also been used by the Obama administration to assassinate leaders of the Al-Qaeda terrorist group.

Malware linked to spying

FireEye researcher James Bennett, who was the first to make the drone connection, said last week that he has found two new pieces of malware associated with the attack, bringing the total to four.

The first two were versions of the same malware, called Mutter. The new pieces include one that uses the same custom encryption scheme but a different command-and-control protocol. The fourth is completely different from Mutter but uses the same C&C infrastructure.

Bennett has yet to fully analyze the new malware, which he hopes will provide “more threads to follow.”

Operation Beebus is a cyberespionage campaign that FireEye has linked to the infamous Comment Crew, which security firm Mandiant has identified as a secret unit of China’s People’s Liberation Army. The hacker group attempts to steal information from international companies and foreign governments.

Bennett reported in a blog last week that he had uncovered evidence of cyberattacks against a dozen organizations in the U.S. and India. The attacks against academia, government agencies, and the aerospace, defense and telecommunication industries targeted individuals knowledgeable in drone technology.

The spear-phishing campaign included sending email that contained decoy documents meant to trick recipients into clicking on the file, which would download the malware. One such document was an article about Pakistan’s unmanned aerial vehicle industry written by Aditi Malhotra, an Indian writer and associate fellow at the Centre for Land Warfare Studies in New Delhi.

How it worked

Once downloaded, the Mutter malware opened a backdoor to the infected systems in order to receive instructions from C&C servers and to send stolen information. To avoid detection, Mutter is capable of remaining dormant for long periods of time, so that it will eventually be categorized as benign by malware analysis systems.

Despite the exposure, Operation Beebus is still active, although its infrastructure has changed. All but one of the domain names studied by Bennett are no longer in use, but several IP addresses are still active, probably being used with other domains.

“We are still seeing active communications going out with this Mutter malware, so we do know that it’s still going,” Bennett said.

One in five data breaches is the result of a cyberespionage campaign, according to the latest study by Verizon. More than 95 percent of cases originated from China, with targets showing an almost fifty-fifty split between large and small organizations.

Source:  pcworld.com


Recent reports of DHS-themed ransomware

Monday, March 25th, 2013

US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware falsely claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division.

Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or perform a clean reinstallation of their OS after formatting their computer’s hard drive.

US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages and take the following preventive measures to protect themselves from phishing scams and malware campaigns that attempt to frighten and deceive a recipient for the purpose of illegal gain.

  • Do not click on links in, or submit any information to, the webpages these messages point to.
  • Do not follow unsolicited web links in email messages.
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments.
  • Maintain up-to-date antivirus software.
  • Users who are infected should change all passwords AFTER removing the malware from their system.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Source:  US-CERT

Symantec finds Linux wiper malware used in S. Korean attacks

Friday, March 22nd, 2013

The cyber attacks used malware called Jokra and also targeted Windows computers’ master boot records

Security vendors analyzing the code used in the cyber attacks against South Korea are finding nasty components designed to wreck infected computers.

Tucked inside a piece of Windows malware used in the attacks is a component that erases Linux machines, an analysis from Symantec has found. The malware, which it called Jokra, is unusual, Symantec said.

“We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat,” the company said on its blog.

Jokra also checks computers running Windows XP and 7 for a program called mRemote, which is a remote access tool that can be used to manage devices on different platforms, Symantec said.

South Korea is investigating the Wednesday attacks that disrupted at least three television stations and four banks. Government officials reportedly cautioned against blaming North Korea.

McAfee also published an analysis of the attack code, which overwrote a computer’s master boot record. The MBR is the first sector of the computer’s hard drive, which the computer reads before the operating system is booted.

A computer’s MBR is overwritten with one of two similar strings: “PRINCPES” or “PR!NCPES.” The damage can be permanent, McAfee wrote. If the MBR is corrupted, the computer won’t start.

“The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable,” wrote Jorge Arias and Guilherme Venere, both malware analysts at McAfee. “So even if the MBR is recovered, the files on disk will be compromised too.”
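The two marker strings McAfee reported give an incident responder something concrete to look for in a disk image. The following is an added example, not code from McAfee, Symantec or the article: it reads a raw image as 512-byte sectors, classifies the boot sector (intact, wiped with a known marker, or otherwise corrupt) and lists every sector in which either marker appears, which is how one would confirm that the file-system damage described in the quote extends beyond the MBR. The four-sector image is constructed inline and is not real forensic data.

```python
import re
from typing import Dict, List

# Constructed example: triage a raw disk image for the Jokra-style MBR wipe.
# The marker strings come from the McAfee analysis quoted above; the sample
# image built below is fabricated for illustration, not recovered evidence.

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"                 # bytes 510-511 of an intact MBR
WIPER_MARKERS = (b"PRINCPES", b"PR!NCPES")
MARKER_RE = re.compile(rb"PR[I!]NCPES")      # matches either spelling


def inspect_mbr(sector: bytes) -> Dict[str, object]:
    """Classify one boot sector: 'wiped' (known marker present), 'intact'
    (boot signature present, no marker) or 'corrupt' (neither). Read-only."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    hits = {m.decode(): sector.count(m) for m in WIPER_MARKERS if m in sector}
    has_signature = sector[510:512] == BOOT_SIGNATURE
    if hits:
        verdict = "wiped"
    elif has_signature:
        verdict = "intact"
    else:
        verdict = "corrupt"
    return {"verdict": verdict, "boot_signature": has_signature, "marker_hits": hits}


def scan_image_for_markers(image: bytes) -> List[int]:
    """Return the sorted sector indices that contain a marker string.
    The regex runs over the whole image, so a marker straddling a sector
    boundary is still found (it is attributed to the sector where it starts)."""
    return sorted({m.start() // SECTOR_SIZE for m in MARKER_RE.finditer(image)})


def build_intact_mbr() -> bytes:
    """A minimal, obviously synthetic MBR: a few bootstrap bytes, an empty
    partition table and the 0x55AA boot signature."""
    bootstrap = b"\xeb\x3c\x90SYNTHETIC-MBR"        # JMP + fake OEM label
    body = bootstrap.ljust(446, b"\x00")            # bootstrap area is 446 bytes
    partition_table = b"\x00" * 64                  # four empty 16-byte entries
    return body + partition_table + BOOT_SIGNATURE


# Constructed 4-sector image: intact MBR, untouched sector, fully wiped
# sector, and a data sector with the marker written over part of its content.
SAMPLE_IMAGE = (
    build_intact_mbr()
    + b"\x00" * SECTOR_SIZE
    + (b"PR!NCPES" * (SECTOR_SIZE // 8))
    + (b"file contents " * 10 + b"PRINCPES").ljust(SECTOR_SIZE, b"\x00")
)

if __name__ == "__main__":
    print("sector 0:", inspect_mbr(SAMPLE_IMAGE[:SECTOR_SIZE])["verdict"])
    print("sectors with wiper markers:", scan_image_for_markers(SAMPLE_IMAGE))
    print("sector 2:", inspect_mbr(SAMPLE_IMAGE[2 * SECTOR_SIZE:3 * SECTOR_SIZE]))
```

On a real image, `SAMPLE_IMAGE` would be replaced by the bytes of a read-only copy of the disk; the scan itself never writes, and the sector list is what you would hand to a file-system recovery tool to decide which files are beyond repair.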

The malware also attempts to shut down two South Korean antivirus products made by the companies Ahnlab and Hauri. Another component, a Bash shell script, attempts to erase partitions on Unix systems, including Linux and HP-UX.

Security vendor Avast wrote on its blog that the attacks against South Korean banks originated from the website of the Korean Software Property Right Council.

The site had been hacked to serve up an iframe that delivered an attack hosted on another website, Avast said. The actual attack code exploits a vulnerability in Internet Explorer dating from July 2012, which has been patched by Microsoft.

Source:  infoworld.com

FCC invests $10M in new network security but leaves backdoor unlocked

Wednesday, February 13th, 2013

GAO finds job was rushed, sloppy—some problems too severe to share with public.

In August of 2011, while in the middle of upgrading its network security monitoring, the Federal Communications Commission discovered it had already been hacked. Over the next month, the commission’s IT staff and outside contractors worked to identify the source of the breach, finding an unspecified number of PCs infected with backdoor malware.

After pulling the infected systems from the network, the FCC determined it needed to do something dramatic to fix the significant security holes in its internal networks that allowed the malware in. The organization began pulling together a $10 million “Enhanced Secured Network” project to accomplish that.

But things did not go well with ESN. In January, a little less than a year after the FCC presented its plan of action to the House and Senate’s respective Appropriations Committees, a Government Accountability Office audit of the project, released publicly last week, found that the FCC essentially dumped that $10 million in a hole. The ESN effort failed to properly implement the fixes, and it left software and systems put in place misconfigured—even failing to take advantage of all the features of the malware protection the commission had selected, leaving its workstations still vulnerable to attack. In fact, the full extent of the problems is so bad the GAO’s entire findings have been restricted to limited distribution.

“As a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information,” the report concluded. And much of the work done to deploy the security system must be redone before the FCC’s systems approach anything resembling the security goals set for the project.

The FCC’s leadership acknowledges there’s a lot left to be done. “The GAO’s review of this project covers a period of time during which the Commission faced an unusual level of urgency, and we look forward to sharing our further progress with Congress and GAO at a later time, when these security initiatives are more fully deployed and developed,” FCC Managing Director David Robbins wrote in response to the GAO’s findings. But the commission also has some personnel issues to address—all of this is transpiring as the FCC looks for a new chief information officer. Ironically, the FCC’s CIO Robert Naylor stepped down in January to take a new job; he is now the CIO of a cyber security firm that caters to the intelligence community.

Measure once, cut twice

The FCC is a small organization as government agencies go, with about 2,000 employees and a budget request for 2013 of $340 million. It relies heavily on outside help for its IT operations—and on more outside help to figure out how to buy that help. The acquisition of the ESN project was managed by Octo Consulting Group, a company led by three former Gartner executives and the former CIO of the Department of Agriculture’s Forest Service. The company claims on its website to have “designed the FCC Cyber Security Strategy, and managed and executed three defining Cyber Security contracts.” The consulting firm also provided contracting support for the FCC’s CIO as all of its major IT support contracts were preparing to expire mid-2012.

Update: “Octo was responsible for providing ‘acquisition support to the FCC’ for the ESN contract (i.e. Assisting FCC Acquisition & Contracts personnel with developing the Statement of Work used to acquire the hardware and services for the $10M ESN contract you referenced),” Octo Consulting Group president Mehul Sanghani said in an email to Ars. “Once the contract was awarded, Octo was also tasked with providing project management support to supplement the FCC IT staff that was tasked with overseeing the work.” The actual work on ESN was done by MicroTech and subcontractor Booz Allen Hamilton.

At the time of the discovery of the network intrusion in 2011, the FCC’s network security was dated at best. The ESN project, which was originally projected to be completed this month, is intended to “enhance and augment FCC’s existing security controls through changes to the network architecture and by implementing, among other things, additional intrusion detection tools, network firewalls, and audit and monitoring tools,” according to the GAO. The program was also supposed to provide the FCC with an ongoing “cyber threat analysis and mitigation program” that would do continuous risk assessment and reduction and control the damage from attacks that managed to breach the commission’s security measures.

Contracts to do the work on ESN were awarded in April of 2012, just two months after plans for the project were submitted to Congress. By June, all of the security hardware and software licenses had been purchased. Implementation was in full swing.

But apparently the work was done so quickly that no one bothered to check it. While new security hardware and software was deployed, the GAO found that “FCC did not effectively implement or securely configure key security tools and devices to protect these users and its information against cyber attacks… Certain boundary protection controls were configured in a manner that limited the effectiveness of network monitoring controls.”

The rush to get things in place also led to some other sloppy work. The GAO’s auditors found that passwords to gain access to some of the network monitoring systems “were not always strongly encrypted.” And while tools had been put in place to detect malware and block malicious network traffic, the tools had been left only partially configured.

The mishandling of security is being raised as an issue by some who do business with the FCC, especially because news of the original breach was never disclosed to the public—even as the FCC was formulating a proposed rule that would require people with commercial interests in broadcast stations to submit their social security numbers to an FCC database. As Harry Cole, a communications lawyer with the firm Fletcher, Heald, and Hildreth put it in a post to the firm’s blog, “it seems extraordinarily inappropriate for the Commission, knowing of those vulnerabilities, to then propose that a huge number of folks must provide to the FCC the crown jewels of their identity, their social security numbers.”

Source:

Massive search fraud botnet seized by Microsoft and Symantec

Thursday, February 7th, 2013

Hundreds of thousands of Bamital bots made ring of 18 operators over $1M a year.

Users with computers infected by the Bamital botnet malware will see this page every time they click a search result.

A botnet that redirected clicks from millions of PCs has been, at least for the moment, shut down by Microsoft and Symantec. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn’t intend to go, cashing in on the traffic with online advertising networks.

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company’s headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. “These servers were command and control servers, and were also absorbing the malicious traffic the botnet was creating,” said Vikram Thakur, Principal Security Response Manager at Symantec in an interview with Ars.

Richard Boscovich, Microsoft’s General Counsel, said that while the malware had been identified as far back as 2011, nailing down the exact servers they needed to go after took some time. “The malware was morphing back and forth, so it made it difficult to identify the targets,” he said. But when the botnet stabilized a few months ago, “it offered a window of opportunity to go after them. The legal portion took about two months.”

Based on forensic evidence collected from infected computers by Symantec and Microsoft, there have been several generations of Bamital, with activity dating back at least three years. Early variants of the malware attacked users’ Web browsers with HTML injection. “They injected an iframe into every page,” Thakur said, “so whatever page loaded also loaded content from the bad guys.”
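Both the early Bamital variant described here and the compromised Korean Software Property Right Council site in the Symantec story above relied on the same trick: an extra iframe inserted into pages the victim already trusted. A site owner can catch that kind of injection by periodically fetching their own pages and flagging frames that load from a foreign host or are hidden from view. The following is an added example, not code from Microsoft, Symantec or Avast; the page URL, the sample HTML and the `attacker-placeholder.example` host are constructed placeholders, and `allowed_hosts` is a list the site owner maintains of third-party embeds they expect.

```python
from html.parser import HTMLParser
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Constructed example: integrity check for injected iframes on your own pages.
# Flags frames that (a) load from a host other than the page's own host or an
# allowed third party, or (b) are hidden or sized to be invisible, the usual
# shape of an injected frame. Nothing here fetches or executes anything.


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag and its attributes from a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "iframe":
            # HTMLParser lowercases attribute names; values may be None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """True when the frame is styled away or has a 0/1 pixel dimension."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {"0", "1", "0px", "1px"}
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or attrs.get("width", "").strip().lower() in tiny
        or attrs.get("height", "").strip().lower() in tiny
    )


def find_suspicious_iframes(page_url: str, html: str,
                            allowed_hosts: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return one finding per iframe that is off-site (not the page's host and
    not in allowed_hosts) and/or hidden. A relative src counts as same-host."""
    page_host = (urlparse(page_url).hostname or "").lower()
    allowed = {h.lower() for h in allowed_hosts}
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        src_host = (urlparse(src).hostname or page_host).lower()  # handles "//host/x" too
        reasons = []
        if src_host != page_host and src_host not in allowed:
            reasons.append("off-site source: " + src_host)
        if _is_hidden(attrs):
            reasons.append("hidden or zero-size frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page: one legitimate same-site frame, one injected hidden frame
# pointing at a placeholder host, and one expected third-party embed.
SAMPLE_PAGE_URL = "https://www.council.example/news.html"
SAMPLE_PAGE = """
<html><body>
<h1>Council news</h1>
<iframe src="/video/player.html" width="640" height="360"></iframe>
<iframe src="http://attacker-placeholder.example/ad.html" width="1" height="1"
        style="display: none"></iframe>
<iframe src="https://player.partner.example/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_PAGE,
                                           allowed_hosts=["player.partner.example"]):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run against a saved copy of each page on a schedule and diff the findings against the previous run; a new off-site or hidden frame appearing on a page that has not been deliberately edited is the signal that the site is serving someone else's content.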

In later variants of Bamital, the malware simply redirected any click on a search page to the botnet’s own servers, which in turn used HTML redirects to feed the victims’ traffic into an advertising network. That network acted as a clearinghouse for other advertiser networks, so a click could go through several sets of redirects before it actually landed on a website—and not the one the user expected.

Because of the nature of Bamital, Microsoft is now in a position that’s different from some of its previous botnet takedowns—it has a direct line to victims of the malware. “One of the things we’re doing a little differently in this case is we’re doing direct victim notification,” Boscovich said. Users with systems infected by Bamital will now be redirected to a Microsoft webpage offering tools to help remove the Bamital malware—as well as any other malware that’s out there. “There are AV signatures out there for this malware already,” Boscovich said.

“They may have an OS that’s unpatched, or antivirus software that’s outdated. We’re taking control of the command and control network so that every time someone types in a search query, they’re going to get redirected to a page directly by Microsoft.”

Thakur said that the Bamital malware was initially delivered by a combination of methods, including in packages over peer-to-peer filesharing networks disguised as other content. But the majority of systems infected were the victim of “drive-by downloads” from websites configured with malicious software intended to exploit browser security flaws. “We have evidence of [the botnet operators] polluting search engine results for certain search terms with links to servers with exploits,” he said.

As new variants of the botnet were developed, the operators made efforts to “upgrade” systems they had already infected. “But along the way they seemed to have left behind a number of people,” Thakur said. The older servers that had been used with previous versions of the malware appear to have been abandoned as well.

In 2011, Microsoft and Symantec were able to monitor the traffic going to one of the botnet’s servers. “We got back data that showed that 3 million clicks were being hijacked by that server on a daily basis,” Thakur said. Based on a conservative estimate of a payment for one-tenth of a percent of the advertising value for each click, the companies determined the fraud ring was pulling in over $1 million a year from advertising networks. “And it could have been 2 or 3 times that much,” he said.

The advertising networks connected to Bamital themselves may be completely fraudulent. They acted as clearinghouses for the traffic, and resold it to other, legitimate advertising networks and affiliate programs. “Bamital went through several ad networks before it even displayed content,” Thakur said. “It was super convoluted.”

Microsoft and Symantec are hoping the data obtained through the seizure of the server in New Jersey will help them get a better understanding of the underground ecosystem of advertising networks that drives botnets like Bamital. But it’s too early to tell if it will help catch the actual perpetrators. “We still have to go through the evidence,” Boscovich said, but he noted that Microsoft had had some success in the past in identifying botnet operators, as it did with Kelihos.

Source:  arstechnica.com