Online Virus / Malware News

 
In the wake of the highly publicised “highly sophisticated and targeted” attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous “Operation Aurora” graphic (that links to trial downloads of pre-existing software). The attacks have been described as “changing the world” by the CTO of that same security company and as “something quite different” by Google.
 
How much of this is real, justified and proportionate?
 
So what do we know so far? Well according to Google “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google“. They go on to say “As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies“.
 
Subsequent external conjecture, comment and analysis has blamed unpatched vulnerabilities in Internet Explorer and also in Acrobat Reader, the malware involved has been identified both as variants of the Hydraq Trojan and also as new malware, dubbed by McAfee as Roarur.dr and as TROJ_PIDIEF.SHK. The attack vectors have been identified as mail with malicious PDF attachments and drive-by downloads.
 
Google, who were hit by the zero-day vulnerability in Internet Explorer, state that at least 20 other companies were victimised, and iDefense who have customers who were hit by the zero-day vulnerability in Acrobat Reader state that 33 companies were affected.
 
The motivation for the attack has been described both as an attempt to steal intellectual property and also as an attempt to breach the security of email accounts belonging to Chinese human rights activists. The attacks “appear to have been launched from at least six Internet addresses located in Taiwan” according to James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc
 
“Changing the world”? I say not.
 
The attacks are not the first to use zero-day vulnerabilities, in fact we have most often seen zero-day exploits being first used in targeted attacks before becoming more widely spread and widely abused.
 
The attacks are not the first to use drive-by download or malicious PDF attachments to achieve their goal.
 
The attacks are not the most complex multi-component system yet seen, you want complex, look at Koobface!
 
This is not the first time that warnings have been given to use alternative browsers until a patch becomes available.
 
This is not the first time that the finger has been pointed at China for a widespread globally distributed espionage attack.
 
There is no doubt that this attack, or these attacks are methodologically sophisticated. The bad guys were visibly successful at delivering their malicious payloads to the right people in the right companies to get access to things like source code and email accounts, but I don’t see anything here that changes the world.
 
Social engineering, lack of awareness of the threat landscape, a willingness to share too much information, the highly developed underground economy will all have contributed to the possibility and the success of these attacks.
 
What can companies and individuals do to try to avoid falling victim to these kinds of attack?

• Educate yourselves and your users, clicking a link is enough, opening a PDF is enough to infect you, even on a fully patched system.

 

• That being said make sure all applications and systems are fully patched, if that is not possible, use host-based intrusion prevention to “virtually patch” systems and to secure against zero-day exploits.

 

• When an unpatched vulnerability is identified be sure to follow vendor advice to minimise the risk as soon as possible.

 

• Encrypt valuable personal and intellectual property at file level, that way, even if it is stolen it is of limited value or use.

 

• Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.

 

• Rethink your security model from an outside in approach, to an inside out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.

 

• At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles, contact details. Currently far too many targets are far too visible.

 

• Don’t let Chicken Little run your security.

On the 1st of January this year German employers became subject to a new legal requirement, one that has their own Data Protection Authorities, Trade Unions and Civil Rights groups appalled.

 

From the beginning of 2010 every German employer must now submit detailed information on a monthly basis to the so-called ELENA database, ELENA is an acronym for Eleketronischer Entgeltnachweis which loosely translates to Electronic Payslip. This sounds innocent enough until you consider exactly what information employers are obliged to provide.

The information will cover every worker’s salary, all absenteeism and their participation in strike action whether legal or illegal. This data is to be submitted to a central hub and from 2012 it will be used to determine whether to pay out or refuse social benefits. Plans are in place to relieve employers of the necessity of printing paper-based pay statements for their employees and instead issuing each worker with a plastic “jobcard” again by 2012. This card would then need to be produced should the holder ever need to apply for benefits allowing for data retrieval to determine eligibility.

Peter Schaar, the German Information Commissioner is reported as saying

“I’ve got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed.”

 

My own (German) wife’s reaction to this news was more succinct “I thought these people had agreed that the Stasi was a bad thing?”. The German blogs I could find seemed to be equally opposed to the idea.

For now though, the legislation has entered into force and the reporting has begun. We can only hope that appropriate measures have been taken to store the data in a secure location, using appropriate encryption, that the data entry and retrieval mechanisms are protected with strong encryption and multi-factor authentication and that the appropriate organisational policies and procedures have been put in place to protect this highly sensitive data.

It is an absolute certainty that a centralised data repository of this size and significance will attract the hacking and cracking attentions of criminals, script-kiddies and “hobbyists” alike.

British law enforcement today completed a project dubbed Operation Papworth, aimed at reducing the exposure of the British online shopping public to fraudulent websites in the run up to Christmas. The Metropolitan Police Central e-Crime Unit have been widely reported in the media as “shutting down” or “taking down” more than 1200 websites peddling fraudulent designer goods such as Ugg boots, ghd hair straighteners and Tiffany jewellery at temptingly low prices. I’m sure in many cases you’ve seen the “tempting” spam for yourselves.

 

The sites were registered with .co.uk domain names so as to appear more credible and attractive to UK based buyers, even though in many cases both the sites and the domain registrations themselves were outside the UK. Obviously people tempted into buying from these shops risked not only receiving sub-standard goods with no chance of recompense, but also having their financial details or identities stolen, abused and/or traded on the underground economy. So before I go on, let me make it clear that despite my reservations about its effectiveness, I applaud and support this initiative by UK law enforcement (I’m sure they’ll be relieved to hear that).

 

But (and you knew there was going to be a “but”) this represents at best a stopgap measure and at worst a simple waste of time. The root cause remains unaddressed and I fully expect these same sites to reappear under different names in the very near future. The sites themselves have not been “taken down” at all as far as I can tell. What has happened is that Nominet, the body responsible for the .uk top-level domain has simply broken the link between the domain name and the server the site is based on. What does that mean? It means when you type www.globalugg.co.uk into your browser it doesn’t go anywhere anymore.

 

If it was your criminal operation, what would you do? You’d register another domain name of course!

 

Here are the current details for a dodgy looking site, notice the Registration status is SUSPENDED, perhaps this was one of those 1200 sites.

 

 

There are a few other interesting bits to this registration though, look at the Registrant’s address, how can they be a “UK individual”? Notice too that the domain was not even registered in the UK, the Registrar is eNom Inc. a (totally legitimate) US-based registrar. The Name servers responsible for this domain belong to US Web Hosting, another totally above board US provider. So we have a scammer with a Chinese address, registering a .co.uk domain with an American registrar and hosting their server with another US outfit.

 

To bring my whole scam back to life all I have to do is register a new domain and point it to the same server as before, maybe just for variety’s sake this time with a Ukrainian registrar, just like this:

 

 

And that is the real issue, far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and in the words of Nominet:

“We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (“Open SLDs”):

   1. 4.4.1 .co.uk; or

   2. 4.4.2 .org.uk.

In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters“

 

Until regulation is tightened and international cooperation is improved then well-intentioned initiatives like Operation Papworth will be um, micturating in the tempest.