Google, China, Chicken Little and Cyber Armageddon.

January 19, 2010

Foxy Loxy by Gustaf Tenggren


 
In the wake of the highly publicised “highly sophisticated and targeted” attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous “Operation Aurora” graphic (that links to trial downloads of pre-existing software). The attacks have been described as “changing the world” by the CTO of that same security company and as “something quite different” by Google.
 
How much of this is real, justified and proportionate?
 
So what do we know so far? Well, according to Google, “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google”. They go on to say, “As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies”.
 
Subsequent external conjecture, comment and analysis has blamed unpatched vulnerabilities in Internet Explorer and also in Acrobat Reader. The malware involved has been identified both as variants of the Hydraq Trojan and also as new malware, dubbed by McAfee as Roarur.dr and as TROJ_PIDIEF.SHK. The attack vectors have been identified as mail with malicious PDF attachments and drive-by downloads.
 
Google, who were hit by the zero-day vulnerability in Internet Explorer, state that at least 20 other companies were victimised, and iDefense who have customers who were hit by the zero-day vulnerability in Acrobat Reader state that 33 companies were affected.
 
The motivation for the attack has been described both as an attempt to steal intellectual property and also as an attempt to breach the security of email accounts belonging to Chinese human rights activists. The attacks “appear to have been launched from at least six Internet addresses located in Taiwan”, according to James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc.
 
“Changing the world”? I say not.
 
The attacks are not the first to use zero-day vulnerabilities; in fact, we have most often seen zero-day exploits first used in targeted attacks before becoming more widely spread and widely abused.
 
The attacks are not the first to use drive-by download or malicious PDF attachments to achieve their goal.
 
The attacks are not the most complex multi-component system yet seen; if you want complex, look at Koobface!
 
This is not the first time that warnings have been given to use alternative browsers until a patch becomes available.
 
This is not the first time that the finger has been pointed at China for a widespread globally distributed espionage attack.
 
There is no doubt that this attack, or these attacks are methodologically sophisticated. The bad guys were visibly successful at delivering their malicious payloads to the right people in the right companies to get access to things like source code and email accounts, but I don’t see anything here that changes the world.
 
Social engineering, lack of awareness of the threat landscape, a willingness to share too much information and the highly developed underground economy will all have contributed to the possibility and the success of these attacks.
 
What can companies and individuals do to try to avoid falling victim to these kinds of attack?

  • Educate yourselves and your users: clicking a link is enough, opening a PDF is enough to infect you, even on a fully patched system.
  • That being said, make sure all applications and systems are fully patched; if that is not possible, use host-based intrusion prevention to “virtually patch” systems and to secure against zero-day exploits.
  • When an unpatched vulnerability is identified, be sure to follow vendor advice to minimise the risk as soon as possible.
  • Encrypt valuable personal and intellectual property at file level; that way, even if it is stolen, it is of limited value or use.
  • Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.
  • Rethink your security model from an outside-in approach to an inside-out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.
  • At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles and contact details. Currently far too many targets are far too visible.
  • Don’t let Chicken Little run your security.

Pakistani National Response Center for Cyber Crimes… Hacked!

January 8, 2010

It seems to be the season for defacements and hacktivity. The week began with the Cross Site Scripting attack on the Spanish EU website and the defacement hack of Iranian President Ahmadinejad’s Official site and it closes with a high profile hack of the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority.

The web site was compromised and defaced as shown below.


Unfortunately for the Pakistani FIA though, this attack appears to go beyond a simple defacement. The hacker “zombie_ksa” also states on the defaced page:

your whole database and e-mails are leaked …. i was really excited to read, see what the f__k is private in here lOl

At first glance this could well seem like idle l33t H4×0r bragging, so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said:

“I was Browsing! today Propakistani.pk So i saw post about” how to register complaint with fia cyber crime”! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!”

 

The hacker then posted two screen shots, one of the hacked site and a second one, below, demonstrating his access to their email database (I have sanitised the email addresses here).

Screen shot posted by the hacker

So it seems that, from an amateur penetration test, a hacker has access at least to the full email database, and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.

Any organisation holding material this sensitive should, as a priority, make sure all Internet-facing servers are hardened and fully patched. The servers should also be regularly audited, preferably daily, to look for evidence of new vulnerabilities as they arise. Web application firewalls should be used to look for evidence of, and block, anomalous or malicious behaviour.

But perhaps most importantly, emails dealing with matters this sensitive should not be connected with, or stored on, your public web server, and they should always be stored in a secure encrypted format.


Move over Big Brother, Sister ELENA is here

January 6, 2010

On the 1st of January this year German employers became subject to a new legal requirement, one that has their own Data Protection Authorities, Trade Unions and Civil Rights groups appalled.

ELENA knows where you live.

 

From the beginning of 2010 every German employer must submit detailed information on a monthly basis to the so-called ELENA database. ELENA is an acronym for Elektronischer Entgeltnachweis, which loosely translates to Electronic Payslip. This sounds innocent enough until you consider exactly what information employers are obliged to provide.

The information will cover every worker’s salary, all absenteeism and their participation in strike action whether legal or illegal. This data is to be submitted to a central hub and from 2012 it will be used to determine whether to pay out or refuse social benefits. Plans are in place to relieve employers of the necessity of printing paper-based pay statements for their employees and instead issuing each worker with a plastic “jobcard” again by 2012. This card would then need to be produced should the holder ever need to apply for benefits allowing for data retrieval to determine eligibility.

Peter Schaar, the German Information Commissioner, is reported as saying:

“I’ve got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed.”

 

My own (German) wife’s reaction to this news was more succinct: “I thought these people had agreed that the Stasi was a bad thing?” The German blogs I could find seemed to be equally opposed to the idea.

For now though, the legislation has entered into force and the reporting has begun. We can only hope that appropriate measures have been taken to store the data in a secure location, using appropriate encryption, that the data entry and retrieval mechanisms are protected with strong encryption and multi-factor authentication and that the appropriate organisational policies and procedures have been put in place to protect this highly sensitive data.

It is an absolute certainty that a centralised data repository of this size and significance will attract the hacking and cracking attentions of criminals, script-kiddies and “hobbyists” alike.


2010 – Year of the Zombie Cloud?

December 15, 2009

How to Survive a Zombie Attack, by Acey Duecy

 

2009 has been a notable year for malware and malicious online activity for a number of reasons and several of them relate to what is known as botnets. A zombie, or a bot, is a PC infected by malware that brings it under the remote control of a criminal. Criminals run networks that can range from thousands to millions of infected machines and they use them to power most of the cybercrime we see today including spam, DDoS, scareware, phishing, and malicious or illegal website hosting. They have a finger in every cybercriminal pie.

 

In the first half of the year, the Conficker worm (also known as Downadup or Kido) stole all the headlines in the malware world. Eventually the Conficker botnet was seen to deliver standard cybercriminal payloads, such as spambots and Fake AV (or scareware), much to the disappointment of some of the more hysterical commentators. Just because the outbreak received so much coverage, which then died away just as rapidly, don’t be fooled into thinking this threat has gone away. The Conficker Working Group, an alliance of security vendors, researchers and other commercial organisations, is currently showing around 6 million unique IP addresses as appearing to be infected with this malware.

 

An unrelated but important trend in 2009 was the exponential increase in the abuse of social networking providers for malicious purposes. The enormous active user populations on sites like Facebook, Twitter and MySpace prove a very attractive lure to organised online crime and its attendant money-making, bot recruitment and Fake AV pushing scams. Facebook has been abused by rogue Apps, designed to fool users into clicking links that reward the creator through pay-per-click affiliate advertising networks. It has also been used to spread malware through many means: malicious links in wall posts and messages, malware designed specifically to hijack accounts, and external compromise of legitimate Facebook Apps. The Koobface family of malware (also a botnet) has evolved over the course of 2009; it was initially spread through malicious messages and wall posts with links to fake YouTube sites punting a supposed codec in order to view the video. The codec of course was nothing of the sort and led to infection and account hijacking. Koobface has now evolved to the point where it is fully capable of creating its own fake Facebook profile pages, complete with confirmed Gmail address, photo and biographical data. These fake accounts then set about joining networks and sending friend requests, again all in a completely automated fashion.

 

Here’s where it gets interesting: in addition to spamming and malware, web 2.0 sites have been abused in new and concerning ways over the course of 2009. Twitter and Google Reader have been used as the landing page in spam campaigns, to attempt to overcome URL filtering in email messages. In recent months Twitter, Facebook, Pastebin, Google Groups and Google App Engine have all been used as surrogate Command & Control servers for botnets, and just last week it was reported that a Zeus botnet was leveraging compromised servers inside Amazon’s EC2 cloud for command and control. These public forums have been configured to issue obfuscated commands to globally distributed botnets; these commands often contain further URLs which the bot then accesses to download commands or components.

 

The attraction of these sites and services lies in the fact that they offer a public, open, scalable, highly-available and relatively anonymous means of maintaining a command and control infrastructure, which at the same time further reduces the chance of detection by traditional technologies. Whilst network content inspection solutions could reasonably be expected to pick up on compromised endpoints that are communicating with known-bad sites (command & control servers), or over suspicious or unwanted channels such as IRC, it has historically been safe to assume that a PC making a standard HTTP GET request over port 80 to a content provider such as Facebook, Google or Twitter, even several times every day, is acting entirely normally. However, as botnet owners and criminal outfits seek to further dissipate their command and control infrastructure and blend into the general white noise of the internet, that is no longer the case.
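One thing a defender can still do when the C&C channel is a perfectly ordinary GET to Twitter is look at timing rather than destination: a bot polling its profile page on a timer leaves near-identical gaps between requests, whereas a human browsing the same page does not. The script below is an added illustration of that heuristic over proxy logs; it is not code from the original post, and the one-line log format, the hostnames and the thresholds are my own assumptions.

```python
"""Beacon detection over proxy logs: flag hosts that fetch the same public
web-service URL at suspiciously regular intervals.

Added example, not code from the original post. The log line format
("epoch client method url", constructed here) and the thresholds are
assumptions; adapt parse_log() to your proxy's real format."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: 10.0.0.5 polls one Twitter profile every
# ~600 s like a bot on a timer; 10.0.0.9 visits the same URL at human pace.
SAMPLE_LOG = """\
1260864000 10.0.0.5 GET http://twitter.com/botmaster_profile
1260864600 10.0.0.5 GET http://twitter.com/botmaster_profile
1260865200 10.0.0.5 GET http://twitter.com/botmaster_profile
1260865801 10.0.0.5 GET http://twitter.com/botmaster_profile
1260866400 10.0.0.5 GET http://twitter.com/botmaster_profile
1260867001 10.0.0.5 GET http://twitter.com/botmaster_profile
1260864100 10.0.0.9 GET http://twitter.com/botmaster_profile
1260864130 10.0.0.9 GET http://twitter.com/botmaster_profile
1260868200 10.0.0.9 GET http://twitter.com/botmaster_profile
1260871000 10.0.0.9 GET http://twitter.com/botmaster_profile
1260880000 10.0.0.9 GET http://twitter.com/botmaster_profile
1260880090 10.0.0.9 GET http://twitter.com/botmaster_profile
"""

def parse_log(text):
    """Group request timestamps by (client, url); skip malformed lines."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        series[(client, url)].append(int(ts))
    return series

def find_beacons(series, min_requests=5, max_cv=0.05):
    """Return (client, url, mean_gap, cv) for timer-like request patterns.

    cv is the coefficient of variation of the inter-request gaps: a person
    browsing produces a large cv, a bot polling on a fixed interval a tiny one.
    min_requests avoids flagging a host on two or three chance visits."""
    hits = []
    for (client, url), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((client, url, avg, round(cv, 4)))
    return hits

if __name__ == "__main__":
    for client, url, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} polls {url} every ~{avg:.0f}s (cv={cv})")
```

Jitter added by a smarter bot raises the cv, so in practice this is one signal to combine with others (request volume, response sizes, user-agent oddities), not a verdict on its own.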

 

It is no coincidence that much of the innovation in 2009 has been around command & control systems for botnets. The vast majority of old-school IRC controlled botnets are shut down within 24 hours, and peer-to-peer bots often leave visible signatures too, leading to their neutralisation at machine level. One factor of web 2.0 botnet controls that I would expect cybercriminals to be currently evaluating is the single point of failure represented by relying on a single provider such as Facebook or Google–shut down the malicious Facebook page and you disable the botnet. Botnet creators have invested significant amounts of time and code in distributing their management infrastructure, in fast-flux and in peer-to-peer protocols. We can fully expect them to carry these lessons learned into the newer “cloud-enabled” botnet. It is entirely possible that the capability of the latest Koobface variant to create multiple automated profiles could be leveraged to mitigate against the single point of failure inherent in using a single Facebook or Twitter profile as a covert channel.

When it comes to botnets it would be really nice to be able to say “it’s getting better”. It’s not. More and more computers are being infected, and they are staying infected for longer.


British police remove drop from ocean.

December 3, 2009

British law enforcement today completed a project dubbed Operation Papworth, aimed at reducing the exposure of the British online shopping public to fraudulent websites in the run up to Christmas. The Metropolitan Police Central e-Crime Unit have been widely reported in the media as “shutting down” or “taking down” more than 1200 websites peddling fraudulent designer goods such as Ugg boots, ghd hair straighteners and Tiffany jewellery at temptingly low prices. I’m sure in many cases you’ve seen the “tempting” spam for yourselves.

 

The sites were registered with .co.uk domain names so as to appear more credible and attractive to UK based buyers, even though in many cases both the sites and the domain registrations themselves were outside the UK. Obviously people tempted into buying from these shops risked not only receiving sub-standard goods with no chance of recompense, but also having their financial details or identities stolen, abused and/or traded on the underground economy. So before I go on, let me make it clear that despite my reservations about its effectiveness, I applaud and support this initiative by UK law enforcement (I’m sure they’ll be relieved to hear that).

 

But (and you knew there was going to be a “but”) this represents at best a stopgap measure and at worst a simple waste of time. The root cause remains unaddressed and I fully expect these same sites to reappear under different names in the very near future. The sites themselves have not been “taken down” at all as far as I can tell. What has happened is that Nominet, the body responsible for the .uk top-level domain, has simply broken the link between the domain name and the server the site is based on. What does that mean? It means when you type www.globalugg.co.uk into your browser it doesn’t go anywhere anymore.

 

If it was your criminal operation, what would you do? You’d register another domain name of course!

 

Here are the current details for a dodgy-looking site; notice the Registration status is SUSPENDED, so perhaps this was one of those 1200 sites.

WHOIS query for globalugg.co.uk

 

 

There are a few other interesting bits to this registration though: look at the Registrant’s address; how can they be a “UK individual”? Notice too that the domain was not even registered in the UK; the Registrar is eNom Inc., a (totally legitimate) US-based registrar. The name servers responsible for this domain belong to US Web Hosting, another totally above board US provider. So we have a scammer with a Chinese address, registering a .co.uk domain with an American registrar and hosting their server with another US outfit.

 

To bring my whole scam back to life all I have to do is register a new domain and point it to the same server as before, maybe just for variety’s sake this time with a Ukrainian registrar, just like this:

Domain availability through Ukrainian Registrar Imena

 

 

And that is the real issue, far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and in the words of Nominet:

We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (“Open SLDs”):

   4.4.1 .co.uk; or

   4.4.2 .org.uk.

In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters.

 

Until regulation is tightened and international cooperation is improved, well-intentioned initiatives like Operation Papworth will be, um, micturating in the tempest.

