Perimeter is the trusted market leader of information security services that delivers enterprise-class protection and compliance for businesses of any size
The three guys that were arrested for the Mariposa botnet may never go to jail.
Apparently if you are going to operate a botnet, Spain is the perfect place to do it because there are currently no laws around the their alleged crimes. Now prosecutors are trying to link their activity to other crimes that there are laws for. So I guess botnet owners have perhaps found a “safe haven”.
A very large botnet named “Mariposa” was recently shut down with the arrest of 3 of the main administrators. More arrests are expected in other countries.
Mariposa is said to have as many as 12.7 million compromised computers (Zombies) worldwide. The software acted as a Trojan horse and captured login credentials for online bank accounts. Following the arrests, police recovered personal information of more than 800,000 people. Zombies were in many of the Fortune 1000 companies as well as in 40 major banks. The Mariposa Working Group, which is a coalition of security experts, academics and law enforcement, were the ones who got it shut down.
More things are coming to light about the Aurora cyber attackers who targeted Google and other companies. This is really pretty interesting stuff (if your geek-o-meter pegs solidly in the red). McAfee released a paper at RSA last week that says that the Aurora cyber attackers had been going after source-code management systems. These are software systems that house, manage, and control the source code for companies. Keeping track of source code can be a big task. Imagine all the different developers, different versions, etc. These systems are the life blood of development organizations. If a hacker could gain access to these systems, they could modify code, inject trojans and malware potentially, and certainly steal code (intellectual property).
According to the paper released by McAfee, the source code system was virtually “wide open” which tells us they had a severe lack in their security. But here is where it gets interesting. Remember that other companies were targeted by the same Aurora group at the same time? Well they were all using the same code management system…with likely all the same security vulnerabilities. Someone might ask how cyber criminals could determine which companies were using which code management systems. There was a lot of talk about “Google Hacking” a few years ago. This is different than hacking Google, but rather using Google’s search engine to hack others…or maybe Google as well. Google and other search engines are such amazing indexing tools that often they can find bits of code or web pages that indicate what software a particular company uses. This is most often the case with web applications, web servers, etc. You can run specific queries in Google and it will tell you exactly who uses what. I don’t know for sure that is what was used here, but it seems like a perfect application of such a tactic.
The cyber criminals had to get on the inside of the organization because code management systems are never connected to the Internet (or at least they definitely shouldn’t be). So they used targeted (spear) phishing attacks to do it. Basically the bad guys knew if they could get some insider to fall prey to their phishing attack, they would essentially have the keys to the kingdom…which essentially they did.
Perhaps some of you watched the Cyber Attack Simulation on CNN on Sunday night (Feb 21). It was a cyber attack simulation in which former US federal officials played roles as cabinet members. It began with a mobile phone worm that spreads to the Internet subsequently shutting down the financial markets. Then is what was assumed as a coordinated attack, physical bombs were detonated on key power grid points that shut down much of the eastern united states. Throughout the course of the 2 hour event, it illustrated just how ill prepared the U.S. is for a variety of scenarios like this.
What I liked about the program was learning about the policy limitations we have in the U.S. that make mitigation and damage control possible. It was also interesting to see just how focused they are on perception of the public and fear of public back lash later for either doing to much or to little. I don’t doubt that meetings like this are very concerned with those very things rather than getting the problem taken care of.
What I didn’t like is how unrealistic the simulation was. First, it is possible that a worm designed for mobile phones could spread to PCs and the Internet at large, but that isn’t likely…at least not right now. That would have to be a pretty flexible worm, and flexibility means large in size, which means it probably wouldn’t have originated on mobile phones. But it isn’t out of the question. Second, they were talking about millions of people without mobile phones the cause of which would be an “act of war” etc. That is silly. There have been many times in the last several years that mobile phone networks have had issues, and I doubt it is even something discussed at a cabinet meeting. There have been many times that worms, viruses, malware, or botnets rage on the Internet and no one calls a special cabinet session to figure out our “response”. They made mention that emails were taking hours to be delivered. Some people call that “Wednesday”. That by itself simply doesn’t have enough weight to be worried about by the administration. Then this cascaded into the shutdown of the financial markets, which from my limited understanding is quite separate from the Internet and there is little chance that a worm that is designed to spread from mobile phones to the Internet could then spread and take down the financial markets. They are very separate things, with very different back end systems that do not have the same vulnerabilities that could be exploited by a single piece of malware. Individual traders that use the Internet to buy and sell shares would likely have delays or no access. But they could always call their broker and get them to trade on their behalf…unless they try to do that from their mobile phone. But then in the simulation they said that it could spread to the regular phone network. While communications companies are using and sharing more and more equipment for both data and voice communications, I don’t think a botnet/worm of nearly any imaginable size could take out the entire voice network disabling all communications. Then there were the power outages. They never said that the power outages were caused by the cyber attack, but referenced localized explosions at key points in the power grid. If what the government and utility companies have told us in the past is true, then this may be possible. When the northeast had their power outages a few years ago, they blamed it on overgrown trees in Ohio…although some speculate that it was the work of a cyber attack. What I didn’t like about this portion was when a private power company notified the NSA that they were going to divert power from them to other customers that were without power. While this may be a hypothetical scenario, I just can’t believe it would happen like that.
Overall, I didn’t think the scenario was very credible or realistic and clearly those that designed and played parts in it were not up to speed on how attacks like this are likely conducted, but it did shine light on interesting policy limitations that the government has that will make future real scenarios very interesting.
The Chinese police have arrested 3 in conjunction with a hacker site called Black Hawk. This site had been (among other things) selling membership fees totaling more than $1 million US. This group has been known to threaten businesses such as Internet cafés telling them they would be shut down with a DDOS attack if they didn’t pay them. Ultimately the Chinese authorities found them by tracking the phone number given to these businesses to pay Black Hawk.
What is really happening here is that the Chinese government feels the pressure as a result of the Google hacks and wants to appear like they are really cracking down on cybercrime. The truth is, these bozos at Black Hawk aren’t anywhere near the level of sophistication as the Google hacks (which many believe were in face Chinese state sponsored). So this really is nothing more than perception management by the Chinese, which likely means they are feeling a bit of pressure but ultimately have no intention of changing their behavior at the government level.
I came across the following in the December issue of the SANS Newsletter. I wanted to share because it’s so true!
Melissa Hathaway, who earlier this year prepared the Cyberspace Policy Review for the Obama administration, says that we as individuals, organizations, governments and a nation need to shatter long-held myths about cyber space security and take steps to mitigate threats. Some of the myths behind which these threats lurk include the notion that firewalls and antivirus software offer adequate protection from breaches; the idea that the government has solutions for cyber security problems; and the idea that “laws are keeping pace with technological innovation.”
Melissa’s Blog Post – 5 Myths About Cybersecurity
Worried about botnets? Well the IETF published a new document on their recommendation for botnet remediation. It sounds like they have written several methods to help internet service providers identify compromised systems and perhaps even redirect users to notification sites directing them to get their systems fixed. The truth is, it isn’t terribly difficult to identify infected systems, but until the ISP’s have motivation and money to do this, it will likely not get installed very many places. It also doesn’t address what would happen to users that refuse to clean up their systems (for whatever reason). So this really sounds like one of those really good ideas that isn’t going to go anywhere.
I am often asked to describe legitimate business uses for social networking services. There are many legitimate uses. I have heard some neat processes that use Twitter for disaster recovery alerts and Facebook to promote a companies products and services. But I always find it interesting when criminals use technology for their purposes. In this article the criminal was using Twitter to send botnet command and control signals. In other words, the criminal would post something to Twitter and the zombies (compromised computers) would listen on Twitter for messages to come through that could perform various desired commands. A botnet may update software, launch attacks such as DDOS, spread to other systems, relay SPAM, and other nefarious acts.
A few more details that were uncovered on the Golden Cash Bot that can be leased by individuals for $5 to $100 for 1000 compromised PCs. Once under your control, you can use it to steal data, send SPAM or any number of other nefarious purposes.
They call it Golden Cash because it is “Your money-making machine”. Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries. In their examples 1,000 bots in Australia go for $100, but 1,000 bots in Vietnam go for a mere $5.
There was a good breakdown of the most common ways you can be infected “a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server. Then the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash’s control.” 100,000 domains is a whole lot of compromised websites. Think how many hundreds, thousands, and millions of users hit these various websites daily. For those interested, the Trojan name is “Trojan-Spy.Win32.Agent.amdz”.
Some people wonder how the use of botnets is facilitated. Certainly those that exploit systems effectively turning them into “Zombies” and placing them in a botnet can’t be the ones that always utilize these compromised systems, can they? Well researches recently uncovered what they believe to be a “clearninghosue” for botnets and malware. It is called “Golden Cash” and allows those with less then pure motives to rent time on botnet network. This clearninghouse allows controllers to buy, sell, collect data, share malware, and development tools. It is believed that Golden Cash is run by the Russian Business Network.
This is been quite a week with several celebrities that have passed away including Ed Mcmahon, Farrah Fawcett, and of course Michael Jackson. As a result there are of course a flury of scams that are attempting to get people to click on links, open attachments and an assortment of other things. In addition to this, we are seeing people taking advantage of the media, and how quickly bad information can be spread in our “instant information” society. Stars that in fact are alive and well had passed away supposidly according to Internet blogs, web posts, Twitter, Facebook, and even some television stations. A hacker even broke into Britney Spears Twitter account and and posted this message to all those that follow her “Britney has passed today. It is a sad day for everyone. More news to come”.
Manipulating media…in other words Media Hacking or “Macking” (as we have decided to call it) is becoming quite popular. There are of course many ways this can be facilitated. I love the example on September 8, 2008 when old news report from December of 2002 was rehashed by someone about the bankrupcy of American Airlines and posted to Google who then applied a current date to the article (because it didn’t have one of its own). The article was picked up by a 3rd party analyst and posted to the Bloomberg news network and within minutes the stock had plumeted more than 80% and the SEC had to halt trading on it.
Macking can be very profitable for cyber criminals, and in this day in age when search engines can be manipulated, botnets can send billions of email messages, social networking sites have works and viruses that can spread messages, it is easy to see why they do this.
In my opinion, Macking is the lowest of the low hanging fruit. It is practically the fruit that falls off the tree and rolls to your feet.
Botnets are becoming a bigger and bigger threat, with relatively few people understanding why it is a big deal. The following quote is from an article posted on NetworkWorld.com.
“Research from security vendor Finjan Inc. suggests enterprise IT shops are losing the war against those who would hijack company computers for botnets. Almost half the victims appear to be in the U.S. — most using Microsoft’s Internet Explorer (IE) browser.”
You can read the full article at the NetworkWorld.com site here. The article has some good information regarding the botnet threat.
Several days ago I posted an article based on an announcement by Websense regarding a series of attacks that were compromising websites. Since that time, the attack has infected and compromised more than 30,000 websites. This is a pharming attack using website compromise that redirects to a malicious site.
Keep in mind that it isn’t just 30,000 sites that get infected, but rather how many individual users access these sites while they are compromised. These users are redirected and potentially compromised themselves. If just 1000 users are compromised from each site, we are talking about 30,000,000 new systems under remote command and control. You can see why and how botnets grow so quickly.
For more details from Webense, click here.
In a previous post, I mentioned how botnets have grown in size and sophistication that we should gear up for some real attacks coming from them. I think we will begin to see more attacks like the one that happened a couple of weeks ago in China. A DDOS attack against a popular domain registrer in China. The DDOS attack was specifically against the domain name servers (DNS). The DNS servers resolve the friendly name like www.mydomain.com to the numbered IP address that is assigned to the web server. When a system like this comes under attack, it makes it so other cannot get to the system, and therefore cannot resolve the name. Effectively this blocks their access to the site…even though the site itself wasn’t attacked. As time goes on and with the continual growth of botnets, we will see more attacks like this.
According to McAfee, “Cybercriminals have taken control of almost 12 million new IP addresses in Q1 2009, a 50 percent increase over the previous quarter. The United States is now home to the largest percentage of botnet-infected computers, hosting 18 percent of all “zombie” machines.” In their Global Threats Report, it shows Austrailia being #3 in the world for most infected computers.
Microsoft reports are quite a bit different. See chart. I don’t think it much matters who is in the lead or falling behind. Several years ago when we attempted to implement blacklists based on world geography, it could have helped. However those days are long gone in that we are truly a global society. What I think is important to note here is that everyone agrees that the number of infected systems is going up at an alarming rate.
We at Perimeter E-Security of course monitor this traffic and behavior as well. For those that are interested, our finding more closely match those of Microsoft and not McAfee in that Australia is close to the bottom on our list.
There might be several reasons for the discrepancy between McAfee and Microsoft. Microsoft’s seems to me a better indicator because their tool is free and globally distributed and used. McAfee, while having a very large user base, is not as equally distributed. So their findings are likely skewed.
Botnets have been around for a long time. For those not familiar, a botnet is a number of compromised computers put under the command and control of a single individual or group. Individually compromised computers are known as zombies. These systems are anywhere and everywhere in the world. They can be the machine you are reading this from. They can be a home or work computer.
It was only a couple of years ago that Vint Cerf, one of the original developers of the Internet estimated that one out of every four computers had malware and potentially part of a botnet. At the same time the number of Internet enabled computers worldwide was about 600 million. Today, F-Secure estimates the number of Internet accessible systems to be about double that at 1.2 billion systems. F-Secure claims that Finland has the lowest malware/botnet infection rate at about 1 percent of all systems. So likely, the number is somewhere between 1 percent and 25 percent. While that is a big spread, what is bigger is the number of systems that represents where 1 percent is over 12 million systems alone.
The Conficker botnet has lots of estimates on its size being anywhere from about 3 million to 12 million systems strong…and is likely one of the very biggest. But Conficker is just one single botnet and there are many.
Systems in the U.S. account for only about 6 percent of Conficker computers. This is likely a similar percentage of infection across other botnets as well. This is primarily due to the high rate in which we have legal versions of operating systems and applications and can patch them. In other areas of the world where software pirating is a huge problem, there is a much higher infection rate because those systems are not allowed to recieve patches and updates.
These botnets have very sophisticated communications with different methods including web access, peer-to-peer, etc. This gives the botnet a secure (encrypted) method as well as differing methods to give and accept command and control instructions.
The scary thing about botnets is that with that many systems under the control of one individual, they could do a tremendous amount of damage to segments of the Internet or any business they targeted. This would likely include distributed denial of service attacks (DDOS). To date, botnets have been used to distribute SPAM which is why SPAM now accounts for more than 90% of all email sent. When the controllers decide to do something really malicious…watch out!
On April 1st, 2009 Conficker went into a new mode that enhanced its capabilities. Some thought this would lead to some instructions (or payload) that would launch some attack. In reality, nothing happened for about a week. Then the first update came instructing Conficker systems to begin harvesting new systems. So they began scanning other systems looking for unpatched systems to compromise and spread to. I think what scared some professionals was that previous to it getting its April 1 update, it had stopped all activity. So some thought that might be a sign of the quiet before the storm. Others thought that the botnet controllers were negotiating for the use of the botnet once April 1st hit. While this may be true, with the new instructions for the systems to begin harvesting other computers, it may be that those negotiations ended. It may mean nothing at all.
While the new instructions are timed to end in May, we must remember that the controllers can send a payload anytime they want to these systems to use new instructions.
With (likely) tens of millions of systems in botnets, I believe we are at a tipping point where the threat they impose is formitable and we need to be more aware of the threat. While there isn’t a lot we can do to stop they once they take action against us, we can do a lot to keep our systems from joining the ranks of a botnet.
First, you should check if your systems are already infected. There are many ways to do this. For Conficker, there is a really easy method described here. Most system virus and spyware protection packages can detect most botnet worms and infections. Other applcations like Spybot Search and Destroy and Adaware as well as the free tool from Microsoft are also helpful. But don’t make the mistake of assuming you only need one tool.
Second, keep the worms out and off your systems. This takes a layered security approach and no one single solution. Talk with a security professional about the best ways to protect yourself from botnet infections.
© 2010 Perimeter E-Security™ All Rights Reserved.
The trademarks used herein are the registered trademarks of their respective owners.
|
|
|
|
|
|