On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of 5 servers used to control as many as 2 million computers infected with Coreflood malware. This malware, also known as AFCore, quietly steals personal and financial information from the computer and forwards the information to the criminal ring leaders. The attackers use the information collected by AFCore to conduct fraudulent wire transfers, emptying the users’ bank accounts.  The botnet is suspected to have existed since at least 2002, and has evolved over the years from using IRC based command and control and selling DDOS/anonymity services, to HTTP based command and control and performing fraud.

Using a similar approach used to take down the Bredolab botnet, US federal investigators were granted special authorization by the Department of Justice to substitute their own Command and Control server for the hosts operated by the criminal organization.  When the bot of the infected machine checks into the new C&C it is simply given a command to shutdown.  The DNS records used by the bots have also been pointed to Shadowserver’s sinkholes.

Seizing control of the C&C servers by law enforcement is now preventing the criminals from accessing any information already harvested by the infected computers.  It also keeps them from covering their tracks by deleting files and terminating processes.  However, the millions of Coreflood infections remain intact and still require intervention by a trained security analyst or antivirus program with signatures to detect it. Investigators are also alerting the Internet Service Providers of the compromised machines and requesting they inform their customers.

More information about the takedown can be found here:

• Botnet Operation Disabled: FBI Seizes Servers to Stop Cyber Fraud
• Bold FBI Move Shutters COREFLOOD Bot

Perimeter’s Security Operations Center is actively monitoring for outbound activity known to be associated with the Coreflood botnet.  In one instance, minutes after adding inspection for the redirected C&C check-in, alerts indicated a single customer network to have 17 actively compromised hosts. Here’s a sample screenshot from our SOC’s Security and Information Event Management System:

Coreflood Botnet Traffic, from Perimeter SOC

Looking at the raw event logs, we can see that the compromised host is attempting direct HTTP connections to a sinkhole IP. The URI confirms the activity to be related to a bot C&C check-in:

Recommendations for Perimeter customers

Although the FBI has taken ownership of the Command and Control and are issuing shutdown commands to the active bots, the malware is still installed on the compromised machines and reactivated at bootup.  Analysis of this Coreflood variant indicates the C&C domains change monthly and have been pre-registered in countries that are outside of United States jurisdiction.  There still remains a possiblity of the criminal ring regaining control of the botnet.  Perimeter strongly recommends customers take the following actions to stay protected:

• Use Web Content Filtering to lockdown Internet usage by enforcing user authentication and blocking of categories not critical to business
• In particular, customers are strongly advised to block access to unclassified sites, which commonly harbor malware and C&C servers
• Use standard best practices such as Network IPS and Network/Desktop AV to help prevent infections
• In cases where infections do occur, a strong WCF policy will help prevent theft of data, and will provide additional logging information used by the Perimeter’s Security Operations Center

Thanks for your time and attention, and stay safe.

Last week I hosted a webinar called “5 Data Security Predictions for 2011.” The webinar was my first of many for Perimeter. It was lots of fun. I received some excellent questions from the audience. And I was gratified to see that we had several hundred registered attendees, too!

For those of you who couldn’t make the webinar, you can click on this link to view the replay. But if you are allergic to multimedia, I thought I’d summarize the topics I covered in the webinar here. Last week’s webinar had three goals:

• To take a look back at the key security trends from 2010
• To summarize the three most interesting security events of the last year, and the lessons we learned from them
• To predict five data security trends for 2011

This post covers the first item on the agenda: looking back at 2010.

2010: The Year of Living Dangerously

With many apologies to the actor formerly known as Mel Gibson, 2010 extended and deepened four trends we’ve seen in previous years. These should seem familiar to you, but there are a few twists that make them worthy of comment. In 2010, we observed:

• Multiplying threats. It should come as no surprise to astute security professionals that malware has continued to proliferate. As with previous years, the number of circulating malware samples increased, by some counts, by a factor of 10 over the previous year. McAfee, for example, estimates the the number of samples has exceeded 50 million. Other AV vendors have reported similar figures. The reason for the increases is simple: attackers are creating malware in smaller “batch sizes” (but with a larger number of batches) to evade detection by anti-virus engines. We are getting close to what I call “designer malware”: one signature, one victim. It’s not hard to understand why that strategy would work for the bad guys: if you can create unique malware for each victim, you can slide under the radar screen of the AV labs because the prevalence is nearly zero.  The low-and-slow attack vector for modern malware is a difficult challenge for everyone in the industry. And it is clearly successful. From Perimeter’s perspective as an MSSP, we have been tracking nearly 25 botnets that we’ve observed in action inside our customers’ networks. We expect to track more incursions in the future.
• Migration of malware to the web. Hand-in-hand with the explosion in malware samples is the change in attack tactics. Instead of mailing infected attachments to their intended victims, the bad guys are much more likely to send e-mails with hyperlinks in them, which they then induce the recipient to click on. When clicked on, the link leads to a site that dynamically generates “drive-by” malware that is custom-made for the victim. Again, this goes back to the “designer malware” comment in the previous bullet. Some of the vendors I’ve worked with in the past (like WebSense) have noted the movement of malware away from e-mail and towards the web. As an MSSP with content filtering services, we’ve noticed it too. What it means for our customers is that web content-filtering becomes a lot more important than it used to be. Keeping inbound web traffic free from malware becomes as critical for security (indeed, more so) than the outbound stuff. Never mind whether Johnny in Accounting is spending too much time on ESPN’s website — you should care just as much if he’s getting 0wned when he goes there.
• Mobile security fears. From the iPad to those newfangled Android devices, every enterprise I’ve spoken with is worried about what modern Post-PC devices will do to their security posture. The urgency stems from two sources. First, managers want to know how to apply security controls to consumer-grade gear being brought into the workplace by employees and executives. They want to know what kind of password and data protection policies they need, and how to apply them to gear that isn’t named BlackBerry. Second, companies have concerns about the iPad in particular, because of business initiatives outside IT. Both scenarios are equally important. You can read about my perspective on Apple devices in this Forrester report, which I wrote last summer, and in press accounts of it here and here.
• More compliance pressures. Compliance and security are often conflated, but it’s best to view the kinds of security activities enterprises do for compliance purposes as a kind of tax they have to pay to stay in business. And every year, the “tax rate” goes up. For example, with the passage of the HITECH provisions of the American Recovery and Reinvestment Act (ARRA) of 2009 (aka “the stimulus bill”), health care Covered Entities (hospitals and providers of medical care) and their Business Associates (insurers, and other partners) are subject to more stringent rules on what they must do to safeguard personal protected health information (PHI). For retailers, recent revisions to the Payment Card Industry’s Data Security Standard (PCI-DSS) means that businesses that accept and process credit cards must tighten up their wireless networks, manage their server log files better and audit their web-facing applications. And in the banking sector, new rules from FINRA around social media means that employers must monitor their employees’ use of Facebook and other outside websites.

All four of these trends are top-of-mind concerns for just about every security professional and CISO I speak with. What is most interesting for me, as an observer, student of security and CTO is the mix of concerns. Threats and compliance pressures are perennial concerns: they are always with us, and always need tending to. The attackers won’t stop brewing up increasingly lethal doses of malware for consumption by the unwitting, and the auditors won’t put down their clipboards. But the new evergreen issues on this list — mobile security, and the increased lethality of web content — could cause rapid shifts in company security postures very quickly if they aren’t dealt with. How we respond to these two issues is the key.

And on that note, we’re at a good breaking point for this post. The next posts will summarize what we learned from 2010′s three most interesting events, and offer predictions for  2011.

The following table summarizes the November security bulletins that affect Microsoft Windows in order of severity.

Affected Software

^[1]The security updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time.

To avoid being affected by these vulnerabilities, our security experts recommend installing the necessary update on your machines which can be found on the Microsoft website.

Here is the link for more information.
http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx

The Perimeter Security Operations Center has recently discovered that upon visiting these sites you may be presented with either a fake Adobe Reader 8 Install prompt or a Microsoft Security Essentials “Infection Found” pop-up window.  Neither of these are legitimate.

This ad based drive-by download presents itself as ThinkPoint.  The file may use a legitimate name such as hotfix.exe or mstsc.exe and is saved to a temp directory.  It then picks out random files, claims they are infected and forces you to “clean” these false threats.  ThinkPoint will state that you need a heuristic program to fix the problems and offers to sell one for $99.90.  Do not purchase ThinkPoint; this program is fraudulent!

Anti-viruses may detect this as FakeAV, FakeAlert, or a generic Trojan.  A full list can be found here:

http://www.virustotal.com/file-scan/report.html?id=c049d274905ac80c9377e1cb0c291a5e67c33876ce256454db29dea953e44e4a-1287696527

There is a surprising lack of information about this trojan variant, considering how popular the sites are that are helping spread it.  We have found one reputable anti-virus vendor with insight:

http://www.f-secure.com/weblog/archives/00002053.html

For Perimeter’s ITC customers we have added a Null Route to blacklist the IP address of the domain actually serving the malware.  The advertising domain has also been submitted to Fortinet to be recategorized as Malware until this issue can be resolved by the primary domains using the advertisements.

For customers using Fortigate, additional steps of preventing this kind of infection include subscribing to Web Content Filtering while blocking the Advertising and Unrated categories, and subscribing to network anti-virus with download of Executables blocked.

The three guys that were arrested for the Mariposa botnet may never go to jail.

Apparently if you are going to operate a botnet, Spain is the perfect place to do it because there are currently no laws around the their alleged crimes. Now prosecutors are trying to link their activity to other crimes that there are laws for.  So I guess botnet owners have perhaps found a “safe haven”.

Mariposa is said to have as many as 12.7 million compromised computers (Zombies) worldwide. The software acted as a Trojan horse and captured login credentials for online bank accounts. Following the arrests, police recovered personal information of more than 800,000 people. Zombies were in many of the Fortune 1000 companies as well as in 40 major banks. The Mariposa Working Group, which is a coalition of security experts, academics and law enforcement, were the ones who got it shut down.

More things are coming to light about the Aurora cyber attackers who targeted Google and other companies. This is really pretty interesting stuff (if your geek-o-meter pegs solidly in the red). McAfee released a paper at RSA last week that says that the Aurora cyber attackers had been going after source-code management systems. These are software systems that house, manage, and control the source code for companies. Keeping track of source code can be a big task. Imagine all the different developers, different versions, etc. These systems are the life blood of development organizations. If a hacker could gain access to these systems, they could modify code, inject trojans and malware potentially, and certainly steal code (intellectual property).

According to the paper released by McAfee, the source code system was virtually “wide open” which tells us they had a severe lack in their security. But here is where it gets interesting. Remember that other companies were targeted by the same Aurora group at the same time? Well they were all using the same code management system…with likely all the same security vulnerabilities. Someone might ask how cyber criminals could determine which companies were using which code management systems. There was a lot of talk about “Google Hacking” a few years ago. This is different than hacking Google, but rather using Google’s search engine to hack others…or maybe Google as well. Google and other search engines are such amazing indexing tools that often they can find bits of code or web pages that indicate what software a particular company uses. This is most often the case with web applications, web servers, etc. You can run specific queries in Google and it will tell you exactly who uses what. I don’t know for sure that is what was used here, but it seems like a perfect application of such a tactic.

The cyber criminals had to get on the inside of the organization because code management systems are never connected to the Internet (or at least they definitely shouldn’t be). So they used targeted (spear) phishing attacks to do it. Basically the bad guys knew if they could get some insider to fall prey to their phishing attack, they would essentially have the keys to the kingdom…which essentially they did.

Perhaps some of you watched the Cyber Attack Simulation on CNN on Sunday night (Feb 21). It was a cyber attack simulation in which former US federal officials played roles as cabinet members. It began with a mobile phone worm that spreads to the Internet subsequently shutting down the financial markets. Then is what was assumed as a coordinated attack, physical bombs were detonated on key power grid points that shut down much of the eastern united states. Throughout the course of the 2 hour event, it illustrated just how ill prepared the U.S. is for a variety of scenarios like this.

What I liked about the program was learning about the policy limitations we have in the U.S. that make mitigation and damage control possible. It was also interesting to see just how focused they are on perception of the public and fear of public back lash later for either doing to much or to little. I don’t doubt that meetings like this are very concerned with those very things rather than getting the problem taken care of.

What I didn’t like is how unrealistic the simulation was. First, it is possible that a worm designed for mobile phones could spread to PCs and the Internet at large, but that isn’t likely…at least not right now. That would have to be a pretty flexible worm, and flexibility means large in size, which means it probably wouldn’t have originated on mobile phones. But it isn’t out of the question. Second, they were talking about millions of people without mobile phones the cause of which would be an “act of war” etc. That is silly. There have been many times in the last several years that mobile phone networks have had issues, and I doubt it is even something discussed at a cabinet meeting. There have been many times that worms, viruses, malware, or botnets rage on the Internet and no one calls a special cabinet session to figure out our “response”. They made mention that emails were taking hours to be delivered. Some people call that “Wednesday”. That by itself simply doesn’t have enough weight to be worried about by the administration. Then this cascaded into the shutdown of the financial markets, which from my limited understanding is quite separate from the Internet and there is little chance that a worm that is designed to spread from mobile phones to the Internet could then spread and take down the financial markets. They are very separate things, with very different back end systems that do not have the same vulnerabilities that could be exploited by a single piece of malware. Individual traders that use the Internet to buy and sell shares would likely have delays or no access. But they could always call their broker and get them to trade on their behalf…unless they try to do that from their mobile phone.  But then in the simulation they said that it could spread to the regular phone network. While communications companies are using and sharing more and more equipment for both data and voice communications, I don’t think a botnet/worm of nearly any imaginable size could take out the entire voice network disabling all communications. Then there were the power outages. They never said that the power outages were caused by the cyber attack, but referenced localized explosions at key points in the power grid. If what the government and utility companies have told us in the past is true, then this may be possible. When the northeast had their power outages a few years ago, they blamed it on overgrown trees in Ohio…although some speculate that it was the work of a cyber attack. What I didn’t like about this portion was when a private power company notified the NSA that they were going to divert power from them to other customers that were without power. While this may be a hypothetical scenario, I just can’t believe it would happen like that.

Overall, I didn’t think the scenario was very credible or realistic and clearly those that designed and played parts in it were not up to speed on how attacks like this are likely conducted, but it did shine light on interesting policy limitations that the government has that will make future real scenarios very interesting.

The Chinese police have arrested 3 in conjunction with a hacker site called Black Hawk.  This site had been (among other things) selling membership fees totaling more than $1 million US.  This group has been known to threaten businesses such as Internet cafés telling them they would be shut down with a DDOS attack if they didn’t pay them.  Ultimately the Chinese authorities found them by tracking the phone number given to these businesses to pay Black Hawk.

What is really happening here is that the Chinese government feels the pressure as a result of the Google hacks and wants to appear like they are really cracking down on cybercrime.  The truth is, these bozos at Black Hawk aren’t anywhere near the level of sophistication as the Google hacks (which many believe were in face Chinese state sponsored).  So this really is nothing more than perception management by the Chinese, which likely means they are feeling a bit of pressure but ultimately have no intention of changing their behavior at the government level.

I came across the following in the December issue of the SANS Newsletter.  I wanted to share because it’s so true!

Melissa Hathaway, who earlier this year prepared the Cyberspace Policy Review for the Obama administration, says that we as individuals, organizations, governments and a nation need to shatter long-held myths about cyber space security and take steps to mitigate threats.  Some of the myths behind which these threats lurk include the notion that firewalls and antivirus software offer adequate protection from breaches; the idea that the government has solutions for cyber security problems; and the idea that “laws are keeping pace with technological innovation.”

Melissa’s Blog Post – 5 Myths About Cybersecurity

They call it Golden Cash because it is “Your money-making machine”. Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries. In their examples 1,000 bots in Australia go for $100, but 1,000 bots in Vietnam go for a mere $5.

There was a good breakdown of the most common ways you can be infected “a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server. Then the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash’s control.”  100,000 domains is a whole lot of compromised websites.  Think how many hundreds, thousands, and millions of users hit these various websites daily.  For those interested, the Trojan name is “Trojan-Spy.Win32.Agent.amdz”.

(Read the CNET.com article here)

Manipulating media…in other words Media Hacking or “Macking” (as we have decided to call it)  is becoming quite popular.  There are of course many ways this can be facilitated.  I love the example on September 8, 2008 when old news report from December of 2002 was rehashed by someone about the bankrupcy of American Airlines and posted to Google who then applied a current date to the article (because it didn’t have one of its own).  The article was picked up by a 3rd party analyst and posted to the Bloomberg news network and within minutes the stock had plumeted more than 80% and the SEC had to halt trading on it.

Macking can be very profitable for cyber criminals, and in this day in age when search engines can be manipulated, botnets can send billions of email messages, social networking sites have works and viruses that can spread messages, it is easy to see why they do this.

In my opinion, Macking is the lowest of the low hanging fruit.  It is practically the fruit that falls off the tree and rolls to your feet.

“Research from security vendor Finjan Inc. suggests enterprise IT shops are losing the war against those who would hijack company computers for botnets. Almost half the victims appear to be in the U.S. — most using Microsoft’s Internet Explorer (IE) browser.”

You can read the full article at the NetworkWorld.com site here. The article has some good information regarding the botnet threat.

Keep in mind that it isn’t just 30,000 sites that get infected, but rather how many individual users access these sites while they are compromised.  These users are redirected and potentially compromised themselves.  If just 1000 users are compromised from each site, we are talking about 30,000,000 new systems under remote command and control.  You can see why and how botnets grow so quickly.

For more details from Webense, click here.

Article

Microsoft reports are quite a bit different.  See chart.  I don’t think it much matters who is in the lead or falling behind.  Several years ago when we attempted to implement blacklists based on world geography, it could have helped.  However those days are long gone in that we are truly a global society.  What I think is important to note here is that everyone agrees that the number of infected systems is going up at an alarming rate.

We at Perimeter E-Security of course monitor this traffic and behavior as well.  For those that are interested, our finding more closely match those of Microsoft and not McAfee in that Australia is close to the bottom on our list.

There might be several reasons for the discrepancy between McAfee and Microsoft.  Microsoft’s seems to me a better indicator because their tool is free and globally distributed and used.  McAfee, while having a very large user base, is not as equally distributed.  So their findings are likely skewed.

It was only a couple of years ago that Vint Cerf, one of the original developers of the Internet estimated that one out of every four computers had malware and potentially part of a botnet.  At the same time the number of Internet enabled computers worldwide was about 600 million.  Today, F-Secure estimates the number of Internet accessible systems to be about double that at 1.2 billion systems.  F-Secure claims that Finland has the lowest malware/botnet infection rate at about 1 percent of all systems.  So likely, the number is somewhere between 1 percent and 25 percent.  While that is a big spread, what is bigger is the number of systems that represents where 1 percent is over 12 million systems alone.

The Conficker botnet has lots of estimates on its size being anywhere from about 3 million to 12 million systems strong…and is likely one of the very biggest.  But Conficker is just one single botnet and there are many.

Systems in the U.S. account for only about 6 percent of Conficker computers.  This is likely a similar percentage of infection across other botnets as well.  This is primarily due to the high rate in which we have legal versions of operating systems and applications and can patch them.  In other areas of the world where software pirating is a huge problem, there is a much higher infection rate because those systems are not allowed to recieve patches and updates.

These botnets have very sophisticated communications with different methods including web access, peer-to-peer, etc.  This gives the botnet a secure (encrypted) method as well as differing methods to give and accept command and control instructions.

The scary thing about botnets is that with that many systems under the control of one individual, they could do a tremendous amount of damage to segments of the Internet or any business they targeted.  This would likely include distributed denial of service attacks (DDOS).  To date, botnets have been used to distribute SPAM which is why SPAM now accounts for more than 90% of all email sent.  When the controllers decide to do something really malicious…watch out!

On April 1st, 2009 Conficker went into a new mode that enhanced its capabilities.  Some thought this would lead to some instructions (or payload) that would launch some attack.  In reality, nothing happened for about a week.  Then the first update came instructing Conficker systems to begin harvesting new systems.  So they began scanning other systems looking for unpatched systems to compromise and spread to.  I think what scared some professionals was that previous to it getting its April 1 update, it had stopped all activity.  So some thought that might be a sign of the quiet before the storm.  Others thought that the botnet controllers were negotiating for the use of the botnet once April 1st hit.  While this may be true, with the new instructions for the systems to begin harvesting other computers, it may be that those negotiations ended.  It may mean nothing at all.

While the new instructions are timed to end in May, we must remember that the controllers can send a payload anytime they want to these systems to use new instructions.

With (likely) tens of millions of systems in botnets, I believe we are at a tipping point where the threat they impose is formitable and we need to be more aware of the threat.  While there isn’t a lot we can do to stop they once they take action against us, we can do a lot to keep our systems from joining the ranks of a botnet.

First, you should check if your systems are already infected.  There are many ways to do this.  For Conficker, there is a really easy method described here.  Most system virus and spyware protection packages can detect most botnet worms and infections.  Other applcations like Spybot Search and Destroy and Adaware as well as the free tool from Microsoft are also helpful.  But don’t make the mistake of assuming you only need one tool.

Second, keep the worms out and off your systems.  This takes a layered security approach and no one single solution.  Talk with a security professional about the best ways to protect yourself from botnet infections.