The three guys that were arrested for the Mariposa botnet may never go to jail.

Apparently if you are going to operate a botnet, Spain is the perfect place to do it because there are currently no laws around the their alleged crimes. Now prosecutors are trying to link their activity to other crimes that there are laws for.  So I guess botnet owners have perhaps found a “safe haven”.

Mariposa is said to have as many as 12.7 million compromised computers (Zombies) worldwide. The software acted as a Trojan horse and captured login credentials for online bank accounts. Following the arrests, police recovered personal information of more than 800,000 people. Zombies were in many of the Fortune 1000 companies as well as in 40 major banks. The Mariposa Working Group, which is a coalition of security experts, academics and law enforcement, were the ones who got it shut down.

More things are coming to light about the Aurora cyber attackers who targeted Google and other companies. This is really pretty interesting stuff (if your geek-o-meter pegs solidly in the red). McAfee released a paper at RSA last week that says that the Aurora cyber attackers had been going after source-code management systems. These are software systems that house, manage, and control the source code for companies. Keeping track of source code can be a big task. Imagine all the different developers, different versions, etc. These systems are the life blood of development organizations. If a hacker could gain access to these systems, they could modify code, inject trojans and malware potentially, and certainly steal code (intellectual property).

According to the paper released by McAfee, the source code system was virtually “wide open” which tells us they had a severe lack in their security. But here is where it gets interesting. Remember that other companies were targeted by the same Aurora group at the same time? Well they were all using the same code management system…with likely all the same security vulnerabilities. Someone might ask how cyber criminals could determine which companies were using which code management systems. There was a lot of talk about “Google Hacking” a few years ago. This is different than hacking Google, but rather using Google’s search engine to hack others…or maybe Google as well. Google and other search engines are such amazing indexing tools that often they can find bits of code or web pages that indicate what software a particular company uses. This is most often the case with web applications, web servers, etc. You can run specific queries in Google and it will tell you exactly who uses what. I don’t know for sure that is what was used here, but it seems like a perfect application of such a tactic.

The cyber criminals had to get on the inside of the organization because code management systems are never connected to the Internet (or at least they definitely shouldn’t be). So they used targeted (spear) phishing attacks to do it. Basically the bad guys knew if they could get some insider to fall prey to their phishing attack, they would essentially have the keys to the kingdom…which essentially they did.

Perhaps some of you watched the Cyber Attack Simulation on CNN on Sunday night (Feb 21). It was a cyber attack simulation in which former US federal officials played roles as cabinet members. It began with a mobile phone worm that spreads to the Internet subsequently shutting down the financial markets. Then is what was assumed as a coordinated attack, physical bombs were detonated on key power grid points that shut down much of the eastern united states. Throughout the course of the 2 hour event, it illustrated just how ill prepared the U.S. is for a variety of scenarios like this.

What I liked about the program was learning about the policy limitations we have in the U.S. that make mitigation and damage control possible. It was also interesting to see just how focused they are on perception of the public and fear of public back lash later for either doing to much or to little. I don’t doubt that meetings like this are very concerned with those very things rather than getting the problem taken care of.

What I didn’t like is how unrealistic the simulation was. First, it is possible that a worm designed for mobile phones could spread to PCs and the Internet at large, but that isn’t likely…at least not right now. That would have to be a pretty flexible worm, and flexibility means large in size, which means it probably wouldn’t have originated on mobile phones. But it isn’t out of the question. Second, they were talking about millions of people without mobile phones the cause of which would be an “act of war” etc. That is silly. There have been many times in the last several years that mobile phone networks have had issues, and I doubt it is even something discussed at a cabinet meeting. There have been many times that worms, viruses, malware, or botnets rage on the Internet and no one calls a special cabinet session to figure out our “response”. They made mention that emails were taking hours to be delivered. Some people call that “Wednesday”. That by itself simply doesn’t have enough weight to be worried about by the administration. Then this cascaded into the shutdown of the financial markets, which from my limited understanding is quite separate from the Internet and there is little chance that a worm that is designed to spread from mobile phones to the Internet could then spread and take down the financial markets. They are very separate things, with very different back end systems that do not have the same vulnerabilities that could be exploited by a single piece of malware. Individual traders that use the Internet to buy and sell shares would likely have delays or no access. But they could always call their broker and get them to trade on their behalf…unless they try to do that from their mobile phone.  But then in the simulation they said that it could spread to the regular phone network. While communications companies are using and sharing more and more equipment for both data and voice communications, I don’t think a botnet/worm of nearly any imaginable size could take out the entire voice network disabling all communications. Then there were the power outages. They never said that the power outages were caused by the cyber attack, but referenced localized explosions at key points in the power grid. If what the government and utility companies have told us in the past is true, then this may be possible. When the northeast had their power outages a few years ago, they blamed it on overgrown trees in Ohio…although some speculate that it was the work of a cyber attack. What I didn’t like about this portion was when a private power company notified the NSA that they were going to divert power from them to other customers that were without power. While this may be a hypothetical scenario, I just can’t believe it would happen like that.

Overall, I didn’t think the scenario was very credible or realistic and clearly those that designed and played parts in it were not up to speed on how attacks like this are likely conducted, but it did shine light on interesting policy limitations that the government has that will make future real scenarios very interesting.

The Chinese police have arrested 3 in conjunction with a hacker site called Black Hawk.  This site had been (among other things) selling membership fees totaling more than $1 million US.  This group has been known to threaten businesses such as Internet cafés telling them they would be shut down with a DDOS attack if they didn’t pay them.  Ultimately the Chinese authorities found them by tracking the phone number given to these businesses to pay Black Hawk.

What is really happening here is that the Chinese government feels the pressure as a result of the Google hacks and wants to appear like they are really cracking down on cybercrime.  The truth is, these bozos at Black Hawk aren’t anywhere near the level of sophistication as the Google hacks (which many believe were in face Chinese state sponsored).  So this really is nothing more than perception management by the Chinese, which likely means they are feeling a bit of pressure but ultimately have no intention of changing their behavior at the government level.

I came across the following in the December issue of the SANS Newsletter.  I wanted to share because it’s so true!

Melissa Hathaway, who earlier this year prepared the Cyberspace Policy Review for the Obama administration, says that we as individuals, organizations, governments and a nation need to shatter long-held myths about cyber space security and take steps to mitigate threats.  Some of the myths behind which these threats lurk include the notion that firewalls and antivirus software offer adequate protection from breaches; the idea that the government has solutions for cyber security problems; and the idea that “laws are keeping pace with technological innovation.”

Melissa’s Blog Post – 5 Myths About Cybersecurity

They call it Golden Cash because it is “Your money-making machine”. Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries. In their examples 1,000 bots in Australia go for $100, but 1,000 bots in Vietnam go for a mere $5.

There was a good breakdown of the most common ways you can be infected “a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server. Then the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash’s control.”  100,000 domains is a whole lot of compromised websites.  Think how many hundreds, thousands, and millions of users hit these various websites daily.  For those interested, the Trojan name is “Trojan-Spy.Win32.Agent.amdz”.

(Read the CNET.com article here)

Manipulating media…in other words Media Hacking or “Macking” (as we have decided to call it)  is becoming quite popular.  There are of course many ways this can be facilitated.  I love the example on September 8, 2008 when old news report from December of 2002 was rehashed by someone about the bankrupcy of American Airlines and posted to Google who then applied a current date to the article (because it didn’t have one of its own).  The article was picked up by a 3rd party analyst and posted to the Bloomberg news network and within minutes the stock had plumeted more than 80% and the SEC had to halt trading on it.

Macking can be very profitable for cyber criminals, and in this day in age when search engines can be manipulated, botnets can send billions of email messages, social networking sites have works and viruses that can spread messages, it is easy to see why they do this.

In my opinion, Macking is the lowest of the low hanging fruit.  It is practically the fruit that falls off the tree and rolls to your feet.

“Research from security vendor Finjan Inc. suggests enterprise IT shops are losing the war against those who would hijack company computers for botnets. Almost half the victims appear to be in the U.S. — most using Microsoft’s Internet Explorer (IE) browser.”

You can read the full article at the NetworkWorld.com site here. The article has some good information regarding the botnet threat.

Keep in mind that it isn’t just 30,000 sites that get infected, but rather how many individual users access these sites while they are compromised.  These users are redirected and potentially compromised themselves.  If just 1000 users are compromised from each site, we are talking about 30,000,000 new systems under remote command and control.  You can see why and how botnets grow so quickly.

For more details from Webense, click here.

Article

Microsoft reports are quite a bit different.  See chart.  I don’t think it much matters who is in the lead or falling behind.  Several years ago when we attempted to implement blacklists based on world geography, it could have helped.  However those days are long gone in that we are truly a global society.  What I think is important to note here is that everyone agrees that the number of infected systems is going up at an alarming rate.

We at Perimeter E-Security of course monitor this traffic and behavior as well.  For those that are interested, our finding more closely match those of Microsoft and not McAfee in that Australia is close to the bottom on our list.

There might be several reasons for the discrepancy between McAfee and Microsoft.  Microsoft’s seems to me a better indicator because their tool is free and globally distributed and used.  McAfee, while having a very large user base, is not as equally distributed.  So their findings are likely skewed.

It was only a couple of years ago that Vint Cerf, one of the original developers of the Internet estimated that one out of every four computers had malware and potentially part of a botnet.  At the same time the number of Internet enabled computers worldwide was about 600 million.  Today, F-Secure estimates the number of Internet accessible systems to be about double that at 1.2 billion systems.  F-Secure claims that Finland has the lowest malware/botnet infection rate at about 1 percent of all systems.  So likely, the number is somewhere between 1 percent and 25 percent.  While that is a big spread, what is bigger is the number of systems that represents where 1 percent is over 12 million systems alone.

The Conficker botnet has lots of estimates on its size being anywhere from about 3 million to 12 million systems strong…and is likely one of the very biggest.  But Conficker is just one single botnet and there are many.

Systems in the U.S. account for only about 6 percent of Conficker computers.  This is likely a similar percentage of infection across other botnets as well.  This is primarily due to the high rate in which we have legal versions of operating systems and applications and can patch them.  In other areas of the world where software pirating is a huge problem, there is a much higher infection rate because those systems are not allowed to recieve patches and updates.

These botnets have very sophisticated communications with different methods including web access, peer-to-peer, etc.  This gives the botnet a secure (encrypted) method as well as differing methods to give and accept command and control instructions.

The scary thing about botnets is that with that many systems under the control of one individual, they could do a tremendous amount of damage to segments of the Internet or any business they targeted.  This would likely include distributed denial of service attacks (DDOS).  To date, botnets have been used to distribute SPAM which is why SPAM now accounts for more than 90% of all email sent.  When the controllers decide to do something really malicious…watch out!

On April 1st, 2009 Conficker went into a new mode that enhanced its capabilities.  Some thought this would lead to some instructions (or payload) that would launch some attack.  In reality, nothing happened for about a week.  Then the first update came instructing Conficker systems to begin harvesting new systems.  So they began scanning other systems looking for unpatched systems to compromise and spread to.  I think what scared some professionals was that previous to it getting its April 1 update, it had stopped all activity.  So some thought that might be a sign of the quiet before the storm.  Others thought that the botnet controllers were negotiating for the use of the botnet once April 1st hit.  While this may be true, with the new instructions for the systems to begin harvesting other computers, it may be that those negotiations ended.  It may mean nothing at all.

While the new instructions are timed to end in May, we must remember that the controllers can send a payload anytime they want to these systems to use new instructions.

With (likely) tens of millions of systems in botnets, I believe we are at a tipping point where the threat they impose is formitable and we need to be more aware of the threat.  While there isn’t a lot we can do to stop they once they take action against us, we can do a lot to keep our systems from joining the ranks of a botnet.

First, you should check if your systems are already infected.  There are many ways to do this.  For Conficker, there is a really easy method described here.  Most system virus and spyware protection packages can detect most botnet worms and infections.  Other applcations like Spybot Search and Destroy and Adaware as well as the free tool from Microsoft are also helpful.  But don’t make the mistake of assuming you only need one tool.

Second, keep the worms out and off your systems.  This takes a layered security approach and no one single solution.  Talk with a security professional about the best ways to protect yourself from botnet infections.