Archive - October 2011


U.S. Advises Secure Control Systems Against Anonymous

The latest report provides an assessment of Anonymous’ capability to penetrate Industrial Control Systems (ICS) and gain access to infrastructural networks, and follows up on a previous report that investigated the group’s ability to develop new cyber attack tools.

According to the current evaluation, the government believes that Anonymous has shown that it can access ICS, but may not have the ability to actually understand the structure and inner workings of such software yet. There is speculation that Anonymous may be interested in gaining that knowledge, especially through freely available sources: “Free educational opportunities (conferences, classes), presentations at hacker conferences, and other high profile events/media coverage have raised awareness to ICS vulnerabilities, and likely shortened the time needed to develop sufficient tactics, techniques, and procedures (TTPs) to disrupt ICS,” the report states.

However, the government’s concern is that the simple capability of “recognizing and posting code”, which Anonymous has done, for example, in the case of Siemens Simatic control software, “could gain the attention of those knowledgeable in control systems”. At least in this unclassified report, though, there is no clear explanation of why the government believes that Anonymous has an increased interest in ICS, especially those that are tied to its “hacktivist” campaigns.

The report concludes:

“While Anonymous recently expressed intent to target ICS, they have not demonstrated a capability to inflict damage to these systems, instead choosing to harass and embarrass their targets using rudimentary attack methods, readily available to the research community. Anonymous does have the ability to impact aspects of critical infrastructure that run on common, internet accessible systems (such as web-based applications and windows systems) by employing tactics such as denial of service.”

The advice to ICS owners is to make sure that the security needs of their control system assets are addressed.

Zeus Trojan P2P update makes take-downs harder

The Zeus financial malware has been updated with peer-to-peer functionality that makes it much more resilient to take-down efforts and gives its controllers flexibility in how they run their fraud operations.

The new version of the infamous banking Trojan was discovered and analyzed by Swiss security expert Roman Hüssy, the creator of the Zeus and SpyEye tracking services.

One year ago security researchers from antivirus vendor Trend Micro managed to link a file infector dubbed LICAT to Zeus, concluding that it serves as a delivery platform for the Trojan and is designed to prolong its infections.

LICAT uses a special algorithm to generate random domain names for updating purposes in a similar manner to the Conficker worm. Its creators know in advance what domains the malware will check on a certain date and can register them if they need to distribute a new version.

“A few weeks ago I’ve noticed that no new murofet/LICAT C&C [command and control] domain names have been registered by the criminals. I was a little bit confused and decided to analyse a recent Zeus sample (spread through a Spam campaign targeting US citizens),” Hüssy wrote on his blog on Monday.

“When I ran the binary in my sandbox, I’ve seen some weird UDP traffic. My first guess was: This is not ZeuS. But after I’ve analysed the infection I came to the conclusion that it is actually ZeuS,” he noted.

Once installed on a computer, the new Zeus variant queries a set of hardcoded IP addresses that correspond to other infected systems. The Trojan downloads an updated set of IPs from them and if those computers are also running a newer version, it updates itself.

Zeus is one of the oldest and most popular crimeware toolkits available on the underground market. Up until this year the Trojan could only be acquired for significant sums of money from its original author. However, a few months ago the source code leaked online and now anyone with the proper knowledge can create variations of the malware.

Hüssy believes that this new version is a custom build used by a particular fraud gang or a very small number of cybercriminal groups. Fortunately, the variant still relies on a single domain for receiving commands and submitting stolen data, and this allows researchers to hijack the botnet temporarily, at least until it is updated to use another domain via the P2P system.

Using this method, which is known as sinkholing, Hüssy managed to count 100,000 unique IP addresses in 24 hours. This doesn’t reflect the exact size of the botnet, because infected LAN computers can use the same IP on the Internet, while others might get new IP addresses assigned to them by their internet service providers on each restart.

The effort did, however, allow the Swiss researcher to determine that the biggest number of computers infected with this new Zeus variant are located in India, Italy and the U.S.
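The unique-IP count described above, as an added example that is not part of the article or of Hüssy’s own tooling: a small sinkhole-log counter that deduplicates check-ins per calendar day and per 24-hour window, and reports hits alongside unique IPs so the gap the article mentions (NAT sharing one address, DHCP handing out new ones) is visible. The log lines and their format are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sinkhole log (not real data): "<timestamp> <client ip> <method> <path>".
SINKHOLE_LOG = """\
2011-10-10T00:05:12Z 203.0.113.5 POST /gate.php
2011-10-10T00:05:13Z 203.0.113.5 POST /gate.php
2011-10-10T03:41:07Z 198.51.100.77 POST /gate.php
2011-10-10T09:12:44Z 192.0.2.9 POST /gate.php
2011-10-10T23:59:58Z 203.0.113.5 POST /gate.php
2011-10-11T00:00:03Z 198.51.100.77 POST /gate.php
2011-10-11T00:02:19Z 192.0.2.10 POST /gate.php
garbage line that should be ignored
2011-10-11T05:30:00Z not-an-ip POST /gate.php
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, ip) pairs; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            ip = ip_address(m.group(2))  # rejects malformed addresses
        except ValueError:
            continue
        events.append((ts, str(ip)))
    return events


def daily_summary(events):
    """Per UTC calendar day: raw hits and unique source IPs.

    Unique IPs is what a sinkhole can measure; it undercounts hosts behind
    NAT and overcounts hosts whose ISP rotates their address."""
    hits = defaultdict(int)
    seen = defaultdict(set)
    for ts, ip in events:
        day = ts.date().isoformat()
        hits[day] += 1
        seen[day].add(ip)
    return {d: {"hits": hits[d], "unique_ips": len(seen[d])} for d in hits}


def unique_ips_in_window(events, start, hours=24):
    """Unique IPs seen in the sliding window [start, start + hours)."""
    end = start + timedelta(hours=hours)
    return len({ip for ts, ip in events if start <= ts < end})
```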

“We all know that the fight between criminals and security researchers is a cat and mouse game. I’m sure this wasn’t the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar,” Hüssy concluded.

According to a recent report from security vendor Trusteer, Zeus and SpyEye are the biggest threats faced by financial institutions, the company estimating that the number of Zeus infections exceeds that of SpyEye four to one.

Malware victim loses net connection to iCode

An Australian woman has this month had her internet connection cut off under the iCode initiative after she received 42 consecutive emails warning that her computer was infected.

The customer of a small unnamed telco had her machine hijacked by a botnet, rendering it what is known as a zombie machine. It then pumped malicious traffic over her internet connection which alerted her ISP.

The woman had struggled to remove the notoriously stubborn malicious fake anti-virus program because it had disabled her legitimate anti-virus software and prevented her from executing applications.

Her internet connection was cut to all but a single web page with the provider, referred to as a walled garden, after she failed to remove the infection.

The telco then phoned her to assist in the removal of the malware.

Internet connections were cut only in the “most severe” cases, iCode chief and former director of the Internet Industry Association (IIA) Peter Coroneos said.

Normally customers would be contacted by phone or email after ISPs detected malicious botnet traffic from their accounts, and then directed to a web page which contains security tools.

Large internet providers typically implemented network traffic analysis and automated email alerts to detect and warn customers of infections.

Smaller telcos often manually examined data, sinkholed botnet traffic and phoned compromised users, Coroneos said.

Recent information from the Australian Communications and Media Authority found the average number of daily reported botnet infections had declined from 16,000, between June 2010 and 2011, to 11,500 in July alone this year.

The IIA did not have figures detailing the number of machines cleaned by telcos operating under the iCode.

Heading offshore

Australia’s voluntary internet industry iCode may be adopted in the US and will be trialled in South Africa under an increasing drive by governments and industry to wipe out botnets.

Some ISPs in South Africa would soon begin trials of the code, Coroneos said.

The US Department of Homeland Security may also adopt the iCode. It flagged the strategy in a request-for-information document issued this month to research ways to reduce botnet infections.

Also flagged was a similar government-run initiative in Japan where botnet infections were discovered in honeypots.

In both initiatives, compromised customers were directed to a web page to download security tools that could remove the infections.

Coroneos said he thought the iCode would fit well with US legal frameworks because the country’s largest telco, Comcast, had already implemented a similar in-house framework.

“The internet providers have far from won the fight against botnets, but there is progress and customers are accepting of the iCode,” Coroneos said.

The code was pushed out to pre-empt looming government regulation that may have made providers responsible for the security of end-users.
