
Anonymous DDoS and shutdown London Stock Exchange for two hours
U.S. Spending Heavily to Counter Deadly DDoS Cyber Attacks by Foreign Foes
Popular VPN service fights back against DDoS ransom demand
New Wave of Hacker Attacks Coming
India becomes top spam-sending nation in the world: Trend Micro
The war on botnets
Kaspersky and cyber terrorism
U.S. Advises Secure Control Systems Against Anonymous
Zeus Trojan P2P update makes take-downs harder
Malware victim loses net connection to iCode

Anonymous DDoS and shutdown London Stock Exchange for two hours

Anonymous hacktivists take down the London Stock Exchange website for more than two hours as part of a protest against the world's banks

The online hacktivist group Anonymous reportedly shut down the London Stock Exchange (LSE) website last week for more than two hours as part of a protest against the world's banks and financial institutions.

According to the Mail on Sunday, the attack was carried out by the Philippines unit of Anonymous on June 2 at 9am. Previous targets have included the Bank of Greece, the Central Bank of the Dominican Republic and the Dutch Central Bank.

The newspaper says: "Anonymous claims the incident was one of 67 successful attacks it has launched in the past month on the websites of major institutions, with targets including the Swiss National Bank, the Central Bank of Venezuela and the Federal Reserve Bank of San Francisco."

A spokesperson for the LSE declined to comment on the incident. However, the attack most likely took the form of a distributed denial of service (DDoS) attack, which exhausts the capacity of the public website rather than breaching it, so trading systems would not have been affected and no sensitive data would have been compromised.

The group also claims that the LSE attack was the latest in a series, run under the banner of Operation Icarus, that in the preceding 24 hours had also targeted the websites of NYSE Euronext, the parent company of the New York Stock Exchange, and the Turkish stock exchange.

According to the newspaper, City of London Police said it was not informed that the LSE website had gone down and had no knowledge of the attack.

However, the latest attack may not be a complete surprise.

In a video posted to YouTube on May 4, a member of the amorphous group announced that "central bank sites across the world" would be attacked as part of a month-long campaign called Operation Icarus.

The video statement said: "We will not let the banks win, we will be attacking the banks with one of the most massive attacks ever seen in the history of Anonymous."

Using a DDoS attack, the group also successfully disrupted the Greek central bank's website.

In light of that event, a separate video was posted to YouTube on May 2.

The masked individual representing the Anonymous group said: "Olympus will fall. How fitting that Icarus found his way back to Greece. Today, we have continuously taken down the website of the Bank of Greece. Today, Operation Icarus has moved into the next phase."

The Anonymous spokesperson added: "Like Icarus, the powers that be have flown too close to the sun, and the time has come to set the wings of their empire ablaze, and watch the system their power relies on come to a grinding halt and come crashing down around them. We must strike at the heart of their empire by once again throwing a wrench into the machine, but this time we face a much bigger target: the global financial system."


U.S. Spending Heavily to Counter Deadly DDoS Cyber Attacks by Foreign Foes

The U.S. Defense Advanced Research Projects Agency (DARPA) is spending heavily to automate the U.S. military's cyber defense responses to distributed denial-of-service (DDoS) attacks, which are widely expected to precede a limited armed conflict or a full-scale war with another nation.

DARPA's answer to this threat is Extreme DDoS Defense, or XD3. The program aims to change how the military protects its networks from both high-volume and low-volume DDoS attacks, and the general public and private business firms are expected to benefit from it as well.

A DDoS attack occurs when many compromised systems flood the bandwidth or resources of a targeted system, such as the Pentagon's web servers. Such attacks are hard to thwart because the traffic arrives from many machines at once, and hard to deal with because responses to DDoS attacks are usually delayed and manually driven.

Over the past seven months, DARPA has awarded seven XD3 multi-million dollar contracts to Georgia Tech, George Mason University, Invincea Labs, Raytheon BBN, Vencore Labs and the University of Pennsylvania.

DARPA said the nature of DDoS attacks spans a wide range. Botnet-induced volumetric attacks, which can generate hundreds of gigabits per second of malicious traffic, are perhaps the best-known form of DDoS.

"However, low-volume DDoS attacks can be even more pernicious and problematic from a defensive standpoint. Such attacks target specific applications, protocols or state-machine behaviors while relying on traffic sparseness (or seemingly innocuous message transmission) to evade traditional intrusion-detection techniques."

DARPA noted that the current state of the art in DDoS defense generally relies on combinations of network-based filtering, traffic diversion and "scrubbing", or on replication of stored data (or of the logical points of connectivity used to access it) to dilute volumetric attacks and provide diverse access for legitimate users.

It said these approaches fall well short of desired capabilities in terms of response times and in the ability to identify and thwart low-volume DDoS. Current methods also cannot stop DDoS carried inside encrypted traffic, where the application-layer content is not visible to the filter. There is also a need to defend real-time transactional services, such as those associated with military command and control.

DARPA laments that responses to DDoS attacks are too slow and manually driven.

Diagnosing an attack and formulating filtering rules often takes hours, and deploying them takes longer still. DARPA therefore sees a clear need for fundamentally new DDoS defenses with far greater resilience across a broader range of contexts than existing approaches, or evolutionary extensions of them, can offer.
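To make the volumetric versus low-volume distinction concrete, here is an added example of my own (not DARPA or XD3 code) that classifies traffic sources from constructed connection records. A rate-only check of the traditional kind catches the flood source but misses the low-and-slow source; a check on connection duration and bytes sent catches both, and each verdict is turned into a candidate filter rule. The thresholds, IP addresses, record format and rule syntax are assumptions made for illustration.

```python
from collections import defaultdict

# Illustrative thresholds (assumptions, not DARPA/XD3 parameters).
RATE_PER_MIN = 120        # more than this many connections/min from one source: volumetric
SLOW_MIN_DURATION = 30.0  # a connection held open at least this long ...
SLOW_MAX_BYTES = 256      # ... while sending at most this many bytes ...
SLOW_MIN_COUNT = 3        # ... seen this many times from one source: low-and-slow


def parse(text):
    """Parse constructed records: '<ts_s> <src_ip> <duration_s> <bytes_in> <done|open>'."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, dur, nbytes, state = line.split()
        records.append((float(ts), ip, float(dur), int(nbytes), state == "done"))
    return records


def build_sample():
    """Constructed traffic, not a real capture: one flood source, one
    Slowloris-style source and four normal clients, all within 60 s."""
    lines = []
    for i in range(300):   # flood: 300 short, complete requests in one minute
        lines.append(f"{i * 0.2:.1f} 203.0.113.5 0.02 420 done")
    for i in range(6):     # slow: 6 connections each held 120 s after 90 bytes of header
        lines.append(f"{i * 10:.1f} 198.51.100.9 120.0 90 open")
    for i in range(40):    # normal: ordinary requests from 192.0.2.10-13
        lines.append(f"{i * 1.5:.1f} 192.0.2.{10 + i % 4} 0.3 650 done")
    return "\n".join(lines)


def _peak_per_window(times, window_s):
    """Largest number of connection starts inside any sliding window of window_s."""
    times = sorted(times)
    peak = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window_s:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def rate_only_flags(records, window_s=60.0):
    """The traditional volumetric detector: flag sources by connection rate alone."""
    by_src = defaultdict(list)
    for ts, ip, *_ in records:
        by_src[ip].append(ts)
    return {ip for ip, ts in by_src.items()
            if _peak_per_window(ts, window_s) * 60.0 / window_s > RATE_PER_MIN}


def classify(records, window_s=60.0):
    """Label each source 'volumetric', 'low-and-slow' or 'normal'.
    Uses only connection metadata (timing, bytes, completion), so the verdict
    is the same whether or not the payload is encrypted."""
    by_src = defaultdict(list)
    for ts, ip, dur, nbytes, done in records:
        by_src[ip].append((ts, dur, nbytes, done))
    labels = {}
    for ip, conns in by_src.items():
        rate = _peak_per_window([c[0] for c in conns], window_s) * 60.0 / window_s
        if rate > RATE_PER_MIN:
            labels[ip] = "volumetric"
            continue
        slow = [c for c in conns
                if c[1] >= SLOW_MIN_DURATION and c[2] <= SLOW_MAX_BYTES and not c[3]]
        labels[ip] = "low-and-slow" if len(slow) >= SLOW_MIN_COUNT else "normal"
    return labels


def suggest_rules(labels):
    """Turn verdicts into candidate mitigations (rule syntax is illustrative)."""
    rules = []
    for ip, label in sorted(labels.items()):
        if label == "volumetric":
            rules.append(f"drop src {ip}")                              # upstream ACL / scrubbing
        elif label == "low-and-slow":
            rules.append(f"limit src {ip} conns 4; header-timeout 10s")  # per-client caps at the app tier
    return rules


if __name__ == "__main__":
    recs = parse(build_sample())
    print("rate-only flags:", rate_only_flags(recs))   # misses 198.51.100.9
    print(classify(recs))
    print(suggest_rules(classify(recs)))
```

The slow source opens only six connections in the minute, far below any sensible rate threshold, which is exactly the sparseness DARPA describes; it is the per-connection shape (long-lived, almost no bytes, never completed) that gives it away. Because the classifier looks only at connection metadata it is unaffected by TLS, though a real deployment would still need the thresholds tuned per service so that slow legitimate clients on poor links are not caught.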


Popular VPN service fights back against DDoS ransom demand

But today, a full five days before the ransom demand came due, the company struck back, going public with the demand and promising to withstand any attack the criminals attempted. "We apologize for any disruption as a result of these attacks; please know that we will do everything in our power to thwart them," the company wrote in a blog post today. "But let us reiterate: no matter what happens, we simply will not pay these garden-variety thugs." (The line was later removed.)

It's a common scheme for web criminals, who often see small services as more likely to comply with the demands. In recent years, similar attacks have targeted Meetup, Feedly, Fastmail and even Greek banks, often demanding higher and higher sums the longer sites wait to pay. There are a number of paid and open-source protections against denial-of-service attacks, but unpatched servers and other devices have made it easy for criminals to keep pace, mounting ever larger attacks in recent years.



New Wave of Hacker Attacks Coming

Smarter hackers, and a new generation of “hacktivists” will launch attacks on mobile banking apps, virtual currency and even your local supermarket in 2012.

All my buddy Mario wanted was a can of beans to have for lunch one day last month. What he got, though, was a big pain in the bank account, when it turned out that his ATM card may have been one of the thousands of credit and debit cards potentially compromised by a devilishly clever band of hackers in Northern California. Mario, who lives in San Carlos, a suburb a bit south of San Francisco, had swiped his card at the self-serve checkout counter in his local Lucky's market.

It appears that the information on his card, along with that of thousands of other shoppers, may have been collected by a device called a skimmer that was surreptitiously installed on the card readers at the store. The skimmer reads the magnetic-stripe data as the card is swiped and transmits it back to the hackers. As soon as they discovered the hack, Lucky's management advised customers who had recently used the checkout kiosks to close the bank accounts linked to the cards they swiped.

The lesson of the Lucky’s attack is clear to anyone who follows computer security. Hackers are moving away from the traditional attacks on PCs accessing the Internet, to a wider variety of devices and applications. Researchers at McAfee this week issued the company’s annual report on cyber threats likely to hit in the coming year. And while it’s obvious that McAfee, which makes its living selling security software, has lots of skin in this game, it’s worth taking the company’s report seriously.

Highlights include:

Attacks on mobile banking apps: One of the really insidious things about today's hackers is how quickly they adapt to measures taken by the security community. According to the report, security researcher Ryan Sherstobitoff in July discussed how the transactions performed by criminals using Zeus and SpyEye could be tracked, since they looked nothing like those of legitimate users. Last month, though, he showed how the criminals had adapted and can now programmatically steal from victims while the victims are still logged on.

Hackers, predicts McAfee, will adapt what they’ve learned about attacking online banking conducted via PCs to the mobile world. “As we use our mobile devices ever more for banking, we will see attackers bypass PCs and go straight after mobile-banking apps. We expect to see attacks that leverage this type of programmatic technique in greater frequency as more and more users handle their finances on mobile devices,” the report states.

At the moment, there are few apps designed to protect smartphones, but that’s likely to change in the coming year. It’s also worth noting that so far, at least, there have been few, if any, documented attacks on mobile banking users.

Hacktivist attacks: On Christmas Eve, the hackers of Anonymous broke into databases of Stratfor, a security think tank and stole thousands of credit card numbers, passwords and email addresses, and then demanded that the company donate $1 million to charity as a form of ransom. Whether you agree with the politics of Anonymous or not, your personal information could become collateral damage in the war between authorities and the cyber radicals.

According to the report, “The ‘true’ Anonymous (that is, its historical wing) will reinvent themselves and their scene or die out. If the Anonymous circles of influence are unable to become organized — with clear calls for action and responsibility claims — all those labeling themselves Anonymous will eventually run the risk of becoming marginalized. Either way, we will see a large increase in such attacks. Distributed denial of service (DDoS) and personal data disclosures justified by a political conscience will continue to grow.”

Virtual currency: Virtual currency, sometimes called cybercurrency, has become a popular way for people to exchange money online. These online "wallets" are not encrypted and the transactions are public, making them an attractive target for cybercriminals. There have already been attacks directed at users of Bitcoin, one of the largest virtual currencies, said Dave Marcus, McAfee's director of advanced research and threat intelligence. "Our concern isn't confined to Bitcoin. Virtual currencies seem almost designed to attract hackers," he told me.

McAfee Labs expects to see this threat evolve into spam, data theft, tools, support networks and other associated services dedicated to solely exploiting virtual currencies, in order to steal money from unsuspecting victims or to spread malware.

Rogue certificates: Digital certificates tell your browser, and sometimes your computer's operating system, that a website's key belongs to the domain it claims or that a downloaded file was signed by a named publisher. A certificate attests identity, not safety, so a fraudulently issued or stolen one inherits all of that trust. Hackers are now finding ways to obtain such rogue certificates and use the access they enable to spread malware.

Some of these threats are hard to avoid, while others can be easily defanged by keeping your security software up to date and keeping an eye on your online accounts for fraudulent charges. In our discussion, Marcus was careful to note that "We're not predicting doomsday. We're not trying to scare people away from technology." So don't panic. But as they used to say on Hill Street Blues, "Be careful out there."

India becomes top spam-sending nation in the world: Trend Micro

India’s Internet base may be swelling but so are the online risks. India, it turns out, has become the top spam-sending nation in the world, according to the latest report by IT security company Trend Micro.

India ranked second in this list of spamming countries during the first quarter of 2011, fell to third position in the following quarter, before finally rising to the pole position in the just-concluded quarter. Previously, it was the US and South Korea which were placed on top of the list in the first and second quarter, respectively.

"As in the previous quarter, India and South Korea continued to be part of the top three spam-sending countries. Surprisingly, however, the US, which commonly takes the top spot, was not on the top 10 spam-sending countries list," said the report. India's share of global spam was an alarming 12 per cent and that of South Korea was 9 per cent.

As the top spam-sending countries are also the most spambot-infected ones, the US’ drop in ranking possibly indicates a lower infection level, the report said adding that ?this may be a result of the botnet takedowns that occurred in the last few months.?


As it is, reports by various other security vendors have in the past revealed that India continues to be a hotbed for 'bots'. If anything, India's share of the world's spam bots has only gone up. 'Bots' are software programs that run automated tasks over the Internet; in this context they are malware running on compromised computers under an attacker's remote control.

This type of malware gives an attacker full control of the affected computer, which can then be used to launch attacks against websites. A spambot is an automated program that helps the attacker send out spam.

"If a computer is vulnerable and becomes part of a 'botnet' community, the infected computer may be sending out multiple spams without the user actually being aware of it. In India, we are not protected enough, and people do not realise the seriousness of the security threats," said Mr Amit Nath, Country Manager India and SAARC at Trend Micro.


For India, this unhappy milestone in the online threat landscape comes at a time when the increasing affordability of computers and the Internet have pushed up the country’s Internet base to 100 million users in September. India is projected to have 121 million Internet users by December 2011, estimates Internet and Mobile Association of India.

The Trend Micro report further said that Google has replaced Microsoft as the software vendor with the greatest number of reported vulnerabilities for the quarter – 82.

Meanwhile, in a written reply in the Lok Sabha, the Minister of State for Communications and IT, Mr Sachin Pilot, said that the Indian Computer Emergency Response Team, in coordination with industry and service providers, is working towards disabling 'spam bots' located in India to curb spam sources.

The war on botnets

This week saw one of the most significant successes ever in the fight against cyber crime when the DNS Changer botnet was dismantled and seven people were charged.

It followed a slew of botnet takedowns achieved in the past two years alone. It’s a good time to be a crime fighter on the internet.

Yet during the eight years between the birth of malicious networks at the turn of the millennium and the decapitation of major botnet-hoster McColo in 2008, the security industry and law enforcement were in the doldrums.

Unable to cooperate efficiently or find a way to counter cyber criminals and their megalithic botnets, they were looking as hopeless as Eeyore on a hangover.

It took far longer for the industry and police forces to find some answers than it did for hackers to up their skills and exponentially increase the sophistication and size of their networks. But answers did nevertheless arrive and since 2008 we’ve seen just how dramatically the pendulum has swung in the favour of the ‘good guys.’

When McColo was shut down, taking with it a tonne of malware and botnet activity, the impact was immediately felt. Spam levels fell by as much as 80 per cent.

Mariposa, which had infected 13 million PCs, and Mega-D were the first major botnets to fall after the McColo operation. Then came Waledac and Bredolab in 2010, bringing down two massively powerful botnets surreptitiously controlling tens of millions of machines.

What seemed like a freak spate of successes for the anti-botnet warriors soon became a roll. This year saw Coreflood, which had compromised millions of Windows machines, taken out by the FBI. The crowning moment came in March, with the beheading of Rustock. Again, a massive drop in spam was recorded following the takedown.

The winning streak didn’t stop there either. Just last month, it emerged the Kelihos botnet was terminated, with legal action taken against 24 individuals in connection with the case. And now DNS Changer.

The tide has evidently turned. We are learning how to fight the war on botnets. More importantly, we are learning how to win key battles.

The McColo failure

Data sharing and collaboration have been at the heart of this shift. Yet prior to 2008, there was little cooperation whatsoever.

It was when McColo was shut down that the broken system really became apparent. Despite the immediate drop in spam, the McColo shutdown showed how poorly intelligence was being used. Measured by arrests and lasting disruption, the operation was a failure.

"When the McColo takedown happened people really understood just how much intelligence was lost in the lack of coordination," Alex Lanstein, FireEye's senior security researcher, told IT Pro. "Here you have the biggest malicious data centre in the history of the internet. It gets wiped out and there wasn't a single arrest. A lot of people watching were asking how could they have blown it so badly."

In the days before and during McColo’s demise, efforts to kill botnets were hampered by a “willy-nilly approach” where members of different bodies could be investigating the same threat without any joined up coordination, Lanstein said.

In some cases, companies were fighting the botnet war for more unscrupulous, self-serving means, only exacerbating the situation. “If you were just trying to get a little PR, you might not necessarily have spent the amount of time digging into the malware as you should have,” Lanstein continued.

“If you take down the first level of infrastructure, all the bots are going to automatically failover to another [infrastructure]. Not only are you not going to have any operational impact, you’re going to have a tonne of negative impact in that the bad guys will know someone is targeting them.”

Cyber criminals are nimble. Once they become alerted to a concerted effort to crack their operations, they move fast to improve their resiliency. This is why, in the old days, when bodies didn't work with one another on tackling botnets, they did just half the work and unwittingly helped their common enemies.

To kill botnets, you need to go the whole way and dismantle the entire infrastructure. And to do that, you need as much information and cooperation as you can get.

Microsoft to the rescue

To bring the different sides together, the security industry needed a big player to step up the plate. Microsoft did just that. It took on the role of chief botnet slayer.

Microsoft hasn't always been the friendliest giant, just look at its various ongoing squabbles with Google, but the Redmond firm has been the linchpin in many significant battles against botnets. It was responsible for drawing together industry players and law enforcement in smashing Waledac, Rustock and Kelihos. All have formed part of Project Microsoft Active Response for Security (MARS), which has one core aim: "To annihilate botnets and help make the internet a safer place."

“Microsoft has really stepped up in a lot of different ways to try to bring together multiple groups that might not have known each other,” Lanstein added. “They’ve really put a lot of money in going after botnets and it has worked.”

The MARS team has worked with a host of security companies, including Kaspersky and FireEye, to share information relating to infections. In the case of Kelihos, Kaspersky loaned Microsoft its live botnet tracking system. The Russian company also led the operation to reverse-engineer the bot malware, crack its communication protocol and develop tools to take apart the botnet's peer-to-peer infrastructure. It was another truly communal effort.

Microsoft should be proud of its work here. No other tech vendor has initiated such a concerted campaign against botnets. That’s not to say others haven’t played a big part, however. There have been some significant successes that haven’t involved Microsoft. The software behemoth was not part of two of the most significant botnet shutdowns in history – Mariposa and DNS Changer. Both of those led to complete disarmament of the bot masters and arrests of suspects.

Microsoft has shown what is possible when everyone cooperates – others have subsequently proven that point: the simple act of sharing is key in identifying botnets and successfully destroying them.

The long arm of the law

Collaboration might be vital, but the nail in the coffin of any botnet is only hammered in if arrests and prosecutions follow. In the past year, a plethora of suspects have been apprehended, but why now? Largely because tech companies and law enforcement have worked out how to persuade judges to open up legal pathways for taking botnet infrastructure down before its owners are warned.

Just a few years back, efforts to end botnets were not only hampered by an industry as fractious as the Greek Government – the legal system was doing the good guys no favours either. Instead of immediately asking registrars to shut down domains or ordering datacentre owners to allow police to switch off servers helping run botnets, courts required bot-herders be sent warning first.

Now, cyber criminals aren't so lucky. The cases of Waledac and Rustock have set legal precedents that will be of huge benefit to the good guys in the long run. In the case of the former, Microsoft convinced a judge to issue an ex parte temporary restraining order (TRO), which meant Verisign, the administrator of the .com domain registry, had to hand the 276 domains used by Waledac for its command-and-control operations over to the Redmond company. Microsoft achieved this simply by pointing to the continuing harm that would be caused by the botnet if immediate action was not taken.

With Rustock, Microsoft filed a lawsuit against the anonymous operators of the botnet, basing its argument in part on the abuse of Microsoft trademarks in the bot's spam. These clever legal manoeuvres are necessary to open the door to complete botnet destruction.

"As a private company we can only use civil process – we do not pretend to be law enforcement. But we wanted to do something proactively to protect our customers," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.

"We looked at the body of laws that were in place in the civil world in the US and asked 'how could we adopt these to be able to confront some of these 21st century problems?' There is always a cry for new laws and new legislation, but the reality is there are a lot of good laws on the books that were passed for other purposes that are easily translatable."

It's all about creative use of the current laws, rather than begging for fresh legislation, Boscovich argues. In this week's DNS Changer takedown, courts were again convinced to let law enforcement take a botnet apart. Datacentres in Chicago and New York were raided and dirty servers replaced with clean ones, all thanks to a court order. If the perpetrators had been warned in that case, it could have ruined five years' worth of work.

Indeed, the "company" responsible for running the botnet, an Estonian organisation called Rove Digital, had previously moved servers when it sensed law enforcement was closing in on some of its other suspicious operations, according to Trend Micro. Imagine if they'd been given notice again. Four million computers would still be infected and the crooks would continue making millions fraudulently.

The future

Whilst the work of law enforcement, industry and others involved in the war on botnets is more than commendable, it would be unwise to get carried away. There remain some major obstacles to overcome. The first is how to tackle the subdomain issue.

At the current time, there is no requirement for domain hosts to know anything about those using their subdomains. In the case of Kelihos, Microsoft got a little lucky. Dominique Alexander Piatti of Czech domain hoster dotFREE Group was accused, along with a number of unidentified suspects, of owning a domain and using it to register other subdomains which were running the Kelihos botnet.

Yet Microsoft dropped its lawsuit against Piatti late last month, as it seemed dotFREE was simply being used by Kelihos's controllers. Anyone hoping the case would inspire lawmakers to create fresh legislation was sorely disappointed. Domain hosts will still not be forced to know who their customers are. The crooked ones will simply turn a blind eye to pernicious activity on their servers.

"There are a lot of domains hosting hundreds of thousands of subdomains that are really hosting nasty stuff," said Boscovich. He explained dotFREE had been highly proactive in cleaning up its game and learning about its customers. The domain industry should follow suit, he said. Either that or extra regulation is required.

"We would really like to see either the other subdomainers employ the same kind of business practices or maybe even have ICANN require that if you're going to provide subdomains that you're required to get the same information registrars are asked to get," he added.

"It is time for the community to put more rules in place internationally through ICANN, hopefully, to get more transparency as to who is really behind these domains and subdomains that are causing a lot of problems."

Subdomainers aren't the only ones who need to be brought into line. The young upstarts of the infosec world need to be convinced to join the party too. The divisions between the new players and the old guard could mean certain important data isn't being shared. If these schisms aren't dealt with, ironically, industry in-fighting will only benefit the cyber criminals.

In essence, it's all about greater and greater collaboration. The war against botnets will always be one of attrition. As in the real world, you can't ever completely kill crime. Yet if you can build a sizeable enough army, and keep its various factions at peace with one another, you'll be winning the fight even if you won't win outright.

Kaspersky and cyber terrorism

Of all the pronouncements coming out of the London Cyber Summit this week, the statements of Eugene Kaspersky are the most provocative. Rather than pile on and criticize him for uttering the words "cyber terrorism", it is worth taking a deep breath and considering what could give rise to his statements.

Kaspersky, of course, is the founder of anti-virus powerhouse Kaspersky Lab, responsible for some of the best research into malware and the cyber criminals who create it. It is safe to assume that he has pretty good insight into the world of cyber threats. He is rather flamboyant and has led a turbulent life, most recently rescuing his son from kidnappers in Russia. So yes, he may be prone to making controversial statements.

Sky News provides the following quotes:

"I don't want to speak about it. I don't even want to think about it," he said.
"But we are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists – and then… oh, God."
"There is already cyber espionage, cyber crime, hacktivism… soon we will be facing cyber terrorism."

Before the semantic police jump all over this (Terrorism involves death and destruction! You can't do that over the Internet!), let's define our terms. What would we call it when terrorists engage in cyber attacks? I am going to assume Kaspersky thinks along the lines I do. Cyber terrorism would be cyber attacks carried out by terrorist organizations. Is that possible? Has it happened? Is it likely to happen soon?

First, is it possible for terrorist organizations to engage in cyber attacks? Of course. Denial of service, defacements, doxing (publishing private information about public figures), extortion, cyber crime, even Stuxnet-like cyber sabotage, could all be carried out by terrorists as easily as by the current bad actors (organized crime, Anonymous, LulzSec, etc.). I think the ease with which terrorists could engage in cyber attacks is what spurred Kaspersky to say what he did.

Have terrorists engaged in cyber attacks? In 2006 a popular e-commerce site received an email claiming to be from Islamic Jihad and demanding that it take offensive material, offered by one of its resellers, off its site. When it elected to ignore the demands, its domain was subjected to a DDoS (Distributed Denial of Service) attack that took it down for several days. Forensics verified that the attacks originated in the Middle East. I understand they reported the attacks to the FBI but never publicized the event, although it was clearly visible in the uptime records kept by Netcraft.

This year ComodoHacker, who claims to be a supporter of the Iranian regime, broke into the Dutch certificate authority DigiNotar and issued rogue certificates for at least 500 domains, including those of the CIA, MI6, Facebook, Microsoft, Skype and Twitter. The rogue Google certificate was then used to intercept the Gmail traffic of users inside Iran, in an operation widely attributed to the Iranian government.

And of course trying to keep track of the hacking that goes on in the Middle East against Israel is an overwhelming task. But just because a hacker supports the same cause as terrorist organizations is a tenuous basis for a claim of cyber terrorism. At the same time, just follow the "Tango Down" posts of Th3J35t3r on Twitter to see all of the Jihadi recruitment sites that he has tasked himself with taking down. There is no question that terrorists use the Internet.

The final question, whether terrorists will engage in cyber attacks, depends on their motivations more than their abilities, since the tools and capabilities are easily acquired. Would disrupting the Internet, major stock exchanges, banks or government websites be attractive to them? Since the costs and risks are so low, you can see why Kaspersky is concerned.


U.S. Advises Secure Control Systems Against Anonymous

The latest report provides an assessment of Anonymous' capability to penetrate industrial control systems (ICS) and gain access to infrastructure networks. It follows up on a previous report that investigated the group's ability to develop new cyber attack tools.

According to the current evaluation, the government believes that Anonymous has shown that it can access ICS, but may not have the ability to actually understand the structure and inner workings of such software yet. There is speculation that Anonymous may be interested in gaining that knowledge, especially through freely available sources: “Free educational opportunities (conferences, classes), presentations at hacker conferences, and other high profile events/media coverage have raised awareness to ICS vulnerabilities, and likely shortened the time needed to develop sufficient tactics, techniques, and procedures (TTPs) to disrupt ICS,” the report states.

However, the government’s concern is that the simple capability of “recognizing and posting code”, which Anonymous has done, for example, in the case of Siemens Simatic control software, “could gain the attention of those knowledgeable in control systems”. Yet, at least in this unclassified report, there is no clear answer as to why the government believes that Anonymous appears to have increased interest in ICS, especially those tied to its “hacktivist” campaigns.

The report concludes:

“While Anonymous recently expressed intent to target ICS, they have not demonstrated a capability to inflict damage to these systems, instead choosing to harass and embarrass their targets using rudimentary attack methods, readily available to the research community. Anonymous does have the ability to impact aspects of critical infrastructure that run on common, internet accessible systems (such as web-based applications and Windows systems) by employing tactics such as denial of service.”

The advice to ICS owners is to make sure the security needs of their control system assets are addressed.

Zeus Trojan P2P update makes take-downs harder

The Zeus financial malware has been updated with peer-to-peer functionality that makes it much more resilient to take-down efforts and gives its controllers flexibility in how they run their fraud operations.

The new version of the infamous banking Trojan was discovered and analyzed by Swiss security expert Roman Hüssy, the creator of the Zeus and SpyEye tracking services.

One year ago security researchers from antivirus vendor Trend Micro managed to link a file infector dubbed LICAT to Zeus, concluding that it serves as a delivery platform for the Trojan and is designed to prolong its infections.

LICAT uses a special algorithm to generate random domain names for updating purposes in a similar manner to the Conficker worm. Its creators know in advance what domains the malware will check on a certain date and can register them if they need to distribute a new version.

“A few weeks ago I noticed that no new murofet/LICAT C&C [command and control] domain names have been registered by the criminals. I was a little bit confused and decided to analyse a recent Zeus sample (spread through a spam campaign targeting US citizens),” Hüssy wrote on his blog on Monday.

“When I ran the binary in my sandbox, I saw some weird UDP traffic. My first guess was: This is not ZeuS. But after I analysed the infection I came to the conclusion that it is actually ZeuS,” he noted.

Once installed on a computer, the new Zeus variant queries a set of hardcoded IP addresses that correspond to other infected systems. The Trojan downloads an updated set of IPs from them and if those computers are also running a newer version, it updates itself.

Zeus is one of the oldest and most popular crimeware toolkits available on the underground market. Up until this year the Trojan could only be acquired for significant sums of money from its original author. However, a few months ago the source code leaked online and now anyone with the proper knowledge can create variations of the malware.

Hüssy believes that this new version is a custom build used by a particular fraud gang or a very small number of cybercriminal groups. Fortunately, the variant still relies on a single domain for receiving commands and submitting stolen data, and this allows researchers to hijack the botnet temporarily, at least until it is updated to use another domain via the P2P system.

Using this method, which is known as sinkholing, Hüssy managed to count 100,000 unique IP addresses in 24 hours. This doesn’t reflect the exact size of the botnet, because several infected computers on one LAN can share a single public IP address on the Internet, while others might be assigned a new IP address by their internet service provider on each restart.
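To show why a 24-hour unique-IP count from a sinkhole is only a rough proxy for botnet size, here is an added example (not code from the article or from the researcher's tracking services) that tallies constructed sinkhole log lines three ways: unique IPs per day, the peak number of distinct IPs in any one hour (less inflated by dynamic-IP churn), and check-ins per IP (a very busy address may be a NAT gateway hiding several bots). The log format is an assumption made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole access-log lines: "<ISO timestamp> <source IP>".
# 203.0.113.7 checks in repeatedly (a stable address, perhaps a NAT gateway with several bots);
# 198.51.100.23 and 198.51.100.24 are one home machine before and after an IP lease change.
SAMPLE_LOG = """\
2011-10-10T00:05:12Z 203.0.113.7
2011-10-10T00:05:40Z 203.0.113.7
2011-10-10T01:10:02Z 198.51.100.23
2011-10-10T06:12:45Z 203.0.113.7
2011-10-10T13:10:02Z 198.51.100.24
2011-10-10T13:11:30Z 192.0.2.55
2011-10-11T00:01:00Z 192.0.2.55
2011-10-11T02:30:00Z 203.0.113.7
"""

def parse_log(log_text):
    """Yield (timestamp, ip) for each non-empty line; malformed lines raise ValueError."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip

def unique_ips_per_day(log_text):
    """Unique source IPs per calendar day: the raw figure quoted in the article."""
    per_day = defaultdict(set)
    for ts, ip in parse_log(log_text):
        per_day[ts.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in per_day.items()}

def peak_hourly_unique(log_text):
    """Largest number of distinct IPs seen within any single clock hour.
    Dynamic addresses rarely change within an hour, so this view is less inflated
    by lease churn than the 24-hour figure (it still undercounts bots behind NAT)."""
    per_hour = defaultdict(set)
    for ts, ip in parse_log(log_text):
        per_hour[ts.strftime("%Y-%m-%dT%H")].add(ip)
    return max((len(ips) for ips in per_hour.values()), default=0)

def checkins_per_ip(log_text):
    """Check-in count per IP; an address far above the others may front several bots."""
    counts = defaultdict(int)
    for _, ip in parse_log(log_text):
        counts[ip] += 1
    return dict(counts)

if __name__ == "__main__":
    print(unique_ips_per_day(SAMPLE_LOG))   # 4 on the first day, 2 on the second
    print(peak_hourly_unique(SAMPLE_LOG))   # 2
    print(checkins_per_ip(SAMPLE_LOG))
```

The first day counts four IPs although only three machines are represented, while the hourly peak of two shows how much the daily figure can drift from the real population.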

The effort did, however, allow the Swiss researcher to determine that the biggest number of computers infected with this new Zeus variant are located in India, Italy and the U.S.

“We all know that the fight between criminals and security researchers is a cat and mouse game. I’m sure this wasn’t the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar,” Hüssy concluded.

According to a recent report from security vendor Trusteer, Zeus and SpyEye are the biggest threats faced by financial institutions, the company estimating that the number of Zeus infections exceeds that of SpyEye four to one.

Malware victim loses net connection to iCode

An Australian woman had her internet connection cut off this month under the iCode initiative after she received 42 consecutive emails warning that her computer was infected.

The customer of a small unnamed telco had her machine hijacked by a botnet, rendering it what is known as a zombie machine. It then pumped malicious traffic over her internet connection which alerted her ISP.

The woman had struggled to remove the notoriously stubborn fake anti-virus program because it had disabled her legitimate anti-virus software and prevented her from executing applications.

Her internet connection was cut to all but a single web page with the provider, referred to as a walled garden, after she failed to remove the infection.

The telco then phoned her to assist in the removal of the malware.

Internet connections were cut only in the “most severe” cases, iCode chief and former director of the Internet Industry Association (IIA) Peter Coroneos said.

Normally customers would be contacted by phone or email after ISPs detected malicious botnet traffic from their accounts, and then directed to a web page containing security tools.

Large internet providers typically implemented network traffic analysis and automated email alerts to detect and warn customers of infections.

Smaller telcos often manually examined data, sinkholed botnet traffic and phoned compromised users, Coroneos said.

Recent information from the Australian Communications and Media Authority found that the average number of daily reported botnet infections had declined from 16,000, between June 2010 and 2011, to 11,500 in July alone this year.

The IIA did not have figures detailing the number of machines cleaned by telcos operating under the iCode.

Heading offshore

Australia’s voluntary internet industry iCode may be adopted in the US and will be trialled in South Africa under an increasing drive by governments and industry to wipe out botnets.

Some ISPs in South Africa would soon begin trials of the code, Coroneos said.

The US Department of Homeland Security may also adopt the iCode. It flagged the strategy in a request for information document issued this month to research ways to reduce botnet infections.

Also flagged was a similar government-run initiative in Japan where botnet infections were discovered in honeypots.

In both initiatives, compromised customers were directed to a web page to download security tools that could remove the infections.

Coroneos said he thought the iCode would fit well with US legal frameworks because the country’s largest telco, Comcast, had already implemented a similar in-house framework.

“The internet providers have far from won the fight against botnets, but there is progress and customers are accepting of the iCode,” Coroneos said.

The code was pushed out to pre-empt looming government regulation that may have made providers responsible for the security of end-users.
