Most Updated News on How to Protect Against DoS Attacks!

1. WHMCS under renewed DDoS blitz after patching systems
2. GM Food Research Site Hit by Cyber Attack
3. ‘SOCA’s weak response to a recent DDoS attack sends the wrong message’
4. UK’s largest hosting biz titsup in DDoS outrage
5. Anonymous Leaks 1.7 GB Justice Department Database
6. Hosters: Is Your Platform Being Used to Launch DDoS Attacks?
7. New Wave of Hacker Attacks Coming
8. India becomes top spam-sending nation in the world: Trend Micro
9. The war on botnets
10. Kaspersky and cyber terrorism

WHMCS under renewed DDoS blitz after patching systems

WHMCS, the UK-based billing and customer support tech supplier, has once again come under denial of service attacks, on this occasion following an upgrade of its systems to defend against a SQL injection vulnerability.

The security patch was applied on Tuesday following reports by KrebsOnSecurity that a hacker was auctioning rights to abuse the vulnerability through an underground hacking forum. The then zero-day blind SQL injection supposedly created a mechanism for miscreants to break into web hosting firms that rely on WHMCS’s technology. The exploit was on offer at $6,000 for sale to a maximum of three buyers.

In a notice accompanying the patch release, WHMCS stated that it was notified about the problem with its systems by an “ethical programmer”.

Within the past few hours, an ethical programmer disclosed to us details of an SQL Injection Vulnerability present in current WHMCS releases.

The potential of this is lessened if you have followed the further security steps, but not entirely avoided.

And so we are releasing an immediate patch before the details become widely known.

Installing the patch is simply a case of uploading a single file to your root WHMCS directory. This one file works for all WHMCS versions V4.0 or Later.

The events of last week have obviously put a lot of focus on WHMCS in recent days from undesirable people. But please rest assured that we take security very seriously in the software we produce, and will never knowingly leave our users at risk. And on that note if any further issues come to light, we will not hesitate to release patches for them – as we hope our past history demonstrates.

The advisory references an incident last week when hackers tricked WHMCS’s own hosting firm into handing over admin credentials to its servers. The crew that pulled off the hack, UGNazi, subsequently extracted the billing company’s database before deleting files, essentially trashing its server and leaving services unavailable for several hours. The compromised server hosted WHMCS’s main website and supported customers’ installations of the technology.

UGNazi also seized access to WHMCS’s Twitter profile, which it used to publicise locations from which the compromised customer records might be downloaded. A total of 500,000 records, including customer credit card details were exposed as a result of the breach. Hacktivists justified the attack via unsubstantiated accusations that WHMCS offered services to internet scammers.

Last week’s breach involved social engineering trickery and wouldn’t appear to be related to the SQL Injection vulnerability patched by WHMCS on Tuesday. Since applying the patch WHMCS has come under attack from a fresh run of denial of service assaults, confirmed via the latest available update to WHMCS’s Twitter feed on Tuesday afternoon.

We’re currently experiencing another heavy DDOS attack – seems somebody doesn’t like us protecting our users with a patch … Back online asap

WHMCS’s website remains difficult to reach, at least from Spain, but its official blog can be found here.

The firm was unreachable for comment at the time of publication.

Source: http://www.theregister.co.uk/2012/06/01/whmcs_ddos_follows_patching/

GM Food Research Site Hit by Cyber Attack

Rothamsted Research says its Web site appears to have been taken down by a DDoS attack.

The Web site for the UK agricultural institute Rothamsted Research was taken down by a cyber attack on Sunday night.

“The Twitter handle @AnonCrash1 was the first to mention the attack, at 5:18pm on Sunday, tweeting ‘Tango Down www.rothamsted.ac.uk,'” Information Age reports. “Five hours later, @AnonOpsLegion tweeted: ‘TANGO DOWN these guys are like the MONSANTO of the UK www.rothamsted.ac.uk.'”

“The cyber-strike came after hundreds of protestors went to the agricultural research station in Hertfordshire to try to attack the facility’s trial of genetically modified wheat,” writes The Register’s Brid-Aine Parnell. “A large force of mounted police and foot patrols stopped the activists from ripping up the crop, one of the stated aims posted on the protest’s website.”

In a press release, Rothamsted Research stated, “We believe this was a distributed denial-of-service (DDoS) attack but it is unclear who was responsible. The timing of the attack and the information we have seen on Twitter would suggest this attack relates to an experiment being conducted at Rothamsted Research to test wheat which has been genetically modified to repel greenfly and blackfly pests as a sustainable alternative to spraying pesticides.”

“Rothamsted’s wheat contains genes that have been synthesised in the laboratory; a gene will produce a pheromone called E-beta-farnesene that is normally emitted by aphids when they are threatened by something,” BBC News reports. “When aphids smell it, they fly away. Prof John Pickett, a principal investigator at Rothamsted Research, told BBC News there was ‘a very, very remote chance that anything should get out.'”

Source: http://www.esecurityplanet.com/hackers/gm-food-research-site-hit-by-cyber-attack.html

‘SOCA’s weak response to a recent DDoS attack sends the wrong message’

André Stewart, president international at Corero Network Security, argues that the Serious Organised Crime Agency should have taken a recent DDoS attack more seriously…

The response by the Serious Organised Crime Agency (SOCA) to the distributed denial of service (DDoS) attack directed at its public website is somewhat disappointing for the nation’s leading anti-crime organisation. The agency’s statement that it does not consider investing in DDoS defence protection “a good use of taxpayers’ money” fails to take into account potentially serious security consequences. Further, it sends the wrong message to cyber criminals at a time when businesses and organisations in the United Kingdom and around the world operate under continuous threat of attack.

The attack against the SOCA website used a network-layer DDoS attack which is a very publicly visible form of cyber crime. The attackers’ intent is to slow or bring down a website for the entire world to see. The victim organisation has to own up to what has happened and, in the case of government entities, explain why it will not or cannot respond effectively.

However, hacktivist groups and criminals frequently use DDoS attacks as a smokescreen to hide more surreptitious intrusions aimed at stealing data. For example, the theft of 77 million customer records from the Sony PlayStation Network was preceded by a severe DDoS attack. In discussing its 2012 Data Breach Investigations Report, Verizon’s Bryan Sartin said that diversionary DDoS attacks are common practice to mask data theft, including many of the breaches by hacktivists which totalled some 100 million stolen records.

This raises the question about SOCA’s approach to securing its networks and the protection of critical information from more sinister, stealth cyber attacks. Criminals want to create diversions and remain unnoticed while they infiltrate deeper into a network and steal data. Most data breaches go undetected for weeks, months, even years in some cases. Can we be confident, based on SOCA’s response to its public website being hit for the second time in less than a year, that it is addressing more critical security risks? The response to the latest incident could undermine confidence in the quality of the agency’s security program. How deep does its estimable high regard for taxpayer money go?

Just last June, the LulzSec group claimed credit for taking SOCA offline with a DDoS attack. One has to wonder if SOCA is truly dismissive of these attacks or simply has been slow to address the issue. Whilst the agency is dismissive of the latest DDoS attack its inability to protect itself nearly a year after the first public attack plants a seed of doubt about the calibre of its security program.

Perhaps most concerning is that SOCA is conceding the initiative to criminals who are attacking the agency directly. Would the police stand by, for example, while some hooligan scrawled graffiti on a local station with the explanation that they had more important things on which to spend time and money? Would the public tolerate that response?

Whilst putting its foot down on spending public funds is commendable, failing to respond to a direct criminal attack on law enforcement’s public face seems an odd place for SOCA to draw a line in the sand.

Source: http://www.publicservice.co.uk/feature_story.asp?id=19768

UK’s largest hosting biz titsup in DDoS outrage

MASSIVE Chinese web cannons blast 123-reg offline

By Anna Leach

Posted in CIO, 23rd May 2012 12:36 GMT

A “massive” distributed-denial-of-service attack emanating from China has taken down 123-reg, the UK net biz that hosts 1.4 million websites.

In a statement on its service status page just after midday today, 123-reg blamed attackers in China:

From 11:30 to 22:50 our network was undergoing a massive distributed denial of service attack from China. Due to the nature and size of this attack the firewall systems in place needed to be reconfigured to block the bad traffic and allow the good traffic through.

The attack, which appears to be ongoing, caused patchy service from the sites hosted by the company, which also has more than 4 million domains on its books. 123-reg promised that no emails would be lost, and messages would be queued up by the mail servers and sent shortly.

123-reg’s own site was down too in the aftermath of the traffic blast, which proved to be frustrating for users trying to find out what was going on. A 123-reg tweet at 12.30pm said that they were working through final issues and that services should be returning to normal.

123-reg is a brand name of Webfusion Ltd, part of the Host Europe group. WebFusion isn’t picking up the phone so we can’t get more detail on the hacks at this time.

Updated to add

A spokeswoman for 123-reg got in touch this afternoon to say:

We had contained the primary attack within 15 minutes of it happening. As the largest domain provider in the UK, and coupled with the increase of these types of attacks across Europe in particular, we know we are a prime target. We are still in the process of resolving this.

Source: http://www.theregister.co.uk/2012/05/23/123reg_ddos_attack/

Anonymous Leaks 1.7 GB Justice Department Database

Attackers were assisted by Anonymous affiliate AntiS3curityOPS, which launched its own anti-NATO attack against the Chicago Police Department website.

By Mathew J. Schwartz

In what was billed as “Monday Mail Mayhem,” the hacktivist group Anonymous released a 1.7-GB archive that it’s characterizing as “data that used to belong to the United States Bureau of Justice, until now.”

“Within the booty you may find lots of shiny things such as internal emails, and the entire database dump,” according to a statement released by the group. “We Lulzed as they took the website down after being owned, clearly showing they were scared of what inevitably happened.”

That statement was included with a BitTorrent file (named 1.7GB_leaked_from_the_Bureau_of_Justice) uploaded Monday to the Pirate Bay by “AnonymousLeaks,” although multiple downloaders Tuesday complained that the Torrent download was stuck at the 94%-completion point.

Why “dox”–release purloined data from–the Bureau of Justice Statistics? “We are releasing data to spread information, to allow the people to be heard, and to know the corruption in their government,” according to the Anonymous statement. “We are releasing it to end the corruption that exists, and truly make those who are being oppressed free.”

The Bureau of Justice Statistics compiles statistics related to hacking crimes. Except for that fact, the agency would make for an odd attack choice, since it’s devoted to number-crunching “information on crime, criminal offenders, victims of crime, and the operation of justice systems at all levels of government,” according to its website.

The Department of Justice said that it’s investigating the alleged attack. “The department is looking into the unauthorized access of a website server operated by the Bureau of Justice Statistics that contained data from their public website,” said a Department of Justice spokesman via email. “The Bureau of Justice Statistics website has remained operational throughout this time. The department’s main website, justice.gov, was not affected.”

“The department is continuing protection and defensive measures to safeguard information and will refer any activity that is determined to be criminal in nature to law enforcement for investigation,” he said.

In other hacktivism news, Anonymous affiliate AntiS3curityOPS said that it had launched a distributed denial-of-service (DDoS) attack against government websites in Chicago, to support anti-NATO protest marches in the city that saw police officers clash with protestors, resulting in several injuries and 45 arrests. All told, 51 world leaders attended the two-day NATO summit, including President Barack Obama.

On Sunday, prior to the protest marches, the Chicago Police Department and city council websites were knocked offline, and AntiS3curityOPS took credit. “We are actively engaged in actions against the Chicago Police Department and encourage anyone to take up the cause and use the AntiS3curityOPS Anonymous banner,” according to a YouTube video released by the group. “We are in your harbor Chicago, and you will not forget us.”

Interestingly, AntiS3curityOPS said that it had also assisted with the Bureau of Justice Statistics attack. “We were not behind http://justice.gov DB attack. However, we can confirm we ‘helped’ attacked site, and another faction has email spools,” the group said Tuesday via Twitter.

When it comes to DDoS attacks of late, however, hacktivists haven’t been the only actors. Notably, the Pirate Bay–where a Torrent file for downloading the purloined Bureau of Justice Statistics information was uploaded–was itself recently knocked offline for 24 hours by a DDoS attack.

The attack came after the Pirate Bay had criticized an Anonymous-led DDoS campaign against Virgin Media in the United Kingdom, which had begun blocking U.K. access to the Pirate Bay, in compliance with a court order. “We do NOT encourage these actions. We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us,” the Pirate Bay said in its anti-DDoS statement, which was posted to Facebook. “So don’t fight them using their ugly methods. DDOS and blocks are both forms of censorship.”

Interestingly, the Pirate Bay statement included a practical call to arms that stands in sharp contrast to the use of DDoS attacks by Anonymous as a form of online protest. “If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol, print some pro piracy posters and decorate your town with, support our promo bay artists, or just be a nice person and give your mom a call to tell her you love her,” recommended the Pirate Bay.

Was Anonymous behind the DDoS attack against the Pirate Bay? While that rumor was circulating online, the Pirate Bay dismissed it. “Just to clarify, we know that it is not Anonymous who is behind the DDoS attack. Stop spreading rumors like that,” it said. “We may not agree with Anonymous in everything, but we both want the internet to be open and free.”

Likewise, Corero Network Security president Andre Stewart emphasized that non-Anonymous actors–a foreign government, record labels, or even a lone hacker–were likely to have been behind the attack. “There are a lot of motives out there to bring down a site like The Pirate Bay,” he told PC Pro. “It doesn’t make any sense to be Anonymous … it’s one of the main areas it defends.”

Source: http://www.informationweek.com/news/security/attacks/240000778

Hosters: Is Your Platform Being Used to Launch DDoS Attacks?

May 15, 2012 11:12 AM PDT

As anyone who’s been in the DDoS attack trenches knows, large multi-gigabit attacks have become more prevalent over the last few years. For many organizations, it’s become economically unfeasible to provision enough bandwidth to combat this threat.

How are attackers themselves sourcing so much bandwidth? It’s actually easier than you might think. While botnets comprised of malware-infected computers can be used to launch attacks, you don’t actually need thousands of devices. In some cases, attackers are infiltrating hosting company resources (shared hosting, virtual private servers, dedicated hosting, etc.), availing themselves of bandwidth by using hacked, stolen and fraudulent accounts.

Let’s say that an attacker manages to get his/her hands on 5 hosting accounts with 5 different hosting companies. It’s not unusual for these hosting companies to have 1 Gbps+ of connectivity to the Internet. A lot of hosters don’t look at their outbound traffic all that closely or have difficulty policing what their customers do. All an attacker needs to do is install a script on each account and he/she has easy access to gigabits of connectivity.

For hosters, finding the trouble spot can be like looking for a needle in a haystack (especially if thousands of accounts share resources). While the offender might be found eventually and the account shut down, the damage has already been done.

What can hosters do to help prevent this or detect this better?

Restrict outbound traffic from your customers by using ACLs (Access Control Lists). For example, there are few reasons your customers will ever need to send UDP traffic to port 80 on other hosts on the Internet. Put policies in place to block all outbound traffic except to specific, acceptable, understood destinations or ports. If customers have legitimate reasons to make an outbound connection from your infrastructure, they should be able to notify you and justify it (this will affect only a tiny percentage of your base) so you can make the appropriate arrangements. Some hosters do not even accommodate these requests.

Throttle outbound traffic from your customers. Even for legitimate outbound connections, most likely they don’t need to take up 500 Mbps of outbound bandwidth. Simply set a lower limit.

Put alarms in place when outbound traffic utilization spikes. If, for example, all of a sudden the amount of data leaving your network increases by 40%, there’s probably an issue somewhere and your tech folks should be investigating.

Restricting and monitoring your outbound traffic will probably save you money on bandwidth costs and decrease the amount of abuse reports. Best of all, attackers will realize they’re not getting what they want out of your platform. The less you have to worry about, the better, right?
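The three controls above (a default-deny egress allowlist, a per-account outbound rate cap, and an alarm on an aggregate outbound spike) can be run as one audit over the flow records most hosters already export from their edge routers. The following is an added example, not code from the CircleID post or from any hosting provider: it processes constructed NetFlow-style records for one export window, and the field names, the allowlist contents, the 20 Mbit/s cap, the baseline volume and the sample accounts are all assumptions chosen for illustration; the 40% spike threshold is the figure the post itself uses.

```python
"""Outbound-abuse checks for a shared-hosting platform.

Added example (not code from the CircleID post). It models the three
controls recommended above over constructed NetFlow-style export
records: a default-deny egress allowlist, a per-account outbound rate
cap, and an alarm on an aggregate outbound spike. The field names,
thresholds, baseline and sample records are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    account: str    # hosting account that owns the source address
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port on the remote host
    octets: int     # bytes sent by our customer in this flow


# Egress allowlist (assumed policy): protocol/port pairs a customer
# may initiate from the platform. Anything else is an ACL violation.
EGRESS_ALLOW = {
    ("tcp", 80), ("tcp", 443),   # outbound web fetches, webhooks, APIs
    ("tcp", 25), ("tcp", 587),   # mail relay
    ("tcp", 53), ("udp", 53),    # DNS resolution
}

PER_ACCOUNT_BPS_CAP = 20_000_000   # 20 Mbit/s sustained per account (assumed)
SPIKE_FRACTION = 0.40              # alarm when > 40% above baseline (from the post)


def acl_violations(flows):
    """Flows whose (proto, dst_port) is not in the egress allowlist."""
    return [f for f in flows if (f.proto, f.dst_port) not in EGRESS_ALLOW]


def account_rates_bps(flows, window_s):
    """Outbound bit rate per account over a window of window_s seconds."""
    octets = defaultdict(int)
    for f in flows:
        octets[f.account] += f.octets
    return {acct: o * 8 / window_s for acct, o in octets.items()}


def rate_offenders(flows, window_s, cap_bps=PER_ACCOUNT_BPS_CAP):
    """Accounts whose sustained outbound rate exceeds the cap."""
    return {a: r for a, r in account_rates_bps(flows, window_s).items()
            if r > cap_bps}


def spike_alarm(baseline_octets, current_octets, fraction=SPIKE_FRACTION):
    """True when this window's outbound volume exceeds baseline by > fraction."""
    return current_octets > baseline_octets * (1 + fraction)


def audit(flows, window_s, baseline_octets):
    """Run all three checks and return a report dict."""
    total = sum(f.octets for f in flows)
    return {
        "acl_violations": acl_violations(flows),
        "rate_offenders": rate_offenders(flows, window_s),
        "spike_alarm": spike_alarm(baseline_octets, total),
        "total_octets": total,
    }


# Constructed sample: one 60-second export window. cust-0117 is the
# compromised account blasting UDP at port 80 of two victims.
WINDOW_S = 60
BASELINE_OCTETS = 200_000_000   # assumed normal volume per window
SAMPLE_FLOWS = [
    Flow("cust-0042", "tcp", 443, 2_000_000),     # normal HTTPS API calls
    Flow("cust-0099", "udp", 53, 10_000),         # normal DNS lookups
    Flow("cust-0117", "udp", 80, 150_000_000),    # UDP flood, victim A
    Flow("cust-0117", "udp", 80, 150_000_000),    # UDP flood, victim B
    Flow("cust-0117", "tcp", 6667, 5_000),        # not on the allowlist
]

if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS, WINDOW_S, BASELINE_OCTETS)
    for f in report["acl_violations"]:
        print(f"ACL violation: {f.account} -> {f.proto}/{f.dst_port} {f.octets} B")
    for acct, bps in report["rate_offenders"].items():
        print(f"Rate cap exceeded: {acct} at {bps / 1e6:.1f} Mbit/s")
    print("Spike alarm:", report["spike_alarm"])
```

On the sample window the single abusive account trips all three checks while the two legitimate accounts trip none, which is the point of layering them: the allowlist catches the UDP-to-port-80 traffic regardless of volume, the rate cap catches it even if the attacker switched to an allowed port, and the spike alarm fires on the aggregate even before anyone has identified which account is responsible. In production the allowlist would be expressed as the egress ACL on the customer-facing interfaces and the same records would be read from the flow collector rather than a constructed list.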

Source: http://www.circleid.com/posts/20120514_hosters_is_your_platform_being_used_to_launch_ddos_attacks/

New Wave of Hacker Attacks Coming

Smarter hackers, and a new generation of “hacktivists” will launch attacks on mobile banking apps, virtual currency and even your local supermarket in 2012.

All my buddy Mario wanted was a can of beans to have for lunch one day last month. What he got, though, was a big pain in the bank account, when it turned out that his ATM card may have been one of the thousands of credit and debit cards potentially compromised by a devilishly clever band of hackers in Northern California. Mario, who lives in San Carlos, a suburb a bit south of San Francisco, had swiped his card at the self-serve check out counter in his local Lucky’s market.

It appears that the information on his card, along with that of thousands of other shoppers, may have been collected by a device called a skimmer that was surreptitiously installed on card readers at the store. The skimmer reads information on the card and broadcasts it back to the hackers. As soon as they discovered the hack, Lucky’s management advised customers who used the checkout kiosks recently to close bank accounts linked to cards they swiped.

The lesson of the Lucky’s attack is clear to anyone who follows computer security. Hackers are moving away from the traditional attacks on PCs accessing the Internet, to a wider variety of devices and applications. Researchers at McAfee this week issued the company’s annual report on cyber threats likely to hit in the coming year. And while it’s obvious that McAfee, which makes its living selling security software, has lots of skin in this game, it’s worth taking the company’s report seriously.

Highlights include:

Attacks on mobile banking apps: One of the really insidious things about today’s hackers is their ability to adapt very quickly to measures taken by the security community. According to the report, security researcher Ryan Sherstobitoff in July discussed how the transactions performed by criminals using Zeus and SpyEye could be tracked since they looked nothing like those of legitimate users. Last month, though, he showed how criminals had adapted and now can programmatically steal from victims while they are still logged on.

Hackers, predicts McAfee, will adapt what they’ve learned about attacking online banking conducted via PCs to the mobile world. “As we use our mobile devices ever more for banking, we will see attackers bypass PCs and go straight after mobile-banking apps. We expect to see attacks that leverage this type of programmatic technique in greater frequency as more and more users handle their finances on mobile devices,” the report states.

At the moment, there are few apps designed to protect smartphones, but that’s likely to change in the coming year. It’s also worth noting that so far, at least, there have been few, if any, documented attacks on mobile banking users.

Hacktivist attacks: On Christmas Eve, the hackers of Anonymous broke into databases of Stratfor, a security think tank and stole thousands of credit card numbers, passwords and email addresses, and then demanded that the company donate $1 million to charity as a form of ransom. Whether you agree with the politics of Anonymous or not, your personal information could become collateral damage in the war between authorities and the cyber radicals.

According to the report, “The ‘true’ Anonymous (that is, its historical wing) will reinvent themselves and their scene or die out. If the Anonymous circles of influence are unable to become organized — with clear calls for action and responsibility claims — all those labeling themselves Anonymous will eventually run the risk of becoming marginalized. Either way, we will see a large increase in such attacks. Distributed denial of service (DDoS) and personal data disclosures justified by a political conscience will continue to grow.”

Virtual currency: Virtual currency, sometimes called cybercurrency, has become a popular way for people to exchange money online. These online “wallets” are not encrypted and the transactions are public, making them an attractive target for cybercriminals. There have already been attacks directed at users of Bitcoin, one of the largest virtual currencies, said Dave Marcus, McAfee’s director of advanced research and threat intelligence. “Our concern isn’t confined to Bitcoin. Virtual currencies seem almost designed to attract hackers,” he told me.

McAfee Labs expects to see this threat evolve into spam, data theft, tools, support networks and other associated services dedicated to solely exploiting virtual currencies, in order to steal money from unsuspecting victims or to spread malware.

Rogue certificates: Digital certificates tell your browser and sometimes your computer’s operating system that a certain Web site or downloaded file is safe. But now hackers are finding ways to counterfeit them, and use the access they enable to spread malware.

Some of these threats are hard to avoid, while others can be easily defanged by keeping your security software up to date, and keeping an eye on your online accounts for fraudulent charges.  In our discussion, Marcus was careful to note that “We’re not predicting doomsday. We’re not trying to scare people away from technology.” So don’t panic. But as they used to say on Hill Street Blues, “Be careful out there.”

India becomes top spam-sending nation in the world: Trend Micro

India’s Internet base may be swelling but so are the online risks. India, it turns out, has become the top spam-sending nation in the world, according to the latest report by IT security company Trend Micro.

India ranked second in this list of spamming countries during the first quarter of 2011, fell to third position in the following quarter, before finally rising to the pole position in the just-concluded quarter. Previously, it was the US and South Korea which were placed on top of the list in the first and second quarter, respectively.

“As in the previous quarter, India and South Korea continued to be part of the top three spam-sending countries. Surprisingly, however, the US, which commonly takes the top spot was not on the top 10 spam-sending countries list,” said the report. India’s share in the global spam statistics was an alarming 12 per cent and that of South Korea was 9 per cent.

As the top spam-sending countries are also the most spambot-infected ones, the US’ drop in ranking possibly indicates a lower infection level, the report said adding that “this may be a result of the botnet takedowns that occurred in the last few months.”

SPAMBOT

As it is, even in the past, reports by various other security vendors have revealed that India continues to be a hotbed for ‘bots’. If anything, India’s share in the worldwide spam bots has only gone up. ‘Bots’ are software programs that run automated tasks over the internet.

This type of malware allows an attacker to get full control of the affected computer and use it to launch attacks against Web sites. A spambot is an automated computer program which assists the attacker in sending out spam.

“If a computer is vulnerable and becomes part of a ‘botnet’ community, the infected computer may be sending out multiple spams without the user being actually aware of it. In India, we are not protected enough, and people do not realise the seriousness of the security threats,” said Mr Amit Nath, Country Manager India and SAARC at Trend Micro.

UNHAPPY MILESTONE

For India, this unhappy milestone in the online threat landscape comes at a time when the increasing affordability of computers and the Internet have pushed up the country’s Internet base to 100 million users in September. India is projected to have 121 million Internet users by December 2011, estimates Internet and Mobile Association of India.

The Trend Micro report further said that Google has replaced Microsoft as the software vendor with the greatest number of reported vulnerabilities for the quarter – 82.

Meanwhile, in a written reply in the Lok Sabha, the Minister of State for Communications and IT, Mr Sachin Pilot, said that the Indian Computer Emergency Response Team, in co-ordination with the industry and service providers, is working towards disablement of ‘spam bots’ located in India to curb spam sources.

The war on botnets

This week saw one of the most significant successes ever in the fight against cyber crime when the DNS Changer botnet was dismantled and seven people were charged.

It followed a slew of botnet takedowns achieved in the past two years alone. It’s a good time to be a crime fighter on the internet.

Yet during the eight years between the birth of malicious networks at the turn of the millennium and the decapitation of major botnet-hoster McColo in 2008, the security industry and law enforcement were in the doldrums.

Unable to cooperate efficiently or find a way to counter cyber criminals and their megalithic botnets, they were looking as hopeless as Eeyore on a hangover.

It took far longer for the industry and police forces to find some answers than it did for hackers to up their skills and exponentially increase the sophistication and size of their networks. But answers did nevertheless arrive and since 2008 we’ve seen just how dramatically the pendulum has swung in the favour of the ‘good guys.’

When McColo was shut down, taking with it a tonne of malware and botnet activity, the impact was immediately felt. Spam levels fell by as much as 80 per cent.

Mariposa, which had infected 13 million PCs, and Mega-D were the first major botnets to fall after the McColo operation. Then came Waledac and Bredolab in 2010, bringing down two massively powerful botnets surreptitiously controlling tens of millions of machines.

What seemed like a freak spate of successes for the anti-botnet warriors soon became a roll. This year saw Coreflood, which had compromised millions of Windows machines, taken out by the FBI. The crowning moment came in March, with the head of Rustock. Again, a massive drop in spam was recorded following the takedown.

The winning streak didn’t stop there either. Just last month, it emerged the Kelihos botnet was terminated, with legal action taken against 24 individuals in connection with the case. And now DNS Changer.

The tide has evidently turned. We are learning how to fight the war on botnets. More importantly, we are learning how to win key battles.

The McColo failure

Data sharing and collaboration has been at the heart of this shift. Yet prior to 2008, there was little cooperation whatsoever.

It was when McColo was shut down that the broken system really became apparent. Despite McColo’s success, it showed how poorly data was being used. Ultimately, the operation was a failure.

“When the McColo takedown happened people really understood just how much intelligence was lost in the lack of coordination,” Alex Lanstein, FireEye’s senior security researcher, told IT Pro. “Here you have the biggest malicious data centre in the history of the internet. It gets wiped out and there wasn’t a single arrest. A lot of people watching were asking how could they have blown it so badly.”

In the days before and during McColo’s demise, efforts to kill botnets were hampered by a “willy-nilly approach” where members of different bodies could be investigating the same threat without any joined up coordination, Lanstein said.

In some cases, companies were fighting the botnet war for more unscrupulous, self-serving means, only exacerbating the situation. “If you were just trying to get a little PR, you might not necessarily have spent the amount of time digging into the malware as you should have,” Lanstein continued.

“If you take down the first level of infrastructure, all the bots are going to automatically failover to another [infrastructure]. Not only are you not going to have any operational impact, you’re going to have a tonne of negative impact in that the bad guys will know someone is targeting them.”

Cyber criminals are nimble. Once they become alerted to a concerted effort to crack their operations, they will move fast to up their resiliency. Hence why in the old days, when bodies didn’t work with one another on tackling botnets, they did just half the work and unwittingly supported their common enemies.

To kill botnets, you need to go the whole way and dismantle the entire infrastructure. And to do that, you need as much information and cooperation as you can get.

Microsoft to the rescue

To bring the different sides together, the security industry needed a big player to step up to the plate. Microsoft did just that. It took on the role of chief botnet slayer.

Microsoft hasn’t always been the friendliest giant – just look at its various ongoing squabbles with Google – but the Redmond firm has been the linchpin in many significant battles against botnets. It was responsible for drawing together industry players and law enforcement in smashing Waledac, Rustock and Kelihos. All have formed part of Project Microsoft Active Response for Security (MARS), which has one core aim: “To annihilate botnets and help make the internet a safer place.”

“Microsoft has really stepped up in a lot of different ways to try to bring together multiple groups that might not have known each other,” Lanstein added. “They’ve really put a lot of money in going after botnets and it has worked.”

The MARS team has worked with a host of security companies, including Kaspersky and FireEye, to share information relating to infections. In the case of Kelihos, Kaspersky loaned Microsoft its live botnet tracking system. The Russian company also led the operation to reverse-engineer the bot malware, crack the communication protocol and develop tools to take apart the botnet’s peer-to-peer infrastructure. It was another truly communal effort.

Microsoft should be proud of its work here. No other tech vendor has initiated such a concerted campaign against botnets. That’s not to say others haven’t played a big part, however. There have been some significant successes that haven’t involved Microsoft. The software behemoth was not part of two of the most significant botnet shutdowns in history – Mariposa and DNS Changer. Both of those led to complete disarmament of the bot masters and arrests of suspects.

Microsoft has shown what is possible when everyone cooperates – others have subsequently proven that point: the simple act of sharing is key in identifying botnets and successfully destroying them.

The long arm of the law

Collaboration might be vital, but the nail in the coffin of any botnet is only hammered in if arrests and prosecutions follow. In the past year, a plethora of suspects have been apprehended, but why now? Largely because tech companies and law enforcement have worked out how to twist judges’ arms into opening up legal pathways to take botnet infrastructure down before warning its owners.

Just a few years back, efforts to end botnets were not only hampered by an industry as fractious as the Greek Government – the legal system was doing the good guys no favours either. Instead of immediately asking registrars to shut down domains or ordering datacentre owners to allow police to switch off servers helping run botnets, courts required that bot-herders be warned first.

Now, cyber criminals aren’t so lucky. The cases of Waledac and Rustock have set legal precedents that will be of huge benefit to the good guys in the long run. In the case of the former, Microsoft convinced a judge to issue an ex parte temporary restraining order (TRO), which meant Verisign, the administrator of the .com domain registry, had to hand the 276 domains used by Waledac for its command-and-control operations over to the Redmond company. Microsoft achieved this simply by pointing to the continuing harm that would be caused by the botnet if immediate action was not taken.

With Rustock, Microsoft filed a lawsuit against the anonymous operators of the botnet, basing its argument in part on the abuse of Microsoft trademarks in the bot’s spam. These clever legal manoeuvres are necessary to open the door to complete botnet destruction.

“As a private company we can only use civil process – we do not pretend to be law enforcement. But we wanted to do something proactively to protect our customers,” said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.

“We looked at the body of laws that were in place in the civil world in the US and asked ‘how could we adopt these to be able to confront some of these 21st century problems?’ There is always a cry for new laws and new legislation, but the reality is there are a lot of good laws on the books that were passed for other purposes … that are easily translatable.”

It’s all about creative use of the current laws, rather than begging for fresh legislation, Boscovich argues. In this week’s DNS Changer takedown, courts were again convinced to let law enforcement take a botnet apart. Datacentres in Chicago and New York were raided and dirty servers replaced with clean ones all thanks to a court order. If the perpetrators had been warned in that case, it could have ruined five years’ worth of work.

Indeed, the ‘company’ responsible for running the botnet, an Estonian organisation called Rove Digital, had previously moved servers when they sensed law enforcement was closing in on some of its other suspicious operations, according to Trend Micro. Imagine if they’d been given notice again. Four million computers would still be infected and the crooks would continue making millions fraudulently.

The future

Whilst the work of law enforcement, industry and others involved in the war on botnets is more than commendable, it would be unwise to get carried away. There remain some major obstacles to overcome. The first is how to tackle the subdomain issue.

Currently, there is no requirement for domain hosts to know anything about those using their subdomains. In the case of Kelihos, Microsoft got a little lucky. Dominique Alexander Piatti of Czech domain hoster dotFREE Group was accused, along with a number of unidentified suspects, of owning the domain cz.cc and using it to register other subdomains which were running the Kelihos botnet.

Yet Microsoft dropped its lawsuit against Piatti late last month, as it seemed dotFREE was simply being used by Kelihos’s controllers. Anyone hoping the case would inspire law makers to create fresh legislation was to be sorely disappointed. Domain hosts will still not be forced to know who their customers are. The crooked ones will simply turn a blind eye to pernicious activity on their servers.

“There are a lot of domains hosting hundreds of thousands of subdomains that are really hosting nasty stuff,” said Boscovich. He explained dotFREE had been highly proactive in cleaning up its game and learning about its customers. The domain industry should follow suit, he said. Either that or extra regulation is required.

“We would really like to see either the other subdomainers employ the same kind of business practices or maybe even have ICANN require that if you’re going to provide subdomains that you’re required to get the same information registrars are asked to get,” he added.

“It is time for the community to put more rules in place internationally through ICANN, hopefully, to get more transparency as to who is really behind these domains and subdomains that are causing a lot of problems.”

Subdomainers aren’t the only ones who need to be brought into line. The young upstarts of the infosec world need to be convinced to join the party too. The divisions between the new players and the old guard could mean certain important data isn’t being shared. If these schisms aren’t dealt with, ironically, industry in-fighting will only benefit the cyber criminals.

In essence, it’s all about greater and greater collaboration. The war against botnets will always be one of attrition. As in the real world, you can’t ever completely kill crime. Yet if you can build a sizeable enough army, and keep its various factions at peace with one another, you’ll be winning the fight even if you won’t win outright.

Kaspersky and cyber terrorism

Of all the pronouncements coming out of the London Cyber Summit this week, the statements of Eugene Kaspersky are the most provocative. Rather than pile on and criticize him for uttering the words “cyber terrorism”, it is worth taking a deep breath and considering what could give rise to his statements.

Kaspersky, of course, is the founder of anti-virus powerhouse Kaspersky Lab, responsible for some of the best research into malware and the cyber criminals who create it. It is safe to assume that he has pretty good insight into the world of cyber threats. He is rather flamboyant and has led a turbulent life, most recently rescuing his son from kidnappers in Russia. So yes, he may be prone to making controversial statements.

Sky News provides the following quotes:

“I don’t want to speak about it. I don’t even want to think about it,” he said.

“But we are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists – and then… oh, God.”

“There is already cyber espionage, cyber crime, hacktivism – soon we will be facing cyber terrorism.”

Before the semantic police jump all over this (Terrorism involves death and destruction! You can’t do that over the Internet!), let’s define our terms. What would we call it when terrorists engage in cyber attacks? I am going to assume Kaspersky thinks along the lines I do. Cyber terrorism would be cyber attacks carried out by terrorist organizations. Is that possible? Has it happened? Is it likely to happen soon?

First, is it possible for terrorist organizations to engage in cyber attacks? Of course. Denial of Service, defacements, doxing (publishing private information about public figures), extortion, cyber crime, even Stuxnet-like cyber sabotage, could all be carried out by terrorists as easily as by the current bad actors (organized crime, Anonymous, LulzSec, etc). I think the ease with which terrorists could engage in cyber attacks is what spurred Kaspersky to say what he did.

Have terrorists engaged in cyber attacks? In 2006 a popular e-commerce site received an email claiming to be from Islamic Jihad and demanding that they take offensive material, offered by one of their resellers, off of their site. When they elected to ignore the demands, their domain was subjected to a DDoS (Distributed Denial of Service) attack that took them down for several days. Forensics verified that the attacks originated in the Mid-East. I understand they reported the attacks to the FBI but never publicized the event, although it was clearly visible in up-time records kept by Netcraft.

This year the ComodoHacker, who claims to be a supporter of the Iranian regime, broke into the Dutch Certificate Authority DigiNotar and created signed certificates for at least 500 organizations including the CIA, MI6, Facebook, Microsoft, Skype, and Twitter. These fake certificates were used by Iran to spy on its own populace who use Google for email.

And of course trying to keep track of the hacking that goes on in the Mid-East against Israel is an overwhelming task. But just because a hacker supports the same cause as terrorist organizations is a tenuous claim of cyber terrorism. At the same time, just follow the “Tango Down” posts of Th3J35t3r on Twitter to see all of the Jihadi recruitment sites that he has tasked himself with taking down. There is no question that terrorists use the Internet.

The final question, whether terrorists will engage in cyber attacks, depends on their motivations more than their abilities, since the tools and capabilities are easily acquired. Will disrupting the Internet, major stock exchanges, banks, or government web sites be attractive to them? Since the costs and risks are so low, you can see why Kaspersky is concerned.

Copyright © 2014. DoS Protection UK. All Rights Reserved.