Archive for September, 2012

Even Botnets Go on Holidays!

September 30, 2012 Leave a comment

The attack model based on botnet-generated Distributed Denials of Service is opportunistic. The botmaster selects a target, gathers as many resources as possible among his army of zombie machines, and when he realizes to have achieved enough firepower, simply selects a target and pushes the attack button. After this the target is inevitably flooded by packets generated by the bots, while the unaware owners of the zombie machines perform their normal work or fun activities with their infected computers.

In theory there is only a weak point in this opportunistic model and it consists on the fact that the botmaster controls the compromised machines but cannot control their availability. Simply said, if a user has not switched on his computer while the botmaster needs that machine to execute a DDoS attack, the machine is not available, and there is not so much to do.

Of course this is essentially a theoretical weak point since, quoting a famous phrase, we could say that on botnet empire the sun never sets: indeed botnets are so huge and widespread to be in practice always available (they span different continents and different time zones) and constantly grant enough firepower.

But what happens if some global events or some global festivities make a larger number of computers to be turned off? Quite simple apparently! The firepower of the botnet is hugely affected and the number of DDoS attack drops. This is one of the paradoxical conclusions that can be derived from a paper presented few days ago at the Virus Bulletin 2012 International Conference by Cloudflare (probably the main CDN company in the world), about which an interesting post by Naked Security has provided additional details.

Apparently the number of IP addresses used to execute Layer 7 DDoS attacks in 2012 showed the minimum values just in those days of events or vacations which kept the users away from their Personal Computers. The minimum values occurred in days such as Mardi Gras, Earth Day (the 22nd of April when one billion people around the world chose to keep their computers turned off to reduce energy consumption), the Memorial Day weekend on the 29th May and 28th June, just before US Independence Day celebrations.

Quoting the Naked Security article, the conclusion is quite amusing: if everyone turned off their computers each night, it might not just be good for the environment because of the lower levels of energy being consumed… it could also mean a reduction in botnet attacks.

Web Based Threats and False Positives

September 29, 2012 Leave a comment

In the last few days I have received a couple of advises regarding the fact that some URL filter engines flagged several pages of my blog as malicious. One page in particular appears to have been inserted inside the category of Malicious sites.

Unfortunately so far I have not been able to identify the URL Filter technology that has categorized that page as malicious and. Of course, I would greatly appreciate if someone who encountered the same problem could be so kind to provide me some additional details. In any case I believe that the semantics of the site (probably full of long links and terms as “malware”, “hacking”, and so on) has tricked the content filter engine (why apparently just that specific page has been affected, is something I cannot explain right now).

In any case I want to give you a couple of useful suggestions to handle similar occurrences and to make reasonably sure that a web page does not hide web based exploits.

If you have any doubt about the content of a page or a link received inside a suspicious email message, I suggest you, before clicking, to submit it to Wepawet, a cloud-based service for detecting and analyzing web-based threats (iFrame injections, Drive-by, etc.) embedded in Flash objects, JavaScript code, and PDF files. You will probaly remember Wepawet because it was able to discover the (since then unknown) 0-day vulnerability behind Operation Aurora.

If you have similar doubts for unknown binaries, you can analogously submit them to Anubis (Analyzing Unknown Binaries), a cloud-based service with a sandbox for analyzing malware, which provides a complete and detailed report about malware activity (it executes the binary on-the-fly hence does not need a-priori knowledge). Anubis may also check if a certain URL is the vector for a possible drive-by download or similar attack, by showing the Activity of the page inside Internet Explorer.

Android APKs may be also submitted to its variant Andrubis, which runs them inside an Android sandbox providing a detailed report (the icon is really pretty cool isn’t it?).

All the above services are free for internal use and have been brought to the next level by Lastline, Inc., my current company, which has developed a commercial version of the same technologies in its advanced malware detection and mitigation solution.

Of course I checked the incriminated page of my blog with Wepawet, and I did not find any web-based exploit… At least so far… Meanwhile, if you encounter the same issue on one of my blog pages, I would greatly appreciate if you could notify me.

Adobe Persistent Threat

September 28, 2012 Leave a comment

Adobe is the latest victim of a targeted attack. The news has been reported in a blog post by Brad Arkin, Director of product security and privacy at Adobe.

According to Mr. Arking the company has recently received two malware strains in disguise of malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate and has identified the possible reason for the illegitimate code signing in a compromised build server with access to the Adobe code signing infrastructure as part of the build server.

The first malicious utility is called pwdump7 v7.1 and extracts password hashes from the Windows OS as a single file that statically links the OpenSSL library libeay32.dll.  The second malicious utility, dubbed myGeeksmail.dll, is a malicious ISAPI filter.

Of course the forensic investigation is ongoing. To date Adobe has identified the presence of malware on the build server (although the details of the machine’s configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process”) and the likely mechanism used to first gain access. Although the forensic investigation has found evidence linking the build server to the signing of the malicious utilities, it appears that the private key required for generating valid digital signatures was not extracted from the HSM, which is kept in physically secure facilities. Even, so far there is no evidence that the source code was compromised or stolen.

As a natural consequence the company has changed the signing process and has deployed an interim solution including an offline human verification to ensure that all files scheduled for signature are valid Adobe software. Furthermore the company is also designing and deploying a new, permanent signing solution.

All the certificates signed with the impacted key since July 10, 2012 will be revoked on Thursday October 4, 2012 (does this means that the build server has been compromised, undetected, for more than two months?). Potentially there could be 5127 applications signed with the compromised key.

According to the available information, we are in front of a typical targeted attack:

We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.

Moreover “Targeted Attacks generate Targeted Attacks” since the malware samples discovered (most of all in case of the pwdump7 “utility”) show the typical features used by Advanced Persistent Threats: compromise one machine, extract information to escalate privileges (see password) and use the initial entry point as a bridgehead to harvest the target network.

So at the end Adobe is the latest high-profile target to join the group of the companies hit by targeted attack: “Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate. We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example).”

“Please stay tuned for more details in the coming weeks.”

1-15 September Cyber Attacks Statistics

September 27, 2012 Leave a comment

I know, September is nearly gone, but it is the time for the cyber stats related to the first half of September. As you know, they are derived from my Cyber Attack Timeline.

A look at the Motivations Behind Attacks chart, shows that apparently the Sun of August is the best period for hacktivism, since September has shown the overtake of Cyber Crime motivated attacks which reported the 56% of occurrences inside the analyzed sample.

The Distribution Of Attack Techniques confirms the domain od SQL Injection with nearly the 50% of the attacks. The fall of DDoS in this unwelcome charts is attributable to the minor number of attacks Motivated by Hacktivism

After all, apparently the Governments keep on investing an inadequate amount of money for securing their infrastructure: in fact they continue to lead the Distribution of Targets chart with the 30% of occurrences, nearly twice than the industry sector which ranks at number two with the 16%. Among the single targets (in fact the sectors od industries and organizations are higly fragmented) the edcuational institutions are the most targeted afer governments. Online activities (miscellaneous services, online games, online gambling and e-commerce sites), summed together reach the considerable number of 14%.

As usual, I will never get tired of repeating that data must be taken very carefully since they do refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide an high level overview of the “cyber landscape” of the considered period.

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

Value Added Distributors of Botnets

September 22, 2012 Leave a comment

Cyber Crime, and in particular botmasters, never cease to amaze. If you were (not so much) surprised in discovering the compromised supply chain behind the Nitol Botnet (that allowed Chinese manufacturers to sell compromised computers pre-installed with the botnet), you’d better have a look at the ZeroAccess Botnet, which has recently been analyzed by Sophos.

ZeroAccess has some impressive “state-of-the-art” features such as:

  • Pure User-Mode on 32-bit Windows platforms;
  • A Peer-to-peer protocol for communicating with other members of the Botnet to receive updates and downlad plugins;
  • A modular architecture (via plugins) that allows to generate revenues for Botnet owners in different ways: Click Fraud or Bitcoin Mining (revenues that the security firms estimates in USD 100,000 per day with the botnet at full power);
  • A compromised population of over 9 million of PCs infected.

Really impressive features indeed, even if I must confess they were not the ones that impressed me most.

One of the challenges of a “successful” botnet is the capability to spread as quickly as possible, and infect and insert in the botnet (read enroll) the largest number of hosts in the shortest possible time.

Cyber Criminals are becoming increasingly aware of this, and hence, have developed a lucrative Pay-Per-Install partnership affiliate scheme to distribute the dropper. This affiliate scheme (I like to call it Partnership program) foresees wall paid revenues for affiliates who are able to execute successful installation of the dropper. This is exactly what happens in case of ZeroAccess and it is the reason of its large-scale extent.

The scheme is typically advertised on underground forums and, in case of ZeroAccess, the revenues are differentiated based on the country (probably US victims are the most lucrative, since US gets paid the most, then UK, Canada and Australia), and also on the access rights of the infected user (Admin gets paid more).

After the discovery of compromised supply chains and programs that foresee revenues for botnet distributors, have you still doubts about the fact that Cyber Crime is really becoming an industry?

The Cyber Battle in Middle East Continues…

September 20, 2012 Leave a comment

In the last wave, Yourikan has taken down 106 Iranian sites, defacing them with a message against the Nuclear Strategy of Iran.

He also claims to have deleted the backend databases.

This is only the latest occurrence of the mutual attacks between the two cyber factions. My sixth sense and one half tells me that more are to come…

After the jump you find the complete list (at the time of writing, in many cases the defaced pages have already been removed).

Read more…

1-15 September 2012 Cyber Attacks Timeline

September 19, 2012 Leave a comment

Here it is the usual compilation for the Cyber Attacks in the first half of September, a period which has apparently confirmed the revamping of hacktivism seen in August.

Several operations such as #OpFreeAssange (in support of Julian Assange), #OpTPB2 against the arrest of The Pirate Bay Co-Founder Gottfrid Svartholm Warg, and #OpIndipendencia in Mexico have characterized the first half of September. Curiously the hacktivists have also characterized this period for a couple of controversial events: the alleged leak of 1 million of UDIDs from FBI (later proven to be fake) and the alleged attack to GoDaddy (later proven to be a network issue, that is the reason why I not even mentioned it in this timeline). Other actions motivated by hacktivists have been carried on by Pro-Syrian hackers.

From a Cyber Crime perspective, there are two events particularly interesting (even if well different): the alleged leak of Mitt Romney’s tax returns and yet another breach against a Bitcoin Exchange (Bitfloor), worthing the equivalent of 250,000 USD which forced the operator to suspend the operations.

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

Read more…


Get every new post delivered to your Inbox.

Join 3,710 other followers