The attack model based on botnet-generated Distributed Denials of Service is opportunistic. The botmaster selects a target, gathers as many resources as possible among his army of zombie machines, and when he realizes he has achieved enough firepower, simply pushes the attack button. After this the target is inevitably flooded by packets generated by the bots, while the unaware owners of the zombie machines carry on with their normal work or fun activities on their infected computers.
In theory there is only one weak point in this opportunistic model, and it consists in the fact that the botmaster controls the compromised machines but cannot control their availability. Simply put, if a user has not switched on his computer when the botmaster needs that machine to execute a DDoS attack, the machine is not available, and there is not much to be done about it.
Of course this is essentially a theoretical weak point since, adapting a famous phrase, we could say that on the botnet empire the sun never sets: botnets are so huge and widespread that in practice they are always available (they span different continents and different time zones) and constantly provide enough firepower.
But what happens if some global event or global festivity causes a larger number of computers to be turned off? Quite simple apparently! The firepower of the botnet is hugely affected and the number of DDoS attacks drops. This is one of the paradoxical conclusions that can be derived from a paper presented a few days ago at the Virus Bulletin 2012 International Conference by Cloudflare (probably the main CDN company in the world), about which an interesting post by Naked Security has provided additional details.
Apparently the number of IP addresses used to execute Layer 7 DDoS attacks in 2012 showed its minimum values precisely on those days of events or vacations which kept users away from their personal computers. The minimum values occurred on days such as Mardi Gras, Earth Day (the 22nd of April, when one billion people around the world chose to keep their computers turned off to reduce energy consumption), the Memorial Day weekend on the 29th May, and the 28th June, just before the US Independence Day celebrations.
Quoting the Naked Security article, the conclusion is quite amusing: if everyone turned off their computers each night, it might not just be good for the environment because of the lower levels of energy being consumed… it could also mean a reduction in botnet attacks.
In the last few days I have received a couple of notices regarding the fact that some URL filter engines have flagged several pages of my blog as malicious. One page in particular appears to have been placed in the category of Malicious sites.
Unfortunately so far I have not been able to identify the URL filter technology that has categorized that page as malicious. Of course, I would greatly appreciate it if someone who encountered the same problem could be so kind as to provide me some additional details. In any case I believe that the semantics of the site (probably full of long links and terms such as “malware”, “hacking”, and so on) has tricked the content filter engine (why apparently just that specific page has been affected is something I cannot explain right now).
In any case I want to give you a couple of useful suggestions for handling similar occurrences and for making reasonably sure that a web page does not hide web-based exploits.
If you have similar doubts about unknown binaries, you can analogously submit them to Anubis (Analyzing Unknown Binaries), a cloud-based service with a sandbox for analyzing malware, which provides a complete and detailed report about the malware’s activity (it executes the binary on the fly, hence it does not need a priori knowledge). Anubis may also check whether a certain URL is the vector for a possible drive-by download or a similar attack, by showing the activity of the page inside Internet Explorer.
Android APKs may also be submitted to its variant Andrubis, which runs them inside an Android sandbox and provides a detailed report (the icon is really pretty cool, isn’t it?).
All the above services are free for internal use and have been brought to the next level by Lastline, Inc., my current company, which has developed a commercial version of the same technologies in its advanced malware detection and mitigation solution.
Of course I checked the incriminated page of my blog with Wepawet, and I did not find any web-based exploit… At least so far… Meanwhile, if you encounter the same issue on one of my blog pages, I would greatly appreciate if you could notify me.
Adobe is the latest victim of a targeted attack. The news has been reported in a blog post by Brad Arkin, Director of product security and privacy at Adobe.
According to Mr. Arkin, the company has recently received two malware strains in the guise of malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate, and has identified the likely cause of the illegitimate code signing: a compromised build server with access to the Adobe code signing infrastructure.
The first malicious utility is called pwdump7 v7.1 and extracts password hashes from the Windows OS; it comes as a single file that statically links the OpenSSL library libeay32.dll. The second malicious utility, dubbed myGeeksmail.dll, is a malicious ISAPI filter.
Of course the forensic investigation is ongoing. To date Adobe has identified the presence of malware on the build server (“Although the details of the machine’s configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process”) and the likely mechanism used to first gain access. Although the forensic investigation has found evidence linking the build server to the signing of the malicious utilities, it appears that the private key required for generating valid digital signatures was not extracted from the HSM, which is kept in physically secure facilities. Moreover, so far there is no evidence that the source code was compromised or stolen.
As a natural consequence the company has changed the signing process and has deployed an interim solution including an offline human verification step to ensure that all files scheduled for signature are valid Adobe software. Furthermore the company is also designing and deploying a new, permanent signing solution.
All the certificates signed with the impacted key since July 10, 2012 will be revoked on Thursday October 4, 2012 (does this mean that the build server had been compromised, undetected, for more than two months?). Potentially there could be 5127 applications signed with the compromised key.
According to the available information, we are facing a typical targeted attack:
We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.
Moreover, “Targeted Attacks generate Targeted Attacks”, since the malware samples discovered (above all the pwdump7 “utility”) show the typical features used by Advanced Persistent Threats: compromise one machine, extract information to escalate privileges (see passwords) and use the initial entry point as a bridgehead to harvest the target network.
So in the end Adobe is the latest high-profile target to join the group of companies hit by targeted attacks: “Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate. We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example).”
“Please stay tuned for more details in the coming weeks.”
- Inappropriate Use of Adobe Code Signing Certificate (blogs.adobe.com)
I know, September is nearly gone, but it is time for the cyber stats related to the first half of September. As you know, they are derived from my Cyber Attack Timeline.
A look at the Motivations Behind Attacks chart shows that apparently the sun of August is the best period for hacktivism, since in September Cyber Crime motivated attacks have overtaken it, accounting for 56% of the occurrences inside the analyzed sample.
The Distribution Of Attack Techniques chart confirms the dominance of SQL Injection with nearly 50% of the attacks. The fall of DDoS in this unwelcome chart is attributable to the lower number of attacks motivated by hacktivism.
After all, apparently governments keep on investing an inadequate amount of money in securing their infrastructure: in fact they continue to lead the Distribution of Targets chart with 30% of the occurrences, nearly twice the industry sector, which ranks second with 16%. Among the single targets (in fact the industry and organization sectors are highly fragmented) educational institutions are the most targeted after governments. Online activities (miscellaneous services, online games, online gambling and e-commerce sites), summed together, reach the considerable figure of 14%.
As usual, I will never get tired of repeating that these data must be taken very carefully since they refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide a high-level overview of the “cyber landscape” of the considered period.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Cyber Crime, and in particular botmasters, never cease to amaze. If you were (not so much) surprised in discovering the compromised supply chain behind the Nitol Botnet (which allowed Chinese manufacturers to sell compromised computers with the botnet pre-installed), you’d better have a look at the ZeroAccess Botnet, which has recently been analyzed by Sophos.
ZeroAccess has some impressive “state-of-the-art” features such as:
- Pure user-mode operation on 32-bit Windows platforms;
- A peer-to-peer protocol for communicating with other members of the botnet to receive updates and download plugins;
- A modular architecture (via plugins) that allows revenues to be generated for the botnet owners in different ways: Click Fraud or Bitcoin Mining (revenues that the security firm estimates at USD 100,000 per day with the botnet at full power);
- A compromised population of over 9 million infected PCs.
Really impressive features indeed, even if I must confess they were not the ones that impressed me most.
One of the challenges of a “successful” botnet is the capability to spread as quickly as possible, infecting and enrolling in the botnet the largest number of hosts in the shortest possible time.
Cyber Criminals are becoming increasingly aware of this, and hence have developed a lucrative Pay-Per-Install partnership affiliate scheme to distribute the dropper. This affiliate scheme (I like to call it a Partnership program) provides well-paid revenues for affiliates who are able to execute successful installations of the dropper. This is exactly what happens in the case of ZeroAccess and it is the reason for its large-scale extent.
The scheme is typically advertised on underground forums and, in the case of ZeroAccess, the revenues are differentiated based on the country of the victim (US victims are probably the most lucrative, since US installs get paid the most, followed by UK, Canada and Australia), and also on the access rights of the infected user (an Admin account gets paid more).
After the discovery of compromised supply chains and programs that provide revenues for botnet distributors, do you still have doubts about the fact that Cyber Crime is really becoming an industry?
In the last wave, Yourikan has taken down 106 Iranian sites, defacing them with a message against the Nuclear Strategy of Iran.
He also claims to have deleted the backend databases.
This is only the latest occurrence of the mutual attacks between the two cyber factions. My sixth sense and one half tells me that more are to come…
After the jump you find the complete list (at the time of writing, in many cases the defaced pages have already been removed).
Here is the usual compilation of the Cyber Attacks in the first half of September, a period which has apparently confirmed the revamping of hacktivism seen in August.
Several operations such as #OpFreeAssange (in support of Julian Assange), #OpTPB2 against the arrest of The Pirate Bay co-founder Gottfrid Svartholm Warg, and #OpIndipendencia in Mexico have characterized the first half of September. Curiously, the hacktivists have also characterized this period with a couple of controversial events: the alleged leak of 1 million UDIDs from the FBI (later proven to be fake) and the alleged attack on GoDaddy (later proven to be a network issue, which is the reason why I have not even mentioned it in this timeline). Other hacktivist-motivated actions have been carried out by Pro-Syrian hackers.
From a Cyber Crime perspective, there are two particularly interesting events (even if quite different): the alleged leak of Mitt Romney’s tax returns and yet another breach against a Bitcoin exchange (Bitfloor), worth the equivalent of 250,000 USD, which forced the operator to suspend operations.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Probably there’s something more to the Next Step of Botnets besides BlackHole 2.0 and the Tor C&C mentioned in my previous post. I mentioned the takedown of the Nitol Botnet by Microsoft as one of the most important infosec events of last week, but I forgot to mention one important aspect related to this event: the malware supply chain.
As a matter of fact, in the case of Nitol, Microsoft discovered a real botnet factory, that is a compromised supply chain based in China, which allowed new computers (to be sold to unaware consumers) to come pre-installed with malware embedded in counterfeit versions of the Microsoft OS.
A step forward in the Cyber Crime industry, with the advantage for cyber crooks of setting up an “army” of zombie machines without running time-consuming drive-by attacks or spam campaigns. I used the term army since the main feature of Nitol is the capability to execute on-demand DDoS attacks (besides offering a backdoor to cyber criminals for taking control of the infected machines).
Unfortunately, what’s especially disturbing, according to Microsoft, is that the counterfeit software embedded with malware could have infiltrated the chain at any point.
If you still have doubts that Cyber Crime has become a real industry, there’s no better example to demonstrate it. Moreover I cannot help but think that, once upon a time, new computers came with antivirus software pre-installed; today they are sold directly with malware.
- The Next Step of Botnets (hackmageddon.com)
This information security week has offered many interesting points: the brand new CRIME attack against SSL/TLS, the release of BlackHole Exploit Kit 2.0, which promises new stealth vectors of drive-by download infections, the takedown of the emerging Nitol botnet by Microsoft, and, last but not least, the first (?) known example of a new generation of C&C servers leveraging the anonymization granted by the Tor service.
The latter is in my opinion the news with the most important consequences for the Information Security community, since it delineates the next step of botnets’ evolution, after the common, consolidated C&C communication schema and its natural evolution consisting in Peer-to-Peer (P2P) communication.
The first (I wonder if it is really the first) discovery of a botnet command server hidden in Tor, using the IRC protocol to communicate with its zombies, has been announced in a blog post by G-Data. Of course the advantages of such a communication schema are quite simple: the botnet may use the anonymity granted by the Deep Web to prevent the identification and the likely takedown of the server, and the encryption of the Tor protocol to make traffic identification harder for traditional layers of defense. Two advantages that greatly outweigh the Tor latency, which represents the weakness of this communication schema.
Maybe it was only a matter of time; in any case it is not a coincidence that in the same weeks researchers have discovered BlackHole 2.0 and the first (maybe) C&C infrastructure hidden inside the Deep Web: Cyber Criminals are continuously developing increasingly sophisticated methods to elude law enforcement agencies and to evade the security controls of the traditional bastions, and botnets are confirming more than ever to be the modern biblical plague of the Web…
And even if every now and then good guys are able to obtain a victory (as the Nitol takedown), the war is far from over.
More details have been released about CRIME, the brand new attack against TLS developed by Juliano Rizzo and Thai Duong.
The attack takes advantage of a flaw related to the compression of TLS requests, whose compression ratio leaks information and allows the attacker to decrypt the requests made by the client to the server. The attacker is able to steal the user’s login cookie and then hijack the user’s session, impersonating him on other destinations such as banks or e-commerce sites.
Not only does the attack work on any version of TLS, but the number of requests needed for the attack to be successful is also quite small, as low as six requests per cookie byte.
Every browser that implements either TLS or SPDY compression (SPDY is an open standard developed by Google to speed up web-page load times) is vulnerable. The list includes Google Chrome, Mozilla Firefox and Amazon Silk. The attack also works against several popular web services, such as Gmail, Twitter, Dropbox and Yahoo Mail. In any case Google and Mozilla have already developed patches to defend against the CRIME attack.
Meanwhile the researchers have released a video with the exploit in action against Dropbox and Github (which patched the servers before the release of the video).
Best way to protect yourself? Upgrade browsers to the latest version and disable compression on servers.
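To show why disabling compression is the right fix, here is an added example (not code from the original post or from the CRIME researchers) that measures what a network observer would see: with DEFLATE compression on, a request whose attacker-controlled URL repeats part of the secret cookie compresses to fewer bytes, so the length itself reveals whether a guess was right; with compression off, every guess produces the same length. The cookie value, the alphabet and the request layout are constructed for the example.

```python
import zlib
from typing import Dict, Set

# Constructed values for this example (not from the original post): a secret
# session cookie that the browser attaches to every request, and the set of
# byte values an attacker would consider for the next unknown cookie byte.
SECRET_COOKIE = b"sessionid=a1b2c3"
ALPHABET = b"0123456789abcdef"


def build_request(attacker_text: bytes) -> bytes:
    """Plaintext of a request in which the attacker controls only the URL
    (for instance through an injected link); the Cookie header is added by
    the browser and is the secret the attacker wants to recover."""
    return (b"GET /search?q=" + attacker_text + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Cookie: " + SECRET_COOKIE + b"\r\n\r\n")


def wire_length(attacker_text: bytes, compression: bool) -> int:
    """Length an observer on the network would see. TLS and SPDY compression
    use DEFLATE, so zlib stands in for it here; with compression disabled
    the length is simply that of the plaintext."""
    plaintext = build_request(attacker_text)
    return len(zlib.compress(plaintext)) if compression else len(plaintext)


def length_per_guess(known_prefix: bytes, compression: bool) -> Dict[bytes, int]:
    """Wire length of one request per candidate next byte. With compression
    on, a candidate equal to the real cookie byte extends the LZ77 match
    between URL and Cookie header, so its request can only be shorter than
    (or, after rounding to whole bytes, equal to) the others. With
    compression off every candidate gives the same length."""
    return {bytes([c]): wire_length(known_prefix + bytes([c]), compression)
            for c in ALPHABET}


def shortest_guesses(known_prefix: bytes) -> Set[bytes]:
    """Candidates whose compressed request is shortest: the set the real
    next byte always belongs to. Byte rounding can leave ties, which is why
    the real attack needs several requests per cookie byte."""
    lengths = length_per_guess(known_prefix, compression=True)
    best = min(lengths.values())
    return {g for g, n in lengths.items() if n == best}


if __name__ == "__main__":
    prefix = b"sessionid="
    print("compression on, shortest guesses:", shortest_guesses(prefix))
    print("compression off, distinct lengths:",
          set(length_per_guess(prefix, compression=False).values()))
```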
- A CRIME Against SSL/TLS Encryption (hackmageddon.com)