For those who can get on location – and can afford it – Richard Bejtlich, from TaoSecurity will give a 2-days course on how to detect and react to an attack on a network. The course will cover those points:
Collection: What data do you need to detect intruders? How can you acquire it? What tools and platforms work, and what doesn’t? Can I build what I need?
Analysis: How do you make sense of data? If intrusion detection systems are dead, what good are they? What is Network Security Monitoring (NSM)? How can I perform network forensics?
Escalation: What do you do when you suspect an intrusion? How can you confirm a compromise? How should you act?
Response: You’re owned — now what? Do you contain, remediate, or play dead? How do intruders react to your actions? Can you ever win?
Black Hat Europe 2009 will occur from April 14 to 17 in Amsterdam and will reunite 20 internationally renowned security specialists worldwide.
A very interesting article on the BBC discussed on how to spammers actually earn money with their system.
Many of us might have asked themselves the question on “why do spammers still sends their e-mails?”, or “how to they make money?” After all, most of computer users know about spam by now. Well it appears that even if spammers gets only one answer for 12.5 million e-mail sent, that’s all they need to make the big bucks. That’s what a team from the International Computer Science Institute found out in their paper “Spamalytics: An Empirical Analysis of Spam Marketing Conversion“.
The researchers hijacked a part of the Storm botnet, which used to be one of the biggest botnet around, and rewrote a part of the command and control module of the bot. In order to measure the success of the spam campaign, the team set up two websites, one being a fake Canadian pharmacy and another was postcard website, used to make the user download malware.
Overall, the computer scientists spawn 8 proxies and 75 869 worker bots. They sent 469 million of spam emails, trying to convince the recipients to buy products from the fake online pharmacy. They also made sure to distinguish the visitors on their website by identifying crawlers and honey clients from genuine clients.
From the 350 million spams sent for the pharmacy website, for a period of 26 days, only 28 people went to visit the purchase page of the fake website.
According to the report:
Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than “millions of dollars every day”, but certainly a healthy enterprise.
 “Spamalytics: An Empirical Analysis of Spam Marketing Conversion“, Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, Stefan Savage, International Computer Science Institute, 2008, p.6
An unnamed senior US official has declared to the Financial Times that the Whitehouse computer network was victim to numerous cyber attacks from China. According to the same official, the attackers had access to e-mails for short periods of time.
The unclassified network of the Whitehouse was breach numerous times by the attackers, which may have stole information. The sensibility of the information accessed is not specified, but since it was on the unclassified network, no data of value should have been viewed by the hackers. The attacks were detected by the National Cyber Investigative Joint Task Force, an agency created in 2007 and under the FBI.
No one from the American and Chinese sides commented on this event. This declaration comes amid many cyber attacks performed in previous years also and every time, blamed on the Chinese or Russians. In 2007, the Pentagon claimed to have been hacked by the cyber division of the People’s Liberation Army (PLA). It has been known for a while not that China has developed advanced cyber warfare capabilities and has gain a lot of experience.
The Register reports that malware creators are already using Mr. Obama’s popularity to distribute the Papras Trojan using spam, social engineering and Google Ads.
Users usually receive an email from what seems a legitimate news sources such as CNN and BBC, inviting users to see the speech of Barack Obama on their website. The content of the email is the following:
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
Newsweek reports that the computer systems of M. Obama and M. McCain were both hacked by unknown attackers during their campaigns. Very little information is available, but according to Newsweek, the FBI and the Secret Services claimed that several files from the Obama servers had been compromised by a “foreign entity” in midsummer. The same happened to the McCain campaign.
According to the FBI, documents were stole by foreign powers (probably Russia or China) in order to gather information for future negotiations.
But the former director of technology for the 2004 presidential campaign of Rep. Dennis Kucinich expressed skepticism about the claims. Henry Poole from CivicActions, a firm that offers Internet campaign consulting services, said “It’s unlikely that either campaign would have stored sensitive data on the same servers that were being used for public campaigning purposes“.
It is unclear if anyone got compromised at all. If so, why would the FBI and Secret Services report such events? Hopefully there is more to come on this…
Russian criminals who are selling a fake anti-virus, “Antivirus XP 2008/2009” among others, have made more than 150 000$ in a week, according to the Sydney Morning Herald. If you ever seen those annoying popups warning you that you might be infected with one or more viruses, then you probably came across this scam.
“For most people they might just be browsing the web and suddenly they don’t know why this thing will pop up in their face, telling them they’ve got 309 infections on their computer, it will change their desktop wallpaper, change their screen saver to fake ‘blue screens of death’,” said Joe Stewart, from SecureWorks said.
The software is sold for 49.95 $US and will “detect” various viruses and Trojans on the computer. Stewart shows that Antivirus XP still has some basic anti-malware functionality, but as he explains, it’s mostly in case the authors are brought to court “they might try to claim the program is not truly fraudulent – after all, it can clean computers of at least a few malicious programs“. Only 17 minor threats can be removed, far from the 102,563 viruses the anti-virus claims to clean. And don’t expect a refund for the software.
The entity behind this fraudware is called Bakasoftware, a Russian company that pays affiliates to sell its anti-virus to users. Affiliates can earn between 58% and 90% of the sale price. Criminals are therefore using everyway to trick users into installing the software, including scaring the user into believing that he is infected, even using botnets to push the program into the users’ computers.
“Since it is not hacking people’s computers and only runs the affiliate program, Bakasoftware does not have to worry about being shut down by police“, Stewart said.
Account Balance (USD)
Table 1.0 – Top earners in the Bakasoftware Affiliate Program
Screenshots took from the administrative panel of bakasoftware.com which was hacked by NeoN:
By the time of this writing, http://www.bakasoftware.com/ was not accessible. Another interesting fact, if the Russian language is installed on your computer, there’s a good chance you won’t be considered as a target because of Russian legislation. Apparently the creators have been sued anyway.
Many other fraudware are available, always proposing anti-malware software. Their ads are oven seen on torrents, warez and cracks/serials sites. What’s particularly dangerous is that they can come with other legitimate software or by drive-by downloads. Once they are installed in your computer, they get annoying very fast and can trick you into buying fraudware. Popups can appear that you are infected. Other types of fraudware are those “boost your computer” software.
P.S “baka” means “stupid” in Japanese. A totally appropriate title for the operators of this company.
According to the latest Security Intelligence Report from Microsoft, malicious software installations on computers increased 38% in the U.S for 2008. Also, the number of “High Severity” vulnerabilities detected increased by 13% in the second half of 2007, putting the total of “High Severity” vulnerabilities to 48%.
Downloaders and droppers, accounting for 30% of all malicious software, with around 7 millions computers infected in the United States alone.
And of course, no good Microsoft document would be complete by stating that Vista in more awesome than XP, and therefore the report states that if you own Windows XP SP3, you’re likely to be infected 9 times on 1000 infections, while this number drops to 4 times on 1000 infections for Vista.
“For browser-based attacks on Windows XP-based machines, Microsoft vulnerabilities accounted for 42 percent of the total. On Windows Vista-based machines, however, the proportion of vulnerabilities attacked in Microsoft software was much smaller, accounting for just 6 percent of the total.”
Taken from the report:
Former Yugoslav Republic of Macedonia
United Arab Emirates
Bosnia and Herzegovina
Table 1.0 – Countries with the Highest Infection Rates
Since the 70s, when Deng Xiaoping was the head of China, the People’s Liberation Army tried to modernize itself and cut its size in order to become more efficient. Still, China is still behind when it comes to military even if its defense budget is the second largest after the United States on the planet, with US$57 billion in 2008. According to an article published in Culture Mandala, China could boost its cyber warfare capabilities in order to compensate for their technological backwardness.
It started as soon as in 2003, when it deployed its first cyber warfare units, the “zixunhua budui“. Since, many attacks have been attributed to China, such as Operation Titan Rain in 2003. China hopes that by using asymmetrical warfare, such as information warfare and cyber warfare, it might level other modern armies.
Michael Vickers, Senior Vice President for Strategic Studies at the Center for Strategic and Budgetary Assessments declared that “a Chinese attack on Taiwan could entail special operations and cyber attacks on U.S. regional bases in Japan and South Korea, and might even include cyber attacks on the U.S. homeland that target the U.S. financial, economic, energy, and communications infrastructure“. In the same document, we can read:
“One way to assess this risk is to ask whether a cyber attack by China launched a few days in advance of a clash could prevent U.S. carrier battle groups from deploying to the Taiwan Straits. Launching the attacks too early would create the risk of discovery and countermeasures.“
It is clear to me that a nation with a technologically late compared to modern armies have all the advantage to develop asymmetrical warfare. We can assess its effectiveness in Afghanistan and Iraq. And cyber warfare is a perfect way to destabilize modern armies used to technology in their daily operations. But this is far from being easy for both sides, as talented individuals and highly skills hackers are needed to develop this kind of warfare. Terrorists and groups are unlikely to develop a high quality cyber warfare force, although they still can be efficient. China, on the other hand, can and is smart to do it. After all, if a force can disable communications the enemy’s communications networks, such as GPS, emails and phone networks, it can makes a strong army useless. Like a strong man or woman, if the brain can contact the muscle through the nervous system, the body is powerless…
BBC News reports that a trojan, labeled Sinowal, has been crawling across the Internet. The Trojan is notorious for stealing bank account details. Sean Brady of RSA‘s security division reports that “more than 270,000 banking accounts and 240,000 credit and debit cards have been compromised from financial institutions in countries including the US, UK, Australia and Poland.” According to Sophos researchers, 14 computers per seconds were infected by Sinowal in 2008.
The Trojan is also known as Torpig and Mebroot and has now been discovered 2 years ago, in 2006, which means it has been collecting information for now 2 years. It uses the drive-by download method to download itself, which means it download and install itself without the user’s knowledge. In the case of this particular Trojan, this is done mainly thought malicious links and HTML injection attacks.
The Trojan installs itself on the master boot record and his polymorphic, making it hard to detect and to remove. RSA suspects that the Sinowal had strong ties to a cybercriminal gang known as the Russian Business Network.
“The original intent, according to him, was to gauge the size of the Internet. He released the worm from the Massachusetts Institute of Technology (MIT) to conceal the fact that it actually originated from Cornell. The worm was designed to count how many machines were connected to the Internet. Unknown to Morris, the worm had a design flaw. The worm was programmed to check each computer it found to determine if the infection was already present. However, Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive. To compensate for this possibility, Morris directed the worm to copy itself anyway, fourteen percent of the time, no matter the response to the infection-status interrogation.”
Nowadays, worms are notorious for spreading malicious payloads across the entire Internet. It also known as an extremely efficient cyber weapon to mass exploit vulnerabilities on a large scale. Popular worms include Code Red, in 2001, which infected up to 359 000 machines, Klez, Blaster, Sasser are also notorious computer worms. Here is a table of notorious worms from the last decade: