<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-9202429674312578040</id><updated>2012-01-25T02:55:52.283-05:00</updated><category term='Peer-to-peer'/><category term='Windows XP'/><category term='Brian Krebs'/><category term='March Madness'/><category term='Email'/><category term='European Commission'/><category term='Webserver directory index'/><category term='HTTP referrer'/><category term='Social network service'/><category term='Crime'/><category term='trojans'/><category term='malware'/><category term='kaspersky'/><category term='Mozilla Firefox'/><category term='France'/><category term='privacy'/><category term='HTML element'/><category term='anti virus'/><category term='IP address'/><category term='User'/><category term='Kaminsky'/><category term='Internet service provider'/><category term='Lost Boys'/><category term='Google Profile'/><category term='Picasa'/><category term='the team'/><category term='spam'/><category term='internet'/><category term='Windows 64-bit'/><category term='Malicious Software'/><category term='Corey Haim'/><category term='cygnos'/><category term='Kaspersky Lab'/><category term='India'/><category term='Web search engine'/><category term='Electronic Privacy Information Center'/><category term='Windows 7'/><category term='Pop-up ad'/><category term='facebook'/><category term='Federal Trade Commission'/><category term='botnets'/><category term='Domain name'/><category term='Electronic Communications Privacy Act'/><category term='Windows Vista'/><category term='Storm'/><category term='Website'/><category term='Lambdanet'/><category term='Cross-site scripting'/><category term='security'/><category 
term='File Transfer Protocol'/><category term='Command and control'/><category term='Eric Schmidt'/><category term='Taskbar'/><category term='Sandra Bullock'/><category term='symantec'/><category term='For Sale or Auction'/><category term='Search'/><category term='Consultants'/><category term='Bullguard'/><category term='Google'/><category term='Business'/><category term='Operating system'/><category term='E-mail'/><category term='Tabanus sudeticus'/><category term='Company'/><category term='cira'/><category term='antivirus'/><category term='Microsoft Windows'/><category term='Bitdefender'/><category term='defintel'/><category term='Slot machine'/><category term='dns'/><category term='FireEye'/><category term='pifts'/><category term='Domain Name System'/><category term='European Commission and Microsoft'/><category term='twitter'/><category term='Zeus'/><category term='microsoft'/><category term='Botnet'/><category term='VirusTotal'/><category term='Internet Explorer'/><category term='Tiger Woods'/><category term='Gumblar'/><category term='Uniform Resource Locator'/><category term='Google Buzz'/><category term='Google Trends'/><category term='Search engine optimization'/><title type='text'>Defence Intelligence</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Davis</name><uri>http://www.blogger.com/profile/13713470016162233081</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>45</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-6615415257962261837</id><published>2012-01-09T12:38:00.002-05:00</published><updated>2012-01-09T13:54:12.538-05:00</updated><title type='text'>7 Security Resolutions for 2012</title><content type='html'>I have spoken before about how we in the security industry need to spend less time talking amongst ourselves and more time trying to educate the average computer user. &amp;nbsp;The following 7 security resolutions for 2012 are part of that pledge.&lt;br /&gt;&lt;br /&gt;For anyone in the industry, there is nothing new here. &amp;nbsp;Having said that, security experts are just as guilty as most when it comes to some of the basics. &amp;nbsp;Do you really use a unique password everywhere? Have you never clicked on a shortened link?&lt;br /&gt;&lt;br /&gt;We often talk about being proactive and not reactive. &amp;nbsp;Now is the chance to practice what we preach.&amp;nbsp;We created the following hoping that people would send it to that aunt that keeps forwarding the powerpoint slideshows. &amp;nbsp;That friend on messenger that keeps getting "hacked". 
&amp;nbsp;&amp;nbsp;Instead of helping them clean up their infested computers when it's too late, maybe we can help keep them from being compromised in the first place.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.defintel.com/images/security%20resolutions.png"&gt;http://www.defintel.com/images/security%20resolutions.png&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Happy New Year!&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-y0iTXWx3UdE/Twskb15PzMI/AAAAAAAAAHo/uMhsBjLlD8A/s1600/security+resolutions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="640" src="http://1.bp.blogspot.com/-y0iTXWx3UdE/Twskb15PzMI/AAAAAAAAAHo/uMhsBjLlD8A/s640/security+resolutions.png" width="498" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-6615415257962261837?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/6615415257962261837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=6615415257962261837' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6615415257962261837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6615415257962261837'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2012/01/7-security-resolutions-for-2012.html' title='7 Security Resolutions for 2012'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-y0iTXWx3UdE/Twskb15PzMI/AAAAAAAAAHo/uMhsBjLlD8A/s72-c/security+resolutions.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-1241725660969621909</id><published>2011-11-10T11:15:00.001-05:00</published><updated>2011-11-10T11:41:01.199-05:00</updated><title type='text'>DNS Changer Malware / Operation Ghost Click</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/-GSnu-QYlG2c/Trv-CZmeSdI/AAAAAAAAAHg/4tD4xlHK0KU/s1600/screen-capture-1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="121" src="http://3.bp.blogspot.com/-GSnu-QYlG2c/Trv-CZmeSdI/AAAAAAAAAHg/4tD4xlHK0KU/s320/screen-capture-1.png" width="320" /&gt;&lt;/a&gt;Trend Micro recently announced, along with the FBI, the dismantling of a cyber criminal gang based out of Estonia. The gang was allegedly responsible for compromising millions of computers and redirecting them to online ads through the implementation of rogue DNS servers. &lt;br /&gt;&lt;br /&gt;Over four million computers across 100 countries had inadvertently downloaded malware onto their systems, many through installing what they thought was a needed codec to view certain movies online. Compromised systems would then have their DNS settings altered to use servers controlled by the gang, rerouting the end users to locations on the Internet they never intended to visit. &lt;br /&gt;&lt;br /&gt;These locations contain ads which, upon click-through or even viewing, generated revenue for the gang, resulting in over $14 million made through advertising fraud. The U.S. Attorney's Office is seeking to extradite the gang for prosecution, likely due to the large number of U.S. 
government and business systems compromised by the gang and the fact that some of the rogue DNS servers were based in Chicago and New York.&lt;br /&gt;&lt;br /&gt;DNS maps a website's name to its IP address, so a user who types "google.com" into a browser is actually taken to "72.14.204.103" (or one of their other IP locations). By forcing a system to use a specific DNS server, like this gang did, users would receive false IP address locations for websites they were trying to visit or ads they normally would have viewed, benefiting the gang while not maliciously harming the user. Examples provided during the indictment of the six Estonian members of the gang included:&lt;br /&gt;&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;"When the user of an infected computer clicked on a domain name link for Netflix, the user was instead taken to a website for an unrelated business called 'BudgetMatch.'"&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;"When the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express 'Plum Card' had been fraudulently replaced with an ad for 'Fashion Girl LA.'"&lt;/blockquote&gt;&lt;br /&gt;The malware which compromised these systems also prevented updates to anti-virus software and the operating system. This helped the malware stay on the compromised systems over an extended period of time. For those concerned that they may be compromised, the FBI has provided a document which aids in understanding the malware and how to check for DNS settings changes on your computer, for both Windows and Mac systems.&lt;br /&gt;&lt;a href="http://www.fbi.gov/news/stories/2011/november/malware_110911/dns-changer-malware.pdf"&gt;The FBI doc &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In this document the IP address ranges of the known rogue DNS servers are listed, indicating server locations in Russia, Ukraine, U.S., and Amsterdam. 
You can see the ranges below:&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;85.255.112.0 through 85.255.127.255&lt;br /&gt;67.210.0.0 through 67.210.15.255&lt;br /&gt;93.188.160.0 through 93.188.167.255&lt;br /&gt;77.67.83.0 through 77.67.83.255&lt;br /&gt;213.109.64.0 through 213.109.79.255&lt;br /&gt;64.28.176.0 through 64.28.191.255&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;-Matt Sully&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-1241725660969621909?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/1241725660969621909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=1241725660969621909' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1241725660969621909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1241725660969621909'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/11/dns-changer-malware-operation-ghost.html' title='DNS Changer Malware / Operation Ghost Click'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-GSnu-QYlG2c/Trv-CZmeSdI/AAAAAAAAAHg/4tD4xlHK0KU/s72-c/screen-capture-1.png' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-6972363040072431081</id><published>2011-11-03T15:08:00.000-04:00</published><updated>2011-11-03T15:08:39.501-04:00</updated><title type='text'>Security through the eyes of a teenager. Part 2</title><content type='html'>&lt;br /&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;b&gt;Are young people more knowledgeable about information security than their elders?&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;I believe that young people are more knowledgeable when it comes to security. The reason being that my generation has been brought up with daily use of computers. We have more experience than most of the older population. 
This does not mean that everyone from my generation knows how to stay secure while online.&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;b&gt;Are young people concerned about privacy online?&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;Everyone says they are worried about their privacy, but young people have already posted all kinds of information about themselves on Facebook, Twitter, and many other social networks.&amp;nbsp; Even if the settings on that site lower the visibility to the public eye, they are still there. I’m not sure if young people believe privacy of their information to be important since it is already up there. 
If it is banking information then we worry, but if not, then it is less of a concern.&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;b&gt;How concerned about information security are young people?&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;Personally, I don’t believe that young people are worried about information security at all. We all fret when something goes wrong, but before something happens, security is not always important. I think the reason for this is that we are not the ones paying for it. It also depends on what kind of computer they are using, and the marketing out there. I remember when I got my MacBook, I thought it was immune to harmful internet malware. 
I started downloading more movies and music, something I would have not done on my old laptop which was a PC.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: normal normal normal 12px/normal Helvetica; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; text-align: left;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;Here are the results of the survey that I sent to my friends:&lt;/span&gt;&lt;/div&gt;&lt;div style="font: normal normal normal 12px/normal Helvetica; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; min-height: 14px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-3R6QKIXDjPw/TrLjANEf7dI/AAAAAAAAAHQ/sHhsLw1_xHQ/s1600/montana+blog_Page_2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="640" src="http://3.bp.blogspot.com/-3R6QKIXDjPw/TrLjANEf7dI/AAAAAAAAAHQ/sHhsLw1_xHQ/s640/montana+blog_Page_2.png" width="492" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-h0k4FCsmn1Y/TrLjB6Jkr3I/AAAAAAAAAHY/XaPgfrbhvRw/s1600/montana+blog_Page_3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="640" src="http://3.bp.blogspot.com/-h0k4FCsmn1Y/TrLjB6Jkr3I/AAAAAAAAAHY/XaPgfrbhvRw/s640/montana+blog_Page_3.png" width="496" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; min-height: 14.0px;"&gt;&lt;span style="letter-spacing: 0.0px;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-MymS-QoSzZE/TrLBe5CKxoI/AAAAAAAAAG4/DVzHPeGYsnw/s1600/montana+blog_Page_3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;span class="Apple-style-span" style="color: #0000ee;"&gt;-Montana&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style="font: 12.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-6972363040072431081?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/6972363040072431081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=6972363040072431081' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6972363040072431081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6972363040072431081'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/11/security-through-eyes-of-teenager-part.html' title='Security through the eyes of a 
teenager. Part 2'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-3R6QKIXDjPw/TrLjANEf7dI/AAAAAAAAAHQ/sHhsLw1_xHQ/s72-c/montana+blog_Page_2.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-6746974985592036857</id><published>2011-10-24T17:25:00.000-04:00</published><updated>2011-10-24T17:25:12.488-04:00</updated><title type='text'>Security through the eyes of a teenager.  Part 1</title><content type='html'>&lt;br /&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;It's often assumed that younger generations are more aware of online threats than us old folks. &amp;nbsp;The notion being that since they've grown up on the internet, they are more knowledgeable and tech savvy. We decided to put this theory to the test.&lt;/i&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;As part of a co-op initiative, &amp;nbsp;Defence Intelligence has recently been joined by a 17 year old high school student named Montana. &amp;nbsp;We thought this would be a great chance to get some insight into what young people really think about information security. &amp;nbsp;As part of her work here, she's going to be doing some research on awareness amongst her peers. &amp;nbsp;Over the next couple of weeks, she'll be taking over our blog and posting her findings. &amp;nbsp;Here she is with her introduction. 
&amp;nbsp;- Keith&lt;/i&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;My name is Montana, and I am a student at West Carleton Secondary School in Dunrobin, Ontario. I signed up for co-op last year to gain an understanding of a specific field that could possibly open many opportunities. I take co-op for five days a week, three hours a day.&amp;nbsp;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;I first decided I was going to take the co-op course at my school when a friend informed me about her experience. I was interested in learning more about a possible career, and&amp;nbsp;began to think what field I would be interested in. I have taken an interest in working with computers but I was uncertain of which direction. After doing some research I discovered Defence Intelligence – a small Ottawa-based information security company.&amp;nbsp;I was fortunate to be able to have such a unique co-op placement.&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;My first day of co-op started by getting myself lost on the OC Transpo bus routes. Once I found the place, I was confused just by the terminology, let alone the work I was doing. After a few days of adjustment and the help of Mr. 
Sully’s patient explanations, I became more comfortable.&amp;nbsp;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;I was first given a project to research the top 25 websites I visited most often. I learned how to use many online resources, the threat analyst interface, and Google search in an effective way. I was able to identify what information is valuable when making a decision about the safety of a website.&amp;nbsp;Each day I was getting better and faster by expanding my intake of knowledge. I was eager to learn as much as possible and to test out my abilities.&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Back at school, many students were interested when I got to describe my job and share what I do. It made me sound pretty technical, although I had no previous experience with internet security before.&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;After many weeks, I gave a presentation to my co-workers.&amp;nbsp;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;That’s what I enjoy about working here. I get the opportunity to make an actual business presentation where I am relied on to demonstrate my understanding. I learned how to speak to people and how to present myself with the comprehension I gained.&amp;nbsp;&amp;nbsp;The subject was the threat analyst interface, which has been an ongoing project since I joined Defence Intelligence. 
I was not nervous about presenting in front of everyone, but was afraid of not giving a clear explanation. I did fairly well, but with some improvements needed.&amp;nbsp;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;When I walked in one afternoon, I was told that I was to be moved around to get a feel for all parts of the business. I am not only learning about the specialty of the business, but the sales side and much more.&amp;nbsp;I was also given a project to create a survey for my friends to answer.&amp;nbsp;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;This survey was intended to get feedback from teenagers about internet security and if they really cared about it. The survey was made up of 10 questions. The first time I mentioned the survey was on Facebook. I posted the survey as a disguised link. This way I was able to see the amount of people who will click on an unknown (potentially untrustworthy) link. I will later repost the link and ask my friends to complete the survey.&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Mrs. Stewart, my co-op teacher, came in one day to see how things were going at my work placement. She was pleased to hear that I was enjoying my time at Defence Intelligence. 
She was also impressed with the variety of areas that I would be working in.&amp;nbsp;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;My co-op placement has lived up to my expectations and I am learning more than what a class in school could teach me – business techniques, management, working with others, communications skills, and so much more. I’m really thankful to Defence Intelligence for taking me on as a co-op student and feeding me with incredible amounts of knowledge.&amp;nbsp;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;- Montana&lt;/div&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-6746974985592036857?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/6746974985592036857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=6746974985592036857' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6746974985592036857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6746974985592036857'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/10/security-through-eyes-of-teenager-part.html' title='Security through the eyes of a teenager.  
Part 1'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-8173087962581422576</id><published>2011-08-24T10:41:00.000-04:00</published><updated>2011-08-24T10:41:07.796-04:00</updated><title type='text'>It's only an option if you know you have a choice</title><content type='html'>I have backlogs everywhere and am probably the worst person in the world at keeping up with my social networking updates. If people only knew about my life through my sporadic social updates, they'd think I was still "Having a good time at Steak and Ale, about to go see this new Gladiator movie."&lt;br /&gt;&lt;br /&gt;In one of my few and far between surfacings for air, I saw some important offerings in the blogging world addressing privacy and security issues of our currently beloved social tools, Twitter and Linkedin.&lt;br /&gt;&lt;br /&gt;Graham Cluley put out a &lt;a href="http://nakedsecurity.sophos.com/2011/08/24/twitter-https-by-default/"&gt;blog this morning&lt;/a&gt; about Twitter's efforts to begin default HTTPS usage, starting with a small percentage of users. 
The option to choose an HTTPS connection, however, is available to all Twitter users, and can be enabled through the settings page (at the bottom).&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-BKKiOaMRRyU/TlT_ED_CImI/AAAAAAAAAGs/1D8VfbjEQuI/s1600/twitter_https.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="37" src="http://1.bp.blogspot.com/-BKKiOaMRRyU/TlT_ED_CImI/AAAAAAAAAGs/1D8VfbjEQuI/s320/twitter_https.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;HTTPS encrypts your normal HTTP traffic across the network, protecting the data being exchanged and the identification of the exchanging parties. This was publicly popularized for banking and purchasing transactions but is making its way into other facets of the internet.&lt;br /&gt;&lt;br /&gt;It's always a smart move to choose HTTPS for your connections into social networking sites. No matter who you are or what sort of details you share with others, every user should be concerned about their privacy and protection of the ownership over their own accounts. For those who like to connect to public wi-fi spots, this is especially important, as open wi-fi leaves you vulnerable to eavesdropping by others.&lt;br /&gt;&lt;br /&gt;Facebook offers HTTPS as well, so search out this setting and enable it if it isn't already enabled. HTTPS is of course important to your security, but there are plenty more settings on Facebook and elsewhere that may be of concern to you regarding usage of your private data.&lt;br /&gt;&lt;br /&gt;Rik Ferguson recently &lt;a href="http://countermeasures.trendmicro.eu/linkedin-optout/"&gt;blogged&lt;/a&gt; about Linkedin settings dealing with social advertising, which would use your own personal information in some of the ads put out across the Linkedin site. 
This would include your name and profile photo integrated right into the advertisement, giving the appearance that you personally endorse a product or service. I already have a big enough issue with buying shirts smeared with the name of the department store. Where's my discount for free advertising? They should pay ME to wear these shirts.&lt;br /&gt;&lt;br /&gt;To disable these advertising options on Linkedin, go to your settings page and click on "account" in the bottom left. Rik walks you through it on his blog &lt;a href="http://countermeasures.trendmicro.eu/linkedin-optout/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Spend some time today, and periodically (new defaults pop up all the time), digging through your social networking settings and opt out of what you don't want. Pay attention to what you're agreeing to when you sign up for a new service. Your safety and privacy could be at risk. And stop buying T-shirts with the store name on them. That's just wrong.&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-8173087962581422576?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/8173087962581422576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=8173087962581422576' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/8173087962581422576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/8173087962581422576'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/08/its-only-option-if-you-know-you-have.html' title='It&apos;s only an option if you know you have a 
choice'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-BKKiOaMRRyU/TlT_ED_CImI/AAAAAAAAAGs/1D8VfbjEQuI/s72-c/twitter_https.png' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-3060567468291400458</id><published>2011-08-10T16:07:00.000-04:00</published><updated>2011-08-10T16:07:05.474-04:00</updated><title type='text'>Defcon 19 Cell Hack</title><content type='html'>Hackers from around the globe recently met in Vegas for the 19th Defcon hacking conference. This is a huge event for those interested in security and, more importantly, the holes in current security products and tactics, as well as next generation vulnerabilities. So naturally, one might be wary of freely using their laptop or smart phone around so many hacking enthusiasts. Throwing caution to the digital wind, however, whether through arrogance, confidence, or disregard, people still actively connected, but mostly through their cell phones instead of their laptops.&lt;br /&gt;&lt;br /&gt;Though little is confirmed about a legitimate hack, while at the conference people were expressing concern over strange occurrences on their phones, including degraded signal and well-timed multiple suggested software updates. Degraded service where thousands of 4G users are bombarding towers all at the same time may be reasonably expected. 
According to a post on &lt;a href="http://seclists.org/fulldisclosure/2011/Aug/76"&gt;seclists.org&lt;/a&gt;, however, a "weapon" may have been used to gain access to thousands of phones and computers belonging to cell phone users who should have been far more suspicious at Defcon.&lt;br /&gt;&lt;br /&gt;In the seclists.org post, coderman says the attack was designed for mass exploitation, reconnaissance, [data] exfiltration, and eavesdropping, using a variety of exploits and techniques across CDMA and 4G connections.&lt;br /&gt;&lt;br /&gt;In the same post he lists symptoms that may indicate a victim of the Defcon cell attack. Some of the symptoms are vague and include an Android crash or charging troubles, which could be caused by normal issues. Other symptoms, which may still be benign, include full signal but poor bandwidth, or slow download speeds but fast upload speeds. Most concerning, though possibly excluding phones, he mentions the presence of an ssh process that can't be killed.&lt;br /&gt;&lt;br /&gt;Fake charging stations, believed to be a delivery method for the malware mentioned here, were sprinkled throughout the area. Many were wise enough to spot and avoid them; plugging in anywhere while at Defcon was a generally recognized bad idea, but apparently not recognized enough.&lt;br /&gt;&lt;br /&gt;I am disappointed by the lack of paranoia/caution displayed by the people who attended this event. They should know better than to trust leaving anything open to compromise when going to a conference like this, from their wallets to their cell phones. Attendees were even advised by &lt;i&gt;staff&lt;/i&gt; not to use the available wifi. 
Even hackers are victims from time to time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-3060567468291400458?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/3060567468291400458/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=3060567468291400458' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3060567468291400458'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3060567468291400458'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/08/defcon-19-cell-hack.html' title='Defcon 19 Cell Hack'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-3388564386585121630</id><published>2011-07-28T13:45:00.003-04:00</published><updated>2011-08-11T19:16:19.453-04:00</updated><title type='text'>IT Security Isn't Important - Part 1 of 3</title><content type='html'>&lt;br /&gt;That's right, it isn't important. &amp;nbsp;I realize that it matters to most of the people reading this. &amp;nbsp;What I have recently realized, however, is that it really doesn't matter to most. &amp;nbsp;We in the industry are in denial about our place in the scheme of things. &amp;nbsp;It's self-evident to us that information security is of vital importance. 
&amp;nbsp;We talk about the massive market for IT security, the amount of press breaches are given, and the big push for compliance and increased security across all standards. &amp;nbsp;Still, it's just not that important to enough people. &amp;nbsp;Symantec had roughly $6b in revenue last year. &amp;nbsp;While they were doing that, Avon sold $11b worth of cosmetics using a network of door-to-door salespeople. &amp;nbsp;Think about it.&lt;br /&gt;&lt;br /&gt;The IT security market is considerable. &amp;nbsp;Gartner estimates it to be in the realm of $85b a year. &amp;nbsp;$85b is a lot of money. &amp;nbsp;Having said that, there was more money spent on commercial cleaning and garbage removal last year than there was on IT security. &amp;nbsp;So really, how important are we? &amp;nbsp;While the threat of a dirty office is no laughing matter, I don't think it is quite as important as keeping your data secure.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-aJE4HxdjWeE/TjGftbajoLI/AAAAAAAAAGc/BiL5XKYRW6Y/s1600/WXdJB.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-aJE4HxdjWeE/TjGftbajoLI/AAAAAAAAAGc/BiL5XKYRW6Y/s320/WXdJB.jpg" width="239" /&gt;&lt;/a&gt;We talk a lot about user awareness and training, and yet I think we've failed in that it's something that we mention to people and then forget. &amp;nbsp;It's very much a "do as I say and not as I do" mentality. &amp;nbsp;We speak to organizations and groups about awareness, but do little ourselves to spread that awareness. &amp;nbsp;I'm as guilty as anyone in this regard. &amp;nbsp;Three years in, and the most my friends and family can say of my business is that I do "fancy anti-virus or something". &amp;nbsp;This is usually followed up by a request to "speed their computer up". &amp;nbsp;The number one question I get from the average consumer? 
&amp;nbsp;"Is it safe to use my credit card online?" &amp;nbsp;Nearly twenty years on, and we still haven't answered a single question for the general public.&lt;br /&gt;&lt;br /&gt;Most people have a very good knowledge of “real world” crimes. &amp;nbsp;It makes sense, they’ve been around longer and get all the good TV shows. &amp;nbsp;What we need to do is translate cyber crimes into “real world” crimes. &amp;nbsp;Most people think they know what a virus is, or what a hacker does. &amp;nbsp;Mostly though, they just don’t. &amp;nbsp;I have had far too many conversations with C-level execs and VPs who have absolutely no clue. &amp;nbsp;It's disheartening when you speak to the CIO of a Fortune 50 company who doesn't know what a botnet is. &amp;nbsp;It's disheartening, but it's also enlightening. We need people to understand that what happens online affects the real world, and them directly. &amp;nbsp;In short, we need to make information security important to them personally.&lt;br /&gt;&lt;br /&gt;It’s up to us as security professionals to make it important to everyone. &amp;nbsp;It’s up to us to help people understand. &amp;nbsp;We need to step outside of the security groups and the IT crowd. &amp;nbsp;We need to talk to the business leaders, the financial teams, the HR groups, all of them. &amp;nbsp;We should be talking to our friends, our colleagues, that aunt that keeps sending out the cute slideshows. &amp;nbsp;If we ever want the average user to “get it”, we need to help them do so. &amp;nbsp;Until then, it just won’t be important.&lt;br /&gt;&lt;br /&gt;While we need to exchange ideas and information with our peers, what I think is even more crucial is that we spend more time talking to the uninitiated. &amp;nbsp;It's great to see all the experts at an event, but what would help our industry more is to see the non-experts at these events. 
If we keep talking to other experts and rely on them to spread the word, we'll continue to fail.&lt;br /&gt;&lt;br /&gt;So do we start at the top? &amp;nbsp;Should we try to get the government to mandate the hell out of security and force people's hands? &amp;nbsp;Do we harass CEOs to institute appropriate policies and then enforce them? &amp;nbsp;I don't think so. &amp;nbsp;Good policy is important, but even the best policy is easily ignored by those who care little for it. &amp;nbsp;I think we all know enough users who skirt their employer's Facebook policy. &amp;nbsp;If people don't understand the policy and the reasoning behind it, they will never back it, and they will never adhere to it.&lt;br /&gt;&lt;br /&gt;Defence Intelligence has run a number of informational seminars in the past. &amp;nbsp;These have mostly been aimed at specific threats or technologies, and were designed for security experts. &amp;nbsp;What I'm asking myself now is, why have we never done a far more basic seminar for the layman? &amp;nbsp;We feel the pain of the security staff while they try to justify their budget, but what have we done to help them? &amp;nbsp;I've been frustrated many times while trying to explain why "we have a firewall" is not a legitimate security stance. &amp;nbsp;Really, though, how much have I done to correct it? &lt;br /&gt;&lt;br /&gt;We’re going to change. &amp;nbsp;We’re going to start offering basic informational seminars and training to both our clients and our potential clients. &amp;nbsp;No fees, no product pitch, just basic information, awareness and policy for anyone who might be interested. 
&amp;nbsp;At least then we’ll be able to say that we’re doing our part to make security important.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Part 2 coming soon - Why IT Security Isn't Important&lt;/b&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-3388564386585121630?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/3388564386585121630/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=3388564386585121630' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3388564386585121630'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3388564386585121630'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/07/it-security-isnt-important.html' title='IT Security Isn&apos;t Important - Part 1 of 3'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-aJE4HxdjWeE/TjGftbajoLI/AAAAAAAAAGc/BiL5XKYRW6Y/s72-c/WXdJB.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-1373784211029377562</id><published>2011-07-25T17:24:00.002-04:00</published><updated>2011-07-25T17:24:43.776-04:00</updated><title type='text'>Mariposa Redux</title><content type='html'>It seems that long after we identified and took down Mariposa, bad folks are still using the butterfly kit behind it to build large 
botnets.&amp;nbsp; &lt;br /&gt;&lt;br /&gt;There’s been some coverage around the EvilFistSquad/Metulji takedown recently, and given the relationship to Mariposa, I thought I’d say a few words.&lt;br /&gt;&lt;br /&gt;A few points:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Mariposa is back?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;EvilFistSquad/Metulji is not Mariposa.&amp;nbsp; It is similar in intent and based on the same butterfly kit.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;How big is it?&amp;nbsp;&lt;/b&gt; &lt;br /&gt;&lt;br /&gt;Like Mariposa, it’s impossible to tell for certain.&amp;nbsp; Even if all command and control domains were seized, dynamic IPs, NATs/firewalls, etc. make it impossible to be sure.&amp;nbsp; By all accounts, it’s big.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Who is behind it?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The FBI and Interpol arrested two individuals earlier this month in connection with this botnet.&amp;nbsp; It is unclear, but likely, that other operators are still at large.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Is it still active?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Some of the command and control domains have been taken down, but not all.&amp;nbsp; Compromised systems are still losing data.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;What we can learn from this:&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;What this takedown shows us is that you needn’t be technically proficient or even all that clever to amass millions of victims.&amp;nbsp; Think about it:&lt;br /&gt;&lt;br /&gt;The creator of butterfly was arrested and had his equipment seized.&amp;nbsp; The authorities have all his transaction details and know who purchased the kit.&lt;br /&gt;&lt;br /&gt;The botmasters raised suspicions by extravagant spending.&lt;br /&gt;&lt;br /&gt;The botmasters used their real names and addresses in some cases.&lt;br /&gt;&lt;br /&gt;As Luis Corrons from Panda was quoted as saying: "Obviously, those bot masters are either not concerned about going to jail or just plain stupid.”&lt;br /&gt;&lt;br /&gt;This 
case also goes to show just how difficult these botnets can be to dismantle.&amp;nbsp; Even when the malware is known, even when the attackers are less than gifted, it can still be incredibly difficult to take down a botnet.&amp;nbsp; Mariposa was a rare slam dunk in that we were able to gain control of all of the C&amp;amp;C domains simultaneously and redirect them to our space.&lt;br /&gt;&lt;br /&gt;Working with Panda and the FBI for the Mariposa takedown was a pleasure, and I’m glad to see that they’re staying on top of all the butterflies out there.&amp;nbsp; This is another example of how Law Enforcement, Researchers, and the private sector can work together to be more effective in the fight against online crime.&lt;br /&gt;&lt;br /&gt;Congratulations to all those who worked on this, keep up the good fight.&lt;br /&gt;&lt;br /&gt;Keith Murphy&lt;br /&gt;CEO&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-1373784211029377562?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/1373784211029377562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=1373784211029377562' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1373784211029377562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1373784211029377562'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/07/mariposa-redux.html' title='Mariposa Redux'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-448205925659279016</id><published>2011-07-20T10:32:00.000-04:00</published><updated>2011-07-20T10:32:24.595-04:00</updated><title type='text'>Google Plus Anti-Malware</title><content type='html'>Google never rests, and is always mixing up something new to try out on its users. Some efforts have been failures and others have been welcomed by many. Recently, &lt;a href="http://googleblog.blogspot.com/2011/07/using-data-to-protect-people-from.html"&gt;Google announced&lt;/a&gt; a seemingly one-time attempt at informing specific users of a possible malware compromise on their systems.&lt;br /&gt;&lt;br /&gt;Currently they are a bit vague on the malware involved, but state in their blog that this particular malware uses a limited number of proxies to send traffic to Google. When a user compromised by this malware visits Google they are shown a message at the top of their browser saying, "Your computer appears to be infected."&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-mUJadOi3wXE/TibmkNRQrPI/AAAAAAAAAGY/uKPzTl7IZk0/s1600/MalwareWarningScreenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="83" src="http://3.bp.blogspot.com/-mUJadOi3wXE/TibmkNRQrPI/AAAAAAAAAGY/uKPzTl7IZk0/s320/MalwareWarningScreenshot.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The traffic arriving at Google through these proxies must have a very specific and limited signature for the company to display these messages with confidence. A wide range of malware utilizes Google in some way to carry out functions or as a form of communication. Some use Google resources as a way to spread malware, through fake Blogspot pages or hijacked web searches. 
Some malware just checks Google to make sure the compromised system has an internet connection.&amp;nbsp;&lt;br /&gt;&lt;br /&gt;This may only be a one-time event, but I wouldn't put it past Google that this is an introduction into future areas of exploration into the anti-virus field. Why not? They dip their fingers into every other internet pot. Google Safe Browsing warnings are already a sight people have grown accustomed to, understand, and embrace.&amp;nbsp; Is Google going to capitalize on their already existing involvement in the malware world by taking the extra step toward their end users? Is Google AV on the horizon?&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-448205925659279016?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/448205925659279016/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=448205925659279016' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/448205925659279016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/448205925659279016'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/07/google-plus-anti-malware.html' title='Google Plus Anti-Malware'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-mUJadOi3wXE/TibmkNRQrPI/AAAAAAAAAGY/uKPzTl7IZk0/s72-c/MalwareWarningScreenshot.png' 
height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-5694060452586510203</id><published>2011-06-14T15:40:00.000-04:00</published><updated>2011-06-14T15:40:20.079-04:00</updated><title type='text'>Defence Intelligence</title><content type='html'>And we're back.&lt;br /&gt;&lt;br /&gt;Not that we really went anywhere, we've just neglected the blog for a while as we concentrated on improving our flagship product, reworking our website and brand, hiring some new talent, and widening our malware dragnet to keep our clients safer.&amp;nbsp; Needless to say, we've been rather busy.&lt;br /&gt;&lt;br /&gt;The last year has been a whirlwind for all of us here at Defence Intelligence.&amp;nbsp; As with most IT startups, we were not without our share of growing pains.&amp;nbsp; We have spent most of the last year narrowing our focus and clearly defining our space and goals.&amp;nbsp; We've had some personnel changes, some product changes, and even split off part of our business.&amp;nbsp; Having said all of that, we're finally ready to put ourselves out there again, and we'll be updating this blog on a regular basis.&lt;br /&gt;&lt;br /&gt;You'll notice our new logo, our new website, and our new version of Nemesis over at &lt;a href="http://www.defintel.com/"&gt;www.defintel.com&lt;/a&gt;.&amp;nbsp; With all of the changes we've made, we wanted our brand to reflect our growth and advances while retaining ties to our roots.&amp;nbsp; I think the talented folks at Owly Design did a great job, and can't recommend them enough.&amp;nbsp; Feel free to let us know what you think of their work.&lt;br /&gt;&lt;br /&gt;The biggest news is Nemesis 2.0.&amp;nbsp; It's been a long time coming.&amp;nbsp; I can't tell you how happy I am to be able to announce the release of this product. 
This is what we've been working so hard on for what seems like an eternity.&amp;nbsp; This is the product that we always wanted to give our clients. Nemesis 2.0 is truly a revolutionary approach to malware protection, and it is quite simply the most effective anti-malware tool on the market. We've made lots of improvements, but some of the most obvious are as follows:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Improved compromise detection and  protection capabilities&lt;/li&gt;&lt;li&gt;A web based management console that provides real time awareness of malicious activity on the client network&lt;/li&gt;&lt;li&gt;Client defined rule creation to immediately block suspicious network communication&lt;/li&gt;&lt;li&gt;Event history search and custom filtering options to find details behind Nemesis protection events&lt;/li&gt;&lt;li&gt;Easy summary/situational reporting generation and download&lt;/li&gt;&lt;/ul&gt;You can learn more at: &lt;a href="http://defintel.com/solutions-nemesis.php"&gt;http://defintel.com/solutions-nemesis.php&lt;/a&gt; or &lt;a href="http://defintel.com/contact-us.php"&gt;contact us&lt;/a&gt; for a free trial.&lt;br /&gt;&lt;br /&gt;We'll be rolling out more improvements to Nemesis in the near future, keep an eye on our blog for details. As always, all additions and upgrades to our products are free of charge to our clients.&lt;br /&gt;&lt;br /&gt;I'd like to thank our clients, our partners and our friends for their support during all of this, it is much appreciated.&amp;nbsp; I'd also like to thank all of our team for their work on 2.0.&amp;nbsp; Eric and Matt in particular have gone above and beyond the call of duty, and I know that it hasn't been easy.&amp;nbsp; Now I get to start harassing them for 2.1. 
;)&lt;br /&gt;&lt;br /&gt;If you haven't looked at Nemesis or Defence Intelligence before, now is the time.&amp;nbsp; Malware has evolved.&amp;nbsp; So have we.&lt;br /&gt;&lt;br /&gt;All the best,&lt;br /&gt;&lt;br /&gt;Keith Murphy&lt;br /&gt;CEO&lt;br /&gt;&lt;a href="http://www.defintel.com/"&gt;www.defintel.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-5694060452586510203?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://defintel.com' title='Defence Intelligence'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/5694060452586510203/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=5694060452586510203' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5694060452586510203'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5694060452586510203'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2011/06/defence-intelligence.html' title='Defence Intelligence'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-3396958145139712786</id><published>2010-04-30T10:35:00.001-04:00</published><updated>2010-04-30T10:35:59.968-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Peer-to-peer'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Storm'/><category 
scheme='http://www.blogger.com/atom/ns#' term='FireEye'/><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><category scheme='http://www.blogger.com/atom/ns#' term='E-mail'/><category scheme='http://www.blogger.com/atom/ns#' term='Botnet'/><category scheme='http://www.blogger.com/atom/ns#' term='IP address'/><title type='text'>Cloudy Skies</title><content type='html'>&lt;div class="zemanta-img" style="display: block; float: right; margin: 1em; width: 250px;"&gt;&lt;a href="http://www.flickr.com/photos/54304913@N00/209017661" rel="nofollow"&gt;&lt;img alt="Before the Storm" height="148" src="http://farm1.static.flickr.com/60/209017661_4ffa35612d_m.jpg" style="border: medium none; display: block;" width="240" /&gt;&lt;/a&gt;&lt;span class="zemanta-img-attribution"&gt;Image by &lt;a href="http://www.flickr.com/photos/54304913@N00/209017661"&gt;premasagar&lt;/a&gt; via Flickr&lt;/span&gt;&lt;/div&gt;Storm talk is thundering across the security blog horizon. Despite the consensus that this spam monster is indeed a Storm relative, there is some argument over just how NEW this new Storm is.&lt;br /&gt;&lt;br /&gt;Several people have taken a look at the spam-spewing samples, digging into the &lt;a href="https://www.honeynet.org/node/539"&gt;malware's functionality&lt;/a&gt; as well as its communication, and the &lt;a href="http://community.ca.com/blogs/securityadvisor/archive/2010/04/26/the-come-back-of-storm-worm.aspx"&gt;templates used&lt;/a&gt; for generating the various spam emails. They have found major similarities between several aspects of the new and old Storm fronts, including filename usage and user-agent typos (Windoss instead of Windows), but the more recent version has excluded the peer-to-peer portion of the code.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.fireeye.com/research/2010/04/storm-resurrection-is-it-true.html"&gt;Atif Mushtaq at FireEye writes&lt;/a&gt; that these are all details he observed on a Storm variant back in 2008. 
So is this old news? Nothing about what is being called Pecoan (another name in the long list: Nuwar, Peacomm, Zhelatin, Dorf) is really more sophisticated than its predecessor, and the samples I ran only connected with one static IP, so I don't think this Storm will be as violent as the last. The creators of the original Storm have had enough time to code a better botnet, so perhaps this is just a rediscovery of a forgotten remnant. &lt;br /&gt;&lt;br /&gt;Right now compromised systems are sending out online pharmacy, adult dating, and nude celebrity emails. The template design allows for a wide array of sender names, subjects, message content, and destination URLs. The malware harvests email addresses from the victim machines and sends Base64-encoded POSTs to pass information and report in to its C&amp;amp;C.&lt;br /&gt;&lt;br /&gt;As always, be cautious while online and when in doubt, don't click.&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp;amp; Analysis&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-3396958145139712786?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://defintel.blogspot.com/feeds/3396958145139712786/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=3396958145139712786' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3396958145139712786'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3396958145139712786'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/04/cloudy-skies.html' title='Cloudy Skies'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm1.static.flickr.com/60/209017661_4ffa35612d_t.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-269455348697973885</id><published>2010-04-21T10:49:00.000-04:00</published><updated>2010-04-21T10:49:14.892-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='France'/><category scheme='http://www.blogger.com/atom/ns#' term='India'/><category scheme='http://www.blogger.com/atom/ns#' term='Federal Trade Commission'/><category scheme='http://www.blogger.com/atom/ns#' term='Electronic Privacy Information Center'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Eric Schmidt'/><category scheme='http://www.blogger.com/atom/ns#' term='Electronic Communications Privacy Act'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Buzz'/><title type='text'>Private Discussion</title><content type='html'>&lt;div 
class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;User privacy is of major concern to just about everyone, because just about everyone needs some level of privacy. Google, with its massive user following and array of product offerings, has a huge responsibility to keep its users' data confidential and safe. The &lt;a href="http://defintel.blogspot.com/2010/02/buzz-words.html"&gt;Google Buzz bungle&lt;/a&gt; is an example of how Google's handling of private user information doesn't always live up to expectations.&lt;br /&gt;&lt;br /&gt;Privacy/Data/Information commissioners from 10 countries sent a joint &lt;a href="http://www.priv.gc.ca/media/nr-c/2010/let_100420_e.cfm"&gt;letter&lt;/a&gt; to Google CEO Eric Schmidt on April 20, expressing their concern that "the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications."&lt;br /&gt;&lt;br /&gt;The letter made various statements like Google Buzz "betrayed a disappointing disregard for fundamental privacy norms and laws" and that "launching a product in “beta” form is not a substitute for ensuring that new services comply with fair information principles before they are introduced." Also included were suggested principles to be used by Google to ensure user privacy, such as "collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service" and "ensuring that all personal data is adequately protected."&lt;br /&gt;&lt;br /&gt;While the letter seems well-intentioned, its message arrives a bit late. U.S. Congressman John Barrow penned his own joint letter to the Federal Trade Commission at the end of March over the same Buzz/privacy issues. 
Congressman Barrow's &lt;a href="http://barrow.house.gov/images/stories/Google_Buzz_Letter.pdf"&gt;letter&lt;/a&gt; cites the Electronic Privacy Information Center's (EPIC) previously filed complaint "alleging that Google Buzz violates federal privacy law." By way of public response, Google issued a &lt;a href="http://www.scribd.com/doc/30196432/FTC-Roundtable-Comments-Final"&gt;letter&lt;/a&gt; to the Federal Trade Commission regarding their policies on information privacy. In this ten-page letter, Google shared their efforts to "develop products that reflect strong privacy standards and practices." They also stated their support for "strong industry commitments to ensure transparency, user control, and security in Internet services for consumers" as well as "strengthened protections from government intrusion."&lt;br /&gt;&lt;br /&gt;To demonstrate a small history of various government "intrusion", Google created the government requests page (&lt;a href="http://www.google.com/governmentrequests/"&gt;http://www.google.com/governmentrequests/&lt;/a&gt;). The page maps out content removal requests and user data requests made by government agencies for the second half of 2009. The leaders in user data requests are Brazil (3663), the U.S. (3580), the U.K. (1166) and India (1061).&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&amp;nbsp;&lt;a href="http://1.bp.blogspot.com/_nMx-DUJRrDc/S88GGHTLwkI/AAAAAAAAAFg/gUnwwr-bS-4/s1600/screen-capture.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="192" src="http://1.bp.blogspot.com/_nMx-DUJRrDc/S88GGHTLwkI/AAAAAAAAAFg/gUnwwr-bS-4/s320/screen-capture.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Also displayed through this map is every country that signed the privacy letter to Google. 
Government agencies from France, Germany, Israel, Italy, Ireland, the Netherlands, New Zealand, Spain, Canada and the United Kingdom all scolded Google for inadvertently disclosing personal user information, but prodded them for the same information months earlier.&lt;br /&gt;&lt;br /&gt;Though data protection departments may not be the ones who made the requests, government is often looked at as a collective entity, leading some to consider these actions hypocritical. In the FAQ for the government requests page, Google says "the statistics primarily cover requests in criminal matters." Does this justify cooperation from Google? When is it okay to abandon privacy for the sake of law enforcement? I don't know. It is a difficult balance for Google and world governments in protecting both privacy and national laws.&lt;br /&gt;&lt;br /&gt;The Electronic Communications Privacy Act (ECPA) is a key part of finding this balance. Find out more:&lt;br /&gt;&lt;a href="http://www.digitaldueprocess.org/"&gt;www.digitaldueprocess.org&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you want to see what Google has on you, start with:&lt;br /&gt;&lt;a href="http://www.google.com/dashboard"&gt;www.google.com/dashboard&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp;amp; Analysis&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/269455348697973885/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=269455348697973885' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/269455348697973885'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/269455348697973885'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/04/private-discussion.html' title='Private Discussion'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_nMx-DUJRrDc/S88GGHTLwkI/AAAAAAAAAFg/gUnwwr-bS-4/s72-c/screen-capture.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-5361742411422087875</id><published>2010-03-24T14:33:00.007-04:00</published><updated>2010-03-24T14:49:16.059-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Bullguard'/><category scheme='http://www.blogger.com/atom/ns#' term='Bitdefender'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='antivirus'/><category
scheme='http://www.blogger.com/atom/ns#' term='Operating system'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows 64-bit'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Bitdefender Gets a Bit Too Defensive</title><content type='html'>&lt;p class="zemanta-img" style="margin: 1em; float: right; display: block; width: 310px;"&gt;&lt;a href="http://en.wikipedia.org/wiki/Image:BitDefender_logo.svg"&gt;&lt;img src="http://upload.wikimedia.org/wikipedia/en/thumb/b/bd/BitDefender_logo.svg/300px-BitDefender_logo.svg.png" alt="BitDefender" style="border: medium none ; display: block;" height="54" width="300" /&gt;&lt;/a&gt;&lt;span class="zemanta-img-attribution"&gt;Image via &lt;a href="http://en.wikipedia.org/wiki/Image:BitDefender_logo.svg"&gt;Wikipedia&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;Bitdefender antivirus unwittingly released a signature update to its users on March 20th that detected and quarantined key Windows system files as malware, causing general &lt;a class="zem_slink freebase/en/operating_system" href="http://en.wikipedia.org/wiki/Operating_system" title="Operating system" rel="wikipedia"&gt;OS&lt;/a&gt; failures.&lt;br /&gt;&lt;br /&gt;Bitdefender had this statement on the news portion of their site:&lt;br /&gt;&lt;br /&gt;"&lt;span style="font-size:85%;"&gt;&lt;span style="font-style: italic;"&gt;Saturday around 8:20am PST, an update that we were working on was uploaded prematurely in our servers. 
This update affected only products running on Windows 64-bit systems.&lt;/span&gt;&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;The premature update caused various .exe and .dll files to be quarantined for both the Windows software and the Bitdefender software, each file detected as Trojan.FakeAlert.5.&lt;br /&gt;&lt;br /&gt;"&lt;span style="font-style: italic;font-size:85%;" &gt;Consequently, for some systems, &lt;a class="zem_slink freebase/en/bitdefender" href="http://www.bitdefender.com" title="BitDefender" rel="homepage"&gt;BitDefender&lt;/a&gt; did not run anymore, applications did not work or Windows could not start.&lt;/span&gt;"&lt;br /&gt;&lt;br /&gt;This caused quite an uproar among the AV's users as well as &lt;a class="zem_slink freebase/en/bullguard" href="http://www.bullguard.com/" title="BullGuard" rel="homepage"&gt;Bullguard&lt;/a&gt; antivirus users, whose software relies on Bitdefender's engine and signatures. Though both companies have offered assistance in remediating the situation, many customers are outraged, especially when the only compensation offered to users so far has been free usage of the very software that caused the problem. A blunder like this also does nothing for the image of AV, whose &lt;a href="http://defintel.blogspot.com/2010/02/av-plays-catch-up.html"&gt;credibility&lt;/a&gt; and effectiveness have been in question for the last few years.&lt;br /&gt;&lt;br /&gt;Detection rates by some AV groups are often low, and the gap between the release of new malware and its detection by AV is currently too wide, allowing for the growth of large botnets like &lt;a href="http://www.google.com/hostednews/ap/article/ALeqM5hI0qlrmCn1ZX-8QXAMNklf3BCQNwD9E6MCO80"&gt;Mariposa&lt;/a&gt;. 
False alarms, especially when automatically quarantined, can disrupt or severely damage home user and business systems, as they have with this update mishap.&lt;br /&gt;&lt;br /&gt;I'm sure many of the Bitdefender/Bullguard users will be jumping ship, scouting alternative antivirus software, but how will they know which one to choose and which one to trust? A lot of AV company blogs end with something like, &lt;span style="font-style: italic;"&gt;make sure you are completely updated with the latest signatures or software versions to ensure your protection&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;Well, that's not working for Bitdefender. What are they going to say now?&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Bitdefender's help page:&lt;br /&gt;&lt;a href="http://www.bitdefender.com/site/KnowledgeBase/consumer/#638"&gt;http://www.bitdefender.com/site/KnowledgeBase/consumer/#638&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Bullguard's help page:&lt;br /&gt;&lt;a href="http://bullguard.com/support/system-status.aspx"&gt;http://bullguard.com/support/system-status.aspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp;amp; Analysis&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/5361742411422087875/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=5361742411422087875' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5361742411422087875'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5361742411422087875'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/03/bitdefender-gets-bit-too-defensive.html' title='Bitdefender Gets a Bit Too Defensive'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-1041043243618896756</id><published>2010-03-18T15:08:00.007-04:00</published><updated>2010-03-18T15:30:39.839-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Search'/><category scheme='http://www.blogger.com/atom/ns#' term='March Madness'/><category scheme='http://www.blogger.com/atom/ns#' term='Search engine optimization'/><category scheme='http://www.blogger.com/atom/ns#' term='Sandra Bullock'/><category scheme='http://www.blogger.com/atom/ns#' term='Tiger Woods'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='Lost Boys'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Trends'/><category scheme='http://www.blogger.com/atom/ns#' term='Web search engine'/><category
scheme='http://www.blogger.com/atom/ns#' term='Uniform Resource Locator'/><category scheme='http://www.blogger.com/atom/ns#' term='Corey Haim'/><title type='text'>Malware Spread Optimization</title><content type='html'>&lt;p class="zemanta-img" style="margin: 1em; float: right; display: block; width: 250px;"&gt;&lt;a href="http://www.flickr.com/photos/18548283@N00/1704538333"&gt;&lt;img src="http://farm3.static.flickr.com/2053/1704538333_075cd54463_m.jpg" alt="Mt. San Miguel is on fire.  San Diego County w..." style="border: medium none ; display: block;" height="160" width="240" /&gt;&lt;/a&gt;&lt;span class="zemanta-img-attribution"&gt;Image by &lt;a href="http://www.flickr.com/photos/18548283@N00/1704538333"&gt;slworking2&lt;/a&gt; via Flickr&lt;/span&gt;&lt;/p&gt;When I heard of &lt;a class="zem_slink freebase/en/corey_haim" href="http://www.imdb.com/name/nm0000433/" title="Corey Haim" rel="imdb"&gt;Corey Haim&lt;/a&gt;'s death, shortly after fond recollections of &lt;a class="zem_slink freebase/en/license_to_drive" href="http://www.imdb.com/title/tt0095519/" title="License to Drive" rel="imdb"&gt;License to Drive&lt;/a&gt; and &lt;a class="zem_slink freebase/en/the_lost_boys" href="http://www.imdb.com/title/tt0093437/" title="The Lost Boys" rel="imdb"&gt;The Lost Boys&lt;/a&gt; cinema moments, I wondered how soon the unfortunate news would be used in the spread of malware. Well, it didn't take long. Hours after the announcement of Haim's death, search results for his name came up with domains used to spread rogue antivirus software.&lt;br /&gt;&lt;br /&gt;Using search engine optimization (SEO), online criminals force their malware-hosting sites into higher billing slots within search engine results. Often the user is passed through a series of redirection sites before the final malicious domain is contacted. 
This creates a level of separation from the actual malware and allows a variety of domains to be constantly created, altered, and moved around, evading detection and termination. By using timely and highly popular topics of interest, domains referring to these topics stay in the leading search engine results. Recent topics covered in SEO campaigns include the Haiti disaster, the Olympics, the Oscars, and &lt;a href="http://defintel.blogspot.com/2010_01_01_archive.html"&gt;unnamed Facebook applications&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So why do these attacks work so well? Amazingly, users still place a level of trust in the top results of search engine queries. It is common for people to see familiar sites time and again on the first page of search results, and popular sites deemed primarily benign usually take dominant billing. Perhaps this is why folks rarely question clicking on the initial links provided by their favorite search engines. They haven't been burned in the past when trusting the top resulting URLs, so why should they now question the validity and intention of every suggested link? Malware is why.&lt;br /&gt;&lt;br /&gt;I don't always keep up with the latest events, but with a little social interaction and casual reading I hear about most events I find interesting and usually several others I don't, all within a reasonable amount of time. When I want to receive my news from a specific source I usually go to one location online or watch Robin Meade on HLN in the mornings. (There's no such thing as bad news when Robin reads it.) I use search engines like everyone else to gather information on various inquiries but I don't do grab-bag research, blindly clicking on any keyword-matching domains. I've never used the "I'm Feeling Lucky" button because I never felt that lucky about randomly visiting unknown domains across the internet, and I certainly don't want to be a punk. 
(nod to Dirty Harry in case that was missed)&lt;br /&gt;&lt;br /&gt;Choosing a default news site to read about all things newsworthy would seem to be an obvious point to suggest here, just as a safety precaution. However, the simple facts behind these breaking stories are not commonly what people are after.  There is usually a promise of a sex tape or footage of a celebrity's death, which can't be found on CNN. What they can't find on news sites is what sends users searching, which is ironic because most people only go searching for this bonus material after reading about its availability outside of regular news sites. Maybe news site restriction or loyalty would keep more users safe from attack. But then there's always Facebook and Twitter and forums/comment/email spam to shield your eyes from as well.&lt;br /&gt;&lt;br /&gt;When I want to know what people are searching for I go to Google Trends: &lt;a href="http://www.google.com/trends"&gt;http://www.google.com/trends&lt;/a&gt;. I assume this is what criminals intent on spreading their malware also do. Topics that are "On Fire" and "Volcanic" are being queried the most and make for prime targets. If you want to try a little safer searching, wait for topics to cool down a little before clicking around. Even better, find a news site you trust and go there for your news. 
Anything outside of seeking the facts may just land you in some fire of your own.&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp;amp; Analysis&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/1041043243618896756/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=1041043243618896756' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1041043243618896756'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1041043243618896756'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/03/malware-spread-optimization.html' title='Malware Spread Optimization'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm3.static.flickr.com/2053/1704538333_075cd54463_t.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-5036169968046670758</id><published>2010-03-10T16:23:00.011-05:00</published><updated>2010-03-11T09:30:36.973-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Command and control'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet service provider'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><category scheme='http://www.blogger.com/atom/ns#' term='Brian Krebs'/><category scheme='http://www.blogger.com/atom/ns#' term='Zeus'/><category scheme='http://www.blogger.com/atom/ns#' term='Botnet'/><title type='text'>Lightning Crashes</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_nMx-DUJRrDc/S5gPctjU3VI/AAAAAAAAAE4/Vdc6jg6gqq0/s1600-h/Picture+5.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 126px;" src="http://1.bp.blogspot.com/_nMx-DUJRrDc/S5gPctjU3VI/AAAAAAAAAE4/Vdc6jg6gqq0/s400/Picture+5.png" alt="" id="BLOGGER_PHOTO_ID_5447120735243132242" target="blank" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;statistical chart from zeustracker.abuse.ch&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;Zeus is undoubtedly one of the most prevalent malware families used for web-based criminal activity. 
It has compromised thousands of systems and, though an exact count is unknown, an example like the Kneber/Zeus botnet &lt;a href="http://www.netwitness.com/resources/pressreleases/feb182010.aspx" target="blank"&gt;reported by Netwitness&lt;/a&gt; showed that one collection of infected computers consisted of "75,000 systems in 2,500 organizations around the world." There have certainly been &lt;a href="http://defintel.blogspot.com/2010/03/mariposa-dead.html" target="blank"&gt;larger botnets&lt;/a&gt; concentrated on data theft, but with fluxing configurations, binaries and the domains used for hosting, the array of Zeus botnets has remained both widespread and dangerous. Then, on March 9th, 2010, Zeus took a big hit to its infrastructure.&lt;br /&gt;&lt;br /&gt;Abuse.ch, which runs the &lt;a href="https://zeustracker.abuse.ch/monitor.php"&gt;ZeusTracker&lt;/a&gt; project, &lt;a href="http://www.abuse.ch/?p=2417"&gt;reported a significant drop&lt;/a&gt; in the number of active Zeus command and control servers, falling from 249 to 181 overnight. What they discovered was that the ISP Troyak (&lt;a href="http://www.robtex.com/as/as50215.html" target="blank"&gt;AS50215&lt;/a&gt;), and its dependent networks, had essentially been taken offline. These networks had been considered bulletproof hosting for Zeus domains, which means the hosting groups involved were believed to actively protect the malicious activity, ignore requests to end it, or were otherwise assumed by their users to be a safe zone for malicious domains.&lt;br /&gt;&lt;br /&gt;While disconnecting thousands of compromised systems from their C&amp;amp;C domains is a great win, though likely a temporary one, no one knows whom to congratulate. Security researchers assume it was an external takedown, but no one has stepped forward to be recognized. 
What is even more interesting, as mentioned by Brian Krebs, is that, 11 days prior to the Troyak switch-off, spam promoting Zeus also went into decline. On February 27th, as stated in &lt;a href="http://www.krebsonsecurity.com/2010/03/dozens-of-zeus-botnets-knocked-offline/"&gt;Krebs's blog&lt;/a&gt;, a large Zeus spamming gang stopped sending new spam.&lt;br /&gt;&lt;br /&gt;For now we'll just have to wonder who is behind this mysterious crusade against Zeus. It seems unlikely that it was the work of any security group or company, as it is generally in our favor to promote such efforts. Perhaps a rival gang was involved and the "Zeus killer" feature in SpyEye wasn't enough for them, or maybe somebody just thought to quit while they were ahead. That would be a novel idea.&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp;amp; Analysis&lt;br /&gt;&lt;br /&gt;Update:&lt;br /&gt;Moments after posting this, Troyak found a new upstream provider and got back online. They have since moved to yet another provider, trying to evade a second disruption of "services." 
Some would say they're on the run.&lt;br /&gt;&lt;br /&gt;&lt;fieldset class="zemanta-related"&gt;&lt;legend class="zemanta-related-title"&gt;Related articles by Zemanta&lt;/legend&gt;&lt;ul class="zemanta-article-ul"&gt;&lt;li class="zemanta-article-ul-li"&gt;&lt;a href="http://www.computerworld.com/s/article/9159138/Kneber_just_another_botnet_?source=rss_news"&gt;Kneber just another botnet?&lt;/a&gt; (computerworld.com)&lt;/li&gt;&lt;li class="zemanta-article-ul-li"&gt;&lt;a href="http://go.theregister.com/feed/www.theregister.co.uk/2010/02/09/spyeye_bots_vs_zeus/"&gt;Upstart crimeware wages turf war on mighty Zeus bot&lt;/a&gt; (go.theregister.com)&lt;/li&gt;&lt;/ul&gt;&lt;/fieldset&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/5036169968046670758/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=5036169968046670758' title='2 Comments'/><link rel='edit' type='application/atom+xml'
href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5036169968046670758'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5036169968046670758'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/03/lightning-crashes.html' title='Lightning Crashes'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_nMx-DUJRrDc/S5gPctjU3VI/AAAAAAAAAE4/Vdc6jg6gqq0/s72-c/Picture+5.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-1318381292322178184</id><published>2010-03-03T10:34:00.008-05:00</published><updated>2010-03-03T11:05:13.101-05:00</updated><title type='text'>Mariposa Dead.</title><content type='html'>&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.defintel.com/images/mariposa_obit.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 260px; height: 560px;" src="http://www.defintel.com/images/mariposa_obit.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For more information:&lt;br /&gt;&lt;a href="http://defintel.com/mariposa.shtml"&gt;http://defintel.com/mariposa.shtml&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For more on the press coverage:&lt;br /&gt;&lt;a href="http://defintel.com/media.shtml"&gt;http://defintel.com/media.shtml&lt;/a&gt;&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/1318381292322178184/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=1318381292322178184' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1318381292322178184'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1318381292322178184'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/03/mariposa-dead.html' title='Mariposa Dead.'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-6504387157906982131</id><published>2010-02-24T18:36:00.008-05:00</published><updated>2010-02-24T18:58:38.171-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='Taskbar'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet Explorer'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows 7'/><category scheme='http://www.blogger.com/atom/ns#' term='European Commission'/><category scheme='http://www.blogger.com/atom/ns#' term='European Commission and Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows XP'/><title type='text'>Browser Bingo</title><content type='html'>&lt;p class="zemanta-img" style="margin: 1em; float: right; display: block; width: 250px;"&gt;&lt;a href="http://www.flickr.com/photos/10251343@N05/2394495152"&gt;&lt;img src="http://farm3.static.flickr.com/2164/2394495152_1189fc20b8_m.jpg" alt="bingo" style="border: medium none ; display: block;" height="130" width="190"&gt;&lt;/a&gt;&lt;span class="zemanta-img-attribution"&gt;Image by &lt;a href="http://www.flickr.com/photos/10251343@N05/2394495152"&gt;hownowdesign&lt;/a&gt; via Flickr&lt;/span&gt;&lt;/p&gt;Way back in 2007 the &lt;a class="zem_slink freebase/en/european_commission" href="http://en.wikipedia.org/wiki/European_Commission" title="European Commission" rel="wikipedia"&gt;European Commission&lt;/a&gt; and Microsoft began a legal dispute over competition concerns regarding Microsoft's domination in the European user space. 
In December of 2009 the dialogue between the EC and Microsoft ended, culminating in a resolution that would aid in easy interoperability with various software and require Microsoft to present a browser choice to its current European users.&lt;br /&gt;&lt;br /&gt;A large part of the agreements by Microsoft deals with browser choice for OEMs and end users on Windows 7, XP, and Vista operating systems. Starting the week of March 1st, users in 30 European nations with IE as their default browser may start seeing an introductory screen pop up on their machines. This introductory screen, only seen after installing the relevant Microsoft update and restarting their systems, will explain the purpose behind the subsequent choice screen.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_nMx-DUJRrDc/S4W4UwV4FFI/AAAAAAAAAEY/TSAtioKDWPY/s1600-h/clip_image002_136F9F12.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 245px;" src="http://3.bp.blogspot.com/_nMx-DUJRrDc/S4W4UwV4FFI/AAAAAAAAAEY/TSAtioKDWPY/s320/clip_image002_136F9F12.jpg" alt="" id="BLOGGER_PHOTO_ID_5441958391460664402" border="0"&gt;&lt;/a&gt;&lt;br /&gt;The choice screen will display 12 of the most used browsers in random order, with the top 5 highest ranked browsers displayed randomly in the first positions. The idea behind the settlement is to prevent monopoly holdings for any one vendor and create a fair presentation of consumer options, but this top 5 configuration will obviously give the bigger guns a better aim at end user installation. Internet Explorer, as a major holder of the browsing community, will then always be listed in the first few slots.&lt;br /&gt;&lt;br /&gt;So, what will user reaction be to all this? I'm guessing more confusion than anything else. 
Part of the update being sent out will allow IE to be turned off; it will "unpin" the IE icon from the taskbar and, where IE is turned off, "no icons, links or shortcuts or any other means will appear within Windows to start a download or installation of Internet Explorer." &lt;span style="font-size: 85%;"&gt;(Microsoft commitments document)&lt;/span&gt; Then users will be given a choice to select their browser.&lt;br /&gt;&lt;br /&gt;I know that some people need to be presented with their options in a supermarket fashion, like side by side sodas in the snacks aisle, where Coke is next to Pepsi and the generic version, but I don't think this is an ultimate solution to the problem. For the less clueful users who "just want to get on the internet", this may just create problems. Those same users, who are now presented with a browser lineup, may not understand or try to understand what their options actually are. In all likelihood they will recognize Internet Explorer from the list given them and click on install without reading the additional information.&lt;br /&gt;&lt;br /&gt;The users who already understand the choice of browser usage have already made their choice. They don't need any more education and, likely not having IE as their default browser, won't see the new choice screen. Efforts like this to change bias will likely be ineffective in producing real change or raising awareness among the right people. The bias of users comes from long-term ignorance, disinterest, marketing inundation, and comfort level on the internet. 
None of this will be reversed by what many users will just view as more pop ups.&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp;amp; Analysis&lt;br /&gt;&lt;br /&gt;sources:&lt;br /&gt;&lt;a href="http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/02/19/the-browser-choice-screen-for-europe-what-to-expect-when-to-expect-it.aspx" target="blank"&gt;Microsoft On the Issues&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.microsoft.com/Presspass/press/2009/dec09/12-16Statement.mspx" target="blank"&gt;Microsoft.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="margin-top: 10px; height: 15px;" class="zemanta-pixie"&gt;&lt;a class="zemanta-pixie-a" href="http://reblog.zemanta.com/zemified/95d9a4f9-638e-45f4-898d-3487afc5b115/" title="Reblog this post [with Zemanta]"&gt;&lt;img style="border: medium none ; float: right;" class="zemanta-pixie-img" src="http://img.zemanta.com/reblog_e.png?x-id=95d9a4f9-638e-45f4-898d-3487afc5b115" alt="Reblog this post [with Zemanta]"&gt;&lt;/a&gt;&lt;span class="zem-script more-related more-info pretty-attribution"&gt;&lt;script type="text/javascript" src="http://static.zemanta.com/readside/loader.js" defer="defer"&gt;&lt;/script&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-6504387157906982131?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/6504387157906982131/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=6504387157906982131' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6504387157906982131'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6504387157906982131'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/02/browser-bingo.html' title='Browser Bingo'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm3.static.flickr.com/2164/2394495152_1189fc20b8_t.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-1964547075466947486</id><published>2010-02-18T13:03:00.005-05:00</published><updated>2010-02-18T13:14:43.944-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cross-site scripting'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Profile'/><category scheme='http://www.blogger.com/atom/ns#' term='Social network service'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Buzz'/><category scheme='http://www.blogger.com/atom/ns#' term='Picasa'/><title type='text'>Buzz Words</title><content type='html'>&lt;p class="zemanta-img" style="margin: 1em; float: right; display: block; width: 250px;"&gt;&lt;a href="http://www.flickr.com/photos/28567825@N03/2872466777"&gt;&lt;img src="http://farm4.static.flickr.com/3239/2872466777_75aefa8f84_m.jpg" alt="Neil Armstrong &amp;amp; Buzz Aldrin" style="border: medium none ; display: block;" height="160" width="240" /&gt;&lt;/a&gt;&lt;span class="zemanta-img-attribution"&gt;Image by &lt;a href="http://www.flickr.com/photos/28567825@N03/2872466777"&gt;cliff1066™&lt;/a&gt; via Flickr&lt;/span&gt;&lt;/p&gt;Google Buzz 
is definitely the buzz word of the week and, in this industry, has been quickly put under the microscope. As a result, a &lt;a class="zem_slink freebase/en/cross-site_scripting" href="http://en.wikipedia.org/wiki/Cross-site_scripting" title="Cross-site scripting" rel="wikipedia"&gt;cross-site scripting&lt;/a&gt; vulnerability was already &lt;a href="http://ha.ckers.org/blog/20100216/google-buzz-security-flaw/"&gt;discovered&lt;/a&gt; and &lt;a href="http://news.cnet.com/8301-30684_3-10454982-265.html"&gt;fixed&lt;/a&gt; in the mobile version of the Buzz utility. I'm sure close examination will continue to reveal additional security or operational flaws in Buzz, but security-minded folks were not the only active critics of the social networking tool from Google.&lt;br /&gt;&lt;br /&gt;Initial users were upset by Buzz's default "all inclusive" settings. These automatic features included adding yourself as a follower of those you most contact through email or chat (allowing them to automatically follow you as well), displaying all users involved in the follow-fest on your Google Profile, and instant sharing of activity on your other Google sites like &lt;a class="zem_slink freebase/en/picasa" href="http://picasa.google.com/" title="Picasa" rel="homepage"&gt;Picasa&lt;/a&gt; and Reader. Providing easy display of a lot of information to potentially a lot of people, all of these features raised a lot of concern over privacy issues. In addition, new Buzzers were disappointed with the difficulty in finding settings options regarding these features, most while trying desperately to disable them.&lt;br /&gt;&lt;br /&gt;While some may not be all that concerned, instant exposure of this information to user contacts without giving express permission has been more than disappointing. Some social circles are meant to be separated. 
Facebook users have been forced to explore this friends-and-family cross-communication fiasco due to multi-generational interest in the social networking world. For many users this is uncomfortable at best.&lt;br /&gt;&lt;br /&gt;Complete testing before release may have prevented the scramble for &lt;a href="http://gmailblog.blogspot.com/2010/02/millions-of-buzz-users-and-improvements.html"&gt;alterations&lt;/a&gt; that Google is now in the middle of, but the feasible protection of online privacy is the real issue here. In our efforts to connect with the world, can we expect to keep secrets or achieve selective and exclusive information sharing? When we type something into our network-connected devices, can we blame anyone but ourselves when that information spreads beyond the originally intended parties?&lt;br /&gt;&lt;br /&gt;Anonymity while on the internet is becoming progressively harder to maintain. With photo tagging and friends who gossip across Facebook, even people who never participate in social networking sites have an online profile, in a sense. While reluctant or non-users are losing control over just how much the online world can find out about them, self-surveillance is now commonplace. We've become comfortable with sharing information about ourselves and living and working online, making us vulnerable to attack over the internet and in the physical world. 
If the Buzzing is getting a little too close you could be in danger of getting stung.&lt;br /&gt;&lt;br /&gt;For those interested in de-Buzzing, the links below can guide you through the process:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.cnet.com/8301-17939_109-10451703-2.html"&gt;http://news.cnet.com/8301-17939_109-10451703-2.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://securitylabs.websense.com/content/Blogs/3553.aspx"&gt;http://securitylabs.websense.com/content/Blogs/3553.aspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For those sticking with it:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://gmailblog.blogspot.com/2010/02/new-buzz-start-up-experience-based-on.html"&gt;http://gmailblog.blogspot.com/2010/02/new-buzz-start-up-experience-based-on.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://gmailblog.blogspot.com/2010/02/5-buzz-tips.html"&gt;http://gmailblog.blogspot.com/2010/02/5-buzz-tips.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp;amp; Analysis&lt;br /&gt;&lt;div style="margin-top: 10px; height: 15px;" class="zemanta-pixie"&gt;&lt;a class="zemanta-pixie-a" href="http://reblog.zemanta.com/zemified/43e47364-9158-4498-9e06-3c36997b6caa/" title="Reblog this post [with Zemanta]"&gt;&lt;img style="border: medium none ; float: right;" class="zemanta-pixie-img" src="http://img.zemanta.com/reblog_e.png?x-id=43e47364-9158-4498-9e06-3c36997b6caa" alt="Reblog this post [with Zemanta]" /&gt;&lt;/a&gt;&lt;span class="zem-script more-related more-info pretty-attribution"&gt;&lt;script type="text/javascript" src="http://static.zemanta.com/readside/loader.js" defer="defer"&gt;&lt;/script&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-1964547075466947486?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://defintel.blogspot.com/feeds/1964547075466947486/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=1964547075466947486' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1964547075466947486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1964547075466947486'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/02/buzz-words.html' title='Buzz Words'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3239/2872466777_75aefa8f84_t.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-8025010243820892231</id><published>2010-02-10T18:59:00.006-05:00</published><updated>2010-02-11T10:09:07.699-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='HTML element'/><category scheme='http://www.blogger.com/atom/ns#' term='Domain name'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Gumblar'/><category scheme='http://www.blogger.com/atom/ns#' term='File Transfer Protocol'/><category scheme='http://www.blogger.com/atom/ns#' term='Website'/><category scheme='http://www.blogger.com/atom/ns#' term='For Sale or Auction'/><title type='text'>RUmblar</title><content type='html'>&lt;p class="zemanta-img" style="margin: 1em; float: right; display: block; width: 250px;"&gt;&lt;a 
href="http://www.flickr.com/photos/48355243@N00/256215927"&gt;&lt;img src="http://farm1.static.flickr.com/118/256215927_8eb490187b_m.jpg" alt="Pepsi" style="border: medium none ; display: block;" height="180" width="240" /&gt;&lt;/a&gt;&lt;span class="zemanta-img-attribution"&gt;Image by &lt;a href="http://www.flickr.com/photos/48355243@N00/256215927"&gt;elmada&lt;/a&gt; via Flickr&lt;/span&gt;&lt;/p&gt;Gumblar, the massive iframe injection attack that made and sustained front page security news in early 2009, appears to still be going strong. Only slightly altered in its approach, the ongoing attack is still injecting malicious domains into sites on a fairly large scale, each injection intended to spread malware to the end user.&lt;br /&gt;&lt;br /&gt;Gumblar domains were previously injected into iframes of otherwise benign sites using stolen FTP credentials. The new domains are likely still injected using stolen credentials but are now using obfuscated scripts to generate a formulaic Russian domain. The obfuscated scripts are appended to JavaScript files and HTML files within script tags and create rather lengthy domain names.&lt;br /&gt;&lt;br /&gt;The second-level domains for these are plentiful. 
Amazingly, the following list is incomplete and will likely remain so with the constant generation of new redirection domains:&lt;br /&gt;&lt;br /&gt;&lt;style&gt; &lt;!--    BODY,DIV,TABLE,THEAD,TBODY,TFOOT,TR,TH,TD,P { font-family:"Arial"; font-size:x-small }    --&gt;  &lt;/style&gt;    &lt;table border="0" cellspacing="0" cols="4" frame="VOID" rules="NONE"&gt;  &lt;colgroup&gt;&lt;col width="176"&gt;&lt;col width="176"&gt;&lt;col width="176"&gt;&lt;col width="176"&gt;&lt;/colgroup&gt;  &lt;tbody&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18" width="176"&gt;&lt;span style="font-family:Times New Roman;"&gt;18-plus.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT" width="176"&gt;&lt;span style="font-family:Times New Roman;"&gt;bluejackmusic.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT" width="176"&gt;&lt;span style="font-family:Times New Roman;"&gt;mozg-testing.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT" width="176"&gt;&lt;span style="font-family:Times New Roman;"&gt;thegiftsale.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;airseasite.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;blueseaguide.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;mozgilla.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;thelaceweb.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;allnewface.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;brownbagbar.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;musicboxpro.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New 
Roman;"&gt;thelifetag.ru&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;allpropro.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;brynetka.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;mygreatsale.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;themobisite.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;ampsguide.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;carswebnet.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;newhavenparks.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;thetruehelp.ru&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;authentictype.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;cobalttrueblue.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;newlifeworld.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;toplinemarine.ru&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;avattop.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;cometruestar.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;pastanotherlife.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New 
Roman;"&gt;truelifefamily.ru&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;b-i-o-v.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;counterbest.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;recentmexico.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;urlnext.ru&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;battop.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;cyberprotech.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;red-wolf.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;videosaleonline.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;beeeo.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;easylifedirect.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;saletradeonline.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;viewhomesale.ru&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;before-this-life.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;easytabletennis.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;seasilvercoop.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New 
Roman;"&gt;votrelib.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;beofree.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;ezpoh.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;shoozi.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;warbest.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;bestage.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;funwebmail.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;simplehomelink.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;webdesktopnet.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;bestbio.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;gametopsite.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;simpleworldhouse.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;weblessnet.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;bestbondsite.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;genuinecolors.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;sitesages.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;webnetenglish.ru 
&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;bestseasilver.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;genuinehollywood.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;sugaryhome.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;webpowerguide.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;bi-test.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;genuinehollywood.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;superhighest.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;webworldshop.ru&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;biltop.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;greatsalecenter.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;superore.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;whosaleonline.ru &lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td align="LEFT" height="18"&gt;&lt;span style="font-family:Times New Roman;"&gt;bio-age.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;guidebat.ru &lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;superseatoddy.ru&lt;/span&gt;&lt;/td&gt;    &lt;td align="LEFT"&gt;&lt;span style="font-family:Times New Roman;"&gt;wintersaleonline.ru 
&lt;/span&gt;&lt;/td&gt;   &lt;/tr&gt;  &lt;/tbody&gt; &lt;/table&gt;&lt;br /&gt;Though the groupings here are obviously all .ru domains, other researchers indicate countless other domains being used in the same way. Many are using &lt;a href="http://www.abuse.ch/?p=1801"&gt;dynamic dns 2lds&lt;/a&gt; while others have a similar structure to the domains above, only with .cn TLDs, as was the original gumblar.cn. Others appear to have no theme and are using .cz, .dk, .de, .nl, and several other country code TLDs. The IPs behind these domains are just as widespread and varied. 
This list is also likely incomplete:&lt;br /&gt;&lt;br /&gt;&lt;table border="0" cellspacing="0" cols="4" frame="VOID" rules="NONE"&gt;  &lt;colgroup&gt;&lt;col width="113"&gt;&lt;col width="113"&gt;&lt;col width="113"&gt;&lt;col width="113"&gt;&lt;/colgroup&gt;  &lt;tbody&gt;   &lt;tr&gt;    
&lt;/tr&gt;  &lt;/tbody&gt; &lt;/table&gt;&lt;br /&gt;The full, unobfuscated domains look something like this, containing snippets of popular domain names in an effort to appear legitimate:&lt;br /&gt;&lt;br /&gt;foxsports-com.google.cn.spiegel-de.avattop.ru&lt;br /&gt;yomiuri-co-jp.google.cz.playstation-com.yourtagheuer.ru&lt;br /&gt;theplanet-com.1133.cc.nikkansports-com.bestnewhaven.ru&lt;br /&gt;&lt;br /&gt;The full URLs include file requests similar to:&lt;br /&gt;:8080/ts/in.cgi?pepsi[variable numbers]&lt;br /&gt;:8080/cache/readme.pdf&lt;br /&gt;:8080/cache/flash.swf&lt;br /&gt;:8080/filez/java.html&lt;br /&gt;:8080/filez/Show.class&lt;br /&gt;:8080/filez/win.jpg&lt;br /&gt;&lt;br /&gt;These files are designed to exploit vulnerabilities in Acrobat, Flash, and Office, then redirect to the final domain for download of the actual malware, which consistently appears to be Bredolab.&lt;br /&gt;&lt;br /&gt;The Bredolab downloader has been tied to Gumblar from the beginning and is still being served by the malicious domains, ultimately installing rogue AV and information-stealing malware as the end goal. The information-stealing component harvests the FTP credentials that are used to perpetuate the whole cycle. 
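&lt;br /&gt;&lt;br /&gt;As an added example (not part of the original post and not Defence Intelligence code), the Python below flags proxy-log requests that match the redirect-host and :8080 file-request patterns just listed, including the pepsi query marker. The "timestamp client method url" log format and the sample lines are constructed, and the hyphenated look-alike-label heuristic is an assumption drawn from the three example hostnames.

```python
"""Flag proxy-log requests that match the Rumblar redirect-domain pattern.

Added example, not code from the original post. The "timestamp client
method url" log format and the sample lines are constructed; only the URL
checks matter, so adapt the parsing to a real proxy log format.
"""
import re
from urllib.parse import urlsplit

# File paths the post lists on the :8080 redirect hosts.
GATE_PATHS = ("/ts/in.cgi", "/cache/readme.pdf", "/cache/flash.swf",
              "/filez/java.html", "/filez/Show.class", "/filez/win.jpg")

# Assumed heuristic: a hostname label that imitates a well-known registered
# domain by hyphenating its TLD, e.g. "foxsports-com" or "yomiuri-co-jp".
FAKE_TLD_LABEL = re.compile(
    r"^[a-z0-9]+(?:-[a-z0-9]+)*-(?:com|net|org|de|jp|co-jp|co-uk)$")

# Indicators strong enough to flag a request on their own; "port-8080" and
# "gate-path" only count when they appear together.
STRONG = ("pepsi-marker", "fake-tld-labels")


def split_url(url):
    """Return (host, port, path, query); port is None when not given."""
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.port, parts.path, parts.query


def fake_tld_labels(host):
    """Labels of host that look like a brand domain with a hyphenated TLD."""
    return [label for label in host.split(".") if FAKE_TLD_LABEL.match(label)]


def classify_url(url):
    """Return the indicator names matched by url (empty list = clean).

    port-8080        the redirect hosts in the post are served on port 8080
    gate-path        the path ends in one of GATE_PATHS
    pepsi-marker     /ts/in.cgi with a query of "pepsi" followed by digits
    fake-tld-labels  two or more hyphenated look-alike labels in the host
    """
    host, port, path, query = split_url(url)
    reasons = []
    if port == 8080:
        reasons.append("port-8080")
    if any(path.endswith(p) for p in GATE_PATHS):
        reasons.append("gate-path")
    if path.endswith("/ts/in.cgi") and re.match(r"pepsi[0-9]+$", query):
        reasons.append("pepsi-marker")
    if len(fake_tld_labels(host)) >= 2:
        reasons.append("fake-tld-labels")
    # A single weak indicator (an internal :8080 service, a CDN serving a
    # flash.swf) is too noisy on its own; require a strong one or both weak.
    if len(reasons) == 1 and reasons[0] not in STRONG:
        return []
    return reasons


def scan_log(lines):
    """Return [(client, url, reasons)] for each well-formed line that is flagged."""
    hits = []
    for line in lines:
        fields = line.split()          # constructed: timestamp client method url
        if len(fields) != 4:
            continue
        reasons = classify_url(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits


# Constructed sample log; the hostnames follow the shapes quoted in the post.
SAMPLE_LOG = [
    "2010-02-10T12:00:01 10.0.0.5 GET http://www.example.com/index.html",
    "2010-02-10T12:00:02 10.0.0.5 GET "
    "http://foxsports-com.google.cn.spiegel-de.avattop.ru:8080/ts/in.cgi?pepsi18",
    "2010-02-10T12:00:03 10.0.0.5 GET "
    "http://foxsports-com.google.cn.spiegel-de.avattop.ru:8080/cache/readme.pdf",
    "2010-02-10T12:00:04 10.0.0.7 GET "
    "http://yomiuri-co-jp.google.cz.playstation-com.yourtagheuer.ru:8080/filez/Show.class",
    "2010-02-10T12:00:05 10.0.0.9 GET http://intranet.example.com:8080/status",
    "2010-02-10T12:00:06 10.0.0.9 GET http://cdn.example.net/cache/flash.swf",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

&lt;br /&gt;&lt;br /&gt;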
Bredolab has also been found in mass spam campaigns since late last year, attached to emails purporting to come from DHL, UPS, Facebook, Western Union, ISPs, fake e-card senders and "potential girlfriends."&lt;br /&gt;&lt;br /&gt;You may have come across one like:&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;Subject: Facebook Password Reset Confirmation.&lt;br /&gt;&lt;br /&gt;Because of the measures taken to provide safety to our clients, your password has been changed.&lt;br /&gt;You can find your new password in attached document.&lt;br /&gt;&lt;br /&gt;Thanks,&lt;br /&gt;The Facebook Team&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;If many benign sites are hosting the final malware download due to the hijacking mechanism, blocking the redirection attempts would be the best course of action. It is also necessary for the owners of the hijacked sites to clean up the injected redirection domains or malicious files, and for end users to keep their software updated in an effort to negate the exploits.&lt;br /&gt;&lt;br /&gt;The Pepsi Challenge&lt;br /&gt;Many of the files requested on the redirect domains have something similar to&lt;br /&gt;":8080/ts/in.cgi?pepsi18":&lt;br /&gt;&lt;br /&gt;18-plus.ru:8080/ts/in.cgi?pepsi18&lt;br /&gt;inother.ru:8080/ts/in.cgi?pepsi18&lt;br /&gt;test-health.ru:8080/ts/in.cgi?pepsi18&lt;br /&gt;&lt;br /&gt;I just find this amusing, because one of the Gumblar sites reported &lt;a href="http://blog.unmaskparasites.com/2009/12/18/list-of-gumblar-zombie-urls/"&gt;here&lt;/a&gt; hosted "/rimages/coke.php". 
It's nice that we have a choice of malicious beverage and, while I prefer Coke, it seems Pepsi is the choice of the new "Rumblar" generation of domains.&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp;amp; Analysis&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/8025010243820892231/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=8025010243820892231' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/8025010243820892231'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/8025010243820892231'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/02/rumblar.html' title='RUmblar'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm1.static.flickr.com/118/256215927_8eb490187b_t.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-2717244273899503281</id><published>2010-02-03T17:40:00.007-05:00</published><updated>2010-02-04T10:04:06.591-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Tabanus sudeticus'/><category scheme='http://www.blogger.com/atom/ns#' term='Company'/><category scheme='http://www.blogger.com/atom/ns#' term='Business'/><category scheme='http://www.blogger.com/atom/ns#' term='Kaspersky Lab'/><category scheme='http://www.blogger.com/atom/ns#' term='VirusTotal'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Consultants'/><title type='text'>AV Plays Catch Up</title><content type='html'>No security or AV company is equipped with a procedure, independent of hardware or personnel requirements, that can easily keep up with the daily barrage of newborn threats. Shadowserver shows they receive daily unique binaries numbering in the tens of thousands. With the mass amount of malware being created and distributed across the internet, each security company is left with the burden of being unable to "catch 'em all."&lt;br /&gt;&lt;br /&gt;They must then employ a prioritization method of analysis, often leaving data too long in the queue, some collecting dust. Some security companies concentrate on searching for malicious domains and IPs while others concentrate on binary identification, many using a hybrid approach. 
All, however, are in search of a way to efficiently label these variables as malicious or benign, trying desperately to keep pace with the release of new malware.&lt;br /&gt;&lt;br /&gt;AV companies have, of course, felt the strain of keeping up with the Joneses and, for fear of looking inferior, have often chosen to "borrow" the conclusions made by other AV groups.&lt;br /&gt;&lt;br /&gt;According to this "&lt;a href="http://www.viruslist.com/en/weblog?weblogid=208188011" target="blank"&gt;Analyst's Diary&lt;/a&gt;" entry at Kaspersky Lab, an experiment showed just how often AV groups rely on one another to categorize samples as malicious in order to appear up to date. From the blog:&lt;br /&gt;&lt;br /&gt;"We created 20 clean files and added a fake detection for 10 of them. Over the next few days we re-uploaded all twenty files to &lt;a class="zem_slink freebase/en/tabanus_sudeticus" href="http://www.virustotal.com" title="VirusTotal" rel="homepage" target="blank"&gt;VirusTotal&lt;/a&gt; to see what would happen. After ten days, all of our detected (but not actually malicious) files were detected by up to 14 other AV companies..."&lt;br /&gt;&lt;br /&gt;I can't exactly blame those copycat AV companies for trying to stay on par with others. There is constant pressure, of which all security groups are aware, to try and balance reputation, integrity, and effectiveness. Trying to avoid false positives means evil may slip by unnoticed, while avoiding false negatives means sacrifices in accuracy. A series of check systems could be put in place, but often there is insufficient detail or time for quality assurance, and delays in the conviction process detract from the goal of real-time protection.&lt;br /&gt;&lt;br /&gt;Security researchers often collaborate in some way, perhaps only in certain circles, but we do so because each performs their own independent analysis in their own area of expertise, bringing unique input to the table. 
Our products should behave no differently. Only shared information that meets certain quality requirements should be used, according to the individual company's ruleset. If a company or security product has nothing to contribute and only relies on the work of others, then it has little purpose in this industry (though it may find success with the right marketing). However, a company will struggle greatly if it dismisses or completely separates itself from the security zeitgeist.&lt;br /&gt;&lt;br /&gt;In recognition of this need for both dependence and originality, Defence Intelligence is working to bring security and internet architecture groups together to create something new and more complete. We want to make a product that takes a more global approach to the threats we're facing, but also to bring back to our industry a confidence and purpose that seem to have waned. A strong offence may rely on a good defence, but we need both if we're ever going to make real advancement on this battleground. 
&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp; Analysis &lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/2717244273899503281/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=2717244273899503281' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2717244273899503281'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2717244273899503281'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/02/av-plays-catch-up.html' title='AV Plays Catch Up'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-5447921201795194692</id><published>2010-01-27T14:33:00.015-05:00</published><updated>2010-01-27T15:23:29.432-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='User'/><category scheme='http://www.blogger.com/atom/ns#' term='Search engine optimization'/><category scheme='http://www.blogger.com/atom/ns#' term='HTTP referrer'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='Pop-up ad'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Webserver directory index'/><title type='text'>Rumor has it.</title><content type='html'>&lt;span style="font-family:georgia;"&gt;Facebook users are being targeted again, but in a more roundabout manner. Rumors are spreading, as rumors do, that an "unnamed app" is integrated into user accounts which is responsible for slowing down facebook and is being used to spy on user activity. (These rumors have not been proven true.) &lt;/span&gt;  &lt;span style="font-family:georgia;"&gt;&lt;br /&gt;&lt;br /&gt;Users are then advised in the form of ALERTS to delete this unnamed app. The interesting part is that user suspicion of these messages is what gives them their malicious power. A Facebook user would then Google the alert or the keywords "unnamed app" and be directed through several sites to ones serving rogue AV. 
Using &lt;a class="zem_slink freebase/en/search_engine_optimization" href="http://en.wikipedia.org/wiki/Search_engine_optimization" title="Search engine optimization" rel="wikipedia" target="blank"&gt;SEO&lt;/a&gt; techniques, many of the top-ranked sites are the key redirection sites in this process.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left; font-family: arial;"&gt;One such site, at the number three spot in our Google search:&lt;br /&gt;"http://kittingservice.com/canst.php?avi=facebook-unnamed-app"&lt;br /&gt;&lt;br /&gt;&lt;/div&gt; &lt;span style=";font-family:arial;font-size:85%;"  &gt;The domain kittingservice.com is found at 62.93.239.41.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Using JavaScript redirection, we are taken to:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;"http://onlinetechnicals.ru/sm/r.php"&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;at 212.95.58.37&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;It looks like the Google search referrer might be necessary for the redirection:&lt;/span&gt; &lt;span style="font-family:arial;"&gt;"Referer: http://www.google.ca/search?hl=en&amp;amp;source=hp&amp;amp;q=facebook+unnamed+app&amp;amp;meta=&amp;amp;aq=f&amp;amp;oq="&lt;/span&gt;  &lt;span style="font-family:arial;"&gt;Otherwise a page comes up with multiple Facebook and SEO terms planted throughout, including some of the original instigating Facebook alert phrases:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;"Has your facebook been slow today? Check your application settings, go into " added to profile". 
If you see one in there called "unnamed app" delete it."&lt;/span&gt;  &lt;span style="font-family:courier new;"&gt;&lt;br /&gt;&lt;br /&gt;"There is a " Unnamed  App " spybot on facebook and it may be slowing down Facebook applications or it may be work as a Spyware."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The onlinetechnicals.ru page then uses another javascript to direct us to uscaau.com:&lt;/span&gt;  &lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_nMx-DUJRrDc/S2Cce8_qCUI/AAAAAAAAAEQ/KNJnHGAjWxY/s1600-h/Picture+1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 80px;" src="http://4.bp.blogspot.com/_nMx-DUJRrDc/S2Cce8_qCUI/AAAAAAAAAEQ/KNJnHGAjWxY/s320/Picture+1.png" alt="" id="BLOGGER_PHOTO_ID_5431513206191950146" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;uscaau.com&lt;/span&gt; &lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;212.95.58.37&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Looking up uscaau.com/back.php comes back with the location of:&lt;/span&gt; &lt;span style="font-family:arial;"&gt;"http://battlestartedsecurity.com/hitin.php?land=20&amp;amp;affid=94801"&lt;/span&gt;  &lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;br /&gt;battlestartedsecurity.com&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:arial;"&gt;109.232.225.22&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt; &lt;span style="font-family:arial;"&gt;and "hitin.php?land=20&amp;amp;affid=94801"&lt;br /&gt;is said to be at the location:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;"index.php?affid=94801"&lt;/span&gt;&lt;br /&gt;&lt;br 
/&gt;&lt;span style="font-family:georgia;"&gt;This is where we finally download the beginnings of the rogue AV. A pop-up window tells us that &lt;/span&gt; &lt;span style="font-family:georgia;"&gt;"&lt;span style="font-family:courier new;"&gt;Your computer contaigns various signs of viruses and malware programs presence....&lt;/span&gt;"&lt;/span&gt; &lt;span style="font-family:georgia;"&gt; Our browser window has also seemingly disappeared, but if you move the warning slightly you can see it resized to hide behind the pop-up.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_nMx-DUJRrDc/S2CYNwoU_gI/AAAAAAAAAD4/R66lKGeAprU/s1600-h/Picture+1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 138px;" src="http://2.bp.blogspot.com/_nMx-DUJRrDc/S2CYNwoU_gI/AAAAAAAAAD4/R66lKGeAprU/s200/Picture+1.png" alt="" id="BLOGGER_PHOTO_ID_5431508512768589314" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Agreeing to the scan displays a fake scan of our system, going back to battlestartedsecurity.com for the necessary visual items.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_nMx-DUJRrDc/S2CZWaFcAfI/AAAAAAAAAEA/3--5gYAurTQ/s1600-h/Picture+3.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 112px;" src="http://4.bp.blogspot.com/_nMx-DUJRrDc/S2CZWaFcAfI/AAAAAAAAAEA/3--5gYAurTQ/s200/Picture+3.png" alt="" id="BLOGGER_PHOTO_ID_5431509760847118834" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A few more agreements to clean up our system advise us to download "install.exe", currently only detected by 7 of 41 AV groups.&lt;br /&gt;&lt;br /&gt;Other researchers have indicated different redirection paths being taken and different end-result fake security tools.&lt;br 
/&gt;&lt;br /&gt;As for the unnamed app, it is said to just be the "boxes" tab on your Facebook profile.&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;"The Boxes tab contains application profile boxes. A user or Page will have a Boxes tab added to their new profile by default if they currently have application boxes that do not support integration with the main profile/Page left column or if they have more profile boxes than can fit into the main profile/Page left column (more than 5)." &lt;span style="font-size:85%;"&gt;(http://wiki.developers.facebook.com/index.php/Tabbed_Profile)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Removing it seems to be both nondestructive and reversible. According to&lt;br /&gt;&lt;span style="font-size:85%;"&gt;(http://answers.yahoo.com/question/index?qid=20100126190431AAJkPoW)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;"to put back your boxes tab:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;1. go back to the page where you removed the Unnamed App from.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;2. select "edit settings" for an app under the "added profile boxes" section&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;3. 
click remove, then click add when it appears."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp; Analysis&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/5447921201795194692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=5447921201795194692' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5447921201795194692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5447921201795194692'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2010/01/rumor-has-it.html' title='Rumor has it.'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_nMx-DUJRrDc/S2Cce8_qCUI/AAAAAAAAAEQ/KNJnHGAjWxY/s72-c/Picture+1.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-1007093432957092311</id><published>2009-12-16T15:20:00.008-05:00</published><updated>2009-12-18T11:31:02.168-05:00</updated><title type='text'>CN Less Clearly</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span class="Apple-style-span"  style="font-family:arial, serif;"&gt;&lt;span class="Apple-style-span"   style="  color: rgb(11, 35, 12); line-height: 18px; font-family:'Trebuchet MS', Trebuchet, Verdana, sans-serif;font-size:-webkit-xxx-large;"&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span"   style="font-family:arial, Trebuchet, Verdana, sans-serif;color:#000000;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 12px; color: rgb(11, 35, 12); "&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;On December 11, the China Internet Network Information Center (CNNIC) announced that individuals hoping to register .CN domain names are now required to provide a written application. This written application must be stamped with a business seal, and a photocopy of the applicant's business license and ID must be included. 
This effort is touted as simply part of a greater effort to remove a significant amount of pornographic content from the web.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-family: 'times new roman'; "&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;The reality is far more complex.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;China has long used the Great Firewall of China to block any material it deems offensive, including pornographic material, so-called biased news sources and political commentary. Facebook, Twitter, and thousands of other sites are blocked and cannot be accessed from within China. 
As reported by Rebecca MacKinnon, Assistant Professor, University of Hong Kong:&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;"People who work for Chinese Internet companies continue to complain that they remain under heavy pressure to be more thorough about the way in which they police and censor blogging platforms, social networking sites, discussion forums, and any form of user-generated content."&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;By restricting the .CN TLD to businesses that must be approved by a governing body, China is tightening its control over the Internet at a time when people are increasingly looking to the web for freedom of expression, political action, and news and information from a wide variety of sources, each with its own particular bias.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;Since the 
announcement, the information security community has been abuzz with the notion that this new restriction will result in fewer malicious domains registered under .CN. That would certainly be good news for China, which has long been considered a pernicious purveyor of malicious content.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;Unfortunately, it isn't true.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;Looking at the original notice, it is clear that following the initial online submission and allocation of the domain name, the applicant then has 5 days to provide the appropriate governing body with the required written material. If the material has not arrived after 5 days, or if the applicant is rejected, the domain is revoked.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;It doesn't require much thought to see how this system can easily be abused. 
Individuals with criminal intent can simply register a domain and generate and propagate as much malicious content as desired over the course of the next 120 hours. It is also likely, though unknown at this time, that any money spent on the domain registration would be refunded so as not to unduly penalize legitimate businesses that may simply make an error on their forms, be rejected, and have to resubmit. To be clear, I find it unlikely that the CNNIC would require people to pay for domains that they do not own. Criminals can simply use a domain for free for 5 days and then move on to the next.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;On that same note, will there be any process in place to permanently ban individuals who continually register domains only to be rejected? And does the CNNIC really expect to be able to take in and process what is potentially thousands of applications a day? What happens when that 5-day window becomes 10 days? 
Much to the dismay of the security world, criminals may rejoice at this announcement.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;So, while cybercriminals need only a few minutes to distribute malicious content, individuals within China whose views are not in accordance with their government's need many words, many pages, and much support to leverage the power of the Internet to engage and enlighten the world. It is these people who will be most affected, and individuals of all sorts, not just security professionals, should lament any moment when the Internet becomes a little less free, a little less open.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;Meaghan Molloy&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify; "&gt;&lt;span class="Apple-style-span" style="font-family: arial; "&gt;&lt;span class="Apple-style-span" style="font-size: small; "&gt;Threat 
Analyst&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/1007093432957092311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=1007093432957092311' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1007093432957092311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1007093432957092311'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/12/cn-less-clearly.html' title='CN Less Clearly'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-2251612726315175056</id><published>2009-11-06T13:37:00.001-05:00</published><updated>2009-11-06T13:38:38.742-05:00</updated><title type='text'>Mariposa and BlackEnergy DDOS</title><content type='html'>Talk of Mariposa may have faded, but the botnet is still very active. 
Some new activity has been observed here and merits reporting for those still following the story.&lt;br /&gt;&lt;br /&gt;Defence Intelligence's involvement with the Mariposa botnet goes back to the observation of a suspicious domain that was being queried quite frequently.&lt;br /&gt;&lt;br /&gt;Butterfly.bigmoney.biz had popped up on our radar as unusual in both its name and the volume of queries being made for it. With some fairly extensive &lt;a href="http://defintel.blogspot.com/2009/10/mariposa-botnet-analysis.html" target="_blank"&gt;analysis&lt;/a&gt;, our investigation revealed some other domains of interest:&lt;br /&gt;&lt;br /&gt;butterfly.sinip.es&lt;br /&gt;bfisback.sinip.es&lt;br /&gt;qwertasdfg.sinip.es&lt;br /&gt;&lt;br /&gt;These four, butterfly.bigmoney.biz included, proved to be command and control domains for the botnet.&lt;br /&gt;&lt;br /&gt;On October 4th an update occurred and new domains were contacted:&lt;br /&gt;&lt;br /&gt;lalundelau.sinip.es&lt;br /&gt;bf2back.sinip.es&lt;br /&gt;thejacksonfive.mobi&lt;br /&gt;&lt;br /&gt;The last of these has taken on a much different role over time. Communication to 200.74.244.84, to which thejacksonfive.mobi also pointed, was readily seen after the 4th. Various commands to Mariposa were being issued from this IP, including one to spread itself across MSN using the drop site URL http://obamawebcam.com/load.php. The file to be dropped was named bin.exe, but the spread on our test system was ineffective at the time. A VirusTotal report showed detections as Palevo, the label applied to much of the malware behind Mariposa. Several other binaries were also downloaded, most of them from rapidshare.com.&lt;br /&gt;&lt;br /&gt;Recently, on November 3rd, a new binary was grabbed from rapidshare as instructed by butterfly.bigmoney.biz. 
This file, named blackjackson.exe, was found to be version 1.92 of the BlackEnergy DDoS bot, and along with its installation came a new C&amp;C domain, thejacksonfive.us. Both thejacksonfive.us and thejacksonfive.mobi are now also used as web-based GUI controls for BlackEnergy. &lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_nMx-DUJRrDc/SvRo1PzbOsI/AAAAAAAAADg/8Rtx-WZTpUI/s1600-h/Picture+2.png" target="_blank"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 48px;" src="http://2.bp.blogspot.com/_nMx-DUJRrDc/SvRo1PzbOsI/AAAAAAAAADg/8Rtx-WZTpUI/s200/Picture+2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5401057117108648642" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A good writeup on BlackEnergy can be found in Arbor's &lt;a href="http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf" target="_blank"&gt;BlackEnergy+DDoS+Bot+Analysis.pdf&lt;/a&gt;. A third related domain, tamiflux.net, is also used as a web interface for the DDoS malware and is currently the only one blacklisted by Firefox.&lt;br /&gt;&lt;br /&gt;On November 4th, thejacksonfive.us issued a command to begin an HTTP GET request flood of three domains and one IP:&lt;br /&gt;&lt;br /&gt;al-hora.net&lt;br /&gt;saaid.net&lt;br /&gt;islamlight.net&lt;br /&gt;74.86.18.4 (the IP address for saaid.net)&lt;br /&gt;&lt;br /&gt;These Saudi Arabian sites appear to be forums for religious and regional political discussion, so the motivation behind the attacks may also be religious or political. Al-hora.com has been targeted for "censorship" for quite some time now and has apparently been kept offline since December 2007. Read more at &lt;a href="http://www.rsf.org/en-ennemi26081-Saudi_Arabia.html" target="_blank"&gt;www.rsf.org&lt;/a&gt;. 
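&lt;br /&gt;&lt;br /&gt;Two checks fall out of the account above: match resolver queries against the command and control names listed, and flag any name that is queried far more often than its neighbours, which is how butterfly.bigmoney.biz first stood out. The Python below is an added example written for this page, not Defence Intelligence's tooling. The BIND-style query log lines are constructed, the indicator sets are the domains named in the post, and the volume_factor multiplier over the median is the example's own choice of threshold.

```python
"""Triage a DNS query log for the Mariposa / BlackEnergy C2 names in this post.

Added example, not Defence Intelligence's tooling. The query log lines are
constructed in a BIND-style shape; the indicator sets are the domains named in
the post. The volume check mirrors how butterfly.bigmoney.biz first stood out:
an odd name queried far more often than its neighbours.
"""
import operator
import re
import statistics
from collections import Counter, defaultdict

# Mariposa C2 names from the post (original set plus the October 4 update).
MARIPOSA_C2 = {
    "butterfly.bigmoney.biz", "butterfly.sinip.es", "bfisback.sinip.es",
    "qwertasdfg.sinip.es", "lalundelau.sinip.es", "bf2back.sinip.es",
    "thejacksonfive.mobi",
}
# BlackEnergy C2 / web GUI names from the post.
BLACKENERGY_C2 = {"thejacksonfive.us", "thejacksonfive.mobi", "tamiflux.net"}
# Drop site used by the MSN spread command.
DROP_SITES = {"obamawebcam.com"}

# "client IP#port: query: NAME IN TYPE"; groups are client, qname, qtype.
LINE_RE = re.compile(r"client ([\d.]+)#\d+: query: (\S+) IN (\w+)")


def parse(log_text):
    """Yield (client, qname) per query line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower().rstrip(".")


def matches(qname, iocs):
    """True if qname is an indicator or a subdomain of one."""
    return any(qname == ioc or qname.endswith("." + ioc) for ioc in iocs)


def triage(log_text, volume_factor=4):
    """Return {qname: {queries, clients, reasons}} for names worth a look."""
    by_name, clients = Counter(), defaultdict(set)
    for client, qname in parse(log_text):
        by_name[qname] += 1
        clients[qname].add(client)
    if not by_name:
        return {}
    # A name queried volume_factor times more than the median name is "loud".
    threshold = volume_factor * statistics.median(by_name.values())
    findings = {}
    for qname, n in by_name.items():
        reasons = []
        if matches(qname, MARIPOSA_C2):
            reasons.append("mariposa-c2")
        if matches(qname, BLACKENERGY_C2):
            reasons.append("blackenergy-c2")
        if matches(qname, DROP_SITES):
            reasons.append("drop-site")
        if operator.ge(n, threshold):  # n is at least threshold
            reasons.append("volume")
        if reasons:
            findings[qname] = {
                "queries": n,
                "clients": sorted(clients[qname]),
                "reasons": reasons,
            }
    return findings


def build_sample_log():
    """Constructed sample: (client, qname, repeats) expanded into query lines."""
    spec = [
        ("10.0.0.5", "www.example.org", 3),
        ("10.0.0.9", "mail.example.org", 1),
        ("10.0.0.7", "cdn.example.net", 1),
        ("10.0.0.5", "butterfly.bigmoney.biz", 5),
        ("10.0.0.9", "butterfly.bigmoney.biz", 3),
        ("10.0.0.7", "thejacksonfive.us", 2),
        ("10.0.0.12", "qpxv.lookup.example", 12),  # unknown, but very loud
    ]
    lines, port = [], 40000
    for client, qname, repeats in spec:
        for _ in range(repeats):
            port += 1
            lines.append(f"12:00:00 client {client}#{port}: query: {qname} IN A")
    return "\n".join(lines)


if __name__ == "__main__":
    for qname, info in triage(build_sample_log()).items():
        print(qname, info)
```

Run as a script it prints the flagged names with their query counts and querying clients; on the constructed data butterfly.bigmoney.biz and thejacksonfive.us are flagged on indicator match and one unknown name on volume alone. On a busy resolver the median-of-everything baseline is too crude and should give way to a per-name history over a trailing window, but the suffix-aware indicator match carries over as is.&lt;br /&gt;&lt;br /&gt;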
Currently, of the sites being targeted, only saaid.net has managed to recover from the attacks.&lt;br /&gt;&lt;br /&gt;On November 5th, the thejacksonfive.us site changed its orders, altering the attack slightly: a SYN flood instead of a GET request flood, targeting only islamlight.net and saaid.net. This alteration was likely made in response to saaid.net's sustained presence online. (They talk about the attack on the home page.) Tamiflux.net is HTTP flooding the same domains.&lt;br /&gt;&lt;br /&gt;Gaining some insight into the attacks, we've discovered that the DDoS botnet has about 5,500 members under active control at any given time, and over 60,000 unique compromised systems. This is rather small, however, compared to the 1.5 million unique computers we believe to be members of the Mariposa botnet.&lt;br /&gt;&lt;br /&gt;The Mariposa botnet has continued to grow in size since we first observed it in May and has far surpassed our original estimate of 150,000 to 200,000 compromised systems. The distribution of compromised systems is fairly wide, but concentrations are obvious in Central America, Europe and South Korea.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_nMx-DUJRrDc/SvRpfH8InUI/AAAAAAAAADo/WNy0nywInsU/s1600-h/map118.jpg" target="_blank"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 100px;" src="http://3.bp.blogspot.com/_nMx-DUJRrDc/SvRpfH8InUI/AAAAAAAAADo/WNy0nywInsU/s200/map118.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5401057836552199490" /&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/2251612726315175056/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=2251612726315175056' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2251612726315175056'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2251612726315175056'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/11/mariposa-and-blackenergy-ddos.html' title='Mariposa and BlackEnergy DDOS'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_nMx-DUJRrDc/SvRo1PzbOsI/AAAAAAAAADg/8Rtx-WZTpUI/s72-c/Picture+2.png' height='72' width='72'/><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-7648637930249579694</id><published>2009-11-05T11:08:00.012-05:00</published><updated>2009-11-05T11:29:52.908-05:00</updated><title type='text'>MaCatte's Green roots are showing.</title><content type='html'>As an update to &lt;a href="http://defintel.blogspot.com/2009/09/riding-green-wave.html"&gt;my previous post on GreenAV&lt;/a&gt;, it seems that they are still trying to "Save the green forests of Amazonia" by having you install rogue antivirus.&lt;br /&gt;&lt;br /&gt;MaCatte is the newest rogue AV to appear and has ties to the GreenAV software that was recently promoted, with all of the websites sharing the same IP, 174.142.96.2:&lt;br /&gt;&lt;br /&gt;express.greencustomersupport.com&lt;br /&gt;green-av-2010-pro.com&lt;br /&gt;green-av-2010.com&lt;br /&gt;green-av-pre.com&lt;br /&gt;green-av-pro.com&lt;br /&gt;macatte.com&lt;br /&gt;my-green-av-pre.com&lt;br /&gt;my-green-av-pro.com&lt;br /&gt;my-green-av.com&lt;br 
/&gt;p4678z.my-green-av.com&lt;br /&gt;progresivescan.info&lt;br /&gt;zp4.green-av.com&lt;br /&gt;zp45.green-av-pro.com&lt;br /&gt;&lt;br /&gt;In fact, going to express.greencustomerssupport.com will take you to the MaCatte homepage. MaCatte, like so many other rogue AVs, runs fake scans on the machine and advises the user that the machine is infected, and that they will gladly remove the infections as long as one pays $99 to register the product. MaCatte is propagating in the same manner as GreenAV: through torrent sites, website redirection and freeware.&lt;br /&gt;&lt;br /&gt;MaCatte seems to be attempting to ride the coattails of McAfee, with a similar name, logo and website design. Included features on the site are a lovely challenge-response captcha in the support section to ensure that support requests are generated by an actual person and not a machine. There is a "Latest Threads Detected" box that lists a few common threats such as Conficker, and if you actually want to buy the product for $99 there is a link to plimus.com's payment processing. (At the time of writing, the order page at plimus.com was unavailable.) It would be interesting to see stats on how many people actually land on that payment page for MaCatte.&lt;br /&gt;&lt;br /&gt;Plimus.com is a company that offers payment processing for online businesses and takes a commission from each sale. Your own conclusions can be drawn regarding Plimus' track record after reading &lt;a href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=plimus.com"&gt;Google's Safe Browsing diagnostic page for Plimus&lt;/a&gt; and the reviews on &lt;a href="http://www.mywot.com/en/scorecard/plimus.com"&gt;Web of Trust.&lt;/a&gt; Norton did have the site flagged as unsafe for selling keylogger software but has since changed its rating to safe. Also, the Plimus site does show a McAfee and Verisign Secure logo at the bottom of their page. 
I am unsure at this time if the Plimus website is in fact MaCatte secure or not.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_nMx-DUJRrDc/SvL6cC4WY3I/AAAAAAAAADI/JwJNgYqIEi0/s1600-h/MaCatte+Site.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 180px; height: 158px;" src="http://3.bp.blogspot.com/_nMx-DUJRrDc/SvL6cC4WY3I/AAAAAAAAADI/JwJNgYqIEi0/s200/MaCatte+Site.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5400654262887146354" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_nMx-DUJRrDc/SvL6sc6Dk3I/AAAAAAAAADQ/OVKl8algfwE/s1600-h/McAfee+Site2.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 180px; height: 186px;" src="http://1.bp.blogspot.com/_nMx-DUJRrDc/SvL6sc6Dk3I/AAAAAAAAADQ/OVKl8algfwE/s200/McAfee+Site2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5400654544751530866" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;MaCatte offers to detect, block, and remove viruses, spyware and rootkits with a quick scan. The program also has an anti-phishing component that is supposed to warn you before accessing dangerous scam websites like their own. The feature that looks the most interesting is the Identity Protection. “Let's you shop, bank and trade online safely by asking permission before personally identifiable information like PIN'S, Bank accounts, Social Security numbers are sent from your machine.” I do not believe the effectiveness or honesty behind these statements.&lt;br /&gt;&lt;br /&gt;Currently there are no removal tools readily available to the public, but for now you are able to do a system restore back to a `pre-infection` restore point, although there have been reports that MaCatte has added a feature to block system restore attempts. 
So if you are infected with MaCatte rogue AV, you might as well reformat.&lt;br /&gt;&lt;br /&gt;MaCatte is just another rendition of rogue antivirus, using fake scans and scareware tactics to con people into paying for the software while selling off their information as an added bonus. But hey, they do have a refund policy.&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_nMx-DUJRrDc/SvL7K7Y_0SI/AAAAAAAAADY/gaxdEXpo93c/s1600-h/MaCatte-Refund.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 149px;" src="http://3.bp.blogspot.com/_nMx-DUJRrDc/SvL7K7Y_0SI/AAAAAAAAADY/gaxdEXpo93c/s200/MaCatte-Refund.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5400655068330447138" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p style="margin-bottom: 0cm; font-family: arial;"&gt;B.Kilrea&lt;br /&gt;Threat Analyst&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/7648637930249579694/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=7648637930249579694' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/7648637930249579694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/7648637930249579694'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/11/macattes-green-roots-are-showing.html' title='MaCatte&apos;s Green roots are showing.'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_nMx-DUJRrDc/SvL6cC4WY3I/AAAAAAAAADI/JwJNgYqIEi0/s72-c/MaCatte+Site.png' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-1382276765363488997</id><published>2009-10-30T14:57:00.005-04:00</published><updated>2009-10-30T15:11:47.339-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Lambdanet'/><category scheme='http://www.blogger.com/atom/ns#' term='Malicious Software'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Slot machine'/><category scheme='http://www.blogger.com/atom/ns#' term='Domain Name System'/><category scheme='http://www.blogger.com/atom/ns#' term='Mozilla Firefox'/><category scheme='http://www.blogger.com/atom/ns#' term='IP address'/><title type='text'>Blogspot Whammies</title><content type='html'>&lt;p class="zemanta-img" style="margin: 1em; float: right; display: block; width: 310px;"&gt;&lt;a href="http://en.wikipedia.org/wiki/Image:Casino_slots.jpg"&gt;&lt;img src="http://upload.wikimedia.org/wikipedia/en/thumb/6/65/Casino_slots.jpg/300px-Casino_slots.jpg" alt="Slot machines in the Trump Taj Mahal" style="border: medium none ; display: block;" height="189" width="300"&gt;&lt;/a&gt;&lt;span class="zemanta-img-attribution"&gt;Image via &lt;a href="http://en.wikipedia.org/wiki/Image:Casino_slots.jpg"&gt;Wikipedia&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;I enjoy seeing what the world has to say from time to time and to give everyone's voice a fair shake I will often click "Next Blog" in Blogspot's standard blog header. 
I know that Blogspot pages are now a popular point of redirection for initiating malware download, especially with Koobface. I also know that rogue AV is the gravy train of scam software and is now being promoted through Koobface. Now when I go gambling I never win anything, but it appears the Blogspot "Next Blog" slot machine has shown up all cherries. Well, maybe lemons.&lt;br /&gt;&lt;br /&gt;In a very swift redirection I was brought to "antivirusn.com/scan1/?pid=156&amp;amp;engine=%3DnQyzTjuNjgyLjIzLjI4JnRpbWU9MTI1MTgxMI0OaA%3DN". This was supposed to perform a "scan" of my computer as is customary with rogue AV, but Firefox was kind enough to report this as a "Reported Attack Site!"&lt;br /&gt;Let's take a peek at "antivirusn.com" and see what this family of rogue AV looks like. Maybe I know some of your relatives.&lt;br /&gt;&lt;br /&gt;antivirusn.com  A  83.133.119.154&lt;br /&gt;antivirusn.com  A  91.212.107.7&lt;br /&gt;antivirusn.com  NS  ns1.everydns.net&lt;br /&gt;antivirusn.com  NS  ns2.everydns.net&lt;br /&gt;antivirusn.com  NS  ns3.everydns.net&lt;br /&gt;antivirusn.com  NS  ns4.everydns.net&lt;br /&gt;&lt;br /&gt;Registrant:&lt;br /&gt;Name: Lian S Richard&lt;br /&gt;Address: Overhogdal 25&lt;br /&gt;City: MOLNLYCKE&lt;br /&gt;Province/state: MOLNLYCKE&lt;br /&gt;Country: SE&lt;br /&gt;Postal Code: 43510&lt;br /&gt;&lt;br /&gt;Administrative Contact:&lt;br /&gt;Name: Lian S Richard&lt;br /&gt;Organization: n/a&lt;br /&gt;Address: Overhogdal 25&lt;br /&gt;City: MOLNLYCKE&lt;br /&gt;Province/state: MOLNLYCKE&lt;br /&gt;Country: SE&lt;br /&gt;Postal Code: 43510&lt;br /&gt;Phone: +5.3017560166&lt;br /&gt;Fax: +5.3017560166&lt;br /&gt;Email: info@airlineshun.be&lt;br /&gt;&lt;br /&gt;Technical Contact:&lt;br /&gt;Name: Lian S Richard&lt;br /&gt;Organization: n/a&lt;br /&gt;Address: Overhogdal 25&lt;br /&gt;City: MOLNLYCKE&lt;br /&gt;Province/state: MOLNLYCKE&lt;br /&gt;Country: SE&lt;br /&gt;Postal Code: 43510&lt;br /&gt;&lt;br /&gt;Nameserver 
Information:&lt;br /&gt;ns1.everydns.net&lt;br /&gt;ns2.everydns.net&lt;br /&gt;ns3.everydns.net&lt;br /&gt;ns4.everydns.net&lt;br /&gt;&lt;br /&gt;Create: 2009-10-28 18:44:36&lt;br /&gt;Update: 2009-10-29&lt;br /&gt;Expired: 2010-10-28&lt;br /&gt;&lt;br /&gt;What else is going on at these IPs?&lt;br /&gt;&lt;br /&gt;Passive DNS over at www.bfk.de reveals the following:&lt;br /&gt;&lt;br /&gt;virus-detect01.com  A  83.133.119.154&lt;br /&gt;bestantispyware11.com  A  83.133.119.154&lt;br /&gt;top-scanner11.com  A  83.133.119.154&lt;br /&gt;detect-spyware1.com  A  83.133.119.154&lt;br /&gt;top-scanner02.com  A  83.133.119.154&lt;br /&gt;top-scanner2.com  A  83.133.119.154&lt;br /&gt;virus-detect2.com  A  83.133.119.154&lt;br /&gt;top-scanner04.com  A  83.133.119.154&lt;br /&gt;virus-detect04.com  A  83.133.119.154&lt;br /&gt;detect-spyware5.com  A  83.133.119.154&lt;br /&gt;virus-detect6.com  A  83.133.119.154&lt;br /&gt;detect-spyware7.com  A  83.133.119.154&lt;br /&gt;virus-detect08.com  A  83.133.119.154&lt;br /&gt;bestantispyware09.com  A  83.133.119.154&lt;br /&gt;detect-spyware9.com  A  83.133.119.154&lt;br /&gt;top-scanner9.com  A  83.133.119.154&lt;br /&gt;kill-virusc.com  A  83.133.119.154&lt;br /&gt;kill-virusd.com  A  83.133.119.154&lt;br /&gt;scannerg.com  A  83.133.119.154&lt;br /&gt;scannerh.com  A  83.133.119.154&lt;br /&gt;antivirusk.com  A  83.133.119.154&lt;br /&gt;antivirusm.com  A  83.133.119.154&lt;br /&gt;antivirusn.com  A  83.133.119.154&lt;br /&gt;scannerr.com  A  83.133.119.154&lt;br /&gt;scanneru.com  A  83.133.119.154&lt;br /&gt;154.119.133.83.in-addr.arpa  PTR  id1148.rdso.ru&lt;br /&gt;&lt;br /&gt;virus-detect01.com  A  85.12.24.12&lt;br /&gt;bestantispyware11.com  A  85.12.24.12&lt;br /&gt;top-scanner11.com  A  85.12.24.12&lt;br /&gt;top-scanner02.com  A  85.12.24.12&lt;br /&gt;top-scanner2.com  A  85.12.24.12&lt;br /&gt;top-scanner04.com  A  85.12.24.12&lt;br /&gt;bestantispyware09.com  A  85.12.24.12&lt;br /&gt;top-scanner9.com  A  
85.12.24.12&lt;br /&gt;&lt;br /&gt;And we find another IP: 91.212.107.7&lt;br /&gt;&lt;br /&gt;virus-detect01.com  A  91.212.107.7&lt;br /&gt;bestantispyware11.com  A  91.212.107.7&lt;br /&gt;top-scanner11.com  A  91.212.107.7&lt;br /&gt;detect-spyware1.com  A  91.212.107.7&lt;br /&gt;top-scanner02.com  A  91.212.107.7&lt;br /&gt;top-scanner2.com  A  91.212.107.7&lt;br /&gt;virus-detect2.com  A  91.212.107.7&lt;br /&gt;top-scanner04.com  A  91.212.107.7&lt;br /&gt;virus-detect04.com  A  91.212.107.7&lt;br /&gt;detect-spyware5.com  A  91.212.107.7&lt;br /&gt;virus-detect6.com  A  91.212.107.7&lt;br /&gt;detect-spyware7.com  A  91.212.107.7&lt;br /&gt;virus-detect08.com  A  91.212.107.7&lt;br /&gt;bestantispyware09.com  A  91.212.107.7&lt;br /&gt;detect-spyware9.com  A  91.212.107.7&lt;br /&gt;top-scanner9.com  A  91.212.107.7&lt;br /&gt;kill-virusc.com  A  91.212.107.7&lt;br /&gt;kill-virusd.com  A  91.212.107.7&lt;br /&gt;scannerg.com  A  91.212.107.7&lt;br /&gt;scannerh.com  A  91.212.107.7&lt;br /&gt;antivirusk.com  A  91.212.107.7&lt;br /&gt;antivirusm.com  A  91.212.107.7&lt;br /&gt;antivirusn.com  A  91.212.107.7&lt;br /&gt;scannerr.com  A  91.212.107.7&lt;br /&gt;scanneru.com  A  91.212.107.7&lt;br /&gt;&lt;br /&gt;Well, rogue AV is obviously the name of the game here. Let's look on a larger scale at the AS level.&lt;br /&gt;&lt;br /&gt;83.133.119.154 is under AS13237 (LAMBDANET)&lt;br /&gt;&lt;br /&gt;MalwareURL.com reports 200 domains under Lambdanet, the majority of which relate to rogue AV.&lt;br /&gt;&lt;br /&gt;85.12.24.12 points to AS34305 (EUROACCESS)&lt;br /&gt;&lt;br /&gt;They are small time with only 23 domains reported by MalwareURL.com. 
They consist of rogue AV and Zbot.&lt;br /&gt;&lt;br /&gt;The big player is AS49038 (RICCOM), the AS that 91.212.107.7 falls under.&lt;br /&gt;&lt;br /&gt;326 Riccom domains were reported by MalwareURL.com, and only about seven were unrelated to rogue software.&lt;br /&gt;&lt;br /&gt;There are a dozen other IPs mixed in here going back to March, but the most notable is 91.212.107.103, which also comes up under AS29550 (EUROCONNEX). This IP has hundreds of rogue-software domains pointed at it, such as:&lt;br /&gt;windoptimizer.com  A  91.212.107.103&lt;br /&gt;woptimizer.com  A  91.212.107.103&lt;br /&gt;goscandir.com  A  91.212.107.103&lt;br /&gt;in5cs.com  A  91.212.107.103&lt;br /&gt;general-antivirus.com  A  91.212.107.103&lt;br /&gt;www.general-antivirus.com  A  91.212.107.103&lt;br /&gt;generalantivirus.com  A  91.212.107.103&lt;br /&gt;goscanneat.com  A  91.212.107.103&lt;br /&gt;in5ct.com  A  91.212.107.103&lt;br /&gt;in5it.com  A  91.212.107.103&lt;br /&gt;wopayment.com  A  91.212.107.103&lt;br /&gt;goscanrest.com  A  91.212.107.103&lt;br /&gt;ereuqba.cn  A  91.212.107.103&lt;br /&gt;dycotda.cn  A  91.212.107.103&lt;br /&gt;&lt;br /&gt;just to list a few. This also leads back to Koobface and the "2008 ali baba and 40, LLC", which you can read about in &lt;a href="http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html" target="_blank"&gt;Dancho's&lt;/a&gt; blog from September. It looks like antivirusn.com was part of a large family after all. No surprise there. 
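&lt;br /&gt;&lt;br /&gt;The pivot used above (take an IP from whois or passive DNS, list every name that resolved to it, then intersect across IPs to find the names that moved together) is easy to automate once the passive DNS answers are in hand. The following Python is an added example, not code from the original post or from bfk.de: the sample records are a small subset of the answers listed above, embedded inline so the block runs offline, and the rogue-AV keyword list is a heuristic chosen here rather than a published one.&lt;br /&gt;&lt;br /&gt;

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the bfk.de passive DNS answers quoted in
# the post above, kept in the same "name  type  rdata" layout so the parser
# below can be pointed at a full export of that listing.
SAMPLE_PDNS = """
virus-detect01.com  A  83.133.119.154
top-scanner9.com  A  83.133.119.154
detect-spyware1.com  A  83.133.119.154
antivirusn.com  A  83.133.119.154
154.119.133.83.in-addr.arpa  PTR  id1148.rdso.ru

virus-detect01.com  A  85.12.24.12
top-scanner9.com  A  85.12.24.12

virus-detect01.com  A  91.212.107.7
top-scanner9.com  A  91.212.107.7
detect-spyware1.com  A  91.212.107.7
antivirusn.com  A  91.212.107.7
general-antivirus.com  A  91.212.107.103
goscandir.com  A  91.212.107.103
"""

# One record per line: owner name, record type, answer. Anything else is skipped.
RECORD = re.compile(r"^(\S+)\s+(A|AAAA|CNAME|PTR)\s+(\S+)$")

# Brand words the rogue AV domains in the post reuse; a heuristic chosen for this
# example, not a published list.
ROGUE_AV_WORDS = ("antivirus", "antispyware", "scanner", "virus", "spyware")


def parse_pdns(text):
    """Return (name, rrtype, rdata) tuples, lower-cased, from a bfk.de-style dump."""
    records = []
    for raw in text.splitlines():
        m = RECORD.match(raw.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return records


def pivot_on_ips(records):
    """Map each IPv4 answer to the set of names that resolved to it."""
    by_ip = defaultdict(set)
    for name, rrtype, rdata in records:
        if rrtype == "A":
            by_ip[rdata].add(name)
    return by_ip


def shared_across(by_ip, ips):
    """Names that resolved to every IP in ips: the core of one hosting cluster.
    Names present on only some of the IPs are the rotation the post describes."""
    if not ips:
        return set()
    return set.intersection(*(by_ip.get(ip, set()) for ip in ips))


def looks_like_rogue_av(name):
    """Keyword heuristic for the fake-scanner naming pattern seen above."""
    return any(word in name for word in ROGUE_AV_WORDS)


def ip_summary(by_ip):
    """Per IP: (number of names, number of names matching the rogue AV pattern)."""
    return {
        ip: (len(names), sum(1 for n in names if looks_like_rogue_av(n)))
        for ip, names in by_ip.items()
    }


if __name__ == "__main__":
    by_ip = pivot_on_ips(parse_pdns(SAMPLE_PDNS))
    for ip, (total, rogue) in sorted(ip_summary(by_ip).items()):
        print(f"{ip:16} {total:3} names, {rogue:3} rogue-AV-looking")
    core = shared_across(by_ip, ["83.133.119.154", "85.12.24.12", "91.212.107.7"])
    print("shared by all three IPs:", sorted(core))
```

&lt;br /&gt;&lt;br /&gt;Intersecting across all three IPs gives the core of the hosting cluster; names present on only some of them (detect-spyware1.com sits on 83.133.119.154 and 91.212.107.7 but not on 85.12.24.12 in the listing above) show the rotation between hosts, and the per-IP counts are what you would carry to the AS-level comparison that follows.&lt;br /&gt;&lt;br /&gt;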
I'm sure I'll be bumping into you again.&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp; Analysis&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-1382276765363488997?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/1382276765363488997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=1382276765363488997' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1382276765363488997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/1382276765363488997'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/10/blogspot-whammies.html' title='Blogspot Whammies'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-2526271908911156004</id><published>2009-10-29T12:38:00.014-04:00</published><updated>2009-10-29T13:07:14.266-04:00</updated><title type='text'>ICANN and IDNs</title><content type='html'>ICANN is meeting in Korea this week to discuss several issues regarding domain management, including post-expiration domain name recovery, registration abuse policies, new gTLDs and IDN ccTLDs. While all of this is interesting, I started to think about how many English-only web users are even aware of this final issue. Did you ever consider that while the Internet is dominated by English-focused websites, 60% of its users are non-English speakers? How many of you were aware that a URL could even be written in Chinese?&lt;br /&gt;&lt;br /&gt;IDNs are internationalized domain names written using local-language characters, not limited to Latin or ASCII script. Second-level IDNs such as "日本語ドメイン.com" have been available for some time, but IDNs are currently limited to the second level and below, leaving the familiar ASCII TLDs (top-level domains) like ".com" as a foreign-language appendix. 
What we are likely to see very soon, however, thanks to the ICANN discussions, is domains constructed entirely in one language.&lt;br /&gt;&lt;br /&gt;ICANN has set up a test page at &lt;a href="http://idn.icann.org/" target="_blank"&gt;idn.icann.org&lt;/a&gt;. Here you can see the same example.test domain in Arabic, Greek, Cyrillic, and Hebrew.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_nMx-DUJRrDc/SunFWVr3OkI/AAAAAAAAACo/_hfcgv2H7uc/s1600-h/Picture+1.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 143px;" src="http://4.bp.blogspot.com/_nMx-DUJRrDc/SunFWVr3OkI/AAAAAAAAACo/_hfcgv2H7uc/s320/Picture+1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5398062615949163074" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So what does this mean for DNS, whose queries and answers are ASCII-based? For DNS to resolve an IDN, each non-ASCII label of the Unicode name is encoded with punycode into an ASCII form that resolves like any other name. A full explanation of the punycode bootstring algorithm can be found in &lt;a href="http://tools.ietf.org/html/rfc3492" target="_blank"&gt;RFC 3492&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;A domain name is made up of labels separated by dots, and the conversion happens label by label. For Latin-based domain names the label stored in DNS is usually identical to the label displayed to the user, but with IDNs and punycode the two differ significantly. The displayed form is called a U-label (Unicode) and the stored form an A-label (ASCII). The result, which most consumers will never notice, is that the Cyrillic equivalent of 'example.test' is displayed as 'пример.испытание' but stored as 'xn--e1afmkfd.xn--80akhbyknj4f' (example from &lt;a href="http://idn.icann.org/IDN_basics" target="_blank"&gt;ICANN&lt;/a&gt;). 
Every punycode (A-label) form of these IDNs begins with the "xn--" prefix.&lt;br /&gt;&lt;br /&gt;It's great that ICANN is moving toward a more internationally conscious and usable Internet, but it seems very delayed. How much has an English-dominated Internet kept the rest of the world out of the loop? A couple of examples from ICANN documents bring up everyday situations many of us take for granted. If I read a billboard or advertisement with an accompanying web address, I go there for more information. But what if that URL were in Chinese or Hindi? I wouldn't be able to remember the address or even reproduce it on my keyboard. I would of course prefer to have the web address in the same language as everything else I'm reading. This change will be especially advantageous for scripts such as Arabic that read from right to left. You can imagine how confusing it currently is to convey a URL properly to international consumers.&lt;br /&gt;&lt;br /&gt;There are three programs for obtaining entirely native-language IDNs. 
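&lt;br /&gt;&lt;br /&gt;The U-label/A-label conversion described above, together with the check a security team wants next to it, as an added Python example (not code from the original post or from ICANN): it converts both ways with Python's built-in idna codec and flags any label whose letters come from more than one script, which is how a look-alike name hides a Cyrillic letter inside a Latin brand. Assumptions made here: the codec implements IDNA 2003, so results can differ from a modern browser (IDNA 2008 plus UTS #46 mapping) for a few characters; the script test takes the first word of each character's Unicode name as a coarse script name rather than implementing UTS #39 in full; and the look-alike domain used as input is constructed for the example.&lt;br /&gt;&lt;br /&gt;

```python
import unicodedata


def to_a_label(domain):
    """U-label (Unicode) to A-label (ASCII, each converted label prefixed xn--).
    Python's idna codec implements IDNA 2003; browsers use IDNA 2008 plus UTS #46,
    which differ for a handful of characters, so treat this as an approximation."""
    return domain.encode("idna").decode("ascii")


def to_u_label(domain):
    """A-label back to the Unicode form a browser would display.
    The codec only recognises a lowercase xn-- prefix, so normalise case first."""
    return domain.lower().encode("ascii").decode("idna")


def char_script(ch):
    """Coarse script of one character, taken from the first word of its Unicode
    name ('CYRILLIC SMALL LETTER A' becomes CYRILLIC). Digits, hyphen and other
    non-letters are treated as COMMON, as UTS #39 does. Heuristic only: names such
    as 'FULLWIDTH LATIN ...' are not folded into their base script here."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scripts_in_label(label):
    """Set of scripts the letters of a single label are drawn from."""
    return {char_script(c) for c in label} - {"COMMON"}


def is_mixed_script(label):
    """True when one label mixes scripts, the classic homograph warning sign."""
    return len(scripts_in_label(label)) not in (0, 1)


def audit(domain):
    """Accept either form of a name and report both forms plus per-label scripts."""
    if domain.isascii():
        u_form, a_form = to_u_label(domain), domain.lower()
    else:
        u_form, a_form = domain, to_a_label(domain)
    labels = u_form.split(".")
    return {
        "a_label": a_form,
        "u_label": u_form,
        "scripts": [sorted(scripts_in_label(lbl)) for lbl in labels],
        "mixed_script": any(is_mixed_script(lbl) for lbl in labels),
    }


if __name__ == "__main__":
    # The ICANN example from the post in both forms, and a constructed look-alike
    # of a Latin brand name whose second letter is CYRILLIC SMALL LETTER A (U+0430).
    for name in ("пример.испытание", "xn--e1afmkfd.xn--80akhbyknj4f", "p\u0430ypal.com"):
        print(audit(name))
```

&lt;br /&gt;&lt;br /&gt;Run against DNS or proxy logs, the useful direction is the second one: anything carrying an "xn--" label is decoded back to its U-label and the per-label script sets tell you whether it is an ordinary single-script IDN or a mixed-script name worth a closer look.&lt;br /&gt;&lt;br /&gt;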
The proposed launch date for the IDN ccTLD Fast Track Process is November 16, 2009.&lt;br /&gt;&lt;br /&gt;For some application and browser IDN handling issues, check out &lt;a href="http://www.idnnews.com/?p=8760" target="_blank"&gt;IDNnews.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Matt Sully&lt;br /&gt;Director&lt;br /&gt;Threat Research &amp; Analysis&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-2526271908911156004?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/2526271908911156004/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=2526271908911156004' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2526271908911156004'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2526271908911156004'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/10/icann-and-idns.html' title='ICANN and IDNs'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_nMx-DUJRrDc/SunFWVr3OkI/AAAAAAAAACo/_hfcgv2H7uc/s72-c/Picture+1.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-5963485994507765996</id><published>2009-10-28T11:36:00.004-04:00</published><updated>2009-10-28T11:54:55.358-04:00</updated><title type='text'>Wireshark Plugin for Mariposa Botnet Command and Control</title><content 
type='html'>&lt;p&gt;"Yamata Li of the Palo Alto Networks Threat Research Team has developed a Wireshark plugin that will allow you to view obfuscated pcaps of traffic from a Mariposa infected client and actually decrypt them within Wireshark."&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;a href="http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/"&gt;http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Thanks Yamata, the time and effort you have put into this plug-in is much appreciated. &lt;br /&gt;&lt;br /&gt;B.Kilrea&lt;br /&gt;Threat Analyst&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-5963485994507765996?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/5963485994507765996/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=5963485994507765996' title='25 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5963485994507765996'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5963485994507765996'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/10/yamata-li-of-palo-alto-networks-threat.html' title='Wireshark Plugin for Mariposa Botnet Command and Control'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>25</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-8473443038306248322</id><published>2009-10-09T16:24:00.009-04:00</published><updated>2010-03-02T19:46:28.749-05:00</updated><title type='text'>Mariposa Botnet Analysis</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;br /&gt;*** Update ***&lt;br /&gt;&lt;br /&gt;An updated version of the Mariposa Technical Analysis can be found at &lt;a href="http://defintel.com/docs/Mariposa_Analysis.pdf"&gt;http://defintel.com/docs/Mariposa_Analysis.pdf &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;***&lt;br /&gt;&lt;br /&gt;Mariposa was first observed in May of 2009 by &lt;a href="http://www.defintel.com/"&gt;Defence Intelligence&lt;/a&gt; as an emerging botnet. In recent months, Mariposa has shown a significant increase in beaconing traffic to its command and control servers. This is indicative of an increasingly high number of compromised computers actively participating in the Mariposa botnet.&lt;br /&gt;&lt;br /&gt;The most dangerous capability of this botnet is that arbitrary executable programs are downloaded and executed on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise. In addition, the malware can be updated on command to a new variant of the binary, effectively reducing or eliminating the detection rates of traditional host detection methods.&lt;br /&gt;&lt;br /&gt;Commands from the botnet master may be directed at participants in a specific country, individual computers, or all computers. As a result, the observation of the live command and control channel may not include all of the activity and capabilities of Mariposa.&lt;br /&gt;&lt;br /&gt;The command and control channel employs custom encrypted UDP datagrams to receive instructions and transmit data.  
A detailed analysis of the encryption and message formats used by the protocol is presented in this paper.&lt;br /&gt;&lt;br /&gt;During empirical analysis of internally controlled compromised systems, the following DNS domain names were observed as the command and control servers:&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul style="text-align: justify;"&gt;&lt;li&gt;lalundelau.sinip.es&lt;/li&gt;&lt;li&gt;bf2back.sinip.es&lt;/li&gt;&lt;li&gt;thejacksonfive.mobi&lt;/li&gt;&lt;li&gt;butterfly.BigMoney.biz&lt;/li&gt;&lt;li&gt;bfisback.sinip.es&lt;/li&gt;&lt;li&gt;qwertasdfg.sinip.es&lt;/li&gt;&lt;/ul&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;Over the last two weeks of analysis, two unique malicious programs were downloaded and executed on the compromised computers. One malware update was received during this period, introducing new command and control domain names, adding a ‘confirmation of download’ message, and renaming ASCII commands.&lt;br /&gt;&lt;br /&gt;It has also been observed that botnet participants receive Google custom search engine URL fragments in a command from the bot master. 
This indicates a possible hijacking of Google AdSense advertisement revenue.&lt;br /&gt;&lt;br /&gt;This paper details the result of static binary analysis, a review of the command and control protocols including a breakdown of the encryption, and empirical behaviour analysis findings.&lt;br /&gt;&lt;br /&gt;The full Mariposa Botnet Analysis is available in PDF form at &lt;a href="http://defintel.com/docs/Mariposa_Analysis.pdf"&gt;defintel.com&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-8473443038306248322?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/8473443038306248322/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=8473443038306248322' title='114 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/8473443038306248322'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/8473443038306248322'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/10/mariposa-botnet-analysis.html' title='Mariposa Botnet Analysis'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>114</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-3389773380246893315</id><published>2009-10-01T10:30:00.004-04:00</published><updated>2009-11-02T15:53:38.392-05:00</updated><title type='text'>Mariposa Defined</title><content type='html'>&lt;p   style="margin: 0px; font-style: normal; font-variant: normal; 
font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Defence Intelligence has received quite a few responses to our story on the Mariposa botnet. They have run the gamut from polite information inquiries to accusations of falsifying our findings for media coverage, and thinly veiled threats of legal action. A response of our own has become necessary and we hope it at least answers some common questions many of you have asked.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;Who is Defence Intelligence?&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;To begin with we are not an anti-virus company. We have spent the last 14 years protecting companies from hackers, not viruses. Until just a few years ago a virus and a hacker had very little to do with each other. 
Viruses are annoying and at times destructive but pose very little actual threat to a company or government's information and its assets. A hacker's goal on the other hand is to stealthily gain control of a targeted system with the intent of stealing data, attacking the internal network, or using the controlled system to attack an external network.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;In the last few years these two distinct threats have blended. Hackers have discovered that direct external attacks are unnecessary and risky. It is now easier to engineer malicious software that is delivered to a system remotely through various means.  Once that malicious software is on an internal computer, it then communicates outbound to the hacker, handing them complete control of the affected system. 
&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; text-align: center; text-indent: 13.1px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;i&gt;When a system is compromised in this manner the attack is all too often misunderstood and dismissed as a mere virus, not just by the victim but by those providing that victim’s system security.&lt;/i&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;The Defence Intelligence team comes from an information security background, and not an anti-virus background, which means we view things differently. Within incident response, multiple events form an incident and events are constructed using various components. 
IP addresses, domain names, binaries, people, companies, and networks are all parts of this particular incident, which in this case, is a botnet.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;What is Mariposa?&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Mariposa is a collection of compromised computers that are directly under the control of a single malicious entity. 
In the security industry we call this a botnet.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Mariposa is NOT a virus, or a worm, or a trojan or any other dated designation still inappropriately assigned to modern day malware. The malicious software used by Mariposa, and any other botnet, actively evolves to become whatever is needed by its controller and is not limited by the boundaries of antivirus labels. This means that a trojan can be told to spread like a worm. It means that malware designed to send spam can be instructed to steal banking information.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Modern malware can no longer be classified by its perceived purpose or propagation method because those change in an instant. This software is engineered to gain access to and maintain control over the victim machine, and infiltrating a user’s computer is not difficult. 
Using a variety of software exploits and social engineering tactics, an attacker will find a way to distribute his malware to his victims. &lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; text-align: center; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;i&gt;Panda Security released a report this week showing that almost &lt;/i&gt;&lt;/span&gt;&lt;span style="font-style: normal; font-variant: normal; font-weight: bold; line-height: normal; font-size-adjust: none; font-stretch: normal; letter-spacing: 0px;font-family:Helvetica;font-size:130%;"  &gt;60%&lt;/span&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;i&gt; of all PCs that scanned their computer this month had malware of some kind on their system. &lt;/i&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Once the malware is on the system it seeks communication with its controlling entity. 
With communication to the controlling entity, any compromised machine can be capable of carrying out any order issued by the botnet controller and any data on the compromised machine can be extracted for use, sale or distribution by the attacker.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;Why did you call it Mariposa?&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Our naming of this botnet as Mariposa has been a cause of concern for some. The confusion comes when antivirus companies or those using antivirus, search for the Mariposa name only to find no results. 
This is because Mariposa refers to the botnet and not the malware it utilizes.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;The malware used by Mariposa goes by many names, and this is part of the problem. Even amongst antivirus groups and within their own companies it is difficult to find a common name for any one family of malware.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Below are some of the names attributed to binaries which are used within Mariposa that are detected by McAfee and Trend. 
This provides a quality example for the current confusion in botnet malware identification.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;table style="background-color: rgb(255, 255, 255); border-collapse: collapse;" cellpadding="0" cellspacing="0"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;McAfee&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica Neue;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;Trend&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: 
normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;W32/Autorun.worm.zzq&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;WORM_AUTORUN.ZRO&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;W32/Virut.n.gen&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;WORM_Generic.DIT&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Downloader-BQP&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; 
&lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;TROJ_Generic.DIT&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;W32/Autorun.worm.zzk&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;PE_VIRUX.A&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;PWS-Zbot&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; 
font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;WORM_PALEVO.T&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Generic.dx!dpk&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;WORM_PALEVO.AZ&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Downloader-BRW&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;WORM_PALEVO.AS&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 
1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;W32/Virut.j&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;WORM_AUTORUN.EUC&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;W32/Autorun.worm.fq&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;WORM_AUTORUN.EPB&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: 
normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;W32/Autorun.worm.c&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;TSPY_ZBOT.SMQ&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;W32/Autorun.worm!bf&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;PE_VIRUX.F-1&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Generic.dx!la&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; 
height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;PE_VIRUX.E&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Generic.dx!ha&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;PE_VIRUX.D&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Generic.dx!dqe&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 
0px;font-size:130%;" &gt;PE_VIRUX.C-1&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;PE_VIRUX.A-3&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;PE_VIRUT.AP&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 167.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; 
font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 145.8px; height: 11px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;BKDR_VOTWUP.D&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;It is our hope that, perhaps not in our terminology but with our methodology, Defence Intelligence can provide some guidance to improve upon the multiple naming conventions, allowing a clearer arena for botnet discussion and understanding.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 
11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;Why didn’t my AV pick this up?&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Using signatures and automated classification, especially when involving heuristics, results in a cacophony of naming options for every distinct variant of a given piece of malware.  
That said, many AV companies had the ability to detect some variations of the malware behind Mariposa long before we became aware of this botnet’s activity.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;With our approach to compromise detection, utilized by our Nemesis software, we can detect the botnet itself, which allows an organization to track down systems affected by the malware regardless of the variant or of any antivirus product's ability to identify it. While AV companies look at single binaries and classify based upon the discrete behavior of the code, or the packer used to obfuscate the binary, we look at the threat holistically, a macro versus micro approach.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;At Defence Intelligence we consider the code used within Mariposa as only one identifying factor. Command structure is another; it is defined by domain names, IP addresses, and communication protocols, and by the fluctuation of each. 
We also consider the organization or individual at the end point, the party with control over the botnet, and ultimately any indicator as to who is responsible for the formation and/or control of the hosts affected by this malware.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;With the perpetual addition of variants and updates, relying on AV detection to keep pace is not advised. VirusTotal is a free web-based service that analyzes files with multiple antivirus engines, revealing each engine's ability to detect a suspected malware sample. 
The following is VirusTotal output for one of the malicious binaries related to Mariposa.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;table style="background-color: rgb(255, 255, 255); border-collapse: collapse;" cellpadding="0" cellspacing="0"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 5px; width: 89.9px; height: 11px; background-color: rgb(239, 239, 239);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Antivirus&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 5px; width: 77.2px; height: 11px; background-color: rgb(239, 239, 239);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span 
style="font-size:130%;"&gt;&lt;b&gt;Version&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 5px; width: 54.6px; height: 11px; background-color: rgb(239, 239, 239);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Last Update&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 5px; width: 204.9px; height: 11px; background-color: rgb(239, 239, 239);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Result&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;a-squared&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;4.5.0.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 
0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;AhnLab-V3&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;5.0.0.2&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td 
style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;AntiVir&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;7.9.0.228&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier 
New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Antiy-AVL&lt;/b&gt;&lt;/td&gt;&lt;td&gt;2.0.3.7&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Authentium&lt;/b&gt;&lt;/td&gt;&lt;td&gt;5.1.2.4&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Avast&lt;/b&gt;&lt;/td&gt;&lt;td&gt;4.8.1335.0&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;AVG&lt;/b&gt;&lt;/td&gt;&lt;td&gt;8.5.0.387&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;BitDefender&lt;/b&gt;&lt;/td&gt;&lt;td&gt;7.2&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;CAT-QuickHeal&lt;/b&gt;&lt;/td&gt;&lt;td&gt;10&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;ClamAV&lt;/b&gt;&lt;/td&gt;&lt;td&gt;0.94.1&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Comodo&lt;/b&gt;&lt;/td&gt;&lt;td&gt;1742&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;DrWeb&lt;/b&gt;&lt;/td&gt;&lt;td&gt;5.0.0.12182&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;eSafe&lt;/b&gt;&lt;/td&gt;&lt;td&gt;7.0.17.0&lt;/td&gt;&lt;td&gt;2009.07.23&lt;/td&gt;&lt;td&gt;Suspicious File&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;eTrust-Vet&lt;/b&gt;&lt;/td&gt;&lt;td&gt;31.6.6637&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;F-Prot&lt;/b&gt;&lt;/td&gt;&lt;td&gt;4.4.4.56&lt;/td&gt;&lt;td&gt;2009.07.23&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;F-Secure&lt;/b&gt;&lt;/td&gt;&lt;td&gt;8.0.14470.0&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Fortinet&lt;/b&gt;&lt;/td&gt;&lt;td&gt;3.120.0.0&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;GData&lt;/b&gt;&lt;/td&gt;&lt;td&gt;19&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Ikarus&lt;/b&gt;&lt;/td&gt;&lt;td&gt;T3.1.1.64.0&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Jiangmin&lt;/b&gt;&lt;/td&gt;&lt;td&gt;11.0.800&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;K7AntiVirus&lt;/b&gt;&lt;/td&gt;&lt;td&gt;7.10.800&lt;/td&gt;&lt;td&gt;2009.07.23&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Kaspersky&lt;/b&gt;&lt;/td&gt;&lt;td&gt;7.0.0.125&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;McAfee&lt;/b&gt;&lt;/td&gt;&lt;td&gt;5686&lt;/td&gt;&lt;td&gt;2009.07.23&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;McAfee+Artemis&lt;/b&gt;&lt;/td&gt;&lt;td&gt;5686&lt;/td&gt;&lt;td&gt;2009.07.23&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;McAfee-GW-Edition&lt;/b&gt;&lt;/td&gt;&lt;td&gt;6.8.5&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;Heuristic.LooksLike.Worm.Palevo.B&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;Microsoft&lt;/b&gt;&lt;/td&gt;&lt;td&gt;1.4903&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;b&gt;NOD32&lt;/b&gt;&lt;/td&gt;&lt;td&gt;4273&lt;/td&gt;&lt;td&gt;2009.07.24&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Norman&lt;/b&gt;&lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 1px 2px; width: 83.2px; height: 16px;" valign="top"&gt; &lt;p   
style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.22&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;nProtect&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span 
style="font-size:130%;"&gt;2009.1.8.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Panda&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;10.0.0.14&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; 
font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;PCTools&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;4.4.2.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.23&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 
10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Prevx&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;3&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span 
style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Rising&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;21.39.42.00&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;Trojan.Win32.DangerGL.a&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; 
font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Sophos&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;4.44.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;Mal/EncPk-IY&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Sunbelt&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;3.2.1858.2&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.23&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Symantec&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier 
New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;1.4.4.12&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;TheHacker&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;6.3.4.3.373&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: 
normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;TrendMicro&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;8.950.0.1094&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td 
style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;PAK_Generic.001&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 26px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;VBA32&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 26px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;3.12.10.9&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 26px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 26px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier 
New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;suspected of Malware-Cryptor.Win32.General.3&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;ViRobot&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.7.24.1851&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 
4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;VirusBuster&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;4.6.5.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.07.23&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; 
line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;table style="background-color: rgb(255, 255, 255); border-collapse: collapse;" cellpadding="0" cellspacing="0"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="padding: 2.5px; width: 434px; height: 11px; background-color: rgb(255, 255, 255);" valign="top"&gt; &lt;p   style="margin: 0px; text-align: center; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;Additional information&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="padding: 2.5px; width: 434px; height: 11px; background-color: rgb(255, 255, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;File size: 123392 bytes&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="padding: 2.5px; width: 434px; height: 11px; background-color: rgb(255, 255, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;MD5   : 6939c088f59258da7410f66837c62192&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="padding: 2.5px; width: 434px; height: 11px; background-color: rgb(255, 255, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; 
font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;SHA1  : 500bb963602d45584303a4dc3f6fd6052a6752d8&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="padding: 2.5px; width: 434px; height: 11px; background-color: rgb(255, 255, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;SHA256: 996c2667b2bcf86c9c7c20d7c79a3024131c84e0d82d5338db99812830ad778a&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;As you can see, only 6 of the 41 antivirus groups was able to detect the malware. Once again, the naming is inconsistent. 
Given time, however, most antivirus companies are able to identify the same binary.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;table style="background-color: rgb(255, 255, 255); border-collapse: collapse;" cellpadding="0" cellspacing="0"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 5px; width: 89.9px; height: 11px; background-color: rgb(239, 239, 239);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Antivirus&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 5px; width: 77.2px; height: 11px; background-color: rgb(239, 239, 239);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span 
style="font-size:130%;"&gt;&lt;b&gt;Version&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 5px; width: 54.6px; height: 11px; background-color: rgb(239, 239, 239);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Last Update&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 5px; width: 204.9px; height: 11px; background-color: rgb(239, 239, 239);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Result&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;a-squared&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;4.5.0.24&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 
0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;P2P-Worm.Win32.Palevo!IK&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;AhnLab-V3&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;5.0.0.2&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span 
style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;AntiVir&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;7.9.1.27&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; 
font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Antiy-AVL&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2.0.3.7&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 
205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Authentium&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;5.1.2.4&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span 
style="font-size:130%;"&gt;&lt;b&gt;Avast&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;4.8.1351.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.28&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;Win32:MalOb-H&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;AVG&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   
style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;8.5.0.412&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;SHeur2.ASQE&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;BitDefender&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;7.2&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 
0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;Trojan.Generic.2263367&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;CAT-QuickHeal&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;10.00&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: 
normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;ClamAV&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;0.94.1&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" 
valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Comodo&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2469&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;Heur.Suspicious&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 
0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;DrWeb&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;5.0.0.12182&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;Trojan.Packed.541&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: 
normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;eSafe&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;7.0.17.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;Suspicious File&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;eTrust-Vet&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: 
rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;31.6.6768&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;F-Prot&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span 
style="font-size:130%;"&gt;4.5.1.85&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;F-Secure&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;8.0.14470.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; 
font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px; background-color: rgb(227, 241, 255);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;Packed.Win32.Krap.y&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Fortinet&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;3.120.0.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 
206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;GData&lt;/b&gt;&lt;/td&gt; &lt;td&gt;19&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Trojan.Generic.2263367&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Ikarus&lt;/b&gt;&lt;/td&gt; &lt;td&gt;T3.1.1.72.0&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;P2P-Worm.Win32.Palevo&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Jiangmin&lt;/b&gt;&lt;/td&gt; &lt;td&gt;11.0.800&lt;/td&gt; &lt;td&gt;2009.09.27&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;K7AntiVirus&lt;/b&gt;&lt;/td&gt; &lt;td&gt;7.10.856&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;P2P-Worm.Win32.Palevo.jaz&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Kaspersky&lt;/b&gt;&lt;/td&gt; &lt;td&gt;7.0.0.125&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Packed.Win32.Krap.y&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;McAfee&lt;/b&gt;&lt;/td&gt; &lt;td&gt;5755&lt;/td&gt; &lt;td&gt;2009.09.28&lt;/td&gt; &lt;td&gt;W32/Autorun.worm.zzq&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;McAfee+Artemis&lt;/b&gt;&lt;/td&gt; &lt;td&gt;5755&lt;/td&gt; &lt;td&gt;2009.09.28&lt;/td&gt; &lt;td&gt;W32/Autorun.worm.zzq&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;McAfee-GW-Edition&lt;/b&gt;&lt;/td&gt; &lt;td&gt;6.8.5&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Heuristic.LooksLike.Win32.NewMalware.B&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Microsoft&lt;/b&gt;&lt;/td&gt; &lt;td&gt;1.5005&lt;/td&gt; &lt;td&gt;2009.09.23&lt;/td&gt; &lt;td&gt;VirTool:Win32/Obfuscator.FL&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;NOD32&lt;/b&gt;&lt;/td&gt; &lt;td&gt;4467&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;a variant of Win32/Kryptik.LR&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Norman&lt;/b&gt;&lt;/td&gt; &lt;td&gt;6.01.09&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;nProtect&lt;/b&gt;&lt;/td&gt; &lt;td&gt;2009.1.8.0&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Trojan/W32.Agent.123392.EB&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Panda&lt;/b&gt;&lt;/td&gt; &lt;td&gt;10.0.2.2&lt;/td&gt; &lt;td&gt;2009.09.28&lt;/td&gt; &lt;td&gt;Trj/CI.A&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;PCTools&lt;/b&gt;&lt;/td&gt; &lt;td&gt;4.4.2.0&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Prevx&lt;/b&gt;&lt;/td&gt; &lt;td&gt;3.0&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Medium Risk Malware&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Rising&lt;/b&gt;&lt;/td&gt; &lt;td&gt;21.49.14.00&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Trojan.Win32.DangerGL.a&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Sophos&lt;/b&gt;&lt;/td&gt; &lt;td&gt;4.45.0&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Mal/EncPk-IY&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Sunbelt&lt;/b&gt;&lt;/td&gt; &lt;td&gt;3.2.1858.2&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Trojan.Win32.Generic!BT&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;Symantec&lt;/b&gt;&lt;/td&gt; &lt;td&gt;1.4.4.12&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Spyware.Screenspy&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;TheHacker&lt;/b&gt;&lt;/td&gt; &lt;td&gt;6.5.0.2.021&lt;/td&gt; &lt;td&gt;2009.09.28&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;TrendMicro&lt;/b&gt;&lt;/td&gt; &lt;td&gt;8.500.0.1002&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;WORM_AUTORUN.ZRO&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;VBA32&lt;/b&gt;&lt;/td&gt; &lt;td&gt;3.12.10.11&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;Malware-Cryptor.Win32.General.3&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;&lt;b&gt;ViRobot&lt;/b&gt;&lt;/td&gt; &lt;td&gt;2009.9.29.1963&lt;/td&gt; &lt;td&gt;2009.09.29&lt;/td&gt; &lt;td&gt;-&lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 91.9px; height: 10px; background-color: rgb(230, 230, 230);" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;VirusBuster&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 79.2px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;4.6.5.0&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 56.6px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;2009.09.29&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;td style="border: 0.2px solid rgb(205, 205, 205); padding: 4px; width: 206.9px; height: 10px;" valign="top"&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Courier 
New;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;-&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Courier New;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;File size: 123392 bytes&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;MD5   : 6939c088f59258da7410f66837c62192&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;SHA1  : 500bb963602d45584303a4dc3f6fd6052a6752d8&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;SHA256: 996c2667b2bcf86c9c7c20d7c79a3024131c84e0d82d5338db99812830ad778a&lt;/span&gt;&lt;/p&gt; 
&lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;So I just need to wait for an update to my AV then?&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;If malware remained static and unchanged, your antivirus of choice would eventually ship a signature to identify and remove it. By then, however, the malware has likely already accomplished its initial goals, and removing it does nothing to recover what was stolen in the meantime. Unfortunately, Mariposa does not use static malware. 
&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Malware authors routinely update their code to evade detection and to try different configurations, and each change produces a new malware variant. Mariposa has over 70 variants, which makes it a persistent and constantly moving botnet.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;One example is this update file, recently dropped onto a compromised system on instruction from the Mariposa botnet controller. 
VirusTotal shows that only two of the 41 AV engines currently detect it.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;File svc.exe received on 2009.09.29 15:27:36 (UTC)&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Current status: finished &lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Times;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Result: &lt;/span&gt;&lt;span style="font-size:130%;"&gt;2&lt;/span&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;/41 (4.88%)&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Times;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; 
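&lt;p style="margin: 0px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;The hunting approach recommended below (flag any host that keeps sending outbound UDP regardless of destination port), combined with the indicators published in the earlier post "Half of Fortune 100 Companies Compromised by New Information Stealing Trojan" (the butterfly.sinip.es domain, the "butterfly" and "bf" keywords and the six listed IPs), as an added Python example. This is not Defence Intelligence's code: the flow and DNS records, the 10.0.0.0/8 internal range, the 10.0.0.53 resolver and the thresholds are constructed assumptions, and the pipe-separated record format stands in for whatever your sensor exports.&lt;/span&gt;&lt;/p&gt;

```python
"""Mariposa host hunting (added example; not Defence Intelligence's code).

Check 1: per-host outbound UDP frequency, regardless of destination port,
         after excluding UDP a normal host is expected to send (DNS to the
         local resolvers, NTP).
Check 2: the published indicators: DNS queries for butterfly.sinip.es or
         names with "butterfly"/"bf" labels, and UDP flows to the listed IPs.
The flow and DNS records are constructed for this example in a simple
pipe-separated format; adapt the two parsers to your own sensor's export.
"""
from collections import Counter, defaultdict
import ipaddress

# Indicators from the "Half of Fortune 100 Companies..." post.
C2_DOMAIN = "butterfly.sinip.es"
C2_IPS = {"96.9.170.133", "62.128.52.191", "87.106.179.75",
          "82.165.205.104", "212.48.121.23", "66.96.201.74"}

# Site-specific assumptions (hypothetical values chosen for this example).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")
LOCAL_RESOLVERS = {"10.0.0.53"}
UDP_FLOW_THRESHOLD = 10    # unexpected outbound UDP flows per host per window
UDP_PORT_THRESHOLD = 5     # distinct destination ports among those flows
DNS_VOLUME_THRESHOLD = 5   # repeated keyword queries before a host is flagged


def parse_flows(text):
    """Parse 'src|dst|proto|dport' lines into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split("|")
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def parse_dns(text):
    """Parse 'client|qname' lines into (client, qname) tuples."""
    return [tuple(line.split("|")) for line in text.strip().splitlines()]


def expected_udp(dst, dport):
    """UDP a normal host is allowed to send without raising suspicion."""
    if dport == 53 and dst in LOCAL_RESOLVERS:
        return True
    return dport == 123       # NTP; tighten this to your own NTP servers


def keyword_hit(qname):
    """Names worth counting: the C2 domain, anything containing 'butterfly',
    or a label starting with 'bf'.  A bare 'bf' substring match is far too
    noisy (many legitimate names contain it), so it is limited to label starts."""
    name = qname.lower().rstrip(".")
    if name == C2_DOMAIN or "butterfly" in name:
        return True
    return any(label.startswith("bf") for label in name.split("."))


def suspicious_hosts(flows, dns_records):
    """Return {internal host: [reasons]} for hosts matching either check."""
    udp_count = Counter()
    udp_ports = defaultdict(set)
    c2_hits = defaultdict(set)
    for src, dst, proto, dport in flows:
        if ipaddress.ip_address(src) not in LOCAL_NET:
            continue                      # outbound traffic from our hosts only
        if dst in C2_IPS:
            c2_hits[src].add(dst)         # any contact with a listed IP counts
        if proto == "udp" and not expected_udp(dst, dport):
            udp_count[src] += 1
            udp_ports[src].add(dport)

    dns_count = Counter()
    for client, qname in dns_records:
        if keyword_hit(qname):
            dns_count[(client, qname.lower().rstrip("."))] += 1

    reasons = defaultdict(list)
    for host, n in udp_count.items():
        ports = len(udp_ports[host])
        if n >= UDP_FLOW_THRESHOLD and ports >= UDP_PORT_THRESHOLD:
            reasons[host].append("udp-frequency:%d flows/%d ports" % (n, ports))
    for host, ips in c2_hits.items():
        for ip in sorted(ips):
            reasons[host].append("c2-ip:" + ip)
    for (client, name), n in dns_count.items():
        # one query for the exact C2 name is enough; keyword matches need volume
        if name == C2_DOMAIN or n >= DNS_VOLUME_THRESHOLD:
            reasons[client].append("dns:%s x%d" % (name, n))
    return dict(reasons)


# Constructed sample telemetry: 10.0.1.7 behaves like a Mariposa host,
# 10.0.1.8 is an ordinary workstation, 10.0.1.9 only resolves the C2 domain.
SAMPLE_FLOWS = "\n".join(
    ["10.0.1.7|198.51.100.%d|udp|%d" % (i, 40000 + i) for i in range(1, 13)]
    + ["10.0.1.7|96.9.170.133|udp|41000",
       "10.0.1.8|10.0.0.53|udp|53", "10.0.1.8|10.0.0.53|udp|53",
       "10.0.1.8|203.0.113.10|udp|123", "10.0.1.8|203.0.113.20|tcp|443",
       "10.0.1.9|10.0.0.53|udp|53"])
SAMPLE_DNS = "\n".join(["10.0.1.8|www.example.com", "10.0.1.8|ntp.example.net",
                        "10.0.1.9|butterfly.sinip.es"])

if __name__ == "__main__":
    for host, why in sorted(suspicious_hosts(parse_flows(SAMPLE_FLOWS),
                                             parse_dns(SAMPLE_DNS)).items()):
        print(host, "->", "; ".join(why))
```

&lt;p style="margin: 0px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;The "bf" keyword is matched only at the start of a DNS label because a two-letter substring matches far too many legitimate names; even then, keyword hits are leads that need a volume threshold, whereas a single query for butterfly.sinip.es or a single flow to a listed IP is enough to flag a host. Review the UDP exclusions before deploying this: DNS to the corporate resolvers and NTP are excluded here, and VoIP, streaming or gaming hosts will need their own baseline before the frequency check is useful.&lt;/span&gt;&lt;/p&gt;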
&lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;http://www.virustotal.com/analisis/7987d324cedbfeb9df94f7cbaf0ed2091431d6443c5b5fbff6ad7a7c380bf8d3-1254238056&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;A signature may soon come out for this code from your AV vendor, but by that time, a new piece of code may be written and downloaded that bypasses AV yet again.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;Well, how do I stop this thing?&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br 
/&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;Because the IPs, ports, and domains in Mariposa's command structure keep changing, it is difficult for security administrators to contain this botnet with blocking rules alone. At this time we suggest tracking down the compromised systems rather than relying on rules that block communication to the botnet controller. Mariposa still uses UDP for its command-and-control traffic, so your own network telemetry is the best place to start: once expected UDP services such as DNS to your resolvers and NTP are excluded, a system that is frequently sending outbound UDP traffic, regardless of destination port, should be marked as suspicious and considered for removal from the network. Your remediation technique is up to you, but reimaging, though time consuming, is the only confident way to clean a compromised machine.&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 11px;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt; &lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;&lt;b&gt;So what is Defence Intelligence doing about 
this?&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal; min-height: 14px;font-family:Helvetica;font-size:12px;"&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt; &lt;p   style="margin: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; font-size-adjust: none; font-stretch: normal;font-family:Helvetica;font-size:9px;"&gt;&lt;span style="letter-spacing: 0px;font-size:130%;" &gt;As before, we are contacting companies that have been affected by Mariposa. Other researchers and companies have also offered to help with this mitigation effort, and a small working group is being formed with them. Updates on this and other Mariposa details will follow.&lt;/span&gt;&lt;/p&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-3389773380246893315?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://defintel.com/mariposa.shtml' title='Mariposa Defined'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/3389773380246893315/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=3389773380246893315' title='15 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3389773380246893315'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3389773380246893315'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/10/mariposa-defined_01.html' title='Mariposa Defined'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>15</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-6091611403563388355</id><published>2009-09-28T11:42:00.002-04:00</published><updated>2009-09-28T11:43:05.223-04:00</updated><title type='text'>Mariposa FAQ</title><content type='html'>&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;&lt;span style="color: rgb(0, 
0, 0);"&gt;In response to a number of questions, we have prepared a short Q&amp;amp;A.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);"&gt;Q. How big is the botnet?&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. We estimate there to be between 150 to 200k compromised systems across 40,000 unique networks.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. What does it do?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. It is designed for information theft, stealing passwords and personal credentials, but malware like this can be configured to do anything the attacker wants.&lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. Who created it?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. That is still being investigated and we will work with law enforcement on the details.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. What banks/companies are involved? Who have you talked with?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. We can't release any specific names. We have contacted or attempted to contact all critical groups affected.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. When did you find it?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. We have been tracking it since May of this year.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. What does Defence Intelligence do?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. We specialize in compromise detection and prevention. 
&lt;a href="http://www.defintel.com"&gt;www.defintel.com&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. How does it spread?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. By default, the malware is designed to spread across instant messenger programs, USB keys, and P2P networks.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. What is Mariposa's growth rate?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. It's current growth rate is 7,000 new compromised systems each day.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. Does AV detect it?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. With 70 variants, some of them will be detected and some won't.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;Q. How to detect and fix it?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;" &gt;A. 
Until AV catches up, removal techniques will have to be determined by the individual.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-6091611403563388355?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/6091611403563388355/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=6091611403563388355' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6091611403563388355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6091611403563388355'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/09/mariposa-faq.html' title='Mariposa FAQ'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-4750633376422076986</id><published>2009-09-23T18:00:00.003-04:00</published><updated>2009-09-23T18:09:34.542-04:00</updated><title type='text'>Half of Fortune 100 Companies Compromised by New Information Stealing Trojan</title><content type='html'>&lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;The Butterfly Effect: Say Hello to Mariposa&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Defence Intelligence has been tracking the growth of a new information stealing botnet we’ve named Mariposa. 
Systems inside 50 of the world’s Fortune 100 companies are actively participating in this botnet, as are hundreds of government agencies, financial institutions, universities and corporate networks worldwide.&lt;br /&gt;&lt;br /&gt;Since its discovery in May of 2009 we’ve identified Mariposa activity in tens of thousands of unique corporate networks. Over 70 variants have been identified, differing in capability and purpose, including code injection into known processes, email address harvesting, and additional malware downloads. So many variants may reflect nothing more than functional differences or efforts to avoid AV detection; the count itself does not reveal how many controllers there are or the exact motivation behind the overall threat.&lt;br /&gt;&lt;br /&gt;Believed to stem from the butterfly bot kit, formerly sold at bfsecurity.net, this botnet is spreading across thousands of corporate networks, just as it was designed to do. According to the bfsecurity.net site, butterflybot is a&lt;br /&gt;&lt;br /&gt;“Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]”&lt;br /&gt;&lt;br /&gt;Other propagation methods and capabilities may since have been added to the bf bot kit, but the original add-on features included Firefox and IE password harvesting, and TCP/UDP flooding. NetBIOS worm propagation and email address harvesting also appear to have become common additions.&lt;br /&gt;&lt;br /&gt;Detection&lt;br /&gt;&lt;br /&gt;Analysis of this botnet has revealed only one commonly identifiable piece of information.  
Companies wishing to determine if they have been compromised can watch for DNS queries to the domain:&lt;br /&gt;&lt;br /&gt;butterfly.sinip.es&lt;br /&gt;&lt;br /&gt;Additionally, monitor for high DNS query volume to domains containing the keywords of “butterfly” or “bf” and/or mass UDP connection attempts to any of the following IPs:&lt;br /&gt;&lt;br /&gt;96.9.170.133&lt;br /&gt;62.128.52.191&lt;br /&gt;87.106.179.75&lt;br /&gt;82.165.205.104&lt;br /&gt;212.48.121.23&lt;br /&gt;66.96.201.74&lt;br /&gt;&lt;br /&gt;For further information regarding this botnet, please contact info@defintel.com.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-4750633376422076986?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/4750633376422076986/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=4750633376422076986' title='43 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4750633376422076986'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4750633376422076986'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html' title='Half of Fortune 100 Companies&lt;br&gt; Compromised by New Information &lt;br&gt;Stealing Trojan'/><author><name>Davis</name><uri>http://www.blogger.com/profile/13713470016162233081</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>43</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-4686032710573988998</id><published>2009-09-11T14:30:00.014-04:00</published><updated>2009-09-11T14:47:34.012-04:00</updated><title type='text'>Riding the Green Wave.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_nMx-DUJRrDc/SqqaqvdjViI/AAAAAAAAACE/0eaH_JG1EmE/s1600-h/Picture+3.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 62px;" src="http://2.bp.blogspot.com/_nMx-DUJRrDc/SqqaqvdjViI/AAAAAAAAACE/0eaH_JG1EmE/s320/Picture+3.png" alt="" id="BLOGGER_PHOTO_ID_5380282763933079074" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;Considering how many people are talking about what is and is not good for the health of this planet and that everyone should be doing their part to help the environment, you shouldn't be surprised to hear that even cyber crime is going green.&lt;/span&gt;  &lt;p  style="margin-bottom: 0cm;font-family:arial;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_nMx-DUJRrDc/SqqaG2lpDDI/AAAAAAAAAB0/XmoyQ48W4xE/s1600-h/Picture+2.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px; height: 150px;" src="http://1.bp.blogspot.com/_nMx-DUJRrDc/SqqaG2lpDDI/AAAAAAAAAB0/XmoyQ48W4xE/s200/Picture+2.png" alt="" id="BLOGGER_PHOTO_ID_5380282147370765362" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;Staying relevant and socially aware are key in effective malware propagation, so criminals are adding `green` gimmickry to their rogue AV sales pitch. The cyber criminals have marketing departments too. 
Cyber criminals have re-branded their fake antivirus software so that it appeals to environmentalists by advertising an "Environment care program. $2 from every sale we make will be sent on saving green forests in Amazonia." It seems they need to work on their English translations.&lt;/span&gt;&lt;/p&gt;  &lt;p  style="margin-bottom: 0cm;font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;They also claim that when your computer has malware on it, your machine slows down, which means it takes you longer to do things and uses more power. Using Green AV, they say, will clean and speed up your computer so that you don't need to go out and buy a new one! Wow, that is really nice of them, and for only $99USD!!! What a deal! I am saving the environment one piece of malware at a time.&lt;/span&gt;&lt;/p&gt; &lt;p  style="margin-bottom: 0cm;font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;For those who do download the software, it runs an unrequested fake scan, shows bogus results claiming the machine is infected with a plethora of trojans, and then does the opposite of what it promises: it opens a backdoor that gives the criminals complete control of your machine.&lt;/span&gt;&lt;/p&gt;   &lt;p  style="margin-bottom: 0cm;font-family:arial;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_nMx-DUJRrDc/SqqaSV0k-jI/AAAAAAAAAB8/2ZD35sj1jE4/s1600-h/Picture+5.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 256px; height: 187px;" 
src="http://2.bp.blogspot.com/_nMx-DUJRrDc/SqqaSV0k-jI/AAAAAAAAAB8/2ZD35sj1jE4/s320/Picture+5.png" alt="" id="BLOGGER_PHOTO_ID_5380282344733473330" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;It's humorous that they have a picture of a secure lock at the top of the page that says "Secure SLL Connection 100% Privacy Guarantee." I am unsure what an SLL connection is but I believe they mean SSL (Secure Socket Layer). A 100% privacy guarantee when you are handing your information to criminals is also false security. I guess this is so &lt;i&gt;other&lt;/i&gt; criminals can't get your information... real secure.&lt;/span&gt;&lt;/p&gt;  &lt;p  style="margin-bottom: 0cm;font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;The criminal underworld has evolved over the years, offering product improvements like bug testing, constant updates to avoid detection, and even Windows-like "send error report" pop-ups that send crash information back to the malware creator so they can fix their own bugs. I hate to give credit to the enemy, but they seem to be doing a better job than most of the good guys that are trying to stop them.&lt;/span&gt;&lt;/p&gt;  &lt;p  style="margin-bottom: 0cm;font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;That being said, you should be scared, or if you are too proud to be scared, you should at least be concerned. With detection rates as low as they are, the AV companies are being overwhelmed by over thirty thousand new pieces of malware a day.&lt;/span&gt;&lt;/p&gt;  &lt;p  style="margin-bottom: 0cm;font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;A Finjan report from March estimated that fake antivirus distributors can make more than $10,000 a day. 
PandaLabs estimates there could be as many as 35 million computers infected per month with rogue antivirus programs.&lt;/span&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0cm; font-family: arial;"&gt;&lt;span style="font-size:100%;"&gt;Fake antivirus software is everywhere, and this environmentally focused approach will likely be 'recycled' by other criminals spreading it. Remember though: just because it says it's 'green' doesn't mean it's good for you.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-bottom: 0cm; font-family: arial;"&gt;B.Kilrea&lt;br /&gt;Threat Analyst&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-4686032710573988998?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.defenceintelligence.ca' title='Riding the Green Wave.'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/4686032710573988998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=4686032710573988998' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4686032710573988998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4686032710573988998'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/09/riding-green-wave.html' title='Riding the Green Wave.'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/_nMx-DUJRrDc/SqqaqvdjViI/AAAAAAAAACE/0eaH_JG1EmE/s72-c/Picture+3.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-105944000999532055</id><published>2009-09-04T14:45:00.009-04:00</published><updated>2009-09-22T10:06:30.887-04:00</updated><title type='text'>The Future is Friendly</title><content type='html'>&lt;div  style="text-align: justify; color: rgb(0, 0, 0);font-family:arial;"&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;Just as so-called 'early adopters' and techno-geeks are always on the lookout for the latest and greatest in flashy technology, sophisticated botnet administration suites are the current must-have for cybercriminals. As bot malware becomes increasingly easy to propagate, and compromising large numbers of networked machines becomes routine, the problem is no longer how to create a botnet but how to control it. These administration suites provide better handling, control, and more efficient management than their predecessors, giving their users a leg up on the competition.&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;The Fragus Exploit Kit is a newcomer to the market. Building on the trend started by the authors of suites such as the Liberty Exploit System and the Exp Eleonore Pack, Fragus is a grab bag of exploits for vulnerabilities in multiple software components. Similarities abound among these suites, from which vulnerabilities they exploit, to the layout and handling of the control panel, to the domains and IPs from which they can be downloaded. Liberty and Eleonore are both slightly older exploit kits whose latest versions have been updated to include much of the same functionality and ease of use as Fragus. 
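Three of the exploits in the kit's list further down live in the JavaScript API of Adobe Reader: util.printf, Collab.getIcon and Collab.collectEmailInfo. A first triage step for a PDF pulled off a landing page is simply to look for those names, which means inflating the FlateDecode streams the script is normally hidden in. The Python below is an added example written for this edit; it is not code from the original post and has nothing to do with the kit itself. The sample PDFs it scans are constructed inline, and the script they carry only names the vulnerable functions with harmless arguments; it is not an exploit. The token list is the editor's choice, not a signature from any product.

```python
import re
import zlib

# PDF dictionaries are delimited by a doubled angle bracket on each side; the
# delimiters are spelled as hex escapes so this example stays free of
# markup-significant characters.
DICT_OPEN = b"\x3c\x3c"
DICT_CLOSE = b"\x3e\x3e"

# Generic markers of embedded script plus the three Reader JavaScript API
# calls that the kit's PDF exploits are built on.
SUSPICIOUS_TOKENS = [
    b"/JavaScript",
    b"/JS",
    b"util.printf",
    b"Collab.getIcon",
    b"Collab.collectEmailInfo",
]

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf):
    """Return the raw file bytes followed by the inflated body of every stream.

    Exploit PDFs keep the script inside a FlateDecode stream, so a plain
    string search on the file never sees 'util.printf'; inflating first is
    what makes the token search meaningful. Streams that are not zlib data
    are searched as they are.
    """
    bodies = []
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        try:
            # decompressobj tolerates a truncated trailer, zlib.decompress does not
            bodies.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            bodies.append(body)
    return b"\n".join([pdf] + bodies)


def find_tokens(pdf):
    """Return the sorted, decoded list of suspicious tokens present in the PDF."""
    haystack = inflate_streams(pdf)
    return sorted(t.decode() for t in SUSPICIOUS_TOKENS if t in haystack)


def build_sample(script):
    """Construct a minimal PDF that runs `script` on open via /OpenAction.

    The script lives in a Flate-compressed stream, as in real exploit PDFs.
    This is constructed test data for the example, not a captured sample.
    """
    compressed = zlib.compress(script)
    objs = [
        b"1 0 obj " + DICT_OPEN + b" /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R " + DICT_CLOSE + b" endobj",
        b"2 0 obj " + DICT_OPEN + b" /Type /Pages /Kids [] /Count 0 " + DICT_CLOSE + b" endobj",
        b"3 0 obj " + DICT_OPEN + b" /S /JavaScript /JS 4 0 R " + DICT_CLOSE + b" endobj",
        b"4 0 obj " + DICT_OPEN + b" /Length " + str(len(compressed)).encode()
        + b" /Filter /FlateDecode " + DICT_CLOSE + b"\nstream\n" + compressed + b"\nendstream endobj",
    ]
    trailer = b"trailer " + DICT_OPEN + b" /Root 1 0 R " + DICT_CLOSE
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n" + trailer + b"\n%%EOF\n"


# Constructed inputs: the first merely names the vulnerable API calls (no
# exploit arguments), the second is a harmless script, the third has no script.
CALLS_SAMPLE = build_sample(b"var s = util.printf('%s', 'x'); Collab.getIcon(s);")
BENIGN_SAMPLE = build_sample(b"app.alert('hello');")
NO_SCRIPT_SAMPLE = b"%PDF-1.4\n1 0 obj " + DICT_OPEN + b" /Type /Catalog " + DICT_CLOSE + b" endobj\n%%EOF\n"


if __name__ == "__main__":
    for name, sample in [("calls", CALLS_SAMPLE), ("benign", BENIGN_SAMPLE), ("no-script", NO_SCRIPT_SAMPLE)]:
        print(name, find_tokens(sample))
```

On a real file, read it in binary mode and pass the bytes to find_tokens. The search is a triage heuristic only: PDF name escaping (a hex-escaped letter inside /JavaScript), scripts split across strings and rebuilt with eval, and streams using other filters (ASCIIHexDecode, LZWDecode) all slip past it. Treat a hit as a reason to open the file in a proper PDF parser and a miss as no evidence of anything.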
&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;For the low price of 800 USD, Fragus is designed to simplify the administration of your bot network. It boasts support for English and Russian, statistical breakdowns of your botnet by browser, operating system (including version), by country, and by what's euphemistically referred to as your "clients".&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_nMx-DUJRrDc/SqFg8_0AaPI/AAAAAAAAAAc/nLX89b7L5pE/s1600-h/Blog_Fragus.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 310px; height: 320px;" src="http://3.bp.blogspot.com/_nMx-DUJRrDc/SqFg8_0AaPI/AAAAAAAAAAc/nLX89b7L5pE/s320/Blog_Fragus.png" alt="" id="BLOGGER_PHOTO_ID_5377686031095064818" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;"&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Fragus comes pre-installed and ready to exploit:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;MDAC&lt;/span&gt; - &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS07-009.mspx"&gt;MS07-009&lt;/a&gt;, a vulnerability in MS Data Access Components which can allow remote code execution.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: 
bold;"&gt;PDF&lt;/span&gt; - Targets 3 vulnerabilities in Acrobat Reader, util.printf, Collab.getIcon, and Collab.collectEmailInfo (&lt;a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992"&gt;CVE-2008-2992&lt;/a&gt;, &lt;a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927"&gt;CVE-2009-0927&lt;/a&gt;, and &lt;a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659"&gt;CVE-2007-5659&lt;/a&gt;, respectively)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DirectShow&lt;/span&gt; - &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx"&gt;MS09-032&lt;/a&gt;, exploits the MS Video (DirectShow) ActiveX Control vulnerability.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Internet Explorer&lt;/span&gt; - &lt;a href="http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx"&gt;MS09-002&lt;/a&gt;, a critical vulnerability in IE7 that allows for memory corruption and remote code execution.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Spreadsheet&lt;/span&gt; - &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx"&gt;MS09-043&lt;/a&gt;, an ActiveX Control vulnerability is MS Office Web Components.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;AOL WinAmp&lt;/span&gt; - another system vulnerable to an ActiveX Control exploit, (&lt;a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6250"&gt;CVE-2007-6250&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Snapshot&lt;/span&gt; - &lt;a href="http://www.microsoft.com/technet/security/bulletin/MS08-041.mspx"&gt;MS08-041&lt;/a&gt;, an exploit targeted at MS Access Snapshot Viewer's ActiveX Control vulnerability.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Flash&lt;/span&gt; - targets an integer flow vulnerability in Adobe Flash Player (&lt;a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0071"&gt;CVE-2007-0071&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;div  style="text-align: justify;font-family:arial;"&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;Some of these vulnerabilities have been patched for months or even years, but their inclusion here indicates a high probability that numerous systems remain unpatched. Of greater interest is MS09-043 which, as of Fragus' release, was only one month old. Increasingly, criminals are making use of recently released exploits. Obviously this tactic greatly increases their chances of success, as many (if not most) people fall behind in their updates and will likely still be vulnerable to such a recent exploit. &lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;For those worried about spending $800 on an exploit pack only to have its payload identified by antivirus programs, an extra $150 buys a proprietary encryption tool (a crypter) specifically designed to evade detection.&lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;Unsurprisingly, many of the domains and IPs at which Fragus is available have at one time or another hosted other sorts of malware, including the Liberty Exploit System, the Zeus trojan, and various other PDF and Flash exploits.&lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(0, 0, 0);font-size:100%;"&gt; The future of botnet administration is here now... 
and it sure is easy to use.&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;"&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Meaghan Molloy&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Threat Analyst&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;For a far more eloquent presentation of the facts, check out &lt;a href="http://blog.purewire.com/bid/19509/The-Fragus-Exploit-Kit"&gt;Paul Royal's&lt;/a&gt; work at Purewire.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-105944000999532055?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/105944000999532055/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=105944000999532055' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/105944000999532055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/105944000999532055'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/09/fragus-exploit-kit.html' title='The Future is Friendly'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_nMx-DUJRrDc/SqFg8_0AaPI/AAAAAAAAAAc/nLX89b7L5pE/s72-c/Blog_Fragus.png' height='72' 
width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-343520253975200420</id><published>2009-04-03T10:55:00.005-04:00</published><updated>2009-04-03T11:08:33.517-04:00</updated><title type='text'>ConfickerC Update</title><content type='html'>&lt;div&gt;OK, just a quick update regarding ConfickerC numbers. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I have seen published numbers that are all over the place *cough IBM/ISS cough*. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Over the last 30 hours or so we recorded 9,795,101 raw (not unique IP) HTTP connections to the sinkhole.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As unique IPs go, we recorded a total of 1,071,132 unique IPs from within those 9+ million connections. Keep in mind that DHCP churn and NAT (firewalls, gateways, proxies, etc.) distort the count: churn makes one infected host show up as several IPs, while NAT hides many hosts behind one. So the number is obviously not a 100% true representation.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Here is what the PER HOUR numbers look like from the sinkhole:&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_WzLs8uAsBGo/SdYj0waZDoI/AAAAAAAAAAM/5Rl9201IZGI/s1600-h/ConfickerC.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 245px;" src="http://1.bp.blogspot.com/_WzLs8uAsBGo/SdYj0waZDoI/AAAAAAAAAAM/5Rl9201IZGI/s400/ConfickerC.jpg" alt="" id="BLOGGER_PHOTO_ID_5320479399040585346" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-343520253975200420?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://defintel.blogspot.com/feeds/343520253975200420/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=343520253975200420' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/343520253975200420'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/343520253975200420'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/04/confickerc-update.html' title='ConfickerC Update'/><author><name>Davis</name><uri>http://www.blogger.com/profile/13713470016162233081</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_WzLs8uAsBGo/SdYj0waZDoI/AAAAAAAAAAM/5Rl9201IZGI/s72-c/ConfickerC.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-7134138707443663254</id><published>2009-03-10T12:55:00.007-04:00</published><updated>2009-03-11T10:46:49.165-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='symantec'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='anti virus'/><category scheme='http://www.blogger.com/atom/ns#' term='pifts'/><title type='text'>PIFTS</title><content type='html'>&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;&lt;br /&gt;Something is rotten in the state of security.&lt;br /&gt;&lt;br /&gt;Users of Symantec's Norton AV have been reporting instances of a file named PIFTS.exe trying to connect out to Norton's servers.&lt;br /&gt;&lt;br /&gt;This wouldn't be news in and of itself, but it 
seems that Symantec doesn't want to discuss the issue. All questions regarding PIFTS are removed from the message board within minutes of being posted. Some users have been banned after attempting to repost.&lt;br /&gt;&lt;br /&gt;Since they can't turn to Symantec for answers, many users have turned to the communal knowledge of the web. Unfortunately, the bad guys have also noticed the influx of searches for PIFTS.exe, and some of the top results in Google are actually malicious, attempting to infect visitors with rogue anti-virus malware. DO NOT DOWNLOAD ANYTHING from those sites.&lt;br /&gt;&lt;br /&gt;ThreatExpert has a breakdown of PIFTS and its attempt to phone home &lt;a href="http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;VirusTotal shows no &lt;a href="http://www.virustotal.com/analisis/734465e30a6ee6d6c493471d77940f4c"&gt;hits&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Brian Krebs @ The Washington Post is trying to get some &lt;a href="http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html#comments"&gt;answers&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;SANS Internet Storm Center &lt;a href="http://isc.sans.org/diary.html?storyid=5992"&gt;writes&lt;/a&gt; that they've been contacted by a Symantec employee who claimed ownership of the file and tried to make clear that it isn't intended to do any harm.&lt;br /&gt;&lt;br /&gt;Nice of them to respond...&lt;br /&gt;&lt;br /&gt;But why won't they let people talk about it on the message boards?&lt;br /&gt;&lt;br /&gt;Why the secrecy, Symantec?&lt;br /&gt;&lt;br /&gt;**Update** (courtesy of &lt;a href="http://blog.washingtonpost.com/securityfix/"&gt;Brian Krebs&lt;/a&gt; @ The Washington Post)&lt;br /&gt;&lt;br /&gt;"David Cole, senior director of product management at Symantec, said the PIFTS file was part of a 'diagnostics patch' shipped to Norton customers on Monday evening. 
The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7."&lt;br /&gt;&lt;br /&gt;As to why Symantec was deleting forum posts and banning users for mentioning PIFTS, Cole says, "hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments."&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:Times New Roman,times,serif;font-size:100%;"  &gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;This is a lame excuse. Though the forums do seem to have been hit by the 4chan crowd, the first people to ask questions were very polite and straightforward. They asked simple questions, like 'hey, how come part of your software wants to access the Internet?'&lt;br /&gt;&lt;br /&gt;Not exactly ban-worthy behaviour.&lt;br /&gt;&lt;br /&gt;A forum moderator could have simply (easily!) answered the question and closed the thread. Wouldn't that have saved everyone a lot of trouble?&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-7134138707443663254?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/7134138707443663254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=7134138707443663254' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/7134138707443663254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/7134138707443663254'/><link rel='alternate' 
type='text/html' href='http://defintel.blogspot.com/2009/03/pifts.html' title='PIFTS'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-3820513826894629802</id><published>2009-03-03T10:47:00.004-05:00</published><updated>2009-03-03T11:13:05.695-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='anti virus'/><title type='text'>Coin Toss</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;a style="font-family: trebuchet ms;" href="http://tinyurl.com/akvagb" rel="nofollow" target="_blank"&gt;http://tinyurl.com/akvagb&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Go. Read the article.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Anti-virus software vendors like to proclaim that their products achieve success rates in the 90%+ range. This is false and misleading. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;It is inconceivable that end users (and many corporate entities) still believe that AV software is the catch-all for security.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;A 50% success rate is unacceptable. It is a coin toss, a 50/50 chance, that your network is secure. 
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;"&lt;/span&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;The average delay in detection and remediation was 54 days."&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;54 days?! Two months?!&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;The bottom line here is that Malware created for non-commercial purposes simply does not exist anymore. It hasn't in over two years. &lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;Modern Malware is specifically designed to operate quietly and unobtrusively for as long as possible. The bad guys are after our social insurance numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our emails, online payment accounts, access to our social network of friends, ANYTHING they can get their hands on.&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;Think about it: the average delay in detection is 54 days. For almost two months the bad guys have access to your system. &lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;This isn't like having your house robbed. 
&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;It's like having your house broken into and the robbers moving in and hiding in your closet for two months. &lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;From home users to large corporate networks, we must - MUST - move beyond our tired notions of network security. The bad guys are always evolving, adapting their Malware to evade detection and improve levels of compromise. Why haven't the good guys evolved?&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;The numbers speak for themselves:&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;"About 3 to 5 percent of all systems in an enterprise are infected with bot-related malware -- even within organizations running up-to-date antimalware tools."&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;"Antivirus software immediately discovered only 53 percent of malware samples."&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;"Another 32 percent were found later on, and 15 percent were not detected at all."&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;Now you may be 
thinking that 15% doesn't sound like a lot, that maybe that's an acceptable level of risk. Consider this:&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;Security researchers around the world analyze anywhere from 20,000 to 30,000 pieces of malware every day. Every day!&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;The Shadowserver Foundation has analyzed over 19 million malware samples in the past 12 months alone. &lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;15% of 19 million is a big number: roughly 2.85 million samples that would never be detected. &lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"  style="font-family:trebuchet ms;"&gt;You really want to take that chance?&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="smalltext"&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="smalltext"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-3820513826894629802?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/3820513826894629802/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=3820513826894629802' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3820513826894629802'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/9202429674312578040/posts/default/3820513826894629802'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/03/coin-toss.html' title='Coin Toss'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-2056667683427461081</id><published>2009-02-20T16:30:00.003-05:00</published><updated>2009-02-20T19:01:44.148-05:00</updated><title type='text'>Building a Botnet</title><content type='html'>&lt;object width="320" height="266" class="BLOG_video_class" id="BLOG_video-7c5d1a61bfaacf45" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"&gt;&lt;param name="movie" value="http://www.youtube.com/get_player"&gt;&lt;param name="bgcolor" value="#FFFFFF"&gt;&lt;param name="allowfullscreen" value="true"&gt;&lt;param name="flashvars" value="flvurl=http://v14.nonxt6.googlevideo.com/videoplayback?id%3D7c5d1a61bfaacf45%26itag%3D5%26app%3Dblogger%26ip%3D0.0.0.0%26ipbits%3D0%26expire%3D1329868997%26sparams%3Did,itag,ip,ipbits,expire%26signature%3D56D1C2A59ABC31F7C1D0D0378B42192FFAD8080B.4F4396A2A51E08FAF1AF828E935E017E7D317F8C%26key%3Dck1&amp;amp;iurl=http://video.google.com/ThumbnailServer2?app%3Dblogger%26contentid%3D7c5d1a61bfaacf45%26offsetms%3D5000%26itag%3Dw160%26sigh%3D3ZgJyOpqL-G2jz6CDnxFr_hOEVM&amp;amp;autoplay=0&amp;amp;ps=blogger"&gt;&lt;embed src="http://www.youtube.com/get_player" type="application/x-shockwave-flash"width="320" height="266" 
bgcolor="#FFFFFF"flashvars="flvurl=http://v14.nonxt6.googlevideo.com/videoplayback?id%3D7c5d1a61bfaacf45%26itag%3D5%26app%3Dblogger%26ip%3D0.0.0.0%26ipbits%3D0%26expire%3D1329868997%26sparams%3Did,itag,ip,ipbits,expire%26signature%3D56D1C2A59ABC31F7C1D0D0378B42192FFAD8080B.4F4396A2A51E08FAF1AF828E935E017E7D317F8C%26key%3Dck1&amp;iurl=http://video.google.com/ThumbnailServer2?app%3Dblogger%26contentid%3D7c5d1a61bfaacf45%26offsetms%3D5000%26itag%3Dw160%26sigh%3D3ZgJyOpqL-G2jz6CDnxFr_hOEVM&amp;autoplay=0&amp;ps=blogger"allowFullScreen="true" /&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-2056667683427461081?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='enclosure' type='video/mp4' href='http://www.blogger.com/video-play.mp4?contentId=7c5d1a61bfaacf45&amp;type=video%2Fmp4' length='0'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/2056667683427461081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=2056667683427461081' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2056667683427461081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2056667683427461081'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/02/building-botnet.html' title='Building a Botnet'/><author><name>Julie</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-4381973278584186746</id><published>2009-01-30T12:12:00.003-05:00</published><updated>2009-01-30T12:18:34.163-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='botnets'/><category scheme='http://www.blogger.com/atom/ns#' term='trojans'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Is your computer watching you?</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;a href="http://www.secureworks.com/research/blog/index.php/2009/01/20/ozdok-watching-the-watchers/"&gt;SecureWorks&lt;/a&gt; has a posting up discussing the Ozdok/Mega-D trojan and its ability to capture screenshots on the systems it's infected. We've been talking about this for months! Ozdok is certainly not the only trojan with this ability, and the researchers are specifically talking about screenshots, but what about systems with webcams?&lt;br /&gt;&lt;br /&gt;Think the bad guys know how to turn those on?&lt;br /&gt;&lt;br /&gt;Check out the video posted in our &lt;a href="http://www.facebook.com/"&gt;Facebook &lt;/a&gt;group and find out!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-4381973278584186746?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/4381973278584186746/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=4381973278584186746' title='3 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4381973278584186746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4381973278584186746'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/01/is-your-computer-watching-you.html' title='Is your computer watching you?'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-6013144250259421409</id><published>2009-01-28T20:36:00.005-05:00</published><updated>2009-01-28T21:17:52.387-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='the team'/><category scheme='http://www.blogger.com/atom/ns#' term='defintel'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><title type='text'>24/7</title><content type='html'>&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;&lt;br /&gt;&lt;br /&gt;We're opening the office doors:&lt;br /&gt;&lt;br /&gt;Defintel's on &lt;a href="http://twitter.com/defintel"&gt;Twitter&lt;/a&gt;. Check it out, drop us a line.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://facebook.com/"&gt;Facebook &lt;/a&gt;too. 
Join the Defintel group for botnet building videos, photos, and a chance to ask us questions about computers, security, video games, comics, and just about anything else.&lt;br /&gt;&lt;br /&gt;From the whole Defintel team:&lt;br /&gt;&lt;br /&gt;Welcome!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-6013144250259421409?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/6013144250259421409/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=6013144250259421409' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6013144250259421409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/6013144250259421409'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2009/01/247.html' title='24/7'/><author><name>Defence Intelligence</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-8361494055408225461</id><published>2008-12-17T07:36:00.006-05:00</published><updated>2009-01-22T15:25:27.689-05:00</updated><title type='text'>Explorer Exiled</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;A 0-day exploit for a critical flaw in Microsoft's Internet Explorer is currently being used in the wild.&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span 
style=";font-family:trebuchet ms;font-size:100%;"  &gt;If this is the first you're hearing of this flaw, check out the link below to hear Defintel's CEO, Chris Davis explain the situation:&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;a href="http://watch.ctv.ca/news/library/#clip122262"&gt;CTV News - Exploiting Explorer&lt;span style="text-decoration: underline;"&gt;&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;p&gt;Researchers estimate that more than 10,000 sites are compromised. While in-the-wild exploits are currently targeting IE 7 on Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista (including SP1) and Windows Server 2008, it's important to remember that all versions of Internet Explorer, from IE5 all the way to IE8 Beta 2, are affected.&lt;/p&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;If a user visits a compromised site, malicious JavaScript code is injected into the browser, and Malware is downloaded onto the user's computer. The Malware that gets installed on the user's computer will likely remain nearly invisible to the average user. The goal of the attacker is not to disrupt a user's online experience, but rather to remain inconspicuous for as long as possible. The Malware allows the attacker complete access to user's computer and  allows him to track everything you type into your keyboard. &lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Visit your legitimate online banking site and enter your user information? Now he's got it. 
&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Visit your favourite social networking site and chat with some friends? Now he's got that too.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Microsoft intends to release a critical patch today, the second patch coming on Exploit Wednesday instead of Patch Tuesday in as many months. Back in October, Microsoft was forced to release an out-of-band patch to mitigate the extremely critical flaw in several Windows OS'.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;In the meantime, users should use other browsers - FireFox, Chrome, Safari - whatever you like! Just not IE. &lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The general public is completely ill-equipped to deal with security events. Who knows how long it will be before the AV companies have signatures developed for this new exploit.  And Microsoft surely isn't losing any market share over yet another security debacle.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Why do we still treat online security as though the Internet only encompasses six guys at Berkeley? Everyone is online, from 5 year old girls to 95 year old men - they can't all be expected to keep up to date with these vulnerabilities and exploits. 
&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;So, how do we help them?&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-8361494055408225461?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://watch.ctv.ca/news/top-picks/exploiting-explorer/' title='Explorer Exiled'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/8361494055408225461/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=8361494055408225461' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/8361494055408225461'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/8361494055408225461'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2008/12/explorer-exiled.html' title='Explorer Exiled'/><author><name>defintel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-2153694152194629816</id><published>2008-11-30T20:48:00.003-05:00</published><updated>2008-11-30T21:46:57.876-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='anti virus'/><category scheme='http://www.blogger.com/atom/ns#' term='kaspersky'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><title 
type='text'>The Enemy Within</title><content type='html'>&lt;div style="text-align: justify; font-family: trebuchet ms;"&gt;Two weeks ago, users of AVG's virus scanner awoke to a nasty surprise: their supposed security software had been updated to identify the file named user32.dll as malicious. Those people most keen to protect their computer systems followed the instructions as directed and deleted the file - only to find that they were now stuck in an endless cycle of reboots.&lt;br /&gt;&lt;br /&gt;User32.dll is a core Windows file, not, as AVG identified it, a Trojan horse named PSW.Banker4.APSA or Generic9TBN. This is not the first time AVG has struggled with misidentifying malware, nor is it the first time an anti-virus company has recommended that users remove core Windows files.&lt;br /&gt;&lt;br /&gt;In December of last year, anti-virus company Kaspersky Labs decided that a virus existed within Windows Explorer, the graphical user interface for Windows itself. Thankfully, Kaspersky managed to catch the error before the damage was too widespread; though, I imagine the employees at the UK enterprise that was affected would tell a different story.&lt;br /&gt;&lt;br /&gt;Even Microsoft is guilty of such casual coding. In 2007, Microsoft's OneCare, an anti-virus product, when used with Internet Explorer 7, was flagging Google's Gmail as a virus. Even Microsoft's own products weren't safe, with OneCare regularly quarantining or deleting all of the email in a user's inbox.&lt;br /&gt;&lt;br /&gt;AV companies tout their wares as the silver bullet for personal protection. You know this isn't true. I know this isn't true. So, why doesn't everybody else?&lt;br /&gt;&lt;br /&gt;It was bad enough that the generic, non-technical computer user didn't know that his anti-virus software only protects him from a small percentage of modern threats. 
Now we also have to let them in on the secret that their "protection" might sometimes do more harm than good.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-2153694152194629816?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://securityandthe.net/2008/11/10/avg-virus-scanner-removes-critical-windows-file/' title='The Enemy Within'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/2153694152194629816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=2153694152194629816' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2153694152194629816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/2153694152194629816'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2008/11/enemy-within.html' title='The Enemy Within'/><author><name>defintel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-4632509646692587114</id><published>2008-10-27T12:45:00.005-04:00</published><updated>2008-10-27T13:18:27.388-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><title type='text'>Fun with Dick and Jane</title><content type='html'>&lt;div style="text-align: justify;"&gt;Fail too fast in bed?&lt;br /&gt;&lt;br /&gt;Looking to revive your sleep desires?&lt;br /&gt;&lt;br /&gt;What is money in comparison to your potency?&lt;br /&gt;&lt;br /&gt;To anyone with an 
email address those phrases might seem awfully familiar. I'm talking about spam: the scourge of system administrators, the friendly pharmacy to the misinformed. It arrives unrequested, unavoidable, unimaginably hilarious. Now, you too can get in on the game, spamming friends, family, and foes alike thanks to the user-friendly Set-X Mail Service, courtesy of the Set-X Corporation.&lt;br /&gt;&lt;br /&gt;Straight from the press release announcing the service:&lt;br /&gt;&lt;br /&gt;“- Flexible and convenient Web based interface, detailed statistics while sending, changing any settings (mail databases, texts, macros)&lt;br /&gt;&lt;br /&gt;- User-friendly web based interface - start spamming from day one&lt;br /&gt;&lt;br /&gt;- Automatic “spamming capabilities” assessments of the bot allowing you to think about your business and not about the technical details behind it&lt;br /&gt;&lt;br /&gt;- Daily malware updates, four programmers allocated for every server, sending automatic ICQ notifications whenever the malware gets updated&lt;br /&gt;&lt;br /&gt;- Automatic optimization of the spam campaign by first allocating the bots with clean IP reputation&lt;br /&gt;&lt;br /&gt;- Optional is the option to choose whether or not a dedicated “spamming engineer” should be allocated to your server&lt;br /&gt;&lt;br /&gt;- His responsibilities include introducing a higher number of bots if requested, ensuring that dead bots get disconnected from your server, and providing personal advice on optimizing your campaigns and bypassing anti-spam filtering through the built-in multi RBL checking feature&lt;br /&gt;&lt;br /&gt;A brief description of the system:&lt;br /&gt;&lt;br /&gt;1. 
The system is automatically harvesting the outgoing and incoming email addresses on the infected hosts and the associated accounting data, supporting the following clients:&lt;br /&gt;  - Mozilla Thunderbird&lt;br /&gt;  - Outlook Express&lt;br /&gt;  - MS Outlook&lt;br /&gt;  - The Bat&lt;br /&gt;  - Opera&lt;br /&gt;&lt;br /&gt;2. The bot automatically defines its MX and PTR records; if they are present, it switches to Direct SMTP mailing, which means that it can send the spam directly to the recipients using the MX and PTR DNS records of the bot. Enforcing direct sending even without MX and PTR records is also possible&lt;br /&gt;&lt;br /&gt;3. The central control server automatically assigns different regional servers to the bots, and rotates them periodically for security purposes&lt;br /&gt;&lt;br /&gt;4. All the information about the spam campaigns and the bots can be exported and syndicated with another regional server as requested, with the regional server dynamically establishing links with other regional servers so that it never really knows the address of the central command server&lt;br /&gt;&lt;br /&gt;5. There are several different ways of sending spam using this service:&lt;br /&gt;&lt;br /&gt;1) Direct spamming from the legitimate email accounts of the infected computers, with the system automatically syndicating all the available legitimate emails whose accounting data, naturally stolen due to the malware infection, is again automatically integrated in a “unique legitimate senders” database. 
Full support for web based email accounts in the form of domain:username:password&lt;br /&gt;&lt;br /&gt;2) Sending via Direct SMTP: send messages directly using the MX and PTR records of the infected host’s gateway&lt;br /&gt;&lt;br /&gt;3) Sending to direct recipient&lt;br /&gt;&lt;br /&gt;4) Sending through open relays and socks servers, both of which can be provided at an additional cost&lt;br /&gt;&lt;br /&gt;6. SET-X Mail System is highly modular, with unique features easily coded and implemented as requested by the customer&lt;br /&gt;&lt;br /&gt;The average speed from one server is 5000/7000 emails per minute, over 1 million emails per day, and if requested you can purchase as many servers as you would like. The price of rent per month is $2000 with an additional $1000 for each additional server if the servers are ordered at the same time.”&lt;br /&gt;&lt;br /&gt;Capable of creating clever tag lines? Got a couple of thousand bucks lying around? Sign up now and you too can irritate millions of strangers every day.&lt;br /&gt;&lt;br /&gt;Thanks to &lt;a href="http://blogs.zdnet.com/security/?p=1899"&gt;Dancho Danchev&lt;/a&gt; for translating the material from Russian.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-4632509646692587114?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/4632509646692587114/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=4632509646692587114' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4632509646692587114'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4632509646692587114'/><link 
rel='alternate' type='text/html' href='http://defintel.blogspot.com/2008/10/fun-with-dick-and-jane.html' title='Fun with Dick and Jane'/><author><name>defintel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-4995175547971547253</id><published>2008-09-08T11:31:00.006-04:00</published><updated>2008-11-30T11:08:34.477-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dns'/><category scheme='http://www.blogger.com/atom/ns#' term='cira'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='cygnos'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Cyber Security Event for the Government of Canada and IT Industry</title><content type='html'>&lt;div style="text-align: justify;"&gt;Dear Friends and Colleagues:&lt;br /&gt;&lt;br /&gt;On behalf of the Canadian Internet Registration Authority (CIRA), I am pleased to invite you to attend a special Cyber Security meeting to be held at the Crown Plaza Ottawa, September 23, 2008.&lt;br /&gt;&lt;br /&gt;Cyber Security is critical to ensuring the integrity of the network infrastructure of the federal government. This Cyber Security meeting offers an opportunity to discuss, share and learn what we can do and what we should do to respond to modern Cyber Security threats. It will be comprised of four sessions ranging from cyber-attacks, evolution of the modern malware, latest updates on the Kaminsky DNS Vulnerability and Electronic Espionage. 
Is the Government of Canada well safeguarded against these threats?&lt;br /&gt;&lt;br /&gt;Topics include:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update on the Kaminsky DNS Vulnerability&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Christopher Davis, CEO Defence Intelligence&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Evolution of the Threat: From Fun to Profit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Christopher Davis, CEO Defence Intelligence&lt;br /&gt;&lt;br /&gt;Meaghan Molloy, Threat Analyst Defence Intelligence&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Information Protection Capability Gap&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Aron Feuer/Wayne Boone, Cygnos IT Security&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Cyber-Attacks: Experiences From the Trenches&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Bill Woodcock, Packet Clearing House&lt;br /&gt;&lt;br /&gt;We are delighted to welcome Mr. Bill Woodcock to this meeting. Bill Woodcock is research director of Packet Clearing House, a non-profit research institute dedicated to understanding and supporting Internet traffic exchange technology, policy, and economics. Bill has operated national and international Internet service provision and content delivery networks since 1989, and currently spends most of his time building Internet exchanges in developing countries.&lt;br /&gt;&lt;br /&gt;This is a meeting not to be missed!&lt;br /&gt;&lt;br /&gt;This CIRA Cyber Security event is limited to 60 participants. 
We urge you to register!&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;br /&gt;Norm Ritchie&lt;br /&gt;&lt;br /&gt;Chief Information Officer&lt;br /&gt;Canadian Internet Registration Authority (CIRA)&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-4995175547971547253?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='https://www.dns-oarc.net/oarc/workshop-2008' title='Cyber Security Event for the Government of Canada and IT Industry'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/4995175547971547253/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=4995175547971547253' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4995175547971547253'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/4995175547971547253'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2008/09/cyber-security-event-for-government-of.html' title='Cyber Security Event for the Government of Canada and IT Industry'/><author><name>defintel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-5493089720505149855</id><published>2008-08-20T12:27:00.001-04:00</published><updated>2008-10-27T13:17:55.222-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dns'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' 
term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Kaminsky'/><title type='text'>Web experts scrambling to patch security flaw</title><content type='html'>&lt;div style="text-align: justify;" class="storysubhead"&gt;Code published that could allow hackers to direct surfers to fake websites&lt;/div&gt;&lt;table style="text-align: left; margin-left: 0px; margin-right: 0px;" border="0" width="100%"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;span class="storybyline"&gt;Jessey Bird&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;span class="storypub"&gt;The Ottawa Citizen&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div style="text-align: justify;" class="storydate"&gt;&lt;br /&gt;Thursday, July 24, 2008&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;" class="storytext"&gt;&lt;p&gt;Security experts are urging Internet server administrators to act quickly to head off what they are calling the "single largest threat to Internet security."&lt;/p&gt;&lt;p&gt;They say a critical flaw in the system used to route Internet traffic could let hackers redirect users to dangerous websites, and then steal their personal information.&lt;/p&gt;&lt;p&gt;While the flaw was discovered six months ago, and a fix released two weeks ago, the exact nature of the problem was kept secret.&lt;/p&gt;&lt;p&gt;That was until yesterday, when a program to exploit the flaw was posted on the Internet, allowing anyone around the world to simply download it and run it.&lt;/p&gt;&lt;p&gt;According to Christopher Davis, chief executive of Ottawa-based Defence Intelligence, the "exploit" allows hackers to replace search engines, social-networking sites and even banking websites with their own "malicious" content.&lt;/p&gt;&lt;p&gt;So far, government and Internet service provider officials say they are taking the threat to their domain-name 
servers seriously, but do not have any actual examples of the attack, which is called "DNS cache poisoning," to report.&lt;/p&gt;&lt;p&gt;The attack is aimed at how Internet addresses function, particularly the domain-name servers (DNS) that route Internet traffic.&lt;/p&gt;&lt;p&gt;While websites are all identified by addresses using words that are easy for people to remember -- like google.ca or facebook.com -- they are also identified by addresses of just numbers. Domain-name servers serve as the translator in between -- connecting a user that types in a web address to the correct computer.&lt;/p&gt;&lt;p&gt;"DNS is kind of the 411 for the Internet," said IOActive security researcher Dan Kaminsky, who discovered the flaw six months ago.&lt;/p&gt;&lt;p&gt;What he realized was that in just seconds, a malicious hacker could poison a domain-name server and reroute users to different websites from the ones they are seeking. Hackers could also route people to copycat websites that would enable them to steal people's personal information.&lt;/p&gt;&lt;p&gt;"This attack works very, very well," he said. "Any website that you trust is not necessarily the website that you are looking for. Every e-mail you send is not necessarily going where you think." Even people who take precautions could be fooled.&lt;/p&gt;&lt;p&gt;At the time of the discovery, Mr. Kaminsky and industry giants such as Microsoft and Cisco acted quickly to create a patch for the flaw, while keeping the exact nature of the problem secret. They released their fix two weeks ago.&lt;/p&gt;&lt;p&gt;Mr. Kaminsky promised to discuss the problem at a technical conference in August, so other security experts could learn from his work; that would give Internet providers about a month to install the fix. But after another expert's public speculation on the details of the DNS flaw hit too close to home on Monday and the details of the flaw were leaked, Mr. Kaminsky and Mr. 
Davis say they are worried hackers might know enough to cause problems -- and service providers haven't had enough time to install the patch.&lt;/p&gt;&lt;p&gt;"The majority of DNS servers have not yet been patched," said Mr. Kaminsky.&lt;/p&gt;&lt;p&gt;"It is a serious vulnerability," said Bruce Schneier, chief security technology officer for British Telecom. "It is one that can be used by criminals to steal identity."&lt;/p&gt;&lt;p&gt;Mr. Schneier also stressed that there is no need for the public to panic.&lt;/p&gt;&lt;p&gt;"Kaminsky was hoping there would be a full month for people to patch their system," said Mr. Schneier, adding that the leak has made Internet users "more vulnerable."&lt;/p&gt;&lt;p&gt;"But let's face it -- you're not going to die," he said. "Money is stolen out of banks every day. This is another way to do that.&lt;/p&gt;&lt;p&gt;"Is it a worse way than all the other ways? Probably not," he continued. "Is it a serious way? Yes. Have there been other serious ways? Yes. Are we still here? Yes."&lt;/p&gt;&lt;p&gt;"It is not armageddon," he said. "We are not going to die."&lt;/p&gt;&lt;p&gt;Officials from Rogers Cable Inc., one of Ontario's major Internet providers, said they haven't detected any problems with their system.&lt;/p&gt;&lt;p&gt;"Built into our network today are intrusion detection and prevention systems," said Nancy Cottenden, director of communications for Rogers Cable, adding that Rogers monitors vulnerabilities on a "regular basis."&lt;/p&gt;&lt;p&gt;Ms. Cottenden also said Rogers is in the midst of installing Mr. Kaminsky's patch.&lt;/p&gt;&lt;p&gt;"It takes some time," said Ms. Cottenden. "Any vendor will tell you it takes some time. 
The good news is, it is being loaded."&lt;/p&gt;&lt;p&gt;Bernard Beckhoff, spokesman for Public Safety Canada, said there have been "no confirmed incidences of the threat being applied in Canada or elsewhere."&lt;/p&gt;&lt;p&gt;The Canadian Cyber Incident Response Centre will continue to monitor the threat, said Mr. Beckhoff.&lt;/p&gt;&lt;p&gt;Mr. Davis said that while the Canadian government has been quick to respond, many are still downplaying the issue.&lt;/p&gt;&lt;p&gt;He urged Internet users to contact their service providers to find out whether they've patched their systems.&lt;/p&gt;&lt;p&gt;"It scares the hell out of us," said Mr. Davis. "And we know what we're doing."&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9202429674312578040-5493089720505149855?l=defintel.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.canada.com/ottawacitizen/news/story.html?id=7731a0eb-eaf5-46d7-987f-3b13ad7be2ac' title='Web experts scrambling to patch security flaw'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/5493089720505149855/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=5493089720505149855' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5493089720505149855'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/5493089720505149855'/><link rel='alternate' type='text/html' href='http://defintel.blogspot.com/2008/08/web-experts-scrambling-to-patch.html' title='Web experts scrambling to patch security flaw'/><author><name>defintel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9202429674312578040.post-259928747057293442</id><published>2008-08-20T12:25:00.001-04:00</published><updated>2008-10-27T13:18:08.147-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dns'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Kaminsky'/><title type='text'>Major Security Flaw Discovered: Internet Privacy Compromised at All Levels</title><content type='html'>&lt;div style="text-align: justify;"&gt;OTTAWA, ONTARIO--(Marketwire - July 22, 2008) - Yesterday, details were leaked of possibly the single largest threat to Internet security. Earlier this year, Dan Kaminsky, director of penetration testing for IOactive, discovered a major flaw in how Internet addresses function. The issue is in the design of the Domain Name System (DNS) and is not limited to any single product. An attacker could easily take over portions of the Internet and redirect users to arbitrary and malicious locations to engage in identity theft. For example, an attacker could target an Internet Service Provider (ISP) replacing search engines, social networks, banks, and other sites with their own malicious content. Against corporate or government environments, an attacker could disrupt or monitor operations by rerouting network traffic, capturing emails and other sensitive data.&lt;br /&gt;&lt;br /&gt;Kaminsky immediately reported the issue to major authorities, including the United States Computer Emergency Response Team (part of the Department of Homeland Security), and began working on a coordinated fix; a patch was released July 8th, 2008. Chris Davis, CEO of Ottawa-based Defence Intelligence, has been working in coordination with Kaminsky to brief key agencies in the Canadian government. 
Details of the vulnerability were to remain a closely held secret until Kaminsky's public presentation on August 6th, 2008 in order to provide organizations with enough time to protect themselves. However, this window was drastically reduced due to the accidental posting of the details by an uninvolved party.&lt;br /&gt;&lt;br /&gt;Defence Intelligence is determined to make Canadian companies fully aware of the flaw and the steps they can take to protect themselves. The general public should be particularly vigilant while conducting business online. Kaminsky is urging people to act quickly, "Patch. Today. Now. Yes, stay late."&lt;br /&gt;&lt;br /&gt;"This may be the worst information security vulnerability ever, and I'm very impressed at the speed and agility with which the Canadian government is responding," said Davis. The common goal of all involved parties is the implementation of the patch and monitoring of networks to ensure security.&lt;/div&gt;</content><link rel='related' href='http://www.marketwire.com/press-release/Defence-Intelligence-Inc-881685.html' title='Major Security Flaw Discovered: Internet Privacy Compromised at All Levels'/><link rel='replies' type='application/atom+xml' href='http://defintel.blogspot.com/feeds/259928747057293442/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=9202429674312578040&amp;postID=259928747057293442' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/259928747057293442'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9202429674312578040/posts/default/259928747057293442'/><link rel='alternate' type='text/html' 
href='http://defintel.blogspot.com/2008/08/major-security-flaw-discovered-internet.html' title='Major Security Flaw Discovered: Internet Privacy Compromised at All Levels'/><author><name>defintel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry></feed>
