June 2006 ISSN 1353-4858
Featured this month

Trojans – cyber-blackmailers draw on that Greek legacy

The ancient Greeks have a lot to answer for. Three thousand years after the wooden horse idea entered their heads (and Troy), three quarters of malware threats today are trojan programs based on the same idea. Cyber-blackmail is now one of the key criminal motives. The first three months of 2006 saw a significant increase in the incidence of cyber-blackmail, whereby virus writers use malicious programs such as trojans to penetrate victims' machines and encrypt their data. The victim is then informed that the data will only be decrypted once payment has been received – usually between $50 and $2,500. The most striking examples of this type of cyber-blackmail, carried out in the second half of 2005, are the trojans GpCode and Krotten. The latest variant of GpCode, which appeared in January 2006, differed radically from its predecessors in that it used one of the best known and most secure public-key encryption algorithms, RSA. It has raised the game, as we hear from a malware tracking specialist. Turn to page 4...
The elusive mobile security policy – time to nail it down

New research by the Economist Intelligence Unit, carried out for Symantec, highlights serious weaknesses in firms' current security arrangements for mobile devices worldwide.

Use of mobile devices in companies is rocketing, but most organizations do not have a coherent security policy for mobile data, as the research amongst 248 executives shows. Many companies were shown to have already suffered financial damage as a result of security breaches involving mobile devices, but only a minority have actually investigated security risks relating to PDAs, smart phones and other mobile devices. Most executives see security as the biggest obstacle to mobilising workers – ranking it far higher than other barriers, such as cost and the complexity of implementing mobile data solutions. Yet virus writers are starting to turn their attention more towards mobile devices, with an example being Cabir, which spread via Bluetooth on phones. What can be done? Turn to page 8...
Five years for Californian botmaster

A 21 year-old California man is the first botmaster to go down for nearly five years for controlling 400,000 bots to send spam, conduct DDOS attacks and install adware for profit. Jeanson James Ancheta, whom authorities describe as a "well known member of the botmaster underground", was sentenced to 57 months in prison in a Los Angeles court. Ancheta's sentence is the longest yet for the spreading of computer viruses, according to a Department of Justice statement. He directed compromised computers to an Internet Relay Chat channel, where they received commands to scan for other vulnerable computers. Turn to page 2...

Contents

NEWS
Five years for Californian botmaster  1
Real world security model for infosec?  2
Trojan uses pornography trap to steal bank details  2

FEATURES
Focus on trojans – holding data to ransom  4
David Emm, from Kaspersky Labs, argues that trojans are more dangerous than viruses or worms, even though they cannot replicate themselves

Endpoint and perimeter security: a new symbiosis  7
Maximum integration and flexibility are now in demand by customers looking at their security architecture, believes Dario Forte

Pinning down a security policy for mobile data  8
The Economist Intelligence Unit's new research finds weaknesses in mobile data security policy. Terry Ernest-Jones looks into the issues

Trusted Computing – closing that lingering doubt  13
Mark Crosbie from Hewlett-Packard tries to ease the IT security manager's worried mind when it comes to network behaviour

Maintaining state in Web applications  16
Securing these sites can be tricky – David Morgan looks at how dealing with session IDs can help

Botnets – zombies get smarter  18
Andy McKewan traces the impact and character of a botnet behind a DDoS attack

REGULARS
News in brief  3
Events  20
ISSN 1353-4858/06 © 2006 Elsevier Ltd. All rights reserved.
NEWS ...continued from page 1

Editorial office: Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford OX5 1AS, United Kingdom. Tel: +31 20 485 2145. Fax: +44 (0)1865 853971. E-mail: [email protected]. Website: www.compseconline.com

Editor: Terry Ernest-Jones
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production/Design Controller: Colin Williams
Network Security
Five years for Californian botmaster
By Sarah Hilley

Judge Klausner said to Ancheta at the end of the sentencing: "Your worst enemy is your own intellectual arrogance that somehow the world cannot touch you on this." He said that Ancheta's crimes are "extensive, serious and sophisticated." In January he pleaded guilty to conspiring to violate the Computer Fraud and Abuse Act and the CAN-SPAM Act.

Ancheta made more than $107,000 for himself and an unindicted co-conspirator by downloading adware to the zombies he controlled. Advertising companies paid him for every download. He managed to trick the advertisers into thinking the downloads were legitimate by varying download times and rates of adware installations. He also redirected the bots back and forth between servers set up to install different types of tampered adware.

He also earned $3000 for renting out his zombies. Others used the botnet to send spam and launch distributed denial of service (DDOS) attacks. Ancheta discussed the attacks and spamming services that the bots were needed for. He advised the clients on how many bots were necessary and how to get the best results.

Ancheta also damaged computers at the Weapons Division of the United States Naval Air Warfare Center in China Lake and the Defense Information Systems Agency. He has to pay the agencies $15,000. Ancheta's BMW automobile, computers and $60,000 in cash have been seized by the Government. After release from prison Ancheta will serve three years on supervised release. He will only be allowed very limited surfing on the Internet when that time comes.
Real world security model for infosec, says Microsoft security guru
Brian McKenna

"Security is not about locking things up", Microsoft security guru Butler Lampson told the SEC 2006 conference in Karlstad, Sweden. "The fundamental reason people don't break into most of our houses is that the risk of punishment is too great".

Lampson was speaking on receipt of the 2006 Kristian Beckman Award, given each year by IFIP Technical Committee 11, a UN information security body. "We need security on the internet to be the same as it is in the real world, where detection and punishment work well enough. But it is not like that today. There isn't the same accountability. We can't identify the bad guys, so we can't deter them".

Lampson postulated an end to spam in the form of a required link in non-white-list email that would, if clicked on, generate a dollar for charity. In order to balance freedom and accountability on the internet he also proposed a partitioning of the world of computing into red and green. 'Red' computing environments would store less valuable assets, while 'green' environments would contain the more valuable. In the green zone users would only talk to "good guys"; in the red zone they'd take the risk of talking to anyone. "Be ready to just blow away broken systems", he said. "And don't tickle the bugs in the green zone". As for enterprise networks, he said, the internal should be treated as green and the external red.

Lampson is the fourth American recipient of the Beckman Award, of which there have been eleven since 1993.
Trojan uses pornography trap to steal bank details

A trojan called Briz.F has appeared, designed to steal data related to online banking services by tempting users to pornographic web pages. The virus then installs itself on users' PCs. The web pages hosting Briz.F are designed to automatically download the malware onto the computers of users visiting these pages by exploiting several software vulnerabilities, says Spain's PandaLabs. (It is also possible to encounter this trojan through other means, such as e-mail messages.) ...continued on back page