NEWS ...Continued from front page

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
Web: www.networksecuritynewsletter.com
Publisher: Laurence Zipson
Editor: Steve Mansfield-Devine
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas

Subscription Information
An annual subscription to Network Security includes 12 printed issues and online access for up to 5 users. Prices: 1059 for all European countries & Iran; US$1185 for all countries except Europe and Japan; ¥140 500 for Japan (prices valid until 31 December 2010). To subscribe send payment to the address above. Tel: +44 (0)1865 843687 / Fax: +44 (0)1865 834971, or via www.networksecuritynewsletter.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Network Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.
Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

02158 Pre-press/Printed by Mayfield Press (Oxford) Limited
2
Network Security
At first, it was thought that it exploited a single zero-day vulnerability in Windows, spreading via USB flash drives. Microsoft issued an emergency patch to block that route. However, researchers now know that it uses a sophisticated multi-vector approach, exploiting at least four zero-day vulnerabilities, two of them Escalation of Privileges (EoP) bugs and one a print spooler flaw. Microsoft has since patched the latter. The worm also attempts to use a vulnerability patched in 2008 (with the MS08-067 update) that was also exploited by Conficker. However, SCADA systems often have poor security, no logging and long patch cycles, making it possible that some may still not have applied MS08-067. The worm attempts that particular exploit only when it recognises a SCADA environment.

The worm has only primitive command and control capabilities but does give outside attackers access to the SCADA and PLC systems. Whether this access could be used to control the systems, or simply monitor them, is unclear. Stuxnet seeks out Simatic WinCC and PCS 7 SCADA systems, attempting to hijack them using default passwords programmed into them by vendor Siemens. The attacks are made more effective by the use of two stolen digital certificates assigned to Realtek and JMicron. Siemens has issued warnings to all customers of its SCADA products.

According to Symantec, as of July nearly two-thirds of infected machines were in Iran. Other systems have been compromised in the US, South Korea and the UK. Later, it was found that systems in Germany had been compromised, accounting for a third of all 15 infections discovered to date.

The worm’s code was developed using multiple programming languages and is nearly half a megabyte, very large by malware standards. Researchers have also speculated that its development would have required access to SCADA hardware for testing.
Wins and losses in the botnet war
Security researchers have had some limited successes in taking down botnets. However, new ones are emerging and business, it seems, is booming.

The combined efforts of several security researchers succeeded in partially taking down the Pushdo botnet, which was being used to spread spam using the Cutwail spamming module. The effort was led by Thorsten Holz, senior threat analyst at LastLine and an assistant professor of computer science at Ruhr-University Bochum, Germany. He and a number of colleagues are undertaking a research project that matches infected IP addresses with botnets such as Pushdo, MegaD, Lethic and Rustock. The decision to take down Pushdo’s Command and Control (C&C) servers was part of this research. Of the 30 C&C servers that had been identified as belonging to the botnet, 20 were taken offline when their ISPs were notified of the activity. Half of the servers were hosted by one ISP.

Spamming activity from the botnet initially dropped to zero, said TrendLabs, which previously published an analysis of Pushdo/Cutwail in 2009. Later reports suggest that it continues to send spam, but at a greatly reduced level. M86 Security Labs estimated that Pushdo was responsible for about 10% of global spam before the takedown, so overall levels have not been significantly affected. The Malware Research blog reported that it had seen the appearance of several new Cutwail C&C servers and TrendLabs spotted new Facebook spam being distributed through the botnet, with 5,000 messages being sent in 30 minutes.

Microsoft has achieved further successes in its novel approach to taking down botnets. A US federal judge agreed to transfer ownership to Microsoft of 276 domain names used by the Waledac botnet – unless the botnet owners come forward to claim them. By the time of publication, the domains should be Microsoft’s by default. Earlier, in Continued on page 19...
September 2010
FEATURE

...creates a memory-isolated instance of Firefox and, when the browser is closed, all traces of it are erased from the computer’s memory. With technologies like this, passwords are likely to have a finite life. Eventually it will be possible to authenticate yourself to a device, locally or remotely, on a one-time TAN basis, using the highest possible levels of encryption.
About the author

Steve Gold has been a business journalist and technology writer for 26 years. A qualified accountant and former auditor, he has specialised in IT security, business matters, the Internet and communications for most of that time. He is technical editor of Infosecurity and lectures regularly on criminal psychology and cybercrime.
...Continued from page 2

February 2010, Microsoft had obtained a court order allowing VeriSign, as the registry for the domains, to deactivate 277 domains (one was subsequently claimed by a legitimate owner whose site had been compromised). This effectively shut down the botnet, which has since failed to reappear. This means Microsoft’s legal approach has proved to be one of the most successful takedowns to date and may be a model for future action.

In spite of these setbacks, the malware and botnet industries seem to be doing good business. EMC’s RSA security division has issued its latest fraud report – ‘Prices of Goods and Services offered in the Cybercriminal Underground’ – which puts price tags on various elements of this underground activity. Bulletproof hosting, it says, can be had for $87-179 a month. The SpyEye trojan kit will cost you $1,000 and the Zeus trojan kit three times that. The report is here (PDF):

There are new botnets on the scene, too. Security specialist Damballa recently unearthed the IMDDOS botnet, based in China, which is offering Distributed Denial of Service (DDoS) attacks as a pay-for-delivery service available to anyone. It has become one of the world’s largest botnets – within four months of initial testing Damballa saw a peak of 25,000 machines attempting to resolve the IP address of the botnet’s C&C servers. The majority of the infected machines that comprise the botnet are in China, but it also includes machines around the world, including a number of major corporate networks. “The commercial nature of this botnet and the rapid growth and ultimate size are what make this discovery interesting,” said Gunter Ollmann, vice president of research for Damballa. “The public website hosting the DDoS service offering, with various ‘plans’ and attack options, speaks to the ease with which anyone can leverage criminal infrastructure. The malware used is simplistic, yet it was successful in spreading rapidly. And while it appears to be primarily a DDoS delivery platform, the size of the botnet reached impressive proportions, certainly large enough to wreak major havoc on any victim organisation should it be pointed in the right direction.” Damballa has published an analysis here: .

Meanwhile, the Mexico-based Mehika botnet is the latest to use Twitter as its C&C channel, a technique first detected in summer 2009 but still pretty rare. Using this method means that the botnet operators don’t need to establish a dedicated C&C server that could be taken down or require the use of sophisticated protection techniques. The control messages themselves are difficult to spot in the high volumes of traffic on Twitter. Mehika went silent the same day it was spotted. It is one of four botnets analysed in a new report by Trend Micro – ‘Discerning Relationships: The Mexican Botnet Connection’ (PDF):
Corporate attacks focus on web
More than 80% of attacks against corporate networks target web systems, claims a new report by HP TippingPoint’s Digital Vaccine Labs (DVLabs). And the number of attacks is rising rapidly.
The ‘Cyber Security Risks Report’ covers the first half of 2010 and, says DVLabs, is based on real security event data. Attacks on web servers, using SQL injection, PHP File Include or other techniques, have doubled in the past six months, says the report. Those using browser-based flaws, such as QuickTime and Flash vulnerabilities, have tripled and now constitute the main entry point for hackers into corporate networks. Continued on page 20...