Shunning and Stunning Malicious Networks

August 10, 2010

McAfee just published the sixth edition of its Security Journal, which includes a lengthy piece I wrote about the pros and cons of taking down Internet service providers and botnets that facilitate cyber criminal activity. The analysis focuses on several historical examples of what I call “shuns” and “stuns,” or taking out rogue networks either by ostracizing them, or by kneecapping their infrastructure in a coordinated surprise attack, respectively.

The theme of this edition of the journal is finding ways to take security on the offense, and it includes articles from noted security researchers Joe Stewart and Felix “FX” Lindner.

Here’s the lead-in from my contribution:

The security technologies most of us rely on every day — from anti-virus software to firewalls and intrusion detection devices — are reactive. That is, they are effective usually only after a new threat has been identified and classified. The trouble is that, meanwhile, an indeterminate number of individuals and corporations become victims of these unidentified stalkers.

Until quite recently, this “bag ’em and tag ’em” approach to dealing with malicious activity online had become so ingrained in the security community that most of the thought leaders on security were content merely to catalog the Internet’s worst offenders and abide the most hostile networks. Exponential increases in the volume and sophistication of new threats unleashed during the past few years — coupled with a pervasive attitude that fighting criminal activity online is the principal job of law enforcement — have helped to reinforce this bunker mentality.

Then, in the fall of 2007, something remarkable happened that seemed to shake the security industry out of its torpor: a series of investigative stories in the mainstream and technology press about concentrations of cybercrime activity at a Web hosting conglomerate in St. Petersburg known as the Russian Business Network (RBN) caused the ISPs serving the infamous provider to pull the plug. The RBN, which had been a vortex of malicious activity for years, was forced to close up shop and, subsequently, scattered its operations.

This was the first of many examples that would demonstrate the strategic (and, arguably, cathartic) value of identifying and isolating significant, consistent sources of hostile — if not criminal — activity online. I will focus on two popular methods of taking the fight to the enemy and will offer a few thoughts on the long-term viability of these approaches.

Copies of the journal are available from this link.

Foxit Fix for “Jailbreak” PDF Flaw

August 8, 2010

One of the more interesting developments over the past week has been the debut of jailbreakme.com, a Web site that allows Apple customers to jailbreak their devices merely by visiting the site with their iPhone, iPad or iTouch. Researchers soon learned that the page leverages two previously unknown security vulnerabilities in the PDF reader functionality built into Apple’s iOS4.

Adobe was quick to issue a statement saying that the flaws were in Apple’s software and did not exist in its products. Interestingly, though, this same attack does appear to affect Foxit Reader, a free PDF reader that I often recommend as an alternative to Adobe.

According to an advisory Foxit issued last week, Foxit Reader version 4.1.1.0805 “fixes the crash issue caused by the new iPhone/iPad jailbreak program which can be exploited to inject arbitrary code into a system and execute it there.” If you use Foxit, you grab the update from within the application (“Help,” then “Check for Updates Now”) or from this link.

Obviously, from a security perspective the intriguing aspect of a drive-by type jailbreak is that such an attack could easily be used for more nefarious purposes, such as seeding your iPhone with unwanted software. To be clear, nobody has yet seen any attacks like this, but it’s certainly an area to watch closely. F-Secure has a nice Q&A about the pair of PDF reader flaws that allow this attack, and what they might mean going forward. Apple says it plans to release an update to quash the bugs.

I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike. It’s not quite a “featureability,” which describes an intentional software component that opens up customers to attack even as the vendor insists the feature is a useful, by-design ability rather than a liability.

I came up with a few ideas.

– “Apptack”

– “Jailbait” (I know, I know, but it’s catchy)

– “Freedoom”

Maybe KrebsOnSecurity readers can devise a better term? Sound off in the comments below if you come up with any good ones.

Finally, I should note that while Adobe’s products may not be affected by the above-mentioned flaws, the company said last week that it expects to ship an emergency update on Tuesday to fix at least one critical security hole present in the latest version of Adobe Reader for Windows, Mac and Linux systems.

Adobe said the update will fix a flaw that researcher Charlie Miller revealed (PDF!) at last month’s Black Hat security conference in Las Vegas, but it hinted that the update may also include fixes for other flaws. I’ll have more on those updates when they’re released, which should coincide with one of the largest Microsoft Patch Tuesdays ever: Redmond said last week that it expects to issue at least 14 updates on Tuesday. Update, Aug. 10, 5:06 p.m. ET:Adobe won’t be releasing the Reader update until the week of Aug. 16.

Advertisement

Crimepack: Packed with Hard Lessons

August 5, 2010

Exploit packs — slick, prepackaged bundles of commercial software that attackers can use to booby-trap hacked Web sites with malicious software — are popular in part because they turn hacking for profit into a point-and-click exercise that even the dullest can master. I’ve focused so much on these kits because they also make it easy to visually communicate key Internet security concepts that otherwise often fall on deaf ears, such as the importance of keeping your software applications up-to-date with the latest security patches.

One of the best-selling exploit packs on the market today is called Crimepack, and it’s a kit that I have mentioned at least twice in previous blog posts. This time, I’ll take a closer look at the “exploit stats” sections of a few working Crimepack installations to get a better sense of which software vulnerabilities are most productive for Crimepack customers.

Check out the following screen shot, taken in mid-June from the administration page of a working Crimepack exploit kit that targeted mostly German-language Web sites. This page shows that almost 1,800 of the nearly 6,000 people who browsed one of the stable of malicious sites maintained by this criminal got hacked. That means some software component that 30 percent of these visitors were running either in their Web browsers or in the underlying Windows operating system was vulnerable to known software flaws that this kit could exploit in order to install malicious software.

Peering closer at the exploit stats, we see that one exploit was particularly successful: Webstart. This refers to a Java vulnerability that Oracle/Sun patched in April 2010, a powerful and widely-deployed software package that many users aren’t even aware they have on their systems, let alone know they need to keep it updated. (By the way, I got some serious flack for recommending that users who have no need for Java uninstall the program completely, but I stand by that advice.) As seen from the chart, this single Java flaw was responsible for nearly 60 percent of the successful attacks on visitors to these hacked sites.

Continue reading

Patch for Critical Windows Flaw Available

August 2, 2010

Microsoft today released an emergency security update to fix a critical flaw present in all supported versions of Windows. The patch comes as virus writers are starting to ramp up attacks that leverage the vulnerability.

There are a couple of things you should know before installing this update. If you took advantage of the “FixIt” tool that Microsoft shipped last month to blunt the threat from this flaw, you should take a moment now to undo that fix. To do that, visit this link, then click the image below the “Disable Workaround” heading, and follow the prompts. You will need to reboot the system before installing the official fix released today, which is available from Windows Update.

The patch issued today carries the Microsoft Knowledge Base (KB) number KB2286198, in case you’ve just run Windows Update and are checking to see whether this update is available to you yet.

You will need to reboot after installing the patch. After I applied this patch and rebooted the system, Windows Explorer stalled, leaving Windows unresponsive. After a forced restart (powering the system off and then on again), my 64-bit Windows 7 system booted into Windows normally.

When this vulnerability was initially disclosed, it was only being used in targeted attacks online. However, as Microsoft warned and others have confirmed, this vulnerability is now showing up in more mainstream attacks. Please take a moment to apply this update today if you can, particularly if your Windows system is not already protected with the FixIt tool mentioned above.

More information on this update is available from the Microsoft bulletin. And as always, please leave a comment below if you experience any problems installing this update.

Texas Firm Blames Bank for $50,000 Cyber Heist

August 2, 2010

A business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000.

Attorneys for Dallas-based Hi-Line Supply Inc. recently convinced a state court to require depositions from officials at Community Bank, Inc. of Rockwall, Texas. Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company’s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.

While the contents of that deposition remain closed under a confidentiality order, Hi-Line’s lawyers say the information gleaned in the interviews shows serious security missteps by Community Bank, and that they are ready to sue if the bank does not offer a settlement.

“In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the Texas Deceptive Trade Practices Act, fraud, and breach of warranties, among other things,” said Michael Lyons, a partner with the Dallas law firm Deans Lyons.

Hi-Line president Gary Evans said the fraud began on Thursday, Aug. 20, about the same time the company processes its normal $25,000 payroll. After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24.

Continue reading

Microsoft to Issue Emergency Patch for Critical Windows Bug

July 30, 2010

Microsoft said Thursday that it will issue an out-of-band security update on Monday to fix a critical, remotely-exploitable security hole present in all versions of Windows, which the software giant says is fueling an increasing number of online attacks.

On July 15, KrebsOnSecurity.com first warned that a flaw in the way Windows processes shortcut files (those ending in “.lnk”) was being exploited by highly targeted malicious software called “Stuxnet”. Researchers learned that Stuxnet was aimed at infiltrating Windows computers running Siemens WinCC SCADA software, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.

Since then, experts have found several new variants of Stuxnet, while a growing number of more mainstream attacks have been spotted exploiting the underlying Windows flaw.

“We’re able to confirm that, in the past few days, we’ve seen an increase in attempts to exploit the vulnerability,” wrote Christopher Budd, senior security response communications manager at Microsoft, on one of the company’s TechNet blogs. “We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”

I’m looking forward to applying this fix: About a week ago, Microsoft provided a stopgap “FixIt” tool that blunts the threat from this vulnerability, but it also changes the appearance of certain icons on the Windows desktop, often making it difficult for users to tell one program from the next. For example, here’s a screen shot of my Windows 7 desktop toolbar after I applied the fix:

I’ve found it fascinating to watch the speculation and hype swirl around this Stuxnet worm: Early on, the news media and pundits fixated on the notion that this was proof that other countries were planning cyber attacks on our power grid and other highly complex networks that rely on the types of SCADA systems targeted by Stuxnet. Then, about a week ago, experts began charting where in the world most victims were based. According to Symantec, roughly 60 percent of the systems infected with this family of malware were based in Iran, while computers in Indonesia and India also were hard-hit.

One equally likely scenario that I haven’t heard suggested much yet is that perhaps we are seeing evidence of our country’s own cyber warriors probing the networks of other nations. It is notable that the first definitions that the major anti-virus firms shipped for the Stuxnet malware were issued on or around the same day as my story, and that this malware was first discovered one month earlier by VirusBlokada, a relatively tiny anti-virus firm in Belarus that said it found the worm on computers belonging to one of its Iranian customers. What’s more, it’s unlikely that a malware threat initially directed at Iran would show up on the radar of U.S.-based anti-virus makers, all of whom are prohibited by U.S. trade sanctions from selling products and services to Iran.

Alleged Mariposa Botnet Author Nabbed

July 28, 2010

Police in Slovenia have arrested a 23-year-old man in Maribor believed to be responsible for creating the Mariposa botnet, a collection of hacked PCs that spanned an estimated 12 million computers across the globe, according to reports.

The Associated Press cites FBI officials in Washington, D.C. stating that authorities had arrested “Iserdo,” the nickname used by the hacker alleged to have created Mariposa, a botnet that first surfaced in December 2008 and grew to infect more than half of the Fortune 1,000 companies, as well as at least 40 major banks.

Earlier this year, police in Spain arrested three of Iserdo’s associates, who allegedly used the Mariposa botnet to steal credit card accounts and online banking credentials.

The AP story doesn’t identify Iserdo, saying officials declined to release his name and the exact charges filed against him, but says that the arrest took place about 10 days ago, and that the man has been released on bond.

According to information obtained by KrebsOnSecurity.com, Iserdo’s real name is Dejan Janžekovic. Local Slovenian press reports at the time of his arrest said Iserdo was a former student at the Maribor Faculty of Computer and Information Science, but that information could not be independently confirmed.

Individuals close to the case say Janžekovic charged a few hundred dollars for each copy of the bot kit, and that sales frequently were handled by a former classmate who accepted Western Union transfers on his behalf. According to two sources, one of those who helped with the transactions was a 24-year-old woman named Nuša Čoh, pictured here in her high school photo.

Neither Janžekovic nor Čoh could be immediately reached for comment.

Update, July 29, 4:45 p.m: Janzekovic appears only to have been a person of interest in this investigation, according to a law enforcement official I spoke with today. Also, I heard back from Janzekovic himself, who acknowledged having been investigated by the FBI and Slovenian police in connection with Mariposa, and taken in to the police station for questioning. But he said he is not Iserdo, and that the authorities somehow had him mixed up with someone else. From his e-mail to me:

“I am 23 years old (the picture you found is very outdated). I am single, I work as a senior systems administrator for a telco in Slovenia. Fact is that I love technology, I love life (even though the past two weeks it was hell on earth for me), but most of all – I am innocent. Yes, you read right, innocent. I am smarter than this and such things do interest me only from the technological point, as in how to protect against them.

Oh, not to forget, my net nick was and will never be Iserdo.

It is true, that I had the FBI and Slovenian police investigating me but it is also true, that I had nothing to hide. During the investigation I was very cooperative with authorities – I even gave them password for my encrypted partitions. What was the lead to me? It had to be some kind of mix-up and/or identity theft – the only person known to me in this whole story is the girl who I went to school with (as you have already found out).

Neither of authorities did explain to me how they came to conclusion that I was iserdo. I strongly believe the case was identity theft (obviously someone who knew enough about me, to know that I would easily fit in the case) and/or connection through Nusa. And believe me, it was also to my great surprise, when they woke me up at 6 a.m. to search my home on basis of me selling some ‘nasty code’.

But know this – I do not know any technical details about the botnet, program or anything about the criminal backgrounds as I have never seen it or worked with it.”

Continue reading

Hacked Companies Hit by the Obvious in 2009

July 28, 2010

As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the Verizon Business RISK team, which is consistently so chock full of hype-slaying useful data and conclusions that it is often hard to know what not to write about from its contents.

Once again, some of the best stuff is buried deep in this year’s report and is likely to be missed in the mainstream coverage. But let’s get the headline-grabbing findings out of the way first:

-Verizon’s report on 2009 breaches for the first time includes data from the U.S. Secret Service. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs.  285 million in 2008).

-85 percent of records last year were compromised by organized criminal groups (this is virtually unchanged from the previous report).

-94 percent of compromised records were the result of breaches at companies in the financial services industry.

-45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.

Among the most counter-intuitive findings in the report?

There wasn’t a single confirmed intrusion that exploited a patchable vulnerability. Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to things like SQL database injection attacks, and did not require the exploitation of a flaw that could be fixed with a software patch. In most cases, the breaches were caused by weaknesses that could be picked up by a free Web vulnerability scanner:

“Organizations exert a great deal of effort around the testing and deployment of patches — and well they should. Vulnerability management is a critical aspect of any security program. However, based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

Speaking of log files, one of the most interesting sections of the 66-page report comes in a sidebar titled “Of Needles and Haystacks,” which states that 86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their Web servers.

Continue reading

Rogue Antivirus Victims Seldom Fight Back

July 27, 2010

Recently I came into possession of a series of documents showing the financial books of an organization that orchestrates the distribution of rogue anti-virus attacks or “scareware,” programs that hijack victim PCs with misleading security alerts in an effort to frighten the user into purchasing worthless security software. I found many interesting details in this data cache, but one pattern in the data explains why scareware continues to be a major scourge: Relatively few people victimized by it dispute the transaction with their bank.

The documents list the amounts charged to more than 2,000 people around the world (the screen shots show the distribution of victims globally and in the United States). Victims paid anywhere from $50 to $100 for the fake anti-virus software. The file lists the amounts charged, partially obscured credit card numbers, and the names, addresses and e-mails of all victims.

More importantly, they show that only 367 victims — fewer than 20 percent — bothered to contact their bank or the scammers to reverse the fraudulent charges after the fact.

A second wave of attacks apparently conducted by the same malware gang in early April shows that only 163 out of 1,678 victims – fewer than 10 percent — initiated chargebacks or disputed the sales (the geographic distribution of victims of this second wave is not included in the Google Maps graphics shown here).

I interviewed more than a dozen victims of the first scareware attack, which occurred between April 12 and April 15. All said their computers became unusable and that the only way they could figure out how to regain control of the machine was to surrender and purchase the software. In each case, immediately after the victims submitted their payment information, the hijacking program disappeared, leaving no trace of itself, and no hint of any fake security program on the victim’s machine.

Some victims reported receiving a follow-up e-mail thanking them for their purchase, and directing support inquiries to support@browsing-solutions.com. Others never got an e-mail, but only saw a charge on their credit card statement from Browsing Solutions, Moscow. Other victims saw charges from an EBD-Software.com.

None of the victims I was able to track down had successfully reversed the charges with their credit card provider, although a few did have the charges canceled after contacting the phone number listed in the customer support e-mail. Some said they had tried to contact their credit card provider or the scam company but got the runaround and simply gave up; others said they were confused because they were in the process of trying to purchase legitimate anti-virus software when their computers were hijacked.

Continue reading