Posts Tagged: team cymru


2
Nov 16

Computer Virus Cripples UK Hospital System

Citing a computer virus outbreak, a hospital system in the United Kingdom has canceled all planned operations and diverted major trauma cases to neighboring facilities. The incident came as U.K. leaders detailed a national cyber security strategy that promises billions in cybersecurity spending, new special police units to pursue organized online gangs, and the possibility of retaliation for major attacks.

In a “major incident” alert posted to its Web site, the National Health Service’s Lincolnshire and Goole trust said it made the decision to cancel surgeries and divert trauma patients after a virus infected its electronic systems on Sunday, October 30.

A portion of an alert posted to the NHS's home page.

A portion of the alert posted to the NHS’s home page.

“We have taken the decision, following expert advise, to shut down the majority of our systems so we can isolate and destroy it,” the NHS said, of the unspecified malware infection. “All planned operations, outpatient appointments and diagnostic procedures have been cancelled for Wednesday, Nov. 2 with a small number of exceptions.”

The advisory continued:

“Inpatients will continue to be cared for and discharged as soon as they are medically fit. Major trauma cases will continue to be diverted to neighboring hospitals as will high risk women in labour.”

Although the NHS didn’t say what kind of virus infected its systems, it is likely an infestation of ransomware — a malware scourge whose purveyors have taken to targeting hospitals and healthcare facilities.

Ransomware scours an infected computer for documents, audio files, pictures and other things likely to be of value to the system’s owner, and then encrypts that data with very powerful encryption software. Most ransomware variants also scour the local network for other systems or network shares to infect. Victims usually can only get their files back after paying a specified ransom demand using a virtual currency, such as Bitcoin. Continue reading →


5
Jan 15

Who’s Attacking Whom? Realtime Attack Trackers

It seems nearly every day we’re reading about Internet attacks aimed at knocking sites offline and breaking into networks, but it’s often difficult to visualize this type of activity. In this post, we’ll take a look at multiple ways of tracking online attacks and attackers around the globe and in real-time.

A couple of notes about these graphics. Much of the data that powers these live maps is drawn from a mix of actual targets and “honeypots,” decoy systems that security firms deploy to gather data about the sources, methods and frequency of online attacks. Also, the organizations referenced in some of these maps as “attackers” typically are compromised systems within those organizations that are being used to relay attacks launched from someplace else.

The Cyber Threat Map from FireEye recently became famous in a 60 Minutes story on cyberattacks against retailers and their credit card systems. This graphic reminds me of the ICBM monitors from NORAD, as featured in the 1984 movie War Games (I’m guessing that association is intentional). Not a lot of raw data included in this map, but it’s fun to watch.

FireEye's "Cyber Threat Map"

FireEye’s “Cyber Threat Map”

My favorite — and perhaps the easiest way to lose track of half your workday (and bandwidth) comes from the folks at Norse Corp. Their map — IPViking — includes a wealth of data about each attack, such as the attacking organization name and Internet address, the target’s city and service being attacked, as well as the most popular target countries and origin countries.

Norse's IPViking attack map is fun to watch, but very resource-intensive.

Norse’s IPViking attack map is eye candy-addictive, but very resource-intensive.

Continue reading →


19
Aug 10

WinMHR: (Re)Introducing the Malware Hash Registry

Microsoft Windows users seeking more certainty about the security and integrity of downloaded files should take a look at a free new offering from Internet security research firm Team Cymru (pronounced kum-ree) that provides a solid backup to anti-virus scans.

The tool, called “WinMHR,” is an extension of the “Malware Hash Registry” (MHR), an anti-malware service that Team Cymru has offered for several years. The MHR is a large repository of the unique fingerprints or “hashes” that correspond to millions of files that have been identified as malicious by dozens of anti-virus firms and other security experts over the years.

The MHR has been a valuable tool for malware analysts, but until now its Web-based and command-line interface has placed it just outside the reach of most average computers users. WinMHR, on the other hand, is essentially a more user-friendly, point-and-click interface for the traditional MHR service, which Team Cyrmu described this way:

“While your AV posture helps you perform detection based on signatures, heuristics and polymorphism, the MHR provides you additional layer of detection, for known badness. Based on our research, AV packages have trouble detecting every possible piece of malware when it first appears. The MHR leverages multiple AV packages and our own malware analysis sandbox to help aid your detection rate. Coupled with AV, the MHR helps identify known problems so you can take action.”

Continue reading →


27
Jan 10

The Rise of Point-and-Click Botnets

The graphic above is from a report out today by Team Cymru, a group that monitors studies online attacks and other badness in the underground economy. It suggests an increasing divergence in the way criminals are managing botnets, those large amalgamations of hacked PCs that are used for everything from snarfing up passwords to relaying spam and anonymizing traffic for the bad guys, to knocking the targeted host or Web site offline.

The bottom line in the graphic shows the prevalence of botnets that are managed using Internet relay chat (IRC) control channels (think really basic text-based instant message communications). The blue line trending upward depicts the number of Web-based botnets, those that the botmaster can control with point-and-click ease using a regular Web browser.

Continue reading →