Showing posts with label Cybercrime.

Wednesday, October 3, 2012

Malnets lead the cyberattack pack


In politics, the future may belong to green energy and better education, but in the world of cybercrime, it looks like it increasingly belongs to malicious networks, or malnets.
That is the key finding of Blue Coat Security Lab's Mid-Year Malware Report, released Tuesday. The company said the number of malnets now stands at more than 1,500, an increase of 300% in the past six months, and it expects they will be "responsible for two-thirds of all malicious cyberattacks in 2012."
Malnets are distributed infrastructures within the Internet that are built, managed and maintained by cybercriminals for the purpose of launching persistent, extended attacks on computer users. That infrastructure generally includes several thousand unique domains, servers and websites that work together to lure users to a malware payload.
They are increasingly popular, Blue Coat said, because they are so effective. In what it calls a five-stage "vicious cycle," a malnet first drives a user to malware, through any number of means, including drive-by downloads, email from trusted sources or trusted websites.
"Then the user's computer is infected with a Trojan," the report said. "Once the computer is compromised it can be used by the botnet to lure new users into the malnet by using the infected machine to send spam to email contact lists, for example."
"A compromised system can also be used to steal the victim's personal information or money, and, in some cases, can also function as a jumping-off point for attacks on neighboring machines," the report said.
Tim Van Der Horst, malware researcher at Blue Coat Systems, said this demonstrates what the report calls the "organic ... self perpetuating" nature of malnets, which is one of the things that makes them so difficult to eradicate.
"When users are infected, they become a bot in a botnet," Van Der Horst said. "They communicate with a command-and-control server, and send results to the bad guys."
In short, all the capabilities of the compromised computer are in the criminals' hands. "If the computer can do it, the bad guy can make the computer do it," Van Der Horst said. "It can steal online banking credentials or leverage the machine to launch new attacks, like sending email as you to your contacts, so they're getting it from a trusted source."
Malnets are also geographically dispersed, which means that even if they are shut down in one country, they can continue operating in others, and launch simultaneous attacks. Unlike advanced persistent threats (APT), the goal of malnets is "not to target one million people with a single search term but instead target one million people with one million different search terms," the report said.
They target users at what Blue Coat calls the "watering holes" of the Internet -- more than a third of the requests for web content go to search engines, but social networking and audio/video clips are also popular categories.
"According to the Cisco Visual Networking Index, by 2016 all types of video will account for 86% of global consumer traffic," the report said. "With the growth of video traffic, tried and true socially engineered attacks like fake video codecs have an opportunity to dupe users into downloading malware."
They also can change host names frequently. Shnakule, the largest malnet in the world, changed the host names of its command-and-control servers more than 56,000 times in the first nine months of the year.
In the face of such attacks, traditional, signature-based defenses are not enough, Blue Coat said, noting that one of the ways enterprises should protect themselves is with better education of their employees.
Among the ways to avoid poisoned search engine results are to stay away from any that appear to be hosted in other countries, such as .IN, .RU, .TK, unless the search is related to that country; avoid results with teaser text that reads as if it was constructed by a machine; and if a result looks suspicious, click on one of the many other results that were returned, the report said.
Another simple but too-frequently ignored security practice is to apply patches and other security updates as soon as they are issued. "The availability of a patch doesn't mean that users have applied it," the report said. "The Conficker/Downandup botnet has been alive for nearly four years now, with infected systems still receiving instructions."
Van Der Horst said the most effective way to defend against malnets is not to wait for a new threat to emerge and then block it, but to identify the malnet infrastructure delivering the attacks and block them at the source. This aims to prevent new attacks before they are launched -- what the company calls Negative Day Defense.
It doesn't matter what the specific threat is, since the defense is aimed at blocking the threat delivery mechanism, he said.

Saturday, September 29, 2012

Pirate Bay founder's detention extended as tax hack investigation continues


Pirate Bay founder Gottfrid Svartholm Warg will remain in detention for at least two more weeks while Swedish prosecutors investigate his alleged involvement in the hacking of IT company Logica, a Swedish court ruled Friday.
Svartholm Warg was arrested in Cambodia on Aug. 30 and subsequently deported to Sweden. Swedish authorities arrested him on Sept. 11 on suspicion of hacking, although he has not been charged. On Sept. 14 a court ordered that he be detained for another two weeks.
This week Henrik Olin, the public prosecutor dealing with the case, asked the court to extend Svartholm Warg's detention.
"The court decided to prolong the detention for another two-week period," Olin said Friday on leaving the courtroom.
"The investigation is ongoing," he said, referring to the theft of sensitive tax records for people with protected identities from a government IT contractor, Logica.
"He is suspected of this breach of data security. The court ruled that there is a risk he could affect the evidence in the investigation, and that there is a risk he could be committing crimes again," he said.
When Svartholm Warg was arrested in Cambodia, many thought it was because of his role in creating the Pirate Bay. He and the other founders of the popular torrent-tracking site were found guilty of offenses relating to copyright infringement, fined and sentenced to prison. Svartholm Warg did not attend an appeal hearing, pleading illness, and moved to Cambodia, a country with which Sweden does not have an extradition treaty.
No charges have yet been made against him in the Logica case, Olin said.
"According to the Swedish system, when the preliminary investigation is finished, I as prosecutor will decide whether to prosecute him. [...] In the Swedish system it is quite usual for people to be detained on this legal ground, and it gives me the possibility to prevent him from having contact with other people."
Olin said it is unlikely that he will have completed his preliminary investigation within the next two weeks, and so expects to return to the court to ask for another extension to Svartholm Warg's detention.
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.

Friday, September 28, 2012

Criminals hack Adobe certificate server


Criminals have broken into an Adobe server and signed two pieces of malware with a digital certificate that attests to them being legitimate code.
As a result of the breach, the company will revoke the certificate next Thursday and will update legitimate Adobe software that has been signed by the same certificate since July 10.
Adobe says that its legitimate software signed by the certificate is not at risk and that the hijacked certificate does not pose a general security threat.
"The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware," Adobe says in an FAQ on the situation.
But there could be another shoe or two yet to drop, says Andrew Storms, director of security operations for security vendor nCircle. "It seems probable that this situation is the result of a breach of Adobe's software release process," Storms says in a written statement. "If that's the case there could be other serious problems that haven't been found yet."
Adobe says it is working with security vendors so their products will be able to detect the malware that was signed by the compromised certificate and protect end users from the malware.
Adobe didn't say exactly what the malware was capable of doing, but noted that in general using stolen certificates to legitimize malware is a tactic used by sophisticated adversaries carrying out targeted attacks.
"As a result, we believe the vast majority of users are not at risk," Adobe says in a blog. Once executed such malware can escalate privileges for compromised machines and move the malware from machine to machine within a network.
Products that need updating are:
* Adobe Application Manager - Enterprise Edition;
* Adobe Provisioning Toolkit Enterprise Edition;
* Report Builder - Digital Marketing Suite;
* SiteCatalyst Real-Time Dashboard - Digital Marketing Suite;
* Adobe Update Server Setup Tool;
* Flash Media Server 4.5.3;
* ColdFusion 10;
* Flash Player;
* Reader.
Also affected are three Adobe AIR applications - the Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services that run on both Windows and Macintosh.
The company has issued instructions here on how IT administrators can update affected products.

Hackers compromise Adobe server, use it to digitally sign malicious files

Adobe is taking steps to revoke the certificate used to create the signatures 


The story, "Hackers compromise Adobe server, use it to digitally sign malicious files," was inadvertently posted to the wire Friday during the editing process.
The story has been fixed on the wire, and the corrected paragraphs seven, eight and 19 follow:
Paragraphs seven and eight:
Brad Arkin, Adobe's senior director of security for products and services, wrote in a blog post that the rogue code samples have been shared with the Microsoft Active Protection Program (MAPP) so security vendors can detect them. Adobe believes "the vast majority of users are not at risk" because tools like the ones that were signed are normally used during "highly targeted attacks," not widespread ones, he wrote.
"At the moment, we have flagged all the received samples as malicious and we continue monitoring their geographical distribution," Botezatu said. BitDefender is one of the security vendors enrolled in MAPP.
Paragraph 19:
It's hard to determine the implications of this incident, because we can't be sure that only the shared samples were signed without authorization, Botezatu said. "If the password dumper application and the open-source SSL library are relatively innocuous, the rogue ISAPI filter can be used for man-in-the-middle attacks - typical attacks that manipulate the traffic from the user to the server and vice-versa, among others," he said.

As promised, Islamic hacktivists disrupt PNC Bank


PNC Bank's website was disrupted on Thursday by a group of Islamic hacktivists who have also claimed responsibility for downing the sites this week of Wells Fargo and U.S. Bank.
The latest attack is identical to the other two in that hundreds of thousands of computers are used to overwhelm the sites' bandwidth, said Atif Mushtaq, a security researcher for FireEye who has been monitoring the attacks.
The hacktivists also claim to be behind the distributed denial of service (DDoS) attacks last week against Bank of America and JPMorgan Chase, as well as U.S. Bank yesterday.
PNC has confirmed the attack. Spokesman Fred Solomon told The Chicago Tribune that the disruption affected some online customers. "We are working to restore full service to everyone," he said.
Based on the kind of traffic Mushtaq has seen, the banks' sites are being overwhelmed by requests from the computers of supporters of the hacktivists. The group, which calls itself "Mrt. Izz ad-Din al-Qassam Cyber Fighters," has used social networks, including Google+; underground sites, and their own website to recruit sympathizers.
"I'm not surprised that there are thousands and thousands of people performing this type of DDoS," Mushtaq said.
The hacktivists have said that the attacks are in retaliation for a video trailer denigrating the Prophet Muhammad. The amateurish YouTube video made in the U.S. has sparked violent protests in the Middle East and other regions.
To participate in the hacktivists' campaign, a supporter goes to one of two file-sharing sites and downloads a program written in a scripting language that runs in a web browser.
Once the program is running, a person only has to click on a "start attack" button to send continuous requests to the target's website. All of the traffic seen by FireEye has come from Web browsers, an indication that the attackers are not using a network of compromised machines, called a botnet. Such networks are also a popular method for launching distributed denial of service attacks, which are said to be crude but still effective.
"The bad part about this attack is it's so simple," Mushtaq said. "They're not using any botnet. They're using browsers."
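The article's point is that every request in this flood came from an ordinary browser, so filtering on User-Agent tells a defender nothing. What remains is rate: how many requests each source makes inside a short window, and how many the site receives in aggregate. The following is an added example written for this page, not code from FireEye, PNC or the article; it assumes Apache combined-format access logs and constructs its own sample lines (documentation IP addresses, a made-up timestamp) to run over.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def make_sample_log():
    """Constructed sample traffic (not real bank logs): one client hammering the
    homepage from a browser at five requests per second for eight seconds, and
    one ordinary visitor using the very same browser User-Agent."""
    base = datetime.strptime("27/Sep/2012:14:00:00 -0400", TS_FMT)
    ua = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0 Safari/537.4"
    entries = []
    for i in range(40):  # flood: 5 req/s, timestamps 0..7 s
        t = base + timedelta(seconds=i // 5)
        entries.append((t, f'203.0.113.5 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 5120 "-" "{ua}"'))
    for i, path in enumerate(["/", "/login", "/accounts", "/logout"]):  # normal: 4 req/min
        t = base + timedelta(seconds=15 * i + 1)
        entries.append((t, f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 2048 "-" "{ua}"'))
    entries.sort(key=lambda e: e[0])  # access logs are written in time order
    return "\n".join(line for _, line in entries)


def find_floods(log_text, window=timedelta(seconds=10), threshold=20):
    """Return {client_ip: peak requests seen inside `window`} for every client
    whose count in any sliding window exceeded `threshold`. The User-Agent is
    deliberately not used: in a browser-driven flood it looks legitimate."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def peak_aggregate_rate(log_text, window=timedelta(seconds=10)):
    """Peak number of requests from all clients combined inside `window`.
    A flood spread over hundreds of thousands of volunteers can stay under any
    per-client threshold, so the site-wide rate is the complementary signal."""
    q = deque()
    peak = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


if __name__ == "__main__":
    log = make_sample_log()
    print("per-client floods:", find_floods(log))      # only 203.0.113.5 is flagged
    print("peak site-wide rate:", peak_aggregate_rate(log))
```

Both functions assume the log is in timestamp order, which is how a web server writes it; on merged logs from several front ends, sort first. The per-client threshold and window here are illustrative values, not figures from the article.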
Rob Rachwald, director of security for Imperva, said an all-volunteer army launching such an attack is unusual. Hacktivists often use a combination of supporters and botnets, he said. In addition, rather than try to overwhelm the bandwidth of a large bank, attackers often find a vulnerable component in the site first and target traffic to just that area.
While he hasn't monitored the recent attacks, Rachwald said he believes the attackers are much more sophisticated. An indication of that is the fact that the hacktivists posted warnings in advance, naming the targeted banks. Nevertheless, the banks were unable to prevent disruption.
"It tells you that more than likely the attackers were pretty sophisticated," he said. "They're using some new technique, or variation of older techniques to bring the sites down."
None of the banks have given details of the attacks.
Ideologically motivated hacktivism was the primary motivation behind DDoS attacks last year, according to Arbor Networks' annual survey of Internet Service Providers. The number of high-bandwidth DDoS attacks increased significantly, with 25% exceeding the total bandwidth into a data center.
At the same time, there are a variety of DDoS attack tools and services available in the underground, Arbor said.

ACLU: Electronic surveillance by US agencies skyrocketing

The civil rights group calls on Congress to require more judicial oversight on pen register and trap-and-trace orders


U.S. law enforcement surveillance of email and other Internet communication has skyrocketed in the last two years, according to data obtained by the American Civil Liberties Union.
The number of so-called pen register and trap-and-trace orders obtained by federal law enforcement agencies has increased 361 percent between 2009 and 2011, the ACLU said. The U.S. Department of Justice released the data to the ACLU after the civil rights group sued the agency under the Freedom of Information Act.
Pen registers capture outgoing data from a surveillance subject, while trap-and-trace orders capture incoming data, including the addresses on email messages and who the subject is talking with on instant messaging. The two types of surveillance are not supposed to record the contents of conversations.
Including the targets of telephone surveillance, "more people were subjected to pen register and trap-and-trace surveillance in the past two years than in the entire previous decade," Naomi Gilens, a legal assistant with the ACLU's Speech, Privacy, and Technology Project, wrote in a blog post.
U.S. law enforcement agencies obtained about 250 pen register orders for email and Internet communications in 2009 and about 200 trap-and-trace orders, the ACLU said. In 2011, U.S. agencies received more than 800 of each order.
A DOJ spokesman noted that a federal judge authorizes each pen register and trap-and-trace order. "As criminals increasingly use new and more sophisticated technologies, the use of orders issued by a judge and explicitly authorized by Congress to obtain noncontent information is essential for federal law enforcement officials to carry out their duty to protect the public and investigate violations of federal laws," said spokesman Dean Boyd.
The ACLU called for the U.S. Congress to require more judicial oversight of pen register and trap-and-trace orders. While wiretap orders need a judge to approve a warrant, pen register and trap-and-trace orders require agencies only to submit a certification to a court saying they seek information relevant to an ongoing criminal investigation.
In addition, Congress should put more pressure on the DOJ to release the surveillance reports. The DOJ is supposed to release an annual report on the use of these surveillance devices, but the ACLU and other groups have only obtained the reports after Freedom of Information Act requests, or, in this case, a lawsuit, Gilens wrote.
The DOJ did release the 2010 and 2011 reports to Congress, but lawmakers didn't release them to the public, she added.
"Unfortunately, Congress has done nothing at all to inform the public about the federal government's use of these invasive surveillance powers," she wrote. "Rather than publishing the reports online, they appear to have filed them away in an office somewhere on Capitol Hill."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.


Exploring cybercriminal minds, safeguarding privacy among $50M worth of new NSF research projects


The National Science Foundation (NSF) this week awarded $50 million for more than 70 research projects focused on securing cyberspace in the United States.
The Secure and Trustworthy Cyberspace awards are aimed at protecting critical infrastructure from cyberthreats.
"Securing cyberspace is key to America's global economic competitiveness and prosperity," said NSF Director Subra Suresh, in a statement. "NSF's investment in the fundamental research of cybersecurity is core to national security and economic vitality that embraces efficiency while also maintaining privacy."
The two biggest awards, dubbed Frontier Awards, are:
* Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives, involving the University of California-San Diego, the International Computer Science Institute at UC Berkeley and George Mason University. This five-year, $10 million project involves mapping out illicit activities taking place over the Internet and trying to understand how the cybercriminal mind works. The researchers, including social scientists, will dive into how cybercrooks make money and interact with victims and defenders in an effort to determine how to curtail their activities. The researchers will investigate how criminals use mainstream social networks as well as underground ones.
* Privacy Tools for Sharing Research Data, involving a multidisciplinary team of researchers at Harvard University, is a four-year, $5 million grant to foster creation of tools and policies for collecting, analyzing and sharing data across the Web without impinging on individual privacy. Researchers with expertise in math, government, technology and law will join forces on this project, which could have implications for everything from public health to e-commerce.
Bob Brown tracks network research in his Alpha Doggs blog and Facebook page, as well as on Twitter and Google+.