Tag Archive for Botnet

| September 22, 2012
Comments Off

SmartPhone Zombie Apocalypse

Cellphone malwareIf you have a smartphone, online criminals may soon have your number. Smart phone malware is getting increasingly sophisticated, and MIT‘s Technology Review reports that a security researcher has created software that turns a smart phone into a “zombie” that can be controlled remotely. The blog says Georgia Weidman created the program, which controls a Google (GOOG) Android phone via short message service (SMS) to bring about a smartphone zombie apocalypse.

Georgia WeidmanOnce only theoretical, real-world cell-phone viruses are becoming more common. The article reports the most famous was a scam in Russia tricked users into installing malicious software on Android phones, and using the SMS functionality to send messages to a number that charged a premium fee. In late 2010, a Chinese virus for Android devices was used to steal personal data according to the article.

Botnets have become a staple of Internet crime. They can be used to attack other systems, host attack tools, send spam, or just steal data. The blog says this type of attack has been rare with mobile devices, but that seems to be changing. “We have been taking down Internet botnets for years now, but there is not as much understanding [of telecom networking],” Weidman says. “I definitely see criminals going more and more toward using the telco’s network.”

TR explains that Weidman’s program is one of the first known to turn SmartPhone Zombie Apocalypsesmartphones into zombie nodes of a botnet. Her attack works like this: After infecting a phone with a rootkit, she uses that phone to send spam text messages, take part in a denial-of-service, or degrade the communications of the phone—all without the user knowing. The techniques apply to any smart phone, Weidman says.

Today’s smart phones have multiple layers of defense. For one, they can block malicious applications. They also have managed channels, such as the Apple (AAPL) App Store and Google’s Android Marketplace, for applications.

As a result, Weidman says, infecting a smartphone is not easy. “TRobby the Robothe hurdle with any malware is infecting the phone,” she told Technology Review, noting that the methods used by cybercriminals usually do not work. “More of what you see of malware is peoplee downloading applications for their phone that are infected,” she says.

The problem of cybercriminals targeting consumers’ phones will only get worse Kevin Mahaffey, chief technology officer of mobile-security startup Lookout told the author. Because the control of phones is so easy to turn into cash via premium text messages, criminals will be drawn to attack the devices.

Lookout mobile security logo“I always tend to look at the economics of the problem to ask myself whether it will continue in the future,” the CTO explained. “And because there is an incentive for attackers to compromise mobile phones, and the cost of compromising is not that high, that says it will become more prevalent in the future.”

Using the telecommunications network, rather than the Internet, for botnet control allows attackers to hide their actions from users. When the attacker does it using malicious software, the user has little chance of detecting it, says Weidman.

Botnet“When I infected a phone in my botnet—my lab botnet—with malware, the smart phone would receive a message through SMS and I would check to see if it has botnet instructions in it,” she says. “If it does, it would perform the functionality requests, and then it would swallow the message, so the user does not know that there was a message at all.”

While phones do not have the computing power of more traditional computers, they are hefty enough to handle many of the tasks that cybercriminals desire, she says. She adds that the sheer number of smart phones means that any botnet could be “a real threat” to create a smartphone zombie apocalypse.

Related articles
Category: Security | Tags: , , , , , , ,
| April 12, 2012
2 comments

What is Malware?

MalwareMost users I talk to about malware seem to use the following terms interchangeably; malware, virus, trojan, keylogger, worm, backdoor, bot, rootkit, ransomware, adware, spyware and dialer. Raymond.cc offers some standard definitions to clarify the conversations.

MalwareMalware is short for Malicious Software where all the terms above falls into this category because they are all malicious. The different term being used instead of just plain virus is to categorize what the malicious software is capable of doing.

Virus spreads on its own by smuggling its code into application software. The name is in analogy to its biological archetype. Not only does a computer virus spread many times and make the host software unusable, but also runs malicious routines.

Trojan horseTrojan horse/Trojan is a type of malware disguised as useful software. The aim is that the user executes the Trojan, which gives it full control of your PC and the possibility to use it for its own purposes. Most of times, more malware will be installed in your system, such as backdoors or key loggers.

Worms are malicious software that aim at spreading as fast as possible once your PC has been infected. Unlike viruses, it is not other programs that are used to spread the worms, but storage devices such as USB sticks, communication media such as e-mail or vulnerabilities in your OS. Their propagation slows down performance of PCs and networks, or direct malicious routines will be implemented.

Key loggerKey loggers log any keyboard input without you even noticing, which enables pirates to get their hands on passwords or other important data such as online banking details.

Dialers are relics from a time when modems or ISDN were still used to go online. They dialed expensive premium-rates numbers and thus caused your telephone bill to reach astronomic amounts. Dialers have no effect on ADSL or cable connections, but they are making a comeback with mobile devices and QR codes (I covered Attaging here).

BotnetBackdoor / Bots is usually a piece of software implemented by the authors themselves that enables access to your PC or any kind of protected function of a computer program. Backdoors are often installed once Trojans have been executed, so whoever attacks your PC will gain direct access to your PC. The infected PC, also called “bot”, will become part of a bot net.

Exploits are used to systematically exploit vulnerabilities of a computer program. Whoever attacks your PC will gain control of your PC or at least of parts of it.

Spyware is software that spies on you, i.e. collects different user data from your PC without you even noticing.

AdwareAdware is derived from “advertisement”. Beside the actual function of the software, the user will see advertisements. Adware itself is not dangerous, but tons of displayed adverts are considered a nuisance and thus are detected by good anti-malware solutions.

Rootkit mostly consists of several parts that will grant unauthorized access to your PC. Plus, processes and program parts will be hidden. They can be installed, for instance, through an exploit or a Trojan.

Rogues / Scareware are also know as “Rogue Anti-Spyware” or “Rogue Anti-Virus”, rogues pretend to be security software. Often, fake warnings are used to make you purchase the security software, which the pirates profit from.

RansomwareRansomware “Ransom” is just what you think it is. Ransomware will encrypt personal user data or block your entire PC. Once you have paid the “ransom” through an anonymous service, your PC will be unblocked.

Although there are different categories of malware but the author says that most of the malware today combines different kinds of malware to achieve a higher rate of infection and giving more control to the hacker. Most malwares are invisible that runs silently without your knowledge to avoid detection except for a ransomware and adware.

Using “virus” as a catch-all phrase to include all types of malware is no longer accurate. The correct word to use should be malware. However don’t expect the big anti-virus companies to rebrand their products to Kaspersky Anti-Malware or Bitdefender Anti-Malware because doing that may risk losing their brand identity even if they do offer a complete anti-malware solution.

The blog says it doesn’t mean that you’re safe if you don’t see it so it is important to run an anti-virus software from reputable brands such as Kaspersky, ESET, Avast, Avira, AVG (at one time AVG was installing a Yahoo toolbar without notice) MSE together with a second opinion anti-malware such as HitmanPro, Malwarebytes Anti-Malware and SUPERAntiSpyware. As for Emsisoft Anti-Malware, it comes with its own Anti-Malware engine and Ikarus Anti-Virus Engine.

Related articles
Category: Security | Tags: , , , , , , , ,
| December 29, 2011
3 comments

40 Years of Malware – Part 4

2011 marks the 40th anniversary of the computer virus. Help Net Security notes that over the last four decades, malware instances have grown from 1,300 in 1990, to 50,000 in 2000, to over 200 million in 2010. Fortinet (FTNT) marks this dubious milestone with an article which counts down some of the malware evolution low-lights. The Sunnyvale,CA network security firm says that viruses evolved from an academic proof of concepts, to geek pranks which have evolved into cybercriminal tools. By 2005, the virus scene had been monetized, and almost all viruses developed for the sole purpose of making money via more or less complex business models. According to FortiGuard Labs, the most significant computer viruses over the last 40 years are:

- See Part 1 Here  - See Part 2 Here  – See Part 3 Here  – See Part 4 Here

Storm2007 – By 2007, Botnets have infected millions world-wide using Zombie systems send spam to generate Denial of Service (DoS) attacks, compromise passwords and data. By 2007 cybercriminals had developed a lucrative business models they were protecting. The attackers became more concerned about protecting their zombie computers. Until 2007, botnets lacked robustness, by neutralizing its unique Control Center (PDF), a botnet could be taken down, because Zombies didn’t have anyone to report to (and take commands from) anymore. The Storm botnet was the first to feature a peer-to-peer architecture (PDF) to decentralize its command and control functions. At the peak of the outbreak, the Storm Botnet was more powerful than many supercomputers and accounted for 8% of all malware running in the world according to FortiGuard.

Koobface2008Koobface (an anagram for Facebook) spreads by pretending to be the infected user on social networks, prompting friends to download an update to their Flash player to view a video. The update is a copy of the virus. Once infected, users would serve as both vectors of infection for other social network contacts and as human robots to solve CAPTCHA challenges for cyber-criminals, among other things. Koobface is also the first botnet to recruit its Zombie computers across multiple social networks (Facebook, MySpace, hi5, Bebo, Friendster, etc). FortiGuard estimates that over 500,000 Koobface zombies are online at the same time.

Conficker2009Conficker (aka Downadup) is a particularly sophisticated and long-lived virus, as it’s both a worm, much like Sasser, and an ultra-resilient botnet, which download destructive code from a random Internet servers. (We still see it pop-up from time to time at work). Conficker targeted the Microsoft Windows OS and used Windows flaws and Dictionary attacks on admin passwords to crack machines and link them to a computer under the control of the attacker. Conficker’s weakness is its propagation algorithm is poorly calibrated, causing it to be discovered more often according to Fortinet. In 2009 some networks were so saturated by Conficker, that it caused planes to be grounded, hospitals and military bases were impacted. Conficker infected bout 7 million systems worldwide.

Advanced Persistent ThreatAdvanced Persistent Threat (aka APT, Operation Aurora) was a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google (GOOG) on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China and were both sophisticated and well resourced and consistent with an advanced persistent threat attack. According to Wikipedia the attack also included Adobe (ADBE), Dow Chemical (DOW), Juniper Networks (JNPR),Morgan Stanley (MS), Northrop Grumman,(NOC), Rackspace (RAX), Symantec (SYMC) and Yahoo (YHOO).  There is speculation that the primary goal of the attack was to gain access to and potentially change source code repositories at these high-tech, security and defense contractor companies.

The definition of an Advanced Persistent Threat depends on who you ask, Greg Hoglund, CEO at HBGary told Network World an Advanced Persistent Threat is a nice way for the Air Force and DoD to not have to keep saying “Chinese state-sponsored threat.” He says,” APT is “the Chinese government’s state-sponsored espionage that’s been going on for 20 years,” Mr. Hoglund told Network World.

Stuxnet USB2010 - Stuxnet‘s discovery in September 2010 ushered in the era of cyber war. According to most threat researchers today, only governments have the necessary resources to design and implement a virus of such complexity.Stuxnet is the first piece of malware specifically designed to sabotage nuclear power plants. It can be regarded as the first advanced tool of cyber-warfare. Stuxnet was almost certainly a joint U.S. / Israeli creation for damaging the Iranian nuclear weapons program, which it did, by destroying a thousand centrifuges used for uranium enrichment.

To spread, Stuxnet exploited several critical vulnerabilities in Microsoft (MSFT) Windows, which, until then, were unknown, including one guaranteeing its execution when inserting an infected USB key into the target system, even if a systems autorun capabilities were disabled. From the infected system, Stuxnet was then able to spread into an internal network, until it reached its target: a Siemens industrial software system that run Iran’s Bushehr nuclear reactor and most likely intended to destroy or neutralize the industrial system.

Duqu2011Duqu is the current star in the world of malware but, as history shows, that fame will be short-lived. Just like fashion models, modern malware has a lifespan in the media eye of a couple of weeks to a couple of months, tops. They then fade into the shadow of more dangerous and sophisticated tools, according to Help Net Security.

Gary Warner, director of Research in Computer Forensics in the UAB College of Arts and Sciences blogged that Duqu is a data stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we’ve seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Symantec disclosed in their report that one of the infections they were analyzing had been infected via a Word Document that exploited the system using a previously unknown 0-day attack.

On November 3, 2011, Microsoft released a Microsoft Security Advisory (2639658) Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege. The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.

rb-

Every couple of years a new malware is crowned the most innovative or dangerous cyber threat in the wild. The anti-malware industry is built on a game of chicken between malware creators and the anti-malware creators, with end users stuck squarely in the middle. As this series of article as shown this game has been going on for 40 years since computers were bigger than many houses and were as user friendly as the DMV.

 

Related articles
Category: Malware, Security | Tags: , , , , , , , , , ,
| February 9, 2011
2 comments

Who Moved My SPAM?

SPAm logoAnalysis of the spam trends by security vendor Commtouch reveals a significant drop in global spam levels according to the Help Net Security.  The article say that the average spam level for Q4 2010 was 83% down from 88% in Q3 2010. The beginning of December saw a low of nearly 74%. The New York Times also noted the decline in SPAM during Q4 2010. The NYT cites data from MessageLabs that global spam volumes dropped to about 30 billion messages a day from about 70 billion before Christmas. MessageLabs says the decline added to a downward trend under way since August, when spam peaked at some 200 billion spam messages a day, or 92.2 percent of all e-mail.

Symantec SPAM levels

computer spamThere are several theories why SPAM is drying up. One theory in the NYT article for why the botnets stopped spamming is that an important source of business may have dried up. September 2010 saw the Russians close down SpamIt, the organization allegedly behind much of the worlds pharmacy spam. Without SpamIt, “at least for now, there’s no content to fill the spamming cannons that Rustock has,” John Reid, of Spamhaus, a nonprofit group that tracks spammers, told the NYT.

Another theory put forward is that the botnet operators are intimidated. The NYT reports that in addition to going after SpamIt, Russian authorities recently arrested two spammers in Taganrog,in southern Russia, who had a database of nearly two billion United States and European Union e-mail addresses they had used to spread malicious programs, according to the HostExploit blog. “Even if the people were unrelated, the chilling effect of arrests can cause others to lay-low for a while,” Mr. Reid said, adding, “But all this is speculation.”

Symantec MessageLabsMatt Sergeant, senior anti-spam technologist at MessageLabs, a unit of the security-software maker Symantec (SYMC) wrote in a blog post, “Did the people in charge of these botnets suddenly go on vacation? Currently there are no explanations on why these botnets stopped spamming.”

Another theory could be that SPAMmers are changing tactics. The botnet operators appear to be shifting their focus to more lucrative social networking and mobile channels. Jamie Tomasello, Abuse Operations Manager at Cloudmark, told Help Net Security that these platforms allow SPAMmers to reach more responsive recipients compared with traditional email messages.

In a survey of Facebook users by F-Secure, the anti-malware firm, found that social networking spam is now a problem for three out of four Facebook users reported by ITNewsLink. F-Secure also found that 78 percent think spam is a problem on the site and 49 percent report they frequently see something in their newsfeed that they consider spam.

cloudmarkMs. Tomasello explains that technically, a botnet can send any kind of content and so they are increasingly being used to send messages that spoof content from social networking sites. This works in a similar way to email phishing attacks, where a message would drive the recipient to a malicious payload, or to a website to capture the recipient’s social network credentials. The cybercriminal could then log in to the social networking site with the compromised credentials and send spam via the platform to the compromised recipient’s friends.

Cloudmark’s Tomasello says that these messages can be much more convincing than email spam messages because social networks, and the friends a user is connected with, are often well trusted. Once a cybercriminal has compromised credentials they will use them to try to gain access to other e-commerce, social network, email or bank accounts, because many internet users use the same username and password combination across multiple web sites.

Mobile devices are also seeing increased threats. Gareth Maclachlan, Chief Operating Officer of AdaptiveMobile, a mobile security firm told ITnewslink “With the increasing pervasiveness of Smartphone devices, 2010 has undoubtedly been the year that fraudsters have truly turned their attention to mobile platforms.” Mr. Maclachlan continues:

With Smartphone penetration reported to reach 37 per cent in Europe and 44 per cent in the US by 2012, we predict that the number of threats targeted at unsuspecting mobile users will continue to increase at an exponential rate throughout the course of 2011. Even more significantly, the nature of the threats we are seeing will increase in sophistication. … next year will see the emergence of the ‘compound threat’ – intelligent scams designed to exploit multiple phone capabilities in order to reap maximum reward for the criminals, before the user even realises they have become a victim.

rb-

My SPAM data tracks with what the big boys are saying. The average number of SPAM emails I receive has dropped to a near record low 12.3 SPAM messages per day in January 2011 from a high of 77.5 SPAM messages in May of 2009.  The record low monthly average was 11.0 SPAM messages in May 2010. The number of SPAM messages I get on my Blackberry has been minimal, but the number of junk email’s I get even through LinkedIn has climbed.

Average Daily SPAMAre SPAMmers taking a break or reloading?

What are you doing to prevent SPAM on mobile devices?

Related articles
Category: Networking, Security, Social Networking, Wireless | Tags: , , , , ,
| August 31, 2010
Comments Off

CAPTCHAs Broken

Mims Bits on MIT‘s Technology Review reports that researcher from UC San Diego have figured out how spammers use low-cost workers in Russia, Southeast Asia, and China to solve millions of CAPTCHAs in near real-time.

A CAPTCHA is that bit of distorted text you have to type back at a webpage when you’re trying to sign up for a new email account or leave a comment on a blog.  In order to prevent spammers from flooding the web with their malware researchers developed CAPTCHAs. CAPTCHAs are designed to be easy for humans to solve but challenging enough for computers to get right that automated systems would not be effective.

In what Mims calls an epic new analysis by the UC San Diego researchers, they uncovered the “seedy underbelly” of a sophisticated, highly automated, world-wide network of services that help spammers get past the CAPTCHAs. The article says that the inventors of CAPTCHA probably didn’t expect thousands of laborers working for less than $50 a month would be recruited by spammers to solve an endless stream of CAPTCHAs.  Automated middlemen deliver the  CAPTCHAs to the workers by and then sell the results to spammers in real-time, so that their spam bots can use those solutions to post to blogs and set up fraudulent email accounts according to a paper (PDF) delivered at the USENIX Security 10 Symposium.

The UC San Diego researchers analyzed where the workers involved in this scheme were located and found that they are based in India, Russia, Southeast Asia and China. The system is so efficient at delivering CAPTCHAs to workers in these remote locales that the average time for delivery of a solution hovers around 20 seconds. ImageToText, one of the CAPTCHA services the researchers experimented with was able to deliver correct results in “a remarkable range of languages,” including Dutch, Korean, Vietnamese, Greek and Arabic.

Even setting the sample CAPTCHAs to Klingon , as a control in their experiment, could not stop ImageToText, according to Technology Review. The workers managed to solve a handful of the Klingon CAPTCHAs despite odds of less than one in one thousand of their randomly getting the right answer.

The results of this landmark study, says Mims,  show that a number of sites, including those run by Microsoft (MSFT), AOLGoogle (GOOG) and the widely used reCAPTCHA, are regularly compromised by spammers employing these services. The researchers conclude that their investigation with an anonymous “Mr. E” who actually runs one of these services, proves that for advanced spammers, CAPTCHAs aren’t so much a barrier as a cost of doing business.

DarkReading has a report that independent security researcher Chad Houck recently demonstrated his work on solving Google’s (NASDAQ: GOOG) reCAPTCHA. reCAPTCHA was designed to stop software bots attempts to create free accounts on the Google services for their malware ways.  Despite recent enhancements made by Google, DarkReading says Houck came up with algorithms that could beat reCAPTCHA 30 percent of the time.

A 30% success rate means that automated software using Mr. Houck’s algorithm will be able to create one Google account out of just three attempts. Multiply those odds by the endless attempts by tens of thousands of zombies in a typical botnet, reCAPTCHA is broken.

In the DarkReading article, Houck notes that “[ReCAPTCHA] has never been wholly secure. There are always ways to crack it.” The researcher has since published a white paper on it, and has also released his algorithms online. For now at least, a Google spokesperson says there has not been any sign of this particular attack being actively used.

Related articles
Category: Malware, Security | Tags: , , , , , ,
« Older Entries  

Switch to our mobile site