The volume of government requests to Google for user data is continuing to increase, something that should come as no surprise in the current climate. In its latest transparency report, the company said that it received more than 25,000 requests for user data in the first six months of 2013, an increase of about 18 percent.
As is normally the case, the huge majority of the requests that Google received through June of this year came from the United States, with 10,918 requests. Interestingly, India came in with the second-most requests, with 2,691. Germany, France and the U.K. rounded out the top five. The number of requests in which Google handed over some of the data demanded by the government is quite high, especially with regard to U.S. requests, where Google provided data in 83 percent of requests.
The kinds of data that Google, and other companies that move and store similar kinds of user information, must disclose to law enforcement agencies can vary quite a bit, depending upon the kind of request or order it receives. It can range from simple name, email and phone number information to email content, private message content and IP address data. Google and many of its peers have petitioned the government in recent months for the ability to publish more information about the kinds of requests they get for user data, specifically National Security Letters. Right now, companies are only permitted to disclose those numbers in ranges of 1,000.
NSLs are special orders served by the FBI on companies that require the recipient to produce data as part of a national-security related investigation. They are secret and typically the recipient isn’t permitted to disclose that it has even received an NSL. Google, Yahoo and Facebook have asked the government to allow them to publish specific numbers of NSLs.
In all, Google received 25,879 requests for user data in the first six months of 2013 covering more than 42,000 total accounts. The company produced some data in 65 percent of those requests, for all governments.
Google’s new report, published this week, also includes quite a bit of data on malware distribution, phishing sites, attack sites and compromised sites. One of the key pieces of this puzzle is the Safe Browsing API that Google publishes and is used by all of the major browsers. The system scans large chunks of the Web constantly, looking for various kinds of malicious sites and incorporating the results into the browsers’ security warnings to users. For example, of the more than 35 million sites in the U.S. scanned during the reporting period, less than one percent were found to be hosting malware. By comparison, six percent of the 275,000 sites scanned in Canada were hosting malware and in Myanmar–which you may know as Burma–only one site was found hosting malware.
UPDATE: The math in this and other reports was simply tabulated incorrectly.
New American presidents often are measured by what they accomplish in their first 100 days. By that yardstick, the crew behind the CryptoLocker ransomware has been a raging success. The unknown group of attackers has already infected between 200,000 and 250,000 systems worldwide and likely raked in far more than $300,000 in ransom to date, according to researchers at Dell SecureWorks CTU, who published a deep analysis of the malware this week.
In a blog posted Wednesday, Keith Jarvis, a Senior Security Researcher with Dell SecureWorks, discussed the history of CryptoLocker and described how the malware is able to encrypt its victims’ files until they pay a ransom, usually around $300.
While all of the research is an interesting read, it’s especially noteworthy that the analysis has finally given us an idea how many computers have been infected since the malware surfaced shortly after the beginning of September.
It was reported the malware was sent to “tens of millions” of online banking customers in the U.K. in November but at the time it wasn’t certain just how many machines had actually opened the malicious attachment and were legitimately infected.
Now it’s clear that somewhere between 200,000 and 250,000 systems have been infected globally in the threat’s first 100 days, with the bulk of the attacks targeting machines in the United States.
CryptoLocker infections have surged over the last few months with officials from the US-CERT and the U.K.’s National Crime Agency’s National Cyber Crime Unit warning computer users in their regions about CryptoLocker infections in October and November, respectively.
While both nations sounded the alarm, it was the U.S., at least from October 22 to November 1, that saw the lion’s share of infections. The United States saw 22,360 infections, accounting for a staggering 70.2 percent of the total infections over that time period. Great Britain came in a distant second with almost 2,000 infected systems, or about 5.5 percent of total infections.
As expected, the jump in infections coincided with a barrage of spam from the Cutwail botnet. Attackers used emails sent out in October by botnets like Cutwail as vehicles for malware like Zeus Gameover that distributed and delivered CryptoLocker.
CryptoLocker infections have faded somewhat over the last week or so though, and allowed the U.S. and the U.K. to more or less even up with each other. From December 9 to December 16, the United States tallied 24 percent of all infections while the U.K. accounted for 19 percent of all infections.
While it was already established that CryptoLocker relies on multiple payment platforms — electronic methods like MoneyPak, CashU, Ukash and Paysafecard — to facilitate ransom, it wasn’t until October that it was discovered that the malware had also begun accepting Bitcoin, the all-the-rage-these-days digital crypto-currency, to let users decrypt their files.
SecureWorks estimates that if the malware creators had actually cashed in the 1,216 BTC (Bitcoin) they collected over this period they could’ve made $380,000. Since Bitcoin conversion rates fluctuate wildly though, that’s a far cry from what they could’ve earned if they had held onto it until today. The attackers’ Bitcoins could fetch around $980,000 currently according to Jarvis, who used the current weighted price of $804/BTC in his calculations.
Jarvis stresses that this is still a “conservative estimate” though and goes on to note that a tiny fraction of CryptoLocker victims, only 0.4%, actually pay the ransom.
At that rate, however, it’s likely that the CryptoLocker gang managed to convince at least 1,000 or so victims to pay up. At $300 a pop, that’s a cool $300,000 the attackers earned in just over 100 days, a profit they’ve clearly managed to conceal.
“Based on the duration and scale of attacks, they also appear to have the established and substantial ‘real world’ infrastructure necessary to ‘cash out’ ransoms and launder the proceeds,” Jarvis said, crediting the attackers’ prowess.
Dennis Fisher talks with Brian Donohue, Threatpost’s Washington, D.C. writer, about the new report from the NSA reform panel and whether any of the recommended changes will ever be implemented.
http://threatpost.com/files/2013/12/digital_underground_138.mp3
A presidentially appointed, five member panel issued a more than 300-page report yesterday calling for nearly 50 recommendations for changes in the way that the National Security Agency conducts its increasingly public and controversial sweeping surveillance programs.
The entire report hinges on the oft-repeated notion that the country must strike a healthy balance between two adversarial desires: the necessity of maintaining constant vigilance in the face of international terrorism and other threats, and the hope that such protections will not erode the United Nations-recognized universal human right to personal privacy.
More specifically, the writers of the report urge its readers to carefully consider the following four principles:
- The United States Government must protect, at once, two different forms of security: national security and personal privacy.
- The central task is one of risk management; multiple risks are involved, and all of them must be considered.
- The idea of “balancing” has an important element of truth, but it is also inadequate and misleading.
- The government should base its decisions on a careful analysis of consequences, including both benefits and costs (to the extent feasible).
From the very beginning, the U.S. government has justified its surveillance programs by claiming its only intention is to target non-U.S. citizens for intelligence gathering. They have claimed there is no value in blindly collecting the email and other communications of U.S. citizens. Oddly, much of the media’s coverage has focused not on the ethics of mass spying in general, but rather on the collateral impact such practices may have on U.S. citizens. Beyond that, there have been constant accusations that NSA statements do not reflect reality, and that the communications data of U.S. citizens are indiscriminately swept into the NSA dragnet as well.
Refreshingly, the report attempts to give equal consideration for those surveilled at home and abroad:
“We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons.”
Each time the NSA would like to monitor the communications of a non-U.S. person, the report urges that the surveillance must be authorized by duly enacted laws or properly authorized executive orders; it must be directed exclusively at protecting national security interests; it must not be directed at illicit or illegitimate ends (such as the theft of intellectual property); it must not target any non-U.S. person based solely on that person’s views, religious, political, or otherwise; it must not disseminate irrelevant information; and it must be subject to careful oversight and transparency.
The panel consisted of Richard Clarke, one-time deputy Central Intelligence Agency director Michael Morell, former Chicago Law School dean and American Civil Liberties Union advisory board member Geoffrey Stone, legal scholar and former administrator of the Office of Information and Regulatory Affairs Cass Sunstein, and privacy law expert from the Georgia Institute of Technology Peter Swire.
Broadly speaking, regarding the collecting of information related to the communications of U.S. citizenry, the panel suggests several significant changes. First, an end to default metadata collection. Such information, they claim, should be stored privately – by companies or other third-party groups, but not by the NSA or the government directly. Second, the panel endorses more stringent protections of communication-data between U.S. and non-U.S. citizens. Third, they call for more limitations on the ability of the Foreign Intelligence Surveillance Court to compel the disclosure of data from third-parties to the government, both through National Security Letters and other means. Lastly, the group calls for legislative action aimed at promoting transparency on the part of the government and also those companies that receive government requests for data.
In order to curb frivolous data collection, the panel advises that the president create a new process, requiring highest-level approval of all sensitive intelligence requirements and the methods that the intelligence community will use to meet them. Those involved in this process should consider whether the information they seek to collect is truly valuable in the context of national security. They should also discuss the aims and means of their surveillance of foreign citizens and governments with the relevant leaders of closely allied nations.
The panel also calls for a number of organizational NSA reforms: they believe that the NSA director should be a Senate-confirmed position and urge the president to seriously consider appointing a civilian as the next director. However, that’s unlikely, given that the White House recently confirmed that the NSA director will retain oversight of Cyber Command, too, a military position. Furthermore, they argue the NSA should be clearly designated as a foreign intelligence organization, thus differentiating between the organizations responsible for offensive and defensive operations. Other missions (including that of NSA’s Information Assurance Directorate) should generally be assigned elsewhere. The head of the military unit, US Cyber Command, and the Director of NSA, they claim, should not be a single official. The report also asks for the creation of a public interest advocate to sit in on all FISC hearings.
Lastly, the report argues that the U.S. Government should take substantial steps toward bolstering international communication security.
“The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage. Among other measures relevant to the Internet, the US Government should also support international norms or agreements to increase confidence in the security of online communications.”
As for the information that meets the stated criteria and is collected by the government, the report says it must be better protected. They say the government should altogether eliminate the use of for-profit companies in the process of conducting personnel investigations and that the government needs to reexamine its system of security clearances, including the implementation of continual monitoring for individuals with high-level clearances.
Former NSA research scientist and current CTO of Immunity Inc., Dave Aitel, wrote in an analysis of the NSA report on his Daily Dave email list that the security clearance system is clearly and obviously broken, but he asserts that this document’s recommendations fail to address the real problems with that system and ultimately will not fix it. The real issue, he says, everywhere in the intelligence community is one of resources. As in all American companies, he writes, there is simply a shortage of qualified technical people.
The splitting of Cyber Command from the Information Assurance Directorate, Aitel says, would further exacerbate this lack of talent by restricting the mobility of skilled workers from positions in one division to positions in the other.
One aspect of the report that hasn’t received as much attention as the bits about surveillance reform is the section on the purchase and usage of zero days. The panel says that it’s usually in the best interest of Americans for the government to fix bugs rather than use them for offensive purposes, an assertion that Aitel disputes.
“It is demonstrably true,” Aitel writes in his analysis, “that the IC fixes vulnerabilities in both government and commercial systems that it deems a great threat – but the document describes a process that would unilaterally disarm our offensive teams for no clear defensive benefit. Likewise, the US Govt does not always have the intellectual property rights to 0days that would allow it to disclose them to a vendor – and should it start ignoring the agreements with its supply chain, the supply chain (which may be individuals, companies, other governments, other parts of the USG, academic institutions, etc.) will quickly find other customers.
“The paper states without any supporting evidence ‘In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection.’ This is demonstrably not true since without these vulnerabilities a large segment of extremely valuable targeted collection would go blind and fixing all USG known vulnerabilities does not necessarily decrease the risk from running buggy commercial software.”
Antenna image via Rikard Fröberg’s Flickr photostream, Creative Commons
On the same day that a panel of experts delivered a report to the United States president recommending sweeping changes to the way that the National Security Agency collects, handles and stores intelligence, the United Nations unanimously adopted a resolution calling for the protection of users’ right to privacy and emphasizing their right to be free from online surveillance.
The action by the U.N. comes in response to the avalanche of documents and information that have been made public since June regarding the capabilities and methods of the NSA and some of the intelligence agencies in other countries, including the United Kingdom and Canada. Documents leaked by former NSA contractor Edward Snowden have revealed the agency’s metadata collection program, the PRISM Internet traffic collection system and many others, which, taken together, form a picture of large-scale surveillance of Internet users’ movements and activities. The leaks have disturbed many in the privacy and human rights communities, especially, and have been the catalyst for calls for intelligence reform and greater oversight of what’s being collected and stored.
The resolution passed by the U.N. condemns the sweeping surveillance of innocent citizens of member states and demands that they “respect and protect the right to privacy, including in the context of digital communication.”
The resolution is the work of representatives from Germany and Brazil, and Navi Pillay, the U.N. high commissioner for human rights, said that the operations revealed by Snowden have emphasized the importance of ensuring that basic human rights, including the right to privacy, extend to the online world.
“Snowden’s case has shown the need to protect persons disclosing information on matters that have implications for human rights, as well as the importance of ensuring respect for the right to privacy,” she said.
“The right to privacy, the right to access to information and freedom of expression are closely linked. The public has the democratic right to take part in the public affairs and this right cannot be effectively exercised by solely relying on authorized information.”
The resolution also requires that Pillay put together a report on the protection of the right to privacy online, particularly in the context of mass surveillance, and deliver it to the General Assembly. The measure, which the United States lobbied to modify, also asks member states to look at their intelligence and data-collection programs with an eye on privacy and see whether modifications are needed.
Image from Flickr photos of PAVDW.
Dennis Fisher and Mike Mimoso discuss the happenings in the security world of late, including the latest NSA revelations, the odd DGA Changer malware and the response of attackers to the death of Blackhole.
http://threatpost.com/files/2013/12/digital_underground_137.mp3
A trio of scientists have verified that results they first presented nearly 10 years ago are in fact valid, proving that they can extract a 4096-bit RSA key from a laptop using an acoustic side-channel attack that enables them to record the noise coming from the laptop during decryption, using a smartphone placed nearby. The attack, laid out in a new paper, can be used to reveal a large RSA key in less than an hour.
In one of the cleverer bits of research seen in recent years, three scientists from Israel improved on some preliminary results they presented in 2004 that revealed the different sound patterns that different RSA keys generate. Back then, they couldn’t figure out a method for extracting the keys from a machine, but that has now changed. The research, which involves Adi Shamir, one of the inventors of the RSA algorithm and a professor at Weizmann Institute of Science, and two other academic researchers from Tel Aviv University, lays out a method through which an attacker can use a smartphone placed near a laptop to record the sounds generated by the machine during a decryption process using the GnuPG software.
“In this paper we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away,” the researchers said in the paper, “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis”, published Wednesday.
The attack relies on a number of factors, including proximity to the machine performing the decryption operation and being able to develop chosen ciphertexts that incite certain observable numerical cancellations in the GnuPG algorithm. Over several thousand repetitions of the algorithm’s operation, the researchers discovered that there was sound leakage they could record over the course of fractions of a second and interpret, resulting in the discovery of the RSA key in use.
“We observe that GnuPG’s RSA signing (or decryption) operations are readily identified by their acoustic frequency spectrum. Moreover, the spectrum is often key-dependent, so that secret keys can be distinguished by the sound made when they are used. The same applies to ElGamal decryption. We devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer, within an hour, by analyzing the sound generated by the computer during decryption of chosen ciphertexts. We demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer, and using a sensitive microphone from a distance of 4 meters,” the paper says.
To test their attack, the researchers performed it against GnuPG using OpenPGP messages containing their chosen ciphertext. OpenPGP clients will, in some cases, automatically decrypt incoming email messages.
“In this case, an attacker can e-mail suitably-crafted messages to the victims, wait until they reach the target computer, and observe the acoustic signature of their decryption, thereby closing the adaptive attack loop,” the researchers said.
Their attack works against a number of laptop models, and they said that there are a number of ways that they could implement it, including through a malicious smartphone app running on a device near a target machine. They could also implement it through software on a compromised mobile device or through the kind of eavesdropping bugs used by intelligence agencies and private investigators.
The developers of GnuPG have developed a patch for the vulnerability that the Israeli researchers used, implementing a technique known as blinding, which randomizes the value the private-key operation actually works on so that its leakage no longer depends on the attacker’s chosen ciphertext. The patch is included in version 1.4.16 of GnuPG. Shamir and his co-authors, Daniel Genkin and Eran Tromer, said that they could also perform their attack from a greater distance using a parabolic microphone, and that it may also work with a laser microphone or vibrometer.
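To make the countermeasure concrete, the following is an added illustration of RSA base blinding written for this page; it is not GnuPG’s code and uses a constructed toy key (two small primes) rather than a 4096-bit one. The private-key exponentiation in the blinded path never sees the ciphertext the sender chose, which is what denies the acoustic attack its chosen-ciphertext control.

```python
"""RSA decryption with and without base blinding (added example, not GnuPG code).

Blinding multiplies the ciphertext c by r^e for a fresh random r before the
private exponentiation, so the base actually exponentiated is (c * r^e) mod n,
which an attacker who chose c cannot predict. Since r^(e*d) == r (mod n), the
result is (c^d * r) mod n and a final multiply by r^-1 recovers c^d = m.
"""
import secrets
from math import gcd

# Constructed toy key for illustration only; real keys use 2048+ bit primes.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # modular inverse, Python 3.8+


def encrypt(m: int, e: int = E, n: int = N) -> int:
    """Textbook RSA encryption of an integer message m < n."""
    return pow(m, e, n)


def decrypt_plain(c: int, d: int = D, n: int = N) -> int:
    """Unblinded decryption: the exponentiation runs directly on the
    attacker-controlled base c, so its intermediate values (and any
    side-channel leakage derived from them) are a function of c."""
    return pow(c, d, n)


def blind(c: int, e: int = E, n: int = N) -> tuple[int, int]:
    """Return (blinded ciphertext, r) for a fresh random r coprime to n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (c * pow(r, e, n)) % n, r


def decrypt_blinded(c: int, d: int = D, e: int = E, n: int = N) -> int:
    """Blinded decryption: exponentiate a randomized base, then unblind."""
    c_blind, r = blind(c, e, n)
    m_blind = pow(c_blind, d, n)          # equals (c^d * r) mod n
    return (m_blind * pow(r, -1, n)) % n  # strip the factor r


if __name__ == "__main__":
    msg = 123456789
    ct = encrypt(msg)
    print("plain  :", decrypt_plain(ct))
    print("blinded:", decrypt_blinded(ct))
```

Both paths return the same plaintext; the difference is only in what the CPU computes on the way there. Blinding costs one extra modular exponentiation per operation (computing r^e), which is why GnuPG had originally left it out of the code path the researchers targeted.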
Image from Flickr photos of Tess Watson.
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.
There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even being notified. That speaks of the lack of security awareness on some companies, and how some websites just get abandoned and become a hive of malware.
However, one of the things that drew my attention was the detection of many PHP backdoors with not-so-common extensions, such as JPG or MP3. Maybe a false positive? Worth taking a look!
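One way a defender can triage this kind of finding is to check whether files with media extensions actually start with the expected file header and whether they contain a PHP open tag. The check below is an added example written for this page, not the author’s detection system; the sample files are constructed inline, and a PHP tag inside a `.jpg` is only exploitable if the web server is configured to execute such files, so it is a triage signal rather than proof of a backdoor.

```python
"""Flag files whose extension says "media" but whose bytes say otherwise.

Added example, not the original author's tooling. Two independent signals:
  1. the file does not begin with the magic bytes its extension implies;
  2. a PHP open tag appears anywhere in the content.
Either one on a .jpg/.mp3 is worth a manual look.
"""
import re
from pathlib import Path

# Magic bytes for extensions that should never carry PHP code.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

# "<?php" or the short echo tag "<?=", case-insensitive.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify(name: str, data: bytes) -> list[str]:
    """Return a list of findings for one file (empty list = nothing odd)."""
    findings = []
    ext = Path(name).suffix.lower()
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("header does not match extension")
    if PHP_TAG.search(data):
        findings.append("PHP open tag present")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory and report only files with at least one finding."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in MAGIC:
            hits = classify(path.name, path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples, not real captured files.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "image.jpg": b"<?php /* constructed sample, not a real script */ ?>",
    "track.mp3": b"ID3\x03\x00" + b"\x00" * 16 + b"<?php /* appended */ ?>",
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 16,
}


def scan_samples() -> dict[str, list[str]]:
    """Run classify() over the constructed samples."""
    return {n: classify(n, d) for n, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'clean'}")
```

`track.mp3` shows the case that only the content check catches: the header is a valid ID3 tag, so a magic-bytes check alone would pass it. Conversely `image.jpg` fails both checks. Run `scan_tree("/var/www")` (or wherever the document root lives) to apply the same logic to a real tree.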
UPDATE – TJX and Heartland Payment Systems may soon have company atop the list of the worst retail data breaches in U.S. history after reports surfaced that Target Corp. was breached around Black Friday and millions of credit and debit cards were stolen.
Target confirmed the breach this morning and in a statement said 40 million credit and debit cards were accessed starting the day before Thanksgiving and that hackers had access to the company’s systems until Dec. 15. Target said the issue has been resolved and the company is working with law enforcement and had hired a forensics firm to help with the investigation. It is also working with financial services organizations and credit card companies in order to notify affected customers.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, Target chairman, president and chief executive officer. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Krebs on Security reported Wednesday afternoon that the breach began on or around Nov. 29, Black Friday, the kickoff to the Christmas shopping season and could have lasted as long as Dec. 15. The Wall Street Journal also reported on the breach, corroborating many of the same facts.
The breach affects only those customers who shopped at physical Target locations, and sources told blogger Brian Krebs that nearly all Target locations in the U.S. could be involved. Online shoppers at Target.com were not impacted, sources said.
Few details are available, but it appears the hackers made off with track data, the personal information stored on the magnetic stripes of credit cards. It’s unclear whether PINs were stolen as well, but if they were, ATM cards could be replicated and used to withdraw money.
Sources told Krebs that the breach could be among the largest retail breaches in U.S. history.
More than 45 million credit cards were stolen in the TJX hack; in 2010 Albert Gonzalez of Miami was sentenced to 20 years in prison for his orchestration of the breach. He was also sentenced in the Heartland Payment Systems breach which involved tens of millions more credit card numbers stolen from a number of retailers.
The TJX hack is the poster child of retail data breaches. Gonzalez’s ring was on the TJX network for as long as two years and affected customers who shopped in any of TJX Company’s retail operations going as far back as 2003 until December 2006.
This article was updated at 7 a.m. with comments from Target Corp., and clarifications throughout.
The arrest of alleged hacker Paunch and the subsequent dismantling of the Blackhole Exploit Kit operation has cybercrime groups scrambling to find another automated means of delivering exploits.
In the meantime, some are settling for old-school tactics that include infected email attachments and an increased investment in the social engineering used to entice users into double-clicking and executing the malware stored in the attachment.
The most recent evidence of this comes from a major cybercrime group reliant on the Cutwail botnet to send out spam that had been fiddling with a relatively new exploit kit called Magnitude before deciding to go the direct-attachment route.
Researchers at Websense said that since Paunch’s arrest, reported in early October, the company has captured emails with links that used to redirect to Blackhole now redirecting to Magnitude and others redirecting to phishing pages with American Express, work from home and diet remedy themes.
Apparently, however, Magnitude didn’t serve the attackers’ needs sufficiently as more and more samples included direct attachments, said director of research Alex Watson.
“That gives us an interesting look at the criminal community that leaves you open to speculate why they experimented with Magnitude and then moved away,” Watson told Threatpost. While the group was using Blackhole, the number of Cutwail messages containing malicious URLs was markedly higher than post-Blackhole when the number of emails containing infected ZIP files shot up.
“The overall levels of malicious activity have stayed somewhat consistent, but I would say the success of campaigns since moving to direct attachments and things like that is dramatically lower,” Watson said. “We’ve seen slightly more sophisticated social engineering attacks that are more convincing to users, but not nearly the same success rates they had when Blackhole was available for use.”
Cutwail is one of the most established and most prolific spam botnets, sending, at one point, millions of spam messages daily. It was two million compromised machines strong and was used to distribute spam and financial malware targeting not only credit card data but credentials. The Cutwail emails often included links that would lead victims to sites hosting Blackhole, which would then inject downloaders for other malware such as ZeroAccess or Zeus.
The arrest of Paunch and the Blackhole takedown has turned cybercrime economics on its ear in some parts. Attackers have been forced to find other avenues to recover lost revenue.
“They’ve had to put more work into the social engineering and having sophisticated-looking emails to get users to click,” Watson said. “A second thing we’ve noticed is an increased aggressiveness with malware installations on computers that are compromised.”
Where attackers would be satisfied with leaner attacks because the volume provided by Blackhole web injections was so high, that’s now changed.
“Often we’ll see a Pony downloader which will steal credentials, which will then download Zeus, which will then download Cryptolocker, all in the matter of a couple of minutes,” Watson said. “So you’re looking at very aggressive installation of malware on computers that are targeted, which could be another way of making up lost revenue due to not infecting as many machines.”
Compromised computers are more than ever cash cows for attackers, some of whom invest significant money in purchasing exploit kits such as Blackhole. When that goes away, a number of infection vectors go away with it. Some of that dynamic has given rise to ransomware in recent months, in particular Cryptolocker, which encrypts files on shared drives in return for a ransom. Other malware variants have taken to anonymity networks such as Tor or I2P to hide communication and hopefully preserve the longevity of their enterprise.
Ransomware, however, gives an attacker an immediate shot at collecting a payout, Watson said.
“With Cryptolocker, I think there have been some cases where it’s been very successful,” he said. “If you look at smaller companies that don’t have really strong controls around file sharing or backup, and those businesses that don’t really have an established disaster recovery plan would be vulnerable to this.”
Researchers at Arbor Networks have identified a new DDoS bot with a fancy for ferrets.
Following a clue in a tweet, researcher Dennis Schwarz found Trojan.Ferret, including a command and control panel with some insight into targets. To date, a relatively small number of malware samples and command and control servers have been uncovered, Schwarz said, indicating that the full scope of the campaign is not clear yet.
“Some of the targeted site types [are] real estate companies, electronics shop, a wedding dress shop, a Panamanian politician, and a news site,” Schwarz told Threatpost. Victims have been found in the Netherlands, Russia, the United States and Germany.
Trojan.Ferret is written in the Delphi programming language and includes a number of self-preservation capabilities, including UPX packing, string obfuscation, anti-virtual machine and anti-debugging measures, self-modifying code and process hollowing.
The fact that the samples captured by Arbor Networks are written in Delphi indicates a likely Russian origin, Schwarz said.
“There exists a malware stereotype that if it’s written in Delphi, it’s of ‘Russian’ origin,” Schwarz said. “Empirically, it tends to pan out. I have a theory that when the current generation of ‘Russian’ malware authors (or who they base their code on) was going through their computer science curriculums that Delphi was the language of choice. So, that’s what they know and that’s what they’re comfortable with.”
Schwarz said that the malware author’s choice of Delphi also helps keep it viable.
“For a reverse engineer, the major disadvantage of Delphi is that it is a very messy language to disassemble,” he said. “It’s almost an art separating the wheat from the chaff.”
Trojan.Ferret uses two obfuscation methods, both combining base64 and XOR encryption to mask what’s happening under the covers. Different encryption keys are used for different parts of the malware code base, Schwarz said, adding that one method is used mostly to encrypt strings in the malware code, while the other hides communication back and forth with the command and control server.
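The string layer described above, worked through as an added example that is not Arbor's tooling and does not use Ferret's real keys or layering order. It assumes the malware XORs a string with a short repeating key and then base64-encodes the result (the reverse order would just swap two lines), and it shows the analyst-side step the article alludes to: when the decoded string is known to start with a predictable fragment such as "http://", the key bytes for those positions fall straight out of the ciphertext.

```python
"""Base64 + repeating-key XOR string obfuscation, decoding and key recovery.
Added example; the key, layering order and sample string are constructed."""
import base64
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key`, repeating the key as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: str, key: bytes) -> str:
    """Constructed stand-in for the packer's string layer: XOR, then base64."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """Undo the layer above: base64-decode, then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def recover_key(blob: str, known_prefix: str, key_len: int) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    If the decoded string is known to begin with `known_prefix`, XORing that
    prefix against the raw (base64-decoded) bytes yields the key bytes at those
    positions. With a prefix at least `key_len` long the whole key is recovered.
    """
    raw = base64.b64decode(blob)
    prefix = known_prefix.encode("utf-8")
    if len(prefix) < key_len:
        raise ValueError("known prefix must cover at least one full key period")
    return bytes(r ^ p for r, p in zip(raw[:key_len], prefix[:key_len]))


if __name__ == "__main__":
    key = b"k3y!"                                           # constructed key
    blob = obfuscate("http://c2.example.invalid/gate.php", key)  # constructed string
    print("encoded:", blob)
    print("key recovered from 'http://' prefix:", recover_key(blob, "http://", len(key)))
    print("decoded:", deobfuscate(blob, key))
```

The same routine applies to the second layer the article mentions (C2 traffic) as long as its key is used the same way; in practice the two layers carry different keys, so each must be recovered separately.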
Command and control communication is done over HTTP, and the bot comes equipped with a phone-home capability as well as a number of commands. The particular server infiltrated by Arbor is in Ukraine.
Schwarz’s research so far has identified 18 commands in this bot, most of them flood commands used to overwhelm websites with bogus traffic. Other commands download additional bots onto infected computers, or push updates to all bots, to specific bots or only to bots running on particular operating systems. There are also removal commands.
“For the DDoS commands, I would say Ferret implements the core set of floods,” Schwarz said. “Missing from the command set are the standard suite of application layer attacks such as Slowloris, Apache Killer, and RUDY.”
Schwarz gained access to the command and control panel and learned from its dashboard, besides the fact that the author calls the bots “ferrets,” that there are close to 3,000 compromised machines out there and that the attackers can see how many are active within any 24-hour or seven-day period.
Image courtesy Arbor Networks
Malware authors have been using domain-generation algorithms for a few years now, often in botnet-related malware that needs to stay one step ahead of takedown attempts and law enforcement agencies. Now, researchers have discovered that a strain of malware that may have been part of the attack in October on PHP.net is employing a DGA tactic that enables the malware to change the seed it uses to generate the random domains.
Domain-generation algorithms are used by malware to rapidly generate new, pseudo-random domains that the malware can use for command and control. The idea is to avoid having static C2 domains that are easy targets for security researchers and law-enforcement agencies looking to take down the command infrastructure that the attackers use to communicate with infected machines. DGAs are often seen in botnets, but have become fashionable for more mundane malware as well in recent years. After infecting a new machine, the DGA Changer malware, as Seculert has named this piece of software, sends a variety of data back to the attackers, including the OS information, the DGA seed, the version of Adobe Flash running on the machine and whether the malware is running in a virtual machine.
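To make the seed's role concrete, here is a toy seeded DGA as an added example; it is not Seculert's code and not DGA.Changer's actual algorithm, and the hash construction, TLD list and date are all constructed for illustration. It shows the defender's normal countermeasure (precompute the day's domains from a known seed and blocklist or sinkhole them) and why a seed that can be changed remotely undermines it: the new seed's domains share nothing with the old list.

```python
"""Toy seeded domain-generation algorithm (added example, constructed)."""
import hashlib

TLDS = ("com", "net", "org")  # constructed, arbitrary choice


def generate_domains(seed: int, day: str, count: int = 10) -> list:
    """Return `count` deterministic domains for a (seed, ISO date) pair.

    Every bot sharing the seed computes the same list, so the operator can
    register one entry in advance and bots find it by walking the list.
    A defender who has extracted the seed can precompute the same list and
    blocklist or sinkhole it, which is exactly what a remote seed change defeats.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day}:{i}".encode()).digest()
        # 12 lowercase letters from the hash, then a TLD picked by the next byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_coverage(blocklist_seed: int, live_seed: int, day: str, count: int = 10) -> int:
    """How many of the live seed's domains a blocklist built from
    `blocklist_seed` still catches on the given day."""
    blocked = set(generate_domains(blocklist_seed, day, count))
    return sum(1 for d in generate_domains(live_seed, day, count) if d in blocked)


if __name__ == "__main__":
    day = "2013-12-17"  # constructed date
    print(generate_domains(1, day, 3))
    print("caught before seed change:", blocklist_coverage(1, 1, day))
    print("caught after seed change: ", blocklist_coverage(1, 2, day))
```

Real DGAs differ in the details (some hash the date, some use a linear congruential generator, some mix in a hard-coded magic value), but the defensive workflow is the same: the seed plus the algorithm gives a complete forecast of the domains, and losing the seed to a remote update means starting the analysis over.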
Aviv Raff, CTO of Seculert, said that after digging into the malware used in the PHP.net attack, it appears that the malware also uses some more conventional tactics, but likely is just the first stage of a more extensive attack.
“We have first noticed the DGA changing capability on the same day of the php.net attack. However, there might have been different variants of this downloader without this new technique, used by the same attackers, beforehand,” Raff said.
“This is most probably a pay-per-install service which, instead of selling by region, targets specific organizations.”
Seculert researchers said that there are DGA Changer infections around the world, but that most of them so far have been found in the United States. What the malware is going to do in the future remains to be seen, but researchers say that the ability to change the DGA seed is a good indication that there’s more to come.
“Strangely, DGA.Changer doesn’t appear to be downloading anything of value yet. In fact, the only thing it has downloaded so far is a file that…you guessed it…does absolutely nothing. Our speculation is that the adversaries behind DGA.Changer are likely selling bots on a pay-per-install basis from specific companies, and installing other malware only on their machines,” they said in a blog post.
“Why would adversaries deploy a malware which downloads nothing, on a site used by software developers, and then engineer it so that it can receive commands from a C2 server to change the DGA seed? It makes no sense – and that’s worrisome. Not all adversaries are geniuses, but they typically have an agenda. We have no doubt that this is only the beginning of the DGA.Changer story.”
Security weaknesses on the Santander Group BillPay website and mobile banking application have been addressed by the financial services organization’s developer Headland after they were exposed less than a week ago.
U.K. consultant Paul Moore of Cressona Corp. reported a number of serious vulnerabilities in the Santander website and mobile application; Santander Group recently acquired Sovereign Bank in the United States and has 718 branches nationwide serving 1.7 million customers. The vulnerabilities included weaknesses in the online app that made it susceptible to man-in-the-middle and denial-of-service attacks, and support for outdated protocols that opened it up to a number of other attacks.
Moore said last Friday that Santander and Headland had resolved all outstanding issues aside from a weak password storage flaw that requires code and database changes by the development agency.
Moore noted a number of problems; the most worrisome were improperly installed SSL certificates, which are supposed to guarantee the encryption and security of online transactions. A vulnerability scan showed that the Web app did not support a number of baseline SSL features, including secure session renegotiation, TLS compression, forward secrecy and Strict Transport Security; it did, however, support the outdated RC4 encryption algorithm, which a number of experts have urged organizations to move away from.
Moore also discovered issues with password storage: the app imposed a maximum length of 50 characters per password, a sign that it may not be hashing passwords securely, since a properly hashed password takes up the same storage space whatever its length. Moore attempted a password reset but was instead offered a reminder email in which his password was delivered in plain text.
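The two password-storage findings above (a length cap and a plaintext "reminder") both follow from storing the password itself. As an added example, not Santander's or Headland's code, here is the pattern that avoids both: a salted, iterated hash that accepts any length because only a fixed-size derived key is stored, and a reset flow that sends a one-time token because the site has no password to send. The iteration count and the token format are constructed choices.

```python
"""Salted PBKDF2 password storage and a token-based reset (added example)."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

ITERATIONS = 200_000  # constructed work factor; tune upward for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a fixed-size key from the password; the password is never stored.
    A 5-character and a 500-character password produce the same-sized record,
    so no length cap is needed."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def issue_reset_token() -> Tuple[str, str]:
    """Password 'reminder' replacement: return (token to email, hash to store).
    Only the hash is persisted, so a database leak does not expose live tokens."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def verify_reset_token(token: str, stored_hash: str) -> bool:
    """Check a presented reset token against its stored hash."""
    return hmac.compare_digest(hashlib.sha256(token.encode("ascii")).hexdigest(), stored_hash)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed password
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    token, token_hash = issue_reset_token()
    print("reset token valid:", verify_reset_token(token, token_hash))
```

A reset token should also carry an expiry and be invalidated on first use; both are bookkeeping around the stored hash and are omitted here for brevity.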
The site also suffered from a serious cross-site scripting vulnerability on a payment gateway hosted under the BillPay website that allowed attackers to inject content at will, including fake payment forms or other hacks that would lead to a loss of data or funds.
As for the mobile app, Moore said that, using the Fiddler debugging proxy, he was able to run a man-in-the-middle attack against himself that captured his credentials. The app did not warn about the bogus SSL certificate generated by Fiddler and completed the login. The same was true of Santander Group’s mobile business app.
On the plus side, Moore said Santander Group and Headland resolved the issues within 72 hours of their being reported. The SSL implementation was addressed first: support for RC4 was removed, as was support for insecure renegotiation. Shortly thereafter, those fixes were followed by a resolution of the SSL certificate issues.
“There’s an unnecessary root anchor which will increase handshake latency but from a security standpoint, it’s much safer. Not class-leading, but good enough,” Moore said, adding that the vulnerable mobile apps were still reachable on Google Play. “It should also be noted that Santander have investigated and resolved the vast majority of issues within 72hrs of this article going live. Although it doesn’t allay my concerns completely, it certainly helps restore faith in their approach to security.”
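The TLS findings in this story fall into two groups: server settings the scan flagged (RC4, no forward secrecy, no Strict Transport Security, compression) and a client that accepted a proxy's forged certificate. The following added example, which is not Santander's, Headland's or Moore's code, expresses both as checkable Python `ssl` configuration: a client context that rejects each of those weaknesses, the permissive context that reproduces the mobile app's behaviour, an audit function that summarises a context the way a scanner report would, and a small HSTS header check. The cipher string and header values are constructed.

```python
"""Hardened vs. permissive TLS client contexts and an audit of each (added example)."""
import ssl
from typing import Optional


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that address the findings in the article."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and hostname checking on
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED      # a proxy's self-signed cert now fails the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION     # TLS compression enables the CRIME attack
    # Forward-secret AEAD suites only; RC4 and static-RSA key exchange are excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The failure mode the mobile app showed: any certificate is accepted,
    so an interception proxy's certificate goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise a context's posture like a scanner report would."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname),
        "rc4_enabled": any("RC4" in n for n in names),
        # TLS 1.3 suites (TLS_*) are always forward secret; in 1.2 only (EC)DHE suites are
        "forward_secrecy_only": all(n.startswith(("ECDHE", "DHE", "TLS_")) for n in names),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "min_version": ctx.minimum_version.name,
    }


def hsts_max_age(headers: dict) -> Optional[int]:
    """Return the Strict-Transport-Security max-age from response headers,
    or None when the header is absent (the condition the scan reported)."""
    for key, value in headers.items():
        if key.lower() == "strict-transport-security":
            for directive in value.split(";"):
                name, _, val = directive.strip().partition("=")
                if name.lower() == "max-age" and val.strip().isdigit():
                    return int(val)
    return None


if __name__ == "__main__":
    print("hardened:  ", audit_context(hardened_client_context()))
    print("permissive:", audit_context(permissive_client_context()))
    # constructed response headers
    print("HSTS max-age:", hsts_max_age({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

On the server side the equivalent fixes live in the web server's TLS configuration rather than in application code, but the audit dictionary above is the checklist either way: peer verification, no RC4, forward secrecy, compression off, a modern minimum version and an HSTS header with a long max-age.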
The Tor network may provide a lead-lined cover for Internet users seeking a measure of privacy online, but it also has proven to be an attractive shelter for attackers.
A number of malware campaigns have been able to successfully maneuver on Tor, using the anonymity network as a communication infrastructure that hides stolen data and malicious instructions as they’re sent between bots and the command and control server.
However, the fact that we’re hearing more about these campaigns running on Tor also means they’re being found out.
The latest to be exposed has been nicknamed Chewbacca by researchers at Kaspersky Lab’s Global Research and Analysis Team. Chewbacca finds running processes on compromised computers, reads process memory, drops a keylogger and is able to move that information off of infected machines.
Marco Preuss, director of the Kaspersky research team in Europe, said this malware is not available in public underground forums, unlike others such as Zeus; Kaspersky researchers recently found a 64-bit version of the infamous banking malware that uses Tor as a communication highway.
“Maybe this is in development or the malware is just privately used or shared,” Preuss wrote on the Securelist blog. “It seems that Tor is attracting some criminals to host their infrastructure, as it promises more ‘security’ for C&Cs – but this holds drawbacks.”
Because of the encryption securing communication on Tor between multiple proxy hops, hackers must contend with additional complexity and latency on the network. Also, hackers running a botnet on Tor run a greater risk of being found out because the addition of copious amounts of traffic could slow down the network and alert watchers that something is amiss.
This is exactly what brought down the Mevade botnet. Researchers speculate the Mevade gang moved the botnet to Tor to hamper takedown attempts by law enforcement, but all they did was spike Tor traffic literally overnight, alerting Tor handlers to the illicit activity.
Kaspersky researchers did not reveal how they discovered Chewbacca, nor the extent to which it has spread. The malware is a PE32 executable compiled with Free Pascal 2.7.1; its 5 MB file includes the Tor executable. Once executed, the malware drops itself as spoolsv.exe into the victim machine’s startup folder. It then launches its keylogger and stores all keystrokes in a log file it creates, Preuss said.
It then relies on two PHP scripts to extract information from the infected computer and send it to the attacker, although as of now only one is functioning.
Preuss said that the command and control server is also hosted on a Tor .onion domain. The front end of the server is a log-in interface overlaying an image of Chewbacca from Star Wars. Kaspersky detects the Chewbacca Trojan as Trojan.Win32.Fsysna.fej.
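Two of the details above are directly usable for detection: the dropped file borrows the name of a Windows system binary (spoolsv.exe, normally found only under System32) but lives in the user's Startup folder, and it is unusually large for a startup item because it bundles Tor. The following added example, which is not Kaspersky's code, turns those two observations into rules over a constructed autorun listing; the list of system binary names, the expected directories and the size threshold are all constructed choices.

```python
"""Flag autorun entries that masquerade as system binaries (added example)."""
import ntpath  # Windows path semantics, usable on any platform

# Constructed subset of Windows binaries that malware commonly names itself after.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
# Constructed set of directories where those names are legitimate.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
LARGE_STARTUP_ITEM = 4 * 1024 * 1024  # constructed threshold; Chewbacca is about 5 MB


def autorun_findings(entries):
    """Return (path, reason) pairs for suspicious autorun entries.

    `entries` is a list of dicts with 'path' and 'size_bytes', the shape one
    would get from an autorun or startup-folder inventory.
    """
    findings = []
    for entry in entries:
        path = entry["path"]
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        in_startup = STARTUP_MARKER in directory + "\\"
        if name in SYSTEM_BINARIES and directory not in LEGIT_DIRS:
            findings.append((path, "system binary name outside its expected directory"))
        elif in_startup and entry["size_bytes"] > LARGE_STARTUP_ITEM:
            findings.append((path, "unusually large executable in a Startup folder"))
    return findings


# Constructed sample inventory; none of these paths come from the article.
SAMPLE_AUTORUNS = [
    {"path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe",
     "size_bytes": 5_200_000},
    {"path": r"C:\Windows\System32\spoolsv.exe", "size_bytes": 800_000},
    {"path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
     "size_bytes": 6_000_000},
    {"path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.exe",
     "size_bytes": 300_000},
]

if __name__ == "__main__":
    for path, reason in autorun_findings(SAMPLE_AUTORUNS):
        print(f"{reason}: {path}")
```

The name rule is the high-confidence one; the size rule is a weaker heuristic that exists only to surface samples like this one, which carry a whole Tor client, and it will need tuning against the legitimate startup items in a given environment.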
It’s likely there are additional malware campaigns operating on Tor; recent research has uncovered not only the 64-bit version of Zeus and the Mevade botnet, but also an exploit kit known as Atrax that steals data from browsers and can also launch denial-of-service attacks and carry out Bitcoin mining.
Tor isn’t the only option for attackers. Russian criminals were using a different darknet called I2P, or the Invisible Internet Project, as a communication protocol for the i2Ninja financial malware. i2Ninja is similar to other banking Trojans in that it has HTTP injection capabilities, email, FTP and form grabbers, but it also promotes 24/7 support for a price.
Chewbacca image via Pierre Guinoiseau‘s Flickr photostream, Creative Commons.
Dennis Fisher talks with Ron Deibert of the University of Toronto and Citizen Lab about his group’s research into cyber espionage campaigns, the surveillance landscape and his recent book, Black Code.
http://threatpost.com/files/2013/12/digital_underground_136.mp3
Apple updated its Mac OS X Mavericks platform yesterday with a number of security fixes for the Safari browser and WebKit layout engine.
The operating system update will move users to OS X Mavericks version 10.9.1. It appears that the broad operating system release is merely a repackaging of a bulletin fixing a single vulnerability in Apple’s Safari browser and a second bulletin addressing eight vulnerabilities in the Cupertino, California-based company’s WebKit rendering engine.
The Safari patch fixes CVE-2013-5227, which was reported to Apple by Niklas Malmgren, a front-end developer for the mobile payments firm Klarna AB. The vulnerability relates to a bug in Safari’s autofill feature that was pushing usernames and passwords into a subframe from a domain separate from the main frame containing the field where such information should have been entered. In other words, the Safari browser was leaking user credentials to an unexpected site with its autofill feature. Apple fixed the problem by improving the browser’s origin tracking system.
The WebKit bulletin resolves CVE-2013-2909, reported by Atte Kettunen of the Oulu University Secure Programming Group; CVE-2013-5196, 5917 and 5225, reported by the Google Chrome security team; CVE-2013-5228, reported by the Keen Team working alongside H-P’s Zero-Day Initiative; and CVE-2013-5195, 5198 and 5199, each of which was reported internally by Apple. The vulnerabilities are a series of memory corruption flaws in the WebKit layout engine. They can be exploited on unpatched machines if users visit a maliciously crafted site, which can in turn lead to unexpected application termination or arbitrary code execution. Apple resolved these issues by implementing better memory handling.
The ICS-CERT is warning users about a reflected cross-site scripting vulnerability in a control interface for a wind-farm control portal manufactured by Nordex. The bug is remotely exploitable and could enable an attacker to run arbitrary script code in a victim’s browser.
The Nordex NC2 is a control portal for a series of wind turbines manufactured by the company. Nordex Control 2 enables a user to control the settings and operations of wind turbines remotely. A researcher named Darius Freamon discovered a reflected XSS vulnerability in the software and published some details of it in the fall. ICS-CERT’s advisory says that the disclosure was not coordinated with the vendor or the CERT.
“NCCIC/ICS-CERT is aware of a public report of a Cross-Site Scripting vulnerability affecting the Nordex Control 2 (NC2) application, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by allowing a specially crafted request that could execute arbitrary script code. This report was released without coordination with either the vendor or NCCIC/ICS-CERT,” the advisory says.
The vulnerability was originally disclosed in October, but no fix has been made available; the details of the bug are also available on the OSVDB site.
“Nordex NC2 Wind Farm Portal contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the ‘userName’ parameter upon submission to the /login script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser within the trust relationship between their browser and the server,” the OSVDB advisory says.
Nordex NC2 is a software application that gives users a portal to control the wind turbines they manage and receive data and reports from them. The researcher discovered the portal to be accessible on the Shodan search engine.
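Both the BillPay payment-gateway flaw earlier on this page and the Nordex NC2 login flaw are reflected cross-site scripting: a request parameter is copied into the response without output encoding. The following added example is not the NC2 application's code and not Santander's; it is a constructed stand-in for a login page that reflects a `userName` parameter, shown in its vulnerable and fixed forms, plus the detection side, a scan of constructed access-log lines for the same parameter carrying HTML metacharacters. The probe string, host name and log lines are all constructed.

```python
"""Reflected XSS: vulnerable vs. encoded rendering, and a log-based detector (added example)."""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit


def _username_from(url: str) -> str:
    """Pull the userName parameter out of a request URL (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("userName", [""])[0]


def render_login_vulnerable(url: str) -> str:
    """Reflects userName verbatim: the defect class the OSVDB entry describes."""
    return f'<form action="/login"><input name="userName" value="{_username_from(url)}"></form>'


def render_login_fixed(url: str) -> str:
    """Same page with HTML attribute encoding; the browser sees literal text."""
    safe = html.escape(_username_from(url), quote=True)
    return f'<form action="/login"><input name="userName" value="{safe}"></form>'


PROBE = '"><i>probe</i>'  # constructed, inert marker used only to show the difference


def probe_url(base: str = "https://portal.example.invalid/login") -> str:
    """Build a request URL carrying the probe, URL-encoded as a browser would send it."""
    return base + "?" + urlencode({"userName": PROBE})


LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_markup_in_login_param(log_lines):
    """Detection side: return access-log lines whose userName parameter
    contains '<' or '>' after URL-decoding. Legitimate user names never do."""
    flagged = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        user = parse_qs(urlsplit(match.group(1)).query).get("userName", [""])[0]
        if "<" in user or ">" in user:
            flagged.append(line)
    return flagged


# Constructed access-log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Dec/2013:09:12:01 +0000] "GET /login?userName=alice HTTP/1.1" 200 1423',
    '203.0.113.9 - - [17/Dec/2013:09:12:45 +0000] '
    '"GET /login?userName=%22%3E%3Ci%3Eprobe%3C%2Fi%3E HTTP/1.1" 200 1460',
]

if __name__ == "__main__":
    print("vulnerable:", render_login_vulnerable(probe_url()))
    print("fixed:     ", render_login_fixed(probe_url()))
    print("flagged:   ", flag_markup_in_login_param(SAMPLE_LOG))
```

Output encoding at the point where the value lands in HTML is the fix; input validation on `userName` (the omission OSVDB names) is a worthwhile second layer, and a Content-Security-Policy header limits what injected markup could do if either is missed.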
Image from Flickr photos of Robert Sharp.