CyberInsecure.com

Archive for the ‘Botnets’ Category

People flocked to Google Wednesday evening to figure out what was happening with the UltraDNS service, which suffered a DDoS attack at the height of the last-minute shopping season.

An attack directed at the DNS provider for some of the Internet’s larger e-commerce companies–including Amazon, Wal-Mart, and Expedia–took several Internet shopping sites offline Wednesday evening, two days before Christmas.

Neustar, the company that provides DNS services under the UltraDNS brand name, confirmed an attack took place Wednesday afternoon, taking out sites or rendering them extremely sluggish for about an hour. A representative who answered the customer support line said the attacks were directed against Neustar facilities in Palo Alto and San Jose, Calif., and Allen Goldberg, vice president of corporate communications for Neustar, confirmed that at about 4:45 p.m. PST, “our alarms went off.”

Goldberg said the company received a disproportionately high number of queries coming into the system, and analyzed it as an attack. Neustar deployed “a mitigation response” within minutes of the attack, he said, and brought matters under control within an hour. The response limited the problems to Northern California, he said.

In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon’s S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon’s lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.

For a brief period Wednesday evening, “ultradns” was the top search term on Google, likely as frantic technicians at Web sites attempted to figure out what was going on with their sites.

Web sites need DNS providers to translate the character-based URLs that people can remember to the IP addresses that Web sites actually use to list themselves on the Internet. When a DNS provider is overwhelmed with malicious requests for IP addresses, the system can overload and prevent legitimate users from reaching their destinations.

Amazon’s Web Services Health Dashboard declared an all-clear around 6:40 p.m. PST, saying that DNS resolution had returned to normal. Amazon and several other big sites seemed to recover around 5:40 p.m., but some other sites continued to report problems until around 6 p.m.

Needless to say, the timing of such an outage could not have been much worse, as holiday procrastinators rushed to make sure they could get one-day shipping for gifts to be delivered before Christmas Day on Friday.

UltraDNS suffered a similar attack earlier this year, which took out Amazon, Salesforce.com, and other sites. Goldberg described Wednesday’s attack as smaller than that one, in that it affected fewer customers.

However, Amazon is no small customer. Goldberg declined to comment on specific customers affected by the outage, and said Neustar had not yet determined the source of the attack.

One expert thought the attack might have been more widespread.

“This was wider than just UltraDNS,” said Bill Woodcock, research director at Packet Clearing House, which operates domain name servers and supports Internet exchange points around the globe.

“It’s difficult to tell at this point how much is a DDoS attack and how much is collateral damage from the attack that is being felt in other ways,” like a domino effect, he said. “There were routing problems at some major European exchanges at the same time that caused major Internet service providers’ routers to encounter a higher load and pass fewer packets.”

Credit: CNET News, Webware

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.

And that’s the way it’s supposed to work everywhere. Applicants who can’t show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don’t have the resources to investigate every application as fully as they’d like.

The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they’ve taken a layer of potential problems out of the equation.

“It’s gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,” said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. “It takes one more level out of it: You own your own IP space and you’re your own ISP at that point.

“If there’s a problem, who are you going to talk to? It’s a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16. They’re not the Internet police,” Lanstein said.

The most famous example of this is the Russian Business Network case, in which a group of criminals was able to get a large amount of IP space by using an LIR to get an allocation from RIPE, the European RIR. The LIR gave RIPE documentation that supposedly showed a need for the allocation, and that’s as far as it went.

“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case. But the allocation was made in 2006 and it wasn’t until May 2008 that RIPE was able to close down the LIR and get the IP space back.

In most regions, a new organization requesting a large allocation will have to go through a fairly rigorous process to show the need for the address space. The RIR staff often will request a listing of each machine the organization has and may go as far as to request purchase receipts for the machines, as well, said John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), which is responsible for the U.S., Canada and parts of the Caribbean.

Criminals subverting this process has become a major problem in some regions, particularly parts of Europe and the Caribbean, where there are dozens of jurisdictions and multiple languages, which can lead to confusion and difficulty in tracking down exactly who is doing what online, security experts say.

“There are a lot of instances where they don’t go past the letter of justification,” Lanstein said. “There are plenty of IP allocations I can pull up and look at the domains and see that they’re total BS. U.S. data centers are much better, but in Europe there are so many languages and countries, it’s impossible for them to check everyone. And the bad guys know this.”

This set-up has become a useful tactic for the criminals running botnets and large spam and carding operations. Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There’s no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses.

“The policies for handing out IP space and verifying the people behind and application are global, they apply to all of the RIRs. But within that framework, there’s room for RIRs to set their own local policies too,” said Curran. “The bad news is, those policies are very local. How does someone verify an organization when in some regions they may only have written records and it’s a town of 2,000 people? It’s very difficult in Africa, parts of Europe, parts of the Caribbean. It’s very much the case that parts of our process are very hard to implement in other regions. Other regions have different ways of recording how a company is formed and they recognize very informal structures. The record-keeping is decentralized and it might take a while to determine who is behind a company.”

And once the IP space has been allocated, getting it back can be a long and arduous process. Criminals often will use a certain IP block for as long as it’s useful and profitable for them. But if security researchers and ISPs notice suspicious activity in a certain block, they will sometimes stop accepting traffic from it and block any traffic from their own networks to that block. This can be an effective tactic, but once the criminals abandon the IP space, it can take a long time for a legitimate business to be able to get traffic flowing there again.

“This is part of the problem that’s causing the IPv4 shortage,” Lanstein said, referring to the imminent exhaustion of the IPv4 address space, forecasted to occur in less than two years. “They stop paying the bills, the space gets null-routed and then it’s a mess. There’s clear fraud going on, but who can do something about it?”

Credit: ThreatPost.com

A computer worm that China warned Internet users against is an updated version of the Panda Burning Incense virus, which infected millions of PCs in the country three years ago, according to McAfee.

The original Panda worm, also known as Fujacks, caused widespread damage at a time when public knowledge about online security was low, and led to the country’s first arrests for virus-writing in 2007. The new worm variant, one of many that have appeared since late 2006, adds a malicious component meant to make infection harder to detect, said Vu Nguyen, a McAfee Labs researcher.

“It has gotten more complex with the addition of a rootkit,” said Nguyen. “It definitely makes it more challenging for users to clean up and even to know that their systems have been compromised.” A rootkit burrows into a system to try to hide the existence of malware.

The first Panda worm gained fame in China for switching the icons of infected files with an image of a panda holding three incense sticks. The same image would also flash across a victim’s screen, but the worm’s final goal was to install password-stealing Trojan horses. The worm infected millions of PCs, according to Chinese state media. Its author was ordered to write a removal tool for the worm and later sentenced to four years in prison.

China’s national virus response center warned about the updated worm earlier this week, but it dubbed the virus Worm_Piloyd.B and did not link it to Panda. The center said it had found a worm spreading online that infected executables and html files. The worm blocked a victim’s PC from restoring infected files, turned off active antivirus software and directed the machine to Web sites to download Trojan horses and other malware, the center said. The center urged Internet users to step up defense on their PCs against unknown viruses.

The new worm is unlikely to hit as many PCs as the first one. Chinese companies and Internet users are much more aware of malware than they were a few years ago, partly because of the wake-up call brought by the first Panda worm, said Nguyen.

As in other countries, cybercrime looks increasingly professional in China and labor is often divided along the production chain from virus design to the sale of stolen information. Chinese police are rushing to keep pace and cybercrime arrests have become more common in the country. Police in central Hubei province recently took six suspects into custody for building and selling viruses and attacking victims with a botnet, Chinese state broadcaster CCTV said this week. The group made over 2 million yuan (US$290,000) in about six months from their activities, the report said.

China officially had 338 million Internet users at the end of June, more than the population of the U.S.

Credit: Yahoo! Tech News

The Koobface botnet has pushed out a new component that automates the following routines:

Registering a Facebook account
Confirming an email address in Gmail to activate the registered Facebook account
Joining random Facebook groups
Adding Facebook friends
Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.

Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it employs a check if it has already reached the maximum friend requests set by Facebook or not. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.

The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

Facebook users are advised to be careful and security conscious. For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages: http://www.facebook.com/safety and http://www.facebook.com/security.

Credit: Trend Micro Malware Blog

A botnet that was once responsible for an estimated third of the world’s spam has been knocked out of commission thanks to researchers from security firm FireEye.

After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.

Almost immediately, the spam stopped, according to M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.

The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change, said Jamie Tomasello, an abuse operations manager at antispam firm Cloudmark.

The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.

With head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye’s control, an indicated of the massive number of zombies believed to have belonged to the botnet. FireEye researchers plan to work with the ISPs to identify the owners of the orphaned bots so their owners can clean up the mess.

FireEye researchers said the key to dismantling the giant ring was a coordinated effort that worked in multiple directions all at once so that bot herders didn’t have a chance to counteract. “As it turns out, no matter how many fallback mechanisms are in place, if they aren’t all implemented properly, the botnet is vulnerable,” they wrote.

Credit: The Register

The website of the Swedish Signals Intelligence agency (Försvarets Radioanstalt, or FRA) was taken offline by a massive DDoS attack this week.

Fra.se was intermittently inaccessible from Monday night until Thursday morning, when full service was restored. The agency was in the news recently after Swedish legislators passed a law allowing FRA to tap internet communications networks that pass through Sweden.

The monitoring effectively started last month, reports Finnish security firm F-secure, which notes that Russia’s international internet traffic passes through Sweden.

It’s unclear who’s behind the attacks, but Russian cybercrime operations or possibly file sharers lashing out against the Pirate Bay clampdown are among the possible suspects.

In a statement, (translation via Google here) FRA said that the temporary disruption to its web site had no effect on its work.

An apparently separate denial-of-service attack downed about 40 websites belonging to police and media outlets in Sweden last week.

Credit: The Register

Crimeware distributors have begun using Facebook as a command and control channel for a Trojan that turns compromised Windows PCs into zombie drones.

Zombie clients poll the Notes section of the mobile version of Facebook for instructions. Compromised clients might be instructed to download further code from a specified web site or told to wait for commands, for example.

The Trojan spreads via booby-trapped email attachments that take advantage of well-known PDF or Office flaws to infect unpatched systems. These messages pose as email from courier firms and the like.

This has become a very common strategy for targeted attacks, which have replaced mass mailing worms as the main malware danger to business. What distinguishes this Trojan from run of the mill malware is its (experimental) use of Facebook to receive commands instead of traditional botnet control channels such as Internet Relay Chat (IRC). Most of the heavy lifting - such as uploading stolen data - is still done through a web server, however, Symantec researcher Andrea Lelli explains.

“The Trojan is using a Facebook account to receive URLs to contact, and it may post some timedate stamps back to the account, but nothing more than that,” Lelli writes. “The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere.”

“It [the Trojan] simply uses the standard Facebook functionalities, which in no way are malicious, dangerous or faulty. This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C [command and control] server.”

Symantec found the mobile Facebook account associated with the Trojan, established 16 October, showed very little signs of activity. Either hackers have deleted handshakes from compromised boxes that ought to have been exchanged or else the malware is yet to infect anything.

Virus writers have begun experimenting with varied means of controlling botnet clients over recent months. In August, for example, security researchers at Arbor Networks discovered a botnet that used Twitter to relay commands to compromised hosts.

Credit: The Register

Swedish authorities are no closer to discovering who may have been behind two distributed denial-of-service (DDoS) attacks that downed the websites of the police and some 40 media sites on Thursday.

The media companies affected by the initial attack all rent server space from Swedish IT service provider Basefarm. According to Baseform, the attack was specifically aimed at one of its clients, media IT development company Adeprimo. “Normally, a website with relatively high traffic will receive around 800 requests per second,” said Basefarm CEO Sara Murby Forste in a statement. “During the attack on Adeprimo, we were registering around 400,000 requests per second,” she added.

News websites affiliated with the Stampen media group, which uses Adeprimo’s media platform, were among those hardest hit. These include main Gothenburg newspaper Göteborgs-Posten, whose site was inaccessible from early morning until lunchtime on Thursday.

Basefarm said it did not receive any warning or threat prior to the attack. The company is preparing to submit a report to the police and is continuing an internal investigation into the attack.

“We know from the nature of the attack that they possess a lot of knowledge. This took place in a planned manner, outside Europe, and with serious force,” said Basefarm’s technical manager Stefan Månsby. “There is much to suggest that the traffic came from Asia and the United States. It could well be Asian, bouncing via the US.”

A second attack later in the day knocked out the website of the Swedish police, which was down for a couple of hours hours in the late afternoon. Police IT experts believe the two attacks are almost certainly linked. “I don’t think it’s a coincidence,” said Ann-Marie Alverås, head of the national police’s web security division. “The amount of traffic was exactly the same in both attacks and we too witnessed traffic from the United States. But the saboteur could be anywhere in the world,” she added.

Thursday’s attacks are to be investigated by the police’s IT crimes unit. Ann-Marie Alverås said the purpose of the attacks remained a mystery. “But I can hazard a guess that it was to attract attention,” she said.

Credit: thelocal.se

Malware-infected computers are increasingly being used to perpetrate click fraud, according to a study released Thursday that found their contribution was the highest since researchers began compiling statistics on the crime.

In the third quarter of this year, 42.6 percent of fraudulent clicks were generated by computers that were part of botnets, compared with 36.9 percent the previous quarter and about 27.6 percent in the same period of 2008. The increase comes as criminals trying to profit from click fraud take advantage of new advances in malware that make the practice harder to detect.

“As the botnets get more sophisticated, they’re able to perpetrate more click fraud,” said Paul Pellman, CEO of Click Forensics, the advertising auditing firm that prepared the report. “They’re finding new ways of being distributed, and that’s reflected in the data.”

The jump in botnet use over the past year comes as the overall amount of click fraud dropped, from 16 percent of all paid ads in Q3 of 2008 to 14.1 percent last quarter. That means manual forms of click fraud, in which large numbers of individuals engage in the practice, has decreased by an even larger margin. Many of those people get paid to knowingly gin the advertising results, while others are tricked into it.

The data was compiled by monitoring pay-per-click campaigns on more than 300 ad networks and on advertisers’ web sites.

Click fraud attempts to siphon away the commissions advertisers pay web site operators each time an ad on one of their pages is clicked on by a legitimate visitor. Fraudsters often set up websites with little or no content and then pocket big profits when ads from Google and other providers are viewed through the process.

Automated click fraud has existed for years, but over the past few months, researchers have identified several botnets that prominently offer such capabilities. Both the web-based infection known as Gumblar and the so-called Bahama Botnet contain malware that causes infected PCs to return altered Google results. When users click on them, they are taken to a series of intermediate links before arriving at their final destination.

“It’s in everyone’s best interest in the online community to find and stamp out click fraud,” Pellman said. “The fraudsters are trying to stay a step ahead of those efforts.”

Credit: The Register

Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits, according to researchers at Purewire. Attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe.

The malicious JavaScript was found on the “Curious George” page that provides content on the popular animation series. A look at the code on the hijacked site shows malicious activity coming from a third-party qxfcuc.info domain.

The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to “Send a message to ICQ #559156803; stats available under ststst02.”

The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).

Purewire said the exploit site is part of a malware campaign that includes tens of similar Web sites hosted off of a handful of common IP addresses.

PBS.org has already removed the malicious javascript from its site.

Credit: ZDnet.com Security Blogs