Picture of The Week: G20 Protests
Protesters photograph riot police outside a Lloyds Bank in London, on April 1, 2009.
(ADRIAN DENNIS/AFP/Getty Images)
Via The Boston Globe's "Big Picture".
April 1st is behind us and nothing really happened with Conficker. But it is never boring in the antimalware world. We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware. We added information about mitigations against this malware at the end of this blog post. More here.
Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040 which addressed a vulnerability in the same Server service as MS08-067. However it looks like the authors of Neeris have been taking notes from Conficker. A new variant of the Neeris worm has been launched this week. It has some interesting similarities to Conficker:
- The new variant of Neeris has been updated to exploit MS08-067. Also, after the successful exploitation, the victim machine downloads a copy of the worm from the attacking machine using HTTP.
- Neeris spreads via autorun. The new Neeris variant even adds the same ‘Open folder to view files’ AutoPlay option that Conficker does.
- Neeris uses a driver to patch the TCP/IP layer of the system in order to remove the outgoing connection limits from XPSP2.
It is interesting to note that this new variant of Neeris spiked on late March 31st and during April 1st. However it was not downloaded by any Conficker variant and there’s no evidence that it’s related to Conficker.D’s April 1 domain algorithm activation.
The earliest samples of Neeris date back to May of 2005, so it seems the Conficker authors may be the copycats here. But the Neeris authors added the MS08-067 vector later. Therefore it is possible that these miscreants somehow collaborate or at least are aware of each other’s "products".
Our current definition files were already detecting this new variant with a generic signature: Worm:Win32/Neeris.gen!C. Neeris began as an IRC bot which spreads itself by sending links through MSN Messenger. It still operates as an IRC bot, but over time, new spreading methods have been added. The latest variants can spread via removable drives, SQL servers with weak passwords, exploiting MS06-040, and finally exploiting MS08-067 in the latest variant.
The new variant tries to connect to a command and control server over port 449. The server password it uses to log-in was used by other bots last February.
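The AutoPlay trick described above (an autorun.inf entry given the stock "Open folder to view files" wording so the user launches the worm while believing they are opening the drive) can be checked for on removable media before AutoPlay ever runs. The following is an added example, not code from the original post or from the antimalware team it quotes: a small, tolerant autorun.inf parser plus the rules a defender would apply. Both autorun.inf bodies are constructed samples, and the duplicate-key handling is an assumption for this example, not a statement about Windows.

```python
"""Flag autorun.inf files whose AutoPlay entry mimics Windows' own folder-open action.

Added example (not code from the post quoted above). The two autorun.inf samples are
constructed; the detection rules encode the behaviour the post describes.
"""
import re
from typing import Dict, List

# Wording of the built-in Windows AutoPlay entry that a worm copies so its own entry
# looks like the legitimate "open the drive in Explorer" choice.
DEFAULT_AUTOPLAY_LABEL = "open folder to view files"

# File types that execute code when handed to ShellExecute via open= or shellexecute=.
EXECUTABLE_EXT = re.compile(
    r"\.(exe|dll|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta)\b", re.I)
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")

# Constructed benign sample: a vendor stick that only sets an icon and a label.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

# Constructed sample modelled on the behaviour quoted above: the launch entry is given
# the stock "Open folder to view files" wording and a folder icon from shell32.dll.
SPOOFED_AUTORUN = """[autorun]
~~ filler line that is not a key=value pair ~~
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\update.exe
UseAutoPlay=1
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs found under [autorun] sections, keys lower-cased.

    Line-based and tolerant on purpose: lines that are not key=value pairs are
    skipped rather than aborting the parse, and a later duplicate key overwrites
    an earlier one (an assumption for this example, not a statement about Windows).
    """
    keys: Dict[str, str] = {}
    in_autorun = False
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_autorun = sec.group(1).strip().lower().startswith("autorun")
            continue
        kv = KEY_RE.match(line)
        if in_autorun and kv:
            keys[kv.group(1).lower()] = kv.group(2)
    return keys


def analyze_autorun(text: str) -> Dict[str, object]:
    """Classify an autorun.inf body and explain why it looks suspicious."""
    keys = parse_autorun(text)
    launch = keys.get("shellexecute") or keys.get("open") or ""
    reasons: List[str] = []
    if launch and EXECUTABLE_EXT.search(launch):
        reasons.append(f"AutoPlay entry launches code: {launch}")
    if launch and DEFAULT_AUTOPLAY_LABEL in keys.get("action", "").lower():
        reasons.append("action text copies the Windows default 'Open folder to view files'")
    if launch and "shell32.dll" in keys.get("icon", "").lower():
        reasons.append("icon borrowed from shell32.dll so the entry looks like a folder")
    return {"launch": launch, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_AUTORUN), ("spoofed", SPOOFED_AUTORUN)):
        verdict = analyze_autorun(body)
        print(name, "suspicious" if verdict["suspicious"] else "clean")
        for r in verdict["reasons"]:
            print("  -", r)
```

The check is a triage aid, not a substitute for the mitigation the post points to: on managed Windows fleets the robust fix is to disable AutoRun for removable drives through policy, so that no autorun.inf entry, spoofed or not, is offered to the user at all.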
Rob Lemos writes on SecurityFocus:
A telltale e-mail address in the GhostNet report led two researchers to the online home of a seemingly low-level Chinese hacker, according to an analysis posted on Thursday, but an author of the original report stressed that the cyber criminal is likely only related to a lesser piece of malware. More here.
The latest analysis follows the online trail from an e-mail address turned up by researchers as part of their investigation into GhostNet, a cyber espionage network that spanned 1,295 compromised systems including computers belonging to embassies and dissident groups. The e-mail address led to a twenty-something Chinese hacker born in Chengdu City in the Chinese province of Sichuan, according to a blog post by Scott Henderson, a blogger who follows the Chinese hacking community.
However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.
"That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT," Villeneuve said.
John Fontana writes on NetworkWorld:
Federal legislation introduced in the Senate this week would give President Obama the power to declare a cybersecurity emergency and then shut down both public and private networks including Internet traffic coming to and from compromised systems. More here.
The proposed legislation [.pdf], introduced April 1, also would give the President the power to “order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security.”
Some critics of the bill say that phrase needs to be more clearly defined.
“We are confident that the communication networks and the Internet would be so designated [as critical infrastructure], so in the interest of national security the president could order them disconnected,” said Leslie Harris, president and CEO at the Center for Democracy and Technology (CDT), which promotes democratic values and constitutional liberties for the digital age.
Harris and the CDT don’t think such sweeping power is good news for anyone, including private networks that could be shut down by government order. Those same networks would be subject to government mandated security standards and technical configurations.
"First, god bless the National Security Archive."
- Nick Thompson, writing in the "Danger Room" Blog.
An AP newswire article by Pamela Hess, via MSNBC, reports that:
The national intelligence director and defense secretary are asking the Obama administration to approve a new top-secret U.S. spy satellite program that could cost more than $10 billion, according to government, military and industry officials. More here.
The program calls for building two sophisticated satellites equal to or better than the huge, high-resolution secret satellites now in orbit. At the same time, the government would also commit to spend enough money on commercial satellite imagery sufficient to pay for the construction and launch of two new commercial satellites.
The proposal is going to the White House for discussion and a decision was expected as soon as next week, the officials said.
In opting to go with what they describe as the "2+2" program, National Intelligence Director Dennis Blair and Defense Secretary Robert Gates rejected an alternate satellite proposal from military officials at the Pentagon.
Jeremy Kirk writes on PC World:
Two Nigerians and a Frenchman were sentenced to prison Thursday for swindling people out of more than US$1.2 million in a massive e-mail scam, the U.S. Department of Justice said. More here.
Nnamdi Chizuba Anisiobi, 31, of Nigeria was sentenced to 87 months in prison, while Anthony Friday Ehis, 34, of France and Kesandu Egwuonwu, 35, of Nigeria were sentenced to 57 months. They were sentenced in U.S. District Court for the Eastern District of New York.
After being arrested in Amsterdam in February 2006, all three were extradited to the U.S. The DOJ said all three pleaded guilty to one count of conspiracy, eight counts of wire fraud and one count of mail fraud. Mail and wire fraud carry maximum possible sentences of 20 years in prison, while conspiracy has a maximum penalty of five years.
The three men executed so-called advance fee frauds. Victims were told their help was needed distributing money for charity. In exchange, victims were promised they would get a commission that would go to the charity of their choice, the DOJ said.
Robert McMillan writes on PC World:
U.S. Federal Bureau of Investigation agents have raided a Dallas ISP, knocking the company and almost 50 of its clients offline. More here.
The early morning Thursday raid closed down the operations of Core IP Networks, which operated out of two floors of a Telx collocation facility at 2323 Bryan Street in Dallas. The raid had to do with the activities of a former customer, according to Matthew Simpson, Core IP's CEO. "The FBI is investigating a company that has purchased services from Core IP in the past," he wrote in a note posted to a Google Sites page. "This company does not even collocate with us anywhere, much less 2323 Bryan Street Datacenter."
He did not name the company that is allegedly at the center of the FBI investigation.
FBI spokesman Mark White confirmed that agents had executed a search warrant at the 2323 Bryan Street address on Thursday, but declined to comment further on the matter.
U.S. government cybersecurity is an insecure mess, and fixing it is going to take considerable attention and resources. Trying to make sense of this, President Barack Obama ordered a 60-day review of government cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology is holding hearings on the same topic. More here.
One of the areas of contention is who should be in charge. The FBI, DHS and DoD -- specifically, the NSA -- all have interests here. Earlier this month, Rod Beckström resigned from his position as director of the DHS's National Cybersecurity Center, warning of a power grab by the NSA.
Putting national cybersecurity in the hands of the NSA is an incredibly bad idea. An entire parade of people, ranging from former FBI director Louis Freeh to Microsoft's Trusted Computing Group Vice President and former Justice Department computer crime chief Scott Charney, have told Congress the same thing at this month's hearings.
Cybersecurity isn't a military problem, or even a government problem -- it's a universal problem. All networks, military, government, civilian and commercial, use the same computers, the same networking hardware, the same Internet protocols and the same software packages. We all are the targets of the same attack tools and tactics. It's not even that government targets are somehow more important; these days, most of our nation's critical IT infrastructure is in commercial hands. Government-sponsored Chinese hackers go after both military and civilian targets.
Matthew Harwood writes on Security Management:
A constitutional and international lawyer told lawmakers yesterday that the United States should dismantle state-run intelligence fusion centers, which have grown dramatically since 9-11 with the assistance of the federal government. Police and federal officials defended fusion centers and described measures being taken to protect citizens’ privacy and civil liberties.
Bruce Fein, of Bruce Fein & Associates and The Lichfield Group, compared [.pdf] state fusions centers to the Soviet Union’s KGB and East Germany’s Stasi and called for the United States to “abandon fusion centers that engage 800,000 state and local law enforcement officers in the business of gathering and sharing allegedly domestic or international terrorism intelligence."
Fusion centers bring together law enforcement and intelligence personnel from state, local, and federal government to collect, analyze, vet, and disseminate intelligence to first responders on the ground in an effort to disrupt terrorist or criminal activity. The Department of Homeland Security recognizes 70 fusion centers nationwide but because states operate fusion centers, no two are exactly alike.
Fein was also critical of suspicious activity reports (SARs), whereby police officers and concerned citizens report unusual behavior that may indicate a terrorist or criminal conspiracy. These reports typically flow to fusion centers.
“To an intelligence agent, informant, or law enforcement officer,” Fein said, “everything unconventional or unorthodox looks like at least a pre-embryonic terrorist danger.”
Patrick Walters writes on Australian IT:
Chinese spies have directly targeted Kevin Rudd, repeatedly attempting to infiltrate prime ministerial email and mobile phone communications. More here.
The Australian understands Mr Rudd and his travelling party were under constant cyber attack during his latest trip to China, in August last year, with authorities trying to access the laptop computers and mobile phones used by the Australians.
The blatant nature of Beijing's electronic espionage is understood to have alarmed the Rudd Government and led to a further tightening of communications security procedures for senior government figures travelling to China.
Intelligence sources said Beijing had made repeated attempts to break into government and business IT networks, as well as foreign embassies based in Canberra.
Brian Prince writes on eWeek:
Hackers are launching attacks against an unpatched vulnerability in Microsoft Office PowerPoint, the company's popular presentation program. More here.
Microsoft described the attacks in an advisory as “limited and targeted” in scope, but cautioned that a successful exploit could allow a hacker to execute arbitrary code with the rights of the logged on user.
“The vulnerability is caused when Microsoft Office PowerPoint accesses an invalid object in memory when parsing a specially-crafted PowerPoint file,” according to the advisory. “This creates a condition that allows the attacker to execute arbitrary code.”
According to Microsoft, the malicious PowerPoint files are detected by the Windows Live OneCare safety scanner as Exploit:Win32/Apptom.gen. The products impacted by the bug are: Microsoft Office PowerPoint 2000 Service Pack 3, Microsoft Office PowerPoint 2002 Service Pack 3 and Microsoft Office PowerPoint 2003 Service Pack 3. Microsoft Office PowerPoint 2007 is unaffected.
Brian Prince writes on eWeek:
While U.S. lawmakers discuss new data security requirements, cyber-thieves are making a killing. More here.
Statistics [.pdf] released by the FBI on Internet fraud contain more bad news. In a report issued earlier this week, the FBI revealed that Internet fraud complaints to the agency by consumers increased more than 33 percent last year. A total of 275,284 complaints were filed in 2008 with the Internet Crime Complaint Center (IC3), a joint effort between the FBI and the National White Collar Crime Center. In 2007, the IC3 received 206,844 complaints.
Of the total, 72,940 cases of fraud were referred to federal, state and local law enforcement. The total loss suffered by consumers in those cases was $246.6 million, up from $239.1 million in reported losses in 2007. According to the report, the highest median dollar losses came from check fraud, to the tune of $3,000 per incident. Confidence fraud and the well-known West African 419 scams were second and third, with median dollar losses of $2,000 and $1,650, respectively.
Robert McMillan writes on InfoWorld:
The Conficker worm may have infected more machines than previously thought, according to Internet infrastructure provider OpenDNS. More here.
The company said Wednesday that 500,000 of its users have been infected with the latest variant of the worm, called Conficker.C. OpenDNS has more than 10 million users worldwide, the company said.
OpenDNS wouldn't say exactly what percentage of its users were infected by the worm, but the Conficker.C infections it counted were much higher than expected, according to David Ulevitch, the founder of OpenDNS.
Conficker.C began using a new algorithm on Wednesday to look for instructions from its creator, prompting speculation that it might be readying for an attack. According to security experts, however, the worm has been quiet so far.
Previous estimates had placed the number of Conficker infections, including all variants, at anywhere between a few million and 10 million PCs, but according to Ulevitch the worm is "probably bigger than people think, based on what we're seeing here."
More Mark Fiore brilliance.
Via The San Francisco Chronicle.
If it were only an April Fool's joke...
Joby Warrick and Walter Pincus write on The Washington Post:
Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time. More here.
The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.
Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.
How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the "third rail of cybersecurity policy." Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.
Sumner Lemon writes on InfoWorld:
An expected activation of the Conficker.c worm at midnight on April 1 passed without incident, despite sensationalized fears that the Internet itself might be affected, but security researchers said users aren't out of the woods yet. More here.
"These guys have no designs, I think, on taking down the infrastructure, because that would separate them from their victims," said Paul Ferguson, a threat researcher at antivirus vendor Trend Micro, calling the technology and design of Conficker.c as "pretty much state of the art."
"They want to keep the infrastructure up and in place to make it much harder for good guys to counter and mitigate what they've orchestrated," he said.
Conficker.c was programmed to establish a link from infected host computers with command-and-control servers at midnight GMT on April 1. To reach these control servers, Conficker.c generates a list of 50,000 domain names and then selects 500 domain names to contact. That process has started, researchers said.
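The domain-generation behaviour just described (a large daily list of candidate names, a few hundred of which are actually queried) is also what let OpenDNS, in the excerpt earlier on this page, count infections from resolver traffic: almost all of the generated names are unregistered, so an infected host stands out by the number of distinct names it asks for that do not exist. The following is an added example, not code from either article: a detector run over a constructed resolver log. The log format (`<epoch> <client> <qname> <rcode>`), every log line, and the thresholds are assumptions for the example.

```python
"""Spot hosts whose DNS traffic looks like domain-generation-algorithm (DGA) polling.

Added example, not part of the original posts. The resolver log format
("<epoch> <client> <qname> <rcode>") and all log lines are constructed for the
example; the thresholds are assumptions to tune against your own baseline.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Alert:
    client: str
    failed_distinct: int   # distinct names that came back NXDOMAIN
    total_queries: int
    failure_ratio: float


def build_sample_log() -> List[str]:
    """Constructed resolver log: one ordinary workstation and one DGA-like host."""
    lines = [
        "1238544000 10.0.0.5 www.example.com NOERROR",
        "1238544001 10.0.0.5 mail.example.com NOERROR",
        "1238544002 10.0.0.5 wwwexample.com NXDOMAIN",   # a typo, not an infection
    ]
    rng = random.Random(2009)  # fixed seed so the sample is reproducible
    for _ in range(40):
        # Pseudo-random labels under the reserved .example TLD stand in for
        # generated names that do not resolve.
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(9))
        lines.append(f"1238544100 10.0.0.9 {label}.example NXDOMAIN")
    lines.append("1238544200 10.0.0.9 www.example.com NOERROR")
    return lines


def detect_dga_clients(lines: List[str], min_failed: int = 20,
                       min_ratio: float = 0.5) -> List[Alert]:
    """Flag clients with many *distinct* non-existent names in the given window.

    A generated-name list is mostly unregistered, so an infected host produces a
    burst of NXDOMAIN answers for names nobody else on the network asks for. Counting
    distinct names (not raw failures) keeps one misconfigured client retrying a single
    bad name from tripping the rule, and the ratio guards against busy hosts that
    simply make a lot of lookups.
    """
    failed: Dict[str, Set[str]] = defaultdict(set)
    total: Dict[str, int] = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines instead of crashing
        _, client, qname, rcode = parts
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client].add(qname.lower())
    alerts = []
    for client, names in failed.items():
        ratio = len(names) / total[client]
        if len(names) >= min_failed and ratio >= min_ratio:
            alerts.append(Alert(client, len(names), total[client], ratio))
    return sorted(alerts, key=lambda a: a.failed_distinct, reverse=True)


if __name__ == "__main__":
    for a in detect_dga_clients(build_sample_log()):
        print(f"{a.client}: {a.failed_distinct} distinct NXDOMAIN names "
              f"out of {a.total_queries} queries ({a.failure_ratio:.0%})")
```

Feed the function one time window of log lines at a time (an hour or a day) rather than an unbounded history, since the signal is a burst; a host that is merely flagged should then be confirmed with host-side checks rather than blocked on the DNS evidence alone.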
Carolyn Duffy Marsan writes on NetworkWorld:
NeuStar confirmed that its UltraDNS managed DNS service was knocked offline for several hours Tuesday morning by a distributed denial of service attack. More here.
"Early this morning, our monitoring systems detected a significant denial of service attack, which affected a small subset of our customers, in some cases for as long as a few hours," the Reston, Va. company said in a statement. "While we continue to investigate the cause, the extent, and the duration of the attack, service was completely restored by 10 a.m. EST."
NeuStar is a leading provider of high-availability DNS services to e-retailers including J.Jill and Diamond.com as well as high-tech companies such as Oracle and Juniper.
Ben Bain writes on FCW.com:
It's unclear whether cyber crime is increasing or simply being reported more often — or a combination of the two. But as the number of cyber crime cases increase, state and local law enforcement agencies are taking an increasingly active role in investigating them. More here.
The number of complaints that individuals filed with the Internet Crime Complaint Center jumped more than 30 percent from 2007 to 2008 and corporate cyber crimes continues to make headlines. The FBI, nonprofit National White Collar Crime Center and Bureau of Justice Assistance jointly operate the IC3.
“There are not that many lawyers who understand these types of crimes, especially on the state level,” said Domingo Rivera, a defense attorney in Richmond, Va., who has a technology background and has worked on cases at the federal and state levels.
Defense attorneys might need to brace for an onslaught. Federal agencies provide training for state and local law enforcement organizations that are continually increasing their abilities to investigate and prosecute cases.
Kevin Poulsen writes on Threat Level:
A former teenage hacker who served prison time for an online stock-trading scheme is back in jail again, after allegedly gaining administrative access to a New York-based currency exchange service and gifting himself more than $100,000. More here.
Van T. Dinh, now 25, was charged Friday with two counts of computer fraud in federal court in Manhattan.
The Pennsylvania-based Dinh gained notoriety in 2003, when, as a 19-year-old stock trader, he found a novel way to unload a bad investment in thousands of worthless stock derivatives: He hacked into another trader's account, and bought the options from his own account.
The gambit made Dinh the first person charged by Securities and Exchange Commission with a fraud involving both computer hacking and identity theft. He was sentenced in 2004 to 13 months in prison, followed by three years of supervised release.
David Kravets writes on Threat Level:
The first foreigner convicted of phishing in the United States was sentenced to 50 months in federal prison Monday. More here.
Defendant Ovidiu-Ionut Nicola-Roman is a Romanian citizen arrested two years ago in Bulgaria and extradited to the United States. Nicola-Roman, who pleaded guilty last year to one count of U.S. computer access fraud, was part of an overseas phishing group the authorities said was responsible for ripping off more than $1 million from Americans.
The 2005 to 2007 plot was simple: send unsolicited e-mails posing as various banks. The messages informed e-mail recipients there was a security problem with their account. The e-mails requested recipients to forward credit card information, dates of birth, Social Security numbers, phone numbers and PIN numbers. Hundreds responded, leading the group to reproduce credit cards and ATM cards.
While those with a minimal level of online sophistication understand the perils of phishing and can recognize when they are a target, the general populace does not. Gartner estimates that, in 2007, about $3.2 billion was stolen via phishing in the United States alone.
John Markon writes on The Washington Post:
The U.S. Supreme Court today declined to consider reinstating Virginia's tough anti-spam law, leaving in place a lower court ruling that threw out the measure as unconstitutional. More here.
The high court's decision ends the legal odyssey of the 2003 law, one of the nation's first, which was intended to crack down on people who send masses of unwanted e-mail. The Virginia Supreme Court in September ruled that the law violated the First Amendment right to freedom of speech.
Robert F. McDonnell, a Republican candidate for governor who was then the Virginia attorney general, pushed to appeal the case to the Supreme Court, calling the law an innovative act that broke new ground in protecting citizens. Internet service providers have estimated that 90 percent of e-mail is spam.
But First Amendment scholars said the state court's decision was legally sound. In addition, Internet law experts said it is not likely to increase spam in Virginia because federal law also prohibits spam, spam filters screen much of it and expert spammers often are out of the country. The Supreme Court, as is its custom, did not give a reason today for declining to take the case.
Brian Krebs writes on Security Fix:
Experts have discovered a security hole in the computer code that powers the Conficker worm, an aggressive contagion that has spread to more than 12 million Microsoft Windows systems worldwide. The security community is treading lightly with this news, because while the discovery could make it easier to isolate infected systems, it could also give criminals a way to quietly hijack millions of systems.
Conficker spreads mostly by exploiting a security vulnerability in Microsoft Windows systems, one that the software giant issued a patch to fix last October - just days before the first version of Conficker struck. Experts have known for some time now that Conficker applies its own version of that patch shortly after infecting a host system. This tactic not only prevents other malicious software from infiltrating the host via that vulnerability, but it also makes it difficult for system administrators to find potentially infected systems simply by scanning their networks for PCs that are missing that critical software update.
But according to research to be published later this week by the Honeynet Project, a volunteer organization that tracks Internet attacks, the Conficker worm doesn't completely close the hole that allows it to wiggle into infected systems in the first place.
Omar El Akkad writes in The Globe and Mail:
Against the backdrop of humming computers in the underground lab in Toronto's Munk Centre for International Studies, a screen flickered, and the most politically explosive cyber-spy network in the world began to reveal itself. More here.
It was March 6, 12:33 p.m., and Nart Villeneuve was getting frustrated. The 34-year-old international relations student and part-time tech geek had tried everything to track down a piece of malicious software that had infected computers around the world, including those in the offices of the Dalai Lama.
Finally, he turned to the ultimate hacker's tool: He entered some of the code from those infected computers into Google. Just like that, he found one of the cyber-spy network's control servers, then another, and another. From that Eureka moment came a flood of information, almost all of it suggesting the ring originated in China.
A team of Canadian researchers revealed this weekend a network, dubbed GhostNet, of more than 1,200 infected computers worldwide that includes such “high-value targets” as Indonesia's Ministry of Foreign Affairs and the Indian Embassy in Kuwait, as well as a dozen computers in Canada.
Michael Smith writes on The Times Online:
Intelligence chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities. More here.
They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies.
The warnings coincide with growing cyberwarfare attacks on Britain by foreign governments, particularly Russia and China.
A confidential document circulating in Whitehall says that while BT has taken steps to reduce the risk of attacks by hackers or organised crime, “we believe that the mitigating measures are not effective against deliberate attack by China”.
It is understood that Alex Allan, chairman of the Joint Intelligence Committee (JIC), briefed members of the ministerial committee on national security about the threat from China at a top-secret Whitehall meeting in January.
According to Whitehall sources, the meeting, led by Jacqui Smith, the home secretary, heard that ministers had “not paid sufficient attention to the threat in the past”, despite repeated warnings from the intelligence services. These included warnings from the security arm of GCHQ, which expressed concern because government departments, the intelligence services and the military will all use the new BT network.
A Whitehall report is understood to warn that, although there is at present a “low” risk of China exploiting its capability, “the impact would be very high”.
The Internet is infected. Malicious computer hackers have been creating more and more weapons that they plant on the Internet. They call their weapons viruses and worms - they're creepy, crawly toxic software that contaminate our computers without our ever knowing it. You can be infected by simply visiting your favorite Web site, or just by leaving your computer on, overnight while you're asleep. More here.
And the problem is growing, exponentially. Last year the number of infections tripled. And an entire industry of computer security professionals is in a race to keep the hackers from their goal, which is usually to steal your money.
One of the most dangerous threats ever, a computer worm known as "Conficker," is spreading through the Internet right now. By some estimates, 10 million computers have been infected worldwide.
Paul Maidment writes on Forbes.com:
The Information Warfare Monitor, a Canadian cyber-espionage watchdog, goes to pains not to point the finger of blame at the Chinese government for a massive China-based cyberspy ring it has uncovered. "While our analysis reveals that numerous politically sensitive and high-value computer systems were compromised in ways that circumstantially point to China as the culprit," it writes in a report issued March 29, "we do not know the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole." More here.
Beijing has always officially denied undertaking such electronic espionage. But given that the IWM has identified at least 1,295 computers in 103 countries, mostly in the foreign ministries or embassies of various Asian governments; that its investigation was triggered by a request from Beijing's adversary, exiled Tibetan leader the Dalai Lama, who was concerned the computers of his network had been hacked; and past accusations that Beijing has engaged in cyberspying, including against the U.S., the old suspicions will not only be reawakened but intensified.