Social Networking Dangers Exposed

For many people, social networking has become as much of a daily routine as brewing coffee and brushing teeth. IT administrators dislike it and cyber crooks depend on it.

That’s because most of the time people spend on MySpace, Facebook, LinkedIn, Twitter and elsewhere is during work hours — on work machines.

At the ShmooCon 2009 security conference in the nation’s capital this weekend, two security researchers demonstrated the many reasons why this is bad.

In a presentation called “Fail 2.0: Further Musings on Attacking Social Networks,” Nathan Hamiel and Shawn Moyer guided attendees through attacks made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other content with little effort.

“Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there’s a lot of return-on-investment in going after them,” Moyer said, describing the climate as a perfect storm of social engineering and bad programming.

Through a variety of easy tricks, attackers can hijack a person’s social network account to use as a launching pad for additional attacks against other users, other Web 2.0-based applications, and so on. Social networks can also be incorporated into micro botnets and, by rummaging through a page of misfired direct messages on Twitter, a motivated attacker can unearth the cell phone numbers of prominent people.

Hamiel noted that the trouble begins with so much creative power being put in the hands of those who have little or no tech savvy.

“Any application can be used to attack other applications and an application can be used to view your entire file if the privacy settings are off,” he said. “Even if you put the privacy settings in place, you should assume you are screwed.”

Read more at CSO Online

Shadowserver Foundation teams up with Microsoft to take down the Conficker botnet

The fine folks at the Shadowserver Foundation have announced a cooperative agreement with Microsoft to go after the Conficker Worm creators and their botnet.

There is some very interesting information at their site regarding what could be done to bring down their systems:

Botnets almost always are run off of domain names that have been created by the botnet operator for the sole purpose of providing the drones a place to call home. In one instance, if a C&C server is identified in a particular network space, it can be shut down; however, the DNS records for the domain can simply be pointed to another server and the botnet remains active. In another case, the C&C might be running on a network that is complicit in the malicious activity, and can’t be shut down. As you can see, a key way to attack the botnet problem is at the domain registration level.

Shadowserver and other researchers regularly see domains used solely for malicious purposes. Taking the domains down would cut the legs right out from under the net, so the drones have no place to call home. Traditionally we’ve seen malware that has the domain names evident within the code of the specimen. It’s relatively easy to identify and enumerate those domains that are or will be used by a botnet. A newer technique that is gaining momentum is for the malware to generate the domain names that will be used on a week-to-week, month-to-month basis. By determining the algorithm, one can identify and create a list of the domain names that will be used.

If these domains can be identified, and have their DNS pointed to a friendly server instead of the C&C, you accomplish several good things. First, you’ve essentially crippled the botnet, and second you’re now able to identify all the infected drones trying to connect to the C&C since they are now attempting connections to that friendly server. Shadowserver has employed various processes to identify the domain names, act as that friendly server, and enumerate the orphaned drones. We add this data to our freely distributed report process which notifies the appropriate network operators that there are infected machines on their network. In the case of Conficker/Downadup, we’ve actually been watching this for some time, and playing the role of a ‘friendly’ server for over a month.

Go read the whole thing HERE
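The sinkhole step the Shadowserver passage describes (point the worm's domains at a friendly server, then enumerate the drones that connect to it and report them per network) as an added example, not Shadowserver's own code. The domain list and the access log are constructed placeholders; in practice the list comes from reimplementing the worm's domain algorithm, which is not shown here.

```python
import ipaddress
from datetime import datetime

# Names the worm is expected to resolve this week. Constructed placeholders
# standing in for the list produced by reimplementing its domain algorithm.
SINKHOLED_DOMAINS = {"abcdefg.example.net", "hijklmn.example.biz", "qrstuvw.example.org"}

# Constructed access log of the 'friendly' server: timestamp, client IP, host asked for.
SAMPLE_LOG = """\
2009-02-13T10:01:02Z 198.51.100.17 abcdefg.example.net
2009-02-13T10:01:05Z 198.51.100.17 ABCDEFG.example.net.
2009-02-13T10:02:11Z 198.51.100.203 hijklmn.example.biz
2009-02-13T10:02:40Z 203.0.113.9 qrstuvw.example.org
2009-02-13T10:03:00Z 203.0.113.9 www.example.com
not a log line
"""

def parse_log(text):
    """Yield (timestamp, ip, host) per well-formed line; host is lower-cased, no trailing dot."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ts, ip, parts[2].lower().rstrip(".")

def enumerate_drones(text, domains=SINKHOLED_DOMAINS):
    """Map each client that asked for a worm domain to first-seen time, hit count and
    domains used. Requests for other names are not evidence of infection and are dropped."""
    drones = {}
    for ts, ip, host in parse_log(text):
        if host not in domains:
            continue
        rec = drones.setdefault(str(ip), {"first_seen": ts, "hits": 0, "domains": set()})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["hits"] += 1
        rec["domains"].add(host)
    return drones

def report_by_network(drones, prefix_len=24):
    """Group drones by /prefix_len so each responsible network operator gets one row."""
    rows = {}
    for ip in drones:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        rows.setdefault(str(net), []).append(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in sorted(rows.items())}
```

`report_by_network(enumerate_drones(SAMPLE_LOG))` yields one row per /24 with the infected hosts in it, which is the shape of the notification the passage says goes to network operators.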

Microsoft offers $250,000 reward for Conficker arrest and conviction

Things must be heating up in Redmond for this kind of response:

REDMOND, Wash., Feb. 12 /PRNewswire-FirstCall/ — Today, Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.


“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft. “By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide.”

As cyberthreats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker.

Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

“The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together,” said Greg Rattray, chief Internet security advisor at ICANN. “ICANN represents a community that’s all about coordinating those kinds of efforts to keep the Internet globally secure and stable.”

“Microsoft’s approach combines technology innovation and effective cross-sector partnerships to help protect people from cybercriminals,” Stathakopoulos said. “We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable.”

More information about how to protect yourself from Conficker can be found at http://www.microsoft.com/conficker. Customers interested in learning more about staying safe online can visit http://www.microsoft.com/protect.

Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.

While I am no fan of Microsoft, I do believe this was the right thing to do. This worm is out of control and may end up going down in history as the fastest spreading, most damaging malware in computer history.

I do wonder, however, if these sorts of bounties will spawn large-scale Internet vigilantism.

How Botnets Work

Ever wonder how a botnet works? Well, here is your chance to find out:

An interesting aspect of botnet study is to attempt to learn the motives behind building a particular botnet or trying to find the intent of the criminal mind controlling all the zombies. When it comes to botnet payloads, many different motives come to mind, like DDOS, vulnerability exploitations, key logging, SPAM, etc. But not all botnets are capable of doing everything, especially when it comes to vulnerability exploitations, DDOS and password stealing. Amazingly, most of the biggest botnets in recent times have been dedicated to sending SPAM. Take for example Srizbi, Rustock, Storm (mostly), Grum and now Waledac.

IRC bots were the first breed of malware to build multi-purpose botnets. These IRC Bots started to emerge as the next generation of malware after nifty worm breakouts like Blaster, Sasser and Slammer.

Here at FireEye Labs we monitor the communication of different types of bots with their command and control servers in a controlled environment. The fun part of monitoring IRC CnC is that most of the time this communication is real-time, plain text and self-descriptive. Most commonly IRC Bot masters communicate their commands using IRC channel topics and/or through Private Messages. Today I will discuss some of these bot commands extracted from my lab logs. Let’s see what these puppet masters are trying to do today:


Read more at FireEye
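An added example (not FireEye's code) of the monitoring the excerpt describes: a parser that pulls the two command carriers it names, channel topics and private messages, out of a constructed plain-text IRC capture. Nicks, hosts, channel and the command strings are invented placeholders.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 1459 message shape: [":" prefix SPACE] command {SPACE middle} [SPACE ":" trailing]
IRC_MSG = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?:\s+[^:\s]\S*)*)(?:\s+:(?P<trailing>.*))?$"
)

class Command(NamedTuple):
    target: str    # channel or nick the text was delivered to
    source: str    # nick or server that sent it
    carrier: str   # "TOPIC", "332" (topic reply on join) or "PRIVMSG"
    text: str      # the plain-text order the bots will act on

def parse_line(line: str) -> Optional[Tuple[str, str, List[str], Optional[str]]]:
    """Split one IRC line into (source nick, command, middle params, trailing text)."""
    m = IRC_MSG.match(line.rstrip("\r\n"))
    if not m:
        return None
    nick = (m.group("prefix") or "").split("!", 1)[0]
    return nick, m.group("cmd").upper(), m.group("params").split(), m.group("trailing")

def extract_commands(session: str) -> List[Command]:
    """Keep only the carriers a bot master uses for orders: a TOPIC change, the 332
    topic reply a bot receives on join, and PRIVMSG to the channel or to one bot.
    Bot replies are kept too (they show an order's result); NICK/JOIN/PING are dropped."""
    found = []
    for line in session.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[3] is None:
            continue
        nick, cmd, params, trailing = parsed
        if cmd in ("TOPIC", "PRIVMSG") and params:
            found.append(Command(params[0], nick, cmd, trailing))
        elif cmd == "332" and len(params) >= 2:      # params: <our nick> <channel>
            found.append(Command(params[1], nick, cmd, trailing))
    return found

# Constructed capture of a bot joining its control channel; command strings are invented.
SAMPLE_SESSION = """\
:irc.example.invalid 001 bot-7f3a :Welcome to the network
:bot-7f3a!bot@198.51.100.17 JOIN :#ctrl
:irc.example.invalid 332 bot-7f3a #ctrl :!sync 3600 example.invalid
:master!op@203.0.113.9 TOPIC #ctrl :!update http://dl.example.invalid/stage2
:master!op@203.0.113.9 PRIVMSG #ctrl :!report
:master!op@203.0.113.9 PRIVMSG bot-7f3a :!sleep 600
:bot-7f3a!bot@198.51.100.17 PRIVMSG master :ok 600
"""
```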

New And Improved Storm Botnet Morphing Valentine’s Malware

The botnet formerly known as Storm is ramping up its ability to evade detection by automatically generating thousands of different variants of its malware each day as it spreads and recruits more bots.

Waledac — the new and improved Storm — is using its favorite holiday, Valentine’s Day, to spread the love with signature phony greeting cards and romance-themed email that Storm so infamously spread in the past. “Over the last 24 hours, we’ve seen over 1,000 new variants [of Waledac code],” says Pierre-Marc Bureau, a senior researcher with Eset, which expects Waledac to eventually pump out thousands of variants a day. “It was a bit lower than what we are expecting. It may not have reached many of our clients yet.” That said, it’s still a big jump from the around 10 new versions a day Eset had seen the botnet creating, he adds.

Read more at Dark Reading