Related Posts

No related posts.

Introduction

The term Man-in-the-middle in a security context refers to an attack where someone/-thing is inserted between two endpoints and intercepts the communication between those. The intent is usually to obtain information and use this for illegitimate purposes.

Recently the term Man-in-the-mobile, abbreviated as Mitmo, emerged.

New functionality in the ZeuS/Zbot malware

Overview

The Man-in-the-mobile term was cleverly used by the security company S21sec to describe a new functionality in the ZeuS/Zbot family of financial malware.

ZeuS/Zbot has been the focus for much discussion since its arrival, and it is an advanced piece of malware, which primarily targets financial systems, typically banks. The malware was also the basis for one of our security article earlier this year – Cyber crime imitates legitimate business.

The new functionality that ZeuS/Zbot uses, focuses on the fact that many authentication techniques (also popular in banking systems) use two sets of authentication. One of these is sent to e.g. the bank account owner’s mobile phone.

The new scheme is that the account owner’s mobile phone is infected by a piece of malware, which forwards the authentication code to another device. This code, combined with the account owner’s other credentials (obtained through a computer infected by ZeuS/Zbot) are then used to perform illegitimate bank transactions.

Infecting the mobile phone

The mobile phone is infected by use of social engineering techniques.

The ZeuS/Zbot malware, which has compromised the computer, requests information about mobile phone number and type of phone. After the phone owner has submitted this information a message is sent to the phone requesting a security certificate to be installed. Instead of a security certificate, however, a malicious program is installed.

The mobile phones that are vulnerable for this ZeuS/Zbot technique are Symbian and Blackberry. Apple’s (non-jailbroken) iPhones are not vulnerable due to Apple’s restrictions to disallow applications not downloaded through App Store. Malware variants targeting Android-based mobile phones may perhaps be expected.

Please see the link in the References section for a more detailed analysis of the mobile phone malware.

Food for thought

There are some interesting general observations to make from this new ZeuS/Zbot variant.

Combined infections of two types of hardware

In order for the scheme outlined above to succeed, two different types of devices must be infected (computer and mobile phone). Both must have a malicious program installed. This is not usual for malicious software. In other cases where additional devices are used, their functionality is as carriers of the malware, rather than as hosts for independent malware components; one typical type of malware carrier is USB sticks with AUTORUN functionality.

Infecting devices regarded as relatively safe

Mobile and handheld devices have so far not been seen as particularly vulnerable for malware (see our security article Systems prime for exploitation? for a more in-depth discussion about this).

Users of these devices will therefore “by default” be less inclined to apply their inherent skepticism against allowing new software (disguised as a certificate in this case) to be installed.

This problem has been discussed in several of our previous (and most likely also upcoming) security articles. See for example Self-protection from malware – part I.

No systems are safe

The technique with two different sets of authentication, one of which expires after a short time, has traditionally been seen as quite safe (although not fool-proof). The new ZeuS/Zbot variant shows that this security measures can be circumvented by a technique that is not very complicated to set into action.

It is interesting to note that this new ZeuS/Zbot variant is released not long after another presumed safe system was compromised by the advanced Stuxnet malware – see our security article last week: A new generation of malware

References

• Zeus Mitmo: Man-in-the mobile (blog items about this from S21sec’s blog)

Related Posts

No related posts.

Microsoft has released an out-of-band security update for an important vulnerability in ASP.NET. Exploits that utilize this vulnerability have been reported in-the-wild.

Important is Microsoft’s second highest vulnerability serverity.

More information is available in Microsoft’s Security Bulletin MS10-070.

Note that this security update will initially only be available as a download from Microsoft Download Center. According to Microsoft the security update will be available as an ordinary Windows update within in a few days.

Users who are runnings systems that are vulnerable are recommended to deploy the update from Microsoft Download Center as soon as possible in order to be protected from exploits.

Related Posts

No related posts.

Introduction

Computer software evolves, and popular interpretation is to introduce new generations whenever fundamental changes arrive. If one looks at malware in the same manner, one may also classify different types into various generations.

One such classification might be based on the motivations to those who are the initiators of the malware. If we use this approach, a classification might be like this:

• Generation I: Malware, where the motivation was to show how clever the authors were.
  Malware was in its infancy and its authors were few. The antivirus vendors arrived on the scene at this stage.
   
• Generation II: Malware, where the motivation was to spread the malicious software as much as possible and as quickly as possible (and to some extent also to ruin systems).
  The hugely widespread worms from early this century belong to this category.
   
• Generation III: Malware, where the motivation was economically motivated.
  Most malware developed in later years, belong to this category. Using vulnerabilities in software combined with social engineering techniques are the main propagation vectors.
   
• Generation IV: Malware, very sophisticated, aimed against a particular target or targets.
  The malware that belongs to this category is not primarily used to gain money, rather as a weapon against something.
  This will be the focus of this security article.

Seen in a time-frame these four generations overlap to some degree. Malware belonging to the first generation is still being developed, the recent Twitter worm may be viewed as an example. It further seems safe to assume that third generation malware will be around for quite a long time, although those behind the malware may start using technology from the fourth malware generation.

Stuxnet – the most sophisticated malware

Stuxnet is a piece of malware that belongs to generation four above. We will in this article not provide a technical analysis of Stuxnet, but look at it from a broader point of view.

Highlights

Stuxnet was first discovered by the Belarus security company VirusBlokAda in June this year. However, it is assumed that the malware was created and released in the wild months before.

Soon after Stuxnet was discovered, security organizations started their malware analysis as usual. Norman published a description of Stuxnet in the beginning of July.

However, as weeks and months passed, the analyses of Stuxnet continued and revealed increasingly new characteristics and sophistication. Some of the features and techniques used by Stuxnet are:

• Stuxnet’s initial spreading mechanism is by USB sticks using the .LNK vulnerability, for which Microsoft released an out-of-band security update 2 August.
• Stuxnet uses four different software vulnerabilities. One of the vulnerabilities it uses was closed by a security update from Microsoft in its monthly set of updates in September (although information about this vulnerability has been known more than one year).
• Stuxnet uses rootkit technologies to avoid detection.
• Stuxnet targets a particular type of industrial control systems (ICS) - Supervisory Control And Data Acquisition (SCADA) from Siemens, and attempts to infect the Programmable Logic Controller (PLC). Since Simenes’ systems seem to be the main target, Siemens has published an advisory for users with potentially vulnerable Siemens software.

Stuxnet is not a mass spreader. Interestingly it seems that more than half of the infected systems were based in Iran, which lead to some intriguing speculation (see below).

Speculation

Stuxnet is probably the most advanced piece of malware ever created, or at least released in the wild. This has led to conjectures that those behind this malware are not “the usual cybercriminals”.

This hypothesis seems quite likely. It would require substantial amounts of money and advanced programming resources to investigate finding (or buying) the used vulnerabilities. Stuxnet is also a complex and sophisticated piece of software, which would require programming skills not freely available. Finally Stuxnet uses techniques, which indicate intimate knowledge of the industrial control systems that are targeted.

One theory that has emerged publicly lately, and received much acclaim, is that Stuxnet is targeted against a particular nuclear plant in Iran. This first emerged in a web article from Ralph Lagner, which is being updated continuously. Supposedly the attack has already taken place and was successful.

Who stands behind?

The answer to this question is also of a speculative character. We can disregard the traditional usual suspects whenever malware is involved: the cybercriminals with economical motives. There seems to be no monetary gain from Stuxnet.

Another potential initiator/creator is an intelligence agency or a nation. This seems more likely as these would have the resources that creating Stuxnet requires. Some nations may also see it as part of their vital interests to sabotage a nuclear facility in Iran.
Seen from this perspective, Stuxnet may be viewed as a cyberweapon – perhaps the first we have ever seen used.

It will be interesting to see if/when we ever get an answer to who the originators behind the Stuxnet malware were.

Consequences

We started this article by claiming that Stuxnet belonged to the fourth generation of malware. Depending on its ultimate target, it may or may not have been a success.

Regardless of Stuxnet’s successfulness, it is a fact that the techniques used by this malware have been and will be analyzed and published. Stuxnet’s ways to approach systems that so far were perceived as “safe”, and the potential for targeting completely different systems using ideas derived from Stuxnet, will be studied and implemented in new malware belonging to “the Stuxnet generation of malware”

With Stuxnet a completely new use of malware has been introduced.

We live in interesting times! 

Related Posts

No related posts.

Introduction

Last week in our article Ways to use botnets, we discussed among other issues, botnets for hire. One example we mentioned in our article was the company Aiplex Software, which was hired to try stop illegal distribution of copyrighted material. Aiplex Software used some unorthodox means to accomplish this, including Distributed Denial of Service (DDoS) technology to disrupt the sites that served the material.

Payback time

It did not take long however, before parts of the Internet community made a counter-move. A group, called ”Anonymous”, which was angry about Aiplex’ behavior, set up a coordinated counter attack, and Aiplex Software’s web site was taken down by a retaliated Distributed Denial of Service attack (RDDoS, might be an appropriate abbreviation for this phenomenon). As of this writing, Aiplex Software’s web site still does not respond to web requests.

The counterattacks did not end by this success, however.

After Airplex was taken off the net, the group set up new attacks against the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). Both of these were also more or less unavailable during the next days.

“Anonymous” posted a letter online, in which the group describes the actions and the reasoning behind what was named “Operation: Payback is a Bitch”.

(…) Anonymous is sick and tired of these corporations seeking to control the internet in their pursuit of profit. Anonymous cannot sit by and do nothing while these organizations stifle the spread of ideas and attack those who wish to exercise their rights to share with others. (…)

The letter is available here.

Participants in Anonymous’ attacks

During the hours before the coordinated attacks, information about this, as well as requests to participate, were posted on the Internet.

We may guess that some people who normally do not engage in cybercrime, but who sympathized with the idea of freely available Internet content, volunteered to take part in the attack. The invitation had detailed instructions regarding how to do this.

Those who were willing to participate in the attack could do so with little effort. Furthermore, participating in such an attack, which probably would be illegal in most jurisdictions, had little chance of resulting in any (serious) consequences for the participants.

Compared to “old-fashioned” demonstrations where one can get physically hurt or arrested, participating in virtual protests require less effort and risk, but still poses a very significant threat to the party that is focused upon, as the cases mentioned above clearly show. Even if someone participating in a botnet, which were used for DDoS attacking, were found out, the option to use the “standard malware excuse” (*) is an option difficult to refute.

Preventive action points

As we mentioned in our previous security article taking down botnets is difficult. 

Endpoint defense - like antimalware software and firewalls - will help, but it is a fact that these measures do not fully suffice. Coordinated efforts from organizations operating at a higher level in the Internet infrastructure (e.g. Internet Service Providers and Registrars) have so far proved to be quite effective, although these efforts are resource-demanding and require highly skilled security expertise in order to pinpoint the culprits and avoid “false positives”. Such coordinated actions may not be feasible to combat smaller botnets of an ad hoc type.

We will continue to investigate and analyze botnets and the ongoing struggle against this threat. For sure, this is not the final security article from Norman in which botnets are discussed.

(*) 
Standard malware excuse: Arguing that the reason why malicious programs and/or content (e.g. botnet software)  were found on the computer is because it was infected without the owner’s knowledge.

Related Posts

No related posts.

Introduction

A “bot” is an abbreviation for “robot”. Bots are the many single computers that participate in a “botnet”. A botnet is controlled through a command and control center, by other bots and/or by an individual/organization. The bots in a botnet are usually “recruited” through infection techniques, and the computer owners are normally not aware of the fact that the computer participates in a (or several) botnet(s).

Botnets can be very sophisticated and complex, but obviously there is a person or an organization, which ultimately control the bots/botnet.

Two common ways to use botnets are

• to send spam/malware
• to participate in DDoS attacks

There are however, in principle no restrictions regarding how a botnet owner may use the bots that are under her command.

This article will not go in depth with regard to how the different botnets function technically. We shall rather examine some of the ways botnets may be used, study one successful method used for fighting this threat, and finally discuss the idea of botnets used for benign purposes.

Examples

DDoS attack as a service to be purchased

The security company Damballa has analyzed a botnet called IMDDOS. This is a relatively new botnet among the larger ones, and is estimated to have originated in March this year. When Damballa’s analysis was made, IMDDOS is calculated to be among the most widespread botnets.

The interesting thing about IMDDOS in our context is that this is marketed as a commercial “service”.  It is possible to buy this service on a monthly, annually, or lifetime basis. Lifetime customers get 24×7 technical support. It is also possible to rent a part of the botnet – the price for this depends e.g on the desired computing power.  IMDDOS also recruits agents to promote its business and sell the service.

IMDDOS seems to be based in China. Infected computers that are part of the IMDDOS botnet are found all over the world.

This shows another example of a type of malicious activity, which has evolved into a business handled in a similar was as ordinary, legitimate, businesses. We refer to our article – Cyber crime imitates legitimate business – for another example.

DDoS attack as a method to prevent illegal copying

Several Internet news sites report that Indian film industry in Bollywood uses DDoS attacks against web sites that host piracy movies.

According to Daily News and Analysis, the Indian company Aiplex Software has been hired to launch DDoS attacks on web sites hosting pirated movies that don’t respond to copyright infringement notices sent to them by the film industry.

Managing director Girish Kumar was quoted:

When we detect a website offering a link or a download, we contact the server hosts and intimate them about the illegal activity. They issue a notice to the site owner. If the site owner does not comply, the site is either suspended or dismissed. (…)
The problem is with torrent sites, which usually do not oblige. In such cases, we flood the website with lakhs of requests, which results in database error, causing denial of service as each server has a fixed bandwidth capacity. At times, we have to go an extra mile and attack the site and destroy the data to stop the movie from circulating further.

To implement such drastic actions, in this case to protect against illegal use of copyrighted materiel, is coined e-vigilantism. Although it is admittedly not an ideal or recommended solution, it shows how far someone is willing to go when they feel that their business model is threatened.

Terminating botnets 

One of the problems with botnets is that they are so difficult to take down. Antimalware companies, like Norman, will continuously detect new files that infect the computers (making them bots). However, it is a known fact that not everyone uses updated antimalware products, which makes it almost impossible to completely wipe out a botnet this way. Modern botnets also often use techniques to update themselves with new modules, which may not (yet) be detected by antimalware products.

Terminating botnets by focusing on the bots as the only focus is therefore not seen as a viable technique. 

In our security article from late 2008 – Fighting malware on two ends – we discussed two successful examples on how to stop malicious/unwanted activities. Both targeted the problem at a higher level than the end users.

Microsoft’s takedown of Waledac botnet

Another example is the Waledac botnet.

Earlier this year, Microsoft in cooperation with other security experts, were able to take down the huge Waledac botnet. This was accomplished by cutting off traffic to Waledac at the domain level, which resulted in severing the connection between the command and control centers of the botnet and the many bot computers around the world. A federal judge in the U.S. District Court of Eastern Virginia, USA, granted a temporary restraining order, which cut off almost 300 Internet domains in the Waledac botnet.

Early September the U.S. District Court of Eastern Virginia granted a motion, which aims to give Microsoft permanent ownership of the Waledac domains. The domain owners have 14 days to object and, if they do not (which seems unlikely in this case), the ruling will be final.

This example shows that an initiative from private organizations (Microsoft and others) resulted in legal actions, which effectively crippled a huge botnet setup.

It seems safe to assume that similar initiatives will be taken towards malicious botnets, which turn out to be difficult to stop by other means.
Microsoft comments on its official blog:

(…), the courts and the security community have paved the way for future takedowns in cases where criminals are abusing anonymity to victimize computer users around the world.

Benign botnets?

One possible idea based on our discussion above, might be:

• How about setting up a benign botnet based on the presupposition that most individuals and organizations are interested in combating cyber crime?
• The botnet’s only purpose would be to attack Internet sites and domains that engage in criminal activity.
• Participation in the botnet would be on a voluntary basis.

One may imagine a setup which slightly resembles the seti@home system where volunteers install a client and contribute computer resources to Search for Extra-Terrestrial Intelligence (SETI). Instead of searching “outer space”, the computers participating in such a network could be used to attack Internet resources that are used for malicious purposes.

Even though such a setup might seem like a captivating idea, there are for sure severe counter-arguments, for example:

• do we want an organization (or whatever entity that has the role) to have a role normally conducted by organizations under national or supranational control (police, court systems etc.)?
• who identify the offending Internet resources?
• what is defined as malicious and should therefore be taken down?
• who should be in charge of such a network and issue commands to the “bots” to attack an offender?
• what if someone is able to take over the network?
• how can a user know if an invitation to join a benign botnet is legitimate (and not an attempt to lure him to join a malign botnet)?

Our skepticism to such a system overrides the beguiling first impressions. E-vigilantism in any form should not be encouraged. 

References

• The IMDDOS Botnet: Discovery and Analysis (Damballa Threat Research)
• Bollywood hiring cyber hitmen to combat piracy (Daily News and Analysis)
• Cracking Down on Botnets (Microsoft On The Issues blog)
• Microsoft vs. John Does (Complaint filed by Microsoft)
• Microsoft gets legal might to target spamming botnets (USA Today)
• R.I.P. Waledac: Undoing the damage of a botnet (The Official Microsoft Blog)
• SETI@Home web site

Related Posts

No related posts.

In its security bulletin summary for September 2010 Microsoft has published four updates for critical and five updates for important vulnerabilities in its operating systems / applications.

Critical is Microsoft’s highest vulnerability rating.

A summary describing briefly the vulnerabilities is available from Microsoft’s Security Bulletin Summary for September 2010.
From this page you will also find links to more detailed information in Microsoft’s Security Bulletins MS10-061- MS10-069.

The critical updates address the following issues:

• One publicly disclosed vulnerability in the Print Spooler service.
• One privately reported vulnerability in MPEG-4 codec.
• One privately reported vulnerability in the Unicode Scripts Processor.
• One privately reported vulnerability in Microsoft Outlook.

Updates that fixes the vulnerabilities are available from Windows automatic update mechanism for systems that support this. Alternatively, one may download updates from http://windowsupdate.microsoft.com.

Norman advices all affected users to download the relevant security updates as soon as possible, to be protected from potential exploits.

Related Posts

No related posts.

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions. Adobe Reader and Acrobat version 9.3.4 and earlier versions are also vulnerable.

This is another vulnerability than the one reported last week – see our Security advisory 9 September.

Critical is Adobe’s highest vulnerability rating and could when exploited allow malicious native-code to execute, potentially without a user being aware.

There are reports that this vulnerability is being actively exploited. As of this writing no updates are available.

Adobe has announced that security updates are being prepared for release:

• week 39 for Adobe Flash Player
• week 40 for Adobe Reader and Acrobat

More information is available in Adobe’s security advisory 10-03. 

This security advisory will be updated when more information is available.

Related Posts

No related posts.

Introduction

Fake antimalware software has become an increasing problem for end users and corporations. The creators of these rogue applications are able to earn easy money and are constantly searching for new ways to exploit their victims.

A new technique has recently been seen. We shall look at this in more detail in this security article, and attempt to point to some general considerations regarding this type of software and malware in general.

Case study

One of the newer attempts to trick users into installing rogue antimalware software is to use the web browser as the trigger.

When a user visits a web page that is infected (usually without the web owner’s knowledge), a warning page appears. This warning is made to look similar to the general warning page the browser will show whenever it encounters a web site/page that is “flagged” as malicious.

The warnings look like this for the two most popular web browsers:

Firefox

Internet explorer

The main difference from the browsers’ normal warning pages is the option to ”upgrade” to a reliable solution for malware scanning.

This, however turns out to download one of the usual fake antimalware scanners, which family should be familiar. In this particular case, Win7 AV is the culprit. As usual the fake antimalware product “finds” that the computer is infected (which may have nothing to do with reality), and encourages purchase of the complete product.

Interestingly, the fake antimalware’s product page closely resembles Microsoft’s page for the security software Microsoft Security Essentials, another trick on the author’s side to make the scam easier to buy into.  

Generalization

Of course it has value in itself to be aware of this particular piece of malware and its spreading mechanism. Incidentally Norman’s security software detects this as W32/MSIL/Zeven.A.

It would however, be even more useful is if we are able to learn something which can be used in a more general manner.

There are some characteristics of this particular scheme that are of a general character and therefore worth focusing upon:

• The initial bait uses a perversion of a security mechanism in the browsers – a trusted security instrument for most users.
• The next step in the scheme uses a standard trick: Implying that there is a security issue on your computer (when there is none).
• Step three uses a web page that is made to look like a quite well-known security page (from Microsoft).

Whenever one encounters an issue like this, it is wise to stop, think, and, if relevant, proceed with caution.

Ask yourself some control questions:

• Is this the way the vendors of web browsers inform their users that security updates are available?

  Generalization: Beware of unusual behavior!  
   

• Would big software vendors (in this case Microsoft, Mozilla, Google) link to a third-party web site for product downloads/purchases?

  Generalization: Check the URL in your browser!  Does it comply with the web site the link suggested?
   

• Does anything seems strange? (Are there spelling mistakes or strange wordings, which may imply that professional software vendors are not involved.)

  Generalization: Watch out for unprofessionalism!  

Related Posts

No related posts.

Related Posts

No related posts.