Archive for Security

Nov 10

Conficker: In Retrospect


There are a few cardinal rules when it comes to computer security. These rules are easy to follow and can prevent a great many virus and malware infections. The first rule, of course, is to use strong passwords. The second rule is to update your software. The third rule is to use some form of anti-malware tool. These three rules are basic and have been around for decades now. What is surprising is how few users follow these three simple rules, and it was this lack of adherence that set the stage for the Conficker virus to infect 4% of all PCs in the world at its zenith.

The Three Functions of Conficker

Conficker (a.k.a. Downup, Downandup, and Kido) first surfaced at the tail end of November 2008. It was a rather simple virus with only three main functions: self-propagate, shut down security, and report back to the command servers.

In order to self-propagate, the worm used a Windows buffer overrun vulnerability. It does so by sending out an RPC (remote procedure call) request, and once the overrun occurs it launches code to download the worm file and install it on the new machine. But in order to get to that part in the first place, the worm uses brute force attacks to get the Administrator password. Sadly, the brute force password table the worm uses includes such "heavy" passwords as 1, 1111, 1234567, admin, test, and the like.

Once the virus has gained access to the new computer, it ensures its own survival by shutting down the wuauserv (Windows Update) service and the BITS (Background Intelligent Transfer Service) service. Windows uses both services to download updates. With those services shut down, Conficker creates a block list for web sites containing certain keywords such as threatexpert, pctools, eset, norton, mcafee, sophos, trendmicro, and the list goes on. Essentially, any web site where you can get tools to scan your system becomes blacklisted.
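An added example, not from the original post: a small host check that looks for the two survival behaviours just described, stopped update services and security-vendor sites that no longer resolve while other lookups succeed. The service-state and resolver-log formats, and the sample records, are constructed for illustration.

```python
# Indicators taken from the post: services Conficker stops, and vendor
# keywords it blocks so the user cannot reach cleanup tools.
UPDATE_SERVICES = {"wuauserv", "BITS"}
VENDOR_KEYWORDS = ("threatexpert", "pctools", "eset", "norton",
                   "mcafee", "sophos", "trendmicro")

def stopped_update_services(service_lines):
    """service_lines: constructed 'name state' records, e.g. 'wuauserv STOPPED'.
    Returns the update services that are not RUNNING."""
    stopped = set()
    for line in service_lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] in UPDATE_SERVICES and parts[1].upper() != "RUNNING":
            stopped.add(parts[0])
    return stopped

def blocked_vendor_sites(dns_lines):
    """dns_lines: constructed 'domain status' records from a resolver log.
    Flags vendor domains that fail while other lookups succeed, which is the
    pattern the post describes (only tool-download sites become unreachable).
    If nothing else resolves either, the host is probably just offline."""
    failed_vendor, ok_other = set(), 0
    for line in dns_lines:
        domain, status = line.split()
        is_vendor = any(k in domain.lower() for k in VENDOR_KEYWORDS)
        if is_vendor and status != "OK":
            failed_vendor.add(domain)
        elif not is_vendor and status == "OK":
            ok_other += 1
    return failed_vendor if ok_other else set()

def assess(service_lines, dns_lines):
    """Combine both signals; require both before calling the host Conficker-like."""
    stopped = stopped_update_services(service_lines)
    blocked = blocked_vendor_sites(dns_lines)
    return {
        "stopped_services": sorted(stopped),
        "blocked_vendor_sites": sorted(blocked),
        "conficker_like": bool(stopped) and len(blocked) >= 2,
    }

# Constructed sample data resembling an infected host.
SAMPLE_SERVICES = ["wuauserv STOPPED", "BITS STOPPED", "Dnscache RUNNING"]
SAMPLE_DNS = ["www.sophos.com NXDOMAIN", "www.mcafee.com NXDOMAIN",
              "www.eset.com NXDOMAIN", "www.example.com OK", "update.microsoft.com OK"]

if __name__ == "__main__":
    print(assess(SAMPLE_SERVICES, SAMPLE_DNS))
```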

The last function of Conficker is to report back to the master control server and receive updates, information, and further commands. It is this function that makes Conficker an agent of one of the largest botnets in the world. What is surprising, though, is that this botnet is still dormant.

The exploits that Conficker uses are all easily fixed. In fact, if Windows users had been using only the bare minimum of security protection (i.e. following the three rules), Conficker would probably have been DOA. The Windows vulnerability Conficker exploits to cause the buffer overrun had already been patched by Microsoft the previous month. It does not generate passwords for its brute force attack; instead it uses a table of passwords, and the passwords in that table are the type that no self-respecting PC user would ever use. Lastly, many of the big-name anti-virus software companies were able to clean the threat the moment it went live. Several other anti-virus vendors issued updates to their software within days of the initial sighting.

That is how Conficker could have ended. The reality however is much, much different.

Rise of a Botnet Super Power

Conficker first surfaced November 21st, 2008. In the beginning of January, some reports estimated the number of infected computers to be around the 3 million mark. Other reports put it around 2.4 million. F-Secure, an anti-virus security firm, estimated the number to be closer to 9 million on January 19th. Infections were, and still are, difficult to track considering the ease with which the virus spreads and how quickly it can be removed once discovered.

Security experts managed to hack the Conficker virus and made a list of the servers it calls for updates and instructions. This breakthrough led investigators to determine that the author of the Conficker virus had something planned for April 1st, 2009. The media scrambled to release the information. Although more computer users were actively searching for and removing infections, some researchers concluded that the month of January ended with roughly 15 million infected computers.

Spearheading the movement to shut down Conficker, a group of researchers formed the Conficker Work Group. One of the goals of the Work Group was to learn the algorithm Conficker used to contact domains to receive instructions. Upon learning the algorithm, the Work Group set out to use the information to track infections and to shut down the command servers. Without instructions, Conficker would be doomed to extinction. In retaliation, the author of Conficker built variant C.

Variant C used p2p technology, with each infected computer becoming a node in a massive update web. If one node received instructions, it would rapidly pass them to all the other infected computers. By removing the need for a centralized computer, the author essentially shut down the Work Group's ability to deactivate Conficker. What's more, instructions were digitally signed to prevent others from sending their own instructions to the new worm.

The beginning of February shows a different side to the Conficker virus. Originally, the media believed that only home users, small to midsized businesses, and a few data center users had been infected. However, reports began coming out that the French naval air force, Great Britain's RAF and Royal Navy, as well as a number of Fortune 1000 companies, were affected by the virus. The virus effectively stopped the French from flying their Rafale multi-role combat interceptors for a number of days, and the infection managed to get into the French Intramar navy computer network. In the UK, infections hit more than 24 RAF bases and 75% of the Royal Navy fleet. Estimates of the number of infections ranged between 9 and 15 million.

April Fool's Day came and went without much fanfare. The expected bombshell everyone was waiting for happened without a single shot fired. The fact that the programmed event did not occur means that the Conficker botnet had received new instructions. The new instructions could mean that anything is possible. The media response, on the other hand, likened Conficker to the Y2K bug, and several articles explained how the Conficker threat had been exaggerated. By mid-April the estimates fluctuated wildly, from an estimated 4.6 million infected PCs to as many as 4% of the entire PC population.

At the end of April, Conficker made its move. The botnet downloaded a second virus, which sends out email spam. Conficker then downloaded a third virus that warns the computer user that their computer is infected by a harmful computer virus and requires the fake anti-virus software Spyware Protect 2009. After a user purchases the software for $49.95, their credit card information is stolen and the new program goes on to perform more mischief on the user's computer.

Since then, Conficker has remained unstoppable and uncapturable. The number of infections has reached the 7 million mark (unlike previous estimates, this figure has received broad consensus). It has also remained fairly quiet considering its size and its ability to run malicious code on command.

It is threats like Conficker that show how important protecting your PC truly is. If users had been updating their software, if users had been using strong passwords, and if users had been using security software, Conficker would not have even emerged as a threat, nor would it be in the position of power it is today.

Categories : Security

Sep 30

Partnerka: Get Paid for Infecting Macs


Reading the blogs from Sophos, I came upon a gem, Earn 43 cents every time you infect a Mac. What is even more spectacular about this is the fact that I just read (maybe a week or two ago) a news article that asks do Mac users really need to have anti-virus software?

When I first read it I was flabbergasted (the article, not the blog). That sort of question is like asking, "your car – does it really need seat belts?" For the most part, when you drive you will not be in a life and death situation. Seatbelts are used in case an accident occurs, not because accidents happen 20-30 times a day. Anti-virus software for a Mac is a prevention tool, not something to be considered after all the information has been formatted and your system has become a spambot zombie.

Now when I see this 43 cents per infected Mac, well, here is the ammo I need if the last argument wasn't good enough (we do have people who drive without seatbelts, text while speeding down the highway and read newspapers while in traffic, so you never know). The Russian spamming and malware mob (partnerka) is after your Mac!

To elaborate further, Sophos' Paul Ducklin posted a blog linking to Dmitry Samosseiko's (security researcher and analyst extraordinaire from Sophos Canada) paper on partnerka. It's a good read; see the link to the blog and the link to the paper. In the paper, Dmitry discusses the lucrative industry of Mac malware scams, with many would-be malware spreaders making roughly $5k in some 11 days of effort.

Before the Internet, when we moved files via floppies, null modem connections, and the like, even then it was good policy to have anti-virus software on your system. I can't tell you how many computers I saw fail on March 6th because people didn't do a simple virus scan for the Michelangelo virus.

It doesn't matter the OS, the type of system (desktop, laptop, blade server), or even whether it's connected to the Internet: a computer should have security programs on it at the very least. You should have anti-virus, anti-malware, and some sort of firewall.

Categories : Security

Sep 18

Botnet Causes Click Fraud


The Bahama botnet, so named by Click Forensics, has found a means to mask its clicks and traffic as legitimate clicks, and because of this click fraud will be seeing a surge.

It is really an elegant solution. First off, it's a botnet, so these clicks are coming from a variety of IPs, which gets past the basic click fraud filter (too many clicks from the same IP automatically gets flagged as fraudulent). Second, the botnet masks the source of the clicks. So instead of the PPC network seeing the clicks come from some non-disclosed location in the Bahamas, the network sees the click as coming from a university, a government office, or even a library. Thirdly, this is not a strong-arm tactic: the intervals between fraudulent clicks are irregular, so the network could click an ad and then wait an hour to click it again, or it could wait six minutes or 38 minutes, whatever.

The means by which the infection spread was equally elegant. Remember not too long ago that the New York Times was tricked into putting a malicious ad on its web site? That had a hand in this. The Facebook virus scare dubbed Fan Check likewise had a hand in this. The malware used in the "virus removal kits" for the Fan Check "virus" and the malware used with the Times ad are eerily similar to the malware used with the Bahama botnet.

The problem with an attack like this is that it's very hard to determine what is fraud and what isn't. I would liken it to spam. Some spam is very easy to catch, just as some click fraud is clumsy and easily found. It's when the fraud begins to mimic normal human patterns that you have the difficulty, and if the code for the Bahama botnet becomes more refined it may be nigh impossible to separate fraud from truth.

Categories : Security

Aug 23

Next Generation of Email Security

The more I read about the "next generation" of anything, the more I feel that the term "next generation" is overused. Nonetheless, let's look into what the next generation of email security would entail.

The bulk of vendors using the "next generation" moniker when it comes to email are anti-spam companies, and let's face it, there is a very good reason for that. The first generation of anti-spam software did not solve the problem. Nor did it slow the problem. In fact, the bulk of anti-spam countermeasures have done next to nothing.

At Hostingcon 2009, I was at a session where representatives from Rackspace and Cloudmark were discussing anti-spam software and someone posted on the Twitter board that they thought the next generation of email security would be passwords and encryption.

I have to beg to differ with this reasoning. Password and encrypted email technologies have been around for a very long time. The only thing that is needed in that department is adoption, not necessarily more tools. There are already tools that add an encryption layer to programs such as Microsoft Exchange. The only failure of those tools is that very few people actually use them.

Spam, on the other hand, has three major problems that have not been addressed. First off, high levels of spam flood networks and use up server and network resources. Second, spam can be a vector for malware. Third, current anti-spam products have a problem with false positives: by putting legitimate business email into a spam folder or even the trash, they make employees waste countless hours sifting through junk folders to find emails that are necessary to their work.

According to a report by Symantec back in May of this year, spam accounts for 90% of all email. At that volume, spam doesn't just hassle users; it costs data centers hundreds of millions, if not billions, of dollars in power, maintenance, and hardware costs each year, globally.

When we look at the security threats that email faces every day, spam IS the highest priority, and therefore the future of email security will be anti-spam software until the problem is resolved, if ever. Now, a solution like Cloudmark's CloudFilter is very much an innovative means of solving the spam problem and all of its side issues. By removing spam before it gets to a network mail server, CloudFilter saves the data center a great deal of money and protects users by keeping malware out of their inboxes.

So when Cloudmark says they are offering the next generation of email security… well I am inclined to agree.

Categories : Security

The attacks that hijacked more than 130 million credit and debit cards were easily preventable. TJX, Heartland, and Hannaford breaches used some of the most basic of hacker technologies and should never have gone the distance.

130 million cards, and damages in the billions, if not the hundreds of billions, of dollars were caused by SQL injection, sniffers, and backdoor malware. This was not overly complicated code written by world-class hackers; these were moderately difficult techniques that are employed on a constant basis.

Indeed, the Web Hacking Incident Database labels SQL injection as the most commonly exploited flaw in a Web application. Sniffers were deployed to capture credit card data and were used in concert with breaches of the database to collect the necessary information. Backdoor malware was used to transmit the data back to the attackers' servers. Once the initial breach was made, the hackers "installed" the sniffers and the malware to complete the process of collecting card information and sending it back.

What's even more amazing about this is the fact that the FBI and Secret Service had sent out a warning that talked about the various ways hackers exploit known problems to capture card data. Security experts who looked at these three cases determined that the warning was almost an exact blueprint of each breach.

You may not have access to several million credit cards. Your web site might not be a financial institution. Your web site might only have a modest number of customers and be a relatively minor player in your industry. Regardless of what your site is, you owe it to your customers, your readership, and yourself to provide a secure environment. The tools for preventing SQL injection, XSS, malware distribution and the like are available. Get educated and get secure.
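An added example, not from the original post: the kind of card lookup the breaches above abused, written first with user input concatenated into the SQL text and then with a parameterized query, which is the standard prevention the post refers to. The table, rows and tautology input are constructed in memory for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a merchant's card store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, last4 TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)",
                     [("alice", "1111"), ("bob", "2222"), ("carol", "3333")])
    return conn

def lookup_vulnerable(conn, holder):
    # User input is pasted into the SQL text, so the input can change the
    # query's meaning instead of just supplying a value to compare against.
    sql = "SELECT last4 FROM cards WHERE holder = '" + holder + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, holder):
    # The ? placeholder sends the value to the driver separately from the SQL;
    # whatever the string contains, it is only ever compared as data.
    sql = "SELECT last4 FROM cards WHERE holder = ?"
    return [row[0] for row in conn.execute(sql, (holder,))]

# Constructed input: a tautology that is true for every row once concatenated.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "alice"), lookup_safe(conn, "alice"))
    print(lookup_vulnerable(conn, TAUTOLOGY))  # every card in the table leaks
    print(lookup_safe(conn, TAUTOLOGY))        # no holder has that name: []
```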

Categories : Security

About Us

WebHostBlog comes from the creators and staff of Web Host Magazine & Buyer's Guide (WebHostMagazine.com). WebHostBlog has been a source for Web hosting information and marketing tips for three years. Along with news and information on the Web hosting industry, WebHostBlog.com has covered topics such as business strategy and marketing and continues to be a quality resource for host-related subjects.
