Archive for the 'exploit' Category
Tuesday, February 16th, 2010
While serving in the Marine Corps, one activity that I felt was effective in preparing both myself and my unit to handle real-world scenarios was getting as much experience as possible from military training exercises. In most cases multiple branches worked together or, as with NATO exercises, multiple countries worked together. The goal was always to prepare us for various potential scenarios and to learn to adapt quickly, because the permutations of attacker, weapons, target, collateral damage and so on are impossible to enumerate in advance.
Today the Bipartisan Policy Center (BPC) held a simulated cyber attack against the United States. The goal was to take a group of former high-ranking Cabinet and national security officials and have them advise the president throughout the crisis. Their responses were given in real time, as were the intelligence and news feeds. The full list of participants is available from the PRNewsWire press release (http://www.prnewswire.com/news-releases/cyber-shockwave-hits-washington-83570087.html).
The exercise began at 10 am EST and lasted for three hours. During that time, the attack escalated from cellular networks to electrical utilities. The exercise was designed by former CIA Director Michael Hayden in partnership with the BPC.

To understand the scope and capabilities of the adversaries we are facing in today's connected world, I selected what I thought was a very applicable report: Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence. This report is from the congressional testimony on February 2, 2010, by US Director of National Intelligence, Dennis Blair. Below are samples of his comments:
"The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools."
"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."
The full testimony (PDF) is available here (http://www.dni.gov/testimonies/20100202_testimony.pdf)
This brings to mind the old adage, "fight fire with fire" – which is applicable when combating cybercrime and cyber attackers. Continually increasing global cooperation (for instance: laws, extradition agreements, criminal sentences) coupled with fast-paced innovation can have the direct impact of not only closing the gap, but also quite simply putting them in a "hurt locker" (aka "world of hurt") since, in many cases, cybercriminals/attackers don't feel pain commensurate with the scale and scope of their crimes.
I brought up cybercrime because a number of the tools and techniques are similar or identical between cybercriminals and those that would wage cyber warfare. In fact, if you were to follow the money trail of all cybercrime activity there is a very high probability that you will ultimately encounter an adversary that is planning, or conducting, cyber attacks against the United States.
By now you can read about operation Cyber ShockWave from just about anywhere on the 'net. You can also go to the Bipartisan Policy Center's web site directly: http://www.bipartisanpolicy.org/events/cyber2010. This weekend CNN will be providing special coverage of Cyber ShockWave (Saturday February 20).
Hopefully this exercise provided realistic attacks and the video coverage will show the decision-makers "making the call" in different scenarios. For obvious reasons, the "big gaping holes" shouldn't be exposed to the world, but at the very least, it does bring awareness to a problem that governments across the world face on a daily basis – how to handle the dynamic nature of threats as they continually evolve.
Jeff Debrosse
Sr. Research Director
Posted in General, Russia, Threat Report, Web 2.0, Worm, cybercrime, cyberwarfare, eavesdropping, email spoofing, encryption, espionage, exploit, future technology, money mule, politics, surveillance, terrorism, threat trends, vulnerability, web security | No Comments »
Tuesday, November 10th, 2009
I recently learned a new acronym: SODDI (Some Other Dude Did It). It refers to the defense that criminals routinely use (plausible deniability), and even more so when it comes to illicit activities on the Internet.
On Sunday, November 8th 2009 the Associated Press published an article about an individual who was accused of possessing child pornography. After 11 months, and at a personal expense of $250,000, computer forensics proved that the computer had been infected with malware designed to download illegal content. Malicious software was the culprit at work behind the scenes.
This scenario had been discussed for quite a few years as a potential liability for any infected computer. Software designed for remote operation can surreptitiously download any kind of digital material to a person’s machine, or establish connections to (or probe and attack) any target. This would make the owner of the infected computer appear to have broken one or more laws, including illegally accessing a network, theft of intellectual property (IP) and possession of child pornography, to name a few. Basically, any action that an attacker or criminal can perform directly on the Internet can also be duplicated and executed from a victim’s computer. The end result is truly horrific for the victims, who have to defend themselves when the trail leads to them and seemingly stops at their computers.
There are numerous examples of this occurring. For instance, substitute school teacher Julie Amero’s life was undeniably, and tragically, altered after the school computer she was using in a 7th grade classroom started displaying pornographic images to her students. After significant expense, the loss of a teaching career and other losses, she was finally convicted of a lesser charge (in 2008) and given a reduced fine.
Cases like these are where several (of many) cybercrime issues converge:
- Laws: many legal systems still struggle to catch up with cybercrimes
- Plausible deniability: the challenge of proving that a person is the one that used their computer to commit an act (usually a criminal act)
- Attribution: lack of attribution across the Internet impairs the ability to accurately, and with a high degree of confidence, trace internet connections/packets back to their source(s)
When two or more of these elements are combined, the end result is typically a confusing, and potentially indefensible, body of forensic data that can either let a criminal “walk” or cause an innocent person to be charged, tried and sentenced.
In any war there is a term known as “collateral damage”. In the war against cybercriminals, the collateral damage is clear and unmistakable. As a society, when we gain more overall forensic analysis experience and systems are capable of providing more accurate attributable information, we should see a diminishing number of cases of innocent victims and more/stiffer convictions for the bad guys.
Jeff Debrosse
Senior Research Director
Posted in Jeff Debrosse, Security, Trojan downloader, Worm, cybercrime, end-user security, exploit, forensics, malicious URLs, malicious links, malware, personal firewall, phish, phishing, scare stories, threat trends, virus, vulnerability, web security | No Comments »
Tuesday, October 6th, 2009
ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud. You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site. While the report identifies a number of different types of malware, in this article I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.
Conficker
While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections. This was actually a slight upswing from August’s 10.12%, which, given that many businesses have employees on vacation during the summer, is not unexpected, and it is still below the 12.58% seen in July. The Win32/Conficker worm spreads using several vectors: unpatched operating systems, weakly protected network shares and AutoRun on removable media such as USB flash drives. ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF file to every 4.8 executable file detections of the worm.
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks out there where the worm is spreading. While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
- If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems. It is also a good idea to install the MS08-068 and MS09-001 patches as well.
- Disable AutoRun on removable media. More about this below.
- Use strong passwords. The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares. A list is mentioned in this news article. For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here. We also have a white paper on the subject.
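The third point is the one most often skipped in practice. As an added example (not ESET's or the worm's code), the Python below shows the kind of pre-enforcement check that rejects credentials a Conficker-class worm would guess when trying to log on to network shares. The WEAK_DICTIONARY is a constructed sample in the style of the worm's list, not the real list; the username-derived candidates (the account name itself, reversed, doubled, or with digits appended) mirror behaviour described in public analyses of the worm and are an assumption for this example.

```python
"""Added example (not ESET's or the worm's code): reject credentials that a
Conficker-class worm would guess when trying to log on to network shares.

WEAK_DICTIONARY is a constructed sample in the style of the worm's list, not
the real list. The username-derived candidates mirror behaviour described in
public analyses of the worm and are an assumption for this example.
"""
import re

WEAK_DICTIONARY = {
    "123", "1234", "12345", "123456", "1234567", "12345678",
    "password", "Password", "pass", "pass1", "pass123", "passwd",
    "admin", "Admin", "administrator", "root", "test", "guest", "owner",
    "qwerty", "letmein", "secret", "server", "computer", "login", "nopass",
    "internet", "intranet", "backup", "database", "oracle", "sql", "exchange",
    "home", "work", "office", "coffee", "mypass", "mypc", "mypc1",
}

# Digit strings a worm appends to the account name ("jsmith1", "jsmith12", ...).
DIGIT_SUFFIXES = ["1", "12", "123", "1234", "12345", "123456",
                  "1234567", "12345678", "123456789"]


def worm_candidates(username: str) -> set:
    """Passwords derivable from the account name alone."""
    u = username
    cands = {u, u.lower(), u.upper(), u.capitalize(), u[::-1], u + u}
    cands.update(u + d for d in DIGIT_SUFFIXES)
    return cands


def check_password(username: str, password: str, min_length: int = 12) -> list:
    """Return the policy violations for a proposed password (empty list = OK).

    The worm's guessing is case-sensitive, but we also fold case against the
    dictionary so that "PASSWORD" is rejected as well as "password".
    """
    problems = []
    if password in WEAK_DICTIONARY or password.lower() in WEAK_DICTIONARY:
        problems.append("in common-password dictionary")
    if password in worm_candidates(username):
        problems.append("derived from username")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for user, pw in [("jsmith", "Admin"), ("jsmith", "jsmith123"),
                     ("backup", "Gr8-Walrus!Tango")]:
        print(f"{user}/{pw}: {check_password(user, pw) or 'OK'}")
```

A check like this belongs wherever passwords are set (account provisioning scripts, a password filter, a periodic audit against exported hashes), since the worm does not care how strong the policy document is, only what the share actually accepts.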
Worms continue to spread quick as a flash
The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware. ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% of detections—and the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%. Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
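To make concrete what a generic check on an AUTORUN.INF file looks for, here is an added example in Python (not ESET's detection code, and not part of the original post). It parses the INI-style file tolerantly, because worm-generated files wrap a handful of real directives in binary junk, and flags the directives that actually launch code (open=, shellexecute=, shell\verb\command=) on removable media. Both sample files are constructed for this example; the rundll32, hidden-folder and "Open folder to view files" heuristics reflect publicly described worm tricks and are assumptions here, not figures from the report.

```python
"""Added example (not ESET's detection code): a tolerant AUTORUN.INF inspector
illustrating the kind of generic check that flags autorun files which launch
code. Both sample files are constructed for this example; the rundll32,
hidden-folder and "Open folder to view files" heuristics reflect publicly
described worm tricks and are assumptions here, not facts from the report.
"""
import re

LAUNCH_KEYS = {"open", "shellexecute"}          # run a program on insertion/open
SECTION_RE = re.compile(r"^\s*\[([^\]]*)\]\s*$")
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][\w\\.\s-]*?)\s*=\s*(.*?)\s*$")
KEY_RE = re.compile(r"[a-z][\w\\.-]*")           # real INI keys contain no spaces
HIDDEN_DIR_RE = re.compile(r"recycler|recycled|\$recycle\.bin|system volume information", re.I)


def parse_autorun(data: bytes) -> dict:
    """Collect [autorun] directives; count everything else as noise.

    latin-1 decoding never fails, so binary padding around the real lines (a
    favourite obfuscation) is simply counted instead of aborting the parse.
    """
    text = data.decode("latin-1")
    section, directives, noise, total = None, {}, 0, 0
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if not line:
            continue
        total += 1
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = DIRECTIVE_RE.match(line)
        if m and section == "autorun":
            key = m.group(1).strip().lower()
            if KEY_RE.fullmatch(key):
                directives.setdefault(key, m.group(2))   # first occurrence wins
                continue
        noise += 1
    return {"directives": directives, "noise_lines": noise, "total_lines": total}


def inspect_autorun(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...], 'directives': {...}}."""
    parsed = parse_autorun(data)
    d = parsed["directives"]
    findings = []
    for key, value in d.items():
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        findings.append(f"{key}= launches {value!r}")
        if re.search(r"rundll32", value, re.I):
            findings.append("payload loaded via rundll32, so the DLL can carry any extension")
        if HIDDEN_DIR_RE.search(value):
            findings.append("payload kept in a folder Explorer hides by default")
    if "open folder" in d.get("action", "").lower():
        findings.append("action text imitates Explorer's own 'Open folder to view files' entry")
    if "shell32.dll" in d.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll to look like a built-in item")
    if parsed["noise_lines"] >= 20:
        findings.append(f"{parsed['noise_lines']} junk lines padding a handful of directives")
    return {"suspicious": any(" launches " in f for f in findings),
            "findings": findings, "directives": d}


# Constructed samples. A vendor CD that only sets an icon and a label:
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Driver CD\r\n[Content]\r\nMusicFiles=false\r\n"
# A worm-style file: binary junk sections around directives that masquerade as
# Explorer's folder entry and load a DLL from the recycle bin via rundll32.
_JUNK = b"".join(b"[%d]\r\nqq%d=\xbe\xad\xde\r\n" % (i, i) for i in range(30))
MALICIOUS = (_JUNK + b"[autorun]\r\n"
             b"action=Open folder to view files\r\n"
             b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
             b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-1234\\payload.vmx,Entry\r\n"
             b"shell\\open\\command=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-1234\\payload.vmx,Entry\r\n"
             b"useautoplay=1\r\n" + _JUNK)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("worm-style", MALICIOUS)):
        result = inspect_autorun(sample)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

Any launch directive at all is enough to mark a removable-media autorun file as suspicious, since that is precisely the behaviour the next paragraphs recommend switching off; the extra findings only separate a worm that is dressed up as a folder from a vendor CD that merely wants to start its installer.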
In order to block malware which spreads in this fashion, the option to use AutoRun on removable media needs to be disabled. This has been discussed earlier in ESET’s Threat blog here and here, and US-CERT, a federal agency responsible for securing the government’s computers, gives instructions here as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers, will implement this change, and it has been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008. For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
As mentioned previously, anti-malware software is only part of the security equation. Removing this unneeded functionality from your PC immunizes it against a technique used by nearly a fifth of the malware we detected in September (Conficker, INF/Autorun and Win32/Autorun together). The tools and techniques used to disable AutoRun can be applied in under a minute on a single PC and are easily scriptable, so they can be employed in a managed computer environment with a minimum of effort. We strongly recommend doing this.
Conclusion
As you can see, malware relies on a number of ways to spread. Some of them are closed by updating the operating system; others require changing default behaviors that were chosen in less security-conscious times to more secure, modern settings.
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
Regards,
Aryeh Goretsky MVP, ZCSE
Distinguished Researcher
Posted in Aryeh Goretsky, Conficker, ESET, General, Global Threat Report, INF/Autorun, MS08-067, News, PSW.OnLineGames, Threat Report, ThreatSense, Trojan, Trojan downloader, Win32/Agent, Windows, Worm, admin shares, anti-malware, autoinfect, autorun, botnet, browser security, confiker, downadup, exploit, kido, malware, open shares, patch, patch management, threat trends, top ten, virus | 8 Comments »
Thursday, October 1st, 2009
"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961
If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."
Today the current global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.
With roughly 5 billion people still to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.
The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.
The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks, where a person is socially engineered into providing personally identifiable information by someone posing as a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).
A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe that they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals who also have years of experience and have optimized their attack and evasion techniques.
Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.
Jeff Debrosse
Senior Research Director
Securing Our eCity community initiative: http://www.securingourecity.org/
Posted in General, Global Threat Report, Jeff Debrosse, Securing Our eCity, Social Engineering, Threat Report, Twitter, cybercrime, end-user security, ethics, exploit, facebook, fake anti-malware; fake software, identity theft, integrity, job scams, linkedin, malicious URLs, malicious links, money mule, password, password stealer, personal firewall, phish, phishing, recession, rogue antimalware, scams, social networking, society, training, user support, vulnerability | No Comments »
Tuesday, August 25th, 2009
Mac security firm Intego blogged about Apple’s decision to include an antimalware component in Mac OS X 10.6 "Snow Leopard" and we agree that it is a good step, security-wise, to provide some basic protection against malware. Apple has long mocked Microsoft, up to and including this 2006 advertisement which implied there were no viruses for Macs. While the nature of threats constantly evolves and viruses have long been supplanted by bots, Trojan horses, spyware and other threats as the dominant form of malware, it is important to keep in mind that two decades ago this was not the case.
At the close of the 1980s, there were more Mac-based viruses than there were for DOS. While simplistic and slow to replicate by today’s standards, viruses like INIT19, the MacMag Peace virus, MBDF, MDEF, nVIR, Scores and so forth were in the wild and did cause disruption when found. While the virus explosion that took place in the 1990s was primarily for Microsoft platforms (DOS, then 32-bit Windows and Office), there were still worms, Trojan horses and HyperCard (a scripting toolkit) infectors being created for MacOS, and even some Microsoft Office macro viruses were portable across platforms. While these Macintosh threats never reached the epidemic and pandemic proportions of malware seen on Windows, they were nuisances, especially to those who had to disinfect a lab of computers.
Today’s malware for Mac OS X is starting off as a trickle; however, as the Mac gains in popularity it is a given that the criminals who steal using malicious software will follow. After all, they care far less about your operating system than about the credentials for your bank account. In the last year, two proof-of-concept rootkits have been released, one by Dino Dai Zovi at Black Hat and one by nemo in the infamous Phrack magazine. ESET has responded by adding detection for around eight different families of malware specifically targeting Mac OS X.
Aryeh Goretsky
Distinguished Researcher
Posted in Apple, General, Mac, anti-malware, cybercrime, education, end-user security, exploit, malicious URLs, malicious links, malware, piracy | No Comments »
Tuesday, May 26th, 2009
In previous blogs, I mentioned that some of the presentations from the CARO workshop a couple of weeks ago were likely to be made available publicly.
Unfortunately for non-attendees, most of the presentations are only available to people who were there: however, some can be downloaded by the public from here.
In case I didn’t mention it before, the papers approved at the AMTSO (Anti-Malware Testing Standards Organization) workshop that followed it are now available here.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Posted in AMTSO, CARO, exploit, vulnerability | No Comments »
Friday, March 6th, 2009
As The Register has pointed out, the Microsoft Security Bulletin Advance Notification for March 2009 doesn’t mention a forthcoming patch for the Excel vulnerability we’ve already flagged in this blog here and here and here.
Since, as John Leyden remarks, the vulnerability is being actively exploited, it may seem that Microsoft are not taking the issue seriously enough, though they have already suggested some ways to reduce the risk, and are presumably aware that some anti-malware vendors are detecting the exploit generically – well, we are.
Additionally, the attacks still seem to be targeted rather than random, which keeps the numbers low (though as we pointed out before, a single compromised machine may cause harm to a great many people, if the attacker targeted the "right" person). However, it’s worth noting that according to a recent study by Phishme, targeted phishing (so-called spear phishing) may be a lot more effective than we realize. (They also note that phishes that use an "authoritative tone" are a lot more effective than phishes that offer some form of reward or inducement: remember my comments about bossy, bureaucratic phishes?)
Still, I’m not sure Leyden is right to assume that we’re not going to see a patch now until April. I don’t know how long it will take Microsoft to produce a patch they’re happy to release (and I don’t think it’s totally unreasonable of them to wait until they get it right rather than rush out an incompletely tested fix). However, I’d think the publicity alone generated by this issue is probably enough to ensure that they’ll put up an out-of-cycle patch when they’re ready, if necessary.
Meanwhile, I note that vulnerability researchers are continuing to beaver away at the Acrobat JBIG2 vulnerability. You might not get too excited at another Proof of Concept PDF that simply crashes Acrobat Reader 9 when it’s read – an application crash is unpleasant, but doesn’t have quite the excitement of something that installs malware – but a video showing three ways of executing malware without actually opening the PDF is more interesting. Looking at the detail, this turns out to be less dramatic than it sounds, but given this amount of interest, I hope that Adobe are on target with their fixes.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Posted in Adobe, Microsoft, exploit, vulnerability | No Comments »
Monday, March 2nd, 2009
This is a follow-up to our blog last week on targeted attacks exploiting a vulnerability found in a number of Excel versions, including Mac versions, viewers, and the Open XML File Format Converter for Mac.
While we already have a specific detection for the threat we call X97M/TrojanDropper.Agent.NAI, we also have generic detection for the exploit, flagged as X97M/Exploit.CVE-2009-0238.Gen. This detection was released on Friday evening in our update v.3895, and our ThreatSense.Net threat monitoring system is now returning hits on that detection, indicating that (a) the detection works! and (b) further attempts to exploit this vulnerability are already appearing, and more can be expected.
Since it rarely hurts to know what you’re dealing with or to diversify your countermeasures, here are some further suggestions from the Microsoft advisory about other ways to mitigate the risk:
- Users without administrative privileges who open a malicious document using this exploit may "be less affected." I’d certainly say that adhering to the "principle of least privilege" – that is, giving end users only the privileges they need to do their work, and no more – may not only mitigate the impact of any threat on their own system, but limit the effectiveness of the attack in reaching other systems and users.
- An affected file has to be opened to be effective, whether received in email as an attachment or left on a malicious web site. Be cautious and be prepared for social engineering attacks.
- Microsoft point out that users of the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. I’ve no experience with this tool, but I guess it’s like the "You should only open attachments from a trustworthy source" message in Outlook. Unfortunately, since in a targeted attack the malicious file usually looks as though it is from a trustworthy source, that may not offer much mitigation. Still, I guess it will at least cause a few people to think twice before they go ahead and open it.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Posted in Microsoft, exploit | No Comments »
Monday, January 19th, 2009
You might have noticed that Conficker (Downadup) is actually standing up rather well to all the attention it’s receiving at the moment.
Heise (a European publisher sending out a weekly security newsletter that’s often worth a closer look) reports that 2.5 million PCs are already infected. In The Register, Dan Goodin reports that the total has increased dramatically since Heise’s initial report to nearly 9 million. (If anyone is interested in how these figures were arrived at, F-Secure have described the process here: it’s guesswork, but it looks like sound guesswork to me.)
(Incidentally, I looked back at our ThreatSense.Net® statistics for December, and notice that Conficker had already made number 5 in our top ten detections of known malware worldwide by the end of that month, so we’re not exactly talking about a brand-new fast-burner!)
If you’ve read Randy’s earlier blog, you’ll know that while we take the present epidemic very seriously, there’s an argument for concentrating less on the alarming figures, and on attributing them to the supernatural powers of what some have described as a Superworm, and paying more attention to the fact that a fairly prosaic malicious program has managed to cause so much damage simply because so many people and sites aren’t taking the elementary precautions that would have dramatically mitigated Conficker’s impact.
Randy’s also participated in a podcast with Ira Victor that’s available now: I haven’t looked at it yet, but I’m sure it will be of interest and provide reassurance and sound advice to anyone feeling down about Downadup.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Posted in Conficker, David Harley, General, MS08-067, Randy Abrams, ThreatSense, Worm, confiker, downadup, exploit, malware, podcast, threat trends | 2 Comments »
Friday, January 16th, 2009
CNN reported that there is a new sleeper virus out there. http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html
There is nothing sleepy about the Conficker worm, it is wide awake and looking for people who are asleep at the security wheel.
CNN reports that Conficker could allow hackers to steal personal and financial data, and they also report that “it is not very serious in terms of what it does. So far it doesn’t try to steal personal information or credit card details.”
Huh? Ok, I’ll follow suit… Conficker could allow hackers to rig elections and shut down critical power and communications infrastructure, but it doesn’t.
What Conficker could allow hackers to do is truly as irrelevant as it gets. The conditions that allow Conficker to spread mean that any semi-skilled hacker or malware author can do the same and much worse with complete and total impunity.
Conficker was one of the first worms to exploit a fairly recent and serious security vulnerability in Windows (MS08-067). Conficker doesn’t stop there though; it is also able to guess passwords set by people who do not understand security (think Twitter admin). Yes, Conficker can guess weak passwords. Conficker also exploits autorun, a vulnerability that Microsoft should have patched a long time ago, but MS insists that auto-infection is a feature. Companies that make digital photo frames, MP3 players, GPS systems, and other assorted USB devices have really embraced the auto-infect technology too!!!
To Microsoft’s credit, most of the infections are coming from the corporate space. Why is this to Microsoft’s credit? Because it means that Windows Update is working pretty well in homes, where it is usually allowed to work.
For businesses this is a dismal finding. It means that standard security basics are not being enforced. There is really sobering news here. Perhaps businesses are not investing in security. An IT person needs some budget and time to do his or her job. Maybe businesses do not know how to evaluate competent security professionals to put in charge. “We needed time to test” is not an excuse for not having deployed the patch for MS08-067. If there is a legitimate reason for not having deployed the patch, then there are many other layers of defense that should be in place for protection.
Conficker should be a complete non-story, and actually it is not the story. The real story is that people are still not doing the basics. Keep your systems patched, keep your applications patched, and require and use strong passwords.
Randy Abrams
Director of Technical Education
Posted in News, Randy Abrams, Security, Worm, data leakage, downadup, education, exploit, malware, password, patch, training, virus, vulnerability | 7 Comments »