Domain: secureworks.com
Stories and comments across the archive that link to secureworks.com.
Comments · 45
-
Evidence
No mention of the SecureWorks analysis in the lawsuit..?
https://www.secureworks.com/re...
Was the most interesting assessment. -
I told you already: OFTEN AS YOU LIKE! apk
See subject & my sources my program gets do it @ diff. intervals ALL AROUND THE CLOCK & I go 'above & beyond it' personally - how?
SECURITY SITES I WILL LIST FOR YOU (these are excellent finding all kinds of exploiters & malicious sites/servers galore for ALL types of threats):
http://blog.talosintelligence....
https://www.welivesecurity.com...
https://blog.malwarebytes.com/
https://researchcenter.paloalt...
https://www.bleepingcomputer.c...
https://securityintelligence.c...
https://www.cyren.com/blog
http://garwarner.blogspot.com/
http://www.malwaretech.com/
https://securelist.com/all/?ca...
https://www.fireeye.com/blog/t...
https://www.secureworks.com/re...
https://research.checkpoint.co...
http://blog.trendmicro.com/tre...
https://www.proofpoint.com/us/...
https://blog.comodo.com/catego...
That's 25 sources in total from the security community that UPDATE all the time around the clock - my program makes easy work of consolidating all that data is all! It works (see testimonials I posted in my other replies to you from /. peers).
APK
P.S.=>
... & YOU, personally, have FULL CONTROL OF THE DATA (try that w/ addons OR a REMOTE DNS - good luck on the latter & the former? You'd best know regular expressions)... apk -
Re:Inventing IP addresses
You're not looking in (or being shown) the right places. As one example, I'll explain the Podesta "hack". Everything I say here comes from a particular thread on Twitter, which does a far better analysis than I will attempt here, or sources linked therein.
Yes, it was phishing. I wouldn't call the phish email "super-obvious", as it matches Google's style pretty much exactly. The key detail is that the phish link went to a bit.ly site, notably created via the bit.ly API, which requires creating an account. From information leaked from that account by researchers at the time, the same phishing campaign went to about 1800 people, individually targeted but using a common framework.
It's primarily from that mass of targets that we can determine motive, and from that we can attribute who had that motive. Almost two thirds of the targets were either military personnel or authors. Of the authors, about half were experts on Russia or the Ukraine. Of the military and government personnel, two thirds were U.S.-based, 14% were linked to NATO, and a few key Syrian rebel personnel were targeted as well.
Basically, the campaign that hit Podesta also targeted a lot of other folks, and the common thread is that Russia would want intelligence on them. There was no malware involved to be dissected, and no attempt to hide the origin of the campaign. In fact, the only way the analysis was possible was because the attackers had not set their bit.ly account private before they were discovered (though they did later). If the account were private, tracing a single victim's attack would have led only to a probably-hijacked server with a .tk domain.
(end citing the Twitter thread)
Similarly, other attacks can be attributed by the infrastructure they use. Some recent attacks on election committees, for example, used C&C servers that had previously been used in other attacks against Turkish and Ukrainian governments, strongly indicating that the perpetrators of all the attacks were adversarial to Turkey and Ukraine.
In other attacks where malware and persistence are involved (like the DNC hack), expert analysis usually relies on identifying precisely which APT group is responsible for the attack. Each APT typically operates independently, using their own in-house-developed tools and preferred techniques. That's perfectly reasonable, because when the goal is stealth, an attacker will use the techniques they're most comfortable with to avoid costly mistakes. Once they are identified, though, that becomes a weakness, as the same pattern can be identified in other victim systems.
It is easy to spoof identifiers. Names, strings, and addresses can all be manipulated. What is more difficult to fake are behavior patterns. When a server starts seeing access requests for files starting every day at 2AM and ending at 10AM, it's a decent indicator that somebody with a seven-hour time zone difference is poking at your systems. Yes, that can be manipulated by having the attack teams work at odd hours, but it's just another bit of data. Then there's the localization of tools, exempted targets, and even the order in which tools are deployed.
Remember: These aren't amateurs. The attackers involved are professionals, clocking in and doing a job. There are the good ones, there are the sloppy ones, and there are the managers who make stupid decisions they have to deal with, just like in any other government office. They have their routines they follow to make it through the day, and it's through analysis of those routines that analysts learn about the attackers.
-
Re:Competency
Again, iptables tarpit doesn't use any connection. It handles the tarpitting before initiating a connection by fooling the attacker into believing a connection is open but no connection overhead takes place on the host.
Just read the fine man page:
https://linux.die.net/man/8/ip...:
"TARPIT: Captures and holds incoming TCP connections using no local per-connection resources..." -
Re:Clinton, Podesta, Putin and Trump
Click on the first link, it's the actual report from SecureWorks
Their evidence is that Russian hackers have, in the past, built Gmail spoofing pages to spearphish people in Ukraine/etc. Because Russians have done a similar campaign before, they assume this is Russians again. They are moderately confident that it is Russian agents. (They leave it ambiguous whether it is state-sponsored or not). -
8 MALWARES ABUSING DNS FOR ATTACKS
Coreflood, Fareit, NJWorm, Citadel, DNS Changer, Panix, GhostClick:
FAREIT ATTACKS:
http://www.theregister.co.uk/2...
COREFLOOD ATTACKS:
http://www.secureworks.com/cyb...
LAND ATTACKS:
http://www.dshield.org/diary/L...
NJWORM ATTACKS:
http://threatpost.com/njw0rm-a...
CITADEL DNS ATTACKS:
http://www.webopedia.com/TERM/...
PANIX ATTACKS:
http://www.dshield.org/diary/P...
GHOSTCLICK ATTACKS:
http://www.dshield.org/diary/F...
DNS CHANGER:
http://news.slashdot.org/story...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
APK
P.S.=> Next is DNS being abused in SEO DNS piggybacking + ABUSING BGP via DNS... apk
-
Re:a Synology NAS
You think those packages that open your Synology box to the web are safe?
http://www.secureworks.com/res...
http://forum.synology.com/enu/...
And others. I like Synology stuff, I use it. But opening anything up to the Internet isn't safe. You may have full control of your data, but so does somebody else.
-
Re:Prefix This
(feeling karma-guilty now) Some of my previous BGP bookmarks,
The RFC6480 I'm sure you'll want to read this first, every bit of it. Others may wish to skip on to the next chapter which is a good bit and has Marvin the Robot in it.
Introduction to BGP and How BGP best path (by default!)
[2014] spammers squatting on unassigned IP address ranges
[2014] Using BGP advertisements to gather Bitcoin mining traffic (doing digital money with unsecured protocols, kewl!)
[2012] Packet Pushers #93: Lies and Routing in the Internet great interview with Geoff Huston. Look for the show notes links too.
[2012] Packet Pushers #105: BGP Origin Validation with Resource Public Key Infrastructure (RPKI) with Alex Brand from RIPE. Discussion of attack profiles, resistance and real-world challenges to its implementation.
[2012] Previous Slashdot: Engineers Ponder Easier Fix To Internet Problem
[2013] Denver pings Denver --- via Iceland! Someone's Been Routing Internet Data Through The Great Chefs Of Europe
Here are some confusing BGP routing diagrams to print out and tape to the walls to impress everybody.
-
Re:Read here for a more detailed perspective
Hello,
The first public analysis of the malware campaign (called BlackEnergy by most researchers) was done by Arbor Networks back in October 2007, and Dell SecureWorks did a comprehensive write-up on its second generation in 2010. Additional information on this malware campaign:
- We Live Security blog - Back in BlackEnergy: 2014 Targeted Attacks in Ukraine and Poland
- 2014 Virus Bulletin Conference - Last-minute paper: Back in BlackEnergy: 2014 targeted attacks in the Ukraine and Poland and YouTube video of the presentation
- We Live Security blog - CVE-2014-4114: Details on August BlackEnergy PowerPoint Campaigns
- Virus Radar - description of Win32/Rootkit.BlackEnergy.AA
Hope this information is useful to anyone who might be concerned they have compromised hosts on their network.
Regards,
Aryeh Goretsky -
Just one more reminder to use https?
"This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https."
Except if the local proxy is designed to intercept https traffic and replace the sender's digital signature with its own. ref -
Re:Full Retard Mode Activate!
Besides violating over a dozen international treaties...
Untrue. There are exceptions to WTO treaty obligations, one of which includes national security.
...an unsubstantiated claim that there may be espionage/surveillance capability built into some devices.
And let me be clear: No government or private agency has come forward with conclusive proof that any product made in China for commercial resale has these capabilities built into it at the direction of the Government.
There were many claims from many different parties that the Chinese government engaged in active spying/covert intelligence gathering on New York Times, Google, RSA. And those are just the ones we know. Let's also not forget the Mandiant Report that caused such a reaction online not too long ago. None of this is conclusive proof but it sure is a great cause for concern.
The economic and political ramifications of this are being glossed over -- this action doesn't just affect our relationship with China, but with any country we do business with, because they signed the same treaties, and now they're looking at our unilateral action and thinking: What makes us think the US won't renege on their deal with us?
The consequences you paint may well be overblown. There is evidence that the US is not the only country worried about China's activities. Australia, for example, has blocked Huawei from bidding for work on its $38 billion national broadband network, for the same security fears. Germany has sent representatives to the Chinese Government to ask them to stop, unofficially. Even the UK is so worried about the China spying problem that Jonathan Evans, director general of MI5 publicly warned that the West now faces an "astonishing" cyber espionage threat on an "industrial scale" from specific nation states.
Given that China itself uses national security as a reason for imposing restrictions on foreign commercial activities on its shores, I really don't think there is any basis to complain about the present measures introduced by the US.
-
Re:plausible deniability
Except that there is another report which has just been released which gives a direct link to China for . If McAfee don't have direct evidence, that means that they have released the report before they completed the work; they should have done something to identify the end point. Someone should discuss with one of the security services to put a poisoned document with an MSWord zero day which phones home when given a chance into one of their document caches and then see where it turns up.
-
Re:Wasted time
OK so this is how it works. There are websites out there like these which allow you to quickly check your newly infected EXE against all the main AV products out there. Signature based AV is basically obsolete because there are lots of programs out there that will happily scramble your EXE for you, in the scene these are known simply as "crypters" and you will find many people in the PPI world advertising their crypter as being FUD (fully undetectable). Good article on this here. Of course with enough downloads eventually somebody savvy will catch on, unless your work is really good, and then your binary and uploading IP address are usually banned. At which point they do exactly what you'd expect - spin a new binary, get a new IP address and do it all over again.
If you're relying on only 15-20 other downloaders to certify something as "clean" and you regularly download warez you probably already have a rootkit on your system and have no idea it's even there.
-
I'm just going to drop this here
-
Re:In Soviet Russia
OK, I've reviewed my posts from your reply to the top of the thread and nowhere did I say it was Microsoft's fault. It is an observed fact. It is, and to Russians to whom the blame belongs is irrelevant. They can choose to use free software or they can choose the risk. Microsoft has backed off some for now and so the risk is less, but eventually the risk will return because the software is not free and their Russian channel can never be reliably honest. In the Russian language corrupt government provisioning is so assumed that the reverse must be made explicit. I believe Chinese languages are similarly cynical. The safe choice is to be free forever. Free contains no risk.
If you want to fix the blame on Microsoft for not dropping the suit after finding out that the affected individual was in no way to blame for the piracy, that's on you. I didn't say that.
As to Microsoft's ROI, well, I don't know what to say here. Given the current state of free I can see how they must struggle to prove where they add value - especially when dealing with the malware ecosystem mounted against them which at some accounts is larger than the Windows market itself. I'm sure it's hard to deliver on this nine year old commitment when you can't even get your network software geeks to check their inputs on the most basic service they provide or even read the licenses of the software they publish.
You should probably check the corkboard on the way out of the blog center. I think there's a note there about me. Take your stuff with you when you go or you might not see it again.
-
Following the money trail?
I have often wondered why they haven't followed the money trail to find the people behind the "Antivirus 20xx" nonsense. I know I would certainly like to read a news story about the untimely death of the people involved.
They (FBI, and their equivalents in the dozen other countries widely affected) know exactly where it's coming from, it's just not in their jurisdiction.
Code from within the 2009 version:
"00420214 - Don`t install on Rus:; 00420234 - Russian or Ukrainian Windows detected. Exiting ..." - http://sunbeltblog.blogspot.com/2009/01/russian-don-infect-themselves.html
"In the early and mid-1990s, criminal groups provided protection to businesses and enforced contracts when the state was too weak and corrupt to do so. In the process, they actually helped sustain private enterprise, albeit at a high cost to business. The emergence of an economic market for private protection—in which criminal groups compete among themselves as well as with other newly formed private security agents—has stabilized the business-criminal relationship. Recently, criminal networks have taken a more businesslike approach to maximizing profit" - http://www.worldpolicy.org/journal/articles/wpj04-1/sokolov.htm
The following article is the best writeup I've seen thus far on this threat, and provides some insight on the financials:
"If these stats are to be believed, one affiliate was able to install 154,825 copies of AV XP 08 in ten days' time, and 2,772 of those copies were actually purchased by the victims. This only represents a one to two percent conversion rate, but with the generous commission structure, was enough to earn the affiliate $146,525.25 for that time period. At that rate, the affiliate could be expected to earn over 5 million U.S. dollars a year, simply by maintaining a large botnet and forcing AV XP 08 installs on 10,000 to 20,000 computers a day." - http://www.secureworks.com/research/threats/rogue-antivirus-part-2/
Kinda makes a guy reconsider his chosen career... Until you consider the mortality rate of Mafiya members, and the hordes of angry noobs wherever you go
;) -
Re:pwned
Well - I'm searching for Linux botnets that have been created by this exploit. Searching . . . searching . . . searching . . .
Dang, I'm not finding any.
How about Windows botnets? WOW, will you just look at all of them? http://www.secureworks.com/research/threats/topbotnets/
I sure wish Linux would get off their dead arses and patch this problem. Sure would be nice if they can get it done in less than a month or six, like Windows!! Oh - wait - what? Linus committed a patch correcting this issue on 13th August 2009.
I guess I'll hold off on pushing the panic button. I see no need to "upgrade" to Windoze, LMAO
-
Re:Best DNS alternative w/o redirection?
Open DNS recursion is its own form of evil. I'm waiting for the day that Level3 locks those down to their own networks, and hundreds of our customers call us to complain "the Internet is broken" (it seems almost everyone knows those IPs and many choose to use them, despite the fact that our own DNS service is anycast and will always remain Redirect-free because we don't treat it as a potential revenue source, but a vital part of Internet infrastructure that ought to be inviolate).
Google "DNS recursive amplification" to see what I mean about the evils of open resolvers. Hell, even closing down recursion doesn't stop the madness since root hint amplification is being abused too.
We drop all IP traffic directed to our anycast IPs at our borders. You can't even ping them. query-source is not a listen-on address so it is impossible to get any type of response from our named. I predict most other ISPs being forced to do something similar. The poisoning threats are also ever on the horizon and this is another prudent safeguard.
-
Re:Does this affect all browsers?
the washington post article doesn't give you any more information than the summary, you should be reading the trojan analysis which is linked in both the summary and the article.
-
Mirror
Conficker Eye Chart
How to interpret (the image combinations shown on the original chart are not reproduced here):
If you see this above: / It probably means this:
= Normal/Not Infected by Conficker (or using proxy)
= Possibly Infected by Conficker (C variant or greater)
= Possibly Infected by Conficker A/B variant
= Image loading turned off in browser?
Any other combination = Poor Internet connection?
Explanation:
Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.
If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.
SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.
Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.
-
Re:I am skeptical
Guess you didn't see this: http://www.secureworks.com/research/blog/index.php/2008/07/10/it-can-happen-to-anyone/
-
Japan tops US in Akamai's Report
I note that the press release doesn't match the findings of the also recently published State of the Internet Report that shows a big jump in attack traffic from Japan last quarter.
% of Attack Traffic by Country seen by Akamai
 #   2008-Q2  2008-Q1  Country
 1    30.07     3.56   Japan
 2    21.52    14.33   United States
 3     8.90    16.77   China
 4     5.56     1.58   Germany
 5     2.34     0.41   Ukraine
 6     2.25     3.43   South Korea
 7     2.21    11.82   Taiwan
 8     1.89     0.89   France
 9     1.64     0.93   Russia
10     1.58     0.83   Poland
--    22.04    -----   OTHER -
The real article...
-
Not new at all
This trojan, called Asprox or Danmec, has been around for a few years. It was originally intended as a Spam distribution system but I believe that sometime in 2007 an SQL Injection tool was installed via its botnet. It has been doing the rounds every so often on the Internet since at least January.
http://blogs.zdnet.com/security/?p=1122
http://www.secureworks.com/research/threats/danmecasprox/?threat=danmecasprox-dZ.
-
Re:A suggestion for Gmail spam-fighting
Point taken, especially as regards botnets used for spamming. Another interesting article on the topic:
http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets
And on the main topic of the original article, I see:
http://www.theregister.co.uk/2008/04/10/web_mail_throttled/ -
Re:if I were to own a rogue DNS server
Ahh! The cache on YOUR dns gets poisoned.
Christ! There's a wikipage about it... ( I digress )
The security rundown on how it happens:
http://www.secureworks.com/research/articles/dns-cache-poisoning/
Step 1 - Attacker sends a large number of queries to the victim nameserver, all for the same domain name.
Step 2 - Attacker sends spoofed replies giving fake answers for the queries it made.
Get the picture?
Solution: Apply patches to your DNS server. ( i.e. patch your MS Server )
Cert notification:
http://www.kb.cert.org/vuls/id/484649 -
?threat=ronpaul
Anyone notice the URI? ?threat=ronpaul
http://www.secureworks.com/research/threats/ronpaul/?threat=ronpaul
Ron Paul has his own "threat" folder, and he is equal to a threat. Awesome! -
Re:STILL NOT A WORM
Parent 100% correct. Though it's easy to see how people can be misled, as even some of the security sites are calling it a worm. http://www.secureworks.com/research/threats/view.html?threat=storm-worm
gives you some information on how it operates (as of 2/07, and the names of the executables you had to click on to infect yourself have probably changed since then)
The original storm.worm (2001) attacked unpatched MS IIS servers, and actually was a worm.
http://www.securiteam.com/securitynews/5DP0B0K4KG.html
How this got so large is a pretty sad commentary. First off, it's proof that people will still click on attachments without verifying whether they're legitimate. I'm not convinced that any amount of training will ever stop this behavior. It hasn't worked over the *last* ten years, at any rate. Second, several virus scanners would have detected it, if they'd been kept updated. Thirdly, I've seen this running from within a couple of corporate LANs, which implies that even corporations don't always keep anti-virus software up to date, or monitor for P2P traffic, which IMO should very seldom be allowed on a corporate network. -
EXE embedded in DOC, not .doc.exe
I've noticed some comments to the effect that it's easy to spot because it is a
.doc.exe extension on the attachment. Not so! The latest runs of these scams have been EXE files embedded within actual MS Word or RTF files. Inside the document is a PDF icon and a note telling the user to click on the icon to view the invoice (or complaint, depending on the scam). This is a different method of social engineering than we usually see. That plus the targeted nature of the emails is what makes this sophisticated. It may not fool the savvy user, but as many execs haven't seen something of this nature before, they are likely to click and open the embedded executable. Most are just trusting their AV to warn them if there is anything wrong with the file, which is a big mistake these days.
If you work corporate security, make sure you are watching for signs of the data exfiltration on the network. I've written some Snort IDS signatures which are available here:
http://www.secureworks.com/research/threats/bbbphish -
Detailed rebuttal to F-Secure's.bank proposal
A researcher at SecureWorks has posted a detailed rebuttal to F-Secure's
.bank proposal. Go check it out!
New .TLDs: Panacea for Security? -
Caution
If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:
http://www.secureworks.com/research/threats/gozi/ ...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.
This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks. -
This is why reliance on AV software is dangerous
Funnily enough, I just wrote about this:
http://slashdot.org/~Alioth/journal/167405 - includes a link to a major study of a piece of malware which went undetected by the AV companies for months.
Or just go to http://www.secureworks.com/research/threats/gozi/ if you don't want to read my crap.
I've personally witnessed two malware infections where the malware arrived up to a week before the AV companies had updated their definitions. -
Oracle and SAP are competing h4><0r teams
This is way too similar to be coincidence. Reread the summary and then quote: Several other hosted web sites...were located with a script designed to "spider" some IP address ranges for hosted servers that are commonly...used for this purpose. Since it is almost always hosted on the main page, only that page was searched.
...there are two other variants of the client-side executable.
This file listing shows several directories and archive files. One of these files contains the server-side code used to collect the data. The other file contains server-side code for an administrator interface and a "customer" interface for data mining.
They are CGI applications written entirely in perl...There are perl modules, written as plug-ins for the server-side framework, for parsing out and storing the information collected by each of these and code for sending options data. There is code for loading the flat files produced by the collection code into MySQL...The front-end code provides a nice login page, generates views into indexed data, and provides account management.
This interface is designed so that an administrator adds customer accounts to the database. Customers can also log in and get results from queries based on certain fields (URL, form parameters, and so on). Each of these customer-generated queries has an associated price.
There are also other files that set default parameters, a default MySQL username and password for example. None of these default values worked on this server.
The stolen data is held in directories whose names can be guessed. Using the base directory from the perl code (translated according to the web server's DocumentRoot), combine these with version_id and user_id (generated ID for each infection) for subdirectories, and one can brute force directory names....one can script the wget utility and fetch of all the data residing on the server. There is no need to query the MySQL database.
the results added up to more than $2 million. And that, your honor, is exactly how SAP went about stealing Oracle's trojan, errr, proprietary customer management code.
From the summary: in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support website.'" Did the customer support website look like this, or this? -
Re:i'm in awe
Me too.
Speaking of Evil Genius(TM):
Researchers: Rootkits headed for BIOS
http://www.securityfocus.com/comments/articles/11372/33500/threaded#33500
Arhiveus Ransomware Trojan Analysis
http://www.secureworks.com/research/threats/arhiveus/
It almost appears that we'd run into the "loving" arms of DRM (etc.) to escape future, more powerful variants.
These "guys" (in general) are PhDs/Engineers and are not competing anymore, they're leading the "innovators" (look at AV Companies and they're all struggling). OpenSource has been the only real response. ... tap, tap, tap, ... what to do, what to do. -
Thank you Spamthru & Warezov
Not much on specifics in TFA, but apparently the major increase in spam (mainly those pump'n'dump stock scams) appears to be due to the Spamthru trojan which is being dropped by Warezov.
We've had a few stories on this before here and here. -
Not so new
read the article at
http://www.secureworks.com/analysis/spamthru/
and then see how new you think it is.
and yes it is an interesting virus/trojan ....
NB There is SNORT IDS at end of article. -
Link to the actual research
-
Re:So..?
See, here is the problem. If you read the newsforge article they said "Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon Ellch -- demonstrated an exploit that allowed them to install a rootkit on an Apple laptop in less than a minute." In fact, Ellch's new company publicly flaunts this. So, is it a real thing? Now, Ellch is backtracking, saying new things. Whatever. He's a Bullshit artist.
-
Re:"Implies" my fanny. He says it right out.
He states that the ONLY reason he's saying something now is because he's talking about Intel's drivers, not Apple's.
They didn't seem to mind talking about how Apple "leaned on them pretty hard" back when they were claiming that the exploit worked on the Apple-supplied driver. You know -- before they admitted that the vulnerability demonstrated used a third-party driver, and not the one that Apple ships?
It's blatantly obvious that Apple's lawyers have come down on him like a ton of bricks, forcing him to be quiet until they get a patch out.
How? On what grounds could they do this?
Also note where Ellch says: "Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one." -
Re:So was this just a lie?
"During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported."
That's not exactly what's being said on their website...
"This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."
http://www.secureworks.com/newsandevents/blackhatcoverage.html -
Probably an autoproxy, not a virus
I was analyzing something very similar around October of last year when I worked here. They probably aren't installing a virus, per se -- more like an autoproxy which they will use to send spam or install more malware (e.g., to steal passwords or credit card numbers).
All the vulnerabilities mentioned in the article have been known for quite some time. Liu Die Yu's Unpatched IE vulnerabilities page documents several of these in detail, with exploit examples. (Note that some of the links on Liu Die Yu's site may result in popups, ironically.)
When I took a look at it, the proxy flavor of the month was most commonly referred to as ap216.exe (the filename is irrelevant, obviously). A good description of it is here, in the context of its use in a phishing scam.
Note that everything done in this attack will blithely go through most firewalls -- almost all connections are initiated from within the network. Firewalls are an increasingly inadequate means of protecting users from organized and motivated attackers. IMO, any network admin who doesn't run deep-packet inspection firewalls, intrusion prevention, or security-minded filtering application proxies is asking for it.
Sure, someone could write something to quietly delete all the files on your hard drive. I'm sure he'd rather have all the spam your machine can send, or all the money from your bank account.
phil -
Secureworks
Another company that uses a very similar if not nearly identical solution is Secureworks. They've been around longer than Guardnet, though obviously their marketing isn't great as I've only seen them a few places...
-
Nothing new
SecureWorks has been selling their iSensor product for some time now. It is also based on OpenSource Software using Snort and IPChains. The product comes with monitoring and constant signature updates for the IDS functionality, so that could be seen as the "value-add" for buying what is basically a bunch of free software in a PC box.