Tag Archives: malware

A few days ago Microsoft announced a large scale raid on the dynamic DNS service No-IP, as a result of which 22 of its domains were seized. The guys in Redmond said there were very good reasons for this: No-IP hosts all kinds of unpleasant malware; No-IP is a breeding ground of cybercriminals; No-IP is an epicenter for targeted attacks; and No-IP never agrees to working with anyone else on trying to root out all the badness.

Like in most conflicts, the sides have exchanged the contradictory volleys of announcements in the eternal tradition of ‘it’s his fault – no she started it’.

In particular, No-IP has said it’s a real goody-two-shoes and always willing to cooperate in eliminating sources of cyberattacks, while its clients are most displeased with the raid and consider it an illegal attack on legal business – since it’s possible to find malware practically anywhere, so interrupting services through a court is simply not on.

Is it legal to shut down a service because of #malware found?… When it can be found everywhere?…Tweet

In the meantime, the result of the raid has been rather far-reaching: more than four million sites were pulled, including both malicious and harmless ones – affecting 1.8 million users. Microsoft is trying to sieve the wheat from the chaff and get the clean sites back up and running; however, many users are still complaining about ongoing disruption.

To work out who’s to blame is a thankless and probably hopeless task. I’ll leave the journalistic investigations to… the journalists. Instead, here let me give you some food for thought: dry, raw facts and figures – so maybe/hopefully you’ll be able to come to your own conclusions about the legality and ethicality of MS’s actions, based on those facts and figures…

1)      Shutting down 22 No-IP domains affected the operations of around 25% of the targeted attacks that we keep track of here at KL. That’s thousands of spy and cybercriminal operations ongoing for the last three years. Approximately a quarter of those have at least one command and control center (C&C) with this host. For example, hacker groups like the Syrian Electronic Army and Gaza Team use only No-IP, while Turla uses it for 90% of its hosts.

2)      We can confirm that out of all large providers the No-IP dynamic DNS was the most unwilling to cooperate. For example, they ignored all our emails about a botnet sinkhole.

3)      Our analysis of current malware shows that No-IP is often used by the cyberswine for botnet control centers. A simple search via the Virustotal scanning engine confirms this fact with a cold hard figure: a total of 4.5 million unique malware samples sprout from No-IP.

4)      However, the latest numbers from our security cloud (KSN) show something not quite so cut and dry. Here’s a table showing detections of cyberattacks from dozens of the largest dynamic DNS services:

So – No-IP isn’t leading in the number of detections, even though they’re still really high compared to most.

Here’s some more info for comparison: the % of malware hosts in the .com zone makes up 0.03% of the total; in the .ru zone – 0.39%; but in No-IP the figure’s 27.5%!

And now for other figures that add a bit of a different perspective: in one week, malware domains on No-IP generated around 30,000 detections, while in the same week on one of the most malicious domains in the .com zone, the figure was 429,000 – almost 14 times higher. Also: the tenth most infected domain in the .ru zone generated 146,000 detections – that is, about the same as the first ten providers of dynamic DNS mentioned above put together!

To summarize…

On the one hand, blocking popular services that are used by thousands – if not millions – of typical users: it ain’t right. On the other hand, closing spawning grounds for malware is right – and noble.

The takedown of No-IP domains. Was it right or wrong? Ambiguity with a big ATweet

But then mathematics takes on the role of devil’s advocate, and proves:

Quantitatively, closing all the domains of No-IP is no more effective in combatting the distribution of malware than closing one single top malware domain in one of the popular zones, i.e., .com, .net, or even .ru. Simpler put, even if you were to shut down all providers of dynamic DNS – the Internet still wouldn’t become ‘cleaner’ enough to notice the difference.

So there you have it – ambiguity with a big A. 

It leaves anyone in their right and honest-with-themselves mind to admit things are far from black and white here, and as regards the right and wrong, or good and bad, or Nietzsche’s thing – who can tell?

Still, another thought comes to mind at some point while reflecting on all this…

It’s further evidence that as soon as the quantity of piracy or degree of criminality gets above a certain threshold, the ‘powers that be’ get involved all of a sudden and start closing services, ignoring any notions of Internet freedom or freedom to do business. It’s just the way things are, a rule of life of human society: If it stinks, sooner or later it’ll get cleaned up.

The list of blocked services is already rather long: Napster, KaZaA, eMule, Pirate Bay and so on. Now No-IP‘s been added to the list.

Who’s next?

// Bitcoin? It’s already begun.

Stock market hacks for microsecond delays.

Cyber-swindling gets everywhere. Even the stock market. First, a bit of history…

The profession of stockbroker was once not only respected and honorable, but also extremely tough. Dealers in stocks and shares once toiled away on the packed floors of stock exchanges and worked silly hours a week, stressed to the limit by relentless high pressure decisions all day (and night). They bought and sold securities, stocks, bonds, derivatives, or whatever they’re called, always needing to do so at just the right moment while riding the waves of exchange rates and prices, all the while edging nearer and nearer to serious heart conditions or some other burn-out caused illness. Other times they simply jumped out of windows to bring a swift end to it all. In short – hardly the world’s best job.

Anyway, all that was long ago. All that hard manual labor has been replaced by automation. Now thinking hard, stressing and sweating aren’t needed: a large proportion of the work today is carried out by robots – special programs that automatically determine the very best moments to buy or sell. In other words, the profession of stockbroker has in large part been boiled down to the training of bots. And to these bots reaction times – to the microsecond – are vital to take advantage of this or that market swing. So speed literally depends on the quality of an Internet connection to the electronic stock exchange. That is, the nearer a robot is physically located to the exchange, the higher its chances of being the first with a bid. And vice versa – robots on the periphery will always be outsiders, just as will those not using the very latest progressive algorithms.

These critical reaction times were recently tampered with by unknown cyber-assailants. A hedge fund’s system was infected with malware to delay trading ability by a few hundred microseconds – which can – and probably did – make all the difference between clinching deals and losing them.

Read on: Your password for a Twix?…

On June 15, 2004, at precisely 19:17 Moscow time something happened that started a new era in computer security. We discovered the first malware created for smartphones.

It was Cabir, which was infecting Symbian-powered Nokia devices by spreading via unsecured Bluetooth connections. With its discovery the world learned that there was now malware not just for computers – which everyone already knew too well about (save for the odd hermit or monk) – but also for smartphones. Yes, many were scratching their heads at first – “viruses infecting my phone? Yeah, pull the other leg” – but the simple truth of the matter did finally sink in sooner (= months) or later (= years a decade!) for most people (some still aren’t aware). Meantime, our analysts made it into the history books!

Why did we christen this malware Cabir? Why was a special screened secure room created at our Moscow HQ? And how did Cabir end up in the pocket of an F-Secure employee? These and other questions were recently put to Aleks Gostev, our chief security expert, in a interview for our Intranet, which I thought I’d share with you here; might as well have it from the horse’s woodpecker’s mouth…

Incidentally, the story started really running when we used these two devices to analyze the malware:

…but more about those below…

Read on: An unusual file n the inbox…

True to my word, herewith, the second installment of my new weekly (or so) series, ‘dark news from the cyber-side’, or something like that…

Today the main topic will be about the security of critical infrastructure; in particular, about the problems and dangers to be on the watch for regarding it. Things like attacks on manufacturing & nuclear installations, transportation, power grid and other industrial control systems (ICS).

Actually, it’s not quite ‘news’ here, just kinda news – from last week: fortunately critical infrastructure security issues don’t crop up on a weekly basis – at least, not the really juicy bits worthy of a mention. But then, the reason for that is that probably that most issues are kept secret (understandable, but worrying all the same) or simply no one is aware of them (attacks can be carried out on the quiet – even more worrying).

So, below, a collection of curious facts to demonstrate the current situation and trends as regards critical infrastructure security issues, and pointers to what needs to be done in face of the corresponding threats.

Turns out there are plenty of reasons to be bowled over by critical infrastructure issues…

The motto of engineers who make and install ICS  is ‘ensure stable, constant operation, and leave the heck alone!’ So if a vulnerability in the controller is found through which a hacker can seize control of the system, or the system is connected to the Internet, or the password is actually, really, seriously… 12345678 – they don’t care! They only care about the system still running constantly and smoothly and at the same temperature!

After all, patching or some other interference can and does cause systems to stop working for a time, and this is just anathema to ICS engineers. Yep, that’s still today just the way it is with critical infrastructure – no seeing the gray between the black and the white. Or is it having heads firmly stuck in the sand?

In September last year we set up a honeypot, which we connected to the Internet and pretended was an industrial system on duty. The result? In one month it was successfully breached 422 times, and several times the cyber-baddies got as far as the Programmable Logical Controllers (PLC) inside, with one bright spark even reprogramming them (like Stuxnet). What our honeypot experiment showed was that if ICS is connected to the Internet, that comes with an almost 100% guarantee of its being hacked on the first day. And what can be done with hacked ICS… yes, it’s fairly OMG. Like a Hollywood action movie script. And ICS comes in many different shapes and sizes. For example, the following:

Nuclear malware

Source

Read on: absence of light will only be the result of burned out bulbs and nothing else…

Greetings droogs!

It seems ages since I’ve touched upon a cyber-maliciousness topic on these here pages – what’s hot and what’s not, what’s in and out, and all that… You might even think we’re twiddling our thumbs here seeing as I stay shtum on topics relating to our raison d’être…

Well just let me reassure you that we are on top of EVERYTHING going on in the cyber-jungle; it’s just that we publish all the detailed information we have on dedicated techy news resources.

The only problem with that is very few folks actually read them! Maybe that’s understandable: the detail can get tiresome – especially to non-tech-heads. Not that that’s a reason not to publish it – far from it. However here on this blog, I don’t bog the reader down with too much tech. I just give you the most oddly curious, amusing and entertaining morsels of cybernews from around the world.

Sooo, what was curiously odd, entertaining and bizarre last week?…

“He hit me!” “He started it!”

The sparring between the USA and China about cyber-espionage has taken a new turn…

This time the Americans took their swipe with photographs and names of ‘guilty’ individuals: five Chinese military specialists have ended up on the latest classic Wild West-inspired FBI ‘Wanted’ poster for allegedly breaking into networks of US companies and stealing secrets.

Read on: An example of some seriously perplexing cyber-alchemy…

How can you locate and destroy ALL the maliciousness hiding in the sleeping jungles of your computer?

In particular, the extra nasty maliciousness that’s never ever been seen before, which also happens to have a mega-high malevolent-IQ (and is often state sponsored)?

Easy. The answer’s simple: you can’t.

Well, you can at least have a good go at it; but to find the proverbial black malware cat in a pitch black room you need a handful of top-notch pros to do the task manually: expensive. But to do it automatically with a boxed antivirus product – that’s a whole different matter altogether: you normally just get as far as getting on to the scent of super sophisticated infections, but that’s about it. That is, at least, using the old-school AV approach that uses classic antivirus signatures and file scanners.

So what’s the solution?

Again, simple: put some mega brains to hard work – to automate sophisticated-infection seek-and-destroy functions in an AV product.

Read on: So how we do that?…

Woo-hoo! One more torpedo released by the cyber-delinquents against Microsoft Office has been thwarted by our cunningly tenacious cyber-protection.

Recently a new but fairly common-or-garden attack was discovered: When opening Word documents malicious code was unnoticeably injected into the computer. This wouldn’t have made it into the headlines but for one circumstance: this was a zero-day attack, i.e., one that used a previously unknown vulnerability in MS Office for which there weren’t any remedying patches, and which most antiviruses let slip through their nets. You guessed it – our AV grabbed it with its tightly thatched net in one fell swoop!

What happened was our Automatic Exploit Prevention (AEP) technology detected anomalous behavior and proactively blocked the corresponding attacks. No updates, no waiting, no messing. Zapped immediately.

Zero-days represent a real serious threat these days.

They need to be tackled head on with full force. However, many AVs are fairly useless against the future risk zero-days pose, as they work based mostly on signatures, with ‘protection from future threats’ only ‘provided’ on paper/the box (albeit very pretty paper/a very glossy box:). But of course! After all, genuine – effective! – protection from future threats requires whopping doses of both brain power and development resources. Not every vendor has the former, while even if a vendor has the latter – that doesn’t always clinch it. And this is sooooo not copyable tech we’re talking here…

Unlike what Buddha and new-agers say is a good idea for individuals, we’ve always believed that in IT security you can’t live for today – in the moment. IT Security needs to constantly look to the future and foresee what will be going on in the minds of the cyber-felons – before events occur. A bit like in Minority Report. That’s why ‘proactive’ was on our agenda as far back as the early 90s – back then we cut a dash from the rest of the IT Sec crowd by, among other things, developing heuristics and our emulator. Forward thinking runs in KL blood!

Since then the tech was reinvented, fine-tuned and souped-up, and then around two and a half years ago all the features for protection from exploitation of known and unknown vulnerabilities were all brought together under the umbrella of AEP. And just in time too. For with its help we’ve been able to proactively uncover a whole hodge-podge of targeted attacks, including Red October, MiniDuke and Icefog.

Then came a sudden surge of unhealthy interest in Oracle’s Java, but AEP was ready once again: it did its stuff in combatting all the unhealthiness. Leading AEP into battle was its Java2SW module – specially designed for detecting attacks via Java.

And it’s this module I’ll be telling you about here in the rest of this post.

The software landscape inside a typical computer is a bit like a very old patchwork quilt: loads of patches and as many holes! Vulnerabilities are regularly found in software (and the more popular the product, the more are found and more frequently) and the companies that make the software need to secure them by releasing patches…

…But No. 1: Software developers don’t release patches straight away; some sit on their hands for months!

But No. 2: Most users forget, or simply don’t care, about installing patches, and continue to work with holey software.

However No. 1: The vast majority of computers in the world have antivirus software installed!

So what’s to be done? Simple: Get Java2SW onto the stage. Why? Because it kills two birds with one stone in the Java domain.

Overall, from the standpoint of security Java architecture is rather advanced. Each program is executed in an isolated environment (JVM – Java Virtual Machine), under the supervision of a Security Manager. However, alas, Java became the victim of its own popularity – no matter how well protected the system was, soon enough (in direct proportion to its popularity) vulnerabilities were found. Vulnerabilities are always found sooner or later, and every software vendor needs to be prepared for that, in particular (i) by timely developing protective technologies, (ii) by being real quick in terms of reaction times, and (iii) by informing users how important updating with patches is.

Thing is, with regard to Java, Oracle didn’t make a great job of the just-mentioned prep. In fact they did such shoddy job of it that users en masse started to delete Java from their browsers – no matter how more cumbersome it made opening certain websites.

Judge for yourself: The number of vulnerabilities found in Java in 2010 – 52; in 2011 – 59; in 2012 – 60; in 2013 – 180 (and the year isn’t over yet)! While the number of attacks via vulnerabilities in Java grew in a similarly worrisome way:

Read on: So what’s so great about Java2SW?…

“The person needs to be brought round to the idea that he has to part with his money. He needs to be morally disarmed, and his proprietary instincts need to be stifled.”

No, not Don Draper; this is a quote of Ostap Bender, a classic fictional hero from 1930s Russian literature. And no, there’s no relation to the other famous Bender!

Thus, it would appear that, curiously, Mr. Bender knew a thing or two about capitalism, despite being from a Communist country. Hmmm…

Anyway, what he knew is that it’s sometimes possible to make folks part with their hard-earned shekels if they are manipulated the right way – the folks, that is.

Fast-forward to today… and we find this kind of manipulation alive and well – in a modern, hi-tech, cyber kinda way: Today, folks gladly hand over their Benjamins to the crims behind blockers, aka ransomware, an especially sneaky form of computer malevolence. But have no fear, KL users: in the new version of KIS, we’ve got a nice surprise waiting for the blocking blockheads and their blockers.

The principle and tech behind blockers/ransomware are rather simple.

Using one of the various means available (for example, via a software vulnerability), a malicious program is sneaked into computer, which then displays an amusing (not) photo with scary (not – with KIS:) – text, and blocks the desktop and all other programs’ windows.

Unblocking is only possible (well, was possible – see below) by entering a unique code, which of course you can only get from the cyber-tricksters who infected the comp in the first place, and of course – for a fee, through premium SMS numbers or online payment systems. Until you pay the ransom, the comp remains kidnapped – no matter what you do (including Ctrl+Alt+Del), and no matter what programs you try to run (including antivirus); all you see is something like this:

The rise, the decline & the return of ransomware…

My power over you
grows stronger yet
(с) Andrew Lloyd Webber – Phantom Of The Opera

In the ongoing battle between malware and anti-malware technologies, there’s an interesting game that keeps getting played over and over – king of the castle.

The rules are simple: the winner is the one who loads itself into the computer memory first, seizes control of the ‘levers’, and protects itself from other applications. And from the top of the castle you can calmly survey all around and guard the order in the system (or, if you’re malicious, on the contrary – you can cause chaos, which goes both unnoticed and unpunished).

In short, the winner takes all, i.e., control over the computer.

And the list of applications wanting to do the boot process first begins with (as the name might suggest) the boot sector – a special section of the disk that stores all the instructions for what, when and where to load. And, terror of terrors, even the operating system sticks to this list! No wonder cybercriminals have long taken an unhealthy interest in this sector, since abusing it is the ideal way to get first out of the blocks while completely hiding the fact that the computer is infected. And the cybercriminals are helped in this by a particular class of malware – bootkits.

How your computer loads

To find out what bootkits are and how we protect you against them – read on…

More: the prosperity, the fall and the return of bootkits…

My work has me rushing all over the world, speaking at events, getting together with fellow experts to tell my own stories and listen to theirs. One day I thought, why not share them here as well? So, here are some very different “funny” (literally and figuratively) stories from the world of IT security.

Story 1. Secret files with home delivery.

More: Myths of Ancient Greece and other stories…