econoTwist's

Posts Tagged ‘Malware’

Microsoft Spot New Antivirus Blocking Trojan

In Uncategorized on 22.01.11 at 04:05

Microsoft researchers in China have spotted a new Trojan that neutralizes antivirus products relying on cloud-based technology, a relatively new approach now used especially in security software. Upon running, it targets major Chinese AV vendors and other international security brands by blocking their internet access at the network driver layer.

“Engineering it is not trivial.”

Kurt Baumgartner


Of particular concern here is the sophistication of the so-called “Bohu” Trojan, which blocks the cloud-based antivirus software by means of a Windows Sockets service provider interface (SPI) filter, itself made possible by the installation of an NDIS driver. The malware employs social engineering techniques to trick users into executing it.

The use of cloud-based technologies is becoming more prevalent, as traditional antivirus companies adopt techniques that allow them to detect and neutralize malware infestations in minutes rather than in days.

Speaking to eWeek, Kurt Baumgartner, a senior malware researcher at Kaspersky Lab, acknowledged that engineering it is “not trivial.”

This effectively gives Bohu the ability to perform deep packet inspection on network data, which it uses to modify search terms sent to sogou.com and cookies belonging to the top search engines.

For now, Microsoft says it has already contacted the affected vendors about the Bohu threat.

More on this story:
article at eWeek
article at Computer Weekly
article at IT Pro

Related:

Microsoft tool now scans for the Zeus Trojan
Security loopholes surfaces on Mac App Store
Zeus Trojan mules used fake names, passports
Evidence of Zeus Trojan found in majority of Fortune 500 companies

Related by The Swapper:

Student Design Software to Combat Modern Cyber Crime

In Financial Markets, Health and Environment, International Economic Politics, Law & Regulations, National Economic Politics, Technology on 15.11.10 at 00:58

Deian Stefan, now a graduate student in the computer science department at Stanford University, has developed an authentication framework called “Telling Human and Bot Apart” (TUBA), a remote biometrics system based on keystroke-dynamics information. The software is able to determine whether a file is malicious or not by analyzing the way its creator/programmer has been using the computer keys. According to the recently graduated computer scientist, the so-called botnets are run by organized cyber criminals.

“Keystroke dynamics is an inexpensive biometric mechanism that has been proven accurate in distinguishing individuals.”

Daphne Yao


One of the serious threats to a user’s computer is a software program that might cause unwanted keystroke sequences to occur in order to hack someone’s identity. This form of an attack is increasing, infecting enterprise and personal computers, and caused by “organized malicious botnet,” according to Daphne Yao, now assistant professor of computer science at Virginia Tech.

To combat the “spoofing attacks,” Yao and her former student, Deian Stefan, now a graduate student in the computer science department at Stanford University, developed an authentication framework called “Telling Human and Bot Apart” (TUBA), a remote biometrics system based on keystroke-dynamics information.

Yao holds a patent on her human-behavior driven malware detection technology, including this keystroke anti-spoofing technique.

Her technology for PC security is currently being transferred to a company.

The license agreement between the company, Rutgers University (Yao’s former institution), and Virginia Tech is expected to be finalized in the coming weeks, according to ScienceDaily.com.

Internet bots are often described as web robots.

They act as software applications that run automated tasks over the internet. Bots usually perform simple and repetitive tasks, but at a much higher rate than would be possible for a human alone. (When used for malicious purposes they are described as malware).

How a botnet infection works

“Keystroke dynamics is an inexpensive biometric mechanism that has been proven accurate in distinguishing individuals,” Yao explains, and most researchers working with keystroke dynamics have focused previously on an attacker being a person.

The uniqueness of Yao and Stefan’s research is they studied how to identify when a computer program designed by a hacker was producing keystroke sequences in order to “spoof” others, they say.

Then they created TUBA to monitor a user’s typing patterns.

Using TUBA, Yao and Stefan tested the keystroke dynamics of 20 individuals, and used the results as a way to authenticate who might be using a computer.

“Our work shows that keystroke dynamics is robust against the synthetic forgery attacks studied, where the attacker draws statistical samples from a pool of available keystroke datasets other than the target,” Yao says.

Yao and Stefan also describe in their paper, “Keystroke-Dynamics Authentication Against Synthetic Forgeries,” how keystroke dynamics can be used as a tool to identify anomalous activities on a personal computer, including activities that can be due to malicious software.

Their work won a best paper award at CollaborateCom ’10, the 6th International Conference on Collaborative Computing, held in Chicago and sponsored by the Institute of Electrical and Electronics Engineers’ Computer Society, Create-Net, and the Institute for Computer Sciences.
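To make the synthetic-forgery setting concrete, here is an added Python sketch written for this post (illustrative code, not TUBA or the paper's implementation): it builds a per-user profile from keystroke dwell and flight times, then scores a genuine typing session against a forgery whose timings are drawn from a pool of other users' sessions, the attack model Yao describes above. All timing data is constructed with a seeded PRNG, and the feature set, z-score scoring and acceptance threshold are simplifying assumptions.

```python
# Illustrative keystroke-dynamics check (hypothetical code, not TUBA itself);
# all timing data is constructed with a seeded PRNG, not captured from users.
import random, statistics
from typing import Dict, List, Tuple

PHRASE = "the quick fox"
THRESHOLD = 2.0  # assumed acceptance threshold on the anomaly score
Session = List[Tuple[str, float, float]]  # (key, press_ms, release_ms)
Profile = Dict[str, Tuple[float, float]]  # feature name -> (mean, stdev)

def make_session(rng: random.Random, dwell: float, flight: float, spread: float) -> Session:
    """Constructed session: dwell = key held down, flight = gap before next key."""
    session, t = [], 0.0
    for ch in PHRASE:
        held = max(1.0, rng.gauss(dwell, spread))
        session.append((ch, t, t + held))
        t += held + max(1.0, rng.gauss(flight, spread))
    return session

def features(session: Session) -> Dict[str, float]:
    """Dwell time of each keystroke and flight time to the next, by position."""
    feats: Dict[str, float] = {}
    for i, (key, press, release) in enumerate(session):
        feats[f"dwell:{i}:{key}"] = release - press
        if i + 1 < len(session):
            feats[f"flight:{i}:{key}"] = session[i + 1][1] - release
    return feats

def build_profile(enrolment: List[Session]) -> Profile:
    """Mean and stdev of every feature over the target user's enrolment sessions."""
    columns: Dict[str, List[float]] = {}
    for s in enrolment:
        for name, value in features(s).items():
            columns.setdefault(name, []).append(value)
    # stdev is floored so one near-constant feature cannot dominate the score
    return {n: (statistics.mean(v), max(statistics.stdev(v), 1.0)) for n, v in columns.items()}

def anomaly_score(profile: Profile, session: Session) -> float:
    """Mean absolute z-score of the session's features against the profile."""
    zs = [abs(v - profile[n][0]) / profile[n][1] for n, v in features(session).items()]
    return sum(zs) / len(zs)

def synthetic_forgery(rng: random.Random, pool: List[Session]) -> Session:
    """Forgery as studied in the paper: timings drawn from other users, never the target."""
    forged, t = [], 0.0
    for i, ch in enumerate(PHRASE):
        donor = rng.choice(pool)
        _, press, release = donor[i]
        flight = donor[i + 1][1] - release if i + 1 < len(donor) else 0.0
        forged.append((ch, t, t + release - press))
        t += release - press + flight
    return forged

def demo(seed: int = 7) -> Tuple[float, float]:
    rng = random.Random(seed)
    profile = build_profile([make_session(rng, 85.0, 110.0, 8.0) for _ in range(10)])
    genuine = make_session(rng, 85.0, 110.0, 8.0)
    pool = [make_session(rng, 140.0, 200.0, 15.0) for _ in range(5)]
    pool += [make_session(rng, 60.0, 300.0, 15.0) for _ in range(5)]
    return anomaly_score(profile, genuine), anomaly_score(profile, synthetic_forgery(rng, pool))

if __name__ == "__main__":
    g, f = demo()
    print(f"genuine {g:.2f} accepted={g < THRESHOLD}; forgery {f:.2f} accepted={f < THRESHOLD}")
```

The genuine session lands well under the threshold while the stitched-together forgery scores several times higher, because a sample borrowed from another user's distribution is far from the target's per-key means even when each individual timing is a real human measurement.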

When The Bots Attack

The 2007 Cyber Attack On Estonia

If you want to bring down a country’s information infrastructure and you don’t want anyone to know who did it, the weapon of choice is a distributed denial of service attack.
Using a rented botnet, you can launch hundreds of thousands — even millions — of infobombs at a target, all while maintaining total deniability.
In this hypothetical scenario, a single attack launched by China against the US lasts only a few hours, but a full-scale assault lasting days or weeks could bring an entire modern information economy to its knees.

1. Attacker
In this scenario, tension over proposed US legislation to raise tariffs on Chinese imports triggers a crisis. Beijing orders a limited attack on the computer systems of US congress members and corporations that support the bill. Chinese security officials hire criminal bot herders to launch the denial of service attacks. Payments are routed via anonymous services like PayPal (often using branches based in Latin America). Target IP addresses and email accounts (harvested in earlier operations) are distributed through private chat rooms used by criminal hackers. Once the attack is under way, a Chinese media and diplomatic campaign will portray the attackers as cybervigilantes operating on their own.

2. Bot Herder
Freelance computer hackers function as the project managers for the DDoS attacks. Typically, a hacker or a syndicate of hackers controls one or more giant botnets, worldwide networks that can include 100,000 computers. Each machine has been surreptitiously infected by the bot herder with a bot, a remotely controlled piece of malicious software. Herders usually make their living by renting these networks out for commercial spam, phishing fraud, and denial-of-service extortion. On the bot herder’s signal, his network of bots can launch millions of packets of information toward a single target, overwhelming its defenses and either crashing it or driving its owners to shut it down as a defensive precaution.

3. Zombie
Once an ordinary computer is infected by a bot, it becomes one of the unwitting drones that make up a global botnet. When these machines, known as zombies, receive a signal from the bot herder, the bot takes control of its host and sends out multiple packets of information — usually spam — to designated targets. Thanks to the distributed nature of these networks, attacks appear to be coming from random personal computers located all over the world. In this scenario, many will even be from within the US. And if you’re wondering if your PC is infected, detection isn’t easy. Fortunately, new versions of home security software, like Norton AntiBot, are targeting this new strain of malware. But bots keep mutating, so the game is far from over.

4. Target
A full-scale DDoS attack meant as an act of war might target military and government servers, civilian email, banks, and phone companies. But in this more likely scenario, the targets are Web sites and email systems of congress members and corporations that support higher trade barriers. These groups blame the Chinese government, but can’t prove it. Nevertheless, targets will be effectively shut down while they undergo security upgrades and damage assessment, inhibiting their ability to work on behalf of the legislation.
(Source: www.wired.com)

Related by The Swapper:

Europe: Cyber Criminals Attack Critical Water, Oil and Gas Systems

In Financial Markets, Health and Environment, International Economic Politics, National Economic Politics on 29.08.10 at 21:34

For the first time, Norwegian companies are being targeted by a new kind of computer attack, aimed at critical societal control systems, like water, oil and gas supply systems. The attacks were first discovered in Germany and Belarus in June. Since then, at least 6000 infected computers have been confirmed.

“A malicious foreign power – given €86 million, 750 people and two years to prepare – could launch a devastating cyber attack on the EU.”

Charlie Miller


This summer the Norwegian National Security Authority (NSM) discovered for the first time targeted computer attacks directed against the internal process and control systems that ensure the supply of electricity and water. Similar attacks were discovered in Germany and Belarus. The EU’s cyber-security unit, ENISA, will in late October or early November carry out the first ever pan-European cyber security exercise.

According to the Norwegian newspaper, Aftenposten, the National Security Authority confirms that Norwegian companies have been attacked, but will not say which.

“It’s the first time we have seen these Trojans, specifically designed to take control of process and control systems. We know that other companies are affected, besides the Norwegian ones,” Christophe Birkeland at the NSM says.

“Malicious software that gets into these systems steals business-critical information and, in the worst cases, destroys or takes over control of the systems. We know Norwegian companies have gotten this Trojan into some of their systems,” he says.

NSM emphasizes that no damage has been reported at the moment.

However, NSM is now sending out a new warning against what it perceives as a serious threat to a number of critical actors in Norwegian society:

* Government and the national institutions.

* Power producers and suppliers.

* The oil companies.

* Water supply and treatment plants.

* Transport companies.

Going For The Most Advanced

In the operational center of Hafslund in Oslo, computers provide electric power for about 1.4 million people in the area.

The Hafslund central is one of the world’s most advanced power systems.

“We have also experienced attempts to hack into our office support systems. We are fully focused on this, and it is a very familiar problem,” information officer, Morten Schau, at Hafslund says.

Facsimile: Aftenposten, paper edition 08292010.

Customized Trojan

Behind the seemingly innocent file name “%System%\drivers\mrxnet” is the malicious, and highly sophisticated, computer virus “Stuxnet,” which this summer has been a hot topic amongst computer security experts.

The attacks may have been going on for many months before it was discovered in Germany and Belarus in June.

One of its many technical features is that the Trojan hides itself very well. Since June, at least 6,000 computers have been confirmed infected by “Stuxnet”.

The cyber criminals have exploited vulnerabilities in Windows, but it was not until early August that Microsoft released a security update that plugged the hole.

Siemens System Infected

The attack has been directed towards a management system supplied by Siemens – Simatic WinCC.

WinCC is used to control everything from pizza ovens to oil platforms.

In Norway, the system is in use in at least 200 oil companies, power suppliers, and metal and food industries.

Siemens admits that 12 companies have been affected, but stresses that none of them are its Norwegian customers.

“Those customers who were infected were quickly helped, and the problem is now fixed,” information officer Christian Jahr at Siemens says.

“What happened was that an employee had used a USB stick outside the office, or in other private places. It became infected with the virus, which is activated when it is used on a PC with WinCC installed. This goes to show that you have to be awake and updated to ensure the best security facilities possible,” Jahr says.

Who’s Fighting Who?

No one knows who is behind the attacks, or what country they come from.

Worldwide, companies in Indonesia, India, Iran and the US are being hit the hardest.

There are also several different theories about what the goal is:

* Industrial Espionage.

* Blackmail.

* Sabotage attempts.

According to the experts, the most important protective measure is an absolutely watertight separation between the data networks used to control machines and the computer systems used for communication with the outside world.

One must also prevent careless use of memory sticks and other USB devices.

Previously, police forces, governments, health institutions, banks and industrial companies have all been hit by computer criminals.

Able To Crash The Whole EU

A malicious foreign power – given €86 million, 750 people and two years to prepare – could launch a devastating cyber attack on the EU, a US security expert says.

Charlie Miller, a mathematician who served for five years at the US National Security Agency stress-testing foreign targets’ computer systems and designing network intrusion detection tools, calculated the EU scenario on the basis of a more detailed study of US vulnerability.

This is how it can be done:

Got 100 Million Dollars?

The assault would begin with a member of staff at, say, the London Stock Exchange or the French electricity grid operator, RTE, opening a PDF attachment in an email which looks as if it had been sent by a colleague.

Take down the EU, or buy a famous piece of art? (The price tag is about the same).

The PDF would contain software enabling a hacker on a different continent to silently take over his computer.

Over time, the hacker would monitor the employee’s keystrokes, sniff out passwords, and use the information to take over computers higher up the command chain, eventually putting him in a position to switch off the target’s firewalls, leaving it open to DOS (Denial of Service) attacks, and to install RATs (Remote Administration Tools), which control its hardware.

Around 18 to 21 months down the line, with enough targets compromised, the assault could take place, the EUobserver.com writes.

The EU’s 27 countries would wake up to find power stations shut down; communication by phone and Internet disabled; air, rail and road transport impossible; stock exchanges and day-to-day bank transactions frozen.

Crucial data in governments and financial institutions would be scrambled, and military units at home and abroad cut off from central command or sent fake orders.

Normal life could be restarted in a few days’ time. But the damage done to administrative capacity, consumer confidence and the economy by loss of vital data would last for years.

Mr Miller says the bulk of the money – €83 million ($105 million) – would be used to pay an army of 750 hackers, with just €3 million spent on hardware – a testing lab with 50 computers, another two computers each per hacker and assorted smart-phones and network equipment.

* 100 million dollars is just small change for some of our current dictators and drug barons.

* You can win 100 million dollars in one single game of poker in Las Vegas.

* You can earn 100 million dollars in one year as a commodities trader at Citigroup.

* 100 million dollars is what Tiger Woods paid for his divorce settlement.

Money won’t be a problem, but organizing the right people for the operation might be.

Army Of Hackers

An elite corps would consist of 20 world class experts whose main job would be to find “0-day exploits” – previously undetected security gaps in popular software such as Windows, Java or Adobe.

The experts would have to be paid a small fortune – over €200,000 ($250,000) – each a year.

Or extorted, Dr. Miller adds.

Another 40 people, drawn from the enemy country’s secret services or recruited inside EU member states, would get inside “air-gapped” facilities – the most secure targets, such as military command structures or air traffic control bodies, which are physically cut off from the Internet in order to prevent cyber attacks.

When the time came, the agents would un-airgap targets by connecting them to the Internet via 3G modems and satellite phones.

The rest of the cyber army, 690 people, mostly computer science graduates and post-graduates from inside the hostile state, would use the 0-day exploits to take over target networks.

They would also collect, maintain, create and test “bots” – software which secretly uses computers in ordinary people’s homes to run automated tasks, such as DOS attacks, which bombard target systems with overwhelming amounts of data.

The final assault would require 500 million bots in diverse locations, according to the calculations.

Dr. Miller, who currently works for the Baltimore-based US company Independent Security Evaluators, admits that internet scare stories like this help his firm to get business.

But he also underlines that classic intelligence gathering is the best line of defense, rather than hiring IT experts.

“It’s really hard to defend against an attack that’s well equipped and carried out by smart people. But you do have years to detect it before it happens. If you have an elaborate intelligence gathering network you could detect it, not technically because you can see it, but because you have human intel,” he says.

“If you want to spend your money well, spend it on your intelligence services.”

Here’s a copy of the US National Security Agency stress testing of US and foreign computer systems.

EU’s First Cyber War Exercise

The threat of cyber war against EU targets became clear on 27 April 2007 when hackers crashed Estonian online news agencies with DOS attacks in the middle of an Estonia-Russia political dispute.

The assault gathered pace over the next three weeks disrupting online banking services and government communications.

Three and a half years down the line there is no hard evidence linking the attack to a foreign power, although activists in the pro-Kremlin youth group, Nashi, claim to have taken part.

“If these cyber attacks were used to test the Estonian cyber defense capabilities, much more sophisticated attacks could possibly follow, based on the knowledge acquired during the attacks,” a report on the 2007 events by the Estonian government’s Computer Emergency Response Team says.

NATO and EU countries are now putting more resources than ever into joint cyber-security projects.

EU’s cyber-security unit, the Crete-based European Network and Information Security Agency (ENISA), will in late October or early November carry out the first ever pan-EU cyber security exercise.

ENISA spokesman, Ulf Bergstrom, says the exercise will look at disrupting normal internet operations in the EU’s internal market and the way EU member states’ authorities co-operate across the union’s internal borders.

Mr Bergstrom notes that ENISA’s initial mandate, which covers security of e-commerce, online banking and mobile phones, is being expanded to cover cyber criminality.

“We have been given political signals, for example by information society commissioner Neelie Kroes, to work more closely with agencies like Europol and Interpol,” he says.

“Cyber security is vital for the economy of Europe, to protect the businesses and operations of ordinary citizens. This is the digital society that we take for granted, like water out of the tap, which we need to defend.”

Related by the Econotwist:

Hackers Steal CO2-emission Permits Worth $4bn

Another Carbon Fraud Raid Reveals Firearms, Piles Of Cash

Most Polluting Companies Makes Billions On Carbon Trade

Julian Assange: Journalist, Activist or Informant?

We Give You Merkel – You Give Us Batman
