The latest version of the Zeus do-it-yourself crimeware kit goes to
great lengths to thwart would-be pirates by introducing a
hardware-based product activation scheme similar to what's found in
Microsoft Windows.
The newest version with bare-bones capabilities starts at $4,000 and
additional features can fetch as much as $10,000. The new feature is
designed to prevent what Microsoft refers to as "casual copying"
by ensuring that only one computer can run a licensed version of the
program. After it is installed, users must obtain a key that's good for
just that one machine.
To state the obvious, if anyone needed a reminder, the crimeware software industry is big business and maturing.
In addition The Register reported:
The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg.
But the authors are already busy working on version 1.4, which is being
beta tested. It offers polymorphic encryption that allows the trojan to
re-encrypt itself each time it infects a victim, giving each one a
unique digital fingerprint. As a result, anti-virus programs, which
already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.
No information was provided as to where you could submit your feature requests.
Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.
First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."
I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.
Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.
Regarding the attack itself, it represents a type of attack that is relatively new called "advanced persistent threats" (APT) which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear fishing, zero-day threats, and crafted malware here. The implications:
The world has changed. Everyone’s threat model now needs to be adapted
to the new reality of these advanced persistent threats. In addition to
worrying about Eastern European cybercriminals trying to siphon off
credit card databases, you have to focus on protecting all of your core
intellectual property, private nonfinancial customer information and
anything else of intangible value.
Gunter Ollman, VP of Research at Damballa, discusses APT's further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:
Malware is just a tool. The fundamental element to these (and
any espionage attack) lies with the tether that connects the victim
with the attacker. Advanced Persistent Threats (APT), like their bigger
and more visible brother “botnets”, are meaningless without that tether
– which is more often labeled as Command and Control (CnC).
Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.
Earlier this week PC World reported that a security researcher at FireEye took down a major botnet, Mega-D. However, LonerVamp weighed in with a more objective analysis of what FireEye accomplished.
Symantec's Hon Lau, senior security response manager, is reporting that the Koobface worm/botnet began a new attack using fake Christmas messages to lure Facebook users to download the Koobface malware.
This again shows the flexibility of the command and control function of the Koobface botnet. I previously wrote about Koobface creating new Facebook accounts to lure users to fake Facebook (or YouTube) pages.
These Facebook malware issues are a serious security risk for enterprises. While simply blocking Facebook altogether may seem like the right policy, it may not be for two reasons: 1) No access to Facebook could become a morale problem for a segment of your employees, and 2) Employees may be using Facebook to engage customers in sales/marketing activities.
Network security technology must be able to detect Facebook usage and block threats while allowing productive activity.
TrendMicro's Malware Blog posted information about a new method of luring Facebook users to a fake Facebook or Youtube page to infect the user with the Koobface malware agent.
The Koobfacebotnet has pushed out a new component that automates the following routines:
Registering a Facebook account
Confirming an email address in Gmail to activate the registered Facebook account
Joining random Facebook groups
Adding Facebook friends
Posting messages to Facebook friends’ walls
Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human.
Here is yet another example of the risks associated with allowing Facebook to be used within the enterprise.However simply blocking Facebook may not be an option either because (1) it's demotivating to young employees used to accessing Facebook, or (2) it's a good marketing/sales tool you want to take advantage of.
Your network security solution, for example a next generation firewall, must enable you to implement fine grained policy control and threat prevention for social network sites like Facebook.
The "quality" of phishing emails continues to improve. In other words, the attackers continue to make their phishing emails seem legitimate and thus trick more people into taking the emails' suggested actions. An article in Dark Reading this week discusses research done by F-Secure about new, more convincing, phishing attacks generated by the Zbot botnet which attempts to infect victims with the Zeus trojan. I wrote about how the Zeus trojan is used as a keylogger to steal banking credentials which enable funds transfer fraud.
While one might have considered the Dark Reading article a public relations piece for F-Secure, its validity was increased for me by Rich Mogull at Securosis who wrote about "the first phishig email I almost fell for," i.e. one of these Zbot phishing emails.
If a security person like Rich Mogull, who has the requisite security "paranoia DNA" can almost be fooled, then the phishing attackers are indeed improving their social engineering craft.
Web security firm, Finjan, published a report (Issue 2, 2009) this week on a more advanced funds transfer fraud trojan called URLZone. It basically follows the now well understood process I blogged about previously, where:
Web site visitors are infected with a trojan, in this case URLZone.
The trojan is used to collect bank credentials.
Cybercrirminals transfer money from the victims to mules.
The money is transferred from the mules to the cybercriminals.
URLZone is a more advanced trojan because of the level of automation of the funds transfer fraud (direct quotes from the Finjan report):
It hides its fraudulent transaction(s) in the report screen of the compromised account.
Its C&C [Command and Control] server sends instructions over HTTP about the amount to be stolen and where the stolen money should be deposited.
It logs and reports on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries.
In the past, the trojan was merely a keylogger that sent credentials back to the cybercriminal. These exploits were mostly against small businesses and schools where relatively large amounts of money could be stolen. But the URLZone trojan has much more sophisticated command and control which enables a much higher volume of transactions. Finjan reports 6,400 victims in 22 days losing 300,000 Euros. So far all the victims have been in Germany.
If you think your organization is free of botnet controlled hosts (aka zombies), it's only because you don't have the right detection tools! For example, Damballa, a botnet detection company claims that every organization it has tested was infected. And the number of infected hosts is rising – from 5% to 7% last year to 7% to 9% this year.
In one sense, this is a shocking number, i.e. almost 10% of the hosts in your network are controlled by botnets. On the other hand, not so much because I have yet to find an enterprise with hosts not running non-compliant or non-monitored software.
Another interesting finding from Damballa's research is the proliferation of small, customized botnets. Here is a quote from the Dark Reading article:
"The bad guys are also finding that deploying a
small botnet inside a targeted organization is a more efficient way of
stealing information than deploying a traditional exploit on a specific
machine. And [Damballa VP of Research Gunter] Ollmann says many of the smaller botnets appear to have
more knowledge of the targeted organization as well. "They are very
strongly associated with a lot of insider knowledge…and we see a lot
of hands-on command and control with these small botnets," he says.
There are several advanced security tools that can be easily deployed in a couple of days that will pinpoint non-compliant and non-monitored software and network communications.
