Ransomware demands are working, fueling an increase in attacks

Infoblox DNS Threat Index finds criminals are creating more ransomware-domains than ever, and predicts a continuing increase in attacks as more criminals rush to cash in. 


Emboldened by the wave of successful ransomware attacks in early 2016, more cybercriminals are rushing to take advantage of this lucrative crime spree.

Networking company Infoblox’s quarterly threat index shows cybercriminals have been busy in the first quarter of 2016 creating new domains and subdomains and hijacking legitimate ones to build up their ransomware operations.

The number of domains serving up ransomware increased 35-fold in the first three months of 2016 compared to the end of 2015, according to the latest Infoblox DNS Threat Index. The index doesn’t measure actual attack volumes but observes malicious infrastructure — the domains used in individual campaigns. Criminals are constantly creating new domains and subdomains to stay ahead of blacklists and other security filters. The fact that the attack infrastructure for ransomware is growing is a good indicator that more cybercriminals are shifting their energies to these operations.

“There is an old adage that success begets success, and it seems to apply to malware as in any other corner of life,” Infoblox researchers wrote in the report.

The threat index hit an all-time high of 137 in the first quarter of 2016, compared to 128 in the fourth quarter of 2015. While there was a lot of activity creating infrastructure for all types of attacks, including malware, exploit kits, phishing, distributed denial-of-service, and data exfiltration, the explosion of ransomware-specific domains helped propel the overall threat index higher, Infoblox said in its report. Ransomware-related domains, which include those hosting the actual download and those that act as command-and-control servers for infected machines, accounted for 60 percent of the entire malware category.

“Again in simple terms: Ransomware is working,” the report said.

Instead of targeting consumers and small businesses in “small-dollar heists,” cybercriminals are shifting toward “industrial-scale, big-money” attacks on commercial entities, said Rod Rasmussen, vice president of cybersecurity at Infoblox. Cybercriminals don’t need to infect several victims for $500 each if a single hospital can net them $17,000 in bitcoin, for example.

The latest estimates from the FBI show ransomware cost victims $209 million in the first quarter of 2016, compared to $24 million for all of 2015. That doesn’t cover only the ransoms paid out — it also includes costs of downtime, the time required to clean off the infection, and resources spent recovering systems from backup.

Toward the end of 2015, Infoblox researchers observed that cybercriminals appeared to have abandoned the “plant/harvest cycle,” in which they spent a few months building up attack infrastructure, then a few months reaping the rewards before starting all over again. That still seems to be the case in 2016: there was no meaningful lull in newly created threats, and new threats such as ransomware jumped to new highs. The harvest period seems to be less and less necessary as criminals become more efficient at shifting from task to task: creating domains, hijacking legitimate domains, creating and distributing malware, stealing data, and generally causing harm to their victims.


“Unfortunately, these elevated threat levels are probably with us for the foreseeable future — it’s only the nature of the threat that will change from quarter to quarter,” Infoblox wrote.

Ransomware may be the fastest-growing segment of attacks, but it still accounts for a small piece of the overall attack infrastructure. Exploit kits remain the biggest threat, accounting for more than 50 percent of the overall index, with Angler leading the way. Angler is the toolkit commonly used in malvertising attacks, where malicious advertisements are injected into third-party advertising networks and victims are compromised by navigating to websites displaying those ads. Neutrino is also gaining popularity among cybercriminals. However, the lines are blurring as Neutrino is jumping into ransomware, as recent campaigns delivered ransomware, such as Locky, Teslacrypt, Cryptolocker2, and Kovter, to victims.

Recently, multiple reports have touted ransomware’s rapid growth, but what gets lost is that ransomware isn’t the most prevalent threat facing enterprises today. Organizations are more likely to see phishing attacks, exploit kits, and other types of malware, such as backdoors, Trojans, and keyloggers. Microsoft’s recent research noted that in 2015, ransomware accounted for less than 1 percent of malware. The encounter rate for ransomware jumped 50 percent over the second half of 2015, but that is going from 0.26 percent of attacks to 0.4 percent. Even if there are 35 times more attacks in 2016, that’s still a relatively small number compared to all other attacks.

The good news is that staying ahead of ransomware requires the same steps as basic malware prevention: tightening security measures, keeping software up-to-date, and maintaining clean backups.

“Unless and until companies figure out how to guard against ransomware — and certainly not reward the attack — we expect it to continue its successful run,” warned the report.


Source:  http://www.infoworld.com/article/3077859/security/ransomware-demands-are-working-fueling-an-increase-in-attacks.html

Attackers Clobbering Victims with One-Two Punch of Ransomware and DDoS.

Encrypted systems now being added to botnets in the latest incarnations of ransomware attacks, with experts expecting this to become standard practice.

As if ransomware weren’t bad enough, attackers are now making the most of their attacks by adding victimized machines to distributed denial of service (DDoS) botnets at the same time that they’re encrypted and held hostage, according to warnings from several security research organizations in the last week.

This one-two punch is a natural “Gimme” for profit-minded attackers and one which security pundits expect will be standard issue for most ransomware kits in the near future.

“Adding DDoS capabilities to ransomware is one of those ‘evil genius’ ideas,” says Stu Sjouwerman, CEO of KnowBe4, which today issued an alert that a new variant of Cerber ransomware has added DDoS capabilities to its payloads. “Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend.”


The new trend was first detailed last week by researchers with Invincea, who found attackers using weaponized Office documents to deliver the threat via a Visual Basic exploit that allows them to conduct a file-less attack. That delivers malware with the underlying binary, giving the bad guys “two attacks for the price of one,” says Ikenna Dike of Invincea.

“First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note. Second, the binary could also be used to carry out a DDoS attack,” Dike said in a post. “The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive.”

Seen by many as a perfect example of the mercenary nature of cybercrime, ransomware’s evolution has been driven entirely by black market ROI. According to the FBI, by the end of the year the ransomware market is expected to net the crooks at least $1 billion.

“Relatively high profit margins coupled with the relatively low overhead required to operate a ransomware campaign have bolstered the appeal of this particular attack type, fueling market demand for tools and services corresponding to its propagation,” explained FireEye researchers in an update last week on ransomware activity.

FireEye’s data shows that there was a noticeable spike in ransomware in March this year and that overall figures are on track for ransomware to exceed 2015 levels. This latest trend of DDoS bundling once again shows the lengths to which criminals will go to squeeze every last bit of profitability and efficiency from ransomware attacks. It also offers fair warning to enterprises that even with backups, ransomware can pose threats to their endpoints and networks at large.

Even if data is restored on systems plagued by ransomware, there’s no guarantee that a system won’t remain part of the botnet or be used as a foothold for further attacks if the threat isn’t properly contained.

Source:  http://www.darkreading.com/endpoint/attackers-clobbering-victims-with-one-two-punch-of-ransomware-and-ddos/d/d-id/1325659

DDoS Attacks Slam Finnish Bank

Police in Finland are investigating a series of distributed denial-of-service attacks against the country’s OP Pohjola financial services group that have intermittently shut down online banking and direct debit services.

The attacks, which were first reported by Finland’s YLE news service, began on New Year’s Eve.

Law enforcement officials say the attacks have been launched via malware-infected “zombie” PCs – or bots – located both in Finland and abroad. “This attack came from many different directions. The perpetrators had commandeered [bots], so the incoming data traffic would not necessarily reveal anything about who was behind the attack,” Detective Chief Inspector Timo Piiroinen, who’s with Finland’s National Bureau of Investigation, tells the country’s YLE news outlet. Piiroinen declined to offer further details related to the attack, saying the matter remains an “ongoing investigation” that involves NBI, the bank, as well as the Finnish Communications Regulatory Authority, which is known as Ficora.

Security experts report that numerous services now offer on-demand DDoS attacks. Some services, such as “Darkbooter,” advertise related services for as little as $3.99.

Pohjola, which is based in Helsinki, is the largest financial services group in Finland, boasting 4 million customers in a country that has a population of 5.4 million. The financial services firm, which operates 350 branches, said that while the initial attack was contained by late on Dec. 31, 2014, subsequent attacks have continued to cause intermittent disruptions. The financial services firm has posted contact phone numbers to serve customers who are continuing to face disruptions with accessing services, both from inside and outside the country. The firm says in a Jan. 7 FAQ that due to DDoS defenses that are now in place, the aggressive filtering of traffic that originates outside Finland is continuing to cause disruptions for customers who are attempting to access banking services from abroad.

CoreSec Claims Credit

A group that calls itself CoreSec has taken responsibility for the DDoS attacks. But the DDoS collective that calls itself Lizard Squad also highlighted the disruption against the banking website, although it’s not clear if the group was involved in the attack.

CoreSec has been tied to previous DDoS extortion campaigns, including an August 2013 campaign against Finland’s Katsomo pay-per-view television website in the midst of ice-hockey playoffs – which the group demanded 10 bitcoins to call off – as well as a 10 bitcoin ransom demand left on the Facebook page of Danske Bank by “Coresec/V£N0M,” reports cybercrime expert Mikko Hypponen, who’s the chief research officer at Helsinki-based anti-virus firm F-Secure. But he says it’s not clear when that demand was made.

In its Dec. 31 post to Pohjola’s Facebook page, meanwhile, CoreSec demanded 100 bitcoins to call off its attack. At that time, those bitcoins would have been worth about $35,000. “Lazers pointed towards #FreeRyan,” the group also posted, referring to a static IP address assigned to Pohjola.

Attackers’ Call to ‘Free Ryan’

CoreSec’s “FreeRyan” reference, meanwhile, refers to the belief that “Ryan,” a 17-year-old Finn who allegedly participated in the Xbox Live and PlayStation Network disruptions on Christmas Day – for which the Lizard Squad collective has claimed credit – was arrested. But Finnish police say that while they have interviewed the teenager on suspicion of having committed “data crimes,” he has not been charged or arrested, contrary to a report in the Washington Post. That interview followed Ryan telling Britain’s Sky News via a Skype interview that just two or three people directed the DDoS attacks “mostly to raise awareness – to amuse ourselves.”

Finnish legal experts say that if Ryan is charged for related crimes, he would face less severe penalties under the country’s data crime laws, because he is younger than age 18.

Ryan has claimed to be a spokesman for Lizard Squad, rather than an active member of the collective. He claims the disruptions – coming in the wake of the high-profile hack of Sony Pictures Entertainment – were proof that Microsoft and Sony weren’t devoting sufficient resources to protect their gaming networks, and, by extension, their customers. “They should have more than enough funding to be able to protect against these attacks,” he said. “And if they can’t protect against the attacks on their core business networks, then I don’t think they’re really doing that much on their overall level of security.”

Lizard Squad, meanwhile, says the attacks were meant to advertise its new DDoS-as-a-service offering, dubbed “LizardStresser.” It claims to accept payments via PayPal, as well as in Bitcoins.

Regardless, Lizard Squad called off its DDoS attack against the gaming networks after Kim Dotcom, who runs the cloud storage and file-hosting service Mega, offered the group 3,000 free, lifetime vouchers if they would permanently cease their Xbox and PlayStation Network attacks.

Source: http://www.bankinfosecurity.com/ddos-attacks-slam-finnish-bank-a-7761/op-1

Denial of Service Vulnerability Found in Ruby

The flaw was discovered by security researchers Alexander Klink and Julian Waelde.

Security researchers Alexander Klink and Julian Waelde have uncovered a vulnerability in Ruby that could enable a hacker to launch a denial of service attack.

“The deterministic hash function used to hash a string in the 1.8 series of Ruby, which makes sure that no other bits of information than the input string itself is involved in generating the hash value, allows for the string’s hash value to be pre-calculated beforehand,” writes Softpedia’s Eduard Kovacs.

“‘By collecting a series of strings that have the identical hash value, an attacker can let Ruby process collide bins of hash tables (including Hash class instances),’ reads the issue’s description,” Kovacs writes.

Go to “Ruby Flaw Allows Hackers to Launch DoS Attacks” to read the details.
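An added example (not code from the article, from Ruby, or from the researchers) of why a deterministic string hash makes the collision attack described above pre-computable, and why mixing a per-process random seed into the hash, as Ruby 1.9 and later do for String#hash, removes that guarantee. The `DETERMINISTIC` hash, `ToyHashTable` and the `Aa`/`BB` block construction are constructed for illustration and are not Ruby 1.8's actual hash function:

```ruby
# Toy chained hash table with a pluggable string hash. It exists only to
# make bucket chains visible; Ruby's real Hash is not built this way.
class ToyHashTable
  def initialize(nbuckets, hasher)
    @buckets = Array.new(nbuckets) { [] }
    @hasher = hasher
  end

  # Insert walks the whole chain looking for an existing key, so a bucket
  # holding n keys costs O(n) per insert and O(n^2) for n inserts: that is
  # the CPU cost an attacker buys with colliding keys.
  def insert(key, value)
    chain = @buckets[@hasher.call(key) % @buckets.size]
    pair = chain.find { |k, _| k == key }
    if pair
      pair[1] = value
    else
      chain << [key, value]
    end
    self
  end

  # Longest chain: the figure a defender would monitor. With a healthy hash
  # it stays near the load factor; under collision flooding it approaches
  # the number of keys inserted.
  def max_chain_length
    @buckets.map(&:size).max
  end
end

# Constructed deterministic hash: h = h*31 + byte, truncated to 32 bits.
# Every process computes the same value for the same string, so colliding
# inputs can be found once, offline, and reused against any server.
DETERMINISTIC = lambda do |str|
  str.each_byte.reduce(0) { |h, b| (h * 31 + b) & 0xFFFFFFFF }
end

# Ruby 1.9+ mixes a per-process random seed into String#hash, so a
# collision set pre-computed elsewhere does not carry over to this process.
RANDOMIZED = ->(str) { str.hash }

# "Aa" and "BB" collide under the multiplicative hash (65*31+97 == 66*31+66),
# and because that hash is linear in its input, any concatenation of n such
# two-byte blocks collides too: 2**n distinct keys, one hash value.
def colliding_keys(nblocks)
  %w[Aa BB].repeated_permutation(nblocks).map(&:join)
end

# Fill a table under the given hasher and report its longest chain.
def longest_chain(hasher, keys, nbuckets = keys.size)
  table = ToyHashTable.new(nbuckets, hasher)
  keys.each_with_index { |k, i| table.insert(k, i) }
  table.max_chain_length
end

if __FILE__ == $PROGRAM_NAME
  keys = colliding_keys(8) # 256 keys, all with the same deterministic hash
  puts "distinct deterministic hash values: #{keys.map(&DETERMINISTIC).uniq.size}"
  puts "longest chain, deterministic hash:  #{longest_chain(DETERMINISTIC, keys)}"
  puts "longest chain, seeded String#hash:  #{longest_chain(RANDOMIZED, keys)}"
end
```

Run it twice: the deterministic numbers are identical on every run and every machine, while the seeded result changes per process, which is exactly what denies the attacker a reusable collision set.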

Fortinet’s Top 8 Security Predictions for 2012

Looking back on 2011, FortiGuard Labs, the research arm of Fortinet, saw a number of landmark developments in the world of network security. Huge botnets such as DNS Changer and Coreflood were permanently taken offline, 64-bit rootkits advanced (TDSS), source code was leaked for the Zeus and SpyEye botnets, and Anonymous hacktivists raised their profile by taking major banks offline and threatening to go after critical infrastructure and even drug cartels in Mexico.

Many of these events the team predicted in its “Top 5 Security Predictions for 2011,” while others, such as legislation to potentially jail and fine individuals who had malicious code stored on computer systems, were more surprising.

2012 promises to be even more worrisome. After gazing into FortiCrystalball this month, FortiGuard Labs saw eight network security trends that could happen in the coming year. In short, the Labs are predicting a rise of mobile malware (with new worms and polymorphism), increased crackdowns on network-run money laundering operations, renewed and successful collaboration between government and the private sector, discoveries of exploitable SCADA vulnerabilities, an increase in sponsored attacks, and Anonymous hacktivists using their powers for good over evil. The full report is outlined below:

Prediction No. 1: Ransomware will take mobile devices hostage – Over the past few years, FortiGuard Labs has witnessed the evolution and success of “ransomware” (an infection that holds a device “hostage” until a “ransom” payment is delivered) on the PC. Mobile malware that utilizes exploits has also been observed, along with social engineering tricks that lead to root access on the infected device. With root access comes more control and elevated privileges, suitable for the likes of ransomware. FortiGuard predicts the team will see the first instances of ransomware on a mobile device in the coming year.

Prediction No. 2: Worming into Android – Worms, i.e., malware that is able to quickly propagate from one device to another, have, by and large, remained absent from the Android operating system, but FortiGuard Labs believes that will change in 2012. Unlike Cabir, the first Symbian worm discovered in 2004, Android malware developers most likely won’t be using Bluetooth or computer sync to spread because of their limited ranges. Instead, the team believes the threat will come from either poisoned SMS messages that include a link that contains the worm or through infected links on social networks, such as Facebook and Twitter.

Prediction No. 3: Polymorphism want a cracker? – While there isn’t much of it, as we’ve just said, there’s no denying that Android-based malware has gotten more diverse and complex. In the last year, FortiGuard Labs has seen Android malware use encryption, embed exploits, detect emulators and implement botnets. But what they haven’t seen yet is an example of polymorphism in action.

Polymorphic malware is capable of automatically mutating, making it extremely difficult to identify and thus destroy. The team has previously encountered polymorphism on Windows Mobile phones and believes it’s only a matter of time before such malware appears on Android devices.

Prediction No. 4: Clampdown on network-based money laundering – Money mules, which typically consist of third party individuals electronically transferring money from one person or service to another and illegitimate payment processors, are critical components to a successful money laundering

Using anonymous fund transferring services, human networks and payment processor safe havens, cybercriminal syndicates have pretty much operated with impunity for years. How do you catch someone when you don’t even know where they’re located? FortiGuard believes that will change in 2012. The recent arrest of ChronoPay CEO Pavel Vrublevsky on the grounds of hacking Aeroflot’s website and preventing visitors from buying tickets is a good example of the type of takedowns the team expects to see in the coming year.

Prediction No. 5: Public-Private Relationships in security – Last year FortiGuard Labs predicted they’d see an increase in global collaborative botnet takedowns. And they were right, not only about botnet takedowns but also about global collaboration. Among globally supported botnet takedowns were Rustock and DNS Changer, while other international efforts helped take offline a massive scareware operation that siphoned $72 million in bank funds.

Meanwhile, arrests were made against international members of the Anonymous and LulzSec hacktivist groups. This crackdown will continue in 2012, and the team believes that much of it will be aided by the Defense Advanced Research Projects Agency’s (DARPA) public defense initiative. DARPA was recently granted a $188 million budget and plans to use part of the money on initiatives to build a cyber defense team in the private sector. With recent movement, it seems likely that in 2012 we will start to see similar relationships formed worldwide.

Prediction No. 6: SCADA under the microscope – For over a decade, supervisory control and data acquisition (SCADA) system-based threats have been a concern, because these systems are often connected to critical infrastructure such as power and water grids, where a breach would have serious consequences. In 2011, FortiGuard saw two examples of this in the form of Stuxnet, which compromised Iran’s nuclear program, and Duqu, a Stuxnet-like virus that used similar attack methods and stolen certificates.

While Iranian officials confirmed the latter had infected systems in the region, no hostile industrial code has been found to date. However, it’s clear the building blocks are now in place. The reality is that critical infrastructure systems are not always operating on a closed circuit. New human machine interface (HMI) devices that interact with these systems are being developed by a number of different software and hardware manufacturers, and many have Web interfaces for logging in. Historically, Web-based interfaces that interact with back-end systems have often been circumvented.

Even more concerning is the migration to cloud-based SCADA services. This allows data storage and potential control of critical systems on a public cloud server, hence the security concern. Groups like Anonymous have already found an assortment of Web-based vulnerabilities simply by picking targets and scouring code.  In 2012, FortiGuard predicts a number of SCADA vulnerabilities will be discovered and exploited with potentially devastating consequences.

Prediction No. 7: Sponsored attacks – The FortiGuard team often talks about crime-as-a-service (CaaS), which is just like software-as-a-service (SaaS), except that instead of offering legal and helpful services through the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching distributed denial of service (DDoS) attacks.

If you’ve got the money, there’s a good chance you can find a CaaS provider to help you out. What FortiGuard sees evolving in 2012 is that, instead of CaaS outfits being hired for blanket attacks, the team expects more strategic and targeted attacks on companies and individuals. This scope would include state or corporate sponsorship. Admittedly, this prediction will be tough to monitor, because without “freedom of information” legislation in place, many of these discovered cases will be settled out of court with verdicts not released publicly. For example, Russian payment processor ChronoPay allegedly hired a hacker to attack its direct competitor, Assist, in 2011.

Prediction No. 8: Hacking for a cause – While Anonymous has been alive and kicking in one capacity or another since its formation on 4Chan.org in 2003, only in the last year have the loosely organized anarchists started using their power to attack large, high profile targets such as Sony.  More hacktivist groups were formed in 2011 (most notably LulzSec), and more will likely rise in 2012.

What FortiGuard found interesting about Anonymous towards the end of the year was how the group started to use its power for “good.” Case in point: the group recently threatened to unmask Mexican drug cartel members and recently helped authorities break up a child porn ring. FortiGuard expects to see more examples of “hacktivist” justice meted out throughout 2012, along with a mix of attacks that border on or cross the line of justice.

E-Commerce, Retail Websites Alert for DDoS Attacks this Holiday Season

Online shoppers aren’t the only ones that may overwhelm e-commerce Websites and crash them this holiday season. Cyber-attackers may be waiting in the wings with a DDoS attack.

With the holiday season ramping up, it’s not just online shoppers that have to be vigilant for cyber-threats. Enterprises and retailers have to be alert for scammers, cyber-criminals and hackers.

High-profile distributed-denial-of-service attacks made headlines in 2011, and security vendors warned retailers could face similar attacks during the holiday shopping season. Online sales last year exceeded $36 billion during the holiday shopping season, according to numbers released by MasterCard. Retailers anticipate this year’s online sales to exceed last year’s figures, with industry estimates of $1.2 billion in sales on Cyber Monday alone.

Worries about “denial-of-service outages are the name of the game for online retail organizations during the heavy holiday shopping season,” Adam Powers, CTO of Lancope, told eWEEK.

Some can be inadvertent, driven by high demand from shoppers. Powers described Target’s launch of the Missoni clothing line earlier this year as a “poster child for a legitimate oversubscription DoS,” noting that high demand for Missoni merchandise “brought” Target “to its knees.”

Organizations should check their infrastructure to make sure they can handle increased network traffic and capacity, according to Check Point Software Technologies. They can implement flexible hosting sites or cloud sites to add capacity and prevent the site from crashing. The existing security gateway will also need to be able to handle the increased traffic volume and keep scanning and protecting the network, Check Point said.

Others can be malicious, especially to an online retailer with a strong brand, according to Powers. Cyber-criminals can take advantage of events such as Black Friday to launch an attack, and hacktivists may also take advantage of intense media attention to make a point, he said.

E-commerce is exceptionally vulnerable to distributed-denial-of-service attacks, as unscrupulous players could also decide to sabotage competitor Websites to steal customers, according to Corero Network Security. If the site is not available, frustrated customers are more likely to just move to a competitor’s site.

“The bottom line is that retailers and other blue-chip corporations need to improve their defensive posture against DDoS attacks, as criminals and hacktivists have significantly increased the frequency and sophistication of DDoS attacks they employ,” said Mike Paquette, chief strategy officer of Corero Network Security.

Cyber-attackers use network flooding techniques and application-layer attacks such as ApacheKiller to bring targeted Websites to a crawl or crash, rendering them inaccessible to customers.

DDoS attacks increased by 30 percent in 2010, and the number is expected to be higher in 2011, according to Gartner estimates. The attacks have also been escalating in size and complexity in 2011, according to Paul Sop, chief technology officer at Prolexic. Attackers generally are throwing more packets, using more bandwidth and targeting the application layer, Sop said.

E-commerce businesses aren’t the only ones that have to worry about DDoS attacks during this holiday season, as hospitality, gaming and shipping services should also be on high alert for DDoS attacks, Sop said. A significant percentage of yearly revenues are made in the fourth quarter from holiday shoppers and a serious DDoS attack can be financially devastating, according to Prolexic.

Retailers don’t have to just worry about making sure their sites are up and capable of handling the “influx of shoppers,” but that the payment data being collected remain secure, Mandeep Khera, CMO of LogLogic, told eWEEK. Merchants who collect credit card information have to ensure that their databases are secure so that attackers who try to break in don’t waltz off with payment information. Ensuring they are following all 12 PCI requirements would help retailers protect customer credit card data, according to Khera.

White hats bust history’s biggest botnet

Security white hats have coordinated with law enforcement in a five year effort to torpedo a criminal botnet that enslaved some 4 million computers.

Researchers including hostexploit.com’s Jart Armin and others from Team Cymru, Spamhaus, Symantec and Trend Micro joined the FBI, NASA’s Office of Inspector General, Estonian police, and the Dutch National Police Agency in gathering intelligence on the monster DNS Changer botnet.

The researchers, working together as the DNS Changer Working Group, brought about the destruction of a sophisticated money-making Estonian business behind the botnet.

Their intelligence gathering predated 2005 and crossed dozens of countries, leading to the arrest of several Estonian business people and the disconnection of more than 100 command and control servers from US data centres.

The botnet consisted of infected machines whose browser Domain Name System (DNS) settings had been changed to point to US-based command and control servers operated by a criminal business.

It generated cash by switching web advertisements on victim browsers, hijacking search results and installing malware. The ad revenue alone generated some $14 million in illicit fees.

An anonymous FBI agent described the botnet and the business behind it as having “a level of complexity that we haven’t seen before”.

On November 8, the FBI and Estonian police took down the botnet using evidence supplied by the private industry.

Two data centres were raided in New York and Chicago. An Internet Systems Consortium support officer for BIND was on hand to hot swap the botnet servers on which the 4 million victim machines relied.

“He got on a plane upstate and replaced them with legitimate DNS,” said Paul Ferguson of Trend Micro, a key coordinator of the effort. This move was required because infected computers that pointed to the DNS servers could otherwise have lost internet connectivity.

“[The new servers] began recording IP addresses of infected machines contacting them.”

Those logs provided a hit list of DNS Changer victims which will be supplied to local telcos, who will contact each infected subscriber to help them reconfigure DNS settings and remove the malware. The data will be compiled until mid next year under a court-appointed custodial role given to the ISC.

“Fixing DNS settings could be tricky. You can’t just make an application tool for everyone,” Ferguson said.

A common danger unites even the bitterest enemies

Online criminals can expect to face a stronger alliance of white hats and law enforcement.

Companies say the crime-fighting effort is unhindered by rivalry. Top researchers at Symantec and Trend Micro – rival companies that fight in an already saturated anti-virus market – say they ignore “marketing stuff” and work together to take down criminals.

Ferguson says they hold regular conference calls and share intelligence over closed community mailing lists.

“There are members of academia, ISPs, law enforcement working on these operations,” he said. “The mailing lists operate 24/7 … I work daily with researchers at Symantec – we leave the marketing out of it and work together because the bad guys do”.

In the lead up to the take down of the DNS Changer botnet, participating white hats held conference calls up to twice a week to ensure that the four million victims of the botnet would not lose internet connection when the DNS servers were pulled.

Ferguson said he aims to meet each of the white hats in person before working on a case: “I like to meet them in person over a beer at conference … nothing substitutes.”

Symantec’s managing director Craig Scroggie said the industry relied on such cooperation to help protect users who, after all, were their customers.

“It is an established practice,” Scroggie said. “If someone finds malware that another has not seen, they share it.”

He said the agreements were a formal process, adding that the security community has a common interest in combating and sharing information about online crime.

New Trojan Epidemic Hits Mac Users

Mac OS X users have been targeted by a new Trojan horse intended to capture systems for launching mass distributed denial-of-service (DDoS) attacks, as reported by the Internet security firm Sophos at msnbc.msn on October 26, 2011.

According to Sophos, the newly dubbed malware, OSX/Tsunami-A, embeds itself in the host system and then waits for further instructions from a remote Internet Relay Chat (IRC) channel. Sophos says the Tsunami name comes from its goal of forcing infected computers into a compromised network that launches DDoS attacks, flooding websites with so much traffic that they are unable to function properly.

Commenting on the new Trojan, Graham Cluley, Senior Technology Consultant at Sophos, said it is not merely a DDoS tool: as the excerpt of OSX/Tsunami’s source code shows, the script accepts many different instructions, and it can also be used to access an infected computer, as reported by tgdaily on October 26, 2011.

How the code ends up on a Mac is, in fact, not yet clear. A criminal may plant it on a system in order to access it remotely and launch DDoS attacks, but it is also possible that the victim volunteers to take part in an organized attack on a website.

According to Robert Lipovsky, a malware researcher at ESET, Tsunami appears to derive from an old backdoor Trojan dating back to 2002 that was designed to infect Linux systems, as reported by eweek on October 27, 2011.

ESET also highlighted that the Trojan appears to be evolving quickly, as evidenced by a new variant being discovered on October 27, 2011.

Security experts expect cybercriminals to keep targeting unprotected Mac computers in the future as well.

Finally, 2011 has been a milestone year for Mac malware: a highly successful Mac malware outbreak came to the fore in May 2011, and security researchers have since noticed a sharp increase in the spread of Mac malware.

World’s Most Sophisticated Rootkit Is Being Overhauled

Experts from security vendor ESET warn that TDL4, one of the most sophisticated pieces of malware in the world, is being rewritten and improved for increased resilience to antivirus detection.

“ESET researchers have been tracking the TDL4 botnet for a long time, and now we have noticed a new phase in its evolution,” announced David Harley, the company’s director of malware intelligence.

“Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions,” he noted.

Harley and his colleagues believe this suggests a major change within the TDL development team or the transition of its business model toward a crimeware toolkit that can be licensed to other cybercriminals.

TDL, also known as TDSS, is a family of rootkits characterized by complex and innovative detection evasion techniques. Back in July, malware analysts from Kaspersky Lab called TDL version 4 the most sophisticated threat in the world and estimated that the number of computers infected with it exceeds 4.5 million.

There are many things that make TDL4 stand out from the crowd of rootkits currently plaguing the Internet. Its ability to infect 64-bit Windows systems, its use of the public Kad peer-to-peer network for command purposes and its Master Boot Record (MBR) safeguard component are just some of them.

However, according to ESET’s researchers, changes are now being made to the way TDL4 infects systems and ensures its hold on them. Instead of storing components within the MBR, the new variants create a hidden partition at the end of the hard disk and set it as active.

This ensures that malicious code stored on it, including a special boot loader, gets executed before the actual operating system, and that the MBR code checked by antivirus programs for unauthorized modifications remains untouched.
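ESET describes the new variants marking a hidden partition at the end of the disk as active so that the MBR code itself stays clean. As an added defender-side illustration (not ESET’s or the article’s code), the Python below parses an MBR partition table and flags an active partition that has an unrecognised type, sits after every other partition, or is tiny and tucked into the disk’s tail; the MBR images, the partition type 0x99 and the size thresholds are constructed assumptions for the example, not TDL4 indicators.

```python
import struct

SECTOR = 512
TAIL_SECTORS = 2048  # heuristic: "end of disk" means the last 1 MiB (assumption)
KNOWN_TYPES = {0x05, 0x07, 0x0B, 0x0C, 0x0F, 0x83}  # extended/NTFS/FAT/Linux (short list, assumption)

def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries from a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0 marks an unused slot
            entries.append({"slot": i, "active": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries

def rogue_active_partition_reasons(entries: list, disk_sectors: int) -> list:
    """Explain why the active partition looks like a rogue boot partition; [] means nothing odd."""
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        return ["expected exactly one active partition, found %d" % len(active)]
    a, reasons = active[0], []
    others = [e for e in entries if e is not a]
    if a["type"] not in KNOWN_TYPES:
        reasons.append("active partition has unrecognised type 0x%02x" % a["type"])
    if others and a["lba_start"] >= max(e["lba_start"] + e["sectors"] for e in others):
        reasons.append("active partition lies after every other partition")
    tiny = a["sectors"] * 100 < disk_sectors  # under 1% of the disk (assumption)
    if tiny and a["lba_start"] + a["sectors"] > disk_sectors - TAIL_SECTORS:
        reasons.append("tiny active partition tucked into the last %d sectors" % TAIL_SECTORS)
    return reasons

def build_mbr(entries) -> bytes:
    """Assemble a constructed MBR from (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return b"\x00" * 446 + table.ljust(64, b"\x00") + b"\x55\xaa"

DISK_SECTORS = 20_971_520  # constructed 10 GiB disk
# Constructed layouts: a normal disk, and one where a small unknown-type partition is appended
# at the disk end and marked active while the NTFS partition is left inactive.
CLEAN_MBR = build_mbr([(0x80, 0x07, 2048, 20_969_472)])
ROGUE_MBR = build_mbr([(0x00, 0x07, 2048, 20_965_376), (0x80, 0x99, 20_967_424, 4096)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("rogue", ROGUE_MBR)):
        print(name, rogue_active_partition_reasons(parse_mbr(mbr), DISK_SECTORS) or "ok")
```

On a real system the 512 bytes would come from the raw disk device; the check only reads the partition table and never touches the partitions' contents.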

The TDL4 authors have also developed an advanced file system for the rogue partition, which allows the rootkit to check the integrity of components stored within.

“The malware is able to detect corruption of the files stored in the hidden file system by calculating its CRC32 checksum and comparing it with the value stored in the file header. In the event that a file is corrupted it is removed from the file system,” the ESET researchers explain.

In April, Microsoft released a Windows update that modified systems to disrupt the TDL4 infection cycle. The rootkit’s authors responded half a month later with an update of their own that bypassed the patch.

This kind of determination to keep the malware going suggests that its return on investment is significant. The code quality and the sophisticated techniques are certainly indicative of professional software development.

Several antivirus vendors, such as Kaspersky, BitDefender and AVAST, offer free stand-alone tools that can remove TDSS and similar rootkits. However, to avoid getting infected in the first place, users should install an antivirus solution that provides advanced layers of protection, such as analysis of software behavior.

Peer-to-peer update makes ZeuS botnets harder to take down

A new strain of the ZeuS crimeware toolkit comes with a peer-to-peer design that lets infected machines bypass centralized servers when receiving updates and marching orders from operators, a researcher said.

The update to a custom-built ZeuS variant known as Murofet could make it harder for white-hat hackers and law-enforcement agents to disrupt botnets, by eliminating the centralized command-and-control servers they infiltrate or shut down, said the researcher with Zeus Tracker, which monitors botnet communications. The researcher, who asked that his name not be included in this article, recently counted machines from more than 100,000 unique IP addresses infected by the custom build.

Zombies under the control of Murofet come with an initial list of IP addresses to query. They send UDP packets to those destinations over high-numbered ports and wait for fellow bots to respond with additional addresses that are also a part of the p2p network.

If the remote node is running a more recent version of the bot software, it updates the other machine over a TCP connection. The p2p feature was added around the same time the malware scaled back its reliance on a domain generation algorithm that allowed bots to connect to custom-registered domain names on specific dates.

The new capability gives the ZeuS offshoot p2p capabilities similar to those that Waledac, TDL-4, and other botnets have boasted for years. Given the many other advanced features ZeuS offers, it’s surprising the feature wasn’t added years ago.

The new architecture means Murofet no longer uses a static URL to download binary updates and configuration files, which is likely to make the job of some researchers harder. But despite the new design, the ZeuS malware remains vulnerable, because it still relies on a central domain and falls back on the domain generation algorithm if connections to both the main command server and the p2p drones are lost.

“It’s not impossible to track it, but it’s more difficult than before,” the researcher told The Register over instant messenger. “I would say it makes tracking of ZeuS just more complicated but it’s not *the new super trojan*.”