Hackers using DDoS tools to attack websites: CERT-In

NEW DELHI: Websites of reputed government and private organisations are under threat from hackers, the Computer Emergency Response Team India (CERT-In) has said, warning users to be extra cautious while using the internet.

“It is observed that some hacker groups are launching distributed denial of service (DDoS) attacks on websites of government and private organisations in India. The attacks may be targeted to different websites of reputed organisations,” CERT-In, the national nodal agency for responding to computer security incidents, said in an advisory on its website.

“These attacks are being launched through popular DDoS tools and can consume bandwidth requiring appropriate proactive actions in coordination with service providers,” it said.

The agency has asked users to deploy adequate security systems to deal with DDoS attacks.

As a countermeasure, it has also suggested that users review their traffic patterns and report any rise to the agency.

In a recent written reply in the Lok Sabha, Minister of State for Communications and IT Sachin Pilot said 112 government websites, including that of Bharat Sanchar Nigam Ltd (BSNL), were hacked in just three months – Dec 2011 to Feb 2012.

These hacked websites belonged to agencies of the state governments of Andhra Pradesh, Madhya Pradesh, Rajasthan, Tamil Nadu, Maharashtra, Gujarat, Kerala, Orissa, Uttar Pradesh, Sikkim and Manipur.

Source: http://timesofindia.indiatimes.com/tech/enterprise-it/security/Hackers-using-DDoS-tools-to-attach-websites-CERT-In/articleshow/13592771.cms

10 Strategies To Fight Anonymous DDoS Attacks

Preventing distributed denial of service attacks may be impossible. But with advance planning, they can be mitigated and stopped. Learn where to begin.

By Mathew J. Schwartz |  InformationWeek

Consider 2011 to be the year that distributed denial-of-service (DDoS) attacks went mainstream.

Who’s responsible? Blame Anonymous, according to a new report released Monday by security vendor Radware.

“Their major campaign, Operation Payback, during the WikiLeaks saga in December 2010–against those supporting the U.S. government–was the turning point that shaped the security scene in 2011,” according to the report. In short, by distributing easy-to-use DDoS tools, such as the Low Orbit Ion Cannon, Anonymous popularized DDoS attacks.

But are DDoS attacks something that businesses and government agencies must simply endure, or, can they be more actively resisted? In fact, organizations can take a number of steps to at least mitigate the effect that DDoS attacks have on their websites, servers, databases, and other essential infrastructure.

1. Know you’re vulnerable.
One lesson from the use of DDoS by Anonymous–as well as its sister hacktivist group LulzSec–is that any site is at risk. That’s not meant to sound alarmist, but rather simply to acknowledge that the hacktivist agenda can seem random, at best. Indeed, after Anonymous came along, “the financial sector, which had not really considered itself as a prime target, was hit and urgently forced to confront threatening situations,” according to the Radware report. “Government sites had been targeted before, but 2011 saw a dramatic increase in frequency, and neutral governments that felt themselves exempt, like New Zealand, were attacked.”

2. DDoS attacks are cheap to launch, tough to stop.
As the recent Anonymous retaliation for the Megaupload takedown shows, hacktivists can quickly crowdsource “5,600 DDoS zealots blasting at once,” as Anonymous boasted on Twitter, to take down the websites of everyone from the FBI and the Justice Department to the Motion Picture Association of America and Recording Industry Association of America. “DDoS is to the Internet what the billy club is to gang warfare: simple, cheap, unsophisticated, and effective,” said Rob Rachwald, director of security strategy of Imperva, via email.

3. Plan ahead.
Stopping DDoS attacks requires preparation. If attacked, “folks that don’t take active measures to ensure the resilience of their networks are going to get knocked over,” said Roland Dobbins, Asia-Pacific solutions architect for Arbor Networks, via phone. “They need to do everything they can to increase resiliency and availability.” Accordingly, he recommends implementing “all of the industry best and current practices for their network infrastructure, as well as applications, critical supporting services, including DNS.”

4. Secure potential bottlenecks.
Which parts of the corporate network can become a bottleneck or weak link in a DDoS attack? A survey by Radware of 135 people with information security expertise–including IT managers as well as CIOs and CISOs–found that the bottlenecks they’d experienced included the server under attack (for 30%), their Internet pipe (27%), a firewall (24%), an intrusion prevention or detection system (8%), a SQL server (5%), or a load balancer (4%). For example, Sergey Shekyan, a Web application vulnerability scanner developer at Qualys, reported that he was able to DDoS a Squid proxy server using the free slowhttptest tool with slow read DDoS attack support. That’s because while the server was theoretically able to handle 60,000 concurrent connections per minute, it had been misconfigured to only allow 1,024 open file descriptors at a time.
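
The Squid misconfiguration above is a capacity mismatch that can be checked before an attack rather than discovered during one. The following check is an added example, not code from the article or from Squid: it reads a process's open-file limit and current descriptor usage from Linux /proc and compares the limit with the connection count the service is meant to sustain. The per-connection descriptor cost and reserve are assumptions to tune per service.

```ruby
# Added example: does a service's open-file limit actually back the concurrency
# it is sized for? Assumes Linux: limits come from /proc/<pid>/limits and the
# descriptors currently open are listed under /proc/<pid>/fd.

# Parse the soft and hard "Max open files" values out of /proc/<pid>/limits text.
# Returns [soft, hard] as integers (Float::INFINITY for "unlimited"), or nil if absent.
def open_files_limits(limits_text)
  line = limits_text.lines.find { |l| l.start_with?("Max open files") }
  return nil unless line
  soft, hard = line.strip.split(/\s{2,}/)[1, 2]   # columns are separated by runs of spaces
  [soft, hard].map { |v| v == "unlimited" ? Float::INFINITY : v.to_i }
end

# A proxy needs roughly two descriptors per client connection (client side plus
# upstream side) and a reserve for logs, listening sockets and cache files.
# Both figures are assumptions; tune them for the service being checked.
# Returns [:ok, headroom] or [:undersized, shortfall].
def descriptor_check(soft_limit, target_connections, fds_per_connection: 2, reserve: 64)
  needed = target_connections * fds_per_connection + reserve
  soft_limit >= needed ? [:ok, soft_limit - needed] : [:undersized, needed - soft_limit]
end

# Live reading for a running process: parsed limits (0, 0 if the line is
# missing) plus the number of descriptors it currently has open.
def live_usage(pid)
  limits = open_files_limits(File.read("/proc/#{pid}/limits")) || [0, 0]
  in_use = Dir.children("/proc/#{pid}/fd").size
  [limits, in_use]
end

if __FILE__ == $0
  pid = (ARGV[0] || Process.pid).to_i
  if File.directory?("/proc/#{pid}")
    (soft, hard), in_use = live_usage(pid)
    # 60_000 is the connection figure from the Squid anecdote above.
    status, delta = descriptor_check(soft, 60_000)
    puts "pid #{pid}: soft=#{soft} hard=#{hard} open=#{in_use} -> #{status} (#{delta})"
  else
    puts "no /proc entry for pid #{pid}; the live check needs Linux"
  end
end
```

Run it as `ruby check.rb <pid>` against the proxy's process id; a 1,024 soft limit against a 60,000-connection target reports `undersized` by more than 100,000 descriptors.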

5. Watch what’s happening on the network.
If prevention–including securing infrastructure and making sure it can reasonably scale to handle sharp increases in packet traffic–is the first step, the second is actively monitoring the network. “If the enterprise doesn’t have visibility into their network traffic so they can exert control over the traffic, then they have a problem,” said Dobbins.

6. Look beyond large attacks.
Historically, the most popular type of DDoS attack–and the one most used by Anonymous–has been a packet flood. The concept is simple: direct so many packets at a website that its servers buckle under the pressure. But not all effective DDoS attacks unload untold numbers of packets. Notably, a study by Radware of 40 DDoS attacks from 2011 found that only 9% involved more than 10 Gbps of bandwidth, while 76% involved less than 1 Gbps.

7. Beware application-layer attacks.
Attacks that eschew packet quantity for taking out a switch or application can unfortunately be quite difficult to detect. According to Radware’s report, “it is much easier to detect and block a network flood attack–which is about sending a large volume of irrelevant traffic such as UDP floods, SYN floods, and TCP floods, typically spoofed–rather than an application flood attack where the attackers are using real IP addresses from real machines and running complete application transactions.”

8. Watch for blended attacks.
Detection can get even trickier when attackers start targeting more than one application at a time, perhaps together with a packet flood. “Attackers are often likely to combine both packet flooding attacks with application-layer DDoS, to increase their odds of success,” according to the Radware report. “The majority of organizations, which are targeted by sub-1-Gbps attacks, are targeted with a mix of network and application flood attacks.”

9. Make upstream friends.
Large attacks can overwhelm even the largest enterprise network. “Work very closely with [your] Internet service provider–or for multinationals, providers–to successfully deal with these attacks,” said Arbor’s Dobbins. Build relationships and lines of communication in advance. “At 4 a.m., if there is a DDoS attack, it’s not the time you want to be scrambling around trying to reconfigure your infrastructure, and finding who to call at your ISP,” he said.

10. Consider countermeasures.
While the legality of certain types of attack countermeasures is an open question, Radware said that network gear may be able to automatically mitigate suspected DDoS attacks. For example, it can silently drop questionable packets, or send a TCP reply to the attacker that advertises “window size equals 0,” which says that for the time being, no new data can be received. “Legitimate clients generally respect this and will suspend their communication for the time being,” according to Radware’s report. “It seems that some attackers also honor this message and suspend the attack until a new, larger window size is advertised, which of course the site being attacked has no intention of doing.”

Source: http://www.informationweek.com/news/security/vulnerabilities/232600411?pgno=2

Winning the DDoS Arms Race

By Miguel Ramos

In the two previous weeks, we’ve taken a look at what hacktivists are targeting with DDoS attacks and what companies can do to protect their online presence against these attacks.

Today I’ll address the fact that even after erecting “barricades” to help stem the tide of a DDoS attack, it remains far cheaper to generate bogus traffic than to identify which traffic is legitimate. In other words, with most infrastructural fixes, the sheer volume of incoming requests from a DDoS attack will rapidly exceed in-house capacity.

That’s why, even when you establish an in-house policy to address the problem, it’s important to consider the third-party options on the market — and why they should be part of every organization’s defense strategy.

Every organization’s Internet service provider should be considered a resource. But relying on your ISP is a quick fix, and not always the best one.

The problem with most ISPs is that their core business competency is focused on providing backup services and getting data packets from one location to another. Even if they offer DDoS mitigation services, you should double-check their claims and ask: can they conduct deep-packet inspection? Do they have specialized DDoS mitigation tools available? Can they mitigate 100-plus gigabit-per-second attacks?

The reason I ask that you double-check this is that ISPs understandably have a duty to serve their entire customer base, not just any one customer. If an ISP believes — and there are times when this will be the case — that the attack traffic coming through you affects the stability of the services it provides to its other customers, its only option is to shut you down. This is the “greater good” argument that every ISP will ask of itself, and it’s often valid.

Then there’s the content delivery network, or CDN, option. This is the strategy of having server farms deployed offsite, and it’s particularly popular with content-heavy companies, such as those in media and e-commerce. CDN providers cache static content on their own servers, so that visitors get content from them instead of you. However, just because they offer savings while enhancing core performance, it doesn’t mean they’re the best defense against DDoS attacks.

The problem with the CDN option is that many such attacks are dynamic in nature — they’re designed to identify and target weak points. More specifically, they’re crafted to isolate dynamic content sources, such as login pages and search boxes, which are squarely placed in the origin servers. This bypasses the strength of the CDN option and goes to the heart of the problem.

Finally, there’s the cloud-based DDoS mitigation provider. In a business environment, it offers the best defense against most DDoS attacks.

A dedicated, third-party DDoS mitigation service by nature comes with significant bandwidth capability — not infinite, perhaps, but certainly more than most other options. It should have the right staff, with experience and expertise in this evolving field. It should have sophisticated and diverse DDoS mitigation equipment, since no one piece of hardware can be deployed to handle all attacks. In fact, a good team will use a strategic approach when the attack comes, and deploy the solution that best fits the attack vector. Of course, it must also have deep-packet inspection capabilities.

Going one level deeper, the provider needs to have diversity in its bandwidth sources — that’s the only way to handle attacks that feature hundreds of gigabits of data. It needs to have connectivity from many providers in order to ensure resiliency. (This is why cloud computing is so invaluable in this regard.) And it needs to be fully aware of new attack modes, along with new technologies to deal with them.

That’s why I think the best way to look at DDoS attacks is to see them as a kind of arms race — the best resource is one that’s specifically dedicated to stockpiling weapons, and knowing how to use them judiciously. And in today’s threat environment, that’s vital.

Source: http://www.thetechherald.com/articles/DDoS-Attacks-%28Part-III%29-Winning-the-DDoS-Arms-Race/16479/

Wikileaks has been under DDoS attack for the last three days

By Emil Protalinski | May 16, 2012, 5:27pm PDT

Summary: The Pirate Bay is down. Wikileaks is down. Visa was down. Are all these Distributed Denial of Service (DDoS) attacks a coincidence? Right now it’s not clear, but something is definitely happening.

After covering The Pirate Bay Distributed Denial of Service (DDoS) attack and Anonymous’ denial of responsibility for it, I’ve been checking the torrent site’s Facebook Page every so often. The Pirate Bay said it thought it might know who was behind the attack, so I was curious if they would post it today. They haven’t yet, but they did just post this:

Wikileaks.org is also under attack.
This sure is the year of the storm…
As predicted here: https://thepiratebay.se/blog/204

I checked, and indeed Wikileaks is down for me. The site’s Twitter account sent this message out five hours ago: “WikiLeaks has been under sustained DDOS attacks over the last 72 hours. http://www.wikileaks.org is good, http://wikileaks.org is flooded.”

At the time of writing, Down for everyone or just me confirms it: “It’s not just you! http://wikileaks.org looks down from here.” As you can see in the screenshot above, Is it down right now agrees as well: “Wikileaks.org is DOWN for everyone. It is not just you. The server is not responding…”

While looking around for more information about the Wikileaks attack, I happened to stumble on this message from LulzPirate, which has 32,900 followers: “TANGO DOWN: http://Visa.com – Enjoy! #UG #WikiLeaks.” I saw it just a few minutes after it was posted.

I tried going to visa.com and indeed it failed. I couldn’t believe my eyes as I read the “Service Unavailable” message.

I checked Down for everyone or just me and was given this message: “It’s not just you! http://visa.com looks down from here.” A few refreshes later, I got: “It’s just you. http://visa.com is up.”

Phew, okay, so two out of three. The Visa attack was clearly just a temporary blip, and not another massive DDoS attack like the ones Wikileaks and The Pirate Bay seem to be experiencing. What a day.

It seems to me that the fact both The Pirate Bay and Wikileaks are down due to a DDoS attack is no coincidence. We’re not talking about a few minutes here or even a few hours, we’re talking about days of outage.

It takes a considerable number of computers and connections, not to mention effort and skill, to conduct one such attack, let alone two. The two could be unrelated, but right now I’m finding that very hard to believe. Either way, the question remains: who could be behind these attacks?

Source: http://www.zdnet.com/blog/security/wikileaks-has-been-under-ddos-attack-for-the-last-three-days/12219

Denial of Service Vulnerability Found in Ruby

The flaw was discovered by security researchers Alexander Klink and Julian Waelde.

Security researchers Alexander Klink and Julian Waelde have uncovered a vulnerability in Ruby that could enable a hacker to launch a denial of service attack.

“The deterministic hash function used to hash a string in the 1.8 series of Ruby, which makes sure that no other bits of information than the input string itself is involved in generating the hash value, allows for the string’s hash value to be pre-calculated beforehand,” writes Softpedia’s Eduard Kovacs.

“‘By collecting a series of strings that have the identical hash value, an attacker can let Ruby process collide bins of hash tables (including Hash class instances),’ reads the issue’s description,” Kovacs writes.

Go to “Ruby Flaw Allows Hackers to Launch DoS Attacks” to read the details.
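
The mechanism behind the flaw, as an added illustration that is not Ruby’s own code or the researchers’ work: a toy chained hash table over a deliberately small, deterministic string hash. The hash function, the table, the key set and the seed parameter are all constructed here; the seed models the per-process random hash key that Ruby adopted as its fix, which makes a collision set precomputed against the unseeded function scatter across buckets again.

```ruby
# Added example (toy code, not Ruby's real String#hash): why a deterministic
# string hash lets colliding keys be precomputed offline, what that costs a
# hash table, and why a per-process random seed defeats the precomputation.

BUCKETS = 64

# Toy 32-bit string hash in the FNV-1a style, with a fold step so every bit of
# the seed influences the bucket index. Seed 0 models the deterministic
# behaviour of Ruby 1.8; a random seed models the later fix.
def toy_hash(str, seed = 0)
  h = 0x811C9DC5 ^ seed
  str.each_byte do |b|
    h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    h ^= h >> 13
  end
  h
end

# Minimal chained hash table that counts key comparisons, the work a flood of
# colliding keys turns from constant into linear per insert.
class ToyTable
  attr_reader :comparisons

  def initialize(seed = 0)
    @seed = seed
    @buckets = Array.new(BUCKETS) { [] }
    @comparisons = 0
  end

  def insert(key)
    chain = @buckets[toy_hash(key, @seed) % BUCKETS]
    chain.each { |k| @comparisons += 1; return if k == key }
    chain << key
  end
end

# With a deterministic hash, keys that share a bucket can be found once, ahead
# of time, and reused against every process. Constructed here by brute force
# over short strings; nothing about it depends on the victim process.
def colliding_keys(count, target_bucket = 0)
  keys = []
  i = 0
  while keys.size < count
    s = "k#{i}"
    keys << s if toy_hash(s) % BUCKETS == target_bucket
    i += 1
  end
  keys
end

# Comparisons needed to insert the precomputed keys into a table using `seed`.
def insert_cost(keys, seed)
  table = ToyTable.new(seed)
  keys.each { |k| table.insert(k) }
  table.comparisons
end

if __FILE__ == $0
  keys = colliding_keys(200)
  puts "deterministic hash (seed 0): #{insert_cost(keys, 0)} comparisons"   # 0+1+...+199 = 19900
  puts "random per-process seed:     #{insert_cost(keys, rand(1..0xFFFFFFFF))} comparisons"
end
```

With the deterministic hash every insert walks the whole chain, so 200 keys cost 19,900 comparisons and the work grows quadratically; under a random seed the same keys spread over the 64 buckets and the cost collapses to a few hundred.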

Fortinet’s Top 8 Security Predictions for 2012

Looking back on 2011, FortiGuard Labs, the research arm of Fortinet, saw a number of landmark developments in the world of network security. Huge botnets such as DNS Changer and Coreflood were permanently taken offline, 64-bit rootkits advanced (TDSS), source code was leaked for the Zeus and SpyEye botnets, and Anonymous hacktivists raised their profile by taking major banks offline and threatening to go after critical infrastructure and even drug cartels in Mexico.

Our team predicted many of these events in its “Top 5 Security Predictions for 2011,” while others, such as legislation to potentially jail and fine individuals who had malicious code stored on computer systems, were more surprising.

2012 promises to be even more worrisome. After gazing into the FortiCrystalball this month, FortiGuard Labs saw eight network security trends that could happen in the coming year. In short, the Labs are predicting a rise in mobile malware (with new worms and polymorphism), increased crackdowns on network-run money laundering operations, renewed and successful collaboration between government and the private sector, discoveries of exploitable SCADA vulnerabilities, an increase in sponsored attacks, and Anonymous hacktivists using their powers for good over evil. The full report is outlined below:

Prediction No. 1: Ransomware will take mobile devices hostage – Over the past few years, FortiGuard Labs has witnessed the evolution and success of “ransomware” (an infection that holds a device “hostage” until a “ransom” payment is delivered) on the PC. Mobile malware that uses exploits has also been observed, along with social engineering tricks that lead to root access on the infected device. With root access comes more control and elevated privileges, suitable for the likes of ransomware. FortiGuard predicts the team will see the first instances of ransomware on a mobile device in the coming year.

Prediction No. 2: Worming into Android – Worms, i.e., malware that is able to quickly propagate from one device to another, have, by and large, remained absent from the Android operating system, but FortiGuard Labs believes that will change in 2012. Unlike Cabir, the first Symbian worm discovered in 2004, Android malware developers most likely won’t be using Bluetooth or computer sync to spread because of their limited ranges. Instead, the team believes the threat will come from either poisoned SMS messages that include a link that contains the worm or through infected links on social networks, such as Facebook and Twitter.

Prediction No. 3: Polymorphism want a cracker? – While there isn’t much of it as we’ve just said, there’s no denying that Android-based malware has gotten more diverse and complex. In the last year: FortiGuard Labs has seen Android malware use encryption, embed exploits, detect emulators and implement botnets. But what they haven’t seen yet is an example of polymorphism in action.

Polymorphism is malware that is capable of automatically mutating, making it extremely difficult to identify and thus destroy. The team has previously encountered polymorphism on Windows Mobile phones and believes it’s only a matter of time before the malware appears on Android devices.

Prediction No. 4: Clampdown on network-based money laundering – Money mules, which typically consist of third-party individuals electronically transferring money from one person or service to another and illegitimate payment processors, are critical components to a successful money laundering

Using anonymous fund-transferring services, human networks and payment processor safe havens, cybercriminal syndicates have pretty much operated with impunity for years. How do you catch someone when you don’t even know where they’re located? FortiGuard believes that will change in 2012. The recent arrest of ChronoPay CEO Pavel Vrublevsky on the grounds of hacking Aeroflot’s website and preventing visitors from buying tickets is a good example of the type of takedowns the team expects to see in the coming year.

Prediction No. 5: Public-Private Relationships in security – Last year FortiGuard Labs predicted they’d see an increase in global collaborative botnet takedowns. And they were right not only with botnet takedowns, but global collaboration. Among globally-supported botnet takedowns were Rustock and DNS Changer while other international efforts helped take a massive scareware operation offline that siphoned $72 million in bank funds.

Meanwhile, arrests were made against international members of the Anonymous and LulzSec hacktivist groups. This crackdown will continue in 2012, and the team believes that much of it will be aided by the Defense Advanced Research Projects Agency’s (DARPA) public defense initiative. DARPA was recently granted a $188 million budget and plans to use part of the money on initiatives to build a cyber defense team in the private sector. With this recent movement, it seems likely that in 2012 we will start to see similar relationships formed worldwide.

Prediction No. 6: SCADA under the microscope – For over a decade, supervisory control and data acquisition (SCADA) system-based threats have been a concern, because they are often connected to critical infrastructure such as power and water grids that would have serious consequences if they were ever breached. In 2011, FortiGuard saw two examples of this in the form of Stuxnet, which compromised Iran’s nuclear program and Duqu, a Stuxnet-like virus that used similar attack methods and stolen certificates.

While Iranian officials confirmed the latter had infected systems in the region, no hostile industrial code has been found to date. However, it’s clear the building blocks are now in place. The reality is that critical infrastructure systems are not always operating on a closed circuit. New human machine interface (HMI) devices that interact with these systems are being developed by a number of different software and hardware manufacturers, and many have Web interfaces for logging in. Historically, Web-based interfaces that interact with back end systems can many times be circumvented.

Even more concerning is the migration to cloud-based SCADA services. This allows data storage and potential control of critical systems on a public cloud server, hence the security concern. Groups like Anonymous have already found an assortment of Web-based vulnerabilities simply by picking targets and scouring code. In 2012, FortiGuard predicts a number of SCADA vulnerabilities will be discovered and exploited with potentially devastating consequences.

Prediction No. 7: Sponsored attacks – The FortiGuard team often talks about crime-as-a-service (CaaS), which is just like software-as-a-service (SaaS), but instead of offering legal and helpful services through the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching distributed denial of service (DDoS) attacks.

If you’ve got the money, there’s a good chance you can find a CaaS provider to help you out. What FortiGuard sees evolving in 2012 is that instead of CaaS outfits being hired for blanket attacks, the team expects to see more strategic and targeted attacks on companies and individuals. This scope would include state or corporate sponsorship. Admittedly, this prediction will be tough to monitor, because without “freedom of information” legislation in place, many of the discovered cases will be settled out of court with verdicts not being released publicly. For example, Russian payment processor ChronoPay allegedly hired a hacker to attack its direct competitor Assist in 2011.

Prediction No. 8: Hacking for a cause – While Anonymous has been alive and kicking in one capacity or another since its formation on 4Chan.org in 2003, only in the last year have the loosely organized anarchists started using their power to attack large, high-profile targets such as Sony. More hacktivist groups were formed in 2011 (most notably LulzSec), and more will likely rise in 2012.

What FortiGuard found interesting about Anonymous towards the end of the year, was how the group started to use their power for “good.” Case in point, they’ve recently threatened to unmask Mexican drug cartel members and they recently helped authorities break up a child porn ring. FortiGuard expects to see more examples of “hacktivist” justice meted out throughout 2012 along with a mix of attacks that border or cross the line of justice.

E-Commerce, Retail Websites Alert for DDoS Attacks this Holiday Season

Online shoppers aren’t the only ones that may overwhelm e-commerce Websites and crash them this holiday season. Cyber-attackers may be waiting in the wings with a DDoS attack.

With the holiday season ramping up, it’s not just online shoppers that have to be vigilant for cyber-threats. Enterprises and retailers have to be alert for scammers, cyber-criminals and hackers.

High-profile distributed-denial-of-service attacks made headlines in 2011, and security vendors warned retailers could face similar attacks during the holiday shopping season. Online sales last year exceeded $36 billion during the holiday shopping season, according to numbers released by MasterCard. Retailers anticipate this year’s online sales to exceed last year’s figures, with industry estimates of $1.2 billion in sales on Cyber Monday alone.

Worries about “denial-of-service outages are the name of the game for online retail organizations during the heavy holiday shopping season,” Adam Powers, CTO of Lancope, told eWEEK.

Some can be inadvertent, driven by high demand from shoppers. Powers described Target’s launch of the Missoni clothing line earlier this year as a “poster child for a legitimate oversubscription DoS,” noting that high demand for Missoni merchandise “brought” Target “to its knees.”

Organizations should check their infrastructure to make sure they can handle increased network traffic and capacity, according to Check Point Software Technologies. They can implement flexible hosting sites or cloud sites to add capacity and prevent the site from crashing. The existing security gateway will also need to be able to handle the increased traffic volume and keep scanning and protecting the network, Check Point said.

Others can be malicious, especially to an online retailer with a strong brand, according to Powers. Cyber-criminals can take advantage of events such as Black Friday to launch an attack, and hacktivists may also take advantage of intense media attention to make a point, he said.

E-commerce is exceptionally vulnerable to distributed-denial-of-service attacks, as unscrupulous players could also decide to sabotage competitor Websites to steal customers, according to Corero Network Security. If the site is not available, frustrated customers are more likely to just move to a competitor’s site.

“The bottom line is that retailers and other blue-chip corporations need to improve their defensive posture against DDoS attacks, as criminals and hacktivists have significantly increased the frequency and sophistication of DDoS attacks they employ,” said Mike Paquette, chief strategy officer of Corero Network Security.

Cyber-attackers use network flooding techniques and application-layer attacks such as ApacheKiller to bring targeted Websites to a crawl or crash, rendering them inaccessible to customers.

DDoS attacks increased by 30 percent in 2010, and the number is expected to be higher in 2011, according to Gartner estimates. The attacks have also been escalating in size and complexity in 2011, according to Paul Sop, chief technology officer at Prolexic. Attackers generally are throwing more packets, using more bandwidth and targeting the application layer, Sop said.

E-commerce businesses aren’t the only ones that have to worry about DDoS attacks during this holiday season, as hospitality, gaming and shipping services should also be on high alert for DDoS attacks, Sop said. A significant percentage of yearly revenues are made in the fourth quarter from holiday shoppers and a serious DDoS attack can be financially devastating, according to Prolexic.

Retailers don’t have to just worry about making sure their sites are up and capable of handling the “influx of shoppers,” but also that the payment data being collected remains secure, Mandeep Khera, CMO of LogLogic, told eWEEK. Merchants who collect credit card information have to ensure that their databases are secure so that attackers who try to break in don’t waltz off with payment information. Ensuring they are following all 12 PCI requirements would help retailers protect customer credit card data, according to Khera.

White hats bust history’s biggest botnet

Security white hats have coordinated with law enforcement in a five-year effort to torpedo a criminal botnet that enslaved some 4 million computers.

Researchers including hostexploit.com’s Jart Armin and others from Team Cymru, Spamhaus, Symantec and Trend Micro joined the FBI, NASA’s Office of Inspector General, the Estonian police and the Dutch National Police Agency in gathering intelligence on the monster DNS Changer botnet.

The researchers, working as the DNS Changer Working Group, brought about the destruction of a sophisticated money-making Estonian business behind the botnet.

Their intelligence gathering predated 2005 and crossed dozens of countries, leading to the arrest of several Estonian business people and the disconnection of more than 100 command and control servers from US data centres.

The botnet consisted of infected machines whose browser Domain Name System (DNS) settings had been changed to point to US-based command and control servers operated by a criminal business.

It generated cash by switching web advertisements on victim browsers, hijacking search results and installing malware. The ad revenue alone generated some $14 million in illicit fees.

An anonymous FBI agent described the botnet and the business behind it as having “a level of complexity that we haven’t seen before”.

On November 8, the FBI and Estonian police took down the botnet using evidence supplied by private industry.

Two data centres were raided in New York and Chicago. An Internet Systems Consortium support officer for BIND was on hand to hot-swap the botnet servers on which the 4 million victim machines relied.

“He got on a plane upstate and replaced them with legitimate DNS,” said Paul Ferguson of Trend Micro, a key coordinator of the effort. This move was required because infected computers that pointed to the DNS servers could otherwise have lost internet connectivity.

“[The new servers] began recording IP addresses of infected machines contacting them.”

Those logs provided a hit list of DNS Changer victims, which will be supplied to local telcos who will contact each infected subscriber to help them reconfigure DNS settings and remove malware. The data will be compiled until mid next year under a court-appointed custodial role given to the ISC.

“Fixing DNS settings could be tricky. You can’t just make an application tool for everyone,” Ferguson said.

A common danger unites even the bitterest enemies

Online criminals can expect to face a stronger alliance of white hats and law enforcement.

Companies say the crime-fighting effort is unhindered by rivalry. Top researchers at Symantec and Trend Micro – rival companies that fight in an already saturated anti-virus market – say they ignore “marketing stuff” and work together to take down criminals.

Ferguson says they hold regular conference calls and share intelligence over closed community mailing lists.

“There are members of academia, ISPs, law enforcement working on these operations,” he said. “The mailing lists operate 24/7 … I work daily with researchers at Symantec – we leave the marketing out of it and work together because the bad guys do”.

In the lead-up to the takedown of the DNSChanger botnet, participating white hats held conference calls up to twice a week to ensure that the four million victims of the botnet would not lose internet connectivity when the DNS servers were pulled.

Ferguson said he aims to meet each of the white hats in person before working on a case: “I like to meet them in person over a beer at a conference … nothing substitutes.”

Symantec’s managing director Craig Scroggie said the industry relied on such cooperation to help protect users who, after all, were their customers.

“It is an established practice,” Scroggie said. “If someone finds malware that another has not seen, they share it.”

He said the agreements were a formal process, adding that the security community has a common interest in combating and sharing information about online crime.

New Trojan Epidemic Hits Mac Users

Mac OS X users have been targeted by a new Trojan horse designed to enlist infected systems in distributed denial-of-service (DDoS) attacks, security firm Sophos reported via msnbc.msn on October 26, 2011.

According to Sophos, the malware, dubbed OSX/Tsunami-A, embeds itself in the host system and then waits for instructions from a remote Internet Relay Chat (IRC) channel. The Tsunami name reflects its purpose: to force infected computers into a botnet that launches DDoS attacks, flooding websites with so much traffic that they are unable to function.

Graham Cluley, senior technology consultant at Sophos, noted that the Trojan is not just a DDoS tool: the portion of OSX/Tsunami’s source code examined shows that a wide range of commands can be issued to it over IRC, and it can also be used to gain access to an infected computer, tgdaily reported on October 26, 2011.

How the code ends up on a Mac is less clear. A criminal may plant it on the system to gain remote access and launch DDoS attacks, but it is also possible that the victim installs it deliberately in order to take part in an organised attack on a website.

According to Robert Lipovsky, a malware researcher at ESET, Tsunami appears to be derived from an old backdoor Trojan dating back to 2002 that was designed to infect Linux systems, eweek reported on October 27, 2011.

ESET also noted that the Trojan appears to be changing quickly, with a new variant already discovered on October 27, 2011.

Security experts expect cybercriminals to keep targeting poorly protected Mac computers in the future.

2011 has been a milestone year for Mac malware: a large-scale Mac malware outbreak came to the fore in May 2011, and security researchers have since noted a sharp increase in the spread of Mac malware.

World’s Most Sophisticated Rootkit Is Being Overhauled

Experts from security vendor ESET warn that TDL4, one of the most sophisticated pieces of malware in the world, is being rewritten and improved for increased resilience to antivirus detection.

“ESET researchers have been tracking the TDL4 botnet for a long time, and now we have noticed a new phase in its evolution,” announced David Harley, the company’s director of malware intelligence.

“Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions,” he noted.

Harley and his colleagues believe this suggests a major change within the TDL development team or the transition of its business model toward a crimeware toolkit that can be licensed to other cybercriminals.

TDL, also known as TDSS, is a family of rootkits characterized by complex and innovative detection evasion techniques. Back in July, malware analysts from Kaspersky Lab called TDL version 4 the most sophisticated threat in the world and estimated that the number of computers infected with it exceeds 4.5 million.

There are many things that make TDL4 stand out from the crowd of rootkits currently plaguing the Internet. Its ability to infect 64-bit Windows systems, its use of the public Kad peer-to-peer network for command purposes and its Master Boot Record (MBR) safeguard component are just some of them.

However, according to ESET’s researchers, changes are now being made to the way TDL4 infects systems and ensures its hold on them. Instead of storing components within the MBR, the new variants create a hidden partition at the end of the hard disk and set it as active.

This ensures that malicious code stored on it, including a special boot loader, gets executed before the actual operating system, while the MBR boot code that antivirus programs check for unauthorized modifications remains untouched. Only the partition table at the end of the MBR changes (a new entry with the active flag set), which an MBR-code-only integrity check does not cover.

The TDL4 authors have also developed an advanced file system for the rogue partition, which allows the rootkit to check the integrity of components stored within.

“The malware is able to detect corruption of the files stored in the hidden file system by calculating its CRC32 checksum and comparing it with the value stored in the file header. In the event that a file is corrupted it is removed from the file system,” the ESET researchers explain.
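The change of hiding place described above is easy to miss if a tool only compares the 446 bytes of MBR boot code against a known-good copy, because the partition table that follows it is what the new variants alter. The script below is an added example written for this page (not ESET's code and not the rootkit's own). It parses a classic 512-byte MBR, lists the partition entries, and flags the layout the article describes: a small extra partition appended at the end of the disk and marked active, with the boot code left intact. It also includes the writer and checker for the CRC32-in-header integrity scheme the article attributes to the hidden file system. The sample MBRs are constructed in code; partition type 0x07 for the rogue partition, the "small" threshold, the end-of-disk slack and the CRC32 header layout are assumptions, not values from the page.

```python
"""Partition-table inspection for a TDL4-style hidden active partition.

Added example for this page; not ESET's analysis tooling and not TDL4 code.
Thresholds, partition type and the CRC32 header layout are assumptions.
"""
import struct
import zlib

MBR_SIZE = 512
ENTRY_OFFSET = 0x1BE
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE = 0x80
SMALL_SECTORS = 64 * 1024 * 1024 // 512   # assumed: <= 64 MiB looks like a loader stash
END_SLACK = 2048                          # assumed: within 1 MiB of the disk end


def parse_mbr(mbr: bytes):
    """Return the non-empty partition entries of a classic (non-GPT) MBR."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, ENTRY_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "active": status == ACTIVE,
                            "type": ptype, "lba": lba, "count": count})
    return entries


def suspicious_active_partition(entries, disk_sectors):
    """Findings for an active partition that is last on the disk and tiny.

    disk_sectors is the device's total sector count; on a live system take it
    from the OS (BLKGETSIZE64 on Linux, IOCTL_DISK_GET_LENGTH_INFO on Windows).
    """
    findings = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    if not entries:
        return findings
    last = max(entries, key=lambda e: e["lba"])
    for e in active:
        if e is not last or e["index"] == 0:
            continue                                  # ordinary layout: boot partition first
        at_disk_end = e["lba"] + e["count"] >= disk_sectors - END_SLACK
        if e["count"] <= SMALL_SECTORS and at_disk_end:
            findings.append(
                "active partition #%d is small (%d sectors) and appended at the end "
                "of the disk; MBR boot code is unchanged, so MBR-code-only checks "
                "will not notice it" % (e["index"], e["count"]))
    return findings


def wrap_with_crc32(body: bytes) -> bytes:
    """Assumed header layout: 4-byte little-endian CRC32 of the body, then the body."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body


def crc32_header_ok(blob: bytes) -> bool:
    """Recompute the body CRC32 and compare with the header value, as the
    article says the hidden file system does before trusting a component."""
    (stored,) = struct.unpack_from("<I", blob, 0)
    return zlib.crc32(blob[4:]) & 0xFFFFFFFF == stored


def build_mbr(parts):
    """Construct a sample MBR from (active, type, lba, count) tuples; boot code all zero."""
    mbr = bytearray(MBR_SIZE)
    for i, (active, ptype, lba, count) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, mbr, ENTRY_OFFSET + 16 * i,
                         ACTIVE if active else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed samples: a 20 GiB disk, once clean and once with a hidden active partition.
DISK_SECTORS = 41_943_040
CLEAN_MBR = build_mbr([(True, 0x07, 2048, DISK_SECTORS - 2048)])
HIDDEN_MBR = build_mbr([(False, 0x07, 2048, DISK_SECTORS - 2048 - 16384),
                        (True, 0x07, DISK_SECTORS - 16384, 16384)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("hidden", HIDDEN_MBR)):
        print(name, suspicious_active_partition(parse_mbr(mbr), DISK_SECTORS) or ["no finding"])
```

The heuristic is deliberately narrow (active, last on disk, small) so that a normal layout with the boot partition first is never flagged; a legitimate small active partition at the end of the disk would also trip it, so treat a finding as a lead to inspect the partition's boot sector rather than as proof of infection. The CRC32 check shows why the rootkit's own integrity scheme is not a security control: CRC32 detects corruption, not tampering, since anyone who can write the partition can also rewrite the header value.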

In April, Microsoft released a Windows update that modified systems to disrupt the TDL4 infection cycle. The rootkit’s authors responded half a month later with an update of their own that bypassed the patch.

This kind of determination to keep the malware going suggests that its return on investment is significant. The code quality and the sophisticated techniques are certainly indicative of professional software development.

Several antivirus vendors like Kaspersky, BitDefender or AVAST, offer free stand-alone tools that can remove TDSS and similar rootkits. However, in order to avoid getting infected in the first place users should install an antivirus solution that provides advanced layers of protection, like those analyzing software behavior.