Get Smart about Business Spending
SAN FRANCISCO--Technology is not enough to help the security industry keep botnets from stealing peoples' money and committing denial-of-service attacks, a top botnet researcher said on Wednesday. His suggestion? Stop the flow of money to their coffers.
"We need to disrupt their business model and make it hard for them to carry out their attacks and make money," Joe Stewart, a security researcher at SecureWorks, said in an interview at the RSA 2009 security conference here.
"Right now, it's risky to surf the Internet with a PC," he said. "I would like to see us return to a time when you could surf the Internet and trust that your computer wasn't going to get infected."
Computers can be infected in any number of ways, but typically they get a Trojan or other malicious program downloaded onto them without the owner's knowledge, which happens either from visiting a Web site with malicious code on it or opening malicious attachments in e-mail.
Once infected, depending on the attack, a computer can be controlled by remote attackers who are able to steal data or instruct the computer and other so-called zombies into sending spam or launching distributed denial-of-service attacks to shut down Web sites.
Researchers have focused on trying to stop attacks, but once they get a botnet operator kicked offline by shutting down its hosting provider it's usually not long before the botnet cranks back up with its command-and-control server at a different location, he said. For example, four months after a major botnet hoster, McColo, was shut down in November, the spam volumes were back up to normal levels.
Specifically, victims should be encouraged to seek reimbursement when they are charged for things like purchasing software that masquerades as a legitimate antivirus program, said Stewart, who created an ingenious eye-chart program that PC users can use to test whether their computers are infected with Conficker. The eye chart was needed because Conficker blocks access to security sites people would normally visit to check for infection.
The industry should also create teams of researchers that would focus on a single crime group or operation much like police stay on the trail of a particular real-world organized crime gang until everyone is arrested, Stewart said.
The organization would need funding, which could possibly come from the companies that seem to be impacted the most from cybercrime, like credit card processors, he said.
Law enforcement efforts are thwarted because officials in other countries where cybergangs are based often can't be convinced to cooperate, he said. Getting countries to sign a global anti-Internet abuse accord would be ideal, he said.
Meanwhile, national CERT (Computer Emergency Readiness Team) organizations should be given authority to fight botnets, by ordering Internet service providers to shut down hosting providers, Stewart said. In South Korea, for example, malicious Internet activity dropped drastically when the CERT three got teeth, he added.
Stewart is scheduled to give a presentation on his idea during a session Thursday at RSA and at an upcoming Interpol meeting.
In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.
Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.
Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.
"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.
In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.
"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know who's account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."
Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."
Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.
In this video, Stewart talks about what first drew him to study the Coreflood botnet.
When Stewart heard about Lopez, he renewed his research on the Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.
Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.
The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.
(Credit: SecureWorks)Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft.
"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the corporate network when that happens, the bot is then able to take advantage of that structure and is able to be a threat to everyone on that network.
"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."
Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner the Windows license. They ship that information back up to the botnet controller."
Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. It may sell those Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.
In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.
Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say, by a keylogging application. The Coreflood script will then capture the HTML data on the post-log-in page.
In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.
"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."
Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."
In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.
The problem is that Coreflood has been around since 2001.
"It's unique in that's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.
The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.
"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."
So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.
LAS VEGAS--On Wednesday, Joe Stewart, director of malware research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.
He said as far as botnets go, Storm is not particularly sophisticated, nor is it our No. 1 threat. Yet while other botnets come and go, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.
None of this surprising, it's just handled well.
In explaining Storm worm's resiliency compared to newer and sleeker botnets, Stewart looked at the encryption used within the commands sent from the command and control server. He said the compression or packing code changes so often in order to thwart antivirus signature files.
Storm uses P2P to communicate with its various nodes and supernodes throughout the Internet. He said because of that, it has to contend with bogus media files being sent via P2P and researchers such as himself attempting man-in-the-middle attacks to see what the commands might be. To handle that, Storm has started using 64-bit RSA encryption based, in part, on the date.
Joe Stewart talks about what botnet code is available and what can be found within it.
LAS VEGAS--Black Hat 2008 is bigger, and some might say better. Occupying most of the third and fourth floors of the convention hall at Caesars Palace, the conference started on Saturday with two- and four-day training sessions that continue through Tuesday.
The "public" part of Black Hat runs Wednesday and Thursday and features speakers in 15 separate tracks. One of the tracks will consist of Turbo talks of 20 minutes each. After those, there will an opportunity for the audience to talk with some of the speakers in a another room.
Wednesday starts with a bang with Billy Rios and Nitesh Dhanjani reprising their Black Hat DC talk "Bad Sushi." Then high expectations are running high as Dan Kaminsky reveals more about his DNS vulnerability. Petko Petkov will be talking on Client-side security and Joe Stewart talking on the protocols and encryption of the Storm worm. Brian Chess and Jacob West will host the second annual Iron Chef Black Hat. Tom Stracener and Robert Hansen will present on vulnerabilities with Google Gadgets and Bruce Potter will talk about malware detection using network flow analysis. Then Jim Christy returns with the annual Meet the Feds panel with Federal agents from various agencies.
Events continue into the evening with the annual Hacker Court, a mock trial on some topical issue. At the same time there will be a presentation on recommendations for the 44th Presidency around cybersecurity.
Thursday starts with Shawn Moyer and Nathan Hamiel presenting Satan is on my Friends List, a talk about social networking evil. Then Billy Hoffman on Circumventing Automated JavaScript Analysis Tools. Lukas Grunwald on Federal Trojans. Karsten Nohl on MiFare hacking. Jeremiah Grossman and Arian Evans on making money on the Web, the Black Hat way. And Rob Carter and others will talk on a hybrid file format that combines GIF images with Java Archive Sets. Calling these files GIFARs, the speakers say this intersection of Javascript with images could pose a difficult problem in the near future. Christopher Tarnovsky will talk on exploiting Secure Smartcards and Microcontrollers.
Preceding the talks on both Wednesday and Thursday will be a keynote. On Wednesday, Ian Angell, Professor of Information Systems, London School of Economics, will talk on "Complexity in Computer Security--a Risky Business". On Thursday, Rod Beckström, director of the National Cyber Security Center (NCSC) will talk on "Natural Security."
So far the only controversy concerns Apple. Last week one researcher announced he would not present his talk on the Apple FileVault, then it was announced that a second talk on security practices at Apple was also withdrawn by the panel moderator.
For the first time, Black Hat 2008 will borrow the "Wall of Sheep," a display of unprotected wireless networks sniffed at the conference, from it's sister conference, Defcon, which begins on Friday at the Riveria, just up the street.
- prev
- 1
- next
