Former National Security Agency (NSA) contractor Edward Snowden has disclosed startling news. According to Snowden, Australian intelligence made use of Indonesia's two largest mobile operators to facilitate eavesdropping carried out by Australia and the United States.
The man who has repeatedly leaked US intelligence secrets, as reported by The New York Times on Saturday (15 February 2014), explained that US intelligence agencies were also involved in the eavesdropping carried out by the Australian government. He also said that, in tapping communications in Indonesia, the Australian and US governments had involved the two largest mobile operators in the country, namely the operator whose corporate colour is red and the operator whose corporate colour is yellow.
The New York Times, as cited by the Sydney Morning Herald and the Guardian, explained that the latest Snowden material states that the two largest mobile operators in Indonesia were involved in collecting the data the agencies wanted. Australia's main targets in the eavesdropping were prominent Indonesian figures and frequently active terror suspects.
The prestigious US, Australian and British media outlets disclosed details of how the Australian Signals Directorate (ASD) offered what it collected to US surveillance and law-enforcement agencies in the eavesdropping scandal. The documents show the cooperation between the NSA and the ASD and reveal for the first time comprehensive access to Indonesia's national communications system.
According to a 2012 NSA document, the ASD had obtained access to call data from Indosat, a domestic satellite communications operator in Indonesia. The intercepted data included data on Indonesian officials in various government departments.
Going further, a document from 2013 states that the ASD had obtained almost 1.8 million master encryption keys used to protect confidential communications on the Telkomsel network, and had developed a way to decrypt them all.
According to the leak, Australian intelligence has been spying on Indonesia since the 2002 Bali bombing, which killed 202 people, including 88 Australians. Besides Indonesia, the eavesdropping also targeted several other Asian countries, including China.
[New York Times]
A recent report by the AV-Test Institute found that exploits in Adobe Reader, Adobe Flash, and Java account for 66 percent of Windows systems affected by malware.
In a 10-year-plus study, AV-Test uncovered that one exploit for Adobe Reader had nearly 37,000 recorded variants that exploited user machines with high levels of precision. Users with outdated software or versions known to be susceptible stood virtually no chance of avoiding malware damage without some form of protective software.
The biggest offender? Java, which drew a whopping 82,000 attacks spread across different versions, making it the most attractive target for exploitation.
The race to secure Java is ongoing. In the meantime, users can take better precautions to protect themselves from PDF exploits by using the following alternatives to Adobe Reader:
1. PDF-XChange Viewer
PDF-XChange Viewer is a free, lightweight app that lets you modify, annotate, and convert PDF files.
2. Sumatra PDF
Sumatra PDF is a free and bloat-free PDF reader, known for its minimalist take on viewing PDFs. Ease of use takes priority in this open-source viewer for Windows.
3. Firefox
Don’t want a separate viewing client? Firefox is not only a spectacular browser, but it also comes with native support for PDF files.
In a somewhat nefarious climb to the top, Indonesia overtook China to become the top source of Internet attacks.
Attack traffic from Indonesia nearly doubled in the second quarter of 2013, according to Akamai’s latest “The State of the Internet” report released Wednesday. This spike in April to June pushed China, where 33 percent of attack traffic for the second quarter originated, out of the top spot. According to Akamai, one of the world’s largest globally distributed networks, 38 percent of observed attack traffic in the second quarter came out of Indonesia, up 17 percentage points from the previous quarter.
Rounding out the top 10 on Akamai’s list of attack traffic by country: the United States, Taiwan, Turkey, India, Russia, Brazil, Romania, and South Korea. These ten countries were the source of 89 percent of attacks, said Akamai. In total, Akamai observed attack traffic originating from 175 unique countries/regions in the second quarter, two fewer than in the first quarter.
Akamai noted in the report that its “methodology captures the source IP address of an observed attack and cannot determine attribution of an attacker.” In other words, the actual attackers are not necessarily located in the country where their attack traffic originates; compromised hosts and proxies in that country may simply be relaying it.
The security section of the report also said Akamai customers reported being targeted by 318 DDoS attacks in the second quarter, 54 percent more than the prior quarter, and that enterprise customers were the most frequently targeted.
The IBM X-Force Research and Development team has published its 2013 mid-year report on cyber security trends and risks. The results of the study are based on the analysis of 4,100 new vulnerabilities, and 900 million new webpages and images.
According to the report, social media is increasingly used by cybercriminals for reconnaissance and attacks. Compromised social media accounts can be highly valuable for posting falsified reviews or for social engineering attacks.
“IBM X-Force expects to see these newer applications of social engineering become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims,” noted Leslie Horacek, worldwide threat response manager for IBM X-Force and senior editor of the report.
“Users must adopt a mindset of guilty until proven innocent when it comes to social media and companies should engender suspicion to protect users and assets,” she added.
As far as vulnerabilities are concerned, researchers found that the number of new vulnerabilities reported in the first half of 2013 was similar to the number reported last year. However, it’s worth noting that the number of web application vulnerabilities has slightly decreased this year.
When it comes to web vulnerabilities, cross-site scripting (XSS) remains the most common type, accounting for over half of all security holes.
The most common consequence of successful exploitation (28% of cases) was gaining access to a system or application.
The report names the United States as the country that hosts most malicious links, 42% to be more precise. The US is followed by Germany (9.8%), China (5.9%) and Russia (4.5%).
The IBM X-Force report also covers mobile malware, watering hole attacks, zero-day attacks, and distraction and diversion techniques.
While still costly, cyberattacks might not be depleting government cash at the rate previously thought.
A new joint report released Monday by security firm McAfee and the Center for Strategic and International Studies has lowered the estimate from $1 trillion in global annual losses to a range of $300 billion to $1 trillion.
The report’s authors say that estimating the annual costs of cyberattacks is extremely difficult because some companies hide their losses, while others don’t even know the value of what has been stolen from them.
In the new report, the authors look at losses in six categories: the loss of intellectual property, cybercrime, loss of business information, service disruptions, the cost of securing networks, and reputational damage to a hacked company.
“We use several analogies where costs have already been quantified to provide an idea of the scope of the problem, allowing us to set rough bounds — a ceiling and a floor — for the cost of malicious cyber activity, by comparing it to other kinds of crime and loss,” the report reads.
For example, in the U.S., car crashes cost the country $99 billion to $168 billion per year, or 0.7 percent to 1.2 percent of the gross domestic product. In comparison, cyberattacks cost the U.S. $24 billion to $120 billion per year, or 0.2 percent to 0.8 percent of the GDP. The report also puts U.S. job losses from cyberattacks at 508,000.
In 2009, McAfee released a report that said data theft and breaches from cybercrime were costing businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage. While the upper bound in McAfee’s new report still stands at $1 trillion, it is tempered by the $300 billion low-end figure.
Not only are hackers putting a drain on the global economy, they are also getting their hands on tons of data. A study released by Team Cymru in February said that overseas hackers are stealing as much as one terabyte of data per day from governments, businesses, militaries, and academic facilities. According to Team Cymru, the hackers are so sophisticated and are running such massive campaigns that many of them could be state-sponsored.
McAfee’s report released today is a preliminary analysis for a larger study that looks even deeper into the costs of hacking and cybercrime.
“Cybercrime and cyber espionage cost the global economy billions of dollars every year. The dollar amount, large as it is likely to be, may not fully reflect the damage to the global economy,” the report reads. “Cyber espionage and crime slows the pace of innovation, distorts trade, and brings with it the social costs associated with crime and job loss. This larger effect may be more important than any actual number and it is one we will focus on in our final report.”
It used to be that the biggest cause of corporate data breaches was simple incompetence. But even as the volume of malware remains roughly constant, the incidence and cost of malicious attacks on corporate networks are increasing.
Google recently updated its Transparency Report to show fluctuating levels of malware and phishing. The good news is that while phishing sites have increased, malware seems somewhat contained:
This will come as small consolation to enterprises, however, which are coping with a 614% increase in mobile malware exploits in the last year alone, according to a new report from Juniper Networks. Up to 92% of such malware has been targeted at Android, given its dominant market position.
While most of the malware remains targeted at retail consumers, sending fraudulent premium SMS messages, the report finds that “several attacks…could potentially be used to steal sensitive corporate information or stage larger network intrusions,” giving hackers the ability to “use the mobile device to do reconnaissance and go deeper into the corporate network.”
Unfortunately, this isn’t simply a hypothetical problem.
Corporate IT Under Siege
According to a 2013 study by the Ponemon Institute and Symantec of 277 companies that experienced losses or thefts of protected personal data, IT departments and users have apparently become less prone to system glitches and negligence, yet the incidence of malicious attacks is rising fast.
And while it’s never been cheap to have hackers hit your system, the cost from malicious breaches is rising sharply.
While all enterprises need to concern themselves with data breaches, the cost of infiltration increases significantly for highly regulated industries like Finance and Healthcare.
Raise The Barricades?
What to do? It’s simply not going to work to demand an entire enterprise use a particular phone – those days of Blackberry uniformity are over – and it’s not clear that attacks mostly originate at the device level, anyway. Mobile devices are being used to infiltrate corporate networks, but much of the threat remains on the server side.
As the Ponemon report finds, U.S. and U.K. companies saw the greatest reduction in data breach costs from having a strong security posture, an incident response plan and an appointed chief information security officer. Companies in the U.S. and France also reduced costs by engaging data breach remediation consultants.
In other words, while it’s impossible to blockade all threats – the Ponemon Institute found that 51% of enterprises report getting hit with hourly attacks – a little vigilance goes a long way.
NSA slide listing current participants in the PRISM data collection program and what type of content may be available for review.
The Washington Post published on Saturday a set of slides regarding PRISM, revealing more details about the National Security Agency’s controversial surveillance program and how it operates.
The new slides, which come nearly a month after former NSA employee Edward Snowden leaked classified documents to the press about the program, appear to confirm that the NSA and FBI have the ability to perform real-time surveillance of e-mail and stored content.
The slides also seem to contradict denials from tech companies such as Google, Apple, Yahoo, and Microsoft about their level of participation in the program. The program “uses government equipment on private company property to retrieve matching information from a participating company, such as Microsoft or Yahoo and pass it without further review to the NSA,” The Washington Post reported.
Another slide shows how the data is collected by an FBI “interception unit” installed at the companies involved and then passed on to “customers” at the NSA, FBI, or CIA. “Depending on the provider,” the program allows the NSA to “receive live notifications when a target logs on or sends an e-mail,” as well as “monitor a voice, text or voice chat as it happens.”
The new slides also reveal when each company allegedly joined PRISM. According to one slide, Microsoft was the first to join, in September 2007, followed by Yahoo about six months later and Google in early 2009. Apple was the last to join, in October of last year.
Google, Apple, Yahoo, Microsoft, Facebook, and other Internet companies have been left reeling after a pair of articles earlier this month alleged that they provided the NSA with “direct access” to their servers through a so-called PRISM program. Subsequent reporting by CNET revealed that this was not the case, and the Washington Post backtracked from its original story on PRISM.
Legally barred from discussing their participation in the program, Google and Microsoft have petitioned a secretive U.S. surveillance court to lift a gag order prohibiting them from disclosing more information about the government requests they receive for customer data. To date, the companies have released only totals that combine legal requests made under the Foreign Intelligence Surveillance Act with others related to criminal investigations involving fraud, homicide, and kidnapping, making it impossible to determine how many FISA requests they have received.
CNET has contacted the Justice Department for comment on the new slides and will update this report when we learn more.
In another revelation, the U.K.-based Guardian reported Sunday that “top secret” documents show that the U.S. intelligence community is spying on European Union diplomatic missions. The documents, leaked by NSA whistleblower Edward Snowden, list 38 “targets” and detail the surveillance methods used against each, including bugs implanted in communications equipment and taps on communications cables.
Can you imagine that a single text message is enough to hack any Facebook account, without user interaction and without Trojans, phishing, keyloggers or any other malicious tooling?
Today we explain how a UK-based security researcher, “fin1te”, was able to take over any Facebook account within a minute by sending one SMS.
Since most of us are Facebook users, we know there is an option to link your mobile number to your account. It lets you receive Facebook account updates via SMS on your phone, and it also lets you log in with that linked number instead of your email address or username.
According to the researcher, the loophole was in the phone-number linking process, or in technical terms in the endpoint /ajax/settings/mobile/confirm_phone.php.
This page runs in the background when a user submits their phone number and the verification code Facebook sent to that phone. The submission form has two main parameters: one for the verification code, and a second, profile_id, which names the account the number is to be linked to. Nothing on the server checked that profile_id matched the logged-in user, so the client could set it to any account.
As the attacker, the steps to execute the hack were:
1. Change the value of profile_id to the victim’s profile_id by tampering with the request parameters.
2. Send the letter F to 32665, Facebook’s SMS shortcode in the UK. You receive an 8-character verification code back.
3. Enter that code in the box (or as the confirmation_code parameter value) and submit the form.
4. Facebook accepts the confirmation code, and the attacker’s mobile number is now linked to the victim’s Facebook profile.
5. Go to the “Forgot password” option and initiate a password reset against the victim’s account.
6. The password recovery code is sent to the attacker’s own mobile number, which is linked to the victim’s account by the steps above. Enter the code and reset the password.
After receiving the researcher’s bug report, Facebook no longer accepts the profile_id parameter from the client side.
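The flaw described above, modelled as an added example that is neither fin1te’s code nor Facebook’s: a plain-Python stand-in for the server side of confirm_phone.php, with the vulnerable handler that trusts the client’s profile_id next to a hardened version that takes the account from the authenticated session. The Backend class, the Account records, the session dict, the phone numbers and the run_attack helper are all constructed for illustration; only the parameter names profile_id and confirmation_code and the “text F to the shortcode” step come from the write-up.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    profile_id: int
    phone: Optional[str] = None


@dataclass
class Backend:
    """Constructed stand-in for the server-side state behind confirm_phone.php (assumed)."""
    accounts: Dict[int, Account] = field(default_factory=dict)
    # pending verification code -> the phone number that texted 'F' to the shortcode
    pending_codes: Dict[str, str] = field(default_factory=dict)

    def sms_shortcode_request(self, phone: str) -> str:
        """Texting 'F' to the shortcode returns an 8-character code tied only to that phone."""
        code = secrets.token_hex(4)          # 8 hex characters
        self.pending_codes[code] = phone
        return code

    def confirm_phone_vulnerable(self, session: dict, form: dict) -> bool:
        """Behaviour the write-up describes: the account to link comes from the
        client-supplied profile_id, so the logged-in session is never consulted."""
        phone = self.pending_codes.pop(form.get("confirmation_code", ""), None)
        if phone is None:
            return False
        target = self.accounts.get(int(form["profile_id"]))
        if target is None:
            return False
        target.phone = phone                 # victim's profile now points at the attacker's phone
        return True

    def confirm_phone_fixed(self, session: dict, form: dict) -> bool:
        """Hardened: the account is the authenticated session user. A profile_id that is
        still sent and disagrees with the session is treated as tampering and rejected."""
        owner_id = session.get("user_id")
        if owner_id is None or owner_id not in self.accounts:
            return False
        if "profile_id" in form and str(form["profile_id"]) != str(owner_id):
            return False
        code = form.get("confirmation_code", "")
        phone = self.pending_codes.get(code)
        if phone is None:
            return False
        del self.pending_codes[code]         # a code is single use
        self.accounts[owner_id].phone = phone
        return True

    def password_reset_target(self, profile_id: int) -> Optional[str]:
        """The phone that would receive a password-recovery code for this profile."""
        return self.accounts[profile_id].phone


def run_attack(handler_name: str) -> Optional[str]:
    """Replays the write-up's steps against one handler and returns the phone number that
    a password reset for the victim would now be sent to."""
    b = Backend()
    b.accounts[1001] = Account(1001, phone="+44700000001")   # victim (constructed)
    b.accounts[2002] = Account(2002)                          # attacker, no phone linked yet
    attacker_session = {"user_id": 2002}
    code = b.sms_shortcode_request("+44700000002")           # step 2: attacker texts F to 32665
    tampered = {"confirmation_code": code, "profile_id": "1001"}   # step 1: victim's profile_id
    getattr(b, handler_name)(attacker_session, tampered)     # step 3: submit the form
    return b.password_reset_target(1001)                     # steps 5-6: where the reset code goes


if __name__ == "__main__":
    print("vulnerable:", run_attack("confirm_phone_vulnerable"))  # attacker's number
    print("fixed:     ", run_attack("confirm_phone_fixed"))       # victim's own number
```

The point of the fixed handler is that the identity of the account being modified is never taken from request data; it comes from the session that authenticated the request, and any client-supplied copy of it is only ever compared, never trusted.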
U.S. tech firms who have built their business on a free-flowing Internet just got a huge smack in the face. Leaked government documents seemed to reveal the existence of a top-secret program with the capability to mine their users’ data at will.
Right now, the debate is over exactly what data’s being collected and how—and whether the companies were complicit in letting it happen.
But that misses the real impact of such a program. Regardless of the details, it will damage the reputations of the U.S. as a technology marketplace.
There are many operations that will feel the hit, but the biggest one may be in cloud computing. After all, what foreign company would want to host its data in a cloud that could be rifled at will by the U.S. government?
What We Think We Know
Leaked documents from the National Security Agency and the FBI have revealed an apparent secret government program, code-named PRISM, that is “extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time,” according to the Washington Post.
The data was pulled from the servers of Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple. Dropbox, the Post reported, is supposedly “coming soon.”
The NSA does not monitor every piece of data, the story reports, only targeted individuals. But the capability to monitor the target within all of the companies’ data is there, according to the slides obtained by the Post.
All of the companies named in the leaked slides have categorically denied being involved in PRISM, which is pretty much the only answer they can give: if such a program exists, they are likely bound by court order from revealing their participation, and if it doesn’t exist, then they are truthful in denying it. The U.S. government, for its part, acknowledges that such programs do exist, but that the documents published by the Post and the U.K.’s Guardian contain “numerous inaccuracies.”
Which, alas for the U.S. tech industry, isn’t exactly a “no.”
Perception-wise, the firms named in the leaked slides are screwed. If PRISM doesn’t exist, it will be very hard to prove otherwise in a climate where distrust of government is at an all-time high. If PRISM does exist, then the perception of these companies will either be as lying co-conspirators in a massive breach of user privacy – or incompetent morons who don’t know that the U.S. government can get into their data whenever it wants.
The most likely scenario here is that the tech companies are being very, very literal: they can deny ever hearing of a program called PRISM because they may have really never heard of it. Ars Technica spoke with Electronic Frontier Foundation Staff Attorney Kurt Opshal, who outlined what’s probably going on with these denials:
“Whether they know the code name PRISM, they probably don’t,” [Opshal] told Ars. “[Code names are] not routinely shared outside the agency. Saying they’ve never heard of PRISM doesn’t mean much. Generally what we’ve seen when there have been revelations is something like: ‘we can’t comment on matters of national security.’ The tech companies responses are unusual in that they’re not saying ‘we can’t comment.’ They’re designed to give the impression that they’re not participating in this.”
In Cloud We Trust?
Successfully pulling off that impression would seem to be nearly impossible and the nine tech companies named in the PRISM documents are in for a world of pain. Already, U.S.-based users, individual and corporate, are up in arms about the perceived breach, even as the U.S. government insists that it is not spying on its own citizens, but is targeting non-U.S. citizens in its quest to maintain national security.
US companies may end up becoming more active participants in cyber/national security related activities anyway, depending on how Department of Defense cyberwar rules of engagement play out.
But for public cloud users who reside outside the U.S., the statements about non-U.S. targets are sure to have a chilling effect, especially in the European Union, which has been critically examining its data relationship with the U.S. for some time. That relationship, already precarious, may have just been pushed off the cliff.
Currently, data generated by European companies is bound by the strictures of the E.U.’s 1998 European Commission Directive on Data Protection (ECDDP), which, among other things, blocks data from being transferred outside the European Economic Area unless the E.U.’s strict protection guidelines are followed.
The problem is that U.S. laws and policies let data such as names and addresses be handled in ways well outside the ECDDP comfort zone. This would have effectively prevented any European data from being stored in U.S.-based clouds and data centers, were it not for Safe Harbor.
Established in the fall of 2000, Safe Harbor is a compromise that allows data interchange to take place. It requires that companies follow a certain set of privacy practices, such as informing individuals that their data is being collected and how it will be used. If U.S. companies, which self-certify themselves as Safe Harbor compliant, follow the rules, then E.U. data can be stored in the U.S., which is handy since many of the world’s biggest public cloud services are located there.
All of the E.U. nations, with the exception of Germany, are participants in the E.U.-U.S. Safe Harbor agreement. This is why in Germany, corporate workers are prohibited from using services like Google Docs to store and work with company information. (One has to wonder if the Germans didn’t have an inkling that something like PRISM was going on.)
The Europeans have had some qualms about Safe Harbor already. Last July, an independent European advisory body, the Article 29 Working Party, recommended the existing Safe Harbor agreement between the U.S. and E.U. is not enough to provide true security for European organizations’ data. Their argument? That self-certification was nowhere near enough to assure adequate protections.
“…[I]n the view of the [Article 29] Working Party, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment,” the recommendation stated. “The Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification. On the contrary, the company exporting data should obtain evidence that the Safe Harbor self-certification exists and request evidence demonstrating that their principles are complied with.”
In other words, don’t take U.S. tech companies at their word that they will comply with Safe Harbor rules.
Safe Harbor At Risk
Fast forward to today, when suddenly the Article 29 Working Party’s non-binding recommendation has some teeth to it. European companies and lawmakers are very likely going to look at the events surrounding PRISM and wonder how safe their data would be if stored in a U.S. system.
Amazon and Rackspace, two large U.S.-based public cloud providers, were not named in the PRISM slides, but Microsoft and Google were. While no one knows whether U.S. intelligence services could or did access cloud-based data hosted by Microsoft and Google, the integrity of their cloud hosting services will probably be called into question now, especially by companies outside the U.S., which, by the U.S. government’s own insistence, are valid targets for national security investigations.
The E.U.-U.S. Safe Harbor agreement may be one of the first casualties of the PRISM leak, even if PRISM turns out to be fictitious. Just the hint that something like PRISM could exist could evaporate a large amount of trust and business for U.S. cloud vendors, even ones not named in the PRISM documents.
Public cloud infrastructure is under serious threat, as users domestic and international start seriously questioning public cloud security and integrity. This may bring a large shift towards private cloud or virtual data centers deployments, as companies seek to protect their data from government’s prying eyes.
One of the most insidious cyber threats facing the security community is the spread of botnets: networks of infected computers (bots or zombies) controlled by attackers through malware they have planted. The controller of a botnet, also known as the botmaster, directs the activity of the entire structure by issuing orders over communication channels. Botnets are common in many IT contexts, from cybercrime to cyber warfare.
A botnet can be used to conduct cyber attacks, such as a DDoS, against a target, or to run a cyber-espionage campaign that steals sensitive information. Botnets can be classified in several ways: by the architecture they implement, by the network protocol they use, or by the technology on which they are based.
How widely a botnet spreads depends on its operators’ ability to enlist the largest possible number of machines while hiding the activity of the malicious infrastructure. A critical phase in the life of a botnet is its constitution. Attackers essentially have two options: recruit bots by spreading malware, typically via a phishing campaign or by sending the malicious agent by email, or rent the entire infrastructure in the underground market.
As we will see in this post, the spread of botnets has increased for several reasons, such as the availability of unprotected mobile platforms and the presence in the underground market of cyber criminals who rent out the services and infrastructure needed to assemble these malicious systems.
Infected machines receive commands from Command & Control (C&C) servers that direct the whole architecture toward the purpose for which it was built, such as creating SMTP mail relays for targeted spam campaigns, implementing a fraud scheme (e.g. harvesting banking credentials), or launching a denial-of-service attack.
According to recent analyses by the principal security firms, botnets are among the most insidious cyber threats; in 2012 they caused huge financial losses and serious damage to companies all over the world. The threat greatly concerns security experts because of its reach: millions of compromised Internet-connected computers are used every day to carry out scams and cyber attacks. The ease with which criminals can organize a botnet, without special technical knowledge or complex infrastructure, contributes significantly to their spread. Overall, messaging botnet growth jumped sharply from previous years. Behind the principal botnets stands a cybercrime industry that pushes malware to infect an increasing number of machines and also offers new business models, such as botnet rental or the sale of the agents used to build botnets.
In many cases, rather than monetizing botnet activity by running fraud schemes directly, cyber criminals rent a range of services to other criminals, a trend confirmed by constant monitoring of underground-market offerings.
According to F-Secure, ZeroAccess was the most prevalent botnet observed in 2012. It compromised the largest number of machines in France, the United States and Sweden, and it is considered the most profitable malicious architecture. ZeroAccess infected millions of machines globally in 2012, with up to 140,000 unique IPs in the US and Europe. The F-Secure Threat Report H2 2012 states:
“The malicious site contains an exploit kit, usually Blackhole, which targets vulnerabilities on the user’s machine while they’re visiting the site. Once the machine is compromised, the kit drops the malware, which then turns the computer into a ZeroAccess bot.”
To give an idea of the economic impact of botnets, the report revealed that ZeroAccess reportedly generates 140 million ad clicks a day; the botnet is estimated to cost legitimate online advertisers up to USD 900,000 in lost revenue daily. The ZeroAccess authors also designed a second revenue scheme, Bitcoin mining, using the computing power of the victims; more than half of the botnet is dedicated to mining Bitcoin for profit. Unfortunately, it is not the only one. Botnets such as Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet) were also very active.
Zeus is confirmed as the most insidious and specialized botnet targeting the banking sector. The United States, Italy and Germany were the countries where the malware was most widespread. According to the “2013 Global Threat Intelligence Report (GTIR)” from the security company Solutionary, the US and Germany are the most prevalent sources of botnet Command and Control (C&C) traffic.
Figure 1 Botnet C&C Activity by Country – Solutionary Report
Solutionary experts confirmed that the emergence of the Blackhole 2.0 exploit kit will sustain the growth in the number of botnets; SERT expects this exploit platform to evolve much faster and more efficiently, becoming an essential component for attackers.
Another interesting fact noted by security experts is that cyber criminals, in order to hide C&C communications, have started to adopt solutions such as securing them with HTTPS or hiding command messages inside social-network traffic.
This gives the threat, such as malicious code, safe passage and protects the communications from scrutiny by security firms, but only once the victims are already infected. Malware updates and stolen data are often moved over these encrypted channels. That is why inspecting inbound HTTPS traffic is crucial to identify and block attacks, even though it provides little value in detecting C&C communications, whose content stays encrypted.
Classification of botnets
Categorizing botnets is not easy. These architectures are created for many purposes, and the purpose inevitably influences factors such as the malware used to compromise victims and the technology chosen.
Botnets can be distinguished by the structure they implement. Some networks are based on one or more C&C servers, with every bot connected directly to a Command & Control server. The C&C maintains a list of infected machines, monitors their status and issues operating instructions.
This type of architecture is simple to set up and manage, but it has the drawback of being very fragile: shut down the C&C and the entire botnet stops operating. The server is a single point of failure, because the botnet’s operation depends on its bots being able to reach the control system. The principal detection techniques are based on analysis of the traffic between bots and the C&C; decentralized botnets were designed to improve resilience to takedown.
Figure 2 – Botnet C&C based
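The traffic-analysis approach mentioned above works on connection metadata alone, so it also applies to the HTTPS- and social-network-hidden channels described earlier, where the payload cannot be inspected. The following Python script is an added example, not code from the article or from any vendor it cites: it looks for hosts that contact the same destination at nearly constant intervals (beaconing). The log format, hostnames, addresses and thresholds are constructed assumptions.

```python
"""Beacon detection over connection metadata (constructed example).
Centralized bots check in with their C&C on a schedule; that regularity
shows up in proxy or flow logs even when the payload is HTTPS or hidden in
social-network traffic. Log format, hosts and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO time> <src ip> <dst host> <bytes sent>"
SAMPLE_LOG = """\
2013-03-01T10:00:00 10.0.0.5 cdn.example.net 512
2013-03-01T10:00:07 10.0.0.5 news.example.org 1400
2013-03-01T10:05:01 10.0.0.5 cdn.example.net 512
2013-03-01T10:10:00 10.0.0.5 cdn.example.net 512
2013-03-01T10:11:43 10.0.0.5 mail.example.com 9000
2013-03-01T10:15:02 10.0.0.5 cdn.example.net 512
2013-03-01T10:20:00 10.0.0.5 cdn.example.net 512
2013-03-01T10:25:01 10.0.0.5 cdn.example.net 512
2013-03-01T10:03:00 10.0.0.9 news.example.org 2200
2013-03-01T10:17:00 10.0.0.9 news.example.org 700
2013-03-01T10:41:00 10.0.0.9 news.example.org 3100
"""

def parse(log):
    """Yield (src, dst, datetime, bytes) per well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the run
        yield parts[1], parts[2], datetime.fromisoformat(parts[0]), int(parts[3])

def find_beacons(log, min_hits=5, max_jitter=0.1):
    """Return (src, dst, hits, mean_interval_s, uniform_size) for src->dst
    pairs that connect often and at nearly constant intervals. Jitter is
    the coefficient of variation of inter-arrival times (0.1 = under 10%).
    uniform_size flags identical request sizes, typical of empty check-ins."""
    pairs = defaultdict(list)
    for src, dst, when, size in parse(log):
        pairs[(src, dst)].append((when, size))
    flagged = []
    for (src, dst), events in pairs.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            uniform = len({size for _, size in events}) == 1
            flagged.append((src, dst, len(events), round(avg), uniform))
    return flagged

if __name__ == "__main__":
    for src, dst, hits, every, uniform in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst} ({hits} hits, ~{every}s apart,"
              f" fixed size={uniform})")
```

Legitimate software (update checks, mail polling) also beacons, so candidates need allow-listing of known destinations before they become alerts.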
In decentralized botnet architectures, also known as peer-to-peer botnets, the bots are not necessarily connected to C&C servers; they form a mesh in which commands are also relayed from zombie to zombie. Each node of the network holds a list of addresses of “neighbor” bots with which it communicates and exchanges commands. In such a structure each bot can forward orders to the others, so attackers need access to only one node to control the entire botnet.
Figure 3 – P2P botnets
Last year Symantec security researchers detected a variant of the popular Zeus malware that relies on P2P communication as a backup system in case the C&C servers are not reachable. The variant isolated by Symantec doesn't use C&C servers at all, implementing an autonomous botnet; the expert Andrea Lelli declared:
“Every peer in the botnet can act as a C&C server, while none of them really are one. Bots are now capable of downloading commands, configuration files, and executables from other bots — every compromised computer is capable of providing data to the other bots.”
This type of botnet is really concerning. It is hard to fight because it lacks the single point of failure that the C&C servers represent in a classic botnet architecture. Although destroying a decentralized botnet is more difficult, this architecture is considerably more complex to manage; that is why hybrid structures are the botmasters' preferred choice.
Botnets can also be classified by the network protocol or the technology on which they are based. Different architectures rely on different communication protocols. One classic scheme is the IRC-oriented botnet, based on Internet Relay Chat: each bot receives commands through an IRC channel from an IRC bot server. An IRC bot is a collection of scripts that connects to Internet Relay Chat as a client.
The most advanced botnets use their own protocols built on top of TCP, ICMP or UDP. For example, in the Zeus peer-to-peer variant mentioned above, the expert noted that the authors implemented communication over UDP.
Botnets can also be based on instant messaging services, in which case they are called IM-oriented: commands are sent to the zombies via IM services such as AOL, MSN and ICQ. Of course we cannot omit web-based botnets, collections of infected machines controlled through the web. HTTP bots connect to a specific web server, receiving commands and sending back data. This type of architecture is very easy to deploy and manage. A particular variant is the social network botnet, which uses popular social media platforms to send messages to zombies. These architectures are very difficult to trace because of the large volume of traffic generated by ordinary social networking activity.
This type of botnet has become very popular with the spread of exploit kits able to compromise remote machines and control them. Usually cyber criminals send the victims malicious links, via e-mail or social network messages, that redirect the user to a compromised website hosting the exploit kit. The victim is infected on the fly and one or more pieces of malware are downloaded to the victim's host.
According to Group-IB, the new trend in C&C communication methods is the use of public, well-known application protocols, as well as placing the C&C on social network profiles and user accounts. The architecture of such botnets can vary and they can be used for different purposes:
- DDoS attacks
- Spamming (e-mail, social networks)
- Covert channel for information exchange
- PsyOPS in social networks
In such cases it is hard to detect anomalies in network traffic that reveal the malicious activity, because the bots simply check a prepared file or text signature on the social network. Sometimes the functions of modern social networks, cloud services and web portals are used as a covert channel for information storage. One of the latest incidents involved the Evernote service, where the attackers prepared their own user account and uploaded a file containing commands for the botnet. The same method was used with Twitter in the Flashback botnet. The Zeus botnet is a classic example of this type of architecture; it was known for its ability to steal banking credentials from victims.
Figure 4 – Zeus Builder
As explained, one of the most interesting evolutions in the botnet world is the move to mobile platforms. Damballa Research Laboratory discovered 40,000 infected mobile devices that communicated with C&C servers in the first six months of 2011. Meanwhile, McAfee Labs was among the first firms to announce the large-scale diffusion of a new variant of Zeus malware on mobile platforms. Today, mobile botnets are a reality: millions of mobile devices have been infected by botnets in China via 7,000 Trojanized applications.
“Security researchers say they have discovered a huge botnet running on the smartphones of more than a million unsuspecting mobile users in China. The botnet can allow the smartphones to be hijacked remotely and potentially used for fraudulent purposes. (BBC)”
Exactly as with desktop machines, mobile botnets exploit the same communication channels (e.g. IRC, HTTP, P2P), and the technological evolution of mobile solutions provides environments with advanced capabilities that attract an increasing number of botmasters.
Drew Williams, President at Condition Zebra declared:
“Since July 2012, more than 100 million Android phones have found their way to new owners, which represents slightly more than half of the market in smartphones (sorry, iPhones). Fake apps and bad SMS messaging is all the rave with the malware writers these days, and as the new year unwinds, we have already seen report after report of this rising tide of “new” target exploits.”
The following is a list of the principal mobile botnets observed in the last year.
Figure 5 – Principal Mobile Botnet (Meisam Eslahi for Security Affairs)
Security researcher and digital forensic investigator Meisam Eslahi listed for Security Affairs the principal mobile cyber threats, to emphasize their existence and their negative impact on mobile network environments:
Zeus in the Mobile, or Zitmo, is a multiplatform agent that infects a variety of mobile operating systems, such as Symbian, Windows Mobile, BlackBerry and Android, mainly through social engineering. It sends victims an SMS containing a fake URL that dupes users into downloading a security certificate that is, in fact, the Zitmo bot. It is also able to intercept messages sent by banks to their customers and to authenticate illegal transactions by stealing mobile Transaction Authentication Numbers (TAC).
DroidDream was a good example of this silent and insidious malware, since it activates silently at night (11 pm to 8 am) when mobile users are asleep. It was designed to gain root privileges on infected mobiles and install a second application to steal sensitive information and protect itself from removal.
Android.Bmaster has infected a large number of mobile devices by using Trojanized applications and exploitation techniques. Symantec dubbed Bmaster “A Million-Dollar Mobile Botnet” since it earned millions of dollars through premium SMS, telephone and video services. However, a new mobile botnet called MDK has recently overtaken Bmaster by infecting nearly 7,000 applications and bringing one million mobile devices under the control of its botmaster.
Although Ikee.B is a simple botnet by nature, it can be considered one of the early generations of mobile botnets, operating on jailbroken iPhones with almost the same functionality as computer-based botnets. Scanning the IP ranges of iPhone networks, looking for other vulnerable iPhones on a global scale and self-propagation are the main activities of this malware.
Among the different types of mobile botnets, AnserverBot can be considered one of the most sophisticated. Its command and control is based on a complex two-layer mechanism implemented over a public blog. In addition to detecting and disabling the security solution on the infected device, AnserverBot periodically checks its own signature to verify its integrity and protect itself from any kind of modification.
TigerBot is fully controlled by SMS instead of the Internet and web technologies. It intercepts the C&C messages and hides them from the device owner. In addition to collecting private data such as SMS messages, it has sophisticated capabilities to record voice-call conversations and even surrounding sounds.
A new kind of mobile malware oriented to banking fraud has also appeared, called Perkele Lite, which costs $7,000 for a configured file and $12,000 for preparing and placing it on the Google Play web site, said Andrey Komarov of Group-IB. It provides its own C&C interface and exclusive functions for designing it to look like a legitimate banking application.
Figure 6 – Perkele Lite post in the underground
Cost of botnets and DIY trend
One of the most concerning phenomena related to malware diffusion is the growing offer of tools and services that allow criminals to build and manage such structures.
Thanks to the explosion of the malware-as-a-service sales model, an increasing number of ill-intentioned individuals are requesting services and acquiring the tools and malicious code needed to set up powerful botnets. Security expert Dancho Danchev is considered one of the most careful observers of cyber-criminal activity in the underground; he has posted many articles updating his readers on the evolution of the black markets and has described the tendency, dubbed “Do it yourself”, that refers to the spread in the criminal world of instruments that make the establishment of a malicious botnet possible.
The malware-as-a-service model allows the outsourcing of criminal services. Consider botnet architecture management and C&C hosting: thanks to the offer in the underground, criminals need neither to own a botnet architecture nor to have particular skills to manage it; they just need to rent an infected network to spread their malicious agents.
Recently the researcher described a new service offering access to thousands of malware-infected hosts, and Danchev also estimated the cost of arranging a botnet composed of 10,000 machines located in the US.
Figure 7 – Botnet Admin Panel
The expert analyzed a service offering access to infected hosts located anywhere in the world that has been active since mid-2012 and, although its official web site is currently offline, remains in operation to the present day.
The offer of similar services will increase in the coming months, also attracting ordinary criminals and inexperienced cyber criminals. This will drive down the cost of acquiring the infrastructure and services needed to conduct a cyber-attack.
Purchases of US-based, malware-infected hosts are more expensive than machines located elsewhere because of the higher online purchasing power of their owners compared to the rest of the world.
The price list reported by Danchev follows; as can be seen, the expense is modest and the offers varied and detailed.
- 1,000 hosts World Mix go for $25, 5,000 hosts World Mix go for $110, and 10,000 hosts World Mix go for $200
- 1,000 hosts EU Mix go for $50, 5,000 hosts EU Mix go for $225, and 10,000 hosts EU Mix go for $400
- 1,000 hosts DE, CA and GB, go for $80, 5,000 hosts go for $350, and 10,000 hosts go for $600
- Naturally, access to a U.S.-based host is more expensive compared to the rest of the world. 1,000 U.S. hosts go for $120, 5,000 U.S. hosts go for $550 and 10,000 U.S. hosts go for $1,000
Last year Trend Micro published an excellent analysis of the Russian underground market, in which researcher Max Goncharov analyzed the services and products offered by cyber criminals on Russian online forums and services frequented by hackers such as antichat.ru, xeka.ru and carding-cc.com. It is relatively simple to come across sites that offer pre-built botnets for rent; if the following table reflects the cost of botnets, organizing a botnet has never been so easy!
Figure 8 – Botnet prices (Trend Micro)
The scenario presented demonstrates the rapid diffusion of botnets and the increasing ease with which criminals can acquire products and services to create and manage malicious architectures. This first article is an introduction to the botnet world that provides an overview of the state of the art of this cyber threat and also details the offers that support the growing DIY phenomenon.
The fight against the proliferation of botnets, in my judgment, depends on the following key factors:
- Timely and methodical study of the evolution of the technological solutions on which botnets are based. It is important to define a universally recognized set of indicators to deterministically qualify the threat and its evolution.
- The promotion of joint operations involving government agencies and the major private industry players. In this sense, some large companies have already embarked on close collaboration with governments, as in the case of Microsoft.
- Awareness of cyber threats and the dissemination of best practices for the containment of infections.
- Approval of globally recognized regulations and penalties for those who develop or contribute to the spread of botnets. Unfortunately, today the differences between legislative frameworks represent an advantage for those who intend to commit a crime using these tools.
Despite the good intentions, we are still far from a global agreement on the proper action against botnet diffusion, from both the legislative and the operational perspective.
In the second part of the article, which I will submit in the coming weeks, we will analyze the most sophisticated solutions implemented by botmasters to secure their infrastructures and the monetization methods behind them. The second part will also propose methods for detecting and fighting malicious architectures.