We reiterate our position on this matter, which we first stated on this blog a month ago. We remain concerned about provisions in the law that could seriously compromise DNSSEC, which will play a key part in future cybersecurity strategy. At the very least, by ensuring the secure transfer of DNS data from servers to end users, DNSSEC will make man-in-the-middle and cache poisoning attacks much more difficult. DNSSEC may also be used as the foundation for further tools and techniques that will aid in greater online security

We endorse the position of the White House, which we quote below:

We must avoid creating new cybersecurity risks or disrupting the underlying architecture of the Internet. Proposed laws must not tamper with the technical architecture of the Internet through manipulation of the Domain Name System (DNS), a foundation of Internet security. Our analysis of the DNS filtering provisions in some proposed legislation suggests that they pose a real risk to cybersecurity and yet leave contraband goods and services accessible online. We must avoid legislation that drives users to dangerous, unreliable DNS servers and puts next-generation security policies, such as the deployment of DNSSEC, at risk.

Post from: TrendLabs | Malware Blog - by Trend Micro

Trend Micro Reiterates Position on SOPA

But even though methodologies may change, whether through reverse engineering or analysis of the botnet infrastructure, the goal of understanding what the threat is all about is the number one priority.

Trend Micro is fortunate enough to have several experts under its fold who are able to attack the challenge using different means. And we are proud to say that our technical analysis and due diligence in monitoring Koobface activities made us understand the botnet intimately, and enabled us to respond and apply the appropriate solution to protect our customers.

Koobface at Its Peak

At its peak, Koobface was popularly known as the malware propagating through the (then) steeply rising social network Facebook, but of course, it was more than that.

Back in 2008-2009, Facebook was just becoming the dominant social network that it is now, and was just starting to distance itself from the likes of Myspace, Twitter, Friendster, myyearbook, etc.

Our first research paper about Koobface provided detailed overview that Koobface was not only exclusively propagating on Facebook, and that it also utilized the other social networks popular during that time. We also presented that once a system is infected by the Koobface malware, additional pieces of malware are installed into the system, which are then used to either monetize infected user traffic, or use the affected machine as part of the Koobface C&C infrastructure.

Our findings led us to the second research paper, which delved deeper into the C&C infrastructure and communication. Here, we were able to discover the various levels of control available for the Koobface gang – from the fine grained control of social engineering messages to be spammed by the infected user, to the various components, accounts, infrastructure and commands available to the Koobface gang.

But we couldn’t consider our research done if we weren’t able to figure out what this is all about. Nobody gives that much time and effort for nothing, so the question that remained was – what’s in it for the Koobface gang?

The Monetization of Koobface

We found out the answer to this question and presented our findings through the third part of our research paper, as we were able to gather proof that the Koobface gang is involved in criminal activities such as FakeAV installation, clickfraud, information stealing and online dating.

The Evolution of Koobface

During all these years, we are proud to say we here at Trend Micro has shown the effort and diligence to keep Koobface on our radar. Our fourth report on Koobface details how the Koobface gang changed the C&C architecture, modified the malware binaries, and improved the backend services in order to become more resilient to takedowns and evade simplistic blocking/detection solutions.

As further evidence of Trend Micro’s commitment to this effort, we released our fifth installment of our Koobface research just last month, detailing how the Koobface gang adjusted to strict security checks by Facebook, by making use of Twitter and Blogspot (instead of Facebook) and TDS (Traffic Direction Systems) to divert and monetize user Internet traffic and maintain the gang’s cash flow.

We did these things while working with the appropriate channels and withholding ourselves from revealing sensitive information that will interfere with on-going operations by various law enforcement.

However, this sensitive information regarding one of the Koobface operators were prematurely published by a blogger without coordination with the community involved. This happened before any of the desired results (i.e. arrests) happened. The slow pace of the LE investigation is understandable – the standards of evidence are much higher for LE that they eventually have to go to court. This necessarily takes time.

Let’s hope that the current situation would serve as a ‘last push’ for LE, so that this whole “Koobface saga” will end up with the arrests of the perpetrators, and the dismantling of their infrastructure – a success story like what happened in Operation Ghost Click.

Trend Micro researchers Jonell Baltazar, Ryan Flores, Joey Costoya and Nart Villenueve all devoted significant amounts of time and effort in tracking the Koobface threat.

You may also check this report developed by our friends from Sophos together with independent security researcher Jan Droemer.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Koobface Saga

As we prepare for the year ahead, let us take a look at some of the Trend Micro 2011 predictions that came true and how we contributed to the security industry’s wins against the continuing war against cybercrime.

 

Though we didn’t foresee hacktivism coming to the fore in 2011, we witnessed a slew of mass compromises result from AntiSec and LulzSec attacks against various entities. Armed with politically charged agendas and disgruntled with varying issues, hacktivist groups continued to fling attacks at users.

2011, however, wasn’t all bad, as we also garnered some wins in our never-ending battle against cybercrime. In close collaboration with our industry partners and law enforcement authorities, Trend Micro was at the forefront in what has been dubbed the “Biggest Cybercriminal Ring Takedown”—Operation Ghost Click—to date. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

For more details on what 2011 was like, take a look at the 2011 security roundup report, A Look Back at 2011: Information Is Currency.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011: The Year of Data Breaches

2011 was a banner year for the Android operating system – as well as for Android malware. The increasing number of Android users made it profitable for attackers to go after them in full force, as we’ve been saying all year long.

Where are the threats coming from?

Many of these threats arrive via third-party app stores, particularly in China (where access to the Android Market can be irregular at times). While the app stores are not necessarily malicious, they simply do not have the resources to adequately curate submissions. As a result, malicious, repackaged, and pirated applications are frequently found in these independent app stores.

What kinds of threats are we seeing?

What kinds of threats did we see in the mobile arena? Some of them have been seen previously for older OSes, such as premium service abusers that sign users up for paid services they didn’t subscribe to. In fact, these premium service abusers were the biggest threat in 2011, with these malicious apps reaching not just third-party stores, but the Android Market as well (as in the case of RuFraud, DroidDream and DroidDreamLight).

This threat type is popular because it offers cybercriminals a direct path to profit. However, we are also seeing more sophisticated threats emerge. Some of these kinds of threats have long been seen in the desktop platform. As mobile threats grow in sophistication, it should not be a surprise that tactics are being recycled, as it were.

Information theft has long been a problem on desktops, but now it is affecting mobile platforms as well. The well-documented DroidDreamLight family is a good case in point: earlier versions restricted themselves to stealing information related to the device; newer variants now steal such personal information such as text messages and call logs. For an attacker more interested in stealing corporate secrets rather than money, such information could be priceless.

However, if attackers are interested in stealing financial information, that threat also grew in 2011. While the first cases of ZITMO – mobile malware that works with ZeuS to defeat two-factor authentication systems on mobile phones – were seen in 2010, in 2011 we encountered ZITMO Android variants . This highlights how cybercriminals are now attempting to defeat even two-factor authentication schemes.

What about vulnerabilities and exploits?

Vulnerabilities in mobile operating systems were also seen and exploited in 2011. Certain variants of DroidKungFu exploit vulnerabilities in older Android versions to obtain root privileges. (Android was not the only phone operating system to have vulnerabilities discovered in its code: both iOS and Windows Phone 7 had their own flaws discovered in 2011.)

2011 represented the biggest year of mobile malware threats to date, but the threat will only get worse in 2012. Users should take steps to protect themselves now in order to avoid worse consequences down the road.

For a more forward-looking read, please check our security predictions for 2012.

Additional text by Julius Dizon, Research Engineer

Post from: TrendLabs | Malware Blog - by Trend Micro

2011 in Review: Mobile Malware

…if there’s actual evidence, I have no doubt that law enforcement will act. However, I think this is highly unlikely.
—Konstantin Poltev (spokesman of Esthost/Rove Digital), October 13, 2008

In the past, some cybercriminals have been so brazen that they publicly declared chances they will ever be caught are slim. Today, however, it is time for them to think again. In 2011, historic steps were taken in the battle against cybercrime. Collaboration between law enforcement and the security industry led to important takedowns and arrests. Here are some of the highlights of 2011.

Rustock

On March 16, 2011, Microsoft took down the Rustock spam botnet. The simultaneous takedown of all of its command-and-control (C&C) servers led to the true death of the Rustock botnet. The Rustock zombies could not be resurrected because Microsoft made sure that all of the hard-coded domains Rustock used were no longer made available to bad actors. The gang behind the botnet was not arrested but Microsoft published advertisements in Russian newspapers offering a US$250,000 reward for anyone who gave information that led to the identification, arrest, and conviction of the minds behind Rustock. Microsoft’s lawyers used novel legal arguments to convince a federal court in Seattle that it had the right to seize the Rustock servers. This set an important legal precedent for future cases.

Kelihos

Taking down a large spam botnet has a huge impact on the spam volume and makes the Internet a safer place for everyone. However, some bad actors won’t stop committing crimes even if their botnet is taken down and even if bounty hunters are looking for them. Consider the case of the Kelihos spam botnet, believed to have been written by the same people responsible for Waledac, another botnet taken down in 2010.

In September 2011, Microsoft once again convinced a federal judge to allow it to block all of the IP addresses and domains Kelihos’s C&C servers used without first informing the defendants. One of the defendants was explicitly named in the complaint—the owner of the cz.cc domain, one of the domains taken offline. This was a remarkable step as cz.cc was a so-called rogue second-level domain (SLD) name. The takedown of cz.cc meant that hundreds of thousands of subdomains, which were either illegitimately used or were used for Kelihos’s C&C servers, were taken offline. This sets an example for all other rogue SLDs to be more accountable for abuse incidents.

CoreFlood

CoreFlood was a botnet made up of hundreds of thousands of computers infected with a data-stealing Trojan. This particularly dangerous botnet was dismantled by the FBI in April 2011. The FBI took over its C&C servers and operated these until mid-June 2011. The FBI sent a stop command to the bots in the United States, causing the malware to exit. This was the first time the U.S. government took over the C&C infrastructure of a botnet and pushed a command to the bots so these became unreachable to the botmasters.

Ghost Click

On November 8, the FBI, the NASA, and the Estonian Police took down Rove Digital’s DNS changer infrastructure. This was accomplished in collaboration with Trend Micro, the Internet Systems Consortium (ISC), and other industry partners. At the same time, six suspects were arrested in Estonia. Among those arrested were Rove Digital’s CEO Vladimir Tsastsin and its spokesman Konstantin Poltev. More than 200 servers were seized from different data centers in the United States and Estonia. Banking accounts with millions of cash were frozen and other assets were confiscated. This was one of the biggest cybercrime takedowns ever executed. It was the result of a very successful collaboration between law-enforcement authorities and the security industry. (An infographic about the Esthost botnet, and where it stood relative to other botnets previously taken down, may be found here.)

Trend Micro played an important role by identifying the components of and monitoring Rove Digital’s vast network. The ISC replaced the rogue DNS servers that redirected victims to foreign sites. This was necessary so as not to disrupt the Internet access of millions of DNS-changer victims after the takedown.

Réseaux IP Européens (RIPE), the regional Internet registry that allocates IP addresses in Europe, also froze Rove Digital’s European IP address ranges. This ensured that Rove Digital’s accomplices who were not arrested on November 8 could not move their rogue DNS infrastructure to another location in the world and could not continue to exploit their large pool of victims. RIPE decided to follow an order from the Dutch Police to freeze the IP address ranges, a truly historic and brave step. The RIPE NCC, an independent nonprofit membership organization, decided to fight RIPE’s decision in court. This is not a bad move per se, as it can result in a legal precedent, making the persistent abuse of RIPE’s IP space a lot more difficult. Today, it seems to be rather easy for criminal entities to obtain and keep IP address ranges from RIPE even if the IP space becomes scarce. This is a RIPE-specific problem, as we don’t see these types of problems taking place in Asia or the United States.

Chronopay

In June 2011, the co-founder and CEO of credit card clearing house Chronopay, Pavel Vrublevsky, was arrested in Russia for an alleged cyber attack against a competitor. Another major shareholder of Chronopay was also arrested as part of the Ghost Click operation—Rove Digital’s CEO Vladimir Tsastsin. These two arrests may have significant consequences for the rogue antivirus business, as Chronopay was the preferred credit card clearing house of cybercrime gangs that sell FAKEAV.

2011 proved that collaboration between law-enforcement authorities and the security industry can have a major impact. For major cybercriminals, it is no longer a question of ever getting arrested but when. We are looking forward to what 2012 will bring. One thing is certain though: Trend Micro will continue to support the fight against cybercrime.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011 in Review: Security Wins

Earlier this week the folks over at OpenDNS announced a preview release of their new tool DNSCrypt. This is touted as a huge step forward for privacy and security across the Internet. The premise is simple, encrypt all DNS traffic between the user and their recursive resolver. It’s a nice idea and all, but I think they missed the mark.

According to OpenDNS, the code is actually the first real-world implementation of the DNSCurve scheme. The stated goals are to provide privacy and authenticity to the entire DNS transaction. Unfortunately, you can’t just wrap an existing protocol with crypto and expect to be more secure than you were before. In this case you need to look at the entire ecosystem. Sure your DNS query will be private, invisible to other users or attackers on the same network. The problem comes a few milliseconds after you get the result. The privacy you gained by encrypting your DNS traffic evaporates when the browser makes its request of the server. An attacker in a position to see your DNS traffic is likely to have the same visibility into other forms of traffic.

If you are more concerned with authenticity of the data than privacy, there are better ways to get that as well. DNSSEC is ready to answer your call. A major advantage of DNSSEC is that in the case of some TLDs it can authenticate the result all the way to the root (This list includes an indication of which TLDs are signed). According to the DNSCrypt FAQ at OpenDNS, DNSSEC and DNSCrypt function perfectly in concert: “They aren’t conflicting in any way.”

DNSCrypt also possesses the interesting side-effect of driving more traffic to the OpenDNS infrastructure. They have open-sourced the client code, but they currently have the only running server implementation. If you are concerned that your ISP is sniffing your DNS traffic are you likely to be any less concerned that OpenDNS is doing the same thing?

Conclusion

Unfortunately, just wrapping existing protocols in encryption is not always the answer. In this case I would agree that the DNS conversation itself does become more secure. However, that additional privacy only applies to DNS. Other protocols are just as exposed as they were before.

If you want to ensure that the DNS replies you receive have not been tampered with, look to DNSSEC. If you are concerned that someone in the path is sniffing your packets and could tie Internet activity to you, consider using Tor or other VPN/proxy services.

Post from: TrendLabs | Malware Blog - by Trend Micro

DNSCrypt – Not Fundamental Enough

Last month, Google announced that they were making search more secure for their users. They announced that users already signed in to Google would have a more secure experience. This meant two things: first, search queries and results would now be sent via HTTPS. This protects the searches of users with unsecured Internet connections, such as most WiFi hotspots.

The second part was far more interesting. According to our tests, Google does not include the search terms used to reach websites anymore in the HTTP referrer header. Here’s part of the URL that Google is now sending as the referring URL:

Second, blackhat SEO sites won’t be able to access those stats either. It’s very useful for them to know what search term they have successfully hijacked. This is bad for them also for statistical purposes. When these sites receive visits from search engine visitors, they will have no idea what search sent them there. They won’t have a clear idea which search terms work and which don’t, so they are essentially in the dark. This can have a lot of impact on the effectiveness of their poisoning activities. This is, of course, good for Google as their search lists are cleaner but it’s also good for all users because they’ll be less likely to click on bad links from Google.

Of course, this only happens when users are already logged in to Google’s services. Given how many people already use Google Mail and Google+, this may not be such a big obstacle – but it still poses one. If people keep using regular no-padlock HTTP searches, they will keep disclosing their search terms and keeping things unchanged. The more people use HTTPS, the less information we’re giving the bad guys so there you have it: now you have one more reason to use secure connections to do your web searching.

Other blackhat SEO-related posts:

• Google’s Decision to Ban an Entire SLD Is a Paper Tiger
• Searches for iCloud Unveil FAKEAV
• Blackhat SEO Attack Uses Google’s Image Search to Reach 300 Million Hits

Post from: TrendLabs | Malware Blog - by Trend Micro

Google Secures Searches, Shuts Out BHSEO Scammers

We recently reported a couple of attacks involving malware that installs a Bitcoin mining application into systems. Apart from turning systems into unwilling “miners,” such malware also disrupt usage since the mining process takes up a great deal of system resources.

In the midst of talks about security issues surrounding Bitcoin, we found some attacks that target Bitcoin users, albeit through different means.

One of our fraud analysts, Maela Angeles, recently brought to our attention the emergence of phishing sites that target users of Mt. Gox, a popular exchange for Bitcoin.

Seeing this kind of threat, one cannot help but think that a similar attack was probably used to compromise a certain Bitcoin account, which later led to the drop in the Bitcoin price from US$17.50 to merely cents. Mt. Gox issued an advisory about the rise of phishing attacks late last month.

In the course of our effort to better understand how Bitcoin is affecting the threat landscape, we encountered a Web master who reported that he received a threat from a cybercriminal, saying that his site will be DoSed unless he deposits 100 Bitcoins to a certain account.

The nature of Bitcoin presents many opportunities for abuse as well as utilization for cybercriminal operations. The increase in threats that we are now seeing is definitely just the beginning.

Post from: TrendLabs | Malware Blog - by Trend Micro

Cybercriminals Have Their Eyes Set on Bitcoin

For some time now, we’ve been investigating the operation of a certain cybercriminal—a young man in his early 20s who resides in Russia. During our investigation, we discovered that the attacker uses various criminal toolkits, including SpyEye and ZeuS for crimeware, as well as exploit kits such as those for driving blackhat SEO to propagate his SpyEye/ZeuS binaries.

Using the SpyEye criminal toolkit, money mules, and an accomplice believed to reside in Hollywood, U.S.A., “Soldier,” as he’s known in the criminal underground, stole over US$3.2 million in six months starting January 2011, which equates to approximately US$533,000 per month, or US$17,000 dollars a day!

Noteworthy Compromises

Using the IP addresses of the victims that were recorded by the SpyEye command-and-control server, we were able to determine the network to which the IP address was assigned. We found that a wide variety of large organizations and U.S. multinational corporations in a variety of sectors were represented in the victim population.

We do not believe these large organizations and U.S. multinational corporations were originally the intended target, we instead believe that they were impacted following end-user compromise. Bots (infected victims’ systems) are routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud.

The victims’ IP addresses that were identified in the compromise included those belonging to the following types of organizations:

• U.S. government (local, state federal)
• U.S. military
• Educational and research institutions
• Banks
• Airports
• Other companies (automobile, media, technology)

C&C Infrastructure

His botnet was able to compromise approximately 25,394 systems between April 19 and June 29, 2011. And while nearly all of the victims were located in the United States, there were a handful of victims spread across 90 other countries.

Stolen Data

While SpyEye is known as a “banking Trojan,” it is quite capable of stealing all forms of credentials. We processed the data for well-known services and found that many credentials, especially for Facebook, have been stolen.

The SpyEye variant that was used for the above-mentioned operation is detected as TSPY_SPYEYE.EXEI. We’ve also blocked access to related remote sites using our Web reputation technology.

Such information gives us a clearer view of what goes on within a botnet as prominent as those created with SpyEye. Our continuous effort to obtain more information on how cybercriminals do business, their targets, and what kind of information they seek will hopefully lead us to discover how to dismantle these operations and prevent them from stealing a users’ hard-earned money.

Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye but the amounts stolen and the number of large organizations potentially impacted are causes for serious concern.

Hat tip also goes out to Kevin Stevens and Nart Villeneuve for additional intelligence found regarding this campaign.

Update as of October 4, 2011: We recently released the white paper, From Russia To Hollywood: Turning the Tables on a SpyEye Cybercrime Ring, which documents our investigation on this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Soldier SpyEyes a Jackpot

We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack.

Rogue SSL Certificates for Man-in-the-Middle Attacks

SSL certificates are used for secure Web sessions like Internet banking and Google’s Gmail. Certification authorities issue and check the authenticity of SSL certificates. In July 2011, hackers managed to create rogue SSL certificates for hundreds of domain names, including google.com and even the entire .com top-level domain by breaking into the systems of certification authority DigiNotar in the Netherlands. This is very dangerous, as these rogue SSL certificates can be used in man-in-the-middle attacks wherein encrypted secure Web traffic can be read by a third party.

On August 29, 2011, the rogue Google.com SSL certificate issued by DigiNotar was discovered. This rogue certificate makes snooping on Gmail traffic possible in man-in-the-middle attacks. Trend Micro has concrete evidence that these man-in-the-middle attacks indeed happened in Iran on a large scale.

Our evidence is based on data that the Trend Micro Smart Protection Network has collected over time. The Trend Micro Smart Protection Network constantly analyzes data from the feedback of millions of customers around the world, including what domain names are accessed from which parts at a particular time. This feedback data makes it possible to protect against newly seen attack vectors in the blink of an eye.

Attack Targeted Iranian Users

In recent weeks, we saw a very remarkable pattern for domain, validation.diginotar.nl—it was mostly loaded by Dutch and Iranian Internet users until August 30, 2011. Domain name validation.diginotar.nl is used by Internet browsers to check the authenticity of SSL certificates issued by DigiNotar.

DigiNotar is a small Dutch certification authority whose customers mainly reside in the Netherlands. We, therefore, expect this domain name to be mostly requested by Dutch Internet users and perhaps a handful of users from other countries but certainly not by a lot of Iranians.

Analyzing Smart Protection Network data, we saw that a significant number of Internet users who loaded the SSL certificate verification URL of DigiNotar were from Iran on August 28, 2011. On August 30, 2011 most traffic from Iran disappeared and on September 2, 2011 almost all of the Iranian traffic was gone and DigiNotar received requests mostly only from Dutch Internet users, as expected.

These aggregated statistics from the Trend Micro Smart Protection Network clearly shows that Iranian Internet users were exposed to a large-scale man-in-the-middle attack wherein SSL-encrypted traffic can be decrypted by a third party. Because of this, a third party was probably able to read all of the email messages an Iranian Internet user sent with his/her Gmail account.

Closer analysis of our data revealed even more alarming facts like outgoing proxy nodes in the United States of anti-censorship software made in California were sending Web rating requests for validation.diginotar.nl to the cloud servers of Trend Micro. This very likely means that Iranian citizens who were using this anti-censorship software were victimized by the same man-in-the-middle attack. Their anti-censorship software should have protected them. In reality, however, a third party was able to spy on all of their encrypted messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

DigiNotar: Iranians – The Real Target