Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    March 2012
    S M T W T F S
    « Feb   Apr »
     123
    45678910
    11121314151617
    18192021222324
    25262728293031
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for March 12th, 2012




    A federal judge approved the U.S. Government’s request to continue to run clean DNS servers for DNS Changer -infected victims by 120 days. The U.S. Government was initially granted a request to permit a private company to replace the rogue DNS servers with normal DNS servers. This previous decision also stated that the replacement servers must halt its operation by March 8, 2012. But with this decision, these servers have 4 more months to operate.  This extension is supposed to give affected entities more time to clean their computers. This development came days after an Estonian County Court approved the extradition of four more individuals involved in Esthost operations, a subsidiary of the company Rove Digital. All six suspects who were arrested in November last year can now be extradited to the U.S. upon approval of the Estonian government.

    The Esthost takedown last year was considered a triumph for the online security industry. Dubbed “Operation Ghost Click”, this collaboration among the FBI, NASA, Estonian Police, Trend Micro, and other industry partners resulted to the halting of almost 4,000,000 bots. The DNS Changer botnet was estimated to have affected millions of users and businesses. For more information on the Esthost takedown, the “largest cybercriminal takedown in history”, please refer to our previous blog posts:

    Extension Means More Recovery Period for Affected Users

    This extension was granted in light of new information that March 8 deadline proved to be insufficient for affected parties. A report released last month indicates that 3 million systems worldwide are still infected. The roster of victims also include 50 percent of Fortune 500 companies and almost half of all US government agencies. The US government argued that terminating the replacement servers on the previously set date will only disrupt the operations of affected businesses, corporations, and individuals.

    Before the takeover, DNS Changer Trojans were found to modify settings to use DNS servers setup by malicious third parties. This modification resulted to the hijacking victims’ search results eventually leading them to malware-hosting sites and adware among other threats. The malware also prevented users from visiting security sites that might help combat this infection. This means that DNS Changer victims were exposed to malware threats for a long time.

    By terminating the replacement servers now, while concerned parties are still struggling with the infection, will only result to users being cut off of their access to the Internet. Trend Micro senior threat researcher Feike Hacquebord believes that it may take some time to completely recover from the effects of the DNSChanger, “Rove Digital has been spreading DNS Changer Trojans and other malware for many years. It is not an easy task to clean up the big mess caused by malware infection campaigns spanning more than 5 years.” But Hacquebord is hopeful that this reprieve can bring more positive results, the “DNSChanger Working Group (DCWG) is working hard to help Internet service providers with informing victims and assisting them with computer clean-ups. We are hopeful that in the coming months, the number of infections will go down significantly.”

    The decision to extend the deadline underscores the scope and the damages created by the Esthost operation/ Rove Digital. For the meantime, users can check if their systems are infected or not by validating their IP addresses using “eye check” sites. DCWG also provides helpful tips on how users can verify if they are affected by this botnet.

     
    Posted in Botnets, Malware | Comments Off



    A couple of weeks ago, I and many of my colleagues from Trend Micro attended the annual “RSA Conference” in San Francisco. Here are some highlights of what we saw and heard.

    Cloud Security Alliance Summit

    One important event for us was the “Cloud Security Alliance (CSA) Summit 2012,” which was held at the recent “RSA Conference” in San Francisco. As part of this event, Trend Micro CEO Eva Chen received the first-ever CSA Industry Leadership Award. This highlighted the key role we played in helping decision makers consider the security implications of moving to the cloud. At the same time, it was also announced that the CSA would be expanded to include the APAC region, for which Trend Micro would set up a regional headquarters as a founding sponsor.

    The summit also featured several important talks, some of which I listed below:

    • Protecting State Secrets in the Cloud by former NSA director Mike McConnell. I found this to be a very timely talk considering that debates regarding the Cybersecurity Act of 2012 went on in the U.S. Congress a week or so before the “RSA Conference”.  The key takeaway from this talk was that governments now realize the national and global economic impact that targeted attacks and APTs make.
    • Securing an OpenStack Cloud by Chris Kemp, former NASA CTO. He gave a technical presentation on OpenStack. OpenStack is, as the name implies, a project to build an open source cloud OS. I won’t talk about the details of the presentation too much, as it was fairly in-depth, but I do encourage readers to check out the presentation slides.
    • Cloud Innovation—The Panel’s View on the Next Generation of Cloud Security Devices and Services. This panel discussion primarily focused on securing mobile devices and networks. The most interesting part of this discussion, however, had to do with the Trustworthy Internet Movement (TIM), announced by the moderator and Qualys CEO, Philippe Courtot. More information on the formation of TIM may be found here.

    Innovation Sandbox

    Another highlight of “RSA Conference” was the annual Innovation Sandbox Awards, in which 10 finalists vied for the Most Innovative Company Award. Appthority emerged as the clear winner with its Appthority Platform, which enterprise users can use to protect themselves against threats on mobile devices, including targeted attacks and data exfiltration.

    CloudPassage, which aims to secure virtual servers in all kinds of cloud environments or structures, and Sumo Logic, which delivers a cloud-based service that can help enterprises automatically and efficiently spot security red flags in logs coming from plugged-in products across their perimeters, also piqued my interest.

    In Part 2, I will share takeaways from other important talks, along with other observations.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice