
Archive for the ‘Botnets’ Category

The denials, now from the aforementioned Chinese schools (Shanghai Jiaotong University and Lanxiang Vocational School), are expected, but without foundation given the proof uncovered by Joe Stewart, a malware specialist with SecureWorks.

Mr. Stewart reverse-engineered code from the Hydraq trojan and, according to the NY Times, ‘determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese technical paper that has been published exclusively on Chinese-language Web sites.’

For a much more detailed analysis beyond the scope of the Times article, jump to the original SecureWorks blog post by Mr. Stewart where he explains the basis of his conclusions about the unusual CRC algorithm.  As he says, “This information strongly indicates the Aurora codebase originated with someone who is comfortable reading simplified Chinese…In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase…”

I had fun hypothesizing about the evil genius of backdoors inside the source code of pirated copies of Windows (take the tin hat off now!), but this argument concludes that someone or some group (PLA?) in the PRC is behind this.  As Mr. Stewart recognizes, this could still be the work of others, intent on blaming the Chinese government, but he refers to Occam’s Razor and its classic argument that the simplest explanation is probably the best one.

On the other hand, the counter argument, and some compelling evidence, has been raised in this blog piece.

To play the Devil’s Advocate for a moment: say the U.S. government was behind this, to throw suspicion on the PRC for political and economic reasons, and to fight back against the “persistent campaign of “espionage-by-malware” emanating from the People’s Republic of China (PRC)”, as Mr. Stewart describes it; who would be helping the U.S.?

As I stated before, maybe we’re doing it or maybe others are doing it for us.  If we’re doing it, we’re doing it directly or using inside assets.  If someone else is doing it for us – who?  My money is on the Israelis.  Israel has plenty of sharp coders and the Mossad is quite capable, as recent news has shown.  And, they’ve done this before.  If not Israel, what other nation would be likely to help the U.S.?  England, Canada or Australia probably.

Then there’s the voice that says, ‘everyone’s doing it, so why worry?’ Sadly, all too true…  Most likely, we’ll never really know the answer.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


An excellent article in the N.Y. Times on February 18th stated that two Chinese schools, the Shanghai Jiaotong University and the Lanxiang Vocational School were involved in the recent online attacks against Google and dozens of other U.S. corporations.  These conclusions come from research by various security researchers, the NSA, and U.S. defense contractors.

There are multiple possibilities to consider here and more detailed information is required before making any final conclusions.  On the one hand, it appears to be obvious ~ yes, it’s the Chinese government/military working with or sponsoring patriotic student hacking activities.

On the other hand, perhaps not.  An important part of the covert Intelligence function and process is the dissemination of dis-information for various reasons, be they political, economic, strategic, etc.  As the Times article speculates, this may be a false-flag intelligence operation led by another nation-state.

To do this successfully, you need insiders who work for you who can plant the trail of ‘bread crumbs’ that lead back to the source of origin or you need outsiders who can co-opt internal resources to make it look like the attacks came from the schools.  For the latter, you’d need to control individual servers or a botnet from within China to do the attacks, with just enough hard-to-find, but incriminating and hard-to-spoof pieces of evidence to prove the assertion.

Think about who might do this, why and how?

Image courtesy of scienceblogs.com


If you put the tinfoil conspiracy theory hat on, is it possible that pirated copies of Microsoft Windows could be involved?  That would be almost too perfect.  A completely new twist on the meaning of Trojan Horse!  The news that there was a completely undiscovered flaw in IE6 that was used for the attacks is plausible, but is it probable?  Are we talking undiscovered, or simply unrevealed?

I’m not a forensics expert or CS grad, so am more than curious about how you’d prove, absolutely, that the attacks came from specific machines, not just IP addresses.  We can’t use the Evil bit to solve this conundrum.

It’s interesting to speculate about all this and it certainly will be interesting to follow.  Will we ever know the Truth, or just read stories?  It’s like an Information Security version of the Allegory of the Cave.

Later friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


O Botnet, Where Art Thou? Yes, like an Odyssey worthy of Homer or a George Clooney movie, the saga of the Conficker botnet continues.  The Most Excellent folks at Shadowserver have posted an update today.

While Conficker fell off the media radar, Shadowserver has been following it:

  • “As recently as late October 2009, the number of systems infected with the A+B+C variants topped seven million.”
  • “Currently, there are over 12,000 ASN’s that have at least one Conficker IP in their network space.”
  • The Conficker stats and charts page can be found here: http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker

Like the Bogey Man and the Monster Under the Bed, we Know it’s There, but what is It Doing?  One thing the data shows is that overall, its presence is dropping: its previous high was 6.5 million, estimated in October 2009 at 7 million, and it is now declining, thanks largely to serious eradication efforts, including ongoing domain registration by the Conficker Working Group.
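The “ongoing domain registration” mentioned above works because a bot computes its rendezvous domains from the date, so anyone who knows the generator can register or sinkhole those names before the bots ask for them. The following is an added example written for this page; it is neither Conficker’s actual generator nor Conficker Working Group code, and the seed, TLD list, domain count, dates and DNS log lines are all constructed. It shows the two defender uses of a predictable generator: building the day-ahead registration list, and matching DNS query logs against it to find infected clients.

```python
"""Pre-registering DGA domains and using the list as a detection feed.

Illustrative code for this page only. The generator is a deliberately simple,
hypothetical date-seeded DGA; it is NOT Conficker's algorithm.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")       # assumed for this example, not a real bot's list
SEED = b"hypothetical-seed"        # constructed; a real DGA's constant differs


def dga_domains(day: date, count: int = 50) -> list:
    """Deterministic list of domains a bot would try on `day`."""
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domains.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return domains


def sinkhole_list(start: date, days_ahead: int) -> set:
    """Every domain a bot could ask for from `start` for `days_ahead` days.

    This is the list a working group would register (or point at a sinkhole)
    ahead of time so the botnet never reaches a domain its operators control.
    """
    out = set()
    for d in range(days_ahead):
        out.update(dga_domains(start + timedelta(days=d)))
    return out


def flag_infected_hosts(dns_log: list, sinkholed: set) -> dict:
    """Count, per client, queries for sinkholed names.

    Log lines are assumed to be '<client-ip> <queried-name>'; names are
    normalised (case, trailing dot) before matching.
    """
    hits = {}
    for line in dns_log:
        client, _, qname = line.partition(" ")
        qname = qname.strip().lower().rstrip(".")
        if qname in sinkholed:
            hits[client] = hits.get(client, 0) + 1
    return hits


# Constructed sample DNS log: two clients querying generated names, one clean.
_DAY = date(2009, 10, 31)
SAMPLE_DNS_LOG = [
    f"10.0.0.5 {dga_domains(_DAY)[0]}",
    f"10.0.0.5 {dga_domains(_DAY)[1].upper()}.",   # case/trailing dot noise
    "10.0.0.9 www.example.com",
    f"10.0.0.12 {dga_domains(_DAY + timedelta(days=1))[3]}",
]


def demo() -> dict:
    """Register three days ahead, then scan the sample log against that list."""
    return flag_infected_hosts(SAMPLE_DNS_LOG, sinkhole_list(_DAY, 3))


if __name__ == "__main__":
    for client, n in sorted(demo().items()):
        print(f"{client}: {n} sinkholed lookups")
```

The registration list is only as good as the reverse-engineered generator: if the bot’s author changes the seed or the TLD set (as the post notes Conficker did as it morphed), the day-ahead list stops matching and both the denial and the detection go silent until the new generator is recovered.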

A very interesting piece on SearchSecurity.com brings us up-to-date on the hunt for the Conficker authors.  The article quotes Mikko Hyppönen from F-Secure speaking about how the worm’s authors used the MD6 cryptographic hash to sign the worm, including updating the hash after an MD6 weakness was found.  Also, the worm was able to work around disabled Autoplay on Windows systems.
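Signing the update channel is what kept researchers from pushing their own payload to the bots, and swapping the hash after a weakness was found is only possible if the verifier treats the digest algorithm as data rather than hard-coding it. The added example below is written for this page and is not Conficker’s code: MD6 is not available in Python’s hashlib, so SHA-256 stands in; an HMAC over a constructed shared key stands in for the authors’ public-key signature; and “md6-weak” is a placeholder name for the retired variant. It shows an update verifier with that crypto-agility plus a deny-list for algorithms that must no longer be accepted, which is the defender-side version of the same design decision.

```python
"""Update verification with a swappable digest algorithm and a retirement list.

Illustrative code for this page only. HMAC with a shared key stands in for a
real signature; "md6-weak" is a placeholder name, not a real hashlib algorithm.
"""
import hashlib
import hmac
import json

# Algorithms the verifier must no longer accept. md5 and sha1 are real
# retirements; "md6-weak" is a placeholder for "the MD6 variant replaced after
# the weakness was found", as the post describes.
RETIRED_ALGORITHMS = {"md5", "sha1", "md6-weak"}


def make_manifest(payload: bytes, algorithm: str = "sha256") -> dict:
    """Producer side: name the algorithm next to the digest instead of hard-coding it."""
    return {"algorithm": algorithm,
            "digest": hashlib.new(algorithm, payload).hexdigest()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest (HMAC here; a real channel would use a signature)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest()
    return json.dumps({"manifest": manifest, "tag": tag})


def verify_update(payload: bytes, signed_manifest: str, key: bytes) -> tuple:
    """Consumer side. Returns (accepted, reason); every rejection names its cause."""
    try:
        outer = json.loads(signed_manifest)
        manifest = outer["manifest"]
        tag = outer["tag"]
        algorithm = manifest["algorithm"].lower()
        expected = manifest["digest"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed manifest"
    if not isinstance(tag, str) or not isinstance(expected, str):
        return False, "malformed manifest"

    # 1. Authenticity first: an unauthenticated manifest could simply name a
    #    weak algorithm and carry a digest of the attacker's choosing.
    body = json.dumps(manifest, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        return False, "bad manifest tag"

    # 2. Agility: refuse retired algorithms even when the tag is valid, so a
    #    manifest issued before the retirement cannot be replayed afterwards.
    if algorithm in RETIRED_ALGORITHMS:
        return False, f"algorithm {algorithm} is retired"
    try:
        actual = hashlib.new(algorithm, payload).hexdigest()
    except ValueError:
        return False, f"unknown algorithm {algorithm}"

    # 3. Integrity of the payload itself, compared in constant time.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed for the demo
    payload = b"constructed update payload"  # constructed for the demo
    good = sign_manifest(make_manifest(payload), key)
    print(verify_update(payload, good, key))                       # (True, 'ok')
    stale = sign_manifest(make_manifest(payload, "md5"), key)
    print(verify_update(payload, stale, key))                      # retired algorithm
    print(verify_update(payload + b"!", good, key))                # digest mismatch
```

Ordering matters here: the authenticity check runs before the algorithm is even looked at, so the manifest field can never be used to steer the verifier into a weak algorithm, and the retirement list is consulted after the tag check so that an old but genuinely signed manifest is still refused once its algorithm is withdrawn.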

The counter-attacks by security researchers will influence botnet developers as they morph their capabilities and attack surfaces in response.  While Conficker seems to be contained and has become the inverse of Top of Mind, you should still Pay Attention, just because…

Peace & Love Y’all!


An update on the status of the Conficker botnet, courtesy of ShadowServer and the Conficker Working Group, via Dark Reading, shows the botnet currently at 5.5 Million compromised (by the A & B variants) machines, mostly in Brazil, China and Vietnam.

As I’ve posited before, these are un-patched systems running unlicensed copies of Windows.  From the Dark Reading article: “Microsoft, meanwhile, says of all of the attacks exploiting the MS08-067 vulnerability, Conficker accounts for more than 3 million threat reports versus about a half million for all other vulnerabilities exploiting the bug…”.

To mitigate the inevitable future use of the Conficker botnet, perhaps Microsoft could provide a one-time system scour and patch available only to IP addresses from the aforementioned countries.

How best to compel licensed users to apply patches when released?  This tricky issue is problematic for business users who require patch testing prior to production deployment, although patch testing is vastly more robust than it used to be, hence less likely to disturb production systems by creating a new incident to respond to.

It’s the SOHO and SMB users who need help.  What to do, what to do?  Forcing automatic system OS and applications patching on the second Tuesday each month, even if Automatic Updates is turned off might work, but is that degree of invasive action necessary, required, and prudent?

Aye, there’s the rub…

More user education, without fostering FUD, like those smarmy Apple ads.  In addition to the ‘I’m a PC‘ Microsoft ads, how about also promoting safe computing by having the actors say something about regular patching, like “I’m a PC AND I always use Automatic Updates, just because I like being sure“.

It couldn’t hurt!  😉


It lurks among us, waiting for who-knows-what to do exactly that.  It lurks, in the Microsoft Windows realm, because it’s the only viable environment to propagate in.

The smug ones pontificate about how safe they are with their Macs or Linux ~ that’s immaterial because the World is Windows, for better or worse and we need to learn about and from Conficker for the future’s sake.

An interesting piece in the N.Y. Times discussed how Conficker continues to morph following the advances or missteps of its adversaries.  The article also speculates that the original purpose of Conficker may not be financial, but state-sponsored.  It’s as if a five million zombie botnet, at current counts, sprang into being for no obvious reason.  Waledac spambots are one thing, financial gain from selling AV scareware is another, but is that all there is?

Anyone or group sophisticated enough to create Conficker and keep abreast and ahead of the Conficker Working Group, etc., must have a purpose and intent(s) in mind ~ we just don’t know yet what it/they are.

Calling Dr. Evil…

If somehow, the ‘good guys & gals’ could take over the Conficker botnet, the harnessed computing power could be used for good, like SETI research at least.  😉

Given the Microsoft emergency patch on October 23, 2008 and the media press during late March/early April 2009, this raises the question of why so many Windows machines remained un-patched long enough to continue the infection spread.  Variant C disabled Windows Update and blocked AV software lookups.  Perhaps the use of pirated copies of Windows has aided the worm’s spread; as unlicensed copies, my understanding is they are incapable of running Windows Update.

It may be another proof of concept and a way to test the waters, stimulus-response style.  In this chess match, there are vested interests watching the process and reactions on both sides of the aisle…

Cheers!
