Archive for the ‘Targeted attack’ Category

U.S. Cybersecurity Changes with H.R. 4061

Thursday, February 4th, 2010

It seems that the recent and unusually public disclosure of the Google breach (and dozens of other U.S. corporations) has turned some heads. As Google reaches out to the NSA for help to secure its networks, a prominent cybersecurity bill passed the House today. It will drive large new cybersecurity efforts in the U.S. and will be an interesting bill to follow through the Senate. A summary of H.R. 4061 here.

One Big Invalid Pointer Reference 0Day

Friday, January 15th, 2010

The Google compromise in China story builds interest as Microsoft released an advisory and blog post on the relevant Internet Explorer browser vulnerability, crediting “details” to Google, Mandiant and others. A number of factors are unfolding a dramatic story here, with the detection of a 20-year old Stanford student’s computer targeted and attacked (it seems to be no surprise that a regional coordinator of Students for a Free Tibet would be another target), and mention of Sergey Brin’s own Russian refuge background reported “The source told the Guardian the company’s decision was largely influenced by the experiences of Sergey Brin’s Russian refugee background.”

The 0day Google hack attacked a invalid pointer reference within Internet Explorer. It seems that malicious web links were visited by Google employees, resulting in FUD spyware installations on their workstations. Over the past couple of decades, this type of vulnerability has been exploited and sometimes resulted in hugely prevalent and successful exploits on the web, such as the infamous createTextRange Internet Explorer mshtml.dll hole.

Update: Google China employees seem to have been given an early holiday, according to Tech Crunch IMers.

The trojan itself has been analyzed and described on our ThreatExpert blog here and more information from Symantec on the attacks here.

2010 and a Fresh Study

Tuesday, January 5th, 2010

There is an infinite number of ways to calculate 2010, here is a fairly fun list of some of them.

The past year showed massive numbers of malware being run on systems across the globe. Behind the malware was an active malware marketplace, often with forums full of services for hire, advice on distributing and maintaining crimeware, and devious ways to hire money-mules.

There is more than meets the eye to these services. Much of the activity was not being discussed in these public forums or was as front and center in the media as the Conficker circus. While bot activity is not new to the party, a recently published study “SBotMiner: Large Scale Search Bot Detection“ brings in the year with a fresh start on identifying and quantifying malicious search bot traffic. The activity is under-studied and significant: the “miner” identified that almost 4% of all query traffic is bot-related (which represents at least hundreds of millions of search queries every couple of months), and that seems to be only the tip of the iceberg. The traffic was collected in Feb and April 2009, the search engine is not specified (google, yahoo!, live, altavista, ask, etc.) and that selection may have impacted the studies’ volumes and results. It is suggested that Live search results were used, so results most likely are much larger when the other engines are considered. The study also includes more forms of bot-based attacker-related traffic, instead of exclusively examining click fraud related bot queries and activity.

The discussion and findings included:

“More importantly, detecting bot-generated search traffic has profound implications for the ongoing arms race of network security. While many bot queries from individual hosts may be legitimate (e.g., academic crawling of specific Web pages), a significant fraction of bot search traffic is associated with malicious attacks at different phases. In addition to the well known click-fraud attacks that can be commonly observed in query logs, attackers also use search engines to find Web sites with vulnerabilities, to harvest email addresses for spamming, or to search well-known blacklists.”

“Attackers are leveraging search engines for exploiting vulnerabilities of Web sites. SBotMiner Identifies 88K searchbot groups searching for various PHP scripts and ASP scripts.”

“Using the entire datasets, SBotMiner detects 8,678 groups searching for PHP scripts in Feb and 79,337 such groups in April; 64 groups searching for ASP scripts in Feb and 301 groups in April. These searches spread all over the world.”

“Initial evidence shows that many of them might be associated with various forms of malicious activities such as phishing attacks, searching for vulnerabilities and spamming targets, or checking blacklists. Interestingly, attacks from different countries and regions do exhibit distinct characteristics, and search bots from countries with high bandwidth Internet access are more likely to be aggressive in submitting more queries.”

“We used sampled query logs collected in two different months and identified 700K bot groups with more than 123 million pageviews involved. The percentage of bot traffic is non-trivial — accounting for 3.8% of total traffic”  

So how might this effect you, dear reader? Well, 2010 already brings with it more publicly available information on the methods being used to harvest information about you, the blackhat Seo that these groups are increasingly relying on and the means in which these groups attempt to identify vulnerable servers to attack and use, in turn, to attack your system. It’s a fine read with some fresh information and an enjoyable way to settle into the New Year.