Iran DDOS 2

Posted: June 20th, 2009 | Author: nart | Filed under: Hacktivism | No Comments »

I just read a great post by Jose Nazario suggesting that there hasn’t been much evidence of the use of botnets. But the most interesting point he makes is where he points out that the site under attack could take offensive action against the people participating in these “refresh” style attacks:

The attackers who participate by loading these pages and going off to dinner, sleep, or on with their days open themselves up to attacks back through drive-by attacks. Imagine a simple scenario: the victims modify their sites to include some code like LuckySploit that commits a simple set of attacks. The attacker’s machine reloads the page (this is, after all, part of the attack). Hit a browser or accessory bug and bam, the attacker has been attacked. Now you’ve got a foothold on the attacker’s machine and, if you’re a sophisticated cyberwar player, you can use this to further understand your adversary. This is a dangerous strategy. If you’re going to employ this kind of attack you need to remember you may be putting your “army” at risk.

That’s interesting because it has happened before. A similar type of campaign back in 1998 by EDT was focused on the Pentagon and the site under attack retaliated:

In September 1998, the Electronic Disturbance Theater, a group of activists that practices politically driven cyber civil-disobedience, launched an attack aimed at disabling a Pentagon Web site by flooding it with requests. The Pentagon responded by redirecting the requests to a Java applet programmed to issue a counteroffensive. The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash.

(Also, the defacers are getting into it: a gov.ir site was defaced too (http://www.marivan.gov.ir/Election.htm).)


Iran DDOS

Posted: June 16th, 2009 | Author: nart | Filed under: Hacktivism | 1 Comment »

There have been a variety of good reports (zdnet, sans, fp) on the DDOS campaigns targeting Iranian sites after the election. However, one of the things I’ve noticed is the tendency to characterize this as something relatively new. But this has been happening for at least a decade! See http://www.fraw.org.uk/download/ehippies/archive/op-01.html, http://www.fraw.org.uk/download/ehippies/archive/op-01a.html, http://www.thing.net/~rdom/ecd/archives.html

I think that one of the issues being overlooked is the mobilization and participation component. To just DDOS a site, it’s easier to use/buy/rent/etc… a botnet. That involves few people, it is easy, and it is effective. To get a bunch of people to basically refresh a site (even if they are using some rudimentary automated tools) requires participation. I have doubts about whether the downtime of the targeted sites is due to this type of attack. I suspect that there are likely other attacks involved that do the heavy lifting.

“But to think that it takes a lot of people to execute an act of civil disobedience on the Internet is naive. Programs make a difference, not people.” — Oxblood Ruffin, cDc

Anyway, I’m finding that these sites are unavailable:

16/06/09 12:18 http://ahmadinejad.ir/ 217.218.155.110 503
16/06/09 12:18 http://www.justice.ir/ 62.193.12.10 503
16/06/09 12:18 http://www.iranjudiciary.org/ 62.18.21.156 (51, ‘Network is unreachable’)
16/06/09 12:18 http://rajanews.com/ 10.7.222.162 (51, ‘Network is unreachable’)
16/06/09 12:18 http://www.farsnews.com/ 77.104.73.15 (61, ‘Connection refused’)
16/06/09 12:18 http://www.leader.ir/ 62.220.121.130 (61, ‘Connection refused’)
16/06/09 12:18 http://www.president.ir/ 80.191.69.11 timed out
16/06/09 12:18 http://www1.farsnews.com 77.104.73.16 timed out
16/06/09 12:18 http://www.irna.ir/ 81.12.51.146 timed out
16/06/09 12:18 http://www.police.ir/ 81.28.32.52 timed out
16/06/09 12:18 http://www.mfa.gov.ir/ 217.172.99.41 timed out

The defacers seem to be out too:
http://zone-h.org/mirror/id/9003285


pwn3d botnets

Posted: May 5th, 2009 | Author: nart | Filed under: Featured, Worms/Viruses/Botnets | 1 Comment »

Two recent reports have been published that document how the C&C servers of two large botnets were accessed by researchers. The first comes from Finjan, which discovered a botnet, dubbed Hexzone, with 1.9 million infected hosts. (Also see Jose Nazario’s post on this.) The second report documents the exploitation of the Torpig botnet by researchers at the University of California, Santa Barbara. They took control of Torpig for 10 days and discovered 182,800 bots on 1,247,642 IP addresses. (As a result they caution against relying on IP addresses, and on other measures such as the unique IDs assigned by the malware, as a measure of the total number of infected hosts.)

In the Hexzone case, Finjan was able to access a web interface to the control server located in Ukraine. Since “folders on this server were left open” — which presumably means there was no password protection — they were able to access the web interface. The University of California researchers were able to crack the scheme used by Torpig to generate the domain names that the attackers would register and use as control servers. The researchers registered the domain names that Torpig-infected hosts were to connect to before the attackers did and were thus able to seize control of the botnet.

The Torpig botnet focused on collecting financial information from infected hosts, such as banking information, online trading, investment and payment services, as well as credit card numbers. It also turns the infected host into a “proxy” that could be used for a variety of malicious purposes, including pushing spam. The infected hosts could also be used to perform DDOS attacks. Torpig also collects:

messages that users of infected machines send, for example, through webmail systems, forums, and chats. Since the full content of these messages is captured by Torpig, they often contain detailed (and private) descriptions of the lives of their authors.

One of the most interesting observations in the report for me concerns the potential collaboration among multiple actors to exploit the information obtained from Torpig. The University of California researchers note that there are a variety of “builds” and that the data collected is associated with particular builds.

Therefore, the most convincing explanation of the build type is that it denotes different “customers” of the Torpig botnet, who, presumably, get access to their data in exchange for a fee. If correct, this interpretation would mean that Torpig is actually used as a “malware service”, accessible to third parties who do not want or cannot build their own botnet infrastructure.

Finjan also notes that Hexzone relied on partnerships to propagate:

These cybercriminals established a vast affiliation network across the Web to successfully distribute and operate their malware install-base.

Interesting stuff.


Lots of Stuff

Posted: May 4th, 2009 | Author: nart | Filed under: Uncategorized | No Comments »

CIPAV – docs 1, 2, 3 — Because suspects are increasingly using tools to mask their IP address, the FBI now uses a “computer and internet protocol address verifier” to identify a suspect’s IP (as well as additional info). It appears to work by leveraging various “drive-by” exploits. On a worrying note, the first few lines of the document obtained by Wired via FOIA note “we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions”.

Joint Strike Fighter – The same WaPo reporter behind the “electricity grid hack” story strikes again, this time with at least a few interesting details. What I found interesting is the mention of the fact that the attacks were reportedly on allies, such as Turkey, that are part of the development and on contractors such as Lockheed Martin, Northrop Grumman Corp. and BAE Systems PLC. (more here).

“Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities” — I haven’t read it in detail yet, but it looks very interesting. The best line so far: “Today’s policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain.”

Insider Threat — This is something I’ve been focusing on recently, but here is a report which suggests that “37% of employees would become insiders given the right incentive”.


“Debunking” GhostNet

Posted: May 1st, 2009 | Author: nart | Filed under: InfoWar, Worms/Viruses/Botnets | No Comments »

If by “debunking” you mean “validating” the GhostNet report, you should listen to Paul Ducklin from Sophos discuss GhostNet in this interview. To be fair to Ducklin, I think that his comments are pretty much spot on, but the host appears to confuse our GhostNet report with the “Snooping Dragon” report by the folks at Cambridge.

Ducklin spanks us for relying on VirusTotal, which is a point well taken. He also raises the attribution issue, but in the context of the sophistication and availability of the tools the attacker used in the GhostNet case. We too raise this issue, noting that while the individual tools used by the attackers were technically unsophisticated, they were still able to infect and control high-value targets, in many cases for long periods of time.

This report serves as a wake-up call. At the very least, a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet…These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.

Tibet is the starting point of our story because that is where we (and by we I mean all the hard work of Greg Walton over the years) had samples of socially engineered emails with malicious attachments that were sent to Tibetan-related organizations and individuals. (Maarten Van Horenbeeck has done great work in this area concerning Tibet and the Falun Gong.) Greg also developed the trust relationships that allowed him (and Shishir from the Cambridge team) to travel to Dharmsala and collect network traffic from the OHHDL. Greg also collected samples from Tibetan-related organizations around the world.

Were people at these organizations really becoming infected as a result of falling for these socially engineered attacks? Was there anything more we could find out about the control servers other than that these pieces of malware connect to IP addresses that are often in China? In many cases we were not able to find out much other than the obvious: a malware-infected computer that connects to a control server in China. In fact, in many cases the control servers were identified in the field.

But when analyzing the data collected at the OHHDL back in the Citizen Lab, we were able to identify traffic to a control server in China (in Hainan Province) that was not identified in the field research, and were able to find the attackers’ web interface on it and several additional control servers. By carefully going through the data we were able to identify two distinct malware infections on the same computer at the OHHDL. While each piece had more than one control server, we were able to identify commonalities that allowed us to group the control servers into two distinct networks.

The infection we focused on issued HTTP GET requests to several PHP files on a server. There were connections to two domain names on the same server IP address. A lookup in APNIC shows that this IP address is assigned to a range belonging to Hainan-TELECOM in Hainan Province in China. One particular request stood out since it contained a parameter that appeared to contain a date, while the rest of the parameters in the request were encoded with base64. We took that string and put it in Google, and were surprised to see results.

Since it was not secured with a password we were able to click directly on a link from Google which took us straight to the attackers’ web interface. There was no “hacking” involved. I have a healthy fear of prison and stay clearly within the limits of the law.

Now that we knew the file names and paths favoured by the attacker we were able to guess the location of 26 such interfaces including several on the server to which the infected OHHDL computer connected.
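The beacon shape described above (GETs to PHP files whose query parameters are base64 apart from one date-like value) is something a network defender can hunt for in proxy logs. The following is an added example, not code from the GhostNet report; the log lines, the log format and the documentation address 198.51.100.20 are constructed for illustration.

```python
import base64
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log lines (not from the GhostNet report): "timestamp client method url status".
# Line 2 mimics the beacon above: every parameter is base64 except one that looks like a date.
SAMPLE_LOG = """\
2009-03-01T10:00:01 10.0.0.5 GET http://example.net/index.php?page=news&id=42 200
2009-03-01T10:00:07 10.0.0.5 GET http://198.51.100.20/cgi/list.php?a=SGVsbG8gd29ybGQ=&b=aG9zdDEyMw==&d=20090301 200
2009-03-01T10:00:09 10.0.0.7 GET http://example.org/search.php?q=b64&lang=en 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$", re.M)

def looks_date(value):
    """True for YYYYMMDD or YYYY-MM-DD strings that parse as real calendar dates."""
    for fmt in ("%Y%m%d", "%Y-%m-%d"):
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            pass
    return False

def looks_base64(value):
    """True if value is well-formed base64 of non-trivial length that decodes cleanly."""
    if len(value) < 8 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return True

def suspicious_requests(log_text):
    """Return (client, url, decoded_params) for GETs to .php files whose parameters are all base64 or dates."""
    hits = []
    for m in LOG_RE.finditer(log_text):
        _ts, client, method, url, _status = m.groups()
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        if method != "GET" or not parts.path.endswith(".php") or not params:
            continue
        # Classify dates before base64: "20090301" is also a syntactically valid base64 string.
        dates = [v for _, v in params if looks_date(v)]
        b64 = {k: v for k, v in params if v not in dates and looks_base64(v)}
        if b64 and len(dates) + len(b64) == len(params):
            decoded = {k: base64.b64decode(v).decode("utf-8", "replace") for k, v in b64.items()}
            hits.append((client, url, decoded))
    return hits
```

Decoded values are returned so an analyst can see what the client is reporting; the date-first classification matters because an all-digit date passes every syntactic base64 check.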

It became clear that the attackers had a wide range of targets that extended far beyond the Tibetans. When Ducklin discusses the wide range of malicious documents he’s seen that are similar to the ones used by the attackers we focused on, it corroborates information that some of those who have been infected (that are not Tibetan related) are telling us. Non-Tibetan targets receive socially engineered emails that are contextually relevant to them. Many of the most interesting GhostNet victims are embassies, government ministries and international organizations. These are not Tibet-specific targets.

GhostNet is *not* Tibet specific.

In our report we devoted a significant portion to alternative explanations and a discussion of the attribution problem. We do *not* say that we can prove that the Chinese government is behind GhostNet. In fact, we raise several plausible scenarios. Moreover, we suggest that this network is probably *not* unique and that there are many more like it out there.

One thing I’ve pointed out and will do so again is that just because the tools used by the GhostNet attackers are widely available does not necessarily preclude government involvement. I mean, what would that look like anyway? A trojan labeled “Developed by the Government of China”? If I wanted to meld into the crowd, if I wanted to leverage the attribution problem, I’d use available tools and common methods. The GhostNet attackers showed that using such less sophisticated methods can be quite successful. Why reinvent the wheel and possibly provide a ’smoking gun’ that points directly to you? Furthermore, if you could leverage independent actors to do the dirty work for you, even better. There’s even less traceability.

That is why we stated right in the beginning of the report that “the study clearly raises more questions than it answers.”