Archive for January, 2011

The U.S. government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them.

Over the past 18 months, security consultancy Mandiant has come across several cases where determined attackers were able to get onto computers or networks that required both smart cards and passwords. In a report set to be released Thursday, Mandiant calls this technique a “smart card proxy.”

The attack works in several steps. First, the criminals hack their way onto a PC. Often they’ll do this by sending a specially crafted e-mail message to someone at the network they’re trying to break into. The message will include an malicious attachment that, when opened, gives the hacker a foothold in the network.

After identifying the computers that have card readers, the bad guys install keystroke logging software on those computers to steal the password that is typically used in concert with the smart card.

Then they wait.

When the victim inserts the smart card into the hacked PC, the criminals then try to log into the server or network that requires the smart card for authentication. When the server asks for a digital token from the smart card, the bad guys simply redirect that request to the hacked system, and return it with the token and the previously stolen password.

This is similar to the techniques criminals have been using for several years now to get around the extra authentication technologies used in online banking.

Mandiant is the kind of company that businesses and government agencies call to clean up the mess after they’ve been hacked. It has done investigations at about 120 organizations overt the past year and a half. Most of them get hacked via a targeted e-mail. But in many cases, they were actually hacked years earlier, but never managed to remove the malicious software from their network, according to the report.

Companies or government agencies that assume that they are secure just because they use smart cards to authenticate, could be in for a nasty surprise some day, said Rob Lee, a director with Mandiant. “Everything is circumventable in the end,” he said.


China’s Internet Spying

Posted: January 27, 2011 in Analysis

Businessmen in major metropolitan hotels find their computers are penetrated.

A correspondent from Asia Sentinel wrote on January 24th, 2011, last June, at about the time of the anniversary of the Tiananmen Square massacre of 1989, several members of the internal investigation unit of a US company assembled at an international luxury chain hotel in Beijing for a conference.

The company does not want to be identified, or even to have its field of business identified more specifically. When the employees got back to their home base, they discovered that their computers had been penetrated through the hotel’s internet system. The penetration of some of the computers was so extensive that their hard disks crashed.

“They had been hacked through and through,” said a source. “It happened in the hotel through the internet connections. Whoever was on the other end had the ability to go clear into their hard disks.”
“As well as non-classified US government systems, the hackers accessed systems at the World Bank and at defense contractors such as Lockheed Martin. Defense, law enforcement and intelligence agencies in the UK, Canada, Australia and New Zealand alerted businesses to improve security procedures in light of these intrusions.”

It was unclear whether there was state involvement in these attacks, the report states. But, it continues, the US-China Economic and Security Review Commission concluded that “the depth of resources necessary to sustain the scope of computer network exploitation targeting the US and many countries around the world, coupled with the extremely focused targeting of defense engineering data, US military operational information, and China-related policy information is beyond the capabilities or profile of virtually all organized cybercriminal enterprises and is difficult at best without some type of state-sponsorship.”

The New Trend in “Malware Evolution”

Posted: January 27, 2011 in Analysis

Back in the days when malware was more about fun and less about profit, the talk about “Malware Evolution” was very simplistic. These discussions focused mainly on the new client side features of the malware and how it behaves on the infected machine.

Today, the malware authors are all about profit, and they are doing everything in their power to make their malware as stealthy as possible. This means trying to dodge common end-user security products (e.g., anti-virus), as well as evading security products that monitor the network traffic. For these reasons, it’s time to start using new terms when discussing “Malware Evolution”.

Rootkits are probably the most common feature in today’s “Malware Evolution.” In the case of rootkits, the malware abuses several operating system (OS) features in order to go undetected by both the OS itself and end point security solutions.

However, now that malicious code in the wild is getting updated and being controlled from remote cybercrime servers, the malware authors are also determined to remain invisible to network security products like firewalls, intrusion prevention systems (IPS), etc. which monitor network traffic.

Carberp as a case study

Let’s take the Carberp information stealing Trojan as an example. Many pundits speak of Carberp as the eventual successor to ZeuS in the realm of botnets.

In terms of network traffic, the first known version of Carberp started with a simple server side PHP script (task.php, first.php). The malware installed one plug-in (grabber.pcp) which was used to steal information. The stolen information was then sent to the Carberp drop server in clear text.

The next version of Carberp was a bit more complex. An htaccess file was used to redirect requests to specific HTML filenames (task.html, first.html) to one PHP server side script which handled all the botnet tasks. This version of the malware installed several plug-ins:
1) stopav.plug – Anti-Virus killer
2) miniav.plug – Removes other malware from the infected machine (much like the ZeuS killer feature that was introduced by SpyEye)
3) passw.plug – Information stealer
The stolen information was still sent in clear text.

Carberp evolves

Recently, Seculert Research Lab identified what seems to be a new version of Carberp. This new version includes several interesting new features:

1) Network traffic evolution: All communications with the Command & Control (C&C) server, as well as the stolen information sent to the malware drop, are encrypted using RC4. The interesting part is that the RC4 key is randomly generated and is sent as part of the HTTP request. This is the first time we have encountered such behavior. For example, other malware, such as ZeuS, only use one RC4 key which is embedded within the malware itself.
2) Anti-Virus statistics: While the new version of Carberp sends information about the running processes on the infected machine to the C&C server, as in previous versions, it now also checks which AV software is installed on the machine (see screenshot below). The following pie chart shows the distribution of different AV products which are installed on a specific botnet’s infected machines. The majority of the victims are using Kaspersky. This is probably because this botnet primarily targets people from Russia.

3) Malware name: Previous versions of Carberp didn’t seem to use this name, neither in the malware code nor in the administration panel. As you can see in the screenshot below, the name “Carberp” is mentioned in the logo of the new version’s Administration Panel. We suspect that the authors of this malware have embraced the security industry alias for this piece of malicious code.

Based on the “success” of Carberp, we expect to see other types of malware evolve similarly with respect to the way they communicate with Command & Control servers and the nature of information they collect about their victims.

It’s time that the security industry confronts this new type of “Malware Evolution” and starts to think out-of-the-box (literally) about malware detection and prevention.

Carberp Banking Malware Upgrades Itself

Posted: January 26, 2011 in Analysis

A piece of banking malware that researchers have been keeping an eye on is adding more sophisticated capabilities to stay hidden on victims’ PCs, according to the vendor Seculert.

Carberp, which targets computers running Microsoft’s Windows OS,was discovered last October by several security companies and noted for its ability to steal a range of data as well as disguise itself as legitimate Windows files and remove antivirus software. It has been billed as a rival to Zeus, another well-known piece of malware.

Carberp communicates with a command-and-controller (C&C) server using encrypted HTTP Web traffic. Previous versions of Carberp encrypted that traffic using RC4 encryption but always used the same encryption key.

Using the same key meant it was easier for intrusion protection systems to analyze traffic and pick out possible communication between the infected Carberp computers and the C&C servers, said Aviv Raff, CTO and co-founder of Seculert. Seculert runs a cloud-based service that alerts its customers to new malware, exploits and other cyberthreats.

A new version of Carberp is mixing it up, using a randomly different key when it makes an HTTP request, said Raff. When it uses the same key, there are some static patterns that can be detected. Even Zeus, which is begrudgingly respected for its high-quality engineering, uses the same key that is embedded in the malware.

“Most network based security solutions are using traffic signatures to detect bots trying to connect to the C&C,” Raff said. “This new feature is used to evade this type of detection and make it hard and almost impossible to create such signatures.”

Seculert has posted a writeup about Carberp.

Carberp has also expanded the scope of the victims it seeks to infect. The latest version is targeted users in Russian-speaking markets, Raff said. Previous versions targeted banks in the Netherlands and the U.S., he said.

SAN FRANCISCO (AFP) – Mozilla and Google on Monday took steps toward giving people more online privacy but each said hurdles remain to creating simple “Do Not Track” buttons for Web browsing software.

Mozilla proposed adding a signal to its popular Firefox browser to let users automatically ask websites not to track their online activities.

Websites would then decide whether to grant the desire or continue to gather data for purposes such as targeting Internet advertising.

Firefox users would be able to broadcast that they want to opt out of third party, advertising-based tracking by setting browsers to transmit a “Do Not Track HTTP header” with every click or page view.

“The challenge with adding this to the header is that it requires both browsers and sites to implement it to be fully effective,” Mozilla technology and privacy officer Alex Fowler acknowledged in a blog post.

“Mozilla recognizes the chicken and egg problem and we are taking the step of proposing that this feature be considered for upcoming releases of Firefox.”

Google on Monday released extension software for its Chrome browser that lets users opt out of being tracked by a growing set of companies adopting industry privacy standards regarding online advertising.

“Keep My Opt-Outs” lets people opt out of having snippets of code referred to as “cookies” installed on their computers to track online behavior for the purpose of targeting ads.

“Keep in mind that once you install the Keep My Opt-Outs extension, your experience of online ads may change,” Google product managers Sean Harvey and Rajas Moonka said in a blog post.

“You may see the same ads repeatedly on particular websites, or see ads that are less relevant to you.”

The top 15 largest US ad networks are among the more than 50 companies involved in the opt-out program. Google is among the firms that also provide an option for people to specify what types of ads they are most interested in.

“Importantly, we’ve designed the extension so that it should not otherwise interfere with your Web browsing experience or website functionality,” Harvey and Moonka said.

“This new feature gives you significant control without compromising the revenue that fuels the Web content that we all consume every day.”

California-based Google said it is working to make the feature available to Web browsers other than Chrome.

Microsoft plans to increase privacy options in the upcoming version of its popular Web browser Internet Explorer 9 (IE9), including the ability to prevent tracking by third-party websites.

The US software giant said that the new feature, “Tracking Protection,” is designed to “help consumers be in control of potential online tracking as they move around the Web.”

The tool will be built into a test version of IE9 being released this year.

IE9 users will have to be savvy enough to create lists of third-party websites that they do not want to track their behavior.

Talk of Web browser privacy enhancements comes amid moves in Washington to create “Do Not Track” mechanisms in browsers to stop online services from collecting Web surfing or ad-targeting data.

Internet Explorer is the most widely used Web browser in the United States followed by Mozilla’s Firefox,Google’s Chrome and Apple’s Safari.

“Technology that supports something like a ‘Do Not Track’ button is needed,” Mozilla chief executive Gary Kovacs told AFP during a recent visit to Mozilla’s headquarters in Mountain View, California. “The user needs to be in control.”

Firefox debuted in 2004 as an innovative, communally crafted open-source browser released as an option to Internet Explorer.

According to a new report (PDF) from DNS and online security service provider OpenDNS, social networking site Facebook was the most-blocked site during 2010. In this context, blocking means that OpenDNS customers specifically configured their DNS and security services to prevent their users from connecting, presumably out of security concerns, to prevent people from wasting time at work, or using company or organizational resources inappropriately. However, Facebook ranked highly on another list: it was the second most commonlywhitelisted site, meaning sites that were specifically granted exemptions from other security or blocking rules.

“Overall, 2010 was all about social, and this trend is reflected in the data we’re seeing,” said OpenDNS founder and CEO David Ulevitch, in a statement. “Facebook is both one of the most blocked and the most allowed Web sites, reflecting the push/pull of allowing social sites in schools and the workplace.”

OpenDNS found the top five most commonly blacklisted sites for 2010 were Facebook, MySpace, YouTube, Doubleclick (an advertising network now owned by Google), and Twitter. Other commonly-blocked sites included other ad networks and adult-oriented sites. However, the top five whitelisted sites included a few of the same times—YouTube and Facebook, followed by Gmail, Google, and Google’s translation service.

Overall, Facebook was blocked by 14.2 percent of networks using OpenDNS, and specifically whitelisted by 12.7 percent. However, amongst OpenDNS’s business users the proportions changed: a full 23 percent blocked Facebook.

OpenDNS also broke down Web content filtering into broad categories, finding that during 2010 Web sites classified as pornographic were blocked by 85 percent of users, followed by sites with “sexuality” (80.1 percent) and “tasteless” content (77.3 percent). Proxies and anonymizing sites were also blocked by 76.2 percent of users, meaning the organizations are attempting to prevent their users from circumventing Web content filtering.

OpenDNS also found that the United States hosts more phishing sites than any other country—by a significant margin. According to OpenDNS, some 53.8 percent of phishing Web sites were on systems hosted in the United States, with Germany coming in a distant second with 6.3 percent.

Cloud printing on the go

Posted: January 26, 2011 in Analysis

Back in April 2010 google  announced Google Cloud Print, a service that in Beta allows printing from any app on any device, OS or browser without the need to install any software. Just last month we opened Google Cloud Print to users in the Chrome notebook pilot program. Today we are very pleased to announce the beta launch of Google Cloud Print for mobile documents and Gmail for mobile, which we will be rolling out to users throughout the next few days.

Imagine printing an important document from your smartphone on the way to work and finding the printout waiting for you when you walk in the door. Just open a document in Google Docs or an email in Gmail in your mobile browser and choose “Print” from the dropdown menu in the top right corner. You can also print certain kinds of email attachments (such as .pdf or .doc) by clicking the “Print” link that appears next to them.

This feature will be rolling out today and tomorrow for English speaking users in the US and will work on most phones that support HTML5, such as devices running Android 2.1+ and iOS 3+. To get started, you’ll need to connect your printer to Google Cloud Print. This step requires a Windows PC for now, but Linux and Mac support are coming soon. You can learn more at the Google Cloud Print help center.

Happy printing!

(Cross-posted on the Docs Blog and Gmail Blog.)