Super Bot

This sure looks like a nasty piece of work.

Massive botnet ‘indestructible,’ say researchers

A new and improved botnet that has infected more than four million PCs is “practically indestructible,” security researchers say.

“TDL-4,” the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.

“[TDL-4] is practically indestructible,” Golovanov said.

. . .

TDL-4 infects the MBR, or master boot record, of the PC with a rootkit — malware that hides by subverting the operating system. The master boot record is the first sector — sector 0 — of the hard drive, where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks.

Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code.

But that’s not TDL-4’s secret weapon.

What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

See also:
TDL4 – Top Bot
Sophisticated TDL-4 Botnet Has 4.5 Million Infected Zombies
‘Indestructible’ rootkit enslaves 4.5m PCs in 3 months
TDL-4 creates 4.5 million PC ‘indestructible’ botnet
Security Researchers Discover the Mother of All Botnets
TDL-4: The ‘indestructible’ botnet?
There’s a Botnet Called TDL-4 That’s Virtually Indestructable
‘Indestructible’ Botnet Enslaves 4.5 Million PCs
‘Indestructible’ Zombie PC Botnet Borrows Exploit From Israeli, U.S. Cyberweapon
Have cybercriminals created the perfect botnet — undetectable and indestructible?

If you ever needed a reason and reminder to keep your operating system, anti-virus, and anti-spywware software patched and up to date, this would be a good one.

/remember, if you’re not part of the solution, you’re potentially part of the problem

Rustock Reigned In

Chalk up a big win for the white hats in the ongoing cyberwar against the evil spammers.

Good guys take down notorious Rustock spamming botnet

Rustock, one of the largest and most notorious spam botnets, suddenly fell silent Wednesday and has remained off line.

The takedown of Rustock’s 26 command-and-control servers appears to be the result of a coordinated effort by longstanding anti-spamming groups, the most prominent of which is Spamhaus.org, according to cybersecurity blogger Brian Krebs, who broke the story.

Rustock’s control servers directed the activities of hundreds of thousands of infected PCs in homes and businesses, used primarily to deliver e-mail and social network messaging spam. Rustock is infamous for spreading ads for drugs from unlicensed online pharmacies.

Details of how the takedown was achieved are unclear; Rustock’s control servers were renowned for being nigh impregnable.

Rustock has been around for at least three years, and late last year had doubled its spam output over the previous year; in 2010, Rustock sent out more than 44 billion spam emails per day, accounting for as much as 48% of all spam, and had more than one million bots under its control, according to MessageLabs, Symantec’ messaging security division.

See also:
Rustock Botnet Flatlined with No Spam Activity
Notorious Spamming Botnet, Rustock, Takes a Fall
Rustock botnet’s operations disrupted
Major spam network silenced mid-campaign
Rustock botnet goes quiet again
The World’s Largest Spambot Network Goes Quiet
Prolific Spam Network Is Unplugged
Prolific Spam Network Is Unplugged
Rustock Botnet is Down, But Maybe Not Out
Rustock botnet

It still amazes me how the botnet spammers find hundreds of thousands of computers to infect. If everyone would just keep their software patches up to date, botnets wouldn’t be a problem in the first place. It’s like leaving the front door to your house wide open with a sign that says “burglars welcome”.

/one of the biggest upshots of the Rustock takedown is that if you want to buy Viagra or other erectile dysfunction drugs in the future, you’re going to have to go see your doctor, because the spam offers will hopefully no longer flood your email inbox

We’re Number One, We’re Number One!

This is why it’s important to keep your computer security up to date.

US Ranks First for Bot-Infected Computers and Spam Output

According to data gathered by Microsoft’s Malicious Software Removal Tool (MSRT), the United States had the highest number of computers infected with botnet malware, during the first half of 2010.

Botnet are armies of infected computers, which connect to remote command and control (C&C) servers and listen to instructions from attackers.

Botnets can serve a variety of criminal activities, but the largest ones are primarily used to send spam.

According to a recent report from Symantec, during the first half of the year, 90% of the daily spam traffic was generated by five to six million compromised computers.

In the latest edition of its Security Intelligence Report (SIR), Microsoft reveals that during Q2, MSRT has cleaned 2,148,169 bot infections from US computers.

That’s four times more than in the second country on the list, Brazil, with 511,002. Spain (485,603), Korea (422,663) and Mexico (364,554) complete the top five.

“Unsurprisingly, the list is dominated by populous locations with large numbers of computer users, led by the United States and Brazil,” says Microsoft.

However, there are at least two regions with large numbers of computers that do not dominate the list – China, which finished 8th, and Russia, 9th.

See also:
Featured Intelligence – Battling Botnets
USA Is Still #1 In Botnets
United States Ranked Number One for Relaying Spam, Sophos Reports
Report: United States is world’s top spammer
US Has Most Botnet-infected PC’s
Microsoft Report: 2 Million US PCs Part of Botnets
Microsoft: Over 2 million U.S. PCs caught in botnets
Millions Of US Computers Completely Pwned By Botnets
Microsoft: Your Computer Could be One of 2.2 Million Infected Botnet PCs
Microsoft: Botnets are the ‘launch pad of cybercrime’

If you’re not sure whether you have an infected computer, run Microsoft’s Malicious Software Removal Tool (MRT). Go to Start/Run and then type in “mrt”.

/if you’re not part of the solution, you’re part of the problem

Cyberwar Fail

Okay, so it was pretend, could have been more realistic, and adding the natural disasters was a bit much, but today’s Cyber ShockWave proved a point, the United States is not ready to defend herself against an organized, large scale cyber-attack. The Chinese, Russians, and a myriad of other state and criminal entities probe our cyber-defenses 24 hours a day, seven days a week, looking for weaknesses. If one or more of these actors decided to launch a coordinated, sustained cyber-assault, we could be brought down to our economic knees in a crippling world of infrastructure cyberhurt.

Report: The Cyber ShockWave and its aftermath

When it comes to the protection of the nation’s infrastructure, the government is lacking in several areas. While they have the ability to act offensively, if they know who the enemy is, the trick is to collect enough information and retaliate without violating domestic and foreign policy and law. The Tech Herald was in Washington D.C. on Tuesday to witness Cyber ShockWave. Here’s what we walked away with.

What happened?

Cyber ShockWave started with a vulnerability in the operating systems used by various Smartphones. Thanks to a malicious application, celebrating the NCAA’s March Madness, Spyware was loaded onto Smartphones that included a keylogger and data intercept component. The application was then used to funnel millions of dollars to banks overseas. From there, the data and money snatching application morphs, and the malicious application turns the infected devices into bots and adds them to a telecommunications botnet.

The bots start to download videos showing The Red Army. The downloads and resulting spread of the video result flood the data networks of the major carriers, and slow them to a crawl before crippling them altogether. After that, the Malware on the Smartphones starts to replicate, thanks to sync programs linking information from the phone to a computer. Now that the computers are infected, the ISPs face the same issue the telecoms faced. In the end, both communications systems are crippled.

If this wasn’t enough, weather patterns resulting in a heat wave and hurricanes stress the electrical system. This is where things go south, on a major scale. A hurricane wrecks the petroleum refining and natural gas processing centers, and a stressed electrical grid is hurt more by Improvised Explosive Devices (IEDs) and what is assumed to be a Malware attack on the Secure Trade power trading platform.

Both incidents are deemed critical, and the former top US officials debated how to respond for most of the event. The problem is that by the end of the debates, during both sessions, there were no real answers.

Behold the confusion that is Cyber ShockWave

Can we nationalize the U.S. power system? Should the National Guard be called out? The FBI reports that they have traced the services used in the March Madness application to Russia, is retaliation called for? Two IEDs were detonated in two different power facilities, is it terrorism? According to a GNN (the news source for media information during the event), there was a cyber component to the electrical outage, later assumed to be related to patches on the Secure Trade software. Was this the work of an insider? These were the topics of note, and the confusion only led to more questions and few answers.

The downside to the ShockWave, as it were, is that there were just too many levels of attack at the same time. The Cyber ShockWave exercise was to create a possible attack scenario, but not one that is total chaos. However, by adding the botnet side to the telecom attack, adding in natural disasters as well as potential terrorism on and offline, they added too much to the “Perfect Storm” that they kept referring to it as.

The malicious application causing harm to telecom and ISP networks is one scenario that is highly likely, as more and more applications make it to market and more and more people switch to Smartphones. The odds of this happening at the same time that the power grid is attacked, and a hurricane kills off oil and gas production, is simply too high to compute.

The point of it all

The main point to take away from Cyber ShockWave, at least how we see it, is that there needs to be a solid level of cooperation inside the government first, and then after that, between the government and private sector. There is no “I” in team, and when it comes to protecting the assets within the backbone of the Internet, both private and government entities have a lot to look after.

One interesting point came up when debating the Russian server, the one the FBI said was linked to the telecom attacks. Why doesn’t the government simply shut it down? The reason is that doing so could be considered an act of war. No one knows, because there is no policy or precedence of such an action.

The mirror side to this would be the question, what if the Russian server was a jumping point to a server in the U.S.? If so, can we shut it down then? What would be the reasoning? While killing a server in a foreign country could be perceived as an act of aggression, doing so on our own soil could be a violation of various laws, unless a state of emergency is ordered. Once that happens, according to the panel, the President has a good deal of leeway.

There are few limits to what the government can do in response to a threat to national security. What limits that exist are those enforced by policy and U.S. law. What this means is that while there were several ideas passed around, many of them are without precedence, so they couldn’t be acted on.

For example there was a patch for the Smartphones, one that would fix the Malware issue. Yet, only 50-percent of consumers applied it. To prevent further attacks to the telecommunications system, you can ask the people to stop using phones, or simply force them to stop using them by turning them off. If the issue was forced, and the government did something to turn the phones off, then there would be serious consequences to deal with later.

In the end, the Bipartisan Policy Center, who put Cyber ShockWave together, had hoped that the gaps existing within the law and government policy related to cybercrime and cyberattacks would be exposed. The got their wish, as gaps in both areas were exposed. But when it comes to balance between the private and government sectors and security, it takes more than policy to make it work.

It would have added a ton of weight to the exercise if there was some sort of consultation with energy companies or telecom representatives. They were absent during the mock attacks, and their absence was felt when you consider that by the time the President was “briefed”, there was no solid plan of action as to how to deal with and recover from the incidents.

There were some smart and skilled people on the panel. Yet, the scripting made the panel come off as clueless when it came to the reach, intelligence, and overall skill of foreign attackers. The current cyber capacities of the various international terrorist groups were left completely off the table.

Overall, the Cyber ShockWave was more media hype than actual intelligence and insight. We had hoped to see some of the political heavyweights on the panel act with their full capacity and experience, but they either couldn’t or opted not to. If anything, the federal employees who attended learned that managing IT in the public world, and dealing with threats there, is nothing like attempting the same feat within the federal government.

See also:
U.S. Isn’t Prepared for Massive Cyber Attack, Ex-Officials Say
War game reveals U.S. lacks cyber-crisis skills
In a doomsday cyber attack scenario, answers are unsettling
Washington Group Tests Security in ‘Cyber ShockWave’
US networks and power grid under (mock) cyber-attack
Cyberattack simulation highlights vulnerabilities
Former officials war-game cyberattack
Former Government Officials Gather to Rehearse Cyberwar
Former top U.S. officials hold cyberattack exercise
Cyber ShockWave cripples computers nationwide (sorta)
Cyber Shockwave : Cyber-Attack to Test Government Response
Is The U.S. Ready For A Cyberwar?
25 ways to better secure software from cyber attacks
It’s Your Cyberspace Too, So Take Care Of It
Bipartisan Policy Center

/remember, this was only a test, had this been an actual emergency we would have been seriously [expletive deleted]