Late yesterday it was announced that the largest cybercrime takedown, dubbed Operation Ghost Click, had been carried out. A gang of 6 people were arrested in a joint operation by the FBI and Estonian police. The six people were arrested in Estonia while the FBI raided a number of datacentres within the US and seized equipment allegedly used by those arrested. The six people arrested are alleged to have participated in a scheme which saw over 4 million computers worldwide infected with a computer virus that made those computers part of a botnet and generate more than $14 million for the criminals.
The criminals used the computer virus to change the DNS settings on the infected computers allowing the criminals to redirect the victims’ Internet traffic to Internet servers under the control of the criminals. So if the people using an infected computer wanted to go to a certain website the criminals could point the DNS record to a fake replica site under their control and use that to scam money from the victims.
In order to ensure minimum impact on the infected computers the authorities, together with TrendMicro, were able to replace the DNS servers under the criminals’ control with legitimate servers. While this ensures the affected users can continue to use the Internet their computers still remain infected with the computer virus.
The FBI have set up a page where you can check if your system is infected, TrendMicro provide more details herewith links to their HouseCall software for a free scan and clean-up should your system be infected.
More details on the operation can be found in the FBI’s press release. A very interesting thing to note that a number of Apple Mac computers were infected as part of this botnet. Showing that no matter what operating system you use you still need to take precautions to ensure your system is secure. Brian Kreb’s, as usual, has an excellent article on this operation.
Well done to TrendMicro, the FBI and the Estonian police for their work on this case. A prime example of how sharing and working together we can eliminate threats.
An issue with the DAT 5958 update to the McAfee VirusScan Enterprise product causes PCs running Microsoft Windows XP Service Pack 3 to crash. The DAT 5958 update incorrectly identifies the system file svchost.exe as containing malicious code belonging to w32/wecorl.a. When the McAfee software tries to clean the mistakenly identified malicious code from the svchost.exe it causes the Denial of Service, Blue Screen of Death or DCOM error conditions rendering the affected PC unusable.
There is a lot of media attention being paid to the Conficker C worm due to update itself tomorrow. Researchers have not been able to identify what exactly that update will do. It may simply upgrade the worm to make it harder to detect or instruct it to carry out certain actions. This lack of understanding is leading to a certain level of confusion and indeed some security companies hyping up the issue to no doubt help their bottom line.
F-Secure have a very good Questions and Answers post on their Blog that cuts through some of the hype. Remember April 1st only impacts on machines already infected with the Conficker C variant. If your machine is not infected nothing will happen to it.
To prevent infection by Conficker C you can follow the steps outlined in our earlier post. Should you feel that you do not have enough time to put those measures in place, researchers from the Univeristy of Bonn have issued a paper on how to contain Conficker C on your network.
To detect if you have any infected machines on your network Nessus has a plugin, 36036, available and Nmap 4.85 Beta can also detect infected computers. The US Department of Homleand Security has also released a detection tool . Should you detect any machines infected with Conficker C, the Internet Storm Center has a list of removal tools.
Conficker C is due to activate its update at midnight GMT tonight. So by this time tomorrow we should now exactly what all the fuss is about.
Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 953252. NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 953252 to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 to be able to successfully disable the AutoRun feature.We advise that you follow the above recommendations to ensure your systems are protected from this threat.
Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October due to an increase in attacks aimed at exploiting that vulnerability. In particular a new worm Worm:Win32/Conficker.A. has been noted as causing a rise in the number of attacks.
Once a PC is infected the Worm:Win32/Conficker.A. will patch the vulnerability to prevent the PC from being exploited by another worm or attacker and will also reset the system restore point to make it more difficult to recover the infected PC.
Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle. For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to.
I am obviously not the only one who thinks that as the Internet Storm Center‘s Infocon has turned yellow which means they are “currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak. “
The vulnerability could allow an attacker without authentication to remotely run arbitary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. This is similar in nature to how the MSBlaster worm propogated throughout the Internet and this vulnerability could be used in the same way. Microsoft have reported that they have seen live targetted attacks on some customer systems using this vulnerability.
It is recommended that you patch your systems ASAP. However patches, be they from Microsoft or other vendors, brings with them many inherent risks that we need to consider before rolling them out onto production systems. Will the patch introduce new problems as well as fixing the ones identified? Will it impact on other applications and systems? If we patch we may have problems, if we don’t we may have a security breach. Not the easiest of choices for an IT or Infromation Security professional to have to make.
I recommend you look at the following steps to mitigate the problem;
A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
Whatever solution is decided upon needs to be agreed to and signed off by senior management.
An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action or (b) in the event your systems are compromised in spite of the steps taken.
Remember as part of the plan to ensure that all your backups have been running successfully and more importantly that you can restore them!
Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
Communicate clearly with the user population explaining why the patch is being deployed and to report any unusual behaviour.
Ensure that all Anti-Virus signatures and software is up to date.
Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.
I strongly advise, as with all patches, to ensure that you test and are satisfied that the patch does not negatively impact your environment before you deploy it. It also may be worth keeping on high alert even after deploying the patch as;
Other new vulnerabilities could still be found in this feature of Windows.
Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.
The old saying “no news is good news” takes a bit of a twist as criminals use fake emails from CNN to trick people into downloading malware onto their PCs. Once downloaded this software will then make the PC part of a botnet to be used as the criminals see fit. The emails look very convincing, see below, and will no doubt catch many users unaware.
To protect your networks you should
Ensure you have the most up to date Anti-Virus installed and up to date on all workstations.
Ensure that you have the latest browser and Operating System patches installed and applied on all workstations. Don’t forget that some patches do not come into effect unless you reboot the system.
Block incoming emails into your network with the below subject line.
Educate and warn users about the threat and ask them not to click on any links in suspicious emails.
Today say the launch of the Olympic games and here’s hoping that the rest of the games are as good as the opening ceremony. But what has the Olympic games got to do with information security? Well here are some of the issues that you should consider over the duration of the event;
Already a number of online scams have appeared related to the games, such as websites selling fake tickets to the event. I doubt that those criminals’ scruples would also stop them abusing the credit card details that people submit to these sites.
Criminals will use the Olympic Games as a ruse to get people to download malware to recruit their systems to be part of a botnet. No doubt the Storm botnet will be sending emails with titles relating to terrorist attacks against the games or a famous athlete caught in a compromising situation or other similar ruses to get your users to download the botnet software.
We will also probably see a number of phishing attacks using the games as a bait to lure unsuspecting people. Phishing emails telling users they have won tickets to the game will come as no surprise.
These Olympics will have a huge online presence with various sites offering live steaming media coverage of the events. If you do not manage this properly your network could be swamped with this traffic leading to a nice self inflicted denial of service attack.
Numerous fake websites will no doubt be set up offering coverage of the games online to also download malware onto the unsuspecting visitor’s computer.
Legitimate websites will also be targetted by criminals to infect these sites with their malware so that it is downloaded to vulnarable machines that visit them.
So if you want to be able to relax and enjoy the games without becoming an unwilling competitor against the bad guys you should look at the following;
Increase your security awareness training amongst your users. Make them aware of the possible threats that they may face.
Make sure your anti-virus software is up to date and has been distributed to all computers.
Ensure that all necessary patches have been applied to PCs, especially in relation to their browsers and other components such as media and flash players.
Ensure your perimeter defences are up to date and that you are scanning all Internet traffic, be that email or web traffic, for malicious content.
Ensure you have QOS (Quality of Service) enabled on your network to ensure legitimate business traffic is not impeded by those users streaming their live coverage of the net.
People may use their laptops at home to access sites relating to the games so ensure that you have end point security enabled to prevent any infected devices connecting back into your network.
Ensure portable devices like laptops are encrypted. Users may watch certain events in pubs, hotels or friends houses and either have their laptop with them on the way to or from work.
By considering the above you should be in a better position to be able to enjoy the spectacle that the Olympic Games are.