DDoS global hysteria


Hype and hysteria are normal in the AV business. After all, they have been an intrinsic part of the business model since the Michelangelo virus. However, I get quite concerned about stuff like this when it could be used as a justification for war. South Korea, already on pins and needles because of its bellicose and nutty northern neighbor, is now suspecting that same country of launching a “cyber” war.

This is nuts.

I know of not a shred of evidence that this bot is from North Korea. It would take considerable research to ascertain the original source (the relevant IPs to the malicious code are in several places — Florida and Germany).

What happened here is trivial stuff in the security world: a bot got onto somewhere between 60,000 and 100,000 PCs and started launching DDoS attacks.

BFD. This hasn’t happened before? Russian politicians have to run their political campaigns on social networks because they are so used to being DDoSed during political campaigns. This is common stuff in the malware world.

Through underground channels, one can contact a botmaster (someone who “owns” all these infected machines), and pay them to DDoS whomever. It’s a felony, but it doesn’t mean it doesn’t happen. Or, one can gain control of a command and control (C&C) server and start DDoSing. This is what that kid who was DDoSing CastleCops did — he found a C&C by accident (they are out there, we’ve stumbled upon them not a few times in our research), went to his local library and started DDoSing CastleCops.

And no, one does not have to run out and frantically buy AV software. MyDoom and its variants are well-known pieces of malware that have been out for years. Detections are pretty robust; if you have a recently updated AV product, you should be fine. And remember, millions of people aren’t infected with this bot — the count of infected systems is less than .01% of the entire PC universe.

A far, far more critical issue is the current DirectShow exploit — now that is something to get worried about.

(Incidentally, Brian Krebs is keeping a good tally of the situation, and also links to this excellent overview by Hauri.)

Alex Eckelberry

Mydoom attacks – North Korea NOT

The moderately large botnet distributed-denial-of-service attacks on government web sites in the U.S. and Korea on July 4 and continuing this week were probably NOT the work of North Korean intelligence forces, according to researchers who have analyzed the attacks.

In spite of South Korea’s contention that their country’s rival to the north was to blame, apparently it was the work of a fairly unsophisticated intruder who used the five-year-old Mydoom worm to launch the attack from a botnet of about 50,000 machines mostly in Asia.

The worm was first identified by Sunbelt Software in January, 2004, as Email-Worm.Win32.Mydoom.gen (v). Its variants have always been detected by Sunbelt’s malware analysis technology, MX-V™, included in the company’s VIPRE™ antivirus product line. MX-V is a compact, high-speed virtualized Windows environment integrated into VIPRE, which performs rapid behavioral analysis of potential malware.

Mydoom is a mass-mailing worm and generally arrives in spam email as an attachment carrying file extensions of .bat, .cmd, .exe, .scr or .zip. If an Internet user activates it, the worm sets up a back door on a system and allows the botnet owner who sent the email to control the infected computer. The infected machine, added to a botnet, can then be used to send spam email to propagate the worm. It also can be used to launch denial-of-service attacks. It will install on most Windows operating systems, including Windows 95, Windows NT, Windows 98, Windows 2000, Windows Me, Windows XP, and Windows Server 2003.

It’s been considered a low-level threat and has been detected by most major antivirus products since it first appeared in 2004.

News stories here and here.

Tom Kelchner

Koobface is back – on Twitter

Good ole Koobface worm is back. This time it’s on Twitter.

Here’s how it works:

1. you get a tweet from a friend with the text:

  • My home video :);
  • michaeljackson’ testament on youtube, or
  • Watch my new private video! LOL :).

2. you click the link and go to a Facebook page with a video

3. you run the video

4. you get infected. Then every time you log into Twitter, Koobface sends similar tweets to all your friends to infect them.

Story here.

Oh, yes. If you get infected, don’t bother spreading it to Alex Eckelberry. Someone was nice enough to email his family the Koobface variant in April (see his blog piece here.)

Tom Kelchner

Will Google Chrome break Microsoft’s hegemony?


No.

But Microsoft should be (and assuredly is) concerned.

The Google Chrome OS is a lightweight OS initially targeted at the netbook market, but ultimately usable on any desktop PC. It’s not for mobile phones or other small devices — that’s Android (although the two will share components).

But the use of Chrome all comes down to one question: Are users willing to give up their Microsoft applications? Are business users willing to give up interoperability with the rest of their organization, with the wealth of business applications designed for the Microsoft environment?

I’ve bought two netbooks so far. Both were running Windows, because I need Microsoft Office (particularly PowerPoint, for my presentations on the road). No, I don’t want to run StarOffice or some other solution (like Google Docs). I need perfect operation, every time. I actually once saw a Linux die-hard do a presentation by flipping through a PDF — it was silly. Businesses have always been the major driver of the microcomputer, because people use their business machines and then want to go home and use their home machines in a similar environment (using the same files, etc.). Macs themselves are wonderful (the most wonderful operating system out there IMHO), but there are also practical considerations. People who use Macs in a business environment are the early-adopter types, but the platform has never gotten to massive scale simply because of interoperability (and cost).

I’m as much a fan of Linux, Macs and all the rest as anyone else. But I am also a pragmatist.

Ultimately, the success of the Chrome OS will depend on the third-party applications available for it. The fact that it’s *nix based helps here, as applications are easy to port. The fact that Google has some applications already developed is helpful too. But it is very, very hard to get any real headway on Microsoft. (Years ago, I was the product manager for an ill-fated operating environment, DESQview (and its big sister, DESQview/X). A different time, and different circumstances, but I will say that getting application support is always a major issue with any operating system.)

Remember, despite Linux dominating the netbook market early on, the minute Microsoft started offering XP Home on these machines was the minute the tide changed. Windows XP now has over 90% market share on netbooks, and I don’t expect that to radically change any time soon.

The whole cloud argument — well, that’s a wonderful buzzword. I’ve heard the same arguments about cloud-based computing for many years, whether it was ASPs, etc. There are very useful aspects to the cloud, but excitable non-technical types tend to get a bit starry-eyed around this stuff when it’s not entirely deserving of mass adulation. It’s just an alternative method of storage, and it is deeply constrained by infrastructure (the speed of your connection, the availability of a connection, and so on).

Alex Eckelberry

Microsoft DirectShow Zero day

This is serious and is ITW. 

Killbit:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
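To confirm the kill bit actually took effect (or to apply it without clobbering other flags already set on the control), here is an added PowerShell check; it is not part of the original post. It uses the CLSID from the .reg fragment above; the registry path is the standard ActiveX Compatibility location, 0x400 is the documented kill-bit flag, and the Wow6432Node path is assumed to be the one 32-bit IE reads on 64-bit Windows.

```powershell
# Added example (not from the original post): verify or apply the IE kill bit
# for the control referenced in the .reg fragment above.
$Clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # CLSID from the post
$KillBit = 0x400                                      # documented kill-bit flag

function Get-KillBitState {
    param([string]$Clsid)
    # Check both the native and the 32-bit (Wow6432Node) hive: on 64-bit Windows
    # 32-bit IE reads the latter, so a kill bit in only one place can be missed.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        $flags = 0
        $item = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
        [pscustomobject]@{
            Path    = $p
            Flags   = ('0x{0:X8}' -f $flags)
            KillBit = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    param([string]$Clsid)
    # Requires an elevated shell. ORs 0x400 into the existing value instead of
    # overwriting it, so any other compatibility flags on the control survive.
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    $current = 0
    $item = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = [int]$item.'Compatibility Flags' }
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

# Report the current state; uncomment the next line (as administrator) to apply it.
Get-KillBitState -Clsid $Clsid | Format-Table -AutoSize
# Set-KillBit -Clsid $Clsid
```

Importing the .reg file above replaces the whole "Compatibility Flags" value with 0x400, which is fine for a control that had no flags before; the Set-KillBit function preserves anything else already there, and Get-KillBitState is what you would roll out to verify the mitigation across a fleet.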

More at SANS here, plus CSIS writeup here (if you don’t “taler Dansk”, then use this Google Translate link).

Best solution? Don’t use IE for now.

Alex Eckelberry

Update: Microsoft info here.

Pornography, government and the Internet

It’s probably superstition, but it seems that news stories come in bunches. Today’s theme is: “governments across the planet try to deal with Internet pornography”:

— The Green-Dam saga continues. China delayed indefinitely the requirement that new computers have an installation of Green Dam-Youth Escort filtering software to protect young people from pornographic and violent Internet content. The big question seems to be: “will the delay be temporary or permanent.” They really should just make the filtering voluntary AFTER they get rid of the political censorship issue and AFTER they resolve the copyright-infringement issues and AFTER they fix the vulnerabilities in it. But I digress.

— The Ukraine has made illegal the possession of pornography except for medicinal purposes. I just don’t know what to say about “medicinal purposes” except that it’s going to generate another category of spam that will probably give a whole new meaning to “Canadian pharmacy.”

— In the U.S., several adult-content web sites appear to be collateral casualties of the take down of the Pricewert ISP by the Federal Trade Commission. Some are reporting the loss of $5,000 per day. Some are scrambling to find their web site content, since the Federal court and FTC confiscated Pricewert’s servers. I guess the lesson here is: don’t do business with businesses that do illegal stuff.

— The Georgia (USA) Bureau of Investigation is warning that an email containing a six-minute child porn video is circulating in the Stone Mountain area. The video might be a 2005 clip from the Dominican Republic that has been known to investigators. There are conflicting news reports, but at least one says it’s being spammed by malware. Possession of the video on one’s computer is a felony in the U.S. Investigators are telling Internet users to delete the email on sight (Subject line: “VERY Disturbing! TAKE CARE OF YOUR KIDS/ they should kill this man, do not open if your [sic] sensitive… click video link.”)

Pornography has been a complicated issue since, well, forever. There are paintings of an “adult” nature in the ruins of Pompeii that were buried in the year 79. In the quaint 1950s in the very Puritan U.S., there were “nudist” and “art photo” magazines that pushed the legal envelope, and “men’s” magazines explored how much of a woman’s anatomy they could show and still stay at least one millimeter away from the legal limit.

In the U.S., porn enthusiasts probably won the battle when courts as high as the U.S. Supreme Court found themselves completely unable to define the difference between pornography and free speech. In 1964, U.S. Supreme Court Justice Potter Stewart wrote the legendary articles of surrender, saying that he couldn’t define pornography, but “I know it when I see it.” Shortly after that, the VCR went on sale and it was REALLY “game over” for the anti-porn side.

The result has been a legal shadow world and very lucrative gray economy that turned into a terrific environment for scams, fraud, rogue anti-malware products and thieving computer malcode. Yes, there is a load of pornography out there on the Internet that is perfectly legal, sold by perfectly legal businesses with secure servers. Governments in conservative places will always try to fight it. They will only ever have very limited success. Sex will always be a very shiny lure.

The bottom line: if you see any advertisement on the web or in your email for “adult” anything, it simply will never be truly safe to go there.

Links to stories:

China’s Web ‘Dam’

Yushchenko signs porn law despite widespread opposition

Web-Hosting Firm’s Shutdown Costing Adult Affiliate Operator $5K a Day

GBI: Open This E-Mail, Go Directly to Jail (Possibly)

Tom Kelchner