Q2 2009 Threat Summary
Securing the Cyber Infrastructure
On May 29th, the President of the United States, Barack Obama, announced the creation of a new White House office to be led by a Cybersecurity Coordinator. The President began his speech by acknowledging the significance of virtual space.
"So cyberspace is real. And so are the risks that come with it."
Cyberspace is indeed real. Corporate information, personal data, network resources, and virtual commodities have been under constant attack for years. The law is only just beginning to catch up with the criminals and the reality of cyberspace. Most governments are still catching up to the reality of what needs to be protected.
President Obama also discussed the costs involved with eCrime:
"[W]e've had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm — spyware and malware and spoofing and phishing and botnets. Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied. According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion."
Eight billion dollars is only a fraction of the global costs. While it is impressive that President Obama knows terms such as "malware and spoofing", it remains to be seen whether the United States government is "ahead of the cyber criminals". In the constant battle to protect consumers' computers, just keeping up with newly emerging threats is a daily challenge.
On May 29th the Pentagon (United States Department of Defense) submitted its cyber defense plan to the White House. On June 23rd, Defense Secretary Robert M. Gates announced the creation of Cybercom. The new organization will coordinate the day-to-day operation of military and Pentagon computer networks.
F-Secure Chief Research Officer Mikko Hyppönen contributed the following to the New York Times on the 29th:
"In his remarks today, President Obama emphasized the global nature of the Internet and the security threats involved. This means that protecting the Internet cannot be done without international cooperation. A White House office will also have to address some important political and military questions. For example, it's typical that online attacks are rerouted through various countries to make it harder to locate the attacker's origin. So it will be important to work with other countries in combating these attacks. Moreover, because laws differ from country to country, cooperative enforcement of laws will be crucial.
Cyberwarfare will certainly be asymmetrical warfare. The enemy uses compromised computers belonging to consumers for their dirty work. As a result, the United States needs to think carefully about whether it is willing and committed to counterattack malicious proxies inside the U.S. or inside allied nations. If an attacker launches a wide attack through thousands of infected home computers in Asia and Europe, the U.S. will need to think carefully about how it will protect itself and what attempts to deal with this situation are justified.
There are no easy answers. But the good news in all of this is that President Obama has now clearly and convincingly brought the importance of this matter into the spotlight. It’s about time."
This new effort to secure America's cyber infrastructure, if successful, could finally produce the global organization and cooperation needed to curb the growth of eCrime and other emerging cyber threats. It will be a daunting challenge to undertake.
- New York Times: http://roomfordebate.blogs.nytimes.com/2009/05/29/a-plan-of-attack-in-cyberspace/
- Obama's speech: Securing Cyberspace
Green Dam Youth Escort
China has mandated that all computers sold in China, including imports, will need to be pre-installed with a software application called "Green Dam Youth Escort". The requirement takes effect on July 1, 2009. The software's intended purpose is to filter pornographic or violent material. Green Dam is designed for Microsoft Windows.
Response to Green Dam has been diverse. Privacy advocates state that Green Dam will act as spyware allowing for the monitoring of millions of Chinese computers. China has defended Green Dam against these claims stating that it is nothing more than filtering software.
In addition to censorship and monitoring concerns, there are claims that Green Dam infringes on copyrights belonging to Solid Oak Software Inc. The Wall Street Journal has reported that Solid Oak would file injunctions against U.S. manufacturers to stop them from shipping machines with Green Dam.
On June 11th, researchers from the University of Michigan published a report called "Analysis of the Green Dam Censorware System". The report demonstrated various security vulnerabilities in Green Dam Youth Escort that could allow "malicious sites to steal private data, send spam, or enlist the computer in a botnet". At least one of the reported vulnerabilities was patched on June 13th.
The security implications of millions of computers running Green Dam cannot be ignored. From July 1st onward, vulnerabilities in Green Dam could suddenly present attackers with "low hanging fruit" on every newly sold machine in China.
University of Michigan: http://www.cse.umich.edu/~jhalderm/pub/gd/
Internet Storm Center: http://isc.sans.org/diary.html?storyid=6571&rss
June's Iranian Presidential Election
The disputed Iranian presidential election of June 12, 2009 has led to large political protests and a wave of social networking media use. Twitter, Facebook, YouTube and other sites are being heavily utilized to distribute information and to circumvent government censorship. Facebook now offers a Persian language interface. Google Translate launched a "Persian ALPHA" tool. Twitter.com has been used to such an extent that the site was asked by the United States State Department to delay any network maintenance that might take the site offline.
This use of social media sites is a favorable development. Information wants to be free. On the other side of the same technology, there are also calls for Distributed Denial of Service (DDoS) attacks and targeted hacks against Iranian government servers.
More information from The World Tech Podcast: http://220.127.116.11/pod/tech/WTPpodcast247.mp3
Some of these attacks are much like the Estonian DDoS attacks of two years ago. Those who could not take part in physical protests turned to cyberspace in order to take action. In Iran's case, calls to DDoS government servers could create collateral damage to the very networks being used by protestors. As cyberspace continues to integrate itself with our daily real-world activities, we will see more political cyber attacks in the future. These attacks will not be carried out by military forces but rather by self-organized groups.
Technology does not discriminate between just and unjust causes. Hopefully the move to create a unified defense of the American cyber infrastructure will help generate the tools and organizations needed to maintain a global virtual world where information can flow freely and yet people are defended against cyber attacks. As President Obama stated, cyberspace has become "woven into every aspect of our lives." It must be protected.
Conficker Remains in the Wild
The threat landscape in the first quarter of 2009 was dominated by the Conficker worm, which has proved to be the most significant malware outbreak in recent years.
The Conficker Working Group, a multi-vendor effort, was a great success and is an excellent example of international cooperation within the Internet security industry. Conficker created a great deal of media interest, especially around April 1, 2009, at the start of Q2, when the Conficker C variant was due to modify its behavior. Nothing significant really changed on or after April 1st. Variant C began "dialing home" to a larger number of potential domains, but it simply did not have the same number of vulnerable machines to infect. The success of Conficker B exposed the problems that needed to be addressed, and variant C did not have enough of a foothold to expand the worm further.
The Conficker case once again demonstrated the emotional interest in outbreaks. Despite the subsequent loss of media interest, the Conficker worm is still out there and there are no answers as to what it was designed to do. Millions of unique IP addresses are currently being logged by the Working Group's sinkhole project.
The popularity of social networking sites continues to grow in 2009 and sites such as twitter.com are transforming the way in which traditional media reports news and information.
A Twitter cross-site scripting worm and spam outbreak occurred in April during the Easter period. Large numbers of Twitter profiles were affected. The messages initially read "I love www.StalkDaily.com!". The messages morphed several times to include "Wow… www.StalkDaily.com" and "Join www.StalkDaily.com everyone!".
Many people followed the links to stalkdaily.com, as they believed the messages to be genuine Tweets from their friends. A cross-site script on the site then caused the new visitors' own accounts to start Tweeting the same messages. Not surprisingly, the entire worm was a publicity stunt for stalkdaily.com by one Michael Mooney, AKA mikeyy. There were several variants during April 12th and 13th, and a follow-up worm on April 17th that Mike Mooney also admitted to writing.
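An added illustration, not from the original summary, of the rendering mistake that lets a stored cross-site-scripting worm of this kind spread, and of the output escaping that stops it. It assumes the injected script sat in user-supplied text that the site rendered as raw HTML; the page does not say where Twitter's flaw was, and the script URL and the sample texts are constructed.

```javascript
// Added example: why a stored XSS worm spreads, and the fix.
// Assumption (not stated on the page): the worm's script was stored in a
// user-controlled text field that the site rendered as raw HTML.

// Constructed sample of user-supplied text: a message from the outbreak and
// a value carrying a script element pointing at a placeholder host.
const sampleInputs = [
  "I love www.StalkDaily.com!",
  'Wow... www.StalkDaily.com <script src="http://example.invalid/worm.js"></script>',
];

// Vulnerable rendering: concatenates untrusted text straight into markup,
// so a stored <script> element becomes live code for every viewer, and each
// viewer's own session then re-posts it (the worm's propagation step).
function renderUnsafe(text) {
  return '<p class="tweet">' + text + "</p>";
}

// Hardened rendering: HTML-escape the five significant characters so the
// browser shows the text literally and never parses it as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderSafe(text) {
  return '<p class="tweet">' + escapeHtml(text) + "</p>";
}

// Crude check a site could run over rendered output: does it still contain
// an element the browser would execute?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Render every sample both ways and report whether a script survives.
function demo() {
  return sampleInputs.map((t) => ({
    unsafeExecutes: containsScriptTag(renderUnsafe(t)),
    safeExecutes: containsScriptTag(renderSafe(t)),
  }));
}
```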
Twitter spam has become a challenging issue for the site. http://www.twitter.com/spam is Twitter's official response to the issue.
Search Engine Optimization
While the mikeyy Twitter worms were largely an annoyance, the rapid outbreak and subsequent interest in "mikeyy" did not go unnoticed by cyber criminals. They quickly seized the opportunity and search engine results for "twitter worm" or "mikeyy" soon led people to sites hosting malware.
Malicious search results based on trending news stories are becoming commonplace. Knowing the reputation of sites yielded by search is becoming increasingly important.
Targeted attacks continue unabated. Exploits in popular file types are used.
We've covered targeted attacks many times in the past, and we've also covered PDF files and vulnerabilities in Adobe Acrobat / Adobe Reader being used to install malware. We decided to take a look at targeted attacks and see which file types were the most popular during 2008, and whether that has changed at all during 2009.
In 2008 we identified approximately 1968 targeted attack files. The most popular file type was DOC (Microsoft Word), representing 34.55 percent.
Targeted Attacks 2009
As of the middle of Q2 2009 we have discovered 663 targeted attack files, and the most popular file type is now PDF. Why the change? Primarily because there have been more vulnerabilities in Adobe Acrobat / Adobe Reader than in the Microsoft Office applications.
Adobe recognizes that its popularity makes it a target.
During Quarter 2, 2009, Adobe began a Quarterly Update Cycle.
This is a promising move, as it helps to highlight the need to keep Adobe applications up-to-date. A quarterly update schedule is more likely to be noticed by those that need to patch.
F-Secure Health Check
Statistics from our Health Check application show that during the month of May, 1 in 3 computers scanned were still vulnerable to an Adobe Reader flaw reported in the month of February. It takes time for consumers to apply security updates to their systems. Adobe's new quarterly schedule should help to raise attention to the issue.