Most Recent News from the Lab

Tuesday, May 13, 2008

US Air Force Colonel Proposes Skynet
Posted by Sean @ 12:27 GMT

This month's issue of Armed Forces Journal features an article by Col. Charles W. Williamson III titled:

Carpet bombing in cyberspace: Why America needs a military botnet

It's a provocative essay… that fails to convince us of the need for an AF.MIL botnet.

Quoting the colonel:

"The U.S. would not, and need not, infect unwitting computers as zombies. We can build enough power over time from our own resources."

In that case the AF.MIL botnet might be missing a key element of success. Criminal botmasters don't use their own resources. Criminals steal resources from geographically diverse locations. Their crimes are international and they can be exceedingly difficult to trace back to their origins. They often avoid resources in their own countries so as to avoid local law enforcement action.

"The truly difficult problems come in defending against attack from devices adversaries have captured from U.S. or allies' civilians."

This isn't just difficult — this is likely to be the main problem that any credible cyber-threat would present. Using the criminal's model of success, an enemy nation-state will simply infect resources belonging to others. In that case an AF.MIL solution would be fuel for the fire, cannibalizing its own and/or other nations' networks without ever counterattacking the true source of the threat.

In his essay, Col. Williamson uses a fortress analogy. He suggests that the military age of the fortress is over because air power can travel over fortress walls. Military forces respond to such threats by attacking the enemy's airfields from which the attacks are launched. So, to extrapolate, an AF.MIL botnet would attack the locations from which DDoS attacks are being launched.

However, Col. Williamson seems to have overlooked something from his own essay:

"Homer's epic poems describe how fortified Troy held out against the united Greek armies for 10 years until Troy finally fell when it foolishly brought the threat inside its own walls by falling for the enemy's masquerade in the form of a giant wooden horse."

Trojans are precisely the point. Social engineering, exploits, and trojans are used to create the enemy within. The enemy's launch point will be from within the fortress walls.

It's quite possible that any threat big enough to warrant the use of an AF.MIL botnet would largely come from within the borders of the United States.

Let's take AKILL for example. Owen Thor Walker, an 18-year-old bot herder from New Zealand, was arrested as a result of last year's Bot Roast II. He controlled a network of one million computers. A failed botnet update resulted in a DDoS on the University of Pennsylvania. The failure led to the arrest of a partner and then of Walker himself.

Now let's suppose that instead of Walker being some Kiwi kid interested in making lots of money, he was an enemy of the state bent on attacking the USA. Do you think his arsenal was located in New Zealand? It wasn't. So what's the military target? UPenn?

"[A smart enemy] could even craft his packets to make it appear the attack was coming from inside U.S. military networks so that if we merely captured the apparent source IP address and used that to aim the attack we would fire our botnet at our own computers."

A smart enemy might not need to spoof US military networks. A herder known as SoBe, whose real name is unknown since he is a juvenile, pleaded guilty in February for helping to herd more than 400 thousand computers along with Resjames. He also admitted to damaging US military computers.

If SoBe can infect the military, a "smart enemy" will do so as well in an attempt to win the cyber-battle before it's even fought.

"The best defense is a good offense" may not apply very well to cyber-threats if you're really planning to play by the rule of law.

What do you think? Does America need a military botnet?

Comments are welcomed.
Monday, May 12, 2008

Vulnerability Descriptions
Posted by Esz @ 11:40 GMT

We now have vulnerability descriptions available from www.f-secure.com/vulnerabilities.

Here's an example of one:

Cross-site scripting and security bypass vulnerabilities in Mozilla Thunderbird, which can be exploited by remote attackers, were first reported on March 26th. Mozilla recently (May 1st) released version 2.0.0.14 to mitigate these vulnerabilities.

[Image: Mozilla Thunderbird vulnerability description]

For more information, read Security Advisory SA29548.

You can use Health Check to determine if you have vulnerable software installed.

And you can update to the latest version of Mozilla Thunderbird from here.

Saturday, May 10, 2008

SQL Injection Continues
Posted by Patrik @ 00:24 GMT

A couple of weeks ago we blogged about mass SQL injections. After that it went quiet, but the attacks have now started again, this time pointing to several different domains.

During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:

   yl18.net
   www.bluell.cn
   www.kisswow.com.cn
   www.ririwow.cn
   winzipices.cn

All of the domains above are pointing to IP addresses in China.

[Image: SQL May 9th 2008]

Just like last time the scripts attempt to use several exploits to infect the user's computer.
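As an added defensive example (not code from the original post), this Python script scans stored page content for external script references whose host matches the domains listed above, so a site owner can find pages that picked up the injection. The sample page is constructed for the example.

```python
import re
from urllib.parse import urlparse

# Domains named in the post as the targets of the injected scripts (May 2008 wave).
INJECTION_DOMAINS = {
    "yl18.net", "bluell.cn", "kisswow.com.cn", "ririwow.cn", "winzipices.cn",
}

# Matches the src attribute of any <script> tag, quoted or not, in any letter case.
SCRIPT_SRC = re.compile(r"<script[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def script_hosts(html):
    """Hostnames of all external <script src=...> references in a page body."""
    hosts = []
    for url in SCRIPT_SRC.findall(html):
        if "://" not in url and not url.startswith("//"):
            continue  # relative path: served by the site itself, not an injection
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def matches_blocklist(host, blocklist=INJECTION_DOMAINS):
    """True if host is a listed domain or any subdomain of one (www.bluell.cn -> bluell.cn)."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def find_injected_scripts(html, blocklist=INJECTION_DOMAINS):
    """Sorted, de-duplicated hosts of injected script tags found in html."""
    return sorted({h for h in script_hosts(html) if matches_blocklist(h, blocklist)})


# Constructed sample: a product page whose database-backed text fields have picked
# up two injected script tags alongside the site's own legitimate script.
SAMPLE_PAGE = """<html><head><title>Products</title>
<script src="/js/site.js"></script></head>
<body><h1>Widget</h1><p>Great widget</p><SCRIPT SRC=http://www.bluell.cn/b.js></SCRIPT>
<p>Contact us</p><script src="http://yl18.net/0.js"></script></body></html>"""

if __name__ == "__main__":
    for host in find_injected_scripts(SAMPLE_PAGE):
        print("injected script reference:", host)
```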

Monday, May 5, 2008

BBB Case #947344536
Posted by Mikko @ 16:05 GMT

We're seeing some new BBB trojan attacks going around.

This attack method is well-known and has been occurring for months: a high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears credible and links to a site from which the complaint can supposedly be downloaded. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the site drops a backdoor on the system.

The message looks like this:

[Image: BBB e-mail message]

This would be fairly convincing to most recipients, especially since the real company and individual names are used.

The message links to a page under us-bbb.com (the real BBB site is at us.bbb.org).

[Image: BBB phishing page]

The site was running over the weekend, was down today on Monday and then just reappeared — with a modified version of the malware.

If the recipient enables ActiveX, the site sends the system a CAB file which gets automatically installed as Acrobat.exe — and displays this:

[Image: BBB download dialog]

In reality, it's just installed a backdoor (which we detect as an Agent variant).

Nasty stuff. Watch out.

Wednesday, April 30, 2008

Try our Latest Technology
Posted by Sean @ 11:48 GMT

Internet Security 2009 Beta was released on April 28th.

[Image: Internet Security 2009 Beta]

IS 2009 contains many new features including DeepGuard 2.0 and new engine technologies.

[Image: Internet Security 2009 Beta]

There's been a great deal of work put into our back-end systems that will directly impact the effectiveness of IS 2009. We're looking forward to its potential here in the lab.

The readership of this blog has been a very useful resource to the Internet Security project team in the past. They welcome you to try out 2009 and to provide feedback. Those who provide excellent feedback will be entered into a drawing. The team is still determining the prizes (it's budgeting time) but will probably come up with a couple of cool iPods and some free twelve-month licenses.

You can read the current release notes and sign up for the download from our Technology Preview pages.

And while on the topic of new technologies… if you don't have a machine to test our new beta, you can still try some of the technologies that will be included in Internet Security 2009.

[Image: Online Scanner 3.3.0]

Our Online Scanner 3.3.0 was released with a new mix of technologies.

It's *free* to use (requires Internet Explorer). Custom Scan options are possible. You can scan your entire system or a single folder.

[Image: Online Scanner 3.3.0 Custom Options]

Try Online Scanner from our support pages. If you're curious about some of the changes made, check out the details in the scan report.

Monday, April 28, 2008

DDoS Anniversary
Posted by Sean @ 14:34 GMT

There was a "cyberwar" in Estonia one year ago. Civil unrest, protests, and rioting culminated in DDoS attacks against Estonian government websites. What started on the streets moved online, with those who couldn't be physically present taking part in DDoS attacks that lasted for more than a week.

We blogged about the attacks here (April 28th), here (April 30th), and here (May 9th).

There were plenty of DDoS tools distributed during the attacks:

[Image: DDoS tools, April 2007]

The anniversary of the riots hasn't generated any activity as of yet, and we don't expect anything significant later.

More recent failed examples appear to indicate that a good deal of offline heat is required before online attacks catch fire.

An "e-jihad" planned for the 11th of November never materialized.

And earlier this month a DDoS attack planned against CNN resulted in only random outages, mostly in Asia.

Anti-CNN tools were distributed… but without street protests to really capture people's attention, nothing carried over to online attacks.

[Image: DDoS.exe]

Friday, April 25, 2008

Fly Phishing
Posted by Sean @ 18:12 GMT

Some phishing gangs have a new technique. They're using trojan-spy applications.

Last week we received the following e-mail message:

[Image: Comerica Phishing E-mail]

Notice that the message doesn't mention anything about providing an account-name or password.

Instead, it attempts to convince the recipient that they need to install a Digital Certificate for enhanced safety.
(Anybody want to buy a bridge?)

The message links to a site with the following:

[Image: Comerica Phishing Site]

It's basically a page full of jargon designed to overwhelm the potential victim. What happens if the victim falls for the bait and installs the "certificate"? A trojan-spy will be installed.

So now the phishers don't need to ask for passwords anymore; they can just take them.

This technique keeps the classic element of phishing by mimicking the trusted institution — the bank. What they've adjusted is the part that people have become skeptical of, which is giving away their password when requested by e-mail.

Update: Here's a brief video that we captured last week when the site was online. You'll find it on the Lab's YouTube Channel.