Terry Zink's Anti-malware Blog

Some antispam humour

tzink — Sat, 21 Nov 2009 19:42:00 GMT

While I am out, I am posting some random stuff from around the web. From AppleGeeks:

A positive (?) story about social engineering

tzink — Sat, 21 Nov 2009 04:00:00 GMT

I’m currently on vacation in South America* so I thought I’d pre-write a few stories about how spam/malware relates to real life.

We all know that a big trend in recent years with malware is social engineering. Social engineering is an attempt to trick the end user into doing something by impersonating someone else or by playing on their emotions. This is usually a bad thing… but not always.

When someone nefarious gains access to your credentials, they don’t necessarily have to use it right away. They can sit on it for a while before making use of it. That adds another dimension of social engineering because something that you did several months ago (giving up your credentials) can come back to haunt you many weeks or months later. And then, when it happens, you can’t recall when you might have surrendered them.

But what if social engineering was used for the powers of good? Let me tell you a story.

Many of my readers will know that I am a magician, and this year my focus has shifted to mentalism. This branch of magic focuses on predictions, reading thoughts, and creating experiences in the minds of the audience. Well, this year, I was sitting on a couch preparing to depart from a local establishment. I was leaving, I overheard another lady talking to someone else. She was talking and said something like “Give me a call” and said her phone number. My brain flipped into action.

I pulled out a pen and notepad and wrote it down (I memorized as soon as I heard it). This might come in handy, I thought to myself. I started thinking about how I could use it.

And that time came a few months later. I decided to use it in a magic effect. I decided to test out something new. I walked up to her and said “Amanda” (not her real name), “I want you to think of a number. Make it a meaningful number… your phone number.” Keep in mind that I have never asked for it nor obtained it in any fashion. “Concentrate, now. Visualize it, floating in front of you,” I said as I waved my hand in front of her as if it were a few inches in front of her eyes such that only she could see it. I moved in closer, putting my hand on her shoulder while gesturing with my other hand. “Still seeing it now, I want you to silently recite the numbers in your head. Echo them one by one, clearly.” She looked up and to the right, saying the numbers.

I played it up a bit more. “10 digits,” I said. She nodded. I then said the numbers very slowly “1… 2… 3… 4, 5, 6… 7, 8, 9, 0.” Her eyes went wide and she smiled in disbelief. I had just performed a miracle. I smiled in return, thanked her for helping out and proceeded on my way out the door.

Now for some analysis on social engineering:

The original leak of information is something that I overheard by accident. Sometimes people slip information without realizing it. They enter in their username and password over clear text (like a discussion forum) and then re-use that those credentials elsewhere. If a hacker breaks into those forums and obtains that information, they have revealed their info by accident to an eavesdropper.
But it doesn’t stop there. In fact, it’s just the beginning, because my trick illustrates real social engineering using body language techniques. The first thing I said was to think of a number, but not just any number – a phone number. Getting someone to think of something related to them makes it about them. Once that happens, emotions start to kick in. When emotions kick in, it becomes more difficult to think logically.
I put my hand on her shoulder. That breaks a psychological barrier of personal space invasion and again triggers an emotional response. It’s something I do a lot when I perform magic close-up. The sensation of touch makes it even more personal.
At the same time, I waved my hand in front of her, at eye level, and my eyes followed it. Her eyes did the same. This wasn’t necessarily designed to do anything, however, I say to illustrate the fact that I was using a psychological technique to control (actually, influence) her gaze.
Finally, when I got closer to the end, I leaned forward and moved in closer. Moving in towards a personal is a technique I picked up from Neuro-Linguistic Programming and general techniques of learning body language. When we lean in to someone, it means we are interested in them, or what they are saying. Whether or not she actually was interested in me (or more accurately, what I was saying and doing), I was using a psychological technique to suggest interest. It’s not particularly overt but at the same time it is not subtle.

So you see, I was using a lot of social engineering technique to generate an emotional response because when the number was revealed, I got a positive response. All I basically did was say “Think of a number”, but I spiced it up. And when you spice things up and get the person to start thinking more with their emotions, you can get away with a lot more.

But in this case, it made me look pretty suave and sophisticated, if I do say so myself.

Traveling for the next little while

tzink — Wed, 18 Nov 2009 01:27:23 GMT

I am going to be traveling in Peru for the next little while, but fear not! I shall still be blogging!

I have written a few posts in advance to entertain you all that shall become publically visible over the next few days. Enjoy.

Virus attachments vs email classified as malware

tzink — Mon, 16 Nov 2009 22:27:12 GMT

This probably belongs in the “Well, no kidding” category but I thought I would post it anyhow.

Since near the beginning of this year, I have been tracking how much email our filters classify as malware. I then took those values, broke them down into a weekly chart and compared it to how many mails we received on a weekly basis that contained virus attachments. Is there any relationship between the two? If there is a new malware campaign, is that associated with an increase in spams with links to malware?

It’s hard to measure this because we block so much mail at the network edge (90%). So, all of the data that I have is for post-edge blocked mail. Below is a chart of the amount of mail we classify as malware vs how much mail has a virus attachment, on a weekly basis:

The result is pretty significant, 31% of the variance in the number of viruses in email is associated with the variance in the number of messages we classify as malware. In other words, there is a very strong malware spam/virus correlation (correlation = 0.55) since March of this year.

The problem is that I had to massage the data. There were 4 weeks of outliers that skewed the data set. If you include those, there is a weak relationship between the two of them, and it is negative (r = –0.12):

So on the one hand, I feel that removing the outliers results in an outcome that makes sense and fits the expectation. On the other hand, I feel bad about having to do some data-mining in order to return a result that I was expecting.

Where’s rustock?

tzink — Sat, 14 Nov 2009 18:01:00 GMT

Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of spam e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. It is the largest spamming botnet that sends mail to our servers.

I decided to take a look at where its spamming IPs were located, geographically, for the date of November 12, 2009. Below is the chart:

In a surprising twist and departure from the norm, the United States is very under-represented in the above chart. South America is strongly over-represented. The top countries are below:

Rank	Country	Distinct IPs
1	Brazil	3274
2	India	2687
3	Columbia	1211
4	Poland	899
5	United States	836
6	Argentina	760
7	Czech Republic	745
8	Romania	731
9	Thailand	630
10	Israel	464
11	Spain	447
12	Italy	440
13	South Korea	419
14	South Africa	379
15	Great Britain	372
16	Germany	372
17	Turkey	368
18	Peru	363
19	Vietnam	361
20	Ukraine	332

Three of the top six countries are in South America. Only one is in Asia, and one is in Europe. This differs significantly from the total spamming IP distribution where the United States has 18% of the total IPs:

For this one day, South America’s representation has doubled compared to its global IP distribution for all spam, the United States is around 1/3, but Asia and Europe are about the same. For some odd reason, the United States seems to be more resistant to relaying spam from rustock than other countries. And for some reason, South America is more prone to relaying it. I’ll take some guesses in my next post as to why this is.

FireEye knocks Mega-d offline

tzink — Fri, 13 Nov 2009 19:13:18 GMT

From the Register:

A botnet that was once responsible for an estimated third of the world's spam has been knocked out of commission thanks to researchers from security firm FireEye.

After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.

Almost immediately, the spam stopped, according to M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.

…

The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.

I decided to check this using our own statistics. While I don’t know if Mega-D was at one time responsible for 1/3 of all spam (my stats only go back to late July 2009), it certainly isn’t one of the big ones today. Those slots are reserved for Rustock, Bagle-cb, Cutwail, and sometimes DarkMailer. However, Mega-d certainly does register (no pun intended) on our radar. Below are the stats:

You can see that Mega-d does have a sawtooth-like sending pattern, but we definitely saw a big drop in spam from that botnet that appears to be generating a bit of a recovery today (11/13/2009). Also note that the numbers on the y-axis are not necessarily representative of the full set of spam we see from Mega-d but the general trend is representative.

The good news in all of this is yes, a relatively small company can make an impact into a major spam operation. The bad news is that these takedowns tend to be short lived. Earlier this year, when a Latvian ISP was disconnected due to its abusive practices, it made only a small dent in global spam volumes, and this small dent vanished a few days later. The spam operation is becoming more resilient to disruptions in its service.

Are pirated versions of software more susceptible to malware? Updated!

tzink — Wed, 11 Nov 2009 21:09:00 GMT

One of the pieces of conventional wisdom that goes through my head is that if you install pirated versions of software, then your computer is more likely to be infected with malware. It makes sense; in order for spammers/malware authors to take control machine, they offer users cheap software. Yet this cheap software comes with a heavy price tag – you relinquish control of it to the whims and fancy of the spammer or malware writer to do nefarious things like spam, host phishing pages, host fast flux, serve as a command-and-control center, and so forth. Furthermore, individuals with pirated software are also much less likely to download security updates and therefore remain exposed and vulnerable for longer periods of time and, therefore, more prone to malware infection.

That’s the theory. But is it true?

To test this, I compared the data in the Microsoft Security and Intelligence Report and the Business Software Alliance Piracy Study. I used Microsoft’s metric of CCM, Computers Cleaned per thousand executions of the Malicious Software Removal Tool. I extracted the countries in common between the two reports and ran two correlation studies, one for 1H 2009 compared to the 2008 piracy rate, and another for 2H 2008 compared to the 2008 piracy rate.

Below are the top 10 countries for CCM in 1H 2009 and the change from 2H 2008 (green is good and represents a decrease, red is bad and represents and increase):

I have removed Serbia and Montenegro as it represented an outlier. Note that 4 of the top 6 countries (Turkey, Spain, Saudi Arabia and Taiwan) have all had substantial increases of malware infection (and removal) compared to the previous six months of the year. Below is a table of rates of piracy for the top ten countries:

For interest’s sake, here are the best countries with the lowest rates of piracy:

You can see that the US has the lowest rate of piracy which surprises me a little bit given that so much spam comes out of the US. Next, to determine if there is any relationship between the two of them, I calculated the statistical correlation between the two and plotted a scatter plot. I did this comparing the 1H 2009 CCM to the rate of 2008 software piracy, and then the 2H 2008 CCM to the rate of 2008 software piracy. Below are the results:

In 1H 2009, 0.8% of the variance of the rate of piracy is associated with the CCM, and in 2H 2008, 1.1% of the variance of the rate of piracy is associated with the CCM. In other words, there is no statistically significant relationship between the national rate of software piracy and the national rate of malware detection.*

* Update!

But is this really the best way to compare whether or not pirated software is more susceptible to malware? All I did was take the malware clean rate (CCM) and the country’s software piracy rate and compare them. But this study does not account for the following:

In this calculation, pirated software is mixed in with legitimate software, lumps it together and then compares it to the CCM. But this cannot differentiate between the two of them. It could be that pirated software contains many more malware infections than legitimate software and by mixing the two pieces of data together, the statistical relationship will show no correlation. In other words, they could be cancelling each other out.

What would have to be checked is a pulling of the data that contains the CCM for legitimate software vs the CCM for pirated software, both within the country and then across countries. That would be a much more accurate comparison.
This study of mine does not account for relationship that update frequency has on rates of malware infection. Does pirated software update less frequently? Or run fewer instances of the Malicious Software Removal Tool? If so, then it should have a higher rate of malware infection. The data in the SIR does have some data points surrounding the rate of update frequency. This should be accounted for in the malware/piracy study, and it is something that I did not include.

Therefore, I am retracting my earlier statement that there is no statistically significant relationship between the rate of software piracy and the rate of malware infection/detection. My earlier methodology is incomplete and right now I do not have enough of a complete data set to measure this with statistical certainty. The non-correlation is spurious.

The experiment I used above, while a good start, does not go far enough and account for enough of the variables that could have an impact on the conclusions.

Countries with the most infected computers

tzink — Tue, 10 Nov 2009 18:52:01 GMT

All Spammed Up has a new post up referencing an article that security researchers have issued a report indicating that Spain is the country with the most infected computers, at 44.5%. The United States is second at 14.4%. The countries with the least infections are Sweden, The Netherlands and Peru.

The Microsoft Security and Intelligence Report, v7, doesn’t measure infection rates quite the same way. Instead, it has a metric called Computers Cleaned per Thousand machines scanned, or CCM (where M is the Latin word for thousand – mille). This is a measure of the number of computers cleaned per thousand executions of the Malicious Software Removal Tool (MSRT). Below is a heat map of the countries with the most infections, for a better image either click the image (as it will be cut off in this blog) below or download the full report and zoom in your Adobe pdf reader (it is on page 41):

Click here for ginormous image.

Going from the above, we can see that Spain is definitely one of the hotter countries. But, it is not the hottest. Below is a table of the countries with the worst rates of infection:

Spain is clearly one of the worst but it is actually only number 4 behind Serbia and Montenegro, Turkey and Brazil. There is no set pattern but in general, countries in the developed world (at the very least, the G7) are not found among the worst countries for malware infection. Of course, the very interesting thing is that even within different countries, the types of infections are different. Microsoft classifies the types of malware it removes and below is a table of what it looks like among various countries. Click on the picture to see the full image as it will be cut off partially in this blog:

Click here for full sized image.

From our table above, Brazil and Spain are the worst offenders for malware infected computers, coming in at 3 and 4 respectively. Yet the type of malware hitting them is different. Brazil is plagued by Password Stealers that target Brazilian banks (led Win32/Bancos), followed by Worms and Viruses. by contrast, Spain is hit hardest by Worms, then miscellaneous trojans and password stealers, which are substantially less than Brazil.

The United States was number 2 in the report that All Spammed Up referenced, but the most common malware affecting systems in the US are miscellaneous trojans, followed by trojan downloaders and droppers and then Adware (the pattern is similar in the United Kingdom). So, different regions of the world are more prone to certain types of attacks than others.

If we can make a generalization, then the countries with the highest malware infections rates as measured by the MSRT CCM metric are more prone to Worms. The United States is actually about average with regards to infection (8.6 CCM vs 8.7 global average). With regards to the lower countries, I am currently not seeing any discernable pattern and I would have to do a deeper statistical investigation.

Changing the title of this blog

tzink — Tue, 10 Nov 2009 18:19:38 GMT

For the very first time since I created this blog back in July of 2006, I am changing it’s title. It is no longer “Terry Zink’s Anti-spam Blog”, it is now “Terry Zink’s Anti-malware Blog”.

I have not moved out of spam. Instead, I have decided to broaden the focus of this blog to include malware as well as spam. The relationship between the two is tightly integrated and I believe that I need to touch a wider array of the security space to remain relevant. The only real change you will see will be that I will be writing about malware more than I have in the past, and other security topics in general. My sphere of interest has expanded from focusing on spam to focusing on the general security space.

Happy reading.

The Story of Conficker, part 3

tzink — Sat, 07 Nov 2009 03:00:00 GMT

Setbacks and Triumphs

The domain registration task became exponentially more challenging on March 4, 2009, with the discovery of Worm:Win32/Conficker.D. Investigators reverse-engineered the new variant and determined that it was programmed to generate 50,000 new domain names a day across 110 TLDs, beginning on April 1, 2009. Though this seemed at first like an impossible hurdle to overcome, CWG members immediately began working to counter the effects of the upcoming change. As security researchers continued to analyze the Conficker.D malware, ICANN staffers began contacting the registries responsible for each of the affected TLDs seeking cooperation in registering or blocking the domains, and the CWG compiled “go packs” of information for Internet service providers and enterprises about the steps they should take to help keep their customers and employees safe.

April 1, 2009, came and went, with the world outside the security community noticing little or no change. By that time, however, ICANN had secured the cooperation of all 110 TLDs used by Conficker, and the global DNS community was active and prepared to deal with the Conficker threat. Rapid, effective collaboration across borders and organizational lines had proven instrumental in containing what has been, and remains, a significant threat to the world’s computers and information.

The CWG Today

The CWG remains in place today, with more than 300 member organizations representing law enforcement, academia, and industry, and remains vigilant against new developments. In cooperation with ICANN and the DNS community, the CWG continues to block or register the 50,000 domain names generated each day by the Conficker algorithms. Each month the group supplies the 110 affected TLD operators with an updated list of generated domain names covering the next several months, so they can begin implementing countermeasures well in advance. Automated mechanisms verify that each domain name has been blocked before it is scheduled to be used and alert the CWG for any that have not, so activity for those domains can be closely monitored. Once in a while, a domain name generated by the algorithm happens to correspond to an existing domain owned by a legitimate party; in such cases, the CWG contacts the legitimate domain owner in advance and offers assistance managing the expected spike in traffic coming from infected computers.

In March, the group underwent a reorganization process to add structure and to segment its work by subject area to work more effectively. The group maintains a Web site at http://www.confickerworkinggroup.org with links to information in multiple languages about Conficker and resources that service providers and end users can use to determine if they are infected, and if so, what to do about it. The fight against Conficker is not over. The five identified variants continue to spread to new computers due to a lack of information or action on the part of some system administrators and end users. Even after Conficker recedes into insignificance, there will likely be other threats of similar magnitude to deal with in the future. As such threats appear, though, collaborative efforts, such as the CWG, can provide the global security community with unequaled tools for mitigation and resolution.

Conficker, Part 1
Conficker, Part 2
Conficker, Part 3

The Story of Conficker, part 2

tzink — Thu, 05 Nov 2009 23:10:00 GMT

The Conficker Working Group Is Born

In January 2009, representatives from a number of security research companies and domain registrars, along with the anti-botnet Shadowserver Foundation, began discussing how best to implement a defensive Domain Name Service (DNS) strategy to handle domain registrations. To coordinate the significant amount of e-mail being generated by these discussions, the group established the CONFICKER e-mailing list on January 28, which drew a growing number of security researchers and members from law enforcement, academia, and industry, in addition to members representing each of the eight TLDs used by Conficker. Enlisting the support of the TLD operators would prove to be a vital step in containing the Conficker threat, enabling the group to block domain names more efficiently and at far less expense than would be possible through the commercial registration process.

By early February 2009, working group members had instituted a process for registering as many domain names as possible, before the Conficker operators could register them, and assigning them to IP addresses belonging to six sinkholes (server complexes designed to absorb and analyze malware traffic) operated by organizations belonging to the working group. Infected computers looking for command-and-control servers would contact the sinkholes instead, providing researchers with valuable telemetry for analyzing the spread of the worm. A number of Internet service providers (ISPs) were also able to use this telemetry data to identify infected computers.

Around the same time, the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for allocating IP addresses and managing the Internet domain name system, invited the group to deliver a presentation on its domain registration efforts to a meeting of the ICANN board of directors. The board expressed its support for the program and assigned two staffers to help coordinate it. Despite these efforts, the Conficker operators were still able to register some domains before the working group could get to them. To mitigate this, researchers at Kaspersky Lab, an anti-malware vendor headquartered in Russia, worked with OpenDNS, a free network resolution service used by many organizations and individuals, to compute a year’s worth of Conficker domain names and proactively point them at the group’s sinkholes. Any infected computer belonging to an OpenDNS user would not be able to contact any of the Conficker command-and-control servers, even on domains the Conficker operators had been able to secure.

The formation of the Conficker Working Group (CWG) was officially announced to the public on February 12, 2009, as what a number of news stories characterized as an unprecedented example of global cooperation in the computer security industry, and a potential blueprint for dealing with threats in the future. The CWG had grown from an e-mail list for nine individuals to a group of more than 30 member organizations from around the world, coordinating complex activities through a robust communications infrastructure. On the day the CWG was announced, the group had successfully registered every Conficker domain name for the next 10 days, a genuine—if temporary—victory over the Conficker operators.

Conficker, Part 1
Conficker, Part 2
Conficker, Part 3

The story of Conficker

tzink — Thu, 05 Nov 2009 01:08:00 GMT

One of my favorite stories in the recent edition of the Microsoft Security and Intelligence Report v7, pp 29-32, is that of the story of Conficker. I thought I would repost it here because it illustrates the problem of Conficker and the way the industry worked together to respond to the problem.

Case Study: The Conficker Working Group

The appearance in late 2008 of Win32/Conficker, an aggressive and technically complex new family of worms, posed a serious challenge to security responders and others charged with ensuring the safety of the world’s computer systems and data. (“Win32/Conficker Update,” beginning on page 95, explains the technical details of the Conficker worm and the methods it uses to propagate.) Working together, however, the security community was able to react quickly to the threat and contain much of the damage, in the process establishing a potentially groundbreaking template for future cooperative response efforts. On October 23, 2008, Microsoft released critical security update MS08-067, addressing CVE-2008-4250, a vulnerability in the Windows Server service that could allow malicious code to spread silently between vulnerable computers across the Internet.

The vulnerability affected most currently supported versions of Windows, although architectural improvements in Windows Vista and Windows Server 2008 made them more difficult to exploit than earlier versions. Like the worms that plagued the Internet earlier this decade, malware that exploited the vulnerability would be able to spread without user interaction by taking advantage of the protocols computers use to communicate with each other across networks. For this reason, and because actual attack code that exploited the vulnerability was known to exist in the wild at the time, the MSRC took the unusual step of releasing MS08-067 “out of band” rather than wait for the next scheduled release of Microsoft security updates, which takes place on the second Tuesday of every month. Security Bulletin MS08-067 happened to be released on the last day of the eighth annual meeting of the International Botnet Task Force in Arlington, Virginia, a suburb of Washington, D.C., where attendees agreed to closely monitor developments around what appeared to be the first legitimately “wormable” vulnerability to be discovered in Windows in several years.

The November appearance of Win32/Conficker, the first significant worm that exploited the MS08-067 vulnerability, marked a major challenge for security researchers, due to the aggressive tactics several of its variants used to propagate. Despite this, researchers soon discovered a way to limit or eliminate the Conficker bot-herders’ ability to issue instructions to infected computers. As described on page 96, the authors of the Conficker malware used an algorithm to generate 500 new domain names every day (250 for each of the first two Conficker variants discovered) to use for command-and-control servers. Computers infected with Conficker would attempt to contact each of these generated domain names every day. If the authors had a task they wanted the computers in the botnet to perform, they would simply use the same algorithm to generate domain names in advance and register a few of them, which they could then use to host command-and-control servers.

Fortunately, researchers from Microsoft and other organizations were able to reverse engineer the domain-name-generation algorithms used by the first two variants, designated Worm:Win32/Conficker.A and Worm:Win32/Conficker.B, soon after each variant was discovered. This enabled them to begin registering the domain names before the botnet operators could, thereby impeding the Conficker malware from obtaining new instructions. Initially, the researchers resorted to registering the domains commercially through the domain name registrars for the eight top-level domains (TLDs) (.com, .net, .org, .info, .biz, .ws, .cn, and .cc) used by Conficker, an approach that quickly became unworkable. Registering 500 domain names per day would cost thousands of (U.S.) dollars per day for the foreseeable future—and the cost would only increase if new variants appeared using different name-generation algorithms. It was clear that more help would be needed.

Conficker, Part 1
Conficker, Part 2
Conficker, Part 3

Microsoft’s Security and Intelligence Report, v7, now available

tzink — Mon, 02 Nov 2009 17:41:48 GMT

Every 6 months or so, Microsoft releases its Security and Intelligence Report for the previous 6 months of the year. SIRv7 is now available here. This is a very comprehensive document covering topics from the entire threat landscape that Microsoft is involved with combating. This year’s report contains three key messages:

The redistribution of knowledge – Microsoft’s level of security intelligence will be unmatched and provided to individuals and organizations to help them make better security decisions.
OK, so what else is new? – The SIR contains the information that is relevant to people right now.
What do I do now? - The SIR allows people to assess where they are and what action they need to take.

I thought I would post an excerpt from the Executive Foreword. I think that this highlights the theme of this current SIR.

Welcome to the seventh installment of Microsoft’s Security Intelligence Report, which I hope you will find is the most extensive and comprehensive edition to date. The cover story in this report looks back at the major threats that have attacked customers over the last 10 years, and then the report drills deeply into the current threats that you need to understand and includes what you can do to best manage your risks.

At Microsoft, we remember the pain past incidents caused our customers and we reflect on them frequently. In particular, the Slammer and Blaster attacks that disrupted the Internet in 2003 are vivid reminders of the responsibility we have at Microsoft to ensure our products are as secure and privacy enhanced as possible.

As you can see from the timeline above, 2003 and 2004 were difficult times. [tzink note: see the report for a better image] But, you can also see that since then, major security incidents have become less and less frequent. From the data in this report, you’ll also note that the scope and impact of major events have changed, as well. For example, from the press surrounding the Conficker worm that has been attacking customers over the past year, it’s easy to conclude that Conficker is just as widespread and impactful as Slammer or Blaster—but in most respects, it hasn’t been. In 2003, Blaster became one of the most prevalent threats impacting home PC users. Six years later, Conficker didn’t even make the Top 10 list among this audience. I don’t want to minimize the pain that many of our customers experienced fighting Conficker, because, as you’ll read in the report, it was the top threat detected and cleaned in enterprises in the first half of 2009, but Conficker emerged in a much different software industry than Slammer and Blaster.

Indeed, the software industry has matured a great deal since the days of Slammer and Blaster. Since 2003, the software industry has improved its ability to mobilize and coordinate resources to fight threats… The Conficker Working Group (CWG) was founded earlier this year, establishing a new model for how the collective industry can work together to mitigate global threats.

The industry was able to proactively get ahead of Conficker by discovering the vulnerability before attackers could use it in widespread attacks. The Security Science team at Microsoft was able to find the MS08-067 vulnerability, which Conficker uses to propagate, and work with the Microsoft Security Response Center (MSRC) to release its update before attackers could use it for a Blaster-type attack. Our industry partners helped protect many customers from attack via the Microsoft Active Protections Program (MAPP). MAPP supplies Microsoft vulnerability information to security software partners prior to security update releases from Microsoft… This program enabled the majority of MAPP partners to provide protections to their customers for Conficker 24 hours after the MS08-067 security update was released. This meant that many customers were protected up to a week earlier than traditionally possible, and certainly much earlier than customers could obtain such defense-in-depth protections and threat mitigations in 2003.

With the vulnerability that Slammer exploited, many administrators didn’t know whether they needed to apply a security update or that it had to be applied manually. Today, customers are notified and protected much faster; multiple communications channels exist to help customers find and understand information on security vulnerabilities. Security advisories help draw attention to security issues as they unfold, and provide customers with critical information before security bulletins become available. Microsoft’s advanced notification service provides customers with an insight into the number and nature of security updates that Microsoft will be releasing each month so they can plan more effectively for the deployment of the updates. Security bulletins provide information on vulnerabilities, along with workarounds and mitigations.

…

The progress that the software industry has made to better protect systems and customers might be small consolation to the users of those 5 million systems that were infected with Conficker in the first half of 2009. Still, it is a significant step forward, given that more than 100 times as many systems were protected from Conficker. This is in stark contrast to the Slammer and Blaster attacks of 2003 where many, many more systems were infected. The industry will continue to work together to make the frequency, scale and scope of emerging threats as minimal as possible.

We thank you for your help and efforts to protect the ecosystem, and look forward to continuing to work with you to create a safer, more trusted Internet.

George Stathakopoulos
General Manager, Trustworthy Computing Security
Trustworthy Computing Group

More excerpts to come over the next few days highlighting global trends in the threat landscape.

Live Free or Die Hard

tzink — Thu, 29 Oct 2009 23:20:04 GMT

Spoiler alert.

This past weekend, I got a chance to watch the 4th installment in the Die Hard series, Live Free or Die Hard. I hadn’t seen the whole thing end-to-end before, only parts of it. It was nice to finally get a chance to see the whole thing.

Overall, I like it. It’s so far over the top that it’s completely unbelievable… but that’s the point. It’s supposed to be unbelievable. A jet plane flying around the city at low speeds and hovering like a helicopter in between parts of a freeway? John McClane getting hit by a car and walking away? Bad guys falling 20 feet onto concrete below and not even suffering a limp? Whatever.

But what about the basic premise of the story? In case you haven’t seen it, at the beginning of the film, various government agencies experience a major shutdown. Hackers infiltrate the computer systems of the FBI, departments of transportation, nuclear facilities… well, nearly every agency in the United States and they proceed to shut it down. The villain behind it is a disgruntled employee of the Department of Homeland Security who is a brilliant programmer and security expert. After the events of September 11, he warned his superiors that the nation’s cyber infrastructure was vulnerable to attack. Rather than listen to him, he was ignored and/of vilified, and fired from his job. To get revenge, the villain plots a major hacking operation to demonstrate to his superiors that they should have listened to him; this proves that the nation’s infrastructure is vulnerable. In reality, this is all a smokescreen as it is a diversionary attempt to steal billions, possibly trillions, of dollars of wealth. In the hacking world, the villain would be classified as a cyber warrior.

Of course there are some things in the movie that are completely unrealistic like the physical stunts above. Furthermore, why would the bad guys hack into a hacker’s computer and wait for them to hit the Delete key that detonates some C4, rather than them executing the explosion remotely? That seems a little inefficient to me.

But that’s not the question I want to address. What I want to ask is whether or not the nation’s cyber infrastructure is really as vulnerable to attack as the movie makes it out to be.

My answer? Unlikely. There are a couple of problems with this scenario:

The bad guy’s team was too small.

I counted a team of maybe 3 hackers on the bad guy’s team, not including himself. That is way too small a team to control multiple that much computer systems. Over here, we have a lot of people running a network that is not nearly as complicated as multiple government departments. It takes constant monitoring and tons of documentation to keep things running smoothly. And many times, things don’t run smoothly. It would take a very long time to code something up, test it, deploy it, and control it while evading detection during the entire time the operation was running.

Of course, something like that might be possible but three people is not enough. It takes forever to get done all of the stuff I mentioned. And it is very resource intensive. Nobody writes code that executes as perfectly as the villain’s does the first time they try it out. Of course, maybe they tested things but the government has a lot of independent systems. The left hand doesn’t know what the right hand is doing. So, you need guys who are familiar with each of the government’s various departments’ computer systems. And know how to control them. That just isn’t possible with 3 people.

The computer hackers running the operation would be busy all day trying to evade detection and the amount of psychological pressure on them would be intense (especially when your boss is holding a gun and waving it around, and his girlfriend could knock your teeth into next week). Nobody under that type of pressure avoids making mistakes, so you have to build automated mechanisms to control stuff for you. And if you do that, it takes time to code it. And if you take time to code it, even if you’re a great programmer, it’ll still have bugs. The flawless execution of their stuff was completely unrealistic without having back up teams responding to issues that would inevitably come up.
The nation is vulnerable to attack, but not in the way they made it out.

The uber-point of the nation’s security being vulnerable is correct, but not in the way they were making it out to be. In my first point, I say that the team is too small. I go on to say that government departments have all their stuff implemented differently. I don’t know this to be true, of course, but I surmise that each department built their stuff independently of each other. Some may have built their stuff on Linux and MySQL. Others may have used Ruby. Others, Perl. Maybe there is some Java, Exchange, PHP (ugh) and Oracle.

And when stuff is built independently, they don’t talk to each other. And when they don’t talk to each other, it is very difficult to take them all over simultaneously.

Furthermore, when computer systems get big, particularly when they were implemented in the 1980’s or 1990’s, they aren’t documented very well. If you work at a company whose infrastructure was written long ago, you’ll know how disorganized it is. The code is poorly written, you will probably have GOTO’s going to GOTO’s, and there is no written support. If you want to figure out what is happening, you have to “decompile” the code in your head or on paper. It’s a mess.

Thus, if an organization as large as the government is going to be attacked, what is more likely to happen is that rather than being controlled, it is more likely to be shut down than having control of it given to an external attacker. A hacker can break in and deploy a worm, but this is much more likely to cause systems to crash and not boot than it is give control to a remote user. Remember, it is not a single organization with a unified communication system, it is multiple computer networks that must be compromised and controlled.

Poorly written code doesn’t act like a cohesive unit. Instead, it deadlocks and becomes unresponsive. Memory leaks, and resources do not get released. It’s the equivalent of having large paperweights on your desks (like my IP phone at work) and servers that sit there, spinning their wheels and doing nothing.

When the governments of Estonia in 2007 and Georgia in 2008 were attacked, and when Twitter suffered a DDOS attack in 2009), they shut down the nation’s, or web site’s, computer systems but they didn’t control them from the inside to make them do nefarious things. They “just” rendered them inoperable. So, we can all take solace in the probability that if a hacker ever takes over, traffic lights will only go out. We don’t have to worry about them all turning green.
An emergency data dump wouldn’t go to only one server in one location.

Or, I certainly hope not.

As I said in my introduction, the taking over of a nation’s computer systems was only a diversion. When this happened, all of the nations banks, financial institutions, trading accounts, etc, started downloading of all of its data into a data center located in Maryland (I think). This computer data center was supposedly the Social Security Administration, but in reality it was designed to be a redundant backup in the case that a real emergency happened. Of course, this emergency did happen, and the bad guy is the one who designed it that way. Thus, his goal was to create an emergency, trigger this data download into the servers, and then walk away with all of the money (or delete it, sending America back to the Stone Age).

Okay, I won’t get into all of the problems, but let me say this – if this guy was so brilliant, then his design has a flaw. If you really were going to do this, you wouldn’t download all of the data into one location. You would download it into two locations. Remember, this is absolutely critical information and losing it would be disastrous. Therefore, you’d have a backup. That’s so obvious that a designer has to know that. What you would probably do is download it to two separate (redundant) servers in the same data center, and then do the same thing in another geographically separate data center. That way you have double-redundancy for a set of data that is so important. Clearly, this bad guy can’t be that smart if he designed it to have one backup. What a doofus. No wonder he got fired.

I could probably name more problems, but this will do. But like I said, this movie isn’t real life, it’s entertainment. It’s not supposed to be realistic. And for what it was worth, it was a good ride. I liked it.

Yippie-ay-yo-kay-yay!

The evolving MAAWG

tzink — Wed, 28 Oct 2009 17:30:11 GMT

MAAWG is an organization that started up in response to the spam problem. Its official name is the Messaging Anti-Abuse Working Group, and they are meeting this week in Philadelphia to discuss all things abusive. I didn’t go this time around, but maybe in the future I will secure my attendance. DarkReading has an interesting article on the proceedings that you may wish to check out. An excerpt:

"Email [abuse] will remain substantial," says Michael O'Reirdan, chairman of MAAWG and distinguished engineer in national engineering and technical operations at a major U.S. ISP. Even so, O'Reirdan says he'd like for MAAWG to change its name to more than a messaging title to better reflect the evolving threats to ISPs and their users. [tzink: emphasis mine]

Other MAAWG members, such as Cisco, note that malware distribution via email has become less of a threat in developed countries. "Email as a malware distribution [vector] is somewhat dead except in emerging economies," says Henry Stern, senior security researcher for Cisco's IronPort team. G-20 countries are now sending anywhere from 20 to 40 percent less spam this year than last, he says.

That's, in turn, pushing spamming botnets out of the U.S. to lesser-developed countries with emerging broadband infrastructures. "It's more lucrative for them to go outside the U.S. There's a migration away from old email spam here" and to other methods, such as attacks on social networks, for instance, says Patrick Peterson, a Cisco fellow.

Indeed, over the past year, the threat landscape has changed and shifted in various fashions. The spam problem is not going away anytime soon. People will continue to spam, ad nauseum, forever. However, it is not the growth industry it once was. I liken spam to the railroad industry. Back in the 1800’s and 1900’s, railroads were the new and emerging transportation mechanism. They were growing by leaps and bounds and revolutionized domestic trade (in the United States) and international trade (in Europe). Trains could travel to places that boats could not. Nowadays, we don’t really see a lot of railway expansion. It’s an established industry. There is certainly plenty of maintenance but there are other ways to get goods around – by automobile or by plane. That being said, rails are not going away. They are a very efficient distribution mechanism of transporting lots of goods, such as grain, steel, automobiles or passengers. It is an entrenched part of our economy. But it is not the growth industry of today.

In a similar way, spam is not a major growth industry. It is harder for spam to get by filters and the spamming is done by more elite spammers. That does not mean that cyber-abuse has gone away, however. There are other attack vectors that have crept up over the past couple of years:

Rogue antivirus
Black search engine optimization (getting spammy webpages to the top of web queries)
Hijacking of free web creation tools (like Blogspot or Live Spaces)
Fast flux
Social networking abuse
Cyber riots in the form of DOS attacks against countries or services (like Twitter)

So you see, there’s a big chunk other than just spam. Botnets are behind most of it, but they are a distribution vector for accomplish all of the above in addition to spamming. To say it is only Messaging Anti-Abuse is too narrow in scope. It is a natural progression to widen one’s view when the nature of the threat changes.

A couple of years ago, I attended the CEAS – the Conference on Email and Antispam. They have since changed their name to the Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEMAAS?). It’s catching in other places, so why not MAAWG? For every new communication medium, there will be someone who will attempt to take advantage of it and abuse it, and eventually organizations like MAAWG will have to figure out how to fix that one, too. That’s simply the way it is.