Thursday, November 20, 2008
Frank Boldewin had seen a lot of malicious software in his time, but never anything like Rustock.C.
Used to infect Windows PCs and turn them into unwitting spam servers, Rustock.C is a rootkit that installs itself on the Windows operating system and then uses a variety of sophisticated techniques that make it nearly impossible to detect or even analyze.
When he first started looking at the code earlier this year, it would simply cause his computer to crash. There was driver level encryption, which had to be decrypted, and it was written in assembly language, using "spaghetti code structure" that made it extremely hard for Boldewin to figure out what the software was actually doing.
Analyzing a rootkit is typically an evening's work for someone with Boldewin's technical skills. With Rustock.C, however, it took him days to figure out how the software worked.
Because it is so hard to spot, Boldewin, a security researcher with German IT service provider GAD, believes that Rustock.C had been around for nearly a year before antivirus products began detecting it.
This is the story with rootkits. They're sneaky. But are they a major threat?
In late 2005, Mark Russinovich discovered the most famous rootkit. A Windows security expert, Russinovich was baffled one day when he discovered a rootkit on his PC. After some sleuthing, he eventually discovered that copy protection software used by Sony BMG Music Entertainment actually used rootkit techniques to hide itself on computers. Sony's software wasn't designed to do anything malicious, but it was virtually undetectable and extremely difficult to remove.
Sony's rootkit became a major PR disaster for the company, which spent millions in legal settlements with users who were affected by the software.
Three years later, Russinovich, a technical fellow with Microsoft, still considers it the rootkit that caused the most trouble for computer users.
But the Sony rootkit presaged problems for the antivirus vendors too. The fact that none of them had even noticed this software for about a year was a serious black eye for the security industry.
Rootkits got their start on Unix machines years earlier, but at the time of the Sony fiasco they were considered the next big threat for antivirus vendors. Security researchers explored the use of virtualization technology to hide rootkits and debated whether a completely undetectable rootkit could someday be created.
But Russinovich now says that rootkits have failed to live up to their hype. "They're not as prevalent as everybody expected them to be," he said in an interview.
"Malware today operates very differently from when the rootkit craze was going on," he said. "Then... malware would throw popups all over your desktop and take over your browser. Today we're seeing a totally different type of malware."
Today's malware runs quietly in the background, spamming or hosting its nasty Web sites without the victim ever noticing what's going on. Ironically, though they are built to evade detection, the most sophisticated kernel-level rootkits are often so incredibly intrusive that they draw attention to themselves, security experts say.
"It's extremely difficult to write code for your kernel that doesn't crash your computer," said Alfred Huger, vice president of Symantec's Security Response team. "Your software can step on somebody else's pretty easily."
Huger agrees that while rootkits are still a problem for Unix users, they're not widespread on Windows PCs.
Rootkits make up far less than 1 percent of all the attempted infections that Symantec tracks these days. As for Rustock.C, despite all its technical sophistication, Symantec has only spotted it in the wild about 300 times.
"On the whole malware spectrum, it's a very small piece and it's of limited risk today," Huger said.
Not everyone agrees with Symantec's findings, however. Thierry Zoller, director of product security with n.runs, says that Rustock.C was widely distributed via the notorious Russian Business Network and that infections are most likely in the tens of thousands.
"Rootkits were used to hold access to a compromised target as long as possible and never had the goal to be spread widely," he said in an interview conducted via instant message.
In the end, criminals may be avoiding rootkits for a very simple reason: They just don't need them.
Instead of using sneaky rootkit techniques, hackers have developed new ways of making it hard for antivirus vendors to tell the difference between their software and legitimate programs. For example, they make thousands of different versions of one malicious program, jumbling up the code each time so that antivirus products have a hard time spotting it.
In the second half of 2007, for example, Symantec tracked nearly half a million new types of malicious code, up 136 percent from the first half of the year. Security experts say that this situation is even worse in 2008.
"The stuff that we run across is not that complicated," said Greg Hoglund, CEO of HBGary, a company that sells software to help customers respond to computer intrusions. "Most of the malware that's out there nowadays... doesn't even attempt to hide."
For example, one of HBGary's customers was recently hit by a targeted attack. The bad guys knew exactly what they wanted and, after breaking into the network, swiped the information before the company's incident response team could even get there, Hoglund said. "It was very clear that the attackers knew that they would get away with the data so quickly that they didn't even have to hide."
The entire membership list of the British National party has been posted on the internet, identifying thousands of people as secret supporters of the far right and exposing many to the risk of dismissal from work, disciplinary action or vilification.
Around 13,500 names and home addresses were posted on a website late on Monday evening, apparently by a disgruntled member of the party's own leadership.
As well as names and addresses the list includes the home and mobile phone numbers and personal email addresses of BNP members. It is thought that the list may include lapsed members of the party and the names and addresses of people who have expressed an interest in joining the party, but have not signed up. Many of the members' occupations are listed, revealing a small number of police officers, two solicitors, four ministers of religion, at least one doctor and a number of primary and secondary school teachers.
Last night the BNP's spokesman Simon Darby said the police had been called in to investigate the data security breach. Describing the posting as "malevolent and spiteful" he said: "This isn't a question of us mislaying the information, this is theft."
The BNP list also included the names and ages of children who have become members of the party after a parent has taken out a family membership, and several people who have joined the party at the age of 16.
Against the name of a woman said to be a serving police officer and living on the Wirral, Merseyside, for example, is the note: "Discretion required re employment concerns - police officer", along with the names and ages of a number of her children.
Other notes against the names of individuals include: "Discretion requested (employment concerns), government employee, IT consultant" and "activist (discretion requested), teacher (secondary school)".
The BNP is known to go to considerable lengths to conceal the identities of members. Membership lists are held on computer spreadsheets, usually by an official based in York. He sends limited lists to local organisers as encrypted attachments to emails which can be accessed only by officials who have been given a password.
The BNP conceded that very few people would have had access to its full membership list. The party said that the list was not up-to-date, featuring no members who had signed up since late 2007, and claimed that it included the names of people who had never been members of the party. The party also said it had obtained an injunction earlier this year at the high court in Manchester to prevent the misuse of its membership list.
The BNP's leader, Nick Griffin, confirmed on the party's website that much of the list was genuine, and that it contained data that was stored at some point between November 30 and December 2, 2007. He added: "This latest attack is not really directed against our own people, who are already tough-minded and know that nothing ever comes of this sort of bluster, so much as against the thousands of [members of the UK Independence party] who are thinking of joining us.
"It probably will frighten some of them, but it's water off a duck's back to the stout hearts of the British National party."
Last night, internet chat rooms frequented by British supporters of the far right were buzzing with anger, indignation - and considerable alarm. One typical posting said: "The most shocking thing is some of the comments by the names! God help anyone who is in the army, the prison service, healthcare, a police officer or a teacher."
It is thought that the information commissioner, who enforces the Data Protection Act, may investigate the matter, looking not only at the posting of the membership list, but at the amount of information that the BNP has been storing about its members.
A spokesperson for the Information Commissioner's Office said: "Following media reports that the personal details of BNP members have been incorrectly disclosed, we will be contacting the party to establish the full facts. We will then decide what action, if any, is appropriate.
"We encourage all organisations to alert the Information Commissioner's Office if they discover a security breach has occurred."
The membership list reveals that the BNP has a handful of members in Australia, one in Oman and around 17 living in the United States. Strangely, some of the members' hobbies are also listed. One gives her occupation as "holistic therapist" and her pastimes as "metaphysics, cartoon drawing". Another lists his hobbies as "fantail doves, koi carp, gardening".
There are also one or two insights into reasons that people have left the party. Against the name of one lapsed member from Gillingham, Kent, is the note: "Objects to being told he shouldn't wear a bomber jacket."
The Defense Department's geeks are spooked by a rapidly spreading worm crawling across their networks. So they've suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.
The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to "floppy disks," is supposed to take effect "immediately." Similar notices went out to the other military services.
In some organizations, the ban would be only a minor inconvenience. But the military relies heavily on such drives to store information. Bandwidth is often scarce out in the field. Networks are often considered unreliable. Takeaway storage is used constantly as a substitute.
The problem, according to a second Army e-mail, was prompted by a "virus called Agent.btz." That's a variation of the "SillyFDC" worm, which spreads by copying itself to thumb drives and the like. When that drive or disk is plugged into a second computer, the worm replicates itself again — this time on the PC. "From there, it automatically downloads code from another location. And that code could be pretty much anything," says Ryan Olson, director of rapid response for the iDefense computer security firm. SillyFDC has been around, in various forms, since July 2005. Worms that use a similar method of infection go back even further — to the early '90s. "But at that time they relied on infecting floppy disks rather than USB drives," Olson adds.
Servicemembers are supposed to "cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware," one e-mail notes. Eventually, some government-approved drives will be allowed back under certain "mission-critical," but unclassified, circumstances. "Personally owned or non-authorized devices" are "prohibited" from here on out.
To make sure troops and military civilians are observing the suspension, government security teams "will be conducting daily scans and running custom scripts on NIPRNET and SIPRNET to ensure the commercial malware has not been introduced," an e-mail says. "Any discovery of malware will result in the opening of a security incident report and will be referred to the appropriate security officer for action."
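The e-mails above describe the worm's spreading pattern (a copy placed on the removable drive, launched when the drive is plugged into the next PC) and the "custom scripts" that scan for it. The following is an added example of what such a scan might look like; it is not code from the article or from any DoD tooling. It assumes the lure is an autorun.inf at the drive root that names an executable on the same media (the mechanism Agent.btz used), uses an empty placeholder in place of real known-bad hashes, and constructs its two sample drives in a temporary directory so it runs offline.

```python
"""Audit a removable-media mount point for the autorun-style propagation
pattern described for SillyFDC/Agent.btz.  Added example, not the article's
code.  Assumptions: the lure is an autorun.inf at the drive root naming an
executable on the same media; KNOWN_BAD_SHA256 is an empty placeholder, not
real indicators; the two sample drives are constructed in a temp directory.
"""
import configparser
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}
KNOWN_BAD_SHA256 = set()  # placeholder: a real deployment loads vetted digests here


@dataclass
class Finding:
    drive: Path
    autorun_targets: list = field(default_factory=list)
    present_executables: dict = field(default_factory=dict)  # target -> sha256 hex
    known_bad: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An autorun.inf that launches an executable stored on the media itself
        # is the "copy to drive, run on the next PC" pattern the article describes.
        return bool(self.present_executables)


def _program_from_command(value: str) -> str:
    """Strip arguments from an autorun command, honouring a quoted program path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun_targets(inf_text: str) -> list:
    """Return the distinct program names an autorun.inf would run or open."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            # 'open', 'shellexecute' and 'shell\<verb>\command' all name a program;
            # configparser lower-cases option names for us.
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                program = _program_from_command(value).lstrip(".\\/")
                if program and program not in targets:
                    targets.append(program)
    return targets


def scan_drive(drive: Path) -> Finding:
    """Scan one mount point; file names are matched case-insensitively."""
    finding = Finding(drive=drive)
    inf = next((p for p in drive.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return finding
    finding.autorun_targets = parse_autorun_targets(inf.read_text(errors="replace"))
    for target in finding.autorun_targets:
        wanted = target.replace("\\", "/").lower()
        candidate = next((p for p in drive.rglob("*") if p.is_file()
                          and p.relative_to(drive).as_posix().lower() == wanted), None)
        if candidate and candidate.suffix.lower() in EXECUTABLE_SUFFIXES:
            digest = hashlib.sha256(candidate.read_bytes()).hexdigest()
            finding.present_executables[target] = digest
            if digest in KNOWN_BAD_SHA256:
                finding.known_bad.append(target)
    return finding


def build_sample_drives(base: Path):
    """Construct two fake mount points: one clean, one carrying an autorun lure."""
    clean = base / "clean_usb"
    clean.mkdir()
    (clean / "report.docx").write_bytes(b"constructed document contents")
    lure = base / "suspect_usb"
    lure.mkdir()
    (lure / "AUTORUN.INF").write_text(
        "[AutoRun]\nopen=setup.exe\n"
        'shell\\open\\Command="setup.exe" /quiet\n'
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    )
    (lure / "setup.exe").write_bytes(b"MZ constructed placeholder, not a real binary")
    return clean, lure


def demo() -> dict:
    """Build the constructed drives in a temporary directory and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, lure = build_sample_drives(Path(tmp))
        return {p.name: scan_drive(p) for p in (clean, lure)}


if __name__ == "__main__":
    for name, finding in demo().items():
        status = "SUSPICIOUS" if finding.suspicious else "clean"
        print(f"{name}: {status}; autorun targets: {finding.autorun_targets}")
```

Pointing `scan_drive` at a real mount point (for example `/media/usb0` or `E:\`) gives the same `Finding` for that drive; the digest is recorded so that it can be compared against a vetted blocklist rather than judged by file name alone.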
"The USB ban should be effective in stopping the worm," Olson says. Asked if such a widespread measure was a bit of overkill, Olson responded, "I don't know."
"I know this [is an] inconvenience," e-mails one Michigan Army National Guardsman. "This has been briefed to the CoS [Chief of Staff] of the ARMY. This is not just a problem for Michigan, and is affecting operations around the world. This is a very serious threat and should be treated as such. Please understand that this is a form of attack, and we need to have patience in dealing with this issue."
President-elect Barack Obama's embrace of online video and social networking may have propelled him to victory, but unless he's careful, his administration could be brought down by the same sloppy security problems that have plagued MySpace, Facebook, and dozens of other Web 2.0 properties.
A cursory look at Change.gov and MyBarackObama reveals enough amateur mistakes to make even the most ardent supporters wonder just who in the heck is in charge of security. For one, the content management system for both of the sites is easily accessible to anyone. And as far as we can tell, neither page is protected by Secure Sockets Layer - the "s" following a web address's "http" that assures you the connection is encrypted.
Security 101 would dictate that pages this sensitive should be restricted to select internet protocol addresses, or at the very least, encrypted to prevent so-called man-in-the-middle attacks. There are no such protections on Change.gov or MyBarackObama, the latter suggesting that this lack of attention to security has been allowed to persist for some time now.
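One way a defender would check whether the two controls named above (a source-IP allowlist and TLS for administrative pages) are actually in effect is to audit the web server's access log for admin requests that arrived over plain HTTP or from outside the allowlist. The block below is an added example, not code from the article or from the sites' operators: the log format (client IP, scheme, quoted request line, status), the admin path prefixes and the allowlist ranges are assumptions, and the log lines are constructed.

```python
"""Audit web access logs for administrative pages reached without the controls
the article calls for: a source-IP allowlist and TLS.  Added example; the log
format, ADMIN_PREFIXES and ADMIN_ALLOWLIST are assumptions and SAMPLE_LOG is
constructed (RFC 5737 documentation addresses).
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed nginx-style custom log line: client ip, scheme, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<scheme>https?) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
ADMIN_PREFIXES = ("/admin/", "/wp-admin/")  # hypothetical CMS back-end paths
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

SAMPLE_LOG = """
203.0.113.15 https "GET /admin/posts HTTP/1.1" 200
198.51.100.7 http "POST /admin/login HTTP/1.1" 302
192.0.2.44 https "GET /admin/ HTTP/1.1" 200
192.0.2.44 http "GET /wp-admin/edit.php?post=1 HTTP/1.1" 403
203.0.113.99 https "GET /blog/hello HTTP/1.1" 200
"""


@dataclass(frozen=True)
class Violation:
    ip: str
    path: str
    status: int
    reasons: tuple


def is_admin_path(path: str) -> bool:
    """Match on the path only; the query string is not part of the decision."""
    return path.split("?", 1)[0].startswith(ADMIN_PREFIXES)


def ip_allowed(ip: str) -> bool:
    """CIDR membership check, so the allowlist can hold whole office ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def audit(lines) -> list:
    """Return one Violation per admin request that broke either control."""
    violations = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_admin_path(m["path"]):
            continue  # unparseable or public-page request: nothing to decide
        reasons = []
        if m["scheme"] != "https":
            reasons.append("plaintext")  # credentials and session cookies exposed in transit
        if not ip_allowed(m["ip"]):
            reasons.append("source-not-allowlisted")
        if reasons:
            violations.append(Violation(m["ip"], m["path"], int(m["status"]), tuple(reasons)))
    return violations


def served(violations) -> list:
    """Violations the server actually answered (2xx/3xx), i.e. the control is missing,
    as opposed to requests it already refused."""
    return [v for v in violations if 200 <= v.status < 400]


if __name__ == "__main__":
    found = audit(SAMPLE_LOG.splitlines())
    for v in found:
        print(f"{v.ip} {v.path} -> {v.status}: {', '.join(v.reasons)}")
    print(f"{len(served(found))} of {len(found)} violating requests were served")
```

A 403 in the sample shows the difference between a request the server refused and one it served: the latter proves the control is absent, the former only that someone tried.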
Even more troubling is the discovery that administrative pages for both sites are linked to Google Analytics. This is a hard configuration to make sense of. It means that Google, a private company with important business before the US government, has complete administrative access to one of the government's most important websites. It would also appear to run contrary to this privacy policy pledging "not to make Personal Information available to anyone other than our employees, staff, and agents."
The failure of Obama's webmasters to follow anything remotely like best practices is more than a little troubling because it suggests they don't fully grasp the security realities of living in a Web 2.0 world. Miscreants have been all too happy to exploit weaknesses in Facebook and MySpace even when they amount to little more than pranks. Imagine the damage that could be done by someone publishing an errant blog post or malicious hyperlink to the website belonging to the President of the United States.
Then consider this: If Change.gov were to be breached by miscreants, it wouldn't be the first time an Obama website has been hacked. As previously reported, the campaigns for both Obama and his Republican rival John McCain were penetrated by sophisticated overseas attackers who stole large amounts of information. You'd think that would have been enough to give the Obama camp religion about the importance of good computer hygiene, but evidently not.
We left messages for Obama's press contacts, but had not received any response by the time of publication. We similarly reached out to Blue State Digital, the company that designed the CMS for Change.gov, but no one was available to speak with us late Wednesday afternoon. At some point, it would be nice to know if the system has been audited by an outside security firm. If anyone gets back to us about that, we'll be sure to update this article.
In the meantime, remember that for all Barack Obama's talk about change, his Web 2.0 security posture so far seems to be more of the same.
A man taken into custody on suspicion of theft last week has admitted that he is a hacker working for the terrorist Kurdistan Workers' Party (PKK), police investigators said Wednesday.
A police search of a computer belonging to R.Ç., 20, who was stopped in Diyarbakir on suspicion of theft, has revealed files containing classified information belonging to institutions including the General Staff and the National Intelligence Organization (MIT).
A search of the computer, seized coincidentally during a police raid against the sellers of stolen goods in Diyarbakir, revealed that the suspect had not only sent MIT documents to the PKK, but also had an "online friendship" with Murat Karayilan, the commander of PKK militants in northern Iraq. R.Ç. was arrested on Nov. 14 on charges of "acquiring state secrets and confidential documents in the name of the PKK terrorist organization."
In his initial testimony, R.Ç. said the computer was his own and that he had downloaded the MIT file from a Web site "out of curiosity." As part of the expanded police investigation a search of the suspect's home was conducted, yielding many compact discs of domestic and foreign films. The police examined the discs' contents carefully and found that some of the CDs marked as films also stored classified information from the General Staff, MIT and other institutions.
However, in his testimony to a prosecutor during the week, R.Ç., a high school dropout and a self-taught computer genius, described in detail how he entered the computers of security forces and intelligence units using a computer virus named Poison Ivy, which he had developed. He said the contact between him and the PKK's Karayilan was established through a terrorist friend of his who resides in France. Sources also quoted R.Ç. as describing his acquaintance with Karayilan as: "I know Murat Karayilan through the Internet. I haven't seen him face-to-face."
The young man also said, "I wanted to confess everything I did because I thought the PKK would stage terrorist attacks killing innocent people using the information I gave them and because my conscience is uneasy."