
Exploiting Software Haking_ATTACK PATTERN - Part 2

Malware, Botnet and cyber threats, what is happening to the cyberspace?

This article proposes an analysis of the main cyber threats that worry security experts and that are profoundly changing cyberspace. The exponential growth in the number of cyber threats and attacks is confirmed by a wide range of statistics provided in reports published by the major security firms. The scenario is really frightening, due to the concomitant action of cyber criminals, hacktivists and state-sponsored hackers who are producing malware and botnets of increasing complexity.

Day by day we read about the discovery of new cyber threats that menace the integrity of users' machines: a multitude of agents developed by cyber criminals or by state-sponsored researchers that operate by stealing sensitive information and, in many cases, destroying their targets.
Every machine connected to the internet is exposed to a serious risk of being compromised, in many cases even with all the common defense systems in place, due to the exploitation of zero-day vulnerabilities.
There are several consequences of this diffusion of malware. First of all there is the economic loss of the entity hit by the cyber attack, but a cross effect must also be considered across many sectors of the social fabric, from small business to large industry.
Small business, for example, is one of the most damaged sectors: the budget reserved by companies for cyber security is usually limited, and the global economic crisis has worsened the situation, exposing businesses to continuous attacks, most of them undetected. But small business is directly linked to other sectors; in many cases small companies work directly as suppliers for large industry, and in the security chain they represent the weakest link that hackers hit to penetrate large organizations. A similar scenario is very common in the last wave of APT (Advanced Persistent Threat) attacks that has hit, for example, defense companies all over the world.

If small business suffers the attacks, governments and large industry are no better off: the diffusion of malware has increased impressively, both in the frequency of attacks and in the complexity of the malicious agents spread. The main purpose of this malware is cyber espionage; in fact sensitive information and intellectual property are the privileged targets of cybercrime and of foreign governments.
Thinking that cyber espionage malware is mainly developed by cybercriminals or governments is wrong: cyberspace is also crowded by malicious agents sold by legitimate companies for cyber espionage purposes. As denounced by Assange on his SpyFile web site, many legitimate companies are selling espionage products, acquired by private companies and intelligence agencies, to spy on competitors and opponents.
To provide an example, let's recall the discovery made by Doctor Web, a Russian anti-virus company, which in August detected a cross-platform Trojan horse able to gain full control of its victims and also able to render the system unusable. The agent, dubbed BackDoor.DaVinci.1, runs both on Windows and on Mac OS X, and what is singular is that the Mac OS X release for the first time implements rootkit technologies to hide malware processes and files. According to the information available on the internet, the trojan was designed by the Italian Hacking Team, a security firm specialized in the development of offensive solutions for cyber investigations.
The DaVinci malware is not a unique case; many companies are working on similar projects. FinFisher, for example, is another powerful cyber espionage agent, developed by Gamma Group, that is able to secretly spy on targets' computers, intercepting communications, recording every keystroke and taking complete control of the host. Unfortunately, although similar instruments are designed for justifiable purposes, such as support for investigations and the prevention of crime and terrorism, they are too easily sold to governments that use them ruthlessly for tracking and persecuting dissidents. Another factor contributing in a significant way to the rapid diffusion of malware and of dangerous botnets is the simplicity of acquiring bot agents on the web; a "malware as a service" model has also been consolidated, in which cyber criminals support the development of malicious networks for ordinary crime … a frightening alliance.
It's quite simple to find on the internet, and also in the Deep Web, forums and web sites published in the underground to exchange exploit packages that are continuously updated thanks to the collaboration of hackers and criminals. A new market is growing at an amazing rate, involving also young people who want to measure their capabilities in this fascinating field and who want to make easy money.

Cyberspace Today

The rapid evolution of cyber threats has motivated several security firms to publish data related to the diffusion of malware, providing useful information to private companies, to the CERTs of several countries and, of course, to end users.
In September Symantec published its report on cybercrime, "The yearly Norton Cybercrime Report", an interesting study on the evolution of cyber criminal activities and their impact on society. The report covers different technologies, including social networking and mobile, reporting the impact on final customers in economic terms.
The impact of cybercrime is worrying: 556 million victims per year, 2 in 3 adults have been victims of online crime in their lifetime, and the total economic loss is 110 billion, with an average cost per victim of $197.
The Asian region is the most affected by cybercrime: the global price tag of consumer cybercrime for China amounts to 46 billion, followed by the US with 21 billion and the European area with 16 billion. The highest numbers of cybercrime victims were found in Russia (92 percent), China (84 percent) and South Africa (80 percent). The technologies that have suffered the greatest increase in cybercrime are social networking and mobile; mobile users are very vulnerable to attacks, 2/2 adults use a mobile device to access the internet, and mobile vulnerabilities doubled in 2011 with respect to the previous year.
44% of users aren't aware of the existence of security solutions for mobile environments, and 35 of adults have lost their mobile device or had it stolen. Of particular concern is the improper use of social networks: wrong management of sessions, absence of validation of visited links and total ignorance of any security setting expose users to fraudulent activities.
15 percent of users have had their account infiltrated, and 1 in 10 have been victims of fake links or scams.
The report confirms that the cybercrime industry is a factory that knows no crisis and that moves amounts of money comparable to the revenue of a State.
One of the most dangerous threats for internet users, and also for the institutions that expose their services on the web, are botnets: millions of infected computers synchronized to conduct an attack against a specific target.
In the classic architecture each machine, named a bot, executes orders sent by a master unit called the bot master, which can instruct the various components of the malicious network to perform an attack or to exchange messages. The botnet model can be used for various purposes: in the military domain as a cyber weapon, in industry for cyber espionage, in cybercrime to steal sensitive information such as banking credentials.

The infection phase represents the recruiting of the machines through the diffusion of different types of malware, developed with specific and profoundly different characteristics. The most common way to build a botnet is to send the victims infected mails, containing a link to a compromised web site or carrying the malware agent as an attachment; once executed on the machine, it transforms it into a bot.
Usually the infected machines try to contact the C&C (Command & Control) servers to receive operational instructions. Botnets represent one of the most dangerous cyber threats due to their adaptive capabilities and their massive diffusion. Recent events have demonstrated that every platform can be attacked; one of the latest and most aggressive pieces of malware is the Flashback Trojan, created to conduct click fraud scams by hijacking people's search engine results inside their web browsers and stealing banking or login credentials. Of course, once the system is infected it can be used as part of a botnet, causing bigger damage.

Which is the status of botnet diffusion?

McAfee Labs proposed an interesting analysis of the phenomenon in the McAfee Threats Report – First Quarter 2012, which illustrates that the botnet threat is growing, creating great concern among security experts due to its diffusion: millions of compromised computers connected to the Internet are in fact used daily to carry out scams and cyber attacks. Security firms tracking the volume of messages exchanged between bots and command servers are able to examine the level of infection by the malicious agents. Overall messaging botnet growth jumped up sharply from the last quarter, mainly in Colombia, Japan, Poland, Spain, and the United States.
Behind the principal botnets there is the cybercrime industry, which is pushing the diffusion of malware to infect an increasing number of machines, but is also proposing new business models, such as botnet rental or the commerce of the agents for botnet creation. The business is reaching important figures in a short time, mainly due to the opportunities provided by the Deep Web.
In recent months experts at the AlienVault firm discovered a new service that offers cyber-attack tools and hosting as part of a malware-as-a-service offering. Once again cybercrime operates as an enterprise: the products proposed are tools for the organization of cyber attacks, such as malware spam, malware hosting, and the means to build up a complete command and control (C&C) infrastructure for the arrangement of botnets.
The service is called Capfire4 and it's a good example of C2C (Cybercrime to Cybercrime): it provides technological support to criminals who don't have the necessary knowledge to conduct a cyber attack or to arrange a cyber scam.
In the simplest way, users can access a web portal that offers the possibility of creating customized versions of malware, controlling the malicious architecture through a friendly management console used to coordinate the bots.

The few steps needed by a criminal without particular knowledge to create a botnet

But botnet creation is not only a prerogative of cybercrime; it is also considered in cyber warfare scenarios as a military option for offensive purposes or cyber espionage. By deploying a botnet it is possible to attack the nerve centers of a country: isolated attacks can target its critical infrastructures and create serious problems in areas like finance, communications and transport. That is cyber warfare; no matter whether behind the attack there is a foreign government or ruthless criminals, the risk is high and facing the threat has high priority.
The US government is taking the cyber threat related to botnets into serious consideration: recently administration officials belonging to U.S. President Barack Obama's team declared that the government had started the IBG (Industry Botnet Group), a coordinated project that involves private enterprises and trade groups.
One of the key features of the program is raising the level of awareness of the botnet world through the cooperation of government and the private sector.

Geography of cyber threats

Although cyberspace is known as a domain without borders, many studies have demonstrated that cyber criminal activities are mainly located in certain areas of the planet, and, as we can see, the victims of the attacks also have geographical features that make them attractive targets. The Kaspersky security firm has illustrated in a recent report that factors such as the economic level of a country, its Internet population and the security level of the nation concur to define a geography of attacks. These countries present sufficient security mechanisms to defend users, and the computer systems used are often equipped with the latest versions of operating systems, which incorporate mechanisms to prevent cyber attacks. According to Internet World Stats the level of Internet penetration in the US and Europe is very high; internet users in these areas actively use online services and cards associated with their bank accounts to pay for goods online:

• North America – 78.3%, 1st in the world.
• Europe – 58.3%, 3rd in the world.

Having to deal with advanced and updated defense systems, the crime industry is increasing the level of sophistication of its attacks and developing new technologies, mainly with the principal intent of making money. The Trojans spread are mainly used with the purpose of delivering or hiding malicious agents, or of stealing sensitive information, with specific reference to the banking sector.
The sector mainly attacked by cybercrime is the financial/banking one, in which the incidence of information theft is high. Some well-known examples of malware are Zbot (ZeuS) and SpyEye; both are universal Trojans that target the accounts of many banks and also e-pay services such as PayPal and eBay. Let's recall that usually these accounts are linked to bank accounts and are considered privileged targets: 34% and 9% respectively of all phishing attacks target them.
To have an idea of the business and of the related profits: in 2010, criminals who were later arrested had stolen $9 million from more than 600 accounts in three months using Zbot. The most effective vector for attacking European and American users is still the internet: in the first half of 2012, 80% of all infected computers were attacked in this way, and Italy and Spain are the most hit countries.
Criminals usually compromise users' machines in one of the following ways:

• Infecting legitimate sites
• Spoofing search engines
• Spreading malicious spam on social networking sites and on Twitter

The percentage of users exposed to Internet attacks (H1 2012):

• USA – 38.8%, 31st in the world;
• Germany – 28.8%, 101st in the world;
• UK – 36.8%, 42nd in the world;
• France – 36.3%, 44th in the world;
• Italy – 43.5%, 18th in the world;
• EU – 32.1%.

Another interesting result emerged from the research: although in Western Europe, Canada and the US there is a strong legal basis for combating malicious content hosted on web sites, 69% of infected code was hosted on servers located in these regions in the first half of 2012, corresponding to over half of the malicious programs on the Internet. The figures are not surprising: the majority of data centers providing failsafe hosting are located in these areas, and usually cybercriminals and hackers compromise such servers to obtain reliable hosting that also hosts legal sites, making their identification hard from a user's perspective. The report reveals that the domain zones .net, .com, .info and .org account for 44.5% of repelled attacks launched from malicious web sites on users located in North America and Western Europe. Users from the US, Canada and Western Europe are typically redirected to sites located in the domain zones of India (.in), Russia (.ru) and the Cocos Islands (co.cc).
You run ... I’ll get you, the eternal challenge

Although the level of alert of private companies, governments and security firms is high, the incidence of cyber threats is still too high; this is possible due to the increasing level of complexity of malware agents.
While security experts worldwide are searching for a common strategy to decapitate the botnets, the cybercrime industry is providing new efficient solutions to avoid any type of detection and mitigation.
We see different innovative factors in the menace posed by malware and botnet creators, such as new modular and destructive malicious agents, and also new botnets based on the P2P (peer to peer) communication protocol that do not rely on command and control (C&C) servers for receiving commands. The interesting feature is that P2P communication is used as a backup system in case the C&C servers are not reachable, creating an autonomous peer network in which each node can operate as a slave or as a master, giving orders to the other PCs and exchanging the information acquired illegally from the victims.
The major concern of security experts is related to the capability of many of these agents to exploit zero-day vulnerabilities, which makes detection of the agents practically impossible. But it is dangerous to attribute the success of the attacks only to the exploitation of unknown vulnerabilities; in many cases well-known vulnerabilities are exploited due to the absence of appropriate updates to the systems.
The Zeus case is not isolated: recently Kaspersky Lab, in collaboration with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, dismantled the second Hlux botnet (aka Kelihos).
This botnet had a scary size; it has been estimated that it was three times larger than the first Hlux/Kelihos botnet, dismantled in September 2011. Only 5 days after the operation, Kaspersky Lab had already neutralized more than 109,000 infected hosts. It is estimated that the first Hlux/Kelihos botnet had only 40,000 infected systems.
The event has demonstrated that it is becoming hard to tackle the new generation of botnets, due to the usage of peer-to-peer technology, also implemented in Kelihos. The new variant of the malware incorporates P2P technology to eliminate the need for a C&C server, avoiding detection and the immunization campaigns aimed at decapitating the malicious networks.
Another interesting improvement proposed by the cybercrime industry is the use of the Tor network in the botnet architecture, as discovered in September 2012 by the German security firm G Data Software, which detected a botnet with a particular feature: it is controlled from an Internet Relay Chat (IRC) server running as a hidden service on Tor. Although a similar choice presents some technical problems, related to the latency of the Tor network and the implicit difficulty of controlling the botnet, the advantage is the difficulty of localizing the command and control servers, due to the encryption of the connections inside the network and the unpredictability of the routing of the information.
The challenge between security firms and attackers is open, and it is fundamental to keep up the effort in the detection of and fight against cyber threats to avoid dramatic consequences.

The rise of Advanced Threats … the inadequacy of the defense

Are our defense systems adequate to respond to incoming cyber threats?
Unfortunately in many cases the cyber threats present a level of complexity that makes it possible to avoid common security measures. The security firm FireEye has released a report named "Advanced Threat Report", related to the first half of 2012, that provides an overview of the current threat landscape, evolving advanced malware and advanced persistent threat (APT) tactics, and the level of infiltration seen in organizations' networks today.
The report presents an alarming scenario: organizations are witnessing an impressive increase in advanced malware that is bypassing their traditional security defenses. These days we are reading a lot of news on agents that are able to elude common defense mechanisms, a problem that is afflicting all sectors, from defense to energy.
Organizations are facing a dramatic explosion in the diffusion of advanced malware, in terms of volume and also of effectiveness in bypassing traditional signature-based security mechanisms.
A statistic proposed by the security firm's report is that, on average, organizations are experiencing a staggering 643 web-based malicious events each week, incidents that result in the impairment of the targeted systems. This figure includes file-based threats, such as malicious executables or files that contain exploits targeting vulnerabilities in applications, delivered over the web and email. The figure does not include callback activities, which are very common on the web.
The graph shows the abnormal increase registered in the first half of 2012, which is greater than the number of infections per week of the entire previous year; the patterns of attack vary substantially by industry, in particular the healthcare and Energy/Utilities sectors increased by up to 100% and up to 60% respectively.
Conclusions

The fight against the proliferation of botnets, and more generally of any kind of malware, depends on some key factors, such as:

• The promotion of joint operations involving government agencies and the major private industry players. In this sense, some large companies have already embarked on close collaboration with governments, as in the case of Microsoft.
• A timely and methodical study of the evolution of the technological solutions on which botnets are based is fundamental. It is important to define a universally recognized set of indicators to deterministically qualify the threat and its evolution.
• Awareness of cyber threats and dissemination of best practices for the containment of infections.
• Approval of regulations and penalties, recognized globally, for those who develop or contribute to the spread of botnets. Unfortunately today, differing legislative frameworks represent an advantage for those who intend to commit a crime using these tools.

Despite the great effort and the increasing investments made by governments and private companies, many sectors still suffer the attacks of cybercrime; the situation is worrying because in many cases the cyber threats go undetected, causing serious damage. As demonstrated by the data provided, the number of compromised machines and infrastructures is increasing despite the adoption of security countermeasures.
Another fundamental step in the fight against malicious agents is the definition of a global agreement and of a global strategy against cybercrime, and of regulation on the use and diffusion of any kind of cyber tool by government agencies, from both legislative and operational perspectives …
In the meantime cyberspace is still too crowded!
