February 2016 Feature Article: DDoS and DDoeSn't
Table of Contents
DDoS and DDoeSn't
TalkTalk Scammers
ESET Corporate News
The Top Ten Threats
Top Ten Threats at a Glance (graph)
About ESET
Additional Resources
DDoS and DDoeSn't
David Harley, ESET Senior Research Fellow
DDoS and the Luck of the Irish…
…which seems to have taken a hit recently. In fact, several hits, at any rate in terms of DDoS (distributed denial of service) attacks.
The Irish Independent reports Multiple government websites down as servers under 'DDoS attack'. John Leyden, writing for The Register,
has also followed the story/stories, with his most recent (at the time of writing) article hinting at a link between attacks on the boards.ie
discussion forum, on the Irish National Lottery, and on government sites as reported in the Irish Independent. This speculation is probably
based on a pseudonymous claim that the first attack was the start of a 'national security audit'.
Misattribution and Misdirection
However, that message also claimed that the next victims would be 'news outlets and financial institutions'. It would be naïve not to
consider the possibility that a tip from a pseudonymous source might be deliberate misdirection, and it certainly seems highly improbable
that this might be some sort of officially-sanctioned testing.
It might, of course, be a highly unofficial group flexing its muscles at the expense of any target that takes its fancy. In that case, the
implicit link some articles have made with recent attacks on the BBC might, at a stretch, make a little more sense: the BBC's Rory Cellan-
Jones asserts that he's been contacted by a group in the US called New World Hacking. The group claims that its speciality is attacking
Daesh/ISIS/Islamic State, and that it was simply using the Beeb as a target in order to test the group's systems. Well, that's all right then.
However, it doesn't seem particularly likely that the same group would be carrying out unofficial testing on sites in Ireland.
The fact is, though, that at the time of writing we don't have enough information to establish links, or indeed much else. After all, the
details of the BBC incident remain misty (with a chance of goofballs), and as far as I know, links with other known attacks are speculative at
best.
The Lottery incident is at time of writing 'still under investigation'. And while I can't say for sure that it wasn't related to any of the other
incidents, I tend to equate a lot of DDoS with ransomware, since it's often used for purposes of extortion. That said, it can be used in other
motivational contexts such as hacktivism (which I guess would include attacks on fundamentalist sites), and even simple notoriety/hacker
kudos. Still, gambling sites are a classic target for extortion-related DDoS.
Show me the Money
I remember being somewhat taken aback in the early noughties to hear at some conference or other that security services were
expending a lot of resource on working with online casinos and such on mitigating DDoS attacks. That was at a time when DDoS was a
comparatively recent phenomenon, and the more highly-publicized attacks were against big companies like Microsoft, Yahoo!, eBay and
so on. So it wasn't the phenomenon itself that surprised me – after all, I'd been closely involved with a heavy-duty conference
workshop on mitigation techniques hard on the heels of Stacheldraht, Trin00 et al. – so much as the prioritization. Of course, it makes
sense for extortionists to go for gambling sites – as Willie Sutton might have said, that's where [quite a lot of] the money is – and indeed
they do. I did wonder if protecting such sites was the best use of tax dollars, though: I must have been more idealistic in those days.
DDoS and DDoeSn't
It does slightly concern me that several articles give contradictory and inaccurate information about what a DDoS attack is. So here's a
very terse summary.
DoS is short for Denial of Service – any service. It isn't necessarily an attack at all (you could call it a denial of service when a site stops
working properly because it can't handle the number of people trying to access it) but when it is – and that's when the term is most often
used – it frequently refers to an attack against a web site, with the result that legitimate users of whatever services are offered on the site
are no longer able to access those services, or access to the system and services is unreliable.
DDoS stands for Distributed Denial of Service. This is a DoS event where the attacks come from multiple systems: this is a common use for
systems compromised by malware which have become – normally without the knowledge of the owner – part of a botnet. A botnet is a
network of machines where agent software is installed that can be used to control their actions. (A botnet isn't necessarily malicious or
operated covertly by definition, by the way, but these days that generally is the case.)
A Trouble Shared
Sharing an attack (or other malicious action, such as a spam campaign) means that not only is the specific malicious action amplified (that
is, multiplied by the number of systems used), but the attack is harder to counter because of the Hydra-headed nature of the machines
from which it originates.
To take a simple example, one type of DoS attack is to keep sending requests for service to a site so that the site is overwhelmed by the
number of requests and unable to respond in a timely fashion (or at all) to a legitimate request. Even a single home computer can send
lots of requests per second. However, if the server is reconfigured to reject requests from that PC, the problem is resolved. But if the
malicious requests or packets (units of data) are being sent from thousands of PCs at the same time, breaking the connection with a single
PC doesn't help much, and it makes it harder to find the originator of the attack. That is, the person who's controlling the machines used
to implement the attack. In that case, the service provider has to find other ways of distinguishing malicious traffic from legitimate traffic.
Fortunately, there are many approaches to filtering out malicious traffic, but there are also many kinds of DDoS attack, so there is plenty
of work for security and network providers in that market.
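To make the single-source versus distributed distinction concrete, here is an added example in Python (not from the original article or from ESET). It runs two filters over constructed web-server access-log lines: a classic per-source rate limit, and an aggregate check on the request "fingerprint" (method, path and user-agent string). The first stops a flood from one machine; the second is one of the "other ways of distinguishing malicious traffic" once the same volume is spread over hundreds of sources. The log format is Apache/nginx combined format; all addresses, thresholds and agent strings are constructed for illustration.

```python
"""Why per-source blocking stops a single-source flood but not a distributed one.

Added example (not from the original article): constructed access-log lines in
Apache/nginx 'combined' format, a per-IP rate limit, and an aggregate
request-fingerprint check that still catches the distributed case.
All addresses, thresholds and agent strings are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (epoch_second, source_ip, fingerprint) per well-formed line; skip junk."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sec = int(datetime.strptime(m["ts"], TS_FMT).timestamp())
        yield sec, m["ip"], (m["method"], m["path"], m["ua"])


# --- constructed traffic -------------------------------------------------------
BASE_TS = "10/Feb/2016:12:00:00 +0000"
LEGIT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0"
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def log_line(ip, path, ua, ts=BASE_TS):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def legit_traffic():
    """Five real users (RFC 5737 documentation addresses), assorted pages, same second."""
    pages = ["/", "/results", "/about", "/", "/login"]
    return [log_line(f"198.51.100.{10 + i}", p, LEGIT_UA) for i, p in enumerate(pages)]


def single_source_flood(n=500):
    """One machine hammering /results n times within one second."""
    return legit_traffic() + [log_line("203.0.113.7", "/results", BOT_UA) for _ in range(n)]


def distributed_flood(n=500):
    """Same volume, but one request each from n different bots (100.64/10 used as filler)."""
    bots = [f"100.64.{i >> 8}.{i & 255}" for i in range(n)]
    return legit_traffic() + [log_line(ip, "/results", BOT_UA) for ip in bots]


# --- two ways of deciding what to block ----------------------------------------
def per_source_blocklist(lines, threshold=100):
    """Classic rate limit: block any IP sending more than `threshold` requests in one second."""
    counts = Counter((sec, ip) for sec, ip, _ in parse(lines))
    return {ip for (_, ip), n in counts.items() if n > threshold}


def fingerprint_blocklist(lines, share=0.5, min_requests=100):
    """Aggregate view: if one (method, path, user-agent) fingerprint makes up more than
    `share` of a second's traffic, block every source that sent it. This catches the
    distributed flood, at the cost of false positives if many real users share a
    fingerprint; production filters combine more signals than this one."""
    per_sec = Counter()
    per_fp = Counter()
    sources = defaultdict(set)
    for sec, ip, fp in parse(lines):
        per_sec[sec] += 1
        per_fp[(sec, fp)] += 1
        sources[(sec, fp)].add(ip)
    blocked = set()
    for (sec, fp), n in per_fp.items():
        if n >= min_requests and n / per_sec[sec] > share:
            blocked |= sources[(sec, fp)]
    return blocked


if __name__ == "__main__":
    for name, traffic in (("single-source", single_source_flood()),
                          ("distributed", distributed_flood())):
        print(f"{name}: per-IP limit blocks {len(per_source_blocklist(traffic))} source(s), "
              f"fingerprint check blocks {len(fingerprint_blocklist(traffic))} source(s)")
```

Run as a script, the per-IP limit blocks the one flooding address in the first case and nothing at all in the second, while the fingerprint check blocks the flooding address in the first case and all 500 bots (and none of the five real users) in the second. The fingerprint heuristic is deliberately crude: a bot herder who randomises paths and agent strings defeats it, which is why the article's point about "many kinds of DDoS attack" translates into many layers of filtering in practice.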
Opportunity, Means and Motive
We've already touched on a couple of the reasons someone might carry out a DDoS attack: extortion ("pay me or I'll blitz your website so
that people can't use it" – major sporting events often coincide with extortion demands) and hacktivism ("I don't like what your site
represents and I'm going to stop you doing it"). It's very common for groups of one political persuasion to attack sites owned by rival
groups or groups and organizations holding opposing opinions. In fact, this kind of tussle is what is often meant by the rather woolly term
'cyberwarfare'.
Other motives might include revenge, or damaging the reputation of a competitor and its ability to execute transactions. While it's more
common than it should be for 'legitimate' companies to pay a botmaster for DDoS attacks on their competitors, it's also common for
criminal gangs to use their resources against their criminal rivals.
Conclusion
To the everyday user, a DDoS attack is mostly an interesting news story, maybe the cause of some personal inconvenience if it stops him
or her accessing a particular service.
But there may be more to it than that. I've seen DDoS described as 'attacks without hacking'. I think what is meant by this is that a DDoS
attack isn't in itself used to install malware or steal data. (Though it can certainly be used in association with more intrusive kinds of
attack.) In any case, it can certainly involve sophisticated programming at some stage in the process – for example, the malware that is
used to infect a PC and recruit it into a botnet. And that means that it can affect you at a more personal level without your necessarily
being aware of it.
If your computer has been compromised by malware, it could be that it's being misused for a variety of malicious purposes, including
DDoS attacks. And that's before we even consider the direct impact that a malicious program might have on your own security, privacy,
and financial well-being.
So that's just one more good reason for being careful out on the Internet, being careful where you click, and running good security
software.
TalkTalk Scammers
Shaun Nichols reports for The Register on Indian call centre workers accused of harvesting data. The call centre in question is Wipro,
which provides services on behalf of TalkTalk, an Internet Service Provider in the UK.
According to TalkTalk's own statement, it has been
'…working with Wipro, (a call centre provider to TalkTalk and a number of other major businesses) and the local Police in Kolkata. Acting
on information supplied by TalkTalk, the local Police have arrested three individuals who have breached our policies and the terms of our
contract with Wipro. We are also reviewing our relationship with Wipro.'
It's not clear from that statement exactly what the breach was, though TalkTalk's own advice on scam phone calls, linked from the press
release, mentions suspicious behaviours in which TalkTalk does not engage:
We'll NEVER call, text, or send links and attachments over email asking to ‘remote connect’ to your computer, unless we have
had a specific request from you.
TalkTalk will NEVER call, text, or send links and attachments over email asking you to download software onto your PC, unless
you have previously contacted us, discussed and agreed a call back for this to take place.
For Channel 4 (that's the one in the UK), Geoff White links the arrests with a story from last December about 'a wave of thefts in which
scammers used the hacked data to impersonate TalkTalk staff.' However, the scam in this instance was more complex and even uglier
than the average 'your computer has a virus but we can fix it for you, for a fee' cold call. One of the victims told Channel 4 that the scammers
said they would send someone the next day to fix the problem, and that they would be paying her £200 'for her trouble.' However, they tricked her into
thinking they'd overpaid her, and thus into wiring £5,000 to someone in Bangkok. The mechanism behind the con is unclear, but the
article states that the scammers had hacked the victim's computer so that 'when she logged into her bank to get the refund, they tricked
her into thinking they’d overpaid her.'
If the December story is accurate, it suggests an interesting merging of a support scam with a direct hack against her system to implement
a variation on the classic 'overpayment scam' so beloved of 419 and other scammers. However, that story also links the scam to the
hacking of TalkTalk in November. White claims that Wipro's name came up when he was researching that story, though he doesn't say
that the Kolkata police investigation into Wipro is a direct result of the story.
The details remain murky – did the scammers in the December story use information from the November hack, or from the Wipro staff
currently under arrest? – but as Graham Cluley pointed out, with reference to the November hack:
"The truth is that even if the data taken from TalkTalk’s database isn’t in itself enough to commit identity theft, it can be used by criminals
to help them steal more information (there are already many reports of TalkTalk customers being contacted by scammers via the
telephone, pretending to be calling from the real company)"
It's interesting that the news is breaking at around the same time as there has been speculation about data records that may have leaked
from Dell and been misused subsequently by support scammers (as discussed in the January 2016 Threat Report). I'll be interested to see
how the stories develop over time, and whether any of that speculation is borne out.
[And indeed the Dell story has been developing, even if it's not yet entirely clear what has been happening: see my article for Infosecurity
Magazine on Support Scammers Targeting Dell Customers.]
ESET Corporate News
ESET placed for the first time in the “Visionaries” Quadrant of Gartner’s 2016 Magic Quadrant for Endpoint Protection Platforms
ESET announced that Gartner, Inc. has recognized it as a Visionary in the latest Magic Quadrant for Endpoint Protection Platforms, a
report published on February 1, 2016. ESET is positioned highest for its ability to execute in the Visionaries quadrant.
The latest report evaluated 18 vendors on 10 weighted criteria and placed ESET in the “Visionaries” quadrant, moving it from its previous
categorization in the “Niche Players” quadrant.
“We consider our positioning in the Magic Quadrant for Endpoint Protection Platforms by Gartner as confirmation of ESET‘s success in
delivering technologically advanced, market-leading IT security solutions that enable enterprises and SMBs to achieve more with their
businesses,” said Richard Marko, CEO at ESET. “We feel our continuous effort to deliver award-winning threat intelligence, balanced with
usability, performance and agility, has been recognized.”
The new Gartner Magic Quadrant report provides a comprehensive analysis of the top endpoint security vendors, and an overview of the
endpoint protection platforms market. The full report is available at http://www.eset.com/int/business/gartner-magic-quadrant-endpoint-platforms.
Highlighting British Expansion, ESET Opens Office in the United Kingdom
ESET continues to focus on its expansion in Western Europe and in the United Kingdom in particular. In February, ESET opened a sales and
distribution office in the UK by acquiring its long-term partner company there. In 2015, ESET acquired data encryption company DESlock,
which is also UK-based, highlighting ESET's focus both on market position and technology outreach.
“We have confidence that fusing the local ESET UK team with our global talent, its know-how and experience, creates the perfect mix to
strengthen our market position in Britain," says Richard Marko, CEO at ESET. The company has been present in the UK market for more
than a decade thanks to its relationship with its partner company. In line with ESET’s strategy, it recorded double-digit sales growth in the
UK in 2015.
Establishing a direct ESET office in the UK is part of the company's long-term strategy to boost market growth in EMEA's top IT security
market, the United Kingdom, and to continue year-on-year double-digit growth in sales. Along with the regional EMEA office ESET already
has, there are now eight local offices and research & development centres based in the European Union, as well as an extensive
network of European partner companies. The opening of the ESET UK office follows the establishment of a German office in 2013.
ESET Joins Campaign Supporting President Obama’s Call for Raising Cybersecurity Awareness
ESET has announced that it is joining technology industry leaders in supporting increased cybersecurity awareness and encouraging
consumer use of multi-factor authentication to improve online security. Together with Google®, Apple®, Facebook®, Amazon® and other
leading technology companies, ESET signed a letter to the National Cyber Security Alliance (NCSA) supporting President Obama’s effort to
increase awareness of key security steps that all Americans can take.
“ESET is committed to not just protecting users with our security products, but educating consumers and businesses so they can live safer
digital lives,” said Andrew Lee, CEO at ESET North America. “We look forward to continuing our work with the NCSA and industry partners
to reinvigorate our collective cybersecurity education efforts and raise awareness of multi-factor authentication.”
Using multi-factor authentication ‒ for example, a one-time code texted to a mobile device ‒ helps verify that a user has authorized access
to an account. Activating this technology is a simple way for consumers to protect their online identity and safeguard sensitive personal
data.
The Top Ten Threats
1. Win32/Bundpil
Previous Ranking: 1 Percentage Detected: 4.0%
Win32/Bundpil is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The
files are then executed and HTTP is used for communication with the command and control server (C&C) to receive new commands. The
worm may delete files with the following file extensions:
*.exe
*.vbs
*.pif
*.cmd
*Backup
2. LNK/Agent.BZ
Previous Ranking: 2 Percentage Detected: 3.24%
LNK/Agent.BZ is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is
similar in its effect to the older autorun.inf type of threat.
3. LNK/Agent.AV
Previous Ranking: 4 Percentage Detected: 2.0%
LNK/Agent.AV is another link that concatenates commands to execute legitimate code while running the threat code in the
background. It is similar in its effect to the older autorun.inf type of threat.
4. JS/TrojanDownloader.Nemucod
Previous Ranking: N/A Percentage Detected: 1.52%
JS/TrojanDownloader.Nemucod is a Trojan that uses HTTP to try to download other malware. It contains a list of URLs and tries to
download several files from those addresses. The files are then executed.
5. Win32/Sality
Previous Ranking: 8 Percentage Detected: 1.47%
Sality is a polymorphic file infector. When it is executed, it creates or deletes registry keys related to security applications on the
system and ensures that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah
6. HTML/iFrame
Previous Ranking: 6 Percentage Detected: 1.44%
HTML/IFrame is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL
location serving malicious software.
7. Win32/Ramnit
Previous Ranking: 10 Percentage Detected: 1.42%
This is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe (executable) files and searches
for htm and html files into which it can insert malicious instructions. It exploits a vulnerability (CVE-2010-2568) found on the system that
allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files
from a remote computer and/or the Internet, and run executable files or shut down/restart the computer.
8. JS/TrojanDownloader.Iframe
Previous Ranking: 5 Percentage Detected: 1.40%
JS/TrojanDownloader.Iframe is a trojan that redirects the browser to a specific URL location serving malicious software. The malicious
code is usually embedded in HTML pages.
9. LNK/Agent.BS
Previous Ranking: 9 Percentage Detected: 1.39%
LNK/Agent.BS is another link that concatenates commands to execute legitimate code while running the threat code in the background. It
is similar in its effect to the older autorun.inf type of threat.
10. HTML/ScrInject
Previous Ranking: 7 Percentage Detected: 1.35%
Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.
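The HTML/IFrame, JS/TrojanDownloader.Iframe and HTML/ScrInject entries above are generic detections of redirecting iframes and obfuscated scripts injected into web pages. As an added illustration (Python, not ESET's own detection logic, which is not published here), the scanner below walks an HTML page with the standard-library parser and flags two things: iframes that point to another host and are hidden by zero size or CSS, and inline scripts that carry common obfuscation markers such as `unescape(` or long runs of `%XX` escapes. The sample page, the host name `lottery.example`, the marker list and the size threshold are all constructed assumptions; legitimate pages can trip heuristics like these, so they are triage signals rather than verdicts.

```python
"""Heuristic scan for injected iframes and obfuscated inline scripts in an HTML page.

Added example (not ESET's detection logic): flags (a) iframes pointing off-site that
are hidden by zero size or CSS, and (b) inline scripts carrying common obfuscation
markers. Sample page, host name and thresholds are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION_MARKERS = {
    "eval(": re.compile(r"\beval\s*\("),
    "unescape(": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "long %XX run": re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),
    "long \\xNN run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


class InjectScanner(HTMLParser):
    """Collects (detection_name, detail) findings while parsing one page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._script = None  # buffer for the inline <script> currently open, else None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script" and "src" not in a:
            self._script = []  # external scripts (CDNs etc.) are not inspected here

    def handle_data(self, data):
        if self._script is not None:  # HTMLParser hands <script> bodies over unparsed
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code = "".join(self._script)
            self._script = None
            hits = [name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(code)]
            if hits:
                self.findings.append(("ScrInject", "inline script matches " + ", ".join(hits)))

    def _check_iframe(self, a):
        src = a.get("src", "")
        tiny = any(self._is_tiny(a.get(k)) for k in ("width", "height"))
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if src and self._offsite(src) and (tiny or hidden):
            self.findings.append(("IFrame", f"hidden off-site iframe -> {src}"))

    def _offsite(self, url):
        host = urlparse(url).hostname  # None for relative URLs, i.e. same site
        return bool(host) and host.lower() != self.page_host

    @staticmethod
    def _is_tiny(value):
        m = re.match(r"\s*(\d+)", value or "")
        return bool(m) and int(m.group(1)) <= 2


def scan_html(html, page_host):
    """Return the list of (detection_name, detail) findings for one page."""
    parser = InjectScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate same-site iframe, one hidden off-site iframe,
# one CDN script, one obfuscated inline script, one harmless inline script.
SAMPLE_PAGE = """<html><body>
<h1>Draw results</h1>
<iframe src="/widgets/draw.html" width="600" height="400"></iframe>
<iframe src="http://bad.example/load.php" width="0" height="0" style="visibility:hidden"></iframe>
<script src="https://cdn.example/jquery.min.js"></script>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F'));</script>
<script>var visitors = visitors + 1;</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "lottery.example"):
        print(f"{kind}: {detail}")
```

On the sample page the scanner reports exactly two findings: the zero-size iframe to `bad.example`, and the inline script that rebuilds an iframe tag from `%XX`-encoded text via `unescape`. The visible iframe, the CDN script and the plain counter script pass. A real engine would also follow the off-site URL and unpack the script, which is where the "generic" in ESET's description does the heavy lifting.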
Top Ten Threats at a Glance (graph)
Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this
month, with 4.0% of the total, was scored by the Win32/Bundpil class of threat.
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security
solutions for businesses and consumers. For over 26 years, the Company has continued to lead the industry in proactive threat detection. By
obtaining its 91st VB100 award in April 2015, ESET NOD32 technology holds the record number of Virus Bulletin "VB100" Awards, and has never
missed a single "In-the-Wild" worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest
consecutive string of VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other
testing organizations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile
Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the
world.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires
(Argentina), and Singapore; with offices in the United Kingdom, Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has
malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada),
Moscow (Russia) and an extensive partner network for more than 180 countries.
More information is available via About ESET and Press Center.
Additional Resources
Keeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources please visit the
ESET Threat Center to view the latest:
ESET White Papers
WeLiveSecurity
ESET Podcasts
Independent Benchmark Test Results
Anti-Malware Testing and Evaluation