Monthly Archives: December 2013

New DDoS malware targets Linux and Windows systems

Attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska). The malware was found by the Polish CERT at the beginning of December and the Linux version is being deployed following successful dictionary-based password guessing attacks against the SSH (Secure Shell) service. This means only systems that allow remote SSH access from the Internet and have accounts with weak passwords are at risk of being compromised by attackers distributing this malware.

“We were able to obtain a 32-bit, statically linked, ELF file,” the Polish CERT researchers said Monday in a blog post. The executable runs in daemon mode and connects to a command-and-control (C&C) server using a hard-coded IP (Internet Protocol) address and port, they said. When first run, the malware sends operating system information — the output of the uname command — back to the C&C server and waits for instructions.

“From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target,” the researchers said. “One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack.” While executing an attack, the malware provides information back to the C&C server about the running task, the CPU speed, system load and network connection speed.
A variant of the DDoS malware also exists for Windows systems where it is installed as “C:\Program Files\DbProtectSupport\svchost.exe” and is set up to run as a service on system start-up. Unlike the Linux version, the Windows variant connects to the C&C server using a domain name, not an IP address, and communicates on a different port, according to the Polish CERT analysis. However, the same C&C server was used by both the Linux and Windows variants, leading the Polish CERT researchers to conclude that they were created by the same group. Since this malware was designed almost exclusively for DDoS attacks, the attackers behind it are likely interested in compromising computers with significant network bandwidth at their disposal, like servers. “This also probably is the reason why there are two versions of the bot — Linux operating systems are a popular choice for server machines,” the researchers said.

However, this is not the only malware program designed for Linux that was identified recently. A security researcher from the George Washington University, Andre DiMino, recently found and analyzed a malicious bot written in Perl after allowing attackers to compromise one of his honeypot Linux systems. The attackers were trying to exploit an old PHP vulnerability, so DiMino intentionally configured his system to be vulnerable so he could track their intentions. The vulnerability is known as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012, suggesting the attack targeted neglected servers whose PHP installations haven’t been updated in a long time. After allowing his honeypot system to be compromised, DiMino saw attackers deploy malware written in Perl that connected to an Internet Relay Chat (IRC) server used by attackers for command and control. The bot then downloaded local privilege escalation exploits and a script used to perform Bitcoin and Primecoin mining — an operation that uses computing power to generate virtual currency.
“Most servers that are injected with these various scripts are then used for a variety of tasks, including DDoS, vulnerability scanning, and exploiting,” DiMino said Tuesday in a blog post that provides a detailed analysis of the attack. “The mining of virtual currency is now often seen running in the background during the attacker’s ‘downtime’.” DiMino’s report comes after researchers from security vendor Symantec warned in November that the same PHP vulnerability was being exploited by a new Linux worm. The Symantec researchers found versions of the worm not only for x86 Linux PCs, but also for Linux systems with the ARM, PPC, MIPS and MIPSEL architectures. This led them to conclude that the attackers behind the worm were also targeting home routers, IP cameras, set-top boxes and other embedded systems with Linux-based firmware. Source: http://news.idg.no/cw/art.cfm?id=41695C7E-ED43-55A5-51306549A5A0A129
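The Linux bot above is dropped only after SSH password guessing succeeds, so the earliest defensive signal is the guessing itself in the sshd log. The following script is an added example, not code from the CERT Polska or DiMino analyses: it flags sources that reach a burst of failed logins and notes when such a source later logs in successfully. The log lines, host name, addresses and user names are constructed; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format. Host name, source addresses
# (RFC 5737 documentation ranges) and user names are made up for this example.
SAMPLE_AUTH_LOG = """\
Dec  9 03:14:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec  9 03:14:02 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51023 ssh2
Dec  9 03:14:02 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Dec  9 03:14:03 web1 sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Dec  9 03:14:04 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51026 ssh2
Dec  9 03:14:05 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Dec  9 03:20:40 web1 sshd[2301]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Dec  9 03:21:15 web1 sshd[2305]: Accepted publickey for alice from 198.51.100.20 port 40011 ssh2
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def detect_dictionary_attacks(log_text, threshold=5, window_s=60):
    """Flag every source address that produces `threshold` failed logins within
    `window_s` seconds, and record whether a login from that source later
    succeeded (the point at which a bot like the one above would be deployed).

    Returns {ip: {"failures": total_failed, "users": set_of_tried_users,
                  "success_after_burst": bool}}.
    """
    recent = defaultdict(deque)       # ip -> failure timestamps inside the window
    failed_total = defaultdict(int)   # ip -> all failures seen so far
    tried_users = defaultdict(set)    # ip -> user names attempted
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            failed_total[ip] += 1
            tried_users[ip].add(m["user"])
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # expire old failures
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"success_after_burst": False})
                a["failures"] = failed_total[ip]
                a["users"] = tried_users[ip]
        elif ip in alerts:
            # A successful login from a source already flagged for guessing is
            # the strongest signal that the guessing worked.
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, users tried "
              f"{sorted(info['users'])}, later success: {info['success_after_burst']}")
```

Feed it `journalctl -u ssh` or `/var/log/auth.log` on a live host; a flagged source with `success_after_burst` set is the case to treat as a compromise rather than mere noise.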

DDoS botnet spreading on Linux and Windows machines

A blended DDoS botnet consisting of both Windows and Linux machines has been detected by researchers working with the Polish CERT. The botnet is exclusively dedicated to mounting DDoS attacks, main…

DDoS attacks lead to 18 percent of data center outages

Maintaining top-of-the-line server performance is a delicate balancing act between power consumption, user accessibility and a variety of other factors both physical and abstract that can affect how well employees do their jobs or how quickly and effectively IT-related tasks are accomplished. Yet in many cases, even the most stringent attempts to keep the data center operating without issue can run afoul due to external forces. In the past, distributed-denial-of-service (DDoS) attacks were a small fraction of the reasons that businesses experienced outages in their IT infrastructure. However, recent findings from the Ponemon Institute reveal that they now account for 18 percent of these problems. This is up from only 2 percent in 2010, when Ponemon last studied the phenomenon.

Data centers get caught in the cross-fire

Often enough, these attacks are not even targeting data centers, 451 Research analyst Eric Hanselman told Network Computing. Rather, hackers are attempting to shut down the applications hosted in the IT infrastructure, and the servers become collateral damage in the process. Furthermore, due to the heightened sophistication of DDoS attacks, which are now both faster and more effective due to the amount of traffic that can be generated, these assaults are even harder to stop or recover from than ever. “It appears that these attacks are much more frequent and more difficult to contain than other root causes of data center outages,” Larry Ponemon, founder of the privacy and security think tank that bears his name, said in an email interview with Network Computing.

Preventative measures begin with server monitoring

Due to the problems associated with these attacks, decision-makers should try and stop them as early as possible. Noticing suspicious activity before it causes an outage can help immensely, but that requires businesses to implement server monitoring tools that can notice suspicious activity such as an uptick in traffic.
“The most surprising factor was the lack of readiness or preparedness of companies,” Ponemon told Network Computing. “In general, we found several companies completely unprepared to deal with this type of outage event.”

The high cost of a DDoS-based outage

Those companies that fail to prevent or ready themselves for a DDoS-based outage may find themselves paying $822,000 on average to deal with the problem, second only to the average cost of outages caused by equipment failure ($959,000), according to Network Computing. This is more than double the expense of dealing with problems originating with human error, which typically only amount to $380,000. These costs relate to lost work time, reduced revenue and the repairs themselves, though overall business disruption amounts to 80 percent of the expenses. While an outage may not be quite as expensive to a smaller business, one could cause relatively similar amounts of damage, and all companies should be ready to quickly get back on their feet after these types of incidents. “The cost of unplanned downtime – whether it is the entire data center or one rack of servers – can be a huge unplanned cost for most organizations,” Ponemon told Network Computing.

While Ponemon noted that businesses should expect a data center outage at some point, companies should still strive to minimize the possibility of a breach or attack. Putting in the proper safeguards and having a robust disaster recovery plan in place can reduce the amount of time that servers spend out of service. By implementing the right tools to notice and stop suspicious activity that may be the result of a DDoS attack, decision-makers may also potentially prevent about one-fifth of possible outage causes. Source: http://copperegg.com/ddos-attacks-lead-to-18-percent-of-data-center-outages/

Mozilla blocks rogue add-on that made computers scan sites for flaws

A singular new botnet composed of over 12,500 infected computers has been used by its masters to effectively crowdsource the search for websites vulnerable to SQL injection attacks. As explained …

The Year DDoS Got Real for CUs

Before 2013, Distributed Denial of Service attacks seemed to many credit union executives as something the other guys worried about. The prevailing attitude was: We’re not on anyone’s radar. We aren’t on anyone’s enemies list. Why worry? Then came January 2013 when the $1.6 billion University Federal Credit Union in Austin, Texas, and Patelco, the $4 billion Pleasanton, Calif. credit union, both acknowledged they had been knocked offline for some hours. Many big banks were taken down at the same time, in attacks claimed by al Qassam Cyberfighters, an organization that many allege is sponsored by the Iranian government. A month later, in February, both institutions were taken down another time, again in attacks claimed by al Qassam. Many banks also fell victim a second time. There were also dud DDoS attacks, such as a much-ballyhooed May 7 attack – which saw institutions fearfully running for cover from an attack said to be planned by OpUsa, a hacktivist group affiliated with Anonymous – but it amounted to nothing. As the year progressed, there were more reports of DDoS used as a diversionary tactic by criminals who sought to distract financial institution security staff with website attacks as they busied themselves perpetrating high-value wire thefts. There have been no such cases publicly linked to credit unions, but there are multiple cases linked to banks. How many credit unions have been taken down by DDoS? That number is unknown. Patelco and University were named in Internet postings by al Qassam, thus their attacks became public knowledge. The NCUA, for its part, requires credit unions that have been “significantly affected by DDoS” to notify the NCUA or their state regulators. When asked in October for the number of credit unions that had filed reports, the agency shared data showing two outages. But the regulator did not indicate that it believed that tally to be complete. CUNA Mutual, at the same time, indicated it had no count whatsoever of DDoS outages. 
No one really knows how many credit unions were attacked by DDoS in the year but one fact did seem to emerge. “DDoS has become a perennial, it is here to stay in the threats universe,” said Charles Burckmyer, president of Sage Data Security, a firm that claims several hundred financial institutions as clients. Just what is DDoS? The question is good, because the answer is tough to give. That’s because the format of DDoS shifted dramatically in 2013, said Rodney Joffe, senior technologist at Neustar, an Internet analytics company that also offers DDoS mitigation services. Early in the year, Joffe recalled, DDoS sought to wipe out victim websites by targeting them with huge volumes of traffic – generally assembled using resources stolen from zombie computer botnets where the machine owners have no clue their devices are digital slaves to criminals. So those targets – such as Patelco and UFCU – went down because they were overwhelmed. But DDoS attacks and mitigation strategies continually evolve, said Joffe. When one side jigs, the other responds. That showed up as many financial institutions signed up with third-party mitigation companies to provide emergency “pipe” – Internet bandwidth – to be able to deflect volume-based attacks. So the attackers switched to hitting victims with an avalanche of requests for services that had the effect of using the target computers to in effect tire themselves, noted Stephen Gates, chief security evangelist of Corero Network Security. A classic, for instance, is hitting a financial institution website with many requests for a password reset, probably for non-existent members, but the institution’s computer still is forced to go through so many motions it may become unavailable to genuine users. Pierluigi Stella, chief technology officer at security company Network Box USA, elaborated: “The (DDoS criminal’s) query is usually less than 100 bytes; the reply can be tens of thousands; so the hacker gets an amplification factor of 100. 
For each packet of 100 bytes the hacker sends out, you get hit by 10,000 bytes.” Multiply that by maybe several hundred queries per second and it is easy to see why this attack has proven so successful in 2013, suggested Stella. The cure, said experts, is to deploy tools that in effect scrub all data as it comes into the system. Bad data is sidelined, authentic data is passed through, and while that is easier to prescribe than it is to implement in practice, experts agreed that DDoS mitigation companies took large strides in 2013 towards building tools that in fact scrubbed incoming data with high success rates. The bad news: Nobody thinks today’s DDoS format will be tomorrow’s, and no one knows what criminals will unleash in the months ahead. Maybe the jackpot question is, how well protected are credit unions when it comes to fending off DDoS, especially as it morphs into different formats? Have they invested in state-of-the-art protections? Not very many have made those investments, said multiple experts contacted by Credit Union Times. Few credit unions will discuss their DDoS defenses on the record but off the record some have indicated that their defenses are thin. Many hope that their vendors – for Internet banking or their Internet service provider – have adequate protections in place to keep the credit union itself also protected. DDoS will remain part of the threats landscape, said multiple experts, mainly because it is effective, it is inexpensive, and it is increasingly easy to deploy. As long as it gets results, criminals will continue to use it, said Joffe. Nonetheless, he flatly predicted that we will not see more of the al Qassam-style, high-profile attacks that won headlines early in 2013. “Those attacks were politically motivated but they accomplished nothing,” said Joffe. Other experts agreed, pointing to changes in Iranian politics and a recent thawing in relationships with the United States. 
The upshot is that the al Qassam attacks may in fact be history, meaning there may not be more days when several dozen financial institutions are taken offline in a brazen show of Internet power. “But we will see more DDoS because it works,” said Joffe, and he specifically predicted more use of it as a diversion because if a security staff can be distracted for a half-day, that may be ample time for a wire transfer to move money out of the United States and through several hops into a destination country where funds are unlikely to be returned. Gartner analyst Avivah Litan – one of the experts who first reported the use of DDoS as a diversion – noted in an interview that good policy would be to “slow” wire transfers at times when the institution found itself under a DDoS attack. Her opinion is that simply slowing down transaction speed might sharply reduce losses. At least until the criminals figure out a new strategy – and that is a big takeaway from the 2013 DDoS saga. “This is an arms race that is no different from any other arm’s race,” said Joffe. “As we add defenses, the criminals alter their attacks and so it goes on.” The good guys win, said Joffe, by making it expensive for the criminals, such as disrupting their botnet zombie networks. “If we can make it more expensive for them than the rewards they get from their DDoS, we win,” said Joffe. “This will be survival of the fittest,” he warned. Source: http://www.cutimes.com/2013/12/18/the-year-ddos-got-real-for-cus?ref=hp

Week in review: Cryptolocker copycat, CyanogenMod's built-in SMS encryption, NSA uses Google cookies to track suspects

Here's an overview of some of last week's most interesting news and articles: The DDoS debate: Multi-layered versus single solution There is a DDoS debate in the cybersecurity industry about whi…

DDoS attacks escalate, businesses still unprepared

Many businesses are failing to take adequate measures to protect themselves against the threat of a DDoS attack. A Corero Network Security survey of 100 companies revealed that in spite of the repo…

Companies still ignore DDoS attacks

Just days after NatWest Bank suffered a debilitating DDoS attack, a new survey has revealed that most businesses are still unprepared for this kind of threat. More than half the respondents to a survey by Corero lack adequate distributed denial-of-service (DDoS) defence technology. The study also reveals a lack of DDoS defence planning on multiple levels: nearly half of businesses have no formal DDoS response plan, 54 percent have outdated or non-existent network maps, and around one in three lack any clear idea of their normal network traffic volume. Furthermore, the survey slates businesses for under-investing in their security infrastructures, with around 40 percent of respondents still relying on firewalls, while nearly 60 percent do not test their DDoS defences regularly with network and application-layer tests.

However, experts warn that DDoS attacks are escalating and say that they can cause not only business disruption but also loss of IP, significant brand damage and a loss of customer confidence. Mike Loginov, CEO and CISO at independent security consultancy Ascot Barclay Group, told SCMagazineUK.com that figures from his firm and others show sharply rising numbers of successful DDoS attacks, adding: “These attacks are not necessarily undertaken by the perpetrator with financial gain in mind. However, they still leave the targeted business suffering costly damage repairs, loss of business and an undermining of the organisation’s capability to defend itself. Many attacks go unreported for fear of brand damage.” Andrew Miller, CFO and COO at Corero, which carried out the latest survey, agreed the threat is growing but stressed that companies are still not doing enough to protect themselves.
“These denial-of-service-attacks (DDoS) are increasing and becoming more complex, but we’re still not seeing companies increasing their vigilance, investment and planning,” he told SCMagazineUK.com. “Across the board companies really need a combination of infrastructure investment, but more importantly putting in place plans to be able to detect what’s traversing companies’ networks.” Loginov agreed: “Generally speaking, IT departments, as the report suggests, are just not geared up to defend organisations against what cyber security professionals these days consider rudimentary attacks.” Miller said companies need “hybrid DDoS and cloud protection” but added that currently only “a small percentage” of companies have these defences in place. “What we’re seeing the more proactive customers doing is deploying a combination of both on-premises technology to provide 24/7 protection from denial of service attacks, as well as cloud protection services to deal with the high-volume ‘fill the pipe’ network-layer DDoS attacks – a combination of solutions rather than a single solution.” These warnings come just days after NatWest Bank was hit by a DDoS attack that left customers unable to access their accounts online. The 6 December attack disrupted NatWest’s website for about an hour and briefly hit the websites of the other banks in the RBS Group – RBS and Ulster Bank. The attack was focused on disruption rather than accessing account details. But Miller said organisations need to “understand it’s not just inconvenience, we’re talking about some loss of IPR. In the case of RBS, it’s obviously a significant issue from a brand and customer satisfaction perspective”. Miller added: “Denial of service attacks are often used as a smokescreen, a way of initially gaining entry into IT systems through a brute force-type attack, then following on from that the more sophisticated attacks which are aimed either at stealing customer information or intellectual property. 
We’re seeing banks in the US we’re talking to subject to these types of attacks on a daily basis.” In a statement to journalists, Jag Bains, CTO of DOSarrest Internet Security, said: “The transparency shown by RBS in admitting that they failed to invest properly in their IT systems is a common refrain amongst many enterprises, large and small. While each organisation may have multiple reasons for failing to invest, they all share the same notion that they won’t be a target until they get attacked. “With DDoS tools becoming more advanced and pervasive, all IT operations should work under the premise that they will be attacked and plan accordingly. Every stack and layer within their purview should be reviewed and they should identify cost-effective cloud solutions for their DDoS which provides much better performance and mitigation than expensive hardware.” The DDoS attacks on RBS came in the same week as an unrelated major IT failure, which hit the Group’s online and mobile banking, ATMs and debit card payments. As SCMagazineUK.com reported, RBS, NatWest and Ulster Bank customers were unable to use their cards to draw cash or pay for goods or services. RBS CEO Ross McEwan branded the outage as “unacceptable” and blamed decades of failure to invest adequately in new technology. Source: http://www.scmagazineuk.com/companies-still-ignore-ddos-attacks/article/324844/
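The Ponemon article above calls for monitoring that notices an uptick in traffic, and the Corero survey here finds that around one in three businesses has no clear idea of its normal traffic volume. As an added example that belongs to neither article, the script below derives a robust baseline (median and median absolute deviation) from per-minute request counts and flags minutes that break out of it; the sample counts, history length and multiplier are constructed assumptions.

```python
import statistics

# Constructed per-minute request counts for one web front end, made up for this
# example: a stable baseline of roughly 400 requests/min, then the kind of
# sudden uptick a volumetric or application-layer flood produces.
SAMPLE_REQUESTS_PER_MINUTE = [
    410, 395, 430, 402, 388, 415, 421, 398, 407, 412,
    399, 418, 405, 392, 425, 401, 396, 420, 1450, 3900,
]


def robust_baseline(counts):
    """Median and median absolute deviation (MAD) of a traffic history.

    Both are robust statistics: a few flood minutes that have already entered
    the history do not drag the baseline up the way a mean and standard
    deviation would, so the alert keeps firing while the flood lasts.
    """
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts)
    return med, mad


def traffic_upticks(counts, history=12, k=6.0, min_mad=1.0):
    """Flag each minute whose count exceeds median + k * MAD of the preceding
    `history` minutes. `min_mad` stops a perfectly flat history from producing
    a zero-width band. Returns [(index, count, baseline_median), ...]."""
    alerts = []
    for i in range(history, len(counts)):
        med, mad = robust_baseline(counts[i - history:i])
        if counts[i] > med + k * max(mad, min_mad):
            alerts.append((i, counts[i], med))
    return alerts


if __name__ == "__main__":
    for minute, count, med in traffic_upticks(SAMPLE_REQUESTS_PER_MINUTE):
        print(f"minute {minute}: {count} req/min against a baseline of {med:.0f}")
```

The same function works on bytes per second from a router counter or connections per second from a load balancer; only the history and the multiplier need tuning to the source.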
