Kelihos appears again with a new variant as many researchers have discovered. The variant enables it to remain dormant on the machine with sinkholing techniques, and other rootkit-style operations. It hides domains, and does many other things to conceal itself, as researchers have discovered.
This is the third attempt for the Kelihos botnet. When it got shutdown back in 2011 by a collaborative effort between Kaspersky Lab and Microsoft, it was figured that it was a P2P botnet, which made it more difficult to shutdown completely all operations for the botnet. At least its main servers were cut off, but it didn’t stop the malware from spreading since tons of blackhats still had the malcode on their own server/computer.
Researchers at Deep End Research and FireEye have new samples that have been analyzing, and after some impressive research, it was found that the Kelihos network is back on the rise.
“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.
Experts are trying to discover the new roots, and another takedown may be in order. This is insanity.
Could there be a “cyber 9/11”? Would there be an all-out cyberwar happening right now? There is a war going on, a cyber one at that, going on here in the states. If you work for a defense contractor, bank, train and plane transportation providers (also including RTAs and other digitally-depending transportation methods), power company, water and utilities plants, etc. are in direct line of fire of potential cyberwar problems.
A brewing cyberwar has been going on in the past year, and usually people view it as governments going head to head (like it would in actual wars). However, there is more of a cyberwar against governments, corporations, and of course the entities we named above.
With seeing government threats, like Stuxnet, Flame, etc., to cybercrime units like Red October, Rustock, even Virut/Waledec – seems like the threat is getting out of hand. With the use of tactics like from these malware powerhouses, our worry for a severe (life-threatening) attack should be a lot greater…mainly to the fact that the US should seriously prepare itself.
“The cyber war has been under way in the private sector for the past year,” says Israel Martinez, a board member of the U.S. National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.
“We’re finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it’s ever detected,” Martinez says.
Martinez studies different issues, such as US entities being targeted by fronts from China, Iran for intellectual property theft to other cybercrimes such as stealing identities or cash.
When we look at Stuxnet for example, the US and Israel crafted it jointly to disrupt Iranian nuclear facilities. Problem here is, doing that may have just been a provoking edge to the cybcerwar for Iran to develop something else and revenge. Doing this caused Iran then, to strike back with cyber attacks on US banks. Some have thought Iran was behind the Shamoon virus as well, which wipes out 30K hard drives and taking computers offline at Saudi Aramco for several weeks.
Defense firms in the US are hoping that some of the Fortune 500 cybersecurity companies have a good plan to counterattack and defend for the US to these opponents.
The Pentagon has come back with newer accounts of management for this cyberwar by planning to increase cybersecurity teams. The Senate is continually pushing for legislation for information sharing on threats and cyber attacks. President Obama prepares to issue executive order on cybersecurity, so the Department of Defense is looking for a massive increase in the number of trained cybersecurity personnel helping to defend our country’s public and even private networks.
The government has had trouble in the past looking for the right personnel, since most are employed by agencies that don’t discuss operations publicly (due to the risk of the information getting in to the wrong hands). The Pentagon is planning to push up the number of security professionals up to 5,000 in the next few years (which is up from a little under 1,000). They’re hoping for both military and civilian security personnel to join up, so the diversity helps the US prepare for any issue.
Expect a better take charge situation by corporate, government, and private firms in this cyberwar situation!
Virut is being targeted now in an effort of allied security forces. Virut is a very dangerous botnet, which when infecting your computer can cause irreversible damage to your files, can steal a lot of personal information, and cause you to lose almost all of your data.
(Our security arm, SecuraGeek Forums, published an article helpful to users about Virut a few years ago, here.)
This takedown effort involved researchers of Poland’s Computer Emergency Response Team (CERT), Russian CERT-GIB, and the Spamhaus Project that aimed at disrupting the operations of the Virut botnet, which involved 300,000 some infected machines.
In December, the Spamhaus Project helped to work against all the domains owned in the Virut botnet, and attempted to have them shutdown. Most of the domains, if not all, were registered under the .pl cc TLD. However, the gang behind the botnet moved all of the malicious domain names toward a new registrar called home.pl.
The botnet’s operations were limited a bit during this time, when NASK (Research and Academic Network) in Poland, began to move on the infrastructure of this botnet. The NASK operates the Poland CERT and is the national registry of the .pl domain. Therefore, its presence in this situation is very important.
“In past few days, Spamhaus has been in close contact with the sponsoring registrar (home.pl), the Polish Computer Emergency Response Team (CERT.pl) to get the domain names suspended,” Morrison blogged Jan. 19. “In cooperation with the Polish CERT and the registrar home.pl, we managed to get all the Virut domain names within the .pl ccTLD sinkholed.”
“In addition, Spamhaus reached out to the Austrian CERT and the Russian-based Company Group-IB CERT-GIB to shut down the remaining Virut domains within the .at and .ru ccTLDs,” he added. “In cooperation with Spamhaus, and due to the evidence and intelligence provided by Spamhaus, CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours.”
Symantec researchers have noted that the maintainers of Virut are also involved with the Waledac botnet. The evidence is due in part to the malware writers behind both botnets using affiliate programs to spread the threats. It’s been noted also that Virut has helped to spread malware such as TDL, Zeus, and others. Also, Symantec warned that Virut had been used to redeploy Waledac. Problem is, the Waledac botnet was seized by Microsoft in 2010. So, redeploying that botnet is opening up the fields for lots of trouble.
As this takedown has occurred, three dozen domain names have been seized in total, with no sign (to researchers) of them starting back up on a different network. Since domains are so critical in the infrastructure, it’s going to be difficult for the malware writers to orchestrate a new plan.
For the past five or so years, domains like ircgalaxy.pl, zief.pl, etc. were used by the botnet…now are seized! It’s not exactly clear how NASK will affect the future operations of Virut, but right now, things are looking good and steady!
The question that many have had on their minds is if mobile devices will become a source of DDoS attacks. Whether mobile phones will be used as zombies is currently under speculation by many researchers, who say “It may be imminent.”
It can be figured due to the amount of trojans found on Android devices, how iOS devices got attacked, and Windows Phone being vulnerable. Trojans are masks that cover an legitimate looking program. Basically, a program appears to be legitimate, but has hidden features to do something different. Most of the time, either the trojan will steal data and mine some cash, or use your computer as a zombie (using your resources such as CPU, RAM, etc.) to launch a DDoS attack.
A distributed denial of service is used to cause a server to take too many requests that it cannot handle. This is usually done by blackhat hackers or cybercriminals to either protest a specific ideal, or just for fun.
A highly used DDoS tool by Anonymous called “Low Orbit Ion Cannon” (LOIC) was recently redesigned for use on the Android platform. The porting over to Android from the Desktop app took no programming skills. In fact, it’s easy to use old tools and port them over to Android.
With device manufacturers slowly releasing updates to device operating system, firmware, etc. – this leaves an open hole for exploit/cyberattack. Android is particularly vulnerable because of the ability to use ‘unknown source’ apps, or apps outside of the Google Play store.
Although, if it is thought out, it would take thousands of devices to be able to have the power to construct a DDoS attack. However, this would make it a lot simpler for a pre-constructed attack, that can come from many countries – thus making it hard to trace the origin of the attack(s).
It is sure that as carriers and app developers are distributing e-wallet apps, the ability to rob personal data, credit card, etc. will increase. Heads up!
Anonymous is not going away. Just wanted everyone to know that. It’s not a likely thing for them to disappear at all. From what McAfee made it sound like, is that Anonymous was low-key and not a big threat. However, it is to be disagreed with. They could strike crazy at any time with a hacking attack.
Their year-in-review video details what they have done, and it is clear they have similar plans in 2013, if not more. Some are saying the next mission to finally carry out is “#OpNewBlood”. This is actually an old plan, but they’re still carrying it out. There are already tons of posts on Twitter discussing #OpNewBlood, and how many people can freely join Anonymous. Some have linked to how to set up chatting in IRC and how to be anonymous when browsing the Internet. Many recruiting efforts are underway, such as AnonyOnion. Can anyone LOL?
Their press release on AnonNews characterizes an “Expect Us 2013” banner. See for yourself. Apparently, a lot of the new operations would be led by @Crypt0nymous.
Anyway, back to the details about the video, it details info about the temporary shutdown of websites belonging to The US Department of Justice, the FBI, the Motion Picture Association of America – which were all in protest of the indictment of MegaUpload. Although the sites were temporarily down, it sent a message of protest against the US Government, in hopes to say that people still have a voice.
However, the hacktivism continues, and is showcased in the video. It shows newsreels of Anonymous’ intervention in Syria, when the Syrian Government shut down Internet access for a day. Apparently, from what also showed up in the video involved Anonymous’ “cyberwar” against the Israeli Government – when clearly it is a problem with Syria and other neighboring countries.
“The operations which are listed in the video are only examples, there are far more operations,” Anonymous wrote in the statement. “Some of them still running, like Operation Syria. We are still here.”
Despite such threats, and other details that Anonymous threw in the faces of the viewers of the video (with a lot of them saying F*CK YEAH!), many other underestimate their presence. But, what risk can we take in computer security? The first time we let our guard down, Anonymous will strike. They do it every time. Never let your guard down in computer security. McAfee: We’re calling out to you. Stop spreading the message giving people the idea that Anonymous is going to be less active or less threat. We don’t need anymore damage. The more we stay aware, the better protected we will be.
This “syncopathic” (goth jargon: syncope=fainting, pathic=motivation) approach is common for Anonymous…meaning they are silent (kind of when you faint), and then all of the sudden they jump up (motivate quickly) and go into hacking/activism.
Expect Anonymous or get a reality check! That’s all we’re saying here. It’s not worth the mess/damage to let your guard down.
46 US House of Representatives Republicans joined in a letter (PDF) to urge President Barack Obama not to issue the executive order on cybersecurity. The White House is currently drafting an executive order that encourages operators of critical infrastructures (like banks, power grids, etc.) to meet cybersecurity standards.
“Instead of preempting Congress’ will and pushing a top-down regulatory framework, your administration should engage Congress in an open and constructive manner to help address the serious cybersecurity challenges facing our country,” the lawmakers wrote.
The executive order is expected for release in January, which will help protect these vital systems from hackers. It’s highly important that this gets put into action, or the United States can see some issues happen such as power loss, plane crashes, train derailments, etc.
“This framework will work better than attempts to place the government in charge of overseeing minimum standards for industries seeking to invest in new and innovative security solutions,” the Republicans wrote.
The letter of urgency, led by Representatives Marsha Blackburn (Tennessee) and Steve Scalist (Louisiana) is aimed at helping to reduce the amount of government involvement in cyberwar, in hopes not to stir rages with hackers and other pests. However, if something isn’t done very soon, America as we know it could be in a lot of trouble.