SANS ISC: InfoSec Handlers Diary Blog

Estonia, Botnets, and Economic Warfare

Published: 2007-05-21
Last Updated: 2007-05-21 21:38:32 UTC
by John Bambenek (Version: 1)
Now that the Estonia cyber attacks have waned somewhat, a wealth of discussion is being had on the implications of electronic warfare. Arbor Networks has a good technical analysis available on this. In this case, Russia tends to be blamed for the attacks, over a row between Estonia and Russia about a Cold War-era statue. My personal hunch is that this is more of a case of hacktivism. There was plenty of protest and boycotting from the pro-Russian side to indicate that plenty of people were spun up with fervor over the issue and willing to put their botnets to work. Running a botnet and firing off an ICMP DDoS isn't difficult to pull off compared to, say, poisoning a critic with Polonium 210. This is more likely a case of a bunch of people getting really torqued off and wanting a piece of the action (call it the "Blue Security treatment").

However, now that this has happened on a national scale, there will likely be more large-scale incidents of hacktivism trying to take down organizations in the wake of some political or social controversy. I'd bet money that we'll see some of this on a larger scale around the 2008 general election in the United States, certainly if the candidates are in any way controversial. Since botnets are only growing and will likely branch away from IRC-based controllers to other, quieter methods, it'll be a persistent problem for a long time... at least as long as it takes for us to figure out how to harden consumer PCs, which often have no protection at all and are the low-hanging fruit for gibbering packet apes wanting to spew ICMP love.

John Bambenek - bambenek /at/ gmail (dot) com

AusCERT 2007 Update

Published: 2007-05-21
Last Updated: 2007-05-21 21:38:14 UTC
by Mark Hofman (Version: 1)
Johannes, Marc and I are currently at the AusCERT Conference on the Gold Coast in Queensland, Australia. It brings together a number of speakers from all over the world and is attended by over 1100 delegates. I'll be summarizing some of the information here. Both Johannes and Marc gave their presentations today, and both were very well attended and received.

The keynote today was delivered by Ivan Krstić (One Laptop Per Child). Ivan's presentation was thought-provoking for many of the attendees. One of the ideas he presented is that the security industry as a whole has failed our users. We are asking people to make decisions that they really should not have to make; take, for example, the bad-certificate warning that we are all familiar with. The majority of users will click Yes or OK because that makes things work. One of the problems, Ivan suggests, is that we are living with a concept from 1971: user-based permissions. "Why do programs have to run with the permissions of the user?" he asked us. Programs typically do not need the same permissions as the user; for example, Minesweeper does not need to download files, and calc does not need to save files.

Another thought he presented was that in the security industry we don't look enough into the past. Better models than the user-permissions model were available as far back as 1959. When scientists need answers they often look into the past to see what has gone before. In security it seems that everything is a new idea, even though it has been done before. Virtualisation, for example, is a hot concept, but to ex-mainframe people like myself it is certainly not a new one. It has been around for years, and is done well.

Ivan also talked about one of the solutions they developed (Bitfrost) to have a system that can run any code, malicious or not, without damaging the underlying system: basically using virtualisation for each piece of code, essentially a sandpit for each program. An interesting talk and a good start to the day.

Toxbot Takedown
Scott McIntyre (FIRST, KPN-CERT, XS4ALL) presented on the Toxbot takedown. An entertaining presentation where he not only demonstrated his aptitude in Australian, but also showed us some home truths regarding the size and complexity of this botnet. Toxbot received quite a lot of press, with a large number of bots and the perpetrators eventually ending up with jail sentences and fines. The presentation went into some of the numbers of machines infected, which, by the way, is very high, as well as information on the number of machines that are still infected today. He discussed the large number of variations and how new exploits were tagged on to the malware as they became available. Scott also went into the PHP attacks seen and how botnets use both legitimate IRC services and their own C&Cs. He also suggested that many ISPs can do a lot better in the incident handling and security space, which makes commercial sense for them as customers increasingly ask for this.

Exploits, rootkits, bootkits, fruitkits!
Paul Ducklin (Sophos) showed people some static malware analysis tricks and pulled apart the ANI exploit, explaining that a number of the exploits we see succeed because IE will blindly execute things that it "trusts".

More tomorrow.
