STE WILLIAMS

Kelihos zombies erupt from mass graves after botnet massacre

Security researchers have warned that the resurrected Kelihos botnet blasted off the face of the web yesterday is still alive.

Experts not involved in the blasting say the miscreants behind the network of compromised Windows computers are working on their comeback. The zombie PC army was walloped offline in September, they say, yet later resurfaced.

Seculert reports that Kelihos-B, which was distributed as a Facebook worm over recent weeks, is still active and spreading – even after the shutdown attempt by CrowdStrike and Kaspersky Labs this week.

Seculert views this botnet as the undead remnants of Kelihos-B rather than the spawn of a new variant of the malware.

The findings suggest that sink-holing 109,000 backdoored machines infected with the spam-spewing and credential-stealing Kelihos Trojan may not have disabled the entire bot network.

“Very little time passed yesterday [Wednesday] between action being taken against the second Kelihos botnet and the appearance of a new variant said to be spreading via Facebook,” commented David Harley, senior research fellow at antivirus biz ESET.

“For the time being, the teams involved in the partial disabling of the Kelihos botnet have implemented another pretty good temporary fix.

“Sink-holing has twice reduced the effectiveness of Kelihos botnets by effectively disabling and diverting communications from infected machines to a system that is now under the control of the ‘good guys’. However, there’s a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.”

Harley added that the gang are in possession of the Kelihos source code, and can therefore tweak the malware to evade future attempts to neutralise it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/kelhios_bot_not_dead_yet/

ALL Visa cards blab punters’ names

Channel 4 News has been bothering contactless bank cards again, and managed to wirelessly extract the customer’s name from ANY Visa-branded card within a few centimetres.

Previously the programme had only demonstrated the technique on Visa cards issued by Barclays, and not all of those.

However ViaForensics (the company hired by Channel 4 News to do the leg work) has today demonstrated that it can lift the customer’s name from any Visa-branded card.

That’s important because without the name even Amazon won’t process payments. Retailers generally check the CVV code (the three-digit number on the back), which isn’t stored on the card chip so it can’t be lifted, and reputable shops should check the cardholder’s address too. However Amazon was caught skipping both those checks when the telly newshounds probed earlier this week.

Barclays told the programme that sharing the name was in an early, but still valid, version of the proximity-payment standard. Barclays was an early adopter of pay-by-bonk tech, and claims that sharing the name isn’t a significant security risk anyway: “If a retailer is processing payments without CVV codes, the name isn’t probably going to make a lot of difference,” the bank claimed.

Channel 4 News will cover the story this evening, at 7PM BST, but the details are already on its site. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/visa_cards/

Everything you thought you knew about cybercrims is WRONG

Assumptions about cyber-criminals are all wrong, according to a study that argues many fraudsters are middle aged and possess only rudimentary IT skills – contrary to the elite bedroom teen hackers portrayed in movies.

The research, led by criminologist Dr Michael McGuire of The John Grieve Centre for Policing and Security at London Metropolitan University, blames 80 per cent of cybercrime on your common-or-garden gangsters. Contrary to Hollywood film scripts, cybercrime is far from the preserve of tech-savvy youths – nearly half (43 per cent) of cyber-crooks are over 35 years old, and less than a third (29 per cent) are under 25.

More cyber-crooks (11 per cent) are over 50 than youngsters aged between 14 and 18, who make up only eight per cent of e-crims, according to the doctor and his team.

The study, sponsored by BAE Detica, is billed as the first comprehensive analysis of the nature of criminal organisations involved in e-crime. The document could help cops tackle banking fraud and other scams more effectively by challenging existing assumptions about the cyber-crook demographic.

The availability of crimeware, which can be easily distributed or purchased, means that everything from obtaining ready-made viruses that exploit the vulnerabilities of individual systems to running botnets of hijacked computers can be accomplished without any particular technical skills. Cyber-crooks are now just as likely to be street gangs, drug traffickers or established crime families as those traditionally associated with digital crime such as ID fraudsters or hacking syndicates.

The “deskilling” of cybercrime has allowed many traditional offline scams to be applied online. For example, money laundering has been extended to the creation of money mule networks to siphon funds from compromised web accounts, and the control of drugs markets has been applied in selling unlicensed medicines.

How many are in your gang?

Half the groups involved in cybercrime are made up of six individuals or more, with one quarter comprising 11 or more. However there’s little or no correlation between group size and the impact or scope of offending.

A small group of cyber-crooks can inflict huge financial harm against targeted institutions. And many cybercrime crews have been operating for months rather than years. A quarter (25 per cent) of active groups have operated for less than six months, the Organised Crime in the Digital Age study concludes.

The report reveals that certain clusters of criminal activity exhibit more organisation or structure than others, on a spectrum that extends from decentralised swarms through to highly organised hierarchies. In some cases, classic crime families have begun to move their offline activities into cyberspace – rubbing shoulders with extremist groups recruiting members online, and protesters coordinating riots using web tools.

Professor John Grieve, founder of the policing centre, commented:

To tackle the problem of digital crime and intervene successfully, we need to move away from traditional models and embrace this new information about how organised criminals operate in a digital context.

The research found evidence of many cases where there has been real success in closing down digital criminal operations. Growth in the digital economy will inevitably cause an increase in organised digital crime, however this need not be seen as an insurmountable problem. Rather, it is a predictable problem that – by better understanding the perpetrators and their working methods – we can meet head on.

The team of researchers who carried out the study combined seeking out information by hand with advanced search tools – such as Detica’s NetReveal Analyzer, a bit of gear designed to turn large amounts of structured and unstructured data into intelligence. Stage one of the research involved a review of evidence made up of over 7,000 documentary sources, including public and private documentation to analyse the technologies, activities, group characteristics and miscreants involved in cybercrime.

Then the team performed a demographic analysis of initial organisational patterns found in these sources, and compared the results with evidence from interviews with expert practitioners. Finally, a network analysis of the organisational patterns and activities that emerged at the earlier stages of the research process was carried out to arrive at the study’s final conclusions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/cybercrime_myths_exploded/

NSA’s top spook blames China for RSA hack

The director of the US National Security Agency has named China as the country behind last year’s high profile hack against RSA that resulted in the extraction of data related to SecurID tokens.

The information extracted in the March 2011 hack was later used in an unsuccessful attack against Lockheed Martin. Other US defence contractors, including L-3 Communications, were also rumoured to have been targeted but this remains unconfirmed.

RSA offered replacement tokens in the wake of the attack, which relied on a combination of spear phishing and malware that exploited a zero-day Adobe Flash vulnerability. Art Coviello, RSA’s executive chairman, went as far as blaming the attack on two organisations from the same country last October, without naming the prime suspects in the high-profile assault.

However, National Security Agency director General Keith Alexander went further on Tuesday during testimony before the Senate Armed Services Committee and named China as the prime suspect behind the RSA hack. He went on to say China is stealing a “great deal” of military-related intellectual property from the US, Information Week reports.

China has long been the prime suspect in the RSA hack but has never been named as such until this week. General Alexander’s statement is another clear sign that US authorities are going beyond diplomatic channels in an attempt to shame China into cutting back on its widely reported cyber-espionage program.

China, for its part, routinely claims that it is more spied against than spying. Beijing can be expected to take a similar line over the latest accusations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/nsa_blames_china_rsa_hack/

Sality botnet takedown plans posted online

Updated A self-described “law-abiding citizen” has posted attack plans against the Sality botnet on the Full Disclosure security mailing list, along with a tongue-in-cheek warning not to enact them since that would be illegal.

“It has come to my attention that it is not only possible but easy to seize control of version three of the botnet, and, more importantly, take it down. Sadly, doing so would require breaking the law. For this reason, I have to request that nobody perform the steps I am about to describe,” the author says, with more than a hint of irony.

The details of the plan are in an online archive and contain SQL injection tools that can be used to add a copy of an encrypted version of the AVG Sality removal utility into the botnet. It also has a Python script that, the author claims, will get an updated list of targets from the botnet’s P2P network. The author also suggests the paranoid should open the file via a locked down virtual system to avoid any possibility that this is a hoax designed to infect security researchers.

The posted plans are for attacking version three of the Sality code, but security companies report the botnet controllers have already started to upgrade to a new version, so even if the attack works, the effect would be muted. The current version installs a keylogger, VoIP cracking tools, spam relays, and some experimental malware combinations.

The Sality botnet is one of the bigger botnets, thought to be about the same size as Rostock, and was first spotted in June 2003, according to a recent white paper from Symantec. It was apparently named after the Russian town of “Salavat City”, although the command and control servers are thought to be in the US, UK, and the Netherlands.

There are removal tools out there for it, but some people aren’t using them. In terms of its hosts, Symantec reports over a fifth of the infected PCs that form the botnet are in Romania, with Brazil and India the next most common. ®

Update

An examination of the exploit package posted on Full Disclosure suggests it could work at taking down the Sality botnet, but could also be used to take it over and use it for other purposes.

“From what I’ve read, the attack looks valid, and if performed it’s likely that they would work – but whether it would be an efficient takedown or just give the operators a blip in the system I’m not sure,” Liam O Murchu, manager of operations for Symantec’s Security Response team, told The Register.

The attack seeks to inject a virus cleaning system into the botnet, essentially ordering it to wipe itself, but this isn’t necessarily the payload that could be used, he warned. If someone scripted their own attack code then it would be possible to take over those machines in the botnet and use them for any purpose. Stealing machines in this way is an increasingly common tactic in the malware industry, he said.

While there’s no way of knowing how many of the machines in the Sality botnet are still using the vulnerable version three of the malware, he cautioned against users taking the law into their own hands and attacking the botnet. The potential knock-on effects to infected systems and networks could be large, and this kind of behaviour has often caused more trouble than it solved in the past.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/sality_botnet_take_down_plans/

FBI nabs AWOL soldier for stealing Paul Allen’s debit card

An alleged US Army deserter has been charged with stealing the identity of Microsoft co-founder Paul Allen to run a bank fraud scam.

Brandon Price, of Pittsburgh, Pennsylvania, allegedly conned Citibank call centre workers into changing Allen’s address to that of Price’s modest home – as well as changing the phone number associated with his card – on 9 January. Days later he allegedly persuaded Citibank to send a replacement debit card in Allen’s name to the bogus address.

“An individual identifying himself as Paul Allen called the customer service department of Citibank. The caller stated that he had misplaced his debit card at his residence, but did not want to report it stolen. The individual then successfully ordered a new debit card on the account of Paul Allen and had it sent via UPS,” FBI agent Joseph J Ondercin explained in a criminal complaint (PDF).

The complaint fails to explain what personal information was used to successfully impersonate Allen. As a high-profile public figure, a great deal of personal information about Allen is in the public domain and his address and even social security number might not be hard to determine.

Citibank is defending its handling of the matter, pointing out the bank’s anti-fraud systems quickly spotted something was amiss and blocked further fraud. “Through our own security procedures, Citibank identified the actions of a fraudulent account take over and turned the matter over to law enforcement. We will continue to work with law enforcement in the ongoing investigation.” Catherine Pulley, a CitiBank spokeswoman, told Wired.

Prosecutors allege Price used the debit card the same day UPS delivered it, on 13 January, to make a $658 payment into his Armed Forces Bank loan account before unsuccessfully attempting to use it to pay for a wire transfer via Western Union and for attempted purchases from Gamestop and Family Value stores in Pittsburgh. All three of the latter transactions were blocked.

Price, who has been absent without leave from the US Army since June 2010, faces wire fraud and bank fraud charges over the alleged scam. He’s been held in federal custody pending a trial, the date for which is yet to be set. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/microsoft_co_founder_id_theft_scam/

Staggering Kelihos zombie army smacked down AGAIN

A resurrected incarnation of the infamous Kelihos botnet has been taken out.

The takedown operation – mounted by Kaspersky Lab’s experts, along with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project – follows six months after the original spam-spewing and credential-stealing botnet was dismantled in September 2011.

The original takedown seemed to have only re-energised the cybercrooks involved in the creation of the original zombie network, who then used adapted strains of the original malware to create a botnet THREE times the size of the original monster, boasting a zombie army of 109,000 infected hosts.

By comparison the original Kelihos botnet, decapitated thanks to a collaboration between security experts at Kaspersky Lab and Microsoft, was estimated at having only 40,000 infected hosts.

Despite the commendable success of the latest Kelihos botnet decapitation exercise, the crooks behind the zombie network remain at large and might well try to resurrect the botnet once again, perhaps to even more devastating effect.

It’s back …

Kaspersky Lab researchers first warned in January that although the original botnet had been successfully neutralised and remained under control, a new zombie network based on similar malware had sprung up to take its place.

“Although the second botnet was new, the malware had been built using the same coding as the original Hlux/Kelihos botnet,” a statement by Kaspersky Lab explains. “This malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft. Similar to the first version, the second botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets.”

The second Kelihos (Hlux) botnet – which also featured significant changes in the communication protocol and new “features” like flash-drive infection – was disabled using a sinkholing operation that began last week.

Pwning our P2P pals

Both incarnations of Hlux/Kelihos were peer-to-peer (P2P) type botnets, which means every compromised machine on the network can act as a server and/or client. As such Kelihos was able to operate without central command and control (C&C) servers. To neutralise the more flexible P2P botnet, security experts first infiltrated the botnet with a network of machines under their control. These imposters then instructed infected hosts to look for instructions at a sinkhole under the control of security researchers, effectively rendering infected machines inert.

Over a short period, the sinkhole network increased its “popularity” in the network, which allowed more infected computers to be brought under Kaspersky Lab’s control, while preventing the malicious bot-operators from accessing them. As more infected machines were neutralised, the P2P architecture caused the botnet’s infrastructure to “sink” as its strength weakened exponentially with each computer it lost control of.
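The infiltrate-then-outrank mechanism in the three paragraphs above, as an added toy simulation (not Kaspersky Lab or CrowdStrike code; the botnet graph, the peer-table format, the popularity scoring rule and the K=8 active-peer limit are constructed assumptions, not the real Kelihos protocol). It tracks, round by round, the share of bots whose every active peer is a researcher-controlled sinkhole:

```python
# Toy model of the P2P sinkholing described above. Added illustration, not
# Kaspersky Lab / CrowdStrike code: the botnet size, peer-table format and
# scoring rule are constructed assumptions, not the real Kelihos protocol.
import random

K = 8  # active peers each bot talks to (assumed, not the real Kelihos value)


def is_sinkhole(node):
    return node.startswith("sink")


def build_botnet(n_bots, n_sinkholes, seeded_fraction, seed):
    """Return ({bot_id: {peer_id: score}}, [sinkhole ids]) for a random graph.
    A fraction of bots has been infiltrated: the sinkholes appear in their
    tables as freshly seen peers (score 2) that outrank stale entries (score 1)."""
    rng = random.Random(seed)
    bots = [f"bot{i:03d}" for i in range(n_bots)]
    sinks = [f"sink{i:02d}" for i in range(n_sinkholes)]
    tables = {}
    for b in bots:
        peers = rng.sample([x for x in bots if x != b], K)
        tables[b] = {p: 1 for p in peers}
    for b in rng.sample(bots, int(n_bots * seeded_fraction)):
        for s in sinks:
            tables[b][s] = 2
    return tables, sinks


def active_peers(table):
    """Top-K peers by popularity score; ties broken by id so runs are deterministic."""
    ranked = sorted(table.items(), key=lambda kv: (-kv[1], kv[0]))
    return [peer for peer, _ in ranked[:K]]


def neutralised(table):
    """A bot whose every active peer is a sinkhole can no longer reach the
    operators: all of its job requests land with the researchers."""
    return all(is_sinkhole(p) for p in active_peers(table))


def run_round(tables, sinks):
    """One gossip round: every bot pulls a peer list from each active peer and
    bumps the score of every address it is told about. Sinkholes advertise only
    sinkholes; bots advertise their own active list. Responses come from the
    state at the start of the round so update order does not matter."""
    snapshot = {b: active_peers(t) for b, t in tables.items()}
    for b, table in tables.items():
        for peer in snapshot[b]:
            advertised = sinks if is_sinkhole(peer) else snapshot[peer]
            for p in advertised:
                if p != b:
                    table[p] = table.get(p, 0) + 1


def simulate(n_bots=300, n_sinkholes=K, seeded_fraction=0.05, rounds=40, seed=7):
    """Fraction of neutralised bots after each round; index 0 is the state
    right after infiltration, before any gossip. Once a bot is neutralised it
    only ever hears from sinkholes again, so the series never decreases."""
    tables, sinks = build_botnet(n_bots, n_sinkholes, seeded_fraction, seed)

    def fraction():
        return sum(neutralised(t) for t in tables.values()) / n_bots

    history = [fraction()]
    for _ in range(rounds):
        run_round(tables, sinks)
        history.append(fraction())
    return history


if __name__ == "__main__":
    for r, frac in enumerate(simulate()):
        print(f"round {r:2d}: {frac:6.1%} of bots now talk only to the sinkhole")
```

A bot with a single poisoned neighbour is not captured on its own, because its unpoisoned neighbours keep re-advertising real peers at the same rate; the takeover spreads once bots hear the sinkhole from two or more directions, which is the "popularity" effect the article describes.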

A few hours after security researchers started the takedown operation, around 21 March, the bot-herders tried to take countermeasures by rolling out a new version of their bot. However these attempts seem to have largely failed.

The sinkholing operation succeeded and the botnet has been rendered inoperable. With the majority of the botnet’s hosts connected to the sinkhole, Kaspersky Lab’s experts ran an audit to determine the geographical locations of compromised hosts. Kaspersky Lab has counted 109,000 infected IP addresses, the majority of which were located in either Poland or the US. Most (84 per cent) of the infected machines were running Windows XP.

The original Kelihos botnet takedown operation in September 2011 also involved a sinkholing operation. Kaspersky Lab worked with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech to disable the original botnet. At that time, Kaspersky Lab executed a sinkhole operation which cut the botnet and its backup infrastructure off from its command and control servers.

More details on the latest Kelihos takedown operation can be found in a blog post by Kaspersky Labs here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/resurrected_kelihos_botnet_dismantled/

Europe to assemble crack cyber-intelligence nerve centre

Brussels hopes to establish a European Cybercrime Centre within the continent’s police agency Europol by the start of January.

The centre proposed by the European Commission will focus on thwarting online banking fraud, attacks against smartphones, and large-scale coordinated assaults on public services and infrastructure. Other priorities will include protecting social network profiles, halting ID theft and combating the sexual exploitation of children online.

National police agencies, government-run organisations and private sector technology firms across many countries are already grappling with these problems, of course. Eurocrats want the proposed anticrime squad to act as an intelligence and co-ordination hub, as explained in this statement issued on Wednesday:

The centre would pool European cybercrime expertise and training efforts. It would warn EU countries of major cybercrime threats, of new ways to commit online crimes and identify organised cybercrime networks and prominent offenders in cyberspace.

The centre would also be able to respond to queries from cybercrime investigators, prosecutors and judges as well as the private sector on specific technical and forensic issues. It would provide operational support in concrete investigations and help set up cybercrime joint investigation teams.

In related news, a European parliamentary committee put forward a draft directive on Tuesday calling for criminal laws against computer hacking to be enacted across all EU countries, with the maximum penalty set at two years or more, or at least five years if there are aggravating factors – such as financial motivation or attacks that cause widespread disruption.

The proposal also calls for measures to make companies liable for attacks carried out for their benefit and the outlawing of hacking tools.

One man’s hacking tool is another man’s penetration testing utility, of course. Fortunately the fine print of the proposals recognises this distinction, as explained in a blog post by Rik Ferguson of Trend Micro here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/eu_cybercrime_hub/

Privacy campaigner blasts FTC’s federal limpness

The American Federal Trade Commission (FTC) is making a mistake by leaving web and data companies to regulate themselves, privacy campaigner the Electronic Privacy Information Center (EPIC) said today.

Responding to the FTC’s report Protecting Consumer Privacy in an Era of Rapid Change (PDF) published yesterday, EPIC said the FTC “mistakenly endorses self-regulation and ‘notice and choice’” as the way to protect consumers from companies skimming their personal data.

The report (covered by The Register here) lays out the “best practice” it hopes companies will follow to protect data, and pushes hard on “Do Not Track” recommendations.

EPIC has clashed with the FTC before, over Google’s new unified privacy policy: EPIC claims that the FTC should have probed Google over the changes.

EPIC also said that the FTC should explain why it doesn’t use its Section 5 authority to enforce its decisions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/27/ftc_report_relies_too_much_on_self_regulation/

ZTE winds down Iran biz after espionage claims

Chinese handset giant ZTE has been forced to clarify that it’s no longer touting for new business in Iran, but remained vague about allegations that it sold the country’s largest telecoms firm a nationwide internet and phone surveillance system.

Shenzhen-headquartered ZTE sold the state-run Telecommunication Co. of Iran (TCI) the kit in 2010 as part of a €98.6m (£82.4m) deal for networking equipment, according to a Reuters report last week which sourced contract documents and interviews with the people involved in the project.

The report claimed that the deal included the ZXMT system for monitoring voice, text messages and internet comms and is even referred to in ZTE marketing material as an “integrated monitoring system” and a “turnkey solution for lawful interception”.

It uses deep packet inspection to monitor, isolate and block internet traffic, the report continued.

While China is Iran’s biggest trading ally and has generally resisted calls for international sanctions, the report claimed that ZTE also sold TCI US products on a 900-page ‘packing list’ – including AV software, switches and monitors – which were subject to strict American sanctions on Iran.

ZTE has hit back with a statement which fails to mention TCI in particular but claims that the firm “always respects and complies with international and local laws wherever it operates”.

ZTE has provided standard communications and network solutions to Iran on a small scale. However, due to local issues in Iran and its complicated relationship with the international community, ZTE has restricted its business practices in the country since 2011. ZTE no longer seeks new customers in Iran and limits business activities with existing customers.

ZTE has strict internal audit and compliance policies in place. The company has a dedicated import and export control committee chaired by a senior executive. It also provides internal and external import and export compliance training to its employees.

The firm did not immediately reply to a request for clarification on whether these “standard communications and network solutions” may have included a surveillance system.

There was also no indication of exactly how ZTE is shrinking its business in Iran.

The case calls to mind similar problems Huawei has had relating to Iran. ZTE’s Shenzhen neighbour was also accused of selling monitoring technology to the Islamic state, this time by US lawmakers, and claimed to have voluntarily restricted its business activities with Iran.

Andrew Milroy, head of Frost & Sullivan’s Australian ICT practice, argued that it can be difficult to prove that tech equipment sold to states like Iran is ultimately being used for military or repressive purposes, but he added that “the market will take care of it”.

“The international community can’t force Chinese companies not to trade [with the likes of Iran] but they can put pressure on,” he told The Reg.

“Chinese firms like Huawei and ZTE recognise that Western markets represent one of their biggest opportunities for growth. They need to be very sensitive about dealing with countries in the line of fire from the West.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/zte_iran_sanctions/