STE WILLIAMS

Microsoft turns to FBI in hunt for Rustock ringleader

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/

Microsoft turns to FBI in hunt for Rustock ringleader

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/

Microsoft turns to FBI in hunt for Rustock ringleader

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/

Microsoft turns to FBI in hunt for Rustock ringleader

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/

Microsoft turns to FBI in hunt for Rustock ringleader

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/

Cyberspy attacks targeting Russians traced back to UK and US

Security researchers at Trend Micro have discovered a sophisticated cyberspy network geared towards attacking systems in Russia and neighbouring countries.

Cyberespionage efforts against either human rights activists or high-tech Western firms have been going on for a few years. Examples include the Operation Aurora attacks against Google and more recent attempts to hack into the networks of defence contractors such as Lockheed Martin and Mitsubishi Heavy Industries.

Many of these attacks are blamed on China, an accusation the country routinely denies, in part by arguing that it is a victim rather than a perpetrator of such attacks.

The so-called Lurid attacks identified by Trend Micro have hit 47 victims including diplomatic missions, government ministries, space-related government agencies and other companies and research institutions in 61 different countries. But what really sets the attacks apart is that most of the victims are in Russia, Kazakhstan and Vietnam instead of the US or Western Europe. Curiously the common servers running the attack are located in the UK and US.

The Lurid Downloader (AKA Enfal Trojans) that features in the attack has previously been used against Western victims and the Tibetan community. This time around the malware is been pushed towards potential victims using either booby-trapped Adobe files or .RAR archive files containing Trojan code that poses as a screensaver. The attack relies of well-known vulnerabilities, one of which dates back to 2009, rather than zero-day attacks.

Infected systems phone home to command-and-control servers and upload particular documents and spreadsheets. Although Trend does not have access to the contents of files, it has determined the type of data beamed back to base in the more than 1,400 files extracted in the attacks.

“Although our research didn’t reveal precisely which data was being targeted by the attackers, we were able to determine that, in some cases, they attempted to steal specific documents and spreadsheets,” writes Trend Micro researcher Nart Villeneuve.

Rik Ferguson, director of security research communication EMEA at Trend Micro, told El Reg that some of the affected sites used Trend Micro’s technology, which helped detect the attack. subsequent detective work led researchers back to two command and control servers, hosted by different ISPs (one in the US and one in the UK). Beyond saying the attack was likely to be motivated by cyberespionage, rather than profit, Ferguson was reluctant to speculate on who might be behind the attack or their motives. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/russia_cyberespionage_attack/

Brit ISPs shift toward rapid pirate website blocking

Exclusive Leading UK ISPs are now privately agreed on the principle of restricting access to websites in response to hastily obtained court orders, according to sources close to discussions that took place in Westminster this week. The shift follows the landmark Newzbin2 ruling in July, which affirmed the responsibility ISPs have to enforce copyright laws.

However, the structure and processes acceptable to both ISPs and creative industries have yet to be tabled, and significant concerns remain in the Internet industry over legal issues and costs.

Rights-holders reacted a little more positively, pointing to the acknowledgement of greater responsibility, lower costs and speedier access to justice than offered by current legal processes. Although one source was cautious:

“Don’t expect a signing ceremony or even a public announcement, it’s going to be more of a voluntary solution through accretion,” he told us.

The change of heart was evident at the latest in a series of regular industry discussions chaired by Culture Minister Ed Vaizey on Monday this week, according to multiple sources familiar with the discussions. It’s the latest in a series of meetings designed to produce a self-regulatory substitute for the Digital Economy Act’s Section 17 and 18 web-blocking powers. The government has said it won’t implement these, but wants ISPs and creative industries to devise a replacement acceptable to both. This was the first meeting since June, and also the first since the Newzbin2 ruling.

June saw a voluntary plan floated (and leaked), which saw strong opposition in BT, the defendant in the Newzbin2 case. This has now been sidelined. Instead, ISPs will still demand a court order but work on an expedited process. Fighting Newzbin2 cost Hollywood studios an estimated £1m and took 18 months – and that’s the heart of the dispute. Copyright enforcement options today are expensive and impractical. Reports that ISPs will be asked to turn around court orders in an hour, however, are inaccurate, according to multiple insiders. But ISPs will respond to court orders that have been processed more quickly.

“ISPs have had to acknowledge that being a mere conduit is not an absolute defence,” said one industry representative.

While conceding the main issue, ISPs privately point to several positives for service providers: they’ll respond to court orders on a per-site basis, rather than lists of sites, and believe fewer pirate sites will be requested by rights-holders.

Industry association ISPA told us it was concerned about the costs of setting up the blocking solutions on smaller ISPs.

That leaves much of the detail to be decided. One is the nature of the “evidence test” a court will need to block access.

And at least two sources on different sides of the talks agree, glumly, that we may see more litigation before a voluntary self-regulation concord takes effect.

Vaizey held a second meeting on the subject of site-blocking on Tuesday, an open meeting attended by anti-copyright groups including The Pirate Party and the Open Rights Group, and blogger activists.

Yet there’s little mistaking the direction talks are taking. By opposing every single copyright enforcement measure ever proposed – and there have been some quite insane proposals – activists have only accelerated the marginalisation of what may be quite rational objections.

Bootnote

One objection raised was that small UK web businesses “would need weekend cover” under a less Pirate-friendly copyright enforcement regime.

So Shoreditch entrepreneurs don’t work at weekends, then? As a small UK web business here at El Reg we can affirm nothing ever happens to websites between Friday night and Monday morning.. Phew. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/isp_web_blocking/

US military satellite to get attack-warning equipment

A US military satellite is to be fitted with equipment which will enable it to detect hostile action and inform ground controllers what’s going on, according to reports.

US military graphic showing catalogued objects in Earth orbit

In space, nobody can hear your victim scream … yet

Lieutenant General Ellen Pawlikowski of the US Air Force told reporters including those of Aviation Week on Wednesday that a classified satellite is now planned to go into space equipped with a Self-Awareness Space Situational Awareness (SASSA) package, kit which the Pentagon has been working on for some time.

The US military and intelligence agencies operate a mighty fleet of spacecraft, with missions ranging from navigation and timing like the well-known GPS constellation – which makes almost all satnavs and a surprising amount of other Earthbound civilian electronics work, as well as guiding missiles etc – to blacker-than-black top secret spying and surveillance.

Most of these satellites, while in touch with ground control stations some or all of the time, have no sensors which would let them know if they were being meddled with or attacked – and this is a real possibility as more nations acquire space capabilities or groundbased gear such as jammers or lasers which can reach into space. As things stand, a satellite could simply go offline for a while or permanently, and its controllers would never know what happened to it.

That’s where SASSA and various other US military space hardware comes in. SASSA itself would let a satellite know if it was being jammed, blinded or scrambled: other, dedicated spacecraft would be able to watch events in Earth orbit and perhaps detect or monitor sneaky anti-satellite operations involving actual intercepts and collisions.

It would seem the idea is not so much to mount any particular defence or retaliation against hostile anti-satellite efforts, but rather to establish clearly who is behind them. As action against another nation’s spacecraft is a massive no-no under international convention, it is usually only worth doing if one can be sure that nobody will be sure who did it (or even sure that any action took place, perhaps).

SASSA and such efforts would seem to mean that attacks on US satellites will soon be much less deniable: which is, perhaps, why we are being told about them in advance. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/sassa_to_fly/

Bargain-basement botnet kit – yours for just €5

Bargain-basement cybercrooks have begun selling a cut-price botnet tool on underground forums for just €10 or less a pop.

The so-called Aldi Bot is a functional botnet builder that requires minimal configuration beyond entering the name of a command-and-control server, which comes with the tool. The malware – which was possibly named for the discount supermarket, although of course it has no connection to the German chain – is capable of extracting saved passwords from the browser cache of compromised machines.

Aldi Bot, whose code appears based on the recently leaked ZeuS source code, is also capable of running distributed denial of service attacks on targeted websites, according to an analysis of the tool by anti-virus firm G Data. Compromised machines might also be used as a proxy for anonymous surfing. As such the tool might be employed by perverts hunting for child abuse images on the net.

Getting the malware onto machines would require setting up bobby-trapped websites or similar trickery, such as distributing emails with infectious attachments. Most antivirus tools already detect Aldi Bot, which first appeared on underground forums late last month. The basic package does include instant messaging support. Shortly after launching the sale the author of the bot dropped his prices even further from €10 to €5. By comparison, licences for the admittedly far more sophisticated and functional ZeuS variants used to set you back thousands of dollars.

The seller punting the tool explains its low, low prices by saying he’s not in it for the money, adding that he wants to offer a “people’s bot” to the masses. Acceptable payment methods include Paysafecard and Ukash.

A video posted by the author shows attacks on a website maintained by the German police. These and other factors suggest that the seller may be a German hacker who wants virus distribution to retail at little more than the cost of a pint of beer.

More details on the malware can be found in a write-up by G Data here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/aldi_bot/

Aussies’ password habits still slack, says study

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” is how xkcd puts it*.

That’s probably why people don’t change their passwords unless someone forces them to, which is the unsurprising finding emanating from a PayPal-sponsored study by the ANU-hosted Centre for Internet Safety.

The study also finds the widespread probably-delusional belief that “my password is hard to guess”, with 90 percent of the study’s 1,000 respondents comfortable that their variation on pet’s name and child’s birthday is safe.

Perhaps surprisingly, most users reported that they don’t put any personally identifying information in their passwords; but since they believe their password is safe, they then use the same password across multiple sites (63 percent of respondents, and 77 percent between the ages of 18 to 24 years old).

Mirroring behaviours overseas, we’re also slack about protecting the password, with the survey finding that 41 percent of respondents has shared their password with a friend, family member or colleague without changing the password afterwards.

The “xkcd effect” is present in our password behaviours: hard-to-remember passwords are written down by 46 percent of respondents, while younger users prefer to store their passwords on mobile phones.

In more reassuring news, the study found that most users – more than 95 percent – don’t want Websites to remember their passwords. Well, it would be reassuring, except that more than a third of users get around the forgotten password by leaving their computers logged into online sites, rising to 76 percent among the youngsters.

The paper is published by PayPal, here.

*The comic in question is here. I can’t vouch for ‘Randall’s’ math, but it would be a life-changing experience for most of us if he’s right.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/password_habits_slack_says_paypal/