<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; botnet</title>
	<atom:link href="http://www.infowar-monitor.net/tag/botnet/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Fri, 30 Jul 2010 21:00:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Blurring the Boundaries Between Cybercrime And Politically Motivated Attacks</title>
		<link>http://www.infowar-monitor.net/2010/04/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/</link>
		<comments>http://www.infowar-monitor.net/2010/04/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 07:08:24 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[Russia]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5959</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://blogs.forbes.com/firewall/2010/04/12/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/?boxes=Homepagechannels">Nart Villeneuve</a>, Forbes. 

An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are captured from the targeted organizations and individuals or politically motivated distributed denial of service (DDoS) attacks that aim to punish, disrupt and censor the ability of the targets to communicate to the world.

One of the themes that informed the "Shadows in the Cloud" report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring, making issues of attribution increasingly complex. It may also indicate that there is an emerging market for sensitive information and politically motivated attacks as crimeware networks seek to monetize such information and capabilities.

I explored this theme in a report on a case related to the Kneber botnet documented by NetWitness in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems that uploaded sensitive documents to drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.

When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper that analyzed politically motivated DDoS attacks (and is basically the inspiration for this blog post). The numerous DDoS attacks described in this paper are very interesting; some are punitive attacks, others appear to be an effort to censor political speech (something I worked on at ONI in the past with Kyrgyzstan in 2005 and Belarus in 2006).

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://blogs.forbes.com/firewall/2010/04/12/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/?boxes=Homepagechannels">Nart Villeneuve</a>, Forbes. </p>
<p>An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are captured from the targeted organizations and individuals or politically motivated distributed denial of service (DDoS) attacks that aim to punish, disrupt and censor the ability of the targets to communicate to the world.</p>
<p>One of the themes that informed the &#8220;Shadows in the Cloud&#8221; report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring, making issues of attribution increasingly complex. It may also indicate that there is an emerging market for sensitive information and politically motivated attacks as crimeware networks seek to monetize such information and capabilities.</p>
<p>I explored this theme in a report on a case related to the Kneber botnet documented by NetWitness in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems that uploaded sensitive documents to drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.</p>
<p>When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper that analyzed politically motivated DDoS attacks (and is basically the inspiration for this blog post). The numerous DDoS attacks described in this paper are very interesting; some are punitive attacks, others appear to be an effort to censor political speech (something I worked on at ONI in the past with Kyrgyzstan in 2005 and Belarus in 2006).</p>
<p>In the paper Nazario discusses the role that well known BlackEnergy-based botnets played in the DDoS attacks on Georgian websites during the Russia-Georgia conflict in 2008. In a really amazing presentation Jose Nazario and Andre DiMino of Shadowserver document the attacks on Georgia. But what is most interesting, in this context, are the other unrelated targets that the same botnets also attacked. The RU-GE case is a great example of the blurring boundaries between crimeware networks, politically motivated attacks and censorship.</p>
<p>On a much smaller scale, I observed some recent attacks in which a BlackEnergy-based botnet attacked a variety of unrelated targets but eventually attacked political websites. The botnet was discovered while analyzing data captured from the computer of a Tibetan political figure. Due to the character of the network Greg Walton and I concluded that the attack was not targeted and was not related to Tibet or to the political activities of the individual who was compromised. However, I continued to monitor the botnet.</p>
<p>The botnet had two command and control domain names 091809.ru and sexiland.ru both hosted on the same IP address (210.51.166.238, China Netcom). The command and control interface was not password protected and I was able to access it and determine the size of the botnet. According to the statistics in the interface, 091809.ru had 2044 active bots, an average of 2418 per hour and 8105 per day. In total the 091809.ru recorded 64346 infections. According to the statistics in the interface, sexiland.ru (210.51.166.238) had 3623 active bots, an average of 4869 per hour and 12749 per day. In total the sexiland.ru recorded 51813 infections. This is not a particularly large botnet at all, but the attackers could access at least 6000 bots at any given time.</p>
<p>This botnet attacked a variety of websites, however, four of them caught my attention.</p>
<p>1. bachuna.net</p>
<p>2009-12-15 05:00:01<br />
flood http bachuna.net</p>
<p>The attackers began flooding bachuna.net on 2009-12-15. The attacks appear to relate to Ukrainian news stories (here, here, here and here) which broke around the same time as the attacks started, involving a judge named Oleg Bachun and two competing websites, bachuna.net and bachun.net. While the former was supportive of the judge, the latter implicated him in illegal activities. Since I am relying on Google Translate it would be great if some Russian and Ukrainian speakers could provide a more in-depth assessment of what happened in the case as well as of the domain names involved, as it appears from the reports that bachun.net was transferred to the owner of bachuna.net.</p>
<p>2. ingushetiyaru.org</p>
<p>2010-01-16 18:00:01 &#8211; 2010-01-20 06:00:02<br />
flood http www.ingushetiyaru.org</p>
<p>Rights in Russia reported that &#8220;a website run by an opposition group in Ingushetia, Ingushetiyaru.org, suffered a DDoS attack after publishing comments critical of the region’s authorities.&#8221; Ingushetia is located near Chechnya and is a politically sensitive area. Ingushetiyaru.org reported the DDoS on their livejournal site and the broader implications in this article. This is not the first time there have been DDoS attacks related to this region. Jeff Carr reported on another DDoS attack and implicated the RBN in the attack.</p>
<p>3. angusht.com</p>
<p>2010-01-22 12:00:01 &#8211; 2010-01-26 15:00:02<br />
flood http angusht.com</p>
<p>This website, angusht.com, is also related to Ingushetia and reported DDoS attacks (here too) earlier this year. Several other related sites were also reported to be inaccessible. The timing of the inaccessibility of the sites and the DDoS attacks on angusht.com and ingushetiyaru.org also correlate with reports of an explosion of a gas pipeline in Ingushetia.</p>
<p>4. kadyrov2012.com</p>
<p>2010-01-25 08:00:02 &#8211; 2010-01-27 02:00:01<br />
flood http kadyrov2012.com</p>
<p>The website kadyrov2012.com was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run for president in Russia&#8217;s elections. Reuters reported the story on January 24, which correlates with the timing of the DDoS attacks.</p>
<p>These attacks are fairly small when compared with others and fly under the radar screen of most. They show that small scale attacks designed to censor opposing views occur with frequency against key websites and during critical time periods. It is clear that those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats from targeted malware through to DDoS and not simply censorship in the form of Internet filtering. Finally, these attacks demonstrate that botnets involved with criminal activity are being used to conduct both political and apolitical DDoS attacks.</p>
<p>Full list of sites DDoS&#8217;d by this botnet here.</p>
<p>Tags: Censorship, DDoS, Malware </p>
<p>http://blogs.forbes.com/firewall/2010/04/12/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/?boxes=Homepagechannels</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/blurring-the-boundaries-between-cybercrime-and-politically-motivated-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researchers Split Over Google&#8217;s Hackers</title>
		<link>http://www.infowar-monitor.net/2010/03/researchers-split-over-googles-hackers/</link>
		<comments>http://www.infowar-monitor.net/2010/03/researchers-split-over-googles-hackers/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 15:24:03 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5860</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.forbes.com/2010/03/08/google-damballa-mcafee-technology-security10-hackers_2.html">Andy Greenberg</a>, Forbes. 

Villeneuve points out that McAfee has been most vocal about how the hackers accessed their victims' networks, moved between servers and planted hidden software. Damballa, meanwhile, says it has focused on the spyware samples themselves and the so-called "command and control" servers that the software communicated with to receive orders and steal data. 

"When these researchers argue about whether the hackers are sophisticated or not sophisticated, they're looking at different pieces of the puzzle," says Villeneuve. "The truth is that no one's providing enough detail to make any kind of complete comparison or analysis possible."
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.forbes.com/2010/03/08/google-damballa-mcafee-technology-security10-hackers_2.html">Andy Greenberg</a>, Forbes. </p>
<p>A cybersecurity showdown is in the works. </p>
<p>Late last week cybersecurity firm McAfee and start-up Damballa both released new assessments of the high-profile hacking incident revealed by Google in January.</p>
<p>But while McAfee continues to describe the digital intruders as a sophisticated example of cyberespionage&#8217;s &#8220;advanced, persistent threat,&#8221; Damballa counters that the gang behind the so-called Aurora attacks were &#8220;amateurs&#8221; who used &#8220;old-school&#8221; techniques to create a run-of-the-mill collection of hijacked computers typically used for identity theft and spam. (See &#8220;Google Hackers&#8217; Unexpected Backdoor&#8221; and &#8220;Researchers Call Google Hackers Amateurs.&#8221;) </p>
<p>One of those conclusions, it seems, must be wrong. But that doesn&#8217;t mean the facts from the two companies aren&#8217;t both accurate, says Nart Villeneuve, a researcher with the University of Toronto&#8217;s Citizen Lab. Given the complexity of a modern cybercriminal operation, he says, the two reports might be looking at opposite ends of the same animal. </p>
<p>Villeneuve points out that McAfee has been most vocal about how the hackers accessed their victims&#8217; networks, moved between servers and planted hidden software. Damballa, meanwhile, says it has focused on the spyware samples themselves and the so-called &#8220;command and control&#8221; servers that the software communicated with to receive orders and steal data. </p>
<p>&#8220;When these researchers argue about whether the hackers are sophisticated or not sophisticated, they&#8217;re looking at different pieces of the puzzle,&#8221; says Villeneuve. &#8220;The truth is that no one&#8217;s providing enough detail to make any kind of complete comparison or analysis possible.&#8221;</p>
<p>McAfee, for its part, isn&#8217;t giving any ground. McAfee researcher Dmitri Alperovitch told Forbes that his cybersecurity firm is working directly with Google and other victims, and argues that Damballa doesn&#8217;t have enough access to the case for credible analysis. </p>
<p>In fact, Alperovitch claims that Damballa is dissecting the wrong piece of malicious software, or &#8220;malware,&#8221; altogether. &#8220;Their analysis is correct, but what they&#8217;re analyzing is something totally unrelated to Aurora,&#8221; he says. &#8220;As far as we&#8217;ve seen, the malware they&#8217;re looking at has nothing to do with this incident.&#8221;</p>
<p>Damballa&#8217;s vice president of research Gunter Ollman counters that its malware samples were taken from clients that were targeted by Aurora and from a public profile of the Hydraq Trojan&#8211;the spyware used by Aurora&#8211;published by security firm Symantec. Ollman says Damballa traced those samples to five domains around the world that were used to control the so-called &#8220;botnet&#8221; of hijacked machines that infected Google, and he contends that McAfee is failing to examine those command and control servers. &#8220;It&#8217;s as if McAfee has been looking at the smoking gun and trying to analyze the bullets, while we&#8217;re following the driver of the getaway van,&#8221; Ollman says.</p>
<p>On some basic facts, the two accounts agree: Between July and December the Aurora hackers began infecting target networks with the Hydraq Trojan software, controlling the computers from servers outside the U.S. In at least some of those network infections, including the one that affected Google in December, the hackers used an e-mail laced with an attachment that exploited a security vulnerability in Internet Explorer 6, allowing the intruders to gain access to a piece of Google&#8217;s corporate network.</p>
<p>But that&#8217;s where the agreement ends. Damballa&#8217;s report points to several factors that indicate that Aurora was &#8220;just another botnet,&#8221; run by unsophisticated criminals: the Hydraq Trojan&#8217;s anatomy, which included some code that was five to eight years old; an older, more easily detected system of communication between hijacked computers known as dynamic domain name system or DDNS; and evidence that the same command and control computers were used to control earlier samples of malicious software used for routine cybercrime.</p>
<p>Whether Damballa&#8217;s analysis is based on faulty software samples&#8211;as McAfee claims&#8211;is tough to prove, given that neither company has published all of the details of their samples, including the domain names of the command and control servers they&#8217;ve analyzed. </p>
<p>But McAfee&#8217;s Alperovitch says that at least 40 versions of Hydraq were customized for different targets&#8211;not a single, antiquated piece of software, as Damballa says. And he disputes the idea that employing DDNS reveals a lack of sophistication. Although the method isn&#8217;t often used by modern, high-volume cybercriminal operations, it&#8217;s often still a tool for smaller targeted attacks. </p>
<p>Regardless, he says the discussion of whether certain tactics were amateurish isn&#8217;t the point. &#8220;The attack was successful,&#8221; says Alperovitch. &#8220;If it works, why use something more sophisticated?&#8221;</p>
<p>Citizen Lab&#8217;s Nart Villeneuve points out that both companies may be right about the respective piece of the operation they&#8217;re scrutinizing. McAfee may have analyzed the actions of sophisticated cyberspies that bought their malicious software and communications system from a less-sophisticated cybercrime group&#8211;the botnet controllers that Damballa has focused on. </p>
<p>Given that cybercrime and cyberespionage have become such a segmented and specialized industry, he points out that no single piece of a scheme can be used to describe the whole. &#8220;It&#8217;s not uncommon for botnet operators to sell or rent their botnet or simply use portions to install other peoples&#8217; malware,&#8221; says Villeneuve.</p>
<p>Even so, independent security researcher and consultant Dancho Danchev argues that truly sophisticated cyberspies would have contracted more professional services. &#8220;Personally, I&#8217;m not impressed. Not at all,&#8221; Danchev wrote in an e-mail. &#8220;The tools and techniques used in the attacks can be easily outsourced to much more quality assurance-centered vendors of custom-built malware and cybercrime-friendly services than the ones used in the attack.&#8221;</p>
<p>Danchev says Aurora&#8217;s success stems from its combination of simple tactics with persistence and tricks like customizing spoof emails based on data pulled from social networking sites. Even so, that set of tactics doesn&#8217;t necessarily support McAfee&#8217;s portrait of ultra-advanced cyberspies. &#8220;That&#8217;s not &#8216;highly sophisticated,&#8217; &#8221; Danchev says. &#8220;It&#8217;s what makes every successful malware attack or botnet campaign successful in general.&#8221;</p>
<p>http://www.forbes.com/2010/03/08/google-damballa-mcafee-technology-security10-hackers_2.html</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/researchers-split-over-googles-hackers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>@nartv: The Aurora Mess</title>
		<link>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/</link>
		<comments>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 23:36:37 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[0day]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[attribution]]></category>
		<category><![CDATA[Aurora]]></category>
		<category><![CDATA[Bejtlich]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[C&C]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[copycats]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Damballa]]></category>
		<category><![CDATA[Danchev]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[dynnamic DNS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[FT]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Hydraq]]></category>
		<category><![CDATA[iDefense]]></category>
		<category><![CDATA[Kneber]]></category>
		<category><![CDATA[Lanxiang Vocational School]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Mandiant]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[Shanghai Jiaotong University]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[US cyber doctrine]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5820</guid>
		<description><![CDATA[Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> &#124; <a href="http://www.nartv.org/about/">Nart Villeneuve</a>

Tags: Aurora, Botnets, China, Google, Malware.

<blockquote>The data about Aurora has always felt just a little off for me. Maybe it's that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on the C&#038;C’s that compromised hosts check in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer interchangeably to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq), it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military, others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not to be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese state was behind the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and it included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed; however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names is linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same as — as opposed to similar to — the one used in the attack on Google? How were these “master” lists, such as the one by US CERT, created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

    * it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <A href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> | <a href="http://www.nartv.org/about/">Nart Villeneuve</a></p>
<p>Tags: Aurora, Botnets, China, Google, Malware.</p>
<blockquote><p>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.</p>
<p>When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).</p>
<p>Maybe it is that some name domains that hosted the exploit but do not provide details on C&#038;C’s that compromised hosts check-in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably, it is difficult to get a handle on exactly what is what.</p>
<p>Google says the attacks were “highly sophisticated and targeted” (as does McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.</p>
<p>Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not to be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was behind the attacks whether or not “amateurs” were used.</p>
<p>So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out, there’s more to it than just the technical aspects of malware, there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.</p>
<p>This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection and included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.</p>
<p>The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed, however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).</p>
<p>CnC_Domain.1<br />
CnC_Domain.2<br />
CnC_Domain.3<br />
CnC_Domain.4<br />
blog1.servebeer.com</p>
<p>At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IP’s were not disclosed. Therefore, I am not entirely sure of how the next group of domain names are linked.</p>
<p>baltika1.servebeer.com<br />
m7been.zapto.org<br />
miecros.info<br />
mcsmc.org<br />
yahoo.blogdns.net<br />
filoups.info<br />
google.homeunix.com</p>
<p>While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.</p>
<p>Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”</p>
<p>Fake AV Alert / Scareware<br />
mcsmc.org<br />
micronetsys.org<br />
mnprfix.cn<br />
filoups.info<br />
miecros.info</p>
<p>Fake Microsoft Antispyware<br />
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com<br />
ip-173-201-21-161.ip.secureserver.net<br />
inekoncuba.inekon.co.cu<br />
google.homeunix.com<br />
yahoo.blogdns.net<br />
voanews.ath.cx<br />
ymail.ath.cx</p>
<p>So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).</p>
<p>Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.</p>
<p>For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.</p>
<p>The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.</p>
<p>virtualmits.com<br />
syswa.cn<br />
thcway.info<br />
searchnix.info<br />
wscntgy.com<br />
google-analitics.in<br />
licagreem.in<br />
jusched.in</p>
<p>The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists, such as the one by US CERT, created? How were these domains bundled together?</p>
<p>In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.</p>
<p>I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?</p>
<p>Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:</p>
<p>    * it is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.<br />
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.</p>
<p>The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate it does raise the important issue of the relationship between crimeware and espionage.</p>
<p>But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</p></blockquote>
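<p>The linking step the post works through by hand, building a cluster from shared resolutions while keeping the dynamic DNS provider's root domain out of the indicator set, as an added example. This is not part of the original post and is not Damballa's method or data. The passive DNS records, the two published-list stand-ins (list_A and list_B) and the name cnc-domain-2.example (a placeholder for an undisclosed CnC domain) are constructed for illustration; the IP addresses are RFC 5737 documentation addresses and none of the resolutions shown are real. The fan-out threshold, which refuses to link domains through an IP shared by many unrelated names (parking, shared hosting, sinkholes), is an assumption of the example rather than something the post describes.</p>

```python
"""Link candidate C2 domains through shared passive-DNS resolutions.

Added example (not code from the original post or from Damballa).  All
records, IPs and list memberships below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Dynamic-DNS providers hand out sub-domains to anyone.  The bare provider root
# is not an indicator: clustering on it links every customer of the provider.
DDNS_ROOTS: Set[str] = {"servebeer.com", "zapto.org", "blogdns.net",
                        "homeunix.com", "ath.cx", "dyndns.org", "blogdns.com"}

# Constructed passive-DNS records: (domain, ip).  RFC 5737 documentation
# addresses; the resolutions are invented for the example.
PDNS_RECORDS: List[Tuple[str, str]] = [
    ("blog1.servebeer.com",    "192.0.2.10"),
    ("cnc-domain-2.example",   "192.0.2.10"),   # hypothetical undisclosed CnC
    ("cnc-domain-2.example",   "192.0.2.20"),
    ("baltika1.servebeer.com", "192.0.2.20"),
    ("mcsmc.org",              "192.0.2.20"),
    ("filoups.info",           "192.0.2.30"),
    ("mcsmc.org",              "192.0.2.30"),
    ("google.homeunix.com",    "198.51.100.7"),
    ("yahoo.blogdns.net",      "198.51.100.7"),
    ("servebeer.com",          "203.0.113.1"),  # provider root: must be skipped
    ("innocent.example",       "203.0.113.1"),  # unrelated customer of the provider
    ("parked-a.example",       "203.0.113.9"),  # shared parking IP: high fan-out
    ("parked-b.example",       "203.0.113.9"),
    ("parked-c.example",       "203.0.113.9"),
    ("parked-d.example",       "203.0.113.9"),
    ("filoups.info",           "203.0.113.9"),
]

# Constructed stand-ins for the public "master" lists discussed in the post.
PUBLISHED_LISTS: Dict[str, Set[str]] = {
    "list_A": {"blog1.servebeer.com", "filoups.info", "google.homeunix.com",
               "servebeer.com"},
    "list_B": {"blog1.servebeer.com", "baltika1.servebeer.com", "mcsmc.org",
               "yahoo.blogdns.net", "google.homeunix.com"},
}


def is_ddns_root(domain: str, roots: Set[str] = DDNS_ROOTS) -> bool:
    """True only for the bare provider domain; sub-domains remain indicators."""
    return domain in roots


def build_graph(records, roots: Set[str] = DDNS_ROOTS, max_fanout: int = 3):
    """Adjacency map domain -> set(domains) that shared a resolution IP.

    Provider roots are dropped before grouping.  An IP seen with more than
    max_fanout distinct domains is not used as a link at all: parking, shared
    hosting and sinkhole addresses would otherwise glue unrelated clusters.
    """
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        if not is_ddns_root(domain, roots):
            ip_to_domains[ip].add(domain)
    adj = defaultdict(set)
    for domains in ip_to_domains.values():
        if len(domains) > max_fanout:
            continue
        for d in domains:
            adj[d].update(domains - {d})
    return adj


def expand_cluster(adj, seeds, roots: Set[str] = DDNS_ROOTS) -> Set[str]:
    """Every domain reachable from any seed by shared-IP links (depth-first).

    Seeds that are provider roots are discarded, so a noisy published list
    can be used directly as the starting point.
    """
    seen: Set[str] = set()
    todo = [s for s in seeds if not is_ddns_root(s, roots)]
    while todo:
        d = todo.pop()
        if d in seen:
            continue
        seen.add(d)
        todo.extend(adj.get(d, ()))
    return seen


def list_membership(cluster, lists: Dict[str, Set[str]] = PUBLISHED_LISTS):
    """For each clustered domain, the published lists it appears on (sorted)."""
    return {d: sorted(name for name, members in lists.items() if d in members)
            for d in sorted(cluster)}


if __name__ == "__main__":
    graph = build_graph(PDNS_RECORDS)
    cluster = expand_cluster(graph, PUBLISHED_LISTS["list_A"])
    for domain, on in list_membership(cluster).items():
        print(f"{domain:28s} {', '.join(on) or '(not on any published list)'}")
```

<p>Seeding the expansion from a published list rather than from a single domain reproduces the situation the post describes: the list's own noise (the provider root) has to be dropped before any expansion, and each domain the expansion reaches is then tagged with the lists it appears on, which is the overlap the post tabulates by hand. Raising max_fanout in the example pulls the parked domains into the cluster through the shared IP, which is the kind of over-linking a cluster built on common IP addresses alone produces.</p>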
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Canadian firm helps disable massive botnet</title>
		<link>http://www.infowar-monitor.net/2010/03/canadian-firm-helps-disable-massive-botnet/</link>
		<comments>http://www.infowar-monitor.net/2010/03/canadian-firm-helps-disable-massive-botnet/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 04:04:15 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Butterfly]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Chris Davis]]></category>
		<category><![CDATA[DefIntel]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[Financial]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Mariposa]]></category>
		<category><![CDATA[notification]]></category>
		<category><![CDATA[Panda Security]]></category>
		<category><![CDATA[Spain]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5814</guid>
		<description><![CDATA[
Source: <a href="http://www.theglobeandmail.com/news/technology/canadian-firm-helps-disable-massive-botnet/article1488838/">Omar El Akkad</a>: Thursday's Globe and Mail

<b>Three charged with running global Web ring that infected more than 15 million computers, including federal and banking systems</b>

<blockquote>A Canadian company has helped dismantle a massive computer-infiltration ring that infected more than 15 million computers around the world – including systems within Canadian banks and the federal government.

Spanish police have arrested three people charged with running a botnet – a program that infects and partly takes over victims' computers – that spanned some 190 countries. Not only is the botnet (named Mariposa, Spanish for butterfly) one of the largest of its kind, the software's operators appeared to target government and corporate computers, stealing huge amounts of sensitive data.

“Mariposa really stood out because it was growing at such a rate,” said Chris Davis, founder and CEO of Defence Intelligence, an Ottawa-based information security firm that helped track and ultimately disable <a href="http://news.google.com/news/search?aq=f&#038;pz=1&#038;cf=all&#038;ned=us&#038;hl=en&#038;q=mariposa">Mariposa</a>. “If you run down the list of Fortune 1,000 companies, you're talking about a 65-per-cent infection rate.”</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Like most botnets, Mariposa was instructed to infect computers and then use a Web connection to communicate with its authors, who could then issue commands and steal information such as credit-card numbers and passwords from the infected computers. Among the victims were banks and government offices around the world, offices of the leaders of several Asian countries and about one million computers in Iran alone, Mr. Davis said.</p>
<p>Canadian corporate and government infrastructure was also hit. Non-critical systems at major Canadian banks were infected, as were some government computers, Mr. Davis said. Defence Intelligence notified Ottawa and the banks early on, and the infections were wiped out.</p>
<p>Defence Intelligence first identified Mariposa last May. The botnet got its name because it was designed using the Butterfly botkit, a piece of software that was at one time for sale on the Internet black market for about $1,000. The software is not especially difficult to use, and the three people arrested are described as having limited computer skills.</p>
<p>Defence Intelligence eventually enlisted the help of multiple partners, including the Georgia Institute of Technology and the Spanish company Panda Security. The FBI and the Spanish Guardia Civil also joined the investigation.</p>
<p>Botnets generally work by contacting one or several Web domains owned by the malicious software&#8217;s creator. In December, security experts simultaneously blocked all the Mariposa domains, redirecting them to their own servers. That&#8217;s when they were able to take a detailed look at the vast number of corporate and government computers infected.</p>
<p>“That&#8217;s when we started to get granular visibility” of the botnet network, Mr. Davis said. “It really blew us away.”</p>
<p>Spanish police believe the botnet managed to retrieve the personal information of more than 800,000 users.</p>
<p>So far, the three people arrested have been identified only by their Internet usernames: netkairo, johnyloleante and ostiator. The break in the case came when netkairo – while trying to regain control of Mariposa from the security experts – attempted to access the botnet from his home computer, leading police to his door. He was arrested in February, and the information on his computer led to the other arrests.</p>
<p>Although Mariposa has been rendered relatively impotent, the botnet continues to expand. Of the 15 million or so infected computers, about half are from the enterprise world, and half are individual home computers.</p>
<p>Mr. Davis said the toughest part of fighting such botnets is alerting the millions of people, companies and government offices whose computers have been compromised.</p>
<p>“There isn&#8217;t a good way to distribute that information outside North America and Western Europe,” Mr. Davis said. “Even there, I can contact companies, but what do I do about my mom&#8217;s computer in Squamish?</p>
<p>“There isn&#8217;t a mechanism in place. There really needs to be.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/canadian-firm-helps-disable-massive-botnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>® Exclusive: Cyber attacks will &#8216;catastrophically&#8217; spook public, warns GCHQ</title>
		<link>http://www.infowar-monitor.net/2010/02/%c2%ae-exclusive-cyber-attacks-will-catastrophically-spook-public-warns-gchq/</link>
		<comments>http://www.infowar-monitor.net/2010/02/%c2%ae-exclusive-cyber-attacks-will-catastrophically-spook-public-warns-gchq/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 12:36:55 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Bletchley Park]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Cabinet Office]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[CSOC]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GCHQ]]></category>
		<category><![CDATA[Georgia]]></category>
		<category><![CDATA[GMail]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hactivists]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[mass disruption]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[OCS]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[quantum cryptanalysis]]></category>
		<category><![CDATA[quantum cryptography]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[®]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5715</guid>
		<description><![CDATA[Cheltenham spies 'cyber arms race'

Source: Chris Williams &#124; <a href="http://www.theregister.co.uk/2010/02/22/csoc_report/print.html">The Register</a>

<blockquote>A digital attack against the UK causing even minor damage would have a "catastrophic" effect on public confidence in the government, GCHQ has privately warned Whitehall.

The Cheltenham spy agency's new Cyber Security Operations Centre (CSOC) makes the prediction in a document prepared for Cabinet Office and seen by The Register.

Growing reliance on the internet to deliver public services will "quickly reach a point of no return", meaning "any interruption of broadband access becomes intolerable and will have serious impacts on the economy and public well being", CSOC says.

"A successful cyber attack against public services would have a catastrophic impact on public confidence in the government, even if the actual damage caused by the attack were minimal," it adds.

The warning forms part of a preliminary "horizon scanning" report produced by the new unit, which is scheduled to begin operations next month. Its job will be to continually monitor internet security, producing intelligence on botnets, denial of service attacks and other digital threats to national security.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>CSOC was established by last summer&#8217;s Cyber Security Strategy. With an initial staff of 19 and funded from GCHQ&#8217;s budget of hundreds of millions of pounds, it reports to the equally nascent Office of Cyber Security within the Cabinet Office, which coordinates digital national security policy across Whitehall.</p>
<p>Most cyber attacks are likely to remain difficult to trace to official sources, the report explains, citing the denial of service attacks on Georgia as Russia&#8217;s army invaded in 2008. This year GCHQ&#8217;s close US counterpart, the National Security Agency (NSA), has been called in to investigate attacks on Google&#8217;s GMail service apparently from inside China.</p>
<p>&#8220;An internationally agreed definition of cyber warfare will remain elusive, with state actors making increasing use of hired criminals and &#8216;hacktivists&#8217; to carry out deniable cyber attacks on their behalf,&#8221; CSOC predicts.</p>
<p>The official British view casts ongoing talks (http://www.nytimes.com/2009/12/13/science/13cyber.html) between the US and Russia &#8211; aimed at fostering cooperation between states on internet security and agreeing ground rules &#8211; in a pessimistic light.</p>
<p>&#8220;States are likely to increasingly see the cyber domain as an area in which to wage war&#8230; it is difficult to see international agreement on what acts are and are not acceptable in a cyber war being achieved within five years,&#8221; CSOC says. &#8220;Even if regulation of this kind was to emerge, it is likely that it would make little difference.</p>
<p>&#8220;The increasing sophistication of criminal cyber tools and the availability of cheap, fast broadband will mean that states are able to achieve their aims by hiring criminal botnets to carry out DDOS or other attacks on their enemies&#8217; infrastructure.&#8221;</p>
<p>Cyber arms race</p>
<p>Government eavesdroppers also face a secret &#8220;cyber arms race&#8221; to develop quantum cryptography technology, according to GCHQ.</p>
<p>&#8220;In the next 5 to 10 years, states are likely to engage in a cyber arms race for quantum cryptanalysis, which would enable the users to crack any encryption within a very short space of time, and for quantum cryptography, which would prevent secure communications from being intercepted,&#8221; it said.</p>
<p>Quantum computers would be able to test every possible cipher for a traditionally-encrypted message very quickly. Meanwhile a quantum-encrypted message would be impossible to intercept because just by observing it the eavesdropper would destroy it.</p>
<p>GCHQ &#8211; the descendent of the UK&#8217;s famous World War Two codebreaking effort at Bletchley Park &#8211; is responsible for intercepting foreign communications and for trying to ensure government communications are not intercepted. Without directly referring to its own work on quantum cryptography, it said the revolution the technology would spark in both areas remains out of reach.</p>
<p>&#8220;It is unlikely that any state actor will have been able to put quantum systems into operation by 2015, although some state actors may have basic quantum computing capabilities by 2020,&#8221; CSOC says.</p>
<p>The NSA is said to be investing heavily in quantum computing.</p>
<p>The predictions in CSOC&#8217;s report have served as the basis of a series of classified and unclassified meetings with industry and academics hosted by the Office of Cyber Security in recent weeks. Officials plan to feed the results of the meetings into policy, including whether and how the UK should develop offensive capabilities online. ®</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/%c2%ae-exclusive-cyber-attacks-will-catastrophically-spook-public-warns-gchq/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Kneber botnet catches 2,500 companies worldwide</title>
		<link>http://www.infowar-monitor.net/2010/02/kneber-botnet-catches-2500-companies-worldwide/</link>
		<comments>http://www.infowar-monitor.net/2010/02/kneber-botnet-catches-2500-companies-worldwide/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 03:18:53 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[NSA]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5662</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.guardian.co.uk/technology/2010/feb/18/kneber-botnet-netwitness-cybercrime">Jack Schofield</a>, The Guardian. 

About 75,000 personal computers in almost 2,500 companies and government agencies worldwide have been caught in a botnet based on a new variant of the ZeuS Trojan

About 75,000 personal computers in almost 2,500 companies and government agencies across the globe have been caught in a botnet uncovered by a researcher at the US-based NetWitness network forensics firm. Hackers were able to collect logins and passwords for Facebook, Yahoo, Hotmail and other accounts, including online banking sites. They were also able to access some corporate servers used to store confidential data, including one used for processing credit-card payments.

Companies reportedly attacked include Paramount Pictures, Merck, Juniper Networks and Cardinal Health in the US, but there were affected computers in more than 200 countries, including Egypt, Mexico, Saudi Arabia and Turkey. The Wall Street Journal reported that Merck and Cardinal Health said they had isolated and contained the problem, and Merck said "no sensitive information was compromised".
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.guardian.co.uk/technology/2010/feb/18/kneber-botnet-netwitness-cybercrime">Jack Schofield</a>, The Guardian. </p>
<p>About 75,000 personal computers in almost 2,500 companies and government agencies worldwide have been caught in a botnet based on a new variant of the ZeuS Trojan</p>
<p>About 75,000 personal computers in almost 2,500 companies and government agencies across the globe have been caught in a botnet uncovered by a researcher at the US-based NetWitness network forensics firm. Hackers were able to collect logins and passwords for Facebook, Yahoo, Hotmail and other accounts, including online banking sites. They were also able to access some corporate servers used to store confidential data, including one used for processing credit-card payments.</p>
<p>Companies reportedly attacked include Paramount Pictures, Merck, Juniper Networks and Cardinal Health in the US, but there were affected computers in more than 200 countries, including Egypt, Mexico, Saudi Arabia and Turkey. The Wall Street Journal reported that Merck and Cardinal Health said they had isolated and contained the problem, and Merck said &#8220;no sensitive information was compromised&#8221;.</p>
<p>NetWitness&#8217;s Alex Cox uncovered the botnet while installing monitoring software to help a large corporation deal with cyberattacks. He found a 75GB cache of data generated by the botnet, which NetWitness has called Kneber after a username linking the infected systems. NetWitness said in a statement: &#8220;Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year.&#8221; </p>
<p>The PCs in question, almost all running Microsoft Windows XP or Vista, had been compromised by a new variant of the well-known ZeuS Trojan, which is one of the &#8220;top five&#8221; in its class. Cox told the SearchSecurity.com site that the variant used in the latest attacks had a detection rate of less than 10% among antivirus software. The botnet communication was also shielded from detection by existing intrusion detection systems. </p>
<p>&#8220;This is not about a single piece of malware on 75,000 machines, it&#8217;s about how bad the security industry is responding to these incidents and how bad the problem is,&#8221; said Cox. </p>
<p>SearchSecurity.com said &#8220;the cybercriminals exploited vulnerabilities in Adobe Flash as well as holes in Adobe Reader and Acrobat using malicious PDF applications in spear phishing attacks, according to Cox. They also used exploit kits to set up drive-by attacks to infect victims.&#8221;</p>
<p>The discovery of the Kneber botnet follows publicity about attempts to penetrate Google and other companies, dubbed Operation Aurora. In this case, the botnet command centre appears to have been in Germany, while ZeuS appears to be mainly the work of cybercriminals based in Eastern Europe. ZeuS is often used to collect data from online forms, including names, dates of birth, and account names and passwords, and one special feature is that it can work with the Firefox web browser.</p>
<p>Amit Yoran, chief executive of NetWitness and former Director of the National Cyber Security Division, said: &#8220;While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet. These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew quietly and diligently target and compromise thousands of government and commercial organizations across the globe. Conventional malware protection and signature based intrusion detection systems are by definition inadequate for addressing Kneber or most other advanced threats.&#8221;</p>
<p>NetWitness also said that &#8220;over half the machines infected with Kneber also were infected with Waledac, a peer to peer botnet.&#8221; This suggests some level of co-existence if not active cooperation between cybercriminals, where a PC could continue to operate in one botnet even if the other was found and removed. Earlier this month, there was a small &#8220;botnet war&#8221; after the upstart Spy Eye appeared with a feature called Kill Zeus. This aims to remove ZeuS from the victim&#8217;s PC, giving Spy Eye exclusive access. However, by far the biggest and best botnet is still Conficker, with more than 5m PCs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/kneber-botnet-catches-2500-companies-worldwide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>“Battle of the Brains”: Two Chinese Schools Said to Be Tied to Online Attacks</title>
		<link>http://www.infowar-monitor.net/2010/02/%e2%80%9cbattle-of-the-brains%e2%80%9d-two-chinese-schools-said-to-be-tied-to-online-attacks/</link>
		<comments>http://www.infowar-monitor.net/2010/02/%e2%80%9cbattle-of-the-brains%e2%80%9d-two-chinese-schools-said-to-be-tied-to-online-attacks/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 01:33:23 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Baidu]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[false flag]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[James Mulvenon]]></category>
		<category><![CDATA[John Markoff]]></category>
		<category><![CDATA[Lanxiang Vocational School]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[NYT]]></category>
		<category><![CDATA[Obama]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[Shanghai Jiaotong University]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[US cyber doctrine]]></category>
		<category><![CDATA[US Intelligence]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5659</guid>
		<description><![CDATA[
Source: <a href="http://www.nytimes.com/2010/02/19/technology/19china.html">JOHN MARKOFF and DAVID BARBOZA &#124; NYT</a>

<blockquote>SAN FRANCISCO — A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation.

They also said the attacks, aimed at stealing trade secrets and computer codes and capturing e-mail of Chinese human rights activists, may have begun as early as April, months earlier than previously believed. Google announced on Jan. 12 that it and other companies had been subjected to sophisticated attacks that probably came from China.

Computer security experts, including investigators from the National Security Agency, have been working since then to pinpoint the source of the attacks. Until recently, the trail had led only to servers in Taiwan.

If supported by further investigation, the findings raise as many questions as they answer, including the possibility that some of the attacks came from China but not necessarily from the Chinese government, or even from Chinese sources.

Tracing the attacks further back, to an elite Chinese university and a vocational school, is a breakthrough in a difficult task. Evidence acquired by a United States military contractor that faced the same attacks as Google has even led investigators to suspect a link to a specific computer science class, taught by a Ukrainian professor at the vocational school.

The revelations were shared by the contractor at a meeting of computer security specialists.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>The Chinese schools involved are Shanghai Jiaotong University and the Lanxiang Vocational School, according to several people with knowledge of the investigation who asked for anonymity because they were not authorized to discuss the inquiry.</p>
<p>Jiaotong has one of China’s top computer science programs. Just a few weeks ago its students won an international computer programming competition organized by I.B.M. — the “Battle of the Brains” — beating out Stanford and other top-flight universities.</p>
<p>Lanxiang, in east China’s Shandong Province, is a huge vocational school that was established with military support and trains some computer scientists for the military. The school’s computer network is operated by a company with close ties to Baidu, the dominant search engine in China and a competitor of Google.</p>
<p>Within the computer security industry and the Obama administration, analysts differ over how to interpret the finding that the intrusions appear to come from schools instead of Chinese military installations or government agencies. Some analysts have privately circulated a document asserting that the vocational school is being used as camouflage for government operations. But other computer industry executives and former government officials said it was possible that the schools were cover for a “false flag” intelligence operation being run by a third country. Some have also speculated that the hacking could be a giant example of criminal industrial espionage, aimed at stealing intellectual property from American technology firms.</p>
<p>Independent researchers who monitor Chinese information warfare caution that the Chinese have adopted a highly distributed approach to online espionage, making it almost impossible to prove where an attack originated.</p>
<p>“We have to understand that they have a different model for computer network exploit operations,” said James C. Mulvenon, a Chinese military specialist and a director at the Center for Intelligence Research and Analysis in Washington. Rather than tightly compartmentalizing online espionage within agencies as the United States does, he said, the Chinese government often involves volunteer “patriotic hackers” to support its policies.</p>
<p>Spokesmen for the Chinese schools said they had not heard that American investigators had traced the Google attacks to their campuses.</p>
<p>If it is true, “We’ll alert relative departments and start our own investigation,” said Liu Yuxiang, head of the propaganda department of the party committee at Jiaotong University in Shanghai.</p>
<p>But when asked about the possibility, a leading professor in Jiaotong’s School of Information Security Engineering said in a telephone interview: “I’m not surprised. Actually students hacking into foreign Web sites is quite normal.” The professor, who teaches Web security, asked not to be named for fear of reprisal.</p>
<p>“I believe there’s two kinds of situations,” the professor continued. “One is it’s a completely individual act of wrongdoing, done by one or two geek students in the school who are just keen on experimenting with their hacking skills learned from the school, since the sources in the school and network are so limited. Or it could be that one of the university’s I.P. addresses was hijacked by others, which frequently happens.”</p>
<p>At Lanxiang Vocational, officials said they had not heard about any possible link to the school and declined to say if a Ukrainian professor taught computer science there.</p>
<p>A man named Mr. Shao, who said he was dean of the computer science department at Lanxiang but refused to give his first name, said, “I think it’s impossible for our students to hack Google or other U.S. companies because they are just high school graduates and not at an advanced level. Also, because our school adopts close management, outsiders cannot easily come into our school.”</p>
<p>Mr. Shao acknowledged that every year four or five students from his computer science department were recruited into the military.</p>
<p>Google’s decision to step forward and challenge China over the intrusions has created a highly sensitive issue for the United States government. Shortly after the company went public with its accusations, Secretary of State Hillary Rodham Clinton challenged the Chinese in a speech on Internet censors, suggesting that the country’s efforts to control open access to the Internet were in effect an information-age Berlin Wall.</p>
<p>A report on Chinese online warfare prepared for the U.S.-China Economic Security Review Commission in October 2009 by Northrop Grumman identified six regions in China with military efforts to engage in such attacks. Jinan, site of the vocational school, was one of the regions.</p>
<p>Executives at Google have said little about the intrusions and would not comment for this article. But the company has contacted computer security specialists to confirm what has been reported by other targeted companies: access to the companies’ servers was gained by exploiting a previously unknown flaw in Microsoft’s Internet Explorer Web browser.</p>
<p>Forensic analysis is yielding new details of how the intruders took advantage of the flaw to gain access to internal corporate servers. They did this by using a clever technique — called man-in-the-mailbox — to exploit the natural trust shared by people who work together in organizations.</p>
<p>After taking over one computer, intruders insert into an e-mail conversation a message containing a digital attachment carrying malware that is highly likely to be opened by the second victim. The attached malware makes it possible for the intruders to take over the target computer.</p>
<p>The recent invasions of the computer systems of Google and several dozen other American companies have placed a spotlight on the dismal state of American computer security.</p>
<p>Many American corporations take a reactive approach to attacks and are dependent on off-the-shelf antivirus products.</p>
<p>John Markoff reported from San Francisco and David Barboza from Shanghai. Bao Beibei and Chen Xiaoduan in Shanghai contributed research.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/%e2%80%9cbattle-of-the-brains%e2%80%9d-two-chinese-schools-said-to-be-tied-to-online-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NetWitness: The Russians (and a Horde of Others…) Are Coming!</title>
		<link>http://www.infowar-monitor.net/2010/02/netwitness-the-russians-and-a-horde-of-others%e2%80%a6-are-coming/</link>
		<comments>http://www.infowar-monitor.net/2010/02/netwitness-the-russians-and-a-horde-of-others%e2%80%a6-are-coming/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 01:24:10 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[Alex Cox]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Aurora]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[FS-ISAC]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Netwitness]]></category>
		<category><![CDATA[webinar]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5657</guid>
		<description><![CDATA[
<a href="http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=25f08b05-01d2-4eaa-b8d0-91bebf410c88">NetWitness/FS-ISAC</a>: <blockquote>Google and Operation Aurora opened the eyes of many security teams to the prevalence of “advanced persistent threats” across all sectors and the continuing lack of network intelligence within many organizations regarding the communications of sophisticated miscreants.

Why are good security teams across a wide variety of sectors being taken down by advanced threats? Google and Operation Aurora put everyone on public notice that “advanced persistent threats” or APT represent the most critical operational security risks. Advanced threats are not limited to politically motivated attacks. There is a vast underground marketplace where data regarding your organization and your customers are bought and sold to organized criminal groups, terrorists, and state-sponsored entities around the world. These adversaries are organized, have sophisticated network weapons, and are patient. These threats transcend the ability of preventative security technologies deployed in most organizations. Financial services organizations need real-time network intelligence and local situational awareness regarding these advanced threats, to lower risk and shorten the potential exposure window.

Join the FS-ISAC and NetWitness for this complimentary opportunity to hear Alex Cox, Senior Consultant at NetWitness Corporation, and former lead researcher on the emerging threats analysis and solution development team at a large national bank, discuss how to create a powerful, real-time cyber threat intelligence capability within your organization. Alex will describe the sources of specific fraud, malware, crimeware and data exfiltration threats, and discuss how to move to a more proactive threat intelligence posture. Use this opportunity to gather intelligence on new techniques used by the enemy and methods for using real-time network forensics to lower the risk to your organization.

All who register will receive a copy of the webinar recording post event. Register now by clicking on the Register button.

For any questions contact webinars@fsisac.com

When: Wednesday, February 24, 2010 2:00 PM - 3:00 PM Eastern Time Zone

Where: Webinar

Planner: Denise Anderson

Websites: FS-ISAC, NetWitness</blockquote>]]></description>
			<content:encoded><![CDATA[<p><a href="http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=25f08b05-01d2-4eaa-b8d0-91bebf410c88">NetWitness/FS-ISAC</a>:<br />
<blockquote>Google and Operation Aurora opened the eyes of many security teams to the prevalence of “advanced persistent threats” across all sectors and the continuing lack of network intelligence within many organizations regarding the communications of sophisticated miscreants.</p>
<p>Why are good security teams across a wide variety of sectors being taken down by advanced threats? Google and Operation Aurora put everyone on public notice that “advanced persistent threats” or APT represent the most critical operational security risks. Advanced threats are not limited to politically motivated attacks. There is a vast underground marketplace where data regarding your organization and your customers are bought and sold to organized criminal groups, terrorists, and state-sponsored entities around the world. These adversaries are organized, have sophisticated network weapons, and are patient. These threats transcend the ability of preventative security technologies deployed in most organizations. Financial services organizations need real-time network intelligence and local situational awareness regarding these advanced threats, to lower risk and shorten the potential exposure window.</p>
<p>Join the FS-ISAC and NetWitness for this complimentary opportunity to hear Alex Cox, Senior Consultant at NetWitness Corporation, and former lead researcher on the emerging threats analysis and solution development team at a large national bank, discuss how to create a powerful, real-time cyber threat intelligence capability within your organization. Alex will describe the sources of specific fraud, malware, crimeware and data exfiltration threats, and discuss how to move to a more proactive threat intelligence posture. Use this opportunity to gather intelligence on new techniques used by the enemy and methods for using real-time network forensics to lower the risk to your organization.</p>
<p>All who register will receive a copy of the webinar recording post event. Register now by clicking on the Register button.</p>
<p>For any questions contact webinars@fsisac.com</p>
<p>When: Wednesday, February 24, 2010 2:00 PM &#8211; 3:00 PM Eastern Time Zone</p>
<p>Where: Webinar</p>
<p>Planner: Denise Anderson</p>
<p>Websites: FS-ISAC, NetWitness</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/netwitness-the-russians-and-a-horde-of-others%e2%80%a6-are-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malicious Software Infects Computers</title>
		<link>http://www.infowar-monitor.net/2010/02/malicious-software-infects-computers/</link>
		<comments>http://www.infowar-monitor.net/2010/02/malicious-software-infects-computers/#comments</comments>
		<pubDate>Thu, 18 Feb 2010 20:52:39 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Alex Cox]]></category>
		<category><![CDATA[Amit Yoran]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[DHS]]></category>
		<category><![CDATA[John Markoff]]></category>
		<category><![CDATA[Kneber]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Netwitness]]></category>
		<category><![CDATA[Shadowserver]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5653</guid>
		<description><![CDATA[Source: <a href="http://www.nytimes.com/2010/02/19/technology/19cyber.html">JOHN MARKOFF</a> &#124; NYT
<blockquote>A malicious software program has infected the computers of more than 2,500 corporations around the world, according to NetWitness, a computer network security firm.

The malicious program, or botnet, can commandeer the operating systems of both residential and corporate computing systems via the Internet. Such botnets are used by computer criminals for a range of illicit activities, including sending e-mail spam and stealing digital documents and passwords from infected computers. In many cases they install so-called keystroke loggers to capture personal information.

The current infection is modest compared with some of the largest known botnets. For example, a system known as Conficker, created in late 2008, infected as many as 15 million computers at its peak and continues to contaminate more than seven million systems globally.

Botnet attacks are not unusual. Currently Shadowserver, an organization that tracks botnet activity, is monitoring 5,900 separate botnets.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Several computer security specialists also disputed the company’s assertion that the botnet was a novel discovery. This type of infection is well known to the computer security research community and is routinely tracked by a monitoring system that has identified more than 1,300 botnets of this design.</p>
<p>NetWitness said in a release that it had discovered the program last month while the company was installing monitoring systems. The company named it the Kneber botnet based on a username that linked the infected systems. The purpose appears to be to gather login credentials to online financial systems, social networking sites and e-mail systems, and then to transmit that information to the system’s controllers, the company said.</p>
<p>The company’s investigation determined that the botnet had been able to compromise both commercial and government systems, including 68,000 corporate login credentials. It has also gained access to e-mail systems, online banking accounts, Facebook, Yahoo, Hotmail and other social network credentials, along with more than 2,000 digital security certificates and a significant cache of personal identity information.</p>
<p>“These large-scale compromises of enterprise networks have reached epidemic levels,” said Amit Yoran, chief executive of NetWitness and former director of the National Cyber Security Division of the Department of Homeland Security. “Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe.”</p>
<p>The company, which is based in Herndon, Va., noted that the new botnet made sophisticated use of a well-known Trojan Horse — a backdoor entryway to attack — that the computer security community had previously identified as ZeuS.</p>
<p>“Many security analysts tend to classify ZeuS solely as a Trojan that steals banking information,” said Alex Cox, the principal analyst at NetWitness responsible for uncovering the Kneber botnet. “But that viewpoint is naïve. When we began to detect the correlation among both the methodology used by the Kneber crew to attack victim machines and the wide variety of data sets harvested, it became clear that security teams must rethink their entire perspective on advanced threats such as ZeuS.”</p>
<p>Half of the machines infected with the Kneber botnet were also infected by an earlier botnet known as Waledec, the company noted.</p>
<p>The existence of the botnet was first reported by The Wall Street Journal, shortly before the company issued its news release. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/malicious-software-infects-computers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberwar: The March of the Ghost Rats</title>
		<link>http://www.infowar-monitor.net/2010/02/cyberwar-der-marsch-der-geisterratten/</link>
		<comments>http://www.infowar-monitor.net/2010/02/cyberwar-der-marsch-der-geisterratten/#comments</comments>
		<pubDate>Thu, 18 Feb 2010 10:09:26 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Nart Villeneuve]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[US cyber doctrine]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5651</guid>
		<description><![CDATA[Cyberwar: The March of the Ghost Rats

Source: <a href="http://www.zeit.de/digital/internet/2010-02/Nart-Villeneuve-cyberwar">Zeit</a>: <blockquote>Canadian master hacker Nart Villeneuve hunts internet spies from distant countries: sometimes he comes across confused lone operators, sometimes he uncovers entire cyber armies.

Image caption: Modern network attacks use a tactic considerably older than the computer industry: they hide inside a foreign shell in order to penetrate enemy territory, like a Trojan horse. (© Robert Atanasovskia/AFP/Getty Images)

They are called "Trojan horses". Treacherous attackers, harmlessly packaged. The stratagem may be as old as the ancient Greeks, but the business with the wooden horse has evolved: a "Trojan horse" attacks on screen. And today it is nothing more than a piece of computer code, a few lines in the programming languages C++ or Perl or ASM, hidden by villains in a harmless-looking file. In the picture of the little puppies, say, that unexpectedly turns up in the e-mail inbox. In the cheerful letter addressed to the "Dear Lottery Winner". Whoever opens it loads hostile armies onto his computer. Computers through which a Trojan horse has ridden can be remotely controlled by hackers anywhere in the world; they can be searched, reprogrammed and abused for sinister crimes.

Welcome to the world of Nart Villeneuve. 35 years old. Canadian. A tall, burly guy you can talk to for hours about Trojan horses. About unknown scouts out there on the internet. About the intricate technical methods used to implant malicious programs in computers, network components and even keyboard chips. Nart Villeneuve is a master hacker. One who wants to fight on the good side. He is trying to find out why, in the last few years, a veritable great war has broken out between the world powers, a global cyber battle over secrets between hackers from Russia and Brazil, Taiwan and Israel, Iran and Great Britain, and above all, it seems, between the USA and China. Why, recently and in such quick succession, it hit defence contractors and government agencies, banks, oil companies, eBay, and most recently Google, which in January openly admitted that hackers had been roaming its networks. "I am very interested in what the Chinese are up to," says Nart Villeneuve. "I want to find out: who exactly is being attacked? What kind of data is being stolen? Only once you can answer these questions can you draw conclusions about who is ultimately behind the attacks."

To be honest: if you visit him and don't yet know him well, it is hard to take the Canadian seriously. His preferred office is a basement room at the University of Toronto, where he sits at the end of a corridor with a beige carpet. Inside are eight monitors, a row of untidy computer workstations and a garishly coloured leather sofa with a silver footrest. Such a sofa would also serve well at a big-city hairdresser's. Someone has left a sock on the right armrest. Presumably so that its owner can collect it at some point.

But appearances deceive. From this basement Nart Villeneuve has solved a series of global cyber-espionage cases. He has set up computers that he deliberately let his adversaries' viruses, Trojan horses and worms infect. From here he has already struck back, to crack the spies' computers in turn, and not infrequently Nart Villeneuve has succeeded.

It was in this basement that Nart Villeneuve discovered GhostNet in 2008: the Dalai Lama had asked a group of security experts associated with the University of Toronto for help, and Nart Villeneuve was among them. The computers of the Tibetan government-in-exile had been infected with a Trojan horse called gh0st Rat. The ghost rat. A powerful piece of malware of Chinese origin that allows hackers to take complete remote control of infected computers, switch on built-in webcams and phones, and read and delete files. While the Canadians were still examining the network, they noticed that someone really was at work from afar: a document containing thousands of e-mail addresses was, before their very eyes, being moved to a distant location on the internet. In any case, gh0st Rat had landed on these computers in an extraordinarily cunning way. An analysis of the remaining data traces showed that a whole wave of the most varied malware had been hidden in targeted letters to the Tibetan government. Attachments to letters in Microsoft Word format or in Adobe Acrobat files, apparently. And the antivirus protection? Only 11 of 34 virus scanners that the security experts tried out found anything suspicious at all.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>When master hacker Villeneuve finally succeeded in taking control himself of a number of control servers, of those machines, that is, which were evidently meant to monitor the Tibetan computers, and which were housed on the Chinese island of Hainan. &#8220;They hadn't secured it properly,&#8221; he says, pleased. It dawned on Villeneuve at the time that the Dalai Lama was only a sideshow. GhostNet was much bigger: at least 1,295 infected and remotely controllable computers in 103 countries. Foreign ministries, embassies, associations, and many targets with economically highly relevant data at banks, news agencies, trading companies. Chinese spy out the secrets of the world! ran the headlines at the time.</p>
<p>But who was really behind it? The Chinese secret service? Some military? Private hackers? In the end just pranksters? Even foreign hackers who had infiltrated these Chinese computers? &#8220;We were never able to prove beyond all doubt who exactly was behind these attacks,&#8221; says Villeneuve. In any case he has already seen a great deal, and has often found that first appearances in such investigations are deceptive. Villeneuve sometimes works on behalf of the University of Toronto, where he is a researcher; sometimes as chief technologist of a small company that breaks internet censorship blocks; and sometimes as the technical expert behind sensational reports by organizations called &#8220;Internet Warfare Monitor&#8221; or &#8220;Open Net Initiative&#8221;.</p>
<p>Only recently he thought again that he was fighting a gigantic cyber army, and then reality turned out to be more sobering. That was when he wanted to find out who had defaced the website Mizzima News with slogans. This service of Burma's civil rights movement suddenly carried slogans such as &#8220;We Born for Hack Those Fucking Media Website, Which Are Ever Talk About Only Worse News For Our Country.&#8221; Was Burma's notorious military behind it? Were intelligence services at work?</p>
<p>The perpetrators had it easy: there was a security hole in the server software of this website through which a Trojan horse called c99shell could be smuggled in, and that much at least was easy to establish. But the perpetrators? &#8220;The attacks seemed to come from many different countries, including Germany,&#8221; says Villeneuve. That was certainly not because the perpetrators really sat in so many different countries. Had they remotely hijacked computers in all these locations?</p>
<p>No: ironically, the perpetrators had abused for their attacks a service that many civil rights activists also use to disguise their true identity on the internet. An online service that makes visits on the net look, to a state snoop, as if the web surfer were sitting in eastern Germany one second, in Mumbai the next and a few seconds later in Ukraine. The hackers had used this service for their own purposes.</p>
<p>But after a months-long hunt, which included patient research on web servers with names like overkill.myanmar.org, examinations of comparable attacks from previous years and even a reconnaissance trip to Burma and hours of conversations in remote internet chat rooms, Villeneuve finally knew enough. Enough at least to confront one attacker, in an internet chat room. A man in Burma who had once studied in Russia and who had worked together with at most a handful of fellow hackers. A loner who lived out his nationalist leanings through website defacements. &#8220;He never quite fully admitted it, though,&#8221; says Villeneuve and shrugs regretfully. &#8220;But he said enough. I understood him.&#8221;</p>
<p>The door opens and Ron Deibert enters the hackers' basement room. Professor Ron Deibert, the man who many years ago began building here an institute for monitoring internet censors, data warriors and hackers around the world. It is the only institute of its kind in the whole world; and Deibert has become a leading authority in the field of internet censorship and internet wars. He has given talks at Google and warned the company about intruders, even before the attacks on it became public. He advised Hillary Clinton before she gave, a few weeks ago, a rousing speech on security in cyberspace that many understood as a declaration of war on China. He has founded companies that help their customers deal properly with the new dangers on the net.</p>
<p>Deibert looks tired. He has given many interviews and many talks in recent weeks. &#8220;There was a time when we had a romantic notion of the internet,&#8221; he says. &#8220;A playground for non-governmental organizations! A paradise for hippies!&#8221; But from the very beginning, Deibert believes, dark forces were also at work. Censors. Spies. But never as many as today.</p>
<p>&#8220;The phase that has now begun is very dangerous,&#8221; Deibert believes. &#8220;A huge ecosystem of computers and mobile devices has emerged, and the development of weapons against this system is advancing rapidly. This is an arms race. Frankly, we have not seen the worst things by a long way. We need a kind of arms control in cyberspace.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/cyberwar-der-marsch-der-geisterratten/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
