Archive for the 'Malware' Category

Inside a Botnet

Thursday, December 13th, 2007

Fascinating glimpse by SecureWorks of the inner workings of a spamming botnet.

With the help of Spamhaus, we were able to not only shut down the command and control server, we were able to obtain the running software from the server, written in the Python language. Examining these showed that the Srizbi botnet is actually a working component of a piece of spamware known as “Reactor Mailer”. Reactor Mailer has been around at least since 2004, and is in its third major version. Versions 1 and 2 likely used proxy servers to relay the spam; however, since this is not as efficient as template-based spambots, version 3 was created along with Srizbi, the bot that actually does the mailing.

Reactor Mailer is the brainchild of a spammer who goes by the pseudonym “spm”. He calls his company “Elphisoft”, and has even been interviewed about his operation by the Russian hacker website xakep.ru. He claims to hire some of the best coders in the CIS (Commonwealth of Independent States, the post-Soviet confederation) to write the software. This claim is probably true – by examining details in the source code, we were able to identify at least one of the principal coders of Reactor 3/Srizbi, a Ukrainian who goes by the nickname “vlaman.” Various postings by vlaman indicate he is proficient in C and assembler, and would certainly be capable of writing the Srizbi trojan.

Reactor Mailer operates with a software-as-a-service model. Spammers are given accounts on a Reactor server, and use a web-based interface to manage their spam tasks. In the case of the Ron Paul spam, there was only one account on the server in addition to spm, which was named “nenastnyj”.

We loaded the Reactor Mailer software onto a test machine in order to recreate the interface as seen by the spammer…

Thanks to Tony Hirst for the link.

Spamalot themes

Monday, November 19th, 2007

One of the many advantages of using Pobox as my email hub is its wonderful spam filter. Occasionally, though, it blocks a legit message, so I periodically have to skim through the piles of ‘discards’ it has blocked. It’s interesting to see the changing patterns of spam. The pump-and-dump, penis-enlargement and fake Rolex salesmen are still, er, hard at it. But there’s an increasing amount of incomprehensible Cyrillic guff. Putin’s Russia continues to develop along predictable lines.

The end of innocence for Mac users

Wednesday, November 7th, 2007

Great BBC column by Bill Thompson on the first Mac trojan.

The first serious threat to Mac users has been observed “in the wild”.

It’s a Trojan Horse, a piece of code that pretends to do one thing but actually compromises your computer.

This one spreads through online video sites, taking advantage of the fact that there are many different ways to display video, each requiring slightly different software to encode and decode moving images.

That puts my son right in the middle of the vulnerable population because he likes to watch video clips via sites like YouTube and Flixster.

Although Quicktime, the Apple media player that comes bundled with every Mac, makes a good shot of dealing with most common formats, if it can’t figure out what to do with a particular file type it can go online to find the right “codec”.

The Trojan sits behind an online video and when you try to play it you get a message from Quicktime telling you to get a new codec, and if you follow the link you’ll be sent to a site that hosts the malicious software.

Click “ok” and enter your system administrator’s password and it will be installed on your computer with full system access, after which you are, to use the jargon, “pwned”, or scuppered.

And you don’t even get to see the video you were after.

At the moment the fake codec is being spread via porn sites, but it will quickly spread to more mainstream sites, and that’s when it will get dangerous and could affect a lot of Mac users who believe that they don’t need to worry about system security…

Richard Earney emails:

It’s unfortunate, because this Trojan is an actual attempt by Ukrainian criminals to hijack Macs, but it’s not exploiting any sort of security hole in any version of Mac OS X. To get hit by it, you must (a) be the sort of moron who downloads “video codecs” from porno sites; (b) mount the disk image and launch the installer; and (c) grant the installer administrator privileges to install whatever it wants, wherever it wants on your system. No system can prevent that.

If anything, the fact that you have to manually install the software and supply your administrator password is a sign that Mac OS X security works.

Hmmm… I’ve just looked at Safari Preferences, which has a check-box for “Open ‘safe’ files after downloading” which some users might leave checked in their innocence.

Later: Charles Arthur emailed to point out that “it’s not strictly the first; but it does seem to be the first *commercial* one, where the professional malware writers have gotten into the game”.

In millions of Windows, the perfect Storm is gathering | Business | The Observer

Sunday, October 21st, 2007

This morning’s Observer column

Storm has been spreading steadily since last January, gradually constructing a huge botnet. It affects only computers running Microsoft Windows, but that means that more than 90 per cent of the world’s PCs are vulnerable. Nobody knows how big the Storm botnet has become, but reputable security professionals cite estimates of between one million and 50 million computers worldwide. To date, the botnet has been used only intermittently, which is disquieting: what it means is that someone, somewhere, is quietly building a doomsday machine that can be rented out to the highest bidder, or used for purposes that we cannot yet predict…

The Storm ‘worm’

Monday, October 15th, 2007

Bruce Schneier has a sobering briefing on what he calls “the future of malware”.

Although it’s most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It’s also the most successful example we have of a new breed of worm, and I’ve seen estimates that between 1 million and 50 million computers have been infected worldwide.

Old-style worms — Sasser, Slammer, Nimda — were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins, and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.

Worms like Storm are written by hackers looking for profit, and they’re different. These worms spread more subtly, without making noise. Symptoms don’t appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.

Storm represents the future of malware. Let’s look at its behavior:

1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.

2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.

3. Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.

4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way…

There’s more, and none of it is pretty.

Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it. Inoculating infected machines individually is simply not going to work, and I can’t imagine forcing ISPs to quarantine infected hosts. A quarantine wouldn’t work in any case: Storm’s creators could easily design another worm — and we know that users can’t keep themselves from clicking on enticing attachments and links.

Redesigning the Microsoft Windows operating system would work, but that’s ridiculous to even suggest. Creating a counterworm would make a great piece of fiction, but it’s a really bad idea in real life. We simply don’t know how to stop Storm, except to find the people controlling it and arrest them.

This is the other side of the end-to-end coin.

The new malware

Monday, October 8th, 2007

The Storm Worm has since continued unabated, most recently in the form of Web-based attacks. E-mails, socially engineered to look like electronic greeting cards and linked to a Web site containing malware, completely avoided traditional e-mail antivirus gateways. The Storm Worm’s course change to the Web reflects a growing trend of malware Web-based attacks launched through e-mail.

The simple logic behind these e-mail-based blended threats is astoundingly effective: no attachment means no antivirus block. And when combined with a user-friendly invitation, it creates the opportunity for a high infection rate.

Blended threats easily lead people to Web sites where malware gets downloaded – often without user interaction or knowledge. The industry is just now realizing the severity of the problem.

Researchers at Google recently published a paper concluding that approximately 10 percent of reviewed URLs contained “drive-by downloads” of malware binaries (PDF) and many more that were flagged as suspicious.

[Source]

China enters new export market

Tuesday, September 4th, 2007

According to the current Sophos monthly report, China now heads the list of countries hosting malware-infected webpages.

Damn Spam

Thursday, August 2nd, 2007

Lovely New Yorker essay by Michael Specter on the pestilence that is junk email.

Thanks to Arts & Letters Daily for spotting it.

Economist: cyberwar reassessed

Saturday, May 26th, 2007

Good piece pondering the implications of the assault on Estonia.

Even at their crudest, the assaults broke new ground. For the first time, a state faced a frontal, anonymous attack that swamped the websites of banks, ministries, newspapers and broadcasters; that hobbled Estonia’s efforts to make its case abroad. Previous bouts of cyberwarfare have been far more limited by comparison: probing another country’s internet defences, rather as a reconnaissance plane tests air defences.

At full tilt, the onslaught on Estonia was also of a sophistication not seen before, with tactics shifting as weaknesses emerged. “Particular ‘ports’ of particular mission-critical computers in, for example, the telephone exchanges were targeted. Packet ‘bombs’ of hundreds of megabytes in size would be sent first to one address, then another,” says Linnar Viik, Estonia’s top internet guru. Such efforts exceed the skills of individual activists or even organised crime; they require the co-operation of a state and a large telecoms firm, he says. The effects could have been life-threatening. The emergency number used to call ambulances and the fire service was out of action for more than an hour.

For many countries, the events of the past weeks have been a loud wake-up call. Estonia, one of the most wired nations in Europe, actually survived pretty well. Other countries would have fared worse, NATO specialists reckon…

IMHO, this is a really big deal. I can’t understand why governments appear to be paying so little attention to it. And I’m astonished that it has taken so long for an attack to materialise. Years ago I wrote that Saddam Hussein should stop wasting his efforts on WMD and hire some hackers instead. I guess he didn’t read the Observer. Just as well, maybe.

What the attacks on Estonia have taught us about online combat

Wednesday, May 23rd, 2007

Good piece in Slate by Cyrus Farivar…

The Estonia case also shows how easy it is to cause massive panic on a shoestring budget. All you need to deploy a cyberattack is some malicious software, a bunch of zombie computers distributed around the world, and an Internet connection. Sure, you may need to pay for a “professional-grade” botnet—a network of computers that have been surreptitiously infected to run nefarious software. But surely that costs orders of magnitude less than the price of heavy artillery, battleships, and nuclear submarines.

Perhaps the most telling lesson here is how difficult it is to catch the perpetrators of online terrorism. Covering one’s fingerprints and footprints online is relatively simple, compared with getting rid of physical evidence. IP addresses can be spoofed, and an attack that appears to come from one place may actually originate somewhere else. As such, the Kremlin (or anyone else) can plausibly deny that they had anything to do with the attacks, even if the Estonians’ server logs show that the attacks first originated from Moscow. If the Russians don’t want to hand over data or documents—or even pick up the phone, for that matter—there’s not much that Estonia, or anyone else, can do to figure out the real story…