En français

Tor-pig ?

No, I am not going to tell you yet another story about the swine flu. Researchers from the University of Santa Barbara in California published a report on their discoveries after temporarily taking control of the command system of the Torpig botnet.

This botnet is made up of victims of a certain piece of malware (Torpig/Sinowal/Anserin) which targets Microsoft Windows systems. According to some previous accounts it was first spotted (says here RSA) in February 2006 or in July 2005 according to other sources. Thus, it has now been almost four years since the birth of this trojan and it is still very active!

In concluding their report, the researchers from Santa Barbara quoted by ZDNet this week, have found that this malicious software can collect millions of passwords, thousands of credit card numbers or bank account credentials in a ten day period. They are maintaining a project webpage.

This is a new example of the techniques that are necessary today to efficiently collect information about these botnets : penetrating their command centres. Today, such methods for collecting evidence remain illegal in Europe (and even research conducted in this manner could be questioned).

En français

Finjan revealed yesterday the existence of a botnet with over 1.9 million infected machines.

The command & control (C&C) server of this network has been located in Ukraine and according to the data collected by the people at Finjan, after infiltrating into this C&C server, their could be a group of six people managing it.

On Finjan’s blog, screenshots of the web interface to this C&C are shown. The Trojan horses installed through this botnet have a variety of functionalities: “read email address and other details from the infected computer; communicate with other computers using HTTP protocol; execute a process; inject code into other processes; visit websites without end-users’ consent; register as a background service on the infected computer and a few dozen other commands.”

Finjan also counted the share of infected machines worldwide: US / 45%, UK / 6%, Canada / 4%, Germany / 4%, France / 3%, autres / 38%. That would make a total of 60.000 victim machines in France alone… It would seem that computers infected are running Windows XP.

Once again, it is shown here that to fight this type of cybercrime, it is essential to collect evidence by infiltrating into suspects computer systems. And investigative services do not have such legal powers in France. It is even not sure that we would be allowed to present evidence collected in this manner by private entities in order to bring the suspects to court. As was pointed out by Joe Stewart at the RSA conference this week – San Francisco – it is high time that methods used to fight against this new type of criminal activities online are adapted to the challenge, and not only on the side of the industry but also in partnership with law enforcement and the justice to put an end to the activities of such criminal groups.

En français

Worcester

Aged 17 today, a young boy from Worcester, in the Boston area (Massachusetts, USA), was sentenced last week to 11 months of emprisonment in a juvenile detention center.

He was found guilty of hacking into corporate computer systems, making hoax 911 calls which led to SWAT team responses and using stolen credit card numbers to buy goods. All these offences were committed between November 2005 and May 2008.

The suspect, known under the screenname of  DShocker, decided to plead guilty and was originally facing a maximum sentence of 10 years in prison. In France, although being a minor he might not have faced imprisonment, for similar actions the maximum penalty would be of 5 years in prison and a 75 000 € fine (articles 323-1 à 323-7 of the penal code).

En français

Instant messengers: where many predators lure their victims

There has been many reports in the news today about the first successful attempts to use the new cyberpatrolling powers which were authorized last week by the French legislation. The Bobigny prosecutor chose to communicate around a specific case that was brought forward by the specially trained gendarmes of the cybercrime division of the STRJD in Rosny sous Bois.

French readers can visit this article on 01Net: La gendarmerie arrête un pédophile en s’infiltrant sur un forum.

As I was explaining a few days ago, this is not about undercover operations but more properly covert Internet investigations.

Some might wonder about the necessity to communicate this much around this specific case. Actually, it is not about exposing police methods, but about sending a clear message to online predators of children in chatrooms, forums, etc. that they can no longer wander around unpunished, to reinstate what we call in French: the peur du gendarme (fear of the gendarme).

En français

A temporary XSS vulnerability in Symantec's website

Symantec published this week its “Global Internet security threat report” on trends for 2008. The full document can be downloaded from the website of the company.

This report is driven from data collected by Symantec, through its customers and its security teams. Although such reports are always not to be fully taken for granted, because of the obvious bias, they contain valuable information for the reader. Here are a few of the ideas that are worth noting:

• Websites are at the top of the list of media used for the distribution of malware ; the implementation of those malware is automated on websites using similar platforms, code or vulnerabilities, such as XSS ; very often those vulnerabilities are classified with a medium risk and are not subject to rapid updates ;
• On the contrary, the report underlines that a major vulnerability was exploited to distribute the most active worm today – Conficker. On this topic, you can read an interesting blog message by Sid.
• Motivations of cybercrooks are still mostly financial. Payloads distributed through malware and phishing scams are predominantly targeted at personal data and payment systems.
• The report confirms the existence of a grey market for those data, in particular credit card numbers, which represent 32% of the market observed by Symantec with prices ranging from a couple cents to $30, before banking credentials or email account credentials. Credit card data are obviously easier to intercept and reuse.
• Malware and phishing kits have rapidly developed in 2008, leading to a huge increase in the number of online threats discovered by Symantec (+165%).
• The report concludes on the success of joint work such as the Conficker cabal. As I have previously written, it can be regretted that government authorities are not officially associated to these initiatives.

As other sources of information, this report presents evidence of the growing number of organised crime groups behind online threats.

As a conclusion, it was funny to note yesterday that an XSS vulnerability was discovered on Symantec’s website, but now seems to have been patched.

En français

Legal background

The law on the prevention of crime of March 2007 introduced in the French legislation the possibility for specially trained law enforcement officials to get in contact online with people suspected of committing offences such as the traficking of human beings, proxenitism or crimes against children on the Internet, and thus collect evidence of those infractions. Provocation of the offences is not allowed.

This is covered by articles 706-35-1 and 706-47-3 of the penal procedural code.

A decree, published in May 2007, describes in new articles D47-8, D47-9 and D47-11 of the penal procedural code the strict rules that “cyber-patrols” must follow when exchanging illegal contenton the Internet.

A recent legal instrument the arrêté March 30rd 2009, published last week, decides which specific units can host cyber-patrols and how the “cyber-patrollers” are trained and appointed. This same text defines the mission of the CNAIP, the French national centre in charge of the national child sexual abuse database, which is hosted by the Gendarmerie nationale in Rosny-sous-Bois. This unit is in charge of receiving all illegal content collected during criminal investigations of child abuse and fulfills the tedious task of examining all those images and videos, in relation with international counterparts, in order to try and identify perpetrators and victims.

What will cyber-patrollers do?

These new types of online investigators will connect to forums, exchange groups, discussion groups where suspected pedophiles go and chat with them, using a pseudonym or avatar. They will be in a better position to collect evidence of those offences, in particular the new child-grooming offence which was voted in 2007: making proposals of sexual nature to a minor under 15 years of age. This will hopefully allow to detect predators before they can meet with children and help and identify more of those people who exchange in more discreet forums pictures and movies of children being abused.

A French NGO is currently showing on television a series of prevention messages, which give advice on how to protect children from the risks of the Internet. This can be seen here, and you can see one of those video-clips below: