Botconf 2013

French version of this article.

On December 5 and 6, 2013, Botconf 2013 will take place in Nantes (France): the first ever conference dedicated to the fight against botnets.

The call for presentations and scientific papers is online on the conference website https://www.botconf.eu/. The deadline for submissions is 30 June 2013.

The conference is open to academia, industry and law enforcement personnel. Students whose papers are selected will receive a grant to help finance their participation (financial support for transport and lodging).

The organising committee is composed of volunteers from the botnets.fr community and the independent scientific programme committee is composed of IT security specialists from all sectors and regions of the world. The conference will be held in English.

Threats spreading silently despite Java updates…

I don’t often publish on the English version of my blog (my blog in French is available here). Once again, it will be about Java and the spreading of threats. Last August, I detailed the way I felt about how information on vulnerabilities is distributed by the security community, how updates are made by vendors and how all this contributes or not to better security for end-users.

Once again, bad timing and a lack of coordination and communication are leading to increased distribution of malware.

Monitoring the activity of exploit kits with the research community at botnets.fr, we are also following the use of particular exploits by those exploit platforms. Two of them are quite active at the moment:

The exploit platforms use those techniques, among others, to target victims’ machines depending on their actual configuration.

What we are seeing right now is that some exploit platforms manage to infect up to 20% of targeted machines, doubling their usual success rate!

Why is it so efficient?

Recently, Java introduced a new security feature that warns the user when code from an unknown publisher (an unsigned or self-signed applet) tries to execute on the machine. This has helped a lot to prevent the execution of unwanted code on targeted machines. For instance, you get the following message when checking your version of Java on the official website (here in French; in English it says “Do you want to run this application?”):

[Screenshot: the Java security prompt shown by the official Java version check page]

In this case, you can safely click “Run”. This has been a great improvement and has had a real impact on malware spreading… but that was without counting on the discovery of other vulnerabilities.

Recently discovered vulnerabilities in Java make it possible to circumvent this warning and execute arbitrary code. Today’s success rates of exploit platforms are directly related to the absence of proper Java updates on victims’ machines.

I am not going to blame any particular individuals in this article, but once again, there is something wrong with the timing:

  • April 16, 2013: Oracle publishes a critical update, 7u21, for the Java 7 branch, which corrects a large number of vulnerabilities.
  • April 17, 2013: blogs start distributing proof-of-concept code that exploits some of the vulnerabilities described above. Metasploit includes some of them in its testing platform on April 20.
  • Of course, exploit kit developers read those same blogs and have swiftly included exploits for those vulnerabilities. For instance, F-Secure notes their use as soon as April 21!
  • A seemingly undocumented vulnerability, used in combination with CVE-2013-2423 (I am deliberately not linking to messages detailing it), manages to bypass the security warning and is now in the wild, used in a number of exploit kits. This second vulnerability is corrected in recent Java updates too. A similar situation was described in January (read the US-CERT advisory).

What should people do?

As Timo Hirvonen from F-Secure says:

[Screenshot of Timo Hirvonen’s message]

If Java is installed and necessary on your computer, please check that you have the latest version and, if not, please update! Normally, Java offers an automatic update process for your system, but the success rates we are seeing for exploit kits show that not everyone has that option properly configured.

If you don’t need Java, please disable it in your browser (advice in this InfoWorld article).
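For administrators who have to do this on many machines rather than one browser at a time, here is an added example (not from the original post) of the Java deployment properties that switch the browser plug-in off and lock the setting so that the Java Control Panel cannot re-enable it. `deployment.webjava.enabled` and `deployment.security.level` are Oracle’s documented keys for Java 7 Update 10 and later; where the file lives (the user’s deployment.properties, or a system-wide file referenced from deployment.config) depends on the platform and is not covered here.

```properties
# deployment.properties: the default leaves the browser plug-in enabled,
# which is the weak setting exploit kits rely on. Corrected setting:
deployment.webjava.enabled=false
# the bare ".locked" key prevents the user from changing the value above
deployment.webjava.enabled.locked

# If the plug-in must stay on for an internal application, at least keep the
# security level at its strictest so that unsigned applets are not run
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

Disabling the plug-in only affects Java content loaded from web pages; stand-alone Java applications on the machine keep working, which is usually the compromise corporate environments need.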

What could the security community do?

We cannot keep seeing such timelines of events and not react. Some questions and proposals:

  • Is full disclosure of proof-of-concept code the right way to improve security?
  • Is the timing of the disclosure of vulnerabilities and proofs of concept correct? Shouldn’t it be properly coordinated with information to the public?
  • Shouldn’t the community in general (including vendors) properly inform end users that they need to update their software and operating systems? Shouldn’t the mass media be involved in spreading such information, considering today’s importance of computers and electronic devices in general?
  • Is there no way for end users to find in one single location the configuration of their security updates? The example here of checking Java updates and their configuration is one illustration of the difficulties users face.
  • And more specifically, why is it not always possible to find information adapted to people’s technical level?

Java CVE-2012-4681 vulnerability – Let’s become more responsible!

French version of this article.

Update: 30/08/2012 20:10

Oracle has just released an update to its standard Java engine (versions 6 and 7). If you have Java installed, it is highly recommended that you upgrade your computer with this release.

An update to the information about this vulnerability has been published by Oracle. An analysis of the changes made is published here.

Where it all begins

You have certainly read about this security event on various specialised IT news platforms. Here, here or there.

It is a vulnerability (actually a combination of two vulnerabilities) currently qualified as a 0-day, because it was previously undisclosed and is still exploitable, the targeted product not having been corrected yet. This vulnerability, referenced as “CVE-2012-4681” in the U.S. CVE database maintained by MITRE, concerns the most recent version of the Oracle Corporation Java engine, 1.7 (Java 7). The US-CERT also provides a detailed review.

Chronology

We can observe the following chain of events (Eric Romang also gives his analysis of this timeline):

  • 04/2012 … (more about this date below)
  • 26/08/2012, FireEye publishes on its blog an announcement of this previously unknown vulnerability. It was revealed through their study of what they describe as a targeted attack on one of their clients (other specialists such as Eric Romang or Trend Micro do not completely agree with this qualification of the facts, as the vulnerability may already have been circulating in recent months; on the other hand, Symantec describes a link between those attacks and a group they have named Nitro in the past).
    • FireEye recently drew attention when it announced, by mistake, the discovery of a command and control server for the Gauss botnet on the same IP address as the one for a similar botnet, Flame. Actually, that server had been set up by the antivirus company Kaspersky Lab to regain control of these botnets.
  • The announcement is reproduced many times on social networks and IT security blogs, sometimes including proof-of-concept code. Being independent of the operating system, as it is purely coded in Java, this type of attack can potentially be used against all kinds of machines, running Microsoft Windows, Linux or Mac OS X, should they host a vulnerable version of Java.
  • 27/08/2012, it seems that the developers of various malicious exploit platforms are advertising to their customers that they will quickly make available an update that takes advantage of this vulnerability (Brian Krebs writes on Monday about BlackHole, and security researchers quickly locate active malicious servers), and according to Kafeine in several blog posts (here and here), the exploit kits Sakura and Sweet Orange appear to be running the attack. I talked about exploit kits (articles published in French) in my December 2011 article about the gendarmerie ransomware and my February post about the Citadel botnet.
  • 27/08/2012 continues with Rapid7 announcing the addition of this particular vulnerability to its Metasploit penetration testing and security assessment platform.
  • 28/08/2012, at the end of the day, the team at Kaspersky Lab publishes a small rant. It is unclear whether it is aimed at FireEye (again, IT security businesses at war?) or at those who very quickly posted “proof of concept” code.

  • 29/08/2012, we learn that Oracle was notified of these vulnerabilities as early as April (according to ComputerWorld) by the Polish company Security Explorations. It can take a few weeks or months for a company to develop, test and publish a security patch, as developing a fix sometimes requires extensive testing to ensure that no new faults or malfunctions are introduced by the changes. One of the questions that will arise is the right number of months between awareness and publication of a patch.
  • 30/08/2012, to date, Oracle has yet to publish any warning about this vulnerability and is not publicly commenting on the situation:

Something is wrong within the IT security world

This recent sequence of events demonstrates that something is not being managed properly in terms of vulnerability disclosure and security patch management:

  • one security company publishes short but precise enough information about a vulnerability being exploited live, at a scale that still needs to be documented,
  • a few hours later, researchers are eager to publish, almost racing to be the first to release working proof-of-concept code, thanks to the elements released by said company,
  • one software publisher does not communicate to the public on the measures it intends to take immediately or in the near future,
  • a few hours later, the proof-of-concept code is introduced into the malicious exploit platforms used by criminal groups,
  • very quickly, victims are exploited on a massive scale, especially to disseminate ransomware and other banking malware, which are particularly active at the moment.

It is high time that security professionals agree on proper procedures for the responsible, coordinated disclosure of vulnerabilities (developers as well as security researchers are concerned). It is likely that more than 100,000 euros have already been diverted from victims around the world through the use of upgraded malicious exploit kits (it is still difficult to evaluate the share of victims who are specifically attacked thanks to this vulnerability, but 100 K€ is the average income generated in a few days by such botnets and there are dozens of them running in the wild), and the numbers will keep rising as there is no visibility on the availability of a security patch. Moreover, since Monday, thousands of IT systems managers around the world are scratching their heads over how to secure their networks and exchanging scripts to quickly disable Java 1.7 on their users’ systems.

What can I do now?

On a personal computer, it is likely that you do not need Java very often, even if it is sometimes necessary for certain applications available online. It is therefore reasonable to consider disabling Java on the computer, at least if you are using version 1.7.

Many sites explain the procedure, such as this one. You can prevent this type of attack and many more by installing security extensions such as NoScript (http://noscript.net/ for Firefox; NotScripts or ScriptNo for Chrome), which give you strict control over which sites are allowed to run scripts on your computer, as well as over launching Java modules from a web page.

In corporate environments, many may still be using the previous version of the Java engine, which certainly has other vulnerabilities but may be mandated by applications used internally. If Java is not required in your business, it now seems urgent to disable it to avoid incidents. Note that the attack is delivered through the browser plug-in: disabling Java in browsers only is enough to block drive-by exploitation while leaving stand-alone Java applications running. If Java 1.7 is required in your environment, there are unofficial patches that may help you.
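As an added example, not from the original post, and serving both this post and the April 2013 one above: a small Python script of the kind the systems managers mentioned above were exchanging. It parses `java -version` banners, classifies each JRE against the update that carries the fix, and lists the hosts that still need attention. The fix levels in the table (7u7 and 6u35 for the August 2012 release, 7u21 for CVE-2013-2423) are my own assumption and are not stated on the page; the host names and banners are constructed sample data.

```python
import re
import subprocess

# Minimum updates that carry the fixes discussed on this page. These numbers
# are an assumption of this example, not something the page states: Java 7
# Update 7 and Java 6 Update 35 for the August 2012 release, Java 7 Update 21
# for CVE-2013-2423.
FIXED_UPDATE = {
    "CVE-2012-4681": {7: 7, 6: 35},
    "CVE-2013-2423": {7: 21},
}

# First line of `java -version`, e.g.  java version "1.7.0_06"
# (OpenJDK 6/7 builds of that era print the same "java version" banner).
BANNER_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, e.g. (7, 6),
    or None when the banner is not recognised (no Java, garbage, new format)."""
    m = BANNER_RE.search(banner or "")
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def status(banner, cve):
    """Classify one JRE banner against the fix for `cve`:
    'patched', 'vulnerable' or 'unknown' (unparseable banner, or a branch the
    table does not cover, which an admin should then look at by hand)."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    fixed = FIXED_UPDATE[cve].get(major)
    if fixed is None:
        return "unknown"
    return "patched" if update >= fixed else "vulnerable"


def triage(banners, cve):
    """banners: host -> banner. Return the sorted hosts that still need action,
    'unknown' included, since an unparseable inventory entry is not evidence
    that the host is safe."""
    return sorted(host for host, banner in banners.items()
                  if status(banner, cve) != "patched")


def installed_banner(java="java"):
    """Run `java -version` locally; the JRE prints its banner on stderr.
    Returns None when no java binary is on the PATH."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


# Constructed sample banners, as an inventory script might have collected them.
SAMPLE_FLEET = {
    "pc-01": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)',
    "pc-02": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
    "pc-03": 'java version "1.6.0_33"',
    "pc-04": "bash: java: command not found",
}

if __name__ == "__main__":
    local = installed_banner()
    print("local JRE:", status(local, "CVE-2013-2423") if local else "no java on PATH")
    for cve in FIXED_UPDATE:
        print(cve, "needs action on:", triage(SAMPLE_FLEET, cve))
```

Feed it the banners your inventory tool already collects and the list it returns is the set of machines to patch or to have Java disabled on; treat the 'unknown' entries as work to do, not as good news.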

And as a final notice, keep informing yourself and sharing that information!

Torpig : visit of a botnet

French version of this article.

Tor-pig?

No, I am not going to tell you yet another story about swine flu. Researchers from the University of California, Santa Barbara have published a report on their findings after temporarily taking control of the command system of the Torpig botnet.

This botnet is made up of victims of a piece of malware (Torpig/Sinowal/Anserin) that targets Microsoft Windows systems. According to some previous accounts it was first spotted in February 2006 (RSA says so here), or in July 2005 according to other sources. It has thus been almost four years since the birth of this trojan and it is still very active!

In the conclusion of their report, the researchers from Santa Barbara, quoted by ZDNet this week, found that this malicious software can collect millions of passwords and thousands of credit card numbers or bank account credentials in a ten-day period. They maintain a project web page.

This is a new example of the techniques that are necessary today to collect information about these botnets efficiently: penetrating their command centres. Today, such methods of collecting evidence remain illegal in Europe (and even research conducted in this manner could be questioned).

A 1.9 million zombie botnet revealed – need for new methods

French version of this article.

Finjan revealed yesterday the existence of a botnet with over 1.9 million infected machines.

The command & control (C&C) server of this network has been located in Ukraine and, according to the data collected by the people at Finjan after infiltrating this C&C server, it could be managed by a group of six people.

On Finjan’s blog, screenshots of the web interface to this C&C are shown. The Trojan horses installed through this botnet have a variety of functionalities: “read email address and other details from the infected computer; communicate with other computers using HTTP protocol; execute a process; inject code into other processes; visit websites without end-users’ consent; register as a background service on the infected computer and a few dozen other commands.”

Finjan also counted the share of infected machines worldwide: US / 45%, UK / 6%, Canada / 4%, Germany / 4%, France / 3%, others / 38%. That would make a total of 60,000 victim machines in France alone… It would seem that the infected computers are running Windows XP.

Once again, it is shown here that to fight this type of cybercrime, it is essential to collect evidence by infiltrating suspects’ computer systems. And investigative services do not have such legal powers in France. It is not even certain that we would be allowed to present evidence collected in this manner by private entities in order to bring the suspects to court. As Joe Stewart pointed out at the RSA conference this week in San Francisco, it is high time that the methods used to fight this new type of online criminal activity were adapted to the challenge, not only on the industry side but also in partnership with law enforcement and the justice system, to put an end to the activities of such criminal groups.

11 month sentence for a juvenile cracker

French version of this article.

Worcester

Aged 17 today, a young boy from Worcester, in the Boston area (Massachusetts, USA), was sentenced last week to 11 months of imprisonment in a juvenile detention centre.

He was found guilty of hacking into corporate computer systems, making hoax 911 calls that led to SWAT team responses, and using stolen credit card numbers to buy goods. All these offences were committed between November 2005 and May 2008.

The suspect, known under the screen name DShocker, decided to plead guilty and was originally facing a maximum sentence of 10 years in prison. In France, although as a minor he might not have faced imprisonment, the maximum penalty for similar actions would be 5 years in prison and a €75,000 fine (articles 323-1 to 323-7 of the penal code).

Covert Internet investigations : first cases

French version of this article.

Instant messengers: where many predators lure their victims

There have been many reports in the news today about the first successful uses of the new cyberpatrolling powers authorised last week by French legislation. The Bobigny prosecutor chose to communicate about a specific case that was brought forward by the specially trained gendarmes of the cybercrime division of the STRJD in Rosny-sous-Bois.

French readers can visit this article on 01Net: La gendarmerie arrête un pédophile en s’infiltrant sur un forum (the gendarmerie arrests a paedophile by infiltrating a forum).

As I was explaining a few days ago, this is not about undercover operations but, more properly, about covert Internet investigations.

Some might wonder about the need to communicate this much around this specific case. Actually, it is not about exposing police methods, but about sending a clear message to online predators of children in chatrooms, forums, etc. that they can no longer wander around unpunished, to reinstate what we call in French the peur du gendarme (fear of the gendarme).
