28 giugno 2011

LulzSec Went After Qakbot, Mariposa Bots - Dark Reading

Had the now-defunct LulzSec hacking group had its demands met earlier this month for getting botnet intelligence from startup Unveillance, it could have wrested control of a portion of the infamous Qakbot's command-and-control infrastructure that's under the purview of the security firm.

The bots Unveillance had sinkholed are Qakbot-infected machines as well as some Mariposa-infected machines, which could have been a treasure trove of botnet firepower for the hacking group, security experts say. Qakbot is a Trojan that spreads like a worm, and its goal is to steal financial accounts and ultimately help siphon money. The botnet has been spotted on the rise, most recently infecting 1,500 Massachusetts state PCs and possibly exposing personal information of some 250,000 state residents.

Karim Hijazi, CEO and president at Unveillance, which uses sinkhole servers to pose as botnet servers that capture communique from orphaned bots, says his firm controls a large portion of the Qakbot botnet's command-and-control infrastructure via its sinkhole servers. "I believe [LulzSec] wanted it for use for a variety of reasons," Hijazi says. "Fraud, information-stealing, reverse-proxy, [etc.]."

In addition, Unveillance sinkholed some Mariposa bots, which LulzSec was also interested in obtaining. Although law enforcement controls the Mariposa command-and-control servers themselves, there are still plenty of machines worldwide infected with the bot malware. "We still see over 4 million events/communications from infected machines part of Mariposa per hour and over 100,000 unique IP addresses an hour," Hijazi says.

LulzSec wanted Mariposa for DDoS purposes, says Pedro Bustamante, senior research adviser for Panda Security. "It’s important to note that even if LulzSec [was able] to completely hack Unveillance and take over their systems, this will not have an impact on LulzSec getting access to the Mariposa botnet," Bustamante says. "The reason is that the DNS records for the Mariposa command-and-control servers are under the control of law enforcement, and are only being redirected to Unveillance for sinkholing purposes ... we can change the DNS records for the main C&C domains and point them somewhere else as to minimize the impact" of any theft of those existing Mariposa bots, he says.

Clues to LulzSec's botnet intentions began to surface last month, when Unveillance discovered some unusual traffic patterns around its network. On May 25, Hijazi noticed something funny was going on with his email account as well. "An email I saw on my phone was showing as already-read on my computer," even though he had not opened the message yet, he recalls.

Minutes later, he witnessed an email in his inbox go from "unread" to "read" and then back to "unread" again. "That was a really compelling event," he says. Between that and the unusual traffic trying to get past Unveillance's firewalls, something was definitely going amiss: "It was lockdown time," he says.

In the wee hours of the morning, Hijazi received an email with his Infragard password in the subject line, and a message asking if he wanted "to talk," and signed "Love, Friends." He gathered his team at 4:30 a.m., and they began brainstorming and shoring up security.

It wasn't until later in an online chat with the hackers that Hijazi learned what the attackers really wanted: "They ... [were] saying, 'We want your botnet information' or they would 'dox' us," he says. Among their demands was Qakbot information and its sinkholes: "They wanted [me] to convey ownership of the domain for DDoS'ing. They wanted command and control of those DDoS botnets," Hijazi says.

When Hijazi refused, they demanded money, but he replied that his firm was a start-up and didn't have any money. "On Friday, they dumped my emails online, and InfraGard was taken down," he says.

While Anonymous -- from which LulzSec originally spun off -- has been best known for using "crowdsource" distributed denial-of-service (DDoS) attacks using the Low Orbit Ion Cannon (LOIC) tool, the group also has relied on established botnets to take down websites it targets.

Meanwhile, Hijazi says the AntiSec operation headed by Anonymous is hosting a new hacker training school via an IRC chat room for new recruits. "New information about their 'new' AntiSecPro hacker training school shows intent to use the ZeuS source code to train new recruits [bot-herders] how to compile and deploy a ZeuS botnet," Hijazi says.

Aside from the Zeus training and offering source code for Zeus 2.0.8.9, the "#school4lulz" training includes language injection via HTTP, IDS evasion, SQL injection techniques, botnet C&C protocol selection, takeover mitigation, social engineering skills, war-driving, and how to find an individual's personal information online, Unveillance says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Breach Patrol: When Should Customers Be Told? - Dark Reading

  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share

  • Breach Patrol: When Should Customers Be Told?

    Speed of notifications seems to be a key question now

    Jun 17, 2011 | 02:24 PM | 0 Comments

    By Mathew J. Schwartz, InformationWeek
    Special to Dark Reading

    Dark Reading
    Are companies notifying consumers quickly enough after their personal data has been exposed via a security breach?

    The speed of such notifications seems to be a key question now. Earlier this month, the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade peppered representatives from two breached companies with questions ranging from how they'd secured their data, to how quickly they'd notified affected customers.

    Read the full article here.

    Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

    ISC Diary | Deja-Vu: Cisco VPN Windows Client Privilege Escalation

    -->

    Deja-Vu: Cisco VPN Windows Client Privilege Escalation

    -->
    Share |

    Published: 2011-06-28,
    Last Updated: 2011-06-28 20:14:39 UTC
    by Johannes Ullrich (Version: 1)

    1 comment(s)

    Cisco released earlier today a bulletin regarding a vulnerability in the Cisco VPN client for Windows 7. The vulnerability is pretty simple: The client runs as a service, and all users logged in interactively have full access to the executable. A user could now replace the executable, restart the system and have the replacement running under the LocalSystem account.

    The fix is pretty simple: Revoke the access rights for interactive users.

    The interesting part : NGS Secure Research found the vulnerability, and released the details after Cisco released the patch [1]. The vulnerability is almost identical to one found in 2007 by the same company in the same product [2]

    Very sad at times how some vendors don't learn. Lucky that at least companies like NGS appear to be doing some of the QA for them.

    [1] http://www.securityfocus.com/archive/1/518638
    [2] http://www.securityfocus.com/archive/1/476812

    ------
    Johannes B. Ullrich, Ph.D.
    SANS Technology Institute
    Twitter

    Keywords: cisco vpn
    1 comment(s)