The main headline story on the BBC tonight is:
People have two weeks to protect themselves from 'powerful computer attack'
We need to watch out for headlines like this. Without supporting reasons, it makes little sense to the general public, and can end up scaring people who have little idea of how these threats actually work. The quote leaves more questions open than it closes, such as: where did the “two weeks” come from?
In fact the Zeus botnet infrastructure has been around for quite a while, happily gathering information on users. So the shocking headline seems to imply that something big is happening, that it can only be constrained for two weeks, and then it’ll explode. I think the headline feels like we are being told that a bomb is going to go off in two weeks, and you’ve got that time to get protection in place.
In this case, the Zeus bomb, and all the associated botnets, went off some time ago, and there’s very little that can be done about stopping them. The key thing is that users look after themselves better on-line, and not that there is a single piece of software that can thwart all the Zeus-related threats. As long as there is one unpatched Windows XP system around, there’s a hiding place for a bot. As these bots use peer-to-peer systems to find their master, the botnet master can appear anywhere, and rally the troops for their harvesting exercises. So grabbing hold of a few bot masters, and strangling them, is not really going to cause any long-term damage to the infrastructure. In fact, it almost feels like the Internet is becoming alive, with its own in-built eco-system.
While Heartbleed was real and new, the threats from the Zeus botnet are not actually new. When it comes down to it, on the Internet the true threats are the well-known vulnerabilities that are fixed by users patching their systems, not necessarily by people rushing to update their virus scanners. Patch your system, and you are much less exposed than if you merely update your virus scanner.
So the threat is not a new one, and the “two weeks to an explosion” is really not precise. A stronger message would be to define what a user should look for in a phishing email – don’t click on links in HMRC emails – and to patch your system. In fact, don’t click on any email links unless you know they are fully trusted.
The powerful attack that is coming in two weeks is actually mainly related to phishing emails that request that you submit your tax return online. When you click on the link, there’s a PDF, a Flash file or a Java program, which exploits your system by running some code, and then dials back to the main botnet controller, which downloads the latest data harvester for your machine. Not clicking on the link in the first place protects you, and if you are stupid enough to click on it, then a patched system will often stop the exploit from working … but I suppose these pieces of advice would not make it into the BBC headline news …
Experts warn against clicking on a link that looks dodgy
Users should update all their Adobe software as soon as possible
doesn’t quite feel as satisfying as:
You have two weeks to get yourself ready, or you'll pay for it.
Many will feel that when they wake up in two weeks’ time and switch on their computer, everything will be exposed to the World … well, we told you so! In a world where we have created the most inclusive technology ever, we want to engage rather than frighten, and educate rather than overrule. I see that ISPs are detecting infections on their clients’ machines, which is a great step forward, but where is the boundary drawn in detecting a whole lot of other things?
The Internet is filled with Botnets
The actual story is about Evgeniy Bogachev being charged with the creation of the Zeus botnets and the associated exploit kits. These botnets and the associated Cryptolocker ransomware have been running happily on the Internet for quite a while now. If you look at any Internet traffic, you’ll find a whole lot related to botnets, which are blindly harvesting data from across the Internet. While the taking over of the botnet is good, the botnets have been used for many years, going up and down, with very little that can be done. As long as we have unpatched systems, we’ll have botnets.
Here’s a part of the log from my own Web site, and you can actually see a botnet searching for the resolution of domain names to IP addresses, even though the page returns a 404 error. The bot blindly keeps trying to gather its information.
2014-06-02 00:00:06 10.185.7.7 GET /ip/whois site=derrickcarter.com 80 - 18.104.22.168 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 46
2014-06-02 00:00:08 10.185.7.7 GET /ip/whois site=exkr.com.ua 80 - 22.214.171.124 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 265
2014-06-02 00:00:11 10.185.7.7 GET /ip/whois site=paulrevereradio.com 80 - 126.96.36.199 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171
2014-06-02 00:00:14 10.185.7.7 GET /ip/whois site=paulrevereradio.com 80 - 188.8.131.52 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155
2014-06-02 00:00:20 10.185.7.7 GET /ip/whois site=lycee-technique.mc 80 - 184.108.40.206 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 530
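To make the pattern in that excerpt concrete, here is a small Python detector, added for this post rather than taken from it, that parses IIS W3C extended log lines (the field order is assumed from the excerpt) and raises an alert when many different client addresses sharing one User-Agent string hit the same path with 404s inside a short window. That shape, identical client fingerprint and identical request from many source addresses, is what a botnet probing a single endpoint looks like from the server side. The sample input is the five lines quoted above.

```python
"""Detect a distributed bot probe in IIS W3C extended log lines.

Added example for this post (not the post's own code). The W3C field
order below is assumed from the quoted excerpt.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sample input: the five log lines quoted in the post, one record per line.
SAMPLE_LOG = """\
2014-06-02 00:00:06 10.185.7.7 GET /ip/whois site=derrickcarter.com 80 - 18.104.22.168 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 46
2014-06-02 00:00:08 10.185.7.7 GET /ip/whois site=exkr.com.ua 80 - 22.214.171.124 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 265
2014-06-02 00:00:11 10.185.7.7 GET /ip/whois site=paulrevereradio.com 80 - 126.96.36.199 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 171
2014-06-02 00:00:14 10.185.7.7 GET /ip/whois site=paulrevereradio.com 80 - 188.8.131.52 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 155
2014-06-02 00:00:20 10.185.7.7 GET /ip/whois site=lycee-technique.mc 80 - 184.108.40.206 Opera/9.80+(Windows+NT+6.2;+Win64;+x64)+Presto/2.12.388+Version/12.16 404 0 0 530
"""

# Assumed W3C extended field order (IIS default-style):
#   date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
#   c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
# IIS replaces spaces in the User-Agent with '+', so whitespace splitting is safe.
@dataclass(frozen=True)
class Request:
    ts: datetime
    client_ip: str
    path: str
    query: str
    user_agent: str
    status: int


def parse_w3c_line(line: str):
    """Parse one record; return None for header/comment or truncated lines."""
    if line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 14:
        return None
    ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
    return Request(ts, fields[8], fields[4], fields[5], fields[9], int(fields[10]))


def parse_log(text: str):
    return [r for r in (parse_w3c_line(line) for line in text.splitlines()) if r]


def find_distributed_probes(requests, min_requests=5, min_clients=3,
                            window=timedelta(seconds=60)):
    """Group 404s by (User-Agent, path) and slide a time window over each group.

    Alert once per group when some window holds at least `min_requests`
    requests coming from at least `min_clients` distinct client addresses.
    """
    groups = defaultdict(list)
    for r in requests:
        if r.status == 404:
            groups[(r.user_agent, r.path)].append(r)

    alerts = []
    for (ua, path), reqs in groups.items():
        reqs.sort(key=lambda r: r.ts)
        j = 0
        for i in range(len(reqs)):
            j = max(j, i)
            # Extend the window end while the next request is still within range.
            while j + 1 < len(reqs) and reqs[j + 1].ts - reqs[i].ts <= window:
                j += 1
            in_window = reqs[i:j + 1]
            clients = {r.client_ip for r in in_window}
            if len(in_window) >= min_requests and len(clients) >= min_clients:
                alerts.append({
                    "user_agent": ua,
                    "path": path,
                    "first_seen": in_window[0].ts,
                    "last_seen": in_window[-1].ts,
                    "requests": len(in_window),
                    "clients": sorted(clients),
                    # the probed domain names carried in the query string
                    "targets": sorted({r.query.split("=", 1)[-1] for r in in_window}),
                })
                break  # one alert per (User-Agent, path) group is enough
    return alerts


if __name__ == "__main__":
    for alert in find_distributed_probes(parse_log(SAMPLE_LOG)):
        span = (alert["last_seen"] - alert["first_seen"]).total_seconds()
        print(f"{alert['path']}: {alert['requests']} x 404 from "
              f"{len(alert['clients'])} clients in {span:.0f}s; "
              f"targets={alert['targets']}")
```

Keying on the User-Agent plus path rather than on the source address is what catches this traffic: every request comes from a different client, so a per-IP rate limit never fires, while the shared fingerprint gives the group away. Thresholds are deliberately low for the five-line sample and would be tuned against a real site's baseline.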
Will I get infected?
The old-fashioned worms and viruses have a lot to answer for. The way the headline puts it is that we are going to get hit, no matter where we are, and it’s coming to get us just by connecting to the Internet. This is far from the truth, as it is normally the users who infect themselves, through sloppy practices. Continually we see phishing email, and most people can now spot these a mile off. A strange thing is that our spam checkers often let these through, as they often carry the email address of a person who might actually know you.
Figure 2 shows some of the main classifications for malware. In times gone by you switched your computer on, and if someone on the network had been infected, there was a good chance that you were too. But it’s not really like that now, as the vector of infection tends to be a phishing email with a link to follow, or a piece of software you install that has a trojan in it. So the ransomware people will try to scare you with messages that say your system has been locked in some way.
Figure 2: Malware classifications
Figure 3 shows one of the easiest ways to extort money from the user, using the method of authority. You will see that they have captured an IP address, which makes it look like a serious method of detecting criminal activity. Then we see pictures of a senior police officer and the Queen, with links to pay by direct payment (kash and paysafecard). It almost feels like some Big Brother world, where Big Brother is watching, and you must pay a fine for every crime you commit.
The other method that the scammers use is to send you an email with a link for you to click on. Many users are now aware of attachments, and tend to avoid them. A link, though, such as to a PDF document or Web page, is now the vector of choice within a phishing email. As we will see in the next section, the three main culprits here are vulnerabilities in unpatched systems, which allow a script to run on the computer and thus download the bot through a backdoor connection. Once in, it keeps itself resident by adding itself to the start-up registry key.
Figure 3: You’ve been bad!
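The start-up registry key mentioned above is also where a defender goes looking. The following Python script is an added example (not the post’s own code): it parses a Registry Editor export of the HKCU Run key and flags entries whose executable lives in a user-writable staging folder such as Temp, or which are launched through a script host or proxy binary rather than as a program in their own right. The export text, the entry names and the paths in it are constructed for the example, and the staging-directory and script-host lists are assumptions a practitioner would tune to their own estate.

```python
"""Triage an exported HKCU Run key for suspicious autorun entries.

Added example for this post (not the post's own code). The .reg text,
entry names and paths below are constructed; the heuristics are assumed.
"""
import re

# Constructed .reg export: a normal OneDrive entry, a Windows entry that uses
# an environment variable, and two invented entries shaped like bot persistence.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svhost32"="C:\\Users\\alice\\AppData\\Local\\Temp\\svhost32.exe"
"Updater"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\upd.vbs\""
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

# "name"="value" lines of a .reg export; backslashes and quotes are escaped with '\'.
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Assumed heuristics: interpreters/proxies that run arbitrary payloads, and
# directories an unprivileged user (or a dropper) can write to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\",
                "\\downloads\\", "\\users\\public\\")


def parse_run_key(reg_text: str) -> dict:
    """Return {value name: unescaped command line} for entries under a ...\\Run key."""
    entries = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.lower().endswith("\\currentversion\\run]")
            continue
        m = REG_VALUE.match(line)
        if in_run_key and m:
            # Undo .reg escaping: '\\' -> '\' and '\"' -> '"'
            entries[m["name"]] = re.sub(r"\\(.)", r"\1", m["value"])
    return entries


def command_executable(command: str) -> str:
    """Pull the program path out of a command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def audit_run_entries(entries: dict) -> list:
    """Return (name, executable, reasons) for each entry that trips a heuristic."""
    findings = []
    for name, command in entries.items():
        exe = command_executable(command).lower()
        # Resolve the two common system-root variables so path checks still work.
        exe = exe.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")
        reasons = []
        if exe.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            reasons.append("launched via a script host or proxy binary")
        if any(d in exe for d in STAGING_DIRS):
            reasons.append("executable lives in a user-writable staging directory")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in audit_run_entries(parse_run_key(SAMPLE_REG)):
        print(f"[SUSPECT] {name}: {exe} -> {'; '.join(reasons)}")
```

Working from an export keeps the check offline and repeatable across many hosts, and the same heuristics apply to the HKLM Run and RunOnce keys if the export covers them. Anything flagged is a lead to verify (publisher signature, file hash, creation time), not a verdict: legitimate updaters do occasionally run scripts from a profile directory.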
The real threats – unpatched systems!
The problem often comes from three major threats: CVE-2013-5331 (Adobe Flash), CVE-2007-0071 (Adobe PDF) and CVE-2013-1723 (Java). If a user has an unpatched system, they can be exposed to each of these vulnerabilities. The threats are fairly easy to implement for script kiddies using exploit kits such as Phoenix, which has all the scripts required to create the documents and code needed to exploit the user’s machine (Figure 4). The Zeus botnet makes use of these vulnerabilities to harvest data from the user’s machine and gather it within its network, where the user’s machine becomes a client for gathering information. This can include screen captures of users entering their password characters when they log into their bank account. The paper published on this goes back to 2011, when a university academic group managed to take over the Zeus network and analysed the usernames, passwords and credit card details of users. With the latest threat, we are told that someone, somewhere is holding back the tide, that they can only do this for two weeks, and then it will be unleashed. I think this could be hype, especially to gear up activity within the security community.
I personally feel there is a great deal of hype, and so many “experts” are rolled out to scare us all; the OpenSSL hype showcased how naive the broadcast media can be about security threats. “Change your password now…” was the message, which was basically very bad advice, especially on unpatched systems. Basically it was saying: go ahead and change your password, while someone might be watching you change it. So while the OpenSSL vulnerability was real, we need to be careful with new ones, especially in articulating what is actually going on, which in this case is that one of the people responsible for the exploit kits has been arrested, and a major botnet has been taken over. Some interesting hypes are explained here.
Figure 4: The key threats
Here is a demo of exploit kits (go to 57m6s to find):
If you’re interested, Figure 5 shows the code that relates to the Phoenix Exploit kit, where the code aims to exploit a vulnerability in Adobe Reader, Adobe Flash or Java. Often it is what’s called a buffer overflow, where the coder writes into an area of memory that is reserved for something else, and causes the system to run in a different way (such as jumping out of a sandbox and into the host system). Once the script is successful, there is a dial-back to get the latest version of the bot from the command-and-control system, after which it stays resident and watches for key events, such as a bank login. All the gathered information is then sent back to the botnet infrastructure for processing at some later time.
Figure 5: Phoenix 2 Exploit kit
Don’t be frightened by the headlines, but be careful. The new threat is not new, and it won’t explode in two weeks’ time, but you are under threat, and you have been for quite a while. So don’t click on that link in your email, and watch your freeware software and all the additional software that it tries to download! I think the media need to watch that they don’t cry wolf too often and desensitise the general public. The Internet and the Cloud are two of the great things that have happened in the history of mankind, and we need to educate and inform rather than scare and frighten. While Heartbleed was truly a major problem, the hype around this one needs to be looked at carefully, and to blindly say you have two weeks to protect yourself before the dam bursts is really not useful.
Organisations such as the NCA are doing good work in disrupting crime gangs, but users too need to be part of the fight, and the broadcast media has a key role not only in alerting users to threats, but also in educating them.
So the bottom line is still … patch your system … and be safe!