Coming to a PC near you very soon is an innovative and possibly deadly combination of well-known exploitation techniques, emerging from the dark side of the Internet. What makes this new attack so innovative are the targets: Internet security information and research Websites. Hackers in the last week have been creating exact clones of Internet security Websites, using proxies, DNS (Domain Name System) spoofing or redirection, and distributed denial-of-service (DDoS) attacks.
It should not surprise anyone to realize that Internet security research sites, forums, and information Websites are attacked on a regular or even daily basis. Mostly it is nuisance spam, bogus log-in attempts, or hack attempts to gain entry to the administrator side, and in more intense cases, DDoS.
But this cloning approach only came to light in the last week. To begin with, I discovered purely by accident an exact clone of my HostExploit Website. After further investigation, I found this was not an isolated case: one server was hosting clones of security sites including avertlabs.com (McAfee), isc.sans.org, milw0rm.com, nmap.org, packetstormsecurity.org, secunia.com, securiteam.com, securityfocus.com, securityreason.com, thedarkvisitor.com, www-935.ibm.com (IBM), and xforce.iss.net (IBM).
In itself, this was a worrying discovery, even if viewed simply from the angle of content theft, hijacked traffic and click-throughs, SSL forgery, harvested PayPal details, and RSS links of relatively high-traffic security sites. However, in parallel with the emergence of these clones, starting on Friday and continuing over the weekend, several of the real sites that had been cloned, plus a few others -- Metasploit, Zone-H, and Kaspersky -- came under hacking or DDoS attack, and in some cases a mixture of the two. A couple of sites were completely unavailable for a day or so, and one or two are still under continuous DDoS attack.
Working off limited data from server logs and network traffic, at least a couple of the attacks originated from Poland (AS5617 TPNET); Romania (AS9050 Romtelecom, AS39650 VIANET); Russia (JSC servers funneled via RTcomm, and Rostelecom via AS9002 RETN); and Turkey (AS9121 TTNet, AS8386 KOCNET). Many of these networks appear regularly on the lists of the worst European offenders for hosting spam and exploits compiled by the German-based anti-spam service UCEprotect.
I must emphasize here that there is no proven link between the appearance of the clones and this weekend's attacks. It could be a simple coincidence, but, as Edmund Burke said, "Better be despised for too anxious apprehensions, than ruined by too confident security."
In any event, if hacking and DDoS took the real security Websites offline, the only source still available could be the clones. It is then a simple step, by DNS redirection, planted cookies, and other exploits, to ensure that visitors go to the false, cloned sites and keep coming back to them.
Consider the mayhem that could be caused by serving bad file downloads and misinformation through these sorts of exploits, botnets, and spam, or even by distorting the core news and advisories that this sector, its enterprise customers, and the press depend upon. Worst of all, even without any changes from the real sites, the data gathered from all those misdirected, security-minded visitors would be hugely valuable.
The intended outcome of the attacks and the clones is presumably to damage reputations, create distrust, and ultimately make it easier for cyber-criminals to operate. The good news is that, thanks to swift action, the discovered clones and the hacker sites serving them are offline. For now. This is certainly not the last we will see of this approach.
— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com
This blog is part of Internet Evolution's Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations.
Wow, after reading a little on this DNS, ahh stuff, this is amazing…scary…and SAD. DNS issues were reported on back in 1993, officially recognized somewhere around 1996 per Dan Kaminsky, (<<<<< Good video there), then brushed under the rug! Now the state of DNS patching (based on Nov 2008 report) isn’t good…Whither the Internet, the Internet limping along on a crutch, or is the Internet a microcosm of humanity – imperfect people, creating imperfect technology, on the fly, putting the horse in front of the cart. Then the bamboozled hordes of people drop the reins & cover their eyes hoping that the wild team of horses pulling the wagon - or the wagon pulling the horses - doesn’t go off the cliff!
Tell me this isn’t a war against ourselves folks. Tell me it’s all Microsoft’s fault, tell me UNIX/Linux/MAC will save us, tell me Best Practices are done everywhere, or are even done at-fricken-all, tell me I.T. support people and I.T. managers REALLY know what they are doing and are properly trained, tell me people writing software and the managers wanting to get the software RUSHED to market w/o fully testing it actually care about its security, go ahead & tell me there is actual accountability - anywhere, tell me people are led by “LEADERS” properly, tell me people are motivated to “Do a good job” and be “Conscientious” and “CARE about their work”, and tell me corporate and home computer end users actually know what they are doing or are properly trained, tell me whistleblowers are protected so that CHANGE, REAL change can occur with all of these SEVERE data breaches. All this data/computer security, or lack thereof, could be construed as a certified mess or just a lot of bullsh1t if you really sat down and thought about it or drew it all out on a whiteboard. A bad situation reminiscent perhaps of the global financial/credit crisis? Assume the crash position (tongue in cheek).
"Yes, the good old botnets...Grandma and the Porn ring. Pirated copies of Windows that are unpatchable, legal copies that are not patched, pirated copies of software that are susceptible to malware, illegally downloaded copies of software with Trojans inside, Trojans that went undetected for years...Bot-Nets here to stay...?"
ISPs should include a specification in their user AUP concerning infected computers. If your computer is infected, get help or you may invalidate your AUP.
let me add the note that DDoS attacks are often staged using bot-nets -- which operate using malware that has been put onto unsuspecting good people's computers
and if we mount a grass-roots Safe-Computing train the trainers campaign as I've mentioned below, that combined with a little follow on help from Microsoft's MSRT we may be able to plug up the leaks and bail this thing out
Our sister site, security pub Dark Reading, reports that the dedicated denial-of-service attacks going on in parallel to these cloning attacks hit more widely than originally thought. Metasploit and Immunity were hit, as were Packet Storm and Milw0rm -- both of which were part of the cloning attacks Jart Armin reports here, lending credence to his suspicion there's some kind of link or coordination between the clones and DDoS attacks.
I think a grass-roots, train-the-trainers campaign directed at teaching everyone to teach safe computing can probably do more to kill malware and spam than we might ever imagine.
people do not like to be preached to or learned nothin' but if you can show them how to become teachers they are much more likely to be helpful
Looks like the "HUMANS" running/monitoring these DNS systems still need a wet 2"x4" upside their heads! This is sad, the state of DNS still has issues, lousy patching practices, poor methodology. Besides inherent flaws in systems designed by humans, I still seem to think that people are ignoring the obvious here - most of Security issues are the result of the human factor, lazy users, lazy, lousy I.T. support, worst practices, faulty designs in software, hardware, transportation mechanisms. Even worse, after actually doing DNS patching, issues STILL exist with "Man in the Middle" attacks.
more than likely the single most important thing we can all do to promote safe computing is to simply learn to use the tools available now
Lesson (1) If you connect an un-protected computer to the 'Net it will get infected in a matter of minutes ( I've tried this myself )
Lesson (2) To prevent infection install a quality anti-virus package with firewall before you put the computer online
Lesson(3) Practice safe computing: most malware is distributed via "social engineering": hackers tricking users into clicking. DO NOT CLICK-UPDATE ANYTHING EVER NOTIME NEVER NO-HOW. Always go to the site that distributes the software you want, download it deliberately and then apply the update
Lesson(4) keep your computer updated. Second Tuesday each month is Patch Tuesday. Click on Tools, then Windows Update and take the express option. Better yet switch automatic updates on in your Control Panel
Do your best to get your friends, family, & associates to also become teachers. The more people we have just doing these 5 simple things the more we will reduce malware.
A bot-net kill was distributed by Microsoft with the MSRT included in Feb.10th updates. I expect more to follow but it is our job to plug the leaks so MSRT can bail us out. Cleaning up the bot-nets will clean up the spam.
Amendment(1) Before you buy, download, or install: Do not ever take anyone's word that they have a good program. Always go google anyone who wants to sell you anything: find out if there is any information out on that company or product.
"Yahoo site came up with an invalid security certificate"
the intent here is that INVALID CERTIFICATE means: you are not connected to the site you meant to connect with. this would indicate you are being "spoofed" (possibly by someone playing games in a DNS server )
Is the SSL mechanism reliable? Can we count on it, both when it indicates we have a secure connection and also when it reports an error?
It's what we have and our best response I think is to insist on it working properly.
When you get a certificate error: 1. immediately terminate your browser using the task-manager, and re-start your computer. 2. GOOGLE the site you are trying to connect with to see if there are any bulletins out 3. if you have a service agreement with the site you are trying to connect with call their help desk and report the problem.
one of the issues we all have at hand today is: do i have a good set of certificates in my browser? Click tools,options,advanced,view certificates (FireFox browser*). you will see an ugly list of certificates. are they valid? how would you know?
You should have one (1) certificate that has implicit trust and this one should be issued by the computer OEM. That certificate is then used to authenticate various Certificate Authorities such as VeriSign, Thawte, et al., which in turn are used to authenticate certificates for various sites you might want to communicate with.
you can't very well trace all that stuff manually so you depend on the security software in your browser to do that for you which is all well and good so long as your browser is not compromised, or your operating software ...
see what I mean: Security is like a balloon? a tiny pin-prick and - pop! it s gone; you are hacked. to win at security you must win by a complete shut-out.
*for ie.8 : tools,internet options,content,certificates,certification authorities ( two tabs )