WSJ-WP-NYT Re-Tell ZeuS Infection for The Masses

February 18, 2010

WSJ, WP, and NYT Re-Tell ZeuS Infection for The Masses.

In a trio of stories today, the Wall Street Journal, the Washington Post, and the New York Times may have created some traction where corporate security staff have been struggling.  I am certain that many information security leaders in the financial services industry have fallen short in attempts to effectively describe the complexity of the attacks against our organization.  These three versions of the same story may have broken through…

Sure, from the perspective of an IT or information security professional they were a little off on some of the facts, and didn’t include some of what might seem like the most telling technical details, but they just might have gotten through.  For that they deserve some attention.  If you have not done so already, I strongly recommend passing the stories along to leaders in your organizations.  Or better — write your own summary of the source material from NetWitness and ship it as the cover letter to introduce the links.

The botnet discovered by NetWitness is not unique.  Cisco Systems documented the state of Zeus botnets in their 2009 Annual Security Report — mentioning that the Zeus Trojan infected 3.6 million computers worldwide by October 2009.

So what else will you find in the NetWitness report?

The Zeus code was delivered by obfuscated executables.  NetWitness wrote that “this particular malicious executable had less than a 10 percent detection rate among all antivirus products and the botnet communication was not identified by existing intrusion detection systems.” (page 3)

The overwhelming majority of compromised PCs were running Windows XP Professional SP2, with Windows XP Professional SP3, Windows XP Home Edition SP3, and Windows XP Home Edition SP2 (together amounting to more than 95% of all infected PCs). (page 5)

“The data we analyzed contain over 68,000 stolen credentials during a 4-week period.” (page 5)  The data included 75GB representing only a one-month snapshot from an attack that has lasted more than a year.

Not only were 68K username/password pairs stolen, NetWitness wrote that “the ZeuS Trojan allows for the theft of any file that is resident on an infected system, and a common target for this capability are encryption certificates used for access to banking, corporate VPN and other sensitive systems.  There were 1972 unique certificates files in the data set.” (page 6)  So, in nearly 2000 cases, the combination of a login credential and a certificate that identified the corresponding user’s PC were stolen.  Remember the “something you know plus something you have” requirement of entry-level strong authentication: this was a material loss for some number of targeted organizations.

They reported that the most recent activity seemed to have been directed at stealing credentials used with financial services organizations…  “The infected machines were simply scraping information when users communicated…” with the sites listed.  Web sites for most of the major global financial services organizations are listed as being specifically targeted by this attack, including, but not limited to: Citibank, HSBC, Suntrust, Bank of America, Wells Fargo, e-gold, US Bank, TD Canada Trust, National City, Citizens Bank, S3, WaMu, Wachovia, Chase, Barclays, Lloyds, Paypal, and many more.  (see pages 6-7 for the list)

“The attacks are continuing and corporate losses are still being compiled, said Tim Belcher, chief technology officer at Herndon, Virginia-based NetWitness Corp. ” (Jeff Bliss, Business Week)

A range of reporting supports the view that login credentials have material monetary value in the criminal underground, and, using this story as an example, criminals are using sophisticated techniques to steal users’ security phrases and corresponding answers as well.

This attack was based on a foundation of luring unsuspecting employees at targeted firms into downloading malicious applications from sites that are either controlled by the hackers or legitimate sites that have been compromised, or by coaxing the users into opening e-mail containing malicious attachments or links to the same (see my discussion of this topic earlier this month).

What can we do?  The usual measures…

  1. Set up users with least privilege on all platforms.
  2. Employ up-to-date AV with heuristics enabled on PCs and on email choke points, and on web proxies.
  3. Ensure that multiple layers of controls are enabled on network-edge web proxies.
  4. Confirm that application security considerations are baked into the full software development life-cycle.
  5. Write and enforce the use of
    1. Minimum security (configuration) standards,
    2. Aggressive vulnerability assessments,
    3. Ongoing configuration monitoring and
    4. Fine-grained configuration management.
  6. Configure enough event logging, and then
    1. Maintain effective event correlation & analysis,
    2. Alarming, and
    3. Multi-level reporting and
    4. Trending.
    5. May also need new categories of monitoring, correlation, alarming, and reporting — for example, excessive login attempts (failed and successful).
  7. Comprehensively protect “internal” identities (user name/password pairs, digital certificates, and anything else used to identify your user base).
  8. Resist the use of internal identities in uncontrolled environments where they are much more likely to be stolen.  This may take some planning and organized roll-out if you have this issue already.
  9. Integrate employee background checking and monitoring into HR processes.
  10. Consider investing in DLP technology.
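Item 6 above calls for a new category of monitoring: excessive login attempts, counting successful ones as well as failures. The script below is an added example (not from the post) that runs that check over a few constructed audit-log lines; the log format, user names and thresholds are assumptions, and the conventional failed-only counter is included to show what it misses once credentials have been stolen.

```python
# Added example (not from the post): flag "excessive login attempts (failed and
# successful)" per account within a sliding window, over constructed log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO timestamp> <user> <source_ip> <result>"
SAMPLE_LOG = """\
2010-02-18T09:00:01 alice 10.1.1.5 SUCCESS
2010-02-18T09:00:05 bob 10.1.1.9 FAILURE
2010-02-18T09:00:07 bob 10.1.1.9 FAILURE
2010-02-18T09:00:09 bob 10.1.1.9 FAILURE
2010-02-18T09:00:11 bob 10.1.1.9 SUCCESS
2010-02-18T09:00:12 bob 10.1.1.9 SUCCESS
2010-02-18T09:00:13 bob 10.1.1.9 SUCCESS
2010-02-18T09:05:00 dave 10.1.2.3 SUCCESS
2010-02-18T09:05:10 dave 10.1.2.3 SUCCESS
2010-02-18T09:05:20 dave 10.1.2.3 SUCCESS
2010-02-18T09:05:30 dave 10.1.2.3 SUCCESS
2010-02-18T09:05:40 dave 10.1.2.3 SUCCESS
"""

def parse_line(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result

def excessive_logins(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {user: peak attempts in any window} for accounts at or over the
    threshold.  Every attempt counts, failed or successful: once credentials
    are stolen, a burst of successes is the signal, not failures."""
    recent = defaultdict(deque)
    peaks = {}
    for line in log_text.strip().splitlines():
        ts, user, _src, _result = parse_line(line)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks

def failed_only(log_text, threshold=3):
    """The conventional failed-attempt counter, for comparison: it never sees dave."""
    fails = defaultdict(int)
    for line in log_text.strip().splitlines():
        _ts, user, _src, result = parse_line(line)
        if result == "FAILURE":
            fails[user] += 1
    return {u: n for u, n in fails.items() if n >= threshold}
```

On the sample log, the windowed check flags both bob (failures followed by successes) and dave (successes only), while the failed-only counter flags bob alone.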

What did you think was the most important message of the NetWitness-based reporting?


“Broad New Hacking Attack Detected — Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running.” By Siobhan Gorman, Feb 18, 2010 (with an excellent supporting illustration).

“More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says.” By Ellen Nakashima, Feb 18, 2010.

“Malicious Software Infects Computers.” By John Markoff, Feb 18, 2010.

The source report: “The ‘Kneber’ BotNet — A ZeuS Discovery and Analysis.” NetWitness, Feb 17, 2010.

“Cisco 2009 Annual Security Report.” Cisco Systems (summary and full report).

“Newly Discovered Zeus Spinoff Botnet has Wide Impact.” By Angela Moscaritolo, Feb 18, 2010.

“Over 75,000 systems compromised in cyberattack.” By Jaikumar Vijayan, Feb 18, 2010.

“Global Hackers Breached 2,400 Companies, Security Firm Says.” By Jeff Bliss, Feb 18, 2010.


HTML 5 – Persistent Offline Storage As A Risk Management Challenge

February 7, 2010


I just watched an excellent Shmoocon presentation by Michael Sutton called, “Pulling The Plug — Security Risks in Next Generation Offline Web Apps.”

His main theme is that the HTTP cookies and Flash Local Shared Objects that developers use today are going to be overtaken relatively quickly by HTML5’s persistent offline storage (with Gears continuing as a transitional technology).  WebKit browsers already handle offline data storage today (Safari on Mac OS & iPhone, and Google Chrome).

We have all been associated with cookies as indicators of authentication as well as a “live” session.  And most of us have been much nearer than we would wish to Flash and its “cookies” (LSOs).  Mr. Sutton argues that is the past.

Increasing pressure to make web applications mobile-friendly and/or offline-friendly means that the importance of “local” storage will keep growing rapidly for an extended period.  HTML5 has many new features, but persistent offline storage may have the greatest impact on financial services risk management (it may also have dramatic impacts in the health, retail, and transportation industries, but those are the topics of other blogs).   As more and more data persists on mobile devices, attacks against those data stores will increase.

HTML5 uses SQLite as its relational data store.  Mr. Sutton highlights a key risk issue for this approach by reminding us how many applications today are vulnerable to XSS attacks, and then outlining enumeration logic for an SQLite attack:

(1) Identify tables
SELECT name FROM sqlite_master WHERE type='table'
(2) Identify table structure
SELECT sql FROM sqlite_master WHERE name='table_name'
(3) Access and use the data (Gears database API; the two database setup lines are reconstructed from the fragment that survived on the slide)
var db = google.gears.factory.create('beta.database');
db.open('local_database_name');
var data = '';
var rs = db.execute('SELECT * FROM __DOJO_STORAGE');
while (rs.isValidRow()) {
  data = data + (rs.field(0) + '#' + rs.field(1));
  data = data + '\n';
  rs.next();   // advance the cursor; without this the loop never terminates
}
rs.close();
alert(data);

Criminals will necessarily find something much more interesting for the data than our “alert”…
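The same three-step enumeration is also the defender’s inventory tool: before shipping an offline-capable application, look at what it actually persists on the client. The script below is an added example (not from the post or the presentation) that builds a constructed in-memory stand-in for a Gears/Dojo offline database, enumerates it through sqlite_master exactly as the slides outline, and flags rows that look like credentials or session tokens; the table contents, key-name patterns and token heuristic are assumptions.

```python
# Added example (not from the post or the talk): a defender's inventory of
# an offline SQLite store, using the sqlite_master enumeration the talk
# outlines, to flag data that should never persist on the client.
import re
import sqlite3

def build_sample_store():
    """Constructed stand-in for a Gears/Dojo offline database (in memory)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE __DOJO_STORAGE (namespace TEXT, key TEXT, value TEXT)")
    con.executemany("INSERT INTO __DOJO_STORAGE VALUES (?, ?, ?)", [
        ("default", "theme", "blue"),
        ("default", "session_token", "e2b1c0ff9a8d7e6f5a4b3c2d1e0f9a8b"),
        ("bank", "account_number", "123456789012"),
    ])
    con.execute("CREATE TABLE prefs (name TEXT, val TEXT)")
    con.execute("INSERT INTO prefs VALUES ('lang', 'en')")
    return con

# Key names that suggest credentials or identity data, and opaque hex blobs
# long enough to be a session token or certificate fingerprint (assumed rules).
SENSITIVE_KEY = re.compile(r"token|session|passw|secret|account|ssn|card", re.I)
LONG_HEX = re.compile(r"^[0-9a-f]{32,}$", re.I)

def enumerate_tables(con):
    """Step (1) of the enumeration: every user table in the store."""
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]

def table_columns(con, table):
    """Step (2): column names, from PRAGMA rather than parsing the CREATE sql."""
    return [r[1] for r in con.execute(f"PRAGMA table_info('{table}')")]

def audit_store(con):
    """Step (3), from the defender's side: (table, column, rowid, reason) for
    each value that an XSS payload running in the same origin could read."""
    findings = []
    for table in enumerate_tables(con):
        cols = table_columns(con, table)
        for rowid, *vals in con.execute(f'SELECT rowid, * FROM "{table}"'):
            for col, val in zip(cols, vals):
                val = str(val)
                if col.lower() in ("key", "name") and SENSITIVE_KEY.search(val):
                    findings.append((table, col, rowid, f"sensitive key '{val}'"))
                elif LONG_HEX.match(val):
                    findings.append((table, col, rowid, "token-like value"))
    return findings
```

Point audit_store at a copy of the browser’s real database file instead of the constructed one to see what a deployed application leaves behind.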

I strongly recommend this presentation to all security professionals.  He describes a world where writing risk-appropriate applications is going to keep getting harder — much harder.  And HTML5’s persistent offline storage will challenge our software architects, application designers, risk managers, marketing executives, and risk management professionals.  What do you think?


The Shmoocon 2010 Schedule and Presentations:

APWG Reports Criminals Focusing on Financial Services and Succeeding

February 1, 2010


“These criminals are rapidly figuring out how the financial industry works, where there is big money and large transfers, so they can basically do large wires out of these accounts without setting off fraud alerts.” Linda McGlasson, Managing Editor, Bank Info Security, quoting Dave Jevans, Chairman of the APWG.

The Anti-Phishing Working Group (APWG) has published phishing activity trend reports for years.  They recently released their report for Q3 2009.  It is the result of their scanning more than 22 million unique PCs during the three month period — which seems like a useful sample size.  More than 11 million of those PCs were infected with malicious software, and almost 16% (1.87 million) of those were infected with banking trojans or password stealers.  Financial services security and risk management professionals need to keep this information front-of-mind as we deal with problem-solving across a broad spectrum of issues and situations.

I strongly recommend that you invest, or continue to invest creativity and sustained energy in ensuring that your security staff, as well as your entire workforce understand that “phishing” is (what APWG described as) a complicated “criminal mechanism employing both social engineering and technical subterfuge to steal” sensitive and valuable information.  It is a “big deal” because it continues to be successful on a scale that delivers attractive profits to criminals at what continues to be minimal risk.

In its “3rd Quarter ‘09 Phishing Activity Trends Summary” the report included:

  • Financial Services rose back to the top of most targeted industry sectors in Q3 after a brief displacement by Payment Services in Q1 & Q2 of 2009.  54% of all phishing targeted financial services during Q3, 2009 [Page 7]
  • Over the quarter, the proportion of crimeware‐specific (malicious code designed specifically against financial institutions’ customers) malware remained consistent, while data‐stealing malware rose. [See page 8]
  • The number of rogueware variants fell as gangs turned to ransomware to extort money from users. [See page 9]
  • The total number of infected computers in Q3 represented more than 48.35 percent of the total sample of scanned computers. [See page 10]

Overall, the criminal activity they describe in this report is composed of two high level components:

Social Engineering Component: Personal identity data and account credentials are prominent examples of their targets.  Criminals are increasingly sophisticated in their social-engineering efforts using spoofed email that appears to come from legitimate businesses and agencies to direct financial services employees, as well as customers to counterfeit websites designed to trick the recipient into divulging identity (starting with user name-password pairs) and financial information.
Technical Component: Criminals plant malicious software (malware) onto PCs to steal credentials directly.  This is often carried out using a combination of software and remote command-and-control systems to intercept users’ identity information — usually their login account name(s) and password(s).  They use a variety of technical means to corrupt “local navigational infrastructures” — hosts files, DNS, or look-alike or obfuscated target server names — to misdirect users to carefully-crafted counterfeit websites.  Another approach to credential and other identity information is to employ phisher‐controlled or phisher-rented proxies used to monitor and intercept users’ keystrokes [See page 2 for more detail].  Because of the diversity of potent methods of employing malicious software, the APWG used to include monthly counts of ‘password‐stealing malicious code URLs’ and ‘password stealing malicious code unique applications’ in their reports.  Their researchers have determined that this has “proven systematically unreliable.”  In its place, they now report on “Detected Crimeware,” which they believe provides a “more precisely descriptive measure of malevolent code trends” [See page 8].

They define “crimeware attacks” as:

“…designed with the intent of collecting information on the end‐user in order to steal those users’ credentials. Unlike most generic keyloggers, phishing‐based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions, online retailers, and e‐commerce merchants) in order to target specific information. The most common types of information are: access to financial‐based websites, ecommerce sites, and web‐based mail sites.”

They define “Malevolent Software” as:

  • Crimeware (data-stealing malicious code designed specifically to be used to victimize financial institutions’ customers and to co-opt those institutions’ identities);
  • Data Stealing/Generic Trojans (code designed to send information from the infected machine, control it, and open backdoors on it);
  • Other Malware (the remainder of malicious code commonly encountered in the field such as auto-replicating worms, dialers for telephone charge-back scams, etc.)” [Page 8]

Unless users understand that serious phishing is composed of many facets, we cannot expect them to resist criminals’ efforts on this front.  User awareness and training is a sub-optimal solution to resisting criminal phishing attacks.  It seems, though, to be an essential component of our risk-management plans on this front.  The phish-resisting vendor technology and services are maturing, but they are still only a fraction — maybe even a small fraction — of what I believe would be a risk-appropriate level of due diligence in the financial services industry today.

The report also states that:

  • More than 300 brands per month were hijacked by phishing campaigns. [Page 3]
  • More than 60% of malicious phishing web sites include some form of the targeted web site’s name in their URL. [Page 3]
  • 98.7% of malicious phishing web sites use a hostname instead of just an IP address. [Page 3]
  • 99.94% of malicious phishing web sites are accessed using HTTP via TCP port 80 (which needs to be “open” to support your Internet-enabled business activities). [Page 3]
  • Criminals employ around 150 unique URLs to attack each targeted brand. [Page 5]
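Those three observations (brand name embedded in the URL, a hostname rather than a bare IP, plain HTTP) translate directly into a triage rule for URLs seen in mail gateways or proxy logs. The script below is an added example (not from the post or the APWG report) that applies such a rule; the brand allow-list, the “examplebank” brand and the sample URLs are constructed assumptions, and matching the registrable domain properly would need a public-suffix list rather than the suffix check used here.

```python
# Added example (not from the post or the APWG report): URL triage built on
# the report's observations that most phishing sites embed the targeted
# brand's name in a hostname or path and are served over plain HTTP.
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> domains the brand really operates.
LEGIT_DOMAINS = {
    "examplebank": {"examplebank.com", "examplebank.co.uk"},
}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def belongs_to(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage_url(url):
    """Return the reasons a URL deserves a closer look (empty list if none):
    a protected brand name appearing on a host the brand does not control
    (including a bare IP), and plain HTTP, which offers no server identity."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname"]
    reasons = []
    for brand, domains in LEGIT_DOMAINS.items():
        mentioned = brand in host or brand in parts.path.lower()
        if mentioned and (is_ip(host) or not belongs_to(host, domains)):
            reasons.append(f"brand '{brand}' on a host it does not control")
    if parts.scheme == "http":
        reasons.append("plain HTTP (port 80) with no server authentication")
    return reasons
```

A brand’s own site served over HTTP still earns the second reason, which is a finding worth raising with that site’s owners rather than a false positive.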

So, what should we make of all this?  One way to view this is that it helps to explain what the FDIC was reporting about increasing thefts via electronic funds transfers (EFT) last year.  In 2009, the Federal Deposit Insurance Corporation (FDIC) reported that it had detected an increase in the number of unauthorized electronic funds transfers (EFT) as well as an increase in the resulting direct financial losses.  These EFTs were placed through automated clearing houses (ACH) and wire transfers.  The FDIC also reported that in most of these cases, the fraudulent transfers were made using stolen credentials.

Credential theft is a big criminal business.  It plays out in many ways.  One way is a direct assault on financial services enterprises — because that is where so much money is concentrated.  I believe that we need to continue increasing and fine-tuning our efforts to ensure that our leadership and our workforce understand what they are up against.  In order to meet our threshold due diligence obligations, we are going to be making additional financial and human investments to resist these types of attacks.  What do you think?


“Phishing Trends: Numbers up, Corporate Accounts Targeted Analyst: ‘I Think We’re in for a Challenging Year.'” January 27, 2010. By Linda McGlasson, Managing Editor, Bank Info Security.

“3rd Quarter ‘09 Phishing Activity Trends Summary.” By the Anti-Phishing Working Group.

“FDIC: Alert About Fraudulent Electronic Funds Transfers (EFTs).” August 26, 2009.
