Showing newest posts with label worms. Show older posts

Tuesday, September 29, 2009

The Internet Has Never Been More Dangerous - latest research from the APWG

Today, the Anti-Phishing Working Group (APWG) released its Phishing Trends Report for the first half of 2009. Consumers and small businesses should be aware of the newest web-based threats, which are out there and growing.

According to the APWG, rogue anti-malware is growing at an unprecedented rate. In the first quarter of 2009 alone, more new strains of rogue anti-malware were created than in all of 2008, and between January and the end of June 2009 the number of such programs grew 585%.

The number of unique phishing websites detected by the APWG during the first half of 2009 fluctuated by nearly 30,000 between February and June. June's high of 49,084 for the half was still 12% lower than the all-time high for this data set, 55,643 in April 2007.

Payment Services jumped into the top position of targeted industry sectors in Q1 2009, rising over Financial Services for the first time since APWG began tracking the proportions of phishing attacks directed at each industry sector. The proportion of phishing campaigns directed against the Payment Services sector continued increasing through Q2, up some 16% from quarter to quarter, while the Financial Services sector’s proportion dropped more than 10% during the same period.

Additional Highlights from the 1st Half ‘09 Phishing Activity Trends Report include:

  • Unique phishing reports submitted to APWG recorded a high of 37,165 in May, just under 7% higher than last year’s high of 34,758 in October.
  • Brand-domain pairs increased to a record 21,085 in June, up 92% from the beginning of 2009.
  • The number of hijacked brands ascended to a high of 310 at the end of Q1.
  • Banking trojan/password-stealing crimeware infections detected increased by more than 186% between Q4 2008 and Q2 2009.
  • The total number of infected computers rose more than 66% between Q4 2008 and the end of the first half of 2009, to 11,937,944, representing more than 54% of the total sample of scanned computers.
  • Sweden moved ahead of the United States as the nation hosting the most phish websites at the half’s end.
  • China’s IP space hosted the most websites harboring malevolent code from March through June.

As hackers and cybercriminals find new ways to attack, security software and education are your best defense. Web security and web filtering solutions, like Livia Web Protection, protect against phishing websites by automatically blocking access to those sites when a link is clicked. Also, make sure that your anti-virus and anti-malware definitions are up to date and working properly.

To view the full APWG report, please visit http://www.apwg.com/reports/apwg_report_h1_2009.pdf

Friday, May 29, 2009

June Marks Annual National Internet Safety Month to Promote Online Safety and Consumer Awareness

The beginning of June marks the start of National Internet Safety Month, an effort to increase consumer awareness of the dangers that exist online and to promote best practices for avoiding becoming a victim of cybercrime.

Introduced by the U.S. Senate, National Internet Safety Month was created to raise awareness of the need for online safety in the United States. Today's evolving web-based threats such as phishing attacks, spyware and identity theft should be top concerns for families nationwide. By taking proper precautions, such as using distinct passwords, applying security patches promptly, and running security software, home users can build a strong defense and stay safe online.


This month brings Internet safety to the forefront; however, cybercriminals unleash malicious attacks against consumers every day of the year. These attacks are designed to steal personal information or corrupt computer systems. As more and more families shop, learn, and communicate online, National Internet Safety Month is a positive step toward increasing awareness of the online dangers families may encounter.


Livia Web Protection fully supports the National Internet Safety Month by delivering enterprise class Web filtering and security for the home user. The software aids parents in keeping children safe from cyberbullying, online predators and accessing explicit material, while protecting the entire family from Internet misuse and scams.

For more information and what you can do to keep your family safe, visit our Safety Tips at http://www.liviaweb.com/safety-tips.html

Monday, March 30, 2009

Security Alert: Update on Conficker.C

Websense Security Labs researchers Nicolas Brulez and Elad Sharf have just published a great post updating the status of the Conficker.C worm.

The entire security alert can be viewed here: http://securitylabs.websense.com/content/Alerts/3329.aspx

Note that Livia Web Protection customers who use the filtering to block access to all security-threat web sites are protected from this worm.

Livia Web Protection uses the industry-leading URL database from Websense. Websense has the worm's domain name generation algorithm (more on this in a separate update) and is proactively classifying the URLs it produces, so machines already infected with Conficker will be prevented from phoning home for updates. In addition, Websense is actively classifying the malicious binary executables and web sites through generic and specific detection, and through ThreatSeeker Network Web Reputation.

From Websense Security Labs:

April's approach has created a lot of chatter about Conficker, a worm largely considered to be one of the most widespread infections in recent years. Some estimates put peak infection at over 10,000,000 hosts. A large effort has been made by the white-hat community and the Conficker Cabal Group to mitigate Conficker infections, and with success. The current estimate indicates that the number of infected hosts has fallen to 1 to 2 million, which is still a very large number when factored against recent bot counts.

There is a good deal of speculation about what's going to happen on April 1, a special date that is hard coded into the latest variant of the worm's binary file. The wider Internet community is fortunate in that some very good research has been conducted into the different variants of the worm: A, B, B++ & C.

In this blog entry we're going to focus on and recap the major changes in the C variant, including some ideas on how to deal with it. In addition, we'll draw some conclusions and make a few predictions.

First things first: protect yourself
The Conficker worm propagates in three ways: MS08-067 propagation, NetBIOS shares, and removable media drives (USB, FireWire, etc.). The first step in protection is to make sure that you're patched: go to Windows Add/Remove Programs and verify that update KB958644 is installed (a shortcut for getting there is to open Run and type 'appwiz.cpl').

If you're a system admin, verify that you applied the patch to all of your systems. The NetBIOS propagation is done through brute-forcing administrator shares (ADMIN$ shares). The worm uses a pre-defined list of commonly used passwords and if successful in brute forcing a machine, it then creates a scheduled task to run itself. So make sure you use a strong password and that strong password policies are in place.

The last propagation technique, and one of the most frustrating, is removable media drive propagation. The worm copies itself from the infected host to its local removable media drives and when an infected drive is attached to another computer that has Autorun and Autoplay enabled, it might social engineer the user into running the worm. This is best resolved by disabling AutoPlay and AutoRun (which aren't the same thing).
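As an added example (not code from the Livia post or from the Websense alert), the following Python script audits a host against two of the three points above: the MS08-067 patch and AutoRun. The pure functions take facts that have already been collected, so they run and can be checked on any OS; collect_windows_facts() is a Windows-only collector that reads the registry and runs 'wmic qfe', which is my tooling assumption. KB958644 and appwiz.cpl come from the page; the NoDriveTypeAutoRun policy value and its drive-type bit layout are Microsoft's documented AutoRun policy and are not mentioned on the page; the sample hotfix list with the KB0000001 placeholder is constructed. The password-policy step is not covered here.

```python
"""Audit a Windows host for the Conficker hardening steps: MS08-067 patch and AutoRun."""
import re
import subprocess
import sys
from typing import Dict, Iterable, List

REQUIRED_KB = "958644"  # MS08-067 update named on the page (KB958644)

# Bits of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
# (Microsoft's documented policy, not from the page). A set bit disables AutoRun for
# that drive type; 0xFF disables it for every type.
DRIVE_BITS: Dict[int, str] = {
    0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cd-rom", 0x40: "ram-disk", 0x80: "unspecified",
}


def kb_number(s: str) -> str:
    """Normalise 'KB958644', 'kb 958644' or '958644' to bare digits."""
    m = re.search(r"(\d{5,7})", s)
    return m.group(1) if m else ""


def patch_missing(installed: Iterable[str], required: str = REQUIRED_KB) -> bool:
    """True when the required KB is absent from the installed-hotfix list."""
    return required not in {kb_number(x) for x in installed}


def autorun_enabled_for(policy_value: int) -> List[str]:
    """Drive types whose bit is clear, i.e. where AutoRun is still enabled."""
    return [name for bit, name in DRIVE_BITS.items() if not policy_value & bit]


def audit(installed_kbs: Iterable[str], no_drive_type_autorun: int) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if patch_missing(installed_kbs):
        findings.append(f"KB{REQUIRED_KB} (MS08-067) not installed; verify via appwiz.cpl and patch")
    still = autorun_enabled_for(no_drive_type_autorun)
    if still:
        findings.append("AutoRun still enabled for drive types: " + ", ".join(still))
    return findings


def collect_windows_facts():
    """Windows-only collector (tooling assumption): hotfix ids via wmic, policy via registry."""
    import winreg  # only importable on Windows
    out = subprocess.run(["wmic", "qfe", "get", "HotFixID"], capture_output=True, text=True).stdout
    kbs = [ln.strip() for ln in out.splitlines() if ln.strip().upper().startswith("KB")]
    value = 0
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer")
        value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except OSError:
        pass  # value absent: treated as 0 (worst case); the OS default when unset is not modelled
    return kbs, int(value)


if __name__ == "__main__":
    if sys.platform == "win32":
        facts = collect_windows_facts()
    else:
        facts = (["KB0000001"], 0x91)  # constructed sample: placeholder hotfix, partial AutoRun policy
    for line in audit(*facts) or ["no findings"]:
        print(line)
```

On a Windows host the script uses live facts; elsewhere it falls back to the constructed sample, which reports both findings. The sample value 0x91 leaves AutoRun enabled on removable drives, exactly the path the post describes, whereas 0xFF disables it for every drive type.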

If you suspect you're infected you can check for symptoms. (Recovery and more preemptive measures here.)

Conficker blocks access to URLs and sites with specific strings in them to stop the user from downloading any detection or removal tools, so a good way to verify a suspected infection is to attempt to access sites from the list below. For example: microsoft.com or virusscan.jotti.org.

Confirm that you have Internet access before testing access to a blocked site. Be cautious about jumping to quick and possibly incorrect conclusions.
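One way to run the check the two paragraphs above describe, as an added example rather than code from either post: the resolver is injectable, so the logic can be exercised offline against a constructed stand-in that refuses names containing given strings (mirroring the page's description of blocking by string); on a real machine pass real_resolver. The two security hosts are the ones the page names (the rest of its list is not reproduced on this page); example.com as the control host is an assumption, and the control check comes first so that plain loss of connectivity is not mistaken for an infection.

```python
"""Detect string-based blocking of security sites, with a connectivity control first."""
import socket
from typing import Callable, Dict, List

# Hosts the page names as examples of what an infected machine cannot reach.
SECURITY_HOSTS: List[str] = ["microsoft.com", "virusscan.jotti.org"]

# Control host (assumption): must resolve, otherwise nothing can be concluded.
CONTROL_HOST = "example.com"


def real_resolver(host: str) -> bool:
    """Return True when the host name resolves to an address on this machine."""
    try:
        socket.gethostbyname(host)
        return True
    except (socket.gaierror, OSError):
        return False


def assess(resolve: Callable[[str], bool],
           security_hosts: List[str] = SECURITY_HOSTS,
           control_host: str = CONTROL_HOST) -> Dict[str, object]:
    """Classify the host's resolution behaviour.

    verdict is one of:
      'no-connectivity'  the control host fails, so the test is inconclusive
      'clean'            control and every security host resolve
      'suspicious'       control resolves but one or more security hosts do not
    """
    if not resolve(control_host):
        return {"verdict": "no-connectivity", "blocked": []}
    blocked = [h for h in security_hosts if not resolve(h)]
    return {"verdict": "suspicious" if blocked else "clean", "blocked": blocked}


def simulated_resolver(blocked_substrings: List[str]) -> Callable[[str], bool]:
    """Constructed stand-in for an infected host: refuses names containing any given string."""
    def resolve(host: str) -> bool:
        return not any(s in host for s in blocked_substrings)
    return resolve


if __name__ == "__main__":
    # Offline demonstration with the constructed blocker; use assess(real_resolver) on a real host.
    print(assess(simulated_resolver(["microsoft", "jotti"])))
    print(assess(simulated_resolver([])))
```

A 'suspicious' verdict is a prompt to investigate with proper tooling, not a confirmation; DNS filtering on the network path can produce the same pattern.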

Preserve the investment
Curiously, the Conficker C variant doesn't have any propagation methods. The updating process to the C variant from the previous variants, which began around March 4, doesn't include the propagation functionality mentioned earlier.

So the latest variant just sits there, you ask? In a way, yes. It waits on infected machines for orders to come through. Bear in mind that most of the Conficker variants on infected hosts haven't been updated to the C variant. Of course, A, B, and B++ still propagate. And there are more changes.

The authors made some important updates to the C variant, including adding more protection mechanisms and peer-to-peer functionality. It's estimated that only 15% of the previous variants' code was preserved. This makes sense if the first purpose of the worm was to infect as many machines as possible, while the new variant is aimed at preserving and protecting the investment, keeping the number of infected hosts as large as possible.

The new functionalities in the C variant are simply countermeasures to the efforts of the security community, like the Conficker Cabal, against the worm. The latest variant of the worm shifted to a propagative mode from a preservation mode, for now, although not having a propagation functionality doesn't mean the authors can't update it, at will, to have one.

Domain Generation Algorithm (DGA): What's going to happen April 1?
What's going to happen on April 1? This date is hard coded in Conficker.C variants and this is why a lot of attention is focused on it. On that date, Conficker is going to update its domain generation algorithm to 50,000 domains per day and will try to access 500 of those once a day. This is one of the countermeasures and protections the authors of the worm introduced in response to the successful efforts of the Cabal group to stop the registration of the 250 domains that the older variants (A, B, and B++) try to access each day. This change, starting April 1, 2009, will only affect already infected machines. It also means that Conficker C variants on those machines will generate a list of 50,000 domains a day. The worm will actually try to access 500 of those domains. Only the people behind Conficker know which domains they're actually going to register and activate. They could, in fact, register only one domain a day (or fewer, or more), but when they do that, if they don't get interrupted by the Cabal Group again, the infected machines will try to access those domains, potentially getting updates to do something. It doesn't necessarily mean that the worm is going to do something bad that day, since it all depends on whether an update will be available for the worm to download. Besides, the latest variants are equipped with a P2P mechanism, so orders may have already been relayed to the bots.

When the people behind Conficker decide it's time to do something that will earn them some money, like stealing data, issuing DDOS attacks, sending spam, etc., they will be able to do so at will. It doesn't have to be on April 1. Our assumption is that the people behind Conficker are waiting for sometime after that date to achieve a maximum bot update. Time equals money and it's logical to assume that something is going to happen soon enough. It also seems that those who are behind the worm are examining their options carefully and might be even trying more "business" relations to decide which path will be most safe and profitable.

Reverse-engineering the Domain Generation Algorithm
At Websense Security Labs, we reverse-engineered the different Conficker variants to discover the domains the worm will try to contact each day. As mentioned, the latest C variant generates a list of 50,000 domains a day. Of those, the worm will try to access 250 domains.
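As an added example (not Websense's code; the DGA below is a deliberately simple placeholder, not Conficker's actual algorithm), here is how a reverse-engineered DGA is used defensively, which is the point of the DGA passage above and of this paragraph: generate the day's 50,000 names, then scan DNS query logs for clients that resolve many of them. The log format, client addresses, seed and TLD set are constructed for the demonstration. Thresholding on distinct DGA names per client is the design choice that separates an infected host from a client that happened to look up one such name.

```python
"""Generate a day's DGA list and flag clients querying many of those names."""
import datetime as dt
import hashlib
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set, Tuple

TLDS = ["com", "net", "org"]          # placeholder TLD set (assumption)
APRIL_1 = dt.date(2009, 4, 1)         # the date the post discusses
NEXT_DAY = APRIL_1 + dt.timedelta(days=1)


def placeholder_dga(day: dt.date, count: int, seed: bytes = b"example-seed") -> List[str]:
    """Derive `count` domains for `day` from a date-seeded hash chain (placeholder DGA)."""
    domains = []
    state = hashlib.sha256(seed + day.isoformat().encode()).digest()
    for i in range(count):
        state = hashlib.sha256(state + i.to_bytes(4, "big")).digest()
        length = 8 + state[0] % 4                       # 8..11 letter label
        label = "".join(chr(ord("a") + b % 26) for b in state[1:1 + length])
        domains.append(f"{label}.{TLDS[state[31] % len(TLDS)]}")
    return domains


# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\.?$")


def parse_dns_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client, qname) pairs; qname is lower-cased with any trailing dot removed."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qname").lower().rstrip(".")


def flag_clients(lines: Iterable[str], dga_domains: Set[str], threshold: int) -> Dict[str, int]:
    """Clients that queried at least `threshold` distinct DGA names, with their counts."""
    hits = defaultdict(set)
    for client, qname in parse_dns_log(lines):
        if qname in dga_domains:
            hits[client].add(qname)
    return {c: len(names) for c, names in hits.items() if len(names) >= threshold}


def build_sample_log(domains: List[str]) -> List[str]:
    """Constructed DNS log: one infected-looking client and one client with a single hit."""
    lines = ["2009-04-01T00:00:00 10.0.0.9 query www.example.com",
             "2009-04-01T00:00:01 10.0.0.9 query " + domains[3]]
    for i, d in enumerate(domains[:6]):
        lines.append(f"2009-04-01T00:01:{i:02d} 10.0.0.5 query {d}.")
    lines.append("not a parseable line")
    return lines


if __name__ == "__main__":
    todays = placeholder_dga(APRIL_1, 50000)
    print(len(todays), "domains for", APRIL_1, "- first three:", todays[:3])
    # The same list can be pushed to a resolver blocklist or sinkhole ahead of time.
    print(flag_clients(build_sample_log(todays), set(todays), threshold=3))
```

Generating the full 50,000-name list is cheap, so a defender can precompute it for the days ahead, feed it to a resolver blocklist or sinkhole, and run the detector over the previous day's logs each morning.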

Predictions
Given the industry efforts to mitigate this problem, one of the obvious predictions is that the worm's authors will try to preserve the number of infected bots as much as possible. One of the potential options is to actually update the worm to download instructions from compromised web sites. This move could actually disrupt the Cabal group's efforts, since it's easier to stop the registration of new domains, and harder to take down and stop compromised domains with good reputations. We also predict that Conficker will restart and continue propagation through a spam-based mechanism. We don't believe that the worm's authors will stick to only updates via the P2P mechanism, but will also strive to keep using the HTTP-based update mechanism, so the worm on infected hosts will be accessible to updates within networks that use firewalls and Network Address Translation (NAT), which disrupt P2P traffic. It seems that the group behind Conficker is considering their moves carefully. If they're indeed a China-based group they'll need some Western-based connections to commit cyber crimes more effectively. Establishing these connections is what we suspect they have been doing in the meantime.

Summary
Conficker is a large botnet that has a lot of potential to do harm. It hasn't happened just yet, and most security vendors predict it won't necessarily happen on April 1, and we agree. However, the bot gives its perpetrators a lot of power, and at some point, we believe, Conficker will do something "bad" on infected machines like stealing data, sending spam, issuing DDoS attacks, and more. The worm might already do some harm by attempting to access the 50K domains it generates each day and thus DDoS'ing some legitimate sites that the worm's DGA happens to generate. Reverse-engineering the DGA and knowing all the domains the worm will try to contact gives us the ability to be proactive. The domain generation algorithm and the way the worm operates can be updated at any time.