Tag Archives: Malware

Russian botnet master nabbed in Spain, extradited to US

This is a story that has been ongoing for some time. Pyotr Levashov, a well-known and well-established Russian cybercriminal who was arrested in April of last year (2017 if you’re reading this in the distant future – welcome alien overlords!) while vacationing in Spain, has finally been extradited to the U.S. Apparently cybercriminaling does pay well sometimes. The arrest was based on a formal U.S. Department of Justice indictment against him for, among other things, operating the Kelihos Botnet, a long-running, expansive, global botnet that bombarded the world with all kinds of spam for nonsense like get-rich-quick schemes and enhancement medications; if you’re interested, and you should be, you can read the DOJ press release about the indictment and the actual search warrant that allowed for their infiltration of the botnet.

Before we continue, let’s talk about what a botnet is. When malware, or bad software (get it? Mal ware?), is surreptitiously installed on your machine, either through a drive-by attack in which it’s embedded in a Flash ad, or you click on a link or file from a rogue email, or one of many other attack vectors, it will use your machine to carry out tasks without your permission, involvement, or even knowledge. And just to be sure, those tasks it’s carrying out are bad. It can use your machine to send spam, participate in DDoS attacks, store harmful or illegal files, and many other unethical / criminal activities, all without you ever being privy to what’s going on. When that happens, your machine is what’s known as a zombie computer, or more commonly, a bot. Now, imagine hundreds of thousands of these infected machines all acting in unison, for a common goal or under a central control authority. That’s a botnet. Here’s an effective graphic from Reuters that illustrates the architecture of a botnet.

Typical botnet architecture (Source: Reuters)

Typical botnet architecture (Source: Reuters)

I wanted to embed an interactive map from Arbor Networks that shows real time attacks happening right now, and provides historical data, but their embed code which uses iframes doesn’t work on WordPress. I find it strange a security firm would still be supplying iframe embed codes, but who am I to judge? No matter; there are other sites that provide similar information using their own honeypot networks, such as Kaspersky’s real-time threat map and the well-known Norsecorp map. Actually, I had intended to use Norsecorp’s IPViking map, however it is now run under HP’s banner, although powered by Norse, and I simply couldn’t get it to work in any browser. Their map linked above works beautifully, though.

Kaspersky's Threat Map

Kaspersky’s Threat Map

Norsecorp's Threat Map

Norsecorp’s Threat Map

There are several interesting facets to this case: The first is, this guy has been around a long time and was one of the bad actors behind the Storm botnet that first manifested all the way back in 2007. That botnet was eventually dismantled by the combined efforts of Microsoft, malware firms, and the feds, a partnership and collaboration that continues to this day. We’ll come back to this particular botnet soon, because the architecture of these things is going to become important.

By soon, I mean right now! Another interesting aspect to this case is that the botnet was very sophisticated. It used a hybrid structure that is unusual for this kind of thing. Botnets are typically peer-to-peer, in which all the infected machines communicate with each other to coordinate and carry out their nefarious activities, or they use what’s known as a C&C, or Command and Control server, that oversees the whole thing and controls the botnet form a more centralized location. That allows better control and oversight of the bots.

Kelihos, however, was a hybrid, in which there was a C&C server, but there was also a peer-to-peer aspect as there was some autonomy in the architecture that allowed the bots to continuously update among themselves a list of secondary control servers to which they would report, and those would be directly overseen by the main C&C. This is in direct contrast to the Storm botnet mentioned earlier, which was pure peer to peer. A hybrid network also allows for rapid updates to, and distribution of, associated malware.

That leads to the next neat(?) thing about the botnet: It was aggressively and frequently updated. In fact, when a live sinkholing, in which the bots are redirected to to different targets that can then help track the bots or even deactivate them, took place at a 2013 RSA security conference, a new version of the botnet rapidly took its place which indicated that the creators were prepared for just such an emergency and had pre-planned a contingency.

And this was not just a spamming botnet. Along with pushing spam of both the email and desktop pop-up kind, it also stole bitcoin and targeted banks and other large industry outlets with industry specific malware that could rake in millions of dollars while running undetected. For botnet software, this had a wide range of functionalities, both general and specific, although for all it could do it was not hard to track.

The next interesting aspect of this case is Russia fought vigorously against Levashov’s extradition. Not by attempting to block it, but rather by filing an extradition request of their own based on crimes they say he committed in Russia itself. A smart move, regardless of whether the Russian charges are true or an attempt to protect one of their own, that is a clever way of approaching it. It didn’t work, ultimately, and Levashov is now in U.S. custody, but it was an interesting tactic to counter the original extradition request. Not only that, it has happened before.

A really interesting story all the way around, and I’m curious to see how it concludes. In the meantime, be careful, ensure your OS is up to date and fully patched, be sure you are running up-to-date anti-virus and anti-malware protection, try not to visit questionable sites, don’t activate or respond to emails from unknown sources, use an ad-blocker (uBlock Origin is my preferred choice, and I have no connection to them; purely my own opinion), and just generally practice safe computing.

What’s the best antivirus program?

I don’t think I need to tell anyone reading this that digital security is a big issue at all levels: Personal, corporate, government, and international. On your PC, at the very least, an antivirus program is mandatory, although many people feel they don’t need one. Take my word for it, you do.

But there are many options, and for something like that you want the program that performs the best, detecting the most viruses and other malware compared to the competition. To offer some clarification, antivirus programs have a list of what are called ‘virus definitions,’ which is just what it sounds like: it provides characteristics of the viruses known to the antivirus package that it uses to determine if you have been infected (whenever you update your AV program, you’re downloading virus definition files).

New, dangerous ransomware appears in the wild

In class we talked briefly about ‘Ransomware,’ software that compresses / encrypts / locks up your files, then demands payment for the password or key or whatever to get your files back. We also discussed that the amounts of money demanded are never too much to prevent someone from actually paying – if they asked for a million dollars no one would pay it, and the encryption was normally breakable if you knew what you were doing.

Now, in an event that involves many of the topics we discussed in our last class, a scary new ransomware attack is changing all that. Known as OphionLocker (this article shows it may not be as sophisticated as everyone is saying, possibly breakable through a C++ IDE ), it uses what is known as elliptic curve cryptography, a practically unbreakable form of encoding, to hold files hostage, and it is delivered through malicious ads displayed on web pages.

Bad USB!

First off, my apologies for the late post. I spent all day recording the lecture for the week I’ll be gone, and it turned out to be much more involved than I had anticipated. I think it ultimately came out all right, but it took about six and a half hours.

So we’ll see how it goes, in the meantime here’s a late post.

There was, earlier this year, the revelation that every single one of the billions of USB devices out there has a fatal flaw in its firmware, in which a malicious user or hacker could reprogram it to fool the machine into which it is plugged that it is some other type of device. In other words, it may be a thumb drive, but its firmware could be reprogrammed to fool a PC into thinking it’s a keyboard, which would then allow it to send keypresses to the host machine and a malicious user to then get the host to carry out malicious tasks. The flaw is known as BadUSB.

Massive information theft unveiled

Over on Tom’s Guide is a post revealing that a massive, and I do mean massive theft of information has been taking place for many years and by the same attack.

The attack, dubbed NightHunter by the security firm that discovered it, has been using an unusual form of hostile software to carry out the theft. Using keyloggers (which record keypresses and relay them to a third party, something we’ll talk about in class) embedded in phishing emails (fraudulent emails asking for account information, something we’ll also talk about in class), they were able to steal information – including login information – from sites like Skype, Facebook, Twitter, Amazon, LinkedIn, Google, and bank sites to name only a few.

As far as I can tell this is a new revelation, and the attempt to figure out who is behind it is still going on. In the meantime, be careful. Keyloggers are the most difficult type of malware to identify if your machine has been infected.

Going Up