Via Threatpost -
The groups of attackers that employ the Zeus toolkit for their scams and malware campaigns have long used sites in the .ru Russian TLD as homes for their botnet controllers. Security researchers and law enforcement agencies have had a difficult time making headway in getting these domains taken down, but now it seems that some changes in the way that the Russian organization in charge of the .ru domain is enforcing rules for fraudulent domains is forcing attackers to move to a long-forgotten TLD owned by the former Soviet Union.
Botherders tend not to be too picky about where they locate their command-and-control servers. Any domain and hosting provider that will leave them alone typically fits the bill. For the past few years, that description has fit many domains in the Russian TLD, as well as many others in smaller Eastern European countries that haven't dedicated a lot of resources to rooting out these C&C servers. Security researchers have known for a long time where the C&C servers are and have been exposing them online, and the attackers will change the location of those servers frequently in response to takedowns or other actions.
Now it appears that some of the Zeus attack crews are moving away from the .ru TLD altogether and migrating to the .su TLD, which was the property of the former Soviet Union. According to statistics on the Zeus Tracker site, three of the Zeus C&C servers with the longest uptimes are currently running on .su domains. Also, two of the C&Cs with the most files online are on .su domains.
[...]
Since the demise of the Soviet Union, the .su TLD has remained active, and companies and organizations located in countries that were part of the Soviet Union are allowed to register domains using that TLD. But, because the Soviet Union no longer exists and there are a relatively small number of sites on the TLD, it has gone unnoticed. Attackers have shown a remarkable ability to find obscure TLDs and infest them with malware-serving domains or C&C servers in a short period of time, and the .su TLD is now having its moment in the sun.
Thoughts of a Technocrat
Behind the Internet Wheels of Steel - Recording Live From Somewhere - Mixing the Fresh Beats of Technology, Intelligence, Science & Security together with the occasional bass-heavy break of Humor.
"There is no security on this earth, there is only opportunity"
- General Douglas MacArthur (1880-1964)
Monday, January 30, 2012
Saturday, January 28, 2012
Lookout: Our Take on the ‘Apperhand’ SDK (aka ‘Android.Counterclank’)
Via Lookout Mobile Security Blog -
Today, news came out that claimed a particular family of malware, termed ‘Android.Counterclank’, had infected 5 million users. We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously.
This isn’t malware.
The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior. In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.
Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.
Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware.
We’re researching ad networks closely.
We spend a significant amount of time looking not just at mobile apps, but also at SDKs that are commonly integrated into apps. We’ve recently been focusing heavily on the capabilities of various mobile advertising SDKs. We believe that ad networks are important for the overall mobile ecosystem; however, some advertising networks go beyond the commonly accepted behavior of ad networks with more aggressive tactics.
This particular ad network SDK, com.apperhand, bears similarities to one previously distributed in a number of apps in June of 2011 as the “ChoopCheec platform” or “Plankton”.
[...]
We’re continuing our investigation.
At this point, it appears that what we’re seeing is an example of an ad network that pushes the lines of privacy. Over the past few months we have been closely tracking this, and we are seeing a trend of this type of behavior. While this is not malware, we do think that consumers should take it seriously, and we’re actively working on a solution to help users understand whether applications have potentially undesirable behavior such as this while not creating unnecessary worry.
How Pakistan Helps the U.S. Drone Campaign
Via Reuters (Jan 22, 2012) -
The death of a senior al Qaeda leader in a U.S. drone strike in Pakistan's tribal badlands, the first strike in almost two months, signaled that the U.S.-Pakistan intelligence partnership is still in operation despite political tensions.
The Jan 10 strike -- and its follow-up two days later -- were joint operations, a Pakistani security source based in the tribal areas told Reuters.
They made use of Pakistani "spotters" on the ground and demonstrated a level of coordination that both sides have sought to downplay since tensions erupted in January 2011 with the killing of two Pakistanis by a CIA contractor in Lahore.
"Our working relationship is a bit different from our political relationship," the source told Reuters, requesting anonymity. "It's more productive."
U.S. and Pakistani sources told Reuters that the target of the Jan 10 attack was Aslam Awan, a Pakistani national from Abbottabad, the town where Osama bin Laden was killed last May by a U.S. commando team.
[...]
The Pakistani source, who helped target Awan, could not confirm that he was killed, but the U.S. official said he was. European officials said Awan had spent time in London and had ties to British extremists before returning to Pakistan.
The source, who says he runs a network of spotters primarily in North and South Waziristan, described for the first time how U.S.-Pakistani cooperation on strikes works, with his Pakistani agents keeping close tabs on suspected militants and building a pattern of their movements and associations.
"We run a network of human intelligence sources," he said. "Separately, we monitor their cell and satellite phones.
"Thirdly, we run joint monitoring operations with our U.S. and UK friends," he added, noting that cooperation with British intelligence was also extensive.
Pakistani and U.S. intelligence officers, using their own sources, hash out a joint "priority of targets lists" in regular face-to-face meetings, he said.
"Al Qaeda is our top priority," he said.
He declined to say where the meetings take place.
Once a target is identified and "marked," his network coordinates with drone operators on the U.S. side. He said the United States bases drones outside Kabul, likely at Bagram airfield about 25 miles north of the capital.
From spotting to firing a missile "hardly takes about two to three hours," he said.
It was impossible to verify the source's claims and American experts, who decline to discuss the drone program, say the Pakistanis' cooperation has been less helpful in the past.
U.S. officials have complained that when information on drone strikes was shared with the Pakistanis beforehand, the targets were often tipped off, allowing them to escape.
Friday, January 27, 2012
USS Ponce Being Refit to Become a "Mothership" in Middle East
Via Washington Post (Jan 27, 2012) -
The Pentagon is rushing to send a large floating base for commando teams to the Middle East as tensions rise with Iran, al-Qaeda in Yemen and Somali pirates, among other threats.
In response to requests from the U.S. Central Command, which oversees military operations in the Middle East, the Navy is converting an aging warship it had planned to decommission into a makeshift staging base for the commandos. Unofficially dubbed a “mothership,” the floating base could accommodate smaller high-speed boats and helicopters commonly used by Navy SEALs, procurement documents show.
Special Operations Forces are a key part of the Obama administration's strategy to make the military leaner and more agile as the Pentagon confronts at least $487 billion in spending cuts over the next decade.
Lt. Cmdr. Mike Kafka, a spokesman for the Navy’s Fleet Forces Command, declined to elaborate on the floating base’s purpose or to say where, exactly, it will be deployed in the Middle East. Other Navy officials acknowledged that they were moving with unusual haste to complete the conversion and send the mothership to the region by early summer.
Navy documents indicate that it could be headed to the Persian Gulf, where Iran has threatened to block the Strait of Hormuz, a crucial shipping route for much of the world’s oil supply. A market survey proposal from the Military Sealift Command, dated Dec. 22 and posted online, states that the floating base needed to be delivered to the Persian Gulf.
Other contract documents do not specify a location but say the mothership would be used to “support mine countermeasure” missions. Defense officials have said that if Iran did attempt to close the Strait of Hormuz, it would rely on mines to obstruct the waterway.
---------------------------------------------
It's funny, as the term "mothership" is commonly found on this blog in terms of Somali pirates...
Thursday, January 26, 2012
Insight into Sykipot Operations
Via Symantec Security Response Blog -
The Sykipot campaign has been persistent in the past few months, targeting various industries, the majority of which belong to the defense industry. Each campaign is marked with a unique identifier comprised of a few letters followed by a date hard-coded within the Sykipot Trojan itself. In some cases the keyword preceding the numbers is the sub-domain's folder name on the Web server being used.
[...]
These campaign markers allow the attackers to correlate different attacks on different organizations and industries.
The attackers also left additional clues allowing us to gain insight into what appears to be a staging server that is used prior to the delivery of new binaries to targeted users. In addition, we were able to confirm that the server was also used as a command and control (C&C) server for a period of time as well. The server is based in the Beijing region of China and was running on one of the largest ISPs in China. Furthermore, on one occasion one of the attackers connected from the Zhejiang province. The server has hosted over a hundred malicious files from the past couple of months, many of which were used in Sykipot campaigns.
[...]
The Sykipot attackers have a long running history of attacks against multiple industries. Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China. They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future.
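The campaign-marker correlation the Symantec post describes, as an added example that is not from the original post or from Symantec: it assumes a marker shape of a few lowercase letters followed by a YYYYMMDD date (the post only says "a few letters followed by a date"), and uses constructed sample strings and placeholder URLs to show how a defender can group samples by campaign and link each campaign keyword to the server folder that shares its name.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Assumed marker shape (not stated on the page): 2-6 lowercase letters
# immediately followed by an 8-digit date starting with "20".
MARKER_RE = re.compile(r"\b([a-z]{2,6})(20\d{6})\b")


def extract_marker(s):
    """Return (keyword, date) for the first well-formed campaign marker in s,
    or None. A letters+digits run whose digits are not a real calendar date
    is ignored so that random identifiers are not mistaken for markers."""
    for m in MARKER_RE.finditer(s):
        keyword, date = m.group(1), m.group(2)
        try:
            datetime.strptime(date, "%Y%m%d")
        except ValueError:
            continue
        return keyword, date
    return None


def first_folder(url):
    """First path component of a URL, e.g. 'abc' for http://h/abc/x.php."""
    parts = urlparse(url).path.strip("/").split("/")
    return parts[0] if parts and parts[0] else None


def correlate(samples, urls):
    """Group samples by (keyword, date) marker and attach every observed
    staging/C&C URL whose first folder equals the campaign keyword.

    samples: {sample_name: [strings extracted from the binary]}
    urls:    list of URLs seen in network telemetry
    """
    campaigns = defaultdict(lambda: {"samples": [], "urls": []})
    for name, strings in samples.items():
        for s in strings:
            marker = extract_marker(s)
            if marker:
                campaigns[marker]["samples"].append(name)
                break  # one marker per sample is enough to place it
    for url in urls:
        folder = first_folder(url)
        for (keyword, _date), record in campaigns.items():
            if folder == keyword:
                record["urls"].append(url)
    return dict(campaigns)


# Constructed sample data; domains use the reserved .invalid TLD as placeholders.
SAMPLES = {
    "sample1.exe": ["GetProcAddress", "abc20120118", "/abc/login.php"],
    "sample2.exe": ["kernel32.dll", "dfg20111202"],
    "sample3.exe": ["abc20120118", "Mozilla/4.0"],
    "sample4.exe": ["xyz20121399"],  # month 13: looks like a marker but is not
}
URLS = [
    "http://update.example.invalid/abc/login.php",
    "http://news.example.invalid/dfg/news.asp",
    "http://cdn.example.invalid/img/logo.gif",
]

if __name__ == "__main__":
    for (keyword, date), record in correlate(SAMPLES, URLS).items():
        print(f"campaign {keyword}/{date}: samples={record['samples']} "
              f"urls={record['urls']}")
```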
NASA: NPP's 'Blue Marble'
http://npp.gsfc.nasa.gov/science/sciencecollection.html
A 'Blue Marble' image of the Earth taken from the Visible Infrared Imager Radiometer Suite (VIIRS) instrument aboard NASA's most recently launched Earth-observing satellite - Suomi NPP. This composite image uses a number of swaths of the Earth's surface taken on January 4, 2012. The NPOESS Preparatory Project (NPP) satellite was renamed 'Suomi NPP' on January 24, 2012 to honor the late Verner E. Suomi of the University of Wisconsin.
The high-resolution version can be found here.
Wednesday, January 25, 2012
N. Korea Suspected of Trying to Hack into Seoul University
Via Yonhap News Agency (Jan 17, 2012) -
North Korea is suspected of masterminding last year's attempt to hack into the e-mail accounts of a Seoul university's graduate school alumni, school officials said Tuesday.
The Graduate School of Information Security at Korea University said it has conducted a joint investigation with intelligence authorities to track the origins of the hacking attempt, upon learning that an e-mail carrying malicious codes was sent to some of its graduates via its internal e-mail accounts last November.
"The e-mail was found to have been sent from a server based in Taiwan often used by North Korea," a school official said, declining to be identified.
"But no damage has been reported, as our graduates who received the e-mail never opened the file attached, and the codes did not work well from the first place," he added.
U.S. Military Raid in Somalia Frees Dane, American
Via USA Today -
The Navy SEALs that rescued two aid workers in Somalia were not dealing with al-Qaeda-linked militant groups but pirate gangs that have been terrorizing the region, kidnapping people and holding them for ransoms.
The raid under cover of darkness on Wednesday freed American Jessica Buchanan and Poul Hagen Thisted, a Dane, who were "on their way to be reunited with their families," the Danish Refugee Council said Wednesday.
President Obama authorized the mission by SEAL Team 6, the same unit that was behind the operation in Pakistan last May that killed Osama bin Laden.
One official who spoke on the condition he would remain anonymous told the Associated Press that the team parachuted into the area before moving on foot to the target. Nine kidnappers were killed. The raid happened near the Somali town of Adado.
The SEAL raid shows the United States is "more willing to confront pirates than it has in the past," says Derek Reveron, a professor at the Naval War College.
It also suggests a growing willingness to use its special operations forces, which is riskier than drone strikes.
"Clearly it was a good target of opportunity," Reveron says. "But it also strikes me as pretty significant, parachuting SEALs into Somalia."
As large ships at sea have increased their defenses against pirate attacks, gangs have looked for other money making opportunities like land-based kidnappings.
It is not clear what impact the raid will have on piracy in the region.
But the number of successful pirate hijackings on shipping has dropped dramatically in 2011 in the Horn of Africa region. The number of successful pirate attacks fell to 24 last year, from 45 in 2010, according to NATO.