International Telecommunication Union   ITU
Site Map Contact us Print Version
 Tuesday, 22 January 2008

The past week marks the one-year anniversary of the emergence of the spam-enabling Storm worm, a tenacious strain of malicious software that probably speaks more about the future of online crime than almost any other malware family circulating online today. A chronological account from security firm Trend Micro visually sums up Storm's evolution. Dmitri Alperovitch, director of Secure Computing, said federal law enforcement officials who need to know have already learned the identities of those responsible for running the Storm worm network, but that U.S. authorities have thus far been prevented from bringing those responsible to justice due to a lack of cooperation from officials in St. Petersburg, Russia, where the Storm worm authors are thought to reside. 

Alperovitch believes the majority of Storm worm victims are Microsoft Windows users who for whatever reason have ignored the best advice of security professionals by not running anti-virus software and/or regularly applying software security updates. Indeed, the infection statistics seem to support that analysis. According to Vincent Gullotto, head of Microsoft's security research and response team, Microsoft's "malicious software removal tool" -- shipped as part of its monthly patch updates -- has removed an average of 200,000 versions of the Storm worm from Windows systems each month since November, when the software giant first started shipping removal routines for Storm.

According to Trend, nearly 12,000 pieces of Storm-connected malware were unleashed online over the past year (this includes the Trojan that drops the payload, the Storm worm itself, as well as regular -- sometimes hourly -- updates pushed out to infected machines to stay a step ahead of any anti-virus software installed on the host system.) As big as Storm got this past year, Symantec's numbers help put things in a bit more perspective. Storm-related malware made up slightly more than one-quarter of one percent of all potential malicious code infections in 2007, Symantec said.

Read the full article on the Washington Post.

Tuesday, 22 January 2008 12:29:53 (W. Europe Standard Time, UTC+01:00)  #     | 

Romanian artist Alex Dragulescu, a research assistant at the Massachusetts Institute of Technology's Sociable Media Group, puts a face to threats such as Storm and Netsky. "Dragulescu created his so-called 'threat art' in conjunction with live malware intercepted by e-mail security firm MessageLabs. Each is disassembled into a dump of binary code and then run through a program Dragulescu wrote. That program spends a few hours crunching through all the data, looking for patterns in the code that will determine the shape, color and complexity of each piece of threat art."

According to the Washington Post's article, the configuration of these created organisms is driven largely by the botnets' actions. Dragulescu explains that if there is a repeated attempt to write to a system memory address, a particular Windows API call that tries to write to a file or [blast out e-mail], for instance, the program tracks that and looks for the prevalence, number and behavior of those occurrences. 

Dragulescu's other threat art include his "spam architecture," or his "spam plants," the latter of which take its form from rules that look at the ASCII values (computer code that represent the English alphabet) of each spam sample.

For more of Dragulescu's images, check out his Web site and the MessageLabs threat art page.
Read the full article on the Washington Post.

CYB | Cybersecurity | Botnets | Malware | Spam | Media
Tuesday, 22 January 2008 12:14:37 (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, 21 January 2008

Information Week reports that the CIA admitted on Friday at a New Orleans security conference that cyberattacks have caused at least one power outage affecting multiple cities outside the United States. According to Alan Paller, director of research at the SANS Institute, CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout. Information about which foreign cities were affected by the outage and other information related to the attack were not disclosed. According to Paller, a written statement from Donahue read, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

The conference was on sharing data about cyberattacks on critical utilities and resources, and methods of attack mitigation. Discussions also include the new SCADA, Supervisory Control And Data Acquisition, and Control Systems Survival Kit, a document of best practices for SCADA systems.

Read the full article here.

Monday, 21 January 2008 14:06:15 (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, 18 January 2008 reports that "foreign hackers, primarily from Russia and China, are increasingly seeking to steal Americans’ health care records, according to a Department of Homeland Security analyst." Two cases of intrusions to the health care systems' servers have been recorded in the past year which alarmed security officials. In early 2007, a Centers for Disease Control and Prevention Web site was infected with a virus, and in April, a Military Health System server holding Tricare records was hacked. Mark Walker, who works in DHS’ Critical Infrastructure Protection Division, said the hackers are seeking to exfiltrate health care data probably for espionage. DHS is increasing its analysis staff to monitor threats in several industries, including health care, and will be issuing more alerts about cyberthreats to health care data, he said. He added further that DHS wants to build a database of health information system intrusions so it can better analyze the threats and develop countermeasures.

More on this report here.

Friday, 18 January 2008 11:49:15 (W. Europe Standard Time, UTC+01:00)  #     | 

A growing concern among security companies as well as the public this year is the burgeoning market for "protection racket." The computer security industry was said to have deteriorated with one sharing everything about newly discovered weaknesses to some within it involved in a protection racket. Researchers such as Paul Henry, vice-president of technology at Secure Computing, describe this trend as "a move by a small minority of security companies now paying hackers for exclusive access to newly discovered vulnerabilities. This ensures their customers are protected while the software vendor works out a solution and rolls out a patch, a process that can take weeks." This worries security experts because hackers are now being given a so-called legitimate route of selling vulnerabilities to a single company who then protect their own. "They don't have to run the risk of going to jail any more by actually using a vulnerability, they can just threaten you with it and they get paid. It's extortion," says Henry.

Security researchers are said to be drawn to this new practice due to bad treatment from well-known software companies. Henry explains that "there have been cases where people reporting vulnerabilities to software companies have been treated terribly and threatened with legal action because the vendors just don't want to look stupid. Security researchers that have found a vulnerability won't get paid by a vendor, and if they think they actually might end up talking to their lawyers and being threatened, then it's hardly surprising they end up selling vulnerabilities to security companies."

Read the full article on The Guardian.

Friday, 18 January 2008 11:33:53 (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, 17 January 2008

The UN Department of Economic and Social Affairs recently released the UN e-Government Survey 2008: From e-Government to Connected Governance, which presents an assessment of the new role of the government in enhancing public service delivery, while improving the efficiency and productivity of government processes and systems. It comprises two parts including a section which presents the findings of the UN e-Government Survey 2008 and a section focusing on the ‘how to’ approach connected governance.

For more information on the survey, visit the Global E-Government Survey 2008 website.
Access the complete survey here.

Thursday, 17 January 2008 09:18:21 (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, 16 January 2008

A documentary, "The New Face of Cybercrime," created by Academy award nominated director Fredric Golding and presented by Fortify Software, provides a face to the criminals' intent on hacking into systems today. Candid interviews with many industry leaders and executives of large organizations taking steps against these attacks are also included, providing perspective on how they think about these threats and what they are doing about them throughout their companies.

Wednesday, 16 January 2008 09:24:11 (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, 15 January 2008

The Storm Worm botnet, using its huge collection of infected computers, is now sending out phishing emails directing people to fake banking sites that it also hosts on the computers it remotely controls, according to F-Secure and Trend Micro. Apparently, Storm has never been involved in phishing up to this point, however, the new campaign may indicate, according to F-Secure, that Storm's controllers have figured out how to divide the massive army into clusters which it is now renting out to others. F-Secure and Trend Micro both reported that the phishing scam was using a technique known as fast-flux DNS to keep the phishing site alive. Fast-flux works by constantly changing the IP address in the internet's phone book system (known as DNS) and having multiple computers in the botnet host the phishing site. This makes it very difficult to blacklist a IP address and since the site isn't being hosted by a company that researchers could contact to take down the site, the site lives longer.

According to Paul Ferguson, an advanced threat researcher for security giant Trend Micro, the spam emails were sent from a different segment of the botnet than the phishing sites were hosted. The site used for phishing was just registered on Monday. Anti-phishing filters, such as the ones bundled into Opera, Firefox and IE7, have gotten pretty good at quickly adding sites to their blocked list, however, "the issue becomes how do you work to take it down and find the perpetrators," said Ferguson.

Read Ferguson's article on this incident on Trend Micro's Malware Blog.
Read the full article on Wired Blog Network.

Tuesday, 15 January 2008 17:41:20 (W. Europe Standard Time, UTC+01:00)  #     | 

Pushdo trojan, a fairly new and prolific threat being circulated in fake "E-card" emails, is classified as a more sophisticated "downloader" trojan due to its control server. According to the analysis of Secureworks, when executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80, and pretends to be an Apache webserver. Any request that doesn't have the correct URL format will be answered with the following content:

Looking for blackjack and hookers?

The Bender Bending Rodriguez text is simply misdirection to mask the true nature of the server - if the HTTP request contains the following parameters, one or more executables will be delivered via HTTP:

Typical Pushdo Request

The Pushdo controller is preloaded with multiple executable files - the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country, or provides the ability to target a specfic country or countries with a specific payload.

Pushdo's detection of the physical hard drive serial number as a identifier not only provides a unique ID for the infected system, but can also reveal information such as whether the code is running in a virtual machine or not. This could be a way for the malware author to spy on anti-virus companies using automated tools to monitor the malware download points.

Another anti-anti-malware function of Pushdo is that it looks at the names of all running processes and compare them to a list of anti-virus and personal firewall process names. Instead of killing off these processes, however, Pushdo merely reports back to the controller which ones are running, by appending "proc=" and a list of the matching process names to the HTTP request parameters. This enables the authors to determine which anti-virus engines or firewalls are preventing the malware from running or phoning home, by their absence from the statistics. This way the Pushdo author doesn't have to maintain a test environment for each AV/firewall product.

Recently, an e-card email containing a newer variant of Pushdo was received. Apparently taking notice that the Bleeding Snort project had published a signature (sid 2006377) to detect the Pushdo request variables in transit, the author has now changed the request to be less fingerprintable. An example of the new request format is:

GET /40e800142020202057202d4443574d414c393635393438366c0000003c66000000007600000002 HTTP/1.0

Apparently, the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild. Although it is unclear just how large the Cutwail botnet has become, the ambition of the project rivals that of other more well-known spam botnets, such as Storm.

Read the complete analysis on Pushdo here.
Read the blog entry detailing the trouble Sophos are having with the Pushdo trojan.

Tuesday, 15 January 2008 11:33:44 (W. Europe Standard Time, UTC+01:00)  #     | 

A new-generation worm-botnet known as Nugache, according to Dave Dittrich, might be the most advanced worm/botnet yet. It has no C&C server to target, has bots capable of sending encrypted packets and has the possibility of any peer on the network suddenly becoming the de facto leader of the botnet. However, despite numerous worms, viruses, bots and Trojans over the years having one or two of the features that Storm, Nugache, Rbot and other such programs possess, none has approached the breadth and depth of their feature sets. Rbot, with more than 100 features that users can choose from when compiling the bot, enables two different bots compiled from an identical source have nearly identical feature sets, yet look completely different to an antivirus engine.

A disturbing concern, experts say, is that there are several malware groups out there right now that are writing custom Trojans, rootkits and attack toolkits to the specifications of their customers, who are in turn using the malware not to build worldwide botnets like Storm, but to attack small slices of a certain industry, such as financial services or health care. A popular example of this is Rizo, a variant of Rbot. Like Nugache and Storm, Rizo has been modified a number of times to meet the requirements of various different attack scenarios. "Within the course of a few weeks, different versions of Rizo were used to attack customers of several different banks in South America. Once installed on a user's PC, it monitors Internet activity and gathers login credentials for online banking sites, which it then sends back to the attacker. It's standard behavior for these kinds of Trojans, but the amount of specificity and customization involved in the code and the ways in which the author changed it over time are what have researchers worried."

To read the full article on Nugache, click here.
More security related news at Schneier on Security.

Tuesday, 15 January 2008 10:12:09 (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, 20 December 2007

The article, Beware, botnets have your PC in their sights, by New Scientist republished by TMCnet, provides a brief discussion of the cybersecurity situation in developing countries and how the current conditions may later evolve into an enormous cybersecurity problem in the coming years. Although hackers and cybercriminals tend to attack computers in developed countries at the moment due to more stable and consistent Internet connectivity, it is foreseen that developing countries may be next in line with the increasing technological developments and initiatives such as the One Laptop Per Child (OLPC) programme and Intel's low-cost Classmate computer. "If thousands of Classmates are distributed without adequate security, or if a previously unknown flaw in BitFrost, OLPC's security system, emerges, the new generation of cheap PCs will lead to problems... The ITU is assuming that attacks of this kind are a foregone conclusion and is organising a global effort to help developing countries fortify themselves against them." ITU, with its Botnet Mitigation Toolkit and Cybersecurity efforts, aims to increase international cooperation among states and provide the training and expertise needed to build CERTs in developing countries.

Read the full article here.

More information on ITU Cybersecurity related activities here.

Thursday, 20 December 2007 12:26:39 (W. Europe Standard Time, UTC+01:00)  #     | 
 Wednesday, 19 December 2007

The OPTA Commission has imposed a fine of 1 million Euros on three Dutch enterprises, operating under the company name DollarRevenue, and their two directors, due to their unlawful installion of software on more than 22 million computers belonging to Internet users in the Netherlands and elsewhere. They primarily used misleading files, making Internet users believe that they were about to download apparently innocent files, whereas they actually contained DollarRevenue software. "They also used botnets, thereby installing files without user intervention. Each day 60,000 installations occurred on average. A total of more than 450 million program files were illegally placed on 22 million computers." With the enterprises and their directors having deliberately contravened provisions of the Universal Service and End Users Decree [Besluit universele dienstverlening en eindgebruikers], based on the Telecommunications Act [Telecommunicatiewet] and designed to promote safe Internet usage and to protect the privacy of Internet users, fines totalling 1 million Euros were imposed.

Read the full article on the OPTA website.

Wednesday, 19 December 2007 17:14:35 (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, 18 December 2007

ITU, in collaboration with the ictQATAR and Q-CERT, will be hosting a workshop 18-21 February 2008 entitled Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection (CIIP) and a Cybersecurity Forensics Workshop. The workshops will be held in Doha, Qatar.

The description of the event, draft agenda, invitation letter, and registration form for meeting participants are available on the event website.

Contact cybmail(at) with any general queries you may have related to the workshop.

Tuesday, 18 December 2007 17:33:04 (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, 17 December 2007

A presentation on "Measuring National Cybersecurity Readiness" has been posted online today on the ITU-D ICT Applications and Cybersecurity Division (CYB) website. The presentation by Robert Shaw, head of the ICT Applications and Cybersecurity division, provides background information and resources on cybersecurity, information on related ITU-D activities and initiatives, and other relevant activities. For more information on CYB's activities involving cybersecurity, visit the division website.

Monday, 17 December 2007 17:25:52 (W. Europe Standard Time, UTC+01:00)  #     | 
 Friday, 14 December 2007

According to McAfee, the website of the French Embassy in Libya is currently under attack through IFRAME injection. With the visit by Libyan President Muammar Khadafi in the country, controversy is stirring up which has apparently triggered interest among people behind the attack. The iframe routes the victim to sites hosted through Hong Kong provider, then it redirects the victim to Russia and Ukraine where exploit and downloaders are used (Exploit-YIMCAM and downloader-AUD). McAfee warns people not to attempt reaching the site as it is still dangerous.

For more information, visit the McAfee Blog.

Friday, 14 December 2007 10:12:11 (W. Europe Standard Time, UTC+01:00)  #     | 
 Thursday, 13 December 2007

The International Telecommunication Union (ITU) highlighted the role played by information and communication technologies (ICTs) as both a cause and a potential cure for climate change at the UN Conference on Climate Change in Bali, Indonesia, on 12 December.

ICTs can be used for remote monitoring of climate change and the gathering of crucial scientific data such as using telemetry or remote sensing by satellite. Smart and emerging technologies can be integrated into energy-efficient products, notably in next-generation networks (NGN) where ITU's Standardization sector (ITU-T) is carrying out vital specialized work.

Activities at the ITU's Development Sector (ITU-D) refer to promoting a role for information and communications technologies in the protection of the environment, together with partners from other international organizations and the industry. ITU-D also provides assistance to developing countries in emergency telecommunications as well as in the area of e-waste.

At the UN Conference, ITU raised awareness on standby services of ICT equipment such as computers and PC screens, DVD players, TVs and battery chargers, which places a burden on energy consumption. "Always-on" services, like broadband or mobile phones on standby, have increased energy consumption compared with fixed-line telephones, which do not require an independent power source.

ITU underlined an active commitment to promote the use of ICTs as a positive force to reduce greenhouse emissions and to find ways to mitigate the effects of climate change. In this regard, ITU can support and facilitate scientific studies aimed at implementation of new measures against the negative effects of climate change. As part of a unified effort of the UN system, ITU can contribute in its areas of expertise to support Member States and to foster partnerships with the private sector to develop more energy-efficient technologies.

For more information, click here.

Thursday, 13 December 2007 12:59:57 (W. Europe Standard Time, UTC+01:00)  #     | 
 Tuesday, 11 December 2007

PC Tools recently discovered a social-engineering attack that uses trickery rather than a software flaw to access victim's valuable information. It is a new program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners. The program is believed to be making the rounds in Russian chat forums such as CyberLover. According to PC Tools, the "bot" cannot be easily distinguished from a real potential suitor, and the software can work quickly establishing up to 10 relationships in 30 minutes. It then compiles a report on every person it meets complete with name, contact information, and photos, which then may be made available for fraudulent activities. "Although the program is currently targeting Russian Web sites, PC Tools is urging people in chat rooms and social networks elsewhere to be on the alert for such attacks. Their recommendations amount to just good sense in general, such as avoiding giving out personal information and using an alias when chatting online."

Read the full article here.

Tuesday, 11 December 2007 10:00:31 (W. Europe Standard Time, UTC+01:00)  #     | 
 Monday, 03 December 2007

Kelly Jackson Higgins, Senior Editor of Dark Reading wrote on how cyberwarfare has evolved into a growing underground market. According to experts, international cyber-spying is considered as the biggest threat for 2008 with the malware economy mimicking legitimate software markets. Malware suppliers are reportedly offering tools that make it easy for criminals with little technical know-how to commit their crimes, and many now advertise their 'products,' and offer support services as a value-add. These, as well as cyber-spying trends, are among the many findings of McAfee's annual Virtual Criminology Report released on 29 November 2007. The report was based on input from more than a dozen security experts from NATO, the FBI, SOCA, The London School of Economics, and the International Institute for Counter-Terrorism.

"What struck me through most of this report is the threat is more evolutionary than revolutionary -- things we've talked about as potentially developing are now status quo," says David Marcus, senior research and communications manager for McAfee. "That's the disturbing part. Cyberwarfare, or state-sponsored malware, is business as usual." According to the report, what further concerns governments is that this malware, as well as the burgeoning market for zero-day exploits, sold in the black market can also be used for targeting government, banks or other sensitive infrastructures, such as the power grid.

Read the full article here.

Monday, 03 December 2007 11:25:11 (W. Europe Standard Time, UTC+01:00)  #     | 

The CSI Survey 2007, the 12th of its kind, by the Computer Security Institute, aims to raise the level of security awareness, as well as help determine the scope of computer crime in the United States. The survey strongly suggests in this year’s results that mounting threats are beginning to materialize as mounting losses. The survey results are based on the responses of 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.

Among the key findings from this year’s survey are:

  • The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year. Not since the 2004 report have average losses been this high.
  • Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident further said they’d suffered a “targeted attack,” defined as a malware attack aimed exclusively at their organization or at organizations within a small subset of the general population.
  • Financial fraud overtook virus attacks as the source of the greatest financial losses. Virus losses, which had been the leading cause of loss for seven straight years, fell to second place. If separate categories concerned with the loss of customer and proprietary data are lumped together, however, then that combined category would be the second-worst cause of financial loss. Another significant cause of loss was system penetration by outsiders.
  • Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively.
  • When asked generally whether they’d suffered a security incident, 46 percent of respondents said yes, down from 53 percent last year and 56 percent the year before.
  • The percentage of organizations reporting computer intrusions to law enforcement continued upward after reversing a multi-year decline over the past two years, standing now at 29 percent as compared to 25 percent in last year’s report.

For the complete detailed survey results, click here.

Monday, 03 December 2007 10:28:54 (W. Europe Standard Time, UTC+01:00)  #     | 

A Taxonomy of Privacy by Daniel J. Solove, an associate professor at the George Washington University Law School, won the Privacy Enhancing Technologies award 2006. This paper attempts to identify privacy problems in a comprehensive and concrete manner, and it aims to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law.

“Privacy is a concept in disarray,” Solove says. “Abstract incantations of ‘privacy’ are not nuanced enough to capture the problems involved. The law has often failed to adequately protect privacy, and privacy problems are frequently misconstrued or inconsistently recognised. Without an understanding of what the privacy problems are, how can privacy be addressed in a meaningful way?”

His taxonomy defines threats to privacy from the perspective of the individual, in four categories of potentially harmful activities — information collection, information processing, information dissemination and invasion. With the help of this more comprehensive taxonomy, Solove hopes that privacy considerations can be better recognised and balanced against opposing interests.

Read the full paper here.

Monday, 03 December 2007 10:02:12 (W. Europe Standard Time, UTC+01:00)  #     |