Tonight on 60 Minutes: Conficker and cyber-crime
The view from the server room.
IT heads at the top 20 firms admit that they are particularly wary of confidential material being downloaded into a transportable form now that the credit crunch has begun to bite and is costing jobs both internally and among their top financial institution clients.
At magic circle giant Allen & Overy (A&O), which last month announced job cuts affecting 9% of its workforce, IT director Jason Haines said: “Most law firm employees are bound by a professional conduct code but we would be careless if we weren’t being a bit more vigilant.”
The pressure is arising not only out of concerns that disgruntled employees may download firm precedents and other closely guarded intellectual property, but out of the need to meet a higher security bar imposed by many clients in relation to confidential material.
Addleshaw Goddard’s head of IT Graham van Terhayden said: “Clients want to do extra audits and are asking more questions about our capability and redoubling their questions.
“The more clients ask the question, the more we will focus on it.”
While many of the top firms have long banned access to social networking sites such as Facebook, the majority allow lawyers to use mobile media such as USB keys.
But where some firms are still monitoring activity on an ad hoc basis, others have rolled out constant surveillance of all employees.
The new variant, which Symantec calls W32.Downadup.C, appears to have defensive capabilities that weren't present in earlier versions. While it spreads in the same manner, "Conficker.C" can disable some of the tools used to detect and eradicate it, including antivirus and other antimalware detection tools.
W32.Downadup.C also can switch domains at a much greater rate, Symantec said. "The Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm," the researchers reported. "The new domain generation algorithm also uses one of a possible 116 domain suffixes."
A report from CA about Conficker.C confirms Symantec's findings, although the CA researchers said the jump from 500 to 50,000 domains will not occur until April 1.
The ability to quickly switch domains will make it difficult for Internet security organizations, such as ICANN and OpenDNS, to block the domains used by the worm, industry experts note.
The new variant emerges just as some vendors have come out with tools they say will eradicate the worm. today issued a new, free tool that it says will remove Conficker.A and Conficker.B from infected machines. A spokesman says the company has begun work on the new variant. And BitDefender also is offering a free tool it says will remove all variants of the worm.
Perhaps the most disconcerting aspect of the worm is that although it has reportedly infected hundreds of thousands of machines, it does not, as yet, seem to have a purpose. Although it has been contacting domains and spreading itself through various means, security experts say it has yet to be given a task -- such as distributing spam or launching a DDoS attack -- and researchers are still uncertain as to what it might be used for.
And some experts say there may be other exploits that behave like Conficker/Downadup. "BitDefender Labs has been seeing an increase in worms, like Downadup, that have a built-in mathematical algorithm, generating strings based on the current date," says Vlad Valceanu, BitDefender's senior malware analyst. "The worms then produce a fixed number of domain names on a daily basis and check them for updates. This makes it easy for malware writers and cybercriminals to upgrade a worm or give it a new payload, as they only have to register one of the domains and then upload the files."
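The behaviour described above, a fixed number of date-seeded, random-looking domains queried every day, most of which are unregistered, is also what makes such worms visible on a resolver: an infected host produces a burst of NXDOMAIN answers for high-entropy second-level labels. The script below is an added example written for this post, not code from Symantec, CA or BitDefender; it scores constructed resolver log lines (the `<time> <client-ip> <qname> <rcode>` format, the entropy threshold and the per-host count threshold are all assumptions) and reports clients that exceed the threshold.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines for this example (not from the post).
# Format assumed here: "<time> <client-ip> <qname> <rcode>".
SAMPLE_LOG = """\
2009-03-10T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-10T10:00:03 10.0.0.5 gogle.com NXDOMAIN
2009-03-10T10:00:04 10.0.0.5 cbsnews.com NOERROR
2009-03-10T10:00:02 10.0.0.7 qmxzvkpluhwt.com NXDOMAIN
2009-03-10T10:00:02 10.0.0.7 wdpoxqhlzvfk.net NXDOMAIN
2009-03-10T10:00:03 10.0.0.7 jrgytbnmcezx.org NXDOMAIN
2009-03-10T10:00:03 10.0.0.7 hfkqpwzdvlnt.info NXDOMAIN
2009-03-10T10:00:04 10.0.0.7 uvxtrqplkwzb.biz NXDOMAIN
2009-03-10T10:00:04 10.0.0.7 mcdzxwqvhkgp.ws NXDOMAIN
2009-03-10T10:00:05 10.0.0.7 www.example.com NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a query name.

    Assumption: single-label public suffixes (.com, .net, ...). A real
    deployment would consult a public-suffix list to handle co.uk etc.
    """
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=8, min_entropy=3.0):
    """Heuristic: long and high-entropy second-level label."""
    label = registrable_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return ts, client, qname, rcode


def flag_hosts(log_text, threshold=5):
    """Return {client: count} for clients with at least `threshold`
    NXDOMAIN answers for generated-looking names.

    Only failed lookups count: a DGA walks mostly unregistered names,
    so benign traffic to random-looking but resolvable hosts is ignored.
    """
    per_host = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN" and looks_generated(qname):
            per_host[client] += 1
    return {host: n for host, n in per_host.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in flag_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} NXDOMAIN lookups for generated-looking names")
```

In the constructed sample only 10.0.0.7 crosses the threshold; 10.0.0.5's single typo lookup (a short, low-entropy label) does not. The thresholds are deliberately loose for the example; on a real resolver you would tune them per day and per client and whitelist known CDN-style hostnames.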
The AV vs virus writer arms race continues. The bad guys always seem to be one step ahead, but with a worm as big as Conficker/Downadup, AV researchers are watching this situation closely.
This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned the local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).
The ARP spoofing malware they used was relatively common, but still AV detection was miserable with major AV programs missing it (both compromised machines had up to date AV programs installed).
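Because AV missed the malware on both hosts in the account above, the more reliable signal was on the wire: an ARP poisoner has to keep claiming the gateway's (and its victims') IP addresses with its own MAC. The script below is an added example for this post, not code from the incident or from any product; it replays constructed ARP reply observations (the tuple format and the addresses are assumptions) and raises alerts when an IP's MAC changes, when a statically trusted binding such as the gateway is contradicted, or when one MAC starts answering for several IPs.

```python
from collections import defaultdict

# Constructed ARP reply observations for this example (not from the post):
# (time, sender_ip, sender_mac) as a passive sniffer on the subnet would see them.
SAMPLE_ARP = [
    ("10:00:00", "10.0.0.1", "00:11:22:33:44:01"),  # real gateway
    ("10:00:01", "10.0.0.5", "00:11:22:33:44:05"),
    ("10:00:02", "10.0.0.9", "00:11:22:33:44:09"),
    ("10:00:10", "10.0.0.1", "00:11:22:33:44:ee"),  # compromised host claims gateway IP
    ("10:00:11", "10.0.0.5", "00:11:22:33:44:ee"),  # ...and the victims' IPs
    ("10:00:12", "10.0.0.9", "00:11:22:33:44:ee"),
    ("10:00:13", "10.0.0.7", "00:11:22:33:44:07"),  # unrelated, legitimate host
]


def analyze_arp(records, trusted=None, max_ips_per_mac=1):
    """Return a list of alert tuples; the first element is the alert kind.

    trusted: optional {ip: mac} static bindings (e.g. the gateway) that
             must never be contradicted.
    max_ips_per_mac: a MAC answering for more IPs than this is suspicious
             on a subnet without proxy-ARP (assumption for the example).
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen = {}                      # ip -> last MAC that claimed it
    ips_by_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in records:
        mac = mac.lower()
        # Contradiction of a statically known binding is the strongest signal.
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("static-mismatch", ts, ip, mac))
        # A binding that flips is how poisoning shows up on unmanaged subnets.
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("ip-mac-change", ts, ip, f"{prev}->{mac}"))
        seen[ip] = mac
        # One MAC answering for many IPs: a poisoner impersonating several hosts.
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:
            alerts.append(("mac-claims-many-ips", ts, mac, sorted(ips_by_mac[mac])))
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_ARP, trusted={"10.0.0.1": "00:11:22:33:44:01"}):
        print(alert)
```

The first three records produce no alerts; the poisoner's replies produce a static mismatch and a MAC change for the gateway, MAC changes for the two victim IPs, and one alert when the same MAC claims its second IP. In a hosting environment the same checks map onto switch features (DHCP snooping, dynamic ARP inspection) or a passive tool such as arpwatch; the point is that the network, not the endpoint AV, is where this kind of compromise was visible.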