Cable Forum

-   -   'Two weeks' to block cyber-attack (https://www.cableforum.uk/board/showthread.php?t=33697820)

Hugh 02-06-2014 16:57

'Two weeks' to block cyber-attack
 
BBC

Quote:

People have "two weeks" to protect themselves from a "powerful computer attack", the UK's National Crime Agency (NCA) has warned.

Users are being told to take "immediate" action to protect their computers after US authorities seized a major criminal network.

The FBI, working with the NCA, has taken control of a botnet used to steal personal and financial data.

More than 15,000 machines in the UK are thought to have been infected to date.

Internet service providers (ISPs) will be contacting customers known to have been affected by either letter or email. The first notices were sent out on Monday, the BBC understands.

The action related to a strain of malware - meaning malicious software - known as Gameover Zeus. Its alternative names include GOZeus and P2PZeus.

qasdfdsaq 02-06-2014 21:42

Re: 'Two weeks' to block cyber-attack
 
So the botnet is under control of the FBI, so we have two weeks to prepare for an attack? Are the FBI going to attack us?!

I'm confused.

Qtx 02-06-2014 21:45

Re: 'Two weeks' to block cyber-attack
 
The authorities can take over C&Cs but aren't that great at doing much beyond that. They could send updates to the zombies that made the infection inert, but they would need to know the right keys, and Zeus uses encryption which is different per Zeus customer.

The Gameover variant of Zeus can update over peer-to-peer so it doesn't really need the domains and control centre boxes. They need to take down the infection methods or the botnet will still grow. The Cutwail spam botnet and servers with the Magnitude exploit kit are still adding more zombies to the Gameover botnet every day.

Malware writers are winning the technical game but they can't code around arrest warrants...

qasdfdsaq 02-06-2014 23:34

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Qtx (Post 35703644)
Malware writers are winning the technical game but they can't code around arrest warrants...

Sure they can, write the code to point the finger elsewhere so someone else gets arrested :P

Ignitionnet 03-06-2014 00:16

Re: 'Two weeks' to block cyber-attack
 
What happens in two weeks?

Paul 03-06-2014 01:06

Re: 'Two weeks' to block cyber-attack
 
Somebody gets attacked, I think, but I'm not really very clear on who.

Toto 03-06-2014 06:26

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Ignitionnet (Post 35703670)
What happens in two weeks?

The two weeks is an estimate as to how long it will take the malware writers to regain control of their command and control systems and start re-infecting. Some are claiming it could be a few days not two weeks, they don't really know.

The current cut-off is allowing authorities to understand the level of infection, and get ISPs to make contact with affected customers, hopefully giving those infected a chance to get their systems cleaned.

Two weeks as a conservative estimate is not enough time though, but at least the issue is getting media coverage.

Full NCA article here.

tizmeinnit 03-06-2014 10:50

Re: 'Two weeks' to block cyber-attack
 
I also find it strange that there don't appear to be any direct links to anything that tells users how to detect and get rid of this. I haven't fully read the article, but all I can see is that it's saying to look for Get Safe Online on Facebook and Google+.

---------- Post added at 11:50 ---------- Previous post was at 11:48 ----------

Anyway, Get Safe Online links to these tools: http://www.symantec.com/security_res...052915-1402-99

http://www.f-secure.com/en/web/home_...online-scanner

and a few others

Ignitionnet 03-06-2014 12:06

Re: 'Two weeks' to block cyber-attack
 
Right I think I get the idea, they've probably done a takeover in a similar manner to how Torpig was taken over, except given it's law enforcement they seized the domains the botnet was chatting to rather than spotting a window in the malware where domains weren't registered.

I look forward to reading the reports. Usually there's the malware itself, the bot, and a downloader. When Torpig was taken over they managed to take over the botnet however the downloader was still under the control of the miscreants who pushed a new version of the malware with updated domains.

If they don't have control of both the botnet C+C and the downloader C+C this may be a rather short 2 weeks but that's probably where the 2 weeks comes from, the period before the botnet moves onto a different domain that the authorities don't have control over.

qasdfdsaq 03-06-2014 12:55

Re: 'Two weeks' to block cyber-attack
 
So rather than two weeks to "block a powerful computer attack" what they really mean is things will be quiet for 2 weeks and then it'll be back to business as usual.

Rather exaggerated and sensationalist if you ask me...

Toto 03-06-2014 13:38

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by qasdfdsaq (Post 35703732)
So rather than two weeks to "block a powerful computer attack" what they really mean is things will be quiet for 2 weeks and then it'll be back to business as usual.

Rather exaggerated and sensationalist if you ask me...

Agreed.

BBC rolled out Graham Clueless earlier today, I really don't know why they give that man airtime. Anyway, essentially the advice is that during this small window of opportunity all Windows users should patch their O/S and run an up-to-date antivirus scan.

McAfee's Stinger application has been engineered to detect these particular malware types, although folks who already have their important files encrypted by CryptoLocker will only be able to remove the malware, not recover their files.

Ignitionnet 03-06-2014 14:11

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Toto (Post 35703747)
Agreed.

BBC rolled out Graham Clueless earlier today, I really don't know why they give that man airtime. Anyway, essentially the advice is that during this small window of opportunity all Windows users should patch their O/S and run an up-to-date antivirus scan.

Nice placebo there.

30 days after release AV detects ~60% of new malware and variants.

If you already have this you're hosed so patching is an exercise in futility not least because the infection vectors tend to be dodgy plugins rather than the OS itself.

I really do regret that malware course at times like these. It's made me so cynical. :(

Anonymouse 03-06-2014 14:50

Re: 'Two weeks' to block cyber-attack
 
Ooh, things like this really get my goat! Once again, governments etc. are solving the wrong problem. Once again we have a story about hacking being reported, and once again, there is not one word about the real cause - namely people browsing the Internet with administrator accounts because the poor sods usually don't know any better!

I've never heard of a PC shop or store which takes the trouble to explain the difference between admin and user accounts, or why it's important. Yet browsing via a user account will stop all but the most sophisticated attacks in their tracks, because Windows itself simply won't let the scumware install in the first place.

Whenever I have someone asking me about a new PC, I always, always tell them to create one admin account and as many user accounts as they need, explaining why as simply as necessary. The best analogy is that it's the difference between having a ticket to a rock concert and having a backstage pass.

It's simple. DO NOT BROWSE USING AN ADMINISTRATOR ACCOUNT UNLESS YOU *KNOW* THE SITE IS SECURE AND/OR CLEAN. EVER.

If you need to install something you've downloaded, the safest way is to: download it via the user account; switch to the admin account; disable internet access unless the installation needs to be verified online or whatever; install the software; then log back onto your user account. As long as you keep firewall and antiviral software updated, your PC will be as secure as it can be without disconnecting it from the Internet altogether. Putting it behind a router is even better, as it adds hardware protection. Administrator accounts should be used only for installing software and making changes to system policies, not browsing.

And don't forget to secure your wireless networks, peeps!

Had Microsoft not elected to treat its users like know-nothing idiots and explained about admin and user accounts in the user manuals when the NT-based versions of Windows first came out, I suspect the global virus problem would be nowhere near as bad as it is. These damn botnets might never have had a chance to establish in the first place.

On the other hand, hindsight is of course as perfect as it is useless. :p:

qasdfdsaq 03-06-2014 15:44

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Anonymouse (Post 35703762)
Whenever I have someone asking me about a new PC, I always, always tell them to create one admin account and as many user accounts as they need, explaining why as simply as necessary. The best analogy is that it's the difference between having a ticket to a rock concert and having a backstage pass.

It's simple. DO NOT BROWSE USING AN ADMINISTRATOR ACCOUNT UNLESS YOU *KNOW* THE SITE IS SECURE AND/OR CLEAN. EVER.

Totally superfluous advice.

Logging in under an "administrator account" does not mean any program you run is given administrator privileges. All current versions of Windows explicitly prompt the user to allow an application administrative access, and unless the user actually allows it, all applications ARE run as a non-administrative user account.

All that changing to a user account does is change the privilege escalation dialog to require a user type their password instead of clicking OK. It makes no sodding difference in the grand scheme of things. If a user erroneously clicks "Allow" when they shouldn't they're going to type their password and click "Allow" under the same circumstances.

Your analogy is also totally incorrect. The real equivalent is the difference between having a backstage pass and having a backstage pass. Only in the latter the doorman asks to check your ID against your pass when you go backstage instead of checking your ID at the door.

Qtx 03-06-2014 18:57

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by heero_yuy (Post 35703792)
This vulnerability is spread as so many others by a malicious e-mail attach.

It uses email attachments from a spamming botnet but also uses drive by downloads using the Magnitude exploit kit. So you can get infected just by visiting a site too.

---------- Post added at 19:57 ---------- Previous post was at 19:56 ----------

Quote:

Originally Posted by Ignitionnet (Post 35703755)
30 days after release AV detects ~60% of new malware and variants.

<snip>

I really do regret that malware course at times like these. It's made me so cynical. :(

Yet people think you have a screw loose when you tell them AV is far from foolproof and easy to bypass....

Ignitionnet 03-06-2014 21:52

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by heero_yuy (Post 35703792)
Even then you can be vulnerable to malicious scripts if you use IE.

To be honest, more often it's Java vulnerabilities and other plug-ins that are the problem rather than IE or any other browser per se.

Malware escaping the JRE sandbox is bad whichever browser the JRE is running through.

alanbjames 04-06-2014 08:06

Re: 'Two weeks' to block cyber-attack
 
Well, I have just scanned my PC using the Symantec tool and all it found were two problems which are false positives.

Incredimail & Update.exe which is to do with Nero.

alferret 04-06-2014 09:39

Scaremongering, panic stations Mr Mainwaring!

Stuart 04-06-2014 10:02

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Ignitionnet (Post 35703901)
To be honest more often it's Java vulnerabilities and other plug-ins that are the problem rather than IE or any other browser per se.

Malware escaping the JRE sandbox is bad whichever browser the JRE is running through.

That's one thing people forget.

It's easy to blame Windows (or any OS) or any particular browser because these have produced lots of attack vectors in the past. But, Microsoft, Apple, the various Linux maintainers, and the browser manufacturers have all spent a lot of time and money over the last few years hardening the security on their code. They've experienced the problems and have worked to solve them.

As such, it's often easier for the bad guys to attack other software (something made easier by the fact that software that really doesn't need it is demanding network access now). The companies behind this software haven't had the problems to do with, so probably aren't prepared for them. At the moment, browser plugins and Java are being attacked and I think both Adobe and Oracle are working hard to improve the security in their products as a result. Neither are quite there yet, but it took the OS manufacturers a few years to get their act together.

I don't know what the next attack vector will be but I suspect it'll be other devices (such as smart TVs) that are suddenly wanting internet access as the companies behind these may not have a lot of experience of developing secure software. Or they may not be willing to spend the cash required to update old devices. Think about that. Microsoft have not long stopped patching a 13 year old OS. How many devices do you know of that receive updates beyond a year or two after release, if they receive any at all (I have an old Philips Freeview box that I bought when Freeview launched and it has never received a software update).

Ignitionnet 04-06-2014 10:16

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Stuart (Post 35703979)
I don't know what the next attack vector will be but I suspect it'll be other devices (such as smart TVs) that are suddenly wanting internet access as the companies behind these may not have a lot of experience of developing secure software.

Android smartphones. What, you thought that you were the only person who wanted to root your phone? ;)

Smart TVs are pretty disinteresting as they don't hold any private data and aren't really used to do anything that involves it.

qasdfdsaq 04-06-2014 12:36

Re: 'Two weeks' to block cyber-attack
 
Botnets are just as useful for outputting data (spam, DDoS, etc.) on behalf of the controllers as they are for gathering data from infected machines.

Qtx 04-06-2014 13:01

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Ignitionnet (Post 35703901)
To be honest more often it's Java vulnerabilities and other plug-ins that are the problem rather than IE or any other browser per se.

If we ignore ActiveX... Java, Flash, PDF and Office documents are the most common plugins that lead to a compromise through the browser or OS.

---------- Post added at 13:59 ---------- Previous post was at 13:53 ----------

Quote:

Originally Posted by Stuart (Post 35703979)
I don't know what the next attack vector will be but I suspect it'll be other devices (such as smart TVs) that are suddenly wanting internet access as the companies behind these may not have a lot of experience of developing secure software.

There are already vulnerabilities found in smart TVs, which are mostly running a kind of sandboxed Linux. Attacking these is not very useful for the average hacker at the moment, but that may change if banking apps become common. TVs with microphones and built-in cameras are becoming more common and the security agencies will like to pwn those :)

Mobile phones have software issues but there is still a fundamental problem relating to SIMs and sending a dodgy message via most networks, which not many people are shouting about. The phone networks can fix the problem easy but that would stop GCHQ from making use of it. It's the only reason I can see that they wouldn't block this backdoor which has been known about for about 2 or 3 years now.

Internet connected fridges and toasters could indeed in theory send out spam.

---------- Post added at 14:01 ---------- Previous post was at 13:59 ----------

Quote:

Originally Posted by Ignitionnet (Post 35703984)
Smart TVs are pretty disinteresting as they don't hold any private data and aren't really used to do anything that involves it.

It's not stored data, it's data they send via HTTP or other protocols which is of interest. If you use your TV to log in to your email or Twitter, there is a good chance you use that password elsewhere. If you can get the email password then you could potentially have access to all the accounts of that person.

Ignitionnet 04-06-2014 14:19

Re: 'Two weeks' to block cyber-attack
 
Naturally but it is scraping the bottom of the barrel to go down that route just yet. Very few people use their TV to access anything interesting, about the most you might get are Netflix credentials.

For sure Smart TV security is awful but for now Android-based devices are way more lucrative and ubiquitous.

No doubt as soon as people start using the TVs for everything they'll get more attention. The best bet for those is probably to keep them in walled gardens to be honest.

Qtx 04-06-2014 15:06

Re: 'Two weeks' to block cyber-attack
 
That is what it boils down to and has for years: what is most popular and will lead to the most infections. Infect that. That is why Internet Explorer and Windows were the main targets for drive-by downloads. Not that many internet connected TVs out there at the moment, no point spending time getting those infected.

Again you have to differentiate between a targeted attack and mass infections. If you are targeting an individual then everything is useful and it could be beneficial to sniff Netflix logins in case the same password is used elsewhere like email. If you are after bank logins it's a numbers game and you try and infect as many people as possible knowing a percentage of those installs will give the goodies, while the others can still be used for DDoS, sending spam, ransomware or other activities.

Plenty of Android malware on the Play Store disguised as antivirus software, and Android is a very lucrative platform with a large number of potential victims. Some custom ROMs (particularly Chinese/China based) available for download are pre-rootkitted so are well hidden from being spotted too. Gonna get worse before it gets better :(

qasdfdsaq 04-06-2014 15:22

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Qtx (Post 35704102)
That is what it boils down to and has for years, what is most popular and will lead to the most infections. Infect that. That is why Internet Explorer and windows were the main targets for drive by downloads. Not that many internet connected tv's out there at the moment, no point spending time getting those infected.

I do see a lot more malware and spammy adverts targeting Android these days. Some specifically designed for certain brands' browsers as well on popular sites. It's definitely taking off, and indeed, mostly because there are just so many devices and a lot of manufacturers are really bad at updating/patching older models.

Ignitionnet 04-06-2014 15:41

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Qtx (Post 35704102)
Plenty of Android malware on the play store disguised as Antivirus software and Android is a very lucrative platform with a large number of potential victims. Some custom roms (particularly Chinese/China based) available for download are pre-rootkitted so are well hidden from being spotted too. Gonna get worse before it gets better :(

Heh there's at least one Android Malware that actually co-operates with PC malware to steal money from online banking. It uses a broadcast receiver to intercept SMS.

The malware between them steal online banking credentials for bank(s) that use SMS to authenticate online transfers, then after a C&C request initiate a transfer to an account to receive the cash.

The SMS authentication gets intercepted by the Android malware and is used to complete the transaction without the user's knowledge. :)

See how many members disconnect from the Internet after reading this thread.

Qtx 04-06-2014 15:55

Re: 'Two weeks' to block cyber-attack
 
That technique has been in use by a Zeus banking variant for over three years now. There was a completely independent malware strain found at the beginning of this year that does the same and a big fuss was made about it. It was the end of 2010 or beginning of 2011 that the method was first seen in malware.

Plenty of apps out there that anyone can download to intercept SMS and forward them to another phone without the user knowing too. Probably find some of them on the Play Store too.

The more people use two factor authentication, the more common this will become in other malware. Time for 3 and 4 factor authorisation with passcode, fuzzy logic and quantum bits :LOL:

Hugh 04-06-2014 20:12

Re: 'Two weeks' to block cyber-attack
 
Unfortunately, security has to be easy/simple to use for the lay/less experienced user.

I used to work for a major Financial Services company, and we encrypted all laptops (this was in 2003) - the number of times the Chairman or the CFO would lock themselves out (once or twice a week).

qasdfdsaq 04-06-2014 21:19

Re: 'Two weeks' to block cyber-attack
 
Similarly some of our encryption hardware is, IMO, a bit overkill. Some encrypted memory sticks will, for example, destroy the decryption key after 10 incorrect password attempts, rendering it impossible to access your data if someone enters the wrong password a few times, even if you remember the correct one eventually.

Have to advise people not to store critical data on there, which sorta defeats the purpose of using encrypted sticks in the first place.

thenry 05-06-2014 20:11

Re: 'Two weeks' to block cyber-attack
 
A fair few attacks have been made on anti-virus support community forums, gaining access to usernames, passwords and email addresses. I had an email from ESET earlier.

Stuart 06-06-2014 08:55

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Ignitionnet (Post 35703984)
Android smartphones. What, you thought that you were the only person who wanted to root your phone? ;)

Phones are the obvious target. Android phones currently attract the most malware, but while Apple is currently doing a good job of protecting non-jailbroken iOS devices, there's no guarantee they'll continue to be able to do so, so iOS devices are also a potential target.

Quote:

Smart TVs are pretty disinteresting as they don't hold any private data and aren't really used to do anything that involves it.
I think Smart TVs would only really be of any use if you wanted to spy on the owners (most seem to have webcams and microphones now), you wanted to send out a lot of spam, to sniff out (and infect) computers with ports open that may be blocked by the router's firewall or to act as very slow bitcoin miners.

---------- Post added at 09:55 ---------- Previous post was at 09:47 ----------

Quote:

Originally Posted by Hugh (Post 35704223)
Unfortunately, security has to be easy/simple to use for the lay/less experienced user.

I used to work for a major Financial Services company, and we encrypted all laptops (this was in 2003) - the number of times the Chairman or the CFO would lock themselves out (once or twice a week).

I think security also has to be appropriate for purpose. What I mean by this is, is there any point in spending the time and money (if needed) to set up a decent security system if all you are going to do on the computer is go on Facebook or Twitter from time to time and not store any sensitive data beyond photos of the owner falling around drunk on some sunny party island?

qasdfdsaq 06-06-2014 15:52

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Stuart (Post 35704630)
or to act as very slow bitcoin miners.

Lol.

Quote:

sensitive data beyond photos of the owner falling around drunk in some sunny party island.

Some people could use said pictures as blackmail.. ;)

Qtx 11-06-2014 18:08

Re: 'Two weeks' to block cyber-attack
 
Quote:

Originally Posted by Stuart (Post 35704630)
I think Smart TVs would only really be of any use if you wanted to spy on the owners (most seem to have webcams and microphones now), you wanted to send out a lot of spam, to sniff out (and infect) computers with ports open that may be blocked by the router's firewall or to act as very slow bitcoin miners.

Looks like any internet connected TV, smart or not, can be abused for DDoS or other uses en masse via the Hybrid Broadband protocol standard most new TVs have implemented. It's basically like HTML for the TV that does the red button type graphic displays and such. A cheap bit of radio transmitting hardware attached to your laptop lets you broadcast your malicious code to all the TVs in the surrounding area. An interesting read: From the Aether to the Ethernet – Attacking the Internet using Broadcast Digital Television

Ignitionnet 30-06-2014 22:52

Re: 'Two weeks' to block cyber-attack
 
Well the Internet hasn't ended...

qasdfdsaq 01-07-2014 13:03

Re: 'Two weeks' to block cyber-attack
 
That's what they want you to think

Hugh 02-07-2014 00:06

Re: 'Two weeks' to block cyber-attack
 
It went down briefly, but they failed over to a synchronous image........

qasdfdsaq 02-07-2014 01:05

Re: 'Two weeks' to block cyber-attack
 
They should have used VMWare Fault Tolerant mode, which keeps both CPUs in lockstep not just the disk image.

Ignitionnet 02-07-2014 10:14

Re: 'Two weeks' to block cyber-attack
 
Latency was too high.

qasdfdsaq 02-07-2014 13:56

Re: 'Two weeks' to block cyber-attack
 
Still better than ending the internet, even if only briefly.

Qtx 15-07-2014 15:12

Re: 'Two weeks' to block cyber-attack
 
Gameover ZeuS botnet pulls dripping stake from heart, staggers back from the UNDEAD

Quote:

The Gameover ZeuS malware is back from the dead just six weeks after a takedown operation that aimed to put a stake through the heart of the botnet, which is linked to the even more infamous CryptoLocker ransomware.

Quote:

Some features of the old version have been dropped, including parts that were supposed to make it more sophisticated, in a move towards greater simplicity. In particular, the latest variant of the malware swaps P2P for fast-flux communication.

The latest variant of the malware tries phoning home to 1,000 domain names per day in order to receive command-and-control instructions. The crooks seem to be leaving it until the last minute to register domains they intend to use, according to an analysis of the latest variant by James Wyke, a senior threat researcher at Sophos.

The domain registering trick is at least 5 years old, if not older. Going back to basics and hoping the algorithm for domain name generation doesn't get figured out.

Quote:

Fast Flux is a technique that allows a criminal who controls many servers to obfuscate the true location of his server by building a tiered infrastructure.

Qtx 16-08-2014 23:38

Re: 'Two weeks' to block cyber-attack
 
Quote:

Researchers Dave Loftus and Dennis Schwarz found the bot, now reborn as newGOZ, had ramped up its defences, dumping command and control for a more robust domain generation algorithm (DGA) and a fast flux DNS technique.

The DGA registered new domains based on time and date to make the bot more elusive.

However, researchers from across the security industry have been able to crack the DGA configurations and register the domains before newGOZ had a chance to do so, meaning the researchers would receive – and thus be able to study – traffic from compromised machines.

New article shows that the botnet is up to 12k zombies and still growing: http://www.theregister.co.uk/2014/08..._the_dead_as_/
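As an added illustration (not code from the article, the thread, or the malware itself), here is a constructed stand-in for a date-seeded DGA together with the two defender-side uses the quoted articles describe: computing a day's candidate domains ahead of time so they can be registered or sinkholed first, and matching DNS query logs against them to spot infected hosts. The seed, TLD rotation, and log line format are assumptions; the generator is a toy with the same shape as newGOZ's (deterministic per day, ~1,000 candidates), not the real algorithm.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Hypothetical TLD rotation and seed; nothing here reproduces the real newGOZ DGA.
TLDS = ("com", "net", "org", "biz", "info")
DEFAULT_SEED = "constructed-seed"


def dga_domains(day: date, seed: str = DEFAULT_SEED, count: int = 1000) -> list[str]:
    """Return the `count` candidate domains a bot would try on `day`.

    Each domain is derived from (seed, date, index) through SHA-256, so anyone
    who has recovered the seed from a sample can reproduce the whole list. That
    reproducibility is what lets researchers register the domains first.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        # 12 lowercase letters, one per leading digest byte
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def sinkhole_targets(start: date, days_ahead: int, seed: str = DEFAULT_SEED,
                     count: int = 1000) -> list[str]:
    """Domains to pre-register or sinkhole for `days_ahead` days starting at `start`."""
    targets: list[str] = []
    for offset in range(days_ahead):
        targets.extend(dga_domains(start + timedelta(days=offset), seed, count))
    return targets


def detect_dga_lookups(log_lines, day: date, seed: str = DEFAULT_SEED,
                       count: int = 1000) -> list[tuple[str, str]]:
    """Flag (client_ip, qname) pairs whose DNS query hits the DGA output for
    `day` or its neighbours, to tolerate bots running with a skewed clock."""
    watch: set[str] = set()
    for offset in (-1, 0, 1):
        watch.update(dga_domains(day + timedelta(days=offset), seed, count))
    hits = []
    for line in log_lines:
        parts = line.split()
        # constructed resolver log shape: "<timestamp> <client_ip> query <qtype> <qname>"
        if len(parts) < 5 or parts[2] != "query":
            continue
        qname = parts[4].rstrip(".").lower()
        if qname in watch:
            hits.append((parts[1], qname))
    return hits


# Constructed sample log: one client querying a generated domain, one normal client.
DAY = date(2014, 8, 14)
SAMPLE_LOG = [
    "2014-08-14T10:01:02 192.0.2.10 query A www.bbc.co.uk.",
    f"2014-08-14T10:01:07 192.0.2.10 query A {dga_domains(DAY)[3]}.",
    "2014-08-14T10:02:11 192.0.2.20 query AAAA www.cableforum.uk.",
]

if __name__ == "__main__":
    print("domains to sinkhole for the next 7 days:", len(sinkhole_targets(DAY, 7)))
    for ip, name in detect_dga_lookups(SAMPLE_LOG, DAY):
        print(f"possible infection: {ip} looked up {name}")
```

Real DGAs differ in seed source, alphabet and TLD choice, so in practice the generator would be replaced with one reverse-engineered from a sample while the sinkholing and log-matching logic stays the same.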

qasdfdsaq 18-08-2014 01:59

Re: 'Two weeks' to block cyber-attack
 
12k zombies isn't really that many, I've worked in places that have had 12k living...

Qtx 18-08-2014 14:59

Re: 'Two weeks' to block cyber-attack
 
Looks like GCHQ/NSA etc have more innocent users as zombies than this botnet :P

http://www.theinquirer.net/inquirer/...enda-programme

One of the slides suggests they actually exploit the systems to have them ready for use hiding their attacks, rather than just having a list of vulnerable ones ready to exploit if needed. Either way, no difference between governments, hackers or crime-based botnet herders, except for the fact it's legal when one of them does it.


All Posts and Content are © Cable Forum