
What Conficker was – and wasn't

Well, the big April 1st “doomsday” has come and gone.

I’ll admit that even though we really didn’t think anything malicious was going to happen, we did add a Conficker scanner to The Box (our security appliance at www.ebasedsecurity.com) so we could scan our clients’ systems.

Let me explain our thinking. We’ve been following Conficker all along the way. From the first strain to the most recent, we’ve been watching with our honeypots – collecting data and samples and determining what could happen. We’ve seen the changes, what it does and how it communicates with its “mother ship” waiting for its next set of instructions.

When news of Conficker hit mass media (60 Minutes did a piece on it), our non-technical gut feeling was that the cybercriminals wouldn’t actually do anything malicious with their code. There was too much public awareness.

Keep in mind that if they had, they could have created some real havoc on the Internet. Some experts (my Dad’s definition of an expert is: an ex is a has-been and a spurt is a drip under pressure) estimate that anywhere from 10 million to 100 million PCs are infected with Conficker.

If a cybercriminal or a group of cybercriminals has remote control of that many PCs and decides to launch an attack against some main Internet servers, they could overload them with so much bogus traffic that the servers become effectively unreachable.

Now, if they attacked the main DNS servers on the Internet (the servers that convert domain names to IP addresses), could they slow down or shut down the Internet? Possibly.

However, nothing happened.

Or did it?

What actually happened might be exactly what the cybercriminals wanted.

How many of you did Google searches for Conficker over the past week (the week before April 1)?

Many, many people (our research showed over 1.7 million) searched for “conficker scanner”, “conficker removal”, “remove conficker”, “find conficker” and numerous other terms.

Did you realize that many of the search results were offering solutions that actually infected your PC? Many of the websites that were displayed as a result of those search terms were created by the cybercriminals!

Could this have been the real intention of the cybercriminals? If so, this could be the biggest social engineering hack of all time. We examined many of these sites and found a number of them (64%) were selling Conficker scanners and removal tools. All of these “tools” we found were actually RATs (Remote Access Trojans), which provided the cybercriminals with remote control of the PC they were installed on.

And, “they” (the cybercriminals) got you to pay for it!

Are these guys geniuses or what?

Many of the sites that weren’t selling bogus removal tools tried to infect any PC that visited them. These infected websites used a variety of sneaky methods to infect PCs. One instance we found actually tried 17 different attacks on all the PCs visiting its infectious website.

If you’ve been following us, you know that legitimate websites serving malware are increasing. This coupled with infected websites serving malware makes the Internet a very dangerous place.

Fortunately for all of our clients with The Box, they don’t have to worry about things like this because The Box doesn’t allow downloads from non-whitelisted websites. What a concept.

That’s what Conficker was and what it wasn’t.

Anyone have comments? (comments that aren’t SPAM)


Are you really safe online?

According to a recent report by McAfee, here are some extremely interesting statistics:

  • 92% of users surveyed believed their anti-virus software was up to date, but only 51% had updated their anti-virus software within the past week
  • 73% of users surveyed believed they had a firewall installed and enabled, yet only 64% actually did
  • About 70% of PC users believed they had anti-spyware software, but only 55% actually had it installed
  • 25% of users surveyed believed they had anti-phishing software, but only 12% actually had the software
  • 42% of businesses surveyed dedicate just one hour a week to proactive IT security management, despite the fact that 21% acknowledged an attack could put them out of business
  • 44% of businesses surveyed think cybercrime is only an issue for larger organizations and does not affect them
  • 52% of businesses surveyed believe that because they are not well-known, cybercriminals will not target them
  • 45% of businesses surveyed do not think they are a “valuable target” for cybercriminals
  • 46% of businesses surveyed do not think they can be a source of profit for cybercriminals

Interesting, aren’t they?

If you’re a member of the 51% who had updated their anti-virus software within the past week, then you should read Secunia’s information after they tested 12 security suites. Their report states that after testing 12 major security suites with 300 different exploits, one suite blocked more than 10 times more than the next closest competitor – and it only blocked 64 out of the 300!

Here’s their report: http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf

Do a Google search using “evading anti-virus”. In the SERPs you’ll see tutorials on how to make a virus, trojan or worm undetectable by current anti-virus software. There are specific steps.

Here’s an article about how one strain of worm was undetectable: http://arstechnica.com/news.ars/post/20080408-new-kraken-worm-evading-harpoons-of-antivirus-programs.html

In the darker forums where we lurk as part of our security research, we’ve seen numerous “how to’s” on evading detection. Many of them are so simple that anyone with just a little computer knowledge could create their own undetectable virus.

Many of the cybercriminal “mobs” offer to recreate their malware if you buy it and then find that it’s detectable by anti-virus software.

If you’re one of the 64% that actually had a firewall installed, how was it configured? If you’re like most people, you have the default firewall settings and you never, ever read the logs to see how people are trying to get in. Most of the people we’ve talked with reply by saying, “My firewall has logs?”

Has your firewall ever been tested? I guarantee it has been by a hacker, but have you ever had it tested? Have you had a security scan performed on your firewall? In the security world, we believe that an untested firewall is no security at all.

If you’re one of the 21% that acknowledged an attack could put you out of business and you only spend 1 hour a week in proactive security management, I’d like to say you’ll get what you deserve but that would be rude and a little – “in your face”.

The fact is, you could be “hacked” right now and you wouldn’t even know it. Maybe an attack wouldn’t put you out of business, but I’m sure it will cost you a lot more than preventative security management would have cost you.

In risk management, isn’t it true that if prevention costs you less than the potential problem, it becomes a no-brainer to move forward with the prevention?

If you’re one of the 44% of businesses that think cybercrime is only an issue for larger organizations, I have to ask you this, “Where do you think most of the attacks on larger organizations are launched from?” The answer: hacked systems in smaller organizations.

If you’re one of the 52% of businesses that believe that, since you’re not well-known, cybercriminals will not target you, I will tell you to Google the term “security through obscurity” or “security by obscurity”. Read everything you can about your adopted security strategy.

Cybercriminals find “hackable” computers by scanning IP addresses. Yes, sometimes, they will target a specific site, but generally, they just look for computers that have openings.
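The firewall logs mentioned earlier are where this kind of scanning shows up. The following is an added example, not code from The Box or from this post: it reads a log in the Windows Firewall `pfirewall.log` layout (assumed here, including its `path` column), collects blocked inbound connections per source address, and lists sources that were blocked on several different ports. The sample log is constructed, and the names `inbound_drops`, `likely_scanners` and the `min_ports` threshold are illustrative.

```python
from collections import defaultdict

# Constructed sample in the Windows Firewall (pfirewall.log) layout; not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-04-02 09:14:01 DROP TCP 203.0.113.7 192.168.1.10 40112 135 48 S 1001 0 65535 - - - RECEIVE
2009-04-02 09:14:01 DROP TCP 203.0.113.7 192.168.1.10 40113 139 48 S 1002 0 65535 - - - RECEIVE
2009-04-02 09:14:02 DROP TCP 203.0.113.7 192.168.1.10 40114 445 48 S 1003 0 65535 - - - RECEIVE
2009-04-02 09:14:02 DROP TCP 203.0.113.7 192.168.1.10 40115 3389 48 S 1004 0 65535 - - - RECEIVE
2009-04-02 09:15:40 DROP TCP 198.51.100.23 192.168.1.10 51200 445 48 S 2001 0 65535 - - - RECEIVE
2009-04-02 09:15:43 DROP TCP 198.51.100.23 192.168.1.10 51200 445 48 S 2001 0 65535 - - - RECEIVE
2009-04-02 09:16:05 ALLOW TCP 192.168.1.10 192.0.2.80 49152 80 0 - 0 0 0 - - - SEND
2009-04-02 09:16:30 DROP ICMP 198.51.100.99 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2009-04-02 09:17:00 DROP TCP 203.0.113.7
"""

def parse(log_text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or garbled records
                yield dict(zip(fields, parts))

def inbound_drops(log_text):
    """Map source IP -> set of destination ports it was blocked on (inbound only)."""
    seen = defaultdict(set)
    for rec in parse(log_text):
        inbound = rec.get("path") == "RECEIVE"
        if rec["action"] == "DROP" and inbound and rec["dst-port"].isdigit():
            seen[rec["src-ip"]].add(int(rec["dst-port"]))
    return dict(seen)

def likely_scanners(log_text, min_ports=3):
    """Sources blocked on at least min_ports distinct ports, busiest first."""
    drops = inbound_drops(log_text)
    hits = [(ip, sorted(p)) for ip, p in drops.items() if len(p) >= min_ports]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))

if __name__ == "__main__":
    for ip, ports in likely_scanners(SAMPLE_LOG):
        print(f"{ip} was blocked on {len(ports)} ports: {ports}")
```

A source that retries one port shows up in `inbound_drops` but is not listed by `likely_scanners` until `min_ports` is lowered.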

If you’re one of the 45% or 46% who think you’re not valuable to a cybercriminal, answer me this, “Do you turn your back on smaller sources of income?”

Hackers hack for money. Gone are the days when they would hack strictly to create havoc. They now make money from their craft. In some cybergangs, it’s believed that the money they make from one income stream is $150,000,000 (that’s right million).

Just as you might find every email address on your list valuable, they too find every computer that they control valuable. To you, the money is in the list. To cybercriminals, the money is in their botnet (their network of remotely controlled computers). Every controlled computer, whether a server or a PC, is important to them.

I still find that one of the easiest ways for hackers to deface or hack a website is by logging in as you. They infect as many computers as possible. Then when you log in to your website, they record your credentials and then just log in as you. It’s that simple. How do they find your computer to infect it in the first place?

They don’t know who you are or where you live. They just hack as many computers as they can and the odds are, with so many people starting web based businesses, that some of the computers they infect will belong to people who own one or more websites.

It really is that simple.

If you still think you’re safe online, then keep doing what you’ve always done and you’ll keep getting what you’ve always gotten – whether you know it or not.

That’s a fact.

If you disagree, please tell me your comments.