
16 more Zotob suspects

News reports this morning note that the FBI and Turkish authorities have announced the identification of 16 more suspects in the Zotob case. No word yet on how the additional 16 suspects were identified; given the apparent financial motives behind the incident and the scale of the operation, it may have been classic detective work that led to this latest development.

The FBI said the Turkish authorities have identified 16 more individuals as suspects in the recent Zotob and the Mytob worm attacks. But Louis M. Reigel III, assistant director of the FBI’s cyber division, said no additional arrests had been made as of Monday.

Based on a code analysis of the worm and its variants, there are at least three gangs of hackers involved with the worm, believes Finnish anti-virus software maker F-Secure, according to Mikko Hypponen, director of the company's anti-virus research. If Turkish officials make the arrests, the action would represent the biggest roundup in the history of the information security business, said Mr. Hypponen.

Source: 16 Sought in Zotob Gang Dragnet, Red Herring online, August 30, 2005. Also see Cyber-cops arrest 16 more Zotob suspects, by Robert Jaques, posted to vnunet.com 31 Aug 2005.

August 31, 2005 in government, media, Zotob | Permalink | Comments (0)

Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

An interesting set of slides on the August 2003 Blaster worm outbreak from the ETH (DDoSVax) team, presented at DIMVA 2005.

We present an extensive flow-level traffic analysis of the network worm Blaster.A and of the e-mail worm Sobig.F. Based on packet-level measurements with these worms in a testbed we defined flow-level filters. We then extracted the flows that carried malicious worm traffic from AS559 (SWITCH) border router backbone traffic that we had captured in the DDoSVax project. We discuss characteristics and anomalies detected during the outbreak phases, and present an in-depth analysis of partially and completely successful Blaster infections. Detailed flow-level traffic plots of the outbreaks are given. We found a short network test of a Blaster pre-release, significant changes of various traffic parameters, backscatter effects due to non-existent hosts, ineffectiveness of certain temporary port blocking countermeasures, and a surprisingly low frequency of successful worm code transmissions due to Blaster's multi-stage nature. Finally, we detected many TCP packet retransmissions due to Sobig.F's far too greedy spreading algorithm.

Source: Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone [PDF slides], Thomas Dübendorfer, Arno Wagner, Theus Hossmann, and Bernhard Plattner, Computer Engineering and Networks Laboratory (TIK), Swiss Federal Institute of Technology, ETH Zurich.

August 30, 2005 in Blaster, slides | Permalink | Comments (0)

Virus Bulletin 2005 Conference Program Online

The program for the 2005 Virus Bulletin Conference is now online. You can see abstracts of several interesting papers which will be presented in a few months at the conference. Ones to note especially for wormblog readers: The 15th Virus Bulletin International Conference, VB2005, will take place 5-7 October 2005 in Dublin, Ireland.

August 29, 2005 in events | Permalink | Comments (1)

A financial twist to the Zotob case

Some more information on the story around the arrest of two suspects in the Zotob and Mytob cases. A Washington Post story from Friday reports that there is a financial information theft aspect to both the Zotob and Mytob worms. This angle is also being reported by Maghreb Arabe Presse in Morocco.

Louis M. Reigel III, director of the FBI's Cyber Division, said evidence indicates Ekici paid Essebar to develop the worms, which the two used for financial gain. Reigel declined to say whether the men were connected to a larger criminal enterprise. But according to information released by the Moroccan government, the two men are alleged to have forwarded financial information stolen from victims' computers to a credit card fraud ring.

Source: Suspected Zotob Worm Authors Arrested, by Brian Krebs, posted on washingtonpost.com on Friday, August 26, 2005.

And finally, eWeek has an interesting summary of the Zotob timeline from the Microsoft perspective.

So how did they break this case so quickly? According to the F-Secure antivirus weblog, the handles used by the men, "diabl0" and "coder", appear in the worm's own code. This has shades of the Blaster.C variant and the "teekids" handle.

Both nicknames can be found in the code of Zotob.A: the worm connected to an IRC server named "diabl0.turkcoders.net" and contained the words "Greetz to good friend Coder".

Source: Breaking news: two arrests in the Zotob case, Friday, August 25, 2005.
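The kind of static triage that surfaces those handles is a strings pass over the binary followed by a grep for indicator shapes (hostnames, IRC verbs, shout-outs). The following is an added example, not code from the original post or from F-Secure. It runs over a constructed byte blob that embeds the two strings the post quotes plus a few filler bytes; the IRC verbs, the UTF-16LE handling, and the exclusion list for DLL-style names are assumptions of the example, and the blob is not a real Zotob sample.

```python
import re

MIN_LEN = 4
# Runs of printable ASCII, and of UTF-16LE (char, NUL pairs), which Windows
# binaries use for wide strings that a plain ASCII strings pass would miss.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator shapes (assumed for this example): DNS-style hostnames, IRC
# protocol verbs at the start of a string, and "greetz"-style shout-outs.
HOSTNAME = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
IRC_CMD = re.compile(r"^(?:NICK|USER|JOIN|PRIVMSG|PASS)\b")
GREETZ = re.compile(r"\bgreet(?:z|s|ings)?\b", re.I)
# File names like kernel32.dll look like hostnames to the pattern above.
NOT_TLDS = {"dll", "exe", "sys", "ocx", "drv"}


def extract_strings(blob):
    """Return printable strings (ASCII and UTF-16LE) of >= MIN_LEN chars, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(blob)]
    found.sort()
    return [s for _, s in found]


def triage(blob):
    """Bucket extracted strings into the indicator classes an analyst looks at first."""
    hits = {"hostnames": [], "irc_commands": [], "greetings": []}
    for s in extract_strings(blob):
        for host in HOSTNAME.findall(s):
            if host.rsplit(".", 1)[-1].lower() not in NOT_TLDS:
                hits["hostnames"].append(host)
        if IRC_CMD.match(s):
            hits["irc_commands"].append(s)
        if GREETZ.search(s):
            hits["greetings"].append(s)
    return hits


# Constructed sample (not a real binary): PE-like header bytes, an import
# name, IRC command templates, the C2 hostname from the post, and the greeting
# stored as a wide string.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"kernel32.dll\x00"
    + b"NICK %s\r\n\x00JOIN #%s\r\n\x00"
    + b"diabl0.turkcoders.net\x00"
    + b"\x01\x02\x03\x04"
    + "Greetz to good friend Coder".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80\x90"
)

if __name__ == "__main__":
    for bucket, values in triage(SAMPLE_BLOB).items():
        print(bucket, values)
```

The hostname bucket is what ties a sample to infrastructure (and, here, to a handle); the IRC verbs tell you what protocol to look for on the wire. Both are cheap to check before any disassembly, which is why a leaked handle turns into an arrest lead so fast.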

August 27, 2005 in government, media, Zotob | Permalink | Comments (2)

Turk, Moroccan nabbed in huge worm case

CNN is reporting that there has been a pair of arrests in the investigation into the Zotob and Mytob worm cases. The report says that a 21-year-old resident of Turkey and an 18-year-old Moroccan were arrested in their home countries in an international investigation.

Farid Essebar, a Moroccan who used the screen name "Diabl0," and Attilla Ekici of Turkey, who used the moniker "Coder," were arrested in their home countries by authorities who cooperated with U.S. investigators in tracking the origins of the Mytob worm and its damaging variant, Zotob.

FBI officials said the two men are expected to be prosecuted by the governments of their home countries.

Source: Turk, Moroccan nabbed in huge worm case, August 26, 2005.

Microsoft also commented on the arrests in a press release; the company reportedly participated in the investigation:

“We congratulate the Turkish and Moroccan authorities and the FBI for finding and apprehending the alleged authors and distributors of the Zotob and Mytob worms so quickly,” [Brad] Smith said. “This arrest demonstrates the value of public-private collaboration — the first-class investigative work by the authorities and round-the-clock technical and investigative support provided by our Internet Crime Investigations Team here at Microsoft. The results show clearly that cybercriminals will be identified, apprehended and held accountable for their actions.”

Source: Microsoft Commends Turkish and Moroccan Authorities and the FBI on the Arrest of the Alleged Authors of the Recent Zotob and Mytob Worms, Microsoft Press Release, August 26, 2005.

eWeek has a story on the Microsoft response to the Zotob worm and on the disclosure, in the August 2005 Patch Tuesday release, of the obviously wormable Plug and Play vulnerability fixed by MS05-039:

"This is something we had created an entire process around and we were much better prepared this time," he said. "Our process is working, and it's working very well."

That process, Toulouse explained, started long before Patch Tuesday. "Whenever we're dealing with critical updates, one of the things we do is really look very hard at the attack vectors. What are the ways people will try to exploit this? How easy is it to create and unleash a worm? We attack the flaw just like the attacker would, and we knew up front that this one would be trouble.

"We had three critical bulletins in August but, in the case of the Plug and Play vulnerability, we knew there was a remote, unauthenticated attack vector affecting Windows 2000. Whenever there's a remote, unauthenticated attack vector, it sends up major red flags," Toulouse said.

Source: Inside Microsoft's Zotob Situation Room, by Ryan Naraine for eWeek, posted August 26, 2005.

August 26, 2005 in government, Zotob | Permalink | Comments (0)

Adaptive Detection Of Worms/viruses In Firewalls

An interesting paper, although I'm not entirely sure it will work as well as they hope in the real world. A surprising number of standards are violated in a myriad of ways by various applications and systems, making that kind of protocol analysis difficult to rely on for detection.

In this paper, we seek to answer the question: "How to detect worms/viruses, which are replicated via emails, at the level of a firewall without cooperation with an anti-virus server?" All packets pass through firewalls and only firewalls are able to prevent packets from entering the network. Our motivation is to reduce risk through preventing malicious packets (e.g., worms/viruses) from entering the secure network. We present our firewall model and address how to detect worms/viruses based on protocol sanity, probabilistic estimation of maliciousness, and patterns of packets.

Source: Adaptive Detection Of Worms/viruses In Firewalls, by InSeon Yoo and Ulrich Ultes-Nitsche.
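To make the standards-violation caveat concrete, here is an added example (mine, not the paper's model or code) of the three ingredients the abstract names, applied to mail: a couple of protocol-sanity checks on headers, attachment-pattern checks, and a crude weighted score standing in for the probabilistic estimate. The weights, the executable-extension list and the two messages are constructed assumptions. The point of the example is that a legitimate but sloppy client trips the sanity checks and must only be logged, while the mass-mailer-style message is blocked on the attachment evidence.

```python
import email
import email.policy
import re

# Assumed weights for this example; the paper's estimator is not reproduced here.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", re.I)
BLOCK_AT = 5   # total weight at which the message is dropped
LOG_AT = 1     # total weight at which it is merely logged


def assess(raw):
    """Return (verdict, findings) for one raw RFC 822 message.

    verdict is "block", "log" or "pass". Protocol oddities carry small
    weights so that a non-conforming but legitimate client is logged rather
    than blocked; executable content carries large weights.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    # Protocol sanity: headers a conforming MUA/MTA is expected to emit.
    if msg["Message-ID"] is None:
        findings.append(("no Message-ID header", 1))
    if msg.is_multipart() and msg["MIME-Version"] is None:
        findings.append(("multipart body without MIME-Version", 1))

    # Attachment patterns: the payload a mail worm actually has to carry.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in EXEC_EXT:
            findings.append((f"executable attachment {name}", 5))
        if DOUBLE_EXT.search(name):
            findings.append((f"double extension {name}", 2))
        # A PE image (MZ header) declared as something other than an
        # application/* type is a content/declaration mismatch.
        if payload.startswith(b"MZ") and not ctype.startswith("application/"):
            findings.append((f"PE image declared as {ctype}", 4))

    score = sum(w for _, w in findings)
    verdict = "block" if score >= BLOCK_AT else "log" if score >= LOG_AT else "pass"
    return verdict, findings


# Constructed messages (not real captures). The first mimics a mass-mailer
# carrying a PE stub as a screensaver behind an image content type; the
# second is a legitimate PDF from a client that omits two headers it should send.
WORM_MAIL = (
    b"From: admin@example.com\r\nTo: user@example.com\r\nSubject: Your account\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee the attached file.\r\n"
    b"--b1\r\nContent-Type: image/gif; name=\"photo.gif.scr\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"photo.gif.scr\"\r\n\r\n"
    b"TVqQAAMAAAAEAAAA//8AAA==\r\n--b1--\r\n"
)
SLOPPY_MAIL = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 report\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b2\"\r\n\r\n"
    b"--b2\r\nContent-Type: text/plain\r\n\r\nReport attached.\r\n"
    b"--b2\r\nContent-Type: application/pdf; name=\"report.pdf\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"report.pdf\"\r\n\r\n"
    b"JVBERi0xLjQ=\r\n--b2--\r\n"
)

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("sloppy", SLOPPY_MAIL)):
        print(label, assess(raw))
```

If you raise the weight of the header checks to reach BLOCK_AT on their own, the second message gets dropped, which is exactly the real-world failure the caveat above describes: plenty of legitimate software is that sloppy.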

August 26, 2005 in defense, papers | Permalink | Comments (1)

Adaptive Defense Against Various Network Attacks

This paper is much like earlier papers on threshold random walk detection, which uses failed connection attempts to detect host and port scans. Since a scanning worm will probe many hosts and fail to connect frequently, you can look for these failed connection attempts and their sources and identify malicious activity that way. This falls apart under hitlist worms (i.e., worms with a built-in target list) or application-layer worms, but for some classes of worms (including the recent Zotob worm) it should work.

In defending against various network attacks, such as Distributed Denial-of-Service (DDoS) attacks or worm attacks, a defense system needs to deal with various network conditions and dynamically changing attacks. In this paper, we introduce an "adaptive defense" principle based on cost minimization: a defense system adaptively adjusts its configurations according to the network condition and attack severity in order to minimize the combined cost introduced by false positives (misidentify normal traffic as attack) and false negatives (misidentify attack traffic as normal) at any time. In this way, the adaptive defense system generates fewer false alarms in normal situations (or under light attacks) with relaxed defense configurations, while protecting a network or a server more vigorously under severe attacks. Specifically, we present detailed adaptive defense system designs for defending against two major network attacks: SYN flood DDoS attack and Internet worm infection. The adaptive defense is a high-level system design that can be built on top of various non-adaptive detection and filtering algorithms, which makes it applicable for a wide range of security defenses.

Source: Adaptive Defense Against Various Network Attacks, Cliff C. Zou, Nick Duffield, Don Towsley, and Weibo Gong.
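For readers who have not seen the threshold random walk mechanics, here is an added example (mine, not code from either paper) of the sequential hypothesis test over first-contact connections: each success or failure multiplies a likelihood ratio, and the source is declared a scanner or benign when the ratio crosses an upper or lower threshold. The per-outcome probabilities, the error targets, the log format and the three traffic sources are constructed assumptions. The third source is a hitlist worm: every target it contacts is alive, so the walk drifts toward "benign" and the detector never fires, which is the failure mode noted above.

```python
import math
import re
from collections import defaultdict

# Sequential hypothesis test parameters. The structure follows the threshold
# random walk scheme; these concrete values are assumptions for this example.
THETA0 = 0.8   # Pr[first-contact connection succeeds | benign host]
THETA1 = 0.2   # Pr[first-contact connection succeeds | scanner]
ALPHA = 0.01   # acceptable false-positive probability
BETA = 0.99    # desired detection probability

# Thresholds on the log likelihood ratio; crossing ETA1 means "scanner",
# crossing ETA0 means "benign". With the values above both are about +/-4.6.
ETA1 = math.log(BETA / ALPHA)
ETA0 = math.log((1 - BETA) / (1 - ALPHA))

# Per-observation steps of the walk (log of the likelihood ratio for one outcome).
STEP_SUCCESS = math.log(THETA1 / THETA0)              # negative: evidence for benign
STEP_FAIL = math.log((1 - THETA1) / (1 - THETA0))     # positive: evidence for scanner

# Constructed record format (not any real tool's output): "<src> <dst> <dport> <ok|fail>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(ok|fail)$")


def trw_classify(lines):
    """Run the walk over connection records and return {src: verdict}.

    verdict is "scanner", "benign" or "pending". Only first contacts (a src
    reaching a dst it has not touched before) move the walk; repeat
    connections are ignored. A source's walk freezes once a verdict is reached.
    """
    seen = defaultdict(set)        # src -> destinations already contacted
    score = defaultdict(float)     # src -> running log likelihood ratio
    verdict = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip malformed records
        src, dst, _dport, outcome = m.groups()
        if src in verdict or dst in seen[src]:
            continue
        seen[src].add(dst)
        score[src] += STEP_SUCCESS if outcome == "ok" else STEP_FAIL
        if score[src] >= ETA1:
            verdict[src] = "scanner"
        elif score[src] <= ETA0:
            verdict[src] = "benign"
    for src in seen:
        verdict.setdefault(src, "pending")
    return verdict


# Constructed sample traffic.
SAMPLE = [
    # Random-scanning worm: probes many hosts on 445, most of them absent.
    "10.0.0.5 10.0.1.1 445 fail",
    "10.0.0.5 10.0.1.2 445 fail",
    "10.0.0.5 10.0.1.3 445 ok",
    "10.0.0.5 10.0.1.4 445 fail",
    "10.0.0.5 10.0.1.5 445 fail",
    "10.0.0.5 10.0.1.6 445 fail",
    # Ordinary client: every first contact succeeds.
    "10.0.0.9 10.0.2.1 80 ok",
    "10.0.0.9 10.0.2.2 443 ok",
    "10.0.0.9 10.0.2.3 25 ok",
    "10.0.0.9 10.0.2.4 80 ok",
    # Hitlist worm: only contacts hosts it already knows are up, so the
    # detector sees nothing but successes and calls it benign.
    "10.0.0.7 10.0.3.1 445 ok",
    "10.0.0.7 10.0.3.2 445 ok",
    "10.0.0.7 10.0.3.3 445 ok",
    "10.0.0.7 10.0.3.4 445 ok",
]

if __name__ == "__main__":
    for src, v in sorted(trw_classify(SAMPLE).items()):
        print(src, v)
```

With these parameters four net failures are enough to cross ETA1, which is why the scanner is caught on its sixth probe (five failures, one success). The adaptive part of the Zou et al. design is to move THETA/ALPHA/BETA, and hence the thresholds, as the measured attack severity changes, rather than fixing them as this example does.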

August 25, 2005 in defense, papers | Permalink | Comments (2)

EpiGrass: a simulator of epidemics over networks

A new network infection modeling tool has been released. This one goes beyond a number of tools for analyzing network epidemics by integrating with geographic data from GIS systems. I haven't used it yet, myself, but it looks like a useful tool with some interesting features. I'd be interested in hearing how flexible it is for various network topologies and worm propagation models.

EpiGrass is a simulator of epidemics over networks. It is a scientific tool created for simulations and scenario analysis in network epidemiology. For an in-depth description of EpiGrass capabilities, please refer to the documentation.

EpiGrass can interact with the GRASS GIS from which it can obtain maps and other geo-referenced information. However, EpiGrass does not require an installation of the GRASS GIS for most of its features.

EpiGrass is free software, licensed under the GNU General Public License (GPL).

Source: EpiGrass project page on SourceForge. Thanks to Adam O. for pointing this out to me.

August 24, 2005 in modeling, tools | Permalink | Comments (0)

Jose Nazario discusses worms

At the risk of tooting my own horn, I'll mention a recent SecurityFocus interview in which I spoke at length about the worm problem. The interview focused mostly on counterworms, a subject which comes up here from time to time. Here's an excerpt:

It's tempting to think about fighting fire with fire when a worm hits -- launching a counterworm to stop the worm. The most natural thing to do is to deliver a counterworm with a payload that contains the patch for the security vulnerability exploited by the worm, which would prevent its spread.

However, remember the following things. Even if you knew instantly what vulnerabilities the worm was exploiting and how to prevent its use of that hole, how would you prepare a worm with the patch payload in time to launch it in a meaningful time period? How would you outpace the worm (in about 6 hours, Blaster had reached its peak propagation speed; SQLSlammer reached that speed in a matter of a few minutes; Witty hit that point in a matter of minutes, too)?

Source: Jose Nazario discusses worms, an interview by Federico Biancuzzi, posted on 2005-08-16 at SecurityFocus.

August 23, 2005 in counterworms, editorial, media | Permalink | Comments (1)

More Zotob Removal Tools

I posted a list of two Zotob removal tools the other day, but it seems that more are out. If you're building a USB keychain for malware removal and Zotob cleanup, these should be on it. They don't replace a full-blown AV scanner, but they can help you in a crisis. Many thanks to Donna's blog for the list.

August 22, 2005 in defense, detection, microsoft, tools, Zotob | Permalink | Comments (2)