Tag Archives: malware

It’s time to quarantine infected computers

Image credit: Roy Costello used under Creative Commons

Quarantine is a word derived from the 17th century Venetian for 40 (quaranta). The purpose of quarantine is to separate and restrict the movement of otherwise healthy organisms who may have been exposed to disease, to see if they become ill. The 40 day period was designed to identify carriers of the Bubonic plague or Black Death, before they could go ashore and spread the contagion more widely. Desperate times call for desperate measures; nevertheless the concept was widely adopted and remains with us to this day.

The word quarantine has been thoroughly misused by the well-meaning security industry, where known infected files or systems are moved to a protected area until they can be examined and cleaned up. More accurately we should be calling this “isolation”, as in most cases we already know the subject to be compromised or infected. Nonetheless, this serves an equally important purpose of containing the spread of compromise and its consequences: abuse of compromised systems for sending Spam, theft of sensitive information and spread of infection, just for example.

loveme, kissme, catch me, try me.

Picture by dprotz used under Creative Commons

Yesterday evening the FBI issued a press release regarding the legal action against Aleksandr Andreevich Panin, a Russian national perhaps better known as “Gribodemon” and “Harderman”, the online aliases behind the notorious SpyEye banking Trojan, and Hamza Bendelladj, a Tunisian national who went by the online moniker of “Bx1”. Panin has entered a guilty plea to the charges of conspiracy to commit wire and bank fraud; the charges against Bendelladj are still pending. The FBI press release gives thanks to Trend Micro’s Forward Looking Threat Research team for their assistance in the investigation.

Bendelladj is alleged to have operated at least one command and control server for SpyEye, although as our TrendLabs blog and our investigation make clear, his involvement seems to be far deeper. He was arrested at Bangkok airport on the 5th January 2013 and Panin was arrested on July 1 last year when he flew through Atlanta.

The FTR team at Trend Micro began a particularly focused investigation into the person or people behind SpyEye almost 4 years ago. Over the intervening period, we mapped out the infrastructure used to support the malware, we identified weak points in that infrastructure and pursued a number of important leads pointing to the identities of individuals behind this pernicious banking Trojan. Once we felt that we had sufficient information we involved law enforcement who drove it to the successful conclusion you see today.

Our ongoing research turned up a wealth of data, much of which it would be imprudent to share while legal action is still ongoing; however, it might interest you to know that some of the most frequent passwords used by one of the accused include “loveme”, “kissme” and “Danny000”. I’ll let you draw your own conclusions regarding OpSec.

The arrests last year and yesterday’s guilty plea are another illustration that Trend Micro’s strategy of going after the people behind online crime, instead of simply the infrastructure they exploit, is the right one. You may more often see stories that a botnet has been “taken down”, resulting perhaps in a massive drop in the number of infected computers or Spam, but these types of activity, while laudable, are only temporary. Criminals will very soon come back and often come back stronger, having learned from their previous failures; the network of compromised computers will be rebuilt and the crime spree begin anew.

As with DNS Changer, as with the Reveton Ransomware, Trend Micro has proactively provided information and assistance to law enforcement that has led to arrests of individuals rather than the simple switching-off of criminal computers. It is through activities such as these that we hope to fulfil our mission of creating a world safe for exchanging digital information.

GCHQ – General Chit-chat, Hazy Questions?

Photo by Jenny Mealing (jennifrog) used under Creative Commons.

Yesterday’s questioning of intelligence chiefs by Members of Parliament is a first in British history. The momentous occasion was preceded by anticipation that the three big authorities, MI5, MI6 and GCHQ, would offer an open and transparent account of the extent of their surveillance operations, in particular GCHQ. While mass data collection has been suspected, or in a few cases disclosed, for some time by the UK security agencies, I was struck by how little new information was actually shared and by the disappointingly weak line of questioning. One important area, for example, which wasn’t clarified at all was how the practice of sifting through who is a ‘threat’ and who isn’t is qualified; neither was the deliberate and systematic undermining of international cryptographic standards. The responses in the areas of “mass data collection” even appeared to give the lie to the earlier assurance that only metadata was collected and that content never was, yet that area was never explored. This assurance has now given way to a somewhat disingenuous assurance that “the people who work in GCHQ” simply would not look at the content, unless sufficient justification exists. In fact, they would “leave the building” if they were asked to “Snoop”… Maybe part of the obvious disconnect is that those earlier assurances came from politicians themselves rather than the intelligence community.

For any commercial entity the Data Protection Act regulates and governs processing of personal information. Intelligence agencies and law enforcement, of course, benefit from a number of exceptions from those same rules, so it has been left indefinite who in the back rooms is looking out for the interests of the general public. A vague personal assurance that data belonging to “non-threats” are not viewed and that candidates for GCHQ would not be employed if they were the sort to be tempted to do so, is not the same as a bound contract within a legal framework. Besides, somebody must have trusted Edward Snowden in a similar way at some point…

Speaking of Snowden, it would have also been helpful for some questions to have been asked to shed light on the relationships between GCHQ and foreign intelligence agencies; do they accept requests from other nations to surrender their data to UK citizens? A recent report on mass surveillance of personal data that came to light on the same day as the inquiry shows that NSA sent millions of records every day from internal networks to data warehouses at the agency’s headquarters. The US National Security Agency (NSA) is clearly working in collaboration with GCHQ; just how much is UK law helping the NSA to circumvent US law and vice versa, and what is the relationship here? Just for example, how does a contractor in the US, to US intelligence services, end up with access to so much highly damaging sensitive information about British spy agencies?

It will be very interesting to see how the requirements of the security agencies, which were voiced in the February 2013 response to the Draft Communications Data Bill (Intelligence Committee response, “Access to communications data by the intelligence and security Agencies” (PDF)), influence the next draft of that same bill. The somewhat chilling conclusion of that Intelligence Committee response includes the statement that:

“Any move to introduce judicial oversight of the authorisation process could have a significant impact on the Agencies’ operational work. It would also carry a financial cost. We are not convinced that such a move is justified in relation to the Agencies, and believe that retrospective review by the Interception of Communications Commissioner, who provides quasi-judicial oversight, is a sufficient safeguard.”

Of course there will be further sessions both in camera and hopefully more public questioning. While it is clear that, in the interests of national security, many aspects of surveillance programmes cannot and should not be revealed, the level of public trust in the very people that have been charged with protecting our liberty is at such a low that only unprecedented steps stand any chance of restoring our faith.

It seems we truly do live in Interesting Times, which is, more often than not, a curse.