Virus

Is Spam Email on the Decline?

According to Symantec, email spam has been declining since August. The sharpest drop occurred in late December and early January, during the Christmas and New Year holiday. Did the spammers join the rest of the world in revelries and merriment? 

Symantec doesn't have an answer to that question. The company does point to the Rustock botnet, the dominant spam botnet of 2010. Since December 25, Rustock has been eerily quiet: the spam it produces currently accounts for 0.5% of all spam worldwide, down from a peak of almost half (approximately forty-eight percent). Some of the other major botnets, such as Lethic and Xarvester, have also gone into a seeming hibernation. Two others, Gheg and Cutwail, are producing roughly the same volume of spam as before. 

At the moment, the levels of spam hitting Symantec's honeypots are the lowest they have been since November 2008, when McColo, a rogue ISP, was taken offline. Symantec warns that history is likely to repeat itself: after McColo went dark, other botnets arrived to fill the gap.

Even though Rustock, Lethic, and Xarvester are almost silent at the moment, they may return in the next few months. Even if they don't, they will be replaced by other, perhaps new, botnets, some of which may operate in different arenas, such as social media. Facebook has seen a plethora of spam and phishing attacks recently, including the dancing snowman and "My 1st St@tus" scams. Twitter, too, has faced attacks, including the recent Gawker incident, in which passwords leaked from Gawker were reused to hijack Twitter accounts for spam. 

Have the spammers, scammers, and phishers gone on vacation? I'm sure we'd like to think so, but it's unlikely. The more likely scenario is that they're organizing a new campaign. According to the BBC, it isn't unusual for spammers to stop and regroup when their botnets aren't as lucrative as they would like. Does that mean email spam will continue to decline if it isn't making a profit? Maybe, but it will never go away permanently. Why would it, when it continues to be such an attractive lure? The best guess is that spammers will continue to target email but will also increase their activity on social media platforms.

Sources: BBC, PCMag, Symantec

Koobface Strikes Again

Koobface, the virus that surfaced via Facebook in 2009, has a new look. Its method of attack is the same, social networking sites including Facebook and Twitter, but its most recent incarnation is Java-based. Users are asked to view a video, which takes them to a page where the malware resides in the form of a Java applet.

The virus is primarily targeting Mac OS X, but it can also infect Windows and Linux. To date, it has had little to no success on Macs because the applet cannot run until the user explicitly grants it access. Most users are protected by common sense; they know better than to allow unknown files and applets to be installed on their computers. 

Even if users do grant Koobface access, the current version contains flaws. In some cases, bugs prevent it from running correctly. In others, Koobface has contacted servers that are either no longer active or not serving the expected files. 

The danger, of course, is that the flaws in the current form of Koobface could be corrected. If they are, the virus will behave on a Mac as it does on Windows: it runs a local web server and an IRC server, acts as both a botnet client and a DNS changer, and often activates a number of other functions, either through files installed initially or through files downloaded later. It also spreads in the same manner as on Windows and Linux, by posting messages on Facebook, MySpace, and Twitter.

Mac users are encouraged to be wary. The virus worked very well in 2009; in fact, some have linked it to the DDoS attack against Twitter that year. Given that track record, it is very likely that the virus will remain in operation. If the flaws in its current form are corrected, it has the potential to become an issue not only for Macs but also for Windows and Linux. 

Source: PCMag

Meet the Darkshell Family

Several analysts, including some at Arbor Networks, have been studying Darkshell for the past three months. The malware isn't all that unique in how it installs and operates. It is unique, though, in its choice of targets: it is currently aimed at relatively obscure companies in the industrial food-processing industry.

The Darkshell bot follows typical malware practice. It begins by copying itself into C:\Windows\System32 and renames the copy to disguise its presence. It also almost always installs an additional, smaller driver file into C:\Windows\System32\drivers; analysts believe the driver is meant to evade or disable any antivirus software already installed. Once those two files are in place, Darkshell registers itself as a service so that it runs automatically on every reboot. 

That service "phones home" to the command-and-control (CnC) server by opening a TCP socket. During the call, the bot shares data with the CnC server and waits for a command. The CnC responds with one of two commands: stand by, or launch a distributed denial-of-service (DDoS) attack against a specified target.

If the bot receives the attack command, it opens anywhere from fifteen to twenty-five TCP connections to the specified target. It isn't acting alone: every other Darkshell bot under the same CnC receives the same target and opens its own set of connections. Once those connections are open, the bots flood the victim with large numbers of identical HTTP GET requests over each open connection. 
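The detection logic below is an added example of how the flood described above looks from the victim's side; it is not code from the Arbor Networks analysis. It assumes Combined Log Format web server lines and two illustrative thresholds: fifteen identical GETs from one source within ten seconds (roughly one bot's connection count), and forty distinct sources hitting one path in the same window (the botnet as a whole, when individual bots stay under the per-source threshold). The log lines are constructed, not real traffic.

```python
"""Flag Darkshell-style HTTP GET floods in a web server access log.

Added example, not code from the Arbor Networks analysis. Assumes Combined
Log Format and the illustrative thresholds below; tune them to the site's
normal load before using them for real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, method, path} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
    }


def _peak_in_window(stamps, window):
    """Largest number of timestamps that fall inside any sliding window."""
    stamps = sorted(stamps)
    start, peak = 0, 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_floods(lines, window=timedelta(seconds=10), min_requests=15):
    """Per-source check: {(ip, path): burst_size} for every source that issued
    at least min_requests GETs for the same path inside the window. This is
    what the 15-25 connections of a single Darkshell bot look like."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            events[(rec["ip"], rec["path"])].append(rec["ts"])
    floods = {}
    for key, stamps in events.items():
        peak = _peak_in_window(stamps, window)
        if peak >= min_requests:
            floods[key] = peak
    return floods


def find_distributed_floods(lines, window=timedelta(seconds=10), min_sources=40):
    """Per-target check: {path: distinct_sources} for paths that received GETs
    from at least min_sources different IPs inside the window. A botnet that
    spreads its load so no single bot trips find_floods still shows up here."""
    by_path = defaultdict(list)  # path -> [(ts, ip)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_path[rec["path"]].append((rec["ts"], rec["ip"]))
    hits = {}
    for path, recs in by_path.items():
        recs.sort()
        start, best = 0, 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            best = max(best, len({ip for _, ip in recs[start:end + 1]}))
        if best >= min_sources:
            hits[path] = best
    return hits


def _log_line(ip, when, path):
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def constructed_log():
    """Constructed access-log lines (not real traffic): one bot bursting 20
    identical GETs for / in three seconds, 50 low-rate bots each fetching
    /index.php once within five seconds, and one ordinary visitor."""
    t0 = datetime(2011, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = [_log_line("203.0.113.7", t0 + timedelta(milliseconds=150 * i), "/")
             for i in range(20)]
    lines += [_log_line(f"198.51.100.{i}", t0 + timedelta(milliseconds=100 * i), "/index.php")
              for i in range(1, 51)]
    lines += [_log_line("192.0.2.9", t0 + timedelta(seconds=2 * i), p)
              for i, p in enumerate(["/", "/about", "/contact", "/news"])]
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("per-source bursts:", find_floods(log))
    print("distributed floods:", find_distributed_floods(log))
```

Both checks look only at requests, not at open sockets, so a bot that holds its fifteen to twenty-five connections open without sending is invisible here; pairing this with a connection-count alert from the server or firewall covers that case.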

To date, analysts at Arbor Networks have identified thirty unique host names and thirty-four unique IP addresses acting as Darkshell CnC servers; thirty-two of those IP addresses are in Chinese IP space. Darkshell has been used against ninety-seven unique victims: sixty-five in China, twenty-three in the United States, four in Hong Kong, three in South Korea, and one each in the Netherlands and Sweden. The victims vary; some are online merchants of baby products, jewelry, and cosmetics. The most common victims, however, have been the websites of small manufacturers of industrial food-processing equipment and machinery. According to Arbor Networks, industrial food-processing companies account for forty percent of the victims.

Darkshell hasn't been entirely successful. Antivirus products detect it sixty-five to eighty-five percent of the time. Unfortunately, that still leaves fifteen to thirty-five percent of infections undetected.

Analysts haven't determined the motive behind Darkshell. Could it be economic, political, or military? Could it be a test run for something bigger and worse? Analysts don't know, which is why they're continuing to watch the Darkshell family closely.

Sources: Arbor Networks, Threat Post

Stuxnet Proving to be Very Sticky

In the past few days, Symantec researchers have uncovered new information, courtesy of a Dutch Profibus expert, about the Stuxnet virus. Until now it was unclear what Stuxnet, a virus that attacks industrial control systems, was meant to do or was targeting. With the new information, researchers have determined its purpose and potential targets. The virus was written for industrial control systems that use frequency converter drives from one of two specific vendors, one in Finland and the other in Iran, connected through an S7-300 CPU or a CP-342-5 Profibus communications module. The concern is that the virus could be modified to attack other industrial control systems.

The virus itself is very sophisticated. It spreads through several Windows vulnerabilities. Once on a system that programs the PLC, it monitors the operating frequency of the frequency converter drive, a drive that controls motor speed by varying the frequency of the power it supplies, and only acts if that frequency is between roughly 800 Hz and 1200 Hz (Symantec's published figures are 807 Hz and 1210 Hz). Once the drive has run at those frequencies for a certain period of time, Stuxnet hijacks the PLC code and begins to modify the behavior of the drives, changing their parameters and sabotaging the process they control. 

The frequencies that Stuxnet targets are considered high-speed, which currently limits the pool of potential targets. For example, a retail packaging facility doesn't run drives at such speeds and is therefore unlikely to be a target. Uranium enrichment centrifuges, though, do run at such speeds, which is why Iran's Natanz uranium enrichment plant may have been a target of Stuxnet. Other potential targets include facilities using computer numerical controlled (CNC) equipment, such as drills used to cut metal.

The danger is that the virus could be altered to attack other targets. Dean Turner, director of the Global Intelligence Network at Symantec, acknowledged that such attacks are possible during a hearing of the Senate Homeland Security and Governmental Affairs Committee. He added that the virus is so complex and costly to develop that it is unlikely to be mass-produced. Unfortunately, its repercussions are severe enough that even one or two successful attacks could prove devastating. Sean McGurk, acting director of Homeland Security's national cybersecurity operations center, stated that the virus could affect many critical sectors, including automobile assembly and the production of chemicals and baby formula. McGurk further testified that the code has the capability to enter a control system, steal the formula being produced, alter the ingredients being mixed into the product, and tell the operator and antivirus software that the system is functioning normally.
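The watchdog below is an added example of the check a plant operator would want against the behaviour described above: the frequency window Stuxnet waits for, and the falsified "everything is normal" readings McGurk describes. It is not Symantec's code or anything taken from the Stuxnet sample. It assumes a second frequency sensor that the PLC does not control, one sample per second, a process envelope of 1000 to 1100 Hz, a maximum legitimate change of 50 Hz between samples and a 5 Hz tolerance between the two readings; the envelope, limits and telemetry are all constructed. The default 807 to 1210 Hz window in `sustained_in_band` is Symantec's published trigger range.

```python
"""Out-of-band watchdog for frequency converter drives.

Added illustration, not Symantec's code or anything from the Stuxnet sample.
It reads the drive's real output frequency from a sensor the PLC does not
control, then (1) checks it against the process envelope, (2) checks the rate
of change, and (3) compares it with the value the PLC reports to the operator,
because a compromised controller can show normal readings while driving the
hardware somewhere else. Envelope, slew limit, tolerance and the telemetry in
constructed_telemetry() are all made up for the example.
"""
from dataclasses import dataclass


@dataclass
class Alarm:
    t: int        # sample index
    kind: str     # "out_of_band", "slew" or "divergence"
    detail: str


def sustained_in_band(samples, lo=807.0, hi=1210.0, min_run=10):
    """True if the drive has run inside [lo, hi] for min_run consecutive
    samples. This mirrors the condition Stuxnet waits for before acting, so a
    plant whose drives satisfy it matches the worm's target profile."""
    run = 0
    for f in samples:
        run = run + 1 if lo <= f <= hi else 0
        if run >= min_run:
            return True
    return False


def monitor(measured, reported, band=(1000.0, 1100.0), max_slew=50.0, tolerance=5.0):
    """Compare independently measured output frequency with what the PLC
    reports and return every alarm raised, in time order."""
    lo, hi = band
    alarms = []
    prev = None
    for t, (m, r) in enumerate(zip(measured, reported)):
        if not lo <= m <= hi:
            alarms.append(Alarm(t, "out_of_band",
                                f"sensor reads {m:.0f} Hz, envelope {lo:.0f}-{hi:.0f} Hz"))
        if prev is not None and abs(m - prev) > max_slew:
            alarms.append(Alarm(t, "slew", f"{prev:.0f} Hz -> {m:.0f} Hz in one sample"))
        if abs(m - r) > tolerance:
            alarms.append(Alarm(t, "divergence",
                                f"PLC reports {r:.0f} Hz, sensor reads {m:.0f} Hz"))
        prev = m
    return alarms


def summarize(alarms):
    """Count alarms by kind."""
    counts = {}
    for a in alarms:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


def constructed_telemetry():
    """Constructed 30-sample run (not real plant data): the drive sits at
    1064 Hz, is pushed to 1410 Hz, dropped to 2 Hz and brought back, while the
    PLC keeps reporting a steady 1064 Hz throughout."""
    measured = [1064.0] * 10 + [1410.0] * 5 + [2.0] * 5 + [1064.0] * 10
    reported = [1064.0] * 30
    return measured, reported


if __name__ == "__main__":
    measured, reported = constructed_telemetry()
    print("matches target profile:", sustained_in_band(measured))
    alarms = monitor(measured, reported)
    for a in alarms:
        print(f"t={a.t:02d} {a.kind:12s} {a.detail}")
    print(summarize(alarms))
```

The divergence check is the one that matters most: the envelope and slew checks can be defeated by a controller that simply lies, which is exactly what the testimony warns about, so the measured series must come from hardware the PLC cannot write to.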

Another concern is the geopolitical one. Since Stuxnet has such a specific target, it is reasonable to expect suspicion and to assume that the virus is part of someone's larger plan. Iran already believes that Stuxnet is part of a Western plot to sabotage its nuclear program. If the virus propagates further, countries are likely to become even more suspicious of each other.

While no fix for the virus has been proposed as yet, cyberexperts testified at the hearing that governments and industries could do more to protect their critical systems. Michael Assante, head of the National Board of Information Security Examiners, told lawmakers that control systems should be walled off from other networks so that they are harder to reach. He went on to say that government leaders must understand that the most dangerous attacks won't disable systems but will take control of them and manipulate them to trigger accidents or other actions.

Sources: Boston Globe, cnet News, Symantec