DNS Changer Malware / Operation Ghost Click

Trend Micro recently announced, along with the FBI, the dismantling of a cyber criminal gang based out of Estonia. The gang was allegedly responsible for compromising millions of computers and redirecting them to online ads through the implementation of rogue DNS servers.

Over four million computers across 100 countries had inadvertently downloaded malware onto their systems, many through installing what they thought was a needed codec to view certain movies online. Compromised systems would then have their DNS settings altered to use servers controlled by the gang, rerouting the end users to locations on the Internet they never intended to visit.

These locations contain ads which, upon click-through or even viewing, generated revenue for the gang, resulting in over $14 million made through advertising fraud. The U.S. Attorney’s Office is seeking to extradite the gang for prosecution, likely due to the large number of U.S. government and businesses systems compromised by the gang and the fact that some of the rogue DNS servers were based in Chicago and New York.

DNS provides the IP address of a website, so a user who types “google.com” into a browser is actually taken to “” (or one of Google's other IP addresses). By forcing a system to use a specific DNS server, as this gang did, users would receive false IP addresses for the websites they were trying to visit, or different ads from the ones they would normally have seen, benefiting the gang without doing obvious harm to the user. Examples provided in the indictment of the six Estonian members of the gang included:

“When the user of an infected computer clicked on a domain name link for Netflix, the user was instead taken to a website for an unrelated business called ‘BudgetMatch.’”

“When the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express ‘Plum Card’ had been fraudulently replaced with an ad for ‘Fashion Girl LA.’”

The malware which compromised these systems also prevented updates to anti-virus software and the operating system. This helped the malware stay on the compromised systems over an extended period of time. For those concerned that they may be compromised, the FBI has provided a document which explains the malware and how to check for DNS settings changes on your computer, for both Windows and Mac systems.
The FBI doc

In this document the IP address ranges of the known rogue DNS servers are listed (each as a start address through an end address), indicating server locations in Russia, Ukraine, the U.S., and Amsterdam.
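As an added example (not from the original post or the FBI document), the following script automates the kind of check the FBI document describes: it reads DNS settings from Windows "ipconfig /all" or Unix /etc/resolv.conf style output and flags any configured server that falls inside a "start through end" range. The ranges and the sample settings are constructed placeholders (RFC 5737 documentation addresses), not the real rogue ranges; substitute the ranges published in the FBI document.

```python
import ipaddress
import re

# Constructed placeholder ranges in the FBI document's "start through end"
# format. These are RFC 5737 documentation addresses, NOT the real rogue
# ranges; replace them with the ranges published by the FBI.
ROGUE_DNS_RANGES = [
    "192.0.2.0 through 192.0.2.255",
    "198.51.100.0 through 198.51.100.127",
]

# Constructed sample of DNS settings output: a few "ipconfig /all" style
# lines (including a non-DNS line that must be ignored) followed by two
# /etc/resolv.conf style lines.
SAMPLE_SETTINGS = """\
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
nameserver 8.8.8.8
nameserver 198.51.100.77
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_range(text):
    """Turn 'A through B' into an inclusive (int, int) range of IPv4 addresses."""
    start, end = (part.strip() for part in text.split("through"))
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError(f"range start after end: {text!r}")
    return lo, hi


def extract_dns_servers(settings_text):
    """Collect the DNS server addresses (only those) from ipconfig or resolv.conf output."""
    servers = []
    in_dns_block = False  # inside the indented continuation lines after "DNS Servers"
    for line in settings_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("nameserver"):
            in_dns_block = False
            candidates = IPV4.findall(stripped)
        elif "DNS Servers" in line:
            in_dns_block = True
            candidates = IPV4.findall(line)
        elif in_dns_block and IPV4.fullmatch(stripped):
            candidates = [stripped]  # extra servers listed on their own line
        else:
            in_dns_block = False  # subnet masks, gateways, etc. are not DNS servers
            candidates = []
        for candidate in candidates:
            try:
                addr = str(ipaddress.IPv4Address(candidate))
            except ipaddress.AddressValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if addr not in servers:
                servers.append(addr)
    return servers


def find_rogue_dns(settings_text, ranges=ROGUE_DNS_RANGES):
    """Return the configured DNS servers that fall inside any listed rogue range."""
    parsed = [parse_range(r) for r in ranges]
    flagged = []
    for addr in extract_dns_servers(settings_text):
        n = int(ipaddress.IPv4Address(addr))
        if any(lo <= n <= hi for lo, hi in parsed):
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    hits = find_rogue_dns(SAMPLE_SETTINGS)
    if hits:
        print("DNS servers inside known rogue ranges:", ", ".join(hits))
    else:
        print("No configured DNS server falls inside a rogue range.")
```

On a real system, pipe the output of "ipconfig /all" or the contents of /etc/resolv.conf into find_rogue_dns in place of SAMPLE_SETTINGS.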
-Matt Sully

Security through the eyes of a teenager. Part 2

Are young people more knowledgeable about information security than their elders?
I believe that young people are more knowledgeable when it comes to security. The reason being that my generation has been brought up with daily use of computers. We have more experience than most of the older population. This does not mean that everyone from my generation knows how to stay secure while online.
Are young people concerned about privacy online?
Everyone says they are worried about their privacy, but young people have already posted all kinds of information about themselves on Facebook, Twitter, and many other social networks. Even if the settings on that site lower the visibility to the public eye, they are still there. I’m not sure if young people believe privacy of their information to be important since it is already up there. If it is banking information then we worry, but if not, then it is less of a concern.
How concerned about information security are young people?
Personally, I don’t believe that young people are worried about information security at all. We all fret when something goes wrong, but before something happens, security is not always important. I think the reason for this is that we are not the ones paying for it. It also depends on what kind of computer they are using, and the marketing out there. I remember when I got my MacBook, I thought it was immune to harmful internet malware. I started downloading more movies and music, something I would have not done on my old laptop which was a PC. 
Here are the results of the survey that I sent to my friends:


Security through the eyes of a teenager. Part 1

It’s often assumed that younger generations are more aware of online threats than us old folks.  The notion being that since they’ve grown up on the internet, they are more knowledgeable and tech savvy. We decided to put this theory to the test.

As part of a co-op initiative,  Defence Intelligence has recently been joined by a 17 year old high school student named Montana.  We thought this would be a great chance to get some insight into what young people really think about information security.  As part of her work here, she’s going to be doing some research on awareness amongst her peers.  Over the next couple of weeks, she’ll be taking over our blog and posting her findings.  Here she is with her introduction.  – Keith
My name is Montana, and I am a student at West Carleton Secondary School in Dunrobin, Ontario. I signed up for co-op last year to gain an understanding of a specific field that could possibly open many opportunities. I take co-op for five days a week, three hours a day. 
I first decided I was going to take the co-op course at my school when a friend informed me about her experience. I was interested in learning more about a possible career, and began to think what field I would be interested in. I have taken an interest in working with computers but I was uncertain of which direction. After doing some research I discovered Defence Intelligence – a small Ottawa based information security company. I was fortunate to be able to have such a unique Co-op placement.
My first day of co-op started by getting myself lost on the OC Transpo bus routes. Once I found the place, I was confused just by the terminology, let alone the work I was doing. After a few days of adjustment and the help of Mr. Sully’s patient explanations, I became more comfortable. 
I was first given a project to research the top 25 websites I visited most often. I learned how to use many online resources, the threat analyst interface, and Google search in an effective way. I was able to identify what information is valuable when making a decision about the safety of a website. Each day I was getting better and faster by expanding my intake of knowledge. I was eager to learn as much as possible and to test out my abilities.
Back at school, many students were interested when I got to describe my job and share what I do. It made me sound pretty technical, although I had no previous experience with internet security.
After many weeks, I gave a presentation to my co-workers. 
That’s what I enjoy about working here. I get the opportunity to make an actual business presentation where I am relied on to demonstrate my understanding. I learned how to speak to people and how to present myself with the comprehension I gained.  The subject was the threat analyst interface, which has been an ongoing project since I joined Defence Intelligence. I was not nervous about presenting in front of everyone, but was afraid of not giving a clear explanation. I did fairly well, but with some improvements needed. 
When I walked in one afternoon, I was told that I was to be moved around to get a feel for all parts of the business. I am not only learning about the specialty of the business, but the sales side and much more. I was also given a project to create a survey for my friends to answer. 
This survey was intended to get feedback from teenagers about internet security and if they really cared about it. The survey was made up of 10 questions. The first time I mentioned the survey was on Facebook. I posted the survey as a disguised link. This way I was able to see the amount of people who will click on an unknown (potentially untrustworthy) link. I will later repost the link and ask my friends to complete the survey.
Mrs. Stewart, my co-op teacher, came in one day to see how things were going at my work placement. She was pleased to hear that I was enjoying my time at Defence Intelligence. She was also impressed with the variety of areas that I would be working in. 
My co-op placement has lived up to my expectations and I am learning more than what a class in school could teach me – business techniques, management, working with others, communications skills, and so much more. I’m really thankful to Defence Intelligence for taking me on as a co-op student and feeding me with incredible amounts of knowledge. 
– Montana

It’s only an option if you know you have a choice

I have backlogs everywhere and am probably the worst person in the world at keeping up with my social networking updates. If people only knew about my life through my sporadic social updates, they’d think I was still “Having a good time at Steak and Ale, about to go see this new Gladiator movie.”

In one of my few and far between surfacings for air, I saw some important offerings in the blogging world addressing privacy and security issues of our currently beloved social tools, Twitter and Linkedin.

Graham Cluley put out a blog this morning about Twitter’s efforts to begin default HTTPS usage, starting with a small percentage of users. The option to choose an HTTPS connection, however, is available to all Twitter users, and can be enabled through the settings page (at the bottom).

HTTPS encrypts your normal HTTP traffic across the network, protecting the data being exchanged and the identification of the exchanging parties. This was publicly popularized for banking and purchasing transactions but is making its way into other facets of the internet.

It’s always a smart move to choose HTTPS for your connections into social networking sites. No matter who you are or what sort of details you share with others, every user should be concerned about their privacy and about keeping control of their own accounts. For those who like to connect to public wi-fi spots, this is especially important, as open wi-fi leaves you vulnerable to eavesdropping by others.

Facebook offers HTTPS as well, so search out this setting and enable it if it isn’t already enabled. HTTPS is of course important to your security, but there are plenty more settings on Facebook and elsewhere that may be of concern to you regarding usage of your private data.

Rik Ferguson recently blogged about Linkedin settings dealing with social advertising, which would use your own personal information in some of the ads put out across the Linkedin site. This would include your name and profile photo integrated right into the advertisement, giving the appearance that you personally endorse a product or service. I already have a big enough issue with buying shirts smeared with the name of the department store. Where’s my discount for free advertising? They should pay ME to wear these shirts.

To disable these advertising options on Linkedin, go to your settings page and click on “account” in the bottom left. Rik walks you through it on his blog here.

Spend some time today, and periodically (new defaults pop up all the time), digging through your social networking settings and opt out of what you don’t want. Pay attention to what you’re agreeing to when you sign up for a new service. Your safety and privacy could be at risk. And stop buying T-shirts with the store name on them. That’s just wrong.

Matt Sully

Defcon 19 Cell Hack

Hackers from around the globe recently met in Vegas for the 19th Defcon hacking conference. This is a huge event for those interested in security and more importantly, the holes in current security products and tactics, as well as next generation vulnerabilities. So naturally, one might be wary of freely using their laptop or smart phone around so many hacking enthusiasts. Throwing caution to the digital wind however, perhaps through arrogance, confidence, or disregard, people still actively connected, but mostly through their cell phones instead of their laptops.

Though little is confirmed about a legitimate hack, while at the conference people were expressing concern over strange occurrences on their phones, including degraded signal and well timed multiple suggested software updates. Degraded service where thousands of 4G users are bombarding towers all at the same time may be reasonably expected. According to a post on seclists.org, however, a “weapon” may have been used to gain access to the phones and computers of thousands of Defcon attendees, the one group of cell phone users who should have been suspicious.

In the seclists.org post by coderman, he says the attack was designed for mass exploitation, reconnaissance, [data] exfiltration, and eavesdropping, using a variety of exploits and techniques across CDMA and 4G connections.

He offers in the same post symptoms or actions that may indicate a victim of the Defcon cell attack. Some of the symptoms are vague and include an Android crash or charging troubles, which could be caused by normal issues. Other symptoms, which may still be benign, include full signal but poor bandwidth, or slow download speeds but fast upload speeds. Most concerning, though possibly excluding phones, he mentions the presence of an ssh process that can’t be killed.

Fake charging stations, believed to be a delivery method for the malware mentioned here, were sprinkled throughout the area. Many were wise enough to spot and avoid them, and plugging in anywhere while at Defcon was a generally recognized bad idea, but apparently not recognized enough.

I am disappointed by the lack of paranoia/caution displayed by the people who attended this event. They should know better than to trust leaving anything open to compromise when going to a conference like this, from their wallets to their cell phones. Attendees were even advised by staff not to use the available wifi. Even hackers are victims from time to time.

IT Security Isn’t Important – Part 1 of 3

That’s right, it isn’t important.  I realize that it matters to most of the people reading this.  What I have recently realized, however, is that it really doesn’t matter to most.  We in the industry are in denial about our place in the scheme of things.  It’s self-evident to us that information security is of vital importance.  We talk about the massive market for IT security, the amount of press breaches are given, and the big push for compliance and increased security across all standards.  Still, it’s just not that important to enough people.  Symantec had roughly $6b in revenue last year.  While they were doing that, Avon sold $11b worth of cosmetics using a network of door to door salespeople.  Think about it.

The IT security market is considerable.  Gartner estimates it to be in the realm of $85b a year.  $85b is a lot of money.  Having said that, there was more money spent on commercial cleaning and garbage removal last year than there was on IT security.  So really, how important are we?  While the threat of a dirty office is no laughing matter, I don’t think it is quite as important as keeping your data secure.

We talk a lot about user awareness and training, and yet I think we’ve failed in that it’s something that we mention to people and then forget.  It’s very much a “do as I say and not as I do” mentality.  We speak to organizations and groups about awareness, but do little ourselves to spread that awareness.  I’m as guilty as anyone in this regard.  Three years in, and the most my friends and family can say of my business is that I do “fancy anti-virus or something”.  This is usually followed up by a request to “speed their computer up”.  The number one question I get from the average consumer?  “Is it safe to use my credit card online?”  Nearly twenty years on, and we still haven’t answered a single question for the general public.

Most people have a very good knowledge of “real world” crimes.  It makes sense, they’ve been around longer and get all the good TV shows.  What we need to do is translate cyber crimes into “real world” crimes.  Most people think they know what a virus is, or what a hacker does.  Mostly though, they just don’t.  I have had far too many conversations with C-level execs and VPs who have absolutely no clue.  It’s disheartening when you speak to the CIO of a Fortune 50 company who doesn’t know what a botnet is.  It’s disheartening, but it’s also enlightening. We need people to understand that what happens online affects the real world, and them directly.  In short, we need to make information security important to them personally.

It’s up to us as security professionals to make it important to everyone.  It’s up to us to help people understand.  We need to step outside of the security groups and the IT crowd.  We need to talk to the business leaders, the financial teams, the HR groups, all of them.  We should be talking to our friends, our colleagues, that aunt that keeps sending out the cute slideshows.  If we ever want the average user to “get it”, we need to help them do so.  Until then, it just won’t be important.

While we need to exchange ideas and information with our peers, what I think is even more crucial is that we spend more time talking to the uninitiated.  It’s great to see all the experts at an event, but what would help our industry more is to see the non-experts at these events. If we keep talking to other experts and rely on them to spread the word, we’ll continue to fail.

So do we start at the top?  Should we try to get the government to mandate the hell out of security and force people’s hands?  Do we harass CEOs to institute appropriate policies and then enforce them?  I don’t think so.  Good policy is important, but even the best policy is easily ignored by those who care little for it.  I think we all know enough users who skirt their employer’s Facebook policy.  If people don’t understand the policy and the reasoning behind it, they will never back it, and they will never adhere to it.

Defence Intelligence has run a number of informational seminars in the past.  These have mostly been aimed at specific threats or technologies, and were designed for security experts.  What I’m asking myself now is, why have we never done a far more basic seminar for the layman?  We feel the pain of the security staff while they try to justify their budget, but what have we done to help them?  I’ve been frustrated many times while trying to explain why “we have a firewall” is not a legitimate security stance.  Really, though, how much have I done to correct it?

We’re going to change.  We’re going to start offering basic informational seminars and training to both our clients and our potential clients.  No fees, no product pitch, just basic information, awareness and policy for anyone who might be interested.  At least then we’ll be able to say that we’re doing our part to make security important.

Part 2 coming soon – Why IT Security Isn’t Important

Mariposa Redux

It seems that long after we identified and took down Mariposa, bad folks are still using the butterfly kit behind it to build large botnets. 

There’s been some coverage around the EvilFistSquad/Metulji takedown recently, and given the relationship to Mariposa, I thought I’d say a few words.

A few points:

Mariposa is back?

EvilFistSquad/Metulji is not Mariposa.  It is similar in intent and based on the same butterfly kit.

How big is it? 

Like Mariposa, it’s impossible to tell for certain.  Even if all command and control domains were seized, dynamic IPs, NATs/firewalls, etc. make it impossible to be sure.  By all accounts, it’s big.

Who is behind it?

The FBI and Interpol arrested two individuals earlier this month in connection with this botnet.  It is unclear, but likely, that other operators are still at large.

Is it still active?

Some of the command and control domains have been taken down, but not all.  Compromised systems are still losing data.

What we can learn from this:

What this takedown shows us is that you needn’t be technically proficient or even all that clever to amass millions of victims.  Think about it:

The creator of butterfly was arrested and had his equipment seized.  The authorities have all his transaction details and know who purchased the kit.

The botmasters raised suspicions by extravagant spending.

The botmasters used their real names and addresses in some cases.

As Luis Corrons from Panda was quoted as saying: “Obviously, those bot masters are either not concerned about going to jail or just plain stupid.”

This case also goes to show just how difficult these botnets can be to dismantle.  Even when the malware is known, even when the attackers are less than gifted, it can still be incredibly difficult to take down a botnet.  Mariposa was a rare slam dunk in that we were able to gain control of all of the C&C domains simultaneously and redirect them to our space.

Working with Panda and the FBI for the Mariposa takedown was a pleasure, and I’m glad to see that they’re staying on top of all the butterflies out there.  This is another example of how Law Enforcement, Researchers, and the private sector can work together to be more effective in the fight against online crime.

Congratulations to all those who worked on this, keep up the good fight.

Keith Murphy

Google Plus Anti-Malware

Google never rests, and is always mixing up something new to try out on its users. Some efforts have been failures and others have been welcomed by many. Recently, Google announced a seemingly one-time attempt at informing specific users of a possible malware compromise on their systems.

Currently they are a bit vague on the malware involved, but state in their blog that this particular malware uses a limited number of proxies to send traffic to Google. When a user compromised by this malware visits Google they are displayed a message at the top of their browsers saying, “Your computer appears to be infected.”

It must really be a very specific and limited pattern of traffic arriving at Google through these proxies for the company to display these messages with confidence. A wide range of malware utilizes Google in some way to carry out functions or as a form of communication. Some use Google resources as a way to spread malware, through fake Blogspot pages or hijacked web searches. Some malware just checks Google to make sure the compromised system has an internet connection.

This may only be a one time event, but I wouldn’t put it past Google that this is an introduction into future areas of exploration into the anti-virus field. Why not? They dip their fingers into every other internet pot. Google safe browsing is already a sight people have grown accustomed to and understand as well as embrace.  Is Google going to capitalize on their already existing involvement in the malware world by taking the extra step toward their end users? Is Google AV on the horizon?

Matt Sully

Defence Intelligence

And we’re back.

Not that we really went anywhere, we’ve just neglected the blog for awhile as we concentrated on improving our flagship product, reworking our website and brand, hiring some new talent, and widening our malware dragnet to keep our clients safer.  Needless to say, we’ve been rather busy.

The last year has been a whirlwind for all of us here at Defence Intelligence.  As with most IT startups, we were not without our share of growing pains.  We have spent most of the last year narrowing our focus and clearly defining our space and goals.  We’ve had some personnel changes, some product changes, and even split off part of our business.  Having said all of that, we’re finally ready to put ourselves out there again, and we’ll be updating this blog on a regular basis.

You’ll notice our new logo, our new website, and our new version of Nemesis over at www.defintel.com.  With all of the changes we’ve made, we wanted our brand to reflect our growth and advances while retaining ties to our roots.  I think the talented folks at Owly Design did a great job, and can’t recommend them enough.  Feel free to let us know what you think of their work.

The biggest news is Nemesis 2.0.  It’s been a long time coming.  I can’t tell you how happy I am to be able to announce the release of this product. This is what we’ve been working so hard on for what seems like an eternity.  This is the product that we always wanted to give our clients. Nemesis 2.0 is truly a revolutionary approach to malware protection, and it is quite simply the most effective anti-malware tool on the market. We’ve made lots of improvements, but some of the most obvious are as follows:

  • Improved compromise detection and protection capabilities
  • A web based management console that provides real time awareness of malicious activity on the client network
  • Client defined rule creation to immediately block suspicious network communication
  • Event history search and custom filtering options to find details behind Nemesis protection events
  • Easy summary/situational reporting generation and download

You can learn more at: http://defintel.com/solutions-nemesis.php or contact us for a free trial.

We’ll be rolling out more improvements to Nemesis in the near future, keep an eye on our blog for details. As always, all additions and upgrades to our products are free of charge to our clients.

I’d like to thank our clients, our partners and our friends for their support during all of this, it is much appreciated.  I’d also like to thank all of our team for their work on 2.0.  Eric and Matt in particular have gone above and beyond the call of duty, and I know that it hasn’t been easy.  Now I get to start harassing them for 2.1. 😉

If you haven’t looked at Nemesis or Defence Intelligence before, now is the time.  Malware has evolved.  So have we.

All the best,

Keith Murphy