Yeah, it is true. I guess some programming errors are more serious than others, so lets give these guys a break: I also suppose the dark clouds gathered for all the recent DDoS characters, too.

This post had a personal info. I have removed it as I think it is irrelevant to the point I’m trying to make. Let’s just call him “Rick”. A user on a domain I maintain forwarded me an email from Rick explaining why his anti-spam swallowed the email, I replied with a set of challenges to his anti-spam’s filter effectiveness, as well as question the validity of the reasons behind it. Let’s be charitable and just say he did not seem to be open to discuss the matter.

Personal manners aside, this does bring up the greater question of arbitrary spam filters (arguably the worst ill effect spam had on the Internet) and standards conformance. (more…)

Following up on that strange title, ISOI 3 (Internet Security Operations and Intelligence), a workshop for do-ers who work on the security of the Internet and its users, is happening Monday and Tuesday in Washington, DC.

This time around we have even more government participation (we’re in DC, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).

I am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. I am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, affecting change.

If you are interested in this realm of Internet security operations, take a look at ISOI 3’s schedule, and perhaps submit something for the next workshop.

Some reporters are somewhat annoyed that entrance is barred to them, but I hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

The third ISOI is here because after DHS ended up unable to host it, sponsors emerged who were happy to assist:

Afilias Ltd.: http://www.afilias.info/
ICANN: http://www.icann.org/
The Internet Society: http://www.isoc.org/
Shinkuro, Inc.: http://www.shinkuro.com/

It’s going to be an interesting next week here at the swamp. Atendees better show up with their two forms of ID.

Gadi Evron,
ge@linuxbox.org.

In the situation when Skype’s explanation written on 20th Aug, Microsoft’s response written on Monday too and Skype’s clarification written today, 21th Aug exist it’s time to share word with a short summary:

Why the security community reacted like it reacted?

1. Microsoft has released monthly security updates since January 2004
2. There was three critical MS patches in July, and four critical in June
3. Only four August critical patches included a mandatory reboot
4. Critical patch (MS07-044) for code execution issue in Excel needs no reboot
5. Critical patch (MS07-050) for VML needs reboot only if files in use
6. SecurityLab.ru released public Skype Network Remote DoS Exploit on 17th Aug
7. There was new Skype for Windows version 3.5.0.214 out on 17th Aug
8. A lot of home users go to Microsoft Update on Tuesday, not on Thursday…

Do we need more reasons? No. Boys and girls at Skype, please share information that you are aware of public PoC, what the new bugfix release fixes etc.

But the good news: Villu Arak of Skype states that their “bug has been squashed.” And

The parameters of the P2P network have been tuned to be smarter…

Fine, because there are Black Tuesday patches in the future too!

I posted a column on eWeek on what critical infrastructure means, looking back at the Estonia incident.

They edited out some of what I had to say on home computers and their impact as a critical infrasrtcuture, but hey, word limitations.

http://www.eweek.com/article2/0,1895,2166125,00.asp

Gadi Evron,
ge@linuxbox.org.

Syngress was kind enough to allow me to post the chapter I wrote for Botnets: The Killer Web Application here as a free sample.

It is the third chapter in the book, and requires some prior knowledge of what a botnet C&C (command and control) is. It is basic, short, and to my belief covers quite a bit. It had to be short, as I had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion.

You can download it from this link:
http://www.beyondsecurity.com/whitepapers/005_427_Botnet_03.pdf

For the full book, you would need to spend the cash.

Enjoy!

Gadi Evron,
ge@linuxbox.org.

CFP: ISOI III (a DA workshop)
=============================

Introduction
————

CFP information and current speakers below.

ISOI 3 (Internet Security Operations and Intelligence) will be held in
Washington DC this August the 27th, 28th.

This time around the folks at US-CERT (Department of Homeland Security -
DHS) are hosting. Sunbelt Software is running the after-party dinner.

We only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:
http://isotf.org/isoi2.html
http://isotf.org/isoi.html

If you haven’t RSVP’d yet, please do so soon. Although we have 240 seats, we are running out of space.

A web page for ISOI 3 can be found at: http://isotf.org/isoi3.html

Details
——-
27th, 28th August, 2007
Washington DC -
AED conference center:
http://www.aedconferencecenter.org/main/html/main.html

Registration via contact@isotf.org is mandatory, no cost attached to attending. Check if you apply for a seat in our web page.

CFP
—

This is the official CFP for ISOI 3. Main subjects include: fastflux, fraud, DDoS, botnets. Other subjects relating to Internet security operations are also welcome.

Some of our current speakers as you can see below lecture on anything from Estonia’s “war” to current web 2.0 threats in-the-wild.

Please email contact@isotf.org as soon as possible to submit a proposal. I will gather them and give them to our committee (Jeff Moss) for review.

Current speakers (before committee decision)
——————————————–

Roger Thompson (Exp Labs
- Google adwords .. .the dangers of dealing with the Russian mafia

Barry Raveendran Greene (Cisco)
- What you should be asking me as a routing vendor

John LaCour (Mark Monitor)
- Vulnerabilities used to hack sites for phishing
- Using XSS to track phishers

Dan Hubbard (Websense)
- Mpack and Honeyjax (Web 2.0 honeypots)

April Lorenzen
- Fastflux: Operational Update

William Salusky (AOL)
- The Spammer Evolves - Migration to WebMail

Hillar Aarelaid (Estonian CERT)
- Incident Response during the Recent Attack

Gadi Evron (Beyond Security)
- Strategic Lessons from the Estonian “First Internet War”

Jose Nazarijo (Arbor)
- Botnet statistics from the Estonian attack

Andrew Fried (Treasury Department)
- Phishing and the IRS - New Methods

Danny McPherson (Arbor)
- TBA

People have been wondering why I’ve been keeping quiet on this issue, especially since I was right there helping out.

A lot of people had information to share and emotions to get out of the way. Also, it was really not my place reply on this - with all the work done by the Estonians, my contributions were secondary. Mr. Alexander Harrowell discussed this with me off mailing lists, and our discussions are public on his blog. Information from Bill Woodcock on NANOG was also sound.

As to what actually happened over there, more information should become available soon and I will send it here. I keep getting stuck when trying to write the post-mortem and attack/defense analysis as I keep hitting a stone wall I did not expect: strategy. Suggestions for the future is also a part of that document, so I will speed it up with a more down-to-Earth technical analysis (which is what I promised CERT-EE).

In the past I’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. I was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

I keep seeing strategy for the use IN information warfare battles as I write this document on what happened in Estonia, and I believe I need more time to explore this against my previous take on the issue, as well as take a look at some classics such as Clausewitz, as posh as
it may sound.

Thanks,

Gadi Evron,
ge@linuxbox.org.

Hi guys and gals, how are you all doing?

I’ve always been a fan of virtual worlds (although for my own life’s sake, I don’t participate in them). This time around it’s about what some refer to as a WMD, and I like it.

http://www.joystiq.com/2007/05/28/user-created-wmds-do-massage-damage-in-second-life-beta-test/

Funny how history repeats itself and he couldn’t control his “virus”.

Gadi Evron,
ge@linuxbox.org.

The New York Times carries a good popular-level accounting of what happened in the recent Estonian information warfare incident. Suggested reading.

http://www.nytimes.com/2007/05/29/technology/29estonia.html (subscription required)
Syndicated: Times Daily

The new trend in organizing Distributed Denial of Service attacks are P2P networks.

This is the way how Netcraft describes the situation:

large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

The Netcraft entry points to FL-based Prolexic Technologies alert too sharing more technical details and information about the number of clients and the traffic being generated.
A very nice catch, Rich Miller of Netcraft!

Today was the third day when the Web site of Finnish broadcasting company YLE (Yleisradio) suffer problems of large-scale DDoS attack.

From the YLE News site:

The company’s web pages were targeted by of a concerted attack on Monday and Tuesday. Two other major web sites, those of the telecommunications service provider Eniro, and the Suomi24 portal also reported similar attack.

There are several possible motives - Finland was the host of Eurovision Song Contest 2007 last weekend and our second place in hockey World Championship during the next day.

Some people said earlier that there was connections to recent DoS attacks on Estonian government sites too.

In this post I’d like to discuss the threat widely circulated insecure broadband routers pose today. We have touched on it before.

Today, yet another public report of a vulnerable DSL modem type was posted to bugtraq, this time about a potential WIRELESS flaw with broadband routers being insecure at Deutsche Telekom. I haven’t verified this one myself but it refers to “Deutsche Telekom Speedport w700v broadband router”:
http://seclists.org/bugtraq/2007/May/0178.html

If you all remember, there was another report a few months ago about a UK ISP named BeThere with their wireless router being accessible from the Internet and exploitable, as another example:
http://blogs.securiteam.com/index.php/archives/826

Two issues here:
1. Illegitimate access to broadband routers via wireless communication.
2. Illegitimate access to broadband routers via the WAN.

I’d like to discuss #2.

Some ISPs which provide such devices (as in the example of #2 above) use them as bridges only, preventing several attack vectors (although not all). Many others don’t. Most broadband ISPs have a vulnerable user-base on some level.

Many broadband ISPs around the world distribute such devices to their clients.

Although the general risk is well known, like with many other security issues many of us remained mostly quiet in the hope of avoiding massive exploitation. As usual, we only delayed the inevitable. I fear that the lack of awareness among some ISPs for this “not yet widely exploited threat” has resulted in us not being PROACTIVE and taking action to secure the Internet in this regard. What else is new, we are all busy with yesterday’s fires to worry about tomorrow’s.
Good people will REACT and solve the problem when it pops up in wide-exploitation, but what we may potentially be facing is yet another vector for massive infections and the creation of eventual bot armies on yet another platform.

My opinion is, that with all these public disclosures and a ripe pool of potential victims, us delaying massive exploitation of this threat may not last. I believe there is currently a window of opportunity for service providers to act and secure their user-base without rushing. Nothing in security is ever perfect, but actions such as changing default passwords and preventing connections from the WAN to these devices would be a good step to consider if you haven’t already.

My suggestion would be to take a look at your infrastructure and what your users use, and if you haven’t already, add some security there. You probably have a remote login option for your tech support staff which you may want to explore - and secure. That’s if things were not left at their defaults.

Then, I’d also suggest scanning your network for what types of broadband routers your users make use of, and how many of your clients have port 23 or 80 open. Whether you provide with the devices or not, many will be using different ones set to default which may pose a similar threat. Being aware of the current map of vulnerable devices of this type in your networks can’t hurt.

It is not often that we can predict which of the numerous threats out there that we do not address currently, is going to become exploited next. If you can spare the effort, I’d strongly urge you to explore this front and be proactive on your own networks.

The previous unaddressed threat which most of us chose to ignore was spoofing. We all knew of it for a very long time, but some of us believed it did not pose a threat to the Internet or their networks for no other reason than “it is not currently being exploited” and “there are enough bots out there for spoofing to not be necessary”. I still remember the bitter argument I had with Randy Bush over that one. This is a rare opportunity, let’s not waste it.

We are all busy, but I hope some of you will have the time to look into this.

I am aware of and have assisted several ISPs, who spent some time and effort exploring this threat and in some cases acting on it. If anyone can share their experience on dealing with securing their infrastructure in this regard publicly, it would be much appreciated.

Thanks.

Gadi Evron,
ge@linuxbox.org.

Support Intelligence releases daily reports on different fortune 500
companies which are heavily affected by the botnet problem, with many
compromised machines on their networks.

You can find more information on their blog:
http://blog.support-intelligence.com/

They are good people, and they know botnets.

Gadi Evron,
ge@linuxbox.org.

There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.

This incident is currenly being handled by several operational groups.

This past February, I sent an email to the Reg-Ops (Registrar Operations) mailing list. The email, which is quoted below, states how DNS abuse (not the DNS infrastructure) is the biggest unmitigated current vulnerability in day-to-day Internet security operations, not to mention abuse.

While we argue about this or that TLD, there are operational issues of the highest importance that are not being addressed.

The following is my original email message, elaborating on these above statements. Please note this was indeed just an email message, sent among friends.

Date: Fri, 16 Feb 2007 02:32:46 -0600 (CST)
From: Gadi Evron
To: reg-ops@…
Subject: [reg-ops] Internet security and domain names

Hi all, this is a tiny bit long. Please have patience, this is important.

On this list (which we maintain as low-traffic) you guys (the
registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call “The Internet Security Operations Community”.

We face problems today though, that you can not help us solve under the current setting. But only you can help us coming up with new ideas.

Day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can’t handle this. I don’t blame you.

In emergencies, we can only mitigate threats if one of you or yours are in control.. Just a week ago we faced the problem of the Dolphins stadium being hacked and malicious code being put on it:

1. We tracked down all the IP addresses involved and mitigated them (by we I mean also people other than me. Many were involved).
2. We helped the Dolphins Stadium IT staff take care of the malicious code on their web page - Specifically Gary Warner).
3. We coordinated with law enforcement.
4. We coordinated that no one does a press release which will hurt law enforcement.
5. We did a lot more. Including actually convincing a Chinese registrar to pull one of the domains in question. A miracle. There was another domain to be mitigated, unsuccessfully.

One thing though - at a second’s notice, this could all be for nothing as the DNS records could be updated with new IP addresses. There were hundreds of other sites also infected.

Even if we could find the name server admin, some of these domains have as many as 40 NSs. That doesn’t make life easy. Then, these could change, too.

This is the weakest link online today in Internet security, which we in most cases can’t mitigate, and the only mitigation route is the domain name.

Every day we see two types of fast-flux attacks:
1. Those that keep changing A records by using a very low TTL.
2. Those that keep changing NS records, pretty much the same.

Now, if we have a domain which can be mitigated to solve such
emergencies and one of you happen to run it, that’s great…
However, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. Sorry for the language.

ICANN has a lot of policy issues as well, and the good guys there can’t help. ICANN has enough trouble taking care of all those who want money for .com, .net or .xxx.

All that being said, the current situation can not go on. We can no longer ignore it nor are current measures sufficient. It is imperative that we find some solutions, as limited as they may be.

We need to be able to get rid of domain names, at the very least during real emergencies. I am aware how it isn’t always easy to distinguish what is good and what is bad. Still, we need to find a way.

Members of reg-ops:
What do you think can be conceivably done? How can we make a difference which is REALLY needed on today’s Internet?

Please participate and let me know what you think, we simply can no longer wait for some magical change to happen.

Gadi.

Thousands of malicious domain names and several weeks later, we face the current crisis. The 0day vulnerability is exploited in the wild, and mitigating the IP addresses is not enough. We need to be able to “get rid” of malicious domain names. We need to be able to mitigate attacks on the weakest link - DNS, which are not necessarily solved by DNS-SEC or Anycast.

On Reg-Ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem to be on the agenda of those running DNS:

1. A system by which registrars can acknowledge confirmed bad domains (under strict guidelines) and respond to the reports according to their AUP and ICANN policy, thus “getting rid” of them in a much quicker fashion, is being set up at the ISOTF.
A black list for registrars, if you will. This is far from perfect and currently slow-going. Naturally, this can not be forced on all registrars, nor do the black hat ones, care.

2. A black list for resolvers (hopefully large service providers) is also being created at the ISOTF, so that the risk of visibility of bad domains, as will be defined, can be minimized. Naturally, no provider can be forced to use this list and there are millions of unaffiliated resolvers, etc.

Other options that have been raised as technically possible, but considered unlikely and indeed, bad:

3. Setting up a black list of domain names for TLD servers, for them not to respond on.

4. Creating an alternate root which we could trust.

Another suggestion which was raised:

5. Apply to change the ICANN policy.

We need a solution. This operational issue needs to be added as a main agenda item today so that tomorrow we will be ready to mitigate it. I blame myself to some degree for not raising this with higher echelons 2 and 3 years ago due to respect to those who have been working on DNS for many years, but what’s done is done.

The operational communities do not always know how to voice their needs or the difficulties they face. Nor will everyone agree on what the issues are. It is my strong belief (which is obviously my personal opinion), based on facts we see in daily security operations on the Internet that this issue is paramount, and I am sending here a call for help to the DNS experts of the world: what is our next step to be?

What do we currently intend to do (not my personal opinion):
We are formalizing a letter to ICANN’s SSAC, as they are the top experts on DNS infrastructure security issues, coming from operational folks at the ISOTF dealing with daily usage of the DNS for abuse purposes (and specifically fastflux).

Further, the ISOTF is moving forward with items #1 and #2 as mentioned above. #3 will have to remain as a contingency, #4 we have no influence to affect. #5 is currently being explored.

Are we missing a possible solution? What does the larger community suggest?

Gadi Evron,
ge@linuxbox.org.

Information about the target Web sites of polymorphic worm Allaple has been released. Finnish CERT-FI unit has posted information to Bleeding Edge Threats Wiki database.

According to the report the targets are

www.starman.ee,
www.if.ee and
www.online.if.ee.

Note: The report is not fully visible when browsing with Safari. Firefox on XP and Mac are working OK.

AS Starman is Tallinn-based cable-TV operator and an ISP. If P&C Insurance Company is a subsidiary of Finnish Sampo Group.
Reportedly the worms have absolutely no Command and Control channels in them. I.e. if the author of the worm wants to disable these worms he or she can’t do it. The only solution is to patch these affected machines with MS04-012 - or format these workstations.

The first reports of the worm are from July 2006. This DoS attack is not a minor issue.
If you see this worm in your organization there are some typical characteristics:

* ICMP packets with the mystery string ‘Babcdefghijklmnopqrstuvwabcdefghi’
* HTTP GET requests to www.if.ee
and
* TCP SYN packets to www.if.ee (port 97)

This worm has several names - aka W32/Allaple-B, Rahack.W and Rahack.BB.