Showing posts with label hacking threats. Show all posts

Friday, December 2, 2011

China and Satellite Hacking Claims

The Earth-observing Terra spacecraft. Credit: NASA

In a post on AllThingsNuclear.org, scientist Laura Grego examines U.S. claims linking the Chinese military to alleged hacking attacks on two Earth observation satellites, and concludes there is very little evidence to back them up.

“Why would China try to hack a low-resolution earth-monitoring satellite, much of whose data are distributed free and freely, and for which system China even has operated a ground station to assist in collecting data?” she writes.

Grego questions whether the incidents were indeed hacking, and says that even if they were, it is unclear what advantage an unauthorised user could obtain from Landsat-7 and Terra, “which are not strategically important or national security-related satellites.”

She further notes that no evidence of Chinese involvement is presented in the draft of the U.S.-China Economic and Security Review Commission's annual report to Congress. Grego says the report's assertion that the incidents "appear consistent with authoritative Chinese military writings" is based on a single book by a "marginal figure" in China.

Thursday, July 30, 2009

Severe Threat: Clampi Trojan revealed as financial-plundering botnet monster

A close look at the Clampi Trojan, an elusive piece of malware that uses encryption to help hide its nefarious data-stealing deeds, reveals it to be a botnet-controlled monster that can swipe a victim's sensitive data associated with more than 4,500 different sites, according to one researcher.

"We've been able to get through the layers of encryption in Clampi," says Joe Stewart, director of malware research at SecureWorks. "Clampi is collecting data associated with about 4,600 key sites, such as banks and other financial institutions targeted by criminal networks."

But it doesn't stop there.
Clampi is going after utilities, market research firms, online casinos and career sites in a broad sweep to grab personally identifiable information, such as credentials and account details, that criminals can turn into money. Clampi, also known as Ligats, Ilomo or Rscan, uses the Sysinternals PsExec remote-execution tool to spread across Windows networks in a worm-like fashion.
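PsExec leaves a distinctive trace: it copies its service binary into the target's Windows directory over the ADMIN$ share and registers it as a service, which the target records as System Event ID 7045. The hunting script below, added here as an example and not code from SecureWorks or from Clampi, runs that check over a few constructed log records (the one-line record format is an assumption for the demo; real records come from Get-WinEvent, Sysmon or a SIEM with the same ServiceName and ImagePath fields). It also covers the `psexec -r` rename case, which the default service name alone would miss.

```python
"""Hunt for PsExec-style service installs in Windows System-log records.

Added example for this post, not SecureWorks' or Clampi's code. PsExec (and
Clampi's worm-like spread that reuses it) copies a service binary into the
target's Windows directory via the ADMIN$ share and registers it as a service,
which the target logs as System Event ID 7045 ("A service was installed").
The record format below is constructed for the demo; real records come from
Get-WinEvent, Sysmon or a SIEM and carry the same ServiceName/ImagePath fields.
"""
import re
from dataclasses import dataclass

# Constructed sample records (one per line, no spaces inside field values):
# <timestamp> <host> <event_id> ServiceName=<name> ImagePath=<path> Account=<acct>
SAMPLE_LOG = """\
2009-07-28T03:14:05Z FIN-WS12 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem
2009-07-28T03:14:07Z FIN-WS12 7036 ServiceName=PSEXESVC ImagePath=- Account=-
2009-07-28T03:15:41Z HR-WS04 7045 ServiceName=upd3 ImagePath=%SystemRoot%\\upd3.exe Account=LocalSystem
2009-07-28T08:30:12Z HR-WS04 7045 ServiceName=MpKsl1a2b ImagePath=C:\\ProgramData\\Microsoft\\Defender\\MpKsl1a2b.sys Account=LocalSystem
2009-07-28T09:00:00Z FIN-WS12 7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe Account=LocalSystem
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event_id>\d+) "
    r"ServiceName=(?P<svc>\S+) ImagePath=(?P<path>\S+) Account=(?P<acct>\S+)$"
)
# PsExec drops its service binary directly in the Windows directory. With
# `psexec -r <name>` the file and service are renamed, so the default-name
# rule alone misses it; a fresh service whose binary sits in the Windows
# root (not System32) is the more durable signal.
WINROOT_EXE_RE = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    host: str
    service: str
    image_path: str
    reason: str


def hunt_psexec(log_text: str) -> list:
    """Return one Finding per Event 7045 record that looks like a PsExec install."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event_id"] != "7045":
            continue                      # only "service installed" events
        svc, path = m["svc"], m["path"]
        if svc.upper() == "PSEXESVC" or path.upper().endswith("\\PSEXESVC.EXE"):
            reason = "default PsExec service name or binary"
        elif WINROOT_EXE_RE.match(path):
            reason = "new service binary dropped in Windows root (renamed PsExec?)"
        else:
            continue
        findings.append(Finding(m["ts"], m["host"], svc, path, reason))
    return findings


if __name__ == "__main__":
    for f in hunt_psexec(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: service {f.service} ({f.image_path}) - {f.reason}")
```

On the sample data the script flags the default PSEXESVC install on FIN-WS12 and the renamed `upd3` service on HR-WS04, and ignores the Defender driver and the Spooler entries. In a real hunt, pair a 7045 hit with the network logon (Security Event 4624, logon type 3) from the source host a few seconds earlier to confirm the lateral move and identify the credentials that were used.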

SecureWorks
So far, SecureWorks' analysis has identified 1,400 specific sites in 70 countries out of the roughly 4,600 sites the Clampi Trojan appears programmed to monitor once it has infected a victim's Windows machine.

The design
The design of the Clampi Trojan, which was first spotted in 2007, shows that its creator has methodically researched a great deal about the target sites.

Stewart says the 4,600 figure is enormous compared with what is usually found in Trojans built to steal financial data from victims transacting on the Web. Most Trojans of this sort, such as Zeus, target no more than about 30 banks.

A Worm
Once the Clampi Trojan has wormed its way onto a victim's machine, it watches for the victim to do anything online involving any of the 4,600 sites, then springs into action to steal data, sending it over an encrypted channel back to its command-and-control servers.

According to SecureWorks, Clampi's main way of spreading is through drive-by downloads when a user visits a Web site that has been compromised by attackers.

Trusted Sites
Some of these sites are trusted as legitimate by visitors, but the site has been compromised, often because the webmaster's or network manager's credentials for it were stolen and the attacker simply loaded the malware onto it to enable the Clampi drive-by download.

The Clampi Trojan, believed to have infected hundreds of thousands of machines, basically functions as a botnet under the command-and-control of a botmaster, probably in Eastern Europe or China.

Botnet
As a botnet, it sweeps up victims' sensitive personal data and relays it through a set of command-and-control servers to cybercriminals. Clampi's spread appears to have accelerated since July, and it may be the Trojan used in a cybertheft scam that hit the U.S. earlier this month.

Command and Control
Traffic between an infected machine and the Clampi command-and-control server is encrypted with 448-bit Blowfish under a randomly generated session key, which the bot sends to the control server encrypted with a 2,048-bit RSA public key. SecureWorks got through this layer by intercepting the session key on a test system it controlled and using it to decrypt the captured network traffic. That allowed the firm to examine the list of Web sites targeted by one of Clampi's modules. Wrapping the key with RSA protects it from anyone who only sees the wire, but not from an analyst who controls the infected host, where the key has to exist in the clear.

How can you defend yourself against Clampi?
There is no product you can buy that stops this as a zero-day attack, although antivirus software may eventually detect it and stop it on your machine later.

The best recommendation is to find a way to use a separate system for financial transactions, one that is not the same machine you use to browse the Internet. That lowers the risk of the machine that holds your banking sessions being infected by the Clampi Trojan.

Friday, July 17, 2009

Chinese Hackers Exploit Microsoft Internet Explorer Weakness!

Symantec, Sunbelt Software and SANS' Internet Storm Center (ISC) bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by Internet Explorer (IE) to display Excel spreadsheets.

There is no patch for the vulnerability, nor will Microsoft release one later today when it issues its July batch of patches.

Temporary Fix
A temporary fix that sets the "kill bits" of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection.

Symantec Threat ranking raised
Symantec raised its ThreatCon ranking to the second of four levels. "We're seeing it exploited, but currently on a limited scale," said Ben Greenbaum, a senior researcher with Symantec security response.

Sunbelt Threat ranking raised
Sunbelt also bumped up its ranking, to high, the company noted today. "We just set the Sunbelt Threat Level to high since our researchers and at least two other major organizations have found in-the-wild exploit code," said Tom Kelchner, malware researcher with the Florida-based firm.

ISC at Condition Yellow
Meanwhile, the ISC went to condition Yellow after discovering numerous sites hosting attack code. The ISC reported both broad and targeted attacks using exploit code against the new zero-day. "[There was] a highly-targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML," said the ISC in a frequently-updated blog post. "This one was particularly nasty.... It was specifically crafted for the target, with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient."

China sites compromised
Broader attacks are originating from compromised sites in China, the ISC added. "A .cn domain [is] using a heavily obfuscated version of the exploit, which may become an attack kit (think MPACK), and is similar to recent DirectShow attacks," said the center.

Microsoft security hole exploited
Last week, Microsoft confirmed that hackers were exploiting an unpatched bug in an ActiveX control that is part of DirectShow, a component of the DirectX multimedia platform within Windows.
McAfee echoed the ISC late on Monday, confirming that attack code targeting yesterday's ActiveX bug has been added to a Web exploit toolkit and is being distributed from hijacked Chinese sites. The toolkit also contained attack code for last week's DirectShow vulnerability.

Some computers in Spain, the U.K. and Germany also showed evidence of compromises, McAfee researcher Haowei Ren said in an entry to the company's security blog.

Small Number of Attacks
Symantec's Greenbaum added that while his company is seeing only a small number of attacks currently -- "It's not in the top 500 attacks," he said -- this has the potential to get big, and big quickly. "It's the kind of attack that can be very easily hosted on a Web server, and meets all the criteria for large-scale attacks in the relatively near future," Greenbaum said.

The number and diversity of attacks will likely increase because working exploit code is publicly available, he said.

Microsoft Patch Delayed
Although Microsoft is working on a patch for the new vulnerability, it's unclear when it will be ready. Users will definitely not receive any automatic protection today, however.

"Unfortunately, the comprehensive update for this vulnerability is not quite ready for broad distribution," a company spokesman said yesterday afternoon. "We recommend that customers follow the automatic 'Fix It' workaround ... to help secure their environment against this vulnerability while we finish up development and testing of the comprehensive update."

Manually Steer Browser
Fix It requires users to manually steer their browser to Microsoft's support site, then download, install and run the tool that disables the ActiveX control.

That means many users won't be protected. "Most users won't [manually] mitigate," agreed Greenbaum. The message is clear: don't be in that vulnerable group.
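Both the "kill bits" workaround mentioned earlier and the Fix It tool do the same thing under the hood: they set a registry flag that stops Internet Explorer from instantiating the control. The script below is an added example, not Microsoft's Fix It, showing that mechanism so an administrator can push it to many machines without each user visiting the support site. The CLSID is a placeholder, not the one from the Microsoft advisory; substitute the CLSID(s) the advisory names. IE checks `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` and refuses the control when bit 0x400 of its "Compatibility Flags" DWORD is set; 32-bit IE on 64-bit Windows reads the Wow6432Node copy of that path, so the script sets both.

```python
r"""Kill bit for an ActiveX control, as an added example (not Microsoft's Fix It).

Mechanism: before instantiating a control, IE looks up
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
and refuses to load it if the "Compatibility Flags" DWORD has bit 0x400 set.
The CLSID below is a placeholder; the real one(s) come from the Microsoft
advisory for the vulnerable control.
"""
import sys

KILL_BIT = 0x00000400
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"   # assumption, not the advisory's
BASE = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit IE on 64-bit Windows reads the redirected Wow6432Node path, so set both.
WOW64_BASE = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"


def has_kill_bit(flags: int) -> bool:
    return bool(flags & KILL_BIT)


def killbit_reg(clsids, include_wow64: bool = True) -> str:
    """Build a .reg file that sets the kill bit for each CLSID.
    Apply with `reg import killbits.reg` from an elevated prompt; IE honours the
    change on the next page load. Note it writes exactly 0x400, replacing any
    other Compatibility Flags already set for that CLSID."""
    bases = [BASE, WOW64_BASE] if include_wow64 else [BASE]
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        for base in bases:
            lines.append(f"[HKEY_LOCAL_MACHINE\\{base}\\{clsid}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\n".join(lines)


def read_kill_bit(clsid: str):
    """Check the live registry (Windows only; returns None elsewhere, False if
    the control has no compatibility entry at all)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{BASE}\\{clsid}") as key:
            flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
    except FileNotFoundError:
        return False
    return has_kill_bit(flags)


if __name__ == "__main__":
    print(killbit_reg([PLACEHOLDER_CLSID]))
    print("kill bit set:", read_kill_bit(PLACEHOLDER_CLSID))
```

Generate the file once, distribute it with Group Policy or a login script, and use `read_kill_bit` on a sample of machines to confirm the flag actually landed. A kill bit only blocks the control inside IE and anything else that honours the compatibility list; it does not remove the vulnerable DLL, so the real patch still has to be applied when Microsoft ships it.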

Sunday, June 28, 2009

San Francisco: One of the Worst Cities in the US


San Francisco, Calif.

San Francisco is officially one of the worst cities in the US for finding and keeping IT work. It's a haven for IT geeks and tech companies, but it also offers insanely high real estate prices, suicide-inducing traffic and too many cocky and annoying IT people fighting over precious jobs. (Are there any other kinds?)

San Francisco also claims the No. 1 spot among the worst cities in the US for identity theft, or "iJacking."

Regardless of their location, however, my fellow bloggers don't seem either alarmed or elated about these findings. Perhaps this insouciance (10 point word score), like the very inclusion of iJacking in such rankings, is simply a sign of the times. Discuss!

Sunday, June 21, 2009

China increases cyber attack on Netherlands

There has been a substantial increase in cyber-attacks on .nl sites across the Netherlands and Europe since the arrival of the Dalai Lama and the Netherlands' support for his cause.

Many national institutions across the Netherlands are reporting an increase in government-backed hacking attempts, denial-of-service (DoS) attacks and malware intrusions on their .nl sites. The aim is to cause maximum disruption of services and to damage the commerce and reputation of corporate and governmental institutions.

The political atmosphere and diplomatic relationship between China and the Netherlands have deteriorated rapidly over the last few weeks, culminating in an expansion of covert maneuvers designed to undermine the Netherlands' IT, telecoms and financial infrastructure.

The advice coming out of all sectors is to increase protection on .nl public domains, block requests by country, and make sure your anti-virus and anti-malware software is up to date. If you don't have anti-virus or anti-malware protection, now is the time to get some.

Remember to be very selective with your anti-virus and anti-malware providers. Many of the 'free' or 'shareware' applications are emerging as very good and smart, but you may also be signing up with a 'grey' provider that is just as likely to infect your system as to protect it.

The internet, as a global vehicle for freedom of speech and an outlet for discourse, is being attacked by those forces that would stifle openness, truth and the civil rights of its people. They cannot be allowed to expand their tyranny into this realm. Civil liberties are in peril!

The high price of that freedom, has always been and will always be, eternal vigilance. Build those Firewalls high! The enemy is at the Gates!

Monday, May 25, 2009

FBI Shutdown by Mysterious Virus Attack!

The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement agencies.

A spokesperson for the U.S. Marshals Service confirmed that it had disconnected from Justice Department computers as a precaution after being hit with the virus, while an FBI spokesperson would only say that it was experiencing similar issues.

"We too are evaluating a network issue on our external, unclassified network that's affecting several government agencies," reported FBI spokesman Mike Kortan.

The virus's type and origin are unknown, but spokespeople for both agencies said Internet and e-mail access was shut down while the issue was evaluated.

Government regulations require agencies to report any security issues to the U.S. Computer Emergency Readiness Team (US-CERT), but a call to US-CERT late Thursday for comment was not immediately returned.

All this follows reports that a number of unfriendly governments may have penetrated U.S. government sites and planted spybots, viruses, Trojans and the like.