Self-destructing botnets

Self-destruct code is often written into bot malware. Up until recently that wasn't considered an issue. So, what changed and what does it mean to IT security personnel?

I first learned about the use of self-destruct code in 2007 when I read an ITU report titled "Zombie Botnet Mitigation Project: Background and Approach".
The report mentioned how certain bot malcode was programmed to destroy all resident data files if there was an attempt to remove the malware. Man, that's harsh.
All-purpose kill switch
Wanting to know more, I began researching the how and why of kill switch software. One thing became very apparent. Self-destruct mechanisms can be used for more than just expunging data.
In fact, botmasters have almost god-like authority over compromised computers. It appears that the worst-case scenario would be when an instruction from the bot's command and control server activates a process that completely destroys the operating system. Losing data doesn't seem so bad all of a sudden.
When are kill switches used?
Whether a kill switch is used or not appears to be up to the whim of the botcode developer.
I did find one exception though. It seems that a self-destruct mechanism is always part of malware targeting financial institutions. InfoStealer, ZeuS, and Nethell are three such examples.
ZeuS in particular
The ZeuS bot malware is of special interest, having successfully created at least one botnet containing over 100,000 members. The following slide, courtesy of Prevx, shows the worldwide distribution of the botnet:

As I mentioned earlier, the ZeuS botnet is entirely focused on gaining access to financial information. The security product developer Prevx describes ZeuS as:
"Information stealing software aimed at the ever-growing market for financial information stolen from banks, e-commerce Web sites and personal computers."
ZeuS is also unique in that it's for sale. This allows anyone, even those with less than stellar programming skills, to create sophisticated botnets. Prevx explains further:
"The DIY "exe builder" for the Zeus Trojan can be bought online for just US$4,000. Each Zeus Trojan build incorporates a kernel level rootkit, which means it can hide from even the most advanced security software."
There seems to be some confusion as to the cost of the ZeuS package. I've seen the price range from as low as US$700 to the US$4000 mentioned by Prevx.
Self-destruct option
If you remember, I mentioned that ZeuS is one of those special cases of bot malware that has a self-destruct option built into the software. Reverse engineering the code wasn't even necessary to determine that; the help file supplied with ZeuS was kind enough to explain the self-destruct command (courtesy of abuse.ch):
KOS: incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and/or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to "blue screen", in other cases creates the brakes. Following these steps, loading OS will not be possible!
The translation to English may not be perfect, but it's obvious that the self-destruct sequence (Kill Operating System) in ZeuS is not the kind that just destroys data files. In this case it appears that initiating the KOS command results in the botnet's computers going into a "blue screen of death" condition, preventing the operating system from booting.
KOS command issued
I'm afraid to say that all this discussion about the ZeuS malware and its self-destruct option wasn't just a what-if exercise. In early April of 2009, analysts at abuse.ch were shocked to find telltale signs that the KOS command was issued by one of the ZeuS command and control servers, effectively "Blue-screening" over 100,000 computers.
There's precious little information available as to what this means. Still if the theory holds true, at least 100,000 employees of businesses and financial institutions weren't able to do their job.
Experts wonder why
It's very clear that security experts are perplexed as to why this was done. One possible explanation is offered by Jozsef Gegeny of S21sec:
"To disappear and hide all tracks, making further analysis harder?"
Or possibly:
"The point more probably for a phisher is to earn time. Taking the victim away from Internet connection - before the unwanted money transfer is realized and further actions could be taken."
Roman Hüssy, a security expert at abuse.ch who has been instrumental in researching the ZeuS botnet, mentioned his thoughts to Brian Krebs in a Washington Post article:
"Maybe the botnet was hijacked by another crime group. Then again, maybe the individuals in control over that ill-fated botnet simply didn't understand what they were doing." "Many cybercriminals...using the Zeus crimeware kit aren't very skilled."
It's early in the discovery process; hopefully some real insight will eventually surface.
Final thoughts
As I mentioned in the beginning, security experts seemed to downplay the possibility of this happening, pointing out that botmasters work hard to develop their botnets. Why turn around and destroy them? Ironically, that still seems logical. All the same, if the 100,000 users of the victimized computers and the IT personnel that had to recover them were asked, I suspect they'd have a whole different opinion.

Chinese censorware carries botnet risk

Experts have warned of serious security flaws in the Chinese government's censorship software, which could open the door to hackers creating huge botnets.
Programming errors in the Green Dam Youth Escort software, which the Chinese Ministry of Industry and Information Technology said on Tuesday must be pre-installed on all new computers in the country, are at the root of the flaws, according to experts from the University of Michigan.
"Once Green Dam is installed, any Web site the user visits can exploit these problems to take control of the computer," wrote the university's researchers. "This could allow malicious sites to steal private data, send spam or enlist the computer in a botnet."
The warning came in a paper published on Thursday by researchers Scott Wolchok, Randy Yao and J. Alex Halderman.
The Green Dam software filters content by blocking URLs and Web site images and by monitoring text in other applications. The filtering blacklists include both political and adult content.
The researchers said that after only one day of testing Green Dam, they discovered programming errors in the code used to process Web site requests. These would result in buffer overrun conditions on all computers running the software, they said.
"The code processes URLs with a fixed-length buffer, and a specially crafted URL can overrun this buffer and corrupt the execution stack," said the researchers.
"Any Web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer."
The researchers built a proof-of-concept program to demonstrate the flaw and said it would crash any computer running Green Dam.
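As an added illustration, not Green Dam's code (the researchers published no source, and the buffer size, blacklist prefix and function names below are constructed): the fixed-length-buffer pattern the paper describes, next to the bounded version a URL filter should use so that an over-long URL is refused instead of corrupting the stack.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed size; the page does not state the real filter's buffer length. */
#define URL_BUF_LEN 64

/* Unsafe pattern (shown for contrast, only ever called with a short URL here):
 * the incoming URL is copied into a fixed-length stack buffer with no check
 * that it fits. Any URL of URL_BUF_LEN bytes or more writes past 'url' and
 * corrupts the stack frame, which is the defect the researchers describe. */
bool url_blocked_unsafe(const char *blacklist_prefix, const char *incoming)
{
    char url[URL_BUF_LEN];
    strcpy(url, incoming);   /* no bound: overrun when strlen(incoming) >= URL_BUF_LEN */
    return strncmp(url, blacklist_prefix, strlen(blacklist_prefix)) == 0;
}

/* Hardened pattern: establish the length within the buffer limit before any
 * copy takes place. Returns 1 if the URL starts with the blacklisted prefix,
 * 0 if it does not, and -1 if the URL is too long to process. A filter should
 * treat -1 as "fail closed" (block the request) rather than fall through. */
int url_blocked_safe(const char *blacklist_prefix, const char *incoming)
{
    char url[URL_BUF_LEN];

    /* memchr never scans beyond URL_BUF_LEN bytes, so an unterminated or
     * over-long input cannot run past the limit during the length check. */
    const char *nul = memchr(incoming, '\0', URL_BUF_LEN);
    if (nul == NULL)
        return -1;                       /* too long: refuse instead of overrunning */

    size_t n = (size_t)(nul - incoming); /* n < URL_BUF_LEN, so the NUL fits too */
    memcpy(url, incoming, n + 1);
    return strncmp(url, blacklist_prefix, strlen(blacklist_prefix)) == 0 ? 1 : 0;
}

int main(void)
{
    const char *prefix = "http://blocked.example/";   /* constructed blacklist entry */

    /* In-bounds inputs: both versions agree (1 = blocked, 0 = allowed). */
    printf("unsafe, short blacklisted URL -> %d\n",
           url_blocked_unsafe(prefix, "http://blocked.example/page"));
    printf("safe,   short blacklisted URL -> %d\n",
           url_blocked_safe(prefix, "http://blocked.example/page"));   /* 1 */
    printf("safe,   short allowed URL     -> %d\n",
           url_blocked_safe(prefix, "http://ok.example/"));            /* 0 */

    /* Constructed over-long URL: three times the buffer. Only the safe
     * version is given this input; it reports -1 instead of overrunning. */
    char overlong[3 * URL_BUF_LEN];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    printf("safe,   over-long URL         -> %d\n",
           url_blocked_safe(prefix, overlong));                        /* -1 */
    return 0;
}
```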
In addition, Green Dam can be used to install any other program on a computer, via a blacklist vulnerability. This problem would allow Green Dam's makers, or a third-party impersonating them, to execute arbitrary code and install malicious software on the user's computer, after installing a filter update.
Chinese government news agency Xinhua reported that Jinhui Computer System Engineering, which developed Green Dam, had said the software was not spyware.
"Our software is simply not capable of spying on internet users, it is only a filter," Jinhui is quoted as saying.
The Xinhua article did not address whether the filter itself could be used to upload spyware.
The University of Michigan researchers recommended that anybody running Green Dam uninstall the software immediately.
However, according to a translation of feedback on Jinhui's user forum, teachers and educational establishments have no choice but to use the software.
"Let me say something here," wrote one teacher. "We were forced to install the software. So I have to come to this Web site and curse. After we installed the software, many normal Web sites are banned."

Digital piracy looms over World Copyright Summit

Global piracy costs US firms over $25 billion in lost sales annually.

Movie directors, composers, authors, legal experts, policy-makers and others are meeting here this week to discuss the "threats and opportunities" the Internet poses to copyright in the digital age.

Some 500 delegates from more than 55 countries are scheduled to attend the 2nd World Copyright Summit being held on Tuesday and Wednesday at the Ronald Reagan Convention Center.

Web and software giants Google and Microsoft and representatives of movie, music and book rights societies are also among those attending the summit organized by the International Confederation of Societies of Authors and Composers (CISAC), whose president is Bee Gees brother Robin Gibb.

French Culture Minister Christine Albanel, Hollywood director Milos Forman and US Senator Patrick Leahy, chairman of the Senate Judiciary Committee, are among the nearly 100 speakers slated to address the gathering.

Looming over the summit is the threat posed to artists by digital piracy.

Organizer CISAC, listing the "key issues" for the summit, cited "How the digital media environment is providing common threats and opportunities to all creative repertoires."

Kathy Garmezy, assistant executive director for government and international affairs of the Directors Guild of America, said that while counterfeit DVDs and the like remain a concern for the movie industry, the biggest danger is on the Internet.

"The counterfeiting kind of piracy is certainly a problem," Garmezy said, "but it's so much more manageable than online piracy."

Delegates to the summit will be looking to hammer out a united approach to illegal downloading, she said.

"Just like the Internet is global, the battles are global and we can only win them with united action," she told AFP.

"We have to find a way to reach common peace between those who think the Internet is free and the artists who create the works," Garmezy said.

"This is not about spoiled artists or rich studios," she added. "It's about the act of creation and the future of it. Nobody's going to stop piracy altogether but can you keep it to a point where it won't destroy you?"

Garmezy and others praised the recent passage of a bill in France to combat Internet piracy that is considered one of the toughest in the world.

"We're adamant about taking a stand to support the French," she said.

The legislation sets up a "three-strikes" system for illegal downloaders of music or film who first receive an email warning, then a letter and finally lose their Internet account for up to a year if they are caught a third time.

Internet Service Providers (ISPs) in the United States, however, have been notably reluctant to act as copyright "enforcers."

The Recording Industry Association of America (RIAA) announced in December that it planned to stop suing people who download music illegally and focus instead on getting ISPs to take action.

Six months later, however, no ISPs have publicly signed on to the program.

Phil Crosland, an executive vice president of the American Society of Composers, Authors and Publishers, said his organization was "trying to negotiate fair payment, whether it's with Yahoo!, AOL or YouTube."

"We're finding it challenging to generate fair payment from many of these websites who are using the contents of our members," he said.

"Composers of film and TV music are missing out on this migration to a mobile and Web world."

On the Internet piracy front, Garmezy said "solutions have to be put in place that allow people to deal with the evolving technology."

Theodore Feder, president of the Artists Rights Society, which represents visual artists such as painters, sculptors and photographers, said that promises to be an uphill battle.

"The technology will always be a little ahead of the policing and the monitoring," he said.

According to industry estimates cited by the US Congressional International Anti-Piracy Caucus, global piracy costs US firms over $25 billion in lost sales annually.

Microsoft gets Bing bump, ComScore says

Microsoft is getting a bit of a Bing-related bump, according to some early figures from market researcher ComScore.
According to ComScore, Microsoft upped its search share to 11.1 percent last week, as compared to 9.1 percent the prior week. Some of that gain came from the fact that more people were using Microsoft's engine.
Microsoft's engine had 15.5 percent daily penetration, as opposed to 13.8 percent in the prior week.
Earlier data also showed Microsoft off to a solid start with its revamped search engine. Of course, the real issue is whether Microsoft can make the gains stick over time. The software maker has seen its market share tip up over time, only to again drop to single digits.
Microsoft has said it would like to pick up at least a couple points of market share over the next year. One might think that the company should expect more, given it has not only poured huge resources into the technology, but is also spending tens of millions of dollars in both a big advertising push and deals to nab the default search engine position on new PCs.
So far, Bing is off to a good start, said ComScore Senior Vice President Mike Hurt.
"These initial data suggest that Microsoft Bing has generated early interest, resulting in a spike in search engagement and an immediate term improvement to Microsoft's position in the search market," Hurt said in a statement. "So far it appears that the lifts in searcher penetration and engagement have held relatively steady throughout the five-day period."
But Hurt agreed that only time will tell whether it is a blip or a true gain. "The ultimate performance of Bing depends on the extent to which it generates more trial through its extensive launch campaign and whether it retains those trial users."
Bing went live last week after being shown off at D: All Things Digital by CEO Steve Ballmer.
Microsoft plans to continue its ad push, including the TV spots, with the current campaign eventually yielding to commercials that focus more specifically on the areas where Bing hopes to differentiate itself--tasks such as travel and product search.
Bing has managed to grab some attention inside Google. Speaking at a financial conference on Tuesday, Google CFO Patrick Pichette said the company is in the process of analyzing it. "I have a review tomorrow on it with the executive committee," Pichette said yesterday, according to Marketwatch.

Spam reduced following Pricewert shutdown

It's been almost a week since the Federal Trade Commission (FTC) had the allegedly rogue Pricewert ISP shut down, and it seems like the Internet has indeed been a safer, or I should say slightly less dangerous, place.
The FTC charged that Pricewert's distribution of illegal, malicious, and harmful content and deployment of botnets that compromised thousands of computers caused substantial consumer injury and was an unfair practice, in violation of federal law.
According to Symantec, the Cutwail botnet--one of the most notorious botnets, accounting for up to 35 percent of all spam in May across the globe--experienced a major blow to its track record after the shutdown late Thursday of Internet service provider Pricewert.
Another botnet Pricewert is allegedly involved with is Pushdo, which was also reportedly affected. Both Pushdo and Cutwail reportedly used 3FN, one of the names Pricewert did business under, for their botnet control servers.
According to the data released Monday by TRACElabs, the overall spam volume index has been reduced by 15 percent since Thursday. However, the day-by-day number has gradually increased.
This means a couple of things.
First, either the timing of these changes was a coincidence or Pricewert was indeed involved in this nasty business. It's important to note that the company has not yet been convicted of any wrongdoings. The first court hearing is scheduled for June 15.
Second, it's likely that the spammers will soon recover from this heavy blow as many similar companies are based outside of the United States, where the anti-spam laws are not strictly enforced.
Nonetheless, for now this looks like an apparent victory for the authorities and for all Internet users. In terms of its long-term impact on spam, Symantec's MessageLabs Senior Anti-Spam Technologist Matt Sergeant told CNET News: "For now, we will see spam levels lower than usual, but we expected the swift comeback of Cutwail. The spammers learned that they can't put all their eggs in one basket and need to have backup command and control."

Virtual-machine exploit lets attackers take over host

Penetration-testing company Immunity has exploited a flaw in VMware software that allows malicious code running in a virtual machine to take over the host operating system.
Immunity included the attack code in an update to its commercial penetration-testing tool, Canvas 6.47, released last week. The attack code is in a module of the tool called Cloudburst.
Cloudburst uses a vulnerability in the virtual-machine display functions of VMware Workstation that can be exploited by a specially crafted video file. The malicious file, when executed within a virtual machine, could allow an intruder to take over the host operating system, according to security researchers.
The bug itself affects VMware Workstation 6.5.1 and earlier, or the associated Player versions. The software can be running on any host system, including Linux, according to VMware.
However, the Cloudburst exploit currently has certain limitations: it will only succeed on Workstation 6.5.0 or 6.5.1 or the associated Player versions. In addition, the guest and host must be Windows-based, among other requirements, Immunity said in its release notes.
The bug, which has been assigned the Common Vulnerabilities and Exposures (CVE) reference CVE-2009-1244, was disclosed in January, and VMware issued a patch in April. However, system administrators do not always keep their systems up to date with patches, Immunity said.
The bug is dangerous partly because it works with default VMware settings, according to security researchers. Secunia, a third-party security firm, gave the flaw a "highly critical" rating.
The flaw was discovered by Immunity researcher Kostya Kortchinsky, and Immunity published a video demonstrating its attack in April.
"The exploit is amazing," Immunity chief executive Dave Aitel said in a newslist post announcing the exploit video.
Two similar vulnerabilities came to light in 2007: a memory corruption vulnerability (CVE-2007-4496) and a bug in the Shared Folders implementation (CVE-2007-1744) that could allow a guest operating system to read or write files on the host system.
However, the first bug was not necessarily exploitable, while the second required a non-default configuration to be exploitable, security researchers said.

What's your identity fraud risk level?

Many people are worried about identity fraud. Not paranoid, but generally curious about the chances they could be victimized by things like mail theft. Now there is a Web site that offers an assessment of a person's identity fraud risk for free.


The My ID Score site was recently launched by ID Analytics, which offers corporations and consumers services to protect them against identity fraud.

It scans the company's ID Network, billed as the largest identity fraud database in the United States, to see what types of activities and transactions have been made in your name.

Thomas Oscherwitz, chief privacy officer at ID Analytics, said it looks at hundreds of variables and data points and then looks for anomalies, such as credit card applications on the same day with different addresses or pre-paid cell phone purchases in a short period of time.

The site focuses on transactions that use your personal data and does not look at account fraud in which someone uses your stolen credit card or in which your credit card data was stolen in a network breach at a payment processing company, for example.

"We look at events within the network, such as whether someone is using your information to apply for credit cards," Oscherwitz said.

Within the site, most people fall within the range of 1-450, which is considered moderate risk, according to Oscherwitz. A score of 600 and above is considered high risk, he added.

The site asks for basic information such as name, address, phone number, and date of birth. It also asks for Social Security number but it is not compulsory.

The site then asks a series of multiple choice questions that a legitimate user would know--things like identifying cities I've lived in, addresses, phone numbers and middle initial.

Once the score is displayed, the site offers information for how to obtain free copies of a credit report and offers links to other sites with information about identity fraud and companies that offer monitoring services.

For consumers whose scores are high, the site partners with the nonprofit Identity Theft Resource Center to provide more information about what underlying data triggered the score, Oscherwitz said.

Hacker's Last Ditch Bid To Avoid US Justice

A British "UFO eccentric" accused of hacking into US military networks should be tried in the UK - not America - because of his mental health problems, the High Court was told.

Gary McKinnon outside the High Court

A QC appearing for Gary McKinnon, who suffers from Asperger's Syndrome, said there was "clear, uncontradicted expert evidence" that the stress of extradition could result in psychosis and suicide because of his illness.
Mr McKinnon, from Wood Green, London, is seeking judicial review of the then Home Secretary Jacqui Smith's decision last October to order extradition after previous legal challenges failed.
Mr McKinnon's supporters say he acted through "naivety" as a result of Asperger's - a form of autism which leads to obsessive behaviour - and should not be considered a criminal.
His QC, Edward Fitzgerald, accused the Home Secretary of reaching a "flawed" decision in the light of the uncontradicted medical evidence of the severe mental suffering extradition could trigger.
He told Lord Justice Stanley Burnton and Mr Justice Wilkie: "She underestimated the gravity of the situation without obtaining evidence of her own. She is simply not addressing the issue."
The US government says Mr McKinnon was responsible for the "biggest military hack of all time", involving 97 government computers belonging to organisations including the US Navy and Nasa.
Mr McKinnon has admitted hacking into the system in 2001-2, but claims he was looking for evidence of extra-terrestrial life.
The US government alleges his conduct was intentional and calculated to influence and affect it by "intimidation and coercion". It says the cost of repair totalled more than 700,000 US dollars (£436,000).
But Mr Fitzgerald said extradition was "unnecessary, avoidable and disproportionate" as Mr McKinnon could be prosecuted in the UK and was prepared to plead guilty to computer hacking offences.
Being forced to travel to America and face separation from his partner and family would impact on his Asperger's Syndrome and expose him to a high risk of serious mental deterioration, said Mr Fitzgerald.
Home Office lawyers argue extradition is justified and would not be disproportionate, given the very serious charges Mr McKinnon faces.
The US authorities had given assurances he would be provided with appropriate care and treatment.
Mr McKinnon, who began writing his own software programmes at 14, was diagnosed with Asperger's last August.
His lawyers fought a series of battles to block his removal and lost every one until earlier this year when judges ruled the fresh evidence about his health "merits substantive consideration", leading to today's hearing.
He was caught as he tried to download a grainy black and white photograph he believed was an alien spacecraft from a Nasa computer in the Johnson Space Centre in Houston, Texas.

Do most security breaches still originate internally?

Are insider threats more prevalent than externally-initiated attacks? Here's why that may not be the case.

While researching a different project, I came across some surveys in which analysts disagreed with the commonly held idea that most security breaches are the work of insiders.
That sure caught my attention especially since I just read a NetworkWorld article that mentioned:
"According to the Computer Security Institute (CSI) in San Francisco, California, approximately 60 to 80 percent of network misuse incidents originate from the inside network."
It became clear while doing research for this post that not everyone is in agreement with who would be considered an "insider". Or for that matter what a security breach amounts to. Before getting any deeper into the discussion, I'd like to submit some definitions for your approval.
Define insider
The National Threat Assessment Center (division of the U.S. Secret Service) and Carnegie Mellon University's Computer Emergency Response Team (CERT) are partners in an ongoing research project called Insider Threat Study. That's quite a team and I have no problem using their expertise to create the following definitions:
  • Insiders: Consists of current/former employees and contractors that have permission to access an organization's computer systems and network.
  • Security breach: Defined as a situation where an individual intentionally exceeds or misuses network, system, or data access in a manner that negatively affects the security of the organization's data, systems, or operations.
Started keeping track
If you remember, the NetworkWorld article used a Computer Security Institute (CSI) quote. This makes a lot of sense as the CSI group and the Federal Bureau of Investigation (FBI) have been sharing research about computer crime since 1996. Starting in 2001, they began publishing comprehensive annual reports that are packed full of information about security breaches.
Not what it seems

"Conventional wisdom says 80 percent of computer security problems are due to insiders." I remember when I first read that sentence in the 2001 survey report; I figured I finally knew where the 80 percent everyone is talking about came from. It makes sense if you think about it; insider attacks just have to be easier to pull off.
In my second read through, I realized that's not what the researchers are saying. They're saying things have changed and "conventional wisdom" is wrong as Georgetown's Dr. Denning explained in the report:
"One interesting trend is the shift of perceived threats from insiders to outsiders. For the first time, more respondents said that independent hackers were more likely to be the source of an attack than disgruntled or dishonest insiders."
OK, now I'm confused. Hang on though, the infamous 80 percent shows up yet again when the 2001 survey report quotes Dr. Eugene Schultz:
"Unfortunately, a lot of this confusion comes from the fact that some people keep quoting a 17-year-old FBI statistic that indicated 80 percent of all attacks originated from the inside."
So that's where the 80 percent came from. Still, that percentage seems rather skewed when considering today's technology. Thankfully, Dr. Schultz confirms that by mentioning:
"When this statistic was first released, it was almost certainly valid, the computing world at that time consisted to a large degree of mainframes and stand-alone PCs. Today we have a proliferation of network services (most notably worldwide Web service) available to the entire Internet community, a truly target-rich environment for would-be attackers."
That certainly puts it into perspective. All pointing to why the CSI/FBI team's research is showing that the number of external attacks is on the rise as the following graph shows (courtesy of CSI/CMP):

What about today?
So why is the 80 percent insider rule still alive and well today, as evidenced by the NetworkWorld article I mentioned earlier? Especially since CSI is being used as a reference source. Trying to understand, I read the most recent CSI/FBI Computer Crime and Security Survey (2008) to see if anything changed.
Fortunately, the CSI/FBI research team continued to use the same format, asking respondents to estimate the percentage of internal attacks they encountered. The following graph shows the results (courtesy of CSI/CMP):

The graph clearly shows that the survey respondents believe most security breaches were initiated from outside their organization. I'm not sure if that's the case with every organization, but I'm willing to bet that most network administrators have experienced a fairly dramatic uptick in external attacks this past year.
Not that simple
I also submit that determining the point of origin isn't that simple. For example, what about an external attack that successfully penetrates a network? At that point does it change to an insider attack? Not if you take my definition of insider literally, but the perimeter has been breached and the attacker obviously has elevated access privileges. Doesn't it then have all the appearances of an insider attack?
Different point of view
This past weekend, I had a chance to discuss this article with a friend, who happens to be a security analyst. I'm glad I did as he introduced a totally different viewpoint that I want to share with you.
First, he reminded me that reporting or even admitting to a security breach is a sensitive subject and not something most organizations are anxious to do. Second, he pointed out that everyone has their own agenda. For example:
  • Equipment, software, and service vendors will elevate the threat vector that helps them sell their products.
  • Companies may prefer to blame the security breach on outside threats rather than employees. It's a lot less incriminating.
  • Organizations that deal in IT security will try to invoke any sense of alarm as it justifies their existence.
Interesting to say the least and I agree that these considerations would play a part in how an organization responds.
Final thoughts
I have a few points that seem to stand out:
  • I agree with the CSI/FBI survey results that indicate external security breaches are more prevalent.
  • I feel that internal security breaches are much easier to accomplish.
  • Internal security breaches are more costly in terms of what is stolen and the resultant repercussions.
I'm not sure if my last point is true any longer. Recent news about external security breaches resulting in terabytes of Department of Defense data being stolen seems pretty significant.
Security breaches are a complicated and controversial subject to be sure. What I've presented is just one opinion and we all know that more is better when it comes to opinions. So, please let me know what you think.

Grow security army to combat threats

Working with a large pool of researchers and partners is the most effective way to combat the threats of today's complex security landscape, according to an IT industry veteran.


Alan Kessler, president of TippingPoint, told ZDNet Asia in an interview that the challenge in security today was that no one single vendor is capable of managing or meeting the myriad of threats.

"The threat landscape is changing--malware, social [engineering] and application-level vulnerabilities are increasing. When you look at that type of threat landscape, you can't just focus on one or two operating systems--it now becomes tens if not hundreds of thousands of applications, Web-based," he said. "How can any one company serve the security needs in that type of environment--you can't do it alone you have to build a platform, you have to enable that platform with powerful tools, you have to provide a way for the ecosystem to be built up around that platform."

Having a trusted platform would pave the way for security researchers and partners to invest in it, while they would also benefit by having their labor shared with "the larger commercial world". These driving forces, said Kessler, are and will continue to be the basis of TippingPoint's model--bringing together experts through its Zero Day Initiative and refreshing its intrusion prevention system (IPS) products with the knowledge learned.

Kessler, who joined TippingPoint in late January, drew a parallel with his experience at Palm, during which he led the smartphone company to its IPO in 2000. "How different could a Palm Pilot be from a high-end intrusion prevention system? Very different, but one of the lessons that I learnt at Palm is if you build a platform and you enable an ecosystem it can be very powerful."

"We signed up 25,000 application developers to write applications for Palm; we just signed our thousandth researcher as part of our Zero Day Initiative," added Kessler. "There's a lot more we can do to enable more researchers [that in turn] enable more partners to deliver more powerful solutions around an ecosystem that TippingPoint delivers, and I think that would be a big part of what you'd hear us talk about and execute moving forward."

Kessler, who carries not a Palm device but a Blackberry Bold these days, acknowledged that the company had to "continue to have wonderful products" but having just that was no longer enough.
"You might even hear us talking more about the services that we enable, and less about IPS. IPS is a tool, but it's really the value that we bring to our customers that matters most," he explained. "We'll sound less like a product and more like a platform. We'll talk probably less about feats and speeds and more about the different partners and the ecosystem we build around our solution."
More emphasis on Asia
The company also has ambitious plans for the Asia-Pacific region, said Kessler. These include doubling its headcount in the region from the current 30, as well as setting up local offices in countries such as Malaysia.
Much of the activities will be centered in Southeast Asia, a high-growth area for TippingPoint. In the last year or so, the company has set up offices in Indonesia, the Philippines and Thailand.
On the whole, Kessler noted he was pleased with the progress the company has made since he took over at the helm. "[U.S.] President [Barack] Obama had his first 100 days a little before I did. I didn't run a deficit; I made money--he didn't," he joked.

Scammers using search optimization on Twitter, Google

Online scammers are targeting people looking for popular topics on Twitter and Google to lure them to Web sites that display fake security warnings and try to sell them antivirus products, PandaLabs said on Wednesday.
This technique isn't new, but seems to be widening on Google and is particularly successful on Twitter where links are spread fast and furiously and people often don't think before they click.
In the Twitter scam, hundreds of fake accounts have been posting tweets that reference the band Phish, which has a cult-like following, according to a PandaLabs blog.
There were so many of the tweets, which say "PhishTube Broadcast," that the term showed up in the Trending Topics list. The tweets contain links that eventually lead to spoof porn pages that infect victims with the fake antivirus malware if they click anywhere on the page, PandaLabs said.
PandaLabs researchers also discovered links to malicious Web sites high up in searches on Google for "Microsoft" and its "Project Natal" gaming technology. The malicious sites display fake messages saying the computer is infected with viruses and offer to sell antivirus software.
The researchers then tried other popular searches and found 16,000 malicious links targeting "YouTube," 10,500 targeting "France" and "airline crash" and thousands of others targeting people searching on "E3," "Sony," and "Eminem" with "MTV Awards" or "Bruno," according to another PandaLabs blog post.

S'pore bank refutes Trojan attack claim

A new Trojan horse is targeting customers of Singapore's local banks, a local newspaper has warned, but one of the banks identified has refuted the claim.
The Trojan, which directs users of infected computers to a fake Web site that closely resembles their real banking portal, is capable of stealing log-in information before the legitimate site encrypts it, The Straits Times reported Wednesday.
During the process of logging into an online banking account, the transaction appears to freeze, prompting the user to provide the information multiple times, which the Trojan records.
The paper said the three big local banks--DBS Bank, OCBC Bank and United Overseas Bank (UOB)--were alerted to the Trojan late last month. Citing an advisory posted on the UOB Web site, The Straits Times said cybercriminals could "make unauthorized fund transfers within a short period of time".
Banks in Singapore routinely put out advisories to alert customers of possible threats to their online banking accounts and activities. Online banking users here use two-factor authentication to log into their accounts and may be required to do the same when they perform transactions that involve greater risk, such as third-party funds transfers.
Both DBS and OCBC indicated in their advisories that the Trojan is affiliated with "Banker". DBS included links to the security companies McAfee and Symantec, which identify the Trojan as PWS-Banker.cz and Infostealer.Banker.C, respectively.
The Trojan variant was also confirmed by a separate source from the banking industry in Singapore.
Low-risk threat
Both Symantec and McAfee rated the Trojan as a low-risk threat. Symantec, which last updated the profile on May 8, said the number of infections was under 50 and listed threat containment as "easy" although it accorded a damage level of "medium".
McAfee released information about PWS-Banker.cz on May 22, and maintained that the risk to both the corporate and home users was "low".
When asked, Symantec was unable to provide the geographical spread of attacks, but ZDNet Asia understands that the threat could impact any bank customer regardless of geographical location or type of banking service offered.
According to UOB, its "site was never targeted" by the Trojan. "Various security solution providers have confirmed this fact for us," a UOB spokesperson said in an e-mail.
"The bank has in place Internet technologies that track and monitor all incoming traffic. This is enforced as part of the bank's existing suite of security measures and independent of any potential threats like the latest Trojan program," the spokesperson explained. "One vital step in our ongoing efforts to ensure a safe online environment for our bank customers is to proactively engage and alert our customers of any potential threats that may surface."

Asian telcos less stringent on security

Telcos and service providers in the Asia-Pacific region are paying less attention to network security standards, compared to their Western counterparts--opening the door to potentially large implications, said a Nokia Siemens Networks (NSN) executive.
Keith White, head of NSN's security practice for Asia-Pacific, told ZDNet Asia in an interview that over the past 12 months the company has noticed a trend among telcos in the region toward meeting "just the minimum" security and compliance standards. Service providers in the United States and Europe are comparatively "more regulated" in that respect, he noted, citing the recently announced U.S. cybersecurity agency as an example.
By contrast, Asian telcos are not governed by a strict mandate to adhere to security standards, resulting in "a lot of ad hoc security implementations".
"A lot of service providers just deploy security to a level they think is reasonable", making the level of enforcement "very subjective", said White.
And this trend will get increasingly worrying as telcos start moving to all-IP networks, which opens new vulnerabilities, exacerbated by the lack of adherence to a set of strict security standards and operators' haste to roll out networks as quickly as possible, he added.
"Telcos are used to working on closed networks. As we start to install networks [with] equipment that is IP-addressable, these are accessible from anywhere in the world," said White. Networks can be "simply" compromised by a user with access to a default administrator account, by brute force, or by distributed denial-of-service (DDoS) attacks.
Adding to the threat is a new trend NSN discovered over the past three months, added White.
He said some equipment is shipped with a second default administrator password, leaving a backdoor open to unauthorized access. Worse, it is not "standard security procedure" for service providers to check for this vulnerability, leaving many networks open as a result.
Even if enterprises secure their networks with virtual private network (VPN) software, traffic handled over the public Internet will grind to a halt when networks get compromised. "The actual information is relatively secure, but if the infrastructure goes down, it's like chopping the bridge down," said White.
Telcos in the region "don't want to spend any more than they have to on security... Governments really have to step up and enforce standards", said White.
With networks in the region being rapidly upgraded to catch up to the West, security standards should be ramped up to match, he said.
Pointing to Singapore's planned next-generation National Broadband Network (NBN) as an example, White said: "We are ramping up our infrastructure in the region, but not any mandated security requirements that are going with it."

Hackers Tunnel In Via DirectShow

As Microsoft steps up its security efforts for its products it seems that hackers are just as fervent in their pursuits.

For the third time in as many months, Microsoft has issued an out-of-band, critical security advisory for remote code execution exploits on one of its products. This time, there's a bug in DirectShow, meaning that any browser utilizing a multimedia plug-in relying on DirectShow is also vulnerable.
According to a recent Microsoft Security Response Center blog post, hackers are using malicious QuickTime files to hijack PCs via DirectShow as a conduit.

"The vulnerability could allow remote code execution if [the] user opened a specially crafted QuickTime media file," the company said in the advisory. "Microsoft is aware of limited, active attacks that use this exploit code."
Former Microsoft Security Honcho Joins Feds
The U.S. Department of Homeland Security on Tuesday named former Redmond cyber security manager and policy wonk Phil Reitinger as director of the National Cyber Security Center. Reitinger succeeds Rod Beckstrom and according to the DHS, is charged with "collecting, analyzing, integrating and sharing cybersecurity information across all the federal agencies."

Reitinger was once both a director and senior security strategist with Microsoft's Trustworthy Computing Security Team, after having been Executive Director of the Department of Defense's Cyber Crime Center.
Reitinger's appointment comes on the heels of a major initiative by the Obama administration to at least scratch the surface in figuring out what domestic and global challenges in IT security are for the public and private sectors.
In that announcement, Obama also announced a new White House position to be filled, called the cybersecurity coordinator. There's no word on how instrumental Reitinger will be in a process that will involve many cooks in the proverbial IT security pro kitchen as the process goes forward.
Apple, RIM Patch Flaws
Apple issued patches for QuickTime and iTunes. The updates, first released on Monday, are designed to remedy at least 10 QuickTime holes and one vulnerability in iTunes. Apple said the flaw transcends the aisle, affecting both Windows and Mac-based versions of QuickTime 7.6.2 and iTunes 8.2.
Research in Motion Ltd. rolled out a patch for another flaw in its BlackBerry Enterprise Server's attachment service. Apparently the snafu with potentially malicious .PDF files continues to plague the hardware maker.
A year ago, RIM issued a similar patch to stop malicious code that was distributed via a cluster of updates to BES systems. Like that patch, the most recent one is designed to fix a bug in BlackBerry's attachment download mechanism, which enables users to open up documents from the mobile device.
As enterprise use of Adobe or other PDF-type files on Blackberry devices grows, this will no doubt be an issue that RIM will continue to grapple with and try to fix every time it occurs.
Twitter "Twoubles" Continue
I'm plumb out of witty "twitterisms" to describe the ongoing security breaches on the popular micro-blogging and social networking site. But incursion incidents are nonetheless still occurring. Late last week, Twitter users were again being duped into disclosing login and password details to a Web site called TwitterCut that takes their information and then spams a given user's "followers" with messages disguised as if they were coming from the compromised user profile.
Security vendor F-Secure opines that the TwitterCut homepage looks so similar to the real login page that users logged in and immediately found out they'd been had.
The hosts of TwitterCut claim they had no ill intent and were instead trying to utilize Twitter as an avenue to create followers quickly and leverage hits and viewership for online ad sales. TwitterCut's creators claim they procured the Twitter login script for 50 bucks. The site has nonetheless been marked by Microsoft and others as a malicious Web site and will show up in IE and other browsers as such.