February 2016 Feature Article: DDoS and DDoeSn't
Table of Contents

DDoS and DDoeSn't
TalkTalk Scammers
ESET Corporate News
The Top Ten Threats
Top Ten Threats at a Glance (graph)
About ESET
Additional Resources

DDoS and DDoeSn't

David Harley, ESET Senior Research Fellow

DDoS and the Luck of the Irish…

…which seems to have taken a hit recently. In fact, several hits, at any rate in terms of DDoS (distributed denial of service) attacks.

The Irish Independent reports Multiple government websites down as servers under 'DDoS attack'. John Leyden, writing for The Register, has also followed the story/stories, with his most recent (at the time of writing) article hinting at a link between attacks on the boards.ie discussion forum, on the Irish National Lottery, and on government sites as reported in the Irish Independent. This speculation is probably based on a pseudonymous claim that the first attack was the start of a 'national security audit'.

Misattribution and Misdirection

However, that message also claimed that the next victims would be 'news outlets and financial institutions'. It would be naïve not to consider the possibility that a tip from a pseudonymous source might be deliberate misdirection, and it certainly seems highly improbable that this might be some sort of officially-sanctioned testing.

It might, of course, be a highly unofficial group flexing its muscles at the expense of any target that takes its fancy. In that case, the implicit link some articles have made with recent attacks on the BBC might, at a stretch, make a little more sense: the BBC's Rory Cellan-Jones asserts that he's been contacted by a group in the US called New World Hacking. The group claims that its speciality is attacking Daesh/ISIS/Islamic State, and that it was simply using the Beeb as a target in order to test the group's systems. Well, that's all right then. However, it doesn't seem particularly likely that the same group would be carrying out unofficial testing on sites in Ireland.

The fact is, though, that at the time of writing we don't have enough information to establish links, or indeed much else. After all, the details of the BBC incident remain misty (with a chance of goofballs), and as far as I know, links with other known attacks are speculative at best.

The Lottery incident is at time of writing 'still under investigation'. And while I can't say for sure that it wasn't related to any of the other incidents, I tend to equate a lot of DDoS with ransomware, since it's often used for purposes of extortion. That said, it can be used in other motivational contexts such as hacktivism (which I guess would include attacks on fundamentalist sites), and even simple notoriety/hacker kudos. Still, gambling sites are a classic target for extortion-related DDoS.

Show me the Money

I remember being somewhat taken aback in the early noughties to hear at some conference or other that security services were expending a lot of resource on working with online casinos and such on mitigating DDoS attacks. That was at a time when DDoS was a comparatively recent phenomenon, and the more highly-publicized attacks were against big companies like Microsoft, Yahoo!, eBay and so on. So it wasn't so much the phenomenon that surprised me – after all, I'd been closely involved with a heavy-duty conference workshop on mitigation techniques hard on the heels of Stacheldraht, Trin00 et al – as the prioritization. Of course, it makes sense for extortionists to go for gambling sites – as Willie Sutton might have said, that's where [quite a lot of] the money is – and indeed they do. I did wonder if protecting such sites was the best use of tax dollars, though: I must have been more idealistic in those days.

DDoS and DDoeSn't

It does slightly concern me that several articles give contradictory and inaccurate information about what a DDoS attack is. So here's a very terse summary.

DoS is short for Denial of Service – any service. It isn't necessarily an attack at all (you could call it a denial of service when a site stops working properly because it can't handle the number of people trying to access it) but when it is – and that's when the term is most often used – it frequently refers to an attack against a web site, with the result that legitimate users of whatever services are offered on the site are no longer able to access those services, or access to the system and services is unreliable.

DDoS stands for Distributed Denial of Service. This is a DoS event where the attacks come from multiple systems: this is a common use for systems compromised by malware which have become – normally without the knowledge of the owner – part of a botnet. A botnet is a network of machines where agent software is installed that can be used to control their actions. (A botnet isn't necessarily malicious or operated covertly by definition, by the way, but these days that generally is the case.)

A Trouble Shared

Sharing an attack (or other malicious action, such as a spam campaign) means that not only is the specific malicious action amplified (that is, multiplied by the number of systems used), but the attack is harder to counter because of the Hydra-headed nature of the machines from which it originates.

To take a simple example, one type of DoS attack is to keep sending requests for service to a site so that the site is overwhelmed by the number of requests and unable to respond in a timely fashion (or at all) to a legitimate request. Even a single home computer can send lots of requests per second. However, if the server is reconfigured to reject requests from that PC, the problem is resolved. But if the malicious requests or packets (units of data) are being sent from thousands of PCs at the same time, breaking the connection with a single PC doesn't help much, and it makes it harder to find the originator of the attack. That is, the person who's controlling the machines used to implement the attack. In that case, the service provider has to find other ways of distinguishing malicious traffic from legitimate traffic.

Fortunately, there are many approaches to filtering out malicious traffic, but there are also many kinds of DDoS attack, so there is plenty of work for security and network providers in that market.
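The point above (rejecting one chatty PC resolves a simple flood, but a flood spread over thousands of PCs never trips a per-source rule) can be shown over constructed access-log lines; this is an added example, not code from the report, and every IP address, log line and threshold in it is constructed.

```python
"""Added example (not from the ESET report): per-source blocking works against a
single flooding client but not against a distributed flood, so a defender
needs an aggregate signal. Every IP address, threshold and log line here is
constructed for the demonstration."""
import re
from collections import Counter, defaultdict

# Constructed log format: "<epoch-second> <client-ip> <request line>"
LOG_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) (.+)$")

# Three constructed legitimate clients, one request each in second 100.
LEGIT = [f"100 192.0.2.{h} GET /index.html" for h in (10, 11, 12)]
# 300 constructed bot addresses standing in for compromised home PCs.
BOTNET = [f"10.0.{i // 256}.{i % 256}" for i in range(300)]


def parse_log(lines):
    """Yield (second, ip, request) tuples, skipping malformed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def per_source_peak(events):
    """Peak requests-per-second seen from each source address."""
    buckets = defaultdict(Counter)  # ip -> second -> request count
    for sec, ip, _ in events:
        buckets[ip][sec] += 1
    return {ip: max(c.values()) for ip, c in buckets.items()}


def classify(lines, per_ip_limit, capacity):
    """Return (noisy_sources, overloaded_seconds, distinct_sources).

    noisy_sources: addresses exceeding per_ip_limit req/s (the per-source
    rule that suffices against one chatty PC).
    overloaded_seconds: seconds where total load exceeds what the server
    can serve (the aggregate signal a DDoS still trips).
    """
    events = list(parse_log(lines))
    noisy = sorted(ip for ip, r in per_source_peak(events).items() if r > per_ip_limit)
    total = Counter(sec for sec, _, _ in events)
    overloaded = sorted(sec for sec, n in total.items() if n > capacity)
    return noisy, overloaded, len({ip for _, ip, _ in events})


def build_flood(second, sources, per_source):
    """Construct log lines: each source sends per_source requests in `second`."""
    return [f"{second} {ip} GET /index.html" for ip in sources for _ in range(per_source)]


def drop_sources(lines, blocked):
    """Simulate reconfiguring the server to reject the listed sources."""
    blocked = set(blocked)
    return [l for l in lines if l.split(" ", 2)[1] not in blocked]


def run_scenario(attack_lines, per_ip_limit=50, capacity=200):
    """Classify traffic, apply per-source blocking, classify again."""
    flood = attack_lines + LEGIT
    before = classify(flood, per_ip_limit, capacity)
    after = classify(drop_sources(flood, before[0]), per_ip_limit, capacity)
    return before, after


def single_source_scenario():
    """One PC sends 500 requests in a second: per-source blocking resolves it."""
    return run_scenario(build_flood(100, ["203.0.113.7"], 500))


def distributed_scenario():
    """300 PCs send 2 requests each: nobody trips the per-source rule, yet the
    aggregate still exceeds capacity, so the block list stays empty."""
    return run_scenario(build_flood(100, BOTNET, 2))


if __name__ == "__main__":
    for name, fn in (("single source", single_source_scenario),
                     ("distributed", distributed_scenario)):
        before, after = fn()
        print(f"{name}: before={before} after={after}")
```

In the distributed case the only remaining signals are aggregate ones (total load, number of distinct sources), which is why the provider has to look beyond per-source blocking.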

Opportunity, Means and Motive

We've already touched on a couple of the reasons someone might carry out a DDoS attack: extortion ("pay me or I'll blitz your website so that people can't use it" – major sporting events often coincide with extortion demands) and hacktivism ("I don't like what your site represents and I'm going to stop you doing it"). It's very common for groups of one political persuasion to attack sites owned by rival groups or groups and organizations holding opposing opinions. In fact, this kind of tussle is what is often meant by the rather woolly term 'cyberwarfare'.

Other motives might include revenge, or damaging the reputation of a competitor and its ability to execute transactions. While it's more common than it should be for 'legitimate' companies to pay a botmaster for DDoS attacks on their competitors, it's also common for criminal gangs to use their resources against their criminal rivals.

Conclusion

To the everyday user, a DDoS attack is mostly an interesting news story, maybe the cause of some personal inconvenience if it stops him or her accessing a particular service.

But there may be more to it than that. I've seen DDoS described as 'attacks without hacking'. I think what is meant by this is that a DDoS attack isn't in itself used to install malware or steal data. (Though it can certainly be used in association with more intrusive kinds of attack.) In any case, it can certainly involve sophisticated programming at some stage in the process – for example, the malware that is used to infect a PC and recruit it into a botnet. And that means that it can affect you at a more personal level without your necessarily being aware of it.

If your computer has been compromised by malware, it could be that it's being misused for a variety of malicious purposes, including DDoS attacks. And that's before we even consider the direct impact that a malicious program might have on your own security, privacy, and financial well-being.

So that's just one more good reason for being careful out on the Internet, being careful where you click, and running good security software.

TalkTalk Scammers

Shaun Nichols reports for The Register on Indian call centre workers accused of harvesting data. The call centre in question is Wipro, which provides services on behalf of TalkTalk, an Internet Service Provider in the UK.

According to TalkTalk's own statement, it has been

'…working with Wipro, (a call centre provider to TalkTalk and a number of other major businesses) and the local Police in Kolkata. Acting on information supplied by TalkTalk, the local Police have arrested three individuals who have breached our policies and the terms of our contract with Wipro. We are also reviewing our relationship with Wipro.'

It's not clear from that statement exactly what the breach was, though TalkTalk's own advice on scam phone calls, linked from the press release, mentions suspicious behaviours in which TalkTalk does not engage:

We'll NEVER call, text, or send links and attachments over email asking to ‘remote connect’ to your computer, unless we have had a specific request from you.

TalkTalk will NEVER call, text, or send links and attachments over email asking you to download software onto your PC, unless you have previously contacted us, discussed and agreed a call back for this to take place.

For Channel 4 (that's the one in the UK), Geoff White links the arrests with a story from last December about 'a wave of thefts in which scammers used the hacked data to impersonate TalkTalk staff.' However, the scam in this instance was more complex and even uglier than the average 'your computer has a virus but we can fix it for you, for a fee' cold call. One of the victims told Channel 4 that they would send someone the next day to fix the problem, but that they would be paying her £200 'for her trouble.' However, they tricked her into thinking they'd overpaid her, and thus into wiring £5,000 to someone in Bangkok. The mechanism behind the con is unclear, but the article states that the scammers had hacked the victim's computer so that 'when she logged into her bank to get the refund, they tricked her into thinking they’d overpaid her.'

If the December story is accurate, it suggests an interesting merging of a support scam with a direct hack against her system to implement a variation on the classic 'overpayment scam' so beloved of 419 and other scammers. However, that story also links the scam to the hacking of TalkTalk in November. White claims that Wipro's name came up when he was researching that story, though he doesn't say that the Kolkata police investigation into Wipro is a direct result of the story.

The details remain murky – did the scammers in the December story use information from the November hack, or from the Wipro staff currently under arrest? – but as Graham Cluley pointed out, with reference to the November hack:

"The truth is that even if the data taken from TalkTalk’s database isn’t in itself enough to commit identity theft, it can be used by criminals to help them steal more information (there are already many reports of TalkTalk customers being contacted by scammers via the telephone, pretending to be calling from the real company)"

It's interesting that the news is breaking at around the same time as there has been speculation about data records that may have leaked from Dell and been misused subsequently by support scammers (as discussed in the January 2016 Threat Report). I'll be interested to see how the stories develop over time, and whether any of that speculation is borne out.

[And indeed the Dell story has been developing, even if it's not yet entirely clear what has been happening: see my article for Infosecurity Magazine on Support Scammers Targeting Dell Customers.]

ESET Corporate News

ESET placed for the first time in the “Visionaries” Quadrant of Gartner’s 2016 Magic Quadrant for Endpoint Protection Platforms

ESET announced that Gartner, Inc. has recognized it as a Visionary in the latest Magic Quadrant for Endpoint Protection Platforms, a report published on February 1, 2016. ESET is positioned highest for its ability to execute in the Visionaries quadrant.

The latest report evaluated 18 vendors on 10 weighted criteria and placed ESET in the “Visionaries” quadrant, moving it from its previous categorization in the “Niche Players” quadrant.

“We consider our positioning in the Magic Quadrant for Endpoint Protection Platforms by Gartner as confirmation of ESET‘s success in delivering technologically advanced, market-leading IT security solutions that enable enterprises and SMBs to achieve more with their businesses,” said Richard Marko, CEO at ESET. “We feel our continuous effort to deliver award-winning threat intelligence, balanced with usability, performance and agility, has been recognized.”

The new Gartner Magic Quadrant report provides a comprehensive analysis of the top endpoint security vendors, and an overview of the endpoint protection platforms market. The full report is available at http://www.eset.com/int/business/gartner-magic-quadrant-endpoint-platforms.

Highlighting British Expansion, ESET Opens Office in the United Kingdom

ESET continues to focus on its expansion in Western Europe and in the United Kingdom in particular. Starting in February, ESET has opened a sales and distribution office in the UK by acquiring its long-term partner company there. In 2015, ESET acquired data encryption company DESlock which is also UK-based, highlighting ESET’s focus both on market position and technology outreach.

“We have confidence that fusing the local ESET UK team with our global talent, its know-how and experience, creates the perfect mix to strengthen our market position in Britain," says Richard Marko, CEO at ESET. The company has been present in the UK market for more than a decade thanks to its relationship with its partner company. In line with ESET’s strategy, it recorded double-digit sales growth in the UK in 2015.

Establishing a direct ESET office in the UK is part of the company’s long-term strategy to boost market growth in EMEA's top IT security market, the United Kingdom, and to continue year-to-year double digit growth in sales. Along with the regional EMEA office ESET already has, there are also now eight local offices and research & development centers based in the European Union as well as an extensive network of European partner companies. The opening of the ESET UK office follows the establishment of the German office in 2013.

ESET Joins Campaign Supporting President Obama’s Call for Raising Cybersecurity Awareness

ESET has announced that it is joining technology industry leaders in supporting increased cybersecurity awareness and encouraging consumer use of multi-factor authentication to improve online security. Together with Google®, Apple®, Facebook®, Amazon® and other leading technology companies, ESET signed a letter to the National Cyber Security Alliance (NCSA) supporting President Obama’s effort to increase awareness of key security steps that all Americans can take.

“ESET is committed to not just protecting users with our security products, but educating consumers and businesses so they can live safer digital lives,” said Andrew Lee, CEO at ESET North America. “We look forward to continuing our work with the NCSA and industry partners to reinvigorate our collective cybersecurity education efforts and raise awareness of multi-factor authentication.”

Using multi-factor identification ‒ for example, a one-time code texted to a mobile device ‒ helps verify that a user has authorized access to an account. Activating this technology is a simple way for consumers to protect their online identity and safeguard sensitive personal data.

The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1 Percentage Detected: 4.0%

Win32/Bundpil is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed and HTTP is used for communication with the command and control server (C&C) to receive new commands. The worm may delete files with the following file extensions:

*.exe

*.vbs

*.pif

*.cmd

*Backup

2. LNK/Agent.BZ

Previous Ranking: 2 Percentage Detected: 3.24%

LNK/Agent.BZ is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

3. LNK/Agent.AV

Previous Ranking: 4 Percentage Detected: 2.0%

LNK/Agent.AV is another link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

4. JS/TrojanDownloader.Nemucod

Previous Ranking: N/A Percentage Detected: 1.52%

JS/TrojanDownloader.Nemucod is a Trojan that uses HTTP to try to download other malware. It contains a list of URLs and tries to download several files from those addresses. The files are then executed.

5. Win32/Sality

Previous Ranking: 8 Percentage Detected: 1.47%

Sality is a polymorphic file infector. When it is executed, registry keys relating to security applications in the system are created or deleted, and keys are set to ensure that the malicious process restarts each time the operating system is rebooted.

It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

6. HTML/iFrame

Previous Ranking: 6 Percentage Detected: 1.44%

HTML/IFrame is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location serving malicious software.

7. Win32/Ramnit

Previous Ranking: 10 Percentage Detected: 1.42%

This is a file infector that executes every time the system starts. It infects .dll (dynamic-link library) and .exe (executable) files and searches for htm and html files into which it can insert malicious instructions. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files from a remote computer and/or the Internet, and run executable files or shut down/restart the computer.

8. JS/TrojanDownloader.Iframe

Previous Ranking: 5 Percentage Detected: 1.40%

JS/TrojanDownloader.Iframe is a trojan that redirects the browser to a specific URL location serving malicious software. The malicious code is usually embedded in HTML pages.

9. LNK/Agent.BS

Previous Ranking: 9 Percentage Detected: 1.39%

LNK/Agent.BS is another link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

10. HTML/ScrInject

Previous Ranking: 7 Percentage Detected: 1.35%

Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.

Top Ten Threats at a Glance (graph)

Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with 4.0% of the total, was scored by the Win32/Bundpil class of threat.

About ESET

ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company has continued to lead the industry in proactive threat detection. By obtaining its 91st VB100 award in April 2015, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organizations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in the United Kingdom, Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries.

More information is available via About ESET and Press Center.

Additional Resources

Keeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources please visit the ESET Threat Center to view the latest:

ESET White Papers

WeLiveSecurity

ESET Podcasts

Independent Benchmark Test Results

Anti-Malware Testing and Evaluation