World Cyberwar I

Minor skirmishes in preparation for an all-out cyberwar have been taking place in the Middle East for a number of years now. Since the Stuxnet attack on Iran’s nuclear facilities in 2010, the region has seen a number of attacks on key infrastructure. These attacks have been troubling but have intentionally been kept at a level calculated to irritate rather than cripple. No nation in the region will declare an all-out cyberwar unless it is already in a declared conventional war. The reason for this is that cyberwar is a zero-sum enterprise. All the major players have cyber weapons that could severely damage the infrastructure of the other players, and attacking a rival nation will almost certainly bring an identical cyber response from the attacked nation. That is the only factor that has kept most of these attacks at the espionage level. There have been a few exceptions, such as the Iranian attack on Saudi Aramco last December, but such attacks have been heavily obfuscated to the point where absolute attribution cannot be assigned. Maybe so, but most cybersecurity experts have little doubt that Iran was behind the Aramco attack.

Now, the situation may have changed. Israel has put Iran in its sights. It will only take one key event by either adversary to set off a chain reaction that will lead to the first declared cyberwar. I suggest that the situation is similar to the state of the world before World War I. In that scenario, one event, the assassination of Austria’s Archduke Ferdinand by a schoolboy, triggered preset alliances into a wartime footing.

In World War I, the assassination of the Archduke forced the Austro-Hungarian Empire to declare war on Serbia. However, Serbia was aligned with Russia, which, in turn, declared war on the Austro-Hungarian Empire. The entrance of Russia into the fray led Germany to declare war on Russia. France then declared war on Germany and the Austro-Hungarian Empire. Germany then invaded France, which pulled Great Britain into the war. Japan, the United States, and Italy entered the war later.

In the Middle East, Iran is allied with Syria, Lebanon (Hezbollah), the Palestinian Authority, and Russia. It considers Israel, Saudi Arabia, and the US as its enemies. Egypt has grown closer to the US and has historic animosity towards Iran. Turkey is in a tough position. Although Turkey has traditionally been antagonistic towards Saudi Arabia, they have a common enemy in Iran, which may be enough to pull Turkey into any conflict that develops. Turkey has always wanted Assad out as the leader of Syria and resents the fact that both Russia and Iran are helping him maintain his power. The United Arab Emirates has mixed feelings towards Iran. Iraq has been friendlier towards Iran after Saddam Hussein’s departure, but they have enough problems to solve in their own country and will likely try to avoid being drawn into any conflicts. The US will stand with Israel. Whether the US’s European allies will offer more than moral support is difficult to say, but they may be drawn in under some circumstances. Interestingly, the only major country that might be able to avoid this conflict is China.

So who are the greatest cyber powers among these players? The US must be considered the strongest, with Russia second, Israel third, and Iran a close fourth. All are among the world’s top cyber powers and each is able to deliver devastating cyber attacks.

An official declaration of war would not be necessary for an all-out cyberwar to begin. If confrontations between major participants are severe enough to threaten the existence of one of the parties, cyberwar will ensue. Any nation pushed into a corner will use whatever weapons it has at its disposal, believing it no longer has anything to lose. Here, briefly, are the types of attacks that would take place during such a cyberwar.

Attacks on Industries Related to the War Effort

Don’t expect the target to be obvious. It may not be a main aerospace industry that is attacked, but a smaller industry that makes a key component. A sophisticated attack would attempt to alter the parameters of such components so that they malfunction when used. This is basically what Stuxnet did to Iran’s centrifuges. Most participants would try to find ways to cause weapons to misfire. Russian hackers infected an app that helped the Ukrainian artillery hit targets. They purportedly infected the app to send out geolocation signals which, in turn, transformed the artillery into targets. Some have claimed that Russia is using Ukraine to hone their cyberwar skills.

There are other ways to target key industries. They may be hacked to get information that can be used by the adversary. They may be undermined with a DDoS attack so that their internet connectivity is disrupted. Or their networks may be injected with malware that either holds crucial information for ransom or destroys it outright.

Attacks on Infrastructure

Infrastructure attacks are the scariest aspect of an all-out cyberwar. Most people think such an attack would simply mean that their lights go out for a while. However, it is far worse than this. Here are some implications of such an attack on a power grid.

Financial Breakdown

Without electricity, how will you use an ATM? How will companies and banks transfer money? How will the stock market operate? Forget about using your credit cards. It will be back to a cash-only society, and stores will not be able to use cash registers. Cashiers will have to add up prices by hand and figure out how much change to give you. Imagine waiting in those lines. If you use your smartphone for banking, that will only work until the battery runs down, and only if the internet is still operating. But that won’t matter, because if you expect your pay to be electronically transferred to your bank account, it won’t be.

Transportation Breakdown

You can imagine the chaos that would ensue if all traffic lights were suddenly turned off (or, in some scenarios, all turned to green). Trains and planes could not operate. Gas pumps could not pump gas. People could die in plane crashes when air traffic controllers cannot communicate with pilots. Others could be trapped in elevators and subways. In short, all transportation, other than bicycles, will come to a stop.

Health Breakdown

Hospitals have generators, which will operate as long as their fuel supplies last. The lives of patients on life support systems will be in continuous jeopardy. Food will spoil as freezers stop operating. If the grid stays down for a long time, starvation may become a problem. Water pumps will stop. Water purification systems will not operate. Toilets will not flush. Sewage treatment systems will fail. Ambulances will not be able to save the rapidly increasing number of accident victims, either because roads will be blocked with abandoned vehicles or because fuel will be impossible to come by. Without streetlights and alarms, crime will certainly begin to rise.

Industrial Breakdown

Industries will be unable to operate. Manufacturing will stop. Important products, such as canned foods, would not be produced. Weapons and their components would no longer be manufactured. Basic commodities, such as oil, iron, and grains would not be available if such attacks continue for a long time. Large farms would be unable to supply food processing plants with their produce as they could not transport their crops. Without feed, animals will die.

[Image: industry attacks]

Information Breakdown

Normally, the first hacks that occur in a war are those on media. Adversaries will try to infiltrate each other’s media in order to shut the outlets down, disseminate misinformation, or spread propaganda. Social media accounts will be hacked to make major players in the conflict look bad. High-profile government agencies will be breached to make them look incompetent and vulnerable.

If the past is any indication of the future, the following graph shows the sectors most likely to be affected by an infrastructure attack.

[Image: cyber attack sectors]


It seems evident that a full out conventional war will now incorporate cyber weapons. However, it is also possible that a serious cyber attack could cross the digital-analog divide and precipitate a conventional war. After all, if a country’s citizens were killed or seriously threatened by a cyber attack, there would be justifiable reason to retaliate physically. Indeed, this has already been taken into account by the members of NATO. In 2014, the NATO members agreed that a serious cyber attack on any of its members would trigger Article 5. Article 5 states that any “attack against one or more of them in Europe or North America shall be considered an attack against them all”. So could a serious cyber attack on the US pull NATO members into a Middle East fray? That certainly seems possible if the cyber attack was severe enough.

But is it really possible to launch a cyber attack that is devastating enough to start a war? Maybe, but it would be difficult to organize without being discovered, and it would be so costly that it could probably only be pulled off by a nation-state. Even if the attack was successful, it may not be sustainable, and sustainability is crucial for devastating damage to occur. The BlackEnergy Trojan attack on Ukraine, probably the largest such attack in history, only managed to cut off power to about 1.4 million people for a few hours: a bad, but not devastating, attack, which probably cost more to organize than it was worth.

Sustained attacks, lasting 6 months to a year or more, are said to possess the potential to kill large numbers of people. According to former director of the Central Intelligence Agency (CIA), R. James Woolsey, in a widespread, sustained attack, “two-thirds of the United States population would die. The other estimate is that within a year or so, 90% of the U.S. population would die. We’re talking about total devastation. We’re not talking about just a regular catastrophe.” Although most experts consider this an exaggeration, numbers in the 10 to 20 million range are quite plausible.

As you are reading this, Israel’s elite cyber intelligence group, Unit 8200, is practicing defending itself against anticipated Iranian cyber attacks. The cybersecurity firm CrowdStrike has reported a sharp increase in malicious cyber activity coming out of Iran. No longer constrained by the nuclear agreement, the Iranians feel emboldened to attack adversaries, and especially the US. Both Israel and the U.S. will be attacked. They will, in turn, strike back. Israel’s prime minister, Netanyahu, professed that “Whoever hits us will get hit seven times over. Whoever prepares themselves to attack us will be attacked first. That is what we have done and that is what we will continue doing.” If Iran’s cyber attacks are met with this type of resistance, it will be a short path from incident to full-out war.


The Dangerous Rise in Code Injection Attacks

So what’s code injection and why is it dangerous? In terms of a malware exploit, code injection is performed by an attacker to make a legitimate application do something it shouldn’t. Attackers place or inject code into an application or process to subvert its normal activity and make it perform tasks that benefit the attacker. This is dangerous because the application can then be manipulated to give the attacker full control over a victim’s computer or other device.

Code injection is rapidly becoming the preferred attack vector because it offers more benefits to an attacker. The 2018 IBM threat intelligence report shows that code injection increased alarmingly in 2017, accounting for more than 79% of all attacks.

[Image: ibm injection]

This post will outline several recent exploits that use a variety of code injection techniques to target victims. These are the FakeUpdate campaign, Smoke Loader malware, and the Early Bird technique.

The FakeUpdate Campaign

The FakeUpdate campaign began last December and has been growing rapidly ever since. For whatever reason (a phishing email, a redirection), you may end up on one of the campaign’s compromised but otherwise legitimate websites. Most of these sites have been abandoned or are simply outdated. Upon arriving at the site, the malicious code will identify which browser you are using and then tell you it’s time to update it. The popup will look legitimate, as in the following example.

[Image: firefox update]

You are told to update the file from a legitimate looking Dropbox account. However, if you look at the URL, you will see the site in which the malicious code was injected. Here is that compromised site, as exposed by Malwarebytes.

[Image: firefox compromised]

This exploit will send a given visitor to a specific infected site only once, so as to avoid detection. Accepting the ‘update’ above will download a file onto your device, which will connect to the C&C server and receive instructions. The exploit has the ability to detect and avoid sandboxes. If the exploit is successful, banking malware (Chthonic, ZeusVM) will be installed on your device. Some of the infections installed RATs (Remote Access Trojans), which give total control of your device to the attacker.

The campaign targets Firefox and Chrome browsers through fake browser updates, while Internet Explorer users are targeted through fake Flash Player updates. Thousands of sites are said to be infected. Normal browsing precautions should thwart these attacks. In other words, check out any URLs you are being directed to.

Smoke Loader Malware

In March, within a 12-hour period, Windows Defender found 400,000 computers infected with Smoke Loader malware (aka Dofoil). Smoke Loader is designed to take over computers in order to mine cryptocurrencies. Windows Defender quickly undermined the attackers, but they returned with upgraded attacks shortly thereafter. Smoke Loader injects its code into explorer.exe, the Windows Explorer process.

Last year, one of the big tech stories concerned flaws in Intel and other chips. Smoke Loader has been known to take advantage of this by masquerading as a patch for that problem. Victims may be led to a site that tells them to download the “”. Downloading and running the included “Intel-AMD-SecurityPatch-10-1-v1.exe” will install the malware. The site the malware is stored on will often be an HTTPS site constructed by the criminals, which many users may assume is safe. But cheap certificates are easy to come by. It should be kept in mind that any news event can be manipulated to trick victims into downloading malware.

Cryptocurrency mining malware has rapidly grown in popularity among criminals. The malware enslaves a group of computers, devices, or things and has them work for the attackers, performing the computations needed to produce new coins. Since mining requires huge amounts of power, the attackers want the owners of these compromised computers to absorb the electricity costs. So, in addition to sudden increases in their electric bills, victims may notice that their devices have suddenly slowed down. In the case of cryptocurrency mining malware, it is in the perpetrators’ best interest to remain undiscovered. They will want to slow, but not stop, the devices the mining malware is running on.

The Early Bird Technique

In this technique, code is injected into legitimate processes that start before any antivirus software starts running. It thereby avoids detection, since the antivirus programs only see legitimate processes running. The malware within these processes can be installed without being detected. The legitimate processes normally targeted were explorer.exe, svchost.exe, and rundll32.exe. The injected malware remains persistent after reboot by writing a registry key.

This is more sophisticated than normal exploits and Cyberbit, the firm that exposed the technique, suggests connections with the government-backed Iranian hacker group, APT33. This is disconcerting because APT33 has been known to target the aerospace and energy sectors.

How does APT33 get the Early Bird technique into devices in the first place? In the past, the group specialized in spear phishing employees in the firms or organizations they wanted to target. These employees were apparently sent emails concerning potential jobs in their fields. The emails contained links to HTML files with legitimate job ads but with malicious code injected. Visiting such sites would install the Early Bird attack vector, which would, in turn, install whatever malware the attackers wanted to use. If this is, indeed, an attack vector being used by APT33, then the goal of the malware would be to use the compromised employee device to access the corporate network and steal information. If, however, Early Bird is being used by other attackers, this technique can be used to install anything from banking malware to RATs.

The Future of Code Injection

Some code is routinely injected into browsers by antivirus programs to stop malicious actions. However, leaving this door open gives attackers a potential entry point that can be exploited for evil purposes. For this reason, Google will prevent all third-party code injection by January 2019. Expect other browser makers to follow this example, and expect attackers to find ways to circumvent it. That’s just the way it is.


Fake IRS “Intent to Seize Refund” Scam Really Wants to Seize Your Bank Account

Everyone probably looks in their spam folder at some time or other. You never know when something from a long-lost friend may have been incorrectly placed there. I’ve had it happen. While there, you are likely to see subject headers that may pique your interest. And what if one of those headers reads, “Internal Revenue Service Important Notification” or “Internal Revenue Service Final Notice”? Would you ignore it or would you want to take a look, just to make sure? It’s a hard call, especially during tax season.

So, imagine that you take a look and see the following.

[Image: irs email scam]

On the surface, it looks legitimate. You may wonder if you actually do owe some money. Maybe there’s some mistake you made in your tax return. In any event, you may be tempted to click on the link to your billing information.

But, you know that there are dangers in clicking on such links and maybe you’ve learned that you can hover the cursor over the link to see what address it resolves to. In the above email, you will see this if you do so.

[Image: irs hover cursor]

The ‘removed’ sections of the link would be an encoded representation of the victim’s email address. Nonetheless, you should be able to see that this link looks fake. This is the least sophisticated part of the hack. If they wanted to, they could have at least hidden the URL behind a short link. A more sophisticated hack would employ a mock IRS URL, but these malspam attempts are usually done in bulk and take advantage of any vulnerable URLs that the attackers can find. They are hoping you will simply click on the link in an attempt to get to the data that you want to see.

So, let’s suppose that you simply want to see the information and you click on the link. Before you actually get to the page, you will see a popup asking if you want to open a certain document. Interestingly, the document may even have your name or email address in the title. So, for example, if your name was Smith, you may see the following when you arrive at the linked page.

[Image: irs link popup]

Again, you’d still have to overlook the website that the document was being downloaded from, especially since, as in the example above, it seemed to come from a site that had nothing at all to do with the IRS. There may be a way for the hackers to write some code that will put IRS information into the URL address, but I’m not aware of it and the attackers do not use it in their campaign. They really don’t care about the details. They just need a few careless people to keep the money rolling in.

So, let’s imagine, that, for whatever reason, you agree to the download of the document that appears to have been prepared for you. Sadly, you will find that it does not open as easily as you would hope. You will be given a notification which will look something like this.


At this point, your antivirus software will probably kick in. Mine did. It recognized that Hancitor malware was trying to get onto my computer. The malware needs you to enable macros, which, for the most part, is something you shouldn’t do. If you have your settings set for allowing macros, change that setting. (Tools/Macros/Security). But, for the purposes of this narrative, let’s assume that you don’t have your settings set to prevent macros from opening automatically or you decide to enable macros for this document. Remember, ostensibly, you still want to find out why the IRS thinks you owe them money. In any event, allowing the document to open will install the malware. (Note: Recent attacks have tried to exploit RTF files.)

Once activated, Hancitor will download the following malware.

[Image: hancitor malware]

Actually, other types of malware have been downloaded at this stage, including spambots. Both Pony and Evil Pony are password stealers. Zeus Panda will attempt to steal your banking information, and it will do a good job of it. It is very difficult to discover once it is installed.

In short, Hancitor Malware is well-known for taking advantage of certain conditions to push itself on unsuspecting victims. During holidays, it will push notices of package deliveries. Now, it is tax season so the attackers hope more attention will be paid to any email, spam or not, that may appear to come from the IRS, even though the IRS never sends email notifications to taxpayers.

The truth is that only a series of blunders on the part of users would allow Hancitor to install itself on a victim’s machine, yet Hancitor continues its attacks. Most attacks come from servers in these countries.

[Image: hancitor distribution]

In fact, new attacks are being used which bypass the ‘enable macros’ technique. These exploits use something called a DDE (Microsoft Dynamic Data Exchange) attack. This links information in a legitimate Word document to a malicious program. If such an exploit is used, Word will give you this notification.

[Image: hancitor notification]

Clicking ‘Yes’ releases the malware. Since the Word document is legitimate, you will not be asked to enable macros.

Since DDE is part of Microsoft Word’s normal architecture, it will not trigger any antivirus actions. You will normally only see the above notice. So, expect Hancitor to claim more victims as time goes by. Hancitor will continue to survive due to extensive spamming which takes advantage of current news stories or seasonal events. It is easily avoided, however, so if you adhere to the safe browsing principles outlined above, it needn’t be a serious problem. That said, there will still be those who open their bank accounts to find they no longer contain any money, and that’s a hard way to learn a lesson in cybersecurity.
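Because a DDE field is ordinary Word field markup rather than a macro, a mail gateway or an analyst can look for it directly in the document’s XML before anyone clicks ‘Yes’. The following scanner is an added example, not code from the original post or from any vendor: it unzips a .docx, joins the field instruction runs in each Word XML part (a DDEAUTO instruction is often split across several runs, or wrapped in another field, to defeat a naive search) and reports any field that uses DDE or DDEAUTO. The sample documents are constructed in memory and hold only the document part, which is enough for the scanner but not a complete Word file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml, headers and footers.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_codes(document_xml: bytes) -> list:
    """Return every field instruction found in one Word XML part.

    Simple fields keep the instruction in fldSimple/@w:instr. Complex
    fields spread it over instrText runs between a fldChar 'begin' and
    'end'; Word may split one instruction over many runs, so the runs
    are joined before matching. instrText of nested fields (a DDE field
    wrapped in a QUOTE field, for example) is folded into the outermost
    instruction so the wrapper cannot hide it.
    """
    root = ET.fromstring(document_xml)
    codes = [fs.get(W + "instr", "") for fs in root.iter(W + "fldSimple")]
    depth, buf = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(buf))
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    return codes


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return the field instructions in a .docx that use DDE or DDEAUTO."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Body, headers, footers and footnotes all live under word/ as XML.
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(zf.read(name)):
                    if DDE_RE.search(code):
                        hits.append(code.strip())
    return hits


def make_docx(body_xml: str) -> bytes:
    """Build a constructed, minimal .docx-like zip holding only the
    document part: enough for the scanner, not a valid Word file."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main"><w:body>' + body_xml +
           '</w:body></w:document>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return out.getvalue()


# Constructed sample: a DDEAUTO instruction split across three runs, with
# placeholder target and arguments, the way a malicious document may
# fragment it to evade a simple string search.
SPLIT_DDE = make_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DD</w:instrText></w:r>'
    '<w:r><w:instrText>EAUTO example-app </w:instrText></w:r>'
    '<w:r><w:instrText>"example-args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>cached result</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')

# Constructed benign sample: an ordinary PAGE field and a DATE field.
BENIGN = make_docx(
    '<w:p><w:fldSimple w:instr=" PAGE "/></w:p>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DATE </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')

if __name__ == "__main__":
    print(find_dde_fields(SPLIT_DDE))  # ['DDEAUTO example-app "example-args"']
    print(find_dde_fields(BENIGN))     # []
```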


Yahoo’s New Privacy Policy Leaves No Doubt: Privacy is Dead

If you thought that Facebook was abusing your privacy by using your personal information for its own financial benefit, just wait until you hear what Yahoo now plans to do.

To understand the full extent of this policy, it is first necessary to identify the infrastructure of which Yahoo is actually just a small part. Verizon bought Yahoo in 2015, even though, at the time, Yahoo was a failing company. However, it is now clear what Verizon really wanted. They wanted Yahoo’s treasure trove of personal data on billions of people around the world. Although known mainly as a telecommunications service provider, Verizon has a large digital content division known as Oath. Oath controls Yahoo, AOL, and a number of other companies, some of which are shown in the graphic below.

[Image: yahoo oath]


Thus, Yahoo’s privacy policy reflects the privacy policy of Oath. In fact, when you see the Yahoo privacy policy, you will be directed to the Oath privacy site. However, Yahoo will give you the following, somewhat sobering, synopsis of this policy stating what they control.

[Image: yahoo control]

Let’s get right to the point. They can exploit any information you give them, whether it is in emails, attachments, photos, or chat sessions. It’s not clear what “other communications” refers to, but, perhaps, it includes your phone calls. It also includes your interactions with the other sites in their group of companies.

And it doesn’t stop there. Oath goes on to elaborate that they will collect information such as “device IDs, cookies, and other signals, including information obtained from third parties, to associate accounts and/or devices with you”. They will collect information “when you use our Services to communicate with others or post, upload or store content (such as comments, photos, voice inputs, videos, emails, messaging services and attachments).” “Oath analyzes and stores all communications content, including email content from incoming and outgoing mail.”  This means that they can also exploit your contacts. And, perhaps most disconcerting of all, they will collect information “When you sign up for paid Services, use Services that require your financial information or complete transactions with us or our business partners, we may collect your payment and billing information.”

And as if this wasn’t enough, Oath installs web beacons “on sites, apps, videos, emails, and other services”. For those who don’t know, web beacons are transparent, one-pixel images whose loading lets the operator watch how you interact with a web page or service. And it’s not just on their sites that they allow beacons: “we allow certain Third Parties to include their own beacons & SDKs within our sites and apps.” These third parties include Facebook, Twitter, LinkedIn, and Google, among many, many others.

That may seem to cover all that they want from you, but it’s not. They only stop short of asking for custody of your first born child. Here’s a sobering explanation of what they want control over.

“When you upload, share with or submit content to the Services you retain ownership of any intellectual property rights that you hold in that content and you grant Oath a worldwide, royalty-free, non-exclusive, perpetual, irrevocable, transferable, sublicensable license to (a) use, host, store, reproduce, modify, prepare derivative works (such as translations, adaptations, summaries or other changes), communicate, publish, publicly perform, publicly display, and distribute this content in any manner, mode of delivery or media now known or developed in the future; and (b) permit other users to access, reproduce, distribute, publicly display, prepare derivative works of, and publicly perform your content via the Services, as may be permitted by the functionality of those Services… You must have the necessary rights to grant us the license described in this Section 6(b) for any content that you upload, share with or submit to the Services.”

So what, you may ask, do they need all of this information for? That’s an easy answer. They want to monetize your personal information. They do this by selling all the data they collect to targeted-advertising firms. Here is the list of advertisers that Oath gives your personal information to. I have entered information about them, mostly in their own words, to help you understand how your data is being used.


Oath also shares information with Audience Partners which provides a number of services. In politics they “target specific voter segments by party affiliation, vote frequency (including the number of primaries and general elections voted), donation history, political geographic segments including congressional district, State Senate district, State House district, local jurisdictions, and tens of thousands of additional data points.” In healthcare, they allow “marketers the ability to micro-target prospective customers based on insurance status, health propensity, geographic, demographic, attitudinal, and behavioral attributes. Healthcare professionals (doctors, nurses, pharmacists, et al) can also be targeted by specialty, or based on custom lists.” Audience Partners does a lot more than this, but this should help you understand why getting so much data from Yahoo via Oath can be important. The more these advertisers can target individuals, the happier their clients are and the more money they can make. Oath makes money by selling them the data that they want.

Of course, Oath has a different take on all of this. Oath claims they are doing you a favor by giving you more relevant ads. You should be thanking them for all the work they’re doing on your behalf. They claim they will protect your data; well, of course, unless law enforcement agencies need it. Oath claims, however, that they will not give these agencies, including government agencies, your data without a fight. “We push back on those requests that don’t satisfy our rigorous standards.” Really? Here are the statistics for January through June of 2017.

[Image: oath govt]

Only 3.6% of government requests for user data were rejected. Somehow that doesn’t seem like much of a push back to me.

Let me make this clear. I have no problems with companies trying to make money. After all, if they didn’t make profits, we wouldn’t be able to use their products or services. However, there are some ethical guidelines that should be followed. For example, no one thinks a company should make money by using slaves. In terms of targeted advertising, it’s a matter of degree. Should they be allowed to monetize any content they get their hands on whether you agree or not? In this respect, Oath and its comrades seem to go too far. You will have some limited control over what they do by going here. It will take some effort on your part, but you can, at least, stop some targeting, if only for a while.

The other problem I have with Oath is their self-righteous attitude. You may be surprised to hear that they are, in fact, helping the world by monetizing our personal data. In their own words: “Building. It’s not just about brands for us. It’s about building a better world, too… Let’s do something good together.” And then there is their list of principles that guide them. Here are a few.

“After months of listening, writing, soul searching, rewriting and gut-checking, we landed on these galvanizing statements. They are the touchstones for how we create, code, build brands, give back and lead the future.

Put consumers first

The only judge of our success is our consumer, period.”

(That goes without saying. Angry consumers are bad customers.)

Speak the truth

Transparency builds trust, and trust builds love.”

(This seems like a non sequitur. Transparency may build trust, and trust may build more loyal customers, but whether this will result in love is a bit of a stretch.)

Right not easy

This is simple: behave in ways we are proud of.”

(So are you saying it’s not easy to behave in ways you are proud of? After all, if behaving in ways you are proud of is easy, it wouldn’t be right because being right doesn’t come easy. I’m confused.)

I realize few people read the user agreements for the services these online companies offer. Maybe that’s what these companies hope will be the case. Yet, when users learn, as was the case with Facebook, that their information was used in multiple ways, they are indignant. Whose fault was that? Probably everyone bore some responsibility.

Zuckerberg, however, apologized for the misunderstanding. “It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.” But as I was writing this post, I received the new privacy policy from Facebook. To put it bluntly, it’s a take-it-or-leave-it option. You can only opt out of their facial recognition ‘service’. If you don’t believe that Facebook could be so cold-blooded after all of their public hand wringing, here is an excerpt from their new privacy agreement.

[Image: excerpt from Facebook's new privacy policy]

Thanks for your compassion, Mark.


The Impending DDoS Attack on the Financial Sector

Last October, a new kind of botnet was discovered. It was named IoTroop, and it is also known as Reaper. The name implies that it was composed of ‘things’ connected to the internet (IoT), such as routers and web cameras. The novel characteristic of this botnet was that the things within it could be updated with new commands whenever its administrators wished. Earlier botnets used devices that were compromised and then programmed to perform specific tasks, such as sending spam emails; those built-in programs could not be changed. Now, however, whenever a new vulnerability is found, the entire botnet can be reprogrammed to exploit it. That’s a dangerous turn of events.

The IoTroop botnet is based on the Mirai botnet, the botnet behind the October 2016 attack on the DNS provider Dyn that took many major websites offline. IoTroop still incorporates some of the device types used in the original Mirai attack, but has now added devices from companies like AVTECH, Linksys, MikroTik, TP-Link, and a Samsung TV model. (For a complete list of all compromised devices, see the original Insikt Group report.)

On January 28th of this year, three financial institutions were targeted with distributed denial of service (DDoS) attacks, in what was the largest DDoS attack since the Mirai attack of 2016. The targets appear to have been three major Dutch banks: Rabobank, ING Bank, and ABN Amro. The banks said that some of their services were disrupted for a short period of time, but details have not been disclosed. The chart below shows the countries from which the compromised devices (botnet clients) attacked. The preponderance of Russian-based devices was probably due to the large number of MikroTik devices located there, as these formed the main type of device used in the attack.

[Image: country distribution of the IoTroop botnet devices used in the attack]

In February, Dutch police arrested a teenager whom they thought might be implicated in these attacks, but, so far, no connection has been found.

So that’s the end of the story, right? Well, probably not. At the end of 2017, Verisign reported that the most targeted sector for DDoS attacks was the financial sector. In fact, 40% of all DDoS attacks targeted financial institutions. There is no reason to expect this will change anytime soon. In addition, whether the owners of the botnet planned it or not, this attack on Dutch banks served as a sort of ‘proof of concept’ attack. That is, the attackers were able to learn the size of a botnet needed to take down a major bank. That’s important information.

Most botnets are leased for, purportedly, ‘stress testing’. Yes, that’s right; there are websites that rent the use of a botnet. When you lease a botnet, you are supposed to use it on your own network to see how resistant it is to a DDoS attack. You can even rent the entire 400,000 device Mirai botnet, if you have the money. Of course, there will be those who lease these botnets for criminal purposes. But why? Why would they want to pay so much money just to bring down a financial institution? In other words, what’s in it for them?

There may be a number of motivations, but here are a few that have been found.

  1. Street Cred

Some hackers or hacking groups need to gain credibility among their peers and others. It’s not only that they want respect. If their group becomes known as one that can bring down a large firm, they may be able to wield the name alone as a weapon. They don’t need to actually launch an attack to get money. They can threaten an institution with a DDoS attack and, with their reputation to back up the threat, demand money to call it off. Sometimes they launch a limited attack just to show that they have the capability. The hope is that a one-time investment in a large botnet will make further investments unnecessary: they can earn money through threats alone.

  2. Extortion

With or without street cred, once a DDoS attack begins, the attackers can demand a payment (often in Bitcoin) to stop it. In such a case, it is usually better to wait out the attackers, since the attack costs them more the longer it runs: botnets are leased according to the number of devices in the net and the time they will be used, and 70% of all DDoS attacks last less than 10 minutes.

  3. Political Reasons or Revenge

The hacktivist collective Anonymous has been known to target banks with DDoS attacks for political reasons. Its members may demand that the attacked institution perform some service or issue an apology before they will end the attack.

Individuals may launch such attacks for revenge. These attacks may be from disgruntled employees, angry customers, or jealous competitors.

  4. A Diversion to Launch Other Attacks

According to Kaspersky, 56% of companies targeted with DDoS attacks experienced other, more serious, attacks at the same time. In those cases the DDoS attack was just a smokescreen to distract the IT staff. Attackers may even allow a lull in the attack so that they can install malware on the network while defenders are still busy with the flood. Later, this malware is used in more serious exploits.

The Amplified DDoS Attack

Recently, a new DDoS vector has appeared. This attack, the memcached reflection/amplification attack, multiplies the traffic a single botnet sends by a factor of up to about 50,000.

Let me oversimplify this a bit. Imagine you have a personal website. It sits on a server that handles the traffic to it, and if too much traffic arrives, the server cannot keep up and people who want to reach your site have to wait. Now imagine that I send requests to certain servers, memcached servers that are exposed to the internet over UDP, and forge the source address on those requests so that they appear to come from your server. Memcached does not check who really sent the request; it answers whatever address it was given. A request of a few dozen bytes can produce a reply of many thousands of bytes, and every reply goes to you, not to me. Now imagine a large botnet that keeps sending these forged requests in your name. Your server is buried under traffic it never asked for and is effectively knocked offline. This is why even large institutions, such as financial institutions, may have trouble withstanding such an attack.
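To make the mechanics concrete, here is an added worked example in Python. It is not code from the original post or from any of the reports it cites: it builds the small UDP “stats” request that attackers spoof at exposed memcached servers, computes the amplification factor from a reply size, and runs a simple check over constructed flow records that flags a host receiving reflected memcached replies. The IP addresses, the flow records, the 1400-byte reply size and the alert thresholds are all assumptions made up for the demonstration.

```python
"""Memcached reflection/amplification, as a worked example: what the spoofed
request looks like, how the amplification factor is computed, and a check that
flags the reflected traffic in flow records. Added example; all data constructed."""
import struct
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211
# Assumed size of one reply datagram. memcached splits UDP replies into
# datagrams of roughly this size; a full reply is many such datagrams.
REPLY_DATAGRAM_BYTES = 1400


def build_stats_request(request_id: int = 0x1234) -> bytes:
    """Build the small UDP 'stats' request an attacker sends with the victim's
    address forged as the source. The memcached UDP frame header is 8 bytes:
    request id, sequence number, total datagrams, reserved (big-endian 16-bit)."""
    header = struct.pack("!HHHH", request_id, 0, 1, 0)
    return header + b"stats\r\n"


def amplification_factor(request: bytes, response_bytes: int) -> float:
    """Bytes the victim receives per byte the attacker had to send."""
    return response_bytes / len(request)


# Constructed flow records (src, sport, dst, dport, proto, bytes, packets).
# The 203.0.113.x hosts play exposed memcached servers; 198.51.100.5 is the victim.
SAMPLE_FLOWS = [
    ("203.0.113.10", 11211, "198.51.100.5", 40000, "udp", 700_000, 500),
    ("203.0.113.11", 11211, "198.51.100.5", 40000, "udp", 1_400_000, 1000),
    ("203.0.113.12", 443, "198.51.100.5", 51000, "tcp", 50_000, 40),
    ("198.51.100.5", 33000, "203.0.113.13", 53, "udp", 120, 2),
    # small reply to 198.51.100.9: a legitimate client reading its own cache
    ("192.0.2.7", 11211, "198.51.100.9", 40000, "udp", 2_800, 2),
]


def find_reflection_victims(flows, min_bytes=1_000_000, min_avg_packet=1000):
    """Aggregate inbound UDP flows whose *source* port is 11211 by destination and
    flag destinations whose volume and per-packet size look like reflected
    memcached replies rather than a client talking to its own cache."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto == "udp" and sport == MEMCACHED_UDP_PORT:
            agg = per_dst[dst]
            agg["bytes"] += nbytes
            agg["packets"] += pkts
            agg["reflectors"].add(src)
    findings = []
    for dst, agg in per_dst.items():
        avg_packet = agg["bytes"] / agg["packets"]
        if agg["bytes"] >= min_bytes and avg_packet >= min_avg_packet:
            findings.append({
                "victim": dst,
                "bytes": agg["bytes"],
                "avg_packet": avg_packet,
                "reflectors": len(agg["reflectors"]),
            })
    return findings


if __name__ == "__main__":
    req = build_stats_request()
    print(f"request is {len(req)} bytes; one reply datagram alone gives "
          f"{amplification_factor(req, REPLY_DATAGRAM_BYTES):.0f}x amplification")
    for f in find_reflection_victims(SAMPLE_FLOWS):
        print(f"victim {f['victim']}: {f['bytes']} bytes from {f['reflectors']} "
              f"reflectors, avg packet {f['avg_packet']:.0f} bytes")
```

A single 1400-byte reply datagram to a 15-byte request is already a factor of about 93; the 50,000-fold figure comes from replies that run to many datagrams, which is why the victim's per-packet size and aggregate volume, not the request size, are what the check looks at. On the server side the fix is simply not to expose UDP: memcached 1.5.6 and later disable UDP by default, and older versions should be started with `-U 0` and bound to localhost with `-l 127.0.0.1`. Upstream, source-address filtering (BCP 38) at the network edge stops the forged requests from leaving the attacker's network in the first place.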


Since recent DDoS attacks have targeted financial institutions, it seems likely that this amplification method will be used against them. Many exposed memcached servers have since been patched or firewalled, but the amplification idea still exists. This, plus the ability of botnets to evolve to exploit new vulnerabilities, has everyone waiting for the inevitable attack on targets within the financial sector. My guess is that they won’t be waiting long.





The Malware That Targets Android Phones on Corporate Networks

No one has ever solved the BYOD dilemma. If you don’t yet know, BYOD stands for Bring Your Own Device. It refers to a policy which allows employees to use their own smartphones, or other devices, to connect to a corporate network. The dilemma is that giving employees such freedom exposes the corporate network to the employee’s poor browsing habits, which may allow malware to penetrate corporate cyber security barriers and wreak havoc. On the other hand, putting restrictions on an employee’s private phone use is often considered an affront. This being the case, some employees will inevitably take measures to subvert any restrictions while continuing to connect to the corporate network. Corporations spend a lot of time and money trying to monitor these privately owned devices to prevent a breach.

Criminals have long been aware of the fact that smartphones connected to corporate networks (endpoints) offer the best entranceways into those networks. They have numerous ways to exploit these weak points. They also prefer to attack Android OS devices. Why? It’s a matter of numbers. Android devices vastly outnumber iOS devices, as can be seen in the chart below. So hackers, for the most part, go where the money is.
[Image: chart of Android versus iOS market share]

There are a number of ways attackers can install malware on a device, and there is no need to go through all of these here. Recently, one of the most popular ways to take control of an Android device has been to repackage a legitimate app with malware and place it on Google Play. This is what the malware known as DressCode did back in 2016. But this malware had more in mind than just stealing passwords from phone owners. It wanted to penetrate any network that the phone was connected to.

DressCode did this by compromising routers through which all devices on a network were connected. The criminals were, then, part of the network and could send what they found within this network directly to their own command and control (C&C) servers. The diagram below from Trend Micro shows some of the details of this process.

[Image: Trend Micro diagram of the DressCode infection and proxy process]

Keep in mind that any malware that infects a network can incorporate all of the devices on it into a botnet which could be used for DDoS attacks or spamming campaigns. It is important to note that such things as printers and cameras can also be part of such a network. Attackers could remotely view what is happening in an office through a network connected camera, for example.

Trend Micro’s exposure of DressCode enabled Google to detect its code in infected apps. That should have been the end of the problem, but it was not. DressCode came back in 2017 in new garb, which Trend Micro referred to as MilkyDoor. In April of 2017, Trend Micro reported that it had found 400 infected Android apps on Google Play which had been downloaded up to a million times. MilkyDoor was a DressCode upgrade in that it encrypted all communications with its C&C, making it difficult to detect. The infected apps were legitimate, popular apps that had been repackaged with the malware. Because the apps worked as expected and the malicious traffic was encrypted, unusual activity was difficult to spot. As Trend Micro noted, “MilkyDoor poses greater risk to businesses due to how it’s coded to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data.” It could easily be leveraged into a ransomware attack platform.

But again, once MilkyDoor’s secrets were exposed, Google Play was able to remove any infected apps. That should have been the end of the story, but, for some reason, it wasn’t. Recently, DressCode, or at least a variation on it, has returned with a vengeance.

Earlier this year, it was reported that DressCode may have built a 4 million device botnet. This would not be so alarming if it weren’t for the way this botnet could be used to penetrate corporate networks. DressCode turns each infected device into a SOCKS proxy. Because the device itself opens the outbound connection to the attackers, the tunnel passes through firewalls that only block inbound connections, and the attackers can relay traffic through the phone into whatever network it is connected to. The attackers are then in a position to compromise routers and enter any network these endpoints may be connected to without being detected. Since no encryption is used on this recent version of the botnet, the compromised devices are open to any other attackers who are interested in them.

Back in November, Symantec noted unusual activity in Google Play when it found 8 apps that contained malware which looked like it was designed to build botnets. At that time, they pointed out that these apps had the unusual feature of building connections through a SOCKS proxy. They thus called this malware Android.Sockbot. In fact, it was DressCode. Its purpose was to establish an ad-generating botnet. “The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.” Since up to 2.6 million downloads of these apps occurred, that meant a lot of revenue from a large ad botnet. Below is an example of what is contained in these infected apps. Notice the permissions that it requires.
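The reverse SOCKS proxy described in the last two paragraphs is easier to reason about with the bytes in front of you. The following is an added example in Python, not code from the post, from Symantec, or from Trend Micro: it parses a SOCKS5 request as defined in RFC 1928, builds sample requests, and runs a check over constructed session records from a BYOD VLAN that flags a phone which is accepting SOCKS CONNECT commands from an outside peer, distinguishing a plain open proxy (an ad server, as in Sockbot) from a pivot into an internal address. The device and peer addresses, the session records and the hostname are all made up for the demonstration.

```python
"""Detecting a phone used as a reverse SOCKS5 proxy. Added example; the session
records and addresses are constructed, not taken from any published analysis."""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


class SocksParseError(ValueError):
    """Raised when a payload is not a well-formed SOCKS5 request."""


def parse_socks5_connect(payload: bytes):
    """Parse a SOCKS5 request (RFC 1928, section 4):
    VER CMD RSV ATYP DST.ADDR DST.PORT. Returns (cmd, host, port)."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION:
        raise SocksParseError("not a SOCKS5 request")
    cmd, atyp = payload[1], payload[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(payload[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(payload[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = payload[4]
        host, end = payload[5:5 + n].decode("ascii"), 5 + n
    else:
        raise SocksParseError(f"unknown address type {atyp}")
    if len(payload) < end + 2:
        raise SocksParseError("truncated request")
    port = struct.unpack("!H", payload[end:end + 2])[0]
    return cmd, host, port


def build_socks5_connect(host: str, port: int) -> bytes:
    """Build the CONNECT request a controller would send to the proxy."""
    try:
        ip = ipaddress.ip_address(host)
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        raw = host.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + body + struct.pack("!H", port)


def is_internal(host: str) -> bool:
    """RFC 1918 / private targets count as internal; assumption: bare hostnames
    are treated as external, since they are resolved by the proxy, not by us."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


# Constructed session records from a hypothetical BYOD VLAN:
# (device, peer, direction of this payload, payload bytes).
# 10.0.20.14 is a phone that opened a connection to 203.0.113.50 and is now
# being told by that peer where to connect, i.e. it is acting as a reverse proxy.
CORP_DEVICE_SESSIONS = [
    ("10.0.20.14", "203.0.113.50", "from_peer", build_socks5_connect("10.0.5.20", 445)),
    ("10.0.20.14", "203.0.113.50", "from_peer", build_socks5_connect("ads.example", 80)),
    ("10.0.20.15", "93.184.216.34", "to_peer", b"GET / HTTP/1.1\r\n"),
    ("10.0.20.16", "203.0.113.50", "from_peer", b"\x05\x01\x00"),  # method greeting only
]


def flag_reverse_socks(sessions):
    """Flag devices that receive SOCKS5 CONNECT requests from the remote side of a
    connection they initiated. Returns (device, peer, target, port, severity).
    A production detector would track the method-selection handshake first;
    here any parseable CONNECT from the peer is enough."""
    findings = []
    for device, peer, direction, payload in sessions:
        if direction != "from_peer":
            continue
        try:
            cmd, host, port = parse_socks5_connect(payload)
        except SocksParseError:
            continue
        if cmd != CMD_CONNECT:
            continue
        severity = "internal-pivot" if is_internal(host) else "open-proxy"
        findings.append((device, peer, host, port, severity))
    return findings


if __name__ == "__main__":
    for device, peer, host, port, severity in flag_reverse_socks(CORP_DEVICE_SESSIONS):
        print(f"{severity}: {peer} told {device} to connect to {host}:{port}")
```

The direction field is the important part. A phone on the BYOD VLAN opening a connection to the internet is normal; a phone that is then told by the far end where to connect next is a proxy, and the moment the requested target is a 10.x or other private address the attacker is inside the network the firewall was supposed to protect. Network segmentation that keeps the BYOD VLAN from reaching server ranges at all removes the "internal-pivot" case regardless of what is on the handset.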

[Image: permissions requested by one of the FunBaster apps]

The developer of these apps, FunBaster, is no longer found on Google Play, but can still be located on sites like Apkpure. Oddly, searching for the developer on the site will not lead you to the developer’s page, which is shown below. I’m not sure why this is the case.


The app promises, “various of minecraft skins for pe greatly transform your boring gameplay”, which may tip you off about the validity of the app. I ran one of these apps through VirusTotal, where only 3 of 62 malware detection engines found problems with it.

[Image: VirusTotal detection results for the FunBaster app]

It appears to originate in, of all places, Russia.

With over 4 million devices connected to networks, it’s pretty clear that DressCode isn’t going away anytime soon. With free access to the botnet for any interested private or state-run hacking group, it is only a matter of time before these infected Android devices do more than just spread advertising. It’s simply too sophisticated to escape the attention of those who have more nefarious purposes in mind.

Now, back to BYOD. Despite these impending attacks on Android endpoints, over 70% of companies are either implementing or planning to implement a BYOD policy. It is a perfect storm or, at least, a perfect opportunity for hackers looking for corporate information.

[Image: percentage of companies implementing or planning a BYOD policy]

The WorkPlay Solution

 What if you could solve the BYOD dilemma? What if you could allow your employees to use their Android smartphones to browse as carelessly as they’d like while still having access to your corporate network? And, best of all, what if it didn’t even matter if they were victimized by malware such as DressCode because that malware, even though it was on the same device connected to your network, could not access your network? How is all of this possible? Go here to find out.
