The Butterfly effect – Mariposa

A virus-infected network of nearly 13 million computers around the world has been smashed by Spanish police. The Mariposa, or Butterfly, botnet included PCs inside more than half of America’s 1,000 biggest companies and more than 40 major banks.
Our colleague Vikram Thakur recently wrote a blog about the threat. Symantec has been tracking the threat since October 2009. At that time, a security company had reported that a large number of Fortune 100 companies had been infected. The same firm has worked with authorities in arresting alleged key members of the botnet ‘ring’.
Symantec products detect this worm under several names, the most prominent of which is W32.Pilleuz. Pilleuz and its variants have been extremely active over the past several months. The threat has multiple capabilities and spreads via USB devices, instant messaging clients, and P2P networks. It steals credentials and personal information and accepts commands from its command-and-control (C&C) server; one such command instructs the infected machines to flood a target domain with traffic, i.e. a distributed denial-of-service (DDoS) attack.
Details about what role the arrested people played in Pilleuz’s day-to-day operations are still sketchy. We’re hopeful that the arrests will have a significant impact on the infections Symantec is seeing.
1,900,000 Bots In A Network…

Some research has highlighted an enormous bot network of nearly 2 million machines. Couple that with the finding that a single bot can send 600,000 spam messages a day and you have the potential for an enormous amount of junk zipping around the Internet. This number is greater than anything we saw in the latest Internet Security Threat Report (published earlier this month), where the peak was just over 100,000 machines active on a single day, although more than 4 million unique systems were compromised over the course of 2008. Such numbers are possible, though: if the machines infected with Conficker/Downadup were ever turned into a single bot network, it would be bigger still.
One thing the research does highlight is that anti-malware definitions must be kept up to date; otherwise systems become infected all too easily. How often should that happen? As often as the application allows. Switching it to update only once a week puts you at risk: Symantec issued 1.6 million new malware signatures last year, on average more than 30,000 a week, so a week-old definition set is already missing tens of thousands of detections. If you are not up to date you are asking for trouble.
Beware The Browser…

Symantec’s latest Internet Security Threat Report came out today, and one of the trends it highlights is the web browser. It is not just the browser itself that has vulnerabilities; it is also the plug-ins. The average time to fix a browser vulnerability is around a week, but some of the longest times to patch are around six months! At least there are fixes, though, and provided you have auto-updates switched on, or use the browser’s ‘check for new version’ option, you should get them fairly quickly after they are released.
However, there were 424 vulnerabilities in browser plug-ins, and plug-ins are seldom updated automatically. The most common class of vulnerability is memory corruption, which lets an attacker execute arbitrary code and effectively take over the machine. Most of the threats target your confidential information. Social engineering attacks are also prominent; these ultimately result in the user inadvertently installing malware on their own machine.
Many pieces of malware are now multi-functional, allowing remote access, exporting user data and logging keystrokes at the same time. What does this mean? If you happen to be doing some online banking (or shopping), the cyber-criminal could end up with your bank or credit card details, and you could become a victim of fraud or, worse still, identity theft.
New pieces of malware are built to become whatever is needed, downloading additional content or a payload from cyber-criminal web sites. So they can be spambots one day and run a denial-of-service attack the next. Conficker/Downadup is probably the most infamous of this type, although it remains unclear what its payload is going to be. Having your machine unknowingly host a spam service, or participate in a denial-of-service attack, is not good.
So if you are an organization, you need to look at your security and patching policy. Ensure that the latest security definitions are delivered to your users in a timely manner; this keeps you protected while you work on patching the OS and applications. You should also have a policy for patching or regularly updating browser plug-ins, since they rarely update themselves.
If you are an individual, you should likewise keep your security definitions up to date and make sure OS and application updates are installed. So if a reminder appears on the screen that an update is available, install it now; don’t put it off. You may regret it later.
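A plug-in patching policy is easiest to enforce if it is checked mechanically rather than by asking users. The following Python script is an added example, not code from the original post or from Symantec: it flags plug-ins that are below a minimum patched version across a workstation inventory. The plug-in names, version strings and hostnames in it are constructed for illustration, and the MIN_VERSIONS table stands in for whatever your vendors’ advisories actually say.

```python
"""Minimum-version check for browser plug-ins across a workstation inventory.

This is an added example, not code from the original post or from Symantec.
The plug-in names, version strings and hosts below are constructed for
illustration and do not correspond to any real advisory.
"""
from typing import Dict, List, Tuple

# Constructed policy table: plug-in name -> lowest version the patch policy
# still accepts. In practice this comes from vendor advisories.
MIN_VERSIONS: Dict[str, str] = {
    "pdf-viewer": "9.3.1",
    "media-player": "10.0.45.2",
    "runtime": "1.6.0_19",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.45.2' or '1.6.0_19' into a tuple of ints.

    Comparing version strings as text is a classic policy bug:
    '9.3.1' > '10.0.45.2' lexically, but 9 < 10 numerically.
    Non-digit characters inside a piece (e.g. the 'b' in '10b') are dropped.
    """
    parts: List[int] = []
    for piece in version.replace("_", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, minimum: str) -> bool:
    """True if installed < minimum; shorter versions are zero-padded so
    '9.3' and '9.3.0' compare as equal."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_inventory(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per host/plug-in pair that violates the policy.

    A plug-in with no entry in MIN_VERSIONS is reported as 'unknown' rather
    than silently passed: an unmanaged plug-in is itself a policy gap.
    """
    findings: List[Dict[str, str]] = []
    for entry in inventory:
        name, installed = entry["plugin"], entry["version"]
        minimum = MIN_VERSIONS.get(name)
        if minimum is None:
            status = "unknown"
        elif is_outdated(installed, minimum):
            status = "outdated"
        else:
            continue  # compliant, nothing to report
        findings.append({"host": entry["host"], "plugin": name,
                         "installed": installed, "minimum": minimum or "-",
                         "status": status})
    return findings


# Constructed sample inventory, in the shape an asset scanner might export.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "plugin": "pdf-viewer", "version": "9.3.1"},
    {"host": "ws-01", "plugin": "media-player", "version": "10.0.12.36"},
    {"host": "ws-02", "plugin": "pdf-viewer", "version": "9.1.0"},
    {"host": "ws-02", "plugin": "runtime", "version": "1.6.0_19"},
    {"host": "ws-03", "plugin": "legacy-toolbar", "version": "2.1"},
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f['host']:6} {f['plugin']:14} {f['installed']:>10} "
              f"(min {f['minimum']}) {f['status']}")
```

Two design points matter more than the table itself: versions are compared numerically after splitting on dots and underscores, because a text comparison would rank 9.3.1 above 10.0.45.2 and pass an outdated plug-in; and a plug-in the policy has never heard of is reported as unknown instead of being skipped, since an unmanaged plug-in is exactly the kind that never gets updated.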
Build It And They Will Come…

… Shut it down and they will go. McColo.com, a hosting company, has been shut down, and why is this good news? Because the amount of spam the world sees dropped by 65% over the course of 24 hours. How do we know this? Well, at Symantec we monitor this type of thing! Unfortunately it won’t last: the spammers and botnet herders will quickly move their operations elsewhere. The good news, however, is that it is possible to make a significant dent in cyber-criminal operations by taking out the appropriate pieces of their infrastructure.
So, the battle this time has been won, but the war is far from over.