Sunday, July 14, 2013

Botnet SPAM campaign against the Commonwealth Bank of Australia NetBank and the HSBC

As of July 15th we are seeing in our Malware Capture Facility at the CVUT University a SPAM campaign against NetBank (the Commonwealth Bank of Australia) and HSBC. Our capture facility has been collecting botnet traffic for some time and is able to analyze the traffic patterns. These past days we have seen a quite large SPAM attack against both banks.

The SPAM attack against NetBank has the subject "You have received a secure message" and appears to come from the mail address "NetBankNotification@cba.com.au". The message sends the following text to the users:
You have received a secure message
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it. If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Commonwealth Bank of Australia NetBank. First time users - will need to register after opening the attachment. About Email Encryption - http://www.commbank.com.au/about-us.html
Finally, this mail has an attachment called "SecureMessage.zip".

The attack was first seen in our monitoring system on July 11th 2013.



In the same campaign we saw a SPAM attack against the HSBC bank.

The message appears to come from the mail address "payment.advice@hsbc.com.hk" and has the subject "Payment Advice - Advice Ref:[B62720685918]". The text of the message is:

Sir/Madam
Upon your request, attached please find payment e-Advice for your reference.
Yours faithfully
HSBC

*********************************************************

We maintain strict security standards and procedures to prevent unauthorised access to information about you. HSBC will never contact you by e-mail or otherwise to ask you to validate personal information such as your user ID, password, or account numbers. If you receive such a request, please call our Direct Financial Services hotline.
Please do not reply to this e-mail. Should you wish to contact us, please send your e-mail to commercialbanking@hsbc.com.hk and we will respond to you.
Note: it is important that you do not provide your account or credit card numbers, or convey any confidential information or banking instructions, in your reply mail.
Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005. All rights reserved.

*********************************************************


This mail carries an attachment called "Payment_Advice.zip".

Both attachments carry second-stage malware that infects the computer, downloads more binaries and remains on the computer, waiting.

Be careful and do not open attachments like this.
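The two lures above share a small set of indicators (claimed sender, subject, attachment name), which is enough for a simple mail-gateway check. This is an added Python example, not code from the original post or the capture facility; the message it parses is a constructed sample that mimics the NetBank lure, not a real capture.

```python
"""Flag mail matching the two bank-themed SPAM campaigns described above.
Added example, not from the original post: it parses raw RFC 822 text with
the standard email module and checks sender, subject and attachment name
against the indicators the post lists (two of three must match)."""
import email
from email import policy

# Indicators taken from the post: (claimed sender, subject fragment, attachment).
CAMPAIGNS = {
    "netbank": ("netbanknotification@cba.com.au",
                "you have received a secure message", "securemessage.zip"),
    "hsbc": ("payment.advice@hsbc.com.hk",
             "payment advice - advice ref:", "payment_advice.zip"),
}

def attachment_names(msg):
    """Lower-cased filenames of every attachment part (empty for plain mail)."""
    return [p.get_filename().lower() for p in msg.iter_attachments()
            if p.get_filename()]

def classify(raw):
    """Return the campaign a raw message matches, or None for ordinary mail.
    Requiring two of the three indicators keeps a renamed zip or a
    reworded subject from slipping past the rule."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).lower()
    names = attachment_names(msg)
    for name, (frm, subj, attach) in CAMPAIGNS.items():
        hits = (frm in sender) + (subj in subject) + (attach in names)
        if hits >= 2:
            return name
    return None

# Constructed sample mimicking the NetBank lure (not a real capture).
SAMPLE_NETBANK = """From: NetBankNotification@cba.com.au
To: victim@example.com
Subject: You have received a secure message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Read your secure message by opening the attachment, SecureMessage.zip.
--b1
Content-Type: application/zip; name="SecureMessage.zip"
Content-Disposition: attachment; filename="SecureMessage.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

SAMPLE_CLEAN = "From: colleague@example.org\nSubject: Lunch tomorrow?\n\nNoon?\n"
```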


Wednesday, July 3, 2013

Botnets vs. Aliens

If tomorrow we are invaded by aliens and they use our own Internet, we are going to use Botnets to attack them.

Over the years botnets have evolved from a rudimentary union of computers into a highly resilient and complex network of very sophisticated software. They are attacked every day: their domains are taken down, their computers are seized, their protocols are decrypted, their code is analyzed, their core control computers are taken over, and they are studied and dissected several times a day. And despite all that, they keep doing their job.

Yes, sometimes some of these actions are enough to stop some of them, but hundreds (maybe thousands) more are being created and remain under the radar.

Doesn't this amaze you? We are trying really hard to stop them, they are attacked continually, and still they manage to survive. It reminds me of the supposed origin of the Internet: to survive a nuclear attack. Perhaps the story is not true, but if I had to choose which overlay network achieved this, I would pick botnets.

Botnets are composed of a large set of technologies, from good old IRC to P2P, social networks, routers, IPv6, HTTP, custom protocols, Tor and a long etcetera. But none of these technologies alone (perhaps not even P2P) has achieved this survivability. Together, along with a strong will to survive (and pushed by money), they have managed to become really hard to stop. No other network has received so many attacks and learnt from them in order to evolve.

You could be fighting them or creating them, but you cannot ignore that if we need an attacking tool against the Aliens in the future, we are going to pick Botnets to help us.


Wednesday, June 26, 2013

How to visualize botnet traffic in real time

Ok, the title is a little bit misleading, because you can use this to visualize any type of traffic. But since I'm specializing in botnet detection, I will share some of the methods and tools I'm using right now.

Traffic visualization is a really important part of network security analysis. Without a proper graphical representation you will miss a lot of information that cannot be captured in any other way.

In the case of botnets, I'm interested in the synchronization patterns between bots and in the network behavior of infected hosts.

I have tried several different visualization tools for this task, using live traffic, pcaps and NetFlows, and by far the most useful to me was oip. Have you ever heard of it? No? Neither had I. This simple and powerful tool was created by Utah State University some time ago; you can find the original version at https://it.wiki.usu.edu/OIP. Unfortunately, it seems to be abandoned. The author is unknown to me and the svn repository is down (https://svn.usu.edu/repos/organicips). The odp presentation was made by someone called Rian in 2008, but that's all. Fortunately, the tar file and videos are still available. Thanks a lot USU!

However, when I tried to use it, it was broken, probably because it was created for older systems. So I modified it to suit my needs. Now the oip sniffer is working again, with new features. You can find the new code here: https://github.com/eldraco/oip.

These are some screenshots of the oip sniffer:






You can also see some videos I have made of oip here:

The modifications I have done are:

  • It now runs on Linux without problems.
  • Enlarged the packet balls so you can see them better.
  • Changed the blue balls to white balls, to see them better on dark backgrounds.
  • Added the -e argument to speed up the analysis of pcap files. A value of 1000 means normal speed, 100 means 10x faster and a value of 10 means 100x faster.
  • Added the -c argument to give the pcap file name on the command line.
    • If you give a pcap file name, the analysis starts right away!
  • Fixed the code to add the network device to the oip server.

So with the new oip working I set up my virtual machines and started infecting them. Usually I also run other tools in parallel to see what is going on on the network (wireshark, tcpdump, ngrep, iftop, etc.), but oip is my preferred tool to see the packets.

Start the server like this for your wlan0 device:
./oipd wlan0

And then start the gui like this:
./oipgui

On the GUI, go to the blue button on the top left, select "Connection" and then fill in the Server field with localhost if you are running oip on your own machine, or with the IP address of the remote server if you are running it on another computer. Then hit "Connect" and you should see the packets.

I also recommend storing the traffic in pcap format at the same time, so you can "replay" it later if you need to.

With this incredible tool we can now see how the hosts are behaving, how and when they connect to other hosts, and find strange connection patterns.

If you have stored a pcap file, you can replay it with the gui like this:
./oipgui -c capture.pcap -e 10

The -e 10 in the example means replay 100x faster, so you don't have to wait too long on huge captures!

I'm planning to add some sort of "rewind" and "forward" options to the GUI, so you can see some behavior again if you just spotted it on the window.

With oip I'm able to see more clearly which botnet characteristics I should study and which features are most useful for detection.
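The patterns looked for above (bots synchronizing with each other, and a single host connecting to the same place at a fixed beat) can also be checked offline once the stored pcap has been reduced to flows. This is an added Python example, not part of oip or of the original post; the flow records are constructed.

```python
"""Find synchronized connection patterns in flow records.
Added example, not part of oip or the original post: what oip shows on
screen (several hosts contacting the same server at almost the same
moment, or one host beating at a fixed period) as an offline check."""
from collections import defaultdict

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port).
# Three hosts call 198.51.100.7:8080 together about once a minute.
FLOWS = [
    (0.0, "10.0.0.5", "198.51.100.7", 8080),
    (0.8, "10.0.0.6", "198.51.100.7", 8080),
    (1.3, "10.0.0.9", "198.51.100.7", 8080),
    (33.0, "10.0.0.7", "93.184.216.34", 80),
    (60.1, "10.0.0.5", "198.51.100.7", 8080),
    (60.9, "10.0.0.6", "198.51.100.7", 8080),
    (61.2, "10.0.0.9", "198.51.100.7", 8080),
    (120.0, "10.0.0.5", "198.51.100.7", 8080),
    (120.7, "10.0.0.6", "198.51.100.7", 8080),
    (121.4, "10.0.0.9", "198.51.100.7", 8080),
]

def synchronized_groups(flows, window=2.0, min_hosts=3):
    """Bursts where >= min_hosts distinct sources hit one dst:port within
    `window` seconds. Returns [(dst, port, burst_start, {src, ...})]."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in flows:
        by_dst[(dst, port)].append((ts, src))
    groups = []
    for (dst, port), events in by_dst.items():
        events.sort()
        i = 0
        while i < len(events):
            start, hosts, j = events[i][0], set(), i
            while j < len(events) and events[j][0] - start <= window:
                hosts.add(events[j][1])
                j += 1
            if len(hosts) >= min_hosts:
                groups.append((dst, port, start, hosts))
            i = j  # next burst starts after this window
    return groups

def beat_period(flows, src, dst, port, tolerance=0.2):
    """Median gap between one host's flows to dst:port, or None when there
    are fewer than three flows or the gaps vary more than `tolerance`."""
    ts = sorted(t for t, s, d, p in flows if (s, d, p) == (src, dst, port))
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = sorted(gaps)[len(gaps) // 2]
    if any(abs(g - med) > tolerance * med for g in gaps):
        return None
    return med
```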

Hope you like the new oip, and if you have any problem, just tell me.














Saturday, March 30, 2013

Proof that the lord of darkness lives in the Vatican

With all the recent pomp surrounding the Vatican, I can't resist adding my own grain of sand to the news on the topic. But of course, the only place from which I dare to contribute something is a small analysis of the Vatican's DNS.

So, the Vatican tells us that...


# dig any vatican.va
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> any vatican.va
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3426
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;vatican.va.                    IN      ANY
;; ANSWER SECTION:
vatican.va.             3600    IN      SOA     john.vatican.va. postmaster.vatican.va. 2013031902 14400 3600 1209600 3600
vatican.va.             3600    IN      TXT     "google-site-verification=xJIGtooD1R7HCcYnGpEnQJbesRSBdJmzNZX0WLDIMII"
vatican.va.             3600    IN      TXT     "v=spf1 ip4:212.77.4.211 a mx ?all"
vatican.va.             3600    IN      MX      100 raphaelmx3.posta.va.
vatican.va.             3600    IN      MX      10 raphaelmx1.posta.va.
vatican.va.             3600    IN      MX      10 raphaelmx2.posta.va.
vatican.va.             3600    IN      NS      john.vatican.va.
vatican.va.             3600    IN      NS      seth.namex.it.
vatican.va.             3600    IN      NS      michael.vatican.va.
vatican.va.             3600    IN      NS      osiris.namex.it.
vatican.va.             3600    IN      NS      ns2.nic.it.
;; Query time: 346 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Mar 30 21:19:04 2013
;; MSG SIZE  rcvd: 400

I have to say those names really caught my attention... come on guys! Naming the Vatican's machines after the 12 apostles and the angels, isn't that a bit of a cliché?

However, it seems that when they delegated certain DNS servers to Italy, outside the Vatican's control..., some joker couldn't help himself and slipped in the names seth and osiris..., which are Egyptian!

But not only that: according to Wikipedia (http://es.wikipedia.org/wiki/Seth), Seth is, among other things, the "(...) god of the tumultuous, the uncontainable. Lord of what is not good and of darkness (...)". And according to Wikipedia (http://es.wikipedia.org/wiki/Osiris), Osiris is, among other things, the "(...) symbol of fertility (...)"...

I don't know who put osiris and seth in the Vatican, but they deserve some recognition!

When do we get Beelzebub?
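Besides the hostnames, the dig output above also carries the domain's SPF TXT record, which is worth checking mechanically. This is an added Python example, not part of the original post; the addresses behind the "a" and "mx" mechanisms are a constructed lookup table (documentation addresses), since the real ones are not on the page and the code runs offline.

```python
"""Evaluate the SPF record from the dig output above for a given sender.
Added example, not part of the original post. The addresses behind the
"a" and "mx" mechanisms are a constructed lookup table so the code runs
offline; they are not the real ones."""
import ipaddress

SPF_RECORD = "v=spf1 ip4:212.77.4.211 a mx ?all"  # copied from the TXT record above

# Constructed stand-in for DNS answers (documentation addresses, not real).
LOOKUP = {
    ("vatican.va", "A"): ["192.0.2.10"],
    ("vatican.va", "MX"): ["192.0.2.25", "192.0.2.26"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, domain, lookup=LOOKUP):
    """Walk the mechanisms left to right; the first one that matches decides."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name in ("a", "mx"):
            if str(ip) in lookup.get((arg or domain, name.upper()), []):
                return QUALIFIERS[qual]
        # include/exists/ptr are not needed for this record and are skipped.
    return "neutral"  # RFC 7208: nothing matched and no "all" term present
```

Note the trailing ?all: a sender the record does not list ends as neutral, which receivers generally treat no differently from having no SPF policy at all; only -all (or ~all) would let them reject or flag such mail.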

Tuesday, February 26, 2013

How to choose your paddle partner without the others knowing

When I go to play paddle, we pick the pairs at random before playing. However, it is hard to choose to play with someone without the others noticing. Something like forcing a choice that looks random.

So I analysed the situation a bit.

We have 4 players, two pairs. The pairs are chosen without talking, as the players walk onto the court.
We will calculate the power of choice based on whom a player can decide to play WITH and whom he can decide NOT to play with. Since there are 4 players, each one can choose at most 3 YESes and at most 3 NOs. Although of course nobody can have 3 YESes and 3 NOs at the same time.
If he can choose to play with one player or another, he has 2 YES powers.
If he can choose not to play with someone, he has 1 NO power.

  • The first player to enter the court cannot choose a partner, so his power of choice is 0 for those he does NOT want to play with and 0 for those he DOES want to play with.
  • The second player to enter the court can choose NOT to play with the first, or to play with the first. But he cannot choose which of the other two to play with. His power of choice is 1 for NOT playing and 1 for playing.
  • The third player can choose whether he plays with the first or with the second, and at the same time he can choose not to play with the first or with the second. But he cannot choose to play with the fourth. So his power is 2 for YES and 2 for NO.
  • The fourth cannot choose anything, like the first, so his power is 0 for YES and 0 for NO.
Summary:

Player     Chooses to play   Chooses NOT to play
Player 1   0                 0
Player 2   1                 1
Player 3   2                 2
Player 4   0                 0

So we conclude that the player with the most power of choice is the third one to enter the court! (As Ramiro, the friend of my friend Marco, had correctly predicted! :-)




Friday, February 22, 2013

Privacy, security and bluetooth

I believe that when we think about privacy, we still think about not giving out our real name, phone or address. We still think that privacy is not something we should be concerned about. Why should we care? I don't have anything to hide. I'm not important.

On the other hand, we want to socialize, to communicate with our friends and family, to let them know what we think and do. Humans are social. We have socialized in the past, we socialize now and we will socialize in the future. It is not going to change.

What did change is technology. 15 years ago, there was nothing strange about giving out your email address. Now your email address identifies you better than your own name. There was no way to find your friends using your email address. Now your email address can even tell where you are.

We have bound our lives and sociality so tightly to the Internet that it is not only possible to have all the relevant information about someone, but easy to do so. Moreover, and this is the real issue, they can have more information about you than you have yourself. Trust me, they know how to infer information that you cannot dream of.

It is not an issue about data any more. It is an issue about behavior. Browsing the web now means giving away your visiting pattern, buying behavior and even keystroke pattern. Do you hide your identity when posting on the web? No problem: with stylometry they can analyze the way you write and recognize you again. Your phone has become the perfect way to know where you are, what your movement pattern is and what your social activities are. They can know if you have children, have financial problems or like to drive fast. It is not news that they can know if your daughter is pregnant before you do. They can know if you are starting to feel angry at your cell phone company and your chances of leaving are growing. They know when you are going to leave your cell phone company before you do. Sounds scary, doesn't it? The bad news is that this is not new and is not the worst part.

As Mikko Hypponen said in his 2010 TED talk, it is not an issue of privacy vs. security. It is an issue of control vs. freedom.

Why freedom? Have you thought about what may happen in 15 years? They will be able to know more about your life than you will ever be able to.

But why does this happen? Well, I have three answers. First is money. Second is power. Third is because they can.

The money problem is difficult, long, and may only be addressed with new legislation. They want to sell the data and they will until we stop them.

The power problem is more difficult, because governments make laws. Do you trust your government now? Do you trust the government you will have in 15 years? And in 50? I can only imagine technical solutions here, which brings us to the third problem.

The possibilities of technology. More data, more centralization, new algorithms using more cloud-based power. The end is not clear. They can use it and they probably will. The biggest problem about the technology issue is that everyone has this technology. They can monitor you. You can hide your IP. They can use JavaScript to know where you are. You can disable JavaScript. They can see your typing pattern. You can insert random delays. And the list goes on.

A final example. We have developed a tool called bluedriving to capture Bluetooth devices in the street together with their GPS location. You can draw a map of the locations and times where every device has been. Your cellphone identifies you almost uniquely. The privacy of your movements is now easy to take.

Anyway, I see two solutions: use technology wisely and educate others. The bluedriving tool is a way to educate and to have the technology on our side. Use it wisely.


Saturday, February 2, 2013

Consequences of indiscriminate pruning

Recently the owners of the plants around my house decided to prune them. Pruning has many consequences and many pros and cons. However, I witnessed an unforeseen consequence. Around my house there were many lavender plants, and many bees come every day to those plants. But now that the plants have been cut back so drastically, there are not enough lavender flowers for the bees that used to come. As a result, many of the bees started circling around and got into the house. There is nothing wrong with that, and surely in a few days they will stop coming in, but clearly pruning plants and trees has a bigger effect than we think. Many times we don't know why we do things and are not aware of their consequences. Here is one more simple example.