
Symantec takes credit for pushing a nasty botnet into a sinkhole


October 2, 2013

It looks like Symantec is taking full credit for luring the powerful ZeroAccess botnet into an effective sinkhole, where it can't do any more harm to internet users.

ZeroAccess has been active for the past two years already and is one of the largest known botnets in existence. It has upwards of 1.9 million infected computers and servers forming its nasty army, all remotely controlled by miscreants.

It's estimated that this group of computer robots is literally put to work generating tens of millions of dollars annually.

It's claimed that cyber criminals make money from the infected Windows machines by instructing the computers to virtually and fraudulently click on web adverts, thus ramping up income for an affiliate ad network or, to a lesser extent, mine for new Bitcoins.

By subverting the communications system the bots use to organize themselves, Symantec claims it has sinkholed (i.e. taken control of, or disabled) more than half a million bots.

This will have made a serious dent in the number of zombie drones under the thrall of the ZeroAccess group. Symantec added that it's working with ISPs and government computer security teams such as CERT globally, in an effort to help get infected computers cleaned up as fast as possible.

ZeroAccess infects Microsoft-powered computers caught up in drive-by downloads: booby-trapped websites attempt to exploit security holes in web surfers' machines to install the malware.

It then uses a rootkit to hide itself from the operating system and the victim, sets itself up on a hidden file system, downloads yet more bogus software, then connects to other infected systems and opens up more backdoor access.

And the whole process is repeated over and over. The ZeroAccess botnet is very sophisticated and powerfully resilient, using a peer-to-peer architecture to communicate in the wild.

So it seems to enjoy a high degree of redundancy and no central command-and-control server for the good guys to target. As a result, nobody is under any illusions that Symantec's action has finally put an end to the zombie network.

More details and additional information on the takedown effort can be found in a blog post on Symantec's site.

In other internet security news

Leaked documents in the wild now provide evidence that GCHQ planted malware in the systems of Belgacom, the largest telecommunications company in Belgium.

According to slides obtained by NSA whistleblower Edward Snowden and supplied to German newspaper Der Spiegel, the attack targeted several Belgacom employees and involved planting hacking technology called 'Quantum Insert' which was developed by the NSA.

The attack technique surreptitiously directs victims to spook-run websites where they are exposed to secondary malware infection.

The ultimate goal of "Operation Socialist" was to gain access to Belgacom's core GRX routers in order to run man-in-the-middle attacks against targets roaming with smartphones.

The leaked documents reveal that spooks in Cheltenham were particularly interested in BICS - a joint venture between Belgacom, Swisscom and South Africa’s MTN - which provides wholesale carrier services to mobile and fixed-line phone companies around the world, including trouble spots such as Yemen and Syria.

BICS is among a group of companies that run the TAT-14, SEA-ME-WE3 and SEA-ME-WE4 cables connecting the United States, Britain, Europe, North Africa, the Middle East and Singapore to the rest of the globe.

Early goals for the spies included mapping its network to understand Belgacom's infrastructure as well as investigating VPN links from BICS to other telecoms providers. The leaked slides describe the exercise as already being a success and close to achieving its ultimate goal of compromising enough of Belgacom's infrastructure to run man-in-the-middle attacks.

One slide explains that spooks had successfully compromised "hosts with access" to Belgacom's core GRX routers, leaving them just one step away from their objective. The slides themselves aren't dated, but other leaked documents date the compromise of Belgacom's systems to around three years ago, in 2010.

In a statement issued earlier this week, Belgacom admitted its internal systems were compromised but played down the impact of the breach, saying that the intrusion didn't compromise the delivery of communications. It added that the intrusion is under investigation by Belgian law enforcement.

If GCHQ was indeed the agency concerned at that time, then this investigation is unlikely to go anywhere soon, and the most that can be expected is some sort of diplomatic complaint from Belgium to Britain, its EU and Nato partner.

We've asked Belgacom if it has any comment on Der Spiegel's revelations. In response, a spokesman supplied the following short statement, which clarifies that Belgacom filed a criminal complaint in July, shortly after detecting the hacking attempts and long before going public with the problem on Monday.

Belgacom said: "We have filed on July 19 a formal complaint against an unknown third party and have granted since then our full support to the investigation that is being performed by the Federal Prosecutor."

Background on GRX (GPRS Roaming Exchange), a tasty target for signals intelligence types, can be found in a presentation put together by Philippe Langlois, founder and chief executive of P1 Security, for the Troopers security conference in Germany back in 2011.

In other internet security news

According to a recent study by online reputation–tracking firm Iovation, internet users who access the web through the anonymizing Tor network are much more likely to be hackers or other troublemakers than are typical people.

The company announced yesterday that about 30.2 percent of all transactions it logged as coming from the Tor network during the month of August were fraudulent, compared to about a one percent fraud rate for internet transactions as a whole outside of the Tor system.

Tor disguises the source of internet connections by shuttling them through hard-to-follow network routes and assigning them IP addresses at random from a large pool of distributed IPs around the globe.

While it's not too difficult to tell whether a connection is coming from Tor, it's very hard to know just who is behind any given Tor connection, or even where in the world they are located.

For that reason, while Tor has often been used for political activism, whistleblowing, and other risky but laudable activities, it's also home to a shady underworld of less-praiseworthy dealings, ranging from drug trafficking to child pornography.

For example, the online black market Silk Road website conducts its business entirely over Tor. Online criminals have recently begun experimenting with using Tor as a cover for other kinds of internet traffic, as well.

The number of clients accessing the network on a daily basis doubled in August when the Mevade.A botnet began using Tor to route its command-and-control data.

Iovation found that about 31.8 percent of all Tor transactions were suspect, and the company isn't just talking about sales on Silk Road, either.

"Transactions simply means any online action at one of our customer sites like online purchases, account registrations, credit applications, logins, wire transfers, comments, etc, etc" said Scott Olson, Iovation's vice president of product.

"Any interaction where fraud, abuse or other similar nature are of grave concern to all our subscribers," he added.

Iovation's Reputation Manager service can't identify individual Tor users, but it can spot traffic that originates from known Tor IP addresses, called "exit nodes."

To conduct its study, it analyzed 240 million transactions conducted in August 2013 and compared the fraud rate of Tor traffic to that of the whole internet.

Iovation is making the ability to identify Tor traffic generally available to its Reputation Manager customers at no charge.

"Tor in itself isn't a bad service," Olson said. "It can be used for positive things as well as fraudulent things. For our clients, they are concerned with mitigating risk and in this case, Tor is disproportionately associated with a much higher fraud rate for online purchases, account applications, logins, etc."

And Iovation isn't the first to identify this issue. As recently as August, the head of Russia's Federal Security Service said he would like to block Tor traffic at the national level as part of the country's anti-terrorism efforts.

Although blocking all Tor traffic would be challenging, blocking traffic that re-enters the mainstream internet via Tor exit nodes is comparatively easy.
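The exit-node check described above (Iovation's Reputation Manager flags traffic from known Tor exit IPs, and sites can block or scrutinize it) comes down to a set lookup plus per-group statistics. The following is an added illustration, not Iovation's code or anything from the original article: it matches transaction source addresses against a constructed, hypothetical exit-node list (documentation-range addresses, not real relays), then computes the fraud rate for Tor-sourced versus other transactions the way the study's comparison is described. The exit-node list and the sample transactions are both constructed for the example; a real deployment would refresh the list from a published exit-node feed, since relays churn constantly.

```python
import ipaddress
from collections import Counter

# Constructed, hypothetical Tor exit-node list. Addresses come from the
# RFC 5737 documentation ranges and are NOT real relays. Normalising through
# ipaddress means "2001:DB8::1" and "2001:db8::1" compare equal.
KNOWN_EXIT_NODES = {
    str(ipaddress.ip_address(a))
    for a in ("192.0.2.10", "192.0.2.11", "198.51.100.7", "2001:db8::1")
}

# Constructed sample "transactions": (source_ip, action, flagged_as_fraud).
# This is invented data for the example, not figures from the study.
SAMPLE_TRANSACTIONS = [
    ("192.0.2.10",   "login",                True),
    ("192.0.2.10",   "purchase",             False),
    ("192.0.2.11",   "account_registration", True),
    ("198.51.100.7", "wire_transfer",        True),
    ("203.0.113.5",  "login",                False),
    ("203.0.113.6",  "purchase",             False),
    ("203.0.113.7",  "comment",              False),
    ("203.0.113.8",  "credit_application",   True),
    ("203.0.113.9",  "login",                False),
    ("203.0.113.10", "purchase",             False),
]


def is_tor_exit(ip, exit_nodes=KNOWN_EXIT_NODES):
    """Return True if `ip` is a known Tor exit node.

    A malformed address raises rather than quietly counting as "not Tor", so a
    garbled log line can't slip past the check as ordinary traffic.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError as exc:
        raise ValueError(f"unparseable source address: {ip!r}") from exc
    return str(addr) in exit_nodes


def fraud_rates(transactions, exit_nodes=KNOWN_EXIT_NODES):
    """Split transactions into Tor / non-Tor groups and return each group's
    fraud rate (fraudulent / total) as a dict; an empty group rates 0.0."""
    totals, fraud = Counter(), Counter()
    for ip, _action, flagged in transactions:
        group = "tor" if is_tor_exit(ip, exit_nodes) else "non_tor"
        totals[group] += 1
        if flagged:
            fraud[group] += 1
    return {g: (fraud[g] / totals[g] if totals[g] else 0.0)
            for g in ("tor", "non_tor")}


# Actions where an exit-node origin is worth a second look rather than a
# blanket block (Tor is also used legitimately, as the article notes).
SENSITIVE_ACTIONS = {"account_registration", "credit_application",
                     "wire_transfer", "login"}


def triage(ip, action, exit_nodes=KNOWN_EXIT_NODES):
    """Return 'review' for sensitive actions from a Tor exit, else 'allow'."""
    if is_tor_exit(ip, exit_nodes) and action in SENSITIVE_ACTIONS:
        return "review"
    return "allow"


if __name__ == "__main__":
    rates = fraud_rates(SAMPLE_TRANSACTIONS)
    for group, rate in rates.items():
        print(f"{group:8s} fraud rate: {rate:.1%}")
    for ip, action, _ in SAMPLE_TRANSACTIONS[:5]:
        print(f"{ip:14s} {action:22s} -> {triage(ip, action)}")
```

The design choice worth noting is that the exit-node flag is a risk signal, not an identity: `triage` escalates only sensitive actions to review instead of blocking every Tor-sourced request, which matches the article's point that Tor itself isn't a bad service and that sites such as Wikipedia restrict particular actions rather than all access.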

Wikipedia prevents editing by Tor users, for example, and if Tor's reputation for being rife with bad actors grows, more sites may choose to do the same.

In other internet security news

According to new documents unearthed using the Freedom of Information Act, the NSA acquired professional computer and server hacking tools complete with their documentation from French security firm Vupen.

A bona fide contract shows the U.S. security agency paid for a whole year's supply of zero-day vulnerability information and the software needed to exploit those security holes to attack various electronic systems.

The documents, obtained by government transparency and accountability site MuckRock, show that the U.S. intelligence nerve-centre signed up to a one-year subscription to Vupen's “binary analysis and exploits service” in September 2012.

Vupen prides itself on advanced vulnerability research as well as selling software exploits for unpatched flaws in systems - known as zero-days - to governments. Several U.S. defense contractors and security startups, such as Endgame Systems, are also in the business of privately researching and selling information about software security vulnerabilities and associated attack code.

That U.S. government organizations may be among Vupen's customers' list isn't a surprise to most people in the internet security industry. The NSA, even though it has advanced offensive cybersecurity capabilities, not least in the shape of its Tailored Access Operations cyber-espionage unit, might still find it valuable to tap into external help from commercial providers such as Vupen.

"Likely reasons for NSA's subscription to Vupen's 0-day exploits could be: 1) know what capabilities other governments can buy, and 2) false flag, deniable cyber-ops," writes Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union.

"There are specific times when U.S. special forces use AK-47s, even though they have superior guns available. It's the same for the NSA's Vupen purchase. Deniability," he added.

Soghoian, who delivered a presentation about the exploit vulnerability marketplace at the recent Virus Bulletin conference, has previously likened the trade in software exploits to a trade in conventional weapons - think bullets, bombs and rockets.

In other internet security news

Earlier this year, it was revealed in the media how a massive security breach accidentally allowed access to thousands of images of people suspected of petty crimes.

Now it is revealed that the private company behind that CCTV and image database is claiming its technology has led to the arrest of over one hundred suspects.

London's Metropolitan Police has spent the past twelve months working with Facewatch, a website where business owners can communicate with each other and the police to share information about potential criminals.

Facewatch streamlines the process of handing CCTV footage, snapshots, incident forms and other evidence to police and law enforcement agencies.

The system's creators say the police force in London had already made 100 arrests using Facewatch and expects many more as businesses around the capital begin to use it on a larger scale.

However, they had no estimate of how many convictions have so far arisen from those arrests; nevertheless, the site is proving to be a useful tool for reducing crime.

Some 7,500 businesses and an additional eight police forces across Britain are also using Facewatch, which the company hopes will become a key part of the U.K.'s police armoury of crime-fighting tools.

Additionally, about 800 museums are also using the system, including London's V&A and the Ashmolean in Oxford, according to the company. We were invited last week to have a look at the latest build of Facewatch at the firm's headquarters near Embankment station in London.

Facewatch allows businesses to quickly upload footage or snapshots of suspicious individuals to the website. Customers can also use a neat process similar to Apple's screenshot command to zoom in and cut out a frame of footage on screen and then upload it to the site's servers.

This effectively removes two of the current hurdles that prevent police from making the best use of CCTV footage: 1) the need to physically collect footage from a business, and 2) the need for the correct codecs to actually view the footage once it has been brought back to the station.

Each piece of intelligence (the term Facewatch uses for its uploads) is individually tagged and indexed. This allows it to be shared with local businesses, allowing them to quickly identify potential criminals and collate evidence which could lead to a conviction.

When a crime is reported, the business is emailed at each stage of the police investigation, allowing it to keep an eye on how the case is proceeding through the system.

According to Facewatch, this results in a detection rate of about 15 percent, higher than the 5 percent rate of most crimes. Facewatch only focuses on low-level crime, such as theft or antisocial behavior, and isn't designed to take on serious crimes such as DUI, embezzlement, car theft, murder, rape or drug offences.

Simon Gordon, the system's founder, said he was inspired to begin developing the system after becoming frustrated at the number of purse and wallet thefts at Gordon's Wine Bar, which he also owns.

The famous London wine bar is a fitting place to run a surveillance system, says Gordon, as it was once known as a meeting place for spies from either side of the Iron Curtain back in the late sixties and early seventies.

Gordon said: "The old system of using CCTV footage in criminal investigations was very inefficient. We allow businesses to give intelligence directly to police, but also we then get updates on how the investigation is proceeding and when more details can be provided moving forward.

"We want to help the victims of crime by speeding up the investigation, while providing more details in the process. Police don't have to waste time taking reports in person and are freed up to actually catch the criminal, instead of the tedious process of gathering initial information."

Facewatch is currently working on facial recognition software, which will soon be tested in a shopping centre in Hampshire. Detective Chief Inspector Mick Neville, head of the Met's central forensics image team at New Scotland Yard, said: "Facewatch image submissions to the Metropolitan Police are on the increase and this has led to more prolific thieves being brought to justice."


Source: Symantec.
