Detect Malware with Best At NetFlow Solutions

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis on January 17th, 2010 by mike@plixer.com

The top security threat in enterprise environments during the first half of the year was the Conficker worm, Microsoft says in its Security Intelligence Report (SIRv7), which covers the first six months of 2009.

Michael Patterson
Founder and CEO

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


7 Features of Highly Effective NetFlow Analyzers

Posted in NetFlow on September 7th, 2009 by mike@plixer.com

Guys like Stephen Covey keep me inspired. Have you read his book “Seven Habits of Highly Effective People”? I thought it was great. It led me to believe that it was high time someone blogged about what sets NetFlow and sFlow reporting tools apart:

Michael Patterson
Founder and CEO


Using NetFlow to tell if your network is part of a botnet, Part 1

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Monitor, Security on August 12th, 2009 by NewsTrax

Distributed denial of service (DDoS) attacks are unfortunately par for the course on the Internet these days but when high-profile sites are targeted, the attacks are big news. Take for example last week’s DDoS attack on Twitter, which the microblogging site speculated was geopolitical in motivation.

Quick overview of DDoS

DDoS attacks are often caused by botnets flooding Web sites with requests, thus bringing the site’s Web servers to their knees. A botnet is a collection of computers that have been compromised by viruses and worms so that they can be controlled by malicious individual(s). An example could be the collection of computers compromised by Conficker; however, a Conficker botnet has yet to be leveraged to do harm.

In the case of Twitter, the irony is that it could have been the compromised computers of some of Twitter’s own users that caused the DDoS.


Black Hat 2009: What happened to Conficker’s payload?

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Security on July 29th, 2009 by NewsTrax

Black Hat Las Vegas is taking place this week. The event is where professional hackers gather to share what they’ve been working on over the past few months. The results are often pretty startling for most average computer users.

For instance, Alessandro Acquisti, a researcher at Carnegie Mellon University is going to show how information about an individual’s place and date of birth can be exploited to predict his or her Social Security Number. To cut a long story short, Acquisti says SSNs were designed to be simple identifiers and not for authentication purposes, and so businesses should stop using them as confidential passwords.

We know enterprise networks are big targets for cybercriminals. Here are some Black Hat Vegas briefing sessions by security professionals about new attacks that could be around the corner and how to protect against them. Slides from the presentations are expected to be available at the Black Hat site after the event. Slides from January’s Black Hat DC 2009 briefing sessions are here.


Cisco warns of rising spam volumes; how Cisco NetFlow can stop the spread

Posted in IT News, NetFlow, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security on July 22nd, 2009 by NewsTrax

Cisco, in its midyear security report, notes that although vulnerability and threat activity has been off to a slower start this year compared to 2008, we should expect spam volumes to rise to record levels. Cisco says that Memorial Day on May 25, 2009 was the third-highest volume day ever recorded for spam. The report also suggests that criminals are expected to maintain their aggressive targeting of legitimate websites to create botnets through the propagation of malware.

Cisco also warns that until social networking sites use “more robust protection”, cyber criminals will continue to target popular online communities to lure unsuspecting users to click through to fraudulent sites or to download malware.


NetFlow Detective – The case of the missing notes

Posted in General, NetFlow, Netflow Detective, Scrutinizer on May 18th, 2009 by Jimmyd

It was a cold afternoon here in the city, colder than your normal spring afternoon. Things had been hectic here in the office lately, but I had a feeling that things were going to get much, much busier.

A tall man walked through the door.

“Are you the Cisco NetFlow detective?” he asked.

“Yes, I am. What can I do for you?”

“I’m in trouble, big trouble!” he said.

“What kind of trouble?” I knew that he was in trouble from the second I saw him; it’s the kind of trouble that haunts a man, the kind that brings him to a guy like me.

“Jimmy, I’m getting logs from the IDS and firewalls notifying me of an intrusion attempt. They are trying to communicate to a local IP, but I don’t know who that local IP is or who else they were talking to.”

“What’s even worse is that our school district was awarded a technology grant that makes us a beacon school for technology. These hacks are getting out to the news and my job is on the line. The school board is calling for an investigation into my actions. I don’t know what else I can do!”

“Don’t worry Joe, I’ve seen this before and I can help you out. Let’s look at your network. What do you have behind that firewall?”

“We have multiple Cisco routers and three Catalyst switches,” said Joe.

“Good news Joe, they support Cisco NetFlow. This will be easy.”

Joe looked confused. “What’s Cisco NetFlow?”

“NetFlow is a protocol developed by Cisco to help you manage your network traffic. It gives you a record of each conversation. It can tell you who is talking on your network, who they are talking to and what they are saying. We’ll use Scrutinizer to help us manage and report on it. It will find out where the issue is.”

After a few minutes Jimmy D and Joe had set up Scrutinizer and were successfully sending flows from all the switches and routers.

“Now we need to let it gather some data. Let’s get together in the morning.”

The Next Day:

“First, let’s take a look at the firewall logs.”

As we browsed through the list, something caught my attention. It appeared the attacks were coming from the address 66.122.5.200. We then created a custom report in Scrutinizer to reveal who was attempting to communicate with this address. We already knew that the internal machine wasn’t getting to the IP in question, but we still wanted to know who was trying to communicate with it. It could be a virus or worse.

We first resolved the outside IP of 66.122.5.200 and it returned the host www.hackedquiznotes.tv. We then created a custom report that generated all conversations to and from that IP. On a hunch, I decided to report on the router that served the student level of the campus.

We ran the report and found the issue.

“Look, from here we can see that this workstation is trying to communicate with that IP. We can also see that they were using port 6609. Let’s go down to that lab and look at that machine.”
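The report Jimmy builds here (every conversation to or from 66.122.5.200, narrowed to the router that serves the student lab) and the NetFlow description earlier in the story, as an added example that is not Scrutinizer’s own code: it runs over constructed CSV flow records, and the exporter address 10.0.0.1, the local hosts and the second external address are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records standing in for NetFlow exports (not a real capture).
# Fields: exporter (router/switch), src, dst, proto, dport, packets, bytes.
# 10.0.0.1 is assumed to be the router serving the student lab; 203.0.113.9 is
# a documentation-range address standing in for an ordinary web site.
SAMPLE_FLOWS = """\
exporter,src,dst,proto,dport,packets,bytes
10.0.0.1,10.20.5.33,66.122.5.200,tcp,6609,42,31800
10.0.0.1,10.20.5.33,203.0.113.9,tcp,80,12,9100
10.0.0.1,10.20.5.33,66.122.5.200,tcp,6609,7,4200
10.0.0.1,10.20.5.60,203.0.113.9,tcp,80,30,25000
10.0.0.2,10.10.1.8,66.122.5.200,tcp,443,3,600
10.0.0.2,66.122.5.200,10.10.1.8,tcp,6609,5,900
"""


def load_flows(text):
    """Parse the CSV flow export into a list of dicts (one per flow)."""
    return list(csv.DictReader(io.StringIO(text)))


def conversation_report(flows, peer_ip, exporter=None):
    """Every conversation to or from peer_ip, grouped by local host,
    direction and destination port; optionally limited to one exporter."""
    report = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        if exporter is not None and f["exporter"] != exporter:
            continue
        if f["src"] == peer_ip:          # peer initiated: inbound to us
            key = (f["dst"], "inbound", int(f["dport"]))
        elif f["dst"] == peer_ip:        # local host reached out to the peer
            key = (f["src"], "outbound", int(f["dport"]))
        else:
            continue                     # flow does not involve the peer
        entry = report[key]
        entry["flows"] += 1
        entry["packets"] += int(f["packets"])
        entry["bytes"] += int(f["bytes"])
    return dict(report)


def top_talker(report):
    """Local host that exchanged the most bytes with the peer, or None."""
    totals = defaultdict(int)
    for (host, _direction, _port), entry in report.items():
        totals[host] += entry["bytes"]
    return max(totals, key=totals.get) if totals else None
```

Run against the student-lab exporter only, the report collapses to one local host talking outbound on port 6609, which is the workstation the story walks down to the lab to inspect.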

Soon Jimmy D and Joe were in the computer lab face-to-face with a student.

“Ben, this is Detective Jimmy D and he is looking at some issues with our network,” said Joe.

“Excuse me for a moment Ben, I need to check something on that computer.” Joe and I sat down at the computer while Ben stood over by the door.

“Haven’t I seen him before?” I asked.

“You might have seen Ben in the paper. He and his father helped break ground on the new CBA Network Management building. CBA Network is one of the companies asking the school district to outsource their network solutions to them. They are trying to cut costs.”

I started typing and the pieces started to come together… The picture wasn’t good.

“Joe, it looks like Ben added an app that monitors certain folders for any activity. Once activity is detected it uploads that file to a remote site. In this case, it is www.hackedquiznotes.tv, via port 6609.”

“That’s not right. Ben wouldn’t have access like that…”

Joe quickly sat down at the computer and checked on the user name that was running that service. The user name was abcnm, and it had been created two weeks ago by Jon, the Jr. Admin.

Joe turned to me and had a horrible look on his face.

“What’s wrong, Joe?” I said.

“I can’t believe it,” said Joe. “Two weeks ago Jon, my Jr. Admin, was passed up for the Admin position. He was very upset that I had gotten the job. He wanted it, and wanted it bad.”

“Why do you think he did this?” asked Joe.

Joe quickly turned to Ben and asked, “What do you have to say about this?”

All of a sudden a look of anger came over Ben’s face. The kind of anger you see when the senior quarterback misses the last touchdown in the last second of his last game ever.

“Arggg, I would have gotten away with it, if it wasn’t for him!” yelled Ben. “My dad was going to buy me a new car if he won this contract. So I made sure Jon would take over your job in the new building. The district would have gotten rid of you by then!”

“Ahh, I see,” said Joe. “Well, I think that you need to speak with Vice Principal Flanagan. I’ll bet he will want to contact the District and your father!”

“Thank you Jimmy D. You have saved my position!”

“Not a problem Joe, that is my job.”

Although quite a bit of this story is fictional, it is based on a real life call. Some of the names have been changed to protect the innocent.


Jimmy D the Netflow Detective


Join the NetFlow Developments group on LinkedIn.


Malicious code activity heightened in 2008, Symantec says

Posted in General, IT News, Security on May 6th, 2009 by NewsTrax

Network managers take note: Malicious code activity is on the up and hackers are targeting users’ confidential information. Security firm Symantec, in its Internet Security Threat Report released this month, said the malicious code signatures it developed in 2008 represented more than 60% of all malicious code signatures ever created by Symantec.

The report found that 90% of all threats detected by Symantec in 2008 attempted to steal confidential information, and keystroke logging was the main method employed by hackers. Keystroke loggers, which log all keyboard activity, can steal information such as online bank account credentials and credit card numbers. These details are sold by criminals to organized gangs in a market that has not suffered in the economic downturn.

Symantec also found that malware authors are becoming more resilient and finding new ways to relaunch their activities after suffering temporary shutdowns. The report gives the example of the shuttering of two U.S.-based botnet-hosting outfits, which contributed to a significant decrease in active botnet activity during September and November. But they re-emerged on alternate hosting Web sites and soon began infecting victims to a level higher than their pre-shutdown levels.

Web applications were the most common source of vulnerabilities, the report notes. Of the 12,885 site-specific cross-site scripting vulnerabilities reported in 2008, only 3% had been fixed at the time the report was written, according to Symantec. Cross-site scripting allows hackers to inject their code into legitimate Web pages.

Most Web-based attacks originated from the U.S. during 2008, followed by China and the Ukraine. Europe, the Middle East and Africa accounted for 45% of the world’s Web-based attacks.

The report also found that by the end of last year more than one million individual computers had been infected by the Conficker worm, which continues to be active and which you can catch with Flow Analytics.

If you want to read more from the security report, Symantec has a Web page dedicated to it.

Related security posts from Systrax:

Network security: Cisco NetFlow watching for strange behavior on your network

Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer

Conficker C: The biggest prank of the year


Is Conficker being hosted by your company?

Posted in NetFlow, Scrutinizer on April 25th, 2009 by Brian

I’m sure just about every company’s security manager is aware of Conficker. This worm is spreading through networks at alarming rates. Its weapon: exploiting a vulnerability, MS08-067, in Windows 2000, XP, and Server 2003.

Conficker looks like legitimate traffic
Conficker.A, .B and .C (yes, it has versions) randomly create domain names based on the system clocks of popular web sites such as google.com, yahoo.com, etc., so the HTTP traffic looks legitimate. At first, I thought we should block all the domains, but that is not a simple task. As of April 8th, Conficker.E was found not to be using randomly created domains; unlike Conficker.C, it deletes itself on May 3rd, 2009. It constantly changes its own behavior!

On April 7th researchers found a variant of Conficker that initiates communication via a peer-to-peer (P2P) connection. A TCP connection is then used to download the file. Irregular UDP communications also take place.

What is Cisco’s position?
Learn more about Cisco’s position on Conficker. They encourage customers to purchase their Home Network Defender product and as a result, you “should be” protected. Here is some additional great information on Conficker from Cisco.

Track Conficker with Cisco NetFlow?
It isn’t that easy. Remember, Conficker looks like legitimate traffic. Network Behavior Analysis solutions can’t confidently detect Conficker either. We are looking into a solution that watches Conficker behaviors. Our Internet Threats Monitor has proven to be very effective at getting updates out to all our customers within just a few minutes. We could do the same as Conficker mutates and we learn its new behavior. For now, here are a few things to be aware of:

  • Make sure you know your company’s legitimate applications VERY WELL.
    • Make sure you have defined the known applications within Scrutinizer.
    • Put in the time to mark legitimate traffic within the Top Applications gadget of Flow Analytics.
  • Watch your DNS logs for hosts failing to resolve odd host names. Maybe script something that looks for excessive DNS lookup failures within a time frame, etc. I’m still looking into this.
  • Participate in Systrax and get involved.
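One way to script the DNS check suggested in the list above, as an added example that is not Plixer’s code: it counts NXDOMAIN answers per client inside a sliding time window and flags clients whose failures burst past a threshold, which is what a host cycling through generated domain names looks like in resolver logs. The log line format, the client addresses and the queried names are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log (the line format is an assumption, not a
# real capture): timestamp, client IP, queried name, response code.
SAMPLE_DNS_LOG = """\
2009-04-25 09:00:00 client 10.1.2.77 query qwhdsa.org NXDOMAIN
2009-04-25 09:00:01 client 10.1.2.15 query abcqwe.com NXDOMAIN
2009-04-25 09:00:02 client 10.1.2.15 query zxpqrt.net NXDOMAIN
2009-04-25 09:00:03 client 10.1.2.40 query google.com NOERROR
2009-04-25 09:00:04 client 10.1.2.15 query plmokn.biz NXDOMAIN
2009-04-25 09:00:07 client 10.1.2.15 query yhnujm.info NXDOMAIN
2009-04-25 09:00:11 client 10.1.2.15 query tgbrfv.cc NXDOMAIN
2009-04-25 09:00:16 client 10.1.2.15 query edcwsx.ws NXDOMAIN
2009-04-25 09:00:20 client 10.1.2.40 query googel.com NXDOMAIN
2009-04-25 09:03:00 client 10.1.2.77 query lkjhgf.net NXDOMAIN
2009-04-25 09:05:00 client 10.1.2.40 query yaho.com NXDOMAIN
2009-04-25 09:06:00 client 10.1.2.77 query mnbvcx.com NXDOMAIN
2009-04-25 09:09:00 client 10.1.2.77 query poiuyt.org NXDOMAIN
2009-04-25 09:12:00 client 10.1.2.77 query asdfgh.biz NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) client (?P<client>[\d.]+) "
    r"query (?P<name>\S+) (?P<rcode>\w+)$"
)

def parse_failures(log_text):
    """Return {client_ip: [datetime, ...]} holding only NXDOMAIN answers."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("rcode") != "NXDOMAIN":
            continue  # unparseable line, or a lookup that succeeded
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        failures[m.group("client")].append(ts)
    return failures

def peak_failures(timestamps, window):
    """Largest number of failures that fall inside any span of `window`."""
    stamps = sorted(timestamps)
    best = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:  # slide the window forward
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_hosts(log_text, threshold=5, window_seconds=60):
    """Clients whose NXDOMAIN count inside some window reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, stamps in parse_failures(log_text).items():
        peak = peak_failures(stamps, window)
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

The window matters: the host that fails six lookups in fifteen seconds is flagged at the default settings, while the host that fails one lookup every three minutes only shows up when the window is widened, and a single typo never does.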

Are you infected?
Take the Conficker test right now. If all 6 images show up you are in good shape.

Brian


New resource shows how to test for Conficker vulnerabilities

Posted in General on April 21st, 2009 by Jimmyd

Over the weekend I spent quite a bit of time watching some of the awesome IT security videos that are offered on The Academy Pro web site. I couldn’t believe all the valuable step-by-step information that this site offers. Believe it or not, I had a goal. I needed to learn more about “Conficker”.

We have already covered how to detect “Conficker” traffic via Scrutinizer’s Flow Analytics application in my buddy Milton’s blog back in March. In the NetworkWorld article titled “Downadup/Conflicker worm: When will the next shoe fall?”, Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks, is quoted as saying, “It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs”. So how can we prevent this from happening?

My goal was to conduct a security audit for such a vulnerability. That is where TheAcademyPro comes in. The TheAcademyPro web site was created by Peter Giannoulis, a well-known information security consultant and author. Check out this awesome interview with Peter on Hak5. They just started a series on how to conduct vulnerability scans for Conficker:

Conficker vulnerabilities with Core Impact – Posted on April 20th, 2009

“Everybody’s had to deal with Conficker over the last little while, but many don’t realize exactly how easy it is to exploit a system using the targeted vulnerability. Let’s begin the week by manually exploiting Conficker vulnerabilities with Core Impact 8 modules.”

Now I have a bit more information and might be able to conduct a security audit soon. I will keep you posted.


Jimmy D the Netflow Detective


Conficker C: The biggest prank of the year

Posted in General, IT News, Security on March 27th, 2009 by Ryan

If there’s one thing to know when working here at Plixer, it’s this: Watch your back when April Fools comes around!

Last year, Tom Pore convinced Raul that there was a customer who needed immediate assistance. Of course, this customer was Mr. Behr and Mr. Lyon at the San Diego Zoo. Raul, being the “go getter”, didn’t bother to second-guess Tom’s request and made the call.

The funny part was that the operator that answered the phone caught on long before Raul that he was being duped. Can you imagine that?

Raul – “Good morning, could I please speak to Mr. Lyon?”

Operator – “Sorry, there’s nobody here by that name…”

Raul – “Oh, could I speak to Mr. Behr then?”

Operator – “…”

… and that’s what you get for trusting Tom.

In Raul’s defense though, we did have contacts at the San Diego Zoo, so that made “Mr. Lyon’s” request for assistance way more legitimate.

(I’ll pause to give you guys time to pick yourselves up off the floor)

This coming April, however; we could all find ourselves being the victim of one big prank…

Right now, there’s a lot of buzz being generated on the net regarding the Conficker C worm. The true danger is that 75% of the world’s users are running Windows, which harbors the vulnerabilities this worm exploits. To compound the issue, Conficker C is programmed to have all infected machines accept instructions on April 1st.

What does this mean? I have no idea, and neither does anyone else… and that worries people.

So what will happen when millions of PC’s in this giant botnet awaken?

Maybe some poor sap is going to get the DDoS attack of DDoS attacks; maybe we’ll all get spammed with “I Love You!” e-cards; maybe the planet will finally be hacked…

To combat this, Microsoft has issued a patch that supposedly addresses the vulnerability, but it still wants blood from the person(s) responsible.

Earlier this year, Microsoft issued a bounty of $250,000 for information leading to the arrest of the author(s) of Conficker. That person must have some GOOD friends…

So what does Conficker C and Tom Pore have in store for us this coming April Fools? We’ll just have to see…


Ryan
