In the article, “88 percent of firms show Zeus botnet activity,” RSA’s FraudAction Anti-Trojan services analyzed data stolen by Zeus from infected computers that included IP addresses and emails that belonged to the corporations. Among the stolen data found on the sites where infected computers drop the stolen data was compromised email addresses from about 60% of the firms.

With such a high percentage of botnet activity hitting Fortune 500 companies, it just goes to show that even the biggest, theoretically most advanced companies from a security standpoint are not immune to being hit by infectious malware.

It all circles back to a recent posting on what we’re doing today to improve our cyber defenses. In the blog, “Repercussions, not legislation, key to improving nation’s cyber defenses,” I mentioned that we need to get out of the status quo network security practices and techniques that are flawed, and start thinking in a more proactive manner. Until we do, our systems will remain at risk of hidden malicious code and malware attacks designed to snoop and steal our sensitive data, whether we know it or not.

Without further delay, here are the stories that caught my eye in November:

• Apple issues a massive security patch of its own – In November Apple issued a patch that fixed 58 holes as reported by Threatpost. The days of Apple being immune to security compromise are over. The combination of phishing and browser based attacks should make Mac users concerned and will soon drive security solutions adoption on those systems.
• Microsoft is back with it’s own large security patch – Microsoft fixed 15 separate vulnerabilities with 6 security updates in November. This is the same old story as previous months, but at least it wasn’t the record 13 updates hit in October.
• Microsoft reported an increase in worm infections, but decrease in scareware antivirus – Worm infections were up over 98% since the last Microsoft Security Intelligence report and it appears that Conficker bears a good part of the blame. Researchers believe that it is still being spread by USB keys with autoexecute capabilities. Scareware numbers are down where a user is tricked into visiting a site that says they are infected and then prompted to download “protection” from the malware.
• More news of botnet operators utilizing social networks to avoid detection – Searchsecurity.com reported that botnet writers are turning to Google and social networks. Popular social networking sites like Facebook and Twitter are increasingly prominent in security news for both spreading infection and providing a means of command and control for organized malicious software writers.
• Four people were sentenced in the UK for attacks on online banks – This is something I would like to see more of. It is a rare occurrence when cyber criminals are actually tracked down and brought to justice. Last month four individuals who were syphoning money from online accounts were caught and sentenced.
• CSO online had a nice detailed story about the fight against botnets – CSO published a nice seven page story about the individuals and organizations who research and combat botnets. It’s an interesting and informative read.
• Windows 7 is revealed to have flaw that allows DoS attacks – A flaw in the OSs Server Message Block (SMB) could be used to crash the system and could be activated when a user visits a malicious website.

There were several other interesting stories, but the fact remains that endpoints are under attack and we are in a continual catch up game with our current endpoint security.

A recent article in SearchSecurity.com, “Hackers to sharpen malware, malicious software in 2010″, points to increasing sophistication in cybercriminals’ use of social networking sites. Robert Westervelt writes:

In an effort to sustain growth and pick up new users, more social networks are opening up their architecture to allow third-party applications. Cybercriminals can take advantage of this by developing applications out of the social network environment to target users. In addition, access to social network APIs gives attackers a roadmap to vulnerabilities in legitimate third-party applications and a way to tap into user accounts.

Changes in this environment means that businesses will be more pressed than ever to set policies around the use of social networks on company IT resources and this won’t be popular. It will be made all the more difficult by the fact that social networks aren’t just for personal use any more. More businesses than ever are engaging in social media and using it to connect to customers, provide service, and promote their company.

Expect web site access control, application whitelisting and software asset management solutions to play an even more important role than ever on corporate networks. It will be essential that businesses both understand and control what applications their employees are using to defend against an increasingly prevalent threat.

The complaint is that 60 Minutes didn’t do their homework and that there is no proof that the actual outage was caused by hackers. I won’t get dragged into that dispute here, but I would like to address the conclusion that some have made that hacking in general is overstated.

To those who work in the security industry and say that the cyber threat to both Government and private systems is over hyped, my answer is have they even been paying attention? Both foreign governments and organized online crime have been carrying out attacks with specific purposes with increasing frequency and the evidence is all around us.

Here are some examples:

• From 60 Min story – U.S. Government loses over a terabyte of sensitive information:

  “In 2007 we probably had our electronic Pearl Harbor. It was an espionage Pearl Harbor,” Lewis said. “Some unknown foreign power, and honestly, we don’t know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high tech agencies, all of the military agencies, and downloaded terabytes of information.”

• Hackers steal over 130 million credit card numbers online – In August Albert Gonzales was indicted for stealing over 130 million credit card numbers from Heartland and other online businesses.

• Clampi trojan steals bank login information – Cnet posted a good article on the organized use of trojan horses to monitor our online activity and steal our credentials when we visit one of over 4600 banking sites.

• Bahama botnet used to drive online click fraud – From a recent eWeek article:

  Click Forensics, which has been reporting on click fraud data and trends for over four years now, released its figures for Q3 2009 this week. According to the latest figures, botnet-driven traffic accounted for 42.6 percent of all the empty ad traffic between the beginning of July and the end of September 2009.

  The results represents a significant increase in such activity, more than doubling botnet-driven click fraud compared to the same period in 2007 and gaining from the 27.5 percent reported for the same quarter in 2008.

These aren’t random infections from worms. This is organized hacking with a purpose. These are just a few real examples of our systems under attack and there are far more that simple searches will reveal. Our online systems are targets plain and simple and the security of our power grid is serious business.

If there is one thing that I hope people get from the 60 minutes story it’s that we need to understand the threats that exist out there and take the steps to mitigate that risk before a serious attack takes place. We have to remember that all significant threats can be considered FUD before they happen. When it comes to protecting our critical infrastructure I hope we don’t stick our head in the sand.

• Sept 1, 2009 – IIS FTP flaw announced with exploit code
  Microsoft kicked off the month by confirming the publication of exploit code for the IIS FTP vulnerability that could allow remote code execution on affected systems. The vulnerability affected systems running the IIS web server and was particular dangerous to FTP servers that had anonymous accounts for uploads.
• Sept 3, 2009 – Apple shows it continues to have more security problems than its ads would lead you to believe
  Apple released security patches for Java that fixed 15 documented security vulnerabilities. The most serious vulnerability allowed unauthorized Java applets to gain escalated privileges.
• Sept 5, 2009 – Microsoft announces patches will fail to include fix for IIS flaw
  The patch that was released following the announcement of the IIS exploit code did not contain a fix for that problem. Despite the severity of the problem, the complexity involved with producing, testing and distributing a patch to a serious security vulnerability prevented Microsoft from quickly fixing the hole in their operating system. At this same time, limited attacks were beginning to show up against those servers.
• Sept 9, 2009 – Microsoft announces SMB2 vulnerability affecting Windows Vista and Windows Server 2008
  Yet another zero-day vulnerability was announced without an immediate fix. Some security experts debated the impact of this vulnerability with many thinking this could set the stage for a Vista worm.
• Sept 11, 2009 – Clampi botnet continues to be a problem
  Online banking credentials continue to be targeted and stolen online by this dangerous botnet.
• Sept 17, 2009 – Security researchers demonstrate a remote exploit of the SMB2 vulnerability capable of spawning a worm
  The vulnerability was originally announced as a denial of service vulnerability and now was shown to have the potential to propagate a worm.
• Sept 17, 2009 – Botnets being used for click fraud
  Computerworld reported that the “bahama botnet” was being used to create fraudulent clicks to be used for affiliate marketing fraud.
• Sept 18, 2009 – Microsoft releases fix/workaround to SMB2 vulnerability
  The day after researchers announced remote exploitation code for the SMB2 vulnerability that could lead to a worm, Microsoft issued a fix that essentially turned off the service until a patch could be issued. They also indicated that this could have a performance impact until they produced the patch.
• Oct 1, 2009 – Antiphishing Working Group announces that phishing websites and rogue anti-virus software sites are dramatically on the rise.
  Coordinated attacks to trick users into infecting their PC with malware are booming. Phishing websites and fake anti-virus software both work to direct users to bogus sites where they become infected with malware.

All in all, this past month was more evidence that our reactive patching and signature based endpoint security strategy is coming to an end of its useful lifespan. The discussion has already begun at conferences and among the analysts as to what will become the new de facto endpoint security standard. Signs point strongly to a whitelisting solution playing a prominent role in this transition.