The Social Graph of Malware Archives - Sky's Blog
https://blog.red7.com/category/people-and-society/the-social-graph-of-malware/
Communicating in a networked world

DDoS, EDoS, then “that bad aftertaste”
https://blog.red7.com/that-bad-aftertaste/
Wed, 07 Jul 2010 16:09:06 +0000

The post DDoS, EDoS, then “that bad aftertaste” appeared first on Sky's Blog.

In early June, I was in a nice rainy East Coast US city for meetings dealing with particularly thorny issues related to ways the Internet experience is being killed off for regular folks—and for institutions (NGOs) that are promoting free speech and human rights. Over a small breakfast, I sketched in my book some notes about the progression of malware over time. Basically paralleling the development I describe in my site The Social Graph of Malware, malware has gone from simple and juvenile defacement of web sites to become sophisticated and bandwidth-hogging socially-engineered schemes designed to get people to fall for a purchase they didn’t want to make, or just to click a link to enroll their computer in a network of zombies poised to conduct nasty attacks on other people.

What strikes me as the next stage in targeted attacks[1] hasn’t really been spoken of much, and the attacks only began in earnest during mid-2009—it’s that I think we’re entering an era in which attacks will be positioned to create a “bad aftertaste” and thus kill off the visitor/audience for some big web sites. The attacks are, in a sense, damaging the reputation, good will, and the brand of the attacked sites.

These attacks take advantage of the Google Safe Browsing interface now available in Firefox and Chrome browsers, and the (new) BrightCloud toolbar for Firefox and for Chrome—both of which alert a web user that they are about to use a web site that could contain malware [see diagram]. A would-be site visitor is presented with one of these “warnings” and is dissuaded from viewing the site. (Once the site has been cleaned up, the warning disappears, and visitors may decide to click through and go to the site anyway, if they wish.) The problem is that you are left with the bad aftertaste of having gone to a legitimate site, seen this explicit warning, and you may decide never to go back even if the warning has been removed!

In prior years, attacks have been positioned to “take down” legitimate businesses by denying access to their sites [DDoS].[2] Soon it was discovered (and is not widely exploited yet) that if an attacker simply hammers a site so hard that the defending organization has to dedicate more resources (read “money”) to defense, they can wear down the organization by depleting its budget and even its “will to stay alive online.” This doesn’t work if the attacker is just exploiting a site to drive traffic to its own illegitimate sales site, but it does work if the attacker’s intent is to take the organization down.

I already see evidence of small to medium attacks of the economic sort, and predict that we will see far more of them during the remainder of 2010 and 2011. I am working with NGOs now to prevent this type of “bad aftertaste” attack trend, and will report on how it’s going as I gather more information and evidence.

To get a feel for how much this is happening, see the StopBadware and the BadwareBusters web sites (forums where people are discussing these attacks and their remediation).


[1] Many attacks taking place on web sites today are opportunistic rather than targeted, meaning that an attacker finds a web server that can be exploited and compromised and then uses it regardless of who it represents or affects. By and large, these attackers want to remain undiscovered, if possible, so the compromised server doesn’t get fixed any time soon. Therefore, it’s usually a “silent” attack with no immediately visible consequences on the web page.

[2] (Distributed) Denial of Service attacks bog down the target web servers so they can’t respond to legitimate requests from customers. They make it impossible to reach the business or organization. In some cases, the attacker asks for a “ransom” payment to stop the attack, in other cases they conduct a short-lived attack to make a protest or prove a point, and in some cases they continue their attack long enough to have a direct economic impact on the target.

Google, Human Rights, Free Speech
https://blog.red7.com/google-human-rights-free-speech/
Wed, 13 Jan 2010 02:04:51 +0000

The post Google, Human Rights, Free Speech appeared first on Sky's Blog.

Google’s Chief Legal Officer has fired a “shot across the bow” aimed at the Chinese ship of state.

In a post on the Official Google Blog a couple of hours ago, David Drummond, SVP Corporate Development and Chief Legal Officer, says that Google and other organizations have been the targets of attacks from China, and that Google may suspend operations within China.

He characterizes the attacks as “highly sophisticated” and “targeted” — though his description doesn’t really describe the sophistication — and it seems to be much like what we’re seeing in terms of attacks against the Tibetan exile community and Tibet support groups [TSGs] in general.

He specifically says the more than twenty attacks they identified had as a primary goal:

“…accessing the Gmail accounts of Chinese human rights activists.”

He cites a number of reports, including the GhostNet report, which you should read if you’d like a little more detailed analysis of how some of this stuff takes place.

And here’s the punchline:

“We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.”

Whoa! He used the word censoring here! I don’t recall that Google described their actions as censorship when they first started filtering results at Google.cn…

This is a welcome step forward, assuming they follow through, and I applaud their willingness to listen to others who have been criticizing Google’s decision (to provide censored search results in China) from the beginning, as well as (now) to respond to the censorship and repression of free speech that we see spreading now.


See my related posts (below) for more on the issue of free speech and human rights in China and elsewhere in the world.

Can short URL sites and Twitter together be attack vectors?
https://blog.red7.com/can-short-url-sites-and-twitter-together-be-attack-vectors/
Mon, 20 Apr 2009 05:43:15 +0000

The post Can short URL sites and Twitter together be attack vectors? appeared first on Sky's Blog.

On my site The Social Graph of Malware, I try to present current information (with appropriate background) on malware and attack vectors that use social engineering as a part of their methodology.

Last week I read somewhere (I know not where) about the potential for URL-shortening sites pointing you at sites containing malware. It’s pretty simple – imagine that someone posing as your friend twitters you and there’s one of these shortened URLs inside the message … but that this shortened URL points you at a site containing an embedded virus rather than at a site that you would want to actually visit. Your actual or supposed friend might not even know the site is poisoned. How can you protect yourself against this? Read this page at The Social Graph of Malware for more details. (I promise you there are no shortened URLs in the article.)
