Dennis Fisher, Threatpost
Jul 16, 2010 - 3:54 p.m.

This Week In Security: Black Hat, Spammers and Trusted Rootkits

The old saying that there’s nothing new under the sun is just as true in the security industry as it is anywhere else. Many new attacks are variants or tweaks of existing ones, new software fails in exactly the same way as old software and new technologies crop up to solve problems that are 30 years old. You can add to that list the sad frequency with which interesting talks at security conferences are having to be canceled because someone doesn’t like the content. This week saw yet another talk pulled from Black Hat; a major cybersecurity meeting in Washington; a rootkit with digitally signed drivers; and some new tactics by spammers. Read on for the full week in review.

The biggest story of the week turned out to be an all-too-familiar one: researchers having to pull a talk from a security conference because of outside pressure. In this case it was Wayne Huang, the CTO and founder of application security company Armorize, who had to cancel his planned talk at Black Hat, titled “The Chinese Cyber Army: An Archaeological Study From 2001 to 2010,” because some people in the Chinese and Taiwanese governments objected to the content. Huang had given the talk once before, in 2007 at a small OWASP conference in Taiwan, but the political climate was much different then and the Chinese and Taiwanese governments were not getting along, so the talk went ahead. Now, however, relations are much better and the government in Taiwan has expressed serious concerns over the talk, which details the tactics, training and makeup of China’s state-sponsored cyber army.

Armorize has much of its operations in Taiwan, including R&D, so Huang and Armorize’s executives decided that they had no choice but to pull the talk. Huang will still give a second talk that was already scheduled at the Security BSides conference in Las Vegas on a new Metasploit module for drive-by-downloads. (You can hear Armorize CEO Caleb Sima discuss the decision to pull the talk in a short podcast here.)

This week did see one truly novel story, which was the appearance of a new rootkit known as Stuxnet, which not only uses Windows shortcut files to launch but also contains two drivers that are digitally signed using the certificate of Realtek Semiconductor. The malware itself was rather uninteresting, aside from the fact that it uses Windows LNK files, which are shortcuts pointing to original files, to launch from pre-owned USB drives. That’s odd enough. But then it turned out Stuxnet includes two drivers that were signed using a valid certificate belonging to Realtek, a huge hardware manufacturer in Taiwan. That’s a new kind of badness that gives the rootkit an easy way to evade security software, which often treats signed files as benign by default. This is not awesome.

Somewhat awesome news, however, is the meeting that took place Wednesday in the White House on the Obama administration’s progress on cybersecurity. Howard Schmidt, the president’s cybersecurity coordinator, invited more than 100 experts from all walks of security to hear the progress report and offer suggestions on what else can be done. President Obama dropped in and spoke for about 20 minutes, urging the people at the meeting to continue their work and to work with the government to resolve common problems.

“They’re trying to demonstrate that this is a priority for them and I think the clearest evidence of that is that Obama was there,” said Cigital CTO Gary McGraw, who attended the meeting. “I think they’ve made an awful lot of progress, but most of it has been on the operational front, like lowering the number of connection points to the Internet. I’d like to see some more rhetoric at least on software security, because the government agencies are falling behind and that’s a shame. I’d like to make sure that we don’t put all of the emphasis on shiny accomplishments and that we pay some attention to this.”

It’s safe to assume that spammers and bot herders have been paying close attention to the takedown efforts that have disrupted some of their larger operations in the last year or so. News came this week that spammers are moving to using disposable domains, buying them in bulk and using each one for less than a day before moving on to the next one. This helps them stay agile and avoid blacklists, which can’t keep up, and the takedown efforts of law enforcement and antispam groups. It’s a tactic that makes a lot of sense, given the commodity status of domain names and the ease with which the bad guys can move their operations from one to the other at a moment’s notice.

Others receiving votes:

Mozilla Bumps Bug Bounty to $3,000

Researchers: Password Crack Could Affect Millions

Pulling Back the Curtain on Rogue AV Tech Support