Southeast Asia’s Viral Infection

By | November 22, 2011

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count, Thailand has risen to be the country with the highest number of malware infections, and by another to be the second, all in the past few months.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second-highest rate of malware infection (after China), with nearly 57% of computers scanned by their antivirus software found to be infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists as top in terms of infected countries–nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet compared to the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

Using Google to Predict the Future

By | November 22, 2011

Elegantly simple proposal to measure economic confidence in The Economist’s search for other quirky indicators: searches in the U.S. on Google for “gold price” in the piece Alternative indicators: Behind the bald figures

But the hottest tip came from Edward Ritchie, an investment analyst in London. He tracks Google searches for the “gold price” as an indicator of economic confidence. This does not follow the gold price itself. For example, during most of 2008 when the world’s financial system was melting down, the gold price tumbled yet the number of searches soared. The number of gold-price searches shoots up when American consumer confidence dives and subsides when households perk up again (see chart). That makes it a handy device for spotting turning-points in economic confidence, with the added advantage that the data are available earlier than for conventional survey-based figures. Worryingly, the number of searches has recently vaulted above its 2008 peak, signalling the possibility of a double dip.

Here’s the graph:

I’m a big fan of using Google search to measure, track and predict things. A few of my previous posts on the matter. And no, I’ve not made any money so far out of this crystal ball.

How To Use Google To Get Round Super Injunctions

Technorati’s Decline, Death of Blogging?

Googling the Tsunami

Google’s Suicide Watch: where I googled the word “suicide”

Has Quora Peaked?

Fail, Seinfeld and Tina Fey: A Zeitgeist

The Financial Crisis in Charts

Hoodiephobia, Or We Don’t Lie to Google

And this one from 2006: Mapping Trends With Google

The Battery DDOS: Tip of An Iceberg

By | November 22, 2011

An interesting story brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: In fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains: trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.

In other words, this is about a lot more than batteries. This appears to be a DDOS for rent to businesses wanting to take out business rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites the $600,000 damage caused as including attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

The New Attack: Penetrate and Tailor

By | November 22, 2011

In its latest security report Cisco identifies a trend I hadn’t heard of before with malware writers: closer inspection of those computers they’ve successfully penetrated to see whether there’s something interesting there, and then, if there is, targeting that company (or organisation) with a more tailored follow-up attack:

Attackers can—and do—segregate infected computers into interest areas and modify their methods accordingly. For example, after initial infection by a common downloader Trojan, subsequent information may be collected from infected machines to identify those systems more likely to lead to sensitive information. Subsequently, those “interesting” machines may be delivered an entirely different set of malware than would other “non-interesting” computers.

This is, as Cisco says, a pretty good example of that much maligned term, the Advanced Persistent Threat. Unfortunately they don’t give more concrete examples. But it seems as if the most targeted sector is the pharmaceuticals and chemical industry: 500% more than the median infection rate, or twice the next industry, oil and gas.

On DoS (Denial of Service) attacks, Cisco says that “while once largely prank-related, DoS attacks are increasingly politically and financially motivated.” It doesn’t add more, unfortunately, and much of the rest of the report is sales-pitch. I’ll try to get more out of them, because there might be some interesting trends lurking behind the rather thin data.

Podcast: Bad Things

By | July 28, 2020

The BBC World Service Business Daily version of my piece on link scams. (The Business Daily podcast is here.)

Loose Wireless 110803

To listen to Business Daily on the radio, tune into BBC World Service at the following times, or click here.

Australasia: Mon-Fri 0141*, 0741
East Asia: Mon-Fri 0041, 1441
South Asia: Tue-Fri 0141*, Mon-Fri 0741 
East Africa: Mon-Fri 1941 
West Africa: Mon-Fri 1541* 
Middle East: Mon-Fri 0141*, 1141* 
Europe: Mon-Fri 0741, 2132 
Americas: Tue-Fri 0141*, Mon-Fri 0741, 1041, 2132

Thanks to the BBC for allowing me to reproduce it as a podcast.