Col. Charles W. Williamson III in his post “Carpet bombing in cyberspace: Why America needs a military botnet” ran into trouble with the security community when he stated, “America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.” Richard Bejtlich’s post, “Mutually Assured DDoS” points out several of the problems with a af.mil robot network. Sean Sullivan from F-Secure also did a thoughtful response titled “US Air Force Colonel Proposes Skynet.” I will leave it to the reader to head over to Williamson’s, Bejtlich’s, and Sullivan’s blogs and form their own opinions.

In the end, an effective Distributed Denial of Service (DDoS) attack will likely be done in a manner making it difficult to block the involved IPs without shutting down services to the victim’s customers. In cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identifying the enemy. The intelligent attacker makes all effort to blend into the population.

With that in mind, I wanted to post some sites that can help identify from where attacks might originate. Please do remember that IPs used in an attack do not necessarily identify who is behind the attacks.

Overview

I agree with Col. Charles W. Williamson III that that cyberspace is a dangerous place. The idea of going on the offensive and striking back is appealing. Since early childhood, I can remember my dad always saying, “The best defense is a good offense.” The problem with a offensive military botnet is that it will run into problems when it comes to locating the base of the enemy. To understand why this is the case, we will start by defining some of the favorite cyberspace weapons used by the bad guys. We will then examine the countries where attacks are occurring. Sources of publish information will be examined, which should help the reader continuously monitor activities in their network. We will end by discussing Carnegie Mellon’s attempt to establish international communication and coordination.

Definitions

Let us defines a few of the favorite tools being used in carrying out attacks in cyberspace.

Malware

Malware is short for short for malicious software. It is any software written for malicious reasons that infiltrates or damage a computer without authorization. Some common malware types are trojans, worms, viruses, bots, rootkits, and spyware/adware. Below are definitions taken from the links above.

• Trojan - a package disguised as something useful or popular, but actually carrying a malicious payload that will damage the victim machines or threaten data integrity, or impair the functioning of the victim machine. Trojans can be classified according to the actions which they carry out on victim machines: backdoors, PSW trojans, trojan clickers, trojan downloaders, trojan droppers, trojan proxies, trojan spies, trojan notifiers, and arcbombs.
• Virus - will attach itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Viruses can be classified according to their environment and infection methods, such as file viruses, boot sector viruses, macro viruses, and script viruses.
• Worm - are considered a subclass of virus and take advantage of file or information transport features on systems allowing it to travel unaided. Worms includes programs that propagate via LANs or the Internet with the objective to penetrating remote machines, launching copies on victim machines, and spreading further to new machines. The key difference to a trojan is that worms can propagate on their own. They self-copy and infect other machines through penetrate and infect purely through vulnerabilities that are inherent to the system itself. No human intervention is required.
• Rootkit - a program (or combination of several programs) designed to take fundamental control (in Unix terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers.
• Spyware - is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user’s interaction with the computer, without the user’s informed consent.
• Adware - advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Generally, addware is classified as privacy-invasive software.

Botnet

A botnet is a collection of Internet connected computers running autonomously and automatically in order to accomplish some distributed task. Distributed computing can be used for useful and constructive applications, while the term botnet typically refers a system designed and used for illegal purposes. The individual compromised machines (drones or zombies) run malicious software (bot) and are assimilated and used without the owner’s knowledge. The machines operate under the Command and Control (C&C) of the botnet owner (herder). Botnets are used for (definitions taken from the accompanying links):

• Click Fraud - click fraud is a type of internet crime that occurs in pay per click online advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad’s link.
• DDoS - one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
• Keylogging - a method of capturing and recording user keystrokes.
• Warez - refers primarily to copyrighted works traded in violation of copyright law.
• Spam - is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

Phishing

Phishing is the practice of sending out fake emails, or spam for purpose of gathering personal information and/or identity theft.

Source Countries

Now that we know a few of the weapons used in cyberspace, we are ready to examine countries where these various attacks are occurring. Once more, please remember that those behind the attacks might not be at the same location as the machines that are launching the attacks.

The Shadowserver Foundation (see below) collects and provides some very interesting statistics. The below map shows the locations of infected machines (drones) that Shadowserver has observed in the past 24 hours. Please note that this information is not complete. It cannot be. If we knew all infected computers and C&C machines, we could shut them down easily. The challenge is in the ever changing landscape. The Shadowserver Foundation does a commendable job continuously monitoring this dynamic landscape.

The below map shows the last 24-hours worth of tracked C&C servers.

The below graph shows the count of all the network scans into routed CIDR blocks that occur from the botnets that Shadowserver is aware of:

The below map shows the last 24-hours worth of tracked existing C&C and the target of scan attacks.

The below graph shows the count of all the DDoS attacks that occurred from the botnets that Shadowserver is aware of:

The below most recent 24 hour period map shows the C&C and the target of the DDoS attack.

The below map shows the machines suffering DDoS attacks and the C&C sources in 2007.

The PhishTank (see below) provides daily verified phishing attempts. Below is a map of the countries generating the most reported verified Phishing attempts for April 2008.

Sources for Information

As previously mentioned, the Shadowserver Foundation gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, presented last week at the Asia Pacific Information Security conference (AusCERT2008).

PhishTank provides information on phishing attacks. While OpenDNS created and operate the site, PhishTank is a community effort with the information being provided by companies and people submitting phishing e-mails and Web sites. The data is totally open and a free API exist. The API documentation is available for developers wanting to use PhishTank’s community data to integrate anti-phishing elements into their applications.

If you have anything in your security arsenal that is monitoring for certain IPs or domains, the DNS-DB Malware Domain Blocklist and the Global Watchlist provide invaluable up-to-date information. The DNS-DB Malware Domain Blocklist site maintains a list of domains, pulled from various sources, that are known to be used to propagate malware and spyware. The Global Watchlist was created after a discussion between C.S. Lee and Spoonfork. C.S. Lee describes the purpose of this list in his posting “The Harimau Watchlist” What they have done, in their own words is to “pull the list of suspected malicous IPs/Net ranges from different sources such as Sans dshield, Arbor atlas and so forth, then putting all of them in one place.” You can search through a web interface or set up processes to search automatically via URL. They have also made all the IPs and data available in one file. Helping detect and possibly prevent access from these IPs and domains through Snort, Dragon, and other IDS/IPS signatures is the Emerging Threats site.

The Spamhaus Project attempts to “track the Internet’s Spam Gangs, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation.” The project offers a realtime database of IP addresses consisting of a combination of the Spamhaus Block List (SBL), the Exploits Block List (XBL) and the Policy Block List (PBL). If you desire a data feed, the service is not free. You can try it out for 30 days free. They do operate DNSBL servers spread across 18 countries. You may qualify for free access via DNS queries.

The SANS Internet Storm Center (ISC) provides a free analysis and warning service to fight back against the malicious attackers. The ISC gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is a a free service to the Internet community. After removing identifying information, the ISC sends send intrusion detection and firewall logs to the DShield distributed intrusion detection system.

The National Vulnerability Database (NVD) is a fantastic source of free information enabling automation of vulnerability management, security measurement, and compliance. While it might not help with filtering of IPs, the data can be used in combination when automating your security. To quote the site, “NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.” NVD is the repository for Information Security Automation Program (ISAP) and the Security Content Automation Protocol (SCAP). Here are a few of the major sources of information NVD provides:

1. CVE Vulnerabilities - a dictionary of publicly known information security vulnerabilities and exposures. Allows you to download the entire CVE List in various formats.
2. Checklists - repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.
3. US-CERT Alerts - provide timely information about current security issues, vulnerabilities, and exploits.
4. US-CERT Vuln Notes - include technical descriptions of the vulnerability, as well as the impact, solutions and workarounds, and lists of affected vendors.
5. OVAL Queries - an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL Repositoty downloads include Data Files of all vulnerability, compliance, inventory, and patch definitions for supported platforms.

There are a few good sources for security statistics in the form of a reports. The Anti-Phishing Working Group (APWG) is the global pan-industrial with over 3000 members in over 1700 companies and agencies worldwide. The group’s purpose is eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types. They produce an interesting Phishing Activity Trends report which was last updated in January 2008.

WhiteHat produces a Security Statistics Report. The report presents a statistical picture of current website vulnerabilities focused solely on previously unknown vulnerabilities on public websites. The report also contains expert analysis and recommendations. Jeremiah Grossman, founder and CTO, does maintain a very informative blog where additional information can be found. You can hear Jeremiah on a recent episode of Risky Business where he discussed with host Patrick Gray Cross Site Request Forgery attacks.

Microsoft produces a “Security Intelligence Report.” Currently the fourth volume is available covering July through December 2007. You can also watch the video cast of Bret Arsenault, GM US National Security Team and Vinny Gullotto, GM Microsoft Malware Protection Center, discuss the trends and findings in the latest SIR.

There are a few final additional sources of information that I have found useful when trying to understand security trends. Dan Geer did a presentation, “A Quant Look at the Future Extrapolation via Trend Analysis.” The state-of-the-art report (SOAR) published by the Information Assurance Technology Analysis Center (IATAC) provides observations about noteworthy trends in software security assurance as a discipline. The Computer Crime and Security Survey is conducted by CSI annually. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States. They use to issue the report with the FBI. Registration is required.

Blogs can also be a valuable source of information, and may occasionally post IPs to be concerned about. SunBelt Software just did a posting titled “Fresh new rogue antispyware programs.” Dancho Danchev recently posted “Malware Domains Used in the SQL Injection Attacks.” The F-Secure folks maintain a very informative site concerning the latest news from their labs. There are many excellent sites for information on malware, botnets, and phishing. For example, Kaspersky Lab maintains the blog VirusList and the AVDefender. SANS ISC has the Handler’s Diary.

International Incident Coordination

Security on international projects is complicated. Take a look at my previous post, “Information Security and the Law.” Different countries have different laws impacting what can and cannot be done. Many CEOs may not know a great deal about information technology, but they know they have no desire to break the laws of other countries. This can pressure managers to prefer to implement light security. Heavy on the data protection, but light on the detection. We have established cyberspace can be a dangerous place, especially when you are playing in international waters. Defenses will fail. If an organization cannot detect nefarious activities in a high risk environment, that is a bad combination. Even when you have fully supportive management, it is easy to run into a road block when dealing with other countries.

Carnegie Mellon University Software Engineering Institute (SEI) is trying to help establish some coordination between the white hats working in international security. First, a little history in order to understand the players involved. SEI was charged by the Defense Advanced Research Projects Agency (DARPA) with setting up center to “coordinate communication among experts during security emergencies and to help prevent future incidents.” This center was named the CERT Coordination Center (CERT/CC) and is an amazing source for cutting edge security research and information.

With the establishment of incident response team both within the United Stated and Internationally, soon difficulties developed due to differences in language, timezone, and international standards or conventions. It became apparent that better communication and coordination between teams were needed. The Forum of Incident Response and Security Teams (FIRST) was established. Membership consists of teams from a wide variety of organizations including educational, commercial, vendor, goverment and military.

CERT/CC also began a program to help Computer Security Incident Response Team (CSIRT) development and establish CSIRTs around the world. National CSIRTs deal with security at the macro level. Large-scale incidents can affect the economy, critical infrastructure, government operations, and/or national security. If the incident ends up being a worldwide event, National CSIRTs can coordinate with CSIRTs in other countries to establish communications and cooperation among those countries.

To hear more about CSIRT, in August Jeff Carpenter talked with Julia Allen on the CERT podcast titled, “Tackling Security at the National Level: A Resource for Leaders.” Jeffrey J. Carpenter is the technical manager of the CERT/CC and has assisted with the formation and development of CSIRTs. Julia Allen is a senior researcher within the CERT Program and is engaged in developing and transitioning executive outreach programs in enterprise security and governance, and works extensively with the IT operations and audit communities. She is one of my favorite sources for enterprise security information.

Below is an interactive map to locate CSIRTs with national responsibility around the world. From the map, additional information can be pulled up on the individual sites.

Final Words

I understand the frustration Col. Charles W. Williamson III feels. The problem is that in cyberspace, the enemy is all around us. It is within us. If we lash out, our first target must be ourselves. In the end, we are fighting blind. Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” I do not think good men attacking each other was the something Edmund had in mind. That is what will occur if we fight blind. We can’t even withdraw into the safety of our own silos for the perimeters are being continuously breached. Retreat is not an option. The delusion that isolationism will bring safety has been shattered. The only solution is for the good guys to band together. There is strength in unity. Only when working together will we be strong enough to take on those who bring destruction.