Friday, April 25, 2008

Daily Report

• According to the Daily Breeze, attorneys for the University of California, Los Angeles, on Tuesday obtained a preliminary injunction against animal rights groups and activists accused of harassing university researchers who conduct experiments using animals. The injunction extends and expands a temporary restraining order granted February 22. (See item 22)

• Computerworld reports large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations, have been hacked and are serving up malware, a security researcher said Thursday, as massive JavaScript attacks last detected in March resume. (See item 25)

Information Technology

25. April 23, Computerworld – (International) Hackers jack thousands of sites, including UN domains. Large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations (UN), have been hacked and are serving up malware, a security researcher said today as massive JavaScript attacks last detected in March resume. “They’re using the same techniques as last month, of an SQL injection of some sort,” said the vice president of security research at Websense Inc., referring to large-scale attacks that have plagued the Internet since January. Among the sites hacked were several affiliated with either the UN or U.K. government agencies. The exact number of sites that have been compromised is unknown. He estimated that it is similar to the March attacks, which at their height infected more than 100,000 URLs, including prominent domains such as “The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack,” Websense said in an alert posted yesterday to its Web site. “We have no doubt that the two attacks are related.” Although the malware-hosting domain has changed, it is located at a Chinese IP address, just like the one used in March, he said. “It also looks like they’re using just the one [hosting] site, but changing the link within the JavaScript,” he added, talking about an obfuscation tactic that the attackers have used before. Source:
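The compromise described in this item works by injecting a script tag, pointing at the attackers' hosting domain, into data stored in a site's database, so the tag is served inside every page that renders that data. The Python below is an added example, not part of the original report and not Websense's tooling, showing two checks a site operator can run after such a wave: scan rendered pages for script sources outside an allow-list of hosts the site legitimately uses, and scan dumped database fields for script tags that should never be in stored text. The host name malicious-hub.example, the table and column names and the sample content are constructed placeholders, not indicators from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a page whose stored "description" field was hit by the
# kind of SQL injection described above. The host name is a placeholder.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.example.gov/analytics.js"></script>
</head><body>
<div class="product">Widget</div>
<script src="http://malicious-hub.example/x.js"></script>
</body></html>"""

# Constructed sample of (table, column, value) rows as a database dump would yield them.
SAMPLE_ROWS = [
    ("products", "name", "Widget"),
    ("products", "description",
     'A fine widget.</textarea><script src="http://malicious-hub.example/x.js"></script>'),
    ("users", "bio", "Likes <b>bold</b> text but nothing else."),
]

# Hosts this site legitimately loads scripts from (assumed allow-list).
TRUSTED_HOSTS = {"www.example.gov"}


class _ScriptSrcCollector(HTMLParser):
    """Record the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def external_script_hosts(html_text, trusted_hosts):
    """Return (host, src) pairs for scripts loaded from hosts outside the allow-list.

    Relative sources have no host, are served by the site itself, and are skipped.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html_text)
    flagged = []
    for src in collector.sources:
        host = urlsplit(src).hostname
        if host is None:
            continue
        if host.lower() not in trusted_hosts:
            flagged.append((host.lower(), src))
    return flagged


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def fields_with_script_tags(rows):
    """Return (table, column) for every dumped text field containing a <script tag.

    Stored text should not contain script tags at all, so any hit is worth
    review regardless of which host it points at.
    """
    hits = []
    for table, column, value in rows:
        if isinstance(value, str) and _SCRIPT_TAG.search(value):
            hits.append((table, column))
    return hits


if __name__ == "__main__":
    for host, src in external_script_hosts(SAMPLE_PAGE, TRUSTED_HOSTS):
        print(f"page loads script from untrusted host {host}: {src}")
    for table, column in fields_with_script_tags(SAMPLE_ROWS):
        print(f"script tag found in stored field {table}.{column}")
```

The page scan catches the symptom as visitors see it; the database scan finds the injected rows themselves, which is what has to be cleaned, and it keeps working after the attackers switch hosting domains, since it does not depend on knowing the current malicious host.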

26. April 23, Dark Reading – (International) Researchers infiltrate and ‘pollute’ Storm botnet. Sophisticated peer-to-peer (P2P) botnets like Storm that have no centralized command and control architecture have frustrated researchers because they are tough to dismantle. But a group of European researchers has come up with a way to disrupt these stealthy botnets – by “polluting” them. The researchers, from the University of Mannheim and the Institut Eurecom, recently infiltrated Storm to test out a method they came up with of analyzing and disrupting P2P botnets. Their technique is a spinoff of traditional botnet tracking, but with a twist: It not only entails capturing bot binaries and infiltrating the P2P network, but it also exploits weaknesses in the botnet’s P2P protocol to inject “polluted” content into the botnet to disrupt communication among the bots, as well as to study them more closely. The researchers tested their pollution method out on Storm, and it worked. They presented their research this month at Usenix. “Our measurements show that our strategy can be used as a way to disable the communication within the Storm botnet to a large extent,” the researchers wrote in their paper. “As a side effect, we are able to estimate the size of the Storm botnet, in general a hard task.” Their Storm stats: the researchers crawled Storm every 30 minutes from December of last year through February of this year, and saw between 5,000 and 40,000 machines online at a time. And the U.S. has the most Storm bots, with 23 percent, according to the researchers, who said they spotted Storm bots in 200 countries. Source:

27. April 22, New Scientist News – (National) Beating the “botnets.” A team at the University of Washington wants to marshal swarms of good computers to neutralize the bad ones. They say their plan would be cheap to implement and could cope with botnets of any size. Current countermeasures are being outstripped by the growing size of botnets, says the Washington team, but assembling swarms of good computers in defense could render DDoS attacks obsolete. Their system, called Phalanx, uses its own large network of computers to shield the protected server. Instead of the server being accessed directly, all information must pass through the swarm of “mailbox” computers. The many mailboxes do not simply relay information to the server like a funnel – they only pass on information when the server requests it. That allows the server to work at its own pace, without being swamped. Phalanx also requires computers wishing to start communicating with the protected server to solve a computational puzzle. This takes only a small amount of time for a normal web user accessing a site. But a zombie computer sending repeated requests would be significantly slowed down. The Washington team simulated an attack by a million-computer botnet on a server connected to a network of 7,200 mailboxes organized by Phalanx. Even when the majority of the mailboxes were under simultaneous attack, the server was not overwhelmed and could still function normally. A paper on Phalanx was presented at the USENIX symposium on Networked Systems Design and Implementation, held last week in San Francisco. Source:
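The item summarizes Phalanx's puzzle requirement without protocol detail. The Python below is an added example, not the Washington team's code, of a hash-based client puzzle of that kind: the server issues a challenge bound to the client and to a time window, the client spends on the order of 2^difficulty hash computations finding a solution, and the server verifies with one HMAC and one hash regardless of how much work the client did. The difficulty setting, the 60-second window, the client identifier and the server secret are assumptions chosen for illustration, not Phalanx's parameters.

```python
import hashlib
import hmac
import time

# Assumed difficulty: a solution needs this many leading zero bits in the hash.
# Each extra bit doubles the client's expected work; verification cost is unchanged.
DIFFICULTY_BITS = 16
WINDOW_SECONDS = 60  # assumed lifetime of a challenge


def issue_challenge(server_secret, client_id, now=None):
    """Server side: build a challenge the server can later recognise as its own.

    The HMAC lets the server verify statelessly; the time window stops a client
    from precomputing solutions or replaying one forever. client_id must not
    contain ':' since it is used as the field separator.
    """
    ts = int(now if now is not None else time.time())
    window = ts // WINDOW_SECONDS
    mac = hmac.new(server_secret, f"{client_id}:{window}".encode(), hashlib.sha256).hexdigest()
    return f"{client_id}:{window}:{mac}"


def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(challenge, difficulty=DIFFICULTY_BITS):
    """Client side: search for a counter whose hash meets the difficulty.

    Expected work is about 2**difficulty hashes; a legitimate client does this
    once per connection, while a bot issuing repeated requests pays every time.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter
        counter += 1


def verify_solution(server_secret, challenge, counter, difficulty=DIFFICULTY_BITS, now=None):
    """Server side: constant work. Checks origin, freshness, then the puzzle itself."""
    try:
        client_id, window_str, mac = challenge.split(":")
        window = int(window_str)
    except ValueError:
        return False
    ts = int(now if now is not None else time.time())
    # Accept the current window and the one just before it, so a solution
    # finished right after a window boundary is not rejected.
    if ts // WINDOW_SECONDS - window not in (0, 1):
        return False
    expected = hmac.new(server_secret, f"{client_id}:{window}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # placeholder, not a real key
    challenge = issue_challenge(secret, "client-a")
    start = time.time()
    answer = solve_puzzle(challenge)
    print(f"client solved puzzle with counter {answer} in {time.time() - start:.2f}s")
    print("server accepts:", verify_solution(secret, challenge, answer))
```

The asymmetry is the point: the server's cost per verification is fixed, so raising the difficulty under attack slows every new connection by the same factor but costs the protected server nothing extra.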

Communications Sector

28. April 23, IDG News Service – (National) Telecom carriers: ‘Phantom’ voice traffic costing billions. Some VoIP and mobile phone service providers are riding free when connecting to the traditional telephone network in the U.S., potentially costing carriers billions of dollars, according to testimony at a Senate hearing Wednesday. Many voice calls now do not include the identification needed for carriers to charge access fees for calls coming into their networks, said the general manager of Rock Port Telephone. These so-called phantom calls are particularly hard on rural telephone carriers, which receive an average 29 percent of their revenues from the intercarrier compensation system, he told the Senate Commerce, Science, and Transportation Committee. Some VoIP providers have refused to pay access fees by saying the U.S. Federal Communications Commission (FCC) has “given them permission to use the networks for free because they’re IP,” he said. In 2007, 18 percent of Rock Port Telephone’s voice minutes were unbillable, and some rural carriers are seeing up to 30 percent of their minutes from phantom traffic, he said. He asked senators to push the FCC to require that all voice traffic pay intercarrier compensation fees. “If the FCC lets this continue, Americans who live in rural areas will likely see their phone bills escalate,” he said. “Their quality of service will be decreased, and [there will be] large reductions of investments in broadband.” Source: