France: State of Play

To mark the launch of the McAfee France blog, we thought it would be interesting to share some statistics about our country covering the first three quarters of 2012.

As of September 30, 2012, nearly 150,000 suspicious Internet addresses hosted in France had been analyzed by McAfee. At the end of 2011 there were only 50,000. 73% of them were rated maximum risk.

Nearly 70% of these URLs hide malware. 20% of them are used in phishing campaigns.

These 150,000 URLs are associated with roughly 50,000 domains. McAfee has thus been adding more than 10,000 a month, or nearly 2,700 new suspicious domains each month.

More than 8,000 malware samples ready for download were identified in 2012. The two main ones are:

  • Generic.dx (E4E63BFB0669F2939EBE433D289E49E0)
  • HTML/IFrame.L trojan (4447FD93D7CA7BAFE66CA119E8303F83)

On the phishing side, the main worldwide targets reached through French URLs are eBay, PayPal, Wells Fargo, American Express and ADP (Automatic Data Processing).

But France is also a target for cybercriminals. For 2012, the main malware detected on our territory were:

  • Generic.dx!b2az (A75F9BFCFCEAEBBA8749D0705F5AA1E0)
  • W32/Conficker.worm!inf (92B1CA5033820F474F79B1AA8EE44A66)
  • ZeroAccess (11028C6A84A967070CB1286550F2058F)
  • Generic PUP.z!ms (5ED3CEAAAEB87B6D37F806E0EB00F05C)
  • Generic Downloader.x!dze (70535D0798332779DDE87B1435C3627E)
  • W32/Bactera.worm!a (BDDD44CC65A56530ABEBE544DBFA13D1)
  • Adware-Tuto4PC (C0C5903D963030A38CFBBEECC2C1267B and 04E45C5782A0040016FF9B140876CEDF)

In France, over the same period, the main phishing targets were (in alphabetical order):

  • BNP Paribas
  • Crédit Agricole
  • Électricité de France
  • Free
  • La Banque Postale
  • LexisNexis
  • Meetic
  • Orange
  • SFR
  • VISA France
  • Wistee

The volume of spam sent from France by infected computers connected to botnets has been stable since the start of the year, despite a slight peak during the second quarter of 2012.

The number of new machines joining these botnets is declining. The two main families are Cutwail and Festi.

Update: NGRBot Posing as Skype Drops Ransomware With Fake McAfee Logo

This blog was updated on October 15. See the end of this file.

We recently received a sample of the malware NGRBot from a customer, who got a spam email with what appears to be a Skype link. Victims are lured into clicking a link that promises an image. Once victims click the link, the file skype_09-10-12_image.exe gets dropped on their machines and launches itself, spamming all of their contacts. This bot is also known as Dorgbot. Kaspersky states that the malware was first seen on October 6.

The bot comes with a Skype icon and tricks its victims into executing the file.

We have already written about NGRBot earlier here. This sample comes with an additional module to steal credit card and login details.

The new bot module steals login credentials of victims from Gmail, AOL, FastMail, MoneyBookers, Megaupload, SpeedyShare, YouTube, iknowthatgirl, YouPorn, Brazzers, Webnames, Dotster, Enom, 1and1, Moniker, Namecheap, Godaddy, Alertpay, Netflix, Thepiratebay, Torrentleech, Vip-file, Sms4file, Letitbit, Whatcd, eBay, Twitter, Facebook, Yahoo, and PayPal, among others.

The malware can post its lure in different languages:

  • seen this?? :D %s
  • poglej to fotografijo :D %s
  • pogled na ovu fotografiju :D %s
  • titta på min bild :D %s
  • shikoni nfoto :D %s
  • pozrite sa na túto fotografiu :D %s
  • uita-te la aceasta fotografie :D %s
  • katso tätä kuvaa :D %s
  • bu resmi bakmak :D %s
  • olhar para esta foto :D %s
  • spojrzec na to zdjecie :D %s
  • se dette bildet :D %s
  • nézd meg a képet :D %s
  • ser dette billede :D %s
  • podívejte se na mou fotku :D %s
  • guardare quest’immagine :D %s
  • look at this picture :D %s
  • bekijk deze foto :D %s
  • mira esta fotografía :D %s
  • schau mal das foto an :D %s
  • regardez cette photo :D %s

This malware is widespread. We advise customers to be extra cautious when clicking on links, particularly those with words such as “pic” or “image” that appear in the chat windows of messaging software.

We have now seen this bot download and execute ransomware, which locks the victim’s machine and demands money to return control to the user. The lock screen of the ransomware also rips off the McAfee logo. This family of ransomware checks for the victim’s location and then produces the lock screen. It charges about US$200 to release the desktop.

The malware modifies the registry key “System\CurrentControlSet\Control\SafeBoot”, which holds the list of drivers and services Windows loads in Safe Mode, to prevent users from booting into Safe Mode.

The ransomware disables:

  • Taskmgr.exe
  • cmd.exe
  • regedit.exe
  • msconfig.exe
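The two behaviours just described (tampering with the SafeBoot key and blocking Task Manager, cmd.exe, regedit.exe and msconfig.exe) can be triaged from an elevated PowerShell prompt. The script below is an added example written for this page; it is not McAfee's code and the post does not say which mechanism the ransomware uses to disable the tools, so the script assumes the two common ones (the Explorer/System policy values and Image File Execution Options debugger redirection) and reports whatever it finds. The entry-count threshold for the SafeBoot subkeys is a heuristic of this example, not a value from the post.

```powershell
# Added example (not McAfee's code): read-only checks for SafeBoot tampering and
# for settings that disable Taskmgr.exe, cmd.exe, regedit.exe and msconfig.exe.
# Run as Administrator so HKLM can be read in full.

$findings = New-Object System.Collections.Generic.List[string]

# 1. SafeBoot: Windows keeps its Safe Mode driver/service lists under
#    HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network.
#    If either subkey is missing or nearly empty, Safe Mode cannot start.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($mode in 'Minimal', 'Network') {
    $key = Join-Path $safeBoot $mode
    if (-not (Test-Path $key)) {
        $findings.Add("SafeBoot\$mode is missing (Safe Mode boot will fail)")
        continue
    }
    $count = (Get-ChildItem -Path $key -ErrorAction SilentlyContinue | Measure-Object).Count
    # Heuristic threshold (assumption): a stock system has dozens of entries here.
    if ($count -lt 10) {
        $findings.Add("SafeBoot\$mode has only $count entries; a stock system has dozens")
    }
}

# 2. Policy values that block Task Manager, Registry Editor and cmd.exe
#    (assumed mechanism; the post does not state how the tools are disabled).
$policyChecks = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'Software\Policies\Microsoft\Windows\System';               Name = 'DisableCMD' }
)
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($c in $policyChecks) {
        $full = "$hive\$($c.Path)"
        $val  = (Get-ItemProperty -Path $full -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($val -and $val -ne 0) {
            $findings.Add("$full\$($c.Name) = $val (tool disabled by policy)")
        }
    }
}

# 3. Image File Execution Options: a "Debugger" value under the executable's
#    name redirects every launch of that tool to another program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'Taskmgr.exe', 'cmd.exe', 'regedit.exe', 'msconfig.exe') {
    $key = Join-Path $ifeo $exe
    $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger set for ${exe}: $dbg") }
}

if ($findings.Count -eq 0) {
    'No SafeBoot tampering or tool-disabling settings found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script only reads the registry; remediation (restoring the SafeBoot subkeys from a known-good system of the same Windows build, deleting the policy or Debugger values) is a separate, deliberate step once the findings have been confirmed, and any hit on a machine that also shows the lock screen is a strong indicator of this ransomware family.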

The most recent sample we received also shows porn images in the lock screen.

Task Force Tells DHS to Offer ‘Cool’ Cybersecurity Jobs to Gov. Workers and Test Them Like Pilots

Cybersecurity analysts watch their computers during a mock Red Team/Blue Team exercise at the Department of Homeland Security’s secretive cyberdefense training facility at Idaho National Laboratory. Photo: Mark J. Terrill/AP

In order to attract the highly skilled and qualified cybersecurity workers the Department of Homeland Security needs to fulfill its mission of protecting government computer systems and overseeing the security of critical infrastructure systems, DHS has to reserve its coolest cybersecurity jobs for federal workers, not contractors, according to a task-force report submitted to DHS this month.

This means, in part, hiring at least 600 new cybersecurity professionals, including ones who have proven, hands-on experience to take on critical tasks, the task force recommended in its 41-page report (.pdf).

Furthermore, the government needs to focus less on professional certifications in making its hiring decisions and more on real-world experience and expertise. To do this, it needs to build a system for actively measuring these skills, such as one that is currently used for testing pilots, the group said.

The group noted that pilots undergo situational testing that becomes more complicated as their skills increase, such as placing them in conditions where the weather deteriorates or where systems malfunction, in order to test them under duress.

“The result is a continuous improvement in pilot competency and proficiency,” the task force wrote in its report, noting that pilots must pass proficiency exams “not once but regularly — as often as every six months for some pilots — in order to keep their jobs.”

“The standards are strict because people’s lives depend on these professionals doing their job effectively,” the group noted. “Certainly the risks of malicious actors penetrating the computer systems of America’s power systems, or hostile nations stealing U.S. military and economic secrets, rises to a similar level of urgency.”

The task force, composed of 15 people, was co-chaired by Alan Paller, director of research at the SANS Institute, a cybersecurity training institute, and Jeff Moss, a former hacker and founder of the BlackHat and DefCon security and hacker conferences. Moss is currently chief security officer at ICANN — which helps oversee the internet domain name system and the maintenance of other core parts of the global internet.

Known as the Homeland Security Advisory Council Task Force on CyberSkills, the group was set up in July upon the request of DHS Secretary Janet Napolitano to develop a plan to attract workers with high levels of cybersecurity skills who can fill major gaps in the DHS’s workforce. The task force consulted with outside experts from private industry, academia and government to compile its recommendations.

“This is all about getting better people,” DHS Deputy Secretary Jane Holl Lute told Wired. “The people we have are great. But we need people with better skill sets…. We really need people with cutting-edge, highly technical and sophisticated skill sets. We’re not going to pull them out of the air. We’ve got to deliberately focus on creating systems that generate people with those skill sets willing to serve in the public sector.”

But the number of people who have these skills is limited, and competition from the private sector to hire them is fierce.

To attract the right workers, therefore, the task force recommended first identifying a list of critical-mission jobs that need to be filled — penetration testers, security engineers and coders, malware and intelligence analysts, incident responders and advanced forensic analysts — and then finding ways to attract and retain them.

This includes streamlining the convoluted hiring process for government workers and reserving the most interesting and challenging cybersecurity jobs — such as penetration testing and reverse engineering — for government workers, instead of hiring contractors to fill them.

“If you want the best people to stay, you also have to have the best jobs to attract them — ‘cool jobs’ that are exciting, challenging, and offer a path for growth in skill and responsibility,” the task force noted.

It also includes providing workers with the right tools and laboratory environments to help challenge them and keep them proficient in their jobs.

Lute agreed with the task force that proficiency testing will be a crucial part of making sure that workers can meet the demands of critical-mission jobs.

“We don’t want to just put you in a program, send you out at the other end, hand you a sheepskin [certificate] and say you’re qualified,” she said. “We want to have proficiency, professional-level testing against peer-reviewed standards that say this is world-class talent.”

The task force noted that one of the biggest obstacles to attracting highly skilled workers to government positions is the salary gap that exists between federal and private-sector jobs.

Asked about the salary issue, Lute said the government shouldn’t try to compete with the private sector in that regard.

“I don’t know that you have to pay what they would get in the private sector,” she says. “The model is to appeal to that piece of you that wants to connect to meaning, that wants to give rewarding work and have an opportunity to add value and to feel valued. Not everybody who joins the government plans to make it their lifelong career….[I]f money is their chief primary motivator, the private sector is their better answer for that.”

The task force acknowledged that people who enter public service generally don’t expect to earn the highest salaries and are more often driven by an interest in service and the chance to do something unique. But even these people will leave their government job if it offers a lackluster career path.

One way to combat this is to establish an attractive career path with opportunities for growth and challenging work so that employees see a future in their job, and to create a more supportive work environment that engages highly skilled workers in developing the direction of their work as well as the growth of others, so that they feel valued.

“People are much more likely to stay in federal service if they feel that they are doing unique work and have unique opportunities, are in service to something bigger than themselves, and believe that the people and the system they work for care about their long-term careers,” the task force writes.

To augment the work that DHS employees will do, the task force also advised building a reserve army of cybersecurity specialists — inside and outside government — who can be called upon in times of emergency, akin to the National Guard, to help address attacks against critical infrastructure and other cyber crises.

The group acknowledged, however, that a number of legal, privacy and practical issues would need to be resolved to make such a program viable.