2014 Threats Predictions: Software Defined Networking Promises Greater Control While Increasing Security Risks

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Ramnath Venugopalan.

Software Defined Networking was developed in an attempt to simplify networking and make it more secure. By separating the control plane (the controller)—which decides where packets are sent—from the data plane (the physical network)—which forwards traffic to its destination—the creators of SDN hoped to achieve scalability and agility in network management. The application layer (virtual services) is also separate. SDN increasingly uses elastic cloud architectures and dynamic resource allocation to achieve its infrastructure goals.

Network security today primarily aims to increase control over tightly segmented networks. This increases the complexity of the overall network and makes it harder to manage. This trend will continue as the quest to prevent the lateral movement of malware competes with the need to manage all of these networks. SDN can help provide greater security without increasing management headaches for complex virtual networks in data centers.

SDN can boost security by routing traffic, as appropriate, through a central next-generation firewall and intrusion prevention system as well as by dynamically reprogramming and restructuring a network that is suffering a distributed denial-of-service attack. SDN can also provide capabilities such as automatically quarantining an endpoint or network that has been infected with malware.

In spite of these benefits, SDN also opens potential security holes, especially at the connections between controllers and network elements, through which the SDN stack itself might be the subject of a distributed denial-of-service attack. Security is not built into the SDN concept; it needs to be designed in from the beginning of development. SDN configuration errors can have more complex consequences than in traditional settings. Thus SDN requires meticulous adherence to the basic principles of information security and proper policy management. This need will become more important as SDN implementations vary with each provider and begin to cover very large virtual networks with several subnetworks, each with its own policy. Furthermore, SDN has a centralized architecture; compromising the central control could give an attacker command of the entire network.

Security zones are not typically built into SDN solutions, so users must manually coordinate network access policies, port locations of security devices, and any exceptions. Because flexibility is a reason for SDN migration, it is likely that a change in the network might not be adequately reflected in the security infrastructure, or vice versa. Further, open APIs for security functions in SDN have not yet appeared and have not begun to standardize, so API incompatibilities may also cause security holes to appear.

In 2014 and beyond, we will begin to see increased adoption of SDN in data centers, not just in university networks, where they began. We also expect to see targeted attacks, which are likely to leverage policy configuration errors for infiltration and lateral movement. We also anticipate DoS attacks that attempt to overwhelm the links between the network controller and the other two layers (the data plane and the application layer).

Exploiting human errors will be the first avenue of attack. As SDN management gets stronger and enterprise adoption of these networks grows, targeted attacks will focus on exploiting the SDN central controller to take over the network and completely bypass network protections.
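
To make the control-plane/data-plane split and the policy-error risk concrete, here is an added example (mine, not McAfee's, and not any real controller's API): a toy controller that answers forwarding decisions from a priority-ordered rule table, steers internal egress through a central inspection point, quarantines a host flagged as infected, and runs a policy check that flags a quarantine rule that a same-or-higher-priority forwarding rule could pre-empt. All rule names, addresses and priorities are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class FlowRule:
    """One control-plane rule, OpenFlow-style: the highest priority match wins."""
    priority: int
    src: str      # source CIDR
    dst: str      # destination CIDR
    action: str   # "forward" | "inspect" (steer via the central NGFW/IPS) | "drop"
    name: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

    def overlaps(self, other: "FlowRule") -> bool:
        """True if at least one (src, dst) pair could match both rules."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst)))


class Controller:
    """The centralised control plane: it owns the table and decides where packets go.
    The switches (data plane) only ever see the resulting actions."""

    def __init__(self, rules):
        self.rules = list(rules)

    def ordered(self):
        return sorted(self.rules, key=lambda r: r.priority, reverse=True)

    def decide(self, src_ip: str, dst_ip: str):
        """First matching rule in priority order; unmatched traffic is dropped."""
        for rule in self.ordered():
            if rule.matches(src_ip, dst_ip):
                return rule.action, rule.name
        return "drop", "default-deny"

    def quarantine(self, host_ip: str, priority: int = 1000) -> None:
        """Isolate an infected endpoint by programming drop rules in both directions."""
        host = f"{host_ip}/32"
        self.rules.append(FlowRule(priority, host, "0.0.0.0/0", "drop", f"quarantine-{host_ip}-out"))
        self.rules.append(FlowRule(priority, "0.0.0.0/0", host, "drop", f"quarantine-{host_ip}-in"))

    def overridden_drop_rules(self) -> dict:
        """Policy check: drop rules that a same-or-higher-priority non-drop rule can
        pre-empt for some flows, i.e. a quarantine that does not actually isolate.
        Returns {drop_rule_name: [names of rules that can override it]}."""
        findings = {}
        ordered = self.ordered()
        for i, rule in enumerate(ordered):
            if rule.action != "drop":
                continue
            above = [r.name for r in ordered[:i] if r.action != "drop" and r.overlaps(rule)]
            if above:
                findings[rule.name] = above
        return findings


def base_rules():
    """Constructed data-centre policy: east-west traffic inside 10/8 is forwarded
    directly, anything else leaving 10/8 is steered through the central firewall/IPS."""
    return [
        FlowRule(200, "10.0.0.0/8", "10.0.0.0/8", "forward", "east-west-allow"),
        FlowRule(100, "10.0.0.0/8", "0.0.0.0/0", "inspect", "egress-via-ngfw"),
    ]


if __name__ == "__main__":
    ctl = Controller(base_rules())
    print(ctl.decide("10.1.1.5", "10.2.2.9"))     # ('forward', 'east-west-allow')
    ctl.quarantine("10.1.1.5")                      # priority 1000 beats every forwarding rule
    print(ctl.decide("10.1.1.5", "10.2.2.9"))     # ('drop', 'quarantine-10.1.1.5-out')
    print(ctl.overridden_drop_rules())              # {}
    bad = Controller(base_rules())
    bad.quarantine("10.1.1.5", priority=50)         # configuration error: priority too low
    print(bad.decide("10.1.1.5", "10.2.2.9"))     # still ('forward', 'east-west-allow')
    print(bad.overridden_drop_rules())              # names the two rules that bypass it
```

The last two calls are the point of the exercise: the quarantine looks correct in the table, yet the host keeps moving laterally because a broader, higher-priority forwarding rule wins, and only a policy check over the whole table (not a look at the single rule) reveals it.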


Researchers warn of new, meaner ransomware with unbreakable crypto

Security researchers have uncovered evidence of a new piece of malware that may be able to take gigabytes' worth of data hostage unless end users pay a ransom.

Discussions of the new malware, alternately dubbed PrisonLocker and PowerLocker, have been occurring on underground crime forums since November, according to a blog post published Friday by Malware Must Die, a group of researchers dedicated to fighting online crime. The malware appears to be inspired by CryptoLocker, the malicious software that wreaked havoc in October when it used uncrackable encryption to lock up victims' computer files until they paid hundreds of dollars for the decryption key.

PowerLocker could prove an even more potent threat because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a license, Friday's post warned. CryptoLocker, by contrast, was custom built for use by a single crime gang. What's more, PowerLocker might also offer several advanced features, including the ability to disable the task manager, registry editor, and other administration functions built into the Windows operating system. Screen shots and online discussions also indicate the newer malware may contain protections that prevent it from being reverse engineered when run on virtual machines.


Variant of Pony Botnet Pickpockets Bitcoin Users

Last month the Pony Botnet became a household name when it was revealed that it had stolen more than two million social networking account passwords. This rather eye-catching headline is a side effect of the data that the botnet actually steals, which includes stored passwords, cache, and cookies from the following applications:


Chrome Cyberduck LeechFTP
Firefox Epic LinasFTP
Internet Explorer ExpanDrive Martin Prikryl
Opera FFFTP NCH Software
Windows Live Mail FileZilla NetSarang
BatMail FlashFXP Nichrome
BlazeFtp Fling NovaFTP
Bromium FTP Explorer Pocomail
BulletProof FTP FTPClient PuTTY
Chromium FTPHost Robo-FTP 3.7
ClassicFTP FTPRush RockMelt
Comodo FTPVoyager SFTP
Cryer Ghisler Thunderbird
CuteFTP 6, 7, 8 Global Downloader VanDyke
CuteFTP Lite K-Meleon Visicom Media
CuteFTP Pro LeapFTP

McAfee offers detection for Pony Botnet as Backdoor-FJW. This malware did not change much between May and November 2013, aside from the common tricks of malware authors to use custom packers to obfuscate their code from analysis. During a recent analysis of this threat, however, we have discovered a variant of the botnet that has added a small trick to its repertoire.

Once we removed the malware from its obfuscated shell, we were able to see two small but important additions to the strings we would normally see in a Pony botnet sample.

The preceding image shows that the strings “wallet.dat” and “\Bitcoin” have been appended to the list of strings we commonly see associated with this threat. Bitcoin has been in the news during the past year for its rising popularity, value, and the attention it has attracted from the cybercrime community. However, this is the first malware we have analyzed that seeks wallet.dat for exfiltration from a system. A close look at the functions used to accomplish this reveals that they work in much the same way that the malware has always stolen FTP credentials and server information. Using hardcoded strings and file names, the malware locates specific installed software from the list above in the registry and then extracts data from the data files known to coincide with that software.

The malware operates in a similar fashion here:


There are two important takeaways from this analysis. The first is that encrypting your important information (Bitcoin wallet, confidential data, login information, etc.) cannot be overlooked. Simply having an encrypted Bitcoin wallet would render this new module useless for the malware authors. The second is that storing passwords or credentials in browsers or other software that you use to connect to any remote host is a bad idea. The threat landscape is constantly evolving: Even threats that have seemingly run their course pop up again with new tricks to meet their monetary goals.
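
As an added example (mine, not McAfee's code and not its Backdoor-FJW detection), the Python triage helper below reproduces the string-level check the analysis above describes: it extracts printable ASCII and UTF-16LE strings from an unpacked buffer and looks for the wallet.dat and \Bitcoin indicators alongside a few FTP-client names. The sample buffer is constructed and is not real malware; the FTP-client literals are assumed (the page lists the targeted applications but not the sample's exact string table); and the single-byte XOR "packer" is a stand-in, not Pony's real packer, included only to show why the check has to run on de-obfuscated code.

```python
import re

# Indicator strings. "wallet.dat" and "\Bitcoin" are the two additions reported in the
# analysis; the FTP-client names are assumed literals for this example.
INDICATORS = {
    "bitcoin-wallet": ["wallet.dat", "\\Bitcoin"],
    "ftp-credentials": ["FileZilla", "FlashFXP", "CuteFTP", "LeapFTP"],
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal 'strings': printable-ASCII runs plus UTF-16LE runs (Windows wide strings)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16le") for s in wide_runs])


def classify_sample(data: bytes) -> dict:
    """Map each indicator group to the sorted list of its indicators found in the buffer.
    Groups with no hit are omitted, so an empty dict means 'nothing recognised'."""
    found = extract_strings(data)
    hits = {}
    for tag, needles in INDICATORS.items():
        matched = sorted(n for n in needles if any(n in s for s in found))
        if matched:
            hits[tag] = matched
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here only as a stand-in for a custom packer (not Pony's
    real packer) to show that the string check sees nothing until the sample is unpacked."""
    return bytes(b ^ key for b in data)


def constructed_sample() -> bytes:
    """A made-up 'unpacked' buffer: NOT real malware bytes, just the kinds of strings the
    analysis describes (a registry path, an FTP-client name, the two Bitcoin strings)."""
    return b"".join([
        b"MZ\x90\x00" + bytes(12),
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\x00",
        b"FileZilla\x00\x13\x37\x00\x00",
        "\\Bitcoin".encode("utf-16le") + b"\x00\x00",   # wide string, as Windows APIs take it
        b"wallet.dat\x00",
        bytes(range(16)),
    ])


if __name__ == "__main__":
    sample = constructed_sample()
    print(classify_sample(sample))
    # {'bitcoin-wallet': ['\\Bitcoin', 'wallet.dat'], 'ftp-credentials': ['FileZilla']}
    print(classify_sample(xor_bytes(sample, 0x5A)))   # {} : packed, the strings are invisible
```

Scanning for both ASCII and wide strings matters because Windows file and registry paths are often stored as UTF-16LE, where a plain ASCII `strings` pass finds nothing; and the empty result on the XOR'd copy is the same effect the custom packers mentioned above have on static analysis.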

World of Warcraft users hit by account-hijacking malware attack

World of Warcraft players have been hit with a malicious trojan that hijacks accounts even when they're protected by two-factor authentication, officials have warned.

The malware is infecting systems by posing as an installer of Curse, a legitimate add-on that helps players manage other World of Warcraft add-ons. On Friday, officials with WoW developer Blizzard warned that trojanized versions of Curse available on unofficial sites were posing as the authorized Curse client. Once installed on end-user computers, the imposter versions were being used to take over accounts. In some cases, users reported that their accounts were hijacked even after the passwords were changed and even when the accounts were protected by Authenticator, a two-factor authentication system that sends a temporary password to players' smartphones.

"We've been receiving reports regarding a dangerous trojan that is being used to compromise players' accounts even if they are using an authenticator for protection," Blizzard officials wrote on Friday. "The trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them."
