[SANOG] Fwd: [fellowships-alumni] PONMOCUP THREAT

GZ Kabir gzkabir at office.bdcom.com
Sat Dec 5 05:28:46 UTC 2015


This is for all…



> Begin forwarded message:
> 
> From: Wisdom Donkor <wisdom.dk at gmail.com>
> Date: December 5, 2015 at 3:53:08 AM GMT+6
> To: "Fellowships-alumni at icann.org" <Fellowships-alumni at icann.org>
> Subject: [fellowships-alumni] PONMOCUP THREAT
> 
> Dear All,
> 
> Botconf: One of the world's most successful, oldest, and largest botnets is an underestimated and largely-unknown threat that has over time infected 15 million machines and made millions plundering bank accounts.
> 
> The findings from a team of eight Fox IT researchers say the 'Ponmocup' botnet controlled 2.4 million infections at its peak in 2011 and now holds about half a million machines under its power.
> 
> Lead author Maarten van Dantzig presented the work at the BotConf conference this week in the paper Ponmocup: A giant hiding in the shadows.
> 
> In it he and researchers Danny Heppener, Frank Ruiz, Yonathan Klijnsma, Yun Zheng Hu, Erik de Jong, Krijn de Mik and Lennart Haagsma say how the malware, first described in 2006, has a strong focus on stealth and has made its likely Russian authors millions of dollars.
> 
> "Compared to other botnets, Ponmocup is one of the largest currently active and, with nine consecutive years, also one of the longest running, but it is rarely noticed as the operators take care to keep it operating under the radar," van Dantzig says.
> 
> "Although it is difficult to quantify the exact amount of money earned with the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now.
> 
> "Firstly, their infrastructure is complex, distributed and extensive, with servers for dedicated tasks."
> 
> Van Dantzig says the attackers maintain comprehensive infrastructure that is quality tested and updated to improve robustness and stealth, and can quickly mitigate risks.
> 
> They are, he says, technically sophisticated, with deep knowledge of Windows and some 10 years of malware development experience.
> 
> So far the team has found some 25 unique plug-ins and a whopping 4000 variants that indicate continuous development.
> 
> The malware includes anti-analysis tricks such as heuristic checks for network and host-based analysis tools, debuggers and virtualised environments. It also drops clever fake payloads to throw off analysts, the researcher team says.
> 
> One of the payloads injects an obvious executable into running processes that serves as an annoying advertising injector commonly found in horrid software bundlers.
> 
> It is recommended that users and administrators mitigate this issue as follows:
> 
> 1. Information Risk Management Regime
> 
> Assess the risks to your organisation's information assets with the same vigour as you would for legal, regulatory, financial or operational risk. To achieve this, embed an Information Risk Management Regime across your organisation, supported by the Board, senior managers and an empowered information assurance (IA) structure. Consider communicating your risk management policy across your organisation to ensure that employees, contractors and suppliers are aware of your organisation's risk management boundaries.
> 
> 2. Secure configuration
> 
> Introduce corporate policies and processes to develop secure baseline builds, and manage the configuration and use of your ICT systems. Remove or disable unnecessary functionality from ICT systems, and keep them patched against known vulnerabilities. Failing to do this will expose your business to threats and vulnerabilities, and increase risk to the confidentiality, integrity and availability of systems and information.
> 
> 3. Network security
> 
> Connecting to untrusted networks (such as the Internet) can expose your organisation to cyber attacks. Follow recognised network design principles when configuring perimeter and internal network segments, and ensure all network devices are configured to the secure baseline build. Filter all traffic at the network perimeter so that only traffic required to support your business is allowed, and monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an attack (or attempted attack).
> 
> 4. Managing user privileges
> 
> All users of your ICT systems should only be provided with the user privileges that they need to do their job. Control the number of privileged accounts for roles such as system or database administrators, and ensure this type of account is not used for high risk or day-to-day user activities. Monitor user activity, particularly all access to sensitive information and privileged account actions (such as creating new user accounts, changes to user passwords and deletion of accounts and audit logs).
> 
> 5. User education and awareness
> 
> Produce user security policies that describe acceptable and secure use of your organisation's ICT systems. These should be formally acknowledged in employment terms and conditions. All users should receive regular training on the cyber risks they face as employees and individuals. Security related roles (such as system administrators, incident management team members and forensic investigators) will require specialist training.
> 
> 6. Incident management
> 
> Establish an incident response and disaster recovery capability that addresses the full range of incidents that can occur. All incident management plans (including disaster recovery and business continuity) should be regularly tested. Your incident response team may need specialist training across a range of technical and non-technical areas. Report online crimes to the relevant law enforcement agency to help the UK build a clear view of the national threat and deliver an appropriate response.
> 
> 7. Malware prevention
> 
> Produce policies that directly address the business processes (such as email, web browsing, removable media and personally owned devices) that are vulnerable to malware. Scan for malware across your organisation and protect all host and client machines with antivirus solutions that will actively scan for malware. All information supplied to or from your organisation should be scanned for malicious content.
> 
> 8. Monitoring
> 
> Establish a monitoring strategy and develop supporting policies, taking into account previous security incidents and attacks, and your organisation's incident management policies. Continuously monitor inbound and outbound network traffic to identify unusual activity or trends that could indicate attacks and the compromise of data. Monitor all ICT systems using Network and Host Intrusion Detection Systems (NIDS/HIDS) and Prevention Systems (NIPS/HIPS).
> 
> 9. Removable media controls
> 
> Produce removable media policies that control the use of removable media for the import and export of information. Where the use of removable media is unavoidable, limit the types of media that can be used together with the users, systems, and types of information that can be transferred. Scan all media for malware using a standalone media scanner before any data is imported into your organisation's system.
> 
> 10. Home and mobile working
> 
> Assess the risks to all types of mobile working (including remote working where the device connects to the corporate network infrastructure) and develop appropriate security policies. Train mobile users on the secure use of their mobile devices for locations they will be working from. Apply the secure baseline build to all types of mobile device used. Protect data-at-rest using encryption (if the device supports it) and protect data-in-transit using an appropriately configured Virtual Private Network (VPN).
> 
> Cheers
> 
> -- 
> WISDOM DONKOR (S/N Eng.)
> ICANN Fellow / ISOC Member
> Web/OGPL Portal Specialist
> National Information Technology Agency (NITA) 
> Ghana Open Data Initiative (GODI)
> Post Office Box CT. 2439, Cantonments, Accra, Ghana
> Tel: +233 20 812881
> Email: wisdom_dk at hotmail.com <mailto:wisdom_dk at hotmail.com>
> wisdom.donkor at data.gov.gh <mailto:wisdom.donkor at data.gov.gh>
> wisdom.dk at gmail.com <mailto:wisdom.dk at gmail.com>
> Skype: wisdom_dk
> facebook: facebook at wisdom_dk
> Website: www.nita.gov.gh <http://www.nita.gov.gh/> / www.data.gov.gh <http://www.data.gov.gh/>
> www.isoc.gh <http://www.isoc.gh/> / www.itag.org.gh <http://www.itag.org.gh/> 
> 
