


ISSUE 19

21 March 2013

Article of the Month


To an avid IT security connoisseur, the recent news of mass cyber-attacks using “bots and zombies” would not be alarming. It would not make this enthusiast think, even for a moment, that the computer world has been overtaken by the living dead or, better yet, alien forces; only one thing would come to mind: “botnets”.


A botnet, according to Google, is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks (Google, retrieved 2013, March 9 from http://en.wikipedia.org/wiki/Botnet). The term “bot” is derived from “robot”. Bot is a generic term used to describe a script or set of scripts designed to perform predefined functions in an automated fashion (SANS, retrieved 2013, March 9 from malicious/bots-botnet-overview_1299).

Because of their network-based, coordinated and controlled nature, botnets are currently one of the most dangerous species of attack that roam the Internet. Deriving their power from both their cumulative bandwidth and their access capabilities, botnets can cause severe network outages through massive distributed denial-of-service attacks (retrieved 2013, March 9 from http://cdn.intechopen.com/pdfs/39021/InTech-Botnet_detection_enhancing_analysis_by).



Because of their distributed architecture, and their propagating, self-organizing and autonomous framework that sits under a command and control (C2 or C&C) infrastructure, botnets are quite different from other known types of malware. They can spread over millions and millions of computers in the same way that worms do. What makes them even more dangerous is that, unlike worms, zombie nodes in a single botnet can work in co-operation and at the same time be managed with a single “hive-like” mentality.

Because of this, botnets cannot be classified into the standard groups of threats as we do for other malware. From the many works that try to summarize the taxonomy of botnets, we can understand that the main classification areas of botnets are the topology of the C&C architecture used, the propagation mechanism, the exploitation strategy and the set of commands available to the perpetrator (retrieved 2013, March 9 from http://cdn.intechopen.com/pdfs/39021/InTech-Botnet_detection_enhancing_analysis_by_using_data_mining_techniques.pdf).

The creation of a botnet requires a high level of planning, coordination and deep technical skill. A good, functional botnet can be characterized as a professionally designed and built tool, intended to be rented or sold for use by anyone with a novice skill set and up (The Hacker News, retrieved 2013, March 11 from http://news.thehackernews.com/THN-August2012.pdf).

However, the elements used for the infection and subsequent hijacking of a computer into a botnet are only three:

1. Used to infect the computers by tricking users into clicking an executable file. This can be done in a variety of ways, such as drive-by infections, malicious PDFs and infected USB sticks.
2. Used to enable the cyber-criminal to issue instructions to the infected computer’s Trojan.
3. Used for the collection of information harvested from victims.

(ComputerWeekly.com, retrieved 2013, March 10 from http://www.computerweekly.com/feature/Setting-up-a-botnet-is-easier-than-you-think)

Besides being used to perform the normal set of attacks (spamming, malware spreading, sensitive information leakage, identity fraud, click fraud), this ingenious technique is a very valuable instrument in carrying out Advanced Persistent Threats (APTs) against critical organizations.

Nevertheless, the most famous, and yet very dangerous, threat posed by the use of botnets is the “Denial of Service” (DoS) attack. This can be made much more severe by ensuring that the targeted organization's network bandwidth is consumed from a wide range of IP addresses, i.e. a distributed environment (DDoS), where the victim's system or network administrator is unable to isolate the source IP addresses used in the exploit (i.e. to add them to a blacklist), as the traffic would seem to come from regular end-users.

Even if evidence reveals that the attacks most commonly implemented by botnets are TCP SYN and UDP flooding attacks (Freiling, Holz, & Wicherski, 2005), the newest botnets are designed in such a way as to make discovering and eliminating the source of control even more difficult. Instead of using the traditional server-centric command and control model (such as an IRC server), the new botnets are said to utilize the peer-to-peer protocol that has been popularized on the Internet by many file-sharing applications found on many platforms. Using peer-to-peer, or P2P, it is no longer necessary to send commands from a physical server location. The Internet protocol address, or IP, is dynamic (meaning constantly changing). The benefit of this is that it is much more difficult to trace back to the source (The Hacker News, retrieved 2013, March 11 from http://news.thehackernews.com/THN-August2012.pdf).
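The two paragraphs above describe why a distributed SYN flood defeats the administrator's usual reflex of blacklisting a noisy source address: each zombie sends only a little, so no single IP looks abnormal. The following script is an added illustration, not part of the original article, using constructed connection records (RFC 5737 documentation addresses, no real traffic). It contrasts a naive per-source rate rule, which flags nothing, with an aggregate rule that counts half-open connections and distinct sources per destination, which is what a defender needs to watch instead.

```python
"""Detection sketch for a distributed SYN flood (constructed data, added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class SynEvent:
    ts: float        # seconds since start of capture
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    completed: bool  # True if the three-way handshake finished (ACK seen)


def make_sample():
    """Constructed traffic: 20 real clients over 60 s, then a 10 s flood from 200 sources."""
    events = []
    # Legitimate clients: three completed handshakes each, spread over time.
    for i in range(20):
        src = f"198.51.100.{i + 1}"  # RFC 5737 documentation range (constructed)
        for k in range(3):
            events.append(SynEvent(ts=i * 3.0 + k * 0.5, src=src,
                                   dst="203.0.113.10", dport=443, completed=True))
    # Flood: between t=30 s and t=40 s, 200 distinct sources send one SYN each
    # and never complete the handshake, so each address stays under any per-IP limit.
    hosts = list(ipaddress.ip_network("192.0.2.0/24").hosts())  # 254 usable addresses
    for i in range(200):
        events.append(SynEvent(ts=30.0 + i * 0.05, src=str(hosts[i]),
                               dst="203.0.113.10", dport=443, completed=False))
    events.sort(key=lambda e: e.ts)
    return events


def per_source_offenders(events, window=10.0, threshold=20):
    """Naive per-IP rule: flag a source sending more than `threshold` SYNs in any `window`.

    Against a distributed flood every zombie sends a handful of packets, so this
    returns an empty set: there is nothing to blacklist.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e.ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over this source's SYNs
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def half_open_windows(events, dst, window=10.0, min_half_open=100, min_sources=50):
    """Aggregate rule: alert on time windows where many SYNs to `dst` never complete
    and come from many distinct sources. Returns one summary dict per alerting window."""
    buckets = defaultdict(list)
    for e in events:
        if e.dst == dst:
            buckets[int(e.ts // window)].append(e)
    alerts = []
    for b in sorted(buckets):
        evs = buckets[b]
        half_open = [e for e in evs if not e.completed]
        sources = {e.src for e in half_open}
        if len(half_open) >= min_half_open and len(sources) >= min_sources:
            alerts.append({"window_start": b * window, "syns": len(evs),
                           "half_open": len(half_open),
                           "distinct_sources": len(sources)})
    return alerts


if __name__ == "__main__":
    sample = make_sample()
    print("per-source offenders:", per_source_offenders(sample))   # set() on this sample
    for a in half_open_windows(sample, "203.0.113.10"):
        print("half-open alert:", a)
```

On the constructed sample the per-source rule finds no offender, while the aggregate rule reports the 30 to 40 s window with 200 half-open connections from 200 sources. In production the same signal comes from SYN-cookie or backlog counters on the server, or from flow records on the edge router, and the response is rate limiting or upstream scrubbing of the destination rather than blacklisting individual addresses.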

In 2007 this new kind of botnet arrived, using an encrypted implementation that was based on the eDonkey protocol; it was originally called W32/Nuwar but later gained fame as the Storm worm. Storm had about 100 peers hardcoded into it as hash values, which the malware decrypts and uses to check for new files to download (McAfee, retrieved 2013, March 11 from http://www.mcafee.com/in/resources/white-papers/wp-new-era-of-botnets.pdf). What made this even more interesting is that all these transactions were encrypted, so only the malware itself could decrypt and act upon the answers. The replies generally led to URLs that download other binaries. Storm was responsible for the vast majority of spam during 2007–2008 until it was taken down.


Initially, bots had run almost exclusively on versions of Windows. Recently, though, localized versions have emerged. Using the scripting language Perl, hackers created versions that ran on several flavours of Unix and Linux (McAfee, retrieved 2013, March 11 from).

Due to the “open” nature of the Android platform and the boom in Android applications and packages, new impetus has been injected into the use of botnets. As this new market has few restrictions when it comes to registering as a developer (a choice made to encourage app developers to adopt the platform), it is easier for cybercriminals to upload their malicious apps or Trojanized counterparts. Concepts such as BYOD, implemented in many blue-chip organizations, have allowed the introduction of many mobile devices running the Android operating system. By this, the attack surface has been considerably increased. The attack vector has been made greater as mobiles are simpler to infect through any infected media (The Hacker News, retrieved 2013, March 11 from http://news.thehackernews.com/THN-August2012.pdf).

With the recent trends in cyber-warfare, it will not be long before botnets are purchased or rented on the black market, or, even worse, forcibly taken over from their nefarious owners and redirected to new targets. We know these things occur regularly, so it would be naive not to expect that government organizations or nation states around the globe have involved themselves in the acquisition of botnet capability for offensive and counter-offensive needs (McAfee, retrieved 2013, March 11 from http://www.mcafee.com/in/resources/white-papers/wp-new-era-of-botnets.pdf).


As cyber threats grow exponentially with new forms of attack vectors, security professionals need to be on guard and try to think out of the box in order not only to detect potential attacks, but to thwart them as well. It can also be noted that time-tested strategies such as defence in depth, layering of technologies, etc. would not be sufficient to prevent this threat. Conversely, these may in fact give the potential perpetrator more attack vectors through which to perpetrate the crime. The best approach, I feel, is an easy one. That is, just to ensure that our own curiosity doesn't take us to places where our computer would rather not go. Or else we may just be the reason why botnets are able to grow at such an alarming rate.



Kumar is on the Board of Directors of the ISACA Sri Lanka Chapter, serving as the Marketing Director. Kumar works as an Information Systems Auditor at SJMS Associates, an esteemed firm of Chartered Accountants backed by Deloitte Touche Tohmatsu.


Around the World

10 security best practice guidelines for consumers

'....Consumers need to proceed with extra caution to avoid scams, viruses, social engineering attempts, privacy-leaking apps, and malicious software of every flavor. These guidelines will keep you on the straight and narrow......'

Hackers also attack Czech mobile operators' websites

'....Earlier today, unknown hackers attacked the website of the Prague Public Transit Company (DPP) along with the websites of T-Mobile and O2, two Czech mobile phone operators.

It is the latest attack in what appears to be an organized and massive DDoS campaign against major Czech Internet websites over the past four days, between Monday 4 and Thursday 7 March, 2013......'


International network of on-line card fraudsters dismantled

'....Finnish law enforcement authorities, working closely with the European Cybercrime Centre (EC3) at Europol, have dismantled an Asian criminal network responsible for illegal internet transactions and purchasing of airline tickets.

As a result of this successful operation, two members of the criminal gang, traveling on false documents, were arrested at Helsinki airport. In addition, around 15 000 compromised credit card numbers were found on the criminals' seized computers.

The criminal network had been misusing credit card details stolen from cardholders worldwide. In Europe alone, over 70 000 euros in losses were sustained by cardholders and banks. In addition, there is evidence of further criminal activities in large-scale international payment fraud and illegal immigration.

Coordinated investigative measures on an EU level, international operational meetings, forensic examination of seized electronic evidence and the valuable support from the financial services industry were key to the successful outcome of this investigation......'

Pakistan Intelligence agency hacked by Indian hacker

'....A hacker going by the name "Godzilla" today claimed to have hacked into one of the servers belonging to the ISI website (http://isi.org.pk) and obtained all possible secret information about Pakistan Intelligence......'

Month in Brief

Facebook Incidents Reported to Sri Lanka CERT|CC in February 2013 (chart; categories shown: Fake, Harassment)

Statistics - Sri Lanka CERT|CC (chart)



Baltimore man, 81, loses his home following lottery fraud

'....The first caller told Norman Breidenbaugh he had won $2.5 million in a foreign sweepstakes, but there was a catch: Breidenbaugh needed to send $2,000 in fees before collecting his earnings.

Other calls followed, promising Breidenbaugh millions more, even a Mercedes Benz, as long as he would wire some money to pay taxes on the prizes. He obliged, sending more than $400,000 over about six years, hoping the promised winnings would cover his wife's medical expenses.

The prizes never came. The people calling Breidenbaugh, 81, were con artists from Canada and Jamaica, claiming they were Border Patrol or Secret Service agents, a fraud scheme that has increasingly targeted elderly people. Breidenbaugh fell behind on property taxes and last year lost his Baltimore home......'


Privacy of Millions of HTC devices at risk



'....More than 18 million smartphones and other mobile devices made by HTC are at risk, vulnerable to many security and privacy issues.

The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows-based phones in ways that let third-party applications install software that could steal personal information......'

Notice Board

Training and Awareness Programmes - March 2013

Date | Event | Venue
- 01-06 | Development of Education e-content for e-thaksalawa, Grade 10-11 | Education Leadership Development Center, Meepe
- 03 | Safe Use of Internet awareness session | Gurulugomi Vidyalaya, Kalutara
- 21-25 | 1. Training for the newly selected teachers for the education content development for e-thaksalawa; 2. e-thaksalawa content development (questions) workshop | Education Leadership Development Center, Meepe

