SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

fish


6 Comments

Usage of .ch domain names for spamming malware Tofsee stopped

It is rare that a malware family uses .ch or .li domain names in their domain name generation algorithm (DGA). The last time I remember, that we had to take action against a malware using .ch or .li domain names was about 8 years ago. It was Conficker that infected millions of computers worldwide. The malware was generating about 500 .ch and .li domains a day to be potentially used as a command and control server. By then SWITCH joined the conficker working group to prevent the use of domain names by this malware.

Since then we have been watching the use of .ch and .li domain names in malware DGAs and prepared for this by making an agreement with the Registrar of Last Resort (RoLR) to prevent the registration of domain names used in DGA algorithms of malware.

This week the Swiss Govermental Computer Emergency Response Team (GovCERT) informed us about the malware Tofsee using .ch as one of the TLDs in its DGA. Continue reading

Safer-Internet-Home


Safer Internet

Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend helped her to install a popular open-source content management system (CMS) for the website, so that she can change the menu every week and perform other updates herself. The parents of the kids were delighted to have access to this information online.

Three months after the website went online, one of the parents called her, telling her that the website was no longer available, and a warning was displayed instead. He also told her that he had a virus on his home PC and had to reinstall his operating system and change all his Internet passwords. When she talked to other parents that day, they told her the same.

What happened? Continue reading

Sicherheit_Icon_virus_echt


Drive-by code and Phishing on Swiss websites in 2014

In 2014, about 1,800 Swiss websites were cleaned from drive-by code, compared with 2,700 in 2013, a decline of 33%. At the same time, the number of phishing cases affecting .ch and .li top-level domains rose from only a handful in 2013 to more than 300.

Drive-by code on Swiss websites in 2014

Last year, 35,796 suspicious drive-by URLs in the .ch and .li top-level domains were reported to SWITCH. Security experts from SWITCH-CERT automatically sent requests to these servers and analysed the responses, looking for malicious code injected into the HTML source code. When an expert identified malicious code, the registrar or domain name holder and the web hoster were notified and asked to remove it within one working day. This was done for 1,839 domain names in 2014. In 1,493 (81%) cases, the code was removed by the web hoster or domain holder within one day. For the other 346 domains, the deadline was not met, and the domain name was temporarily suspended to prevent further damage to website visitors. Some 264 (14%) of the infected websites were cleaned of malicious code, with the remaining 82 domain names having to be reactivated after five days, the maximum suspension time by law. A request for identification was sent to the holders of all 82 domains, resulting in an additional 59 (3.2%) of websites being cleaned. A total of 23 (1.3% of all notified) domain names were deleted after 30 days because the domain holder failed to respond to the identification request.

malware2015_E

Compromised .ch and .li websites used for drive-by infections by quarter

Continue reading

SISA


Swiss economy makes online security its priority

Switzerland is one of the safest countries in the world. To make also the Internet a secure place in Switzerland, the Swiss online economy has started the Swiss Internet Security Alliance (SISA). The goal of the alliance is to make Switzerland the “cleanest” Internet country in the world! The organization launched an online security check today which allows internet users to clean and protect their systems.

Offering more security
The founding of the Swiss Internet Security Alliance is a sign of its members’ commitment to making the Internet a secure place in Switzerland. The association brings together expert knowledge from representatives of various sectors and promotes information-sharing amongst competitors.

Overcoming challenges together
The Swiss Internet Security Alliance focuses on its main assets – the knowledge, experience and technical expertise of its members. Its members asut, Centralway, credit suisse, cyscon Schweiz, Lucerne University of Applied Sciences and Arts, Hostpoint, Migros Bank, PostFinance, Raiffeisen, Sunrise, Swisscard, Swisscom, SWITCH, UBS, upc cablecom and Viseca have longstanding experience in dealing with online security.  The association is open to other interested parties. More information can be found in the press release:

https://www.switch.ch/about/news/2014/sisa.html

Comprehensive security check
Upon founding the association, the Swiss Internet Security Alliance is launching a security check. The Swiss Security Check provides protection on three levels.

  1. Users with outdated or incorrectly configured software who are therefore subject to a security risk, will find this out within seconds.
  2. If there is suspicion of malware, the malware cleaner helps with the diagnosis and resolution of the problems.
  3. A cyber vaccine completes the protection and keeps electronic pests at bay.

 

The Swiss Security Check is free and can be accessed here:
http://www.swiss-isa.ch

 

Please follow @swiss_isa on Twitter!

Sicherheit_Icon_DNSSEC


DNS Hijacking nimmt zu

Internetbenutzer die den Domainnamen nytimes.com in der Navigationsleiste ihres Browsers eingegeben hatten, sahen gestern für sechs Stunden nicht etwa die Webseite der Zeitung, sondern eine Seite der “Syrian Electronic Army” oder eine Fehlermeldung. Wie die Los Angeles Times berichtet, wurden die Zugriffs-Credentials eines Resellers von Melbourne IT missbraucht um die DNS-Einträge für nytimes.com zu ändern und die Besucher so auf einen anderen Webserver zu leiten.

Angriffe über das Domain Name System (DNS) häufen sich in der letzten Zeit. Statt eine gut gesicherte Webseite zu hacken, versuchen Kriminelle den Domainnamen auf den eigenen Server umzuleiten. Der Web-Traffic ist viel wert, sei es für Propaganda, wie im Fall der Syrian Electronic Army, oder für kriminelle Zwecke, wie das Verteilen von Malware, Clickfraud oder zur Search Engine Optimierung.

Statt einzelne DNS-Server zu hacken, versuchen die Kriminellen verstärkt, Registries, Registrare und Reseller von Domainnamen anzugreifen. Gelingt es ihnen in die Systeme oder an Credentials zu gelangen, können so oft gleich tausende von Domainnamen auf den eigenen Server umgeleitet werden. Prominente Opfer sind vor allem viel besuchte Webseiten wie Suchmaschinen oder Nachrichtenportale.

Auch Schweizer Domainnamen waren in der vergangenen Woche von falschen DNS Antworten betroffen. Continue reading

Icon_menschengruppe_kreis_switchfarben


CSIRTs – Sharing to Win

Einbrüche in Datenbanken, gestohlene persönliche Daten, manipulierte Transaktionen im E-Banking, Eingriffe von staatlichen Akteuren in die Kommunikation im Internet und Angriffe auf die Verfügbarkeit von Diensten: Fast täglich wird mittlerweile über diese Sicherheitsvorfälle in den Medien berichtet.

Computer Security Incident Response Teams (CSIRTs) sind mit die Ersten, die auf solche Vorfälle reagieren und versuchen, Gegenmassnahmen zu treffen. Im Forum of Incident Response and Security Teams (FIRST) sind weltweit rund 240 dieser Teams aus der Industrie, von Regierungen und Akademischen Institutionen zusammengeschlossen, das SWITCH-CERT ist eines davon.

Continue reading

Technik_Geräte_Icon_laptop_infected


Mehr Drive-By Exploits auf gehackten Schweizer Webseiten

Als Drive-By Exploit oder Drive-By Download bezeichnet man es, wenn auf dem Computer eines Internetnutzers nur durch das Aufrufen einer Webseite im Browser automatisch und unbemerkt schädliche Software installiert wird.

Nach der Infektion mit schädlicher Software haben Kriminelle meist unbegrenzten Zugirff auf den Computer und die darauf gespeicherten Daten und versuchen damit Geld zu verdienen. Trojaner stehlen z.B. Zugangs- und Kreditkarteninformation des Benutzers oder greifen in sein Ebanking ein. Ransomware versucht durch Einschüchterung des Benutzers und durch Blockade des PCs Geld zu erpressen.

Gemäss eines Berichts (PDF) der “European Network and Information Security Agency” ENISA stellen Drive-By Exploits für 2013 die grösste Bedrohung für Internetnutzer dar. Dies bestätigen auch die Zahlen aus der Schweiz. Continue reading