Third Cyber Security Assessment Netherlands - NCSC
Detailed section » 3 Botnets » Dorifel case

Detection and incident response
On 8 August 2012 the NCSC received reports of failing systems. Through infection, these systems were part of the Citadel botnet and had been instructed through that botnet to execute new malware that later became known as Dorifel. Dorifel is a banking trojan: malware aimed at stealing internet banking login details. Anti-virus vendors had the first anti-virus updates available the next day, so from that moment on users with up-to-date anti-virus software were no longer at risk of new infections. This was of only limited effect, however, because the malware was able to switch off anti-virus software without this being noticed. As a result, systems already infected with Citadel remained vulnerable. The Dorifel malware encrypted files on the system and on network storage. The Dutch anti-virus maker SurfRight published a program able to reverse this encryption.
The NCSC advised various target groups of the risks and of the possible courses of action. There was close collaboration with private investigative companies to analyse the malware. Much of the expertise in this area appears to be held primarily by private organisations and to be limited within government.
Impact

The version that appeared in the Netherlands was potentially a test version. The consequences were nevertheless major, because this version caused systems to fail. If the malware had worked as planned, the attack would probably have gone unnoticed. In the meantime it has become apparent that the number of infections in the Netherlands is greater than abroad. The IP addresses found on the Dorifel C&C servers show that at least 150,000 Dutch systems are (or were) infected. One of the consequences was that organisations were unable to operate. Because Dorifel was probably not spread through a 0-day, it is likely that organisations were not careful enough in preventing and detecting infection by known malware. The affected organisations include local authorities, hospitals, parts of central government and government-related bodies. There is no data on the number of infections at organisations in the vital sectors.
3.4 Prevent and combat

3.4.1 Combat

It is becoming increasingly difficult to detect and combat botnets. Botnets make more frequent use of P2P architectures, encryption and large numbers of randomly generated domain names to hinder detection, infiltration and dismantling. Under current legislation there are few opportunities for investigators, companies and the government to tackle sophisticated botnets.
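As an added illustration (not from the assessment), the script below shows one defender-side check against the randomly generated domain names mentioned above: it scores the queried names in a constructed DNS log with a few lexical indicators and counts, per client, how many DGA-like names it resolved. The log lines, domain names and thresholds are assumptions made for this example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the report): timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2012-08-08T09:12:01 10.0.0.15 www.rijksoverheid.nl
2012-08-08T09:12:03 10.0.0.15 xk3vq9zlt7w.com
2012-08-08T09:12:05 10.0.0.21 mail.example.org
2012-08-08T09:12:06 10.0.0.15 q7bdmzp2wkx4.net
2012-08-08T09:12:08 10.0.0.33 www.ncsc.nl
2012-08-08T09:12:09 10.0.0.33 update.microsoft.com
2012-08-08T09:12:10 10.0.0.15 hjr8ft2nqv.info
"""

def shannon_entropy(s):
    """Bits per character; a label with no repeated characters scores log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_label(fqdn):
    """Label directly under the TLD (assumes single-label TLDs; no public-suffix list)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_indicators(label):
    """Cheap lexical signals separating generated labels from dictionary-like ones."""
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou0-9]+", label)), default=0)
    return {
        "high_entropy": shannon_entropy(label) > 3.0,   # 'rijksoverheid' also trips this alone
        "few_vowels": vowel_ratio < 0.25,
        "has_digits": any(ch.isdigit() for ch in label),
        "consonant_run": longest_run >= 4,
    }

def looks_generated(label, min_len=7, min_hits=2):
    """Require two independent signals; short acronyms such as 'ncsc' are skipped entirely."""
    if len(label) < min_len:
        return False
    return sum(dga_indicators(label).values()) >= min_hits

def flagged_clients(log_text):
    """Client IP -> number of DGA-like names it resolved; a burst points at an infected host."""
    hits = Counter()
    for line in log_text.splitlines():
        _ts, client, fqdn = line.split()
        if looks_generated(registered_label(fqdn)):
            hits[client] += 1
    return dict(hits)
```

Requiring two signals keeps long legitimate words (high entropy alone) and short acronyms out of the result, so only the client resolving several generated names stands out.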
Botnets are generally investigated, infiltrated and sabotaged by private parties. Investigation firms and security companies are able to operate more freely than the government in an area where many legal uncertainties remain. Investigators themselves are also calling for a public debate on whether it is desirable for governments to infiltrate botnets, given the high impact on the privacy of (innocent) users. [128]
Government services act predominantly reactively during incidents and have no timely, complete and detailed picture of malware and botnet activity. Because of a lack of information sharing and coordination of activities in this area, private-sector efforts are often temporary and limited in reach or effect, as the efforts of the various actors work against each other. One example is the switching off of the Waledac botnet by Microsoft, which investigators from Fox-IT, among others, considered an unwise and undesirable act because the botnet was filtered, leaving others unable to gather information about infections.
3.4.2 Responsibilities

Preventing infection by malware largely remains the responsibility of the owner (or delegated administrator) of a system. Software manufacturers, site administrators, Internet Service Providers (ISPs) and others also share some of the responsibility.

Users should continue to follow the time-honoured recommendations, such as installing updates, being careful about clicking on links and using a virus scanner. It remains difficult for less technically savvy end-users to adopt technical measures: it takes time and effort, and malware spreads through constantly changing methods of social engineering.

Recognising infection by malware is virtually impossible without sufficient understanding of how a computer works. [129]
The wide spread of Dorifel among victims leads to the assumption that data was stolen from various organisations. However, it is not known what data was stolen by Dorifel.
[128] http://www.f-secure.com/weblog/archives/00002056.html
[129] Three of the five characteristics in the recommendation below require technical knowledge to recognise; the other two are not applicable to botnets: https://www.security.nl/artikel/45721/1/Vijf_kenmerken_van_een_besmette_computer.html