Thursday, May 28, 2009

Review: Malware-fighting firewalls miss the mark

The InfoWorld Test Center attacks Astaro, SonicWall, WatchGuard, and ZyXel firewalls, and only one puts up a fight.

May 27, 2009 (InfoWorld) In the beginning was the firewall, and it was pretty good. A big box of rules that sat between your network and the evils of the Internet, the firewall examined ports and protocols to decide which packets got in and which were barred at the door. Then things got, as things often do, complicated. New threats came sneaking in on trusted protocols, ports and protocols became tangled, and looking inside packets became just as important as noting their source, destination, and type.

Protecting a network now meant deploying multiple firewall types (network, endpoint, application), anti-virus protection, content filters, intrusion detection systems, and more. Instead of a big box of rules, you needed a relay rack stuffed top to bottom with appliances -- each with its own administrative interface, and each representing a possible point of failure in the network. There had to be a better way, especially for smaller companies that couldn't afford a massive staff to feed and care for the relay racks full of appliances -- and thus, the unified threat manager (UTM) was born.

Indeed, a rapidly growing number of small and mid-size companies are opting for the administrative and operational simplicity of the single-box solution. And so we decided that UTMs aimed at the mid-size company were the perfect group to use for the rollout of InfoWorld's new firewall and UTM test protocols. When we began this process well over a year ago, we asked for input from virtually every firewall and UTM vendor we knew, and we invited every UTM vendor we could find to send us an appliance to test. In the end, four vendors answered the call. Astaro, SonicWall, WatchGuard, and ZyXel submitted units for this first set of tests.

Although all four fulfill the basic definition of a UTM -- combining firewall, VPN, intrusion detection and prevention, anti-malware, anti-spam, and Web content filtering -- we could not have asked for four more diverse units. There are differences in basic approaches to security (by default, allow most normal traffic or allow absolutely nothing), differences in administration capabilities, big differences in throughput, and most important of all, immense differences in effectiveness against malware.

UTMs unmasked

Among the four devices we tested, only one -- the SonicWall NSA E7500 -- provided a significant level of protection against malware, blocking 96 percent of the attacks we threw at it. The Astaro Security Gateway 425 and WatchGuard Firebox Peak X5500 fell far short, blocking a mere 26 percent and 33 percent of the attacks, respectively. The ZyXel ZyWall USG1000 took the middle ground, blocking a more respectable 69 percent of the attacks. (See chart below.)

Attacks attempted and blocked

In InfoWorld tests, the SonicWall NSA E7500 blocked 96 percent of malware attacks.

It's important to note that the attacks used in the test (Mu Dynamics' Published Vulnerability Attacks, drawn from the US-CERT database) were all exploits of known vulnerabilities (no "zero day" surprises) in a wide range of popular operating systems, applications, and protocols (Microsoft Windows, Internet Explorer, Cisco IOS, Apache, SQL, ICMP, SSH, and so on). We threw the full range of exploits at our UTMs, about 600 attacks in all, but the UTMs should have been designed to thwart such threats. And still hundreds were allowed to pass through.

Why did the UTMs miss so many exploits? We don't know, but we suspect that (apart from the SonicWall) they lack the horsepower to perform the necessary deep packet inspection while under load. At the same time the UTMs handled our attacks, we were pushing the limits of their throughput with legitimate traffic. The upshot is, although the vendors have packed these devices with additional gateway security functions, clearly many UTMs are still strictly firewalls at heart.

[ Read more about InfoWorld's UTM acid test and the test tools: "How to stress a UTM" | "Ixia IxLoad's multithreaded testing" | "Mu's Internet attacks in a can." ]

UTM functions require gobs of processing in order to peek into packets to look for malware, so it should be no surprise that the devices -- all except the Astaro -- took a significant hit in throughput when under attack. Compared to their maximum throughput without attacks, the WatchGuard took a 45 percent hit, the ZyXel 36 percent, and the SonicWall 23 percent. The Astaro, which blocked the fewest attacks in our test, barely lost a step when under attack -- a surprisingly tiny 2 percent dip from maximum throughput. Generally, however, you should be prepared for huge hits to throughput when you turn on all of the security functions of a UTM. You are not getting a wire speed device. On the plus side, unless your WAN link is a gigabit Ethernet feed, you may never notice the slowdown.

Attacks attempted and blocked

All the devices except the Astaro took a significant hit in throughput when under attack.

Recognizing a winner

Despite the poor attack blocking test results, each of these "UTMs" will serve as perfectly effective firewalls and VPN appliances, if they're installed and administered properly. There were no crushing disappointments here and no products that we have to warn companies not to consider. Instead, there were four variations on firewall competence, with enough brilliance thrown in to make life good for the security folks at quite a few mid-sized enterprises.

So who won? We do have a clear overall victor in the group, but before we get to that, let's talk about the winners in several important categories. If initial purchase price is your primary consideration, then ZyXel has a UTM for you. Make sure to keep tabs on just how much bandwidth you ask the ZyXel to protect, because it runs out of steam much earlier than the SonicWall and WatchGuard appliances. But at one-fifth the cost of the Astaro, the ZyXel ZyWall ($3,399 as tested) provides just as much throughput and twice the attack protection. Playing within its limits, the ZyWall is a solid, economical choice for organizations with smaller, less-demanding networks.

Maybe your primary criterion is out-of-the-box safety, even though your system will require substantial customization before your users are all happy. If so, the WatchGuard system is for you. Also a terrific value (at $9,299 as tested), the WatchGuard Firebox lays claim to enterprise-class manageability and the most throughput in our test. This is a firewall with plenty of headroom.

If you seek the greatest number of functions in a single box, the Astaro Security Gateway appliance brings an incredible range of security options to the table in a Linux-fueled package. The Astaro is even available as a VMware virtual machine, if protecting your company's virtual server farm is what you have in mind. However, the Astaro pulls up short on attack protection and throughput, especially for the price ($18,565 as tested).

Finally, if you need nothing short of the most serious combination of uncompromising security and maximum throughput, the SonicWall NSA is your box. The clear winner of our test, the SonicWall ran only a step behind the WatchGuard in throughput and far surpassed all three competitors in attack protection. Add its wizard-based setup routine that steps administrators through an otherwise complex process, and you have a product that clearly benefits from being the sixth generation of its family.

The purchase price of the SonicWall NSA E7500 ($38,990 as tested) is significantly higher than the other appliances here. But its combination of attack defense and throughput arguably shows an even greater gap from the competition. The SonicWall is not only a UTM truly worthy of the label, but a mid-range UTM that could well keep company with much larger devices.


Wednesday, May 27, 2009

More e-banking protection needed

Of the thousands of new Trojans found by Kaspersky Lab's analysts every day, one-third target Internet banking.

This is according to Costin Raiu, chief security expert for Kaspersky Lab EEMEA, who urges banks to do more to protect their customers.

Speaking at the ITWeb Security Summit, in Midrand, on Tuesday, Raiu said: "Malware has grown exponentially over the past few years, generating a serious problem, as security companies out there cannot grow their number of analysts exponentially."

While banks around the world are dealing with the economic crisis, Raiu said now was not the time for them to cut back on their security budgets, despite cash flow issues and depressing economic forecasts.

In addition, he noted, while security spend is reduced, online financial transactions are not lessening.

Reports reveal banks are cutting back on their physical security needs in these tough economic times and it concerns Raiu that online security is following suit. "IT security accounts for between 5% and 12% of total IT spend. As IT budgets are cut, security becomes a casualty along with everything else."

He said the closure of global financial institutions has also exacerbated the problem and brought with it a new onslaught of phishing attacks. "Customers, who are already in doubt as to whether their funds held by one of these institutions will be paid back, are vulnerable. They are more likely to respond to a phishing mail stating their money will not be returned if, for example, they do not confirm their online details within the next 24 hours."

This is just one of the ways cyber criminals are making money. They use malware to record passwords typed through a keyboard, phish for personal account details, and re-route online banking customers to fraudulent Web sites designed to collect login and password details.

"Trojans also make use of screenshots, capturing each mouse click on the virtual 'secure' keyboard, rendering these unsafe and useless."

Raiu said the lack of transparency within banks about attacks they have fallen victim to compounds the problem. "Banks should be open with their customers about attacks, not only acknowledging them, but offering advice and tips to the public to minimise these threats."

Insurers are increasingly unwilling to reimburse banks for cyber attacks, especially since some banks still have basic authentication systems. "A multifunctional authentication system is the best way to go, giving the maximum protection for banks and their customers. Banks need to do more for their customers."


Malware knocks out U.S. Marshals Service network

John Fontana

May 22, 2009 (Network World) Malware Wednesday crippled Windows-based computer systems at the U.S. Marshals Service, which hunts federal fugitives and operates the country's witness protection program, knocking the agency’s network offline.

The agency's press office confirmed it was having network problems and that its e-mail system was down Thursday morning, but it was unclear if the outage extended across the entire network.

Per government regulations, agencies are required to report security incidents to the US-Computer Emergency Readiness Team (US-CERT). A call to US-CERT was not returned by press time.

It was not clear if the malware was the cause of the network outage or if the agency took down systems to stem the spread of what was believed to be the Neeris worm, a new version of which appeared last month that copies Conficker's evil ways. The agency was running desktop anti-malware software, but it had not been updated for more than three years -- even though the agency had paid for upgrades to newer versions that protect against Neeris. In addition, Microsoft has issued two patches, one in 2006 and one in October, to close holes in its software exploited by Neeris.

The agency's Web site was up and running Thursday morning, but a receptionist in the press office said "the agency's whole e-mail system is down, and the agency is unable to receive e-mail."

Later, another press office staffer confirmed that there were network problems.

Members of the agency's IT staff were communicating with vendors via Gmail accounts as they attempted to work through the issue.

The U.S. Marshals Service, a division of the Department of Justice, is the oldest federal law enforcement agency and has served the country since 1789.

There was no word if the problems had spread to the Department of Justice (DOJ) or to other agencies under the DOJ.

The U.S. Marshals Service has approximately 4,901 employees, which includes 94 U.S. marshals and 3,324 deputy U.S. marshals and criminal investigators. The agency's fiscal 2008 budget was $864 million.

There were reports that the agency was hit with the Neeris worm, which infects desktops and can enable a remote user to execute malicious commands on the affected system.

Neeris and its variants are capable of propagating through multiple avenues, including network shares, removable drives, software vulnerabilities in servers (which let it spread across networks), and Microsoft's instant messaging clients. Trend Micro lists the risk rating for Neeris as "Low" but the damage potential as "High."

Michael Sweeny, global public relations director for Trend Micro, said the U.S. Marshals Service had contacted his company last night for help with its network issues.

He did not detail what those problems were and said he had not heard anything about Neeris being the culprit.

But Trend Micro's daily statistics on Neeris worm infections showed a spike from Wednesday evening that rose from nearly zero to 700 computers. Another smaller spike of about 100 computers was detected Thursday morning.

The Washington D.C. office of the U.S. Marshals Service has approximately 400 people.

The statistics, posted online, are based on detections made by Housecall, Trend Micro's online scanner.

The U.S. Marshals Service runs Trend Micro's OfficeScan, anti-malware software that installs on desktops, laptops and mobile devices.

The agency, however, runs the 5.0 version, which is more than three years old. Trend Micro says protection against Neeris has been in OfficeScan since version 8. The current version is 10.

"[Their version] is a vastly out-of-date, end-of-life product," said Sweeny.

In addition, Sweeny said the U.S. Marshals Service maintenance contract was up-to-date, meaning the agency had paid for upgrades to the software but had failed to install them.

Problems with security on government networks are not new.

An updated Government Accountability Office report issued this week said agencies have made progress in implementing information security requirements but that significant weaknesses persist. The report found 23 of 24 major federal agencies had weaknesses in their agency-wide information security programs. Those agencies included the DOJ.

While the Neeris worm has been around since 2005, a new version was discovered just last month that used the same vulnerability targeted by Conficker. The new version spreads via the Windows "autorun" command.

A patch to close the critically rated vulnerability that Neeris and Conficker exploit was issued in October by Microsoft. Still, security researchers reported this week that Conficker was still infecting 50,000 PCs per day.

Earlier versions of Neeris exploited a vulnerability patched by Microsoft in August 2006.


Thursday, May 21, 2009

Sophos: JSRedir-R surpasses other Web-based malware

A new web-based attack, JSRedir-R, has blown all previous Web-based malware out of the water, and is currently being found six times more often than its nearest rival, said Sophos Tuesday.

During the last seven days, almost half of all malicious infections found on websites were caused by Troj/JSRedir-R. Mal/Iframe-F, which has been the most widespread web-based threat for more than a year, accounted for just seven percent of infections this week, according to Sophos in a statement. The vendor said there is one new infected webpage every 4.5 seconds - three times more than in 2007.

"No one should be in any doubt that the web is still the main vector of attack for cybercriminals, and this new threat suggests this situation isn't going to change anytime soon," said Graham Cluley, senior technology consultant at Sophos. "The problem is that too many computer users still think there's no danger in surfing the web, but with legitimate sites often falling victim to these attacks, it's time to wake up. Hackers won't stop targeting the web as it's proving a successful way for them to spread their infections. To combat this, it's essential to scan every website for malicious code before visiting it."

JSRedir-R, which has been found on high traffic legitimate websites, loads malicious content from third-party sites (including one called Gumblar.cn, inspiring some security vendors to dub the threat 'Gumblar') without users' knowledge, said Sophos, adding that the malware can then be used to steal sensitive information for financial gain, to commit identity theft or to meddle with search engine results.


Identity theft lurks around every one of life's turns

Two reports today via the DataLossDB [1] newsletter demonstrate again that there is a seemingly limitless variety of ways in which your personal information can fall into the wrong hands.

Say you lose your job, for example. Already a kick in the backside, it's made even more egregious if you live in New Jersey and the state Department of Labor and Workforce Development "misdirects" your social security number in an envelope-stuffing snafu.

"It's important to remember the information was not stolen, simply misdirected," reads a letter received by some 28,000 Garden Staters, according to The Star-Ledger [2]. "Nevertheless, you should be aware of the situation and alert for irregularities that may suggest your personal information may have fallen into the wrong hands."

Hey, you're unemployed, you've got the time.

Or say you didn't lose your job. In fact, you're doing well enough that you're among the handful of Americans still confident enough in the economy to purchase a new automobile. Congratulations, but you had better hope against hope that the dealership you dealt with does not go rubber-side up.

From the Web site DailyCamera.com [3]: "Police have chained up 10 recycling bins outside Boulder's now-defunct Anderson Kia car dealership after learning that the bins were stuffed with personal information from the dealership's former customers. ... All of the folders contained Social Security numbers, driver's license information, photos, phone numbers and financial information."

A man participating in an auction spotted the material -- not clear why -- and notified police. Whether he was the first to notice the document dump -- or whether any car buyer's personal information was "misdirected" -- is anybody's guess.

It's a jungle out there.


Thursday, May 14, 2009

Three million Brits could end up as phish food: worries over the safety of bank deposits and lack of knowledge

Submitted by: Andrea Hounsham PR

Thursday, 14 May 2009


14 May 2009: The first recession of the internet age poses a threat that many of Britain's thirty million online banking users are not prepared for, according to a study commissioned by money.co.uk. The study found that more than nine million people (31%) do not know how to identify the fake emails that cyber-criminals use to steal online banking details. The practice is known as phishing and is often a precursor to the online banking fraud which cost the UK £52.5m in 2008.

Key research findings included:

• 38% of online Brits are more worried about the safety of bank deposits than they were prior to the credit crunch
• 26% of online banking customers (7.8m) would open an email from their bank warning about an urgent online banking security issue – a ruse often used by fraudsters
• Almost 10% (9.1%, or 2.7m adults) would act on its instructions, potentially handing security details to fraudsters
• 31% (9.3m) do not know how to tell if an email apparently from their bank is genuine.

Chris Morling, managing director of money.co.uk, said: "It is a surprise to find that so many people are still unaware that fraudsters use fake emails to trick people into giving away their online banking security details. The reality is that, whilst banks do email their customers from time to time, they rarely ask for a response, and never ask customers to reveal personal information or security details.

"Given what has happened to the banks in recent times, it is understandable that people are more concerned about the safety of their money – but there should be a real concern that this will see more people fall into the fraudsters' trap, particularly as crime tends to rise during a recession."

There is already evidence that economic turbulence is driving crime upwards, with cyber crime leading the charge. Last year alone, online banking fraud losses rose by 132%, reversing a downward trend from previous years. Meanwhile, general fraud and forgery rose by just 16%.

Morling added: "This is the first recession since the mass acceptance of online banking, and the emergence of phishing as a serious problem. The criminals behind these scams are pretty sophisticated, creating copies of online banking sites to harvest login and security details from people prompted to visit them by fake bank emails. If you don't know how to spot these scams, they can be very convincing."

Older and wiser

Perhaps surprisingly, young adults (18-24), who have grown up with the internet, are most at risk, according to the research from money.co.uk:

• 38% would open an email from their bank warning about an urgent online banking security issue (compared with 26% of all adults)
• 17.1% would act on its instructions (compared with 9.1%)
• 33% do not know how to tell if an email apparently from their bank is genuine.

Morling said: "It seems that older generations, who have adapted to internet banking, are more naturally cautious. For younger users, online banking has been the norm from day one and is something they take for granted, when they'd be better off adopting the cautious attitude of their parents when it comes to this issue."


Wednesday, May 6, 2009

Password Seeks Partner For Long-Term, Secure Relationship

Bill Nagel

May 4, 2009 (CSO) Passwords have been standing guard over our computer user accounts seemingly forever; for a long while, and for most purposes, they could go it alone.

But it's no secret that passwords are no longer sufficient as the sole means of granting access to critical networks, applications, and data, particularly as the number of applications requiring passwords at any given firm has skyrocketed. Either passwords are too weak, not changed regularly enough, or users write them down in a publicly accessible (read: not very secure) place, or they're long enough, complex enough, and changed regularly, and thus impossible to remember.

Organizations have been enacting more stringent measures to protect corporate and customer data from external and internal threats, comply with regulations, and manage information risks. One result is that enterprise security strategies have focused more sharply on managing user identities, access rights, and entitlements, driving a broader movement toward identity and access management (IAM). One of the first things firms recognize is that single-factor authentication (passwords alone) is a weak link in the security chain.

Firms looking to improve their IAM posture and clear the way to implement processes and technologies, like account and credential provisioning and life-cycle management, authorization and entitlement management, single sign-on (SSO), privileged user management, and federation, look to strong authentication as a starting point.

If IAM is analogous to allowing only those people you trust to enter your house, then strong authentication is the first step in the process: putting a lock on your door.

Deciding on a strong authentication solution is basically determining what combination of locks and keys will work best in a particular environment. But this is far from a trivial exercise: Dozens of distinct types of second-factor credentials, such as tokens, smart cards, and biometrics, dot today's marketplace; most of them provide a similar level of security.

But the main question driving the strong authentication marketplace today is not security, it's usability. Users don't like complexity, and they don't like to do something extra that affects their productivity. Companies mandating strong authentication found that employees would circumvent this burden whenever and however possible (like sharing credentials). This poses a problem for vendors and buyers alike: What will end users actually use?

With that in mind, here are three of the trends in the strong authentication market.

A broader range of authentication options. Different users have different needs, depending on whether they're inside or outside the company network and/or its physical premises and what kinds of sensitive information they're allowed to access. Mobile, IT-savvy users needing to access IT resources via remote VPN have different demands, desires, and capabilities than office-bound administrative staff, for example. And buyers want a one-stop shop where they can get everything they need for all of their users, including a credential management back end that handles multiple credential types seamlessly.

Multipurpose, easy-to-use credentials. Hardware tokens and other physical credentials can be unwieldy to carry and use, and it becomes really annoying when a user has to carry several of them: the "token necklace" problem. Employers have the luxury of mandating that employees use a certain token, but have less authority to extend such mandates to business partners.

Multipurpose credentials have clear benefits, even if those purposes are all internal to the company: for example, using the same card for building access and network access. And any form factor that holds credentials people can use in multiple contexts (think work, bank, eBay, etc.) will gain acceptance more easily. Small wonder, then, that smart cards and USB smart card tokens are the form factors offered by the largest number of vendors.

Collaboration on authentication standards. Several vendors have joined the effort to develop and improve open authentication standards like OATH. This will make it easier for customers to pick and choose the form factors (even from different vendors) that make the most sense for the various types of users among their employee population in terms of security, usability, and cost. It's also an important step on the path to broad-based availability of strong authentication for consumers.
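As an added illustration of what an open authentication standard like OATH actually specifies (this is example code written for this page, not vendor or Forrester material), the following Python implements the OATH HOTP algorithm from RFC 4226 together with the server-side validator that makes event-based tokens usable: a look-ahead window lets a token whose counter has drifted ahead (a user pressed the button a few times without logging in) resynchronise, while anything at or behind the stored counter is refused, which is what defeats replay of a code that was already used. The secret and the expected codes are the RFC 4226 test vectors; the window size of 5 is an assumed policy value.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"); a real deployment
# provisions a random per-token secret instead.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter step, following RFC 4226 section 5."""
    # Step 1: HMAC-SHA-1 over the 8-byte big-endian counter.
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Step 2: dynamic truncation; the low nibble of the last byte picks a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # Step 3: reduce to the requested number of decimal digits, zero-padded.
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server-side state for one token: next expected counter plus a look-ahead window.

    The window (an assumed policy value here) lets a token that was pressed a
    few times without logging in resynchronise; any counter at or behind the
    stored one is never retried, which blocks replay of a used code.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                # Move past the matched counter so the same code cannot be reused.
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))
    v = HotpValidator(TEST_SECRET)
    print("first use:", v.verify(hotp(TEST_SECRET, 0)))
    print("replay:", v.verify(hotp(TEST_SECRET, 0)))
```

The validator's counter must be persisted per token and updated atomically; if two logins race and both see the same stored counter, one code could be accepted twice. Rate limiting on failed attempts is also expected by the RFC, since a six-digit code offers only a million possibilities.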

What it means

The strong authentication market is maturing and expanding: Technological innovation is no longer the chief driver. Biometrics, mobile authentication, and PKI solutions are still at the technological forefront, but their bleeding-edge status is long gone. The industry used to sell and differentiate itself on technological innovation, but now reflects the broader trends in the IT and IT security marketplaces: a few major vendors dominating the landscape and filling out their portfolios via acquisition just as often as through organic growth. This is largely due to:

1) The reality of having to serve the masses. Strong authentication has moved well past the early adopter phase. It's no longer characterized by techies bragging about the length of their private key; it's a straightforward and increasingly transparent tool that's necessary to thriving in today's IT security environment. Buyers want an offering from a stable, diversified vendor whose solutions play nice with their existing IT infrastructure and which can bring a wealth of business perspective, professional services, and quality support to the table.

2) Divergent needs of the user community. "Usable" means different things to different people. As such, the market is not going to settle on any one form factor anytime soon. Quite the opposite: Many of the major vendors are adjusting their form factor and management system offerings to deal with the reality that different user populations, even within a single firm, might be better served by using different physical forms of credentials.

3) Broader trends in the IAM market. Identity management trends also affect the strong authentication market. Companies are struggling to comply with regulations, save costs, and improve their administrative efficiency, but don't yet have a strategic vision of how IAM can help improve business processes. Consolidation, bringing more IAM components under the aegis of a single vendor with a breadth of experience and expertise, is one way to dispel the notion of IAM as a disjointed set of technologies serving primarily tactical ends, and the strong authentication market is mirroring that.

This is not to say that there is no technological innovation happening in the strong authentication space. There is. But it's concentrated among smaller companies that can get CIOs excited about being on the cutting edge of technology. Many of these vendors fill gaps in the major players' product lines and will eventually be acquired by one of them as the consolidation frenzy continues; others will disappear eventually, either into their own niche or altogether.

But for now, most enterprise buyers will stick with the few remaining settled vendors, even as the market swells with small vendors looking for their piece of the authentication pie.


Bill Nagel is a Researcher at Forrester Research. Bill will present new Forrester content on strong authentication at Forrester's IT Forum, May 19-22 in Las Vegas.

Tuesday, May 5, 2009

Botnet probe turns up 70GB of personal, financial data

Researchers had access to the hacked computers for 10 days

By Jeremy Kirk

May 4, 2009 (IDG News Service) Researchers from the University of California gained control over a well-known and powerful network of hacked computers for 10 days, gaining insight into how it steals personal and financial data.

The botnet, known as Torpig or Sinowal, is one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as e-mail passwords and online banking credentials.

The researchers were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions, according to the researchers' 13-page paper.

Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70GB of data were collected from hacked computers.

The researchers stored the data and are working with law enforcement agencies such as the U.S. FBI, ISPs and even the U.S. Department of Defense to notify victims. ISPs also have shut down some Web sites that were used to supply new commands to the hacked machines, they wrote.

Torpig/Sinowal can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers.

Torpig/Sinowal can infect a PC if a computer visits a malicious Web site that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack. If the computer is vulnerable, a low-level piece of malicious software called a rootkit is slipped deep into the system.

The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007.

Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted.
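As an added example (written for this page, not taken from the researchers' paper or from any product), the following Python shows what the 512-byte sector that Mebroot overwrites looks like and one way a defender checks it: the sector is split into the bootstrap code the BIOS jumps to, the four-entry partition table and the 0x55AA signature, and a SHA-256 of the boot-code region is compared against a baseline recorded from a known-good disk. The sample sector is constructed rather than read from a real drive, and the tamper() helper simply overwrites part of the boot code so the report can be seen; on a real system the input would be the first sector read from the physical disk device.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_END = 446       # bytes 0..445 hold the bootstrap code the BIOS jumps to
PART_TABLE_END = 510      # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk image): filler boot code, one NTFS partition."""
    boot_code = bytes((i * 37 + 11) & 0xFF for i in range(BOOT_CODE_END))
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return boot_code + table + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the non-empty entries of the partition table."""
    parts = []
    for index in range(4):
        off = BOOT_CODE_END + 16 * index
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"index": index, "bootable": status == 0x80,
                          "type": ptype, "start_lba": start, "sectors": count})
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """Baseline value to record from a known-good disk and store off the host."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the sector matches expectations."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[PART_TABLE_END:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in parse_partitions(mbr) if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def tamper(mbr: bytes) -> bytes:
    """Overwrite 16 bytes of boot code to simulate an unexpected modification."""
    return mbr[:0x40] + b"\x00" * 16 + mbr[0x50:]


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = boot_code_hash(good)
    print("partitions:", parse_partitions(good))
    print("clean sector:", check_mbr(good, baseline))
    print("modified sector:", check_mbr(tamper(good), baseline))
```

The caveat the article hints at applies here: a rootkit that already controls the kernel can lie to any check run from the infected operating system, so the sector should be read and hashed from trusted boot media or another machine, and the baseline kept somewhere the host cannot rewrite.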

Mebroot can also download other code to the computer.

Torpig/Sinowal is customized to grab data when a person visits certain online banking and other Web sites. It is coded to respond to more than 300 Web sites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said.

If a person goes to a banking Web site, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN (personal identification number) or a credit card number.

Web sites using SSL (Secure Sockets Layer) encryption are not safe if used by a PC with Torpig/Sinowal, since the malicious software will grab information before it is encrypted, the researchers wrote.

Hackers typically sell passwords and banking information on underground forums to other criminals, who try to convert the data into cash. While it's difficult to precisely estimate the value of the information collected over the 10 days, it could be worth between $83,000 and $8.3 million, the research paper said.

There are ways to disrupt botnets such as Torpig/Sinowal. The botnet code includes an algorithm that generates domain names that the malware calls on for new instructions.

Security engineers have often been able to figure out those algorithms to predict which domains the malware will call on, and preregister those domains to disrupt the botnet. It is an expensive process, however. The Conficker worm, for example, can generate up to 50,000 domain names a day.
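To make the preregistration idea concrete, here is an added Python example, not from the paper or from any real botnet: a hypothetical date-seeded domain generation algorithm (constructed for illustration, not Torpig's or Conficker's actual algorithm) next to the defender's side of the problem, which is enumerating a day's candidate domains so they can be registered or sinkholed ahead of time, and matching DNS query logs against that set to find infected hosts. The seed, the list size of 20 per day, the log line format and the sample log lines are all constructed; the size of the preregistration list for a week shows why the cost scales with the generator's daily output.

```python
import hashlib
from datetime import date, timedelta
from typing import List

TLDS = ("com", "net", "biz")


def dga_domains(day: date, count: int = 20, seed: bytes = b"constructed-seed") -> List[str]:
    """Hypothetical DGA for illustration only (not Torpig's or Conficker's algorithm).

    Each domain is derived from a fixed seed, the calendar date and an index, so
    anyone who recovers the seed from a sample can compute the same daily list.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8                      # 8 to 15 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def preregistration_set(today: date, days_ahead: int, **kwargs) -> List[str]:
    """Every domain the malware could ask for from today through days_ahead days out.

    This is the list a defender would try to register or sinkhole; its length is
    what makes the approach expensive for high-volume generators.
    """
    result = []
    for offset in range(days_ahead + 1):
        result.extend(dga_domains(today + timedelta(days=offset), **kwargs))
    return result


def flag_dga_queries(log_lines: List[str], day: date, slack_days: int = 1) -> List[str]:
    """Return DNS log lines whose queried name is a DGA candidate for day +/- slack_days.

    The slack absorbs clock skew between the infected host and the log source.
    Assumed (constructed) log format: '<timestamp> <client-ip> QUERY <name>'.
    """
    candidates = set()
    for offset in range(-slack_days, slack_days + 1):
        candidates.update(dga_domains(day + timedelta(days=offset)))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "QUERY" and parts[3].lower().rstrip(".") in candidates:
            hits.append(line)
    return hits


# Constructed sample log: one query to a generated domain among benign traffic.
SAMPLE_DAY = date(2009, 5, 4)
SAMPLE_LOGS = [
    "2009-05-04T10:00:01 10.0.0.5 QUERY www.example.com",
    "2009-05-04T10:00:02 10.0.0.7 QUERY " + dga_domains(SAMPLE_DAY)[3] + ".",
    "2009-05-04T10:00:03 10.0.0.5 QUERY mail.example.net",
]

if __name__ == "__main__":
    print("today's candidates:", dga_domains(SAMPLE_DAY)[:3], "...")
    print("domains to preregister for a week:", len(preregistration_set(SAMPLE_DAY, 6)))
    print("flagged:", flag_dga_queries(SAMPLE_LOGS, SAMPLE_DAY))
```

With 20 names a day the weekly list is 140 domains; a generator that produces 50,000 a day, as the article says Conficker can, would need 350,000 registrations for the same week, which is why the paper calls on registrars to cooperate rather than leaving the cost to researchers.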

Registrars, companies that sell domain name registrations, should take a greater role in cooperating with the security community, the researchers wrote. But registrars have their own issues.

"With few exceptions, they often lack the resources, incentives or culture to deal with security issues associated with their roles," the paper said.