“One of the things that screams out of this report,” said Dave Ewart, director of product marketing at Blue Coat, “is that the criminals have got a lot smarter and more sophisticated.”
He was telling me about Blue Coat’s new Web Security Report 2011 (a damned good read for anyone interested in what the bad guys are doing today); and he gave me an example. “One of the things we look for in this report,” he explained, “is the top web attacks and the mechanisms used in them.” The top two are unsurprising. “Number one is the fake anti-malware scam (rogueware: ‘you’re infected but we can cure you if you just click here’). Number two is the false codec scam (‘your video player is out of date; download the latest version here if you want to see this video of Justin Bieber taking his clothes off on the beach while playing football with David Beckham and Lady Gaga’).” But “Malvertising,” said Dave, “is brand new in at number three. It’s come from nowhere, and is an interesting new phenomenon.”
Malvertising has been around for a few years, but it has now evolved into something quite worrying. Early versions were often just infected Flash advertisements; the good guys have got better and better at recognising those infections, and the bad guys have got better and better at disguising themselves.
Consider, if you will, the nature of cybercrime. Its purpose is to take your money. But cybercrime cannot do it through physical violence, so it has to do it through persuasion. The key element of almost all cybercrime is therefore a con, a hustle. ‘Hustle’ is the name of an excellent television programme on the BBC about professional Robin Hood-style hustlers and hustling, and one of the things the hustlers demonstrate is that a successful hustle takes time, takes patience and probably a little outlay. This is something the cybercriminals have learned, and are using in the latest iteration of malvertising.
“The cybercriminals will provide an advertisement, like a banner ad, for some attractive, very realistic looking thing; and they will pay for the distribution of that ad through a reputable ad network.” What they’re doing is leveraging a ready-made and highly effective distribution system. But at this stage the malvertising is benign, dormant: there is nothing in it for a scanner to detect. “It will often lie in wait for months inside this multi-layered advertising network, almost like a sleeper cell. The longer the advert lives in the system the more likely it is to appear in search results, and the more likely it is to become a trusted element of a trusted web page. Two or three months, or maybe even five months later – wham – the sleeper cell suddenly bursts into life and the malware advert will, via five or six hops, take users to the malware host and deliver its payload.”
…a relatively new ad domain that had existed for approximately six months had been checked several times for malware with clean ratings when it picked a day in early November to selectively target and deliver its cloaked malware payload. The next day it was gone. Developing clean reputations within ad networks, accepting categorizations and passing multiple sweeps for malware, cyber crime is very patient to develop valuable and trusted positions within Web advertising structures before launching attacks.
By not being afraid to spend a little to gain a lot, by being patient, and by mimicking physical-world hustles, the new generation of cybercriminals is getting scarily ‘professional’.
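The sleeper-ad behaviour described above is hard to catch with a single scan, because the ad server can answer a reputation scanner with a clean page and only send real visitors down the redirect chain. The following is an added example, not code from Blue Coat’s report or from the article, of the kind of differential check an ad network could run: the same ad URL is fetched under several request profiles and the resulting redirect chains are compared. The ad server here is a constructed model; the hostnames, the activation date and the cloaking conditions (a crawler-looking User-Agent, a missing Referer, the wrong country, a date before activation) are assumptions for the illustration, not details the report gives.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# ---- Constructed stand-in for the malicious ad's server-side logic ----------
# Hostnames, dates and the cloaking conditions below are assumptions for the
# illustration, not details from Blue Coat's report.
ENTRY_URL = "http://ads.example-network.test/banner/4711"
BENIGN_LANDING = "http://ads.example-network.test/landing/summer-sale"
ACTIVATION_DAY = date(2010, 11, 3)            # the day the sleeper ad "wakes"
SCANNER_UA_MARKERS = ("bot", "crawler", "scanner", "spider")
TARGET_COUNTRY = "GB"                         # campaign only fires for one geography

# Each hop is a different domain; only the last one serves the payload.
REDIRECT_CHAIN = {
    ENTRY_URL: "http://cdn.example-network.test/r?id=77",
    "http://cdn.example-network.test/r?id=77": "http://track.example-thirdparty.test/go",
    "http://track.example-thirdparty.test/go": "http://stats.example-redirector.test/j",
    "http://stats.example-redirector.test/j": "http://update.example-bad.test/player.exe",
}

@dataclass(frozen=True)
class Request:
    user_agent: str
    referer: Optional[str]   # a real ad click arrives with the publisher page as Referer
    country: str
    today: date

def looks_like_scanner(req: Request) -> bool:
    ua = req.user_agent.lower()
    return (any(m in ua for m in SCANNER_UA_MARKERS)
            or req.referer is None
            or req.country != TARGET_COUNTRY)

def cloaked_location(url: str, req: Request) -> Optional[str]:
    """Location header the constructed ad server answers with; None means a 200 page."""
    if url == ENTRY_URL and (req.today < ACTIVATION_DAY or looks_like_scanner(req)):
        return BENIGN_LANDING
    return REDIRECT_CHAIN.get(url)

# ---- The checker: follow redirects under several request profiles ----------
def follow_chain(url: str, req: Request, max_hops: int = 10) -> List[str]:
    """Record every hop a client would be sent through, starting at the ad URL."""
    hops = [url]
    while (nxt := cloaked_location(hops[-1], req)) is not None:
        if len(hops) > max_hops:
            raise RuntimeError("redirect loop or excessively long chain")
        hops.append(nxt)
    return hops

Profile = Tuple[str, Optional[str], str]   # (user_agent, referer, country)

def differential_check(profiles: Dict[str, Profile], today: date,
                       max_benign_hops: int = 3) -> Tuple[bool, Dict[str, List[str]]]:
    """Fetch the ad as each profile; flag it when the final hosts disagree between
    profiles or when any chain is longer than a legitimate ad-serving chain."""
    chains = {name: follow_chain(ENTRY_URL, Request(ua, ref, cc, today))
              for name, (ua, ref, cc) in profiles.items()}
    final_hosts = {urlsplit(c[-1]).hostname for c in chains.values()}
    too_long = any(len(c) - 1 > max_benign_hops for c in chains.values())
    return (len(final_hosts) > 1 or too_long), chains

# Constructed request profiles: a reputation scanner and two ordinary browsers.
PROFILES: Dict[str, Profile] = {
    "scanner": ("ExampleReputationBot/1.0 (+http://scanner.example.test)", None, "US"),
    "uk_user": ("Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
                "http://news.example-publisher.test/story", "GB"),
    "us_user": ("Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
                "http://news.example-publisher.test/story", "US"),
}

if __name__ == "__main__":
    for day in (date(2010, 10, 1), ACTIVATION_DAY):
        flagged, chains = differential_check(PROFILES, day)
        print(day, "flagged" if flagged else "clean")
        for name, chain in chains.items():
            print(f"  {name:8s} {len(chain) - 1} hops -> {chain[-1]}")
```

Run on its own the block prints both outcomes: before the activation date every profile lands on the benign page, and on the day itself only the browser-like request from the targeted country is sent through four hops to the payload host. The point to take away is the last assertion in the check: a scanner that uses only its own profile still sees a clean ad that day, which is exactly how the domain in the report passed “multiple sweeps for malware”.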
Trusteer has found a new banking trojan: OddJob.
“We have found,” said Trusteer’s CTO Amit Klein, “a new type of financial malware with the ability to hijack customers’ online banking sessions in real-time using their session ID tokens…
“The most interesting aspect of this malware,” he continued, “is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control protocols operate. We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware’s functionality may not be 100 per cent complete as the code writers continue to refine it.”
I asked Luis Corrons, technical director at PandaLabs, what he thought about OddJob. “From the technological point of view,” he answered, “it is smart; though I remember a Zeus variant I looked at some years ago that had a similar behaviour. It didn’t do anything about the ‘log out’ option, but was not stealing the user credentials either – it was just replacing the information that the user was introducing when doing online money transfers.
“The problem with the OddJob trojan is that all the banks that take the security of their customer seriously require extra authentication for certain transactions (such as money transfers) so having the ability to ‘steal’ the user session is useless to steal money. Zeus released a new version back in 2010 that was capable of circumventing a 2nd factor authentication using a different device (mobile phone), and that is really challenging as it is one of the best protection methods implemented so far.”
So it appears that OddJob is a bit of an anomaly: it is new and sophisticated; but apparently not as dangerous as Zeus/SpyEye. So why bother when you could simply hire SpyEye? Back to one of Amit Klein’s comments: “it [OddJob] appears to be a work in progress.” That reminded me about a conversation I recently had with Bradley Anstis, VP, Technical Strategy – M86 Security. Bradley was explaining the evolution and merging of Zeus and SpyEye. “Whenever you think of Zeus,” he explained, “cross it out and replace it with ‘SpyEye’. Zeus used to be the dominant banking trojan; but its creator seemed to decide that he’d had enough of the limelight – and he’s actually given the source code to the creator of SpyEye. Now they’re working together on SpyEye, which has taken over the throne from Zeus. Already in the last month we’ve seen new versions of SpyEye come out that are getting more complex and more complicated all the time.”
Bradley went on to explain what he expects to see in 2011. “We think in the next year financial trojans will move away from just being oriented against banks. Any organisation that does financial transactions on the internet should be thinking now about updating their knowledge about these banking trojans, and how they could affect their business transactions in the future – companies like Amazon and eBay have user accounts that could well be targeted.”
The simple fact is that cloud computing is providing a new model just as much for cybercrime as for cyberbusiness: the tools of crime are cheaper and easier to use than ever before. And there is little doubt that OddJob is designed to make use of cloud opportunities. One “noteworthy aspect of OddJob,” comments Amit, “is that the malware’s configuration is not saved to disk – a process that could trigger a security analysis application – instead, a fresh copy [and therefore the latest version] of the configuration is fetched from the C&C server each time a new browser session is opened.” So using the cloud model, it is easy to envisage a ‘theft to order’ approach run from the cloud (actually, it is already with us); and it’s just possible that this ‘work in progress’ is an early view of a new development in the evolution of cybercrime.
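Luis Corrons’s point, that a hijacked session is “useless to steal money” where the bank demands extra authentication for a transfer, is worth seeing from the bank’s side. What follows is an added example, not OddJob code, not Trusteer’s analysis and not any bank’s implementation: a constructed back end that binds a session to the client it was issued to, requires a transaction-bound one-time code for transfers, and destroys the session record on logout rather than trusting the browser to drop its cookie. The account names, limits and the text-message channel are assumptions. The scenario function walks a hijack through it, and the distinction it makes is the practical one: if the stolen session ID is replayed from the attacker’s own machine the binding check stops it, but if the malware acts through the victim’s own browser the binding is satisfied and only the step-up check stands between the attacker and the money, which is why the 2010 Zeus variant that defeated the second device is the more worrying development.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

class SessionError(Exception):
    pass

@dataclass
class Session:
    user: str
    client_ip: str
    user_agent: str
    last_seen: float
    pending: Optional[dict] = None   # a transfer awaiting its one-time code

class BankServer:
    """Constructed bank back end: session binding, step-up auth, real logout."""
    IDLE_TIMEOUT = 300   # seconds (assumed values)
    OTP_LIFETIME = 120

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.sessions: Dict[str, Session] = {}
        self.balances = {"alice": 1000, "bob": 0, "mule": 0}   # constructed accounts
        self.sms_outbox: List[str] = []   # stands in for the customer's phone

    def login(self, user: str, client_ip: str, user_agent: str) -> str:
        # Password/first-factor check omitted for brevity (assumed to have passed).
        if user not in self.balances:
            raise SessionError("unknown user")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, client_ip, user_agent, self.clock())
        return sid

    def _session(self, sid: str, client_ip: str, user_agent: str) -> Session:
        s = self.sessions.get(sid)
        if s is None:
            raise SessionError("no such session")
        if self.clock() - s.last_seen > self.IDLE_TIMEOUT:
            del self.sessions[sid]
            raise SessionError("session expired")
        if (s.client_ip, s.user_agent) != (client_ip, user_agent):
            del self.sessions[sid]   # a replay from elsewhere burns the session
            raise SessionError("session presented from a different client")
        s.last_seen = self.clock()
        return s

    def balance(self, sid, ip, ua) -> int:
        return self.balances[self._session(sid, ip, ua).user]

    def request_transfer(self, sid, ip, ua, amount: int, dest: str) -> None:
        s = self._session(sid, ip, ua)
        code = f"{secrets.randbelow(10**6):06d}"
        s.pending = {"code": code, "amount": amount, "dest": dest,
                     "expires": self.clock() + self.OTP_LIFETIME}
        # The out-of-band message names the transaction, so a swapped payee is visible.
        self.sms_outbox.append(f"Code {code} to pay {amount} to {dest}")

    def confirm_transfer(self, sid, ip, ua, amount: int, dest: str, code: str) -> bool:
        s = self._session(sid, ip, ua)
        p, s.pending = s.pending, None   # one attempt per issued code
        if p is None or self.clock() > p["expires"]:
            return False
        if not secrets.compare_digest(p["code"], code):
            return False
        if (p["amount"], p["dest"]) != (amount, dest):
            return False   # code was issued for a different transaction
        if self.balances[s.user] < amount:
            return False
        self.balances[s.user] -= amount
        self.balances[dest] = self.balances.get(dest, 0) + amount
        return True

    def logout(self, sid, ip, ua) -> None:
        self.sessions.pop(sid, None)   # destroy the server-side record, not just the cookie

def scenario() -> dict:
    """Walk a hijack attempt through the controls; returns what each step achieved."""
    now = [1_000_000.0]
    bank = BankServer(clock=lambda: now[0])
    victim = ("203.0.113.5", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6")
    attacker = ("198.51.100.7", "Mozilla/5.0 (X11; Linux) Chrome/9.0")
    out = {}
    sid = bank.login("alice", *victim)
    try:                                # 1. replaying the stolen ID from another machine
        bank.balance(sid, *attacker)
        out["remote_replay"] = "allowed"
    except SessionError as e:
        out["remote_replay"] = str(e)
    sid = bank.login("alice", *victim)  # the replay burned the session; victim logs in again
    out["in_browser_read"] = bank.balance(sid, *victim)   # 2. in-browser use passes binding
    bank.request_transfer(sid, *victim, 500, "bob")       # victim starts a genuine payment
    code = bank.sms_outbox[-1].split()[1]
    out["swapped_dest"] = bank.confirm_transfer(sid, *victim, 500, "mule", code)  # payee edited
    bank.request_transfer(sid, *victim, 500, "bob")
    code = bank.sms_outbox[-1].split()[1]
    out["genuine"] = bank.confirm_transfer(sid, *victim, 500, "bob", code)
    bank.logout(sid, *victim)                              # 3. logout kills the record
    try:
        bank.balance(sid, *victim)
        out["after_logout"] = "allowed"
    except SessionError as e:
        out["after_logout"] = str(e)
    out["balances"] = dict(bank.balances)
    return out
```

Two design choices matter here. The one-time code is bound to the amount and payee it was issued for and is consumed on first use, so a trojan that lets the customer authorise one payment and then rewrites the destination (the Zeus behaviour Corrons recalls) gets a rejected transfer rather than a redirected one. And logout is a server-side operation: a session whose logout request never reaches the bank, or whose cookie the browser keeps, is still limited by the idle timeout, which is the control that holds when the client cannot be trusted to end the session itself.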
One of the things I really dislike about the security industry is the prevalent doom and gloom attitude it promotes. It may be its function to keep us safe; but it is in its interests to keep us afraid – if we’re not afraid, we won’t buy its products. Fear sells.
So the news is full of
- 99.99% of all email is spam (the rest is spear phishing)
- cyberwar between the USA/UK and China has already started
- most people will suffer identity theft next week
- software piracy loses the industry more than the UK’s national debt every 10 seconds
- one in three people is a hacker; one in three is a spammer; and one in three sells security
I exaggerate. A little. But here’s the latest:
As US IT security experts and liberty organisations discuss the ramifications of the recent effective shutdown of the Internet in Egypt – and whether President Obama should have access to an Internet ‘kill switch’ – the organisers of Infosecurity Europe show are saying that the saga highlights the need for IT contingency planning.
According to Claire Sellick, Event Director for Infosecurity Europe, the lessons coming out of the Egypt net shutdown – and the fact that the US government is now talking about having access to a similar ‘shutdown button’ for the US side of the Internet – should act as a red flag to IT managers in organisations of all sizes.
That’s the fear. Here’s the sell:
“Of course, gaining access to information on these topics is not as easy as you might think. Fortunately, help is at hand in the shape of the free educational seminar programs we are planning for the Infosecurity Europe show, which takes place at Earls Court, London 19-21 April 2011 http://www.infosec.co.uk,” she added.
But this is what Jason Easley wrote in Politicususa:
After Egypt shut down their Internet service, the US Senate in their infinite wisdom decided to take up Joe Lieberman’s Protecting Cyberspace as a National Asset Act of 2010 a.k.a. the Internet kill switch bill. There is a great deal of concern over the bill, but the one thing that the legislation does not contain is an Internet kill switch. In fact, national cyber security guidelines are going to be developed with the private sector. The so called Internet kill switch started as a right wing talking point that has seeped into the national discussion.
Debunking The Myth of Obama’s Internet Kill Switch
But that’s the problem. No fear, no sale. So if a security salesman tries to panic you – go elsewhere. Find one – and they do exist – who will explain the situation rationally; beware of the ‘buy my safety’ scam.