Archive
Malvertising: the new generation of cybercriminals are getting scarily professional
“One of the things that screams out of this report,” said Dave Ewart, director of product marketing at Blue Coat, “is that the criminals have got a lot smarter and more sophisticated.”
Dave Ewart, director of product marketing, Blue Coat
He was telling me about Blue Coat’s new Web Security Report 2011 (a damned good read for anyone interested in what the bad guys are doing today); and he gave me an example. “One of the things we look for in this report,” he explained, “is the top web attacks and the mechanisms used in them.” The top two are unsurprising. “Number one is the fake anti-malware scam (rogueware: ‘you’re infected but we can cure you if you just click here’). Number two is the false codec scam (‘your video player is out of date; download the latest version here if you want to see this video of Justin Bieber taking his clothes off on the beach while playing football with David Beckham and Lady Gaga’). But “Malvertising,” said Dave, “is brand new in at number three. It’s come from nowhere, and is an interesting new phenomenon.”
Malvertising has been around for a few years; but has now evolved into something quite worrying. Early versions were often just infected Flash advertisements; but the good guys have got better and better at recognising the bad guys’ infections. And the bad guys have got better and better at disguising themselves.
Consider, if you will, the nature of cybercrime. It’s purpose is to take your money. But cybercrime cannot do it through physical violence; so it has to do it through persuasion. The key element of almost all cybercrime is therefore a con – a hustle. ‘Hustle’ is the name of an excellent television programme on the BBC. It’s about professional Robin Hood style hustlers and hustling; and one of the things the hustlers demonstrate is that a successful hustle takes time, takes patience and probably a little outlay. This is something the cybercriminals have learned, and are using in the latest iteration of malvertising.
Hustle from the BBC: not to be confused with the bad guy hustlers
“The cybercriminals will provide an advertisement, like a banner ad, for some attractive, very realistic looking thing; and they will pay for the distribution of that ad through a reputable ad network.” What they’re doing is leveraging a ready-made and highly effective distribution system. But this malvertising is benign, dormant. “It will often lay in wait for months inside this multi-layered advertising network, almost like a sleeper cell. The longer the advert lives in the system the more likely it is to appear in search results, and the more likely it is to become a trusted element of a trusted web page. Two or three months, or maybe even five months later – wham – the sleeper cell suddenly bursts into life and the malware advert will, via five or six hops, take users to the malware host and deliver its payload.
…a relatively new ad domain that had existed for approximately six months had been checked several times for malware with clean ratings when it picked a day in early November to selectively target and deliver its cloaked malware payload. The next day it was gone. Developing clean reputations within ad networks, accepting categorizations and passing multiple sweeps for malware, cyber crime is very patient to develop valuable and trusted positions within Web advertising structures before launching attacks.
By not being afraid to spend a little to gain a lot; by being patient and mimicking physical world hustles, the new generation of cybercriminals are getting scarily ‘professional’.
OddJob: the next phase in the evolution of cybercrime?
Trusteer has found a new banking trojan: OddJob.
Amit Klein, CTO, Trusteer
“We have found,” said Trusteer’s CTO Amit Klein, “a new type of financial malware with the ability to hijack customers’ online banking sessions in real-time using their session ID tokens…
“The most interesting aspect of this malware,” he continued, “is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control protocols operate. We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware’s functionality may not be 100 per cent complete as the code writers continue to refine it.”
I asked Luis Corrons, technical director at PandaLabs, what he thought about OddJob. “From the technological of view-point,” he answered, “it is smart; though I remember a Zeus variant I looked at some years ago that had a similar behaviour. It didn’t do anything about the ‘log out’ option, but was not stealing the user credentials either – it was just replacing the information that the user was introducing when doing online money transfers.
Luis Corrons, technical director, PandaLabs
“The problem with the OddJob trojan is that all the banks that take the security of their customer seriously require extra authentication for certain transactions (such as money transfers) so having the ability to ‘steal’ the user session is useless to steal money. Zeus released a new version back in 2010 that was capable of circumventing a 2nd factor authentication using a different device (mobile phone), and that is really challenging as it is one of the best protection methods implemented so far.”
So it appears that OddJob is a bit of an anomaly: it is new and sophisticated; but apparently not as dangerous as Zeus/SpyEye. So why bother when you could simply hire SpyEye? Back to one of Amit Klein’s comments: “it [OddJob] appears to be a work in progress.” That reminded me about a conversation I recently had with Bradley Anstis, VP, Technical Strategy – M86 Security. Bradley was explaining the evolution and merging of Zeus and SpyEye. “Whenever you think of Zeus,” he explained, “cross it out and replace it with ‘SpyEye’. Zeus used to be the dominant banking trojan; but its creator seemed to decide that he’d had enough of the limelight – and he’s actually given the source code to the creator of SpyEye. Now they’re working together on SpyEye, which has taken over the throne from Zeus. Already in the last month we’ve seen new versions of SpyEye come out that are getting more complex and more complicated all the time.”
Bradley Anstis, VP, Technical Strategy at M86 Security
Bradley went on to explain what he expects to see in 2011. “We think in the next year financial trojans will move away from just being oriented against banks. Any organisation that does financial transactions on the internet should be thinking now about updating their knowledge about these banking trojans, and how they could affect their business transactions in the future – companies like Amazon and eBay have user accounts that could well be targeted.”
The simple fact is that cloud computing is providing a new model just as much for cybercrime as for cyberbusiness: crime is cheaper and easier to use than ever before. And there is little doubt that OddJob is designed to make use of cloud opportunities. One “noteworthy aspect of OddJob,” comments Amit, “is that the malware’s configuration is not saved to disk – a process that could trigger a security analysis application – instead, a fresh copy [and therefore the latest version] of the configuration is fetched from the C&C server each time a new browser session is opened.” So using the cloud model, it is easy to envisage a ‘theft to order’ approach run from the cloud (actually, it is already with us); and it’s just possible that this ‘work in progress’ is an early view of a new development in the evolution of cybercrime.
The ‘Be afraid; be very afraid; be very, very afraid; and then buy my product’ scam
One of the things I really dislike about the security industry is the prevalent doom and gloom attitude it promotes. It may be their function to keep us safe; but it is in their interests to keep us afraid – if we’re not afraid, we won’t buy their products. Fear sells.
So the news is full of
- 99.99% of all email is spam (the rest is spear phishing)
- cyberwar between the USA/UK and China has already started
- most people will suffer identity theft next week
- software piracy loses the industry more than the UK’s national debt every 10 seconds
- one in three people is a hacker; one in three is a spammer; and one in three sells security
I exaggerate. A little. But here’s the latest:
As US IT security experts and liberty organisations discuss the ramifications of the recent effective shutdown of the Internet in Egypt – and whether President Obama should have access to an Internet `kill switch’ – the organisers of Infosecurity Europe show are saying that the saga highlights the need for IT contingency planning.
According to Claire Sellick, Event Director for Infosecurity Europe, the lessons coming out of the Egypt net shutdown – and the fact that the US government is now talking about having access to a similar `shutdown button’ for the US side of the Internet – should act as a red flag to IT managers in organisations of all sizes.
That’s the fear. Here’s the sell:
“Of course, gaining access to information on these topics is a not as easy as you might think. Fortunately, help is at hand in the shape of the free educational seminar programs we are planning for the Infosecurity Europe show, which takes place at Earls Court, London 19-21 April 2011 http://www.infosec.co.uk,” she added.
But this is what Jason Easley wrote in Politicususa:
After Egypt shut down their Internet service, the US Senate in their infinite wisdom decided to take up Joe Lieberman’s Protecting Cyberspace as a National Asset Act of 2010 a.k.a. the Internet kill switch bill. There is a great deal of concern over the bill, but the one thing that the legislation does not contain is an Internet kill switch. In fact, national cyber security guidelines are going to be developed with the private sector. The so called Internet kill switch started as a right wing talking point that has seeped into the national discussion.
Debunking The Myth of Obama’s Internet Kill Switch
But that’s the problem. No fear, no sale. So if a security salesmen tries to panic you – go elsewhere. Find one – and they do exist – who will explain the situation rationally; beware of the ‘buy my safety’ scam.
IronBee: a new open source web application firewall is announced at RSA
Philippe Courtot, chairman and CEO of Qualys, is sometimes described as a serial entrepreneur – and he might just be on the point of revolutionising software development. Today at RSA Qualys announced a new open source project: IronBee. It was proposed by Ivan Ristic, who could himself be described as a serial open source developer, and accepted within minutes. Qualys will fund the initial development of a new, free, open source, untied web application firewall (WAF).
Ivan Ristic; Qualys' serial open source developer
Why? Vulnerabilities in web applications are rapidly becoming one of the industry’s biggest headaches. “What we’ve been seeing in recent years,” Ristic told me, “is that applications have become the major source of problems for companies, mostly because of those companies’ need to get from planning to implementation very quickly. The security industry has to play catch-up, and we’re still trying to figure out how to develop web application security. In the meantime business has to continue doing business, and we must somehow manage this situation.
“WAFs are one possible answer to the problem. With a WAF, what you get is something like an all-seeing eye that sees everything that comes in from the outside world and everything that goes out from the organisation. By being able to intercept the traffic, both inbound and outbound, a WAF can prevent or stop an attack before it does any damage. And on the outbound it can catch data leakage and other similar issues.”
And this appeals to Courtot because Qualys is primarily a scanning company. You use Qualys to see if you are safe. It is a slice in time. Then you wait a while and scan again to see if you are still safe. But between scans you are vulnerable and could be compromised; so the continuous monitoring of a WAF is appealing to a security man like Courtot.
But there is already an open source and very popular WAF. “At the moment,” continued Ristic, “the most popular WAF is called ModSecurity [Ristic was also the original author of ModSecurity]. In 2002 I was running a software development team producing web applications – and I couldn’t sleep at night worrying about how to keep them secure. I was trying to think of ways I might be able to improve the security of my applications – and that’s how ModSecurity was born. Fast forward 5 or 6 years and tens of thousands of companies all over the world have adopted this open source WAF. The only problem is that it uses the GPL licence, which is effectively a viral licence which prevents commercial exploitation (viral nature of GPL). But with this new project I have a team of four people and we’re building a more efficient WAF from scratch, not only choosing a better license, but also, hopefully, avoiding all the same mistakes we made with ModSecurity.”
Key to the new approach is its unlimited licence. Qualys will place no limitations whatsoever on its use. If a company chooses to take the software and incorporate it into a proprietary product with no further reference to the project – so be it. But what Ristic hopes, and believes, is that other companies will take the code, add to it, and return it to the open source project – and in this way it will grow and improve. Similarly, he believes that the existing army of open source enthusiasts will adopt the project and work with it to develop a genuinely free and advanced web application firewall.
“Qualys is funding the effort to build this project from scratch and to make it available to the world under a business-friendly user licence. We are putting no restrictions on this project or the use of the code. We’re doing it because that’s the only way to make it universal. And because we are giving it away for free, we will be encouraging all cloud providers to adopt it and to take it. We are not asking for anything in return. They are free to take the code and to use it and to keep it. That’s the key – that’s the most important message of this project. We’re hoping that they are not just going to use the code, we’re hoping that they will join the project. Because there are no strings attached we hope to form a community that will be a mixture of commercial organisations and individuals and security researchers and anyone else who will jointly collaborate in creating this product that will allow us to deal with the web application security issues.” Within six months Ristic expects to have evolved the project into a genuinely democratic project with a life of its own.
Akamai is an enthusiast. “We are excited about the unveiling of the IronBee open source web application firewall project,” said John Summers, vice president of product management for Akamai Technologies. “Akamai and Qualys share a vision that web security must evolve to become an intercommunicating ecosystem of controls located both in the cloud and within the user’s infrastructure. Akamai looks forward to IronBee improving the industry’s ability to address the escalating number and sophistication of web application attacks.” There will be many more supporters by the end of RSA.
Think of that. A single web application firewall that will be as free to individuals running a website from their home computer as to major cloud providers embedding the software into their services. And all supported by the online open source community of developers and researchers. That model could change the way that cloud products are developed in the future.
Old computers and sensitive data – wipe before disposing
I am probably not alone in this. I have several old computers that no longer function. They’re old, have obsolete operating systems, won’t boot, probably contain personal information that I don’t want others to see, are simply taking space – and I don’t know what to do with them.
So when I heard that Computer Aid is looking for old computers that it can refurbish and donate to the third world, I thought my problems were solved. David Barker, CEO of Computer Aid, explained: “We are always on the lookout for donations of PCs and monitors. Just one refurbished computer can provide 6,000 hours of further use – enough to educate 60 children to a vocational level in IT and significantly increase their employment prospects. Alternatively, one computer can also allow a rural doctor to communicate with specialists in cities, thereby allowing them to provide life-saving medical treatment which they might otherwise have been unable to diagnose or carry out.
“Rather than recycling your ICT and especially your monitors, please consider donating your equipment to Computer Aid so that we can send your unwanted PCs to those who need them the most.”
This is good. Especially when you notice that ‘all donated equipment is data-wiped to US and UK military standards using Ontrack Eraser data wiping software. Donating to Computer Aid is also a carbon efficient means of IT disposal since reusing a PC is 20 times more energy-efficient than recycling.’ Useful and a good cause to boot – so I heartily recommend that companies upgrading their existing equipment should consider using Computer Aid.
Robert Winter, chief engineer, Kroll Ontrack
But it doesn’t work for me. Computer Aid is looking for equipment that it can refurbish. My old heaps are beyond that; but I certainly need something like Ontrack’s Eraser data wiping software to clean the drives before I do anything at all. So I spoke to Ontrack’s Chief Engineer Robert Winter to see if there is any easy remedy. There isn’t.
The problem, he told me, is endemic. Last year Kroll Ontrack found that two-thirds of the computers it randomly purchased from eBay still contained sensitive information from their previous owners. And a separate survey found that less than half of businesses regularly deploy a method of erasing sensitive data from old computers and hard drives.
“Companies need to plan for disposal before they need to dispose of their equipment,” he explained. Apart from anything else, this would help to demonstrate regulatory compliance – disposing of equipment with personal information still contained could lead to a heavy fine from, in the UK, the ICO. “As part of that plan, “continued Winter, “Ontrack’s Eraser could be used to wipe the data before disposal. It overwrites the whole disk with three separate and different patterns, leaving the data completely irretrievable.”
I thought of my own problem. I can’t boot the computers, so how can I wipe them? “We supply our software both on CD and USB stick. You can boot from these, so that the whole disks can be wiped. Companies buy a license, and during the lifetime of the license they can wipe a disk whenever it is necessary.” It seems an excellent solution. If you have old computers that still work, you can donate them to Computer Aid and the data will be cleared with Ontrack’s Eraser for you. But if your business plan involves re-selling the equipment to recoup some of the cost, then you can still use Eraser under your own license.
It’s just that it doesn’t work for me. I just have a couple of personal computers that aren’t good enough for Computer Aid and don’t warrant the cost of a business license from Ontrack. But maybe, just maybe, there’s a business opportunity here. USB sticks are not expensive. Could some entrepreneurial company take something like Eraser, put it on a bootable stick, and allow, say five uses for the home market?
Should SOCA be allowed to request domain takedown without judicial oversight?
Claire Sellick, Event Director of Infosecurity Europe, has been talking about one of Nominet’s current policy proposals: Dealing with domain names used in connection with criminal activity. “If, as seems likely,” she says, “Nominet adopts the plan, then a decision will be taken to take a site offline in very short order, where the intent is clearly criminal or the site appears to act as a conduit for malware.”
“The Plan” is effectively the desire of the UK’s Serious Organized Crime Agency (SOCA) to request the automatic removal of websites it doesn’t like; and this Plan would be easily achieved with the acquiescence of Nominet. Nominet maintains the register of UK domain names. Put succinctly, if Nominet withdraws a domain name from that register, then the corresponding website just vanishes. Just like that. Since websites are now the lifeblood of not just commerce but all organisations, then this is no small power. We don’t like you – so, poof! you are gone.
Such power must be tempered by a seriously responsible approach. And in fairness to Nominet, its public announcement is not nearly as cut and dried as Claire Sellick suggests:
The Dealing with domain names used in connection with criminal activity issue group is being formed, in response to a proposal submitted by Serious and Organised Crime Agency (SOCA). The publication of this proposal led to a wide range of stakeholders expressing an interest in being involved in the discussion. We are calling for those wanting to put themselves forward to take part directly to register by 23 February.
The situation is this. Nominet’s T&Cs do not clearly state that domain names must not be used for criminal activity. The Serious and Organised Crime Agency wants to be able to tell Nominet to take down any website it declares to be involved in illegal activity. Nominet feels that it needs to make this explicit in its T&Cs; and is asking its membership to discuss the issue.
Clearly, however, Claire Sellick considers it to be a done deal. I really hope not. I really hope that Nominet and its membership get some genuine safeguards into this request from SOCA. The idea that the police can say what is and what is not illegal is, to my mind, unconstitutional. I have always believed that it is the courts, and not the police, that decide whether something is legal or illegal. So the police acting as judge and jury as well as enforcers is a very scary development.
Dealing with domain names used in connection with criminal activity
Safer Internet Day
Today is, I understand, Safer Internet Day.
I have to admit to being very confused about all of this. Yes, we as parents and adults, need to protect innocent children. But I can’t help thinking we sometimes take this too far. Today, Kaspersky Labs has released data compiled by a YouGov survey. The provided headlines include:
As many as 43% of people have online ‘friends’ that they have never met…
I believe that most adults (and this particular statistic talks about ‘people’, not ‘children’) use social networking at least as much for business networking as for personal networking. Consider LinkedIn. I have hundreds of ‘contacts’ (the equivalent of Facebook’s ‘friends’) whom I value exceedingly, but whom I have never actually met in real life. So I am absolutely amazed that as few as “43% of people have online ‘friends’ that they have never met” – I would have expected the figure to be well above 90%.
Around half (49 per cent) of parents with children under 18 who have internet-enabled mobile devices don’t monitor their children’s mobile web habits
Well, from the age of 12 to 18 at least every second thought I had was of a sexual nature. In those days it was called ‘growing up’. And from the age of 14 onwards (and probably a bit earlier) there would have been hell to pay if I had suspected that my parents were ‘spying’ on me. Let’s face it, you can get married without parental consent, on your sixteenth birthday in Scotland. So we have this strange anomaly, where for commercial reasons the industry, and for political reasons the government, have to hype up the dangers of the internet; who then say ‘we can solve the problem for you, by selling you restrictive software (industry) and limiting your freedoms (government).’ But in doing so, they remove responsibility from parents, who then don’t bother teaching their children; and they remove liberty from all of us until we accept the Nanny State.
Malcom Tuck, managing director of Kaspersky Lab UK
Surely the solution has to be in talking and explaining and educating; and not in monitoring and spying and distrust. In fairness, Kaspersky is aware of the dangers:
…With young people generally regarding their mobile phone as personal and private, for the 51 per cent of parents who do supervise their children’s mobile phone habits, there is the risk of such behaviour being seen as upsetting and invasive by their children.
“We also believe that technology alone is not the answer, which is why our dedicated website http://www.kaspersky.co.uk/safer contains advice and guidance for parents, guardians and children. Protecting young people online means talking to them about the dangers and giving them the confidence and control they need to surf safely,” said Malcolm Tuck, managing director of Kaspersky Lab UK.
I would say absolutely that the function of the security industry (where children are concerned) is to educate both children and parents. It must never be to take the place of parental responsibility.
Why should the NHS be allowed to extort money from us?
This is iniquitous. If I need some shopping from my local market town, I need pay only 30p for the parking. I could, of course, walk, go by bus, or not go at all. I have a choice.
But if I need to visit the community hospital in the same market town, where I have no choice, I cannot walk nor can I catch a bus, then I am forced to pay 90p per hour. And given the waiting time at such hospitals, I am likely to be forced to stay for at least 3 hours (£2.00).
That is disgusting. It is criminal extortion, and should not be allowed.
Intel’s security game-changer. Uh-oh!
On 26 January, ComputerWorld published details of an interview with Justin Rattner, CTO at Intel. Rattner described a new hardware-based solution to malware:
“Right now, anti-malware depends on signatures, so if you haven’t seen the attack before, it goes right past you unnoticed,” said Rattner, who called the technology “radically different”.
“We’ve found a new approach that stops the most virulent attacks. It will stop zero-day scenarios. Even if we’ve never seen it, we can stop it dead in its tracks,” he said.
Intel developing security ‘game-changer’
Rattner didn’t really give much away – except that he hopes the technology will be available this year. So what is it?
Alan Bentley, SVP International, Lumension
Alan Bentley, SVP International of endpoint security firm, Lumension, clearly believes that Intel’s solution is some form of whitelisting (allowing only known good things and stopping everything else) rather than our current blacklisting approach (allowing everything by default, but using AV to stop known bad things).
“A shift in security thinking needs to happen to keep malware off our devices and away from our critical data,” he explained. Trying to shut malware out with signature-based security technologies is like herding jelly. Signature-based security was not designed to protect against the volumes of malware that we are seeing today. If you think that known malware signatures exceed 30,000 each day, the concept of protecting against unidentified malware is more than difficult, especially if you are trying to predict what malware might look like. With this approach, it is of little surprise that malware has a habit of falling through the cracks.
“If you flip security on its head and only allow the known good onto a device or a computer network, malware protection is significantly improved.”
In the interview, Rattner seems to indicate that McAfee (which it bought for $7.7bn last year) is not really involved in this project.
Rattner said Intel researchers were working on the new security technology before the company moved to buy security software maker McAfee. However, he said that doesn’t mean that McAfee might not somehow be involved.
But if this technology predates the McAfee acquisition, then it is most likely to be at chip level rather than the software level. And that rather suggests that it is to do with the Trusted Computing Platform (TCP). The biggest problem with TCP is that it involves one person or organisation imposing its own views on others. Now, if that’s a company controlling how its own computers are used, well there’s not too much wrong with that. But if it’s Intel or Microsoft – or government – controlling what can be run on privately owned computers, then that’s highly dangerous.
Lumension’s CEO, Pat Clawson, has worries along these lines, suggesting that a “pressing concern is whether it is socially acceptable for Intel to impose security on the device. Whilst it might make sense in the consumer mobility space, governments and enterprises will surely want to make their own security decisions, not have it forced on them at the chip level.” But it is indeed the consumer level – that’s you and me, by the way – that is possibly under the greatest threat. “It makes sense,” he adds, “for its focus to be on the consumer market, which represents a significant portion of both Intel and McAfee’s revenues.
“Security innovation on the mobile device would certainly be an interesting and most likely welcome addition to the consumer handset market. With current security models proving ineffective, new levels of intelligence and a change in mindset are needed to protect today’s IT environment.”
What worries me is that this vision seems to be exactly what Scott Charney was proposing with his ‘internet health certificate’; that is, we will not be allowed to access the internet unless we can prove our computers are clean – and one way to prove they are clean is with Intel controlling what can run on them. Was Charney playing John the Baptist to Rattner’s Christ: a voice crying in the wilderness, but preparing the way for our security saviour?
Kevin Townsend 