In my first of three entries summarizing 2009 online fraud trends, I suggested that there had never been a better time to be a cybercriminal, and talked about the high-grade Trojans currently available to fraudsters. But to use a modern warfare analogy, even if you have nuclear weapons they aren’t really effective without a robust ballistic missile program that will deliver the payload to the designated targets. And to use the more classic virus analogy, it takes a very effective infection mechanism to turn a lethal virus strain into a global pandemic.
The RSA FraudAction lab exposed the infrastructure of the notorious Sinowal Trojan, also known as Torpig or Mebroot, in October 2008. Sinowal isn’t a Trojan kit and you cannot buy it anywhere: it’s a syndicated organized crime ring that is based in Eastern Europe, spans several continents, and for the past four years has had its virtual silhouette glued to every eCrime researcher’s billboard, complete with a “most wanted” sign.
The first thing that caught the team’s attention was the sheer magnitude of the stolen data: there were almost 300,000 compromised PCs, each tapped for one set of online banking credentials and one credit card on average. The other amazing fact was that the server had been live since 2006 despite numerous attempts to shut it down; it had a highly resilient framework and good disaster recovery backups.
When the Sinowal data was analyzed, an amazing fact stood out: the pace of infection increased tenfold in summer 2008. Where March had seen 2,500 new computers infected with Sinowal, the rate in September jumped to 25,000.
What caused this massive surge of infection? The immediate suspect was the code itself: perhaps the fraudsters had managed to make the Trojan horse a lot stealthier. But as the team dug deeper they realized nothing in the code would explain this massive boost in distribution. No, there had to be another explanation, and it was soon found: drive-by download.
Here’s a good example of drive-by download. Try this now: go to www.paulmccartney.com and click on the news section on the left. Go down the archive of articles on the right to May 2009, and find the post from 01.05.2009 titled “website security statement”. Read it… Or if you’re too lazy, here’s an earlier account I posted about the incident.
Summer 2008 marked the beginning of an onslaught of drive-by download attacks, which spread like wildfire through a highly advanced SQL injection botnet, beefed up by other hacking methods such as taking over websites’ FTP service after stealing the administrator passwords.
The interesting thing about drive-by download attacks is that the infection takes place on a perfectly legitimate website with healthy traffic of perfectly legitimate users. It’s important to note that the only pre-condition is browsing the website: no other user action is needed. Infection is absolutely automatic, and happens as long as the PC isn’t completely patched against the latest security vulnerabilities. Most users do not bother to update their browser, operating system and Internet tools such as Acrobat Reader or Flash; when a piece of software pops up and offers an upgrade, many click on “remind me later”. It’s a bit like getting a knock on your door and finding a team of doctors bringing you a Swine Flu vaccine. “Not now, remind me later” isn’t what you’re supposed to say.
Right now there are thousands of legitimate websites hacked in order to lead their traffic into infection servers. Not all of them are as heavily visited as PaulMcCartney or Paris Hilton fan sites, but some are. Websense reported in mid-2009 a 671% increase in the number of legitimate websites hijacked for spreading malware compared to the previous year, and Panda Labs estimated that over 10 million PCs had already been infected with a financial Trojan. That was a year ago; today the numbers should be in the dozens of millions. And the amazing thing is: people still know nothing about drive-by download.
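As an added example (not code from the original post), here is a small webmaster-side scan for the traces that the mass SQL-injection and stolen-FTP-password compromises described above typically left in hacked pages: zero-size or hidden iframes, script tags pulled from another host, and tag markup hidden inside escaped document.write strings. The site host and the SAMPLE page are constructed; off-site script findings are a triage list for the site owner to review, since legitimate CDNs show up there too.

```python
# Added example (not from the original post): a webmaster-side check for the
# injected redirects behind 2008-era drive-by downloads. SAMPLE is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host.lower(), []
        self._in_script, self._script_text = False, []

    def _offsite(self, url):
        host = urlparse(url).hostname  # None for relative URLs such as /js/site.js
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            hidden = ("display:none" in a.get("style", "").replace(" ", "")
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            if hidden or self._offsite(a.get("src", "")):
                self.findings.append(("hidden_or_offsite_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if self._offsite(a.get("src", "")):
                self.findings.append(("offsite_script", a["src"]))

    def handle_data(self, data):  # script bodies arrive here while _in_script is set
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body, self._script_text = "".join(self._script_text), []
            # injected tags were commonly hidden as "\x3ciframe ..." escaped strings
            if "document.write" in body and re.search(r"\\x[0-9a-f]{2}|%3C|\\u003c", body, re.I):
                self.findings.append(("obfuscated_document_write", body[:60]))

def scan_html(html, site_host):  # returns (kind, detail) findings for one page
    parser = InjectionScanner(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample: a clean page with two injected lines appended at the end.
SAMPLE = """<html><body><h1>News</h1><script src="/js/site.js"></script>
<iframe src="http://bad-example.invalid/in.php" width="0" height="0"></iframe>
<script>document.write("\\x3ciframe src=\\x22http://bad-example.invalid/x\\x22\\x3e");</script></body></html>"""
```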
If you keep your PC security fully up to date you stand a good chance against automatic drive-by download infection, but you can still get infected by downloading an executable file. Here the main advice is: use common sense.
Cybercriminals are aware of this pesky thing called common sense, and develop social engineering methods designed to befuddle your judgment. Their preferred channel these days is Web 2.0 applications – which fraudsters simply adore – and in particular social networks. If you’re logged into the social network and notice an invitation from a friend to watch a cool video, but when you get to the page the video doesn’t work and the site advises downloading the latest video converter, and after you click on the link a helpful gray box pops up and asks your permission to install the friendly program, don’t click on Run. Because if you do, you’ll be the latest unlucky member of a botnet, and will soon have your PC swarming with Trojans.
Other infection methods include getting an email with an exciting piece of news such as “Michael Jackson is Dead!” or “Ceasefire in Gaza!” Here the attack starts with a message delivered via email or social media, with a link leading to an infection site. The same applies to fake Christmas cards or other digital greetings. P2P networks are a great source of infection via compromised files. Then there are SEO (search engine optimization) tricks deployed by cybercriminals to lead users searching for certain items of interest into the open jaws of a malware server or a fake antivirus.
Speaking of antivirus, it’s important to understand that today’s antivirus technologies find it difficult to keep up with malicious Trojans. Heuristics work well for certain Trojan families but not for all, and the main tool for identifying crimeware remains the virus signature. However, Trojan kits such as Zeus allow you to build new variants on the fly, so by the time the AV company has an up-to-date signature, victims are already downloading the new, untraceable code. Cisco published research showing that only 40% of Trojans released to the web get detected by over half of the leading AVs; Trusteer reported that fully up-to-date AVs were successful in detecting Zeus only 23% of the time, and that 55% of the PCs running Zeus had a fully up-to-date AV.
AV companies responded by developing community-based threat reporting, cloud-based protection or reputation-based security. These directions pose new challenges for Trojan builders, but it will take time to see the impact on the upward trend in infection.
To summarize, things have changed dramatically in the past year when it comes to infection. The rate of infection today is 10 times higher than last year; rather than the Internet becoming a better place, things are actually getting worse. No longer should people worry just about files sent through email; today they can catch something by browsing a legitimate website or clicking on links to see fake videos.
Many people ask me “so what do YOU do to protect yourself?” – and my answer is: I use common sense and never download any applications unless I initiated the download myself, and I enable automatic updates of the operating system and every Internet tool I use. Oh, and I never use my wife’s computer to access online banking or shop online. God knows what kind of stuff she downloads ;)