Emerging Information Security Threats, 2007
As organizations erect barriers to protect their data, attackers are unleashing new ways of finding and exploiting weaknesses. The threat landscape is one of professional, highly skilled online criminals who create, buy or trade advanced tools that allow them to steal confidential company data, disrupt business operations or snatch logon credentials and other personal information. The teen-aged script kiddies who focused on compromising systems for fame and game are receding into the distant past. Today's profit-minded attackers are more likely to carry a briefcase than a skateboard.
As defenders against these organized cybercriminals, security managers have inherent disadvantages.
Organizations are single entities with relatively static measures for protecting data—it takes time to adjust the IT security architecture, update personnel skills and deploy new defensive technologies. In contrast, the number of adversaries is virtually unlimited. If some of them happen to employ ineffective tactics, there are others who have developed attack vectors you may not have even considered.
How can you repel that which you do not expect? One way to keep up with the cyberspace arms race while fending off attacks on information resources is to stay abreast of the threat landscape.
Targeted Email Attacks
In recent years, there has been a shift away from massive attacks, such as those caused by indiscriminate network worms or hooligan Web defacements. Targeted attacks are more profitable, because they are better at obtaining information, such as credit card account details and trade secrets, that is highly prized on the black market. They also offer a more efficient use of the attacker's resources.
Targeted attacks often take the form of spear phishing campaigns, which personalize the attacker's message to his audience. This increases the likelihood that recipients will be fooled into divulging confidential information. Although financial organizations have been deploying two-factor authentication in an attempt to curtail this threat, the victims remain vulnerable to man-in-the-middle attacks.
A carefully orchestrated phishing campaign last summer targeted CitiBusiness customers even though they employed one-time password tokens. The attacker's Web site prompted victims for the temporary "password" generated by the token, and passed it to the genuine CitiBusiness Web site. This allowed the attacker to access the victim's account immediately after the person logged on to the fraudulent Web site.
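The relay described above succeeds because a plain one-time password proves only that someone currently holds the token, not what that person is authorizing. The Python below is an added illustration, not code from the article or from CitiBusiness: it models the bank-side check for a relayed HOTP code and, as a generalization the article does not cover, a hypothetical code bound to the transaction details the user confirms on the token itself; the secret, account names and amounts are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the user's token and the bank; not a real key.
SECRET = b"constructed-demo-seed-not-a-real-token-key"

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken from the MAC, reduced to `digits` decimals."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain event-based OTP (RFC 4226): HMAC-SHA1 over the counter alone."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)

def transaction_otp(secret: bytes, counter: int, payee: str, amount_cents: int, digits: int = 6) -> str:
    """Hypothetical transaction-bound code: the token MACs the counter together with
    the payee and amount the user confirms on its own display (an illustration, not a standard)."""
    msg = struct.pack(">Q", counter) + payee.encode() + b"\x00" + struct.pack(">Q", amount_cents)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)

class Bank:
    """Minimal verifier: a code is valid only for the next unused counter value."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def login(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1          # a used code is never accepted again
        return ok

    def transfer(self, payee: str, amount_cents: int, code: str) -> bool:
        ok = hmac.compare_digest(code, transaction_otp(self.secret, self.counter, payee, amount_cents))
        if ok:
            self.counter += 1
        return ok

def relayed_login_accepted() -> bool:
    """The CitiBusiness case: the fake site forwards the victim's code unchanged,
    and the bank has no way to tell who submitted it."""
    bank = Bank(SECRET)
    code_from_token = hotp(SECRET, bank.counter)   # victim reads this off the token
    return bank.login(code_from_token)             # passed straight through by the relay

def bound_code_survives_relay() -> tuple:
    """With binding, a code confirmed for the victim's payee does not authorize a
    transfer whose payee the relay altered. Returns (tampered_ok, genuine_ok)."""
    bank = Bank(SECRET)
    bank.login(hotp(SECRET, 0))                    # session opened, counter is now 1
    code = transaction_otp(SECRET, bank.counter, "landlord-account", 50_000)
    tampered = bank.transfer("attacker-mule-account", 50_000, code)
    return tampered, bank.transfer("landlord-account", 50_000, code)
```

The first function returns True, which is the whole problem the article describes; the second returns (False, True), because the bound code is useless for any transaction other than the one the user saw.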
While fooling victims into revealing sensitive data remains a popular tactic of phishing attacks, criminals are also using the social engineering power of email for other purposes. In one such attack reported last fall, staff at a five-star hotel received messages that tried to trick the employees into laundering money. The messages were disguised as notices submitted on behalf of the hotel's guests, included their names, and requested that money be paid to a third party after the hotel processed a credit card payment.
Another targeted email attack, reported by McAfee Avert Labs in February, involved email messages sent to two individuals at a specific company. The messages included a malicious Microsoft Word attachment, crafted to exploit a vulnerability that did not have a patch at the time. The company did not disclose what data, if any, was affected; unfortunately, this was one of several public incidents in recent months in which a zero-day exploit was delivered via email.
Email remains a popular attack vector because it is effective at bypassing network perimeter defenses such as firewalls. Organizations sometimes block dangerous email attachments from entering the network. As a result, attackers increasingly rely on phishing-style social engineering techniques or client-side exploits to download a malicious program via a connection that originates from the victim's computer.
Voice-Based Phishing
Voice-over-IP is emerging as another mechanism for phishing scams.
Traditional phishing attacks contact potential victims via email—a cheap mechanism for attackers. Now, making phone calls using voice-over-IP (VoIP) is becoming very cheap, opening the door to voice-based phishing attacks.
Voice-based phishing surfaced publicly last summer, as illustrated by discussion board messages from concerned recipients of such calls. Websense Security Labs documented one such attack on customers of Santa Barbara Bank & Trust last June, and sporadic reports since then indicate that such voice-based scams are active on the emerging threat landscape.
VoIP phishing attacks often begin with a recorded voice prompting the victim for sensitive information, perhaps claiming that the call is originating from the person's bank. Alternatively, the victim might be asked to call a phone number; in this case, the call is answered by an automated voice system that mimics the bank's system and asks the caller for sensitive information. People tend to trust phone calls more than they trust email, which is why such voice-based phishing can be very effective.
Client-Side Infection Campaigns
A high-profile example of attackers using a client-side exploit happened in February, when Websense Security Labs reported that the Dolphin Stadium Web site was compromised. The stadium was hosting the Super Bowl and its Web site was enjoying a surge of traffic. If a visitor to the site was using an unpatched system, the machine got infected with spyware that harvested logon credentials for the popular game World of Warcraft. Although the weapons and gold used in the game are virtual, they can be sold for real-world money.
The program that infected Dolphin Stadium Web site visitors sought only logon credentials to World of Warcraft, rather than a myriad of other possible targets. The compromise of the Web site was not a blaring defacement; it aimed to infect victims without attracting undue attention and was timed to maximize its effectiveness. The presence of a keylogger on the infected computer was not easily noticeable, in contrast to the adware infections that until recently dominated the threat landscape.
Client-Side Infection Kits
Cybercriminals targeting PC vulnerabilities can buy ready-made exploits.
Attackers commonly use infection kits, planted on compromised Web servers, to exploit client-side vulnerabilities on the systems of the site's visitors. The kits are often available for purchase on the Web and through private channels to interested parties and come with dozens of exploits, offering a convenient way of executing an automated infection campaign.
A once popular infection kit called WebAttacker, whose light version was recently available for purchase for as little as $50, seems to have been surpassed by more effective collections of exploits. Roger Thompson, CTO of security vendor Exploit Prevention Labs, says as many as 60 percent of the attacks on personal computers the company tracked in January involved up to a dozen up-to-date, highly effective exploits.
Drive-by infections like the Dolphin Stadium incident that affect Web site visitors and install keyloggers are all too common. Although logon credentials to banking sites are still a popular target of keyloggers, usernames and passwords for other types of Web sites, such as gaming, social networking and job posting sites, are also targeted. While the immediate purpose of such campaigns is sometimes unclear, an interest in credentials for diverse categories of Web sites indicates a long-term effort by well-funded and dedicated attackers to assemble data warehouses.
Stealthy and Self-Preserving Malware
The increasing profitability of targeted attacks has fueled investment in the development of malicious software that helps make them possible. Such efforts produce malware with capabilities that stretch our defensive abilities.
- Using protected tunnels and peer-to-peer protocols for malicious traffic is becoming increasingly common. There are bot specimens that employ SSL to encrypt their command and control (C&C) channels. Another approach has been employed by some Phatbot and SDBot variants, whose use of peer-to-peer protocols makes it particularly challenging to disrupt their C&C communications. A keylogger recently demonstrated another technique, in which it obfuscated its messages to the attacker and embedded them in Internet Control Message Protocol packets. Malware may also use the ubiquitous HTTP protocol when calling home, which helps it pass through firewalls and travel unnoticed in other Web traffic.
- Rootkits are getting better at concealing the presence of malware on the infected system and are being encountered more frequently. The recently released Rustock and Unreal rootkits are highly effective at shielding themselves from common rootkit scanners, which look for discrepancies in the infected system's configuration. Proof-of-concept rootkits such as SubVirt, Blue Pill and Vitriol are able to treat the infected system as a virtualized one, making their detection very challenging. Another emerging category of rootkits focuses on concealment within applications. For instance, the Argeniss rootkit for Oracle can hide the attacker's database of choice—anything from collections of pornography to stolen credit card data—after the intrusion.
- The complexity of anti-analysis techniques employed by malware is continuing to evolve. Protecting malware from reverse engineering conceals the authors' plans and protects the C&C channel. Protective measures often involve detecting the presence of virtualization and debugging software commonly used by analysts. Rather than including such functionality directly in the malicious code, malware authors often rely on packers—programs that can add anti-analysis mechanisms to almost any executable. For example, Themida is a commercial packer highly effective at complicating malware analysis.
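The ICMP channel mentioned in the first bullet is something a defender can look for on the wire: stock ping clients send very recognizable payloads, and an echo request carrying anything else, especially a high-entropy blob, warrants inspection. The Python below is an added example, not from the article; the reference ping patterns and the sample packets are constructed, and the entropy ratio is an assumed tuning value.

```python
import math
import struct
from collections import Counter

# Payloads that stock ping clients send, constructed from their well-known defaults:
# Linux ping prefixes the bytes 0x10..0x37 with an 8-byte timestamp,
# Windows ping sends a fixed 32-byte alphabet string.
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; an obfuscated or encrypted blob sits near the maximum for its length."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a raw ICMP message (checksum left zero; the classifier ignores it)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse_icmp(packet: bytes) -> tuple:
    """Split a raw ICMP message into (type, code, ident, seq, payload)."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]

def is_stock_ping_payload(payload: bytes) -> bool:
    return payload == WINDOWS_PING_PAYLOAD or (
        len(payload) == 8 + len(LINUX_PING_PATTERN) and payload[8:] == LINUX_PING_PATTERN)

def classify(packet: bytes, ratio: float = 0.9) -> str:
    """Label an ICMP message. Echo traffic whose payload is neither a stock ping
    pattern nor low-entropy has the shape of a covert channel and deserves a look."""
    icmp_type, _code, _ident, _seq, payload = parse_icmp(packet)
    if icmp_type not in (0, 8):                    # only echo request/reply are examined
        return "not-echo"
    if is_stock_ping_payload(payload):
        return "stock-ping"
    # A short payload can reach at most log2(len) bits per byte, not 8, so the
    # threshold is a fraction (assumed 0.9) of that ceiling; tiny payloads are skipped.
    if len(payload) >= 16 and shannon_entropy(payload) >= ratio * math.log2(min(len(payload), 256)):
        return "suspicious-high-entropy"
    return "nonstandard-payload"

# Constructed samples: a Linux ping, a Windows ping, a constant-filled payload, and a
# 64-byte blob of 64 distinct bytes standing in for an obfuscated keylogger message.
LINUX_PING = build_icmp(8, 0x1234, 1, struct.pack("!II", 1172534400, 421337) + LINUX_PING_PATTERN)
WINDOWS_PING = build_icmp(8, 0x0001, 7, WINDOWS_PING_PAYLOAD)
CONSTANT_FILL = build_icmp(8, 0x0002, 1, b"A" * 32)
COVERT_BLOB = build_icmp(8, 0x0003, 1, bytes((i * 37 + 11) % 256 for i in range(64)))

if __name__ == "__main__":
    for name, pkt in [("linux", LINUX_PING), ("windows", WINDOWS_PING),
                      ("constant", CONSTANT_FILL), ("blob", COVERT_BLOB)]:
        print(f"{name:8s} -> {classify(pkt)}")
```

A production detector would also count echo messages per source and watch for identifier or sequence fields that never change, since a single flagged packet is a lead rather than a verdict.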
The Collective Power of Bots
Stealth and self-preservation are characteristic of many types of malicious software; however, no malware is as prominent on the current threat landscape as bots.
A massive DDoS attack on the CastleCops Web site earlier this year demonstrated their power. A community of antimalware and antispam activists, CastleCops reported that the traffic directed at its Web site by the attacker's bots peaked at almost 1 Gbps. The flood inundated CastleCops' Internet pipe, making the Web site largely inaccessible for several days. The situation was reminiscent of DDoS attacks on spam-fighting sites Spamhaus, Spamnation and Blue Security; Blue Security ultimately could not withstand the sustained attack and closed down for good.
Such assaults demonstrate that attackers are becoming more aggressive at defending their spam- and malware-driven business models by punishing organizations and individuals they consider threats. Bots are a powerful weapon attackers can use for this purpose, providing attackers with the ability to command thousands of infected computers with a few keystrokes.
Botnet Market
Selling or renting botnets for DDoS and other attacks can be a lucrative business.
Attackers may directly compromise computers to build a botnet by finding and infecting vulnerable computers. However, it is often more cost-effective to purchase a botnet assembled by someone else, or simply rent it for a few days to accomplish a particular task.
In 2004, one bot herder made $3,000 in three months selling and renting botnets. The stakes have increased since then. The Shadowserver Foundation, which tracks bot activities, estimates that it costs approximately $1,000 to rent a botnet for a single spam event that spans one to two days. Renting a sizable network of 10,000 bots for a DDoS attack may cost $500 to $1,000 per event.
The price to purchase an average botnet outright typically falls in the range of $5,000 to $7,400, according to Shadowserver. The SANS Internet Storm Center received a report indicating that purchase prices on botnets have been falling recently, due in part to groups from Russia willing to sell them for as little as 25 cents per bot.
Being able to launch DDoS attacks allows the owner of the bot network (botnet) to discipline adversaries, extort money under the threat of such an attack, and offer attack services to others. One case of "DDoS for hire," documented by the FBI, involved the arrest of an owner of a sports apparel company on charges of hiring an attacker to disable the competitors' Web sites.
Sending spam messages is another common reason for employing a botnet. The spammer uses infected computers as spam relays, which provides him or her with virtually unlimited bandwidth and makes it very difficult for the defenders to block or trace the source of the unwanted messages.
Joe Stewart, a senior security researcher with managed security provider SecureWorks, in January analyzed a spam-related botnet powered by the Rustock Trojan that appeared to manipulate the price of a penny stock. The so-called pump-and-dump technique involved the attacker purchasing stock of a little-known company, hyping it up via spam messages and selling it as soon as it slightly increased in price. The technique can be surprisingly effective, earning a spammer as much as $20,000 over a weekend. Stewart's Web site was subsequently targeted by a DDoS attack the day after a newspaper described his analysis of the campaign.
Bot herders have been targeting desktop PCs of broadband users, using the infected computers as unwitting participants in a botnet, but this trend may be changing. Researchers at security assessment specialist Beyond Security—Gadi Evron, Kfir Damari and Noam Rathaus—this year observed an increase in the use of Web servers to construct botnets.
Server-focused bot herders exploit vulnerabilities in Web applications that are built using languages such as ASP, Perl and PHP to invoke their own scripts. Tynan Wilke, a SecureWorks researcher, documented one such campaign. In this attack, the bot herder used Google to locate servers with a vulnerable open-source Horde Webmail application and took advantage of the vulnerability to install a malicious Perl script. The bot allowed the attacker to launch DoS attacks, query Google for further propagation, and execute commands on the compromised Web server, according to Wilke.
Browser Malware
While botnets have become potent weapons for cyberattackers, online thieves are also turning their focus to the Web browser. The browser is becoming the primary application used to access data at home and at work, making it an attractive target. After all, why bother compromising the underlying operating system if the most sensitive transactions—from online banking to corporate sales management—occur in the browser? The browser includes powerful functionality to support the advanced requirements of modern Web-based applications; these features create an ecosystem for malicious code to survive without directly interacting with the operating system.
October 2005 brought the first high-profile worm that was purely Web-based. The Samy worm took advantage of a cross-site scripting (XSS) flaw in the MySpace Web site and employed a popular JavaScript construct used in many AJAX applications. Such worms embed their code in pages of the compromised Web site and typically spread when the site's users view the infected page. The payload of such worms varies, but could range from defacing the infected pages to executing financial transactions within the context of the victim's session.
The Samy worm infected more than a million MySpace users. On its heels came other worms powered by XSS and AJAX techniques. The list includes MySpace worms that propagated with the help of Flash and QuickTime browser plug-ins, as well as worms that spread on the Orkut, Gaia Online and Yahoo! Mail Web sites.
Another example of the power of browser-based malware is the proof-of-concept port-scanning tool written in JavaScript by security vendor SPI Dynamics to demonstrate some of the challenges of securing intranets. Running in the victim's browser, the scanner can perform reconnaissance against the victim's network even if it is behind a firewall. This tool illustrates the extent to which a malicious Web site can explore the internal network of the site's visitor, even when operating purely in the browser.
SPI Dynamics further demonstrated the capabilities of browser malware by exhibiting a JavaScript bot at the ShmooCon conference in March without making its code public. Called Jikto, the proof-of-concept bot can locate vulnerabilities in Web applications while running within a Web browser. An attacker could inject Jikto in the victim's browser by exploiting XSS and other Web site vulnerabilities. The attacker could control Jikto instances remotely, capturing the information they collect and instructing them to launch further Web-based attacks.
The Race Continues
Clearly, today's threat environment is multifaceted and rapidly changing. With zero-day exploits, client-side attacks and botnets, organizations face a maturing marketplace that encourages attackers to invest in better organization and tools. In turn, defenders need to keep learning from each other, sharing threat information and discussing effective defense strategies. This is the only way to ensure they do not fall behind in a cyberspace arms race that is unlikely to end any time soon.