Friday, February 27, 2009

2009 Security threat report: Malware

Fear of infection

One significant method used by cybercriminals to make money during 2008 was the use of fake anti-virus software, also known as scareware or rogueware. Such attacks prey on IT security fears and fool users into believing their computer has a problem when it has nothing of the kind.

Typically, scareware is planted on websites in the form of pop-up adverts, or disguised downloads. However, there have also been occasions when hackers have spammed out scareware, or links to it, using traditional social engineering tricks to fool users into clicking on the attachment or link. In just one of its spam traps, Sophos detected approximately 5,000 such emails every day.

Scareware-linked websites often carry security software that pretends to be bona fide, complete with bogus reviews praising its supposed effectiveness at removing viruses. Sometimes the websites steal users’ credit card details.

Hacking gangs have become proficient at rapidly producing professional-looking bogus websites posing as legitimate security vendors. On average Sophos identifies five new scareware websites every day, with the figure rising to over 20 a day on occasions. Even established security brands such as Norton AntiVirus [18] and AVG have been targeted.

Some legitimate software companies may even be embroiled in the scams, with rogue advertising affiliates using scareware to increase sales of the legitimate product.

The motivation for the gangs responsible for the scareware problem is apparent in the case of Lee Shin-ja, the former CEO of a Korean anti-virus company. Lee is said to have earned over US $9.8 million since 2005 with a free antispyware program that displayed fake security warnings and directed users to purchase her company’s Doctor Virus clean-up solution [19].

It is worth noting that the scareware problem is not limited to Windows computers. In February 2008, Sophos encountered scareware campaigns that targeted both Windows and Apple Mac users [20].

Malware on the move

Malware transferred via USB memory sticks is also on the rise. Perhaps the most bizarre USB malware-related story to emerge during 2008 was that of astronauts infecting computers on the International Space Station because of lax security measures [21].

Malware attacks via social networking

2008 saw much more interest in using social networking websites to spread malware. In August, Facebook admitted that up to 1,800 users had had their profiles defaced by an attack that secretly installed a Trojan while displaying an animated graphic of a court jester blowing a raspberry [22, 23].

Facebook members are also receiving messages from friends’ hacked accounts via the social network, linking to third-party websites designed to infect the recipient’s computer [24]. Hackers have found value in compromising Facebook accounts, stealing usernames and passwords, and then using the profiles as a launching pad for mass-distributing malware attacks and spam [25].

There are also third-party Facebook applications designed to present irritating pop-up adverts [26]. However, these appear to have become less of a threat since Facebook changed its user interface, making third-party applications less prominent.

Exploiting wider programs

Instead of simply looking for operating system and browser vulnerabilities to exploit, hackers are also exploring security holes in other widely used programs and tools, such as Adobe Flash Player and PDF readers.

The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build web attack pages incorporating booby-trapped code. The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date.
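To make the Flash/PDF point concrete, the following is an added triage script, not code from the Sophos report. It statically scans a PDF for the constructs kit-built files relied on to fire a plug-in exploit without user interaction: an auto-run trigger (/OpenAction or /AA) combined with a payload carrier (JavaScript, an embedded Flash /RichMedia annotation, or a /Launch action). It also undoes two cheap evasions such kits used against naive scanners: hex-escaped names (/J#53 for /JS) and names tucked inside FlateDecode-compressed streams. The keyword list, verdict labels and the two sample PDFs are this example's own assumptions and constructions.

```python
import re
import zlib

# Added example (not from the Sophos report). The keyword list is an
# assumption, chosen from the PDF constructs exploit kits used to auto-run
# JavaScript, Flash or external programs when a document is opened.
SUSPICIOUS_NAMES = {
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional actions (run on page/field events)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code stream or string",
    b"/RichMedia": "embedded Flash annotation",
    b"/Launch": "launch an external program",
    b"/EmbeddedFile": "embedded file attachment",
}

# Something runs automatically if any of these is present ...
AUTO_TRIGGERS = {"/OpenAction", "/AA"}
# ... and an exploitable payload is delivered by any of these.
PAYLOAD_CARRIERS = {"/JavaScript", "/JS", "/RichMedia", "/Launch"}


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every stream that zlib can decode.

    Names inside FlateDecode streams are invisible to a plain byte scan, so
    kits hid /OpenAction and /JS there. Streams that are not zlib data fail
    to decompress and are skipped.
    """
    extra = b""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            extra += b"\n" + zlib.decompress(m.group(1))
        except zlib.error:
            continue
    return data + extra


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes so /J#53 is scanned as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return {name: count} for each suspicious name found in the PDF bytes."""
    text = normalize_names(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # The lookahead stops /JS from also matching longer names like /JSX.
        pattern = re.escape(name) + rb"(?![A-Za-z])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name.decode()] = count
    return hits


def verdict(hits: dict) -> str:
    """Classify a triage result (the labels are this example's convention)."""
    if AUTO_TRIGGERS & hits.keys() and PAYLOAD_CARRIERS & hits.keys():
        return "likely-malicious"
    return "suspicious" if hits else "clean"


# Constructed sample: a minimal, harmless one-page PDF.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample mimicking a kit-built file: JavaScript auto-run on open
# (with hex-escaped names), a Flash annotation, and a /Launch action hidden
# in a FlateDecode stream. The JavaScript itself is an inert placeholder.
_HIDDEN = zlib.compress(b"<< /Type /Action /S /Launch /F (calc.exe) >>")
_HEAD = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /J#53 (app.alert('constructed')) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
)
_STREAM_OBJ = (
    b"6 0 obj << /Filter /FlateDecode /Length " + str(len(_HIDDEN)).encode()
    + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n"
)
BOOBY_TRAPPED_PDF = _HEAD + _STREAM_OBJ + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("booby-trapped", BOOBY_TRAPPED_PDF)):
        hits = triage_pdf(pdf)
        print(label, verdict(hits), hits)
```

A byte-level scan like this is a triage filter, not a verdict: real samples also use other filters (ASCIIHex, LZW), object streams nested several levels deep, and JavaScript that builds the exploit at run time, so anything flagged "suspicious" or worse belongs in a sandbox or a proper PDF parser next. The practical lesson matches the report's: the exploit only matters if the Reader or Flash plug-in that opens the file is unpatched.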

In addition, there was a 46 percent increase in the number of kernel-mode rootkits seen during 2008. These rootkits attempt to evade detection by traditional security products by cloaking themselves using sophisticated low-level operating system techniques.

Malware by location

Research by SophosLabs identified malware written in a total of 44 different languages, although it was not possible to extract location information on 47.9 percent of the malware samples examined.

China accounts for 11.6 percent of all malware. This is a smaller proportion than in 2007, when Chinese hackers accounted for 21 percent of the malicious code that could be attributed to a particular region. The exact language breakdown is:
  • English-speaking world – 24.5 percent
  • Chinese – 11.6 percent
  • German – 3.7 percent
  • French – 3.1 percent
  • Russian – 3.0 percent
  • Brazilian Portuguese – 1.6 percent
  • Other – 4.6 percent
The analysis also revealed some interesting differences in the motives and tactics used by different hacking groups around the globe.

Much of the Chinese malware takes the form of backdoor Trojans, but there is also a proportion of Chinese malware whose motive is to steal passwords from online gamers.

The majority of malicious code written in Brazil is Trojans designed to steal information from online banks. Russian hackers, meanwhile, appear to be concentrating largely on creating botnets and opening backdoors to give cybercriminals remote access to compromised computers.

A tale of three internet companies

Atrivo

This California-based ISP (also known as Intercage) was disconnected from the internet in September after evidence was published showing that large parts of its network were being used to peddle fake anti-virus software (or scareware) and malware [27].

EstDomains

Shortly afterwards, questions were raised about Vladimir Tsastsin, an ethnic Russian living in Estonia [28]. Tsastsin was the founder of EstDomains, a domain registrar service and, coincidentally, a customer of Atrivo. His company was accused of providing a safe harbor to criminals registering domains for malicious activity, ensuring that their activities were not shut down when EstDomains received abuse reports.

After the Estonian government pressed charges against Tsastsin for credit card fraud, money laundering and other offences, ICANN withdrew his firm’s accreditation as a domain registrar.

McColo

Another Russian-owned network, McColo was widely believed to be hosting command and control centres for five major botnets: Srizbi (Zlob), Mega-D, Rustock, Dedler and Storm.

When McColo was disconnected from the internet at 13:23 on 11 November 2008 [29], the botnets went offline, resulting in a huge drop in spam levels. Spam volumes plunged 75 percent [30] immediately after McColo was taken offline. Since then hackers have tried to regain control of these botnets, with some success [31].

These examples show that the security community, working together, can severely disrupt cybercriminal activities on a global scale. Indeed, the takedown of McColo had more impact on global spam levels (even if temporarily) than any hacker arrest by the authorities has ever achieved.

Sophos.com
