Approximately one third of malicious links intercepted in July 2008 were related to “Antivirus XP 2008.” Since then, links to this rogue application have been spammed out from other botnets, including Srizbi, Rustock, and Mega-D.
[Figure: example of the rogue “Antivirus XP 2008” in action on a clean install of Windows XP]
12 Having many or several variations of the code by using different encoding techniques
13 Code that can re-write and re-program itself in different ways to perform the same instructions
Believed to be Russian in origin, the rogue Antivirus XP suites were promoted through a suspected criminal network hosted by Bakasoftware.com, where affiliates could make substantial revenues from each install. The Web site testified, “With affiliate program Bakasoftware you can easily sell popular software products and earn up to 90% of their value,” (“С партнёрской программой Bakasoftware вы сможете с лёгкостью продавать популярные программные продукты и зарабатывать до 90% от их стоимости”).
Once installed, the rogue application pretended to scan the computer, displaying the number of infections it had apparently found, but could only be removed after purchasing the software for a payment of GBP 49 (approximately USD 100). In subsequent attacks, the rogue software changed its name from time to time, including “Win Antispyware 2008” and “XP Antivirus 2009.” By August 2008, 64% of malicious emails were spoofed virtual greeting cards or fake online postcards, many of which contained links to small Trojan droppers designed to install a rogue anti-spyware program, which by this time had also been promoted in spam containing images from online albums hosted by free, reputable Web-based email and application service providers.
4.2.1 Botnets – evolutions (part 2: malware)
Since its birth in January 2007, the size and scope of the Storm botnet had remained somewhat of a mystery to some within the security industry. Some reports pointed to the botnet shrinking or being overtaken by newer botnets, while others claimed that Storm had simply undergone quiet periods before ramping up to compete with other newer botnets emerging on the scene.
At some stage, Storm had been partitioned into smaller, more discrete segments, each rented to different spammers but still part of the same overall botnet. In addition to spamming, some parts of the botnet were also used to spread malware and launch phishing attacks.
By April 2008, MessageLabs Intelligence reported that the Storm botnet had been reduced to 5% of its original size.
However, in May 2008, MessageLabs intercepted more than 81,000 copies of malware that bore similar hallmarks to previous Storm attacks. The attack accounted for about 12% of all malware interceptions by Skeptic [14]. The malware was downloaded via a link hosted on computers already under the control of the Storm botnet.
These Web sites used the lightweight open-source “nginx” Web server. Although usually only available on Unix-like operating systems, nginx had been ported to Windows and was in use by the Storm botnet to host its Web content.
Nginx is a legitimate server used by many Web sites. Although not as popular as other open-source servers such as Apache, nginx is lightweight and very functional, two very attractive qualities for any botnet needing to distribute content.
New variants of Storm appeared in July 2008, in the wake of the July 4 Independence Day celebrations in the U.S., when the botnet began breaking a false “news” report of a U.S.-led invasion of Iran. The emails included links to the Storm malware disguised as video footage of the fabricated event.
4.2.2 Web-based Threats
Throughout 2008, levels of spyware and adware interceptions have been overshadowed by a shift toward Web-based malware. Web-based malware has now become more attractive to cyber-criminals, as it presents an opportunity to capitalize on users’ unfamiliarity with the nature of Web-borne threats.
Malware has been around for over 20 years, evolving rapidly as the Internet became ubiquitous and adapting threats around the latest technology. Web-based malware, however, has been a much more recent evolution: it has been Internet-based since its inception, exploiting vulnerabilities in browsers and Web servers to deploy malware or Trojans, or to attack other Web sites, as with “Code Red” and “Nimda” in 2001.
The number of legitimate Web sites that were infected by SQL injection attacks and Cross-Site Scripting [15] attacks had increased further by October 2008. The ASPROX botnet, which comprises approximately 100,000 nodes, was specifically designed to conduct SQL injection attacks against legitimate sites in order to spread, and is also responsible for a number of currently active phishing runs, particularly against notable financial organizations in the UK.
As demonstrated in the past with email-borne malware, the availability of toolkits lowers the barrier to entry for cybercriminals, pushing the threat level higher. As the low-tech criminals become more equipped to craft their own attacks against vulnerable Web sites with minimum technical expertise, the level of threat will increase further.
15 Cross-site scripting (XSS) is a vulnerability found in Web-based applications which enables a malicious user to inject code into the Web pages viewed by other users.
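Automated SQL injection against legitimate sites, of the kind attributed to ASPROX above, leaves traces in ordinary Web server access logs. The following added example (not code from the report or from MessageLabs) scans constructed Apache-style log lines for SQL injection indicators, URL-decoding the query string and expanding hex string literals so that encoded payloads are inspected as the SQL a database would execute; the indicator list and sample log lines are assumptions for illustration.

```python
"""Flag likely automated SQL-injection probes in Web server access logs."""
import re
from urllib.parse import unquote_plus

# Apache combined log: client, ident, user, [timestamp] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators of automated SQL injection (assumed list, not from the report).
INDICATORS = [
    re.compile(r"\bdeclare\s+@\w+", re.I),          # T-SQL variable declaration
    re.compile(r"\bcast\s*\(", re.I),               # CAST(...) of an encoded string
    re.compile(r"\bexec\s*\(", re.I),               # dynamic execution
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    re.compile(r";\s*--"),                           # statement terminator + comment
]
HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})", re.I)


def normalise(query: str) -> str:
    """URL-decode twice (double encoding is common) and expand 0x.. literals."""
    text = unquote_plus(unquote_plus(query))

    def expand(m: re.Match) -> str:
        try:
            return bytes.fromhex(m.group(1)).decode("latin-1")
        except ValueError:            # odd-length or otherwise invalid hex
            return m.group(0)

    return HEX_LITERAL.sub(expand, text)


def scan_log(lines):
    """Return (client_ip, path, matched_pattern) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # not a parseable request line
        ip, _ts, _method, target, _status = m.groups()
        path, _, query = target.partition("?")
        if not query:
            continue
        decoded = normalise(query)
        for pat in INDICATORS:
            if pat.search(decoded):
                hits.append((ip, path, pat.pattern))
                break                 # one hit per request is enough
    return hits


# Constructed sample log lines: one benign request, one URL-encoded T-SQL
# injection with a hex literal, one payload hidden entirely inside a hex literal.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2008:03:14:07 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Oct/2008:03:14:09 +0000] "GET /news.asp?id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x555044415445%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Oct/2008:03:15:30 +0000] "GET /search.asp?q=0x554E494F4E2053454C454354 HTTP/1.1" 500 233',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request from %s to %s (matched %s)" % hit)
```

Running the module prints the two injection attempts and ignores the benign request; the third line is only caught because the hex literal is expanded before matching.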
4.2.3 Policy Controls – Legal Liability and Unsecured Web Access
In 2008, analysis of statistics from Symantec’s MessageLabs URL Filtering Service showed more businesses were blocking employee access to inappropriate Web sites, such as pornography, to implement acceptable use policies and maintain employee productivity.
[Chart: employee use of adult Web sites during the working day (worldwide); lunchtime 11:00-2:00: 28.9%; workday: 85.3%]
Almost one third of blocked attempts to access adult or sexually explicit Web sites occurred during lunchtime hours, and 85% during the average working day.
4.2.4 Social Networking Malware
Online criminals have also sought other routes into organizations, relying heavily on social engineering tactics to dupe their victims. One popular approach is to create a fake profile on social networking Web sites and use it to post malicious links and phish other users.
Cyber-criminals have been spreading malicious links by polluting blogging Web sites with comments that include links to malicious Web sites. Phishing for genuine social networking accounts, belonging to real people, enables spammers to post blog comments on the pages of other contacts and allows them to send messages from the phished accounts to other contacts.
These messages are often used to dispense spam, including links to spam sites such as online pharmacies. In some cases the spam carries a more sinister message: links to malicious sites harboring malware.
Once connected to legitimate profiles, scammers could use the personal information found on users’ profiles to target users more effectively. Information such as mobile telephone numbers and email addresses could be readily accessible in some cases.
[Figure: example of a phished account used to email links to malicious Web sites]
When the link in the email is activated, the browser is directed to a page purportedly hosting a video, but it also indicates a new codec is required to view the video. Activation of this download will result in some unwanted and potentially malicious software being downloaded and installed.
[Figure: malicious content embedded in a spoofed video-sharing Web site]
For example, it was often linked to the latest incarnation of the “Antivirus XP 2008” rogue anti-spyware tools, first detected by Symantec’s MessageLabs in July 2008.
“Web 2.0” Snake Oil – Toolkits Lowering the Barrier to Fraud
The “Web 2.0” paradigm is all about user-generated content, and sites allowing users to share multimedia content have grown enormously in popularity. The ability to upload enticing content – snake oil – and persuade someone to activate it has been one of the criminals’ strongest abilities.
The availability of toolkits allows criminals to easily spoof multimedia content for major hosted video-sharing Web sites, which can be used to bait someone into downloading malware in the belief that they were about to watch some compelling video clip. This technique is covered in more detail in the malware section later in this report.
4.3 Targeted Attacks
Targeted Trojans are often aimed at specific individuals within an organization with the purpose of compromising networks for corporate espionage. Each attack is small in number and utilizes highly sophisticated social engineering techniques, such as personalization, to persuade the recipient to open the email and attachment.
These attacks are categorized by their distinctive profile and focus specifically on small numbers of targets in each incident, to try and fly below the radar of traditional anti-virus engines.
To emphasize how threats of this kind have increased in popularity within the threat landscape, MessageLabs Intelligence noted attacks of this nature at between 1 and 2 per week in 2005, 1 to 2 per day in 2006, and per day in early 2007. The latest MessageLabs Intelligence findings outline that in 2008 the number of attacks peaked at approximately 78 per day in April 2008, and averaged 53 per day for the year.
[Chart: targeted attacks per day, June 2007 to November 2008]
To appear legitimate, cyber-criminals adopt a variety of tactics. One way they do this is by utilizing exploits within Office document attachments, which may appear to originate from someone with whom the recipient has a prior relationship.
Alternatively, the subject line topic is relevant to the recipient, indicating that the attackers have gathered prior intelligence or reconnaissance against their targets, possibly through social networking tools.
Beijing Olympics
In August 2008, with the world focused on the Olympic Games in Beijing, organizations involved with the Olympics became attractive targets for cyber-criminals. Throughout the year, MessageLabs Intelligence had collected evidence of targeted malware being distributed in legitimate-looking emails from Olympic organizers that had been sent to several participating nations’ national sporting organizations and athletic representatives.
Culminating in an attack [16] on 24 July, 19 domains were targeted [17] with 57 emails, each of which contained a press release and media information relating to the Olympics. The content for the messages appeared to have been taken from an official Olympic Web site.
16 For more details, please visit www.messagelabs.com/mlireport/MLISpecialReport_2008_08_OlympicTargeted_Final.pdf
17 For more information, please visit www.vnunet.com/vnunet/news/2223416/malware-writers-juice-olympics
To further compound the problem, the email and its attachment appeared legitimate to some recipients who were not safeguarded, and who innocently forwarded it to a number of other news and sporting organizations.
Corporate Espionage
Similarly, semi-targeted attacks, where the perpetrator may have gathered some additional intelligence through reconnaissance to supplement the social engineering aspects of the attack, have become more complex during 2008.