
Approximately one third of malicious links intercepted in July 2008 were related to Antivirus XP 2008. Since then, links to this rogue application have been spammed out from other botnets, including Srizbi, Rustock, and Mega-D.

Example of rogue Antivirus XP 2008 in action on a clean install of Windows XP (figure)

12 Having many or several variations of the code by using different encoding techniques
13 Code that can re-write and re-program itself in different ways to perform the same instructions

Believed to be Russian in origin, the rogue Antivirus XP suites were promoted through a suspected criminal network hosted by Bakasoftware.com, where affiliates could make substantial revenues from each install. The Web site stated: "With affiliate program Bakasoftware you can easily sell popular software products and earn up to 90% of their value."

Once installed, the rogue application pretended to scan the computer, displaying the number of infections it had apparently found. The "infections" could only be removed by purchasing the software, for a payment of GBP 49 (approximately USD $100). In subsequent attacks the rogue software changed its name from time to time, to Win Antispyware 2008 and XP Antivirus 2009 among others. By August 2008, 64% of malicious emails were spoofed virtual greeting cards or fake online postcards, many of which contained links to small Trojan droppers designed to install a rogue anti-spyware program. By this time the same program was also being promoted in spam containing images from online albums hosted by free, reputable Web-based email and application service providers.

4.2.1 Botnets evolutions (part 2: malware)

Since its birth in January 2007, the size and scope of the Storm botnet had remained something of a mystery to some within the security industry. Some reports pointed to the botnet shrinking or being overtaken by newer botnets, while others claimed that Storm had simply undergone quiet periods before ramping up to compete with the newer botnets emerging on the scene.

At some stage, Storm had been partitioned into smaller, more discrete segments, each rented to different spammers but still part of the same overall botnet. In addition to spamming, some parts of the botnet were also used to spread malware and launch phishing attacks.

By April 2008, MessageLabs Intelligence reported that the Storm botnet had been reduced to 5% of its original size.

However, in May 2008, MessageLabs intercepted more than 81,000 copies of malware that bore hallmarks similar to those of previous Storm attacks. The attack accounted for about 12% of all malware interceptions by Skeptic14. The malware was downloaded via a link hosted on computers already under the control of the Storm botnet.

These Web sites used the lightweight open-source nginx Web server. Although nginx is normally only available on Unix-like operating systems, it had been ported to Windows and was being used by the Storm botnet to host its Web content.

Nginx is a legitimate server used by many Web sites. Although not as popular as other open-source servers such as Apache, it is lightweight and very functional, two attractive qualities for any botnet needing to distribute content.

New variants of Storm appeared in July 2008, in the wake of the July 4 Independence Day celebrations in the U.S., when the botnet began breaking a false news report of a U.S.-led invasion of Iran. The emails included links to the Storm malware disguised as video footage of the fabricated event.

4.2.2 Web-based Threats

Throughout 2008, levels of spyware and adware interceptions have been overshadowed by a shift toward Web-based malware. Web-based malware has become more attractive to cyber-criminals because it presents an opportunity to capitalize on users' unfamiliarity with the nature of Web-borne threats.

Malware has been around for over 20 years, evolving rapidly as the Internet became ubiquitous and adapting to the latest technology. Web-based malware, however, is a much more recent development: it has been Internet-based since its inception, exploiting vulnerabilities in browsers and web servers to deploy malware and trojans or to attack other websites, as Code Red and Nimda did in 2001.

14 Skeptic is the unique predictive and proactive technology developed by Symantec to identify new and previously unknown threats at the Internet level, and is a registered trademark of Symantec (for more information please visit messagelabs.com/technology/skeptic)

In 2008, vulnerabilities and weak security in web applications were being exploited by criminals to deploy web-based malware more widely. New toolkits are able to seek out websites with weak security and target them. Recent examples of this type of attack include extensive SQL injection attacks that pollute data-driven websites, causing malicious JavaScript to be presented to the sites' visitors.

The technical sophistication of these threats has also evolved. Previously, techniques relied on malicious HTML and JavaScript code alone, but more recent exploits, targeting vulnerabilities in server-based applications such as blogging tools and in client-side browser plug-ins such as Flash, have caused malware to be installed simply by visiting the page.

Botnets such as ASPROX, which was specifically designed to compromise vulnerable Web sites with malicious JavaScript code, were very active in the second half of 2008. The volume of malicious sites increased from about 1,per day in January 2008 to more than 5,000 per day by October 2008.

The malicious JavaScript is downloaded by any visitor through HTML code injected into the compromised page, typically a script tag that loads the code from a server the attackers control.
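The mechanics of the two preceding paragraphs, as an added example written for this edit (it is not code from the MessageLabs report, nor from any ASPROX sample): the lookup pattern the toolkits hunted for, pasted user input in SQL text, is shown next to its parameterized fix, and a scan then walks every text column of a database for `<script src>` tags that load from a host other than the site's own, which is what a polluted site looks like from the inside. The table, the rows, the host names (`example-site.test`, `attacker.test`) and the script file name are constructed for the example; SQLite stands in for the SQL Server back ends the 2008 campaigns actually hit, so the mass `UPDATE` those campaigns appended after a stacked statement is not reproduced here, only the missing parameterization that let it through.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts allowed to serve script to the (hypothetical) site. A <script src>
# pointing anywhere else is treated as injected content.
TRUSTED_SCRIPT_HOSTS = {"www.example-site.test", "static.example-site.test"}

# Matches the src attribute of a <script> tag, quoted or bare.
SCRIPT_SRC = re.compile(r"<script[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny CMS table in which row 3 has been
    polluted the way the 2008 mass-injection campaigns polluted real sites."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Welcome", "<p>Hello</p>"),
        (2, "News", '<p>Update</p><script src="http://static.example-site.test/site.js"></script>'),
        (3, "Contact", "<p>Mail us</p><script src=http://evil.attacker.test/inject.js></script>"),
    ])
    conn.commit()
    return conn


def find_article_vulnerable(conn, article_id: str):
    """The weak pattern the toolkits looked for: request input pasted into SQL.
    Passing "3 OR 1=1" changes the query itself, not just the value."""
    return conn.execute("SELECT id, title FROM articles WHERE id = " + article_id).fetchall()


def find_article_safe(conn, article_id: str):
    """Same lookup with a bound parameter: the input is data, never SQL text."""
    return conn.execute("SELECT id, title FROM articles WHERE id = ?", (article_id,)).fetchall()


def external_script_sources(html: str) -> list:
    """Return every <script src> URL in html whose host is not on the allowlist.
    Relative URLs (no host) are served by the site itself and are not reported."""
    hits = []
    for url in SCRIPT_SRC.findall(html):
        host = urlparse(url).hostname
        if host is not None and host.lower() not in TRUSTED_SCRIPT_HOSTS:
            hits.append(url)
    return hits


def text_columns(conn):
    """Yield (table, column) for each text-typed column in every user table."""
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, col


def scan_database(conn) -> list:
    """Walk every text cell and report (table, column, rowid, url) for each
    script tag that loads from an untrusted host."""
    findings = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if isinstance(value, str):
                for url in external_script_sources(value):
                    findings.append((table, col, rowid, url))
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable:", find_article_vulnerable(db, "3 OR 1=1"))  # every row comes back
    print("safe:      ", find_article_safe(db, "3 OR 1=1"))        # nothing matches
    for finding in scan_database(db):
        print("injected script:", finding)
```

The scan is deliberately dumb about HTML: it only looks for script tags with a foreign host, because that was the fingerprint of these campaigns, and it runs against the database rather than the rendered site so that content injected into rarely visited pages is found too. Pair it with the allowlist of your own script hosts; anything else in a stored text column is a finding to investigate, not to trust.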

Example of a phished account used to email links to malicious Web sites (figure)

When the link in the email is activated, the browser is directed to a page purportedly hosting a video, which indicates that a new codec is required to view it. Accepting this download results in unwanted and potentially malicious software being downloaded and installed.

Malicious content embedded in a spoofed video-sharing Web site (figure)

For example, the download was often linked to the latest incarnation of the Antivirus XP 2008 rogue anti-spyware tools, first detected by Symantec's MessageLabs in July 2008.

Web 2.0 Snake Oil - Toolkits Lowering the Barrier to Fraud

The Web 2.0 paradigm is all about user-generated content, and sites allowing users to share multimedia content have grown enormously in popularity. The ability to upload enticing content ("snake oil") and persuade someone to activate it has been one of the criminals' strongest abilities.

The availability of toolkits allows criminals to easily spoof multimedia content from major hosted video-sharing Web sites, which can be used to bait someone into downloading malware in the belief that they are about to watch a compelling video clip. This technique is covered in more detail in the malware section later in this report.

4.3 Targeted Attacks

Targeted Trojans are often aimed at specific individuals within an organization with the purpose of compromising networks for corporate espionage. Each attack involves only a small number of emails and utilizes highly sophisticated social engineering techniques, such as personalization, to persuade the recipient to open the email and its attachment.

These attacks are characterized by their distinctive profile: each incident focuses on a small number of targets, to try to fly below the radar of traditional anti-virus engines.

To emphasize how threats of this kind have grown within the threat landscape, MessageLabs Intelligence noted the number of attacks of this nature at 1 to 2 per week in 2005, 1 to 2 per day in 2006, and per day in early 2007. The latest MessageLabs Intelligence findings show that in 2008 the number of attacks peaked at approximately 78 per day in April 2008, and averaged 53 per day for the year.

Targeted attacks per day (chart, July 2007 to November 2008)

To appear legitimate, cyber-criminals adopt a variety of tactics. One is to utilize exploits within Office document attachments, which may appear to originate from someone with whom the recipient has a prior relationship.

Alternatively, the subject line is on a topic relevant to the recipient, indicating that the attackers have gathered prior intelligence or reconnaissance on their targets, possibly through social networking tools.

Beijing Olympics

In August 2008, with the world focused on the Olympic Games in Beijing, organizations involved with the Olympics became attractive targets for cyber-criminals. Throughout the year, MessageLabs Intelligence had collected evidence of targeted malware being distributed in legitimate-looking emails purporting to come from Olympic organizers, sent to the national sporting organizations and athletic representatives of several participating nations.

This culminated in an attack16 on 24 July in which 19 domains were targeted17 with 57 emails, each containing a press release and media information relating to the Olympics. The content of the messages appeared to have been taken from an official Olympic Web site.

Example of targeted Trojan spoofing an organization involved with the Olympic Games, which contained a malicious .PDF (figure)

The malware was hidden within a file attachment, using embedded JavaScript to drop a malicious executable program onto the target's computer. This malware allowed confidential information to be leaked to an external party. Most traditional signature-based anti-virus systems were unable to detect and stop highly specialized targeted attacks such as these.

16 For more details, please visit www.messagelabs.com/mlireport/MLISpecialReport_2008_08_OlympicTargeted_Final.pdf
17 For more information, please visit www.vnunet.com/vnunet/news/2223416/malware-writers-juice-olympics

To further compound the problem, the email and its attachment appeared legitimate to some recipients who were not safeguarded, and who innocently forwarded it to a number of other news and sporting organizations.
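To turn the description of the Olympic attachment into something a mail gateway or an analyst can run, here is an added example written for this edit (not code from MessageLabs, and not derived from the attack itself) that triages a PDF by counting the names that mark embedded script and automatic actions, after inflating Flate-compressed streams and undoing the #xx escapes PDF allows inside names, and then flags a document whose script is wired to run as soon as it is opened. The two sample documents are constructed and deliberately minimal: the JavaScript in them is a placeholder alert, the object-stream layout is simplified, and neither is a real attachment.

```python
import re
import zlib

# Names whose presence makes a PDF worth a closer look. None of them is proof
# of malice on its own; script that runs automatically on open is the pattern
# described for the Olympic attachment.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia")

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# "endstream" also contains "stream", hence the lookbehind.
STREAM_BODY = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Undo #xx escapes inside PDF names, so /J#61vaScript reads /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return data followed by the inflated body of every stream zlib accepts.
    Object streams are routinely Flate-compressed, so a grep over the raw
    bytes sees nothing of the dictionaries inside them."""
    inflated = []
    for m in STREAM_BODY.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream, or damaged: nothing to add
        if out:
            inflated.append(out)
    return b"\n".join([data, *inflated])


def count_risky_names(data: bytes) -> dict:
    """Count each risky name after inflating streams and de-escaping names."""
    text = normalise_names(inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        # A name ends at the next delimiter, so /JS must not match /JSObject.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, text))
    return counts


def is_suspicious(data: bytes) -> bool:
    """True when the document carries script and arranges to run it without
    the reader asking (OpenAction or an additional-actions dictionary), or
    when it can launch an external program."""
    c = count_risky_names(data)
    has_script = c["/JavaScript"] + c["/JS"] > 0
    auto_runs = c["/OpenAction"] + c["/AA"] > 0
    return (has_script and auto_runs) or c["/Launch"] > 0


# Constructed samples, not real malware. The script action in SUSPICIOUS_PDF
# sits inside a Flate-compressed object stream and spells its name with a
# hex escape, two ordinary ways of keeping it out of a naive pattern match.
_HIDDEN_OBJECT = zlib.compress(
    b"6 0 << /S /J#61vaScript /JS (app.alert('constructed placeholder')) >>"
)
SUSPICIOUS_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
    b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
    % len(_HIDDEN_OBJECT),
    b"stream\n", _HIDDEN_OBJECT, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])
BENIGN_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, is_suspicious(doc), count_risky_names(doc))
```

A hit here is a reason to detonate the file or hand it to an analyst, not a verdict: legitimate forms carry /JS and /AA, and a real attachment may also hide its payload behind filters this script does not decode (ASCIIHex, LZW, or chained filters), which is exactly why the report notes that signature engines struggled with these attacks.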

Corporate Espionage

Similarly, semi-targeted attacks, in which the perpetrator may have gathered some additional intelligence through reconnaissance to supplement the social engineering aspects of the attack, have become more complex during 2008.
