
Top Attack Trends

CIOL Bureau

BANGALORE, INDIA: The explosive evolution of the internet is changing the way we communicate, every day. The web has enabled most of us to work smarter and be more efficient. It has also created a plethora of opportunities for devious attackers to steal information, misuse computers and infect systems with malicious software.


Symantec recaps the top attack trends that dominated the net in recent months. Unsurprisingly, variants of spam, which has grown to comprise 85 per cent of all email, dominate the list.

Recession Spam



The dark cloud of recession that has been hanging over the world for the past year has a silver lining - for spammers. They tried to tempt innocent web users into believing they could solve the financial woes that the world’s leaders are still struggling with.

While multimillion-dollar corporations were busy firing thousands of employees, dream jobs started landing up in our inboxes. However, anyone who fell for such bait out of curiosity or desperation would’ve had a rude awakening, with their carelessness resulting in private data being leaked, at the very least. Many who clicked through the links in some of these messages inadvertently downloaded a virus that enables hackers to take control of their email accounts.

Spammers didn’t stop with job offers: they also offered easy loans for no collateral, promised to enable profitable sale of property, and tried scaring users by sending ‘rejection letters’.


Poll attacks

The run-up to the Lok Sabha polls witnessed unprecedented investment by political parties in gaining visibility on the Web. With election fever catching on, hackers, spammers and every other cyber criminal are a busy lot. Political themes are a perfect opportunity for them, as they have strong appeal among a wide audience and play on the patriotic spirit.

During the recent elections, an Indian online non-profit portal that provides several voter services, including voter registration, voter list searching, election information, and assembly constituency searching, was targeted by hackers.

Symantec discovered that this site was compromised and its pages were contaminated with malicious JavaScript. The file that was uploaded to the site was the first link in a chain of JavaScript files that eventually led to a malicious PDF file. This file attempted to exploit vulnerable PDF readers. The payload of the malicious PDF then attempted to download malware to the compromised computer.


Tragedy

Tragedies, they say, bring out the best in everyone. As shown by the amount of unwanted and malicious mail that follows every tragic event, spammers are obviously an exception to this.

The Myanmar cyclone prompted an outpouring of aid to the affected regions from governments and individuals all over the world. It also prompted an avalanche of spam seeking donations that would never reach the intended victims.


The earthquake in China had a ripple effect on the web, with spammers using it to spread a virus. With infected emails given ‘newsy’ subject lines, readers were enticed to open a URL linked to a video. Hitting the ‘Play’ button, however, opened an executable file detected as Trojan.Peacomm.D. This Trojan gathers system information and email addresses from the compromised computer. The Peacomm family of Trojans is also commonly known as ‘Storm’.

Closer home, the ghastly 26/11 terror attacks that grabbed the attention of the world were also abused by spammers.

Conficker


One of the hottest topics of 2009 has undoubtedly been Downadup aka Conficker, a worm that had security experts on their toes. According to the Conficker Working Group, of which Symantec is a member, 35 million unique IP addresses have been infected by the worm since the beginning.

Since its appearance in late 2008, the Downadup worm has become one of the most widespread threats to hit the Internet in a number of years. A complex piece of malicious code, this threat could jump certain network hurdles, hide in the shadows of network traffic, and defend itself against attack with a deftness not often seen in today’s threat landscape. Yet it contained few previously unseen features. What set it apart was the sheer number of tricks it held up its sleeve.


W32.Downadup exploited vulnerabilities in unpatched Windows systems and propagated on peer-to-peer networks. But a limiting factor was that its propagation routine depended on a publicly available GeoIP data file used to determine IP location. When the GeoIP authors decided to remove it from the location called by the worm, the absence of this file made it difficult for the worm to spread as rapidly, reducing its propagation to local networks already infected.


The Downadup authors then packaged this GeoIP file within a new variant—W32.Downadup.B—along with a Swiss Army-like collection of secondary tricks in the hope that this would help the threat spread far and wide. The threat even protected itself from takeover. Transferred payload files were encrypted, as well as digitally signed, and only the Downadup authors had the key. A “hotpatching” routine for MS08-067 prevented further exploitation by other attackers or threats. The threat’s authors went to great lengths to prevent buffer overflow exploitation of their own code. No one was going to hijack this worm’s network of potential bots.

But the hidden danger behind all of this was the potential payload—Downadup contained the ability to update itself or receive additional files for execution. Again, not a new technique, but in this case the threat was generating a list of 250 new domains to connect to—every day. Any one of these domains could potentially contain an update that, if downloaded, would allow the threat to perform further malicious actions. Not only that, the threat contained its own peer-to-peer updating mechanism, allowing one infected computer to update another. Blocking access to the domains might protect you from one vector, but blocking a P2P update is a different matter.

All was quiet on the Downadup front until early March, when W32.Downadup.C began to appear on previously infected Downadup computers. More of an update than a new worm, this version didn’t include a propagation technique. New to this version was a function to end a variety of security-related processes. And where previous versions generated a list of 250 daily domains, this one created 50,000.

While there’s nothing new in this threat that hasn’t been seen earlier in one form or the other, and April Fool’s Day turned out to be a damp squib, the threat still remains and it’s best to patch Windows and update your computer security software.
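The daily domain lists described above leave a trace that defenders can look for: an infected host asks DNS for many distinct names that do not exist, because only a few of each day's candidates are ever registered. The following is an added example, not Symantec's code; it scans a constructed DNS log (format assumed: date, client IP, queried name, response code) and flags hosts with an unusual number of distinct unresolvable names in one day.

```python
"""Flag hosts whose DNS lookups look like a daily domain-generation sweep.

Added example, not Symantec's code. The log format is a constructed
illustration: "<date> <client-ip> <queried-name> <rcode>".
"""
from collections import defaultdict

# Constructed sample lines: 10.0.0.7 sweeps several never-registered names.
SAMPLE_LOG = """\
2009-03-05 10.0.0.5 mail.example.com NOERROR
2009-03-05 10.0.0.7 qwxzlvb.org NXDOMAIN
2009-03-05 10.0.0.7 ajhtrpe.net NXDOMAIN
2009-03-05 10.0.0.7 ukplmqa.info NXDOMAIN
2009-03-05 10.0.0.7 zzblmeu.com NXDOMAIN
2009-03-05 10.0.0.7 update.example.com NOERROR
2009-03-05 10.0.0.5 typo.examlpe.com NXDOMAIN
"""

def parse_line(line):
    """Split one log line into (date, client, name, rcode); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return tuple(parts)

def suspicious_hosts(log_text, threshold=3):
    """Return {(date, client): count} for hosts with at least `threshold`
    distinct NXDOMAIN names on one day. Each name counts once, so a single
    mistyped name retried many times does not trip the threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        date, client, name, rcode = rec
        if rcode == "NXDOMAIN":
            seen[(date, client)].add(name.lower())
    return {key: len(names) for key, names in seen.items() if len(names) >= threshold}

if __name__ == "__main__":
    for (date, client), n in sorted(suspicious_hosts(SAMPLE_LOG).items()):
        print(f"{date} {client}: {n} distinct unresolvable names")
```

The threshold of 3 fits the tiny sample; against real resolver logs it should be tuned to the baseline of the network, since a worm generating 250 or 50,000 candidates a day sits far above ordinary typo noise.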

Drive-by download

One of the most insidious forms of malware infection today is known as a “drive-by download”. Just browsing to a Web site allows executable content to be automatically downloaded on to a user’s computer without his knowledge or permission. No interaction is required. What’s even more worrying is that it’s no longer just the shady corners of the web that harbour malware; legitimate and reputable sites that most of us feel safe visiting can contain threats too.

First, the attacker finds a way into a ‘good’ Web site and inserts a hidden IFRAME into one or more pages. This link points to a separate site where the malicious code will be served up to the unsuspecting user.

The hidden IFRAME from the ‘good’ site causes the user’s browser to silently pull content from the ‘bad’ site. As it does so, the ‘bad’ site is able to determine what operating system, Web browser and vulnerable plug-ins are running on the user’s computer. It then sends specially crafted multimedia data that contains an attack to the victim's computer. Once this content has been played by the multimedia player, the attacker has gained control of the computer.

Leveraging the vulnerability present in the user’s multimedia player, one or more malware files are installed on the user’s computer.

The malicious code now steals personal information (e.g., online banking information, email, gaming passwords) and sends it back to the attacker. The entire attack is usually invisible to the victim and leaves no apparent clues to indicate that the computer has been compromised.
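Site owners can catch the first step of this chain, the hidden IFRAME injected into a ‘good’ page, by scanning their own HTML for frames that are sized to nothing or styled out of view. The following is an added example, not Symantec's code; the page it scans is constructed for illustration, and the hostnames in it are placeholders.

```python
"""Find IFRAMEs hidden from the user, the injection pattern described above.
Added example, not Symantec's code; the HTML below is constructed."""
from html.parser import HTMLParser

# Constructed sample: a 'good' page carrying two injected, invisible frames.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
<iframe src="http://bad.example.net/x.html" width="1" height="1"></iframe>
<div style="display: none"><iframe src="http://bad.example.net/y.html"></iframe></div>
</body></html>"""

def _is_hidden(attrs):
    """True if the tag's own attributes make it effectively invisible."""
    a = {k.lower(): (v or "").lower().replace(" ", "") for k, v in attrs}
    style = a.get("style", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:  # 1x1 or 0x0 frames; percentages and missing sizes count as visible
        return int(a.get("width", "100")) <= 1 or int(a.get("height", "100")) <= 1
    except ValueError:
        return False

class HiddenIframeFinder(HTMLParser):
    """Collects the src of every iframe that is hidden itself or nested
    inside a hidden ancestor (open elements are tracked on a stack)."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden?) for each open element
        self.findings = []
    def handle_starttag(self, tag, attrs):
        hidden = _is_hidden(attrs)
        if tag == "iframe" and (hidden or any(h for _, h in self.stack)):
            self.findings.append(dict(attrs).get("src") or "")
        self.stack.append((tag, hidden))
    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_iframes(html):
    """Return the src values of hidden iframes in page order."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A frame the scanner flags is not proof of compromise (some legitimate analytics widgets are also invisible), so compare findings against the page as it was published.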

Booming underground economy

Over the past year, the web has matured into an efficient, global marketplace in which stolen goods and fraud-related services are regularly bought and sold.

Numerous groups and organizations are active in the trade of fraudulent goods and services in this online ‘underground economy’. The majority of these groups function through Web-based forums devoted to online fraud.

Symantec observed that the potential value of goods advertised between July 1, 2007 and June 30, 2008 on underground economy servers was more than $276 million.

Credit card information comprised 31 per cent of the goods advertised, with financial accounts following at 20 per cent. While stolen bank account information sells for between $10 and $1,000, the average advertised stolen bank account balance is nearly $40,000.

As new tools and techniques to defraud legitimate users are developed every day, it’s clear that protection and mitigation against attacks must become an international priority.

Organizations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, ensuring that infected computers are removed and disinfected as soon as possible. They should also employ defense-in-depth strategies. Defense-in-depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Defense-in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.

Social networking sites

The web has changed the way we communicate: sharing our lives through blogs and vlogs, transferring money instantly and keeping our latest information posted on Facebook or Twitter. It’s just a little bit of harmless fun, right? Wrong.

As social networking proliferates, so do opportunities for scammers to steal bank numbers and other private data.

Social networking sites offer a rich set of features that enable users to share personal information as well as videos, music, and images with members of their network. Although the ability to share information and multimedia files is among social networking sites’ greatest strengths, hackers see these assets as new vectors to attack unsuspecting users.

First, people often divulge considerable amounts of personal information on these sites, including details about their employment. Attackers use information gathered from social networking sites to carry out targeted social engineering attacks, tricking victims into downloading malware or divulging sensitive information.

Social networking sites provide users with a wide variety of customization options and third-party applications. Users can customize details in their profile, include links to other sites, upload images, videos, and in some cases even embed code into their profile page.

The problem is that hackers can do all of these things as well. For example, they can customize their own profile or hijack another user’s profile to gain access to a social network and use information gathered from others to carry out a social engineering attack. Posing as a member of a social network, hackers can also post links, videos, and images to distribute malware.

SMSishing and SMS malware

SMS phishing (“SMSishing”) occurs when you receive an SMS message that is purportedly sent from a reputable source, such as your bank, asking for personal details. Although SMSishing first started a few years ago, the past few months have seen a rise in these attacks.

Another piece of bad news for the ever-increasing number of smartphone users in India: a deadly smartphone worm is on the prowl and could be sending them spam.

Malware creators have resurfaced, this time on your mobile phone, with a signed Symbian malware, SymbOS.Exy.C.

Going by names such as “Sexy View” or “Sexy Girl” and now “Sexy Space”, the threat propagates through suggestive SMS messages which direct message recipients to download the threat from an external URL.

The unsuspecting user is more likely to follow the link as it comes from someone they know. Once they do, they are invited to download the application that supposedly gives access to the pictures. What it actually does is install software that lets the authors harvest information, with the ultimate result being a flood of spam text messages directed at the owner.

This current threat also gathers information from the phone and sends it to predetermined addresses, in addition to spamming other phones via SMS and propagating.

When active, SymbOS.Exy.C also has a defense mechanism, making it difficult for the user to manually end the threat. Even though for the most part SymbOS.Exy.A/B was targeting mobile phone users in China, SymbOS.Exy.C is now being circulated in English, and was reported to have been discovered in the Middle East. Thanks to globalization, India, with its growing smartphone population, will not be far behind.

Michael Jackson spam

As the focus on Michael Jackson’s life and death continues, it is not surprising that spammers and malicious code authors have turned their attention towards it. Since his death on June 25, 2009, several spam and malware campaigns have taken shape.

Symantec has discovered a mass-mailing worm using Michael Jackson's death as bait. The worm sends out spam emails with the subject “Remembering Michael Jackson” and an attachment named “Michael songs and pictures.zip.” The .zip file contains another file called “MichaelJacksonsongsandpictures.doc.exe,” which is a copy of the worm that is executed on the user’s machine when the file is opened.
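The “.doc.exe” name above relies on Windows hiding the final extension, so the recipient sees what looks like a document. A mail gateway can refuse such archives before they reach an inbox; the following is an added example, not Symantec's code, which builds a harmless stand-in for the zip in memory and flags members whose real extension is executable, with a separate verdict for the disguised double-extension case.

```python
"""Flag archive members that carry an executable extension, including the
double-extension trick (".doc.exe") used by the worm described above.
Added example, not Symantec's code; the zip is built in memory here."""
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".doc", ".pdf", ".jpg", ".txt", ".xls", ".ppt"}

def classify_member(name):
    """Return None if harmless, 'executable' for a plain executable, or
    'disguised executable' when a document extension precedes the real one."""
    lower = name.rsplit("/", 1)[-1].lower()   # ignore any directory prefix
    parts = lower.split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return "disguised executable"
    return "executable"

def risky_members(zip_bytes):
    """Map each risky member name in the archive to its classification."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdict = classify_member(info.filename)
            if verdict:
                findings[info.filename] = verdict
    return findings

def build_sample_zip():
    """Constructed stand-in for 'Michael songs and pictures.zip'; member
    contents are placeholder bytes, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MichaelJacksonsongsandpictures.doc.exe", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, verdict in risky_members(build_sample_zip()).items():
        print(f"{member}: {verdict}")
```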

In another example, a spammer, pretending to be a Michael Jackson concert ticket officer based in London, sends out a message that requests the recipient’s information in order to receive reimbursement for the ticket.

Spammers also hid behind a spoofed message, which appears as a rip-off of a familiar social network notification, in an attempt to entice recipients to open a malicious URL.

Swine flu spam

Symantec Security Response has observed malware writers joining spammers in leveraging the Swine Flu to reach unsuspecting computer users. While samples are extremely limited, this appears to be yet another attempt by hackers to leverage current events as lures to distribute their malware.

Symantec Security Response has analyzed a malicious Adobe PDF document named “Swine influenza frequently asked questions.pdf.” When users attempt to open the PDF file, malcode within the PDF attempts to exploit an old Adobe vulnerability (BID 33751) in order to drop malware on the local computer.

Symantec detects the malicious PDF file as Bloodhound.Exploit.6 and the dropped malicious file contained in the PDF as InfoStealer.

Other examples of Swine Flu spam have included messages with links to a malicious video.

DDOS Attacks

Symantec Security Response recently monitored a DDoS attack affecting US and South Korean government, financial and media Web sites.

A portion of the attack was carried out by a piece of malware Symantec identified as w32.dozer and variants of the MyDoom worm that appear to be infecting computers globally.

DDoS (distributed denial of service) attacks try to block access to web sites by overwhelming those sites with traffic. To generate the traffic, attackers infect and remotely control other people’s computers. These infected computers (called Zombies) are assembled into a network (or botnet) that can be commanded to simultaneously send network traffic to the targeted websites.

The botnet that is responsible for the latest wave of attacks on US and S. Korean websites seems to have comprised up to 50,000 infected computers. Some botnets have commanded over 5 million computers. The worms behind the attack spread primarily by email, which downloads a package containing three elements: Trojan.dozer, a list of host sites and the MyDoom worm.

Shortly after the attack was discovered, Symantec found that the threat contains code that instructs infected systems to erase critical content on the hard drive. In addition to deleting data files, the code modifies the Master Boot Record so that when the system is rebooted, it renders the system inoperable.
