The cyber-gangsters' "weapons" and the state of Internet security

Monday, May 10, 2010

Roman Zeltser


Writing an article about Chinese hackers (all 3 parts were published here - please use the search to find them) I had to explain why it's difficult to fight against them due to a wide range of tools, methods and existing vulnerability of operating systems and applications in addition to the specific political conditions in China. Since this material turned to more than 15-page information, I have decided to put it into a separate article. So, it's offered here.


Before talking about hackers, let's define who are we dealing with? Who are the people or organizations that are motivated to dedicate their intelligence and skills to a dirty business of exploiting computer systems?

Andrew M. Colarik of the USA and Lech J. Janczewski of New Zealand state that, "In the context of information security, terrorists may come in many forms such as politically motivated, anti-government, anti-world trade, and pro-environmental extremists". They further state, "Cyber terrorism means premeditated, politically motivated attacks by sub-national groups or clandestine agents, or individuals against information and computer systems, computer programs, and data that result in violence against non-combatant targets".
 Let's add the money-motivated hackers, and you see the picture of the enemy.

The goal of money-motivated hackers is to benefit from money inflow:
  •           with cyber espionage (to get the advanced technology secrets; to disrupt the competitors' networks; or to embarrass competitor and gain the advantage in the same field of business);
  •           by acting as a "cyberbully" and demand money by various methods of electronic blackmailing;
  •           by breaking into financial organizations' computer systems and transfer money to offshore accounts;
  •           by stealing the valuable information and re-sell it to those who wants to use it for own advantage (example: stealing credit card account information and reselling it);  
  •           by "building" the botnets for DDoS attacks and sell the right to use it;
  •           with identity theft by using stolen information to transfer money out of the bank accounts or to buy the goods from the Internet-based stores with newly opened credit cards;
I am sure there are few more methods but you got an idea.
According to a new study from McAfee, data theft and breaches from cybercrime may have cost businesses last year as much as $1trillion globally in lost intellectual property and resources for repairing the damage.
The goal of cyber-terrorists is to intimidate or force a government or its people to perform the changes that serve attacker's political and social objectives or political motivation. The goal also can be described as a disruption of major infrastructures of the country (e.g. nuclear plants, energy supply systems, defense infrastructure, and similar) in order to gain quick advantage in the pre-planned geo-political action.

Whether you want to call it "cyber terrorism" or only "information warfare", unfortunately, it's not the theory, it's the reality (read my blog about cyber attack on Estonia). As you see, political views have various forms and can be the main motivational factor to be engaged in unlawful attacks or threats of attacks against computers, networks, and the information infrastructure.

I don't know if anyone assigned a name "cyber-gangsters" to all the people and organizations that are politically or financially - motivated to utilize multiple weaknesses of computer systems in order to achieve particular goals but I feel it's appropriate and I will use this term.

The cyber-gangsters' "weapons"
Neither definition-based anti-virus nor any other single solution is enough to block modern threats. Zero-day attacks, "mutating" viruses, or targeted attacks are all high-risk situations requiring an additional layer of protection. Our widely accepted security standards do not meet the needs either. In fact, the PCI standard for financial institutions and 3rd-party vendors involved into financial transactions that is considered pretty tough proved to be inefficient. The cyber-gangsters using the sophisticated sniffer software were able to penetrate into Heartland Payment System AFTER they passed their PCI DSS audit. The result of the breach and lost data for the company was disastrous.
"The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all time high of 31,173 in December, an 827 % increase from January of 2008." Source: Anti-Phishing Working Group, Phishing Activity Trends Report 

Let's look what the "weapons" that are used by cyber-gangsters against personal computer and computer network (not a complete list, for sure).
-         Zero-day attacks
-         "Mutating" viruses
-         Targeted attacks (DDoS) utilizing botnets
-         Application exploits (including SQL injection) due to OS and applications design problems
-         Cross-Site scripting
-         Social Networking site exploits
-         Browser exploits
-         Hosted site exploits
-         P-2-P networking infection
-         Smartphone attacks
-         Wi-Fi protocol weaknesses exploits
-         Social Engineering to collect the information for the following attack
-         Malicious e-mails and spam - based infections
-         Creating malicious underground organizations to assist in cyber exploits and attacks
-         Identity theft (which has also been linked to terrorist activity)
-         Keyloggers, mouse-loggers, etc
-         Rogue Blogs pollution
-         Search engine results manipulation to redirect user to malicious web sites
-         Two-factor authentication circumvention

Why do we loose a war with cyber-gangsters? Imagine that you are a network or security administrator. You will have to take care about a wide range of vulnerable spots in your network, computers, and applications. This range becomes wider every day. As for hackers, it's enough to find only ONE VULNERABLE SPOT and you are fried. Do you see the difference?  

1. Infected with a virus
There are various virus-detection technologies, regular or more advanced; however, modern malware can successfully avoid virus detection attempts. None of the today's technologies are able to clean 100% of viruses. The number of various viruses and their variants is well over half of a million, and every day there more and more news about newly created and more sophisticated viruses, worms, and their "brothers"' variants.

As the software engineer pointed in the article (the link above), it is not easy to design the anti-virus software that will be able to detect new viruses since you don't know where to look and what to expect. So, no matter how the technology is advanced, we're still working in the reactive mode.

The "success" of newly-created viruses is obvious. In accordance to the, the Conficker A+B virus has infected ~5.9 Millions of PCs, the Conficker C- ~290,000 PCs, and the last variant of Conficker A+B+C -~6.3 Millions of PCs. One in 7 computers infected with Conficker are hosted on Chinese Internet service provider (ISP) Chinanet. The number of infected PCs proves one more time that the most of the virus infections occur on the PCs that are not properly and timely managed. The protection could be achieved simply by installing patch MS8-067 or disabling AutoPlay on a Windows OS.

I don't need to point you to the numerous news about new infections happened almost every day on a large scale. In accordance to Norton Symantec anti-virus company, the top 100 infected sites had on average 18,000 threats and 40 per cent of the sites had more than 20,000 threats. An astounding 75 % of websites on the list were found to be distributing "malware" for more than 6 months. This is the world we live in.

I don't know if you heard anything about Zeus virus but this is the one that successfully avoids most of the anti-virus scanners available today. In fact, the effectiveness of an up to date anti-virus against Zeus is not 100%, not 90%, not even 50% - it's just 23%. Its popularity has also encouraged the opening of the Zeus Tracker which currently list 537 active cyber-gangsers domains, with the majority of them hosted in Russia, the U.S and China, followed by the Netherlands, Ukraine and Germany.

Does it mean we should not spend money and use the anti-virus programs since they don't guarantee 100% virus-free PC? Not at all, some protection is better than nothing. Ask any computer specialist, and every one of them has its own opinion which anti-virus program is better. I have also shared my experience in this blog after I have replaced all anti-virus and anti-spyware programs on my PC with the only one - VIPRE from Sunbelt. Follow the link and find out why I have chosen this product and more details with screenshots.

2. Applications and OS design problems
If the operating systems and applications were designed with a tough security in mind would you see the daily headlines like these?
-         Microsoft confirms 'detailed' Windows 7 exploit;
-         Typical weekly Security Vulnerability Alert (
  •           Windows                                                                     4 
  •           Microsoft Office                                                          9 
  •           Other Microsoft Products                                            1 
  •           Third Party Windows Apps                                          4
  •           Mac Os                                                                      21 
  •           Linux                                                                          2
  •           BSD                                                                           1
  •           Solaris                                                                        4
  •           Aix                                                                              1
  •           Cross Platform                                                              9
  •           Web Application' Cross Site Scripting                             5
  •           Web Application“ SQL Injection                                      1
  •           Web Application                                                             8
  •           Network Device                                                              3

-         VMware has advised of a total of 93 vulnerabilities in several of its products, including ESXServer, VirtualCenter, and vCenter.
-         Secunia's typical report:
o        [SA37448] Internet Explorer Layout Handling Memory Corruption Vulnerability
o        [SA37318] Microsoft Windows Win32k Kernel-Mode Driver Multiple Vulnerability
o        [SA24314] Internet Explorer Charset Inheritance Cross-Site Scripting Vulnerability
o        [SA35948] Adobe Flash Player Multiple Vulnerabilities
o        [SA37314] Windows Web Services on Devices API Memory Corruption Vulnerability
o        [SA37273] Google Chrome Two Vulnerabilities
o        [SA36983] Adobe Reader/Acrobat Multiple Vulnerabilities
o        [SA37313] Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
o        [SA37277] Microsoft Office Word File Information Block Parsing Buffer Overflow
o        [SA37309] Microsoft Windows Win32k Kernel-Mode Driver Privilege Escalation

3. Web application security problems
There have been more than 250,000,000 customer record breaches since January, 2005. Each of those compromised records costs companies' on average $202 with the total cost of a data breach ranges from $613,000 to $32,000,000. There two options for compromising the web server: brute force password guessing and web application attacks. In accordance to Imperva, the most destructive attack techniques are: SQL Injection, Cross-Site Scripting, and Cookie Poisoning.

 SQL Injection
SQL Injection continues to be one of the most predominant Web application threats that affect commercial and custom web applications (83% of Enterprises Experienced a Database Breach Last Year). Considering the widespread availability of valuable data on the Web, the popularity of e-commerce and dependency on the web for all kinds of information, attackers are motivated to implement faster, more advanced SQL injection methods to launch high profile, widespread attacks on targeted web sites such as an automated SQL injection via search engines, SQL Injection for web site defacement, malware distribution for Denial of Service (DoS) attacks, and direct database SQL Injection that takes advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a back-end database.

Recent news: Another 1.5 million websites associated with the newest series of SQL injection attacks have been found by network security specialist eSoft.
          Cross-Site Scripting (XSS or CSS): attack that takes advantage of a Web site vulnerability in which the site displays content that includes un-sanitized, user-provided data.
          Cookie Poisoning: attack that modifies the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. 
         Design flaw: Every application security problem starts with poor design. In addition to thousands of desktop/server operating systems vulnerabilities, when you run the application on a top of it, it adds more vulnerability since the initial design was performed by the programmers who are not savvy in application security. Poor design is a cause of many problems that are exploited by not-to-our-surprise savvy hackers. It is the reason why the number of application vulnerabilities greatly exceeds the number of operating systems vulnerabilities.

To mitigate this problem, SANS Institute began educating programmers in application design security and even introduced a new security certification targeting the army of programmers. 

4. The problem of botnets
The new technology, Web 2.0, browser-based computing, and mobile platforms give rise to a new breed of threat: stealthy Web-borne malware used to build botnets of enterprise and consumer PCs to steal customer data, intellectual property, and user credentials.
There are between 4 and 6 million computers scattered across the globe that have been compromised by cyber-gangsters without the users' knowledge. Botnets contribute to more than 87% of all unsolicited mail, equating to approximately 151 billion emails a day.

Last September, a botnet research group Shadowserver was monitoring more than 3750 distinct botnets averaging 20,000 or more bots each, with some containing more than a million infected PCs (!). Bots are so inexhaustible because they install as Trojans from malicious websites, bypassing many of today's security controls.

There are millions of PCs that are unpatched with the latest security fixes from many vendors. All of them are easy targets for "botnet kings".

I want particularly discuss the so-called Fast-flux and Double-flux botnets because they are prime example of sophistication that the cyber-gangster have these days.
Fast flux (fluctuation) is a technique to continuously move the location of a Web, email, or DNS server from computer to computer on the botnet in an effort to hide its malicious activity (spamming or phishing) and make the detection more difficult. IP blacklists that I personally use against spamming of my e-mails are basically useless in finding fast flux-based botnets.

"Double-flux, as you may guess, is similar to Fast flux but with double trick. With Double flux, the DNS name servers that resolve the Web host names are moved from computer to computer, so you don't know where you are actually connected (and in many instances, you are connected to the proxy pointed to the web server but not to the actual web server. To add even more protection against investigators, many of these systems encrypt (!) their communications, which makes it even more difficult (and close to impossible) to track their activities.

With compromised computers issuing 83% of the 107 billion spam messages distributed globally each day, the shutdown of botnet hosting ISPs, such as McColo in 2008 and Real Host in 2009, appear to have made botnets re-evaluate and enhance their backup strategy to enable recovery in just hours. It is predicted that in 2010 botnets will become autonomously intelligent, with each node containing an inbuilt self-sufficient coding in order to coordinate and extend its own survival. (Source: MessageLabs Intelligence 2009 Annual Security Report)
Are you seeing what I'm seeing?  There is no light in the end of a tunnel, and so far, we are terribly losing the cyber war.

5. Social networking sites problems with uneducated users and security

As technology advances, the cyber-gangsters are on the leading edge. The "break-into-the-system" old methods still take place but now they build the web sites with malicious content, turn their greedy eyes to the social networking web sites, and employ the latest and sophisticated technologies to achieve own goal.

For instance, with over 350 million users (!) of Facebook, this social networking web site becomes a prime target for cyber-gangsters. I have no doubts that the FSB (former KGB) has a copy of all Facebook accounts coupled with scientific analysis software to filter down the most useful intelligence data on citizens of many countries, and especially, United States. Hey, it's almost free database with people who have no clue that their opinions, personal information, employment, personal preferences, and pictures are being thoroughly analyzed and stored in the mainframe computer. I would be surprised if China is not following the same plan, or, perhaps, Russians share their intelligence data with their partner? Thank you, Facebook!

Do you think I am speculating? If the U.S. Government officials reported that in-spite all the efforts to protect the network, they miss at least 20% of all attacks, what the Facebook security personnel can do better? Yes, now they might have enough cash to buy good equipment and security software but we all know that it's not enough. It is the case when "social networking" is being used for "social engineering".

 There is a great Top Ten 2010 Social Networking Websites Review Comparison web site that also highlights the security measures applied on each site (Privacy Settings, Block Users, Report Spam, Report Abuse, safety tips). Most sites have information pages dedicated to educating users about the risks of Internet scams but what the chart is missing? One of the most important parameters is how the web sites are protected against phishing and malware attacks. And here is a "proof":

  • Beware: Spam on Facebook and Twitter has reached epidemic.
  • Koobface (social networking worm). It gains access to Facebook profile pages and directs you to view a video that then encourages you to update your Flash player. Malicious files such as flash_update.exe and bloivar29.exe are being downloaded and installed which results in a range of visible problems, including modifications to your Facebook profile, with the immediate result being an error message to contact support.
  • The attack that took down Twitter on 12/9/2009 used legitimate credentials to log in and redirect to a site purporting to be under the control of the Iranian Cyber Army. According to Twitter, the DNS (Domain Name System) settings for were hijacked, resulting in roughly 80 percent of the traffic from the site being redirected elsewhere from 9:46 p.m. to 11 p.m. PST.
  • Lost My Phone, Give Me Your Number!! Groups On Facebook Are A Spammer's Paradise
  • Facebook password-reset spam is Bredolab botnet attack
  • Sophos warns of Facebook 'Rubber Duck' identity theft. A Sophos Asia-Pacific recently installed the Facebook equivalent of a honeypot hacker and discovered how easy to steal an identity on Facebook.
Why the social networking sites became the targets of many cyber-gangsters? The answer is simple. According to FBI, those sites are "a gold mine of personal information" that can be stripped down redirecting users to malicious web sites through innocent link or video. Considering the average Facebook user, for instance, has about 120 friends, it's easy to imagine how the links are distributed and multiplied. Now consider the second number: 300 millions. It is the number of Facebook users. Doing a simple math calculation we are facing a nightmare situation with the security.

"The cyber-criminals are very adept to using social engineering," said Donald DeBold, director of threat research for CA, an Internet security company. "Your friend is in trouble traveling in another country, 'I lost my wallet. I need help.' They exploit the curiosity aspect out of human nature."

This information is distributed not only on social networking sites but also by e-mails harvested in advance. A friend of mine recently called me with a warning that I may receive e-mail with a request to send him money since "he is in London now, and someone stole his wallet but this is not true". I have explained him how the e-mail harvesting works and why his contact list may receive the "cry-help" e-mails. The first recommendation is to quickly change your e-mail address.

I don't say that social networking web sites are doing nothing to protect its users. For instance, Facebook has developed automated systems that detect compromised accounts. They spot and freeze accounts that are sending an unusually high number of messages to their friends. 
Enterprise Security Security Awareness Breaches Privacy
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.