Attacks/Breaches
2/9/2011
05:35 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz On Security: Big Bang Botnets Sometimes Self-Defeating

Do crimeware toolkits, SCADA malware, and spam-spewing worms become too big not to fail?

By most measures, malware and crimeware attacks are getting bigger and bolder. But could their scale also be their undoing?

Arguably, the best attack never reveals itself. Back in 2007, the breach into the IT systems of TJX, the parent company of T.J. Maxx and other retailers, progressed for more than a year before being spotted. Attackers had plenty of time to steal credit card numbers and line their pockets.

More recently, there's been Stuxnet -- everyone's new poster child for security Armageddon. But if it was so good, why was it discovered? As Apple's incoming global security chief, David Rice, noted in an online post a few months ago, whoever made Stuxnet blew four zero-day vulnerabilities on a piece of malware that arguably could have succeeded with just one. "Far from 'amazing,' as this malware is oft described, this was an operational fumble," he said.

Some are leveling the same charge at today's crimeware toolkit vendors. Mickey Boodaei, CEO of Trusteer, said via email that Zeus -- and now the new SpyEye Zeus hybrid -- has long included functionality designed to disable his company's Rapport, a free tool designed to block malware such as Zeus. But when malware takes aim at a security application, it's essentially broadcasting its presence. Accordingly, Rapport nukes Zeus.

"For malware, it's always better to keep a low profile," Boodaei said.

Instead, the SpyEye Zeus developer -- or developers -- seem to be operating like a Silicon Valley startup, replete with chief evangelist. "Using social marketing tactics that only companies like Google and Apple have been able to successfully utilize so far, they leaked a secret beta version to the media," Boodaei said. "The main features are visually highlighted so that every screen shot tells the story of why this is the next generation, game changing, most innovative piece of malware we've ever seen."

What's a malware toolkit vendor to do -- skew toward exclusivity, or aim for a high sales volume via low prices and heavy advertising? Beware the latter approach, as law enforcement agencies love a big takedown.

The equation is slightly different, however, for spam-spewing botnets and their related worms, where more of everything makes for tougher-to-stop malware. The latest version of the Waledac malware, for example, now carries 123,920 FTP credentials. What's a worm going to do with all of those passwords?

In an email, Fraser Howard, a principal virus researcher at Sophos, told me that the malware uses those credentials to upload its own pages to legitimate Web sites. These Waledac-built pages contain META tags to redirect people to spam Web sites, typically selling scareware, drugs, or fake drugs. Because attackers hide malicious redirects on legitimate sites and name their pages randomly -- think "sdfsdfsklj.html" -- they're difficult to detect, at least in isolation.

The overall goal is simple: to fake out spam filters. "By using a continually changing pool of URLs to legitimate sites -- albeit dodgy redirect pages on them -- they try to evade spam blocking," Howard said. "These legit sites may have a 'good reputation' and so are unlikely to trigger spam blocks." Accordingly, the more Web sites on which Waledac can hide its dodgy pages, the better. This makes detecting and blocking the worm's activities, or proactively blocking exploited Web pages, much more difficult.

Waledac also contains nearly half a million POP3 email account passwords, the better to relay spam. While the scale of that password harvesting might sound surprising, "it is pretty commonplace in all sorts of data stealers," Howard told me.

So bigger is better for worms that generate profits via spam. Then again, just like crimeware toolkits, spam-driven malware and botnets might make such a big splash that law enforcement agencies catch up with their authors -- as happened with Mariposa -- or white hat hackers find a way to take down the botnet itself, as happened with Conficker. Then crimeware and botnet operators, despite the profits, also know what it feels like to be a target.

SEE ALSO:

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

Schwartz On Security: First, Know You've Been Breached

Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

CVE-2014-3991
Published: 2014-07-11
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu pa...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.