Attacks/Breaches
2/9/2011
05:35 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz On Security: Big Bang Botnets Sometimes Self-Defeating

Do crimeware toolkits, SCADA malware, and spam-spewing worms become too big not to fail?

By most measures, malware and crimeware attacks are getting bigger and bolder. But could their scale also be their undoing?

Arguably, the best attack never reveals itself. Back in 2007, the breach into the IT systems of TJX, the parent company of T.J. Maxx and other retailers, progressed for more than a year before being spotted. Attackers had plenty of time to steal credit card numbers and line their pockets.

More recently, there's been Stuxnet -- everyone's new poster child for security Armageddon. But if it was so good, why was it discovered? As Apple's incoming global security chief, David Rice, noted in an online post a few months ago, whoever made Stuxnet blew four zero-day vulnerabilities on a piece of malware that arguably could have succeeded with just one. "Far from 'amazing,' as this malware is oft described, this was an operational fumble," he said.

Some are leveling the same charge at today's crimeware toolkit vendors. Mickey Boodaei, CEO of Trusteer, said via email that Zeus -- and now the new SpyEye Zeus hybrid -- has long included functionality designed to disable his company's Rapport, a free tool designed to block malware such as Zeus. But when malware takes aim at a security application, it's essentially broadcasting its presence. Accordingly, Rapport nukes Zeus.

"For malware, it's always better to keep a low profile," Boodaei said.

Instead, the SpyEye Zeus developer -- or developers -- seem to be operating like a Silicon Valley startup, replete with chief evangelist. "Using social marketing tactics that only companies like Google and Apple have been able to successfully utilize so far, they leaked a secret beta version to the media," Boodaei said. "The main features are visually highlighted so that every screen shot tells the story of why this is the next generation, game changing, most innovative piece of malware we've ever seen."

What's a malware toolkit vendor to do -- skew toward exclusivity, or aim for a high sales volume via low prices and heavy advertising? Beware the latter approach, as law enforcement agencies love a big takedown.

The equation is slightly different, however, for spam-spewing botnets and their related worms, where more of everything makes for tougher-to-stop malware. The latest version of the Waledac malware, for example, now carries 123,920 FTP credentials. What's a worm going to do with all of those passwords?

In an email, Fraser Howard, a principal virus researcher at Sophos, told me that the malware uses those credentials to upload its own pages to legitimate Web sites. These Waledac-built pages contain META tags to redirect people to spam Web sites, typically selling scareware, drugs, or fake drugs. Because attackers hide malicious redirects on legitimate sites and name their pages randomly -- think "sdfsdfsklj.html" -- they're difficult to detect, at least in isolation.

The overall goal is simple: to fake out spam filters. "By using a continually changing pool of URLs to legitimate sites -- albeit dodgy redirect pages on them -- they try to evade spam blocking," Howard said. "These legit sites may have a 'good reputation' and so are unlikely to trigger spam blocks." Accordingly, the more Web sites on which Waledac can hide its dodgy pages, the better. This makes detecting and blocking the worm's activities, or proactively blocking exploited Web pages, much more difficult.

Waledac also contains nearly half a million POP3 email account passwords, the better to relay spam. While the scale of that password harvesting might sound surprising, "it is pretty commonplace in all sorts of data stealers," Howard told me.

So bigger is better for worms that generate profits via spam. Then again, just like crimeware toolkits, spam-driven malware and botnets might make such a big splash that law enforcement agencies catch up with their authors -- as happened with Mariposa -- or white hat hackers find a way to take down the botnet itself, as happened with Conficker. Then crimeware and botnet operators, despite the profits, also know what it feels like to be a target.

SEE ALSO:

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

Schwartz On Security: First, Know You've Been Breached

Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0761
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows remote attackers to cause a denial of service (infinite loop or process crash) via a crafted TCP packet.

CVE-2014-0762
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows physically proximate attackers to cause a denial of service (infinite loop or process crash) via crafted input over a serial line.

CVE-2014-2380
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file.

CVE-2014-2381
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.

CVE-2014-3344
Published: 2014-08-27
Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq31129, CSCuq3...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.