2/9/2011
05:35 PM

Schwartz On Security: Big Bang Botnets Sometimes Self-Defeating

Do crimeware toolkits, SCADA malware, and spam-spewing worms become too big not to fail?

By most measures, malware and crimeware attacks are getting bigger and bolder. But could their scale also be their undoing?

Arguably, the best attack never reveals itself. Back in 2007, the breach into the IT systems of TJX, the parent company of T.J. Maxx and other retailers, progressed for more than a year before being spotted. Attackers had plenty of time to steal credit card numbers and line their pockets.

More recently, there's been Stuxnet -- everyone's new poster child for security Armageddon. But if it was so good, why was it discovered? As Apple's incoming global security chief, David Rice, noted in an online post a few months ago, whoever made Stuxnet blew four zero-day vulnerabilities on a piece of malware that arguably could have succeeded with just one. "Far from 'amazing,' as this malware is oft described, this was an operational fumble," he said.

Some are leveling the same charge at today's crimeware toolkit vendors. Mickey Boodaei, CEO of Trusteer, said via email that Zeus -- and now the new SpyEye Zeus hybrid -- has long included functionality designed to disable his company's Rapport, a free tool designed to block malware such as Zeus. But when malware takes aim at a security application, it's essentially broadcasting its presence. Accordingly, Rapport nukes Zeus.

"For malware, it's always better to keep a low profile," Boodaei said.

Instead, the SpyEye Zeus developer -- or developers -- seem to be operating like a Silicon Valley startup, replete with chief evangelist. "Using social marketing tactics that only companies like Google and Apple have been able to successfully utilize so far, they leaked a secret beta version to the media," Boodaei said. "The main features are visually highlighted so that every screen shot tells the story of why this is the next generation, game changing, most innovative piece of malware we've ever seen."

What's a malware toolkit vendor to do -- skew toward exclusivity, or aim for a high sales volume via low prices and heavy advertising? Beware the latter approach, as law enforcement agencies love a big takedown.

The equation is slightly different, however, for spam-spewing botnets and their related worms, where more of everything makes for tougher-to-stop malware. The latest version of the Waledac malware, for example, now carries 123,920 FTP credentials. What's a worm going to do with all of those passwords?

In an email, Fraser Howard, a principal virus researcher at Sophos, told me that the malware uses those credentials to upload its own pages to legitimate Web sites. These Waledac-built pages contain META tags to redirect people to spam Web sites, typically selling scareware, drugs, or fake drugs. Because attackers hide malicious redirects on legitimate sites and name their pages randomly -- think "sdfsdfsklj.html" -- they're difficult to detect, at least in isolation.

The overall goal is simple: to fake out spam filters. "By using a continually changing pool of URLs to legitimate sites -- albeit dodgy redirect pages on them -- they try to evade spam blocking," Howard said. "These legit sites may have a 'good reputation' and so are unlikely to trigger spam blocks." Accordingly, the more Web sites on which Waledac can hide its dodgy pages, the better. This makes detecting and blocking the worm's activities, or proactively blocking exploited Web pages, much more difficult.
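The redirect pages Howard describes are hard to spot in isolation, but a site owner who can read their own web root has an easier job than a spam filter does. The following added example (not code from the article, Sophos or any Waledac analysis) scans a set of HTML pages for the pattern described above: a META refresh that sends visitors to an external host, on a page with a random-looking filename and almost no visible text. The sample pages, the site host `www.example.com` and the consonant-run heuristic for "random-looking" are constructed assumptions for illustration.

```python
"""Hunt for planted meta-refresh redirect pages on a site you administer.

Heuristic (assumed, not from the article): a page whose only real job is to
bounce visitors to an external host, especially one with a random-looking
filename and almost no visible text, is the kind of spam-redirect plant
described above.
"""
import os
import re
from urllib.parse import urlparse

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
TAG_RE = re.compile(r"<[^>]+>")
VOWELS = set("aeiouy")


def meta_attrs(tag):
    """Return the attributes of one <meta ...> tag as a dict with lower-cased keys."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def meta_refresh_target(html):
    """Return the URL a <meta http-equiv="refresh"> tag sends the visitor to, or None."""
    for tag in META_TAG_RE.findall(html):
        attrs = meta_attrs(tag)
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            continue
        # content looks like "0;url=http://host/path" (case and quoting vary)
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", attrs.get("content", ""), re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def is_external(url, site_host):
    """True when the redirect leaves our own host (relative URLs are internal)."""
    host = urlparse(url).netloc.lower()
    return bool(host) and host != site_host.lower()


def looks_random(filename):
    """Crude heuristic: five or more consonants in a row is unusual for a real page name."""
    stem = os.path.splitext(os.path.basename(filename))[0].lower()
    run = longest = 0
    for ch in stem:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest >= 5


def visible_text(html):
    """Words a visitor would actually see once tags are stripped."""
    return TAG_RE.sub(" ", html).split()


def scan_pages(pages, site_host):
    """pages: {filename: html}. Returns {filename: {"target": url, "reasons": [...]}}."""
    findings = {}
    for name, html in pages.items():
        target = meta_refresh_target(html)
        if not target or not is_external(target, site_host):
            continue  # no redirect, or a redirect that stays on our own site
        reasons = ["meta refresh to external host %s" % urlparse(target).netloc]
        if looks_random(name):
            reasons.append("random-looking filename")
        if len(visible_text(html)) <= 3:
            reasons.append("almost no visible text")
        findings[name] = {"target": target, "reasons": reasons}
    return findings


def scan_directory(root, site_host):
    """Walk a web root on disk and run the same checks on every .html/.htm file."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    pages[os.path.relpath(path, root)] = fh.read()
    return scan_pages(pages, site_host)


# Constructed sample pages standing in for files found in a site's web root.
SAMPLE_PAGES = {
    "index.html": "<html><head><title>Acme Widgets</title></head>"
                  "<body><h1>Welcome</h1><p>Our catalogue is below.</p></body></html>",
    # legitimate internal redirect: should NOT be flagged
    "about.html": "<html><head><meta http-equiv='refresh' content='0;url=/contact.html'>"
                  "</head><body></body></html>",
    # planted redirect pages of the kind described in the article (constructed)
    "sdfsdfsklj.html": '<html><head><meta http-equiv="refresh" '
                       'content="0; URL=http://pharma-example.invalid/buy"></head><body></body></html>',
    "qwzxkvjhgp.html": "<html><head><META HTTP-EQUIV='Refresh' "
                       "CONTENT='1;url=http://scareware-example.invalid/'></head><body>loading</body></html>",
}

if __name__ == "__main__":
    for name, info in scan_pages(SAMPLE_PAGES, "www.example.com").items():
        print("%s -> %s (%s)" % (name, info["target"], "; ".join(info["reasons"])))
```

Run against a real web root with `scan_directory("/var/www/html", "www.example.com")`; the filename and text-length checks only add reasons, so the one condition that gets a page flagged at all is an external META refresh, which keeps internal redirects such as `about.html` out of the report.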

Waledac also contains nearly half a million POP3 email account passwords, the better to relay spam. While the scale of that password harvesting might sound surprising, "it is pretty commonplace in all sorts of data stealers," Howard told me.

So bigger is better for worms that generate profits via spam. Then again, just like crimeware toolkits, spam-driven malware and botnets might make such a big splash that law enforcement agencies catch up with their authors -- as happened with Mariposa -- or white hat hackers find a way to take down the botnet itself, as happened with Conficker. Then crimeware and botnet operators, despite the profits, also know what it feels like to be a target.

