Attacks/Breaches
2/9/2011
05:35 PM
50%
50%

Schwartz On Security: Big Bang Botnets Sometimes Self-Defeating

Do crimeware toolkits, SCADA malware, and spam-spewing worms become too big not to fail?

By most measures, malware and crimeware attacks are getting bigger and bolder. But could their scale also be their undoing?

Arguably, the best attack never reveals itself. Back in 2007, the breach into the IT systems of TJX, the parent company of T.J. Maxx and other retailers, progressed for more than a year before being spotted. Attackers had plenty of time to steal credit card numbers and line their pockets.

More recently, there's been Stuxnet -- everyone's new poster child for security Armageddon. But if it was so good, why was it discovered? As Apple's incoming global security chief, David Rice, noted in an online post a few months ago, whoever made Stuxnet blew four zero-day vulnerabilities on a piece of malware that arguably could have succeeded with just one. "Far from 'amazing,' as this malware is oft described, this was an operational fumble," he said.

Some are leveling the same charge at today's crimeware toolkit vendors. Mickey Boodaei, CEO of Trusteer, said via email that Zeus -- and now the new SpyEye Zeus hybrid -- has long included functionality designed to disable his company's Rapport, a free tool designed to block malware such as Zeus. But when malware takes aim at a security application, it's essentially broadcasting its presence. Accordingly, Rapport nukes Zeus.

"For malware, it's always better to keep a low profile," Boodaei said.

Instead, the SpyEye Zeus developer -- or developers -- seem to be operating like a Silicon Valley startup, replete with chief evangelist. "Using social marketing tactics that only companies like Google and Apple have been able to successfully utilize so far, they leaked a secret beta version to the media," Boodaei said. "The main features are visually highlighted so that every screen shot tells the story of why this is the next generation, game changing, most innovative piece of malware we've ever seen."

What's a malware toolkit vendor to do -- skew toward exclusivity, or aim for a high sales volume via low prices and heavy advertising? Beware the latter approach, as law enforcement agencies love a big takedown.

The equation is slightly different, however, for spam-spewing botnets and their related worms, where more of everything makes for tougher-to-stop malware. The latest version of the Waledac malware, for example, now carries 123,920 FTP credentials. What's a worm going to do with all of those passwords?

In an email, Fraser Howard, a principal virus researcher at Sophos, told me that the malware uses those credentials to upload its own pages to legitimate Web sites. These Waledac-built pages contain META tags to redirect people to spam Web sites, typically selling scareware, drugs, or fake drugs. Because attackers hide malicious redirects on legitimate sites and name their pages randomly -- think "sdfsdfsklj.html" -- they're difficult to detect, at least in isolation.

The overall goal is simple: to fake out spam filters. "By using a continually changing pool of URLs to legitimate sites -- albeit dodgy redirect pages on them -- they try to evade spam blocking," Howard said. "These legit sites may have a 'good reputation' and so are unlikely to trigger spam blocks." Accordingly, the more Web sites on which Waledac can hide its dodgy pages, the better. This makes detecting and blocking the worm's activities, or proactively blocking exploited Web pages, much more difficult.

Waledac also contains nearly half a million POP3 email account passwords, the better to relay spam. While the scale of that password harvesting might sound surprising, "it is pretty commonplace in all sorts of data stealers," Howard told me.

So bigger is better for worms that generate profits via spam. Then again, just like crimeware toolkits, spam-driven malware and botnets might make such a big splash that law enforcement agencies catch up with their authors -- as happened with Mariposa -- or white hat hackers find a way to take down the botnet itself, as happened with Conficker. Then crimeware and botnet operators, despite the profits, also know what it feels like to be a target.

SEE ALSO:

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

Schwartz On Security: First, Know You've Been Breached

Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.