M86 Security Labs Report

Security Labs Report: Jul 2009 - Dec 2009 Recap

m86security.com


CONTENTS

Introduction
Key Points of this Report
Spam
    Spam Rebounds with Vengeance
    Botnet Sources of Spam
    Botnet Disruption
    Spam Types
    Affiliate Programs
    Malicious Spam
    Zeus Campaigns from Pushdo
    Virut Distributing Spambots
Web
    Black Hat SEO
    Zero-Day Application Vulnerabilities
    The Dummies Guide to Attack Toolkits
    Adobe PDF Attacks
    Rise in Twitter Attacks
    Abuse of URL Shorteners
Recommendations
Glossary of Terms

INTRODUCTION

This report has been prepared by the M86 Security Labs team. It covers key trends and developments in Internet security over the last six months, as observed by the security analysts at M86 Security Labs.

M86 Security Labs is a group of security analysts specializing in Email and Web threats, from spam to malware. They continuously monitor and respond to Internet security threats. The Security Labs' primary purpose is to provide a service to M86 customers as part of standard product maintenance and support. This service includes updates to M86's unique, proprietary anti-spam technology, SpamCensor, and Web threat and vulnerability updates to the M86 Secure Web Gateway products, which are able to proactively detect and block new and emerging exploits and threats and the malware they serve.

M86 Security Labs analyzes spam, phishing and malware, follows Internet security trends, and is well recognized in the industry for being among the first to study the effect of the emerging botnets, as well as for reporting on the in-the-wild use of newly discovered vulnerabilities and the exploits using them. Every day, the Security Labs analyzes over 7 million distinct Email messages. Looking for patterns and emerging trends, and correlating that with the Web exploit and vulnerability research, provides M86 with a very complete Internet threat vantage point.

Data and analysis from M86 Security Labs is continuously updated and always accessible online at our website: http://www.m86security.com/labs

You can find us on Twitter at: http://twitter.com/m86labs

KEY POINTS OF THIS REPORT

• Spam volumes increased dramatically in 2009, to over 200 billion per day, with the vast majority sent through botnets of infected computers. In the second half of 2009, 78% of all spam by volume originated from the top 5 botnets alone.

• Malicious spam dramatically increased in volume, reaching 3 billion messages per day, compared to 600 million messages per day in the first half of 2009.

• Even with adequate protection from antivirus software, zero-day vulnerabilities left users vulnerable to potential attacks 40% of the time (in the 2nd half of 2009).

• Twitter attacks are increasing, benefiting from the use of shortened URLs. The use of shortened URLs has grown significantly, especially with the growing adoption of Twitter. They have become a new darling for attackers, making it easy to obscure malicious links and exploit end users' trust through social engineering.


SPAM

Spam continues to be a massive problem. Not only does spam consume valuable network resources, it remains a popular conduit for the distribution of malware, phishing and scams by cybercriminals. Spam therefore remains a significant threat to businesses. M86 Security Labs estimates that global spam volume is about 200 billion messages per day. Spam typically represents around 80-90% of all inbound Email to organizations.

SPAM REBOUNDS WITH VENGEANCE

2009 will be remembered as the year spam came back with a vengeance. The volume of spam rebounded in the first half of 2009, as the spamming botnets recovered ground from the shutdown of the McColo network in November 2008, which nearly halved spam volumes overnight. Our proxy for spam volume movements is the M86 Security Labs Spam Volume Index (SVI), which tracks changes in the volume of spam received by a representative bundle of domains. By the end of 2009 the SVI had grown by 50%, eclipsing pre-McColo levels.

Figure 1: M86 Security Spam Volume Index (SVI)

BOTNET SOURCES OF SPAM

The vast majority of spam originates from botnets. M86 Security Labs monitors the spam output from major spam botnets by purposely running infected machines in a closed environment, tracking what is being sent and comparing that back with the main spam feeds to gauge the activity levels of each bot network. Similar to the first six months of 2009, the last six months saw five botnets that were responsible for 78% of spam output, with the top nine responsible for 90% (Figure 2).

Figure 2: Spam by Botnet Origin, Average Jun-Dec 2009

The major spam botnets such as Rustock and Pushdo (or Cutwail) continue to dominate spam output, supported by second-tier botnets such as Mega-D, Grum, Lethic and Donbot. The spamming botnets are constantly in flux: waxing and waning, morphing, becoming obsolete, being replaced, taken down, and upgraded. It is important to identify the major contributors to the volume of spam, so the industry can take action against them, such as the botnet takedowns that have already occurred. Consider the impact on spam levels if the top 2 or 3 botnets were disabled.

For the latest statistics on botnet spam output and detailed information about the botnets, including how they work, refer to the M86 Security Labs site [1].

BOTNET DISRUPTION

On the back of the success of the McColo shutdown in late 2008, this last year saw several spamming botnets disrupted through their control servers being shut down. In June 2009, a rogue ISP called 3FN was disconnected from the Internet as a result of action from the US Federal Trade Commission. 3FN was known for hosting malicious content and botnet control servers, and its shutdown temporarily affected spam output, mainly from the Pushdo botnet [2]. In November 2009, Mega-D's control servers were taken down, disabling this botnet's spam output [3]. And in January 2010, Lethic's control servers were taken down, completely bringing its spam output to a halt [4].

[1] http://www.m86security.com/labs/bot_statistics.asp
[2] http://www.m86security.com/labs/i/FTC-Shuts-Down-Rogue-ISP,trace.1003~.asp
[3] http://www.m86security.com/labs/i/Mega-D-botnet-takes-a-hit,trace.1161~.asp
[4] http://www.m86security.com/labs/i/Lethic-botnet--The-Takedown,trace.1216~.asp


While these measures are useful efforts to control botnets, their long-term effectiveness in stemming overall spam output has been negligible. As we have seen in Figure 1, spam volumes are impacted by botnet disruptions or takedowns, but tend to rebound strongly as botnet operators simply regroup and come back with newer and more sophisticated creations. In particular, the bot authors have built in more sophisticated location and recovery mechanisms to counter any sudden loss of their control servers, such as:

• Using a list of domains instead of hard-coded IP addresses; if one domain fails, the bot moves to the next one

• Having hard-coded DNS servers to resolve domain names

• Using domain generation algorithms in case everything else fails

• Using alternative communication protocols for the command and control architecture

What we are dealing with here are organized, professional gangs with major businesses and significant revenues at stake. Therefore, they will not relinquish without a fight.
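The following is an added example, written for this edit and not code from M86 or from any bot family, showing both sides of the recovery mechanisms listed above: a toy date-seeded domain generation algorithm that a bot and its controller can compute independently, a resolver that walks a hard-coded domain list before falling back to the generated list, and a detection heuristic run over constructed DNS log lines. The seed, alphabet, TLD list, log format and scoring threshold are all assumptions.

```python
import hashlib
import math
from datetime import date

# Constructed toy DGA: not any real bot family's algorithm. Bot and controller
# share SEED, so both compute the same daily list without ever contacting each other.
SEED = b"example-seed"          # assumption
TLDS = ("com", "net", "info")   # assumption
SAMPLE_DAY = date(2009, 12, 1)


def generate_fallback_domains(day, count, seed=SEED):
    """Derive `count` pseudo-random 12-letter domains for `day`."""
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        out.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return out


def resolve_c2(hardcoded, fallback, resolve):
    """Try the hard-coded domain list first, then the generated list.
    `resolve(name)` returns an address or None (a seized or lost domain)."""
    for name in list(hardcoded) + list(fallback):
        addr = resolve(name)
        if addr:
            return addr
    return None


# --- detection side: score hostnames seen in DNS logs ---

def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def dga_score(hostname):
    """Heuristic: long leftmost label, high character entropy, few vowels.
    Dictionary-word labels score low; hash-derived labels score high."""
    label = hostname.split(".")[0]
    if len(label) < 8:
        return 0.0
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) * (1.0 - vowel_ratio)


# Constructed DNS log lines: "<timestamp> <client> <qname> <rcode>" (assumed format).
SAMPLE_LOG = [
    "2009-12-01T10:00:01 10.1.2.3 www.m86security.com NOERROR",
    "2009-12-01T10:00:02 10.1.2.3 xqzvkplwtrnb.info NXDOMAIN",
    "2009-12-01T10:00:03 10.1.2.3 mailmarshal.com NOERROR",
]


def flag_dga_queries(log_lines, threshold=2.2):
    """Return (qname, score) for queries whose score meets the threshold (assumed value)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].rstrip(".")
        score = dga_score(qname)
        if score >= threshold:
            hits.append((qname, round(score, 2)))
    return hits


if __name__ == "__main__":
    print("fallback domains:", generate_fallback_domains(SAMPLE_DAY, 5))
    print("flagged:", flag_dga_queries(SAMPLE_LOG))
```

The entropy and vowel-ratio heuristic is deliberately simple; a bot author can defeat it by drawing labels from a word list, which is why NXDOMAIN volume per client is usually combined with it in practice.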

SPAM TYPES

Throughout the year, we've seen a consistent trend amongst the various spam types in our lab environment. Pharmaceutical spam, which mainly advertises fake prescription drugs, completely dominates our spam categories, comprising 74% of all spam. Product spam, which covers things like replica watches and other fake designer goods, is a distant second at 16%, while all the other categories come in at under 4% each (Figure 3). A number of categories recorded increases over the first half of the year, including Education (which largely promotes online diplomas), Gambling (promoting online casinos), Malicious spam and Phishing.

Figure 3: Spam Categories 2009

AFFILIATE PROGRAMS

Botnet operators, or herders, make money out of the products that are sold through their spam messages. This works by the online retailer tracking how the sale came to their website, from which spam campaign, and then paying the creator of that spam campaign a commission on any sales made as a direct result of it. This is called an affiliate program. The programs can provide many resources for affiliate members. Depending on the affiliate program, these can include pre-registered domains, web landing pages, undetectable executables and daily stats on how many users are visiting their sites [5]. Affiliates attract visitors to their sites through spam, search engine optimization, forum spam and social networks. The affiliates either use their own botnets to send spam, or purchase spamming time from botnet owners. The affiliate members make a commission on each successful sale. Often affiliate programs have several different 'brands' from which members can choose to promote.

The most prominent affiliate program is run by a company called Glavmed, and the notorious 'Canadian Pharmacy' is one of the brands linked to their organization that appears overwhelmingly in spam. The Glavmed website (www.glavmed.com) claims a 30-40% revenue share for referrals leading to sales. At any one time, multiple botnets can be seen spamming links leading to 'Canadian Pharmacy' websites. In September 2009, M86 Security Labs took a random sampling of spam, and automatically followed the links to determine the affiliate program being promoted. The 'Canadian Pharmacy' program was promoted in 67% of spam, with Prestige Replicas a distant second at 8% [6].

Figure 4: Spam Affiliate Programs

[5] http://www.m86security.com/labs/i/Ya-Bucks-Malware-Affiliate-Program,trace.1060~.asp
[6] http://www.m86security.com/labs/i/Top-Spam-Affiliate-Programs,trace.1070~.asp


Figure 5: 'Canadian Pharmacy' website

MALICIOUS SPAM

Malicious spam is categorized as Email that has a malicious attachment or an embedded URL that leads to a malicious website (also known as a blended threat). The latter half of 2009 saw an overall increase in the levels of malicious spam to 3 billion messages per day, compared with 600 million messages per day in the first half of the year. There were two main factors driving this increase:

• Malicious executables being spammed out, typically with DHL or UPS 'Get your parcel' type subject lines (Figure 6), but also other themes like "Facebook update". The executable payload of these campaigns varies; often it was a downloader called Bredolab, which has been observed downloading a wide variety of malware including scareware, password stealers, and spambots such as Pushdo.

Figure 6: UPS malicious spam with Bredolab downloader

• Blended threat campaigns, which are e-mail messages containing no attachments but instead a link that leads to web pages hosting malicious code. The infection therefore happens through the web browser, not through the e-mail client, hence the name 'blended threat.' The malware of choice distributed through most of these campaigns was Zeus, an information stealer (see Figure 7).

Figure 7: Blended threat attack from the Pushdo botnet that leads to the Zeus malware

ZEUS CAMPAIGNS FROM PUSHDO

Over the last six months, we have seen numerous, large-scale Zeus blended threat campaigns. These attacks use a combination of massive amounts of spam from the Pushdo botnet, well-designed web pages, social engineering, thousands of random-looking domain names hosted on a fast-flux network, and exploit kits, all to install the Zeus (or Zbot) Trojan horse.

The social engineering aspect used well-known brands or trusted organizations. The websites were well designed, using the same look and feel as the targeted brand, good English and grammar, and offered a plausible reason for downloading and running an executable from the website. The user's email address, obtained from the spam link, was often included in the page to add credibility. Some sites have subtle features to add further credibility, such as the VISA site showing the first digit of a user's VISA card as '4' (all VISA cards start with '4') or stating that an executable is a self-extracting PDF file. A few of these sites, such as the Facebook and MySpace examples, even asked the user to log in first (although the credentials were not verified at the time), giving the criminals login credentials before users were asked to download and run a file.

If the user was suspicious enough not to download the executable file after clicking on the spam link, there was a chance they could get infected anyway if they were vulnerable to browser or application exploits incorporated in the websites.


[7] http://www.m86security.com/labs/i/Virut-s-Not-So-Obvious-Motive,trace.873~.asp

Each separate campaign used several hundred random-looking domain names, often with the recipient's domain or the domain of a targeted brand as a sub-domain. For example:

cgi.ebay.com.<DOMAIN>.ne.kr/ws/ebayisapi.dll

<DOMAIN>.yhuttte.or.kr/owa/service_directory/settings.php

www.facebook.com.<DOMAIN>.org.uk/usersdirectory/loginfacebook.php

The directory structure on the malicious web server is also often similar to the website it is trying to impersonate. Among the brands and organizations we have seen are VISA, PayPal, eBay, Facebook, MySpace, American Express, CDC, Bank of America, HSBC, NACHA, IRS and FDIC.
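An added example (not from the report) of the check a mail or web gateway can apply to URLs like the ones above: split the host against a public-suffix table, take the registrable domain, and flag any host in which a known brand's domain appears as sub-domain labels of some other registrable domain. The suffix table, the brand list and the label "example" standing in for the <DOMAIN> placeholder are constructed assumptions; a production version would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Simplified public-suffix table covering the suffixes in the report's examples.
# Assumption: a production check uses the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "kr", "ne.kr", "or.kr"}

# Brands the report lists as impersonated (assumed canonical domains).
BRANDS = ("ebay.com", "facebook.com", "myspace.com", "paypal.com", "visa.com")


def registered_domain(host):
    """Registrable domain = one label above the longest matching public suffix,
    e.g. 'cgi.ebay.com.example.ne.kr' -> 'example.ne.kr'. None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])


def brand_impersonation(url):
    """Return the brand domain if it appears as sub-domain labels of a different
    registrable domain (the Zeus campaign pattern), else None."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg is None or reg in BRANDS:
        return None  # either a bare suffix or genuinely the brand's own domain
    for brand in BRANDS:
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return brand
    return None


# Constructed sample: 'example' stands in for the <DOMAIN> placeholder in the text.
SAMPLE_URLS = [
    "cgi.ebay.com.example.ne.kr/ws/ebayisapi.dll",
    "example.yhuttte.or.kr/owa/service_directory/settings.php",
    "www.facebook.com.example.org.uk/usersdirectory/loginfacebook.php",
    "https://cgi.ebay.com/ws/eBayISAPI.dll",
]


def scan(urls):
    """Map each URL to the brand it impersonates (or None)."""
    return {u: brand_impersonation(u) for u in urls}


if __name__ == "__main__":
    for url, brand in scan(SAMPLE_URLS).items():
        print(f"{brand or '-':14} {url}")
```

The second sample URL carries the recipient's domain rather than a brand, so this check alone does not catch it; a lookup of the registrable domain's registration age or fast-flux behaviour is the complementary signal.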

Figure 8: Facebook update scam leading to Zeus Trojan

VIRUT DISTRIBUTING SPAMBOTS

Over the past year, malware became more voluminous, sophisticated and complex. One piece of malware we encountered illustrates this complexity. A prevalent distribution vector for spambots and other attacks was a piece of malware called Virut, which is a file-infecting virus that can download and install almost any type of malware onto an infected computer [7]. The Virut malware infects files with .exe and .scr file extensions. A user may encounter Virut by visiting malicious websites that contain exploits that download Virut as a payload.

Virut plays a part in distributing spamming Trojans such as Xarvester, Grum, Pushdo and Gheg. Virut also plays a role in distributing money mule and profit-driven malware that includes rogue anti-virus, keyloggers, password stealers and ad-clickers.

Figure 9: Virut-infected machine also infected with two spambots

WEB

BLACK HAT SEO

During 2009 a growing trend was the use of Search Engine Optimization (SEO) techniques to drive users to web pages hosting malicious code. Also known as SEO poisoning, the technique aims to elevate malicious landing pages up the search engine results ranking, thus ensuring a steady supply of victims. SEO poisoning is particularly treacherous as users tend to implicitly trust search engine results.

The techniques vary, but many center on creating and posting web pages with keywords and phrases related to any hot trend, such as those derived from services like Google Trends, celebrity news or other popular topics. A good example of this technique in practice was seen in the number of malicious pages listed in search engine results immediately following the untimely passing of mega pop star Michael Jackson. These 'enriched' web pages help to push up the search engine rankings for the criminals' malicious landing pages. The systems the criminals are using are sophisticated and highly automated, leading to a continuing supply of fresh search terms and 'loaded' web pages.

Figure 10: Bogus SEO result for 'MailMarshal'


[8] http://www.m86security.com/labs/i/Be-Careful-What-You-Search-For,trace.884~.asp

SEO attacks involve the manipulation of a search engine's indexing algorithms using various techniques in order to place the attackers' websites higher up in the search results [8]. The size and scope of SEO poisoning is not immediately obvious, because in order to find an SEO-promoted malicious website you have to search for the specific terms for which it was optimized. The following illustrates how widespread the problem is. We recently entered the term MailMarshal, M86 Security's email filtering product, into Google and chose the previous week's timeframe. As you can see in Figure 10, high up the list of results for 'MailMarshal' is a bogus result based off the term, which leads the end user to malware.

The whole success of SEO poisoning relies on the false website being ranked high in search results. One way that search engines rank websites is by the number of 'backlinks', which are links on other websites that point back to the site in question. Attackers create thousands of backlinks to a web page they want to promote. When a search engine visits this page it sees legitimate content, but when a user visits they are redirected to a website of the attacker's choosing.
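An added illustration, not code from any SEO kit or from M86, of the cloaking just described and of how to test a suspect search result for it: the same URL is fetched as a crawler, as a browser arriving from a search result, and as a plain browser, and the three responses are compared. `cloaked_page` is a constructed stand-in for the attacker's server so the probe runs offline; `http_fetch` is the equivalent real single-hop fetcher. The user-agent strings, hostnames and redirect target are assumptions.

```python
import re
import urllib.error
import urllib.request

CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp", re.I)


def cloaked_page(url, headers):
    """Constructed stand-in for a cloaked SEO page: keyword-stuffed HTML for
    crawlers, a redirect for visitors arriving from a search result, and a
    harmless page for everyone else. Returns (status, location, body)."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if CRAWLER_UA.search(ua):
        return 200, None, "<html><body>MailMarshal download review guide ...</body></html>"
    if "google." in referer or "bing.com" in referer:
        return 302, "http://landing.example/scan.php", ""
    return 200, None, "<html><body>Nothing to see here.</body></html>"


def normalise(body):
    """Strip tags and collapse whitespace so trivial markup differences do not count."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body or "")).strip()


PROFILES = {  # assumed user-agent and referer strings
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "search_click": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.5",
                     "Referer": "http://www.google.com/search?q=mailmarshal"},
    "direct": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.5"},
}


def probe_cloaking(fetch, url):
    """Fetch `url` under each profile; `fetch(url, headers)` -> (status, location, body)
    and must not follow redirects. Any difference between profiles is a cloaking signal."""
    seen = {}
    for name, headers in PROFILES.items():
        status, location, body = fetch(url, headers)
        seen[name] = (status, location, normalise(body))
    return {
        "cloaked": len(set(seen.values())) > 1,
        "redirect_target": seen["search_click"][1],
        "responses": seen,
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # make urllib raise HTTPError on 3xx instead of following it


def http_fetch(url, headers, timeout=10):
    """Real fetcher for live checks: single hop, redirects surfaced as (3xx, Location, '')."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location"), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""


if __name__ == "__main__":
    print(probe_cloaking(cloaked_page, "http://seo.example/mailmarshal.html"))
```

Run it against a live result with `probe_cloaking(http_fetch, url)` from a host you do not mind exposing; the redirect target is recorded but never requested, so the scareware landing page is not loaded.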

Throughout 2009, the cybercriminals offering fake anti-virus 'scareware', in particular, used SEO poisoning techniques to drive users to their landing pages. In many cases, we have seen end users being redirected to pages like the one featured in Figure 11.

Figure 11: Scareware landing page from SEO campaign

ZERO-DAY VULNERABILITIES

During the last six months, we've observed an increase in the number of new zero-day vulnerabilities, with the most notable being discovered in Adobe and Microsoft products. We have seen close to a dozen zero-day vulnerabilities that were used by cybercriminals throughout 2009 (Figure 12).

Figure 12: List of vulnerabilities used by cybercriminals throughout 2009

One of the major problems with zero-day vulnerabilities is the length of the "window of vulnerability," which is measured from the time the vulnerability is first discovered being used in the wild until the time a patch is released by the application vendor.

In the past there have been cases where this window has remained "open" for months or even years. Even now, as bigger software companies become more cognizant of security, the time interval from zero-day vulnerability detection to the release of a patch can be very significant, taking from several days (best case scenario) to several weeks or even months. It should be noted, of course, that even after the closure of a vulnerability, exploitation continues everywhere in the wild, because users are typically lax in applying the necessary updates for their applications and the latest security patches. A current example of this would be MDAC, which was patched in 2006 but is still widely used by cybercriminals.

The chart in Figure 13 illustrates the issue with the length of the window of vulnerability over the last six months. This example uses just 7 reported vulnerabilities.


Figure 13: Window of Vulnerability

A cursory glance at Figure 13 shows that even though the window of vulnerability might be short at times, it is the overlapping time intervals that pose a real problem. It is during these overlapping time intervals that end users are completely vulnerable to attack with very little they can do about it. As indicated in red, within a six-month period alone, Internet users not protected by truly proactive, real-time, on-premise security technology were completely exposed to potential attacks close to 40% of the time. This means that no protection was provided by application vendors during this timeframe, and even the desktop AV scanners that need to react to these attacks provided little protection; cybercriminals used this to their advantage by exploiting these zero-day vulnerabilities.
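An added worked example (not from the report; the dates are constructed, not those of the seven vulnerabilities in Figure 13) of how a "percentage of time exposed" figure of this kind is computed: each vulnerability contributes a window from its first in-the-wild sighting to the day before the patch, the windows are clipped to the reporting period and merged so overlapping days are counted once, and the covered days are divided by the period length.

```python
from datetime import date, timedelta

# Constructed windows: (first in-the-wild sighting, patch release date); None = unpatched.
# Illustrative dates only, not the vulnerabilities of Figure 13.
SAMPLE_WINDOWS = [
    (date(2009, 7, 10), date(2009, 7, 30)),
    (date(2009, 7, 25), date(2009, 8, 20)),
    (date(2009, 9, 1), date(2009, 9, 11)),
    (date(2009, 11, 15), date(2009, 12, 20)),
    (date(2009, 12, 14), None),
]
PERIOD_START, PERIOD_END = date(2009, 7, 1), date(2009, 12, 31)


def merge_intervals(intervals):
    """Union of inclusive [start, end] date ranges; touching ranges are joined."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def exposure(windows, period_start, period_end):
    """Return (days with at least one open window, days in period, merged windows)."""
    clipped = []
    for first_seen, patched in windows:
        last_open = patched - timedelta(days=1) if patched else period_end
        start, end = max(first_seen, period_start), min(last_open, period_end)
        if start <= end:
            clipped.append((start, end))
    merged = merge_intervals(clipped)
    exposed = sum((end - start).days + 1 for start, end in merged)
    total = (period_end - period_start).days + 1
    return exposed, total, merged


def exposure_fraction(windows, period_start, period_end):
    exposed, total, _ = exposure(windows, period_start, period_end)
    return round(exposed / total, 3)


if __name__ == "__main__":
    exposed, total, merged = exposure(SAMPLE_WINDOWS, PERIOD_START, PERIOD_END)
    for start, end in merged:
        print(f"exposed {start} .. {end}")
    print(f"{exposed}/{total} days = {exposure_fraction(SAMPLE_WINDOWS, PERIOD_START, PERIOD_END):.1%}")
```

Counting a patched day as protected is the optimistic assumption; the paragraph above on MDAC is the reason to treat the patch date as the end of the vendor's window, not the end of the user's.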

THE DUMMIES GUIDE TO ATTACK TOOLKITS

Attack toolkits are used to build the actual cyber attacks themselves. The increasingly professional nature of these tools, such as Web attack toolkits, shows us that the provision of software to the cybercrime industry has become a serious business in and of itself. One such example is the recent attack toolkits that closely resemble professional application packages.

As with any other professional software product, attack toolkits may include:

• An official website

• Version management

• Overviews of technical characteristics (present and future)

• Support

• Pricing lists

• Multi-lingual translations

Just a few years ago, the attack toolkit market was mostly comprised of WebAttacker, followed by the GPack and MPack toolkits. Newer attack toolkits such as Yes, LuckySploit, Eleonore and Fragus have helped to expand the market and increase the demand for these packages. Within the last six months, we've observed a significant increase in the number of new and different attack toolkits, such as SEO, MAX, Shaman's Dream, Siberia and CleanPack.

Developers of modern attack toolkits advertise their products as easily configurable and manageable. Indeed, they do not require a deep knowledge of hacking and have made the process much simpler for cybercriminals. Combined with frequently updated versions that include the latest exploits, an attack toolkit is an effective weapon in the hands of any cybercriminal.

The following are examples of attack toolkit sites and products:

Figure 14: Yes Exploit Toolkit website

Figure 15: Fragus attack toolkit

Figure 16: Eleonore Exp attack toolkit


[9] http://www.m86security.com/labs/i/Adobe-PDF-Zero-Day,alerts.1210~.asp
[10] https://m86security.webex.com/m86security/lsr.php?AT=pb&SP=EC&rID=7091157&rKey=4beda2b0b3bbef14
[11] http://isc.sans.org/diary.html?storyid=7906

ADOBE PDF ATTACKS

Adobe products remain among the most targeted applications for vulnerabilities. In 2009 alone, there were several notable Adobe PDF vulnerabilities that were discovered and widely exploited: CVE-2009-0927, CVE-2009-1492, CVE-2009-1493 and CVE-2009-1862. CVE-2009-4324 is the most recent vulnerability in an Adobe product [9]. In this example, attackers were able to package malicious code into a PDF file, which would go undetected by most desktop AV scanners. As soon as the end user opened the blank PDF file, the malicious code would be executed and their system would be compromised. More information on this particular example can be found in one of our recent webinars [10].

From an attacker's perspective, the advantages are quite simple: PDF files are not browser dependent, and Adobe Reader and Acrobat are immensely popular products with high visibility in the marketplace. Finally, the other boon for attackers is the fact that PDFs offer the ability to include dynamic content within a file.

Considering these advantages, PDF exploits are frequently used in attack toolkits, along with Flash files and, more recently, Java (jar) exploits. In some cases, a set of PDF exploits is the only mode of attack needed by a cybercriminal to attack via a Web page.

Ultimately, PDF attacks tend to be very effective, with some achieving as high as a 50% success rate. The following figure shows the success rate of a PDF exploit:

Figure 17: PDF Exploitation Rate

The end user often has a false sense of security: even if they are up to date with all the latest security updates, they mistakenly believe that keeping the browser updated offers enough protection. However, the real situation is decidedly different. Multiple zero-day attacks, combined with the limited capabilities [11] of anti-virus products in preventing the spread of malware through PDF files, leave the consumer exposed to malware and unprotected against cyber attacks.
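An added example, not from the report or from Adobe, of a first-pass triage for PDF attachments that looks for the "dynamic content" referred to above: it resolves hex-escaped names (`/J#61vaScript`), inflates FlateDecode streams, counts action and script names, and searches any JavaScript for `unescape('%u...')` strings of the kind used to stage shellcode. The sample file is constructed for the test and contains no exploit; the name list, scoring and threshold are assumptions.

```python
import re
import zlib

# PDF names that give a file dynamic behaviour (assumed list; extend as needed).
RISKY_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/XFA", "/URI")


def unescape_names(data):
    """Resolve #xx hex escapes so /J#61vaScript matches /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Yield decompressed bodies of FlateDecode streams; skip anything that is not zlib."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def triage_pdf(data):
    """Count risky names in the raw file and in inflated streams, and look for
    unescape('%uXXXX...') strings that typically carry shellcode in exploit JS.
    Scoring and threshold are assumptions for illustration."""
    views = [unescape_names(data)] + [unescape_names(s) for s in inflate_streams(data)]
    names, shellcode = {}, 0
    for view in views:
        for name in RISKY_NAMES:
            count = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", view))
            if count:
                names[name] = names.get(name, 0) + count
        shellcode += len(re.findall(rb"unescape\s*\(\s*['\"]((?:%u[0-9A-Fa-f]{4}){4,})", view))
    score = sum(names.values()) + 5 * shellcode
    return {"names": names, "unescape_shellcode": shellcode, "suspicious": score >= 3}


def build_sample_pdf():
    """Constructed test file, not an exploit: an obfuscated /OpenAction pointing at a
    JavaScript action whose code lives in a FlateDecode stream."""
    js = b"var s = unescape('%u9090%u9090%u9090%u9090'); app.alert(s.length);"
    stream = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + stream + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

This is a string-level check, not a parser: object streams (`/ObjStm`), other filters (`/ASCIIHexDecode`, `/LZWDecode`) and JavaScript split across string concatenations are outside what it sees, which is exactly the gap exploit kits use against signature-based AV.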

RISE IN TWITTER ATTACKS

As Twitter began surging in popularity through the first half of 2009, we warned users about the pitfalls of the service in our first-half report. The trifecta of spam, malware and phishing problems on Twitter has continued to increase, highlighting the fact that cybercriminals love to target areas of the Web where the user base is large and growing, making it easier for their attacks to reap big rewards.

In August of 2009, we wrote about the rise of a weight loss spam campaign [12] and how its impact was seen in thousands of 'tweets' sent out across the service (Figure 18).

Figure 18: Spam campaign seen on Twitter in August of 2009

This spam campaign was one of many that we observed in the last half of 2009. These kinds of spam campaigns originate from dummy accounts or accounts that have been compromised through phishing campaigns.

Figure 19: Direct message spam from a phished account

In addition to the mass tweets about weight loss spam, these phished accounts were also used to send out mass direct messages (commonly referred to as DMs) to followers, pushing out links for games or services (Figure 19).

Twitter is also no stranger to being used as a medium to spread malware. One of the most high-profile instances of this involved well-known venture capitalist Guy Kawasaki's Twitter account in late June of 2009. His account was set up to automatically update using a service called NowPublic. It tweeted out an update about a sex tape, which led to a piece of malware. The biggest issue with this is that Mr. Kawasaki's Twitter account is followed by thousands upon thousands of users, and he is known to share links.

[12] http://www.m86security.com/labs/i/Twitter-Weight-Loss-Spam,trace.1057~.asp


[13] http://www.m86security.com/labs/i/Twitter-Facebook-and-Bebo-used-in-spam-campaign,trace.1168~.asp
[14] http://www.m86security.com/labs/i/Spammers-Try-URL-Shortening-Services,trace.1038~.asp

Figure 20: Guy Kawasaki tweet leading to a Trojan attacking both Mac and PC users

The most interesting usage of Twitter in a spam campaign was observed in November of 2009 [13]. It involved using a link to a tweet in a spam message to direct a user to the spam via Twitter (Figure 21). This was likely used to evade certain spam filters.

Figure 21: New technique to evade spam filters, linking out to Twitter with a spam domain being pushed in a tweet

What it ultimately boils down to is the whole concept of trust, which is what is being taken advantage of by these cybercriminals on social networking services like Twitter. Users will naturally trust their friends, making it more likely that they will in fact click on a link shared with them on Twitter or any other social networking site. The exploitation of trust is one of the primary reasons why attacks on Twitter and other social networks succeed so well.

ABUSE OF URL SHORTENERS

The sheer growth of URL shortening services throughout 2009 was apparent. The usage of these services was a byproduct of the popularity of Twitter, which caps the number of characters that can be used in each update at 140. The problem with link sharing is that oftentimes URLs can be quite lengthy, often surpassing the 140-character limit with ease.

By masking the source URL behind a shortened URL, it is hard for an end user to determine what kind of content will be provided to them when they click through. This uncertainty is often put to the side when the content comes from a friend, once again highlighting the abuse of trust in social networks.

It comes as no surprise then that the majority of malicious links that we've observed on social networking sites throughout 2009 were of the shortened URL variety. And while this phenomenon remains prevalent on services like Twitter and Facebook, we have observed them being distributed in spam messages as well [14] (Figure 22).

Figure 22: Example of shortened URLs included in spam messages

There are major players in the space, such as TinyURL and Bit.ly. However, the biggest concern lies not with the leaders, but rather with the hundreds of lesser-known services that are up and running today and being used by cybercriminals. They remain unchecked, and do not have any safeguards in place to prevent malicious content from being spread through their services.
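An added example (not from M86, Bit.ly or TinyURL) of the safeguard that reveals what a shortened link hides: expand it one redirect hop at a time with HEAD requests, never letting the HTTP library follow redirects on its own, so the full chain is visible and loops or over-long chains are reported rather than followed. The hostnames in the simulated table are constructed; `head_fetch` is a real single-hop fetcher for use against live links.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def head_fetch(url, timeout=10):
    """One HEAD request, no redirect following. Returns (status, location)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})  # UA is an assumption
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(short_url, fetch=head_fetch, max_hops=10):
    """Walk the redirect chain hop by hop. Returns (final_url, chain, reason) with
    reason in {'resolved', 'loop', 'too_many_hops'}; the final page is never loaded."""
    chain = [short_url]
    seen = {short_url}
    url = short_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain, "resolved"
        url = urljoin(url, location)   # shorteners sometimes send relative Locations
        chain.append(url)
        if url in seen:
            return url, chain, "loop"
        seen.add(url)
    return url, chain, "too_many_hops"


# Constructed redirect table standing in for live shortener responses.
FAKE_RESPONSES = {
    "http://sho.rt/a": (301, "http://sho.rt/b"),
    "http://sho.rt/b": (302, "/c"),
    "http://sho.rt/c": (302, "http://landing.example/scan.php"),
    "http://landing.example/scan.php": (200, None),
    "http://sho.rt/x": (302, "http://sho.rt/y"),
    "http://sho.rt/y": (302, "http://sho.rt/x"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


def describe(short_url, fetch):
    """Human-readable chain, the kind of thing a 'show full URL' add-on displays."""
    final, chain, reason = expand(short_url, fetch)
    return " -> ".join(chain) + f"  [{reason}]"


if __name__ == "__main__":
    print(describe("http://sho.rt/a", fake_fetch))
    print(describe("http://sho.rt/x", fake_fetch))
```

Chained shorteners (one short link redirecting to another) are common in the spam campaigns described above, which is why the whole chain, not just the first hop, is what a user or filter needs to see.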


[15] http://securebrowsing.finjan.com/

RECOMMENDATIONS

• Education is paramount. Teaching users the importance of best practices for their everyday Internet usage is vital. Show them examples of scareware applications and explain how easy it is for them to get infected. Give them a phishing test, and see if they can pick the false sites from the real ones. Above all else, the number 1 rule is to be wary about clicking on any links in email or on web pages. (Rule number 2: see rule 1.)

• Review your current security products. Armed with the latest threat information, re-evaluate the security products that are being used in your organization or at home. Ask your incumbent vendors the tough questions about exactly what they do to detect and block these threats. Look to test products against each other and ensure the vendors are investing in threat research.

• Be wary of links, even from trusted sources. It cannot be emphasized enough that even if the source of a link is someone you trust, they themselves may have had their account compromised, or someone might be spoofing their identity. Sending email so that it looks as though it is from someone else's email account, for example, is pretty straightforward.

• Stay up to date. Keep Web browsers, add-ons/extensions and desktop applications up to date with their latest versions. We have seen time and time again that many attacks target vulnerabilities found in old versions of Web browsers and applications, or that organizations are not blocking the latest spam and Web threats simply because their products are not up to date. While being completely up to date with the latest patches helps to protect you and your end users from patched vulnerabilities, you will still need to remain on guard for the unpatched, zero-day vulnerabilities.

• Consider using browser add-ons/extensions to add an additional layer of security. We recommend using the NoScript extension for Mozilla Firefox, which limits the execution of JavaScript code. We also suggest using extensions that will display shortened URLs as their full URLs, making it easier to know what the destination URL actually is. Many security vendors such as M86 have free tools for users to install on their personal or home computers, typically the most vulnerable. One such tool is SecureBrowsing [15], which analyzes links from search engine results or on web pages to gauge their malicious nature; it also works with shortened URLs such as those found on Twitter.


GLOSSARY OF TERMS

Affiliate Programs – A method by which spammers make money. By signing up for an affiliate program, spammers are provided with templates and a unique identifier, which they use to track referrals. If they drive traffic that leads to a sale, they are rewarded with a commission. 'Canadian Pharmacy' is the most popular affiliate program today.

Attack Toolkit – A hacker kit that exploits several client-side vulnerabilities to execute arbitrary code.

Black Hat SEO – The way cybercriminals utilize SEO ("black hat") to increase the search engine rankings for their own websites, so that their malicious landing pages end up higher in search engine rankings, driving more end users to their sites.

Blended Threats – An attack that combines both e-mail and web as the attack vector. Foregoing the traditional method of attaching a virus directly to an e-mail message, a blended threat contains a link to a website, which will either push malware to the end user or host malicious code.

Botnets (or Bot networks) – A botnet is a network of compromised computers (known as drones or zombies) that are used by cybercriminals to send out spam messages, spread malware, and carry out other criminal activity.

Bot herder (or Bot owner) – The individual responsible for commanding the botnet to perform tasks by way of command & control.

Command and Control (or C&C) – The method by which the bot herder commands the various zombies in the botnet. Historically, botnets were controlled by way of Internet Relay Chat (IRC) and more recently over HTTP (Hypertext Transfer Protocol). Bot herders have also started experimenting with other ways to implement command and control, such as through Twitter, Google Groups, and Facebook Notes.

CVE (or Common Vulnerabilities and Exposures) – A common identifier for publicly known information security vulnerabilities.

Direct Message (or DM) – A private message that is sent between users of the social networking/micro-blogging service Twitter.

Malicious spam – Spam messages that contain a malicious attachment, such as an executable or PDF file, or contain a link that leads the end user to malware (known as a Blended Threat).

Scareware – A type of scam used by cybercriminals to convince an end user that their computer has been infected with malware. Usually delivered in the form of a pop-up or through a Black Hat SEO campaign; by scaring the end user, the criminals trick them into believing they are downloading a proper anti-virus solution, when they are instead downloading malware.

SEO (or Search Engine Optimization) – A method to increase the volume of traffic to a website via search engines through "organic" search results, intended to move a website up in the search engine rankings.

SEO Poisoning – A method employed by cybercriminals to poison search engine results for popular news items, trending topics, and overall hype. Common instances of this have been seen in deaths of celebrities, natural disasters, and product releases (such as Apple's iPad and Google Wave).

Spambots – Botnets that are primarily used to send out spam messages. Spambots can be rented out to cybercriminals for various campaigns.

Spam Categories – (See definition of Spam Types)

Spam Types (or Spam Categories) – The different types of spam being sent out by various botnets. The most common spam type seen today is Pharmaceutical spam.

Tweet – A term used to describe the messages posted to the social networking/micro-blogging service Twitter, where messages are limited to 140 characters.

Zero-Day Vulnerabilities – A vulnerability that is unknown to others, undisclosed to the software developer, or for which no security fix is available.

© Copyright 2009 M86 Security. All rights reserved. M86 Security is a registered trademark of M86 Security. All other product and company names mentioned herein are trademarks or registered trademarks of their respective companies.

Corporate Headquarters
828 West Taft Avenue, Orange, CA 92865, United States
Phone: +1 (714) 282-6111  Fax: +1 (714) 282-6116

International Headquarters
Renaissance 2200, Basing View, Basingstoke, Hampshire RG21 4EQ, United Kingdom
Phone: +44 (0) 1256 848080  Fax: +44 (0) 1256 848060

Asia-Pacific
Suite 1, Level 1, Building C, Millennium Centre, 600 Great South Road, Auckland, New Zealand
Phone: +64 (0) 9 984 5700  Fax: +64 (0) 9 984 5720