
Security Labs Report

Jul 2009-Dec 2009 Recap

m86security.com


CONTENTS

Introduction  2
Key Points of this Report  2
Spam  3
  Spam Rebounds with Vengeance  3
  Botnet Sources of Spam  3
  Botnet Disruption  3
  Spam Types  4
  Affiliate Programs  4
  Malicious Spam  5
  Zeus Campaigns from Pushdo  5
  Virut Distributing Spambots  6
Web  6
  Black Hat SEO  6
  Zero-Day Application Vulnerabilities  7
  The Dummies Guide to Attack Toolkits  8
  Adobe PDF Attacks  9
  Rise in Twitter Attacks  9
  Abuse of URL Shorteners  10
Recommendations  11
Glossary of Terms  12

INTRODUCTION

This report has been prepared by the M86 Security Labs team. It covers key trends and developments in Internet security over the last six months, as observed by the security analysts at M86 Security Labs.

M86 Security Labs is a group of security analysts specializing in Email and Web threats, from spam to malware. They continuously monitor and respond to Internet security threats. The Security Labs' primary purpose is to provide a service to M86 customers as part of standard product maintenance and support. This service includes updates to M86's unique, proprietary anti-spam technology, SpamCensor, and Web threat and vulnerability updates to the M86 Secure Web Gateway products, which are able to pro-actively detect and block new and emerging exploits and threats and the malware they serve.

M86 Security Labs analyzes spam, phishing and malware, follows Internet security trends, and is well recognized in the industry for being among the first to study the effect of the emerging Botnets, as well as for reporting on the in-the-wild use of newly discovered vulnerabilities and the exploits using them. Every day, the Security Labs analyzes over 7 million distinct Email messages. Looking for patterns and emerging trends, and correlating that with the Web exploit and vulnerability research, provides M86 with a very complete Internet threat vantage point.

Data and analysis from M86 Security Labs is continuously updated and always accessible online at our website located at: http://www.m86security.com/labs

You can find us on Twitter at: http://twitter.com/m86labs

KEY POINTS OF THIS REPORT

• Spam volumes increased dramatically in 2009, to over 200 billion per day, with the vast majority sent through Botnets of infected computers. In the second half of 2009, 78% of all spam by volume originated from the top 5 botnets alone.

• Malicious spam dramatically increased in volume, reaching 3 billion messages per day, compared to 600 million messages per day in the first half of 2009.

• Even with adequate protection from Antivirus software, Zero Day Vulnerabilities left users vulnerable to potential attacks 40% of the time (in the 2nd half of 2009).

• Twitter attacks are increasing, benefiting from the use of shortened URLs. The use of shortened URLs has grown significantly, especially with the growing adoption of Twitter. They have become a new darling for attackers, making it easy to obscure malicious links and exploit end users' trust through social engineering.


SPAM

Spam continues to be a massive problem. Not only does spam consume valuable network resources, it remains a popular conduit for the distribution of malware, phishing and scams by cybercriminals. Spam therefore remains a significant threat to businesses. M86 Security Labs estimates that global spam volume is about 200 billion messages per day. Spam typically represents around 80-90% of all inbound Email to organizations.

SPAM REBOUNDS WITH VENGEANCE

2009 will be remembered as the year spam came back with a vengeance. The volume of spam rebounded in the first half of 2009, as the spamming botnets recovered ground from the shutdown of the McColo network in November 2008, which nearly halved spam volumes overnight. Our proxy for spam volume movements is the M86 Security Labs Spam Volume Index (SVI), which tracks changes in the volume of spam received by a representative bundle of domains. By the end of 2009 the SVI had grown by 50%, eclipsing pre-McColo levels.

Figure 1: M86 Security Spam Volume Index (SVI)

BOTNET SOURCES OF SPAM

The vast majority of spam originates from botnets. M86 Security Labs monitors the spam output from major spam botnets by purposely running infected machines in a closed environment, tracking what is being sent and comparing that back with the main spam feeds to gauge the activity levels of each Bot network. Similar to the first six months of 2009, the last six months saw five botnets that were responsible for 78% of spam output, with the top nine responsible for 90% (Figure 2).

Figure 2: Spam by Botnet Origin, Average Jun-Dec 2009

The major spam botnets such as Rustock and Pushdo (or Cutwail) continue to dominate spam output, supported by second-tier botnets such as Mega-D, Grum, Lethic and Donbot. The spamming botnets are constantly in flux, waxing and waning, morphing, becoming obsolete, being replaced, taken down, and upgraded. It is important to identify the major contributors to the volume of spam, so the industry can take action against them, such as the botnet takedowns that have already occurred. Consider the impact on spam levels if the top 2 or 3 botnets were disabled.

For the latest statistics on botnet spam output and detailed information about the botnets, including how they work, refer to the M86 Security Labs site [1].

BOTNET DISRUPTION

On the back of the success of the McColo shutdown in late 2008, this last year saw several spamming botnets disrupted through their control servers being shut down. In June 2009, a rogue ISP called 3FN was disconnected from the Internet as a result of action from the US Federal Trade Commission. 3FN was known for hosting malicious content and botnet control servers, and its shutdown temporarily affected spam output, mainly from the Pushdo botnet [2]. In November 2009, Mega-D's control servers were taken down, disabling this botnet's spam output [3]. And in January 2010, Lethic's control servers were taken down, completely bringing its spam output to a halt [4].

[1] http://www.m86security.com/labs/bot_statistics.asp
[2] http://www.m86security.com/labs/i/FTC-Shuts-Down-Rogue-ISP,trace.1003~.asp
[3] http://www.m86security.com/labs/i/Mega-D-botnet-takes-a-hit,trace.1161~.asp
[4] http://www.m86security.com/labs/i/Lethic-botnet--The-Takedown,trace.1216~.asp


While these measures are useful efforts to control botnets, their long term effectiveness in stemming overall spam output has been negligible. As we have seen in Figure 1 above, spam volumes are impacted by botnet disruptions or takedowns, but tend to rebound strongly as botnet operators simply regroup and come back with newer and more sophisticated creations. In particular, the bot authors have built in more sophisticated location and recovery mechanisms to counter any sudden loss of their control servers, such as:

• Using a list of domains, instead of hard-coded IP addresses - if one domain fails it moves to the next one

• Having hard-coded DNS servers to resolve domain names

• Using domain generation algorithms in case everything else fails

• Using alternative communication protocols for command and control architecture
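Of the fallbacks listed above, the domain generation algorithm is the one a defender has the best chance of spotting in DNS logs, because generated names look nothing like names people register. The following Python is an added example, not code from the report or from M86: it scores the second-level label of each queried name on a few lexical features (entropy, vowel ratio, digit ratio, longest consonant run, length) and flags names above a threshold. The log line format and the thresholds are assumptions made for this example, and the log lines are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log; the line format "<timestamp> <client> <qname>"
# is an assumption for this example, and none of these names are real indicators.
SAMPLE_DNS_LOG = """\
2009-11-02T10:00:01 10.0.0.12 www.m86security.com
2009-11-02T10:00:02 10.0.0.12 mail.example.org
2009-11-02T10:00:03 10.0.0.44 qzxkvbtrpmwnd.com
2009-11-02T10:00:04 10.0.0.44 a8h2k9x1pq7z.net
2009-11-02T10:00:05 10.0.0.44 xkjqwvzpgtrlb.info
2009-11-02T10:00:06 10.0.0.12 twitter.com
"""

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(qname: str) -> str:
    """Label directly left of the TLD (assumes a single-label TLD such as .com)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(label: str) -> float:
    """Lexical score of one label; higher means more algorithm-like.
    The thresholds are tuned for this example, not published constants."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    score = 0.0
    if shannon_entropy(label) > 3.3:
        score += 1.0  # many distinct characters
    if vowel_ratio < 0.25:
        score += 1.0  # unpronounceable
    if digit_ratio > 0.2:
        score += 1.0  # letters mixed with digits
    if longest_run >= 5:
        score += 1.0  # long consonant run
    if len(label) >= 12:
        score += 0.5  # longer than most registered names
    return score


def flag_dga_candidates(log_text: str, threshold: float = 2.0) -> list:
    """Distinct query names whose second-level label scores at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2]
        if qname not in flagged and dga_score(second_level_label(qname)) >= threshold:
            flagged.append(qname)
    return flagged


if __name__ == "__main__":
    for name in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(name, dga_score(second_level_label(name)))
```

A heuristic like this is a triage aid, not a verdict: a legitimate brand with digits in its name (the m86security entry scores 1.0 here) sits well below the threshold, but a real deployment would whitelist known domains and confirm hits with NXDOMAIN rates per client before raising an alert.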

What we are dealing with here are organized, professional gangs with major businesses and significant revenues at stake. Therefore, they will not relinquish without a fight.

SPAM TYPES

Throughout the year, we've seen a consistent trend amongst the various spam types in our lab environment. Pharmaceutical spam, which mainly advertises fake prescription drugs, completely dominates our spam categories, comprising 74% of all spam. Product spam, which covers things like replica watches and other fake designer goods, is a distant second at 16%, while all the other categories come in at under 4% (Figure 3). A number of categories recorded increases over the first half of the year, including Education, which largely promotes online diplomas, Gambling, promoting online casinos, Malicious spam and Phishing.

Figure 3: Spam Categories 2009

AFFILIATE PROGRAMS

Botnet operators or herders make money out of the products that are sold through their spam messages. This works by the online retailer tracking how the sale came to their website, from which spam campaign, and then paying the creator of that spam campaign a commission on any sales made as a direct result of their spam campaign. This is called an affiliate program. The programs can provide many resources for affiliate members. Depending on the affiliate program, these can include pre-registered domains, web landing pages, undetectable executables and daily stats on how many users are visiting their sites [5]. Affiliates attract visitors to their sites through spam, search engine optimization, forum spam and social networks. The affiliates are either using their own botnets to send spam, or purchase spamming time from botnet owners. The affiliate members make a commission on each successful sale. Often affiliate programs have several different 'brands' from which members can choose to promote.

The most prominent affiliate program is run by a company called Glavmed, and the notorious 'Canadian Pharmacy' is one of the brands linked to their organization that appears overwhelmingly in spam. The Glavmed website (www.glavmed.com) claims a 30-40% revenue share for referrals leading to sales. At any one time, multiple botnets can be seen spamming links leading to 'Canadian Pharmacy' websites. In September 2009, M86 Security Labs took a random sampling of spam, and automatically followed the links to determine the affiliate program being promoted. The 'Canadian Pharmacy' program was promoted in 67% of spam, with Prestige Replicas a distant second at 8% [6].

Figure 4: Spam Affiliate Programs

[5] http://www.m86security.com/labs/i/Ya-Bucks-Malware-Affiliate-Program,trace.1060~.asp
[6] http://www.m86security.com/labs/i/Top-Spam-Affiliate-Programs,trace.1070~.asp


Figure 5: 'Canadian Pharmacy' website

MALICIOUS SPAM

Malicious spam is categorized as Email that has a malicious attachment or an embedded URL that leads to a malicious website (also known as a blended threat). The latter half of 2009 saw an overall increase in the levels of malicious spam to 3 billion messages per day, compared with 600 million messages per day in the first half of the year. There were two main factors driving this increase:

• Malicious executables being spammed out, typically with DHL or UPS 'Get your parcel' type subject lines (Figure 6), but also other themes like "Facebook update". The executable payload of these campaigns varies; often it was a downloader called Bredolab, which has been observed downloading a wide variety of malware including scareware, password stealers, and spambots such as Pushdo.

Figure 6: UPS Malicious spam with Bredolab downloader

• Blended threat campaigns, which are e-mail messages containing no attachments, but instead contain a link that leads to web pages hosting malicious code. Therefore, the infection happens through the web browser, not through the e-mail client, hence the name 'blended threat.' The malware of choice distributed through most of these campaigns was Zeus, an information stealer (see Figure 7).

Figure 7: Blended threat attack from the Pushdo botnet that leads to the Zeus malware.

ZEUS CAMPAIGNS FROM PUSHDO

Over the last six months, we have seen numerous, large scale Zeus blended threat campaigns. These attacks use the combination of massive amounts of spam from the Pushdo botnet, well designed web pages, social engineering, thousands of random looking domain names hosted on a fast-flux network and exploit kits, all to install the Zeus (or Zbot) Trojan horse.

The social engineering aspect used well-known brands or trusted organizations. The websites were well designed, using the same look and feel of the targeted brand, good English and grammar, and offered a plausible reason for downloading and running an executable from the website. The user's email, obtained from the spam link, was often included in the page to add credibility. Some sites have subtle features to add further credibility, such as the VISA site showing the first number of a user's VISA card as '4' (all VISA cards start with '4') or stating that an executable is a self-extracting PDF file. A few of these sites, such as the Facebook and MySpace examples, even asked the user to log in first (although the credentials were not verified at the time), giving the criminals login credentials, before users were asked to download and run a file.

If the user was suspicious enough to not download the executable file after clicking on the spam link, there was a chance they could get infected anyway if they were vulnerable to browser or application exploits incorporated in the websites.


[7] http://www.m86security.com/labs/i/Virut-s-Not-So-Obvious-Motive,trace.873~.asp

Each separate campaign used several hundred random looking domain names, often with the recipient's domain or the domain of a targeted brand as a sub-domain. For example:

cgi.ebay.com.<DOMAIN>.ne.kr/ws/ebayisapi.dll

<DOMAIN>.yhuttte.or.kr/owa/service_directory/settings.php

www.facebook.com.<DOMAIN>.org.uk/usersdirectory/loginfacebook.php

The directory structure on the malicious web server is also often similar to the website it is trying to impersonate. Among the brands and organizations we have seen are VISA, Paypal, Ebay, Facebook, MySpace, American Express, CDC, Bank of America, HSBC, NACHA, IRS and FDIC.
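The sub-domain trick in these examples can be caught mechanically: the brand's domain appears as a leading run of labels, while the registrable domain (the label immediately left of the public suffix) belongs to someone else. The following Python is an added example, not code from the report: it splits a hostname into registrable domain and sub-domain labels against a small, constructed suffix table (a real deployment would load the full Public Suffix List) and reports which brand a hostname is impersonating. The label "victim-example" stands in for the report's <DOMAIN> placeholder.

```python
from urllib.parse import urlparse

# Constructed suffix table covering the examples on this page; a real tool would
# load the full Public Suffix List instead of hard-coding these.
KNOWN_SUFFIXES = {
    "com", "net", "org", "info", "kr", "uk",
    "ne.kr", "or.kr", "co.kr", "co.uk", "org.uk",
}

# Brand domains named in this section; the check asks whether one of them
# shows up as sub-domain labels under somebody else's registrable domain.
BRAND_DOMAINS = ("ebay.com", "facebook.com", "paypal.com", "visa.com", "myspace.com")


def hostname_of(url: str) -> str:
    """Extract the host from a URL that may lack a scheme (as in the report's examples)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def split_host(host: str):
    """Return (registrable_domain, sub_domain_labels) using the longest known suffix.
    Returns (None, labels) when the host is nothing but a public suffix."""
    labels = host.rstrip(".").split(".")
    suffix = labels[-1]  # unknown TLD: fall back to the last label
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_SUFFIXES:
            suffix = candidate
            break
    n = len(suffix.split("."))
    if len(labels) <= n:
        return None, labels
    return ".".join(labels[-(n + 1):]), labels[:-(n + 1)]


def impersonated_brand(url: str):
    """Brand whose domain appears in the sub-domain part of a URL that is not
    actually registered under that brand, or None if nothing looks off."""
    registrable, sub_labels = split_host(hostname_of(url))
    if registrable is None:
        return None
    for brand in BRAND_DOMAINS:
        if brand == registrable:
            continue  # genuinely the brand's own host, e.g. www.ebay.com
        b = brand.split(".")
        for i in range(len(sub_labels) - len(b) + 1):
            if sub_labels[i:i + len(b)] == b:
                return brand
    return None


# The report's three examples with its <DOMAIN> placeholder replaced by the
# constructed label "victim-example", plus a legitimate host for contrast.
SAMPLE_URLS = [
    "cgi.ebay.com.victim-example.ne.kr/ws/ebayisapi.dll",
    "victim-example.yhuttte.or.kr/owa/service_directory/settings.php",
    "www.facebook.com.victim-example.org.uk/usersdirectory/loginfacebook.php",
    "https://www.ebay.com/ws/ebayisapi.dll",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(impersonated_brand(u), "<-", u)
```

The second example, where the recipient's own domain is the sub-domain, is not caught by a brand list; the only signal there is the unfamiliar registrable domain, which is why a mail or web gateway should show users the registrable domain rather than the full hostname.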

Figure 8: Facebook update scam leading to Zeus Trojan

VIRUT DISTRIBUTING SPAMBOTS

Over the past year, malware became more voluminous, sophisticated and complex. One piece of malware we encountered illustrates this complexity. A prevalent distribution vector for spambots and other attacks was a piece of malware called Virut, which is a file infecting virus that can download and install almost any type of malware onto an infected computer [7]. The Virut malware infects files with .exe and .scr file extensions. A user may encounter Virut by visiting malicious websites that contain exploits that download Virut as a payload.

Virut plays a part in distributing spamming Trojans such as Xarvester, Grum, Pushdo and Gheg. Virut also plays a role in distributing money mule and profit-driven malware that includes rogue anti-virus, keyloggers, password stealers and ad-clickers.

Figure 9: Virut infected machine also infected with two spambots.

WEB

BLACK HAT SEO

During 2009 a growing trend was the use of Search Engine Optimization (SEO) techniques to drive users to web pages hosting malicious code. Also known as SEO poisoning, the technique aims to elevate malicious landing pages up the search engine results ranking, thus ensuring a steady supply of victims. SEO poisoning is particularly treacherous as users tend to implicitly trust search engine results.

The techniques vary, but many center on creating and posting web pages with keywords and phrases related to any hot trend, such as those derived from services like Google Trends, other celebrity news or popular topics. A good example of this technique in practice was seen in the number of malicious pages listed in search engine results immediately following the untimely passing of megapopstar Michael Jackson. These 'enriched' web pages help to push up the search engine rankings for the criminals' malicious landing pages. The systems the criminals are using are sophisticated and highly automated, leading to a continuing supply of fresh search terms and 'loaded' web pages.

Figure 10: Bogus SEO result for 'MailMarshal'


[8] http://www.m86security.com/labs/i/Be-Careful-What-You-Search-For,trace.884~.asp

SEO attacks involve the manipulation of a search engine's indexing algorithms using various techniques in order to place the attackers' websites higher up in the search results [8]. The size and scope of SEO poisoning is not immediately obvious, because in order to find an SEO promoted malicious website you have to search for the specific terms for which it was optimized. The following illustrates how widespread the problem is. We recently entered the term MailMarshal, M86 Security's email filtering product, into Google and chose the previous week's timeframe. As you can see in Figure 10 above, high up the list of results for 'Marshal' is a bogus result based off the term, which leads the end user to malware.

The whole success factor of SEO poisoning relies on the false website being ranked high in search results. One way that search engines rank websites is by the number of 'backlinks', which are links on other websites that link back to the site in question. Attackers create thousands of backlinks to a web page they want to promote. When a search engine visits this page it sees legitimate content, but when a user visits they are redirected to a website of the attacker's choosing.

Throughout 2009, the cybercriminals offering fake anti-virus 'scareware', in particular, used SEO poisoning techniques to drive users to their landing pages. In many cases, we have seen end users being redirected to pages like the one featured in Figure 11.

Figure 11: Scareware landing page from SEO campaign

ZERO-DAY VULNERABILITIES

During the last six months, we've observed an increase in the number of new zero-day vulnerabilities, with the most notable being discovered in Adobe and Microsoft products. We have seen close to a dozen zero-day vulnerabilities that were used by cybercriminals throughout 2009 (Figure 12).

Figure 12: List of vulnerabilities used by cybercriminals throughout 2009

One of the major problems with zero-day vulnerabilities is the length of time during the "window of vulnerability," which is measured from the time the vulnerability is first discovered being used in-the-wild until the time when a patch is released by the application vendor.

In the past there have been cases where this window has remained "open" for months or even years. Even now, as bigger software companies become more cognizant of security, the time interval from zero-day vulnerability detection to the release of a patch can be very significant and take from several days (best case scenario) to several weeks or even months. It should be noted, of course, that even after the closure of a vulnerability, exploitation continues to be used everywhere in-the-wild because users are typically lax in applying necessary updates for their applications and the latest security patches. A current example of this would be MDAC, which was patched in 2006, but is still widely used by cybercriminals.

The chart below illustrates the issue with the length of the window of vulnerability over the last six months. This example uses just 7 reported vulnerabilities.


Figure 13: Window of Vulnerability

A cursory glance at Figure 13 shows that even though the window of vulnerability might be short at times, it is the overlapping time intervals that pose a real problem. It is during these overlapping time intervals that end users are completely vulnerable to attack, with very little they can do about it. As indicated in red, within a six month period alone, Internet users/consumers not protected by true pro-active real-time on-premise security technology were completely exposed to potential attacks close to 40% of the time. This means that no protection was provided by application vendors during this timeframe, and even the desktop AV scanners that need to react to these attacks provided little protection; as such, cybercriminals used this to their advantage by exploiting these zero-day vulnerabilities.
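The percentage in Figure 13 is the union of overlapping intervals, not a sum of window lengths; adding up the seven windows would count the overlapping days twice. The following Python is an added example, not the report's data or code: it merges a constructed set of seven [first-seen, patched) windows, clips them to the six-month period and computes the fraction of days on which at least one window was open, alongside the naive sum for comparison. The dates are constructed and do not correspond to the vulnerabilities in Figure 13.

```python
from datetime import date

# Constructed [first seen in the wild, patch released) windows. They stand in for
# the seven vulnerabilities of Figure 13 and are NOT the report's data.
WINDOWS = [
    ("vuln-A", date(2009, 7, 6), date(2009, 7, 28)),
    ("vuln-B", date(2009, 7, 20), date(2009, 8, 11)),
    ("vuln-C", date(2009, 9, 1), date(2009, 9, 8)),
    ("vuln-D", date(2009, 10, 12), date(2009, 10, 30)),
    ("vuln-E", date(2009, 10, 20), date(2009, 10, 27)),
    ("vuln-F", date(2009, 12, 14), date(2010, 1, 12)),
    ("vuln-G", date(2009, 12, 15), date(2010, 1, 5)),
]
PERIOD_START = date(2009, 7, 1)
PERIOD_END = date(2010, 1, 1)  # exclusive: the second half of 2009


def clip(intervals, lo, hi):
    """Keep only the part of each [start, end) interval inside [lo, hi)."""
    out = []
    for start, end in intervals:
        s, e = max(start, lo), min(end, hi)
        if s < e:
            out.append((s, e))
    return out


def merge_intervals(intervals):
    """Merge overlapping or touching [start, end) intervals into disjoint ones."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def summed_window_days(windows, lo, hi):
    """Naive total: window lengths added up, so overlapping days count twice."""
    return sum((e - s).days for s, e in clip([(s, e) for _, s, e in windows], lo, hi))


def exposed_days(windows, lo, hi):
    """Days in [lo, hi) on which at least one window was open (overlaps counted once)."""
    merged = merge_intervals(clip([(s, e) for _, s, e in windows], lo, hi))
    return sum((e - s).days for s, e in merged)


def exposure_fraction(windows, lo, hi):
    """Share of the period during which an unpatched, in-the-wild zero-day existed."""
    return exposed_days(windows, lo, hi) / (hi - lo).days


if __name__ == "__main__":
    print("period days:", (PERIOD_END - PERIOD_START).days)
    print("summed window days:", summed_window_days(WINDOWS, PERIOD_START, PERIOD_END))
    print("exposed days:", exposed_days(WINDOWS, PERIOD_START, PERIOD_END))
    print("exposure: %.1f%%" % (100 * exposure_fraction(WINDOWS, PERIOD_START, PERIOD_END)))
```

With these constructed dates the naive sum is 111 window-days against 79 actually exposed days out of 184, so the exposure fraction is about 43%; the gap between the two numbers is exactly the overlap the text describes, and the merge step is what keeps a report like this one honest about it.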

THE DUMMIES GUIDE TO ATTACK TOOLKITS

Attack toolkits are used to build the actual cyber attacks themselves. The increasingly professional nature of these tools being used, such as Web attack toolkits, shows us that the provision of software to the cybercrime industry has become a serious business in and of itself. One such example is the recent attack toolkits that closely resemble professional application packages.

As with any other professional software product, attack toolkits may include:

• An official website

• Version management

• Overviews of technical characteristics (present and future)

• Support

• Pricing lists

• Multi-lingual translations

Just a few years ago, the attack toolkit market was mostly comprised of WebAttacker, followed by the GPack and MPack toolkits. Newer attack toolkits such as Yes, LuckySploit, Eleonore and Fragus have helped to expand the market and increase the demand for these packages. Within the last six months, we've observed a significant increase in the number of new and different attack toolkits, such as SEO, MAX, Shaman's Dream, Siberia, and CleanPack.

Developers of modern attack toolkits advertise their products as easily configurable and manageable. Indeed, they do not require a deep knowledge of hacking and have made the process much simpler for cybercriminals. Combined with frequently updated versions that include the latest exploits, an attack toolkit is an effective weapon in the hands of any cybercriminal.

The following are examples of attack toolkit sites and products:

Figure 14: Yes Exploit Toolkit Website

Figure 15: Fragus Attack Toolkit

Figure 16: Eleonore Exp Attack Toolkit


[9] http://www.m86security.com/labs/i/Adobe-PDF-Zero-Day,alerts.1210~.asp
[10] https://m86security.webex.com/m86security/lsr.php?AT=pb&SP=EC&rID=7091157&rKey=4beda2b0b3bbef14
[11] http://isc.sans.org/diary.html?storyid=7906

ADOBE PDF ATTACKS

Adobe products remain one of the most targeted applications for vulnerabilities. In 2009 alone, there were several notable Adobe PDF vulnerabilities that were discovered and widely exploited: CVE-2009-0927, CVE-2009-1492, CVE-2009-1493, CVE-2009-1862. CVE-2009-4324 is the most recent vulnerability in an Adobe product [9]. In this example, attackers were able to package malicious code into a PDF file, which would go undetected by most desktop AV scanners. As soon as the end user opened the blank PDF file, the malicious code would be executed and their systems would be compromised. More information on this particular example can be found in one of our recent webinars [10].

From an attacker's perspective, the advantages are quite simple: PDF files are not browser dependent, and Adobe Reader and Acrobat are immensely popular products with high visibility in the marketplace. Finally, the other boon for attackers is the fact that PDFs offer the ability to include dynamic content within a file.

Considering these advantages, PDF exploits are frequently used in attack toolkits, along with Flash files and, more recently, Java (JAR) exploits. In some cases, a set of PDF exploits is the only mode of attack needed by a cybercriminal to attack via a Web page.

Ultimately, PDF attacks tend to be very effective, with some achieving as high as a 50% success rate. The following figure shows the success rate of a PDF exploit:

Figure 17: PDF Exploitation Rate

The end user often has a false sense of security: even if they are up to date with all the latest security updates, they mistakenly believe that permanent browser updates offer enough protection. However, the real situation is decidedly different. Multiple zero-day attacks, combined with the limited capabilities [11] of anti-virus products in preventing the spread of malware through PDF files, leave the consumer exposed to malware and unprotected against cyber attacks.

RISE IN TWITTER ATTACKS

As Twitter began surging in popularity through the first half of 2009, we warned users about the pitfalls of the service in our first half report. The trifecta of spam, malware and phishing problems on Twitter has continued to increase, highlighting the fact that cybercriminals love to target areas of the Web where the user base is large and growing, making it easier to see their attacks reap big rewards.

In August of 2009, we wrote about the rise of a weight loss spam campaign [12] and how its impact was seen in thousands of 'tweets' sent out across the service (Figure 18).

Figure 18: Spam campaign seen on Twitter in August of 2009

This spam campaign was one of many that we observed in the last half of 2009. These kinds of spam campaigns originate from dummy accounts or accounts that have been compromised through phishing campaigns.

Figure 19: Direct message spam from a phished account.

In addition to the mass tweets about weight loss spam, these phished accounts were also used to send out mass direct messages (commonly referred to as DMs) to followers, pushing out links for games or services (Figure 19).

Twitter is also no stranger to being used as a medium to spread malware. One of the most high profile instances of this involved well known venture capitalist Guy Kawasaki's Twitter account in late June of 2009. His account was set up to automatically update using a service called NowPublic. It tweeted out an update about a sex tape, which led to a piece of malware. The biggest issue with this is that Mr. Kawasaki's Twitter account is followed by thousands upon thousands of users, and he is known to share links.

[12] http://www.m86security.com/labs/i/Twitter-Weight-Loss-Spam,trace.1057~.asp


[13] http://www.m86security.com/labs/i/Twitter-Facebook-and-Bebo-used-in-spam-campaign,trace.1168~.asp
[14] http://www.m86security.com/labs/i/Spammers-Try-URL-Shortening-Services,trace.1038~.asp

Figure 20: Guy Kawasaki tweet leading to a Trojan attacking both Mac and PC users

The most interesting usage of Twitter in a spam campaign was observed [13] in November of 2009. It involved using a link to a tweet in a spam message to direct a user to the spam via Twitter (Figure 21). This was likely used to evade certain spam filters.

Figure 21: New technique to evade spam filters, linking out to Twitter with a spam domain being pushed in a tweet.

What it ultimately boils down to is the whole concept of trust, which is what is being taken advantage of by these cybercriminals on social networking services like Twitter. Users will naturally trust their friends, making it more likely that they will in fact click on a link shared with them on Twitter or any other social networking site. The exploitation of trust is one of the primary reasons why attacks on Twitter and other social networks succeed so well.

ABUSE OF URL SHORTENERS

The sheer growth of URL shortening services throughout 2009 was apparent. The usage of these services was a byproduct of the popularity of Twitter, which caps the number of characters that can be used in each update to 140. The problem with link sharing is that oftentimes URLs can be quite lengthy, often surpassing the 140 character limit with ease.

By masking the source URL behind a shortened URL, it is hard for an end user to determine what kind of content will be provided to them when they click through. This uncertainty is often put to the side when the content comes from a friend, once again highlighting the abuse of trust in social networks.

It comes as no surprise then that the majority of malicious links that we've observed on social networking sites throughout 2009 were of the shortened URL variety. And while this phenomenon remains prevalent on services like Twitter and Facebook, we have observed them being distributed in spam messages [14] as well (Figure 22).

Figure 22: Example of shortened URLs included in spam messages

There are major players in the space, such as TinyURL and Bit.ly. However, the biggest concern lies not with the leaders, but rather with the hundreds of lesser known services that are up and running today and being used by cybercriminals. They remain unchecked, and do not have any safeguards in place to prevent malicious content from being spread through their services.


[15] http://securebrowsing.finjan.com/

RECOMMENDATIONS

• Education is paramount. Teaching users the importance of best practices for their every day Internet usage is vital. Show them examples of Scareware applications, and explain how easy it is for them to get infected. Give them a Phishing test, and see if they can pick the false sites from the real. Above all else, the number 1 rule is to be wary about clicking on any links in email or on web pages. (Rule number 2: See rule 1).

• Review your current Security Products. Armed with the latest threat information, re-evaluate the security products that are being used in your organization or at home. Ask your incumbent vendors the tough questions about exactly what they do to detect and block these threats. Look to test products against each other and ensure the vendors are investing in threat research.

• Be wary of links, even from trusted sources. It cannot be emphasized enough that even if the source of a link is someone you trust, they themselves may have had their accounts compromised or someone might be spoofing their identity. Sending email to look as though it is from someone else's email account, for example, is pretty straight-forward.

• Stay up to date. Keep Web browsers, add-ons/extensions and desktop applications up to date to their latest versions. We have seen time and time again that many attacks target vulnerabilities found in old versions of Web browsers and applications, or that organizations are not blocking the latest spam and Web threats simply because their products are not up to date. While being completely up to date with the latest patches helps to protect you and your end users from patched vulnerabilities, you will still need to remain on guard for the un-patched, zero day vulnerabilities.

• Consider using browser add-ons/extensions to add an additional layer of security. We recommend using the NoScript extension for Mozilla Firefox, which limits the execution of JavaScript code. We also suggest using extensions that will display shortened URLs as their full URLs, making it easier to know what the destination URL actually is. Many security vendors such as M86 have free tools for users to install on their personal or home computers, typically the most vulnerable. Tools such as SecureBrowsing [15], which analyzes links from search engine results or on web pages to gauge their malicious nature, also work with shortened URLs such as those found in Twitter.
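The recommendation to see a shortened URL's full destination before clicking, and the URL shortener section above, both come down to following the redirect chain without fetching or rendering the destination. The following Python is an added example, not a tool from the report or from M86: it follows 3xx Location headers hop by hop with a hop cap and loop detection, returning the final URL and every host in the chain. The HTTP layer is a constructed table standing in for HEAD responses and the hostnames are placeholders; in a live tool the head() callback would wrap requests.head(url, allow_redirects=False) and return the status and Location header.

```python
from urllib.parse import urljoin, urlparse


class RedirectLoopError(Exception):
    """Raised when a chain revisits a URL or exceeds the hop budget."""


# Constructed table standing in for HTTP HEAD responses: url -> (status, Location).
# The hostnames are placeholders, not real shortening services.
FAKE_RESPONSES = {
    "http://short.example/a1b2": (301, "http://another-short.example/zz9"),
    "http://another-short.example/zz9": (302, "http://landing.example/offer.php?id=7"),
    "http://landing.example/offer.php?id=7": (200, None),
    "http://short.example/rel": (302, "/final"),
    "http://short.example/final": (200, None),
    "http://short.example/loop1": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop1"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_head(url):
    """Stand-in for a HEAD request that does not follow redirects itself."""
    return FAKE_RESPONSES.get(url, (404, None))


def expand_url(url, head=fake_head, max_hops=10):
    """Follow Location headers hop by hop without fetching or rendering any body.
    Returns (final_url, chain); chain lists every URL visited in order."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_STATUSES or not location:
            return url, chain
        url = urljoin(url, location)  # Location may be relative to the current URL
        if url in seen:
            raise RedirectLoopError("redirect loop at " + url)
        seen.add(url)
        chain.append(url)
    raise RedirectLoopError("more than %d redirects" % max_hops)


def hosts_in_chain(chain):
    """Hostnames touched by the chain; the last one is what the user should see
    before deciding whether to click."""
    return [urlparse(u).hostname for u in chain]


def is_redirect_loop(url, head=fake_head):
    """True when the chain never terminates within the hop budget."""
    try:
        expand_url(url, head)
        return False
    except RedirectLoopError:
        return True


if __name__ == "__main__":
    final, chain = expand_url("http://short.example/a1b2")
    print("final:", final)
    print("hosts:", " -> ".join(hosts_in_chain(chain)))
```

Resolving with HEAD and an explicit hop budget keeps the expander from executing anything the landing page serves, and chaining through a second shortener (as the first sample does) is itself a signal worth surfacing to the user alongside the final host.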


GLOSSARY OF TERMS

Affiliate Programs – A method by which spammers make money. By signing up for an affiliate program, spammers are provided with templates and a unique identifier, which they will use to track referrals. If they drive back traffic that leads to a sale, they are rewarded with a commission. 'Canadian Pharmacy' is the most popular affiliate program today.

Attack Toolkit – A hacker kit that exploits several client side vulnerabilities to execute arbitrary code.

Black Hat SEO – The way cybercriminals utilize SEO ("black hat") to increase the search engine rankings for their own websites, so that their malicious landing pages end up higher in search engine rankings, driving more end users to their sites.

Blended Threats – An attack that combines both e-mail and web as the attack vector. Foregoing traditional methods of attaching a virus directly to an e-mail message, a blended threat contains a link to a website, which will either push malware to the end user or host malicious code.

Botnets (or Bot networks) – A botnet is a network of compromised computers (known as drones or zombies) that are used by cybercriminals to send out spam messages, spread malware, and for other criminal activity.

Bot herder (or Bot owner) – The individual responsible for commanding the botnet to perform tasks by way of command & control.

Command and Control (or C&C) – The method by which the bot herder commands the various zombies in the botnet. Historically, botnets were controlled by way of Internet Relay Chat (IRC) and more recently, over HTTP (Hypertext Transfer Protocol). Bot herders have also started experimenting with other ways to implement command and control, such as through Twitter, Google Groups, and Facebook Notes.

CVE (or Common Vulnerabilities and Exposures) – A common identifier for publicly-known information security vulnerabilities.

Direct Message (or DM) – A private message that is sent between users of the social networking/micro-blogging service, Twitter.

Malicious spam – Spam messages that contain a malicious attachment, such as an executable or PDF file, or that contain a link that leads the end user to malware (known as a Blended Threat).

Scareware – A type of scam used by cybercriminals to convince an end user that their computer has been infected with malware. Usually delivered in the form of a pop-up or through a Black Hat SEO campaign; by scaring the end user, they trick the end user into believing that they are downloading a proper Anti-Virus solution, when they are instead downloading malware.

SEO (or Search Engine Optimization) – A method to increase the volume of traffic to a website via search engines through "organic" search results, intended to move a website up in the search engine rankings.

SEO Poisoning – A method employed by cybercriminals to poison search engine results for popular news items, trending topics, and overall hype. Common instances of this have been seen in deaths of celebrities, natural disasters, and product releases (such as Apple's iPad and Google Wave).

Spambots – Botnets that are primarily used to send out spam messages. Spambots can be rented out to cybercriminals for various campaigns.

Spam Categories – (See definition of Spam Types)

Spam Types (or Spam Categories) – The different types of spam being sent out by various botnets. The most common spam type seen today is Pharmaceutical spam.

Tweet – A term used to describe the messages posted to the social networking/micro-blogging service Twitter, where messages are limited to 140 characters.

Zero-Day Vulnerabilities – A vulnerability that is unknown to others, undisclosed to the software developer, or for which no security fix is available.

© Copyright 2009 M86 Security. All rights reserved. M86 Security is a registered trademark of M86 Security. All other product and company names mentioned herein are trademarks or registered trademarks of their respective companies.

Corporate Headquarters
828 West Taft Avenue
Orange, CA 92865
United States
Phone: +1 (714) 282-6111
Fax: +1 (714) 282-6116

International Headquarters
Renaissance 2200
Basing View, Basingstoke
Hampshire RG21 4EQ
United Kingdom
Phone: +44 (0) 1256 848080
Fax: +44 (0) 1256 848060

Asia-Pacific
Suite 1, Level 1, Building C
Millennium Centre
600 Great South Road
Auckland, New Zealand
Phone: +64 (0) 9 984 5700
Fax: +64 (0) 9 984 5720