Addison Wesley Crimeware Understanding New Attacks And Defenses Apr 2008 ISBN 0321501950

Crimeware: Understanding New Attacks and Defenses

by Markus Jakobsson; Zulfikar Ramzan

Publisher: Addison Wesley Professional
Pub Date: April 06, 2008
Print ISBN-10: 0-321-50195-0
Print ISBN-13: 978-0-321-50195-0
eText ISBN-10: 0-321-55374-8
eText ISBN-13: 978-0-321-55374-4
Pages: 608

  Overview

  "This book is the most current and comprehensive analysis of the state of Internet security threats right now. The review of current issues and predictions about problems years away are critical for truly understanding crimeware. Every concerned person should have a copy and use it for reference."

–Garth Bruen, Project KnujOn Designer

There's a new breed of online predators–serious criminals intent on stealing big bucks and top-secret information–and their weapons of choice are a dangerous array of tools called "crimeware." With an ever-growing number of companies, organizations, and individuals turning to the Internet to get things done, there's an urgent need to understand and prevent these online threats.

Crimeware: Understanding New Attacks and Defenses will help security professionals, technical managers, students, and researchers understand and prevent specific crimeware threats. This book guides you through the essential security principles, techniques, and countermeasures to keep you one step ahead of the criminals, regardless of evolving technology and tactics. Security experts Markus Jakobsson and Zulfikar Ramzan have brought together chapter contributors who are among the best and the brightest in the security industry. Together, they will help you understand how crimeware works, how to identify it, and how to prevent future attacks before your company's valuable information falls into the wrong hands. In self-contained chapters that go into varying degrees of depth, the book provides a thorough overview of crimeware, including not only concepts prevalent in the wild, but also ideas that so far have only been seen inside the laboratory.

With this book, you will

• Understand current and emerging security threats including rootkits, bot networks, spyware, adware, and click fraud
• Recognize the interaction between various crimeware threats
• Gain awareness of the social, political, and legal implications of these threats
• Learn valuable countermeasures to stop crimeware in its tracks, now and in the future
• Acquire insight into future security trends and threats, and create an effective defense plan

  With contributions by Gary McGraw, Andrew Tannenbaum, Dave Cole, Oliver Friedrichs, Peter Ferrie, and others.


  Copyright

  Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, (800) 382-3419,

For sales outside the United States please contact: International Sales, . Visit us on the Web:

Library of Congress Cataloging-in-Publication Data
Jakobsson, Markus.
Crimeware : understanding new attacks and defenses / Markus Jakobsson, Zulfikar Ramzan.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-321-50195-0 (pbk. : alk. paper)
1. Computer security. 2. Internet—Security measures. 3. Computer crimes. I. Ramzan, Zulfikar. II. Title.
QA76.9.A25J325 2008
005.8—dc22
2007050736

Copyright © 2008 Symantec Corporation. All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671-3447

ISBN-13: 978-0-321-50195-0
Text printed in the United States on recycled paper at Courier in Stoughton, Massachusetts.
First printing, April 2008

Dedication

To Suma and Kabir and To A and Art

  Preface

  Traditionally, malware has been thought of as a purely technical threat, relying principally on technical vulnerabilities for infection. Its authors were motivated by intellectual curiosity, and sometimes by competition with other malware authors.

This book draws attention to the fact that this is all history. Infection vectors of today take advantage of social context, employ deceit, and may use data-mining techniques to tailor attacks to the intended victims. Their goal is profit or political power. Malware has become crimeware. That is, malware has moved out of basements and college dorms, and is now a tool firmly placed in the hands of organized crime, terror organizations, and aggressive governments. This transformation comes at a time when society increasingly has come to depend on the Internet for its structure and stability, and it raises a worrisome question: What will happen next? This book tries to answer that question by a careful exposition of what crimeware is, how it behaves, and what trends are evident.

  The book is written for readers from a wide array of backgrounds. Most sections and chapters start out describing a given angle from a bird's-eye view, using language that makes the subject approachable to readers without deep technical knowledge. The chapters and sections then delve into more detail, often concluding with a degree of technical detail that may be of interest only to security researchers. It is up to you to decide when you understand enough of a given issue and are ready to turn to another chapter.

Recognizing that today's professionals are often pressed for time, this book is written so that each chapter is relatively self-contained. Rather than having each chapter be sequentially dependent on preceding chapters, you can safely peruse a specific chapter of interest and skip back and forth as desired. Each chapter was contributed by a different set of authors, each of whom provides a different voice and unique perspective on the issue of crimeware. This book is meant for anyone with an interest in crimeware, computer security, and eventually, the survivability of the Internet. It is not meant only for people with a technical background. Rather, it is also appropriate for makers of laws and policies, user interface designers, and companies concerned with user education. The book is not intended as a guide to securing one's system, but rather as a guide to determining what the problem really is and what it will become. Although we often use recent examples of attacks to highlight and explain issues of interest, the focus here is on the underlying trends, principles, and techniques. When the next wave of attacks appears—undoubtedly using new technical vulnerabilities and new psychological twists—the same principles will still hold. Thus, this book is meant to remain a useful reference for years to come, in a field characterized by change. We are proud to say that we think we have achieved this contradictory balance, and we hope that you will agree.

  Acknowledgments

We are indebted to our expert contributors, who have helped make this book what it is by offering their valuable and unique insights, and selflessly donated their time to advance the public's knowledge of crimeware. The following researchers helped us provide their view of the problem: Shane Balfe, Jeffrey Bardzell, Shaowen Bardzell, Dan Boneh, Fred H. Cate, David Cole, Vittoria Colizza, Bruno Crispo, Neil Daswani, Aaron Emigh, Peter Ferrie, Oliver Friedrichs, Eimear Gallery, Mona Gandhi, Kourosh Gharachorloo, Shuman Ghosemajumder, Minaxi Gupta, James Hoagland, Hao Hu, Andrew Kalafut, Gary McGraw, Chris J. Mitchell, John Mitchell, Steven Myers, Chris Mysen, Tyler Pace, Kenneth G. Paterson, Prashant Pathak, Vinay Rao, Jacob Ratkiewicz, Melanie Rieback, Sourabh Satish, Sukamol Srikwan, Sid Stamm, Andrew Tanenbaum, Alex Tsow, Alessandro Vespignani, Xiaofeng Wang, Stephen Weis, Susanne Wetzel, Ollie Whitehouse, Liu Yang, and the Google Ad Traffic Quality Team.

  In addition, Markus wishes to thank his graduate students, who have helped with everything from performing LaTeX conversions to being experiment subjects, and many of whose research results are part of this book. Zulfikar wishes to thank Oliver Friedrichs and the rest of the Symantec Advanced Threat Research team (as well as his colleagues throughout Symantec) for affording him the opportunity to work on this book and for engaging in countless stimulating discussions on these topics.

  We also both want to acknowledge the help and guidance we have received from Jessica Goldstein and Romny French at Addison-Wesley. Finally, we want to thank our understanding spouses and families, who have seen much too little of us in the hectic months during which we labored on getting the book ready for publication.

Markus Jakobsson
Palo Alto, California
January, 2008

Zulfikar Ramzan
Mountain View, California
January, 2008

About the Authors

Markus Jakobsson, Ph.D., is currently principal scientist at Palo Alto Research Center and an adjunct associate professor at Indiana University. He has previously held positions as principal research scientist at RSA Laboratories, adjunct associate professor at New York University, and was a member of the technical staff at Bell Laboratories. He studies the human factor of security and cryptographic protocols, with a special focus on privacy. Markus has coauthored more than one hundred peer-reviewed articles and is a co-inventor of more than fifty patents and patents pending. He received his Ph.D. in computer science from University of California at San Diego in 1997.

Zulfikar Ramzan, Ph.D., is currently a senior principal researcher with Symantec Security Response. He focuses on improving the security of the online experience, including understanding threats like phishing, online fraud, malicious client-side software, and web security. In general, Zulfikar's professional interests span the theoretical and practical aspects of information security and cryptography. He is a frequent speaker on these issues and has coauthored more than fifty technical articles and one book. Zulfikar received his S.M. and Ph.D. degrees from the Massachusetts Institute of Technology in electrical engineering and computer science (with his thesis research conducted in cryptography and information security).

Chapter 1. Overview of Crimeware

Aaron Emigh and Zulfikar Ramzan

It used to be the case that the authors of malicious code (or malware) were interested primarily in notoriety. However, those days are long gone. The reality is that somewhere along the way, beginning roughly in the very early part of the twenty-first century, a marked shift occurred in the online threat landscape. Cyber-attackers started realizing that they could potentially make serious money from their activities. With more and more people conducting transactions online, malicious code moved away from being simply malicious, and moved toward being criminal. This trend has given rise to a new form of malicious software—namely, crimeware.

  Crimeware is software that performs illegal actions unanticipated by a user running the software; these actions are intended to yield financial benefits to the distributor of the software. Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via a wide variety of mechanisms, and attacks are proliferating rapidly. This book presents material related to crimeware that we hope is of use to people who are interested in information security, whether as researchers or as practitioners. This opening chapter presents a somewhat broad overview of crimeware. It delineates the different types of crimeware seen today and describes how this software arrives on the machine of an end user in the first place and what it does when it gets there. It also describes where opportunities for countermeasures exist. The chapter is peppered with specific real-life examples as well as data about the prevalence of the threats discussed. The remainder of this text will expound upon many of these topics in greater detail and introduce both crimeware concepts that are relevant today and concepts that are either at the bleeding edge of what's possible or even slightly beyond it.

1.1. Introduction

1.1.1. Theft of Sensitive Information

Online identity theft, in which confidential information is illicitly obtained through a computer network and used for profit, is a rapidly growing enterprise. Some estimates of the direct financial losses due to phishing alone exceed $1 billion per year. But the losses do not stop here. Additional losses include customer service expenses, account replacement costs, and higher expenses owing to decreased use of online services in the face of widespread fear about the security of online financial transactions. Increasingly, online identity theft is perpetrated using malicious software known as crimeware.

  Crimeware can be used to obtain many kinds of confidential information, including usernames and passwords, Social Security numbers, credit card numbers, bank account numbers, and personal information such as birth dates and mothers' maiden names. In addition to online identity theft, crimeware is used in targeted attacks against institutions, such as theft of access credentials to corporate virtual private networks (VPNs) and theft of intellectual property or business data. Crimeware can also be used in distributed denial-of-service attacks, which are used to extort money from businesses, and in click fraud, in which online advertisers are cheated into paying criminals who simulate clicks on advertisements they host themselves. Instances of ransomware have also occurred, in which data on a compromised machine is encrypted, and the criminal then offers to decrypt the data for a fee.

1.1.2. Crimeware and Its Scope

Crimeware is a subclass of the broader category of malware, which refers generally to unwanted software that performs malicious actions on a user's computer. In addition to crimeware, malware encompasses (possibly) legal but malicious software, such as adware and spyware, and illegal software without a commercial purpose, such as destructive viruses. Many malware examples straddle the line between being criminal and being malicious. For example, while adware might be a nuisance to some, not all adware is, strictly speaking, criminal. Because adware resides in a gray area and because it is so prevalent, this text discusses adware in more detail in . Although this text focuses on crimeware, it also discusses issues related to other forms of online malicious activity, such as the broader concepts of malware and phishing attacks. In many cases, these threats have common attributes or share some common solutions. For example, phishing attacks can be used as a social engineering lure to convince users to install crimeware on their machines. Because social engineering is an often-used mechanism for crimeware propagation, and because both phishing and crimeware can serve the ultimate goal of identity theft, it can be difficult to have a detailed exposition of crimeware without reference to phishing. Along similar lines, malware that is not crimeware might have similar propagation and detection mechanisms.

1.1.3. Crimeware Propagation

As shown in Figure 1.1, crimeware is generally spread either by social engineering or by exploiting a security vulnerability. A typical social engineering attack might aim to convince a user to open an email attachment or download a file from a web site, often claiming the attachment has something to do with pornography, salacious celebrity photos, or gossip. Some downloadable software, such as games or video player "accelerators," can also contain malware. According to the twelfth edition of the Symantec Internet Security Threat Report (ISTR), 46% of malicious code that propagated during the first half of 2007 did so over the Simple Mail Transfer Protocol (SMTP).[1]

[1] SMTP is the standard protocol for mail transmission over the Internet.

  

Figure 1.1. Crimeware propagation techniques can be broken up into two broad categories: those based on social engineering and those based on security exploitation.

Malware is also spread by exploits of security vulnerabilities; as discussed in Chapter 2, these vulnerabilities are often rooted in coding errors. In the first half of 2007, 18% of the 1509 malicious code instances documented by Symantec exploited vulnerabilities. Such malware can propagate using a worm or virus that takes advantage of security vulnerabilities to install the malware, or by making the malware available on a web site that exploits a (web browser or web browser plug-in) security vulnerability. Traffic may be driven to a malicious web site via social engineering, such as spam messages that promise some appealing content at the site, or through injecting malicious content into a legitimate web site by exploiting a security weakness such as a cross-site scripting vulnerability on the site. The relatively small percentage of exploits involving vulnerability-oriented malware suggests that attackers find no need to use technically complex methods when simpler social-engineering-based methods will suffice.

  Crimeware attacks often span multiple countries, and are commonly perpetrated by organized criminals. Because crimeware is designed with financial gain in mind, the perpetrators often treat their malicious activities as a full-time job rather than as a hobby. They appear to take their work seriously, as indicated by the proliferation of crimeware and the creative and sophisticated mechanisms the attackers have employed. This chapter describes and categorizes the different types of crimeware and discusses the structural elements common to various attacks.


1.2. Prevalence of Crimeware

Information theft via crimeware is a rapidly increasing problem. Phishing scams, for example, are increasingly being performed via crimeware. According to the Anti-Phishing Working Group, both the number of unique key-logging trojans and the number of unique URLs distributing such crimeware grew considerably between May 2005 and May 2007, with the bulk of the growth happening between May 2005 and May 2006 (see Table 1.1). Also, according to Symantec, of all threats reported from January to June 2007 that could compromise sensitive information, 88% had keystroke-logging capabilities. This number was up from 76% in the previous reporting period (July to December 2006).

Table 1.1. The number of unique password-stealing applications and password-stealing malicious code URLs from May 2005 to 2006 compared with the number from May 2006 to 2007.

                 Applications              URLs
Month            2005–2006   2006–2007     2005–2006   2006–2007
May                 79          215           495         2100
June               154          212           526         2945
July               174          182           918         1850
August             168          172           958         2303
September          142          216           965         2122
October            154          237           863         1800
November           165          230          1044         1899
December           180          340          1912         2201
January            184          345          1100         1750
February           192          289          1678         3121
March              197          260          2157         1486
April              180          306          2683         1721
May                215          216          2100         3353

(Source: Anti-Phishing Working Group, Phishing Attack Trends Report, released July 8, 2007. Available from .)

These trends reflect the growing commoditization of crimeware technology and the use of multiple hosts, such as botnets—large networks of compromised computers used together in coordinated attacks—for distribution and data collection.[2] The use of multiple web sites to host the same piece of malicious code makes it more difficult to shut down those sites and thereby stem the spread and impact of crimeware.

[2] Botnets can be used to carry out a plethora of malicious activities; they are discussed in greater detail in

1.3. Crimeware Threat Model and Taxonomy

Crimeware comes in many different flavors. Cybercriminals are technically innovative, and they can afford to invest in technology so long as the investment provides adequate returns. The most dangerous crimeware attacks are carried out as part of professional organized crime. As financial institutions have increased their online presence, the economic value of compromising account information has increased dramatically. Given the rapid evolution of cybercrime, it is not feasible to provide a comprehensive catalogue of crimeware technologies here. Nevertheless, several types of crimeware are discussed in this section, as representative of the species. The distinctions between crimeware variants are not always clear-cut, because many attacks are hybrids that employ multiple technologies. For example, a deceptive phishing email could direct a user to a site that has been compromised with content injection. The content injection could be used to install a backdoor on the victim's computer via a browser security vulnerability. This backdoor might then be used to install crimeware that poisons the user's hosts file[3] and enables a pharming attack. Subsequent attempts to reach legitimate web sites will then be rerouted to phishing sites, where confidential information is compromised using a man-in-the-middle attack. While this type of example might seem highly involved, it is not uncommon.

[3] A more detailed exposition on pharming can be found in the text edited by Jakobsson and Myers.

Other malicious software can also be installed using the backdoor, such as a mail relay to transmit spam and a remotely controlled slave that listens over a chat channel and participates in a distributed denial-of-service attack when a command to do so is received.
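The hosts-file poisoning step in the hybrid attack above is a system reconfiguration that a defender can check for directly. The following is an added example, not code from the book: it parses a hosts file in the format resolvers actually read (comments, several hostnames per line, IPv4 and IPv6) and flags any watched domain (a constructed, hypothetical watchlist) that is mapped to anything other than a loopback or unspecified address, which is what a pharming entry looks like.

```python
"""Detect hosts-file poisoning of the kind used for pharming.

Added example (not from the book). A legitimate hosts file rarely needs to
map a bank's or webmail provider's domain to an address at all, so any
non-loopback mapping for a watched domain is reported for investigation.
"""
import ipaddress
from typing import List, Tuple

# Constructed watchlist of domains a user would not normally override
# locally. These are hypothetical names, not real sites.
WATCHED_DOMAINS = {"examplebank.com", "secure-login.example", "mail.example.net"}

# Constructed sample hosts file mixing benign lines with two poisoned ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan   # office printer
# the two lines below send sensitive sites to a server the user does not control
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    secure-login.example
0.0.0.0         ads.tracker.example   # ad-blocking entry, benign
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each effective entry.

    Comments are stripped, blank lines skipped, and lines whose first field
    is not a valid IP address are ignored, mirroring resolver behaviour.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; resolvers skip these as well
        entries.append((lineno, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_poisoned_entries(text: str) -> List[Tuple[int, str, str]]:
    """Flag watched hostnames mapped to a routable (non-loopback) address.

    Returns (line_number, hostname, address) tuples. Loopback and 0.0.0.0
    mappings are treated as harmless because they cannot redirect a user
    to an attacker-controlled server.
    """
    findings = []
    for lineno, addr, hosts in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        harmless = ip.is_loopback or ip.is_unspecified
        for host in hosts:
            if is_watched(host) and not harmless:
                findings.append((lineno, host, addr))
    return findings


if __name__ == "__main__":
    for lineno, host, addr in find_poisoned_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr} (possible pharming entry)")
```

On a real machine, read the platform's hosts file (for example /etc/hosts) into `text` and compare each flagged address against the organization's known addresses for that domain.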

Notwithstanding the proliferation of various types of crimeware, a crimeware attack on a conventional computing platform without protected data or software can be roughly diagrammed as shown in Figure 1.2. Note that not all stages are required. In this diagram, the stages of a crimeware attack are categorized as follows:

1. Crimeware is distributed. Depending on the particular crimeware attack, crimeware may be distributed via social engineering (as is the case in malicious email attachments and piggyback attacks) or via an exploit of a security vulnerability (as is the case in web browser security exploits, Internet worms, and hacking).

2. The computing platform is infected. Infection takes many forms, which are discussed separately later in this chapter. In some cases, the crimeware itself is ephemeral and there may be no executable "infection" stage, as in immediate data theft or system reconfiguration attacks. For example, a crimeware instance might modify a user's hosts file before erasing itself. In such cases, the attack leaves behind no persistent executable code. In other cases, a crimeware instance might be more persistent. For example, a keystroke logger will likely continue to run on the victim's machine.

3. The crimeware executes, either as part of a one-time attack such as data theft or system reconfiguration, as a background component of an attack such as that involving a rootkit,[4] or by invocation of an infected component.

4. Confidential data is retrieved from storage, in attacks such as those involving data theft. For example, the crimeware can scan the victim's hard drive for sensitive information.

5. Confidential information is provided by the user, in attacks such as those involving keyloggers and web trojans. Here the crimeware instance might wait passively until the user visits a particular web site or engages in a particular type of transaction. At that point, the crimeware instance will record whatever information the victim enters.

6. The attacker misappropriates confidential data. Data may come from any of several sources (e.g., the victim's hard drive or his or her keystrokes) depending on the type of crimeware involved.

7. The legitimate server receives confidential data, either from the executing crimeware (in attacks in which data is explicitly compromised by the crimeware) or from the attacker (in man-in-the-middle attacks).

[4] A rootkit is a component that uses various stealthing techniques to mask its presence on a machine. Rootkits are discussed in greater detail in

  

Figure 1.2. The stages of a typical crimeware attack. First, the crimeware (1) is distributed, (2) infiltrates a particular computing platform, and (3) executes. At this point, crimeware can function in multiple ways depending on the nature of the particular crimeware instance. For example, the crimeware instance may (4) scan the user's hard drive for sensitive information or (5) intercept the user's keystrokes. In some modes, the crimeware instance transmits the information it collected (6) directly to the attacker. In other modes, the information is transmitted indirectly to the attacker through an otherwise (7) legitimate server that is being misused. In the case of a man-in-the-middle attack, the information will be sent to (6) the attacker before it is relayed to (7) a legitimate server.

1.4. A Crimeware Menagerie

  Many varieties of crimeware are explored in this section, all of which follow the stages outlined previously. Crimeware species include keyloggers and screenscrapers, redirectors, session hijackers, web trojans, transaction generators, system reconfigurators, and data stealers. In addition, crimeware based on man-in-the-middle attacks is examined, and rootkits that can prevent detection of foreign code are discussed.

1.4.1. Keyloggers and Screenscrapers

  Keyloggers are programs that monitor data being input into a machine. They typically install themselves either into a web browser or as a device driver. Keyloggers also send relevant data to a remote server. These programs use a number of different technologies and may be implemented in many ways:

  • A browser helper object can detect changes to the URL and log information when a URL is affiliated with a designated credential collection site.

  • An application-level software package may use a hooking mechanism to intercept keystroke data.

  • A kernel-level device driver can store keyboard and mouse inputs in conjunction with monitoring the user's activities.

  • A screenscraper monitors both the user's inputs and portions of the display. Screenscrapers can thwart alternate on-screen input security measures, such as graphical keyboards where users point and click on the characters in their password rather than typing the password on the physical keyboard.

  A keylogger can also be implemented as a hardware device that is physically attached to a machine. Because this book focuses on the software side, such keyloggers fall outside its scope and are not discussed further here.

  As with many crimeware varieties, configurators are available to automate construction of customized keyloggers (as shown in Figure 1.3). Keyloggers are often packaged to monitor which site the user is visiting and to transmit only credentials associated with particular sites back to the attacker. Often, hundreds of such sites are targeted, including financial institutions, information portals, and corporate VPNs. Online poker sites have even been targeted by keylogging trojans (for example, Trojan.checkraise). Similarly, online games such as Lineage and World of Warcraft have been targeted by malicious code instances (for example, Infostealer.Gampass and Trojan.Dowiex).

  

Figure 1.3. An automated keylogger generator. This generator allows the attacker to create a customized keystroke logger. The attacker can specify an email address. The log file that collects the keystrokes is then periodically sent to this particular email address. The user can specify the frequency with which the log file is sent. For example, the user can specify that the file be sent at fixed time intervals or when the file reaches a certain length.

  Application-level keyloggers often use some type of system hook (e.g., SetWindowsHook, today SetWindowsHookEx) to monitor keystrokes. A system hook is a mechanism that allows for the interception of Windows messages, commands, or process transactions, including those associated with keyboard events. Keyboard hooks have numerous legitimate purposes. For example, many instant messaging clients use a keyboard hook to determine whether a user is typing a message (and relay that information to whomever the user is communicating with). The actual keylogging application includes a component that installs the hook as well as a component that logs the data collected. In Windows, the hook procedure and logging functionality might be implemented in a Dynamic Link Library (DLL). Another way to implement an application-level keylogger is by polling the keyboard state using, for example, Windows APIs such as GetAsyncKeyState() and GetKeyboardState(). This approach

  Application-level keyloggers are capable of recording passwords even in the presence of an auto-complete feature.

  Kernel-level keyloggers operate at a much lower level; that is, they receive data directly from the keyboard itself. These keyloggers typically work by creating a layered device driver that inserts itself into the chain of devices that process keystrokes. When any request is made to read a keystroke, an I/O request packet (IRP) is generated. This IRP works its way down the device chain until the lowest-level driver retrieves the actual keystroke from the keyboard buffer. The keystroke is represented by its scancode, a numeric representation of the physical key that the user pressed (not the character, which depends on the keyboard layout and on which modifier keys are held). The scancode is placed in the IRP, which then traverses back up the device chain. Each driver on the chain can potentially inspect, modify, or respond to the scancode, and a keylogging filter driver simply copies it to a log as the IRP passes. Many legitimate drivers might be in this chain, for example, those of encryption tools or instant messaging clients.

  Kernel-level keyloggers will not capture entire passwords when the auto-complete feature is used. Auto-completion happens at the application layer, above the kernel: the remaining characters are filled in by the application without any keystrokes being generated, so the keylogging driver sees only the prefix the user actually typed, plus the key used to accept the suggestion. A more detailed exposition of kernel-level keyloggers can be found in Chapter 6 of the text by Hoglund and Butler [177].

  Various types of secondary damage may follow a keylogger compromise. In one real-world example, a credit reporting agency was targeted by a keylogger spread via pornography spam. This attack led to the compromise of more than 50 accounts with access to the agency; those accounts were, in turn, used to compromise as many as 310,000 sets of personal information from the credit reporting agency's database.
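  The difference between what an application-level hook and a kernel-level filter driver see is easiest to appreciate on a concrete log. A hook installed with SetWindowsHookEx is handed virtual-key codes after Windows has translated the keystroke, whereas the filter driver described above records the raw scancode bytes that ride in each IRP on the way back up the device chain. The Python below is an added example, not code from the book or from any keylogger it describes: it decodes such a raw log the way an analyst would when recovering what a victim typed. The set-1 make codes in the table are the standard XT values, but the sample log, the field-reconstruction rules and the treatment of unknown codes are constructed here for illustration (Caps Lock and extended keys are deliberately left out).

```python
"""Decode a raw set-1 scancode log, as a kernel-level keylogger would record it.

Added example, not from the book. The key map covers the keys needed here
(standard XT/set-1 make codes); SAMPLE_LOG and the field rules are constructed.
"""
from typing import Iterable, List

# Set-1 make codes for printable keys. A break (key release) code is the make
# code with bit 7 set: 0x1E is 'a' pressed, 0x9E is 'a' released.
_MAKE_CODES = {
    0x02: "1", 0x03: "2", 0x04: "3", 0x05: "4", 0x06: "5",
    0x07: "6", 0x08: "7", 0x09: "8", 0x0A: "9", 0x0B: "0",
    0x0C: "-", 0x0D: "=",
    0x10: "q", 0x11: "w", 0x12: "e", 0x13: "r", 0x14: "t", 0x15: "y",
    0x16: "u", 0x17: "i", 0x18: "o", 0x19: "p",
    0x1E: "a", 0x1F: "s", 0x20: "d", 0x21: "f", 0x22: "g", 0x23: "h",
    0x24: "j", 0x25: "k", 0x26: "l",
    0x2C: "z", 0x2D: "x", 0x2E: "c", 0x2F: "v", 0x30: "b", 0x31: "n",
    0x32: "m", 0x39: " ",
}
# Characters produced when Shift is held (US layout); letters are upper-cased.
_SHIFTED = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%", "6": "^",
            "7": "&", "8": "*", "9": "(", "0": ")", "-": "_", "=": "+"}
_LSHIFT, _RSHIFT = 0x2A, 0x36
_TAB, _ENTER, _BACKSPACE = 0x0F, 0x1C, 0x0E
_BREAK_BIT = 0x80

# Constructed log: the user types "bob", Tab, "Pa5", then Tab to accept the
# browser's auto-complete suggestion for the rest of the password, then Enter.
SAMPLE_LOG = [
    0x30, 0xB0, 0x18, 0x98, 0x30, 0xB0,                # b o b
    0x0F, 0x8F,                                        # Tab to password field
    0x2A, 0x19, 0x99, 0xAA, 0x1E, 0x9E, 0x06, 0x86,    # Shift+p, a, 5
    0x0F, 0x8F,                                        # Tab accepts auto-complete
    0x1C, 0x9C,                                        # Enter submits the form
]


def decode_scancodes(codes: Iterable[int]) -> str:
    """Turn a stream of set-1 make/break codes into the text the user typed.

    Tracks the Shift modifier across make/break pairs, renders Tab, Enter and
    Backspace as control characters, ignores the break codes of ordinary keys,
    and renders unknown codes as '<0xNN>' so nothing is silently dropped.
    """
    out: List[str] = []
    shift_held = 0  # number of Shift keys currently down
    for code in codes:
        released = bool(code & _BREAK_BIT)
        key = code & ~_BREAK_BIT
        if key in (_LSHIFT, _RSHIFT):
            shift_held = max(0, shift_held + (-1 if released else 1))
            continue
        if released:
            continue  # key-up of an ordinary key carries no text
        if key == _TAB:
            out.append("\t")
        elif key == _ENTER:
            out.append("\n")
        elif key == _BACKSPACE:
            out.append("\b")
        elif key in _MAKE_CODES:
            ch = _MAKE_CODES[key]
            out.append(_SHIFTED.get(ch, ch.upper()) if shift_held else ch)
        else:
            out.append(f"<0x{key:02X}>")
    return "".join(out)


def reconstruct_fields(text: str) -> List[str]:
    """Split decoded text into the values of successive form fields.

    Tab ends a field (an empty field is kept, the user tabbed over it), Enter
    ends the last field and the record, and Backspace deletes the previous
    character of the current field, as the receiving application would.
    """
    fields: List[str] = []
    cur: List[str] = []
    for ch in text:
        if ch == "\t":
            fields.append("".join(cur))
            cur = []
        elif ch == "\n":
            if cur:
                fields.append("".join(cur))
                cur = []
        elif ch == "\b":
            if cur:
                cur.pop()
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


if __name__ == "__main__":
    typed = decode_scancodes(SAMPLE_LOG)
    print(repr(typed))                # 'bob\tPa5\t\n'
    print(reconstruct_fields(typed))  # ['bob', 'Pa5']
```

  Run on the sample log, the driver-level view yields the username and only the three characters of the password that were physically typed; the auto-completed tail never produced a scancode, which is the limitation the text describes. An application-level hook in the same session would instead receive the completed field when the browser submits it.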

1.4.2. Email and Instant Messaging Redirectors

  Email redirectors are programs that intercept and relay outgoing emails, in the process sending an additional copy to an unintended address to which an attacker has access. Instant messaging redirectors monitor instant messaging applications and transmit transcripts to an attacker. Email and instant messaging redirectors, examples of which are shown in Figures 1.4 and 1.5, respectively, are used for corporate espionage as well as personal surveillance.

  

Figure 1.4. An email redirector. Note that the user interface is fairly straightforward and requires the attacker just to specify the email address to which mail should be copied.

Figure 1.5. An instant messaging redirector. Here instant messaging transcripts are sent to the address specified by the attacker. Although this particular redirector targets the AOL instant messenger, the tool itself is not a product developed by AOL.

  1.4.3. Session Hijackers

  Session hijacking refers to an attack in which a legitimate user session is commandeered. In this kind of attack, a user's activities are monitored, typically by a malicious browser component. When the user logs into his or her account or initiates a transaction, the malicious software "hijacks" the session to perform malicious actions, such as transferring money, once the user has legitimately established his or her credentials. Session hijacking can be performed on a user's local computer by malware, or it can be performed remotely as part of a man-in-the-middle attack. When performed locally by malware, session hijacking can look to the targeted site exactly like a legitimate user interaction that has been initiated from the user's home computer.

  1.4.4. Web Trojans

  Web trojans are malicious programs that pop up over login screens in an effort to collect credentials. When installed on a machine, the trojan silently waits for the user to visit a particular web site (or set of web sites). When the user visits that site, the trojan places a fake login window on top of the site's actual login window. The user, who is oblivious to the presence of the trojan on his or her machine, then tries to log in normally, thinking that he or she is entering information onto the web site. In reality, the information is being entered locally and then transmitted to the attacker for misuse.

  Web trojans do not always duplicate the login window exactly. For instance, they can add extra fields to the login window to collect more information. In one example, Infostealer.Banker.D added a field into its fake login window for a victim to enter a PIN (in addition to the username and password). Along similar lines, some web trojans wait for users to actually log in as they normally would before presenting them with additional form fields in which to enter data.

  Figure 1.6 shows a screen shot of a web trojan configurator, which can be used to automatically create a web trojan for Yahoo!, AOL, MSN, or Hotmail.

  

Figure 1.6. A web trojan configurator. This configurator allows the attacker to specify the site for which a fake login is displayed (Yahoo!, AOL, MSN, or Hotmail). When a user visits the site configured by the attacker, the user will be presented with a fake login window that overlays on top of the real login window. Data entered into the fake window will be transmitted to the attacker.

  1.4.5. Transaction Generators

  Unlike many of the other types of crimeware discussed in this chapter, a transaction generator does not necessarily target an end user's computer, but rather typically targets a computer inside a transaction-processing center such as a credit card processor. A transaction generator generates fraudulent transactions for the benefit of the attacker, from within the payment processor. These programs also often intercept and compromise credit card data. Transaction generators are typically installed by attackers who have targeted the transaction-processing center and compromised its security. Transaction generators could potentially be installed on the end user's machine as well. For example, such a transaction generator could be implemented as some type of web browser extension or plug-in, which then modifies transaction details on the fly. Such transaction generators are discussed in detail later in this book.

  1.4.6. System Reconfiguration Attacks

  System reconfiguration attacks, such as hostname lookup attacks and proxy attacks, modify settings on a user's computer, which then cause information to be compromised.
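  The hosts file is the simplest setting a hostname lookup attack can rewrite: the resolver consults it before DNS, and stage 2 of the attack diagram earlier in this chapter describes a crimeware instance that edits it and then erases itself, leaving nothing but the changed mapping behind. Auditing that file is therefore a cheap way to detect the reconfiguration after the crimeware is gone. The Python below is an added example, not code from the book. Everything in it beyond the file format is constructed for illustration: the watch list of sensitive names, the sample file, the threshold of 20 blank lines for calling an entry hidden, and the finding categories. The "sinkholed" category covers the other common hosts-file abuse, pointing security vendors' update hosts at 127.0.0.1, which the book does not discuss here. On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts.

```python
"""Audit a hosts file for the kind of entries a hostname lookup (pharming) attack plants.

Added example, not from the book. SENSITIVE_DOMAINS, SAMPLE_HOSTS, LOCAL_NAMES
and HIDDEN_AFTER_BLANK_LINES are constructed for illustration.
"""
import ipaddress
import os
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

# Constructed watch list: names whose resolution an attacker most wants to
# control. A real deployment loads the organization's own bank/webmail/VPN names.
SENSITIVE_DOMAINS: Set[str] = {"bank.com", "www.bank.com", "mail.example.com"}

# Names that legitimately map to the local host and are never reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# A mapping preceded by this many empty lines is probably meant to sit below
# the visible part of the file when an administrator opens it in an editor.
HIDDEN_AFTER_BLANK_LINES = 20

# Constructed sample: stock Windows header, then attacker-added lines pushed
# below a run of blank lines. 198.51.100.0/24 is a documentation range.
SAMPLE_HOSTS = "\n".join(
    ["# Copyright (c) 1993-2009 Microsoft Corp.",
     "127.0.0.1       localhost",
     "::1             localhost",
     ""]
    + [""] * 40
    + ["198.51.100.23   www.bank.com bank.com   # added by crimeware",
       "198.51.100.23   mail.example.com",
       "127.0.0.1       update.antivirus-vendor.example"]
)


class Finding(NamedTuple):
    line: int
    host: str
    ip: str
    reason: str


def parse_hosts(text: str) -> List[Tuple[int, str, str, int]]:
    """Return (line_number, ip, hostname, blank_lines_before) for every mapping.

    Comments are stripped; one line may map several hostnames to one address,
    as the resolver allows. Comment-only lines neither count as blank nor
    reset the blank-line run.
    """
    mappings: List[Tuple[int, str, str, int]] = []
    blank_run = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            if not raw.strip():
                blank_run += 1
            continue
        fields = body.split()
        for host in fields[1:]:
            mappings.append((lineno, fields[0], host, blank_run))
        blank_run = 0
    return mappings


def audit_hosts(text: str, sensitive: Iterable[str] = SENSITIVE_DOMAINS) -> List[Finding]:
    """Classify every non-local mapping; an empty list means a clean file."""
    watch = {d.lower() for d in sensitive}
    findings: List[Finding] = []
    for lineno, ip, host, gap in parse_hosts(text):
        name = host.lower()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(lineno, host, ip, "unparsable address"))
            continue
        if name in LOCAL_NAMES:
            continue
        if name in watch and not addr.is_loopback:
            reason = "sensitive name redirected (pharming)"
        elif addr.is_loopback or addr.is_unspecified:
            reason = "name sinkholed to the local host (blocks updates or AV)"
        else:
            reason = "name pinned to a fixed address, bypassing DNS"
        findings.append(Finding(lineno, host, ip, reason))
        if gap >= HIDDEN_AFTER_BLANK_LINES:
            findings.append(Finding(lineno, host, ip, f"entry hidden after {gap} blank lines"))
    return findings


def audit_hosts_file(path: Optional[str] = None) -> List[Finding]:
    """Audit the live hosts file (Windows location by default, else /etc/hosts)."""
    if path is None:
        root = os.environ.get("SystemRoot")
        path = os.path.join(root, "System32", "drivers", "etc", "hosts") if root else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line}: {f.host} -> {f.ip}: {f.reason}")
```

  On the sample file the audit reports the three redirected bank and webmail names, the sinkholed update host, and the fact that the first attacker line sits 41 blank lines below the stock content. The same check belongs in an incident timeline: a hosts file whose modification time postdates the suspected infection, with entries like these, is evidence of a reconfiguration attack even when no executable was left behind.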

  Hostname Lookup Attacks

  Hostname lookup attacks interfere with the integrity of the Domain Name System (DNS). Hostname lookup attacks are commonly referred to as pharming. We give a brief description of pharming here; a more extensive treatment can be found in Chapter 4 of the text edited by Jakobsson and Myers [202].

  When establishing a connection with a remote computer such as a web server belonging to a bank or other target, a hostname lookup is normally performed to translate a domain name such as "bank.com" to a numeric