Crime Time: Malware and the Latest Threats to Your Business
Interview with Authors of New Book on Attacks and Defenses
Dr. Markus Jakobsson, principal scientist at Palo Alto Research Center and an adjunct associate professor at Indiana University, and Zulfikar Ramzan, a Senior Principal Researcher in the Advanced Threat Research Group at Symantec, have published a new book, "Crimeware: Understanding New Attacks and Defenses" available April 19 from Symantec Press. Both Jakobsson and Ramzan have studied extensively the global phishing landscape and will speak in May at the Anti-Phishing Working Group's CeCos meeting in Japan.
Following is an exclusive interview with the authors, as well as an excerpt of their book.
Q: What's the reason for your book on crimeware, and what are the reasons we all should pay attention to this threat vector?
Jakobsson: Crimeware is a force we must face on the Internet. I've heard several people say in recent times that ecommerce will vanish within two years at the rate that criminals are attacking. While I'm normally a pretty optimistic person, after putting this book together with Zully (Zulfikar), we're not very optimistic when it comes to crimeware, and I'm taking a very negative view. What used to be a purely technical threat is no longer purely technical; some of the social context and deceit used by criminals is being seen now.
Ramzan: There are a few interesting trends driving the crimeware movement. One is the move away from hobbyist-driven threats to criminal and financially-driven threats. With the use of the Internet exploding and more and more internet transactions being done globally, there is money to be made from doing this sort of activity. Also, there is potentially the case that a lot of the attackers who were doing these attacks a few years ago have grown up and have bills to pay, so they're looking to cash in and make money off of their skills in criminal ways.
Finally, there is the development of an underground economy for Internet crime. Criminals can buy or sell stolen credentials and attack tool kits for carrying out these kinds of attacks; they can rent or buy compromised machines that are part of a "botnet" to use as a launch pad for carrying these attacks out. When this type of economy exists, a lot of people can take part in this underground marketplace for illicit activities. It has made it easier for people with no special skills, or fewer technical skills, to come in and carry out an attack: they outsource the parts they don't know how to do, focus on the one area they do know how to do, and add "their value" to the attack. A large part of that has been the social aspect of the attacks. Most of the attacks we're seeing take advantage of just that -- just trying to trick people, because that works. There's no reason to try to be so technically sophisticated if something that is simple will do the trick.
Q: Who is doing all this criminal activity, and who is out there stopping them?
Ramzan: From what we see, law enforcement is taking an active stance against it, but they've not targeted high enough. They're catching many smaller players because there are so many of them out there. They've not gotten to the "mob boss" players yet. There are so many people involved in these groups at so many different levels that it's hard to sort them out. The higher-level people are much more careful and much better about covering their own tracks than the lower-level people are. As law enforcement becomes more sophisticated at tracking these threats, they'll be in a better position to capture some of the more savvy online criminals.
Jakobsson: As organized crime becomes more involved in online crime, it's not just the offender (the programmer for hire) that should be targeted for takedown, but their boss and the organized crime group as well. The programmer can be replaced easily, so it's harder to get to the bottom of it. Hiring isn't always done on a formal basis; it is often informal, on a contract basis.
Q: Based on what you're seeing in terms of the influx of crimeware, will we be able to continue business as usual out on the Internet with any degree of confidence?
Jakobsson: We hope so, but we're seriously worried that this may not be the case.
Ramzan: It all depends on how the threats continue to evolve. I don't foresee the Internet becoming completely unstable, but I certainly think that no matter who you are, there is generally less confidence in any online transaction. The reasons could be that your machine is infected, or that someone has compromised your bank's website or log-in page; there are just so many ways for things to become compromised.
Q: Does the Trusted Computing model offer a panacea or solution to the problems of the Internet?
Jakobsson: It's a great heuristic solution, but it is not always applicable and offers no guarantee that it will work, other than that it will become harder to penetrate. It could address the problems with security, but it won't wipe them out.
Ramzan: Because crimeware is so money- and profit-driven, even developing a solution that won't answer the entire problem or wipe it out completely, but lowers the profit margin, will help put a dent in the numbers or even erase their profits. Changing the economics of the game and reducing the number of instances is what solutions like SecurID are doing.
Jakobsson: One good example I'll point to is that eBay and PayPal are no longer the top brands being attacked in phishing, because they put so much work into finding solutions for their customers. So they're not worth as much to hackers anymore. This should be the goal for any brand: to protect customers by making their brand less attractive to phishers and criminals. Not being the lowest-hanging fruit for the criminals is key.
Q: Did the recent two-factor authentication guidance have any impact on criminal activity against online banking customers?
Jakobsson: It did have some impact -- it forced the attackers to go up to man-in-the-middle attacks or place malware on the users' machines. Again, it only stopped the not-so-sophisticated criminal temporarily, until a toolkit is devised for them to usurp the two-factor authentication mechanisms offered by the online banking sites. It is a game of catch-up.
Q: How current is your book in terms of recent crimeware attacks and defenses? How quickly is crimeware evolving?
Jakobsson: Our book is about current events, and it was put together pretty quickly, from the end of 2006 to December of 2007; we had so many different contributors add information to keep it current, and we still tried to keep some timelessness in there by talking about the overall trends. The key to gathering much of this information was the collaboration and the additional authors who contributed their research on these topics.
Ramzan: The crimeware menagerie listed in the book shows there are so many different variations and kinds of malware. Criminals are infinitely creative in the things they will try and are doing things on the fly. We're seeing a lot of interesting samples lately, making changes to the code and changing the addresses they're attacking from on a minute-by-minute basis, even in the presence of two-factor authentication and other technologies.
Q: What's the difference between crimeware and phishing?
Jakobsson: It's hard to define where the boundaries of crimeware end and phishing begins, except for the fact that crimeware needs the execution of something, where phishing usually doesn't. The user experience and the deceit involved in the two really aren't that different.
Q: What is something out on the horizon of crimeware that everyone should be watching for next?
Jakobsson: One thing I fear is crimeware that doesn't spread via the Internet or storage devices and appliances (all of this has happened), but instead comes geographically from nearby devices. For example, your neighbor's wireless router infects your router, which then turns around and infects your other neighbor's router, and so on. One of the chapters of the book covers this kind of infection of access points, which is much harder to detect because a central authority doesn't see any of this. It doesn't go over the Internet, and it can spread like a real disease does in a neighborhood.
Ramzan: I'll give you an example of this -- suppose one of the routers is infected with a malicious virus that tries to replicate itself onto nearby routers within its antenna coverage (which is kind of a creepy thought). In a crowded urban area, how many wireless access points can you see from your machine? That's the same number of routers that your router can see. This kind of crimeware could rapidly infect large areas even with minimal contact. Any machine connecting to that infected router will become infected, and that's how it spreads through an entire city.
Q: What is available commercially for router security? And are they a good defense against these types of attacks?
Ramzan: The whole router security problem has not happened outside of the lab. It is, as we've said in the book, a theoretical threat. It is possible, and it may be a while before attackers begin to try these types of attacks, because most attackers try to do the least amount of work that will make them a profit. It's all about low-hanging fruit. As security gets better and the lowest branch is protected, they'll reach for a higher level. We're starting to see some shifts in the landscape as we introduce new types of solutions, and it is really a cat-and-mouse game between the security providers and the criminals. They're certainly watching us, and we're seeing an almost immediate response and change in direction when we introduce a new solution against a certain type of attack. This router attack has been tested in the lab; we didn't include a malware sample with it, but it is a reality that this could happen.
Q: What are some areas that are overlooked as attack vectors for crimeware?
Jakobsson: A year ago one of my students and I performed a social network experiment where we took a very funny commercial and hosted it on our site. We changed the certificate and made it a self-signed certificate that the viewer had to agree to before they could view the commercial. We made the authentication server's name something really horrendously obvious, such as "unsafe computer." We then sent it to 20 computer users with a note, "Check this link out. Do you want to go for a drink next Friday night?" Some of them clicked on it and downloaded the self-signed certificate. They then forwarded the link to their friends, and so on. We were on five continents within hours. Had we been malware, we would have infected thousands upon thousands of computers, but instead it was just counting how many people downloaded the file. It spread at a disastrous speed. We didn't use a social network, but had we mined Facebook, gotten 10,000 users from there and sent it to them, well, the results would have been the same. It speaks to the fact that no matter how much security a computer has, a user can circumvent it and say yes, download the file, or yes, I want to run this executable. When it comes from a friend, it can be easily confused -- they download it because it is fun, and don't ask "is this safe?"
Q: In one part of the book you talk about malware on portable devices such as iPods and USB thumb drives -- what's the biggest problem you're seeing with this kind of infection?
Ramzan: There is one problem that is so recent that we didn't cover it in the book, and that is portable devices that already have malware preloaded at the factory. There was one recent case of digital picture frames available at Best Buy that had malware preloaded on them from the factory; if a user plugged the USB from the picture frame into their machine, their computer was infected. There are many instances of this type of infection happening.
Q: What are some of the dangers of botnets for financial institutions?
Ramzan: This is an issue that has been raised in the press, but there's not a real understanding of what these networks represent. There is a lack of awareness in the public and in financial institutions of what these networks can do. Once a computer is compromised and becomes a part of a botnet, it can be ordered to join other "bots" to send spam messages, and it is controlled by a bot master. It is an evolution of something that has existed for a very long time. What makes it interesting is that the majority of botnets are being used to send out spam messages. They want to send these spam messages from as many different machines as possible, so if one is detected, the other thousand machines will operate and continue to send out the spam email. The average user who is infected isn't the victim. The victim is the one who receives the hundreds of spam emails in their inbox. There isn't really any incentive to have a clean machine, because the bot software, once it is embedded, doesn't take up much processing space on the computer and runs in the background. A botnet is a "Swiss Army Knife" for a criminal; it can do so many different things for them.
Jakobsson: A good analogy of what a botnet represents is a single bee. One bee is okay. It's no big deal to swat it away. However, if a hive full of bees attacks you, you've got real problems. It significantly changes how you would operate if the botnet aims its focus at you or your website. But as of late we've seen a downtick in the number of denial-of-service attacks, mainly because they're hard to make a profit on. It is possible to ask for an extortion deal, but that is risky for the attacker, as it reveals their botnet. They're more into staying under the radar, because their botnet is worth so much money in terms of attack power. From a hosting perspective, botnets are an attacker's dream. They can host basically anything on them. If law enforcement takes down a few of the machines, the attacker just gets more.