Further, SQL injections and Cross site Scripting makes up 65% of the total vulnerabilities of websites in Japan. This data also signifies that countermeasures for SQL injection are extremely important.

There are many end users in Japan who misunderstand that Network Firewalls and IDS(Intrution Detection Systems)/IPS(Intrution Prevention Systems) can protect Web application attacks such as SQL injection, and there are also users who have a perception that introducing a Web Application Firewall (WAF) is
very costly.

Aforementioned IPA (http://www.ipa.go.jp/index-e.html) is an organization that promotes the growth of IT Systems in Japan, and it says that vulnerability countermeasures are not progressing in SMB related web servers due to these misconceptions of end users.

We think that low cost WAF are an effective countermeasure. However, the most cost effective measure would be WAF + some source modification. Furthermore, SQL injection attack patterns are constantly studied and new patterns are being detected. Therefore, we think that a WAF is very important due to it is ability to immediately respond to newly detected patterns.

What do you think?

Hiro Shigematsu
ProductManager – NEC System Technologies.

Now these criminals have the scalability they needed. No wonder RockPhish, the mammoth Phishing operation using a notorious self-built Fast Flux network, has had a change of heart and migrated to Asprox, an SQL injection botnet.

In the last six months the RSA FraudAction Research Lab has spotted a massive surge of Trojan infections. A good example is the Sinowal Trojan – also known as Torpig and Mebroot. Sinowal was operated by a very organized group that kept it running on the same servers since 2006. And here’s the thing: before June 2008 it was infecting machines at an average rate of 5,000 victims per month. In June the rate jumped to 20,000 and by August it was close to 30,000 infections per month. It’s not the Trojan that changed; it’s the highly effective infection mechanism and collaboration with botnet operators who offered their malware distribution services. This trend continues and even grows.

The vast magnitude of SQL injection botnets drove infection pricing to a ridiculously low level. Rather than buy expensive infection kits and “do it yourself”, you can now buy 1,000 infections at the modest rate of $23 (volume discount applies).

You mentioned social networks, Byron, and I think this is a red flag worth waving high. People should know that when they get a message from their friend in Facebook, Myspace, Classmates or for the matter any social network, might be completely fake. Once the botnet has access to a victim’s social network and sends an internal message to all his or her friends using any number of social engineering ploys – from a “video invitation” to a “funny clip” to a “cool application”. In all these cases the friend is directed to a spoofed website or an infected genuine one, triggering an automatic infection if their defenses are low, or alternatively an infection process in which they are asked to download something – a video player update, a Flash component, a security certificate – in order to “view” the content. Either way they end up with a Trojan.

What is the financial industry doing against the growing scalability of Trojans? The general direction is using multiple lines of defense and building a flexible strategy that can evolve with the threat. The technologies include Trojan detection and interception services to minimize credential harvesting; and cash-out prevention solutions such as adaptive authentication that uses various degrees of two factor and out-of-band challenges based on the risk of each incoming activity, invisible monitoring that compares the current transaction to the user’s behavioral profile, and knowledge-based authentication to verify one’s identity.

Uri Rivner
Head of New Technologies – Identity Protection & Verification
RSA, the Security Division of EMC

At BitDefender, we routinely come across e-threats like this password stealer trojan.

Compromised pages are set up to run literally dozens of exploits against machines that visit one of the SQL-injected sites – Flash player vulnerabilities, old Explorer bugs, you name it, they have it, waiting for an unpatched machine to come along. It’s all set up neatly so that exploits are tried based on user agent information about what might work.

This particular trojan is set up to steal game accounts – a type of identity theft that gets little coverage, but makes a lot of money for the bad guys, via the trade in virtual goods and avatars or characters.

@Bill Carey – strong passwords are all good, but don’t help much if the machine is actually compromised, unfortunately. Session hijacking is way too easy when you control one of the endpoints – banker trojans do that routinely.

Razvan Stoica
Communications Specialist – BitDefender

Excellent article! The SQL injection self-expanding botnet was indeed a stroke of breakthrough creativity, and I’d say its timing was just right for the fraud community. In the last couple of years, Trojans – once the tools of the very savvy high end of cyber crime – have become cheaper and easier to use, but there was one thing missing: scale. In order to really capitalize on Trojan technology, fraudsters had to look for ways to distribute their malware to a huge amount of victims.

Now these criminals have the scalability they needed. No wonder RockPhish, the mammoth Phishing operation using a notorious self-built Fast Flux network, has had a change of heart and migrated to Asprox, an SQL injection botnet.

In the last six months the RSA FraudAction Research Lab has spotted a massive surge of Trojan infections. A good example is the Sinowal Trojan – also known as Torpig and Mebroot. Sinowal was operated by a very organized group that kept it running on the same servers since 2006. And here’s the thing: before June 2008 it was infecting machines at an average rate of 5,000 victims per month. In June the rate jumped to 20,000 and by August it was close to 30,000 infections per month. It’s not the Trojan that changed; it’s the highly effective infection mechanism and collaboration with botnet operators who offered their malware distribution services. This trend continues and even grows.

The vast magnitude of SQL injection botnets drove infection pricing to a ridiculously low level. Rather than buy expensive infection kits and “do it yourself”, you can now buy 1,000 infections at the modest rate of $23 (volume discount applies).

You mentioned social networks, Byron, and I think this is a red flag worth waving high. People should know that when they get a message from their friend in Facebook, Myspace, Classmates or for the matter any social network, might be completely fake. Once the botnet has access to a victim’s social network and sends an internal message to all his or her friends using any number of social engineering ploys – from a “video invitation” to a “funny clip” to a “cool application”. In all these cases the friend is directed to a spoofed website or an infected genuine one, triggering an automatic infection if their defenses are low, or alternatively an infection process in which they are asked to download something – a video player update, a Flash component, a security certificate – in order to “view” the content. Either way they end up with a Trojan.

What is the financial industry doing against the growing scalability of Trojans? The general direction is using multiple lines of defense and building a flexible strategy that can evolve with the threat. The technologies include Trojan detection and interception services to minimize credential harvesting; and cash-out prevention solutions such as adaptive authentication that uses various degrees of two factor and out-of-band challenges based on the risk of each incoming activity, invisible monitoring that compares the current transaction to the user’s behavioral profile, and knowledge-based authentication to verify one’s identity.

Uri Rivner
Head of New Technologies – Identity Protection & Verification
RSA, the Security Division of EMC

Our software will help prevent ID theft by storing user’s passwords in secure, encrypted files and then logging users into websites automatically so users don’t need to type their passwords.

Using secure passwords is one of the additional ways users can protect themselves from identity theft and should not be overlooked.

Bill Carey
VP Marketing – RoboForm

Fake antivirus campaigns are clever because they prey on user fear, have a clear call-to-action, and cause the user to voluntarily use their credit card on their own computer to purchase the software. The criminals do not have to use credit card information to create a fraudulent transactions.

Regarding their prevalance and other delivery methods, I see even today that the tragic death of actress Natasha Richardson is being used to distribute fake antivirus trojans by posting content that is likely to come up in search results about her death. (See the SC Magazine item that just appeared on this at http://www.scmagazineuk.com).

Incidentally, the fake antivirus campaign on the credit union site was subsequently replaced by a ZBot data stealer trojan.

Please look over this excerpted chapter from my book (see link) about the iframebiz cash gang, and their activities, led by Andrey Sporaw, way back in 2005.

http://lastwatchdog.com/selling-fake-antivirus-start/

Some other questions:

Are these the same guys?

Why does selling fake antivirus appear to be stronger than ever?

What metrics or anecdotes can I use to describe just how prevalent fake antivirus campaigns are in the mix of bad stuff on the Internet?

What other delivery methods are they using?

How scaled up is this activity?

If one were to eliminate all fake antivirus campaigns, what would the threat landscape look like?

Byron