The Last Watchdog

on Internet security by Byron Acohido

Finally — a solid measurement of the scale and scope of cyber attacks

Posted on September 16, 2009 | 2 comments

Metrics precisely quantifying the scale and scope of cybercrime activity have historically been hard to pin down. But now comes a milestone survey, buttressed by another report, that defines the degree to which the Web is infested with malicious code.

The SANS Institute’s report on Top Cyber Risks is by far the most comprehensive accounting of ongoing cyber attacks ever made public. SANS is the well-respected Washington D.C.-based tech security think tank and training center. The organization distilled attack data from 6,000 companies and government agencies protected by defense systems supplied by two leading tech security companies, TippingPoint and Qualys.

SANS’ cornerstone finding: the vast bulk of attacks that infect home and workplace computers, enlist them into bot networks, and then use them to carry out criminal activities stem from two pervasive weaknesses.

The first: unpatched vulnerabilities in popular consumer applications, especially Adobe’s Acrobat Reader and Flash Player, Apple QuickTime and Microsoft Office. The second: security weaknesses in the Web applications that enable all the cool features on Web 2.0 sites.

Hand in glove

These two weaknesses work hand-in-glove — to the benefit of the bad guys. Here’s how:

Many cyberattacks hinge on getting a victim to click on a corrupted URL, as I explained in my Sept. 3, 2009 USA Today news story.

Of course, the bad URL had to be tainted at some point earlier. Attackers most often do this via SQL injection exploits of legit Web pages; these automated attacks seek out and take advantage of Web sites running poorly written Web applications.

“Organizations need to pay more attention to the security of their critical software applications,” says Roger Thornton, co-founder and CTO of Fortify Software. “Today’s cybercriminals have moved to the easiest breach points, which is now the applications an organization uses to conduct its business.”

Upon cracking a Web page, the hacker will typically use off-the-shelf, tried-and-true tools, such as Mpack or IcePack, for the next step. These tools will efficiently seek out security holes in popular PC applications — the everyday programs that can be found on just about any PC, including Internet Explorer, Acrobat Reader, Flash Player and Microsoft Office.

A bot is born

Mpack and IcePack and other similar tools go to work on newly infected computers. They quickly run through an extensive list of known vulnerabilities for all popular consumer apps — and exploit the first unpatched vulnerability they run into. The exploit almost always begins with the installation of a tiny wormhole, called a “Trojan downloader,” that secures ongoing access to the hard drive.

The attacker next uses this wormhole to install a botnet management program that turns the computer into an obedient “bot,” reporting to a command-and-control server operated by the “botmaster.” The top botmasters run mega botnets tens of thousands, or even hundreds of thousands of bots strong, with names like Waledac, Pushdo, Cutwail, Rustock, Mega-D and Storm.

Each freshly infected bot instantly begins to participate in myriad criminal activities – everything from spreading spam to triggering scareware promotions to hijacking online banking accounts to participating in politically-motivated Distributed Denial-of-Service attacks.

Top botmasters make use of infected machines judiciously — they’ll pay attention to time zones and use machines during early morning hours when the owner is asleep, for instance. They will also put bots to sleep for a time and use them again later, like letting farmland go fallow. This is to keep control of the bot for an extended period. For obvious reasons, fresh bots are always in high demand.

“The vast bulk of new bots are created when unsuspecting users visit trusted Web sites that are also infected,” says Alan Paller, SANS research director. “Web attacks take advantage of client-side vulnerabilities that are being given insufficient attention by cyber defenders. The web attacks also take advantage of Web programming errors that are not being picked up by common vulnerability scanners.”

The bottom line, says Paller, is that “two cyber risks dwarf all others and users are not effectively mitigating them.”

Web threats mushroom

Serendipitously, SANS released the results of its milestone survey the same day Websense released its bi-annual threat report covering the first half of 2009. Websense keeps track of Web-based attacks hitting the networks of its corporate customers; it reported a whopping 671 percent spike in malicious Web links in the first half of 2009 compared to the first half of 2008.

What’s worse: corrupted legitimate sites account for an estimated 77 percent of the bad links lurking out there in the Internet wild.

Web properties that encourage user-generated content — such as media sites, social networks and popular blogs — have become popular targets. This was vividly demonstrated just last weekend when hackers served up viral advertisements all across the New York Times’ Web site.

In a similar attack on USA Today’s Web site last May, cyber criminals patronized a legit ad placement agency to purchase advertising space on USA Today’s Life home page. The crooks then supplied the ad agency with copies of ads for Roxio Creator 2009 and Phoenix University. Then once every hour or so, the crooks sent through an ad containing a bit of malicious code, as shown below. This bad code redirected the visitor’s PC to an insistent promotion to buy worthless antivirus protection.

“Neither clicking, nor hovering over the ad was required to activate the malicious code,” says Purewire researcher Paul Royal, who discovered the USA Today attack. “In addition, the (corrupted) ad could have been, and likely was, served almost anywhere on USA Today’s website.”

Anyone who happened to visit USA Today’s Life home page at the moment the corrupted Roxio ad appeared was infected. Yet, had an investigator checked shortly thereafter, the crooks’ ad would have been found to be clean of any bad code, says Roger Thompson, senior researcher at AVG. This technique of paying an ad network to post a string of harmless, innocuous ads — sporadically replaced by a corrupted ad — has been used widely for at least two years, Thompson says.
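The rotation trick Thompson describes is exactly what a one-off inspection misses: the corrupted creative is served only occasionally, so checking the ad at a random moment almost always shows a clean copy. The following is an added example, not code from the original post, of how a publisher or ad-ops team can catch it anyway: fingerprint every served copy of a creative and compare it against the copy the agency approved. The creative IDs, markup, and the hourly swap schedule are all constructed sample data.

```python
import hashlib
from datetime import datetime, timedelta

# Approved creatives as supplied to the ad agency (constructed sample markup, not the real ads).
APPROVED = {
    "roxio-2009": '<a href="https://ads.example/roxio"><img src="roxio.gif"></a>',
    "phoenix-u": '<a href="https://ads.example/phoenix"><img src="phoenix.gif"></a>',
}


def fingerprint(html: str) -> str:
    """SHA-256 of the creative markup, with whitespace normalised so harmless reflows don't alert."""
    return hashlib.sha256(" ".join(html.split()).encode()).hexdigest()


APPROVED_HASHES = {cid: fingerprint(html) for cid, html in APPROVED.items()}


def build_sample_log():
    """Constructed ad-serving log: a creative is served every 10 minutes; roughly once an hour
    (every sixth serve here) the served copy carries an extra off-site script tag."""
    start = datetime(2009, 5, 5, 8, 0)
    log = []
    for i in range(24):
        cid = "roxio-2009" if i % 2 == 0 else "phoenix-u"
        html = APPROVED[cid]
        if i % 6 == 5:  # the swapped-in copy (constructed placeholder host)
            html = '<script src="http://bad.example/x.js"></script>' + html
        log.append({"ts": start + timedelta(minutes=10 * i), "creative_id": cid, "html": html})
    return log


def find_swapped_serves(log, approved_hashes=APPROVED_HASHES):
    """Continuous check: return the timestamps of every serve whose markup differs from the approved copy."""
    return [e["ts"] for e in log if fingerprint(e["html"]) != approved_hashes[e["creative_id"]]]


def spot_check(log, at, approved_hashes=APPROVED_HASHES):
    """Point-in-time check, as an investigator would do: look only at the latest serve before `at`.
    Returns True if that single copy looks clean."""
    latest = max((e for e in log if e["ts"] <= at), key=lambda e: e["ts"])
    return fingerprint(latest["html"]) == approved_hashes[latest["creative_id"]]


if __name__ == "__main__":
    log = build_sample_log()
    print("swapped serves:", [ts.strftime("%H:%M") for ts in find_swapped_serves(log)])
    print("spot check at 09:00 looks clean:", spot_check(log, datetime(2009, 5, 5, 9, 0)))
```

Four of 24 serves carry the swapped copy, and a spot check at 09:00 reports the ad as clean because it lands between swaps; only the per-serve comparison surfaces the 08:50, 09:50, 10:50 and 11:50 serves.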

So far this year, community-driven security tools, like those used on YouTube and BlogSpot, are proving to be “65% to 75% ineffective” at protecting users, says Websense CTO Dan Hubbard.

“The last six months have shown that malicious hackers and fraudsters go where the people are on the Web,” he says. “From malicious Twitter spam campaigns and blog comment spam to the massive SQL injection attacks, those perpetrating fraud are exploiting the inherent trust users have of known Web properties and other users.”

Web threats graphic courtesy of Trend Micro

–By Byron Acohido


Comments


  1. The recent malvertisement campaign that hit the NY Times was orchestrated by the same criminals that targeted USAToday.com in May 2009; both resulted in malicious ads that ended up shilling the “Personal Antivirus” brand of Rogue AV software.

