How the selling of fake antivirus got its start

April 8th, 2008

Book Excerpt
Chapter 14 – Gaps in the system

Pages 177-181

Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co.

ISBN-13: 978-1-4027-5695-5

Expediters

As the accountant for a boutique Atlanta law firm, Shaillie Gattis was naturally expected to be the resident techie. Gattis actually was well qualified. Her father, Roger Thompson, made his living as a virus guru, and as a teenager, she had worked for Thompson’s antivirus start-up, Leprechaun Software, back in Brisbane, Australia, before the family moved to America. So Gattis knew her way around computers.

But one day in early 2005, Gattis found herself stumped. The desktop PC of a coworker was hopelessly bogged down. She took the machine to her father, who confidently broke out the best set of diagnostic tools money could buy and went to work. Four hours later, Thompson was stumped.

“I couldn’t get file access to delete files, so I rebooted the system to safe mode and still couldn’t manage it,” said Thompson, cofounder and CTO of Exploit Prevention Labs. “I ran other diagnostics, trying to unpick this and unpick that. I eventually rendered the system unbootable.”

Gattis told her father that the last thing her coworker remembered doing was an Internet search for lyrics to “Pictures,” a duet sung by Kid Rock and Sheryl Crow. So Thompson fired up a test machine he used for analyzing malicious code and did a Google search for “lyrics Pictures Kid Rock Sheryl Crow.”

Clicking through a few music Web sites, he eventually came to one that displayed a prominent dialogue box, dense with text, and a “close” button at the bottom. Most PC users in a hurry would click the close button to make the box disappear. But clicking the close button also began a downloading sequence.

Thompson clicked the close button and watched his test computer get loaded up with a swarm of malicious code, including an adware installer for embedding pop-up ads, and a back door through which the attacker could turn his test PC into an obedient bot. Thompson’s test machine then began displaying a particularly intrusive ad for SpySheriff: a sales pitch kept popping up every two minutes badgering him to pay $49.95 for a fake antispyware program that purportedly would clean up his computer.

Thompson also spotted something relatively rare at the time: a cloaking mechanism, called a root kit, that rendered the malicious code inaccessible. It was the root kit that prevented Thompson from cleaning up the law firm’s PC. With a little sleuthing, Thompson learned that SpySheriff was distributed by a Russian Web site called iframeCASH.biz, one of the pioneers of a quick, surefire way to compromise PCs: Web exploits.

In a Web exploit, the attacker embeds malicious code on a Web site, then sits back and waits. The victim activates the code simply by visiting a tainted Web page. The malicious code probes the visitor’s Web browser, looking for security holes. When it finds one, it installs code through the visitor’s browser that gives the intruder complete control over the now-compromised PC.

The iframers, and other Russian groups like them, showed boundless inventiveness deploying Web exploits. First they commissioned purveyors of porn and gambling Web sites to taint their pages with malicious code. Then they began openly recruiting “affiliates” to plant malicious code on other kinds of innocuous-looking Web sites run by the affiliates, or, even better yet, to hack into popular travel, social-networking, and retail Web sites run by others to taint their Web pages and turn them into moneymakers.

Displaying a sleek, black automobile as an example of an attainable status symbol, the iframeCASH.biz home page brazenly offered to pay affiliates $61 per 1,000 infections, no questions asked. The sedan was similar to a $124,000 Mercedes S600 known in underground circles to be the personal ride of a St. Petersburg resident in his early twenties named Andrej Sporaw, believed to be the group’s leader.

Web exploits took off in 2005 for a couple of reasons. First, the antispamming community had gotten highly proficient at filtering spam, thus slowing down old-style e-mail viruses, while PC users, in turn, became more wary about opening viral e-mail attachments. Second, Microsoft in August 2004 delivered Service Pack 2 for its Windows XP operating system. Service Pack 2, or SP2, represented the first fruits from the Trustworthy Computing initiative Bill Gates launched so dramatically in early 2002.

SP2 turned on a personal firewall to block the ports most commonly used by botnet controllers, and it activated Windows Auto Update, a free online service set up by Microsoft to send PC users the latest security patches automatically. SP2 had a profound effect on the overall security of the Internet. All new Windows PCs sold after August 2004 came with SP2, and Microsoft launched an aggressive marketing campaign to distribute SP2 to 260 million current Windows XP users.

Thus SP2 put in place a basic level of security for hundreds of millions of Windows PCs, though it remained up to individual PC users to keep paid subscriptions for antivirus and antispyware protection up to date. Cybercrime gangs, like the iframers, responded by turning their full attention to Web exploits, a huge tunnel through firewalls. Thompson explained why: “When you start a browser, you punch a hole right through the firewall. Your browser immediately trusts the Web site you’re visiting and authorizes it to operate inside your firewall, so the intruder can go straight to your hard drive and install whatever he likes.”

By the close of 2005, Sporaw and the Russian iframers were ready to open the floodgates on Web exploits, says Mikko Hyppönen, virus hunter at F-Secure. They did so by retaining the services of a top-notch black hat virus researcher who went off in search of the next great, gaping vulnerability. In the cat-and-mouse world of criminal hacking, a security hole discovered and exploited before a patch can be developed is known as a zero day attack. The flaw is known only to the discoverer, not to the public or the software vendor; day one would be the first day the vendor makes a patch available.

Andrej Sporaw’s iframe gang reportedly paid $5,000 to the researcher who discovered the Windows metafile, or WMF, zero day flaw, and designed an exploit to take advantage of it. Though consummately profit motivated, Sporaw took the trouble to also grab credit for what would emerge as a watershed attack. F-Secure was among the first to discover and decrypt the original WMF exploit. The Finnish security company noticed a superfluous string of numbers deep inside the code. The string turned out to be the license number of Sporaw’s Mercedes S600.

“We think he just couldn’t resist leaving his mark in the code,” says Hyppönen.

WMF was ripe for exploitation; it was a clunky old image format that had been supplanted by the GIF and JPEG formats familiar to anyone who has ever worked with photos on a computer. It was one of those carelessly written features Microsoft developers churned out by the truckload in the early days of personal computing.

The mercenary programmer earned his $5,000 by concocting a way to take advantage of the fact that WMF files can execute programs, including, of course, malicious programs. He crafted a corrupted WMF file that could open a back door through which the iframers could install adware and cover it all up with a root kit. That would happen anytime someone simply viewed the doctored image. In mid-December, a wave of pop-up ads carrying corrupted WMF images began appearing on Web sites across the Internet. Anyone who saw such an ad was infected.
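The excerpt does not go into the file-level detail of the flaw. For readers who want a concrete defender's view, here is an added example (not from the book or from any of the companies named): a small Python scanner for WMF metafiles that parses the record stream and flags any META_ESCAPE record carrying the SetAbortProc escape, the printer-only escape that the patched GDI flaw (Microsoft's MS06-001 bulletin) turned into code execution when a viewer merely rendered the image. The record layout, the opcode values and the two sample files are from the published WMF format and are constructed here for the test; a real image has no business containing a SetAbortProc escape, so any hit is worth quarantining.

```python
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_ESCAPE = 0x0626             # record function: pass-through escape to the driver
META_EOF = 0x0000                # record function: end of metafile
ESC_SETABORTPROC = 0x0009        # escape function abused by the 2005 zero day
META_SETBKCOLOR = 0x0201         # a harmless record used in the benign sample


def parse_records(data: bytes):
    """Walk a WMF byte string and yield (function, parameters) per record.
    Stops at META_EOF or at the first record that does not fit in the file."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        off = 22                 # skip the placeable header if present
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    off += 18                    # skip the fixed 18-byte standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2    # RecordSize is counted in 16-bit words
        if size < 6 or off + size > len(data):
            break                # malformed size: do not trust the rest of the stream
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_abortproc_escapes(data: bytes) -> list:
    """Return the ByteCount of every SetAbortProc escape found in the file."""
    hits = []
    for func, params in parse_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, count = struct.unpack_from("<HH", params, 0)
            if esc == ESC_SETABORTPROC:
                hits.append(count)
    return hits


def make_record(func: int, params: bytes) -> bytes:
    """Helper for the constructed samples: one WMF record with word-aligned size."""
    params += b"\x00" * (len(params) % 2)
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def make_wmf(records: list) -> bytes:
    """Helper for the constructed samples: standard header followed by records."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


# Constructed samples: a benign file and one carrying a SetAbortProc escape.
BENIGN_WMF = make_wmf([make_record(META_SETBKCOLOR, struct.pack("<I", 0xFFFFFF)),
                       make_record(META_EOF, b"")])
SUSPECT_WMF = make_wmf([make_record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x90" * 4),
                        make_record(META_EOF, b"")])
```

The same check can be run over a mail gateway's attachment queue or a web cache; because the parser stops at the first record whose size does not fit the file, a truncated or deliberately oversized record cannot push it past the end of the buffer.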

By December 28, the security firm Websense identified more than 1,000 Web sites carrying tainted WMF files distributed by iframeCASH.biz and its affiliates. Other hacking groups jumped on the bandwagon. A tool called WMFMaker began circulating that made it a snap for anyone, even script-kiddie hackers, to spread corrupted WMF images and create their own zero day attacks, says Johannes Ullrich, CTO of the SANS Internet Storm Center.

By January 3, Ullrich counted 200 unique variants of WMF zero day exploits. F-Secure discovered one that sent waves of corrupted WMF images into the Google Desktop indexing service, infecting countless users of that service. Websense found one circulating on instant messaging services. Another type inserted a tiny, imperceptible tainted WMF image on banner advertisements on hundreds of Web sites. Yet another went out as an attachment in an e-mail virus.

“Any application that automatically displays a WMF image can be a vector for infection,” warned Alex Eckelberry, president of Sunbelt Software, in his blog. “This is a zero day exploit, the kind that gives security researchers cold chills. You can get infected simply by viewing an infected WMF image.”

The inaugural WMF zero day attack had been launched on Wednesday, December 14, a day after Microsoft’s Patch Tuesday for that month. The next Patch Tuesday was scheduled for January 10. That gave the iframers a full month of zero days to compromise PCs before Microsoft was scheduled to issue more patches. Releasing a new zero day exploit on the day after Microsoft’s Patch Tuesday would become a common practice. In a highly unusual move, Microsoft broke from its monthly pattern and issued a patch for the WMF zero day vulnerability on January 5, five days early. The two-week turnaround was blazingly fast compared to the weeks and often months Microsoft usually took to develop and test patches for newly discovered security holes.

Debby Fry Wilson, a director of Microsoft’s Security Response Center, downplayed the significance of the forces at work compelling the software giant to move so quickly.

“Normally we do an out-of-band release when things change or a problem is more severe than we first anticipated,” Wilson told eWeek reporter Paul F. Roberts. “In this case, the data continues to show that attacks are limited.”