Attack Trends
Elias Levy, [email protected]
Ivan Arce, [email protected]

Criminals Become Tech Savvy

ELIAS LEVY
Symantec

In this installment of Attack Trends, I’ll look at the growing convergence of technically savvy computer crackers with financially motivated criminals. Historically, most computer crime on the Internet has not been financially motivated: it was the result of either curious or malicious technical attackers, called crackers. This changed as the Internet became more commercialized and more of the public went online. Financially motivated actors in the fauna of the Internet’s seedy underbelly—spammers and fraudsters—soon joined crackers to exploit this new potential goldmine.

Spam

As anyone with a computer can tell you, the spam problem has grown to immense proportions. It now represents more than 50 percent of all email transmitted over the Internet (see MessageLabs’ December 2003 Monthly View, www.messagelabs.com/binaries/Dec03.pdf, and BrightMail’s January 2004 Spam Statistics update, www.brightmail.com/spamstats.html). Its costs, which Internet service providers (ISPs) pass on to their customers, are enormous. With spam’s ubiquity comes a whole culture and industry devoted to fighting it. Large groups of people, such as , spend lots of effort to identify spam’s sources so as to shut down spammers’ Internet access. They’ve even created new technology to flag its sources (DNS- or border gateway protocol [BGP]-based blacklists) and spam messages (Bayesian networks, distributed checksum databases, and heuristics) for filtering purposes.

Increasingly on the defensive, spammers are fighting back by becoming more sophisticated, generating unique messages, and finding new open proxies or SMTP relays to send messages and hide their true sources.

Fraud

Fraud has also become a serious problem. In the past three years, Consumer Sentinel, a complaint database developed and maintained by the US Federal Trade Commission (www.consumer.gov/sentinel/), has recorded more than 300,000 Internet-related fraud complaints, which accounted for nearly US$200 million in personal losses in 2003 alone. Fraud schemes are usually peddled by individuals who spam potential victims (www.brightmail.com/brc_fraud-stats.html), such as the Nigerian, or 419, scam (see the 419 Coalition’s Web site at http://home.rica.net/alphae/419coal/). But as the number of fraud cases has increased, so has the public’s awareness of them; fraudsters are increasingly forced to resort to more intricate schemes.

We’re now seeing the practice of “phishing” gaining popularity with fraudsters. Using this scheme, criminals create email messages with return addresses, links, and branding that seem to come from trusted, well-known organizations; the hope is to convince the victim to disclose sensitive information. This practice is rooted in crackers’ first attempts to fool America Online users into parting with their screen names and passwords in the mid-1990s.

The goal these days is to extract information from a victim that crackers can use for financial gain rather than for tweaking AOL users. A commonly targeted item is victims’ credit-card information (number, expiration date, card-validation value, and so on). Criminals also want access to Internet payment systems such as e-Bullion, e-gold, Evocash, INT Gold, GoldMoney, PayPal, and Swiftpay; online transaction services such as Authorize.Net, iBill, and Verotel; and Internet-accessible banks such as Bank of America, Barclays Bank, Citibank, Halifax Bank, Lloyds Bank, Nationwide Bank, and Wells Fargo.

Malicious code

In the past, we’ve seen spammers occasionally use worms and trojans to hijack a victim’s Web browser. They replace the victims’ home and search pages with links to Web spam, as well as drop links to the spam in the victims’ bookmarks and on their desktops. To make money, they infect computers with malicious code that generates fraudulent ad views (by repeatedly visiting Web pages with specific ads for which the criminals are paid for driving users to view the ads).

Criminals have also used dialers, programs designed to use victims’ computer modems to dial national or international “premium services” phone numbers, generating unwanted charges. (Dialers are sometimes used legitimately; pornographic Web sites use them to charge customers for access to their service.)

More recently, the line between spammers, fraudsters, and crackers has continued to blur as the former become more sophisticated and the latter become financially motivated.

PUBLISHED BY THE IEEE COMPUTER SOCIETY 1540-7993/04/$20.00 © 2004 IEEE IEEE SECURITY & PRIVACY 65 Attack Trends

Sidebar: Worms and viruses used in scams

This is an incomplete list of malicious code that has been used by spammers and fraudsters. It is a testament to their increased sophistication in committing online crime.

Spam relays:
  Backdoor.Hogle—http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hogle.html

DDoS attacks:
  W32.Mimail.F—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  W32.Mimail.G—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  W32.Mimail.L—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Phishing scams:
  W32.Mimail.I—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  W32.Mimail.J—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  W32.Mimail.P—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  W32.Mimail.Q—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  W32.Mimail.S—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  Septer.Trojan—http://securityresponse.symantec.com/avcenter/venc/data/septer.trojan.html

Reverse HTTP proxies:
  Backdoor.Migmaf—http://securityresponse.symantec.com/avcenter/venc/data/backdoor.migmaf.html
  W32.HLLW.Fizzer—http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fi[email protected]

Stealing sensitive information:
  PWSteal.Bancos—http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.html
  W32.Bibrog—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  W32.Dumuru.Y—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  W32.Dumuru.Z—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  PWSteal.Tarno—http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.tarno.html
  PWSteal.Banpaes—http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.banpaes.html
  PWSteal.Banpaes.B—http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.banpaes.b.html

Others:
  Download.Trojan.PSK—http://securityresponse.symantec.com/avcenter/venc/data/download.trojan.psk.html
  W32.Mimail.A—http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  Downloader.Mimail—http://securityresponse.symantec.com/avcenter/venc/data/downloader.mimail.html
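The Spam section above lists Bayesian filtering among the technologies the antispam community built to flag spam messages. The following is an added example, not code from the column or from any product it mentions: a minimal naive Bayes filter in Python, trained on a constructed handful of labelled messages. The corpus, the tokenizer, and the 0.9 decision threshold are my assumptions, not values taken from the article.

```python
"""Minimal naive Bayes spam filter (added example; not code from the article).

Each message is reduced to the set of tokens it contains, so a token counts
once per message. For every token and class we estimate P(token present |
class) with Laplace smoothing, combine the estimates for the tokens actually
present in a new message, and turn the resulting log-odds into P(spam | message).
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lowercase alphanumeric tokens, de-duplicated per message."""
    return set(TOKEN_RE.findall(text.lower()))


class NaiveBayesFilter:
    def __init__(self):
        self.doc_counts = Counter()                               # class -> messages seen
        self.token_docs = {"spam": Counter(), "ham": Counter()}   # class -> token -> messages containing it
        self.vocab = set()

    def train(self, text, label):
        self.doc_counts[label] += 1
        for tok in tokenize(text):
            self.token_docs[label][tok] += 1
            self.vocab.add(tok)

    def _log_p_token(self, tok, label):
        # Laplace-smoothed P(token present | label): (hits + 1) / (docs + 2)
        return math.log((self.token_docs[label][tok] + 1) / (self.doc_counts[label] + 2))

    def spam_probability(self, text):
        """P(spam | message), using only tokens seen during training."""
        total = sum(self.doc_counts.values())
        log_post = {}
        for label in ("spam", "ham"):
            score = math.log(self.doc_counts[label] / total)  # class prior
            for tok in tokenize(text):
                if tok in self.vocab:
                    score += self._log_p_token(tok, label)
            log_post[label] = score
        # P(spam) = 1 / (1 + exp(log P(ham) - log P(spam))); works in log space
        return 1.0 / (1.0 + math.exp(log_post["ham"] - log_post["spam"]))

    def classify(self, text, threshold=0.9):
        """Label a message; a high threshold biases toward keeping legitimate mail."""
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus (invented for this example, not real mail).
TRAINING = [
    ("Verify your PayPal account now, your credit card expired, click here to update payment", "spam"),
    ("Cheap meds online, buy now, free shipping, limited offer, click here", "spam"),
    ("Make $5000 fast working from home, no risk, act now", "spam"),
    ("Your e-gold account has been suspended, confirm your password to restore access", "spam"),
    ("Can we move the team meeting to Thursday? I have a conflict on Wednesday", "ham"),
    ("Attached is the draft of the quarterly report, please send comments by Friday", "ham"),
    ("Thanks for lunch yesterday, let's do it again next month", "ham"),
    ("The build is failing on the integration server, can you take a look at the test logs", "ham"),
]


def build_filter():
    """Train a filter on the constructed corpus above."""
    f = NaiveBayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("Your account was suspended, click here to verify your credit card now",
                "Can you send the report draft before the meeting on Thursday?"):
        print("%.4f %-4s %s" % (f.spam_probability(msg), f.classify(msg), msg))
```

Tokens never seen in training are ignored rather than penalized, which is why the smoothing term matters: with eight messages, a single unseen token would otherwise swing the result. Real deployments train on thousands of messages per class and retrain as spammers change vocabulary, which is exactly the "unique messages" evasion the column describes.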

66 IEEE SECURITY & PRIVACY MARCH/APRIL 2004 Attack Trends

As noted in “The Making of a Spam Zombie Army: Dissecting the Sobig Worms” (IEEE Security & Privacy’s Recon department, July/August 2003, pp. 58–59), spammers now can design worms that use infected computers to send out spam.

Spam relays

One trick in the spammer’s arsenal is to use worms and trojans to create spam relays. Backdoor.Hogle’s creator designed it specifically for this purpose. After infecting a system, it checks to see whether the host’s IP address is listed in the blacklists that .net and abuse.net maintain; if it’s listed, the program terminates. Several other worms are suspected vehicles for installing proxies that spammers can use (for example, the current crop of MyDoom worms).

Reverse HTTP proxies

Spam sometimes points the recipient back to a Web site. Antispam crusaders attempt to track down these Web sites, contact the responsible ISPs, and have them shut down. This denies the spammer satisfaction even if a user is fooled into visiting a site. A backdoor found in the wild, Backdoor.Migmaf, had a clever way to get around this counterattack. It acted as a reverse HTTP proxy (see www.lurhq.com/migmaf.html), infecting thousands of computers. The spammer sent out spam with links to hosts such as linkxxxsites.com, and then used the domain’s DNS servers to point the hostname to an infected machine’s IP address. The machine would then proxy the HTTP request to the real Web server and send results back to the client, thus hiding the true Web server’s IP address from the client. The spammer changed the IP address that the hostname pointed to every 10 minutes, so to shut down the Web site, antispam activists would have had to determine the IP addresses of thousands of infected machines and disable, disconnect, or disinfect them—a difficult job indeed.

Backdoor.Migmaf also acted as a SOCKS proxy, which permitted the spammer to send out anonymous spam. Infected machines participated in a PayPal phishing scam by acting as a proxy for the scam’s Web site (www.securityfocus.com/archive/1/328772). Evidence suggests that spammers similarly used an earlier worm, W32.HLLW.Fizzer, to point to their spam Web sites.

DDoS attacks

Spammers also resort to using worms to create armies of computers to launch massive distributed denial-of-service (DDoS) attacks against spam-fighting resources on the Internet. (For URLs with more information, see the sidebar.) The W32.Mimail.F, W32.Mimail.G, and W32.Mimail.L worms, for example, attacked spamhaus.org (www.spamhaus.org/cyberattacks/), spews.org, and spamcop.net. Additionally, the W32.Mimail.L worm launched a joe job attack, also called a reputation attack, against the same sites. These attacks at times impaired the antispam services provided by these groups and used by a large number of ISPs and end users.

Phishing

Criminals have also used worms in phishing scams. The W32.Mimail.I, W32.Mimail.J, W32.Mimail.P, W32.Mimail.Q, and W32.Mimail.S worms attempt to fool users into handing over credit-card information while posing as either a PayPal application or a Microsoft Windows expiration notice. The trojan Septer.Trojan was something of a trailblazer—it attempted to scam users into giving out their credit-card information by posing as a message sent from the American Red Cross soon after 9/11. (For URLs with more information, see the sidebar.)

Stealing sensitive information

Fewer people seem to be falling for phishing scams, so fraudsters have upped the ante: instead of asking recipients for information, they obtain it either from the victims’ computer system or by monitoring their Web activity.

The W32.Mimail.Q worm steals E-Gold information stored in users’ systems and emails it to the worm’s author. Backdoor.Lala and Backdoor.Lala.B, for example, steal authentication cookies for PayPal, e-Bullion, Evocash, and eBay, among others.

The PWSteal.Bancos series of trojans and the W32.Bibrog series of worms monitor which Web pages users visit. When they detect users viewing a page on certain banks’ sites, they display a fake Web page that looks identical to the bank’s. This page then directs users to enter their financial information and steals it.

Several other trojans and worms log keystrokes (such as W32.Dumuru.Y, W32.Dumuru.Z, PWSteal.Tarno, PWSteal.Banpaes, PWSteal.Banpaes.B, and the TROJ_WINCAP series) or record data entered in Web form input fields (W32.Mimail.C), especially when they detect a user viewing a financial institution’s Web page.

Several of these worms and trojans target Brazilian banks. During the past six months, more than 20 trojans and worms have been discovered that were designed to obtain financial details from users of Brazilian banks. Brazil, which has a large number of financial institutions online, seems to be a bellwether of this global trend.

Criminals using vulnerabilities

As I mentioned earlier, criminals using phishing scams must convince their victims that they’re trustworthy by impersonating someone else, such as a trusted bank or organization. Initially, all fraudsters had to do was forge an email header. As users learned not to reveal personal information over email, fraudsters began including a link to Web pages that closely mimicked those of the institutions they were impersonating. As users then learned to inspect Web page URLs to ensure that they were contacting a legitimate Web site, criminals began to obfuscate the URL (www.pc-help.org/obscure.htm) by taking advantage of URLs’ optional authentication field. The issue has become so dire that Microsoft has removed support for handling usernames and passwords in HTTP and HTTPS URLs as of 2 February 2004 with an Internet Explorer Cumulative Security Update (www.microsoft.com/technet/security/bulletin/MS04-004.asp).

Fraudsters have also developed a technique that lets them redirect victims to a legitimate Web site while launching a pop-up window that points to their own Web page (www.securityfocus.com/infocus/1745). Some users then assume that the window is part of the legitimate organization’s site and enter their information.

BID 9182

Online criminals struck gold when “Zap the Dingbat,” a subscriber of the BUGTRAQ list, disclosed a new vulnerability in Internet Explorer on 9 December 2003 (www.securityfocus.com/archive/1/346948). The Multiple Browser URI Display Obfuscation Vulnerability (BID 9182; www.securityfocus.com/bid/9182) lets an attacker impersonate a Web site by using a bug in IE that prevents the browser from displaying the page’s full URL in the address bar if it includes a 0x01 character before the @ character. For example, evil.com’s URL, www.good.com%01@evil.com, would be displayed as www.good.com.

Fraudsters wasted no time in exploiting this new vulnerability—some started within days. One such scam impersonated an email message and Web site from the ISP Earthlink, informing users that their credit-card payment had failed to go through and that they would need to reenter their credit-card information (www.anti-phishing.org/phishing_archive/Earthlink_12-20-03.htm). Another scam masqueraded as the US Federal Deposit Insurance Corporation (FDIC) and informed users that their account’s insurance had been disabled because they were under suspicion of violating the USA Patriot Act; the message then requested users to submit sensitive information to verify their identity (www.anti-phishing.org/phishing_archive/FDIC_1-24-04.htm). Similar phishing scams targeted Citibank (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100927 and www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_CITIFRAUD.A) and PayPal (www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_PAYPFRAUD.A).

A clever spammed message also used the vulnerability, but instead of impersonating a specific institution, it impersonated the receiving email address’s domain (http://antivirus.about.com/library/weekly/aa011904a.htm). Thus, a user with an email address of “[email protected]” would see a Web page impersonating “someplace.com.” The message in question informed the user that his computer might be infected with a virus and asked him to visit a Web page for more information. The Web page downloads a backdoor that creates a SOCKS4 proxy, which can be used to send spam messages (http://vil.nai.com/vil/content/v_100939.htm). Thankfully, as of 2 February 2004, Microsoft solved the BID 9182 vulnerability with the previously mentioned IE cumulative security update.

BID 6961

In July 2003, a group of spammers was detected sending out a spam message pretending to be from “[email protected].” The message included a zip file attachment named readme.zip (www.securityfocus.com/infocus/1745), which contained a file called readme.htm. When viewed on a local computer, this file exploited the Microsoft Internet Explorer Self-Executing HTML File Vulnerability (BID 6961; www.securityfocus.com/bid/6961) and extracted and executed a malicious program called aaa.exe (Download.Trojan.PSK).

The W32.Mimail.A worm used the same vulnerability to infect new systems. In fact, the W32.Mimail.A worm was most likely seeded by a message that contained Downloader.Mimail, a trojan that uses the same vulnerability to execute and that downloads and runs the W32.Mimail.A worm. As we’ve seen, fraudsters launched this W32.Mimail series of worms.

Criminals have fully adopted the techniques of crackers and malicious code authors. These are financially motivated people, and we must assume that they will pursue their goals considerably more aggressively than an average cracker. They have the monetary means to buy the required expertise to develop very sophisticated tools to accomplish their goals of spamming and scamming the public. This year looks bleak. Yet the fight between spammers and fraudsters on one hand, and antispam and consumer protection folks on the other, will only intensify. Antivirus companies will continue to work on detecting any malicious code criminals use, antispam activists will carry on identifying sources of spam, and antispam product vendors will tune their offerings to detect new spam and fraud messages.

Elias Levy is an architect with Symantec. Previously, he was the chief technology officer and cofounder of SecurityFocus and the moderator of Bugtraq, a vulnerability disclosure mailing list. His research interests include buffer overflows and networking protocol vulnerabilities. He is also a frequent commentator on computer security issues and a technical advisor to a number of security-related companies. Contact him at [email protected].
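The Reverse HTTP proxies section above describes a spam hostname being re-pointed to a different infected machine every 10 minutes, which is what made the site so hard to take down. From the defender's side that churn is itself a signal. The following is an added example, not code from the column or from any vendor it cites: a Python script that reads a resolver log and reports hostnames whose address keeps changing at short intervals. The log format, the sample lines (documentation-range addresses and a reserved .example name), and the thresholds are my assumptions.

```python
"""Flag hostnames whose A record hops between many addresses in a short time
(added example; not code from the article or from any vendor it mentions).

Seen from a resolver or proxy log, a hostname being re-pointed at a fresh
infected machine every few minutes shows up as one name resolving to many
addresses with very short gaps between changes. The log format below is an
assumption; the lines are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <hostname> <resolved IPv4>", one lookup per line.
# Documentation-range addresses and reserved .example names only.
SAMPLE_LOG = """\
2004-01-10T10:00:00 spamlink.example 192.0.2.11
2004-01-10T10:00:00 www.bank.example 198.51.100.5
2004-01-10T10:10:00 spamlink.example 192.0.2.57
2004-01-10T10:20:00 spamlink.example 203.0.113.9
2004-01-10T10:20:00 www.bank.example 198.51.100.5
2004-01-10T10:30:00 spamlink.example 192.0.2.130
garbage line that should be skipped
2004-01-10T10:40:00 spamlink.example 203.0.113.77
2004-01-10T10:50:00 spamlink.example 198.51.100.200
2004-01-10T11:00:00 www.bank.example 198.51.100.6
"""


def parse_log(text):
    """Yield (timestamp, hostname, ip); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, fields[1].lower().rstrip("."), fields[2]


def churn_report(text):
    """Per hostname: distinct addresses, number of address changes, and the
    shortest gap in seconds between two consecutive changes (None if < 2)."""
    by_host = defaultdict(list)
    for ts, host, ip in parse_log(text):
        by_host[host].append((ts, ip))
    report = {}
    for host, records in by_host.items():
        records.sort()  # chronological order per host
        change_times = []
        prev_ip = None
        for ts, ip in records:
            if prev_ip is not None and ip != prev_ip:
                change_times.append(ts)
            prev_ip = ip
        gaps = [(b - a).total_seconds() for a, b in zip(change_times, change_times[1:])]
        report[host] = {
            "distinct_ips": len({ip for _, ip in records}),
            "changes": len(change_times),
            "min_change_gap_s": min(gaps) if gaps else None,
        }
    return report


def flag_fast_flux(text, min_distinct=4, max_gap_s=3600):
    """Hostnames seen on at least min_distinct addresses whose record changed
    at least twice within max_gap_s of each other. The thresholds are a
    starting point for triage, not a verdict."""
    hits = []
    for host, r in churn_report(text).items():
        gap = r["min_change_gap_s"]
        if r["distinct_ips"] >= min_distinct and gap is not None and gap <= max_gap_s:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    for host, r in sorted(churn_report(SAMPLE_LOG).items()):
        print(host, r)
    print("suspect:", flag_fast_flux(SAMPLE_LOG))
```

Content delivery networks and round-robin DNS also rotate addresses, so a hit from this script is a reason to look closer (record TTL, whether the addresses sit in consumer broadband ranges across many networks, what the hostname serves), not a reason to block on its own.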

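The Criminals using vulnerabilities and BID 9182 sections above describe two layers of the same trick: a trusted-looking name placed in the URL's optional authentication field so that the real host after the @ is overlooked, and, in the BID 9182 case, a 0x01 character before the @ that kept Internet Explorer from showing the rest of the address. A mail gateway or link checker can flag both forms before a user sees them. The following is an added example, not code from the column: a Python checker that reports the host that would actually be contacted, what a hurried reader might take for the host, and why the URL is suspicious. The good.com/evil.com names are the column's own placeholders; the other hostnames and the sample message are constructed.

```python
"""Detect userinfo-based URL obfuscation (added example; not code from the article).

RFC 3986 allows "userinfo@" before the host. Phishing URLs abuse this by
putting a familiar hostname in the userinfo slot; the BID 9182 variant also
inserts a percent-encoded 0x01 before the '@'. This checker flags both.
"""
import re
from urllib.parse import urlsplit, unquote

# Something that looks like a registered hostname sitting in the userinfo slot
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def analyze_url(url):
    """Return a report dict for one absolute http(s) URL."""
    parts = urlsplit(url)
    reasons = []
    userinfo = None
    if "@" in parts.netloc:
        # authority = [ userinfo "@" ] host [ ":" port ]; the real host is after the last '@'
        userinfo = parts.netloc.rsplit("@", 1)[0]
        reasons.append("userinfo present in authority")
        decoded = unquote(userinfo)
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
            reasons.append("control character in userinfo")
        # Drop a password part and control characters to see what a reader would notice
        shown = decoded.split(":", 1)[0]
        shown = "".join(c for c in shown if ord(c) >= 0x20 and ord(c) != 0x7F)
        if HOSTLIKE_RE.match(shown):
            reasons.append("userinfo looks like a hostname: " + shown)
    return {
        "real_host": parts.hostname,   # what the browser would actually connect to
        "userinfo": userinfo,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_message_urls(text):
    """Pull http(s) URLs out of a message body and return the suspicious ones."""
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        report = analyze_url(url)
        if report["suspicious"]:
            hits.append((url, report))
    return hits


if __name__ == "__main__":
    # Constructed sample message mixing an obfuscated link with a plain one
    sample = ("Your payment failed. Please confirm at "
              "http://www.good.com%01@evil.com/confirm or read http://www.good.com/help")
    for url, report in scan_message_urls(sample):
        print(url, "->", report["real_host"], report["reasons"])
```

The report deliberately separates "userinfo present" from "looks like a hostname": the first is rare enough in legitimate mail to be worth a warning on its own, the second is the phishing pattern, and the control-character check catches the BID 9182 style even when the name before the @ is not host-like. Policy of the kind Microsoft adopted in MS04-004, refusing userinfo in http and https URLs outright, is the simplest mitigation where a client or proxy can enforce it.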