Symantec Intelligence Quarterly October - December, 2009

White Paper: Symantec Intelligence Quarterly Symantec Intelligence Quarterly October - December, 2009

Contents

Introduction ...... 1

Highlights ...... 1

Metrics...... 2

Internationalizing top-level domain names ...... 5

Banking Trojans ...... 8

Appendix A—Contributors...... 12 Symantec Intelligence Quarterly October - December, 2009

Introduction Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network. More than 240,000 sensors in over 200 countries monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services and Norton™ consumer products, as well as additional third-party data sources.

Symantec also gathers malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed its antivirus products. Additionally, the Symantec distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attacker methods.

Spam data is captured through the Symantec probe network, a system of more than 2.5 million decoy email accounts, Symantec MessageLabs™ Intelligence, and other Symantec technologies in more than 86 countries from around the globe. Over 8 billion email messages, as well as over 1 billion Web requests, are scanned per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.

These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam.

An important note about these statistics

The statistics discussed in this document are based on attacks against an extensive sample of Symantec customers. The attack activity was detected by the Symantec Global Intelligence Network, which includes Symantec Managed Security Services and Symantec DeepSight Threat Management System, both of which use automated systems to map the IP address of the attacking system to identify the country in which it is located. However, because attackers frequently use compromised systems situated around the world to launch attacks remotely, the location of the attacking system may differ from the location of the attacker.

Highlights • The United States was the top country for malicious activity during this period, accounting for 18 percent of the global total. • Credit card information was the most commonly advertised item for sale on underground economy servers known to Symantec, accounting for 18 percent of all goods and services during this period. • The top Web-based attack for the quarter was related to malicious Adobe® Acrobat® PDF activity, which accounted for 47 percent of the total. • Symantec created 921,143 new malicious code signatures during this quarter. • The most common malicious code sample by potential infections during this quarter was the Sality worm. • The majority of brands used in phishing attacks this quarter was in the financial sector, accounting for 73 percent of the total.

1 Symantec Intelligence Quarterly October - December, 2009

Metrics

Malicious activity by country This metric will assess the countries in which the highest amount of malicious activity took place or originated. Rankings are determined by calculating the average of the proportion of malicious activity that originated in each country.

The United States was the top ranked country for malicious activity this quarter, accounting for 18 percent of the total (table 1). Within specific category measurements, the United States ranked first by a large margin in malicious code, phishing website hosts, and attack origin.

Table 1. Malicious activity by country/region Source: Symantec Corporation

Brazil had the second highest amount of overall worldwide malicious activity this quarter, accounting for seven percent of the total. Within specific category measurements, Brazil ranked first in spam zombies by a significantly large margin.

Top Web-based attacks This metric will assess the top distinct Web-based attacks that originate from either compromised legitimate sites or malicious sites that have been created to intentionally target Web users.

In this quarter, the top Web-based attack was related to malicious Adobe Acrobat PDF activity, which accounted for 47 percent of Web-based attacks (table 2). Attempts to download suspicious PDF documents were specifically observed. This may indicate attempts by attackers to distribute malicious PDF content to victims via the Web. The attack is not directly related to a specific vulnerability, although the contents of the malicious file would be designed to exploit an arbitrary vulnerability in an application that processes it, such as Adobe Acrobat Reader®. This attack may be popular due to the common use and distribution of PDF documents on the Web, and to the practice of configuring browsers to automatically render PDF documents by default.

2 Symantec Intelligence Quarterly October - December, 2009

Table 2. Top Web-based attacks Source: Symantec

The second most common Web-based attack this quarter was associated with the Microsoft Internet Explorer

ADODB.Stream Object File Installation Weakness,1 which accounted for 26 percent of the total globally. The weakness allows attackers to install malicious files on vulnerable computers when users visit websites hosting an exploit. To carry out this attack, an attacker must exploit another vulnerability that bypasses Internet Explorer security settings, allowing the attacker to execute malicious files installed by the initial security weakness. This issue was published on August 23, 2003, and fixes have been available since July 2, 2004. The continued popularity of this Web-based attack may indicate that many computers running Internet Explorer have not been patched or updated and are running with this exposed weakness.

Underground economy servers—goods and services available for sale Underground economy servers are online black market forums for the promotion and trade of stolen information and services. This section discusses the most frequently observed items advertised for sale on these servers.

In this quarter, the most frequently advertised item observed on underground economy servers was credit card information, accounting for 18 percent of all goods (table 3). Prices for credit card information ranged from $1 to $100 depending on the type of card, the country of origin and the amount of bundled personal information used for card holder

verification.2 Bulk purchases were advertised as being available, but Symantec did not observe any rate-to-volume prices this quarter.

1-http://www.securityfocus.com/bid/10514 2-http://www.securityfocus.com/bid/10514

3 Symantec Intelligence Quarterly October - December, 2009

Table 3. Goods and services for sale on underground economy servers Source: Symantec

The second most commonly advertised good on underground economy servers during this quarter was bank account credentials, accounting for 13 percent of all advertised goods. The advertised price for bank account credentials ranged from $2 to $1000, depending on the amount of funds available and the type of account. The average advertised bank account balance this quarter was $50,000. Symantec observed one account with a purported balance between $75,000 and $450,000 being advertised for sale for $300.

Top malicious code samples The most common malicious code sample measured by potential infections during this quarter was the Sality worm (table

4).3 This worm infects executable files on compromised computers and removes security applications and services. Once the worm is installed it also attempts to download and install additional threats onto infected computers.

Table 4. Top malicious code samples Source: Symantec

3-http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99

4 Symantec Intelligence Quarterly October - December, 2009

The second ranked malicious code sample for potential infections during this quarter was SillyFDC.4 This worm propagates by copying itself to any removable media devices attached to the compromised computer. As with Sality, this worm also attempts to download and install additional threats once it is installed on a computer.

Top phishing sectors The majority of brands used in phishing attacks this quarter were in the financial services sector, accounting for 73 percent of the total (table 5). The financial sector is commonly the largest sector targeted in phishing attacks because the various associated services are the most likely to yield data that could be directly used for financial gain. Many phishing attacks that spoof financial services brands will prompt users to enter credit card information or banking credentials into fraudulent sites. If this succeeds, the phishers can then capture and sell such information in the underground economy.

Table 5. Top phishing sectors

Source: Symantec

The second largest percentage of brands used in phishing attacks in this quarter was in the ISP sector, which accounted for 11 percent of the total number of phishing attacks detected. ISP accounts can be valuable to phishers as they may contain email accounts, Web-hosting space, and authentication credentials.

Internationalizing top-level domain names The Internet Corporation for Assigned Names and Numbers (ICANN), the organization responsible for overseeing the Internet’s naming and numbering systems, recently announced details of a process to assign internationalized top-level

domains.5 Touted as one of the most significant advances to the Internet since its inception, this change allows users from

4-http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2006-071111-0646-99 5-http://tools.ietf.org/html/rfc3492

5 Symantec Intelligence Quarterly October - December, 2009

around the world use their own local languages and scripts to navigate the Internet. This decision is expected to have wide-ranging repercussions, with new advancements expected in sectors such as online education and business services in new languages and new markets. This article looks at how non-Latin characters can be used to navigate the Internet and some potential challenges of the new rules.

What is an Internationalized Top-level domain? The Domain Name System (DNS) is used to translate the familiar labels of the Internet (the domain names that are easier for people to comprehend, such as www.example.com) into numerical IP addresses (e.g. 192.168.0.1) that computers understand. DNS uses a hierarchical structure with the top reserved for top-level domains (TLDs) such as .com and .org, or country-code top-level domains (ccTLDs) such as .uk and .ca. An early limitation of DNS was that it restricted domains to a

subset of ASCII code that included only the letters a-z, digits 0-9, and the hyphen '-' character.6 In contrast, an internationalized TLD is a top-level domain that can use a wide range of characters beyond the original, limited Latin/ which transliterates from) رصم ASCII set. For example, the first request to ICANN for an internationalized TLD was for

Arabic as .masr or .misr and means “Egypt”).7

How are internationalized top-level domains converted? DNS understands only the letter, digit, hyphen (LDH) subset of ASCII characters, but there are thousands of characters not represented by ASCII that are in common use throughout the world, such as characters of other widely used languages (e.g., Arabic, Cyrillic, etc.). Because these characters are now permitted in internationalized TLDs, DNS needs some way to

convert them into ASCII. This conversion process involves two other standards, Unicode8 and Punycode.9 Internationalized TLDs are represented by Unicode code points and these points are then converted to ASCII using Punycode.

What is Unicode? Unicode is a standard for defining universal character encoding put in place by the Unicode Consortium. Unlike ASCII encoding, which is limited to one byte, Unicode can be represented by up to four bytes. Unicode currently covers in excess of 107,000 characters from 90 scripts. It has become the de facto standard for encoding characters, and has been implemented in many common computing technologies, including XML, Java, Microsoft's .NET Framework, and most modern operating systems. Unicode defines a range of up to 1,114,112 code points. A Unicode code point is written as “U+” followed by the character's assigned hexadecimal number. For example, “A” (in Unicode-speak, LATIN CAPITAL LETTER A) is U+0041.

What is Punycode? Punycode is designed to help convert the Unicode representation of a character to an ASCII code representation understood by DNS. Punycode is an implementation of an encoding algorithm, called Bootstring, and has two basic functions: “ToASCII” and “ToUnicode.” A string that has been converted with Punycode will be prepended with the reserved string “xn--“ and then followed by the ASCII representation that the algorithm constructs. For example, the .test ”.to “xn--kgbechtv رابتخإ domain (reserved for testing by ICANN) in Arabic expands from

6-http://securityfocus.com/bid/12461 7-http://www.securityfocus.com/bid/36982 8-http://www.securityfocus.com/bid/35799 9-http://en.allexperts.com/e/i/id/idn_homograph_attack.htm

6 Symantec Intelligence Quarterly October - December, 2009

Implications of internationalized top-level domains Unicode and Punycode conversions add extra layers of complexity when a domain name is converted—first to its Unicode representation, then with the Punycode ToASCII function into its ASCII representation—so that DNS can map out the correct IP address. As the process becomes more complex, security implications have emerged in how operating systems and applications implement these technologies. For example, in 2005, a security issue was reported in multiple Web

browsers relating to Punycode and Unicode IDN representations.10 In another example, a buffer-overflow vulnerability in the Unicode library of Apple® Mac® OS X was discovered that allows an attacker to run arbitrary code when a user

downloads or views specially crafted data.11 Other errors may occur within specific applications, such as a parsing problem in Microsoft Internet Explorer that will cause a crash if an unsuspecting user visits a specially crafted website.12

Another problem with Unicode is simple human fallibility, rather than a specific application or operating system error. For example, allowing internationalized TLDs significantly expands the potential for homograph spoofing attacks (in which one character is substituted for a different, similar-looking one). For example in www.bankexample.com, the Unicode “a” (U+0061 LATIN SMALL LETTER A) might be replaced with the virtually identical Cyrillic “a” (U+0430 CYRILLIC SMALL LETTER A).13 These subtleties could easily fool an inattentive or unaware user and are being increasingly used by attackers to fool unsuspecting users into visiting malicious phishing websites. Similarly, punctuation control characters within the URI can be spoofed with other look-alike characters. For example, a vulnerability was discovered where a browser was unable to parse the display of different characters resembling the forward slash (“/”).14

ICANN refers to these kinds of easily-spoofed characters as “variant characters” and work is ongoing on how best to deal with them. One current proposal is to identify variant forms of the base request and classify them as desired or undesired.15 Undesired forms would then be permanently blocked and never assigned. This is a daunting undertaking at best; with there being well over a million potential Unicode code points and 107,000 unique characters to consider, potential variant characters could easily be overlooked until after an attacker has successfully launched a spoofing attack. An additional proposal under ICANN consideration is some sort of system to automatically delegate variant top-level domains; this may not be a feasible option either, since many corporations and organizations already purchase homographic and typographic domains as preventative measures against phishing attacks and it may appear unfair to automatically delegate the variant domains in internationalized TLDs when this has not been the practice in the past.

Another significant implication of internationalized TLDs may be that, along with having a significantly expanded range of domain name variations to exploit, attackers may have a significantly expanded target pool because of the expected influx of a large number of new and potentially unaware Internet users (who previously may have been restricted from using the Internet due to language and script barriers). New computer users are often less informed than experienced users on the dangers of phishing, identity theft, and malware, and Symantec expects a corollary increase in regionalized attacks because of this.

While it has been a long time coming, internationalizing the Internet is finally a reality. Overcoming the technical challenges involved in implementation is an ongoing process, but the challenges have been identified and solutions are being put in place. Users should defend themselves at all times as much as possible against these challenges.

10-http://securityfocus.com/bid/33837 11-http://www.icann.org/en/announcements/announcement-2-03dec09-en.htm

7 Symantec Intelligence Quarterly October - December, 2009

Banking Trojans The rise of the Internet has transformed business sectors such as banking and finance. For example, once novelties, online banking and other online financial transactions are now common. With this evolution, though, has come a concurrent expansion of online criminal activities such as theft and fraud; attackers have developed sophisticated malicious programs to steal sensitive information such as online banking credentials and credit card numbers. While instances of banking malware have been observed in the wild for many years, Symantec has observed a significant increase recently in the sophistication of these programs.

As is the trend with many malicious applications, such applications targeting the banking and financial sectors are

increasingly being spread through the Web via means such as social engineering attacks or drive-by-downloads.12 As is also typical of many such malicious applications, once installed on affected computers, banking malware is usually controlled remotely by attackers through command-and-control (C&C) servers that provide the programs with ongoing instructions. Along with stealing funds by compromising online banking and other financial transactions, attackers can also use these programs to collect other sensitive personal information from victims that may subsequently be sold in the underground economy.

Banking malware frequently includes complex functionality to avoid being detected by the user or security solutions, such as antivirus software or firewall protections. Attackers are also now employing obfuscation techniques such as mule accounts to further elude discovery and to enable the transfer of funds internationally. Fraudsters pay third parties a fee to create these mule accounts, which they then use as a staging account to launder the money stolen from victims’ accounts.

What follows is an analysis of two sophisticated malicious programs designed to target online banking.

Trojan.Clampi

Clampi13 is a Trojan that attempts to steal online banking authentication credentials. It has been linked to groups based in Eastern Europe, and appears to mostly target victims in English-speaking countries, with the United States, the United

Kingdom, Canada, and New Zealand being among the top affected countries.14 In addition to stealing online credentials, the program steals other sensitive and private information, such as locally stored authentication credentials and software licenses associated with various applications. Along with being continuously improved by malicious code developers since

it was first identified in 2005, a significant rise in the number of Clampi variants has been observed since 2008.15

Typically, Clampi infects computers through drive-by downloads. Once installed, it contacts its C&C servers through the HTTP protocol to obtain additional modules in the form of DLL files. This modular functionality facilitates various features of Clampi, including the collection and transfer of sensitive information such as authentication credentials and financial data, as well as enabling Clampi to further propagate itself through remotely accessible shared drives on the network.

Two of the modules that Clampi uses to gather credentials from online banking and financial accounts are called “logger”16

and “loggerext”.17 The logger module injects code into Microsoft Internet Explorer and hooks application programming

12-http://www.symantec.com/security_response/writeup.jsp?docid=2009-100110-3032-99 13-http://www.finjan.com/MCRCblog.aspx?EntryId=2345 14-http://www.rsa.com/blog/blog_entry.aspx?id=1530 15-http://www.finjan.com/MCRCblog.aspx?EntryId=2345 16-Identified affected browsers include Microsoft Internet Explorer, Mozilla Firefox and other Mozilla-based browsers, MyIE, Avant, and Maxthon; please see http://www.finjan.com/MCRCblog.aspx?EntryId=2345 17-One-time password protection means that a user gets a new password on every login.

8 Symantec Intelligence Quarterly October - December, 2009

interfaces (APIs) used by the browser to open websites.18 When a user visits a website, the malware compares the site’s address entered in the browser with a list of site addresses shipped with Clampi and stored locally on the computer in a data file. If a match is found, data sent to the site by a user will also be sent to Clampi’s C&C servers. Through this technique, the malware is able to steal any authentication credentials or other sensitive data that the user sends.

The loggerext module is used to defeat enhanced security measures employed by some sites. This includes sites that use client-side JavaScript to process user information, such as hashing authentication credentials prior to transferring them over a network.23 In order to defeat this protection, an attacker must either install a keystroke logging application or else intercept user credentials on an affected computer before they are processed by client-side JavaScript. Clampi uses the second approach by hooking into JavaScript code routines that process user credentials. To monitor domains using hashing authentication credentials, loggerext matches addresses to those in a locally stored file in a similar fashion to the logger module. Once a match is found, the Trojan replaces that site’s JavaScript code in targeted pages with malicious JavaScript code of its own. This allows the Trojan to intercept and steal a user’s password before a password hash is created and sent to the site. Clampi stores the original JavaScript code and puts it back in place of the malicious code after the credentials have been obtained. The module then calls the original JavaScript routines to make it appear that user authentication to the visited site is occurring as expected without raising any suspicion. Symantec research indicates that most of the domains monitored by Clampi are based in the Unites States and include sites belonging to financial institutions and online payment companies.24

Two other modules used by Clampi are called “prot” and “accounts”.25 These are used to steal locally stored authentication credentials and other information. The prot module steals information for Microsoft Windows Protective Storage (PStore), which is used to store credentials by various Microsoft applications such as Internet Explorer, Outlook® and others. This module is also used to steal registration information and software licenses belonging to other applications on the system. The accounts module uses a commercial password recovery application to collect passwords from sources other than PStore and the Windows registry.26

Clampi is a multipurpose and complex example of a banking Trojan. The application includes various protective features that are designed to complicate analysis and obfuscate its activities. The malware is also able to bypass most local firewalls because it communicates over TCP port 80, which most networks set as open for HTTP communications.27 It also encrypts data using the Blowfish28 symmetric block cipher prior to sending it to a C&C server.29 This conceals information in data transfers from being disclosed to third parties or data-loss-prevention (DLP) solutions. Furthermore, to protect its modules and executable functions, Clampi is designed to use a commercially-available tool called VMProtect, which compresses and virtualizes code and significantly increases the difficulty of white-box analysis.30

With its sophistication, versatility, and complexity, Clampi demonstrates the progression of banking Trojans. Clampi represents the evolution of the financial threat landscape and confirms that attackers are using increasingly advanced techniques in order to not only steal money, but to protect their malicious applications and hide their activities.

Trojan.Kissderfrom First discovered in October 2009, Kissderfrom31 is designed to access online bank accounts and then transfer any funds to accounts controlled by the attacker via mule accounts. Also known as URLZone, Kissderfrom was initially developed to target German bank accounts. It is considered a noteworthy banking Trojan because of the innovative measures it uses to

18-

9 Symantec Intelligence Quarterly October - December, 2009

conceal its activities from users. This includes forging users’ bank statements, as well as its innovative means of thwarting detection and analysis, including ensuring that any funds taken from a victim’s account do not exceed the transactional or daily limits often imposed by banks to ensure that no alarms are triggered.

Kissderfrom spreads by using a toolkit named LuckySploit. This toolkit works by compromising websites and then installing exploits that subsequently download and install the Trojan.32 The compromised computer then becomes part of a bot network controlled by the attacker. Kissderfrom is also designed to detect the legitimacy of the bot using a unique identification number provided by its C&C servers. This ensures that the Trojan instance is legitimate and is not one installed by a security researcher for testing or analysis. If an instance is found to be foreign (i.e., run by a security researcher), the funds are transferred from the infected machine to fake mule accounts. This prevents the actual mule accounts from being exposed, and also keeps them from being blocked by banking and financial organizations. More than 400 mule accounts have been observed being used in this manner, and this is the first time that a banking Trojan has been observed to be using this technique.33

After successfully being installed on a victim’s computer, Kissderfrom injects itself into the “svchost.exe” process and then sets up a continuous contact schedule with its parent C&C server.34 The bot is dependent on the C&C server for its encrypted configuration files. These configuration files contain details of the banking sites to be monitored, along with other information.

Once on a computer, Kissderfrom monitors the system to see if a process associated with certain browser applications has been executed.35 If an instance of one of these affected browsers is run, the malicious program then decrypts the configuration file, hooks into the application, and captures the first 2000 bytes sent by the user through HTTP POST requests. The data being sent by the user would contain account authentication details, which can then be used by the program for future transactions. The Trojan hooks into the process exactly at the point when a user confirms a transaction and modifies requested transaction information according to the account and fund details provided in the configuration file. This facilitates an interesting feature of the malware, where it modifies the transaction details in HTML pages of the account statement sent by the server to the user. This effectively hides the Trojan’s malicious banking transactions from the user, who only sees what appear to be the expected transactions and is unaware of any malicious activity. The only way to see the malicious transactions would be to view the account statement from a clean system.

Kissderfrom is another example of the high level of sophistication being included in the latest banking Trojans. Reports indicate that it may even be capable of bypassing the one-time password protection commonly used by some banks and financial institutions because it works inside the browser to hook APIs in order to intercept and modify information after the user has authenticated and supplied the password.36 In the future, such Trojans may evolve to encompass even more robust features and evasion techniques for financial theft and fraud.

Conclusion Banking Trojans have become an essential element of the underground economy. The progression and development of banking Trojans coincides with the evolution of the underground economy and with advancements in the security mechanisms of financial institutions to combat such threats. As banking sites deploy improved technologies to protect their assets and customers, attackers are also deploying increasingly intricate attack methods combined with sophisticated applications to defeat countermeasures and steal funds. The two examples described here demonstrate that

10 Symantec Intelligence Quarterly October - December, 2009

theft and fraud are increasingly being automated and that attackers are employing various methods to protect their applications and obfuscate their activities. It also appears that attackers often carry out these attacks against targeted regions and countries in order to maximize their returns. Finally, the sophistication of banking malware indicates that a significant amount of investment has gone into the development of these programs, which indicates that they continue to be successful malicious tools and financially rewarding for attackers.

11 Symantec Intelligence Quarterly October - December, 2009

Appendix A—Contributors

Marc Fossi Dean Turner Executive Editor Director, Global Intelligence Network Manager, Development Security Technology and Response Security Technology and Response

Téo Adams Greg Ahmad Threat Analyst Threat Analyst Security Technology and Response Security Technology and Response

Joseph Blackbird Brent Graveland Threat Analyst Threat Analyst Security Technology and Response Security Technology and Response

Eric Johnson Trevor Mack Editor Editor Security Technology and Response Security Technology and ResponseT

Debbie Mazurek John Ostrander Threat Analyst Editor Security Technology and Response Security Technology and Response

Chintan Trivedi Threat Analyst Security Technology and Response

12

About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

Copyright © 2010 Symantec Corporation. All rights For specific country offices Symantec World Headquarters reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec and contact numbers, please 350 Ellis St. Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. visit our website. Mountain View, CA 94043 USA NO WARRANTY. The information in this document is being delivered to you AS-IS and Symantec +1 (650) 527 8000 Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. This document may include 1 (800) 721 3934 technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes www.symantec.com without prior notice. 1/2010 20949850