Friday, April 18, 2008

Feeling safe on the Internet? You shouldn't. Abilities of modern adware and how to protect yourself.



Here is a document (PDF) covering the profits of computer-related crimes and the tricks that modern adware uses to achieve them. I read it as a horror book. The emotions I got from this document were comparable to the emotions you get from a horror dream or a very good horror movie/novel. Really. I felt a really strong urge to refrain from using Windows at all. Though even while using Linux, I wouldn't feel absolutely safe after this article. Read this about the newly found vulnerability in Flash Player. If you're really good (like I am ;) you can be sure of the code you write, but you can't feel safe about millions of lines of code from different vendors, even if they are trying their best.
If you're not a security geek, you can skip the article. Still, you can check the end of the article for tips on how to protect yourself.

Following are my excerpts from the document. I wanted to make just a few clips, but the list got really big. My comments are in red.

“CVV for $1, CVV with SSN for $10, bank account $50, …”

— advertising on one of the sites

...Random 1% of the botnet fires up and spams like crazy for a
few minutes, then shuts down; another 1% fires up and
spams…

...China has 30 – 50,000 Internet police in 700 cities… who carefully investigate dangerous threats like pro-democracy web pages

...Google claims that about 10% of clicks are fraudulent,
representing ~$1Billion in billings for just Google alone

...In late ’04 bot-nets were growing at 30,000 machines per day. Peak rate was 75,000 [infected machines] per day during the MyDoom/Bagle virus group wars

...Variant: DDoS the blacklists while your spam is going out: Half the botnet spams, the other half ensures that the spam gets through.

Cost of a compromised system
• Cisco router: US$5
• Unix box: US$1-5
– Can easily turn a Unix box into a router using built-in tools
• Windows box: Too cheap to meter


IRC-based botnet

• IRC links may be encrypted (SSL)
• Communications may be over covert channels
– DNS TXT records
– HTTP

P2P-based botnet

• More damage-resistant than centralised IRC control
• Evolution follows that of file-sharing networks
• Centralised IRC-based system allows direct control, but
provides a single point of failure → mitigate via IRC bouncers
• Mitigate even further via completely decentralised control

...This use of P2P network information distribution protocols
makes the botnet almost totally independent of
centralised systems like DNS


Storm itself is highly adaptive
The Storm network has a team of very smart people behind it.
They change it constantly. When the attacks against [Overnet]
searching started to be successful, they completely changed
how commands are distributed in the network. If AV adapts,
they re-adapt. If attacks by researchers adapt, they re-adapt.
If someone tries to DoS their distribution system, they DoS
back.
— Brandon Enright, UCSD

MyDoom infected ca. 1,000,000 PCs (F-Secure)

...Botnet of 10K hosts each visit a pay-per-click site. Site records visits from 10K unique IP addresses and pays for each click.

...Modify anti-virus software to propagate the virus
(Varicella)

...Use error-correcting codes to repair the virus body if any
portion is patched out (RDA Fighter)

...Registers itself as a critical system process so it always gets
loaded, even in Safe Mode (CoolWebSearch, HuntBar, VX2)

Remove competing malware from the system. SpamThru includes a pirated copy of Kaspersky Antivirus to eliminate the competition
^^^^^ This one made me laugh


...In mid-2007 the authors of Storm and Mpack briefly turned their malware on each other in retaliation for the other side removing the malware from their machines


...Use form grabbing to bypass alternative input methods (e.g. virtual keyboards) (Haxdoor, Goldun, Metafisher, Snatch, BankAsh, Torpig, PWS.Banker, …)
• Hook functions like HttpSendRequestW() to intercept POST requests

...BroadcastPC malware installs 65MB (!!) of .NET framework without the user being made aware of this.

...Causes attempts to terminate it by AV software to terminate the AV program instead — done by swapping the handles of the rootkit and the AV program

...Use NT native API to create registry entry names that the Win32 API can’t process

...Won’t run if the system contains SoftICE, Filemon, Regmon, Visual Studio, Ethereal, … (Numerous)

...Change scanners’ abilities to view memory by hooking the virtual memory manager (Shadow Walker)

...Tricks with processor features (AMD64 memory-type range registers) can even defeat hardware-based monitoring

...Virus needs to brute-force break its own encryption, making detection even harder

...Zmist virus requires 2M code cycles to detect reliably
– Emulated x86 may multiply this by a factor of 100
– Then multiply again by x0,000 files on a system
Virii using techniques like this are effectively undetectable

The most popular brands of antivirus on the market […] have
an 80 percent miss rate. That is not a detection rate that is a
miss rate. So if you are running these pieces of software,
eight out of 10 pieces of malicious code are going to get in

— Graham Ingram, General Manager, AusCERT

...Used in one attack to redirect visitors to cnn.com and msn.com to spyware sites

...(Fake) windowsupdate.com: Your system is up to date and doesn’t need any security fixes

Information security by carriers to protect customer records is
practically nonexistent and is routinely defeated

— Robert Douglas, privacy consultant

Uses OLE automation to spoof the user’s actions
• Uses the IConnectionPointContainer OLE object to
register event sinks for the IWebBrowser2 interface
• Checks for accesses to e-gold.com
• After user has logged on, uses
IWebBrowser2::Navigate to copy the account balance
window to a second, hidden window
• Uses IHTMLInputHiddenElement::get_value to
obtain account balance
• Uses OLE to set Payee_Account and Amount
• Uses IHTMLElement::click to submit the form
• Waits for the verification page and again submits the form

^^^^^ Ever noticed that sometimes your captchas don't work on the first attempt? What if you have just solved a captcha to register a spammer's account? And what if you have just solved a captcha to send a couple of bucks to some Chinese "friends"?



Prices for a CD or DVD of stolen data in Gorbushka
market, Moscow
• Cash transfer records from Russia’s central bank: $1,500
• Tax records, including home addresses and incomes: $215
• Mobile phone company’s list of subscribers: $43
• Name, birthday, passport number, address, phone number,
vehicle description, and VIN for every driver in Moscow: $100

Conclusion: You are not secure on the Internet


What Should I Do? (Non-geeks)


Put your head between your legs and kiss …

What Should I Do? (Geeks)


  1. Disable all Windows networking and RPC services (about 2/3 of all Windows services)
    • No noticeable effect on system usability
    • Closes all ports
    • Total Windows kernel memory usage should be ~100MB
    • Need to hack the registry and other obscure things

  2. Browse the web from a browser running on a locked-down Unix box with ‘nobody’ privileges
    • Use a graphic-image-only forwarding protocol to view the result under Windows
    • Use NoScript (or equivalent) set to maximum blocking

  3. Read mail on a locked-down Unix box using a text-only client that doesn’t understand MIME

  4. Run all Internet-facing programs (Word, etc.) under DropMyRights as ‘Guest’ or (standard, non-Power) ‘User’
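As an added check for tip 1 (my own example, not from the blog post or the quoted PDF): a PowerShell audit that lists every listening TCP/UDP endpoint together with the process and the Windows services hosted in it, so the "closes all ports" goal can be verified before and after services are disabled. It assumes an elevated session on Windows 8 / Server 2012 or later, where the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets exist.

```powershell
# Added audit example: which processes and services still listen on the network?
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

# Map each process ID to the service names hosted in that process.
# Several services usually share one svchost.exe, so one PID can carry many names.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
    $key = [uint32]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $svc.Name
}

# Build one report row for a bound endpoint: protocol, address, port, owner.
function Describe-Listener($proto, $localAddr, $localPort, $procId) {
    $key = [uint32]$procId
    $procName = try { (Get-Process -Id $procId -ErrorAction Stop).ProcessName } catch { 'unknown' }
    $svcNames = if ($servicesByPid.ContainsKey($key)) { $servicesByPid[$key] -join ',' } else { '-' }
    [pscustomobject]@{
        Proto = $proto; Address = $localAddr; Port = $localPort
        PID = $procId; Process = $procName; Services = $svcNames
    }
}

$listeners = @()
# TCP: only sockets in the LISTEN state accept new connections.
foreach ($c in Get-NetTCPConnection -State Listen) {
    $listeners += Describe-Listener 'TCP' $c.LocalAddress $c.LocalPort $c.OwningProcess
}
# UDP has no listen state: every bound endpoint can receive datagrams.
foreach ($u in Get-NetUDPEndpoint) {
    $listeners += Describe-Listener 'UDP' $u.LocalAddress $u.LocalPort $u.OwningProcess
}

# Loopback-only bindings are not reachable from the network; everything else is exposed.
$exposed = $listeners | Where-Object { $_.Address -notin @('127.0.0.1', '::1') }
$listeners | Sort-Object Proto, Port | Format-Table -AutoSize
"Endpoints reachable from the network: $($exposed.Count)"
```

Run it once before disabling services and once after; the Services column tells you which service to stop for each remaining port, and the final count should drop to zero if the "closes all ports" goal was reached.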