Malware Outlook: Stormy
Last fall saw the takedown of Atrivo/Intercage and McColo Hosting Solutions, two known hosts of botnets. Botnets are the most pervasive method being used today for sending spam campaigns. According to the whitepaper FireEye: Taking the Botnet Threat Seriously, “A botnet is comprised of a collection of machines that have been infiltrated by functionality that can be automated and controlled remotely by an attacker.
The attack traces its roots to automated Internet Relay Chat (IRC) agents known as bots (short for robots), easily available and easily deployed, and originally intended to extend and automate the management of IRC networks. The remote control capabilities of bots enable them to be leveraged in a coordinated manner to unleash attacks against networks, as well as targeted, stealthy attacks on specific servers via agents managed remotely from a command-and-control (C&C) center operated by one or more attackers (hence botnet).” Because a typical spam campaign includes millions of email messages, botnets are employed instead of conventional email servers. According to FireEye, 11 percent of the world’s computers are enmeshed in at least one botnet.
When McColo Hosting Solutions was disconnected in November, spam levels dropped significantly. Spamcop.net, a spam watch-dog group, noted a decline from about 40 spam emails per second to around 10 per second. Trend Micro speculated that McColo was accountable for anywhere from 50 to 75 percent of all spam activity “on the planet”. As predicted by industry experts, however, it has been a short-lived victory; spam has resumed to pre-take down levels. “STORM is definitely still out there,” says Jamz Yaneza, threat research manager at Trend Micro, Inc. “It has been broken down in chunks. The disbandment wasn’t in my opinion the result of pressure on it but mainly because it is an old botnet. Now we are seeing the rise of a new type of botnet.” Yaneza comments that the techniques used in STORM (for example Fast-Flux and Double-Flux) have not gone away. “They have been borrowed by different kinds of botnets and the backend networks have been sold in the underground piece by piece,” he explains. “There is a whole criminal underground here. The bad guys even have incorporated tech support in terms of their botnets, and their phish kits. That surprised me and it’s also really scary. They have a whole software lifecycle.”
While McColo was located in San Jose, Calif. and offered “IT services for any customer, starting from individuals to large companies and corporations” and boasted of using “only certified equipment providers, such as Cisco, IBM, Intel, and Supermicro” the company did not have a good reputation. “Webmasters have been complaining of abuse from McColo sites for years,” says Phillip Lin, director of marketing for FireEye, Inc. “McColo-hosted sites were caught harvesting email addresses from Web sites (to use in spam campaigns). McColo has been linked to Digital Infinity out of Russia.” Unfortunately, persistence and innovation are hallmarks of these messaging ne’er-do-wells. “Reports are that McColo recently changed business names again to ‘World of Hi-Tech Investments LLC’ out of Delaware,” reports Lin.
According to a Messaging Anti-Abuse Working Group (MAAWG) report issued last month, “The percentage of email identified as abusive has oscillated over the last year between 89 percent and 92 percent.” If spam volumes have rebounded, can the McColo take down be considered a success? “I assume that some in U.S. law enforcement were a bit unhappy with the fact that the Washington Post broke the story, because they had wanted to take a slower watch and learn approach,” says Greg Shapiro, VP and chief technology officer for Sendmail, Inc. “Now others know that this is a possibility, and as a result will now spread out, and try to hide more. Former McColo clients are already taking steps to prevent themselves from being detected and centralized in a single IP like that again. So it was good, but in the long-term it may hurt us. We just have to wait and see.”
Lin believes that removing McColo from the Internet should be seen in perspective as the first of many milestones to come that will be necessary to protect the Internet and its users. “Cutting McColo off has shown the world that it is possible (and productive) to fight back against Internet ‘bad actors’, those egregious entities that exist on the Internet only to facilitate cyber crime,” says Lin. “Also, FireEye’s subsequent take down of the massive Srizbi botnet proved that disabling botnets is possible given the right technology and coordination among the Internet’s governing and operating bodies.”
Conficker
But even as the above takedowns were initiated, another worm was spreading through the Internet. The latest variant of this worm, Conficker C, was noticed early last month, and was the subject of much speculation and sensational headlines. The widespread infection of the worm, which targets Microsoft Windows systems through thumb drives, network shares, or directly across the network, caused a media frenzy with the announced discovery of a possible April 1 payload. With many headlines referencing April Fool’s Day and end-of-the-world prophesying, newspapers across the globe prepared PC users for the worst. With the date come and gone, does it mean that we are in the clear? “It’s just as likely that Conficker will receive instructions to do something on April 2nd, or April 14th as it will on April 1st,” wrote Graham Cluley, senior technology consultant for Sophos, Inc. in March. “The emphasis by some media outlets on April 1st is really unfortunate. In fact, in my own experience, it has been some of the newspapers and media organizations who have been guilty of dreaming up apocalyptic headlines and the security vendors who have been pouring the cold water.”
Because Conficker exploits several weaknesses in Microsoft’s Windows operating system, Microsoft has offered a $250,000 USD reward for information leading to the arrest of those responsible. The actual number of infected systems is still in debate, as published numbers range from at least 3 million to 12 million or more. The number is hard to determine, partly because many machines have been disinfected. Many messaging security vendors offered free tools to verify the presence of a Conficker infection and its removal. Lin acknowledges that part of the success in managing Conficker is due to the industry’s earlier efforts. “FireEye’s success in taking down McColo and Srizbi (coupled with the subsequent media coverage) jumpstarted a movement among Internet groups to put processes in place to quickly deal with massive cyber crime and malware outbreaks,” he says. “The recent anti-Conficker actions taken by gTLD and ccTLD registrars is one of the great outcomes from the McColo and Srizbi botnet takedown.”
Botnets Profitable
The real driver behind botnets and malware is profit. “Most of the malware being released these days are to help spammers get their products sold,” observes Shapiro. “The model in the spamming world is either through selling your own wares or through a partnership where you get some type of royalty or fixed percentage of the sales through another seller.” Shapiro goes on to talk of a paper titled Spamalytics: An Empirical Analysis of Spam Marketing Conversion by Enright, Kanich, Kreibich, Levchenko, Paxson, Savage and Voelker that explored the “conversion rate” of spam—the probability that an unsolicited email will ultimately elicit a “sale”. Write the authors, “This underlies the entire spam value proposition. In this paper we present a methodology for measuring the conversion rate of spam. Using a parasitic infiltration of an existing botnet’s infrastructure, we analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing online pharmaceuticals. For nearly a half billion spam emails we identify the number that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of ‘sales’ and ‘infections’ produced.” Says Shapiro, “They took over one of the command and control nodes and actually replaced the messages that went out in spam and placed a URL in them so they would point to their own servers for a customer to purchase, and judge the response. This way they knew how many messages got sent and how many came back to the Web site.” He goes on to say how the authors went as far as to clone the Web site so they could get right down to the store to see how many people clicked the buy button. (The authors note that they did not collect any credit card information.) “The results were quite astounding,” continues Shapiro. “For a 26-day period they got 28 purchasers. The average purchase price was $100 ($2,731.88 in total) (USD).
While this doesn’t sound profitable since product and spamming costs need to be accounted for, their study only measured 1.5 percent of the worker bots used by STORM. An estimate of the daily sales would likely be closer to $7000 (USD) or higher as new bots were created by the ‘postcard’ infections. Extrapolated out, that would be about $3.5 million (USD) per year in sales, of which the affiliate could make 10 percent or more. This proves out that spam continues to increase because it is a financially beneficial operation. With numbers like that, why would spammers ever stop?”
This explains why most malware is about trying to get control of computers. “We are only in the early stages of uncovering the true extent of cyber crime and stealth malware infiltrations,” believes Lin. “The botnet problem is really one manifestation of the ‘stealth malware’ pandemic. Most malware typically features two-way communications that are used to build botnets.” Lin says that today’s stealth malware is so sophisticated that it can:
- bypass traditional security like anti-virus and anti-spam
- download subsequent malware payloads after the initial infection
- remain invisible in the file system and hide from task manager process list
- reinstall itself if components are removed
- disable security updates and cripple endpoint security
- apply the latest security patches to prevent other malware from infecting the PC
“Progress has certainly been made in detecting stealth malware and shutting down botnets, but on the horizon looms an escalation of cyber crime tactics as more sophisticated stealth malware is created and schemes executed to maintain the profits that cyber criminals enjoy today,” he says. “Take the recent example of McColo and Srizbi. From the ashes of the Srizbi botnet has come Xarvester, Rustock, Grum, Cimbot, and numerous other botnets picking up where Srizbi left off, at least in terms of spam distribution.”
Is It Dangerous?
With all the excitement that Conficker conjecture generated, were we actually in danger? Is spam dangerous or just highly annoying and expensive to combat? “It is more than an annoyance, but I would not call it a danger,” responds Shapiro. “No one is losing their lives from spam. No CEO is being called in front of congress and getting their name on the front page because of spam. Usually that is another problem, like data leakage or other exposure. Spam is more than an annoyance, but only so far as taking up people’s time and taking up budgets for handling the spam problem. There is some financial loss for people who may fall prey to a phishing scam. Worst case in spam someone buys a $100 (USD) product and it doesn’t do what it is supposed to do.”
What does an organization that is constantly battling spam think? Jonathan McCormack, chief operating officer of Intermedia.NET, a provider of enterprise-strength hosted Microsoft Exchange to small and mid-sized businesses (SMBs), rates spam in the annoyance category. “Most spam is a solicitation, not an active attack, and thus causes more damage in lost productivity than anything else.” However, he does add that this does not mean that there is nothing to really worry about. “I have a healthy paranoia. These people are extremely intelligent, well-organized, and very motivated.” He does classify phishing as a danger. “This tactic is very effective in getting users to release sensitive corporate data.”
There is another clear danger: ransomware. “Ransomware is one of several techniques used by cyber criminals to monetize infected PC’s. It can be quite successful, and is typically used in the last stages of the malware infection lifecycle,” discloses Lin. “Cyber criminals initially focus their monetizing efforts on under-the-radar data thefts (as in customer/patient identity theft, compromising credentials for deeper network access, credit cards, etc.) Their goal is to get in and get out data unnoticed. As the monetization continues, cyber criminals begin to use the malware infections in more conspicuous ways, such as forming a botnet to deliver spam and perpetrate DDoS (distributed denial of service) attacks. For consumers infected with malware, one late stage activity is to encrypt and lock users out of their own files, and forcing them to pay ransom to get access back into their files. This is one of the last schemes used by cyber criminals since the user now knows something is wrong with the PC and will try to remove the malware infection.”
Some industry insiders are not too concerned about ransomware. “Ransomware is a blip on the radar, and it is not as successful at monetizing endpoints as other malware classes,” states Adam O’Donnell, director of emerging technologies at Cloudmark. “Attackers try it from time to time to see if they will be successful, but frankly, if it were successful, we would be hearing far more anecdotes on ransomware events from our friends and family than we do.”
Others like Lin are taking a more cautious approach, “A current example is the Vundo FileFix Pro ransomware. The FireEye research team recently uncovered a scheme by the Vundo (Trojan malware) where it morphed its scareware tactics to include ransomware. Beyond tricking users into downloading a fake anti-virus program, Vundo now encrypts victim’s files essentially denying access to the files unless the victim pays a fee for a program called FileFix Professional, which decrypts the files.” Lin explains that Vundo’s new ransomware functionality locks the user out of every important file in their “My Documents” folder ranging from Microsoft Office to Adobe PDF files until the victim agrees to pay a $60 (USD) ransom demand.
Social Networks
Another malware trend that warrants monitoring is social networks. Yaneza is concerned with the threats he is seeing. “There have been lots of articles about how good social networking can be as a collaborative tool, which is great. But social networks also give users a false sense of trust. Simply because you know the profile you see online, does not actually translate to that being the actual person you are talking to in the real world. For all you know you could be talking to your dog.”
Profiles are easily forged. For instance, on MySpace a fake profile consists of a spammer-created account that contains links to spam or malware inside the ‘bio/about me’ section of the profile. “The spammer then sends a large number of friend requests to people who in turn look at the profile to see if they should accept the friend request,” explains O’Donnell. “It is at this point that users are exposed to spam.” Cloudmark recently announced that it is working with MySpace to protect users against spam, malware, viruses and phishing attacks. The company says it is the only commercially available solution to combat all categories of social networking abuse, noting that MySpace has implemented several solutions, including Cloudmark Authority, to protect its 130 million active users. According to Cloudmark, MySpace has seen an overall 73 percent reduction in spam, including:
- 82 percent reduction in bulletin spam, spread on bulletin board posts
- 99.5 percent reduction in comment spam, spread in the comment section of another user’s profile
- 85 percent reduction in mail spam, spread via private buddy-to-buddy messages
- 49 percent reduction in profile spam, spread by creating fake profiles to support fraudulent activities
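The profile-spam pattern O’Donnell describes (a freshly created account carrying links in its bio, followed by a burst of friend requests that almost nobody accepts) lends itself to a simple behavioural score. The following is an added example, not Cloudmark’s or MySpace’s code; the `Profile` fields, the thresholds and the sample accounts are all constructed for illustration and do not reflect any platform’s real schema or tuning.

```python
"""Heuristic scoring of social-network profiles for spam-account behaviour.

Added example. The account records, field names and thresholds below are
assumptions made for illustration; they are not any platform's real data.
"""
import re
from dataclasses import dataclass

# Matches http(s):// URLs and bare www. hosts inside free-text bio fields.
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


@dataclass
class Profile:
    user_id: str
    bio: str
    account_age_days: int
    friend_requests_sent: int
    friend_requests_accepted: int


def bio_links(bio: str) -> list[str]:
    """Return every link found in the bio text."""
    return URL_RE.findall(bio)


def score_profile(p: Profile, min_requests: int = 20) -> tuple[int, list[str]]:
    """Score one profile; higher means more spam-like. Returns (score, reasons)."""
    score = 0
    reasons = []

    links = bio_links(p.bio)
    if links:
        score += 2
        reasons.append(f"{len(links)} link(s) in bio")

    # Requests per day of account age. A brand-new account is treated as one
    # day old so the rate is defined and a day-zero burst still stands out.
    age_days = max(p.account_age_days, 1)
    rate = p.friend_requests_sent / age_days
    if p.friend_requests_sent >= min_requests and rate >= 10:
        score += 3
        reasons.append(f"{rate:.0f} friend requests/day")

    # Acceptance ratio only means something once enough requests were sent;
    # low-volume accounts are skipped so a shy newcomer is not penalised.
    if p.friend_requests_sent >= min_requests:
        accept_ratio = p.friend_requests_accepted / p.friend_requests_sent
        if accept_ratio < 0.1:
            score += 2
            reasons.append(f"acceptance ratio {accept_ratio:.2f}")

    return score, reasons


def flag_profiles(profiles: list[Profile], threshold: int = 5) -> list[str]:
    """Return the user_ids whose score meets the review threshold."""
    return [p.user_id for p in profiles if score_profile(p)[0] >= threshold]


# Constructed sample accounts (hostnames use the reserved .invalid TLD).
SAMPLE_PROFILES = [
    Profile("u1001", "Love hiking and photography.", 900, 12, 10),
    Profile("u2002", "Cheap meds here: http://example.invalid/pharma", 2, 450, 9),
    Profile("u3003", "My band's page: www.example.invalid/band", 400, 30, 25),
    Profile("u4004", "", 1, 300, 3),
]

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        s, why = score_profile(p)
        print(f"{p.user_id}: score={s} {'; '.join(why) or 'no signals'}")
    print("flagged for review:", flag_profiles(SAMPLE_PROFILES))
```

Note that a link in the bio alone is not enough to flag an account (the band page in `u3003` scores only 2); it is the combination of the link with the request burst and the near-zero acceptance ratio that pushes `u2002` over the threshold, while `u4004` is caught on behaviour alone. In practice the thresholds would be tuned against labelled data and the score fed to a review queue rather than an automatic ban.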
O’Donnell is not surprised by the attention that social network sites have received from spammers. “Social engineering-driven malware has been a part of the email security threat space for years,” he notes. “Anti-spam and anti-virus filters have pushed down so hard on the problem on the email side that the bad guys are using social networks as the latest channel to push their malware.” O’Donnell also points out how the youngest generation of computer users use social networks as an integrated messaging platform, essentially replacing their need for email. “It only makes sense that the malware writers will target this demographic by pushing their content over social networks.” When asked if over time he anticipates MySpace abusers to change their tactic, O’Donnell says, “I fully expect us to engage in a cat and mouse game with the social networking spammers, with one caveat: if the profit margins for the spammers are small enough, we may be able to wipe them off of MySpace completely with the exception of newcomers experimenting with new spam venues.”
Protection Policies
Of all the threats, McCormack feels that phishing is the hardest to defend against. “There is no substitute for end-user training. If you do not know who a message is from, do not open it. It is important that organizations have an acceptable use policy and conduct end-user training.” He also adds that this is not just a consumer issue. Business email and personal email get intermixed, as people commonly use their business email for personal use.
Shapiro agrees, but has seen an increase in the number of organizations that forbid the use of business email for personal use. “The problem is now people often maintain a separate personal email address, especially with the free providers. The danger is that a lot of people during the course of their work will say, ‘I have to work on this project tonight’ and will send a document to their Yahoo! account to get it home. This means it does not have to go through VPN or any other solution, therefore exposing all the company confidential information to an outside service, probably traveling in the clear. There are a lot of exposures that way. Dual identities are important, and corporations are cracking down on what is happening on their network. Some are banning the use of Facebook during the day, so people are separating out their lives and I am a big proponent of that, but corporations do have to worry about what leaks through personal accounts.”
For Yaneza it comes down to policies. “There has been a lot of talk that says ‘user education is a lost cause, let’s put everything on technology.’ But, we have seen people try to put technology in everything, but it is not working. Social engineering is not solvable by technology alone, it has to come through educating users of the risks of particular online actions. So aside from creating policies for your enterprise, SMB and companies in general, what is required is for everyone to be on the same page.”
It takes a multi-layered approach to stay protected, from the gateway all the way to the desktop. “Besides our protection,” says McCormack, “we tell all companies to run locally on their desktop some sort of anti-virus software protection so that if something does get through, hopefully it can get isolated right away by an end-user. It’s the age-old security in depth. Anything you put in place, they will find a way to get through that hole, but if you put multiple things in place, you put up more blocks.”
While Conficker was a Windows-only concern, Yaneza warns that there has been an increase in attacks directed at Apple Mac and Linux systems. “The bad guys have not lost a beat,” he cautions. “We have seen versions of Windows-specific malware coming into versions of the Mac. Users of all platforms need to be aware. That smugness they had, it is not true anymore and hasn’t been true for the last year.”
With botnet creators wanting to evade further detection of their networks by going even deeper underground, it will take increasing efforts to be rid of them. “Beyond the technological sophistication, effectively taking down massive botnets will require the worldwide cooperation of Internet organizations (like those gTLD and ccTLD registrars), law enforcement, and other public/private entities that form/support the Internet,” concedes Lin. “As far as what lies on the horizon, the more the Internet community looks into botnets and its uses, the more that is uncovered about the extent and variety of cyber criminal activities ranging from spam/DDoS to scareware/ransomware to cyber terrorism/cyber warfare. Cyber criminals will get more aggressive despite the law enforcement and security community response primarily because there are now billions of dollars at stake. Monetizing stealth malware pays. It is easy to do and relatively under-policed.”
Indeed it does not look like those spam clouds are going away anytime soon. “As long as email is as easy and convenient to use as it is today, I do not think spammers will change their ways,” says Shapiro. “If we get to the point where email changes dramatically—like e-postage, which I do not see happening, or some other mechanism that it costs them something more than the pennies they pay today—they will not change their ways as far as messaging goes. They will continue, as well as take advantage of new messaging avenues, like social networking, SMS or IM.”