Addison Wesley: Crimeware: Understanding New Attacks and Defenses (April 2008), ISBN 0321501950


Document information

Pages: 1,078
Size: 7.94 MB

Contents


Page 1

by Markus Jakobsson; Zulfikar Ramzan

Publisher: Addison Wesley Professional
Pub Date: April 06, 2008
Print ISBN-10: 0-321-50195-0
Print ISBN-13: 978-0-321-50195-0
eText ISBN-10: 0-321-55374-8
eText ISBN-13: 978-0-321-55374-4
Pages: 608

Table of Contents | Index

Overview

"This book is the most current and comprehensive analysis of the state of Internet security threats right now. The review of current issues and predictions about problems years away are critical for truly understanding crimeware. Every concerned person should have a copy and use it for reference."

–Garth Bruen, Project KnujOn Designer

There's a new breed of online predators–serious criminals intent on stealing big bucks and top-secret information–and their weapons of choice are a dangerous array of tools called "crimeware." With an ever-growing number of companies, organizations, and individuals turning to the Internet to get things done, there's an urgent need to understand and prevent these online threats.

Crimeware: Understanding New Attacks and Defenses will help security professionals, technical managers, students, and researchers understand and prevent specific crimeware threats. This book guides you through the essential security principles, techniques, and countermeasures to keep you one step ahead of the criminals, regardless of evolving technology and tactics. Security experts Markus Jakobsson and Zulfikar Ramzan have brought together chapter contributors who are among the best and the brightest in the security industry. Together, they will help you understand how crimeware works,

Page 2

company's valuable information falls into the wrong hands. In self-contained chapters that go into varying degrees of depth, the book provides a thorough overview of crimeware, including not only concepts prevalent in the wild, but also ideas that so far have only been seen inside the laboratory.

With this book, you will

Understand current and emerging security threats including rootkits, bot networks, spyware, adware, and click fraud

Recognize the interaction between various crimeware threats

Gain awareness of the social, political, and legal implications of these threats

Learn valuable countermeasures to stop crimeware in its tracks, now and in the future

Acquire insight into future security trends and threats, and create an effective defense plan

With contributions by Gary McGraw, Andrew Tanenbaum, Dave Cole, Oliver Friedrichs, Peter Ferrie, and others.

Page 3

Section 1.8 Crimeware Usage

Section 1.9 Organizing Principles for the Remainder of This Text

Acknowledgments

Page 6

Section 17.3 Using Social Networks to Bootstrap Attacks

Section 17.4 New Use of the Internet: Controlling the Infrastructure

Section 17.5 Moving Up the Stack

Section 17.6 The Emergence of an E-Society: Are We Becoming More Vulnerable?

Section 17.7 The Big Picture

References

Index

Page 7

book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, (800) 382-3419, corpsales@pearsontechgroup.com

For sales outside the United States please contact: International Sales, international@pearsoned.com

Page 8

retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information

Page 9

Traditionally, malware has been thought of as a purely technical threat, relying principally on technical vulnerabilities for infection. Its authors were motivated by intellectual curiosity, and sometimes by competition with other malware authors.

This book draws attention to the fact that this is all history. Infection vectors of today take advantage of social context, employ deceit, and may use data-mining techniques to tailor attacks to the intended victims. Their goal is profit or political power. Malware has become crimeware. That is, malware has moved out of basements and college dorms, and is now a tool firmly placed in the hands of organized crime, terror organizations, and aggressive governments. This transformation comes at a time when society increasingly has come to depend on the Internet for its structure and stability, and it raises a worrisome question: What will happen next?

This book tries to answer that question by a careful exposition of what crimeware is, how it behaves, and what trends are evident.

The book is written for readers from a wide array of backgrounds. Most sections and chapters start out describing a given angle from a bird's-eye view, using language that makes the subject approachable to readers without deep technical knowledge. The chapters and sections then delve into more detail, often concluding with a degree of technical detail that may be of interest only to security researchers. It is up to you to decide when you understand enough of a given issue and are ready to turn to another chapter.

Recognizing that today's professionals are often pressed for time, this book is written so that each chapter is relatively self-contained. Rather than having each chapter be sequentially dependent on preceding chapters, you can safely peruse a specific chapter of interest and skip back and forth as desired. Each chapter was contributed by a different set of authors, each of whom provides a different voice and unique perspective on the issue of crimeware.

This book is meant for anyone with an interest in crimeware, computer security, and eventually, the survivability of the Internet. It is not meant only for people with a technical background. Rather, it is also appropriate for makers of laws and policies, user interface designers, and companies

Page 10

Although we often use recent examples of attacks to highlight and explain issues of interest, the focus here is on the underlying trends, principles, and techniques. When the next wave of attacks appears—undoubtedly using new technical vulnerabilities and new psychological twists—then the same principles will still hold. Thus, this book is meant to remain a useful reference for years to come, in a field characterized by change. We are proud to say that we think we have achieved this contradictory balance, and we hope that you will agree.

Acknowledgments

We are indebted to our expert contributors, who have helped make this book what it is by offering their valuable and unique insights, and selflessly donated their time to advance the public's knowledge of crimeware. The following researchers helped us provide their view of the problem: Shane Balfe, Jeffrey Bardzell, Shaowen Bardzell, Dan Boneh, Fred H. Cate, David Cole, Vittoria Colizza, Bruno Crispo, Neil Daswani, Aaron Emigh, Peter Ferrie, Oliver Friedrichs, Eimear Gallery, Mona Gandhi, Kourosh Gharachorloo, Shuman Ghosemajumder, Minaxi Gupta, James Hoagland, Hao Hu, Andrew Kalafut, Gary McGraw, Chris J. Mitchell, John Mitchell, Steven Myers, Chris Mysen, Tyler Pace, Kenneth G. Paterson, Prashant Pathak, Vinay Rao, Jacob Ratkiewicz, Melanie Rieback, Sourabh Satish, Sukamol Srikwan, Sid Stamm, Andrew Tanenbaum, Alex Tsow, Alessandro Vespignani, Xiaofeng Wang, Stephen Weis, Susanne Wetzel, Ollie Whitehouse, Liu Yang, and the Google Ad Traffic Quality Team.

In addition, Markus wishes to thank his graduate students, who have helped with everything from performing LaTeX conversions to being experiment subjects, and many of whose research results are part of this book. Zulfikar wishes to thank Oliver Friedrichs and the rest of the Symantec Advanced Threat Research team (as well as his colleagues throughout Symantec) for affording him the opportunity to work on this book and for engaging in countless stimulating discussions on these topics.

Page 11

We also both want to acknowledge the help and guidance we have received from Jessica Goldstein and Romny French at Addison-Wesley. Finally, we want to thank our understanding spouses and families, who have seen much too little of us in the hectic months during which we labored on getting the book ready for publication.

Page 12

a special focus on privacy. Markus has coauthored more than one hundred peer-reviewed articles and is a co-inventor of more than fifty patents and patents pending. He received his Ph.D. in computer science from University of California at San Diego in 1997.

Zulfikar Ramzan, Ph.D., is currently a senior principal researcher with Symantec Security Response. He focuses on improving the security of the online experience, including understanding threats like phishing, online fraud, malicious client-side software, and web security. In general, Zulfikar's professional interests span the theoretical and practical aspects of information security and cryptography. He is a frequent speaker on these issues and has coauthored more than fifty technical articles and one book. Zulfikar received his S.M. and Ph.D. degrees from the Massachusetts Institute of Technology in electrical engineering and computer science (with his thesis research conducted in cryptography and information security).

Page 13

Aaron Emigh and Zulfikar Ramzan

It used to be the case that the authors of malicious code (or malware) were interested primarily in notoriety. However, those days are long gone. The reality is that somewhere along the way, beginning roughly in the very early part of the twenty-first century, a marked shift occurred in the online threat landscape. Cyber-attackers started realizing that they could potentially make serious money from their activities. With more and more people conducting transactions online, malicious code moved away from being simply malicious, and moved toward being criminal. This trend has given rise to a new form of malicious software—namely, crimeware.

Crimeware is software that performs illegal actions unanticipated by a user running the software; these actions are intended to yield financial benefits to the distributor of the software. Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via a wide variety of mechanisms, and attacks are proliferating rapidly.

1.1 Introduction

1.1.1 Theft of Sensitive Information

Online identity theft, in which confidential information is illicitly obtained through a computer network and used for profit, is a rapidly growing enterprise. Some estimates of the direct financial losses due to phishing

Page 14

replacement costs, and higher expenses owing to decreased use of online services in the face of widespread fear about the security of online financial transactions. Increasingly, online identity theft is perpetrated using malicious software known as crimeware.

Crimeware can be used to obtain many kinds of confidential information, including usernames and passwords, Social Security numbers, credit card numbers, bank account numbers, and personal information such as birth dates and mothers' maiden names. In addition to online identity theft, crimeware is used in targeted attacks against institutions, such as theft of access credentials to corporate virtual private networks (VPNs) and theft of intellectual property or business data. Crimeware can also be used in distributed denial-of-service attacks, which are used to extort money from businesses, and in click fraud, in which online advertisers are cheated into paying criminals who simulate clicks on advertisements they host themselves. Instances of ransomware have also occurred, in which data on a compromised machine is encrypted, and the criminal then offers to decrypt the data for a fee.

1.1.2 Crimeware and Its Scope

Crimeware is a subclass of the broader category of malware, which refers generally to unwanted software that performs malicious actions on a user's computer. In addition to crimeware, malware encompasses (possibly) legal but malicious software, such as adware and spyware, and illegal software without a commercial purpose, such as destructive viruses. Many malware examples straddle the line between being criminal and being malicious. For example, while adware might be a nuisance to some, not all adware is, strictly speaking, criminal. Because adware resides in a gray area and because it is so prevalent, this text discusses adware in more detail in Chapter 12.

Although this text focuses on crimeware, it also discusses issues related to other forms of online malicious activity, such as the broader concepts of malware and phishing attacks. In many cases, these threats have common attributes or share some common solutions. For example, phishing attacks can be used as a social engineering lure to convince users to install crimeware on their machines. Because social engineering

Page 15

it can be difficult to have a detailed exposition of crimeware without reference to phishing. Along similar lines, malware that is not crimeware might have similar propagation and detection mechanisms.

1.1.3 Crimeware Propagation

As shown in Figure 1.1, crimeware is generally spread either by social engineering or by exploiting a security vulnerability. A typical social engineering attack might aim to convince a user to open an email attachment or download a file from a web site, often claiming the attachment has something to do with pornography, salacious celebrity photos, or gossip. Some downloadable software, such as games or video player "accelerators," can also contain malware. According to the twelfth edition of the Symantec Internet Security Threat Report (ISTR), 46% of malicious code that propagated during the first half of 2007 did so over the Simple Mail Transfer Protocol (SMTP),[1] making it the most popular means of propagation [401].

[1] SMTP is the standard protocol for mail transmission over the Internet.

Figure 1.1 Crimeware propagation techniques can be broken up into two broad categories: those based on social engineering and those based on security exploitation.

Malware is also spread by exploits of security vulnerabilities; as discussed in Chapter 2, these vulnerabilities are often rooted in coding errors. In the first half of 2007, 18% of the 1509 malicious code instances documented by Symantec exploited vulnerabilities [401]. Such malware can propagate using a worm or virus that takes advantage of security vulnerabilities to install the malware, or by making the malware available on a web site that exploits a (web browser or web browser plug-in)

Page 16

appealing content at the site, or through injecting malicious content into a legitimate web site by exploiting a security weakness such as a cross-site scripting vulnerability on the site. The relatively small percentage of exploits involving vulnerability-oriented malware suggests that attackers find no need to use technically complex methods when simpler social-engineering-based methods will suffice.

Crimeware attacks often span multiple countries, and are commonly perpetrated by organized criminals. Because crimeware is designed with financial gain in mind, the perpetrators often treat their malicious activities as a full-time job rather than as a hobby. They appear to take their work seriously, as indicated by the proliferation of crimeware and the creative and sophisticated mechanisms the attackers have employed. This chapter describes and categorizes the different types of crimeware and discusses the structural elements common to various attacks.

Page 21

Information theft via crimeware is a rapidly increasing problem. Phishing scams, for example, are increasingly being performed via crimeware. According to the Anti-Phishing Working Group, both the number of unique key-logging trojans and the number of unique URLs distributing such crimeware grew considerably between May 2005 and May 2007, with the bulk of the growth happening between May 2005 and May 2006 [100, 159] (see Table 1.1). Also, according to Symantec, of all threats reported from January to June 2007 that could compromise sensitive information, 88% had keystroke-logging capabilities [401]. This number was up from 76% from the previous reporting period (July to December 2006).

Page 22

[2] Botnets can be used to carry out a plethora of malicious activities; they are discussed in greater detail in Chapter 7.

Page 23

representative of the species. The distinctions between crimeware variants are not always clear-cut, because many attacks are hybrids that employ multiple technologies. For example, a deceptive phishing email could direct a user to a site that has been compromised with content injection. The content injection could be used to install a backdoor on the victim's computer via a browser security vulnerability. This backdoor might then be used to install crimeware that poisons the user's hosts file and enables a pharming attack.[3] Subsequent attempts to reach legitimate web sites will then be rerouted to phishing sites, where confidential information is compromised using a man-in-the-middle attack. While this type of example might seem highly involved, it is not uncommon.

[3] A more detailed exposition on pharming can be found in the text edited by Jakobsson and Myers [202].
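The hosts-file poisoning step in the chain above is one a defender can check for directly: any entry that maps a monitored domain to an address other than the ones expected is a pharming indicator, and several monitored names pointing at the same unexpected address strengthen it. The script below is an added example, not code from the book; the monitored domains, their expected addresses, and the hosts-file content are constructed sample data.

```python
"""Flag hosts-file entries that redirect monitored domains (pharming check)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: domains a defender monitors and the addresses a local
# override for them is allowed to carry. Anything else is suspicious.
EXPECTED = {
    "example-bank.test": {"192.0.2.10"},
    "mail.example.test": {"198.51.100.5"},
}

# Constructed sample hosts file: comment, two loopback lines, one legitimate
# override, and two entries that reroute monitored names to the same host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      example-bank.test www.example-bank.test
203.0.113.77    mail.example.test   # trailing comment is ignored by the resolver
203.0.113.77    secure.example-bank.test
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    reason: str


def parse_hosts(text):
    """Return [(line_no, ip_address, [hostnames])] for each effective entry.

    Strips trailing '#' comments, skips blank lines, and ignores lines whose
    first token is not a valid IPv4/IPv6 address (the resolver ignores them too).
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        names = [t.lower().rstrip(".") for t in tokens[1:]]
        if names:
            entries.append((line_no, addr, names))
    return entries


def monitored_parent(hostname, monitored):
    """Return the monitored domain that hostname equals or sits under, else None."""
    for dom in monitored:
        if hostname == dom or hostname.endswith("." + dom):
            return dom
    return None


def find_poisoned(text, expected):
    """Return Findings for monitored names mapped outside their expected set."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            dom = monitored_parent(name, expected)
            if dom is None or str(addr) in expected[dom]:
                continue
            kind = "points at loopback (access blocked or local listener)" \
                if addr.is_loopback else "redirected to unexpected address"
            findings.append(Finding(line_no, name, str(addr),
                                    f"{kind}; expected one of {sorted(expected[dom])}"))
    return findings


def shared_sinks(findings):
    """Addresses that collect more than one monitored name: a stronger pharming signal."""
    by_addr = {}
    for f in findings:
        by_addr.setdefault(f.address, set()).add(f.hostname)
    return {a: names for a, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    hits = find_poisoned(SAMPLE_HOSTS, EXPECTED)
    for f in hits:
        print(f"line {f.line_no}: {f.hostname} -> {f.address}: {f.reason}")
    for addr, names in shared_sinks(hits).items():
        print(f"shared sink {addr}: {sorted(names)}")
```

On a real system, read the contents of the platform's hosts file (for example /etc/hosts, or the drivers\etc\hosts file under the Windows system directory) into `find_poisoned` and review any output alongside the file's modification time.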

Other malicious software can also be installed using the backdoor, such as a mail relay to transmit spam and a remotely controlled slave that listens over a chat channel and participates in a distributed denial-of-service attack when a command to do so is received.

Notwithstanding the proliferation of various types of crimeware, a crimeware attack on a conventional computing platform without protected data or software can be roughly diagrammed as shown in Figure 1.2. Note that not all stages are required. In this diagram, the stages of a crimeware attack are categorized as follows:

Page 24

1. Crimeware is distributed. Depending on the particular crimeware attack, crimeware may be distributed via social engineering (as is the case in malicious email attachments and piggyback attacks) or via an exploit of a security vulnerability (as is the case in web browser security exploits, Internet worms, and hacking).

2. The computing platform is infected. Infection takes many forms, which are discussed separately later in this chapter. In some cases, the crimeware itself is ephemeral and there may be no executable "infection" stage, as in immediate data theft or system reconfiguration attacks. For example, a crimeware instance might modify a user's hosts file before erasing itself. In such cases, the attack leaves behind no persistent executable code. In other cases, a crimeware instance might be more persistent. For example, a keystroke logger will likely continue to run on the victim's machine.

3. The crimeware executes, either as part of a one-time attack such as data theft or system reconfiguration, as a background component of an attack such as that involving a rootkit,[4] or by invocation of an infected component.

[4] A rootkit is a component that uses various stealthing techniques to mask its presence on a machine. Rootkits are discussed in greater detail in Chapter 8.

4. Confidential data is retrieved from storage, in attacks such as those involving data theft. For example, the crimeware can scan the victim's hard drive for sensitive information.

Page 25

7. The legitimate server receives confidential data, either from the executing crimeware (in attacks in which data is explicitly compromised by the crimeware) or from the attacker (in man-in-the-middle attacks).

Figure 1.2 The stages of a typical crimeware attack. First, the crimeware (1) is distributed, (2) infiltrates a particular computing platform, and (3) executes. At this point, crimeware can function in multiple ways depending on the nature of the particular crimeware instance. For example, the crimeware instance may (4) scan the user's hard drive for sensitive information or (5) intercept the user's keystrokes. In some modes, the crimeware instance transmits the information it collected (6) directly to the attacker. In other modes, the information is transmitted indirectly to the attacker through an otherwise (7) legitimate server that is being misused. In the case of a man-in-the-middle attack, the information will be sent to (6) the attacker before it is relayed to (7) a legitimate server.

Page 26

Keyloggers are programs that monitor data being input into a machine. They typically install themselves either into a web browser or as a device driver. Keyloggers also send relevant data to a remote server. These programs use a number of different technologies and may be implemented in many ways:

A browser helper object can detect changes to the URL and log information when a URL is affiliated with a designated credential collection site

characters in their password, rather than typing the password out explicitly using the physical keyboard

A keylogger can also be implemented as a hardware device that is physically attached to a machine. Because this book focuses more on the software side, however, such keyloggers fall outside the scope considered by this text. We will not discuss them further here.

Keyloggers may collect credentials for a wide variety of sites. As with

Page 27

Trojan.Dowiex [339])

Figure 1.3 An automated keylogger generator. This generator allows the attacker to create a customized keystroke logger. The attacker can specify an email address. The log file that collects the keystrokes is then periodically sent to this particular email address. The user can specify the frequency with which the log file is sent. For example, the user can specify that the file be sent at fixed time intervals or when the file reaches a certain length.

Page 28

SetWindowsHook) to monitor keystrokes. A system hook is a mechanism that allows for the interception of Windows messages, commands, or process transactions—including those associated with keyboard events. Keyboard hooks have numerous legitimate purposes. For example, many instant messaging clients use a keyboard hook to determine whether a user is typing a message (and relay that information to whomever the user is communicating with). The actual keylogging application includes a component that initiates the hook as well as a component that logs the data collected. In Windows, the logging functionality might be implemented as a Dynamic Link Library (DLL). Another way to implement an application-level keylogger is by monitoring keyboard requests using, for example, Windows APIs such as GetAsyncKeyState() and GetKeyboardState(). This approach requires constant polling, so it is more computationally intensive.

Page 29

Kernel-level keyloggers operate at a much lower level; that is, they receive data directly from the keyboard itself. These keyloggers typically work by creating a layered device driver that inserts itself into the chain of devices that process keystrokes. When any request is made to read a keystroke, an I/O request packet (IRP) is generated. This IRP works its way down the device chain until the lowest-level driver retrieves the actual keystroke from the keyboard buffer. The keystroke is represented by its scancode, which is a numeric representation of the key that the user pressed. The scancode is placed in the IRP, which then traverses back up the device chain. Each device on the chain can potentially modify or respond to the scancode. Many legitimate applications might be in this chain—for example, encryption tools or instant messaging clients.

Kernel-level keyloggers will not capture entire passwords when the auto-complete feature is used. The auto-complete function happens at the application layer, which is above the kernel layer. Therefore, auto-complete processing will occur after the keylogging driver has processed the keystroke. A more detailed exposition of kernel-level keyloggers can be found in Chapter 6 of the text by Hoglund and Butler [177].

Various types of secondary damage may follow a keylogger compromise. In one real-world example, a credit reporting agency was targeted by a keylogger spread via pornography spam. This attack led to the compromise of more than 50 accounts with access to the agency; those accounts were, in turn, used to compromise as many as 310,000 sets of personal information from the credit reporting agency's database [219].

1.4.2 Email and Instant Messaging Redirectors

Email redirectors are programs that intercept and relay outgoing emails, in the process sending an additional copy to an unintended address to which an attacker has access. Instant messaging redirectors monitor instant messaging applications and transmit transcripts to an attacker. Email and instant messaging redirectors, examples of which are shown in Figures 1.4 and 1.5, respectively, are used for corporate espionage as well as personal surveillance.

Trang 30

Figure 1.4 An email redirector Note that the user interface is fairly straightforward and requires the attacker just to specify the email

address to which mail should be copied.

Figure 1.5 An instant messaging redirector. Here instant messaging transcripts are sent to the address specified by the attacker. Although this particular redirector targets the AOL instant messenger, the tool itself is not a product developed by AOL.



Session hijacking refers to an attack in which a legitimate user session is commandeered. In this kind of attack, a user's activities are monitored, typically by a malicious browser component. When the user logs into his or her account or initiates a transaction, the malicious software "hijacks" the session to perform malicious actions, such as transferring money, once the user has legitimately established his or her credentials. Session hijacking can be performed on a user's local computer by malware, or it can be performed remotely as part of a man-in-the-middle attack. When performed locally by malware, session hijacking can look to the targeted site exactly like a legitimate user interaction that has been initiated from the user's home computer.

1.4.4 Web Trojans

Web trojans are malicious programs that pop up over login screens in an effort to collect credentials. When installed on a machine, the trojan silently waits for the user to visit a particular web site (or set of web sites). When the user visits that site, the trojan places a fake login window on top of the site's actual login window. The user, who is oblivious to the presence of the trojan on his or her machine, then tries to log in normally,


attacker for misuse.

Web trojans do not always duplicate the login window exactly. For instance, they can add extra fields to the log-in window to collect more information. In one example, Infostealer.Banker.D added a field into its fake login window for a victim to enter a PIN (in addition to the username and password) [333]. Along similar lines, some web trojans wait for users to actually log in as they normally would before presenting them with additional form fields in which to enter data.

Figure 1.6 shows a screen shot of a web trojan configurator, which can be used to automatically create a web trojan for either Yahoo!, AOL, MSN, or Hotmail.

Figure 1.6 A web trojan configurator. This configurator allows the attacker to specify the site for which a fake login is displayed (Yahoo!, AOL, MSN, or Hotmail). When a user visits the site configured by the attacker, the user will be presented with a fake login window that overlays on top of the real login window. Data entered into the fake window will be transmitted to the attacker.


Unlike many of the other types of crimeware discussed in this chapter, a transaction generator does not necessarily target an end user's computer, but rather typically targets a computer inside a transaction-processing center such as a credit card processor. A transaction generator generates fraudulent transactions for the benefit of the attacker, from within the payment processor. These programs also often intercept and compromise credit card data. Transaction generators are typically installed by attackers who have targeted the transaction-processing center and compromised its security.

Transaction generators could potentially be installed on the end user's machine as well. For example, such a transaction generator could be implemented as some type of web browser extension or plug-in, which then modifies transaction details on the fly. Such transaction generators are discussed in detail in Chapter 6.

1.4.6 System Reconfiguration Attacks


Hostname Lookup Attacks

Hostname lookup attacks interfere with the integrity of the Domain Name System (DNS). Hostname lookup attacks are commonly referred to as pharming. We give a brief description of pharming here; a more extensive treatment can be found in Chapter 4 of the text edited by Jakobsson and Myers [202].

When establishing a connection with a remote computer such as a web server belonging to a bank or other target, a hostname lookup is normally performed to translate a domain name such as "bank.com" to a numeric IP address such as 129.79.78.8. This translation is usually performed by a DNS server.

The DNS is the equivalent of the directory assistance service (or even a giant phone book) for the Internet. Every computer that is directly accessible on the Internet has a unique Internet Protocol (IP) address—for example, something like 129.79.78.8. To access the web site of "www.bank.com", your computer needs to know the IP address of that site. It is difficult for typical users to remember these numerical addresses, so instead we remember a simpler name—for example, www.bank.com. A DNS server actually has an entry (called a record) that associates www.bank.com with the IP address 69.8.217.90. To access this entry, the user's machine typically has to access a DNS server (the other way that IP address-to-hostname translations are performed is through the hosts file, which we discuss later). Many such DNS servers exist on the Internet. Normally, the user's Internet service provider (or corporate IT staff, for enterprises) configures which DNS server to use.

One form of hostname lookup attack tries to interfere with the DNS—for example, by compromising a DNS server and modifying its records. More commonly, hostname lookup attacks are performed locally by crimeware that modifies the hosts file on the victim's computer. A computer uses a hosts file to see whether a domain or hostname is known to the local machine with a predetermined address, before it consults DNS. If the domain or hostname appears in the hosts file, the corresponding address


"www.bank.com" might be made to refer to a malicious IP address. When the user goes there, he or she will see a legitimate-looking site and enter confidential information, which actually goes to the attacker.
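Because the hosts file is consulted before DNS, a defender can catch the local form of pharming described above simply by checking whether that file pins any sensitive hostname. The following is an added example, not code from the book: a small hosts-file parser with a check against an assumed watch-list, run over a constructed sample file.

```python
# Added example (not from the book): hosts-file check for local pharming.
# The hosts content below is constructed for the demo; on a real machine read
# /etc/hosts (Unix) or %SystemRoot%\System32\drivers\etc\hosts (Windows).
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.local
129.79.78.8     www.bank.com bank.com   # suspicious: sensitive name pinned
"""

# Hostnames that should never be resolved via the hosts file (assumed list).
WATCHED = {"www.bank.com", "bank.com", "www.examplebank.test"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real tool would log it
        for name in parts[1:]:
            yield addr, name.lower()


def find_pharming_entries(text, watched=WATCHED):
    """Return (hostname, address, kind) for every watched name in the file.

    Any watched name in the hosts file overrides the legitimate DNS record,
    so it is reported regardless of the address: a non-loopback address is
    a 'redirect' (classic pharming), a loopback address a 'blackhole'
    (e.g. crimeware blocking a security vendor's update site).
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name in watched:
            kind = "blackhole" if addr.is_loopback else "redirect"
            findings.append((name, str(addr), kind))
    return findings
```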

A second form of hostname lookup attack involves polluting the user's DNS cache. The DNS cache is stored on the user's local machine and keeps track of responses provided by DNS servers. This way, if a query for a particular domain name was recently made and a response given, the user's machine does not need to repeat that query. Instead, it can just look up the result in the DNS cache. If the user has a misconfigured DNS cache, however, an attacker might be able to pollute it with incorrect information. Once the cache is polluted, future responses might contain invalid information and lead users to incorrect web sites.

A DNS server also has a cache that can be used to improve its performance; this cache can likewise be polluted if the server is misconfigured. Of course, it might be possible for an attacker to directly compromise a DNS server and modify its records as well. Such attacks that compromise information on the DNS server itself do not fall within the definition of crimeware, as they do not involve software that runs on the victim's computer.

One more way to interfere with hostname lookups is to alter the system configuration of a victim's computer so as to change the DNS server to a malicious server controlled by the attacker. When a user navigates to a correctly named site, such a server might then send the user to a

management password on the home router has not been modified from its default setting). This approach is employed in drive-by pharming attacks, as discussed in Chapter 6.


Another type of system reconfiguration attack is to install a proxy through which the user's network traffic will be passed. The attacker can glean confidential information from the traffic while retransmitting it back and forth between the victim and a remote web site. A proxy attack is a form of a man-in-the-middle attack (see Section 1.4.8 for more details).

Proxies come in many types, including HTTP proxies, TCP/IP drivers, and browser helper objects that proxy web traffic from the browser. Many are manageable using a remote interface, such as the one shown in Figure 1.7.

Figure 1.7 A TCP/IP proxy manager. The attacker configures the manager to intercept all traffic between the victim and whatever web site he or she is communicating with.

1.4.7 Data Theft

Once malicious code is running on a user's machine, it can directly steal confidential data stored on the computer. Such data might include passwords, activation keys to software, sensitive correspondence, and any other information that is stored on a victim's computer. Some confidential data, such as passwords stored in browser and email clients, is accessible in standard locations. By automatically filtering data and looking for information that fits patterns such as a Social Security number, a great deal of other sensitive information can also be obtained. Even data the victim thinks he or she has erased could be stolen. When it erases a file, the operating system simply removes references to the file from the file system table. In reality, the underlying content might still


Data theft is also commonly performed by crimeware performing corporate (or possibly governmental) espionage, using software such as that shown in Figures 1.8 and 1.9. High-value machines can be targeted, but some espionage may rely on large-scale attacks, because personal computers often contain the same confidential information that is also stored on better-protected enterprise computers. In addition to conducting espionage for hire, an attacker might publicly leak confidential memos or design documents, causing their owners economic damage or embarrassment.

Figure 1.8 A data theft crimeware configuration interface where the files are kept in standard locations. The attacker can specify different types of confidential data to access and an email address to which this information should be sent. Once the configuration tool is run, the attacker will seek to place the resulting crimeware instance on the victim's machine.


Figure 1.9 A data theft crimeware configuration interface where the


Figure 1.10 A man-in-the-middle attack. The attacker intercepts communication from one party and passes it on to the other party, surreptitiously gleaning information along the way. These attacks can be prevented if the data is encrypted end-to-end, and the attacker does not have access to the decryption key, as might happen under the Secure Sockets Layer (SSL) protocol.


Examples of a man-in-the-middle attack in the context of crimeware:

- A session hijacking attack, in which information is received from a user and passed through to the legitimate site until the desired authentication and/or transaction initiation has been performed, whereupon the session is hijacked.

- A hostname lookup (pharming) attack, in which a web site at the correct host name, but incorrect IP address, relays data between the user and legitimate site, to provide verisimilitude and delay detection.

- A web proxy attack, in which a malicious web proxy receives all web traffic from a compromised computer and relays it to a legitimate site, collecting credentials and other confidential information in the process. The malicious proxy need not be on an external machine, but could be hosted on a victim's home broadband router, which is part of the user's internal network. This concept of hosting such a proxy on the router, which is known as trawler phishing, is described in more detail in Chapter 5.

Man-in-the-middle attacks are difficult for a user to detect, because a legitimate site can appear to work properly, and there may be no external indication that anything is wrong. Normally, Secure Sockets Layer (SSL) web traffic will not be vulnerable to a man-in-the-middle attack (assuming the attacker does not possess a decryption key).

The handshake used by SSL ensures that the session is established with the party named in the server's certificate, that an external attacker cannot obtain the session key, and that SSL traffic is encrypted using the session key so it cannot be decoded by an eavesdropper. Proxies normally have provisions for tunneling such encrypted traffic without being able to access its contents. However, browsers and other standard software applications generally silently accept cryptographic certificates from trusted certificate authorities; crimeware can modify this system configuration to install a new trusted certificate authority. Having done so, a proxying intermediary can create its own certificates in the name of any SSL-protected site. These certificates, which appear to come from a "trusted" certificate authority thanks to the altered system configuration, will be unconditionally accepted by the local software. The intermediary


information, and then re-encrypt the traffic to communicate with the other side. In practice, most man-in-the-middle attacks simply do not use SSL, because users do not generally check for its presence [306, 477].
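The rogue-CA variant described above leaves a durable trace: a root certificate in the trust store that was not there before. The following is an added example, not code from the book: it fingerprints every certificate in a PEM trust-store bundle and reports any root absent from a baseline recorded on a known-clean machine. The PEM blobs are constructed stand-ins (base64 of arbitrary bytes, not real X.509 data); the parsing and comparison are the same as for a real bundle.

```python
# Added example (not from the book): detect a newly installed trusted root CA
# by diffing the current trust-store bundle against a saved baseline. A real
# run would read a bundle such as /etc/ssl/certs/ca-certificates.crt.
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fake_pem(der_bytes):
    """Wrap arbitrary bytes in PEM armor (constructed test data only)."""
    body = base64.encodebytes(der_bytes).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def bundle_fingerprints(bundle_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a bundle."""
    fps = []
    for b64 in PEM_CERT.findall(bundle_text):
        der = base64.b64decode("".join(b64.split()))  # strip line breaks
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def new_trusted_roots(baseline_text, current_text):
    """Fingerprints present in the current store but absent from the baseline.

    Any hit deserves investigation: a root added outside normal patching lets
    a proxying intermediary mint certificates for any SSL-protected site that
    the local software will then accept silently.
    """
    baseline = set(bundle_fingerprints(baseline_text))
    return sorted(set(bundle_fingerprints(current_text)) - baseline)


# Constructed baseline: two "roots" recorded on a known-clean machine.
BASELINE_BUNDLE = fake_pem(b"constructed-root-A") + fake_pem(b"constructed-root-B")
# Constructed current store: the same two roots plus one injected afterwards.
INJECTED_ROOT = fake_pem(b"constructed-root-injected-later")
CURRENT_BUNDLE = BASELINE_BUNDLE + INJECTED_ROOT
```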

Man-in-the-middle attacks can compromise authentication credentials other than passwords, such as one-time or time-varying passcodes generated by hardware devices. Such stolen credentials can be used by an attacker for authentication as long as they remain valid.

1.4.9 Rootkits

A rootkit is any software that hides the presence and activity of malicious software. Rootkits can be as simple as crude replacements of the administrative software that is commonly used to monitor running processes on a computer, or as complex as sophisticated kernel-level patches that enforce invisibility of protected malicious code, even to detectors with access to kernel-level data structures.

One proposed mechanism for detecting rootkits is to have the core operating system run as a guest inside a virtual machine, while security software runs on the outside (on the host operating system). This approach provides security software with a bird's-eye view of any malicious software that is running on top of the guest operating system and executing inside the virtual machine. On the flip side, a rootkit can potentially take the existing host operating system and turn it into a guest operating system by running it inside a virtual machine. Any software running on the original host (including security software) will then run inside a virtual machine. Such software will have difficulty detecting the rootkit, which itself runs outside the virtual machine. Such attacks can be aided by modern processor features supporting virtualization. At the same time, if modern processors provide virtualization support, then security software can run in a separate virtual machine, making it difficult to disable [190].

It is theoretically possible for crimeware to install itself not only in the memory and hard drive of an infected computer, but also in nonvolatile storage of hardware devices, such as an ACPI BIOS or a graphics card [167]. Such exploits have been proven possible in laboratory experiments, but have yet to appear in the wild. A more detailed

Posted: 19/04/2019, 14:45
