Crimeware: Understanding New Attacks and Defenses
by Markus Jakobsson; Zulfikar Ramzan
Publisher: Addison Wesley Professional
Pub Date: April 06, 2008
Print ISBN-10: 0-321-50195-0
Print ISBN-13: 978-0-321-50195-0
eText ISBN-10: 0-321-55374-8
eText ISBN-13: 978-0-321-55374-4
Pages: 608
Overview
"This book is the most current and comprehensive analysis of the state of Internet security threats right now. The review of current issues and predictions about problems years away are critical for truly understanding crimeware. Every concerned person should have a copy and use it for reference."
– Garth Bruen, Project KnujOn Designer
There's a new breed of online predators – serious criminals intent on stealing big bucks and top-secret information – and their weapons of choice are a dangerous array of tools called "crimeware." With an ever-growing number of companies, organizations, and individuals turning to the Internet to get things done, there's an urgent need to understand and prevent these online threats.
Crimeware: Understanding New Attacks and Defenses will help security professionals, technical managers, students, and researchers understand and prevent specific crimeware threats. This book guides you through the essential security principles, techniques, and countermeasures to keep you one step ahead of the criminals, regardless of evolving technology and tactics. Security experts Markus Jakobsson and Zulfikar Ramzan have brought together chapter contributors who are among the best and the brightest in the security industry. Together, they will help you understand how crimeware works, how to identify it, and how to prevent future attacks before your company's valuable information falls into the wrong hands. In self-contained chapters that go into varying degrees of depth, the book provides a thorough overview of crimeware, including not only concepts prevalent in the wild, but also ideas that so far have only been seen inside the laboratory.
With this book, you will
- Understand current and emerging security threats including rootkits, bot networks, spyware, adware, and click fraud
- Recognize the interaction between various crimeware threats
- Gain awareness of the social, political, and legal implications of these threats
- Learn valuable countermeasures to stop crimeware in its tracks, now and in the future
- Acquire insight into future security trends and threats, and create an effective defense plan
With contributions by Gary McGraw, Andrew Tannenbaum, Dave Cole, Oliver Friedrichs, Peter Ferrie, and others.
Table of Contents
Copyright
Preface
About the Authors
Chapter 1. Overview of Crimeware
Section 1.1. Introduction
Section 1.2. Prevalence of Crimeware
Section 1.3. Crimeware Threat Model and Taxonomy
Section 1.4. A Crimeware Menagerie
Section 1.5. Crimeware Distribution
Section 1.6. Infection and Compromise Points, Chokepoints, and Countermeasures
Section 1.7. Crimeware Installation
Section 1.8. Crimeware Usage
Section 1.9. Organizing Principles for the Remainder of This Text
Acknowledgments
Chapter 2. A Taxonomy of Coding Errors
Section 2.1. The Trinity of Trouble
Section 2.2. The Seven Pernicious Kingdoms
Section 2.3. The Phyla
Section 2.4. More Phyla Needed
Chapter 3. Crimeware and Peer-to-Peer Networks
Section 3.1. Malware in Peer-to-Peer Networks
Conclusion
Section 3.2. Human-Propagated Crimeware
Chapter 4. Crimeware in Small Devices
Section 4.1. Propagation Through USB Drives
Section 4.2. Radio Frequency ID Crimeware
Section 4.3. Mobile Crimeware
Chapter 5. Crimeware in Firmware
Section 5.1. Propagation by Firmware Updates
Conclusion
Section 5.2. Modeling WiFi Malware Epidemics
Chapter 6. Crimeware in the Browser
Section 6.1. Transaction Generators: Rootkits for the Web
Conclusion
Section 6.2. Drive-By Pharming
Conclusion
Section 6.3. Using JavaScript to Commit Click Fraud
Chapter 7. Bot Networks
Section 7.1. Introduction
Section 7.2. Network-Oriented Features of Botnets
Section 7.3. Software Features of Bots
Section 7.4. Web Bots and the General Future of Botnets
Section 7.5. Countermeasures
Conclusion
Chapter 8. Rootkits
Section 8.1. Introduction
Section 8.2. Evolution of Rootkits
Section 8.3. User-Mode Windows Rootkits
Section 8.4. Kernel-Mode Rootkit Techniques
Section 8.5. Linux Rootkits
Section 8.6. BIOS Rootkits
Section 8.7. PCI Rootkits
Section 8.8. Virtual Machine–Based Rootkits
Section 8.9. Rootkit Defense
Chapter 9. Virtual Worlds and Fraud
Section 9.1. Introduction
Section 9.2. MMOGs as a Domain for Fraud
Section 9.3. Electronic Fraud
Section 9.4. Fraud in MMOGs
Conclusion
Chapter 10. Cybercrime and Politics
Section 10.1. Domain Name Abuse
Section 10.2. Campaign-Targeted Phishing
Section 10.3. Malicious Code and Security Risks
Section 10.4. Denial-of-Service Attacks
Section 10.5. Cognitive Election Hacking
Section 10.6. Public Voter Information Sources: FEC Databases
Section 10.7. Intercepting Voice Communications
Conclusion
Acknowledgments
Chapter 11. Online Advertising Fraud
Section 11.1. History
Section 11.2. Revenue Models
Section 11.3. Types of Spam
Section 11.4. Forms of Attack
Section 11.5. Countermeasures
Section 11.6. Click Fraud Auditing
Section 11.7. The Economics of Click Fraud
Conclusion
Acknowledgments
Chapter 12. Crimeware Business Models
Section 12.1. The Crimeware Business
Conclusion
Section 12.2. A Closer Look at Adware
Chapter 13. The Educational Aspect of Security
Section 13.1. Why Education?
Section 13.2. Case Study: A Cartoon Approach
Conclusion
Chapter 14. Surreptitious Code and the Law
Section 14.1. Introduction
Section 14.2. The Characteristics of Surreptitious Code
Section 14.3. Primary Applicable Laws
Section 14.4. Secondary Applicable Laws
Conclusion
Chapter 15. Crimeware and Trusted Computing
Section 15.1. Introduction
Section 15.2. Anatomy of an Attack
Section 15.3. Combating Crimeware with Trusted Computing
Section 15.4. Case Studies
Conclusion
Chapter 16. Technical Defense Techniques
Section 16.1. Case Study: Defense-in-Depth Against Spyware
Conclusion
Section 16.2. Crimeware-Resistant Authentication
Conclusion
Section 16.3. Virtual Machines as a Crimeware Defense Mechanism
Chapter 17. The Future of Crimeware
Section 17.1. Crimeware, Terrorware, Vandalware, and Ransomware
Section 17.2. New Applications and Platforms
Section 17.3. Using Social Networks to Bootstrap Attacks
Section 17.4. New Use of the Internet: Controlling the Infrastructure
Section 17.5. Moving Up the Stack
Section 17.6. The Emergence of an E-Society: Are We Becoming More Vulnerable?
Section 17.7. The Big Picture
References
Index
Copyright
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.
The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, (800) 382-3419,
For sales outside the United States please contact: International Sales,
Visit us on the Web: informit.com/aw
Library of Congress Cataloging-in-Publication Data
Jakobsson, Markus.
Crimeware: understanding new attacks and defenses / Markus Jakobsson, Zulfikar Ramzan.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-321-50195-0 (pbk. : alk. paper) 1. Computer security. 2. Internet—Security measures. 3. Computer crimes. I. Ramzan, Zulfikar. II. Title.
QA76.9.A25 J325 2008
005.8—dc22 2007050736
Copyright © 2008 Symantec Corporation
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:
Pearson Education, Inc
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671-3447
ISBN-13: 978-0-321-50195-0
Text printed in the United States on recycled paper at Courier in Stoughton, Massachusetts. First printing, April 2008
Dedication
To Suma and Kabir
and
To A and Art
Preface
Traditionally, malware has been thought of as a purely technical threat, relying principally on technical vulnerabilities for infection. Its authors were motivated by intellectual curiosity, and sometimes by competition with other malware authors.
This book draws attention to the fact that this is all history. Infection vectors of today take advantage of social context, employ deceit, and may use data-mining techniques to tailor attacks to the intended victims. Their goal is profit or political power. Malware has become crimeware. That is, malware has moved out of basements and college dorms, and is now a tool firmly placed in the hands of organized crime, terror organizations, and aggressive governments. This transformation comes at a time when society increasingly has come to depend on the Internet for its structure and stability, and it raises a worrisome question: What will happen next? This book tries to answer that question by a careful exposition of what crimeware is, how it behaves, and what trends are evident.
The book is written for readers from a wide array of backgrounds. Most sections and chapters start out describing a given angle from a bird's-eye view, using language that makes the subject approachable to readers without deep technical knowledge. The chapters and sections then delve into more detail, often concluding with a degree of technical detail that may be of interest only to security researchers. It is up to you to decide when you understand enough of a given issue and are ready to turn to another chapter.
Recognizing that today's professionals are often pressed for time, this book is written so that each chapter is relatively self-contained. Rather than having each chapter be sequentially dependent on preceding chapters, you can safely peruse a specific chapter of interest and skip back and forth as desired. Each chapter was contributed by a different set of authors, each of whom provides a different voice and unique perspective on the issue of crimeware.
This book is meant for anyone with an interest in crimeware, computer security, and eventually, the survivability of the Internet. It is not meant only for people with a technical background. Rather, it is also appropriate for makers of laws and policies, user interface designers, and companies concerned with user education. The book is not intended as a guide to securing one's system, but rather as a guide to determining what the problem really is and what it will become.
Although we often use recent examples of attacks to highlight and explain issues of interest, the focus here is on the underlying trends, principles, and techniques. When the next wave of attacks appears—undoubtedly using new technical vulnerabilities and new psychological twists—then the same principles will still hold. Thus, this book is meant to remain a useful reference for years to come, in a field characterized by change. We are proud to say that we think we have achieved this contradictory balance, and we hope that you will agree.
Acknowledgments
We are indebted to our expert contributors, who have helped make this book what it is by offering their valuable and unique insights, and selflessly donated their time to advance the public's knowledge of crimeware. The following researchers helped us provide their view of the problem: Shane Balfe, Jeffrey Bardzell, Shaowen Bardzell, Dan Boneh, Fred H. Cate, David Cole, Vittoria Colizza, Bruno Crispo, Neil Daswani, Aaron Emigh, Peter Ferrie, Oliver Friedrichs, Eimear Gallery, Mona Gandhi, Kourosh Gharachorloo, Shuman Ghosemajumder, Minaxi Gupta, James Hoagland, Hao Hu, Andrew Kalafut, Gary McGraw, Chris J. Mitchell, John Mitchell, Steven Myers, Chris Mysen, Tyler Pace, Kenneth G. Paterson, Prashant Pathak, Vinay Rao, Jacob Ratkiewicz, Melanie Rieback, Sourabh Satish, Sukamol Srikwan, Sid Stamm, Andrew Tanenbaum, Alex Tsow, Alessandro Vespignani, Xiaofeng Wang, Stephen Weis, Susanne Wetzel, Ollie Whitehouse, Liu Yang, and the Google Ad Traffic Quality Team.
In addition, Markus wishes to thank his graduate students, who have helped with everything from performing LaTeX conversions to being experiment subjects, and many of whose research results are part of this book. Zulfikar wishes to thank Oliver Friedrichs and the rest of the Symantec Advanced Threat Research team (as well as his colleagues throughout Symantec) for affording him the opportunity to work on this book and for engaging in countless stimulating discussions on these topics.
We also both want to acknowledge the help and guidance we have received from Jessica Goldstein and Romny French at Addison-Wesley.
Finally, we want to thank our understanding spouses and families, who have seen much too little of us in the hectic months during which we labored on getting the book ready for publication.
Markus Jakobsson
Palo Alto, California
January, 2008
Zulfikar Ramzan
Mountain View, California
January, 2008
About the Authors
Markus Jakobsson, Ph.D., is currently principal scientist at Palo Alto Research Center and an adjunct associate professor at Indiana University. He has previously held positions as principal research scientist at RSA Laboratories, adjunct associate professor at New York University, and was a member of the technical staff at Bell Laboratories. He studies the human factor of security and cryptographic protocols, with a special focus on privacy. Markus has coauthored more than one hundred peer-reviewed articles and is a co-inventor of more than fifty patents and patents pending. He received his Ph.D. in computer science from University of California at San Diego in 1997.
Zulfikar Ramzan, Ph.D., is currently a senior principal researcher with Symantec Security Response. He focuses on improving the security of the online experience, including understanding threats like phishing, online fraud, malicious client-side software, and web security. In general, Zulfikar's professional interests span the theoretical and practical aspects of information security and cryptography. He is a frequent speaker on these issues and has coauthored more than fifty technical articles and one book. Zulfikar received his S.M. and Ph.D. degrees from the Massachusetts Institute of Technology in electrical engineering and computer science (with his thesis research conducted in cryptography and information security).
Chapter 1. Overview of Crimeware
Aaron Emigh and Zulfikar Ramzan
It used to be the case that the authors of malicious code (or malware) were interested primarily in notoriety. However, those days are long gone. The reality is that somewhere along the way, beginning roughly in the very early part of the twenty-first century, a marked shift occurred in the online threat landscape. Cyber-attackers started realizing that they could potentially make serious money from their activities. With more and more people conducting transactions online, malicious code moved away from being simply malicious, and moved toward being criminal. This trend has given rise to a new form of malicious software—namely, crimeware.
Crimeware is software that performs illegal actions unanticipated by a user running the software; these actions are intended to yield financial benefits to the distributor of the software. Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via a wide variety of mechanisms, and attacks are proliferating rapidly.
This book presents material related to crimeware that we hope is of use to people who are interested in information security, whether as researchers or as practitioners. This opening chapter presents a somewhat broad overview of crimeware. It delineates the different types of crimeware seen today and describes how this software arrives on the machine of an end user in the first place and what it does when it gets there. It also describes where opportunities for countermeasures exist. The chapter is peppered with specific real-life examples as well as data about the prevalence of the threats discussed. The remainder of this text will expound upon many of these topics in greater detail and introduce both crimeware concepts that are relevant today and concepts that are either at the bleeding edge of what's possible or even slightly beyond it.
1.1. Introduction
1.1.1. Theft of Sensitive Information
Online identity theft, in which confidential information is illicitly obtained through a computer network and used for profit, is a rapidly growing enterprise. Some estimates of the direct financial losses due to phishing alone exceed $1 billion per year [143]. But the losses do not stop here. Additional losses include customer service expenses, account replacement costs, and higher expenses owing to decreased use of online services in the face of widespread fear about the security of online financial transactions. Increasingly, online identity theft is perpetrated using malicious software known as crimeware.
Crimeware can be used to obtain many kinds of confidential information, including usernames and passwords, Social Security numbers, credit card numbers, bank account numbers, and personal information such as birth dates and mothers' maiden names. In addition to online identity theft, crimeware is used in targeted attacks against institutions, such as theft of access credentials to corporate virtual private networks (VPNs) and theft of intellectual property or business data. Crimeware can also be used in distributed denial-of-service attacks, which are used to extort money from businesses, and in click fraud, in which online advertisers are cheated into paying criminals who simulate clicks on advertisements they host themselves. Instances of ransomware have also occurred, in which data on a compromised machine is encrypted, and the criminal then offers to decrypt the data for a fee.
1.1.2. Crimeware and Its Scope
Crimeware is a subclass of the more broad category of malware, which refers generally to unwanted software that performs malicious actions on a user's computer. In addition to crimeware, malware encompasses (possibly) legal but malicious software, such as adware and spyware, and illegal software without a commercial purpose, such as destructive viruses. Many malware examples straddle the line between being criminal and being malicious. For example, while adware might be a nuisance to some, not all adware is, strictly speaking, criminal. Because adware resides in a gray area and because it is so prevalent, this text discusses adware in more detail in Chapter 12.
Although this text focuses on crimeware, it also discusses issues related to other forms of online malicious activity, such as the broader concepts of malware and phishing attacks. In many cases, these threats have common attributes or share some common solutions. For example, phishing attacks can be used as a social engineering lure to convince users to install crimeware on their machines. Because social engineering is an often-used mechanism for crimeware propagation, and because both phishing and crimeware can serve the ultimate goal of identity theft, it can be difficult to have a detailed exposition of crimeware without reference to phishing. Along similar lines, malware that is not crimeware might have similar propagation and detection mechanisms.
1.1.3. Crimeware Propagation
As shown in Figure 1.1, crimeware is generally spread either by social engineering or by exploiting a security vulnerability. A typical social engineering attack might aim to convince a user to open an email attachment or download a file from a web site, often claiming the attachment has something to do with pornography, salacious celebrity photos, or gossip. Some downloadable software, such as games or video player "accelerators," can also contain malware. According to the twelfth edition of the Symantec Internet Security Threat Report (ISTR), 46% of malicious code that propagated during the first half of 2007 did so over the Simple Mail Transfer Protocol (SMTP),[1] making it the most popular means of propagation [401].
[1] SMTP is the standard protocol for mail transmission over the Internet.
Figure 1.1. Crimeware propagation techniques can be broken up into two broad categories: those based on social engineering and those based on security exploitation.
Malware is also spread by exploits of security vulnerabilities; as discussed in Chapter 2, these vulnerabilities are often rooted in coding errors. In the first half of 2007, 18% of the 1509 malicious code instances documented by Symantec exploited vulnerabilities [401]. Such malware can propagate using a worm or virus that takes advantage of security vulnerabilities to install the malware, or by making the malware available on a web site that exploits a (web browser or web browser plug-in) security vulnerability. Traffic may be driven to a malicious web site via social engineering, such as spam messages that promise some appealing content at the site, or through injecting malicious content into a legitimate web site by exploiting a security weakness such as a cross-site scripting vulnerability on the site. The relatively small percentage of exploits involving vulnerability-oriented malware suggests that attackers find no need to use technically complex methods when simpler social-engineering-based methods will suffice.
Crimeware attacks often span multiple countries, and are commonly perpetrated by organized criminals. Because crimeware is designed with financial gain in mind, the perpetrators often treat their malicious activities as a full-time job rather than as a hobby. They appear to take their work seriously, as indicated by the proliferation of crimeware and the creative and sophisticated mechanisms the attackers have employed. This chapter describes and categorizes the different types of crimeware and discusses the structural elements common to various attacks.
1.2. Prevalence of Crimeware
Information theft via crimeware is a rapidly increasing problem. Phishing scams, for example, are increasingly being performed via crimeware. According to the Anti-Phishing Working Group, both the number of unique key-logging trojans and the number of unique URLs distributing such crimeware grew considerably between May 2005 and May 2007, with the bulk of the growth happening between May 2005 and May 2006 [100, 159] (see Table 1.1). Also, according to Symantec, of all threats reported from January to June 2007 that could compromise sensitive information, 88% had keystroke-logging capabilities [401]. This number was up from 76% from the previous reporting period (July to December 2006).
Table 1.1. The number of unique password-stealing applications and password-stealing malicious code URLs from May 2005 to 2006 compared with the number from May 2006 to 2007.

Month       Applications             URLs
            2005–2006   2006–2007    2005–2006   2006–2007
May         79          215          495         2100
June        154         212          526         2945
July        174         182          918         1850
August      168         172          958         2303
September   142         216          965         2122
October     154         237          863         1800
November    165         230          1044        1899
December    180         340          1912        2201
January     184         345          1100        1750
February    192         289          1678        3121
March       197         260          2157        1486
April       180         306          2683        1721
May         215         216          2100        3353

(Source: Anti-Phishing Working Group, Phishing Attack Trends Report, released July 8, 2007.)
These trends reflect the growing commoditization of crimeware technology and the use of multiple hosts, such as botnets—large networks of compromised computers used together in coordinated attacks—for distribution and data collection.[2] The use of multiple web sites to host the same piece of malicious code makes it more difficult to shut down malicious web sites and thereby stem the spread and impact of crimeware.
[2] Botnets can be used to carry out a plethora of malicious activities; they are discussed in greater detail in Chapter 7.
1.3. Crimeware Threat Model and Taxonomy
Crimeware comes in many different flavors. Cybercriminals are technically innovative, and they can afford to invest in technology so long as the investment provides adequate returns. The most dangerous crimeware attacks are carried out as part of professional organized crime. As financial institutions have increased their online presence, the economic value of compromising account information has increased dramatically.
Given the rapid evolution of cybercrime, it is not feasible to provide a comprehensive catalogue of crimeware technologies here. Nevertheless, several types of crimeware are discussed in this section, as representative of the species. The distinctions between crimeware variants are not always clear-cut, because many attacks are hybrids that employ multiple technologies. For example, a deceptive phishing email could direct a user to a site that has been compromised with content injection. The content injection could be used to install a backdoor on the victim's computer via a browser security vulnerability. This backdoor might then be used to install crimeware that poisons the user's hosts file and enables a pharming attack.[3] Subsequent attempts to reach legitimate web sites will then be rerouted to phishing sites, where confidential information is compromised using a man-in-the-middle attack. While this type of example might seem highly involved, it is not uncommon.
[3] A more detailed exposition on pharming can be found in the text edited by Jakobsson and Myers [202].
Other malicious software can also be installed using the backdoor, such as a mail relay to transmit spam and a remotely controlled slave that listens over a chat channel and participates in a distributed denial-of-service attack when a command to do so is received.
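The hosts-file poisoning step in the hybrid attack above is one of the few stages a defender can check for directly, since the poisoned file is an ordinary text file. The following is an added example (not code from the book or its authors) of such a check: it parses hosts-file syntax, flags any static binding of a watched domain, and, more generally, flags any mapping to a non-loopback address. The hosts content, the 203.0.113.45 address (a documentation range) and the example-bank.com domain are constructed for the example; WATCHED_DOMAINS is an assumed allowlist that in practice would come from the organization's own domains.

```python
"""Detect hosts-file entries of the kind a pharming crimeware instance plants."""
import ipaddress

# Constructed sample hosts file. The first two mappings are the normal loopback
# entries; the last two statically bind a bank's hostnames to an address that
# DNS would never return, so every visit is rerouted before DNS is consulted.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Entries appended by a (constructed) crimeware instance
203.0.113.45    www.example-bank.com
203.0.113.45    online.example-bank.com   example-bank.com
"""

# Assumed allowlist of domains whose presence in a hosts file is always
# suspicious (a bank would list its own domains here).
WATCHED_DOMAINS = ("example-bank.com",)


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples, one per hostname on each line.

    Comments (anything after '#') and blank lines are skipped; a line whose
    first field is not a valid IPv4/IPv6 address is ignored rather than
    treated as an error, because stray text is common in hosts files.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def in_watched_domain(name, watched):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return [(line_no, hostname, ip)] for every static binding of a watched
    hostname. Any such binding bypasses DNS, so the address it points to is
    irrelevant: the entry should not exist at all."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if in_watched_domain(name, watched):
            hits.append((line_no, name, str(ip)))
    return hits


def find_external_overrides(text):
    """Return [(line_no, hostname, ip)] for every mapping to an address other
    than loopback or the unspecified address. This is the broader check: it
    also catches redirection of sites the allowlist did not anticipate, at the
    cost of surfacing legitimate LAN entries, which a reviewer must triage."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits.append((line_no, name, str(ip)))
    return hits


if __name__ == "__main__":
    for line_no, name, ip in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}  (watched domain statically bound)")
    for line_no, name, ip in find_external_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}  (non-loopback mapping, review)")
```

On a real system the text would be read from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and a change in its hash between runs is itself worth alerting on, since the book notes the crimeware may erase itself after modifying the file.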
Notwithstanding the proliferation of various types of crimeware, a crimeware attack on a conventional computing platform without protected data or software can be roughly diagrammed as shown in Figure 1.2. Note that not all stages are required. In this diagram, the stages of a crimeware attack are categorized as follows:
1. Crimeware is distributed. Depending on the particular crimeware attack, crimeware may be distributed via social engineering (as is the case in malicious email attachments and piggyback attacks) or via an exploit of a security vulnerability (as is the case in web browser security exploits, Internet worms, and hacking).
2. The computing platform is infected. Infection takes many forms, which are discussed separately later in this chapter. In some cases, the crimeware itself is ephemeral and there may be no executable "infection" stage, as in immediate data theft or system reconfiguration attacks. For example, a crimeware instance might modify a user's hosts file before erasing itself. In such cases, the attack leaves behind no persistent executable code. In other cases, a crimeware instance might be more persistent. For example, a keystroke logger will likely continue to run on the victim's machine.
3. The crimeware executes, either as part of a one-time attack such as data theft or system reconfiguration, as a background component of an attack such as that involving a rootkit,[4] or by invocation of an infected component.
[4] A rootkit is a component that uses various stealthing techniques to mask its presence on a machine. Rootkits are discussed in greater detail in Chapter 8.
4. Confidential data is retrieved from storage, in attacks such as those involving data theft. For example, the crimeware can scan the victim's hard drive for sensitive information.
5. Confidential information is provided by the user, in attacks such as those involving keyloggers and web trojans. Here the crimeware instance might wait passively until the user visits a particular web site or engages in a particular type of transaction. At that point, the crimeware instance will record whatever information the victim enters.
6. The attacker misappropriates confidential data. Data may come from any of several sources (e.g., the victim's hard drive or his or her keystrokes) depending on the type of crimeware involved.
7. The legitimate server receives confidential data, either from the executing crimeware (in attacks in which data is explicitly compromised by the crimeware) or from the attacker (in man-in-the-middle attacks).
Figure 1.2. The stages of a typical crimeware attack. First, the crimeware (1) is distributed, (2) infiltrates a particular computing platform, and (3) executes. At this point, crimeware can function in multiple ways depending on the nature of the particular crimeware instance. For example, the crimeware instance may (4) scan the user's hard drive for sensitive information or (5) intercept the user's keystrokes. In some modes, the crimeware instance transmits the information it collected (6) directly to the attacker. In other modes, the information is transmitted indirectly to the attacker through an otherwise (7) legitimate server that is being misused. In the case of a man-in-the-middle attack, the information will be sent to (6) the attacker before it is relayed to (7) a legitimate server.