Difference between revisions of "Evolution of Cybercrime and current situation"

From CyberSecurity

Revision as of 17:34, 3 December 2005

--Hema 09:25, 2 December 2005 (PST)

Categories of CyberCrime

1)Spam - Spam now represents more than 50 percent of all email transmitted over the Internet. Its costs, which Internet service providers (ISPs) pass on to their customers, are enormous. With spam’s ubiquity comes a whole culture and industry devoted to fighting it. Large groups of people, such as the Spamhaus Project, spend lots of effort to identify spam’s sources so as to shut down spammers’ Internet access. They’ve even created new technology to flag its sources (DNS- or border gateway protocol (BGP)-based blacklists) and spam messages (Bayesian networks, distributed checksum databases, and heuristics) for filtering purposes. Increasingly on the defensive, spammers are fighting back by becoming more sophisticated, generating unique messages, and finding new open proxies or SMTP relays to send messages and hide their true sources.

2)Extortion & Reputational Damage—In the Internet variant of a protection racket, criminal gangs will threaten companies with disruption of their networks, denial of service attacks, or the theft of valuable information unless they pay ransom or security consultant fees into an offshore bank account. They can deface a company’s Web site, causing not just embarrassment but loss of sales. In other cases, spite or a desire to inflict harm means that the attack will be executed without warning.

3)Fraud & Phishing—The anonymity and opportunities for misrepresentation found on the Internet make fraud easy. Internet fraud has also become a serious problem. Consumer Sentinel, a complaint database developed and maintained by the US Federal Trade Commission (www.consumer.gov/sentinel/), has recorded more than 390,000 Internet-related fraud complaints about transactions involving over US$540 million losses in 2004 alone. Fraud schemes are usually peddled by individuals who spam potential victims, such as the Nigerian, or 419, scam. But as the number of fraud cases has increased, so has the public’s awareness of them; fraudsters are increasingly forced to resort to more intricate schemes. We’re now seeing the practice of “phishing” gaining popularity with fraudsters. Using this scheme, criminals create email messages with return addresses, links, and branding that seem to come from trusted, well-known organizations; the hope is to convince the victim to disclose sensitive information. This practice is rooted in crackers’ first attempts to fool America Online users into parting with their screen names and passwords in the mid-1990s. The goal these days is to extract information from a victim that crackers can use for financial gain more than for tweaking AOL users. A commonly targeted item is victims’ credit card information (number, expiration date, card-validation value, and so on). Criminals also want access to Internet payment systems such as e-Bullion, e-gold, Evocash, INT Gold, Gold-Money, PayPal, and Swiftpay; online transaction services such as Authorize.Net, iBill, and Verotel; and Internet-accessible banks such as Bank of America, Barclays Bank, Citibank, Halifax Bank, Lloyds Bank, Nationwide Bank, and Wells Fargo.

5)Service Disruption—A cybercriminal can use an Internet attack to disrupt a key service. Denial of service attacks are one method; worms and viruses containing malicious code are another. A major auto manufacturer was one of many companies that had to shut down its e-mail network for a few days because of the Love Letter virus. Some viruses will wipe computer memories clean, erasing payroll records or invoices.

6)Information Theft—The most damaging category of Internet crime, information theft can take several forms. Cybercriminals can extract personal identification information or credit information from a company’s database and affect thousands of consumers. Cybercriminals can also extract a company’s own financial information. Finally, cybercriminals can steal valuable intellectual property (designs, blueprints, and marketing plans) from a company. While the reported cost of information theft is declining, it remains one of the greatest Internet risks a company can face.

7)Money Laundering—The growth of global financial services makes it easy to conduct banking operations across borders over the Internet. The Financial Action Task Force, a group of national law enforcement agencies, notes that “Within the retail banking sector, services such as telephone and Internet banking allow customers to execute transactions on a non face-to-face basis from any location with telephone or internet access.” While use of the Internet provides law enforcement agencies a greater ability to trace transactions through electronic records, the volume of transactions, the anonymity, and the lack of consistent record-keeping make it attractive to criminals and terrorists.
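The spam entry above names the two defensive techniques that anti-spam groups built: DNS-based blacklists of sending hosts and Bayesian classification of message text. The following is an added example, not code from the original page or from any of the projects it names. It trains a small naive Bayes classifier on a constructed six-message corpus and scores new messages, and it shows how a DNS blacklist lookup name is formed (the address octets reversed and the list zone appended). The training messages, the `dnsbl.example` zone and all function names are constructed for the example; no network query is made.

```python
import math
import re
from collections import Counter

# Constructed training corpus for illustration only (not real mail).
# Each entry is (message text, is_spam).
TRAINING_MESSAGES = [
    ("buy cheap meds online now limited offer", True),
    ("win a free prize click here now", True),
    ("cheap offer free money click now", True),
    ("meeting agenda for tuesday project review", False),
    ("please review the attached project budget", False),
    ("lunch tomorrow to discuss the agenda", False),
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word tokens; presence of a word is the feature, not its count."""
    return set(TOKEN_RE.findall(text.lower()))


class NaiveBayesSpamFilter:
    """Naive Bayes over word presence with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha  # smoothing constant so unseen words never get probability 0
        self.word_counts = {True: Counter(), False: Counter()}
        self.doc_counts = {True: 0, False: 0}
        self.vocab = set()

    def train(self, messages):
        for text, is_spam in messages:
            tokens = tokenize(text)
            self.vocab.update(tokens)
            self.doc_counts[is_spam] += 1
            self.word_counts[is_spam].update(tokens)

    def _log_score(self, tokens, is_spam):
        counts = self.word_counts[is_spam]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        prior = self.doc_counts[is_spam] / sum(self.doc_counts.values())
        return math.log(prior) + sum(
            math.log((counts[t] + self.alpha) / denom) for t in tokens
        )

    def spam_probability(self, text):
        # Words never seen in training carry no evidence either way, so drop them.
        tokens = [t for t in tokenize(text) if t in self.vocab]
        log_spam = self._log_score(tokens, True)
        log_ham = self._log_score(tokens, False)
        # Normalise in log space to avoid underflow on long messages.
        m = max(log_spam, log_ham)
        p_spam = math.exp(log_spam - m)
        p_ham = math.exp(log_ham - m)
        return p_spam / (p_spam + p_ham)

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold


def dnsbl_query_name(ip, zone="dnsbl.example"):
    """Build the DNSBL lookup name for an IPv4 address: octets reversed, then the
    list zone appended. The zone is a placeholder; this performs no DNS query."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def build_filter():
    """Train a filter on the constructed corpus."""
    f = NaiveBayesSpamFilter()
    f.train(TRAINING_MESSAGES)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("free prize offer click now", "project review meeting agenda"):
        print(f"{msg!r}: p(spam)={f.spam_probability(msg):.3f}")
    print(dnsbl_query_name("192.0.2.10"))
```

The threshold of 0.9 is deliberately conservative: a false positive (legitimate mail discarded) usually costs more than a false negative, so the classifier only labels mail as spam when the evidence is strong. Smoothing matters for the same reason, since without it a single unseen word would drive one class's probability to zero.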

Cybercrime Tools

1)Bots—A bot (short for robot) is a computer on which a worm or virus has installed programs that run automatically and allow cybercriminals access and control. Cybercriminals use viruses or bots to search for vulnerable computers where they can load their own programs or store data. A bot network is a collection of these infected machines, often compromised weeks or months earlier by attackers using worms or viruses to plant backdoor components that can be centrally controlled and used to launch simultaneous attacks. Spammers, hackers, and other cybercriminals are acquiring or renting bot networks, making it harder for authorities to track down the real culprits.

2)Keylogging—A program that covertly recovers the keys typed by a computer user and either stores the data for later access or secretly sends the information to the author. The advantage of a keylogger program is that the cybercriminal does not need to trick a computer user into supplying sensitive information.

3)Bundling—Covertly attaching a virus or spyware to a benign or legitimate download, such as a screensaver, a game, freeware, or an image. When the computer user downloads and installs the legitimate file, they are unwittingly also giving permission to install the criminal program.

4)Denial of Service—An attack specifically designed to prevent the normal functioning of a computer network or system and to prevent access by authorized users. A distributed denial of service attack uses thousands of computers captured by a worm or trojan to launch tens of thousands of e-mail messages at the target in a very short time. Attackers can cause denial of service attacks by destroying or modifying data or by using zombie computers to bombard the system with e-mails until its servers are overloaded and other users can no longer gain access.

5)Packet Sniffer—Software program that monitors network traffic. Attackers use packet sniffers to capture and analyze data transmitted via a network. Specialized sniffers capture passwords as they cross a network.

6)Rootkit—A set of tools used by an intruder after hacking a computer. The tools allow the cybercriminal to maintain access, prevent detection, build in hidden backdoors, and collect information from both the compromised computer and from other computer systems on the network. Rootkits are available for most major operating systems.

7)Spyware—Software that gathers information without the user’s knowledge. Spyware is typically bundled covertly with another program. The user does not know that installing one also installs the other. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather and relay information on e-mail addresses, passwords, and credit card numbers.

8)Scripts—Short programs or lists of commands, usually available as shareware from hacker sites, that can be copied, remotely inserted into a computer, and used to attack and disrupt computer operations.

9)Social Engineering—Social engineering is not limited to cybercrime, but it is an important element of cyber fraud. Social engineering tricks or deceives the recipient into taking an action or revealing information. The reasons given seem legitimate but the intent is criminal. Phishing is an obvious example—a certain percentage of users will respond unthinkingly to a request that appears to be from a legitimate institution.

10)Malicious Code – Worms and Trojans

A Trojan is a malicious program unwittingly downloaded and installed by computer users. Some trojans pretend to be a benign application. Many hide in a computer’s memory as a file with a nondescript name. Trojans contain commands that a computer automatically executes without the user’s knowledge. Sometimes a trojan can act as a zombie and send spam or participate in a distributed denial of service attack, or it can be a keylogger or other monitoring program that collects data and sends it covertly to the attacker. Many trojans now also attempt to disable anti-virus programs.

Worms are wholly contained viruses that travel through networks, automatically duplicate themselves and mail themselves to other computers whose addresses are in the host computer. They propagate by sending copies of themselves to other computers through e-mail or Internet Relay Chat (IRC).

One trick in the spammer’s arsenal is to use worms and trojans to create spam relays. Backdoor.Hogle’s creator designed it specifically for this purpose. After infecting a system, it checks to see whether the host’s IP address is listed in the blacklists that spamcop.net and abuse.net maintain; if it’s listed, the program terminates. Several other worms are suspected vehicles for installing proxies that spammers can use (for example, the current crop of MyDoom worms).

Reverse HTTP proxies – Spam sometimes points the recipient back to a Web site. Antispam crusaders attempt to track down these Web sites, contact the responsible ISPs, and have them shut down. This denies the spammer satisfaction even if a user is fooled into visiting a site. A backdoor found in the wild, Backdoor.Migmaf, had a clever way to get around this counterattack. It acted as a reverse HTTP proxy (see www.lurhq.com/migmaf.html), infecting thousands of computers. The spammer sent out spam with links to hosts such as linkxxxsites.com, and then used the domain’s DNS servers to point the hostname to an infected machine’s IP address. The machine would then proxy the HTTP request to the real Web server and send results back to the client, thus hiding the true Web server’s IP address from the client. The spammer changed the IP address that the hostname pointed to every 10 minutes, so to shut down the Web site, antispam activists would have had to determine the IP addresses of thousands of infected machines and disable, disconnect, or disinfect them—a difficult job indeed. Backdoor.Migmaf also acted as a SOCKS proxy server, which permitted the spammer to send out anonymous spam. Infected machines participated in a PayPal phishing scam by acting as a proxy for the scam’s Web site (www.securityfocus.com/archive/1/328772). Evidence suggests that spammers similarly used an earlier worm, W32.HLLW.Fizzer, to point to their spam Web sites.

12)Virus—A program or piece of code that spreads from computer to computer without the users’ consent. They usually cause an unexpected and negative event when run by a computer. Viruses contaminate legitimate computer programs and are often introduced through e-mail attachments, often with clever titles to attract the curious reader.

13)Zombie—A computer running programs that give control to someone other than the user. Zombies automatically execute commands from someone other than the user, without the user’s knowledge. Zombies are created by placing executable code on a user’s machine (often through use of a trojan); a cybercriminal can gain control of the computer and have it automatically (and usually covertly) execute a command to initiate a denial of service attack, send spam, or perform other activities.

14)Internet message boards – Internet message boards dedicated to stocks are fertile ground for impersonators. A habit of many posters to these boards is to cut-and-paste press releases and news stories from other electronic sources into their posts to alert other posters and visitors to that information. Frequently, posters will paste in a hyperlink to direct a reader to a source directly, as Hoke did in the PairGain hoax. (http://www.sec.gov/litigation/litreleases/lr16266.htm)
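The reverse-proxy scheme described under "Reverse HTTP proxies" leaves a distinctive trace on the defender's side: one hostname resolving, every few minutes, to a different address in an unrelated network, with TTLs short enough for the rotation to take effect. The following is an added example, not code from the original page: it reads a constructed passive-DNS log (hostnames, addresses and TTLs observed over an hour), and flags hostnames whose resolution pattern matches that rotation while leaving a stable site and a small load-balanced site alone. The log lines, the `linkxxxsites.example` placeholder derived from the hostname in the text, the thresholds and the function names are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed passive-DNS observations (not real data): when a hostname was seen
# resolving to which address, and the TTL the answer carried.
DNS_OBSERVATIONS = """\
2005-12-01T10:00:00 linkxxxsites.example 192.0.2.10 ttl=300
2005-12-01T10:10:00 linkxxxsites.example 198.51.100.20 ttl=300
2005-12-01T10:20:00 linkxxxsites.example 203.0.113.30 ttl=300
2005-12-01T10:30:00 linkxxxsites.example 192.0.2.77 ttl=300
2005-12-01T10:40:00 linkxxxsites.example 198.51.100.88 ttl=300
2005-12-01T10:50:00 linkxxxsites.example 203.0.113.99 ttl=300
2005-12-01T10:00:00 www.example.org 198.51.100.5 ttl=86400
2005-12-01T10:30:00 www.example.org 198.51.100.5 ttl=86400
2005-12-01T11:00:00 www.example.org 198.51.100.5 ttl=86400
2005-12-01T10:00:00 cdn.example.net 203.0.113.40 ttl=60
2005-12-01T10:05:00 cdn.example.net 203.0.113.41 ttl=60
2005-12-01T10:10:00 cdn.example.net 203.0.113.40 ttl=60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+ttl=(?P<ttl>\d+)$"
)


def parse_observations(text):
    """Group observations by hostname as a list of (ip, ttl); malformed lines are skipped."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        by_host[m.group("host")].append((m.group("ip"), int(m.group("ttl"))))
    return by_host


def slash24(ip):
    """The /24 network an address belongs to, used as a cheap proxy for 'same operator'."""
    return ".".join(ip.split(".")[:3])


def flux_score(records, min_ips=5, min_networks=3, max_ttl=600):
    """Return (is_flux, summary) for one hostname's records.

    Heuristic: a site legitimately sits on one or a few addresses in one network,
    and even a load-balanced site keeps its addresses in a small number of
    networks. A proxied spam site rotates through many addresses scattered across
    unrelated networks, with TTLs short enough to make the rotation effective.
    """
    ips = {ip for ip, _ in records}
    networks = {slash24(ip) for ip in ips}
    median_ttl = statistics.median(ttl for _, ttl in records)
    summary = {
        "distinct_ips": len(ips),
        "distinct_networks": len(networks),
        "median_ttl": median_ttl,
    }
    is_flux = (
        len(ips) >= min_ips
        and len(networks) >= min_networks
        and median_ttl <= max_ttl
    )
    return is_flux, summary


def find_flux_hosts(text):
    """Hostnames in the observation log matching the fast-rotation pattern."""
    return sorted(
        host for host, recs in parse_observations(text).items() if flux_score(recs)[0]
    )


if __name__ == "__main__":
    for host, recs in parse_observations(DNS_OBSERVATIONS).items():
        print(host, flux_score(recs))
```

The three criteria are combined deliberately. Address count alone would flag any large content-delivery host; network diversity alone would flag multi-homed sites; a short TTL alone is common practice for legitimate failover. Only the combination, sustained over an observation window, characterises a hostname that is being bounced between compromised machines.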

Malware and Threat Evolution

Viruses started appearing on dedicated networks such as the ARPANET in the 1970s. The boom in personal computers, initiated by Apple in the early 1980s, led to a corresponding boom in viruses. As more and more people gained hands-on access to computers, they were able to learn how the machines worked. And some individuals inevitably used their knowledge with malicious intent. While the viruses of the 1980s targeted a variety of operating systems and networks, most viruses today are written to exploit vulnerabilities in the most commonly used software: Microsoft Windows. The increasing number of vulnerable users is now being actively exploited by virus writers. The first malicious programs may have shocked users, by causing computers to behave in unexpected ways. However, the viruses which started appearing in the 1990s present much more of a threat: they are often used to steal confidential information such as bank account details and passwords.

Classic file viruses reigned supreme in the 90s; however they have almost totally disappeared today. There are currently about 10 file viruses that are still active. They experience peaks of activity when they infect the executable files of worms: the file virus will then travel as far as the infected worm file. For instance, we often see samples of MyDoom, Netsky and Bagle that are infected by file viruses such as Funlove, Xorala, Parite or Spaces. On the whole, there is very little danger that classic file viruses will cause any major epidemics.

The trends in virusology that we observe today have their primary roots in the second half of 2003. The Internet worms Lovesan, Sobig, Swen and Sober not only caused global epidemics, but also profoundly changed the malware landscape. Each of these malicious programs set new standards for virus writers. Because there were no new critical vulnerabilities in Windows, virus writers had to find other popular methods of data transmission to distribute their creations. Classic email worms are on the decline, with network and instant messaging worms exploiting relatively lax security to take their place in early 2005. IM worms were at the peak of their development in spring and summer 2005, and showed the highest growth rate among all classes of network worms. In the first six months of this year, an average of 28 new IM worms were detected every month. It should be stressed here that when P2P worms were at the peak of their evolution in 2003, approximately 10 new variants were detected every week.

However, the situation suddenly changed. The flood of IM worms dried up: AOL and MSN, both of which have proprietary IM clients, were the main targets for such worms. Both companies took measures to protect their users: firstly, by blocking the transmission of files with names and extensions which were known to be used by IM worms. In spite of the fact that IM worms rarely use file transmission as a propagation method, the move did have a noticeable effect. The next step was to block the worms' main method of propagation: hyperlinks leading to files containing the body of the worm.

These actions closed the majority of security loopholes being exploited by virus writers. Most importantly, they closed the loopholes used by IM worms based on source code circulating in the computer underground. Most of the code used in IM worms is of fairly low quality. The majority of these worms are created by script kiddies who have no significant programming skills. When the off-the-shelf code was no longer effective, these self-styled virus writers were unable to create new propagation methods on their own, and this led to a sharp drop in the number of new worms.

However, phishing attacks are now moving to the fore; the convergence of adware and malicious code, the increase in botnets, and malicious programs for mobile devices seem to indicate that this year may simply be the calm before the storm. Improved antivirus technologies and increased user awareness of security issues are clearly forcing virus writers and hackers to use new approaches to access users' information and systems. Attack vectors are changing. Malicious users are starting to use viruses which propagate by exploiting vulnerabilities within web applications, particularly Internet Explorer, rather than network and email worms. One consequence of this is an increase in the number of compromised sites. Exploits for IE are placed on compromised sites, which means that users who visit these sites will have Trojans downloaded to their machines. Such attacks tend to become more prevalent at times when there are no critical vulnerabilities in Windows. To date Linux-based platforms have mainly been the victims of rootkit attacks and simple file viruses. However, the growing number of publicized vulnerabilities means that the increased number of users switching to Linux will not remain untouched by new malware. We have absolutely no doubt that the near future will show a change of approach from malicious users. They will move away from searching for vulnerabilities in traditional operating systems - Windows/*nix and associated applications - towards networking equipment, firewalls, and antivirus solutions.

Handhelds – PDAs are now almost household appliances. Virus writers have not been slow to take advantage of their growing popularity. The first Trojan for Palm OS appeared in September 2000. So far there have not been any serious virus outbreaks in the world of handhelds, but it is only a question of time. Once virus writers decide that information saved on handhelds is worth accessing, malware for these devices will undoubtedly evolve rapidly.

Mobile phones have come a long way, and are now both complex and widely used. These two factors are bound to attract the attention of virus writers, particularly with the advent of smart phones, which effectively have computer functionality. The first proof of concept virus for smartphones running Symbian OS appeared in June 2004. The only missing factor is commercial use - once virus writers identify a way to make money by exploiting cell phones, viruses will inevitably appear.

And finally, the increasing interest in on-line games, with the potential profits to be made in this area, makes it more than likely that malicious code designed to steal such information will continue to evolve rapidly. The first Trojan for gaming consoles has also been discovered. Sony PlayStation Portable was the first victim - the Trojan targeting this device deleted system files, causing the console to cease functioning correctly. This behaviour is very similar to Trojans for mobile phones. A few days later, a Trojan targeting Nintendo DS was detected. It may be that these new Trojans for gaming consoles signal the start of a new interest among virus writers.

Evolution of Exploit Frameworks

Computer attackers, both the evil ones and pro-penetration testers, increasingly rely on powerful exploitation frameworks to launch their attacks. Free tools like Metasploit and commercial tools like CORE IMPACT and Immunity CANVAS have revolutionized the attackers' methodology. In the old days, upon finding a vulnerability, the attacker either had to create custom exploit code from scratch or scour the Internet to find such code to exploit the hole. Today, instead of scraping together a bunch of individual exploits, these integrated exploit frameworks include around one hundred or more exploits to compromise target systems.

One of the nicest properties of the exploit tools from an attacker's perspective is the separation of the exploit from the payload. An exploit is the software that takes advantage of a flaw, letting the attacker load and execute machine language instructions of the attacker's choosing. The code triggered by the exploit is known as the payload. Old-fashioned attacks tightly bundled exploits and payloads together. You might have a buffer-overflow attack against a vulnerable FTP service, which would give the attacker command-shell access. Another attack might exploit a database buffer overflow with the purpose of adding a user for the attacker to the local administrators group. But, with this tight integration, the attackers were stuck with the given payload attached to the given exploit for the given vulnerability. Taking the payload from one attack and embedding it with another exploit required some serious machine-language fine tuning, and was often impossibly difficult. To remedy this situation, today's exploit frameworks include an arsenal of different exploits and an arsenal of different payloads, each offering a different effect the attacker wants to have on the victim. So today, the attacker can use a tool like Metasploit to choose an exploit [such as a buffer overflow in lsass.exe, originally used by the Sasser worm last year]. Then, the attacker can choose from more than a dozen different payloads. Metasploit packages the payload with the exploit, and then launches it at the target.

The real effect of these frameworks in separating the exploits and the payloads is now reverberating through our industry. Developers who create fresh exploits for new flaws don't have to reinvent the payload wheel every time. Thus, they can focus their time on perfecting their exploits and producing them much more quickly. What's more, those developers who don't focus on exploits can now zoom in on the production of really high-quality, massively functional payloads.

Evolution & Profile of the attacker

There is a growing convergence of technically savvy computer crackers with financially motivated criminals. Historically, most computer crime on the Internet has not been financially motivated: it was the result of either curious or malicious technical attackers, called crackers. This changed as the Internet became more commercialized and more of the public went online. Financially motivated actors, spammers and fraudsters, soon joined crackers to exploit this new potential goldmine. Criminals have fully adopted the techniques of crackers and malicious code authors. These are financially motivated people, and we must assume that they will pursue their goals considerably more aggressively than an average cracker. They have the monetary means to buy the required expertise to develop very sophisticated tools to accomplish their goals of spamming and scamming the public.

The perpetrators of these attacks vary considerably. At the low end are script kiddies, who are usually unsophisticated users who download malicious software from hacker web sites and follow the posted instructions to execute an attack on some target. These attacks are often only annoyance attacks, but they can be more severe. At the next level are hackers who are trying to prove to their peers or to the world that they can compromise a specific system, such as a government web site. Next are insiders, who are legitimate users of a system that either access information that they should not have access to or damage the system or data because they are disgruntled. Insiders are often less knowledgeable than hackers, but they are often more dangerous because they have legal access to resources that the hackers need to access illegally.

Next are organizational level attacks. In this case, the organization’s resources are used to get information illegally or to cause damage or deny access to other organizations to further the attacking organization’s gain. These can be legitimate organizations, such as two companies bidding on the same contract where one wants to know the other’s bid in order to make a better offer. They could also be criminal organizations that are committing fraud or some other illegal activity. At the highest level is the nation state that is trying to spy on or cause damage to another state. This level used to be called “national lab” attackers, because the attackers have a substantial amount of resources at their disposal, comparable to those that are available to researchers at a national lab, such as Los Alamos Laboratory or Lawrence Livermore Laboratory. After the September 11, 2001 terrorist attacks on the World Trade Center, the idea of nation state level cyber attacks being carried out by terrorists became a big concern.