Malware at a glance or: Facing the latest threats



Malware at a glance or: Facing the latest threats
Malware at a glance
or: Facing the latest threats
Raimund Genes
CTO Anti-Malware
Once upon a time…
• Profile:
Between 14 and 34 years of age
Computer addicted
No permanent girlfriend
Jeffrey Lee Parson
Sven Jaschan
No commercial interest!!!
David L. Smith
Onel de Guzman
The most famous quote for malware writers
The secret of life is honesty and fair dealing
If you can fake that, you‘ve got it made
Groucho Marx
Cybercrime – not only a word
But reality!
Jeanson James Ancheta from California
20 year old
Was arrested 4th of November 2005 in Los Angeles
Created a botnet with 400000 computers under his control
Botnet was for rental to spread Spam or to start DDOS
Access to BotNet was granted for 3000 USD in average, over 30
transaction have been made = 90000 USD
• $107,000 in advertising affiliate proceeds by downloading
adware to the infected computers
• 60000 USD in cash, pimped up BMW and high end computer
Ancheta will be in jail for 57 month, he even infected a US
Marine Naval Air Warfare, China Lake, CA
A typical Bot Herder: 0x80" (pronounced X-eighty)
Background: High school dropout.
Attitude: "most of these people I infect are so stupid they really ain't got no
business being on the Internet in the first place.“
Working hours: approx. 2 minutes/day to manage Botnet.
- Monthly earnings: $ 6800 on average.
Daily Activities: Chatting with people while his bots make him money.
- Recently paid $800 for an hour alone in a VIP room with several dancers.
Job Description: Controls 13,000+ computers in more than 20 countries.
– Infected Bot PCs download Adware then search for new victim PCs.
- Adware displays constant ads and mines data about the victim's online
browsing habits.
- Malicious Bots collect data incl. password, e-mail address, SS#, credit and
banking data, a.s.o
- Gets paid by companies like,,
Loudcash, or 180Solutions.
Source: Washington Post: Invasion of the Computer Snatchers 6
Cybercrime – not only a word
But reality!
• Jay R. Echouafni
• Entrepreneur
• CEO Orbit Communications
• ... and BotNet-Renter
Jay Echouafni rented Botnets to switch off webpages through
50.000 USD, or we shut down your page!
Eight Years for Extorting Millions
The strategy was simple. A bookmaker
that was accepting online stakes in time
of some big sports competitions received
an e-mail, notifying the site was under
attack and urging to pay $40,000. The email was followed by a trial attack and
then by another e-mail demanding to
transfer money via Western Union to
accounts in Riga, Latvia.
The accused attacked nine British and
Irish bookmakers and casinos from the
Ivan Maksakov (Wrote Bots)
fall of 2003 till the spring of 2004, casing
Alexander Petrov (Controlled DDoS attacks) direct damage of over £2 million. The
Denis Stepanov (Some initial arrangements) amount reached £40 million once the
costs incurred for buying protection
equipment were taken into account.
So what is a Botnet?
• Botnet: A large number of compromised computers
(zombies) controlled by an unauthorized entity for
(usually) malicious purposes.
• Zombie: A computer that has been covertly taken over
by an unauthorized entity.
How big is the problem?
• Botnets: The #1 emerging Internet threat
• Estimated 7% of all computers on the internet are zombies (75-100
million machines)
– Responsible for over 80% of all spam
– Generate click fraud in excess of $1 billion annually
– Phishing to commit identity theft
– DDOS attacks for extortion or retribution of 8-22Gbps
– Malware distribution such as key loggers
– Propagation of the species - 200k bots/month growth
How do you spread
With clever Social
Engineering –
Spreading is only
one Double-Click
Country specific targeted attacks!
• Phishing
Uses Social Engineering
Pursues users to give away confidential data
Mail from a “trusted source”
Call for action: “your account will be closed”, “update your
• Link to a web page, which looks like the “real one”
• Access data will be transferred to third parties
Goes to a site in Romania
BKA President Dr. Joerg Ziercke: Success-Quote of Phishing attacks in germany: <> 5%
ConsumerReports (USA): Phishing attacks on US citizens have generated 630 M USD in 2005
• “automated” Phishing
• DNS Cache Poisoning
• DNS Server Hacks
• “real” adresses will be redirected to wrong adresses
• No Phishing Mails needed – automated attacks with
Ransomware – Troj_Ransom.A
Web – The latest method to spread malware!
Study: Browsers Are Chief Virus Carrier
SEPTEMBER 13, 2006 | If you work in security for one of those "cool"
companies that lets employees use the corporate network to surf the
Web on their own time, you might want to think about becoming a
According to a study of 200 companies published earlier today by IDC
Denmark, Web surfing has surpassed email as the most prevalent
method of spreading worms and viruses. (See IDC: Private Internet
Use Insecure.)
"There is a common misconception that emails constitute the biggest
security threat from the Internet," says Per Andersen, managing
director at IDC Denmark. "But the survey shows that up to 30 percent
of companies with 500 or more staff have been infected as a result of
Internet surfing, while only 20 to 25 percent of the same companies
experienced viruses and worms from emails."
What are we really facing?
The amazing case of Gromozon (aka Troj_LINKOPTIMI)
•In May 2006 italian users started to report strange behaviour in
Windows – crashes at boot up, unusual popups from heuristic AV, but
files couldn‘t be cleaned, odd files on the harddisks. Then users start
to report infections of rootkits, discovered by some rootkit scanners.
It starts with a webpage...
The webpage contains an obfuscated JavaScript.
This encrypted JavaScript actually calls another webpage!
This webpage then runs a complex PHP script, checking
which browser is used
The PHP script starts different infection routines, depending on the
browser. It checks for Internet Explorer (version checking as well),
Firefox and Opera.
Using browser specific vulnerabilities it tries to autoload the file
If this is not working it asks the user – then Firefox users are save
(default settings)... But not the MS IE community...
The file is a downloader. It is using a server side
polymorphism, changing it‘s shape all the time. It connects to a remote
server and drops installers, installing an adware program, a rootkit and
a Windows service. The Windows service links to a file which is
encrypted by the infected system, utilizing the Windows Encrypting
File System (EFS). The welknown adware LinkOptimizer is hidden to
the user (and to AV software) by the rootkit. The rootkit even prevents
Anti-Rootkit tools like F-Secure Blacklight from running.
OK Gromozon is the mother of all malware,
but an exception, or?
Automatic Analysis of a Stration variant
Travel Policies are dangerous…
Say you are a new hire for any company. Your boss asks you to develop a well-researched and
well-documented company policy on, say for example, company employee travels. Most often
than not, you will have to start of with a Google search. And that is exactly what you do. Open
Google and type in "travelpolicy". This will be the result:
Oct 7, 2006
Travel Policies are dangerous…
You don't choose the first hit simply because you see it's a .GOV site and information found in
.GOV sites may seem too lengthy for your objectives. You just need a simple do-it-yourself
tutorial in how to create and implement a travel policy guide for your business - which is exactly
the description for the second hit encircled in the above image. So you click on the URL.
And then the site opens...
Seems like the site is pretty
much taking more time in
downloading images and
content. So you wait... And
wait... And when you observe
that it's been taking forever for
the site to complete, you close
the window and move on to
other sites that can offer the
information that you need.
End of story?
Not quite.
Travel Policies are dangerous…
As you waited for the site to completely show up, something was already
happening in the background that goes unobserved...
The site,, has an IFRAME at the very top which
leads you to the The index.html file actually
has a script that exploits the MS Internet Explorer (MDAC) Remote
Code Execution Exploitdescribed in MS06-014. The original exploit
code is also modified in an attempt to bypass AV scanners that detect the
original code.
It sure is nasty! An executable file, win.exe, is downloaded to your
system and executed. This file is actually a backdoor with rootkit
features, and is a variant of the notorious family of backdoor rootkits
known as Haxdoor!
Travel Policies are dangerous… not anymore
Now it‘s an
innocent page
So was the site
Was it done on
Oct 14, 2006
Get Rich quick… the hacker’s dream
Zero day attacks on sale!
Get Rich quick… the hacker’s dream
Webattacker Toolkit order page
Dear friends! We are glad to offer you multicomponental exploit WebAttacker IE0604, provided to exploit vulnerabilities in popular Internetbrowsers like Internet Explorer and Mozilla Firefox. Utilizing the
vulnerabilities you can install any executable program on local disks of
people visiting your sites.
Purpose(Assignment) of Webattacker: the latent loading of an EXEprogram from the remote Web-Source with the automatic start of this
program on a local disk of the visitor.
Threat Summary
• The internet is now really in a golden age - of criminal invention!
•Phishing, Pharming, Spyware, Spam - all linked to making money! And
due to the fact that even Spam is banned in some countries now (Can
Spam Act, Anti Spyware act in California) it is getting more and
important for these criminals to hide their traces.
•The bad guys are hiring amateurs and professional programmers who
could write BOTS to hijack computers. These so called Zombie
computers are then uses for all kind of criminal activities - from sending
spam, starting phishing attacks up to Distributed Denial of Service attack
(DDOS), we have seen everything..
Another famous quote
Willy Sutton, a famous bank robber
in the 40th (robbed banks in Miami,
New York and New Orleans) was
asked why he robbed banks
„Because that‘s where the money is“
A modern Willy Sutton
Hacking raid on Sumitomo bank thwarted
Thieves may have used keylogging to try to steal $424M
MARCH 17, 2005 (TECHWORLD.COM) - Security experts are praising Sumitomo
Mitsui Banking Corp. for admitting that it was the target of a failed $424 million
hacking attempt.
The U.K.'s National High Tech Crime Unit (NHTCU) has issued a warning to large banks
to guard against keylogging, the method adopted by the would-be thieves in an attack
on the Japanese bank's London systems. The intruders tried to transfer money out of
the bank via 10 accounts around the world.
Yeron Bolondi, 32, was seized by Israeli police yesterday after an alleged attempt to
transfer some of the cash into his business account. He was reportedly charged with
money laundering and deception.
In a statement, Israeli police said there had been an attempt to transfer $26.7 million into
the account "by deception in a sophisticated manner."
Big Numbers....
•Identity thieves are expected to steal more than 1 trillion in 2006!
•The FBI claims, that financial loss from spyware and other computer
related crimes have cost U.S. businesses $62 Billion in 2005
•Cybercriminals are making more money then the „illegal drug trading
industry“ according to the U.S. treasury
•Each day, $24 billion in bank deposits are at risk each day in the United
The threats will not disappear!
That‘s why Trend Micro is adressing the root problem!
Root Problem: Spam and Phishing
Trend Micro‘s hall of shame – Network Reputation Services
I hope that Microsoft is wrong this time...

Similar documents