ESET Threat Blog

Archive for the 'cybercrime' Category

Operation Cyber ShockWave


Tuesday, February 16th, 2010

While serving in the Marine Corps, one activity that I felt was effective in preparing both myself and my unit to be able to handle real-world scenarios, was getting as much experience as possible from military training exercises. In most cases multiple branches worked together or, as in the case with NATO exercises, multiple countries worked together. The goal was always to prepare us for various potential scenarios as well as learning to quickly adapt due to the impossible-to-calculate number of permutations of attacker, weapons, target, collateral damage, etc. 

Today the Bipartisan Policy Center (BPC) held a simulated cyber attack against the United States. The goal was to take a group of former high-ranking Cabinet and national security officials and successfully complete the mission of advising the president throughout the crisis. Their responses will be in real time, as will the intelligence and news feeds. The full list of participants is available from the PRNewsWire press release (http://www.prnewswire.com/news-releases/cyber-shockwave-hits-washington-83570087.html).

The exercise began at 10 am EST and lasted for three hours. During that time, the attack escalated from cellular networks to electrical utilities. The exercise was designed by former CIA Director Michael Hayden in partnership with the BPC. 

To understand the scope and capabilities of the adversaries we are facing in today's connected world, I selected what I thought was a very applicable report: Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence. This report is from the congressional testimony on February 2, 2010, by US Director of National Intelligence, Dennis Blair. Below are samplings of his comments: 

"The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools."

"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."

The full testimony (PDF) is available here (http://www.dni.gov/testimonies/20100202_testimony.pdf)

This brings to mind the old adage, "fight fire with fire" – which is applicable when combating cybercrime and cyber attackers. Continually increasing global cooperation (for instance: laws, extradition agreements, criminal sentences) coupled with fast-paced innovation can have the direct impact of not only closing the gap, but also plain and simply putting them in a "hurt locker" (aka "world of hurt") since, in many cases, cybercriminals/attackers don't feel pain commensurate with the scale and scope of their crimes. 

I brought up cybercrime because a number of the tools and techniques are similar or identical between cybercriminals and those that would wage cyber warfare. In fact, if you were to follow the money trail of all cybercrime activity there is a very high probability that you will ultimately encounter an adversary that is planning, or conducting, cyber attacks against the United States.  

By now you can read about operation Cyber ShockWave from just about anywhere on the 'net. You can also go to the Bipartisan Policy Center's web site directly: http://www.bipartisanpolicy.org/events/cyber2010. This weekend CNN will be providing special coverage of Cyber ShockWave (Saturday February 20). 

Hopefully this exercise provided realistic attacks and the video coverage will show the decision-makers "making the call" in different scenarios. For obvious reasons, the "big gaping holes" shouldn't be exposed to the world, but at the very least, it does bring awareness to a problem that governments across the world face on a daily basis – how to handle the dynamic nature of threats as they continually evolve. 

Jeff Debrosse

Sr. Research Director

Two New White Papers


Sunday, January 31st, 2010

Two new papers have gone up on the ESET White Papers page at http://www.eset.com/download/whitepapers.php. (Strictly speaking, they're not altogether new: they include some material that has previously been blogged here.)

The Internet Book of the Dead is a bit different from other papers you’ll find on the ESET white papers page. (Technically, it’s not actually an ESET paper.)

It's essentially a transcript of an interview with the BBC that never happened because of synchronization issues: I couldn't get into the studio at the time when the interview was needed. However, it seemed a pity to waste the material I put together in preparation.

A version has already appeared on this blog, but the white paper version is at: http://www.eset.com/download/whitepapers/EsetWP-InternetBookOfDead.pdf.

2010: Cybercrime Coming of Age is the result of the Research teams in ESET Latin America and ESET, LLC putting their heads together to discuss the likely shape of things to come in the next 12 months in security and cybercrime.

The full paper is at:
http://www.eset.com/download/whitepapers/EsetWP-CybercrimeComesOfAge.pdf

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or http://twitter.com/ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

BBC Click: Net scams and jobseekers


Sunday, January 10th, 2010

You may have gathered from some of the blogs published here last year that I'm not the biggest fan of the BBC's "Click" programme. I regard the Beeb's forays into buying botnets and stolen credit card details and making active use of them as at best naive. I agree that people need to be aware of such issues, but I don't happen to think it's necessary for a public body that prides itself on its high standards to engage in near-criminal activity itself in order to raise awareness, still less to foster unequivocally criminal behaviour by making payments to real criminals. I don't happen to think that the end always justifies the means, especially if the "end" is self-serving self-publicity, which is certainly not an end that justifies any means.

Still, I found myself this morning looking at a "Click" item on Internet scams. There's information on both the item and the availability of the programme in an article called "Net scams profit from desperate jobseekers" by Marc Cieslak:  you can find it at http://news.bbc.co.uk/1/hi/programmes/click_online/8448966.stm.

Some of the detail is a bit misleading: there's nothing new about using "mules" for money laundering, a practice often called mule-driving, that's been around about as long as bank phishing, and there are plenty of job-related scams that have been around much longer (there's a sub-class of 419 that includes some of them). So it's not altogether correct to suggest that this has arisen in response to the recent/current (depending on where you live…) economic downturn and consequent increases in unemployment. Nonetheless, it wouldn't surprise me if such scams have, in fact, increased in volume (and successful deployment) as more people have become unemployed or at least concerned about the possibility of unemployment. If there's one thing I've learned from 20 years in security, it's that there is no romantic notion of honour and Robin Hood hustling among cybercriminals: anyone is considered fair game for a scammer, however badly off the victim may be already.

As I've said quite recently (see http://www.eset.com/threat-center/blog/2009/11/17/no-mules-fool), it's sometimes too easy for those of us who specialize in monitoring and fighting cybercrime to forget that criminal manipulation and social engineering that is old hat to us is nonetheless quite successfully duping innocent (if naive) individuals into engaging in criminal activity. So I'm happy, for once, to be able to recommend a "Click" item that hasn't, to the best of my knowledge, put a single penny into the pocket of a cybercriminal.

You may also find http://www.cyberfraud.org.uk/ worth a look. Its founder, Caroline Coats, apparently set it up after becoming a cybercrime victim herself. [Thanks to Lee for pointing out that that link doesn't work without the www!]

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Some Demographics of Cybercrime Risk


Monday, November 23rd, 2009

I wanted to share with you some more results from the cybercrime survey ESET commissioned and recently released. You can find the entire report at http://www.eset.com/company/CERC_Poll_2009_Oct.pdf.

57% of American computer owners now bank online, however the more money a person makes the more likely they are to bank online. 2/3rds of computer owners who earn $80,000 to $100,000 annually use online banking and 3/4ths of those earning more than $100,000 use online banking. It is not surprising that younger people engage in online banking more than older people. Where 60% of computer owners under the age of 45 use online banking, only 30% of those over 65 do. Surprisingly, geography seems to be a factor. 71% of those users in the Pacific Time Zone use online banking.

As I briefly mentioned in http://www.eset.com/threat-center/blog/2009/11/16/once-upon-a-cybercrime%E2%80%A6, there was an indication that on average, Mac users lose more money than PC users do when they are victims of cybercrime. Because the size of the sample set is small, I personally have a hard time reaching a conclusion, despite assurances from someone far, far more educated in statistics and surveys that the finding is 99% likely to be accurate. So I decided to look a bit further at the numbers to see if I could find anything approaching an explanation.

If we combine age and income demographics we see that Macs are more popular among younger computer owners. We have seen that younger computer owners are also more likely to do online banking. When we look at income we see that Mac users tend to be more affluent. So, we see that Mac users tend to be in the ranks of those most likely to use online banking and be affluent.

I also blogged http://www.eset.com/threat-center/blog/2009/11/18/so-you-think-you-are-smart about the higher degree of victimization amongst more educated users and we see Mac users predominantly in the ranks of the more educated.

Are you seeing a trend? Here comes the trend breaker. Only 18% of the Mac users polled lived in the Pacific Time Zone where online banking is far more prevalent.

Online banking however is not the only source of cybercrime. Social networks are very popular amongst phishers. The survey results show that Mac users are significantly more likely to access social networks from their computers. 57% of Mac users reported the use of social networks, where less than half (46%) of PC users did so.

One other interesting point… Educated does not equate to security knowledge. We did find a lower percentage of Mac users who could correctly identify what phishing is than for PC users. Additionally, where 5% of PC users incorrectly identified a trojan horse program as phishing, 11% of the Mac respondents thought a trojan horse program was phishing. If you think a phishing attack is something you believe your computer is not at risk to, does it affect your behavior? I would guess yes, but I don’t have an authoritative answer.

I still would love to see a larger survey, but when trying to identify why this survey showed that Mac cybercrime victims on average lose significantly more than PC cybercrime victims, we do see that in general Mac users fall into most of the demographics of the most victimized users, including having more money to lose. We also see a lower understanding of what phishing is amongst the Mac community. Perhaps, just maybe, the combination of having more to lose with less understanding of the threat, and the perception that the computer can protect them from attacks that are irrelevant to the computer combine for a woeful result.

Randy Abrams
Director of Technical Education

Is Cyber Monday the End of Shopping as We Know it?


Thursday, November 19th, 2009

Cyber Monday is the Monday that follows Thanksgiving in the USA. This is said to be the busiest online shopping day of the year. Does that mean that there is more risk of cybercrime? The answer is yes and no. There is more risk simply because more people are shopping online so malicious web pages, fake holiday specials, and other attractions are bound to get more traffic.

 In reviewing our threat statistics for the past couple of years what we discovered was that we do not see an increase in the number of threats, so as an individual your risk is pretty close to the same as any other time of year, but that means there is some risk and there are steps you can take to minimize your chances of becoming a victim of cybercrime. Here are a few tips to consider.

1)    Beware of the unsolicited emails for promotions that seem too good to be true. Things like “We’ll give you a free copy of Windows 7 for filling out this survey”, or “Get $100 for filling out this survey”. Often times these are ploys to get your credit card information and other personal information. It may be for the purpose of sending you spam or it may be for financial or identity theft.

2)    Watch out for anything related to banks, PayPal, and other online financial providers. NEVER click on a link in an email having to do with financial institutions. For some really simple tips on protecting yourself from phishing see my “Antiphishing Made Easy” tip on the San Diego Chamber of Commerce web site at http://www.sdchamber-members.org/TechTip.htm.

3)    Shop at reputable websites. Do not believe things like a BBB logo; check with the Better Business Bureau to see that they say the company is a member. It’s best if you know somebody who has done business with the company before. Crooks will post fake positive reviews of their web sites.

4)    When you go to enter payment information, make sure the address in the browser starts with https, and not just http. Https encrypts the information, such as your credit card number. It isn’t enough to see the https, the bad guys can use that too, but you want to use a reputable site and verify they are encrypting your data.

5)    You might want to consider getting a credit card with a low spending limit and using that exclusively when you shop online… especially if you can’t resist that offer that is too good to be true!

6)    Do not click on the links in emails. If you want to shop at Fry’s online, type in www.frys.com and find the item you are looking for.

Following these tips will greatly improve your odds of safely shopping on line on Cyber Monday and every other day of the year.
 
If you believe that you have become a victim of a phishing attack, contact your bank immediately.

Randy Abrams
Director of Technical Education

So, You Think You are Smart?


Wednesday, November 18th, 2009

Recently I blogged (Once Upon A Cybercrime…) about a survey ESET commissioned which indicated that Mac users are victims of cybercrime as often as PC users. This finding was not the main point of the survey, but was an interesting finding. The survey is titled “Securing Our e-City National Cybercrime Survey” and was commissioned to gather more information about how we can better target education as part of our Securing our e-City project. You can learn more about Securing Our e-City at http://securingourecity.org/

I want to share with you some additional findings of the study over the coming days and weeks. Extrapolating the losses of those surveyed it appears that cybercrime has cost Americans 11 billion dollars.

First I’ll give you a breakdown of the educational levels of our survey participants.

5% had less than a high school education. 25% had a high school education. 29% had some college. 27% had a college degree. 14% had advanced degrees.

Now let’s look at the victimization rates.

2% of those with less than a high school education had been victims
2% of those with a high school education had been victims
9% of those with some college education reported being victims
7% of those with a college degree reported being victims
18% of those with advanced degrees reported being victims

Given this data, the logical conclusion is that the number one way to avoid cybercrime is to avoid college!

But seriously, I don’t really think it is education that makes one stupid, or makes them a victim. A more likely explanation is that those with higher earnings make more attractive targets. It is also quite possible that those with higher education feel they are smart enough to avoid being tricked. A PhD in psychology does not translate to internet security knowledge. A degree in dentistry does not afford a higher level of computer security knowledge. Even people with computer science degrees often fail to learn enough about computer and Internet security.

I am a firm supporter of education, but when it comes to computers there is specific education required if you wish to avoid becoming a victim of cybercrime. Knowing tips and techniques, such as I describe at AntiPhishing Made Easy, can make a big difference. Education won’t always protect you. When a TJ Maxx or Heartland compromises your credit card information, your computer savvy isn’t going to help. When you receive an email claiming that information is needed to secure your web mail account, then security knowledge is quite useful. When something tells you that you need a codec to view a movie, just a little bit of security knowledge protects you. When you see something that says you need a new flash player, knowing to go to Adobe for the update and not accepting it anywhere else on the web is what is going to prevent you from infecting your computer.

Yeah, you might have a lot of college education, but if you do, you probably have more money and are a much more attractive target to the cyber criminal. If you have more to lose then you have more to gain by becoming a savvy computer user.

Randy Abrams
Director of Technical Education
 

Once Upon a Cybercrime…


Monday, November 16th, 2009

Recently ESET commissioned Competitive Edge Research and Communications, Inc. to conduct a study about attitudes, beliefs, and experiences of Americans with respect to cybercrime. There were some interesting results.

One of the findings is that most Americans are not aware that cybercrime is linked to organized crime. Viruses and Trojans are no longer the purview of pimple-faced punks who never see the sun. Malware has become a tool of organized crime, but only about one out of 5 Americans realize it is not the lone wolf who is biting them.

Not at all surprising is the fact that both PC and Mac users perceive the Mac as being safer, but the statistics show that Mac users are victims of cybercrime just as frequently as PC users. The most probable explanation for this would be confusing viruses as being cybercrime. 57% of Mac users feel it is safe to use their computers without antivirus software where only 27% of PC users feel it is safe to do so. Much of the losses associated with cybercrime are related to phishing attacks. Phishing attacks are just as effective on Macs, Linux, Windows, Solaris, and any operating system since they rely on tricking the user and not upon malicious software or any software vulnerabilities. The Mac offers no immunity to phishing attacks and so we see a virtually equal percentage of victim representation across the board.

A significant part of the phishing problem is ignorance. The survey found that less than 50% of Americans even know what phishing is. It is difficult to defend against something one is not aware of.

An interesting finding was that it appears that when a Mac user is a victim of phishing they tend to lose more money on average than a PC user. I’m not ready to proclaim this as fact since we can’t explain the finding, but that was the undeniable trend found by this specific study.

With respect to online banking, 84% of the general public feels it is at least somewhat safe to bank online. When you look at the reasons given for not banking online then you see that well over half of those people who shun online banking do so because of security concerns.

Of note, we did find a lower rate of cybercrime victims among people who use both a Mac and a PC. This is probably due to a higher level of computer and internet knowledge. Being educated to the threats and defenses is quite effective in decreasing the odds of a user becoming a victim of cybercrime.

Randy Abrams
Director of Technical Education


The Blame Game


Tuesday, November 10th, 2009

I recently learned a new acronym: SODDI (Some Other Dude Did It). What this refers to is the defense that criminals routinely use (plausible deniability) – and even more so when it comes to illicit activities on the Internet.

On Sunday, November 8th 2009 the Associated Press published an article regarding an individual that was accused of possessing child pornography. After 11 months, and at a personal expense of $250,000, computer forensics proved that the computer had become infected with malware that was designed to download illegal content. Malicious software was the culprit at work behind the scenes.

This activity is a topic that had been discussed for quite a few years as a potential liability for any computer that has been infected. Software that is designed to conduct remote operations can surreptitiously download any kind of digital material to a person’s machine or establish connections (or probe/attack) any target. This would cause the owner of the infected computer to appear to have broken one, or more, of many laws including illegally accessing a network, theft of intellectual property (IP) and child pornography – to name a few. Basically, any action that an attacker or criminal can directly perform on the Internet, can also be duplicated and executed from a victim’s computer. The end result is truly horrific for the victims who have to defend themselves when the trail leads to them – and seemingly stops at their computers.

There are numerous examples of this occurring. For instance, substitute school teacher Julie Amero’s life was undeniably, and tragically, altered after the school computer she was using in a 7th grade classroom started displaying pornographic images to her students. After significant expense, loss of a teaching career and other losses she was finally convicted of a lesser charge (in 2008) and a reduced fine.

Cases like these are where several (of many) cybercrime issues converge:

  • Laws: many legal systems still struggle to catch up with cybercrimes
  • Plausible deniability: the challenge of proving that a person is the one that used their computer to commit an act (usually a criminal act)
  • Attribution: lack of attribution across the Internet impairs the ability to accurately, and with a high degree of confidence, trace internet connections/packets back to their source(s)

When two or more of these elements are combined, the end result is typically a confusing, and potentially indefensible, gathering of forensic data that can both let a criminal “walk” or cause an innocent person to be charged, tried and sentenced.

In any war there is a term known as “collateral damage”. In the war against cybercriminals, the collateral damage is clear and unmistakable. As a society, when we  gain more overall forensic analysis experience and systems are capable of providing more accurate attributable information, we should see a diminishing number of cases of innocent victims and more/stiffer convictions for the bad guys.
   
Jeff Debrosse
Senior Research Director

 

October Global Threat Report


Monday, November 2nd, 2009

As usual, ESET has released its monthly Global Threat Trends Report, which will be available in due course at http://www.eset.com/threat-center/index.php.

There are no surprises in the top five malicious programs, which have the same rankings as in the September report. Clearly, not enough people are taking our accumulated advice on reducing the risk from Conficker, INF/Autorun and so on. :(

Something I didn't anticipate though is the dramatic upsurge in Win32/Flystudio detections. This class of threat has been around for a while. It did feature strongly in our July report, when it came in from nowhere to number 5, and then hovered around the lower reaches for a while. Well, this month it shot back from 46 to 6. Here's the description from the latest report.

6. Win32/FlyStudio
Previous Ranking: 46

The Win32/FlyStudio threat is designed to modify information inside the victim's Internet browser. This threat will modify search queries, with the intention of delivering advertisements to the user. Win32/FlyStudio seems to be targeting users located in China.

What does this mean for the End User?

FlyStudio is a popular scripting language, much used as a development tool in China. However, the malicious code is being reported in other regions too, including North America. This may mean that it has been deployed by other malware.

Win32/TrojanDownloader.Swizzor, however, has dropped out of the top ten.

Other items discussed include:

  • The AMTSO workshop in Prague, which inspired lively debate about when, if ever, it's acceptable to create samples for testing, and the thorny issue of AMTSO compliance – what is it, and who can legitimately claim it?
  • An interesting exercise conducted by Christopher and Samir at the First International Workshop on Aggressive Alternative Computing and Security, in which they installed a number of scanners (including NOD32) then logged in as administrator and tried to disable them. We're pleased to note that our product was one of those fairly resistant to such tampering, but we're not convinced that this is a very useful way to test the efficacy of a product. I'll return to that shortly in a separate blog.
  • The Halloween Search Engine Optimization (SEO) poisoning issue already blogged here.

Perhaps the most interesting, though, is the first sight of some statistics garnered from a cybercrime survey conducted by Competitive Edge Research and Communication Inc. on behalf of the Securing Our eCity initiative, which ESET sponsors. We'll be talking more here about some of the data points from that report in the near future, but an issue that the October report focused on was the finding that 63% of adults seem to think cyber criminals are mostly individual computer hackers, whereas only 21% regard organized crime as primarily responsible for cybercrime.

As the report suggests, in the last quarter of 2009, that’s a pretty frightening statistic. It may not matter to the individual computer user who is responsible for specific threats, as long as he takes the right countermeasures. But if people don't understand the nature of the threat properly (and the security industry is apparently failing to convey that information), it seems likely that they don’t understand what constitutes an appropriate countermeasure, either.

Someone asked me today to hazard a guess at the ratio of individuals to organized crime in the current threatscape. I don't really have information that specific, and automatically mistrust it when other companies offer it, unless I know it comes from someone who spends a lot of time interacting with people I wouldn't want to meet in a dark alley.

It depends on your definition of organized crime, I guess. There are plenty of horror stories about various flavours of mafia, but there are certainly also one-man-band criminals out there, not to mention the amateurs still  throwing out Proof of Concept malware and probing systems for the hell of it, or the kudos of discovering a poorly protected site.

However, most attacks are profit-driven, and most profit-driven attacks appear to be made by gangs. On the other hand, a lot of what crosses my radar is freelancers offering specific services to anyone who’ll pay for banking Trojans, or 0-day exploits, or credit cards, or whatever. So the market is certainly “organized” but some of the players aren’t necessarily aligned with one group in particular. Having said that, though, if their services are “good” enough, I’d assume that they’ll catch the attention of the major gangs.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Banks and Credit Card Companies are Funding Cybercrime


Friday, October 30th, 2009

For many years banks and credit card vendors have accepted that there will be some amount of fraud and built those costs in to the operational model. The thinking goes that if the loss is small enough then it isn’t worth pursuing so they simply pass the cost on to the public through fee structures, such as return check fees, ATM fees, and differentials in the rate that they borrow money at and the rate they loan money at.

Perhaps this was a viable model before the internet gained popularity, but today it accounts for significant losses, perhaps in the billions of dollars if the polls are to be believed.

The lack of an aggressive stance against phishing means that banks are clearly not the enemy of the cyber criminal and facilitate their nefarious deeds.

The fact is that many financial institutions actively teach their customers to become victims through insanely ignorant worst practices. American Express sends a monthly statement with a link to your account. Financial institutions should not be sending links to pages that require a login… this is what phishers do and reinforces unsafe cyber habits.

My own credit union, First Technology Credit Union, accepts complaints/feedback online, but when they reply they send a link that the customer must use to provide more information or comments, etc. Granted this link does not ask for log on information, but it also teaches customers to follow the same practices that lead to successful phishing attacks.

The Industrial Credit Union (http://icu.org) recommends “If you receive an email from the IRS requesting information, we recommend you simply delete or ignore it.” but the IRS wants you to report the emails: http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1. The Marine Federal Credit Union offers similar advice to that misguidedly given by the Industrial Credit Union.

Recently the FDIC recommended that Banks step up efforts to spot money mule related activity http://www.wired.com/threatlevel/2009/10/money_mules/. A money mule is a person who is recruited to illegally transfer stolen money from the victim’s account to the criminal’s account. Many, perhaps even most, money mules do not know they are participating in an illegal activity until they also become a victim.

That the FDIC has to recommend this course of action shows how completely out of touch the financial services industry is with their responsibility to assist in online security.

Currently the banking and credit card industry are the educational and operations arms of cyber crime. It is long past time for banks, credit card companies, and credit unions to stop sending links in email and to step up to the plate when it comes to fighting cyber crime. Until the financial institutions stop teaching people to be phishing victims and start playing a proactive role in fighting cybercrime, they are funding cyber crime through apathetic and ignorant complicity, much as a misguided money mule does.

Randy Abrams
Director of Technical Education