Criminal Enterprise or Legit Business? It Can Be Hard to Tell, Cisco Says
July 20, 2009 Alex Woodie
In its recently released mid-year security review, Cisco Systems makes the case that online criminals are using more sophisticated tools and methods of attack, and are increasingly using legitimate business techniques to mask their nefarious goals. A good example of this evolution was on display with Conficker, a worm that began circulating in late 2008 and that continues to infect computers to this day.
When Conficker surfaced late last year and blossomed into the biggest computer worm in more than five years, it took security experts a bit by surprise, according to Cisco, which documented the technology and techniques behind the Conficker outbreak in its mid-year security report.
Whereas many malware exploits of the past few years have concentrated “up the stack” on vulnerabilities in applications, the Conficker worm represented a shift “back to the future” by taking advantage of older vulnerabilities in Windows. Cisco said this “old school” approach worked well because most security professionals were concentrating up the stack on applications, particularly the popular new Web 2.0 apps.
Once infected with the Conficker worm, an afflicted PC becomes part of a “botnet” of infected computers that online criminals can use for their malicious purposes. In the case of Conficker, one of the ways the criminals made money was by renting the network of infected PCs to Waledcac, another botnet that utilized the processing and network power of Conficker’s dirty work to spread “scamware.” Scamware refers to a business model that relies on scared individuals to purchase software from the scammers in order to escape infection. This sharing of botnet resources represents a criminal adaptation of the software as a service (SaaS) model.
Conficker’s hold on infected PCs started to crack when a group of more than 100 concerned organizations gathered together to create the Conficker Working Group. The group worked with computer security professionals (including those at Cisco) and the Internet domain naming organization ICANN to identify and root out domains that the Conficker botnet was using.
The collaborative approach to thwart Conficker worked and helped to “blunt the impact” of the worm, Cisco says. However, when the criminals behind Conficker realized their techniques had been discovered, they quickly shifted gears and tried different communication methods. While Conficker has been muted to some degree, it continues to spread. As of the end of June, there were still several million computer systems under its control, Cisco says, making Conficker the most prolific worm since the SQL Slammer attack of 2003.
The case of Conficker shows that vigilance must be maintained as computer criminals continue to adapt to changing circumstances. “We see many signs that criminals are mimicking the practices embraced by successful, legitimate businesses to reap revenue and grow their enterprises,” says Tom Gillis, vice president and general manager of security products for Cisco.
Cisco also shared details of the inner-workings of a botnet. The company got a glimpse into the underworld phenomenon through conversations with a botnet-running criminal, which Cisco helped bring to justice. The criminal admitted to selling access to his botnet, which was created using instant messaging (IM) spam and associated malware, for 10 cents to 25 cents per infected node. That wasn’t going to make the criminal (who claimed he needed the money to pay for antibiotics for a “sick child”) very wealthy. The guys who made the really big bucks–up to $10,000 per week–were involved in phishing and identity theft scams.
Cisco asked the criminal why he chose of life of crime, and he responded that, due to his lack of a “decent education,” he wasn’t able to find an above-board job. “In this faltering economy,” Cisco says, “one has to wonder if even well-educated IT experts with no criminal record will resort to illegal activities, since jobs are so scarce.” (Cisco invites readers to a full-length report, Infiltrating a Botnet, at its Web site.)
Another example of the blending of the techniques of criminals and legitimate businessmen is the phenomenon known as “spamdexing.” Just as legitimate companies will try to boost their search engine rankings through numerous techniques, such as adding a slew of keywords to the bottoms of their Web pages to get on more search indices, online ne’er-do-wells are also using these techniques to bolster their search results.
However, instead of getting legitimate Web pages or download when clicking through, the unsuspecting victims of spamdexing get a disk full of malware for their troubles. This approach is working because of the apparently innate human tendency to trust the top 10 results of a Google search more than the bottom 10 results.
While criminal outfits have been masquerading as legitimate groups since the dawn of time, use of the tactic is accelerating on the Internet, explains Patrick Peterson, Cisco fellow and chief security researcher.
“Securing the Internet has long been a moving target as criminals develop increasingly sophisticated ways to breach corporate networks and obtain valuable personal data,” Peterson says. “What is striking in our latest findings is how, in addition to using their technical skills to cast a wide net and avoid detection, these criminals are also demonstrating some strong business acumen.
“They are collaborating with each other, preying on individuals’ greatest fears and interests, and increasingly making use of legitimate Internet tools like search engines and the software-as-a-service model,” Peterson continues. “Some also continue to succeed using well-documented methods that in recent years have been downplayed as threats given the preponderance of new tactics. With criminals being so quick to identify weaknesses both in online networks and in consumers’ psyches, businesses need to adopt ever more advanced ways to fight cybercrime and remain vigilant across all attack vectors.”
Other big areas of concern for security professionals are mobile devices. The rapidly growing popularity of mobile, network-connected devices is also proving irresistible to online criminals, Cisco reports. Since the start of the year, at least two or three new campaigns have surfaced every week targeting handheld mobile devices, says Cisco, which calls the 4.1 billion mobile phone subscriptions worldwide a “new frontier for fraud.”
Disgruntled employees and malicious insiders are also taking their tolls on the health of the world’s computer systems. Cisco detailed several examples of insider fraud this year, including an employee at the Federal Reserve Bank of New York, who, along with his brother, used stolen identities to receive $73,000 in student loans. The brother also used stolen identities for a boat loan in New Jersey, Cisco says. Also occurring in April was the case of a former employee of New York’s Department of Taxation and Finance, who allegedly spent more than $200,000 on credit cards obtained using stolen personal data.
All is not doom and gloom, however, and Cisco reports several bright spots in the ongoing fight against computer fraud. The company reports a collaborative approach helped to stop the Srizbi/Reactor Mailer botnet, which had been one of the world’s biggest spammers. A coordinated campaign helped to identify the company behind the Srizbi/Reactor Mailer botnet, and it was shut down in November. When the organization resurfaced in Estonia and tried to rebuild its network, it was subsequently disabled by Microsoft and its Malicious Software Removal Tool (MSRT), which it updates every Patch Tuesday.
Security experts simply need to work harder if they’re going to keep up with their criminal counterparts. That is a huge challenge, especially as the lines between legitimate businesses and criminal enterprises continue to blur and attacks become increasingly sophisticated. On top of that, security pros must keep in mind all of the old vulnerabilities that are still out there (like the one Conficker exploited), while keeping an eye on the ever-present insider threat and complying with the ever-growing number of regulations.
Yeah, it’s a tough, unforgiving job, with the greatest achievement occurring when nothing happens. So go give your organization’s security guy or gal a big hug, because they probably need it.
A PDF of Cisco’s 32-page Midyear Security Report can be downloaded at cisco.com/web/about/security/intelligence/midyear_security_review09.pdf.