Addison Wesley, Crimeware: Understanding New Attacks and Defenses, April 2008, ISBN 0321501950


Document information

Crimeware: Understanding New Attacks and Defenses
by Markus Jakobsson; Zulfikar Ramzan
Publisher: Addison Wesley Professional
Pub Date: April 06, 2008
Print ISBN-10: 0-321-50195-0
Print ISBN-13: 978-0-321-50195-0
eText ISBN-10: 0-321-55374-8
eText ISBN-13: 978-0-321-55374-4
Pages: 608

Overview

"This book is the most current and comprehensive analysis of the state of Internet security threats right now. The review of current issues and predictions about problems years away are critical for truly understanding crimeware. Every concerned person should have a copy and use it for reference."
–Garth Bruen, Project KnujOn Designer

There's a new breed of online predators–serious criminals intent on stealing big bucks and top-secret information–and their weapons of choice are a dangerous array of tools called "crimeware." With an ever-growing number of companies, organizations, and individuals turning to the Internet to get things done, there's an urgent need to understand and prevent these online threats.

Crimeware: Understanding New Attacks and Defenses will help security professionals, technical managers, students, and researchers understand and prevent specific crimeware threats. This book guides you through the essential security principles, techniques, and countermeasures to keep you one step ahead of the criminals, regardless of evolving technology and tactics.

Security experts Markus Jakobsson and Zulfikar Ramzan have brought together chapter contributors who are among the best and the brightest in the security industry. Together, they will help you understand how crimeware works, how to identify it, and how to prevent future attacks before your company's valuable information falls into the wrong hands. In self-contained chapters that go into varying degrees of depth, the book provides a thorough overview of crimeware, including not only concepts prevalent in the wild, but also ideas that so far have only been seen inside the laboratory.

With this book, you will
  • Understand current and emerging security threats including rootkits, bot networks, spyware, adware, and click fraud
  • Recognize the interaction between various crimeware threats
  • Gain awareness of the social, political, and legal implications of these threats
  • Learn valuable countermeasures to stop crimeware in its tracks, now and in the future
  • Acquire insight into future security trends and threats, and create an effective defense plan

With contributions by Gary McGraw, Andrew Tanenbaum, Dave Cole, Oliver Friedrichs, Peter Ferrie, and others.

Table of Contents

Copyright
Preface
About the Authors
Chapter 1 Overview of Crimeware
  Section 1.1 Introduction
  Section 1.2 Prevalence of Crimeware
  Section 1.3 Crimeware Threat Model and Taxonomy
  Section 1.4 A Crimeware Menagerie
  Section 1.5 Crimeware Distribution
  Section 1.6 Infection and Compromise Points, Chokepoints, and Countermeasures
  Section 1.7 Crimeware Installation
  Section 1.8 Crimeware Usage
  Section 1.9 Organizing Principles for the Remainder of This Text
  Acknowledgments
Chapter 2 A Taxonomy of Coding Errors
  Section 2.1 The Trinity of Trouble
  Section 2.2 The Seven Pernicious Kingdoms
  Section 2.3 The Phyla
  Section 2.4 More Phyla Needed
Chapter 3 Crimeware and Peer-to-Peer Networks
  Section 3.1 Malware in Peer-to-Peer Networks
    Conclusion
  Section 3.2 Human-Propagated Crimeware
Chapter 4 Crimeware in Small Devices
  Section 4.1 Propagation Through USB Drives
  Section 4.2 Radio Frequency ID Crimeware
  Section 4.3 Mobile Crimeware
Chapter 5 Crimeware in Firmware
  Section 5.1 Propagation by Firmware Updates
    Conclusion
  Section 5.2 Modeling WiFi Malware Epidemics
Chapter 6 Crimeware in the Browser
  Section 6.1 Transaction Generators: Rootkits for the Web
    Conclusion
  Section 6.2 Drive-By Pharming
    Conclusion
  Section 6.3 Using JavaScript to Commit Click Fraud
Chapter 7 Bot Networks
  Section 7.1 Introduction
  Section 7.2 Network-Oriented Features of Botnets
  Section 7.3 Software Features of Bots
  Section 7.4 Web Bots and the General Future of Botnets
  Section 7.5 Countermeasures
  Conclusion
Chapter 8 Rootkits
  Section 8.1 Introduction
  Section 8.2 Evolution of Rootkits
  Section 8.3 User-Mode Windows Rootkits
  Section 8.4 Kernel-Mode Rootkit Techniques
  Section 8.5 Linux Rootkits
  Section 8.6 BIOS Rootkits
  Section 8.7 PCI Rootkits
  Section 8.8 Virtual Machine–Based Rootkits
  Section 8.9 Rootkit Defense
Chapter 9 Virtual Worlds and Fraud
  Section 9.1 Introduction
  Section 9.2 MMOGs as a Domain for Fraud
  Section 9.3 Electronic Fraud
  Section 9.4 Fraud in MMOGs
  Conclusion
Chapter 10 Cybercrime and Politics
  Section 10.1 Domain Name Abuse
  Section 10.2 Campaign-Targeted Phishing
  Section 10.3 Malicious Code and Security Risks
  Section 10.4 Denial-of-Service Attacks
  Section 10.5 Cognitive Election Hacking
  Section 10.6 Public Voter Information Sources: FEC Databases
  Section 10.7 Intercepting Voice Communications
  Conclusion
  Acknowledgments
Chapter 11 Online Advertising Fraud
  Section 11.1 History
  Section 11.2 Revenue Models
  Section 11.3 Types of Spam
  Section 11.4 Forms of Attack
  Section 11.5 Countermeasures
  Section 11.6 Click Fraud Auditing
  Section 11.7 The Economics of Click Fraud
  Conclusion
  Acknowledgments
Chapter 12 Crimeware Business Models
  Section 12.1 The Crimeware Business
    Conclusion
  Section 12.2 A Closer Look at Adware
Chapter 13 The Educational Aspect of Security
  Section 13.1 Why Education?
  Section 13.2 Case Study: A Cartoon Approach
  Conclusion
Chapter 14 Surreptitious Code and the Law
  Section 14.1 Introduction
  Section 14.2 The Characteristics of Surreptitious Code
  Section 14.3 Primary Applicable Laws
  Section 14.4 Secondary Applicable Laws
  Conclusion
Chapter 15 Crimeware and Trusted Computing
  Section 15.1 Introduction
  Section 15.2 Anatomy of an Attack
  Section 15.3 Combating Crimeware with Trusted Computing
  Section 15.4 Case Studies
  Conclusion
Chapter 16 Technical Defense Techniques
  Section 16.1 Case Study: Defense-in-Depth Against Spyware
    Conclusion
  Section 16.2 Crimeware-Resistant Authentication
    Conclusion
  Section 16.3 Virtual Machines as a Crimeware Defense Mechanism
Chapter 17 The Future of Crimeware
  Section 17.1 Crimeware, Terrorware, Vandalware, and Ransomware
  Section 17.2 New Applications and Platforms
  Section 17.3 Using Social Networks to Bootstrap Attacks
  Section 17.4 New Use of the Internet: Controlling the Infrastructure
  Section 17.5 Moving Up the Stack
  Section 17.6 The Emergence of an E-Society: Are We Becoming More Vulnerable?
  Section 17.7 The Big Picture
References
Index

Copyright

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, (800) 382-3419, corpsales@pearsontechgroup.com. For sales outside the United States please contact: International Sales, international@pearsoned.com. Visit us on the Web: informit.com/aw

Library of Congress Cataloging-in-Publication Data
Jakobsson, Markus
Crimeware : understanding new attacks and defenses / Markus Jakobsson, Zulfikar Ramzan
p. cm.
Includes bibliographical references and index.
ISBN 978-0-321-50195-0 (pbk. : alk. paper)
1. Computer security. Internet—Security measures. Computer crimes. I. Ramzan, Zulfikar. II. Title.
QA76.9.A25J325 2008
005.8—dc22
2007050736

Copyright © 2008 Symantec Corporation. All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:
Pearson Education, Inc.
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671-3447

ISBN-13: 978-0-321-50195-0
Text printed in the United States on recycled paper at Courier in Stoughton, Massachusetts.
First printing, April 2008

Dedication
To Suma and Kabir
and
To A and Art

Preface

Traditionally, malware has been thought of as a purely technical threat, relying principally on technical vulnerabilities for infection. Its authors were motivated by intellectual curiosity, and sometimes by competition with other malware authors. This book draws attention to the fact that this is all history. Infection vectors of today take advantage of social context, employ deceit, and may use data-mining techniques to tailor attacks to the intended victims. Their goal is profit or political power. Malware has become crimeware. That is, malware has moved out of basements and college dorms, and is now a tool firmly placed in the hands of organized crime, terror organizations, and aggressive governments. This transformation comes at a time when society increasingly has come to depend on the Internet for its structure and stability, and it raises a worrisome question: What will happen next?

This book tries to answer that question by a careful exposition of what crimeware is, how it behaves, and what trends are evident. The book is written for readers from a wide array of backgrounds. Most sections and chapters start out describing a given angle from a bird's-eye view, using language that makes the subject approachable to readers without deep technical knowledge. The chapters and sections then delve into more detail, often concluding with a degree of technical detail that may be of interest only to security researchers. It is up to you to decide when you understand enough of a given issue and are ready to turn to another chapter.

Recognizing that today's professionals are often pressed for time, this book is written so that each chapter is relatively self-contained. Rather than having each chapter be sequentially dependent on preceding chapters, you can safely peruse a specific chapter of interest and skip back and forth as desired. Each chapter was contributed by a different set of authors, each of whom provides a different voice and unique perspective on the issue of crimeware.

This book is meant for anyone with an interest in crimeware, computer security, and eventually, the survivability of the Internet. It is not meant only for people with a technical background. Rather, it is also appropriate for makers of laws and policies, user interface designers, and companies concerned with user education. The book is not intended as a guide to securing one's system, but rather as a guide to determining what the problem really is and what it will become. Although we often use recent examples of attacks to highlight and explain issues of interest, the focus here is on the underlying trends, principles, and techniques. When the next wave of attacks appears—undoubtedly using new technical vulnerabilities and new psychological twists—then the same principles will still hold. Thus, this book is meant to remain a useful reference for years to come, in a field characterized by
change. We are proud to say that we think we have achieved this contradictory balance, and we hope that you will agree.

Acknowledgments

We are indebted to our expert contributors, who have helped make this book what it is by offering their valuable and unique insights, and selflessly donated their time to advance the public's knowledge of crimeware. The following researchers helped us provide their view of the problem: Shane Balfe, Jeffrey Bardzell, Shaowen Bardzell, Dan Boneh, Fred H. Cate, David Cole, Vittoria Colizza, Bruno Crispo, Neil Daswani, Aaron Emigh, Peter Ferrie, Oliver Friedrichs, Eimear Gallery, Mona Gandhi, Kourosh Gharachorloo, Shuman Ghosemajumder, Minaxi Gupta, James Hoagland, Hao Hu, Andrew Kalafut, Gary McGraw, Chris J. Mitchell, John Mitchell, Steven Myers, Chris Mysen, Tyler Pace, Kenneth G. Paterson, Prashant Pathak, Vinay Rao, Jacob Ratkiewicz, Melanie Rieback, Sourabh Satish, Sukamol Srikwan, Sid Stamm, Andrew Tanenbaum, Alex Tsow, Alessandro Vespignani, Xiaofeng Wang, Stephen Weis, Susanne Wetzel, Ollie Whitehouse, Liu Yang, and the Google Ad Traffic Quality Team.

In addition, Markus wishes to thank his graduate students, who have helped with everything from performing LaTeX conversions to being experiment subjects, and many of whose research results are part of this book. Zulfikar wishes to thank Oliver Friedrichs and the rest of the Symantec Advanced Threat Research team (as well as his colleagues throughout Symantec) for affording him the opportunity to work on this book and for engaging in countless stimulating discussions on these topics.

Index (U)

U3-based malware
UDRP (Uniform Domain Name Dispute Resolution Policy)
UI (user interface), human factors in UI design
Ultrapeer mode, Gnutella protocol
Uniform Domain Name Dispute Resolution Policy (UDRP)
UNIX utilities, rootkits
Unknown malware: file name–based filters; file size–based filters
Unreal IRCd
Updates, propagation by firmware
URLs, malicious content embedded into
USB devices, propagation techniques
USB flash drives, malware propagation: countermeasures; DMA vulnerability; example stealing Windows passwords; gauging risk of; overview of; U3-based malware; USB Hacksaw; USB Switchblade
User immersion, principles of educational approaches
User interface (UI), human factors in UI design
User-mode rootkits: DLL injection; IAT hooks for modifying execution path; inline function patching (detours); overview of; remote code injection; Windows hooks for loading
User node, OpenFT
Users, data leaks between (encapsulation problems)

Index (V)

Vaccine exploits
Vaccines
Value proposition, common problems in adware industry
Vandalism, RFID-enabled
Vandalware
Variables, uninitialized variables as code quality problem
Vehicles, future of crimeware and
Vendors, software
VFS (Virtual File System)
Video games [See also Games; MMOGs (massively multiplayer online games).]
Video, infection vectors
Viral content, luring visitors to site for click fraud attack
Viral marketing
Viral videos
Virtual File System (VFS)
Virtual machine-based rootkits [See VMBRs (virtual machine-based rootkits).]
Virtual machine monitors (VMMs), hardware-enforced isolation and
Virtual machines, as defense technique: applications of; data isolation and; firewalls and; physical machines compared with; problems with multiple machines
Virtual memory, kernel-mode rootkits for redirecting
Virtual PC
Virtual private networks (VPNs), security standards for network access
Virtual worlds: cheating; electronic fraud [See Electronic fraud.]; games and fraud; MMOGs [See MMOGs (massively multiplayer online games).]; overview of
Viruses, signatures
VMBRs (virtual machine-based rootkits): hardware-assisted; overview of; software-based; virtual machine detection in rootkit detection; VMRUN/VMLAUNCH emulation
VMMs (virtual machine monitors), hardware-enforced isolation and
VMRUN/VMLAUNCH emulation
VMware
Voice communication, intercepting for political advantage [See also Communication, bot networks.]
Voters: deceiving via cognitive hacking; election fraud and; public voter information sources
VPNs (virtual private networks), security standards for network access
VT-x (Vanderpool), Intel
Vulnerability, cheating in games and

Index (W)

W32/RJump worm
W32.Gaobot.gen!poly
W32.Korgo.Q
WAPFunnel
WAPJack attacks: attacking own computer as security measure; types of
WAPKit attacks: attacking own computer as security measure; click fraud; man-in-the-middle attacks; overview of; race pharming; robot delegates (zombies); trawler phishing
WAPs (wireless access points) [See also WiFi.]: case study; classes of; cloaking wireless networks; default settings; human factors in UI design; security warnings mandated for; as targets of malware; Warkitting attacks; weak security configuration as rule
Wardriving
Warez: botnets harvesting, storing, and propagating; criminal applications of botnets
Warkitting attacks: drive-by pharming attacks and; WAPs and
WDM (Windows Driver Model), layered model for drivers
Weak security configuration, as rule for WAPs
Wearable computers, future of crimeware
Web 2.0 software, susceptibility to malicious code
Web browsers: attacking third party applications; Botnet 2.0 (browser-based botnets); Browser helper objects; click fraud using JavaScript [See Click fraud, using JavaScript.]; drive-by pharming [See Drive-by pharming attacks.]; forced browser clicks; same-origin policy and; session hijackers and; transaction generators [See TGs (transaction generators).]; vulnerabilities of; web browsers exploits as distribution technique
Web scripting attacks, WiFi firmware
Web trojans
WebAttacker
Webroot
WebWhacker
WEP (wired equivalent privacy): Airsnort defeating; encryption options for wireless networking; epidemic spread and router density and; limitations of
wget, open-source utilities for building bots
WhenU, trends in adware business
WiFi [See also WAPs (wireless access points).]: computing capacity of wireless routers; countermeasures; limiting administrative access; other security settings; router-to-router attacks; routers [See Routers, wireless.]; security measures; targets of malware; wireless access and; WLAN access and
WiFi malware epidemics, modeling: contagion network; epidemic model; epidemic spread, WEP and WPA deployment and router density; giant component; infecting router; methodology for; overview of; roadmap for case study; spread of synthetic epidemics; wireless security law in California
WiFi protected access [See WPA (WiFi protected access).]
WiGLE (Wireless Geographic Logging Engine)
Windows Driver Model (WDM), layered model for drivers
Windows hooks, loading user-mode rootkits
Windows Media Player, web browser vulnerabilities
Windows Metafile flaw, trojans exploiting
Windows Mobile: extensible platforms; mobile devices; protection from untrusted applications
Windows Object Manager
Windows OSs: example stealing Windows passwords; rootkit evolution and; rootkits [See User-mode rootkits.]
Windows Scheduler [See Scheduler, Windows.]
Windows Vista: complexity as factor in malicious code; process-hardening technology; RSS feed manager
Wire Fraud Statute, federal laws regarding surreptitious code
Wired equivalent privacy [See WEP (wired equivalent privacy).]
Wireless access points [See WAPs (wireless access points).]
Wireless bridging
Wireless devices, as targets of malware
Wireless Geographic Logging Engine (WiGLE)
Wireless honeypots, as wireless countermeasure
Wireless LANs (WLANs)
Wireless routers [See Routers, wireless.]
Wireless security law, in California
Wiretap Act (Title I), Electronic Communications Privacy Act
WLANs (wireless LANs)
World of Warcraft: bots in; network architecture of; targets for malicious code
World-player treatment, player treatment violations
World Wide Web (WWW), commercialization of
WPA (WiFi protected access): for encrypting wireless routers; encryption options for wireless networking; epidemic spread and router density and; protecting WiFi networks
Write access, rootkit prevention and
WRT54G router, Linux
WWW (World Wide Web), commercialization of

Index (X)

XCP (Extended Copy Protection)
XML-based command, botnets
XML validation, input validation and representation problems

Index (Y)

YouTube, viral videos

Index (Z)

Zango, trends in adware business
Zero days: trojan authors exploiting zero-day flaws; web browsers exploits
Zombies [See also Bot networks/bots.]: grids of infected computers; overview of; WAPKit attacks
Zune: malicious alteration of embedded control systems; vulnerabilities

Posted: 26/03/2019, 16:12


Table of contents

  • Crimeware: Understanding New Attacks and Defenses - Graphically Rich Book
  • Table of Contents
  • Copyright
  • Preface
  • About the Authors
  • Chapter 1. Overview of Crimeware
    • Section 1.1. Introduction
    • Section 1.2. Prevalence of Crimeware
    • Section 1.3. Crimeware Threat Model and Taxonomy
    • Section 1.4. A Crimeware Menagerie
    • Section 1.5. Crimeware Distribution
    • Section 1.6. Infection and Compromise Points, Chokepoints, and Countermeasures
    • Section 1.7. Crimeware Installation
    • Section 1.8. Crimeware Usage
    • Section 1.9. Organizing Principles for the Remainder of This Text
    • Acknowledgments
  • Chapter 2. A Taxonomy of Coding Errors
    • Section 2.1. The Trinity of Trouble
    • Section 2.2. The Seven Pernicious Kingdoms
    • Section 2.3. The Phyla
    • Section 2.4. More Phyla Needed
  • Chapter 3. Crimeware and Peer-to-Peer Networks
    • Section 3.1. Malware in Peer-to-Peer Networks
