Posted on Wednesday, October 10th, 2007

Reading List - October 10, 2007

by Jose Nazario

A few things on my reading list for today … The first is a three-part series on crimeware (malware specifically designed to yield money for the operators of the malware through direct financial theft) by CSO Magazine. It’s an interesting look and shows that the underground economy is just as skilled as the fully legit software economy at adapting to “everything as a service”. The three parts cover all sorts of links between groups and techniques. Excerpts below …

And what he found stunned him. As he sailed off through the servers and in and out of files and almost over a database to where Gozi’s home base was, Jackson found a full-fledged e-commerce operation. It was slick and accessible, with comprehensive product offerings and a strong customer focus. Jackson, no one really, had ever seen anything like it. So business-like. So fully conceived. So professional.

… He had stumbled on to the next phase of Internet crime. Gozi was significant not because the Gozi Trojan was innovative or hard to detect. It wasn’t. It was in many ways no different than its four-year-old ancestor Berbew. No, Gozi was significant, Jackson thought, because it wasn’t really a product at all. It was a service.

Source: Hacker Economics 1: Malware as a Service, CSO Magazine.

The Internet criminals’ model perfectly mirrors the drug cartel model, which relies on a stratified market that spreads the risk out to pushers, distributors, mules, manufacturers, and all the money flows up, to the cartel. Disrupting the middle men—and that’s what HangUp Team is becoming—doesn’t solve the problem. Other middle men will simply arise to fill the void, much the way Smash started the IAACA to fill the void left by ShadowCrew when it was taken down.

Source: Hacker Economics 2: The Conspiracy of Apathy, CSO Magazine.

MPACK’s multiple-exploit technique was used before in an exploit called WebAttacker. But MPACK is more effective because of iFrames. Disturbingly, the iFramers seem to have come up with some automated exploit kit capable of infecting a massive number of Web pages with illicit iFrames in a short period of time, “like a machine gun spraying holes in sites” says Lance James. The first round of iFrame injections created to deliver MPACK showed up, literally, overnight—more than 10,000 pages were infected, mostly on Italian sites. Since then the process has repeated itself, moving country to country. Thousands of infections all at once.

Source: Hacker Economics 3: MPACK and the Next Wave of Malware, CSO Magazine.

Also, I read another good writeup on the Storm Worm codebase, on par with some of the great research being done on this bot at present. Storm has given a lot of academics something good to study!

Despite all the hype and paranoia surrounding Storm, the inner workings of this botnet largely remain a mystery. Indeed, Storm is believed to have an automated distributed denial of service (DDoS) feature to dissuade reverse engineering, which gets triggered based on situational awareness gathered from its overlay network, e.g., when the count of spurious probes crosses a certain threshold [3]. It has also been reported that these defenses have been turned on those that have posted their analysis results of Storm [12]. In this paper, we attempt to partially address voids in our collective understanding of Storm by providing a multi-perspective analysis of various Storm clients. Our analysis includes a static dissection of the malware binary and the characteristics of the Storm worm’s network dialog as observed from multiple infection traces.

Source: A Multi-perspective Analysis of the Storm (Peacomm) Worm, from the Cyber-TA site hosted by SRI.

Back to the grind while I hack on some DDoS tracking and stuff … More soon, I promise! I just wanted to highlight these writeups I came across.


Trackback from www.andrewhay.ca » Suggested Blog Reading - Sunday October 21st, 2007 — October 21st, 2007 @ 7:57 pm EST

[…] Reading List - October 10, 2007 - Good collection of posts to check out. […]