The top 10 spam, malware and cybersecurity stories of 2010

2011-02-01

Terry Zink

Microsoft, USA
Editor: Helen Martin

Abstract

Spam, malware and general security topics all hit the headlines in 2010. Terry Zink takes a look back at the biggest newsmakers of the year.


2010 was a year filled with plenty of security stories – spam, malware and general security topics all hit the headlines. (In this article, when I use the term ‘spammers’, I use it in a generic sense to refer to people who send spam, distribute malware, perform black search engine optimization, etc.) It was a jam-packed year, so let’s take a look at the biggest newsmakers. (Please note that the views and opinions expressed in this article are the author’s own and do not necessarily state or reflect those of Microsoft.)

1. Rustock clogs up bandwidth and then stops

This story began in December 2009. It was then that Rustock, the world’s largest botnet, first started sending spam over Transport Layer Security, or TLS.

TLS is a protocol that is used as a form of security in email by encrypting the communication channel between the sender and the receiver (see http://www.wisegeek.com/what-is-tls.htm for more details). Usually, it is used between two legitimate parties who do not want anyone to eavesdrop on their communication. Like any encryption protocol, TLS is computationally expensive. It requires the sender and receiver to negotiate a certificate exchange and uses up quite a bit more computational resources. This reduces both the number of messages a sender can transmit and the number of messages a receiver can receive.

This is what makes Rustock’s behaviour puzzling. Rustock is known to send large bursts of messages, but only about one per email envelope. It also sends from a very wide swathe of IP addresses. By sending spam over TLS, Rustock was effectively limiting the amount of mail it could send. Since spam requires very wide distribution in order to be effective, this behaviour seemed counterintuitive. Why would Rustock start doing this? Perhaps its creators wanted the messages to be seen as legitimate – a receiver might consider a sender over TLS more likely to be legitimate (on the assumption that a botnet is unlikely to devote the resources to using the protocol). Another possibility is that they wanted to encrypt all of the communication channels from nodes to bot-controllers, and this logically extended to the sending of email as well. Ultimately, why they did it is still unclear.

Yet as mysteriously as it started, Rustock stopped sending spam over TLS about halfway through the year. It’s possible that when its creators discovered that sending spam over TLS didn’t improve delivery but mostly impeded it, they abandoned the encryption protocol in favour of the efficiency of sending mail over plain text. In any case, they reverted to type and continued to spam as usual.

2. Spamhaus releases a whitelist

Spamhaus is best known for its work in categorizing IP space with a bad reputation. It is very well respected within the anti-spam community and many consider it indispensable for filtering out spam. Indeed, without the IP block lists maintained by Spamhaus (combined with its reliably low false positive rate), many filtering services would be unable to function as the filtering resources would be overwhelmed with more expensive content filtering that would drag down network resources and introduce unacceptably high latency.

Spamhaus expanded on its bad guy identification with a domain block list in March 2010, but then in September it moved forward with the inverse of what it is known for – a whitelist of known good senders. While still a small list, this is a reversal of what the anti-abuse community has typically done until now (identify the bad players).

Moving to a whitelist model is not exactly revolutionary, but it does put an interesting twist on spam filtering. If we start looking for the good guys, can we be more aggressive against the bad guys? Perhaps we can use it to be more efficient in spam filtering by conserving resources on content filtering. Or perhaps we can use it to drive down false positives. Or perhaps this is something that we will have to do anyhow if we ever start to use IPv6 addresses to send email, as this will make the use of IP block lists much more difficult. In any case, the shift from looking for bad guys to looking for good guys is an intriguing development.
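To make the resource argument concrete, here is an added illustration of a reputation-first filtering pipeline. It is not Spamhaus' code or any real service's API: a whitelist hit skips content filtering entirely, a block-list hit rejects before the body is read, and only senders of unknown reputation pay for content scanning. The zone names, list contents, messages and the toy content heuristic are constructed placeholders; the query-name construction follows the conventional reversed-label DNS lookup, and the IPv6 branch shows why per-address lists become unwieldy there.

```python
"""Reputation-first spam filtering: whitelist, then block list, then content filter.

Added illustration; not Spamhaus' implementation or any real service's API.
Zone names are placeholders, and the list contents, messages and content
heuristic are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Placeholder zones standing in for an IP block list and an IP whitelist.
BLOCK_ZONE = "bl.example.invalid"
WHITE_ZONE = "wl.example.invalid"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name a reputation list is queried under.

    IPv4 reverses the four octets (10.2.0.192.zone); IPv6 reverses all 32
    nibbles. The IPv6 form has 32 labels per address and a single /64 holds
    2**64 addresses, which is why per-address listing does not scale there.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Constructed stand-in for DNS answers: a listed name resolves (real lists
# answer with a 127.0.0.x code); an unlisted name would be NXDOMAIN.
SAMPLE_ANSWERS = {
    dnsbl_query_name("192.0.2.10", BLOCK_ZONE): True,    # known spam source
    dnsbl_query_name("198.51.100.7", WHITE_ZONE): True,  # known good sender
}


def is_listed(ip: str, zone: str, answers=SAMPLE_ANSWERS) -> bool:
    return answers.get(dnsbl_query_name(ip, zone), False)


@dataclass
class Stats:
    accepted: int = 0
    rejected: int = 0
    content_scanned: int = 0  # how often the expensive stage actually ran


def content_filter(body: str) -> bool:
    """Toy stand-in for an expensive content scanner: flag known spam phrases."""
    spammy = ("canadian pharmacy", "cheap pills", "click here")
    return any(phrase in body.lower() for phrase in spammy)


def filter_message(sender_ip: str, body: str, stats: Stats,
                   answers=SAMPLE_ANSWERS) -> str:
    # 1. Known good sender: accept without spending content-filtering cycles.
    if is_listed(sender_ip, WHITE_ZONE, answers):
        stats.accepted += 1
        return "accept:whitelist"
    # 2. Known bad sender: cheap rejection before the body is even read.
    if is_listed(sender_ip, BLOCK_ZONE, answers):
        stats.rejected += 1
        return "reject:blocklist"
    # 3. Unknown reputation: only these messages pay for content filtering.
    stats.content_scanned += 1
    if content_filter(body):
        stats.rejected += 1
        return "reject:content"
    stats.accepted += 1
    return "accept:content"


# Constructed sample traffic (documentation-range addresses).
SAMPLE_MAIL = [
    ("198.51.100.7", "Quarterly report attached"),        # whitelisted sender
    ("192.0.2.10", "Cheap pills, click here"),             # blocklisted sender
    ("203.0.113.5", "Canadian Pharmacy specials inside"),  # unknown, spammy body
    ("203.0.113.9", "Lunch on Friday?"),                   # unknown, clean body
]


def run_sample():
    stats = Stats()
    verdicts = [filter_message(ip, body, stats) for ip, body in SAMPLE_MAIL]
    return verdicts, stats


if __name__ == "__main__":
    verdicts, stats = run_sample()
    for (ip, _), verdict in zip(SAMPLE_MAIL, verdicts):
        print(f"{ip:14} {verdict}")
    print(f"content filter ran on {stats.content_scanned} of {len(SAMPLE_MAIL)} messages")
```

On the four constructed messages the content filter runs only twice; the other two are decided by a single cheap lookup each, which is the saving the whitelist brings on top of the block list.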

3. Australia boots infected PCs off its networks; Comcast stops just short of doing that

For years, many home computer users have been oblivious to the malware running on their systems and to just how much abuse they have been responsible for. As these infected machines act as bot nodes, the inattentiveness of their owners causes real harm to the rest of the world. In January, the federal government of Australia urged ISPs to come up with a mechanism to take infected computers offline and submitted its own draft copy of a voluntary code of conduct. The abuse mitigation plan proposed slowing down an infected customer’s Internet connection or changing their password so that the user would be forced to call the support desk (at which point they could be informed that their machine was infected with malware and advised as to how to clean up and prevent future infections).

Later on in the year, American ISP Comcast experimented with its own bot-detection programme before rolling it out to its entire customer base. Comcast’s approach is to detect when a customer’s computer is connecting to a known botnet. Then, when the computer next connects to the Internet, Comcast directs the user’s homepage to a landing portal – a quarantine of sorts. This page informs the user that they have an infected machine, and provides information about why they were quarantined and what to do about it.

The Australian government and Comcast are being proactive and attempting to change user behaviour by making it inconvenient for users to have bad computer hygiene. Most computer users are not aware of the malware lurking in the background on their machines, but if they receive a notification saying that they must take action or else their Internet experience will be impeded, then that prompts them to change their behaviour. At the very least, it should prompt them to install the latest updates and run a malware check.

It’s a good strategy and a nice change – prompting the user to take action and doing the heavy lifting for them (detecting infection) instead of assuming that they will engage in best practices of taking care of their computer.

4. Gawker hacked, Twitter spammed, LinkedIn forces user resets

It is not unusual these days for websites to be hacked. Indeed, many of the vulnerabilities that were in play 10 years ago are still in play today (such as SQL injection attacks and cross-site scripting). 2010 was no stranger to these attacks.

In the summer of 2010, the social media website Gawker was attacked, and in December the hackers made their findings public. The hackers managed to acquire nearly 1.5 million usernames and decrypted about 200,000 of them. The most commonly used passwords were ‘password’, ‘123456’ (or some variant thereof) and variants of ‘qwerty’, the first six letters on a standard keyboard.

The attack on Gawker is one of a long list of compromises. In 2009, hackers posted hundreds of thousands of Hotmail, Yahoo! and Gmail usernames and passwords. Then, as now, the most common passwords were ‘password’, ‘123456’ and other such variants. User behaviour hasn’t changed much in a year, and statistical guessing games are all an attacker needs in order to compromise an account. If password reuse is such a common occurrence among users, then cyber thieves don’t need many skills in order to break into a system. All they need is a list of usernames (usually email addresses); then, starting with the most commonly used passwords, they can use a process of trial and error until they find one key that works.

What made this particular attack so heinous was not its size per se, but rather its reuse and downstream implications. After the hacking group posted the usernames and passwords, a flurry of spam activity started to emanate from Twitter where some of the usernames were sending out spammy tweets. Some users of Gawker must have been using the same credentials to log into their Twitter accounts. Even if the passwords were not decrypted, it was a fairly good bet that they contained some of the most common ones in the set. In other words, the hackers gave the spammers a gift by publishing the Gawker credentials, and other services like Twitter paid for it.

LinkedIn, another social networking site, decided to take evasive action and force its entire user base to reset their passwords as there were likely to be a number of reused usernames and passwords in LinkedIn’s user list, too.

The lessons we’ve learned from this particular hack are:

  1. Users do not choose good passwords.

  2. Other sites will pay the penalty for such insecurity.

  3. Hacking incidents like these are not going to go away anytime soon.
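The trial-and-error pattern described above leaves a footprint on the receiving side: one source trying many distinct usernames and failing most of the time. The following added example (not from the article or any product) scans constructed authentication log lines and flags such sources, returning the accounts that nevertheless succeeded so they can be forced to reset, which is the response LinkedIn chose. The log format, addresses and account names are all constructed for the example.

```python
"""Spot password guessing across many accounts in authentication logs.

Added example for the discussion above; not from the article or any product.
The log format, addresses and account names are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed syslog-like format: <timestamp> auth <ok|fail> user=<id> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 walks through many accounts and gets two
# hits; 198.51.100.20 is one user mistyping a password; 192.0.2.77 is a
# shared office address where several people log in normally.
SAMPLE_LOG = """\
2010-12-13T10:00:01 auth fail user=alice@example.com src=203.0.113.5
2010-12-13T10:00:02 auth fail user=bob@example.com src=203.0.113.5
2010-12-13T10:00:02 auth fail user=carol@example.com src=203.0.113.5
2010-12-13T10:00:03 auth ok user=dave@example.com src=203.0.113.5
2010-12-13T10:00:03 auth fail user=erin@example.com src=203.0.113.5
2010-12-13T10:00:04 auth fail user=frank@example.com src=203.0.113.5
2010-12-13T10:00:04 auth ok user=grace@example.com src=203.0.113.5
2010-12-13T10:00:05 auth fail user=heidi@example.com src=203.0.113.5
2010-12-13T10:01:00 auth fail user=ivan@example.com src=198.51.100.20
2010-12-13T10:01:05 auth fail user=ivan@example.com src=198.51.100.20
2010-12-13T10:01:12 auth ok user=ivan@example.com src=198.51.100.20
2010-12-13T10:02:00 auth ok user=judy@example.com src=192.0.2.77
2010-12-13T10:02:30 auth ok user=mallory@example.com src=192.0.2.77
2010-12-13T10:03:00 auth ok user=oscar@example.com src=192.0.2.77
"""


def parse(log_text):
    """Yield parsed events, skipping lines that do not match the format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_sources(log_text):
    """Per source IP: distinct users tried, failure/success counts, accounts hit."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": set()})
    for ev in parse(log_text):
        s = stats[ev["src"]]
        s["users"].add(ev["user"])
        if ev["result"] == "fail":
            s["fail"] += 1
        else:
            s["ok"] += 1
            s["ok_users"].add(ev["user"])
    return stats


def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {src: sorted accounts it logged into} for sources that tried at
    least min_users distinct accounts and failed at least min_fail_ratio of
    the time. A legitimate user failing on one account, or a NAT address
    where many accounts succeed and few fail, does not match."""
    hits = {}
    for src, s in summarize_sources(log_text).items():
        attempts = s["fail"] + s["ok"]  # never zero: a source exists only via an event
        if len(s["users"]) >= min_users and s["fail"] / attempts >= min_fail_ratio:
            hits[src] = sorted(s["ok_users"])
    return hits


if __name__ == "__main__":
    for src, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: guessing pattern; force password reset for {accounts}")
```

The thresholds are deliberately conservative so that a user who mistypes a password a few times, or a shared address behind NAT, does not trip the rule; tune them against your own baseline before acting on the output.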

5. Shutdowns abound

2010 saw botnets infiltrated and shut down in droves as security researchers resorted to a variety of tactics in order to knock them offline.

  • In January, the Lethic botnet was shut down by Neustar.

  • In February, Microsoft acquired a court order which effectively shut down Waledac.

  • In March, a group of security researchers worked together with law enforcement and shut down the Mariposa botnet.

  • In August, security company Lastline took down the Cutwail botnet.

  • In September, authorities arrested a large money mule operation associated with the ZeuS botnet.

  • In November, the Bredolab botnet was taken down by anonymous security folks.

  • In late December, Rustock stopped sending so much spam.

Each of these takedowns had a small effect in the immediate aftermath. However, as we have learned since the 2008 McColo shutdown, botnet operators have become increasingly resistant to major disturbances and it no longer takes very long for them to get back online. Indeed, what we see now compared to back then is that botnet operators have evolved to make their infrastructure smarter. They have also started getting smaller; rather than huge botnets consisting of lots of nodes, they have lots of botnets with smaller numbers of nodes. This means that shutting down a botnet now has less impact on global spam levels.

6. More arrests of cybercriminals

Every year there are stories of cybercriminals being arrested or being hit with huge fines. Every year, anti-abuse professionals hope that this will reduce the amount of abuse going on, and every year they are disappointed. However, hope springs eternal that maybe this time it’s different. Below are some of the more notable cases of 2010:

  • In June, Microsoft sued Boris Mizhen, accusing him of sending millions of spam messages to Hotmail. The lawsuit also claimed that Mizhen attempted to circumvent its filters by abusing the Junk Email Reporting Program and its Smart Network Data Services system. Mizhen has a long history of being accused of spamming; he has previously been listed on Spamhaus’s Register of Known Spam Operators (ROKSO) and had previously been sued by Microsoft (in 2003) for sending spam to Hotmail.

  • In July, a 23-year-old Slovenian was arrested by authorities on suspicion of helping to develop the Mariposa botnet.

  • In August, notorious alleged spammer Leo Kuvayev was arrested in Russia. Kuvayev had previously been charged with spamming by the state of Massachusetts and at one point was listed by Spamhaus as one of the world’s three most prolific spammers. This time, however, Kuvayev was arrested and jailed on multiple charges relating to child abuse [1].

  • In October, authorities in the UK arrested 19 people in connection with the ZeuS malware gang. The group of individuals behind the spyware ring was thought to be part of a multinational operation that was responsible for stealing $10 million over a three-month period and may have been responsible for up to $30 million. What was significant about this arrest was the amount of international cooperation that went on to break up this ring. ZeuS is one of the major pieces of malware out there and it is hoped that going after the people behind it will knock part of it offline, at least for a little while.

  • In November, 23-year-old Oleg Nikolaenko, believed to be the operator of the Mega-D botnet, one of the largest spamming botnets in the world, was arrested and scheduled to be arraigned in a federal court in Milwaukee, Wisconsin.

Defence in depth is always important in computer security, but disruption of the activities of those behind the threats also has the potential to impact cyber abuse in a positive way.

7. Spam volume drops

For years, users of the Internet have been plagued mercilessly with junk mail filling up their inboxes. This has spawned a new industry – the anti-spam industry. Since the start of the anti-spam industry (less than 15 years ago), we have seen spam levels continuing to rise every year. Indeed, according to some metrics, spam comprises 90% of all email, and 97% of email flowing over the public Internet.

Yet, in the second half of 2010, spam volumes started to decline. This was noticed by a number of vendors. The CBL – an IP block list that populates its lists with widely distributed honeypots, and a contributor to the Spamhaus feed – saw a steady decline starting in May 2010:

Figure 1. CBL monthly spam volume hits [2].

Over at Microsoft Forefront Online, a similar trend was observed. After ramping up during the start of the year, a gradual decline was seen in the volume of spam hitting the servers, and total spam volume continued to drop for the rest of the year (Figure 2).

Figure 2. Microsoft Forefront Online weekly spam volume in 2010.

McAfee’s third quarter threat report [3] showed the same pattern, as did reports from Cisco’s Senderbase page.

This is a very interesting development. There are numerous possible explanations for the drop in spam:

  • In September, a spam affiliate programme known as Spamit decided to close down, blaming its closure on increased public attention [4]. Affiliates like this are commonly associated with the Canadian Pharmacy spam advertisements that we regularly see, not just in our email but also in our search engine query results and the comment sections of various blogs. With Spamit out of the way, perhaps pharmaceutical spammers lost a major source of revenue. Without the money, there is no incentive to spam.

  • In October, two rival sets of malware developers – those behind ZeuS and SpyEye – decided to merge code bases [5]. It takes time to combine two pieces of software and if you are not an organization that is used to having to support older versions, those older versions of the software can simply lie ‘stranded’ (i.e. nobody pays attention to them and they are not supported). Perhaps the technicality of merging the two code bases is not going smoothly in the criminal underground.

  • Perhaps the shutdowns of all of the various botnets are having an effect on the amount of spam that we receive. Spammers, tired of being shut down, are moving on to other things because once you get good at spamming, authorities start to take notice. It may be that the risk/reward ratio is not what it once was.

Will this particular trend seen in 2010 continue into 2011? That remains to be seen. It could be that more lucrative types of abuse are starting to attract the major criminal players – and that leads into the next major story of 2010.

8. Facebook unveils ‘This is not email’

In November 2010, social networking site Facebook announced a new messaging platform using the Facebook interface – a new communication platform that works a lot like email.

This messaging platform is basically a way to talk to people from within Facebook regardless of whether they are users of the site. You use the Facebook interface to talk to your friends. If your friends are on SMS (i.e. text via cell phone), the communication exchange will be sent to the Facebook chat. If your friend is using a chat platform, then the message is routed through the Facebook chat window into their chat program. Similarly, if all they use is email, then you can have a conversation with them. You are given an @facebook.com email address. You send your friend the message, and they reply to you. The message then goes to your Facebook messages view where you can read it. In this case, the email address you are given is an SMTP address to which the mail is delivered, and then the Facebook messaging API parses the message and renders it for you in your own window.

Facebook was pretty insistent that this platform is not email, nor is it meant to directly replace email. The model of this communication platform is more like chat – no subject lines, and instant communication, all while allowing the user to use one platform. It didn’t take long for others to predict that this would be the first nail in the coffin for email (my own position is that email will always be a useful platform because you need more than just chat to communicate electronically). However, the point was made – email is not quite the growth platform it was 15 years ago. The major growth is in other avenues of communication, especially through social networking, and that is where advertisers will innovate.

Folks in the technology business may not realize it, but if teens and advertisers start flocking to platforms other than email, then spammers will do so as well. Indeed, there are plenty of ways for spammers to advertise – through fake tweets on Twitter, through black search engine optimization, through compromised social networking accounts and friendship requests, and so on. These are all major problems that newly successful companies of the past five years have had to deal with. Once you become popular, you become a magnet for abuse. Unfortunately, many such companies haven’t quite learned how to deal with abuse yet. Email spam has been around for a long time, and both email providers and (most) users have a good understanding of how to combat it. Perhaps the reason spam dropped in 2010 is because spammers are seeing other, more profitable ways to abuse the Internet where the defences are not yet well established.

Facebook did not unveil a platform that does away with the need for email. However, it may have signalled to the rest of us that the focus for abuse is moving someplace else. (I don’t mean that spam will ever go away – it won’t. There’s too much money in it. What I mean is that the problem will not get exponentially worse the way it did in the late 1990s and first half of the 2000s.)

9. Hacktivism is here to stay

He may not have won Time Magazine’s Person of the Year award, but WikiLeaks founder Julian Assange made a major impact on global diplomacy. With the release of thousands of documents about the wars in Iraq and Afghanistan, people started to take notice. However, with the release of thousands of diplomatic cables in November, and the ensuing heated public debate over the legality of those disclosures, corporations that were passively involved in providing financial services to WikiLeaks started to distance themselves from the site. By the end of the year, PayPal, MasterCard and Visa were reported to have stopped processing WikiLeaks donations and transactions.

Driven by an ideology of hacktivism, which uses hacking as a means to advance political goals, and informationism, which is the belief that information should be allowed to flow freely throughout the Internet, volunteers belonging to a group known as ‘Anonymous’ launched distributed denial-of-service attacks against the websites of these companies. Believing that these companies were passively involved in a conspiracy to suppress free access to information (or at least conspiring to act as a barrier to it), Anonymous succeeded in taking down the targeted firms for a period of time with an all-volunteer DDoS attack.

PayPal, MasterCard and Visa are not small websites. They handle a lot of traffic every day in order to deal with their very large user bases. For these to be overwhelmed with a DDoS attack means that Anonymous had to mobilize a lot of resources. They did so in a short period of time, primarily tapping a large and vocal group of readers of a particular website.

Ideologically driven individuals with technical skills, such as those who constructed the DDoS tools taken up by Anonymous – or even those without technical skills of their own but with access to simple tools of Internet disruption – can do a lot of damage when motivated to do so, as the WikiLeaks backlash attests.

10. Stuxnet appears

No story generated more hype, mystery and intrigue in 2010 than that of Stuxnet, and deservedly so. In July 2010, a new strain of malware was detected that utilized four zero-day vulnerabilities in Windows. It also exploited a vulnerability used in 2009’s major Conficker outbreak. Stuxnet was a computer worm that was designed to cause major disruptions in the circuit boards of industrial control systems, reprogram programmable logic controller boards, and then hide its changes. A certain number of infections were discovered in Iran, and a large proportion of those were discovered in Iranian nuclear power plants. In November, Iran confirmed that its nuclear programme had been damaged by the worm. Stuxnet appears to have been intended to cause damage to various components of nuclear plants – making almost imperceptible changes that could lead to great cumulative disarray.

Stuxnet was not like a traditional piece of malware that sneaks into a system. From the early discovery that it had been digitally signed with certificates from legitimate tech companies to subsequent speculation and revelations concerning its origin, purpose, architects and effect, theories have abounded. Those stories have been told in other venues so I won’t repeat them here (some of them require the use of a tinfoil hat, and deservedly so), but already rumours of copycat versions (or next-generation versions, or rumours of the vulnerability being sold on the black market) are spreading – even though the four zero-day vulnerabilities have been patched for months.

Stuxnet is a game changer because it is believed to be a remarkably sophisticated instance of cyber espionage. Attacks in 2007 against Estonia and in 2008 against Georgia took the pattern of a cyber riot wherein nationalistic hooligans with technical skills took down a country’s infrastructure using electronic attacks. Stuxnet, on the other hand, hints at a remarkably well-planned and well-organized effort involving multiple knowledge bases and skills.
