Cybercriminals enjoy the latest technology advancements just like everyone else, and they're not agreeing to sit in the backseat of the technology bandwagon. (Part V In a Series on Cybercrime. Read Part I, Part II, Part III, Part IV)
We’re surrounded by applications, adopting them as soon as they are released. Never before in human history has a population adapted to technology advancements as we currently are nowadays. But we, the netizens, are not the only ones benefitting from these technologies. The hackers are sharing this high-speed ride with us and they’re not agreeing to sit in the back seat of the technology bandwagon. What are the current technologies hackers are using in order to deliver their malware and to continue proliferating albeit different attempts to shut them down?
Social Networks as an Attack Platform
Social networks are consistently growing in size. And they represent a fat target: the wealthiest individuals engage with these sites much more than the average person. It should come then as no surprise that attackers have gone nuts. Social networks have simplified the hacker’s task in two ways. First, there’s a false notion of trust users place in these networks and their affiliated 3rd party applications (that the Wall Street Journal trashed on their front page recently). Second, the rapid growth of Web 2.0 applications and their high volume of vulnerabilities. Mix the two with the inherent viral nature of social networks and you receive a breeding ground for malware. And hackers are exhibiting creativity when it comes to exploiting social networks at all levels:
• Security vulnerabilities within the Social Network platform – These are gaping security holes on the social network platform itself. Take for example, a recent (though now fixed) Facebook design flaw. By exploiting Facebook’s photo authentication code, a single spammer was able to promote an iPad scam through a user’s “Wall”.
• Security vulnerabilities residing in a Social Network’s 3rd party application – Even a vulnerable 3rd party application becomes a tool for promoting malware. Just a couple of months ago, security firm Sophos have shown the proliferation of click-jacking attacks. In these types of attacks, the user assumes she is retrieving information from the most recent popular application circulating between her friends. Although in reality, hidden behind those buttons are in fact like/ dislike/ share buttons. Unknowingly, she is voting for this app, further encouraging the spread of the worm.
• Phishing scams purporting to originate from the Social Network- Amazingly, the oldest trick in the book does not die out when a phishing email claiming to be from a social network arrives in the inbox of the victim. Twitter users, even high-profiled ones such as UK’s Secretary of State for Energy and Climate Change, fall time and again to such phishing campaigns. LinkedIn users are not immune either – as victims of the Bugat Trojan can prove.
• Engaging Search Engines – Social networks users are even unknowingly engaged to promote malicious sites on search engines. For instance, a few months ago a search on Google for a certain rumored application was used to increase the ranking of a malicious site. The ironic part in this incident is that there was never such an existing application!
Social Networks as Command and Control Conduits
But all these described attacks are just a handful of techniques coming out of the hacker’s toolbox. The real gift that social networks presented to the hacker industry is the ability to literally thrive on their platform. For the past year and a half the security industry has seen social networks being used to command and control the bots. Take for example the Mehika Twitter botnet uncovered in recent months, as a typical scenario. A hacker’s account is set up which the bot follows. When the time is ripe for attack, the hacker Tweets to its bot-followers and accordingly they rise to the task of spamming, DDoS-ing, or any other attack of hacker desire. Similarly, commands to compromised computers may also pass over the radar of security researchers when used as status updates in Facebook and LinkedIn accounts.
Network Closure - the Resilient Botnet Command Infrastructure
Botnet farmers are not only investing in maintaining their elaborate network, but have also invested much effort to make these networks resilient to shutdown. Earlier this year, RSA researchers found bot networks containing redundant command and control channels. The idea behind this sort of network closure is that despite a channel take-down, the bots in the farmer’s collection can continue to receive their commands - via another channel. This redundant network has even proved to be effective as in the takedown of the Troyak botnet. Due to this botnet’s network closure, it shot back to business within a couple of days after an attempt to sever it from the Internet.
Fast-Flux Technology – Evading Takeover
But network closure is not the only method for a botnet farmer to hold its ground against shutdown. In traditional botnet command and controls setups, the compromised machine receives its signals from a single server. If that server is detected and removed, the zombie machines have in a sense, “lost their brains”. Thus security researchers are constantly on the lookout to buy out those domains before the hackers register it for their purposes. As a result, the botnet farmers are constantly developing new methods to evade this sort of detection. Trojan code has accordingly evolved in sync with this sort of cat and mouse chase. At first, the more “primitive” code attempted to register its servers according to hard-coded values. Nowadays the code incorporates “fast-flux technology” – a technique where the DNS servers are chosen randomly.
With this fast-flux technology, it should not come as a surprise that 57,000 malicious websites are created per week. Of course, not all of these websites are C&C servers, but fast-flux technology is the current method botnet farmers are using. As long as this method allows them to be ahead of the game, we can expect this number to grow.
With that in mind, dare I propose the reason why eNom is the 2nd largest domain name registrar (DNR)? ENom is considered the host for the largest number of malicious websites according to HostExploit. Adding the fact that bots are registering URLs in an automated manner and that eNom does not require a complex registration process, could we conclude that this is actually the reason that eNom is such a popular DNR?
Coming Up Next – When Hacktivism Meets Industrialization
We discussed the profitable industry of hackers. But those are not the only hackers out there. Some consider themselves “ideological” hackers. These are state-sponsored, governmental or nation-inspired hackers. These hacktivists are beginning to borrow attack techniques from the successful hacker industry. So stay tuned as I talk about what happens when ideology meets practice!
Related Reading: Hackers Have Business Models Too!