COLORADO SPRINGS, Co. – Web 2.0 is all the rage, making users more productive by offering new programming methods and applications used on an Internet platform. We now have all sorts of new Web 2.0 applications available on the Internet, from Google Apps to blogs to instant messaging. These offer us tremendous value when it comes to collaboration and communication, but they also open us up to new kinds of attacks from people who wish to do harm to our systems. Now we are engaged in a constant battle to thwart these new attacks and keep our systems and data secured from hackers. In order to win, you must understand the new methods by which you are being attacked and how you can defend yourself from these attacks. Suffice it to say, the old methods of securing your systems are no longer enough, so just what can we do to protect ourselves? First, let's take a look at what you're up against.
Latest Security Exploits
New exploits are popping up all over the net in the new Web 2.0 world. These new attacks are trickier than ever because they look nothing like traditional attacks. Chief among these new threats are attacks from trusted sites, the Storm Bot-net, and a few others hiding within new Web 2.0 applications. The methods used by today's hackers utilize proven concepts of coding and testing, with a familiarity with current security implementations. The old sloppy script hacks that we have seen in the past are giving way to professional programmers working with professional crime organizations.
Exploits of Trusted Sites
The first of the newest attacks comes from a place you wouldn't expect: websites you trust. Now this isn't to say that your favorite travel agent decided to turn to hacking as a hobby. More likely their site has been infiltrated through a means that they previously trusted, namely Flash-based advertising. Adobe Flash has been at the forefront of providing a rich media experience on the web. Sites like YouTube live on this technology. In addition, advertisers use Flash to deliver their message with more eye-catching graphics and movement.
In order to exploit these ads, hackers are posting ads that link to sites containing malware, or creating copycat versions of existing ads that will install spyware or viruses on anyone who visits them. The original ads are often links to fake antispyware or other supposed security software that will "scan your system" and insist the user install an applet to remove the security risk, when in reality malware is being installed. The hackers are able to perform the redirect in a way that works around traditional website filters and lets users reach the blocked site by using the safe site as a proxy.
Recently several well-known sites have fallen victim to these Flash-based attacks, sites like Expedia.com, Rhapsody.com, and MayoClinic.com, to name a few [1]. These are not mom-and-pop businesses that are being targeted; these are large companies whose websites have been considered safe for a good while. It is this simple premise that makes the attacks so effective: they take advantage of your trust. Ad networks that place the advertising on these web sites are part of the problem. Large sites rely on these ad vendors to place ads and pay for the right to do so. When traced back to the advertiser, the network of these hackers' companies is deep with fake names and false leads [2].
Storm Bot-net
Spam is no new threat to the network. Many companies have devoted significant resources to stopping spam from infiltrating the inboxes of their users. The problem is that spam is becoming more elusive due to bot-nets. A bot is an unwelcome malware program that runs automatically on a user's machine. This allows spam and other attacks, like a denial of service, to avoid detection by IP or region, since it can spread to and come from legitimate sources distributed across regions. IT departments are fully aware of what are called zombie computers, infiltrated by these bots to form a bot-net.

The method for installation of malware packages can vary, but the result is an infected computer sending attacks or spam to friends and colleagues, or even to the far corners of the Internet, without the user's knowledge.
One fairly well-known example of the criminal bot-net phenomenon is called the Storm Bot-net. It first succeeded in spreading via e-mail spam in early 2007. The power of this bot-net lies in the number of computers infected. Estimates are hard to nail down, but at least 160,000 computers are infected at this early point of 2008, with the number varying based upon the latest effort to infect new computers. Some estimates have put the number of Storm zombies as high as 1.7 million in mid-year 2007.

Some of the most successful e-mail messages that allowed the bot to spread detailed shocking and fake news stories such as "Chinese missile shot down USA aircraft" and "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel". It has also masked itself as a Christmas greeting promising scantily clad women in Santa suits, a New Year's greeting, and a Valentine's Day e-card [3]. These latest holiday attacks allowed the bot-net to grow an estimated 50 percent in a very short period of time. At one point, Storm was responsible for the majority of spam mail sent across the globe. It's easy to see why New Zealand computer scientist Peter Gutmann describes Storm as the most powerful supercomputer in the world.
The other disturbing behavior of this particular bot is its response to attempts to track it and disable it. Storm has attempted to shut down security vendor services that are provided over the Internet [5]. It has also become increasingly decentralized, making it harder to shut down in a single set of actions. Another feature of the bot is its connection to encrypted peer-to-peer networks. Although recent investigations of its methods show that the encryption used on the p2p networks is not very strong, the real benefit to the infrastructure of Storm is the removal of a master command and control server [6]. Instead, it receives command and control instructions from the p2p network. This allows the bot to bypass many filters and carry out new commands that are not easily traceable to a single Internet source. One day the bot could be committing a denial of service attack on a vendor or governmental Internet asset, and the next day it's sending spam to lure people into the next Internet scam.
Why has this particular bot-net been so successful at attacking the modern defenses of security software and hardware? The first issue is the constantly changing pattern of the attack. These changes make it hard for a signature-based security tool to trace the attack. It has been reported that Storm can change its payload every few minutes. In addition, the bot-net changes its human vector, going from a Merry Christmas image to a New Year's e-card link in just a couple of days. Even if everyone were notified to look for and avoid a Christmas-themed e-mail, the New Year's payload would already be on its way. The New Year's version of the attack was shown to have 166 different versions, making it hard to block with e-mail filters.
Good security would dictate that access to the IP address of the web site carrying the malicious code be blocked. In the example of the e-card attack, the e-mail linked to a web site "u*have*postcard*.com" (asterisks inserted for safety). Blocking that web site has certainly worked to protect users in past attacks, but Storm uses fast flux DNS. This allows the web site to be accessible via hundreds, or even thousands, of IP addresses being swapped in and out constantly. This method combines a round-robin approach and a very short time to l
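The fast-flux behaviour described above, constant rotation of answers combined with a very short TTL, leaves a recognisable trace in a resolver's own answer history, and that history is what a defender can act on when IP blocking stops working. The following Python script is an added example, not code from the original article: it parses a constructed log of A-record answers (assumed format: epoch, query name, answer IP, TTL), profiles each name by distinct IPs, distinct /16 networks (a stand-in for AS diversity, since no routing data is available offline) and minimum TTL, flags names that match a fast-flux heuristic with assumed thresholds, and measures how little of the later traffic an IP blocklist built from a first observation would cover. The domain names and addresses are constructed placeholders.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample resolver log (placeholder names and documentation-range
# addresses, not real observations). Format: <epoch> <qname> <answer_ip> <ttl>
SAMPLE_LOG = """\
1199200000 flux-lure.invalid 203.0.113.10 300
1199200300 flux-lure.invalid 198.51.100.77 300
1199200600 flux-lure.invalid 192.0.2.45 300
1199200900 flux-lure.invalid 203.0.113.211 300
1199201200 flux-lure.invalid 198.51.100.9 300
1199201500 flux-lure.invalid 192.0.2.130 300
1199200000 news.example.net 192.0.2.200 86400
1199286400 news.example.net 192.0.2.200 86400
"""

# Heuristic thresholds: an assumption for illustration, tune to local traffic.
MAX_FLUX_TTL = 600    # fast-flux names keep TTLs very low so rotation takes effect
MIN_FLUX_IPS = 5      # many distinct answers for one name within the window
MIN_FLUX_NETS = 3     # spread over unrelated networks (/16 used as AS stand-in)


class Answer(NamedTuple):
    ts: int
    qname: str
    ip: ipaddress.IPv4Address
    ttl: int


def parse_log(text: str) -> List[Answer]:
    """Parse the constructed log format; skip blank and '#' comment lines."""
    answers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname, ip, ttl = line.split()
        answers.append(Answer(int(ts), qname.lower().rstrip("."),
                              ipaddress.IPv4Address(ip), int(ttl)))
    return answers


def profile(answers: List[Answer]) -> Dict[str, Dict[str, int]]:
    """Summarise each query name: distinct IPs, distinct /16s, lowest TTL, time span."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    summary = {}
    for qname, recs in by_name.items():
        ips = {r.ip for r in recs}
        nets = {ipaddress.IPv4Network(f"{r.ip}/16", strict=False) for r in recs}
        summary[qname] = {
            "distinct_ips": len(ips),
            "distinct_slash16": len(nets),
            "min_ttl": min(r.ttl for r in recs),
            "span_seconds": max(r.ts for r in recs) - min(r.ts for r in recs),
        }
    return summary


def is_fast_flux(p: Dict[str, int]) -> bool:
    """Low TTL plus many answers across several networks is the fast-flux pattern."""
    return (p["min_ttl"] <= MAX_FLUX_TTL
            and p["distinct_ips"] >= MIN_FLUX_IPS
            and p["distinct_slash16"] >= MIN_FLUX_NETS)


def flagged_domains(log_text: str) -> List[str]:
    """Names in the log whose answer history matches the fast-flux heuristic."""
    return sorted(q for q, p in profile(parse_log(log_text)).items() if is_fast_flux(p))


def ip_blocklist_coverage(log_text: str, qname: str, first_n: int = 1) -> float:
    """Fraction of answers for qname that an IP blocklist built from the first
    first_n observations would still block. Under fast flux this collapses,
    which is why blocking the name beats blocking the addresses."""
    recs = sorted((a for a in parse_log(log_text) if a.qname == qname),
                  key=lambda a: a.ts)
    blocked = {a.ip for a in recs[:first_n]}
    return sum(1 for a in recs if a.ip in blocked) / len(recs)


if __name__ == "__main__":
    for qname, p in profile(parse_log(SAMPLE_LOG)).items():
        verdict = "FAST-FLUX" if is_fast_flux(p) else "stable"
        print(f"{qname:20} {verdict:10} ips={p['distinct_ips']} "
              f"/16s={p['distinct_slash16']} min_ttl={p['min_ttl']}")
    for qname in ("flux-lure.invalid", "news.example.net"):
        print(f"IP blocklist from first answer covers "
              f"{ip_blocklist_coverage(SAMPLE_LOG, qname):.0%} of {qname} answers")
```

In production the input would be a recursive resolver's query log or a passive DNS feed rather than the embedded sample, and the /16 grouping should be replaced by an AS lookup, since fast-flux hosts are infected home machines scattered across many providers while a legitimate CDN may also rotate addresses but usually within a few operator-owned networks. The coverage function is the practical lesson of the passage: with a new address every few minutes, a blocklist of observed IPs protects almost nobody, whereas a block on the name itself holds regardless of which zombie answers next.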