February 2008

TECHNICAL INSIGHT: MALWARE GOES LOCAL


Malware From the Four Corners of the World

By Jeff Green,
Senior Vice President of Product Development and McAfee Avert Labs

There's no doubt in anyone's mind that globalization is sweeping the planet in areas such as commerce, entertainment, and communication. In spite of this trend, countries all over the world have still managed to maintain distinct cultural characteristics that make them unique and interesting. In the January 2008 issue of the McAfee Global Threat Report, McAfee® Avert® Labs researchers share their knowledge about the globalization of threats and malware; in the context of information security, cultural differences are clearly apparent in each country's threat landscape. (For a more detailed view, download a copy of the report.)

Let's take a look at some examples of localized, country-targeted cybercrime by embarking on a whirlwind journey from east to west, beginning with Japan and traveling to Brazil.

Japan
Winny is one of the most popular free P2P applications in Japan. While it was initially developed with the altruistic intent of making it easier to exchange files over an anonymous communication channel, it has since been leveraged by cybercriminals. For the bad guys, it's a perfect tool for exchanging illegal digital content.

As the Winny network has grown, more and more malware has targeted P2P users. One of the most insidious forms of malware that spreads via Winny is W32/Antinny.worm, which exposes files on victim machines to the network. Over the last four years, this type of malware was responsible for security breaches at military organizations, government agencies, and the private sector. Among the victims were the Ministry of Justice, the Japanese Maritime Self-Defense Force, a large cooperative bank, a hospital, and the Tokyo police force.


Figure 1: The Japanese message reads, "Even though Mr. Kaneko was found guilty, you are still using Winny. I really hate such people."

Many large Japanese organizations are now reframing their security policies to prohibit employees from bringing their personal computers to the workplace. Though it sounds simple, the best solution has been to provide enough secured corporate computers for employees. In 2006, for example, the Ministry of Defense purchased 56,000 computers for its staff. Beyond that, organizations are beefing up security by introducing tools to monitor employees' computers and prevent the installation of unauthorized software—including P2P applications.

China
With a Gross Domestic Product (GDP) that has increased by 10.7 percent since 2006, China now ranks as the world's fourth largest economy. Accompanying this explosive growth and changing economic landscape is an Internet revolution: the web user population has shot up at a rate of 509 percent during the last five years. In comparison, the United States has had a 121 percent effective growth rate during the same period.

Sweeping the Chinese nation is an addiction to online gaming, where players trade virtual gold or goods collected from computer games for real money. Real Money Trade (RMT), as it's called, has created an industry that's worth up to US$900 million. Opportunistic virtual entrepreneurs have set up "virtual sweatshops," where hundreds of young workers can make up to US$250 per month harvesting virtual gold by scoring points and winning games. It's estimated that there are more than 100,000 such gamers in China supplying virtual commodities to both domestic and foreign markets.

The RMT economy has become fertile ground for hackers and organized crime. Game password stealers and phishing are the most widespread forms of malware, and they target every possible aspect of RMT. McAfee Avert Labs reported an increasing trend in game password-stealer threats in 2006 that peaked in October and is continuing into 2008. Early versions of this malware, like the PWS-QQPass, PWS-WoW, and PWS-Lineage Trojans, have evolved into complex, highly efficient hybrids that combine several exploits (examples include PWS-OnLineGames and PWS-MMORPG) and target multiple online games and communities. Along with password stealers, phishing sites in China have grown at an alarming rate. In 2007, the McAfee SiteAdvisor™ team discovered that 0.2 percent of all web sites registered in China host exploits; that's more than twice the global average!

How are the Chinese government and law-enforcement officials coping with this tidal wave of cybercrime? With the recent conviction of cybercriminals like Li Jun, author of the notorious W32/Fujacks exploit (which attempts to infect files on the victim's system and tries to download additional Trojans from a remote web site), Chinese lawmakers are sending the message that they are taking this very seriously. Federal and local governments are working hand-in-hand with business organizations such as China Banking Regulatory Commission (CBRC) to develop more stringent policies that enforce measures for stemming online criminal activity.

Germany
Hackers are going local, and Germany, with its well-developed, sophisticated economy, has become a major target. Worldly-wise cybercriminals have done their homework and are hip to how Germans bank online and what kind of content is likely to get their attention—from spam written in perfect German promising highly prized tickets to the Fédération Internationale de Football Association (FIFA) World Cup to false invoices from well-known German companies, such as Deutsche Telekom, eBay, or the federal service that collects fees from anyone who owns a TV or radio. This type of content is sure to pique the interest of most Deutschlanders. After all, what self-respecting German would fail to pay his bills or turn down the opportunity to attend a soccer game!

One particularly insidious piece of malware that has been widespread in Germany is Downloader-AAP. Downloader-AAP downloads a text file containing an encrypted URL, which it decrypts, together with Spy-Agent.ba, a Trojan that the victim downloads unwittingly and that steals confidential account information. The Trojan infiltrates the communications between home users and their banks and is designed to hijack home banking connections and steal user credentials and transaction authentication numbers (TANs). Hackers have adapted this Trojan to target various financial institutions in Germany.

On September 13, 2007, Germany's Federal Office of Criminal Investigations (BKA) busted an international group of phishers, who allegedly had been distributing phishing emails with Downloader-AAP as an attachment. But this conviction hasn't put a stop to Downloader-AAP. In a matter of days after the arrest, Avert Labs received a new sample that was distributed in a similar way and downloaded Spy-Agent.ba. It remains to be seen to what extent this exploit will continue to barrage the inboxes of German users.

Brazil
In the southern hemisphere, Brazil has suffered from a plague of Trojans called "PWS-Bankers." "PWS" stands for "password stealers"—malware that targets bank account passwords. As in Germany, password-stealing Trojans invade systems through phishing scams. Phishing emails display fake login pages that play upon visitors' sense of compassion with appeals for contributions and assistance for victims of hurricanes and airplane crashes.

Because of the popularity and benefits of online banking there, Brazilian banks seem to be the favorite target of cybercriminals. In 2005, Febraban (the Brazilian Banks Federation) estimated losses at R$300 million (reais, about US$165 million) resulting from online fraud. Brazil boasts one of the most efficient and most secure online banking systems in the world: nearly all Brazilian Internet banking sites use HTTPS and two PINs, one to log into the system and the other to confirm an operation, and some add another layer of security with one-time password tokens. Even so, hackers have found clever ways to get around all of this security and appropriate the account and login information of online bankers.

Well-written, expertly designed phishing emails with interesting subjects—fake orders from well-known stores, greeting cards, celebrity photos, tax software, election reports, to name a few—lead victims to download PWS-Banker. As soon as PWS-Banker is installed on a system, it sends valuable IP information back to the fraudsters. Meanwhile, running in the background, PWS-Banker monitors the web sites the user is visiting, and when it notices that the user is going to one of the target bank URLs, it displays a window that mimics the bank's site. After unsuspecting bank customers enter their account numbers, secret PINs, and other valuable information, an error message pops up and sends them on to their real banking site. In the meantime, the hackers have grabbed valuable personal and financial information.


These examples illustrate the differences:


Figure 1: A real bank's online screen. A genuine bank asks only for user name and Internet PIN.


Figure 2: Fake screen used by the PWS-Banker Trojan. This form digs a little deeper, asking the user for branch office number, account number, and bank PIN.
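As an added example (not code from McAfee or from this article), the following Python heuristic applies the distinction Figures 1 and 2 draw: it flags a login prompt that asks for fields the bank's genuine login page never requests. The bank name, baseline field set and label synonyms are constructed assumptions, and the synonym table also folds Portuguese labels onto the same canonical names, which goes slightly beyond the two figures.

```python
# Added example (not McAfee's code): a heuristic that flags a login prompt asking
# for more than a bank's genuine login page does, as in Figures 1 and 2 above.
# Bank name, baseline fields and label synonyms are constructed for illustration.
import re
import unicodedata

# Constructed baseline: what the genuine login page of a hypothetical bank asks for.
LOGIN_BASELINE = {"example-bank": {"user name", "internet pin"}}

# Free-form labels (English and Portuguese) folded onto canonical field names.
SYNONYMS = {
    "agencia": "branch", "branch office": "branch",
    "branch office number": "branch", "branch office no": "branch",
    "conta": "account number", "account": "account number", "account no": "account number",
    "senha": "pin", "password": "pin", "bank pin": "pin",
    "username": "user name", "login": "user name",
}

# Extra fields that matter most: secrets outrank account identifiers.
SECRET_FIELDS = {"pin", "internet pin", "tan", "token"}
IDENTIFIER_FIELDS = {"branch", "account number", "card number"}


def normalize(label: str) -> str:
    """Lower-case, strip accents and punctuation, then map synonyms: 'Agência' -> 'branch'."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = re.sub(r"[^a-z ]+", " ", s)
    s = re.sub(r"\s+", " ", s).strip()
    return SYNONYMS.get(s, s)


def assess_prompt(bank: str, requested_fields) -> dict:
    """Compare the fields a prompt asks for against the bank's genuine login baseline."""
    requested = {normalize(f) for f in requested_fields}
    excess = requested - LOGIN_BASELINE[bank]
    secrets = sorted(excess & SECRET_FIELDS)
    identifiers = sorted(excess & IDENTIFIER_FIELDS)
    if secrets:
        verdict = "high"      # asks for a credential the real page never requests
    elif identifiers:
        verdict = "medium"    # harvests account identifiers the real page does not need
    elif excess:
        verdict = "low"
    else:
        verdict = "none"
    return {"excess": sorted(excess), "secrets": secrets,
            "identifiers": identifiers, "verdict": verdict}


if __name__ == "__main__":
    print(assess_prompt("example-bank", ["User name", "Internet PIN"]))
    print(assess_prompt("example-bank", ["Branch office number", "Account number", "Bank PIN"]))
```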


Banks are doing their part to make online transactions as secure as possible for their customers, and Brazilian police are cracking down hard on cybercrime. From July to September 2007, close to 100 individuals involved in bank-account password theft were apprehended. The police operation Nerds II led to the capture of a group of 29 persons responsible for the appropriation of more than R$10 million (US$5.5 million) in less than a year.

Conclusion
This brief tour is only a glimpse into a problem that is mounting. There's no doubt that culturally targeted malware is on the rise. Cybercriminals have turned into adept social anthropologists, studying the customs of dynamic nations that are on an economic growth path and sniffing out potential opportunities for exploitation. It's ultimately up to each country to come up with effective ways to address the problem—through increased law enforcement efforts to track down fraudsters, stronger policy definition and enforcement in the public and private sector, and the implementation of security technologies from trusted vendors.