Phishing Tool Builds Sites in Seconds

March 8, 2008 – 6:55 PM

Software developers like to make installation of their programs simple and quick. So do hackers.

Analysts at RSA Security Inc. early last month spotted a single piece of PHP code that installs a phishing site on a compromised server in about two seconds, the vendor noted in its monthly online fraud report for June, released on Tuesday.

The code contains all of the HTML (Hypertext Markup Language) and graphics needed for the fraudulent Web site, which spoofed a financial institution that RSA did not name in the report. The “.exe” file automatically installs the code and graphics in the right directories, RSA said.

It means the hacker did not have to repeatedly access the compromised server to upload graphics or other code for the site, potentially reducing the chance of the computer’s security software or network software detecting something awry, RSA said.

“By using such kits, fraudsters will be able to further automate the process of hijacking servers and creating new phishing sites,” the report said.

It doesn’t bode well for combatting the problem of phishing, where hackers try to elicit passwords or financial information via look-alike Web sites.

Despite efforts to quickly shut sites down, phishing sites averaged a 3.8-day life span in May, according to the Anti-Phishing Working Group, which released its latest statistics on Sunday.

Data from market analyst Gartner Inc. released last month showed that phishing attacks have doubled over the last two years.

Gartner said 3.5 million adults remembered revealing sensitive personal or financial information to a phisher, while 2.3 million said that they had lost money because of phishing. The average loss is US$1,250 per victim, Gartner said.

http://www.pcworld.com/article/id,134322/article.html?tk=nl_dnxnws

New breed of hack attack

March 8, 2008 – 6:54 PM

Hackers appear to have stepped up their efforts to trick corporate executives into downloading malicious software programs that can steal company data over the past year.

That’s according to security vendor MessageLabs, which caught an average of 10 e-mails per day in May targeted at people in senior management positions, up from just one a day a year prior, said Mark Sunner, chief security analyst.

Those 10 emails are a very small percentage of the 200 million emails that MessageLabs scans every day, but the composition of those messages is what’s alarming, Sunner said.

Many of the emails contained the name and title of the executive in the subject line, as well as a malicious Microsoft Word document containing executable code. The hackers are trying to trick the victim into thinking the messages come from someone they know, in the hope that the victim will willingly install, for example, a program that can record keystrokes.

MessageLabs won’t reveal what companies have been targeted of late, but it has contacted executives who have been targeted and heard their family members have also received messages on their own, non-corporate e-mail accounts, Sunner said.

Those methods suggest that hackers may be researching victims and culling data from social networking sites such as LinkedIn, MySpace or Facebook, Sunner said.

“If you really want to work out somebody’s background … you can actually find out a lot,” Sunner said.

Tricking a relative into installing malicious code would offer the hacker another way to collect sensitive data, if an executive decides to do some work on a home computer, Sunner said.

During June, MessageLabs picked up more than 500 of these targeted messages, with some 30 percent aimed at chief investment officers – a position that can include handling acquisitions and mergers. Other positions targeted include directors of research and development, company presidents, CEOs, CIOs and CFOs.

Another danger is that the targeted messages are often just single messages sent to a single person, rather than a mass spam run. When hackers send out millions of messages, security companies often either update their software or change their spam filters to trap the bad messages.

But single messages have a higher chance of slipping through, although Sunner said MessageLabs’ filtering service catches the messages by analysing the e-mail’s attachment and determining whether it is potentially harmful. Other security companies catch malware by updating their software with indicators, or signatures, to detect harmful code or block code from running based on what it does on a computer, a technology called behavioural detection.

Tracing where the messages come from is difficult, since the sender’s name is always fake, Sunner said. The IP addresses from which the messages were sent point to computers located around the world. Hackers often use networks of computers they already control, called botnets, to send e-mails.

“Certainly, people need to raise the level of vigilance,” Sunner said.

www.techworld.com/security/news/index.cfm

How MySpace Is Hurting Your Network

March 8, 2008 – 6:54 PM

Increasingly popular social-networking sites such as MySpace, YouTube and Facebook are accounting for such huge volumes of DNS queries and bandwidth consumption that carriers, universities and corporations are scrambling to keep pace.

The trend is prompting some network operators to upgrade their DNS systems, while others are blocking the sites altogether. Moreover, the “MySpace Effect” is expected to hit many more nets soon, as these network-intensive interactive features migrate from specialty sites to mainstream e-commerce operations and intranets.

“Social media is not just going to be in pure-play sites like MySpace and Facebook. It’s going to become increasingly prevalent across retailers, media and entertainment,” says Mike Afergan, CTO of Akamai, a content delivery network company that supports MySpace, Facebook and Friendster. “It drives a lot more requests and a lot more bit-traffic across these networks.”

The demanding nature of social-networking sites was highlighted in May when the Department of Defense announced it was blocking worldwide access to 13 Web sites, including MySpace and YouTube.

“The Commander of DoD’s Joint Task Force, Global Network Operations has noted a significant increase in use of DoD network resources tied up by individuals visiting certain recreational Internet sites,” Army General B.B. Bell said in a memo. “This recreational traffic impacts our official DoD network and bandwidth availability, while posing a significant operational security challenge.”

The Defense Department began blocking access to these sites on May 14 on its unclassified IP network, which is called NIPRNET for Non-secure Internet Protocol Routed Network.

The military isn’t the only organization to notice how taxing these sites are on network resources.

“One of the things we’re hearing more and more from carriers is that social-networking sites like MySpace and YouTube are contributing to an exponential increase in DNS traffic,” says Tom Tovar, president and COO of Nominum, which sells high-end DNS software to carriers and enterprises.

Social-networking sites create large volumes of DNS traffic because they pull content from all over the Internet. Most of these sites use content-delivery networks to extend the geographical reach of their content so users can access it closer to home.

“A single MySpace page can have anywhere from 200 to 300 DNS lookups, while a normal news site with ads might have 10 to 15 DNS lookups,” Tovar says. “It’s an exponential increase.”

Virgin Media, a cable service provider with 10 million subscribers (including 3.5 million broadband users) in the United Kingdom, has found that the amount of DNS traffic generated by social-networking sites has grown dramatically in the past 10 months. YouTube and Facebook traffic has doubled in that time frame but still represents a fraction of Virgin Media’s overall DNS traffic. YouTube grew from 0.5 percent to 0.75 percent of the carrier’s DNS traffic, while Facebook grew from 0.5 percent to 1 percent.

In contrast, MySpace now represents 10 percent of Virgin Media’s DNS traffic, up from 7.2 percent last fall.

The social-networking sites “are generating much more DNS queries per user than other sites,” says Keith Oborn, network systems product architect with Virgin Media. “Because of the way MySpace pages are structured, a single page can generate hundreds of DNS queries.”

Oborn says the fact that many of these social-networking sites, including MySpace and YouTube, are served by content-delivery networks adds to the DNS traffic.

“They’re making use of an awful lot of short TTLs [time to live values],” Oborn says. “That increases the load on the DNS servers. The same thing would happen for an enterprise customer as you see happening on a service provider network.”

Oborn says it’s rare for one Web site to account for 10 percent of DNS traffic.

“MySpace is the one that everybody knows about,” he says. “It’s the thing we need to keep a careful eye on in DNS land.”

Virgin Media is addressing this phenomenon by upgrading its DNS infrastructure to the latest version of Nominum’s software, which uses a technique called Anycast to provide load balancing for improved redundancy. Virgin Media will complete the upgrade this summer.

With the new configuration, Virgin Media says it “could do 2.5 million DNS queries per second, but all we need is 50,000 or 60,000,” Oborn says. “We have a lot of overcapacity in DNS, which is both cheap and good to have. … It cost us a few hundred thousand pounds at most.”

Virgin Media is anticipating continued growth in its DNS traffic, driven in part by social-networking sites. “Overall our DNS traffic is growing twice as fast as the number of users,” Oborn says.

At the University of Kansas, social-networking sites, including MySpace, Facebook and YouTube, are among the 10 most popular destinations for a user population that averages 20,000 per day, including faculty, staff and students.

These sites “generate a lot of DNS requests since each item on the Web pages is spread over dozens and dozens of servers,” says Travis Berkley, supervisor of LAN support services at the university.

The school hasn’t needed to upgrade its DNS infrastructure yet to handle the extra traffic that social-networking sites generate. It runs BIND Version 9 software for its DNS servers.

“We have two servers that are the primary for campus, and they seem to keep up just fine,” Berkley says, adding that “some departments have set up their own workgroup DNS servers.”

One advantage for the university is that it already limits how much Internet bandwidth students can consume from their dorm rooms. So even though the university doesn’t limit access to social-networking sites, it can ensure that usage of these sites is limited to a fixed proportion of its Internet bandwidth.

“We did that independent of these sites or even peer-to-peer,” Berkley added.

MySpace seems to be the biggest contributor of the social-networking sites in terms of generating DNS queries. MySpace declined to comment for this article.

“MySpace is really a pain in the butt,” says Cricket Liu, vice president of architecture at InfoBlox, which sells DNS appliances to carriers and corporations. “It generates an enormous number of DNS queries because of the way it refers to content. The domain names they are using all seem to be part of their own content-delivery network.”

Liu says any organization running a recursive name server will feel the pinch from MySpace’s DNS-heavy design. That includes carriers, universities and corporations.

“The recursive name server is ultimately responsible for getting the answer on behalf of the resolver on the laptop or desktop machine,” Liu explains. “So it’s the one that has to go out and navigate the Internet’s name space, find the authoritative name server for MySpace.com and get the data back. Then it has to keep going back to the MySpace.com name servers to resolve the different domain names on a page. … It might have to hit those MySpace.com name servers 45 times or more for a particular page.”

MySpace’s own DNS servers are less affected by this situation than those run by carriers or enterprises.

“The amount of horsepower it takes to handle a recursive query is more than it takes to handle an authoritative query,” Liu explains. “MySpace has to run name servers that are authoritative for MySpace.com. … The same piece of hardware can do an order of magnitude more responses when it’s authoritative for MySpace.com than it can do acting as a recursive server. That’s because it doesn’t have to track the ongoing progress of the name resolution process; it just has to answer it.”
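The two mechanisms described above (a page that references hundreds of hostnames, and short TTLs that force the recursive resolver back to the authoritative servers) can be made concrete with a small cache simulation. This is an added example, not code or data from the article, Nominum, Virgin Media or MySpace: the hostnames, TTLs and page sizes are constructed, and the resolver model is deliberately minimal (one record per hostname, no negative caching).

```python
"""Simulate a caching recursive resolver's upstream query load.

Added example; the page sizes, hostnames and TTLs below are constructed
and are not measurements from Virgin Media, Nominum or MySpace.
"""
from collections import Counter


class RecursiveResolverSim:
    """A minimal caching recursive resolver: it answers from cache while a
    record's TTL has not expired, otherwise queries upstream and caches."""

    def __init__(self):
        self.cache = {}            # hostname -> expiry time (seconds)
        self.upstream = Counter()  # zone -> number of upstream queries

    def resolve(self, hostname, ttl, now):
        """Return True on a cache hit, False when an upstream query was needed."""
        expiry = self.cache.get(hostname)
        if expiry is not None and now < expiry:
            return True
        # Miss: the resolver has to go back to the zone's authoritative servers.
        zone = ".".join(hostname.split(".")[-2:])
        self.upstream[zone] += 1
        self.cache[hostname] = now + ttl
        return False


def simulate(page_records, loads, interval):
    """Replay `loads` page loads, `interval` seconds apart, through one resolver.

    page_records: list of (hostname, ttl) pairs the page references.
    Returns (upstream_queries, cache_hits, per_zone_counter).
    """
    sim = RecursiveResolverSim()
    hits = 0
    for n in range(loads):
        now = n * interval
        for hostname, ttl in page_records:
            if sim.resolve(hostname, ttl, now):
                hits += 1
    return sum(sim.upstream.values()), hits, sim.upstream


# Constructed pages (hostnames, counts and TTLs are assumptions, not real data).
SOCIAL_PAGE = [(f"img{i}.cdn-social.example", 30) for i in range(200)]  # 200 hosts, 30 s TTL
SOCIAL_PAGE_LONG_TTL = [(host, 3600) for host, _ in SOCIAL_PAGE]          # same hosts, 1 h TTL
NEWS_PAGE = [(f"ads{i}.news.example", 3600) for i in range(12)]           # 12 hosts, 1 h TTL


if __name__ == "__main__":
    # 50 loads one minute apart: the 30 s TTL expires before every reload,
    # so the 200-host page costs 200 upstream queries per load.
    for name, page in [("social, 30s TTL", SOCIAL_PAGE),
                       ("social, 1h TTL", SOCIAL_PAGE_LONG_TTL),
                       ("news, 1h TTL", NEWS_PAGE)]:
        upstream, hits, _ = simulate(page, loads=50, interval=60)
        print(f"{name:16s} upstream={upstream:6d} cache_hits={hits:6d}")
```

Run with no arguments it prints the three cases side by side. The number that matters for capacity planning is upstream queries per load: the constructed 200-host page with a 30-second TTL never benefits from the cache at a one-minute reload interval, while the same hosts with a one-hour TTL cost the resolver a single round of upstream queries.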

The impact of sites like MySpace is also minor on the root servers and top-level domains. For example, VeriSign estimates that social-networking sites account for less than 1 percent of the DNS queries at the .com and .net level. VeriSign handles 32 billion DNS queries a day.

Experts agree that carriers and enterprises are the ones that will need to watch their DNS traffic trends in light of the “MySpace Effect.”

“The rise of social-networking sites is just one of a number of factors that are causing the increase in DNS queries,” Liu says. “Another would be antispam mechanisms and just the increasing penetration of broadband.”

And it’s not just DNS queries that social-networking sites like MySpace drive, but also large volumes of traffic.

“Social-media sites are driving a fantastic amount of usage,” Akamai’s Afergan says. “These sites are motivating their users to be interacting with their sites in a very engaging way, which is driving a large experience time.”

Afergan says social-networking sites affect network utilization in two ways: the profile-based sites like MySpace generate a lot of requests per user for small files, while the video-based sites like YouTube demand a lot of bandwidth for large video files to be transmitted across the network.

“Most of our networking partners are seeing these sites drive an incredible amount of traffic, both in the number of requests and the bytes involved in those requests,” says Afergan.

The heavy network demand of these Web sites is one reason that seven of the top 10 social-networking sites use Akamai’s content-delivery service to offload traffic. It’s also a reason that many carriers allow Akamai to put edge servers inside their networks to serve up rich content locally.

“Part of what we do for carriers is minimize the traffic on their networks,” Afergan says, adding that Akamai’s servers also reduce DNS traffic.

The impact of social-networking sites is primarily on carrier and university networks today, but it is likely to affect more corporations as they add social-networking features to their e-commerce and intranet sites.

IBM, for example, runs its own social network called BluePages, which allows employees to provide information about themselves to other employees.

Meanwhile, Coca-Cola this month is set to launch a mobile phone-based social-networking community for Sprite drinkers called Sprite Yard.

“Imagine when there are thousands of these sites,” says Ken Silva, CSO of VeriSign. “Then they will be a more significant share of overall DNS queries.”

Silva worries more about the impact on DNS from the migration of telephony and television services to the Internet than he does about social-networking sites.

“If one big telephony provider migrates to the Internet, they could bring millions of users and generate big chunks of bursty growth,” he says.

VeriSign is in the midst of a three-year, US$100 million upgrade to its DNS infrastructure, which supports the .com and .net registries and two root servers. The upgrade will increase the company’s DNS capacity tenfold.

“Planning for these things like social-networking sites and large infrastructure moving to IP is what this upgrade is all about,” Silva adds.

www.pcworld.com/article/id,133350/article.html

Image Spam Slips into Inbox

March 8, 2008 – 6:53 PM

Spammers have begun using come-ons such as stock-pushing images as e-mail stationery backgrounds to evade antispam technology and shovel their unwanted messages into your inbox.

One antispam vendor has spotted the technique in its early stages, but expects we’ll see more of it. In a sample e-mail, the subject read ‘GED’ and the simple message was “I truly believe you guys would outsell the world if only guys could get their hands on your product.” But that pointless text was essentially illegible against a tiled background that contained the real message: a typical pump-and-dump stock scam image, according to representatives of Secure Computing.

Unfiltered Spam

“Many spam filters look in the [e-mail] body, but don’t look into the headers,” says Paul Henry, Secure Computing’s vice president of technology evangelism. The background image is specified in the message’s HTML header, along with other layout and style information. For this sample, the picture was pulled from fcslur.com, which is registered to the ironically-named “Privacyprotect.org” in Wellington, New Zealand.

Henry says Microsoft Office displays the background image if it’s configured to display HTML e-mail, and the sample e-mail delivered its payload in Lotus Notes e-mail as well. Setting either program to display only text would block the stationery-using junk e-mail, according to Henry–but would also block wanted images. Thunderbird did not display the background.
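A filter that only inspects the body text misses the stationery trick because the image is declared in the HTML head (or in a `background` attribute) rather than as an `<img>` in the body. The following added example, which is not code from Secure Computing or the article, shows the check a defender would add: it pulls background-image references from `<style>` blocks, inline `style` attributes and legacy `background` attributes, and flags messages where a remotely hosted background sits behind only a few words of visible text. The sample message and its hostname are constructed.

```python
"""Flag HTML e-mail whose visible text is laid over a remotely hosted
background image ("stationery"). Added example; the sample message is
constructed and the hostname is a placeholder, not the spam described above.
"""
import re
from html.parser import HTMLParser

# Matches the url(...) inside a CSS background / background-image declaration.
CSS_BG_URL = re.compile(
    r"""background(?:-image)?\s*:[^;}]*?url\(\s*['"]?([^'")\s]+)""", re.I)


class BackgroundImageFinder(HTMLParser):
    """Collect background-image references from <style> blocks in the head,
    inline style="" attributes and legacy background="" attributes, and keep
    the visible text so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.refs = []           # (where, url)
        self.visible_text = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag in ("body", "table", "td") and attrs.get("background"):
            self.refs.append((f"{tag}@background", attrs["background"]))
        for m in CSS_BG_URL.finditer(attrs.get("style") or ""):
            self.refs.append((f"{tag}@style", m.group(1)))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for m in CSS_BG_URL.finditer(data):
                self.refs.append(("head-style", m.group(1)))
        else:
            self.visible_text.append(data)


def is_remote(url):
    return url.lower().startswith(("http://", "https://"))


def analyse_html_mail(html, max_words=50):
    """Return the background references found and whether the message matches
    the stationery pattern: a remote background image behind little text."""
    parser = BackgroundImageFinder()
    parser.feed(html)
    parser.close()
    remote = [(where, url) for where, url in parser.refs if is_remote(url)]
    words = " ".join(parser.visible_text).split()
    return {
        "background_refs": parser.refs,
        "remote_backgrounds": remote,
        "visible_words": len(words),
        "suspicious": bool(remote) and len(words) < max_words,
    }


# Constructed sample: the real pitch is in the tiled background, the body text
# is a throwaway line. The host is a placeholder, not one from the article.
SAMPLE_MAIL = """<html><head><style>
body { background-image: url(http://cdn.example.invalid/stock.gif); }
</style></head>
<body background="http://cdn.example.invalid/stock.gif">
<p>I truly believe you guys would outsell the world if only guys could get
their hands on your product.</p>
</body></html>"""

PLAIN_MAIL = "<html><body><p>Meeting moved to 3pm, see attached agenda.</p></body></html>"


if __name__ == "__main__":
    for label, mail in [("sample", SAMPLE_MAIL), ("plain", PLAIN_MAIL)]:
        print(label, analyse_html_mail(mail))
```

The word threshold is a tunable heuristic, not a rule from the article; in a real gateway the remote image would be fetched by the scanner and passed to the same OCR or image-fingerprint checks already applied to inline images, which is what the stationery layout was trying to sidestep.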

Henry says his company is seeing only a small amount of this type of image spam, but believes it’s destined to increase. Adam O’Donnell, director of emerging technologies at Cloudmark, which also offers antispam products, agrees.

“People continually try to vary up how they’re going to try to enclose their image in spam,” O’Donnell says. It’s a “technique used to evade [antispam] systems.”

Evasion Mutations

The varying techniques used by spammers to try to evade antispam filters mimic the ongoing cat-and-mouse game between malware authors and antivirus companies–and for exactly the same reasons. Spammers and virus-writers alike will attempt to change their spam or virus just enough to evade some automated filters or signature scanners.

Also, this new scam approach comes at a time when the overall amount of image spam is decreasing, according to recent statistics released by antivirus vendor McAfee. The picture-pushing junk mail made up 60 percent of all spam in the first quarter of the year, but in May the amount fell to just 12 percent.

Image spam may decrease, or new evasion techniques such as this use of stationery background may see it increase once more. But one thing is for certain: spam isn’t going away any time soon.

“These guys are in business, and they’re going to do the amount of work necessary to stay in business,” O’Donnell says.

www.pcworld.com/article/id,132882/article.html

Antivirus software too inconsistent

March 8, 2008 – 6:52 PM

Anti-virus technologies are inconsistent when it comes to identifying attacks such as worms, phishing and botnets.

That’s according to a report from the University of Michigan’s Electrical Engineering and Computer Science Department and network security company Arbor Networks, which found that antivirus products are inconsistent at best when it comes to identifying attacks such as worms, phishing and botnets.

The report, Automated Classification and Analysis of Internet Malware, said that “Using a large, recent collection of malware that spans a variety of attack vectors (e.g., spyware, worms, spam), we show that different AV products characterize malware in ways that are inconsistent across AV products, incomplete across malware, and that fail to be concise in their semantics.”

It goes on to show that host-based anti-virus techniques failed to “detect or provide labels for between 20 and 62 percent of the malware samples.”

The researchers argue that a new classification technique is required that “describes malware behaviour in terms of system state changes (e.g., files written, processes created) rather than in sequences or patterns of system calls. To address the sheer volume of malware and diversity of its behaviour, we provide a method for automatically categorising these profiles of malware into groups that reflect similar classes of behaviors and demonstrate how behaviour-based clustering provides a more direct and effective way of classifying and analysing Internet malware.”

The researchers demonstrated the usefulness of this approach during a six-month period on 3,700 malware samples.
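The key move in the approach described above is to represent each sample as the set of state changes it produces, so that two droppers differing only in a random temp-file name end up with the same profile, and then to group profiles by similarity. The following added example, which is not code from the University of Michigan or Arbor Networks report, shows that idea end to end on constructed sandbox observations: it normalizes events into state-change strings, uses Jaccard distance between profiles and single-linkage grouping as a simplification (the report’s own distance metric and clustering are not reproduced here), and returns behaviour clusters. Paths, registry keys and hostnames are placeholders.

```python
"""Cluster malware samples by the system state changes they cause.

Added example, not code from the University of Michigan / Arbor Networks
report: the observations below are constructed, and the clustering uses
Jaccard distance with single linkage as a simplification rather than the
report's own distance metric.
"""
import re

# Random-looking hex runs (dropper temp names, mutex suffixes) are collapsed so
# that two runs of the same family with different random names still match.
HEX_RUN = re.compile(r"[0-9a-f]{8,}")


def normalize(event_type, target):
    """Turn one observed event into a canonical state-change string."""
    return f"{event_type}:{HEX_RUN.sub('<rand>', target.lower())}"


def build_profile(events):
    """A behaviour profile is the SET of state changes, not their sequence."""
    return {normalize(kind, target) for kind, target in events}


def jaccard_distance(a, b):
    """0.0 for identical profiles, 1.0 for profiles with nothing in common."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def cluster_profiles(profiles, threshold):
    """Single-linkage clustering: any two samples at or below `threshold`
    distance land in the same cluster. Returns sorted lists of sample ids."""
    ids = sorted(profiles)
    parent = {i: i for i in ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if jaccard_distance(profiles[a], profiles[b]) <= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for s in ids:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())


def cluster_samples(events_by_id, threshold=0.5):
    """Convenience wrapper: raw events per sample id -> behaviour clusters."""
    return cluster_profiles({k: build_profile(v) for k, v in events_by_id.items()}, threshold)


# Constructed sandbox observations (all paths, keys and hosts are placeholders).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"
SAMPLE_EVENTS = {
    # Two runs of one family: same behaviour, different random dropper name.
    "sample-A1": [("file_write", r"C:\Windows\Temp\a1b2c3d4e5f6.exe"),
                  ("registry_set", RUN_KEY),
                  ("process_create", r"C:\Windows\Temp\a1b2c3d4e5f6.exe"),
                  ("network_connect", "irc.example.invalid:6667")],
    "sample-A2": [("file_write", r"C:\Windows\Temp\F6E5D4C3B2A1.exe"),
                  ("registry_set", RUN_KEY),
                  ("process_create", r"C:\Windows\Temp\F6E5D4C3B2A1.exe"),
                  ("network_connect", "irc.example.invalid:6667")],
    # A benign-looking pair that differ by one extra file write.
    "sample-B1": [("file_write", r"C:\Users\bob\Desktop\readme.txt"),
                  ("process_create", r"C:\Windows\notepad.exe")],
    "sample-B2": [("file_write", r"C:\Users\bob\Desktop\readme.txt"),
                  ("process_create", r"C:\Windows\notepad.exe"),
                  ("file_write", r"C:\Users\bob\Desktop\readme2.txt")],
    # A mailer with no overlap with either group.
    "sample-C1": [("network_connect", "smtp.example.invalid:25"),
                  ("network_connect", "mail.example.invalid:25"),
                  ("file_write", r"C:\Windows\Temp\spool.dat")],
}


if __name__ == "__main__":
    for cluster in cluster_samples(SAMPLE_EVENTS, threshold=0.5):
        print(cluster)
```

With the threshold at 0.5 the two runs of the same family collapse into one cluster because their normalized profiles are identical, the two notepad samples join because they share two of three state changes, and the mailer stays alone. The normalization step is where most of the engineering effort goes in practice: too little and every random filename splits a family, too much and unrelated samples merge.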

Traditional, signature-based anti-virus methods for detecting and squelching the growing volumes and variety of viruses and other malware have been termed dead by some industry watchers.

Companies such as McAfee, Symantec and Trend Micro have in fact started to reveal plans to move their security products to the next level through whitelisting and other approaches.

www.techworld.com/security/news/index.cfm