Sneaky mal ware just needs a few clicks to take control.

Criminals are getting sneakier. These days, computer viruses, Trojans, root kits and other unfriendly software (collectively known as mal ware) can be foisted on our systems without our even noticing.
In the early days of mal ware, the idea was simply to show people that their systems had been compromised; a virus was sometimes nothing more than a thumbing of the perpetrator’s nose at his victims (what else would explain a virus that just made the letters you typed tumble to the bottom of the screen?). But as time went on, mal ware went from mischievous to malicious, and destruction became the name of the game.

A roundup of The Globe's Small Business Summit

Today’s mal ware authors aim for secrecy. Their goal is often to hide on your system and steal as much information as possible – banking passwords, credit card numbers, confidential files, and anything else of value. Or they may want to use your computer to launch attacks on others.
It’s embarrassingly easy to become a pawn in the bad guys’ games, as security vendor McAfee shows us in a little exercise known as the Mal ware Experience.
The Mal ware Experience is a class that can be anything from a few hours to a couple of days long. It is designed to give people the opportunity to experience mal ware in comfort and safety, says current custodian Jon Carpenter, an anti-mal ware competitive review manager at McAfee Labs. Mr. Carpenter has been working with the Mal ware Experience for almost a decade, and has been building new versions of it, to reflect the current mal ware universe, for the last five or six years.
At McAfee's recent Focus 2011 conference, Mr. Carpenter and Labs colleague Toralv Dirro presented a truncated version of the Experience to members of the media.
During the class, you become both a bad guy and his victim. You work on a laptop that is carefully isolated from any available networks and with external storage disabled (you are, after all, working with live mal ware, and don’t want it to escape). It contains three virtual machines (VMs): the victim's computer, a compromised web server, and the attacker's PC.
Then you unleash your inner hacker. Working from a script, you first construct the trap, configuring the web server with a Trojan horse – a program that performs a benign or useful function while sneakily installing mal ware on the victim’s machine in the background. It is housed on a website crafted to resemble a known site – in this case, an anti-virus vendor's site. So far, so good.
Next, you bait the hook by composing an e-mail to the victim, in the guise of a promotion for a free anti-mal ware tool. This will persuade the user to download the Trojan.
Then the scenario flips, and you become the victim.
Being a trusting soul, you open the e-mail on the victim VM and see the link to what you think is your anti-mal ware vendor’s website. A sharp-eyed person might notice, while hovering the cursor over the link, that the URL is slightly different from the legitimate vendor URL, but hackers usually count on the fact that the message looks convincing enough that a large percentage of recipients will click through.
That starts the download of your Trojan, which has been given the same name as the real anti-virus program.
Since you, as victim, have willingly downloaded the fake anti-virus program, you then run it (your system is virus-free, it says – how nice – a total lie, since it just installed the attacker’s mal ware), and the hackers immediately have another computer under their control.
Yes, it really is that easy.
Now that the victim’s computer is your slave, you as hacker can have some fun. You can pop back to the attacker machine and explore the command and control console for your mal ware to discover what mischief it can perform. For example, there’s a key logger to capture every keystroke your victim types (very handy for grabbing passwords and credit card numbers). The next item in the script is even more insidious: you’re going to silently install another piece of mal ware, the Zeus Trojan, on your victim’s machine.
This time the victim has to do nothing. All the attacker needs to do is set up the configuration script for your mal ware, then instruct the first Trojan to install it on the target system. In a few minutes, the mal ware will report whether it was correctly installed and you’re ready to wreak more havoc.
Let’s say you want to steal the victim’s Facebook credentials. On the attacker machine, it’s a matter of entering the URL you want monitored, letting the mal ware synch with the victim’s machine, then sitting back and waiting.
Soon, everything you need to know if you wanted to hijack the victim’s account is now at your fingertips, and the victim is none the wiser.
The Mal ware Experience includes a few more tricks as well, such as redirecting the victim’s surfing to a malicious website.
“We want to make people aware of what’s possible, but not to encourage them to try it,” explains Mr. Carpenter. “It’s all about raising awareness.”
And raise awareness he has, by presenting the class to members of the media, university students, police forces, and even the British House of Lords, to demonstrate how easy it is for computers to become infected.
Mr. Carpenter then points out ways to stay infection-free, such as not clicking on links in unsolicited e-mails, and examining links to ensure the site name is spelled correctly (slight misspellings are easy to miss, and can lead to malicious sites).
“I’m a firm believer in finding the weakest link,” he says. “It’s important that users are aware of the risks. The [anti-mal ware] industry tries hard to make users aware.”

No comments:

Post a Comment

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More