Tuesday, January 23, 2007

Social Engineering and Malware

With all the buzz over the "Storm Worm" -- here's a frontal PR attack among vendors -- it is almost unbelievable how hungry for a ground breaking event, the mainstream media is. And it's not even a worm. If you are to report each and every outbreak not differentiating itself even with a byte from previous "event-based" malware attacks, what follows is a flood of biased speculations -- too much unnecessary attention to current trends and no attention to emerging ones. With pre-defined subjects, static file names, one level based propagation vector, with the need for the end user to OPEN AN .EXE ATTACHMENT FROM AN UNKNOWN SOURCE, and with "the" Full_Movie.exe in 35kb, worldwide scale attacks such as the ones described here, are more of a PR strategy -- malware with multiple propagation vectors has the longest lifecycle, as by diversifying it's improving its chances of penetration. Don't misunderstand me, protecting the end user from himself is a necessity, but overhyping this simple malware doesn't really impress anyone with a decent honeyfarm out there. It doesn't really matter how aggressively it's getting spamed, what matters the ease to filter and enjoying the effective rules you've applied. No signatures needed. As a matter of fact I haven't seen a corporate email environment that's allowing incoming executable files in years, especially anything in between 0-50kb, have you? My point is that, the end user seems to be the target for this attack, since from an attacker's perspective, you have a higher chance of success if you try to infect someone who doesn't really know whether his AV is running, or cannot recall the last time an update was done to at least mitigate the risk of infection. These are the real Spam Kings.

At the beginning of 2006, I discussed the evolving concept of localizing malware attacks :

"By localization of malware, I mean social engineering attacks, use of spelling and grammar free native language catches, IP Geolocation, in both when it comes to future or current segmented attacks/reports on a national, or city level. We are already seeing localization of phishing and have been seeing it in spam for quite some time as well. The “best” phish attack to be achieved in that case would be, to timely respond on a nation-wide event/disaster in the most localized way as possible. If I were to also include intellectual property theft on such level, it would be too paranoid to mention, still relevant I think. Abusing the momentum and localizing the attack to target specific users only, would improve its authenticity. For instance, I’ve come across harvested emails for sale segmented not only on cities in the country involved, but on specific industries as well, that could prove invaluable to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones."

The current "events-based" malware is a good example here. If it were a piece of malware to automatically exploit the targeted PC, then you really have a problem to worry about. Meanwhile, Businessweek is running an interesting article on Why Antivirus Technology Is Ineffective, and stating "white-listing" is the future of malware prevention. Could be, if there wasn't ways to bypass the white-listing technology, or give a "white-listed" application a Second Life -- and of course there are.

In another piece of quality research written by Mike Bond and George Danezis, the authors take us through the temptation stage, monitoring, blackmail, voluntary propagation, involuntary propagation, and present nice taxonomies of rewards and blackmail.

And if you're still looking for fancy stats and data to go through, read this surprisingly well written paper by Microsoft - Behavioural Modelling of Social Engineering-Based Malicious Software. They've managed to spot the most popular patterns - generic conversation, non-english language used, virus alert/software patch required, malware found on your computer, no malware found, account information, mail delivery error, physical attraction, accusatory, current events, and free stuff.
Current events, free stuff, and malware on your computer are the most effective ones from my point of view as they all exploit wise psychological tactics. Current events because the Internet is a major news source and has always been, free stuff, due the myth of "free stuff" on the Internet, and the found malware putting the (gullible) end user in a "oops it was my turn to get a nasty virus" state of mind.