Monday, December 10, 2007

Phishers, Spammers, and Malware Authors Clearly Consolidating

In a recent article entitled "Popular Spammers Strategies and Tactics" I emphasized the consolidation that has been going on between phishers, spammers and malware authors for a while:

"The allure of being self-sufficient doesn't seem to be a relevant one when it comes to a spammer's results-oriented attitude. Spammers excel at harvesting and purchasing email addresses, sending, and successfully delivering the messages; phishers are masters of social engineering; while on the other hand malware authors, or botnet masters in this case, provide the infrastructure for both the fast-fluxing spam and scams in the form of infected hosts. We've been witnessing this consolidation for quite some time now, and some of the recent events greatly illustrate this development of an underground ecosystem. Take for instance the cases when spam comes with embedded keyloggers, when phishing emails contain malware, and a rather ironic situation where malware-infected hosts inside Pfizer are spamming viagra emails."

The recently uncovered breach at the U.S. Oak Ridge National Laboratory is a perfect example of some of the key concepts I covered in the article, namely: harvesting of the emails by the spammers, segmenting the email database for targeted mailings on a per-company or per-institution basis, and malware authors eventually purchasing the now segmented databases for such targeted attacks, with the spammers earning a higher profit margin for providing the segmentation service:

"The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes."

And, of course, there's a Chinese connection, but thankfully there are articles emphasizing the concept of stepping stones before reaching the final destination, with China's heavily malware-infected Internet population acting as the stepping stone rather than the original source of the attack:

"Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location."

Publicly available research and common sense both indicate that malware arriving through email attachments is on the decline, and that such attachments, especially executables, are supposed to be filtered at the gateway perimeter by default. Even the first round of Storm Worm malware in January 2007 made it clear that email attachments are no longer as effective as they used to be, and the campaign therefore migrated to spamming links to malware exploiting old vulnerabilities.
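As an added illustration of the gateway filtering the paragraph above takes for granted (this is example code written for this page, not the lab's or any vendor's filter), the following checks each attachment of a parsed message both by declared extension and by content, so that an executable renamed to look like a document is still caught. The sample message, the example.invalid addresses and the extension list are all constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Sample block list of extensions a perimeter filter would reject by default (constructed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Windows PE executables start with the "MZ" DOS header.
PE_MAGIC = b"MZ"


def classify_attachment(filename, payload):
    """Return a reason string if the attachment should be blocked, else None."""
    name = (filename or "").lower()
    # Executable by declared extension (e.g. update.scr).
    for ext in sorted(EXECUTABLE_EXTENSIONS):
        if name.endswith(ext):
            return f"executable extension {ext}"
    # Executable by content, regardless of a harmless-looking name (e.g. report.pdf).
    if payload[:2] == PE_MAGIC:
        return "PE executable content (MZ header) under non-executable name"
    return None


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; return [(filename, reason)] for blocked attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), payload)
        if reason:
            blocked.append((part.get_filename(), reason))
    return blocked


def build_sample_message():
    """Constructed test message: a benign CSV, a PE renamed to .pdf, and a .scr file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Visitor list"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("visitor,date\n", subtype="csv", filename="visitors.csv")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed stand-in for a PE file
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="update.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```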

How could such a targeted malware attack have been prevented?

- make email addresses much harder to harvest than they currently are; in this particular case, a huge percentage of the ornl.gov email accounts, the future contact points for the malicious parties to take advantage of, can be harvested through web scraping without even bothering to crawl the ornl.gov domain itself

- a freely available, but highly effective tool to evaluate whether or not your mail server's filtering of such content actually works, is PIRANA - Email Content Filters Exploitation Framework:

"PIRANA is an exploitation framework that tests the security of an email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the excellent shellcode generator from the Metasploit framework!"

Taking the second possible scenario, namely that it wasn't a targeted attack but malware attachments "as usual", this seems unlikely, mostly because modern malware automatically excludes mailings to .gov and .mil addresses and to the majority of anti-virus vendor email addresses known to its authors, hoping to infect as many people as possible before a reactive response is in place.

If it were a spammed link to malware, the chances are the recipients followed it, but spammed malware as an attachment is too Web 1.0 for someone to fall victim to, and it's rocket scientists we're talking about anyway.