Inside the Password-Stealing Business_the Who and How of Identity Theft
This report outlines contemporary attack techniques used in the most advanced and prevalent passwordstealing malware families, it explains the tricks of the trade (such as on-screen keyboards) used to attack banks latest security mechanisms, and it dissects a new target of password-stealing behavior—massive multiplayer online role-playing games (MMORPG).
Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft By Dennis Elser and Micha Pekrul, McAfee® Avert® Labs Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Table of Contents Prevalence and Distribution Channels Cat and Mouse: Banking Systems Evolve, Attackers Catch Up Sinowal and StealthMBR: Today’s Nastiest Password Stealer and Stealthiest Rootkit Sinowal’s latest twist Any single infection will take your immune system down Zbot: the Next Generation of Keylogging Steam Stealer and the Underground Market for Game Credentials Conclusion: Cybercriminals Exploit the Economic Crisis Acknowledgement About the Authors 3 5 7 8 10 11 13 15 17 17 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft With shopping and banking transactions occurring primarily online today, password stealing has become a common cybercrime. Whatever the vector of attack, in many cases some sort of password-stealing malware makes its way onto victims’ computers. The criminal organizations behind the circulation of malicious software often operate from countries such as Russia, China, or Brazil; and their sole interest is obtaining user credentials and turning these into cash. In times of economic uncertainty, stolen credentials are becoming even more valuable than ever, so protecting your privacy and identity is paramount. This report outlines contemporary attack techniques used in the most advanced and prevalent passwordstealing malware families, it explains the tricks of the trade (such as on-screen keyboards) used to attack banks latest security mechanisms, and it dissects a new target of password-stealing behavior—massive multiplayer online role-playing games (MMORPG). Prevalence and Distribution Channels McAfee Avert Labs has seen the count of password-stealing malware variants increase by nearly 400 percent between 2007 and 2008. 400,000 350,000 300,000 250,000 200,000 150,000 100,000 50,000 0 2000 2001 2002 2003 2004 2005 2006 2007 2008 Figure 1: The growth of password-stealing malware. (Source for all graphics is McAfee Avert Labs except where noted.) Password Stealers and Keyloggers (cumulative) Whereas infections with password stealers targeting games were seen less commonly before, 2006 and 2007 have seen an increase in this subcategory, too.1 During that period, underground economies have sprung up around the trade of virtual game goods, like swords, helmets, and skill points. These virtual goods are later turned back into real money as soon as they’re sold to other players who want to improve their gaming skills and scores without having to spend endless hours actually playing these games. “Gold farming” is a way to make a living in some countries; in China, for example, thousands of people try to harvest as much virtual value as possible and then sell it to more prosperous players worldwide. 1. Dr. Igor Muttik, “Securing Virtual Worlds Against Real Attacks–The challenges of online game development,” McAfee Avert Labs. www.mcafee.com/us/local_content/white_papers/threat_center/wp_online_gaming.pdf 3 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Gozi Sinowal Zbot Silentbanker SteamStealer Goldun Pinch WoW LegMlr Figure 2: Contemporary phone-home destination countries for stolen identities, per malware family. Users are faced with data theft in different shapes, and not all of them are malware. For instance, one form of virtual theft is phishing. It shares the same goals (getting the victim’s credentials) but sets aside the use of malicious code. Instead, the attack relies purely on social engineering techniques to get the clueless user to cough up passwords. Fake websites that carry out phishing attacks may look deceptively real. Figure 3: This phishing site asks for all unused transaction authentication numbers (TANs) and the index so that attackers can defeat advanced iTAN systems 4 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Spam is one of the main distribution methods for seeding password stealers. With mass mailings, such as fake invoices or fake UPS notifications, users are often tricked into opening allegedly legitimate PDF attachments and subsequently end up with an executable that compromises their systems. The spam mail’s topic is often tailored to the target audience, leveraging trends, political news, or topics localized for targeted countries. Figure 4: A typical spam mail shipping the Zbot malware. Next to phishing, spam and other common social-engineering tricks, another increasingly popular and effective way to infect users’ PCs are browser-based attacks.2 Using so-called “drive-by infections,” attackers let legitimate and trusted websites distribute malicious code by hacking thousands of websites in automated fashion. Hackers even rely on search engines to discover potentially vulnerable websites. A script or iframe element is usually injected to point the victim to malicious code, either served off the attacker’s home server or hosted directly on the compromised site. Users visiting these compromised websites end up unknowingly requesting and executing malicious code. Cat and Mouse: Banking Systems Evolve, Attackers Catch Up The evolution of password-stealing malware is closely tied to advancements in digital security devices and measures. Simple authentication factors that rely only on a combination of a user name and password are easily defeated by simple keyloggers. As soon as security mechanisms are improved, for instance, by introducing “external” authentication factors, a keylogger can no longer be successful. A “memorable word” could be one such additional factor. Online banking systems ask the user to provide only parts of that predefined word that a keylogging Trojan, through no fault of its own, will never be able to sniff completely. Nowadays, attackers are facing systems protected with multifactor authentication systems. Widely used in Europe, typical multifactor authentication uses transaction authentication numbers, or TANs. Provided by the bank, these are huge lists of one-time passwords for which the user needs to choose a TAN for authentication of each transaction. The next step in improving security are indexed TANs (iTANs)—a TAN associated with an indexed number. The online banking system dictates a randomly chosen index Figure 5: Blizzard’s one-time password token. (Source: (which belongs to a certain TAN) per transaction. Blizzard Entertainment) 2. Christoph Alme, “Web Browsers: Emerging Platform Under Attack,” McAfee Avert Labs. www.mcafee.com/us/local_content/white_papers/wp_webw_browsers_w_en.pdf 5 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Other multifactor or strong authentication systems are cryptographic devices that create one-time passwords that are valid only for a minute. These security tokens are often used in corporate networks. But even Blizzard, the maker of the popular online game World of Warcraft, introduced security tokens for authentication.3 Modern security systems feature hardware TAN generators that also require the user’s bank card and the successful completion of challenge-response procedures. For every new obstacle, there is a counterpart in the evolution of password stealers. For example, as soon as banks introduced virtual keyboards that require the user to click corresponding digits instead of typing them, malware authors reacted by implementing screen-capture functionality. Another common technique is web injection, where the malware puts additional form fields into a bank’s web pages and asks for additional details, such as ATM pin numbers, a complete “memorable word,” or the user’s social security number. These injected elements are very difficult to detect by the user since they appear to be legitimate and don’t arouse suspicion. We’re not surprised to see that malware authors not only try to keep up, they even try to stay one step ahead. To avoid having to tailor their password-grabbing forms to match the security precautions and layouts of targeted banking websites, attackers redirect DNS servers or hosts files to point to their own servers. An infected user intending to connect to the Bank of America website would be directed to a lookalike site hosted on a different server, which, of course, belongs to the attacking party. A different scenario using DNS hijacking is to remotely act as the “man in the middle” by wiretapping network traffic and then rerouting the (modified) traffic to the real destination and vice versa. Figure 6: “Web Injections” that are tailored to fit into the custom layout of a targeted website are sold at underground malware markets. Hijacking attacks carried out locally don’t need to rely on a certain protocol, such as DNS. Instead, whenever unpredictable TANs are used, malware lurking on infected systems wait for and detect credentials entered by the user. And since these are one-time passwords, the TAN is first saved by the malware and, without actually letting it reach the destined bank, a fake error message reporting a “wrong” TAN is shown to the user. This is done passively by intercepting established connections and by overwriting the authentication number with trash. Or, this can be done actively by showing the user a custom-made fake pop-up. We’ll talk more about password-stealing Trojans of that caliber later. 3. www.blizzard.com/store/details.xml?id=1100000182. 6 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Sinowal and StealthMBR: Today’s Nastiest Password Stealer and Stealthiest Rootkit Sinowal is a highly prevalent password-stealing Trojan that finds its way into computers along with one of the most sophisticated and most stealthy rootkits around today—StealthMBR, also known as Mebroot. The StealthMBR rootkit infects the hard disk’s master boot record to gain control over the system before the operating system boots and anchors deeply into internal Microsoft Windows structures. The rootkit downloads additional password-stealing components with each reboot of the system and, instead of saving it to the hard disk, lets the Trojan directly inject itself into any running process using the SetWindowsHookEx() Windows application program interface (API) function. In addition to the rootkit’s stealth, other covert mechanisms are used by the newly downloaded Trojan. Apart from using XOR-ciphered strings, such as hostnames, early Sinowal variants detect sandbox environments and behave well if they suspect they are being observed. On real computer systems, however, certain Windows API functions are detoured to custom functions that belong to the Trojan’s code. The criminal intent is the Trojan’s desire to steal sensitive data processed by these functions. The API-hooking technique, as implemented by the Trojan, patches jump instructions into previously legitimate operating system code (as shown in Figure 7) to detour the control flow to the malicious code before the legitimate code executes. Figure 7: A detour from ws2_32 library’s connect() API to Sinowal’s code. Security software may detect (and remove) these types of API hooks by checking the library’s code in memory for any detours and for their destinations. This is also the technique that Sinowal uses—but for its own interests—to circumvent API hooks placed by security software, such as personal firewalls or host intrusion prevention systems (HIPS). Once Sinowal detects a hooked API function, it tries to decode jump and call instructions to find the API’s “real” address, so the security product’s code is not invoked at all, and the user isn’t notified about the suspicious behavior of the malware. Figure 8: Referrer set by the browser as it appears to the HttpSendRequestA() API. It’s no surprise that the detoured functions are those that are extensively used by applications communicating over the Internet. With the Trojan active, it monitors web browsers, email and FTP clients, and any other application using functions exported by ws2_32.dll, wininet.dll, nspr4.dll (Firefox), crypt32.dll, and advapi32.dll for any sensitive information processing. The HttpSendRequestA() API is an example of a function that is hooked by Sinowal if it runs in the context of Internet Explorer. Before allowing the flow of code execution to reach its intended destination—the original wininet::HttpSendRequestA— the detour takes control. It then parses the function’s lpszHeaders argument for referrers, which are set by the browser any time the user clicks a hyperlink during web7 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft browsing activities. (The HTTP “referrer” header contains the URL of the previous website that refers to the new resource being requested now.) Depending on that particular referrer, Sinowal causes Internet Explorer to display a context-sensitive pop-up window with the window’s title set to “Advanced Card Verification,” asking the user to enter credit card details. The malicious pop-up is injected through an Internet Explorer COM interface. Figure 9: Pop-ups injected by the Sinowal Trojan to capture the user’s credentials. As seen in Figure 9, users see either a fake VISA or MasterCard pop-up window, depending on the payment method they choose at an e-commerce site. The user won’t even be able to “accidentally” click the pop-up away since Sinowal uses the SetForegroundWindow()function to lay the pop-up on top of other windows, and it does so in an infinite loop. Information the Trojan steals is then encrypted before it is sent to a criminal organization formerly known as the “Russian Business Network,” whose IP addresses have been hardcoded into the Trojan’s code. You might assume that you’re safe with all the cryptography incorporated into the HTTPS and SSH protocols, but the malware simply grabs any data before it is encrypted or right after it has been decrypted, respectively. Sinowal’s latest twist The newest generations of the Sinowal family introduced a significant change in strategy and code: the family collects less data globally (at the operating system level, for example, hooking fewer API functions) and instead became more successful in stealing data by directly targeting particular applications. This grants the attackers several benefits over their previous generations of the Sinowal Trojan: is less data and traffic overhead Trojan isn’t easily discovered by its API hooks in memory • Sinowal is more compatible. Older Sinowal generations were bound to particular versions of Internet Explorer, while newer generations work more independently and universally across various versions • The • There 8 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft The new generations now look up credentials directly on disk after getting their exact locations from the Windows registry. The Trojan’s enemies—local security software—are directly targeted and disabled by patching them on disk. The attackers’ domain names are not only hardcoded but calculated using an algorithm based on the current date. Older generations of the Trojan, with its massive datastealing capabilities, may have been used in a data-mining preparatory stage for assembling malicious intelligence, which was then used to tweak the next generations to produce optimal results. Login and password combinations that have been auto-saved by Internet Explorer are looked up using the FindFirst-/FindNextUrlCacheEntry() API functions; auto-saved credentials for the Firefox browser are retrieved by reading and parsing its “signons.txt,” “signons2.txt,” and “signons3.txt” files—the files that hold all the user’s private information. The list of applications attacked in similar ways is long: Microsoft Outlook, Eudora, Mozilla Thunderbird, VanDyke SecureCRT, WinSCP, and PuTTY–to name just a few. Passwords, personal identification numbers (PINs), and TANs typed into dialog boxes by a user are stolen using a technique that is less suspicious compared with older hooking functions: a background thread cycles through the desktop’s windows, looking for specific window captions and classes that may indicate the use of password dialogs in general or dialogs that belong to certain finance applications explicitly supported by the Trojan. Passwords, TANs, or PINs are then retrieved by sending the dialog a WM_GETTEXT window message. That works with the password character (asterisk) being set, since the Trojan disables this kind of visual obfuscation before reading the password and then re-enabling it using WM_SETPASSWORDCHAR. This happens within such a short period that users do not notice the change. Figure 10: A conventional password dialog. Not only is the security and privacy of infected systems compromised by the infection itself, but the trustworthiness of the site is compromised in several ways. Software intending to deliver additional security, such as browser plug-ins (also known as browser helper objects), visually signals secure connections established to a banking site, such as a traffic light icon. And those will simply be patched by the malware on disk to change their behavior, so they will feign secure connections where there really aren’t any. Because their malware is looking for particular byte patterns of code to patch, malware authors have another reason to reverse-engineer security products. Even encrypted or hashed passwords are cracked by brute force by abusing commercial third-party libraries meant to be used for securing communications. An even more dangerous “feature” of current variants of Sinowal is their ability to turn the infected user’s computer into a proxy that is open to the whole world. It does so by injecting its proxy server code into the services.exe process, an application running with System privileges. After the code injection, the now-infected process will consecutively accept any incoming HTTP-, SOCKS4-, and SOCKS5-proxy connections. The attacker can thereby mount a second-stage attack, misusing the geographical location and reputation of Figure 11: Proxy servers running in the the infected host. context of a System-privileged process. 9 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Any single infection will take down your immune system As if the sole infection and hijacking of the victim’s identity by one malware wasn’t enough, the malware’s HTTP proxy code drills yet another hole into infected computers. Because attackers do not care about writing secure code, bugs in Sinowal’s proxy (and likewise in other major malware families) open up the machine to further attacks through remote code execution. A single malware infection can lead to an endless number of downstream infections through the following attack vectors: Figure 12: Erroneous HTTP proxy code. attackers command the infected PC to download another malware component attacker is a bot herder and rents the infected PC to another attacker who will download onto and execute other malware on the victim’s PC • A different attacker party searches for systems infected by a particular malware, then remotely exploits that malware’s “vulnerabilities” • The • The As mentioned before, malware authors do reverse-engineer security software, so why shouldn’t they also reverse-engineer their rivals’ malware to gain a bigger “market share”? One recent example of malicious software that removes rivals rather unconventionally is the Tigger rootkit, 4 which exploits a local vulnerability (MS08-066) in Windows code, granting the malware system privileges that it uses to disable security products and remove competing malware. As seen in Figure 12, one of the vulnerabilities in Sinowal’s HTTP proxy code is composed of a loop that copies data from a user-supplied buffer taken from the Internet to a limited stack buffer until a certain character in the user-supplied buffer is found. Providing malformed input would cause the respective buffer to be written beyond its boundaries, allowing another attacker to execute more arbitrary malicious code on the already infected victim machine. This allows another potential herd of attackers to gain control by overwriting critical data, such as the structured exception handler (SEH), heap structures, and the function’s return address on stack. Although Windows provides built-in security mechanisms to protect against execution of code in memory areas holding data, and to prevent the successful overwriting of SEH5, those mechanisms can be rendered ineffective—as any application can decide for itself whether these measures should take effect on a particular application process. Attacker A Attacker B Further crime More malware Attacker C Exploit proxy Online Banking Infected machine / vulnerable proxy Figure 13: Different attack scenarios 4. http://mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html. 5. http://blogs.technet.com/swi/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx. 10 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft It’s no surprise that malware authors are not expected to compile their products with /GS or /NXCOMPAT, which are flags that would instruct a compiler to build more secure code. Given the overflowable stack buffer in Sinowal, all the “remaining” fields (the ones right after the buffer) and, most important, pointers accountable for arbitrary code execution can be remotely overwritten. Known major threats today are effective for “only” several weeks—through the cooperation of security companies and law enforcement, the malware’s command and control servers subsequently are taken down. When that occurs, password-stealing malware cannot phone home its stolen credentials; but with the perforated proxy server running in the context of a highly privileged process, the infected machine is open to further attacks. The existence of this proxy code and its probable bugs appears to have been known to underground communities since 2006. Zbot: the Next Generation of Keylogging Zbot is another financially oriented data-stealing malware family that targets banking PINs and TANs in particular. Compared to first generations of Sinowal, the Zbot Trojan very similarly hooks a number of user-mode API functions to grab credentials on the fly. One difference is that Zbot gets by with usermode API hooks, as opposed to incorporating the kernel-mode hooks that Sinowal’s accompanying rootkit component contains. A detour for ntdll.dll’s NtQueryDirectoryFile() function, which is the native API being called by the FindFirst-/FindNextFile() API functions, filters several directory names and files that appear invisible to the user. Figure 14: The Zbot construction kit allows production of new variants with a simple mouse click. Several additional hooks for native API functions such as NtCreateThread(), LdrLoadDll(), and LdrGetProcedureAddress() are planted to inject malicious code both into newly created processes and threads and to ensure that its very own API hooks will stay effective. Like Sinowal, the Zbot Trojan steals credentials on the fly by hooking code that belongs to networking APIs. These hooks represent a local man-in-the-middle attack by intercepting communication on the client, before it hits the network. The Trojan may be configured to target only sessions on a particular host, such as the website of a large bank, but it can also grab credentials and hostnames universally. For example, the InternetReadFile() hook will look for HTML-typical tags; the detoured ws2_32.dll’s send() function, on the contrary, checks buffers for anything that may look like an FTP protocol. “User,” “pass,” “feat,” “pasv,” “list,” “nbsp;,” “br,” or “script” verbs and keywords may trigger the logging or modification capabilities of the Trojan. 11 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Figure 15: Currently active command-and-control servers of the Zbot malware family. [Source: abuse.ch] One of Zbot’s trickiest detours is the one installed for TranslateMessage(),a Windows function to convert virtual key codes into readable characters. That’s where the Trojan inserts itself and acts as a conventional keylogger by intercepting WM_KEYDOWN messages and logging any characters, for example, credentials. But the truly sneaky part is the detour intercepting WM_LBUTTONDOWN window messages, which are events that signal left-mouse-button clicks. For each click (limited to a maximum of 20), a quadratic screenshot with the mouse cursor as its center is created and used to graphically grab credentials that the user provides with virtual or on-screen keyboards. The bad guys reaction to a “graphical keylogger” of that caliber is more than natural. It’s a typical cat-and-mouse game that evolved after online banking institutes decided to transition from traditional keyboard-based authentication to proprietary authentication mechanisms based on virtual keyboards. Code ws2_32.dll send() 1. Detour to the Trojan’s code Zbot’s hook procedure for send() 3. Call to ws2_32.dll 2. Inspect and modify arguments Stack int flags int len const char *buf SOCKET s address of caller Heap, Stack and Globals USER, PASS, LIST, FEAT Figure 16: Graph illustrating Zbot’s send() API hook. 12 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Figure 17: Next-generation keylogging steals data from virtual keyboards. The screenshots are stored as JPEG files to a “screens” subdirectory hidden through the rootkit functionality of the Trojan—a user would never stumble upon and discover them by accident. All of the file names are assembled from various components, such as the identification associated with the currently running process, an underscore character, and the current clock tick count. With this information, the chronological sequence of the clicked ciphers can easily be reassembled into complete TANs. Another “feature” that Sinowal and Zbot have in common is the SOCKS proxy, in which Zbot has a built-in backdoor that listens on a randomly chosen transmission control protocol (TCP) port. Among the set of commands supported by this backdoor is a function to create and send screenshots using a proprietary protocol. The attacker may, depending on the victim’s bandwidth, supply adequate encodings (for example, GIF, JPEG, or BMP). More devastating consequences, however, can be expected by issuing a backdoor command that deletes all registry subkeys beginning at the root keys “HKEY_CURRENT_USER\Software,” “HKEY_LOCAL_ MACHINE\Software,” and “HKEY_LOCAL_MACHINE\System,” thus rendering the affected system totally unusable. The attackers may remotely destroy the compromised system to remove their traces, after having launched an attack abusing the compromised host’s IP address as the attack source. Steam Stealer and the Underground Market for Game Credentials Steam Stealer, another password thief, is less common than the two professionally authored password stealers Sinowal and Zbot. Its code has a modular structure, which might indicate the existence of a construction kit or various code snippets stolen from other malware. The latter seems a more reasonable explanation, as the malware is configurable through a resource that is embedded into the executable, making redundant the need for a separate construction kit. The code has various deficiencies, such as the broad use of deprecated library functions, which, fortunately, make the malware anything but robust. Steam Stealer abuses commercial third-party tools to crack credentials it harvests. In summary, it looks as though this Trojan is a patchwork of code snippets and third-party binaries that can be found on various underground forums. Figure 18: A list of games targeted by Steam Stealer. 13 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Before Steam Stealer tries to rob a game player’s treasury, it uses several well-known methods to detect virtual machines. Simple ones call the GetCurrentUser() API function and check its results against a list of user names known to be employed by certain sandboxes. Others aim at detecting virtual operating systems by probing a certain hardware register’s value. The byte pattern formed by this sequence of x86 assembly codes is pretty peculiar. So peculiar, in fact, that it is easily detected and flagged by many anti-malware products. As a reaction, the malware’s authors decided to hide the pattern by building its code (which consists of only a few bytes) dynamically on stack before the malware jumps to it. Code that is trying to execute on stack is detected by Microsoft’s data execution prevention (DEP), which was introduced in Windows XP SP2. With DEP enabled for all processes, which isn’t the default case on some Windows platforms, the malware would have simply crashed and done no further harm. Other detection methods used by Steam Stealer, such as probing for the presence of several security products, are as simple as trying to open certain keys in the Windows registry or blacklisting processes and loaded libraries by name. Nonetheless, there is a commercial market for Steam Stealer: the customized malware is sold by its authors for €60 each, and is tailored to the customer’s needs. Accompanying the malware is an additional executable packer, sold for €40, which aims to make the malware “FUD,” which in cybercrime circles is the term for executables that are “fully undetectable.” These executable packers, or crypters, are often referred to as binders, since they work like conventional installers. They drop and execute bundled and encrypted binaries, optionally only to memory, so on-access scanners won’t ever see and scan dropped files. With services such as VirusTotal.com publicly available, or also by using “offline” command line scanning, cybercriminals scan and modify their newly built variants using binders until these are no longer detected. Figure 19: Steam’s online shop. 14 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Figure 20: Excerpt of Steam Stealer’s decompiled pseudocode. As soon as Steam Stealer is running, it loads several modules that start collecting Firefox’s saved passwords, CD keys, and product IDs of a huge list of popular games and Microsoft products. Steam Stealer follows a predefined list of registry paths belonging to the products and reads their values, which hold unencrypted credentials that the attackers hunt for. One component, explicitly targeting Steam credentials, reads and decodes a file that contains the user’s Steam account and password. This file, ClientRegistry.blob, is found in Steam’s installation directory. The list of stolen credentials is assembled into a stack variable and saved to a separate location on disk—ready to deliver the goods to the attacker. Depending on the configuration embedded with Steam Stealer, the malware might also steal the credentials of instant messengers, email accounts, local area network accounts, and FTP accounts. Unfortunately, not all of these credentials are encrypted by their applications before they’re saved to disk. But the ones that are a headache for the malware writer bundle freeware password-recovery software and abuse it to crack encrypted credentials. Steam Stealer can be configured to collect anything and either send it home by email (using a separate SMTP component) or upload it to an FTP server. Conclusion: Cybercriminals Exploit the Economic Crisis In early February 2009, the FBI issued a press release6 to inform the public of the ongoing problem of work-at-home scams. Desperate individuals who have unexpectedly lost their jobs as a result of the economic crisis are looking for new opportunities and will take just about anything they can get—and sometimes they get entangled with cybercrime schemes. They may resort to working as “money mules,” illegally transferring funds obtained through password stealers on behalf of cybercrooks. These victims, who are under severe financial pressure, often either don’t know or don’t care about the criminal activity behind the money laundering. But the business they are involved in is quite risky—the bank transfers they make may be reversed and consequently leave a hole in the money launderer’s account, and these mules are very likely to be on the radar of cybercrime investigation authorities. Fortunately, many banks restrict the amount of money that can be transferred to foreign countries. With the help of money mules, however, transfers look like domestic transactions and usually evade the radar of law enforcement authorities. However, because the money launderers are generally more visible, they are the ones discovered and prosecuted by federal law enforcement while the real criminals hide behind them in the shadows. Consumers are advised to keep their eyes open and not fall for job offers that appear too good to be true—or they may unwittingly end up becoming involved in criminal activities. Back in the virtual world, attackers hide behind someone else’s infected host because proxies nowadays don’t need to ship with a separate binary—they are just part of the malware. Similar to the money launderer’s real-world scenario, the “owned” host’s IP address is then used to anonymously commit cybercrimes. And there’s a double whammy for the victims, as if an infection by a password stealer wasn’t troublesome enough already! Victims may face legal action for seemingly having committed cybercrimes when their home PCs are identified source as the source of the malware exploit. With the attacker’s ability to remotely destroy the infected system through the fully compromised system, removing his traces is as easy as playing point-and-click computer games. The victim doesn’t even have a chance to ask a forensic expert trace the source of the malware. 6. http://www.fbi.gov/pressrel/pressrel09/workathomescams020309.htm. 15 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Criminal Victim Money Mule Victim Money Mule Figure 21: How “money mules,” the middlemen who launder money, and “work-at-home scam” victims engage in criminal activity. As we’ve outlined in this paper, the evolution of password-stealing malware is driven by a cops-androbbers game between cybercriminals and online banking institutions. But implementing more security doesn’t necessarily bring about better usability. The contrary is usually the case, as the introduction of yet another security mechanism usually complicates things for users, eventually discouraging them. How many levels of complexity will customers put up with? Entering or having to memorize yet another “secret” code simply won’t do. Financial institutions need to find a better compromise between security and usability. Some consumers even write down their ATM PIN numbers and store them, along with their bank cards, in their wallets because they find it too difficult to remember so many codes and passwords. Without a doubt, behavior like that will render all security efforts useless. One-time password tokens are a good start, but the costs of these devices trickle down to the customer. How many users are ready to pay for additional banking security that they feel should be free? And one more thing that is certain is that password stealers will not vanish any time soon. With the availability of easy-to-use construction kits that allow anyone to create customized Trojans with a simple mouse click, infections with even more sophisticated password-stealing malware is a harsh reality. Because stealing credentials online is a highly profitable business, criminals will not stop, but rather will expand their audience beyond bank customers and online gamers. Skimming attacks, which compromise ATM operating systems and software, are an example of new techniques that could gain popularity among the cyberunderground. With modern malware’s sophisticated mechanisms for circumventing security solutions and for staying undiscovered, it is increasingly important not only to prevent but also to uncover and isolate existing infections on a network. Strange behavior, such as an increase in permanent network traffic or encrypted HTTP power-on self-test requests, is a likely sign of infection and may easily be detected by the alert network gateway. The risk of a whole corporate network becoming infected by a single employee is remarkably high: an employee may unknowingly take an infected laptop or mass storage device to the workplace and connect it to the corporate network. In tough economic times, governments tend to lapse into protectionist activity and restrain trade between nations. But with emerging cross-border threats—where a crime is committed in one country but the suspect resides in a different country—it is critical that governments pay more attention to cybercrime and cooperate on an international level to catch the wrongdoers. € 16 Research Report Inside the Password-Stealing Business: the Who and How of Identity Theft Acknowledgement We thank our colleague François Paget for his invaluable help with statistical data. About the Authors Dennis Elser is a senior engineer with the gateway anti-malware research and development team at McAfee. His specialties include vulnerability research and the development of proactive exploit detection technologies. Elser is a regular contributor to the McAfee Avert Labs blog and author of several Virus Bulletin magazine articles on topics ranging from Windows vulnerabilities to multimedia-based malware. Micha Pekrul is a senior engineer on the gateway anti-malware R&D team at McAfee. His areas of expertise include research on malicious web content and the development of respective detection approaches used in McAfee web anti-malware, gateway edition. Pekrul frequently shares his timely insights about the latest threats on the Avert Labs blog and is author of several Virus Bulletin articles. McAfee, Inc. 3965 Freedom Circle Santa Clara, CA 95054 888 847 8766 www.mcafee.com McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the U.S. and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners. © 2009 McAfee, Inc. All rights reserved. 6622wp_password-stealers_0709_ETMG