Criminals are getting sneakier. These days, computer viruses, Trojans, rootkits and other unfriendly software (collectively known as malware) can be foisted on our systems without our even noticing.

In the early days of malware, the idea was simply to show people that their systems had been compromised; a virus was sometimes nothing more than a thumbing of the perpetrator’s nose at his victims (what else would explain a virus that just made the letters you typed tumble to the bottom of the screen?). But as time went on, malware went from mischievous to malicious, and destruction became the name of the game.
Today’s malware authors aim for secrecy. Their goal is often to hide on your system and steal as much information as possible – banking passwords, credit card numbers, confidential files, and anything else of value. Or they may want to use your computer to launch attacks on others.
It’s embarrassingly easy to become a pawn in the bad guys’ games, as security vendor McAfee shows us in a little exercise known as the Malware Experience.

The Malware Experience is a class that can be anything from a few hours to a couple of days long. It is designed to give people the opportunity to experience malware in comfort and safety, says current custodian Jon Carpenter, an anti-malware competitive review manager at McAfee Labs. Mr. Carpenter has been working with the Malware Experience for almost a decade, and has been building new versions of it, to reflect the current malware universe, for the last five or six years.

At McAfee's recent Focus 2011 conference, Mr. Carpenter and Labs colleague Toralv Dirro presented a truncated version of the Experience to members of the media.
During the class, you become both a bad guy and his victim. You work on a laptop that is carefully isolated from any available networks and with external storage disabled (you are, after all, working with live malware, and don’t want it to escape). It contains three virtual machines (VMs): the victim's computer, a compromised web server, and the attacker's PC.

Then you unleash your inner hacker. Working from a script, you first construct the trap, configuring the web server with a Trojan horse – a program that performs a benign or useful function while sneakily installing malware on the victim’s machine in the background. It is housed on a website crafted to resemble a known site – in this case, an anti-virus vendor's site. So far, so good.

Next, you bait the hook by composing an e-mail to the victim, in the guise of a promotion for a free anti-malware tool. This will persuade the user to download the Trojan.
Then the scenario flips, and you become the victim.

Being a trusting soul, you open the e-mail on the victim VM and see the link to what you think is your anti-malware vendor’s website. A sharp-eyed person might notice, while hovering the cursor over the link, that the URL is slightly different from the legitimate vendor URL, but hackers usually count on the fact that the message looks convincing enough that a large percentage of recipients will click through.

That starts the download of your Trojan, which has been given the same name as the real anti-virus program.

Since you, as victim, have willingly downloaded the fake anti-virus program, you then run it (your system is virus-free, it says – how nice – a total lie, since it just installed the attacker’s malware), and the hackers immediately have another computer under their control.
Yes, it really is that easy.

Now that the victim’s computer is your slave, you as hacker can have some fun. You can pop back to the attacker machine and explore the command and control console for your malware to discover what mischief it can perform. For example, there’s a keylogger to capture every keystroke your victim types (very handy for grabbing passwords and credit card numbers). The next item in the script is even more insidious: you’re going to silently install another piece of malware, the Zeus Trojan, on your victim’s machine.

This time the victim has to do nothing. All the attacker needs to do is set up the configuration script for your malware, then instruct the first Trojan to install it on the target system. In a few minutes, the malware will report whether it was correctly installed and you’re ready to wreak more havoc.
Let’s say you want to steal the victim’s Facebook credentials. On the attacker machine, it’s a matter of entering the URL you want monitored, letting the malware sync with the victim’s machine, then sitting back and waiting.

Soon, everything you would need to hijack the victim’s account is at your fingertips, and the victim is none the wiser.

The Malware Experience includes a few more tricks as well, such as redirecting the victim’s surfing to a malicious website.
“We want to make people aware of what’s possible, but not to encourage them to try it,” explains Mr. Carpenter. “It’s all about raising awareness.”

And raise awareness he has, by presenting the class to members of the media, university students, police forces, and even the British House of Lords, to demonstrate how easy it is for computers to become infected.
Mr. Carpenter then points out ways to stay infection-free, such as not clicking on links in unsolicited e-mails, and examining links to ensure the site name is spelled correctly (slight misspellings are easy to miss, and can lead to malicious sites).
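The two checks Mr. Carpenter recommends (does the link's site name match the vendor you expect, and is it spelled exactly right?) can be automated on the receiving side. The following is an added example, not code from the article or from McAfee's class: it pulls the links out of an e-mail body, compares each link's registered domain against an allowlist of domains the user actually trusts, flags near-misses by edit distance, flags the trusted brand name appearing inside some other registered domain, and notes when the visible link text names a different site than the real destination (the thing you would otherwise only see by hovering). The vendor domain `acme-antivirus.com` and the sample e-mail are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the vendor domain the user actually trusts (hypothetical name).
TRUSTED_DOMAINS = {"acme-antivirus.com"}

# <a href="...">visible text</a> pairs in an HTML e-mail body.
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
# Something that looks like a host name inside the visible link text.
HOST_IN_TEXT_RE = re.compile(r'([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host name. Deliberately naive: production code should
    use the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(url):
    """trusted / lookalike / unknown / invalid for the destination of one link."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "invalid"          # mailto:, javascript:, relative paths, etc.
    reg = registrable_domain(host)
    trusted_regs = {registrable_domain(d) for d in TRUSTED_DOMAINS}
    if reg in trusted_regs:
        return "trusted"
    for treg in trusted_regs:
        brand = treg.split(".")[0]
        # One or two characters off from the real vendor domain (typo-squat).
        if levenshtein(reg, treg) <= 2:
            return "lookalike"
        # The vendor's name appears, but under some other registered domain
        # (e.g. vendor.com.some-other-site.net).
        if brand in host:
            return "lookalike"
    return "unknown"


def scan_email(html):
    """Return (url, verdict, text_mismatch) for every link in the message.
    text_mismatch is True when the visible link text names a site whose
    registered domain differs from where the link really goes."""
    findings = []
    for url, text in ANCHOR_RE.findall(html):
        verdict = classify_link(url)
        href_reg = registrable_domain(urlparse(url).hostname or "")
        plain_text = re.sub(r"<[^>]+>", "", text)
        shown = HOST_IN_TEXT_RE.search(plain_text)
        mismatch = bool(shown) and registrable_domain(shown.group(1)) != href_reg
        findings.append((url, verdict, mismatch))
    return findings


# Constructed sample message in the style of the "free anti-malware tool" lure.
SAMPLE_EMAIL = """
<p>Your free security scan is ready!</p>
<a href="https://www.acme-antivirus.com/download">Download</a>
<a href="http://www.acme-antivrus.com/free-tool">www.acme-antivirus.com/free-tool</a>
<a href="http://acme-antivirus.com.free-download.net/setup.exe">Get your free tool</a>
<a href="https://news.somethingelse.org/">Read more</a>
"""

if __name__ == "__main__":
    for url, verdict, mismatch in scan_email(SAMPLE_EMAIL):
        flag = " (visible text names a different site)" if mismatch else ""
        print(f"{verdict:9s} {url}{flag}")
```

Run on the sample, the first link is the genuine vendor site, the second is one letter short of it and additionally shows the correct domain as its visible text, the third hides the vendor's name as a subdomain of an unrelated site, and the fourth is simply an unknown site. Only the first would be considered safe; the third kind of trick is the one people miss most often, because the start of the URL looks right.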
“I’m a firm believer in finding the weakest link,” he says. “It’s important that users are aware of the risks. The [anti-malware] industry tries hard to make users aware.”
Source: theglobeandmail