Published: 01 Jun 2006
From massive botnets to targeted phishing and transacting Trojans, today's new breed of attacker is more dangerous than ever.
There's not much West Coast-cool to Christopher Maxwell and Jeanson James Ancheta. Both Californians are young and cocky, don't have great jobs and are staring down the barrel of multi-year prison sentences for herding bots and dropping adware on compromised computers.
This is the face of today's hacker: someone like Maxwell who, by day, works at Wal-Mart and, by night, prosecutors say, corrals drones for his botnet. Or like Ancheta, who was driving a BMW before his 21st birthday, and made more than $60,000 from adware purveyors and from renting his botnet to spammers.
Their respective schemes were elaborate and lucrative.
In their wake are hundreds of thousands of unwitting victims preyed on through compromised corporate and home computers.
For some, like Northwest Hospital in Seattle, the toll was much more serious. Maxwell allegedly used the Sasser worm to exploit Windows machines running the vulnerable LSASS login verification service. The worm aggressively scanned the hospital's networks for additional vulnerable servers and clients, degrading service to the point where administrative functions like records management, patient admissions and billing were forced offline. Patient care continued, but the hospital had to reschedule one procedure and alter that patient's treatment schedule.
All of this, authorities say, to net a 15-cent commission for each bit of adware dropped onto an unsuspecting machine. But 15 cents on thousands of machines adds up quickly.
These cases, documented in voluminous court filings, are examples of the type of for-profit crime plaguing the Internet. The days of hackers vying for bragging rights with splashy tricks that show off their skills are long gone.
Today's cyberattackers are marshaling botnets, developing targeted code and hawking their exploits with one goal in mind: money. Although some attackers work alone--lone wolves, as one U.S. Department of Justice official puts it--others are part of large, organized operations.
For users, this trend can result in online fraud that drains bank accounts and steals identities. For businesses, the impact can be equally harsh. Confidential data gets lost, operations are disrupted, and reputations are tarnished.
Numbers Don't Lie
Victims and statistics tell the story. An IBM survey of IT professionals released earlier this year shows that nearly 60 percent believe cybercrime results in more lost revenue, customers and worker productivity than physical crime.
The FBI/Computer Security Institute's annual survey of 700 information security professionals reveals that the average loss from unauthorized access to information shot up to $303,234 last year from $51,454 in 2004. At the same time, theft of proprietary information more than doubled to an average loss of $355,552. Research firm Computer Economics estimates that total worldwide damages from malware, including recovery costs and revenue loss, totaled $14.2 billion last year.
Botnets are the primary vehicle for hacker mayhem. Many bot programs have limited functionality until triggered by the host system. Once activated, bots download their malicious arsenal, including Trojans bearing keyloggers or auto-update capabilities that communicate with a third-party server.
According to Symantec's Internet Security Threat Report, nearly 11,000 new Windows viruses and worms were detected in the second half of 2005. Bot-related malware was up 43 percent over the first six months of 2005, and Symantec warns the next surge may be coming soon.
"Bad guys have perfected their business models," says malware expert and author Ed Skoudis. "If you go back 20 years, few crime organizations had IT departments. Now they do; and it more than pays for itself."
Stealthy and Social
Many of today's hackers aren't satisfied with mere pennies for each adware dropped or botnet rented. They want customer data and intellectual property; they want to infiltrate government agencies and steal precious secrets that, if let out, could endanger national security. A large manufacturing company (that did not want to be identified) reports constant network scans from China and Eastern Bloc nations, probing for engineering files that could be sold to the competition on the ever-fertile black market.
Money motivates hackers, but sophisticated skills are getting them inside the virtual walls of a corporation and enabling them to steal away undetected with their loot. Rootkits are the flavor-of-the-moment stealth technology; some are bundled in spyware that exploits flaws in popular browsers like Internet Explorer. Rootkits mask the presence of malicious code and intrusions. Those that piggyback spyware could also drop keyloggers and provide root-level access to systems; most have auto-update capabilities. It's all about getting in and out quietly. The longer an attacker has system access, the longer he can poke around.
Following the Money
Tracking cybercriminals often involves reverse engineering malicious code from infected computers, which allows investigators to figure out the server bots report to, and who issues commands via that server. It's never a simple process because those servers could be overseas, or criminals could use methods to disguise themselves.
But since most cybercrime is financially motivated, following the money is a popular way to track down perpetrators, says Ramyar Tabatabaian, supervisory special agent at the FBI's Los Angeles office. Bank-account-stealing Trojans, for example, sit dormant on a computer until a specific activity awakens them, such as a user visiting a bank's Web site. The Trojan piggybacks on that session, captures passwords and other confidential information and sends it to a central server. The stolen credentials are used to drain money out of accounts, and the money is sometimes funneled to people recruited to temporarily accept money into their bank accounts before wiring it overseas.
"That's always our first stop," Tabatabaian says of the hired help, whom security intelligence firm iDefense calls "money mules."
Money mules launder money for criminals who profit from stolen credit cards or other financial accounts, and are trying to evade law enforcement, says Ken Dunham, iDefense rapid response director. Typically, the job is advertised on a seemingly legitimate Web site or as "private financial receiver," "shipping manager," or "money transfer agent." The young, naïve, or desperate tend to fall for the scheme, he says.
The mules, usually recruited in the U.S., U.K. and Australia, receive direct-deposit payments to their personal accounts that are in the same country as the victim. They withdraw the cash, keep a percentage and send the rest via wire transfer to an overseas account.
Dunham says there isn't much public information available about these money-mule operations, but he cites a case in Australia where more than 60 people were arrested last year for allegedly laundering money to accounts in Russia as part of a global phishing operation.
Once money goes overseas, the FBI works with foreign law enforcement to track down suspects, and has had success in Russia, Romania and elsewhere. The agency has 53 offices overseas that act as liaisons to foreign law enforcement.
"What hackers are realizing is that there are so many ways to get information out of an enterprise. As people get wise to them, hackers are adapting," says Richard Bejtlich, a former captain for the Air Force CERT team and founder of consultancy TaoSecurity. He cautions businesses to focus on egress filtering as a means of monitoring the packets that leave their networks. "Pay attention to what is leaving your company," Bejtlich says.
Hackers are also attacking defensive technologies, specifically antivirus and antispyware, rendering them inoperable or blind to the presence of malware. They're also toying with custom-packing algorithms to foil reverse-engineering attempts by researchers, Skoudis says. Some researchers report having to wade through two dozen different custom-packing algorithms before they're able to determine the intentions behind a piece of malicious code. Precious time is lost while enterprise exposure to exploits grows.
Some malware is sensitive to what debuggers are running on a system and will shut down. Other code is sensitive to whether it's running on a virtual machine and--in another attempt to frustrate researchers--will behave differently or shut down.
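Skoudis's point about custom packing can be made concrete. The following is an added example written for this page, not code from the article or from any of the researchers it quotes: it scores each section of a constructed binary by Shannon entropy, the first test an analyst runs to decide whether a sample is packed and has to be unpacked before its intent can be read. The section names, their contents, the SHA-256 chain standing in for packer output and the 7.0 bits/byte threshold are all assumptions made for the example.

```python
"""Spot packed or encrypted sections by byte entropy.

Added example for this article; it is not code from the article or from any
of the researchers quoted. Packers compress or encrypt the real payload, and
the output of either is close to uniformly random, so its Shannon entropy
approaches the 8 bits/byte maximum, while ordinary code and text sit far
lower. The section names and contents below are constructed stand-ins.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_sections(sections, threshold=7.0):
    """For each (name, bytes) pair, report (name, entropy, flagged).

    7.0 bits/byte is a common rule of thumb (an assumption here, not a
    standard); plain x86 code usually measures well below it.
    """
    report = []
    for name, data in sections:
        h = shannon_entropy(data)
        report.append((name, h, h >= threshold))
    return report


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest 'encryption' a packer stub might apply."""
    return bytes(b ^ key for b in data)


def _pseudo_packed(n: int) -> bytes:
    """Deterministic stand-in for a packer's output: a SHA-256 chain, which
    is statistically indistinguishable from compressed or encrypted data."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample sections (not taken from any real binary).
PLAIN_CODE = b"push ebp; mov ebp, esp; sub esp, 0x40; call 0x401000; leave; ret; " * 64
XORED_CODE = xor_bytes(PLAIN_CODE, 0x5A)
PACKED = _pseudo_packed(4096)

SAMPLE_SECTIONS = [
    (".text", PLAIN_CODE),
    (".data", XORED_CODE),   # single-byte XOR only relabels byte values
    (".pack", PACKED),       # compressed/encrypted payload
]

if __name__ == "__main__":
    for name, h, flagged in scan_sections(SAMPLE_SECTIONS):
        print(f"{name:6} {h:5.2f} bits/byte {'PACKED?' if flagged else ''}")
```

The `.data` section carries a caveat worth knowing: XOR with a constant key is a bijection on byte values, so it only permutes the byte histogram and leaves entropy exactly equal to that of the plaintext. Entropy flags compression and real ciphers, not trivial obfuscation, which is why analysts pair it with other signs of packing such as a near-empty import table or a tiny code section that jumps into a large writable one.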
It's not all about bits and bytes for hackers. As derided as reformed hacker Kevin Mitnick often is in security circles, his work on social engineering has probably never been more relevant. Attacks are more targeted than ever with hackers zeroing in on handpicked companies, divisions within corporations, even specific people.
"There's a greater level of intelligence-gathering in place," says Al Huger, senior director of engineering for Symantec Security Response. "It's not just port-scanning activity. Hackers are spending more time on newsgroups, finding employees who post, finding out their interests. It's very canny and successful."
Huger relayed an anecdote about a bank's security officer who was phished by a hacker posing as a customer whose account was broken into after visiting a malicious site. The hacker e-mailed the malicious URL in question, which the security officer followed. The site exploited an unpublished browser flaw, and the bank was backdoored. For six months, the hacker stole VPN and database passwords. "As far as we know, this was a binary attack," Huger says. "It has never been seen anywhere else, and it was targeted at that one person."
"Small cells of hackers are doing this for big business," says Eric Cole, network security expert, author of Hackers Beware and coauthor of Network Security Bible. "This information and data sells for a lot of money. Hackers focus their energy and reconnaissance on pharmaceuticals, financial institutions and government agencies. The competition will pay a lot of money for that. It sounds like Hollywood stuff, but I see this happening. It amazes me more people are not aware of it."
Backed by that kind of intelligence, Trojans are becoming more insidious. While most can record keystrokes, mouse movements and screenshots, and then send them to a third party, others have forsaken the ability to transmit information in favor of acting in real time--a devious twist on the zero-day attack concept.
Some Trojans, for example, don't trigger until users log in to their online bank accounts, then transact on their behalf, moving money from one account to another.
"Trojans that transact are the Holy Grail," says Amir Orad, VP of marketing at RSA Security. "This new generation of Trojans collects information that is used on the spot. You don't have the time gap; these are zero-day, real-time attacks."
Botnets offer attackers a lot of power, but don't necessarily require much technical skill.
"We're seeing a huge flood of people who aren't so talented or tech-savvy running these botnets. We find people using an IRC botnet server who have little knowledge of how IRC works, so they're playing with commands. Here they have thousands of hosts at their disposal, waiting for commands, and they're fumbling around trying to figure out what to do," says Jose Nazario, senior security engineer with Arbor Networks.
Once they figure out what to do, attackers quickly find people who will pay them for the botnet's services, whether that's installing adware and spyware on zombie machines, or launching a DDoS attack against a competitor.
Botnet operators appear to be from a variety of places--mostly the U.S., Russia, Romania and Brazil, Nazario says. The sharper ones have developed simple, effective ways to manage their botnets; they know exactly what capabilities the various bots have and where they're located.
TaoSecurity's Bejtlich says that botnet command-and-control, once contained to IRC, is moving to the Web. Hackers are developing Web-based control mechanisms that export data as normal HTTP or HTTPS traffic. He advises that security managers proxy Web traffic wherever it leaves enterprise networks and filter the content.
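Bejtlich's two pieces of advice, egress filtering and proxying outbound web traffic, can be turned into checks that run over the logs those controls produce. The following is an added example written for this page, not code from the article or from TaoSecurity: it scans a constructed outbound-connection log for connections leaving on ports other than the proxied web ports, and for client/host pairs fetched at near-constant intervals, the beaconing pattern of HTTP-based command-and-control. The log format, addresses, hostnames and thresholds are all invented for the example.

```python
"""Egress monitoring over a constructed outbound-connection log.

Added example for this article, not code from it or from any quoted expert.
Two checks a practitioner would run on traffic leaving the network:
  1. egress policy: anything outbound that is not web traffic via the proxy
  2. beaconing: a client fetching the same host at nearly fixed intervals,
     the signature of HTTP-based bot command-and-control.
The log format 'epoch client host port path' is invented for this example.
"""
import statistics
from collections import defaultdict

# Constructed sample: one user browsing normally, one bot beaconing roughly
# every 300 s over HTTPS, and one host talking IRC directly on port 6667.
SAMPLE_LOG = """\
1149120000 10.1.5.23 www.example.com 443 /index.html
1149120012 10.1.5.23 www.example.com 443 /news.html
1149120015 10.1.5.23 www.example.com 443 /images/logo.png
1149120400 10.1.5.23 www.example.com 443 /about.html
1149121900 10.1.5.23 www.example.com 443 /contact.html
1149120000 10.1.5.77 update.cdn-stats.example 443 /ping?id=7731
1149120301 10.1.5.77 update.cdn-stats.example 443 /ping?id=7731
1149120599 10.1.5.77 update.cdn-stats.example 443 /ping?id=7731
1149120902 10.1.5.77 update.cdn-stats.example 443 /ping?id=7731
1149121198 10.1.5.77 update.cdn-stats.example 443 /ping?id=7731
1149120100 10.1.5.90 irc.example.net 6667 -
1149120700 10.1.5.90 irc.example.net 6667 -
"""


def parse_log(text):
    """Parse the constructed 'epoch client host port path' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, host, port, path = line.split(maxsplit=4)
        records.append({"ts": int(ts), "client": client, "host": host,
                        "port": int(port), "path": path})
    return records


def egress_violations(records, allowed_ports=(80, 443)):
    """Outbound connections the egress policy should have blocked.

    Policy assumed here: only web traffic, through the proxy, may leave.
    Returns sorted unique (client, host, port) tuples.
    """
    seen = set()
    for r in records:
        if r["port"] not in allowed_ports:
            seen.add((r["client"], r["host"], r["port"]))
    return sorted(seen)


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Client/host pairs contacted at near-constant intervals.

    A coefficient of variation (stdev / mean of the gaps) at or below
    max_cv means the timing is too regular for a human. Returns
    (client, host, mean_gap_seconds) tuples.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    beacons = []
    for (client, host), times in sorted(by_pair.items()):
        if len(times) < max(min_hits, 3):   # need at least two gaps for stdev
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.stdev(gaps) / mean <= max_cv:
            beacons.append((client, host, mean))
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for v in egress_violations(recs):
        print("egress violation:", v)
    for client, host, gap in find_beacons(recs):
        print(f"possible beacon: {client} -> {host} every ~{gap:.0f}s")
```

Both checks only work because the traffic is forced through a choke point that logs it; a bot that can open a direct outbound socket to an arbitrary port never appears in the proxy log, which is the reason the egress policy check comes first. Real bots add jitter to their sleep interval, so the `max_cv` threshold is a tuning knob, not a constant.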
2 Years of Cybercrime
A listing of events where law enforcement officials have been successful in convicting cybercriminals is available as a PDF.
Crime and Punishment
The FBI and U.S. Secret Service boast a nationwide network of task forces to investigate cybercrime. Many cases are complicated, manpower-intensive, and involve working with ISPs and law enforcement overseas, says Larry Johnson, a recently retired Secret Service special agent in charge of the criminal investigative division. Online thieves use a number of aliases and are adept at hiding their tracks.
There have been successes taking down cybercriminals (see "2 Years of Cybercrime"). Individuals like Ancheta--who pleaded guilty to charges--have recently been taken out of commission, as have larger organized groups. In 2004, the Secret Service's Operation Firewall led to 21 arrests in the U.S. and shut down an international online center, Shadowcrew.com, which had about 4,000 members and trafficked stolen identity information including credit and bank card numbers. Several others were arrested abroad. The case remains under investigation, says a Department of Justice official.
In March, the Secret Service announced Operation Rolling Stone, which targets fraud and identity theft and netted 22 arrests in the U.S. and U.K. The operation is part of an effort to crack down on online forums selling stolen credit cards, ID information and malware.
Law enforcement officials say they're concerned attackers will bypass identity scams and go directly to financial institutions to drain accounts, or break into large corporate databases to snatch thousands of identities at once. Businesses must also be aware of the threat posed by insiders closest to precious assets.
In Maxwell's case, powerful university computers were turned into bots that scanned for additional vulnerable servers.
While Northwest Hospital took the brunt of his alleged crimes, it also turned out to be Maxwell's undoing. Once IT managers noticed the presence of two scanning executables on their network, they notified authorities, and eventually the FBI got involved. Special agent David Farquhar monitored the infected machines and traced the route the executables took to the hospital over IRC channels, ISPs and domain providers until he landed on a phone number registered to the Maxwell home in Vacaville, Calif. Maxwell and two juvenile cohorts were arrested, their computers confiscated and their PayPal accounts raided--allegedly $33,000 in payments from adware companies over a nine-month period was found. The investigation later showed that his botnet also damaged U.S. Department of Defense computers in Colorado and Germany. In May, he pleaded guilty in the botnet case; he faces a possible 15 years in prison at his sentencing, slated for Aug. 4.
Ancheta, meanwhile, was sentenced last month to nearly five years in prison. Using nicknames like fortunecookie and Resilient, Ancheta directed more than 400,000 computers in his botnet to install adware that he had altered to download surreptitiously. For a price, Ancheta also leased his zombie armies for DDoS attacks or for sending massive amounts of spam, prosecutors say.
"He is not some script kiddie," says federal prosecutor James Aquilina. "He is very sophisticated. He writes his own code, modifies existing code, and is tenacious and creative in preventing his bots from being detected by law enforcement and network administrators." The cases of Ancheta and Maxwell serve as a clear sign that cybercrime is profitable--a trend that enterprises cannot afford to ignore. "These are some smart guys doing evil stuff," Skoudis says.