fes' WebLog

Zotob Suspects

2005-08-26T23:42:00Z

In case you haven't seen it:

http://www.washingtonpost.com/wp-dyn/content/article/2005/08/26/AR2005082601201.html

"Louis M. Reigel III, director of the FBI's Cyber Division, said evidence indicates Ekici paid Essebar to develop the worms, which the two used for financial gain. Reigel declined to say whether the men were connected to a larger criminal enterprise. But according to information released by the Moroccan government, the two men are alleged to have forwarded financial information stolen from victims' computers to a credit card fraud ring."

Seems these things are used for financial gain more and more frequently, in addition to the financial loss from all of the comanies and individuals whose networks and systems went down because of it.

fes

This posting is provided "AS IS" with no warranties, and confers no rights.

How much is your computer worth?

2005-06-22T01:07:00Z

How much is your computer worth? I thought I would take a moment and hypothesize on this subject. But I'm not going to talk about hardware and software costs. These are easily quantifiable through the magic of price tags and receipts.

No, instead I think we should look at how much your computer is worth to someone else. This is a specific type of person who targets millions of computer users through any of numerous schemes. This is the attacker, the adversary, the miscreant, or criminal. It is the person who silently takes control of your computer through vulnerability exploitation, social engineering, or open holes from previous break-ins.

A bit of background. I hope I am not stating anything new, but it is a necessary precursor to the rest of the discussion. I won’t get into infection vectors, length definitions, etc. Rather, this will be succinct. Everybody probably knows what an Internet worm is, and probably knows roughly what a backdoor is. Many have at least heard of BotNet malware, but if not, think of it as a combination worm and backdoor for now (worm because it has the ability to propagate to other systems, and backdoor because it allows remote control of an infected computer). What you typically hear about BotNets (a collection of BotNet malware-infected computers, one or more control servers, and one or more controlling entities) is how they are used to launch Distributed Denial of Service (DDoS) attacks. What you may not, but should have, heard is that they are used for much more.

In this post, I’m going to focus on profit motives behind BotNet malware. Keep in mind that when you have malware on your computer, the malware could not only use your computer for anything its author programmed it for, but also watch everything that you do on your computer. For BotNet malware, many capabilities are “stock” and are available in source code floating around the Internet. But BotNet malware also has the generic ability to tell you computer to download new malware or other software with completely different functionality from arbitrary locations. This leads to many different money making opportunities, but I’ll discuss some of the leading mechanisms:

Account theft, including banking, credit cards, and other financial data. Many versions of BotNet malware have the ability to watch what you type on your keyboard. Some correlate this with web sites you are visiting, and may only “sniff” typing when you go to banking or commerce web sites. The malware will send this information to the controller, who can then either use it for identity theft, or sell it to someone else who will.
Installation of adware for profit via affiliate programs. Do you run XPSP2 with the popup blocker? Or use a third party popup blocker, but still get advertisements? It may be due to adware. Adware is software that will watch your browsing trends and pop up ads, or show them in toolbars and sidebars. Because adware is a separate program than your internet browser, it is not affected by the popup blocker. What’s more, someone who gets adware installed on your computer gets paid a reward through affiliate programs.
DDoS for hire. DDoS attacks are done for many reasons, including politically or socially-driven reasons. But they are also done in conjunction with extortion. Common targets are entities that require high uptime, such as gambling sites or small commerce sites. While a BotNet controller may not be directly involved in the extortion, they may offer contract DDoS services, that may ultimately link to extortion.
Spam relay proxies. Many mail systems block “known” spam relay IP addresses at their gateway. It is a sort of previous offender system, where a system known to send only spam is blacklisted so that the mail from the offender never consumes resources (storage, network, processing, etc.) on the target mail system. Virgin, unblocked IP addresses to use as spam relays are those that are not on the blacklist, and are thus not subject to immediate blocking. Such systems are very valuable to spammers and those who sell proxy services.
Installation of Internet dialers. Many people still use dial-up connections. And while such a connection isn’t so useful for DDoS attacks, it does have a unique opportunity for malicious profit. An attacker who gets an Internet dialer installed on a computer has the ability to change the number and provider that you dial in to when you launch your web browser. This allows them to change it to a toll number (such as a 900 number here in the states), through which they can ultimately profit (often via affiliate programs).

There is a lot of data in each of these areas that supports how BotNets are commonly used for all of them. At a later point, I may discuss some in more detail, but for now, I want to get back to the point of this post—how much is your computer worth? Being no statistician, I won’t say this is scientifically accurate (indeed, there are quite a few holes in the suppositions below), but I think it is interesting.

So, we’ll describe what sort of profit may be had by a combination of these activities in terms of profit by the miscreant:

Account theft: $0.29 per month. The FTC states that the average cost to businesses for an individual victim of identity theft is $4800 and the cost to the individual is $500 (http://www.ftc.gov/opa/2003/09/idtheft.htm). I’ll assume this is an aggregate gain of $5300 on the part of the criminal, and I’ll distribute that over a one-year period. That gives us $441.67 per month. According to a survey by the Pew Internet and American Life Project, 44% of Internet users bank online (http://www.msnbc.msn.com/id/6936297/). We’ll just assume that this group is the same as those who shop online for simplicity. In the FTC study, 27.3 Million Americans were victims of identity theft during the 5 years it ran. That means 5.46 Million on average per year, or 455,000 per month. That means about 0.15% of the US population are victims of identity theft per month. To be conservative, lets say that to be a victim of online identity theft, you have to: 1) be infected with malware that steals account details, like many BotNet malwares can, so we’ll assume 100%, 2) bank online (44% of Internet users), and 3) have your information used by someone (0.15% per month). Apply that to the average loss per instance above, and you get $0.29 per month. Realistically, this number is probably significantly lower than the actual value. That 0.15% per month is for all Americans. The chances of your personal data being used if you shop or bank online and are infected with BotNet malware that steals data as you type is probably around two orders of magnitude greater, because the 0.15% figures in the probability of your data being stolen. In our example, it’s already been stolen. The probability here is simply whether or not it will be used. For a more realistic number I would guess 10% of stolen information is actually used, meaning that the number is probably more like $441.67 times 0.44 times 0.1, or $19.43 per month.
Adware installation: $0.67 per month. Affiliate programs, in short, allow adware companies to write software and rely on others for distribution. Affiliates are often paid on a per-install basis ($.20 per installation on a US-based computer is common). As an example, a BotNet controller made approximately $20,000 in 3 months from a 10,000-strong BotNet through repeatedly surreptitiously installing one brand of adware. We’ll go with that example, although by installing multiple adware brands, it is likely possible to make more money.
DDoS for hire: $0.01 per month. There is an example of a BotNet controller who made $100 per month using a 10,000-strong BotNet for DDoS. In one particular month, 6 unique IPs were targeted. I don’t know that this is typical or not, but it is an example I am aware of. Note that if the controller is involved in the extortion end and is successful, the worth increases. For example, it is not uncommon to demand $10,000 for DDoS protection (http://www.msnbc.msn.com/id/6436834/).
Spam relay proxies: $0.20 per month. You can find, using various web searches, offers for proxies that average out to about $0.05 per relay per week. So, for monthly profit assuming a BotNet controller has installed spam proxies on the infected clients, we’ll assume $0.20 per month.
Installation of Internet dialers: Varies. According to this study from Stanford (http://www.stanford.edu/group/siqss/SIQSS_Time_Study_04.pdf), it seems the average time spent online for an Internet user is 3 hours per day. Let’s be conservative and say the dialer uses a toll number at a rate of $0.10/minute. That comes out to $18/day, or about $540 a month. Further, we’ll assume that you figure out after the first phone bill that something is wrong, so you only get hit the first month, and don’t get hit the rest of the year. Using that, to put it in terms of the other figures, that is still $45 per month.

Ignoring Internet dialers, that gives us an average aggregate worth of one infected computer of $1.17 per month. Granted, if you are a victim of an Internet dialer, or one of the chosen few who actually have your account data stolen and used, then your computer is worth much more. But we’re talking averages.

So $1.17 doesn’t sound like much per month. But, many BotNets number in the thousands. A modest number of 1000 infected systems gives you $1170 per month. And 10,000 infected systems puts you solidly into the upper middle class income range. If you go with estimates of 2-5 million computers infected with BotNet malware, that is a worth of between $2.34 and $5.85 million per month, ignoring successful extortion attempts, the cost of bandwidth, pc repair, Trojan dialers, etc.

Now, instead try the other guess of $19.43 per computer per month in profit from identity theft, and go with the low end of 2 million computers infected. That means there is potential for $466 million in profits by the miscreant per year from identity theft due to BotNets alone. Over a 5-year period, that is $2.3 billion. The FTC study reported total loss figures of $48 billion over 5 years for businesses and $5 billion for consumers, or $53 billion total. Could BotNets account for 4.3% of that figure? I wouldn’t be surprised if it is more…

This posting is provided "AS IS" with no warranties, and confers no rights.

What I do now

2005-01-17T19:19:00Z

It has been quite some time since my last post and my job responsibilities have changed, so I thought I'd say something about what I do now. As it happens, I no longer work in threat modeling or even application security for that matter. My new responsibilities are primarily concerned with malicious code investigations.

This, I think, is an important field of work. As you well know, there is a lot of malware out there. In my opinion, it is a rather dangerous time because writiers and distributors of malware have found numerous ways of profiting from their malware. It is not difficult to find stories about extortion (such as threats of DDoS attacks), identity and account theft (credit cards, bank accounts, paypal accounts, etc.), proxy resale (whether it be anonymizing services or spam proxies), and surreptitious adware installation.

My job is concerned with analyzing these threats and taking action to stem their proliferation. There are many other efforts and other teams with similar goals, but I deal with specific types of malware. This is something that I will discuss in more detail in the future, but at this point, I primarily wanted to mention my change in focus.

Threat modeling tool video

2004-07-09T23:28:00Z

Channel 9 (http://channel9.msdn.com) taped me discussing threat modeling and the threat modeling tool and posted it today. WMP 9 users can watch it at play speed “Fast” for efficiency. Feel free to take a look and send some feedback either here or there.

Incidentally, this is my first experience with Channel 9. They don't ask you to prepare anything; rather, they just stop by and tape you talking about something. Having gotten used to talking to a slide deck, it was a bit, well, interesting. Probably better that it wasn't scripted. When Michael, Dave, and I did a “live” threat modeling session on a web application that we had never seen before and with no script, audience feedback suggested that they got more out of it than when we script it. I guess that makes sense, though, since it's closer to reality than something contrived or prepared in advance (which wouldn't have any of the hiccups that occur naturally in the process).

This posting is provided "AS IS" with no warranties, and confers no rights.

Introduction

2004-07-01T18:15:00Z

Now that I've posted something, it is probably worth introducing who I am. My name is Frank Swiderski, and I've been with Microsoft for about two years now. Prior to that, I worked for the security consulting firm @stake, Inc. For the past four years, I've worked in commercial software security. This includes your standard security auditing and design sorts of activities: penetration testing, code review, tool creation, of course threat modeling, and so on. Before @stake, I was employed by the Department of Defense (both as a civilian and a contractor) for about three years, where I also did some security work.

If my name is at all familiar, it could be because:

You used @stake WebProxy 1.0 (I was the primary developer on this).
You've tried out the Threat Modeling Tool from the downloads area at microsoft.com (I was also the developer on this).
You ordered the Threat Modeling book from MSPress (I was co-author).
You've seen my very unfortunate page on the Texas A&M OS/2 users' group web site (http://os2www.tamu.edu/os2/systems/frank.html). I really wish someone would take that down. :)

That's the summary. The bits and pieces can be filled in with google or a small bit of social engineering work.

This posting is provided "AS IS" with no warranties, and confers no rights.

Updated Threat Modeling Tool at MSDN

2004-06-29T20:47:00Z

We've posted an updated Threat Modeling Tool at MSDN that addresses a few bugs. You can download it at: http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en

Thanks to BobB for his assisstance. Basically, this addresses several unhandled exceptions that resulted in the tool crashing at some rather inconvenient times. (Okay, not that there are convenient times for a tool to crash.)

Some notes on the tool:

We released it mostly because it is a useful way of organizing the data collected during threat modeling. Since it is not formally supported externally, I (and a few other contributors) fix bugs and add features also informally. So I'm hoping not to get a barrage of bug reports, but I will do my best to find time to address serious issues.
Note that it works best (DFD-wise) if you have Visio 11 installed. Visio 11 has a drawing control that you can embed in other applications (which is exactly what the TM tool does). This is a much easier way of integrating DFDs in to the threat model.
If you want to print from the tool, the best way to do it is to use the Preview button. This applies the default XSLT (configurable in Tools->Config) to the threat model and displays it in an IE control. You can right-click in this control and select print to print directly.
The threat model document, if you haven't taken a look, is XML. (Visio diagrams are stored in BASE64 blobs, though, and not in their XML format.) So, you can customize the report format if you like playing with XSLTs. The XSLTs that come with it are fairly basic, but show some ways of presenting the document.
The sample document for the tool is in the tool's install directory, and is for “Fabrikam Phone 1.0.” This is basically the same as one of the samples in the threat modeling book (http://www.microsoft.com/MSPress/books/6892.asp). Note that the DFDs are in Visio, so you won't see them if you don't have it installed. The sample is intended to show threat modeling concepts without being specific to any software type or technology.

This posting is provided "AS IS" with no warranties, and confers no rights.