Crimeware

Book Description

“This book is the most current and comprehensive analysis of the state of Internet security threats right now. The review of current issues and predictions about problems years away are critical for truly understanding crimeware. Every concerned person should have a copy and use it for reference.”

—Garth Bruen, Project KnujOn Designer

There’s a new breed of online predators—serious criminals intent on stealing big bucks and top-secret information—and their weapons of choice are a dangerous array of tools called “crimeware.” With an ever-growing number of companies, organizations, and individuals turning to the Internet to get things done, there’s an urgent need to understand and prevent these online threats.

Crimeware: Understanding New Attacks and Defenses will help security professionals, technical managers, students, and researchers understand and prevent specific crimeware threats. This book guides you through the essential security principles, techniques, and countermeasures to keep you one step ahead of the criminals, regardless of evolving technology and tactics. Security experts Markus Jakobsson and Zulfikar Ramzan have brought together chapter contributors who are among the best and the brightest in the security industry. Together, they will help you understand how crimeware works, how to identify it, and how to prevent future attacks before your company’s valuable information falls into the wrong hands. In self-contained chapters that go into varying degrees of depth, the book provides a thorough overview of crimeware, including not only concepts prevalent in the wild, but also ideas that so far have only been seen inside the laboratory.

With this book, you will:

  • Understand current and emerging security threats including rootkits, bot networks, spyware, adware, and click fraud

  • Recognize the interaction between various crimeware threats

  • Gain awareness of the social, political, and legal implications of these threats

  • Learn valuable countermeasures to stop crimeware in its tracks, now and in the future

  • Acquire insight into future security trends and threats, and create an effective defense plan

With contributions by Gary McGraw, Andrew Tanenbaum, Dave Cole, Oliver Friedrichs, Peter Ferrie, and others.

    Table of Contents

    1. CONTENTS
    2. PREFACE
    3. ABOUT THE AUTHORS
    4. 1 Overview of Crimeware
      1. 1.1 Introduction
        1. 1.1.1 Theft of Sensitive Information
        2. 1.1.2 Crimeware and Its Scope
        3. 1.1.3 Crimeware Propagation
      2. 1.2 Prevalence of Crimeware
      3. 1.3 Crimeware Threat Model and Taxonomy
      4. 1.4 A Crimeware Menagerie
        1. 1.4.1 Keyloggers and Screenscrapers
        2. 1.4.2 Email and Instant Messaging Redirectors
        3. 1.4.3 Session Hijackers
        4. 1.4.4 Web Trojans
        5. 1.4.5 Transaction Generators
        6. 1.4.6 System Reconfiguration Attacks
        7. 1.4.7 Data Theft
        8. 1.4.8 Man-in-the-Middle Attacks
        9. 1.4.9 Rootkits
      5. 1.5 Crimeware Distribution
        1. 1.5.1 Attachment
        2. 1.5.2 Peer-to-Peer Networks
        3. 1.5.3 Piggybacking
        4. 1.5.4 Internet Worms
        5. 1.5.5 Web Browser Exploits
        6. 1.5.6 Server Compromise
        7. 1.5.7 Affiliate Marketing
      6. 1.6 Infection and Compromise Points, Chokepoints, and Countermeasures
      7. 1.7 Crimeware Installation
      8. 1.8 Crimeware Usage
        1. 1.8.1 Information Compromise
        2. 1.8.2 Spam Transmission
        3. 1.8.3 Denial-of-Service Attacks
        4. 1.8.4 Click Fraud
        5. 1.8.5 Data Ransoming
        6. 1.8.6 Information Consolidation
      9. 1.9 Organizing Principles for the Remainder of This Text
    5. 2 A Taxonomy of Coding Errors
      1. 2.1 The Trinity of Trouble
        1. 2.1.1 Connectivity
        2. 2.1.2 Complexity
        3. 2.1.3 Extensibility
      2. 2.2 The Seven Pernicious Kingdoms
        1. 2.2.1 On Simplicity: Seven Plus or Minus Two
      3. 2.3 The Phyla
      4. 2.4 More Phyla Needed
        1. 2.4.1 A Complete Example
        2. 2.4.2 Go Forth (with the Taxonomy) and Prosper
    6. 3 Crimeware and Peer-to-Peer Networks
      1. 3.1 Malware in Peer-to-Peer Networks
        1. 3.1.1 Introduction
        2. 3.1.2 Data Collection
        3. 3.1.3 Malware Prevalence
        4. 3.1.4 Filtering Malware
        5. 3.1.5 Single-Criterion Filters
        6. 3.1.6 Single-Criterion Filters Across Networks
        7. 3.1.7 Composite Filters
      2. 3.2 Human-Propagated Crimeware
        1. 3.2.1 The Problem
        2. 3.2.2 Infection Vectors
        3. 3.2.3 Case Study: Signed Applets
    7. 4 Crimeware in Small Devices
      1. 4.1 Propagation Through USB Drives
        1. 4.1.1 Example: Stealing Windows Passwords
        2. 4.1.2 Example: Let’s Go Further
        3. 4.1.3 DMA Vulnerability
        4. 4.1.4 Gauging the Risk
        5. 4.1.5 Countermeasures
      2. 4.2 Radio Frequency ID Crimeware
        1. 4.2.1 Radio Frequency Identification
        2. 4.2.2 RFID Security Problems
        3. 4.2.3 Types of RFID Crimeware
        4. 4.2.4 Countermeasures and Other Considerations
      3. 4.3 Mobile Crimeware
    8. 5 Crimeware in Firmware
      1. 5.1 Propagation by Firmware Updates
        1. 5.1.1 Embedded Control Systems: Ubiquitous and Mutable
        2. 5.1.2 The Case of Home Wireless Access Points
        3. 5.1.3 Configuring and Upgrading Router Firmware
        4. 5.1.4 Standard Security Measures
        5. 5.1.5 Weak Security Configuration Is the Rule
        6. 5.1.6 Attacks
        7. 5.1.7 Attack Vectors
        8. 5.1.8 Countermeasures
      2. 5.2 Modeling WiFi Malware Epidemics
        1. 5.2.1 Basic Methodology
        2. 5.2.2 Roadmap
        3. 5.2.3 Infecting the Router
        4. 5.2.4 The Contagion Network
        5. 5.2.5 The Epidemic Model
        6. 5.2.6 The Spread of Synthetic Epidemics
        7. 5.2.7 Going Forward
    9. 6 Crimeware in the Browser
      1. 6.1 Transaction Generators: Rootkits for the Web
        1. 6.1.1 Building a Transaction Generator
        2. 6.1.2 Stealthy Transaction Generators
        3. 6.1.3 Countermeasures
      2. 6.2 Drive-By Pharming
        1. 6.2.1 The Drive-By Pharming Attack Flow
        2. 6.2.2 Prior Related Work
        3. 6.2.3 Attack Details
        4. 6.2.4 Additional Comments
        5. 6.2.5 Countermeasures
      3. 6.3 Using JavaScript to Commit Click Fraud
        1. 6.3.1 Terms and Definitions
        2. 6.3.2 Building Blocks
        3. 6.3.3 The Making of a Badvertisement
        4. 6.3.4 Hiding the Attack
        5. 6.3.5 Why Will Users Visit the Site?
        6. 6.3.6 Detecting and Preventing Abuse
        7. 6.3.7 Brief Economic Analysis
        8. 6.3.8 Implications
    10. 7 Bot Networks
      1. 7.1 Introduction
        1. 7.1.1 Challenges of Estimating the Botnet Problem
        2. 7.1.2 Botnet Size Metrics
      2. 7.2 Network-Oriented Features of Botnets
        1. 7.2.1 Characteristics of Botnet Communications
        2. 7.2.2 Communications Protocols
        3. 7.2.3 Network-Level Resilience
      3. 7.3 Software Features of Bots
        1. 7.3.1 General Software Features of Bots
        2. 7.3.2 Techniques for Staying Resilient
        3. 7.3.3 Applications of Botnets
      4. 7.4 Web Bots and the General Future of Botnets
        1. 7.4.1 Botnets 2.0: Browser-Based Bots
        2. 7.4.2 The Future of Botnets
      5. 7.5 Countermeasures
    11. 8 Rootkits
      1. 8.1 Introduction
      2. 8.2 Evolution of Rootkits
      3. 8.3 User-Mode Windows Rootkits
        1. 8.3.1 Loading the Rootkit into a Target Process
        2. 8.3.2 Modifying the Execution Path
      4. 8.4 Kernel-Mode Rootkit Techniques
        1. 8.4.1 Interrupt Descriptor Table Hooks
        2. 8.4.2 System Call Hooks
        3. 8.4.3 System Service Descriptor Table Hooks
        4. 8.4.4 Thread-Based SSDT Hooks
        5. 8.4.5 System Call Code Patching
        6. 8.4.6 Layered Drivers
        7. 8.4.7 IRP Patching
        8. 8.4.8 Direct Kernel Object Manipulation
        9. 8.4.9 Hiding Threads from the Scheduler
        10. 8.4.10 Redirecting Virtual Memory Access
        11. 8.4.11 Loading Kernel Drivers Without SCM
      5. 8.5 Linux Rootkits
        1. 8.5.1 Executable Replacement Rootkits
        2. 8.5.2 Loadable Kernel Module Rootkits
        3. 8.5.3 Runtime Kernel Patching Rootkits
        4. 8.5.4 VFS Rootkits
      6. 8.6 BIOS Rootkits
      7. 8.7 PCI Rootkits
      8. 8.8 Virtual Machine–Based Rootkits
        1. 8.8.1 Software-Based VMBRs
        2. 8.8.2 Hardware-Assisted VMBRs
      9. 8.9 Rootkit Defense
        1. 8.9.1 Rootkit Prevention
        2. 8.9.2 Rootkit Detection
    12. 9 Virtual Worlds and Fraud
      1. 9.1 Introduction
        1. 9.1.1 Fraud and Games
        2. 9.1.2 Cheating and Games
      2. 9.2 MMOGs as a Domain for Fraud
        1. 9.2.1 Functional Overview of MMOGs
        2. 9.2.2 Architectural Overview of MMOGs
      3. 9.3 Electronic Fraud
        1. 9.3.1 Phishing and Pharming
        2. 9.3.2 Misleading Applications
      4. 9.4 Fraud in MMOGs
        1. 9.4.1 An Extended Model of Security for MMOGs
        2. 9.4.2 Guidelines for MMOG Security
        3. 9.4.3 Countermeasures
    13. 10 Cybercrime and Politics
      1. 10.1 Domain Name Abuse
        1. 10.1.1 Background
        2. 10.1.2 Domain Speculation in the 2008 Federal Election
        3. 10.1.3 Domain Parking
        4. 10.1.4 Malicious Intent
      2. 10.2 Campaign-Targeted Phishing
        1. 10.2.1 Profit-Motivated Phishing
      3. 10.3 Malicious Code and Security Risks
        1. 10.3.1 Adware
        2. 10.3.2 Spyware
        3. 10.3.3 Malicious Code: Keyloggers and Crimeware
      4. 10.4 Denial-of-Service Attacks
      5. 10.5 Cognitive Election Hacking
      6. 10.6 Public Voter Information Sources: FEC Databases
      7. 10.7 Intercepting Voice Communications
    14. 11 Online Advertising Fraud
      1. 11.1 History
      2. 11.2 Revenue Models
        1. 11.2.1 Impression-Based Model
        2. 11.2.2 Click-Based Model
        3. 11.2.3 Action-Based Model
        4. 11.2.4 Syndication
        5. 11.2.5 Referral Deals
      3. 11.3 Types of Spam
        1. 11.3.1 Impression Spam
        2. 11.3.2 Click Spam
        3. 11.3.3 Conversion Spam
      4. 11.4 Forms of Attack
        1. 11.4.1 Human Clickers
        2. 11.4.2 Robotic Clicking
      5. 11.5 Countermeasures
        1. 11.5.1 Prevention
        2. 11.5.2 Detection
        3. 11.5.3 Containment
      6. 11.6 Click Fraud Auditing
        1. 11.6.1 Confidentiality of Signals
        2. 11.6.2 Data Limitations
        3. 11.6.3 Privacy
      7. 11.7 The Economics of Click Fraud
    15. 12 Crimeware Business Models
      1. 12.1 The Crimeware Business
        1. 12.1.1 Introduction
        2. 12.1.2 Adware
        3. 12.1.3 Spyware and Trojans
        4. 12.1.4 Bots and Botnets
      2. 12.2 A Closer Look at Adware
        1. 12.2.1 The Online Advertising Platform
        2. 12.2.2 The Malicious Side of Advertising
    16. 13 The Educational Aspect of Security
      1. 13.1 Why Education?
        1. 13.1.1 The Role of Education
        2. 13.1.2 Why Security Education Is Difficult
        3. 13.1.3 Some Existing Approaches
        4. 13.1.4 Some Problems with Practiced Approaches
        5. 13.1.5 Educational Goals
      2. 13.2 Case Study: A Cartoon Approach
    17. 14 Surreptitious Code and the Law
      1. 14.1 Introduction
      2. 14.2 The Characteristics of Surreptitious Code
        1. 14.2.1 Surreptitious Download, Installation, or Operation
        2. 14.2.2 Misrepresentation and Impersonation
        3. 14.2.3 Collection and Transmission of Personal Data
        4. 14.2.4 Interference with Computer Operation
        5. 14.2.5 Perseverance of Surreptitious Software
        6. 14.2.6 Other Burdens of Surreptitious Software
        7. 14.2.7 Exploitation of Intercepted Information
      3. 14.3 Primary Applicable Laws
        1. 14.3.1 The Computer Fraud and Abuse Act
        2. 14.3.2 The Federal Trade Commission Act
        3. 14.3.3 Trespass to Chattels
        4. 14.3.4 State Anti-Spyware Laws
      4. 14.4 Secondary Applicable Laws
        1. 14.4.1 The Electronic Communications Privacy Act
        2. 14.4.2 The CAN-SPAM Act
        3. 14.4.3 Intellectual Property Laws
        4. 14.4.4 Identity Theft and Fraud Laws
        5. 14.4.5 Pretexting Laws
        6. 14.4.6 State Theft Laws
    18. 15 Crimeware and Trusted Computing
      1. 15.1 Introduction
      2. 15.2 Anatomy of an Attack
      3. 15.3 Combating Crimeware with Trusted Computing
        1. 15.3.1 Integrity Measurement and Storage
        2. 15.3.2 Attestation
        3. 15.3.3 Protected Storage: Binding and Sealing
        4. 15.3.4 Secure Boot
        5. 15.3.5 Hardware-Enforced Isolation
        6. 15.3.6 Trusted Computing: A Panacea?
      4. 15.4 Case Studies
        1. 15.4.1 Securing Credit Card Transactions
        2. 15.4.2 Content Protection
    19. 16 Technical Defense Techniques
      1. 16.1 Case Study: Defense-in-Depth Against Spyware
        1. 16.1.1 Introduction
        2. 16.1.2 Packet Vaccines
        3. 16.1.3 AGIS
        4. 16.1.4 SpyShield
      2. 16.2 Crimeware-Resistant Authentication
        1. 16.2.1 Introduction
        2. 16.2.2 Crimeware Resistance of Existing Approaches
        3. 16.2.3 Preference-Based Life Questions
        4. 16.2.4 Characteristics of Good Life Questions
        5. 16.2.5 Finding Good Life Questions
        6. 16.2.6 Determining Error Rates
        7. 16.2.7 Questions and Their Entropies
      3. 16.3 Virtual Machines as a Crimeware Defense Mechanism
    20. 17 The Future of Crimeware
      1. 17.1 Crimeware, Terrorware, Vandalware, and Ransomware
      2. 17.2 New Applications and Platforms
        1. 17.2.1 Reputation Systems, Auction Sites, and Gambling Applications
        2. 17.2.2 Phones, Cars, and Wearable Computers
      3. 17.3 Using Social Networks to Bootstrap Attacks
      4. 17.4 New Use of the Internet: Controlling the Infrastructure
      5. 17.5 Moving Up the Stack
      6. 17.6 The Emergence of an E-Society: Are We Becoming More Vulnerable?
      7. 17.7 The Big Picture
    21. REFERENCES
    22. INDEX
      1. A
      2. B
      3. C
      4. D
      5. E
      6. F
      7. G
      8. H
      9. I
      10. J
      11. K
      12. L
      13. M
      14. N
      15. O
      16. P
      17. Q
      18. R
      19. S
      20. T
      21. U
      22. V
      23. W
      24. X
      25. Y
      26. Z