Search Results for "myspace"

Koobface Worm Asks for Captcha

We discussed in a recent blog post how Google Reader has become an unwitting spam host. We now see the same behavior in a recent variant of Koobface, which uses a Google Reader page to host its link to the malware. Once the user clicks the Google link, a fake YouTube player window appears.

When the user tries to play the YouTube video, the webpage gets redirected to:

hxxp://www.hs-limmattal.ch/{blocked}/

which pretends to be a Facebook help center page that, in an ironic twist, explains how to protect against the Koobface worm!

The user is then asked to download a setup file that purports to be a free anti-virus scanner. The page claims the file is 32.39MB, but the file actually downloaded is only 40.5KB: a small dropper. The download doesn’t stop there. The dropper keeps fetching the many components that make up the worm, and it also checks for the latest copy of itself and downloads it as needed.

This variant of Koobface also harvests the cookies on the user’s machine and tries to send them to a remote server.

One more trick the malware uses is to get the user to break CAPTCHAs for it, and then use the solutions to register further Facebook accounts. The infected machine shows a CAPTCHA window together with a countdown that threatens to shut the machine down. Koobface does not actually shut the machine down when the countdown ends; instead the machine stays locked until the CAPTCHA is entered successfully.

After the user enters the CAPTCHA correctly, a JPEG image of the CAPTCHA is sent to the remote server.

The malware then polls the remote server for a response; once the response arrives, a new account is created. The attacker can use that account for spamming or for any other purpose. The same tactic is used against Twitter, MySpace, and hi5.

This method of account creation is cheap: dedicated CAPTCHA-solving operators will do the work for just a few cents.

This worm also steals email credentials, FTP credentials, and IM application credentials. The stolen data is encrypted and sent to the Trojan’s command-and-control server. The worm has also been seen redirecting users’ searches.

To unlock a locked machine, users can follow this process:

  • Press Ctrl+Alt+Del and open Task Manager
  • Select the Processes tab
  • Find RUNDLL32.exe in the list and end that process
  • Look for processes named rdr_xxxxxxxx and end those as well

These steps kill the malware processes running on the user’s machine and release the lock. Note that rundll32.exe is a legitimate Windows component; what makes this instance malicious is the DLL it has been told to load. Ending the processes only clears the lock, so the components the dropper downloaded still need to be cleaned up afterwards.
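As an added example (not part of the original post), the following Python script automates the triage above over a process listing. The records in it are constructed to look like `wmic process get Name,ProcessId,CommandLine /format:csv` output, which is an assumption about that tool’s shape rather than a captured sample; the eight-character `rdr_` name pattern, the trusted path roots, and the rule that a rundll32.exe loading a DLL from outside the Windows and Program Files directories is suspect are general heuristics, not indicators taken from the post. Because rundll32.exe is a legitimate binary, the script prints `taskkill` commands for a person to review rather than running them.

```python
"""Triage a Windows process listing for the Koobface clean-up steps above.

Added example, not part of the original post. SAMPLE_CSV is constructed in the
shape of 'wmic process get Name,ProcessId,CommandLine /format:csv' output (an
assumption about that tool, not a captured sample). The rdr_ name pattern, the
trusted roots and the 'DLL outside Windows/Program Files' rule for rundll32.exe
are general heuristics, not indicators taken from the post.
"""
import csv
import io
import re

# Constructed sample: one benign rundll32 (Control Panel applet from System32),
# one loading a DLL from %TEMP%, and one rdr_ process, plus ordinary noise.
SAMPLE_CSV = """\
Node,CommandLine,Name,ProcessId
PC1,C:\\Windows\\Explorer.EXE,explorer.exe,1234
PC1,"rundll32.exe ""C:\\Windows\\System32\\shell32.dll"",Control_RunDLL",rundll32.exe,2120
PC1,"rundll32.exe ""C:\\Users\\alice\\AppData\\Local\\Temp\\ld.dll"",Start",rundll32.exe,2348
PC1,C:\\Users\\alice\\AppData\\Local\\Temp\\rdr_0a1b2c3d.exe,rdr_0a1b2c3d.exe,2401
PC1,C:\\Program Files\\Internet Explorer\\iexplore.exe,iexplore.exe,2600
"""

# The post only says rdr_xxxxxxxx; eight alphanumerics is an assumption.
RDR_NAME = re.compile(r"^rdr_\w{8}(\.exe)?$", re.IGNORECASE)
# rundll32 command lines look like:  rundll32.exe "<dll path>",<entry point>
RUNDLL_TARGET = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)
# Assumed trusted locations; Temp, AppData and the rest of C:\Users are user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


def is_trusted(path: str) -> bool:
    """True if the DLL lives under a root only an administrator can write to."""
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(csv_text: str) -> list[tuple[int, str, str]]:
    """Return (pid, name, reason) for the processes the clean-up steps point at."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid, name, cmd = int(row["ProcessId"]), row["Name"], row["CommandLine"] or ""
        if RDR_NAME.match(name):
            findings.append((pid, name, "rdr_ process name"))
            continue
        if name.lower() == "rundll32.exe":
            m = RUNDLL_TARGET.match(cmd)
            dll = m.group(1) if m else "<unknown>"
            if not is_trusted(dll):          # legitimate rundll32 instances are skipped
                findings.append((pid, name, f"rundll32 loading {dll}"))
    return findings


def kill_commands(findings) -> list[str]:
    """taskkill lines for a human to review; nothing here executes them."""
    return [f"taskkill /PID {pid} /F" for pid, _, _ in findings]


if __name__ == "__main__":
    found = triage(SAMPLE_CSV)
    for pid, name, reason in found:
        print(f"{pid:>6}  {name:<20} {reason}")
    print("\n".join(kill_commands(found)))
```

On a real machine you would feed the script the output of the `wmic` query (or of `Get-Process` with command lines) instead of the constructed sample; the shell32.dll entry shows why the command line, not the process name, has to be the deciding factor.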

McAfee Labs reminds users not to click on YouTube links from unknown sources and not to accept requests from unknown users!

Private Jet-Set Network Hacked

We hear a lot about cybercrime on Facebook or MySpace, but do you know ASmallWorld? It is a private international community for the jet-set crowd and the culturally influential.

Yesterday the French police (OCLCTIC), accompanied by FBI agents, arrested two French residents suspected of hacking this social-network platform for the worldwide upper crust. They allegedly attempted to extort US$1 million from the site’s operators in exchange for not divulging the stolen data.

Two years ago, a paper named “Asmallworld.net: we have hacked the smartest worldwide website” made some noise in France.

Whether you mingle with the jet set or in other circles, be careful when you share information on your favorite social network platform!

Q2 Threats Report Released–It’s All About Botnets and Spam

Today we released our Q2 Threats Report. Some old trends have continued, some new trends and threats have been established, and some old “friends” have even outdone themselves. Spam volumes have increased 141 percent since March, continuing the longest streak of increasing spam volumes we have ever recorded. We also highlight the dramatic expansion of botnets and the threat from AutoRun malware.

More than 14 million computers have been enslaved by cybercriminal botnets, a 16 percent increase over last quarter’s rise. The report confirmed our first-quarter prediction that the surge in botnet growth would send spam levels to new heights, surpassing their previous peak in October 2008, before the takedown of the spam-hosting ISP McColo.

Our researchers also found that over the course of 30 days AutoRun malware had affected more than 27 million files. AutoRun malware, which abuses Windows’ AutoRun feature, needs no user click to run and is most often spread through USB sticks and other portable storage devices. Its detection rate surpasses even that of the infamous Conficker worm by 400 percent, making AutoRun one of the most prevalent pieces of malware in the world.

Some of the other areas we cover and discuss:

Cybercrime as a Service
As the number of botnets continues to grow, malware writers have begun to offer malicious software as a service to those who control the bots. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences almost instantly. Programs like Zeus, an easy-to-use Trojan-building kit, make the creation and management of malware easier still.

Cybercriminals Target Twitter, Social Networks
Twitter’s growth in popularity has made it a new target for cybercriminals in the last three months. Malware like the “Mikeey” worm and new variations of the Koobface Trojan attack users through tweets and shortened URLs. Spam Twitter accounts are becoming increasingly prevalent. Twitter administrative accounts have also been hacked on multiple occasions, giving cybercriminals access to the private accounts of celebrities and politicians such as Britney Spears and Barack Obama, and even allowing the publication of sensitive internal strategy documents on the web. Facebook and MySpace remain strong attack vectors for cybercriminals. In May, spam messages on social networks pointed users to more than 4,000 new Koobface binaries!

To view the McAfee Q2 Threats Report, go here.

Sex the Bait in Mass Orkut Compromise

With the advent of Web 2.0, social networking websites have become an easy target for online fraud and identity scams. Lately we have seen Twitter used to phish for personal information, as well as MySpace scams and Facebook spam.

Orkut is perhaps the most popular and widely used social networking website in India, which accounts for more than 15 percent of its traffic. Phishers have come up with an elegant way to social-engineer Orkut’s less tech-savvy users: they have updated the profiles of several thousand compromised Orkut accounts so that they now link to various phishing websites, which lure visiting users into divulging their personal information.

Several of the phishing websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring thousands of Orkut users into entering their credentials into the fake login form. The attackers use the harvested credentials to gather further personal information for monetary gain.


We have observed scores of websites used in this phishing campaign. Here are a few of them:

  • http://orkutsexlogi[blocked].tk
  • http://s3x[blocked].kilu.de
  • http://orkutst[blocked].tk
  • http://album[blocked].kilu.de
  • http://priya[blocked].freehostia.com

If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

Cybercrime, Online Threats, and the Recession

As the recession continues and unemployment rises, we expect the top cybercrime trend for 2009 to be the continued exploitation of the financial crisis: scams built around fake financial-transaction services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams coinciding with major workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets (networks of zombie computers) that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack through web browsers, which are the least-protected and therefore the easiest path for delivering malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

Cracking CAPTCHA: Another Russian Business

We’ve already written about CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the mechanism used to protect web sites, forums, and mailing systems against the automatic creation of accounts and contents. As my colleague Tad Heppner wrote in his November 2007 post, most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer-based optical character recognition or other image-recognition systems.

It should come as no surprise, however, that spammers continue to try to crack CAPTCHA. We’ve now seen a new version of a professional spammer tool on the web. XRumer 5 sells for $520 and promises advanced CAPTCHA decoding methods.

For a long time spammers have sought to defeat CAPTCHA mechanisms in order to create fake email accounts for sending spam. Before telling you more about this new crooked utility, let’s review some older techniques spammers use.

As the following image (source: XMCO) shows, the most common CAPTCHA schemes can be broken.

The first method of cracking is manual. Workers in developing countries offer the service, and the competition is intense. On some dedicated forums, offers pour in from Vietnam or Bangladesh, claiming that large teams are ready to work 24 hours a day to process hundreds of thousands of CAPTCHAs. Rates range from $8 down to $1 per 1,000 CAPTCHAs.

A less expensive solution is to get private individuals to do the work free of charge. I am sure some readers remember the unusual offer in which it was possible to undress “Melissa” in exchange for solving some CAPTCHAs. This allowed a spammer to create fake Yahoo Mail accounts.

Free web services also exist. The CAPTCHA Killer website offers one. Its designer claims the offer “is 100% focused on increasing accessibility on the Internet” for the “1 Million Americans that suffer from blindness.” The service exposes an API to automate the process. I was not surprised, however, to read a note on that site saying they had been notified that using CAPTCHA Killer with MySpace was against the latter’s Terms of Service.

A more technical approach uses what the underground calls rainbow tables (lookup tables, by analogy with password rainbow tables), in which each CAPTCHA image is associated with its character string. In March 2008, someone nicknamed Maluc published PHP scripts to download, extract, and save thousands of CAPTCHA images from Yahoo, Google, and Hotmail. Each collection helps spammers build new recognition tables or verify the accuracy of their OCR algorithms. When an image is already in the table, only a millisecond is needed to compare its fingerprint with the ones in the database. Algorithms that go further, suppressing the noise, converting the image to black and white, segmenting it (one letter per segment), and identifying each character, sell for between $1,500 and $5,000.

A programmer called Wangrun in the Chinese province of Anhui says he developed software to decode CAPTCHA systems. Depending on the complexity of the CAPTCHA image, he charges between $500 and $6,000 per decoder. No price is quoted for the most difficult images but, in a comment, he writes it is feasible. Wangrun declines to say what his customers use the decoders for, but says he has “very many” of them.

Spammers can also use zombie machines to help them crack CAPTCHAs. We read on the Virus Bulletin website that the compromised systems making up a large botnet were recently used to help register Windows Live Mail accounts. When the bot (detected by VirusScan as Generix.dx) requested registration, it received a CAPTCHA and immediately passed the image to a central server, which attempted to decode it and returned the result. The decoding succeeded only around 35 percent of the time, VB said, but a new idea had been launched: with large numbers of infected systems making repeated attempts, a high number of new spam accounts were very likely created.

Finally, turnkey tools are another way to defeat CAPTCHA defenses, and XRumer 5 is one of them. It can flood forums, guestbooks, blogs, wikis, etc. with messages and links. It automatically finds and fills in the required fields with no need for a browser. If the forum requires registration, the program registers, logs in, and posts the spammer’s text. XRumer gets past JavaScript protection, pictocode protection (typing a number displayed in a box), and protection by email activation. If a CAPTCHA image is detected, the program automatically downloads it, analyzes it, and fills in the form.

Version 5 works on most recent versions of popular forum engines such as vBulletin, IPB, and phpBB, according to its creator. XRumer can also create accounts on gmail.com for posting. And its customers seem happy. One of them wrote last week on a forum: “all that for only $500? It’s very cheap! I’d easily charge 2k for that. Solving gmail captcha is no joke. I paid 4k just for that from an OCR developer. …”

XRumer is also able to solve the “pick the cat” CAPTCHAs shown in the picture below.

On October 3, XRumer’s maker explained that he had analyzed many forums and discovered that most CAPTCHAs of this type use identical pictures, so XRumer can tell them apart simply by their size in bytes. He concludes: “It’s so easy, isn’t it? Oh, they can make some distortion on images? Well, we have a time to improve our algorithm. We analyze forums, blogs, guestbooks permanently, and there is one important thing: that type of captchas used not more than 0,01% of resources (1 of 10,000 sites).”
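The “rainbow table” technique described earlier and the byte-size trick XRumer’s maker describes for the “pick the cat” CAPTCHAs are the same idea: a site that serves challenges from a fixed pool of pre-rendered images can be solved by fingerprinting the image rather than recognizing it. The Python below is an added example, not code from the post or from any tool it names. The “images” are constructed byte strings standing in for PNG files, and the randomized server is a stand-in for re-rendering each challenge with fresh distortion; both are assumptions made for the demonstration.

```python
"""Fingerprint lookup against a fixed pool of CAPTCHA images.

Added example, not code from the post or from XRumer. The 'images' are
constructed byte strings standing in for PNG files; a real table would be
built from images scraped from the target site, as the post describes.
"""
import hashlib
import os
from typing import Callable, Optional


def fingerprint(image: bytes) -> tuple[int, str]:
    """Cheap fingerprint: (size in bytes, SHA-256). XRumer's author describes
    using size alone; the hash settles cases where two images share a size."""
    return len(image), hashlib.sha256(image).hexdigest()


class CaptchaTable:
    """Known images -> known answers: the post's 'rainbow table'."""

    def __init__(self) -> None:
        self._by_hash: dict[str, str] = {}
        self._by_size: dict[int, set[str]] = {}

    def learn(self, image: bytes, answer: str) -> None:
        size, digest = fingerprint(image)
        self._by_hash[digest] = answer
        self._by_size.setdefault(size, set()).add(answer)

    def solve(self, image: bytes) -> Optional[str]:
        """Exact match first; otherwise accept a byte size that identifies
        exactly one known image (the size-only trick). No OCR anywhere."""
        size, digest = fingerprint(image)
        if digest in self._by_hash:
            return self._by_hash[digest]
        candidates = self._by_size.get(size, set())
        return next(iter(candidates)) if len(candidates) == 1 else None


# Constructed stand-ins for a site's pre-rendered "pick the cat" pool.
POOL = {
    b"PNG-cat-picture-000000": "cat",
    b"PNG-dog-picture-0000": "dog",
    b"PNG-bird-picture-00": "bird",
}


def serve_static(answer: str) -> bytes:
    """Weak server: the same bytes every time a given picture is shown."""
    return next(img for img, a in POOL.items() if a == answer)


def serve_randomized(answer: str) -> bytes:
    """Hardened server (stand-in): random bytes of random length are appended
    per request, so neither size nor hash is stable between requests. A real
    site would re-render the image with fresh distortion instead."""
    noise = os.urandom(1 + os.urandom(1)[0] % 8)
    return serve_static(answer) + b"|noise|" + noise


def build_table() -> CaptchaTable:
    """The attacker's scrape-and-label step, done once per target site."""
    table = CaptchaTable()
    for img, answer in POOL.items():
        table.learn(img, answer)
    return table


def solve_rate(serve: Callable[[str], bytes], table: CaptchaTable, trials: int = 60) -> float:
    """Fraction of served challenges the table solves correctly."""
    answers = list(POOL.values())
    hits = sum(table.solve(serve(answers[i % len(answers)])) == answers[i % len(answers)]
               for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    table = build_table()
    print("fixed pool :", solve_rate(serve_static, table))      # 1.0
    print("randomized :", solve_rate(serve_randomized, table))  # 0.0
```

The hash lookup is the “one millisecond” comparison the post mentions; the size-only fallback only works while sizes in the pool are distinct, which is why the table keys on both. Note what randomizing buys and what it does not: it removes the free lookup, but a freshly distorted image can still be sent to the OCR or human-solver services described above, so per-challenge rendering only raises the attacker’s cost per account.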

Once again, we are reminded that malware is a business. And once again, my searches lead me to Russia, where criminals create and employ malicious software and engage in identity theft and virtual prostitution. The company or individual behind XRumer appears to be the same one that offered an automated sex-talk service called CyberLover.ru in 2007. One name returned by a whois request today is Alexander Ryabchenko. When the media pointed the finger at him in 2007, Ryabchenko emailed Reuters that he could not be accused of identity theft with the CyberLover concept, explaining that “the program can find no more information than the user is prepared to provide.”

If anyone should ask Ryabchenko why he commercializes XRumer, I suggest he repeat the CAPTCHA Killer web site argument: to help the million people suffering from blindness.

Threats that come along with SNS websites

1. SNS websites introduced
With the Web 2.0 trend, Social Networking Service (SNS) websites have become very popular; Facebook and MySpace are the best-known examples.

You keep in touch with others through SNS websites and can find many friends there. Many people take part in small games, virtual applications and so on. These sites have millions of unique visitors per day and serve as platforms for sharing files, music, information and so on. The same platforms are also used to spread viruses and worms: if an attacker spreads a virus, Trojan or worm through an SNS website, a huge number of users can be infected in a short time, which could be disastrous.

In the following sections I will talk about the threats that come with SNS websites and how to reduce them.

2. How SNS websites lead to threats
Nowadays more attackers make use of SNS websites. Through a vulnerability in an SNS website they can easily build a zombie network, and they can use harvested private information for financial gain.

3. General attack methods
Attackers may use the following methods of attack:
a) Exploit a server vulnerability
For example: buffer overflows, weak passwords, database vulnerabilities and so on.
b) Exploit a script vulnerability
For example: SQL injection, cross-site scripting, file-upload flaws and so on. Cross-site scripting attacks are especially widely used: an XSS worm can harvest millions of users’ cookies in an hour and redirect millions of users to malware.
c) Exploit an ActiveX vulnerability
If an ActiveX control used by the site has a vulnerability, attackers are likely to target it. In general, attackers exploit ActiveX buffer-overflow vulnerabilities to install malware.
d) Social engineering
It is well known that users of SNS websites trust each other, so social-engineering techniques work well on SNS sites.
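The cross-site-scripting point under b) is worth seeing concretely. The Python below is an added example, not code from the post or from any site it mentions: a naive blocklist filter of the kind profile sites used to ship, next to plain output escaping, each run against three constructed payloads (not the MySpace worm’s actual code) through a small parser that asks whether the resulting markup would reach the browser as script. Sites that must allow some user HTML, as MySpace profiles did, need an allowlist-based sanitizer; escaping is the right default for everything else.

```python
"""Blocklist filtering versus output escaping for user-supplied profile content.

Added example, not from the original post. The payloads below are constructed
to show the general weakness of blocklists; they are not the MySpace worm.
"""
import html
import re
from html.parser import HTMLParser

# A naive blocklist of the kind profile sites shipped: strip a few dangerous
# tokens and hope nothing else gets through.
_BLOCKED = re.compile(r"<script|javascript:|onload=|onerror=", re.IGNORECASE)


def blocklist_filter(profile_html: str) -> str:
    """'Sanitize' by deleting blocked tokens. Deleting (rather than rejecting)
    is what lets a payload reassemble itself once a token is cut out."""
    return _BLOCKED.sub("", profile_html)


def escape_output(profile_text: str) -> str:
    """Treat the content as text: <, >, &, and quotes become entities, so
    nothing the user wrote can be parsed as a tag or attribute."""
    return html.escape(profile_text, quote=True)


class _ScriptSniffer(HTMLParser):
    """Minimal stand-in for 'would the browser execute this?': flags a <script>
    tag, any on* event-handler attribute, or a javascript: URL in an attribute.
    HTMLParser decodes entities inside attribute values, as browsers do, so
    'java&#115;cript:' is seen as 'javascript:'; entities in text stay text."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found = True
        for name, value in attrs:
            if name.startswith("on"):
                self.found = True
            if value and re.sub(r"\s", "", value).lower().startswith("javascript:"):
                self.found = True


def renders_script(markup: str) -> bool:
    sniffer = _ScriptSniffer()
    sniffer.feed(markup)
    sniffer.close()
    return sniffer.found


# Constructed payloads, one per blocklist weakness.
PAYLOADS = [
    # Deleting '<script' once leaves a fresh '<script>' behind.
    "<scr<scriptipt>alert(1)</script>",
    # Whitespace before '=' is legal HTML but is not in the blocklist.
    "<img src=x onerror =alert(1)>",
    # The entity-encoded scheme is decoded by the browser, not by the filter.
    '<a href="java&#115;cript:alert(1)">profile</a>',
]


def compare(payloads=PAYLOADS) -> dict:
    """For each payload: (script survives the blocklist?, script survives escaping?)."""
    return {
        p: (renders_script(blocklist_filter(p)), renders_script(escape_output(p)))
        for p in payloads
    }


if __name__ == "__main__":
    for payload, (after_blocklist, after_escape) in compare().items():
        print(f"{payload!r}\n  blocklist lets script through: {after_blocklist}"
              f"\n  escaping lets script through:  {after_escape}")
```

Each payload defeats the blocklist in a different way (token reassembly, a syntax variant the pattern does not cover, and encoding the browser decodes later), and none of them survives escaping, because escaping changes the meaning of the characters instead of guessing at dangerous strings.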

4. Attack cases
a) Facebook and MySpace have had ActiveX-related vulnerabilities in the past.
b) In 2006, MySpace was hit by an XSS worm that spread through a malicious QuickTime video.

This is not a phishing site. Now, be a good victim and enter your login credentials in the form!

A few days ago I was browsing a forum and read a message from someone saying that he had received a strange link from one of his MSN contacts, of the following form:

http://[MSN_login].flatl1n[removed].info

This domain hosts a webpage asking for MSN logins and passwords and pointing to another webpage asking for ICQ login credentials.

But let’s examine this page in detail, starting with the “Terms of Use”:

“Terms of Use / Privacy Policy:

By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcomming Messenger Community Site.
You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.
By using our service/website you hereby fully authorize TST Management, Inc to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination
of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.”

Oh well, that reminds me how powerful social engineering is…
The victim received this URL from what appeared to be one of his MSN contacts, and it is unlikely he will spend a few minutes reading those lines. So I agree that everything the attackers do is published in the Privacy Policy, but I disagree when they say they don’t “trick” people into giving up their login credentials: they use social-engineering attacks to get users’ passwords. This is dishonest, and this is a phishing scam!!

Now, here is the funny part of the “Terms of Use”:

“This is a free service. You will not be asked to pay at any time.
You will not be subscribed to anything asking for payment.
This service is made possible by many hours of human effort.

TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.”

So ironic…
And the last part, the one that aroused my curiosity:

“You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 TST Management, Inc”

I wondered whether this website was actually hosted in the Republic of Panama, but a whois of the domain told me that the IP address is in fact located in Hong Kong.

The Reverse IP field says that 32 other sites are hosted on this server (210.56.53.224).
We can also see that “TST Management, Inc” (the registrant of the domain) owns 412 other domains.
So I did a Google search and wasn’t surprised to find that they are apparently used for phishing scams!
“TST Management, Inc” seems to be another name for “Blue China Group Ltd”, the company that was sued by MySpace last year for mass spamming.

I managed to take a screenshot of the old “Mass Comment Poster” website that belonged to them.

We can see that the Terms of Use were very cynical there too!!

They also host what they present as a MySpace tracker (called “Stalker Tracker”), which is in fact another phishing website.

The website also displays another “typical” Privacy Policy stating:

We may temporarily access your MySpace account to do a combination
of the following:
1. Post bulletins to your friends promoting stalkertrack.com.
2. Post comments to your friends promoting stalkertrack.com.
3. Post a blog about our upcoming tracker for your friends to read.
4. Customize your blog header html with a clickable stalkertrack.com ad image.
5. Send a batch of blog invites on your behalf.
6. Send IM invites with a personalized stalkertrack.com message and/or image advertisement attached – to your friends and potential friends and other members.
7. Introduce new entertaining sites to your friends via comments, bulletins, and messages

And guess how they can do all that? Once again, just by using the login credentials entered in the form…

Last but not least, once the login credentials are submitted through the MSN/ICQ phishing pages, a PHP script is called to increment an online counter. Here are the statistics available at the moment.

This counter seems to track activity across all their phishing websites, not just a couple of them.

We can see that 92 people were on one of their phishing websites while I was looking at the statistics; there were 35,334 unique visitors yesterday, 284,746 visitors since the beginning of June, 3,616,516 visitors last month, and 7,031,582 visitors since the counter was created (in February/March 2008, according to the second screenshot).

Be vigilant about such IM messages and about websites marked “copyright” “Blue China Group, Ltd” or “TST Management, Inc”. Whatever such a website purports to be, it is certainly requesting your login credentials in a misleading way!!

‘Targeted Attack’ Mania

One of my roles at McAfee Avert Labs is to step back from the day-to-day attacks and look at the bigger picture: to review threat trends and forecast what’s to come. Some threats, such as web-feed attacks and IM attacks, are easily defined and quantified. Others turn out to be a little more abstract once you scratch the surface.

In recent years the infamous “targeted attack” has gained much media attention. We often heard about a “segment” of users being hit, such as Myspace or Facebook users. I recall snickering the first time I heard a report stating that “home users” were the most targeted of all. I suppose next we’ll hear that Internet users are the most targeted.

So what does the word targeted in targeted attack really mean? One could argue that anyone hit with an attack that was sent to him or her specifically (as in: the email message containing the virus was sent to your address) was the victim of a targeted attack, but that definition is far too broad, as the vast majority of all attacks would then count as targeted. I pondered the definition for a bit, trying to think of something simple yet concrete, and landed on the word discrimination. For me the key aspect of any targeted attack is that it must discriminate; otherwise the attack is either random or one of opportunity.

Consider Tom, a man who walks into a grocery store, and stops by the tomatoes. He gets the impulse to pick up a few of the mushy ones and hurls them at shoppers. Was this a targeted attack? I’m sure the headlines would read “XYZ Mart Shoppers Targeted by Tomato Mad Man,” but were they really? Those hit were simply in the wrong place at the wrong time; casualties of a random attack. Tom did not discriminate; he aimed for whoever was in proximity (if he aimed at all). If there happened to be five grandmothers nearby, this would still not have been a grandmother-targeted attack.

To bring this back to computer security, spammers often use massive address lists during campaigns. When spammers want to reach as many addresses as possible, they cast a wide net, sending messages to each address on the list–no discrimination, no targeted attack.

Consider a scenario in which an attacker discovers a flaw in Facebook. He may exploit that flaw to reach as many users as possible. Again, “Facebook users” were not targeted here, as there was no discrimination. The Facebook bug simply provided an opportunity.

Here’s a real-world example of a targeted attack. Select U.S. government contractors were sent email messages containing PowerPoint documents that exploited a vulnerability to install a remote-access Trojan on the victims’ systems. Here “select U.S. government contractors” were singled out; not “government contractors,” not “email users,” not “PowerPoint users,” and not “Microsoft” (maker of PowerPoint).

In my Facebook example one could argue that the Facebook company itself was targeted; someone had to discover and exploit a flaw in that scenario to get to the user base. However, in my targeted U.S. government contractors example, few would consider Microsoft the target of that attack. The PowerPoint vulnerability was simply the means to an end, providing an opportunity.

Let’s look at another type of attack.

Some publicized targeted attacks used personal information. Potential victims may receive an email message containing not only their names, but also places of business, and possibly their titles, addresses, or phone numbers. Does that make these attacks targeted? Not necessarily. Yes, these are context-aware or personalized attacks; but without discrimination, these should not be considered targeted.

Other attacks rely on applications typically used by a segment of the population, such as music or video players, or social-networking sites. Does this mean that segment is targeted? Those users may be at a greater risk of being attacked, but that does not make them targeted. Accordingly, malicious fake video codecs and the like do not necessarily target home users!

Why Target?
In an effort to keep this blog from getting too long, here’s a short list of why attackers might keep an attack targeted:

  • To keep a low profile for the malicious code (an effort to evade/delay malcode detection by flying under the radar)
  • To keep a low profile for the entity behind the attack (an effort to evade prosecution)
  • To minimize “casualties of war” (most attackers don’t really care if innocent bystanders get infected, but some small segment likely does).

Asking why and how a given attack was limited in scope helps determine whether the attack was indeed targeted.

What’s Really the Target?
Another litmus test when attempting to validate a targeted attack is to ask: What is really the target? If the answer is any and every username and password the attackers can get their hands on, then the attack is probably not targeted. We often hear about a bank being targeted in a massive phishing attack. Although such an attack may have been geared toward users of a single bank, one must ask why. Imagine how effective a single phishing campaign would be if a spammed email message listed dozens of banking sites and asked users to click the link for their own bank. If the attacker must limit the phishing messages to a single bank to make the lure plausible, that is a process of elimination, and elimination does not equal discrimination.

I can appreciate the challenge the media face when writing the headline for an attack that affects only a segment of users. It’s just unfortunate that the term targeted is so overused that estimates of the problem can greatly vary.

“Friendly Worms” Facing Friendly Fire

When a colleague pointed me at this article about some MS research on using worm techniques to distribute patches more efficiently, I had a moment of extreme déjà vu. After all, Fred Cohen was talking about beneficial uses of viruses in the mid-80s. But since then, we’ve had a number of attempts occur that prove the old adage that the road to hell is paved with good intentions.

Back in 2001 we saw CodeGreen attempt to locate and patch machines infected with the infamous CodeRed worm. In a variety of other cases, one piece of self-propagating code (a worm) has tried to patch backdoors or vulnerabilities, but usually as a self-preservation move against a rival author rather than for any altruistic purpose. Examples of this include the Linux Cheese worm and a variety of Bagle and Netsky variants that attempted to remove each other during the much-publicized “Virus Wars” of 2004.

The use of self-replicating code to fix other security problems has invariably proved to be a Bad Idea in the real world because we simply do not understand the epidemiology of the complex, heterogeneous universe we call the Internet. Rather than steal his thunder, I’d invite you to check out Igor Muttik’s talk on “Good Viruses” in the Research Revealed track at RSA this April 9th, if this topic interests you. Alternatively, check out Vesselin Bontchev’s paper on this subject here.

On the other hand, if you actually read the Microsoft research at http://research.microsoft.com/~milanv/, the author is really looking at how the epidemiology of good code versus bad code works. Given that most worms are Windows-based, and Microsoft, by definition, is providing the patches to block those worms that exploit vulnerabilities in its software, this is not irrelevant. While biological analogies to computer viruses are often dismissed, this is one area where a “computer epidemiology” discipline would be most welcome.

McAfee pushes something like a petabyte (PB) of DAT signatures out in a month, so I can’t even imagine how much bandwidth Microsoft consumes delivering patches to all the Windows machines on the planet. And given how little we really understand about how information flows between computers on the internet, there’s something to be said for advancing the science of information dissemination.

Unfortunately, what most researchers concentrate on is the spread of self-propagating worms exploiting services, like Slammer, Blaster, CodeRed, Witty and other high-profile, fast-spreading worms. Today, though, we’re much more likely to see a huge variety of fairly prosaic threats that rely as much on social engineering as exploits to propagate. And this is an area where there is painfully little research.

What are the different propagation rates for Web 2.0-based threats like the spate of MySpace or Facebook attacks over the last couple of years, versus any other web-based attack? How do regional idiosyncrasies like localized software vectors or the language of the social engineering affect threat propagation? How fast do patches or AV signatures need to be distributed to dampen the spread of threats propagating at different rates? How do different peer-to-peer (P2P) strategies compare to other mechanisms for “good code” dissemination? All of these are increasingly valid and relevant questions in the Wild West of today’s internet.
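The third question above, how fast a patch has to reach hosts to dampen a worm that spreads at a given rate, is the kind of thing even a toy epidemic model can make concrete. What follows is an added example written for this page; it is not code from the original post and not the Microsoft research the post discusses. It assumes a standard SIR-style compartmental model (susceptible, infected, removed) with homogeneous mixing, plus one extra term for unpatched hosts receiving the patch; the rate constants `beta`, `gamma` and the patch rates are made-up illustrative values, not measurements of any real worm.

```python
# Added example (not part of the original post, and not the Microsoft research
# it discusses): a toy SIR-style compartmental model of one worm spreading
# through a host population while a patch is pushed to that same population.
# The model form and every parameter value are assumptions chosen to illustrate
# the "how fast must patches flow" question, not measurements of a real worm.
import math
from dataclasses import dataclass


@dataclass
class Outcome:
    peak_infected: float   # largest fraction of hosts infected at any one time
    time_to_peak: float    # model time at which that peak occurred
    final_immune: float    # fraction patched, or cleaned and patched, at the end


def simulate(beta: float, gamma: float, patch_rate: float,
             i0: float = 1e-4, t_max: float = 50.0, dt: float = 0.01) -> Outcome:
    """Integrate the model with a forward Euler step.

    Fractions of the host population:
      s  susceptible (unpatched and not yet infected)
      i  infected and actively scanning
      r  removed: patched before infection, or cleaned and patched after it

    beta        successful infection contacts per infected host per unit time
    gamma       rate at which infected hosts are cleaned (signature plus patch)
    patch_rate  rate at which still-clean hosts receive the patch
    dt must be small compared with 1/beta, 1/gamma and 1/patch_rate, or the
    Euler step overshoots and fractions go negative.
    """
    s, i, r = 1.0 - i0, i0, 0.0
    peak, t_peak = i, 0.0
    for step in range(int(t_max / dt)):
        new_infections = beta * s * i * dt
        cleaned = gamma * i * dt
        patched = patch_rate * s * dt
        s -= new_infections + patched
        i += new_infections - cleaned
        r += cleaned + patched
        if i > peak:
            peak, t_peak = i, step * dt
    return Outcome(peak, t_peak, r)


def growth_window(beta: float, gamma: float, patch_rate: float) -> float:
    """Length of time during which the worm can still grow.

    Infections grow while beta * s > gamma. Patching alone shrinks the
    unpatched pool as s(t) ~ exp(-patch_rate * t), so that condition fails
    once t exceeds ln(beta / gamma) / patch_rate. With no patching the window
    never closes (as long as beta > gamma); with beta <= gamma there is no
    growth to begin with.
    """
    if beta <= gamma:
        return 0.0
    if patch_rate <= 0.0:
        return math.inf
    return math.log(beta / gamma) / patch_rate


def sweep(beta: float, gamma: float, patch_rates) -> dict:
    """Peak infected fraction for each patch rate, in the order given."""
    return {p: simulate(beta, gamma, p).peak_infected for p in patch_rates}


if __name__ == "__main__":
    BETA, GAMMA = 2.0, 0.5   # assumed values: R0 = beta / gamma = 4, a fast worm
    for p, peak in sweep(BETA, GAMMA, [0.0, 0.25, 0.5, 1.0, 2.0, 5.0]).items():
        print(f"patch rate {p:4.2f}  growth window {growth_window(BETA, GAMMA, p):6.2f}"
              f"  peak infected {peak:8.5f}")
```

The analytic takeaway is the growth window: the worm can only grow while the unpatched fraction exceeds gamma/beta, and pushing the patch out at rate p closes that window after about ln(beta/gamma)/p time units, so the patch rate has to be large compared with the worm's own net growth rate (beta minus gamma) for the peak to stay near the initial seed. Note that this homogeneous-mixing model is exactly the simplification the post warns about: real propagation runs over a heterogeneous Internet, so treat the numbers as a way to think about the question, not as predictions.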

Let’s just remember that there is no “beta” version of the internet we can experiment on at scale. ;-)