Tracking the Password Thieves 112
wiredog writes "From The Washington Post, yet another story about phishers, keyloggers, and viruses. The story is nothing new, but the author has a blog where he describes how he gathered the information that went into the story. Information including the locations of the victims, and the ISPs likeliest to be hit.
Some of the victims included "an engineer for the Architect of the Capitol" and a man who "works in computer security for IBM." One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)" A compromised machine was also found in "the new accounts department at Bank of America" (Score!)"
Re:What exactly were they doing or not doing? (Score:1, Informative)
The summary says that a machine was compromised at the Bank of America, though from my reading it seemed to just say at a bank. I happen to have some insight into Bank of America specifically. They run firewalls and configure IP access limitations on machines and run and expensive intrusion protection system that searches for this type of thing on their network. None of those, however, will stop a user from bringing an infected MP3 player into work, or in some cases installing software on their workstation. The real question is, did all of these people lose data and how quickly was it detected and shut down? Did the compromise spread?
Aside from that, implementing measures to make sure hosts aren't compromised in the first place is a good idea, but realistically these people are running Windows and the OS simply does not have the security needed to prevent malware from hitting the box and taking over in the first place.
Re:Trojan != Virus (Score:2, Informative)
Re:ISPs most likely to be hit (Score:3, Informative)
Submarine one: "We are sinking because we are the most popular submarine.
Submarine two: "uh, guy.. Try shutting your hatch"
Re:What exactly were they doing or not doing? (Score:3, Informative)
*Often, the software uses your copy of outlook to hit other people in your address book. Consequently, the infected messages often come from a trusted source - bypassing spam filters as well as the recipients normal level of suspicion.
*The messages often mirror a terse business communication ie, "Please review and respond" along with a safe looking file name. These are no longer the "click here for nude pictures" e-mails, but good impersonations of day-to-day business correspondance.
I think of a friend of mine who kept birds. Her boyfriend got her a cat (she was a big animal fan) and she figured she could keep both in her apartment as long as the birds were in a room with a door to it. Her plan was to close the door every day before she went to work so the cat couldn't get in there when she was out. Of course, she had several things she had to do every morning before going to work and the cat had only one thing to pay attention to - did she leave the door open today? Eventually, she was in a rush one morning and came home to find the door open to the bird's room but no bird.
And yep, having Windows and MS Office was the canary to the hacker's cat.
Re:What exactly were they doing or not doing? (Score:2, Informative)
First of all, recognize that botnet malware evolves at a pace in which it is rather difficult for the antivirus vendors to keep up with. All it takes is a download of phatbot, a little code hacking to ensure it is just perfect for your uses, and then you run it through a packer. You won't preserve the same md5sum of course once your binary is customized, so the only other way that the sample can be detected is some more advanced techniques. (API hooking, entropy scanners, or looking for certain assembly sequence patterns). I'm not sure what the default scanning behavior of most AV scanners is, but they might not utilize such hardcore tests on every file in your system.
Secondly, most botnets run over port 6667, so even if you were running a firewall, you would need to have one that blocked the default IRC port by default. If this is unlikely for the majority of firewalls out there, also recognize that many newer IRC bots are relying more heavily on http command and control mechanisms. That is, they no longer communicate over IRC, and instead resort to making web posts to communicate with the hacker. Being port 80 based, suddenly its not so detectable amongst the stream of internet web traffic.
As for infection trajectories, also recognize that many infections today are indeed user error, whether it be an email attachment or downloading some videogame crack off of some site. The zero day exploits contribute to the problem as well.