
The hacking problem just got worse. The defenders are losing the race to protect computer users. One of their great successes is summarized in the article “FBI seized Citadel banking Trojan servers”, which appeared on the internet site “The Hacker News, security in a serious way”. What makes this attack unique is that the sheer volume of infected end points allowed the collection of 500 million dollars in a little more than a year. The hackers’ network would penetrate end point users’ PCs and copy their bank account details, such as passwords, account numbers, and other details. The network comprised over 5 million end points, and taking down this network of contaminated computers, termed a botnet, required collaboration between Microsoft and the FBI. It is worth noting that Microsoft does not claim to have taken down the entire botnet, only that they “significantly disrupted the criminal operation”. In other words, we can assume that not all of the botnet was eliminated and that the damage was above 500 million dollars. It is the largest known single event that caused such direct losses, but can it be worse? What else is hidden in the depths of the WWW?

This event points out the importance of improving the defenses of end point users, particularly the protection of their critical information. In the following I will discuss the process by which hackers take over computing systems (endpoints), in the hope of helping to reduce the hackers’ success in attacks on the novice endpoint user.

i-HLS Israel Homeland Security


In the first phase of the attack the hacker uses a variety of means to get malware onto the targeted endpoint, allowing him to alter programs and download additional malware into the computer, deepening his control over the endpoint. He uses software that is new to the defenses of the endpoint and, as a result, is not recognized by them. He takes advantage of user errors and careless use that allow him to deceive the user into downloading software that may arrive via email or be presented on a site visited by the user. In other cases an employee may download malicious software that will allow the hacker to take control of a networked corporate computer. Hackers are willing to go far in attempts to take down a first endpoint in a network, which in turn will be used as a springboard to contaminate other endpoints, as a “trusted” source. After taking down one endpoint the hacker could take down the entire network.

After the penetration, the hacker completes the take-over by replacing the user’s defenses with his own customized defenses, which will prevent other hackers from getting in. The firewall is altered to allow free remote communication with, and control of, the endpoint by the hacker.
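A defender can catch this step by comparing the endpoint's current security state against a known-good baseline. The check below is an added example, not part of the original article; the snapshot format, service names and firewall rules are constructed for illustration and do not correspond to any product's export.

```python
from ipaddress import ip_network

# Constructed known-good snapshot of one endpoint (hypothetical format).
BASELINE = {
    "services": {"antivirus": "running", "host_firewall": "running"},
    "rules": [
        {"name": "rdp-admin", "dir": "in", "action": "allow", "src": "10.0.5.0/24"},
        {"name": "web-out", "dir": "out", "action": "allow", "src": "0.0.0.0/0"},
    ],
}
# Constructed snapshot after a takeover: a defense stopped, an unknown
# "protection" service installed, and the firewall opened to remote control.
CURRENT = {
    "services": {"antivirus": "stopped", "host_firewall": "running",
                 "sysguard": "running"},
    "rules": [
        {"name": "rdp-admin", "dir": "in", "action": "allow", "src": "0.0.0.0/0"},
        {"name": "web-out", "dir": "out", "action": "allow", "src": "0.0.0.0/0"},
        {"name": "updater", "dir": "in", "action": "allow", "src": "0.0.0.0/0"},
    ],
}

def audit(baseline, current):
    """Return sorted (finding, name) pairs for drift that matches a takeover."""
    findings = []
    # Defenses that were running in the baseline but are not running now.
    for name, state in baseline["services"].items():
        now = current["services"].get(name, "missing")
        if state == "running" and now != "running":
            findings.append(("defense-stopped", name))
    # Services absent from the baseline: possible replacement "defenses".
    for name in current["services"].keys() - baseline["services"].keys():
        findings.append(("unknown-service", name))
    # Inbound allow rules that are new, or whose source range was widened.
    known = {r["name"]: r for r in baseline["rules"]}
    for rule in current["rules"]:
        if rule["dir"] != "in" or rule["action"] != "allow":
            continue
        old = known.get(rule["name"])
        if old is None or old["action"] != "allow":
            findings.append(("new-inbound-allow", rule["name"]))
            continue
        old_src, new_src = ip_network(old["src"]), ip_network(rule["src"])
        if old_src != new_src and old_src.subnet_of(new_src):
            findings.append(("inbound-widened", rule["name"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(*finding)
```

The baseline is only useful if it is stored off the endpoint, since a hacker who controls the machine can rewrite anything kept on it.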

Key loggers and sophisticated deceptive software expose the passwords used to open the computer and related resources, communications with internet sites (such as banks or medical services…), and encryption codes. Screen captures, authentication pictures, the microphone and speaker, GPS, biometric means, and others are further sources of sensitive and critical data for the hacker to use.

At this point the hacker can send out the user’s critical information, such as IP (Intellectual Property), military secrets, medical data, business data, address lists, etc.

At this phase the hacker may send email, without the user’s knowledge, using the user’s mailing list, to unsuspecting recipients who assume that it comes from a “trusted” source. Every careless user’s computer is infected and becomes a part of the hacker’s network, the botnet.

At this stage the hacker sells his services to conduct DDoS attacks or send spam. Pay-per-click is a well-known use for such a botnet, in some cases bringing hundreds of thousands of dollars to the “renter’s” coffers. A new use is to mine bitcoins, the internet currency.

We may summarize the situation as follows: the design of legacy systems, with their complexity and usage requirements on one end, and the human factor (error-prone, careless, and sometimes malicious) on the other, lead to a state where computers are not defendable. There is a need to protect users even when their computer is infected with malware, but that is already another discussion.

By: Moti Barkan