Where Are We and Where Are We Going 3: Ransom Trojans

Security guru Mikko Hypponen dwells here on the distribution scheme of ransom Trojans from an attacker’s perspective, and specifies the susceptibility of applications and browsers in the context of such attacks.

Ransom Trojans – a growing menace

One problem in particular, which has been growing just over the last months, is ransom Trojans. And ransom Trojans are, from the point of view of the victim, a really shitty problem, because if you get hit by credit card theft, it’s fairly transient: you will notice that there were extra charges on your credit card bill, and then you just call the bank or you call the credit card company and you will complain, and they will refund you. Or if you get hit by a banking Trojan, especially for home users, the banks will refund you, because they don’t want people moving away from online banking back to real-world banking – that just won’t work anymore.

But ransom Trojans are a different thing. Ransom Trojans will directly, permanently hurt the end user. Ransom Trojans, like most of today’s Windows malware, are being distributed through exploit kits like “Blackhole”.

“Blackhole”, manufactured and sold by Russians, going for around $2000 right now, is a turnkey solution. You buy the kit, you hack a website – SQL injection, PHP holes, what have you; and then you drop Blackhole onto that website, and there you go. Now anybody who visits that website gets a perfectly normal website, it looks and operates normally, but they get a series of exploits launched at them, and these exploits try to find a way in. They iterate through your operating systems, through your browsers, through your plug-ins, through your add-ons, and if you have anything which is unpatched or out of date, then they’ll launch an exploit against that.

Blackhole admin panel

What you see here is the admin interface for Blackhole (see image); this is what the administrator, or the criminal sees: the statistics on who has been visiting the website, with what operating system and how many of them were infected. The one thing that I find especially interesting in this user interface for the criminals is that they have enough guys buying Blackhole and using it for criminal purposes that it’s actually worth their while to run ads on the interface which is only seen by the criminals.

Blackhole statistics by exploits

So they have an ad network built into Blackhole, where they can show ads for the guys who are running it for criminal purposes. So this is a typical interface, this was found from a server that was running in Denmark, and as you can see from the statistics here, most of the visitors on this Danish website were infected because they had an out-of-date version of Java. 83% of the infected users were running Java, then an out-of-date Adobe PDF Reader plug-in for Adobe Reader 8 or Adobe Reader 9. Adobe Reader 10 is actually much better here. Or an outdated version of Flash. But Java continues to be one of the main mechanisms people get infected on their Windows computers, and is now increasing also on Mac OS X computers, where Java exploits are already becoming a bigger problem.

So, what to do? I always say: “Friends don’t let friends run Java. Get rid of Java!” That’s what I recommend. I got rid of Java almost 3 years ago and I haven’t looked back. Now there are some caveats here. I know some of you have to run Java applications. That’s ok. I’m talking about Java applets; in fact, I’m talking about the Java plug-in in the browser. Drop the plug-in from the browser and you won’t miss it; or if you miss it (I know some online banks that run Java, or there are some internal applications that require Java) – alright, then have a separate browser just for that. Have, I don’t know, Firefox which has the Java plug-in, and you only use it for the sites which need Java, the 2 or 3 sites that do. And for everything else you use another browser.
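A defender-side companion to the point made in the statistics above and in the advice just given, added here and not part of the talk: given web-proxy log lines, it picks out the clients whose Java runtime advertises a version below a baseline, i.e. the machines an exploit kit like Blackhole would find something to launch against. The log format, the sample lines and the baseline version are constructed assumptions.

```python
import re

# Constructed sample proxy log lines (client IP, URL, User-Agent); not real traffic.
# Requests made by the Java runtime itself advertise the JRE version in the User-Agent.
SAMPLE_LOG = """\
10.0.0.5 http://example.test/applet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26"
10.0.0.5 http://example.test/ "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
10.0.0.7 http://example.test/applet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_07"
10.0.0.9 http://example.test/app.jnlp "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_18"
10.0.0.9 http://example.test/applet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_18"
"""

# Assumed baseline (placeholder): anything older than this Java build is reported as exposed.
MIN_JAVA = (1, 7, 0, 7)

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')
JAVA_RE = re.compile(r'\bJava/(\d+)\.(\d+)\.(\d+)_(\d+)')

def parse_java_version(user_agent):
    """Return the Java runtime version in a User-Agent as a tuple, or None if absent."""
    m = JAVA_RE.search(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None

def outdated_java_clients(log_text, minimum=MIN_JAVA):
    """Map client IP -> oldest Java version seen, keeping only clients below the baseline."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ip, _url, ua = m.groups()
        ver = parse_java_version(ua)
        if ver is None:
            continue  # ordinary browser request, no Java version to check
        if ip not in seen or ver < seen[ip]:
            seen[ip] = ver
    return {ip: v for ip, v in seen.items() if v < minimum}

def format_version(v):
    """Render a version tuple the way Java prints it, e.g. 1.7.0_07."""
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"

if __name__ == "__main__":
    for ip, ver in sorted(outdated_java_clients(SAMPLE_LOG).items()):
        print(f"{ip}: Java {format_version(ver)} is below baseline {format_version(MIN_JAVA)}")
```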

So which browser to use? Depends.

Blackhole stats by browsers

If we look at how big a percentage of Chrome users get owned, just looking at the real statistics from an interface of Blackhole – you can see that Chrome in practice, in the real world, is actually much more secure than Firefox or IE. And this is probably one of the reasons why Chrome is the most common browser on the planet. If it’s not yet, it’s gonna be very soon, which is great, because IE was the number 1 browser for almost 15 years.

The downside of course is that Chrome is done by Google, and by using Chrome you are selling your soul to Google, and that is a bad thing. Google is the Big Brother and there’s not much we can do about it, cause it’s really hard to try to avoid Google. I know, I’ve tried, it’s really hard to stay away, because the services are great.

Just stop and think about it for a moment. Think about Google. Think about their infrastructure. Think about their data centers. We run significant data centers ourselves for F-Secure; we have data centers around the world because we process somewhere in the range of 70,000-100,000 sample submissions every day, and processing here means we do cross-referencing, we run them, we throw them in the sandnets, we execute them, we scan them with all possible antivirus scanners on the planet – so, intensive stuff. We have sizeable infrastructure. But that’s nothing when you compare it to the infrastructure of Google. Just think about the search engine, think about Google Maps, think about YouTube. Just for a moment think about YouTube. I once took the time to start going through the DNS namespace of Youtube.com, and I found somewhere in the range of 80,000 hosts. Most of them cache servers in their namespace. That is just a ridiculous amount of hardware to run YouTube, and that’s just one of their services. So obviously it’s a very-very-very expensive operation to run the data centers for Google.

So how much do the Google services cost? How much do you pay? How much do you pay for google.com, or YouTube, or Google Maps? Nothing, it’s free. That’s an interesting combination of a very expensive service to run, which is completely free, and then you look at Google’s profits, and their profits are billions every quarter. And that’s a funny combination: a very expensive service to run, which is free and very profitable, which sort of explains to us just how valuable profiling us is.

And you could say exactly the same things about Facebook. And it’s sort of funny that 10 years ago we were worried about Microsoft. We were worried about Microsoft 10 years ago. Microsoft was the Big Brother and we couldn’t trust Microsoft, and Microsoft was the evil thing. I don’t think anybody is worried about Microsoft anymore, right? It’s Google and Facebook we should be worried about today.
