Your questions answered: fraudware infection vectors
I received this email a few days ago:
Dale's email is certainly worth answering; I'll do my best ;o)
Fraudware such as XP Antivirus 2009 (or 2008) and its myriad stablemates does not come in strictly via the Clipbook vector. On the contrary, my opinion is that the clipboard trick is one of their least effective tactics when it is compared with their standard modus operandi. Why? Because hijacking the clipboard and forcing a malicious URL to be pasted into online posts is all well and good, but they still need somebody to click on the link for anything further to happen.
What other vectors do those behind the fraudware use to distribute their wares in addition to the clipboard hijack? Well, there are the Flash based malvertizements that are featured so often on this blog and which are by far the most popular, and effective, tool that they have. Malicious SWF require no user interaction to be effective, a lack of user interaction that is often facilitated by the use of the ubiquitous Flash (that I described as, and still describe as, "the Typhoid Mary of the Internet"). Unfortunately, there is no way for the end user to control the functionality that allows the fraudsters to misuse Flash without disabling Flash entirely and the bad guys (who are experts in social engineering and adapting their wares to suit the average human psyche) *know* that the average man in the street will not give up on using Flash (and will turn off software features that block Flash).
On a side note, I find it ironic that Adobe have acknowledged on their blog, and admit publicly, that they are trying to work out how to address the problem of clipboard hijackings when *browser* hijackings are so much more prevalent, and *FAR* more dangerous to the end user. The cynic in me is whispering that the only reason Adobe have made a public statement about the clipboard hijacking is because there has been so much attention within the popular press. Oh well, let's hope that if they "fix" the clipboard problem that they will do so by allowing users more granular control of what SWF is and is not allowed to do without explicit user approval or interaction. After all, Flash can be set to ask permission before accessing a computer's microphone or camera or if a site tries to use "older security settings". I see no reason why it can't be designed to ask permission before hijacking a web browser (I have not, as yet, seen a Silverlight based malvertizement, but the use of Silverlight simply isn't widespread enough to be of interest to the crooks, and I am therefore unable to make a fair comparison).
There are also non SWF advertising attacks where networks allow a middle man to use a geographically targeted redirect to lead victims straight to the fraudware site. The attack that I reported here used only "authorized" redirects - no SWF was used to get the victim to the fraudware site, nor were browser exploits used. You would think that such basic attacks should be easy to detect, but they are not - on the contrary, staff at host advertising networks, and the staff responsible for the victim web sites, will invariably not experience a fraudware hijack and will instead end up at a legitimate web site (not only do the bad guys use geographical targeting, they also often block specific IP ranges - IP ranges that are owned by victim web sites and hosting advertising networks and, invariably, antivirus and antispyware companies, and well known security researchers).
How can victim advertising networks and web sites (and security researchers) get around such problems? Well, we have caught some pretty big campaigns when staff at an affected web site or ad network have checked things when they were at home. Or, you can use one of the myriad web proxies on the net to anonymize your IP and/or pretend that you are in a different country (www.proxy.org is a resource that I point people to if they want to use such services). The bad guys are known to block most of the, dare I say it, popular proxies therefore the trick is to find one that is new, and/or low profile. Be warned though, web proxies are invariably of no use if you need to gather evidence about a malicious redirect - web proxies invariably encrypt network traffic making it well nigh impossible to gather evidence sufficient to shut down a malvertizing campaign. As for me, I prefer services such as TOR and a few other less common tricks ;o)
The bad guys also use splogs, which may be indexed by the popular search engines (blogger.com/blogspot.com and myspace are popular targets). The mitigating factor in such attacks is that they require the end user to click on what are often obviously nonsensical search results to access the dangerous site, at which time the blog loads and the victim is redirected to the fraudware site (again, no SWF required). Splogs that regurgitate content from legitimate blogs, verbatim, are more difficult for the end user to detect :o(
Email spam - which they use to entice the user to a splog, or a hijacked web site.
Comment spam, guestbook spam, mailing list spam, registration spam, trackback spam and forum spam. The crooks find it highly amusing to use one of my email addresses as the reply or registration address for a lot of crud - thank heavens for spam filters and Magic Mail Monitor. I love Magic Mail Monitor. My fetch and filter protocols get rid of the worst of the spam, and I get rid of the rest by viewing the headers of all emails using MMM *before* they are downloaded to my local machine. I sort by Subject and then by Sender and delete the unwanted stuff - little time is wasted, and *very* little bandwidth. There was a time when a troller-prat decided he was going to use a compromised PC to send me a stack of emails with very large attachments - MMM fixed that problem quick smart :o)
There is a bright side to all of the spam that I get - it is a wonderfully rich harvest of up-to-the-minute malicious domains that are very useful in my day to day research. The same applies to comment spam on this blog which is also a wonderfully rich source of research material - another reason why I don't use CAPTCHA - I have no interest in blocking anything other than trolls ;o)
Hacked legitimate web sites (non-SQL injection attacks) - this is not as common as some of their other trickery has been but it is a growing trend, and I am certainly receiving (and have been able to confirm) reports of hacked web sites with malicious iframes inserted that expose viewers to fraudware.
SQL injection - yep, they use that too.