The A-Z Of Computer And Data Security Threats


Threatsaurus: The A-Z of computer and data security threats


The A-Z of computer and data security threats

Whether you’re an IT professional, use a computer at work, or just browse the Internet, this book is for you. We explain the facts about threats to your computers and to your data in simple, easy-to-understand language.

Sophos frees IT managers to focus on their businesses. We provide endpoint, encryption, email, web and network security solutions that are simple to deploy, manage and use. Over 100 million users trust us for the best protection against today’s complex threats, and analysts endorse us as a leader.

The company has more than two decades of experience and a global network of threat analysis centers that allow us to respond rapidly to emerging threats. As a result, Sophos achieves the highest levels of customer satisfaction in the industry. Our headquarters are located in Boston, Mass., and Oxford, UK.

Copyright 2012 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Contents

Introduction 5
A-Z of threats 8
Security software/hardware 84
Safety tips 108
Malware timeline 127

Introduction

Everyone knows about computer viruses. Or at least they think they do.

Thirty years ago, the first computer virus appeared, Elk Cloner, displaying a short poem when an infected computer booted up for the 50th time. Since then, cybercriminals have created millions of viruses and other malware—email viruses, Trojans, Internet worms, spyware, keystroke loggers—some spreading worldwide and making headlines.

Many people have heard about viruses that fill your computer screen with garbage or delete your files. In the popular imagination, malware still means pranks or sabotage. The early 1990s saw global panic about the Michelangelo virus. In the 2000s, when millions of computers were infected with the SoBig-F virus and primed to download unknown programs from the web at a set time, antivirus companies scrambled to persuade Internet service providers to shut down servers to avoid a doomsday scenario. Hollywood movies like Independence Day reinforced this perception, with virus attacks signaled by flashing screens and alarms.

However, this is far from the truth today. The threats are no less real now, but they are low-profile, well-targeted, and more likely to be about making cash than creating chaos.

Today, malware is unlikely to delete your hard disk, corrupt your spreadsheet, or display a message. Such cyber-vandalism has given way to more lucrative exploits. Today’s viruses might encrypt all your files and demand a ransom. Or a hacker might blackmail a large company by threatening to launch a denial-of-service attack, which prevents customers from accessing the company’s website.

More commonly, though, viruses don’t cause any apparent damage or announce their presence at all. Instead, a virus might silently install a keystroke logger, which waits until the victim visits a banking website and then records the user’s account details and password, and forwards them to a hacker via the Internet. The hacker is an identity thief, using these details to clone credit cards or plunder bank accounts. The victim isn’t even aware that the computer has been infected. Once the virus has done its job, it may delete itself to avoid detection.

Another trend is for malware to take over your computer, turning it into a remote-controlled zombie. It uses your computer without your knowledge to relay millions of profit-making spam messages. Or, it may launch other malware attacks on unsuspecting computer users.

And as social networks like Facebook and Twitter have grown in popularity, hackers and cybercriminals are exploiting these systems to find new ways of infecting computers and stealing identities.

Hackers may not even target large numbers of victims any more. Such high-visibility attacks bring unwanted attention, and antivirus companies can soon neutralize malware that is widely reported. In addition, large-scale exploits can bring hackers more stolen data than they can handle. Because of this, threats are becoming more carefully focused.

Spearphishing is an example. Originally, phishing involved sending out mass-mail messages that appeared to come from banks, asking customers to re-register confidential details, which could then be stolen. Spearphishing, by contrast, confines itself to a small number of people, usually within an organization. The mail appears to come from colleagues in trusted departments, asking for password information. The principle is the same, but the attack is more likely to succeed because the victim thinks that the message is internal, and his or her guard is down.

Stealthy, small-scale, well-targeted: for now, this seems to be the way that security threats are going.

What of the future, though? Predicting how security threats will develop is almost impossible. Some commentators assumed that there would never be more than a few hundred viruses, and Microsoft’s Bill Gates declared that spam would no longer be a problem by 2006. It’s not clear where future threats will come from, or how serious they will be. What is clear is that whenever there is an opportunity for financial gain, hackers and criminals will attempt to access and misuse data.


A-Z of threats


Adware

Adware is software that displays advertisements on your computer.

Adware, or advertising-supported software, displays advertising banners or pop-ups on your computer when you use an application. This is not necessarily a bad thing. Such advertising can fund the development of useful software, which is then distributed free (for example, Android apps, many of which are adware funded).

However, adware becomes a problem if it:

- installs itself on your computer without your consent
- installs itself in applications other than the one it came with and displays advertising when you use those applications
- hijacks your web browser in order to display more ads (see Browser hijacker)
- gathers data on your web browsing without your consent and sends it to others via the Internet (see Spyware)
- is designed to be difficult to uninstall

Adware can slow down your PC. It can also slow down your Internet connection by downloading advertisements. Sometimes programming flaws in the adware can make your computer unstable. Advertising pop-ups can also distract you and waste your time if they have to be closed before you can continue using your PC.

Some antivirus programs detect adware and report it as potentially unwanted applications. You can then either authorize the adware program or remove it from your computer. There are also dedicated programs for detecting adware.


Anonymizing proxy

Anonymizing proxies allow the user to hide their web browsing activity. They are often used to bypass web security filters—e.g., to access blocked sites from a work computer.

Anonymizing proxies hold significant risks for organizations:

- Security: The anonymizing proxy bypasses web security and allows users to access infected webpages
- Liability: Organizations can be legally liable if their computers are used to view pornography, hate material or to incite illegal behavior. There are also ramifications if users violate third-party licenses through illegal MP3, film and software downloads
- Productivity: Anonymizing proxies can permit users to visit sites that, although safe, are often used for non-work purposes

Advanced persistent threat (APT)

Advanced persistent threats are a type of targeted attack. APTs are characterized by an attacker who has time and resources to plan an infiltration into a network.

These attackers actively manage their attack once they have a foothold in a network and are usually seeking information, proprietary or economic, rather than simple financial data. APTs are persistent in that they may remain on a network for some time before gaining access to the information they seek and stealing it. APTs should not be confused with more common botnets, which are usually opportunistic and indiscriminate attacks seeking any available victim rather than specific information.

Autorun worm

Autorun worms are malicious programs that take advantage of the Windows AutoRun feature. They execute automatically when the device on which they are stored is plugged into a computer.

Autorun worms are commonly distributed on USB drives, automatically infecting computers as soon as the USB is plugged in. AutoPlay is a similar technology to Autorun. It is initiated on removable media, prompting users to choose to listen to music with the default media player, or to open the disk in Windows Explorer. Attackers have similarly exploited AutoPlay, most famously via the Conficker worm.

On patched and newer operating systems, Microsoft has set AutoRun to off by default. As a result, autorun worms should pose less of a threat in the future.

Backdoor Trojan

A backdoor Trojan allows someone to take control of a user’s computer via the Internet without their permission.

A backdoor Trojan may pose as legitimate software to fool users into running it. Alternatively—as is increasingly common—users may allow Trojans onto their computer by following a link in spam email or visiting a malicious webpage.

Once the Trojan runs, it adds itself to the computer’s startup routine. It can then monitor the computer until the user is connected to the Internet. When the computer goes online, the person who sent the Trojan can perform many actions—for example, run programs on the infected computer, access personal files, modify and upload files, track the user’s keystrokes, or send out spam email.

Well-known backdoor Trojans include Netbus, OptixPro, Subseven, BackOrifice and, more recently, Zbot or ZeuS.

To avoid backdoor Trojans, you should keep your computers up to date with the latest patches (to close down vulnerabilities in the operating system), and run anti-spam and antivirus software. You should also use a firewall, which can prevent Trojans from accessing the Internet to make contact with the hacker.

Boot sector malware

Boot sector malware spreads by modifying the program that enables your computer to start up.

When you turn on a computer, the hardware looks for the boot sector program, which is usually on the hard disk (but can be on a floppy disk or CD), and runs it. This program then loads the rest of the operating system into memory.

Boot sector malware replaces the original boot sector with its own, modified version (and usually hides the original somewhere else on the hard disk). The next time you start up, the infected boot sector is used and the malware becomes active.

Boot sectors are now used by some malware designed to load before the operating system in order to conceal its presence (e.g., TDL rootkit).
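The defender's counterpart to the replacement described above is to keep a trusted copy of the boot sector and compare the code region against it. The following C check is an added example, not part of the Threatsaurus or any Sophos product; it assumes the classic 512-byte master boot record layout (446 bytes of boot code, then the partition table, then the 0x55 0xAA signature), and the sample sectors and the `run_scenario` helper are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SECTOR_SIZE    512
#define BOOT_CODE_SIZE 446   /* boot code occupies bytes 0..445; the partition table follows */
#define SIG_OFFSET     510   /* the 0x55 0xAA boot signature sits in the last two bytes */

enum boot_check { BOOT_OK = 0, BOOT_BAD_SIGNATURE = 1, BOOT_CODE_CHANGED = 2 };

/* Compare a freshly read sector with a trusted baseline. Only the boot code
 * region is compared: partition-table edits are legitimate, whereas a change
 * to the code that runs at power-on is the symptom the text describes. */
enum boot_check check_boot_sector(const uint8_t baseline[SECTOR_SIZE],
                                  const uint8_t current[SECTOR_SIZE])
{
    if (current[SIG_OFFSET] != 0x55 || current[SIG_OFFSET + 1] != 0xAA)
        return BOOT_BAD_SIGNATURE;
    if (memcmp(baseline, current, BOOT_CODE_SIZE) != 0)
        return BOOT_CODE_CHANGED;
    return BOOT_OK;
}

/* Build a constructed sample sector: filler in the code region, an empty
 * partition table and a valid signature. It is not a real bootloader. */
void make_sample_sector(uint8_t out[SECTOR_SIZE], uint8_t filler)
{
    memset(out, 0, SECTOR_SIZE);
    memset(out, filler, BOOT_CODE_SIZE);
    out[SIG_OFFSET]     = 0x55;
    out[SIG_OFFSET + 1] = 0xAA;
}

/* Scenario helper (constructed): take a baseline, then produce a "current"
 * copy in which the first `changed_code_bytes` bytes of boot code differ,
 * one partition-table byte is edited (which must be ignored), and optionally
 * the signature is broken. Returns the verdict for that copy. */
enum boot_check run_scenario(size_t changed_code_bytes, int break_signature)
{
    uint8_t baseline[SECTOR_SIZE], current[SECTOR_SIZE];
    make_sample_sector(baseline, 0x90);
    memcpy(current, baseline, SECTOR_SIZE);
    memset(current, 0x00, changed_code_bytes);  /* constructed replacement bytes */
    current[BOOT_CODE_SIZE] = 0x80;             /* first partition entry's status byte */
    if (break_signature)
        current[SIG_OFFSET] = 0x00;
    return check_boot_sector(baseline, current);
}

int main(void)
{
    static const char *verdict[] = { "OK", "BAD_SIGNATURE", "CODE_CHANGED" };
    printf("untouched code, edited partition table: %s\n", verdict[run_scenario(0, 0)]);
    printf("one boot-code byte replaced:            %s\n", verdict[run_scenario(1, 0)]);
    printf("signature missing:                      %s\n", verdict[run_scenario(0, 1)]);
    return 0;
}
```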


Botnet

A botnet is a collection of infected computers that are remotely controlled by a hacker.

Once a computer is infected with a bot, the hacker can control the computer remotely over the Internet. From then on, the computer is a zombie, doing the bidding of the hacker, although the user is completely unaware. Collectively, such computers are called a botnet.

The hacker can share or sell access to control the botnet, allowing others to use it for malicious purposes.

For example, a spammer can use a botnet to send out spam email. Up to 99% of all spam is distributed this way. This allows the spammers to avoid detection and to get around any blacklisting applied to their own servers. It can also reduce their costs because the computer’s owner is paying for the Internet access.

Hackers can also use zombies to launch a distributed denial-of-service attack, also known as a DDoS. They arrange for thousands of computers to attempt to access the same website simultaneously, so that the web server is unable to handle all the requests reaching it. The website thus becomes inaccessible. (See Zombie, Denial-of-service attack, Spam, Backdoor Trojan, Command and control center)


Browser hijacker

Browser hijackers change the default homepage and search engine in your Internet browser without your permission.

You may find that you cannot change your browser’s homepage once it has been hijacked. Some hijackers edit the Windows registry so that the hijacked settings are restored every time you restart your computer. Others remove options from the browser’s tools menu, so that you can’t reset the start page.

Browser hijackers can be very tenacious, as well as sneaky. Attackers use clickjacking, also known as a UI redress attack, by inserting multiple transparent, or opaque, layers on a webpage. This technique can trick a user into clicking on a button or link on a page other than the one they were intending to click on. Effectively the attacker is hijacking clicks meant for one page and routing them to another page, most likely owned by another application, domain, or both.

Browser hijacking is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.

Although these threats don’t reside on your PC, they do affect your browsing experience.

Brute force attack

A brute force attack is one in which hackers try a large number of possible keyword or password combinations to gain unauthorized access to a system or file.

Brute force attacks are often used to defeat a cryptographic scheme, such as those secured by passwords. Hackers use computer programs to try a very large number of passwords to decrypt the message or access the system.

To prevent brute force attacks, it is important to make your passwords as secure as possible. (See How to choose secure passwords)


Buffer overflow

A buffer overflow occurs when a program stores excess data by overwriting other parts of the computer’s memory, causing errors or crashes.

Buffer overflow attacks take advantage of this weakness by sending more data to a program than it expects. The program may then read in more data than it has reserved space for and overwrite parts of the memory that the operating system is using for other purposes.

Contrary to popular belief, buffer overflows don’t just happen in Windows services or core programs. They can occur in any application.

Buffer overflow protection (BOP) looks for code that uses buffer overflow techniques to target security vulnerabilities. (See Exploit, Drive-by download)
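As an added example that is not from the Threatsaurus, the following C code shows the weakness described above in miniature: a hypothetical `user_record` whose fixed name buffer sits next to a privilege flag, the unchecked copy that would spill onto that flag, and the bounded version that rejects oversized input instead. The struct, function names and sample inputs are all made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical record used only for illustration: a fixed 16-byte name
 * buffer immediately followed by a privilege flag. Bytes written past the
 * end of `name` land on `is_admin`, the kind of adjacent memory the text
 * says an overflow overwrites. */
struct user_record {
    char name[16];
    uint8_t is_admin;
};

static struct user_record demo_record;   /* zero-initialised: empty name, is_admin = 0 */

/* Unsafe pattern: copies until the NUL terminator with no regard for the
 * 16-byte buffer. Kept only for contrast and never given oversized input
 * here, because that would be undefined behaviour. */
static void copy_name_unchecked(struct user_record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Hardened version: rejects input that does not fit together with its
 * terminator and leaves the record untouched. Returns 0 on success, -1 when
 * the input is too long. */
static int copy_name_checked(struct user_record *r, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof r->name)
        return -1;
    memcpy(r->name, src, len + 1);
    return 0;
}

/* Bytes of adjacent memory an unchecked copy of `src` would clobber; zero
 * means the input fits. Handy when reviewing an input-length limit. */
static size_t overflow_bytes(const char *src)
{
    size_t needed = strlen(src) + 1;                 /* payload plus NUL */
    size_t room = sizeof demo_record.name;
    return needed > room ? needed - room : 0;
}

/* Small accessors so the outcome of a checked copy can be inspected. */
static int set_demo_name(const char *src) { return copy_name_checked(&demo_record, src); }
static const char *demo_name(void)        { return demo_record.name; }
static unsigned demo_is_admin(void)       { return demo_record.is_admin; }

int main(void)
{
    const char *bad_input = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed, 24 bytes */
    copy_name_unchecked(&demo_record, "alice");           /* fits: 6 bytes into 16 */
    printf("name=%s is_admin=%u\n", demo_name(), demo_is_admin());
    printf("%zu-byte input would spill %zu byte(s) past the buffer\n",
           strlen(bad_input), overflow_bytes(bad_input));
    if (set_demo_name(bad_input) != 0)
        printf("checked copy rejected it; is_admin still %u\n", demo_is_admin());
    return 0;
}
```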

Chain letter

An electronic chain letter is an email that urges you to forward copies to other people.

Chain letters, like virus hoaxes, depend on you, rather than on computer code, to propagate themselves. The main types are:

- Hoaxes about terrorist attacks, premium-rate phone line scams, thefts from ATMs and so forth
- False claims that companies are offering free flights, free mobile phones or cash rewards if you forward the email
- Messages that claim to be from agencies like the CIA and FBI, warning about dangerous criminals in your area
- Petitions that, even if genuine, continue to circulate long after they expire
- Jokes and pranks (e.g., the claim that the Internet would be closed for maintenance on April 1)
- On social networks like Facebook, posts asking users to share links, such as a photo of a sick infant that needs a heart transplant, or phony scares such as children being targeted with strawberry flavored drugs

Chain letters don’t threaten your security, but they can waste time, spread misinformation and distract users from genuine email.

They can also create unnecessary email traffic and slow down mail servers. In some cases, the chain letter encourages people to send email to certain addresses so that they are deluged with unsolicited mail.

The solution to the chain letter problem is simple: Don’t forward these messages. (See Hoax)

Command and control center

A command and control center (C&C) is a computer that controls a botnet (i.e., a network of compromised or zombie computers). Some botnets use distributed command and control systems, making them more resilient.

From the command and control center, hackers can instruct multiple computers to perform their desired activities.

Command and control centers are often used to launch distributed denial-of-service attacks because they can instruct a vast number of computers to perform the same action at the same time. (See Botnet, Zombie, Denial-of-service attack)


Cookie

Cookies are files placed on your computer that allow websites to remember details.

When you visit a website, it can place a file called a cookie on your computer. This allows the website to remember your details and track your visits. Cookies can be a threat to confidentiality, but not to your data.

Cookies were designed to be helpful. For example, if you submit your ID when you visit a website, a cookie can store this data so you don’t have to re-enter it the next time. Cookies also have benefits for webmasters, as they show which webpages are most used, providing useful input when planning a redesign of the site.

Cookies are small text files and cannot harm your data. However, they can compromise your confidentiality. Cookies can be stored on your computer without your knowledge or consent, and they contain information about you in a form you can’t access easily. And when you revisit the same website, this data is passed back to the web server, again without your consent.

Websites gradually build up a profile of your browsing behavior and interests. This information can be sold or shared with other sites, allowing advertisers to match ads to your interests, display consecutive ads as you visit different sites, and track the number of times you have seen an ad.

If you prefer to remain anonymous, use the security settings on your Internet browser to disable cookies.


Data leakage

Data leakage is the unauthorized movement of information, usually outside an organization. It can be deliberate (data theft) or accidental (data loss).

Data leakage prevention is a top concern for organizations, with data breach scandals frequently popping up in the headlines. Many corporate and government organizations have failed to protect their confidential information, including the identities of their workforce, their customers and the general public.

Users routinely use and share data without giving sufficient thought to confidentiality and regulatory requirements.

A variety of techniques can be used to prevent data leakage. These include antivirus software, encryption, firewalls, access control, written policies and improved employee training. (See Data loss, Data theft, How to secure your data)


Data loss

Data loss is the result of the accidental misplacement of data, rather than its deliberate theft.

Data loss frequently occurs through the loss of a device containing data, such as a laptop, tablet, CD-ROM, mobile phone or USB stick. When these are lost, the data is at risk of falling into the wrong hands unless a strong data security technique is used. (See Data leakage, Data theft, How to secure your data)


Data theft

Data theft is the deliberate theft of information, rather than its accidental loss.

Data theft can take place both inside an organization (e.g., by a disgruntled employee), or by criminals outside the organization.

In 2012 these thefts included hackers breaking into a Belgian credit provider, Dexia, and demanding payment (blackmail) of 150,000 (US 197,000) to prevent the hackers from publishing confidential information.

Another example is India-based call center workers who were selling confidential information on nearly 500,000 British citizens including names, addresses, phone numbers and credit card numbers.

Some other recent data thefts include some of the biggest in history:

- 2007: The TJX Companies discloses theft of 45.6M credit and debit card numbers, costing the retailer 256M
- 2009: Heartland Payment Systems discloses breach of 10
