JOURNAL OF EMERGING TECHNOLOGIES IN WEB INTELLIGENCE, VOL. 2, NO. 2, MAY 2010

Protecting Data From the Cyber Theft – A Virulent Disease

1 Dr. S.N. Panda and 2 Vikram Mangla
1 Professor & Principal, 2 Assistant Professor
1 RIMT-IMCT, Mandi Gobind Garh, Punjab.
2 Chitkara Institute of Engineering & Technology, Rajpura, Punjab.
1 panda.india@gmail.com, 2 mangla.vikram@gmail.com

Abstract - Network security policies are essential elements in Internet security. Network security perimeter devices such as firewalls, IPSec gateways, and IDS/IPS devices operate based on locally configured policies. Malware-related data breaches have reached pandemic proportions as criminals discover that Internet crime is easy to commit, highly lucrative, and largely under-policed. With a few hundred dollars, a cyber criminal can begin a career of breaking into computers to steal identity and confidential data for sale to the highest bidder. This paper will cover current and emerging trends of stealth malware, such as moving primarily to the Web since most organizations allow Web traffic into the network. It will also cover new advances in network security technologies that use multi-phase heuristic and virtual machine analysis to detect and mitigate the damages that result from malware-related data thefts.

Index Terms - Network Security, Web Threats, Malware, Phishing

I. INTRODUCTION

With the global connectivity provided by the Internet, network security has gained significant attention in research and industrial communities.
Due to the increasing threat of network attacks, network security devices such as firewalls and IPSec gateways have become important integrated elements not only in enterprise networks but also in small-size and home networks. Motivated by the lure of profits from the sale of stolen confidential information, cyber criminals today are shifting to the Web as their chosen attack vector, which provides an ideal environment for cyber crime. Malware-related data breaches have reached pandemic proportions as criminals discover that Internet crime is easy to commit, highly lucrative, and largely under-policed. With a few hundred dollars, a cyber criminal can begin a career of breaking into computers to steal identity and confidential data for sale to the highest bidder. Fraudsters who purchase the data have developed a variety of schemes to monetize that information, ranging from transacting unauthorized stock trades to transferring funds to offshore bank accounts. The cyber crime economy is so robust that there is a vibrant market for professional malware toolkits, available for $500 to $1,000, that come pre-configured with a range of attack modules, exploit 'maintenance' updates, and 24 x 7 online technical support.

Many Web threats can be deployed unbeknownst to the user, requiring no additional action than merely opening a Web page.
Large numbers of users, an assortment of technologies, and a complex network structure provide criminals with the targets, exploitable weaknesses, and anonymity required for large-scale fraud. Web threats pose a broad range of risks, including financial damages, identity theft, loss of confidential business information, theft of network resources, damaged brand or personal reputation, and erosion of consumer confidence in e-commerce. These high stakes, the pervasive use of the Web, and the complexity of protecting against Web threats combine to form perhaps the greatest challenge to protecting personal and business information in a decade.

In August 2007, a scene played out as cyber criminals infiltrated the monster.com job site through "Monster for Employers" accounts, compromising the personal information of 1.6 million users.
Many of these users then received official-looking emails, claiming to be from monster.com and encouraging them to download a "helper application" that turned out to be yet more malware. These attacks were well-researched, using familiar language and branding, and coded to transfer data slowly, under the radar of IT administrators looking for suspicious network traffic. [1]

Web threats also include malware that is downloaded from an email attachment but accesses the Web to convey information to the hacker. In 2007, fraudulent emails were sent purporting to be from the Federal Trade Commission. These emails claimed that a complaint had been filed against the company and contained an attachment. If the recipient opened the attachment, a keylogging Trojan was deployed that attempted to steal login information from the user's computer and send it back to the hacker. [2]

Phishing is a prevalent Web threat, spoofing legitimate companies to trick people into providing confidential information. Consumer phishing is widespread, sending emails that spoof organizations like banks and online retailers. These phishing emails often use links to take recipients to Web sites where confidential information is gathered. Employees can fall victim to these consumer threats, but phishing can also affect corporations more directly.
In 2005, phishing emails targeted CEOs and other high-level executives of US credit unions in an attempt to gain control of millions of personal financial records. The email messages contained a link to a Web site where a Trojan was downloaded. Even one successful infection could have caused millions of dollars of damage and caused irreparable harm to hundreds of thousands of users through identity and asset theft. [3]

© 2010 ACADEMY PUBLISHER, doi:10.4304/jetwi.2.2.152-155

But Web threats don't just steal confidential information; they can also steal network resources. Variations of e-greeting card spam were sent throughout 2007. These simple spam messages told recipients that a friend had sent them an e-greeting card and to follow the link in the email to view the card. If recipients followed the link, it took them to a Web site that downloaded malicious code.

This code hijacked the computer, turning it into a "bot" and allowing the hackers to use the machine for their own purposes: sending spam, hosting malicious Web sites, and much more. Consumer and corporate computers were infected by the millions. Hackers network these infected computers to create botnets, stealing resources and further perpetuating their fraudulent activities.

II. WEB THREATS DEFINED

Web threats are any threat that uses the Web to facilitate cyber crime. They are sophisticated in their methods, using multiple types of malware and fraud, all of which utilize the HTTP or HTTPS protocols, but can also employ other protocols as components of the attack, such as links in email or IM, or malware in attachments or on servers that access the Web.
The creators of such threats frequently update Web site content, variants, and malware types in order to evade detection and achieve greater success.

Web threats based on malware are hidden within Web pages, and victims are infected when they visit the page. Fraudulent sites mimic legitimate business Web sites and use social engineering to request that visitors disclose confidential information. Individuals once characterized as hackers, virus writers, spammers, and spyware makers are now simply known as cyber criminals, with financial profit their primary aim.

Over the last 15 years, information security threats have evolved through a series of incarnations. In each case, malware writers and fraudsters sought out the medium that was most used and least protected (for example, email). Today, a new wave of threats is emerging that uses the Web as a delivery vehicle. These Web threats are gaining traction at a time when the Web has become a major commerce engine as well as a social networking vehicle, with usage continuing to grow.

At the same time, the Web is relatively unprotected, compared to messaging for example, as a medium to deliver malware and conduct fraud. According to IDC, "Up to 30% of companies with 500 or more staff have been infected as a result of Internet surfing, while only 20%-25% of the same companies experienced viruses and worms from emails." [4]

III. WEB THREAT DELIVERY MECHANISMS

Web threats can be divided into two primary categories, based on delivery method: push and pull. Push-based threats use spam, phishing, or other fraudulent means to lure a user to a malicious (often spoofed) Web site, which then collects information and/or injects malware. Push attacks use phishing, DNS poisoning (or pharming), and other means to appear to originate from a trusted source. Their creators have researched their target well enough to spoof corporate logos, official Web site copy, and other convincing evidence to increase the appearance of authenticity. Precisely targeted push-based threats are often called "spear phishing" to reflect the focus of their data-gathering ("phishing") attack.

Spear phishing typically targets specific individuals and groups for financial gain. In November 2006, a medical center fell victim to a spear phishing attack. Employees of the medical center received an email telling them they had been laid off. The email also contained a link that claimed to take the recipient to a career counseling site. Recipients that followed the link were infected by a keylogging Trojan.
[5] In other push-based threats, malware authors use social engineering such as enticing email subject lines that reference holidays, popular personalities, sports, pornography, world events, and other popular topics to persuade recipients to open the email and follow links to malicious sites or open attachments containing malware that accesses the Web.

Pull-based threats are often referred to as "drive-by" threats, since they can affect any visitor, regardless of how carefully that visitor chooses which sites to browse. Pull threat developers infect legitimate Web sites, which unknowingly transmit malware to visitors or alter search results to take users to malicious sites. Upon loading the page, the user's browser passively runs a malware downloader in a hidden HTML frame (IFRAME) without any user interaction. Both push- and pull-based Web threat variants target infection at a regional or local level (for example, via local-language sites aimed at particular demographics), rather than using the mass-infection technique of many earlier malware approaches. These threats typically take advantage of Internet port 80, which is almost always open to permit access to the information, communication, and productivity that the Web affords to employees.

IV. TODAY'S INSIDER THREAT IS STEALTH MALWARE

Law enforcement, computer crime experts, and even the military are playing catch-up to the threat posed to consumers, businesses, and national security as cyber criminals cash in on stolen identity data, fraudulent online transactions, and cyber espionage.
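Both delivery mechanisms described in Section III leave a recognizable trace in the HTML that reaches the browser, and a gateway that sees port 80 traffic can check for them. The Python scanner below is an added example for this page, not code from the paper or from any product it mentions. On the push side it flags links whose visible text names one host while the href actually points to a different registered domain or to a raw IP literal (the shape of the monster.com "helper application" lure in Section I); on the pull side it flags iframes that a visitor cannot see, whether because they are zero or one pixel in size, hidden by a CSS rule, or positioned far off-screen. The sample pages, the attacker hostnames (reserved .example names and an address from the 198.51.100.0/24 documentation range) and the two-label registered-domain heuristic are all constructed for the example; a production filter would consult the Public Suffix List for the domain comparison and would run the same checks against the rendered DOM rather than raw markup, since drive-by loaders are frequently written into the page by obfuscated script.

```python
"""Flag push-style phishing lures and pull-style hidden-iframe drive-by vectors
in HTML. Added example for this page, not code from the original paper."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    """Gather (href, visible text) per <a> and the attribute dict per <iframe>."""
    def __init__(self):
        super().__init__()
        self.links, self.iframes, self._link = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # bare attributes become ""
        if tag == "a":
            self._link = [a.get("href", ""), ""]
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append((self._link[0], self._link[1].strip()))
            self._link = None

def _registered_domain(host):
    # Assumption: the last two labels approximate the registered domain. Production
    # code should consult the Public Suffix List (co.uk and friends need three).
    return ".".join(host.lower().strip(".").split(".")[-2:])

_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def find_push_lures(html):
    """Push side: link text names one host but the href goes to another host or
    to a bare IP literal. Returns [(reason, href, text)] in document order."""
    c = _Collector()
    c.feed(html)
    out = []
    for href, text in c.links:
        host = urlparse(href).hostname or ""
        if not host:                              # mailto:, javascript:, relative
            continue
        try:
            ipaddress.ip_address(host)
            out.append(("ip_literal", href, text))
            continue
        except ValueError:
            pass
        shown = _HOST_IN_TEXT.search(text)
        if shown and _registered_domain(shown.group(1)) != _registered_domain(host):
            out.append(("domain_mismatch", href, text))
    return out

_TINY_ATTR = re.compile(r"^\s*[01](?:px)?\s*$")                      # width="0"
_CSS_TINY = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\b", re.I)  # style="width:0"
_CSS_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I)           # left:-5000px

def find_hidden_iframes(html):
    """Pull side: iframes the visitor cannot see. Returns [(src, [reasons])]."""
    c = _Collector()
    c.feed(html)
    out = []
    for a in c.iframes:
        style, reasons = a.get("style", ""), []
        if (_TINY_ATTR.match(a.get("width", "")) or _TINY_ATTR.match(a.get("height", ""))
                or _CSS_TINY.search(style)):
            reasons.append("tiny_size")
        if _CSS_HIDDEN.search(style):
            reasons.append("css_hidden")
        if _OFFSCREEN.search(style):
            reasons.append("offscreen")
        if reasons:
            out.append((a.get("src", ""), reasons))
    return out

# Constructed samples: monster.com is the brand the paper names; attacker hosts use
# reserved .example names and a 198.51.100.0/24 documentation address.
SAMPLE_LURE = """<p>Your account needs verification.</p>
<a href="http://monster-support-center.example/login">https://www.monster.com/account</a>
<a href="http://198.51.100.7/helper.exe">Download the helper application</a>
<a href="https://www.monster.com/jobs">https://www.monster.com/jobs</a>"""

SAMPLE_DRIVEBY = """<h1>Welcome</h1>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://evil.example/loader" width="0" height="0"></iframe>
<iframe src="http://evil.example/l2" style="display:none"></iframe>
<iframe src="http://evil.example/l3" style="position:absolute;left:-5000px"></iframe>"""

if __name__ == "__main__":
    for finding in find_push_lures(SAMPLE_LURE):
        print("push:", *finding)
    for finding in find_hidden_iframes(SAMPLE_DRIVEBY):
        print("pull:", *finding)
```

Run as a script it prints one line per finding; the two functions return plain tuples so the same checks can be wired into a mail gateway (push side) or a Web proxy (pull side) without further parsing. The legitimate 300x250 advertising iframe in the second sample is deliberately left unflagged, because an ad slot is visible and a size-based rule must not fire on it.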
It is no surprise that the rise in cyber crime has coincided with the increased use of the Internet and especially "Web 2.0" technologies. Web sites and applications now support user-contributed content, syndicated content, iframes, third-party widgets (or applets), and convoluted advertising distribution networks into which 'stealth' malware can easily be injected somewhere along the line. In a 2007 USENIX paper, Google researchers determined that approximately 9% of all suspicious web sites launched "drive-by" downloads of stealth malware binaries [12]. Government studies [13] estimate that 65% of all exploits