Security in VoIP Systems

One of the tasks of security companies is to "forecast" what will happen in the future based on the data and trends we observe. This is a really important task, since it allows us to provide users with guidelines and to base our research on the protection mechanisms we will have to develop in the future.

Some days ago, a Trojan entered the fray that attempts to deceive users by passing itself off as a security program for Skype. It is called Skype Defender and its main aim is to steal the user's Skype data. This is a good moment to look back and recall what we said about VoIP attacks almost 2 years ago. In January 2006, we published a document about security in VoIP systems, written by Fernando de la Cuadra and Enrique González Ochoa. We presented it at the 5th Iberoamerican Conference on Systems, Cybernetics and Computer Science CISCI 2006, in Orlando, Florida.

Here you have an extract of the document:

"Identity Theft. A malicious application could steal a VoIP system user ID, deactivate the user's connection to avoid duplicity and use the stolen ID in its own VoIP network. In this way, the theft victim would be paying for the account when in fact the thief would be the one using it. This use of communication lines is an update of "phreaking" techniques, which use telephone lines to make connections or have conversations unbeknownst to their legitimate owners."

It seems that some of the predictions we made have come true. I have published this document here again in case you want to know which threats are awaiting us.


August spyware list

This month there have been some changes in the first positions compared with the previous month: Adware/Gator goes up from the third to the second position and, therefore, Adware/Lop loses one position.

1.- Application/MyWebSearch
2.- Adware/Gator
3.- Adware/Lop
4.- Spyware/Virtumonde
5.- Adware/Savenow
6.- Adware/ActiveSearch

Application/RealSpy, as in the previous month, continues gaining ground and goes up from the 13th to the 11th position. It is a commercial keylogger that logs the keystrokes typed by the user, monitors the websites visited, captures screenshots and records conversations of instant messaging programs such as MSN, ICQ, AOL and Yahoo.

Adware/SystemDoctor goes up from the 23rd to the 13th position. It is an adware that promotes the fake error-repairing program Application/SystemDoctor2006.

Trj/Lineage.BZE continues gaining ground and goes up from the 24th to the 18th position. It is a Trojan that steals passwords from the MMORPG Lineage.


Easy money: affiliate programs

Today we're going to describe one of the ways cybercriminals earn some easy money. There are many marketing companies that promote web traffic to different web pages, software installations, etc. They use what they call 'affiliate programs', paying money for every software installation or every visit generated. The traffic they pay for comes in many forms: ActiveX controls, rogue antispyware, bundles, banners, fake codecs, iframes, etc.

They usually pay depending on the country the download comes from. Normally the USA and Europe are the best paid countries, while countries such as China or Russia are the worst paid.

Here we can see some examples obtained from these pages:

We will pay you for installs coming from 16 countries as exposed here:
$0.40 for USA, Canada
$0.20 for United Kingdom, France, Germany, Italy, Spain, Belgium, Luxembourg, Monaco
$0.05 for Austria, Denmark, Finland, Sweden, Norway, The Netherlands
$0.01 for China, Korea, Japan

Although some of these marketing enterprises can be well-intentioned, others have been specifically created by and for cybercriminals to earn money. Here we can see a gif file that was being used by one of these companies to advertise itself in an underground malware forum:

A short time ago, while analyzing a Trj/Sinowal variant (a banking Trojan) to discover where it was sending the stolen information, we found one of these websites. We found out that this site had 4 different exploit kits for installing malware, hosted on the same server as the page itself:


There was an IcePack, a Traffic Pro, a Prime Exploit System, and a very basic kit that only used two exploits and had no name. These kits were downloading two Trojans: Trj/Galapoper and Trj/Sinowal. This is not the first time we have seen something similar.


The websites where they promote themselves tend to be very eye-catching; here you can see some examples:


July spyware list

This month, the first positions of the list are very similar to last month's.

1.- Application/MyWebSearch
2.- Adware/Lop
3.- Adware/Gator
4.- Adware/ActiveSearch
5.- Spyware/Virtumonde
6.- Adware/Savenow


Adware/VideoActiveXObject goes up from the 10th to the 7th position. It is the most active variant of the well-known fake codecs.


Application/RealSpy goes up from the 17th to the 13th position. It is a commercial keylogger that logs the keystrokes typed by the user, monitors the websites visited, captures screenshots and records conversations of instant messaging programs such as MSN, ICQ, AOL and Yahoo.


Trj/Lineage.BZE goes up from the 34th to the 24th position. It is a Trojan that steals passwords from the MMORPG Lineage.