Criminals are getting sneakier. These days, computer viruses, Trojans, rootkits and other unfriendly software (collectively known as malware) can be foisted on our systems without our even noticing.
In the early days of malware, the idea was simply to show people that their systems had been compromised; a virus was sometimes nothing more than a thumbing of the perpetrator’s nose at his victims (what else would explain a virus that just made the letters you typed tumble to the bottom of the screen?). But as time went on, malware went from mischievous to malicious, and destruction became the name of the game.
Today’s malware authors aim for secrecy. Their goal is often to hide on your system and steal as much information as possible – banking passwords, credit card numbers, confidential files, and anything else of value. Or they may want to use your computer to launch attacks on others.
It’s embarrassingly easy to become a pawn in the bad guys’ games, as security vendor McAfee shows us in a little exercise known as the Malware Experience.
The Malware Experience is a class that can be anything from a few hours to a couple of days long. It is designed to give people the opportunity to experience malware in comfort and safety, says current custodian Jon Carpenter, an anti-malware competitive review manager at McAfee Labs. Mr. Carpenter has been working with the Malware Experience for almost a decade, and has been building new versions of it, to reflect the current malware universe, for the last five or six years.
At McAfee's recent Focus 2011 conference, Mr. Carpenter and Labs colleague Toralv Dirro presented a truncated version of the Experience to members of the media.
During the class, you become both a bad guy and his victim. You work on a laptop that is carefully isolated from any available networks and with external storage disabled (you are, after all, working with live malware, and don’t want it to escape). It contains three virtual machines (VMs): the victim's computer, a compromised web server, and the attacker's PC.
Then you unleash your inner hacker. Working from a script, you first construct the trap, configuring the web server with a Trojan horse – a program that performs a benign or useful function while sneakily installing malware on the victim’s machine in the background. It is housed on a website crafted to resemble a known site – in this case, an anti-virus vendor's site. So far, so good.
Next, you bait the hook by composing an e-mail to the victim, in the guise of a promotion for a free anti-malware tool. This will persuade the user to download the Trojan.
Then the scenario flips, and you become the victim.
Being a trusting soul, you open the e-mail on the victim VM and see the link to what you think is your anti-malware vendor’s website. A sharp-eyed person might notice, while hovering the cursor over the link, that the URL is slightly different from the legitimate vendor URL, but hackers usually count on the fact that the message looks convincing enough that a large percentage of recipients will click through.
That starts the download of your Trojan, which has been given the same name as the real anti-virus program.
Since you, as victim, have willingly downloaded the fake anti-virus program, you then run it (your system is virus-free, it says – how nice – a total lie, since it just installed the attacker’s malware), and the hackers immediately have another computer under their control.
Yes, it really is that easy.
Now that the victim’s computer is your slave, you as hacker can have some fun. You can pop back to the attacker machine and explore the command and control console for your malware to discover what mischief it can perform. For example, there’s a keylogger to capture every keystroke your victim types (very handy for grabbing passwords and credit card numbers). The next item in the script is even more insidious: you’re going to silently install another piece of malware, the Zeus Trojan, on your victim’s machine.
This time the victim has to do nothing. All the attacker needs to do is set up the configuration script for your malware, then instruct the first Trojan to install it on the target system. In a few minutes, the malware will report whether it was correctly installed and you’re ready to wreak more havoc.
Let’s say you want to steal the victim’s Facebook credentials. On the attacker machine, it’s a matter of entering the URL you want monitored, letting the malware synch with the victim’s machine, then sitting back and waiting.
Soon, everything you need to know if you wanted to hijack the victim’s account is now at your fingertips, and the victim is none the wiser.
The Malware Experience includes a few more tricks as well, such as redirecting the victim’s surfing to a malicious website.
“We want to make people aware of what’s possible, but not to encourage them to try it,” explains Mr. Carpenter. “It’s all about raising awareness.”
And raise awareness he has, by presenting the class to members of the media, university students, police forces, and even the British House of Lords, to demonstrate how easy it is for computers to become infected.
Mr. Carpenter then points out ways to stay infection-free, such as not clicking on links in unsolicited e-mails, and examining links to ensure the site name is spelled correctly (slight misspellings are easy to miss, and can lead to malicious sites).
“I’m a firm believer in finding the weakest link,” he says. “It’s important that users are aware of the risks. The [anti-malware]industry tries hard to make users aware.”