The 10 Biggest Security Risks You Don't Know About

Hackers, scammers, and identity thieves are constantly coming up with new ways to attack your PC and your privacy. Here are the newest perils--and how to foil them.

Andrew Brandt

Thursday, June 22, 2006 12:00 PM PDT

Illustration: Steven Lyons

I always patch my system and run regular scans with updated antivirus and antispyware scanners. But while researching this story, I got hit by a Trojan horse (Trojan.Winloginhook.Delf.A) that was too new for my antivirus program to catch. Whether it's a new variant on a familiar foe, like a Trojan horse, or a completely new type of attack, today's threats can leave even the most security conscious among us vulnerable.

There are ways we can minimize our risk, however. The first step in mounting a good defense is to know what's coming at you, so I've compiled a list of ten serious security problems that you need to be aware of. To protect yourself, you should of course know how to keep your PC patched and your antimalware tools current. In addition, I'll provide tips to help you avoid these new dangers, and to contain the damage if you do get hit.

Zombie PC Armies Set to Attack

Danger level: High | Likelihood: High | Target: Windows users

Botnets were once the province of technically adept criminals who used these remote-controlled armies of infected PCs to send spam, launch Internet attacks, or spread spyware. But now even unsophisticated cyberthugs can generate their own botnet and target your PC, thanks to savvier miscreants who create and sell simple tools for that purpose.

Many people have made a business out of building and selling self-contained bot development kits that let potential herders (as individuals who run a botnet are called) direct their own scam. The kits, which cost anywhere from $20 to $3000, permit aspiring criminals to create full-featured botnets and other malicious software, ranging from customizable worms to keyloggers--no techie chops required. "There are tons of [kits]--fifty, sixty, a hundred different ones," says Eric Sites, vice president for research and development at Sunbelt Software, a maker of antispyware programs.

Clever Web Controls

It gets worse. After building a new bot and sending it out to unsuspecting computer users, the wannabe hacker can use sophisticated command-and-control tools to direct the resulting network easily.

Sites's team at Sunbelt, along with the Rapid Response Team at security firm iDefense Labs, has found a new Web-based botnet control they've dubbed Metaphisher. Instead of issuing text commands, herders can use the control's highly graphical user interface, complete with well-designed custom icons and intuitive controls. Point, click, hack.

According to iDefense Labs, Metaphisher-controlled bots have infected more than a million PCs worldwide. The command suite even encrypts communications between itself and the bot herder, and relays information about virtually every aspect of infected PCs to the botmaster--including their geographic location, the Windows security patches installed, and the browsers other than Internet Explorer loaded on each PC.

All these easy-to-use kits and controls undoubtedly contribute to the huge numbers of bot-infected PCs that law enforcement officials have uncovered during recent criminal investigations. For example, Jeanson James Ancheta, a 21-year-old California man, was recently sentenced to 57 months in prison after pleading guilty to violating the federal Computer Fraud and Abuse Act. He had been running a lucrative criminal enterprise based on a botnet with as many as 400,000 infected systems. And three bot herders arrested in the Netherlands last fall are thought to have controlled a staggering 1.5 million zombie PCs.

The low barrier to entry means that even as law enforcement catches some herders, eager newcomers join their ranks every day. "It's amazing how many people get into running botnets just because they see someone else doing it and making money," says Joe Stewart, a senior security researcher at the South Carolina-based firm Lurhq, a provider of managed security services.

How It Works: Quick Bot Deployment With Simple Tools

Illustration: Steven Lyons

  1. A would-be criminal buys a bot-building kit online for a small fee.
  2. With no programming skills, the criminal uses his kit to build a new bot not yet known to antivirus makers.
  3. The criminal sends his new bot out as an e-mail attachment or plants it on malicious Web sites.
  4. The resultant botnet rakes in cash with spam, spyware, and denial-of-service attacks.

Defenses
  1. Avoid unknown sites and don't click links in unsolicited e-mail. Like most malware, bots tend to be distributed in these ways.
  2. Remain suspicious of e-mail attachments, even when a message seems to come from somebody you know. Crooks love to use genuine e-mail addresses in "spoofed" virus-laden e-mail missives.
  3. Consider an alternate browser such as Firefox or Opera. IE has been a favorite hacker target.

Your Stolen Data Free on the Web

Danger level: High | Likelihood: Medium | Target: Windows users

Small-business owner Tim Brown found out his data was on the Web after Sunbelt called him.
Photograph: Eric Myer

It's bad enough when one crook uses a keylogger to steal your bank log-in and passwords. It's much, much worse to have all of your sensitive information sitting in an unprotected FTP site, open to anyone who happens across it.

Unfortunately, that is exactly what security researchers have started seeing over the past year.

Alex Eckelberry of antispyware firm Sunbelt Software showed me one such FTP server that his company had found while investigating a keylogger that wasn't even particularly widespread. The server, based in Washington, D.C., was packed with nearly a gigabyte of credentials stolen during the month of April.

Not only do keyloggers capture anything you type, they can take screen shots of your PC's display, and they can glean data from the Windows Protected Storage area, which is the place where Internet Explorer stores its saved passwords.

One of the log files on the FTP server held pilfered passwords for a number of U.S. banks and for Buy.com, along with Yahoo, Hotmail, and other e-mail account user names and passwords, plus account details for online casinos and a host of other sites. The danger is international: The log records were in myriad languages--German, Spanish, Hungarian, Turkish, and Japanese, among others--and it held IP addresses that pointed to infected computers scattered around the world.

When his company discovered the first cache of keylogger data more than a year ago, Eckelberry says he alerted the banks and companies whose credentials had been scavenged by the logger.

Tim Brown, owner of Kingdom Sewing & Vacuum in Northridge, California, was one recipient of such a call from Sunbelt. He figures that his bank log-in was lifted by a keylogger when he was on a trip to Costa Rica and used a hotel computer to check his account. But his home computers weren't safe, either: "I didn't have any antivirus or spam blockers on my computers," he says. "I do now."

Brown was relatively lucky: He was notified before anyone had used his stolen data, and he immediately changed his account information to protect himself.

Thousands of other potential victims may not be that fortunate. And these days, Sunbelt is uncovering so many data vaults that it can't handle the sheer volume of stolen credentials, so it has stopped contacting individuals and simply reports what it finds to the FBI.

With this much data available, there has been no rush to create new keyloggers, says Sunbelt's Eric Sites. According to the Anti-Phishing Working Group, a business and law enforcement association, there were 180 unique keylogger programs in April, far more than the 77 found in April of last year but a slight drop from the three months prior.

Sites concludes that the maturing malware business is focusing its attention on efficiently processing its cornucopia of stolen information. "The collection and sorting and manipulation of keylogger data [are] getting dropped into SQL databases," he says. "Then [the criminals] can churn through the data to find what they're looking for. Those back-end systems are incredibly complex."

Defenses
  1. Use a firewall that can block unknown programs from communicating with the Net to keep keyloggers from phoning home. The free ZoneAlarm firewall can do this; the built-in Windows XP firewall can't.
  2. Cycle passwords, and don't use the same name and password at multiple sites. For more password tips, read Steve Bass's recent Tips & Tweaks column, "Keep It Secret, Keep It Safe."

Phishers Co-Opt Legitimate Sites

Danger level: High | Likelihood: High | Target: All Internet users

Phishing is one of the most lucrative computer crimes, and it continues to grow rapidly. In April 2006 the number of unique new phishing sites spiked to a record 11,121, almost four times the 2854 sites found in April 2005, according to the most recent report from the Anti-Phishing Working Group.

You might expect phishers' fake sites to be easy to recognize by their amateurish spelling mistakes or broken Web graphics. But these days few phishers try to re-create entire bank-site pages by hand. Instead, modern scammers operate sophisticated server-side software that pulls all of the text, graphics, and links directly from the target bank's live site. All of the queries you input go to the real site--except your log-in data. That choice information goes straight to the bad guys.

Some phishing sites have become so smooth that they can even trap cautious and experienced Web surfers. In their "Why Phishing Works" study published in April, experts at UC Berkeley and Harvard presented test subjects with Web sites and had them look for the fakes. As it turned out, "even in the best-case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate Web site from a spoofed Web site," the report states. "In our study, the best phishing site was able to fool more than 90 percent of participants."

Browser Redirects Below the Radar

The key for the phisher is to inveigle you into visiting the bogus site. You may be well conditioned not to trust an e-mail missive purporting to be from your bank and asking you to click a link to check your account details. But phishers today are adopting more forceful means to push your browser to their sites.

A malware-enabled technique called smart redirection secretly sends your browser to the scammer's Web site even if you manually type your bank's correct Web address into the browser. Malware on your machine monitors the availability of dozens or hundreds of duplicate fake bank sites, hosted on computers around the world, and redirects your browser to an available fake site whenever you attempt to reach your bank. And if authorities subsequently close down one site, the smart redirection software on an infected system simply sends the victim to a destination site that has eluded shutdown.

As long as there's money to be made, criminals will continue to hone their phishing skills and to develop new techniques. And there's plenty of money to be made. "Good, credentialed credit card information sells for $70 a card," says Michael Rothschild of security hardware maker CounterStorm. The phishers can even sell your data twice: "They can sell the credit that's left on the card, and they can sell the identity," he says.

How It Works: Ultraslick Lures Set Out to Catch the Wary

Illustration: Steven Lyons

  1. A well-informed, careful user manually types a bank URL into the browser address bar.
  2. Malware on the computer redirects the user to a live phishing site.
  3. By pulling text and images from the live bank site in real time, the phishing site looks just like the actual thing.
  4. The sophisticated phisher fools even the careful user, who types in his or her bank account log-in.

Defenses
  1. Don't trust an unsolicited e-mail message from any company, no matter how good it looks. The best phishing sites and scam e-mail messages lack obvious flaws.
  2. Type in your bank's URL yourself or use a bookmark; avoid clicking an e-mail link.
  3. Look for a padlock icon, which indicates a secure site, in the browser's toolbar, not the Web page.
  4. Use one of the many available antiphishing toolbars that can warn you when you encounter a known phishing site. Netcraft offers one popular free toolbar; Tom Spring looks at others in his Spam Slayer column "Fight Fraud and Phishing With New Tools."

The Human Security Hole

Illustration: Steven Lyons

Danger level: High | Likelihood: High | Target: All

You can update Windows and each of your applications, and you can use security software to protect your PC, but one constantly exploited weakness can never be patched: human fallibility.

Online villains use an ever-changing array of tricks and traps to lure you in, and they're getting sneakier.

A recent eBay auction trap highlights the effectiveness of good social engineering. According to reports from US-CERT and Internet security companies, clever phishers were using a vulnerability in the eBay site to add auction links to eBay's pages. Those links brought unsuspecting users to a new site that would ask them for their eBay logins. You're no doubt suspicious of random e-mail messages that prompt you to click a link and enter your account information. But if you are prompted after clicking a link on a verifiable eBay page, you just might get caught with your guard down.

Your e-mail gets equal attention. Clever crooks steal or buy e-mail addresses, not to pelt you with spam, but to send out virus-laden messages that appear to originate from a genuine address--without ever infecting the supposed sender. Combined with a list of known e-mail addresses at a particular company, these spoofed e-mail messages allow for carefully crafted and targeted attacks that are far more successful than the net-cast-wide approach used to distribute most malware today. You're likelier to click on a Word document or an e-mail link that appears in a well-worded note from somebody@yourcompany.com.

Spoofed e-mail addresses are also useful in conjunction with such attacks as the recent one that took advantage of a new, zero-day exploit in Microsoft Word. To get hit, all you'd have to do is open a .doc attachment--and why wouldn't you open an e-mail from Bob down the hall?

Criminals know that if they can fool you with an e-mail or top-notch phishing site, they're well on their way to owning your computer. But there's a positive flip side: A well-informed user constitutes the best defense against any Internet attack. Stay educated, and stay safe.

Defenses
  1. Subscribe to security-focused RSS feeds to keep abreast of the latest Internet threats. We recommend the feeds at F-Secure, Kaspersky, and Sophos.
  2. Obtain a wealth of security advice, product reviews, and tips at PCWorld.com's Spyware & Security Info Center.

Crooks Redirect Your Browser to Their Scam Web Sites

Danger level: High | Likelihood: High | Target: Businesses

Odds are, you use Domain Name System servers every day. They translate human-friendly names like "www.pcworld.com" into the numerical IP addresses that computers use to find each other on the Internet. Your ISP has its own DNS server, as do most companies. The Internet can't get by without them.

But more than a million DNS servers around the world--up to 75 percent of all servers, according to networking firm The Measurement Factory--run old or misconfigured DNS software. Such systems are subject to a wide enough range of serious attacks that the SANS Institute, a computer security research and education organization, lists DNS software as one of the top 20 Internet vulnerabilities. For example, it was widely reported that cybercrooks used misconfigured DNS servers in lethal denial-of-service attacks that forced antispam firm Blue Security to shut its doors permanently in May.

Attacks work in several ways. One tactic is "cache poisoning," where an offender can simultaneously target everyone who uses the DNS server. A successful attack tricks a company's or ISP's server into sending everyone who uses it to a phishing or other malicious site. You might type 'www.americanexpress.com' or 'www.yahoo.com', but you will end up at a Web site that installs an arsenal of malware on your computer.

Another lethal ploy: When bad guys send spoofed requests to DNS servers that are recursive, the servers respond by sending answer messages to the intended victim. The responses contain more data than the original requests, which thus magnifies the attack beyond what the crooks could send themselves. The hapless victim is completely overwhelmed by garbage data and can't respond to genuine requests from regular users.

Defense
  1. Ask your company's IT group to make sure your DNS server is not recursive and its software is up-to-date. For more information, consult the US-CERT report.
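
An added example, not part of the original article: one way an administrator could run the check recommended above against a DNS server they operate, by sending a query with the Recursion Desired bit set and reading the reply header. The function names are hypothetical, the sample packets are constructed, and `probe` is meant to be run from outside your own network with a name the server is not authoritative for.

```python
import random
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=None):
    """Build an A-record query for `name` with the Recursion Desired bit set."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!6H", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(query, response):
    """Judge from the reply header whether the server recursed for this client."""
    if len(response) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        raise ValueError("reply does not match the query")
    rcode = flags & 0x000F
    # The server recursed for us if it advertises RA and returned a
    # non-authoritative answer for a name outside its own zones.
    recursed = bool(flags & RA) and not flags & AA and rcode == 0 and ancount > 0
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "recursion_available": bool(flags & RA),
        "answers": ancount,
        "open_recursion": recursed,
        # Reply bytes per query byte: the magnification the article describes.
        "size_ratio": round(len(response) / len(query), 2),
    }


def probe(server, name, timeout=3.0):
    """Send one query to a DNS server you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return classify_response(query, reply)


def constructed_dns_samples():
    """Constructed packets (not captured traffic): a recursive answer and a refusal."""
    query = build_query("example.com", txid=0x1234)
    question = query[12:]
    # One A record: name pointer, TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, 192.0.2.10
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    open_reply = struct.pack("!6H", 0x1234, QR | RD | RA, 1, 1, 0, 0) + question + answer
    refused = struct.pack("!6H", 0x1234, QR | RD | 5, 1, 0, 0, 0) + question
    return query, open_reply, refused


if __name__ == "__main__":
    q, open_reply, refused = constructed_dns_samples()
    print("recursive server:", classify_response(q, open_reply))
    print("locked-down server:", classify_response(q, refused))
```

A server that answers outside clients with `open_recursion` true is the kind the defense above asks IT to fix; a REFUSED reply with no answers is the desired result.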

Rootkits and Viruses Partner Up

Danger level: High | Likelihood: Medium | Target: Windows users

Rootkits are a malware inventor's dream: They allow worms, bots, and other malevolent software to hide in plain sight. The files don't show up in Windows Explorer, the running processes don't display in the Task Manager, and many current antivirus programs can't find rootkit-hidden malware--which is precisely why malware writers increasingly use them to hide malicious apps.

When news broke last November that some Sony music CDs installed rootkit software to hide copy-protection files, gleeful online crooks were quick to follow with malware that exploited Sony's creation to hide their own programs. Sony's software masked any files or running processes that began with "$sys$", so the opportunistic malware writers changed their file names accordingly.

In March, Spain-based antivirus maker Panda Software reported finding variants of the virulent Bagle worm equipped with rootkit functionality. Worse, like producers of botnet programs, rootkit software makers sell tools or give away free ones, so it's even easier for malware authors to build rootkit functionality directly into long-standing software strains like Bagle, or into brand-new malicious creations.

Even as opportunistic criminals use existing rootkits, chilling new possibilities for the software are emerging. For example, security firm eEye discovered it was possible for crooks to hide files in the boot sector of the hard drive. And in January, John Heasman, security consultant for Next-Generation Security Software, announced that rootkits could hide malicious code within a PC's BIOS by using functions in the BIOS's Advanced Configuration and Power Interface feature.

A project run by Microsoft and University of Michigan researchers really blew the lid off rootkit research, devising a method to virtually "jack up" the operating system and then use software called SubVirt to run it from below. As far as the operating system knew, it was running normally, but the "virtual machine" completely controlled everything the OS saw and could easily hide itself.

Fortunately the technique can't be implemented easily, and it tends to offer the user clues, causing a slower-running system and producing certain tell-tale modified files. For now, this extreme kind of rootkit exists only as a proof-of-concept; it should be a long time before malware authors can launch such attacks.

High-Stakes Hide-and-Seek

Simply finding today's relatively less dangerous rootkits is a serious challenge for security software. The art of detection and removal is part engineering, part voodoo, and always difficult.

Detecting a rootkit on a Windows PC is not unlike shining a flashlight at objects in a darkened room, and then trying to identify each object by the shadow it casts on the wall. Specialized software, such as F-Secure's BlackLight and Sysinternals' RootkitRevealer, scans the Windows file system and memory for characteristic irregularities that rootkits leave behind.

But those tools may not work in every case. Recently, the adware program Look2Me effectively broke BlackLight by disabling a key system call. The discovery was accidental, but rootkit makers will undoubtedly pay attention to it in their next round of malware.

How It Works: Cloaked Malware Sets Up Camp on Your PC

Illustration: Steven Lyons

  1. A Trojan horse with rootkit software invades a PC as a drive-by download.
  2. The malware makes deep system changes to hide from antivirus apps.
  3. The camouflaged Trojan horse pulls keyloggers and spyware onto your PC.

Defenses
  1. Look for antivirus software that provides rootkit scanning and removal. Kaspersky's and F-Secure's latest applications have it now; others will likely add it soon.
  2. Use a rootkit detector such as Sysinternals' RootkitRevealer and F-Secure's BlackLight, both free downloads. Other scanners are becoming available; see this month's Privacy Watch for more information.

Viruses Call Up Your Cell Phone

Danger level: Medium | Likelihood: Low (USA), medium (Europe and Asia) | Target: Cell phone and smartphone users

Illustration: Steven Lyons

As if viruses on your PC weren't bad enough, these nasty programs now target your cell phone. Like their computer-based cousins, some mobile viruses wreak havoc by crashing the phone and wrecking its operating system. Others are mere nuisances that change icons and make the device more difficult to use.

Russian malware masquerades as a cell phone browser but runs up SMS fees.

And of course, some are strictly money-minded. A Trojan horse currently infecting Russian phones sends text messages to services that charge the sender a fee.

So far these pests aren't a major problem in the United States, but they are significant threats in Europe and Asia. And a lot of experts think it's just a matter of time before the money-grubbing aggravations arrive on American phones.

Like many real-world biological agents, a cell phone virus typically needs to be physically close to another susceptible phone to make the leap. Computer security experts like Mikko Hyppönen, chief research officer for Finnish antivirus firm F-Secure, often use unsecured phones as bait to see what slithers in. On one London trip, Hyppönen's phone got hit four times via Bluetooth, which has a maximum range of about 30 feet. Bluetooth is the most common--but not the only--vector of infection. The Mabir virus, for example, spreads via SMS messages.

The vast majority of mobile viruses hit phones using the Symbian operating system, but a few go after Windows Mobile- and Java-based phones. Following the discovery of Cabir.A in June 2004, the number of viruses has continued to climb. There were 211 variants as of May 15, 2006, up from 156 at the end of 2005.

Defenses
  1. Disable "open" Bluetooth on your phone or PDA to close down the most common infection route.
  2. Keep a close eye on the itemized part of your cell phone bill for unexpected charges.
  3. Use a mobile antivirus program. F-Secure, Kaspersky, McAfee, and Trend Micro all offer them.

Malware on Your Passport?

Danger level: Medium | Likelihood: Low | Target: Most consumers

Could your passport, a pack of razor blades, or even your pet cat carry a computer virus? It may seem farfetched, but recent findings from a trio of Dutch researchers serve to demonstrate the possibility.

RFID (Radio-Frequency Identification) chips are small, inexpensive devices that can be embedded in stickers and in pet ID tags, and soon they'll show up in driver's licenses and U.S. passports. They're used for electronically transmitting information--say, inventory data for shipping pallets, or your passport number--over short distances.

Though highly useful, some implementations of the RFID technology have security weaknesses. For example, the information on some tags can be rewritten, and other tags can be read from an unusually great distance.

In an attempt to exploit some of these weaknesses, the Dutch university researchers conducted a controversial proof-of-concept study using modified RFID tags and a viruslike command to "infect" the back-end database that stored the tag's records. Theoretically, an RFID system could thus be made to crash or run malicious code--a scary prospect for a critical business or government technology.

Numerous computer security experts have pointed out that a reasonably well-built system with effective "middleware" between the RFID reader and the database probably wouldn't be vulnerable to such an assault. And sensitive RFID chips can use encryption and shielding covers to protect against acquiring an unasked-for malicious payload. The planned U.S. passports will use both measures.

Still, the study illustrates a basic point: Nearly every system has exploitable flaws. Keep an eye on your cat.

Defense
  1. RFID signals can't pass through metal or foil-lined cases. If you carry an RFID security pass, keep it in a metal business-card holder or similar enclosure.

Your Data Held for Ransom

Danger level: Medium | Likelihood: Low | Target: Windows users

It sounds like a plot concocted by Austin Powers' nemesis, Dr. Evil: Get onto your victims' computers, kidnap their files, and hold the data hostage until they pay up. But such attacks, though rare, have occurred all over the world.

Cryzip, one early example of ransomware, searches for 44 different file types (such as Microsoft Word or Excel files) on a hard drive, and compresses them into a password-protected zip file. It then tells the victim to deposit $300 in one of 99 randomly selected e-gold accounts. Once paid off, the criminals provide the victim with the necessary password.

Arhiveus's curt extortion message.

In May, another ransomware application, named Arhiveus, came to light. Rather than directing payment to a potentially traceable e-gold account, it instructed victims to buy prescription drugs from a specific online pharmacy and then send the order ID to the malware author as proof of payment.

"It looks like a Russian-based pharmacy that they're hosting in China," says Lurhq's Joe Stewart. "Appended to [the URL] is what looks like an affiliate ID--they probably get a cut." In his examination of both Cryzip and Arhiveus, Stewart found the necessary passwords to "free" the data embedded within the malware code itself, unencrypted.

Savvy users sometimes get lucky, too. Richmond Mathewson, a software developer from Plovdiv, Bulgaria, managed to rescue most of a friend's data after she found the entire contents of her 'My Documents' folder had vanished, taking with it all her work files, which she hadn't backed up. When he looked at the computer, Mathewson found the simple but chilling Arhiveus ransom note. He saved the day with his networked Mac Mini, a free undelete tool, and about 4 hours' labor. But he says the recovery wasn't complete: "To date, 5 percent of the files are still unrecovered."

Currently, ransomware isn't very sophisticated, and its scope is limited. Besides including the password with the program, Arhiveus dumps all the victim's files into one long file called "EncryptedFiles.als"--but doesn't actually encrypt it.
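
An added example, not part of the original article: how a responder could confirm that a ransomware "container" of this kind is not really encrypted, by measuring byte entropy and looking for intact document signatures inside it. The function names are hypothetical, the sample data is constructed, and the back-to-back file layout is an assumption, since the article does not describe the internal format of EncryptedFiles.als.

```python
import hashlib
import math
from collections import Counter

# Signatures of document types commonly kept in a My Documents folder.
SIGNATURES = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE2 (Word/Excel)",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP",
}


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, much lower for documents."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def window_entropies(blob, size=4096):
    """Entropy of each full window; a trailing partial window is skipped
    because short samples cannot reach high entropy and would skew the result."""
    last_start = max(len(blob) - size + 1, 1)
    return [shannon_entropy(blob[i:i + size]) for i in range(0, last_start, size)]


def find_signatures(blob):
    """Return (offset, type) for every known file signature found in the blob."""
    hits = []
    for magic, label in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, label))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def triage(blob, high=7.5):
    """Classify a suspect container from its entropy profile and embedded headers."""
    entropies = window_entropies(blob)
    high_share = sum(e >= high for e in entropies) / len(entropies)
    hits = find_signatures(blob)
    if hits and high_share < 0.5:
        verdict = "plaintext container"   # files are recoverable by carving
    elif high_share >= 0.9 and not hits:
        verdict = "likely encrypted"      # or compressed; carving will not help
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "signatures": hits, "entropies": entropies}


def constructed_container_samples():
    """Constructed data: two fake documents joined together, and a
    pseudo-random blob standing in for genuinely encrypted content."""
    doc = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"Quarterly report draft. " * 200
    pdf = b"%PDF-1.4\n" + b"Invoice line item, total due. " * 200
    container = doc + pdf  # assumed layout: files stored back to back
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    return container, noise


if __name__ == "__main__":
    container, noise = constructed_container_samples()
    for name, blob in (("container", container), ("noise", noise)):
        result = triage(blob)
        print(name, result["verdict"], result["signatures"])
```

Work on a copy of the file taken from the powered-off disk; the signature offsets mark where each original file starts and are the starting points for carving.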

"The threat is very small to the average user at the moment," says Stewart. "I'd estimate [the number of ransomware infections] to be in the low thousands worldwide.... It doesn't serve these guys' interests to become widespread. If they keep it low-key, and target people who are powerless to do something about it, they're more likely to get paid."

But "this seems to be just the initial phase of the threat," Stewart adds. Like every type of attack, ransomware will evolve as criminals hone their approach. "With Arhiveus testing the waters of mixing ransomware with affiliate product purchases in shady online stores, it could be the start of something bigger."

How It Works: Extortion, Malware-Style

Illustration: Steven Lyons

  1. An unsuspecting user accidentally visits a rigged Web site, and the ransomware Trojan horse slithers into the PC.
  2. The ransomware zips up the entire contents of the My Documents folder into a password-protected file.
  3. The user gets a ransom note demanding money, or a purchase at a particular online store, in return for the password.

Defenses
  1. If you're a victim, go to the police. Don't pay the ransom, and don't visit any links in the ransom note.
  2. Write down the details from any ransom notes or messages, and turn off the infected PC. From an uninfected PC, run a Web search using details from the ransom note. You may be able to find the password online.
  3. Try using an undelete program (our Downloads section offers several free options) to recover your files. However, some files may not be recoverable at all.

No Safe Haven: Threats Plague All Platforms

Danger level: High | Likelihood: Low | Target: Windows, Mac, and Linux users

Illustration: Steven Lyons

Mac and Linux users have been understandably complacent as Windows users suffer a seemingly endless series of attacks that exploit hole after hole in Microsoft's operating system. But these alternative OSes--once considered safe computing havens--increasingly must cope with their own problems.

The Mac is under attack as evildoers aim at the 70-odd reported security holes in OS X. One of these vulnerabilities was exploited in February by the first piece of malware to hit OS X Tiger: the so-called Oompa-loompa instant-messaging worm. And while Internet Explorer users are probably well accustomed to hearing reports of new browser bugs that could allow "remote code execution" (read: giving an attacker control of your PC), Mac users now need to beware as well--the most recent of Apple's three major security patches this year closed one such hole in the Safari browser.

Linux has a case of worms, too; the number of malicious programs targeting that OS doubled between 2004 and 2005. Rootkits, the looming threat for Windows PCs, actually trace back to attacks meant to take surreptitious control of the administrative "root" user on Unix OSes. Also, while being able to run your own personal Web server is part of the open-source draw, doing so can allow crooks to hijack your site or take control of your PC.

The latest twist is cross-platform malware: single programs that can assault two or more types of systems.

A proof-of-concept virus that attacks both Windows and Linux appeared in April. The virus, created by antivirus firm Kaspersky, contains no payload and does no damage. Known variously as Virus.Linux.Bi.a and also Virus.Win32.Bi.a, it infects just a single type of Linux file format (ELF) and a single type of Windows file format (PE). And it's based on old Linux elements that aren't part of newer systems. Still, it was enough of a wake-up call to prompt Linux creator Linus Torvalds to write a fix.

Windows' ubiquitousness means that malware targeting its many security holes has the greatest chance to infect the most PCs. But as alternative operating systems grow in popularity, they become more attractive targets, too.

OS Holes Abound

The number of security advisories issued for the OSes below shows Microsoft is not alone when it comes to vulnerabilities, but Apple seems to patch more promptly.

Defense
  1. Consider using a Mac or Linux antivirus program, such as Panda Antivirus for Linux and Mac products from vendors such as McAfee and Symantec. If nothing else, you'll be a good neighbor and help stem the flow of Windows viruses.
  2. Whatever your OS, keep it fully up-to-date and patched.

Andrew Brandt, contributing editor for PC World, writes the Privacy Watch column.