Crimeware
The term crimeware was first used by Peter Cassidy [2]. It describes a type of computer program that
tries to access a person's personal information for the benefit of the software's creator.
This type of software is quite different from other kinds of unwanted software (such as spyware,
adware, etc.) since it can actually compromise a person's identity (identity theft). Crimeware and
identity theft over the internet are growing and becoming a serious and very large threat across
the globe.
The following graph is just one example of the growing threat that crimeware is becoming.
This graph shows the number of unique keyloggers (just one of the many types of crimeware)
that appeared over the course of a year, from 2005 to 2006. [1]
There are multiple types of crimeware. The more common types that will be looked at include:
- Keyloggers
- Email / Instant Messaging Redirects
- Session Hijackers
- Web Trojans
A keylogger is a type of crimeware that records the keystrokes of the user. With this,
the attacker tries to log a user's passwords in order to access financial information, a user's credit card numbers, etc.
The keystroke logs that are actually sent back to the attacker usually contain only the keystrokes
that were logged while the victim was visiting targeted sites, such as financial institutions and
corporate VPNs. As already seen above, unique keyloggers are on the rise. [1][3]
Email and instant messaging redirectors are programs used to send emails or instant
message transcripts to an unintended account that the attacker has access to. These methods are
usually used by attackers to seek personal or corporate information. The following is an example
of such a program. [1]
Source: Websense/APWG[1]
Session hijacking is a term used when a user who legitimately logs into his or her
account then has that session "hijacked". Once the user is logged in, malicious software
already on the user's system can perform tasks such as money transactions without the user's
authority. [1][3]
Web trojans are programs that collect user information by tricking the user into thinking
they are entering their information into a website, when in fact the information is being entered
locally and then transferred to the attacker. [1][3]
There are many methods that attackers can use to distribute their crimeware to their victims.
Some of the more common methods include:
- Email attachment
- Piggy-backing
- Search engine poisoning
Probably the most common method is the use of an email attachment. Emails that
contain such malicious programs usually have subject lines that sound important to the user.
Often the email is sent from someone the user knows who was also affected by this piece of crimeware,
which can go through a user's address book and send unauthorized emails to everyone listed there.
Once the user opens such an email, the software automatically infects the computer. [1]
Piggy-backing is another very common type of crimeware distribution. Many times software
that appears to provide some practical function will be downloaded and installed by the user.
Regardless of whether this software provides the listed functionality, it may have malicious code embedded in it.
This is often how spyware, adware, etc. are spread. [1]
Search engine poisoning is another method of crimeware distribution. A report released by
Sunbelt reported some disturbing information about search engines, in particular Microsoft's
search engine. Using very common search terms for banks and other lenders produced search results
that led to malicious sites. Upon entering these sites, even though they may appear official, they may
silently download malicious software through ActiveX. [4]
Measures that the user can put in place to try to reduce the installation of crimeware
on their computer include:
- Spam filters to remove possibly infected emails.
- Allow only certified code to execute. This however may have drawbacks, as not all uncertified code is malicious.
- Specialized software can be used to stop important information from being removed from the computer.
- Keystrokes can be encrypted using secure methods at the hardware level.
- Interfere with the communication to the attacker, by using products that try to sniff traffic for the compromise of personal information, or by using encryption that only has meaning to the intended recipient of the information. [1]
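As an added illustration of the first measure above (this is example code, not code from the original page or from the reports it cites), the following Python scans constructed sample emails for attachments that Windows would run directly when "opened". It flags both a telling file extension (including a double extension such as statement.pdf.exe) and an attachment whose bytes begin with the PE "MZ" signature despite a harmless-looking name; every address, subject and filename here is made up.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly when the user double-clicks the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for attachments a mail filter should quarantine."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Only the last extension matters: "statement.pdf.exe" is an .exe.
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable extension"))
        elif payload[:2] == b"MZ":
            # A PE image renamed to look like a document still starts with "MZ".
            findings.append((name, "PE header with non-executable name"))
    return findings


def build_sample(filename: str, data: bytes) -> bytes:
    """Construct a sample message (made-up addresses) carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Important: please review"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed inputs: a disguised .exe, a renamed PE image, and a real-looking PDF.
    for fname, body in [("statement.pdf.exe", b"MZ\x90\x00"),
                        ("statement.pdf", b"MZ\x90\x00"),
                        ("report.pdf", b"%PDF-1.4")]:
        print(fname, attachment_findings(build_sample(fname, body)))
```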
[1] The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond. US Department of Homeland Security,
SRI International Theft Technology Council and the Anti-Phishing Working Group. October 2006. http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf
[2] Crimeware. Wikipedia. http://en.wikipedia.org/wiki/Crimeware
[3] Crimeware. SearchSecurity.com. http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci1095413,00.html
[4] Comiotto, Brulez. Phishing and Crimeware Map. Websense. http://www.websense.com/securitylabs/charts/threatmap.php?daterange=lastyear&attacktype=2
Developer: Anthony Petta
Date of Last Revision: April 5, 2007