Curse of the Were-Laptop

Richmond, Virginia - Sunday 8:00 PM ET

The storm outside sent wave after wave of heavy raindrops that banged on the large window, trickling down into the garden bushes below. Distant thunderclaps rolled, making the glass vibrate every other minute, each one preceded by a bright flash of lightning that lit Jack's study.

Jack was browsing the Internet, several web pages open on his laptop display. He was scanning the latest private messages in his favorite social network website; one of them was from Sarah, his good friend back from the college days, saying something about a cool video he must watch.

Clicking on the link in the private message made a new page open. Jack immediately recognized the website's logo - it was a popular video sharing site – and waited for the video clip titled 'something funny' to load.

After about ten seconds, a message came up saying the video clip cannot be loaded since the Flash movie program was out of date. The message helpfully suggested running an update, and Jack didn't think twice before hitting the "Run" button.

The room filled with the blinding flare of lightning, immediately followed by roaring thunder that shook the window glass.

Thirty seconds later, the download process ended and now the video was running just fine. It wasn't that funny – actually, it was pretty bad slapstick. What did Sarah have in mind?

Almaty, Kazakhstan – Monday 07:05 KET

The Zeus Trojan server was crunching the incoming traffic. Information from more than 500 computers, out of over 7,000 infected by this particular strain of Zeus operated by a gang of cyber criminals, was flowing in simultaneously.

One specific request came from an IP address in Virginia, US. Since this was a new device, the server opened a new record in the 'users' table for further tracking. A lot of data started to flow in from this new device into the unstructured database: social network data, URLs browsed in a popular news website, access credentials for a well known virtual world - all of these were filed for possible future use… But now came something much more interesting, triggering the structured data indexing script.

Richmond, Virginia - Sunday 10:30 PM ET

Jack blinked at the page. Other than a user name and password, the bank was now asking for his ATM PIN code. This looked a little odd; why would the bank ask that?

Slightly suspicious, Jack looked carefully at the website address, but it was the real URL. Just to make sure, he double clicked on the small yellow lock, which presented the genuine certificate of the bank.

Sighing to himself, he typed the PIN code, filled the regular login information and clicked submit. He was immediately let inside. Perhaps this is a new requirement, he thought, and then went on to check his balance and last month's transactions.

"Honey, I see a 250 dollar check from last week in the statement. Who was this for?" shouted Jack, hoping his voice would carry to the bedroom, beating both the raindrops and the sound of the TV reality show that was playing in the background.

"Wasn't it for your sister? The new baby carriage?" came the faint response.

"Oh, right", said Jack. He always went in to check his online banking on Sunday evenings. This way if there was anything he wanted done, he could call the bank first thing Monday morning. But now everything seemed in order.

"Are you coming dear? If you'll watch the show with me for ten minutes I promise to let you watch the game all night!"

Jack grinned. Sounds like a good deal… He folded the laptop, putting it in the nice black case his wife bought him recently for his new promotion.

Somewhere in Virginia - Monday 7:45 AM ET

Surveillance cameras watched the Honda SUV as it approached the main gate. Jack nodded to the guard, opened the window and waved his RFID access tag in front of the new security device implemented earlier this year. He smiled at the small face capture camera, heard the friendly beep and saw the guard nod back. Closing the window, he muttered to himself something about the ridiculous amount of security he had to go through these days.

Driving straight to his designated parking spot, Jack got out of the car. Carrying the laptop case with him, he disappeared into the vast steel and glass building.

* * *

We all know about Lycanthropy, the mythical disease in which victims are bitten by werewolves and develop the nasty habit of turning into beasts every full moon. They can live for years without realizing they have been infected by a curse.

Today, laptops all over the world have two faces. By day they are plugged into the corporate network, protected by the latest technology. But at night their owners connect them to private broadband, where many predators await.

When a laptop gets infected at home by a Trojan, it poses a unique risk. It becomes a Were-Laptop: an unsuspecting carrier of a hidden curse.

Its owner, unaware of the danger, can take the Were-Laptop with him or her, walk through the office doors, and plug it into the network.

And then you have a Trojan behind corporate firewalls.

Laptops are one way in: VPN access through home desktops is another. A typical scenario is this: the consumer surfs the web with her unpatched home computer, goes to a "drive by download" infection site, and gets infected automatically. Later on she'll connect to the VPN; the Trojan will record everything, and the fraudster might even use the device as a transparent proxy into the network, a controlled robot that can now penetrate the depths of the corporate applications. Once the user logs out of the VPN, the Trojan can transmit the data securely without leaving any trace inside the network.

It's almost as if online criminals have completed a full circle. Ten years ago, they tried to hack into the enterprise, but the industry responded with firewalls and intrusion detection systems.

Seeing that network security is too difficult to breach, fraudsters turned to a much less protected target: the consumer. Phishing, Trojans and other attack vectors became a money making machine.

Now that online banking and eCommerce security is getting stronger, the fraudsters will have to turn elsewhere, and reach the exact same conclusion. The enterprise network is too difficult to breach; let’s attack the users. Byron Acohido's article in USA Today demonstrates some of the precision attacks cyber criminals and industrial spies stage against corporate resources; but this is just the tip of a very large iceberg.

Today we know that thousands of corporate resources have been compromised. We know certain Trojans already have specific triggers for VPN and access management systems, so they start recording as soon as the employee is logged in.

We also know that a vast amount of corporate data – VPN access codes, internal systems passwords, and even emails, reports and files – has already been siphoned out of the enterprise and resides in Trojan motherships around the world. We are talking about data from every major corporation: hardly anyone is entirely immune.

This is enough to cause real damage if anyone is interested in the data – good old industrial espionage or foreign power intelligence. But a bigger threat will come when more sophisticated hackers use the employee end point as an access point to the network, and start exploring around. I'll let those of you with criminal minds suggest what a hacker can do within your organization.

So why hasn't this hidden curse materialized yet?

That's because, at the moment, the Trojan operators have not found the right market for the stolen data and the compromised end-point. The Dark Cloud is almost entirely focused on financial gain: online banking credentials, credit cards, identity theft. There's no developed market, no available monetization channels for blueprints, reports and corporate access points.

But sooner or later, fraudsters will realize they are inside the firewall. They'll wake up and say: hey, how cool is that? And who is interested in this precious asset?

And although today monetizing access to corporate resources is a generally unknown practice in the consumer-focused eCrime world, fraudsters at large will figure it out.

They always do.

* * *

Where did Jack just enter? Is it a large corporation that handles many business or consumer accounts? A financial services company? A high-security laboratory involved in classified research? A critical infrastructure provider? A government complex? A military compound?

Whichever the case, Jack is going to walk up to his desk, put the laptop in the docking station, provide the Windows access credentials and sit back in his chair, getting ready for another week of hard work.

The very laptop that was infected by Zeus a few hours ago.

The Were-Laptop.

It's no coincidence that I posted this on the day that New Moon from the Twilight Saga opened in theaters.

Comments

security

Hello, let's discuss about ecommerce in the USA. In the U.S., every city, county and state has its own separate sales tax with differing rates, limits and deadlines. This means ecommerce merchants who sell their products or services in the U.S. could therefore be subject to all of these taxing districts. So how are online merchants able to collect their payments of sales tax with the varying sales taxes? regards hazz.hazz

- clie78782329
usa blogs

Hello, this is about online payment. There is a massive change underway in the mobile media market as it becomes unshackled from the operators' portals that have dominated it for a decade, all without having made any significant inroads into the content use of mobile users. The new capped data packages, fuelled by further competition, will see a total revamp of the mobile media market. It will no longer be based on portals but on direct services by content and services providers via open source phones and mobile-friendly Internet-based services. The next step is the continued emergence of m-commerce and in particular m-payment services. regards hazz.hazz

- cli820461277