Final part of Moxie Marlinspike’s Defcon talk outlines the alternatives of current CA system: ‘Perspectives’ and ‘Convergence’ projects.

‘Perspectives’ model

So, let’s talk about things that I’m a little bit more inspired by. There’s a project called ‘Perspectives’ which came out of Carnegie Mellon University, and it was done by Dan Wendlandt, David G. Andersen and Adrian Perrig. It was originally a paper that was published on using multi-path probing in order to provide authenticity for SSH¹ and SSL. And the concept is fundamentally about Perspective.

Basic premise of ‘Perspectives’ model

CA version of Perspective

Now, Perspective – one that was released – came with an implementation, but the implementation was kind of limited. It was initially designed for self-signed certificates, and so it has had some challenges.

And the last problem is responsiveness. Perspectives suffer from this idea of ‘Notary lag’. What would happen is you get a certificate, you contact a Notary and you say “Hey, what do you see for PayPal.com?” And the Notary would make a connection to PayPal.com and see the certificate. The problem is that the Notary would cache the response so that it wasn’t constantly having a connection to all of these sites, and then just periodically at some interval pull the site – you know, like once a day or something like that – all the sites that it had certificates for, in order to see whether the site had switched to a different certificate. The problem is that if a site did switch to a different certificate, your responses from the Notary would be invalid for duration of the transaction.

‘Convergence’ model

So, what I’ve done is I’ve taken this concept of using Perspective and I’ve built on it to create a system that I call ‘Convergence’. Convergence is a new protocol, a new client implementation and a new server implementation of this concept. The first thing that we do is trying to address the Perspective’s challenges. We eliminate Notary lag – basically, when you contact a Notary you also send what you saw. So now, the Notary doesn’t have to do any pulling, it just has to contact the server in the case of the cache miss or cache mismatch – so there’s no more Notary lag.

Notary bounce

Convergence is a Firefox add-on, and it looks exactly like the normal Firefox experience, the only difference is that in the upper right-hand corner you get this little Convergence button (see image). If you click this button and enable Convergence, you are completely divorced from the CA system. Everything – foreground content, background content, the certificate authority’s certificates in your web browser – are completely ignored. Everything looks exactly the same, the only difference is that normally when you visit a secure site and you put your mouse over the favicon, you’ll see a little tooltip about who has certified this communication – the only difference with Convergence is we are taking the certificate authorities completely out of the picture, everything else works the same.

The Notary implementation is available for the open source, anybody can run their own Notary, it requires very little resources, and it’s designed to be extensible. The protocol is a REST² protocol, and the idea is to design a protocol that would support a number of different back-ends. So by default, the default back-end for the Notary is to use network perspective, but you could write any number of other back-ends for the Notary, for instance if you like DNSSEC, the Notary could do DNSSEC to validate the certificate on the back-end, you wouldn’t have to use network perspective. If you’re crazy, you could use CA signatures to validate certificates. You could even use Notaries as front ends to other services, like a Notary front end to the EFF’s ‘SSL Observatory’ which the EFF has volunteered to run. And you configure Notaries that do different things, you can have a set of trusted Notaries, each one does a different thing. And Convergence implementation also has a threshold that you can set on what percentage of the Notaries have to agree in order for them to be sure and meet this consensus. What this means is that with the current CA system you have a certain number of certificate authorities, and if one of them is a bad actor – you’re completely out of luck. And we’re inverting that here, where the more authorities that you have, the more Notaries that you configure – the better off you are, because it means that all of them have to be in cahoots to misbehave or intercept your SSL communication. We have full trust agility, if we don’t like one of these people, we can just remove it, and there are no complications, everything continues to work exactly as it normally would, nothing breaks. And if you like, you could replace it with a different one that does the same thing because you think they’re more trustworthy.

Other nice things here are that the servers do nothing. You know, people don’t have to make any changes, which means we don’t have to migrate the Internet to anything else. All we have to do is implement Convergence in the four major browsers – and be done. That would be it, that would be the end of the CA system right there. We don’t have to make any changes across the Internet anywhere else. Other nice things are you don’t get any more self-signed certificate warnings; the concept of the self-signed certificate does not exist in the Convergence system. Certificates are certificates – that’s it.

‘Untrusted Connection’ Firefox warning

The other problem right now is captive portals, so if you’re running Convergence right now and you’re like in an airport or in a hotel, you know, you want to connect to the Internet and you get redirected to this captive portal where you have to type in your credit card number before you can actually access the Internet. Now, you want to secure this connection with the captive portal, but the captive portal’s not letting Internet traffic out, so you can’t contact your Notaries. So right now, you have to actually just unclick Convergence in order to deal with this thing, but the good news is that almost always in these captive portal situations we only have to build a Convergence protocol over DNS, and it will work in a captive portal situation.

You can download the software I listed on convergence.io – try it out, it’s a Beta. Look at the server stuff if you want to run a Notary, set one up; talk to people who might trust you and ask them to configure you as a Notary. Even if you’re not going to try Convergence, you’re not into it, the one question that I want to leave you with here today is whenever someone is proposing another authenticity system, I think the question that we should all ask is “Who do we have to trust, and for how long?”. If the answer is “A prescribed set of people, forever” – proceed with caution. In the meantime, try Convergence. Thank you.

¹ – SSH (Secure Shell) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively)

² – REST (representational state transfer) is an approach for getting information content from a website by reading a designated web page that contains an XML (Extensible Markup Language) file describing and including the desired content.

Moxie moves on with his Defcon talk to introduce and explain the notion of trust agility and outline trust requirements under DNSSEC¹ authenticity model.

I think it’s a good idea to look back at what happened to Comodo. Well… nothing happened to Comodo. But why? Why did nothing happen? What could we have done? If I decide that I don’t trust Comodo – and I don’t – the very best thing that I can do is remove them from the trust database (trustdb) in my web browser; I could say, okay, they are no longer a trusted authority. The problem is that if I do that, somewhere between a quarter and a fifth of the Internet just disappears, totally breaks, I can’t visit those sites anymore. And sure I could take an ideological stance to never visit those sites again because they are mixed up in the Comodo cabal of whatever, but really that’s no appropriate response. And the thing to remember is that this is as true for browser vendors as it is for you or me: you know, a browser vendor cannot remove Comodo from their trust database, because they’re just gonna be breaking somewhere between a quarter and a fifth of the Internet for all of their users. They are in the exact same situation that you and I are. The truth is that somewhere along the line we need a decision to trust Comodo, and now we are locked into trusting them forever.

Trust agility

Right now, there’s this idea it’s a scoping problem, that VeriSign and Comodo are in the same scope and that if we just separated this scope, then if VeriSign did something particularly egregious, a site like Facebook could switch to a different certificate authority, and this would actually have some significance because VeriSign would be unable to continue signing certificates for Facebook, which is currently not the case. But, you know, I think if it’s been a struggle to get websites to deploy https for SSL, to begin with – it seems a little bit farfetched to think they’re going to continue making really active decisions in our best interests. And what’s worse in this increasingly globalized world, it doesn’t seem like it’s really possible to make trust decision for everybody; that, you know, different people live in different context with different threats, have different needs and probably trust different individuals. And so, what’s more, it’s our data that’s at risk – not the site administrator, not the company that’s operating this web service. It’s the users’ data, and I feel like it should be the users or the browsers who could decide who to trust.

Model where the user initiates trust transaction

Server’s certificate obtained directly from DNS record

Now, this scheme has a really immediate appeal, and I think it’s because people tend to mentally associate DNS with the word ‘distributed’, and ‘distributed’ sounds really good right now, it sounds like exactly what we need. After suffering under the centralized yoke of certificate authorities for all these years, it would feel good to just wipe them off the page or replace them with a distributed system instead.

But when you start to look closely at the way that DNS works and DNSSEC works, it’s information that is distributed, the information in the DNS records is distributed across the various zones on the Internet. But the trust is incredibly centralized and hierarchical, and this is actually exactly how the CA system works today, right? The information, the certificates are distributed across the web servers of the sites that are serving them on the Internet, and the trust is highly centralized in this hierarchy of certificate authorities.

The second class of people that we have to trust here are the TLDs – these are the companies that manage the top-level domains. So, in the case of .com and .net – the largest TLDs on the Internet – the company that manages those is VeriSign: same player, same game. If you look at other TLDs like .org and .edu, the companies that manage them are probably not companies that you’ve ever heard of. I would at least suggest that if you were to think who’s a really trustworthy company, who really has a strong sense of integrity, these companies are probably not the first that would come to mind. Take a minute to look at the organizations that manage the other TLDs and look at the executive boards, look at the people managing operations and ask yourself – are these the people that I want to trust with all of my secure communication in the future? There’s also the country code top-level domains, so does everyone that’s using TLDs like .io, .cc, .ly trust the corresponding governments for these countries to secure all of their communication? What about TLDs like .ir and .cn? Should the citizens of these countries have to trust their governments with all of their secure communication to local sites? You know, we’ve seen the current picture of what countries around the world are capable of intercepting secure communication based on the EFF ‘SSL Observatory’ data. That picture would encompass pretty much all the countries in the world under DNSSEC. And if the recent domain seizures are an indication of the future, it seems like these TLDs could be dangerous.

And the third class of the people that we have to trust here is the root, and that’s ICANN³. While ICANN has made a great effort to be a sort of global organization, as far as I know – and I could be wrong – fundamentally, they’re just a California 501(c)(3) non-profit, which, as far as I know, means that they have to abide by laws in the United States. And, you know, this legislation that’s been coming up recently, like COICA⁴, PROTECT IP⁵ and this kinda thing – to me a real lesson here isn’t whether this passes or not, because there’s been some kind of heroic efforts to prevent this legislation from going through, but I think the thing to take away from this is that they’re trying to pass legislation that messes with this stuff, and maybe one day they’ll succeed, and I think ICANN would be subject to regulation in that case.

The worst part about all of these organizations is that this system actually means reduced trust agility; that today – even as unrealistic as it might be – I could still choose to remove VeriSign from my list of trusted certificate authorities, but there’s nothing that I can do to stop VeriSign from being the company that manages the .com and .net TLDs. So if we sign up to trust these people, we’re signing up not to trust them just now, but forever, regardless of whether they should continue to warrant our trust, with no ability to change our mind about whether we should continue trusting them, without any incentives to continue behaving appropriately.

Read next: SSL and the future of authenticity 4: Perspectives and Convergence models
 

¹ – DNSSEC (Domain Name System Security Extensions) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

² – NGO (Non-governmental organization) is a legally constituted organization created by natural or legal persons that operates independently from any form of government.

³ – ICANN (Internet Corporation for Assigned Names and Numbers ) is a nonprofit private organization headquartered in the United States, that was created to oversee a number of Internet-related tasks previously performed directly on behalf of the U.S. government by other organizations, notably the Internet Assigned Numbers Authority (IANA), which ICANN now operates.

⁴ – COICA (Combating Online Infringement and Counterfeits Act) was a bill introduced by Senator Patrick Leahy on September 20, 2010. It proposes amendments to Chapter 113 of Title 18 of the United States Code that would authorize the Attorney General to bring action against any domain name found “dedicated to infringing activities”, as defined within the text of the bill.

⁵ – PROTECT IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA) is a proposed law with the stated goal of giving the U.S. government and copyright holders additional tools to curb access to “rogue websites dedicated to infringing on counterfeit goods”, especially those registered outside the U.S.

Second part of Moxie Marlinspike’s presentation dedicated to the authenticity component of a secure protocol and the general perceptions of SSL problems.

Secure connection intercepted by attacker

Authenticity is important of course, because normally, if you establish a secure session with a website, the problem is that if you don’t have authenticity, someone could have intercepted your connection to that website to establish a secure session with you – they make their own secure session with the website and just shuttle data back and forth, logging it in between (see image). But what’s easy to forget is that a man-in-the-middle attack was entirely theoretical in 1994 or 1995. The network tools didn’t exist, this wasn’t the kind of thing that was actively happening, this was thought of as an academic thing. You know, it’s like – oh well, there’s this other thing called the man-in-the-middle attack, and we need to design something theoretically to prevent against that.

And so the designers came up with a solution that was certificates and certificate authorities, where every site has a certificate and it’s known to be authentic because it’s signed by a certificate authority which is just some organization that we’ve decided to trust. I have this hypothesis that we’ve outrun the circumstances in which SSL was originally imagined, and that it’s a different world today.

Kipp Hickman - the man who designed SSL protocol

And then I thought – well, I wonder if that’s true, I wonder what they were actually thinking. And so I thought – well, I should talk to the people who designed SSL. I did some research and I figured out that SSL was originally designed by this guy Kipp Hickman who was a Netscape employee back in the day, and the last thing that Kipp Hickman posted to the Internet was in 1995. It was difficult to find him, you know, I talked to some people at Netscape who would point me in the right direction, and eventually I tracked him down, I basically just cold-called him. You know, I talked to him on the phone, and he’s a great guy. He was like “Oh, SSL! Yeah, I haven’t thought about that in a long time!” Yeah, okay, you know… I was like “So, certificate authorities was the deal”, and he said “Oh, that whole authenticity thing… We just threw that in at the end. We were designing SSL to prevent passive attacks¹ for the most part, you know. We heard about this thing – the man-in-the-middle attack – and so we just threw that in at the end”. He’s like “Really, that whole thing with certificates, it was a bit of a hand wave. We didn’t think it was gonna work, we didn’t know”.

Domain names global count graph (1994-2012)

The idea back then – you could say it made sense. If you look at the number of domain names on the Internet back in 1994, when that number is approaching zero (see graph), you know, it made sense that, okay, maybe you have 10 sites that you could identify as secure sites, so you have one organization that just looks at those 10 sites really carefully and makes a decision and signs the certificates. But, you know, if you try and scale that up over time to today when there’s almost a billion domain names on the Internet – and ideally, we’d like all of them to be secure – it seems a little bit unrealistic to think we’re gonna have an organization or even a set of organizations that’s gonna look appropriately, closely at all of these domain names.

So I asked Kipp about how they saw the scaling over time. He’s like “Oh, the scaling – we didn’t really think about that, because you got to remember that at the time this was designed, Yahoo! was a web page with 30 links on it – that’s what Yahoo! was.” Yeah, that’s different.

And history has really born us out. I’ve been analyzing all the possible problems with SSL that have dropped up in the past. There have been some issues with secrecy and integrity, but this managed to sort of squeak by over time. There have also been some problems with user interaction – these are things like ‘SSLstrip’. But in terms of the protocol itself, the stuff about the authenticity piece has been where all the real problems are. And I think, you know, looking back at the Comodo thing, your lesson from these events shouldn’t be that this was cyber war, because I think, pretty clearly, it wasn’t.

Eddy Nigg got mozilla.com certificate with no validation

But this is happening every day – that’s the real story. You know, one of these domains the attacker got – login.live.com – I mean, we should remember that Mike Zusman got this just by asking for it. He didn’t have to export functions from .dlls or whatever – he just sent in a request. Eddy Nigg got mozilla.com with no validation at all, he just asked for it. VeriSign issued a code signing certificate from Microsoft Corporation to attackers that are still unidentified, they were never discovered. I mean, this kinda thing happens all the time. Just recently, I needed to get an SSL certificate, so I went to this website SSL-In-A-Box.com – you know, straight to the bottom of the barrel. It’s one of the things where you have to create an account in order to submit anything. So I go to create an account, and when I click ‘Create’, it just logs me into someone else’s account. I didn’t even try to hack this, I just want a certificate. So, you know, I logged out and tried to create an account again, and it logged me into someone else’s account, and every time I did it, I just got a different account. And the thing is I didn’t even bother emailing them about it because I’m sure that they don’t even care.

GeoTrust provides the option of buying a certificate authority

One of the certificate authorities published the key to their certificate in the public directory of their web server. And the thing is you might be able to understand how it’s possible that someone could have made this mistake, but it’s still there! It’s not like “Oh, crap!” – it’s since 2009 that the key to the certificate has been available to the public.

You don’t even have to hack anybody. If you got the money, you can just buy a certificate authority. You can get a CAcert from GeoTrust² – I think it’s 50 grand (see image). Anybody have 50 grand to spend? You’re on CAcert, intercepting all the communication on the Internet. I really like their iconography in the top-right corner, because it really is just like “We’re giving you the key to the world”. They’re not hiding anything.

Map of countries with CA’s, according to ‘SSL Observatory’ data

And what if this were a state-sponsored hack – this whole Comodo thing? I think it’s worth realizing that the only reason that Iran would have to hack a certificate authority in order to issue certificates is because they don’t have a certificate authority of their own. But many other countries do. The EFF³ put together an excellent project called the ‘SSL Observatory’, where they scan the Internet, and they put together a map of all the countries in the world that are currently capable of issuing certificates and thus intercepting secure communication – and it looks like this (see image). I mean, I don’t know if you can see, but way out in the middle of the Atlantic, there’s a little red speck – that’s Bermuda. Bermuda can issue certificates. The good news is that the vibe around this sort of thing seems to be shifting: from the old vibe of the total ripoff, which I think was the general perception of certificate authorities, to the new vibe of total ripoff and mostly worthless. There’s been a lot of talk about moving forward and replacing certificate authorities with something else, but I think that if we’re gonna do that it makes sense to really accurately identify the problem and figure out what it is that we’re trying to solve so that we don’t end up in the same situation again.

Now, there’ve been a few sort of general perceptions of what the problem might be. The first is people look at the EFF ‘SSL Observatory’ data, so the EFF scan the Internet and they put together a graph of all of the organizations in the world that are currently capable of signing certificates, and it’s a lot of organizations – in fact, it’s 650 different organizations that are currently capable of intercepting communication. And so, I think one simplistic reaction to this is just to say, well, the problem is there’s too many certificate authorities, there’s just too many of them, what we need is fewer certificate authorities. But I feel like this might be a little simplistic. Remember when there was only one (VeriSign), and they could charge as much and do really whatever they wanted? And part of the problem here is really a scaling issue where we’ve gone from maybe 20 secure sites to 2 million secure sites, and ideally we’d like a billion secure sites. You know, it seems like less is not really the answer.

Another idea is that it’s a scoping issue, that the problem is that the authorities are all in the same scope. For instance, the two authorities who can sign certificates and thus intercept secure communication on the Internet today are the Department of Homeland Security and the state of China. Well, the problem is that the DHS can sign Chinese sites and China can sign U.S. sites, and if you just separated the scope so that China could only sign sites in China and the Department of Homeland Security could only sign sites in the United States, everything would be cool. I feel like it’s kind of a low bar. I think there’re plenty of people in China that probably don’t trust the state of China to certify sites even within their country, and likewise I feel there’re plenty people in the United States who don’t trust the Department of Homeland Security to be certifying their communication either.

So what is the answer to this question? What is the problem?

Read next: SSL and the future of authenticity 3: Trust agility concept
 

¹ – Passive attack on a cryptosystem is one in which the cryptanalyst cannot interact with any of the parties involved, attempting to break the system solely based upon observed data (i.e. the ciphertext).

² – GeoTrust is the world’s second largest digital certificate provider, with more than 100,000 customers in over 150 countries.

³ – EFF (Electronic Frontier Foundation) is an international non-profit digital rights advocacy and legal organization based in the United States.

Okay, let’s talk about SSL and the future of authenticity. Really, this talk is about trust, and I wanna start this talk out with a story – it’s kind of a downer, but I feel like it’s illustrative of the situation that we’re in. And the story is about a company called Comodo. They are a certificate authority and, according to Netcraft, they certify somewhere between a quarter and a fifth of the certificates on the Internet today, so it’s the second largest certificate authority in the world.

In March 2011, Comodo was hacked. The attacker was able to make off with a number of certificates – you know, mail.google.com, login.yahoo.com, Skype – basically, everything that the attacker would need to intercept login credentials to all of the popular webmail providers and a few other services. And so immediately after the attack the founder and CEO of Comodo issued a statement, where he said “This [attack] was extremely sophisticated and critically executed… it was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate”. He went on to add that all of the IP addresses involved in the attack were from Iran; you know what this means – cyber. He actually spelled it out, he said “All of the above leads us to one conclusion only: that this was likely to be a state-driven attack”. So he’s painting a pretty complete picture for us here, right? This isn’t just a hack, this is war. Some used to blame Comodo for falling into the full assaults of the state-sponsored invasion, you know, from a cyber army.

And so, ironically it was these statements that really catapulted this story out of the trade press and entered the media. And so a number of reporters called me, and they had the same question: “What does this mean? What can this attacker do?”. And I said “Well, you know, it means they can intercept communication to these websites”. The reporters would say “Well, how? How would they use these certificates to do that?”. I would say “Well, you know, I think that’s commercial solutions, you know, the blue code and a few other kind of scary interception devices out there”. And one of the reporters said “Now, what is the easiest way? What is the most straightforward way that the attacker would leverage these certificates?” And I thought about it and said “Well, the attacker could just use ‘sslsniff’ which is a tool that I wrote to perform man-in-the-middle attacks¹ against SSL connections.

Comodo attacker’s IP address

Server log for Moxie’s website

Hak5 video tutorial on using SSLstrip

So just to break this down for you: on the one hand, we have the CEO of Comodo saying it was a “clinical attack”, and on the other hand you see that the attacker is literally following video tutorials on the Internet. I mean, maybe that was a great video, I don’t know. I haven’t watched it yet. They could have turned it into a clinical attack, or I’m not sure.

And then, there were a number of other sort of embarrassing searches that led them to my same website again and again throughout the day, so I sought a couple of Google search referrers which were things like “SSL protocol mitm howto iptables prerouting”. Apparently, he was having some trouble setting up their IP tables.

So I was kind of chuckling about this to myself. And then, the attacker posted a communiqué, and it could not have been more embarrassing. I mean, he alternated between making these grandiose impossible claims about how he’s hacked RSA and all that stuff, well, simultaneously very proudly declaring that he’s capable of doing extremely trivial things like, you know, he could export functions from .dlls and stuff like that. So this could not have been more embarrassing for really anybody involved – you know, the attacker, Comodo… What is worse, he just wouldn’t shut up! He just kept posting communiqués, each one more embarrassing than the last, and I think he posted six interviews with the press – that stuff was ridiculous.

And so the Comodo founder and CEO responded to these events by making a statement where he said “If there were a Secure and Trusted DNS, this issue would be a moot point! We need a Secure and Trusted DNS!” So this guy has just very enthusiastically declared that he does not understand the business that he’s in. On the one hand, he seems to be suggesting that DNS tampering² is the only way to perform a man-in-the-middle attack, which is just not true; and on the other hand, even if that were true, the reason that we have SSL certificates is to stop man-in-the-middle attacks. If man-in-the-middle attacks weren’t possible, we wouldn’t need the certificates that he’s selling us.

Later that month, they got hacked two more times, and the next month they got hacked again. Now, normally I wouldn’t take this much to be so critical of a company like Comodo, but I think it’s an interesting story because I think there’s an interesting question here, which is “What happened to Comodo?” And after all of this, it couldn’t have been more embarrassing, could not have been worse, really. You know what happened to them? Nothing. The business didn’t suffer, they didn’t lose customers, they didn’t get sued. Really, the only thing that happened to Comodo was that their CEO was named entrepreneur of the year.

If you wanted to use RSA (the algorithm), you had to license the patent from RSA (the company), you had to pay money in order to just even perform this type of cryptography. E-commerce didn’t exist: the idea of transmitting your credit card number over the Internet was totally foreign. There were no such things as web applications really – you know, people weren’t really transmitting their login and password credentials through websites. And the Internet itself was tiny. You know, in 1994 – according to ISC⁴ – there were less than 5 million hosts on the entire Internet. Compare that to today where there’s over 4 billion. At the time, there were probably less than ten ‘secure’ sites that you can think of – less than ten sites that for some reason you wanted traffic to be encrypted to these websites, whereas today there are more than 2 million certificates on the Internet, more than 2 million sites that are using SSL.

At the same time, you know, it’s worth remembering that SSL was developed at Netscape, and this was an environment of really intense pressure. The race was really on then and this is the same place where the series of 4am decisions gave us JavaScript, and we’re still dealing with that today.

So, you know, actually when you look at it, the designers of SSL were actually pretty heroic. They didn’t have a lot to work with, and they were working in circumstances that were totally different from the circumstances today, and yet it served us pretty well. You know, when it comes to these first two things – secrecy and integrity – they did okay, there’ve been some problems and there’re still some problems, but the piece that has always cost a real fortune and is now causing real problems is the authenticity piece.

Read next: SSL and the future of authenticity 2: certificate authorities
 

¹ – Man-in-the-middle attack (MITM attack) is the type of attack where attackers intrude into an existing connection to intercept the exchanged data and inject false information.

² – DNS tampering is the practice of preventing name servers from returning the actual website requested by the user, and instead either showing an error page or explaining that it is blocked.

³ – “Applied Cryptography” is a book published in 1995, detailing how programmers and electronic communications professionals can use cryptography – the technique of enciphering and deciphering messages – to maintain the privacy of computer data.

⁴ – ISC (Internet Systems Consortium, Inc.) is a Delaware-registered, public benefit non-profit corporation dedicated to supporting the infrastructure of the universal connected self-organizing Internet by developing and maintaining core production quality software, protocols, and operations.

⁵ – Netscape (Netscape Communications), formerly known as Netscape Communications Corporation, is a U.S. computer services company, best known for Netscape Navigator, its web browser.

Having talked about the ‘Ill-family’ infections, Lukas Hasik and Jiri Sejtko get down to explaining the peculiarities and distribution patterns of JS:Kroxxu and JS:Prontexi which are the two other widespread types of currently active web malware. Concluding the presentation, the speakers specify some essential measures to be implemented by webmasters and users for evading the consequences of web malware contamination.

JS:Kroxxu description

Jiri Sejtko: The second infection I will talk about is Kroxxu. Kroxxu is a multilayered botnet. It uses only compromised websites to host itself. It comes with indirect cross infection vector, which I will explain later. Kroxxu is a self-reproducing botnet, which means that it distributes password stealers, and the credentials stolen by these password stealers are then used to support the growth of the botnet.

Usual drive-by infection vector

This malware distribution domain is owned and operated by the bad guys only with purpose to distribute malware, and there is no other chance to get into this malware distribution domain without previous redirection.

Lukas Hasik: So, it should be quite easy to block the malware distribution domain when we discover it.

Indirect cross infection: how it works

So it is not as easy to block the targeted domain because all these parts are hosted on the compromised websites. These websites are legitimate, you can’t simply block them.

Active zombie domains lifespan stats

JS:Prontexi description

The third infection I will talk about is Prontexi. It uses a little bit different approach to spread. It uses infected ads. Previous approaches target mainly small websites. Well-known and big websites are usually well secured to be infected that way. Their weak point stands in advertisement. It is the only content the owners cannot influence, and they shift the responsibility for the content to the ad companies. And ad companies probably don’t care about what they are distributing, because in case of Prontexi we have detected on our user base more than 5 million infected ads that redirect users to the malware distribution domains.

Ad poisoning scheme

So, user George is redirected through this fake ad to the malware distribution domain. There is usually more than one malware distribution domain, and fake advertisement services rotate these – that is the reason we call them Rotators. And from these malware distribution domains, user George gets malicious content through the exploit kit.

Prontexi distribution statistics

Lukas Hasik: These are the dates when most people search for some presents, and they usually follow the ads to go to some websites.

Jiri Sejtko: That’s right, but in this case you don’t need to follow the ad. Once the ad is displayed, infection begins. So, that’s all about the three most spreading infections over the last year, and let’s move to the conclusion.

Conclusions

Lukas Hasik: We’ve finally got to our conclusions. So, now you probably know the answer to the question in the name of our presentation: “Am I safe if I browse only known sites?” – actually, the answer is “No”, as you probably know. So you can be sure that the infection comes from everywhere as the bad guys really like legitimate websites, because you don’t expect that the infection can come to your computer from these trustworthy and legitimate websites.

The bad guys also use the advertisement services because it allows them to get to your computer from sites that are visited by a lot of people, or that are operated by some huge companies, because they don’t have control of the advertisement provided through advertisement services.

And we haven’t mentioned the search engines that the bad guys really like to confuse with their blackhat SEO. These are the main channels that they use to get the infection, the exploits to your computer.

So, what should you do at least to keep yourself safe from the infections? The first thing is to keep your operating system and your software up-to-date. The reason is that when your operating system and your software is up-to-date, it will close the security holes for the exploits spread by the bad guys. And of course don’t browse or don’t download the ‘grey’ zone stuff. The infection ratio in the ‘grey’ zone is definitely higher than in the safe zone.

And the last but not the least, you should definitely use some good antivirus software, and when you are using antivirus protection you should not turn it off when an alert appears because you can be almost 100% sure that the website is infected. And if it is a false positive, you can be sure it will be fixed by our virus analysts in hours usually.

During our presentation, we spoke about the trust phenomenon, so one thing that you should remember is that even the most reliable sites can be infected, and sometimes they are really infected by bad guys, because it is the main channel to spread the web infection over to your computer.

Jiri Sejtko: We have seen the bad guys move many parts of infection vectors into the compromised websites, and in case of Kroxxu all of these parts were moved to the compromised websites. Malware authors are quick in adding newly discovered exploits.

So, there are two answers to apply. One is for domain owners – there are some tools, there are some products and services that will help you protect your site and keep it clean. And for users – be paranoid, even the most reliable sites can be infected.

Lukas Hasik: Jiri mentioned it a few times and you have seen it on the graphs that many infected sites remain infected almost forever. Once the site is infected, the web owners or the domain owners don’t remove the infection, or when they remove it they don’t change the credentials, so the bad guys can infect it again and again.

Jiri Sejtko: And some simple steps you should take when you find your website is infected: change your credentials, however it has to be done from a clean computer; remove the infection from your website – remove it from HTTP code, PHP code or SQL database; find the way your website has been hacked, to prevent future attacks; fix the holes in the software used on your server; and of course you may use some protection services that will help you keep your site clean.

¹ – Drive-by download a download that happens without a person’s knowledge, often spyware, a computer virus or malware.

² – Exploit kit is a software pack injected into a compromised or malicious website. It is mostly used to carry out automated ‘drive-by’ attacks in order to distribute malware.

Lukas Hasik: Hi, I am Lukas Hasik and I work as a Quality Assurance Director at Avast Software. Next to me is my colleague Jiri Sejtko who works as Senior Virus Analyst and Researcher at Avast Software too. Avast Software is provider of Avast Antivirus – the antivirus with over 130 million users.

Today we will talk about web infections. So, on our agenda we have a short introduction, and then Jiri will talk about three most widespread web infections in the last year. And at the end we will get to some conclusions.

So, our presentation’s name is “Browsing Known Websites is Safe – True or False?” Most people think that they are safe when they don’t go to the ‘grey’ part of the Internet. This is the part where you can usually download illegal software like some keygens¹, or you can browse some porn websites, or some warez² sites.

So, most of the users think that when they don’t go to this ‘grey’ part of the Internet, when they stay in the ‘safe zone’, how we call it, they cannot get infected. However, it is not completely true. These people trust their websites more than the alerts from the antivirus that they are using or other security software. That is something that we call ‘trust phenomenon’.

Also, the website owners complain first to the antivirus companies that their site has been blocked before checking their HTML code for the infection.

'Trust phenomenon' - explanation

But there is a bunch of bad guys sitting in the ‘grey’ zone of the Internet, who recently infected the website, and user George will not notice it because the website still looks the same. Visually, it is the same website, only the bad guys injected some iframe³ tags or scripts to the web page.

And when user George visits this infected website, the infection gets to his computer through exploits and from his browser. When an antivirus alert appears, he thinks: “Oh my God, what is it? This must be some false positive, I used to go to this website regularly, I’ve been there a hundred times.”

So, we expect that user George turns off the antivirus protection, and this opens a hole to his system for the exploits, and he gets infected. This is the main principle of the web infections, and now we will talk about the most widespread infections in detail.

JS:Ill-family description

Jiri Sejtko: Let’s start with ‘Ill-family’ malware. ‘Ill-family’ has been one of the most widespread infections over the last year. It uses simple iframe tags at the beginning of the attack, and during the attack the bad guys added something new into each new generation, so the injected scripts went to be really anonymous. The web is not the only spreading channel for ‘Ill-family’ malware, but today we will talk only about web infections.

‘Ill-family’ is commonly known as ‘Port 8080’⁴ infections, because injections target malicious servers on Port 8080.

‘Ill-family’ uses the normal infection flow. So, our user George has his own website which he uses for sharing his life ideas, life stories with the rest of the world. He often uses similar web pages, he often searches the Internet, he often reads newspapers. He never goes into the ‘grey’ zone, so he thinks he is safe without any antivirus protection.

'Ill-family' web malware infection flow

One of the basic functions of this malware is to steal credentials. So, credentials for his website are sent to the command & control server. This command & control server is used by bad guys to create new malware distribution domains and of course to infect new innocent websites with new stolen credentials.

Evolution of the 'Ill-family' malware

‘Ill-family’ is very well known for its evolution because the bad guys started using simple HTML tags, simple iframe tags to redirect victims to malware distribution domains. And then, in each new generation they added something new. They added some simple obfuscation, and at the end their scripts, their injections were about 4 kB long (see image).

Lukas Hasik: 4 kB of text? I would definitely notice such long text in my HTML.

'Ill-family' web malware: re-infection rate

On this graph, you see the infection rate showing how active the bad guys are (see image). It actually shows the number of domains: how many times and how many domains were infected with how many variants of ‘Ill-family’ malware. The remarkable point here is 5, so more than 3000 domains have been infected with 5 or more variants of ‘Ill-family’ malware.

Lukas Hasik: So, 3,000 domains were infected 5 or more times? It looks like the bad guys really have their favorite domains.

Jiri Sejtko: Yes, that’s right. It’s more likely domain owners or administrators really don’t know their websites are misused by the bad guys to spread malware, so they don’t care or they don’t know. But this is the point you should care about because many of these websites remain infected forever.

Read next: Browsing Known Sites is Safe – True or False 2: malware distribution
 

¹ – Keygen (key generator) is either a computer program that generates a product licensing key, serial number, or some other registration information necessary to activate a software application, or a program that generates public-key data for cryptographic applications.

² – Warez is a term referring primarily to copyrighted works distributed without fees or royalties, and may be traded, in general violation of copyright law.

³ – iframe (inline frame) is an HTML document embedded inside another HTML document on a website. The IFrame HTML element is often used to insert content from another source, such as an advertisement, into a web page.

⁴ – Port 8080 is a popular alternative to port 80 for offering web services. Its use in a URL requires an explicit “default port override” to request a web browser to connect to port 8080 rather than the http default of port 80.

What is the core reason for the Russian mobile cybercrime’s flourishing? To address this point, Denis Maslennikov explains in detail how a typical SMS Trojan scheme works, and how little it actually takes to register with an affiliate network of that kind and start benefiting from malicious activities. The speaker also outlines the profit issue and the probable future of mobile crime.

The root of all evil

So, I’ve tried to briefly describe the evolution with specific examples, and now let’s go to the root of all this evil and see how Russian mobile cybercriminals actually work.

Interpretation of Konov SMS Trojan's manifest file

The main question of the presentation is still unanswered: why are Russian mobile cybercriminals the happiest ones in the world? Let’s go back to the Konov manifest file (see image). You can see premium-rate numbers and SMS texts there. 10 or 6 dollars per SMS is a normal situation. And, you know, in Russia mobile operators usually act as owners of the premium-rate number. Well, there are such organizations like content providers. They were created to provide rental services for as many people and as many companies as possible.

So, what about ‘epbox 1290’? We can divide this, let’s say, prefix, or SMS text into 2 parts: Renter and Subtenant. The main renter leases ‘epbox’ prefix on the premium-rate numbers 4460 or 5537 from content provider and offers subtenancy services for ‘epbox 1290’ renter.

Hierarchy of ‘epbox’ distributors: renters and subtenants

But who are ‘epbox’ and ‘epbox 1290’ renters? Our ‘epbox’ renter is an affiliate network owner, and ‘epbox 1290’ Renter is one of the many affiliates. Beside ‘epbox 1290’ renter, we can also find ‘epbox M’ subtenant or ‘epbox N’ subtenant – they can also participate in this affiliate network.

And for example, ‘epbox N’ subtenant can offer legal services. For example, the user sends an SMS with the text ‘epbox N’ to the premium-rate number 4460 – and he will receive, for example, a link to download a legal game. ‘epbox M’ subtenant acts like this: if the user sends an SMS with the following text he will receive, say, a link to a .JPEG file. And ‘epbox 1290’ is our mobile cybercriminal.

Affiliate network registration form

So the root of all evil is here – it’s the affiliate network registration form (see image). For example, if I have very nice photos of San Francisco or New York, or Moscow, I can sell them. I can register with the affiliate network and try to sell my photos with the help of premium-rate SMS messages.

If I want to register there I must provide the following information: my name, my email, my website URL where I will post my pictures, website name, and Webmoney account. Webmoney is a Russian electronic money payment system; for instance, if I sell 10 pictures at 10 dollars each, the money will go to my Webmoney account.

In other words, after the registration I will receive my affiliate ID like ‘epbox 1290’ or ‘epbox M’, or something else. And I think you have already noticed that I provide no sensitive data at all. I don’t need to send them the scan of my passport or confirm my identity, or something else. It means that I can act absolutely anonymously. So, that’s the root of all the evil. In Russia it is possible to rent special text or prefix on premium-rate number absolutely anonymously.

Adult affiliate website distributing SMS Trojans

The biggest part of the affiliate websites are porn sites. Porn was always very close to malware in general. This is an example of a typical affiliate website (see image). You can see several porn thumbnails which offer users to download 3gp or mp4 porn videos.

But what is going to happen in reality if the user clicks on one of these links? The user will be redirected to a remote server which checks the referrer and correlates it with the affiliate ID. After that, a JAR¹ constructor which works on the web server will generate an SMS Trojan with the affiliate ID, and the web server will return this SMS Trojan as a porn video to the user. Unfortunately there are thousands of such websites on the web, and almost all of them do spread SMS Trojans that way.

How much do they make?

And now, let’s answer the second main question: how much do they make? But first of all we must see how the revenue is shared between persons and organizations in the following scheme.

Revenue sharing scheme

So, let’s say we have an infected phone, and the phone is infected by SMS Trojan, and this SMS Trojan sends an SMS. Mobile operator will take from 31% to 50% of the cost of the SMS. Content provider will take from 1% to 5% of the cost of the SMS. And finally, the affiliate network owner will take from 1% to 5% of the cost of the SMS. And in the end, the affiliate who actually created this SMS Trojan and spread it will earn from 40% to 67% of the cost of the SMS. So it means if an SMS costs, say, 10 dollars, the affiliate will earn from 4 to 7 dollars from each SMS message.

'Perlag' affiliate network fined: the income calculation

This turned out to be a ‘death penalty’ for Perlag – some time after this screenshot became available, this affiliate network was closed and gone.

And now, I would like to summarize everything we talked about, and let’s see today’s situation in general. Today we have a lot of SMS Trojans for Java 2 Micro Edition platform, for Symbian platform, for Windows Mobile platform, for Android platform, and some of them became really complicated. Cybercriminals are organized now, and such organizations as affiliate networks help them in their so called ‘e-business’. And unfortunately all of them are still unpunished, so that is probably why they feel safe and continue their activities.

I think that you would also agree that all antivirus vendors have problems with detecting Java 2 Micro Edition Trojans on simple mobile phones. In fact, we cannot detect them because it is impossible to create an mobile antivirus for Java 2 Micro Edition platform and simple cell phones.

Today and tomorrow

And today, only Russia and some CIS² countries are targeted by these activities and by SMS Trojans. The only reason of that is legislation loopholes, which allows cybercriminals to rent premium-rate numbers absolutely anonymously. If the situation is not changed, we will be seeing absolutely the same thing.

Affiliate website providing premium-rate numbers

The potential targets of mobile cybercrime are a questionable issue. Why? Not so long ago, on one of the affiliate websites I found the following information about the premium-rate numbers and the cost of each SMS to premium-rate numbers (see screenshot). We can find there some Russian premium-rate numbers, Ukrainian, Kazakhstani, and even Latvian, Lithuanian, Estonian, and maybe even German premium-rate numbers.

And one more content provider allows us to rent U.S. premium-rate numbers from Russia absolutely anonymously. So, we have already seen other types of malware which uses U.S. premium-rate numbers, and this malware was created by Russian cybercriminals and was spread in the U.S. Fortunately, we have not seen mobile malware, but in some cases it is only a matter of time.

So, what should we do in this situation? I think, except detecting mobile malware and providing antivirus database updates, we must surely force some legislation changes in certain countries. In my opinion, mobile cybercriminals are the same cybercriminals – and they must also be punished. And surely, we must educate users and provide more user awareness of this problem.

And again, as a summary: SMS Trojans target mostly single users, not enterprises surely. Social engineering is exploited to a large extent by cybercriminals. In most cases, threats are really easy to remove – sometimes you can go to the phone menu and simply press ‘Delete’ button. And one very positive note is that mobile operators always refund the money if malicious SMS messages were sent. So for example, if you were infected by an SMS Trojan and you somehow noticed that, and the SMS messages were sent, you should write a complaint letter to the mobile operator, and you will get your money back.

¹ – JAR (Java ARchive) is an archive file format typically used to aggregate many Java class files and associated metadata and resources (text, images and so on) into one file to distribute application software or libraries on the Java platform.

² – CIS (Commonwealth of Independent States) is a regional organization whose participating countries are former Soviet Republics, formed during the breakup of the Soviet Union.