Rogue Dialers: From Problem to Solution
Introduction to the problem: principles of operation
A few years ago a special type of malicious program appeared, the so-called Rogue Dialer or Trojan Dialer. Such programs dial premium-rate numbers or place long-distance calls that charge per-minute connection fees, provided the victim's computer is equipped with a modem connected to the phone line.
It's worth noting that there are two branches of dialer programs. The first one, which is quite legitimate, comprises programs designed to charge users for access to restricted sections of certain websites. Such programs candidly offer to download software that will access pages of particular interest (typically pornographic or similar adult content). The programs are placed on a computer only after the user has given explicit permission.
Unlike the former, the second branch is completely illegal; these programs are the ones properly called rogue dialers. They are installed without the user's knowledge, by taking advantage of software vulnerabilities or other flaws in system configuration or maintenance. A rogue dialer may appear to request user consent before installing, but it ignores the user's response and installs silently in the background. The motives behind such programs range from simple pranks and retribution to, in the more serious cases, financial gain. For the latter, a perpetrator needs to register and set up a premium-rate dial-up number (many telecommunication companies offer a premium-rate service option to customers, enabling clients to run TV voting polls and provide other kinds of commercial services). By developing or commissioning a dialer for the associated phone number, the perpetrator can earn real money.
Let's take a look at a typical scheme for arranging a dialer-based business. This scheme applies to both legal and illegal dialing arrangements:
The head company (akin to an Internet provider) leases the phone line and creates a special modem dial-up number, with equipment capable of charging callers for access to that number. These companies develop unique versions of dialer programs and equip them with tracking numbers so that payments can be attributed.
Customers are companies that provide paid access to their resources. They use the services supplied by the head companies.
Intermediary sites are Internet sites that place advertisements and links to dialers on their pages. Such pages may also host exploits, for example scripts that execute in the background and silently install dialers (the illegal branch described above). Each such site has a supplementary ID number alongside the main subscriber number to aid tracking and accounting.
When a call is made, equipment at the head company receives an identifying number so that appropriate charges can be made against the caller. The user is redirected to the restricted areas served by individual customers. The net result is the company and its customers receive their share of profit, while the unsuspecting user bears the brunt of the cost of premium access.
The damage suffered from dialer operations can be significant. The author is aware of cases where premium access resulted in costs of 100 to 1000 US dollars, and these cases are quite common. According to unconfirmed reports, there are cases where damage reached as high as 3000 dollars. Considering that the average connection fee is 2 to 5 dollars (and in rare cases can go as high as 10 dollars per call), the amount of damage can be staggering.
Often the victims of such ploys attempt to appeal against the charged amounts, asserting that they were victimized and cannot be held accountable. In that case the phone provider examines the records made by the billing equipment, confirms that the connection took place, and proceeds with the payment request. No case has been registered in which the caller did not eventually pay the full sum; that is, the people who made the calls were ultimately made to pay for them.
Telecommunications companies (telcos) and other organizations, including law enforcement, cannot indict the authors of dialer programs: developers of legal dialers are protected by the formal consent of the user who agreed to the installation, while authors of criminal dialers use the services of offshore states that do not prosecute this kind of activity. Besides, the amounts collected in such states can be substantial, which discourages them from obstructing these operations.
Despite broadband Internet access replacing old-fashioned dial-up in many areas, the problem of illegal dialers remains, for several reasons. The first is that many computers still have built-in modems connected to the phone line. Even if the user doesn't connect to the Internet via the modem, automatic dialing can still occur behind the scenes while the modem is enabled, and disconnecting the modem isn't an option for everyone, because some people use it to send and receive faxes. But the predominant factor for the continued use of dial-up is the inadequate development of broadband services in areas such as Asia, Eastern Europe, South America, Africa and other regions where the infrastructure lags behind.
For the above reasons, dial-up access remains a popular and widespread means of going online; therefore it's important to protect users against rogue dialers.
Causes and indications of dialer installation
Dialers can infiltrate a PC in a variety of ways, but the typical infection scenario looks like this: while surfing a website (mainly of an adult or entertainment nature), the user receives an error message indicating that certain content cannot be accessed. The site asks the user to download special software, which is designed to enable access after dialing a certain phone number. When the user consents, a small file is downloaded and installed. It's worth noting that most alerts and notifications displayed by the dialer share one interesting trait: they are shown in a language other than the user's native one. In the majority of cases the user simply cannot understand the meaning of the messages and unwittingly approves the installation and the subsequent call. The author of this article has evaluated dialers that used German, Italian and English in their dialog boxes.
After the dialer is installed, it breaks the current connection and dials the premium number. As a result, the restricted sections of the site become available. Moreover, some systems are so sophisticated that they enable a user not only to access specific locations but to act as a regular Internet provider. This can lead to the user spending a significant amount of time connected to a dial-up that charges exorbitant rates.
Dialers can also work clandestinely at any stage of their operation, from installation to the actual dialing. A connection can be established without the user's knowledge: a malicious program can detect an active connection to the Internet, break it and reconnect to a specific number, which then becomes the default connection. The dialer can also modify the current dialing properties by replacing the original dial-up number with a fraudulent one, so that subsequent calls go to that number. Some illegal dialers can detect when the computer enters idle mode (by monitoring mouse and keyboard activity) and make calls while the user is presumably away.
Symptoms pointing to dialer infection can be numerous, from visible modifications of the dialing properties to spontaneous modem disconnections and subsequent restoration of access, decreased Internet connection speed for no apparent reason, a busy phone line when the modem is supposedly not in use, or a modem sound when you pick up a telephone handset.
I will note here that some experts recommend turning on the modem speaker as a precaution against rogue dialers, but in some cases the rogue dialer can temporarily disable the speaker and turn it back on after it has completed its mission.
Response of antivirus companies and deficiencies of AV software
For various reasons, AV companies did not respond adequately to dialer programs. Some AV vendors practically ignored the existence of such malicious code; others did not detect or treat it at default settings. Only a fraction of security vendors included dialer programs in their databases of known threats, and even that was barely enough: as the number and complexity of dialer programs grew, the databases had to be updated constantly.
Dialers are a somewhat controversial class of programs. Their developers take active steps to have them classified not as destructive code but as advertising software or software for premium access. They claim that the dialing is formally done with the consent of the user, for instance because the user is notified of the need to end the current connection and dial a different number. Sometimes the price of the call is stated in the instructions or other accompanying information. On that basis, authors of rogue dialers demand that AV vendors drop their software from signature lists for malicious code.
Around 2005 and 2006, AV companies started addressing the problem of unauthorized dialers. Alongside the antivirus companies, other providers such as telcos and ISPs included some form of dialer protection for their customers. As a result, practically every AV product now has some form of protection against malicious dialers. Unfortunately, almost all vendors went the same route when building it: intercepting the library functions used to place calls (such as RasDial and tapiRequestMakeCall) in user mode.
This kind of interception cannot provide complete protection. Besides the library functions of the RAS and TAPI APIs, a program can initiate a call by writing to the modem's port directly (opening the device with CreateFile, sending the dial command with WriteFile, and closing it with CloseHandle). Hooking the standard library functions does not solve the problem, because a dialer that writes straight to the device never calls them, and the AV software is unable to impede those writes.
Some anti-dialer products went a bit further: they added a special driver that tracks data sent to the modem and analyzes it for the presence of dialer-specific commands. With this addition the anti-dialers could fend off illegitimate dial-up attempts more effectively, but a closer look reveals some disturbing weaknesses. An incorrect filtering routine for the data stream can let dialers operate invisibly under such security solutions, which means that these control systems can be subverted with specially modified commands.
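To make the filtering weakness concrete, here is an added example (not code from the article, from DialStop or from any anti-dialer product) that models the byte stream a program writes to a modem port. A per-buffer substring match for "ATDT" stands in for a naive filter; beside it is a filter that reassembles writes into complete command lines and parses the Hayes/V.250 command syntax before deciding whether a dial command is present. The evasions shown (a dial string split across several writes, lowercase and spaces, a dial command chained after other commands, pulse dialing with "DP") are the author's own illustrations of how a stream filter can be slipped past, not the specific modifications the article refers to. The example assumes the modem accepts the "AT" prefix in either case and ignores spaces and hyphens in the command line, and all sample writes are constructed for the example.

```python
"""Added example: detecting modem dial attempts in a stream of AT commands.

Models two filters over the bytes a program writes to a modem port:
  naive_filter       - looks for b"ATDT" in each write buffer in isolation
  ModemStreamFilter  - reassembles CR-terminated command lines and parses them
Assumption: the modem accepts "AT"/"at" and ignores spaces and hyphens.
"""
import re


def naive_filter(writes):
    """Per-buffer substring check, as a hook that inspects one WriteFile call at a time."""
    return any(b"ATDT" in buf for buf in writes)


def extract_dial_string(line: bytes):
    """Return the dial string of one AT command line, or None if it contains no D command.

    Parsing rules used here (V.250 basic syntax, simplified): a basic command is a
    letter plus optional digits; "&", "\\" and "%" commands are a prefix, a letter and
    digits; "S" commands are Sn, Sn=v or Sn?; "+" extended commands run until ";" or
    end of line; "D" consumes the rest of the line as the dial string.
    """
    text = line.decode("ascii", errors="ignore")
    body = re.sub(r"[\s-]", "", text).upper()   # modem ignores spaces/hyphens; case-fold
    if not body.startswith("AT"):
        return None
    i, n = 2, len(body)
    while i < n:
        ch = body[i]
        if ch == "D":                              # dial command: rest of line is the dial string
            return body[i + 1:]
        if ch == "+":                              # extended command: skip to ';' or end of line
            end = body.find(";", i)
            i = n if end < 0 else end + 1
        elif ch in "&\\%":                         # prefixed basic command: prefix, letter, digits
            i += 2
            while i < n and body[i].isdigit():
                i += 1
        elif ch == "S":                            # S register: Sn, Sn=v, Sn?
            i += 1
            while i < n and body[i].isdigit():
                i += 1
            if i < n and body[i] in "=?":
                i += 1
                while i < n and body[i].isdigit():
                    i += 1
        else:                                      # plain basic command: letter, optional digits
            i += 1
            while i < n and body[i].isdigit():
                i += 1
    return None


def dial_number(dial_string: str) -> str:
    """Keep the dialled digits, '*', '#' and '+'; drop modifiers such as T, P, W, ',', '!', ';'."""
    return re.sub(r"[^0-9*#+]", "", dial_string)


class ModemStreamFilter:
    """Reassemble writes into command lines so a dial string split across writes is still seen.

    Caveat: the line terminator is configurable via the S3 register; a complete filter
    would track ATS3=... and switch terminators accordingly. CR is assumed here.
    """

    def __init__(self):
        self._pending = bytearray()

    def feed(self, data: bytes):
        """Consume one write; return the numbers dialled by command lines completed so far."""
        self._pending += data
        numbers = []
        while True:
            end = self._pending.find(b"\r")
            if end < 0:
                break
            line = bytes(self._pending[:end])
            del self._pending[:end + 1]
            dial = extract_dial_string(line)
            if dial is not None:
                numbers.append(dial_number(dial))
        return numbers


def dialled_numbers(writes):
    """Run a sequence of writes through ModemStreamFilter and collect every dialled number."""
    f = ModemStreamFilter()
    out = []
    for w in writes:
        out.extend(f.feed(w))
    return out


def decision(number: str, allowed) -> str:
    """Allow a number the user has approved (e.g. the ISP's); prompt for anything else."""
    return "allow" if number in allowed else "prompt"


# Constructed sample write sequences, one per evasion (not captured from real dialers).
SAMPLE_WRITES = {
    "plain":     [b"ATDT19005551234\r"],
    "split":     [b"ATD", b"T1900", b"5551234\r"],
    "lowercase": [b"atd t 1-900-555-1234\r"],
    "chained":   [b"ATE0V1X3DP19005551234;\r"],
    "harmless":  [b"ATZ\r", b"AT+MS=V90\r", b"AT&F\r", b"ATS0=0\r"],
}

if __name__ == "__main__":
    for name, writes in SAMPLE_WRITES.items():
        print(f"{name:10} naive={naive_filter(writes)!s:5} parsed={dialled_numbers(writes)}")
```

The naive filter flags only the plain case; the reassembling parser reports the same premium number for all four dialing variants and nothing for the harmless configuration commands. Whatever the detection logic, the decision step should be an allowlist with a prompt for unknown numbers, since a blocklist of "known premium prefixes" is just another pattern a dialer can route around.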
The solution: the DialStop plug-in
The author has conducted an in-depth analysis of the vulnerabilities applicable to modern anti-dialing systems. The flaws described in this article, and the need to protect modem users reliably, led to the creation of a proprietary system against unauthorized dialers. It is based on a proprietary kernel-mode driver (thus avoiding the weaknesses of intercepting standard library functions in user mode) coupled with an adaptive data-analysis algorithm that allows reliable detection of, and prompting before, connection attempts.
The system driver verifies the integrity and validity of the transmitted data, safeguarding against hijacking of the driver by malicious code and against elevation of system privileges. This is done by validating each packet, which is helped by the relatively small size of the data exchanged with the modem. If a malicious program attempts to reinstall the modem on a system with the intention of evading the security controls, the DialStop plug-in detects the change and offers to set up protection for the modem again.
The system is designed to operate under Microsoft Windows 2000/XP/2003 Server platforms and is available for free from the Agnitum website as a plug-in for Outpost Firewall Pro.
This article was written with contributions by the author of the DialStop system, Oleg Bil.