Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Malware - T&T Software WWW Server

advertisement 
Internet Vulnerabilities &
Criminal Activities
Malware
3.2
9/26/2011
Malware
Malicious software designed to
gain access to information and/or
resources without the knowledge
or consent of the end user
Malware History
 1981
 1983
 1986
 1988
 1990
 1991
 1994
 1995
 1998
- First Apple II virus in the wild
- Fred Cohen coins term “virus”
- First PC virus
- Morris Internet worm
- First Polymorphic virus
- Virus Construction Set
- Good Times virus hoax
- First Macro Virus
- Back Oriface tool released
Malware History cont.
 1999 - Melissa virus / worm
 1999 - Tribal Flood Network - DDOS tool
 2001 - Code Red worm
 2001 - Nimda worm
 2003 - Slammer worm
 2004 - So Big & Sasser worms
 2007 - Storm worm / Zeus botnet tool
 2008 - Conficker worm
 2010 – Stuxnet – weaponized malware
Malware Trends
 Increasing complexity & sophistication
 Acceleration of the rate of release of
innovative tools & techniques
 Movement from viruses to worms to
kernel-level exploitations
Malware can be:
 “Proof of concept”
Created to prove it can be done
Not found outside of laboratory
environment
If code available, can be used by others
 “In the Wild.”
Found on computers in everyday use
Traditional Categories of Malware
 Virus
 Worm
 Malicious Mobile Code
 Backdoor
 Trojan Horse
 Rootkit
 Combination Malware – Malware “Cocktail”
Virus
 Infects a host file
 Self replicates
 Requires human interaction to
replicate
 Examples:
Michelangelo
Melissa
Worm
 Spreads across a network
 Does not require human interaction to
spread
 Self-replicating
 Examples:
Morris Worm
Code Red
Slammer
Malicious Mobile Code
 Lightweight program downloaded from
a remote source and executed locally
 Minimal human interaction
 Written in Javascript, VBScript,
ActiveX, or Java
 Example:
Cross Site Scripting
Backdoor
 Bypasses normal security controls
 Gives attacker access to user’s system
 Example:
Netcat
Back Oriface
Sub 7
Trojan Horse
 Program that disguises its hidden
malicious purpose
 Appears to be harmless game or
screensaver
 Used for spyware & backdoors
 Not self-replicating
Rootkit
 Replaces or modifies programs thts are
part of the operating system
 Two Levels
User-level
Kernel-level
 Examples
Universal Rootkit
Kernel Intrusion System
Combination Malware
 Uses a combination of various
techniques to increase effectiveness
 Examples:
Lion
Bugbear.B
Stuxnet
Malware Distribution
 Attachments
 E-mail and Instant Messaging
 Piggybacking
 Malware added to legitimate program
 Adware, spyware
 EULA - End User License Agreement
 Internet Worms
 Exploit security vulnerability
 Used to install backdoors
 Web Browser Exploit
 Malware added to legitimate web site
 Cross-site scripting & SQL Injection
 Visitors to web site may be infected
 Drive by malware
Malware Distribution cont.
 Hacking
 Too labor intensive for large crime operations
 May be used to compromise DNS server
 Affiliate Marketing
 Web site owner paid 8¢ to 50 ¢ per machine to
install malware on a visitor’s computer
 Mobile Devices
 Transfer via bluetooth
Malware Activity
 Adware
 Spyware
 Hijacker
 Toolbars
 Dialers
 Rogue Security Software
 Bots
Adware
 Displays ads on infected machine
 Ads format can be:
Pop-ups
Pop-under
Embedded in programs
On top web site ads
 More annoying than dangerous
Spyware
 Send information about infected computer to
someone, somewhere
 Web sites surfed
 Terms searched for
 Information from web forms
 Files downloaded
 Search hard drive for files installed
 E-mail address book
 Browser history
 Logon names, passwords, credit card numbers
 Any other personal information
Hijacker
 Takes control of web browser
Home page
Search engines
Search bar
Redirect sites
Prevent some sites from loading
 IE vulnerable
Toolbars
 Plug-ins to IE
Google
Yahoo
 Attempt to emulate legitimate toolbars
 Installed via underhanded means
Adware or Spyware
 Acts a keystroke logger
Dialers
 Alters modem connections and ISDN-
Cards
 Once installed, will dial 1-900 numbers
or other premium rate numbers
 Run up end-users phone bill & provide
revenue for criminal enterprise
 Targets MS Windows
Rogue Security Software
 Usually delivered via a trojan horse
 Uses social engineering techniques to get
user to install
 Fake warnings that computer is infected
 Fake video of machine crashing
 Disables anti-virus and anti-spyware
programs
 Alters computer system so the rogue
software cannot be removed
Bots
 Allows attacker remote access to a computer
 When end-user is online, computer contacts
Command & Control (C&C) site
 Bot will then perform what ever commands
received from the C&C
 Some things botnets are used for
 Distributed Denial of Service (DDoS) attacks
 Spam
 Hosting contraband such as child porn
 Other illegal fraud schemes
Weaponized Malware
 Attacks SCADA system
 Supervisory Control And Data Acquisition
 Causes physical damage
 SCADA systems control
 Dams
 Electrical grid
 Nuclear power plants
 Cyber War - The Aurora Project
 http://www.youtube.com/watch?v=rTkXgqK1l9A
More Malware Terminology
 Downloader
 Single line of code
 Payload from malware
 Instructs infect computer to download malware
from attacker’s server
 Drop
 Clandestine computer or service (E-mail)
 Collects information sent to it from infected
machines
 Blind Drop - well hidden, designed to run
attended
More Malware Terminology
cont.
 Exploit
 Code used to take advantage of a vulnerability in
software code or configuration
 Form-grabber
 A program that steal information submitted by a
user to a web site
 Packer
 Tool used to scramble and compress an .exe file
 Hides malicious nature of code
 Makes analysis of program more difficult
More Malware Terminology
cont.
 Redirect
 HTTP feature
 Used to forward someone from one web page to
another
 Done invisibly with malware
 Variant
 Malware produced from the same code base
 Different enough to require new signature for
detection by anti-virus software
Malware Sources
 Malware
 Can be programmed from scratch
 Less likely to be detected by anti-malware programs
 Can be purchased
 Malware tools
 Haxdoor, Torpig, Metafisher, Web Attacker
 Tools offered with other services
 Access to botnet, drop sites
 Tools derived from small stable base of existing
code
Frauds Involving Malware
 Advertising schemes
 Pay-per-view
 Pay-per-click (“Click Fraud”)
 Pay-per-install
 Banking fraud
 Identity theft
 Spam
 Denial-of-service attacks
 DoS extortion
Advertising Schemes
 Pay-per-view
Sell advertising space on controlled web
sites
Command botnet to “view” as many ads
as possible
May have ads download in the background
Fraudulent commissions generated
Advertising Schemes cont.
 Pay-per-click (“”Click Fraud”)
 Similar to Pay-per-view fraud
 Bots simulate clicks on ads
 Between 5% and 35% of all ad commissions may
be fraudulent
 Pay-per-install
 Commission paid every times advertisers
software is installed
 When installed, notification sent to advertiser
 Infected machines will be instructed to install
advertisers software
Banking Fraud
 Banks are a prime target of malware
 Malware can allows attacker to empty
victim’s bank account
 Example (September 2009)
 Rewrite online bank statements on the fly
 Covers up theft of funds
 Trojan horse
 Alters HTML code before browser displays
 Makes use of “Money Mules”
Identity Theft
 Phishing & key logging
 Recent increase in malware associated
with identity theft
 Information sent to drop site
Spam
 Bots used to send spam
 Also show dramatic rise
 Bots are available for rent for spam
purposes
 Spam sent can also contain malware
Denial of Service Attacks
 Botnet commanded to make requests
of a web site
 Web site may crash due to heavy
traffic
 Legitimate traffic blocked
 Threat of DoS attack can be used for
extortion
 Bots for rent for DoS attacks
Problems for Law Enforcement
 Anonymity
 Jurisdiction
 Attackers know how difficult international law
enforcement is
 Exploit the situation
 Target victims in one country from another country
 Have C&C site and drop site located in a third country
 Use multiple proxies to access C&C site and drop site
 Money gain quickly funneled through online bank
accounts and international money transfers
Other Issues
 Monetary Threshold
 Must reach a limit before prosecutor will take
case
 May be hard to prove exact amount of money
involved
 Cyber crimes may be considered a non-priority
 Virtual world emboldens individuals
 Less fear of getting caught
 Realization of difficulties in investigating crimes
 Easy money
Related documents
Cyber Security is everybody`s responsibility
Cyber Security is everybody`s responsibility
all
all
malware_02
malware_02
CuckooSandbox
CuckooSandbox
here - Michael Goffin
here - Michael Goffin
Cyber Security Awareness Day 2013 Web
Cyber Security Awareness Day 2013 Web
McAfee Web Gateway CxO presentation
McAfee Web Gateway CxO presentation
Topics in Email Security - Network Security Office
Topics in Email Security - Network Security Office
Windows 8x - CIIIWebSupport
Windows 8x - CIIIWebSupport
Here are the slides
Here are the slides
Chapter 3A,B,C
Chapter 3A,B,C
Exfiltration Framework
Exfiltration Framework
Download
advertisement