Malware, Trojans & Botnets
Kevin Bong, Johnson Financial Group

A scary scenario
• The school district's accounting manager logs into the district's online banking account.
• Balance is $150,000 short.
• Looking at the transaction history, it shows almost 20 ACH transactions, each around $8,000, were initiated from the account yesterday.
• The recipients of the transactions are unfamiliar.
• The accounting manager calls her bank…

The plot thickens
• Bank traces the funds and contacts the receiving banks.
• Some of the funds are still available, others have been withdrawn.
• Discussions with the account holders reveal that they have been hired as "money transfer agents" and have wired the money overseas.
• A scan of the accounting manager's computer shows that viruses were found and removed.

The Zeus Botnet
• Has been used to breach thousands of online business banking accounts
• Small businesses, non-profits, towns, schools, …
• Used to steal over $100 million as of Nov 09, still going strong.

Malware, Trojans and Botnets
• This is one example of the many ways fraudsters are using malware to make money.
• How could this happen?
  – Aren't there multiple layers of controls?
  – Malware is used to break every layer.

Malware is used in most data breaches
Threat agents by percent of breached records:
  Malware              94%
  Hacking              96%
  Social Engineering    3%
  Misuse                3%
  Physical Access       1%
(Categories overlap: a single breach can involve more than one threat agent.)
Source: Joint United States Secret Service/Verizon 2010 Data Breach Investigations Report, an analysis of 141 breach cases including over 143 million breached data records.

What's the difference?
• Malware – malicious software: hostile, intrusive, or annoying program code
• Virus – software that reproduces itself
• Bot – computer program that does automated tasks
• Trojan – initially bad software hidden inside good software. Now more generally refers to malware with "backdoor" (remote control) functionality, or an evil bot.
• Botnet – a network of compromised "zombie" computers

How do computers get infected?
(Chart from the Joint USSS/Verizon 2010 Breach Report)

Injected/installed by remote attacker – listening network services
• Example: MS09-022, "Buffer Overflow in Microsoft Print Spooler Vulnerability"
• Listening software = programs running in the background waiting for incoming network traffic.

Other common network services attacked
• Web servers
• FTP servers
• Windows file sharing
• Mail servers
• Network services (name lookup, etc.)
• Databases

Web – auto-executed drive-by
• Hackers infect legitimate websites
• Or build infected websites and get high search engine rankings
• Code – usually JavaScript – is included on the infected page.
• The JavaScript is executed on the client and instructs the client to download, install, and run malicious programs.

Web/Email – user downloaded or executed
• Download programs from file sharing sites or other untrusted sources
• Not just programs – virus code can hide in Adobe PDF, Flash, Windows Media, Java
• More than 46% of the browser-based exploits during the second half of 2009 were aimed at vulnerabilities in the free Adobe Reader PDF viewer

Facebook – social engineering
• Receive a message from a Facebook friend: "Hey, I have this hilarious video of you dancing. Your face is so red. You should check it out."
• Koobface infects a profile and sends a message to all friends via the Facebook messaging system
• When you click on the video, you are prompted to update Flash Player. The update is actually a copy of the Koobface worm.
• (video: Facebook funniest malware)

Exploit + Payload = Malware
• Vulnerability – the weakness that is utilized to compromise the machine
  – Most commonly software bugs and tricking users
• Exploit – the chunk of hacker code that utilizes the vulnerability
• Payload – the chunk of hacker code to "do something" with the compromised host
  – Hiding, spreading, stealing, attacking, destroying, earning income

Metasploit
• Framework for joining exploits with payloads, and launching attacks.
• Command line and GUI interfaces
• Hundreds of exploits built into the tool
• Open API to build and include more
• Over 100 payloads too

Metasploit exploits example

Metasploit exploits – GUI

Metasploit payloads
(video: MSF)

Stage 2: Hiding
• Generally not noisy like adware and spyware (at least not initially)
• May disable antivirus and administrative functions/control panels. Less obviously, it may just break the AV update capability.
• More sophisticated malware installs itself as a "rootkit"

Rootkit
• Obscures the fact that a system has been compromised
• Hooks into or replaces portions of the operating system
  – User mode – modifies
  – Kernel mode –
• Makes the computer "lie" to higher level programs, like Windows Explorer and antivirus
• HackerDefender is a well known example (video)

Stage 3: Join Botnet
• Use dynamic DNS lookup to find a botnet server on the Internet
• "Fast-flux" DNS techniques direct the bot to one of hundreds of bot servers.
• Forward traffic through proxies, harder to trace
• Servers kept in non-cooperative countries

Botnet Command and Control
• Historically preferred IRC, still in use
• HTTP (web browser traffic)
• Peer to peer protocols
• Twitter, Google Groups, Facebook

Botnet Control Diagram

Botnet control via IRC channel
(video: IRC C&C)

Some sample botnet commands
• ddos.synflood [host] [time] [delay] [port]
• ddos.phatwonk [host] [time] [delay]
• scan.start
• http.download
• http.execute
• ftp.download
• spam.setlist
• spam.settemplate
• spam.start
• bot.open
• bot.die
* SYN-flood on ports 21, 22, 23, 25, 53, 80, 81, 88, 110, 113, 119, 135, 137, 139, 143, 443, 445, 1024, 1025, 1433, 1500, 1720, 3306, 3389, 5000, 6667, 8000, 8080

Hierarchical CnC topology
• Commands sent to distributed servers, which send commands to bots.
• May be multiple layers.
• Single bots aren't aware of the bot master's location or the size of the botnet.
• Easy to carve up to sell or to perform different operations.

Botnet Command and Control
• Zeus Tracker command and control servers as of 10.11.2010

Zeus Server Distribution

Current botnet attributes
• Distributed architecture
• Self protection
• Multiple C&C channels
• Virtual machine aware
• Extensive encryption
• Polymorphic
• Immortal/unlimited in size
• Self healing
• Multiple exploit channels

Bot herding
• Separate "owned" machines based on function
  – Static, always on, high bandwidth: server
  – POS machine: steal credit cards
  – Corporate office: steal data, spread
  – Look for online business banking use: ACH theft
  – Home users: spam, DDoS, etc.
• Manage bots
• Lease out services

Botnet Statistics

Stage 4: Use
• Send spam
  – Steal email addresses from compromised computers.
  – Most mail systems will block large numbers of emails from the same source. Distributing the sending across workstations makes it harder to filter/block.
• Denial of service
  – Have hundreds or thousands of your bots send traffic at the same website or company, fill their pipe and knock them off the Internet
• Other theft
  – Credit card numbers
  – Steal "in game" online game items and sell them on eBay

Banking attack – Step 1: infection
• (video: Bank of Nicolai)
• Utilize phishing, network exploits, and drive-by downloads to spread your botnet as wide as possible.

Banking attack – Step 2: identify victim machines
• Monitor browser use and network traffic to identify any machines in the bot network that are being used to log into online business banking services
• May at that point install a rootkit on the identified machine

Banking attack – Step 3: capture passwords
• Keylogger can capture passwords
• Challenge questions?
  – Steal or delete registration cookies to bypass challenge questions
• Email password?
  – Hacker also already has access to your email

Banking attack – Step 4: hire mules
• Use your botnet to send spam email soliciting for "work at home" jobs
• Timing is critical, to pick up and wire funds before the account compromise is detected.

Banking attack – Step 5: perform transaction
• Remote control allows them to log in from your workstation if they want.
• They know your password, challenge question, etc.
• Aim is to create new recipients and send funds via ACH or wire in one login session
• These electronic transactions are nearly immediate and difficult to reverse

Evolution of Malware – The Red Queen
• Red Queen Hypothesis – coevolution of parasite/host
• From "Through the Looking Glass" – the Red Queen tells Alice, "Now, here, you see, it takes all the running you can do to keep in the same place"
• Passwords -> keyloggers
• Challenge questions -> delete cookies
• Registration cookies -> steal cookies
• Email passwords -> access email
• One time passwords -> MITB…

Man in the Browser attack
• Trojan horse/rootkit specifically for the browser.
• Same idea – shows you on the screen what you think you should see, but in the background is doing something evil.

Man in the Browser attack
• Zeus Trojan recent variants:
  – You log in to your online business banking
  – You set up and send a transaction
  – You type in a one time password from a security token, etc.
  – The Trojan immediately and automatically in the background modifies your transaction to send the funds to his mule.
  – The Trojan shows you on your screen that your transaction was successful.

Stage 4: Use… Version 2.0
• Scarier use: Advanced Persistent Threats
• Espionage, not financial data
• Aim is long term under-the-radar occupation of corporations and government entities.
• Targeted, custom malware less likely to be detected.
• Well funded and well organized.
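The one time password bypass on the Man in the Browser slides works because the OTP only proves the user holds the token; it says nothing about which transaction was approved. The Python below is an added example, not code from this presentation or from any bank: it models the Zeus-style recipient swap after the code is entered, first against an unbound OTP (the bank accepts the altered transaction) and then against a code that mixes recipient and amount into the MAC (the altered transaction fails verification). The secret, counter and account identifiers are constructed placeholders.

```python
import hashlib
import hmac

# Constructed demo secret shared by the customer's token and the bank (not a real key).
TOKEN_SECRET = b"constructed-demo-secret"

def unbound_otp(secret: bytes, counter: int) -> str:
    """Counter-based one time password: depends only on the secret and counter,
    so it proves possession of the token but says nothing about the transaction."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:4].hex()  # 8-character code, truncated like a token display

def bound_code(secret: bytes, counter: int, recipient: str, amount_cents: int) -> str:
    """Transaction-bound code: recipient and amount are mixed into the MAC, so a
    transaction altered after the code was generated no longer verifies."""
    msg = counter.to_bytes(8, "big") + f"{recipient}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4].hex()

def bank_verifies_unbound(counter: int, recipient: str, amount_cents: int, code: str) -> bool:
    # Recipient and amount are ignored: only token possession is checked.
    return hmac.compare_digest(unbound_otp(TOKEN_SECRET, counter), code)

def bank_verifies_bound(counter: int, recipient: str, amount_cents: int, code: str) -> bool:
    # The bank recomputes the code over the transaction it actually received.
    expected = bound_code(TOKEN_SECRET, counter, recipient, amount_cents)
    return hmac.compare_digest(expected, code)

def man_in_the_browser(tx: dict) -> dict:
    """Models the Zeus variant on the slides: the transaction the user approved on
    screen is rewritten to pay the mule before it reaches the bank."""
    tampered = dict(tx)
    tampered["recipient"] = "mule-account-999"  # constructed placeholder
    return tampered

def run_scenario(bound: bool) -> bool:
    """Returns True if the bank accepts the transaction that reached it."""
    counter = 42
    tx = {"recipient": "supplier-acct-123", "amount_cents": 800_000}  # constructed
    if bound:
        code = bound_code(TOKEN_SECRET, counter, tx["recipient"], tx["amount_cents"])
    else:
        code = unbound_otp(TOKEN_SECRET, counter)
    sent = man_in_the_browser(tx)
    verify = bank_verifies_bound if bound else bank_verifies_unbound
    return verify(counter, sent["recipient"], sent["amount_cents"], code)
```

This is the idea behind transaction signing tokens: the code the customer reads off the device must be computed over the recipient and amount the customer actually saw, so the bank can tell when the browser sent something else.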
APT example – China hacks Google
• January 2010
• "Aurora" malware used a zero-day bug in Microsoft IE
• Stole intellectual property from Google
• Accessed Gmail accounts of Chinese human rights activists
• Related intrusion into big energy companies, stole oil reserve data
• Dozens of other companies targeted too.

Another APT example – Stuxnet
• Four main exploit channels,
  – Two Windows zero days
  – USB
• Targeted payload designed for a specific industrial control system …running specific custom software
• Encryption and polymorphism
• Dead-man's switch – 3 generations or June 24, 2012

Built for espionage
• Attributes indicate it was built by a well funded and knowledgeable group (a government).
• Many believe the target was Iran's nuclear facilities.
• Stuxnet infection rate seems to agree…

Stopping malware at step 1 – exploit
• Patch systems to "fix" the bugs
  – Operating system
  – Browser
  – Third party apps, especially Adobe and Java
• Don't download malware
  – AV and browser plug-ins to block hostile sites
  – Avoid file sharing and less-than-reputable download sites

Stopping malware at step 1 – exploit
• Don't use guessable passwords
• Use email with an antivirus/antispam filter
• Use a firewall (or cable router or software firewall) to block hostile traffic to listening ports
• Use portable media with caution, and scan before use

Stopping malware – antivirus
• Antivirus can't detect all malware
• Must be up-to-date.
• Utilizes signatures (patterns) that match parts of known malware
  – Polymorphism – patterns change
  – New variants or custom built viruses won't have signatures
  – Rootkits can give "false" information to the antivirus software

Malware command and control
• Some is easy to detect – IRC, P2P protocols
• More sophisticated C&C could be more difficult – can really disguise itself as any network protocol
• Residential router/firewalls do not generally block C&C traffic
• Many corporate firewalls do not either
• Default deny on outbound traffic can help stop it
• Myriad of gateway appliances
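As an added example (not part of the presentation), here is detection logic a defender could run against the "fast-flux" DNS behaviour from the Stage 3: Join Botnet slide, which is one of the C&C patterns the last slide says is worth looking for: it parses constructed DNS answer records and flags domains that resolve to many addresses spread across several networks with short TTLs. Grouping by /16 prefix stands in for the per-ASN check used in published fast-flux research, and the thresholds are assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS answer records, one per line: "timestamp domain ttl answer_ip".
# Addresses are from documentation ranges; none of this is real data.
DNS_LOG = """\
1001 update.example.org 3600 203.0.113.10
1002 update.example.org 3600 203.0.113.10
1003 cdn.example.com 60 192.0.2.5
1004 cdn.example.com 60 192.0.2.6
1005 cdn.example.com 60 192.0.2.7
1006 cdn.example.com 60 192.0.2.8
1007 cdn.example.com 60 192.0.2.9
1008 bot-c2.example.net 180 198.51.100.7
1009 bot-c2.example.net 180 192.0.2.44
1010 bot-c2.example.net 180 203.0.113.201
1011 bot-c2.example.net 180 198.51.100.90
1012 bot-c2.example.net 180 192.0.2.130
1013 bot-c2.example.net 180 203.0.113.9
"""

def parse_log(text: str) -> dict:
    """Group answers by domain: domain -> list of (ttl, ip_address)."""
    answers = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, domain, ttl, ip = line.split()
        answers[domain].append((int(ttl), ipaddress.ip_address(ip)))
    return answers

def flux_features(records: list) -> dict:
    """Per-domain features: distinct IPs, distinct /16 networks (a stand-in for
    distinct ASNs, which a real system would look up), and the lowest TTL seen."""
    ips = {ip for _, ip in records}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {"ips": len(ips), "nets": len(nets), "min_ttl": min(t for t, _ in records)}

def find_fast_flux(text: str, min_ips: int = 5, min_nets: int = 3, max_ttl: int = 300) -> dict:
    """Flag domains whose answers churn across many hosts in several networks with
    short TTLs. Thresholds are assumptions for this example; a CDN with many hosts
    in one network (cdn.example.com above) is deliberately not flagged."""
    flagged = {}
    for domain, records in parse_log(text).items():
        feats = flux_features(records)
        if feats["ips"] >= min_ips and feats["nets"] >= min_nets and feats["min_ttl"] <= max_ttl:
            flagged[domain] = feats
    return flagged
```

On the constructed log only bot-c2.example.net is flagged; the CDN entry shows why IP count alone is a poor signal and why network (or ASN) diversity has to be part of the check.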