Chapter 9: Applications

Benevolent Malware
Benevolent malware?
  o “Obviously a contradiction in terms”
  o Has malware characteristics, but tries to do “good”
Den Zuk --- 1988, removed the Brain virus
  o Later versions would reformat the disk…
Cheese --- 2001, removed the li0n worm
  o Created lots of network traffic
Welchia --- 2003, patched the problem that Blaster exploited (used the official MS patch)
  o Lots of traffic; the cure was worse than the disease

Predator Worms
Like Cheese and Welchia
Destroy malware and/or immunize
  o Trying to do good, but it’s still illegal
  o Previous “predators” caused problems
  o Might be OK on a local network
  o But how to prevent spread to the Internet?
Other technical problems
  o Control, bandwidth use, monitoring, etc.

Benevolent Malware
No “killer app” for benevolent malware
Everything can be done by more controlled means
Many unresolved issues…
  o Legal issues
  o Ethical issues
  o Technical issues
Mobile agents --- a niche application?

Mobile Agents
Program transfers itself over the network
  o It does things on behalf of a user
  o For example, propagates to various airline sites in search of the best airfare
Questions about mobile agent security
  o Has a lot in common with malware
  o A “solution in search of a problem”?
  o Mobile agents have some advantages, but what they do can be done by other means

Mobile Agents
Previous master’s project
Platform for Privacy Preferences Project (P3P)
  o Privacy policies that websites follow
Student developed an “agent-based privacy enhancing model”
  o Used agents to analyze P3P preferences
  o Essentially, a reputation system
  o Research papers are here and here

Spam
Infection may be a “means to an end”
  o For example, DDoS attacks, or…
May use zombies/bots for spam
  o Harvest your email address
  o Customize spam so that it looks like it came from you, and so on
Aycock has lots of interest in spam
  o Spam simulator: Spamulator

Access-for-Sale Worms
“Scalable, targeted intrusion”
Compromise a machine, install a back door
Access to the back door is for sale
  o Might, for example, use a key for access
  o Can’t allow unauthorized access
  o So, patch flaws once access is obtained
  o Good for ID theft, blackmail, etc.
Like a botnet, but single machine(s)

Access-for-Sale Worms
Two “business models”
1. Organized crime
  o Attacker and cyberthieves work together
  o Defenses?
2. Disorganized crime
  o Attacker sells access to cyberthieves
  o How to advertise?
  o Defenses?

Access-for-Sale Worms: Organized crime (diagram slide)

Access-for-Sale Worms: Disorganized crime (diagram slide)

Access-for-Sale Worms
Good idea to use public key crypto
  o That is, the worm carries the public key, and…
  o The private key is used to access the back door
What is the advantage of public key crypto over symmetric key crypto?
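The question at the end of the Access-for-Sale slide, and the “hybrid crypto” construction on the Cryptovirology slide that follows, both come down to what a captured sample gives an analyst: with symmetric crypto the secret is inside the sample, with public key crypto only the public half is. The following added example (not from the slides or from Aycock's text) makes that concrete; it uses textbook toy RSA (p=61, q=53, far too small for real use) and an HMAC-SHA256 keystream as the symmetric cipher, both constructed for illustration only, and compares what a recovery tool built from the sample alone can do in each design.

```python
import hashlib
import hmac

# Added example, not from the slides or Aycock's text. Toy textbook RSA with
# p=61, q=53 (far too small for real use; only the structure matters here).
P, Q, E = 61, 53, 17
N = P * Q                          # 3233: public modulus, embedded in the sample
D = pow(E, -1, (P - 1) * (Q - 1))  # 2753: private exponent, never in the sample


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric part: CTR-style keystream from HMAC-SHA256(key, counter), XORed in.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def symmetric_only(plaintext: bytes, key: int):
    """Design 1: the sample carries the symmetric key itself.
    Returns (what the sample contains, what is left on the victim's disk)."""
    sample = {"key": key}
    return sample, stream_xor(key.to_bytes(2, "big"), plaintext)


def hybrid(plaintext: bytes, session_key: int):
    """Design 2 (“hybrid crypto”): data under a per-victim symmetric key, and
    that key wrapped with the embedded public key. session_key must be < N."""
    sample = {"pubkey": (E, N)}
    wrapped_key = pow(session_key, E, N)
    return sample, (stream_xor(session_key.to_bytes(2, "big"), plaintext), wrapped_key)


def analyst_recovery(sample: dict, artefact):
    """Recovery tool built from a captured sample: it may use only what the
    sample contains. Returns the plaintext, or None if the sample is not enough."""
    if "key" in sample:                     # design 1: the key was shipped with it
        return stream_xor(sample["key"].to_bytes(2, "big"), artefact)
    return None                             # design 2: unwrapping needs D, held elsewhere


def private_key_recovery(artefact) -> bytes:
    """What only the holder of D can do: unwrap the session key, then decrypt."""
    ciphertext, wrapped_key = artefact
    session_key = pow(wrapped_key, D, N)
    return stream_xor(session_key.to_bytes(2, "big"), ciphertext)
```

For design 1 `analyst_recovery` returns the data; for design 2 it returns None even though the whole sample is in hand, which is the advantage the slide asks about.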
Cryptovirology
Use malware for extortion
Example: a virus encrypts valuable data
  o Victim must pay to get the decryption key
  o Again, public key crypto is best here
  o Note that the data is encrypted with a symmetric key, and the symmetric key is encrypted with a public key (we call this “hybrid crypto” in CS 265)
  o Password-protected may be good enough

Cryptovirology Examples
AIDS Trojan --- 1989
  o Floppy disk, sent by mail, with a “curious software license”
  o Encrypted files if the user didn’t pay
PGPCoder Trojan (Gpcode, 2006)
  o Encrypted files having various extensions
  o Cost $200 to buy the decryptor

Information Warfare
Use computers to supplement (or supplant?) conventional warfare
  o Acquire info from the adversary’s computers
  o Plant false info, corrupt data, denial of service, etc.
Laws and such are not clear
Of limited use if the communication infrastructure is damaged…

Information Warfare
Electronic countermeasures (ECM)
  o Deny the enemy use of electronic technology
  o For example, radar jamming
Information warfare analog of ECM?
  o Denial of service
  o Comparison with traditional ECM?

Information Warfare
ECM vs DoS
  o Persistence --- jamming is usually temporary; malware can last longer
  o Targeting --- ECM uses direct targeting; malware could be direct or indirect
  o Deception --- possible in both cases
  o Range of effects --- limited in ECM, much broader with malware (logic bomb, DoS, precision attack, intelligence gathering, forced quarantine, …)

Information Warfare
ECM vs DoS
  o Reliability --- ECM may be more difficult to test, so reliability is less certain
  o Continuity --- ECM is subject to “ECCM”, while malware only has to succeed once and can attack the weakest link
Indirect ways to insert malware?
  o Software vendors, dormant in systems, deliberately leak infected systems, etc.

Cyberterrorism
Difficult to define?
Create fear, not just irritate users
  o Inability to use Facebook does not strike the fear of death into (most) users
So a cyberterrorist must somehow create tangible results in the real world
  o Nuclear power plants, utility grid, … ???

Cyberterrorism
Similar uses as info warfare
  o That is, a supplement to real attacks
  o For example, attack the communication infrastructure during a physical attack to delay response, cause confusion, etc.
Disinformation attack
  o Before and during
Other?