internet vulnerabilities & criminal activities malware 3.2 9/26/2011


Page 1: Internet Vulnerabilities & Criminal Activities Malware 3.2 9/26/2011

Internet Vulnerabilities & Criminal Activities

Malware 3.2

9/26/2011

Page 2:

Malware

Malicious software designed to gain access to information and/or resources without the knowledge or consent of the end user

Page 3:

Malware History

1981 - First Apple II virus in the wild
1983 - Fred Cohen coins the term “virus”
1986 - First PC virus
1988 - Morris Internet worm
1990 - First polymorphic virus
1991 - Virus Construction Set
1994 - Good Times virus hoax
1995 - First macro virus
1998 - Back Orifice tool released

Page 4:

Malware History cont.

1999 - Melissa virus / worm
1999 - Tribe Flood Network - DDoS tool
2001 - Code Red worm
2001 - Nimda worm
2003 - Slammer worm
2004 - Sobig & Sasser worms
2007 - Storm worm / Zeus botnet tool
2008 - Conficker worm
2010 - Stuxnet - weaponized malware

Page 5:

Malware Trends

Increasing complexity & sophistication
Acceleration of the rate of release of innovative tools & techniques
Movement from viruses to worms to kernel-level exploitation

Page 6:

Malware can be:

“Proof of concept”
  Created to prove it can be done
  Not found outside of a laboratory environment
  If the code is available, it can be used by others
“In the Wild”
  Found on computers in everyday use

Page 7:

Traditional Categories of Malware

Virus
Worm
Malicious Mobile Code
Backdoor
Trojan Horse
Rootkit
Combination Malware - Malware “Cocktail”

Page 8:

Virus

Infects a host file
Self-replicates
Requires human interaction to replicate
Examples:
  Michelangelo
  Melissa

Page 9:

Worm

Spreads across a network
Does not require human interaction to spread
Self-replicating
Examples:
  Morris Worm
  Code Red
  Slammer

Page 10:

Malicious Mobile Code

Lightweight program downloaded from a remote source and executed locally
Minimal human interaction
Written in JavaScript, VBScript, ActiveX, or Java
Example:
  Cross-Site Scripting (the injected script is the mobile code; the XSS flaw in the site is how it gets delivered)

Page 11:

Backdoor

Bypasses normal security controls
Gives attacker access to user’s system
Examples:
  Netcat (a legitimate network utility frequently repurposed as a listening backdoor)
  Back Orifice
  SubSeven (Sub7)

Page 12:

Trojan Horse

Program that disguises its hidden malicious purpose
Appears to be a harmless game or screensaver
Used for spyware & backdoors
Not self-replicating

Page 13:

Rootkit

Replaces or modifies programs that are part of the operating system
Two levels
  User-level
  Kernel-level (can hide from every tool running on the compromised host, so trustworthy checks must run from outside it, e.g. against an offline disk or memory image)
Examples
  Universal Rootkit
  Kernel Intrusion System

Page 14:

Combination Malware

Uses a combination of various techniques to increase effectiveness
Examples:
  Lion
  Bugbear.B
  Stuxnet

Page 15:

Malware Distribution

Attachments
  E-mail and instant messaging
Piggybacking
  Malware added to a legitimate program
  Adware, spyware
  Bundled software disclosed only in the EULA (End User License Agreement)
Internet Worms
  Exploit a security vulnerability
  Used to install backdoors
Web Browser Exploit
  Malware added to a legitimate web site
  Cross-site scripting & SQL injection
  Visitors to the web site may be infected
  “Drive-by” malware

Page 16:

Malware Distribution cont.

Hacking
  Too labor intensive for large crime operations
  May be used to compromise a DNS server
Affiliate Marketing
  Web site owner paid 8¢ to 50¢ per machine to install malware on a visitor’s computer
Mobile Devices
  Transfer via Bluetooth

Page 17:

Malware Activity

Adware

Spyware

Hijacker

Toolbars

Dialers

Rogue Security Software

Bots

Page 18:

Adware

Displays ads on the infected machine
Ad formats can be:
  Pop-ups
  Pop-unders
  Embedded in programs
  On top of web site ads
More annoying than dangerous

Page 19:

Spyware

Sends information about the infected computer to someone, somewhere
  Web sites surfed
  Terms searched for
  Information from web forms
  Files downloaded
  Searches hard drive for installed files
  E-mail address book
  Browser history
  Logon names, passwords, credit card numbers
  Any other personal information

Page 20:

Hijacker

Takes control of the web browser
  Home page
  Search engines
  Search bar
  Redirects sites
  Prevents some sites from loading
Internet Explorer particularly vulnerable

Page 21:

Toolbars

Plug-ins to IE (legitimate examples: Google, Yahoo)
Malicious toolbars attempt to emulate legitimate ones
Installed via underhanded means
  Adware or spyware
Acts as a keystroke logger

Page 22:

Dialers

Alter modem connections and ISDN cards
Once installed, will dial 1-900 numbers or other premium-rate numbers
Run up the end user’s phone bill & provide revenue for the criminal enterprise
Target MS Windows

Page 23:

Rogue Security Software

Usually delivered via a Trojan horse
Uses social engineering techniques to get the user to install it
  Fake warnings that the computer is infected
  Fake video of the machine crashing
Disables anti-virus and anti-spyware programs
Alters the computer system so the rogue software cannot be removed

Page 24:

Bots

Allows attacker remote access to a computer
When the end user is online, the computer contacts a Command & Control (C&C) site
The bot will then perform whatever commands it receives from the C&C
Some things botnets are used for
  Distributed Denial of Service (DDoS) attacks
  Spam
  Hosting contraband such as child porn
  Other illegal fraud schemes
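The slide says a bot "contacts" its C&C site whenever the victim is online. In practice that contact is timer-driven, and the regularity is what a defender can look for. The following is an added example, not part of the original slides: it scans a constructed proxy log (the format, client addresses and host names are made up here) and flags client/host pairs whose connection gaps are too regular to be a person browsing, using the coefficient of variation of the inter-arrival times.

```python
"""Flagging bot check-ins to a Command & Control (C&C) site in proxy logs.

Added example; not part of the original slides. The log format, client
addresses and host names are constructed for illustration. A bot that
phones home on a timer produces connections whose gaps are far more
regular than a person browsing, so the coefficient of variation
(stdev / mean) of the inter-arrival times is a simple beaconing indicator.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log, one line per connection: "<ISO timestamp> <client> <host>".
# 10.0.0.7 checks in roughly once a minute; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2011-09-26T09:00:00 10.0.0.7 update.example-cnc.net
2011-09-26T09:00:03 10.0.0.9 news.example.com
2011-09-26T09:00:59 10.0.0.7 update.example-cnc.net
2011-09-26T09:01:47 10.0.0.9 news.example.com
2011-09-26T09:02:01 10.0.0.7 update.example-cnc.net
2011-09-26T09:02:05 10.0.0.9 mail.example.com
2011-09-26T09:03:00 10.0.0.7 update.example-cnc.net
2011-09-26T09:03:58 10.0.0.9 news.example.com
2011-09-26T09:04:02 10.0.0.7 update.example-cnc.net
2011-09-26T09:05:00 10.0.0.7 update.example-cnc.net
2011-09-26T09:06:01 10.0.0.7 update.example-cnc.net
2011-09-26T09:09:30 10.0.0.9 mail.example.com
"""

# Legitimate software also beacons (OS and AV updaters, NTP), so known-good
# destinations are allowlisted. These two entries are illustrative.
DEFAULT_ALLOWLIST = frozenset({"update.microsoft.com", "pool.ntp.org"})


def parse_log(text):
    """Group connection timestamps by (client, host) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, host = line.split()
        pairs[(client, host)].append(datetime.fromisoformat(stamp))
    return pairs


def find_beacons(text, min_events=5, max_cv=0.1, allowlist=DEFAULT_ALLOWLIST):
    """Return (client, host) pairs whose connection gaps look timer-driven.

    min_events: fewer connections than this give no usable statistic.
    max_cv: stdev/mean of the gaps; human browsing is usually well above
            0.5, a bot on a fixed timer with a little jitter well below 0.1.
    """
    findings = []
    for (client, host), stamps in parse_log(text).items():
        if host in allowlist or len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host,
                             "count": len(stamps), "period_s": avg, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['count']} connections, "
              f"period {f['period_s']:.0f}s, cv {f['cv']:.3f}")
```

Run stand-alone it reports the single periodic pair (10.0.0.7 to update.example-cnc.net, period about 60 s). The result is a triage lead, not proof: the allowlist exists because updaters and time sync look identical statistically, and a bot that randomizes its sleep widely will slip under a fixed `max_cv`, so the threshold is tuned per environment.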

Page 25:

Weaponized Malware

Attacks SCADA systems
  Supervisory Control And Data Acquisition
Causes physical damage
SCADA systems control
  Dams
  Electrical grid
  Nuclear power plants
Cyber War - The Aurora Project
  http://www.youtube.com/watch?v=rTkXgqK1l9A

Page 26:

More Malware Terminology

Downloader
  Single line of code
  Payload from malware
  Instructs the infected computer to download malware from the attacker’s server
Drop
  Clandestine computer or service (e-mail)
  Collects information sent to it from infected machines
  Blind Drop - well hidden, designed to run unattended

Page 27:

More Malware Terminology cont.

Exploit
  Code used to take advantage of a vulnerability in software code or configuration
Form-grabber
  A program that steals information submitted by a user to a web site
Packer
  Tool used to scramble and compress an .exe file
  Hides malicious nature of code
  Makes analysis of the program more difficult
  The unpacking routine must stay in the file, so the original code can be recovered by running the sample in a controlled environment and dumping it from memory

Page 28:

More Malware Terminology cont.

Redirect
  HTTP feature used to forward someone from one web page to another
  Done invisibly with malware
Variant
  Malware produced from the same code base
  Different enough to require a new signature for detection by anti-virus software
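The Packer and Variant definitions on the last two slides describe the same arms race from two sides: scrambling the file breaks a byte signature, and every re-scramble is a new variant that needs a new one. The following is an added example, not part of the original slides. The packer is a toy (a keyed XOR scrambler, with none of the compression or unpacking stub a real packer has), and the payload is constructed text, not real malware. It shows that two variants packed with different keys share no bytes with the signature or with each other, and that a byte-entropy check, a standard "probably packed" heuristic, still flags both.

```python
"""Why packing defeats byte signatures, and one check that survives it.

Added example; not part of the original slides. The packer here is a toy
(a keyed XOR scrambler, without the compression and unpacking stub a real
packer adds), and the payload is constructed text, not real malware. It
shows two things the slides state: a variant packed with a new key no
longer matches the old signature, and the scrambled file has the high
byte entropy that analysts use as a "probably packed" indicator.
"""
import hashlib
import math
from collections import Counter

# Constructed stand-in for a malicious executable's readable strings.
SAMPLE_PAYLOAD = (
    b"CONSTRUCTED SAMPLE, NOT REAL MALWARE: read the browser password store, "
    b"log keystrokes, POST results to drop.example.invalid/collect\n"
) * 12

# A byte signature an anti-virus product might carry for the unpacked sample.
SIGNATURE = b"drop.example.invalid"


def _keystream(key, length):
    """Deterministic pseudo-random bytes from the key (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_pack(payload, key):
    """Scramble payload with key. The key travels with the blob, just as a
    real packer's stub carries everything needed to restore the code."""
    scrambled = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    return bytes([len(key)]) + key + scrambled


def toy_unpack(blob):
    """Reverse toy_pack: what the stub does in memory at run time."""
    key_len = blob[0]
    key, scrambled = blob[1:1 + key_len], blob[1 + key_len:]
    return bytes(c ^ k for c, k in zip(scrambled, _keystream(key, len(scrambled))))


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0: text sits near 4-5, compressed or
    encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data, entropy_threshold=7.0):
    """Signature first, then the entropy heuristic.

    High entropy is only a triage signal: legitimate installers, archives and
    encrypted documents score high too, so a hit means "unpack and inspect",
    not "malicious".
    """
    if SIGNATURE in data:
        return "signature-match"
    if shannon_entropy(data) >= entropy_threshold:
        return "suspicious-high-entropy"
    return "clean"


if __name__ == "__main__":
    variant_a = toy_pack(SAMPLE_PAYLOAD, b"key-a")
    variant_b = toy_pack(SAMPLE_PAYLOAD, b"key-b")
    print("unpacked :", classify(SAMPLE_PAYLOAD), f"entropy {shannon_entropy(SAMPLE_PAYLOAD):.2f}")
    print("variant a:", classify(variant_a), f"entropy {shannon_entropy(variant_a):.2f}")
    print("variant b:", classify(variant_b), f"entropy {shannon_entropy(variant_b):.2f}")
    print("same code once unpacked:", toy_unpack(variant_a) == toy_unpack(variant_b))
```

The two variants are byte-for-byte different files with identical behaviour, which is exactly why signature vendors need a fresh signature per variant while the unpacked code has not changed at all. Entropy catches both here, but it is a coarse net; the dependable approach is the one the packer cannot avoid, letting the stub run (in a sandbox) and examining what it writes back into memory.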

Page 29:

Malware Sources

Malware can be programmed from scratch
  Less likely to be detected by anti-malware programs
Can be purchased
  Malware tools
    Haxdoor, Torpig, Metafisher, Web Attacker
  Tools offered with other services
    Access to botnet, drop sites
  Tools derived from a small stable base of existing code

Page 30:

Frauds Involving Malware

Advertising schemes
  Pay-per-view
  Pay-per-click (“Click Fraud”)
  Pay-per-install
Banking fraud
Identity theft
Spam
Denial-of-service attacks
  DoS extortion

Page 31:

Advertising Schemes

Pay-per-view
  Sell advertising space on controlled web sites
  Command botnet to “view” as many ads as possible
  May have ads download in the background
  Fraudulent commissions generated

Page 32:

Advertising Schemes cont.

Pay-per-click (“Click Fraud”)
  Similar to pay-per-view fraud
  Bots simulate clicks on ads
  Between 5% and 35% of all ad commissions may be fraudulent
Pay-per-install
  Commission paid every time the advertiser’s software is installed
  When installed, notification sent to advertiser
  Infected machines will be instructed to install the advertiser’s software
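The slide explains click fraud from the attacker's side: bots "simulate clicks on ads". The following is an added example, not part of the original slides, showing what the same activity looks like to whoever pays the commissions. It builds a constructed ad-server log (format, publisher ids and addresses are all made up here) and flags a publisher on two signals the description implies: a click-through rate no real audience produces, and clicks concentrated on a couple of source addresses firing faster than anyone reads a page.

```python
"""Spotting bot-driven pay-per-click ("click fraud") in an ad server's log.

Added example; not part of the original slides. The log format, publisher
ids and addresses are constructed. Two signals follow from the slides'
description: a publisher whose click-through rate (CTR) is implausible for
real visitors, and clicks concentrated on a few source addresses that fire
faster than a person reads a page.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

START = datetime(2011, 9, 26, 10, 0, 0)


def build_constructed_log():
    """Constructed sample: one honest publisher, one fraudulent one.

    Line format: "<ISO timestamp> <client ip> <publisher id> <view|click>".
    """
    lines = []
    # pub-legit: 100 distinct visitors, one of them clicks (CTR 1%).
    for i in range(100):
        t = START + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 203.0.113.{i + 1} pub-legit view")
    t = START + timedelta(seconds=30 * 17 + 25)
    lines.append(f"{t.isoformat()} 203.0.113.18 pub-legit click")
    # pub-fraud: 10 visitors view twice each, then two bots click six times
    # each at one-second intervals (CTR 60%, every click from two addresses).
    for i in range(20):
        t = START + timedelta(seconds=45 * i)
        lines.append(f"{t.isoformat()} 198.51.100.{10 + i % 10} pub-fraud view")
    for bot in ("198.51.100.10", "198.51.100.11"):
        for j in range(6):
            t = START + timedelta(minutes=20, seconds=j)
            lines.append(f"{t.isoformat()} {bot} pub-fraud click")
    return lines


def analyze_clicks(lines, max_ctr=0.05, min_clicks=5, max_top2_share=0.5,
                   min_human_gap_s=3.0):
    """Return {publisher: [reasons]} for publishers whose clicks look automated.

    The thresholds are starting points, not industry constants. Display-ad
    CTRs are usually well under 1%, and many legitimate users can share one
    address behind a NAT, so IP concentration alone is weak; the signals
    are meant to be read together.
    """
    stats = defaultdict(lambda: {"views": 0, "clicks": 0,
                                 "click_ips": Counter(),
                                 "click_times": defaultdict(list)})
    for line in lines:
        stamp, ip, pub, event = line.split()
        s = stats[pub]
        if event == "view":
            s["views"] += 1
        elif event == "click":
            s["clicks"] += 1
            s["click_ips"][ip] += 1
            s["click_times"][ip].append(datetime.fromisoformat(stamp))

    findings = {}
    for pub, s in stats.items():
        reasons = []
        if s["clicks"] >= min_clicks:
            ctr = s["clicks"] / max(s["views"], 1)
            if ctr > max_ctr:
                reasons.append(f"CTR {ctr:.0%} exceeds {max_ctr:.0%}")
            top2 = sum(n for _, n in s["click_ips"].most_common(2))
            if top2 / s["clicks"] > max_top2_share:
                reasons.append(f"{top2 / s['clicks']:.0%} of clicks from two addresses")
        for ip, times in s["click_times"].items():
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if len(gaps) >= 3 and median(gaps) < min_human_gap_s:
                reasons.append(f"{ip} clicks every {median(gaps):.1f}s")
        if reasons:
            findings[pub] = reasons
    return findings


if __name__ == "__main__":
    for pub, reasons in analyze_clicks(build_constructed_log()).items():
        print(pub)
        for r in reasons:
            print("  -", r)
```

Run stand-alone it reports only pub-fraud, with four reasons (the CTR, the two-address concentration, and one timing finding per bot). Real click-fraud rings spread clicks across a botnet precisely to defeat the per-address checks, which is why the CTR and the view/click ratios per publisher are the more durable signals, and why the slides' 5% to 35% figure is an estimate rather than something a log can settle.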

Page 33:

Banking Fraud

Banks are a prime target of malware
Malware can allow an attacker to empty the victim’s bank account
Example (September 2009)
  Rewrites online bank statements on the fly
  Covers up theft of funds
  Trojan horse
  Alters HTML code before the browser displays it
Makes use of “Money Mules”

Page 34:

Identity Theft

Phishing & key logging
Recent increase in malware associated with identity theft
Information sent to drop site

Page 35:

Spam

Bots used to send spam
Also shows a dramatic rise
Bots are available for rent for spam purposes
Spam sent can also contain malware

Page 36:

Denial of Service Attacks

Botnet commanded to make requests of a web site
Web site may crash due to heavy traffic
Legitimate traffic blocked
Threat of a DoS attack can be used for extortion
Bots for rent for DoS attacks

Page 37:

Problems for Law Enforcement

Anonymity
Jurisdiction
  Attackers know how difficult international law enforcement is
  Exploit the situation
    Target victims in one country from another country
    Have C&C site and drop site located in a third country
    Use multiple proxies to access C&C site and drop site
    Money gained quickly funneled through online bank accounts and international money transfers

Page 38:

Other Issues

Monetary Threshold
  Must reach a limit before a prosecutor will take the case
  May be hard to prove the exact amount of money involved
  Cyber crimes may be considered a non-priority
Virtual world emboldens individuals
  Less fear of getting caught
  Realization of difficulties in investigating crimes
  Easy money