The history of attacks
TRANSCRIPT
Malware
• Software that is intended to damage or disable computers and computer systems.
• Malware vs. Viruses?
• Types of malware?
Symptoms of Malware
- Increased CPU usage.
- Slow computer or web browser speeds.
- Problems connecting to networks.
- Freezing or crashing.
- Modified or deleted files.
- Appearance of strange files, programs, or desktop icons.
- Programs running, turning off, or reconfiguring themselves (malware will often reconfigure or turn off antivirus and firewall programs).
- Strange computer behavior.
- Emails/messages being sent automatically and without the user's knowledge (a friend receives a strange email from you that you did not send).
Sometimes it is, most of the time it is not. If it is Windows, then it most likely isn't…
Virus
• (1949) John von Neumann's article on "Theory of self-reproducing automata" is published.
• (1971) The Creeper system, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies.
• (1974) The first virus, called "The Rabbit", was written; it made multiple copies of itself until it clogged the system.
• (1986) The Brain computer virus was released. It infected the boot sector of storage media formatted with the FAT (File Allocation Table) file system; it was written in Pakistan.
• (1989) Ghostball, the first multipartite virus, is discovered. It infects both executable .COM files and boot sectors on MS-DOS systems. It did not spread automatically, but it caused threats to privacy, performance issues, and other symptoms.
• (1998) The CIH virus emerges. One of the most damaging viruses, overwriting critical information on infected system drives and sometimes destroying the BIOS.
Worms
• (1975) The term comes from a science fiction story called "The Shockwave Rider" by John Brunner.
• (early 80s) Xerox's Palo Alto Research Center began experimenting with 5 program worms to perform helpful tasks around the network.
• (1988) The Morris Worm was invented and crashed the Internet by exploiting buffer overflow vulnerabilities. It was the first form of attack capable of propagating itself.
Famous worms: Storm Worm, Melissa, ILOVEYOU
Trojans
• They are usually spread by some sort of social engineering.
• Unlike the previous two attacks, they do not propagate.
• If installed or run with elevated privileges, a Trojan will generally have unlimited access.
• BitDefender: Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.
• (1999) NetBus, a software program for remote access to Windows OS. It has been used to plant illegal files on users' computers. The first version was very stealthy, which defined it as a trojan.
• (2007) Zeus, often used to steal banking information as a MitB (man-in-the-browser) or through keystroke logging.
Rootkits
• (1986) The Brain virus used cloaking techniques to hide itself (both trojan and rootkit features): it intercepted attempts to read the boot sector and redirected them elsewhere on the disk.
• (1990) Lane Davis and Steven Dake wrote the earliest known rootkit for SunOS (a UNIX OS).
• (2005) Sony BMG published CDs with copy protection and DRM software called Extended Copy Protection. The software included a music player but silently installed a rootkit to limit the user's ability to access the CD.
DoS and DDoS
• After the story of the Morris worm incident died out, the Internet continued to grow through the early 1990s into a fun place, with lots of free information and services.
• (mid-90s) Remote DoS attack programs first appeared. In order to use these programs, one needed an account on a big computer, on a fast network, to have maximum impact.
• (1995) The first DDoS protest, against the French government's nuclear policy, was implemented by Strano Network.
• (1996) A vulnerability in the TCP/IP stack allowed a flood of packets with only the SYN bit set (SYN flood).
• (1997) The Internet was shut down due to a (non-malicious) false route advertisement by a single router.
• (2002) A DDoS attack on the 13 DNS root servers. The attackers shut down 9 of the 13 servers.
Fragment of the 7007 Explanation and Analogy
We did *not* perform any of this maliciously, I'm not sure that I could duplicate the event if I tried. Anyone who called and got a harsh voice on the phone, well, I sincerely apologize to them individually, but some in particular should not have tried to impersonate a company other than their own *and* should not have started cursing out the NOC tech who answered.
QUESTIONS
Are DoS and DDoS always attacks?
Are cyber protests attacks?
Are there ethical reasons for carrying out a DoS?
Backdoors
• (1983) The film WarGames was released with one of the first examples of a hard-coded user and password combination giving access to a system.
• Many computer worms (e.g., Sobig and Mydoom) installed backdoors on affected computers. In some cases, these backdoors worked to create spam botnets.
• (2014) A backdoor was discovered in certain Samsung Android products. The backdoor provided remote access to the data stored on the device.
Other famous backdoors: pirated copies of WordPress plug-ins, Borland Interbase's backdoor to control all Interbase databases.
An example of a backdoor
A sophisticated attempt to plant a backdoor in the Linux kernel, exposed in November 2003, added a small and subtle code change by subverting the revision control system. In this case, a two-line change appeared to check the root access permissions of a caller to the sys_wait4 function, but because it used assignment (=) instead of equality checking (==), it actually granted the permissions instead of checking them. This difference is easily overlooked, and could even be interpreted as an accidental typographical error rather than an intentional attack.
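As an added illustration of the pattern just described (not the actual 2003 kernel diff: the task struct, the flag values and the function names are assumptions), the intended check and the one-character backdoor side by side in C:

```c
#include <stdio.h>

/* Constructed model of the caller's process descriptor; uid 0 means root.
 * Flag values are placeholders chosen for this illustration only. */
struct task { unsigned int uid; };
#define WCLONE_FLAG 0x80000000u
#define WALL_FLAG   0x40000000u

/* What the change appeared to do: refuse the call when both flags are set
 * and the caller is root.  Equality (==) only reads the uid. */
int wait4_check_intended(struct task *current, unsigned int options)
{
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid == 0))
        return -1;                  /* error path */
    return 0;
}

/* The backdoor: '=' writes 0 into the uid.  The assignment expression
 * evaluates to 0 (false), so the error path is never taken, the call
 * succeeds, and the caller is now root.  The extra parentheses around
 * the assignment also silence gcc's -Wparentheses warning, so a normal
 * build does not flag it. */
int wait4_check_backdoored(struct task *current, unsigned int options)
{
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid = 0))
        return -1;
    return 0;
}

/* Run each variant for an unprivileged caller (uid 1000) that passes the
 * magic option combination, and return the uid afterwards. */
unsigned int uid_after_intended(void)
{
    struct task t = { 1000 };
    wait4_check_intended(&t, WCLONE_FLAG | WALL_FLAG);
    return t.uid;                   /* stays 1000 */
}
unsigned int uid_after_backdoored(void)
{
    struct task t = { 1000 };
    wait4_check_backdoored(&t, WCLONE_FLAG | WALL_FLAG);
    return t.uid;                   /* becomes 0: root */
}

int main(void)
{
    printf("intended check:   uid afterwards = %u\n", uid_after_intended());
    printf("backdoored check: uid afterwards = %u\n", uid_after_backdoored());
    return 0;
}
```

Reviewing for assignments inside conditions (or compiling with -Wall and rejecting parenthesised assignments used as truth values) is the kind of check that catches this class of change.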
Botnets
• They usually serve two purposes: either to carry out DDoS attacks or to send spam messages.
• Bots, however, can be used for many other things, such as adware, spyware, click fraud, and brute force attacks.
• (2004) Bagle, a mass-mailing computer worm affecting all Microsoft Windows versions, which used a spam botnet to propagate. It included around 230,000 bots that sent roughly 5.7 billion spam messages.
• (2008) Mariposa, a cyberscamming and DoS botnet with up to 12 million bots with unique IPs. It used a malicious program to monitor activity for passwords and credit cards.
• (2010) Zeus uses keyloggers to steal banking information. It was spread mainly through drive-by downloads and phishing. It currently affects over 3.6 million unique IPs in the US alone.
Steps involved in spam botnet creation
1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application: the bot.
2. The bot on the infected PC logs into a particular C&C server.
3. A spammer purchases the services of the botnet from the operator.
4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.
Stuxnet
• It is considered a computer worm introduced by USB drives.
• Anonymous US officials claimed to the Washington Post that the worm was developed during the Obama administration to sabotage Iran's nuclear program.
• It specifically targets PLCs (Programmable Logic Controllers), exploiting four zero-day vulnerabilities.
• It targeted Windows OS and Siemens Step 7 software.
• It has three modules: a worm (executes all routines), a link file (executes the propagated copies of the worm), and a rootkit (hides all malicious files and processes).
• There is a lot of controversy about its originality and complexity.
Flame
• It was discovered in 2012 and it also attacks Windows OS. Considered by many the most complex malware ever found. The size of its program is 20 MB.
• The program is being used for targeted cyber-espionage in Middle Eastern countries.
• It can spread to other systems over a LAN or a USB stick.
• It can record audio, keyboard activity, screenshots, network traffic, and Skype conversations.
• Although no official statements have been issued, it has been claimed to be written by the US National Security Agency and Israel's military. There's little doubt about it being a nation-state sponsored attack.
Keyloggers
• (1983) The first documented keylogger was written by Perry Kivolowitz and posted to the Usenet news group.
• (1970s) Spies installed keystroke loggers in typewriters in the US Embassy and Consulate buildings in Moscow.
• (2000) The FBI used FlashCrest iSpy to obtain the PGP passphrase of Nicodemo Scarfo Jr., son of a mob boss.
• (2001) The FBI creates Magic Lantern, keystroke logging software that can be installed remotely, via e-mail attachment, or by exploiting common OS vulnerabilities.