The History of Attacks
By Robin Gonzalez


Posted on 15-Mar-2018



Malware  

•  Software that is intended to damage or disable computers and computer systems.

•  Malware  vs.  Viruses?  

•  Types  of  malware?  

Symptoms of Malware
-  Increased CPU usage.
-  Slow computer or web browser speeds.
-  Problems connecting to networks.
-  Freezing or crashing.
-  Modified or deleted files.
-  Appearance of strange files, programs, or desktop icons.
-  Programs running, turning off, or reconfiguring themselves (malware will often reconfigure or turn off antivirus and firewall programs).
-  Strange computer behavior.
-  Emails/messages being sent automatically and without the user's knowledge (a friend receives a strange email from you that you did not send).

Sometimes it is, most of the time it is not. If it is Windows, then it most likely isn't…

QUESTION: Should we have all these terms for malware?

Malware evolution

Virus
•  (1949) John von Neumann's article on "Theory of self-reproducing automata" is published.
•  (1971) The Creeper system, an experimental self-replicating program, is written by Bob Thomas at BBN Technologies.
•  (1974) The first virus, called "The Rabbit", was written; it made multiple copies of itself until it clogged the system.
•  (1986) The Brain computer virus was released. It infected the boot sector of storage media formatted with the FAT (File Allocation Table) file system. It was written in Pakistan.
•  (1989) Ghostball, the first multipartite virus, is discovered. It infects both executable .COM files and boot sectors on MS-DOS systems. It did not spread automatically, but it caused threats to privacy, performance issues, and other symptoms.
•  (1998) The CIH virus emerges. One of the most damaging viruses, overwriting critical information on infected system drives and sometimes destroying the BIOS.

Worms
•  (1975) The term comes from a science fiction story called "The Shockwave Rider" by John Brunner.
•  (early 80s) Xerox's Palo Alto Research Center began experimenting with five program worms to perform helpful tasks around the network.
•  (1988) The Morris Worm was written and crashed the Internet by exploiting buffer overflow vulnerabilities. It was the first form of attack capable of propagating itself.

Famous worms: Storm Worm, Melissa, ILOVEYOU

Trojans
•  They are usually spread by some sort of social engineering.
•  Unlike the previous two attacks, they do not propagate.
•  If installed or run with elevated privileges, a Trojan will generally have unlimited access.
•  BitDefender: Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.
•  (1999) NetBus, a software program for remote access to Windows OS. It has been used to plant illegal files on users' computers. The first version was very stealthy, which defined it as a trojan.
•  (2007) Zeus, often used to steal banking information as a MitB (man-in-the-browser) or by keystroke logging.

Rootkits
•  (1986) The Brain virus used cloaking techniques to hide itself (both trojan and rootkit features): it intercepted attempts to read the boot sector and redirected them elsewhere on the disk.
•  (1990) Lane Davis and Steven Dake wrote the earliest known rootkit, for SunOS (a UNIX OS).
•  (2005) Sony BMG published CDs with copy protection and DRM software called Extended Copy Protection. The software included a music player but silently installed a rootkit to limit the user's ability to access the CD.

DoS and DDoS
•  After the story of the Morris worm incident died out, the Internet continued to grow through the early 1990s into a fun place, with lots of free information and services.
•  (mid-90s) Remote DoS attack programs first appeared. In order to use these programs, one needed an account on a big computer on a fast network to have maximum impact.
•  (1995) The first DDoS protest, against the French government's nuclear policy, was carried out by Strano Network.
•  (1996) A vulnerability in the TCP/IP stack allowed a flood of packets with only the SYN bit set (SYN flood).
•  (1997) The Internet was shut down due to a (nonmalicious) false route advertisement by a single router.
•  (2002) A DDoS attack on the 13 DNS root servers. The attackers shut down 9 of the 13 servers.

Fragment of the 7007 Explanation and Analogy

We did *not* perform any of this maliciously; I'm not sure that I could duplicate the event if I tried. Anyone who called and got a harsh voice on the phone, well, I sincerely apologize to them individually, but some in particular should not have tried to impersonate a company other than their own *and* should not have started cursing out the NOC tech who answered.

QUESTIONS
Are DoS and DDoS always attacks?
Are cyber protests attacks?
Are there ethical reasons for doing a DoS?

Backdoors
•  (1983) The film WarGames was released with one of the first examples of a hard-coded user and password combination giving access to a system.
•  Many computer worms (e.g., Sobig and Mydoom) installed backdoors on affected computers. In some cases, these backdoors were used to create spam botnets.
•  (2014) A backdoor was discovered in certain Samsung Android products. The backdoor, in proprietary device software, provided remote access to the data stored on the device.

Other famous backdoors: pirated copies of WordPress plug-ins, Borland Interbase's backdoor to control all Interbase databases.

An example of a backdoor

A sophisticated attempt to plant a backdoor in the Linux kernel, exposed in November 2003, added a small and subtle code change by subverting the revision control system. In this case, a two-line change appeared to check the root access permissions of a caller to the sys_wait4 function, but because it used assignment (=) instead of equality checking (==), it actually granted the permissions rather than checking them. This difference is easily overlooked, and could even be interpreted as an accidental typographical error rather than an intentional attack.
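The `=`/`==` pattern described above, as an added user-space illustration (this is not the 2003 kernel change, whose code is not reproduced here): a hypothetical `struct caller`, a constructed `OPT_TRIGGER` flag standing in for the real option bits, and two check functions, one with the assignment typo and one with the intended comparison.

```c
/* Added illustration of the assignment-vs-equality backdoor pattern.
 * All names here (struct caller, OPT_TRIGGER, the check functions) are
 * hypothetical stand-ins, not the real sys_wait4 code. */
#include <stdio.h>

#define ROOT_UID    0     /* uid 0 is root, as on UNIX */
#define OPT_TRIGGER 0x3   /* constructed stand-in for the "magic" option flags */

struct caller {
    int uid;
};

/* Backdoored form: '=' ASSIGNS 0 to uid (making the caller root) whenever
 * the option flags match. The assignment evaluates to 0, so the whole
 * condition is false, nothing is rejected, and only the side effect remains.
 * The extra parentheses around the assignment also silence GCC's
 * -Wparentheses warning, which is why the change could pass as a typo. */
int check_caller_backdoored(struct caller *c, int options)
{
    int retval = 0;
    if ((options == OPT_TRIGGER) && (c->uid = ROOT_UID))
        retval = -1;      /* "reject": never reached */
    return retval;
}

/* Intended form: '==' only compares. Taking the caller as const means the
 * '=' variant would not even compile here, one cheap defence against
 * this bug class (besides review and static analysis). */
int check_caller_fixed(const struct caller *c, int options)
{
    int retval = 0;
    if ((options == OPT_TRIGGER) && (c->uid == ROOT_UID))
        retval = -1;      /* reject a root caller using the trigger flags */
    return retval;
}

int main(void)
{
    struct caller a = { .uid = 1000 }, b = { .uid = 1000 };
    int r1 = check_caller_backdoored(&a, OPT_TRIGGER);
    int r2 = check_caller_fixed(&b, OPT_TRIGGER);
    printf("backdoored: retval=%d uid=%d (caller silently became root)\n", r1, a.uid);
    printf("fixed:      retval=%d uid=%d (uid untouched)\n", r2, b.uid);
    return 0;
}
```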

Botnets
•  They usually serve two purposes: either to create DDoS attacks or to send spam messages.
•  Bots, however, can be used for many other things, such as adware, spyware, click fraud, and brute force attacks.
•  (2004) Bagle, a mass-mailing computer worm affecting all Microsoft Windows versions, which used a spam botnet to propagate. It included around 230,000 bots that sent roughly 5.7 billion spam messages.
•  (2008) Mariposa, a cyberscamming and DoS botnet with up to 12 million bots with unique IPs. It used a malicious program to monitor activity for passwords and credit cards.
•  (2010) Zeus uses keyloggers to steal banking information. It was spread mainly through drive-by downloads and phishing. It currently affects over 3.6 million unique IPs in the US alone.

Steps involved in spam botnet creation

1.  A botnet operator sends out viruses or worms, infecting ordinary users' computers; the payload is a malicious application: the bot.
2.  The bot on the infected PC logs into a particular C&C server.
3.  A spammer purchases the services of the botnet from the operator.
4.  The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.

Stuxnet
•  It is considered a computer worm, introduced by USB drives.
•  Anonymous US officials claimed to the Washington Post that the worm was developed during the Obama administration to sabotage Iran's nuclear program.
•  It specifically targets PLCs (Programmable Logic Controllers), exploiting four zero-day vulnerabilities.
•  It targeted Windows OS and Siemens Step 7 software.
•  It has three modules: a worm (executes all routines), a link file (executes the propagated copies of the worm), and a rootkit (hides all malicious files and processes).
•  There is a lot of controversy about its originality and complexity.

Flame
•  It was discovered in 2012 and it also attacks Windows OS. Considered by many the most complex malware ever found. The size of its program is 20 MB.
•  The program is being used for targeted cyber-espionage in Middle Eastern countries.
•  It can spread to other systems over LAN or a USB stick.
•  It can record audio, keyboard activity, screenshots, network traffic, and Skype conversations.
•  Although no official statements have been issued, it has been claimed to be written by the US National Security Agency and Israel's military. There's little doubt about it being a nation-state sponsored attack.

Keyloggers
•  (1983) The first documented keylogger was written by Perry Kivolowitz and posted to the Usenet news group.
•  (1970s) Spies installed keystroke loggers in typewriters in the US Embassy and Consulate buildings in Moscow.
•  (2000) The FBI used FlashCrest iSpy to obtain the PGP passphrase of Nicodemo Scarfo Jr., son of a mob boss.
•  (2001) The FBI creates Magic Lantern, keystroke logging software that can be installed remotely, via e-mail attachment, or by exploiting common OS vulnerabilities.

Chernobyl (CIH) in action

youtube.com/watch?v=RrnWFAx5vJg