internet vulnerabilities & criminal activities malware 3.2 9/26/2011
Internet Vulnerabilities & Criminal Activities
Malware 3.2
9/26/2011
Malware
Malicious software designed to gain access to information and/or resources without the knowledge or consent of the end user
Malware History
- 1981 - First Apple II virus in the wild
- 1983 - Fred Cohen coins term “virus”
- 1986 - First PC virus
- 1988 - Morris Internet worm
- 1990 - First polymorphic virus
- 1991 - Virus Construction Set
- 1994 - Good Times virus hoax
- 1995 - First macro virus
- 1998 - Back Orifice tool released
Malware History cont.
- 1999 - Melissa virus / worm
- 1999 - Tribe Flood Network - DDoS tool
- 2001 - Code Red worm
- 2001 - Nimda worm
- 2003 - Slammer worm
- 2004 - Sobig & Sasser worms
- 2007 - Storm worm / Zeus botnet tool
- 2008 - Conficker worm
- 2010 - Stuxnet - weaponized malware
Malware Trends
- Increasing complexity & sophistication
- Acceleration of the rate of release of innovative tools & techniques
- Movement from viruses to worms to kernel-level exploitations
Malware can be:
- “Proof of concept”
  - Created to prove it can be done
  - Not found outside of laboratory environment
  - If code available, can be used by others
- “In the Wild”
  - Found on computers in everyday use
Traditional Categories of Malware
- Virus
- Worm
- Malicious Mobile Code
- Backdoor
- Trojan Horse
- Rootkit
- Combination Malware - Malware “Cocktail”
Virus
- Infects a host file
- Self-replicates
- Requires human interaction to replicate
- Examples:
  - Michelangelo
  - Melissa
Worm
- Spreads across a network
- Does not require human interaction to spread
- Self-replicating
- Examples:
  - Morris Worm
  - Code Red
  - Slammer
Malicious Mobile Code
- Lightweight program downloaded from a remote source and executed locally
- Minimal human interaction
- Written in JavaScript, VBScript, ActiveX, or Java
- Example:
  - Cross Site Scripting
Backdoor
- Bypasses normal security controls
- Gives attacker access to user’s system
- Examples:
  - Netcat
  - Back Orifice
  - Sub 7
Trojan Horse
- Program that disguises its hidden malicious purpose
- Appears to be a harmless game or screensaver
- Used for spyware & backdoors
- Not self-replicating
Rootkit
- Replaces or modifies programs that are part of the operating system
- Two levels:
  - User-level
  - Kernel-level
- Examples:
  - Universal Rootkit
  - Kernel Intrusion System
Combination Malware
- Uses a combination of various techniques to increase effectiveness
- Examples:
  - Lion
  - Bugbear.B
  - Stuxnet
Malware Distribution
- Attachments
  - E-mail and Instant Messaging
- Piggybacking
  - Malware added to legitimate program
  - Adware, spyware
  - EULA - End User License Agreement
- Internet Worms
  - Exploit security vulnerability
  - Used to install backdoors
- Web Browser Exploit
  - Malware added to legitimate web site
  - Cross-site scripting & SQL Injection
  - Visitors to web site may be infected
  - Drive-by malware
Malware Distribution cont.
- Hacking
  - Too labor intensive for large crime operations
  - May be used to compromise DNS server
- Affiliate Marketing
  - Web site owner paid 8¢ to 50¢ per machine to install malware on a visitor’s computer
- Mobile Devices
  - Transfer via Bluetooth
Malware Activity
- Adware
- Spyware
- Hijacker
- Toolbars
- Dialers
- Rogue Security Software
- Bots
Adware
- Displays ads on infected machine
- Ad format can be:
  - Pop-ups
  - Pop-unders
  - Embedded in programs
  - On top of web site ads
- More annoying than dangerous
Spyware
- Sends information about infected computer to someone, somewhere:
  - Web sites surfed
  - Terms searched for
  - Information from web forms
  - Files downloaded
  - Search hard drive for files installed
  - E-mail address book
  - Browser history
  - Logon names, passwords, credit card numbers
  - Any other personal information
Hijacker
- Takes control of web browser:
  - Home page
  - Search engines
  - Search bar
  - Redirect sites
  - Prevent some sites from loading
- IE vulnerable
Toolbars
- Plug-ins to IE
  - Google
  - Yahoo
- Attempt to emulate legitimate toolbars
- Installed via underhanded means
  - Adware or Spyware
- Acts as a keystroke logger
Dialers
- Alters modem connections and ISDN cards
- Once installed, will dial 1-900 numbers or other premium-rate numbers
- Runs up end-user’s phone bill & provides revenue for criminal enterprise
- Targets MS Windows
Rogue Security Software
- Usually delivered via a Trojan horse
- Uses social engineering techniques to get user to install
  - Fake warnings that computer is infected
  - Fake video of machine crashing
- Disables anti-virus and anti-spyware programs
- Alters computer system so the rogue software cannot be removed
Bots
- Allows attacker remote access to a computer
- When end-user is online, computer contacts Command & Control (C&C) site
- Bot will then perform whatever commands are received from the C&C
- Some things botnets are used for:
  - Distributed Denial of Service (DDoS) attacks
  - Spam
  - Hosting contraband such as child porn
  - Other illegal fraud schemes
Weaponized Malware
- Attacks SCADA systems
  - Supervisory Control And Data Acquisition
- Causes physical damage
- SCADA systems control:
  - Dams
  - Electrical grid
  - Nuclear power plants
- Cyber War - The Aurora Project: http://www.youtube.com/watch?v=rTkXgqK1l9A
More Malware Terminology
- Downloader
  - Single line of code
  - Payload from malware
  - Instructs infected computer to download malware from attacker’s server
- Drop
  - Clandestine computer or service (E-mail)
  - Collects information sent to it from infected machines
  - Blind Drop - well hidden, designed to run unattended
More Malware Terminology cont.
- Exploit
  - Code used to take advantage of a vulnerability in software code or configuration
- Form-grabber
  - A program that steals information submitted by a user to a web site
- Packer
  - Tool used to scramble and compress an .exe file
  - Hides malicious nature of code
  - Makes analysis of program more difficult
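Because a packer compresses or scrambles the original code, the packed region of the file looks close to random, and that is exactly what an analyst can measure. The following is an added example, not part of the slides: a Shannon-entropy scan that walks a file in fixed-size chunks and flags the high-entropy ones. The two "images" it scans are constructed byte strings (a text-heavy unpacked one and a pseudo-random packed one built from SHA-256 digests so the run is deterministic), and the 7.0-bit threshold and 50% ratio are assumed rules of thumb rather than values from the lecture.

```python
# Added example: entropy heuristic for spotting packed/encrypted executables.
# Not from the slides; samples and thresholds are constructed/assumed.
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value,
    8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(data).values())


def scan_sections(blob: bytes, chunk_size: int = 1024, threshold: float = 7.0):
    """Slide a window over the file and flag chunks whose entropy is at or
    above the threshold. Compressed or encrypted payloads sit near 8.0;
    native code and string tables usually land well below 7 (assumed rule
    of thumb; tune the threshold against your own clean-file corpus)."""
    report = []
    for offset in range(0, len(blob), chunk_size):
        chunk = blob[offset:offset + chunk_size]
        h = shannon_entropy(chunk)
        report.append((offset, round(h, 2), h >= threshold))
    return report


def looks_packed(blob: bytes, threshold: float = 7.0, min_ratio: float = 0.5) -> bool:
    """Heuristic verdict: True when at least min_ratio of the chunks are
    high-entropy. A packer leaves only a small unpacking stub in the clear,
    so most of a packed image scores high while a normal binary does not."""
    report = scan_sections(blob, threshold=threshold)
    if not report:
        return False
    flagged = sum(1 for _, _, hot in report if hot)
    return flagged / len(report) >= min_ratio


# Constructed samples (not real executables, not malware):
#  - UNPACKED_IMAGE: repetitive text, the kind of content a string table holds
#  - PACKED_IMAGE: a 1 KiB constructed "unpacking stub" followed by 8 KiB of
#    pseudo-random bytes standing in for the compressed payload
UNPACKED_IMAGE = b"This program cannot be run in DOS mode.\r\n" * 100
STUB = b"\x55\x89\xe5\x83\xec\x10\xeb\x00" * 128        # 1024 bytes, 8 distinct values
PACKED_IMAGE = STUB + b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))


if __name__ == "__main__":
    for name, blob in (("unpacked", UNPACKED_IMAGE), ("packed", PACKED_IMAGE)):
        print(f"{name}: looks packed = {looks_packed(blob)}")
        for offset, h, hot in scan_sections(blob):
            print(f"  offset {offset:6d}  entropy {h:4.2f}  {'HIGH' if hot else ''}")
```

Entropy alone is a triage signal, not a verdict: legitimately compressed resources, embedded images and signed installers also score high, which is why the verdict above asks what fraction of the file is hot rather than reacting to a single chunk.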
More Malware Terminology cont.
- Redirect
  - HTTP feature
  - Used to forward someone from one web page to another
  - Done invisibly with malware
- Variant
  - Malware produced from the same code base
  - Different enough to require new signature for detection by anti-virus software
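Why a variant forces a new signature depends on what kind of signature the anti-virus product uses. The following added example (not from the slides) contrasts an exact-file hash signature with a byte-pattern signature over three constructed byte strings: the original sample, a variant that keeps the family's shared code but changes its configuration, and a re-scrambled build where even the shared code differs. The "family code" bytes, the configuration strings and the signature names are all made up for the illustration.

```python
# Added example: how variants interact with hash vs. byte-pattern signatures.
# All samples are constructed byte strings, not real malware.
import hashlib
import re

# Bytes shared by every build of the (fictional) family, e.g. its loader routine.
FAMILY_CODE = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x05\x10\x40\x00"

ORIGINAL = b"MZ" + FAMILY_CODE + b"cfg:v1;drop=drop.example.invalid"
# Variant: same code base, only the embedded configuration changed.
VARIANT = b"MZ" + FAMILY_CODE + b"cfg:v2;drop=other.example.invalid"
# Re-scrambled build: the shared code itself is transformed (XOR with a
# constructed key), so the old byte pattern is gone too.
REPACKED = b"MZ" + bytes(x ^ 0x5A for x in FAMILY_CODE) + b"cfg:v3"

# Signature database as a defender would hold it after analysing ORIGINAL.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}
PATTERN_SIGNATURES = {"fam-loader": re.compile(re.escape(FAMILY_CODE))}


def match_hash(sample: bytes) -> bool:
    """Exact-file signature: fires only on a byte-identical sample."""
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


def match_patterns(sample: bytes) -> list:
    """Content signature: fires when a known code sequence appears anywhere."""
    return sorted(name for name, rx in PATTERN_SIGNATURES.items()
                  if rx.search(sample))


def classify(sample: bytes) -> str:
    """'hash' if the exact-file signature fires, 'pattern' if only a
    code-pattern signature fires, 'miss' if neither (new signature needed)."""
    if match_hash(sample):
        return "hash"
    if match_patterns(sample):
        return "pattern"
    return "miss"


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("variant", VARIANT),
                         ("repacked", REPACKED)):
        print(f"{name:9s} -> {classify(sample)}  patterns={match_patterns(sample)}")
```

Running it shows the three outcomes the slide is describing: the original sample hits the hash signature, the configuration-only variant escapes the hash but is still caught by the pattern on the shared code, and the re-scrambled build escapes both, which is the case where the vendor has to ship a new signature (or fall back on behavioural detection).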
Malware Sources
- Malware can be programmed from scratch
  - Less likely to be detected by anti-malware programs
- Can be purchased
  - Malware tools: Haxdoor, Torpig, Metafisher, Web Attacker
  - Tools offered with other services: access to botnet, drop sites
  - Tools derived from small stable base of existing code
Frauds Involving Malware
- Advertising schemes
  - Pay-per-view
  - Pay-per-click (“Click Fraud”)
  - Pay-per-install
- Banking fraud
- Identity theft
- Spam
- Denial-of-service attacks
  - DoS extortion
Advertising Schemes
- Pay-per-view
  - Sell advertising space on controlled web sites
  - Command botnet to “view” as many ads as possible
  - May have ads download in the background
  - Fraudulent commissions generated
Advertising Schemes cont.
- Pay-per-click (“Click Fraud”)
  - Similar to Pay-per-view fraud
  - Bots simulate clicks on ads
  - Between 5% and 35% of all ad commissions may be fraudulent
- Pay-per-install
  - Commission paid every time the advertiser’s software is installed
  - When installed, notification sent to advertiser
  - Infected machines will be instructed to install advertiser’s software
Banking Fraud
- Banks are a prime target of malware
- Malware can allow attacker to empty victim’s bank account
- Example (September 2009):
  - Rewrites online bank statements on the fly
  - Covers up theft of funds
  - Trojan horse
  - Alters HTML code before browser displays it
- Makes use of “Money Mules”
Identity Theft
- Phishing & key logging
- Recent increase in malware associated with identity theft
- Information sent to drop site
Spam
- Bots used to send spam
- Also shows dramatic rise
- Bots are available for rent for spam purposes
- Spam sent can also contain malware
Denial of Service Attacks
- Botnet commanded to make requests of a web site
- Web site may crash due to heavy traffic
- Legitimate traffic blocked
- Threat of DoS attack can be used for extortion
- Bots for rent for DoS attacks
Problems for Law Enforcement
- Anonymity
- Jurisdiction
  - Attackers know how difficult international law enforcement is
  - Exploit the situation:
    - Target victims in one country from another country
    - Have C&C site and drop site located in a third country
    - Use multiple proxies to access C&C site and drop site
    - Money gained quickly funneled through online bank accounts and international money transfers
Other Issues
- Monetary threshold
  - Must reach a limit before prosecutor will take case
  - May be hard to prove exact amount of money involved
  - Cyber crimes may be considered a non-priority
- Virtual world emboldens individuals
  - Less fear of getting caught
  - Realization of difficulties in investigating crimes
  - Easy money