Know thy enemy: what do attackers want? (ucrnael/ee260/lectures/lec03.pdf, transcript)
2
UCR
Plan for this class
• This is a digression for us, but a useful one I hope
  - Looking up; the rest of the quarter will be looking down
• Learn a bit about what it is that attackers want and the cost of cybercrime
• Malware and its economy:
  - Torpig paper: a botnet from the inside
  - Pay-per-install paper (briefly): insight into the malware ecosystem
  - Mobile malware paper: what is happening in the mobile space?
  - Pay-per-exploit: yet another model
  - Cost of cybersecurity: what is the cost to us?
  - Shadow communication networks
3
Malware: some terminology
• Malware: unwanted software that is used to perform unauthorized, usually harmful, actions on a computing device.
• Different types: viruses, worms, trojans, rootkits, botnets, …
5
TORPIG BOTNET TAKEOVER
Based on "Your Botnet is my Botnet: Analysis of a Botnet Takeover", Stone-Gross et al. (UCSB), CCS 2009
6
Bots and Botnets
• Bot: autonomous program performing tasks
• Benign bots
  - First bots appeared on IRC channels
  - Basically scripts that react to events and offer useful services
  - E.g., the Eggdrop bot used to manage channels when the operator is away
• Malicious IRC bots
  - Takeover wars between channels
  - Spam / flooding / trash talking
  - Denial of service
  - IRC proxies to hide origin
7
Bots/Botnets today
• Malware (backdoor/trojan) running on compromised machines
• Remotely controlled by criminal entities who control networks of bots
  - Called Botnets
• Botnets have grown to be a main vehicle for carrying out cybercrime
  - Mostly for financial motivation
• Different business models
8
Botnet creation
• Network worm
  - Using exploits such as those we covered last class
• Email attachments
• Trojan version of a program (repackaged app, etc.)
• Drive-by download from a malicious or compromised site
  - Also using exploits such as those we covered last class
• Existing backdoor from a previous infection
• Often bought as a service (pay per install / exploit as a service)
11
Torpig uses Mebroot
• Rootkit distributed by the Neosploit exploit kit
• Spread via drive-by downloads: a hidden iframe on a website executes obfuscated JavaScript to download Mebroot onto the victim's machine
• Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)
• Easy-to-use tool, sold for $$$; Torpig one of their clients
13
Studying Botnets
• Passive analysis, e.g.:
  - Collected spam mails that were likely sent by bots
  - DNS queries or DNS blacklist queries
  - Analyzed network traffic (netflow data) at the tier-1 ISP
• Active approach to study botnets is via infiltration.
  - Using an actual malware sample or a client simulating a bot, researchers join a botnet to perform analysis from the inside.
  - To achieve this, honeypots, honeyclients, or spam traps are used to obtain a copy of a malware sample.
14
Monetization
• Uses a man-in-the-browser phishing attack to get sensitive information
  - When you visit a domain in its configuration file (typically, a banking website), Torpig issues a request to an injection server.
  - User visits the trigger page. At that time, Torpig requests the injection URL from the injection server and injects the returned content into the user's browser.
16
Domain flux: Botnet resilience
• Administrators could detect the botnet C&C server and block it
• Botnet authors use IP fast-flux techniques to avoid that.
  - Bots query a certain domain that is mapped onto a set of IP addresses, which change frequently.
• However, fast-flux uses only a single domain name, which constitutes a single point of failure
  - Block it at the DNS level
  - How do you think botnet developers reacted?
17
Domain flux
• Torpig uses a Domain Generation Algorithm (DGA) to change the domain name
  - If a domain is blocked, the bot simply rolls over to the following domain in the list.
• Using the generated domain name dw, a bot appends a number of TLDs: in order, dw.com, dw.net, and dw.biz.
• If none is available, it switches to a daily name (changes every day)
• Modern botnets like Conficker generate 50,000 domains per day and introduce non-determinism in their generation algorithm.
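The rollover pattern described above (the same generated label tried under .com, .net and .biz when each is blocked) is visible in resolver logs. The following is an added example, not code from the lecture or the paper: a Python check over constructed DNS log lines that flags clients walking that TLD sequence with NXDOMAIN answers on high-entropy labels. The log field layout and the entropy threshold are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines (not real traffic).
# Assumed layout: timestamp client qname rcode
SAMPLE_LOG = """\
1233532801 10.0.0.7 www.example.com NOERROR
1233532802 10.0.0.7 qzxkvtrpnw.com NXDOMAIN
1233532803 10.0.0.7 qzxkvtrpnw.net NXDOMAIN
1233532804 10.0.0.7 qzxkvtrpnw.biz NXDOMAIN
1233532805 10.0.0.7 mail.example.org NOERROR
1233532806 10.0.0.9 ucr.edu NOERROR
1233532807 10.0.0.9 bank.example.com NOERROR
"""

TLD_ROLLOVER = ("com", "net", "biz")  # the order the slide says Torpig tries

def shannon_entropy(label):
    """Entropy in bits per character of a DNS label; random-looking DGA labels score high."""
    freq = defaultdict(int)
    for ch in label:
        freq[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in freq.values())

def parse_log(text):
    """Yield (timestamp, client, second-level label, tld, rcode) per log line."""
    records = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        parts = qname.lower().rstrip(".").split(".")
        if len(parts) < 2:  # bare hostnames carry no TLD; skip them
            continue
        records.append((int(ts), client, parts[-2], parts[-1], rcode))
    return records

def find_rollover_clients(text, min_entropy=3.0):
    """Return {client: [label, ...]} for clients that queried the same high-entropy
    label under every rollover TLD and received NXDOMAIN each time (the blocked case)."""
    seen = defaultdict(set)  # (client, label) -> TLDs answered NXDOMAIN
    for _ts, client, label, tld, rcode in parse_log(text):
        if rcode == "NXDOMAIN" and tld in TLD_ROLLOVER:
            seen[(client, label)].add(tld)
    hits = defaultdict(list)
    for (client, label), tlds in seen.items():
        if tlds == set(TLD_ROLLOVER) and shannon_entropy(label) >= min_entropy:
            hits[client].append(label)
    return dict(hits)
```

A deterministic DGA that the defender has reversed lets the check be stricter (match against the expected daily list); the entropy heuristic here is the fallback when the algorithm is not yet known.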
18
Taking control of the Botnet
• Reverse engineered the Domain Generation Algorithm
• Registered the .com and .net domains that were to be used by the botnet for three consecutive weeks, from January 25th, 2009 to February 15th, 2009.
• However, on February 4th, 2009, the Mebroot controllers distributed a new Torpig binary that updated the domain algorithm.
• Controlled the botnet for 10 days and collected over 8.7 GB of Apache log files and 69 GB of pcap data.
19
Is this ethical? Protecting Victims
• PRINCIPLE 1.
  - The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.
• PRINCIPLE 2.
  - The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.
20
Botnet analysis
• ~180,000 active bots
• The submission header and the body are encrypted using the Torpig encryption algorithm.
27
Threats and data analysis (cont.)
• Symantec indicated ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000. If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83K and $8.3M.
29
Threats and data analysis (cont.)
• 173,686 unique passwords recorded, 40% cracked in less than 75 minutes
• 28% of users exhibited password reuse
30
Conclusion
• A comprehensive analysis of the operations of the Torpig botnet.
• Interesting takeover by reverse engineering the DGA
• Big financial opportunity: up to 83 mil
• IPs grossly overestimate botnet size.
• Victims of botnets are often users with poorly maintained machines and easily guessable passwords
31
Next, let's look at PPI
• Modern botnets monetize by selling installs
• They also buy machines from affiliates
• Affiliates also have their own markets to get machines
  - Buy exploits or exploit kits
  - Buy traffic generation services
  - Etc.
• Talk from Usenix 2011
32
Exploit as a Service (EaaS)
• Another business model
  - PPI decoupled malware distribution from monetization
  - EaaS decouples the exploit from distribution and monetization
• Relies on drive-by download
  - Exploit kits used to attack browsers
• Criminal either
  - Buys an exploit kit
  - Rents pre-configured exploit servers
34
Marketplace for Vulnerabilities
Option 1: bug bounty programs (many)
• Google Vulnerability Reward Program: up to $20K
• Microsoft Bounty Program: up to $100K
• Mozilla Bug Bounty program: $7,500
• Pwn2Own competition: $15K
Option 2:
• Zero Day Initiative (ZDI), iDefense: $2K–$25K
37
Similar evolution in different spheres
• Advanced persistent threats (APT)
• Large-scale hacking efforts targeted at governments or large organizations
• National cyberattack, not just defense
• Huge headache at the national level
• Cyberattacks listed by the US secretary of homeland defense as the biggest national threat, ahead of terrorism
• E.g., a few months ago, an attack from China stole the fingerprints of 25% of federal employees in the US
38
Mobile Malware in the Wild
Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steven Hanna and David Wagner
UC Berkeley
SPSM 2011
39
Objectives of paper
• Understand motives of mobile malware "in the wild"
• Context
  - Study spans 2009 to 2011
  - Smartphone market transitioning from being Nokia/Symbian dominated to having today's mix of Android/iOS replacing Symbian
  - For-profit malware starting to appear
40
Introduction
• Mobile malware is fairly recent
  - July 2004: Cabir virus came out on Symbian
  - August 2010: FakePlayer on Android
  - July 2012: Find and Call on iOS
• Evolving rapidly
  - Amusement
  - Credential theft
  - SMS spam
  - Ransomware
41
Threat model
• Three types of threats
  - Malware
  - Personal spyware
  - Grayware
• Security measures
  - Markets
  - Permissions
• Root exploits and jailbreaking
  - Root exploits developed for users to bypass manufacturer limitations
  - But used by both users and adversaries
  - Can bypass defenses
43
Background: Application Markets
• Apple App Store
  - All applications are reviewed by Apple
  - iOS devices can only obtain apps through here, unless jailbroken
• Google Play (Android Market)
  - Some applications may be reviewed
  - Does not restrict installing apps from other markets
• Symbian Ovi
  - Security automatically reviewed by a program
  - Risky applications are reviewed by a human
  - Can install apps from other markets
44
Methodology
• Analyzed information about 46 malware samples that spread between Jan. 2009 and June 2011
  - 4: iOS
  - 24: Symbian
  - 18: Android
• Information from anti-virus companies and news sources
• Omitted spyware and grayware
46
Novelty and Amusement
• Minor damage
  - Changing wallpapers, sending annoying SMS
• A preliminary type of malware
  - Expected to decrease in number
47
Selling User Information
• Personal information obtained via API calls
  - Location, contacts, history, IMEI
• Information can be sold for advertisement
  - $1.90 to $9.50 per user per month
• IMEI information can be used to spoof blacklisted phones
48
Stealing User Credentials
• Malware can intercept SMS to circumvent two-factor authentication
  - Done in conjunction with phishing on desktops
• Keylogging and scanning documents for passwords
• Application sandboxing prevents most of these
49
Premium-Rate Calls and SMS
• Premium-rate calls and SMS directly benefit adversaries
  - A few dollars per minute or per SMS
• 24 of the 46 malware samples send these
  - Mostly on Android and Symbian
• iOS avoids this by always showing a confirmation for outgoing SMS messages
50
SMS Spam
• Distributing the spam origin makes blocking harder
• Less noticeable when having unlimited SMS
• Phone numbers are more "reliable" than e-mail
• Can be prevented by enforcing that SMS be sent from a designated confirmation window
51
Search Engine Optimization (SEO)
• Clicks on a certain link on a search query to increase visibility
• Phishing websites use this technique, along with desktop malware
• Can be prevented by affixing an application-unique tag to the HTTP request
  - Privacy concerns?
52
Ransomware
• Kenzero: Japanese virus included in pornographic games distributed on the P2P network
  - Asked for name, address, company name for "registration" of the software
  - Asked 5,800 Yen (~$60) to delete the information from the website
  - About 661 out of 5,510 infections actually paid (12%)
• Not many ransom malware samples on mobile yet…
53
Possible Future Malware Types
• Advertising click fraud
• Invasive advertising (AirPush)
• In-application billing fraud
• Government spying
• E-mail spam
• DDoS
• NFC and credit cards
54
Malware detection
• Permissions:
  - Number of permissions asked for
  - Common permissions
  - Sets of permissions
• Application review
  - Apple iOS rarely lists malware (but it does happen: Find and Call)
  - Symbian: 5 out of 24 pieces of malware were signed (2 phish for user IMEIs before the attack to avoid detection)
55
Malware detection: Android Permissions
• 8 out of 11 malware samples request to send SMS (73%)
  - Only 4% of non-malicious apps ask for this
• READ_PHONE_STATE is used by 8/11 malware samples
  - Only 33% for non-malicious apps
• Malware asks on average for 6.18 dangerous permissions
  - 3.46 for non-malicious apps
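The request rates above can be turned into a simple permission-based score. The following is an added example, not code from the paper: Python that parses the uses-permission entries of a constructed AndroidManifest.xml and sums log-likelihood ratios built from the two rates the slide quantifies. Treating the permissions as independent, using the slide's percentages as class-conditional rates, and the decision threshold are all assumptions.

```python
import math
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# (share of malware requesting it, share of benign apps requesting it), from the slide.
# Only the two permissions the slide quantifies are scored; this is not a trained model.
RATES = {
    "android.permission.SEND_SMS": (0.73, 0.04),
    "android.permission.READ_PHONE_STATE": (0.73, 0.33),
}

# Constructed manifests (not from any real app).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed.suspicious">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def permissions_from_manifest(xml_text):
    """Set of permission names declared with <uses-permission android:name=...>."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def log_likelihood_ratio(perms):
    """Sum over scored permissions of log(P(observation | malware) / P(observation | benign)).
    A requested permission contributes its request-rate ratio; an absent one the complement,
    so an app that asks for neither is pushed toward the benign side."""
    llr = 0.0
    for perm, (p_mal, p_ben) in RATES.items():
        if perm in perms:
            llr += math.log(p_mal / p_ben)
        else:
            llr += math.log((1 - p_mal) / (1 - p_ben))
    return llr

def looks_suspicious(xml_text, threshold=0.0):
    """True when the evidence favours the malware class (assumed threshold: LLR > 0)."""
    return log_likelihood_ratio(permissions_from_manifest(xml_text)) > threshold
```

The slide's third figure (6.18 versus 3.46 dangerous permissions on average) is a count, not a rate, so it is left out of the ratio; it would need a distribution over counts to be scored the same way.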
56
Root Exploits
• Rooting allows a higher level of customization
  - Installing from unofficial markets
  - System backups
  - Tethering
  - Uninstalling apps
• However, malware can take advantage of root commands to obtain permissions
57
Root Exploits
• Root exploits available for 74% of device lifetime
• Malware authors do not need to investigate them, but the community does
58
Conclusion
• Mobile malware rapidly grew in number
• Profitability is the current trend for malware
• Defense against mobile malware requires more research
• Human review is an effective method to prevent malware
• Rooting benefits both users and malware producers
60
I. Introduction
• Smartphone
  - Shipment: ×3 ↑ (40 million → 120 mil.) in 2009–2011 ▶ mobile malware ↑
• Android-based malware
  - Share: 46% ↑ and growing rapidly
  - 400% ↑ since summer 2010
• Goals
  - Malware samples (1,260) & families (49)
  - Timeline analysis
  - Good example of malware
61
II. Malware Timeline
• Dataset
  - 49 families
  - Official/Alternative Android Market
  - 2010-08 ~ 2011-10
63
III. A. Malware Installation
1) Repackaging
  - Most common technique
  - Concept
  - Download popular apps → Disassemble → Enclose malicious payloads → Re-assemble → Submit
65
III. A. 1) Repackaging
• Where do these original apps come from?
• What things are done by the authors?
69
III. A. 3) Drive-by Download
• Enticing users to download "interesting" or "feature-rich" apps.
• For example,
  - GGTracker: in-app advertisement link
  - Jifake: QR code
  - Spitmo and Zitmo: ported versions of nefarious PC malware (SpyEye, Zeus)
70
III. B. Activation
• Using system event messages
• For example,
  - BOOT_COMPLETED
  - SMS_RECEIVED
  - ACTION_MAIN
73
III. C. Malicious Payloads
2) Remote Control
  - 1,172 samples (93%)
  - Turn infected phones into bots
  - 1,171 samples: HTTP-based communication with C&C servers
  - C&C servers
    - Amazon cloud
    - Public blog
74
III. C. Malicious Payloads
3) Financial Charge
  - Premium-rate services
4) Information Collection
  - SMS messages
  - Phone numbers
  - User accounts
76
IV. Malware Evolution
A. DroidKungFu
1) Root Exploits 2) C&C Servers 3) Shadow Payloads 4) Obfuscation
78
V. Malware Detection
• Tested on Nexus One (Android 2.3.7)
  - Lookout
  - TrendMicro
  - AVG Antivirus
  - Norton
79
VI. Discussion
• Ecosystem: Android Market
• ASLR, TrustZone and eXecute-Never are needed
• Lack of fine-grained API control
• Blocking malware from entering the market is needed
• Cooperation between security vendors