Know thy enemy: what do attackers want? (UCR EE260, lectures/lec03.pdf)

Slide 1 (UCR): Know thy enemy: what do attackers want?
Slide credits: some slides adapted from Lorenzo Cavallaro and others

Upload: trinhhanh

Post on 21-Mar-2018

223 views

Category:

Documents


4 download

TRANSCRIPT


Slide 2: Plan for this class
• This is a digression for us, but a useful one I hope
  – Looking up: the rest of the quarter will be looking down
• Learn a bit about what it is that attackers want and the cost of cybercrime
• Malware and its economy:
  – Torpig paper: a botnet from the inside
  – Pay-per-install paper (briefly): insight into the malware ecosystem
  – Mobile malware paper: what is happening in the mobile space?
  – Pay-per-exploit: yet another model
  – Cost of cybersecurity: what is the cost to us?
  – Shadow communication networks

Slide 3: Malware, some terminology
• Malware: unwanted software that is used to perform unauthorized, usually harmful, actions on a computing device.
• Different types: viruses, worms, trojans, rootkits, botnets, …

Slide 4: Malware types

Slide 5: Torpig botnet takeover
Based on "Your Botnet is my Botnet: Analysis of a Botnet Takeover", Stone-Gross et al. (UCSB), CCS 2009

Slide 6: Bots and botnets
• Bot: autonomous program performing tasks
• Benign bots
  – First bots appeared on IRC channels
  – Basically scripts that react to events and offer useful services
  – E.g., the Eggdrop bot, used to manage channels when the operator is away
• Malicious IRC bots
  – Takeover wars between channels
  – Spam / flooding / trash talking
  – Denial of service
  – IRC proxies to hide origin

Slide 7: Bots / botnets today
• Malware (backdoor / trojan) running on compromised machines
• Remotely controlled by criminal entities who control networks of bots
  – Called botnets
• Botnets have grown to be a main vehicle for carrying out cybercrime
  – Mostly for financial motivation
• Different business models

Slide 8: Botnet creation
• Network worm
  – Using exploits such as those we covered last class
• Email attachments
• Trojan version of a program (repackaged app, etc.)
• Drive-by download from a malicious or compromised site
  – Also using exploits such as those we covered last class
• Existing backdoor from a previous infection
• Often bought as a service (pay per install / exploit as a service)

Slide 9: (no transcribed text)

Slide 10: Botnet infections

Slide 11: Torpig uses Mebroot
• Rootkit distributed by the Neosploit exploit kit
• Spread via drive-by downloads: a hidden iframe on a website executes obfuscated JavaScript to download Mebroot onto the victim's machine
• Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)
• Easy-to-use tool, sold for $$$; Torpig one of their clients

Slide 12: Torpig botnet

Slide 13: Studying botnets
• Passive analysis, e.g.:
  – Collected spam mails that were likely sent by bots
  – DNS queries or DNS blacklist queries
  – Analyzed network traffic (netflow data) at the tier-1 ISP
• Active approach to study botnets is via infiltration.
  – Using an actual malware sample or a client simulating a bot, researchers join a botnet to perform analysis from the inside.
  – To achieve this, honeypots, honeyclients, or spam traps are used to obtain a copy of a malware sample.

Slide 14: Monetization
• Uses a man-in-the-browser phishing attack to get sensitive information
  – When you visit a domain in its configuration file (typically, a banking website), Torpig issues a request to an injection server.
  – User visits the trigger page. At that time, Torpig requests the injection URL from the injection server and injects the returned content into the user's browser.

Slide 15: (no transcribed text)

Slide 16: Domain flux: botnet resilience
• Administrators could detect the botnet C&C server and block it
• Botnet authors use IP fast-flux techniques to avoid that.
  – Bots query a certain domain that is mapped onto a set of IP addresses, which change frequently.
• However, fast-flux uses only a single domain name, which constitutes a single point of failure
  – Block it at the DNS level
  – How do you think botnet developers reacted?

Slide 17: Domain flux
• Torpig uses a Domain Generation Algorithm (DGA) to change the domain name
  – If a domain is blocked, the bot simply rolls over to the following domain in the list.
• Using the generated domain name dw, a bot appends a number of TLDs: in order, dw.com, dw.net, and dw.biz.
• If none is available, it switches to a daily name (changes every day)
• Modern botnets like Conficker generate 50,000 domains per day and introduce non-determinism in their generation algorithm.
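The rollover described on this slide leaves a recognisable trace in resolver logs. As an added example (not from the slides or the Torpig paper), the Python below flags clients that query the same label as .com, .net and .biz in that order and receive NXDOMAIN for each, which is what an unregistered generated name looks like from the defender's side; the log format, client addresses and label are constructed, and Torpig's actual name generation is not reproduced.

```python
import re
from collections import defaultdict

# Constructed resolver log, "<epoch> <client> <qname> <rcode>"; the format and
# the names are assumptions for this example, not real Torpig domains.
SAMPLE_LOG = """\
1233000001 10.0.0.7 cdn.example.com NOERROR
1233000002 10.0.0.9 kxqzwtrp.com NXDOMAIN
1233000002 10.0.0.9 kxqzwtrp.net NXDOMAIN
1233000003 10.0.0.9 kxqzwtrp.biz NXDOMAIN
1233000005 10.0.0.5 mail.example.net NOERROR
1233000007 10.0.0.9 kxqzwtrp.com NXDOMAIN
"""

TLD_ORDER = ("com", "net", "biz")  # the order the slide gives for dw.<tld>
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\w+)$")

def parse_log(text):
    """Yield (ts, client, label, tld, rcode) for each well-formed line whose
    name is a bare second-level domain like dw.com."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # tolerate junk lines
        ts, client, qname, rcode = m.groups()
        parts = qname.lower().rstrip(".").split(".")
        if len(parts) == 2:
            yield int(ts), client, parts[0], parts[1], rcode

def find_rollover_clients(text, window=60):
    """Return {client: [label, ...]} for clients that queried the same label as
    .com, .net and .biz in that order, all NXDOMAIN, within `window` seconds:
    the rollover a bot performs when its generated domains are unregistered."""
    nx = defaultdict(list)               # (client, label) -> [(ts, tld)]
    for ts, client, label, tld, rcode in parse_log(text):
        if rcode == "NXDOMAIN" and tld in TLD_ORDER:
            nx[(client, label)].append((ts, tld))
    hits = defaultdict(list)
    n = len(TLD_ORDER)
    for (client, label), events in nx.items():
        events.sort(key=lambda e: e[0])   # stable: ties keep log order
        for i in range(len(events) - n + 1):
            chunk = tuple(t for _, t in events[i:i + n])
            if chunk == TLD_ORDER and events[i + n - 1][0] - events[i][0] <= window:
                hits[client].append(label)
                break
    return dict(hits)
```

A sinkholed name resolves with NOERROR, so once the .com is registered ahead of time (as on the next slide) the same client stops producing this pattern; the check is a detection aid, not proof of infection.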

Slide 18: Taking control of the botnet
• Reverse engineered the Domain Generation Algorithm
• Registered the .com and .net domains that were to be used by the botnet for three consecutive weeks, from January 25th, 2009 to February 15th, 2009.
• However, on February 4th, 2009, the Mebroot controllers distributed a new Torpig binary that updated the domain algorithm.
• Controlled the botnet for 10 days and collected over 8.7 GB of Apache log files and 69 GB of pcap data.

Slide 19: Is this ethical? Protecting victims
• PRINCIPLE 1.
  – The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.
• PRINCIPLE 2.
  – The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.

Slide 20: Botnet analysis
• ~180,000 active bots
• The submission header and the body are encrypted using the Torpig encryption algorithm.

Slide 21: Botnet analysis (cont.)

Slide 22: Botnet size vs. IP count (cont.)

Slide 23: New infections

Slide 24: New infections (cont.)

Slide 25: Threats and data analysis

Slide 26: Threats and data analysis (cont.)

Slide 27: Threats and data analysis (cont.)
• Symantec indicated ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000. If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83K and $8.3M.

Slide 28: Threats and data analysis (cont.)

Slide 29: Threats and data analysis (cont.)
• 173,686 unique passwords recorded, 40% cracked in less than 75 minutes
• 28% of users exhibited password reuse

Slide 30: Conclusion
• A comprehensive analysis of the operations of the Torpig botnet.
• Interesting takeover by reverse engineering the DGA
• Big financial opportunity: up to 83 mil
• IPs grossly overestimate botnet size.
• Victims of botnets are often users with poorly maintained machines and easily guessable passwords

Slide 31: Next, let's look at PPI
• Modern botnets monetize by selling installs
• They also buy machines from affiliates
• Affiliates have their own markets also to get machines
  – Buy exploits or exploit kits
  – Buy traffic generation services
  – Etc.
• Talk from USENIX 2011

Slide 32: Exploit as a Service (EaaS)
• Another business model
  – PPI decoupled malware distribution from monetization
  – EaaS decouples the exploit from distribution and monetization
• Relies on drive-by download
  – Exploit kits used to attack browsers
• Criminal either
  – Buys an exploit kit
  – Rents pre-configured exploit servers

Slide 33: EaaS
• Led to further segmentation:
  – Traffic providers
  – Exploit providers

Slide 34: Marketplace for vulnerabilities
Option 1: bug bounty programs (many)
• Google Vulnerability Reward Program: up to $20K
• Microsoft Bounty Program: up to $100K
• Mozilla Bug Bounty program: $7500
• Pwn2Own competition: $15K
Option 2:
• Zero Day Initiative (ZDI), iDefense: $2K–$25K

Slide 35: Example: Mozilla

Slide 36: Marketplace for vulnerabilities, option 3: black market
Source: Andy Greenberg (Forbes, 3/23/2012)

Slide 37: Similar evolution in different spheres
• Advanced persistent threats (APT)
• Large-scale hacking efforts targeted at governments or large organizations
• National cyberattack, not just defense
• Huge headache at national level
• Cyberattacks listed by the US secretary of homeland defense as the biggest national threat, ahead of terrorism
• E.g., a few months ago, an attack from China stole fingerprints of 25% of federal employees in the US

Slide 38: Mobile Malware in the Wild
Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steven Hanna and David Wagner
UC Berkeley
SPSM 2011

Slide 39: Objectives of paper
• Understand motives of mobile malware "in the wild"
• Context
  – Study spans 2009 to 2011
  – Smartphone market transitioning from being Nokia/Symbian dominated to having today's mix of Android/iOS replacing Symbian
  – For-profit malware starting to appear

Slide 40: Introduction
• Mobile malware is fairly recent
  – July 2004: Cabir virus came out on Symbian
  – August 2010: FakePlayer on Android
  – July 2012: Find and Call on iOS
• Evolving rapidly
  – Amusement
  – Credential theft
  – SMS spam
  – Ransomware

Slide 41: Threat model
• Three types of threats
  – Malware
  – Personal spyware
  – Grayware
• Security measures
  – Markets
  – Permissions
• Root exploits and jailbreaking
  – Root exploits developed for users to bypass manufacturer limitations
  – But used by both users and adversaries
  – Can bypass defenses

Slide 42: Asides
• Sensitive personal information on mobile device
  – E-mail, contacts, passwords …

Slide 43: Background: application markets
• Apple App Store
  – All applications are reviewed by Apple
  – iOS devices can only obtain apps through here, unless jailbroken
• Google Play (Android Market)
  – Some applications may be reviewed
  – Does not restrict installing apps from other markets
• Symbian Ovi
  – Security automatically reviewed by program
  – Risky applications are reviewed by a human
  – Can install apps from other markets

Slide 44: Methodology
• Analyzed information about 46 malware samples that spread between Jan. 2009 and June 2011
  – 4: iOS
  – 24: Symbian
  – 18: Android
• Information from anti-virus companies and news sources
• Omitted spyware and grayware

Slide 45: Results

Slide 46: Novelty and amusement
• Minor damage
  – Changing wallpapers, sending annoying SMS
• A preliminary type of malware
  – Expected to decrease in number

Slide 47: Selling user information
• Personal information obtained via API calls
  – Location, contacts, history, IMEI
• Information can be sold for advertisement
  – $1.90 to $9.50 per user per month
• IMEI information can be used to spoof blacklisted phones

Slide 48: Stealing user credentials
• Malware can intercept SMS to circumvent two-factor authentication
  – Done in conjunction with phishing on desktops
• Keylogging and scanning documents for passwords
• Application sandboxing prevents most of these

Slide 49: Premium-rate calls and SMS
• Premium-rate calls and SMS directly benefit adversaries
  – A few dollars per minute or per SMS
• 24 of the 46 malware samples send these
  – Mostly on Android and Symbian
• iOS avoids this by always showing a confirmation for outgoing SMS messages

Slide 50: SMS spam
• Distributing the spam origin makes blocking harder
• Less noticeable when having unlimited SMS
• Phone numbers are more "reliable" than e-mail
• Can be prevented by enforcing SMS to be sent from a designated confirmation window

Slide 51: Search engine optimization (SEO)
• Clicks on a certain link on a search query to increase visibility
• Phishing websites use this technique, along with desktop malware
• Can be prevented by affixing an application-unique tag on the HTTP request
  – Privacy concerns?

Slide 52: Ransomware
• Kenzero: Japanese virus included in pornographic games distributed on the P2P network
  – Asked for name, address, company name for "registration" of software
  – Asked 5800 yen (~$60) to delete the information from the website
  – About 661 out of 5510 infections actually paid (12%)
• Not many ransom malware samples on mobile yet…

Slide 53: Possible future malware types
• Advertising click fraud
• Invasive advertising (AirPush)
• In-application billing fraud
• Government spying
• E-mail spam
• DDoS
• NFC and credit cards

Slide 54: Malware detection
• Permissions:
  – Number of permissions asked for
  – Common permissions
  – Sets of permissions
• Application review
  – Apple iOS rarely lists malware (but it does happen: Find and Call)
  – Symbian: 5 out of 24 pieces of malware were signed (2 phish for user IMEIs before attack to avoid detection)

Slide 55: Malware detection: Android permissions
• 8 out of 11 malware samples request to send SMS (73%)
  – Only 4% of non-malicious apps ask for this
• READ_PHONE_STATE is used by 8/11 malware samples
  – Only 33% for non-malicious apps
• Malware asks on average for 6.18 dangerous permissions
  – 3.46 for non-malicious apps
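The three permission signals on this slide can be turned into a manifest triage check. As an added example (not from the paper or the course), the Python below reads the <uses-permission> entries of an AndroidManifest.xml and scores them against the percentages and averages quoted above; the manifest is constructed, and DANGEROUS is an assumed subset of Android's dangerous-level permissions, not the platform's full table.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed subset of Android's "dangerous" protection-level permissions; the
# platform's full table is longer, this is enough to exercise the check.
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE",
}

# Constructed manifest (not a real app) with the profile the slide describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def triage(manifest_xml, avg_benign=3.46, avg_malware=6.18):
    """Apply the slide's three signals: SEND_SMS, READ_PHONE_STATE and the
    number of dangerous permissions versus the paper's averages."""
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(perms & DANGEROUS)
    flags = []
    if "android.permission.SEND_SMS" in perms:
        flags.append("SEND_SMS: 4% of benign apps vs 73% of malware")
    if "android.permission.READ_PHONE_STATE" in perms:
        flags.append("READ_PHONE_STATE: 33% of benign apps vs 8/11 malware")
    if len(dangerous) >= avg_malware:
        flags.append(f"{len(dangerous)} dangerous permissions: at or above malware average")
    elif len(dangerous) > avg_benign:
        flags.append(f"{len(dangerous)} dangerous permissions: above benign average")
    return {"dangerous": dangerous, "flags": flags}
```

The counts are only a prior: a legitimate messaging app trips the same flags, so this is a ranking aid for review, not a verdict.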

Slide 56: Root exploits
• Rooting allows a higher level of customization
  – Installing from unofficial markets
  – System backups
  – Tethering
  – Uninstalling apps
• However, malware can take advantage of root commands to obtain permissions

Slide 57: Root exploits
• Root exploits available for 74% of device lifetime
• Malware authors do not need to investigate them, but the community does

Slide 58: Conclusion
• Mobile malware rapidly grew in number
• Profitability is the current trend for malware
• Defense against mobile malware requires more research
• Human review is an effective method to prevent malware
• Rooting benefits both users and malware producers

Slide 59: Dissecting Android Malware: Characterization and Evolution
Authors: Yajin Zhou, Xuxian Jiang; IEEE S&P 2012

Slide 60: I. Introduction
• Smartphone
  – Shipments: 3x increase (40 million → 120 million) in 2009–2011 → mobile malware increasing
• Android-based malware
  – Share: 46% and growing rapidly
  – 400% increase since summer 2010
• Goals
  – Malware samples (1260) & families (49)
  – Timeline analysis
  – Good example of malware

Slide 61: II. Malware timeline
• Dataset
  – 49 families
  – Official / alternative Android markets
  – 2010-08 to 2011-10

Slide 62: Malware growth

Slide 63: III. A. Malware installation, 1) Repackaging
• Most common technique
• Concept
  – Download popular apps → disassemble → enclose malicious payloads → re-assemble → submit

Slide 64: (no transcribed text)

Slide 65: III. A. 1) Repackaging
• Where do these original apps come from?
• What things are done by the authors?

Slide 66: III. A. 2) Update attack
• Concept
  – Update component: it downloads the malicious payload

Slide 67: III. A. 2) Update attack

Slide 68: III. A. 2) Update attack

Slide 69: III. A. 3) Drive-by download
• Enticing users to download "interesting" or "feature-rich" apps.
• For example,
  – GGTracker: in-app advertisement link
  – Jifake: QR code
  – Spitmo and Zitmo: ported versions of nefarious PC malware (SpyEye, Zeus)

Slide 70: III. B. Activation
• Using system event messages
• For example,
  – BOOT_COMPLETED
  – SMS_RECEIVED
  – ACTION_MAIN
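The system broadcasts listed on this slide are declared statically in the manifest, so a reviewer can enumerate them before running anything. As an added example (not from the paper or the course), the Python below lists receivers registered for BOOT_COMPLETED or SMS_RECEIVED and separately reports SMS receivers declared with a high android:priority, the ordering that lets an app see a message before the default SMS app (the interception mentioned on the earlier credential-theft slide); the manifest is constructed and the priority threshold is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# System broadcasts from the slide that let an app run without being launched.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "starts at boot, no user interaction",
    "android.provider.Telephony.SMS_RECEIVED": "sees every incoming SMS",
}

# Constructed manifest (not from any real app): receivers wake on boot and on
# each incoming SMS, the latter with a high priority to run before the SMS app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Sms">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def activation_triggers(manifest_xml):
    """Return [(receiver, action, priority, why)] for receivers registered on
    a watched broadcast; priority is None when the filter declares none."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name")
        for filt in receiver.findall("intent-filter"):
            prio = filt.get(ANDROID_NS + "priority")
            for action in filt.findall("action"):
                act = action.get(ANDROID_NS + "name")
                if act in WATCHED_ACTIONS:
                    found.append((name, act, int(prio) if prio else None,
                                  WATCHED_ACTIONS[act]))
    return found

def high_priority_sms_receivers(manifest_xml, threshold=1000):
    """SMS_RECEIVED receivers whose priority is high enough to be delivered
    before the default SMS app (the ordering used to intercept messages)."""
    return [t for t in activation_triggers(manifest_xml)
            if t[1].endswith("SMS_RECEIVED") and t[2] is not None and t[2] >= threshold]
```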

Slide 71: III. C. Malicious payloads, 1) Privilege escalation

Slide 72: (no transcribed text)

Slide 73: III. C. Malicious payloads, 2) Remote control
• 1,172 samples (93%)
• Turn infected phones into bots
• 1,171 samples
  – HTTP-based communication with C&C servers
• C&C servers
  – Amazon cloud
  – Public blog

Slide 74: III. C. Malicious payloads, 3) Financial charge
• Premium-rate services
4) Information collection
• SMS messages
• Phone numbers
• User accounts

Slide 75: III. D. Permission uses

Slide 76: IV. Malware evolution, A. DroidKungFu
1) Root exploits
2) C&C servers
3) Shadow payloads
4) Obfuscation

Slide 77: IV. B. AnserverBot
1) Anti-analysis
2) Security software detection
3) C&C servers

Slide 78: V. Malware detection
• Tested on Nexus One (Android 2.3.7)
  – Lookout
  – TrendMicro
  – AVG Antivirus
  – Norton

Slide 79: VI. Discussion
• Ecosystem: Android Market
• ASLR, TrustZone and eXecute-Never are needed
• Lack of fine-grained API control
• Blocking malware from entering the market is needed
• Cooperation between security vendors

Slide 80: VIII. Conclusion
• Repackaging (86%)
• Platform-level privilege escalation exploits (36.7%)
• Bot-like capability (93%)