Agenda:
A. What is this “buzzword”?
B. Modus operandi
C. Effect & implications
D. Some crimeware vectors
E. Crimeware future (CaaS)
F. Defenses
Every 2.5 seconds, new malware is released.
– Crimeware: collective term for any malware developed to fraudulently obtain financial gain by:
– Capturing confidential information such as usernames, passwords, credit card numbers etc. (online identity theft)
– Capturing keystrokes
– Taking control of a computer to create a ‘botnet’ or to launch spam or DDoS attacks
• Distribution methodology:
• Malicious email attachments
• Cross-site scripting on legitimate websites
• Exploiting application-layer vulnerabilities
• Insertion into downloadable audio/video files (piggybacking)
• Affiliate marketing
• Impact:
• Confidential data leakage
• Financial loss due to leakage of passwords and credit card details
• Loss of productivity due to system slowdown
• Reputation loss
• Legal problems if the system becomes part of a botnet (zombie)
• Spam transmission
• Crimeware vectors:
a. Keyloggers
b. Email redirectors
c. MITM, Man-in-the-Browser & pharming
d. Drive-by download
e. Drive-by pharming
f. Click fraud
g. Future: ransomware, terrorware, Crimeware-as-a-Service (CaaS)
• Keyloggers:
• Most prevalent, especially used in “identity theft” related attacks.
• Downloaded by opening malicious email attachments, visiting malicious websites, piggybacking etc.
• Hardware keyloggers are also in wide use
• Ex: Perfect Keylogger, Actual Keylogger.
• Other flavors like screenloggers, spyware and adware are also in use.
(Figure: hardware keylogger)
Email redirector:
These are programs which intercept outgoing emails and relay an additional copy to an unintended address to which the attacker has access.
Used in corporate espionage as well as personal surveillance.
Session hijackers:
In a session hijacking attack, malicious software installed in the user’s browser “hijacks” the session to perform malicious activities such as transferring money, manipulating transactions etc. (Man-in-the-Browser).
It can be carried out via malware on the local machine, or remotely in the form of an MITM attack that redirects the user’s session to the hacker’s server.
– MITM:
– Big threat for the next few years
– Tools:
– Ettercap
– Cain & Abel
Pharming:
Malware may poison the local DNS server so that traffic is routed to the fraudster’s website.
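The slide names the local DNS server as the poisoning target; the hosts file is the simplest local name-resolution path a pharming trojan can tamper with, so the added example below (not from this deck) checks it for watched banking domains pinned to a non-loopback address. The sample hosts content, the `examplebank.test` domain and the watch list are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file: the last two entries model what a pharming
# trojan writes to send a bank's domain to a fraudster's server.
SAMPLE_HOSTS = """\
# Default hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.45      www.examplebank.test examplebank.test
198.51.100.7    login.examplebank.test   # added by malware
"""

# Hypothetical watch list: domains that should only ever be resolved via DNS.
WATCHED_DOMAINS = {"examplebank.test"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed entry, not an address
        for name in names:
            yield ip, name.lower()


def is_watched(hostname, watched):
    """True if hostname equals, or is a subdomain of, any watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_pharming_overrides(text, watched=WATCHED_DOMAINS):
    """Return hosts entries that pin a watched domain to a non-loopback IP.
    A loopback mapping (a deliberate sinkhole) is not reported."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_watched(name, watched) and not ipaddress.ip_address(ip).is_loopback:
            hits.append((ip, name))
    return hits
```

Any hit is worth treating as an indicator of local resolution tampering and correlating with the browser's certificate warnings for the same site.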
• Drive-by download:
• A drive-by download is a program that is automatically downloaded to your computer without your consent or even your knowledge. Another variant is the drive-by install.
• Many of these infections are connected to botnets, in which each PC is turned into a zombie that may then be directed to further malicious activity, like spam or DDoS.
• Statistics from leading AV vendors have proved that more than 10 million computers worldwide are serving DBW, resulting in botnets / DDoS.
Drive-by pharming:
Drive-by pharming is a vulnerability exploit in which the attacker takes advantage of an inadequately protected broadband router to gain access to user data.
– Recent statistics by leading AV vendors have proved that major routers worldwide are susceptible to this kind of attack.
Click fraud:
Click fraud is a type of Internet crime that occurs in pay-per-click online advertising when a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the advertisement.
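The slide describes click fraud as scripted clicks that imitate a real user; the added example below (not from this deck) shows the simplest detection an advertiser can run over its own click log: flag a client that clicks the same ad more than a threshold number of times inside a sliding window, or that announces a scripting tool as its user-agent. The log lines, IPs, ad ids and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample pay-per-click log: timestamp, client IP, ad id, user-agent.
# 203.0.113.5 hammers one ad once a second; 192.0.2.77 is a curl script;
# 198.51.100.9 behaves like a person.
SAMPLE_CLICKS = """\
2024-05-01T10:00:00 203.0.113.5 ad42 Mozilla/5.0
2024-05-01T10:00:01 203.0.113.5 ad42 Mozilla/5.0
2024-05-01T10:00:02 203.0.113.5 ad42 Mozilla/5.0
2024-05-01T10:00:03 203.0.113.5 ad42 Mozilla/5.0
2024-05-01T10:00:04 203.0.113.5 ad42 Mozilla/5.0
2024-05-01T10:00:05 203.0.113.5 ad42 Mozilla/5.0
2024-05-01T10:02:00 198.51.100.9 ad42 Mozilla/5.0
2024-05-01T10:45:00 198.51.100.9 ad17 Mozilla/5.0
2024-05-01T10:03:00 192.0.2.77 ad42 curl/8.0
"""


def parse_clicks(text):
    """Parse log lines into (datetime, ip, ad, user_agent) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ad, ua = line.split(maxsplit=3)
        rows.append((datetime.fromisoformat(ts), ip, ad, ua))
    return sorted(rows)


def flag_click_fraud(text, max_clicks=3, window=timedelta(minutes=1),
                     script_uas=("curl", "wget", "python-requests")):
    """Return the set of client IPs whose clicks look automated: more than
    max_clicks on the same ad within a sliding window, or a user-agent that
    belongs to a scripting tool. Thresholds are hypothetical."""
    suspects = set()
    recent = defaultdict(list)  # (ip, ad) -> timestamps inside the window
    for ts, ip, ad, ua in parse_clicks(text):
        if ua.split("/")[0].lower() in script_uas:
            suspects.add(ip)
        times = recent[(ip, ad)]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) > max_clicks:
            suspects.add(ip)
    return suspects
```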
Future: some new crimeware
a. Ransomware: computer malware which encrypts the user’s important data and demands a ransom for its restoration.
Originally they were referred to as cryptoviruses, cryptotrojans and cryptoworms. Some colleges/universities offer courses on cryptovirology.
b. Terrorware: malware developed for creating terror (airline, cyber terrorism)
– Future:
– Crimeware as a Service (CaaS):
– SaaS for malware. The polymorphic engine does not reside within the virus code itself, but remotely on a server. Here, for PCs that are part of a botnet, a specific bot variant can mutate remotely via a command over HTTP. This is called Crimeware-as-a-Service (CaaS) because the actual viral code does not reside on the host but in the cloud, similar to a software-as-a-service platform.
– Similarly, hackers needn’t own their own infrastructure to target victims. It is offered as a service now.
• We recommend the following best practices for countering crimeware impact: people awareness tops the list
• Process approach:
• Regular information risk assessment; implement ISO 27001
• Application security audit; code review of your application for the OWASP Top 10 attacks
• Technology approach: defense in depth
• Network security infrastructure (firewall, NIPS, HIPS with good AV and anti-spyware on the server)
• Web application firewall (a relatively new concept)
• Inbound/outbound malicious content filtering appliance
• Multi-factor authentication
• Virtual keyboard
• Thank you
• Sameer J Ratolikar
Chief Information Security Officer
Crimeware is a type of MMC (Malicious Mobile Code) designed to target financial institutions by capturing the credentials of online users. It is executed via a variety of techniques such as key-logging, phishing, pharming, Man-in-the-Middle and Man-in-the-Browser. This session will cover types of identity theft and share best practices for countering them effectively.