Malware – Trends & Developments



Andrew Thanalertvisuti
Information Security Consultant
28+ years of computing & insecurity
Slide 1: Malware – Trends & Developments
  Andrew Thanalertvisuti, Information Security Consultant
Slide 2: 28+ years of computing & insecurity
  Timeline chart, 1977–2004 (year-by-year placement lost in extraction). Three eras:
    • Standalone Systems – Disk/Diskette Sharing
    • Client-server/PC-LAN Networks
    • Internet Proliferation (Email, Web, IRC, IM, P2P, File Sharing)
  Events plotted on the timeline:
    • Apple II Computer, Commodore, Atari, TI-99, TRS-80
    • First self-destruct program (Richard Skrenta)
    • First self-replicating program (Skrenta’s Elk Cloner)
    • First worm developed at Xerox Palo Alto
    • Ken Thompson demonstrates the first Trojan Horse
    • Fred Cohen’s VAX viruses
    • ©Brain virus developed by two Pakistanis
    • FBI arrests the “414s” hacker group
    • Yale, Cascade, Jerusalem, Lehigh, etc.
    • Stealth virus (Whale); variable encryption (1260)
    • Morris’ Worm; Robert T. Morris fined $10K, 3 years probation
    • “Cuckoo’s Egg” at LBL
    • First macro virus “Concept”; Excel macro virus (cross platform)
    • Phishing begins on AOL
    • “Solar Sunrise” – two California teens attack 500 military, government and private computer systems
    • Melissa virus; Melissa’s author sentenced to 20 months in jail
    • Philippines’ “I LOVE YOU” virus ($80m)
    • Code Red, Nimda
    • DDoS on 13 “root” servers
    • Slammer, Blaster, Welchia, MyDoom, Sasser
    • Phishing attacks proliferated; SPAM mails; spyware
  Attack-technique bands: Protocol Weaknesses/Buffer Overflow; Insecure Default/Weak Security Techniques/Feature Misuse/Social Engineering; Information Warfare; Computer Crimes to Cyber Crimes
  Standards bands: UK Green Book to BS 7799 to ISO 17799; Trusted Operating Systems (Orange Book); Trusted Network (Red Book); Common Criteria
Slide 3: What is Malware?
  Definition: Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
  It can do any of the following:
    • Delete files from your hard drive
    • Infect your PC and use it as a jumping-off point
    • Monitor your keystrokes
    • Gather information about you
    • Send streaming video of your PC screen to an attacker
Slide 4: Virus
  Definition: A virus is a self-replicating piece of code that attaches itself to other programs and usually requires human interaction to propagate.
    • The portion of the virus’ code that implements some evil or malignant action is known as the payload.
Slide 5: Worm
  Definition: A worm is a self-replicating piece of code that spreads via networks and usually doesn’t require human interaction to propagate.
    • A worm hits one machine, takes it over, and uses it as a staging ground to scan for and conquer other vulnerable systems.
Slide 6: Worm vs. Virus
  The difference between worms and viruses:
    • Worms spread across a network.
    • Worms don’t necessarily infect a host file.
    • Most (but not all) worms spread without user interaction.
    • On the Internet today, most modern viruses include worm characteristics for propagation.
Slide 7: Trojan Horse
  Definition: A Trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality.
    • If a program merely gives remote access, it is just a backdoor, not a true Trojan horse.
Slide 8: Internet Attacks – Evolution of Malware
  Trojan Horses, Rootkits, Spyware, Viruses, Worms, Web Site Defacement, Phishing, Spam Email
Slide 9: Rootkit
  A form of Trojan Horse program, capable of hiding its own presence, maintaining system/root/admin privileges and performing activities without detection.
  A Rootkit can …
    • Hide processes, files, drivers, ports and network connections
    • Install a backdoor listener for future access to the system
    • Add privileges to tokens
    • Add groups to tokens
    • Manipulate the Event Viewer
    • Basically, do anything it is programmed to do
  Rootkits were originally developed and used against Unix systems as Trojans (e.g. ps, ls, netstat), but have now proliferated to Linux and of course Windows.
  Sophisticated rootkits filter data going in and/or out:
    • Hook system functions in the kernel
    • Modify key data structures in memory
    • Hook user mode functions in kernel32.dll & ntdll.dll
Slide 10: Rootkit – Attack Scenario (1)
    • Attacker gains elevated access to computer system
    • Attacker installs a Rootkit
    • Rootkit hides itself and everything else the hacker wants, and provides a covert channel for control/management
    • Attacker is able to use the system for whatever they want with little risk of detection
Slide 11: Rootkit – Attack Scenario (2)
  How does this thing get in?
  To be installed, the install code needs either admin/system level access, or user access with a path to elevate (like insecure registry keys, SeDebugPrivilege, etc.), depending on the sophistication level of the installer/loader.
  Initial Vectors
    • Weak passwords
    • Arbitrary code execution due to:
        - Buffer overflows
        - Incorrectly secured registry keys for privileged apps
        - Web/email exe’s, insecure zones, etc.
        - Injection/Hook/Detours – SeDebugPrivilege
    • Social engineering (hack the human)
    • Physical access
    • Island hopping from other compromised systems
Slide 12: Rootkit Situation
  Popular Rootkits
    • Hacker Defender 1.0.0 – User mode/kernel mode; hides files, directories, registry keys, services, and drivers; provides backdoor listeners on all ports; detectable by Pathfinder2 and VICE (anti-rootkit)
    • FU – Hides processes and drivers; detectable by klister
    • HE4Hook – Modifies the kernel SDT; detectable by Pathfinder2 and VICE
    • Vanquish – DLL-injection based rootkit that hides files, folders, registry entries and logs passwords; detectable by Pathfinder2 and VICE
    • AFX (Aphex) – DLL-injection; hides ports, files, registry keys, folders, processes; detectable by RKDS, Pathfinder2 and VICE
  A community of rootkit explorers on the Internet:
    http://www.rootkit.com
    http://rootkit.host.sk
    http://www.megasecurity.org/Info/p55-5.txt
Slide 13: Rootkit Situation
  Malware Classification* – SANS’ Internet Storm Center July 2004 Report
    • Bots/Backdoor Programs: highest growth since Mar ’04; e.g., Phatbot, Agobot, Gaobot. Institution 2004: little to no actions
    • User Mode Rootkits / Kernel Mode Rootkits: new tools on both Windows (e.g. FU) and Unix/Linux (e.g. Adore-ng) platforms. Institution 2004: little to no actions
    • BIOS Malware / Microcode Malware: whitepaper on reverse engineering of AMD K8 microcode published at http://www.packetstormsecurity.nl/
  *Source: “Malware – Fighting Malicious Code”, Ed Skoudis & Lenny Zeltser
Slide 14: Internet Attacks – Evolution of Malware (same list as slide 8)
Slide 15: SPAM Mails
Slide 16: SPAM Mails
    • More than 60% of email traffic
        - 4.9 trillion in 2003; 13 billion spam mails a day
        - MSN filters block 2.4 billion spam emails a day (~80% of the emails)
    • US businesses lost over $10bn in 2003 in productivity and bandwidth
    • Adult content increased by 170%
    • Criminal activities
    • Reducing trust in email
Slide 17: Meet Spam King
  Spam King: Alan Ralsky spewed tens of thousands of e-mail sales pitches per hour, bringing on the wrath of Verizon. Alan Ralsky calls himself a commercial e-mailer, not a spammer. He says he maintains files with 87 million e-mail addresses of computer users who ask to be removed from his blanket solicitations.
  Richard Colbert, spammer.
Slide 18: Basement of Spam King
Slide 19: Basement of Spam King
Slide 20: Basement of Spam King
Slide 21: General Interest emails for sale
Slide 22: Spammer Bulletin Board
Slide 23: Internet Attacks – Evolution of Malware (same list as slide 8)
Slide 24: Internet Downloads
    • User initiates download
    • Security warning displayed
Slide 25: Pop-Under Exploit
  Step 1: User visits a trusted web site
Slide 26: Pop-Under Exploit
  Step 2: After a delay, user gets an offer to install a program
Slide 27: Pop-Under Exploit
  The Trick: the download is really from a hidden window! Moving the top window out of the way will expose the hidden window.
Slide 28: “Cancel” Means “Yes”
Slide 29: Faux Security Alert (really just a picture)
Slide 30: Situation – Phishing & SPAM Frauds
  ComputerWorld June ’04 report
    • 50% increase in phishing attacks per month
        - Citibank – 470 attacks
        - eBay – 285 attacks
        - Lloyds TSB Bank – 24 attacks
        - Westpac Bank – 11 attacks
    • U.S. hosted the most phishing Web sites in June, with 27% of such sites.
    • The average lifespan of a phishing site in June was 2.25 days.
    • 25% of phishing Web sites were hosted on hacked Web servers.
    • 94% of phishing Web sites were configured to allow criminals to remotely download captured personal data.
  Screen clippings (CNETAsia News & Technology, taken 8/12/2004): “HSBC HK gets ‘spoofed’”; “‘Citibank’ email carries a virus”; “DBS Bank spoofed in Hong Kong”; a fourth on Westpac customers.
Slide 31: Situation – Phenomenal growth of deceptive software
  PestPatrol
    • More than 78,000 spyware in use today
    • “Burrower” programs grew from 8 to 40 in the past six months
    • More than 500 trojan horses, 500 keystroke loggers, and 1,300 ad-ware created in 2003
  Pitstop
    • More than 25% of PCs are afflicted with some type of unwanted or deceptive software
  US National Cyber Alliance 2003 study
    • 91% of broadband users have some form of unwanted or deceptive software
Slide 32: Cable Modems Experiment
  The “always connected” home user is very vulnerable.
  The first week of monitoring a cable modem detected 250 attacks.
  Most users
    • Have no security, have been told they’re vulnerable, but don’t know what that means
    • Do not understand the technology and do not want to know
  Chart of attack types detected (per-type counts lost in extraction): Back Orifice ping, DNS non-Internet lookup, Duplicate IP address, FTP port probe, ICMP subnet mask request, NetBus port probe, NNTP port probe, Possible Smurf attack initiated, Proxy port probe, RPC port probe, SMTP port probe, SNMP discovery broadcast, TCP port probe, TELNET port probe, UDP port probe, WhatsUp scan
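The probe categories in this chart map directly onto a per-type classifier for a home firewall's drop log. The Python below is an added example, not from the deck; it assumes a constructed log-line format and a mapping from each tool's or service's well-known default port (Back Orifice UDP 31337, NetBus TCP 12345, SNMP UDP 161) to the slide's categories.

```python
"""Classify inbound probes from a home-firewall log into the slide's chart categories.
Added example, not from the original deck; log format and port mapping are assumptions."""
import re
from collections import Counter
from typing import Iterable, Optional

# Assumed log format: <date> <time> <action> <proto> <src>[:<sport>] -> <dst>[:<dport>] [type=<n>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: type=(?P<icmp_type>\d+))?$"
)

# (protocol, destination port) -> chart category; assumed mapping on well-known default ports.
PORT_CATEGORIES = {
    ("UDP", 31337): "Back Orifice ping",
    ("TCP", 12345): "NetBus port probe",
    ("TCP", 21): "FTP port probe",
    ("TCP", 23): "TELNET port probe",
    ("UDP", 161): "SNMP discovery broadcast",
}

def classify(line: str) -> Optional[str]:
    """Return the chart category for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = m["proto"]
    if proto == "ICMP":
        icmp_type = int(m["icmp_type"] or -1)
        # An echo request aimed at a broadcast address is the Smurf amplification pattern.
        if icmp_type == 8 and m["dst"].endswith(".255"):
            return "Possible Smurf attack initiated"
        return "ICMP subnet mask request" if icmp_type == 17 else "ICMP probe"
    dport = int(m["dport"] or 0)
    # Unrecognised ports fall into the chart's generic TCP/UDP port probe buckets.
    return PORT_CATEGORIES.get((proto, dport), f"{proto} port probe")

def summarize(lines: Iterable[str]) -> Counter:
    """Count probes per category, skipping lines that do not parse."""
    counts: Counter = Counter()
    for line in lines:
        category = classify(line.strip())
        if category is not None:
            counts[category] += 1
    return counts

# Constructed sample log (RFC 5737 documentation addresses); not real captured traffic.
SAMPLE_LOG = """\
2004-08-12 09:41:07 DROP UDP 203.0.113.7:1045 -> 198.51.100.20:31337
2004-08-12 09:41:09 DROP TCP 203.0.113.9:3311 -> 198.51.100.20:12345
2004-08-12 09:41:44 DROP TCP 203.0.113.9:3312 -> 198.51.100.20:21
2004-08-12 09:42:15 DROP TCP 203.0.113.14:2049 -> 198.51.100.20:4444
2004-08-12 09:42:21 DROP UDP 203.0.113.30:1036 -> 198.51.100.20:161
2004-08-12 09:42:27 DROP ICMP 203.0.113.5 -> 198.51.100.20 type=17
2004-08-12 09:42:30 DROP ICMP 203.0.113.11 -> 198.51.100.255 type=8
this line is not a firewall record
"""

if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {category}")
```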
Slide 33: Origin of Attacks
  (chart) * North Asia excludes Japan & South Korea. Source: e-Cop
Slide 34: Is there a focused attack?
  (chart) Source: e-Cop, July 2004
Slide 35: Situation
    • Hackers rely on patches to develop exploits
    • Some security researchers are still disclosing vulnerabilities irresponsibly
  Timeline: Product ship → Vulnerability discovered → Component modified → Patch released → Patch deployed at customer site. Annotations: “Most attacks occur here”, “Why does this gap exist?”
    • Lack of or ineffective patch management process
    • Lack of defense-in-depth and configuration management in infrastructure security
Slide 36: Exploit Timeline – Process, Guidance, Tools Critical
  Timeline: Product ship → Vulnerability discovered → Vulnerability made public / component fixed → Fix deployed → Fix deployed at customer site. Annotations: “exploit code”, “patch”, “Why does this gap exist?”
    • Days from patch to exploit have decreased, so that patching is not a defense in large organizations
    • Average 9 days for a patch to be reverse engineered to identify the vulnerability
  Days between patch & exploit:
    • Nimda – 331
    • SQL Slammer – 180
    • Welchia/Nachi – 151
    • Blaster – 25
Slide 37: Anatomy of a Worm Incident
  July 1 – Vulnerability reported to us; patch in progress; no exploit
    • Report: vulnerability in RPC/DCOM reported
  July 16 – Bulletin & patch available
    • Bulletin: MS03-026 delivered to customers (7/16/03)
    • MS activated highest level emergency response process
  July 25 – Exploit code in the world / public
    • Exploit: X-focus (Chinese group) published exploit tool
    • Continued outreach to analysts, press, community, partners, government agencies
  Aug 11 – Worm in the world
    • Worm: Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”)
    • MS heightened efforts to get information to customers
  Blaster shows the complex interplay between security researchers, software companies, and hackers.
Slide 38: Understanding The Landscape
  Diagram: attacker motivation (National Interest – Spy; Personal Gain – Thief; Personal Fame – Trespasser; Curiosity – Vandal) against attacker skill (Author, Script-Kiddy, Hobbyist, Hacker, Expert, Specialist).
Slide 39: Understanding The Landscape
  Same diagram, annotated: “Largest segment by $ spent on defense” (National Interest / Spy); “Largest area by $ lost” and “Fastest growing segment” (Personal Gain / Thief); “Largest area by volume” (Trespasser / Vandal).
Slide 40: Understanding The Landscape
  Same diagram, annotated: “Fastest growing segment” (Personal Gain / Thief).
Slide 41: Understanding The Landscape
  Same diagram, annotated: “Tools created by experts now used by less skilled attackers and criminals”.
Slide 42: Social Engineering Case Study: MyDoom
    • There was no vulnerability
        - Purely social engineering
        - Mixed techniques: ZIP file, spoofed icon, “returned SMTP” text, random subjects, source addresses
    • Self-upgrading from A to B
        - Attack SCO.Com and Microsoft.Com
        - B version tries to block access to WindowsUpdate and AV vendor websites
        - This behavior will continue to increase
    • Install “backdoors” – turn into “bots”
        - 66% of all SPAM on the Internet generated by these types of backdoors on home-user PCs
    • Worm families are becoming “learning platforms” for authors
        - Written by software engineers
Slide 43: Making $: Real Example
  “Our first program pays you $0.50 for every validated free-trial registrant your website sends to [bleep]. Commissions are quick and easy because we pay you when people sign up for our three-day free-trial. Since [bleep] doesn't require a credit card number or outside verification service to use the free trial, generating revenue is a snap. The second program we offer is our pay per sign-up plan. This program allows you to earn a percentage on every converted (paying) member who joins [bleep]. You could make up to 60% of each membership fee from people you direct to join the site. Lastly, [bleep] offers a two tier program in addition to our other plans. If you successfully refer another webmaster to our site and they open an affiliate account, you begin earning money from their traffic as well! The second tier pays $0.02 per free-trial registrant or up to 3% of their sign-ups.”
Slide 44: Opportunities Are Limitless
Slide 45: Need Traffic? Buy It!
Slide 46: Need A Family Business?
Slide 47: Do The Math
    • SoBig virus spammed mail to over 100 million inboxes
    • If 10% read the mail and clicked the link = 10 million people
    • If 1% of people who went to the site signed up for the 3-day free trial = (100,000 people) x ($0.50) = $50,000
    • If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr
Slide 48: The Newly Connected World
    • Mobility of computing devices
        - Anytime, anywhere access/attack
    • Wireless networking
        - Public Hotspot – anonymous access
        - ‘Private’ WLAN – wardriving and LANjacking
        - Enterprise Wireless Network
    • Weak security means
        - Permitting unauthorized access to the corporate network
        - Provision of a public hotspot, permitting anonymous access – potential legal problems
Slide 49: Putting it all together – Attack Techniques & Countermeasures
  Matrix (cell markings lost in extraction):
    Columns (attack vectors): Trojan Horses, Rootkit, Spyware, Viruses, Worms, Spam Mails, Web Deface, Phishing
    Rows (techniques): Social Engineering, Vulnerability Exploitation, Feature Misuse, System Programming
    Countermeasures: Awareness; Code security, updates management, and responsiveness; Access control and management
Slide 50: Conclusion
    • Attacks continue to become more sophisticated; more tools are readily available
    • Vulnerabilities will be exploited if available patches are not deployed in a timely manner
    • Time-to-exploit is shrinking quickly
    • Attackers are motivated financially
    • Attackers are organized and orchestrated
    • The sum of exploits is much greater than any individual vulnerability
    • A strategic approach to managing information security risk is critical
Slide 51: Any Questions?