Malware, Trojans &
Johnson Financial Group
A scary scenario
• The school district’s accounting manager logs
into the district’s online banking account.
• Balance is $150,000 short.
• Looking at the transaction history, it shows
almost 20 ACH transactions, each around
$8,000, were initiated from the account
• The recipients of the transactions are unfamiliar.
• The accounting manager calls her bank…
The plot thickens
• Bank traces the funds and contacts the receiving
• Some of the funds are still available, others have
• Discussions with the account holders reveal that
they have been hired as “money transfer agents”,
and have wired the money overseas.
• A scan of the accounting manager’s computer
shows that viruses were found and removed.
The Zeus Botnet
• Has been used to breach thousands of online
business banking accounts
• Small businesses, non profits, towns, schools, …
• Used to steal over $100 Million as of Nov 09, still
Malware, Trojans and Botnets
• This is one example of one of the many ways
fraudsters are using Malware to make money.
• How could this happen?
– Aren’t there multiple layers of controls?
– Malware is used to break every layer.
Malware is used in most data breaches
Threat Agents by Percent of
(chart labels: Social Engineering 3%, Physical Access 1%)
Joint United States Secret Service/Verizon
2010 Data Breach Investigations Report
Analysis of 141 breach cases including over 143 million breached data records
What’s the difference?
• Malware – Malicious software - hostile, intrusive,
or annoying program code
• Virus – software that reproduces itself
• Bot – computer program that does automated
• Trojan – initially bad software hidden inside good
software. Now more generally refers to Malware
with “backdoor” (remote control) functionality, or
an evil bot.
• Botnet – a network of compromised “zombie”
How do computers get infected?
Joint USSS/Verizon 2010 Breach Report
Injected/Installed by remote attacker
Listening Network Services
• Example MS09-022 “Buffer Overflow in Microsoft Print Spooler
• Listening software = programs running in the background
waiting for incoming network traffic.
Other Common Network Services
• Web servers
• FTP servers
• Windows file sharing
• Mail Servers
• Network services (name lookup, etc.)
Web – Auto Executed Drive By
• Hackers infect legitimate websites
• Or build infected websites and get high search
client to download, install, and run malicious
Web/Email User downloaded or executed
• Download programs from file sharing sites or
other untrusted sources
• Not just programs – virus code can hide in Adobe
PDF, Flash, Windows Media, Java
• more than 46% of the browser-based exploits
during the second half of 2009 were aimed at
vulnerabilities in the free Adobe Reader PDF
Facebook – Social Engineering
• Receive a message from a facebook friend:
“Hey, I have this hilarious video of you dancing.
Your face is so red. You should check it out.”
• Koobface infects a profile and sends a message
to all friends via facebook messaging system
• When you click on the video, you are prompted
to update Flash player. The update is actually a
copy of Koobface worm.
• Facebook funniest malware vid
Exploit + Payload = Malware
• Vulnerability – the weakness that is utilized to
compromise the machine
– Most commonly software bugs and tricking users
• Exploit – the chunk of hacker code that utilizes
• Payload – the chunk of hacker code to “do
something” with the compromised host.
– Hiding, spreading, stealing, attacking, destroying,
• Framework for joining Exploits with Payloads,
and launching attacks.
• Command line and GUI interfaces
• Hundreds of exploits built in to the tool
• Open API to build and include more
• Over 100 payloads too
Metasploit Exploits Example
Metasploit exploits - GUI
Stage 2: Hiding
• Generally not noisy like adware and spyware (at
least not initially)
• May disable antivirus and administrative
functions/control panels. Less obvious may just
break AV update capability.
• More sophisticated malware installs itself as a
• Obscures the fact that a system has been
• Hooks into or replaces portions of the operating
– User mode – modifies
– Kernel mode –
• Makes the computer “lie” to higher level
programs, like windows explorer and antivirus
• HackerDefender a well known example (Vid)
Stage 3: Join Botnet
• Use Dynamic DNS lookup to find a Botnet server
on the Internet
• “Fast-flux” DNS techniques to direct the bot to
one of hundreds of bot servers.
• Forward traffic through proxies, harder to trace
• Servers kept in non-cooperative countries
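As an added illustration (not part of the original deck), a small detector for the fast-flux DNS behaviour described above: repeated lookups of one name are scored on short TTLs, the number of distinct addresses seen, and how widely those addresses are scattered. The thresholds, the use of /16 prefixes as a stand-in for netblock or ASN data, and all sample lookups are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class DnsObservation:
    """One A-record answer set for a single name, captured at time t (seconds)."""
    t: int
    ttl: int
    addrs: List[str]

def assess_fast_flux(obs: List[DnsObservation], ttl_limit: int = 300,
                     min_unique: int = 20, min_prefixes: int = 10) -> dict:
    """Score repeated lookups of one name for fast-flux indicators.

    Indicators (thresholds are assumptions, tune them per environment):
      * most answers carry a short TTL, so resolvers keep re-asking;
      * many distinct addresses appear over the window, because hundreds
        of compromised hosts are rotated through the same name;
      * those addresses are spread across many /16 prefixes, unlike a
        CDN whose pool sits in a few operator-owned blocks.
    """
    unique, prefixes, low_ttl = set(), set(), 0
    for o in obs:
        if o.ttl <= ttl_limit:
            low_ttl += 1
        for a in o.addrs:
            unique.add(ipaddress.ip_address(a))
            prefixes.add(ipaddress.ip_network(f"{a}/16", strict=False))
    low_frac = low_ttl / len(obs) if obs else 0.0
    hit = (low_frac > 0.5 and len(unique) >= min_unique
           and len(prefixes) >= min_prefixes)
    return {"unique_ips": len(unique), "prefixes": len(prefixes),
            "low_ttl_fraction": low_frac, "fast_flux": hit}

# Constructed lookup histories, not real observations.
FLUX = [DnsObservation(t=i * 180, ttl=180,
                       addrs=[f"{100 + i*5 + j}.{(i*37 + j*11) % 250}.{j}.{i + 1}"
                              for j in range(5)])
        for i in range(6)]                      # 30 hosts, 30 different /16s
BENIGN = [DnsObservation(t=i * 3600, ttl=3600,
                         addrs=["203.0.113.10", "203.0.113.11"]) for i in range(6)]
CDN_LIKE = [DnsObservation(t=i * 60, ttl=60,
                           addrs=[f"198.51.100.{k}" for k in range(1, 5)]) for i in range(6)]

if __name__ == "__main__":
    for name, history in (("flux", FLUX), ("benign", BENIGN), ("cdn", CDN_LIKE)):
        print(name, assess_fast_flux(history))
```

The CDN-like history shares the short TTL but not the address spread, which is why the decision needs all three indicators rather than TTL alone.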
Botnet Command and Control
• Historically preferred IRC, still in use
• HTTP (web browser traffic)
• Peer to peer protocols
• Twitter, Google Groups, Facebook
Botnet Control Diagram
Botnet control via IRC channel
IRC C&C vid
Some sample Botnet commands
• ddos.synflood [host] [time] [delay] [port]
• ddos.phatwonk [host] [time] [delay]
• spam.start
• bot.open
• bot.die
* SYN-flood on ports 21,22,23,25,53,80,81,88,110,113,119,1433,1500,1720,3306,3389,5000,6667,
Hierarchical CnC topology
• Commands sent to distributed servers, which send
commands to bots.
• May be multiple layers.
• Single bots aren’t aware of bot master location or size
• Easy to carve up to sell or perform different
Botnet Command and Control
• Zeus Tracker Command and Control Servers as
Zeus Server Distribution
Current Botnet Attributes
• Distributed Architecture
• Multiple C&C
• Extensive
• Multiple exploit
• Immortal/unlimited channels
• Self Protection
• Self Healing
• Virtual Machine
• Polymorphic
• Separate “owned” machines based on function
– Static, always on, high bandwidth server
– POS machine: steal credit cards
– Corporate office: steal data, spread
– Look for online business banking use: ACH theft
– Home users: SPAM, DDOS, etc.
• Manage bots
• Lease out services
Stage 4: Use
• Send SPAM
– Steal email addresses from compromised computers.
– Most mail systems will block large numbers of email from the
same source. Distributing it across workstations makes it harder
• Denial of Service
– Have hundreds or thousands of your bots send traffic at the
same website or company, fill their pipe and knock them off the Internet
• Other theft
– Credit card numbers
– Steal “in game” online game items and sell on eBay
Banking attack – Step 1 infection
• Bank of Nicolai vid
• Utilize Phishing, network exploits, and drive by
downloads to spread your botnet as wide as
Banking attack – Step 2 identify victim
• Monitor browser use and network traffic to
identify any machines in the bot network that are
being used to log into online business banking
• May at that point install a rootkit on the identified
Banking attack – Step 3 Capture
• Keylogger can capture passwords
• Challenge questions?
– Steal or delete registration cookies to bypass challenge
• Email password?
– Hacker also already has access to your email
Banking attack Step 4 – Hire mules
• Use your botnet to send SPAM email soliciting
for “work at home” jobs
• Timing is critical, to pick up and wire funds before
the account compromise is detected.
Banking attack Step 5 – Perform
• Remote control allows them to log in from your
workstation if they want.
• They know your password, challenge question,
• Aim is to create new recipients and send funds
via ACH or wire in one login session
• These electronic transactions are nearly immediate
and difficult to reverse
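An added example (not from the deck) of the kind of session rule a bank can run against the pattern in Steps 4 and 5: new recipients created and funded by ACH in the same login session, in a run of similarly sized transfers like the roughly twenty $8,000 items in the opening scenario. The event format, thresholds and both sample sessions are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List

@dataclass
class Event:
    """One audited action inside a single online-banking login session."""
    session: str
    kind: str            # "login", "add_payee" or "ach"
    payee: str = ""
    amount: float = 0.0

def review_session(events: List[Event], min_new_payee_transfers: int = 3,
                   cluster_cv: float = 0.15) -> dict:
    """Decide whether a session should be held for out-of-band confirmation.

    The takeover pattern is: payees that did not exist before this session
    receive several ACH transfers before the session ends, typically in a
    tight band of amounts. Thresholds are assumptions for illustration.
    """
    new_payees = {e.payee for e in events if e.kind == "add_payee"}
    to_new = [e for e in events if e.kind == "ach" and e.payee in new_payees]
    amounts = [e.amount for e in to_new]
    clustered = False
    if len(amounts) >= 2 and mean(amounts) > 0:
        # coefficient of variation: small value means near-identical amounts
        clustered = pstdev(amounts) / mean(amounts) <= cluster_cv
    return {
        "new_payees": len(new_payees),
        "transfers_to_new_payees": len(to_new),
        "total_to_new_payees": round(sum(amounts), 2),
        "amounts_clustered": clustered,
        "hold_for_confirmation": len(to_new) >= min_new_payee_transfers,
    }

# Constructed sessions. SUSPECT mirrors the deck's scenario; NORMAL is a
# single payment to a payee that already existed before the login.
SUSPECT = [Event("s-1001", "login")]
for i in range(18):
    SUSPECT.append(Event("s-1001", "add_payee", payee=f"mule-{i:02d}"))
    SUSPECT.append(Event("s-1001", "ach", payee=f"mule-{i:02d}", amount=7800 + 25 * i))
NORMAL = [Event("s-1002", "login"),
          Event("s-1002", "ach", payee="payroll-vendor", amount=42000.0)]

if __name__ == "__main__":
    print("suspect", review_session(SUSPECT))
    print("normal ", review_session(NORMAL))
```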
Evolution of Malware – The Red Queen
• Red Queen Hypothesis – coevolution of parasite/host
• From “Through the Looking Glass”
– The Red Queen tells Alice “Now, here, you see, it takes all the
running you can do to keep in the same place”
• Passwords → Keyloggers
• Challenge questions → delete cookies
• Registration cookies → steal cookies
• Email passwords → Access email
• One Time Passwords → MITB…
Man in the Browser attack
• Trojan horse/rootkit specifically for the browser.
• Same idea – shows you on the screen what you
think you should see, but in the background is
doing something evil.
Man in the Browser attack
• Zeus Trojan recent variants –
– You login to your online business banking
– You set up and send a transaction
– You type in a One Time Password from a security
– The Trojan immediately and automatically in the
background modifies your transaction to send the
funds to his mule.
– The Trojan shows you on your screen that your
transaction was successful.
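An added example (not from the deck or from any bank's product) showing why the token code in the Zeus scenario above does not stop a Man in the Browser, and what does: a code that depends only on the token's counter verifies no matter what the Trojan changes, while a code bound to the payee and amount fails the moment the transaction is altered. The seed, account numbers, digit count and message format are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed token seed

@dataclass(frozen=True)
class Transfer:
    payee_account: str
    amount_cents: int

def _code(key: bytes, msg: bytes, digits: int = 8) -> str:
    """Truncate an HMAC-SHA256 to a fixed-length decimal code, like a token display."""
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

def event_otp(key: bytes, counter: int) -> str:
    """Conventional one-time password: depends only on the shared counter."""
    return _code(key, counter.to_bytes(8, "big"))

def transaction_code(key: bytes, counter: int, tx: Transfer) -> str:
    """Transaction-bound code: the token mixes in the payee and amount the
    user keys into it (or reads from its display), so the code is only
    valid for that exact transfer."""
    msg = counter.to_bytes(8, "big") + f"{tx.payee_account}|{tx.amount_cents}".encode()
    return _code(key, msg)

def bank_verifies(key: bytes, counter: int, received: Transfer,
                  code: str, bound: bool) -> bool:
    """Bank side: recompute the expected code over the transfer it received."""
    expected = transaction_code(key, counter, received) if bound else event_otp(key, counter)
    return hmac.compare_digest(expected, code)

def simulate(bound: bool) -> bool:
    """Return True if the Trojan's swapped transfer is accepted by the bank."""
    intended = Transfer("payroll-vendor-001", 800_000)   # what the user sees
    mule = Transfer("mule-account-4242", 800_000)        # what the browser sends
    ctr = 17
    if bound:
        code = transaction_code(SECRET, ctr, intended)   # user keyed in payee+amount
    else:
        code = event_otp(SECRET, ctr)                    # user copied the OTP
    return bank_verifies(SECRET, ctr, mule, code, bound)

if __name__ == "__main__":
    print("plain OTP, mule transfer accepted:", simulate(bound=False))
    print("bound code, mule transfer accepted:", simulate(bound=True))
```

The binding only helps if the payee and amount reach the token through a path the Trojan cannot touch (keyed into the device or shown on an independent display), which is the property the browser alone can no longer provide.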
Stage 4: Use…Version 2.0
• Scarier Use: Advanced Persistent Threats
• Espionage, not financial data
• Aim is long term under-the-radar occupation of
corporations and government entities.
• Targeted, custom malware less likely to be
• Well funded and
APT example – China hacks Google
• January 2010
• “Aurora” malware used Zero-day bug in Microsoft IE
• Stole intellectual property from Google
• Accessed gmail accounts of Chinese human
• Related intrusion into big energy companies,
stole oil reserve data
• Dozens of other companies targeted too.
Another APT example - Stuxnet
• Four main exploit channels,
– Two Windows zero-day
• Targeted payload designed for a specific
Industrial control system …running specific
• Encryption and Polymorphism
• Dead-man's switch – 3 generations or June 24,
Built for espionage
• Attributes indicate it was built by a well funded
and knowledgeable group (a government).
• Many believe the target was Iran’s nuclear
• Stuxnet infection rate seems to
Stopping Malware at step 1 - exploit
• Patch systems to “fix” the bugs
– Operating system
– Third party apps, especially Adobe and Java
• Don’t download malware
– AV and browser plug-ins to block hostile sites
– Avoid file sharing and less-than-reputable download
Stopping Malware at step 1 - exploit
• Don’t use guessable passwords
• Use email with an antivirus/antispam filter
• Use a firewall (or cable router or software
firewall) to block hostile traffic to listening ports
• Use portable media with caution, and scan
Stopping malware- Antivirus
• Antivirus can’t detect all malware
• Must be up-to-date.
• Utilizes signatures (patterns) that match parts of
– Polymorphism – patterns change
– New variants or custom built viruses won’t have
– Rootkits can give “false” information to the Antivirus
Malware command and control
• Some is easy to detect – IRC, P2P protocols
• More sophisticated C&C could be more difficult –
can really disguise itself as any network protocol
• Residential router/firewalls do not generally block
• Many corporate firewalls do not either
• Default deny on outbound traffic can help stop
• Myriad of gateway appliances
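An added example (not part of the deck) of what "default deny on outbound traffic" looks like as a detection rule rather than a firewall setting: workstation flows are checked against a short egress allowlist and anything else is reported, with the IRC port the deck mentions tagged for quick triage. The network ranges, allowlist and flow records are constructed.

```python
import ipaddress
import re
from typing import List

# Constructed policy: workstations may only reach the internal DNS server and
# the web proxy; the mail relay is the only host allowed to speak SMTP outward.
WORKSTATIONS = ipaddress.ip_network("10.1.20.0/23")
ALLOWED = {("10.1.0.5", 53), ("10.1.0.10", 3128)}
SERVERS = {"10.1.0.25": {25}}
NOISY_C2_PORTS = {6667: "irc"}          # easy-to-spot C&C protocol from the deck

LINE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) (\d+) (\w+)$")

# Constructed flow records (timestamp host src -> dst dport proto), not real logs.
FLOWS = """\
2010-06-01T09:12:01 ws-acct-07 10.1.20.37 -> 10.1.0.5 53 udp
2010-06-01T09:12:03 ws-acct-07 10.1.20.37 -> 10.1.0.10 3128 tcp
2010-06-01T09:12:09 ws-acct-07 10.1.20.37 -> 198.51.100.77 6667 tcp
2010-06-01T09:13:41 ws-acct-07 10.1.20.37 -> 203.0.113.9 8080 tcp
2010-06-01T09:14:00 ws-hr-02 10.1.21.12 -> 10.1.0.10 3128 tcp
2010-06-01T09:14:12 mailrelay 10.1.0.25 -> 192.0.2.30 25 tcp
2010-06-01T09:15:02 ws-hr-02 10.1.21.12 -> 192.0.2.200 443 tcp
"""

def audit(flow_text: str) -> List[dict]:
    """Return every flow that a default-deny egress policy would have blocked."""
    findings = []
    for raw in flow_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                 # skip unparseable lines
        ts, host, src, dst, port, proto = m.groups()
        port = int(port)
        if src in SERVERS:
            if port in SERVERS[src]:
                continue
            reason = "server reached non-allowlisted port"
        elif ipaddress.ip_address(src) in WORKSTATIONS:
            if (dst, port) in ALLOWED:
                continue
            reason = "workstation egress outside allowlist"
        else:
            continue                                 # not a host this policy covers
        findings.append({"ts": ts, "host": host, "dst": dst, "port": port,
                         "proto": proto, "reason": reason,
                         "tag": NOISY_C2_PORTS.get(port, "")})
    return findings

if __name__ == "__main__":
    for f in audit(FLOWS):
        print(f)
```

The direct 443 connection that bypasses the proxy is reported too: a disguised C&C channel on a common port is only caught because the rule is "everything not allowed", not "everything that looks like IRC".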