Malware, Trojans & Botnets

Kevin Bong
Johnson Financial Group
A scary scenario
 • The school district’s accounting manager logs
   into the district’s online banking account.
 • Balance is $150,000 short.
 • Looking at the transaction history, it shows
   almost 20 ACH transactions, each around
   $8,000, were initiated from the account
   yesterday.
 • The recipients of the transactions are unfamiliar.
 • The accounting manager calls her bank…


The plot thickens
 • Bank traces the funds and contacts the receiving
   banks.
 • Some of the funds are still available, others have
   been withdrawn.
 • Discussions with the account holders reveal that
   they have been hired as “money transfer agents”
   and have wired the money overseas.
 • A scan of the accounting manager’s computer
   shows that viruses were found and removed.



The Zeus Botnet
 • Has been used to breach thousands of online
   business banking accounts
 • Small businesses, non profits, towns, schools, …
 • Used to steal over $100 Million as of Nov 09, still
   going strong.




Malware, Trojans and Botnets
 • This is one example of the many ways fraudsters
   use malware to make money.
 • How could this happen?
   – Aren’t there multiple layers of controls?
   – Malware is used to break every layer.




Malware is used in most data breaches

               Threat Agents by Percent of Breached Records

                   Malware                94%
                   Hacking                96%
                   Social Engineering      3%
                   Misuse                  3%
                   Physical Access         1%

 (Categories overlap, so the percentages do not sum to 100%.)

 Joint United States Secret Service/Verizon
 2010 Data Breach Investigations Report
 Analysis of 141 breach cases including over 143 million breached data records



What’s the difference?
 • Malware – malicious software: hostile, intrusive,
   or annoying program code
 • Virus – software that reproduces itself
 • Bot – computer program that does automated
   tasks.
 • Trojan – initially bad software hidden inside good
   software. Now more generally refers to Malware
   with “backdoor” (remote control) functionality, or
   an evil bot.
 • Botnet – a network of compromised “zombie”
   computers
How do computers get infected?




                    Joint USSS/Verizon 2010 Breach Report




Injected/Installed by remote attacker
Listening Network Services
 • Example MS09-022 “Buffer Overflow in Microsoft Print Spooler
   Vulnerability”
 • Listening software = programs running in the background
   waiting for incoming network traffic.




Other Common Network Services attacked
 • Web servers
 • FTP servers
 • Windows file sharing
 • Mail Servers
 • Network services (name lookup, etc.)
 • Databases




Web – Auto Executed Drive By
 • Hackers infect legitimate websites
 • Or build infected websites and get high search
   engine rankings
 • Code – usually JavaScript – is included on the
   infected page.
 • The JavaScript is executed on the client and instructs
   the client to download, install, and run malicious
   programs.




Web/Email User downloaded or executed
 • Download programs from file sharing sites or
   other untrusted sources
 • Not just programs – virus code can hide in Adobe
   PDF, Flash, Windows Media, Java
 • More than 46% of the browser-based exploits
   during the second half of 2009 were aimed at
   vulnerabilities in the free Adobe Reader PDF
   viewer.




Facebook – Social Engineering
 • Receive a message from a Facebook friend:
   “Hey, I have this hilarious video of you dancing.
   Your face is so red. You should check it out.”
 • Koobface infects a profile and sends a message
   to all friends via the Facebook messaging system.
 • When you click on the video, you are prompted
   to update Flash Player. The update is actually a
   copy of the Koobface worm.
 • Facebook funniest malware vid



Exploit + Payload = Malware
 • Vulnerability – the weakness that is utilized to
   compromise the machine
    – Most commonly software bugs and tricking users
 • Exploit – the chunk of hacker code that utilizes
   the vulnerability
 • Payload – the chunk of hacker code to “do
   something” with the compromised host.
    – Hiding, spreading, stealing, attacking, destroying,
      earning income




Metasploit
 • Framework for joining Exploits with Payloads,
   and launching attacks.
 • Command line and GUI interfaces
 • Hundreds of exploits built in to the tool
 • Open API to build and include more
 • Over 100 payloads too




Metasploit Exploits Example




Metasploit exploits - GUI




Metasploit Payloads




                      MSF vid
Stage 2: Hiding
 • Generally not noisy like adware and spyware (at
   least not initially)
 • May disable antivirus and administrative
   functions/control panels. Less obviously, it may
   just break the AV update capability.
 • More sophisticated malware installs itself as a
   “Rootkit”




Rootkit
 • Obscures the fact that a system has been
   compromised
 • Hooks into or replaces portions of the operating
   system
    – User mode – modifies
    – Kernel mode –
 • Makes the computer “lie” to higher level
   programs, like Windows Explorer and antivirus
 • HackerDefender is a well known example (Vid)


Stage 3: Join Botnet
 • Use Dynamic DNS lookup to find a Botnet server
   on the Internet
 • “Fast-flux” DNS techniques to direct the bot to
   one of hundreds of bot servers.
 • Forward traffic through proxies, harder to trace
 • Servers kept in non-cooperative countries
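A defender's view of the fast-flux lookups described above, as an added example that is not from the slides: a heuristic over successive DNS answers for one name, flagging the short TTLs and constantly changing, widely spread address sets that fast-flux produces. The thresholds, hostnames and addresses are constructed for illustration.

```python
"""Fast-flux DNS heuristic over a constructed series of lookups.
Added example, not part of the original slides: a bot locating its C&C via
fast-flux DNS sees short TTLs and answer sets that keep changing across many
unrelated networks. Thresholds and sample data are constructed.
"""
from collections import Counter
from dataclasses import dataclass

@dataclass
class DnsAnswer:
    """One observed resolution of a hostname: TTL and the returned A records."""
    name: str
    ttl: int
    ips: list

def prefix16(ip: str) -> str:
    """Coarse network key: the /16 prefix of an IPv4 address."""
    a, b, *_ = ip.split(".")
    return f"{a}.{b}"

def fast_flux_score(answers, ttl_limit=300):
    """Return (is_suspicious, metrics) for successive answers to one name."""
    if not answers:
        return False, {}
    all_ips = Counter(ip for a in answers for ip in a.ips)
    sets = [set(a.ips) for a in answers]
    # Fraction of consecutive lookups whose answer set differs from the last one.
    changes = sum(1 for x, y in zip(sets, sets[1:]) if x != y)
    metrics = {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len({prefix16(ip) for ip in all_ips}),
        "min_ttl": min(a.ttl for a in answers),
        "change_ratio": changes / max(1, len(sets) - 1),
    }
    suspicious = (metrics["min_ttl"] <= ttl_limit
                  and metrics["distinct_ips"] >= 10
                  and metrics["distinct_prefixes"] >= 5
                  and metrics["change_ratio"] >= 0.5)
    return suspicious, metrics

# Constructed: a flux name hands out three fresh addresses every 60 seconds.
FLUX = [DnsAnswer("cnc.example.invalid", 60,
                  [f"{10 + i}.{20 + 3 * i + k}.1.{k + 1}" for k in range(3)])
        for i in range(8)]
# Constructed: a normal site, long TTL, same two addresses in one /16.
STABLE = [DnsAnswer("www.example.invalid", 3600, ["203.0.113.5", "203.0.113.6"])
          for _ in range(8)]
```

A content delivery network can also return low TTLs and several addresses, so the prefix-spread and change-ratio conditions matter more than the TTL alone.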




Botnet Command and Control
 • Historically preferred IRC, still in use
 • HTTP (web browser traffic)
 • Peer to peer protocols
 • Twitter, Google Groups, Facebook




Botnet Control Diagram




Botnet control via IRC channel




                     IRC C&C vid
Some sample Botnet commands
 • ddos.synflood [host] [time] [delay] [port]
 • ddos.phatwonk [host] [time] [delay]
 • scan.start
 • http.download
 • http.execute
 • ftp.download
 • spam.setlist
 • spam.settemplate
 • spam.start
 • bot.open
 • bot.die

 * SYN-flood on ports 21, 22, 23, 25, 53, 80, 81, 88, 110, 113, 119, 135, 137,
   139, 143, 443, 445, 1024, 1025, 1433, 1500, 1720, 3306, 3389, 5000, 6667,
   8000, 8080



Hierarchical CnC topology
 • Commands sent to distributed servers, which
   send commands to bots.
 • May be multiple layers.
 • Single bots aren’t aware of bot master location
   or size of botnet.
 • Easy to carve up to sell or perform different
   operations.



Botnet Command and Control
 • Zeus Tracker Command and Control Servers as
   of 10.11.2010




Zeus Server Distribution




Current Botnet Attributes
 • Distributed Architecture
 • Multiple C&C channels
 • Extensive encryption
 • Immortal/unlimited in size
 • Self Protection
 • Self Healing
 • Virtual Machine Aware
 • Polymorphic
 • Multiple exploit channels



Bot Herding
 • Separate “owned” machines based on function
    – Static, always on, high bandwidth → server
    – POS machine → steal credit cards
    – Corporate office → steal data, spread
    – Look for online business banking use → ACH theft
    – Home Users → SPAM, DDOS, etc.
 • Manage bots
 • Lease out services



Botnet Statistics




Stage 4: Use
• Send SPAM
   – Steal email addresses from compromised computers.
   – Most mail systems will block large numbers of emails from the
     same source. Distributing the sending across many workstations
     makes it harder to filter/block.
• Denial of Service
   – Have hundreds or thousands of your bots send traffic at the
     same website or company, fill their pipe and knock them off
     the Internet.
• Other theft
   – Credit card numbers
   – Steal “in game” online game items and sell them on eBay

Banking attack – Step 1 infection
 • Bank of Nicolai vid
 • Utilize Phishing, network exploits, and drive by
   downloads to spread your botnet as wide as
   possible.




Banking attack – Step 2 identify victim machines
 • Monitor browser use and network traffic to
   identify any machines in the bot network that are
   being used to log into online business banking
   services
 • May at that point install a rootkit on the identified
   machine




Banking attack – Step 3 Capture Passwords
 • Keylogger can capture passwords
 • Challenge questions?
    – Steal or delete registration cookies to bypass challenge
      questions
 • Email password?
    – Hacker also already has access to your email




Banking attack Step 4 – Hire mules
 • Use your botnet to send SPAM email soliciting
   for “work at home” jobs
 • Timing is critical, to pick up and wire funds before
   the account compromise is detected.




Banking attack Step 5 – Perform transaction
 • Remote control allows them to log in from your
   workstation if they want.
 • They know your password, challenge question,
   etc.
 • Aim is to create new recipients and send funds
   via ACH or wire in one login session
 • These electronic transactions are nearly immediate
   and difficult to reverse




Evolution of Malware – The Red Queen
 • Red Queen Hypothesis – coevolution of parasite/host
 • From “Through the Looking Glass”
    – The Red Queen tells Alice “Now, here, you see, it takes all the
      running you can do to keep in the same place”
 • Passwords → Keyloggers
 • Challenge questions → delete cookies
 • Registration cookies → steal cookies
 • Email passwords → Access email
 • One Time Passwords → MITB…




Man in the Browser attack
 • Trojan horse/rootkit specifically for the browser.
 • Same idea – shows you on the screen what you
   think you should see, but in the background is
   doing something evil.




Man in the Browser attack
 • Zeus Trojan recent variants –
    – You log in to your online business banking
    – You set up and send a transaction
    – You type in a One Time Password from a security
      token, etc.
    – The Trojan immediately and automatically, in the
      background, modifies your transaction to send the
      funds to his mule.
    – The Trojan shows you on your screen that your
      transaction was successful.
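Why the Man-in-the-Browser step above defeats a one-time password, and the control a bank can add against it, as an added example that is not from the slides: a code that depends only on the token and a counter verifies no matter what the Trojan submits, while a code bound to the recipient and amount the user reads off a separate device fails once the recipient is swapped. The six-digit HMAC scheme and all account values are constructed for illustration, not any real bank's protocol.

```python
"""Why a plain one-time password does not stop a Man-in-the-Browser Trojan,
and why a code bound to the transaction does ('what you see is what you sign').
Added example, not part of the original slides. The token scheme (HMAC-SHA256
truncated to six digits) and all values are constructed, not a real bank's.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-token-seed"   # shared between the user's token and the bank

def six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code a user can type."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def session_otp(secret: bytes, counter: int) -> str:
    """Classic event-based OTP: depends only on the shared secret and a counter."""
    return six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def transaction_code(secret: bytes, counter: int, recipient: str, amount_cents: int) -> str:
    """Transaction-signing code: also bound to the recipient and amount the user
    reads from a display the browser cannot alter (token screen, phone)."""
    msg = counter.to_bytes(8, "big") + recipient.encode() + amount_cents.to_bytes(8, "big")
    return six_digits(hmac.new(secret, msg, hashlib.sha256).digest())

# What the user's token produces for the details the user *sees* on screen.
def token_session_otp(counter, recipient, amount_cents):
    return session_otp(SECRET, counter)

def token_transaction_code(counter, recipient, amount_cents):
    return transaction_code(SECRET, counter, recipient, amount_cents)

# What the bank checks against the details it *receives* from the browser.
def bank_accepts_session_otp(counter, recipient, amount_cents, code):
    return hmac.compare_digest(session_otp(SECRET, counter), code)

def bank_accepts_transaction_code(counter, recipient, amount_cents, code):
    expected = transaction_code(SECRET, counter, recipient, amount_cents)
    return hmac.compare_digest(expected, code)

def mitb_scenario(user_token, bank_check) -> bool:
    """User approves a payment to SUPPLIER; the Trojan swaps the recipient in
    the browser after the code is typed. Returns True if the theft succeeds."""
    counter, intended, amount_cents = 42, "SUPPLIER-ACCT-001", 800_000   # $8,000
    code = user_token(counter, intended, amount_cents)   # computed from what the user saw
    tampered = "MULE-ACCT-999"                           # substituted in the background
    return bank_check(counter, tampered, amount_cents, code)
```

The binding only helps if the recipient and amount are confirmed on a channel the infected browser does not control; a code displayed by the same browser can be altered along with the transaction.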



Stage 4: Use…Version 2.0
 • Scarier Use: Advanced Persistent Threats
 • Espionage, not financial data
 • Aim is long term under-the-radar occupation of
   corporations and government entities.
 • Targeted, custom malware less likely to be
   detected.
 • Well funded and well organized.




APT example – China hacks Google
 • January 2010
 • “Aurora” malware used a zero-day bug in Microsoft IE
 • Stole intellectual property from Google
 • Accessed Gmail accounts of Chinese human
   rights activists
 • Related intrusion into big energy companies,
   stole oil reserve data
 • Dozens of other companies targeted too.

Another APT example - Stuxnet
 • Four main exploit channels,
    – Two Windows Zero day
    – USB
 • Targeted payload designed for a specific
   Industrial control system …running specific
   custom software
 • Encryption and Polymorphism
 • Dead-man’s switch – 3 generations or June 24,
   2012


Built for espionage
 • Attributes indicate it was built by a well funded
   and knowledgeable group (a government).
 • Many believe the target was Iran’s nuclear
   facilities.
 • Stuxnet infection rate seems to agree…




Stopping Malware at step 1 - exploit
 • Patch systems to “fix” the bugs
    – Operating system
    – Browser
    – Third party apps, especially Adobe and Java
 • Don’t download malware
    – AV and browser plug-ins to block hostile sites
    – Avoid file sharing and less-than-reputable download
      sites




Stopping Malware at step 1 - exploit
 • Don’t use guessable passwords
 • Use email with an antivirus/antispam filter
 • Use a firewall (or cable router or software
   firewall) to block hostile traffic to listening ports
 • Use portable media with caution, and scan
   before use




Stopping malware- Antivirus
 • Antivirus can’t detect all malware
 • Must be up-to-date.
 • Utilizes signatures (patterns) that match parts of
   known malware
    – Polymorphism – patterns change
    – New variants or custom built viruses won’t have
      signatures
    – Rootkits can give “false” information to the Antivirus
      software




Malware command and control
 • Some is easy to detect – IRC, P2P protocols
 • More sophisticated C&C can be more difficult – it
   can disguise itself as almost any network protocol
 • Residential router/firewalls do not generally block
   C&C traffic
 • Many corporate firewalls do not either
 • Default deny on outbound traffic can help stop it
 • A myriad of gateway appliances exist for this
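The "default deny on outbound traffic" point, worked as an added example that is not from the slides: a Python model of an egress policy with a constructed allowlist (one web proxy and one internal resolver) applied to constructed flow records. It shows which of the C&C flows named on this slide the policy stops (IRC, direct HTTP, outside DNS) and which one it cannot (C&C that rides the permitted HTTP path through the proxy), which is where the gateway appliances come in.

```python
"""Default-deny egress policy over constructed flow records (added example,
not from the original slides; proxy, resolver and flows are constructed).
Default deny stops IRC and direct-to-Internet C&C, but C&C riding the
permitted HTTP path via the proxy still gets out and needs gateway inspection.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")
PROXY = ip_address("10.0.0.5")        # constructed: the only approved web path
RESOLVER = ip_address("10.0.0.53")    # constructed: the only approved DNS path

# Explicit egress allowlist: (source host, protocol, destination port).
EGRESS_ALLOW = {
    (PROXY, "tcp", 80),
    (PROXY, "tcp", 443),
    (RESOLVER, "udp", 53),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def egress_decision(flow: Flow) -> str:
    """'allow' or 'deny'. Internal-to-internal traffic is out of scope; anything
    leaving INTERNAL is denied unless it matches EGRESS_ALLOW exactly."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in INTERNAL:
        return "allow"
    if (src, flow.proto, flow.dport) in EGRESS_ALLOW:
        return "allow"
    return "deny"

def evaluate(flows):
    """Map each flow to its decision; a SIEM rule would alert on the denies."""
    return {f: egress_decision(f) for f in flows}

# Constructed sample flows from workstation 10.0.1.20 and the two gateways.
SAMPLE = [
    Flow("10.0.1.20", "198.51.100.7", 6667),       # bot joining an IRC C&C channel
    Flow("10.0.1.20", "198.51.100.8", 80),         # HTTP C&C bypassing the proxy
    Flow("10.0.1.20", "203.0.113.9", 53, "udp"),   # DDNS lookup to an outside resolver
    Flow("10.0.1.20", "10.0.0.5", 3128),           # workstation -> proxy, internal
    Flow("10.0.0.5", "198.51.100.8", 80),          # proxy relays HTTP: still gets out
    Flow("10.0.0.53", "203.0.113.9", 53, "udp"),   # resolver forwards the query
]
```

The denied workstation flows are themselves a detection signal: a host that keeps trying port 6667 or an outside resolver despite the policy is worth a look.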


