11/5/2015
On modern malware threats and defenses against them
Nov 2015, UBC Dmitry Samosseiko, Director of Threat Research, SophosLabs
2 1 2
The good old days…
“Cyber weapons”
Nation-state WHO? Hacktivism cyber-espionage
Financially motivated Cyber crime 3 4 3 4
Cyber espionage, early days APT – What does it mean? Advanced Persistent Threat • Nov 2010 – operation “Aurora” – Google A fancy name for targeted attacks • Jan 2011 – Canadian government organizations a.k.a. ATA – advanced targeted attacks • Feb 2011 - “Knight Dragon” – energy industries • Mar 2011 - RSA • Jun 2011 – Northrop Grumman (RSA hack) “….daily onslaught of digital assaults launched by attackers who • Jun 2011 - IMF are considered highly-skilled, determined and possessed of a long- • Aug 2011 - “ShadyRat” – MANY governments and corporations worldwide term perspective on their mission” (Wikipedia) • Sept 2011 – Mitsubishi (nuclear plant, defense secrets) • ….
5 6 5 6
1 11/5/2015
Potential targets for APTs and hackers?
By state-sponsored groups: • Large corporations • Government agencies • Contractors (so, any company) • Political activists
By hackers and financially motivated cybercriminals • Retailers, banks, credit unions, online stores, casinos, … • ATMs • Celebrities Source: AV-TEST 7 8 7 8
Malicious software Malware monetization options
• Viruses = infecting files, self-propagates • Worms = spreads through network holes, self-propagates • Trojans = resident software with backdoor functionality, pretends to be legitimate, doesn’t self-propagate
SOURCE: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ 9 9 10
Botnets use Banking malware
• Examples: Vawtrak, Dyreza, Dridex, Zeus 1. Email spam • Targeting banking institutions worldwide � “Grum” ~ 200,000 PCs • Steals account credentials on banking websites � “Rustock” ~ 815,000 PCs • Initiates automatic money transfer 2. Web spam • “Web injects“ (injecting DLL into browser process) 3. DDoS • Includes social engineering to 4. “Installs” • Deliver mobile component to bypass 2FA 5. Information stealers • Steal ATM PIN • Vawtrack – Crimeware-as-a-Service model (steal to order)
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak- international-crimeware-as-a-service-tpna.pdf
11 Picture source: http://en.wikipedia.org/wiki/Botnet 11 12
2 11/5/2015
Targeted attacks on banks and merchants Target’s breach
• Infecting bank networks directly (Carbanak) • • 40 million – The number of credit and debit cards thieves stole from Infecting Point-of-Sale devices, memory “scraping” (BlackPos, Target Alina, PoSeidon, FindPOS, FighterPOS, PunKey, NitlovePOS and • 46 – The percentage drop in profits at Target in the fourth quarter of MalumPOS) 2013, compared with the year before. • Target • 200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen • Home Depot in the Target breach. • P.F. Chang • 18.00 – 35.70 - The median price range (in dollars) per card stolen from Target and resold on the black market • 1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud • 53.7 million – The income that hackers likely generated from the sale of 2 million cards stolen from Target).
14 Sources: KrebsOnSecurity.com Forbes.com 13 14
• Fake anti-virus Scareware / FakeAV • Fake anti-spyware • System “optimizers” Used to be #1 threat 3 years ago
Videos at http://youtube.com/SophosLabs 15 16 15 16
Ransomware
• Encrypts documents or • …blocks screen/mouse/keyboard access • Demands money to unlock/decrypt (SMS, e-currency, prepaid cards, Bitcoins)
17 17 18
3 11/5/2015
CryptoLocker
19 20 19 20
The end? TorrentLocker
Operation Tovar – July 2014:
Russian Evgeniy Bogachev, aka "lucky12345" and "slavik", was charged by the US FBI of being the ringleader of the gang behind Gameover Zeus and Cryptolocker
• Earnings estimate - $3M
21 22 21 22
CTB-Locker “Threat Finder”
23 24 23 24
4 11/5/2015
Powershell-based Ransomware CryptoWall
25 26 25 26
CryptoWall Attack example, stage 1
• Unbreakable encryption • Unique public key is generated on the server • Deletes “shadow” copies of files • Uses I2P proxies to communicate with its command-n-control • Uses TOR network and Bitcoins for payments • Infection vectors: email, drive-by downloads, malvertizement
27 28 27 28
… stage 2 (CHM file) … stage 3 (EXE)
• Launches new instance of explorer.exe • Injects unpacked CryptoWall binary code into this process • Original process exits • vssadmin.exe Delete Shadows /All /Quiet • Achieves persistence with autorun registry keys • Starts a new process for CnC communication via I2P • Obtains unique public key • Uses AES 256 encryption to encrypt documents • Writes and displays “how to decrypt” note in the language, based on GEO IP lookup
29 30 29 30
5 11/5/2015
Web-based attacks Myth: I’m a safe surfer Do you ever visit these sites?
> 100 000 new malicious pages every day
80% belong to legitimate sites
31 32 31 32
Exploit kits/packs
• Cheap ($50/month) • Easy to use • ‘Silent’ infection of victims
34 33 34
Website infections Arms Race …
Not just Apache
• Linux trojans • FTP account hacking • cPanel exploits • SQL Injections • Vulnerable webservers, CMS (Wordpress, Drupal, …), PHP, … • “Shellshock”!!!
3 35 6 36
6 11/5/2015
Evasion Techniques
Everything is a moving target
• Binaries repackaged every 20 min (!) and AV tested + server side polymorphism • 100s of payload domains created daily • 10,000s of new infected websites stealing legitimate traffic or used as payload or CnC servers
37 38 37 38
Android malware Android environment
• Information stealers • SMS senders Malware vs PUA growth • Platform popularity (70% of new smartphone sales) 200000
• Phishing 180000 • Adding applications to Google Play is easy • Privilege escalation 160000 • Google screening using Bouncer and “Verify application” 140000 • Alternative Android application markets • Zeus for Android 120000 • Fake AV 100000 • Forums and file sharing sites • Ransomware 80000 • “Cracked” and repackaged apps 60000 • Adware 40000 • Android app landscape similar to Windows • Spyware 20000 0 2010-09 2010-11 2011-01 2011-03 2011-05 2011-07 2011-09 2011-11 2012-01 2012-03 2012-05 2012-07 2012-09 2012-11 2013-01 2013-03 2013-05 2013-07 2013-09 2013-11 2014-01 2014-03 2014-05 2014-07 2014-09 2014-11 2015-01 2015-03 2015-05
39 39 40
Android FakeAV demo Android Ransomware
https://www.youtube.com/watch?v=v8NDgLmziLk
41 42
7 11/5/2015
Mac malware? Scareware for Macs
43 Source: Google Trends: http://www.google.ca/trends/explore?q=mac+malware#q=mac%20malware&cmpt=q 44 43 44
October 2014 – OSX/iWorm OSX malware?
• Commercial keyloggers • Spreads through illegal software downloads (torrents) • Toolbars and browser extensions • Turns your Mac into a “bot” • “Bundleware” • Adware • Search result substition • Ad-theft
45 46 45 46
iOS malware? Linux malware
Yes, for “jailbroken” devices Linux samples by month • ELF 600 - YiSpecter (Oct 4, 2015. Uses “private” APIs, signed with • PHP 500
enterprise certificates) • Perl 400 - WireLurker (infects via USB through “enterprise” provisioning) • Shell 300 - XCodeGhost (modifies Xcode development environment) 200 100
0
47 48 47 48
8 11/5/2015
Why Linux? Linux malware example: Troj/Apmod
Apache is powering 93% of web servers, globally • Installs itself as an Apache module which inspect outgoing 1. Linux Web servers is the perfect “launch pad” for malware and HTTP content exploits targeting Windows • Injects JavaScript code into every page served 2. A Linux “botnet” is a perfect platform for spam and DDOS • The JavaScript writes an