11/5/2015
On modern malware threats and defenses against them
Nov 2015, UBC Dmitry Samosseiko, Director of Threat Research, SophosLabs
2 1 2
The good old days…
“Cyber weapons”
Nation-state WHO? Hacktivism cyber-espionage
Financially motivated Cyber crime 3 4 3 4
Cyber espionage, early days APT – What does it mean? Advanced Persistent Threat • Nov 2010 – operation “Aurora” – Google A fancy name for targeted attacks • Jan 2011 – Canadian government organizations a.k.a. ATA – advanced targeted attacks • Feb 2011 - “Knight Dragon” – energy industries • Mar 2011 - RSA • Jun 2011 – Northrop Grumman (RSA hack) “….daily onslaught of digital assaults launched by attackers who • Jun 2011 - IMF are considered highly-skilled, determined and possessed of a long- • Aug 2011 - “ShadyRat” – MANY governments and corporations worldwide term perspective on their mission” (Wikipedia) • Sept 2011 – Mitsubishi (nuclear plant, defense secrets) • ….
5 6 5 6
1 11/5/2015
Potential targets for APTs and hackers?
By state-sponsored groups: • Large corporations • Government agencies • Contractors (so, any company) • Political activists
By hackers and financially motivated cybercriminals • Retailers, banks, credit unions, online stores, casinos, … • ATMs • Celebrities Source: AV-TEST 7 8 7 8
Malicious software Malware monetization options
• Viruses = infecting files, self-propagates • Worms = spreads through network holes, self-propagates • Trojans = resident software with backdoor functionality, pretends to be legitimate, doesn’t self-propagate
SOURCE: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ 9 9 10
Botnets use Banking malware
• Examples: Vawtrak, Dyreza, Dridex, Zeus 1. Email spam • Targeting banking institutions worldwide “Grum” ~ 200,000 PCs • Steals account credentials on banking websites “Rustock” ~ 815,000 PCs • Initiates automatic money transfer 2. Web spam • “Web injects“ (injecting DLL into browser process) 3. DDoS • Includes social engineering to 4. “Installs” • Deliver mobile component to bypass 2FA 5. Information stealers • Steal ATM PIN • Vawtrack – Crimeware-as-a-Service model (steal to order)
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak- international-crimeware-as-a-service-tpna.pdf
11 Picture source: http://en.wikipedia.org/wiki/Botnet 11 12
2 11/5/2015
Targeted attacks on banks and merchants Target’s breach
• Infecting bank networks directly (Carbanak) • • 40 million – The number of credit and debit cards thieves stole from Infecting Point-of-Sale devices, memory “scraping” (BlackPos, Target Alina, PoSeidon, FindPOS, FighterPOS, PunKey, NitlovePOS and • 46 – The percentage drop in profits at Target in the fourth quarter of MalumPOS) 2013, compared with the year before. • Target • 200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen • Home Depot in the Target breach. • P.F. Chang • 18.00 – 35.70 - The median price range (in dollars) per card stolen from Target and resold on the black market • 1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud • 53.7 million – The income that hackers likely generated from the sale of 2 million cards stolen from Target).
14 Sources: KrebsOnSecurity.com Forbes.com 13 14
• Fake anti-virus Scareware / FakeAV • Fake anti-spyware • System “optimizers” Used to be #1 threat 3 years ago
Videos at http://youtube.com/SophosLabs 15 16 15 16
Ransomware
• Encrypts documents or • …blocks screen/mouse/keyboard access • Demands money to unlock/decrypt (SMS, e-currency, prepaid cards, Bitcoins)
17 17 18
3 11/5/2015
CryptoLocker
19 20 19 20
The end? TorrentLocker
Operation Tovar – July 2014:
Russian Evgeniy Bogachev, aka "lucky12345" and "slavik", was charged by the US FBI of being the ringleader of the gang behind Gameover Zeus and Cryptolocker
• Earnings estimate - $3M
21 22 21 22
CTB-Locker “Threat Finder”
23 24 23 24
4 11/5/2015
Powershell-based Ransomware CryptoWall
25 26 25 26
CryptoWall Attack example, stage 1
• Unbreakable encryption • Unique public key is generated on the server • Deletes “shadow” copies of files • Uses I2P proxies to communicate with its command-n-control • Uses TOR network and Bitcoins for payments • Infection vectors: email, drive-by downloads, malvertizement
27 28 27 28
… stage 2 (CHM file) … stage 3 (EXE)
• Launches new instance of explorer.exe • Injects unpacked CryptoWall binary code into this process • Original process exits • vssadmin.exe Delete Shadows /All /Quiet • Achieves persistence with autorun registry keys • Starts a new process for CnC communication via I2P • Obtains unique public key • Uses AES 256 encryption to encrypt documents • Writes and displays “how to decrypt” note in the language, based on GEO IP lookup
29 30 29 30
5 11/5/2015
Web-based attacks Myth: I’m a safe surfer Do you ever visit these sites?
> 100 000 new malicious pages every day
80% belong to legitimate sites
31 32 31 32
Exploit kits/packs
• Cheap ($50/month) • Easy to use • ‘Silent’ infection of victims
34 33 34
Website infections Arms Race …
Not just Apache
• Linux trojans • FTP account hacking • cPanel exploits • SQL Injections • Vulnerable webservers, CMS (Wordpress, Drupal, …), PHP, … • “Shellshock”!!!
3 35 6 36
6 11/5/2015
Evasion Techniques
Everything is a moving target
• Binaries repackaged every 20 min (!) and AV tested + server side polymorphism • 100s of payload domains created daily • 10,000s of new infected websites stealing legitimate traffic or used as payload or CnC servers
37 38 37 38
Android malware Android environment
• Information stealers • SMS senders Malware vs PUA growth • Platform popularity (70% of new smartphone sales) 200000
• Phishing 180000 • Adding applications to Google Play is easy • Privilege escalation 160000 • Google screening using Bouncer and “Verify application” 140000 • Alternative Android application markets • Zeus for Android 120000 • Fake AV 100000 • Forums and file sharing sites • Ransomware 80000 • “Cracked” and repackaged apps 60000 • Adware 40000 • Android app landscape similar to Windows • Spyware 20000 0 2010-09 2010-11 2011-01 2011-03 2011-05 2011-07 2011-09 2011-11 2012-01 2012-03 2012-05 2012-07 2012-09 2012-11 2013-01 2013-03 2013-05 2013-07 2013-09 2013-11 2014-01 2014-03 2014-05 2014-07 2014-09 2014-11 2015-01 2015-03 2015-05
39 39 40
Android FakeAV demo Android Ransomware
https://www.youtube.com/watch?v=v8NDgLmziLk
41 42
7 11/5/2015
Mac malware? Scareware for Macs
43 Source: Google Trends: http://www.google.ca/trends/explore?q=mac+malware#q=mac%20malware&cmpt=q 44 43 44
October 2014 – OSX/iWorm OSX malware?
• Commercial keyloggers • Spreads through illegal software downloads (torrents) • Toolbars and browser extensions • Turns your Mac into a “bot” • “Bundleware” • Adware • Search result substition • Ad-theft
45 46 45 46
iOS malware? Linux malware
Yes, for “jailbroken” devices Linux samples by month • ELF 600 - YiSpecter (Oct 4, 2015. Uses “private” APIs, signed with • PHP 500
enterprise certificates) • Perl 400 - WireLurker (infects via USB through “enterprise” provisioning) • Shell 300 - XCodeGhost (modifies Xcode development environment) 200 100
0
47 48 47 48
8 11/5/2015
Why Linux? Linux malware example: Troj/Apmod
Apache is powering 93% of web servers, globally • Installs itself as an Apache module which inspect outgoing 1. Linux Web servers is the perfect “launch pad” for malware and HTTP content exploits targeting Windows • Injects JavaScript code into every page served 2. A Linux “botnet” is a perfect platform for spam and DDOS • The JavaScript writes an
Combine this with a common belief that Unix/Linux ‘is safe’ and needs no AV. The We call it the “web traffic hijacking” result is -- highly effective malware spreading on Unix/Linux, and going unnoticed for a long time
49 49 50
Cybercrime pays… Fake anti-virus profitability Statistics from topsale2.ru
Affiliate Account Affiliate ID Username Balance (USD) 4928 nenastniy $158,568.86 56 krab $105,955.76 2 rstwm $95,021.16 4748 newforis $93,260.64 5016 slyers $85,220.22 3684 ultra $82,174.54 3750 cosma2k $78,824.88 5050 dp322 $75,631.26 3886 iamthevip $61,552.63 4048 dp32 $58,160.20 51 52 51 52
What can be done?
Date Orders 01 30 02 74 Awareness This affiliate used 66 unique domains referencing his AffID 03 216 04 193 • 124 orders per day 05 231 Security measures • Average sale = $160 06 191 • 40% commission 07 189 08 78 Legal actions 124*160 = $19840 * 40% = 09 99 10 128 $7936/day 11 52 12 7 Average sales per 124 day
53 54 53 54
9 11/5/2015
Legal actions and takedown efforts Introducing SophosLabs
Takedown highlights One global team -- UK, Canada, Australia, Hungary, India • Nov 2009 – “Mega-D” (30-35% of spam). Arrested
• Feb 2010 – “Mariposa” botnet, 12M PCs. Arrested. • Mar 2010 – “Zeus” botnet. Arrested >100 researchers 24/7 365 days/year • Oct 2010 – “Bredolab” botnet, 30M PCs! & engineers • Sep 2011 – “Kelihos” botnet ○ Threat research • Mar 2011 – “Rustock” botnet. On the run. ○ Systems development • … ○ Content QA • Nov 2012 – “Nitol” Expertise: • Jan 2013 – Zeus botmaster arrested ○ Malware • June 2014 - Operation “Tovar” ○ Email spam • Sept 2015 – Arrests tied to Citadel and Dridex
55 55 56
What we’re seeing
Suspicious URLs seen of previously unseen and analyzed each day files received each day 150,000 from 70 sources 300,000 within SophosLabs, 3 every second!
of “Live Protection” file Threat Protection Spam email messages lookup events added Analysis per day seen by our 80 600 5 million to Hadoop clusters for Collection & Remediation spam feeds across 20 analysis every day countries million
57 58
… across all the platforms and threat types
• Email spam • Malicious software • Adware • Application control
• Windows (32/64) • Android • Linux • OSX
… and browsers!
59 60
10 11/5/2015
6 2 Layered protection Stop attacks and breaches
61 62
Automating Live Protection (“cloud”) Runtime (Dynamic) File Analysis RUNTIME Aka “Sandbox” ANALYSIS
• VM-based system for sample execution STATIC • Extracts behavioral characteristics LIVE NEW ANALYSIS Process creation data PROTECTION FILES DATABASE API calls RUNTIME ANALYSIS Network traffic AUTOMATED … CLASSIFICATION SYSTEM • Generates malware index (measure of “maliciousness”)
SUSPICIOUS FILES Want to try one? Go to http://malwr.com
63 64 63 64
URL Analysis Automation is key
Website URLs
• URL Patterns • “Big data” problems • Domain age • Fast turn around time • Popularity • Anti-anti-anti-* techniques • Location • Network reputation • Scan results from various content engines (AS, AV, MM) • Sources • Manual analysis
65 65 66
11 11/5/2015
The adversaries are... The threats are…
1. Highly motivated and determined 1. More complex
2. Well organized 2. More diverse
3. Well equipped 3. More targeted
67 68 67 68
Thank you!
Twitter: @samosseiko
Blogs: http://nakedsecurity.sophos.com/ http://blogs.sophos.com/
69 69 © Sophos Ltd. All rights reserved. 70
12