Cyber Risk – Common Threats Part 1 of 2

Home , Botnet, Conficker, Macro virus, Mydoom, SQL injection, Storm botnet

Table of Contents

Threats to Information Systems ...... 2

Malware ...... 4

Viruses ...... 5

Virus Examples ...... 6

Worms ...... 8

Brief Virus and Worm History ...... 9

Downloaders ...... 11

Attack Scripts ...... 13

Botnet -1 ...... 15

Botnet -2 ...... 17

IRCBotnet Example ...... 19

Trojans...... 20

Denial of Service ( DoS ) ...... 23

Rootkits ...... 25

Notices ...... 26

Page 1 of 26 Threats to Information Systems

Threats to Information Systems

Networks face a multitude of threats every day. • Some are direct: malicious code, direct exploits. • Some target users: spearphishing, steganography.

http://news.softpedia.com/news/PDF-Based-Targeted-Attack- http://datalossdb.org/ Against-Military-Contractors-Spotted-212139.shtml

http://www.computerworlduk.com/news/security/3288274/microsoft- warns-rootkit-infection-requires-windows-reinstall/?olo=rss

http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html

**004 So some of the common threats. You probably can't read an article online or go through a news report without something related to cyber; cyber attack, denial of service, phishing attack, I mean, they're all over the place. It's very, very common.

If you operate some type of network you are experiencing this stuff on a daily basis. Whether you see it or not is a totally different story, but I guarantee that if you're operating a network you're seeing this type of garbage. You're seeing scareware here. You're seeing data leakage, or data loss reports. You're seeing exploits and documents that come embedded with things to take advantage of computers.

Page 2 of 26 You look at the cyber threat landscape, and it's huge. There are so many possible things that can wrong. So many ways that you can be taken advantage of if you operate a network. Why do people even bother? Why do we have networks? Why do we have computers?

Student: Convenience.

Chris Evans: Convenience, absolutely. Can you imagine doing anything now without your Smartphone, a laptop or a computer? I don't know how people lived 50 years ago. My laptop's attached to me at the hip. I've got it right here. If that ever goes away I start to shake. I go into withdrawal.

So your networks really face a multitude of threats every day, but you put up with it because you need the networks. You need those computer systems. You need that connectivity.

So you might face direct attacks where people are attacking your systems or your users directly like direct exploits, or SQL injection, or something like that, steganography attacks, or phishing attacks. Phishing is probably the number one attack that you will see. It's cheap, it's easy and it works, which is why it's so prevalent.

Page 3 of 26 Malware

Malware

aka Malicious Code or Malicious Software Hostile, intrusive code designed to infiltrate a computer without users knowledge or consent Examples • Viruses • Worms • Trojans • Downloaders • Attack Scripts • Botnets

**005 You'll see a lot on malware. Malware is malicious code or malicious software. It is designed to do something hostile to you, take advantage of something, steal data, provide access to a computer, and generally wreck havoc with computer systems, hopefully without you knowing it as a user. That's what malware's intended to do.

And so there are some different categories of malware; viruses, worms, Trojans, downloaders or dropper programs, there's all sorts of malware out there that you can be taken advantage of with, and we'll kind of step through all of these.

Page 4 of 26 Viruses

Viruses

Self-replicating programs that require user intervention to spread Most spread through email, removable media drives, and commonly used files like Microsoft Office or Adobe documents Usually have two parts • Replication Element • Payload

**006 So viruses are self-replicating programs. You used to hear a lot about this in the '90s and early parts of the '00 decade. You don't really hear a whole lot about this anymore, because viruses, what were they intended to do? They were for notoriety. People wrote viruses because they wanted their name out there. "Hey, I wrote the Melissa something or another," or "I did this particular virus."

Most viruses were spread through e-mail, removable media, or CDs, or USB drives, or something like that. It took advantage a lot of Microsoft Office files because you'd have Word documents with viruses embedded in them.

Page 5 of 26 Usually they have two parts. They have a replication element, which tells the virus how it's going to spread to other computer systems, and it has a payload.

What is a payload? A payload is what the virus actually does. Does it delete files? Does it shut off the computer? Does it popup annoying boxes on your computer screen? That's what a payload is. It's what the virus actually is intended to do.

Virus Examples

Chernobyl • First virus known to have the power to damage computer hardware • Attempts to erase the hard drive and overwrite the systems BIOS Melissa • A fast-spreading virus distributed as an e-mail attachment that, when opened, disables safeguards in Word 97 or Word 2000 • If Microsoft Outlook is used, the virus sends itself to addresses in the user's address books EICAR – a test virus • Not a virus, does not include any fragments of viral code • The file is a legitimate program, and produces sensible (non- malicious) results when run (it prints the message "EICAR- STANDARD-ANTIVIRUS-TEST-FILE!")

**007 Some interesting examples of viruses here. You have Chernobyl, which was interesting in and of itself because it was the first virus to actually damage hardware. So it tried to erase the hard

Page 6 of 26 drive, overwrite the BIOS, or otherwise cause physical damage or physical manifestation of some type of malicious activity. It tried to attack the computer system itself, not just the information on it.

Melissa was a really superfast spreading virus that came out through Word documents and that sort of thing. If you had Microsoft Outlook, so this ran rampant through corporations who had exchange with Outlook. So you would get this e-mail in your inbox. You would click on it, and it would exploit your computer, and then send itself to everybody in your address book.

So you figure that companies with global address books where you've got six thousand people in the company, now you've got for each person who clicks on the message six thousand messages are going out. And so what you would see is one person would get it, six thousand people would get it, and then everybody would be sending it to each other and you'd crash the exchange server or whatever your mail program was. So this was a great virus to show how quickly these things can spread.

And then the EICAR is a test virus. It doesn't actually do any damage, but it's good for testing virus scanners, testing your detection and your response procedures.

So as you're going through, and if you determine that, let's say, viruses are a risk to you, how could you mitigate the risk of that? Well, come up with some processes and then test them with this, the EICAR virus.

Page 7 of 26 Worms

Worms

Worms, in contrast, are self-replicating programs that do not require user intervention to spread, rather, they take advantage of vulnerabilities in operating systems and applications to spread. Examples Morris 1988, first worm to spread extensively in the wild; prompted establishment of the CERT/CC Storm 2007, added infected hosts to the Storm Botnet Conficker 2008/9, prompted the Conficker Working Group, but morphing code thwarted attempts to stop it Stuxnet 2010, first worm to target SCADA Morto 2011, targeted Remote Desktop Windows machines with a password dictionary

**008 Worms, so in contrast to viruses, which don't self replicate, worms do replicate on their own. When they get run they start looking around for computer systems that they can spread to. If they find one they'll automatically send themselves to the computer, probably exploit it, copy themselves, and then run on that computer, and so these are very fast spreading, automatic ways of pushing malware out to large sets of computers.

So there's a bunch of good examples here ranging from Morris, Storm, Conficker, to Stuxnet which was a big SCADA or industrial control system one from a couple of years ago that you still

Page 8 of 26 hear about in the news, to one that went after remote desktop on Windows with the Morto worm.

Brief Virus and Worm History

Viruses have been around for decades and will continue to harass and plague Internet users for the foreseeable future. Some (in)famous worms and viruses • Love Letter – a file extension virus, used a visual basic script to overwrite file and sent itself out through Microsoft Outlook. • Melissa – a macro virus, used Outlook to propagate itself to people in the victims address book. • Slammer – a worm targeting a vulnerability in Microsoft SQL server; at its time (2003), it was the fastest worm in history, doubling the number of infected computers every 8.5 seconds. • MyDoom.B – a mal-email virus, it not only performed a DoS attack, but also included a backdoor to allow remote control of a system. • Lasco – targeted phones and PDA running Symbian OS. • Conficker – fast moving, evolving worm targeting Windows.

**009 Viruses and worms have been around for a long time. They'll still be around for a while because people like to write these things. They like to make names for themselves. Some of these are even ways of accessing information and systems.

Think about it. If you are a hacker you're, one, probably pretty lazy. You want to get the most bang for the least amount of effort. What is that, or what can give that to you? A worm. You write a worm. It

Page 9 of 26 goes out and infects one computer, and then spreads all over the place all by itself. To me, that's a really easy way of spreading malware through a network. Perhaps the worm doesn't do anything other than give me remote access to a system, or maybe it pulls information out of systems.

But me, as a hacker, all I have to do is write it once, deploy it once, and then it does the work for me. To me that's big, because as a hacker I'm lazy. I don't want to go through popping six thousand systems. I just want to do it once.

And so a couple more examples here for you from Love Letter, that was a file extension virus, again, doing the monkey business through Outlook.

Melissa was a macro virus, again, through Outlook. You're starting to see a trend here, right? Viruses and worms that propagate through e-mail, what do they like to do? Read your address book and then send itself to everybody in the address book. Again, it's an easy way of targeting lots of different computers without having to go through the work of, all right, scan the network, find the computer, blah, blah, blah. I don't have to do that. I just have to read your address book and send it to somebody through e- mail.

Slammer was a great worm from 2003. This was a SQL server vulnerability that it was taking advantage of. It probably goes down as the fastest worm in history that was basically doubling itself every eight and a half seconds. So if you think

Page 10 of 26 about that you've got all these servers and now it's just skyrocketing in terms of infection rates.

Downloaders

Typically the first infection vector – gives an attacker the ability to dynamically push malware Characteristics • Used to install another Trojan, adware, other malware • Generally written in VBS or JS for simplicity • Easier to circumvent AV signatures with a new downloader/dropper than to recreate a Trojan or exploit code Examples • Zlob • Agent • Pushdo

http://www.secureworks.com/research/threats/pushdo/?threat=pushdo

**010 Another category of malware, downloaders. This is probably what you will see first in terms of a malware infection. Hackers want to be able to push Malware to an infected system, but they don't necessarily know ahead of time what they're going to push or what they want to do. Well, they'll use a downloader program.

And what this does is it goes and it sits on the computer and it downloads additional malware, additional components or added

Page 11 of 26 functionality. And so all it is meant to do is when I get run, go out to the malware server and pull down a package and run it. Interpret that for more instructions. That might say go get another package.

So basically downloaders, or dropper programs, are used to install other Trojans, other malware, additional capability, and it's easier to get around antivirus and intrusion detection methods here because you can just rewrite the downloader instead of having to rewrite your entire toolset. So if the downloader can get around antivirus, or IDS, it can pull down additional malware or something like that.

An example from when I was doing Pen testing we used downloaders quite a bit, because it gave us the flexibility of saying, "Well, I don't want to push five megabytes of tools, of hacker tools to this box I'm trying to get access to. One, that might be suspicious; two, this phishing e-mail might not even work, so why bother sending all our tool setup there if it's not going to work? Let me just send a downloader."

And what the downloader will do is if the phishing e-mail is successful this program will run, and it will come out to our servers and download our toolset to the box, and then it will run that.

That gives me the flexibility of saying, "Well, I only have to give you a very small program first," so it's low threat. But then I've got the ability to say over here on my servers, "Send them this package. Send them this one." I can customize what I actually deliver to you in terms of malware.

Page 12 of 26 Attack Scripts

Attack Scripts

Web-enabled attack vector that targets web browsers and web applications Characteristics • Drive-By • Commonly use JavaScript • Target a specific vulnerability (IE, Acrobat Reader, Real Player, etc.) • Target web application vulnerabilities (SQL Injection, XSS) Example • Browser Exploitation Framework (BeEF)

**011 Attack scripts, these are web- enabled attacks. They target web browsers. You usually see this implement as what's called the drive-by downloader, or drive-by attack. You open up your browser and go to a website, and that website basically exploits your computer and gives you malware.

What do you actually see when that happens? If they do it right you don't see anything. You just notice, "Well, I went to this website and now all of sudden my computer is serving me ads, and it's running slow."

They commonly use JavaScript. Sometimes they'll target a specific

Page 13 of 26 vulnerability, or they'll target like an application vulnerability like cross-site scripting or SQL injection.

What you typically see here is the hacker toolkits like Impact, BlackHole, Incognito or the Browser Exploitation Framework, BeEF.

What these tools are designed to do is you run them on website. When somebody comes and visits your website that toolset says, "What operating system are you running?" And your browser replies, "I'm running Windows." It then asks you, "Okay, what browser are you running,"

"Internet Explorer, Firefox, Chrome," and then it will as ask you, "Okay, what plug- ins do you have?"

"I have Shockwave. I have PDF Reader. I have QuickTime. I have Flash," and then it will ask, "Okay, what versions of those do you have?"

What is this malicious website doing to you? It's understanding who you are and what you have that might be vulnerable. So it'll compare all that and then say, "Okay, well, I've got an exploit for you, because you're running an old version of Flash," or something like that, and it will exploit your browser that way.

So these toolsets like BeEF, and BlackHole and that sort of thing are really powerful for determining, "You come to my website. I'm going to exploit you through whatever way I can," and you see that. That's starting to be pretty common.

Page 14 of 26 There was a survey that was done last year by a security research company. They said that about fifty percent of the websites that they looked at that were malicious, or malicious websites, fifty percent of them had a toolkit on them like BlackHole or like Incognito. And so what's that saying is there are a lot of attackers out there who are using this type of stuff, these types of malware delivery tools in order to exploit users who are coming to malicious websites.

Botnet -1

A collection of compromised computers that can be remotely controlled for • Trojan, virus, and/or worm propagation • Spam and/or phishing attacks • Denial of Service attacks • Obtaining personal information through — Adware — Spyware — Keystroke loggers

**012 A botnet, you've probably heard of various botnets that are out there, Zeus, or MyDoom, or something like that, but a

Page 15 of 26 botnet is nothing more than a collection of computers that are used to do something malicious.

So this could be used for sending spam, or denial of service attacks, or something like that, and it's typically you see this in terms of malware gets installed on your grandmother's PC, and your grandmother's computer is now part of this botnet. Did she do anything malicious? Is she attacking somebody else? She's not. Her computer is.

But the reason you've seen an explosion of botnets over the last ten years is because people are leaving their computers on all the time now. You don't shut them off overnight like you used to. You have always on Internet access, which means even at three o'clock in the morning you're sound asleep, but your computer is up sending spam to somebody on the target list or something like that.

Page 16 of 26 Botnet -2

Botnet -2

Initial compromise • Web downloads • Email attachments and links • Instant Messaging attachments • Direct exploits Causal factors • Unpatched systems • Lack of network and/or host-based firewalls • “Unsafe” browsing habits

**013 So how this actually occurs, well, how does your computer become part of a botnet?

Remember we talked about the drive-by downloads? That's a big one. So you go to a malicious site and the site says, "How can I exploit you today," and it gives you code that joins your computer to a bot, or a botnet.

E-mail attachments and links, you've probably been told many, many times never open an attachment from somebody you don't know. People still do it, and that's why this is a big attack factor; IM attachments or even direct exploits to a lesser degree.

Page 17 of 26 How this actually, or why this still works is people don't have patches on their systems. People have unsafe browsing habits, meaning they go to hacker websites without understanding that they could be exploited, or there's a lack of network and/or host-based firewalls.

There was a report that said that the number of botnet-infected computers is dwindling compared to what it was six years ago, seven years ago, and they are attributing that to the number of computers that now have a firewall running on them. Like Windows now has a built-in firewall.

And so what they're saying is, "Okay, well, we're seeing this drop off or this decline in numbers of bot infected computers and it's because of the firewall," but then you see reports of these botnets are still three million computers strong. These bots are, or these botnets are huge, so I guess it's all relative.

Page 18 of 26 IRCBotnet Example

IRCBotnet Example

Bot Herder 1) Herder sends phishing attack to Victim1

4) Zombie is used for future attacks on new victims 2) Victim1 opens email and gets exploited 3) Victim1 now a Zombie (aka robot) unknowingly downloads more malware

**014 Here's an example of an IRCBotnet. If you look in the center in the top of the slide there you've got the Bot Herder. This is the guy who controls the botnet. He's the one who's issuing instructions to the computers telling them to conduct a denial of service attack on this, send spam over here to these computers.

And so how the evolution of this botnet is it starts with the Bot Herder basically phishing for computers he can turn into zombie hosts. So he'll send e-mail or something like that to these potential victims. That person opens up the e-mail, opens the attachment, visits the website, whatever the case may be, and it infects the computer.

Page 19 of 26 So what happens after the initial infection, the computer starts downloading additional malware, additional capability, and it joins the computer to the botnet such that when the Bot Herder says, "Jump," the computer says, "Absolutely."

So the Bot Herder will say, "Okay, conduct a denial of service attack," and now the six million computers that he has, part of his botnet here, will go and attack that computer that he asks it to.

Trojans

Malware masquerading as a legitimate program Characteristics • Do not self propagate • Can be used as keystroke loggers, password stealers, network sniffers, remote control, spam Examples • Winny, Limewire, Back Orifice, Agobot, Flash / browser games • Trojan Horse Construction Kit

**015 Trojans, these are a category of malware that masquerades as a legitimate program. They don't self- replicate or propagate on their own, but

Page 20 of 26 they can do all sorts of things like keystroke logging. They can sniff network traffic, steal passwords, and they can even do the whole download additional malware things.

Some examples of it are listed there, but you may have actually seen something like this. You see this quite a bit on phones, mobile phones within various applications. There are apps out there that are like special versions of Angry Birds or something like that.

Well, what is this application? It's the legitimate application along with a little extra stuff in there, so when you download this and run it you actually get to play Angry Birds and you're having a good time. What's going on in the background? What is that extra stuff that somebody imbedded in there? Well, it's password stealers, keystroke loggers, whatever the case may be. That's an example of a Trojan.

There's another one out there. When you visit websites, and you've ever seen the message in your browser that says, "You don't have the right plug-in," or you're trying to view a video file or something like that and it says, "You need the XYZ Media Player to see this video," and there's always a download link under there, right? What do you think people do?

Student: Download it.

Chris Evans: Well, of course. They want to view the video so you're going to download this executable, and they're going to run it, and they're going to be

Page 21 of 26 able to watch the video online. Well, that's great. So they're watching the video, but what they didn't realize is that that media player that they downloaded also is a keystroke logger, or a traffic sniffer, or something like that.

There's a company that I've done some consulting for in the past that has had an issue with this. They've had one person who continually goes to music and video sharing sites, which by company policy they're allowed to do, but what they also do is when they play the video in their web browser it says, "You need a particular plug-in to view this video, download here."

So they always click on it. They always download it. The computer always gets infected with something or other, and this person has been told three times, "Don't do this. Don't do this." Actually they've been told twice. The first time they didn't catch on, but they've been told twice that they can't do this because every time they do it, it infects the computer, it compromises the network and it causes problems.

So now they're at the point where they're going to get one more chance, and if they do it again they're going to get fired. So there's a big meeting between them, the supervisor, the chief information officer, the security guys. They all came together and said, "Okay, don't click on anything that says, 'download me and run me.'"

"But I just want to view the music video," great. You don't need the executable to actually look at that. Just play it in Media Player or something like that. So this is an example of somebody who's always downloading Trojans.

Page 22 of 26 Denial of Service ( DoS )

Denial of Service (DoS)

An attack on the availability of a service • Attempt to deny, degrade, disrupt, or otherwise interfere with the ability of a provider to keep services available Attacks usually target chokepoints or single points of failure within the network • Bandwidth – by generating more traffic than routes can handle • Servers – either directly (e.g., the OS) or indirectly through a supporting function (e.g., the power, A/C, etc.) • Applications – attack the application’s ability to process requests • End Users – attack users to prevent them from accessing services

**016 Denial of service attacks, this is a type of attack as opposed to a type of malware, but this is an attempt to deny or degrade service or the ability of a computer system to do what it was intended to.

And these types of attacks usually target choke points in the network, so single points of failure like I've only got one path out to the Internet, attackers will target that. They're looking at trying to exceed the resources that you have.

So in a denial of service attack, he with the most resources wins, and what I mean by this is if you have a one link out to the Internet, and that link supports, let's

Page 23 of 26 say, 10 megabits per second, or something like that, if the attacker can generate 20 megabits per second on that link, what happens? You lose as the defender, right? Because your traffic pipe is now saturated and you won't be able to communicate, but if the attacker can only generate one megabit per second, you can generate 10, you win, because your capacity exceeds the attacker's ability to generate traffic.

So that's an example of a bandwidth denial of service attack. There are others up here with regard to servers and web applications, their ability to process connections. There's opportunities to do that, and there's also denial of service attacks on you as the end user.

What's a denial service attack on you as an end user?

Student: I can't get to a site that I previously could.

Chris Evans: Right, I unplug your computer, even stupid stuff like this, right? I unplug your computer, well, I've DOS'ed you.

More commonly what you'll see is people making configuration changes within the operating system that break your computer, and so you can't view a website or something like that.

Page 24 of 26 Rootkits

Rootkits

Programs having the ability to hide themselves and cover traces of hacking activities from the user and potentially the operating system Typically, a rootkit will “hook” calls to operating system functions to facilitate • Process hiding • File hiding • Registry hiding

Root Kit

Operating User Root kit hides two System files from the user 17

**017 Rootkits, these are more advanced malware that are there to hide processes, hide files, and you usually see this from more advanced attackers. So your average everyday hacker probably will not use a rootkit, but a more advanced capable attacker will.

And so what the rootkit is designed to do is intercept requests or data calls between the user and the operating system.

So if you ask the operating system, "Show me a list of files," the operating system usually replies with, "Here are all the files in the directory." Well, what a rootkit will do is it will intercept that

Page 25 of 26 request. So you say, "Show me all the files." The rootkit will intercept that, send it down to the operating system, the operating system goes, "Okay, here's one, two and three. Here are all these files that are here, but the rootkit will say, "Hide two and three. Don't show the user that they are there." So what you actually get back on a rootkit-infected system is a partial answer from the operating system based on whatever the rootkit wanted to hide.

And so rootkits are good for hiding files, processes, network activity, and those sorts of things.

Notices

© 2014 Carnegie Mellon University This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected]. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT ® is a registered mark owned by Carnegie Mellon University.

Page 26 of 26