What is Malware?

• Malware: malicious software

• worm

• adware

• virus

• etc.

… and how do we fight it?

• AV software

• Firewalls

• Filtering

• Patching

• Writing more secure software

• Training users

How to Monetize Malware

• Networking infected computers together into a botnet

• Sending instructions to those computers to do things like:

• Send spam

• Mine cryptocurrency

• Perform ad fraud

• Perform DDoS attacks

• Steal banking credentials

• Steal Bitcoin and other cryptocurrencies

• Ransom the computer (ransomware)

• Install other criminals' software for a fee (pay-per-install)

How malware spreads

• Attachments in emails

• Other social engineering

• Drive-by downloads

• Spreading itself without user action (worms)

Vulnerabilities vs. Exploits

• Vulnerability: a flaw in software that can be abused

• Exploit: code written to use a vulnerability to gain unauthorized access to something (run code, read data, escalate privileges)

• There are far more known vulnerabilities than known exploits.

• Compare https://www.exploit-db.com/ (public exploits) with https://nvd.nist.gov/ (the National Vulnerability Database)

Zero Day Attacks

• The exploit is in use before the vulnerability is known to the vendor, i.e. the vendor has had zero days to prepare a patch

• Fairly rare

• Zero days are expensive: 1.5 million USD was offered (by the broker Zerodium, in 2016) for an Apple iOS 10 exploit chain

• Overwhelmingly, exploits in the wild are not 0-day; they target known vulnerabilities that have not been patched.

Morris Worm

• Created in 1988 by Robert Tappan Morris, then a graduate student at Cornell

• Purportedly to measure the size of the Internet

• Infected an estimated 10% of the roughly 60,000 computers then connected to the Internet

• Slowed infected computers down until they became unusable.

Morris Worm: how it spread

• Exploited Unix systems (BSD on VAX and Sun-3 hardware) through:

• sendmail (the DEBUG command, left enabled in production builds)

• finger (a stack buffer overflow in fingerd, which read input with gets())

• rsh / rexec trust relationships between hosts (.rhosts and hosts.equiv)

• weak passwords (a dictionary attack against the password hashes in /etc/passwd)

• Note that the vulnerabilities it exploited were already known at the time.

• Buggy: reinfected hosts that were already infected (which is what caused the overload), and its attempt to phone home never worked, etc.

Effects of Morris Worm

• CERT organizations set up worldwide

• CERT/CC at Carnegie Mellon University, funded by the US government (DARPA)

• Patching of known vulnerabilities

• More attention to computer security

Conficker

• Computer worm first appearing in November 2008

• Sinkholed in 2009

• Good guys (the Conficker Working Group) registered the domain names the worm would use for command and control before the operators could

• Operators arrested in 2011

• Still infecting computers today

• Millions of infections, hard to count.
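The sinkholing above works because Conficker derived its command-and-control domains from the date with an algorithm that defenders reverse-engineered and ran ahead of time. The following is an added illustration, not the page's own material and not Conficker's actual algorithm, seed or TLD list: a toy date-seeded domain generation algorithm, the defender's registration plan, and the bot's rendezvous logic. The seed, dates and TLDs are constructed.

```python
"""Toy date-seeded DGA and the defender's sinkhole plan (added illustration)."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TLDS = ("com", "net", "org")          # constructed list for the toy
DEMO_SEED = b"constructed-seed"       # stands in for the secret recovered from a sample
DEMO_DAY = date(2009, 2, 12)          # constructed date


def toy_dga(day: date, seed: bytes, count: int = 5) -> List[str]:
    """Derive `count` candidate domains for `day` from the shared seed.

    Deterministic: the same seed and date always give the same list. The bot
    needs no stored domain list (nothing to blocklist), and anyone holding the
    seed can compute the list in advance, which is what the sinkholer does.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        length = 8 + h[8] % 5                                  # 8..12 letter labels
        label = "".join(chr(ord("a") + b % 26) for b in h[:length])
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains


def sinkhole_plan(seed: bytes, start: date, days: int, count: int = 5) -> Dict[str, List[str]]:
    """Domains a defender must register, per day, to catch every rendezvous.

    days * count is the defender's registration bill; raising the per-day count
    (Conficker.C went from 250 to 50,000) is how the operators made this impractical.
    """
    plan = {}
    for k in range(days):
        d = start + timedelta(days=k)
        plan[d.isoformat()] = toy_dga(d, seed, count)
    return plan


def bot_rendezvous(day: date, seed: bytes, registered: Dict[str, str],
                   count: int = 5) -> Tuple[Optional[str], Optional[str]]:
    """The bot's side: walk today's list in order and talk to the first live domain.

    `registered` stands in for DNS: domain -> who owns it ("operator" or "sinkhole").
    """
    for dom in toy_dga(day, seed, count):
        if dom in registered:
            return dom, registered[dom]
    return None, None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Defender pre-registered all of today's domains; the bot lands in the sinkhole."""
    todays = sinkhole_plan(DEMO_SEED, DEMO_DAY, 1)[DEMO_DAY.isoformat()]
    registered = {d: "sinkhole" for d in todays}
    return bot_rendezvous(DEMO_DAY, DEMO_SEED, registered)


if __name__ == "__main__":
    print(demo())
```

The race is visible in `bot_rendezvous`: the bot takes the first domain that resolves, so the defender has to hold the entire list for the day, while the operator only needs to win one registration. That asymmetry, plus the per-day count, is what later drove the operators to peer-to-peer instead.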

Conficker — how it spreads

• Conficker-A: exploited a vulnerability in the Windows Server service (MS08-067, a remotely reachable RPC flaw). Infected machines scanned the IP space for more vulnerable machines.

• Conficker-B: added spreading via infected USB devices (autorun) and via network shares with weak passwords (a dictionary attack against ADMIN$ shares).

• Conficker-C: hardened its command-and-control infrastructure (50,000 candidate domains per day instead of 250, so pre-registering them all became impractical) and added fake AV as a monetization.

• Conficker-D/E: moved from centralized command and control to peer-to-peer

Conficker Infections over Time (chart not reproduced)

Reaction to Conficker

• The patch (MS08-067, October 2008) was released before the worm appeared, yet the patch rate was slow.

• Large-scale anti-botnet effort (the Conficker Working Group)

• Microsoft delivered security updates even to unlicensed copies of Windows

• The Conficker botnet shrank more slowly than the market share of Windows XP / Vista, i.e. infected machines tended to stay infected until they were retired

Stuxnet

• Worm discovered in 2010; the earliest known variant dates back to 2005

• Widely attributed to the US and Israeli governments; built to attack Iran's uranium enrichment program at Natanz

• Targets Siemens S7 PLCs by first compromising Windows machines running the Siemens Step7 / WinCC engineering software

• Infected over 200,000 Windows machines

Stuxnet - how it spreads

• Used four Windows zero-day exploits (among them the LNK shortcut-parsing flaw, MS10-046) alongside the older MS08-067 vulnerability that Conficker had used

• Spread via USB drives, network shares, and a peer-to-peer update channel over RPC between infected hosts

• USB drives bridge the gap between Internet-connected computers and the air-gapped control network

• Infects Step7 project files and replaces the Step7 communication library (s7otbxdx.dll) so that it sits between the engineering software and the PLC

• Hijacks that communication: injects its own code into the controller and plays back normal-looking readings to the operators

Reaction to Stuxnet

• Cyberwarfare IRL: the first widely acknowledged malware to cause physical damage

• Car bomb attacks on Iranian nuclear scientists

• Some efforts to isolate important PLCs better

• A similar effort against North Korea's program reportedly failed because its networks were too isolated to reach

• Related malware families discovered afterwards: Duqu and Flame

Drive-by downloads

• A legitimate website is compromised

• The attacker injects code (typically a hidden iframe or an obfuscated script) into its pages

• That code sends visitors through an intermediary (a redirector or traffic distribution system) to an exploit kit, which infects them without any click
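What the injected code looks like in practice, and how to spot it when auditing a site's pages, as an added example that is not part of the original slides: a small scanner that flags hidden iframes pointing at a foreign host and inline scripts built from eval/unescape over long escape sequences. The page content, hostnames and paths in it are constructed; the `.invalid` domain stands in for the intermediary.

```python
"""Spotting injected drive-by redirect code in a page's HTML (added illustration)."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample of a compromised page: legitimate markup, then an injected
# zero-size iframe to the redirector and an injected obfuscated loader.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://maps.example.org/embed?id=7" width="600" height="400"></iframe>
<script src="/static/app.js"></script>
<iframe src="http://tds.intermediary.invalid/in.cgi?3" width="0" height="0"
        style="display:none"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"));</script>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
OBFUSCATION_CALL_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I)
ESCAPED_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", re.I)


def is_hidden(tag: str) -> bool:
    """Zero-size, display:none, visibility:hidden, or pushed far off-screen."""
    t = tag.lower().replace(" ", "")
    return bool(
        re.search(r"""(width|height)=["']?0\b""", t)
        or "display:none" in t
        or "visibility:hidden" in t
        or re.search(r"(left|top):-\d{3,}", t)
    )


def src_host(tag: str) -> str:
    """Hostname of the tag's src attribute, or "" for relative/missing src."""
    m = SRC_RE.search(tag)
    return (urlparse(m.group(1)).hostname or "") if m else ""


def find_drive_by_indicators(html: str, site_host: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the suspicious constructs found."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        host = src_host(tag)
        # A visible third-party iframe is normal (maps, video); hidden + foreign is not.
        if host and host != site_host and is_hidden(tag):
            findings.append(("hidden-external-iframe", host))
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        host = src_host(attrs)
        if host and host != site_host:
            findings.append(("external-script", host))
        # eval/unescape over a long run of %XX or \xXX escapes is the classic loader shape.
        if OBFUSCATION_CALL_RE.search(body) and ESCAPED_RUN_RE.search(body):
            findings.append(("obfuscated-inline-script", body.strip()[:40]))
    return findings


if __name__ == "__main__":
    for kind, detail in find_drive_by_indicators(SAMPLE_HTML, "www.example.org"):
        print(kind, detail)
```

Run it against a crawl of your own pages with `site_host` set to each site's hostname; the `external-script` indicator is noisy on pages that legitimately load third-party scripts, so treat it as an inventory to review rather than an alert, while the hidden-iframe and obfuscated-script indicators rarely have a benign explanation.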

How are websites targeted?

• Find an exploit for a widely deployed piece of web software (a CMS, forum or plugin)

• Use Google dorks (search queries that fingerprint that software) to find websites running the vulnerable version

• Compromised advertising (malvertising): the malicious code arrives through the ad network rather than the site itself

• Other ways?

Exploit Kits

• Each visiting machine runs a different browser, plugin set and patch level

• The kit fingerprints the visitor and tries a host of exploits to find one that works on that machine

• Exploit kits can be bought or rented

Fake Antivirus

• Installs itself on your machine, shows fake infection warnings and pressures you to buy a "license" to remove them

• Many people buy this software

• Largely shut down by shutting down the payment processors that handled the card transactions

Ransomware

• Encrypts all your files using a key:

• Old: the same key in every sample, so once one copy had been analysed everyone's files could be decrypted

• New: a different key for each system, typically a random key that is itself encrypted with the criminal's public key, so nothing left on the victim's machine is enough to decrypt

• Requires the victim to pay the criminal to get the files back:

• Old: payments through Western Union and the like (traceable and easy for law enforcement to follow)

• New: payments through Bitcoin
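The difference between the old and new key schemes is the whole reason modern ransomware cannot be undone by reverse-engineering a sample. The following is an added illustration, not code from the page: an in-memory simulation of both key flows using only the standard library. Everything in it is a toy, labelled as such, with the "file" a byte string, the cipher XOR with an HMAC-SHA256 counter-mode keystream, and the public-key step textbook RSA with 256-bit primes and no padding; the point is who holds which key, not the primitives.

```python
"""Old vs new ransomware key management, simulated (added illustration, toy primitives)."""
import hashlib
import hmac
import os
import random
from typing import Tuple

Key = Tuple[int, int]  # (n, e) for a public key, (n, d) for a private key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with HMAC(key, counter) blocks; applying it twice decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keypair(bits: int = 256) -> Tuple[Key, Key]:
    """Return (public, private). The private half never leaves the criminal."""
    e = 65537

    def prime() -> int:
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(c):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


# Old model: one key baked into every sample (constructed value).
SHARED_KEY = b"same-key-in-every-sample"


def old_encrypt(plaintext: bytes) -> bytes:
    return keystream_xor(SHARED_KEY, plaintext)


def old_analyst_recover(key_from_sample: bytes, ciphertext: bytes) -> bytes:
    """With the key pulled out of any one sample, every victim's files decrypt."""
    return keystream_xor(key_from_sample, ciphertext)


# New model: fresh key per victim, wrapped with the criminal's public key.
def new_encrypt(plaintext: bytes, criminal_pub: Key) -> Tuple[bytes, int]:
    n, e = criminal_pub
    victim_key = os.urandom(16)                      # never stored in the clear
    ciphertext = keystream_xor(victim_key, plaintext)
    wrapped = pow(int.from_bytes(victim_key, "big"), e, n)
    return ciphertext, wrapped                       # victim_key itself is discarded


def criminal_decrypt(ciphertext: bytes, wrapped: int, criminal_priv: Key) -> bytes:
    """Only the private key unwraps the per-victim key; this is what the ransom buys."""
    n, d = criminal_priv
    victim_key = pow(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(victim_key, ciphertext)


def demo() -> dict:
    doc = b"constructed sample document: Q3 figures and customer list"
    old_ct = old_encrypt(doc)
    pub, priv = rsa_keypair()
    ct1, wrapped1 = new_encrypt(doc, pub)
    ct2, wrapped2 = new_encrypt(doc, pub)            # a second victim hit by the same sample
    return {
        "old_recovered": old_analyst_recover(SHARED_KEY, old_ct) == doc,
        "new_victims_share_key": wrapped1 == wrapped2 or ct1 == ct2,
        "criminal_can_decrypt": criminal_decrypt(ct1, wrapped1, priv) == doc,
    }


if __name__ == "__main__":
    print(demo())
```

An analyst holding a sample of the new-model malware has the public key, the ciphertext and the wrapped key, none of which yields the per-victim key without the private half, which is why decryptors for modern families only appear when operators leak or seize the private key, or when the family botches its own implementation.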