Malware

What is malware?
• Malware: malicious software
  • worm
  • adware
  • virus
  • etc.

… and how do we fight it?
• AV software
• Firewalls
• Filtering
• Patching
• Writing more secure software
• Training users

How to Monetize Malware
• Botnets
  • Networking infected computers together
  • Sending instructions to those computers to do things like:
    • Send spam
    • Mine cryptocurrency
    • Perform ad fraud
    • Perform DDoS attacks
• Stealing banking credentials
• Stealing Bitcoin and other alternative currencies
• Ransoming the computer
• Pay per install software

How malware spreads
• Attachments in emails
• Other social engineering
• Drive-by downloads
• Spreading itself

Vulnerabilities vs. Exploits
• Vulnerability: hole in software
• Exploit: code written to use a vulnerability to gain unauthorized access to something
• There are way more known vulnerabilities than known exploits.
• https://www.exploit-db.com/ vs. https://nvd.nist.gov/

Zero Day Attacks
• A working exploit is seen before the vulnerability is publicly known
• Fairly rare
• Zero days are expensive — 1.5 million USD for an Apple iOS 10 exploit
• Overwhelmingly, exploits in the wild are not 0day.

Morris Worm
• Created in 1988 by Robert Morris
• Purportedly to measure the Internet
• Infected 10% of computers connected to the Internet
• Slowed down computers to the point where they became unusable.

Morris Worm
• Exploited Unix systems through:
  • sendmail
  • finger
  • rsh
  • weak passwords
• Note that the vulnerabilities that he exploited were known.
• Buggy: installed itself multiple times, didn’t phone home, etc.

Effects of Morris Worm
• CERT organizations worldwide
  • CERT-CC at CMU, funded by the US government
• Patching known vulnerabilities
• More attention to computer security

Conficker
• Computer worm first appearing in November 2008
• Sinkholed in 2009
  • Good guys registered the domain names used for attacks
• Operators arrested in 2011
• Still infecting computers today
• Millions of infections — hard to count.

Conficker — how it spreads
• Conficker-A: Vulnerability in Windows. Infected machines scanned IP space for more machines.
• Conficker-B: Added infected USB devices and shared network folders with weak passwords.
• Conficker-C: Hardened new command-and-control infrastructure and added fake AV as a monetization.
• Conficker D-E: Turned from a centralized botnet to peer-to-peer

Conficker Infections over Time

Reaction to Conficker
• Patch released before the worm, yet patch rate was slow.
• Large-scale anti-botnet effort
• Microsoft added security updates for unlicensed software
• Conficker botnet shrank at a slower pace than the market share of Windows XP / Vista

Stuxnet
• Worm first known about in 2010, detected as early as 2005
• Built by the US and Israeli governments to attack the Iranian nuclear program
• Targets PLCs through Windows computers
• Infected over 200,000 Windows machines

Stuxnet - how it spreads
• Uses zero-day exploits to compromise Windows machines
• Spreads using USB drives and peer-to-peer RPC
• Bridges computers connected to the Internet with those that aren’t
• Attacks files connected to certain SCADA software
• Hijacks communication

Reaction to Stuxnet
• Cyberwarfare IRL
• Car bomb attacks against Iranians by the Iranian government
• Some efforts to isolate important PLCs better:
• Similar effort against North Korea failed
• Duqu/Flame

Drive by downloads
• Website infected with malware
• Malware injects code into the webpage
• That code infects those who visit it by directing them to an exploit kit through an intermediary

How are websites targeted?
• Find an exploit in a certain piece of software
• Use Google Dorks to find websites with that vulnerability
• Compromised advertising
• Other ways?

Exploit Kits
• Each machine has different software on it
• Uses a host of exploits to infect a machine
• Exploit kits can be bought or rented

Fake Antivirus
• Installs itself on your machine and forces you to buy software
• Many people buy this software
• Largely shut down by shutting down payment processors

Ransomware
• Encrypts all your files using a key:
  • Old: same key for all
  • New: different key for each system
• Requires the victim to pay the criminal to get files back:
  • Old: Payments through Western Union and the like
  • New: Payments through Bitcoin
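As an added example that is not part of the slides, here is the defender-side check that follows from the Ransomware slide's "encrypts all your files" point: whether the key is shared or per-system, ciphertext has near-random byte statistics, so comparing two snapshots of file contents and flagging files that jumped from structured to near-random content catches mass encryption. The snapshot paths, their contents and the SHA-256 stand-in for ciphertext are all constructed for the example.

```python
import hashlib
import math
from collections import Counter

HIGH_ENTROPY_BITS = 7.5   # bits per byte; ciphertext and random data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def became_ciphertext(before: bytes, after: bytes) -> bool:
    """True when a file went from structured (low-entropy) to near-random content.
    Testing the transition rather than the absolute value keeps files that are
    legitimately high-entropy (zip, jpeg, existing archives) from being counted."""
    return shannon_entropy(before) < HIGH_ENTROPY_BITS <= shannon_entropy(after)


def detect_mass_encryption(before: dict, after: dict, min_files: int = 3):
    """Compare two snapshots {path: bytes}; return (flagged_paths, alert).
    A single converted file is noise; several at once is the ransomware pattern."""
    flagged = sorted(p for p in before
                     if p in after and became_ciphertext(before[p], after[p]))
    return flagged, len(flagged) >= min_files


# --- constructed sample data (not from the slides) ---------------------------
def _fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output: a SHA-256 counter stream."""
    out = bytearray()
    for counter in range(size // 32 + 1):
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
    return bytes(out[:size])


SNAPSHOT_BEFORE = {
    "docs/report.txt": b"Quarterly report: revenue up, costs flat. " * 100,
    "docs/notes.txt": b"Meeting notes, action items, owners and dates. " * 90,
    "src/main.py": b"def main():\n    print('hello')\n\nmain()\n" * 80,
    "img/photo.bin": _fake_ciphertext("already-compressed"),  # legit high-entropy file
}
SNAPSHOT_AFTER = {
    "docs/report.txt": _fake_ciphertext("report"),
    "docs/notes.txt": _fake_ciphertext("notes"),
    "src/main.py": _fake_ciphertext("main"),
    "img/photo.bin": _fake_ciphertext("already-compressed"),  # unchanged, not flagged
}

if __name__ == "__main__":
    files, alert = detect_mass_encryption(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print("rewritten as ciphertext:", files)
    print("ALERT" if alert else "ok")
```

In a real deployment the snapshots come from a file-system watcher or periodic hashing job, and the threshold and minimum file count are tuned against the host's normal churn of compressed files.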