DOCSLIB.ORG

Crimeware on the Net

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Crimeware on the Net Crimeware on the Net The “Behind the scenes” of the new web economy Iftach Ian Amit Director, Security Research – Finjan BlackHat Europe, Amsterdam 2008 Who Am I ? (iamit) • Iftach Ian Amit – In Hebrew it makes more sense… • Director Security Research @ Finjan • Various security consulting/integration gigs in the past – R&D – IT • A helping hand when needed… (IAF) 2 BlackHat Europe – Amsterdam 2008 Today’s Agenda • Terminology • Past vs. Present – 10,000 feet view • Business Impact • Key Characteristics – what does it look like? – Anti-Forensics techniques – Propagation methods • What is the motive (what are they looking for)? • Tying it all up – what does it look like when successful (video). • Anything in it for us to learn from? – Looking forward on extrusion testing methodologies 3 BlackHat Europe – Amsterdam 2008 Some Terminology • Crimeware – what we refer to most malware these days is actually crimeware – malware with specific goals for making $$$ for the attackers. • Attackers – not to be confused with malicious code writers, security researchers, hackers, crackers, etc… These guys are the Gordon Gecko‟s of the web security field. The buy low, and capitalize on the investment. • Smart (often mislead) guys write the crimeware and get paid to do so. 4 BlackHat Europe – Amsterdam 2008 How Do Cybercriminals Steal Business Data? Criminals’ activity in the cyberspace Federal Prosecutor: “Cybercrime Is Funding Organized Crime” 5 BlackHat Europe – Amsterdam 2008 The Business Impact Of Crimeware Criminals target sensitive business data using crimeware •Gain access to employee financial Employee information Data • Steal Identity information • Discover passwords Sophisticated • Steal financial statements and Organized Financial • Steal money through online accounts Data • Steal proprietary data Criminals • Gain customer record information • Brand damage •Access customer accounts Customer •Steal customer identities • Financial theft Data •Impair customer relationships • Data theft • Password theft • Identity theft • Compromised computers to steal resources • Employee productivity loss Federal Prosecutor: “Cybercrime Is Funding Organized Crime” 6 BlackHat Europe – Amsterdam 2008 The Business Impact Of Crimeware How much is business data worth to criminals? BlackHat Europe – Amsterdam 2008 Key Characteristics of Crimeware Financially motivated criminals are utilizing new methods to infect PCs with crimeware that steals sensitive data Propagation Methods Anti-Forensic Methods Hosted on compromised legitimate and Evade signature-based detection by Web 2.0 sites over the globe utilizing code obfuscation and controlled with frequent location changes exploits visibility in the wild URL and Reputation-based Anti-Virus signatures will not filtering solutions will not block match today‟s malicious code these sites 8 BlackHat Europe – Amsterdam 2008 Anti Forensics • Code Obfuscation – Not the one you are used to… • Single serve exploits – One per customer please • Geographical preference – More on this later when we talk $$$… 9 BlackHat Europe – Amsterdam 2008 Dynamic Code Obfuscation 10 BlackHat Europe – Amsterdam 2008 Dyn. Code Obf. – the neosploit way (2.0.15) BlackHat Europe – Amsterdam 2008 Obfuscation and IFRAMES • Have become in 2007 the main driving tools for distributing malware and malicious code in general. – They are even signatured by AV – while as we see the obfuscation or IFRAME itself may NOT be malicious… Source: top 10 web threats in 2007 http://www.sophos.com/pressoffice/news/articles/2008/01/toptendec07.html 12 BlackHat Europe – Amsterdam 2008 Crimeware Profile based Malware based - The Ghost In The Browser Analysis of Webof Browser AnalysisThe GhostInThe - Google Inc. Google Crimeware binaries and their URL locations are changing every hour 13 BlackHat Europe – Amsterdam 2008 Location, Location, Location index.php • Have you been to our fine //checks and saves user's IP hashed with browser //to avoid future browser's hangup establishment before? function CheckAddUser() { … – You can only get the $rcount=@mysql_num_rows($res); if ($rcount>0) { “good” stuff once… //found data, prevent view echo ":["; exit; } else { //not found, add $query = "INSERT INTO ".$dbstats."_users VALUES ('".$ipua."')"; mysql_query($query); • Where do you come } from? settings.php: $BlockDuplicates=1; //send exploits only once – You may not be worth $CountReferers=1; //make referrer's statistics $OnlyDefiniedCoutries=0; //send exploits only to the exposure… counties in the list $CoutryList="RU US UA"; //2-letter codes ONLY! (see readme for details) Source: Mpack 0.94 source code 14 BlackHat Europe – Amsterdam 2008 Crimeware Toolkits 15 BlackHat Europe – Amsterdam 2008 A glimpse into the code License_load: License_Verification: ... push edi push ebp push offset aNeosploit_key mov ebp, esp lea eax, [ebp+string] push edi • Modern toolkits are push eax push esi lea eax, [ebp+var_188] push ebx push eax sub esp, 38h provided in their binary call license_load mov ebx, [ebp+arg_0] add esp, 10h mov edi, [ebp+arg_8] form, with licensing test eax, eax push offset aServer_addr jz loc_8049918 call _getenv add esp, 0Ch mechanisms, built in mov [ebp+var_1C], eax ... push 100h ; size_t obfuscation, configuration call form_parse push 0 ; int lea edi, [ebp+var_38] push ebx ; void * xor eax, eax call _memset files, user management cld mov ecx, [ebp+var_1C] mov ecx, 7 add esp, 10h (for supporting multiple rep stosd xor edx, edx mov [esp+4E8h+var_4E8], 0 test ecx, ecx call _GeoIP_new jz short loc_804CC25 attackers under the same add esp, 10h test eax, eax kit), and DB functionality. mov ebx, eax online_test: ... mov [ebp+var_20], 1 sub esp, 8 push edx • The snippets here are push [ebp+timer] push 0 ; int push eax push ebx ; void * taken from a disassembly call _GeoIP_country_id_by_addr push [ebp+arg_4] ; int add esp, 10h call connect_to_homeserver cmp eax, 0FFh add esp, 10h of Neosploit version 2.0.15 jle loc_8049933 test eax, eax (first time analysis – in.cgi) jz short loc_804CDDE BlackHat Europe – Amsterdam 2008 Neosploit code ... call js_crypter_put mov [esp+4E8h+var_4E8], offset aStartquicktime call add_function push offset exp_superbuddy_is_decoded push 0D90FC7h loc_8049BE8: push 0CAh sub esp, 0Ch sub esp, 8 push offset exp_superbuddy push [ebp+timer] call decode_data push [ebp+var_7C] ; char * call get_ip_hash add esp, 18h push [ebp+var_54] ; int push 0 add esp, 10h call referer_validate push offset exp_superbuddy cmp eax, [ebp+var_468] call js_crypter_put add esp, 10h jnz loc_8049ABE mov [esp+4E8h+var_4E8], offset aStartsuperbudd test eax, eax call add_function jnz short loc_8049C07 push offset exp_audiofile_is_decoded push 0A1E716h push 145h push offset exp_audiofile call decode_data add esp, 18h push [ebp+var_84] push 0 push [ebp+var_2C] push offset exp_audiofile push offset a?o6PURU call js_crypter_put mov [esp+4E8h+var_4E8], offset aStartaudiofile lea ebx, [ebp+var_338] call add_function push ebx push offset exp_gom_is_decoded call _sprintf push 1F040Ah add esp, 0Ch push 0D9h push ebx push offset exp_gom push offset aData call decode_data add esp, 18h push offset exp_quicktime_opera push 0 push offset exp_gom call js_crypter_put sub esp, 8 mov [esp+4E8h+var_4E8], offset aStartgom call add_function push 0 push offset exp_wvf_is_decoded push [ebp+var_4AC] push 84C0B8h push 10Dh call js_crypter_put push offset exp_wvf mov eax, [ebp+var_4AC] call decode_data add esp, 10h add esp, 18h push 0 test eax, eax push offset exp_wvf call js_crypter_put mov [esp+4E8h+var_4E8], offset aStartwvf ... BlackHat Europe – Amsterdam 2008 Propagation techniques • How did THAT code turned out on THAT site – Anyone remember bankofindia.com? • Helpful HTML tags (infamous iframes…) • And of course, bling… $$$ 18 BlackHat Europe – Amsterdam 2008 On My Site? No way! 19 BlackHat Europe – Amsterdam 2008 Way… It’s all business • You can get paid to put a snippet of HTML on your site that will spur “installations” (= infections). Guaranteed high “install” rate, updated code (remember the toolkit), bypass of security measures… • “The number of legitimate Web sites compromised by attackers has surpassed those purposefully created by attackers” – Jan 22nd, Websense security labs. 20 BlackHat Europe – Amsterdam 2008 Evasive attacks – increasing the infection rates 21 BlackHat Europe – Amsterdam 2008 What’s the end game? • Holy grail of web attacks: successful installation of crimeware Trojan (aka – rootkit+keylogger+otherstuff) 22 BlackHat Europe – Amsterdam 2008 Local Crimeware Effect • Crimeware analysis showing a sampler of how financial crime is being performed. • Don‟t let your eyes off the ball… (the SSL icon?) 23 BlackHat Europe – Amsterdam 2008 Play-by-play… 24 BlackHat Europe – Amsterdam 2008 And in reality (movie)… [Crimeware video showing XXX-bank being targeted.] 25 BlackHat Europe – Amsterdam 2008 The last nail in the coffin of “trusted websites” • To conclude – the recent example of website exploitation to distribute crimeware: – Using all the techniques detailed in this talk – Single point of contact (no data is being pulled from external domains – all self hosted on the compromised webserver) – Still financially motivated – And to top it all – baffling the security community with how the attack took place to begin with to infect the hosting servers. • Now let‟s talk about a website‟s “reputation”… BlackHat Europe – Amsterdam 2008 Where are we going to? • Time for predictions: – We are starting to see criminals exploit (pun intended) the full potential of “web2.0” – Think
Load more

Recommended publications
  • Trojan Vs Rat Vs Rootkit Mayuri More1, Rajeshwari Gundla2, Siddharth Nanda3 1U.G
    IJRECE VOL. 7 ISSUE 2 (APRIL- JUNE 2019) ISSN: 2393-9028 (PRINT) | ISSN: 2348-2281 (ONLINE) Trojan Vs Rat Vs Rootkit Mayuri More1, Rajeshwari Gundla2, Siddharth Nanda3 1U.G. Student, 2 Senior Faculty, 3Senior Faculty SOE, ADYPU, Lohegaon, Pune, Maharashtra, India1 IT, iNurture, Bengaluru, India2,3 Abstract - Malicious Software is Malware is a dangerous of RATs completely and prevent confidential data being software which harms computer systems. With the increase leaked. So Dan Jiang and Kazumasa Omote researchers in technology in today’s days, malwares are also increasing. have proposed an approach to detect RAT in the early stage This paper is based on Malware. We have discussed [10]. TROJAN, RAT, ROOTKIT in detail. Further, we have discussed the adverse effects of malware on the system as III. CLASSIFICATION well as society. Then we have listed some trusted tools to Rootkit vs Trojan vs Rat detect and remove malware. Rootkit - A rootkit is a malicious software that permits a legitimate user to have confidential access to a system and Keywords - Malware, Trojan, RAT, Rootkit, System, privileged areas of its software. A rootkit possibly contains Computer, Anti-malware a large number of malicious means for example banking credential stealers, keyloggers, antivirus disablers, password I. INTRODUCTION stealers and bots for DDoS attacks. This software stays Nowadays, this world is full of technology, but with the hidden in the computer and allocates the remote access of advantages of technology comes its disadvantages like the computer to the attacker[2]. hacking, corrupting the systems, stealing of data etc. These Types of Rootkit: malpractices are possible because of malware and viruses 1.
    [Show full text]
  • The Evolution of Ransomware
    The evolution of ransomware SECURITY RESPONSE The evolution of ransomware Kevin Savage, Peter Coogan, Hon Lau Version 1.0 – August 6, 2015 Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today. CONTENTS OVERVIEW ..............................................................................3 Key information ......................................................................5 Types of ransomware .............................................................5 How ransomware has evolved ...............................................7 Targets for ransomware .......................................................13 Systems impacted by ransomware ......................................14 Ransomware: How it works ..................................................18 Ransom techniques ..............................................................27 How widespread is the problem of ransomware .................33 What does the future hold for ransomware? .......................37 Conclusion ............................................................................45 Appendix ..............................................................................47 Mitigation strategies ............................................................51 Symantec detections for common ransomware families 54 Resources .............................................................................56 OVERVIEW Never before in the history of human kind have people across the world been
    [Show full text]
  • Malware and Social Engineering Attacks
    chapter 2 Malware and Social Engineering Attacks After completing this chapter, you will be able to do the following: ● Describe the differences between a virus and a worm ● List the types of malware that conceals its appearance ● Identify different kinds of malware that is designed for profit ● Describe the types of social engineering psychological attacks ● Explain physical social engineering attacks 41 42 Chapter 2 Malware and Social Engineering Attacks Today’s Attacks and Defenses Successful software companies use a variety of strategies to outsell their competition and gain market share. These strategies may include selling their software at or below a com- petitor’s price, offering better technical support to customers, or providing customized software for clients. And if all else fails, a final strategy can be to buy out the competition through a merger or acquisition. These strategies are also being widely used by attackers who sell their attack software to others. Approximately two out of three malicious Web attacks have been developed using one of three popular attack toolkits. The toolkits are MPack (the most popular attack toolkit, which has almost half of the attacker toolkit mar- ket), NeoSploit, and ZeuS. These toolkits, which are bought and sold online through the underground attacker community, are used to create customized malware that can steal personal information, execute fraudulent financial transactions, and infect computers without the user’s knowledge. The toolkits range in price from only $40 to as much as $8,000. The developers behind these attack toolkits compete fiercely with each other. Some of their tactics include updating the toolkits to keep ahead of the latest security defenses, advertising their attack toolkits as cheaper than the competition, and provid- ing technical support to purchasers.
    [Show full text]
  • Adware-Searchsuite
    McAfee Labs Threat Advisory Adware-SearchSuite June 22, 2018 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html Summary Detailed information about the threat, its propagation, characteristics and mitigation are in the following sections: Infection and Propagation Vectors Mitigation Characteristics and Symptoms Restart Mechanism McAfee Foundstone Services The Threat Intelligence Library contains the date that the above signatures were most recently updated. Please review the above mentioned Threat Library for the most up to date coverage information. Infection and Propagation Vectors Adware-SearchSuite is a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them. Mitigation Mitigating the threat at multiple levels like file, registry and URL could be achieved at various layers of McAfee products. Browse the product guidelines available here (click Knowledge Center, and select Product Documentation from the Support Content list) to mitigate the threats based on the behavior described in the Characteristics and symptoms section.
    [Show full text]
  • Security of Personal Identifiable Information
    https://doi.org/10.48009/2_iis_2008_634-638 SECURITY OF PERSONAL IDENTIFIABLE INFORMATION Jack D. Shorter,Texas A&M University – Kingsville, [email protected] Karen A. Forcht, North Carolina A & T University, [email protected] Alicia Aldridge,Appalachian State University, [email protected] Daphyne S. Thomas, James Madison University,[email protected] Abstract impacted if Google’s merger with DoubleClick is completed? In today’s fast moving world, the use of technology has become a part of everyday life. Whether it is DoubleClick is one of the fastest growing digital using a computer to access the Internet, sending marketers, and the amount of user data that could be email, or using cell phones to contact friends and provided to them from Google would be phenomenal. family, technology is found in almost everything. At issue is whether Google can be trusted with users’ Technology provides many conveniences such as PII at its disposal. Armed with this information online banking, renewing a driver’s license, making a DoubleClick could target consumers with a method known as “retargeting.” This type of practice was consumer purchase, or conducting research. th However, using technology has its pros and cons. On one of the topics discussed at the 17 annual the positive side, conducting personal business online Conference on Computers, Freedom & Privacy in is convenient, saves time, and is economical. May 2007. This method uses ads and serves them to However, with the pluses, there are usually minuses users based on their Web surfing behaviors. [4] as well. In the case of an online consumer purchase, one may find price deals, but may discover a lack of A user uses a search engine such as Google to find a quality or poor customer care.
    [Show full text]
  • What Is Exploit Kit and How Does It Work? [1]Ade Kurniawan, [2]Ahmadfitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia
    International Journal of Pure and Applied Mathematics Volume 118 No. 20 2018, 509-516 ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu What is Exploit Kit and How Does it Work? [1]Ade Kurniawan, [2]AhmadFitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia Abstract— In the Year 2016 to mid-2017, the analysts have claimed those years as the years of Malware especially Ransomware. The number, spread, infection and impact of malware have caused many users, businesses, governments, and organizations to be anxious, one of the tools to spread it by using exploit kits. A popular method of mass distribution used the perpetrators of cyber criminals is using the exploit kit. Exploit kit has become more effective, cheaper and sophisticated tools to spread malware to their victims. Therefore, in this paper, we provide this research using the Network Forensic Method. The results which are done will explain the chain of events about what the exploit kit is and how the exploit kit works, including actors, campaigns, payload, and terminology involved in the spreading of malware Index Terms—Exploit Kit, Payload, Malware, Ransomware, and Chain of events. I. INTRODUCTION In our digital era, everything is connected and Network Forensics Method. Network forensics is a everyone is vulnerable. The development, part of Digital Forensic conducted with scientific dependability, and complexity of computer software methods to identify, analyse and reconstruct events have brought immediate implications for global based on digital evidence/logs from the network safety and security, especially physical objects such [14][15][16].
    [Show full text]
  • Analyse De Mpack Et De La Bluepill (Septembre 2007)
    7 BRE 200 L’ACTU SÉCU 16 SEPTEM LES “UNE MENACE NOMMÉE MPACK” Le hacking devient un jeu d’enfant... SOMMAIRE DOSSIER SPÉCIAL PACK : LES ROOTKITS VIRTUELS “BLUEPILL” ARTNERS.COM MPACK et TORPIG LES VULNÉRABILITÉS DU MOIS ICEPACK LES OUTILS LIBRES .XMCOP FISHING_BAIT SHARK WWW © XMCO Partners - 2007 [1] Ce document est la propriété du cabinet XMCO Partners. Toute reproduction est strictement interdite. 7 BRE 200 L’EDITO SEPTEM Les packs spécial rentrée... Vous avez certainement vu le film tions, nous plongeons pour vous Michel Sardou et de Johnny Hal- « The Matrix » : le monde dans au cœur des menaces du moment lyday contrôlés par une backdoor lequel nous vivons ne serait pas pour les décortiquer et ainsi vous (voir l’interview de LCI de Marc réel, nous serions en fait endormis aider à vous en protéger. Behar sur notre site). pendant qu’une machine nous ferait vivre dans un monde virtuel L’Actu Secu continue d’évoluer et et utiliserait notre énergie vitale ne manquera pas de présenter pour se nourrir. des sujets d’actualité comme : l’ISO27001, la sécurité Bluetooth, Cette fiction est la toile de fond de l’Ajax ou encore les risques liés à ce 16ième ActuSécu. Fort de nos la technologie RFID… 1000 téléchargements pour son numéro consacré aux Botnets, Bonne lecture nous vous présentons pour cette rentrée 2007 les menaces qui font L’équipe XMCO vous souhaite et feront parler d’elles : MPACK, une bonne rentrée IcePack, la BluePill, Torpig, Des menaces d'ailleurs présentes Shark… dans l’actualité du mois d’août : les clients du Crédit Mutuel atta- Avec le même souci de clarté qui qués par le trojan Banker « Tor- nous anime lors de nos presta- pig » ou encore les ordinateurs de AOUT 2007 Nombre de bulletins Microsoft : 9 Nombre d’exploits dangereux : 20 Nombre de bulletins XMCO : 103 Le TOP des Menaces du Mois 1.
    [Show full text]
  • SMM Rootkits
    SMM Rootkits: A New Breed of OS Independent Malware Shawn Embleton Sherri Sparks Cliff Zou University of Central Florida University of Central Florida University of Central Florida [email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION The emergence of hardware virtualization technology has led to A rootkit consists of a set of programs that work to subvert the development of OS independent malware such as the Virtual control of an Operating System from its legitimate users [16]. If Machine based rootkits (VMBRs). In this paper, we draw one were asked to classify viruses and worms by a single defining attention to a different but related threat that exists on many characteristic, the first word to come to mind would probably be commodity systems in operation today: The System Management replication. In contrast, the single defining characteristic of a Mode based rootkit (SMBR). System Management Mode (SMM) rootkit is stealth. Viruses reproduce, but rootkits hide. They hide is a relatively obscure mode on Intel processors used for low-level by compromising the communication conduit between an hardware control. It has its own private memory space and Operating System and its users. Secondary to hiding themselves, execution environment which is generally invisible to code rootkits are generally capable of gathering and manipulating running outside (e.g., the Operating System). Furthermore, SMM information on the target machine. They may, for example, log a code is completely non-preemptible, lacks any concept of victim user’s keystrokes to obtain passwords or manipulate the privilege level, and is immune to memory protection mechanisms.
    [Show full text]
  • Dissecting Web Attacks
    Dissecting Web Attacks Val Smith ([email protected]) Colin Ames ([email protected]) Delchi ([email protected]) Bios Valsmith – Affiliations: • Attack Research • Metasploit • cDc – Work: • Attack Techniques Research - History • Pen Tester/ Exploit • Founder Offensive Computing developer • Speaker • Reverse Engineer - Blackhat • Malware Analyst - Defcon - Shmoocon Bios Colin Ames – Security Researcher, Attack Research – Steganography Research – Penetration Testing – Reverse Engineering – Malware Analysis The Problem THESE GUYS (For Real?) AND THESE GUYS (Who says so?) AND THESE GUYS ? WANT YOUR AND WILL USE YOUR TO GET THEM While this happens you are: I n t r o d u c t i o n Introduction • Attackers are using the web in various ways to: – Push users to their malicious sites – Gain access to computers – Steal information • They use many technologies – Java/Javascript HTML – Iframes Encoding/Obfuscation – Spam Injection Introduction • For this talk we analyzed different types of attacks – Blog Spam – Web site injection • We dissect the attacks piece by piece to analyze and show – Source code Commands – Network traffic Attack Goals – Binaries Attackers Blog Spam • Analysis process – View victim blog, locate malicious comments – Trace back all A HREFs in comments – WGET code from attacker site • Follow any links • Decode obfuscated instructions • Debug javascript – Firebug, Venkman • Decompile Java Applets – Lookup owners of domains / IPs – Reverse any exploits / binaries Blog Spam • 1st Stage of the attack – Uses comments to sites – Blogs such as Drupal & Wordpress • Comments: – Usually in response to valid post – Splice together random but legitimate phrases from sources such as wikipedia – Contain several linked words to various sites – Will be added en mass to many disparate posts – Often will have non-English embedded words such as Italian, German, Russian Shows some comments added to a legitimate post.
    [Show full text]
  • Comptia® Security+ SY0-601 Cert Guide
    CompTIA® Security+ SY0-601 Cert Guide Omar Santos Ron Taylor Joseph Mlodzianowski A01_Santos_Fm_pi-plii_1.indd 1 01/06/21 2:49 pm CompTIA® Security+ SY0-601 Cert Guide Editor-in-Chief Copyright © 2022 by Pearson Education, Inc. Mark Taub All rights reserved. No part of this book shall be reproduced, stored in Product Line Manager a retrieval system, or transmitted by any means, electronic, mechanical, Brett Bartow photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the Executive Editor information contained herein. Although every precaution has been taken in Nancy Davis the preparation of this book, the publisher and author assume no respon- Development Editor sibility for errors or omissions. Nor is any liability assumed for damages Christopher A. Cleveland resulting from the use of the information contained herein. ISBN-13: 978-0-13-677031-2 Managing Editor ISBN-10: 0-13-677031-2 Sandra Schroeder Library of Congress Control Number: 2021935686 Senior Project Editor ScoutAutomatedPrintCode Tonya Simpson Copy Editor Trademarks Chuck Hutchinson All terms mentioned in this book that are known to be trademarks or ser- vice marks have been appropriately capitalized. Pearson IT Certification Indexer cannot attest to the accuracy of this information. Use of a term in this book Erika Millen should not be regarded as affecting the validity of any trademark or service mark. Proofreader Abigail Manheim Warning and Disclaimer Technical Editor Every effort has been made to make this book as complete and as accurate Chris Crayton as possible, but no warranty or fitness is implied.
    [Show full text]
  • Trojans and Malware on the Internet an Update
    Attitude Adjustment: Trojans and Malware on the Internet An Update Sarah Gordon and David Chess IBM Thomas J. Watson Research Center Yorktown Heights, NY Abstract This paper continues our examination of Trojan horses on the Internet; their prevalence, technical structure and impact. It explores the type and scope of threats encountered on the Internet - throughout history until today. It examines user attitudes and considers ways in which those attitudes can actively affect your organization’s vulnerability to Trojanizations of various types. It discusses the status of hostile active content on the Internet, including threats from Java and ActiveX, and re-examines the impact of these types of threats to Internet users in the real world. Observations related to the role of the antivirus industry in solving the problem are considered. Throughout the paper, technical and policy based strategies for minimizing the risk of damage from various types of Trojan horses on the Internet are presented This paper represents an update and summary of our research from Where There's Smoke There's Mirrors: The Truth About Trojan Horses on the Internet, presented at the Eighth International Virus Bulletin Conference in Munich Germany, October 1998, and Attitude Adjustment: Trojans and Malware on the Internet, presented at the European Institute for Computer Antivirus Research in Aalborg, Denmark, March 1999. Significant portions of those works are included here in original form. Descriptors: fidonet, internet, password stealing trojan, trojanized system, trojanized application, user behavior, java, activex, security policy, trojan horse, computer virus Attitude Adjustment: Trojans and Malware on the Internet Trojans On the Internet… Ever since the city of Troy was sacked by way of the apparently innocuous but ultimately deadly Trojan horse, the term has been used to talk about something that appears to be beneficial, but which hides an attack within.
    [Show full text]
  • Malware to Crimeware
    I have surveyed over a decade of advances in delivery of malware. Over this daVid dittRich period, attackers have shifted to using complex, multi-phase attacks based on malware to crimeware: subtle social engineering tactics, advanced how far have they cryptographic techniques to defeat takeover gone, and how do and analysis, and highly targeted attacks we catch up? that are intended to fly below the radar of current technical defenses. I will show how Dave Dittrich is an affiliate information malicious technology combined with social security researcher in the University of manipulation is used against us and con- Washington’s Applied Physics Laboratory. He focuses on advanced malware threats and clude that this understanding might even the ethical and legal framework for respond- ing to computer network attacks. help us design our own combination of [email protected] technical and social mechanisms to better protect us. And ye shall know the truth, and the truth shall make you free. The late 1990s saw the advent of distributed and John 8:32 coordinated computer network attack tools, which were primarily used for the electronic equivalent of fist fighting in the streets. It only took a few years for criminal activity—extortion, click fraud, denial of service for competitive advantage—to appear, followed by mass theft of personal and financial data through quieter, yet still widespread and auto- mated, keystroke logging. Despite what law-abid- ing citizens would desire, crime does pay, and pay well. Today, the financial gain from criminal enter- prise allows investment of large sums of money in developing tools and operational capabilities that are increasingly sophisticated and highly targeted.
    [Show full text]