Malware What is malware?
• Malware: malicious software
• worm
• adware
• virus
• etc. … and how do we fight it?
• AV software
• Firewalls
• Filtering
• Patching
• Writing more secure software
• Training users How to Monetize Malware
• Botnets
• Networking infected computers together
• Sending instructions to those computers to do things like:
• Send spam
• Mine cryptocurrency
• Perform ad fraud
• Perform DDoS attacks
• Stealing banking credentials
• Stealing Bitcoin and other alternative currencies
• Ransoming the computer
• Pay per install software How malware spreads
• Attachments in emails
• Other social engineering
• Drive-by downloads
• Spreading itself Vulnerabilities vs. Exploits
• Vulnerability: hole in software
• Exploit: code written to use vulnerability to gain unauthorized access to something
• There’s way more known vulnerabilities than known exploits.
• https://www.exploit-db.com/ vs. https://nvd.nist.gov/ Zero Day Attacks
• Realized exploit comes before known vulnerability
• Fairly rare
• Zero days are expensive — 1.5 million USD for Apple iOS 10 exploit
• Overwhelmingly, exploits in the wild are not 0day. Morris Worm
• Created in 1988 by Robert Morris
• Purportedly to measure the Internet
• Infected 10% of computers connected to the Internet
• Slowed down computers to where they became unusable. Morris Worm
• Exploited Unix systems through:
• sendmail
• finger
• rsh
• weak passwords
• Note that the vulnerabilities that he exploited were known.
• Buggy: installed itself multiple times, didn’t phone home, etc. Effects of Morris Worm
• CERT organizations worldwide
• CERT-CC at CMU funded by the US gov
• Patching known vulnerabilities
• More attention to computer security Conficker
• Computer worm first appearing in November 2008
• Sinkholed in 2009
• Good guys registered domain names used for attacks
• Operators arrested in 2011
• Still infecting computers today
• Millions of infections — hard to count. Conficker — how it spreads
• Conficker-A: Vulnerability in Windows. Infected machines scanned IP space for more machines.
• Conficker-B: Added infected USB devices, shared network folders with weak passwords.
• Conficker C: Hardened new command and control infrastructure and added fake AV as a monitization.
• Conficker D-E: Turned from centralized botnet to peer-to-peer Conficker Infections over Time Reaction to Conficker
• Patch released before worm, yet patch rate was slow.
• Large scale anti-botnet effort
• Microsoft added security updates for unlicensed software
• Conficker botnet shrank at a slower pace than the market share of Windows XP / Vista Stuxnet
• Worm first known about in 2010, detected as early as 2005
• Built by the US and Israeli governments to attack Iranian nuclear program
• Targets PLCs through Windows computers
• Infected over 200,000 Windows machines Stuxnet - how it spreads
• Use zero day exploits to compromise Windows machines
• Spread using USB drives, peer-to-peer RPC
• Bridges computers connected to the Internet with those that aren’t
• Attacks files connected to certain SCADA software
• Hijacks communication Reaction to Stuxnet
• Cyberwarfare IRL
• Car bomb attacks against Iranians by Iranian government
• Some efforts to isolate important PLCs better:
• Similar effort against North Korea failed
• Doqu/Flame Drive by downloads
• Website infected with malware
• Malware injects code into webpage
• That code infects those who visit it by directing them to an exploit kit through an intermediary How are websites targeted?
• Find an exploit in a certain piece of software
• Use Google Dorks to find websites with that vulnerability
• Compromised advertising
• Other ways? Exploit Kits
• Each machine has different software on it
• Uses a host of exploits to infect a machine
• Exploit kits can be bought or rented Fake Antivirus
• Installs itself on your machine and forces you to buy software
• Many people buy this software
• Largely shut down by shutting down payment processors Ransomware
• Encrypts all your files using a key:
• Old: same key for all
• New: different key for each system
• Requires victim to pay criminal to get files back:
• Old: Payments through Western Union and the like
• New: Payments through Bitcoin Computer Virus
• A type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and inserting its own code. - Wikipedia Parts of a Virus
• Infection vector: How a virus spreads
• Trigger: Sets off the malicious functionality
• Payload: The malicious functionality Phases of a Virus
Scanning and Propagating
Waiting for Dormant a trigger
triggered
Execute How do they infect?
Malware
Executable File How do they infect?
Malware
Executable File How do they infect?
Malware
Executable File How do they infect?
Executable File
Malware How do they infect?
Malware
Executable File
Malware How do they infect?
Malware How do they infect? Packer
Executable File
Malware How do they execute?
Malware
Executable File
Line of code How do they execute?
Malware
Executable File
Line of code Definitions
• Self-Modifying code: Code that can change itself (usually without changing the functionality)
• Polymorphic malware: Infects others with an encrypted copy of itself. Encryption and code changes.
• Backdoor: Malware that leaves hidden ways of replicating itself
• Rootkit: Malicious software to maintain access to system; good at hiding itself. ILOVEYOU
• Bug in email: sent out messages subject:ILOVEYOU and attachment:LOVE-LETTER- FOR-YOU.txt.vbs
• .vbs files were hidden
• Propogation: Sent itself to all addresses in address book
• Payload: Overwrote random files Adware
• Software that contains unwanted ads Types of Ad Fraud
• Pretend to be part of the ad chain and buy traffic, get paid.
• Have bots, sell fake ad traffic
• Disguise source of traffic to ads
• Cookie stuffing — fake affiliate cookies
• Ad Stacking — show invisible ads to consumer Adblock Plus
• Browser-based Ad blocker
• Let in some “acceptible” ads
• Is this adware? Fraud? Fake Software
• Stuffing ads into software
• Maybe turning paid software into freeware?
• Is this adware? fraud? DNSChanger
• Upon infecting your computer, changed your routers’ nameserver settings.
• Started in 2006. FBI raided in 2011. Shut down in 2012. Still alive today.
• Main changes? Major ad networks
• Is this adware? fraud? My Really Cool Toolbar
• Lots of toolbars, other browser extensions
• Useful functionality
• Changed settings (homepage, etc)
• Hard to Remove
• Is this adware? fraud?