This Morning:

• Phishing Sites Common Internet Threats • Trojans, • Memory exploits • Worms & Viruses, Tom Chothia • Drive-by-downloads Computer Security, Lecture 20 • Web attacks

But what does an attacker then do?

What an attacker might do once they have access. • Steal password file, credit card numbers, • installed on Machines personal data. • Create new user accounts and back doors. • Typically: • Replace existing libraries and application with – Gives repeated, root access to machine. malware. – Often installs other payloads • Log key strokes. – Hard to detect • Send Spam. • Performs DoS attacks. • E.g. Mebroot which alters the Master • Install RootKit. Boot Record of a machine to load before the OS.

Man in the Browser Attacks

can be set to attack the • Most attackers are in it to make money. browser. • A single credit card number or spam e- • In this case all certificates can be faked. mail isn’t worth very much.

• Anything that looks like a credit card no. • Networks of hacked computers (bots) or bank log in can be collected. are organised into large networks (botnets). • TLS and web defense can’t stop this. Command and Control Denial-of-service attack

• With this many computers it’s easy to over load some web site. C&C 131.253.18.12 • Easiest type of attack uses (rents) a botnet to perform a distributed denial-of- service attack.

Bot Bot Bot BotBot BotBot BotBot • Often used to blackmail companies, or Bot Bot Bot BotBot BotBot BotBot for political reasons. Bot Bot Bot

Fast Flux Botnet Command and Control

• Instead of using a IP address bots look for a URL. C&C www.ealo.net • To stop the IPs getting blocked new IP addresses are registered every few mins.

Bot Bot Bot • Makes it impossible to go after the BotBot BotBot BotBot Bot Bot Bot hosts. BotBot BotBot BotBot Bot Bot Bot

Zeus Domain Flux

• Zeus is one of the large botnets. • Bots continuously generates new URLs. – Uses Fast Flux – E.g. based on a hash of the date and a secret value. – Many C&C servers – Spreads mainly via Trojans. • Botmasters know and register the URL – Man-in-the-browser (form grabbing) in advance. – Sends Spam, Phishing. • Even if all C&C is shut down, bots will switch to a new URL in a few days. • Code is available for sale on black • We can try to block all future URLs markets. (hard) Conflicker P2P

• Computer Worm that installs a botnet • More recent malware sets itself up as a – more than 10 million infections. P2P network. – first version would not infect computers with Ukrainian keyboard layout. • Malware connects to C&C and other – spreads NetBIOS buffer overflows and bots. guessing admin passwords. – uses Domain Flux and P2P • If the main C&C goes down botmasters can connect to any bot and update • Largely contained by security researchers them all with a new C&C. who have blocked tens of thousands of domain names.

Torpig/Mebroot

• Mebroot is a root kit, that writes itself Marco Cova and colleagues into the Master Boot Record. reverse engineered Torpig’s – Executes before OS loads domain flux algorithm. – Very hard to detect. • Spreads via drive by downloads. Looking ahead they noticed • Downloads and installs other payloads. that some Torpig URLs weren't registered. • Torpig is a botnet downloaded and installed by Mebroot. So they decided to register the addresses themselves.

Botnet take over paper Underground Markets Roles

It took 10 days for 1. Attacker that steals the data (e.g. via Mebroot to replace botnet’s, phishing etc). Torpig with a new payload. 2. Cashiers: take credit cards and bank accounts and removes cash. For 10-days they had 3. Drops: people who provide a place to complete control of send goods. the botnet and saw all data. 4. Service sellers: bot masters rent botnets for spam, DDoS, phishing. 5. Based on web forums and IRC Market places Bitcoin electronic current

• Internet Relay Channel (IRC) • Based on partial SHA hash collisions: – Anyone can connect and live chat – If you can find a partial collision you have minted a bitcoin. • Web forums, less common now. • Passed from one person to another by • Tor Hidden services, growing fast signing an entry in a public database. – Although attacked by FBI in the last few months. • Only the person with the signing key can pass it on.

Payment other methods Typical Transaction 1:

• “Webmoney” online payment based in • Hacker steals 1000 fullz (credit card Russia number, CVV, name, address, etc.)

• Western Union money transfer • Sells them on forum for 10 bitcoins (£4300) • Closed down: – E-Gold another digital currency: trading • Buyer sells then in groups of 20 to shut down in 2009 due to crime cashiers for £300 in “Webmoney” – Liberty Reserve based in Costa Rica, taken down in May.

Typical Transaction 1: Typical Transaction 2:

• Cashiers meets “drops” in Internet chat • Bot master offers network for DDoS rooms who agree to receive goods. attack at £200 a day.

• Cashiers orders goods online and has • Attacker hires the botnet to attack small them sent to the “drops” company, bring down their site.

• Drops sell goods and send half the • Attacker anonymously contacts the money to the Cashiers via Western company and asks for £10,000 in Union. bitcoins to stop. Less Common Attacks: Advanced Persistent Threats Spear Phishing / Whaling • APT are attackers that will put a lot of • Mass Phishing has a very poor success rate. time and effort into attacking a target. • Targeting a phishing attack takes more time • Well funded, technically advanced. but works better. E.g. – Send fake e-mail pretending to be a boss’s secretary. • Common techniques include: – Send fake CVs/pdf malware to HR – Very carefully crafted phish attacks recruitment – Waterholding: Drive-by-downloads on website likely to be used by public. – Zero days

Reading Conclusion

• A guess lecture for Donato Capitella of • The Symantec Internet Security Threat MWR Labs: Report, 2013. – what happened in cyber security last year “Stories from the trenches: a year in • Marco et al.’s paper on Torpig. the life of a security consultant".

Both linked to from the lecture website.