A Simple Malware Test Environment

A Simple Malware Test Environment

International Journal of Computer and Information Technology (ISSN: 2279 – 0764) Volume 02– Issue 04, July 2013 A Simple Malware Test Environment Sam Lundie and Daniel Rolf School of Computing and Information Systems University of Tasmania Launceston, Tasmania, Australia e-mail: {slundie, Daniel.Rolf} @utas.edu.au Abstract— Malware does not need to compromise the operating not-present fraud increased by 38% for the calendar year system kernel in order to provide an untrustworthy browsing 2010, with 35.6 cents in every $1,000 dollars falling victim experience for the user. This paper describes a simple, virtual to fraud [1]. However, similar figures for fraud perpetrated machine-based, malware test environment built using freeware against Online Banking are much harder to obtain as banks and open source software. The system was designed to allow are seemingly reluctant to divulge loss figures. The the high-level behaviour of a piece of malware to be studied quickly and conveniently by monitoring network, process and Symantec Corporation has claimed that cybercrime has file activity. The system proved effective when trialled against surpassed illegal drug trafficking as a criminal money- different samples of the well-known malware Zeus and was maker [2]. verified further by tests conducted with the commercially available anti-malware products PC-Tools and Trusteer. It has been estimated that Zeus is guilty of approximately Although tests were conducted with variants of the Zeus 44% of all banking malware infections [3]. In August 2009 malware, the techniques discussed in this paper are equally Gunter Ollmann the VP for research at Damaballa [4] applicable to any other malware and can be used to quickly positioned the Zeus malware as the number one botnet assess the effectiveness of potential anti-malware solutions. threat with 3.6 million infections in the US alone (about Also, the system is portable and simple, requiring only a general level of technical knowledge to operate, allowing it to 19% of the installed base of PCs in the US). Zeus is be used as a convenient platform for a wide student and ever changing, and many modifications exist in the wild, professional audience. each targeted towards a specific set of exploits. Currently, Gameover is one such variant [5] which, according to the Keywords – Zeus, online banking, malware United States Federal Bureau of Investigation (FBI), has “…the capability to steal usernames and passwords and I. INTRODUCTION circumvent most common authentication methods” [6]. Governments and corporate enterprises are increasingly Zeus was specifically designed to operate against the dependent on computer networks for their day-to-day and Windows suite of operating systems (OSs) because critical operations. In this network-centric environment it is Windows enjoys the majority share of the OS market. The necessary for all participants to appreciate the importance of majority of people transacting online use a version of required network and computer security measures. It is also Microsoft Windows, with WinXP, Win7, WinVista and useful for security professionals to quickly become aware of Win2003 taking up over 90% of the total desktop computer any changed threat conditions, allowing necessary new OS market share [7]. The major non-Windows OSs, countermeasures to be designed and implemented. MacOSX and iOS, have a combined market share of only 7%. This means that targeting machines running a windows The purpose of this project was to develop a simple operating system provides much better Return on malware testing platform and to demonstrate its ability as an Investment (ROI) for those committing fraud. Microsoft educational and research tool. The test platform was based also acknowledges this threat and spends considerable time on laptop hardware and freeware tools implemented in a and resources on taking down Command and Control virtual environment, making it affordable as well as servers that target machines running its operating systems portable. [8]. Although, there are many different types of malware, credit Given the above reasons, for the purpose of this project, the card fraud is one of the most notable targets for malware target systems were chosen from the range of Windows developers and organised crime because of its impact on the operating systems and the sample malware chosen was finance industry and general public. Statistics from the Australian Payments Clearing Association show that card- www.ijcit.com 581 International Journal of Computer and Information Technology (ISSN: 2279 – 0764) Volume 02– Issue 04, July 2013 Zeus. The approach taken is equally applicable to other actions requiring a higher level of permission than that of its malware affecting Windows OSs. current context. II. COMPROMISING WINDOWS The Trojan appears to weigh up the advantages of There are many vectors of compromise for Windows running at a higher privilege level against the risk of alerting systems. Some are offensive, such as worms like Conflicker the user to its malicious intentions (because of UAC). The exploiting remote vulnerabilities, and others are reactive fact that Trojans such as Zeus and Torpig can implement where the end user performs some sort of action that User Mode Rootkits, inject code into other processes and establish outbound connections via injected processes such triggers the exploitation. Recent research by the SANS as Internet Explorer, indicates that the permission level of the Institute found that the number one initial infection vector system account used as the context for their execution is too was exploitation targeting client-side software [9]. In 2010, high. However Windows is at pains to avoid over-prompting the National Vulnerability Database [10] indicated that web the user for requests to elevate privileges. Microsoft browsers and document management software accounted for overhauled the UAC functionality after feedback from users the majority of the applications being exploited, with of Vista™ indicating that it was too onerous and that too multimedia players being strongly represented. Client-side much of their time was spent accepting the UAC prompts applications have more integration with the Internet and from the OS [14]. As such, Microsoft is in the tricky position offer more functionality providing a greater attack surface of having to provide better security for its users whilst still for developing exploits. These vulnerabilities can be allowing the flexibility of using the OS unhindered. exploited from many different sources: some are executed just by visiting a webpage having embedded malicious content, known as ‘Drive-by’ infection, whilst others are III. FUNCTIONALITY OF THE ZEUS TROJAN more targeted ‘Phishing’-style emails containing either The Zeus Trojan is a bot that installs itself on the victim embedded exploited software, or lures to sites where such machine and provides a framework for remote control of malicious content is hosted. that machine. Once infected, the machine will report back to a Command and Control (C&C) server periodically to Rootkits are designed to hide a program from the guest OS update it with the status of the local machine. Zeus is to avoid detection and sustain their life span on the infected designed to be deployable to end systems that sit behind machine. They have the ability to hide files, processes, sophisticated network infrastructure. It is specifically registry keys, open network ports and other system objects. designed for the Windows OS and will install on a machine By subverting the OS they cloak their operations from anti- with only Guest privileges. It has the ability to communicate virus/malware products that search for them. Modern with its C&C over TCP port-80 (http) and be operated using Trojans, such as Zeus, leverage the power of rootkits, to the SOCKs protocol. It will spy on the user and has the keep their activities hidden from the OS and any anti-virus ability to capture information from within the browser software that may be running on the compromised PC. which, thanks to its API hooking, includes sessions secured Trojans want to run but also want to remain hidden and, as by Secure Socket Layer (SSL). such, face a similar paradoxical situation to rootkits [11]. Another problem faced by Trojans is how to install Zeus is a modular Trojan designed for easy customisation to themselves on a system without alerting the user to their the needs of those deploying it. Once a bot is loaded on a malicious intent. Some of the more prevalent online banking system it calls to the C&C address (which is hard-coded in Trojans, such as Zeus, or its predecessor Torpig, only the binary) for a newer version of a configuration file. This operate within the context of the user who executed them allows the controllers of the bot net or ‘Bot-herders’ to and this restricts the depth to which they can embed update their Botnet by simply uploading a new themselves within the OS [12]. They are unable to employ configuration file containing a list of web-injects - the sites kernel level rootkit techniques because they require access from which the Trojan is targeting to steal information. This to the kernel to execute and thus require a higher level of communication is via a thread injected into the Explorer privilege. Such Trojans are restricted to using a shallower Process by the Trojan. Apart from the initial call to the user level rootkit. C&C, all communications are encrypted with the RC4 algorithm using a pre-shared key that is obfuscated within One reason that these Trojans may choose to avoid using the Trojan executable. Zeus and its operation have been a higher level of privilege is to avoid triggering Windows studied at depth by Binsalleeh and his group [3]. User Access Control (UAC). As part of Microsoft’s security push to increase the security of their OSs, UAC was One of the most powerful methods that Zeus uses to subvert introduced into Windows Vista ™ [13].

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    7 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us