Malware What is malware? • Malware: malicious software • worm • ransomware • adware • virus • trojan horse • etc. … and how do we fight it? • AV software • Firewalls • Filtering • Patching • Writing more secure software • Training users How to Monetize Malware • Botnets • Networking infected computers together • Sending instructions to those computers to do things like: • Send spam • Mine cryptocurrency • Perform ad fraud • Perform DDoS attacks • Stealing banking credentials • Stealing Bitcoin and other alternative currencies • Ransoming the computer • Pay per install software How malware spreads • Attachments in emails • Other social engineering • Drive-by downloads • Spreading itself Vulnerabilities vs. Exploits • Vulnerability: hole in software • Exploit: code written to use vulnerability to gain unauthorized access to something • There’s way more known vulnerabilities than known exploits. • https://www.exploit-db.com/ vs. https://nvd.nist.gov/ Zero Day Attacks • Realized exploit comes before known vulnerability • Fairly rare • Zero days are expensive — 1.5 million USD for Apple iOS 10 exploit • Overwhelmingly, exploits in the wild are not 0day. Morris Worm • Created in 1988 by Robert Morris • Purportedly to measure the Internet • Infected 10% of computers connected to the Internet • Slowed down computers to where they became unusable. Morris Worm • Exploited Unix systems through: • sendmail • finger • rsh • weak passwords • Note that the vulnerabilities that he exploited were known. • Buggy: installed itself multiple times, didn’t phone home, etc. Effects of Morris Worm • CERT organizations worldwide • CERT-CC at CMU funded by the US gov • Patching known vulnerabilities • More attention to computer security Conficker • Computer worm first appearing in November 2008 • Sinkholed in 2009 • Good guys registered domain names used for attacks • Operators arrested in 2011 • Still infecting computers today • Millions of infections — hard to count. Conficker — how it spreads • Conficker-A: Vulnerability in Windows. Infected machines scanned IP space for more machines. • Conficker-B: Added infected USB devices, shared network folders with weak passwords. • Conficker C: Hardened new command and control infrastructure and added fake AV as a monitization. • Conficker D-E: Turned from centralized botnet to peer-to-peer Conficker Infections over Time Reaction to Conficker • Patch released before worm, yet patch rate was slow. • Large scale anti-botnet effort • Microsoft added security updates for unlicensed software • Conficker botnet shrank at a slower pace than the market share of Windows XP / Vista Stuxnet • Worm first known about in 2010, detected as early as 2005 • Built by the US and Israeli governments to attack Iranian nuclear program • Targets PLCs through Windows computers • Infected over 200,000 Windows machines Stuxnet - how it spreads • Use zero day exploits to compromise Windows machines • Spread using USB drives, peer-to-peer RPC • Bridges computers connected to the Internet with those that aren’t • Attacks files connected to certain SCADA software • Hijacks communication Reaction to Stuxnet • Cyberwarfare IRL • Car bomb attacks against Iranians by Iranian government • Some efforts to isolate important PLCs better: • Similar effort against North Korea failed • Doqu/Flame Drive by downloads • Website infected with malware • Malware injects code into webpage • That code infects those who visit it by directing them to an exploit kit through an intermediary How are websites targeted? • Find an exploit in a certain piece of software • Use Google Dorks to find websites with that vulnerability • Compromised advertising • Other ways? Exploit Kits • Each machine has different software on it • Uses a host of exploits to infect a machine • Exploit kits can be bought or rented Fake Antivirus • Installs itself on your machine and forces you to buy software • Many people buy this software • Largely shut down by shutting down payment processors Ransomware • Encrypts all your files using a key: • Old: same key for all • New: different key for each system • Requires victim to pay criminal to get files back: • Old: Payments through Western Union and the like • New: Payments through Bitcoin.