
Malware, Trojans & Botnets


Presentation Transcript


  1. Malware, Trojans & Botnets Kevin Bong Johnson Financial Group

  2. A scary scenario • The school district’s accounting manager logs into the district’s online banking account. • Balance is $150,000 short. • Looking at the transaction history, it shows almost 20 ACH transactions, each around $8,000, were initiated from the account yesterday. • The recipients of the transactions are unfamiliar. • The accounting manager calls her bank…

  3. The plot thickens • Bank traces the funds and contacts the receiving banks. • Some of the funds are still available, others have been withdrawn. • Discussions with the account holders reveal that they have been hired as “money transfer agents”, and have wired the money overseas. • A scan of the accounting manager’s computer shows that viruses were found and removed.

  4. The Zeus Botnet • Has been used to breach thousands of online business banking accounts • Small businesses, non-profits, towns, schools, … • Used to steal over $100 Million as of Nov 09, still going strong.

  5. Malware, Trojans and Botnets • This is one example of one of the many ways fraudsters are using Malware to make money. • How could this happen? • Aren’t there multiple layers of controls? • Malware is used to break every layer.

  6. Malware is used in most data breaches Joint United States Secret Service/Verizon 2010 Data Breach Investigations Report Analysis of 141 breach cases including over 143 million breached data records

  7. What’s the difference? • Malware – Malicious software - hostile, intrusive, or annoying program code • Virus – software that reproduces itself • Bot – computer program that does automated tasks. • Trojan – initially bad software hidden inside good software. Now more generally refers to Malware with “backdoor” (remote control) functionality, or an evil bot. • Botnet – a network of compromised “zombie” computers

  8. How do computers get infected? Joint USSS/Verizon 2010 Breach Report

  9. Injected/Installed by remote attacker – Listening Network Services • Example MS09-022 “Buffer Overflow in Microsoft Print Spooler Vulnerability” • Listening software = programs running in the background waiting for incoming network traffic.

  10. Other Common Network Services attacked • Web servers • FTP servers • Windows file sharing • Mail Servers • Network services (name lookup, etc.) • Databases

  11. Web – Auto Executed Drive By • Hackers infect legitimate websites • Or build infected websites and get high search engine rankings • Code – usually JavaScript – is included on the infected page. • JavaScript is executed on the client, and instructs the client to download, install, and run malicious programs.

  12. Web/Email User downloaded or executed • Download programs from file sharing sites or other untrusted sources • Not just programs – virus code can hide in Adobe PDF, Flash, Windows Media, Java • more than 46% of the browser-based exploits during the second half of 2009 were aimed at vulnerabilities in the free Adobe Reader PDF viewer

  13. Facebook – Social Engineering • Receive a message from a Facebook friend: “Hey, I have this hilarious video of you dancing. Your face is so red. You should check it out.” • Koobface infects a profile and sends a message to all friends via the Facebook messaging system • When you click on the video, you are prompted to update Flash player. The update is actually a copy of the Koobface worm. • Facebook funniest malware vid

  14. Exploit + Payload = Malware • Vulnerability – the weakness that is utilized to compromise the machine • Most commonly software bugs and tricking users • Exploit – the chunk of hacker code that utilizes the vulnerability • Payload – the chunk of hacker code to “do something” with the compromised host. • Hiding, spreading, stealing, attacking, destroying, earning income

  15. Metasploit • Framework for joining Exploits with Payloads, and launching attacks. • Command line and GUI interfaces • Hundreds of exploits built in to the tool • Open API to build and include more • Over 100 payloads too

  16. Metasploit Exploits Example

  17. Metasploit exploits - GUI

  18. Metasploit Payloads MSF vid

  19. Stage 2: Hiding • Generally not noisy like adware and spyware (at least not initially) • May disable antivirus and administrative functions/control panels. Less obvious: may just break AV update capability. • More sophisticated malware installs itself as a “Rootkit”

  20. Rootkit • Obscures the fact that a system has been compromised • Hooks into or replaces portions of the operating system • User mode – modifies • Kernel mode – • Makes the computer “lie” to higher level programs, like Windows Explorer and antivirus • HackerDefender, a well-known example (Vid)

  21. Stage 3: Join Botnet • Use Dynamic DNS lookup to find a Botnet server on the Internet • “Fast-flux” DNS techniques to direct the bot to one of hundreds of bot servers. • Forward traffic through proxies, harder to trace • Servers kept in non-cooperative countries
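The fast-flux pattern described on this slide (one host name rotating through many unrelated servers with short TTLs) is something a defender can look for in passive DNS records. The following is an added example, not from the presentation: the log format, the thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS records (not real data): "epoch domain rrtype ip ttl".
# One name resolves to a small stable pool; the other rotates through many
# unrelated networks with a short TTL, the fast-flux pattern from the slide.
SAMPLE_DNS_LOG = """\
1286784000 update-check.example.net A 203.0.113.10 3600
1286784000 update-check.example.net A 203.0.113.11 3600
1286787600 update-check.example.net A 203.0.113.10 3600
1286784000 zbot-cc.example.com A 198.51.100.7 60
1286784060 zbot-cc.example.com A 192.0.2.44 60
1286784120 zbot-cc.example.com A 203.0.113.201 60
1286784180 zbot-cc.example.com A 198.51.100.99 60
1286784240 zbot-cc.example.com A 192.0.2.130 60
1286784300 zbot-cc.example.com A 100.64.5.5 60
"""

# Thresholds are assumptions; tune them against your own DNS baseline, since
# CDNs also use short TTLs but usually stay inside a few networks.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3   # /16 prefixes as a rough stand-in for network diversity
MAX_TTL = 300

def parse_dns_log(text):
    """Yield (domain, ip, ttl) for well-formed A records; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "A" or not fields[4].isdigit():
            continue
        yield fields[1].lower(), fields[3], int(fields[4])

def summarize(records):
    """Per domain: distinct IPs, distinct /16 networks, and the lowest TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for domain, ip, ttl in records:
        s = stats[domain]
        s["ips"].add(ip)
        s["nets"].add(".".join(ip.split(".")[:2]))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def fast_flux_candidates(text):
    """Domains whose resolution history matches the fast-flux heuristic."""
    return sorted(
        d for d, s in summarize(parse_dns_log(text)).items()
        if len(s["ips"]) >= MIN_DISTINCT_IPS
        and len(s["nets"]) >= MIN_DISTINCT_NETS
        and s["min_ttl"] <= MAX_TTL
    )
```

Run against the sample, only `zbot-cc.example.com` is flagged; the stable two-address name stays below the IP and network thresholds.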

  22. Botnet Command and Control • Historically preferred IRC, still in use • HTTP (web browser traffic) • Peer to peer protocols • Twitter, Google Groups, Facebook

  23. Botnet Control Diagram

  24. Botnet control via IRC channel IRC C&C vid

  25. Some sample Botnet commands • ddos.synflood [host] [time] [delay] [port] • ddos.phatwonk [host] [time] [delay] • scan.start • http.download • http.execute • ftp.download • spam.setlist • spam.settemplate • spam.start • bot.open • bot.die * SYN-flood on ports 21,22,23,25,53,80,81,88, 110,113,119, 135,137,139,143,443,445,1024,1025, 1433, 1500,1720,3306,3389,5000,6667, 8000,8080

  26. Hierarchical CnC topology • Commands sent to distributed servers, which send commands to bots. • May be multiple layers. • Single bots aren’t aware of bot master location or size of botnet. • Easy to carve up to sell or perform different operations.

  27. Botnet Command and Control • Zeus Tracker Command and Control Servers as of 10.11.2010

  28. Zeus Server Distribution

  29. Current Botnet Attributes • Distributed Architecture • Multiple C&C channels • Extensive encryption • Immortal/unlimited in size • Self Protection • Self Healing • Virtual Machine Aware • Polymorphic • Multiple exploit channels

  30. Bot Herding • Separate “owned” machines based on function • Static, always on, high bandwidth → server • POS machine → steal credit cards • Corporate office → steal data, spread • Look for online business banking use → ACH theft • Home Users → SPAM, DDOS, etc. • Manage bots • Lease out services

  31. Botnet Statistics

  32. Stage 4: Use • Send SPAM • Steal email addresses from compromised computers. • Most mail systems will block large numbers of emails from the same source. Distributing it to workstations makes it harder to filter/block • Denial of Service • Have hundreds or thousands of your bots send traffic at the same website or company, fill their pipe and knock them off the Internet • Other theft • Credit card numbers • Steal “in game” online game items and sell on eBay

  33. Banking attack – Step 1 infection • Bank of Nicolai vid • Utilize Phishing, network exploits, and drive by downloads to spread your botnet as wide as possible.

  34. Banking attack – Step 2 identify victim machines • Monitor browser use and network traffic to identify any machines in the bot network that are being used to log into online business banking services • May at that point install a rootkit on the identified machine

  35. Banking attack – Step 3 Capture Passwords • Keylogger can capture passwords • Challenge questions? • Steal or delete registration cookies to bypass challenge questions • Email password? • Hacker also already has access to your email

  36. Banking attack Step 4 – Hire mules • Use your botnet to send SPAM email soliciting for “work at home” jobs • Timing is critical, to pick up and wire funds before the account compromise is detected.

  37. Banking attack Step 5 – Perform transaction • Remote control allows them to log in from your workstation if they want. • They know your password, challenge question, etc. • Aim is to create new recipients and send funds via ACH or wire in one login session • These electronic transactions are nearly immediate and difficult to reverse

  38. Evolution of Malware – The Red Queen • Red Queen Hypothesis – coevolution of parasite/host • From “Through the Looking Glass” • The Red Queen tells Alice “Now, here, you see, it takes all the running you can do to keep in the same place” • Passwords → Keyloggers • Challenge questions → delete cookies • Registration cookies → steal cookies • Email passwords → Access email • One Time Passwords → MITB…

  39. Man in the Browser attack • Trojan horse/rootkit specifically for the browser. • Same idea – shows you on the screen what you think you should see, but in the background is doing something evil.

  40. Man in the Browser attack • Zeus Trojan recent variants – • You login to your online business banking • You set up and send a transaction • You type in a One Time Password from a security token, etc. • The Trojan immediately and automatically in the background modifies your transaction to send the funds to his mule. • The Trojan shows you on your screen that your transaction was successful.

  41. Stage 4: Use…Version 2.0 • Scarier Use: Advanced Persistent Threats • Espionage, not financial data • Aim is long term under-the-radar occupation of corporations and government entities. • Targeted, custom malware less likely to be detected. • Well funded and well organized.

  42. APT example – China hacks Google • January 2010 • “Aurora” malware used a zero-day bug in Microsoft IE • Stole intellectual property from Google • Accessed Gmail accounts of Chinese human rights activists • Related intrusion into big energy companies, stole oil reserve data • Dozens of other companies targeted too.

  43. Another APT example - Stuxnet • Four main exploit channels • Two Windows zero-days • USB • Targeted payload designed for a specific Industrial control system …running specific custom software • Encryption and Polymorphism • Dead-man’s switch – 3 generations or June 24, 2012

  44. Built for espionage • Attributes indicate it was built by a well funded and knowledgeable group (a government). • Many believe the target was Iran’s nuclear facilities. • Stuxnet infection rate seems to agree…

  45. Stopping Malware at step 1 - exploit • Patch systems to “fix” the bugs • Operating system • Browser • Third party apps, especially Adobe and Java • Don’t download malware • AV and browser plug-ins to block hostile sites • Avoid file sharing and less-than-reputable download sites

  46. Stopping Malware at step 1 - exploit • Don’t use guessable passwords • Use email with an antivirus/antispam filter • Use a firewall (or cable router or software firewall) to block hostile traffic to listening ports • Use portable media with caution, and scan before use

  47. Stopping malware- Antivirus • Antivirus can’t detect all malware • Must be up-to-date. • Utilizes signatures (patterns) that match parts of known malware • Polymorphism – patterns change • New variants or custom built viruses won’t have signatures • Rootkits can give “false” information to the Antivirus software

  48. Malware command and control • Some is easy to detect – IRC, P2P protocols • More sophisticated C&C could be more difficult – can really disguise itself as any network protocol • Residential router/firewalls do not generally block C&C traffic • Many corporate firewalls do not either • Default deny on outbound traffic can help stop • Myriad of gateway appliances
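The slide's point that default deny on outbound traffic helps, and that IRC is easy to spot while HTTP-based C&C blends in, can be turned into a simple audit of firewall flow logs. Added example, not from the presentation: the log format, the host roles (internal resolver, web proxy, mail gateway) and the sample flows are constructed assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed firewall flow records (not real data): "src dst dport proto".
SAMPLE_FLOWS = """\
10.1.1.20 10.1.1.5 53 udp
10.1.1.20 10.1.1.8 3128 tcp
10.1.1.21 198.51.100.7 6667 tcp
10.1.1.22 192.0.2.44 443 tcp
10.1.1.23 203.0.113.201 8080 tcp
10.1.1.5 8.8.8.8 53 udp
10.1.1.30 198.51.100.25 25 tcp
"""

# Assumed network roles: workstations may only reach the internal resolver and
# the web proxy; the resolver alone does Internet DNS; the mail gateway alone does SMTP.
INTERNAL_RESOLVER = "10.1.1.5"
WEB_PROXY = "10.1.1.8"
MAIL_GATEWAY = "10.1.1.30"

def parse_flows(text):
    """Yield Flow records; skip malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[2].isdigit():
            yield Flow(f[0], f[1], int(f[2]), f[3].lower())

def policy_allows(flow):
    """Default-deny egress: only explicitly listed flows pass."""
    if flow.dport == 53 and flow.proto == "udp":
        return flow.dst == INTERNAL_RESOLVER or flow.src == INTERNAL_RESOLVER
    if flow.dport == 3128 and flow.proto == "tcp" and flow.dst == WEB_PROXY:
        return True
    if flow.dport == 25 and flow.proto == "tcp" and flow.src == MAIL_GATEWAY:
        return True
    return False

def classify(flow):
    """Short triage hint for a denied flow (port-based, so only a first pass)."""
    if flow.dport in (6667, 6697):
        return "IRC, classic C&C channel"
    if flow.dport in (80, 443, 8080):
        return "direct web, bypasses proxy"
    return "not on egress allowlist"

def egress_violations(text):
    """Return (src, dst, dport, reason) for each flow default-deny would block."""
    return [(f.src, f.dst, f.dport, classify(f))
            for f in parse_flows(text) if not policy_allows(f)]
```

The web flows that skip the proxy are the interesting ones: HTTP-based C&C disguised as browsing only shows up as a policy violation once direct Internet access from workstations is denied.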
