Malware: A Criminal Force Malware: The Next Big Internet...


Page 1: Malware: A Criminal Force Malware: The Next Big Internet ...swetzel/malware/malware-all/aaas_all.pdf•FlexiSPY –Watch SMS/cell phone traffic –Remotely switch on microphone Wireless


Malware: The Next Big Internet Threat

Markus Jakobsson, Aaron Emigh, Ari Juels, Zulfikar Ramzan, Susanne Wetzel

Malware: A Criminal Force

Also: click-fraud, session hijacking, data theft, location tracking,…

Diagram courtesy of the Anti-Phishing Working Group

Malware: A Social Problem

Images courtesy of stop-phishing.com

Malware: The Next Big Internet Threat

The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond

Aaron Emigh, Radix Labs

[email protected]

What is Crimeware?

• Performs illegal actions
• Actions are unanticipated by user
• Results in tangible benefit to attacker

Crimeware is:
• Keyloggers/Screenloggers
• Email & IM redirectors
• Session hijackers
• Web Trojans
• Transaction generators
• System reconfigurators
• Data stealers
• Rootkits

Crimeware is not:
• Adware
• Spyware
• Malicious “hobbyist” software (destructive worms and viruses)
• Botnet controllers
• Data collectors and forwarders
• Proxy servers


Crimeware Propagation

Piggybacking

Toolkits

Affiliate Marketing

Distribution

Installation: Downloader & Backdoor


Crimeware for Identity Fraud

• Keyloggers and screenloggers
• Email and IM redirectors
• Web Trojans
• Session hijackers
• Transaction generators
• System reconfigurators
– Hostname lookup disruptors
– Proxies
• Data stealers
• + Rootkits!

Other Crimeware Revenue Models

• Spam transmission
• Denial-of-service attacks
• Click fraud
• Data ransoming
• Information consolidation

Crimeware Flow

[Figure: Crimeware Flow. Boxes: Crimeware, Infection, Execution, Storage, Attacker, Legit Server, Data Entry; arrows numbered 1 to 7, some marked “(some modes)”.]

Countermeasures

1. Interfere with distribution

• Spam filters
• Automated patching
• Good filtering


Countermeasures

2. Prevent infection

• Antivirus
• Behavioral detection
• Protected applications


Countermeasures

3. Prevent execution

• Only run signed code


Countermeasures

4. Prevent data access

• Protected storage for sensitive data
• Encryption


Countermeasures

5. Prevent user compromise

• White-hat keylogger
• Trusted path
• Stored credentials


Countermeasures

6. Prevent data use by attacker

• Traffic sniffing
• Behavioral detection
• Policy-based data


Malware: The Next Big Internet Threat

The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond

http://crimeware.emigh.org

Aaron Emigh, Radix Labs

[email protected]

Where Phishing & Malware Meet

Zulfikar Ramzan, Feb 18, 2007

Zulfikar Ramzan, Where Phishing and Malware Meet


Outline

1. Phishing: Introduction & Motivation

2. Malware in Phishing Lifecycle

3. Conclusions


Phishing: Introduction

From: Bank-Service <[email protected]>

To: [email protected]

Subject: Update Your Information

Date: July 06, 2006 9:06:00 AM PST

Dear Bank.com User,

During our regular update and verification of accounts, we couldn’t verify your account. Click Here to update and verify your account. If you don’t then your account will be suspended in 24 hours!!

Sincerely, Bank.com Team

Contains a lure for you to reveal sensitive info.

False Pretense

Poses as legitimate institution

Creates sense of urgency


The Extent of the Problem

• Jan - Sep ’06: Symantec Brightmail blocked > 2 Billion phishing emails with > 240,000 being unique

• Numbers rising; Arms race where phishers constantly bypassing latest countermeasures

• Phishing not just about “social engineering” – malware has many roles


Where Phishing & Malware Meet

• Spam often sent via compromised machines

• 0.81% of spam contains malicious code (Symantec ISTR, Jan-Jun ’06).

• Different types of password stealing malware:
– Browser Overlays
– Fake Browsers
– Form Grabbers

• Phish sites can host traditional malware or JavaScript Malware.

• # Unique malware variants growing rapidly. Behavior blocking should complement signatures. (Symantec working in this area)


Demo of Password Stealers


JavaScript Malware [GN06]

• We often think malware = executable software

• Malicious JavaScript can run natively in web browser:
– Can change home broadband router DNS settings (Drive-by Pharming): attacker “controls” how you surf Internet [SRJ07].
– Can expose home network to entire Internet
– Infer user browsing habits

<SCRIPT SRC = “http://192.168.1.1/...?...”></SCRIPT>


Drive-by Pharming

[Figure: Drive-by Pharming. Components: Web Browser, Home broadband/wireless router, Good DNS Server, Rogue DNS Server, Your Bank, Not Your Bank, and a Web site with JavaScript Malware (“Click Me!!!”) carrying <SCRIPT SRC = “http://192.168.1.1/...?...”></SCRIPT>. The figure shows www.bank.com resolving to two different addresses, 129.79.78.8 and 66.6.66.6, depending on which DNS server the router points the browser at.]
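As an added illustration (not from the slides), the following Python sketches the router-side check that defeats the request pattern above: a DNS change is accepted only from an authenticated session, as a same-origin POST carrying a per-session CSRF token, none of which a cross-site `<SCRIPT SRC>` fetch can supply. The `Session`, `Request` and `dns_change_allowed` names, the `evil.example` site and the sample IP values are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"  # address used in the slide's <SCRIPT SRC> snippet

@dataclass
class Session:
    """Assumed admin-UI session state kept on the router."""
    authenticated: bool = False
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    """Minimal model of one HTTP request as the router's admin UI sees it."""
    method: str
    path: str
    headers: dict
    form: dict

def dns_change_allowed(req: Request, session: Session) -> tuple:
    """Return (allowed, reason) for a DNS-settings change.

    A drive-by pharming page can only make the victim's browser *send* requests
    to the router; it cannot read the router's pages. So demand things such a
    page cannot supply: a logged-in session, a POST, a same-origin
    Origin/Referer header and the session's CSRF token.
    """
    if not session.authenticated:
        return False, "not logged in"
    if req.method != "POST":
        return False, "state change must use POST"  # <SCRIPT SRC> fetches are GETs
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return False, "cross-site request"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo() -> tuple:
    session = Session(authenticated=True)  # user is logged in to the router UI
    # Constructed: what the browser emits for a third-party page's
    # <SCRIPT SRC="http://192.168.1.1/..."> tag: a GET with a foreign Referer.
    drive_by = Request("GET", "/dns", {"Referer": "http://evil.example/"},
                       {"dns1": "203.0.113.5"})
    # Constructed: the legitimate form submission from the router's own page.
    legit = Request("POST", "/dns", {"Origin": ROUTER_ORIGIN},
                    {"dns1": "198.51.100.1", "csrf_token": session.csrf_token})
    return dns_change_allowed(drive_by, session)[0], dns_change_allowed(legit, session)[0]
```

The token check is what holds even if the router's default password is unchanged, which is the setup-hassle default the Wetzel slides later point at.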


Conclusions

• Phishing traditionally social engineering based, malware more technical.

• Uses of malware in phishing:
– Sending unsolicited emails
– Propagation via phishing emails
– Password stealers
– Malware hosted on phishing server
– JavaScript malware is dangerous: millions susceptible

Looking forward, these problems translate to important opportunities for developing and deploying new countermeasures.


Thank You!

Zulfikar Ramzan ([email protected])

http://www.symantec.com/enterprise/security_response/weblog/authors/zulfikar_ramzan.html

Copyright © 2007 Symantec Corporation. All rights reserved.


Wireless Malware

Susanne Wetzel, Stevens Institute of Technology

Department of Computer Science, Hoboken, NJ 07030, USA

Scenario

The Challenge


The Challenge: Security Weaknesses

[Figure captions: "Aha! Uwe Schulz just passed by!" and “The secret key is K.”]

Wireless Malware

• Prominent examples:
– Cell phone worms (e.g., Cabir, Lasco)
– Wireless driver vulnerabilities

• Question: Feature or malware?

• FlexiSPY
– Watch SMS/cell phone traffic
– Remotely switch on microphone

Wireless Home Routers

• Home routers are embedded systems

• Defaults minimize setup hassle
– WiFi clients on LAN


WAPjack

• Malicious configuration of settings
– DNS, logging, Internet administration

• Very general attack

• Pharming = man-in-the-middle

WAPkit

• Subversion of control
– Use the “Upgrade” interface

• Stealthier attacks

• Most vulnerable are OSF platforms

• Cannot have security through obscurity

Stopping Attacks Today is Hard

• Current countermeasures of analyzing and monitoring traffic exploit centralization

Conclusion

• Is it a feature or malware?
– Monitoring your kids or spying on cell phone users?

• We haven’t seen anything yet.
– Today, the ratio between mobile malware and malware in the conventional setting is 1/600.

• A cell phone is a very personal device.

• Many will want to have an iPhone.
– Risk for mobile malware will increase with the number of devices.

Malware: An All-Or-Nothing Game?

Ari Juels, RSA Laboratories, 18 February 2007

© 2007 RSA Laboratories

Malware can often take over host completely

• “Sniffing” keyboard to capture passwords

• Initiating transactions
– E.g., execute $10,000 withdrawal when user logs into bank account

• Directing user to undesired Web sites

• Launching attacks on servers


Host destruction is self-defeating

• Malware wants to escape detection
– E.g., password sniffing

• There is usually a strong residue of “good” system components

• Malware is like a microbe: in short term, wants to exploit host
– AIDS vs. Ebola

Strategy: connect “good” components with outside

[Figure: client connected to BANK]

Example: Remote Harm-Diagnostics (RHD)

• “Good” component is browser history
• Browser quirk lets Bank probe client to detect visits to certain Web sites
• Bank can detect client visits to blacklisted sites known to distribute malware

Example: Remote Harm-Diagnostics (RHD), continued

• RHD is ad-hoc: only works sometimes
• Gives Bank not perfect, but enriched information
• Two big benefits of RHD:
  • Privacy-preserving
  • Requires no client-side installation!

More powerful approach

• With client-side software, Bank can mine richer behavioral data from clients
– E.g., complete log of installed software

• Tamper-proof logging is possible
– Malware can (detectably) delete log, but can’t modify

• Privacy is very important!
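The logging bullet above is what a forward-secure MAC chain delivers; the Python below is an added example, not code from the talk or from RSA Laboratories. The client MACs each entry with a key that is evolved one-way and erased after use, while the Bank keeps the initial key and the entry count it last acknowledged, so malware that arrives later cannot re-MAC anything recorded before it, and a deleted tail shows up as a count below the checkpoint. The key value, the `ForwardSecureLog`/`verify` names and the sample records are constructed.

```python
import hashlib
import hmac

def _mac(key: bytes, index: int, record: bytes) -> bytes:
    return hmac.new(key, index.to_bytes(4, "big") + record, hashlib.sha256).digest()

def _evolve(key: bytes) -> bytes:
    # One-way step: key_i yields key_{i+1}, never key_{i-1}.
    return hashlib.sha256(b"evolve|" + key).digest()

class ForwardSecureLog:
    """Client-side log whose MAC key evolves after every entry."""
    def __init__(self, k0: bytes):
        self.key = k0          # only the current key ever lives on the client
        self.entries = []      # (index, record, tag)

    def append(self, record: bytes) -> None:
        i = len(self.entries)
        self.entries.append((i, record, _mac(self.key, i, record)))
        self.key = _evolve(self.key)   # previous key is erased

def verify(k0: bytes, entries: list, checkpoint: int) -> str:
    """Bank-side audit: the Bank holds k0 and the entry count it last acknowledged."""
    key = k0
    for expected, (i, record, tag) in enumerate(entries):
        if i != expected or not hmac.compare_digest(tag, _mac(key, i, record)):
            return "tampered"     # edited, reordered, or a middle entry removed
        key = _evolve(key)
    if len(entries) < checkpoint:
        return "truncated"        # tail deleted: visible, as the slide says
    return "ok"

def demo() -> tuple:
    k0 = b"constructed shared secret"  # assumed: provisioned with the client software
    log = ForwardSecureLog(k0)
    for rec in (b"installed: browser 2.0", b"installed: toolbar-x", b"installed: update-123"):
        log.append(rec)
    checkpoint = len(log.entries)     # Bank has acknowledged 3 entries
    clean = verify(k0, log.entries, checkpoint)
    # Malware arriving now holds only the evolved key, so re-MACing entry 1 fails.
    edited = list(log.entries)
    edited[1] = (1, b"installed: nothing", _mac(log.key, 1, b"installed: nothing"))
    return clean, verify(k0, edited, checkpoint), verify(k0, log.entries[:1], checkpoint)
```

Entries appended after the compromise are of course under the malware's control; what the scheme protects is the record of what happened before it arrived, which is exactly the installed-software history the Bank would want to mine.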


Strategy: put “good” components on outside in client

Virtual Machines

Virtual Machines Example: Browsing

• Web browser sits in virtual machine

• “Guardian” software ensures safe transit of password from keyboard to Bank
– E.g., Stanford “Spyblock”

• If malware attempts to sniff password, “Guardian” can quash it

Conclusions

• Solutions are embryonic
– RHD / data-mining challenges:
  • What data to mine?
  • Privacy preservation
– Virtual-machine challenges:
  • Not disrupting ordinary software
  • Ensuring against malware “breaking through”
  • What security functionality should VM provide?

• Solutions and malware will co-evolve

For more information, see

Deceit/education: malware-jakobsson.info
Taxonomy/money: malware-emigh.info
Today/pharming: malware-ramzan.info
Wireless: malware-wetzel.info
New defenses: malware-juels.info

These slides: malware-aaas.info