Malware, Trojans & Botnets Kevin Bong Johnson Financial Group.


Malware, Trojans & Botnets

Kevin Bong

Johnson Financial Group


A scary scenario

• The school district’s accounting manager logs into the district’s online banking account.

• Balance is $150,000 short.

• Looking at the transaction history, it shows almost 20 ACH transactions, each around $8,000, were initiated from the account yesterday.

• The recipients of the transactions are unfamiliar.

• The accounting manager calls her bank…

The plot thickens

• Bank traces the funds and contacts the receiving banks.

• Some of the funds are still available, others have been withdrawn.

• Discussions with the account holders reveal that they were hired as “money transfer agents” and have wired the money overseas.

• A scan of the accounting manager’s computer shows that viruses were found and removed.


The Zeus Botnet

• Has been used to breach thousands of online business banking accounts

• Small businesses, non-profits, towns, schools, …

• Used to steal over $100 Million as of Nov 09, still going strong.


Malware, Trojans and Botnets

• This is one example of one of the many ways fraudsters are using Malware to make money.

• How could this happen?

– Aren’t there multiple layers of controls?

– Malware is used to break every layer.


Malware is used in most data breaches


Source: Joint United States Secret Service/Verizon 2010 Data Breach Investigations Report – analysis of 141 breach cases including over 143 million breached data records.

What’s the difference?

• Malware – Malicious software - hostile, intrusive, or annoying program code

• Virus – software that reproduces itself

• Bot – computer program that does automated tasks.

• Trojan – initially bad software hidden inside good software. Now more generally refers to Malware with “backdoor” (remote control) functionality, or an evil bot.

• Botnet – a network of compromised “zombie” computers


How do computers get infected?


Source: Joint USSS/Verizon 2010 Breach Report

Injected/Installed by remote attacker – Listening Network Services

• Example MS09-022 “Buffer Overflow in Microsoft Print Spooler Vulnerability”

• Listening software = programs running in the background waiting for incoming network traffic.


Other Common Network Services attacked

• Web servers

• FTP servers

• Windows file sharing

• Mail Servers

• Network services (name lookup, etc.)

• Databases


Web – Auto Executed Drive By

• Hackers infect legitimate websites

• Or build infected websites and get high search engine rankings

• Code – usually JavaScript – is included on the infected page.

• The JavaScript is executed on the client and instructs it to download, install, and run malicious programs.


Web/Email User downloaded or executed

• Download programs from file sharing sites or other untrusted sources

• Not just programs – virus code can hide in Adobe PDF, Flash, Windows Media, Java

• More than 46% of the browser-based exploits during the second half of 2009 were aimed at vulnerabilities in the free Adobe Reader PDF viewer.


Facebook – Social Engineering

• Receive a message from a Facebook friend: “Hey, I have this hilarious video of you dancing. Your face is so red. You should check it out.”

• Koobface infects a profile and sends a message to all friends via the Facebook messaging system.

• When you click on the video, you are prompted to update Flash Player. The update is actually a copy of the Koobface worm.

• Video: Facebook funniest malware


Exploit + Payload = Malware

• Vulnerability – the weakness that is utilized to compromise the machine

– Most commonly software bugs and tricking users

• Exploit – the chunk of hacker code that utilizes the vulnerability

• Payload – the chunk of hacker code to “do something” with the compromised host.

– Hiding, spreading, stealing, attacking, destroying, earning income


Metasploit

• Framework for joining Exploits with Payloads, and launching attacks.

• Command line and GUI interfaces

• Hundreds of exploits built in to the tool

• Open API to build and include more

• Over 100 payloads too


Metasploit Exploits Example


Metasploit exploits - GUI


Metasploit Payloads

Video: Metasploit Framework (MSF)

Stage 2: Hiding

• Generally not noisy like adware and spyware (at least not initially)

• May disable antivirus and administrative functions/control panels. Less obviously, it may just break the AV update capability.

• More sophisticated malware installs itself as a “Rootkit”


Rootkit

• Obscures the fact that a system has been compromised

• Hooks into or replaces portions of the operating system

– User mode – modifies the libraries and API calls that applications rely on, so those applications get a doctored view of the system

– Kernel mode – modifies the operating system kernel itself, so every program on the machine gets the doctored view

• Makes the computer “lie” to higher-level programs, like Windows Explorer and antivirus

• HackerDefender is a well-known example (video)


Stage 3: Join Botnet

• Use Dynamic DNS lookup to find a Botnet server on the Internet

• “Fast-flux” DNS techniques to direct the bot to one of hundreds of bot servers.

• Forward traffic through proxies, harder to trace

• Servers kept in non-cooperative countries
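As an added example that is not part of the deck, the defender's view of the fast-flux technique described above: a small passive-DNS check that flags a name whose answers rotate through many addresses in unrelated networks, all with short TTLs. The domains, addresses and the /16-prefix heuristic are constructed assumptions; a production analysis would use ASN data instead of prefixes.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records: (domain, resolved_ip, ttl_seconds).
# Domains and addresses are placeholders, not real indicators.
SAMPLE_RECORDS = [
    ("update.flux-example.test", "198.51.100.12", 60),
    ("update.flux-example.test", "203.0.113.77", 60),
    ("update.flux-example.test", "192.0.2.201", 45),
    ("update.flux-example.test", "198.18.5.9", 60),
    ("update.flux-example.test", "100.64.3.3", 30),
    ("update.flux-example.test", "198.51.100.12", 60),   # repeat of an earlier answer
    # A CDN-fronted site also uses low TTLs, but its pool sits in one prefix.
    ("www.cdn-example.test", "192.0.2.10", 30),
    ("www.cdn-example.test", "192.0.2.11", 30),
    ("www.cdn-example.test", "192.0.2.12", 30),
    ("www.cdn-example.test", "192.0.2.13", 30),
    # A normal host: one address, long TTL.
    ("static.example.test", "203.0.113.5", 86400),
]

def summarize(records):
    """Per domain: distinct IPs, distinct /16 prefixes (crude 'different network'
    proxy; use ASN lookups in practice) and the lowest TTL seen."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    min_ttl = {}
    for domain, ip, ttl in records:
        net = ipaddress.ip_network(f"{ip}/16", strict=False)
        ips[domain].add(ip)
        prefixes[domain].add(str(net))
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {
        d: {"ips": len(ips[d]), "prefixes": len(prefixes[d]), "min_ttl": min_ttl[d]}
        for d in ips
    }

def flag_fast_flux(records, min_ips=4, min_prefixes=3, max_ttl=300):
    """Return domains whose answers look fast-flux: many addresses spread across
    unrelated networks, all advertised with very short TTLs."""
    flagged = []
    for domain, s in summarize(records).items():
        if s["ips"] >= min_ips and s["prefixes"] >= min_prefixes and s["min_ttl"] <= max_ttl:
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    for d, s in summarize(SAMPLE_RECORDS).items():
        print(d, s)
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_RECORDS))
```

The CDN-style entry is there on purpose: low TTL alone is not a signal, and the prefix-diversity condition is what keeps it out of the flagged list.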


Botnet Command and Control

• Historically preferred IRC, still in use

• HTTP (web browser traffic)

• Peer to peer protocols

• Twitter, Google Groups, Facebook


Botnet Control Diagram


Botnet control via IRC channel

Video: IRC C&C

Some sample Botnet commands

• ddos.synflood [host] [time] [delay] [port]

• ddos.phatwonk [host] [time] [delay]

• scan.start

• http.download

• http.execute

• ftp.download

• spam.setlist

• spam.settemplate

• spam.start

• bot.open

• bot.die

* SYN-flood on ports 21, 22, 23, 25, 53, 80, 81, 88, 110, 113, 119, 135, 137, 139, 143, 443, 445, 1024, 1025, 1433, 1500, 1720, 3306, 3389, 5000, 6667, 8000, 8080

Hierarchical CnC topology


• Commands sent to distributed servers, which send commands to bots.

• May be multiple layers.

• Single bots aren’t aware of bot master location or size of botnet.

• Easy to carve up to sell or perform different operations.

Botnet Command and Control

• Zeus Tracker Command and Control Servers as of 10.11.2010


Zeus Server Distribution


Current Botnet Attributes

• Distributed Architecture

• Multiple C&C channels

• Extensive encryption

• Immortal/unlimited in size

• Self Protection

• Self Healing

• Virtual Machine Aware

• Polymorphic

• Multiple exploit channels


Bot Herding

• Separate “owned” machines based on function

– Static, always-on, high-bandwidth: server

– POS machine: steal credit cards

– Corporate office: steal data, spread

– Look for online business banking use: ACH theft

– Home users: SPAM, DDoS, etc.

• Manage bots

• Lease out services


Botnet Statistics


Stage 4: Use

• Send SPAM

– Steal email addresses from compromised computers.

– Most mail systems will block large numbers of emails from the same source; distributing the sending across workstations makes it harder to filter/block.

• Denial of Service

– Have hundreds or thousands of your bots send traffic at the same website or company, fill their pipe and knock them off the Internet

• Other theft

– Credit card numbers

– Steal “in game” online game items and sell them on eBay


Banking attack – Step 1 infection

• Video: Bank of Nicolai

• Utilize Phishing, network exploits, and drive by downloads to spread your botnet as wide as possible.


Banking attack – Step 2 identify victim machines

• Monitor browser use and network traffic to identify any machines in the bot network that are being used to log into online business banking services

• May at that point install a rootkit on the identified machine


Banking attack – Step 3 Capture Passwords

• Keylogger can capture passwords

• Challenge questions?

– Steal or delete registration cookies to bypass challenge questions

• Email password?

– Hacker also already has access to your email


Banking attack Step 4 – Hire mules

• Use your botnet to send SPAM email soliciting for “work at home” jobs

• Timing is critical, to pick up and wire funds before the account compromise is detected.


Banking attack Step 5 – Perform transaction

• Remote control allows them to log in from your workstation if they want.

• They know your password, challenge question, etc.

• Aim is to create new recipients and send funds via ACH or wire in one login session

• These electronic transactions are nearly-immediate and difficult to reverse


Evolution of Malware – The Red Queen

• Red Queen Hypothesis – coevolution of parasite/host

• From “Through the Looking Glass” – The Red Queen tells Alice “Now, here, you see, it takes all the running you can do to keep in the same place”

• Passwords → Keyloggers

• Challenge questions → delete cookies

• Registration cookies → steal cookies

• Email passwords → access email

• One Time Passwords → MITB…


Man in the Browser attack

• Trojan horse/rootkit specifically for the browser.

• Same idea – shows you on the screen what you think you should see, but in the background is doing something evil.


Man in the Browser attack

• Recent Zeus Trojan variants:

– You login to your online business banking

– You set up and send a transaction

– You type in a One Time Password from a security token, etc.

– The Trojan immediately and automatically in the background modifies your transaction to send the funds to his mule.

– The Trojan shows you on your screen that your transaction was successful.
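An added illustration, not part of the deck: why a one-time password that is not tied to the transaction loses to the man-in-the-browser sequence above, and how a code that commits to the recipient and amount (transaction signing, a mitigation the deck does not itself cover) lets the bank detect the swap. The secret, counter, account names, eight-digit code format and the recipient-swap stand-in are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo secret shared by the user's token and the bank (not a real key).
TOKEN_SECRET = b"demo-shared-secret-not-real"

def unbound_otp(secret, counter):
    """One-time code that depends only on the shared secret and an event counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 10**8

def transaction_otp(secret, counter, recipient, amount_cents):
    """One-time code that also commits to the recipient and amount the user saw."""
    msg = counter.to_bytes(8, "big") + recipient.encode() + amount_cents.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 10**8

def bank_accepts(counter, recipient, amount_cents, otp, bound):
    """Server side: recompute the expected code over the transaction as received."""
    if bound:
        expected = transaction_otp(TOKEN_SECRET, counter, recipient, amount_cents)
    else:
        expected = unbound_otp(TOKEN_SECRET, counter)
    return hmac.compare_digest(f"{expected:08d}", f"{otp:08d}")

def mitb_swap_recipient(transaction):
    """Stand-in for the scenario above: after the user has typed the code, the
    browser-resident Trojan replaces the recipient. Placeholder value, no real logic."""
    tampered = dict(transaction)
    tampered["recipient"] = "MULE-ACCOUNT-PLACEHOLDER"
    return tampered

def run_scenario(bound, tampered=True):
    """Return whether the bank accepts the transaction that actually arrives."""
    counter = 42  # the token's current event counter (constructed)
    intended = {"recipient": "ACME-PAYROLL", "amount_cents": 800_000}
    if bound:  # the token computes the code over what the user sees on screen
        otp = transaction_otp(TOKEN_SECRET, counter, intended["recipient"], intended["amount_cents"])
    else:
        otp = unbound_otp(TOKEN_SECRET, counter)
    sent = mitb_swap_recipient(intended) if tampered else intended
    return bank_accepts(counter, sent["recipient"], sent["amount_cents"], otp, bound)

if __name__ == "__main__":
    print("plain code, tampered transaction accepted:", run_scenario(bound=False))
    print("bound code, tampered transaction accepted:", run_scenario(bound=True))
    print("bound code, honest transaction accepted:", run_scenario(bound=True, tampered=False))
```

The bound code only helps if the token shows the user the recipient and amount it is signing, since the Trojan controls what the browser displays.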


Stage 4: Use…Version 2.0

• Scarier Use: Advanced Persistent Threats

• Espionage, not financial data

• Aim is long term under-the-radar occupation of corporations and government entities.

• Targeted, custom malware less likely to be detected.

• Well funded and well organized.


APT example – China hacks Google

• January 2010

• “Aurora” malware used Zero-day bug in Microsoft IE

• Stole intellectual property from Google

• Accessed Gmail accounts of Chinese human rights activists

• Related intrusion into big energy companies, stole oil reserve data

• Dozens of other companies targeted too.


Another APT example - Stuxnet

• Four main exploit channels:

– Two Windows zero-days

– USB

• Targeted payload designed for a specific industrial control system… running specific custom software

• Encryption and Polymorphism

• Dead man's switch – 3 generations or June 24, 2012


Built for espionage

• Attributes indicate it was built by a well funded and knowledgeable group (a government).

• Many believe the target was Iran’s nuclear facilities.

• Stuxnet infection rate seems to agree…


Stopping Malware at step 1 - exploit

• Patch systems to “fix” the bugs

– Operating system

– Browser

– Third party apps, especially Adobe and Java

• Don’t download malware

– AV and browser plug-ins to block hostile sites

– Avoid file sharing and less-than-reputable download sites


Stopping Malware at step 1 - exploit

• Don’t use guessable passwords

• Use email with an antivirus/antispam filter

• Use a firewall (or cable router or software firewall) to block hostile traffic to listening ports

• Use portable media with caution, and scan before use


Stopping malware – Antivirus

• Antivirus can’t detect all malware

• Must be up-to-date.

• Utilizes signatures (patterns) that match parts of known malware

– Polymorphism – patterns change

– New variants or custom built viruses won’t have signatures

– Rootkits can give “false” information to the Antivirus software


Malware command and control

• Some is easy to detect – IRC, P2P protocols

• More sophisticated C&C could be more difficult – can really disguise itself as any network protocol

• Residential router/firewalls do not generally block C&C traffic

• Many corporate firewalls do not either

• Default deny on outbound traffic can help stop it

• A myriad of gateway appliances are also available
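As an added example that is not part of the deck, a detector for the easy case mentioned above, IRC C&C: it parses logged PRIVMSG lines and reports senders issuing the bot commands listed on the “Some sample Botnet commands” slide. The log lines, nicks, channels and addresses are constructed.

```python
import re
from collections import defaultdict

# Command vocabulary taken from the "Some sample Botnet commands" slide above.
BOT_COMMANDS = {
    "ddos.synflood", "ddos.phatwonk", "scan.start", "http.download",
    "http.execute", "ftp.download", "spam.setlist", "spam.settemplate",
    "spam.start", "bot.open", "bot.die",
}

# An IRC PRIVMSG as a proxy or IDS would log it: ":nick!user@host PRIVMSG #chan :text"
IRC_PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

def parse_privmsg(line):
    """Return (nick, target, text) for a PRIVMSG line, else None."""
    m = IRC_PRIVMSG.match(line.strip())
    return (m.group("nick"), m.group("target"), m.group("text")) if m else None

def extract_command(text):
    """Bot commands lead the message, usually prefixed with '.' or '!'; return one or None."""
    parts = text.strip().split(None, 1)
    cmd = parts[0].lstrip(".!").lower() if parts else ""
    return cmd if cmd in BOT_COMMANDS else None

def scan_irc_log(lines):
    """Map each sender that issued bot commands to the (channel, command) pairs seen."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_privmsg(line)
        if parsed is None:        # PING, JOIN, malformed lines, etc.
            continue
        nick, target, text = parsed
        cmd = extract_command(text)
        if cmd:
            hits[nick].append((target, cmd))
    return dict(hits)

# Constructed sample log (placeholder nicks, hosts and addresses, not real traffic).
SAMPLE_LOG = [
    ":alice!a@10.0.0.7 PRIVMSG #chat :did anyone see the game last night?",
    ":herder!op@198.51.100.9 PRIVMSG #zombies :.ddos.synflood 192.0.2.10 600 5 80",
    ":herder!op@198.51.100.9 PRIVMSG #zombies :!http.download http://placeholder.test/x",
    ":bob!b@10.0.0.8 PRIVMSG #chat :I think http.download is a weird phrase",
    "PING :irc.placeholder.test",
]

if __name__ == "__main__":
    for nick, events in scan_irc_log(SAMPLE_LOG).items():
        print(nick, "->", events)
```

Matching only at the start of a message keeps ordinary chat that happens to mention a command name, like bob's line, out of the report.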
