Malware, Trojans & Botnets Kevin Bong Johnson Financial Group.
A scary scenario
• The school district’s accounting manager logs into the district’s online banking account.
• Balance is $150,000 short.
• Looking at the transaction history, it shows almost 20 ACH transactions, each around $8,000, were initiated from the account yesterday.
• The recipients of the transactions are unfamiliar.
• The accounting manager calls her bank…
The plot thickens
• The bank traces the funds and contacts the receiving banks.
• Some of the funds are still available, others have been withdrawn.
• Discussions with the account holders reveal that they were hired as “money transfer agents” and have wired the money overseas.
• A scan of the accounting manager’s computer shows that viruses were found and removed.
The Zeus Botnet
• Has been used to breach thousands of online business banking accounts
• Small businesses, non-profits, towns, schools, …
• Used to steal over $100 Million as of Nov 09, and still going strong.
Malware, Trojans and Botnets
• This is one of the many ways fraudsters are using malware to make money.
• How could this happen?
– Aren’t there multiple layers of controls?
– Malware is used to break every layer.
Malware is used in most data breaches
Source: Joint United States Secret Service/Verizon 2010 Data Breach Investigations Report, an analysis of 141 breach cases including over 143 million breached data records.
What’s the difference?
• Malware – malicious software: hostile, intrusive, or annoying program code
• Virus – software that reproduces itself
• Bot – computer program that does automated tasks
• Trojan – initially bad software hidden inside good software. Now more generally refers to malware with “backdoor” (remote control) functionality, or an evil bot.
• Botnet – a network of compromised “zombie” computers
Injected/Installed by remote attacker
Listening Network Services
• Example: MS09-022 “Buffer Overflow in Microsoft Print Spooler Vulnerability”
• Listening software = programs running in the background waiting for incoming network traffic.
Other Common Network Services attacked
• Web servers
• FTP servers
• Windows file sharing
• Mail Servers
• Network services (name lookup, etc.)
• Databases
Web – Auto Executed Drive By
• Hackers infect legitimate websites
• Or build infected websites and get high search engine rankings
• Code – usually JavaScript – is included on the infected page.
• The JavaScript is executed on the client and instructs the client to download, install, and run malicious programs.
Web/Email User downloaded or executed
• Download programs from file sharing sites or other untrusted sources
• Not just programs – virus code can hide in Adobe PDF, Flash, Windows Media, Java
• More than 46% of the browser-based exploits during the second half of 2009 were aimed at vulnerabilities in the free Adobe Reader PDF viewer.
Facebook – Social Engineering
• Receive a message from a facebook friend: “Hey, I have this hilarious video of you dancing. Your face is so red. You should check it out.”
• Koobface infects a profile and sends a message to all friends via the facebook messaging system
• When you click on the video, you are prompted to update Flash player. The update is actually a copy of the Koobface worm.
• Video: Facebook funniest malware
Exploit + Payload = Malware
• Vulnerability – the weakness that is utilized to compromise the machine
– Most commonly software bugs and tricking users
• Exploit – the chunk of hacker code that utilizes the vulnerability
• Payload – the chunk of hacker code to “do something” with the compromised host.
– Hiding, spreading, stealing, attacking, destroying, earning income
Metasploit
• Framework for joining Exploits with Payloads, and launching attacks.
• Command line and GUI interfaces
• Hundreds of exploits built in to the tool
• Open API to build and include more
• Over 100 payloads too
Stage 2: Hiding
• Generally not noisy like adware and spyware (at least not initially)
• May disable antivirus and administrative functions/control panels. Less obviously, it may just break the AV update capability.
• More sophisticated malware installs itself as a “Rootkit”
Rootkit
• Obscures the fact that a system has been compromised
• Hooks into or replaces portions of the operating system
– User mode – modifies
– Kernel mode –
• Makes the computer “lie” to higher level programs, like windows explorer and antivirus
• HackerDefender is a well-known example (video)
Stage 3: Join Botnet
• Use Dynamic DNS lookup to find a Botnet server on the Internet
• “Fast-flux” DNS techniques to direct the bot to one of hundreds of bot servers.
• Forward traffic through proxies, harder to trace
• Servers kept in non-cooperative countries
Botnet Command and Control
• Historically preferred IRC, still in use
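The “fast-flux” behaviour described above leaves a detectable trace in DNS: very short TTLs and an address set that changes on nearly every lookup and is scattered across unrelated networks. As an added example (not part of the talk), here is a small Python heuristic that scores a series of A-record answers for one hostname on exactly those properties. The answers are constructed inline (no lookups are made), the thresholds are assumptions, and the /16-prefix count stands in for the ASN lookup a production detector would use.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass
class DnsAnswer:
    ttl: int              # TTL (seconds) returned with the A records
    addresses: List[str]  # A records in this one response


def distinct_slash16(addresses) -> int:
    """Count distinct /16 prefixes; a stand-in for 'how many unrelated networks'."""
    return len({str(ip_network(f"{a}/16", strict=False)) for a in addresses})


def churn(answers: List[DnsAnswer]) -> float:
    """Average fraction of addresses in each answer that the previous answer did not contain."""
    if len(answers) < 2:
        return 0.0
    fractions = []
    for prev, cur in zip(answers, answers[1:]):
        new = set(cur.addresses) - set(prev.addresses)
        fractions.append(len(new) / len(cur.addresses))
    return sum(fractions) / len(fractions)


def fast_flux_score(answers: List[DnsAnswer], ttl_max: int = 300, min_ips: int = 10,
                    min_nets: int = 5, min_churn: float = 0.5) -> Tuple[int, List[str]]:
    """Score 0-4; each point is one flux-like property. Thresholds are assumptions."""
    score, reasons = 0, []
    all_ips = {a for ans in answers for a in ans.addresses}
    avg_ttl = sum(ans.ttl for ans in answers) / len(answers)
    if avg_ttl <= ttl_max:
        score += 1
        reasons.append(f"short TTL (average {avg_ttl:.0f}s)")
    if len(all_ips) >= min_ips:
        score += 1
        reasons.append(f"{len(all_ips)} distinct addresses over {len(answers)} lookups")
    nets = distinct_slash16(all_ips)
    if nets >= min_nets:
        score += 1
        reasons.append(f"addresses spread over {nets} /16 networks")
    c = churn(answers)
    if c >= min_churn:
        score += 1
        reasons.append(f"high churn ({c:.0%} of addresses new on each lookup)")
    return score, reasons


# Constructed: a CDN-style name that keeps returning the same small pool with a normal TTL.
CDN_LOOKUPS = [
    DnsAnswer(3600, ["203.0.113.10", "203.0.113.11"]),
    DnsAnswer(3600, ["203.0.113.11", "203.0.113.10"]),
    DnsAnswer(3600, ["203.0.113.12", "203.0.113.10"]),
]

# Constructed: a flux name that hands out a fresh handful of unrelated addresses every
# minute (addresses from the 100.64.0.0/10 shared range, i.e. not real hosts).
FLUX_LOOKUPS = [
    DnsAnswer(60, ["100.64.1.1", "100.65.2.2", "100.66.3.3", "100.67.4.4", "100.68.5.5"]),
    DnsAnswer(60, ["100.69.1.1", "100.70.2.2", "100.71.3.3", "100.72.4.4", "100.64.1.1"]),
    DnsAnswer(60, ["100.73.1.1", "100.74.2.2", "100.75.3.3", "100.76.4.4", "100.77.5.5"]),
]

if __name__ == "__main__":
    for name, lookups in (("cdn-like", CDN_LOOKUPS), ("flux-like", FLUX_LOOKUPS)):
        score, reasons = fast_flux_score(lookups)
        print(f"{name}: score {score}/4 {reasons}")
```

A real collector would feed this with the answers seen by the resolver over an hour or a day; a single lookup cannot show churn, which is why the function scores a series rather than one response.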
• HTTP (web browser traffic)
• Peer to peer protocols
• Twitter, Google Groups, Facebook
Some sample Botnet commands
• ddos.synflood [host] [time] [delay] [port]
• ddos.phatwonk [host] [time] [delay]
• scan.start
• http.download
• http.execute
• ftp.download
• spam.setlist
• spam.settemplate
• spam.start
• bot.open
• bot.die
* SYN-flood on ports 21, 22, 23, 25, 53, 80, 81, 88, 110, 113, 119, 135, 137, 139, 143, 443, 445, 1024, 1025, 1433, 1500, 1720, 3306, 3389, 5000, 6667, 8000, 8080
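The command vocabulary above is what a network sensor can key on while C&C still runs over cleartext IRC. As an added example (not the presenter's code), the Python below parses constructed IRC log lines in an assumed `<timestamp> <src> -> <dst>:<port> PRIVMSG <channel> :<message>` format, recognises the commands listed on the slide, and turns them into categorised alerts. The argument names for the two ddos commands are the slide's own; the remaining commands are treated as taking free-form arguments, and the sample log lines and their addresses are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Command vocabulary from the slide, mapped to a coarse category for alerting.
COMMAND_CATEGORY = {
    "ddos.synflood": "ddos", "ddos.phatwonk": "ddos",
    "scan.start": "scan",
    "http.download": "download", "http.execute": "download", "ftp.download": "download",
    "spam.setlist": "spam", "spam.settemplate": "spam", "spam.start": "spam",
    "bot.open": "control", "bot.die": "control",
}
# Argument names are the slide's for the ddos commands; others are free-form.
ARG_NAMES = {
    "ddos.synflood": ["host", "time", "delay", "port"],
    "ddos.phatwonk": ["host", "time", "delay"],
}

# Assumed log format (constructed for this example, not a real sensor's output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"PRIVMSG (?P<chan>\S+) :(?P<msg>.*)$"
)
# Herders commonly prefix commands with a sigil such as '.' or '!'; accept either or none.
CMD_RE = re.compile(r"^[.!]?(?P<cmd>[a-z]+\.[a-z]+)(?:\s+(?P<args>.+))?$")


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    command: str
    category: str
    args: Dict[str, str] = field(default_factory=dict)


def parse_command(message: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (command, args) if the message is a known bot command, else None."""
    m = CMD_RE.match(message.strip())
    if not m or m.group("cmd") not in COMMAND_CATEGORY:
        return None
    cmd = m.group("cmd")
    raw = m.group("args").split() if m.group("args") else []
    names = ARG_NAMES.get(cmd)
    if names:
        args = dict(zip(names, raw))
    else:
        args = {f"arg{i}": value for i, value in enumerate(raw, start=1)}
    return cmd, args


def scan_log(lines: List[str]) -> List[Alert]:
    """Turn every channel message that carries a known command into an Alert."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # JOINs, PINGs, unparseable lines
        parsed = parse_command(m.group("msg"))
        if parsed is None:
            continue                      # ordinary chatter
        cmd, args = parsed
        alerts.append(Alert(m.group("ts"), m.group("src"), m.group("dst"),
                            cmd, COMMAND_CATEGORY[cmd], args))
    return alerts


def summarise(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per category for a quick triage view."""
    return dict(Counter(a.category for a in alerts))


# Constructed sample: an IRC server (198.51.100.7) relaying channel traffic to a bot (10.0.0.23).
SAMPLE_LOG = [
    "2010-11-02T14:02:50 10.0.0.23 -> 198.51.100.7:6667 JOIN #ops",
    "2010-11-02T14:03:11 198.51.100.7 -> 10.0.0.23:6667 PRIVMSG #ops :.ddos.synflood 203.0.113.5 300 10 80",
    "2010-11-02T14:03:40 198.51.100.7 -> 10.0.0.23:6667 PRIVMSG #ops :.spam.setlist http://198.51.100.7/list.txt",
    "2010-11-02T14:04:02 198.51.100.7 -> 10.0.0.23:6667 PRIVMSG #ops :hello everyone",
    "2010-11-02T14:04:30 198.51.100.7 -> 10.0.0.23:6667 PRIVMSG #ops :.http.download http://198.51.100.7/update.exe",
    "2010-11-02T14:09:00 198.51.100.7 -> 10.0.0.23:6667 PRIVMSG #ops :bot.die",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src}->{a.dst} [{a.category}] {a.command} {a.args}")
    print(summarise(found))
```

The useful output for an analyst is the `host` argument of a ddos command and the URLs handed to the download and spam commands: those are the indicators to block and to hunt for on other hosts.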
Hierarchical CnC topology
• Commands sent to distributed servers, which send commands to bots.
• May be multiple layers.
• Single bots aren’t aware of bot master location or size of botnet.
• Easy to carve up to sell or perform different operations.
Current Botnet Attributes
• Distributed Architecture
• Multiple C&C channels
• Extensive encryption
• Immortal/unlimited in size
• Self Protection
• Self Healing
• Virtual Machine Aware
• Polymorphic
• Multiple exploit channels
Bot Herding
• Separate “owned” machines based on function
– Static, always on, high bandwidth server
– POS machine: steal credit cards
– Corporate office: steal data, spread
– Look for online business banking use: ACH theft
– Home users: SPAM, DDOS, etc.
• Manage bots
• Lease out services
Stage 4: Use
• Send SPAM
– Steal email addresses from compromised computers.
– Most mail systems will block large numbers of emails from the same source. Distributing the sending across workstations makes it harder to filter/block.
• Denial of Service
– Have hundreds or thousands of your bots send traffic at the same website or company, fill their pipe and knock them off the Internet
• Other theft
– Credit card numbers
– Steal “in game” online game items and sell them on eBay
Banking attack – Step 1 infection
• Video: Bank of Nicolai
• Utilize phishing, network exploits, and drive-by downloads to spread your botnet as wide as possible.
Banking attack – Step 2 identify victim machines
• Monitor browser use and network traffic to identify any machines in the bot network that are being used to log into online business banking services
• May at that point install a rootkit on the identified machine
Banking attack – Step 3 Capture Passwords
• Keylogger can capture passwords
• Challenge questions?
– Steal or delete registration cookies to bypass challenge questions
• Email password?
– Hacker also already has access to your email
Banking attack – Step 4 Hire mules
• Use your botnet to send SPAM email soliciting for “work at home” jobs
• Timing is critical, to pick up and wire funds before the account compromise is detected.
Banking attack – Step 5 Perform transaction
• Remote control lets them log in from your workstation if they want.
• They know your password, challenge question, etc.
• Aim is to create new recipients and send funds via ACH or wire in one login session
• These electronic transactions are nearly-immediate and difficult to reverse
Evolution of Malware – The Red Queen
• Red Queen Hypothesis – coevolution of parasite/host
• From “Through the Looking Glass” – The Red Queen tells Alice: “Now, here, you see, it takes all the running you can do to keep in the same place”
• Passwords → Keyloggers
• Challenge questions → delete cookies
• Registration cookies → steal cookies
• Email passwords → access email
• One Time Passwords → MITB…
Man in the Browser attack
• Trojan horse/rootkit specifically for the browser.
• Same idea – shows you on the screen what you think you should see, but in the background is doing something evil.
Man in the Browser attack
• Recent Zeus Trojan variants:
– You log in to your online business banking
– You set up and send a transaction
– You type in a One Time Password from a security token, etc.
– The Trojan immediately and automatically modifies your transaction in the background to send the funds to the attacker’s mule.
– The Trojan shows you on your screen that your transaction was successful.
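Why a one-time password does not stop this attack, and what does, is easier to see in code. The Python below is an added example, not part of the talk: an event-based OTP proves only that the user holds the token, so the bank accepts it for whatever transaction the browser submits; a transaction-bound code (a MAC over the recipient and amount as well as the counter) fails verification as soon as the Trojan swaps in the mule's details. The secret, counter and transfer records are constructed values, and the bank-side check functions are hypothetical, not any bank's real API.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    recipient: str     # payee identifier exactly as the user confirmed it
    amount_cents: int  # amount in cents


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken from the MAC, shown as a decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def event_otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Conventional event-based OTP (HOTP-style, with SHA-256 here): proves the user
    holds the token, says nothing about what is being approved."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac, digits)


def transfer_mac(secret: bytes, counter: int, tx: Transfer) -> bytes:
    """MAC over the counter *and* the transaction details the user confirmed."""
    msg = (struct.pack(">Q", counter)
           + tx.recipient.encode("utf-8") + b"\x00"
           + struct.pack(">Q", tx.amount_cents))
    return hmac.new(secret, msg, hashlib.sha256).digest()


def transfer_otp(secret: bytes, counter: int, tx: Transfer, digits: int = 8) -> str:
    """Transaction-bound code: changes if recipient or amount change."""
    return _truncate(transfer_mac(secret, counter, tx), digits)


def bank_accepts_event_otp(secret: bytes, counter: int, code: str, submitted: Transfer) -> bool:
    """Legacy check. `submitted` is deliberately ignored: that is the gap a MITB Trojan uses."""
    return hmac.compare_digest(event_otp(secret, counter), code)


def bank_accepts_transfer_otp(secret: bytes, counter: int, code: str, submitted: Transfer) -> bool:
    """Transaction-signing check: recompute the code over the transaction the bank actually
    received, not the one the browser displayed."""
    return hmac.compare_digest(transfer_otp(secret, counter, submitted), code)


# Constructed values: the token seed, its counter, and the two versions of the transfer.
SECRET = b"constructed token seed - not a real key"
COUNTER = 42
INTENDED = Transfer("ACME Supplies, acct 1234", 800_000)  # $8,000.00, the size of the slides' ACH payments
TAMPERED = Transfer("MULE acct 9999", 800_000)            # what the Trojan substitutes in the background


def simulate() -> dict:
    """The user approves INTENDED; the infected browser submits TAMPERED with the same code."""
    code = event_otp(SECRET, COUNTER)
    bound_code = transfer_otp(SECRET, COUNTER, INTENDED)
    return {
        "event_otp_accepts_tampered": bank_accepts_event_otp(SECRET, COUNTER, code, TAMPERED),
        "bound_otp_accepts_intended": bank_accepts_transfer_otp(SECRET, COUNTER, bound_code, INTENDED),
        "bound_otp_accepts_tampered": bank_accepts_transfer_otp(SECRET, COUNTER, bound_code, TAMPERED),
    }


if __name__ == "__main__":
    for check, outcome in simulate().items():
        print(f"{check}: {outcome}")
```

The binding only helps if the token receives the recipient and amount through a channel the infected browser cannot rewrite, for instance the user keying them into a standalone signing device or reading them back from a phone or SMS confirmation; that is why the bound check is computed from what the bank received rather than from what the screen showed.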
Stage 4: Use…Version 2.0
• Scarier Use: Advanced Persistent Threats
• Espionage, not financial data
• Aim is long term under-the-radar occupation of corporations and government entities.
• Targeted, custom malware less likely to be detected.
• Well funded and well organized.
APT example – China hacks Google
• January 2010
• “Aurora” malware used Zero-day bug in Microsoft IE
• Stole intellectual property from Google
• Accessed gmail accounts of Chinese human rights activists
• Related intrusion into big energy companies, stole oil reserve data
• Dozens of other companies targeted too.
Another APT example - Stuxnet
• Four main exploit channels
– Two Windows zero-days
– USB
• Targeted payload designed for a specific industrial control system …running specific custom software
• Encryption and polymorphism
• Dead-man’s switch – 3 generations or June 24, 2012
Built for espionage
• Attributes indicate it was built by a well funded and knowledgeable group (a government).
• Many believe the target was Iran’s nuclear facilities.
• The Stuxnet infection rate seems to agree…
Stopping Malware at step 1 - exploit
• Patch systems to “fix” the bugs
– Operating system
– Browser
– Third party apps, especially Adobe and Java
• Don’t download malware
– AV and browser plug-ins to block hostile sites
– Avoid file sharing and less-than-reputable download sites
Stopping Malware at step 1 - exploit
• Don’t use guessable passwords
• Use email with an antivirus/antispam filter
• Use a firewall (or cable router or software firewall) to block hostile traffic to listening ports
• Use portable media with caution, and scan before use
Stopping malware – Antivirus
• Antivirus can’t detect all malware
• Must be up-to-date.
• Utilizes signatures (patterns) that match parts of known malware
– Polymorphism – patterns change
– New variants or custom built viruses won’t have signatures
– Rootkits can give “false” information to the Antivirus software
Malware command and control
• Some is easy to detect – IRC, P2P protocols
• More sophisticated C&C can be harder to detect – it can disguise itself as almost any network protocol
• Residential router/firewalls do not generally block C&C traffic
• Many corporate firewalls do not either
• Default deny on outbound traffic can help stop it
• Myriad gateway appliances
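Two of the points above can be turned into checks over ordinary firewall logs. As an added example (not from the talk), the Python below parses constructed outbound-connection records in an assumed `<timestamp> ALLOW|DENY TCP|UDP <src>:<sport> -> <dst>:<dport>` format and reports (1) connections a default-deny egress policy would have blocked, here anything not to ports 25, 53, 80 or 443, and (2) flows that connect at nearly constant intervals, which catches a bot checking in over port 443 that the port policy alone lets through. The policy, the thresholds and the log lines are all assumptions constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed egress policy for a default-deny firewall: only these destination ports
# are allowed out from workstations.
ALLOWED_OUTBOUND_PORTS = {25, 53, 80, 443}

# Constructed log format: "<ISO timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(lines: List[str]) -> List[Dict]:
    """Parse the lines that match the assumed format; skip anything else."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m.group("ts")),
                "src": m.group("src"), "dst": m.group("dst"),
                "dport": int(m.group("dport")), "proto": m.group("proto"),
            })
    return events


def policy_violations(events: List[Dict]) -> List[Dict]:
    """Connections a default-deny outbound policy would have blocked."""
    return [e for e in events if e["dport"] not in ALLOWED_OUTBOUND_PORTS]


def beacons(events: List[Dict], min_connections: int = 4, max_cv: float = 0.1) -> List[Tuple]:
    """Flows whose inter-connection gaps are nearly constant: the signature of a bot
    checking in on a timer, whatever port or protocol it hides behind."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    found = []
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # coefficient of variation: 0 means perfectly regular
        if cv <= max_cv:
            found.append((flow, mean))
    return found


# Constructed sample log (documentation and private address ranges, not real hosts).
SAMPLE_LOG = [
    # one-off IRC connection: caught by the port policy
    "2010-11-02T14:00:03 ALLOW TCP 10.0.0.23:51002 -> 198.51.100.7:6667",
    # five-minute check-ins over 443: pass the port policy, caught by timing
    "2010-11-02T14:00:00 ALLOW TCP 10.0.0.23:51010 -> 203.0.113.9:443",
    "2010-11-02T14:05:02 ALLOW TCP 10.0.0.23:51044 -> 203.0.113.9:443",
    "2010-11-02T14:10:01 ALLOW TCP 10.0.0.23:51090 -> 203.0.113.9:443",
    "2010-11-02T14:14:59 ALLOW TCP 10.0.0.23:51121 -> 203.0.113.9:443",
    "2010-11-02T14:20:00 ALLOW TCP 10.0.0.23:51170 -> 203.0.113.9:443",
    # ordinary browsing from another host: irregular gaps, not flagged
    "2010-11-02T14:00:10 ALLOW TCP 10.0.0.45:40001 -> 203.0.113.80:80",
    "2010-11-02T14:01:40 ALLOW TCP 10.0.0.45:40002 -> 203.0.113.80:80",
    "2010-11-02T14:07:05 ALLOW TCP 10.0.0.45:40003 -> 203.0.113.80:80",
    "2010-11-02T14:09:00 ALLOW TCP 10.0.0.45:40004 -> 203.0.113.80:80",
    "2010-11-02T14:30:00 ALLOW TCP 10.0.0.45:40005 -> 203.0.113.80:80",
]


def analyse(lines: List[str]) -> Dict:
    events = parse_log(lines)
    return {"violations": policy_violations(events), "beacons": beacons(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for e in result["violations"]:
        print(f"policy: {e['src']} -> {e['dst']}:{e['dport']} would be denied")
    for (src, dst, dport), period in result["beacons"]:
        print(f"beacon: {src} -> {dst}:{dport} every {period:.0f}s")
```

The timing check is deliberately independent of the port: the slide's point that C&C can wear any protocol is exactly why a default-deny egress rule needs to be paired with behavioural detection on the traffic it does allow. Real bots add jitter, so `max_cv` is a tuning knob rather than a fixed truth.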