malware_09

Transcript of malware_09

Page 1: malware_09

Chapter 9

Applications

Page 2: malware_09

Benevolent Malware

- Benevolent malware?
  o “Obviously a contradiction in terms”
  o Malware characteristics, but tries to do “good”
- Den Zuk --- 1988, removed Brain virus
  o Later versions would reformat disk…
- Cheese --- 2001, removed li0n worm
  o Created lots of network traffic
- Welchia --- 2003, patched problem that Blaster exploited (used official MS patch)
  o Lots of traffic, cure worse than disease

Page 3: malware_09

Predator Worms

- Like Cheese and Welchia
- Destroy malware and/or immunize
  o Trying to do good, but it’s still illegal
  o Previous “predators” caused problems
  o Might be OK on local network
  o But how to prevent spread to Internet?
- Other technical problems
  o Control, bandwidth use, monitoring, etc.

Page 4: malware_09

Benevolent Malware

- No “killer app” for benevolent malware
- Everything can be done by more controlled means
- Many unresolved issues…
  o Legal issues
  o Ethical issues
  o Technical issues
- Mobile agents --- a niche application?

Page 5: malware_09

Mobile Agents

- Program transfers itself over network
  o It does things on behalf of a user
  o For example, propagate to various airline sites in search of best airfare
- Questions about mobile agent security
  o Has a lot in common with malware
  o A “solution in search of a problem”?
  o Mobile agents have some advantages, but what they do can be done by other means

Page 6: malware_09

Mobile Agents

- Previous master’s project
- Platform for Privacy Preferences Project (P3P)
  o Privacy policies that websites follow
- Student developed an “agent-based privacy enhancing model”
  o Used agents to analyze P3P preferences
  o Essentially, a reputation system
  o Research papers are here and here

Page 7: malware_09

Spam

- Infection may be “means to an end”
  o For example, DDoS attacks or spam
- May use zombies/bots for spam
  o Harvest your email address
  o Customized spam so that it looks like it came from you, and so on
- Aycock has lots of interest in spam
  o Spam simulator: Spamulator

Page 8: malware_09

Access-for-Sale Worms

- “Scalable, targeted intrusion”
- Compromise machine, install back door
- Access to the back door is for sale
  o Might, for example, use key for access
  o Can’t allow unauthorized access
  o So, patch flaws once access obtained
  o Good for ID theft, blackmail, etc.
- Like a botnet, but single machine(s)

Page 9: malware_09

Access-for-Sale Worms

- Two “business models”
  1. Organized crime
     o Attacker and cyberthieves work together
     o Defenses?
  2. Disorganized crime
     o Attacker sells access to cyberthieves
     o How to advertise?
     o Defenses?

Page 10: malware_09

Access-for-Sale Worms

[Figure: Organized crime]

Page 11: malware_09

Access-for-Sale Worms

[Figure: Disorganized crime]

Page 12: malware_09

Access-for-Sale Worms

- Good idea to use public key crypto
  o That is, worm carries public key, and…
  o Private key used to access back door
- What is the advantage of public key crypto over symmetric key crypto?

Page 13: malware_09

Cryptovirology

- Use malware for extortion
- Example: virus encrypts valuable data
  o Victim must pay to get decryption key
  o Again, public key crypto is best here
  o Note that data is encrypted with a symmetric key, and the symmetric key is encrypted with a public key (we call this “hybrid crypto” in CS 265)
  o Password-protected may be good enough

Page 14: malware_09

Cryptovirology Examples

- AIDS Trojan --- 1989
  o Floppy disk, sent by mail, with “curious software license”
  o Encrypted files if user didn’t pay
- PGPCoder Trojan (Gpcode, 2006)
  o Encrypted files having various extensions
  o Cost $200 to buy decryptor

Page 15: malware_09

Information Warfare

- Use computers to supplement (or supplant?) conventional warfare
  o Acquire info from adversary’s computers
  o Plant false info, corrupt data, denial of service, etc.
- Laws and such are not clear
- Of limited use if communication infrastructure is damaged…

Page 16: malware_09

Information Warfare

- Electronic countermeasures (ECM)
  o Deny enemy use of electronic technology
  o For example, radar jamming
- Information warfare analog of ECM?
  o Denial of service
  o Comparison with traditional ECM?

Page 17: malware_09

Information Warfare

- ECM vs DoS
  o Persistence --- jamming usually temporary, malware can last longer
  o Targeting --- ECM uses direct targeting, malware could be direct or indirect
  o Deception --- possible in both cases
  o Range of effects --- limited in ECM, much broader with malware (logic bomb, DoS, precision attack, intelligence gathering, forced quarantine, …)

Page 18: malware_09

Information Warfare

- ECM vs DoS
  o Reliability --- ECM may be more difficult to test, so reliability is less certain
  o Continuity --- ECM subject to “ECCM”, while malware only has to succeed once and can attack weakest link
- Indirect ways to insert malware?
  o Software vendors, dormant in systems, deliberately leak infected systems, etc.

Page 19: malware_09

Cyberterrorism

- Difficult to define?
- Create fear, not just irritate users
  o Inability to use Facebook does not strike fear of death into (most) users
- So cyberterrorist must somehow create tangible results in real world
  o Nuclear power plants, utility grid, … ???

Page 20: malware_09

Cyberterrorism

- Similar uses as info warfare
  o That is, supplement to real attacks
  o For example, attack communication infrastructure during physical attack to delay response, cause confusion, etc.
- Disinformation before and during attack
- Other?