malware what is malware
play

Malware What is malware? Malware: malicious software worm - PowerPoint PPT Presentation

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software


  1. Malware

  2. What is malware? • Malware: malicious software • worm • ransomware • adware • virus • trojan horse • etc.

  3. … and how do we fight it? • AV software • Firewalls • Filtering • Patching • Writing more secure software • Training users

  4. How to Monetize Malware • Botnets • Networking infected computers together • Sending instructions to those computers to do things like: • Send spam • Mine cryptocurrency • Perform ad fraud • Perform DDoS attacks • Stealing banking credentials • Stealing Bitcoin and other alternative currencies • Ransoming the computer • Pay per install software

  5. How malware spreads • Attachments in emails • Other social engineering • Drive-by downloads • Spreading itself

  6. Vulnerabilities vs. Exploits • Vulnerability: hole in software • Exploit: code written to use vulnerability to gain unauthorized access to something • There’s way more known vulnerabilities than known exploits. • https://www.exploit-db.com/ vs. https://nvd.nist.gov/

  7. Zero Day Attacks • Realized exploit comes before known vulnerability • Fairly rare • Zero days are expensive — 1.5 million USD for Apple iOS 10 exploit • Overwhelmingly, exploits in the wild are not 0day.

  8. Morris Worm • Created in 1988 by Robert Morris • Purportedly to measure the Internet • Infected 10% of computers connected to the Internet • Slowed down computers to where they became unusable.

  9. Morris Worm • Exploited Unix systems through: • sendmail • finger • rsh • weak passwords • Note that the vulnerabilities that he exploited were known. • Buggy: installed itself multiple times, didn’t phone home, etc.

  10. Effects of Morris Worm • CERT organizations worldwide • CERT-CC at CMU funded by the US gov • Patching known vulnerabilities • More attention to computer security

  11. Conficker • Computer worm first appearing in November 2008 • Sinkholed in 2009 • Good guys registered domain names used for attacks • Operators arrested in 2011 • Still infecting computers today • Millions of infections — hard to count.

  12. Conficker — how it spreads • Conficker-A: Vulnerability in Windows. Infected machines scanned IP space for more machines. • Conficker-B: Added infected USB devices, shared network folders with weak passwords. • Conficker C: Hardened new command and control infrastructure and added fake AV as a monitization. • Conficker D-E: Turned from centralized botnet to peer-to-peer

  13. Conficker Infections over Time

  14. Reaction to Conficker • Patch released before worm, yet patch rate was slow. • Large scale anti-botnet effort • Microsoft added security updates for unlicensed software • Conficker botnet shrank at a slower pace than the market share of Windows XP / Vista

  15. Stuxnet • Worm first known about in 2010, detected as early as 2005 • Built by the US and Israeli governments to attack Iranian nuclear program • Targets PLCs through Windows computers • Infected over 200,000 Windows machines

  16. Stuxnet - how it spreads • Use zero day exploits to compromise Windows machines • Spread using USB drives, peer-to-peer RPC • Bridges computers connected to the Internet with those that aren’t • Attacks files connected to certain SCADA software • Hijacks communication

  17. Reaction to Stuxnet • Cyberwarfare IRL • Car bomb attacks against Iranians by Iranian government • Some efforts to isolate important PLCs better: • Similar effort against North Korea failed • Doqu/Flame

  18. Drive by downloads • Website infected with malware • Malware injects code into webpage • That code infects those who visit it by directing them to an exploit kit through an intermediary

  19. How are websites targeted? • Find an exploit in a certain piece of software • Use Google Dorks to find websites with that vulnerability • Compromised advertising • Other ways?

  20. Exploit Kits • Each machine has different software on it • Uses a host of exploits to infect a machine • Exploit kits can be bought or rented

  21. Fake Antivirus • Installs itself on your machine and forces you to buy software • Many people buy this software • Largely shut down by shutting down payment processors

  22. Ransomware • Encrypts all your files using a key: • Old: same key for all • New: different key for each system • Requires victim to pay criminal to get files back: • Old: Payments through Western Union and the like • New: Payments through Bitcoin

  23. Computer Virus • A type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and inserting its own code. - Wikipedia

  24. Parts of a Virus • Infection vector: How a virus spreads • Trigger: Sets off the malicious functionality • Payload: The malicious functionality

  25. Phases of a Virus Scanning and Propagating Waiting for a trigger Dormant triggered Execute

  26. How do they infect? Malware Executable File

  27. How do they infect? Malware Executable File

  28. How do they infect? Malware Executable File

  29. How do they infect? Executable File Malware

  30. How do they infect? Malware Executable File Malware

  31. How do they infect? Malware

  32. How do they infect? Packer Executable File Malware

  33. How do they execute? Malware Executable File Line of code

  34. How do they execute? Malware Executable File Line of code

  35. Definitions • Self-Modifying code: Code that can change itself (usually without changing the functionality) • Polymorphic malware: Infects others with an encrypted copy of itself. Encryption and code changes. • Backdoor: Malware that leaves hidden ways of replicating itself • Rootkit: Malicious software to maintain access to system; good at hiding itself.

  36. ILOVEYOU • Bug in email: sent out messages subject:ILOVEYOU and attachment:LOVE-LETTER- FOR-YOU.txt.vbs • .vbs files were hidden • Propogation: Sent itself to all addresses in address book • Payload: Overwrote random files

  37. Adware • Software that contains unwanted ads

  38. Types of Ad Fraud • Pretend to be part of the ad chain and buy traffic, get paid. • Have bots, sell fake ad traffic • Disguise source of traffic to ads • Cookie stuffing — fake affiliate cookies • Ad Stacking — show invisible ads to consumer

  39. Adblock Plus • Browser-based Ad blocker • Let in some “acceptible” ads • Is this adware? Fraud?

  40. Fake Software • Stuffing ads into software • Maybe turning paid software into freeware? • Is this adware? fraud?

  41. DNSChanger • Upon infecting your computer, changed your routers’ nameserver settings. • Started in 2006. FBI raided in 2011. Shut down in 2012. Still alive today. • Main changes? Major ad networks • Is this adware? fraud?

  42. My Really Cool Toolbar • Lots of toolbars, other browser extensions • Useful functionality • Changed settings (homepage, etc) • Hard to Remove • Is this adware? fraud?

Recommend


More recommend