Internet Vulnerabilities & Criminal Activities

Presentation transcript:

Internet Vulnerabilities & Criminal Activities Malware 10.1 4/12/10

Malware
- Malicious software designed to gain access to information and/or resources without the knowledge or consent of the end user
- Can also be called crimeware
- No longer teenage kids messing around
- Now used by organized crime groups for profit

Malware History
- 1981 - First Apple II virus in the wild
- 1983 - Fred Cohen coins term “virus”
- 1986 - First PC virus
- 1988 - Morris Internet worm
- 1990 - First polymorphic virus
- 1991 - Virus Construction Set
- 1994 - Good Times virus hoax
- 1995 - First macro virus
- 1998 - Back Orifice tool released

Malware History cont.
- 1999 - Melissa virus / worm
- 1999 - Tribal Flood Network - DDoS tool
- 2001 - Code Red worm
- 2001 - Nimda worm
- 2003 - Slammer worm
- 2004 - Sobig & Sasser worms
- 2007 - Storm worm
- 2008 - Conficker worm

Malware Trends
- Increasing complexity & sophistication
- Acceleration of the rate of release of innovative tools & techniques
- Movement from viruses to worms to kernel-level exploitations

Malware can be:
- “Proof of concept”
  - Created to prove it can be done
  - Not found outside of laboratory environment
  - If code available, can be used by others
- “In the Wild”
  - Found on computers in everyday use

Traditional Categories of Malware
- Virus
- Worm
- Malicious Mobile Code
- Backdoor
- Trojan Horse
- Rootkit
- Combination Malware

Virus
- Infects a host file
- Self-replicates
- Requires human interaction to replicate
- Examples:
  - Michelangelo
  - Melissa
- Host file - exe, WP document

Worm
- Spreads across a network
- Does not require human interaction to spread
- Self-replicating
- Examples:
  - Morris Worm
  - Code Red
  - Slammer

Malicious Mobile Code
- Lightweight program downloaded from a remote source and executed locally
- Minimal human interaction
- Written in JavaScript, VBScript, ActiveX, or Java
- Example: Cross Site Scripting

Backdoor
- Bypasses normal security controls
- Gives attacker access to user’s system
- Examples:
  - Netcat
  - Back Orifice
  - Sub 7

Trojan Horse
- Program that disguises its hidden malicious purpose
- Appears to be harmless game or screensaver
- Used for spyware & backdoors
- Not self-replicating

Rootkit
- Replaces or modifies programs that are part of the operating system
- Two levels:
  - User-level
  - Kernel-level
- Examples:
  - Universal Rootkit
  - Kernel Intrusion System

Combination Malware
- Uses a combination of various techniques to increase effectiveness
- Examples:
  - Lion
  - Bugbear.B

Malware Distribution
- Attachments
  - E-mail and Instant Messaging
- Piggybacking
  - Malware added to legitimate program
  - Adware, spyware
  - EULA - End User License Agreement
- Internet Worms
  - Exploit security vulnerability
  - Used to install backdoors
- Adware, spyware may not be illegal because of EULA

Malware Distribution cont.
- Web Browser Exploit
  - Malware added to legitimate web site
  - Cross-site scripting & SQL injection
  - Visitors to web site may be infected
- Hacking
  - Too labor intensive for large crime operations
  - May be used to compromise DNS server
- Affiliate Marketing
  - Web site owner paid 8¢ to 50¢ per machine to install malware on a visitor’s computer
- Cross-site scripting & SQL injection are all caused by input to web site - talked about problem in first class

Malware Activity
- Adware
- Spyware
- Hijacker
- Toolbars
- Dialers
- Rogue Security Software
- Bots
- What malware is used to do

Adware
- Displays ads on infected machine
- Ad format can be:
  - Pop-ups
  - Pop-under
  - Embedded in programs
  - On top of web site ads
- More annoying than dangerous
- Not dependent on IE being open
- Not stopped by pop-up blockers
- May be related to web sites surfed

Spyware
- Sends information about infected computer to someone, somewhere
  - Web sites surfed
  - Terms searched for
  - Information from web forms
  - Files downloaded
- Searches hard drive for:
  - Files installed
  - E-mail address book
  - Browser history
  - Logon names, passwords, credit card numbers
  - Any other personal information (name, phone number, etc.)

Hijacker
- Takes control of web browser
  - Home page
  - Search engines
  - Search bar
- Redirect sites
- Prevent some sites from loading
- IE vulnerable

Toolbars
- Plug-ins to IE
- Attempt to emulate legitimate toolbars
  - Google
  - Yahoo
- Installed via underhanded means
- Adware or spyware
- Acts as a keystroke logger

Dialers
- Alters modem connections and ISDN cards
- Once installed, will dial 1-900 numbers or other premium rate numbers
- Run up end-user’s phone bill & provide revenue for criminal enterprise
- Targets MS Windows
- Good for use in Europe

Rogue Security Software
- Usually delivered via a Trojan horse
- Uses social engineering techniques to get user to install
  - Fake warnings that computer is infected
  - Fake video of machine crashing
- Disables anti-virus and anti-spyware programs
- Alters computer system so the rogue software cannot be removed

Bots
- Allows attacker remote access to a computer
- When end-user is online, computer contacts Command & Control (C&C) site
- Bot will then perform whatever commands are received from the C&C
- Some things botnets are used for:
  - Distributed Denial of Service (DDoS) attacks
  - Spam
  - Hosting contraband such as child porn
  - Other illegal fraud schemes
- C&C often an IRC channel
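
A defender's view of the C&C check-in described on this slide, as an added example that is not part of the original presentation: it scans flow records for internal hosts that reconnect to the same IRC endpoint at near-constant intervals. The port list, the flow-record format, the thresholds and the sample data are all assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict

# Assumption: ports commonly used by IRC; the slide only says "often an IRC channel".
IRC_PORTS = {6667, 6668, 6669, 6697}

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1000 10.0.0.5 203.0.113.9 6667
1300 10.0.0.5 203.0.113.9 6667
1601 10.0.0.5 203.0.113.9 6667
1899 10.0.0.5 203.0.113.9 6667
2200 10.0.0.5 203.0.113.9 6667
1010 10.0.0.7 198.51.100.4 443
1450 10.0.0.7 198.51.100.4 443
1500 10.0.0.8 203.0.113.20 6667
4100 10.0.0.8 203.0.113.20 6667
4160 10.0.0.8 203.0.113.20 6667
9000 10.0.0.8 203.0.113.20 6667
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[0].isdigit() and parts[3].isdigit()):
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])

def find_irc_beacons(text, min_conns=4, max_jitter=0.1):
    """Return sorted (src, dst, port) keys whose IRC connections are evenly spaced.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between connections: a human chatting on IRC reconnects irregularly,
    an automated check-in does not.
    """
    times = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port in IRC_PORTS:
            times[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    for src, dst, port in find_irc_beacons(SAMPLE_FLOWS):
        print(f"possible bot check-in: {src} -> {dst}:{port}")
```

A hit is a lead for investigation, not proof of infection: legitimate IRC clients with keep-alive reconnects can look the same, and bots that use other protocols are missed entirely.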

More Malware Terminology
- Downloader
  - Single line of code
  - Payload from malware
  - Instructs infected computer to download malware from attacker’s server
- Drop
  - Clandestine computer or service (E-mail)
  - Collects information sent to it from infected machines
  - Blind Drop - well hidden, designed to run unattended

More Malware Terminology cont.
- Exploit
  - Code used to take advantage of a vulnerability in software code or configuration
- Form-grabber
  - A program that steals information submitted by a user to a web site
- Packer
  - Tool used to scramble and compress an .exe file
  - Hides malicious nature of code
  - Makes analysis of program more difficult
- Form-grabber - used in phishing when using legit web site
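
Because a packer scrambles and compresses the file, packed content looks statistically random, which gives analysts a simple triage check. The following is an added example, not part of the original presentation: it measures Shannon entropy per window of a byte string. The window size, the 7.2 bits/byte threshold and both sample buffers are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_windows(data, window=4096, threshold=7.2):
    """Return (offset, entropy) for each window at or above the threshold."""
    out = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            continue  # a short tail gives an unreliable estimate
        h = shannon_entropy(chunk)
        if h >= threshold:
            out.append((off, round(h, 2)))
    return out

def looks_packed(data, window=4096, threshold=7.2, min_fraction=0.5):
    """True when at least min_fraction of the full windows are high-entropy.

    Legitimately compressed or encrypted data also scores high, so this is
    a triage hint for the analyst, not a verdict.
    """
    windows = max(1, len(data) // window)
    hot = len(high_entropy_windows(data, window, threshold))
    return hot / windows >= min_fraction

# Constructed sample: repetitive text standing in for unpacked program content.
PLAIN = b"push ebp; mov ebp, esp; sub esp, 0x40; call helper; ret\n" * 400

# Constructed sample: hash output standing in for scrambled/compressed content.
SCRAMBLED = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(700))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("scrambled", SCRAMBLED)):
        print(name, round(shannon_entropy(blob), 2), looks_packed(blob))
```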

More Malware Terminology cont.
- Redirect
  - HTTP feature
  - Used to forward someone from one web page to another
  - Done invisibly with malware
- Variant
  - Malware produced from the same code base
  - Different enough to require new signature for detection by anti-virus software

Malware Sources
- Malware
  - Can be programmed from scratch
    - Less likely to be detected by anti-malware programs
  - Can be purchased
- Malware tools
  - Haxdoor, Torpig, Metafisher, Web Attacker
  - Tools offered with other services
    - Access to botnet, drop sites
  - Tools derived from small stable base of existing code
- Where do criminals get malware

Frauds Involving Malware
- Advertising schemes
  - Pay-per-view
  - Pay-per-click (“Click Fraud”)
  - Pay-per-install
- Banking fraud
- Identity theft
- Spam
- Denial-of-service attacks
  - DoS extortion
- Advertising schemes take advantage of legit ad plans on the web

Advertising Schemes
- Pay-per-view
  - Sell advertising space on controlled web sites
  - Command botnet to “view” as many ads as possible
  - May have ads download in the background
  - Fraudulent commissions generated

Advertising Schemes cont.
- Pay-per-click (“Click Fraud”)
  - Similar to pay-per-view fraud
  - Bots simulate clicks on ads
  - Between 5% and 35% of all ad commissions may be fraudulent
- Pay-per-install
  - Commission paid every time advertiser’s software is installed
  - When installed, notification sent to advertiser
  - Infected machines will be instructed to install advertiser’s software
  - Software: browser plug-ins, adware, spyware

Banking Fraud
- Banks are a prime target of malware
- Malware can allow attacker to empty victim’s bank account
- Newest malware (September 2009)
  - Rewrites online bank statements on the fly
  - Covers up theft of funds
  - Trojan horse
  - Alters HTML code before browser displays
  - Makes use of “Money Mules”
  - Crooks gain time
- Money mules - unaware of criminal nature of activity
  - Allow their bank accounts to be used
- Social engineering - mule buys into the work-at-home scheme

Identity Theft
- Phishing & key logging
- Recent increase in malware associated with identity theft
- Information sent to drop site

Spam
- Bots used to send spam
- Also shows dramatic rise
- Bots are available for rent for spam purposes
- Spam sent can also contain malware

Denial of Service Attacks
- Botnet commanded to make requests of a web site
- Web site may crash due to heavy traffic
- Legitimate traffic blocked
- Threat of DoS attack can be used for extortion
- Bots for rent for DoS attacks
- Threats often made to sites with no legal recourse, such as offshore gambling sites

Problems for Law Enforcement
- Anonymity
- Jurisdiction
- Attackers know how difficult international law enforcement is
- Exploit the situation
  - Target victims in one country from another country
  - Have C&C site and drop site located in a third country
  - Use multiple proxies to access C&C site and drop site
  - Money gained quickly funneled through online bank accounts and international money transfers

Other Issues
- Monetary Threshold
  - Must reach a limit before prosecutor will take case
  - May be hard to prove exact amount of money involved
  - Cyber crimes may be considered a non-priority
- Virtual world emboldens individuals
  - Less fear of getting caught
  - Realization of difficulties in investigating crimes