Internet Vulnerabilities & Criminal Activities Malware 3.2 9/26/2011.


Slide 1: Internet Vulnerabilities & Criminal Activities, Malware 3.2, 9/26/2011

Slide 2: Malware
- Malicious software designed to gain access to information and/or resources without the knowledge or consent of the end user

Slide 3: Malware History
- 1981 - First Apple II virus in the wild
- 1983 - Fred Cohen coins the term “virus”
- 1986 - First PC virus
- 1988 - Morris Internet worm
- 1990 - First polymorphic virus
- 1991 - Virus Construction Set
- 1994 - Good Times virus hoax
- 1995 - First macro virus
- 1998 - Back Orifice tool released

Slide 4: Malware History cont.
- 1999 - Melissa virus / worm
- 1999 - Tribal Flood Network - DDoS tool
- 2001 - Code Red worm
- 2001 - Nimda worm
- 2003 - Slammer worm
- 2004 - SoBig & Sasser worms
- 2007 - Storm worm / Zeus botnet tool
- 2008 - Conficker worm
- 2010 - Stuxnet - weaponized malware

Slide 5: Malware Trends
- Increasing complexity & sophistication
- Acceleration of the rate of release of innovative tools & techniques
- Movement from viruses to worms to kernel-level exploitation

Slide 6: Malware can be:
- “Proof of concept”
  - Created to prove it can be done
  - Not found outside of a laboratory environment
  - If the code is available, it can be used by others
- “In the Wild”
  - Found on computers in everyday use

Slide 7: Traditional Categories of Malware
- Virus
- Worm
- Malicious Mobile Code
- Backdoor
- Trojan Horse
- Rootkit
- Combination Malware - Malware “Cocktail”

Slide 8: Virus
- Infects a host file
- Self-replicates
- Requires human interaction to replicate
- Examples:
  - Michelangelo
  - Melissa

Slide 9: Worm
- Spreads across a network
- Does not require human interaction to spread
- Self-replicating
- Examples:
  - Morris Worm
  - Code Red
  - Slammer

Slide 10: Malicious Mobile Code
- Lightweight program downloaded from a remote source and executed locally
- Minimal human interaction
- Written in JavaScript, VBScript, ActiveX, or Java
- Example:
  - Cross-Site Scripting

Slide 11: Backdoor
- Bypasses normal security controls
- Gives the attacker access to the user’s system
- Examples:
  - Netcat
  - Back Orifice
  - Sub7

Slide 12: Trojan Horse
- Program that disguises its hidden malicious purpose
- Appears to be a harmless game or screensaver
- Used for spyware & backdoors
- Not self-replicating

Slide 13: Rootkit
- Replaces or modifies programs that are part of the operating system
- Two levels
  - User-level
  - Kernel-level
- Examples
  - Universal Rootkit
  - Kernel Intrusion System

Slide 14: Combination Malware
- Uses a combination of various techniques to increase effectiveness
- Examples:
  - Lion
  - Bugbear.B
  - Stuxnet

Slide 15: Malware Distribution
- Attachments
  - E-mail and Instant Messaging
- Piggybacking
  - Malware added to a legitimate program
  - Adware, spyware
  - EULA - End User License Agreement
- Internet Worms
  - Exploit a security vulnerability
  - Used to install backdoors
- Web Browser Exploit
  - Malware added to a legitimate web site
  - Cross-site scripting & SQL injection
  - Visitors to the web site may be infected
  - Drive-by malware

Slide 16: Malware Distribution cont.
- Hacking
  - Too labor intensive for large crime operations
  - May be used to compromise a DNS server
- Affiliate Marketing
  - Web site owner paid 8¢ to 50¢ per machine to install malware on a visitor’s computer
- Mobile Devices
  - Transfer via Bluetooth

Slide 17: Malware Activity
- Adware
- Spyware
- Hijacker
- Toolbars
- Dialers
- Rogue Security Software
- Bots

Slide 18: Adware
- Displays ads on the infected machine
- Ad formats can be:
  - Pop-ups
  - Pop-unders
  - Embedded in programs
  - On top of web site ads
- More annoying than dangerous

Slide 19: Spyware
- Sends information about the infected computer to someone, somewhere
  - Web sites surfed
  - Terms searched for
  - Information from web forms
  - Files downloaded
- Searches the hard drive for installed files
  - E-mail address book
  - Browser history
  - Logon names, passwords, credit card numbers
  - Any other personal information

Slide 20: Hijacker
- Takes control of the web browser
  - Home page
  - Search engines
  - Search bar
- Redirects sites
- Prevents some sites from loading
- IE vulnerable

Slide 21: Toolbars
- Plug-ins to IE
  - Google
  - Yahoo
- Attempt to emulate legitimate toolbars
- Installed via underhanded means
- Adware or spyware
- Acts as a keystroke logger

Slide 22: Dialers
- Alters modem connections and ISDN cards
- Once installed, will dial 1-900 numbers or other premium-rate numbers
- Runs up the end user’s phone bill & provides revenue for the criminal enterprise
- Targets MS Windows

Slide 23: Rogue Security Software
- Usually delivered via a trojan horse
- Uses social engineering techniques to get the user to install it
  - Fake warnings that the computer is infected
  - Fake video of the machine crashing
- Disables anti-virus and anti-spyware programs
- Alters the computer system so the rogue software cannot be removed

Slide 24: Bots
- Allows an attacker remote access to a computer
- When the end user is online, the computer contacts a Command & Control (C&C) site
- The bot will then perform whatever commands it receives from the C&C
- Some things botnets are used for
  - Distributed Denial of Service (DDoS) attacks
  - Spam
  - Hosting contraband such as child porn
  - Other illegal fraud schemes
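The C&C check-in described on this slide is what defenders look for in proxy logs: a bot phones home on a timer, so one client hitting the same destination at a near-constant interval stands out from ordinary browsing. The following is an added example, not part of the slides; the log lines, client addresses and host names are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log for this example: "<ISO timestamp> <client IP> <destination host>".
# The host names are hypothetical; 10.0.0.5 checks in with its C&C every five minutes.
SAMPLE_LOG = """\
2011-09-26T08:00:00 10.0.0.5 cnc.example.invalid
2011-09-26T08:00:02 10.0.0.7 news.example.org
2011-09-26T08:05:00 10.0.0.5 cnc.example.invalid
2011-09-26T08:07:41 10.0.0.7 news.example.org
2011-09-26T08:10:01 10.0.0.5 cnc.example.invalid
2011-09-26T08:14:09 10.0.0.7 mail.example.org
2011-09-26T08:15:00 10.0.0.5 cnc.example.invalid
2011-09-26T08:20:00 10.0.0.5 cnc.example.invalid
2011-09-26T08:31:55 10.0.0.7 news.example.org
"""


def parse_log(text):
    """Group connection times (epoch seconds) by (client, destination)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, dest = line.split()
        seen[(client, dest)].append(datetime.fromisoformat(stamp).timestamp())
    return seen


def beacon_candidates(text, min_hits=4, max_jitter=0.1):
    """Return (client, dest, mean_interval_seconds) for pairs that connect at a
    near-constant cadence: enough hits, and gap spread (CV) below max_jitter."""
    out = []
    for (client, dest), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            out.append((client, dest, round(avg)))
    return out


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LOG):
        print("possible beacon:", hit)
```

Real bots add jitter and rotate destinations, so a production detector would widen the window and correlate across hosts; the check above shows only the core cadence test.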

Slide 25: Weaponized Malware
- Attacks SCADA systems
  - Supervisory Control And Data Acquisition
- Causes physical damage
- SCADA systems control
  - Dams
  - Electrical grid
  - Nuclear power plants
- Cyber War - The Aurora Project
  - http://www.youtube.com/watch?v=rTkXgqK1l9A

Slide 26: More Malware Terminology
- Downloader
  - Single line of code
  - Payload from malware
  - Instructs the infected computer to download malware from the attacker’s server
- Drop
  - Clandestine computer or service (e-mail)
  - Collects information sent to it from infected machines
  - Blind Drop - well hidden, designed to run unattended

Slide 27: More Malware Terminology cont.
- Exploit
  - Code used to take advantage of a vulnerability in software code or configuration
- Form-grabber
  - A program that steals information submitted by a user to a web site
- Packer
  - Tool used to scramble and compress an .exe file
  - Hides the malicious nature of the code
  - Makes analysis of the program more difficult
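The packer entry above is the one term on this slide that analysts can test for directly: compressed or scrambled sections have byte entropy near the 8-bit maximum, whereas ordinary code, strings and headers sit well below it. The following is an added example, not part of the slides; the two samples are constructed stand-ins, not real executables.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, up to 8.0 for
    uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Analyst heuristic: compressed or encrypted payloads sit near 8 bits/byte,
    while ordinary code, strings and headers stay well below the threshold."""
    return shannon_entropy(data) > threshold


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy stream made by chaining SHA-256 digests.
    It stands in for a packed section so the example runs offline and the
    result is reproducible (constructed data, not a real packer output)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples (not real executables): repetitive text-like content
# versus a blob that behaves like a packed/encrypted section.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 200
PACKED_SAMPLE = pseudo_random_bytes(8192)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"{name}: entropy={shannon_entropy(blob):.2f} "
              f"packed={looks_packed(blob)}")
```

High entropy alone is not proof of malice (legitimate installers and media files compress too), so in practice the score is one triage signal weighed alongside signatures and behaviour.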

Slide 28: More Malware Terminology cont.
- Redirect
  - HTTP feature
  - Used to forward someone from one web page to another
  - Done invisibly with malware
- Variant
  - Malware produced from the same code base
  - Different enough to require a new signature for detection by anti-virus software

Slide 29: Malware Sources
- Malware
  - Can be programmed from scratch
    - Less likely to be detected by anti-malware programs
  - Can be purchased
- Malware tools
  - Haxdoor, Torpig, Metafisher, Web Attacker
  - Tools offered with other services
    - Access to botnet, drop sites
  - Tools derived from a small, stable base of existing code

Slide 30: Frauds Involving Malware
- Advertising schemes
  - Pay-per-view
  - Pay-per-click (“Click Fraud”)
  - Pay-per-install
- Banking fraud
- Identity theft
- Spam
- Denial-of-service attacks
  - DoS extortion

Slide 31: Advertising Schemes
- Pay-per-view
  - Sell advertising space on controlled web sites
  - Command the botnet to “view” as many ads as possible
  - May have ads download in the background
  - Fraudulent commissions generated

Slide 32: Advertising Schemes cont.
- Pay-per-click (“Click Fraud”)
  - Similar to pay-per-view fraud
  - Bots simulate clicks on ads
  - Between 5% and 35% of all ad commissions may be fraudulent
- Pay-per-install
  - Commission paid every time the advertiser’s software is installed
  - When installed, a notification is sent to the advertiser
  - Infected machines are instructed to install the advertiser’s software

Slide 33: Banking Fraud
- Banks are a prime target of malware
- Malware can allow an attacker to empty the victim’s bank account
- Example (September 2009)
  - Rewrites online bank statements on the fly
  - Covers up theft of funds
  - Trojan horse
  - Alters HTML code before the browser displays it
  - Makes use of “money mules”

Slide 34: Identity Theft
- Phishing & key logging
- Recent increase in malware associated with identity theft
- Information sent to a drop site

Slide 35: Spam
- Bots used to send spam
- Also shows a dramatic rise
- Bots are available for rent for spam purposes
- Spam sent can also contain malware

Slide 36: Denial of Service Attacks
- Botnet commanded to make requests of a web site
- Web site may crash due to heavy traffic
- Legitimate traffic blocked
- Threat of a DoS attack can be used for extortion
- Bots for rent for DoS attacks

Slide 37: Problems for Law Enforcement
- Anonymity
- Jurisdiction
  - Attackers know how difficult international law enforcement is
  - Exploit the situation
    - Target victims in one country from another country
    - Have the C&C site and drop site located in a third country
    - Use multiple proxies to access the C&C site and drop site
- Money gained is quickly funneled through online bank accounts and international money transfers

Slide 38: Other Issues
- Monetary threshold
  - Must reach a limit before a prosecutor will take the case
  - May be hard to prove the exact amount of money involved
- Cyber crimes may be considered a non-priority
- Virtual world emboldens individuals
  - Less fear of getting caught
  - Realization of the difficulties in investigating crimes
  - Easy money
