MALWARE Tomas Kegel Sørensen Esben B. Larsen Christoph Froeschel Magnus Koch ITU Copenhagen 07.11.2008
AGENDA • PART I: INTRODUCTION TO MALWARE • PART II: MOBILE MALICIOUS CODE • PART III: PURPOSE OF MALWARE • PART IV: AVOIDING MALWARE
WHAT IS MALWARE? • Malware is a contraction of malicious software • Malware refers to various types of software that can cause problems, damage or disrupt a computer • Installed without user knowledge or approval
DEFINITIONS OF COMMON ATTACKS • Virus - is a program that copies itself into other programs. Viruses infect host files associated with applications. - Typically, user interaction is required for propagation, such as running a program or opening a document file.
DEFINITIONS OF COMMON ATTACKS • Worm - is a program that copies itself over computer networks, infecting machines in remote locations. • Typically, no user interaction is required, as the worm spreads via vulnerabilities or misconfigurations in target systems. • Exponential growth
DEFINITIONS OF COMMON ATTACKS (ANATOMY OF A WORM) • Warhead: Penetrates the target - Browsers that surf infected web servers - Outlook e-mail - Windows file sharing - Backdoors left by previous worms • Propagation engine: Moves the body to the destination - File-sharing protocols such as FTP, HTTP and SMB - Mail programs • Target selection algorithm (TSA): Looks for new victims to attack - Received or sent e-mails - IP addresses similar to the victim's • Scanning engine: Fires warheads against the new victims • Payload: What it does to the target - Nothing (so-called null-payload worms) - Opening up backdoors - Planting a zombie - Performing a mathematical operation
DEFINITIONS OF COMMON ATTACKS • Trojan horse - is a program that seems to do something useful or interesting, but actually runs malicious code behind the scenes. - E.g. screen savers - A common use is a "trap door" that gives a malicious adversary discreet access to the machine at a future date.
DEFINITIONS OF COMMON ATTACKS • Time bombs or logic bombs - are programs that hibernate until a specified event happens or until a condition becomes true. - Effective when coupled to a virus
TAXONOMY OF MALWARE • Malicious programs that need a host program: Viruses, Logic bombs, Trojan horses • Independent malicious programs: Worms
COMBINING MALWARE • Worms and viruses are the transport mechanism for malicious code • Trojan horses and time/logic bombs are the malicious code.
MALICIOUS MOBILE CODE • Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention • Malicious mobile code is mobile code that makes your system do something that you do not want it to do.
MALICIOUS MOBILE CODE FOR A VARIETY OF NASTY ACTIVITIES • Monitoring your browsing activities • Obtaining unauthorized access to your file system • Infecting your machine with a Trojan horse • Hijacking your Web browser
MOBILE CODE EXAMPLES • Browser Scripts • ActiveX Controls • Java Applets • Mobile Code in E-mail Clients
BROWSER SCRIPTS
    <script type="text/javascript">                <-- (a) Script begins
    function do_something() {
      // Code for this function would go here.
    }
    </script>                                       <-- (b) Script ends
ACTIVEX CONTROLS • A software component based on Microsoft's ActiveX technology that is used to add interactivity and more functionality, such as animation or a popup menu, to a Web page. An ActiveX control can be written in any of a number of languages, including Java, C++ and Visual Basic. • The first time a control is accepted it is downloaded to your computer and registered.
JAVA APPLETS • Java applets are relatively lightweight programs designed to be transmitted across the Internet • Java applet security model • The Java applet security model forces downloaded Java applets to run within a highly restrictive sandbox. • Attackers exploit bugs in the implementation of the JRE to allow an untrusted applet to escape from its sandbox. • Example: a program called Brown Orifice
MOBILE CODE IN E-MAIL CLIENTS • The majority of modern e-mail clients contain some form of Web browser functionality to display HTML. • Turn off support for mobile code in your e-mail client if you don't use this functionality.
CONCLUSION • Do not execute ActiveX controls, whether signed or not signed, unless you trust their author with access to your system. • Do not execute signed Java applets unless you trust their author with access to your system. • Remember that there is no such thing as "trust once," when it comes to ActiveX controls or Java applets, because a malicious program can grant itself perpetual trust once it has access. • Disable support for mobile code that you do not require in your browser and e-mail software.
CHANGE OF PERSPECTIVE I • Hackers wanted to show they could • Morris Worm in 1988 • Malware used to be destructive • "I Love You" virus (2000) deleted files and forwarded itself to contacts in Outlook • Today malware is not destructive anymore; it works silently on a PC
IT'S BUSINESS • "Sources of cybercrime will become increasingly organized and profit driven" (Gunter Ollmann, IBM) • "Hacker teams are highly professional, with strong focus on quality and the right marketing" (Thorsten Holz, University of Mannheim)
BOTNETS FOR RENT • Hacker groups rent out their botnets • Reports suggest that botnets can be rented for $100/hour • Pay-as-you-go scheme: cybercrime made easy!
RETURN ON INVESTMENT • Crime syndicates blackmail gambling sites/online shops • They demand up to $50,000 • Stealing personal information (credit cards, bank accounts)
BEYOND TRADITIONAL CRIME I • The Sony rootkit scandal • Automatically installed software on PCs • Sony wanted improved copy protection • ...but introduced new security holes on computers running a Windows OS
BEYOND TRADITIONAL CRIME II • Remote forensic software • Governments install spyware on the computers of "suspected" persons • The FBI uses a tool called "Magic Lantern" • Uses key loggers in order to obtain sensitive information • Conflicts with legislation
FUTURE TRENDS • Cybercrime in virtual worlds • Increase in botnets • Mobile devices • Virtual machine rootkits (Blue Pill)
SUM UP • High risk • Focus is on "business": earning money is important • Malware gets smarter and thus harder to detect • Magnus will now talk about avoiding malware
STRATEGY • 1: User education & restricted user privileges • 2: Avoiding common software "packages" • 3: Anti-virus software (locally and at network gateways)
1 USER EDUCATION METHODS • Educate users so that they avoid making known mistakes. • Restrict the privileges of user accounts (configuration hardening). PROBLEMS • Most users are not willing to spend time learning security. • Even expert users are not immune to unexpected attacks (Bubble Boy).
2 AVOID COMMON SOFTWARE EXAMPLES • The "Microsoft Word" + "Outlook" combination. • The "WordPress" CMS. METHOD • Avoid common software, or at least include less popular software somewhere in your workflow. PROBLEMS • What counts as common software? • How can you be sure that security issues will be identified and addressed when using less common software?
3 ANTI-VIRUS SOFTWARE METHOD • Scan all incoming files for malware. PROBLEMS • New malware emerges. • Malware authors camouflage already known threats.
MALWARE SIGNATURES • The fingerprints of malware (also called .DAT files) • Performance improvements • Fingerprints are matched only against certain file types. • Depending on the file type, different areas of the file are scanned.
NEW MALWARE • Can actually be new malware, or camouflaged versions of old threats. • Polymorphism (obfuscated code) • Changed variable names. • Changed order of the instructions in the malware program. • Encryption. • Metamorphism.
HOW TO IDENTIFY MALWARE WITH AN UNKNOWN SIGNATURE • Generic signatures. • Often broken up and containing "wildcard areas". • Not good for totally new malware. • Emulation. • Heuristics.
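The following is an added example (not from the slides or any real anti-virus product) that shows the difference between an exact signature and a generic signature with wildcard areas, as described on the two preceding slides: the generic one still matches a camouflaged variant whose author changed a few bytes, but neither matches a totally new sample. All signature patterns and sample bytes are constructed for the demonstration.

```python
# Added example: exact vs. generic (wildcard) signature matching.
# Every signature and byte sample below is constructed for this demo.
import re

# Constructed signature database. A generic signature is a hex pattern in
# which "??" marks a wildcard byte: an area the malware author is expected
# to change between strains (re-encoded constant, renamed variable, etc.).
SIGNATURES = {
    "demo.exact":   "de ad be ef 01 02 03 04",
    "demo.generic": "de ad ?? ?? 01 ?? 03 04",
}

def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'de ad ?? ef' into a compiled bytes regex (wildcard = any one byte)."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")                     # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' also matches 0x0a

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan(data: bytes) -> list[str]:
    """Return the names of all signatures that match anywhere in data."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))

# Constructed samples. The "variant" keeps the fixed bytes of the known
# strain but changes the bytes the generic signature marks as wildcards;
# the "totally new" sample shares nothing with the database.
KNOWN_STRAIN = b"MZ\x90\x00" + b"\xde\xad\xbe\xef\x01\x02\x03\x04" + b"\x00" * 8
VARIANT      = b"MZ\x90\x00" + b"\xde\xad\x11\x22\x01\x99\x03\x04" + b"\x00" * 8
TOTALLY_NEW  = b"MZ\x90\x00" + b"\x55\x8b\xec\x83\xec\x10\x53\x56" + b"\x00" * 8
BENIGN       = b"MZ\x90\x00" + b"hello world" + b"\x00" * 8

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_STRAIN), ("variant", VARIANT),
                          ("new", TOTALLY_NEW), ("benign", BENIGN)]:
        print(f"{label:8s} -> {scan(sample)}")
```

The wildcard signature catches the variant that the exact signature misses, which is the point of the "generic signatures" bullet; the totally new sample still goes undetected, which is why emulation and heuristics are listed next.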
HEURISTICS • Establish a database of typical malware traits: • Attempts to access the boot sector. • Attempts to locate all documents in the current directory. • Attempts to write to an EXE file. • Attempts to delete hard drive contents.
CURRENT THREAT PATTERNS • Classic & server-side polymorphism • 10,000+ new strains per day. • Each victim is potentially attacked by a different strain. • Today a signature protects < 20 users; earlier > 100,000. • The blacklisting strategy is increasingly ineffective.
SOLUTIONS (ACCORDING TO SYMANTEC) • Whitelisting: signatures for non-malware. • Reputation-based approach.