Malware at a glance or: Facing the latest threats
Raimund Genes, CTO Anti-Malware

Once upon a time…
• Profile:
  – Male
  – Between 14 and 34 years of age
  – Computer addicted
  – No permanent girlfriend
• Jeffrey Lee Parson – MSBlaster
• Sven Jaschan – Sasser
• David L. Smith – Melissa
• Onel de Guzman – ILOVEYOU
No commercial interest!!!

The most famous quote for malware writers nowadays
"The secret of life is honesty and fair dealing. If you can fake that, you've got it made." – Groucho Marx

Cybercrime – not only a word, but reality!
• Jeanson James Ancheta from California, 20 years old
• Was arrested on 4 November 2005 in Los Angeles
• Created a botnet with 400,000 computers under his control
• Botnet was for rental to spread spam or to start DDoS
• Access to the botnet was granted for 3,000 USD on average; over 30 transactions have been made = 90,000 USD
• $107,000 in advertising affiliate proceeds from downloading adware to the infected computers
• 60,000 USD in cash, a pimped-up BMW and a high-end computer environment

Ancheta will be in jail for 57 months; he even infected a US Marine Naval Air Warfare facility at China Lake, CA.

A typical bot herder: "0x80" (pronounced X-eighty)
Background: High school dropout.
Attitude: "most of these people I infect are so stupid they really ain't got no business being on the Internet in the first place."
Working hours: approx. 2 minutes/day to manage the botnet.
– Monthly earnings: $6,800 on average.
Daily activities: Chatting with people while his bots make him money.
– Recently paid $800 for an hour alone in a VIP room with several dancers.
Job description: Controls 13,000+ computers in more than 20 countries.
– Infected bot PCs download adware, then search for new victim PCs.
– Adware displays constant ads and mines data about the victim's online browsing habits.
– Malicious bots collect data incl. passwords, e-mail addresses, SSNs, credit and banking data, etc.
– Gets paid by companies like TopConverting.com, GammaCash.com, Loudcash, or 180Solutions.
Source: Washington Post, "Invasion of the Computer Snatchers"

Cybercrime – not only a word, but reality!
• Jay R. Echouafni
• Entrepreneur
• CEO Orbit Communications
• ... and botnet renter
Jay Echouafni rented botnets to switch off webpages through DDoS attacks.

50,000 USD, or we shut down your page!

Eight Years for Extorting Millions
• Ivan Maksakov (wrote bots)
• Alexander Petrov (controlled DDoS attacks)
• Denis Stepanov (some initial arrangements)
The strategy was simple. A bookmaker that was accepting online stakes at the time of some big sports competitions received an e-mail notifying it that the site was under attack and urging it to pay $40,000. The e-mail was followed by a trial attack and then by another e-mail demanding to transfer money via Western Union to accounts in Riga, Latvia. The accused attacked nine British and Irish bookmakers and casinos from the fall of 2003 till the spring of 2004, causing direct damage of over £2 million. The amount reached £40 million once the costs incurred for buying protection equipment were taken into account.

So what is a botnet?
• Botnet: A large number of compromised computers (zombies) controlled by an unauthorized entity for (usually) malicious purposes.
• Zombie: A computer that has been covertly taken over by an unauthorized entity.

How big is the problem?
• Botnets: The #1 emerging Internet threat
• Estimated 7% of all computers on the internet are zombies (75-100 million machines)
  – Responsible for over 80% of all spam
  – Generate click fraud in excess of $1 billion annually
  – Phishing to commit identity theft
  – DDoS attacks for extortion or retribution of 8-22 Gbps
  – Malware distribution such as key loggers
  – Propagation of the species – 200k bots/month growth

How do you spread bots/malware?
With clever social engineering – spreading is only one double-click away

Country-specific targeted attacks!
Phishing
• Uses social engineering
• Persuades users to give away confidential data
• Mail from a "trusted source"
• Call for action: "your account will be closed", "update your data"
• Link to a web page which looks like the "real one"
• Access data will be transferred to third parties
(Screenshot: the link goes to a site in Romania)

Phishing
BKA President Dr. Joerg Ziercke: success rate of phishing attacks in Germany: <> 5%
ConsumerReports (USA): Phishing attacks on US citizens have generated 630 M USD in 2005

Pharming
• "automated" phishing
• DNS cache poisoning
• DNS server hacks
• "real" addresses will be redirected to wrong addresses
• No phishing mails needed – automated attacks with malware

Spyware

Ransomware – Troj_Ransom.A

Web – the latest method to spread malware!
Study: Browsers Are Chief Virus Carrier (September 13, 2006)
If you work in security for one of those "cool" companies that lets employees use the corporate network to surf the Web on their own time, you might want to think about becoming a killjoy. According to a study of 200 companies published earlier today by IDC Denmark, Web surfing has surpassed email as the most prevalent method of spreading worms and viruses. (See IDC: Private Internet Use Insecure.) "There is a common misconception that emails constitute the biggest security threat from the Internet," says Per Andersen, managing director at IDC Denmark. "But the survey shows that up to 30 percent of companies with 500 or more staff have been infected as a result of Internet surfing, while only 20 to 25 percent of the same companies experienced viruses and worms from emails."

What are we really facing? The amazing case of Gromozon (aka Troj_LINKOPTIMI)
• In May 2006 Italian users started to report strange behaviour in Windows – crashes at boot-up, unusual popups from heuristic AV, but files couldn't be cleaned, odd files on the hard disks. Then users started to report infections by rootkits, discovered by some rootkit scanners.
Gromozon
It starts with a webpage... The webpage contains an obfuscated JavaScript. This encrypted JavaScript actually calls another webpage! This webpage then runs a complex PHP script, checking which browser is used.

Gromozon
The PHP script starts different infection routines, depending on the browser. It checks for Internet Explorer (version checking as well), Firefox and Opera. Using browser-specific vulnerabilities it tries to autoload the file www.google.com. If this is not working it asks the user – then Firefox users are safe (default settings)... But not the MS IE community...

Gromozon
The file www.google.com is a downloader. It uses server-side polymorphism, changing its shape all the time. It connects to a remote server and drops installers, installing an adware program, a rootkit and a Windows service. The Windows service links to a file which is encrypted by the infected system, utilizing the Windows Encrypting File System (EFS). The well-known adware LinkOptimizer is hidden from the user (and from AV software) by the rootkit. The rootkit even prevents anti-rootkit tools like F-Secure BlackLight from running.

OK, Gromozon is the mother of all malware, but an exception, or?
Automatic analysis of a Stration variant

Travel policies are dangerous… (Oct 7, 2006)
Say you are a new hire for any company. Your boss asks you to develop a well-researched and well-documented company policy on, say for example, company employee travel. More often than not, you will have to start off with a Google search. And that is exactly what you do. Open Google and type in "travelpolicy". This will be the result:

Travel policies are dangerous…
You don't choose the first hit simply because you see it's a .GOV site and information found in .GOV sites may seem too lengthy for your objectives.
You just need a simple do-it-yourself tutorial on how to create and implement a travel policy guide for your business – which is exactly the description for the second hit, encircled in the above image. So you click on the URL. And then the site opens... Seems like the site is taking quite some time downloading images and content. So you wait... And wait... And when you observe that it's been taking forever for the site to complete, you close the window and move on to other sites that can offer the information that you need. End of story? Not quite.

Travel policies are dangerous…
As you waited for the site to completely show up, something was already happening in the background that goes unobserved... The site, www.travelpolicy.com, has an IFRAME at the very top which leads you to 81.95.146.98/index.html. The index.html file actually has a script that exploits the MS Internet Explorer (MDAC) Remote Code Execution vulnerability described in MS06-014. The original exploit code is also modified in an attempt to bypass AV scanners that detect the original code. It sure is nasty! An executable file, win.exe, is downloaded to your system and executed. This file is actually a backdoor with rootkit features, and is a variant of the notorious family of backdoor rootkits known as Haxdoor!

Travel policies are dangerous… not anymore (Oct 14, 2006)
Now it's an innocent page again. So was the site hacked? Was it done on purpose?

Get rich quick… the hacker's dream
Zero-day attacks on sale!

Get rich quick… the hacker's dream
Webattacker Toolkit order page:
Dear friends! We are glad to offer you multicomponental exploit WebAttacker IE0604, provided to exploit vulnerabilities in popular Internetbrowsers like Internet Explorer and Mozilla Firefox. Utilizing the vulnerabilities you can install any executable program on local disks of people visiting your sites.
Purpose (Assignment) of Webattacker: the latent loading of an EXE program from the remote Web source with the automatic start of this program on a local disk of the visitor.

Threat summary
• The internet is now really in a golden age – of criminal invention!
• Phishing, pharming, spyware, spam – all linked to making money! And due to the fact that even spam is banned in some countries now (CAN-SPAM Act, Anti-Spyware Act in California) it is getting more and more important for these criminals to hide their traces.
• The bad guys are hiring amateurs and professional programmers who can write bots to hijack computers. These so-called zombie computers are then used for all kinds of criminal activities – from sending spam and starting phishing attacks up to Distributed Denial of Service attacks (DDoS), we have seen everything...

Another famous quote
Willy Sutton, a famous bank robber of the 1940s (robbed banks in Miami, New York and New Orleans), was asked why he robbed banks: "Because that's where the money is"

A modern Willy Sutton
Hacking raid on Sumitomo bank thwarted – Thieves may have used keylogging to try to steal $424M
MARCH 17, 2005 (TECHWORLD.COM) – Security experts are praising Sumitomo Mitsui Banking Corp. for admitting that it was the target of a failed $424 million hacking attempt. The U.K.'s National High Tech Crime Unit (NHTCU) has issued a warning to large banks to guard against keylogging, the method adopted by the would-be thieves in an attack on the Japanese bank's London systems. The intruders tried to transfer money out of the bank via 10 accounts around the world. Yeron Bolondi, 32, was seized by Israeli police yesterday after an alleged attempt to transfer some of the cash into his business account. He was reportedly charged with money laundering and deception. In a statement, Israeli police said there had been an attempt to transfer $26.7 million into the account "by deception in a sophisticated manner."

Big numbers....
• Identity thieves are expected to steal more than 1 trillion in 2006!
• The FBI claims that financial loss from spyware and other computer-related crimes has cost U.S. businesses $62 billion in 2005
• Cybercriminals are making more money than the "illegal drug trading industry" according to the U.S. Treasury
• Each day, $24 billion in bank deposits are at risk in the United States

The threats will not disappear! That's why Trend Micro is addressing the root problem! Here!

Root problem: Spam and phishing
Trend Micro's hall of shame – Network Reputation Services

I hope that Microsoft is wrong this time...
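The travelpolicy.com drive-by described in the "Travel policies are dangerous" slides hinges on an invisible IFRAME injected at the top of an otherwise legitimate page, pointing at a bare IP host. As an added defensive example (not code from the original deck or from Trend Micro), the scanner below flags IFRAMEs of that kind in fetched HTML; the sample page and the 198.51.100.7 address are constructed placeholders, not the real site's markup.

```python
"""Flag injected IFRAMEs like the one on travelpolicy.com: frames pointing at
a bare IP address or a foreign host, or rendered invisibly (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page, not the real travelpolicy.com markup; 198.51.100.7
# is a TEST-NET placeholder standing in for the exploit host.
SAMPLE_PAGE = """<html><body>
<iframe src="http://198.51.100.7/index.html" width="0" height="0"></iframe>
<h1>Travel policy guide</h1>
<iframe src="//ads.example.net/w.html" style="display: none"></iframe>
<iframe src="/embedded/terms.html" width="600" height="400"></iframe>
</body></html>"""
class IframeCollector(HTMLParser):  # one attribute dict per <iframe> start tag
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))

def _host(src):
    """Host of an iframe src; a bare 'host/path' as in the deck is accepted."""
    if src.startswith("//"):
        src = "http:" + src
    elif "://" not in src and not src.startswith("/") and "." in src.split("/")[0]:
        src = "http://" + src
    return (urlparse(src).hostname or "").lower() if "://" in src else ""

def _tiny(value):
    """A width/height of 0 or 1 (optionally 'px') marks a hidden frame."""
    digits = (value or "").strip().rstrip("px%").strip()
    return digits.isdigit() and int(digits) <= 1

def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for frames that deserve a second look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        host, reasons = _host(src), []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # IPv4 literal
            reasons.append("ip-literal host")
        elif host and host != page_host.lower():
            reasons.append("third-party host")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("hidden dimensions")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Same-origin frames with normal dimensions are left alone, so the check can run over crawled copies of your own pages to catch an injected frame before visitors do.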