Crimeware - PowerPoint PPT Presentation
Slides: 37
Provided by: infosecur7
1
Crimeware
  • Robert M. Slade, MS, CISSP
  • rslade_at_computercrime.org, cissp_at_shaw.ca,
    rslade_at_isc2.org
  • http://victoria.tc.ca/techrev/rms.htm

2
Only a nuisance?
  • Malware (malicious software) is often the orphan
    of computer security.

3
Non-standard
  • Upsets the 'bastion mentality'
  • the enemy is within, rather than without
  • Computer viruses, in particular, do not have to
    have an obvious point of origin, or a director
    for the attack.

4
Financial losses
  • 2005 FBI survey (and others)
  • Highest category of cybercrime (of 17)
  • Fully one-third of ALL losses
  • 62 Billion (est.) for USA
  • Supported by subsequent surveys and estimates

5
Malware and Viruses Definition
  • Malicious Software
  • Intentionally designed to penetrate a system,
    break security policies, or carry malicious payloads
  • Bugs or errors not included
  • Backdoors, data diddlers, DDoS, hoax warnings,
    logic bombs, pranks, RATs, trojans, viruses,
    worms, zombies, etc.

6
Not your father's malware
  • Modern malware is network aware
  • New means of spread
  • New methods of attack
  • New payloads

7
Malware types
  • Virus
  • Worm
  • Hoax warning
  • Trojan
  • Logic bomb
  • Data diddler
  • RAT (Remote Access Trojan)
  • DDoS (Distributed Denial of Service) zombie
  • Prank
  • Instances cross boundaries: a single program may
    converge more than one type of malware
  • This does not mean that the distinctions are
    unimportant

8
Virus
  • Central characteristic is reproduction
  • Generally requires some action by the user
  • May or may not carry payloads
  • Payload may or may not be damaging
  • e.g. other malware, file retrieval, encryption
    extortion, etc.

9
Virus criminal use
  • Distribute payload (botnets)
  • Retrieve data (Sircam, Klez)
  • Crypto extortion
  • Phishing distribution
  • Malware economies

10
Worm
  • Reproduces
  • Generally uses loopholes in systems
  • Does not involve user
  • Often attacks server software of some type
  • rapid spread ...

11
Trojan horse
  • Stated positive utility
  • Hidden negative payload
  • keylogger, password stealer, financial files
    (credit cards), identity theft, phish, etc ...
  • Social engineering
  • Most common form of crimeware
  • so far ...

12
Phishing
  • Fake sites
  • Mirror real sites
  • Browser chrome
  • Convince user to input identity and
    authentication data
  • Phishing kits
  • Fraud in a box

13
Data diddler
  • Payload in a trojan or virus that deliberately
    corrupts data, generally by small increments over
    time
  • Relatively rare, but recently re-introduced

14
DDoS
  • Expands denial of service
  • Agents sit in the middle of a master (attacker) /
    agent / target structure
  • Hides attacker, multiplies attack
  • Extortion

15
RAT (Remote Access Trojan)
  • Installed, usually remotely, after the system is
    installed and working (not during development)
  • Trojan vs. tool
  • Rootkits require a working account; RATs generally
    don't

16
Spyware and Adware
  • Intended as marketing, not malice
  • Installed with other software
  • As a separate function or program
  • Generates unwanted or irrelevant advertising
  • Reports on user activities
  • possibly other installed programs, possibly user
    browsing habits
  • Drive-by downloads

17
Botnets
  • Multiple computers controlled remotely
  • Installed by virus-carried RAT, drive-by, etc
  • Similar functionality to DDoS
  • From 2003, used for spamming
  • Spambotnets
  • Used to distribute new viruses
  • DDoS extortion attacks

18
(Digression)
  • ISOI II
  • secret meetings on botnet research
  • (agenda posted on Website)
  • New detection technologies
  • Reports on research
  • Researchers as organized crime targets?
  • CastleCops DDoS attack

19
Coincidence?
  • 86.91.28.132 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
  • 72.134.56.15 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
  • 195.39.161.105 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://even.prolexic.cant.protect.you.net.wanna.try.akamai.ill.drop.them.too" "Mozilla/4.0 (compatible)"
  • 24.205.238.48 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
  • 212.213.90.13 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
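The pattern in the log lines above is what a defender would alert on: many distinct source addresses hitting the same URL in the same second with an identical referrer and user agent. The following detection logic is an added example, not part of the original slides; it assumes the lines are in Apache/NCSA combined log format and uses the five hits reassembled from the slide as constructed sample input.

```python
import re
from collections import defaultdict

# Apache/NCSA combined log format (assumed format of the slide's lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the five hits shown on the slide, one per line.
SAMPLE_LOG = """\
86.91.28.132 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
72.134.56.15 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
195.39.161.105 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://even.prolexic.cant.protect.you.net.wanna.try.akamai.ill.drop.them.too" "Mozilla/4.0 (compatible)"
24.205.238.48 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
212.213.90.13 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
"""


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_referrer_floods(lines, min_sources=3):
    """Group hits by (second, referrer, user agent) and report groups that
    come from at least min_sources distinct IPs: a botnet signature, since
    unrelated visitors do not share a referrer and arrive in the same second."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the sweep
        groups[(rec["ts"], rec["ref"], rec["ua"])].add(rec["ip"])
    return [
        {"ts": ts, "ref": ref, "ua": ua, "sources": sorted(ips)}
        for (ts, ref, ua), ips in groups.items()
        if len(ips) >= min_sources
    ]


if __name__ == "__main__":
    for hit in find_referrer_floods(SAMPLE_LOG.splitlines()):
        print(len(hit["sources"]), "sources at", hit["ts"], "referrer", hit["ref"])
```

In production the grouping key would use a sliding window rather than an exact second, and the threshold would be tuned against the site's normal traffic.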

20
Spam
  • Is spam malware/crimeware?
  • annoyance? misleading? fraud? 419? phishing?
    money laundering? malware distribution? botnet
    creation? ...?

21
Examples
  • Note new technologies ...

22
MTX
  • taking control and preventing help
  • replaces WSOCK32.DLL
  • sends itself as second message
  • prevents access to AV sites

23
Noped
  • hacktivism
  • looks for strings in filenames
  • files emailed to addresses possibly associated
    with law enforcement

24
SULFNBK Hoax
  • misinterpretation of events
  • Magistr infects MS Windows system files and mails
    them out
  • SULFNBK valid program (Win 98)
  • most users receiving the warning would find the
    file, adding legitimacy
  • Fagled spreads with a false virus warning
  • "you sent infected email, here is the disinfector"

25
Sircam
  • loss of confidentiality
  • searches for document, incorporates document into
    virus, mails document out
  • e.g. yourfile.doc becomes yourfile.doc.pif
  • MS Outlook addresses, has own SMTP mailer
  • forerunner of spambots

26
Code Red/Nimda
  • server attacks and multipartite
  • 350,000 unpatched MS IIS servers in 9 - 13 hours
  • .eml, .nws, corrupted Web pages
  • also Gokar (email, IRC, infected web pages)
  • also Gigger (JavaScript in HTML formatted email)
  • also Klez (network shares)

27
Magic Lantern
  • official viruses
  • ML isn't actually a virus
  • detection avoidance may create problems in
    detecting real viruses
  • "don't report this signature"

28
BadTrans B
  • convergence (and file naming)
  • drops keystroke logger/password stealer
  • (see also Magic Lantern)
  • filename song.mp3.pif
  • content type of audio/x-wav is ignored
  • also MyParty
  • www.whatever.com
  • also Maldal/Zacker/Reeezak
  • Shockwave icon
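Sircam (slide 25) and BadTrans (slide 28) both rely on the mail client showing a decoy extension while the real one is executable, and on a declared content type that is never checked against the file. This attachment check is an added example, not code from the slides; the extension sets and the MIME mapping are assumptions chosen to cover the cases the slides name (.pif, .shs/.shb, audio/x-wav).

```python
from pathlib import PurePosixPath

# Assumed policy tables, not from the slides: extensions Windows will execute,
# extensions commonly used as the visible decoy, and what a declared MIME type
# should legitimately correspond to.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs", ".shs", ".shb"}
DECOY_EXTS = {".doc", ".xls", ".txt", ".mp3", ".wav", ".jpg", ".zip", ".pdf"}
MIME_EXTS = {
    "audio/x-wav": {".wav"},
    "audio/mpeg": {".mp3"},
    "application/msword": {".doc"},
    "text/plain": {".txt"},
}


def assess_attachment(filename, declared_type=None):
    """Return a list of findings for an attachment name and its declared
    content type; an empty list means nothing suspicious was seen."""
    # strip() defeats whitespace padding used to push the real extension
    # out of view; lower() makes .PIF and .pif the same case.
    suffixes = [s.strip().lower() for s in PurePosixPath(filename).suffixes]
    findings = []
    if not suffixes:
        return findings
    final = suffixes[-1]
    if final in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({final})")
        # yourfile.doc.pif / song.mp3.pif: decoy extension in front of the real one
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            findings.append(f"double extension: {suffixes[-2]} disguises {final}")
    if declared_type:
        expected = MIME_EXTS.get(declared_type.lower())
        # BadTrans declared audio/x-wav for a .pif; the type must match the file
        if expected is not None and final not in expected:
            findings.append(f"declared type {declared_type} does not match {final}")
    return findings


if __name__ == "__main__":
    for name, ctype in [("yourfile.doc.pif", None), ("song.mp3.pif", "audio/x-wav"),
                        ("song.wav", "audio/x-wav")]:
        print(name, "->", assess_attachment(name, ctype) or "ok")
```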

29
Coolsite
  • application settings and policy breaking
  • linking to the site opens a flood of windows to
    pornographic sites
  • browser home page changed
  • Amero popup case

30
SWF.LFM.926
  • new objects to infect
  • uses Shockwave ActionScript
  • also Peachey (Adobe Acrobat)
  • also new RTF extensions in MS products
  • also Stages .SHS/.SHB (shell scrap)

31
w1c.exe
  • Super Bowl, Dolphin Stadium website
  • World of Warcraft password stealing
  • Virtual economies, real theft
  • Malware economies presentation

32
Protection
  • Know thine enemy
  • Know thyself

33
Policies
  • avoid Microsoft
  • not really, but don't follow the herd
  • know your system
  • open source
  • check for control
  • know your facts
  • user awareness training, community security education
  • don't open attachments

34
Developments to watch
  • amateurs to professionals
  • nuisance to danger
  • confidentiality
  • Compromised info presentation
  • firewall destruction
  • policy problems
  • desktop to enterprise

35
Developments (cont.)
  • multipartite
  • new objects to infect
  • new places to hide
  • viral utilities
  • law enforcement
  • marketing
  • Convergence

36
Crimeware
  • Robert M. Slade, MS, CISSP
  • rslade_at_computercrime.org, cissp_at_shaw.ca,
    rslade_at_isc2.org
  • http://victoria.tc.ca/techrev/rms.htm