3. What is Malware?
Definition:
Malware is a set of instructions that run on your
computer and make your system do something
that an attacker wants it to do.
It can do any of the following:
• Delete files from your hard drive
• Infect your PC and use it as a jumping-off point
• Monitor your keystrokes
• Gather information about you
• Send streaming video of your PC screen to an attacker
4. Virus
Definition:
A virus is a self-replicating piece of code that
attaches itself to other programs and usually
requires human interaction to propagate.
• The portion of the virus’ code that implements
some evil or malignant action is known as the
payload.
5. Worm
Definition:
A worm is a self-replicating piece of code that
spreads via networks and usually doesn’t require
human interaction to propagate.
• A worm hits one machine, takes it over,
and uses it as a staging ground to scan for
and conquer other vulnerable systems.
6. Worm vs. Virus
The difference between worms and viruses:
• Worms spread across a network.
• Worms don’t necessarily infect a host file.
• Most (but not all) worms spread without user interaction.
• On the Internet today, most modern viruses include worm characteristics for propagation.
7. Trojan Horse
Definition:
A Trojan horse is a program that appears to
have some useful or benign purpose, but really
masks some hidden malicious functionality.
• If a program merely gives remote access,
it is just a backdoor, not a true Trojan
horse.
8. Internet Attacks
[Figure: Evolution of Malware. Categories shown: Trojan Horses, Rootkits, Spyware, Viruses, Worms, Web Site Defacement, Phishing, Spam Email]
9. Rootkit
A form of Trojan Horse program, capable of hiding its
own presence, maintain system/root/admin privileges
and perform activities without detection
A Rootkit can …
Hide processes, files, drivers, ports and network connections
Install a backdoor listener for future access to the system
Add Privileges to Tokens
Add Groups to Tokens
Manipulate the Event Viewer
Basically, do anything it is programmed to do
Rootkits were originally developed and used against Unix
systems as Trojans (e.g. ps, ls, netstat), but now
proliferated to Linux and of course Windows
Sophisticated rootkits filter data going in and/or out
Hook system functions in the kernel
Modify key data structures in memory
Hook user mode functions in kernel32.dll & ntdll.dll
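The hiding described above is also what gives defenders a handle: a rootkit that hooks the enumeration functions a tool such as ps or Task Manager relies on changes what that tool reports, but a lower-level view of the same data (here the /proc filesystem, which the kernel populates directly) usually still shows the object. Comparing the two views and reporting what appears only in the low-level one is the cross-view technique anti-rootkit tools use. The code below is an added example written for this page, not code from the slides or from any tool they name; it assumes a Linux host with a /proc filesystem and a `ps` binary, and the PID sets used in the test are constructed.

```python
"""Cross-view detection of hidden processes (added example, not from the slides).

Low-level view:  numeric directory names under /proc.
High-level view: PIDs printed by `ps`, which a user-mode hook can filter.
A PID in the first view but not the second is a candidate hidden process.
"""
from __future__ import annotations

import os
import subprocess
import sys


def hidden_pids(low_level: set[int], high_level: set[int]) -> set[int]:
    """PIDs present in the trusted low-level view but missing from the high-level one.

    A process can legitimately exit between the two snapshots, so a single
    comparison produces transient false positives; see stable_hidden_pids().
    """
    return low_level - high_level


def stable_hidden_pids(snapshots: list[tuple[set[int], set[int]]]) -> set[int]:
    """Intersect the per-snapshot differences so only PIDs hidden in every
    pass are reported; a process that merely exited mid-sample drops out."""
    results = [hidden_pids(low, high) for low, high in snapshots]
    if not results:
        return set()
    stable = set(results[0])
    for diff in results[1:]:
        stable &= diff
    return stable


def proc_view() -> set[int]:
    """Low-level view: every numeric entry under /proc is a live PID."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_view() -> set[int]:
    """High-level view: what the `ps` tool reports (assumed present on the host)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}


if __name__ == "__main__":
    if not os.path.isdir("/proc"):
        sys.exit("this live check needs a /proc filesystem")
    # Take the low-level snapshot first each round so the short-lived `ps`
    # process itself never shows up as a difference.
    snaps = [(proc_view(), ps_view()) for _ in range(3)]
    suspicious = stable_hidden_pids(snaps)
    print("PIDs visible in /proc but not in ps:", sorted(suspicious) or "none")
```

A hit is a lead, not a verdict: the next step is to inspect the candidate PID's /proc entry (its executable path, command line and open sockets) from a trusted medium, since a kernel-mode rootkit that hooks the filesystem layer can hide from /proc as well.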
10. Rootkit – Attack Scenario (1)
• Attacker gains elevated access to a computer system
• Attacker installs a Rootkit
• Rootkit hides itself and everything else the hacker wants, and provides a covert channel for control/management
• Attacker is able to use the system for whatever they want with little risk of detection
11. Rootkit – Attack Scenario (2)
How does this thing get in?
To be installed, the install code needs either admin/system level access, or user access with a path to elevate (like insecure registry keys, SeDebugPrivilege, etc.), depending on the sophistication level of the installer/loader.
Initial Vectors
• Weak passwords
• Arbitrary code execution due to:
  Buffer overflows
  Incorrectly secured registry keys for privileged apps
  Web/email exe’s, insecure zones, etc.
• Injection/Hook/Detours - SeDebugPrivilege
• Social engineering (hack the human)
• Physical access
• Island hopping from other compromised systems
12. Rootkit Situation
Popular Rootkits
• Hacker Defender 1.0.0: user mode/kernel mode; hides files, directories, registry keys, services, and drivers; provides backdoor listeners on all ports; detectable by Pathfinder2 and VICE (anti-rootkit)
• FU: hides processes and drivers; detectable by klister
• HE4Hook: modifies the kernel SDT; detectable by Pathfinder2 and VICE
• Vanquish: DLL-injection based rootkit that hides files, folders and registry entries and logs passwords; detectable by Pathfinder2 and VICE
• AFX (Aphex): DLL-injection; hides ports, files, registry keys, folders and processes; detectable by RKDS, Pathfinder2 and VICE
A community of Rootkit explorers on the Internet
http://www.rootkit.com
http://rootkit.host.sk
http://www.megasecurity.org/Info/p55-5.txt
13. Rootkit Situation
Malware Classification* (SANS’ Internet Storm Center July 2004 Report)
• Bots/Backdoor Programs: highest growth since Mar ’04; e.g., Phatbot, Agobot, Gaobot
• User Mode Rootkits: little to no actions
• Kernel Mode Rootkits: new tools in both Windows (e.g. FU) and Unix/Linux (e.g. Adore-ng) platforms
• BIOS Malware: little to no actions
• Microcode Malware: whitepaper on reverse engineering of AMD K8 microcode published at http://www.packetstormsecurity.nl/
*Source: “Malware – Fighting Malicious Code”, Ed Skoudis & Lenny Zeltser
16. SPAM Mails
• More than 60% of email traffic
• 4.9 trillion in 2003; 13 billion spam mails a day
• MSN filters block 2.4 billion spam emails a day (~80% of the emails)
• US businesses lost over $10bn in 2003 in productivity and bandwidth
• Adult content increased by 170%
• Criminal activities
• Reducing trust in emails
17. Meet Spam King
Spam King: Alan Ralsky spewed tens of thousands of e-mail sales pitches per hour, bringing on the wrath of Verizon.
Alan Ralsky calls himself a commercial e-mailer, not a spammer. He says he maintains files with 87 million e-mail addresses of computer users who ask to be removed from his blanket solicitations.
Richard Colbert, spammer.
30. Situation
Phishing & SPAM Frauds
ComputerWorld June ‘04 report
• 50% increase in phishing attacks per month
• Citibank - 470 attacks
• eBay – 285 attacks
• Lloyds TSB Bank – 24 attacks
• Westpac Bank – 11 attacks
• U.S. hosted the most phishing Web sites in June, with 27% of such sites.
• The average lifespan of a phishing site in June was 2.25 days.
• 25% of phishing Web sites were hosted on hacked Web servers.
• 94% of phishing Web sites were configured to allow criminals to remotely download captured personal data.
[Screen clippings of CNET Asia News & Technology headlines, taken 8/12/2004: “HSBC HK gets ‘spoofed’”, “‘Citibank’ email carries a virus”, “DBS Bank spoofed in Hong Kong”, and a headline on Westpac customers]
31. Situation
Phenomenal growth of deceptive software
PestPatrol
• More than 78,000 spyware in use today
• “Burrower” programs grown from 8 to 40 in past six months
• More than 500 trojan horses, 500 keystroke loggers, and 1,300 ad-ware created in 2003
Pitstop
• More than 25% of PCs are afflicted with some type of unwanted or deceptive software
US National Cyber Alliance 2003 study
• 91% of broadband users have some form of unwanted or deceptive software
32. Cable Modems Experiment
The “always connected” home user is very vulnerable
First week of monitoring a cable modem detected 250 attacks
Most users
• Have no security, have been told they’re vulnerable, but don’t know what that means
• Do not understand the technology and do not want to know
[Chart: attacks detected by type. Categories: Back Orifice ping, DNS non-Internet lookup, Duplicate IP address, FTP port probe, ICMP subnet mask request, NetBus port probe, NNTP port probe, Possible Smurf attack initiated, Proxy port probe, RPC port probe, SMTP port probe, SNMP discovery broadcast, TCP port probe, TELNET port probe, UDP port probe, WhatsUp scan]
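Most of the chart's categories are simply inbound connection attempts labelled by the service port they aimed at, which is how a personal firewall produces a breakdown like this from its drop log. As an added example that is not part of the slides, the classifier below sorts dropped inbound packets into those categories. The log line format, the sample lines and the port-to-category table are all constructed for this example; the table covers only the services the chart names, and anything else falls through to the generic TCP or UDP port probe buckets.

```python
"""Turn a home firewall's drop log into the chart's probe categories
(added example, not from the slides; log format and samples are constructed)."""
from __future__ import annotations

import re
from collections import Counter

# Destination port -> chart category, for the services the chart names.
TCP_PORTS = {
    21: "FTP port probe",
    23: "TELNET port probe",
    25: "SMTP port probe",
    111: "RPC port probe",
    119: "NNTP port probe",
    1080: "Proxy port probe",
    8080: "Proxy port probe",
    12345: "NetBus port probe",       # default NetBus listener
}
UDP_PORTS = {
    161: "SNMP discovery broadcast",
    31337: "Back Orifice ping",       # default Back Orifice listener
}
ICMP_TYPES = {
    17: "ICMP subnet mask request",
}

# Constructed line format:
#   <timestamp> DROP TCP|UDP <src>:<sport> <dst>:<dport>
#   <timestamp> DROP ICMP <src> <dst> type=<n>
LINE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: type=(?P<icmp_type>\d+))?$"
)

# Constructed sample log: one week of a cable-modem user's dropped packets.
SAMPLE_LOG = """\
2004-07-01T22:13:05 DROP TCP 203.0.113.7:3412 198.51.100.20:21
2004-07-01T22:13:09 DROP UDP 203.0.113.9:1025 198.51.100.20:31337
2004-07-01T22:14:11 DROP ICMP 203.0.113.44 198.51.100.20 type=17
2004-07-01T22:15:30 DROP TCP 203.0.113.7:3413 198.51.100.20:12345
2004-07-01T22:16:02 DROP TCP 203.0.113.88:4001 198.51.100.20:139
2004-07-01T22:16:02 DROP UDP 203.0.113.88:4002 198.51.100.20:161
2004-07-01T22:17:45 DROP ICMP 203.0.113.5 198.51.100.255 type=8
2004-07-01T22:18:00 DROP TCP 203.0.113.7:3414 198.51.100.20:21
"""


def classify(line: str) -> str | None:
    """Map one drop record to a chart category; None for lines we don't parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    proto = m["proto"]
    if proto == "ICMP":
        icmp_type = int(m["icmp_type"] or -1)
        # Echo request aimed at a broadcast address is the Smurf precondition.
        # Checking for a .255 suffix is a simplification; a real tool would
        # compare against the interface's netmask.
        if icmp_type == 8 and m["dst"].endswith(".255"):
            return "Possible Smurf attack initiated"
        return ICMP_TYPES.get(icmp_type, "ICMP probe")
    if m["dport"] is None:
        return None
    table = TCP_PORTS if proto == "TCP" else UDP_PORTS
    return table.get(int(m["dport"]), f"{proto} port probe")


def tally(lines: list[str]) -> Counter:
    """Count records per category, skipping lines that did not parse."""
    return Counter(cat for cat in map(classify, lines) if cat)


if __name__ == "__main__":
    for category, count in tally(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:4d}  {category}")
```

The value of the breakdown is in the ratio, not the labels: a single FTP probe is background noise, while the same source address walking through several service ports in a few minutes is a scan and worth a look in the source-to-port view as well.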
34. Is there a focused attack
Source: e-Cop, July 2004
35. Situation
Hackers rely on patches to develop exploits
Some security researchers are still disclosing vulnerabilities irresponsibly
[Timeline: Product ship → Vulnerability discovered → Component modified → Patch released → Patch deployed at customer site. Annotations: “Most attacks occur here”, marked between patch release and deployment at the customer site, and “Why does this gap exist?”]
• Lack of or ineffective patch management process
• Lack of defense-in-depth and configuration management in infrastructure security
36. Exploit Timeline
Process, Guidance, Tools
[Timeline: Product ship → Vulnerability discovered → Vulnerability made public / Component fixed → Fix deployed → Fix deployed at customer site. Annotations: “Critical patch”, “exploit code”, “Why does this gap exist?”]
Days between patch & exploit
[Chart: Days From Patch To Exploit. Nimda: 331; SQL Slammer: 180; Welchia/Nachi: 151; Blaster: 25]
• Have decreased so that patching is not a defense in large organizations
• Average 9 days for a patch to be reverse engineered to identify the vulnerability
37. Anatomy of a Worm Incident
July 1 – Report: vulnerability in RPC/DCOM reported to us; patch in progress, no exploit. MS activated highest level emergency response process.
July 16 – Bulletin: bulletin MS03-026 & patch delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies.
July 25 – Exploit: exploit code in public; X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers.
Aug 11 – Worm: Blaster worm discovered in the world; variants and other viruses hit simultaneously (i.e. “SoBig”).
Blaster shows the complex interplay between security researchers, software companies, and hackers.
38. Understanding The Landscape
[Figure: attacker landscape plotted by motivation and skill. Motivations (vertical axis): National Interest, Personal Gain, Personal Fame, Curiosity. Skill levels (horizontal axis): Script-Kiddy, Hobbyist, Expert, Specialist. Actor types: Spy (National Interest), Thief (Personal Gain), Trespasser, Vandal, Author, Hacker]
39. Understanding The Landscape
[Same figure, annotated: Spy – largest segment by $ spent on defense; Thief – largest area by $ lost, fastest growing segment; Trespasser – largest area by volume]
40. Understanding The Landscape
[Same figure, annotated: Thief – fastest growing segment]
41. Understanding The Landscape
[Same figure, annotated: tools created by experts now used by less skilled attackers and criminals]
42. Social Engineering Case Study: MyDoom
• There was no vulnerability: purely social engineering
• Mixed techniques: ZIP file, spoofed icon, “returned SMTP” text, random subjects, source addresses
• Self-upgrading from A to B
• Attacked SCO.Com and Microsoft.Com
• B version tries to block access to WindowsUpdate and AV vendor websites
• This behavior will continue to increase
• Installs “backdoors” – turns PCs into “bots”
• 66% of all SPAM on the Internet generated by these types of backdoors on home-user PCs
• Worm families are becoming “learning platforms” for authors
• Written by software engineers
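The lure worked by combining two things that individually look ordinary: a message worded like a mail-server bounce, and a ZIP attachment whose contents were an executable. A mail gateway does not need a signature to notice the combination, because a genuine bounce never needs to ship a program. The screen below is an added example written for this page, not code from the deck or from any product; both sample messages are constructed here, and the bounce phrases and the extension list are assumptions chosen for illustration rather than a complete list.

```python
"""Flag bounce-lookalike mails that carry an executable inside a ZIP
(added example, not from the slides; sample messages are constructed)."""
from __future__ import annotations

import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Subject phrasing that imitates a mail-server bounce (assumed list).
BOUNCE_SUBJECT = re.compile(
    r"returned mail|delivery (?:failed|failure|status)|mail delivery system|undeliverable",
    re.I,
)
# Extensions Windows executes on double-click (assumed list).
EXECUTABLE_EXT = re.compile(r"\.(?:exe|scr|pif|com|bat|cmd)\s*$", re.I)


def executables_in_zip(data: bytes) -> list[str]:
    """Names inside a ZIP archive with an executable extension; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if EXECUTABLE_EXT.search(name)]
    except zipfile.BadZipFile:
        return []


def screen_message(raw: bytes) -> dict:
    """Report the two indicators; 'flagged' is True only when both occur together."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    bounce_like = bool(BOUNCE_SUBJECT.search(msg.get("Subject", "")))
    executables: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if EXECUTABLE_EXT.search(name):
            executables.append(name)
        # Look one level into archives, the layer the lure used to slip past
        # gateways that only checked the outer attachment name.
        executables.extend(f"{name}:{inner}" for inner in executables_in_zip(data))
    return {"flagged": bounce_like and bool(executables),
            "bounce_like": bounce_like, "executables": executables}


def _zip_with(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def sample_lure() -> bytes:
    """Constructed lure: bounce wording plus a ZIP holding a .scr file."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The original message was included as an attachment.")
    msg.add_attachment(_zip_with("message.scr", b"placeholder bytes, not a program"),
                       maintype="application", subtype="zip", filename="message.zip")
    return msg.as_bytes()


def sample_real_bounce() -> bytes:
    """Constructed benign bounce: same subject style, text-only transcript."""
    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Returned mail: User unknown"
    msg.set_content("550 5.1.1 <nobody@example.net>: Recipient address rejected")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", sample_lure()), ("real bounce", sample_real_bounce())):
        print(label, screen_message(raw))
```

Either indicator on its own is weak evidence: bounces are common and archives are common. The check is deliberately strict about requiring both, so it can run in a gateway without burying analysts in ordinary traffic, and the `executables` list in the result tells them exactly which attachment to pull for inspection.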
43. Making $: Real Example
“Our first program pays you $0.50 for every validated free-trial
registrant your website sends to [bleep]. Commissions are quick and
easy because we pay you when people sign up for our three-day
free-trial. Since [bleep] doesn't require a credit card number or
outside verification service to use the free trial, generating revenue is
a snap.
The second program we offer is our pay per sign-up plan. This
program allows you to earn a percentage on every converted
(paying) member who joins [bleep]. You could make up to 60% of
each membership fee from people you direct to join the site.
Lastly, [bleep] offers a two tier program in addition to our other
plans. If you successfully refer another webmaster to our site and
they open an affiliate account, you begin earning money from their
traffic as well! The second tier pays $0.02 per free-trial registrant or
up to 3% of their sign-ups.”
47. Do The Math
SoBig virus spammed mail to over 100 million inboxes
If 10% read the mail and clicked the link = 10 million people
If 1% of people who went to the site signed up for the 3-day free trial = (100,000 people) x ($0.50) = $50,000
If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr
48. The Newly Connected World
Mobility of computing devices
• Anytime, anywhere access/attack
Wireless networking
• Public Hotspot – anonymous access
• ‘Private’ WLAN – wardriving and LANjacking
• Enterprise Wireless Network
Weak security means
• Permitting unauthorized access to the corporate network
• Provision of a public hotspot, permitting anonymous access – potential legal problems
49. Putting it all together
Attack Techniques & Countermeasures
[Matrix (cell markings not shown). Columns, the attack types: Trojan Horses, Rootkit, Spyware, Viruses, Worms, Spam Mails, Web Deface, Phishing. Rows, the techniques: Social Engineering, Vulnerability Exploitation, Feature Misuse, System Programming. Countermeasures set against them: Awareness; Code security, updates management, and responsiveness; Access control and management]
50. Conclusion
• Attacks continue to become more sophisticated; more tools are readily available
• Vulnerabilities will be exploited if available patches are not deployed in a timely manner
• Time-to-exploit is shrinking quickly
• Attackers are financially motivated
• Attackers are organized and orchestrated
• The sum of exploits is much greater than any individual vulnerability
• A strategic approach to managing information security risk is critical