MALWARE Tomas Kegel Sørensen Esben B. Larsen Christoph Froeschel Magnus Koch ITU Copenhagen 07.11.2008

Page 1

MALWARE

Tomas Kegel Sørensen, Esben B. Larsen,

Christoph Froeschel, Magnus Koch

ITU Copenhagen 07.11.2008

Page 2

AGENDA

• PART I: INTRODUCTION TO MALWARE
• PART II: MALICIOUS MOBILE CODE
• PART III: PURPOSE OF MALWARE
• PART IV: AVOIDING MALWARE

Page 3

PART I: INTRODUCTION TO MALWARE

Page 4

WHAT IS MALWARE?

• Malware is a contraction of malicious software.
• Malware refers to various types of software that can cause problems on, damage, or disrupt a computer.
• It is installed without the user's knowledge or approval.

Page 5

DEFINITIONS OF COMMON ATTACKS

• Virus - a program that copies itself into other programs. Viruses infect host files associated with applications.
- Typically, user interaction is required for propagation, such as running a program or opening a document file.

Page 6

DEFINITIONS OF COMMON ATTACKS

• Worm - a program that copies itself over computer networks, infecting machines in remote locations.
- Typically, no user interaction is required, as the worm spreads via vulnerabilities or misconfigurations in target systems.
- Exponential growth: every newly infected machine starts attacking others, so the infected population multiplies each round until the vulnerable hosts are exhausted.

Page 7

DEFINITIONS OF COMMON ATTACKS

Anatomy of a worm:
• Warhead: penetrates the target
- Browsers that surf infected web servers
- Outlook e-mail
- Windows file sharing
- Backdoors left by previous worms
• Propagation engine: moves the worm body to the destination
- File transfer mechanisms such as FTP, HTTP and SMB
- Mail programs
• Target selection algorithm (TSA): looks for new victims to attack
- Addresses in received or sent e-mails
- IP addresses similar to the victim's own
• Scanning engine: fires warheads at the new victims
• Payload: what it does to the target
- Nothing ("null payload" worms)
- Opening up backdoors
- Planting a zombie (bot)
- Performing a mathematical operation (using the victims' CPUs for a distributed computation)
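The scanning-engine and exponential-growth points above are easiest to see in a simulation. The following Python model is an added example written for this transcript, not code from the presentation; it assumes a toy address space of 20,000 addresses of which 2,000 are vulnerable, a worm whose target selection is plain uniform random scanning (the simplest TSA), and a fixed number of scans per infected host per time step. All sizes are constructed for illustration.

```python
import random


def simulate_scanning_worm(address_space=20_000, vulnerable=2_000,
                           scans_per_tick=5, max_ticks=500, seed=1):
    """Toy random-scanning worm (constructed model, not any real worm).

    Each infected host fires `scans_per_tick` warheads at uniformly random
    addresses per time step; a scan that lands on a still-susceptible host
    infects it.  Returns the number of infected hosts after each tick,
    starting with the single initial victim.
    """
    rng = random.Random(seed)
    hosts = rng.sample(range(address_space), vulnerable)
    susceptible = set(hosts[1:])      # every vulnerable host except patient zero
    infected = {hosts[0]}
    history = [len(infected)]
    for _ in range(max_ticks):
        if not susceptible:
            break
        scans = len(infected) * scans_per_tick
        newly = {t for t in (rng.randrange(address_space) for _ in range(scans))
                 if t in susceptible}
        susceptible -= newly
        infected |= newly
        history.append(len(infected))
    return history


def ticks_to_reach(history, count):
    """First tick at which at least `count` hosts are infected (None if never)."""
    for tick, n in enumerate(history):
        if n >= count:
            return tick
    return None


def growth_summary(history, total):
    """Ticks at which 10% and 90% of the vulnerable population were infected.

    While most hosts are still susceptible the per-tick growth factor is about
    1 + scans_per_tick * vulnerable / address_space (1.5 with the defaults),
    so the curve is exponential; it flattens only when scans start landing on
    already-infected hosts (logistic shape).  The 10%-to-90% window is short
    compared with the slow, chance-driven start from a single victim.
    """
    t10 = ticks_to_reach(history, int(0.1 * total))
    t90 = ticks_to_reach(history, int(0.9 * total))
    return t10, t90


if __name__ == "__main__":
    h = simulate_scanning_worm()
    t10, t90 = growth_summary(h, 2_000)
    print(f"saturated after {len(h) - 1} ticks; 10%->90% took {t90 - t10} ticks")
    for tick in range(0, len(h), max(1, len(h) // 10)):
        print(f"tick {tick:3d}: {h[tick]:5d} infected")
```

A TSA that prefers addresses near the victim's own would change the early phase (local subnets fill faster) but not the shape of the curve; the practical lesson is that by the time the growth is visible in traffic graphs, most of the vulnerable population has already been hit.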

Page 8

DEFINITIONS OF COMMON ATTACKS

• Trojan horse - a program that seems to do something useful or interesting, but actually runs malicious code behind the scenes.
- E.g. screen savers
- A common use is a "trap door" (backdoor) that gives the adversary discreet access to the machine at a future date.

Page 9

DEFINITIONS OF COMMON ATTACKS

• Time bombs or logic bombs - programs that lie dormant until a specified event happens or a condition becomes true (a particular date, a counter reaching a value).
- Effective when coupled with a virus, which supplies the distribution the bomb itself lacks.

Page 10

TAXONOMY OF MALWARE

Malicious programs
  - Need a host program: viruses, logic bombs, Trojan horses
  - Independent: worms

Page 11

COMBINING MALWARE

• Worms and viruses are the transport mechanism for malicious code.
• Trojan horses and time/logic bombs are the malicious code itself.

Page 12

PART II: MALICIOUS MOBILE CODE

Page 13

MALICIOUS MOBILE CODE

• Mobile code is a lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention

• Malicious mobile code is mobile code that makes your system do something that you do not want it to do.

Page 14

MALICIOUS MOBILE CODE IS USED FOR A VARIETY OF NASTY ACTIVITIES

• Monitoring your browsing activities
• Obtaining unauthorized access to your file system
• Infecting your machine with a Trojan horse
• Hijacking your Web browser

Page 15

MOBILE CODE EXAMPLES

- Browser scripts
- ActiveX controls
- Java applets
- Mobile code in e-mail clients

Page 16

BROWSER SCRIPTS

    <script type="text/javascript">              <-- (a)
    function do_something() {
        // Code for this function would go here.
    }
    </script>                                     <-- (b)

• (a) Script begins

• (b) Script ends

Page 17

ACTIVEX CONTROLS

• A software component based on Microsoft's ActiveX technology that is used to add interactivity and more functionality, such as animation or a pop-up menu, to a Web page. An ActiveX control can be written in any of a number of languages, including Java, C++ and Visual Basic.

• The first time a control is accepted it is downloaded to your computer and registered. From then on it runs as native code with the full privileges of the logged-in user; there is no sandbox around it.

Page 18

AUTHENTICATION THROUGH CODE SIGNING

Page 19

JAVA APPLETS

• Java applets are relatively lightweight programs designed to be transmitted across the Internet.

• Java applet security model
- The Java applet security model forces downloaded Java applets to run within a highly restrictive sandbox.

• Attackers exploit bugs in the implementation of the JRE to allow an untrusted applet to escape from its sandbox.
- Example: a program called Brown Orifice (2000), which used flaws in Netscape's Java implementation to turn the browser into a Web server exposing local files.

Page 20

MOBILE CODE IN E-MAIL CLIENTS

• The majority of modern e-mail clients contain some form of Web browser functionality to display HTML, and with it the browser's mobile-code support and bugs.

• Turn off support for mobile code in your e-mail client if you don't use this functionality.

Page 21

Page 22

CONCLUSION

• Do not execute ActiveX controls, whether signed or not signed, unless you trust their author with access to your system.

• Do not execute signed Java applets unless you trust their author with access to your system.

• Remember that there is no such thing as "trust once" when it comes to ActiveX controls or Java applets, because a malicious program can grant itself perpetual trust once it has access.

• Disable support for mobile code that you do not require in your browser and e-mail software.

Page 23

PART III: PURPOSE OF MALWARE

Page 24

INCREASING MALWARE THREAT

Page 25

CHANGE OF PERSPECTIVE I

• Hackers wanted to show what they could do: the Morris Worm (1988)

• Malware used to be destructive: the "I Love You" virus (2000) deleted files and forwarded itself to the contacts in Outlook

• Today malware is usually not destructive any more; it works silently on the PC

Page 26

IT’S BUSINESS

• ”Sources of cybercrime will become increasingly organized and profit driven” (Gunter Ollmann, IBM)

• ”Hacker teams are highly professional, with strong focus on quality and the right marketing” (Thorsten Holz, University of Mannheim)

Page 27

BOTNETS FOR RENT

• Hacker groups rent out their botnets
• Reports suggest that botnets can be rented for $100/hour
• Pay-as-you-go scheme - cybercrime made easy!

Page 28

RETURN ON INVESTMENT

• Crime syndicates blackmail gambling sites/online shops (pay, or be taken offline by a botnet DDoS)
• They demand up to $50,000
• Stealing personal information (credit cards, bank accounts)

Page 29

BEYOND TRADITIONAL CRIME I

• The Sony rootkit scandal (2005): Sony BMG's XCP copy protection on audio CDs automatically installed software on PCs. Sony wanted improved copy protection, but introduced new security holes on computers running Windows, since the rootkit's cloaking could be used by any other malware to hide itself.

Page 30

BEYOND TRADITIONAL CRIME II

• Remote forensic software
- Governments install spyware on the computers of "suspected" persons
- The FBI uses a tool called "Magic Lantern"
- Key loggers are used in order to get sensitive information
- Conflicts with the legislation

Page 31

FUTURE TRENDS

• Cybercrime in virtual worlds
• Increase in botnets
• Mobile devices
• Virtual-machine rootkits (Blue Pill)

Page 32

SUM UP

• High risk
• Focus is on "business" - earning money is important
• Malware gets smarter and thus harder to detect
• Magnus will now talk about avoiding malware

Page 33

PART IV: AVOIDING MALWARE

Page 34

STRATEGY

1: User education & restricted user privileges.
2: Avoiding common software "packages".
3: Anti-virus software (locally and at network gateways).

Page 35

1 USER EDUCATION

METHODS
• Educate users to avoid them making known mistakes.
• Restrict the privileges of user accounts (configuration hardening).

PROBLEMS
• Most users are not willing to spend time learning security.
• Even expert users are not immune to unexpected attacks (Bubble Boy, 1999: a VBScript worm embedded in an HTML e-mail that ran as soon as the message was opened or previewed in Outlook, with no attachment to double-click).

Page 36

BUBBLE BOY - 1999


Page 38

2 AVOID COMMON SOFTWARE

EXAMPLES
• The "Microsoft Word" - "Outlook" combination.
• The "WordPress" CMS.

METHOD
• Avoid common software, or at least include less popular software somewhere in your workflow, so that an attack written for the common package does not work end to end.

PROBLEMS
• What is common software?
• How can you be sure that security issues will be identified and addressed when using less common software?

Page 39

3 ANTI-VIRUS SOFTWARE

METHOD
• Scan all incoming files for malware.

PROBLEMS
• New malware emerges.
• Malware authors camouflage already known threats.

Page 40

• Scan locally or use Secure Web Gateways.

Page 41

MALWARE SIGNATURES

• The fingerprints of malware (also called DAT files)
• Performance improvements
- Fingerprints are matched to certain file types.
- Depending on the file type, different areas of the file are scanned.


Page 43

NEW MALWARE

• Can actually be new malware, or camouflaged versions of old threats.

• Polymorphism and metamorphism (obfuscated code)
- Changed variable names.
- Changed order of the instructions in the malware program.
- Encryption: the body is encrypted with a new key per copy, and only a small decryptor stub stays in clear (polymorphism).
- Metamorphism: the code itself is rewritten on each generation, so there is no constant body to encrypt or to match.

Page 44

HOW TO IDENTIFY MALWARE WITH AN UNKNOWN SIGNATURE

• Generic signatures.
- Often broken up and containing "wildcard areas", so one signature matches a whole family.
- Not good for totally new malware.
• Emulation: run the sample on a virtual CPU so that encrypted or packed code unpacks itself before it is scanned.
• Heuristics.
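A small scanner makes the relationship between the previous two slides concrete: an exact byte signature, a generic signature with wildcard areas, and emulation that strips an encryption layer before matching. This is an added example written for this transcript, not code from the presentation or from any anti-virus product; the "malware body" (a harmless marker string), its XOR decryptor stub (the `STUB:k=...:LOOP` layout), and both signatures are constructed here for illustration.

```python
import re

# Constructed stand-in for a malicious body: a marker string, no real code.
BODY = b"PAYLOAD: format c: /q ; mail self to all outlook contacts"

# 1. Exact signature: a fixed byte string taken from the plain body.
EXACT_SIGNATURES = {"Toy.Payload.A": b"format c: /q"}

# 2. Generic signature: the decryptor stub's fixed framing with wildcard areas.
#    The one-byte key and two-byte length differ per sample, so they are '.'.
GENERIC_SIGNATURES = {
    "Toy.Payload.gen": re.compile(rb"STUB:k=.:len=..:LOOP", re.DOTALL),
}

# Layout the emulator understands (same framing, with capture groups).
STUB_LAYOUT = re.compile(rb"STUB:k=(.):len=(..):LOOP", re.DOTALL)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; used both to 'encrypt' the body and to undo it."""
    return bytes(b ^ key for b in data)


def make_polymorphic_variant(body: bytes, key: int) -> bytes:
    """Constructed polymorphic packaging: decryptor stub + XOR-encrypted body.

    A different key gives a different ciphertext, so an exact signature taken
    from the plain body no longer matches; only the stub framing is constant.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    stub = (b"STUB:k=" + bytes([key]) + b":len="
            + len(body).to_bytes(2, "big") + b":LOOP")
    return stub + xor_bytes(body, key)


def scan_exact(sample: bytes) -> list:
    return [name for name, sig in EXACT_SIGNATURES.items() if sig in sample]


def scan_generic(sample: bytes) -> list:
    return [name for name, pat in GENERIC_SIGNATURES.items() if pat.search(sample)]


def emulate(sample: bytes) -> bytes:
    """Minimal 'emulation': recognise the decryptor stub, perform the
    decryption it would perform, and hand the decrypted body to the scanner.
    Samples without the stub are returned unchanged."""
    m = STUB_LAYOUT.match(sample)
    if not m:
        return sample
    key = m.group(1)[0]
    length = int.from_bytes(m.group(2), "big")
    ciphertext = sample[m.end():m.end() + length]
    return xor_bytes(ciphertext, key)


def scan(sample: bytes) -> dict:
    """Run all three detection layers and report which ones fired."""
    return {
        "exact": scan_exact(sample),
        "generic": scan_generic(sample),
        "emulated": scan_exact(emulate(sample)),
    }


if __name__ == "__main__":
    print("plain     :", scan(BODY))
    for key in (0x21, 0x5A, 0xC3):
        print(f"key={key:#04x} :", scan(make_polymorphic_variant(BODY, key)))
```

The generic signature catches every variant produced by this stub but nothing produced by a rewritten stub, which is the "not good for totally new malware" limitation; emulation is the layer that survives a key change, at the cost of CPU time per scanned file.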

Page 45

HEURISTICS

• Establish a database of typical malware traits:
- Attempts to access the boot sector.
- Attempts to locate all documents in the current directory.
- Attempts to write to an EXE file.
- Attempts to delete hard drive contents.
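Heuristic detection scores a sample by the traits it exhibits rather than by exact bytes. The following Python scorer is an added example written for this transcript, not code from the presentation or from any vendor engine; the trait rules mirror the list on this slide, while the sandbox-style trace format, the trace lines fed to it, the weights and the thresholds are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed trace format: one monitored event per line,
# "<API> <argument> [access flags]".  A real monitor logs far more detail.
DOC_GLOB = re.compile(r"\*\.(doc|docx|xls|xlsx|pdf)$", re.IGNORECASE)
EXE_WRITE = re.compile(r"^CreateFile (\S+\.exe) .*GENERIC_WRITE$", re.IGNORECASE)


@dataclass(frozen=True)
class Trait:
    name: str
    weight: int                           # constructed weights, not a vendor's
    present: Callable[[List[str]], bool]  # does the whole trace show this trait?


TRAITS = [
    Trait("boot-sector access", 5,
          lambda t: any(l.startswith(r"CreateFile \\.\PhysicalDrive") for l in t)),
    Trait("enumerates documents", 2,
          lambda t: any(l.startswith("FindFirstFile") and DOC_GLOB.search(l) for l in t)),
    Trait("writes to executable", 3,
          lambda t: any(EXE_WRITE.match(l) for l in t)),
    Trait("mass deletion", 4,
          lambda t: sum(l.startswith("DeleteFile ") for l in t) >= 10),
]

MALICIOUS_AT = 7      # constructed thresholds
SUSPICIOUS_AT = 3


def score_trace(trace: List[str]) -> Tuple[int, str, List[str]]:
    """Score a trace by the distinct traits it shows.

    One trait on its own (an installer writes EXE files, an editor enumerates
    documents) stays below the 'malicious' line; it is the combination of
    traits that convicts.  That is also where heuristics err: a backup or
    disk-repair tool legitimately touches the boot sector and many files.
    """
    hits = [tr.name for tr in TRAITS if tr.present(trace)]
    score = sum(tr.weight for tr in TRAITS if tr.name in hits)
    if score >= MALICIOUS_AT:
        verdict = "malicious"
    elif score >= SUSPICIOUS_AT:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return score, verdict, hits


# Constructed traces (not recorded from any real sample).
WORM_TRACE = [
    r"CreateFile \\.\PhysicalDrive0 GENERIC_WRITE",
    r"FindFirstFile C:\Users\alice\Documents\*.doc",
    r"CreateFile C:\Windows\notepad.exe GENERIC_WRITE",
] + [rf"DeleteFile C:\Users\alice\Documents\report{i}.doc" for i in range(12)]

INSTALLER_TRACE = [
    r"CreateFile C:\Tool\tool.exe GENERIC_WRITE",
    r"CreateFile C:\Tool\helper.exe GENERIC_WRITE",
    r"RegSetValue HKLM\Software\Tool\Version 1.0",
]

EDITOR_TRACE = [
    r"FindFirstFile C:\Users\alice\Documents\*.doc",
    r"CreateFile C:\Users\alice\Documents\letter.doc GENERIC_READ",
    r"CreateFile C:\Users\alice\Documents\letter.doc GENERIC_WRITE",
]

if __name__ == "__main__":
    for label, trace in (("worm", WORM_TRACE), ("installer", INSTALLER_TRACE),
                         ("editor", EDITOR_TRACE)):
        print(f"{label:10s}", score_trace(trace))
```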

Page 46

CURRENT THREAT PATTERNS

• Classic and server-side polymorphism
• 10,000+ new strains per day
• Each victim potentially attacked by a different strain
• Today a signature protects fewer than 20 users; earlier, more than 100,000
• Blacklisting strategy increasingly ineffective

Page 47

SOLUTIONS (ACCORDING TO SYMANTEC)

• Whitelisting: signatures for known-good (non-malware) files.
• Reputation-based approach.
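The two approaches on this slide can be sketched as one decision function that consults a known-good hash list first and, for everything unknown, a prevalence/age reputation score. The following Python is an added example written for this transcript, not Symantec's or any vendor's implementation; the whitelist entry, the file contents, the scoring formula and its thresholds are constructed for illustration, and the user-count and first-seen-age inputs stand in for the telemetry a real reputation back end would collect.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good inventory: hashes of files the vendor has vetted.
# A real whitelist holds millions of entries collected from publishers.
VENDOR_TOOL = b"constructed stand-in for the bytes of a vetted vendor binary"
KNOWN_GOOD = {sha256_hex(VENDOR_TOOL): "vendor-tool 1.0"}


@dataclass(frozen=True)
class Telemetry:
    """Constructed stand-in for the signals a reputation back end collects."""
    users_seen: int   # endpoints that have reported this exact hash
    age_days: int     # days since the hash was first seen anywhere


def reputation_score(t: Telemetry) -> int:
    """0..100 on a constructed scale: wide, long-established use earns trust.

    A file seen by a handful of users that appeared days ago matches the
    server-side polymorphism profile from the previous slide (one strain per
    victim), so nothing it produces ever becomes prevalent or old.
    """
    score = 0
    if t.users_seen >= 10_000:
        score += 50
    elif t.users_seen >= 100:
        score += 30
    elif t.users_seen >= 20:
        score += 10
    if t.age_days >= 365:
        score += 50
    elif t.age_days >= 30:
        score += 30
    elif t.age_days >= 7:
        score += 10
    return score


def decide(data: bytes, telemetry: Telemetry,
           allow_at: int = 60, block_below: int = 20) -> Tuple[str, str]:
    """Whitelist first, reputation second. Returns (verdict, reason).

    The whitelist is an exact-hash match: a single changed byte (a tampered
    or trojanised copy of a vetted tool) drops the file to the reputation
    path, where it is rare and new and therefore blocked.
    """
    digest = sha256_hex(data)
    if digest in KNOWN_GOOD:
        return "allow", f"whitelisted as {KNOWN_GOOD[digest]}"
    score = reputation_score(telemetry)
    if score >= allow_at:
        return "allow", f"reputation {score}"
    if score < block_below:
        return "block", f"reputation {score}: rare and new"
    # Grey zone: hold the file for the slower checks (emulation, heuristics).
    return "quarantine", f"reputation {score}: unknown"


if __name__ == "__main__":
    print(decide(VENDOR_TOOL, Telemetry(users_seen=1, age_days=0)))
    print(decide(VENDOR_TOOL + b"\x00", Telemetry(users_seen=1, age_days=0)))
    print(decide(b"fresh dropper", Telemetry(users_seen=3, age_days=0)))
    print(decide(b"popular freeware", Telemetry(users_seen=250_000, age_days=800)))
    print(decide(b"new release", Telemetry(users_seen=150, age_days=10)))
```

The weakness practitioners run into is the grey zone: every legitimate new release starts out rare and young, so a reputation system needs a second signal (publisher signature, download source, sandbox verdict) to avoid blocking the world's software on day one.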

Page 48

THE END