Today's malware aint what you think

Presenter BIO
Roger A. Grimes
 CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
 InfoWorld Contributing Editor, Security Columnist, Product
Reviewer, and Blogger
 23-year Windows security consultant, instructor, and author
 Author of seven books on computer security, including:
 Windows Vista Security: Security Vista Against
Malicious Attacks (Wiley, 2007)
 Professional Windows Desktop and Server Hardening
(Dec. 2005)
 Malicious Mobile Code: Virus Protection for Windows
(O’Reilly, 2001)
 Honeypots for Windows (Apress, December 2004)
 Author of over 300 national magazine articles on computer
security
 Principal Security Architect for Microsoft InfoSec ACE Team

Presentation Summary
 Quick History of Past Malware Threats
 Today's Threats
 Anatomy of Today's Cyber Attack
 Malware Examples
 Best Defenses

Malware Has Been Around Since The Beginning of
Computers
 Most early malware were network worms
 Late 1960’s – John Conway’s Game of LifeCore Wars
 Imp
 1971, Creeper worm was written by Bob Thomas of the
BBN (Bulletin Board Network)
 (First PC, Altair 8800, 1974)
 IBM Christmas worm –Dec. 1987
 Robert Morris Worm –Nov. 1988
Historic Malware Trends

 (Apple computer invented 1976)
 1982 - Richard Skrenta, Jr. a 9th grade high school
student, a Core War fan, wrote a 400-line Apple II boot
virus, called Elk Cloner
 Spread around the world
 Every 50th boot would present message
 No virus scanners or cleaners at this time
 (IBM PC introduced in late 1981)
 1986 – Pakistani Brain – first IBM-compatible virus
 1987 – Stoned, Jerusalem, Cascade (encrypted), Lehigh
First PC Viruses – Boot Viruses

 Boot Viruses
 Even though they made up just a few percent of the
malware programs, they accounted for most of the
infections
 March 1992 – Michelangelo
 Executable Viruses
 Some Trojan Horse Programs
 Some Worms, but not many
Most malware programs were not intentionally
malicious
Early PC Malware

 1985 – Macro viruses
 1998 – HTML viruses
 2001 – Code Red – IIS worm
 2003 – SQL Slammer
 Fastest exploit to date – 10 minutes to infect world
 2003 – MS Blaster
 In 99.9999% of cases, patch was available before exploit
was released
PC Malware Hits Mainstream

 From 1999 to late 2006, about 90% of malware attacks
arrived via email
 VBScript, Javascript
 Malicious file attachments
 Rogue embedded links
 Spam
 MIME-type mismatches
 Social-engineering methods
 Melissa, I love you worm
Email wormsviruses

 Still, most were not intentionally malicious
 Those were the days!
Email wormsviruses

 Run an up-to-date antivirus program
 Run a host-based firewall that prevents
unauthorized outbound connections
 Be fully patched
 Visit only trusted web sites
 Careful opening unexpected documents
 Use other programs and OSs to remain safe
Current Malware Trends
Conventional Defense Wisdom

 AV is not all that accurate and cannot be relied
upon
 Host-based firewalls really don’t work most of
the time
 Nobody fully patches
 Trusted web sites are how you get infected
 Many attacks work cross-platform or don’t care
about OS or app
 Targeted spearphishing makes determining what
documents you should open hard to do
Sadly...

 Malware and hacking is worst than ever!
 Even though we already do all the recommended
stuff
Sadly...

 Mostly trojans, worms, and downloaders
 Professionally written
 Development forks, teams
 Criminally-motivated
 Bots & botnets
 Tens of millions of PCs “owned” at any one time
 Designed To Get Money
 Steal passwords, identity info, DDoS attacks
 Mostly asks for permission to run and user responds
“YES”
Current Malware Landscape
New Malware Model

 Cybercriminals are stealing tens of millions (at
least) of dollars every day
 2009 Verizon Data Breach report found that 91
percent of all compromised records in 2008 was
attributed to organized criminal activity.
Criminally Motivated

 Cybercriminals are stealing tens of millions (at
least) of dollars every day
 2009 Verizon Data Breach report found that 91
percent of all compromised records in 2008 was
attributed to organized criminal activity.
 “On the brighter side, we are happy to report that these
efforts with law enforcement led to arrests in at least 15
cases.”
Criminally Motivated

1. User visits “innocent” infected web site
2. Contains simple Javascript redirector
3. Prompts user to install fake program
 Anti-virus scanner, patch, codec, malformed PDF, etc.
4. First program is a small downloader
 Starts the malware process
 Provides bot control
 Dials home for more instructions
Most Common Malware Cycle

Only Visit Trusted web sites
Good advice?

 What has trusted ever meant anyway?
 How do I know I can trust it?
 Do those “seals of approval” mean anything?
Trusted Web Sites?

 What has trusted ever meant anyway?
 How do I know I can trust it?
 Do those “seals of approval” mean anything?
 Me, I feel safer on a pay-for-view porn site!!
Trusted Web Sites?

 77 percent of web sites with malicious code are
legitimate sites that have been compromised
 61 percent of the top 100 sites either hosted
malicious content or contained a masked redirect to
lure unsuspecting victims to malicious
 37 percent of malicious Web/HTTP attacks included
data-stealing code
 57 percent of data-stealing attacks are conducted over
the Web
Innocently Infected Web Sites

How?
 Web site itself compromised
 Misconfiguration
 Vulnerability
 Allows user postings
 Malicious ads from legitimate ad services
 Malicious sponsored ads on search engines
 Poisoned search engine results
 Web site codelets created by bad guys to go
malicious one day

Tens of Millions of Malicious Web Sites
 Look real, but completely malicious
 Often taken there by OS or app help program or
search engine
 Promote product that is nothing but malicious
 Have entire teams of people dedicated to promoting
product on “independent” blogs, review magazines,
etc.
 Ex: You must have this codec to watch these car
racing videos on YouTube
Some aren’t so Innocent!

Poisoned Ad Services
 You name the major web site and it has probably
hosted malicious ads
 Ads posted by web site owner, marketing firm hired
by web site, compromised ad service, or hacking
 Avast - the most compromised services are Yahoo’s
yieldmanager.com and Fox’s fimserve.com
 Responsible for more than 50% of poisoned ads
 Doubleclick.net too
http://blog.avast.com/2010/02/18/ads-poisoning-
%e2%80%93-jsprontexi/

Poisoned Cartoons?
 King Features, a newspaper comic distributor was
hacked
 King Feature distributes online comics to about 50
different newspapers
 Online readers were prompted to download a
malicious PDF
 http://voices.washingtonpost.com/securityfix/2009/
12/hackers_exploit_adobe_reader_f.html

Search Engine Poisoning
 Bad guys create web sites that are very attractive to search
engine bot crawlers (e.g. lots of links with lots of
keywords)
 It is not uncommon to find malicious links in 15% to 20%
of the first 100 results from a search
 Some of the most popular searches will return 90%
 Malicious web sites are generated are often generated on
the fly, changed only by a single keyword in the URL
 http://www.cyveillanceblog.com/general-
cyberintel/malware-google-search-results

SEO Kits
 Poisoned search engine results often created by Search
Engine Optimization (SEO) kits
 Kits download must popular search engine requests from
the search engines themselves (e.g. googletrends)
 Then generate web site on the fly with those keywords
and images
 Generates thousands of web sites with those keywords
and link to each other
 http://www.sophos.com/sophos/docs/eng/papers/sopho
s-seo-insights.pdf

Sponsored Ads
 Search engines often host sponsored ads that redirect to
malicious sites and code
 Nearly all search engines involved
 Certainly the ones you use are
 Due to malware companies posing as legitimate
companies and switching up ads or legitimate web sites
being infected that paid for legitimate ad time

Sponsored Ads

Many Infected Host Providers Are Slow To
Respond
 Example: ThePlanet.com
 Stopbadware.org notifies ThePlanet when they note
an infected web site hosted by ThePlanet
 Averages 12K-20K infected sites a month
 1 month after reporting, 12K of reported web sites
remain infected
 4.5K remain infected after 7 months

Bulletproof Hosting
 Many companies advertise on the promise that they
will keep your web site up no matter what you do
with it
 The Russian Business Network is number one in this
space
 McColo was #2 before 2008 takedown
 Plenty of competition
 Located in countries without appropriate laws
Not-So Innocently Infected Web Sites

Bulletproof Hosting -Examples
Not-So Innocently Infected Web Sites

`
Dynamic DNS Server
Initial Mothership
Web Server
Dynamic Mothership
1. Bot program exploits
victim PC and installs
itself
2. It “phones home”
using dynamic DNS
server to find
“mothership”
3. Finds mothership,
downloads new code and
instructions
4. Repeats 1-20 times
5. Infects new victim PCs
6. Sometimes plays role
of bot host, sometimes of
dynamic DNS server,
sometimes mothership
-Created for just this single
victim instance
-Can be a legitimate DNS
server or exploited system
-Usually just another
exploited victim or web
server
-Updates dynamic DNS
server with current IP
address
-Mothership updates may
cycle 20 times
-Sends bot host new
programs, new payload, new
instructions
New Malware Model Steps

1. Infect or Exploit
2. Modify system to gain control
3. Phone “home” to get code update
Repeat this step 1-20 times
4. Modify host and spread to create bot net
5. Steal information-financial, passwords, etc.
6. Able to bypass any authentication method
7. When finished, self-delete, cover up tracks
New Malware Model Steps

 Self-healing bot nets
 Intended to live only a few hours
 Auto-updating
 Design To Hide
 Millions of malicious links on social networking
sites
 Some of the biggest users of Facebook, Myspace, and
Twitter
New Malware Model (con’t)

 Silent Drive-by-Downloads and one-click and your
owned traps used to be the way people got infected
 Require unpatched software and vulnerabilities
 UAC and other browser protections make this harder to
do
 Still happens, but now in the minority
 OS patching is nearly 100% now
 App patching could be better
 Malware writers are mostly targeting unpatched
Internet browser apps now

 In most cases, people are tricked into intentionally
installing a malware program
 99% of the risk in most environments
 Occasionally, a roving worm, like Conficker, becomes Ms.
Popularity for a few days or months

 Vuls. trending down since 1H 2007
Known Vulnerabilities Going Down Year-after-Year
 Figures for all reporting vendors

 Even OS and Browser Vulnerabilities Are Flat
Known Vulnerabilities Going Down Year-after-Year
 From MS SIR 8

 Especially in the browser space
 Every new browser vendor promises to make the
perfectly secure browser that apparently Microsoft
cannot seem to make
 Later on I’ll tell you how it doesn’t matter at all
anyway
Still Plenty of Vulnerabilities

 Firefox – 169
 Apple Safari – 94
 Internet Explorer – 45
 Google Chrome – 41
 Opera - 25
Number of Browser Vulnerabilities in 2009
 From SymantecSecunia

 Firefox – 52
 3.0-15, 3.5-18, 3.6-19
 Apple Safari 4– 17
 Internet Explorer 8 – 21
 Google Chrome – 28
 Opera – 6
 Of all browsers Symantec analyzed in 2009, Safari had the longest window
of exposure (the time between the release of exploit code for a
vulnerability and a vendor releasing a patch), with a 13-day average; IE, FF,
and Opera had the shortest windows of exposure, avg 1 day.
Number of Browser Vulnerabilities in 2010 (so far)

 The way almost all your users are getting
infected is direct action trojans
But Vulns Don’t Matter All That Much

 By a huge percentage, trojans are number one!
Trojans Are #1!
(From Microsoft SIR 8)
Exploits
Trojans
Trojans

But Worms are more frequent on work computers

 Trojan program looks “really, really” authentic
 Coming from legitimate web sites, spam, phishing
attacks
 Bad guy often buys ads on search engines or “poisons”
search engine results
 Certain keywords are more likely to bring up malware
than legitimate web sites
 Bad guys use the latest news (e.g. earthquake, celebrity
event, etc.)
 Often accidentally redirected to malware sites by
legitimate trusted software
Why Are They So Prevalent?

Tricking End Users
Antivirus 2010

 In one year, Google found over 11,000 web sites
offering fake AV scanners
 1,462 unique new installer programs per day
 20% detection rate by real AV
 1 hr – median time redirection web site is up before
hackers move on
 In SIR 8, Microsoft said its security products cleaned
fake anti-virus related malware from 7.8 million
computers in the second half of 2009.
Fake AV Stats – from Google

Apparently worry about copyright infringement

 Millions of new programs created every year
 Challenging for pure definition scanners to keep up
 No antivirus scanner will ever be perfect
 Check out http://www.virustotal.com/estadisticas.html

 “Zero-day” exploits becoming more common
 One attack program can have 20 exploit vectors
 DNS tricks
 Poisoning, hosts file manipulation
 Sound-alikes
 One-offs (everything unique for each victim)
 Millions of malware programs each year
 Symantec reported 2.8 M malware programs in 09
 More than legitimate programs
Infection or Exploit

Known Malware Detection Rates Not Bad
www.virusbulletin.com
 Dozens of AV scanners routinely detect 100% of the
known malware programs in the wild with zero false-
positives
 Awarded VB100
Malware Is Hiding Better

First-Day Malware Detection Rates Could Be Improved
www.av-test.org (Dec. 2009)
 Brand new threats were released and tested
 Best products detected malware 98% of the time, blocked
95% of the time
 Average product was 70-90% effective
 Sounds good until you realize that out of 100 users in
your network, at least two of them will be presented with
a trojan program that is not detected as malicious
 Now multiple that by the size of your user base, especially
over time

How Does Malware Hide?
Early Techniques:
 Encrypted – hide the malware so it can’t be scanned
 Oligomorphic- multi. encryption/decryption engines
 Polymorphic- random encryption/decryption
 Metamorphic- mutates malware body, looks for compiler
on host and re-compiles malware on-the-fly

Today’s Techniques:
 HTML Encoding/Obfuscation
 Character set (e.g. UTF-8, UTF-7, Unicode) encoding
 Compression (e.g. multi-compressed zip files)
 Packers, Multi-packers
 SSL/TLS/encryption for travel and communications
New Malware Is Hiding Even Better

 Language encoding (e.g. simplified Chinese)
 Transfer encoding (e.g. chunked, token-extension)
 Packet fragmentation, time-outs
 Password protected files
 Embedded code (e.g. RTF links)
 Embedded in thick content (e.g. PDF, Flash, MS-Office
objects)

 Dynamic DNS names
 Dynamic IP addressing
 One-time URLs (unique per victim)
 Self-deleting malware
 Delete and come back when needed

 Responsible for up to nearly 50% of all successful
web-based attacks.
Adobe Acrobat Malware Is a Huge Problem

 Usually arrives in email
 Sender has internal details
 Most captured from company’s public web site and news
 Other times, obviously has insider knowledge of project
or detal
 Often target senior executives
 Project document, pending lawsuit, child support inc.
 Common scam: Target accounting to infect the payroll
transfer transaction computer
 Defense: That computer should not be connected to the
normal network or used for anything else, highly guarded
and secured
Targeted Spearphishing

 Can arrive in email
Adobe Acrobat Malware Example

 Prompts User to Save Another “PDF” file

 Can be prevented by modifying one setting

 Most attacks several years old.
Do You Patch Office?

 More than half (56.2 percent) of the attacks affected
Office program installations that had not been
updated since 2003.
 Most of these attacks involved Office 2003 users who
had not applied a single service pack or other
security update since the original release of Office
2003 in October 2003.
Do You Patch Office?

CAN-SPAM Act of 2003 took down spam!

 25% - Percentage of spam when CAN-SPAM Act was
passed
Spam stats

 Spam is most of our email
 88% according to Symantec
 93% according to MessageLabs
 95 percent of user-generated comments to blogs, chat
rooms and message boards are spam or malicious.
(Websense 2009 report)
 Spearphishing for targeted attacks increasing greatly
 85% of spam is sent by bots from innocently infected
computers (Symantec)
 20% of all spam sent in March 2010 used TLS
(MessageLabs)
Spam stats

 Spammers bypass CAPTCHAs, by:
 OCR – recognize the symbols
 VCR – recognize the voice
 Paying third world country employees to manually
answer
 Freelancer.com - dozens of such projects are bid on
every week.
 80 cents to $1.20 for each 1,000 deciphered boxes or
about $6 every 15 days for the average worker
Spammers Still Abusing Free Web Mail

Per MessageLabs
 Hundreds of billions of spams are sent each day
 85% from spambots, 90% from the top five bots
 Rustock – largest current botnet with 2.4M hosts,
responsible for 1/3rd of all spam
 Grum- Responsible for 24% of all spam
 Mega-D – Responsible for 18% of all spam
 Top spam bots vary according to measurer, but Rustock
always gets #1 spot
Bot Nets and Spam

Popular Botnet Families

 Many commercial bot net kits
 Management interfaces
 24 x 7 tech support
 Bypass any authentication
 Made to order
Example: ButterflyMariposa bot net (March 2010)
 13 million controlled computers in 190 countries
 Run by three non-experts, required very little skill
 Bought original bot kit for $300
Bot Nets

 Crum - $200 – Creates polymorphic encrypted
malware, free updates
 Eleonore Exploits Pack –$700 – several exploits
including MS, Firefox, Opera, and PDF
 Neon – $500- PDFs (including FoxIt), Flash, Snapshot
 Adrenaline- $3000- keylogging, theft of digital
certificates, encryption of information, anti-detection
techniques, cleaning of fingerprints, injection of viral
code, etc.
http://malwareint.blogspot.com/2009/08/prices-of-
russian-crimeware-part-2.html
Malware Kit Examples

Crime Does Pay

 For the most part, we aren’t catching many of the criminals
 International jurisdictions, non-compliant countries, no hard
evidence, real crimefighting takes time
 Users/admins not doing the simple things they should be
doing to stop malicious attacks
 Attackers don’t need complex, hypervisor attacks to do
damage; current attacks doing just fine
 Vendors could produce zero-defect software and it would
not make a measurable dent in cybercrime
Future Not Looking That Great

The most popular software in a particular
category will be successfully attacked the most
Grimes Corollary

The most popular software in a particular
category will be successfully attacked the most
Grimes Corollary
Regardless of whether or not Microsoft made it!
 Windows, IE, Microsoft Office
 PDF over XPS
 Apache over IIS
 Quicktime over Windows Media Player
 ActiveX over Java Applets

AuctionSales Site scams
 Selling a car or motorcycle for an unbelievable
price with unbelievable terms
 “I’ll give you the best price ever and pay for
international shipping”
 Send your money to a “trusted, third party”
 “Buyer protection”
 Doesn’t care what your OS or browser is
 So much for your anti-malware programs
Many Times No Malware Needed

 Auction Car Sale Scam Example

 Auction Car Sale Example

Lessons To Take Away
 Malware usually comes from innocently infected web sites
 Visiting only “trusted” web sites is not great advice anymore
 Consider investing more in technologies that can mitigate
these types of threats
 Educate end users about the current state of malware
**If we could educate users to not install fake programs, the
majority of the current malware threat would disappear
overnight
Forming a Defense

Best End-User Defenses
 Don’t be logged in as Administrator or root when
surfing the web or reading email
 Run up-to-date anti-malware programs
 Antivirus, Firewalls, Anti-spam, Anti-phishing, intrusion
detection
 Fully patch OS and all applications, including
browser add-ons (harder than it sounds)
 Use good, secure defaults
Fight the Good Fight

 Educate end-users to most likely threats
 Tell them to learn what their AV software looks like
and what it doesn’t
 Show them what their patching software looks like
 Tell them not to install software offered by their
favorite web site
 Does your educational content contain this
information?
 Phish your own users (be the first!)

 Use search engines that contain anti-malware
abilities (e.g. Bing, Google, etc.)
 Use browsers that have anti-malware checkers
 Most of the popular ones, but not all
 Look for unusual network traffic patterns
 Unexpected large transfers, workstation-to-workstation,
server-to server
 Install honeypots as early warning detectors

Future Defenses
 Most countries are starting to work together better
(although very slowly)
 Ultimately will take rebuilding the Internet
 Building in pervasive identity and accountability
 Still support anonymity
 Will have to be done incrementally
 Support End-t0-End Trust initiatives
 All needed protocols are already in place
 See Trusted Computing Group’s work
 Microsoft’s End To End Trust
Forming a Defense

 e: roger@banneretcs.com
Questions

Today's malware aint what you think

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Today's malware aint what you think

Ähnlich wie Today's malware aint what you think (20)

Mehr von Nathan Winters

Mehr von Nathan Winters (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Today's malware aint what you think

Hinweis der Redaktion