Crimeware

1
Crimeware

• Robert M. Slade, MS, CISSP
• rslade_at_computercrime.org, cissp_at_shaw.ca,
  rslade_at_isc2.org
• http//victoria.tc.ca/techrev/rms.htm

2
Only a nuisance?

• Malware (malicious software) is often the orphan
  of computer security.

3
Non-standard

• Upsets bastion mentality
• enemy within, rather than without
• Computer viruses, in particular, do not have to
  have an obvious point of origin, or a director
  for the attack.

4
Financial losses

• 2005 FBI survey (and others)
• Highest category of cybercrime (of 17)
• Fully one-third of ALL losses
• 62 Billion (est.) for USA
• Supported by subsequent surveys and estimates

5
Malware and Viruses Definition

• Malicious Software
• Intentionally designed for penetrating a system,
  breaking security policies, or malicious payloads
• Bugs or errors not included
• Backdoors, data diddlers, DDoS, hoax warnings,
  logic bombs, pranks, RATs, trojans, viruses,
  worms, zombies, etc.

6
Not your father's malware

• Modern malware is network aware
• New means of spread
• New methods of attack
• New payloads

7
Malware types

• Virus
• Worm
• Hoax warning
• Trojan
• Logic bomb
• Data diddler
• RAT (Remote Access Trojan)
• DDoS (Distributed Denial of Service) zombie
• Prank
• Instances cross boundaries, converge more than
  one type of malware in program
• This does not mean that it is not important to
  make distinctions

8
Virus

• Central characteristic is reproduction
• Generally requires some action by the user
• May or may not carry payloads
• Payload may or may not be damaging
• other malware, file retrieval, encryption
  extortion, etc, etc ...

9
Virus criminal use

• Distribute payload (botnets)
• Retrieve data (Sircam, Klez)
• Crypto extortion
• Phishing distribution
• Malware economies

10
Worm

• Reproduces
• Generally uses loopholes in systems
• Does not involve user
• Often attacks server software of some type
• rapid spread ...

11
Trojan horse

• Stated positive utility
• Hidden negative payload
• keylogger, password stealer, financial files
  (credit cards), identity theft, phish, etc ...
• Social engineering
• Most common form of crimeware
• so far ...

12
Phishing

• Fake sites
• Mirror real sites
• Browser chrome
• Convince user to input identity and
  authentication data
• Phishing kits
• Fraud in a box

13
Data diddler

• Payload in a trojan or virus that deliberately
  corrupts data, generally by small increments over
  time
• Relatively rare, but recently re-introduced

14
DDoS

• Expands denial of service
• Middle of master / attacker agent target
  structure
• Hides attacker, multiplies attack
• Extortion

15
RAT (Remote Access Trojan)

• Installed, usually remotely, after system
  installed and working, not in development
• Trojan vs. tool
• Rootkits require working account, RATs generally
  dont

16
Spyware and Adware

• Intended as marketing, not malice
• Installed with other software
• As a separate function or program
• Generates unwanted or irrelevant advertising
• Reports on user activities
• possibly other installed programs, possibly user
  surfing
• Drive-by downloads

17
Botnets

• Multiple computers controlled remotely
• Installed by virus-carried RAT, drive-by, etc
• Similar functionality to DDoS
• 2003 used for spamming
• Spambotnets
• Used to distribute new viruses
• DDoS extortion attacks

18
(Digression)

• ISOI II
• secret meetings on botnet research
• (agenda posted on Website)
• New detection technologies
• Reports on research
• Researchers as organized crime targets?
• CastleCops DdoS attack

19
Coincidence?

• 86.91.28.132 - - 19/Feb/2007151018 0000
  "GET / HTTP/1.1" 200 497 "http//you.shut.us.down.
  we.shut.you.down.is.it.a.trade.or.not.net"
  "Mozilla/4.0 (compatible)"
• 72.134.56.15 - - 19/Feb/2007151018 0000
  "GET / HTTP/1.1" 200 497 "http//you.shut.us.down.
  we.shut.you.down.is.it.a.trade.or.not.net"
  "Mozilla/4.0 (compatible)"
• 195.39.161.105 - - 19/Feb/2007151018 0000
  "GET / HTTP/1.1" 200 497 "http//even.prolexic.can
  t.protect.you.net.wanna.try.akamai.ill.drop.them.t
  oo" "Mozilla/4.0 (compatible)"
• 24.205.238.48 - - 19/Feb/2007151018 0000
  "GET / HTTP/1.1" 200 497 "http//you.shut.us.down.
  we.shut.you.down.is.it.a.trade.or.not.net"
  "Mozilla/4.0 (compatible)"
• 212.213.90.13 - - 19/Feb/2007151018 0000
  "GET / HTTP/1.1" 200 497 "http//you.shut.us.down.
  we.shut.you.down.is.it.a.trade.or.not.net"
  "Mozilla/4.0 (compatible)"

20
Spam

• Is spam malware/crimeware?
• annoyance ? misleading ? fraud ? 419 ? phishing ?
  money laundering ? malware distribution ? botnet
  creation ? ???

21
Examples

• Note new technologies ...

22
MTX

• taking control and preventing help
• replaces WSOCK32.DLL
• sends itself as second message
• prevents access to AV sites

23
Noped

• hacktivism
• looks for strings in filenames
• files emailed to addresses possibly associated
  with law enforcement

24
SULFNBK Hoax

• misinterpretation of events
• Magistr infects MS Windows system files and mails
  them out
• SULFNBK valid program (Win 98)
• most users receiving warning would find file, add
  legitimacy
• Fagled spreads with false virus warning
• you sent infected email, here is disinfector

25
Sircam

• loss of confidentiality
• searches for document, incorporates document into
  virus, mails document out
• eg. yourfile.doc becomes yourfile.doc.pif
• MS Outlook addresses, has own SMTP mailer
• forerunner of spambots

26
Code Red/Nimda

• server attacks and multipartite
• 350,000 unpatched MS IIS servers in 9 - 13 hours
• .eml, .nws, corrupted Web pages
• also Gokar (email, IRC, infected web pages)
• also Gigger (JavaScript in HTML formatted email)
• also Klez (network shares)

27
Magic Lantern

• official viruses
• ML isnt actually a virus
• detection avoidance may create problems in
  detecting real viruses
• dont report this signature

28
BadTrans B

• convergence (and file naming)
• drops keystroke logger/password stealer
• (see also Magic Lantern)
• filename song.mp3.pif
• content type of audio/x-wav is ignored
• also MyParty
• www.whatever.com
• also Maldal/Zacker/Reeezak
• Shockwave icon

29
Coolsite

• application settings and policy breaking
• linking to the site opens a flood of windows to
  pornographic sites
• browser home page changed
• Amero popup case

30
SWF.LFM.926

• new objects to infect
• uses Shockwave ActionScript
• also Peachey (Adobe Acrobat)
• also new RTF extensions in MS products
• also Stages .SHS/.SHB (shell scrap)

31
w1c.exe

• Superbowl, Dolphin Stadium website
• World of Warcraft password stealing
• Virtual economies, real theft
• Malware economies presentation

32
Protection

• Know thine enemy
• Know thyself

33
Policies

• avoid Microsoft
• not really, but don't follow the herd
• know your system
• open source
• check for control
• know your facts
• user awareness training, community security ed
• dont open attachments

34
Developments to watch

• amateurs to professionals
• nuisance to danger
• confidentiality
• Compromised info presentation
• firewall destruction
• policy problems
• desktop to enterprise

35
Developments (cont.)

• multipartite
• new objects to infect
• new places to hide
• viral utilities
• law enforcement
• marketing
• Convergence

36
Crimeware

• Robert M. Slade, MS, CISSP
• rslade_at_computercrime.org, cissp_at_shaw.ca,
  rslade_at_isc2.org
• http//victoria.tc.ca/techrev/rms.htm