Malware - California State Polytechnic University, Pomona · • Melissa and other macro viruses...

Page 1: Malware aka “BritneySpears.mp3.vbs”

Page 2: What is malware?

• A “-ware” coinage for malicious software; early on it was used loosely as a synonym for computer viruses.

• Essentially a program that does something malicious, hence mal-ware.

• Today it carries the connotation of a long-lived program that stays resident on the victim, rather than a one-shot payload.

• Encompasses a whole class of software:

• Scareware

• Ransomware

• Botnets

Page 3: Scareware

• Software designed to make you think you’re infected with something.

• Essentially a fake anti-virus: it charges you to “clean” an infection that does not exist, and frequently doubles as a backdoor or a dropper for something worse.

Page 4: Ransomware

• An inversion of encryption’s normal role: the primitive that is supposed to protect data is turned into the means of holding it hostage.

• Malware that encrypts the victim’s files and demands payment in exchange for the decryption key.

• Surprisingly effective.

Page 5: Botnets

• The big, bad, infamous malware families you hear about today.

• Programs designed to turn a computer into a “zombie” that takes orders from a remote controller.

• Typically used to carry out distributed denial of service (DDoS) attacks and to send spam.

Page 6: The History

Page 7: History

• It all started as a prank.

• In 1982, a fifteen-year-old Richard Skrenta had been tampering with pirated copies of Apple II games before passing them on to his friends.

• Once the friends wised up and stopped accepting his disks, he wrote “Elk Cloner”, one of the first self-replicating computer viruses: it hid in the boot sector of Apple II floppies and copied itself onto any other floppy inserted into an infected machine.

Page 8: History

• By the way...

Page 9: History

• But obviously, that’s not the platform where malware took off.

• In 1986, Basit and Amjad Farooq Alvi, two brothers running a computer shop in Lahore, Pakistan, took an interest in the code sitting in the boot sector of their floppy disks.

• They replaced it with code of their own. The result, “Brain”, was the first IBM PC virus: it infected the boot sector of floppies and changed the disk’s volume label to “(c)Brain”.

Page 10: History

• In 1988, the Morris worm spread throughout the Internet.

• It broke into hosts through a buffer overflow in fingerd, the DEBUG command left enabled in sendmail, trusted-host relationships (rsh/rexec) and weak passwords guessed from a small dictionary.

• A flaw in the way it spread caused far more damage than intended: its check for an already-infected host deliberately re-infected one time in seven, so copies piled up until machines ground to a halt.

Page 11: History

• More viruses started to show up after Brain and Morris.

• File infectors appeared: viruses that attached themselves to .COM and .EXE executables instead of boot sectors.

• “Cascade” became the first virus to hide its code by encrypting its body and decrypting itself only when run, so most of the virus presented no fixed byte pattern to look for.

Page 12: History

• Viruses soon began exhibiting anti-detection techniques.

• The “1260” virus (1990) is usually credited as the first polymorphic virus: it encrypted its body under a key that changed with each infection and padded its decryptor with junk instructions, so no fixed byte string identified it.

• The Whale virus went further, combining polymorphism with heavy anti-debugging and self-modification so that it looked different every time it was executed.

Page 13: History

• And then came...

Page 14: History

• Surprisingly, viruses then died down.

• Most viruses had been written for DOS (and a few for Unix). Under Windows 95 and later, those DOS file infectors and boot-sector viruses often crashed the machine before Windows got a chance to fully boot, which cut off their spread.

• Boot sector viruses, for the time being, mostly became an endangered species.

Page 15: History

• Office programs on Windows became popular, and with them the macro language built into Word and Excel.

• Macro viruses, written in that language and carried inside ordinary documents, started popping up.

• The aptly-named Concept virus (1995) simply replicated itself, then popped up the message “That’s enough to prove my point.”

Page 16: History

• Then came the Melissa virus (1999).

• Melissa and other macro viruses like it were able to spread and do their damage on both Macintosh and Windows systems, because the macro engine lived in Word, not in the operating system. (Melissa’s mass-mailing routine drove Outlook, so that part of it only worked on Windows.)

• Word and Excel, the most popular office programs at the time, were both susceptible.

Page 17: History

The comment block from the top of the Melissa macro source, as quoted on the slide:

  WORD/Melissa written by Kwyjibo
  Works in both Word 2000 and Word 97
  Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
  Word -> Email | Word 97 <-> Word 2000 ... it's a new age!

Page 18: The Evolution

Page 19: Evolution

• The term “computer virus” was coined in 1983 (in Fred Cohen’s work, with the name suggested by Len Adleman).

• Because so many of these programs worked by inserting themselves into boot sectors and files and replicating from there, “virus” was the easiest way to describe them.

• Interestingly, as time went on, malware came to mirror its biological namesake quite literally.

Page 20: Evolution

• A biological virus is:

• something that spreads rapidly and effectively

• something that lives for long periods of time on its host

• something that leeches resources from its host

Page 21: Evolution

• Anonymity of the Internet makes malware quite interesting from a biological standpoint.

• Obviously they’re created by someone’s hand, but they’re faceless.

• They do exactly what they were designed to do and nothing more.

Page 22: Evolution

• After the “prank” stage, the early development of malware moved on to a destructive stage.

• The intent of the virus was to infect and destroy.

• The Chernobyl virus (CIH, 1998), once its trigger date arrived, overwrote the start of the hard disk and attempted to overwrite the flash BIOS; on susceptible motherboards that left the machine unable to boot.

Page 23: Evolution

• Generalized, reusable exploitation techniques, combined with a poorly secured Windows operating system, made malware evolve rapidly from the late nineties onward.

• Aleph One’s “Smashing the Stack for Fun and Profit” (Phrack 49, 1996) put stack buffer overflow exploitation within reach of anyone who could read C and a little assembly.

• Worms and viruses began spreading with purposes beyond destruction and modification.

Page 24: Evolution

• Macro viruses were essentially documents, and documents are exactly what people exchange, so the virus travelled along with everyday work.

• Stupid people exist. By that virtue, stupid people will do stupid things. Like opening files from people they don’t even know.

• People would open BUSHJO~1.DOC thinking they’d be getting some hilarious jokes about Bush Sr. and *poof*

Page 25: Evolution

• By the late 90s, worms evolved from merely spreading to staying on their hosts for long periods of time.

• They served specific purposes, such as providing a back door or running their own mail (SMTP) engine.

• Those built-in mail engines also allowed the automated e-mailing of malware, without depending on the victim’s mail client.

Page 26: Evolution

• By the 21st century, worms and viruses stopped being solely destructive.

• High-profile worms such as Code Red (2001) spread with a purpose: Code Red turned infected IIS servers into a DDoS platform aimed at a White House web address.

• There was money to be made and systems to control.

Page 27: Evolution

• Malware is in a constant state of back-and-forth between being detected and evading detection.

• This directly mirrors natural selection in biological viruses.

Page 28: The Characters: the jerks who keep you up at night.

Page 29: Motivations

• Curiosity and knowledge

  • VX Heavens, the virus-exchange archive

• Amusement

  • “That’s enough to prove my point”

• Destruction

• Power

• Money

Page 30: Botkids

• Typically from EFnet, but they exist on pretty much every IRC network.

• PP4L and GNAA have a few botkids among their ranks.

• Used mostly for chat-spamming and DDoS.

• One of the main reasons why IRC usage is irrationally banned from most networks.

Page 31: Ubisoft

• Ubisoft implements an always-online DRM scheme for its PC games (2010).

• Botkids DDoS the hell out of the DRM servers.

• People who bought the games get angry, because the games stop working.

• Botkids win.

Page 32: Scientology

• /b/tards have everyone from botkids to botmasters.

• /b/ came up with something rather amusing: the consensual botnet.

• During Project Chanology (2008), people literally installed a DDoS tool on their own computers for a botmaster to coordinate, in order to help DDoS Scientology.

• I’m totally serious.

• People actually did this.

Page 33: Rooters

• Some of the people you should thank for your free music and movies.

• People who hijack a server on a beefy pipe and install a rootkit so that they can keep it.

• Typically where piracy topsites run their distribution operations.

Page 34: Malware

Page 35: Rooters

• These guys obviously want to hide from the authorities.

• Computers get infected purely to bounce through for anonymity’s sake, creating a long chain of infected hosts that masks where the operator is coming from or connecting to.

• Think of it like a private, illegal Tor network.

Page 36: Organized Crime

• “Nice website you got here. Be a shame if someone DDoS’d it...”

• Botnets are typically used for extortion and fraud.

• Targeted malware that does nothing more than sniff social security numbers, credit card information and the like.

Page 37: Politics

• Russian government entities have gone to black-hats in their country to take down dissidents.

• Numerous inter-country incidents have occurred over the years involving computer warfare.

Page 38: The Estonia Incident

• In 2007, Estonia decides to move a Soviet-era war memorial, the Bronze Soldier, out of central Tallinn. Seriously, seriously wants to move that statue.

• Russian nationalists don’t like this.

• Weeks of DDoS attacks knock Estonian government, bank and media sites offline; for a time much of the country is effectively cut off from the outside Internet.

Page 39: Russia vs. Georgia

• In August 2009, a well-known Georgian blogger (“Cyxymu”) who has been commenting on the 2008 Georgian-Russian conflict becomes a target.

• Russian nationalists don’t like this.

• So they DDoS his accounts on Blogger, Twitter, Facebook and LiveJournal, knocking Twitter offline entirely for hours and degrading the other sites for hours, and in some cases days.

Page 40: China and Operation Aurora

• Chinese hackers want source code, among other things.

• They perform a targeted attack on Google, Adobe and dozens of other companies, delivered by spear-phishing that exploited an unpatched Internet Explorer vulnerability (malicious PDF files were also suspected early on).

• The attack was a success and obviously freaked out a lot of Important People.

• The true impact of the attack is still being investigated.

Page 41: The Game

Page 42: The Game

• A majority of people honestly believe that hacking cannot be prevented: being hacked is an act of nature.

• Think about that.

Page 43: The Game

• The easiest way to spread malware is to trick the user into running the program.

Page 44: The Game

• The infector does not care about sophistication or, necessarily, about being as sneaky as possible.

• It works the same way as spam: it doesn’t matter if 99% of the people who receive it delete it; it only matters that 1% fall for it and send money.

• The weakest link is the best link to attack.

• The majority of infections are caused by people willingly running the malware.

Page 45: The Game

• While that obviously works... it can take time.

• Automated spamming of networks such as AIM and MSN will get your accounts banned.

• CAPTCHA-breaking is costly (about a dollar per image or so).

• The next step up is exploitation.

Page 46: The Game

• We’re still not in remote exploits yet, though.

• Social engineering is one of the key components of hijacking someone’s system.

• So the next step is client-side exploitation: find a vulnerability in a piece of software that opens attacker-supplied files (a browser, a PDF reader, an office suite), then get the victim to open the file.

• Kind of like macro viruses, with an exploit in place of the macro.

Page 47: The Game

• I just wanted to take the time to laugh at this bug:

• Seriously. It doesn’t stop getting old.

Page 48: The Game

Page 49: The Game

• Remote exploits are essentially at the bottom of the priority list.

• Current network configurations put multiple computers behind a single NAT gateway, so the machines are not directly reachable from outside; that makes remote attacks more complicated and not the most appealing vector.

Page 50: The Game

• One would assume that unknown exploits, 0day exploits, would be the most frequent vector. Not true.

• 0days go for a lot of money. More on that later.

• It would be unwise to burn an 0day unless the target, or the payoff from using the exploit, warranted it: once it is used in the wild it gets caught and patched.

Page 51: The Game

• Because of the splintering of update systems (every application ships its own updater), people find it frustrating to keep their software updated.

• So they don’t.

• And they get owned.

• This is why Conficker is still a problem: Microsoft patched the hole it spreads through (MS08-067) a month before the worm appeared, and unpatched machines have kept it alive ever since.

Page 52: The Game

• China and other countries in the region tend to have more infections per capita than a lot of other countries.

• This is due to the rampant piracy in the region (pirated Windows installs often cannot, or are set not to, pull updates) in combination with the bad update practices many users around the world share.

Page 53: The Game

Page 54: Targeted attacks

• Sometimes a specific network, like Google’s, is what the bad guys want.

• Aurora was a great example.

• This is where the concept of an “advanced persistent threat” comes from.

• ...but please ignore that phrase whenever possible. It’s a marketing gimmick.

Page 55: The Pieces

Page 56: The Pieces

• Packers are executable compressors. They were popularized by the 64K demoscene, where they were used to squeeze binaries down as much as humanly (or inhumanly) possible.

• Packers are now used quite frequently in malware, because the packed file no longer matches signatures written for the original.

• Now they come with features such as polymorphism and anti-debugging techniques.

Page 57: The Pieces

• Protectors and cryptors are used to obfuscate a program and undo the obfuscation only at execution time.

• These, too, use techniques such as polymorphism and anti-debug and anti-analysis tricks to protect the underlying program.

Page 58: Packers vs. Protectors

• Packers and protectors share a lot of common ground.

• However, the core difference is purpose.

• A packer’s objective is to compress the binary. The obfuscation is only a side effect of the packing.

• A protector does exactly what it says: it protects the program from analysis.
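Added example, not code from the slides: the practical consequence of packing for a defender is that a packed section looks like compressed or encrypted data, and that is something you can measure. The Python below computes Shannon entropy per window over a buffer and flags buffers that are mostly high-entropy. The two sample buffers are constructed stand-ins for a plain code section and a packed one; the 7.0 bits/byte threshold and the 80% window fraction are assumptions chosen for the demo, not figures from the slides.

```python
import hashlib
import math
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = 1024) -> List[float]:
    """Entropy per fixed-size window, so a small packed region inside a large
    plain binary is not averaged away."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


# Assumed heuristic thresholds (not from the original slides): compressed or
# encrypted data typically scores above ~7 bits/byte; native code and text score well below.
PACKED_THRESHOLD = 7.0
MIN_HIGH_FRACTION = 0.8


def looks_packed(data: bytes, window: int = 1024) -> bool:
    """True when most windows of the buffer look compressed or encrypted."""
    ents = window_entropies(data, window)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= PACKED_THRESHOLD)
    return high / len(ents) >= MIN_HIGH_FRACTION


def pseudo_random_bytes(n: int, seed: bytes = b"packer-demo") -> bytes:
    """Deterministic high-entropy stream (chained SHA-256) standing in for the
    output of a packer's compressor. Constructed sample, not a real binary."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: repetitive "code-like" text plus zero padding, versus a
# compressed-looking blob of about the same size.
PLAIN_SECTION = (b"push ebp; mov ebp, esp; sub esp, 0x40; " * 64) + b"\x00" * 512
PACKED_SECTION = pseudo_random_bytes(4096)

if __name__ == "__main__":
    for name, section in (("plain", PLAIN_SECTION), ("packed", PACKED_SECTION)):
        print(f"{name}: entropy={shannon_entropy(section):.2f} packed={looks_packed(section)}")
```

On a real PE you would run this per section (a library such as pefile gives you each section's raw data) and treat a high-entropy section with a near-empty import table as a strong hint of a packer. High entropy alone is not proof: installers, embedded images and legitimately compressed resources score just as high, so use it as a triage signal, not a verdict.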

Page 59: The Pieces

• Bots tend to come with a set of exploits in order to spread themselves further.

• These are called “exploit packs.”

• They’re usually purchased from a third party and bolted into a bot.

Page 60: Command and Control

• Command and control servers are the central locations where botnets phone home.

• They take on multiple forms.

Page 61: IRC-based C&C

• A good majority of botnets, from the hundreds to the thousands to the millions of nodes, use IRC.

• It’s a simple, text-based protocol with a rich history, numerous servers, and plenty of options for protecting the identity of the botmaster, his bots, and his control over them.

Page 62: P2P-based C&C

• IRC-based control, in some ways, can be really easy to smash. Not every botmaster hosts his own IRC server, and if he does, it’s easy to ask the provider to take it down.

• The Storm worm (2007) used a peer-to-peer protocol, a modified version of the eDonkey/Overnet network, to control the bots in the network.

• That removed the single point of failure an IRC server represents: there is no one host to seize or null-route, a resilience an IRC-based design can’t offer.

Page 63: Facebook-based C&C

• Mikko Hypponen and the F-Secure team found a botnet that was using Facebook as its means of command and control.

• The botmaster sent an SMS message to a Facebook account, which saved it as a note.

• The bots had access to this Facebook account.

• Depending on the subject and contents of the message, they carried out their master’s wishes.

Page 64: Twitter-based C&C

• The same idea goes for Twitter.

• Bots would follow a single account on Twitter, parse the most recent status update, then carry out the commands.

Page 65: Twitter-based C&C
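Whatever the channel, bots have to phone home, and they usually do so on a timer. That gives the defender a detection that works the same way against IRC, P2P, Facebook and Twitter control. The Python below is an added example (not from the slides): it parses a constructed flow log, groups connections by (source, destination), flags pairs whose gaps between connections are nearly constant, and then counts how many internal hosts beacon to the same destination, the fan-in pattern an IRC C&C server shows. The log lines, the hosts and the thresholds (five connections minimum, coefficient of variation of 0.1) are all made up for the demo.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed flow log (not from the original slides): "<ISO time> <src> <dst:port> <bytes>".
# 10.0.0.5 and 10.0.0.9 check in with the same IRC-port host about once a minute;
# 10.0.0.8 is ordinary, bursty web browsing.
FLOW_LOG = """\
2010-03-01T10:00:00 10.0.0.5 203.0.113.7:6667 412
2010-03-01T10:00:12 10.0.0.8 198.51.100.20:80 15320
2010-03-01T10:00:15 10.0.0.8 198.51.100.20:80 2210
2010-03-01T10:00:30 10.0.0.9 203.0.113.7:6667 401
2010-03-01T10:01:00 10.0.0.5 203.0.113.7:6667 398
2010-03-01T10:01:30 10.0.0.9 203.0.113.7:6667 405
2010-03-01T10:02:01 10.0.0.5 203.0.113.7:6667 410
2010-03-01T10:02:30 10.0.0.9 203.0.113.7:6667 399
2010-03-01T10:03:00 10.0.0.5 203.0.113.7:6667 402
2010-03-01T10:03:30 10.0.0.9 203.0.113.7:6667 404
2010-03-01T10:03:59 10.0.0.5 203.0.113.7:6667 397
2010-03-01T10:04:30 10.0.0.9 203.0.113.7:6667 400
2010-03-01T10:04:40 10.0.0.8 198.51.100.20:80 8871
2010-03-01T10:05:00 10.0.0.5 203.0.113.7:6667 411
2010-03-01T10:05:02 10.0.0.8 198.51.100.20:80 640
2010-03-01T10:06:00 10.0.0.5 203.0.113.7:6667 403
2010-03-01T10:17:30 10.0.0.8 198.51.100.20:80 30102
"""

Flow = Tuple[datetime, str, str]  # (time, src, "dst:port")
Pair = Tuple[str, str]            # (src, "dst:port")


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst))
    return flows


def find_beacons(flows: List[Flow], min_connections: int = 5, max_cv: float = 0.1) -> Dict[Pair, float]:
    """Return {(src, dst): mean gap seconds} for pairs whose connections recur at
    near-constant intervals. cv = stdev/mean of the gaps: a human browsing is
    bursty (cv >> 1); a bot on a timer is not. Thresholds are demo assumptions."""
    by_pair: Dict[Pair, List[datetime]] = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    beacons: Dict[Pair, float] = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons[pair] = round(mean_gap, 1)
    return beacons


def shared_destinations(beacons: Dict[Pair, float]) -> Dict[str, int]:
    """How many internal hosts beacon to each destination (C&C fan-in)."""
    fan_in: Dict[str, int] = defaultdict(int)
    for (_src, dst) in beacons:
        fan_in[dst] += 1
    return dict(fan_in)


if __name__ == "__main__":
    found = find_beacons(parse_flows(FLOW_LOG))
    for (src, dst), gap in found.items():
        print(f"beacon: {src} -> {dst} every ~{gap}s")
    print("fan-in:", shared_destinations(found))
```

Real bots add jitter or sleep for hours precisely to defeat this, and plenty of legitimate software (update checks, NTP, monitoring agents) beacons too, so whitelist known destinations and combine the result with other signals such as destination reputation or an unusual port like 6667.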

Page 66: The Pieces

• Drop-servers, in the sense used here, are where exploits and malware are staged to be shipped and delivered. (The same term is also used for the server that stolen data gets uploaded to.)

• In the context of browser-based exploits, this is usually where the malicious JavaScript is hosted.

• Like scam artists, these are usually one-stop shops: set up, drop off and get out, all in the span of a few days or less.

Page 67: The Pieces

• Rootkits are one of the most important pieces of modern malware.

• Rootkits exploit the intricacies of the operating system (hooking system calls, filtering directory listings and process lists) to hide the malware from the user and, ultimately, from the anti-virus software running on top of the same subverted OS.

Page 68: The Market

Page 69: The Market

• The malware business involves many, many people. So, naturally, a marketplace exists.

• Think of it like an arms bazaar.

Page 70: The Market

• Programmers sell their wares:

  • Packers and protectors

  • Cryptors

  • Bot software

  • Rootkits

Page 71: The Market

• Exploit writers and researchers sell their 0day exploits to those who wish to buy.

• On the black market, this is done in private among people who know each other.

• Out in the open, this is done through programs such as the Zero Day Initiative and iDefense.

• A good 0day can net up to $80,000 and more.

Page 72: The Market

• HD Moore estimates that browser 0days have a market price of about $5,000 per 1% of browser market share.

• Internet Explorer has around 60% market share.

• You’re CS majors, do the math.

Page 73: The Market

• Botmasters also sell and lease their botnets to anyone who wants bot-based services.

• “You want to perform a DDoS attack on Twitter? Well, that’ll take X bandwidth, which comes out to Y bots... that’ll run you about $2,000 a minute, minimum ten minutes.”

• The going rate for a single node in a botnet is about ten cents.

Page 74: The Market

• Surprisingly, botmasters are more abundant than bot authors. This is probably why individual bots are so cheap.

• Obviously it’s easier to buy a bot program and use it than to do all the research necessary to write your own.

• More sophisticated bot kits even come with tech support.

Page 75: The Market

• Here’s another story from Russia...

Page 76: Detection

Page 77: Detection

• Analyzing and detecting malware is a surprisingly difficult problem.

• Anti-virus and malware have been in an arms race for decades.

• Highly appropriate that one of the biggest malware producers in the world, China, is communist.

• Not to mention Russia. But I’ve already mentioned them too much.

Page 78: Detection

• Anti-virus engines started out with signatures: fixed byte sequences taken from specific offsets within a given program.

• This was circumvented by polymorphism: encrypt the body under a key that changes with every copy, and no fixed byte sequence survives to be matched.

Page 79: Detection

• Anti-virus engines then moved to heuristic algorithms that look for the shape of evil code (a decryption loop, suspicious API use) rather than exact bytes.

• This was circumvented, hilariously, by studying the heuristics and writing code that steps around them.

• Repeat ad infinitum.

Page 80: Detection

• Obviously, in order to glean any sort of signature from a binary, someone must analyze the program.

• So malware began shipping with anti-debug and anti-analysis tricks.

• With each passing trick, one was circumvented and three were created.

Page 81: Detection

• Malware analysis has reached the point where anti-virus companies use emulators and sandboxes, intensely complicated machinery, to run a binary under observation and let it unpack itself.

• And the malware authors have found vulnerabilities in those emulators, not to mention anti-emulation techniques (detecting the emulated environment, stalling until the emulator gives up, relying on behaviour the emulator doesn’t implement) that prevent researchers from getting any semblance of analysis done!
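Added example for the detection arms race on pages 78 to 81 (and the polymorphic viruses of page 12); it is not code from the slides. A benign byte string stands in for a virus body; a toy polymorphic engine wraps it in a tiny decryptor with a fresh XOR key and variable junk padding (the stub layout, the 0xAA marker and the key/length bytes are assumptions for this demo, and nothing here executes as code). Three scanners then play three generations of anti-virus: a fixed signature, a heuristic that keys on the decryptor's shape, and an emulator that decrypts before scanning.

```python
import random
from typing import List

# Constructed, benign stand-in for a virus body; the scanner's signature is a
# substring of it. This is data, not executable code.
BODY = b"<toy body: replicate, then say hello>"
SIGNATURE = b"replicate, then say hello"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def generate(key: int, junk_len: int) -> bytes:
    """One 'generation': decryptor stub + body encrypted under a fresh key.
    Assumed stub layout for the demo: junk NOP-like bytes, marker 0xAA, key byte,
    body length byte. A real engine also mutates the stub's instruction sequence;
    here only the junk padding and the key vary."""
    assert 1 <= key <= 255 and len(BODY) < 256
    stub = b"\x90" * junk_len + b"\xAA" + bytes([key, len(BODY)])
    return stub + xor_bytes(BODY, key)


def generations(n: int, seed: int = 1234) -> List[bytes]:
    """n distinct generations; keys are drawn without replacement so no two repeat."""
    rng = random.Random(seed)
    keys = rng.sample(range(1, 256), n)
    return [generate(k, rng.randrange(0, 8)) for k in keys]


def signature_scan(sample: bytes) -> bool:
    """First-generation AV: look for a fixed byte string in the file as stored."""
    return SIGNATURE in sample


def decryptor_heuristic(sample: bytes) -> bool:
    """Second-generation AV: ignore the body and recognise the shape of the
    decryptor itself (optional junk, marker, key, consistent length). Works
    until the engine starts mutating the stub as well."""
    stripped = sample.lstrip(b"\x90")
    return len(stripped) >= 3 and stripped[0] == 0xAA and len(stripped) == 3 + stripped[2]


def emulate_and_scan(sample: bytes) -> bool:
    """Emulator-style AV: 'run' the decryptor far enough to expose the body,
    then apply the same old signature to the decrypted bytes."""
    i = 0
    while i < len(sample) and sample[i] == 0x90:  # step over junk
        i += 1
    if i + 3 > len(sample) or sample[i] != 0xAA:
        return False
    key, length = sample[i + 1], sample[i + 2]
    body = xor_bytes(sample[i + 3:i + 3 + length], key)
    return SIGNATURE in body


if __name__ == "__main__":
    for g in generations(5):
        print(g[:12].hex(), "signature:", signature_scan(g),
              "heuristic:", decryptor_heuristic(g), "emulated:", emulate_and_scan(g))
```

The heuristic scanner recognises the decryptor's structure without knowing the key, which is exactly what beat early polymorphism until engines began mutating the decryptor too; the emulator does not care what the stub looks like as long as it can be stepped, which is why anti-emulation tricks became the next battleground.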

Page 82: Conclusions

Page 83: Conclusions

• Malware exhibits properties similar to real viruses. Attempts to eradicate it select for variants that are stronger and more resistant.

• Malware has a lot of money behind it: spammers, scammers and other baddies have their hands deep in the game.

Page 84: Conclusions

• Malware is hard to detect. It is always evolving, always changing and always masking itself.

• People are stupid.

• Therefore, malware will always exist.

Page 85: The End