© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 1
Effective Malware: The Importance of Stealth
Henry Stern, Senior Security Researcher, Cisco IronPort Systems LLC
The Conflict of Stealth and Interest
Boring is Beautiful
Be malicious.
Be boring.
Be successful.
What is Interest?
Malware needs to do something.
Doing something causes interest: noisy, destructive, high tech.
Sufficient interest provokes action.
What is Stealth?
Evading interest.
Malware is more effective when not countered.
Countering malware costs resources.
Malware is tolerated if it is not interesting.
The State of Practice
We tolerate certain levels of malfeasance.
Attackers are not always observant of this, e.g. Conficker vs. GhostNet.
Maybe they should be!
The Bestiary
IMbot
ASProx
Conficker
Storm (Waledac)
Reactor Mailer 3 (Srizbi)
GhostNet
IMbot
Malware: Imbot.AC, Bifrose.E.
Infection vector: Instant Messenger.
Size: 50k sustained. 15k new bots per campaign. Roughly the same number cleaned up.
Exploits trust between IM friends.
Social pressure to clean infections. “Hey, you have a virus and it’s spamming me.”
Large amount of effort required to sustain bot pool.
ASProx
• Behaviour: Mass SQL injection. JavaScript payload.
• Generic MSSQL function infects all fields in table.
• Large number of compromised websites for first layer of JavaScript redirection.
• Small number of hosts for actual exploit code.
• Too many sites infected to clean up.
• Involves enough third parties that clean-up is effectively impossible.
Storm (Waledac)
Purpose: Spam, DDoS.
Infection vector: Social engineering, now Conficker.
Infamous for its social engineering campaigns, peer-to-peer rendezvous protocol, fast flux service network.
Spam activity was low and slow.
Attracted too much attention, was never especially effective at spamming.
Poorly implemented high-tech features resulted in total subversion.
Conficker
Behaviour: Scanning worm.
Purpose: Vehicle for secondary infections.
Infection vector: MS08-067 buffer overflow.
Size: Millions.
Technical sophistication attracted significant researcher and media attention.
Enormous development investment from malware authors.
Reactor Mailer 3
Malware: Srizbi.
Size: 260k+ bots.
Responsible for more spam than all other botnets combined.
Infection vector: Browser exploits, social engineering.
Purpose-built spam tool. No other functionality.
Full-kernel rootkit, minimal user disruption.
Trivial for security vendors to block symptoms.
Survived 18 months without major harassment.
GhostNet
Malware: gh0st RAT.
Infection vector: Targeted social engineering. Specific, known groups and individuals. High degree of human intervention by attacker.
Dates back as far as 2002.
Accusations of foreign government involvement.
A Taxonomy of Interest
The Taxonomy
I am infected.
My friend is attacking me.
Somebody around me is infected.
Somebody is attacking me.
Something nearby is shiny.
I am Infected
Do I notice anything?
Does it adversely affect me?
Is it important enough for me to act?
My friend is attacking me.
Is it something I see?
Does it harm me or my other friends?
Is it worthwhile for me to act?
Somebody around me is infected.
Is it affecting my usage of a shared resource?
Will it go away on its own?
Will my actions be effective?
Somebody is attacking me.
How much damage is being done?
Can I do anything about it?
Will it happen again?
Something nearby is shiny.
Is it kewl?
Is it newsworthy?
Is it understood?
Implications
Common Failings
Malware is too exciting.
Indiscriminate attacks.
Excessive population sizes and activity.
Whiz-bang features.
Why Not Boring?
Tiptoe around users, avoid their friends.
Low-volume, focused attacks.
Don’t be shiny.
Clean up afterwards.
Are They Already Boring?
Sophos estimated 11m unique samples in mid-2008.
Collins estimates that 10% of flows are definitive mysteries.
What’s in the long tail?