Malware: The Next Big Internet Threat
Markus Jakobsson, Aaron Emigh, Ari Juels, Zulfikar Ramzan, Susanne Wetzel
Malware: A Criminal Force
Also: click-fraud, session hijacking, data theft, location tracking,…
Diagram courtesy of the Anti-Phishing Working Group
Malware: A Social Problem
Images courtesy of stop-phishing.com
The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond
Aaron Emigh, Radix Labs
What is Crimeware?
• Performs illegal actions
• Actions are unanticipated by user
• Results in tangible benefit to attacker
Crimeware is:
• Keyloggers/screenloggers
• Email & IM redirectors
• Session hijackers
• Web Trojans
• Transaction generators
• System reconfigurators
• Data stealers
• Rootkits
Crimeware is not:
• Adware
• Spyware
• Malicious “hobbyist” software (destructive worms and viruses)
• Botnet controllers
• Data collectors and forwarders
• Proxy servers
Crimeware Propagation
• Piggybacking
• Toolkits
• Affiliate marketing distribution
• Installation: downloader & backdoor
Crimeware for Identity Fraud
• Keyloggers and screenloggers
• Email and IM redirectors
• Web Trojans
• Session hijackers
• Transaction generators
• System reconfigurators
• Hostname lookup disruptors
• Proxies
• Data stealers
• + Rootkits!
Other Crimeware Revenue Models
• Spam transmission
• Denial-of-service attacks
• Click fraud
• Data ransoming
• Information consolidation
Crimeware Flow
(Diagram: Infection, Execution, Storage, Data Entry, Attacker, Legit Server; numbered steps 1–7, some applying only in some modes.)
Countermeasures
1. Interfere with distribution
• Spam filters
• Automated patching
• Good filtering
Countermeasures
2. Prevent infection
• Antivirus
• Behavioral detection
• Protected applications
Countermeasures
3. Prevent execution
• Only run signed code
Countermeasures
4. Prevent data access
• Protected storage for sensitive data
• Encryption
Countermeasures
5. Prevent user compromise
• White-hat keylogger
• Trusted path
• Stored credentials
Countermeasures
6. Prevent data use by attacker
• Traffic sniffing
• Behavioral detection
• Policy-based data
The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond
http://crimeware.emigh.org
Aaron Emigh, Radix Labs
Where Phishing & Malware Meet
Zulfikar Ramzan, Feb 18, 2007
Zulfikar RamzanWhere Phishing and Malware Meet
Outline
1. Phishing: Introduction & Motivation
2. Malware in Phishing Lifecycle
3. Conclusions
Phishing: Introduction
From: Bank-Service <[email protected]>
Subject: Update Your Information
Date: July 06, 2006 9:06:00 AM PST
Dear Bank.com User,
During our regular update and verification of accounts, we couldn’t verify your account. Click Here to update and verify your account. If you don’t then your account will be suspended in 24 hours!!
Sincerely, Bank.com Team
Contains a lure for you to reveal sensitive info:
• False pretense
• Poses as legitimate institution
• Creates sense of urgency
The Extent of the Problem
• Jan - Sep ’06: Symantec Brightmail blocked > 2 Billion phishing emails with > 240,000 being unique
• Numbers are rising; it is an arms race in which phishers constantly bypass the latest countermeasures
• Phishing not just about “social engineering” – malware has many roles
Where Phishing & Malware Meet
• Spam often sent via compromised machines
• 0.81% of spam contains malicious code (Symantec ISTR, Jan-Jun ’06)
• Different types of password stealing malware:
– Browser overlays
– Fake browsers
– Form grabbers
• Phish sites can host traditional malware or JavaScript malware
• Number of unique malware variants growing rapidly. Behavior blocking should complement signatures. (Symantec working in this area)
Demo of Password Stealers
JavaScript Malware [GN06]
• We often think malware = executable software
• Malicious JavaScript can run natively in web browser:
– Can change home broadband router DNS settings (drive-by pharming): attacker “controls” how you surf the Internet [SRJ07]
– Can expose home network to entire Internet
– Infer user browsing habits
<SCRIPT SRC="http://192.168.1.1/...?..."></SCRIPT>
Drive-by Pharming
(Diagram: web browser, home broadband/wireless router, good DNS server, rogue DNS server, “Your Bank”, “Not Your Bank”, a web site with JavaScript malware labelled “Click Me!!!”; www.bank.com resolves to 129.79.78.8 via one DNS server and to 66.6.66.6 via the other. The page carries <SCRIPT SRC="http://192.168.1.1/...?..."></SCRIPT>.)
Conclusions
• Phishing traditionally social engineering based, malware more technical
• Uses of malware in phishing:
– Sending unsolicited emails
– Propagation via phishing emails
– Password stealers
– Malware hosted on phishing server
– JavaScript malware is dangerous: millions susceptible
• Looking forward, these problems translate to important opportunities for developing and deploying new countermeasures
Thank You!
Zulfikar Ramzan ([email protected])
http://www.symantec.com/enterprise/security_response/weblog/authors/zulfikar_ramzan.html
Copyright © 2007 Symantec Corporation. All rights reserved.
Wireless Malware
Susanne Wetzel, Stevens Institute of Technology
Department of Computer Science, Hoboken, NJ 07030, USA
Scenario
The Challenge
(Diagram)
Security Weaknesses
(Diagram: an eavesdropper on the wireless link learns “Aha! Uwe Schulz just passed by!” and “The secret key is K.”)
Wireless Malware
• Prominent examples:
– Cell phone worms (e.g., Cabir, Lasco)
– Wireless driver vulnerabilities
• Question: feature or malware?
• FlexiSPY
– Watch SMS/cell phone traffic
– Remotely switch on microphone
Wireless Home Routers
• Home routers are embedded systems
• Defaults minimize setup hassle
– WiFi clients on LAN
WAPjack
• Malicious configuration of settings
– DNS, logging, Internet administration
• Very general attack
• Pharming = man-in-the-middle
WAPkit
• Subversion of control
– Use the “Upgrade” interface
• Stealthier attacks
• Most vulnerable are OSF platforms
• Cannot have security through obscurity
Stopping Attacks Today is Hard
• Current countermeasures of analyzing and monitoring traffic exploit centralization
Conclusion
• Is it a feature or malware?
– Monitoring your kids or spying on cell phone users?
• We haven’t seen anything yet.
– Today, the ratio between mobile malware and malware in the conventional setting is 1/600.
• A cell phone is a very personal device.
• Many will want to have an iPhone.
– Risk for mobile malware will increase with the number of devices.
Malware: An All-Or-Nothing Game?
Ari Juels, RSA Laboratories, 18 February 2007
© 2007 RSA Laboratories
Malware can often take over host completely
• “Sniffing” keyboard to capture passwords
• Initiating transactions
– E.g., execute $10,000 withdrawal when user logs into bank account
• Directing user to undesired Web sites
• Launching attacks on servers
Host destruction is self-defeating
• Malware wants to escape detection
– E.g., password sniffing
• There is usually a strong residue of “good” system components
• Malware is like a microbe: in the short term, it wants to exploit the host
– AIDS vs. Ebola
Strategy: connect “good” components with outside
Example: Remote Harm-Diagnostics (RHD)
• “Good” component is browser history
• Browser quirk lets Bank probe client to detect visits to certain Web sites
• Bank can detect client visits to blacklisted sites known to distribute malware
Example: Remote Harm-Diagnostics (RHD)
• RHD is ad hoc: only works sometimes
• Gives Bank not perfect, but enriched information
• Two big benefits of RHD:
– Privacy-preserving
– Requires no client-side installation!
More powerful approach
• With client-side software, Bank can mine richer behavioral data from clients
– E.g., complete log of installed software
• Tamper-proof logging is possible
– Malware can (detectably) delete log, but can’t modify it
• Privacy is very important!
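As an added illustration of the tamper-proof logging point above (example code written for this page, not from the panel or RSA Laboratories): a hash-chained client log whose latest chain head the client reports to the bank. Modifying any entry breaks the chain, and deleting entries from the end is detected because the reported head no longer matches; the event records and the bank-held head are constructed sample values.

```python
import hashlib
import json

# Constructed sample events of the kind the slide mentions (installed software).
EVENTS = [
    {"event": "install", "name": "browser", "version": "2.0"},
    {"event": "install", "name": "pdf-reader", "version": "7.1"},
    {"event": "install", "name": "unknown-toolbar", "version": "0.9"},
]

GENESIS = "0" * 64  # fixed starting point of every chain


def _entry_hash(prev_hash: str, payload: dict) -> str:
    """Hash an entry together with its predecessor's hash (canonical JSON)."""
    data = prev_hash + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


def append_entries(events):
    """Build a hash-chained log: each entry commits to the one before it."""
    log, prev = [], GENESIS
    for payload in events:
        h = _entry_hash(prev, payload)
        log.append({"payload": payload, "prev": prev, "hash": h})
        prev = h
    return log


def verify_chain(log, expected_head):
    """Bank-side check: returns (ok, reason).

    expected_head is the last chain hash the client previously reported.
    A rewritten entry breaks the link check; a truncated log verifies
    internally but ends at a head the bank has never seen.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or _entry_hash(prev, entry["payload"]) != entry["hash"]:
            return False, f"entry {i} modified"
        prev = entry["hash"]
    if prev != expected_head:
        return False, "log truncated or head mismatch"
    return True, "ok"
```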
Strategy: put “good” components on outside in client
Virtual Machines
Virtual Machines Example: Browsing
• Web browser sits in virtual machine
• “Guardian” software ensures safe transit of password from keyboard to Bank
– E.g., Stanford “Spyblock”
• If malware attempts to sniff password, “Guardian” can quash it
Conclusions
• Solutions are embryonic
– RHD / data-mining challenges:
• What data to mine?
• Privacy preservation
– Virtual-machine challenges:
• Not disrupting ordinary software
• Ensuring against malware “breaking through”
• What security functionality should VM provide?
• Solutions and malware will co-evolve
For more information, see
• Deceit/education: malware-jakobsson.info
• Taxonomy/money: malware-emigh.info
• Today/pharming: malware-ramzan.info
• Wireless: malware-wetzel.info
• New defenses: malware-juels.info
• These slides: malware-aaas.info