MONEY CHANGES EVERYTHING
New approaches to categorizing economically-motivated digital threats
Anthony Arrott, PhD, David Perry
Trend Micro, Inc.
Virus Bulletin conference, Vienna, Austria, 2007


Page 1

Page 2

Copyright 2007 - Trend Micro Inc.

In the beginning…

Page 3

GENESIS 2

• 19 And out of the ground the LORD God formed every beast of the field, and every fowl of the air; and brought them unto Adam to see what he would call them: and whatsoever Adam called every living creature, that was the name thereof.

• 20 And Adam gave names to all cattle, and to the fowl of the air, and to every beast of the field;

Page 4

That being said…

• This is NOT about virus naming conventions!
• The virus is no longer the main concern
• The individual malware is merely a component in today’s attack, used in quantity with a great number of people and servers and complexity
• Maybe we need to focus our defining efforts towards the need of another group of people

Page 5

THE END USERS!

Page 6

Confronted with a world of information

Page 7

PATTERNS alone do not convey MEANING

Page 8

With so many things to identify

Page 9

We look to identify PATTERNS

Page 10

We simplify our approach

Page 11

We might miss the point

Page 12

So there is language

Page 13

Language also has problems…

• Confusion of map and territory
• Special meaning
• Connotation
• Conflation

Page 14

DEFINITIONS

Page 15

TAXONOMY

Page 16

EXPERTS

Page 17

PERSPECTIVE

Patterns and language and perspective = taxonomy

Page 18

Perspective, in the ideal and in the real world

Page 19

Perspective, in a different metaphor

Page 20

The virus expert vs the end user

• The virus expert: This particular piece of malware is a password stealing trojan, delivered by a downloader connected via a multiple web redirect using iframe and (ad infinitum)
• End user hears: blah blah blah blah blah
• End user says: What does this mean? What is the purpose of this malware?
• The virus expert hears: I am a dummy, ignore me.

Page 21

This is an impasse of communications

Page 22

THE RISE OF THE WEB THREATS

MONEY CHANGES EVERYTHING…

Page 23

Threat Environment Evolution

Figure: complexity versus time, with years marked 2001, 2003, 2004, 2005 and 2007. Stages labelled on the chart: Mass Mailers, Vulnerabilities, Worm/Outbreaks, Spyware, Spam, Intelligent Botnets, Crimeware, Web Based Malware Attacks (?).

Web Based Malware Attacks:
• Multi-Vector
• Multi-Component
• Web Polymorphic
• Rapid Variants
• Single Instance
• Single Target
• Regional Attacks
• Silent, Hidden
• Hard to Clean
• Botnet Enabled

Page 24

Malware for Profit is driving Web Threats

Chart: Worms vs. Web Threats, quarterly from Q1-05 to Q3-06 (Worms plotted on a 0 to 3000 scale, Web Threats on a 0 to 12000 scale). Source: Trend Micro.

The threat landscape is shifting to Web-borne attacks
• Worms: Constant in the last 2 years
• Web Threats: High Volume and Growing

Page 25

The Problem: Threat Landscape Is Evolving

Figure: Threat Landscape Evolution plotted against Business Network Evolution over time (Combined Threats). Threat labels on the chart: File Infector, PC Virus, Macro Virus, Network Worm, Script Virus, Email Worm, Trojan, Spyware, Bots, Spam, Phishing, Pharming, Profit-Motivated. Network stages on the chart: Standalone PC, Shared network LAN/WAN, Shared multi-service networks, Boundless Internet connectivity.

Page 26

Haxdoor

Your boss asks you to develop a corporate travel policy. You begin with a Google search on travel policy (Oct 7, 2006).

• First result is a .gov site
• Second result looks like a good choice

Page 27

Haxdoor

You click on the second search result.

You wait… the site appears to be downloading images and content… you wait… and you wait…

Finally you close the browser window… you’ll find another site.

Page 28

Haxdoor

Unbeknownst to you…
• The IFRAME at the top of the page leads you to an index.htm file (81.95.146.98/index.html)
• This file includes a script that exploits the MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)
  – The original exploit code has been modified to try to bypass AV scanners that detect the original exploit
• An executable file (win.exe) is downloaded to your system and executed
• You now have a backdoor with rootkit features—a variant of the notorious family of backdoor rootkits known as Haxdoor!

Page 29

ZLOB on myspace!

Page 30

Who are these women? Why do they want to be my friend?

Page 31

Whence springs the trap

Page 32

Many Facets to identify

Page 33

Four components of Web Threats

Diagram: four facets, each with the example terms listed on the slide (items given in the order they appear under each label).

• protected by (How does it protect itself?): Rootkit, watchdog program, mimicry, Polymorphic
• operates by (How does it do it?): BHO, toolbar, LSP, application, cookie
• money from (What does it do?): Dialer, Adware, trackware, keylogger, browser hijacker, fraudulent changes, fraudulent royalty
• installed by (How does it get there?): Exploit, unknowing consent, lack full disclosure, Freeloader, Trojan, Worm

Page 34

One web threat explored…

Example: Integrated Search Technologies (ISTBar)

• protected by (How does it protect itself?): Unprotected – uses normal uninstaller supplied by publisher
• operates by (How does it do it?): Toolbar, search companion, and homepage redirect
• money from (What does it do?): Collecting pay-per-click and other money from online advertisers for serving pop-up ads on infected PCs.
• installed by (How does it get there?): ActiveX - using social engineering to piggyback on installation of mp3 downloads, game cheats, song lyrics, porn, etc.

Page 35

Problems of scale…

• Sometimes getting too close to an object obscures its place in the greater scheme…

Page 36

Some Qualities of modern web threats…

• Double Fraud
• Silent installation
• Stealth persistence!
• Malware self-defense
• Vertical segmentation

Page 37

Types of web threats by number of infected systems…

Chart: categories shown, from most to fewest infected systems as laid out on the slide (values not recoverable): Adware, Trojan, Browser Helper, Freeloader, Trojan Spyware, Trackware, Cracking App.

Page 38

(definable) Facets of a web threat

• How does it get on to the victim’s computer? (method of access)
• What unwanted activities does it perform on the victim’s computer? (economic purpose)
• How does it technically accomplish its purpose? (method of accomplishment)
• How does it protect itself from being detected, blocked or removed? (self-defense)
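An added illustration of the four-facet scheme, written for this transcript and not code from the paper or from Trend Micro: each threat is a record carrying a set of terms per facet (so a multi-component threat can have several), the facet vocabularies are constructed from the example terms on the "Four components of Web Threats" slide, ISTBar is filled in as on its slide, and Haxdoor is entered only as far as the deck describes it, so the validator reports its missing dimensions.

```python
from collections import Counter

# Facet vocabularies constructed from the terms on the "Four components of
# Web Threats" slide ("activex" and "unprotected" come from the ISTBar slide).
FACETS = {
    "installed_by": {"exploit", "unknowing consent", "lack full disclosure",
                     "freeloader", "trojan", "worm", "activex"},
    "money_from":   {"dialer", "adware", "trackware", "keylogger",
                     "browser hijacker", "fraudulent changes", "fraudulent royalty"},
    "operates_by":  {"bho", "toolbar", "lsp", "application", "cookie"},
    "protected_by": {"rootkit", "watchdog program", "mimicry", "polymorphic",
                     "unprotected"},
}
# The end-user question each facet answers, in the slide's wording.
QUESTIONS = {
    "installed_by": "How does it get there?",
    "money_from":   "What does it do?",
    "operates_by":  "How does it do it?",
    "protected_by": "How does it protect itself?",
}

def validate(facets):
    """Return problems with a record: empty facets or terms outside the
    vocabulary. An empty list means the record covers all four dimensions."""
    problems = []
    for facet, vocab in FACETS.items():
        terms = set(facets.get(facet, ()))
        if not terms:
            problems.append(f"{facet}: no value")
        problems.extend(f"{facet}: unknown term '{t}'" for t in sorted(terms - vocab))
    return problems

def describe(name, facets):
    """Render a record as the end-user questions with their answers, which is
    the translation step the expert/end-user impasse on slide 20 lacks."""
    return [f"{name}: {QUESTIONS[f]} {', '.join(sorted(facets[f]))}"
            for f in FACETS if facets.get(f)]

def tally(records, facet):
    """Count records per term of one facet: a one-dimensional view chosen per
    facet rather than the single type label of the slide 37 chart."""
    return Counter(t for facets in records.values() for t in facets.get(facet, ()))

# ISTBar as described on slide 34; Haxdoor only as far as slide 28 states it
# (exploit delivery, rootkit self-defense), so its record is incomplete.
RECORDS = {
    "ISTBar":  {"installed_by": {"activex"}, "money_from": {"adware"},
                "operates_by": {"toolbar"}, "protected_by": {"unprotected"}},
    "Haxdoor": {"installed_by": {"exploit"}, "protected_by": {"rootkit"}},
}
```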

Page 39

Question

• Is this already too complicated for the end user to understand?
• Unfortunately, it won’t work (beat you to it, vess)

Page 40

IN NON INTERNET CRIME

• We don’t call a bank robbery by the weapon
• We don’t normally hide that a crime has taken place
• Jurisdiction is clearer
• The public and the experts share a gestalt on the nature of most crimes

Page 41

Big concept, little time, conclusions

• The ultimate purpose of any digital threat categorization system is to provide clear, actionable information that allows everyone (from anti-malware product designers to IT administrators to individual PC users) to make prudent, effective cost/risk security decisions.
• The shift in malware from vandalism to monetary gain suggests that economic purpose rather than technical method of exploitation be the primary consideration in threat classification.
• Economically-motivated threats typically possess multiple functional aspects (e.g., installation, money-making, self-preservation) requiring multi-dimensional categorization.

Page 42

Thank you, please read the paper!

Page 43

And, of course, questions…