TRANSCRIPT
MONEY CHANGES EVERYTHING
New approaches to categorizing economically-motivated digital threats
Anthony Arrott, PhD, David Perry
Trend Micro, Inc.
Virus Bulletin conference, Vienna, Austria, 2007
Copyright 2007 - Trend Micro Inc.
In the beginning…
GENESIS 2
• 19 And out of the ground the LORD God formed every beast of the field, and every fowl of the air; and brought them unto Adam to see what he would call them: and whatsoever Adam called every living creature, that was the name thereof.
• 20 And Adam gave names to all cattle, and to the fowl of the air, and to every beast of the field;
That being said…
• This is NOT about virus naming conventions!
• The virus is no longer the main concern
• The individual malware is merely a component in today’s attack, used in quantity, together with a great number of people and servers, in attacks of great complexity
• Maybe we need to focus our defining efforts towards the need of another group of people
THE END USERS!
Confronted with a world of information
PATTERNS alone do not convey MEANING
With so many things to identify
We look to identify PATTERNS
We simplify our approach
We might miss the point
So there is language
Language also has problems…
• Confusion of map and territory
• Special meaning
• Connotation
• Conflation
DEFINITIONS
TAXONOMY
EXPERTS
PERSPECTIVE
Patterns and language and perspective = taxonomy
Perspective, in the ideal and in the real world
Perspective, in a different metaphor
The virus expert vs the end user
• The virus expert: This particular piece of malware is a password stealing trojan, delivered by a downloader connected via a multiple web redirect using iframe and (ad infinitum)
• End user hears: blah blah blah blah blah
• End user says: What does this mean? What is the purpose of this malware?
• The virus expert hears: I am a dummy, ignore me.
This is an impasse of communications
THE RISE OF THE WEB THREATS
MONEY CHANGES EVERYTHING…
Threat Environment Evolution
[Figure: complexity (vertical axis) rising over time (2001, 2003, 2004, 2005, 2007). Stages in order: Worm/Outbreaks; Mass Mailers, Vulnerabilities; Spyware, Spam; Intelligent Botnets, Crimeware; Web Based Malware Attacks (?).]
Web Based Malware Attacks:
• Multi-Vector
• Multi-Component
• Web Polymorphic
• Rapid Variants
• Single Instance
• Single Target
• Regional Attacks
• Silent, Hidden
• Hard to Clean
• Botnet Enabled
Malware for Profit is driving Web Threats
Worms vs. Web Threats
[Chart: worms (left axis, 0 to 3000) against web threats (right axis, 0 to 12000), by quarter from Q1-05 to Q3-06.]
Source: Trend Micro
The threat landscape is shifting to Web-borne attacks
Worms: constant in the last 2 years
Web Threats: high volume and growing
The Problem: Threat Landscape Is Evolving
[Figure: two parallel timelines. Threat Landscape Evolution, with threats shown including File Infector, PC Virus, Macro Virus, Network Worm, Script Virus, Email Worm, Spam, Spyware, Bots, Phishing, Pharming, Trojan, Profit-Motivated and Combined Threats. Business Network Evolution: Standalone PC; Shared network LAN/WAN; Shared multi-service networks; Boundless Internet connectivity.]
Haxdoor
Your boss asks you to develop a corporate travel policy. You begin with a Google search on travel policy.
Oct 7, 2006
First result is a .gov site
Second result looks like a good choice
Haxdoor
You click on the second search result
You wait… the site appears to be downloading images and content… you wait… and you wait…
Finally you close the browser window… you’ll find another site
Haxdoor
Unbeknownst to you…
• The IFRAME at the top of the page leads you to an index.htm file (81.95.146.98/index.html)
• This file includes a script that exploits the MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)
  – The original exploit code has been modified to try to bypass AV scanners that detect the original exploit
• An executable file (win.exe) is downloaded to your system and executed
• You now have a backdoor with rootkit features—a variant of the notorious family of backdoor rootkits known as Haxdoor!
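A defender-side check for the kind of IFRAME described above, as an added example that is not part of the original slides: it parses a page and flags frames that point off-site, at a raw IP address, or are sized or styled to be invisible. The sample page is constructed; only the IP address is the one quoted on the slide, and the page host name is a made-up placeholder.

```python
# Added example (not from the slides): flag IFRAMEs like the one in the Haxdoor chain above.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # a raw-IP host, as on the slide, is a strong signal

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({name: (value or "") for name, value in attrs})

def _is_hidden(attrs):
    """Zero-sized or display:none frames are the 'silent' part of the redirect."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = {attrs.get("width", "").strip(), attrs.get("height", "").strip()} & {"0", "0px"}
    return bool(zero) or "display:none" in style or "visibility:hidden" in style

def suspicious_iframes(html, page_host):
    """Return (src, reasons) for frames that leave page_host, use a raw IP host, or are hidden."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.frames:
        src = attrs.get("src", "")
        # Relative srcs stay on the page host; protocol-relative ones need a scheme to parse.
        absolute = src if "://" in src else ("http:" + src if src.startswith("//") else "http://" + src)
        host = urlparse(absolute).hostname or ""
        reasons = []
        if host and host.lower() != page_host.lower():
            reasons.append("third-party host")
        if IPV4.fullmatch(host):
            reasons.append("raw IP host")
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample page; the IP-address host is the one quoted on the slide.
SAMPLE_PAGE = """<html><body>
<iframe src="http://81.95.146.98/index.html" width="0" height="0"></iframe>
<h1>Corporate travel policy</h1>
<iframe src="/help/policy-faq.html" width="600" height="300"></iframe></body></html>"""
```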
ZLOB on myspace!
Who are these women? Why do they want to be my friend?
Whence springs the trap
Many Facets to identify
Four components of Web Threats
installed by (How does it get there?): Exploit; unknowing consent; lack full disclosure; Freeloader; Trojan; Worm
money from (What does it do?): Dialer; Adware; trackware; keylogger; browser hijacker; fraudulent changes; fraudulent royalty
operates by (How does it do it?): BHO; toolbar; LSP; application; cookie
protected by (How does it protect itself?): Rootkit; watchdog program; mimicry; Polymorphic
One web threat explored…
Example: Integrated Search Technologies (ISTBar)
installed by (How does it get there?): ActiveX, using social engineering to piggyback on installation of mp3 downloads, game cheats, song lyrics, porn, etc.
money from (What does it do?): Collecting pay-per-click and other money from online advertisers for serving pop-up ads on infected PCs.
operates by (How does it do it?): Toolbar, search companion, and homepage redirect
protected by (How does it protect itself?): Unprotected – uses normal uninstaller supplied by publisher
Problems of scale…
• Sometimes getting too close to an object obscures its place in the greater scheme…
Some qualities of modern web threats…
• Double Fraud
• Silent installation
• Stealth persistence!
• Malware self-defense
• Vertical segmentation
Types of web threats by number of infected systems…
[Chart: categories shown are Adware, Trojan, Browser Helper, Freeloader, Trojan Spyware, Trackware and Cracking App.]
(definable) Facets of a web threat
• How does it get on to the victim’s computer? (method of access)
• What unwanted activities does it perform on the victim’s computer? (economic purpose)
• How does it technically accomplish its purpose? (method of accomplishment)
• How does it protect itself from being detected, blocked or removed? (self-defense)
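The four facets from the "Four components of Web Threats" slide, the ISTBar example and this slide, as an added example that is not the authors' code: a record with one field per facet, the technical one-liner and the plain-language answer that the "virus expert vs the end user" slide contrasts, and a tally along any one facet. The catalogue entries paraphrase the slides; the Haxdoor entry's economic purpose is left as "not stated" because the slides do not give it.

```python
# Added example (not from the slides): a record with one field per facet, plus the two
# views the 'virus expert vs end user' slide contrasts and a tally along any facet.
from collections import Counter
from dataclasses import dataclass

UNKNOWN = "not stated"  # a facet the analyst has not determined yet

@dataclass(frozen=True)
class WebThreat:
    name: str
    access: str        # installed by: how does it get there?
    purpose: str       # money from: what does it do?
    method: str        # operates by: how does it do it?
    self_defense: str  # protected by: how does it protect itself?

def expert_summary(t: WebThreat) -> str:
    """The technical one-liner the expert gives (method of accomplishment first)."""
    return f"{t.name}: {t.method}; {t.access}; self-defense: {t.self_defense}"

def end_user_summary(t: WebThreat) -> str:
    """Answer the end user's questions: what does this mean, and what is it for?"""
    purpose = t.purpose if t.purpose != UNKNOWN else "a purpose not yet determined"
    removal = ("it can be removed with its own uninstaller"
               if t.self_defense.lower().startswith("unprotected")
               else f"it hides itself ({t.self_defense}), so removal needs a security tool")
    return f"{t.name} got onto the PC through {t.access}; it is there to make money by {purpose}; {removal}."

def tally(threats, facet: str) -> Counter:
    """Count a catalogue along one facet, e.g. 'purpose' for the slides' 'money from'."""
    return Counter(getattr(t, facet) for t in threats)

# Catalogue entries paraphrase the slides; Haxdoor's money-making facet is not given there.
CATALOGUE = [
    WebThreat("ISTBar",
              access="ActiveX piggybacking on mp3, game-cheat and song-lyric downloads",
              purpose="serving pop-up ads for pay-per-click revenue",
              method="toolbar, search companion and homepage redirect",
              self_defense="unprotected (publisher-supplied uninstaller)"),
    WebThreat("Haxdoor variant",
              access="hidden IFRAME redirect to an MS06-014 exploit page",
              purpose=UNKNOWN,
              method="backdoor",
              self_defense="rootkit"),
]
```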
Question
• Is this already too complicated for the end user to understand?
• Unfortunately, it won’t work (beat you to it, vess)
IN NON-INTERNET CRIME
• We don’t call a bank robbery by the weapon
• We don’t normally hide that a crime has taken place
• Jurisdiction is clearer
• The public and the experts share a gestalt on the nature of most crimes
Big concept, little time, conclusions
• The ultimate purpose of any digital threat categorization system is to provide clear, actionable information that allows everyone (from anti-malware product designers to IT administrators to individual PC users) to make prudent, effective cost/risk security decisions.
• The shift in malware from vandalism to monetary gain suggests that economic purpose rather than technical method of exploitation be the primary consideration in threat classification.
• Economically-motivated threats typically possess multiple functional aspects (e.g., installation, money-making, self-preservation) requiring multi-dimensional categorization.
Thank you, please read the paper!
And, of course, questions…