sameer ratolikar - crimeware attacks & defenses - interop mumbai 2009


Upload: interop-mumbai-2009

Post on 13-May-2015


DESCRIPTION

Crimeware is a type of MMC (Malicious Mobile Code) designed to target financial institutions by capturing the credentials of online users. It is executed via a variety of techniques such as key-logging, phishing, pharming, Man-In-The-Middle and Man-In-The-Browser. This session will cover types of identity theft and share best practices for countering them effectively.

TRANSCRIPT

Page 1: Sameer Ratolikar - Crimeware Attacks & Defenses - Interop Mumbai 2009


Page 2:

Agenda:

A. What is this "buzzword"
B. Modus operandi
C. Effect & implications
D. Some crimeware vectors
E. Crimeware future (CaaS)
F. Defenses

Page 3:

Every 2.5 seconds, new malware is released.

Page 4:

Crimeware: a collective term for any malware developed to obtain financial gain fraudulently by:
• Capturing confidential information such as usernames, passwords, credit card numbers etc. (online identity theft)
• Capturing keystrokes
• Taking control of a computer to build a botnet or to launch spam or DDoS attacks

Page 5:

Distribution methodology:
• Malicious email attachment
• Cross-site scripting on legitimate websites
• Exploiting application-layer vulnerabilities
• Insertion into downloadable audio/video files (piggybacking)
• Affiliate marketing

Page 6:

Impact:
• Confidential data leakage
• Financial loss due to leakage of passwords and credit card details
• Loss of productivity due to system slowdown
• Reputation loss
• Legal problems in case of botnet / zombie participation
• Spam transmission

Page 7:

Crimeware vectors:
a. Keyloggers
b. Email redirectors
c. MITM, Man-In-The-Browser & pharming
d. Drive-by download
e. Drive-by pharming
f. Click fraud
g. Future: ransomware, terrorware, Crimeware-as-a-Service (CaaS)

Page 8:

Key-loggers:
• Most prevalent, especially in "identity theft" related attacks.
• Downloaded by opening malicious email attachments, visiting malicious websites, piggybacking etc.
• Hardware key-loggers are also in wide use.
• Examples: Perfect Keylogger, Actual Keylogger.
• Other flavors such as screenloggers, spyware and adware are also in use.

Page 9:

[Image: hardware keylogger]

Page 10:

Email redirector:
• These are programs which intercept and relay outgoing emails and send an additional copy to an unintended address to which the attacker has access.
• Used in corporate espionage as well as personal surveillance.

Page 11:

Session hijackers:
• In a session hijacking attack, malicious software installed in the user's browser "hijacks" the session to perform malicious activities such as transferring money or manipulating transactions (Man-In-The-Browser).
• It can be carried out via malware on the local machine, or remotely as an MITM attack by redirecting the user's session to the attacker's server.
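A Man-In-The-Browser can rewrite transaction fields after the user has seen them, so the multi-factor authentication recommended later in the deck only helps if the one-time code is bound to the transaction details shown on a separate device. The following is an added example, not code from the slides: it assumes a shared token secret, the field names shown, and an HOTP-style truncation of an HMAC over those fields.

```python
import hmac
import hashlib

# Constructed demo secret: in a real deployment it lives only in the user's
# hardware token / authenticator app and in the bank's HSM.
TOKEN_SECRET = b"constructed-demo-secret-not-real"
FIELDS = ("payee", "amount", "currency", "nonce")


def canonical(txn: dict) -> bytes:
    """Stable byte encoding of the fields the user confirms on the token."""
    return "|".join(f"{k}={txn[k]}" for k in FIELDS).encode()


def token_code(secret: bytes, txn: dict, digits: int = 8) -> str:
    """Code the token computes from the details shown on ITS OWN screen,
    which browser-resident malware cannot rewrite (HOTP-style truncation)."""
    mac = hmac.new(secret, canonical(txn), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def server_verify(secret: bytes, submitted_txn: dict, code: str) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(token_code(secret, submitted_txn), code)


def demo() -> tuple[bool, bool]:
    """Returns (legitimate transfer accepted, tampered transfer accepted)."""
    intended = {"payee": "ACC-1111", "amount": "1000.00",
                "currency": "INR", "nonce": "a1b2c3"}  # nonce issued by the bank
    code = token_code(TOKEN_SECRET, intended)        # produced out of band
    legit_ok = server_verify(TOKEN_SECRET, intended, code)
    # The browser malware swaps the payee in the POST body but cannot
    # recompute the code, so the server rejects the altered transfer.
    tampered = dict(intended, payee="ACC-9999")
    return legit_ok, server_verify(TOKEN_SECRET, tampered, code)
```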

Page 12:

MITM:
• A big threat for the next few years.
• Tools: Ettercap, Cain & Abel.

Page 13:

Pharming:
• Malware may poison the local DNS server so that traffic is routed to the fraudster's website.

Page 14:

Drive-by download:
• A drive-by download is a program that is automatically downloaded to your computer without your consent or even your knowledge. Another variant is the drive-by install.
• Many of these infections are connected to botnets, in which each PC is turned into a zombie that may then be directed to further malicious activity, such as spam or DDoS.
• Statistics from leading AV vendors have proved that more than 10 million computers worldwide are serving DBW, resulting in botnets / DDoS.

Page 15:

Drive-by pharming:
• Drive-by pharming is a vulnerability exploit in which the attacker takes advantage of an inadequately protected broadband router to gain access to user data.
• Recent statistics by leading AV vendors have proved that major routers worldwide are susceptible to this kind of attack.
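Both pharming (page 13) and drive-by pharming (page 15) end the same way for the victim: a bank hostname resolves somewhere it should not, either through a hosts-file entry planted by local malware or through answers from a resolver the router was pointed at. The endpoint check below is an added example, not from the slides; the hosts file content, the bank hostname and the allowlisted range are constructed placeholders.

```python
import ipaddress
import re

# Constructed hosts file: the third line is the kind of entry local malware
# adds to pin a bank hostname to the fraudster's server (demo values only).
HOSTS_SAMPLE = """\
127.0.0.1   localhost
::1         localhost
192.0.2.45  onlinebanking.example.com www.onlinebanking.example.com
"""

# Constructed allowlist of ranges the bank's site legitimately resolves to;
# in practice this is built from the bank's published or observed ranges.
EXPECTED = {"onlinebanking.example.com": [ipaddress.ip_network("198.51.100.0/24")]}
MONITORED = ("onlinebanking.example.com", "www.onlinebanking.example.com")


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (hostname, ip) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        pairs.extend((name.lower(), ip) for name in names)
    return pairs


def hosts_overrides(text: str) -> list[tuple[str, str]]:
    """A monitored bank hostname pinned in the hosts file is suspicious:
    such an entry bypasses DNS altogether."""
    return [(h, ip) for h, ip in parse_hosts(text) if h in MONITORED]


def unexpected_answers(answers: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Flag resolver answers (hostname -> IPs) outside the allowlist; this
    catches a poisoned local resolver or a router whose DNS setting changed."""
    bad = []
    for host, ips in answers.items():
        nets = EXPECTED.get(host.removeprefix("www."), [])
        bad.extend((host, ip) for ip in ips
                   if not any(ipaddress.ip_address(ip) in n for n in nets))
    return bad
```

On a live host the `answers` dict would be filled from the system resolver (e.g. `socket.getaddrinfo`) and compared with the same allowlist.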

Page 16:

Click fraud:
• Click fraud is a type of Internet crime that occurs in pay-per-click online advertising when a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having any actual interest in the advertisement.
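Click fraud as defined above leaves two measurable traces in an ad network's own click logs: bursts of clicks on one ad from one source, and clicks with no time spent on the landing page. The detector below is an added example, not from the slides; the log format, the thresholds and the log lines are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed ad-click log: timestamp, client IP, ad id, user agent (no spaces
# in this sample), seconds the visitor stayed on the landing page.
CLICK_LOG = """\
2009-05-01T10:00:01 203.0.113.9 ad42 bot-ua 0
2009-05-01T10:00:03 203.0.113.9 ad42 bot-ua 0
2009-05-01T10:00:05 203.0.113.9 ad42 bot-ua 1
2009-05-01T10:00:08 203.0.113.9 ad42 bot-ua 0
2009-05-01T10:00:11 203.0.113.9 ad42 bot-ua 0
2009-05-01T10:00:14 203.0.113.9 ad42 bot-ua 0
2009-05-01T10:02:10 198.51.100.23 ad42 Mozilla/5.0 40
2009-05-01T10:40:00 198.51.100.23 ad42 Mozilla/5.0 28
2009-05-01T11:00:00 192.0.2.77 ad17 Mozilla/5.0 1
"""

BURST_CLICKS = 5     # this many clicks on one ad from one IP ...
BURST_WINDOW_S = 60  # ... inside this many seconds counts as a burst
MIN_DWELL_S = 2      # a human visitor usually stays longer than this
MIN_SAMPLE = 3       # do not judge dwell time on fewer clicks than this


def parse(line: str) -> tuple[datetime, str, str, str, int]:
    ts, ip, ad, ua, dwell = line.split()
    return datetime.fromisoformat(ts), ip, ad, ua, int(dwell)


def suspicious_sources(log: str) -> dict[tuple[str, str], list[str]]:
    """Map (ip, ad) -> reasons for every source that looks automated."""
    groups: dict[tuple[str, str], list[tuple[datetime, int]]] = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, ip, ad, _ua, dwell = parse(line)
            groups[(ip, ad)].append((ts, dwell))
    flagged = {}
    for key, clicks in groups.items():
        clicks.sort()
        reasons = []
        times = [t for t, _ in clicks]
        # sliding window: BURST_CLICKS clicks within BURST_WINDOW_S seconds
        for i in range(len(times) - BURST_CLICKS + 1):
            if (times[i + BURST_CLICKS - 1] - times[i]).total_seconds() <= BURST_WINDOW_S:
                reasons.append("burst")
                break
        low = sum(1 for _, d in clicks if d < MIN_DWELL_S)
        if len(clicks) >= MIN_SAMPLE and low * 2 > len(clicks):
            reasons.append("no-dwell")
        if reasons:
            flagged[key] = reasons
    return flagged
```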

Page 17:

Future: some new crimeware
a. Ransomware: computer malware which encrypts the user's important data and demands a ransom for its restoration. Originally these were referred to as cryptoviruses, cryptotrojans and cryptoworms. Some colleges / universities offer courses on cryptovirology.
b. Terrorware: malware developed for creating terror (airline, cyber terrorism).

Page 18:

Future:
• Crimeware as a Service (CaaS): a SaaS-style service for malware. The polymorphic engine does not reside within the virus code itself, but remotely on a server. On PCs that are part of a botnet, a specific bot variant can mutate remotely via a command over HTTP. This is called Crimeware-as-a-Service (CaaS) because the actual viral code does not reside on the host but in the cloud, similar to a software-as-a-service platform.
• Similarly, hackers need not own their own infrastructure to target victims; it is offered as a service now.

Page 19:

We recommend the following best practices for countering crimeware impact. People awareness tops the list.

Process approach:
• Regular information risk assessment; implement ISO 27001
• Application security audit; code review of your application for the OWASP Top 10 attacks

Technology approach: defense-in-depth
• Network security infrastructure (firewall, NIPS, HIPS with good AV and anti-spyware on the server)
• Web application firewall (a relatively new concept)
• Inbound / outbound malicious content filtering appliance
• Multi-factor authentication
• Virtual keyboard

Page 20:

Thank you

Sameer J Ratolikar, Chief Information Security Officer