Lecture 8
Trojan Horse
- the author disguises it as something desirable so that you download and run it yourself; it looks like something good but actually does something harmful (e.g., wipes the hard drive)
- does not replicate automatically (unless bundled with a worm)
Most Vulnerable Mobile Platform
- used to be Android, but now iOS: there are now 9 malware families able to attack non-jailbroken iOS devices, compared with 4 families that previously could attack only jailbroken devices
History
- 1949: theories of self-replicating programs developed
- 1970s: first virus, Creeper (1971)
- 1980s: viruses become widely seen, spreading via early networks and floppy disks
- 1983: Fred Cohen formally defines "computer virus"
- 1988: Jerusalem virus; activates every Friday the 13th and deletes the programs run on that day
- 1990s: macro viruses evolve
- 2000s: viruses take advantage of the Internet
- 2010s: stealth
- 2016: ransomware
Real Life Implications (SCADA)
- 2010: Stuxnet worm
- 2011: Duqu; its goal was to gather information, and it stole digital certificates for use in future attacks
- 2011: reported cyberattack on a public water utility in Springfield, Illinois; a pump at the facility was destroyed and an IP address based in Russia had reportedly gained access (the later DHS/FBI investigation found no evidence of an intrusion: the Russian login was a contractor travelling there, and the pump failure was unrelated)
Examples of SCADA Attacks
- 2013: 50 types of malware specifically targeted energy entities
- 2014: dozens of turbines affected at a major US energy provider
2016 Ransomware Survey
- 44 of the 125 Canadian respondents had been attacked in the last year
- 33 paid the ransom
- 11 had to shut down operations to recover
- 5 were healthcare organizations, meaning lives were at risk
Comparison (Computer Worm and Biological Worm)
- computer worm: can hide in files without infecting them; replicates itself regardless of the host's actions
- biological worm: lives independently of a host; reproduces by itself
How Successful is Ransomware?
- extremely successful; makers have begun sabotaging competitors' malware
- "Chimera" locks files, but also threatens to leak them if the ransom is not paid
- the authors of the ransomware "Petya and Mischa" hacked their competitor Chimera, stole (and are reusing) its code, and posted about 3,500 Chimera decryption keys
- the estimated cost for cybercriminals to infect 1,000 vulnerable computers via malvertisements was 5 USD
No more ransom
- Intel Security, Europol, the Dutch police and Kaspersky Lab created a web portal (No More Ransom) to help users recover from ransomware without paying their attackers
- users upload an encrypted file, and the site checks it against its collection of roughly 160,000 known decryption keys
Top 5 most observed vulnerabilities - Jan 2014
- Internet Explorer memory corruption vulnerability
- generic malicious Flash
- generic exploit kit
- local file XML call
- Sutra TDS redirection
Famous Malware
- malware today is a combination of all the previous types
- types can be combined: a virus with a worm, a worm with a keylogger, or a Trojan to get into an organization, then a worm to move around and infect other computers with a virus or ransomware
The Morris Worm
- the first widespread worm, released on November 2, 1988
- written by Robert Tappan Morris, then a graduate student at Cornell University
- Morris was convicted under the US Computer Fraud and Abuse Act
- received three years' probation and community service, plus a fine in excess of $10,000
- currently at MIT
New Market for Ransomware
- traditionally ransomware was developed and used by the same hackers or groups
- then it became a product to be bought and sold, or offered as a subscription service (ransomware-as-a-service), like any other software
Zeus
- Trojan horse identified in 2007; a tool for many cybercriminals, available for sale
- steals passwords and files
- uses a "man-in-the-browser" attack to gain financial information: it infects the browser, and during a banking transaction shows the user the correct transfer details while submitting false ones (e.g., to attacker-controlled accounts)
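The man-in-the-browser mechanism above, as an added illustration (not from the lecture and not Zeus code): a Python simulation in which a hook rewrites the beneficiary in the request the browser sends while the page still shows what the victim typed. It is run first against a one-time code that is not tied to the transaction, then against a code bound to the transaction details. The Boleto and GameOver Zeus entries later in these notes rely on the same mechanism. Account numbers, the shared token secret and the hook itself are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample input: the transfer the victim actually typed into the bank's page.
INTENDED = {"beneficiary": "GB29NWBK60161331926819", "amount": "120.00"}
# Constructed mule account the injected script redirects the money to.
MULE_ACCOUNT = "DE89370400440532013000"
# Constructed secret shared between the bank and the victim's out-of-band token
# (card reader or authenticator app). The browser never holds it.
TOKEN_SECRET = b"constructed-shared-secret"


def mitb_hook(form):
    """The injected script: rewrite the request the browser sends while the
    rendered page keeps showing INTENDED. Only the wire copy changes."""
    tampered = dict(form)
    tampered["beneficiary"] = MULE_ACCOUNT
    return tampered


def browser_submit(form, hook=None):
    """What the (possibly compromised) browser actually sends to the bank."""
    return hook(form) if hook else dict(form)


def session_otp(secret, counter):
    """Weak defence: a one-time code that depends only on a counter, not on
    what is being approved."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:8]


def transaction_code(secret, tx):
    """Strong defence: a code bound to the exact beneficiary and amount."""
    msg = json.dumps(tx, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def run_transfer(hook, defence):
    """Return ('approved', beneficiary) or ('rejected', None) for one transfer."""
    received = browser_submit(INTENDED, hook)  # the bank's view of the request

    if defence == "session_otp":
        # The token shows a code, the victim types it into the browser, the bank
        # checks it. Nothing ties the code to the beneficiary, so a tampered
        # transfer is approved just like a genuine one.
        typed = session_otp(TOKEN_SECRET, counter=1)
        expected = session_otp(TOKEN_SECRET, counter=1)
    elif defence == "bound_code":
        # The victim keys the beneficiary and amount THEY intend into the token;
        # the bank computes the code over what IT received. Any change made in
        # the browser breaks the match, without the victim having to spot it.
        typed = transaction_code(TOKEN_SECRET, INTENDED)
        expected = transaction_code(TOKEN_SECRET, received)
    else:
        raise ValueError(f"unknown defence: {defence}")

    if hmac.compare_digest(expected, typed):
        return ("approved", received["beneficiary"])
    return ("rejected", None)


if __name__ == "__main__":
    print(run_transfer(mitb_hook, "session_otp"))  # money goes to MULE_ACCOUNT
    print(run_transfer(mitb_hook, "bound_code"))   # rejected
    print(run_transfer(None, "bound_code"))        # genuine transfer approved
```

The bound code is the idea behind transaction-signing readers ("what you see is what you sign"): the victim's separate device, not the browser, is the channel the hook cannot reach. Keying the details into the device matters; a token that only displays a code approves whatever the bank happened to receive.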
Comparison (Biological Virus and Computer Virus)
- biologically, a virus passes from one person to another through infected cells
- same with a computer virus: launching an infected program infects other programs
Good use of Worms/Viruses?
- called patching or "polite" worms
- can also be used by virus-writing gangs in turf wars
- 2007: a Trojan horse used by the FBI to track emailed bomb threats
- 2003: Welchia worm; enters the computer, deletes the malicious Blaster worm, downloads and installs security patches from Microsoft, and deletes itself after 120 days
Ransomware
- can be delivered by a virus or a worm
- often looks like it comes from the government and says a download is required
- becoming more popular because the route to the money is short
- your computer becomes a competed-for target: if a ransomware program arrives and finds another one already installed, it removes the old one
Boleto Malware
- created in Brazil
- uses a man-in-the-browser attack to intercept boleto payments (Brazilian money orders)
- affected 34 banks in Brazil, infected almost 200k computers, compromised almost 500k transactions and redirected 3.75 billion USD
Keyloggers
- designed to record every keystroke you make
- may need dedicated security software to detect
- can be combined with viruses and worms
Citadel Ransomware
- developed by Mark Vartanyan, a Russian living in Ukraine and Norway
- caught and pleaded guilty in March 2017; faced up to 10 years in jail
- Citadel cost victims an estimated $500 million
Application Level Rootkit
- easy to write but relatively ineffective
- hides by modifying the contents of folders as they are shown to the user (it hooks the listing call the application makes)
- easily detected by rootkit-detection tools, since the OS itself is not compromised
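An added example (not from the lecture) of how a detector catches the folder-hiding trick: a Python simulation in which a user-mode hook replaces the directory-listing call an application uses, and a cross-view check compares that view with a second, unhooked route to the same information. The hidden-name prefix, the temporary files and the hook are constructed for the example.

```python
import os
import tempfile

# Constructed: names beginning with this prefix are what the simulated rootkit conceals.
HIDE_PREFIX = "_rk_"

_real_listdir = os.listdir


def _hooked_listdir(path="."):
    """Filtered listing: everything the real call returns, minus the rootkit's files."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDE_PREFIX)]


def install_hook():
    """Simulated application-level rootkit: swap the listing API in place, the way a
    user-mode rootkit patches import tables or injects a DLL into Explorer / ls."""
    os.listdir = _hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def cross_view_diff(path):
    """Cross-view detection: ask the same question two ways and compare.
    os.listdir is the route the application (and the hook) uses; os.scandir is a
    separate, unhooked route to the same directory. Names present in the low-level
    view but missing from the high-level view are being hidden."""
    high = set(os.listdir(path))
    with os.scandir(path) as it:
        low = {entry.name for entry in it}
    return sorted(low - high)


def demo():
    """Create a directory with one normal file and two 'rootkit' files, install the
    hook, and return (what the application sees, what the detector recovers)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "_rk_loader.dll", "_rk_config"):
            open(os.path.join(d, name), "w").close()
        install_hook()
        try:
            visible = sorted(os.listdir(d))
            hidden = cross_view_diff(d)
        finally:
            remove_hook()
    return visible, hidden


if __name__ == "__main__":
    print(demo())  # (['notes.txt'], ['_rk_config', '_rk_loader.dll'])
```

The check works only because the hook sits above one of the two routes. A kernel-level rootkit hooks below both, so both views agree and the detector has to go lower still, for example reading the raw disk from a clean boot.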
Kernel Level Rootkit
- exploits undocumented operating-system structures, so it is OS-version specific
- has unrestricted access
- works at a lower level, so it is much harder to detect: once the OS is compromised it cannot be trusted, and a detection program running on an untrusted OS cannot be trusted either
Man-In-The-Middle Attack
- a fraudulent site or proxy sits between the user and the real business, channelling and intercepting all traffic and information
- e.g., GameOver Zeus
Illegal Use of Keyloggers
- industrial and other espionage
- mainly used to steal user data (confidential information)
- becoming more sophisticated, e.g., logging only the keystrokes entered on particular sites the criminals are interested in
Where is Malware hosted?
- mainly in the US (more than 20%)
- Canada: between 0.3% and 0.6%
Legal Use of Keyloggers
- monitoring employees, students and offenders
- parental control
- jealous spouses
- company security and collecting evidence in business environments
Guidelines for Businesses (re viruses)
- multiple layers of defense
- monitor for network incursion attempts
- protect private keys
- use encryption
- restrict removable media
- update and patch
- enforce a password policy
- restrict email attachments
- ensure incident-response procedures are in place
- educate employees
- ensure regular backups (and test that they restore)
Why Create Viruses/Worms?
- challenge or fun, the thrill, pushing the envelope
- profit / financial motivation, theft, identity theft
- sense of power, revenge, chaos
Guidelines for Consumers (re viruses)
- protect yourself: antivirus and a bidirectional firewall
- use reputation-checking tools
- update regularly
- beware of scareware
- use strong passwords
- think before you click
- regularly review activity in your bank and credit-card accounts
Viruses
- a small piece of software that piggybacks on another file
- attaches itself to a program and runs every time that program is launched
- macro viruses are embedded in documents and spreadsheets
Mazar Android BOT
- spreads via SMS/MMS messages with an embedded malicious link
- once installed, roots the phone and gains admin access
- makes money by sending premium-rate SMS messages
- can completely wipe the device
- can inject itself into Chrome
SCADA (Supervisory Control and Data Acquisition)
- traditionally not connected to the Internet; an attacker needed physical access
- now more frequently connected to the Internet, and vulnerabilities get exploited because SCADA software is often not updated
- security does exist: keep these computers separated from the Internet whenever possible
GameOver Zeus
- a version of Zeus that is still alive today (modified source code, Trojan still alive)
- steals banking information; ~$100 million in losses, and it also delivered CryptoLocker, which demanded a ransom of ~$500
- the botnet was disrupted in mid-2014
- traditionally makes fraudulent transactions from the victim's bank account via man-in-the-browser; more recently injects itself into the login process on Monster.com
Major types of malware
- viruses
- worms
- ransomware
- keyloggers
- rootkits
Worms
- small pieces of computer code capable of self-replication
- don't need to attach to programs or documents
- you don't need to do anything for your computer to become infected with a worm
Code Red Worm
1. each copy scanned the Internet for vulnerable machines
2. once one was found, it copied itself onto that machine
3. repeat step 1
- replicated itself for the first 20 days of each month
- payload: replaced web pages with a page saying "Hacked by Chinese"
- launched a DDoS attack on the White House website
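Step 1 of that loop, every copy scanning for new victims, is what a network defender sees first: one host opening connections to many distinct web servers in a short time. The Python detector below is an added example rather than anything from the lecture. It flags sources that reach an unusual number of distinct port-80 destinations inside a sliding window, run over constructed firewall-style log lines (the timestamps, addresses and the log format are all made up for the example).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_scanners(lines, port=80, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak number of distinct port-`port` destinations contacted
    within any `window`} for every source whose peak reaches `threshold`.
    Repeated hits on one server do not count; only fan-out does."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev[3] == port:
            per_src[ev[1]].append((ev[0], ev[2]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = deque()              # (timestamp, dst) events inside the window
        counts = defaultdict(int)        # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            counts[dst] += 1
            while in_window and ts - in_window[0][0] > window:
                _, old = in_window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def constructed_log():
    """Made-up traffic: one infected host fanning out, two benign patterns, one non-web line."""
    base = datetime(2001, 7, 19, 10, 0, 0)
    lines = []
    # Infected host: 12 different web servers in 22 seconds.
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=192.0.2.{i + 1} dport=80")
    # Normal browsing: three sites over four minutes.
    for i, dst in enumerate(("198.51.100.7", "198.51.100.8", "198.51.100.9")):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.6 dst={dst} dport=80")
    # Fifteen requests to the same server: busy, but not a scan.
    for i in range(15):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.7 dst=198.51.100.7 dport=80")
    # SSH traffic, ignored because the detector watches port 80 only.
    lines.append(f"{base.isoformat()} src=10.0.0.8 dst=203.0.113.1 dport=22")
    return lines


if __name__ == "__main__":
    print(detect_scanners(constructed_log()))  # {'10.0.0.5': 12}
```

The window and threshold are tuning knobs: too low and web crawlers or a proxy for many users trigger it, too high and a slow scanner slips under it. Code Red's own date gating (spreading only early in the month) is a reminder that a quiet day proves nothing about whether a host is infected.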
Virus Phases (2)
1. spread
2. attack, triggered by a condition such as the number of times replicated, a date, etc.
Types of Keyloggers
1. hardware (e.g., a USB device between the keyboard and the computer): physical; the attacker must return to the computer to collect the data unless the device is wireless
2. software programs: dedicated programs designed to track and log keystrokes
Two Classifications of Rootkits
1. persistent: survives a reboot, so it must be stored on the hard drive
2. non-persistent: memory based; does not survive a reboot
Malware
Malicious software
RootKits
- root: the administrative (highest-privilege) account; kit: a collection of tools
- a collection of tools that grants and keeps root privileges, lets an attacker hide running programs, and enables admin access to a computer or network
- exploits a vulnerability to get installed, then uses stealth techniques to hide
- prevents users from receiving accurate information about what is taking place
- many rootkit source codes are available online