Malware What is malware? Malware: malicious software worm - - PowerPoint PPT Presentation



SLIDE 1

Malware

SLIDE 2

What is malware?

  • Malware: malicious software
  • worm
  • ransomware
  • adware
  • virus
  • trojan horse
  • etc.
SLIDE 3

… and how do we fight it?

  • AV software
  • Firewalls
  • Filtering
  • Patching
  • Writing more secure software
  • Training users
SLIDE 4

How to Monetize Malware

  • Botnets
      • Networking infected computers together
      • Sending instructions to those computers to do things like:
          • Send spam
          • Mine cryptocurrency
          • Perform ad fraud
          • Perform DDoS attacks
  • Stealing banking credentials
  • Stealing Bitcoin and other alternative currencies
  • Ransoming the computer
  • Pay per install software
SLIDE 5

How malware spreads

  • Attachments in emails
  • Other social engineering
  • Drive-by downloads
  • Spreading itself
SLIDE 6

Vulnerabilities vs. Exploits

  • Vulnerability: hole in software
  • Exploit: code written to use a vulnerability to gain unauthorized access to something
  • There are way more known vulnerabilities than known exploits.
  • https://www.exploit-db.com/ vs. https://nvd.nist.gov/
SLIDE 7

Zero Day Attacks

  • A working exploit exists before the vulnerability is publicly known
  • Fairly rare
  • Zero days are expensive — 1.5 million USD for an Apple iOS 10 exploit
  • Overwhelmingly, exploits in the wild are not 0day.
SLIDE 8

Morris Worm

  • Created in 1988 by Robert Morris
  • Purportedly to measure the Internet
  • Infected 10% of computers connected to the Internet
  • Slowed down computers to where they became unusable.

SLIDE 9

Morris Worm

  • Exploited Unix systems through:
      • sendmail
      • finger
      • rsh
      • weak passwords
  • Note that the vulnerabilities that he exploited were known.
  • Buggy: installed itself multiple times, didn’t phone home, etc.
SLIDE 10

Effects of Morris Worm

  • CERT organizations worldwide
      • CERT-CC at CMU funded by the US gov
  • Patching known vulnerabilities
  • More attention to computer security
SLIDE 11

Conficker

  • Computer worm first appearing in November 2008
  • Sinkholed in 2009
      • Good guys registered domain names used for attacks
  • Operators arrested in 2011
  • Still infecting computers today
  • Millions of infections — hard to count.
SLIDE 12

Conficker — how it spreads

  • Conficker-A: Vulnerability in Windows. Infected machines scanned IP space for more machines.
  • Conficker-B: Added infected USB devices, shared network folders with weak passwords.
  • Conficker-C: Hardened new command and control infrastructure and added fake AV as a monetization.
  • Conficker-D/E: Turned from centralized botnet to peer-to-peer

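As an added example (not from the slides), a small detector for the Conficker-A behaviour described above: an infected host sweeping the IP space shows up as one source contacting many distinct destinations on one port within a short window. The flow records and the port number are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records ("timestamp src dst dport"), not real traffic.
# 10.0.0.7 touches 24 distinct hosts on one port within a few seconds, the
# way a Conficker-A infected machine sweeps its IP space; 10.0.0.9 is normal.
# The port number is a sample value chosen for the demo.
SAMPLE_FLOWS = [
    f"2008-11-21T10:00:{i:02d} 10.0.0.7 10.0.1.{i} 445" for i in range(1, 25)
] + [
    "2008-11-21T10:00:05 10.0.0.9 10.0.1.3 445",
    "2008-11-21T10:00:06 10.0.0.9 10.0.1.3 445",   # same host again: not a sweep
    "2008-11-21T10:00:07 10.0.0.9 10.0.2.8 80",
]


def parse_flow(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {(src, dport): peak distinct destinations} for every source that
    contacted at least `threshold` distinct destination IPs on one port inside
    any `window`-long interval. Repeated contact with one host does not count."""
    events = sorted(parse_flow(line) for line in lines)
    per_key = defaultdict(list)          # (src, dport) -> [(ts, dst), ...] by time
    for ts, src, dst, dport in events:
        per_key[(src, dport)].append((ts, dst))

    alerts = {}
    for key, hits in per_key.items():
        start = 0
        for end in range(len(hits)):
            # slide the left edge until the interval fits inside `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, dport), n in find_scanners(SAMPLE_FLOWS).items():
        print(f"possible sweep: {src} hit {n} distinct hosts on port {dport}")
```

The threshold and window are tuning knobs; on real flow data a legitimate scanner or monitoring host needs an allow-list so it does not trip the same rule.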
SLIDE 13

Conficker Infections over Time

SLIDE 14

Reaction to Conficker

  • Patch released before worm, yet patch rate was slow.
  • Large scale anti-botnet effort
  • Microsoft added security updates for unlicensed software
  • Conficker botnet shrank at a slower pace than the market share of Windows XP / Vista

SLIDE 15

Stuxnet

  • Worm first known about in 2010, detected as early as 2005
  • Built by the US and Israeli governments to attack Iranian nuclear program
  • Targets PLCs through Windows computers
  • Infected over 200,000 Windows machines
SLIDE 16

Stuxnet - how it spreads

  • Uses zero-day exploits to compromise Windows machines
  • Spreads using USB drives, peer-to-peer RPC
  • Bridges computers connected to the Internet with those that aren’t
  • Attacks files connected to certain SCADA software
  • Hijacks communication
SLIDE 17

Reaction to Stuxnet

  • Cyberwarfare IRL
  • Car bomb attacks against Iranians by Iranian government
  • Some efforts to isolate important PLCs better
  • Similar effort against North Korea failed
  • Duqu/Flame
SLIDE 18

Drive by downloads

  • Website infected with malware
  • Malware injects code into webpage
  • That code infects those who visit it by directing them to an exploit kit through an intermediary

SLIDE 19

How are websites targeted?

  • Find an exploit in a certain piece of software
  • Use Google Dorks to find websites with that vulnerability
  • Compromised advertising
  • Other ways?
SLIDE 20

Exploit Kits

  • Each machine has different software on it
  • Uses a host of exploits to infect a machine
  • Exploit kits can be bought or rented
SLIDE 21

Fake Antivirus

  • Installs itself on your machine and forces you to buy software
  • Many people buy this software
  • Largely shut down by shutting down payment processors

SLIDE 22

Ransomware

  • Encrypts all your files using a key:
      • Old: same key for all
      • New: different key for each system
  • Requires victim to pay criminal to get files back:
      • Old: Payments through Western Union and the like
      • New: Payments through Bitcoin
SLIDE 23

Computer Virus

  • A type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and inserting its own code. - Wikipedia
SLIDE 24

Parts of a Virus

  • Infection vector: How a virus spreads
  • Trigger: Sets off the malicious functionality
  • Payload: The malicious functionality
SLIDE 25

Phases of a Virus

Dormant → Scanning and propagating → Waiting for a trigger → (triggered) → Execute

SLIDE 26-31

How do they infect?

[Animated diagram across slides 26-31; labels: Executable File, Malware]

SLIDE 32

How do they infect?

[Diagram; labels: Executable File, Malware, Packer]

SLIDE 33-34

How do they execute?

[Animated diagram across slides 33-34; labels: Executable File, Malware, Line of code]

SLIDE 35

Definitions

  • Self-Modifying code: Code that can change itself (usually without changing the functionality)
  • Polymorphic malware: Infects others with an encrypted copy of itself. Encryption and code changes.
  • Backdoor: Malware that leaves hidden ways of replicating itself
  • Rootkit: Malicious software to maintain access to system; good at hiding itself.

SLIDE 36

ILOVEYOU

  • Bug in email: sent out messages with subject "ILOVEYOU" and attachment "LOVE-LETTER-FOR-YOU.txt.vbs"
  • The .vbs extension was hidden
  • Propagation: Sent itself to all addresses in address book
  • Payload: Overwrote random files
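
As an added example (not part of the slides), a mail-gateway check for the trick ILOVEYOU relied on: a decoy extension such as `.txt` sitting in front of a runnable one such as `.vbs`, so that the real extension is hidden. The extension lists and the sample mailbox are constructed for the demo.

```python
# Extensions Windows treats as runnable; ILOVEYOU arrived as a .vbs script.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "hta", "exe", "scr",
                   "com", "bat", "cmd", "pif"}
# Harmless-looking decoys placed in front of the real extension.
DECOY_EXTS = {"txt", "doc", "xls", "pdf", "jpg", "jpeg", "png", "gif", "mp3"}


def classify_attachment(filename: str) -> str:
    """'clean', 'executable', or 'double-extension' (decoy + runnable ext)."""
    # strip each part so "photo.jpg      .scr" (padding spaces) is still caught
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "clean"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"       # e.g. love-letter-for-you.txt.vbs
    return "executable"


def triage(messages):
    """Return (index, attachment, verdict) for every attachment that is not clean."""
    findings = []
    for i, msg in enumerate(messages):
        for att in msg["attachments"]:
            verdict = classify_attachment(att)
            if verdict != "clean":
                findings.append((i, att, verdict))
    return findings


# Constructed sample mailbox, not real mail.
SAMPLE_MAIL = [
    {"subject": "ILOVEYOU", "attachments": ["LOVE-LETTER-FOR-YOU.txt.vbs"]},
    {"subject": "Q3 report", "attachments": ["report.pdf", "figures.tar.gz"]},
    {"subject": "installer", "attachments": ["setup.exe"]},
    {"subject": "holiday pics", "attachments": ["photo.jpg          .scr"]},
]

if __name__ == "__main__":
    for idx, att, verdict in triage(SAMPLE_MAIL):
        print(f"message {idx} ({SAMPLE_MAIL[idx]['subject']!r}): {att!r} -> {verdict}")
```

A gateway would quarantine every double-extension hit outright and hold plain executables for review; a Windows client with "hide extensions for known file types" enabled would show the first entry as a text file.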
SLIDE 37

Adware

  • Software that contains unwanted ads
SLIDE 38

Types of Ad Fraud

  • Pretend to be part of the ad chain and buy traffic, get paid.
  • Have bots, sell fake ad traffic
  • Disguise source of traffic to ads
  • Cookie stuffing — fake affiliate cookies
  • Ad Stacking — show invisible ads to consumer
SLIDE 39

Adblock Plus

  • Browser-based Ad blocker
  • Let in some “acceptable” ads
  • Is this adware? Fraud?
SLIDE 40

Fake Software

  • Stuffing ads into software
  • Maybe turning paid software into freeware?
  • Is this adware? fraud?
SLIDE 41

DNSChanger

  • Upon infecting your computer, changed your router’s nameserver settings.
  • Started in 2006. FBI raided in 2011. Shut down in 2012. Still alive today.
  • Main changes? Major ad networks
  • Is this adware? fraud?
SLIDE 42

My Really Cool Toolbar

  • Lots of toolbars, other browser extensions
  • Useful functionality
  • Changed settings (homepage, etc)
  • Hard to Remove
  • Is this adware? fraud?