Malware What is malware? Malware: malicious software worm - - PowerPoint PPT Presentation



SLIDE 1

Malware

SLIDE 2

What is malware?

  • Malware: malicious software
  • worm
  • ransomware
  • adware
  • virus
  • trojan horse
  • etc.
SLIDE 3

… and how do we fight it?

  • AV software
  • Firewalls
  • Filtering
  • Patching
  • Writing more secure software
  • Training users
SLIDE 4

How to Monetize Malware

  • Botnets
      • Networking infected computers together
      • Sending instructions to those computers to do things like:
          • Send spam
          • Mine cryptocurrency
          • Perform ad fraud
          • Perform DDoS attacks
  • Stealing banking credentials
  • Stealing Bitcoin and other alternative currencies
  • Ransoming the computer
  • Pay per install software
SLIDE 5

How malware spreads

  • Attachments in emails
  • Other social engineering
  • Drive-by downloads
  • Spreading itself
SLIDE 6

Vulnerabilities vs. Exploits

  • Vulnerability: hole in software
  • Exploit: code written to use a vulnerability to gain unauthorized access to something
  • There are far more known vulnerabilities than known exploits.
  • https://www.exploit-db.com/ vs. https://nvd.nist.gov/
SLIDE 7

Zero Day Attacks

  • Realized exploit comes before known vulnerability
  • Fairly rare
  • Zero days are expensive — 1.5 million USD for Apple iOS 10 exploit
  • Overwhelmingly, exploits in the wild are not 0day.
SLIDE 8

Morris Worm

  • Created in 1988 by Robert Morris
  • Purportedly to measure the Internet
  • Infected 10% of computers connected to the Internet
  • Slowed down computers to where they became unusable.

SLIDE 9

Morris Worm

  • Exploited Unix systems through:
      • sendmail
      • finger
      • rsh
      • weak passwords
  • Note that the vulnerabilities that he exploited were known.
  • Buggy: installed itself multiple times, didn’t phone home, etc.
SLIDE 10

Effects of Morris Worm

  • CERT organizations worldwide
      • CERT-CC at CMU funded by the US gov
  • Patching known vulnerabilities
  • More attention to computer security
SLIDE 11

Conficker

  • Computer worm first appearing in November 2008
  • Sinkholed in 2009
      • Good guys registered domain names used for attacks
  • Operators arrested in 2011
  • Still infecting computers today
  • Millions of infections — hard to count.
SLIDE 12

Conficker — how it spreads

  • Conficker-A: Vulnerability in Windows. Infected machines scanned IP space for more machines.
  • Conficker-B: Added infected USB devices, shared network folders with weak passwords.
  • Conficker-C: Hardened new command and control infrastructure and added fake AV as a monetization.
  • Conficker D-E: Turned from centralized botnet to peer-to-peer
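The Conficker-A behaviour above (an infected machine sweeping IP space for more victims) is something a defender can spot in flow records without any signature. The following is an added example, not from the slides: the flow records, IP addresses, and thresholds are all constructed for illustration, and the idea is simply that a sweeping host touches many distinct addresses on TCP/445 in a short time while almost none of them answer.

```python
from collections import defaultdict

# Constructed flow records (not real telemetry): (time_s, src_ip, dst_ip, dst_port, answered).
# 10.0.0.5 and 10.0.0.7 are ordinary clients talking to file servers; the hypothetical
# infected host 10.0.0.9 walks 10.0.1.0/24 on TCP/445 and almost nothing answers.
FLOWS = [(t, "10.0.0.5", "10.0.0.1", 445, True) for t in range(0, 60, 5)]
FLOWS += [(3, "10.0.0.7", "10.0.0.1", 445, True), (4, "10.0.0.7", "10.0.0.2", 445, True)]
FLOWS += [(t, "10.0.0.9", f"10.0.1.{t + 1}", 445, t % 25 == 0) for t in range(40)]


def find_scanners(flows, port=445, window=10, min_targets=10, max_answer_ratio=0.2):
    """Return source IPs that, within any `window`-second span, contacted at least
    `min_targets` distinct hosts on `port` while at most `max_answer_ratio` of
    those attempts were answered (a real file server answers; a random address
    hit during a sweep usually does not)."""
    by_src = defaultdict(list)
    for t, src, dst, dport, answered in flows:
        if dport == port:
            by_src[src].append((t, dst, answered))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            targets = {dst for _, dst, _ in in_window}
            if len(targets) < min_targets:
                continue
            answered = sum(1 for _, _, a in in_window if a)
            if answered / len(in_window) <= max_answer_ratio:
                scanners.add(src)
                break
    return sorted(scanners)


if __name__ == "__main__":
    print("hosts showing worm-like SMB sweeps:", find_scanners(FLOWS))
```

The answer-ratio check is what keeps a busy but legitimate client (many real servers, all of which respond) from being flagged alongside a sweep.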

SLIDE 13

Conficker Infections over Time

SLIDE 14

Reaction to Conficker

  • Patch released before worm, yet patch rate was slow.
  • Large scale anti-botnet effort
  • Microsoft added security updates for unlicensed software
  • Conficker botnet shrank at a slower pace than the market share of Windows XP / Vista

SLIDE 15

Stuxnet

  • Worm first known about in 2010, detected as early as 2005
  • Built by the US and Israeli governments to attack Iranian nuclear program
  • Targets PLCs through Windows computers
  • Infected over 200,000 Windows machines
SLIDE 16

Stuxnet - how it spreads

  • Use zero day exploits to compromise Windows machines
  • Spread using USB drives, peer-to-peer RPC
  • Bridges computers connected to the Internet with those that aren’t
  • Attacks files connected to certain SCADA software
  • Hijacks communication
SLIDE 17

Reaction to Stuxnet

  • Cyberwarfare IRL
  • Car bomb attacks against Iranians by Iranian government
  • Some efforts to isolate important PLCs better:
  • Similar effort against North Korea failed
  • Duqu/Flame
SLIDE 18

Drive by downloads

  • Website infected with malware
  • Malware injects code into webpage
  • That code infects those who visit it by directing them to an exploit kit through an intermediary
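The injected code that sends visitors to the intermediary usually takes the form of an iframe or script the site owner never put there, often sized to zero or hidden by CSS so visitors see nothing. The scanner below is an added example, not from the slides: it walks a page's HTML and flags iframes and scripts that are hidden or that load from a host outside the site's own allowlist. The pages, the `shop.example` allowlist entry and the `intermediary.example` host are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedContentScanner(HTMLParser):
    """Collect <iframe>/<script> tags that are hidden from the visitor or that
    load from a host outside the site's own allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []  # (line_no, tag, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative/inline sources
        reasons = []
        if host and host not in self.allowed_hosts:
            reasons.append(f"off-site src {host}")
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (a.get("width", "").rstrip("px") == "0" or a.get("height", "").rstrip("px") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                reasons.append("hidden iframe")
        if reasons:
            self.findings.append((self.getpos()[0], tag, src, reasons))


def scan_page(html, allowed_hosts):
    """Return every suspicious iframe/script in `html` (empty list if clean)."""
    scanner = InjectedContentScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed pages: the site's own script is fine; the appended zero-size,
# display:none iframe pointing at a placeholder intermediary host is the
# footprint a drive-by injection leaves behind.
CLEAN_PAGE = """<html><body><h1>Shop</h1>
<script src="https://shop.example/js/app.js"></script>
</body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://intermediary.example/r.php" width="0" height="0" '
    'style="display:none"></iframe></body>')
```

Run periodically against a site's own served pages (or a stored copy), a diff of the findings list is a cheap way to notice an injection before visitors do.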

SLIDE 19

How are websites targeted?

  • Find an exploit in a certain piece of software
  • Use Google Dorks to find websites with that vulnerability
  • Compromised advertising
  • Other ways?
SLIDE 20

Exploit Kits

  • Each machine has different software on it
  • Uses a host of exploits to infect a machine
  • Exploit kits can be bought or rented
SLIDE 21

Fake Antivirus

  • Installs itself on your machine and forces you to buy software
  • Many people buy this software
  • Largely shut down by shutting down payment processors

SLIDE 22

Ransomware

  • Encrypts all your files using a key:
      • Old: same key for all
      • New: different key for each system
  • Requires victim to pay criminal to get files back:
      • Old: Payments through Western Union and the like
      • New: Payments through Bitcoin
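Whatever the key scheme, "encrypts all your files" leaves a signature on the host: one process rewriting many files in a short time with content that looks like random bytes. The detector below is an added example, not from the slides. The file-write events, the process names (`editor.exe`, `archiver.exe`, `unknown.exe`) and the thresholds are constructed; ciphertext-like content is simulated with seeded random bytes.

```python
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed bytes, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_mass_encryptors(events, window=30, min_files=10, min_entropy=7.0):
    """Return processes that wrote high-entropy content to at least `min_files`
    distinct paths within any `window`-second span. A single archive written by
    a compression tool is high-entropy too, so the file count is what separates
    it from a process rewriting a whole directory tree."""
    by_proc = defaultdict(list)
    for t, proc, path, sample in events:
        if shannon_entropy(sample) >= min_entropy:
            by_proc[proc].append((t, path))
    flagged = []
    for proc, writes in by_proc.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            paths = {p for t, p in writes[i:] if t - t0 <= window}
            if len(paths) >= min_files:
                flagged.append(proc)
                break
    return sorted(flagged)


# Constructed file-write events (not real telemetry): (time_s, process, path, first_bytes).
TEXT = b"Quarterly report: revenue up 4%, headcount flat, see appendix A.\n" * 16
EVENTS = [(t, "editor.exe", f"C:/docs/memo{t}.txt", TEXT) for t in range(3)]
EVENTS += [(5, "archiver.exe", "C:/backup/docs.zip", random.Random(99).randbytes(2048))]
EVENTS += [(10 + t, "unknown.exe", f"C:/docs/file{t}.docx.locked",
            random.Random(t).randbytes(2048)) for t in range(12)]

if __name__ == "__main__":
    print("processes behaving like ransomware:", find_mass_encryptors(EVENTS))
```

Lowering `min_files` to 1 shows the false-positive edge: the archiver's single zip file is then flagged alongside the real offender, which is why the count threshold matters.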