In 2009, I created a presentation on malware that was aimed at the financial services sector. The presentation was based on a pre-drawn whiteboard, and as the presentation continued the attacks were drawn in red. Deemed successful, it was extended into a webinar, but due to the complexities of lining up a whiteboard at meeting facilities and the time required to pre-draw the board it was later replaced with several slide-based presentations.
The graphic used as a base in the webinar is below. Below that are notes for the presentation itself.
- Past: kids for exploration and bragging.
- Today: criminals to make money
- Past: could just run cleanup tools
- Today: far more stealthy, as long term infections make more money
Criminals working together.
- Networks of affiliates, not bound by country
- Russian name for this: Partnerka
- Pay per click, pay per install multi-level marketing schemes
- Malware is brokwn up into parts now, with different groups contributing different “modules”
- For example, one pharmacy scam can net $16k per day
- Referal fees alone can net $180k per year
Price chart (trendLabs)
- Payout for each unique adware installation – 30 cents
- Basic Malware package – $1,000 to $2,000
- Exploit kit rental – 1 hour $1
- Exploit kit rental – 5 hours $4 (Buy in bulk and save)
- Distributed Denial of Service attack $100 per day
- 10,000 compromised PCs $1,000
- Stolen bank account credentials – $50+
- 1 million freshly-harvested emails – $8 up, depending on quality
- Lots of analysis to group malware into families
- This is useless, who cares if it’s a virus or a worm, what matters is how much damage was done
- Enter vector analysis
Vector: Web – Lazy
- Put up own website
- Same problems with driving traffic as regular sites
- Need to leverage SEO
- Sometimes need a hook (often paired with Email)
- IBM reports that malicious links increased five-fold in 2009
- Play on fears
- Resemble anti-malware sites, use colours and shields and everything
- Looks like a scan, but they infect you… and make you pay for the privilege
- Fifteen new sites discovered daily
- Uses SEO, don’t trust search links
Vector: Web – Moderate
- Target a social networking site
- It already gets the traffic
- Users have to be able to upload content
- Facebook Games
- Attackers post content and try to get people to DL it
- Then, when people view it, it runs and posts it for more to see
- Content is viewed as “safe” when it’s not
- Infect an ad server and get your malware on lots of high-trust sites
- Got New York Times and Van Morrison last year
- URL Shorteners
- (Choose one that cares. Bit.ly has worked with leading anti-malware providers to make it as safe as it can be.)
Vector: Web – Difficult
- Take over popular website
- Most are well protected, but if it can be done, the value for the attacker is high
- They can then load it up with malware and take over all site visitors
Payload: General: SQL Injection internet-wide attack (backend databases)
- Thousands of government sites, fortune 500 companies and schools infected in early 2008
- Sometimes, specific sites targeted, as in April: Paul McCartney
- 7Safe reports that 40% of all web attacks involve SQLi
- The more interesting you are, the more of a target you are.
- Embassies are targeted, to leverage attacks up to high-profile people
- Anyone can send to anyone from anywhere
- Trusted relationships can be abused via forgery
- Also can utilize a popularity wave
- natural disasters and celebrity deaths (Haiti)
- Elections (Obama)
- Paranoia (Birthers)
- FBI and IRS do not send emails
- Package delays are not sent out (UPS, FedEx and DHL), instead a customer will call
- There are no Internet lotteries
Vector: Webmail / IM / Web Forums
- These can be spammed
- Attackers trafficing in usernames and passwords
- If someone asks you to “retweet”, ponder why
Vector, Payload: FTP / Gumblar
- Take over developer’s workstation
- Track FTP info and login in legitmately
- No way for provider to protect, as all connections look legitimate!
- CD, DVD, BluRay, Floppy, media cards, USB
- Compromised from the factory: Digital Photo Frames
- Keyboard keylogger
- Take over a system through the avenues into it
- Cell Phones and MP3 players are risks
- iPhone viruses have been seen now.
- First, just a joke
- Later, the same joke that was leveraged to do something else
- Increased focus on narrow and specific targets
- HTML5 and Google Chrome OS blur the lines between on and offline
- Increase of targetted attacks (happening now, but under reported)
- Mac OSX currently at risk, and will grow
- Mobile device risks will grow
- iPhone and Blackberry being exploited NOW
Just Break In
- Microsoft, Adobe, Quicktime, etc
- Firewalls help, but if anything is running, it needs to be patched.
Impact: Data Theft
- What can malware do? Anything.
- It can grab passwords
- search disk for sensitive data and send it offsite
- Steal user names, passwords, account numbers, credit card numbers (ID Theft)
- 2009 Verizon report found that 93% of data breaches were in financial services and 90% of those were linked to organized crime
- Espionage – Google / China (details still coming in)
- track access to bank accounts and steal money (Names: SilentBanker / URLZone / ZEUS)
- Blocks logout and does a transfer
- Tracks transfer and hides it’s own activity!
- Is aware of transaction limits and stays below threshholds
- Leverages existing confirmation technology, so 2 factor doesn’t provide protection!
- Money mules
Impact: Take Orders
- Botnet: Ghostnet – over 1000 machines in 103 countries, belonging to government, aid workers and activists
- Botnet: Unnamed – Wire Transfer email infects and starts collecting information entered into web forms, websites visited and directories accessed
- Botnet: Koobface – Registers accounts on social networking sites: Facebook/Myspace/Bebo/Tagged/Friendster/Twitter/Gmail, friends people, sends them malware
- Botnet: Many others – Send Spam
- Since it’s free to use other resources, ANY acceptance keeps it going
What can be done?
- Basic server and network hardening: firewall, disable unneeded apps, layers of defense
- Complete endpoint solution
- Signature-based still needed, but due to polymorphism, won’t take care of it all
- Behavior-based profiling, formerly “heuristics”
- Look for pre-executation, not simultanous execution (race condition)
- Endpoint Firewall – internal pivot protection
- Application Control / Whitelisting – For those who can’t avoid granting admin privs
- Zero Day Protection (define, look at independent tests)
- Encryption – protect against casual data theft, not perfect, but does add a layer
- NAC – connect with network infrastructure. Still difficult to implement. Look into your infrastructure
- DLP – Look at the data and prevent it from crossing boundaries. Right now, it’s a nice to have.
- Reporting – If you’re regulated, reporting is important.
- Lightweight, Frequent Updates – fast updates are essential as new threats emerge all the time.
- Time Tested – Some new players that are promising, but also a long history of new players that don’t make it.
- If you’re in a business, it may be better to play it safe… at least until you know the company is stable.
- Keep the scareware threat in mind and research carefully
- Company Operations – For security software, look at support and responsiveness. If they offer to save you money by reducing service levels, be very careful.
- Home Use – These days, home users connect in all the time. You must protect against this somehow.
- Mobile Use – As time goes by, mobile devices become just as important as home use. Be prepared.
- Multiplatform and Legacy – It’s best to protect any legacy systems you have. Ideally, this wouldn’t require secondary systems.
- If you have money, you’re a target.
- No solution is perfect
- Make sure you lock things down as tight as you can
- Supplement with antimalware
- Plan for failure
- Fix your apps!