UCR
Know thy enemy: what do attackers want?
Slide credits: some slides adapted from Lorenzo Cavallaro and others
Slide 2
Plan for this class
- This is a digression for us, but a useful one I hope
- Looking up; the rest of the quarter will be looking down
- Learn a bit about what it is that attackers want and the cost of cybercrime
- Malware and its economy:
  - Mobile malware paper: what is happening in the mobile space?
  - Torpig paper: a botnet from the inside
  - Pay-per-install paper: insight into the malware ecosystem
  - Pay-per-exploit: yet another model
- Cost of cybersecurity: what is the cost to us?
- Shadow communication networks
Slide 3
Malware: some terminology
- Malware: unwanted software that is used to perform unauthorized, usually harmful, actions on a computing device.
- Different types: viruses, worms, trojans, rootkits, botnets, ...
Slide 4
Malware types (figure only)
Slide 5
Mobile Malware in the Wild
Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steven Hanna and David Wagner, UC Berkeley
SPSM 2011
Slide 6
Objectives of paper
- Understand motives of mobile malware in the wild
- Context:
  - Study spans 2009 to 2011
  - Smartphone market transitioning from being Nokia/Symbian dominated to having today's mix, with Android and iOS replacing Symbian
  - For-profit malware starting to appear
Slide 7
Introduction
- Mobile malware is fairly recent
  - July 2004: Cabir virus came out on Symbian
  - August 2010: Fake Player on Android
  - July 2012: Find and Call on iOS
- Evolving rapidly: amusement, credential theft, SMS spam, ransomware
Slide 8
Threat model
- Three types of threats: malware, personal spyware, grayware
- Security measures: markets, permissions
- Root exploits and jailbreaking
  - Root exploits developed for users to bypass manufacturer limitations
  - But used by both users and adversaries
  - Can bypass defenses
Slide 9
Asides
- Sensitive personal information on the mobile device: email, contacts, passwords
Slide 10
Background: Application Markets
- Apple App Store
  - All applications are reviewed by Apple
  - iOS devices can only obtain apps through here, unless jailbroken
- Google Play (Android Market)
  - Some applications may be reviewed
  - Does not restrict installing apps from other markets
- Symbian Ovi
  - Security automatically reviewed by a program
  - Risky applications are reviewed by a human
  - Can install apps from other markets
Slide 11
Methodology
- Analyzed information about 46 malware samples that spread between Jan. 2009 and June 2011
  - 4 iOS, 24 Symbian, 18 Android
- Information from antivirus companies and news sources
- Omitted spyware and grayware
Slide 12
Results (figure only)
Slide 13
Novelty and Amusement
- Minor damage: changing wallpapers, sending annoying SMS
- A preliminary type of malware
- Expected to decrease in number
Slide 14
Selling User Information
- Personal information obtained via API calls: location, contacts, history, IMEI
- Information can be sold for advertisement: $1.90 to $9.50 per user per month
- IMEI information can be used to spoof blacklisted phones
Slide 15
Stealing User Credentials
- Malware can intercept SMS to circumvent two-factor authentication
  - Done in conjunction with phishing on desktops
- Keylogging and scanning documents for passwords
  - Application sandboxing prevents most of these
Slide 16
Premium-Rate Calls and SMS
- Premium-rate calls and SMS directly benefit adversaries: a few dollars per minute or per SMS
- 24 of the 46 malware samples send these
  - Mostly on Android and Symbian
  - iOS avoids this by always showing a confirmation for outgoing SMS messages
Slide 17
SMS Spam
- Distributing the spam origin makes blocking harder
- Less noticeable when the victim has unlimited SMS
- Phone numbers are more reliable than email
- Can be prevented by enforcing that SMS be sent from a designated confirmation window
Slide 18
Search Engine Optimization (SEO)
- Clicks on a certain link on a search query to increase visibility
- Phishing websites use this technique, along with desktop malware
- Can be prevented by affixing an application-unique tag to the HTTP request
  - Privacy concerns?
Slide 19
Ransomware
- Kenzero: Japanese virus included in pornographic games distributed on the P2P network
  - Asked for name, address and company name for registration of the software
  - Asked 5800 Yen (~$60) to delete the information from a website
  - About 661 out of 5510 infections actually paid (12%)
- Not many ransom malware samples on mobile yet.
Slide 20
Possible Future Malware Types
- Advertising click fraud
- Invasive advertising (AirPush)
- In-application billing fraud
- Government spying
- Email spam
- DDoS
- NFC and credit cards
Slide 21
Malware detection
- Permissions: number of permissions asked for, common permissions, sets of permissions
- Application review
  - Apple iOS rarely lists malware (but it does happen: Find and Call)
  - Symbian: 5 out of 24 pieces of malware were signed (2 phish for user IMEIs before the attack to avoid detection)
Slide 22
Malware detection: Android permissions
- 8 out of 11 malware samples request to send SMS (73%); only 4% of non-malicious apps ask for this
- READ_PHONE_STATE is used by 8/11 malware samples; only 33% of non-malicious apps
- Malware asks on average for 6.18 dangerous permissions, vs. 3.46 for non-malicious apps
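Added worked example (not from the slides or the paper): a small permission-based triage pass that turns the three signals on slide 22 into a check over an app's manifest. The manifests, the "dangerous" permission subset and the review rule (closer to the malware average than to the benign one, plus the two named permissions) are constructed for illustration; the percentages and averages are the ones stated above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed subset of permissions Android classifies as "dangerous"; not exhaustive.
DANGEROUS: Set[str] = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG", "android.permission.CAMERA",
}
# Averages reported on the slide: 6.18 dangerous permissions for malware, 3.46 for benign apps.
MALWARE_AVG, BENIGN_AVG = 6.18, 3.46
MIDPOINT = (MALWARE_AVG + BENIGN_AVG) / 2   # 4.82: nearest-mean decision boundary (constructed rule)

# Constructed manifests standing in for an unpacked APK's AndroidManifest.xml.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspicious">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Media Player"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Photo Filters"/>
</manifest>"""


def permissions_from_manifest(xml_text: str) -> Set[str]:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(xml_text)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return perms


def triage(perms: Set[str]) -> Dict:
    """Apply the slide's three signals; flag for human review when two or more fire."""
    dangerous = perms & DANGEROUS
    signals = []
    if "android.permission.SEND_SMS" in perms:
        signals.append("SEND_SMS requested (73% of malware vs 4% of benign apps)")
    if "android.permission.READ_PHONE_STATE" in perms:
        signals.append("READ_PHONE_STATE requested (IMEI access; 8/11 malware samples)")
    if len(dangerous) > MIDPOINT:
        signals.append(f"{len(dangerous)} dangerous permissions, above the {MIDPOINT:.2f} boundary")
    return {
        "dangerous": sorted(dangerous),
        "dangerous_count": len(dangerous),
        "signals": signals,
        "review": len(signals) >= 2,
    }


def review_needed(xml_text: str) -> bool:
    return triage(permissions_from_manifest(xml_text))["review"]


if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(permissions_from_manifest(m)))
```

The rule is deliberately coarse: it is a triage filter that decides which apps a human reviewer looks at first, which is where the slide's data says permission sets help most.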
Slide 23
Root Exploits
- Rooting allows a higher level of customization: installing from unofficial markets, system backups, tethering, uninstalling apps
- However, malware can take advantage of root commands to obtain permissions
Slide 24
Root Exploits
- Root exploits available for 74% of device lifetime
- Malware authors do not need to investigate them, but the community does
Slide 25
Conclusion
- Mobile malware rapidly grew in number
- Profitability is the current trend for malware
- Defense against mobile malware requires more research
- Human review is an effective method to prevent malware
- Rooting benefits both users and malware producers
Slide 26
TORPIG BOTNET TAKEOVER
Based on "Your Botnet is my Botnet: Analysis of a Botnet Takeover", Stone-Gross et al. (UCSB), CCS 2009
Slide 27
Bots and Botnets
- Bot: autonomous program performing tasks
- Benign bots
  - First bots appeared on IRC channels
  - Basically scripts that react to events and offer useful services
  - E.g., Eggdrop bot used to manage channels when the operator is away
- Malicious IRC bots
  - Takeover wars between channels
  - Spam/flooding/trash talking
  - Denial of service
  - IRC proxies to hide origin
Slide 28
Bots/Botnets today
- Malware (backdoor/trojan) running on compromised machines
- Remotely controlled by criminal entities who control networks of bots, called botnets
- Botnets have grown to be a main vehicle for carrying out cybercrime
  - Mostly for financial motivation
  - Different business models
Slide 29
Botnet creation
- Network worm: using exploits such as those we covered last class
- Email attachments
- Trojan version of a program (repackaged app, etc.)
- Drive-by-download from a malicious or compromised site: also using exploits such as those we covered last class
- Existing backdoor from a previous infection
- Often bought as a service (pay per install / exploit as a service)
Slide 30
(image only)
Slide 31
Botnet infections (figure only)
Slide 32
Torpig uses Mebroot
- Rootkit distributed by the Neosploit exploit kit
- Spread via drive-by-downloads: a hidden iframe on a website executes obfuscated JavaScript to download Mebroot on the victim's machine
- Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)
- Easy to use tool, sold for $$$; Torpig one of their clients
Slide 33
Torpig Botnet (figure only)
Slide 34
Studying Botnets
- Passive analysis, e.g.:
  - Collected spam mails that were likely sent by bots
  - DNS queries or DNS blacklist queries
  - Analyzed network traffic (netflow data) at a tier-1 ISP
- Active approach: study botnets via infiltration. Using an actual malware sample or a client simulating a bot, researchers join a botnet to perform analysis from the inside. To achieve this, honeypots, honey clients, or spam traps are used to obtain a copy of a malware sample.
Slide 35
Monetization
- Uses a man-in-the-browser phishing attack to get sensitive information
- When you visit a domain in its configuration file (typically, a banking web site), Torpig issues a request to an injection server.
- The user visits the trigger page. At that time, Torpig requests the injection URL from the injection server and injects the returned content into the user's browser.
Slide 36
(image only)
Slide 37
Domain flux
- Botnet resilience: administrators could detect the botnet C&C server and block it
- Botnet authors use IP fast-flux techniques to avoid that: bots query a certain domain that is mapped onto a set of IP addresses, which change frequently.
- However, fast-flux uses only a single domain name, which constitutes a single point of failure: block it at the DNS level
- How do you think botnet developers reacted?
Slide 38
Domain flux
- Torpig uses a Domain Generation Algorithm (DGA) to change the domain name
- If a domain is blocked, the bot simply rolls over to the following domain in the list.
- Using the generated domain name dw, a bot appends a number of TLDs: in order, dw.com, dw.net, and dw.biz. If none is available, it switches to a daily name (changes every day)
- Modern botnets like Conficker generate 50,000 domains per day and introduce non-determinism in their generation algorithm.
Slide 39
Taking control of the Botnet
- Reverse engineered the Domain Generation Algorithm
- Registered the .com and .net domains that were to be used by the botnet for three consecutive weeks, from January 25th, 2009 to February 15th, 2009.
- However, on February 4th, 2009, the Mebroot controllers distributed a new Torpig binary that updated the domain algorithm.
- Controlled the botnet for 10 days and collected over 8.7GB of Apache log files and 69GB of pcap data.
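Added worked example (not from the slides or the Torpig paper) of the rollover and sinkholing mechanics on slides 38 and 39: a bot walks a weekly name over .com, .net, .biz and then a daily name, and a defender who knows the generator pre-registers the weekly .com/.net names for a chosen window so the bot's first successful lookup lands on the sinkhole. The generator here is a constructed stand-in (a hash of a week counter), not Torpig's real DGA; weeks are bucketed by ordinal day, Sunday to Saturday, so the January 25 to February 15, 2009 window covers exactly three buckets.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

TLDS = ["com", "net", "biz"]   # rollover order stated on slide 38
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _label(seed: str, length: int = 8) -> str:
    """Constructed stand-in generator: a fixed-length label derived from a hash of the seed."""
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(ALPHABET[b % 26] for b in digest[:length])


def weekly_name(day: date) -> str:
    # ordinal // 7 buckets days into Sunday-to-Saturday weeks; one name per bucket (dw on the slide).
    return _label(f"week-{day.toordinal() // 7}")


def daily_name(day: date) -> str:
    # Fallback name that changes every day.
    return _label(f"day-{day.isoformat()}")


def candidates(day: date) -> List[str]:
    """Domains a bot tries on `day`, in order: weekly name under each TLD, then the daily name."""
    dw, dd = weekly_name(day), daily_name(day)
    return [f"{dw}.{tld}" for tld in TLDS] + [f"{dd}.{tld}" for tld in TLDS]


def sinkhole_registrations(start: date, weeks: int) -> Set[str]:
    """What the defender pre-registers: the weekly .com and .net names for `weeks` consecutive weeks."""
    regs: Set[str] = set()
    for w in range(weeks):
        dw = weekly_name(start + timedelta(weeks=w))
        regs.update({f"{dw}.com", f"{dw}.net"})
    return regs


def resolve(day: date, registered: Set[str]) -> Optional[str]:
    """Emulate the bot's rollover: the first candidate that resolves (here: is registered) wins."""
    for dom in candidates(day):
        if dom in registered:
            return dom
    return None


if __name__ == "__main__":
    regs = sinkhole_registrations(date(2009, 1, 25), 3)
    for d in (date(2009, 1, 28), date(2009, 2, 14), date(2009, 2, 15)):
        print(d, "->", resolve(d, regs))   # the last date falls outside the window and resolves to None
```

The ordering matters for the defender: because the bot stops at the first name that resolves, holding the .com of the current week is enough to capture every bot that week, and the .biz and daily fallbacks never come into play. It also shows why the takeover ended the way slide 39 describes: once the controllers pushed a binary with a different generator, the pre-registered names no longer appeared in any bot's candidate list.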
Slide 40
Is this ethical? Protecting Victims
- PRINCIPLE 1. The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.
- PRINCIPLE 2. The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.
Slide 41
Botnet analysis
- ~180,000 active bots
- The submission header and the body are encrypted using the Torpig encryption algorithm.
Slide 42
Botnet analysis (cont.) (figure only)
Slide 43
Botnet size vs. IP count (cont.) (figure only)
Slide 44
New infections (figure only)
Slide 45
New infections (cont.) (figure only)
Slide 46
Threats and data analysis (figure only)
Slide 47
Threats and data analysis (cont.) (figure only)
Slide 48
Threats and data analysis (cont.)
- Symantec indicated ranges of prices for common goods and, in particular, priced credit cards between $0.10 and $25 and bank accounts from $10 to $1,000.
- If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83K and $8.3M.
Slide 49
Threats and data analysis (cont.) (figure only)
Slide 50
Threats and data analysis (cont.)
- 173,686 unique passwords recorded, 40% cracked in less than 75 minutes
- 28% of users exhibited password reuse
Slide 51
Conclusion
- A comprehensive analysis of the operations of the Torpig botnet.
- Interesting takeover by reverse engineering the DGA
- Big financial opportunity: up to 83mil
- IPs grossly overestimate botnet size.
- Victims of botnets are often users with poorly maintained machines and easily guessable passwords
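Added worked example (not from the slides or the paper) for the "IPs grossly overestimate botnet size" point on slides 43 and 51: given sinkhole submissions that carry a per-bot identifier, count bots by identifier and by source address and see how DHCP churn (one bot, many addresses) inflates the IP count while NAT (many bots, one address) deflates it. The records are constructed; a real Torpig submission carries its bot id inside the encrypted header mentioned on slide 41, which is not modelled here.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sinkhole submissions: (day, bot_id, source_ip).
RECORDS: List[Tuple[str, str, str]] = [
    ("2009-01-26", "bot-a", "10.0.0.5"),
    ("2009-01-27", "bot-a", "10.0.0.9"),       # same bot, new DHCP lease
    ("2009-01-28", "bot-a", "10.0.0.17"),      # and another
    ("2009-01-26", "bot-b", "198.51.100.7"),   # bot-b and bot-c sit behind one NAT address
    ("2009-01-26", "bot-c", "198.51.100.7"),
    ("2009-01-27", "bot-c", "198.51.100.7"),
    ("2009-01-28", "bot-d", "203.0.113.4"),
]


def size_estimates(records: List[Tuple[str, str, str]]) -> Dict[str, float]:
    """Whole-window size by unique address versus by unique bot identifier."""
    ips = {ip for _, _, ip in records}
    bots = {bot for _, bot, _ in records}
    return {
        "unique_ips": len(ips),
        "unique_bots": len(bots),
        "ip_over_bot_ratio": round(len(ips) / len(bots), 2),
    }


def ips_per_bot(records: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """How many distinct addresses each bot was seen from (address churn)."""
    seen = defaultdict(set)
    for _, bot, ip in records:
        seen[bot].add(ip)
    return {bot: len(addrs) for bot, addrs in seen.items()}


def bots_per_ip(records: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """How many distinct bots share each address (NAT)."""
    seen = defaultdict(set)
    for _, bot, ip in records:
        seen[ip].add(bot)
    return {ip: len(bots) for ip, bots in seen.items()}


def daily_active(records: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Bots seen per day, counted by identifier; the usual basis for an 'active bots' figure."""
    per_day = defaultdict(set)
    for day, bot, _ in records:
        per_day[day].add(bot)
    return {day: len(bots) for day, bots in sorted(per_day.items())}


if __name__ == "__main__":
    print(size_estimates(RECORDS))
    print(ips_per_bot(RECORDS))
    print(bots_per_ip(RECORDS))
    print(daily_active(RECORDS))
```

Even this tiny sample shows the two effects pulling in opposite directions; over a ten-day window with consumer DHCP leases the churn term dominates, which is why an address-based count lands well above the identifier-based one.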
Slide 52
Next, let's look at PPI
- Modern botnets monetize by selling installs
- They also buy machines from affiliates
- Affiliates have their own markets also to get machines
  - Buy exploits or exploit kits
  - Buy traffic generation services
  - Etc.
- Talk from USENIX 2011
Slide 53
Exploit as a Service (EaaS)
- Another business model
  - PPI decoupled malware distribution from monetization
  - EaaS decouples the exploit from distribution and monetization
- Relies on drive-by-download: exploit kits used to attack browsers
- The criminal either buys an exploit kit or rents pre-configured exploit servers
Slide 54
EaaS
- Led to further segmentation: traffic providers, exploit providers