Malicious Software Lecture Notes

Published: June 23, 2013
Malicious Software and its Underground Economy
Two Sides to Every Story

Introduction
Lorenzo Cavallaro
Information Security Group Royal Holloway, University of London

Jun 17, 2013—Week 1-1

(Week 1-1) Lorenzo Cavallaro (ISG@RHUL)

Malware and its Underground Economy

Jun 17, 2013—Week 1-1

1 / 12

Should we care?
(Let me tell you a story...)

The Botnet Threat

A network of compromised machines (bots) controlled by a bot master. Responsible for (non-exhaustive list):
  • Large-scale network probing (i.e., scanning activities)
  • Launching Distributed Denial of Service (DDoS) attacks
  • Sending large-scale unsolicited email (SPAM)
  • Click-fraud campaigns
  • Information theft
Shift from a for-fun activity towards a profit-oriented business.


The Torpig Botnet

Trojan horse
  • Distributed via the Mebroot "malware platform"
  • Injects itself into 29 different applications
  • Steals sensitive information (e.g., passwords, SSNs, credit card numbers)
  • HTTP injection for phishing
  • Uses "encrypted" HTTP as its Command & Control (C&C) protocol
  • Uses a resilient approach (domain flux) to locate its C&C server

Mebroot
  • Spreads via drive-by downloads
  • Sophisticated rootkit
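Domain flux is what makes the C&C rendezvous "resilient": instead of a fixed address, bots derive the name to contact from the current date, so taking down one domain does not cut them off. The flip side, and the basis of the sinkholing described later in these notes, is that anyone who recovers the generator can register the upcoming names before the bot master does. The following Python is an added illustration of that idea, not code from the lecture and not Torpig's actual generator (which these notes do not reproduce): the generator is an assumed toy (SHA-256 over a per-botnet seed and a date key), and the seed, TLD list and fallback name are assumptions.

```python
"""Toy domain-flux generator plus the defender's pre-registration list.
Added example; the generator is an assumption, not Torpig's own algorithm."""
import hashlib
from datetime import date, timedelta

SEED = b"example-botnet-seed"        # assumption: secret baked into the bot
TLDS = ["com", "net", "biz"]         # assumption: toy TLD rotation
FALLBACK = "hardcoded-example.org"   # assumption: last-resort hard-coded name


def dga(day: date, period: str, seed: bytes = SEED) -> str:
    """Domain a bot contacts on `day`.

    period == "weekly" yields one name per ISO week, "daily" one per day,
    mirroring a weekly/daily/fallback tier order (assumed here).
    """
    if period == "weekly":
        iso_year, iso_week, _ = day.isocalendar()
        key = f"w:{iso_year}:{iso_week}"
    elif period == "daily":
        key = f"d:{day.isoformat()}"
    else:
        raise ValueError(f"unknown period {period!r}")
    digest = hashlib.sha256(seed + key.encode()).digest()
    # eight lowercase letters from the digest, TLD chosen by the last byte
    label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
    return f"{label}.{TLDS[digest[-1] % len(TLDS)]}"


def bot_contact_order(day: date, seed: bytes = SEED) -> list[str]:
    """Order in which a bot tries names: weekly, then daily, then fallback."""
    return [dga(day, "weekly", seed), dga(day, "daily", seed), FALLBACK]


def domains_to_register(start: date, days: int, seed: bytes = SEED) -> list[str]:
    """Defender side: every generated name bots will try in the next `days`
    days, in first-use order and deduplicated (the weekly name repeats).
    The hard-coded fallback is excluded: it cannot be pre-registered."""
    seen: list[str] = []
    for i in range(days):
        for name in bot_contact_order(start + timedelta(days=i), seed)[:2]:
            if name not in seen:
                seen.append(name)
    return seen


if __name__ == "__main__":
    for name in domains_to_register(date(2009, 1, 19), 7):
        print(name)
```

Registering the output of domains_to_register ahead of time is exactly what lets a sinkhole receive the bots' traffic; note that the fallback name is the bot master's safety net, so a real takeover also needs the real generator, not just the observed domains.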


The Torpig Botnet

Figure: Torpig network infrastructure (diagram; the numbered steps and server labels below are what survives of it):
  (1) Victim client sends GET / to a vulnerable web server
  (2) The injected page redirects the victim to the Mebroot drive-by-download server (GET /?gnh5)
  (3) The victim downloads gnh5.exe (Mebroot)
  (4) Mebroot contacts the Mebroot C&C server
  (5) The Mebroot C&C server delivers the Torpig DLLs; the victim client becomes a bot
  (6) Torpig sends stolen data to the Torpig C&C server and receives its config
  (7) Torpig fetches phishing HTML from the injection server, at the URL given in the config


Data Collection Principles

Principle 1: the hijacked botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized Always responded with okn message Never sent new/blank configuration file

Principle 2: the sinkholed botnet should collect enough information to enable notification and remediation of affected parties Worked with law enforcement (FBI and DoD Cybercrime units) Worked with bank security officers Worked with ISPs
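The two principles pull in opposite directions: the sinkhole must answer every bot so that it keeps reporting, but must never push it a configuration, and it must keep enough of each report to notify the affected institution without hoarding plaintext secrets. The following Python handler, added here as an illustration and not the lecture's or the researchers' code, shows one way to honour both. The report format (form-encoded bot, type, host, user and pass fields), the reply byte string, and the PEPPER secret are assumptions; these notes describe Torpig's real protocol only as obfuscated HTTP. The sample reports at the end are constructed, not captured traffic.

```python
"""Sinkhole responder for a hijacked botnet, applying the two principles above.
Added example with an assumed report format; not Torpig's wire protocol."""
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs

OK_NO_CONFIG = b"okn"                  # the only reply the sinkhole ever sends
PEPPER = b"sinkhole-secret-example"    # assumption: secret kept off the data store


def parse_report(body: bytes):
    """Assumed report format: a form-encoded body such as
    b'bot=ID&type=pop&host=mail.example.com&user=alice&pass=hunter2'.
    Returns None for anything that lacks a required field."""
    fields = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
    required = ("bot", "type", "host", "user", "pass")
    if not all(k in fields for k in required):
        return None
    return fields


def minimize(rec: dict) -> dict:
    """Keep what notification needs (institution, username, bot id, data type),
    drop the plaintext password, and retain only a keyed fingerprint of it so
    reuse of one password across hosts can still be counted."""
    fp = hmac.new(PEPPER, rec["pass"].encode(), hashlib.sha256).hexdigest()[:16]
    return {"bot": rec["bot"], "type": rec["type"], "host": rec["host"],
            "user": rec["user"], "pw_fp": fp}


def handle_report(body: bytes, store: list) -> bytes:
    """Principle 1: whatever arrives, reply okn and never a configuration file
    (new or blank). Principle 2: record a minimized copy for notification."""
    rec = parse_report(body)
    if rec is not None:
        store.append(minimize(rec))
    return OK_NO_CONFIG


def notification_batches(store: list) -> dict:
    """Per-institution sorted lists of affected usernames, ready to hand to a
    bank security officer or ISP."""
    batches = defaultdict(set)
    for r in store:
        batches[r["host"]].add(r["user"])
    return {host: sorted(users) for host, users in batches.items()}


def reuse_count(store: list) -> int:
    """Number of (bot, password fingerprint) pairs seen at more than one host,
    i.e. victims reusing one password across services."""
    hosts = defaultdict(set)
    for r in store:
        hosts[(r["bot"], r["pw_fp"])].add(r["host"])
    return sum(1 for h in hosts.values() if len(h) > 1)


SAMPLE_REPORTS = [  # constructed sample input
    b"bot=b1&type=pop&host=mail.example.com&user=alice&pass=hunter2",
    b"bot=b1&type=http&host=bank.example.net&user=alice&pass=hunter2",
    b"bot=b2&type=ftp&host=ftp.example.org&user=bob&pass=s3cret",
    b"bot=b2&type=http&host=bank.example.net&user=bob&pass=letmein",
    b"bot=b2&type=http&host=shop.example.net&user=bob",   # malformed: no pass
]


def run_sample():
    """Feed the constructed reports through the handler; returns (replies, store)."""
    store: list = []
    replies = [handle_report(body, store) for body in SAMPLE_REPORTS]
    return replies, store


if __name__ == "__main__":
    replies, store = run_sample()
    print(replies, notification_batches(store), reuse_count(store))
```

The malformed report still gets okn: a sinkhole that replied differently to odd input would tell the bot master, or the bots, that something changed. The fingerprint is keyed rather than a plain hash so that the stored records alone do not allow offline guessing of the victims' passwords.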


Data Collection

Data Type          Data Items (#)
Mailbox account        54,090
Email               1,258,862
Form data          11,966,532
HTTP account          411,039
FTP account            12,307
POP account           415,206
SMTP account          100,472
Windows password    1,235,122

Figure: Data items sent to our C&C server by Torpig bots.


Data Collection (annotated)

Observations annotating the table above:
  • Weak passwords
  • Credential reuse
  • Enables more successful social engineering attacks


Threats
Theft of Financial Information

8,310 unique accounts from 410 financial institutions
  • Top 5: PayPal (1,770), Poste Italiane, Capital One, E*Trade, Chase
  • 38% of credentials stolen from browser password managers

1,660 credit cards
  • Most common: Visa (1,056), Mastercard, American Express, Maestro, Discover
  • US (49%), Italy (12%), Spain (8%)
  • Typically one credit card per victim, but there are exceptions


Value of the Financial Information
In a 2008 report on the underground economy, Symantec estimates the value of stolen credit card details at $0.10 to $25.00. Similarly, bank accounts...
