What it is, How it works, and Why it concerns us PowerPoint PPT Presentation

1
What it is, How it works, and Why it concerns us
  • Matt Pierce

2
Rogues Gallery
  • Virus
  • Worm
  • Trojan
  • Root-kit
  • Adware/Spyware
  • Backdoors
  • Keyloggers
  • Bot-nets

3
Rates of Infection
  • F-Secure
  • http://www.f-secure.com/en_EMEA/security/security-lab/latest-threats/security-threat-summaries/2008-4.html
  • Time Frame    Total Detections
    1987-2006     250,000
    2007          500,000
    2008          1,500,000
  • Kaspersky
  • http://www.viruslist.com/en/analysis?pubid=204792052
  • http://www.viruslist.com/en/analysis?pubid=204791987
  • Year    Total Detections
    2006    105,334
    2007    237,244
    2008    23,680,646

4
Why Write Malware
  • Money
  • Spam Delivery
  • Illicit Storage
  • Identity Theft
  • Product Development

5
Malware's Mission
  • Obtain Access
  • Increase Control
  • Maintain Control
  • Spread Control
  • Wait for Orders

6
How do we get infected?
  • User follows a link
  • User runs malware executable
  • Malware is embedded in a safe document, and the
    user opens it
  • Website delivers malware as a user browses by
  • Vulnerable network port receives hostile traffic

7
DLL Injection
  • DLL injection modifies a running process by
    forcing it to load a dynamic link library.
  • Often uses well known processes
  • svchost.exe
  • kernel32.exe
  • winlogon.exe
  • Runs with the Security Context of the Process

8
Process Hiding
  • This isn't the tool you're looking for.
  • Replace the user space tools
  • Well known commands then lie to the
    administrator
  • The Kernel Lies
  • A Kernel level rootkit has full access to
    memory.
  • The Kernel can tell user space tools what the
    attacker wants

9
Hidey-holes
  • Malware has many places to hide
  • File System
  • Alternative Data Streams
  • Recycling Bin
  • System Restore
  • Registry
  • Browser Plug-in
  • Prefetch Cache
  • The Internet

10
Persistence is a Virtue
  • Once running, malware's mission is to stay running
  • Malware often runs multiple tasks using diverse
    methods of infection
  • Running malware monitors key components of other
    malware tasks
  • Stop a component, remove a key, interfere in any
    way and the watchdog reinstalls lost components
  • EXE wrappers randomize file and process
    signatures to hide key components from
    anti-malware technologies

11
The Sneakernet Lives Again
  • Fun with Autorun
  • USB Drives are common
  • Users are used to easily moving Gigs of data
  • Infected Drives are carried right past expensive
    defenses
  • Internally infected assets then carry out further
    attacks
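Slide 11 turns on autorun.inf: a drive that carries one can name a program for Explorer to run when the drive is inserted or opened. The scanner below is an added defensive example, not part of the original presentation. It parses the [autorun] section, reports every key that launches code, and notes when the file also relabels that action with the text of Windows' own harmless "Open folder to view files" prompt. The two autorun.inf bodies are constructed for the example.

```python
"""Flag autorun.inf entries that would launch a program from removable media.

Added defensive example; the file bodies below are constructed for
illustration and are not from any real drive.
"""
import configparser
import re

# [autorun] keys that run a program when the drive is inserted or opened.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries replace what Explorer runs for a context-menu
# verb such as Open or Explore.
COMMAND_KEY = re.compile(r"^shell\\.+\\command$")
# Explorer's own label for the harmless default action; an autorun.inf that
# sets it while also launching a program is imitating the built-in prompt.
DEFAULT_ACTION_TEXT = "open folder to view files"

# Constructed samples: a photo stick, and a drive that launches a program.
BENIGN_INF = "[autorun]\nicon=photos.ico\nlabel=Holiday Photos\n"
SUSPECT_INF = (
    "[autorun]\n"
    "open=RECYCLER\\setup.exe\n"
    "shell\\open\\command=RECYCLER\\setup.exe\n"
    "shellexecute=RECYCLER\\setup.exe\n"
    "action=Open folder to view files\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
)


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased key -> value.

    Returns {} when there is no [autorun] section or the text is not INI.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return {key: (value or "").strip()
                    for key, value in parser.items(section)}
    return {}


def suspicious_entries(text):
    """Return (key, value) pairs from an autorun.inf that execute code.

    A benign autorun.inf only sets a label and an icon; anything that names
    a program to run deserves an analyst's attention.
    """
    entries = parse_autorun(text)
    return [(key, value) for key, value in entries.items()
            if value and (key in EXEC_KEYS or COMMAND_KEY.match(key))]


def mimics_default_prompt(text):
    """True when the file launches code but labels the action like
    Explorer's own 'Open folder to view files' choice."""
    entries = parse_autorun(text)
    action = entries.get("action", "").lower()
    return bool(suspicious_entries(text)) and action == DEFAULT_ACTION_TEXT


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_INF), ("suspect", SUSPECT_INF)):
        print(label, suspicious_entries(body), mimics_default_prompt(body))
```

Run it against the autorun.inf found on a drive before the drive is opened; on a host where autorun is already disabled by policy the check still tells you what the drive was trying to do.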

12
Boot Sector is Back
  • Traditional Boot Sector Attack
  • Master Boot Record is modified by malware
  • Malware loads into memory and then passes
    instructions to the real boot loader
  • Didn't we win this fight?
  • How better to get around anti-malware?

13
Interrupting Security Software
  • Who Watches the Watchers?
  • Malware prefers not to be interrupted
  • Firewalls cramp their style
  • Patch management really is inconvenient
  • Host Intrusion Detection is so Nosy

14
Redirection
  • Why attack your enemy when you can send him down
    a dark alley
  • HOST File modification
  • DNS/DHCP mini servers
  • Form Injection
  • Intercepts valid HTTP forms, adding additional
    data fields.
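The HOSTS-file modification on slide 14 (and the "interrupting security software" theme of slide 13) can be checked with a small audit. What follows is an added defensive example, not code from the presentation: it parses a hosts file and reports any entry for a public name that should only ever come from DNS, classifying a loopback or 0.0.0.0 mapping as a sinkhole (the usual way to cut off update servers) and any other address as a redirect. The hosts content and the watch list of domains are constructed for the example.

```python
"""Audit a hosts file for entries that redirect or sinkhole watched domains.

Added defensive example. The hosts content and the domain list are
constructed; a real deployment would load the names of the organisation's
banking, update and security-vendor hosts.
"""
import ipaddress

# Constructed watch list: public names that should only resolve via DNS.
WATCHED_DOMAINS = {
    "www.example-bank.com", "online.example-bank.com",
    "update.example-av.com", "download.example-av.com",
}

# Constructed hosts file: three legitimate lines and three planted ones.
SAMPLE_HOSTS = """
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.5     intranet.local      # private name, expected here
203.0.113.7     www.example-bank.com online.example-bank.com
127.0.0.1       update.example-av.com
0.0.0.0         download.example-av.com
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and bad lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in fields[1:]:
            yield addr, name.lower()


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (kind, hostname, address) for each watched name in the file.

    kind is "sinkhole" when the name points at loopback or 0.0.0.0,
    otherwise "redirect". A watched name should not appear at all.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name not in watched:
            continue
        sunk = addr.is_loopback or addr.is_unspecified
        findings.append(("sinkhole" if sunk else "redirect", name, str(addr)))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; reading it and passing the text to audit_hosts is the whole integration.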

15
Bot-net Update
  • All the cool OSs are doing it.
  • Bot-net authors are offering service contracts
  • Bot-nets evolve over time and scope
  • New features and entire rewrites are common

16
The search for more victims
  • Once you're established, they've got to accept you.
  • Network Drive Autorun
  • Ports 135, 139, 445, oh my
  • MS03-026
  • MS04-011
  • MS08-063
  • Brute force authentication attack

17
Hercules had all the fun
  • Fast Flux DNS
  • Infected Endpoints automatically register
    domains
  • Average infected URL lifetime is 4 hours
  • Command and Control passes often amongst
    infected hosts
  • Limits Blacklist efficiency
  • Peer 2 Peer technology enables mesh networking
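Slide 17 makes two claims that can be tested from resolver data: fast-flux domains rotate through many infected hosts with short TTLs, and a blacklist of addresses therefore goes stale almost immediately. The code below is an added defensive example and not part of the presentation. It summarises constructed passive-DNS observations per domain, applies an assumed heuristic (many distinct answers, spread over several networks, short TTL) to label a domain as fast-flux, and measures how many later answers a blocklist learned from the earlier ones would have caught. The /24 grouping stands in for an ASN lookup, which needs an external database.

```python
"""Spot fast-flux behaviour in passive-DNS observations.

Added defensive example. The observations and the thresholds are
constructed and assumed for illustration; tune them on real resolver logs.
"""
import ipaddress
from collections import defaultdict

# Constructed observations: (seconds since start, queried name, A record, TTL).
OBSERVATIONS = [
    (0,    "cdn.example.net",  "198.51.100.10",  3600),
    (1800, "cdn.example.net",  "198.51.100.11",  3600),
    (3600, "cdn.example.net",  "198.51.100.10",  3600),
    (0,    "flux.example.org", "192.0.2.15",     180),
    (200,  "flux.example.org", "198.51.100.77",  180),
    (400,  "flux.example.org", "203.0.113.201",  180),
    (600,  "flux.example.org", "192.0.2.99",     180),
    (800,  "flux.example.org", "203.0.113.8",    180),
    (1000, "flux.example.org", "198.51.100.140", 180),
]


def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) as a stand-in
    for 'different provider'; an ASN lookup would be the real measure."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarise(observations):
    """Per-domain distinct answers, distinct networks and TTLs seen."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _ts, domain, ip, ttl in observations:
        stats[domain]["ips"].add(ip)
        stats[domain]["nets"].add(network_of(ip))
        stats[domain]["ttls"].append(ttl)
    return stats


def is_fast_flux(domain_stats, min_ips=5, min_nets=3, max_ttl=300):
    """Assumed heuristic: many answers spread over several networks, with a
    TTL short enough that clients keep re-resolving to whichever bot is up."""
    ttls = sorted(domain_stats["ttls"])
    median_ttl = ttls[len(ttls) // 2]
    return (len(domain_stats["ips"]) >= min_ips
            and len(domain_stats["nets"]) >= min_nets
            and median_ttl <= max_ttl)


def classify(observations, **thresholds):
    """Map each observed domain to True (fast-flux) or False."""
    return {domain: is_fast_flux(s, **thresholds)
            for domain, s in summarise(observations).items()}


def blocklist_hit_rate(observations, domain, learned_until):
    """Fraction of answers after `learned_until` that an IP blocklist built
    from answers up to that time would catch; None if nothing came later."""
    known = {ip for ts, d, ip, _ in observations
             if d == domain and ts <= learned_until}
    later = [ip for ts, d, ip, _ in observations
             if d == domain and ts > learned_until]
    if not later:
        return None
    return sum(ip in known for ip in later) / len(later)


if __name__ == "__main__":
    print(classify(OBSERVATIONS))
    print(blocklist_hit_rate(OBSERVATIONS, "flux.example.org", 400))
    print(blocklist_hit_rate(OBSERVATIONS, "cdn.example.net", 1800))
```

The hit-rate function is the point of the exercise: for the constructed flux domain a blocklist learned from the first three answers catches none of the next three, while the static CDN name is fully covered, which is why the slide says fast flux limits blacklist efficiency and why blocking the domain name (or watching for the churn itself) works better than blocking addresses.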

18
Necessity puts us on the defensive
  • No one technology can protect our data
  • Defense in depth must be designed into our
    information systems
  • Timely patch management of applications and
    operating systems closes the holes
  • Restricted User rights limit OS exposure
  • Effectively monitored network environments watch
    for malicious outbound traffic
  • User Education is the key to limiting risky
    behaviors

19
Thank you