Malware Trends
Motivation
• Malware authors have migrated away from the cavalier mindset of hacking for bragging rights and now focus on:
  – Stealing Information
    • Corporate espionage
    • Cyber stalking
    • Nation-state actors
  – Stealing Money
    • Point-of-Sale server compromises
    • ACH fraud
    • Harvesting of banking credentials
Traditional Malware
• Fell into well-defined types:
  – Viruses
  – Worms
  – Trojan Horses
  – Backdoors
  – Rootkits
Today’s Threats: Blended
• Takes the traditional types of malware and combines them
  – Bots: Zeus, Spyeye, Cutwail
  – Ransomware: Cryptolocker, WannaCry, NotPetya
  – Adware
  – Spyware: Many commercial products still available
  – Exploit Kits: Blackhole, Rig, Sundown
  – DDoS: LOIC
  – Build-It-Yourself Kits: Today, kits are available that allow novice users to build and deploy malware in minutes
  – Mobile Malware
Threat Actor Motives over Time
Source: Verizon’s 2017 Data Breach Investigations Report, page 5
Evolution of Hacks
Source: Verizon’s 2017 Data Breach Investigations Report, page 7
Breach Discovery Methods over Time
Source: Verizon’s 2017 Data Breach Investigations Report, page 8
Point of Sale Compromises
• Criminals are still attacking POS servers to gather credit card data
• Many retailers do not follow the Payment Card Industry Data Security Standard (PCI DSS)
• Vendors are shipping servers with default admin credentials
• Malware many times scrapes RAM to cull credit card numbers
Point-of-Sale Malware
Aloha POS box came with $IPC and $Admin open
• a.exe (service on the victim machine): starts b.exe and c.exe
• b.exe: looks for PoS processes on the system; if a process is found, dumps its memory to disk
• c.exe: extracts CC information from the process memory; encodes and saves it to a file on disk
Point-of-Sale Malware
• a.exe: Start
• b.exe: Start; search for process “edcsvr.exe” (listens on ports 5003 and 6660); Spoolsv.chm: once found, dump the process memory space to disk
• c.exe: Grep for CC syntax to pull Track 1 and Track 2 information; encode and save the information
• XOR’d data with XOR key “memdump”; entries are delimited with “$$$” followed by 7 spaces
Point of Sale Malware
[Figure: hex dump of the malware’s output file, with the encoded data, the XOR key and the delimiter marked, alongside the decoded data]
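The two slides above give the encoding c.exe applies to scraped card data (repeating XOR with the key “memdump”, records separated by “$$$” and seven spaces). The following is an added example, not code from the slides, showing how an analyst can recover and triage such a dump; it assumes the delimiter is stored in the clear between encoded records, and uses a constructed sample built on the well-known 4111... test card number.

```python
import re

# Values taken from the slide: repeating XOR key and record delimiter.
XOR_KEY = b"memdump"
DELIMITER = b"$$$" + b" " * 7          # "$$$" followed by 7 spaces

# Magnetic-stripe layouts (ISO/IEC 7813): Track 1 "%B<PAN>^<NAME>^<YYMM>...?",
# Track 2 ";<PAN>=<YYMM>...?". Used to recognise records after decoding.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_dump(entries: list[bytes]) -> bytes:
    """Reproduce the on-disk layout (assumption: delimiter stored in the clear)."""
    return DELIMITER.join(xor_bytes(e, XOR_KEY) for e in entries)


def decode_dump(blob: bytes) -> list[str]:
    """Split the exfil file on the delimiter and XOR each record back."""
    return [xor_bytes(chunk, XOR_KEY).decode("latin-1")
            for chunk in blob.split(DELIMITER) if chunk]


def triage(record: str) -> dict:
    """Classify a decoded record and mask the PAN (last 4 digits only),
    so the analyst's report does not itself become cardholder data."""
    m = TRACK1_RE.search(record)
    if m:
        pan, _name, exp = m.groups()
        return {"track": 1, "pan_last4": pan[-4:], "expiry_yymm": exp}
    m = TRACK2_RE.search(record)
    if m:
        pan, exp = m.groups()
        return {"track": 2, "pan_last4": pan[-4:], "expiry_yymm": exp}
    return {"track": None}


# Constructed sample records using the 4111... test PAN; not real cardholder data.
SAMPLE_RECORDS = [
    b"%B4111111111111111^DOE/JANE^25121010000000000?",
    b";4111111111111111=25121010000000000?",
]


def demo() -> list[dict]:
    """Encode the constructed records as the malware would, then decode and triage."""
    return [triage(r) for r in decode_dump(encode_dump(SAMPLE_RECORDS))]


if __name__ == "__main__":
    for row in demo():
        print(row)
```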
Target Hack
• Occurred Thanksgiving 2013, most likely to target holiday shoppers
• Target’s SOC ignored or missed warnings when anomalous event alerts were triggered
• Malware was installed which garnered credit card data and exfiltrated this data
• An estimated 40 million credit card numbers and 70 million addresses and phone numbers were stolen, per the Businessweek report cited below
• Through February 1, 2014, Target spent $61 million on the breach, with estimates reaching the billions of dollars
Source: businessweek.com/articles/2014-03-13/target-missed-alarms-in-epichack-of-credit-card-data
Botnets
• An army of zombie computers that report back to the attacker and can be used for further malicious purposes (SPAM, DDoS, proxies, etc.)
• Extremely common and effective in modern cybercrime
• Examples:
  – ZeuS/Cridex/Spyeye: Financial theft
  – Cutwail: SPAM engine
[Figure: Zeus botnet hosted at DOLLARADMIN.RU; numbered steps 1–4 from a “UPS File” lure to the victim]
Botnet: IRC Style
• An IRC-style botnet can control an army of computers from a single command and control server
• People believe IRC is out of vogue, but it is still in use today
• Powerful, but its weakness is a central point of failure
IRC Botnets
[Figure: the attacker controls bot-infected hosts (a mobile user, unpatched government systems) through an IRC server (IRCd); infected bots scan for vulnerable systems and infect them]
Botnet: Peer-2-Peer
• P2P botnets have a flexible command and control infrastructure allowing the botnet master to control the botnet from any victim system
  – Gameover ZeuS
• Robust and redundant infrastructure makes it very difficult to take down this kind of botnet
Gameover ZeuS
• One of the most prolific banking trojan / credential-stealing malware families
• All communication is encrypted
• Configuration stored in the registry
• Infections are hardware branded and unique to each infection
• Delivered via phishing emails and exploit kits
• Seen bundled with Cryptolocker
• In June 2014, law enforcement attempted to disrupt the botnet with good success, through international cooperation
Ransomware
• Malware that basically holds a computer captive until a ransom is paid
• Various types of ransomware:
  – SMS: Pay premium SMS fee to unlock
  – Winlocker: Appeared to come from law enforcement
  – File Encryptors: Very common today, will encrypt personal files
  – MBR: Can change the MBR to deliver the ransom message prior to booting
  – Mobile Device: SimpleLocker for Android encrypts SD cards, payment requested in Ukrainian currency (US $22)
WannaCry
• Ransom was low, $300 (bitcoin)
• Attack first occurred May 12, 2017
  – In four days, over 200,000 computers infected in 150 countries
Source: sophos.com
WannaCry
• Leveraged an exploit against the SMB protocol, leaked by the Shadow Brokers, to spread as a worm
• Encrypts files locally, on a shared drive or on external media; the system still operates
• Once infected, the system attempts to connect to its C2 server to exchange public and private keys
• A security researcher noticed a “kill switch”: the malware looked for a certain URL and, if it could reach it, did not run
  – Probably used to foil researchers’ efforts, as most analysis environments would respond to all URLs, even ones that don’t exist
WannaCry Global Impact
• Radiology machines at healthcare facilities
• FedEx reported interference
• Nissan forced to take systems offline to prevent further spread as a proactive measure
• 100,000 Chinese university computers frozen (high numbers likely attributed to OS bootlegging)
• Police stations around the world
Source: http://www.techrepublic.com/pictures/gallery-10-major-organizations-affected-bythe-wannacry-ransomware-attack
Adware
• Been around for years
• Generates revenue for the author through advertisements
• Many may see this as just an irritant
• Many times installed as browser plugins
Spyware
• Captures user activity surreptitiously through:
  – Keystroke logging
  – Account hijacking
  – Turning on camera and microphone
  – Screenshots of open windows
  – Tracking cookies
• Many commercial mobile tools available
Smartphones/Tablets Preloaded
• Multiple Android devices found to have malware preloaded prior to first use
• Included info stealers and “Loki” ransomware
• Suspected of being installed somewhere along the supply chain
Source: https://arstechnica.com/security/2017/03/preinstalled-malware-targets-androidusers-of-two-companies/
Exploit Kits
• Exploit kits have exploded in popularity over the years
• An unsuspecting user is typically redirected to an exploit kit landing page through other compromised systems
• Kit checks browser type and plugins installed, including versions, with utilities such as PluginDetect
• Has a number of exploits on hand to deliver if it determines the browser is vulnerable
  – JAR
  – PDF
  – SWF
  – MS Silverlight
• If exploited, the intended payload is dropped
Angler Exploit Kit
Source: http://thehackernews.com/2015/03/domain-shadowing-angular-exploit-kit.html
Blackhole Exploit Kit
• Most popular exploit kit until late 2013, when the suspected author (Paunch) was arrested
• Easy-to-use GUI with nice metrics
Source: softpedia.com
Other Exploit Kits
Source: https://www.trendmicro.com/vinfo/us/security/definition/exploit-kit
PowerShell
PowerShell
• Living off the land: utilize existing admin tools such as PowerShell to blend in with the environment
• Attackers are using PowerShell now more than ever
• According to Symantec, in December 2016 there was a surge in malicious PowerShell scripts
  – 95.4% of scripts analyzed were malicious
• PowerShell can be used for:
  – Reconnaissance
  – Lateral Movement
  – Downloader
Malicious Activity Done with PowerShell
Image from softpedia.com.
DoS and DDoS Attacks
• DoS: A Denial of Service attack floods a victim with more requests than it can handle
• DDoS: A Distributed Denial of Service attack is a coordinated attack from multiple systems against a single victim
  – The power is exponentially increased with multiple attackers
  – Botnets many times used for DDoS
  – Modern techniques include DNS amplification and NTP reflection
“One botnet of one million hosts could conservatively generate enough traffic to take most Fortune 500 companies collectively offline. A botnet of 10 million hosts (like Conficker) could paralyze the network infrastructure of a major Western nation.” – Jeffrey Carr, Cyber Warfare, pg. 13
DNS Amplification
• Multiple DNS requests are sent to open DNS servers using a spoofed IP address (the victim’s IP)
• Requests usually ask for the “ANY” record associated with a domain, i.e. A records, mail records, etc., hence the amplification
• Large volume of responses overwhelms the victim
Source: mwclearning.com
NTP Reflection
• Takes advantage of a vulnerability in the Network Time Protocol
• Attackers take advantage of the “monlist” command, which will return the previous 600 hosts who have connected to that server
• The large response overwhelms the spoofed, intended victim
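The DNS amplification and NTP reflection slides describe the same traffic pattern from the victim’s side: large UDP replies arriving from many servers that the victim never queried. The following added example (not from the slides) flags that pattern in constructed flow records; the record layout, the thresholds and the addresses are assumptions for illustration.

```python
from collections import defaultdict

# Reflection services discussed on the slides: DNS (UDP/53) and NTP monlist (UDP/123).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed flow records (proto, src_ip, src_port, dst_ip, dst_port, bytes);
# documentation address ranges only, not real traffic.
FLOWS = [
    # legitimate DNS lookup: host asks, resolver answers once
    ("udp", "10.0.0.5", 51000, "198.51.100.53", 53, 70),
    ("udp", "198.51.100.53", 53, "10.0.0.5", 51000, 210),
    # reflected NTP monlist replies: many servers, large payloads, no matching requests
    ("udp", "203.0.113.10", 123, "10.0.0.9", 80, 4400),
    ("udp", "203.0.113.11", 123, "10.0.0.9", 80, 4400),
    ("udp", "203.0.113.12", 123, "10.0.0.9", 80, 4400),
    ("udp", "203.0.113.13", 123, "10.0.0.9", 80, 4400),
    # reflected DNS "ANY" answers toward the same victim
    ("udp", "198.51.100.20", 53, "10.0.0.9", 80, 3100),
    ("udp", "198.51.100.21", 53, "10.0.0.9", 80, 3100),
    ("udp", "198.51.100.22", 53, "10.0.0.9", 80, 3100),
]


def find_reflection_victims(flows, min_sources=3, min_bytes=5000):
    """Flag destinations that receive large UDP traffic *from* a reflector port,
    from several distinct servers, without having sent a request to them.
    Returns {(victim_ip, service): {"sources": n, "bytes": total}}."""
    # outbound requests we did see: (client, server, service port)
    requested = {(src, dst, dport) for proto, src, _, dst, dport, _ in flows
                 if proto == "udp" and dport in REFLECTOR_PORTS}
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for proto, src, sport, dst, _, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, src, sport) in requested:
            continue                      # solicited reply, not reflection
        key = (dst, REFLECTOR_PORTS[sport])
        stats[key]["sources"].add(src)
        stats[key]["bytes"] += nbytes
    return {k: {"sources": len(v["sources"]), "bytes": v["bytes"]}
            for k, v in stats.items()
            if len(v["sources"]) >= min_sources and v["bytes"] >= min_bytes}


if __name__ == "__main__":
    for (victim, service), s in find_reflection_victims(FLOWS).items():
        print(f"{victim}: {service} reflection from {s['sources']} servers, {s['bytes']} bytes")
```

In production the same check runs over NetFlow/IPFIX exports at the border; the legitimate resolver exchange in the sample shows why matching replies against observed requests is needed to avoid false positives.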
Anonymous and LOIC
• LOIC stands for Low Orbit Ion Cannon
• Distributed by members of Anonymous to DDoS targets
Source: sourceforge.net/projects/loic
Mobile Malware & Exploits
• Malware is not limited to desktop/laptop computers
• Mobile malware is rampant
  – Fragmentation of platforms and devices
  – Devices are always on and accessible
  – Always transferring data
  – Frequently accept apps from unknown creators
  – Many apps track location, control banking, store credit card numbers, etc.
Android Malware Threats
Source: https://safeandsavvy.f-secure.com/2016/02/18/these-were-the-top-10-android-threats-in2015-plus-what-to-expect-in-2016/
Today’s Threats: Compartmentalized
• The days of one author writing the malware, creating the phishing email, building a webserver, collecting the money, etc., are gone
• Segmented areas of specialty:
  – Exploit Writing
  – Payload Coding
  – Botnet infrastructure design, maintenance, hosting, and renting
  – Delivery Mechanism
  – Money mule recruitment and payment
Breakdown
Source: http://blogs.msdn.com/cfs-filesystemfile.ashx/key/communityserver-blogs-components-weblogfiles/00-00-00-68-90-metablogapi
Evolution of Delivery
• Social Media
• Drive-by Downloads
• Exploit Kits
• Phishing Sophistication
• Advancements in SPAM
• Compromise of Trusted Websites
Watering Hole
• Attacker infects systems known to be frequented by the intended targets
Source: trendmicro.com
Advanced Persistent Threats
• Purpose is to steal information over the long term
• Uses stealth to hide on the system and network
• Targets usually include high value systems such as corporate and government networks
• Attacks occur over long periods of time
• Majority of APTs suggest a high level of knowledge, skills, and resources involved
APT Lifecycle
[Figure: cycle of stages] Initial Compromise → Expansion (Escalate Privileges, Move Laterally) → Establish Persistence → Exfiltrate Information → Clean up
APT Initial Infection
• Conduct research to identify potential targets
  – Social media such as Facebook, LinkedIn, etc.
• Use information to target individuals
  – Spear phishing emails
  – Social engineering
  – Drive-by downloads
• Primary objective is to entice the user to compromise their system
APT Expansion
• Exploit system vulnerabilities to escalate privileges on the infected computer
  – OS weaknesses, password cracking, etc.
• Obtain administrative access to the computer
  – Administrative access facilitates moving to other computers on the same network
• Goal is to spread to as many nodes on the network as possible
  – To cause maximum harm to the organization
  – To collect as much data as possible
APT Establish Persistence
• Install Remote Administration Tool (RAT)
• Create backdoors on the system
  – Enable communication with remote Command & Control server(s)
• Delayed activation
  – Malware can be configured to activate or “call home” after long intervals of days, weeks, or months
APT Exfiltrate Information
• Ultimate goal of an APT is to collect data
• Some APT malware are noisy
  – Take anything from the network, including any documents, emails, and data available on the network
  – Have the ability to collect documents based on file extensions: PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX
• Some APT malware are quiet, more focused
  – Only search for documents that match certain criteria: keywords, metadata, location, etc.
• Data collected on a central host, bundled together, and then sent to a drop site
APT Cleanup
• APTs always try to avoid detection, both when first installed and post exfiltration
• Involves removing evidence of the intrusion on the system
  – Remove evidence of who was behind the attack
• Might involve misdirection by data manipulation or planting false data
So How Do We Find the Malware?