Roger A. Grimes InfoWorld

Today's malware aint what you think

Page 1: Today's malware aint what you think

Roger A. Grimes
InfoWorld

Page 2: Today's malware aint what you think

Presenter BIO
- Roger A. Grimes
- CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
- InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger
- 23-year Windows security consultant, instructor, and author
- Author of seven books on computer security, including:
  - Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007)
  - Professional Windows Desktop and Server Hardening (Dec. 2005)
  - Malicious Mobile Code: Virus Protection for Windows (O’Reilly, 2001)
  - Honeypots for Windows (Apress, December 2004)
- Author of over 300 national magazine articles on computer security
- Principal Security Architect for Microsoft InfoSec ACE Team

Page 3: Today's malware aint what you think

Roger’s Books

Page 4: Today's malware aint what you think

Presentation Summary
- Quick History of Past Malware Threats
- Today's Threats
- Anatomy of Today's Cyber Attack
- Malware Examples
- Best Defenses

Page 5: Today's malware aint what you think

Historic Malware Trends: Malware Has Been Around Since The Beginning of Computers
- Most early malware were network worms
- Late 1960’s – John Conway’s Game of Life\Core Wars Imp
- 1971, Creeper worm was written by Bob Thomas of the BBN (Bulletin Board Network)
- (First PC, Altair 8800, 1974)
- IBM Christmas worm – Dec. 1987
- Robert Morris Worm – Nov. 1988

Page 6: Today's malware aint what you think

Historic Malware Trends: First PC Viruses – Boot Viruses
- (Apple computer invented 1976)
- 1982 - Richard Skrenta, Jr., a 9th grade high school student and a Core War fan, wrote a 400-line Apple II boot virus called Elk Cloner
  - Spread around the world
  - Every 50th boot would present message
  - No virus scanners or cleaners at this time
- (IBM PC introduced in late 1981)
- 1986 – Pakistani Brain – first IBM-compatible virus
- 1987 – Stoned, Jerusalem, Cascade (encrypted), Lehigh

Page 7: Today's malware aint what you think

Historic Malware Trends: Early PC Malware
- Boot Viruses
  - Even though they made up just a few percent of the malware programs, they accounted for most of the infections
  - March 1992 – Michelangelo
- Executable Viruses
- Some Trojan Horse Programs
- Some Worms, but not many
- Most malware programs were not intentionally malicious

Page 8: Today's malware aint what you think

Historic Malware Trends: PC Malware Hits Mainstream
- 1985 – Macro viruses
- 1998 – HTML viruses
- 2001 – Code Red – IIS worm
- 2003 – SQL Slammer
  - Fastest exploit to date – 10 minutes to infect world
- 2003 – MS Blaster
- In 99.9999% of cases, patch was available before exploit was released

Page 9: Today's malware aint what you think

Historic Malware Trends: Email worms\viruses
- From 1999 to late 2006, about 90% of malware attacks arrived via email
  - VBScript, Javascript
  - Malicious file attachments
  - Rogue embedded links
  - Spam
  - MIME-type mismatches
  - Social-engineering methods
- Melissa, I love you worm

Page 10: Today's malware aint what you think

Historic Malware Trends: Email worms\viruses
- Still, most were not intentionally malicious
- Those were the days!

Page 11: Today's malware aint what you think

Current Malware Trends: Conventional Defense Wisdom
- Run an up-to-date antivirus program
- Run a host-based firewall that prevents unauthorized outbound connections
- Be fully patched
- Visit only trusted web sites
- Careful opening unexpected documents
- Use other programs and OSs to remain safe

Page 12: Today's malware aint what you think

Current Malware Trends: Sadly...
- AV is not all that accurate and cannot be relied upon
- Host-based firewalls really don’t work most of the time
- Nobody fully patches
- Trusted web sites are how you get infected
- Many attacks work cross-platform or don’t care about OS or app
- Targeted spearphishing makes determining what documents you should open hard to do

Page 13: Today's malware aint what you think

Current Malware Trends: Sadly...
- Malware and hacking are worse than ever!
- Even though we already do all the recommended stuff

Page 14: Today's malware aint what you think

Current Malware Landscape: New Malware Model
- Mostly trojans, worms, and downloaders
- Professionally written
  - Development forks, teams
- Criminally-motivated
- Bots & botnets
  - Tens of millions of PCs “owned” at any one time
- Designed To Get Money
  - Steal passwords, identity info, DDoS attacks
- Mostly asks for permission to run and user responds “YES”

Page 16: Today's malware aint what you think

Current Malware Landscape: Criminally Motivated
- Cybercriminals are stealing tens of millions (at least) of dollars every day
- 2009 Verizon Data Breach report found that 91 percent of all compromised records in 2008 were attributed to organized criminal activity.
- “On the brighter side, we are happy to report that these efforts with law enforcement led to arrests in at least 15 cases.”

Page 17: Today's malware aint what you think

Current Malware Landscape: Most Common Malware Cycle
1. User visits “innocent” infected web site
2. Contains simple Javascript redirector
3. Prompts user to install fake program
   - Anti-virus scanner, patch, codec, malformed PDF, etc.
4. First program is a small downloader
   - Starts the malware process
   - Provides bot control
   - Dials home for more instructions

Page 18: Today's malware aint what you think

Only Visit Trusted web sites

Good advice?

Page 20: Today's malware aint what you think

Current Malware Landscape: Trusted Web Sites?
- What has trusted ever meant anyway?
- How do I know I can trust it?
- Do those “seals of approval” mean anything?
- Me, I feel safer on a pay-for-view porn site!!

Page 21: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
- 77 percent of web sites with malicious code are legitimate sites that have been compromised
- 61 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims to malicious
- 37 percent of malicious Web/HTTP attacks included data-stealing code
- 57 percent of data-stealing attacks are conducted over the Web

Page 22: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
How?
- Web site itself compromised
  - Misconfiguration
  - Vulnerability
  - Allows user postings
- Malicious ads from legitimate ad services
- Malicious sponsored ads on search engines
- Poisoned search engine results
- Web site codelets created by bad guys to go malicious one day

Page 23: Today's malware aint what you think

Current Malware Landscape: Some aren’t so Innocent!
Tens of Millions of Malicious Web Sites
- Look real, but completely malicious
- Often taken there by OS or app help program or search engine
- Promote product that is nothing but malicious
- Have entire teams of people dedicated to promoting product on “independent” blogs, review magazines, etc.
- Ex: You must have this codec to watch these car racing videos on YouTube

Page 24: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
Poisoned Ad Services
- You name the major web site and it has probably hosted malicious ads
- Ads posted by web site owner, marketing firm hired by web site, compromised ad service, or hacking
- Avast - the most compromised services are Yahoo’s yieldmanager.com and Fox’s fimserve.com
  - Responsible for more than 50% of poisoned ads
  - Doubleclick.net too
- http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/

Page 25: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
Poisoned Cartoons?
- King Features, a newspaper comic distributor, was hacked
- King Features distributes online comics to about 50 different newspapers
- Online readers were prompted to download a malicious PDF
- http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reader_f.html

Page 26: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
Search Engine Poisoning
- Bad guys create web sites that are very attractive to search engine bot crawlers (e.g. lots of links with lots of keywords)
- It is not uncommon to find malicious links in 15% to 20% of the first 100 results from a search
- Some of the most popular searches will return 90%
- Malicious web sites are often generated on the fly, changed only by a single keyword in the URL
- http://www.cyveillanceblog.com/general-cyberintel/malware-google-search-results

Page 27: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
SEO Kits
- Poisoned search engine results often created by Search Engine Optimization (SEO) kits
- Kits download most popular search engine requests from the search engines themselves (e.g. googletrends)
- Then generate web site on the fly with those keywords and images
- Generates thousands of web sites with those keywords and link to each other
- http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf

Page 28: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
Sponsored Ads
- Search engines often host sponsored ads that redirect to malicious sites and code
- Nearly all search engines involved
  - Certainly the ones you use are
- Due to malware companies posing as legitimate companies and switching up ads or legitimate web sites being infected that paid for legitimate ad time

Page 29: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
Sponsored Ads

Page 30: Today's malware aint what you think

Current Malware Landscape: Innocently Infected Web Sites
Many Infected Host Providers Are Slow To Respond
- Example: ThePlanet.com
  - Stopbadware.org notifies ThePlanet when they note an infected web site hosted by ThePlanet
  - Averages 12K-20K infected sites a month
  - 1 month after reporting, 12K of reported web sites remain infected
  - 4.5K remain infected after 7 months

Page 31: Today's malware aint what you think

Current Malware Landscape: Not-So Innocently Infected Web Sites
Bulletproof Hosting
- Many companies advertise on the promise that they will keep your web site up no matter what you do with it
- The Russian Business Network is number one in this space
- McColo was #2 before 2008 takedown
- Plenty of competition
  - Located in countries without appropriate laws

Page 32: Today's malware aint what you think

Current Malware Landscape: Not-So Innocently Infected Web Sites
Bulletproof Hosting - Examples

Page 34: Today's malware aint what you think

Current Malware Landscape: New Malware Model Steps
1. Bot program exploits victim PC and installs itself
2. It “phones home” using dynamic DNS server to find “mothership”
3. Finds mothership, downloads new code and instructions
4. Repeats 1-20 times
5. Infects new victim PCs
6. Sometimes plays role of bot host, sometimes of dynamic DNS server, sometimes mothership

Dynamic DNS Server
- Created for just this single victim instance
- Can be a legitimate DNS server or exploited system

Initial Mothership Web Server
- Usually just another exploited victim or web server
- Updates dynamic DNS server with current IP address

Dynamic Mothership
- Mothership updates may cycle 20 times
- Sends bot host new programs, new payload, new instructions

Page 35: Today's malware aint what you think

Current Malware Landscape: New Malware Model Steps
1. Infect or Exploit
2. Modify system to gain control
3. Phone “home” to get code update
   - Repeat this step 1-20 times
4. Modify host and spread to create bot net
5. Steal information - financial, passwords, etc.
6. Able to bypass any authentication method
7. When finished, self-delete, cover up tracks

Page 36: Today's malware aint what you think

Current Malware Landscape: New Malware Model (con’t)
- Self-healing bot nets
- Intended to live only a few hours
- Auto-updating
- Designed to hide
- Millions of malicious links on social networking sites
- Some of the biggest users of Facebook, Myspace, and Twitter

Page 37: Today's malware aint what you think

Current Malware Landscape: New Malware Model (con’t)
- Silent drive-by downloads and “one click and you’re owned” traps used to be the way people got infected
  - Require unpatched software and vulnerabilities
  - UAC and other browser protections make this harder to do
  - Still happens, but now in the minority
- OS patching is nearly 100% now
- App patching could be better
- Malware writers are mostly targeting unpatched Internet browser apps now

Page 38: Today's malware aint what you think

Current Malware Landscape: New Malware Model (con’t)
- In most cases, people are tricked into intentionally installing a malware program
  - 99% of the risk in most environments
- Occasionally, a roving worm, like Conficker, becomes Ms. Popularity for a few days or months

Page 39: Today's malware aint what you think

Current Malware Landscape: Known Vulnerabilities Going Down Year-after-Year
- Vulns. trending down since 1H 2007
- Figures for all reporting vendors

Page 40: Today's malware aint what you think

Current Malware Landscape: Known Vulnerabilities Going Down Year-after-Year
- Even OS and Browser Vulnerabilities Are Flat
- From MS SIR 8

Page 41: Today's malware aint what you think

Current Malware Landscape: Still Plenty of Vulnerabilities
- Especially in the browser space
- Every new browser vendor promises to make the perfectly secure browser that apparently Microsoft cannot seem to make
- Later on I’ll tell you how it doesn’t matter at all anyway

Page 42: Today's malware aint what you think

Current Malware Landscape: Number of Browser Vulnerabilities in 2009
- Firefox – 169
- Apple Safari – 94
- Internet Explorer – 45
- Google Chrome – 41
- Opera – 25
From Symantec\Secunia

Page 43: Today's malware aint what you think

Current Malware Landscape: Number of Browser Vulnerabilities in 2010 (so far)
- Firefox – 52 (3.0: 15, 3.5: 18, 3.6: 19)
- Apple Safari 4 – 17
- Internet Explorer 8 – 21
- Google Chrome – 28
- Opera – 6

Of all browsers Symantec analyzed in 2009, Safari had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a 13-day average; IE, FF, and Opera had the shortest windows of exposure, averaging 1 day.

Page 44: Today's malware aint what you think

Current Malware Landscape: But Vulns Don’t Matter All That Much
- The way almost all your users are getting infected is direct action trojans

Page 45: Today's malware aint what you think

Current Malware Landscape: Trojans Are #1!
- By a huge percentage, trojans are number one!
(From Microsoft SIR 8)
[Chart; labels: Exploits, Trojans]

Page 46: Today's malware aint what you think

Current Malware Landscape: But Worms are more frequent on work computers
(From Microsoft SIR 8)

Page 47: Today's malware aint what you think

Why Are They So Prevalent?
- Trojan program looks “really, really” authentic
- Coming from legitimate web sites, spam, phishing attacks
- Bad guy often buys ads on search engines or “poisons” search engine results
- Certain keywords are more likely to bring up malware than legitimate web sites
- Bad guys use the latest news (e.g. earthquake, celebrity event, etc.)
- Often accidentally redirected to malware sites by legitimate trusted software

Page 48: Today's malware aint what you think

Tricking End Users: Antivirus 2010

Page 49: Today's malware aint what you think

Fake AV Stats – from Google
- In one year, Google found over 11,000 web sites offering fake AV scanners
- 1,462 unique new installer programs per day
- 20% detection rate by real AV
- 1 hr – median time redirection web site is up before hackers move on
- In SIR 8, Microsoft said its security products cleaned fake anti-virus related malware from 7.8 million computers in the second half of 2009.

Page 50: Today's malware aint what you think

Apparently worry about copyright infringement

Page 51: Today's malware aint what you think

Why Are They So Prevalent?
- Millions of new programs created every year
- Challenging for pure definition scanners to keep up
- No antivirus scanner will ever be perfect
  - Check out http://www.virustotal.com/estadisticas.html

Page 52: Today's malware aint what you think

Current Malware Landscape: Infection or Exploit
- “Zero-day” exploits becoming more common
- One attack program can have 20 exploit vectors
- DNS tricks
  - Poisoning, hosts file manipulation
  - Sound-alikes
- One-offs (everything unique for each victim)
- Millions of malware programs each year
  - Symantec reported 2.8 M malware programs in 09
  - More than legitimate programs

Page 53: Today's malware aint what you think

Why Are They So Prevalent? Malware Is Hiding Better
Known Malware Detection Rates Not Bad
- www.virusbulletin.com
- Dozens of AV scanners routinely detect 100% of the known malware programs in the wild with zero false-positives
  - Awarded VB100

Page 54: Today's malware aint what you think

Why Are They So Prevalent? Malware Is Hiding Better
First-Day Malware Detection Rates Could Be Improved
- www.av-test.org (Dec. 2009)
- Brand new threats were released and tested
- Best products detected malware 98% of the time, blocked 95% of the time
- Average product was 70-90% effective
- Sounds good until you realize that out of 100 users in your network, at least two of them will be presented with a trojan program that is not detected as malicious
- Now multiply that by the size of your user base, especially over time

Page 55: Today's malware aint what you think

Why Are They So Prevalent? Malware Is Hiding Better
How Does Malware Hide? Early Techniques:
- Encrypted – hide the malware so it can’t be scanned
- Oligomorphic – multiple encryption/decryption engines
- Polymorphic – random encryption/decryption
- Metamorphic – mutates malware body, looks for compiler on host and re-compiles malware on-the-fly

Page 56: Today's malware aint what you think

Why Are They So Prevalent? New Malware Is Hiding Even Better
How Does Malware Hide? Today’s Techniques:
- HTML Encoding/Obfuscation
- Character set (e.g. UTF-8, UTF-7, Unicode) encoding
- Compression (e.g. multi-compressed zip files)
- Packers, Multi-packers
- SSL/TLS/encryption for travel and communications

Page 57: Today's malware aint what you think

Why Are They So Prevalent? New Malware Is Hiding Even Better
How Does Malware Hide? Today’s Techniques:
- Language encoding (e.g. simplified Chinese)
- Transfer encoding (e.g. chunked, token-extension)
- Packet fragmentation, time-outs
- Password protected files
- Embedded code (e.g. RTF links)
- Embedded in thick content (e.g. PDF, Flash, MS-Office objects)

Page 58: Today's malware aint what you think

Why Are They So Prevalent? New Malware Is Hiding Even Better
How Does Malware Hide? Today’s Techniques:
- Dynamic DNS names
- Dynamic IP addressing
- One-time URLs (unique per victim)
- Self-deleting malware
- Delete and come back when needed
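
The dynamic DNS names and dynamic IP addressing listed above, and the "phone home" step of the malware model, leave a trace in resolver logs: one name answered with short TTLs and many different addresses in a short time. The following is an added example, not part of the original slides; the log layout (`epoch qname ip ttl`), the thresholds and the sample names and addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds; tune against your own baseline (CDNs also rotate addresses).
MAX_TTL = 300          # seconds; only short-lived answers are considered
MIN_DISTINCT_IPS = 4   # distinct answers for one name inside the window
WINDOW = 3600          # seconds

def parse_line(line):
    """Parse 'epoch qname ip ttl' (hypothetical layout); return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1].lower().rstrip("."), parts[2], int(parts[3])
    except ValueError:
        return None

def find_rotating_names(lines):
    """Return {qname: sorted distinct IPs} for names whose low-TTL answers rotate quickly."""
    answers = defaultdict(list)            # qname -> [(timestamp, ip)], low TTL only
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # skip malformed lines instead of crashing
        ts, qname, ip, ttl = rec
        if ttl <= MAX_TTL:
            answers[qname].append((ts, ip))

    flagged = {}
    for qname, seen in answers.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window so it never spans more than WINDOW seconds.
            while seen[end][0] - seen[start][0] > WINDOW:
                start += 1
            ips = {ip for _ts, ip in seen[start:end + 1]}
            if len(ips) >= MIN_DISTINCT_IPS:
                flagged[qname] = sorted(ips)
                break
    return flagged

# Constructed sample log (documentation address ranges, .example names).
SAMPLE_LOG = """\
1700000000 intranet.corp.example 10.20.0.10 3600
1700000060 update.dyn.example 192.0.2.11 60
1700000400 update.dyn.example 198.51.100.23 60
1700000900 update.dyn.example 203.0.113.45 60
1700001500 update.dyn.example 192.0.2.77 60
1700001600 www.shop.example 203.0.113.80 300
1700005000 www.shop.example 203.0.113.81 300
this line is malformed
1700002000 intranet.corp.example 10.20.0.10 3600
""".splitlines()

if __name__ == "__main__":
    for name, ips in find_rotating_names(SAMPLE_LOG).items():
        print(f"{name}: {len(ips)} addresses with TTL <= {MAX_TTL}s: {', '.join(ips)}")
```

A hit is a lead for investigation, not a verdict: check which internal hosts queried the name and what they did next.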

Page 59: Today's malware aint what you think

Current Malware Landscape: Adobe Acrobat Malware Is a Huge Problem
- Responsible for up to nearly 50% of all successful web-based attacks.

Page 61: Today's malware aint what you think

Current Malware Landscape: Targeted Spearphishing
- Usually arrives in email
- Sender has internal details
  - Most captured from company’s public web site and news
  - Other times, obviously has insider knowledge of project or detail
- Often target senior executives
  - Project document, pending lawsuit, child support inc.
- Common scam: Target accounting to infect the payroll transfer transaction computer
  - Defense: That computer should not be connected to the normal network or used for anything else, highly guarded and secured

Page 62: Today's malware aint what you think

Current Malware Landscape: Adobe Acrobat Malware Example
- Can arrive in email

Page 63: Today's malware aint what you think

Current Malware Landscape: Adobe Acrobat Malware Example
- Prompts User to Save Another “PDF” file

Page 64: Today's malware aint what you think

Current Malware Landscape: Adobe Acrobat Malware Example
- Can be prevented by modifying one setting

Page 65: Today's malware aint what you think

Current Malware Landscape: Do You Patch Office?
- Most attacks are several years old.

Page 66: Today's malware aint what you think

Current Malware Landscape: Do You Patch Office?
- More than half (56.2 percent) of the attacks affected Office program installations that had not been updated since 2003.
- Most of these attacks involved Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.

Page 67: Today's malware aint what you think

CAN-SPAM Act of 2003 took down spam!

Current Malware Landscape

Page 68: Today's malware aint what you think

Current Malware Landscape: Spam stats
- 25% - Percentage of spam when CAN-SPAM Act was passed

Page 69: Today's malware aint what you think

Current Malware Landscape: Spam stats
- Spam is most of our email
  - 88% according to Symantec
  - 93% according to MessageLabs
- 95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious. (Websense 2009 report)
- Spearphishing for targeted attacks increasing greatly
- 85% of spam is sent by bots from innocently infected computers (Symantec)
- 20% of all spam sent in March 2010 used TLS (MessageLabs)

Page 70: Today's malware aint what you think

Current Malware Landscape: Spammers Still Abusing Free Web Mail
Spammers bypass CAPTCHAs by:
- OCR – recognize the symbols
- VCR – recognize the voice
- Paying third world country employees to manually answer
  - Freelancer.com - dozens of such projects are bid on every week.
  - 80 cents to $1.20 for each 1,000 deciphered boxes, or about $6 every 15 days for the average worker

Page 71: Today's malware aint what you think

Current Malware Landscape: Bot Nets and Spam
Per MessageLabs
- Hundreds of billions of spams are sent each day
- 85% from spambots, 90% from the top five bots
- Rustock – largest current botnet with 2.4M hosts, responsible for 1/3rd of all spam
- Grum – Responsible for 24% of all spam
- Mega-D – Responsible for 18% of all spam

Top spam bots vary according to measurer, but Rustock always gets #1 spot

Page 72: Today's malware aint what you think

Current Malware Landscape: Popular Botnet Families
(From Microsoft SIR 8)

Page 73: Today's malware aint what you think

Current Malware Landscape: Bot Nets
- Many commercial bot net kits
  - Management interfaces
  - 24 x 7 tech support
  - Bypass any authentication
  - Made to order
- Example: Butterfly\Mariposa bot net (March 2010)
  - 13 million controlled computers in 190 countries
  - Run by three non-experts, required very little skill
  - Bought original bot kit for $300

Page 74: Today's malware aint what you think

Current Malware Landscape: Malware Kit Examples
- Crum – $200 – Creates polymorphic encrypted malware, free updates
- Eleonore Exploits Pack – $700 – several exploits including MS, Firefox, Opera, and PDF
- Neon – $500 – PDFs (including FoxIt), Flash, Snapshot
- Adrenaline – $3000 – keylogging, theft of digital certificates, encryption of information, anti-detection techniques, cleaning of fingerprints, injection of viral code, etc.
- http://malwareint.blogspot.com/2009/08/prices-of-russian-crimeware-part-2.html

Page 75: Today's malware aint what you think

Current Malware Landscape: Crime Does Pay

Page 76: Today's malware aint what you think

Current Malware Landscape: Future Not Looking That Great
- For the most part, we aren’t catching many of the criminals
  - International jurisdictions, non-compliant countries, no hard evidence, real crimefighting takes time
- Users/admins not doing the simple things they should be doing to stop malicious attacks
- Attackers don’t need complex, hypervisor attacks to do damage; current attacks doing just fine
- Vendors could produce zero-defect software and it would not make a measurable dent in cybercrime

Page 78: Today's malware aint what you think

Grimes Corollary
The most popular software in a particular category will be successfully attacked the most
- Regardless of whether or not Microsoft made it!
- Windows, IE, Microsoft Office
- PDF over XPS
- Apache over IIS
- Quicktime over Windows Media Player
- ActiveX over Java Applets

Page 79: Today's malware aint what you think

Current Malware Landscape: Many Times No Malware Needed
Auction\Sales Site scams
- Selling a car or motorcycle for an unbelievable price with unbelievable terms
- “I’ll give you the best price ever and pay for international shipping”
- Send your money to a “trusted, third party”
- “Buyer protection”
- Doesn’t care what your OS or browser is
- So much for your anti-malware programs

Page 80: Today's malware aint what you think

Current Malware Landscape: Many Times No Malware Needed
Auction Car Sale Scam Example

Page 81: Today's malware aint what you think

Current Malware Landscape: Many Times No Malware Needed
Auction Car Sale Example

Page 82: Today's malware aint what you think

Current Malware Landscape: Forming a Defense
Lessons To Take Away
- Malware usually comes from innocently infected web sites
- Visiting only “trusted” web sites is not great advice anymore
- Consider investing more in technologies that can mitigate these types of threats
- Educate end users about the current state of malware
- **If we could educate users to not install fake programs, the majority of the current malware threat would disappear overnight

Page 83: Today's malware aint what you think

Fight the Good Fight
Best End-User Defenses
- Don’t be logged in as Administrator or root when surfing the web or reading email
- Run up-to-date anti-malware programs
  - Antivirus, Firewalls, Anti-spam, Anti-phishing, intrusion detection
- Fully patch OS and all applications, including browser add-ons (harder than it sounds)
- Use good, secure defaults

Page 84: Today's malware aint what you think

Fight the Good Fight
Best End-User Defenses
- Educate end-users to most likely threats
  - Tell them to learn what their AV software looks like and what it doesn’t
  - Show them what their patching software looks like
  - Tell them not to install software offered by their favorite web site
  - Does your educational content contain this information?
- Phish your own users (be the first!)

Page 85: Today's malware aint what you think

Fight the Good Fight
Best End-User Defenses
- Use search engines that contain anti-malware abilities (e.g. Bing, Google, etc.)
- Use browsers that have anti-malware checkers
  - Most of the popular ones, but not all
- Look for unusual network traffic patterns
  - Unexpected large transfers, workstation-to-workstation, server-to-server
- Install honeypots as early warning detectors
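
One way to act on the "unusual network traffic patterns" advice above, as an added example that is not part of the original slides: a small classifier over flow records that flags the three patterns the slide names. The address plan, the allow-listed server pair, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed address plan (hypothetical); replace with your own networks.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed allow-list of server pairs that are expected to talk (e.g. app -> database).
ALLOWED_SERVER_PAIRS = {("10.20.0.10", "10.20.0.20")}
LARGE_FLOOR = 50_000_000   # never call a transfer "large" below 50 MB
LARGE_FACTOR = 20          # ...and it must be 20x the source's usual flow size

def role(ip):
    """Classify an address as workstation, server or external."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in WORKSTATION_NETS):
        return "workstation"
    if any(addr in net for net in SERVER_NETS):
        return "server"
    return "external"

def is_large(nbytes, sizes_from_source):
    """Large = above the floor and far above the median of the source's other flows."""
    if nbytes < LARGE_FLOOR:
        return False
    others = list(sizes_from_source)
    others.remove(nbytes)                  # compare against the *other* flows only
    return not others or nbytes >= LARGE_FACTOR * median(others)

def find_unusual(flows):
    """flows: iterable of (src_ip, dst_ip, bytes_sent). Returns [(reason, flow), ...]."""
    flows = [tuple(f) for f in flows]
    per_src = defaultdict(list)
    for src, _dst, nbytes in flows:
        per_src[src].append(nbytes)

    alerts = []
    for flow in flows:
        src, dst, nbytes = flow
        src_role, dst_role = role(src), role(dst)
        if src_role == dst_role == "workstation":
            alerts.append(("workstation-to-workstation", flow))
        elif src_role == dst_role == "server" and (src, dst) not in ALLOWED_SERVER_PAIRS:
            alerts.append(("server-to-server", flow))
        if is_large(nbytes, per_src[src]):
            alerts.append(("unexpected large transfer", flow))
    return alerts

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.20.0.10", 120_000),        # workstation -> app server, normal
    ("10.10.1.5", "10.20.0.10", 95_000),
    ("10.10.1.5", "203.0.113.7", 900_000_000),   # workstation -> internet, huge upload
    ("10.10.1.5", "10.10.2.9", 40_000),          # workstation -> workstation
    ("10.20.0.10", "10.20.0.20", 2_000_000),     # app -> database, allow-listed
    ("10.20.0.30", "10.20.0.20", 1_500_000),     # server pair not on the allow-list
]

if __name__ == "__main__":
    for reason, (src, dst, nbytes) in find_unusual(SAMPLE_FLOWS):
        print(f"{reason:28} {src} -> {dst} ({nbytes} bytes)")
```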

Page 86: Today's malware aint what you think

Current Malware Landscape: Forming a Defense
Future Defenses
- Most countries are starting to work together better (although very slowly)
- Ultimately will take rebuilding the Internet
  - Building in pervasive identity and accountability
  - Still support anonymity
  - Will have to be done incrementally
- Support End-to-End Trust initiatives
  - All needed protocols are already in place
  - See Trusted Computing Group’s work
  - Microsoft’s End To End Trust

Page 87: Today's malware aint what you think

e: [email protected]

Current Malware Landscape: Questions