
Malicious Software and its Underground Economy
Two Sides to Every Story

Malicious software

Lorenzo Cavallaro
Information Security Group, Royal Holloway, University of London

Jun 17, 2013 (Week 1-3)

(Week 1-3) Lorenzo Cavallaro (ISG@RHUL) - Malware and its Underground Economy - Jun 17, 2013 - 1 / 10

Lecture Outline (Learning Outcomes)

Week 1: Introduction
  1. Should we care? A botnet takeover storytelling
  2. Admin blabbing
  3. Malicious software
  4. (A glimpse at) Botnets
  5. (A glimpse at) Botnet detection & Rootkits
Week 2: Static analysis and its limitations
Week 3: Dynamic analysis and its limitations
Week 4: Mobile malware
Week 5: Cybercriminal underground economy
Week 6: The cost of cybercrime

Malicious Software
Malware refers to any unwanted software and executable code that is used to perform an unauthorized, often harmful, action on a computing device. It is an umbrella term for various types of harmful software, including viruses, worms, Trojans, rootkits, and botnets.

Taxonomy I

Malware is classified along two axes: its means of distribution (self-spreading vs. non-spreading) and its dependency on a host (runs independently vs. requires a host).

Self-spreading:
- Virus (requires a host)
- Worm (runs independently)

Non-spreading:
- Root-kit, Trojan horse
- Dialer, Spyware, Keylogger

Taxonomy II

Virus
- Self-replicating; needs a host to infect
- Infection techniques: boot sector (Brain virus), overwriting, parasitic, cavity, entry point obfuscation, code integration (W95/Zmist virus)

Worm
- Self-replicating; spreads (autonomously) over the network
- Exploits vulnerabilities affecting a large number of hosts, or sends itself via email
- e.g., Internet worm, Netsky, Sobig, Code Red, Blaster, Slammer

Taxonomy III

Trojan horse
- Malicious program disguised as legitimate software
- Many different malicious actions: spy on sensitive user data, hide its presence (e.g., root-kit), allow remote access (e.g., Back Orifice, NetBus)

Root-kit
- Used to keep access to a compromised system
- Usually hides files, processes, network connections
- User- and kernel-level variants

Let us have a look at some numbers.

Q4 2012 Threats Report

Q4 2012 Threats Report Summary

Figure: Total Malware Samples (Source: McAfee Q4 2012 Threats Report)
Figure: New Malware Samples (Source: McAfee Q4 2012 Threats Report)
Figure: Unique Rootkit Samples (Source: McAfee Q4 2012 Threats Report)
Figure: New Fake AV Samples (Source: McAfee Q4 2012 Threats Report)
Figure: New Password Stealers Samples (Source: McAfee Q4 2012 Threats Report)
Figure: Total Malicious Signed Binaries (Source: McAfee Q4 2012 Threats Report)
Figure: Global Botnet Infections (Source: McAfee Q4 2012 Threats Report)
Figure: Leading Global Botnet Infections (Source: McAfee Q4 2012 Threats Report)
Figure: New Suspect URLs (Source: McAfee Q4 2012 Threats Report)

So, what is it to fight malware?

Fighting Malware I

Foremost goals
- Understand malware behaviors to (automatically) identify and classify families of malware, and (to) automatically generate effective malware detection models

Collect malware samples
- How about infection strategies?

Analyze samples
- Static analysis: studying a program's properties without executing it. Reverse engineering may be hampered (e.g., by obfuscation or encryption)
- Dynamic analysis: studying a program's properties by executing it. The analysis is limited to the environment in which the sample runs
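As an added illustration of the two limitations just listed (constructed toy code, not part of the lecture): a stand-in "sample" whose contact hostname is stored XOR-encoded and whose network behaviour only fires under one locale. A static string scan misses the encoded hostname, and a dynamic run in an environment that does not satisfy the trigger observes only a sleep; the XOR key, the hostname and the locale trigger are all made-up values.

```python
import re

# Added example, not from the lecture slides. All values are constructed:
# the "sample" is a plain Python function, the XOR key and hostname are made up.
XOR_KEY = 0x5A
ENCODED_HOST = bytes(b ^ XOR_KEY for b in b"c2.example.invalid")

def static_string_scan(blob: bytes) -> list[str]:
    """Static analysis: extract host-like strings without executing anything.
    A single-byte XOR encoding is enough to hide the hostname from this scan."""
    return [m.decode() for m in re.findall(rb"[a-z0-9.-]{4,}\.[a-z]{2,}", blob)]

def toy_sample(env: dict) -> list[str]:
    """Constructed stand-in for 'running' the sample; returns the observed actions.
    The network behaviour fires only when the (made-up) locale trigger is met."""
    if env.get("locale") != "en-GB":
        return ["sleep"]                      # dormant: trigger not satisfied
    host = bytes(b ^ XOR_KEY for b in ENCODED_HOST).decode()
    return [f"connect:{host}"]                # hostname is decoded only at run time

def dynamic_trace(env: dict) -> list[str]:
    """Dynamic analysis: record what the sample does in one given environment.
    The trace covers only the code path that this environment exercises."""
    return toy_sample(env)

def analyse() -> dict:
    # Constructed "binary": a fake header followed by the encoded hostname.
    blob = b"\x7fELF" + ENCODED_HOST + b"\x00"
    return {
        "static_hosts": static_string_scan(blob),               # [] : encoding defeats the scan
        "sandbox_default": dynamic_trace({"locale": "en-US"}),  # ['sleep'] : trigger missed
        "sandbox_trigger": dynamic_trace({"locale": "en-GB"}),  # ['connect:c2.example.invalid']
    }

if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

The same scan does find the hostname when it is stored in the clear, which is exactly the gap that encoding opens for static analysis.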


Fighting Malware II

Extract (and generalize) malicious behavior
- Host
- Network

Generate and deploy detection models

Problems (hard)
- Lack of a general definition of malicious behavior
- Cat-and-mouse game: attackers have much freedom
- Victims often (unwittingly) help attackers
