
IT Security - 2 Exercise 2 (Botnets, Mobile Malware)
Tanmaya Mahapatra, Matriculation Number: 340959, tanmaya.mahapatra@rwth-aachen.de
Bharath Rangaraj, Matriculation Number: 340909, bharath.rangaraj@rwth-aachen.de

October 24, 2013

1 Task - 1 : Botnets and the Underground Economy

Question 1 Give some examples how cyber criminals gain money from operating botnets.

Solution: Cyber criminals generally use botnets to mount different types of attacks (spamming, phishing, information theft, click fraud etc.). They gain money by selling the stolen user data, for example:
• Bank account information
• Credit card information
• Personal identity
• Email addresses stored on a user's system
and by renting out the capabilities of the botnet to others, for example:
• Installing additional malware (owned by some other people) on the compromised systems
• Click fraud
• Drive-by downloads
• Spamming

Question 2 What kind of goods are mainly traded in the underground economy?

Solution: Generally the data stolen from compromised systems is traded, such as:
• Bank account & credit card information
• Identity information


• Personal information & contact lists
• Account information for Internet services

Question 3 Consider a malware without botnet capabilities - how can a cyber criminal gain money in this case?

Solution: Botnets can be used to perform a wide range of malicious tasks because they are remotely controlled, i.e. they receive their payload regularly from the C&C. A malware without botnet capability, on the other hand, is generally designed to perform a fixed scenario of malicious activity. It can be a virus, Trojan or worm; the only difference is that the payload is fixed. Profit made from malware in general is depicted in Figure 1. The figure is taken from the Trend Micro blog and is quite self-explanatory. There are lots of ways to make profit from such malware:
1. Their main intention is to steal. Some Trojans in China are designed to steal passwords from players of popular online games. Virtual currencies and other virtual goods associated with online games can be sold for real money.
2. Some adware creates annoying pop-up windows, where sometimes the pop-up speed is even faster than the user can click to close them. Advertisers will pay for that service because of the traffic it generates.
3. Also, such malware can steal data and identity information and can mount various other attacks, like using the infected system to attack further systems in the network.

Question 4 What is a dropzone?

Solution: Cyber criminals operate botnets to steal users' information, which includes financial as well as identity information. They succeed in getting their bots installed on users' systems using different methods like social engineering, exploitation of software vulnerabilities, PDF exploits etc. Once the bots have been installed, they contact the C&C and operate as per the commands received. The criminals like to be sure that the information their botnet has gathered is safe, so they use several servers in different locations configured to receive and store the stolen information. The place where the bots pile up all the stolen data is known as a dropzone. The average size of a dropzone is about 14 GB.

Figure 1: Profits from malware (source: Trend Micro blog)

2 Task - 2 : Defeating Botnets

Question 1 What do researchers often try in order to gather in-depth information about a botnet and/or to take it down?

Solution: The researchers try to collect bot samples using honeypots and analyse them deeply in a sandbox; once they determine a signature they send it to the anti-virus vendors. The most important information they try to collect in order to take down a botnet is:
• Captured network traffic
• API calls made
• Registry changes
• File system accesses and modifications
From the analysis of this information a researcher obtains the most crucial details needed to analyse and tear down a botnet (if present), in particular where the bots contact their C&C.

Question 2 How may sandboxing applications help to mitigate botnets?

Solution: Running bots within a sandbox is a kind of dynamic analysis. It helps to mitigate botnets in the following ways:
• From the sandbox output one can extract the C&C information
• It keeps track of all API calls made
• It captures all network traffic
• It logs registry and file system accesses
Running applications from untrusted or unknown sources inside a sandbox protects the system from malicious logic of all kinds. Moreover it gives us better control: we can know exactly what the running programs are doing if they are run in a sandbox. Sandboxing applications also prevents two applications from interfering with each other. But sandboxing does not guarantee complete security. In my opinion sandboxing applications is a way to mitigate botnets but it is not a fool-proof method. For example, consider the Linux security issues concerning GUI isolation: the design and architecture of the age-old X server is bad, and one GUI application can access another application's data even if it is sandboxed by SELinux. One application can sniff or inject keystrokes into another one, or take snapshots of the screen area occupied by windows belonging to another one. This is due to bad design at the architecture level.
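The following is an added example (not part of the original exercise sheet) showing what a researcher does with the four kinds of sandbox output listed in Questions 1 and 2: it mines a single sandbox run for C&C endpoints from the network trace, auto-start persistence from registry writes, dropped files, and injection-related API calls. The report structure, the domain names, the addresses (documentation ranges) and the allow-list are all constructed for illustration; they are not the output format or data of any particular sandbox product.

```python
"""Mining a sandbox run for the information the answer above lists:
C&C endpoints from the network trace, persistence from registry writes,
dropped files, and injection-related API calls. The report below is a
constructed example in the style of a dynamic-analysis sandbox's output;
it is not the format or the data of any particular sandbox product."""
import re
from collections import Counter

# Constructed report for one hypothetical sample. Addresses are from
# documentation ranges; the domain names are made up.
REPORT = {
    "dns": [
        {"query": "update.example-cdn.net", "answers": ["198.51.100.7"]},
        {"query": "time.windows.com", "answers": ["203.0.113.9"]},
        {"query": "qxkzpwhtv.example", "answers": []},   # NXDOMAIN: DGA-like name
        {"query": "update.example-cdn.net", "answers": ["198.51.100.7"]},
    ],
    "tcp": [
        {"dst": "198.51.100.7", "dport": 8080, "bytes_out": 4120},
        {"dst": "198.51.100.7", "dport": 8080, "bytes_out": 388},
        {"dst": "203.0.113.9", "dport": 123, "bytes_out": 48},
    ],
    "registry": [
        {"op": "SetValue",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "name": "svchosts", "data": r"C:\Users\Public\svchosts.exe"},
        {"op": "QueryValue",
         "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager",
         "name": "BootExecute", "data": None},
    ],
    "files": [
        {"op": "Write", "path": r"C:\Users\Public\svchosts.exe"},
        {"op": "Read", "path": r"C:\Windows\System32\kernel32.dll"},
    ],
    "api": ["CreateFileW", "WriteFile", "RegSetValueExW", "OpenProcess",
            "WriteProcessMemory", "CreateRemoteThread", "connect", "send"],
}

# Hypothetical allow-list: names the sandbox guest resolves on its own.
BENIGN_DOMAINS = {"time.windows.com"}
# Registry keys whose values are executed at logon (auto-start persistence).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Win32 APIs characteristic of code injection into other processes.
INJECTION_APIS = {"WriteProcessMemory", "CreateRemoteThread", "NtMapViewOfSection"}


def extract_iocs(report):
    """Return the indicators a researcher would pull out of the run."""
    ip_to_domain = {}
    resolved = set()
    for rec in report["dns"]:
        if rec["answers"]:
            resolved.add(rec["query"])
        for ip in rec["answers"]:
            ip_to_domain.setdefault(ip, rec["query"])
    queried = {rec["query"] for rec in report["dns"]}
    benign_ips = {ip for ip, dom in ip_to_domain.items() if dom in BENIGN_DOMAINS}

    # Aggregate outbound TCP per (destination, port), dropping benign hosts.
    volume = Counter()
    for conn in report["tcp"]:
        if conn["dst"] not in benign_ips:
            volume[(conn["dst"], conn["dport"])] += conn["bytes_out"]
    endpoints = [
        {"dst": dst, "dport": port, "domain": ip_to_domain.get(dst), "bytes_out": total}
        for (dst, port), total in sorted(volume.items())
    ]

    persistence = [
        f'{r["key"]}\\{r["name"]} = {r["data"]}'
        for r in report["registry"]
        if r["op"] == "SetValue" and AUTORUN_KEY.search(r["key"])
    ]
    return {
        "c2_domains": sorted(resolved - BENIGN_DOMAINS),
        "unresolved": sorted(queried - resolved),   # candidate DGA names
        "c2_endpoints": endpoints,
        "persistence": persistence,
        "dropped_files": sorted(f["path"] for f in report["files"] if f["op"] == "Write"),
        "injection_apis": sorted(set(report["api"]) & INJECTION_APIS),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT).items():
        print(f"{key}: {value}")
```

The unresolved names are kept separately on purpose: a bot that asks for a name nobody has registered yet is a strong hint that a domain generation algorithm is in use, which is exactly the case the Conficker question below is about.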

Question 3 What was initially done to disrupt the Conficker botnet?

Solution: Conficker's authors made use of domain names (produced by a domain generator) rather than fixed IP addresses to make their attack network resilient against detection and takedown. Initial countermeasures:
• Sinkholing or preemptive registration of the domains used to identify Conficker's command and control (C&C) hosts prevented the malware writers from communicating with Conficker-infected systems.
• Microsoft announced the formation of an industry group to collaboratively counter Conficker (the Conficker Cabal).
• ICANN sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus' domain generator.
• Microsoft released a removal guide for the virus and recommends using the current release of its Windows Malicious Software Removal Tool.
• The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media.
• Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely, allowing researchers to imitate the virus network's command packets and positively identify infected computers en masse.
• The peer-to-peer command protocol used by variants D and E of the virus has since been partially reverse-engineered.
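An added example (not part of the original exercise sheet) of why preemptive registration and sinkholing work against a domain generator: once the algorithm has been reversed, defenders can compute every domain the bots will ask for and register or sinkhole them ahead of time, and the same table turns ordinary DNS logs into an infection detector. The DGA below is a deliberately simple, date-seeded illustration and is not Conficker's algorithm; the seed, the TLD list and the resolver log are all constructed.

```python
"""Precomputing a domain generation algorithm (DGA) for preemptive
registration / sinkholing, and reusing the table to spot infected hosts.
The DGA is a simple date-seeded illustration, NOT Conficker's algorithm;
seed, TLDs and the DNS log are constructed for this example."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")           # hypothetical TLD rotation
SEED = b"illustrative-dga-seed"         # would be hard-coded in the bot


def dga(day, n=5):
    """Domains a bot would try on a given calendar day (deterministic)."""
    domains = []
    for i in range(n):
        h = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        length = 8 + h[8] % 5                       # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in h[:length])
        domains.append(f"{label}.{TLDS[h[9] % len(TLDS)]}")
    return domains


def precompute(start, days, n=5):
    """Defender's table: domain -> day on which the bots will use it."""
    table = {}
    for k in range(days):
        day = start + timedelta(days=k)
        for dom in dga(day, n):
            table[dom] = day
    return table


def registration_plan(table):
    """Chronological (day, domain) list to register or sinkhole in advance."""
    return sorted((day, dom) for dom, day in table.items())


def find_infected(dns_log, table):
    """Map each client that queried a DGA domain to the names it asked for.
    dns_log rows are (client, queried name, response code)."""
    hits = {}
    for client, name, _rcode in dns_log:
        if name in table:
            hits.setdefault(client, set()).add(name)
    return {client: sorted(names) for client, names in hits.items()}


START = date(2013, 10, 24)
TABLE = precompute(START, days=3)       # today and the next two days

# Constructed resolver log. Two hosts try DGA names (the lookups fail with
# NXDOMAIN until the domain is registered or sinkholed); the third host
# only resolves legitimate names.
LOG = [
    ("10.0.0.5", dga(START)[0], "NXDOMAIN"),
    ("10.0.0.5", dga(START)[3], "NXDOMAIN"),
    ("10.0.0.9", dga(START + timedelta(days=1))[2], "NXDOMAIN"),
    ("10.0.0.9", "www.rwth-aachen.de", "NOERROR"),
    ("10.0.0.12", "www.example.org", "NOERROR"),
]

if __name__ == "__main__":
    for day, dom in registration_plan(TABLE):
        print(day, dom)
    print(find_infected(LOG, TABLE))
```

The plan is what registries and the Conficker working group had to act on: a list of domains per day that must be unavailable to the attackers before that day arrives. Conficker's later variants generated tens of thousands of names per day across many TLDs precisely to make this list too large to register in full, which is why the P2P channel of variants D and E mattered.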

3 Task - 3 : Stuxnet

Question 1 Name at least 3 characteristics that indicate that Stuxnet was developed by a nation state actor.

Solution:
• Stuxnet involved a high financial investment which cannot be afforded by a normal organization. It used stolen code-signing certificates of two Taiwanese companies and exploited several Windows vulnerabilities, four of which were zero-days at the time of its discovery (alongside one already known and patched vulnerability); acquiring that many zero-days is beyond the means of a normal organization.
• Stuxnet was designed to target only one particular system and checks several conditions before attacking it.
• The attack was not on any individual; it was targeted at a nation.

4 Task - 4 : Mobile Malware

Question 1 Name at least 3 reasons why Android is today's main target for mobile malware.

Solution:
• Attackers focus on Android because it has the largest customer base: it holds 68% of the total market share.
• Android allows third-party applications from outside the official market to be installed via a user-enabled setting ("Unknown sources").
• The many versions of Android customized by the various smartphone manufacturers delay the roll-out of software updates, leaving devices exposed to malware for a long time before a fix arrives.

Question 2 When statically analyzing Android malware, what is the main difference to analyzing desktop malware?

Solution: The main difference between static analysis of desktop and mobile applications is that, when reverse engineering techniques are applied to a mobile application, it is difficult to determine which context of the application is valid at a certain point in time. An Android app has no single entry point: it consists of components (activities, services, broadcast receivers, content providers) whose lifecycle callbacks are invoked by the framework in response to events such as the user tapping the icon, a boot-completed broadcast or an incoming SMS, so the control flow between those components is driven by the system rather than by the program itself.
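As an added example (not part of the original exercise sheet), the following enumerates the entry points of an Android app from its manifest, which is the first step of a static analysis and shows concretely why it differs from desktop malware: there is no main(), only framework-invoked callbacks on components. The manifest is a constructed example laid out like a typical SMS-stealing trojan (launcher activity, boot receiver, high-priority SMS receiver, upload service); it is not taken from any real sample, and the package and class names are made up.

```python
"""Enumerating the entry points of an Android app from AndroidManifest.xml,
the first step of static analysis. The manifest is a constructed example
(a plausible SMS-stealing trojan layout), not taken from any real sample."""
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Namespaced attribute key for android:name, android:exported, ..."""
    return f"{{{ANDROID}}}{name}"


# Callback the framework invokes to start each component kind.
FIRST_CALLBACK = {"activity": "onCreate", "service": "onStartCommand",
                  "receiver": "onReceive", "provider": "onCreate"}

MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".UploadService" android:exported="false"/>
  </application>
</manifest>
"""


def entry_points(manifest_xml):
    """Every component the system can start, with the events that start it."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    found = []
    for comp in root.iter():
        if comp.tag not in FIRST_CALLBACK:
            continue
        name = comp.get(attr("name"))
        if name.startswith("."):            # shorthand for a class in the package
            name = package + name
        actions = [a.get(attr("name"))
                   for f in comp.findall("intent-filter")
                   for a in f.findall("action")]
        exported = comp.get(attr("exported"))
        # Pre-Android-12 default: a component with an intent filter is exported.
        is_exported = exported == "true" if exported is not None else bool(actions)
        found.append({"kind": comp.tag, "name": name, "exported": is_exported,
                      "triggers": actions, "callback": FIRST_CALLBACK[comp.tag]})
    return found


def permissions(manifest_xml):
    """Permissions the app requests, sorted for stable comparison."""
    root = ET.fromstring(manifest_xml)
    return sorted(p.get(attr("name")) for p in root.findall("uses-permission"))


if __name__ == "__main__":
    for ep in entry_points(MANIFEST):
        print(f'{ep["kind"]:8} {ep["name"]:36} exported={ep["exported"]!s:5} '
              f'{ep["callback"]} <- {ep["triggers"] or "explicit Intent only"}')
    print("permissions:", permissions(MANIFEST))
```

A desktop disassembler would start at one entry point and follow calls from there; here the analyst has to start a separate analysis at each listed callback and reason about which system event (launcher tap, boot, incoming SMS) brings the app into that context, which is the difficulty the answer above describes. Cross-checking the triggers against the requested permissions (an SMS receiver plus INTERNET and SEND_SMS) is the usual next step.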