
Malicious Software and its Underground Economy
Two Sides to Every Story

Malicious software

Lorenzo Cavallaro
Information Security Group
Royal Holloway, University of London

Apr 28, 2014, Week 1-3

(Week 1-3) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy Apr 28, 2014, Week 1-3 1 / 12
Lecture Outline
Learning Outcomes

The exploit downloads and installs a malware sample, infecting the victim

Week 1 Introduction
1 (Should we care? A botnet takeover storytelling)
2 Admin blabbing
3 Malicious software
4 (a glimpse at) Botnets
5 (a glimpse at) Botnets detection & Rootkits
Week 2 Static analysis and its limitations
Week 3 Dynamic analysis and its limitations
Week 4 Mobile malware
Week 5 Cybercriminal underground economy
Week 6 The cost of cybercrime
Malicious Software

Malicious Software (Malware) refers to any unwanted software and executable code that is used to perform an unauthorized, often harmful, action on a computing device. It is an umbrella term for various types of harmful software, including viruses, worms, Trojans, rootkits, and botnets.
Taxonomy I

Means of Distribution
Self-spreading: Virus, Worm
Non-spreading: Dialer, Root-kit, Spyware, Trojan horse, Keylogger

Dependency on Host
Requires a host: Virus
Runs independently: Worm
Taxonomy II

Virus
Self-replicating
Needs a host to infect
Boot (Brain virus), overwrite, parasitic, cavity, entry point obfuscation,
code integration (W95/Zmist virus)
Worm
Self-replicating, spreads (autonomously) over network
Exploits vulnerabilities affecting a large number of hosts
Sends itself via email
e.g., Internet worm, Netsky, Sobig, Code Red, Blaster, Slammer

Taxonomy III

Trojan horse
Malicious program disguised as legitimate software
Many different malicious actions
Spy on sensitive user data
Hide presence (e.g., root-kit)
Allow remote access (e.g., Back Orifice, NetBus)
Root-kit
Used to keep access to a compromised system
Usually hides files, processes, network connections
User- and kernel-level

Let us have a look at some numbers...
Q4 2012 Threats Report Summary

Figure: Total Malware Samples (Source: McAfee Q4 2012 Threats Report)
Figure: New Malware Samples (Source: McAfee Q4 2012 Threats Report)
Figure: Unique Rootkit Samples (Source: McAfee Q4 2012 Threats Report)
Figure: New Fake AV Samples (Source: McAfee Q4 2012 Threats Report)

Q4 2012 Threats Report Summary (cont.)

Figure: New Password Stealers Samples (Source: McAfee Q4 2012 Threats Report)
Figure: Total Malicious Signed Binaries (Source: McAfee Q4 2012 Threats Report)
Figure: Global Botnet Infections (Source: McAfee Q4 2012 Threats Report)
Figure: Leading Global Botnet Infections (Source: McAfee Q4 2012 Threats Report)
Figure: New Suspect URLs (Source: McAfee Q4 2012 Threats Report)

So, what is it to fight malware?
Fighting Malware I

Foremost Goals
Understand malware behaviors
to (automatically) identify and classify families of malware
(to) automatically generate effective malware detection models

Collect malware samples
How about infection strategies?
Analyze samples
Static analysis
Studying a program's properties without executing it
Reverse engineering may be hampered (e.g., obfuscation, encryption)
Dynamic analysis
Studying a program's properties by executing it
Environment-limited analysis
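The slide says static analysis studies a program without running it and that obfuscation or encryption can hamper it. The triage below is an added example, not code from the lecture: it computes the Shannon entropy of a region of bytes and extracts printable strings, which is a common first static check for whether a sample is packed or encrypted. The two byte strings are constructed stand-ins for executable sections, and the 7 bits/byte threshold is an assumed rule of thumb, not a figure from the slides.

```python
import math
from collections import Counter

# Constructed stand-ins for two regions of an executable (not bytes of any real sample):
# a readable data region, and a region whose bytes are uniformly distributed, which is
# what packed or encrypted code looks like to a static analyst.
TEXT_SECTION = b"Welcome to the installer. Press any key to continue.\r\n" * 8
PACKED_SECTION = bytes(range(256)) * 4

# Assumed threshold: regions above ~7 bits/byte are commonly treated as packed/encrypted.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant region, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """`strings`-style extraction: runs of printable ASCII at least min_len long."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def assess_section(name: str, data: bytes) -> dict:
    """Static triage of one region: entropy plus string count, and whether further
    static analysis of it is likely to be hampered by packing or encryption."""
    h = shannon_entropy(data)
    hampered = h >= PACKED_THRESHOLD
    return {
        "section": name,
        "entropy": round(h, 2),
        "strings": len(printable_strings(data)),
        "hampered": hampered,
        "verdict": ("likely packed/encrypted; unpack or fall back to dynamic analysis"
                    if hampered else "plain code/data; static analysis feasible"),
    }


if __name__ == "__main__":
    for name, blob in (("text", TEXT_SECTION), ("packed", PACKED_SECTION)):
        print(assess_section(name, blob))
```

The readable region yields many strings and an entropy of roughly 4 bits/byte; the uniform region yields exactly 8 bits/byte and almost no strings, which is the point where a reverse engineer stops reading disassembly and reaches for an unpacker or a sandbox.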
Fighting Malware II

Extract (and generalize) malicious behavior
Host
Network
Generate and deploy detection models

Hard problems
Lack of a general definition of malicious behavior
Cat-and-mouse game: attackers have much freedom
Victims often (unwittingly) help attackers
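The slide's loop is "extract and generalize behavior from host and network observations, then turn it into a detection model". The following is an added example, not the lecture's or any product's code, of what that generalization step looks like in practice: concrete events (a hook name, a file path, an address) are mapped to abstract behaviours, and a model is a set of those behaviours, so one model covers every sample of a family rather than one sample's paths and servers. The trace, the process ids, the event kinds and the two models are all constructed for the example; the "external host" rule (anything outside loopback, RFC 1918 and link-local ranges) is an assumed simplification, and the 203.0.113.7 address is a TEST-NET documentation address used only as a stand-in.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Event:
    pid: int
    kind: str    # abstract behaviour class reported by a (hypothetical) monitor
    target: str  # concrete argument: hook name, path, IPv4 address:port, ...


# Constructed host/network trace (not the output of any real sandbox): pid 100 hooks the
# keyboard, logs to a file and connects to an outside host; pid 200 is an editor that
# saves a file and talks to a local print service.
TRACE = [
    Event(100, "keyboard_hook", "WH_KEYBOARD_LL"),
    Event(100, "file_write", r"C:\Users\bob\AppData\Roaming\svc\k.log"),
    Event(100, "net_connect", "203.0.113.7:8080"),
    Event(200, "file_write", r"C:\Users\bob\Documents\notes.txt"),
    Event(200, "net_connect", "127.0.0.1:631"),
]

# Hypothetical detection models: each is a set of abstract behaviours with no concrete
# paths or addresses in it, which is what makes it generalize across samples.
MODELS = {
    "keylogger/spyware": {"keyboard_hook", "file_write", "net_send_external"},
    "backdoor": {"net_listen", "spawn_shell"},
}

# Assumed notion of "local": loopback, RFC 1918 and link-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_local(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in LOCAL_NETS)


def generalize(ev: Event) -> str:
    """Map a concrete event to the abstract behaviour the models are written against.
    A network connection is reduced to 'local or external'; other kinds pass through."""
    if ev.kind == "net_connect":
        host = ev.target.rsplit(":", 1)[0]
        return "net_send_local" if is_local(host) else "net_send_external"
    return ev.kind


def behaviours_per_process(trace) -> dict:
    """Collect the abstract behaviour set observed for each pid."""
    seen = {}
    for ev in trace:
        seen.setdefault(ev.pid, set()).add(generalize(ev))
    return seen


def classify(trace) -> dict:
    """Per pid, the families whose whole behaviour set was observed (sorted names)."""
    verdicts = {}
    for pid, behaviours in behaviours_per_process(trace).items():
        verdicts[pid] = sorted(name for name, req in MODELS.items() if req <= behaviours)
    return verdicts


if __name__ == "__main__":
    for pid, families in classify(TRACE).items():
        print(pid, families or "no model matched")
```

Note what the generalization buys and what it costs: the editor (pid 200) writes a file and opens a socket too, and only the "external host" abstraction keeps it from matching, which is exactly the slide's point that there is no general definition of malicious behaviour, only models whose abstractions must be chosen with benign programs in mind.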
