Two Sides to Every Story
Introduction
Lorenzo Cavallaro
Information Security Group Royal Holloway, University of London
Jun 17, 2013—Week 1-1
(Week 1-1) Lorenzo Cavallaro (ISG@RHUL)
Malware and its Underground Economy
Jun 17, 2013—Week 1-1
1 / 12
Should we care?
(Let me tell you a story...)
The Botnet Threat
A network of compromised machines (bots) controlled by a bot master
Responsible for (non-exhaustive list):
  - Large-scale network probing (i.e., scanning activities)
  - Launching Distributed Denial of Service (DDoS) attacks
  - Sending large-scale unsolicited emails (SPAM)
  - Click-fraud campaigns
  - Information theft
Shift from a for-fun activity towards a profit-oriented business
The Torpig Botnet
Trojan horse
  - Distributed via the Mebroot “malware platform”
  - Injects itself into 29 different applications
  - Steals sensitive information (e.g., passwords, SSN, credit card numbers)
  - HTTP injection for phishing
  - Uses “encrypted” HTTP as Command & Control (C&C) protocol
  - Uses a resilient approach (domain flux) to contact a C&C server
Mebroot
  - Spreads via drive-by downloads
  - Sophisticated rootkit
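The slide names domain flux as Torpig's resilient way of finding its C&C server, and the next slides turn on the fact that a botnet using it can be hijacked. The following Python example is added here to illustrate both sides; it is not code from the course or from Torpig, and its date-seeded generator, TLD list, hosts and DNS log lines are all constructed. The point it demonstrates: every bot derives the same ordered list of candidate domains from the date, so the malware carries no fixed address, but a defender who has reversed the generator can compute the same list in advance, register the earlier candidates, and recognise infected hosts by the names they look up.

```python
"""Constructed illustration of domain flux and of the defender's view of it.
The generator is a toy, not Torpig's real algorithm."""
import hashlib
from datetime import date, timedelta
from typing import Optional

TLDS = ("com", "net", "biz")          # constructed choice of TLDs
EXAMPLE_DAY = date(2013, 6, 17)       # constructed date for the demo


def generate_domains(day: date, count: int = 3) -> list[str]:
    """Derive the day's ordered list of candidate C&C domains from the date.
    Every bot computes the same list, so the malware ships no fixed C&C
    address and the botmaster only has to register one name per day in time."""
    seed = day.strftime("%Y%m%d").encode()
    domains = []
    for i in range(count):
        label = hashlib.sha256(seed + bytes([i])).hexdigest()[:12]  # valid hostname label
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def rendezvous(day: date, registered: dict[str, str]) -> Optional[str]:
    """Simulate a bot: try the day's candidates in order and stop at the first
    one that resolves. `registered` maps domain -> owner (e.g. "botmaster" or
    "sinkhole"). Returns the owner the bot ends up talking to, or None."""
    for domain in generate_domains(day):
        if domain in registered:
            return registered[domain]
    return None


def sinkhole_schedule(start: date, days: int) -> list[str]:
    """Defender side: once the generator is known, list every candidate for
    the next `days` days so they can be registered before the botmaster does."""
    schedule = []
    for offset in range(days):
        schedule.extend(generate_domains(start + timedelta(days=offset)))
    return schedule


def flag_dga_lookups(dns_log: list[tuple[str, str]], day: date) -> set[str]:
    """Detection side: clients whose DNS queries hit the day's candidate set
    are likely infected. dns_log holds (client_ip, queried_name) pairs."""
    candidates = set(generate_domains(day))
    return {ip for ip, name in dns_log if name in candidates}


if __name__ == "__main__":
    first, second, _ = generate_domains(EXAMPLE_DAY)
    # The botmaster registers only the second name; the bot still reaches it.
    print(rendezvous(EXAMPLE_DAY, {second: "botmaster"}))
    # A defender who registered the first name ahead of time wins the rendezvous.
    print(rendezvous(EXAMPLE_DAY, {first: "sinkhole", second: "botmaster"}))
    # Constructed DNS log: one client queries a candidate, one does not.
    log = [("10.0.0.5", first), ("10.0.0.9", "example.com")]
    print(flag_dga_lookups(log, EXAMPLE_DAY))
```

The order of the candidate list is what matters: because every bot walks it from the top, whoever holds the earliest registered name for a given day owns the rendezvous, which is why pre-registering ahead of the botmaster works and why the generator's inputs (here just the date) decide how far ahead a defender can plan.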
The Torpig Botnet
[Figure: the Torpig infection and operation cycle. Actors: Victim client (becomes a bot), Vulnerable web server, Mebroot drive-by-download server, Mebroot C&C server, Torpig C&C server, Injection server. Labelled steps: (1) GET / to the vulnerable web server; (2) the response leads the victim to the Mebroot drive-by-download server; (3) GET /?gnh5 fetches gnh5.exe; (4)-(5) Mebroot contacts the Mebroot C&C server and receives the Torpig DLLs; (6) stolen data is sent to the Torpig C&C server; (7) configuration, including the phishing HTML URL, comes from the injection server.]
Data Collection Principles
Principle 1: the hijacked botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized
Always