1 UCR Know thy enemy: what do attackers want? Slide credits: some slides adapted from Lorenzo Cavallaro and others.

Slide 2: Plan for this class
- This is a digression for us, but a useful one I hope
  - Looking up—rest of the quarter will be looking down
- Learn a bit about what it is that attackers want and the cost of cybercrime
- Malware and its economy:
  - Mobile malware paper: what is happening in the mobile space?
  - Torpig paper: a botnet from the inside
  - Pay-per-install paper: insight into the malware ecosystem
  - Pay-per-exploit: yet another model
  - Cost of cybersecurity: what is the cost to us?
  - Shadow communication networks

Slide 3: Malware—some terminology
- Malware: unwanted software that is used to perform unauthorized, usually harmful, actions on a computing device.
- Different types: viruses, worms, trojans, rootkits, botnets, …

Slide 4: Malware types

Slide 5: Mobile Malware in the Wild
Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steven Hanna and David Wagner, UC Berkeley, SPSM 2011

Slide 6: Objectives of paper
- Understand motives of mobile malware "in the wild"
- Context
  - Study spans 2009 to 2011
  - Smartphone market transitioning from being Nokia/Symbian dominated to today's mix, with Android and iOS replacing Symbian
  - For-profit malware starting to appear

Slide 7: Introduction
- Mobile malware is fairly recent
  - July 2004: Cabir virus came out on Symbian
  - August 2010: Fake Player on Android
  - July 2012: Find and Call on iOS
- Evolving rapidly
  - Amusement
  - Credential theft
  - SMS spam
  - Ransomware

Slide 8: Threat model
- Three types of threats
  - Malware
  - Personal spyware
  - Grayware
- Security measures
  - Markets
  - Permissions
- Root exploits and jailbreaking
  - Root exploits developed for users to bypass manufacturer limitations
  - But used by both users and adversaries
  - Can bypass defenses

Slide 9: Asides
- Sensitive personal information on the mobile device
  - E-mail, contacts, passwords…

Slide 10: Background: Application Markets
- Apple App Store
  - All applications are reviewed by Apple
  - iOS devices can only obtain apps through here, unless jailbroken
- Google Play (Android Market)
  - Some applications may be reviewed
  - Does not restrict installing apps from other markets
- Symbian Ovi
  - Security automatically reviewed by a program
  - Risky applications are reviewed by a human
  - Can install apps from other markets

Slide 11: Methodology
- Analyzed information about 46 malware samples that spread between Jan. 2009 and June 2011
  - 4 iOS
  - 24 Symbian
  - 18 Android
- Information from anti-virus companies and news sources
- Omitted spyware and grayware

Slide 12: Results

Slide 13: Novelty and Amusement
- Minor damage
  - Changing wallpapers, sending annoying SMS
- A preliminary type of malware
  - Expected to decrease in number

Slide 14: Selling User Information
- Personal information obtained via API calls
  - Location, contacts, history, IMEI
- Information can be sold for advertisement
  - $1.90 to $9.50 per user per month
- IMEI information can be used to spoof blacklisted phones

Slide 15: Stealing User Credentials
- Malware can intercept SMS to circumvent two-factor authentication
  - Done in conjunction with phishing on desktops
- Keylogging and scanning documents for passwords
- Application sandboxing prevents most of these

Slide 16: Premium-Rate Calls and SMS
- Premium-rate calls and SMS directly benefit adversaries
  - A few dollars per minute or per SMS
- 24 of the 46 malware samples send these
  - Mostly on Android and Symbian
- iOS avoids this by always showing a confirmation for outgoing SMS messages

Slide 17: SMS Spam
- Distributing the spam origin across many phones makes blocking harder
- Less noticeable when the victim has unlimited SMS
- Phone numbers are more "reliable" than e-mail
- Can be prevented by enforcing that SMS be sent from a designated confirmation window

Slide 18: Search Engine Optimization (SEO)
- Clicks on a certain link in a search query to increase its visibility
- Phishing websites use this technique, along with desktop malware
- Can be prevented by affixing an application-unique tag to the HTTP request
  - Privacy concerns?

Slide 19: Ransomware
- Kenzero: Japanese virus included in pornographic games distributed on the P2P network
  - Asked for name, address, company name for "registration" of the software
  - Asked 5800 yen (~$60) to delete the information from the website
  - About 661 out of 5510 infections actually paid (12%)
- Not many ransom malware samples on mobile yet…

Slide 20: Possible Future Malware Types
- Advertising click fraud
- Invasive advertising (AirPush)
- In-application billing fraud
- Government spying
- E-mail spam
- DDoS
- NFC and credit cards

Slide 21: Malware detection
- Permissions:
  - Number of permissions asked for
  - Common permissions
  - Sets of permissions
- Application review
  - Apple iOS rarely lists malware (but it does happen: Find and Call)
  - Symbian: 5 out of 24 pieces of malware were signed (2 phish for user IMEIs before the attack to avoid detection)

Slide 22: Malware detection: Android permissions
- 8 out of 11 malware samples request to send SMS (73%)
  - Only 4% of non-malicious apps ask for this
- READ_PHONE_STATE is used by 8/11 malware samples
  - Only 33% of non-malicious apps
- Malware asks for on average 6.18 dangerous permissions
  - 3.46 for non-malicious apps
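The permission statistics on slide 22 translate directly into a manifest triage rule. The following is an added example (not code from the paper or the lecture): it parses a constructed AndroidManifest.xml, counts dangerous permissions against a constructed subset of Android's dangerous list, and flags the SEND_SMS plus READ_PHONE_STATE pair and the 6-permission threshold that the slide's averages suggest.

```python
"""Permission-based triage of Android manifests, after slide 22.

Added example, not from the paper or the slides: the manifests and the
DANGEROUS set below are constructed; Android's real dangerous-permission
list is larger and version dependent.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed subset of the permissions Android classifies as "dangerous".
DANGEROUS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
}
# Slide 22: SEND_SMS (73% malware vs 4% benign) and READ_PHONE_STATE (8/11 vs 33%)
# together are a strong signal; mean dangerous count was 6.18 vs 3.46.
SUSPICIOUS_PAIR = {"android.permission.SEND_SMS",
                   "android.permission.READ_PHONE_STATE"}
DANGEROUS_THRESHOLD = 6


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Return (dangerous_count, reasons); an empty reasons list means no flag."""
    perms = requested_permissions(manifest_xml)
    dangerous = perms & DANGEROUS
    reasons = []
    if SUSPICIOUS_PAIR <= perms:
        reasons.append("requests SEND_SMS together with READ_PHONE_STATE")
    if len(dangerous) >= DANGEROUS_THRESHOLD:
        reasons.append("%d dangerous permissions" % len(dangerous))
    return len(dangerous), reasons


def manifest(*names):
    """Build a minimal constructed AndroidManifest.xml for the demo."""
    lines = ['<manifest xmlns:android="http://schemas.android.com/apk/res/android">']
    lines += ['  <uses-permission android:name="%s"/>' % n for n in names]
    return "\n".join(lines + ["</manifest>"])
```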

Slide 23: Root Exploits
- Rooting allows a higher level of customization
  - Installing from unofficial markets
  - System backups
  - Tethering
  - Uninstalling apps
- However, malware can take advantage of root commands to obtain permissions

Slide 24: Root Exploits
- Root exploits available for 74% of device lifetime
- Malware authors do not need to investigate them, but the community does

Slide 25: Conclusion
- Mobile malware rapidly grew in number
- Profitability is the current trend for malware
- Defense against mobile malware requires more research
- Human review is an effective method to prevent malware
- Rooting benefits both users and malware producers

Slide 26: TORPIG BOTNET TAKEOVER
Based on "Your Botnet is my Botnet: Analysis of a Botnet Takeover", Stone-Gross et al. (UCSB), CCS 2009

Slide 27: Bots and Botnets
- Bot: autonomous program performing tasks
- Benign bots
  - First bots appeared on IRC channels
  - Basically scripts that react to events and offer useful services
  - E.g., Eggdrop bot used to manage channels when the operator is away
- Malicious IRC bots
  - Takeover wars between channels
  - Spam/flooding/trash talking
  - Denial of service
  - IRC proxies to hide origin

Slide 28: Bots/Botnets today
- Malware (backdoor/trojan) running on compromised machines
- Remotely controlled by criminal entities who control networks of bots
  - Called botnets
- Botnets have grown to be a main vehicle for carrying out cybercrime
  - Mostly for financial motivation
- Different business models

Slide 29: Botnet creation
- Network worm
  - Using exploits such as those we covered last class
- Email attachments
- Trojan version of a program (repackaged app, etc.)
- Drive-by download from a malicious or compromised site
  - Also using exploits such as those we covered last class
- Existing backdoor from a previous infection
- Often bought as a service (pay-per-install / exploit-as-a-service)

Slide 30: (figure only)

Slide 31: Botnet infections

Slide 32: Torpig uses Mebroot
- Rootkit distributed by the Neosploit exploit kit
- Spread via drive-by downloads: a hidden iframe on a website executes obfuscated JavaScript that downloads Mebroot onto the victim's machine
- Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)
- Easy-to-use tool, sold for $$$; Torpig was one of their clients

Slide 33: Torpig Botnet

Slide 34: Studying Botnets
- Passive analysis, e.g.:
  - Collected spam mails that were likely sent by bots
  - DNS queries or DNS blacklist queries
  - Analyzed network traffic (netflow data) at a tier-1 ISP
- The active approach to studying botnets is infiltration.
  - Using an actual malware sample or a client simulating a bot, researchers join a botnet to perform analysis from the inside.
  - To achieve this, honeypots, honey clients, or spam traps are used to obtain a copy of a malware sample.

Slide 35: Monetization
- Uses a man-in-the-browser phishing attack to get sensitive information
  - When you visit a domain listed in its configuration file (typically, a banking web site), Torpig issues a request to an injection server.
  - The user visits the trigger page. At that time, Torpig requests the injection URL from the injection server and injects the returned content into the user's browser.

Slide 36: (figure only)

Slide 37: Domain flux: botnet resilience
- Administrators could detect the botnet C&C server and block it
- Botnet authors use IP fast-flux techniques to avoid that.
  - Bots query a certain domain that is mapped onto a set of IP addresses, which change frequently.
- However, fast-flux uses only a single domain name, which constitutes a single point of failure
  - Block it at the DNS level
  - How do you think botnet developers reacted?

Slide 38: Domain flux
- Torpig uses a Domain Generation Algorithm (DGA) to change the domain name
  - If a domain is blocked, the bot simply rolls over to the following domain in the list.
- Using the generated weekly domain name dw, a bot appends a number of TLDs: in order, dw.com, dw.net, and dw.biz.
- If none is available, it switches to a daily name (changes every day)
- Modern botnets like Conficker generate 50,000 domains per day and introduce non-determinism in their generation algorithm.

Slide 39: Taking control of the Botnet
- Reverse engineered the Domain Generation Algorithm
- Registered the .com and .net domains that were to be used by the botnet for three consecutive weeks, from January 25th, 2009 to February 15th, 2009.
- However, on February 4th, 2009, the Mebroot controllers distributed a new Torpig binary that updated the domain algorithm.
- Controlled the botnet for 10 days and collected over 8.7GB of Apache log files and 69GB of pcap data.
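Slides 38 and 39 together explain why reversing the DGA was enough for a takeover: once the weekly name and the TLD order are known, a sinkhole operator can precompute and register the domains before the bots ask for them. The following is an added example (not Torpig's algorithm and not code from the paper): the weekly and daily name derivation is a constructed toy DGA based on SHA-256 of a date string, used only to model the dw.com/dw.net/dw.biz roll-over, the daily fallback, and the registration plan a sinkhole needs.

```python
"""Domain flux from the defender's side (slides 38 and 39).

Added example, not Torpig's real algorithm: the weekly/daily derivation
below is a constructed toy DGA (SHA-256 of a date string), used only to
show why reversing the DGA lets a sinkhole operator pre-register domains.
"""
import hashlib
from datetime import date, timedelta

TLDS = [".com", ".net", ".biz"]  # tried in this order (slide 38)
TAKEOVER_START = date(2009, 1, 26)  # first Monday of the takeover window

def _label(seed, length=8):
    """Map a seed string to a pseudo-random lowercase label (toy DGA)."""
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])

def weekly_name(day):
    """Same label for every day of one ISO week: the 'dw' of slide 38."""
    year, week, _ = day.isocalendar()
    return _label("weekly:%d:%d" % (year, week))

def daily_name(day):
    """Fallback label that changes every day."""
    return _label("daily:" + day.isoformat())

def contact_order(day):
    """Domains a bot tries on `day`: dw.com, dw.net, dw.biz, then the daily name."""
    dw, dd = weekly_name(day), daily_name(day)
    return [dw + t for t in TLDS] + [dd + t for t in TLDS]

def first_reachable(day, unavailable):
    """Simulate the roll-over: the bot uses the first domain not in `unavailable`."""
    for domain in contact_order(day):
        if domain not in unavailable:
            return domain
    return None

def registrations_needed(start, weeks):
    """Weekly .com/.net names a sinkhole must hold, per week from `start`.

    Slide 39: the researchers registered three weeks of .com and .net names;
    holding dw.com, the first domain tried, is what captures the check-ins.
    """
    plan = []
    for w in range(weeks):
        monday = start + timedelta(weeks=w)
        dw = weekly_name(monday)
        plan.append((monday, [dw + ".com", dw + ".net"]))
    return plan
```

Blocking dw.com alone only pushes bots to dw.net, which is why the plan covers both; the daily fallback is the reason the paper's takeover ended when the binary update changed the algorithm rather than when a single domain was lost.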

Slide 40: Is this ethical? Protecting Victims
- PRINCIPLE 1. The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.
- PRINCIPLE 2. The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.

Slide 41: Botnet analysis
- ~180,000 active bots
- The submission header and the body are encrypted using the Torpig encryption algorithm.

Slide 42: Botnet analysis (cont.)

Slide 43: Botnet size vs. IP count (cont.)
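Slide 43 and the conclusion make the point that counting source IPs grossly overestimates botnet size, because one bot shows up from many addresses as DHCP leases change, while several bots behind a NAT share one. The following is an added example (not the paper's code; Torpig's real submissions are encrypted, as slide 41 says): it parses a constructed Apache-style sinkhole log in which each check-in carries a bot identifier, and compares the two size estimates.

```python
"""Botnet size: unique bot identifiers vs. unique source IPs (slides 41, 43, 51).

Added example, not from the paper: the log format is constructed. It mimics
an Apache access log where each check-in carries a bot identifier in the
query string; Torpig's real submission format is encrypted and not shown.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) - - \[(?P<ts>[^\]]+)\] '
    r'"GET /checkin\?bot=(?P<bot>[0-9a-f]+) HTTP/1\.[01]" \d{3} \d+')

# Constructed sinkhole log: bot 1a2b changes address three times (DHCP churn),
# bots c3d4 and e5f6 share one address (NAT); the robots.txt hit is noise.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2009:10:00:01 +0000] "GET /checkin?bot=1a2b HTTP/1.1" 200 17
10.0.0.6 - - [26/Jan/2009:11:15:42 +0000] "GET /checkin?bot=1a2b HTTP/1.1" 200 17
10.0.0.7 - - [26/Jan/2009:12:30:09 +0000] "GET /checkin?bot=1a2b HTTP/1.1" 200 17
192.0.2.9 - - [26/Jan/2009:10:05:33 +0000] "GET /checkin?bot=c3d4 HTTP/1.1" 200 17
192.0.2.9 - - [26/Jan/2009:10:06:01 +0000] "GET /checkin?bot=e5f6 HTTP/1.1" 200 17
203.0.113.4 - - [26/Jan/2009:09:59:59 +0000] "GET /robots.txt HTTP/1.1" 404 209
"""


def parse_checkins(log_text):
    """Yield (ip, bot_id) for every check-in; unrelated requests are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group("ip"), m.group("bot")


def size_estimates(log_text):
    """Return (unique_ips, unique_bots, ips_per_bot) for the log.

    unique_ips is the naive estimate; unique_bots is the identifier-based one
    the paper relied on; ips_per_bot shows where the two diverge.
    """
    ips_per_bot = defaultdict(set)
    all_ips = set()
    for ip, bot in parse_checkins(log_text):
        ips_per_bot[bot].add(ip)
        all_ips.add(ip)
    return len(all_ips), len(ips_per_bot), {b: len(s) for b, s in ips_per_bot.items()}
```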

Slide 44: New infections

Slide 45: New infections (cont.)

Slide 46: Threats and data analysis

Slide 47: Threats and data analysis (cont.)

Slide 48: Threats and data analysis (cont.)
- Symantec indicated ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000.
- If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83K and $8.3M.

Slide 49: Threats and data analysis (cont.)

Slide 50: Threats and data analysis (cont.)
- 173,686 unique passwords recorded; 40% cracked in less than 75 minutes
- 28% of users exhibited password reuse

Slide 51: Conclusion
- A comprehensive analysis of the operations of the Torpig botnet.
- Interesting takeover by reverse engineering the DGA
- Big financial opportunity: up to 83mil
- IPs grossly overestimate botnet size.
- Victims of botnets are often users with poorly maintained machines and easily guessable passwords

Slide 52: Next, let's look at PPI
- Modern botnets monetize by selling installs
- They also buy machines from affiliates
- Affiliates also have their own markets to get machines
  - Buy exploits or exploit kits
  - Buy traffic generation services
  - Etc.
- Talk from USENIX 2011

Slide 53: Exploit as a Service (EaaS)
- Another business model
  - PPI decoupled malware distribution from monetization
  - EaaS decouples the exploit from distribution and monetization
- Relies on drive-by downloads
  - Exploit kits used to attack browsers
- The criminal either
  - Buys an exploit kit
  - Rents pre-configured exploit servers

Slide 54: EaaS
- Led to further segmentation:
  - Traffic providers
  - Exploit providers

