Malware, Trojans &

Botnets

Kevin Bong
Johnson Financial Group
A scary scenario
• The school district’s accounting manager logs
into the district’s online banking account.
• Balance is $150,000 short.
• Looking at the transaction history, it shows
almost 20 ACH transactions, each around
$8,000, were initiated from the account
yesterday.
• The recipients of the transactions are unfamiliar.
• The accounting manager calls her bank…

2
The plot thickens
• The bank traces the funds and contacts the receiving
banks.
• Some of the funds are still available, others have
been withdrawn.
• Discussions with the account holders reveal that
they have been hired as “money transfer agents”
and have wired the money overseas.
• A scan of the accounting manager’s computer
shows that viruses were found and removed.

3
The Zeus Botnet
• Has been used to breach thousands of online
business banking accounts
• Small businesses, non-profits, towns, schools, …
• Used to steal over $100 Million as of Nov 09, still
going strong.

4
Malware, Trojans and Botnets
• This is one example of the many ways fraudsters
use malware to make money.
• How could this happen?
– Aren’t there multiple layers of controls?
– Malware is used to break every layer.

5
Malware is used in most data breaches

Joint United States Secret Service/Verizon 2010 Data Breach Investigations Report
Analysis of 141 breach cases including over 143 million breached data records

6
What’s the difference?
• Malware – malicious software: hostile, intrusive, or
annoying program code
• Virus – software that reproduces itself
• Bot – computer program that does automated tasks.
• Trojan – initially bad software hidden inside good
software. Now more generally refers to Malware with
“backdoor” (remote control) functionality, or an evil
bot.
• Botnet – a network of compromised “zombie”
computers

7
How do computers get infected?

Joint USSS/Verizon 2010 Breach Report

8
Injected/Installed by remote attacker
Listening Network Services
• Example MS09-022 “Buffer Overflow in Microsoft Print Spooler
Vulnerability”
• Listening software = programs running in the background
waiting for incoming network traffic.

9
Other Common Network Services attacked
• Web servers
• FTP servers
• Windows file sharing
• Mail Servers
• Network services (name lookup, etc.)
• Databases

10
Web – Auto Executed Drive By
• Hackers infect legitimate websites
• Or build infected websites and get high search
engine rankings
• Code – usually JavaScript – is included on the
infected page.
• The JavaScript is executed on the client and instructs
the client to download, install, and run malicious
programs.

11
Web/Email User downloaded or executed
• Download programs from file sharing sites or
other untrusted sources
• Not just programs – virus code can hide in Adobe
PDF, Flash, Windows Media, Java
• More than 46% of the browser-based exploits
during the second half of 2009 were aimed at
vulnerabilities in the free Adobe Reader PDF
viewer

12
Facebook – Social Engineering
• Receive a message from a facebook friend:
“Hey, I have this hilarious video of you dancing.
Your face is so red. You should check it out.”
• Koobface infects a profile and sends a message
to all friends via the Facebook messaging system
• When you click on the video, you are prompted
to update Flash player. The update is actually a
copy of Koobface worm.
• Facebook funniest malware vid

13
Exploit + Payload = Malware
• Vulnerability – the weakness that is utilized to
compromise the machine
– Most commonly software bugs and tricking users
• Exploit – the chunk of hacker code that utilizes
the vulnerability
• Payload – the chunk of hacker code to “do
something” with the compromised host.
– Hiding, spreading, stealing, attacking, destroying,
earning income

14
Metasploit
• Framework for joining Exploits with Payloads,
and launching attacks.
• Command line and GUI interfaces
• Hundreds of exploits built in to the tool
• Open API to build and include more
• Over 100 payloads too

15
Metasploit Exploits Example

16
Metasploit exploits - GUI

17
Metasploit Payloads

MSF vid
18
Stage 2: Hiding
• Generally not noisy like adware and spyware (at
least not initially)
• May disable antivirus and administrative
functions/control panels. A less obvious variant
just breaks the AV update capability.
• More sophisticated malware installs itself as a
“Rootkit”

19
Rootkit
• Obscures the fact that a system has been
compromised
• Hooks into or replaces portions of the operating
system
– User mode – modifies
– Kernel mode –
• Makes the computer “lie” to higher level programs,
like Windows Explorer and antivirus
• HackerDefender a well known example (Vid)

20
Stage 3: Join Botnet
• Use Dynamic DNS lookup to find a Botnet server
on the Internet
• “Fast-flux” DNS techniques to direct the bot to
one of hundreds of bot servers.
• Forward traffic through proxies, which makes it harder to trace
• Servers kept in non-cooperative countries

21
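Fast-flux names can be recognised from resolver data alone: the same name keeps answering with a short TTL and a different batch of addresses, spread across unrelated networks, on every lookup, whereas a CDN name with a short TTL keeps returning the same small set. The following Python is an added example for this section, not code from the slides or from any tracker project; it assumes a constructed list of resolver observations using documentation-range addresses, and the thresholds in `is_fast_flux` are assumptions to be tuned on real resolver logs.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed resolver observations (domain, answer TTL in seconds, A records returned),
# as a passive-DNS sensor or resolver log would record them over repeated lookups.
# All addresses are from the RFC 5737 documentation ranges; none is a real server.
OBSERVATIONS = [
    ("updates.example.com", 3600, ["198.51.100.10"]),
    ("updates.example.com", 3600, ["198.51.100.10"]),
    ("updates.example.com", 3600, ["198.51.100.10"]),
    # A CDN-style name: short TTL but the same small, stable set of addresses
    ("cdn.example.net", 300, ["203.0.113.5", "203.0.113.6"]),
    ("cdn.example.net", 300, ["203.0.113.6", "203.0.113.5"]),
    ("cdn.example.net", 300, ["203.0.113.5", "203.0.113.6"]),
    # Flux-style name: short TTL and a fresh batch of addresses in scattered networks every lookup
    ("flux.example.org", 120, ["192.0.2.11", "198.51.100.45", "203.0.113.99"]),
    ("flux.example.org", 120, ["192.0.2.12", "198.51.100.76", "203.0.113.101"]),
    ("flux.example.org", 120, ["192.0.2.13", "198.51.100.64", "203.0.113.150"]),
]


@dataclass
class DomainProfile:
    domain: str
    lookups: int
    unique_ips: int
    unique_prefixes: int   # distinct /24 networks seen across all answers
    min_ttl: int
    churn: float           # share of consecutive lookups whose answer set changed


def profile(observations):
    """Summarise every domain's answer behaviour over all observed lookups."""
    by_domain = defaultdict(list)
    for domain, ttl, ips in observations:
        by_domain[domain].append((ttl, frozenset(ips)))
    profiles = {}
    for domain, rows in by_domain.items():
        all_ips = set().union(*(answer for _, answer in rows))
        prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in all_ips}
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[1] != b[1])
        churn = changes / (len(rows) - 1) if len(rows) > 1 else 0.0
        profiles[domain] = DomainProfile(
            domain, len(rows), len(all_ips), len(prefixes), min(ttl for ttl, _ in rows), churn
        )
    return profiles


def is_fast_flux(p, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=0.5):
    """Assumed heuristic thresholds for the example; tune them against your own resolver data."""
    return (
        p.min_ttl <= max_ttl
        and p.unique_ips >= min_ips
        and p.unique_prefixes >= min_prefixes
        and p.churn >= min_churn
    )


def flagged_domains(observations):
    """Names whose answer behaviour looks like a flux network, sorted for stable output."""
    return sorted(d for d, p in profile(observations).items() if is_fast_flux(p))


if __name__ == "__main__":
    for name, p in profile(OBSERVATIONS).items():
        print(f"{name}: ips={p.unique_ips} /24s={p.unique_prefixes} ttl={p.min_ttl} churn={p.churn:.2f}")
    print("fast-flux candidates:", flagged_domains(OBSERVATIONS))
```

The churn measure is what separates the CDN from the flux name: both use short TTLs, but only the flux name rotates its whole answer set between lookups. A resolver that logs answers (or a passive-DNS feed) is enough input; the check needs no contact with the suspect servers.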
Botnet Command and Control
• Historically preferred IRC, still in use
• HTTP (web browser traffic)
• Peer to peer protocols
• Twitter, Google Groups, Facebook

22
Botnet Control Diagram

23
Botnet control via IRC channel

IRC C&C vid


24
Some sample Botnet commands
• ddos.synflood [host] [time] [delay] [port]
• ddos.phatwonk [host] [time] [delay]
• scan.start
• http.download
• http.execute
• ftp.download
• spam.setlist
• spam.settemplate
• spam.start
• bot.open
• bot.die
* SYN-flood on ports 21,22,23,25,53,80,81,88,110,113,119,135,137,139,143,443,445,1024,1025,1433,1500,1720,3306,3389,5000,6667,8000,8080

25
Hierarchical CnC topology
• Commands sent to distributed servers, which send
commands to bots.
• May be multiple layers.
• Single bots aren’t aware of bot master location or
size of botnet.
• Easy to carve up to sell or perform different
operations.

26
Botnet Command and Control
• Zeus Tracker Command and Control Servers as
of 10.11.2010

27
Zeus Server Distribution

28
Current Botnet Attributes
• Distributed Architecture
• Multiple C&C channels
• Extensive encryption
• Immortal/unlimited in size
• Self Protection
• Self Healing
• Virtual Machine Aware
• Polymorphic
• Multiple exploit channels

29
Bot Herding
• Separate “owned” machines based on function
– Static, always on, high bandwidth → server
– POS machine → steal credit cards
– Corporate office → steal data, spread
– Look for online business banking use → ACH theft
– Home Users → SPAM, DDOS, etc.
• Manage bots
• Lease out services

30
Botnet Statistics

31
Stage 4: Use
• Send SPAM
– Steal email addresses from compromised computers.
– Most mail systems will block large numbers of emails from the same
source. Spreading the sending across many workstations makes it harder to filter/block
• Denial of Service
– Have hundreds or thousands of your bots
send traffic at the same website or company,
fill their pipe and knock them off the Internet
• Other theft
– Credit card numbers
– Steal “in game” online game items and sell them on eBay

32
Banking attack – Step 1 infection
• Bank of Nicolai vid
• Utilize Phishing, network exploits, and drive by
downloads to spread your botnet as wide as
possible.

33
Banking attack – Step 2 identify victim
machines
• Monitor browser use and network traffic to
identify any machines in the bot network that are
being used to log into online business banking
services
• May at that point install a rootkit on the identified
machine

34
Banking attack – Step 3 Capture
Passwords
• Keylogger can capture passwords
• Challenge questions?
– Steal or delete registration cookies to bypass challenge
questions
• Email password?
– Hacker also already has access to your email

35
Banking attack Step 4 – Hire mules
• Use your botnet to send SPAM email soliciting
for “work at home” jobs
• Timing is critical, to pick up and wire funds before
the account compromise is detected.

36
Banking attack Step 5 – Perform
transaction
• Remote control allows them to log in from your
workstation if they want.
• They know your password, challenge question,
etc.
• Aim is to create new recipients and send funds
via ACH or wire in one login session
• These electronic transactions are nearly immediate
and difficult to reverse

37
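The opening scenario (almost 20 ACH transactions of about $8,000 each to unfamiliar recipients in one day) and the goal stated in step 5 (create new recipients and send funds in a single login session) describe a pattern that a bank's transaction monitoring can check for on the server side, where the Trojan on the customer's workstation cannot interfere. The following Python is an added example, not the bank's or the author's code; the audit-log format, the payee names, the amounts and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    session: str
    kind: str      # "add_payee" or "ach"
    payee: str
    amount: float


def parse(line):
    """Constructed pipe-delimited audit format: timestamp|session|kind|payee|amount."""
    ts, session, kind, payee, amount = line.split("|")
    return Event(datetime.fromisoformat(ts), session, kind, payee, float(amount))


# Payees this account has paid for months (constructed)
KNOWN_PAYEES = {"Payroll Co", "Utility Co"}

# Constructed audit trail for one business account; session s2 follows the
# "create recipients and pay them in one session" pattern described in step 5
AUDIT_LOG = [
    "2010-10-11T09:02:00|s1|ach|Payroll Co|24000",
    "2010-10-11T09:03:10|s1|ach|Utility Co|1850",
    "2010-10-12T03:14:05|s2|add_payee|J. Smith|0",
    "2010-10-12T03:14:20|s2|ach|J. Smith|8120",
    "2010-10-12T03:15:02|s2|add_payee|R. Jones|0",
    "2010-10-12T03:15:15|s2|ach|R. Jones|7980",
    "2010-10-12T03:15:58|s2|add_payee|M. Brown|0",
    "2010-10-12T03:16:11|s2|ach|M. Brown|8400",
    "2010-10-12T03:16:50|s2|add_payee|T. Davis|0",
    "2010-10-12T03:17:03|s2|ach|T. Davis|7750",
    "2010-10-12T03:17:41|s2|add_payee|K. Wilson|0",
    "2010-10-12T03:17:55|s2|ach|K. Wilson|8210",
]


def review_sessions(lines, known_payees, per_tx_limit=10000.0,
                    min_new_payee_transfers=3, near_limit_ratio=0.75):
    """Return {session: finding} for sessions that look like a one-session payout to fresh payees.

    The thresholds are assumptions for the example, not figures from the slides.
    """
    sessions = defaultdict(list)
    for line in lines:
        ev = parse(line)
        sessions[ev.session].append(ev)

    findings = {}
    for sid, events in sessions.items():
        # Payees created in this very session that the account never paid before
        added = {e.payee for e in events if e.kind == "add_payee"} - set(known_payees)
        new_payee_tx = [e for e in events if e.kind == "ach" and e.payee in added]
        reasons = []
        if new_payee_tx:
            reasons.append("payee created and paid in the same login session")
        if len(new_payee_tx) >= min_new_payee_transfers:
            reasons.append(f"{len(new_payee_tx)} transfers to newly created payees")
        # Several amounts sitting just under the per-transaction review limit
        near_limit = [e for e in new_payee_tx
                      if near_limit_ratio * per_tx_limit <= e.amount < per_tx_limit]
        if len(near_limit) >= min_new_payee_transfers:
            reasons.append("amounts clustered just under the per-transaction review limit")
        if reasons:
            findings[sid] = {
                "total_to_new_payees": sum(e.amount for e in new_payee_tx),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for sid, finding in review_sessions(AUDIT_LOG, KNOWN_PAYEES).items():
        print(sid, finding)
```

A session that trips these rules is a candidate for a hold and a confirmation through a channel other than the customer's workstation, because, as the man-in-the-browser slides describe, anything shown in that browser may be under the Trojan's control.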
Evolution of Malware – The Red Queen
• Red Queen Hypothesis – coevolution of parasite and host
• From “Through the Looking Glass”
– The Red Queen tells Alice “Now, here, you see, it takes all the
running you can do to keep in the same place”
• Passwords → Keyloggers
• Challenge questions → delete cookies
• Registration cookies → steal cookies
• Email passwords → Access email
• One Time Passwords → MITB…

38
Man in the Browser attack
• Trojan horse/rootkit specifically for the browser.
• Same idea – shows you on the screen what you
think you should see, but in the background is
doing something evil.

39
Man in the Browser attack
• Zeus Trojan recent variants –
– You login to your online business banking
– You set up and send a transaction
– You type in a One Time Password from a security token,
etc.
– The Trojan immediately and automatically modifies your
transaction in the background to send the funds to the
attacker's mule.
– The Trojan shows you on your screen that your
transaction was successful.

40
Stage 4: Use…Version 2.0
• Scarier Use: Advanced Persistent Threats
• Espionage, not financial data
• Aim is long term under-the-radar occupation of
corporations and government entities.
• Targeted, custom malware less likely to be
detected.
• Well funded and well organized.

41
APT example – China hacks Google
• January 2010
• “Aurora” malware used a zero-day bug in Microsoft IE
• Stole intellectual property from Google
• Accessed Gmail accounts of Chinese human rights
activists
• Related intrusion into big energy companies, stole oil
reserve data
• Dozens of other companies targeted too.

42
Another APT example - Stuxnet
• Four main exploit channels:
– Two Windows zero-days
– USB
• Targeted payload designed for a specific industrial
control system …running specific custom software
• Encryption and polymorphism
• Dead-man's switch – 3 generations or June 24,
2012

43
Built for espionage
• Attributes indicate it was built by a well funded
and knowledgeable group (a government).
• Many believe the target was Iran’s nuclear
facilities.
• Stuxnet infection rate seems to agree…

44
Stopping Malware at step 1 - exploit
• Patch systems to “fix” the bugs
– Operating system
– Browser
– Third party apps, especially Adobe and Java
• Don’t download malware
– AV and browser plug-ins to block hostile sites
– Avoid file sharing and less-than-reputable download
sites

45
Stopping Malware at step 1 - exploit
• Don’t use guessable passwords
• Use email with an antivirus/antispam filter
• Use a firewall (or cable router or software
firewall) to block hostile traffic to listening ports
• Use portable media with caution, and scan
before use

46
Stopping malware – Antivirus
• Antivirus can’t detect all malware
• Must be up-to-date.
• Utilizes signatures (patterns) that match parts of
known malware
– Polymorphism – patterns change
– New variants or custom built viruses won’t have
signatures
– Rootkits can give “false” information to the Antivirus
software

47
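To make the signature limits above concrete, here is an added Python example (not code from the slides or from any antivirus product) of a toy scanner with the two signature types engines rely on: an exact hash of a known sample and a byte pattern with a wildcard that covers a family. The samples, the `ZPK1` wrapper and the signature names are all constructed; zlib stands in for a packer so that every byte of the packed body differs from the original, which is what polymorphic or packed variants do to a byte-pattern database.

```python
import hashlib
import re
import zlib

# Constructed stand-ins for files on disk: plain byte strings, not real malware.
# The zero-filled "header" keeps the packed sample compressible so the packer
# really rewrites every byte instead of storing the body verbatim.
HEADER = b"MZ\x90\x00" + b"\x00" * 64
KNOWN_BOT = HEADER + b"EVILBOT/1.0 connect cnc.example.invalid 6667 ddos.synflood"
VARIANT = HEADER + b"EVILBOT/1.1 connect cnc2.example.invalid 6667 ddos.synflood"
CLEAN = HEADER + b"Hello from a legitimate utility"

# Constructed "packer": a 4-byte tag followed by the zlib-compressed body (an assumption
# for the example; real packers compress or encrypt the body behind a small stub)
PACKED_VARIANT = b"ZPK1" + zlib.compress(VARIANT, 9)

# Signature database as an engine would ship it: exact hashes of known samples,
# plus byte patterns with wildcards that cover a whole family
HASH_SIGS = {hashlib.sha256(KNOWN_BOT).hexdigest(): "EvilBot.A"}
PATTERN_SIGS = {re.compile(rb"EVILBOT/1\.\d connect \S+ 6667"): "EvilBot.gen"}


def unpack(data):
    """Undo the constructed ZPK1 wrapper; a real engine knows many packers and emulates the rest."""
    if data.startswith(b"ZPK1"):
        try:
            return zlib.decompress(data[4:])
        except zlib.error:
            return data          # corrupt or unknown layout: scan the raw bytes instead
    return data


def scan(data, unpack_first=True):
    """Return the name of the matching signature, or None if nothing in the database matches."""
    if unpack_first:
        data = unpack(data)
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGS:
        return HASH_SIGS[digest]
    for pattern, name in PATTERN_SIGS.items():
        if pattern.search(data):
            return name
    return None


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_BOT), ("variant", VARIANT),
                          ("packed variant", PACKED_VARIANT), ("clean", CLEAN)]:
        print(f"{label:15} raw={scan(sample, unpack_first=False)!s:12} unpacked={scan(sample)}")
```

The hash signature only ever matches the one file it was taken from; the pattern also catches the minor variant, but the packed variant matches nothing until the scanner knows this particular wrapper. A new packer, a new family, or a rootkit that hands the scanner a clean copy of the file leaves the same database blind, which is the point the slide makes about polymorphism, new variants and rootkits.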
Malware command and control
• Some is easy to detect – IRC, P2P protocols
• More sophisticated C&C could be more difficult –
can really disguise itself as any network protocol
• Residential router/firewalls do not generally block
C&C traffic
• Many corporate firewalls do not either
• Default deny on outbound traffic can help stop it
• Myriad of gateway appliances

48
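Two of the observations above, that IRC C&C is easy to spot and that more sophisticated C&C hides in ordinary protocols, can both be turned into checks over outbound firewall logs: flag connections to IRC ports, and flag flows whose connections recur on a near-fixed schedule regardless of port, since a bot has to check in for commands. The following Python is an added example, not the author's or any vendor's code; the log format, the addresses and the thresholds (`min_conns`, `max_cv`) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log lines (syslog-like; not a real firewall's format).
# Sources are RFC 1918 space, destinations are RFC 5737 documentation ranges.
LOG_LINES = [
    "2010-10-11T10:00:00 OUT src=10.0.0.5 dst=203.0.113.20 proto=tcp dport=6667",
    "2010-10-11T10:00:00 OUT src=10.0.0.7 dst=198.51.100.8 proto=tcp dport=443",
    "2010-10-11T10:00:00 OUT src=10.0.0.9 dst=198.51.100.30 proto=tcp dport=443",
    "2010-10-11T10:00:37 OUT src=10.0.0.9 dst=198.51.100.30 proto=tcp dport=443",
    "2010-10-11T10:05:00 OUT src=10.0.0.7 dst=198.51.100.8 proto=tcp dport=443",
    "2010-10-11T10:10:01 OUT src=10.0.0.7 dst=198.51.100.8 proto=tcp dport=443",
    "2010-10-11T10:12:05 OUT src=10.0.0.9 dst=198.51.100.30 proto=tcp dport=443",
    "2010-10-11T10:12:06 OUT src=10.0.0.9 dst=198.51.100.30 proto=tcp dport=443",
    "2010-10-11T10:15:00 OUT src=10.0.0.7 dst=198.51.100.8 proto=tcp dport=443",
    "2010-10-11T10:19:59 OUT src=10.0.0.7 dst=198.51.100.8 proto=tcp dport=443",
    "2010-10-11T10:25:00 OUT src=10.0.0.7 dst=198.51.100.8 proto=tcp dport=443",
    "2010-10-11T10:40:00 OUT src=10.0.0.9 dst=198.51.100.30 proto=tcp dport=443",
    "2010-10-11T10:41:12 OUT src=10.0.0.9 dst=198.51.100.30 proto=tcp dport=443",
    "this line is deliberately malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)$"
)


def parse(line):
    """Return (timestamp, src, dst, dport) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def analyze(lines, irc_ports=frozenset({6667, 6697}), min_conns=5, max_cv=0.1):
    """Return (src, dst, dport, reason) tuples for flows worth a closer look.

    Thresholds are assumptions for the example: a flow needs at least `min_conns`
    connections, and its inter-arrival times must have a coefficient of variation
    (standard deviation / mean) at or below `max_cv` to count as a periodic beacon.
    """
    flows = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue          # malformed line: skip it rather than abort the whole pass
        ts, src, dst, dport = parsed
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in sorted(flows.items()):
        if dport in irc_ports:
            findings.append((src, dst, dport, "outbound connection to an IRC port"))
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((src, dst, dport, f"periodic beacon, about every {round(avg)}s"))
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(*finding)
```

In the constructed log, host 10.0.0.5 is caught by the port rule alone, host 10.0.0.7 talks HTTPS like everyone else but checks in every five minutes almost to the second, and host 10.0.0.9 browses the same kind of server at irregular times and is left alone. Jitter added by a bot raises the coefficient of variation, so `max_cv` is a trade-off against false positives from legitimate pollers such as update clients.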
