Shadowserver Foundation - Viruses

Modern Computer Viruses

Author
Aim
Four Installments
- Response

Author - Chas Tomlin

IT Security Specialist in School of Electronics and Computer Science
Member of Shadowserver
Maintain a db of currently ~15,000 unique viruses and their associated network traffic.

Top

Aim

Take a look at current viruses/malware and how they propagate
See what features modern viruses come with
See what impact an infected machine might have on your network
Learn to detect and prevent viruses

Top

Four Installments

Infection
Payload
Impact
Response

Focus on Windows viruses

Top

Response

Prevention
Analysis
Detection
Reporting
Prosecute
Phishing

Top

Prevention

Anti Virus software
Patching
Least privilege

Top

Sandboxing - Analysis

Run a virus on a disposable system to observe its network behaviour.
Can be a virtual environment such as VMware, qemu, xen etc.
Malware may detect virtualisation
Highly monitored

Method One

API-hooking based technique to monitor the binary during runtime. Rootkit.
Norman sandbox
CWSandbox

Method Two

Logging network traffic, file system changes, registry changes.

Top

API Hooking output

<WINSOCK_SECTION>
  <CONNECTIONS_UNKNOWN>
    <CONNECTION ProbableWebProtocolType="Unknown" ConnectionEstablished="0" Socket="0">
      <ACTION>Winsock initialized (WSAStartup)</ACTION> 
      <ACTION>GetHostByName for host "real80.act10l.com.ar" => 72.20.13.88</ACTION> 
    </CONNECTION>
  </CONNECTIONS_UNKNOWN>
  <CONNECTIONS_UDP /> 
  <CONNECTIONS_LISTENING /> 
  <CONNECTIONS_INCOMING /> 
<CONNECTIONS_OUTGOING>
  <CONNECTION TransportProtocol="TCP" RemoteAddr="72.20.13.88" RemotePort="80" 
              ProbableWebProtocolType="IRC" ConnectionEstablished="1" Socket="700">
    <USERNAME>[1]DEU|3479169</USERNAME> 
    <PASSWORD><real80.connectpass></PASSWORD> 
    <NICK>[1]DEU|3479169</NICK> 
    <ACTION>Joined channel ##http-scan##,##http-down1##,##http-down2## argrulex3</ACTION> 
    <ACTION>Joined channel ##http-scan##,##http-down1##,##http-down2## argrulex3</ACTION> 
    <ACTION>Joined channel ##http-scan##,##http-down1##,##http-down2## argrulex3</ACTION> 
  </CONNECTION>
 </CONNECTIONS_OUTGOING>
 <CONNECTIONS_OUTGOING_BLOCKED /> 
</WINSOCK_SECTION>

Top

Detection

Intrusion Detection
Extrusion Detection
Intrusion Prevention
Darknet monitoring
Sensible firewalling

Top

IDS - Detection

Top

Extrusion Detection

Deals with detecting Intrusions by monitoring outbound traffic.
Useful when firewalls have been circumvented (internal infection).
Easily implemented on standard IDS.
Detect malicious outbound IRC traffic using snort;

This rule merely looks for IRC traffic on any TCP port (by detecting NICK change events, which occur at the beginning of the session) and sets the is_proto_irc flowbit. It does not actually generate any alerts itself.

alert tcp any any -> any any (msg:"IRC TRAFFIC DETECTED BY NICK CHANGE"; 
  flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; 
  flowbits: set,is_proto_irc; flowbits: noalert; sid:9000075; rev:1;)

Top

Darknet - Detection

A Darknet is a portion of unused IP space
No services exist in a Darknet
Packets that enter are logged
Can be IPv4 or IPv6
Darknets can be used to detect;
- Scan traffic
- Infected hosts, worm traffic

Top

Reporting

Found a malicious web site? Report it!!!
Use whois to find abuse contact
Some ISPs are very responsive

Top

Prosecute

What are law enforcement doing? Not enough.
Not enough resources/skills
Not enough support from prosecution
Some are prosecuted though

Top

Phishing

Fake web sites made to look like the real thing to steal your passwords
Usually hosted on hacked servers
Spam sent to lure the victim to the site.

Very large proportion of phish sites are hosted on hacked Unix/Linux servers

Experts believe that 50-75% of phishing attacks are due to one group of phishers. Rock phishers
Banks are currently not tackling the problem as the cost of solutions far out weighs the cost of the problem.
Two-factor authentication

Even two-factor authentication can be susceptible to phish/man-in-the-middle attacks

Top

<< | Viruses | >>

Normal View ? Attach:Site/PageHeader/softflow.gif Δ Home Edit History Recent Changes
HomePage Shadowserver Mission Terms of Service Standards and Guidelines Organizations Calendar Future Goals Job Opportunities Press Security Organizations News Articles Blogs and Forums Misc Presentations Chronological Operations Status Knowledge Base Botnets Botnet Detection Honeypots eFraud Malware Whitepapers Links Get Involved Get Reports on your Network Blacklists and Blocking Mailing List Submit a Botnet Build a Honeypot Hall of Fame Services Info Binary Whitelist Test IP/ASN/Geo Mapping MD5/SHA1 AV Results Statistics ASN Bots Bot Counts Drone Maps Drone Historical Conficker Botnets Botnet Charts Botnet Maps Botnet Maps Historical DDoS DDoS Charts DDoS Maps DDoS Historical Geo Locations IRC Ports Malware Sandbox Charts Sandbox Graphs Packer Statistics Scans Scan Charts Scan Maps Scan Maps Historical URLs Viruses Virus Daily Stats Virus Weekly Stats Virus Monthly Stats Virus 60-Day Stats Virus 90-Day Stats Virus Six-Month Stats Virus Yearly Stats Contact Us Site Statistics edit SideBar	Response Modern Computer Viruses Author Aim Four Installments Response Prevention Sandboxing - Analysis API Hooking output Detection IDS - Detection Extrusion Detection Darknet Detection Reporting Prosecute Phishing Author - Chas Tomlin IT Security Specialist in School of Electronics and Computer Science Member of Shadowserver Maintain a db of currently ~15,000 unique viruses and their associated network traffic. Top Aim Take a look at current viruses/malware and how they propagate See what features modern viruses come with See what impact an infected machine might have on your network Learn to detect and prevent viruses Top Four Installments Infection Payload Impact Response Focus on Windows viruses Top Response Prevention Analysis Detection Reporting Prosecute Phishing Top Prevention Anti Virus software Patching Least privilege Top Sandboxing - Analysis Run a virus on a disposable system to observe its network behaviour. Can be a virtual environment such as VMware, qemu, xen etc. Malware may detect virtualisation Highly monitored Method One API-hooking based technique to monitor the binary during runtime. Rootkit. Norman sandbox CWSandbox Method Two Logging network traffic, file system changes, registry changes. Top API Hooking output <WINSOCK_SECTION> <CONNECTIONS_UNKNOWN> <CONNECTION ProbableWebProtocolType="Unknown" ConnectionEstablished="0" Socket="0"> <ACTION>Winsock initialized (WSAStartup)</ACTION> <ACTION>GetHostByName for host "real80.act10l.com.ar" => 72.20.13.88</ACTION> </CONNECTION> </CONNECTIONS_UNKNOWN> <CONNECTIONS_UDP /> <CONNECTIONS_LISTENING /> <CONNECTIONS_INCOMING /> <CONNECTIONS_OUTGOING> <CONNECTION TransportProtocol="TCP" RemoteAddr="72.20.13.88" RemotePort="80" ProbableWebProtocolType="IRC" ConnectionEstablished="1" Socket="700"> <USERNAME>[1]DEU\|3479169</USERNAME> <PASSWORD><real80.connectpass></PASSWORD> <NICK>[1]DEU\|3479169</NICK> <ACTION>Joined channel ##http-scan##,##http-down1##,##http-down2## argrulex3</ACTION> <ACTION>Joined channel ##http-scan##,##http-down1##,##http-down2## argrulex3</ACTION> <ACTION>Joined channel ##http-scan##,##http-down1##,##http-down2## argrulex3</ACTION> </CONNECTION> </CONNECTIONS_OUTGOING> <CONNECTIONS_OUTGOING_BLOCKED /> </WINSOCK_SECTION> Top Detection Intrusion Detection Extrusion Detection Intrusion Prevention Darknet monitoring Sensible firewalling Top IDS - Detection Top Extrusion Detection Deals with detecting Intrusions by monitoring outbound traffic. Useful when firewalls have been circumvented (internal infection). Easily implemented on standard IDS. Detect malicious outbound IRC traffic using snort; This rule merely looks for IRC traffic on any TCP port (by detecting NICK change events, which occur at the beginning of the session) and sets the is_proto_irc flowbit. It does not actually generate any alerts itself. alert tcp any any -> any any (msg:"IRC TRAFFIC DETECTED BY NICK CHANGE"; flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; flowbits: set,is_proto_irc; flowbits: noalert; sid:9000075; rev:1;) Top Darknet - Detection A Darknet is a portion of unused IP space No services exist in a Darknet Packets that enter are logged Can be IPv4 or IPv6 Darknets can be used to detect; Scan traffic Infected hosts, worm traffic Top Reporting Found a malicious web site? Report it!!! Use whois to find abuse contact Some ISPs are very responsive Top Prosecute What are law enforcement doing? Not enough. Not enough resources/skills Not enough support from prosecution Some are prosecuted though Top Phishing Fake web sites made to look like the real thing to steal your passwords Usually hosted on hacked servers Spam sent to lure the victim to the site. Very large proportion of phish sites are hosted on hacked Unix/Linux servers Experts believe that 50-75% of phishing attacks are due to one group of phishers. Rock phishers Banks are currently not tackling the problem as the cost of solutions far out weighs the cost of the problem. Two-factor authentication Even two-factor authentication can be susceptible to phish/man-in-the-middle attacks Top << \| Viruses \| >> Edit Page History Source Attach File Backlinks List Group Page last modified on December 31, 2005, at 04:32 AM	Bot Counts Botnets Calendar/Blog October 2009 November 2009 14 \| 16 · December 2009 09 … 29 · January 2010 February 2010 24 · March 2010 06 · April 2010 May 2010 09 · June 2010 05 · July 2010 02 … 15 · August 2010 September 2010 October 2010 November 2010 December 2010 Link List Arbor Networks ASERT AV Comparatives Emerging Threats Mwcollect Nepenthes Offensive Computing SANS ISC Securtyfix SecuriTeam Sunbelt/CWSandbox Support Intelligence TaoSecurity ThreatSTOP Websense Zeus Tracker