
IT Security - 2 Exercise 2 (Botnets, Mobile Malware)

Tanmaya Mahapatra, Matriculation Number: 340959, tanmaya.mahapatra@rwth-aachen.de
Bharath Rangaraj, Matriculation Number: 340909, bharath.rangaraj@rwth-aachen.de

October 24, 2013

Task - 1 : Botnets and the Underground Economy

Question 1 Give some examples of how cyber criminals gain money from operating botnets.

Solution: Cyber criminals generally use botnets for mounting different types of attacks, such as spamming, phishing, stealing information and click fraud, and gain money by selling the stolen user data, like:
- Bank account information
- Credit card information
- Personal identity
- Email addresses stored on a user's system
They also gain money by:
- Installing additional malware (owned by some other people) on the compromised systems
- Click fraud
- Drive-by downloads
- Spamming

Question 2 What kind of goods are mainly traded in the underground economy?

Solution: Generally the data stolen from a compromised system is traded, like:
- Bank account & credit card information
- Identity information
- Personal information & contact lists
- Account information for Internet services

Question 3 Consider a malware without botnet capabilities - how can a cyber criminal gain money in this case?

Solution: Botnets can be used to perform a wide range of malicious tasks because they are remotely controlled, i.e. they receive their payload regularly from the C&C. But a malware without botnet capability is generally designed to perform a fixed scenario of malicious activity. It can be a virus, Trojan or worm; the only difference is that the payload is fixed. There are lots of ways to make profit from such malware:
1. Some Trojans in China are designed to steal passwords from players of popular online games. Virtual currencies and other virtual goods associated with online games can be sold for real money.
2. Also, some adware creates annoying pop-up windows, where sometimes the pop-up speed is even faster than the user can click to close them; advertisers will pay for that service because of the traffic it generates.
3. Such malware can steal data and identity information and can also mount various other attacks, like using the system to mount further attacks in the network.
Profit made from malware in general is depicted in Figure 1. The figure is quite self-explanatory. The figure is taken from the Trendmicro Blog (footnote 1).

Question 4 What is a dropzone?

Solution: Cyber-criminals operate botnets to steal users' information, which includes financial as well as identity information. They succeed in getting their bots installed on users' systems using different methods like social engineering, making use of software vulnerabilities, PDF exploits etc. Once bots have been installed, they contact the C&C and operate as per the commands received. Their main intention is to steal. The place where these bots pile up all the stolen data and information is known as a dropzone.
1. The average size of a drop-zone is about 14GB.
2. The criminals like to be sure that the information their botnet has gathered is safe, so they use several servers in different locations configured to receive and store the stolen information.

Figure 1: Profits from Malware (figure image not reproduced on this page)

Task - 2 : Defeating Botnets

Question 1 What do researchers often do to gather in-depth information about a botnet and/or to take it down?

Solution: The researchers try to collect the botnet samples using honeypots, analyse them deeply using a sandbox, and once they determine the signature they send it to anti-virus vendors. The most important information which they try to collect in order to take down a botnet is:
- Captured network traffic
- API calls made
- Monitored registry changes
- Monitored file system access and modification

Question 2 How may sandboxing applications help to mitigate botnets?

Solution: Running botnets within a sandbox is a kind of dynamic analysis. It helps to mitigate botnets in the following ways:
- From the sandbox output one can extract the C&C information
- It keeps track of all API calls made
- It captures all network traffic
- It logs registry and file system accesses
Running applications from untrusted or unknown sources in a sandbox protects the system from malicious logic of all kinds. Moreover it gives us a better controlling option: we can know what exactly is being done by the running programs if they are run in a sandbox. Sandboxing applications also prevents two applications from interfering with each other. On analysis of the above information a researcher obtains some of the most crucial information to analyze and tear down a botnet (if present).

But sandboxing does not guarantee complete security. For example, consider the case of Linux security issues on the grounds of GUI isolation. The design and architecture of the age-old X server is bad, and one GUI application can access another application's data even if sandboxed by SELinux. One application can sniff or inject keystrokes into another one, or take snapshots of the screen occupied by windows belonging to another one. This is due to bad design at the architecture level. In my opinion sandboxing applications is a way to mitigate botnets but it is not a fool-proof method.

Question 3 What was initially done to disrupt the Conficker botnet?
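The four observable classes listed above (network traffic, API calls, registry changes, file-system writes) are exactly what an analyst mines from a sandbox run. The following is an added example, not part of the original writeup: it triages a constructed sandbox event log (the line format and every value in it are assumptions) into C&C candidates, persistence entries and dropped files, i.e. the material that would be turned into a signature for anti-virus vendors.

```python
import re
from collections import Counter

# Constructed sample of sandbox event lines (not real malware output).
# Assumed format: "<event_type> <details>", one event per line.
SAMPLE_EVENTS = """\
api CreateFileW C:\\Users\\bob\\AppData\\Roaming\\svc.exe
file write C:\\Users\\bob\\AppData\\Roaming\\svc.exe
registry set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc=C:\\Users\\bob\\AppData\\Roaming\\svc.exe
api InternetOpenUrlA http://update-check.example/gate.php
network dns update-check.example
network connect 198.51.100.23:8080
network connect 198.51.100.23:8080
api GetSystemTime
file read C:\\Windows\\System32\\kernel32.dll
"""

# Registry locations that make a binary start again after reboot.
AUTORUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def triage(events: str) -> dict:
    """Split sandbox events into the four classes the exercise names."""
    report = {"c2_candidates": set(), "api_calls": [],
              "persistence": [], "dropped_files": set()}
    for line in events.splitlines():
        if not line.strip():
            continue
        kind, _, detail = line.partition(" ")
        if kind == "network":
            sub, _, target = detail.partition(" ")
            if sub in ("dns", "connect"):      # hostnames and IP:port reached
                report["c2_candidates"].add(target)
        elif kind == "api":
            report["api_calls"].append(detail.split(" ", 1)[0])
            m = re.search(r"https?://([^/\s]+)", detail)  # URL passed to WinINet
            if m:
                report["c2_candidates"].add(m.group(1))
        elif kind == "registry" and detail.startswith("set "):
            if any(k in detail for k in AUTORUN_KEYS):
                report["persistence"].append(detail[4:])
        elif kind == "file" and detail.startswith("write "):
            report["dropped_files"].add(detail[6:])
    return report


def indicators(report: dict) -> list:
    """Flat indicator list (network first, then files) to hand to AV vendors."""
    return sorted(report["c2_candidates"]) + sorted(report["dropped_files"])
```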

Solution:
- Microsoft announced the formation of an industry group to collaboratively counter Conficker (the Conficker Cabal).
- ICANN sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus' domain generator.
- Microsoft released a removal guide for the virus, and recommends using the current release of its Windows Malicious Software Removal Tool.
- Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely.
- The peer-to-peer command protocol used by variants D and E of the virus has since been partially reverse-engineered, allowing researchers to imitate the virus network's command packets and positively identify infected computers en masse.
- The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media.
The Conficker malware writers made use of domain names rather than IP addresses to make their attack networks resilient against detection and take-down. The initial counter measures, sinkholing or preemptive registration of the domains used to identify Conficker's command and control (C&C) hosts, prevented the malware writers from communicating with Conficker-infected systems.
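The reason ICANN had to involve every affected TLD registry is that the domain generator spread its rendezvous domains across many TLDs. The following is an added example, not part of the original writeup, that generalizes that property into a resolver-side detection heuristic: it flags clients whose failed lookups in a short window are spread across several TLDs, while a host merely failing many lookups under one zone is left alone. The log format, thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed DNS resolver log (not real Conficker traffic). Assumed format:
# "<epoch_seconds> <client_ip> <queried_domain> <rcode>".
DNS_LOG = """\
1382601600 10.0.0.5 qwzkd.com NXDOMAIN
1382601601 10.0.0.5 plmxa.net NXDOMAIN
1382601602 10.0.0.5 hjkto.org NXDOMAIN
1382601603 10.0.0.5 vbnre.info NXDOMAIN
1382601604 10.0.0.5 ytrqw.biz NXDOMAIN
1382601605 10.0.0.5 asdfk.cc NOERROR
1382601610 10.0.0.9 www.example.com NOERROR
1382601611 10.0.0.9 mail.example.com NOERROR
1382601612 10.0.0.9 typo.exmaple.com NXDOMAIN
1382601700 10.0.0.17 a.example.org NXDOMAIN
1382601701 10.0.0.17 b.example.org NXDOMAIN
1382601702 10.0.0.17 c.example.org NXDOMAIN
1382601703 10.0.0.17 d.example.org NXDOMAIN
1382601704 10.0.0.17 e.example.org NXDOMAIN
"""


def tld(domain: str) -> str:
    """Last label of the name, e.g. 'org' for 'a.example.org'."""
    return domain.rsplit(".", 1)[-1].lower()


def dga_suspects(log: str, window: int = 60, min_fail: int = 5, min_tlds: int = 3) -> dict:
    """Return {client: (distinct failed domains, distinct TLDs)} for clients
    whose NXDOMAIN answers within any `window` seconds cover at least
    `min_fail` distinct domains spread over at least `min_tlds` TLDs."""
    fails = defaultdict(list)  # client -> [(timestamp, domain)]
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, domain, rcode = line.split()
        if rcode == "NXDOMAIN":
            fails[client].append((int(ts), domain))
    suspects = {}
    for client, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):       # slide a window over failures
            span = {d for t, d in events[i:] if t - t0 <= window}
            tlds = {tld(d) for d in span}
            if len(span) >= min_fail and len(tlds) >= min_tlds:
                suspects[client] = (len(span), len(tlds))
                break
    return suspects
```

Hosts reported by this heuristic are candidates for sinkhole correlation and cleanup, not a verdict on their own; legitimate software that probes many zones will need an allow-list.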

Task - 3 : Stuxnet

Question 1 Name at least 3 characteristics that indicate that Stuxnet was developed by a nation state actor.

Solution:
- Stuxnet involved a high financial investment which cannot be afforded by any normal organization.
- The attack was not on any individual; the attack was targeted at a nation.
- Stuxnet was designed to target only a particular system, and it checks several conditions before attacking it.
- It used stolen signatures of two Taiwanese companies and exploits 4 vulnerabilities, of which only one was known and the remaining three were zero-day threats, which no normal organization could afford.

Task - 4 : Mobile Malware

Question 1 Name at least 3 reasons why Android is today's main target for mobile malware.


Solution: Attackers focus on Android because it has the largest customer base; it holds 68% of the total market share. Android allows third-party applications to be installed via a user-enabled setting. The availability of various versions of the Android software, customized by the various Android smartphone manufacturers, delays the roll-out of software updates, leaving devices exposed to malware for a long time before the flaw can be fixed by an update.

Question 2 When statically analyzing Android malware, what is the main difference to analyzing desktop malware?

Solution: The main difference between static analysis of desktop applications and of mobile applications is that, when reverse engineering techniques are applied to mobile applications, it is difficult to find which context of the application is valid at a certain point in time.

References
1. Conficker Summary and Review by Dave Piscitello, ICANN Senior Security Technologist

