Crimeware and Malware Based Business Systems

Uploaded May 28, 2016 | Author: Brinthapan Parathan

Crimeware & Malware Based Business Systems

Swinburne University of Technology
Faculty of Science, Engineering and Technology
Assignment and Project Cover Sheet

Unit Code: COS80013
Unit Title: Internet Security
Assignment number and title: Research Assignment
Due date: 31 October 2014, 17:30
Lab/tute group: Wed 7.30PM
Family name: Parathan
Other names: Brinthapan
Identity no: 1711482
Tutor: Gin Tan
Lecturer: James Hamlyn-Harris

Individual assignment declaration: I declare that this assignment is my individual work. I have not worked collaboratively nor have I copied from any other student's work or from any other source except where due acknowledgment is made explicitly in the text, nor has any part been written for me by another person.


Crimeware & Malware Based Business Systems – A Look into Future Internet Security
COS80013 Research Assignment

Author: Parathan Brinthapan (ID: 1711482)
Submission date/time: 30 October 2014, 9.00PM
Due date: 31 October 2014, 5.30PM
Expected grade: Distinction
Expression of interest: Will present in the lab


Introduction

Crimeware is a collective name for malware that shares one objective: to commit an action outside the legal boundary, usually for financial gain. Malware is unwanted software that performs malicious actions on the computer it is installed on. This report looks into the impact, usage and anatomy of malware used as crimeware. Several surveys and statistics have been consulted to compose it. Finally, the report highlights some detection and prevention systems and the algorithms behind them. This report does not survey existing business systems that detect and prevent crimeware. Instead, it puts forward ideas on how future systems should be designed and asks whether technology alone has the answer to the problem. Malware is discussed in depth; however, malware that does not fall under crimeware is outside the scope of this report.

Crimeware and Malware

Panda Security (2011) defines crimeware as "the programs and social engineering designed to fraudulently obtain financial gain from either the affected user or third parties". The U.S. Department of Homeland Security Science and Technology Directorate (2006) states that crimeware is "software which conducts illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software". Crimeware is therefore the class of cybercrime tooling whose aim is financial benefit to the owner or creator of the malicious software, and malware is the usual vehicle for the illegal access it requires. In real-world incidents the access does not stop at financial gain; it extends to sensitive data whose loss could cripple even large governments (Kshetri, 2013).

Impact of Crimeware and Malware

Anyone can be a victim of crimeware: organisations, personal users and governments alike. Research on crimeware has grown as this type of cybercrime has increased worldwide. According to APWG (2010), 18 million computers were scanned between April and June 2010, and more than 50% of them were infected with malware; more than 17% of that malware was aimed at banks, stealing passwords and banking-related information.


The following statistics on crimeware come from various sources:

- According to the Federal Deposit Insurance Corporation, American companies lost $120 million during the third quarter of 2009 (McMillan, 2010).
- According to the Internet Crime Complaint Center (2009), more than half a billion dollars in losses from cybercrime were reported by victims in the USA during 2009.
- Mashevsky (2010) lists the financial institutions most targeted during the first quarter of 2010:

  Financial institution        % of total attacks
  Bradesco group               6.65%
  Bank of America              2.36%
  Citibank                     3.74%
  ABN AMRO Banking group       2.28%
  Other                        14.51%

- According to APWG (2013), an average of 31% of computers worldwide were infected by malware. Further, according to McAfee (2013), Germany was the most infected country, with more than 200 infections recorded during 2013.
- According to Cisco (2014), the shares of total malware encounters by malware type were 27%, 23%, 22%, 17%, 6% and 5% (chart: malware types by percentage of total encounters).

Usage of Crimeware

Crimeware is used primarily to gather information, especially information with financial value. Panda Security (2011) lists the following purposes for which an attacker may use crimeware:

- Information compromise: information is either modified (system-reconfiguration crimeware) or stolen for various purposes.
- Denial of service attacks: compromised machines are used to launch denial-of-service attacks, for example ICMP floods and SYN floods, which take the legitimate server offline. Famous victims of such attacks include Yahoo and eBay.
- Spam transmission: an email relay is installed on the compromised machine by the crimeware and commanded to send spam messages on behalf of spammers.
- Data ransoming: ransomware renders the compromised data unusable, causing significant loss to the owner of the data. Ransomware uses encryption to make the data inaccessible and withholds the decryption key until a ransom is paid.
- Click fraud: this attack targets pay-per-click revenue generation. Pay per click is an advertising model that lets a website administrator place third-party advertisements and earn money per click. Crimeware simulates a legitimate user clicking the advertisements, and the attacker pockets the revenue.
- Information consolidation: crimeware collects data about a particular individual in order to perform identity theft. Identity theft can result in losses of millions of dollars or, in extreme cases, loss of life.

Anatomy of Crimeware

Today almost all financial institutions have gone online to gain competitive advantage and to promise 24/7 availability of their services. The information available online is therefore massive and of high financial value. Attackers have invested in technology because the financial return is high compared with the investment, and the number of crimeware types has increased dramatically over time. Each kind of crimeware is designed differently, but all of them share a common sequence of steps to attack a target. Drawing on Trend Micro (2013) and APWG (2006), the following illustration shows the anatomy of a crimeware attack.


Figure: Anatomy of a Crimeware (KZ-CERT, 2014)

Crimeware Information Compromise Points

Crimeware compromises information at some stage of the attack, and different types of crimeware compromise it at different stages. The table below gives the infection point and the data compromise point for a few well-known crimeware types.

Crimeware type            Infection point     Data compromise point
Data theft                Execution stage     Storage
Key loggers               Infection stage     Data entry (I/O device)
Email/IM attachments      Infection stage     Attacker (network)
Session hijacker          Infection stage     Attacker (network)
Web Trojans               Infection stage     Data entry (I/O device)
Transaction generators    Infection stage     N/A

Checkpoints and Countermeasures of Crimeware

According to APWG (2006), the choke points of each crimeware type should be identified and countermeasures applied at them. The recommended choke points are the infection point and the data compromise point.


According to Stallings and Brown (2012), the following countermeasures can be applied in practice against crimeware:

1. The first choke point is the crimeware distribution point: ideally crimeware is stopped there rather than detected after the victim is already affected. Complete prevention is not achievable, however, so NIST (SP 800-83) suggests four key elements of prevention:
   - Policy: having an appropriate IT security policy is the first step of prevention.
   - Awareness: users must be educated about the IT security policy so that they know and follow it.
   - Vulnerability mitigation: closing the weaknesses (unpatched software, weak configurations) through which malware gains entry.
   - Threat mitigation: the tooling that detects and handles malware that has got past the other three elements.
2. When prevention fails, threat mitigation proceeds in three steps:
   - Detection: identifying that malware is present and locating it in the infected system. Detection tools include firewalls and intrusion detection systems (IDS), host-based antivirus, host-based scanners, generic decryption technology and many more.
   - Identification: once the malware is located, determining what kind of malware (which type or family) has infected the system.
   - Removal: erasing all traces of the malware using techniques specific to that malware.

In some cases malware is detected but cannot be identified or removed, for example in a zero-day attack. The infected files are then isolated and a clean backup version is reloaded onto the system. The following section explains the requirements for effective malware countermeasures.

Requirements for effective malware countermeasures:

- Generality: the approach should handle a wide range of attacks.
- Timeliness: the approach should act quickly enough to stop the malware spreading to other files or systems, which limits the consequences of the attack.
- Resiliency: the approach should identify malware despite the evasion techniques the attacker has built into it. Evasion techniques are used to hide the presence of malware in the system.
- Minimal denial-of-service costs: the approach should not disrupt the normal functioning of the system, or should disrupt it as little as possible.
- Transparency: the countermeasure technique, tool or software should not require modifying system components such as the operating system, hardware or application software.
- Global and local coverage: the approach should cope with internal attacks as well as external attacks.

Detection Techniques & Prevention Systems

Detection Techniques

Idika & Mathur (2007) survey three detection techniques: anomaly-based detection, specification-based detection and signature-based detection. Each can be applied statically (examining the program without running it), dynamically (observing it as it runs) or as a hybrid of the two. In anomaly-based detection the detector first learns what normal behaviour of the system or program looks like and then flags any deviation from that baseline, alerting the prevention system; its weakness is that legitimate but previously unseen behaviour also raises alerts. Signature-based detection instead relies on a repository of known-malicious patterns, maintained by analysts who have identified the malware; it is precise but blind to anything not yet in the repository. Specification-based detection is a derivative of anomaly detection in which, instead of a learned baseline, a written specification of the program's permitted behaviour decides what counts as a violation.

Zhang, Jha & Raghunathan (2014) argue that current malware detection systems are not efficient enough to combat malware, mainly because of the complexity of the software being protected. Instead they propose a defence framework that is active from the day a piece of software is approved for use by a moderator. The moderator generates a behavioural model of the software and distributes it to users of the software and to anti-malware companies. However, the proposers themselves are unsure whether this is practical, as the behavioural models could be reverse-engineered to create an exact copy of the software.

Some researchers suggest a data-mining system to learn and detect malware (Thuraisingham, Al-Khatib, Khan, Masud, Hamlen, Khadilkar & Abrol, 2012). They present the model and implementation of a data-mining system known as SNODMAL (Stream-based Novel Class Detection for Malware) for malware diagnosis. SNODMAL extends a data-mining system called SNOD (Stream-based Novel Class Detection) to the detection of malware.


They also propose the design of SNODMAL++, a more extensive model than SNODMAL, but agree that this is only the first step towards a future detection model.
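The three techniques described above, run side by side over constructed sandbox traces, as an added example (this is not code from the paper, from Idika & Mathur or from any product): the program names, action traces, byte signature and the 0.5 threshold are all invented for the illustration. It shows the trade-off the text describes: the signature scanner misses a repacked variant of a known trojan, the anomaly detector catches both variants but also flags a harmless backup tool whose read/write rhythm is absent from the baseline, and the specification check passes the backup tool while catching the trojan, at the cost of needing a per-application specification.

```python
"""Signature-, anomaly- and specification-based detection (Idika & Mathur, 2007)
run side by side over constructed sandbox traces. Added illustration: every
program name, trace, byte string and threshold below is invented for the
example and is not taken from the paper or from any real product."""

from typing import Dict, List, Optional, Set, Tuple

Trace = List[str]
Bigram = Tuple[str, str]

# Constructed benign behaviour traces: the actions a program issued when run
# in a sandbox. A real baseline would come from many dynamic-analysis runs.
BENIGN_TRACES: Dict[str, Trace] = {
    "pdf_viewer":  ["open_file", "read_file", "read_file", "draw", "draw", "read_file"],
    "text_editor": ["open_file", "read_file", "draw", "write_file", "close_file"],
    "browser":     ["dns_lookup", "connect", "recv", "draw", "recv", "write_file"],
}

# Constructed samples under test. "bytes" stands in for the file image a static
# signature scanner reads; "trace" for what dynamic analysis observed.
_TROJAN_TRACE = ["open_file", "write_registry_run", "connect", "send", "keylog", "keylog", "send"]
SAMPLES: Dict[str, Dict] = {
    "known_trojan": {
        "bytes": b"MZ\x90\x00 ... inject_into_browser ...",
        "trace": _TROJAN_TRACE,
    },
    # Same behaviour, but the string the signature keys on has been XOR-encoded
    # by a packer, so the byte signature no longer matches.
    "repacked_variant": {
        "bytes": b"MZ\x90\x00 ... " + bytes(b ^ 0x5A for b in b"inject_into_browser") + b" ...",
        "trace": _TROJAN_TRACE,
    },
    # Legitimate backup utility whose read/write rhythm never appeared in the baseline.
    "backup_tool": {
        "bytes": b"MZ\x90\x00 ... copy_tree ...",
        "trace": ["read_file", "write_file"] * 3,
    },
}

# Signature database: one byte pattern per known family (constructed).
SIGNATURES: Dict[str, bytes] = {"BankerTrojan.A": b"inject_into_browser"}

# Specification for the "document tool" class: the only actions such a program
# is permitted to perform (constructed). The trojan masquerades as a PDF reader.
DOC_TOOL_SPEC: Set[str] = {"open_file", "read_file", "write_file", "close_file", "draw"}


def signature_detect(image: bytes) -> Optional[str]:
    """Signature-based: report the first known pattern found in the file image."""
    for family, pattern in SIGNATURES.items():
        if pattern in image:
            return family
    return None


def bigrams(trace: Trace) -> List[Bigram]:
    """Consecutive action pairs, the unit of 'behaviour' used by the anomaly detector."""
    return list(zip(trace, trace[1:]))


def build_baseline(traces: Dict[str, Trace]) -> Set[Bigram]:
    """Anomaly-based: 'normal' is the set of action pairs observed in benign runs."""
    baseline: Set[Bigram] = set()
    for trace in traces.values():
        baseline.update(bigrams(trace))
    return baseline


def anomaly_score(trace: Trace, baseline: Set[Bigram]) -> float:
    """Fraction of the sample's action pairs that never occurred in the baseline."""
    pairs = bigrams(trace)
    if not pairs:
        return 0.0
    novel = sum(1 for pair in pairs if pair not in baseline)
    return novel / len(pairs)


def anomaly_detect(trace: Trace, baseline: Set[Bigram], threshold: float = 0.5) -> bool:
    """Flag the sample when more than `threshold` of its behaviour is unseen."""
    return anomaly_score(trace, baseline) > threshold


def specification_violations(trace: Trace, allowed: Set[str]) -> List[str]:
    """Specification-based: every action outside the declared spec is a violation."""
    return sorted({action for action in trace if action not in allowed})


def run_all() -> Dict[str, Dict[str, object]]:
    """Run all three detectors over every sample and collect the verdicts."""
    baseline = build_baseline(BENIGN_TRACES)
    report: Dict[str, Dict[str, object]] = {}
    for name, sample in SAMPLES.items():
        report[name] = {
            "signature": signature_detect(sample["bytes"]),
            "anomaly": anomaly_detect(sample["trace"], baseline),
            "spec_violations": specification_violations(sample["trace"], DOC_TOOL_SPEC),
        }
    return report


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(f"{name:17s} signature={verdicts['signature']!s:15s} "
              f"anomaly={verdicts['anomaly']!s:6s} spec_violations={verdicts['spec_violations']}")
```

The bigram baseline is deliberately simple; production anomaly detectors use richer features and a learned threshold, but the failure mode is the same: the backup tool scores 1.0 because its alternating read/write pattern never appeared in the three benign runs, so widening the baseline (or lowering sensitivity) trades false positives for misses.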

Prevention Systems

Malware prevention can be approached in two ways. The first is easy to implement but hard to enforce: creating policies for users. Such a policy should outline the impact of crimeware and the action to be taken against employees who introduce it into the organisation's network. However, employees can always argue that the malware reached their system accidentally, there are privacy issues in monitoring employee activity, and disgruntled employees will undermine any policy-based system. The second way is a technology-based solution. Technology is more dependable than humans, but it lacks the human ability to learn and adapt itself.

EINSTEIN is a US government project to build a real-time malware detection and removal system. Bellovin, Bradner, Diffie, Landau and Rexford (2011) argue that even a system this sophisticated cannot provide 100% protection, and list four reasons: scale (in terms of denial of service), the ability to correlate events, device management and signature management.

Piggin (2014) highlights the importance of protecting industrial systems with a stronger malware prevention system. He argues that industries such as nuclear, power and gas plants need a proactive, multi-tier protection system, because failure of crimeware protection there would endanger the lives of staff, the environment and the economy.

Another type of prevention framework combines complementary solutions (Jian, Venkatasubramanian, West & Insup, 2013). This requires an in-depth study covering the economics of each malware, benchmark platforms, securing code mashups, social-engineering tricks and epidemiology for building topologies.

Hyung-Kyu & Seung-Jung (2014) believe that protecting the whole Internet begins with protecting personal networks more effectively, and therefore propose an internal network protection system against crimeware: a real-time activity tracker alongside a network filter, used to track and destroy crimeware. They claim that, if their model is implemented properly, data loss due to malware in internal networks will be reduced to zero.

McHugh & Deek (2005) propose an incentive-based system to reduce malware attacks, combining human factors and technology. The model considers the hacker's motivation for creating malware and suggests providing an environment other than the Internet where hackers can practise and satisfy that urge; the authors assert that hackers who write malware for personal satisfaction would then not go beyond this environment. They also suggest offering incentives for the best malware, and note that malware written in this environment could be used to learn about malware written for illegal gain. Their conclusion is that technology and humans must come together to prevent crimeware.

Critical Analysis

Authors, researchers, software vendors and hardware vendors are still unsure whether to rely on humans or on technology to control crimeware. Most publications suggest that coordination between humans and technology is the ideal solution, while acknowledging that not all humans will take the good side and that what is learned from the good should be used against the bad. Many call for a fail-free system, but none explains how to build one. Multi-tier systems are one answer, yet in future there could be malware able to penetrate every available barrier. Self-immune systems are the best choice for prevention, but the time and cost of producing them will delay their arrival.

Today's malware- and crimeware-based business systems cannot provide a 100% dependable solution; even governments such as the US are struggling to reach 100% success rates. The nature of malware makes it very hard to create a system that can handle every piece of malware in the world. The number of people writing malware is greater than the number fighting it. In some countries the laws are weak, so crimeware writers easily escape, and some countries even encourage their citizens to write malware against other countries.

Malware today behaves like a rapidly evolving virus. Santos (2010) elaborates on the self-protection techniques in malware that make it hard to detect and destroy, lengthening the time between infection and defence. Malware uses stealth, evasion and obfuscation techniques to hide itself. Passive methods include code obfuscation, entry-point obfuscation, encryption and compression. Active methods include anti-emulation, anti-disassembly, retro-viruses (malware that attacks the security software itself) and anti-debugging. Therefore even an up-to-date anti-malware product is not guaranteed to protect a system, since modern malware can block the action of that software.
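A toy packer and emulator, added here to make the last paragraph concrete (illustrative code, not from the paper or from Santos (2010)): it shows how a passive method (encrypting the payload behind a decryptor stub) defeats a static signature, how the "generic decryption" approach listed under Detection above (run the decryptor in an emulator, then scan the decrypted memory) recovers the match whatever key the packer chose, and how an active anti-emulation method, a stub that burns the emulator's instruction budget before it decrypts, defeats the emulator in turn. The STUB container format, the opcodes, the payload string, the signature and the instruction budget are all invented for this example.

```python
"""Packed malware vs. static signatures vs. generic decryption (emulate the
decryptor, then scan). Added illustration: the STUB container format, the
opcodes, the payload, the signature and the emulation budget are invented
for this example and do not correspond to any real malware or scanner."""

from typing import List, Optional, Tuple

# Constructed "malicious" payload and the byte signature a scanner holds for it.
PAYLOAD = b"connect gate.example.invalid; keylog; send; sleep"
SIGNATURE = b"keylog; send"

# Toy decryptor-stub opcodes (invented). Each acts on the whole body buffer.
OP_XOR = 0x01   # body[i] ^= arg
OP_ADD = 0x02   # body[i] = (body[i] + arg) & 0xFF
OP_SPIN = 0x03  # busy loop of arg*1000 iterations; changes nothing (anti-emulation)
MAGIC = b"STUB"
Op = Tuple[int, int]


def pack(payload: bytes, ops: List[Op]) -> bytes:
    """Build a packed image: MAGIC, op count, (opcode, arg) pairs, encrypted body.
    Executing `ops` in order must recover `payload`, so the packer applies the
    inverse of each op in reverse order."""
    body = bytearray(payload)
    for opcode, arg in reversed(ops):
        if opcode == OP_XOR:
            body = bytearray(b ^ arg for b in body)          # XOR is its own inverse
        elif opcode == OP_ADD:
            body = bytearray((b - arg) & 0xFF for b in body)  # inverse of add is subtract
        elif opcode == OP_SPIN:
            pass                                              # no effect on the body
        else:
            raise ValueError(f"unknown opcode {opcode:#x}")
    stub = bytearray(MAGIC) + bytes([len(ops)])
    for opcode, arg in ops:
        stub += bytes([opcode, arg])
    return bytes(stub) + bytes(body)


def static_scan(image: bytes) -> bool:
    """Plain signature scan of the file image as it sits on disk."""
    return SIGNATURE in image


def generic_decryption_scan(image: bytes, budget: int = 50_000) -> Optional[bool]:
    """Generic decryption: emulate the stub instruction by instruction and scan
    the body after each one. Returns True (signature surfaced), False (stub ran
    to completion with no match) or None (emulation budget exhausted, verdict
    unknown, which is exactly what an anti-emulation stub aims for)."""
    if not image.startswith(MAGIC):
        return static_scan(image)                    # not packed: scan directly
    count = image[len(MAGIC)]
    pos = len(MAGIC) + 1
    ops: List[Op] = []
    for _ in range(count):
        ops.append((image[pos], image[pos + 1]))
        pos += 2
    body = bytearray(image[pos:])
    steps = 0
    for opcode, arg in ops:
        if opcode == OP_XOR:
            body = bytearray(b ^ arg for b in body)
            steps += len(body)
        elif opcode == OP_ADD:
            body = bytearray((b + arg) & 0xFF for b in body)
            steps += len(body)
        elif opcode == OP_SPIN:
            steps += arg * 1000                      # burns emulator time only
        if steps > budget:
            return None                              # gave up before the body decrypted
        if SIGNATURE in body:
            return True
    return False


if __name__ == "__main__":
    layered = pack(PAYLOAD, [(OP_XOR, 0x5A), (OP_ADD, 0x13)])   # two encryption layers
    variant = pack(PAYLOAD, [(OP_XOR, 0x77)])                   # same payload, new key
    evasive = pack(PAYLOAD, [(OP_SPIN, 200), (OP_XOR, 0x5A)])   # anti-emulation first
    for name, image in [("layered", layered), ("variant", variant), ("evasive", evasive)]:
        print(f"{name:8s} static={static_scan(image)!s:6s} "
              f"generic_decryption={generic_decryption_scan(image)}")
```

A None verdict is the practitioner's cue: an emulator that gives up should not report "clean". Raising the budget defeats short spin loops but costs scan time on every file, which is the arms race the paper alludes to; the usual way out is to treat budget exhaustion as suspicious and hand the sample to a full sandbox, i.e. move from static to dynamic analysis.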

Conclusion

This research report discussed crimeware anatomy, crimeware propagation techniques, crimeware usage, choke points and countermeasures for crimeware. Crimeware was identified as the class of malware designed specifically to steal financial information or cause financial loss, and crimeware attacks are increasing all over the world. Crimeware can be used to compromise information, as ransomware, for spam transmission and for information consolidation. The anatomy of a crimeware attack has seven steps, each carefully designed and implemented by the attacker to serve a purpose. Crimeware can propagate through security vulnerabilities or social-engineering techniques, and many recent cases involve victims of social engineering. Countermeasures can be applied at each corresponding choke point, in the form of detection, identification and removal. Various techniques and tools are used to prevent and detect crimeware attacks: anti-virus software acts as the first line of defence, and organisations add firewalls and intrusion detection and prevention systems. Large organisations can afford to implement a digital immune system, an approach first introduced and developed by IBM in the late 1990s. It can therefore be concluded that every individual who connects a computer or device to the network should be aware of crimeware at least to the extent of being able to deploy the first line of defence. However, preventing crimeware cannot be done in isolation: governments, private organisations and individuals must act in collaboration to stop crimeware and malware from propagating.


References

APWG 2006. Phishing Activity Trends Report.
APWG 2010. Phishing Activity Trends Report.
APWG 2013. Phishing Activity Trends Report.
BELLOVIN, S. M., BRADNER, S. O., DIFFIE, W., LANDAU, S. & REXFORD, J. 2011. Privacy and Security As Simple As Possible - But Not More So. Communications of the ACM, 54, 30-33.
CISCO 2014. Annual Security Report. California: Cisco Systems, Inc.
HYUNG-KYU, C. & SEUNG-JUNG, S. 2014. Design of Safe Internal Network with the Use of Active Tracking System. International Journal of Security & Its Applications, 8, 291-299.
IDIKA, N. & MATHUR, A. P. 2007. A Survey of Malware Detection Techniques. Indiana: Purdue University.
INTERNET CRIME COMPLAINT CENTER 2009. Internet Crime Report. Washington: Department of Justice.
JIAN, C., VENKATASUBRAMANIAN, K. K., WEST, A. G. & INSUP, L. E. E. 2013. Analyzing and Defending Against Web-Based Malware. ACM Computing Surveys, 45, Article 49.
KSHETRI, N. 2013. Cybercrime and cyber-security issues associated with China: some economic and institutional considerations. Electronic Commerce Research, 13, 41-69.
KZ-CERT 2014. Cybercrime Schemes [Online]. Republic of Kazakhstan. Available: http://kzcert.kz/en/presscenter/publication/?doc=60 [Accessed 10th October 2014].
MASHEVSKY, Y. 2010. Crimeware: A new round of confrontation begins... [Online]. Secure List. Available: http://securelist.com/analysis/publications/36298/crimeware-a-new-round-of-confrontation-begins/ [Accessed 12th October 2014].
MCAFEE LABS 2013. 2013 Threats Prediction. California.
MCHUGH, J. A. & DEEK, F. P. 2005. An Incentive System for Reducing Malware Attacks. Communications of the ACM, 48, 94-99.
MCMILLAN, R. 2010. FDIC: Hackers took more than $120M in three months [Online]. Computer World. Available: http://www.computerworld.com/article/2520400/government-it/fdic--hackers-took-more-than--120m-in-three-months.html [Accessed 2nd October 2014].
PANDA SECURITY 2011. Crimeware: the silent epidemic [Online]. Available: http://www.pandasecurity.com/homeusers/security-info/types-malware/crimeware/ [Accessed 1st October 2014].
PIGGIN, R. 2014. Industrial systems: cyber-security's new battlefront. Engineering & Technology, 9, 70-74.
SANTOS, T. 2010. Self-Protection Techniques in Malware. Porto.
STALLINGS, W. & BROWN, L. 2012. Computer Security: Principles and Practice. Pearson.
THURAISINGHAM, B., AL-KHATIB, T., KHAN, L., MASUD, M., HAMLEN, K., KHADILKAR, V. & ABROL, S. 2012. Design and Implementation of a Data Mining System for Malware Detection. Journal of Integrated Design & Process Science, 16, 33-49.
TREND LABS 2013. Targeted Attack Trends. The International Telecommunication Union.
US DEPARTMENT OF HOMELAND SECURITY 2006. The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond.
ZHANG, M., JHA, N. & RAGHUNATHAN, A. 2014. A defense framework against malware and vulnerability exploits. International Journal of Information Security, 13, 439-452.
