June 2011








BITS Malware Risk and Mitigation Report

Table of Contents

1. Executive Summary

2. Malware Evolution

2.1 Malware Categories

2.2 Malware Example

2.3 Polymorphic Malware

3. Malware Supply and Demand

3.1 The Malware Industry

3.2 Malware Supply Chain

3.3 Beyond Crime

4. Malware in Financial Services

4.1 Malware Infection Vectors

4.1.1 Installed/Injected by Remote Attacker

4.1.2 Email

4.1.3 Web/Internet Auto-Infection

4.1.4 Web/Internet User-Initiated

4.1.5 Installed by Other Malware

4.1.6 Network Propagation

4.1.7 Portable Media and Devices

4.1.8 Coded into FI Software

4.1.9 Social Media

4.2 Internal Targets

5. Securing the Ecosystem

5.1 Situational Awareness

5.2 Risk Management

5.3 Cross-Industry Anti-Malware Roles and Responsibilities

6. Conclusion

7. Appendices

A. Terms and Definitions

B. Acronyms

C. Contributors

D. Citations

© BITS/The Financial Services Roundtable 2011. All Rights Reserved.

1. Executive Summary

Malware is an abbreviation of the words malicious and software. The term refers to software that is deployed with malicious intent. Malware is easy to deploy remotely, and tracking the source of malware is hard. This combination has enabled commercial malware providers to supply sophisticated black markets for both malware and the information that it collects. Demand for sophisticated malware is created primarily by organized crime syndicates and state-sponsored espionage agents. The financial services industry is a primary target for malware-enabled cyber attacks because financial institutions (FIs) operate software that tracks ownership of monetary assets. Cybercriminals also directly target FI customers and business partners using malware-enabled attacks. This paper is intended to assist financial institutions by promoting awareness and understanding of the risks and the mitigation activities associated with the use of malware in the financial industry.

This report is composed of six (6) sections and four (4) appendices, beginning with this executive


- Section 2 provides a brief historical overview of malware. It demonstrates that malware has evolved side-by-side with software technology and that this co-evolution may be expected to continue. It provides examples of how malware is deployed in critical infrastructure.

- Section 3 describes the criminal organizational structure that supports malware creation and distribution. It highlights negative consequences for the financial industry that result from the existence of this criminal infrastructure, which includes its expanded use for the purposes of nation-state espionage and sabotage.

- Section 4 lists cyber attack methods that are known to have utilized malware to damage financial services.

- Section 5 describes ways in which the financial sector, in collaboration with technology and business partners, may thwart malware-enabled cyber attacks.

2. Malware Evolution

Software-enabled crime is not a new concept [1]. Computer-enabled fraud and service theft evolved in parallel with the information technology that enabled them. Since the advent of mainframe-based automated bank account systems, FIs have been victims of malware-based cyber attacks: criminals altered software to transfer other people’s money to accounts they controlled, then emptied those accounts anonymously. As computers came to be shared over networks, these services experienced service theft, wherein criminals altered system software to hide their reconnaissance activity, enabling theft of both valuable services and valuable information [2].

This co-evolution of technology services and cybercrime may have created some confusion in the general population, for whom attacks on technology do not seem to be as significant as attacks on physical assets. Those not familiar with the emerging technology itself find it difficult to understand the implications of software compromise. General confusion over cybercrime objectives is exacerbated by the element of opportunism in some types of cybercrime, wherein attackers do not select specific victims, but simply let rogue software loose to find its own targets. This type of cybercrime appears to some segments of the public as bad luck for the victim rather than as a direct result of adversarial intent.

Nevertheless, even opportunistic cybercriminals select their targets, if only by selecting the operating system platform on which the malware runs. Where the platform is the latest version of an emerging technology, the selected victim class may be assumed to be those financially able to afford that new technology. Another selection made by cybercriminals is the kind of data the malware processes. Where credit card numbers are sought, the target victim class includes all credit card holders and associated institutions. Where bank account numbers are sought, all financial firms are targets. The attraction of cybercrime lies in its high return on investment, low-to-no-risk operating environments, and the proliferation of vulnerable computing resources. The ubiquitous connectedness provided by the Internet has allowed multiple elements of the criminal community to operate in tandem, using malware, to pursue profit-driven crime as well as other malicious activities.

To the casual observer, headlines about cyber attacks may seem unrelated. Attacks are scattered across geography and technology. They involve different companies and nationalities. As recently as five years ago, security standards publications identified malware and phishing attacks as separate threats [3]. Today, however, security analysts agree that various types of malware are used in conjunction with one another [4]. Cooperation and collaboration among cybercriminals have created crime patterns that evolve in concert with emerging technology, and all users of emerging technology are potential victims.

There is also evidence that cybercriminals operate in geopolitically-identifiable groups. As one analyst put it, “the phrase ‘campaign’ is more appropriate than ‘adversary’ [5].” Malware is typically used to steal information that can be readily monetized, such as login credentials, credit card and bank account numbers, and intellectual property such as computer software, financial algorithms, and trade secrets. Although many cybercriminal groups are trafficking in commodities shared by multiple industry sectors, such as credit card numbers, there are some situations wherein a single company is obviously the target of a single adversary, whether it be an organized crime syndicate, nation-state, or a single operative. For example, the work of a single nation-state adversary was evident to Google upon analysis of its 2009 cyber attack [6]. The extent to which any given attack lands on one set of companies or customers rather than another depends on a variety of factors. These factors are explained in Section 4 of this report.

Just as information technology software tools and techniques have become more proficient, more effective, and more economical over time, malware crime patterns have become more finely tuned.


Malware creation and distribution channels are described in detail in Section 3. The remainder of this section describes in general how malware works and how it accomplishes crime.

2.1 Malware Categories

Malware may take as many forms as software. It may be deployed on desktops, servers, mobile phones, printers, and programmable electronic circuits. Sophisticated attacks have confirmed that data can be stolen by well-written malware that resides only in system memory and leaves no footprint in the form of persistent data on disk. Malware has been known to disable information security protection mechanisms such as desktop firewalls and anti-virus programs. Some even have the ability to subvert authentication, authorization, and audit functions. Malware has configured initialization files to maintain persistence even after an infected system is rebooted. Upon execution, sophisticated malware may self-replicate and/or lie dormant until summoned via its command features to extract data or erase files.

A single piece of malware is generally described by four attributes of its operation [7]:

- Propagation: the mechanism that enables malware to be distributed to multiple systems.

- Infection: the installation routine used by the malware, as well as its ability to remain installed despite disinfection attempts.

- Self-Defense: the methods used to conceal its presence and resist analysis; these techniques may also be called anti-reversing capabilities.

- Capabilities: the software functionality available to the malware operator.

Table 1 lists some examples of malware in the context of this taxonomy. It is not meant to be complete, but to provide an appreciation for the variety of software types and capabilities that fall into the general category of malware.

[Table 1 (examples of malware by propagation, infection, self-defense and capabilities) is not reproduced in this extraction.]

Note that Table 1 refers only to single pieces of software and that there is no hierarchy in malware classification. However, as alluded to in the description of a bot, a typical cybercrime requires multiple different types of software acting in coordination in order to achieve the full crime capability. For example, a criminal may use email spamming software (a form of flaw exploit) to trick a user into downloading a keylogger from an infected website. The criminal then has to host a site to which the keylogger delivers the stolen credentials, presumably uses software to read and analyze those credentials, and may then use vulnerability scanning software to see which of the websites identified by the credentials run flawed software. The criminal may then use the user name and password to execute flaw exploits against the website. The steps a criminal must follow in order to accomplish a typical cybercrime are outlined in Figure 1 [5]. The activities included in each step are:


- Reconnaissance: the criminal surveys the target to identify points of vulnerability; an attack-planning phase.

- Assembly: the criminal creates, customizes, or otherwise obtains malware to satisfy the attack requirements.

- Delivery: malware propagation occurs.

- Compromise: malware infection occurs.

- Command: malware capabilities are unleashed.

Although there are a wide variety of words and phrases that the media uses to refer to malware, they all have their roots in the execution paths illustrated in Table 1 and Figure 1. The specialized terminology tends to refer to the type of crime perpetrated using the software rather than the technical description of the attack. For example:

[The examples of crime-oriented malware terminology are not reproduced in this extraction.]



2.2 Malware Example

As described earlier in this section, malware usage is enabled by emerging technology, and evolves with it.

For example, the advent of iFrame technology in web services has enabled a specific brand of malware. The technology allows a web page hosted on server A to embed a URL whose content is fetched from server B. The user accessing server A does not see the call to server B, because server B’s content appears within the page rendered by server A. There are a variety of legitimate reasons why a legitimate website may want to display content from multiple servers simultaneously. There may be complex specialized algorithms required to display numerical data generated in real time, work beyond the CPU capacity of a single web server. There may be business relationships that require the display of partner logos or advertisements served from business partner servers. For whatever reason, the legitimate iFrame feature exists.

The iFrame feature by itself does not enable malware. Criminals take advantage of the feature by exploiting web server vulnerabilities and inserting their own servers in place of, or in addition to, a legitimately placed server B (for a full explanation of this vulnerability, see [8]). Figure 2 illustrates how the server is modified to set up a subsequent attack on a user of that web server. There are also vulnerabilities in the browsers with which users visit sites that contain iFrames. The combination of server and browser vulnerabilities enables malware criminals to use iFrames for malware propagation and infection. The iFrame-enabled web server, the code it links to on the malware host site, and the code that is downloaded to the user when the user’s browser loads the iFrame are different pieces of malware. They are used in combination to infect the user. Only after the infection takes place for the last of these pieces, the malware on the end-user target, is it fully enabled with the self-defense and functional capabilities required to harvest data.
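The injected frame described above is, by design, invisible to the visitor: it typically points at a host the site owner never chose, is sized to zero pixels, or is hidden with CSS. The following audit script is an added illustration and is not code from the report or from reference [8]; the sample page, the hostnames (partner.example.net, exploit.example.invalid) and the allowlist are constructed for the example. It parses a page with the standard library and flags every iFrame that a site owner would want to look at, which is the server-side check that complements the browser-side protections the text mentions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (bare or in px), the usual
    size of an injected frame that must not be noticed by the site visitor."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects every <iframe> whose source is not on the allowlist of partner
    hosts, or that is styled so the visitor cannot see it."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # html.parser lowercases tag names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []

        parsed = urlparse(src)
        if parsed.scheme in ("javascript", "data"):
            reasons.append("script or data URL as source")
        elif parsed.hostname is not None and parsed.hostname.lower() not in self.trusted:
            # absolute URL to a host the site owner did not approve
            reasons.append(f"untrusted host: {parsed.hostname}")
        # a relative src (hostname None) is same-origin content and passes

        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size frame")

        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if re.search(r"(?:left|top):-\d{3,}px", style):
            reasons.append("positioned off-screen")

        if reasons:
            self.findings.append((src, reasons))


def audit_iframes(html, trusted_hosts):
    """Return [(src, [reasons]), ...] for the suspicious iframes in one document."""
    p = IframeAuditor(trusted_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one legitimate partner frame (server B) and one
# frame injected by an attacker after compromising the web server.
SAMPLE_PAGE = """
<html><body>
<h1>Account summary</h1>
<iframe src="https://partner.example.net/rates" width="300" height="120"></iframe>
<iframe src="http://exploit.example.invalid/in.cgi?3" width="0" height="0"
        style="display:none; visibility:hidden"></iframe>
</body></html>
"""

TRUSTED = ["partner.example.net"]  # the hosts this site legitimately embeds

if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_PAGE, TRUSTED):
        print(src, "->", "; ".join(reasons))
```

Run it against the files on the web server, not only against a fetched page: injected iFrames are often written by a script at render time or served only to certain browsers (as identified by the User-Agent header), so a single crawl from one client can miss them, and the allowlist needs to be reviewed whenever a new partner server is legitimately added.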

[Figure not reproduced in this extraction.]

As described, successful crime execution using malware is a multi-step process. Figure 3 illustrates these steps using the iFrame attack as an example.

The actual malware installed by a propagation and infection process, such as that illustrated in Figure 3, will vary. An archetypal example is Zeus [9]. On an infected system, Zeus’ self-defense mechanisms include evading system-monitoring tools by modifying (hooking) system Application Programming Interfaces (APIs). The same hooks let it hide Zeus’ configuration files on disk and inspect incoming and outgoing network traffic. Zeus also disables the Windows firewall. Post-infection, Zeus capabilities include, but are not limited to:

- exporting private key certificates

- exporting protected storage passwords

- monitoring for file transfer and email passwords (FTP and POP3)

- logging keystrokes

- taking screenshots

- HTML injection

- form grabbing for transaction authentication numbers (TANs)

- automatic transaction hijacking (ATH)

- transfer of encrypted stolen credentials to malware operators in near real time (using Jabber)

- routing connections through the infected machine

- attacking other systems on the local network

2.3 Polymorphic Malware

Remediation of modern malware is becoming increasingly difficult due to several factors.

Significantly more varieties of malware found in the wild exploit zero-day vulnerabilities. “Zero-day” modifies the word vulnerability to mean that the vulnerability is not yet known to potential victims, so victims have had no days to prepare for it. Malware has also been designed with polymorphic capabilities. Polymorphic malware changes certain characteristics of itself on each instance or infection. The change can take the form of a non-functional code change, so the program behaves identically while its bytes differ. This technique circumvents signature-based detection mechanisms because these typically derive a signature from the bytes of the file, for example by hashing it, so any change to the file changes its signature. Polymorphic malware can also change its own filename on each infection, which further hinders detection by traditional means.
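To make the failure mode concrete, here is an added example that is not from the report: a toy packer that produces a fresh instance of the same program on every "infection" by XOR-encoding a payload with a new key and padding it with random junk, beside the two kinds of signature a defender can compute. The payload bytes, the header layout (magic, key, junk length) and the function names are constructed for the illustration. It goes one step beyond the paragraph by showing the counter-measure: hash what executes after unpacking rather than what is stored on disk.

```python
import hashlib
import random

# Constructed stand-in for the functional body of a malware sample.
# Real malware would be machine code; for the demonstration plain bytes suffice.
PAYLOAD = b"[functional body: hook browser, grab forms, send to C2]"

STUB_MAGIC = b"PM"  # marker the (fixed) decoder stub looks for


def file_signature(blob):
    """Classic AV signature: cryptographic hash of the file as stored on disk."""
    return hashlib.sha256(blob).hexdigest()


def polymorph(payload, seed):
    """Emit a new instance of the same program.

    Each instance XOR-encodes the payload with a fresh one-byte key and pads
    it with a random amount of junk, so the bytes on disk differ while the
    decoded body, and hence the behaviour, is identical. `seed` only makes
    the example reproducible; a real engine would draw fresh randomness.
    """
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    body = bytes(b ^ key for b in payload)
    # on-disk layout: magic | key | junk length | junk | encoded body
    return STUB_MAGIC + bytes([key, len(junk)]) + junk + body


def unpack(instance):
    """What the decoder stub does at run time: recover the functional body."""
    if instance[:2] != STUB_MAGIC:
        raise ValueError("not a packed instance")
    key, junk_len = instance[2], instance[3]
    return bytes(b ^ key for b in instance[4 + junk_len:])


def behavioural_signature(instance):
    """Signature over what executes (the unpacked body), not over what is stored."""
    return hashlib.sha256(unpack(instance)).hexdigest()


def detect(instance, known_file_hashes, known_body_hashes):
    """Return (caught_by_file_hash, caught_by_unpacked_body_hash)."""
    return (file_signature(instance) in known_file_hashes,
            behavioural_signature(instance) in known_body_hashes)


if __name__ == "__main__":
    first = polymorph(PAYLOAD, seed=1)          # the sample the vendor captured
    file_db = {file_signature(first)}
    body_db = {behavioural_signature(first)}
    for seed in (2, 3):                         # later infections of the same malware
        print("instance", seed, detect(polymorph(PAYLOAD, seed), file_db, body_db))
```

Every later instance misses the file-hash database and hits the unpacked-body database. Note the limit of this toy: its decoder stub and magic bytes are constant, so a signature on the stub itself would still match; real polymorphic engines also mutate the decoder, which is why detection moved to emulation (run the sample until it has unpacked itself, then hash or scan the result) and to behaviour-based rules. Changing the filename per infection, mentioned above, defeats name-based blocklists but not any of the hashes here.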

3. Malware Supply and Demand

The root cause of malware is the black market for stolen information. Data thieves can sell their spoils in a variety of forums [10]. Examples of prices obtained for various types of stolen information are listed in Table 2 [11].

[Table 2 (prices obtained for stolen information) is not reproduced in this extraction.]
