Computer Security 2
Focus on Malware
- (previously) Bad guy installs .exe on the victim computer somehow...
- (a) trojan tricks user into double clicking/running it
- (b) attacker exploits vulnerability in internet-facing software, e.g. Flash player to install malware
- Most malware targets Microsoft Windows at present
- Once the malware runs, it can install "rootkit" malware more permanently, open communications back to bad-guy control center
- 1. Watch you browse, steal passwords, etc. (encryption is no help here: the malware sees what you type before it is encrypted) (aka "keylogger")
- 2. Send email to your contact list with more attacks or spam
- 3. Set up the machine as a "zombie" to be rented out for attacks or spam or whatever
- "Botnet": a group of machines with malware on them, allowing a "bot herder" to control them
- How to obtain the zombies?
- Bot herder sends out a million emails pointing to a site that attacks a Flash vulnerability, installing rootkit malware onto vulnerable machines
- The bot herder sends out commands for all the zombies to do something
- Botnets can be rented; there's an active botnet market in the bad-guy community (suggested interesting business-school article)
In parallel with other harm, the malware may set up the compromised machine as a "zombie" or "bot". A zombie is a machine, one of thousands, which all together form a "botnet". The owner of the botnet can distribute tasks to be done by all the zombies, like this: "ok everyone, here is a list of 10 million email addresses, start sending spam email to them." Because the number of zombies is large, the botnet can accomplish things that require a lot of machines. Sending spam is a great example. Another great example is doing dictionary-password attacks on random websites, as shown previously.
- "Distributed Denial of Service" DDOS attack
- Attacker coordinates a large number of machines to send many requests to a site all at once
- Overwhelm the site's connection to the internet with so many packets, it becomes effectively unreachable
- When bad guys "take down" a web site in the news, typically this means a DDOS attack done with zombie machines
- Technical fix: many DDOS techniques depend on sending packets with a forged ("spoofed") From: IP address field. The router upstream of the attacking zombie could block such forged packets from leaving its network, which would help blunt DDOS attacks. Nobody is very motivated to do this currently. If I were dictator of the internet, I would require it to reduce this silly pollution. (This is a tragedy of the commons.)
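What that "technical fix" looks like in code, as an added example (not part of the original notes): a model of the upstream router's egress check, which forwards a packet only if its source address belongs to a prefix the local network actually owns. The owned prefixes and the packets are constructed sample values.

```python
"""Source-address egress filter: drop outbound packets whose From: IP is forged.

Added example, not part of the original lecture notes. Models the router at the
edge of one network. A packet may leave only if its source address lies inside
one of the address blocks that network owns; anything else is a spoofed source.
Prefixes and packets below are constructed samples, not real measurements.
"""
import ipaddress

# Address blocks the local network legitimately owns (constructed; these are
# documentation ranges standing in for a real allocation).
OWNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed outbound packets as (source, destination) pairs.
SAMPLE_PACKETS = [
    ("203.0.113.7", "198.51.100.10"),       # genuine local host
    ("203.0.113.250", "198.51.100.10"),     # genuine local host
    ("192.0.2.44", "198.51.100.10"),        # forged: not one of our blocks
    ("10.0.0.5", "198.51.100.10"),          # forged: private address leaking out
    ("2001:db8:1::1", "2001:db8:ffff::1"),  # genuine local IPv6 host
    ("2001:db8:2::1", "2001:db8:ffff::1"),  # forged IPv6 source
]


def is_legitimate_source(src, owned_prefixes=OWNED_PREFIXES):
    """True if src falls inside a prefix this network owns, so it may leave."""
    addr = ipaddress.ip_address(src)
    # Version check keeps v4 addresses from ever matching v6 prefixes and vice versa.
    return any(addr.version == net.version and addr in net for net in owned_prefixes)


def filter_egress(packets, owned_prefixes=OWNED_PREFIXES):
    """Split packets into those forwarded and those dropped as spoofed.

    A steady stream of dropped packets from inside the network is itself a
    signal worth alerting on: it usually means a local machine is a zombie.
    """
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if is_legitimate_source(src, owned_prefixes) else dropped).append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets, dropped {len(drp)} spoofed: {[s for s, _ in drp]}")
```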
The zombies can also be used to "attack" a web site, by all trying to access it at the same time. With some tens of thousands of machines all hitting a site at the same time, it is possible to in effect make the site unavailable to the internet. This is called a "denial of service" (DOS) attack. It's not breaking into the site or stealing passwords or money; instead it's making the proper function of something unavailable.
Obviously the botnet is not paying the owner of the machine. The botnet is stealing the use of the machine from its proper owner. If a machine seems sluggish in regular use, and the networking lights are blinking like mad all the time... the machine may be a zombie. Like a parasite in the real world, the zombie software wants the machine to still mostly work for its owner, otherwise they would be motivated to clean it.
One problem with zombies is that the owners may not be all that motivated to fix them. The millions of compromised Windows machines out there are putting out this pollution that causes problems for us all. If you think a machine is a zombie, you should erase it and fix it. The zombie may be doing who knows what with your passwords and your data; there are too many risks.
In what would make a most interesting Business School case study, there are active markets in botnets. The botnet owners basically rent out their botnets for spamming or whatever use a bad guy wants to pay for that day.
- Traditional computer -- installed application can do anything, general purpose
- Phone model -- applications and what the user can do is more limited and isolated
- Adding limits has some advantages
- In the limited phone environment, each application is "sandboxed", i.e. it can only do some things
- Android: user sees list of specific, limited capabilities at install time
- Apple: there's an Apple review process
- Both Android and Apple have had malware, with Android currently showing more
- Google and Apple can remotely disable software once it's discovered to be malware
- Android advice: Android allows the user to install any software they want. However, I would stick to the official Play store, which has internal anti-malware
- Ultimately: limit applications so the phone is still usable and trustable no matter what the user does, limiting/managing the applications to prevent harm
- I believe this is technically possible, but we're not there yet. The bad guys are clever and relentless!