7CCSMSEN: Security Engineering
Introduction
Lorenzo Cavallaro

http://s2lab.kcl.ac.uk
Systems Security Research Lab – Cybersecurity Research Group
Department of Informatics, King’s College London
Lorenzo Cavallaro (S2 Lab) 7CCSMSEN 1 / 41

“Security Engineering is about building systems to remain dependable in the face of malice, error, or mischance.”
Security Engineering (2nd ed). Ross Anderson

Should we care?
(let me tell you a story…)

The Botnet Threat
A network of compromised devices (bots) controlled by a bot master
Responsible for (non-exhaustive list):
Large-scale network probing (i.e., scanning activities)
Launching Distributed Denial of Service (DDoS) attacks
Sending large-scale unsolicited emails (SPAM)
Click-fraud campaign
Information theft (e.g., PII, financial, IP)
Shift from a for-fun activity towards a profit-oriented business

Torpig
Trojan horse
Distributed via the Mebroot “malware platform”
Injects itself into 29 different applications as a DLL
Steals sensitive information (passwords, HTTP POST data)
HTTP injection for phishing
Uses “encrypted” HTTP as C&C protocol
Uses domain flux to locate C&C server
Mebroot
Spreads via drive-by downloads
Sophisticated rootkit (overwrites master boot record)

The Torpig Botnet
Vulnerable web server