Trends in Network Security Ben Feinstein, CISSP GCFA Director of Research SecureWorks Counter Threat Unit℠ Friday, April 23 rd , 2010 Informática64 Móstoles, Spain
Introduction
Who Am I? Native of Atlanta, Georgia USA 12 years old, dial-up UNIX shell, telnetting around the world Professional software developer as a teenager Bachelor of Science in Computer Science (c. Economics), 2001 Harvey Mudd College, Claremont, California USA Author of RFC 4765 and RFC 4767 Software Engineer at a series of security start-ups, 2001 – 2006 Joined SecureWorks in 2006 Certified Information Systems Security Professional (CISSP) SANS Global Information Assurance Certified Forensics Analyst (GCFA)
Who is SecureWorks? Market leading provider of information security services Managed Security Services Provider (MSSP) Security and Risk Consulting (SRC) Over 2,700 clients worldwide, including more than 10% of Fortune 500 Suite of managed information and network security services Security Information Management (SIM) On Demand Log Monitoring Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS) Threat Intelligence Firewall Host IPS Vulnerability Scanning Web Application Scanning Log Retention Encrypted Email
Agenda
Agenda Computer Networks Vulnerability Trends of 2009 Malware Trends of 2009 Information Disclosure Aurora Other Trends The New .CN Mariposa / ButterflyBot Conclusion Q & A
From Mainframes to Today’s Internet
The Development of Computer Networks Advanced Research Projects Agency (ARPA) Established in 1958 after Soviet launch of Sputnik satellite in 1957 Later renamed the Defense Advanced Research Projects Agency (DARPA) Directly manages a $3.2B budget ARPANET developed by ARPA for US Department of Defense (DoD) Development work began in 1969
Decentralization of Computing Power Mainframes gave way to Personal Computers (PCs) Development of Local Area Networks (LANs) Dial-up Internet Broadband Internet
ARPANET, circa March 1977
Map of Internet Routers (2005), Opte Project http://www.opte.org/
Map of Online Communities, xkcd #256 http://xkcd.com/256/ , Spring 2007
Some (Much) Older Networks to Remember Hawala Pony Express Source: International Monetary Fund
Network Security
The Network as an Attack Surface Concept of Threat Modeling Concept of an Attack Surface Local Attacks vs. Remote Attacks Common Vulnerability Scoring System (CVSS) version 2 Exploitability metrics Access Vector: Local, Adjacent Network, Network Widespread adoption of Firewalls Widespread adoption of the Web Web 2.0
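The slide lists the CVSS v2 exploitability metrics and the three Access Vector values without showing how they move a score. The following is an added example, not from the slides or from SecureWorks: it implements the CVSS v2 base-score equation with the weights published in the CVSS v2 specification and scores the same full-compromise flaw as Local, Adjacent Network and Network. The vector strings are constructed inputs.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights (values from the CVSS v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local, Adjacent Network, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None, Partial, Complete


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> {metric: letter}; rejects incomplete vectors."""
    parts = dict(item.split(":") for item in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(parts) != expected:
        raise ValueError("CVSS v2 base vector needs exactly %s" % sorted(expected))
    return parts


def _round1(x):
    # CVSS rounds to one decimal, half up; Decimal avoids float surprises at .x5.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def exploitability(m):
    """Exploitability subscore: only AV, AC and Au take part."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def impact(m):
    """Impact subscore from the three CIA impact metrics."""
    return 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))


def base_score(vector):
    m = parse_vector(vector)
    imp, expl = impact(m), exploitability(m)
    f_impact = 0 if imp == 0 else 1.176           # no impact at all scores 0
    return _round1((0.6 * imp + 0.4 * expl - 1.5) * f_impact)


def access_vector_comparison(rest="AC:L/Au:N/C:C/I:C/A:C"):
    """Same flaw scored with each Access Vector: only the exploitability term changes,
    and it moves the base score by nearly three points between Local and Network."""
    return {av: base_score("AV:%s/%s" % (av, rest)) for av in ("L", "A", "N")}


if __name__ == "__main__":
    for av, score in access_vector_comparison().items():
        print("AV:%s -> %.1f" % (av, score))
```

The comparison makes the slide's point concrete: a flaw that needs local access scores 7.2, the same flaw reachable from the adjacent network scores 8.3, and reachable from anywhere it scores 10.0. Firewalls and network segmentation work by pushing an exposure from the Network column back toward Local.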
Vulnerability Trends of 2009
2009 Vulnerability Trends Vulnerabilities disclosed for document readers and editors soared. Office documents including spreadsheets and presentations Portable Document Format (PDF) documents – the dubious champ Favorite vector of “Spear Phishers”, including “Operation Aurora” The appearance of new malicious Web links has skyrocketed globally in the past year. Phishing, Malvertisements, Fake-AV, etc. A large number of sophisticated web-attack toolkits are available for sale. CSS (cross-site scripting) and SQLi attacks are primarily used to redirect web surfers to an attack toolkit! Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries that had not previously been in the game. Attackers are shifting their geographical profiles due to various pressures Lots and lots of money to be made
Vulnerability Metrics for 2H 2009
Malware Trends of 2009
2009 Malware Trends Malware authors and operators innovated Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7 Complex and user-friendly banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use Better prepared for takedowns and other countermeasures Lessons learned from the days of the RBN (Russian Business Network) Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services DNS double and triple-flux technologies
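Fast-flux hosting, mentioned in the last bullet, is visible from the resolver side: the A records (single-flux) and then the name-server addresses too (double-flux) rotate through a pool of infected hosts on short TTLs. The following added example, not from the slides or from SecureWorks, scores repeated lookups with a churn heuristic: how many distinct addresses were seen relative to the size of one answer, combined with the shortest TTL observed. The observations, address ranges and thresholds are all constructed for the example; it covers single- and double-flux only, not the triple-flux variant the slide also names.

```python
"""Heuristic fast-flux scoring over repeated DNS lookups (constructed sample data)."""

# Constructed observations: (domain, record_type, ttl_seconds, answers).
# "A" is the address set the name resolved to on one lookup; "NS_A" is the
# address set of its authoritative name servers on the same lookup.
OBSERVATIONS = [
    ("flux.example", "A", 180, ("203.0.113.10", "198.51.100.7", "192.0.2.44")),
    ("flux.example", "A", 180, ("203.0.113.55", "198.51.100.81", "192.0.2.9")),
    ("flux.example", "A", 120, ("203.0.113.200", "198.51.100.3", "192.0.2.130")),
    ("flux.example", "NS_A", 300, ("198.51.100.250", "203.0.113.77")),
    ("flux.example", "NS_A", 300, ("192.0.2.201", "203.0.113.140")),
    ("flux.example", "NS_A", 300, ("198.51.100.19", "192.0.2.66")),
    ("single.example", "A", 300, ("203.0.113.31", "198.51.100.12")),
    ("single.example", "A", 300, ("203.0.113.90", "192.0.2.77")),
    ("single.example", "A", 300, ("198.51.100.160", "192.0.2.15")),
    ("single.example", "NS_A", 86400, ("203.0.113.1", "203.0.113.2")),
    ("single.example", "NS_A", 86400, ("203.0.113.1", "203.0.113.2")),
    ("rr.example", "A", 60, ("203.0.113.20", "203.0.113.21")),      # plain round robin
    ("rr.example", "A", 60, ("203.0.113.21", "203.0.113.20")),
    ("rr.example", "A", 60, ("203.0.113.20", "203.0.113.21")),
    ("rr.example", "NS_A", 86400, ("203.0.113.1", "203.0.113.2")),
    ("static.example", "A", 86400, ("203.0.113.5",)),
    ("static.example", "A", 86400, ("203.0.113.5",)),
    ("static.example", "NS_A", 86400, ("203.0.113.1", "203.0.113.2")),
]

A_TTL_MAX = 600        # flux A records are refreshed every few minutes (assumed threshold)
NS_TTL_MAX = 3600      # assumed threshold for name-server glue
CHURN_MIN = 1.5        # distinct addresses seen / addresses per answer (assumed threshold)


def summarize(observations):
    """Per (domain, record_type): lookups, distinct addresses, shortest TTL, answer sizes."""
    stats = {}
    for domain, rtype, ttl, answers in observations:
        s = stats.setdefault((domain, rtype),
                             {"lookups": 0, "ips": set(), "min_ttl": ttl, "answer_ips": 0})
        s["lookups"] += 1
        s["ips"].update(answers)
        s["answer_ips"] += len(answers)
        s["min_ttl"] = min(s["min_ttl"], ttl)
    return stats


def churn(s):
    """How many answer-sets' worth of distinct addresses were seen. 1.0 means the same
    addresses every time (ordinary round robin); well above 1 means the pool rotates."""
    return len(s["ips"]) / (s["answer_ips"] / s["lookups"])


def _is_flux(s, ttl_max):
    return s is not None and s["min_ttl"] <= ttl_max and churn(s) >= CHURN_MIN


def classify(observations):
    """'double-flux' when both A and NS addresses rotate, 'single-flux' for A only,
    otherwise 'stable'. A low TTL on its own is not enough to flag a domain."""
    stats = summarize(observations)
    verdicts = {}
    for domain in sorted({d for d, _ in stats}):
        a_flux = _is_flux(stats.get((domain, "A")), A_TTL_MAX)
        ns_flux = _is_flux(stats.get((domain, "NS_A")), NS_TTL_MAX)
        verdicts[domain] = ("double-flux" if a_flux and ns_flux
                            else "single-flux" if a_flux else "stable")
    return verdicts


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        print("%-16s %s" % (domain, verdict))
```

The round-robin domain is the important negative case: it has a 60-second TTL but the same two addresses every time, so churn stays at 1.0 and it is not flagged. In production this heuristic needs one more signal the sample cannot carry, namely how many different networks or autonomous systems the addresses belong to, because large CDNs also rotate low-TTL addresses but do so within their own address space.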
2009 Malware Trends Man in the browser/endpoint: a Trojan horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries. The common objective of this attack is financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use. High-dollar commercial online banking (OLB) credentials - compromised Challenge secret questions - compromised IP geo-location - compromised Email out-of-band - compromised Hardware token - compromised Device fingerprinting - compromised Dual approver - compromised SMS out-of-band - compromised
2009 Malware Trends Compromised web pages are frequently the vehicle of choice for mass malware distribution. Hence, most servers are compromised in order to compromise clients. Those clients may then be used to compromise servers inside the enterprise! (Aurora!) Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScript Sophisticated software development: authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client base and are producing highly usable, modular and upgradeable software at a tremendous rate. For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes, including plug-ins designed to target specific PKI schemes, etc.
2009 Malware Trends Greater efficiency and targeting Dasient: 5.5 million web pages on 560,000 websites were infected with malware in Q4 2009. Two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8 A smaller number of malicious programs means that users are less likely to notice an attack. Operators are learning valuable business lessons Operate a 24/7 network of login interceptors for high-value accounts Operators are singling out SMBs that tend to have cash on hand and no real IT An extremely sophisticated and profitable money-mule/laundering infrastructure now exists
Contemporary ACH / Wire Fraud Automated Clearing House (ACH) 1 - 4 victims / day Average take $100,000 / victim $500K - $1M/week $100M attempted in 2009 $40M+ unrecovered > All US bank robberies combined Losses borne by victims due to ACH rules ALL done by ONE Eastern European crew
Recent ACH Fraud Cases XXXX County - $415,000 XXXX Corp - $447,000 XXXX Energy - $200,000 XXXX Construction - $588,000 XXXX Industrial - $1,200,000 XXXX School District - $117,000 XXXX XXXX School - $150,000 XXXX University - $189,000
Three chart slides, Source: myNetWatchman
Information Disclosure: Lessons from Airplanes and ATMs
Information Disclosure Failing to redact documents correctly Not removing document metadata Not sanitizing hard drives and other media Unencrypted data
Information Disclosure TSA published a SOP manual with sensitive information redacted
Information Disclosure The TSA added black bars on top of text and images to prevent it from being seen
Information Disclosure The NSA specifically states that this will not work in their manual on redacting safely: Google: “Redact Confidence”
Information Disclosure [Source:  Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF]
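The TSA failure above comes down to one fact about the file format: a black rectangle drawn over text is just another drawing instruction, and the text-showing instruction it covers is still in the page's content stream for any extractor to read. The following added example (not from the slides, the TSA or the NSA guide) is a small interpreter for an uncompressed PDF content stream that lists every string on the page and flags those whose origin sits inside a rectangle filled in the redaction colour. The content stream is constructed for the example; real pages are usually Flate-compressed and position text with Tm and TJ arrays, so treat this as the shape of the check, not a drop-in tool.

```python
# Constructed content stream standing in for one page of a "redacted" PDF. The black
# rectangle is painted over the sensitive line, but the Tj operator still carries the
# text; the red rectangle is a highlight, not a redaction.
SAMPLE_CONTENT_STREAM = r"""
0 0 0 rg
72 698 300 16 re f
BT /F1 12 Tf 72 702 Td (Alarm threshold setting: 9 \(internal\)) Tj ET
BT /F1 12 Tf 72 650 Td (This paragraph is public.) Tj ET
1 0 0 rg
72 598 300 16 re f
BT /F1 12 Tf 72 602 Td (Highlighted, not redacted) Tj ET
"""


def tokenize(stream):
    """Split a content stream into ('str', text) and ('op', token) items. Literal
    strings honour backslash escapes and balanced nested parentheses."""
    tokens, i, n = [], 0, len(stream)
    while i < n:
        c = stream[i]
        if c.isspace():
            i += 1
        elif c == "(":
            depth, j, buf = 1, i + 1, []
            while j < n and depth:
                ch = stream[j]
                if ch == "\\" and j + 1 < n:          # escaped character
                    buf.append(stream[j + 1])
                    j += 2
                    continue
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        j += 1
                        break
                buf.append(ch)
                j += 1
            tokens.append(("str", "".join(buf)))
            i = j
        else:
            j = i
            while j < n and not stream[j].isspace() and stream[j] not in "()":
                j += 1
            tokens.append(("op", stream[i:j]))
            i = j
    return tokens


def analyze(stream, is_redaction_colour=lambda rgb: rgb == (0.0, 0.0, 0.0)):
    """Interpret the operators that matter: fill colour (rg, g), rectangles (re) that
    are then filled, text positioning (BT, Td) and shown text (Tj). Returns every
    string on the page and the subset hidden under a redaction-coloured box."""
    operands, fill, pending, boxes, texts = [], (0.0, 0.0, 0.0), [], [], []
    tx = ty = 0.0
    for kind, value in tokenize(stream):
        if kind == "str" or value.startswith("/"):     # strings and names are operands
            operands.append(value)
            continue
        try:
            operands.append(float(value))                # numbers are operands
            continue
        except ValueError:
            pass                                         # anything else is an operator
        if value == "rg" and len(operands) >= 3:
            fill = tuple(operands[-3:])
        elif value == "g" and operands:
            fill = (operands[-1],) * 3
        elif value == "re" and len(operands) >= 4:
            pending.append(tuple(operands[-4:]))         # x, y, width, height
        elif value in ("f", "F", "f*", "B", "B*", "b", "b*"):
            if is_redaction_colour(fill):
                boxes.extend(pending)
            pending = []
        elif value in ("n", "S", "s"):                   # path ended without a fill
            pending = []
        elif value == "BT":
            tx = ty = 0.0
        elif value == "Td" and len(operands) >= 2:
            tx, ty = tx + operands[-2], ty + operands[-1]
        elif value == "Tj" and operands and isinstance(operands[-1], str):
            texts.append((operands[-1], tx, ty))
        operands = []
    under = [t for t, x, y in texts
             if any(rx <= x <= rx + rw and ry <= y <= ry + rh for rx, ry, rw, rh in boxes)]
    return {"all_text": [t for t, _, _ in texts], "under_redaction": under}


if __name__ == "__main__":
    result = analyze(SAMPLE_CONTENT_STREAM)
    print("text still present under redaction boxes:", result["under_redaction"])
```

The only redaction that survives this check is one that deletes the text operator (and the glyphs, metadata and any images of the text) before the page is published, which is what the NSA guide cited on the next slide walks through. Running a plain text extractor over a "redacted" file before release is the cheapest version of the same test.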
Information Disclosure 40% of hard drives purchased from eBay contain personal information 36% Financial data 21% Emails 11% Corporate Documents  [source:  Kessler International]  Wipe drives before they leave your control There are several bootable programs that will wipe all media attached to a computer  DBAN – Darik’s Boot and Nuke
Information Disclosure A security researcher purchased an ATM via Craig’s List He found 1,000 debit card numbers stored in the machine Who has access to your data? What are their controls on it?
Information Disclosure Imperva notified rockyou.com of a SQL injection flaw on Dec 4th Rockyou.com fixed the problem over the weekend The database stored passwords in plaintext A hacker disclosed that he had copied the entire database before the flaw was fixed
Information Disclosure The database contains the usernames and passwords for over 32 million accounts Included in the database were also passwords for partner websites This is a classic example of where defense in depth would have offered superior protection
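The two layers of defense in depth that the rockyou.com case lacked are shown side by side in this added example (not from the slides, SecureWorks, Imperva or rockyou.com): a lookup that builds its SQL by string concatenation, next to one that binds parameters, and a credential store that keeps a salted PBKDF2 hash instead of the plaintext password. With both in place a copied table is far less useful than the one the slide describes. The schema, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000   # work factor; raise as hardware allows


def make_db():
    """In-memory SQLite database with a users table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return conn


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256: the stored digest cannot be turned back into the password,
    so a copied table does not hand over every user's credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(conn, username, password):
    salt = os.urandom(16)                          # per-user salt defeats precomputed tables
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))


def vulnerable_query(username):
    """The injection flaw: untrusted input is pasted into the SQL text, so a quote
    in the input ends the literal and whatever follows is parsed as SQL."""
    return "SELECT username FROM users WHERE username = '" + username + "'"


def lookup_vulnerable(conn, username):
    return [row[0] for row in conn.execute(vulnerable_query(username))]


def lookup_safe(conn, username):
    """Parameter binding: the driver sends the value separately from the statement,
    so the input can never change the query's structure."""
    return conn.execute("SELECT username, salt, pw_hash FROM users WHERE username = ?",
                        (username,)).fetchone()


def verify_login(conn, username, password):
    row = lookup_safe(conn, username)
    if row is None:
        return False
    _, salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))   # constant-time


def stored_secret(conn, username):
    """What a dumped table reveals for this user: the salted hash, never the password."""
    row = lookup_safe(conn, username)
    return None if row is None else row[2]


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "correct horse battery")
    register(db, "bob", "hunter2")
    probe = "' OR '1'='1"
    print("concatenated query returns:", lookup_vulnerable(db, probe))   # every user
    print("parameterised query returns:", lookup_safe(db, probe))        # None
    print("login ok:", verify_login(db, "alice", "correct horse battery"))
```

The same probe string returns every row from the concatenated query and nothing from the bound one, because the bound version compares the column against the literal eleven-character string. The hash layer is independent of the query layer: even if an injection flaw slips through elsewhere, the attacker receives digests that still have to be cracked one salted password at a time.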
Aurora
Background: Titan Rain intrusion set An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that are all related in some way Titan Rain was one such intrusion set Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003 Labeled as Chinese in origin Nature of and identities of adversaries unknown
Background: Advanced Persistent Threat (APT) Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks. Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome. Does not typically refer to things like ZeuS
Aurora Publicly disclosed hacking incident inside Google and other major companies Belief within infosec community that PRC has been waging a long term, persistent campaign of “espionage-by-malware” Titan Rain, GhostNet Grown bolder over time
Aurora In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-Based corporations with the intent of exfiltrating sensitive data for political and financial gain. The Aurora team used a privately-held IE-7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs Social-engineering using methods similar to Fake-AV campaigns was also used Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside
Aurora “Aurora” is taken directly from strings within some custom software components of the attack: a debug symbol file path in custom code
Aurora Known samples of the main backdoor trojan used in the attacks are no older than 2009 The attack may have been in the works for some time Custom modules in the Aurora codebase carry timestamps as old as May 2006 Timeframe just after Titan Rain had blown up and the PRC’s limited arsenal of mostly “COTS” trojans was being increasingly detected by commercial AV
Aurora With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now Compiler leaves many clues in a binary PE resource section may reveal language code Aurora author was careful to either compile on English-language system, or to modify the language code in the binary after the fact
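The language clue the slide refers to lives in the third level of the PE resource tree, where every resource is filed under a LANGID (the low 10 bits name the primary language, the upper bits the sublanguage). The following added example, not from the slides or from any Aurora analysis, builds a resource section in that layout from a constructed tree and then walks it the way a triage script would, reporting which resource types carry which language. The sample stamps the version resource zh-CN while the dialog and manifest say en-US; the resource payloads are placeholders, and the data-entry RVA is treated as a plain offset rather than being translated through a section header.

```python
import struct

RESOURCE_TYPES = {3: "RT_ICON", 5: "RT_DIALOG", 16: "RT_VERSION", 24: "RT_MANIFEST"}
# LANGID = (sublanguage << 10) | primary language; a few common values.
LANGIDS = {0x0000: "neutral", 0x0409: "en-US", 0x0404: "zh-TW (traditional)",
           0x0804: "zh-CN (simplified)", 0x0419: "ru-RU"}
PRIMARY = {0x00: "neutral", 0x04: "Chinese", 0x09: "English", 0x0A: "Spanish", 0x19: "Russian"}


def describe_lang(lang_id):
    """Name for a resource LANGID, falling back to the 10-bit primary language."""
    if lang_id in LANGIDS:
        return LANGIDS[lang_id]
    return PRIMARY.get(lang_id & 0x3FF, "unknown") + " (0x%04X)" % lang_id


def build_resource_section(tree):
    """Serialise {type_id: {name_id: {lang_id: bytes}}} into a .rsrc-style blob.
    Constructed test data laid out as IMAGE_RESOURCE_DIRECTORY / _ENTRY / _DATA_ENTRY,
    with directory offsets relative to the blob start (as in a real section) and the
    data RVA taken as a plain offset (a real section would add its virtual address)."""
    nodes = [tree]
    for node in nodes:                                   # breadth-first; list grows as we go
        nodes.extend(c for c in node.values() if isinstance(c, dict))
    dir_off, pos = {}, 0
    for node in nodes:
        dir_off[id(node)] = pos
        pos += 16 + 8 * len(node)                        # header + one 8-byte entry per child
    n_leaves = sum(1 for node in nodes for c in node.values() if not isinstance(c, dict))
    data_entry_base, raw_base = pos, pos + 16 * n_leaves
    blob, leaves = bytearray(), []
    for node in nodes:
        blob += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(node))   # all entries ID-named
        for key, child in node.items():
            if isinstance(child, dict):
                blob += struct.pack("<II", key, 0x80000000 | dir_off[id(child)])
            else:
                blob += struct.pack("<II", key, data_entry_base + 16 * len(leaves))
                leaves.append(child)
    raw = bytearray()
    for data in leaves:                                  # IMAGE_RESOURCE_DATA_ENTRY per leaf
        blob += struct.pack("<IIII", raw_base + len(raw), len(data), 0, 0)
        raw += data
    return bytes(blob + raw)


def _entries(blob, off):
    n_named, n_id = struct.unpack_from("<HH", blob, off + 12)
    return [struct.unpack_from("<II", blob, off + 16 + 8 * i) for i in range(n_named + n_id)]


def parse_resource_languages(blob):
    """Walk type -> name -> language and return (type_id, name_id, lang_id, size).
    String-named entries would come back with the high bit set on their id."""
    found = []
    for type_id, type_ptr in _entries(blob, 0):
        if not type_ptr & 0x80000000:
            raise ValueError("type level must point to a subdirectory")
        for name_id, name_ptr in _entries(blob, type_ptr & 0x7FFFFFFF):
            if not name_ptr & 0x80000000:
                raise ValueError("name level must point to a subdirectory")
            for lang_id, leaf_ptr in _entries(blob, name_ptr & 0x7FFFFFFF):
                if leaf_ptr & 0x80000000:
                    raise ValueError("language level must point to a data entry")
                _rva, size, _codepage, _reserved = struct.unpack_from("<IIII", blob, leaf_ptr)
                found.append((type_id, name_id, lang_id, size))
    return found


def language_summary(blob):
    """Which resource types carry which language: the view an analyst wants at triage."""
    summary = {}
    for type_id, _name, lang_id, _size in parse_resource_languages(blob):
        summary.setdefault(describe_lang(lang_id), set()).add(
            RESOURCE_TYPES.get(type_id, "type %d" % type_id))
    return {lang: sorted(types) for lang, types in summary.items()}


# Constructed sample: version info stamped zh-CN, dialog and manifest stamped en-US.
SAMPLE_TREE = {
    16: {1: {0x0804: b"VS_VERSION_INFO placeholder"}},
    5: {101: {0x0409: b"DIALOG template placeholder"}},
    24: {1: {0x0409: b"<assembly/>"}},
}

if __name__ == "__main__":
    print(language_summary(build_resource_section(SAMPLE_TREE)))
```

A mixed result like the sample's is itself a finding: build tooling normally stamps every resource with the same language, so disagreement between RT_VERSION and the rest suggests resources added or edited after the build. As the slide notes, the value is trivially editable, so it is a clue to weigh alongside the debug path and compiler fingerprints, not proof of origin.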
Aurora Peculiarities and origins of the CRC algorithm used suggest the author is familiar with simplified Chinese
Aurora Partial JavaScript code used to exploit Google If only they were using Chrome…
New Details Emerge April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia” “Cyberattack on Google Said to Hit Password System”, John Markoff Aurora had access to “Moma”, Google’s internal employee database May have used information from Moma to target the individual developers working on Gaia Source code exfiltrated to Rackspace servers, and then onto ???
Other Trends
Other Trends Social engineering Phishing / Spearphishing E.g., Rogue AV Hybrid attacks Targeted verticals and enterprises Advanced Trojans Social Networks (Facebook, Twitter) Trusted relationships Superb ROI platform for URL-based attacks Botnet sophistication and innovation Spread of infection by reputable or legit websites Continuously evolving attacks and malware methods Threats come more from organized crime However, involvement of state actors has finally come to the forefront
Other Trends 0-day black market Premium paid for 0-days Tipping Point has heard of governments offering $1 million for a good one Good guys can’t compete at those prices ‘Aurora’ used an IE 0-day that it had developed Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations Global cooperation in these cases is still in its infancy
Other Trends Clients vs. Servers For the moment, the pendulum has swung away from servers Servers are now more likely to be compromised as a means to compromise a large number of clients While the very large financial database breaches do occur, they are now more likely  to come from a compromised workstation with privileged access on the inside The weakest-link rule is true now more than ever
The new .CN
The new .CN In December 2009, CNNIC published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names The new restrictions consisted of: Webmasters must submit a paper application and show ID when registering a domain name Business license if applicable Have to submit the information within 5 days or risk losing the domain Monitoring of domains hosting malicious executables has continued and shows an interesting trend Domains registered under the .CN ccTLD have slightly declined, while domains registered under the .IN ccTLD have started to increase, starting right around the timeframe of the CNNIC announcement
The new .CN
The new .CN .RU domains have also seen an increase since the .CN registration requirements were announced. RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st
The new .CN
Mariposa / ButterflyBot
Mariposa / ButterflyBot Publicly sold botnet kit called “BFBOT” Distributed as binary “builder” kit, full source code is not available Author has since “retired”, but perhaps not Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot Uses console-based master control program Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development
Mariposa / ButterflyBot Named after a domain that it was contacting butterfly [dot] sinip [dot] es Initially discovered early 2009 Sold on bfsecurity.net “Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”
Commercial Market for ButterflyBot Source: Panda Security
ButterflyBot Capabilities Information theft: steal data from Internet Explorer (protected storage and Autocomplete (IE 7+) password stealing) and Mozilla Firefox (stored password stealing) Downloader: download files via HTTP and execute them on the infected computer DDoS: TCP SYN or UDP packet flooding Propagation: MSN Instant Messenger, USB autorun, copying itself to well-known P2P application download directories VNC Server Scan: scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.
ButterflyBot Console Source: Symantec
ButterflyBot Master Client Source: Panda Security
ButterflyBot Configuration Tool Source: Panda Security
Mariposa Takedown Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries Botmasters made money by allowing other cybercrooks to utilize parts of the botnet This led to a variety of malware being installed Advanced keyloggers Various banking trojans RATs (Remote Access Trojans) Fake AV
Mariposa Takedown Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested “netkairo” of Balmaseda, age 31 “jonyloleante” of Molina de Segura, age 30 “ostiator” of Santiago de Compostela, age 25 Action taken on domains December 23, 2009 at 1700 Spanish time US FBI and Spanish Civil Guard Believed that suspects would be less able to react due to Christmas holiday and time with family Suspects unknown, using VPNs from Swedish provider Relakks During the counter attack, “netkairo” made a fatal mistake Did not use VPN, revealed IP address in Spain IP provided to Civil Guard
Mariposa Takedown “netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain Digital forensics of seized computers led to 2 further arrests in Spain Cases in front of Judge Garzón of the National Court
Conclusion
Conclusion Defenders remain at a significant disadvantage Must attack both sides of the risk vs. reward equation Closer cooperation is needed between security community and law enforcement Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem Attractive ROI of Social Engineering
Q & A
Special Thanks Chema Alonso & Informática64 Maite Villalba and the Universidad Europea de Madrid You, my audience!

More Related Content

PPT
Network security
Vikas Jagtap
 
PPTX
Network security
Simranpreet Singh
 
PPTX
Modern Network Security Issue and Challenge
Ikhtiar Khan Sohan
 
PDF
Network Security Fundamentals
Fat-Thing Gabriel-Culley
 
PDF
Computer Network Security
Sachithra Gayan
 
PDF
Network security - OSI Security Architecture
BharathiKrishna6
 
PPTX
02 introduction to network security
Joe McCarthy
 
Network security
Vikas Jagtap
 
Network security
Simranpreet Singh
 
Modern Network Security Issue and Challenge
Ikhtiar Khan Sohan
 
Network Security Fundamentals
Fat-Thing Gabriel-Culley
 
Computer Network Security
Sachithra Gayan
 
Network security - OSI Security Architecture
BharathiKrishna6
 
02 introduction to network security
Joe McCarthy
 

What's hot (20)

PPTX
Network security
fatimasaham
 
PPTX
Network security and firewalls
Murali Mohan
 
PPTX
Network Security Issues
AfreenYousaf
 
PPTX
Network security
Nkosinathi Lungu
 
PDF
Wireless Security Needs For Enterprises
shrutisreddy
 
PPTX
Privacy & Security Aspects in Mobile Networks
DefCamp
 
PPTX
Network Security: Attacks, Tools and Techniques
waqasahmad1995
 
PPTX
Unified Threat Management Vs Next-Gen Firewall: What's the difference?
Seqrite
 
PDF
Secure and distributed data discovery and dissemination in wireless sensor ne...
LeMeniz Infotech
 
PPT
Network management and security
Ankit Bhandari
 
PPT
Network Security
Raymond Jose
 
PPTX
Presentation network security
cegonsoft1999
 
PDF
Approach of Data Security in Local Network Using Distributed Firewalls
International Journal of Science and Research (IJSR)
 
PPTX
امن نظم المعلومات وامن الشبكات
Amr Rashed
 
PPTX
A framework for securing wireless home networks 1
Ryan Mc Donagh
 
PPT
Ch06 Wireless Network Security
Information Technology
 
PPTX
Network security
Harsh Kishore Mishra
 
PPT
Network security
Ali Kamil
 
PDF
Network security for E-Commerce
Hem Pokhrel
 
Network security
fatimasaham
 
Network security and firewalls
Murali Mohan
 
Network Security Issues
AfreenYousaf
 
Network security
Nkosinathi Lungu
 
Wireless Security Needs For Enterprises
shrutisreddy
 
Privacy & Security Aspects in Mobile Networks
DefCamp
 
Network Security: Attacks, Tools and Techniques
waqasahmad1995
 
Unified Threat Management Vs Next-Gen Firewall: What's the difference?
Seqrite
 
Secure and distributed data discovery and dissemination in wireless sensor ne...
LeMeniz Infotech
 
Network management and security
Ankit Bhandari
 
Network Security
Raymond Jose
 
Presentation network security
cegonsoft1999
 
Approach of Data Security in Local Network Using Distributed Firewalls
International Journal of Science and Research (IJSR)
 
امن نظم المعلومات وامن الشبكات
Amr Rashed
 
A framework for securing wireless home networks 1
Ryan Mc Donagh
 
Ch06 Wireless Network Security
Information Technology
 
Network security
Harsh Kishore Mishra
 
Network security
Ali Kamil
 
Network security for E-Commerce
Hem Pokhrel
 
Ad

Similar to Trends in network security feinstein - informatica64 (20)

DOCX
Cyber Security DepartmentGraduation Project (407422)
OllieShoresna
 
PPTX
Cyber Security
BryCunal
 
PDF
Anatomy of a cyber attack
Mark Silver
 
PDF
Information security
Appin Faridabad
 
DOCX
4777.team c.final
AlexisHarvey8
 
PDF
Corporate threat vector and landscape
yohansurya2
 
PDF
C018131821
IOSR Journals
 
PPT
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
DOCX
cybersecurity essay.docx
ssuser719d6b
 
PPT
The Consumerisation of Corporate IT
Peter Wood
 
PPT
Information security in todays world
Sibghatullah Khattak
 
PPTX
Emerging Threats to Infrastructure
Jorge Orchilles
 
PDF
Cisco 2014 Midyear Security Report
Cisco Security
 
PDF
Toward Continuous Cybersecurity With Network Automation
Ken Flott
 
PDF
Toward Continuous Cybersecurity with Network Automation
E.S.G. JR. Consulting, Inc.
 
PDF
Cybersecurity Goes Mainstream
Rob Marson
 
Cyber Security DepartmentGraduation Project (407422)
OllieShoresna
 
Cyber Security
BryCunal
 
Anatomy of a cyber attack
Mark Silver
 
Information security
Appin Faridabad
 
4777.team c.final
AlexisHarvey8
 
Corporate threat vector and landscape
yohansurya2
 
C018131821
IOSR Journals
 
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
cybersecurity essay.docx
ssuser719d6b
 
The Consumerisation of Corporate IT
Peter Wood
 
Information security in todays world
Sibghatullah Khattak
 
Emerging Threats to Infrastructure
Jorge Orchilles
 
Cisco 2014 Midyear Security Report
Cisco Security
 
Toward Continuous Cybersecurity With Network Automation
Ken Flott
 
Toward Continuous Cybersecurity with Network Automation
E.S.G. JR. Consulting, Inc.
 
Cybersecurity Goes Mainstream
Rob Marson
 
Ad

More from Chema Alonso (20)

PPTX
CyberCamp 2015: Low Hanging Fruit
Chema Alonso
 
PDF
Índice Pentesting con Kali 2.0
Chema Alonso
 
PDF
Configurar y utilizar Latch en Magento
Chema Alonso
 
PPTX
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
PDF
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
Chema Alonso
 
PDF
CritoReto 4: Buscando una aguja en un pajar
Chema Alonso
 
PDF
Dorking & Pentesting with Tacyt
Chema Alonso
 
PDF
Pentesting con PowerShell: Libro de 0xWord
Chema Alonso
 
PDF
Foca API v0.1
Chema Alonso
 
PDF
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Chema Alonso
 
PPTX
It's a Kind of Magic
Chema Alonso
 
PPTX
Ingenieros y hackers
Chema Alonso
 
PDF
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Chema Alonso
 
PDF
Auditoría de TrueCrypt: Informe final fase II
Chema Alonso
 
PPTX
El juego es el mismo
Chema Alonso
 
PDF
El Hardware en Apple ¿Es tan bueno?
Chema Alonso
 
PDF
Latch en Linux (Ubuntu): El cerrojo digital
Chema Alonso
 
PDF
Hacking con Python
Chema Alonso
 
PPTX
Shuabang Botnet
Chema Alonso
 
PPTX
Tu iPhone es tan (in)seguro como tu Windows
Chema Alonso
 
CyberCamp 2015: Low Hanging Fruit
Chema Alonso
 
Índice Pentesting con Kali 2.0
Chema Alonso
 
Configurar y utilizar Latch en Magento
Chema Alonso
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
Chema Alonso
 
CritoReto 4: Buscando una aguja en un pajar
Chema Alonso
 
Dorking & Pentesting with Tacyt
Chema Alonso
 
Pentesting con PowerShell: Libro de 0xWord
Chema Alonso
 
Foca API v0.1
Chema Alonso
 
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Chema Alonso
 
It's a Kind of Magic
Chema Alonso
 
Ingenieros y hackers
Chema Alonso
 
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Chema Alonso
 
Auditoría de TrueCrypt: Informe final fase II
Chema Alonso
 
El juego es el mismo
Chema Alonso
 
El Hardware en Apple ¿Es tan bueno?
Chema Alonso
 
Latch en Linux (Ubuntu): El cerrojo digital
Chema Alonso
 
Hacking con Python
Chema Alonso
 
Shuabang Botnet
Chema Alonso
 
Tu iPhone es tan (in)seguro como tu Windows
Chema Alonso
 

Trends in network security feinstein - informatica64

  • 1. Trends in Network Security Ben Feinstein, CISSP GCFA Director of Research SecureWorks Counter Threat Unit℠ Friday, April 23 rd , 2010 Informática64 Móstoles, Spain
  • 3. Who Am I? Native of Atlanta, Georgia USA 12 years old, dial-up UNIX shell, telneting around the world Professional software developer as a teenager Bachelor of Science in Computer Science (c. Economics), 2001 Harvey Mudd College, Claremont, California USA Author of RFC 4765 and RFC 4767 Software Engineer at a series of security start-ups, 2001 – 2006 Joined SecureWorks in 2006 Certified Information Systems Security Professional (CISSP) SANS Global Information Assurance Certified Forensics Analyst (GCFA)
  • 4. Who is SecureWorks? Market leading provider of information security services Managed Security Services Provider (MSSP) Security and Risk Consulting (SRC) Over 2,700 clients worldwide, including more than 10% of Fortune 500 Suite of managed information and network security services Security Information Management (SIM) On Demand Log Monitoring Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS) Threat Intelligence Firewall Host IPS Vulnerability Scanning Web Application Scanning Log Retention Encrypted Email
  • 6. Agenda Computer Networks Vulnerability Trends of 2009 Malware Trends of 2009 Information Disclosure Aurora Other Trends The New .CN Mariposa / ButterflyBot Conclusion Q & A
  • 7. From Mainframes to Today’s Internet
  • 8. The Development of Computer Networks Advanced Research Projects Agency (ARPA) Established in 1958 after Soviet launch of Sputnik satellite in 1957 Later renamed the Defense Advanced Research Projects Agency (DARPA) Directly manages a $3.2B budget ARPANET developed by ARPA for US Department of Defense (DoD) Development work began in 1969
  • 9. Decentralization of Computing Power Mainframes gave way to Personal Computers (PCs) Development of Local Area Networks (LANs) Dial-up Internet Broadband Internet
  • 11. Map of Internet Routers (2005), Opte Project http://www.opte.org/
  • 12. Map of Online Communities, xkcd #256 http://xkcd.com/256/ , Spring 2007
  • 13. Some (Much) Older Networks to Remember Hawala Pony Express Source: International Monetary Fund
  • 15. The Network as an Attack Surface Concept of Threat Modeling Concept of an Attack Surface Local Attacks vs. Remote Attacks Common Vulnerability Scoring System (CVSS) version 2 Exploitability metrics Access Vector: Local, Adjacent Network, Network Widespread adoption of Firewalls Widespread adoption of the Web Web 2.0
  • 17. 2009 Vulnerability Trends Vulnerabilities disclosed for document readers and editors soared. Office documents including spreadsheets and presentations Portable Document Format (PDF) documents – the dubious champ Favorite vector of “Spear Phishers”, including “Operation Aurora” The appearance of new malicious Web links has skyrocketed globally in the past year. Phishing, Malvertisements, Fake-AV, etc. A large number of sophisticated web-attack toolkits are available for sale. CSS and SQLi attacks primarily used to redirect web-surfers to an attack-toolkit! Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries not previously been in the game. Attackers are shifting their geographical profiles due to various pressures Lots and lots of money to be made
  • 20. 2009 Malware Trends Malware authors and operators innovated Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7 Complex and user friendly Banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use Better prepared for takedowns and other countermeasures Lessons learned from the days of The RBN Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services DNS double and triple-flux technologies
  • 21. 2009 Malware Trends Man in the browser/endpoint Trojan Horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries Common objective of this attack is to cause financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use High-dollar Commercial OLB creds - compromised Challenge secret questions – compromised IP Geo-location - compromised Email out-of-band - compromised Hardware token - compromised Device fingerprinting - compromised Dual approver - compromised SMS out-of-band - compromised
  • 22. 2009 Malware Trends Compromised web pages frequently vehicle of choice for mass malware distribution Hence, most servers are compromised in order to compromise client Those clients may then be used to compromise servers inside the enterprise! (Aurora!) Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScripts Sophisticated software development Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client-base and are producing highly usable, modular and upgradeable software at a tremendous rate. For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes and designed to target specific PKI schemes, etc.
  • 23. 2009 Malware Trends Greater efficiency and targeting Dasient: 5.5 million web pages on 560,000 websites infected with malware Q4 2009. Two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8 Smaller number of malicious programs means that users are less likely to notice an attack. Operators learning valuable business lessons Operate 24/7 network of login-interceptors for high-value accounts Operators are singling out SMBs that tend to have cash on hand and no real IT Extremely sophisticated and profitable money-mule/laundering infrastructure now exists
  • 24.  
  • 25. Contemporary ACH / Wire Fraud Automated Clearing House (ACH) 1 - 4 victims / day Average take $100,000 / victim $500K - $1M/week $100M attempted in 2009 $40M+ unrecovered > All US bank robberies combined Losses borne by victims due to ACH rules ALL done by ONE Eastern European crew
  • 26. Recent ACH Fraud Cases XXXX County - $415,000 XXXX Corp - $447,000 XXXX Energy - $200,000 XXXX Construction - $588,000 XXXX Industrial - $1,200,000 XXXX School District - $117,000 XXXX XXXX School - $150,000 XXXX University - $189,000
  • 30. Information Disclosure: Lessons from Airplanes and ATMs
  • 31. Information Disclosure Failing to redact documents correctly Not removing document metadata Not sanitizing hard drives and other media Unencrypted data
  • 32. Information Disclosure TSA published a SOP manual with sensitive information redacted
  • 33. Information Disclosure The TSA added black bars on top of text and images to prevent it from being seen
  • 34. Information Disclosure The NSA specifically states that this will not work in their manual on redacting safely: Google: “Redact Confidence”
  • 35. Information Disclosure [Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF]
  • 36. Information Disclosure 40% of hard drives purchased from eBay contain personal information: 36% financial data, 21% emails, 11% corporate documents [source: Kessler International]. Wipe drives before they leave your control. There are several bootable programs that will wipe all media attached to a computer, e.g. DBAN (Darik’s Boot and Nuke).
  • 37. Information Disclosure A security researcher purchased an ATM via Craigslist. He found 1,000 debit card numbers stored in the machine. Who has access to your data? What are their controls on it?
  • 38. Information Disclosure Imperva notified rockyou.com of a SQL injection flaw on Dec 4th. Rockyou.com fixed the problem over the weekend. The database stored passwords in plaintext. A hacker disclosed that he had copied the entire database before the flaw was fixed.
  • 39. Information Disclosure The database contains the usernames and passwords for over 32 million accounts. Included in the database were also passwords for partner websites. This is a classic example of where defense in depth would have offered superior protection.
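As an added example, not from the talk: the plaintext storage the slide describes beside the defense-in-depth alternative. With a per-user salted, slow hash, the same SQL injection dump yields cracking work instead of working credentials for the site and its partners. The iteration count is an assumption for illustration.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for illustration; tune it for your hardware.
ITERATIONS = 200_000

def store_plaintext(username: str, password: str) -> dict:
    """What the breached site did: one SQL injection and the dump is reusable as-is."""
    return {"user": username, "password": password}

def store_hashed(username: str, password: str) -> dict:
    """Defense in depth: keep only a per-user salted, deliberately slow hash, so a
    dumped table gives an attacker cracking work rather than working credentials.
    The per-user salt also stops identical passwords from showing up as identical rows."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}

def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])

def leaked_passwords(dump: list) -> list:
    """What someone holding a dumped table can read straight out of it."""
    return [r["password"] for r in dump if "password" in r]

if __name__ == "__main__":
    # Constructed sample accounts, two users sharing the same password.
    plain = [store_plaintext("alice", "hunter2"), store_plaintext("bob", "hunter2")]
    hashed = [store_hashed("alice", "hunter2"), store_hashed("bob", "hunter2")]
    print("plaintext dump leaks:", leaked_passwords(plain))
    print("hashed dump leaks:", leaked_passwords(hashed))
    print("same password, distinct rows:", hashed[0]["hash"] != hashed[1]["hash"])
```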
  • 41. Background: Titan Rain intrusion set An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that are all related in some way. Titan Rain was one such intrusion set: coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003, labeled as Chinese in origin. Nature and identities of adversaries unknown.
  • 42. Background: Advanced Persistent Threat (APT) Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks. Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome. Does not typically refer to things like ZeuS
  • 43. Aurora Publicly disclosed hacking incident inside Google and other major companies Belief within infosec community that PRC has been waging a long term, persistent campaign of “espionage-by-malware” Titan Rain, GhostNet Grown bolder over time
  • 44. Aurora In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-based corporations with the intent of exfiltrating sensitive data for political and financial gain. The Aurora team used a privately-held IE 7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs. Social engineering using methods similar to Fake-AV campaigns was also used. Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside.
  • 45. Aurora “Aurora” is taken directly from strings within some custom software components of the attack: debug symbol file path in custom code.
  • 46. Aurora Known samples of the main backdoor trojan used in the attacks are no older than 2009, but the attack may have been in the works for some time: custom modules in the Aurora codebase have timestamps as old as May 2006, a timeframe just after Titan Rain had blown up and the PRC’s limited arsenal of mostly “COTS” trojans was being increasingly detected by commercial AV.
  • 47. Aurora With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now. The compiler leaves many clues in a binary: the PE resource section may reveal the language code. The Aurora author was careful to either compile on an English-language system, or to modify the language code in the binary after the fact.
  • 48. Aurora Peculiarities and origins of CRC algorithm used suggest author familiar w/ simplified Chinese
  • 49. Aurora Partial JavaScript code used to exploit Google If only they were using Chrome…
  • 50. New Details Emerge April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia” (“Cyberattack on Google Said to Hit Password System”, John Markoff). Aurora had access to “Moma”, Google’s internal employee database, and may have used information from Moma to target the individual developers working on Gaia. Source code exfiltrated to Rackspace servers, and then onto ???
  • 52. Other Trends Social engineering Phishing / Spearphishing E.g., Rogue AV Hybrid attacks Targeted verticals and enterprises Advanced Trojans Social Networks (Facebook, Twitter) Trusted relationships Superb ROI platform for URL-based attacks Botnet sophistication and innovation Spread of infection by reputable or legit websites continuously evolving attacks and malware methods Threats come more from organized crime However, involvement of state actors has finally come to the forefront
  • 53. Other Trends 0-day black market: premium paid for 0-days; TippingPoint has heard of governments offering $1 million for a good one; good guys can’t compete at those prices; ‘Aurora’ used an IE 0-day that it had developed. Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules. Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations. Global cooperation in these cases is still in its infancy.
  • 54. Other Trends Clients vs. Servers For the moment, the pendulum has swung away from servers Servers are now more likely to be compromised as a means to compromise a large number of clients While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside The weakest-link rule is true now more than ever
  • 56. The new .CN In December 2009, CNNIC published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names. The new restrictions: webmasters must submit a paper application and show ID when registering a domain name, plus a business license if applicable, and must submit the information within 5 days or risk losing the domain. We continued to monitor domains hosting malicious executables and have noticed an interesting trend: domains registered under the .CN ccTLD have slightly declined while domains registered under the .IN ccTLD have started to increase, starting right around the timeframe of the CNNIC announcement.
  • 58. The new .CN .RU domains have also seen an increase since the .CN registration requirements were announced. RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st
  • 61. Mariposa / ButterflyBot Publicly sold botnet kit called “BFBOT” Distributed as binary “builder” kit, full source code is not available Author has since “retired”, but perhaps not Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot Uses console-based master control program Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development
  • 62. Mariposa / ButterflyBot Named after a domain that it was contacting: butterfly [dot] sinip [dot] es. Initially discovered early 2009. Sold on bfsecurity.net: “Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”
  • 63. Commercial Market for ButterflyBot Source: Panda Security
  • 64. ButterflyBot Capabilities Information theft: steal data from Internet Explorer (protected storage and Autocomplete (IE 7+) password stealing) and Mozilla Firefox (stored password stealing). Downloader: download files via HTTP and execute them on the infected computer. DDoS: TCP SYN or UDP packet flooding. Propagation: MSN Instant Messenger, USB autorun, copying itself to well-known P2P application download directories. VNC server scan: scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.
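The VNC scan in that capability list looks for servers that let a client in without authentication. As an added defender-side example, not from the talk and not the bot's code, this parser decodes captured RFB (VNC) handshakes from your own servers and flags those that advertise security type None (the NOAUTH case); the hosts and captures are constructed. The AUTHBYPASS case depends on server behaviour rather than the advertised list, so this check does not cover it.

```python
import struct

# Security types from the RFB protocol: 0 = invalid/refused, 1 = None, 2 = VNC Authentication.
SEC_INVALID, SEC_NONE, SEC_VNC_AUTH = 0, 1, 2

def parse_rfb_security(banner: bytes, reply: bytes) -> dict:
    """Decode the server's 12-byte version banner and the security-type message
    it sends after the client echoes a version. Returns the offered types and
    whether unauthenticated access (type None) is among them."""
    if len(banner) != 12 or not banner.startswith(b"RFB "):
        raise ValueError("not an RFB version banner")
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) == (3, 3):
        # RFB 3.3: the server picks one type and sends it as a 4-byte big-endian word.
        (sec_type,) = struct.unpack(">I", reply[:4])
        offered = [] if sec_type == SEC_INVALID else [sec_type]
    else:
        # RFB 3.7/3.8: one count byte, then that many type bytes; a count of 0 means
        # the connection was refused and a reason string follows.
        count = reply[0]
        offered = list(reply[1:1 + count])
    return {"version": f"{major}.{minor}", "offered": offered, "noauth": SEC_NONE in offered}

def audit(captures: dict) -> list:
    """Return, sorted, every host whose server offers unauthenticated access."""
    return sorted(host for host, (banner, reply) in captures.items()
                  if parse_rfb_security(banner, reply)["noauth"])

# Constructed captures (host -> (server banner, server security message)); documentation
# addresses, not real hosts.
CAPTURES = {
    "192.0.2.10": (b"RFB 003.008\n", bytes([2, SEC_NONE, SEC_VNC_AUTH])),  # None offered
    "192.0.2.11": (b"RFB 003.008\n", bytes([1, SEC_VNC_AUTH])),            # password required
    "192.0.2.12": (b"RFB 003.003\n", struct.pack(">I", SEC_NONE)),         # old server, no auth
    "192.0.2.13": (b"RFB 003.008\n", bytes([0]) + struct.pack(">I", 8) + b"Too many"),  # refused
}

if __name__ == "__main__":
    for host, (banner, reply) in CAPTURES.items():
        print(host, parse_rfb_security(banner, reply))
    print("unauthenticated VNC servers:", audit(CAPTURES))
```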
  • 66. ButterflyBot Master Client Source: Panda Security
  • 67. ButterflyBot Configuration Tool Source: Panda Security
  • 68. Mariposa Takedown Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries. Botmasters made money by allowing other cybercrooks to utilize parts of the botnet. This led to a variety of malware being installed: advanced keyloggers, various banking trojans, RATs (Remote Access Trojans), Fake AV.
  • 69. Mariposa Takedown Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested: “netkairo” of Balmaseda, age 31; “jonyloleante” of Molina de Segura, age 30; “ostiator” of Santiago de Compostela, age 25. Action taken on domains December 23, 2009 at 1700 Spanish time by the US FBI and Spanish Civil Guard; it was believed that suspects would be less able to react due to the Christmas holiday and time with family. Suspects unknown, using VPNs from Swedish provider Relakks. During the counter attack, “netkairo” made a fatal mistake: did not use VPN, revealed IP address in Spain; IP provided to Civil Guard.
  • 70. Mariposa Takedown “netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain. Digital forensics of seized computers led to 2 further arrests in Spain. Cases in front of Judge Garzón of the National Court.
  • 72. Conclusion Defenders remain at a significant disadvantage Must attack both sides of the risk vs. reward equation Closer cooperation is needed between security community and law enforcement Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem Attractive ROI of Social Engineering
  • 73. Q & A
  • 74. Special Thanks Chema Alonso & Informática64 Maite Villalba and the Universidad Europea de Madrid You, my audience!

Editor's Notes

  • #4: Harvey Mudd College, Claremont, California USA Co-op with Aerospace Corporation, El Segundo, California USA (2000) Federally Funded Research & Development Corporation (FFRDC) Supports national security, civil and commercial space programs Graduate of FBI Citizens’ Academy
  • #9: ARPA renamed to DARPA in March 1972 Renamed ARPA again in February 1993 Renamed DARPA again in March 1996
  • #14: Hawala – today, “probably used mostly for migrant workers’ remittances to their countries of origin” Chart source: International Monetary Fund, http://www.imf.org/external/pubs/ft/fandd/2002/12/elqorchi.htm Pony Express – 1860-1861; 2,000 miles from Missouri to Sacramento, California; 190 stations spaced at roughly 10 mile intervals (about the maximum distance a horse could run at full gallop). Riders carried along a mochila and changed horses at each station. Replaced by the telegraph.
  • #25: Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install.
  • #27: Krebs on Security blog, written by Brian Krebs formerly of the Washington Post http://www.krebsonsecurity.com/category/smallbizvictims/ Formerly wrote Security Fix blog for the Washington Post http://voices.washingtonpost.com/securityfix/small_business_victims/ “Computer Crooks Steal $100,000 from Ill. Town”, 2010-04-06 http://krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/ “Online Thieves Take $205,000 Bite Out of Missouri Dental Practice”, 2010-03-30 http://krebsonsecurity.com/2010/03/online-thieves-take-205000-bite-out-of-missouri-dental-practice/ “Organized Crooks Hit NJ Town, Ark. Utility”, 2010-03-22 http://krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/
  • #28: Avalanche is fast-flux hosting network similar to Asprox
  • #51: http://www.nytimes.com/2010/04/20/technology/20google.html
  • #61: Reported in the October 2009 CTU Threat Intelligence webinar
  • #62: Reported in the October 2009 CTU Threat Intelligence webinar
  • #64: http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • #66: http://www.symantec.com/connect/blogs/mariposa-butterfly-bot-kit
  • #67: http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • #68: http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A