
Operation Aurora and beyond: How to keep this from happening to your organisation

Raimund Genes • CTO

Copyright 2010 Trend Micro Inc.

What was Operation Aurora?

Industrial Espionage, nothing new!

What was new is that it was disclosed publicly, on January 12th.

Jan/13

Jan/15

Attack named as Aurora

JS source code of Aurora

Definition of the threat
• APT: Advanced Persistent Threats
• Non-APT attackers go after financial data and sensitive customer data
• APT attackers go after espionage: http://www.wired.com/threatlevel/2010/02/apt-hacks/

Why is it called Aurora?
• Named after a file path found in the VNC-type backdoor

Attack Playback
Step 1: Malicious link
Step 2: Heap spray
Step 3: IE exploit
Step 4: Shell code
Step 5: Download
Step 6: Malicious file
Step 7: Steal information

What vulnerabilities have been used
• Operation Aurora: Security Advisory (979352) - Vulnerability in Internet Explorer Could Allow Remote Code Execution
• CVE-2010-0249 - HTML Object Memory Corruption Vulnerability

Aurora JS code
• Heap spraying
• Prepare for object overwrite
• Build img object
• Free img
• Overwrite object
• Call to shell code
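The slide names the stages of the Aurora JavaScript but shows them only as screenshots. As an added example (not code from the deck or from Trend Micro), the Python script below shows the kind of static heuristic a web gateway or content filter can run over a downloaded script to flag heap-spray construction before the page reaches the browser: a long run of %uXXXX escapes, a string doubled onto itself up to a large size, and a counted loop that copies that string into many array slots. Both inputs are constructed for the example; the regular expressions and thresholds are this example's own assumptions, not any product's rules.

```python
"""Static heap-spray heuristics for downloaded JavaScript (added example)."""
import re

# Indicator 1: a long run of %uXXXX escapes, the usual way a spray builds its slide.
ESCAPE_RUN = re.compile(r'(?:%u[0-9a-fA-F]{4}){8,}')
# Indicator 2: a string doubled onto itself until it reaches a large size
# ("while (s.length < N) s += s").
SELF_CONCAT = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*[0-9a-fA-Fx]+\s*\)\s*\1\s*\+=\s*\1')
# Indicator 3: a counted loop that stores one value into many array slots;
# group 1 captures the loop bound so small, ordinary loops can be ignored.
ARRAY_FILL = re.compile(
    r'for\s*\([^;]*;\s*\w+\s*<\s*(\d+|0x[0-9a-fA-F]+)\s*;[^)]*\)'
    r'\s*\{?\s*\w+\s*\[\s*\w+\s*\]\s*=')

# Thresholds are assumptions for this example, not a vendor's tuned values.
MIN_RUN = 8          # escapes in a row
MIN_FILL = 100       # array slots filled by one loop
MIN_SCORE = 2        # indicators needed for a "suspicious" verdict


def scan_js(src: str) -> dict:
    """Return the indicators found in src and an overall verdict."""
    runs = [len(m.group(0)) // 6 for m in ESCAPE_RUN.finditer(src)]  # 6 chars per %uXXXX
    longest_run = max(runs, default=0)
    fill = ARRAY_FILL.search(src)
    fill_count = int(fill.group(1), 0) if fill else 0
    indicators = {
        "escape_run": longest_run >= MIN_RUN,
        "self_concat": SELF_CONCAT.search(src) is not None,
        "array_fill": fill_count >= MIN_FILL,
    }
    score = sum(indicators.values())
    return {**indicators, "longest_run": longest_run, "fill_count": fill_count,
            "score": score, "suspicious": score >= MIN_SCORE}


# Constructed inputs (not code from the Aurora pages or from any real site).
BENIGN_JS = """
var names = ["alice", "bob"];
for (var i = 0; i < names.length; i++) { greet(names[i]); }
for (var j = 0; j < 3; j++) { cells[j] = row; }
var dots = ""; while (dots.length < 10) dots += ".";
var accent = unescape("%u00e9");
"""

# Skeleton of a spray: a slide of repeated 0x0c0c words grown to 0x80000
# characters and copied into 200 array slots. No shellcode is present; the
# shape of the construction is the point.
SPRAY_SKELETON_JS = """
var nop = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
while (nop.length < 0x80000) nop += nop;
var slide = new Array();
for (var i = 0; i < 200; i++) { slide[i] = nop; }
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_JS), ("spray", SPRAY_SKELETON_JS)):
        print(label, scan_js(src))
```

Each indicator on its own turns up in legitimate code (escape sequences for accented characters, small array-building loops), which is why the verdict requires two of the three and why the array-fill rule looks at the loop bound rather than the mere presence of a loop. Obfuscated scripts will not match these literal patterns, which is the limit of a pattern-based check and the reason the deck argues for layering it with reputation and behaviour monitoring.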

Aurora exploit: malicious file
• Drop DLLs
• Write registry entry
• Inject dropped DLLs into some process
• Collect personal info and send it out
• Create thread for remote access
• APT attacker
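The behaviours listed for the dropped file are exactly what host-based monitoring can key on, independent of any signature for the file itself. The Python below is an added example, not Trend Micro code: it runs a handful of rules over constructed endpoint telemetry (the field names `op`, `target` and `target_pid` are this example's own schema, not a product's) and credits a network connection made by an injected host process back to the process that injected it, so the dropper, not svchost, is the one that gets flagged.

```python
"""Behaviour rules over endpoint telemetry for the dropper pattern (added example)."""
from collections import defaultdict

# Constructed telemetry, not a real capture. Paths, pids and the address are invented.
TEMP_EXE = r"C:\Users\darren\AppData\Local\Temp\report.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SETUP_EXE = r"C:\Program Files\Installer\setup.exe"

EVENTS = [
    {"ts": 100, "pid": 4120, "image": TEMP_EXE, "op": "file_write",
     "target": r"C:\Windows\System32\dropped.dll"},
    {"ts": 101, "pid": 4120, "image": TEMP_EXE, "op": "reg_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dropped"},
    {"ts": 102, "pid": 4120, "image": TEMP_EXE, "op": "remote_thread",
     "target": SVCHOST, "target_pid": 812},
    {"ts": 103, "pid": 812, "image": SVCHOST, "op": "net_connect",
     "target": "203.0.113.7:443"},
    # A legitimate installer: writes a DLL and a registry value, but no Run key,
    # no injection and no beaconing from an injected process.
    {"ts": 200, "pid": 5001, "image": SETUP_EXE, "op": "file_write",
     "target": r"C:\Program Files\App\app.dll"},
    {"ts": 201, "pid": 5001, "image": SETUP_EXE, "op": "reg_set",
     "target": r"HKLM\SOFTWARE\App\Version"},
]

RUN_KEY = "\\currentversion\\run\\"   # autostart location, compared case-insensitively


def classify(ev, injected_by):
    """Map one event to (responsible pid, behaviour name), or None if uninteresting."""
    op, target = ev["op"], ev["target"].lower()
    if op == "file_write" and target.endswith(".dll"):
        return ev["pid"], "drop_dll"
    if op == "reg_set" and RUN_KEY in target:
        return ev["pid"], "persist"
    if op == "remote_thread" and ev["target_pid"] != ev["pid"]:
        injected_by[ev["target_pid"]] = ev["pid"]      # remember who injected whom
        return ev["pid"], "inject"
    if op == "net_connect" and ev["pid"] in injected_by:
        # Credit the beacon to the injector, not to the host process it lives in.
        return injected_by[ev["pid"]], "beacon_via_injected"
    return None


def detect(events, threshold=3):
    """Group behaviours per originating process; flag when enough of them line up."""
    injected_by = {}
    behaviours = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev, injected_by)
        if hit:
            pid, name = hit
            behaviours[pid].add(name)
    return {pid: {"behaviours": sorted(names), "flagged": len(names) >= threshold}
            for pid, names in behaviours.items()}


if __name__ == "__main__":
    for pid, result in detect(EVENTS).items():
        print(pid, result)
```

The threshold is the important design choice: any one of these actions is routine for installers and updaters, so a single rule firing is noise, while a DLL drop, a Run-key write and a remote thread into another process from the same image within a short window is the chain the slide describes.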

Copyright 2008 - Trend Micro Inc.

How to craft an attack? Get public information! The web knows you!

And then an e-mail with a spoofed sender

And if Darren clicks on the attachment...

Threat Predictions 2010
1. No global outbreaks, but localized and targeted attacks
2. It's all about money, so cybercrime will not go away
3. Windows 7 will have an impact since it is less secure than Vista in the default configuration
4. Risk mitigation is not as viable an option anymore, even with alternative browsers/alternative operating systems (OSs)
5. Malware is changing its shape every few hours
6. Drive-by infections are the norm: one web visit is enough to get infected
7. New attack vectors will arise for virtualized/cloud environments
8. Bots can't be stopped anymore, and will be around forever
9. Company/social networks will continue to be shaken by data breaches
10. Digital terrorism: attacks on SCADA networks?

Increase in Malware

No script kiddies and amateurs anymore, but professional malware writers who know how to play with the AV industry

A new malware component is released every 1.5 seconds!

URLs instead of attachments!

Waledac Malware

Infiltrated Websites!

Social Networks as an Attack Vector (11/08/2009)

Is it Spam, is it an Attack Vector, is it Social Engineering?

Today's Infection Chain

[Diagram: today's infection chain, reconstructed from the slide labels]
Roles: Malware Writer, Criminals, Bot Herder, Command & Control (Bot Controller)
Infection vectors: Port Scan, Vulnerabilities, Email Spam, Web Drive-By, Downloader, Spyware/Trojan Downloader
Activities: Host Recruitment, Adware/Clickware, Dedicated Denial of Service, Spam & Phishing, Data Leakage
Host malware: Fool the AV; Get updates from management (Command & Control); Wait for instructions
Command & control channels: HTTP, IRC, DNS

How to keep this from happening to your organisation

Pattern matching is baseline... and the bad guys know this...

So should we move to IPS and HIPS?

Because traditional Endpoint Security can't keep up anymore

Signature file updates take too long
• Delay protection across all clients and servers
• Leave a critical security gap
• Require multiple updates a day to keep up with threats, complicating signature management

Signature files are becoming too big
• Increase endpoint memory footprint
• Increase impact on endpoint performance
• Increase bandwidth utilization
• Unpredictable increase of client size

[Chart: Unique threat samples PER HOUR, x-axis 2007 to 2015; plotted values in ascending order: 57, 205, 799, 1,484, 2,397, 3,881, 6,279, 10,160, 16,438, 26,598]

We need a layered approach, and we need a holistic view for IT security!

And pattern matching is still needed to properly identify malware and to clean up the damage

The Electric Grid - Today
• Power Station
• Local connection
• National Transport System

User advantages
1. No need for large investment
2. On-demand instant access
3. Pay as you go

A Distributed Electric Grid - Trend Micro today
• Different Power Stations
• Local connection, Solar Panel
• International Transport System

Could we patch fast enough?

Or do we need vulnerability shielding, accepting that patch management is tough?

No matter what we do, Smart Protection Network is the key component!

[Diagram: Smart Protection Network, reconstructed from the slide labels]
In-the-cloud platform with Community Intelligence (feedback loop)
• File Reputation, Web Reputation, Email Reputation
• Smart Protection Network services: Behavior monitoring; validation of URL, File, Email, Domain and IP; Incident trigger
• Threat Analytics and Correlation
• Professional Services
• Customer network

We at Trend Micro are not worried about cybercriminals and their ways to make money! Because we have prepared ourselves for this!
• 2005: Email Reputation Services
• 2006: Web Reputation Services
• 2008: File Reputation Services

So why are we so different? Why do we protect well against real-life malware?

ERS load = 295 GB per day
WRS load = 1305 GB per day
FRS load = 334 GB per day

Smart Protection Network key benefits
• Patent-pending correlation technology analyzes all threat vectors: email, web, file
• Threats are blocked before they can infiltrate the network or computer
• Blocks threats at their source: the Internet
• We own all the technology
• Available in all solutions: Consumer, SMB, Enterprise, Partner, SaaS
• Protects you wherever you connect: at work, at home or on the road
• Powers our SaaS, Gateway, Messaging, Endpoint, Mobile & Partner solutions
• Reduces the need for local signatures
• Local Scan Server improves time to protect
• Immediate protection
• Trend Micro manages updates
• Reduces complexity
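The benefit the slides keep returning to is correlation across the email, web and file vectors with a feedback loop, so that a verdict reached late (a file confirmed malicious) pushes the block back to the earliest point of contact (the sender and the URL). The Python below is an added example of that mechanism, not the Smart Protection Network's implementation: the three reputation tables, the sender names, the URLs on the reserved `.test` domain and the file content are all constructed for the example.

```python
"""Cross-vector reputation with a feedback loop (added example)."""
import hashlib
from collections import defaultdict
from urllib.parse import urlparse


class ReputationStore:
    """Email, web and file reputation kept together so a verdict in one
    vector can be pushed back to the vectors that led to it."""

    def __init__(self):
        self.bad = {"sender": set(), "url": set(), "domain": set(), "file": set()}
        self.url_senders = defaultdict(set)   # url -> senders that delivered it
        self.file_urls = defaultdict(set)     # sha256 -> urls it was fetched from

    @staticmethod
    def _domain(url):
        return (urlparse(url).hostname or "").lower()

    def check_email(self, sender, url):
        """Email layer: block on sender, exact URL or hosting-domain reputation."""
        self.url_senders[url].add(sender)
        for kind, key in (("sender", sender), ("url", url), ("domain", self._domain(url))):
            if key in self.bad[kind]:
                return ("block", kind)
        return ("allow", None)

    def check_download(self, url, content):
        """Web/file layer: block on URL, domain or file-hash reputation."""
        sha = hashlib.sha256(content).hexdigest()
        self.file_urls[sha].add(url)
        for kind, key in (("url", url), ("domain", self._domain(url)), ("file", sha)):
            if key in self.bad[kind]:
                return ("block", kind, sha)
        return ("allow", None, sha)

    def confirm_malicious_file(self, sha):
        """Feedback loop: a confirmed-bad file poisons the URLs it came from,
        their hosting domains and the senders that mailed those URLs."""
        self.bad["file"].add(sha)
        for url in self.file_urls[sha]:
            self.bad["url"].add(url)
            self.bad["domain"].add(self._domain(url))
            self.bad["sender"].update(self.url_senders[url])


# Constructed scenario: sender, URLs and content are invented for the example.
URL_1 = "http://files.partner-example.test/report.pdf.exe"
URL_2 = "http://files.partner-example.test/invoice.pdf.exe"
PAYLOAD = b"constructed sample content, not a real binary"


def run_scenario():
    """Walk one targeted mail through the layers, then show what the loop changes."""
    store = ReputationStore()
    steps = {}
    steps["first_email"] = store.check_email("hr@partner-example.test", URL_1)
    verdict = store.check_download(URL_1, PAYLOAD)
    steps["first_download"] = verdict[:2]
    store.confirm_malicious_file(verdict[2])   # later verdict, e.g. from a sandbox
    steps["same_sender_new_url"] = store.check_email("hr@partner-example.test", URL_2)
    steps["new_sender_same_domain"] = store.check_email("ceo@elsewhere.test", URL_2)
    steps["repeat_download"] = store.check_download(URL_1, PAYLOAD)[:2]
    return steps


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:24s} {verdict}")
```

The first mail and download pass because nothing is known yet; that gap is what the deck's "threat samples per hour" chart is about. Once the file is confirmed, the second mail from the same sender is stopped at the email layer, a mail from an unrelated sender pointing at the same hosting domain is stopped on domain reputation, and a repeat fetch of the original URL never reaches the file scanner. The store is deliberately small: the point is the propagation step, not the lookup.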

Threat Management Solution Assessment
• 100% of companies had malware
• 56% of companies had at least 1 information-stealing malware
• 72% of companies had at least 1 IRC bot
• 80% of companies had malicious Web downloads
• 30% of companies had at least 1 network worm

Technology used to detect threats
• 99% using Smart Protection Network
• 1% using traditional scanning engines

Copyright 2009 Trend Micro Inc.