
IEEE Globecom 2011

Information Warfare

Tom Chen, Swansea University, Wales, UK

Outline

• Background - definitions; actors; targets; historical cases
• Attack techniques - reconnaissance; intrusions; stealth; persistent control; DDoS
• Defense techniques - deterrence; prevention; detection; attribution; intrusion tolerance; self healing
• Open research issues
• Conclusions and future directions

TC/Globecom2011/12-9-11 p. 2

Background

Section Outline

• Definitions
• Actors
• Targets
• Historical cases

Definitions

• Info. warfare (or cyber warfare): military or political conflicts between nations carried out through networks
  - Actions to adversely affect enemy’s info. and info. systems while defending own
  - Information is both target and means for gaining advantage (in support of military/political goals)
  - Definitions vary, e.g., U.S. DoD defines broadly: “operations directed against information in any form, transmitted over any media, including operations against information content, its supporting systems and , the physical hardware device that stores the data or instructions, and also human practices and perceptions”

DoD Definitions

Info. operations (broad info. warfare definition) comprise:
• Psychological operations - examples: propaganda, leaflets
• Military deception - examples: weapon hiding, target decoys
• Operations security - example: classified info.
• Computer network operations (CNO)* - subdivided into:
  - Computer network attack (CNA) - example: DDoS
  - Computer network defense (CND) - examples: firewalls, IDS
  - Computer network exploitation/espionage (CNE) - examples: backdoors, data theft
• Electronic warfare - example: radio jamming

*Definition used here

Recognition as Warfare Domain

• U.S. DoD Strategy for Operating in Cyberspace (July 2011) recognizes cyberspace as 5th operational domain (with sea, air, land, space)

“Potential U.S. adversaries may seek to exploit, disrupt, deny, and degrade the networks and systems that DoD depends on... particularly concerned with three areas of potential adversarial activity:
- theft or exploitation of data;
- disruption or denial of access or service...;
- destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks...”

Definitions (cont)

Spectrum of activity:
• Espionage, reconnaissance, data theft - increasingly common
• DDoS attacks
• Attacks for damage - suspected (Stuxnet) but no blatant incidents
• Attacks for control
• Defense - ongoing

Relation to Cyber Crime

• Cyber crime differs in:
  - Profit motive
  - Criminals, not state
  - Aim for theft of personal information, fraud
  - Targeted to consumers, businesses
• Common tools (e.g., malware, botnets) usable for cyber war
  - Same exploits involved in cyber war: govt. depends on civilian providers for computer equipment, software, services

Relation to Cyber Terrorism

• Terrorist groups make use of as tool and perhaps see as target to multiply physical attack (no incidents yet)
  - Terrorist groups al-Qaeda, Armed Islamic Group, Aum Shinrikyo, Hizballah, Hamas building up cyber skills
  - Uses: communications, organization, propaganda, recruiting, fund raising, research targets
  - Benefits: anonymity, accessibility
• U.S. govt. stated that other nations are greater cyber threat than terrorists

Actors

• U.S. Cyber Command (CYBERCOM) and NSA (joint director and location)
  - CYBERCOM coordinates and conducts activities to defend DoD networks and conduct full spectrum military cyberspace operations
  - Includes: training; situational awareness; create secure and resilient networks; build partnerships for collective defenses; integrate and deploy innovative capabilities

Actors (cont)

• Services (Army, Navy, AF, Marines) each have cyber unit to support CYBERCOM: Army Cyber Command, 10th Fleet, 24th Air Force, Marine Forces Cyber Command, Coast Guard Cyber Command
• Dept. Homeland Security (DHS) to defend civilian networks
• Some responsibilities for cyber security: Secret Service, FBI, Homeland Security Council, DoD, Office of Management and Budget (OMB)

Actors (cont)

• China: People’s Liberation Army (PLA); unknown whether large population of is affiliated
  - Report by U.S. Office of the National Counterintelligence Executive (Oct. 2011) identified China as most active in cyber espionage, though difficult to confirm ties to govt.
  - Pointed to ‘Project 863’ funding covert activities to acquire US technology and info.
  - Russian intelligence services also aggressive and capable

Actors (cont)

• Russia: Federal Security Service of Russian Federation (FSB); Federal Guard Service; General Staff
• UK: Office of Cyber Security (OCS); Cyber Security Operations Centre (CSOC)
• Israel: C4I Directorate of Israel Defense Force (IDF); Unit 8200 of Directorate of Military Intelligence
• Many emerging: Australia, France, , S. Korea, Estonia, Brazil

Actors (cont)

• Various non-state actors: script kiddies, malware writers, criminals, scammers, blackhats, hacktivists (e.g., )
• Cyber terrorists (debatable) aiming at violence, disruption, fear, confusion, for sake of political or ideological agenda

Motivations

• Asymmetric warfare: means for weaker nation to fight stronger nation through indirect tactics
  - Low cost of entry
• Potential payoffs are high
  - Much information available for espionage
  - Modern societies are more dependent on networks (vulnerable to disruption)
• Risks are low
  - Attribution is very difficult
  - International laws are not coordinated

Targets

• Critical infrastructures (communications, energy, transport, finance, human services)
• Govt. and military systems
• Defense contractors
• Industrial control systems
• Internet
  - Most of US gov’t and military communications travel over civilian networks
  - Servers, databases are easy targets

Historical Cases

• Is information warfare real? None formally declared

Year  Name                 Suspect             Nature
1998  Moonlight Maze       Russia              Espionage
2003  Titan Rain           China               Espionage
2006  Operation Shady RAT  China               Espionage
2007  Estonia              Russia (initially)  DDoS
2009  GhostNet             China               Espionage
2009  Night Dragon         China               Espionage
2010  Aurora               China               Espionage
2010  Stuxnet              US, Israel          Malware attack

Moonlight Maze

• 1998 Series of infiltrations into Pentagon, NASA, DoE, affiliated labs over 2 years
• Tens of thousands of files - military maps, US troop configurations, military hardware designs, naval codes
• Traced to mainframe in Russia but denied
  - Russia cooperated with DoD investigation

Titan Rain

• 2003 (disclosed in 2005) Series of intrusions into DoD, Sandia Nat. Labs, NASA, Redstone Arsenal military base, World Bank, defense contractors
• Military intelligence stolen - not classified but sensitive, e.g., Army helicopter specs, Falconview (flight planning software), aerospace documents
• Term “APT” (advanced persistent threat) created

Titan Rain (cont)

• Discovered by Sandia security expert
  - Tracked through chat rooms, servers, planted homemade bugging code in primary router to track all connections
  - Stolen files transmitted to zombie servers in S. Korea, Hong Kong, , before relaying to Guangdong (Chinese province)
  - Estimated 6-10 full time hackers
  - Red Alliance group suspected; unknown ties to PLA

Titan Rain (cont)

• Carpenter passed discoveries to Army and FBI
• When Sandia learned of activities, Sandia ordered Carpenter to stop
  - Illegal for American citizens to hack into foreign
  - When he persisted, he was fired and stripped of top secret clearance
  - Carpenter won law suit against dismissal

Shady RAT

• 2006 (disclosed 2011) McAfee report of 5 year cyber espionage by one actor (not identified but most assume China)
  - Compromised 72 defense contractors, various businesses, U.N., Int. Olympic Committee

Shady RAT (cont)

• Targets in U.S., Taiwan, S. Korea, Japan, Hong Kong, UK, Singapore, India, Germany (notably not China)

Shady RAT (cont)

• Stolen , contracts, proprietary business documents, source code, govt. secrets, SCADA configurations - maybe 1,000 TB data
  - Spear phishing installed RAT (remote access tool)
• Unspecified by McAfee but said detected by heuristic signatures (Generic BackDoor.t, Generic Downloader.x)
  - RAT opens backdoor to remote command & control (C&C) servers
• Interesting aspect is variety of targets, not techniques

Estonia

• 2007 Moving statue of Soviet soldier from capital to war cemetery caused Russian protests
• DDoS shut down hundreds of Estonian govt. services, news sites, e-commerce sites for 2 weeks
  - 3 waves of attacks April 26 - May 18
  - Peaked on May 9 with 4 million packet/sec launched by botnets

Estonia (cont)

• Estonia is highly wired
  - 60% population used Internet daily
  - 97% banking transactions done online
• Expected cyber attacks after moving statue but not at such scale
• Attacks were well coordinated, sustained, and effective (by Estonia standards)
  - Choice of govt. and business targets suggested political motive
  - Russia had motive, means, and opportunity

Estonia (cont)

• Estonia called on NATO for help, blaming Russia for “cyber war”
  - Some attacks traced to Russia but denied involvement
  - DDoS instructions discussed on Russian web forums
  - Botnets commonly owned by Russian crime gangs, e.g.
• NATO countries saw as serious but helped only with network security experts
  - Raised question whether cyber attacks qualify for “mutual defense” (Article 5) of NATO members

Estonia (cont)

• 19 year old student in Estonia arrested and fined, but clearly not solely responsible
  - Further investigations impeded by Russia’s lack of cooperation
• Russian govt. not directly linked but encouraged attacks through rhetoric
• Not clearly “cyber war” but opened eyes to potential effects of real cyber war

GhostNet

• 2008 Investigation by Info. Warfare Monitor (Canada) of alleged Chinese cyber espionage against uncovered very wide infections of ‘Gh0st RAT’ Trojan
  - Included Tibetan computers, ministries of foreign affairs and embassies in many countries
  - 1,295 infected computers in 103 countries reported to network of C&C servers
  - Gh0st RAT allowed remote, real-time, complete control
  - Spread by emails with attachments packed with exploit code

GhostNet (cont)

• For years, China-based hackers alleged to have penetrated govt. computers in US, UK, France, Germany, S. Korea, Taiwan
• China’s policy is “active defense” - cyber capabilities are major part of modern conflicts, and must be ready to respond to aggression immediately
• Gh0st RAT open source Trojan developed originally in China, later translated to English
• Network monitoring traced malware to C&C servers in China (8), US (1), Hong Kong (1)

GhostNet (cont)

• Many victims linked to Chinese foreign and defense policy, suggesting Chinese govt. involvement
  - Several IP traces to Island, home of Lingshui signals intelligence office and PLA 3rd Technical Dept

Night Dragon

• Feb 2011 McAfee revealed multi-year espionage to steal sensitive data from oil and energy companies
  - Stolen files related to oil and gas production, financial data related to field exploration and bidding
  - McAfee attributes origin to China based on techniques and tools used, network activities
  - Relatively unsophisticated range of methods

Night Dragon (cont)

Attack sequence:
1. Web server compromised, e.g., by SQL injection
2. Hacker tools installed on server, used to attack intranet
3. Password cracking gained authenticated access to data
4. RATs (e.g., zwShell) planted, connect to C&C servers
5. RAT used for more reconnaissance, compromises, data theft

Aurora

• 2009 Google announced 34 companies (Morgan Stanley, Intel, Adobe, Juniper, ...) attacked by China
  - Blog said attackers wanted to access gmail accounts of Chinese dissidents
  - Threatened to pull out of China and stop censoring search results
  - Worked with NSA to investigate
  - U.S. Secretary of State Hillary Clinton called on China to investigate but no official China response

Aurora (cont)

• Attackers used 0-day exploit for Internet Explorer and exploit for Perforce (source code revision software used by Google)
  - Victims lured to malicious web site by spear phishing
  - Also tricked victims with attachments - malicious PDFs
  - Installed ‘Hydraq’ Trojan - created backdoor to connect to C&C servers in Illinois, Texas, Taiwan
  - Variety of malware and several layers of encryption used to evade detection
  - Similar attacks seen on military systems before

White Paper: Protecting your Critical Assets [McAfee]

Executive Summary
As highlighted, advanced persistent threats (APT) are an increasingly common form of complex and directed attacks that use insidious techniques for gaining access to privileged systems and maintaining that access until all of the attackers’ goals and objectives have been met. Operation Aurora employed an APT technique that proved extremely successful in targeting, exploiting, accessing, and exfiltrating highly valuable intellectual property from its victims. This paper details Operation Aurora and provides some insight into what was learned and how to prevent such attacks from being successful in the future.

How Aurora Worked
Operation Aurora included numerous steps that all occurred invisibly in an instant from the ’s perspective. As you can see in the illustration below, without any apparent signs of malicious intent or actions, Operation Aurora completed its attack in six simple steps:
1. A targeted user received a link in email or instant message from a “trusted” source.
2. The user clicked on the link which caused them to visit a website hosted in Taiwan that also contained a malicious JavaScript payload.
3. The user’s browser downloaded and executed the malicious JavaScript, which included a zero-day Internet Explorer exploit.
4. The exploit downloaded a binary disguised as an image from Taiwan servers and executed the malicious payload.
5. The payload set up a backdoor and connected to command and control servers in Taiwan.
6. As a result, attackers had complete access to internal systems. They targeted sources of intellectual property, including software configuration management (SCM) systems accessible by the compromised system. The compromised system could also be leveraged to further penetrate the network.

[Figure 1. The complete steps of Operation Aurora’s attack: 1. link delivered by spear phishing; 2. web site in Taiwan serves malicious JavaScript; 3. 0-day Internet Explorer exploit compromises target; 4. malware disguised as image downloaded from Taiwan server; 5. backdoor connects to C&C servers in Taiwan; 6. attackers gain access to internal systems.]

Aurora (cont)

• Aurora tools similar to those on open Chinese hacker forums
• Later revealed attackers’ main goal was source code for Google password management program, Gaia
  - Google caught unprepared for breach
  - Companies do not specifically lock down source code management systems [McAfee]
  - Also targeted Google’s signing certificates but those too well protected

Stuxnet Discovery in 2010

• June 17: Stuxnet discovered by Belarus security company VirusBlokAda
• July 13: Stuxnet confirmed by Symantec and other antivirus companies
• July 19: Press report Stuxnet aimed at Siemens industrial control systems
• July 22: Most vulnerable systems are reportedly in
• Sept 7: Symantec report four Windows 0-day exploits to Microsoft
• Sept 24: Press speculated target was Iran’s nuclear plant
• Sept 25: Iran admitted 30k PCs infected but not nuclear plant
• Oct 5: Iran blamed US and Israel (no response; Siemens also)
• Nov 12: Symantec and PLC experts determined likely target was Iran’s Natanz uranium enrichment centrifuges

Stuxnet source code in the wild

Stuxnet (cont)

• Highly sophisticated, complex, stealthy malware
• Very selective - designed for a specific target
• Aimed beyond computers at industrial control systems for real world impact
  - Many believe target was Bushehr nuclear plant or Natanz uranium enrichment plant in Iran

Stuxnet’s Infection Path

Stuxnet spreads to PCs → Stuxnet infects Windows PC with Siemens WinCC/Step 7 software → WinCC/Step 7 software programs a Siemens Simatic Step 7 programmable logic controller (PLC) → Stuxnet infects PLC → PLC controls many types of equipment → various mechanical equipment in industrial control systems

What are PLCs

• PLCs are specialized computers for controlling automated equipment in industrial control systems (factories, assembly lines, critical infrastructures)
  - Rugged for different physical environments
  - Elaborate input/output arrangements but no keyboard, optical drive, monitor
  - Run a single specific-purpose, real-time application
  - Programmed by Windows PCs, then operate by themselves

Programming a PLC

Fig. 1. A typical PLC architecture:
• Programming device (Windows PC running Siemens WinCC/Step 7, i.e., Siemens Simatic Step 7) loads program into PLC, then PLC operates by itself
• PLC: CPU, memory, inputs, outputs, communication with other PLCs
• Inputs from sensing devices (temperatures, gas pressures, etc.)
• Outputs to load devices (motors, valves, drives, pumps) in factories, assembly lines, manufacturing plants, etc.

However, Stuxnet goes through numerous checks on the host configuration including whether:
• any of numerous antivirus software products are present and circumventable;
• the operating system is one of the targeted versions of Windows;
• the PC is not 64-bit;
• a certain registry key (suspected to be a type of infection marker) is not a specific value;
• the current date is earlier than June 24, 2012.
The infection process will stop at any point if a check fails. In order to load malicious code to a Simatic S7 PLC, Stuxnet replaces the s7otbxdx.dll file on an infected PC with a malicious version. The s7otbxdx.dll file handles reading and writing blocks between the PC and PLC. The malicious version of this file loads malicious blocks to the PLC and conceals the presence of the malicious blocks from the user. However, the infection of the PLC is carried out only after checking:
• the type of CPU is the targeted one;
• the presence of Profibus (a standard industrial network bus);

Stuxnet Spreading Methods

• Initial infection probably by infected USB flash drive
  - Creators knew industrial control system networks are not Internet-connected
• Once introduced, Stuxnet spread aggressively to PCs by multiple ways through LAN
  - Creators knew industrial control systems usually connected by LANs
  - Ultimately aiming for PCs programming a Siemens Simatic Step 7 PLC

Vulnerabilities Exploited

TABLE I
VULNERABILITIES EXPLOITED BY STUXNET

Reference                  | Vulnerability                                                                                            | Potential impact
MS08-067 (CVE-2008-4250)   | Windows Server service not properly handling specially crafted RPC requests                              | Remote code execution
MS10-046 (CVE-2010-2568)*  | Windows Shell incorrectly parses shortcuts when displaying icon of specially crafted shortcut             | Remote code execution
MS10-061 (CVE-2010-2729)*  | Windows Print Spooler service insufficiently restricts user permissions to access shared print spoolers  | Remote code execution
MS10-073*                  | Multiple vulnerabilities in Windows kernel-mode drivers                                                  | Escalation of privilege
MS10-092 (CVE-2010-3338)*  | Windows Task Scheduler improperly validates whether scheduled tasks run in intended security context     | Escalation of privilege
CVE-2010-2772              | Hard-coded password in Siemens Simatic WinCC and PCS 7 SCADA systems                                     | Local access to back-end database

* 0-day exploits

Stuxnet’s payload is an inauspicious omen for future malware in the smart grid. Stuxnet was clearly meant to affect the real world through industrial control systems. Malware in the smart grid may have a direct impact on the generation, transmission, and distribution of energy as well as any systems interfacing to the smart grid such as electric vehicles and home appliances. As more things become dependent on the smart grid, the scope for potential physical damage becomes boundless.

IV. METHODS OF SPREADING

The initial infection vector is suspected to be a removable drive because the target network was not connected to the Internet. A copy of Stuxnet may have been introduced into the target network on an infected USB flash drive. Once a PC has been infected, Stuxnet uses various means to spread through local networks to other PCs [11], [12]. The vulnerabilities exploited by Stuxnet are listed in Table I.

A. Removable Drives

Stuxnet’s use of removable drives as an infection vector is interesting for its unusualness. The earliest computer viruses spread by floppy disks before the invention of the Internet; since then, most malware have found it convenient to spread through the Internet. Stuxnet’s reliance on removable drives suggests that the creators knew that the target PCs would not be reachable by the Internet.

Exploits (cont)

Infection chain: infected USB flash drive → (MS10-046) → infected PC → spread within LAN via MS08-067 (shared folders), MS10-061 (shared printers), MS10-073 and MS10-092 (privilege escalation), CVE-2010-2772 (WinCC database) → target PLC

Infection to Siemens Step 7 PLC

• On infected PC, Stuxnet replaces a certain .DLL file with a malicious .DLL file
• This .DLL file monitors and intercepts all communications between PC and PLC
• If specific conditions on PLC are detected, Stuxnet on PC installs malicious code blocks onto PLC, unseen by PC operator

Intention of Payload on PLC

• Malicious code in PLC appears to affect speed of specific types of variable-frequency power supplies (if connected to PLC)
  - High quality, high frequency, variable-frequency power supplies are export controlled in US because they can be used in gas centrifuge uranium enrichment plants
• Stuxnet makes specific changes to frequencies (coincides with frequencies of centrifuges used in Iran’s Natanz uranium enrichment plant)
• If target was Natanz, sabotage would have damaged high-speed centrifuges

Was Stuxnet a ‘Cyber Weapon’?

Comparison to Previous Malware

                                  | Stuxnet                                  | Common malware
Targeting                         | Very selective - Siemens Simatic S7 PLC  | Indiscriminate
Type of target                    | Industrial control system                | Computers
Size                              | 500 KB                                   | Slammer = 376 bytes; 37 KB
Probable initial infection vector | Removable flash drive                    | Internet and other networks
Exploits                          | Four 0-day exploits                      | Possibly one 0-day

Size (Complexity)

[Bar chart, Kbytes 0 to 500: Stuxnet is unusually large and complex compared with Conficker, Nimda, MyDoom, Code Red, Slammer]

Exploits

• Stuxnet used four 0-day exploits
  - Vulnerabilities are unknown to vendor, therefore no patch is available
  - 0-day exploits are highly valued by attackers; only used for valuable targets
• Previous worms used mostly known exploits (available patches), perhaps one 0-day exploit
  - 1988 Morris worm: 3 known exploits (no 0-day)
  - 2001 Nimda worm: 5 known exploits (no 0-day)

Stealth

• Stealth important to buy time to reach target before detection
• Stuxnet used multiple stealth mechanisms
  - Some novel, some known
  - Considerable effort invested in stealth

Stealth (cont)

• Infected USB flash: Stuxnet files look like innocent .lnk files, undetected by antivirus
• Infected PC:
  - Stuxnet inserts malicious kernel drivers signed with 2 stolen digital certificates - bypasses normal Windows Vista and Windows 7 protection against unsigned drivers
  - Stuxnet installs itself as .DLL in novel way, recognized as legitimate programs
  - Stuxnet loads itself into trusted processes - bypasses “behavior-based” antivirus looking for malicious DLLs
• Target PLC

Stealth (cont)

• Infected PC with Siemens WinCC/Step 7: Stuxnet replaces legitimate .DLL with Trojan version used to monitor connection with PLC
• Siemens Simatic Step 7 PLC: if intended target is detected, Stuxnet writes malicious code blocks to PLC without detection by PC operator

Was Stuxnet “Cyber Weapon”?

• Circumstantial reasons for suspicion:
  - Very selective about infection target
  - Payload carries out very specific actions
  - Vulnerable targets mostly in Iran
  - Highly technical inside knowledge of target
  - Enormous resources spent on development
• All implies a very resourceful group went to great efforts to reach one very valuable target

Biggest difference: Stuxnet aimed at specific physical target for real world impact, not computers

Stuxnet Target?

From Symantec’s W32.Stuxnet Dossier (Security Response):

“We have observed over 40,000 unique external IP addresses, from over 155 countries. Looking at the percentage of infected hosts by country, shows that approximately 60% of infected hosts are in Iran:”

[Figure 3. Geographic distribution of infections]

“Symantec aims to identify those observed hosts which have the Siemens Step 7 software installed. The following chart shows the percentage of infected hosts by country with the Siemens software installed.”

[Figure 4. Percentage of Stuxnet infected hosts with Siemens software installed]

“Looking at newly infected IP addresses per day, on August 22 we observed that Iran was no longer reporting new infections. This was most likely due to Iran blocking outward connections to the command and control servers, rather than a drop-off in infections.” [Symantec]

• Infected hosts observed through Stuxnet traffic sent to its C&C servers
• Hence speculation that target was Bushehr nuclear plant or Natanz uranium enrichment plant in Iran

Stuxnet Target? (cont)

• Copies of Stuxnet kept history of infected machines
• Symantec traced original infection to 5 organizations in Iran
  - Stuxnet spread quickly beyond Iran because of aggressive 0-day exploits used

Specificity

• Infects Windows PC with Siemens WinCC/Step 7 only if:
  - Recognizes antivirus software and able to circumvent
  - Version of Windows is vulnerable
  - PC is not 64-bit
  - Certain registry key not a specific value (suspected to be type of infection marker)
  - Current date is earlier than June 24, 2012

Specificity (cont)

• Infects Siemens Simatic Step 7 PLC only if:
  - Siemens 315 PLC (small general purpose) or Siemens 417 PLC (top of line)
  - Presence of S7-300 CPU
  - Presence of CP-342-5 Profibus (a standard network bus)
  - Presence of at least 33 frequency drives made by Fararo Paya (Iran) or Vacon (Finland), operating at 807-1,210 Hz
• Typical for frequency drives used in nuclear plants (and export controlled by US)

Stuxnet’s Target

From “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History”, Threat Level, Wired.com, 11/07/2011 16:58:

Things changed as e-commerce took hold, and hackers began to focus on financial gain for their payloads — stealing credit card data, online banking credentials and corporate secrets. More recently, attacks have evolved to so-called advanced persistent threats — where attackers, some state-sponsored, patiently worked their way deep into a network and sat there months or years silently siphoning national secrets, source code and other sensitive data.

Stuxnet was different from all of these. It wasn’t an evolution in malware, but a revolution. The idea that someone would create such a sophisticated worm to slither blindly through networks in search of a single target was “leaps and bounds” beyond what the Symantec researchers had expected. “I could work in this industry for another twenty years and never see another project like this,” O Murchu said recently.

“We were expecting something to be espionage, we were expecting something to steal credit card numbers…. But we weren’t expecting this.” – Eric Chien

By the end of September, Symantec was slowly building a profile of Stuxnet’s target.

Falliere had reverse-engineered the code that Stuxnet was injecting into the PLC and knew the malware was resetting the value of something connected to the device, but he had no idea what was on the receiving end of these commands or what the changed values would do. It was like watching tracer bullets fly through the night sky without seeing what they hit.

They had already discovered that the specific system Stuxnet targeted used the Profibus standard to communicate. They also noticed that the virus searched for a specific value — 2C CB 00 01 — before deciding to attack its target PLC. They had a hunch this might be some kind of ID the Step7 system assigned to a hardware part, so they set up a simulated Step7 PLC environment, and began plugging in parts. The reference value finally popped up when they attached a Profibus network card.

But there were two numbers Stuxnet sought that were still a mystery — 9500h and 7050h. Neither showed up when they plugged in hardware parts to their simulated system, nor did Google searches on the numbers produce anything.

Then a breakthrough came in November 2010.

The researchers had put out a request on their blog asking for anyone with experience in Profibus and critical infrastructures to contact them, and a Dutch programmer named Rob Hulsebos wrote back. Most of his e-mail discussed information the researchers already knew, but one line stood out. Every Profibus component had to have a unique ID that was a word long, Hulsebos wrote. It suddenly occurred to Chien that the two mystery numbers were manufacturer IDs.

He and O Murchu searched online for Profibus documentation and found a PDF with a list of specs for devices used with Profibus network cards. At the bottom of the list were the two mystery numbers Stuxnet sought. They were product IDs for two types of frequency converters made in Finland and Iran. The first, 9500h, referred to Vacon NX frequency converters made by Vacon in Finland, and the second, 7050h, referred to an unspecified frequency converter made by Fararo Paya in Iran.

Frequency converters modulate the speed of motors and rotors in things like high-speed drills that are used to cut metal parts in factories and in paper mills to force pulp through a grate. Increase the frequency of the drive, and the rotor increases its spin. In the Profibus documentation the researchers found online, they discovered a list of commands to control frequencies; they matched exactly the commands that were written in Stuxnet.

“The STL code [in Stuxnet] was sending down things like ‘word 47F and 1!,” Chien recalls. “And you look at the frequency converter [manual], and it says, ‘To start the frequency converter, send down the word 47F and set this value to 1. We were speechless.”

Based on information in Stuxnet’s code, Stuxnet was targeting a facility that had 33 or more of the frequency converter drives installed, all operating at between 807Hz and 1,210Hz.

[Graphic: Symantec. PLC with Profibus-connected frequency converters: Stuxnet searches for a facility that has a minimum of 33 frequency converters installed.]
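The target profile from the Specificity (cont) slide and the Wired passage above (Siemens 315/417 PLC, CP 342-5 Profibus module, 33 or more Vacon or Fararo Paya drives at 807-1,210 Hz, Profibus IDs 9500h and 7050h) can be turned around into a defender's exposure check: given a plant's PLC inventory, report which of the fingerprint conditions are present. This is an added example written for this tutorial, not code from the slides, Symantec or Siemens; the inventory classes and the sample plants are constructed assumptions.

```python
"""Exposure check against the Stuxnet PLC target profile described on the slides.

Added example for this tutorial (not Symantec's or Siemens' code). The profile is
taken from the text: Siemens 315 or 417 PLC, CP 342-5 Profibus module, and at
least 33 frequency converters from Vacon (Profibus ID 9500h) or Fararo Paya
(7050h) operating between 807 and 1,210 Hz. The inventory format is assumed.
"""
from dataclasses import dataclass, field
from typing import List

# Profibus product IDs named in the Wired excerpt (9500h = Vacon NX, 7050h = Fararo Paya)
TARGETED_DRIVE_IDS = {0x9500: "Vacon NX", 0x7050: "Fararo Paya"}
MIN_DRIVES = 33
FREQ_MIN_HZ, FREQ_MAX_HZ = 807, 1210
TARGETED_PLC_MODELS = {"315", "417"}
PROFIBUS_MODULE = "CP 342-5"


@dataclass
class Drive:
    profibus_id: int     # product ID the drive reports on the Profibus bus
    frequency_hz: float  # configured operating frequency


@dataclass
class PlcInventory:
    name: str
    plc_model: str                                   # "315", "417", "314", ...
    modules: List[str] = field(default_factory=list)
    drives: List[Drive] = field(default_factory=list)


def matching_drives(inv: PlcInventory) -> List[Drive]:
    """Drives of a targeted vendor running inside the 807-1,210 Hz band."""
    return [d for d in inv.drives
            if d.profibus_id in TARGETED_DRIVE_IDS
            and FREQ_MIN_HZ <= d.frequency_hz <= FREQ_MAX_HZ]


def assess(inv: PlcInventory) -> dict:
    """Report which profile conditions the PLC meets. full_match means every
    condition the slides say Stuxnet checked before writing blocks is present."""
    met = []
    if inv.plc_model in TARGETED_PLC_MODELS:
        met.append(f"Siemens {inv.plc_model} PLC")
    if PROFIBUS_MODULE in inv.modules:
        met.append(f"{PROFIBUS_MODULE} Profibus module")
    hits = matching_drives(inv)
    if len(hits) >= MIN_DRIVES:
        vendors = sorted({TARGETED_DRIVE_IDS[d.profibus_id] for d in hits})
        met.append(f"{len(hits)} targeted drives in band ({', '.join(vendors)})")
    return {"plc": inv.name, "conditions_met": met, "full_match": len(met) == 3}


def exposed_plcs(inventories: List[PlcInventory]) -> List[str]:
    """Names of PLCs whose configuration fully matches the target profile."""
    return [a["plc"] for a in map(assess, inventories) if a["full_match"]]


# Constructed sample inventories (not real plant data)
ENRICHMENT_LIKE = PlcInventory(          # every condition present
    "cascade-A", "315", ["CP 342-5"],
    [Drive(0x9500, 1064.0)] * 20 + [Drive(0x7050, 1064.0)] * 15)
LOW_FREQ_PLANT = PlcInventory(           # same vendors, but a 50 Hz line: no match
    "conveyor-B", "315", ["CP 342-5"], [Drive(0x9500, 50.0)] * 40)
WRONG_CPU = PlcInventory(                # right drives, untargeted PLC model
    "pump-C", "314", ["CP 342-5"], [Drive(0x7050, 900.0)] * 33)
TOO_FEW = PlcInventory(                  # only 32 in-band drives
    "test-rig-D", "417", ["CP 342-5"], [Drive(0x9500, 807.0)] * 32)

if __name__ == "__main__":
    for inv in (ENRICHMENT_LIKE, LOW_FREQ_PLANT, WRONG_CPU, TOO_FEW):
        print(assess(inv))
```

A partial match (for example the drives without the CP 342-5 module) is still worth recording, since the slides list these as separate checks and a later malware variant need not use all of them.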

http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

Inside Knowledge

• Previous malware aimed at well known Windows or Unix computers • Stuxnet creators knew - Specific network environment of target - Programming of Siemens Simatic PLCs - Exact type of equipment (frequency drives) loaded on target PLC

TC/Globecom2011/12-9-11 p. 62 Level of Effort

• Symantec estimates 5-10 people working up to 6 months - Code shows diversity of programming languages and skills - With access to industrial control systems, specifically Siemens Simatic S7 PLCs • Security experts estimate at least one million dollars cost

Effort and target suggest political motive

TC/Globecom2011/12-9-11 p. 63 Successful?

• Destruction - no; delays - probably • Iranian officials had acknowledged delays at Bushehr and Natanz • Jan. 2010 International Atomic Energy Agency inspectors had noticed a very high number of failed centrifuges at Natanz • Head of Israel’s intelligence stated unspecified malfunctions had set back Iran’s ability to create a nuclear weapon until 2015

TC/Globecom2011/12-9-11 p. 64 Attack Techniques

TC/Globecom2011/12-9-11 p. 65 Section Outline

• Reconnaissance • Intrusions • Stealth • Persistent control • Distributed denial of service

TC/Globecom2011/12-9-11 p. 66 Reconnaissance

TC/Globecom2011/12-9-11 p. 67 Reconnaissance

• Learn information about targets before attack - Scanning • Pings (see if host is online) • Network mapping (discover network topology) • Port scanning (see if host is listening) • Operating system identification (discover host’s OS) - Vulnerability scanning • Scans are easily detectable but not necessarily considered malicious - Military systems are constantly probed

TC/Globecom2011/12-9-11 p. 68 Scanning - Pings

• Ping sweeps (“ICMP echo request” messages) scan a block of IP addresses for live hosts • Easy to detect, and the source address cannot be spoofed (the reply must reach the scanner) - But attacker might send pings with spoofed addresses to create confusion - Scans can alternatively be done with TCP SYN, TCP resets, or other types of packets - less conspicuous to detect

TC/Globecom2011/12-9-11 p. 69 Network Mapping

• Traceroute maps network topology - Series of UDP packets with time-to-live (TTL) field set to 1, 2, etc. - “ICMP time exceeded” messages are returned by routers, revealing their addresses and distances • Many tools: Sam Spade, CyberKit, NetScanTools, iNetTools, Cheops

TC/Globecom2011/12-9-11 p. 70 Network Mapping (cont)

Example of network mapping by Cheops

TC/Globecom2011/12-9-11 p. 71 Port Scanning

• Probing well known TCP/UDP ports reveals services running on targets - Examples: TCP 80 = HTTP; UDP 53 = DNS; TCP 25 = SMTP • Also, some ports in the higher range are known to be used for backdoors and Trojan horses - E.g., list at www.emsisoft.com/en/kb/portlist/ • Many tools: Nmap, Strobe, Ultrascan, Netcat, SuperScan, WinScan

TC/Globecom2011/12-9-11 p. 72 Port Scanning (cont)

Nmap user interface and options

Advanced Scanning Functions Overview

Nmap supports a number of user selectable scan types. By default, Nmap will perform a basic TCP scan on each target system. In some situations, it may be necessary to perform more complex TCP (or even UDP) scans in an attempt to find uncommon services or to evade a firewall. These advanced scan types are covered in this section.

Summary of features covered in this section:

Feature                    | Option
TCP SYN Scan               | -sS
TCP Connect Scan           | -sT
UDP Scan                   | -sU
TCP NULL Scan              | -sN
TCP FIN Scan               | -sF
Xmas Scan                  | -sX
TCP ACK Scan               | -sA
Custom TCP Scan            | --scanflags
IP Protocol Scan           | -sO
Send Raw Ethernet Packets  | --send-eth
Send IP Packets            | --send-ip

Note: You must login with root/administrator privileges (or use the sudo command) to execute many of the scans discussed in this section.

Port Scanning Options Overview

There are a total of 131,070 TCP/IP ports (65,535 TCP and 65,535 UDP). Nmap, by default, only scans 1,000 of the most commonly used ports. This is done to save time when scanning multiple targets as the majority of ports outside the top 1000 are rarely used. Sometimes, however, you may want to scan outside the default range of ports to look for uncommon services or ports that have been forwarded to a different location. This section covers the options which allow this and other port specific features.

Tip: A complete list of TCP/IP ports can be found on the IANA website at www.iana.org/assignments/port-numbers.

Summary of features covered in this section:

Feature                         | Option
Perform a Fast Scan             | -F
Scan Specific Ports             | -p [port]
Scan Ports by Name              | -p [name]
Scan Ports by Protocol          | -p U:[UDP ports],T:[TCP ports]
Scan All Ports                  | -p "*"
Scan Top Ports                  | --top-ports [number]
Perform a Sequential Port Scan  | -r

TC/Globecom2011/12-9-11 p. 73 Port Scanning (cont)

Nmap example TCP SYN scan

TCP SYN Scan: The -sS option performs a TCP SYN scan.

Usage syntax: nmap -sS [target]

    # nmap -sS 10.10.1.48

    Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-25 11:01 CDT
    Interesting ports on 10.10.1.48:
    Not shown: 994 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    111/tcp  open  rpcbind
    2049/tcp open  nfs
    MAC Address: 00:0C:29:D5:38:F4 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds

Performing a TCP SYN scan

The TCP SYN scan is the default option for privileged users (users running as root on Unix/Linux or Administrator on Windows). The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports by sending a SYN packet to the target and listening for a response. This type of scan is said to be stealthy because it does not attempt to open a full-fledged connection to the remote host. This prevents many systems from logging a connection attempt from your scan.

Note: Stealth operation is not guaranteed. Modern packet capture programs and advanced firewalls are now able to detect TCP SYN scans.

TC/Globecom2011/12-9-11 p. 74 Vulnerability Scans

• Some types of vulnerabilities: - Default security settings: default accounts and passwords are sometimes not changed - Misconfiguration errors: incorrect settings may weaken security - Well-known vulnerabilities: critical vulnerabilities are published by vendors with patches, but patches may not be applied

TC/Globecom2011/12-9-11 p. 75 Vulnerability Scans (cont)

• Many tools: Nessus, SATAN, SARA, SAINT, McAfee CyberCop ASaP, TigerSuite Pro, ISS Internet Scanner, eEye Digital Retina Scanner, Cisco Secure Scanner - Typically discover hosts by ping, then probe for open ports and specific vulnerabilities - Vulnerability scans are easily detectable when certain ports are probed (e.g., TCP port 23 Telnet, TCP port 25 SMTP, TCP port 79 finger,...)

TC/Globecom2011/12-9-11 p. 76 Vulnerability Scans (cont)

• Several sites publish vulnerabilities (cve.mitre.org, nvd.nist.org, www.kb.cert.org, securityfocus.com, secunia.com, us-cert.gov, sans.org,...) - Identified by CVE (common vulnerabilities and exposures) numbers, coordinated by MITRE

Example CVE entry:

Name: CVE-1999-0002
Status: Entry
Reference: SGI:19981006-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I
Reference: CERT:CA-98.12.mountd
Reference: CIAC:J-006
Reference: URL:http://www.ciac.org/ciac/bulletins/j-006.shtml
Reference: BID:121
Reference: URL:http://www.securityfocus.com/bid/121
Reference: XF:linux-mountd-bo

Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.

TC/Globecom2011/12-9-11 p. 77 Vulnerability Scans (cont)

Vulnerability Scanner

[Figure: vulnerability scanner architecture. A GUI for user configuration drives a scanning engine backed by a vulnerability database; the engine keeps the state of the current scan, (1) runs basic scans to discover open ports on the targets, (2) sends customized probes to discover vulnerabilities, and produces a report.]

TC/Globecom2011/12-9-11 p. 78 Vulnerability Scans (cont)

Nessus output

TC/Globecom2011/12-9-11 p. 79 OS Detection

• “TCP stack fingerprinting” tries to discover details of target’s operating system - Different OS’s have specific vulnerabilities • TCP protocol is standardized but responses to illegal TCP packets are not - Operating systems respond differently to illegal TCP packets - Scans are detectable by TCP packets with strange flag combinations or options • Tools: Nmap, Cheops, NetScanTools
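A defender's view of the port scanning and OS detection slides above: scans leave two signatures, a single source touching many destination ports and TCP probes with flag combinations no conforming stack ever sends (NULL, FIN, Xmas). The following added example (not code from the tutorial) runs both checks over a constructed packet sample; the addresses, thresholds and traffic are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Standard TCP header flag bits. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

/* One observed packet, reduced to the fields the detector needs. */
struct packet {
    const char *src;        /* source address */
    unsigned short dport;   /* destination port */
    unsigned char flags;    /* TCP flags */
};

/* Constructed sample traffic (not a real capture; 192.0.2.0/24 is the
 * documentation range). 192.0.2.10 is an ordinary web client; 192.0.2.77
 * SYN-probes twelve ports and then sends NULL, FIN and Xmas probes. */
static const struct packet SAMPLE[] = {
    {"192.0.2.10", 80,  TH_SYN},
    {"192.0.2.10", 80,  TH_ACK},
    {"192.0.2.10", 443, TH_SYN},
    {"192.0.2.10", 443, TH_FIN | TH_ACK},          /* normal teardown */
    {"192.0.2.77", 21,  TH_SYN}, {"192.0.2.77", 22,  TH_SYN},
    {"192.0.2.77", 25,  TH_SYN}, {"192.0.2.77", 53,  TH_SYN},
    {"192.0.2.77", 80,  TH_SYN}, {"192.0.2.77", 110, TH_SYN},
    {"192.0.2.77", 111, TH_SYN}, {"192.0.2.77", 135, TH_SYN},
    {"192.0.2.77", 139, TH_SYN}, {"192.0.2.77", 143, TH_SYN},
    {"192.0.2.77", 443, TH_SYN}, {"192.0.2.77", 445, TH_SYN},
    {"192.0.2.77", 23,  0},                        /* NULL scan: no flags */
    {"192.0.2.77", 25,  TH_FIN},                   /* FIN scan: FIN, no ACK */
    {"192.0.2.77", 80,  TH_FIN | TH_PSH | TH_URG}, /* Xmas scan */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Flag combinations a conforming TCP stack never emits. The standard does
 * not say how to answer them, which is why OS fingerprinting sends them and
 * why their presence alone is a strong scan indicator. */
int is_anomalous_flags(unsigned char f)
{
    if (f == 0)                                       return 1; /* NULL */
    if ((f & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)) return 1; /* SYN+FIN */
    if ((f & (TH_SYN | TH_RST)) == (TH_SYN | TH_RST)) return 1; /* SYN+RST */
    if ((f & TH_FIN) && !(f & TH_ACK))                return 1; /* FIN, Xmas */
    return 0;
}

/* Number of distinct destination ports touched by one source. */
int distinct_ports(const struct packet *p, size_t n, const char *src)
{
    unsigned short seen[256];
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(p[i].src, src) != 0) continue;
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (seen[j] == p[i].dport) { dup = 1; break; }
        if (!dup && count < 256) seen[count++] = p[i].dport;
    }
    return count;
}

/* Number of packets from one source with impossible flag combinations. */
int count_anomalous(const struct packet *p, size_t n, const char *src)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(p[i].src, src) == 0 && is_anomalous_flags(p[i].flags))
            count++;
    return count;
}

/* Verdict: a source is flagged as scanning when it touches more than
 * port_threshold distinct ports or sends any malformed probe. */
int is_scanner(const struct packet *p, size_t n, const char *src, int port_threshold)
{
    return distinct_ports(p, n, src) > port_threshold
        || count_anomalous(p, n, src) > 0;
}

int main(void)
{
    const char *hosts[] = {"192.0.2.10", "192.0.2.77"};
    for (int i = 0; i < 2; i++)
        printf("%s: %d distinct ports, %d malformed probes -> %s\n", hosts[i],
               distinct_ports(SAMPLE, SAMPLE_LEN, hosts[i]),
               count_anomalous(SAMPLE, SAMPLE_LEN, hosts[i]),
               is_scanner(SAMPLE, SAMPLE_LEN, hosts[i], 10) ? "SCAN" : "ok");
    return 0;
}
```

A real sensor would add a time window to the port count, since a slow scan spread over hours stays under any per-minute threshold.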

TC/Globecom2011/12-9-11 p. 80 OS Detection (cont)

Nmap example [Howlett, ch. 4, “Uses for Port Scanners”]

(not as a pretty Web page), but you will be able to verify that a server is running there. You can do similar things with other services such as FTP or SMTP. In the UNIX version, Nmap also color codes the ports found according to what they are (see Table 4.8). As you can see from Figure 4.3, this output lets you scan a report and quickly determine whether there are any services or ports you should be concerned with. This doesn’t mean you should ignore any unusual numbers that aren’t highlighted or bolded (in UNIX versions). Trojan horses and chat software often show up as unknown services, but you can look up a mystery port in the list of common ports in Appendix C or cross-reference it against a list of known bad ports to quickly determine if the open port is anything to be concerned about. If you can’t find it anywhere, you have to wonder what strange service is running on that machine that doesn’t use a well-known port number.

Table 4.8 Nmap Output Color Coding

Colors      | Descriptions
Red         | This port number is assigned to a service that offers some form of direct logon to the machine, such as Telnet or FTP. These services are often the most attractive to hackers.
Blue        | This port number represents mail service such as SMTP or POP. These services are also often the subject of hackers’ attacks.
Bold black  | These are services that can provide some information about the machine or operating system such as finger, echo, and so on.
Plain black | Any other services or ports identified.

Figure 4.3 Nmap Output

TC/Globecom2011/12-9-11 p. 81 Sniffing

• Many free and commercial sniffers, e.g., Snort, Wireshark, tcpdump, dsniff - Allow attacker to intercept and log packets, easiest on wired or wireless LANs • FBI developed Carnivore (replaced by commercial NarusInsight) • Echelon system rumored to intercept satellite signals (by US, UK, Australia, Canada, New Zealand) • Room 641A rumored to intercept Internet backbone packets (by AT&T for NSA)

TC/Globecom2011/12-9-11 p. 82 Deep Packet Inspection (DPI)

• Capability of network equipment (firewalls, intrusion detection systems, packet analyzers) to decode entire packet payloads up to layer 7 • Difficulties - Keeping state information for connections - Encrypted payloads - Unusual port numbers

TC/Globecom2011/12-9-11 p. 83 Intrusions

TC/Globecom2011/12-9-11 p. 84 Intrusions

Intrusions

[Figure: taxonomy of intrusions]
- Password attacks (example: John the Ripper)
- Social engineering (example: spear phishing)
- Exploits of vulnerabilities (examples: buffer overflow, SQL injection)
- Malware (examples: Trojans, bots, worms)

TC/Globecom2011/12-9-11 p. 85

Intrusions (cont)

[Figure: 2011 Sampling of Security Breaches by Attack Type, Time and Impact, Feb 2011 to Aug 2011. Attack types: SQL injection, URL tampering, spear phishing, 3rd party software, DDoS, SecureID, unknown. Organizations shown include Bethesda Software, Northrop Grumman, IMF, Fox News, Citigroup, Sega, Gmail accounts, Epsilon, PBS, Booz Allen Hamilton, Sony, SOCA, Monsanto, HB Gary, RSA, Lockheed Martin, Nintendo, L3 Communications, Sony BMG, SK Communications, NATO, US Senate and several national government and police sites. Size of circle estimates relative impact of breach in terms of cost to business; conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.]

[IBM X-Force 2011 Midyear Trend Report] TC/Globecom2011/12-9-11 p. 86

2011 Cyber Attacks (and Cyber Costs) Timeline (Updated): http://paulsparrows.wordpress.com/2011/06/28/2011-cyber-attacks-and-cyber-costs-timeline-updated/
http://blog.thomsonreuters.com/index.php/cyber-attacks-timeline-graphic-of-the-day/
http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher

Password Attacks

• Password attacks are easy to carry out, surprisingly successful • 2009 Imperva analyzed 32 million passwords - 50% used names, common words, slang, or trivial characters (e.g., 123456) - 65% use 8 or fewer characters - Vulnerable to dictionary attacks (variations of common words) • Also, people tend to re-use same password for different accounts

TC/Globecom2011/12-9-11 p. 87 Password Attacks (cont)

Top 20 Rockyou.com passwords [Imperva]

Consumer Password Worst Practices (Imperva white paper)

3. Recommendation: It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address. Almost all of the 5000 most popular passwords, that are used by a share of 20% of the users, were just that – names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”. The runner up is “12345”. The following table depicts the top 20 common passwords in the database list:

Password Popularity – Top 20 (number of users with password, absolute)

Rank | Password  | Users  | Rank | Password | Users
1    | 123456    | 290731 | 11   | Nicole   | 17168
2    | 12345     | 79078  | 12   | Daniel   | 16409
3    | 123456789 | 76790  | 13   | babygirl | 16094
4    | Password  | 61958  | 14   | monkey   | 15294
5    | iloveyou  | 51622  | 15   | Jessica  | 15162
6    | princess  | 35231  | 16   | Lovely   | 14950
7    | rockyou   | 22588  | 17   | michael  | 14898
8    | 1234567   | 21726  | 18   | Ashley   | 14329
9    | 12345678  | 20553  | 19   | 654321   | 13984
10   | abc123    | 17542  | 20   | Qwerty   | 13856

TC/Globecom2011/12-9-11 p. 88 Password Attacks (cont)

If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts. And the problem is exponential. After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts. The following diagram depicts the expected effectiveness of attacks using a small, carefully chosen, attack dictionary:

[Figure: Accumulated Percent of Dictionary Attack Success (hypothetical, against the 32 million passwords studied); y-axis 0% to 20% success, x-axis 1 to 4655 number of password tries]

Imperva White Paper < 4 >

TC/Globecom2011/12-9-11 p. 89 Password Attacks (cont)

• Historically, the Unix password file was readable by anyone - Intruders try to copy the password file and run password cracking tools, e.g., Ophcrack, L0phtCrack (aka LC5), John the Ripper, Crack, Nutcracker, Lincrack - Passwords are stored hashed (the hash cannot be reversed to recover the password), but a guess can be hashed and compared to the hash in the password file - if matched, then the password is guessed • Modern password policies prevent easily guessed passwords
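The Imperva recommendation quoted above (no names, dictionary words, consecutive digits, adjacent keyboard keys, or parts of the user's name or e-mail) and the policy point in the last slide can be enforced at password-change time. The following added example (not from the tutorial or Imperva) implements those checks; the blocklist is the top-20 table from this page, and the keyboard rows, the 8-character limit and the test user's personal tokens are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Reasons a password is rejected (bit flags, combinable). */
#define WEAK_SHORT     1   /* 8 or fewer characters (65% of leaked passwords) */
#define WEAK_BLOCKLIST 2   /* on the leaked-password list */
#define WEAK_KEYRUN    4   /* consecutive digits or adjacent keyboard keys */
#define WEAK_PERSONAL  8   /* contains part of the user's name or e-mail */

/* Blocklist: the top-20 RockYou passwords from the Imperva table on this
 * page. A deployment would load the full top-5000 list instead. */
static const char *BLOCKLIST[] = {
    "123456", "12345", "123456789", "Password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "Nicole", "Daniel",
    "babygirl", "monkey", "Jessica", "Lovely", "michael", "Ashley",
    "654321", "Qwerty"
};

/* Keyboard rows for detecting runs like "qwerty", "asdfgh" or "654321". */
static const char *KEY_ROWS[] = {"1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"};

/* Constructed personal tokens for a test user (name and e-mail local part). */
static const char *PERSONAL[] = {"Jessica", "smith"};

/* Case-insensitive substring test; returns 1 if needle occurs in hay. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t hn = strlen(hay), nn = strlen(needle);
    if (nn == 0 || nn > hn) return 0;
    for (size_t i = 0; i + nn <= hn; i++) {
        size_t k = 0;
        while (k < nn && tolower((unsigned char)hay[i + k]) ==
                         tolower((unsigned char)needle[k]))
            k++;
        if (k == nn) return 1;
    }
    return 0;
}

/* Case-insensitive exact match against the blocklist. */
static int in_blocklist(const char *pw)
{
    for (size_t i = 0; i < sizeof BLOCKLIST / sizeof *BLOCKLIST; i++)
        if (strlen(pw) == strlen(BLOCKLIST[i]) && contains_ci(pw, BLOCKLIST[i]))
            return 1;
    return 0;
}

/* Position of c in a keyboard row, or -1 if not on that row. */
static int key_index(const char *row, char c)
{
    const char *p = c ? strchr(row, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - row) : -1;
}

/* 1 if pw contains `run` characters that are neighbours on one keyboard
 * row, walked consistently left-to-right or right-to-left. */
static int has_key_run(const char *pw, int run)
{
    size_t n = strlen(pw);
    for (size_t r = 0; r < sizeof KEY_ROWS / sizeof *KEY_ROWS; r++)
        for (size_t i = 0; i + (size_t)run <= n; i++) {
            int dir = 0, ok = 1;
            for (int k = 1; k < run && ok; k++) {
                int a = key_index(KEY_ROWS[r], pw[i + k - 1]);
                int b = key_index(KEY_ROWS[r], pw[i + k]);
                if (a < 0 || b < 0 || (b - a != 1 && b - a != -1)) ok = 0;
                else if (dir == 0) dir = b - a;
                else if (b - a != dir) ok = 0;
            }
            if (ok) return 1;
        }
    return 0;
}

/* Returns 0 for an acceptable password, otherwise the OR of WEAK_* reasons.
 * personal[] holds tokens taken from the user's name and e-mail address. */
int password_weak(const char *pw, const char **personal, size_t n_personal)
{
    int reasons = 0;
    if (strlen(pw) <= 8) reasons |= WEAK_SHORT;
    if (in_blocklist(pw)) reasons |= WEAK_BLOCKLIST;
    if (has_key_run(pw, 4)) reasons |= WEAK_KEYRUN;
    for (size_t i = 0; i < n_personal; i++)
        if (strlen(personal[i]) >= 3 && contains_ci(pw, personal[i]))
            reasons |= WEAK_PERSONAL;
    return reasons;
}

int main(void)
{
    const char *tests[] = {"123456", "Jessica2011!", "zxcvbn99", "correct-horse-battery"};
    for (int i = 0; i < 4; i++)
        printf("%-22s -> reasons 0x%x\n", tests[i], password_weak(tests[i], PERSONAL, 2));
    return 0;
}
```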

TC/Globecom2011/12-9-11 p. 90 Password Attacks (cont)

Ophcrack running on Windows

Boot up target PC from Ophcrack LiveCD to crack passwords automatically

TC/Globecom2011/12-9-11 p. 91 Password Attacks (cont)

• Routers, switches, operating systems ship with default accounts/passwords, sometimes not changed by system administrators - List of default passwords is easy to find, e.g.: www.phenoelit.de/dpl/dpl.html

TC/Globecom2011/12-9-11 p. 92 Password Attacks (cont)

TC/Globecom2011/12-9-11 p. 93 Password Attacks (cont)

• Recent example: Stuxnet malware discovered July 2010 - Targets Windows PCs running Siemens WinCC/Step 7 software used to program Siemens industrial control systems - One way to spread was hardcoded default password in Siemens WinCC database servers - Vulnerability of hardcoded password known to Siemens but Siemens did not want to change or delete due to danger to existing Siemens industrial control systems

TC/Globecom2011/12-9-11 p. 94 Social Engineering Attacks

• Social engineering attacks - commonly phishing tricks users into disclosing personal data - Typically an unsolicited e-mail message (lure) tries to entice users to visit a Web site - E-mail appears to be from a financial organization and contains a URL and a motivation, e.g., problem with account - Fake site spoofs the legitimate site, hoping that the victim will input personal data • Detected by spam filters and antiphishing organizations, e.g. APWG

TC/Globecom2011/12-9-11 p. 95 Spear Phishing

• Personalized phishing aimed at specific group - Reconnaissance to find personal info. about targets, e.g., from web, Facebook, Twitter - Personalized emails to targets appearing from trusted acquaintances, perhaps with malicious PDF or Word attachment or link to malicious web site - Malware installed could be Trojan, backdoor, bot,... • More successful than phishing • More difficult to detect - personalized and sent to smaller group

TC/Globecom2011/12-9-11 p. 96 Spear Phishing (cont)

• March 2011 successfully breached RSA by targeting employees • Flash 0-day exploit - installed ‘Poison Ivy’ downloader • Attackers took over virtual IT help desks to stay undetected • Compromised RSA’s SecurID product

TC/Globecom2011/12-9-11 p. 97 Spear Phishing Example

Email with PDF attachment

CVE-2010-3654 critical vulnerability in Adobe Flash, Reader, Acrobat (memory corruption and application crash) allows execution of arbitrary code

Installs “nsunday.dll” and “nsunday.exe” - Windows Trojan tries to connect to IP addresses 65.202.221.207 and 64.208.241.73

TC/Globecom2011/12-9-11 p. 98 Spear Phishing Example

Email with attached Word document embedded malicious Flash file

CVE-2011-0611 critical vulnerability in Adobe Flash, Reader, Acrobat allows execution of arbitrary code Opening document installs backdoor ‘Zolpiq’

TC/Globecom2011/12-9-11 p. 99 Exploits of Vulnerabilities

• Vulnerabilities are widely found in most operating systems and software - New vulnerabilities are continually published by various organizations, e.g., Microsoft, CERT, Bugtraq, NIPC, MITRE, Secunia,... • Exploits are code designed to take advantage of a specific vulnerability - 80% of vulnerabilities are easily exploitable (exploit code is available or no exploit code is required)

TC/Globecom2011/12-9-11 p. 100 Exploits (cont)

• Most computers compromised by exploiting known but unpatched vulnerabilities - Often attackers choose a vulnerability and find target sites (vs. choose a site and find its vulnerability) - Sysadmins may not install patches promptly - ‘0-day vulnerabilities’ are unknown vulnerabilities with no patch available

TC/Globecom2011/12-9-11 p. 101 Critical Vulnerabilities - All Software

Release date | Level    | Title                                                                      | Type of vulnerability
2007-10-26   | Critical | RealNetworks multiple remote buffer overflow vulnerabilities               | Buffer overflow
2007-10-24   | Critical | IBM Lotus Notes command execution and security bypass vulnerabilities      | Incorrect permissions
2007-10-24   | Critical | IBM Lotus Notes WordPerfect file viewer code execution                     | Buffer overflow
2007-10-23   | Critical | Sun Java runtime environment virtual machine code execution                | Error in Java virtual machine
2007-10-19   | Critical | Mozilla Thunderbird multiple client side code execution vulnerabilities    | Memory corruption
2007-10-19   | Critical | Mozilla Firefox/SeaMonkey code execution                                   | Memory corruption
2007-10-17   | Critical | Opera security update fixes multiple command execution vulnerabilities     | Origin validation error
2007-10-12   | Critical | Apple iPhone and iPod touch TIFF image remote code execution               | Buffer overflow
2007-10-11   | Critical | CA BrightStor ARCserve backup multiple code execution vulnerabilities      | Buffer overflow, memory corruption
2007-10-10   | Critical | Kaspersky online scanner ActiveX control code execution                    | Format string error

TC/Globecom2011/12-9-11 [FrSIRT] p. 102 Buffer Overflow Exploits

• Buffer overflow attacks are one of most common exploits because - Buffer overflow vulnerabilities are found in many systems and applications, e.g., C does not check that variables fit in allocated memory space - Success can give complete control by executing arbitrary code on target - Exploit codes can be re-used (including in worms) - Attacks can be carried out remotely through network

TC/Globecom2011/12-9-11 p. 103 Stack-based Buffer Overflow

• Stack segment is part of program memory serving as temporary storage to keep context during function calls - When function is called, a stack frame is pushed onto call stack - Buffer overflow happens when more data than expected is accepted, overflowing into the stack and writing over the return pointer - Overwritten return pointer then points back into data (malicious code) • If done carefully, attacker can make arbitrary code run on target computer

TC/Globecom2011/12-9-11 p. 104 Normal Stack Operation

[Figure: normal stack operation. Program: main() { ... function(data); printf(“..”); }. The call to function(data) pushes a stack frame onto the call stack: function call arguments, then the return pointer, then the saved frame pointer, then the local variable at the top of the stack.]

TC/Globecom2011/12-9-11 p. 105 Normal Stack (cont)

Stack Program

[Figure: normal stack (cont). Program: main() { ... function(data); printf(“..”); }. After the function call the frame is popped off the stack, and the return pointer resumes execution in the main program at printf(“..”).]

TC/Globecom2011/12-9-11 p. 106 Buffer Overflow

[Figure: buffer overflow attack. Program: main() { ... function(data); printf(“..”); }. If the “injection vector” passed as data is not checked for proper length, then when it is pushed on the stack the data for the local variable overflows the allocated buffer and overwrites the return pointer.]

TC/Globecom2011/12-9-11 p. 107 Buffer Overflow (cont)

[Figure: buffer overflow (cont). Program: main() { ... function(data); printf(“..”); }. When the frame is popped off the stack, the new return pointer points back into the buffer to run the attacker’s code.]

TC/Globecom2011/12-9-11 p. 108 Buffer Overflow (cont)

• If not careful, program will just crash • Successful buffer overflow needs to know exactly how to overflow buffer (“smash the stack”) to point back to attacker’s own code - Depends on knowledge of processor and operating system • Not easy to write but exploit codes already written are readily found and re-used
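The stack slides above describe function(data) copying an unchecked “injection vector” into a fixed local buffer. The following added example (not code from the tutorial) shows that defect beside the length-checked version a reviewer would ask for; the one-byte length-prefixed message format, the 64-byte buffer and the sample messages are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 64   /* the fixed local buffer of the slides' function(data) */

/* Constructed message format (an assumption of this example, not a real
 * protocol): byte 0 declares the payload length, bytes 1.. carry the payload. */
static const uint8_t MSG_OK[]          = {5, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t MSG_LYING[]       = {200, 'x'};  /* claims 200 bytes, carries 1 */
static const uint8_t MSG_OVERSIZE[101] = {100};       /* 100 real payload bytes */

static char g_last_payload[BUF_SIZE + 1];   /* last payload accepted */

/* VULNERABLE: the declared length is trusted. A value above BUF_SIZE makes
 * memcpy write past buf[] into the saved frame pointer and return address,
 * which is the overflow the slides describe. Kept only to show the defect;
 * it must never be called with a declared length above BUF_SIZE. */
int copy_payload_unchecked(const uint8_t *msg)
{
    char buf[BUF_SIZE];
    size_t len = msg[0];
    memcpy(buf, msg + 1, len);            /* no bounds check */
    memcpy(g_last_payload, buf, len);
    g_last_payload[len] = '\0';
    return (int)len;
}

/* HARDENED: every length is validated before any copy. The declared length
 * is checked against the bytes actually received (so the parser cannot read
 * past the message) and against the stack buffer (so it cannot write past
 * it). Returns the payload length, or -1 when the message is rejected. */
int copy_payload_checked(const uint8_t *msg, size_t msg_len)
{
    char buf[BUF_SIZE];
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;     /* declared length exceeds what arrived */
    if (len >= sizeof buf) return -1;     /* would overflow buf (keep room for NUL) */
    memcpy(buf, msg + 1, len);
    buf[len] = '\0';
    memcpy(g_last_payload, buf, len + 1);
    return (int)len;
}

const char *last_payload(void) { return g_last_payload; }

int main(void)
{
    printf("ok message:       %d\n", copy_payload_checked(MSG_OK, sizeof MSG_OK));
    printf("lying length:     %d\n", copy_payload_checked(MSG_LYING, sizeof MSG_LYING));
    printf("oversize payload: %d\n", copy_payload_checked(MSG_OVERSIZE, sizeof MSG_OVERSIZE));
    return 0;
}
```

Compiler stack protection (canaries) turns a missed check into a crash rather than code execution, but only the explicit length check keeps the program running correctly on hostile input.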

TC/Globecom2011/12-9-11 p. 109 PDF Exploits

• PDF exploits have become most common [F-Secure] - MS Word second most common

TC/Globecom2011/12-9-11 p. 110 PDF Exploits (cont)

• Symantec also reports PDF vulnerabilities in Top 5 attacked vulnerabilities (2009)

[Excerpt from the Symantec Global Internet Security Threat Report:]

...these vulnerabilities has been automated by attackers. Enterprises may benefit from this information because it provides an indication of the types of vulnerabilities that attackers are most likely to employ in attacks and how to best protect against these vulnerabilities.

The top attacked vulnerability in 2009 was the SMB2 ‘_Smb2ValidateProviderCallback()’ Remote Code Execution Vulnerability (table 9).[106] Publicly announced in September 2009, this vulnerability was initially believed to be a DoS vulnerability that would let attackers crash Windows.[107] However, within a week it was discovered that the vulnerability could let attackers execute arbitrary code and completely compromise affected computers.[108] A number of publicly and commercially available exploits for the vulnerability were subsequently released. In October 2009, Microsoft released patches to address the vulnerability. Considering that exploits for this vulnerability can be easily automated, it is interesting that the vulnerability has not been associated with any worm activity. Symantec believes that the cause of the attack activity is due to the availability of reliable exploits that are either standalone or bundled with a number of freely and commercially available penetration testing tools.

The vulnerability is limited to Windows Vista®, Windows Server® 2008, and pre-release versions of Windows 7. The security features in these newer versions have been an obstacle for attackers, who have thus far relied on vulnerabilities in third-party software such as Web browsers and browser plug-ins to gain a foothold on these new versions. However, a successful exploit of this vulnerability will compromise the affected computer at the kernel level, which could let attackers install rootkits once the computer has been compromised. These factors could indicate that attackers are increasingly targeting newer versions of the Windows operating system. Additionally, since the attacker does not need to entice the victim to perform actions such as visiting a malicious Web page, it is possible for attackers to scan the Internet for potential targets and initiate attacks at random. Since the attack can be automated at little cost to the attacker, they can reach a large number of publicly facing targets that are affected by the vulnerability. This is in contrast to the other vulnerabilities on the top five, which are client-side in nature. Client-side vulnerabilities can be used to attack harder to reach targets on the internal network of an organization. The top attacked vulnerability from 2008 could also be exploited in the same automated fashion (table 10). When vulnerabilities possess the characteristics necessary to facilitate automated scanning and exploitation, attackers will continue to capitalize on them.

Rank | BID   | Vulnerabilities
1    | 36299 | Microsoft Windows SMB2 ‘_Smb2ValidateProviderCallback()’ Remote Code Execution
2    | 35759 | Adobe Reader and Flash Player Remote Code Execution
3    | 33627 | Microsoft Internet Explorer 7 Uninitialized Memory Code Execution
4    | 35558 | Microsoft Windows ‘MPEG2TuneRequest’ ActiveX Control Remote Code Execution
5    | 34169 | Adobe Reader Collab ‘getIcon()’ JavaScript Method Remote Code Execution

Table 9. Top attacked vulnerabilities, 2009 Source: Symantec

TC/Globecom2011/12-9-11 p. 111

[106] It should be noted that Symantec uses the same signature to detect BID 36594 Microsoft Windows SMB2 Command Value Remote Code Execution Vulnerability; however, Symantec believes that the majority of attack activity was associated with the Smb2ValidateProviderCallBack vulnerability due to the number of public exploits associated with that vulnerability.
[107] http://www.securityfocus.com/bid/36299
[108] http://www.symantec.com/connect/blogs/bsod-and-possibly-more

PDF Exploits (cont)

• Critical vulnerabilities in Reader and Acrobat allow take over victim PC - Used in spear phishing - Often install backdoor or Trojan - Also SWF files embedded in MS Office documents • PDFs are very common • People think PDFs are safe, unlike Word (learned from virus)

TC/Globecom2011/12-9-11 p. 112 PDF Exploits (cont)

Date       | Vulnerabilities                                | Severity                    | Affected programs
May 2009   | APSA09-02, CVE-2009-1492, CVE-2009-1493        | Critical (buffer overflow)  | Reader 9.1 and Acrobat 9.1 and earlier
Feb. 2010  | APSB10-07, CVE-2010-0188, CVE-2010-0186        | Critical (unspecified)      | Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3
Sept. 2010 | APSA10-02, CVE-2010-2883                       | Critical (buffer overflow)  | Reader and Acrobat 9.3.4 and earlier
Sept. 2010 | APSA10-03, CVE-2010-2884                       | Critical (unspecified)      | Flash Player 10.1.82 and earlier; Reader 9.3.4 and earlier
Oct. 2010  | APSA10-05, CVE-2010-3654                       | Critical (memory corruption)| Flash Player 10.1.85 and earlier; Reader and Acrobat 9.4 and earlier
March 2011 | APSA11-01, CVE-2011-0609                       | Critical (unspecified)      | Flash Player 10.2.152 and earlier; Reader and Acrobat 9.x and 10.x
April 2011 | APSA11-02, CVE-2011-0611                       | Critical (unspecified)      | Flash Player 10.2.152 and earlier; Reader and Acrobat 9.x and 10.x

PDF Exploits (cont)

• Nov 2010 Adobe added sandboxing to Reader
  - Isolates Reader from sensitive Windows operations, e.g., changing registry settings, modifying sensitive files
  - Called Protected Mode in Reader; intended to prevent exploits such as buffer overflows from installing malware

Drive-by Downloads

• Malware can be downloaded automatically when user visits malicious or compromised legitimate site
  - Invisible iframe loads another small page with JavaScript automatically executed in browser
  - Scripts can be obscured or encrypted
  - Scripts attempt browser exploits to compromise browser security
  - Successful exploit results in installation of small Trojan downloader, which later fetches more malware
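The mechanics just described (an invisible iframe pulling in a second page, and a script whose body is obscured) can be checked for in fetched HTML. The scanner below is an added example for this page, not code from the tutorial or from any toolkit it names: it parses a page with Python's standard library and reports iframes that are sized or styled to be invisible and scripts that lean on decoder calls or long escape runs. The two sample pages, the hostnames in them, the pixel threshold and the marker list are constructed assumptions for the example.

```python
"""Flag drive-by download indicators in a fetched HTML page.

Added example, not code from the tutorial: looks for the two signs
described above, an invisible iframe pulling in another page and a
script whose body is obscured.  Page samples and thresholds are
constructed for the example.
"""
import re
from html.parser import HTMLParser

# Assumed thresholds for this example, not published detection rules.
MAX_HIDDEN_PIXELS = 2            # an iframe of 0-2 px is effectively invisible
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode(", "document.write(")
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")


class DriveByScanner(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_parts = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and iframe_is_hidden(attrs):
            self.findings.append(("hidden_iframe", attrs.get("src", "")))
        elif tag == "script":
            self._in_script = True
            self._script_parts = []

    def handle_data(self, data):
        if self._in_script:
            self._script_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_parts)
            if script_looks_obfuscated(body):
                self.findings.append(("obfuscated_script", body[:40]))


def iframe_is_hidden(attrs):
    """True for zero-size or CSS-hidden iframes, the usual drive-by loader."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip()
        if val.isdigit() and int(val) <= MAX_HIDDEN_PIXELS:
            return True
        m = re.search(dim + r":(\d+)px", style)
        if m and int(m.group(1)) <= MAX_HIDDEN_PIXELS:
            return True
    return False


def script_looks_obfuscated(body):
    """Two or more decoder calls, or a long run of %XX / backslash-x escapes."""
    marker_hits = sum(body.count(m) for m in OBFUSCATION_MARKERS)
    return marker_hits >= 2 or ESCAPE_RUN.search(body) is not None


def scan_html(html):
    """Return the list of (kind, detail) findings for one page."""
    parser = DriveByScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (not captured from any real site).
BENIGN_PAGE = (
    '<html><body><p>Product news</p>'
    '<iframe src="https://example.com/player" width="560" height="315"></iframe>'
    '<script>console.log("loaded");</script></body></html>'
)
SUSPICIOUS_PAGE = (
    '<html><body><p>Welcome back</p>'
    '<iframe src="http://compromised.invalid/in.php" width="0" height="0"'
    ' style="visibility:hidden"></iframe>'
    '<script>document.write(unescape('
    '"%3C%73%63%72%69%70%74%20%73%72%63%3D%22%2F%78%2E%6A%73%22%3E"));</script>'
    '</body></html>'
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(name, scan_html(page))
```

Both indicators are heuristics: legitimate pages also use tiny iframes for tracking pixels and some minifiers emit escape runs, so in practice findings feed a review queue or are combined with reputation of the iframe destination rather than blocking outright.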

Drive-by Downloads (cont)

• 2005 WebAttacker (sold on Russian site for US $20) is Perl CGI toolkit for launching malicious scripts from malicious or compromised legitimate web sites
  - Automatic fingerprinting: scripts can detect client’s browser, operating system, service pack, Java virtual machine version, common antivirus programs
  - Targeted attack: server chooses most appropriate browser exploit from set of exploits aimed at vulnerabilities in browsers, OS, plug-ins
  - Downloads Trojan horse (keylogger and backdoor)

Drive-by Downloads (cont)

• MPACK another popular attack toolkit detected Nov. 2006
  - Creates malicious PHP server
  - Loaded through iframes on malicious sites
  - Targeted attacks: delivered exploits are customized to specific browsers
  - Professionally developed and updated with new exploits
  - 10,000 compromised sites discovered [Websense June 2007]

Drive-by Downloads (cont)

• MPACK management console to track attacks

Browser Exploits

• How many browser vulnerabilities? [Symantec Global Internet Security Threat Report (2009)]
  - Firefox 169 vulnerabilities
  - Safari 94 vulnerabilities

Figure 7. Web browser vulnerabilities (documented vulnerabilities, 2008 vs. 2009). Source: Symantec [Symantec Internet Security Report April 2010]

Browser | 2009 | 2008
Firefox | 169 | 99
Safari | 94 | 40
Internet Explorer | 45 | 47
Chrome | 41 | 11
Opera | 25 | 35

Internet Explorer was subject to 45 new vulnerabilities in 2009. This is fewer than the 47 new vulnerabilities documented in Internet Explorer in 2008. One particular vulnerability in Internet Explorer was the third most attacked of all of the vulnerabilities discovered in 2009.90 Interestingly, reports of attacks in the wild began to surface seven days after the vulnerability was announced by Microsoft. Patches were available when Microsoft first published the vulnerability. Numerous publicly and commercially available exploits were subsequently made available. The potential for reliable exploitation and the market share of Internet Explorer were factors in the large number of attacks targeting this vulnerability. This demonstrates that Internet Explorer is still a popular target of Internet attackers despite the trend toward attacks on browser plug-ins and other client-side vulnerabilities that do not target the browser directly.

The results for the remaining three browsers analyzed in 2009 were as follows: Safari was affected by 94 new vulnerabilities, which is more than double the 40 vulnerabilities identified in Safari in 2008; Symantec documented 25 new vulnerabilities in Opera, which is down from 35 in 2008; finally, Chrome was affected by 41 vulnerabilities, which is significantly more than the 11 documented for 2008—although it should be noted that Chrome was only officially released in September 2008.

90 http://www.securityfocus.com/bid/33627

This metric will examine the window of exposure for the following Web browsers:92

• Apple Safari
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Opera

Browser Exploits (cont)

• Average window of exposure (days from exploit to patch)
  - Safari 13 days (2009)
  - Mozilla (Firefox) less than 1 day

In 2009, the average window of exposure for Safari was 13 days, based on a sample set of 78 vulnerabilities (figure 8). It should be noted that there are now full versions of Safari for both Macintosh® and Windows. The window of exposure for Safari in 2008 was nine days, based on a sample set of 31 patched vulnerabilities. The maximum time for Apple to patch a Safari vulnerability in 2009 was 145 days. The maximum time to release a patch in 2008 was 156 days. In 2009, there were a number of vulnerabilities targeting cross-browser JavaScript, HTML, and graphics rendering engines. This accounts for the increase in the window of exposure because, in some cases, Apple released patches for these vulnerabilities later than other patches. This could reflect the difficulty of testing and patching these vulnerabilities. Other browser vendors were similarly affected because many browsers are now using third-party and/or open-source engines and components. While browsers have been prone to similar attacks in the past because they have had to implement the same features as competitors, the use of shared components puts multiple vendors at risk when a vulnerability is discovered in an affected component.

Figure 8. Window of exposure for Web browsers (average time in days, 2008 vs. 2009). Source: Symantec [Symantec Internet Security Report April 2010]

Browser | 2009 | 2008
Safari | 13 | 9
Internet Explorer | <1 | 7
Chrome | 2 | 3
Opera | <1 | 1
Firefox | <1 | <1

92 It should be noted that this metric examines all versions of each browser; vulnerabilities affecting multiple versions of a browser are counted as a single vulnerability.

Browser Exploits (cont)

• Web browser plug-in vulnerabilities

The 321 total vulnerabilities in plug-in technologies for Web browsers for 2009 is less than the 424 in 2008. Of the total for 2008, 287 vulnerabilities affected ActiveX, which is significantly more than any other plug-in technology. Of the remaining plug-ins for which vulnerabilities were documented, there were 54 vulnerabilities identified in Java SE, 40 in QuickTime, 17 in Adobe Reader, 16 in Adobe Flash Player, and 5 vulnerabilities in Firefox extensions.

Figure 9. Web browser plug-in vulnerabilities (share of documented plug-in vulnerabilities, 2008 vs. 2009). Source: Symantec [Symantec Internet Security Report April 2010]

Plug-in | 2008 | 2009
ActiveX | 70% | 42%
Java SE | 11% | 26%
QuickTime | 10% | 8%
Adobe Reader | 4% | 15%
Adobe Flash Player | 4% | 7%
Mozilla extensions | 1% | 1%

The decrease of ActiveX plug-in vulnerabilities to 42 percent of the total in 2009 from 70 percent of the total in 2008 is influenced by a number of factors. Symantec has observed that automated vulnerability discovery tools such as fuzzers were a large factor in the number of ActiveX vulnerabilities published in previous years. As of 2009, hundreds or possibly thousands of ActiveX components have been audited by the security research community. Since much of the vulnerability research can be attributed to a few popular tools, it is likely that these tools are beginning to reach their limitations. New approaches or more in-depth security research techniques may change this trend and result in the discovery of increasingly more ActiveX vulnerabilities per year. However, for the moment it appears that this trend is on the decline. Interestingly, a number of vulnerabilities were discovered in one of the tools used for conducting ActiveX vulnerability research. In March 2009, a vulnerability was discovered in the iDefense COMRaider ActiveX fuzzing software.98 Later, in July 2009, two vulnerabilities were discovered in the same software.99

98 http://www.securityfocus.com/bid/33942
99 http://www.securityfocus.com/bid/35725

Top Web-based Attacks

Rank 2009 | Rank 2008 | Attack | Percentage 2009 | Percentage 2008
1 | 2 | PDF Suspicious File Download | 49% | 11%
2 | 1 | Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness | 18% | 30%
3 | N/A | Microsoft Internet Explorer 7 Uninitialized Memory Code Execution | 6% | N/A
4 | 6 | Microsoft Internet Explorer MS Snapshot ActiveX File Download | 4% | 5%
5 | 4 | Adobe SWF Remote Code Executable | 3% | 7%
6 | 14 | Microsoft Internet Explorer Malformed XML Buffer Overflow | 3% | 1%
7 | 5 | Microsoft Internet Explorer DHTML CreateControlRange Code Executable | 3% | 6%
8 | 20 | Microsoft Internet Explorer WPAD Spoofing | 3% | 1%
9 | N/A | Microsoft MPEG2TuneRequestControl ActiveX Buffer Overflow | 2% | N/A
10 | N/A | Microsoft MPEG2TuneRequestControl ActiveX Instantiation | 1% | N/A

Table 3. Top Web-based attacks Source: Symantec

Many of the vulnerabilities observed through Web-based attacks in 2009 have been known and patched for some time. For example, the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness17 was published on August 23, 2003, and fixes have been available since July 2, 2004, yet it remains the second-ranked Web-based attack. This is likely because of the use of Web attack kits like Fragus,18 Eleonore,19 and Neosploit.20 These kits come bundled with a variety of different exploits, including some exploits for older vulnerabilities. Because an older vulnerability is likely to be included in more kits, it will probably be seen in more attacks than many of the newer vulnerabilities. These exploit and attack kits are often used in conjunction with some of the crimeware kits available in the underground economy, as is discussed in the next section. [Symantec Internet Security Report April 2010]

Lowering the bar

A crimeware kit is a toolkit that allows people to customize a piece of malicious code designed to steal data and other personal information. The Zeus21 kit can be purchased for as low as $700, but can also be found for free on some forums.22 These kits can be bought in the underground economy and various Web forums. Crimeware kits like Zeus make it easier for unskilled attackers to compromise computers and steal information.23 These kits allow anyone who buys them to customize them to their own needs. In 2009, Symantec observed nearly 90,000 unique variants of the basic Zeus toolkit and it was the second most common new malicious code family observed in the APJ region during this time.

Variants of the Zeus kit use spam to lure users to a website that uses social engineering or that exploits a Web browser vulnerability to install the bot on a victim’s computer. The bot then allows remote access to the computer and can be used to steal information such as the user’s online banking credentials. Each bot can then be used to send additional spam runs to compromise new users.

17 http://www.securityfocus.com/bid/10514/discuss
18 http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23391
19 http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23481
20 http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23588
21 http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
22 http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf : p. 1
23 http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits

SQL Injection

• Web applications backed by SQL database
• SQL is ANSI/ISO standard for database queries
  - Widely implemented in MS SQL server and other products
  - SQL database often sits in back end of Web servers
• User inputs data in Web page for SQL query (e.g., login and password) but input is not properly filtered for string literal escape characters (e.g., quotes)
  - Attacker can send SQL statements to database

SQL Injection (cont)

Example: web application looks up personnel records

Inputs in web form:
  lastname = smith
  firstname = john

SQL query built by the web application:
  SELECT * FROM directory WHERE lastname = 'smith' AND firstname = 'john'

Both conditions are True. Web client → Web application → SQL database; the record for John Smith is returned.

SQL query returns record when condition is TRUE

SQL Injection (cont)

Probe for vulnerability: add extra quote in input

Inputs:
  lastname = smith'
  firstname = john

SQL query:
  SELECT * FROM directory WHERE lastname = 'smith'' AND firstname = 'john'

Error message returned by the web application:
  Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
  [Microsoft] [ODBC SQL Server Driver] [SQL Server] Incorrect syntax...
  /directory.asp, line 10

Error message indicates data was passed directly to database ➞ possible injection vulnerability

SQL Injection (cont)

After learning how the SQL query works, attacker can compromise it with carefully crafted inputs

Inputs:
  lastname = ' OR 1=1--
  firstname = john

SQL query:
  SELECT * FROM directory WHERE lastname = '' OR 1=1-- AND firstname = 'john'

The OR clause is always true, and "--" begins a comment, so the rest of the query is ignored. Result: all records.

OR condition is always true; AND condition is ignored ➞ all records are disclosed

SQL Injection (cont)

• By trial and error, and seeing error messages, attacker figures out SQL query code
• By carefully crafting inputs, can extract, modify, or delete data
• Commonly insert malware into database
  - When dynamic web page is generated, it will serve malware to browser
  - Legitimate web sites can be compromised this way to serve malware - difficult to detect

SQL Injection (cont)

• Injection vulnerabilities are possible because no strict separation between program instructions and user data
  - Data can be interpreted as instructions if input is not properly filtered
  - Input sanitization is needed
• User-submitted data should be checked for data type, constrained, and stripped of undesirable characters
• Web application firewalls protect web servers from input attacks
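The three query slides above, carried through in runnable form. This is an added example rather than code from the tutorial: it uses an in-memory SQLite table with constructed rows (the directory table and its column names are assumed from the slides) and runs the normal, probe and injected inputs through both a query built by string concatenation and a parameterised one, plus the type/character check the last slide calls for.

```python
"""The directory lookup from the slides, built unsafely and safely.

Added example, not code from the tutorial: the same inputs go through
a query assembled by string concatenation (the flaw on the slides) and
through a parameterised query.  Uses an in-memory SQLite table with
constructed rows; SQLite treats "--" as a comment just as the slides show.
"""
import re
import sqlite3


def make_db():
    """Constructed personnel table standing in for the slides' 'directory'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", [
        ("smith", "john", "555-0100"),
        ("jones", "mary", "555-0101"),
        ("brown", "alice", "555-0102"),
    ])
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """Input is pasted into the SQL text, so quotes in it become syntax."""
    sql = ("SELECT * FROM directory WHERE lastname = '" + lastname
           + "' AND firstname = '" + firstname + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, lastname, firstname):
    """Placeholders keep data apart from instructions: the value can never
    change the shape of the statement, whatever characters it contains."""
    sql = "SELECT * FROM directory WHERE lastname = ? AND firstname = ?"
    return conn.execute(sql, (lastname, firstname)).fetchall()


NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")   # assumed policy


def validate_name(value):
    """Type/length/character check from the last slide, as a second layer.
    Parameterisation is the real fix; this rejects junk early and keeps
    database error text from ever being produced for garbage input."""
    if not isinstance(value, str) or not NAME_PATTERN.match(value):
        raise ValueError("invalid name")
    return value


def probe(conn, lastname, firstname, lookup):
    """Mimic the slide's probe: return the database error text the page
    would leak, or None if the query ran cleanly."""
    try:
        lookup(conn, lastname, firstname)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("normal:", lookup_vulnerable(db, "smith", "john"))
    print("probe error:", probe(db, "smith'", "john", lookup_vulnerable))
    print("injected, vulnerable:", lookup_vulnerable(db, "' OR 1=1--", "john"))
    print("injected, parameterised:", lookup_parameterised(db, "' OR 1=1--", "john"))
```

SQLite, like the SQL Server in the slide, treats `--` as a line comment, so the injected input returns every row from the concatenated query; the parameterised form returns nothing because the whole input is compared as a literal value. The probe with a stray quote raises a database error only on the concatenated path, which is exactly the signal the slide says an attacker looks for, so error details should also be logged server-side rather than shown to the client.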

A Taxonomy of Malware

Malware
  Self-replicating
    Standalone program: Worms
    Needs host program: Viruses
  Non-replicating*
    Hidden function
      Not evasive: Trojan horses
      Evasive: Bots
    Hidden presence: Rootkits

* Not mutually exclusive subcategories

Prevalence of malicious code types

Malware Prevalence

Analyzing the prevalence of malicious code types provides insight into the general diversity of the threat landscape. Combined with the data from other metrics, this helps Symantec more accurately determine emerging trends in malicious code. During this reporting period, the overall volume of the top 50 potential malicious code infections doubled from 2008 to 2009; therefore, decreases in percentages do not likely indicate a year-over-year decline in potential infections. As in previous reporting periods, Trojans composed the highest percentage of the volume of the top 50 potential malicious code infections (figure 11), although the percentage dropped from 68 percent in 2008 to 56 percent in 2009.138

Figure 11. Prevalence of malicious code types by potential infections (percentage of top 50 by potential infections, 2008 vs. 2009). Source: Symantec [Symantec Internet Security Report April 2010]

Type | 2009 | 2008
Trojan | 56% | 68%
Worm | 43% | 29%
Virus | 32% | 19%
Back door | 13% | 15%

The previous two volumes of the Symantec Global Internet Security Threat Report discussed the possibility that attackers are gravitating toward the extensive use of a smaller number of more successful Trojans.139 The Bredolab Trojan is a good example of this: its flexibility, style of downloading new threats, obfuscation, and polymorphism mechanisms together enable it to be easily customized for specific targets. Its success corroborates the hypothesis of attackers using smaller numbers of more successful Trojans more often.

The proportionate decline in Trojan activity observed in 2009 is also likely due to the rise in worm and virus activity. For example, the top malicious code sample causing potential infections in 2009 was the Sality.AE140 virus. The main goal of Sality.AE is to download and install additional malicious software on a victim’s computer. The virus also prevents access to various security-related domains, stops security-related services, and deletes security-related files. The virus also infects .exe and .scr files on a victim’s local drive as well as on any writable network resource. It also spreads by copying itself to attached removable drives.

138 Because malicious code samples may be comprised of multiple components that are each classified as different types, cumulative percentages discussed in this metric may exceed 100 percent.
139 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf and http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf
140 http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99

Viruses/Worms

• Virus: piece of code that self-replicates by modifying or attaching to normal programs/files
  - Execution of host program/file results in execution of virus code (and replication)
• Worm: also self-replicating but a stand-alone program that exploits security holes to compromise other computers and spread copies of itself through the network
  - Unlike viruses, worms do not need to parasitically attach to other programs
  - Depends on network to spread

Polymorphism

• “Encryption” (not real encryption) attempts to hide a recognizable signature (static byte pattern) from file-scanning antivirus software by scrambling virus body
  - But decryption routine (prepended and unencrypted) is constant (detectable)
• “Polymorphism” continually permutes appearance randomly
  - No more than few bytes common between copies

Trojan Horse

• Trojan horse: software with hidden malicious function disguised as benign program
  - Very broad category includes bots, backdoors, spyware,... (which generally have both Trojan and non-Trojan variants) - a Trojan is anything with disguise
  - Possibly legitimate program corrupted with malicious code, or a malicious program masquerading as useful one
  - Not self replicating → spread by social engineering deception, spam, or carried in worm payload


New malicious code families

Symantec analyzes new malicious code families detected during each reporting period to determine which threat types and attack vectors are being employed in the most prevalent of the new threats. This information also allows administrators and users to gain familiarity with threats that attackers may favor in their exploits. Insight into emerging threat development trends can help bolster security measures and mitigate future attacks.

Top 10 New Malware Families

• Popular: 6 are Trojans

In 2009, there were six Trojans, three worms, and one virus in the top 10 new malicious code families detected (table 11). Two of the three worms include a back door component.126 Volume XIII of the Symantec Global Internet Security Threat Report noted that the growing prevalence of Trojans is indicative of multistage attacks.127 A multistage attack typically involves an initial compromise followed by the installation of an additional piece of malicious code, such as a Trojan that downloads and installs adware. As with 2008, in 2009 four of the top 10 new malicious code families downloaded additional threats (these multistage attacks are examined in detail in “Staged downloaders—multiple infections by type”). It should also be noted that, although Downadup was a major threat and received significant media attention, it was discovered in 2008 and is, therefore, not considered a new malicious code family for this reporting period.

Rank | Sample | Type | Vectors | Impact
1 | Induc | Virus | Delphi® files | Infects the Delphi compilation process to spread to all compiled Delphi files
2 | Changeup | Worm | Mapped and removable drives | Downloads additional threats
3 | Bredolab | Trojan | N/A | Downloads additional threats, including Trojan.Fakeavalert
4 | Ergrun | Trojan | N/A | Downloads additional threats
5 | Pilleuz | Worm, back door | File-sharing, instant messages, removable drives | Allows remote access
6 | Mibling | Worm, back door | Instant messages | Allows remote access and lowers security settings
7 | Kuaiput | Trojan | N/A | Downloads additional threats
8 | Fostrem | Trojan | N/A | Downloads additional threats
9 | Interrupdate | Trojan | N/A | Blocks security-related updates and sniffs network traffic
10 | Swifi | Trojan | N/A | Exploits a vulnerability in Adobe Flash Player and may lower security settings

Table 11. Top new malicious code families. Source: Symantec [Symantec Internet Security Report April 2010]

126 Back door components allow attackers to remotely connect to a compromised computer, typically using a specialized application. Once connected, the attacker can perform numerous actions such as taking screenshots, changing configuration settings, and uploading, downloading, or deleting files.
127 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf : p. 46

Rootkits

• Rootkit: set of low-level software (possibly at kernel level) enabling an attacker to maintain remote access by evading detection
  - Hide running processes, files, or network activities
  - Originally referred to set of recompiled Unix tools (ps, netstat, passwd) modified to hide certain results
• User-mode rootkits alter executables or system libraries
• Kernel-mode rootkits modify operating system at kernel level, e.g., install as drivers or kernel modules

User-Mode Rootkit: LRK

• LRK (Linux RootKit) replaces binaries normally used to list running processes, files, system logs, etc. [Skoudis]

Figure 7.3. LRK binary replacements that hide an attacker on a system.

Without the attacker's intervention, a diligent system administrator might notice each of these activities. To address this situation, LRK comes to the attacker's rescue by including replacements for various tools used by system administrators to find these anomalies.

First, LRK includes several replacements that hide running processes on the machine. To use this capability, the attacker must include the name of the process to be hidden in the file /dev/ptyp. On a stock Linux system, there are files called /dev/ptyp0, /dev/ptyp1, /dev/ptyp2, and so on using hexadecimal notation up to /dev/ptypf, but there aren't typically any real files named simply /dev/ptyp. Depending on the configuration of this RootKit file, various commands on the system can hide processes based on their full name, substrings of the process name, the user terminal (known as the tty) that the process is attached to, or even all root-level processes. Then, LRK replaces the ps, top, and pidof commands, all of which are used to determine which processes are actively running on a system. Furthermore, LRK overwrites the killall command so that the attacker's hidden processes cannot be killed using the command. That way, even if the administrator is miraculously able to discover it, the attacker's running process cannot be stopped using the killall command. It's important to note, that although the attacker's processes are hidden by the ps, top, and pidof commands, they will still be visible inside of the /proc directory, a component of the file system created by the kernel to show the status of all running processes and the kernel itself. In Chapter 8, we'll explore how kernel-mode RootKits hide even the evidence shown in /proc.

LRK includes a modified version of crontab, which is used to start various programs at specific times. By default, the altered version of crontab automatically activates the program names stored by the attacker in the file /dev/hda02. Again, Linux systems normally include files called /dev/hda1, /dev/hda2, and so on to indicate portions of the hard drive, but on a stock Linux machine, there are no files called /dev/hda02. The zero makes it different. Whereas the normal crontab's configuration is available for the system administrator to see, this alternative crontab uses this additional hidden configuration file.

Beyond process-related hiding, LRK also supports hiding network usage. On some older Linux systems, the ifconfig command shows whether the network interface is in promiscuous mode, gathering all traffic from the LAN. LRK replaces ifconfig so that it never shows promiscuous mode, thereby disguising sniffers. Additionally, administrators frequently use the netstat command to show which TCP and UDP ports are listening for traffic. The LRK version of netstat shows all port usage, except those ports configured by the attacker in the file /dev/ptyq. As with the /dev/ptyp file, /dev/ptyq isn't normally included on a system. Only /dev/ptyq0, /dev/ptyq1, and so on up to /dev/ptyqf should be present. By default, the LRK netstat hides TCP and UDP port 31337, although the attacker can configure the system to hide any other additional ports.

LRK really shines in its ability to hide files in the file system. The attacker creates the file /dev/ptyr, which contains a list of files to be hidden. The ls command, normally used to show the listing of a directory, will omit from its output any files that are hidden. Similarly, the find command, used to search for files, won't be able to find any of the hidden entries. Finally, the du command, which shows the disk usage of the hard
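The observation in the excerpt that a replaced ps, top or pidof still leaves the process visible under /proc is the basis of a cross-view check. The script below is an added example, not code from Skoudis or the tutorial: it parses `ps -e` output, lists the numeric entries under /proc, and reports PIDs present in the kernel's view but missing from ps. The sample ps output and /proc snapshot are constructed, and the re-sampling step in the live check is this example's own design choice.

```python
"""Cross-view check for processes hidden by a replaced ps.

Added example, not code from Skoudis or the tutorial.  As the excerpt
notes, a user-mode rootkit's ps/top/pidof stop listing a process but
the kernel still exposes it under /proc.  Listing /proc and comparing
with what ps reports turns that gap into a finding.  The sample ps
output and /proc snapshot used for the demonstration are constructed.
"""
import os
import re
import subprocess

PID_COLUMN = re.compile(r"^\s*(\d+)\s")


def pids_from_proc(proc_root="/proc"):
    """PIDs the kernel exposes: the numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """PIDs reported by 'ps -e' (first column; the header has no digits)."""
    pids = set()
    for line in text.splitlines():
        m = PID_COLUMN.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_pids(proc_pids, ps_pids, ignore=()):
    """PIDs present in the kernel view but absent from the ps view."""
    return sorted((set(proc_pids) - set(ps_pids)) - set(ignore))


def live_check():
    """Run the comparison on this host.  Returns (hidden_pids, error).

    Processes that start between the ps run and the /proc listing would
    show up as noise, so candidates are confirmed against a second ps run
    and a second /proc listing.  This script's own PID is excluded.  A
    kernel-mode rootkit that also filters /proc is outside this method's
    reach; only the user-mode replacements described above are caught.
    """
    def run_ps():
        return subprocess.run(["ps", "-e"], capture_output=True,
                              text=True, check=True).stdout
    try:
        first = pids_from_ps_output(run_ps())
        candidates = hidden_pids(pids_from_proc(), first, ignore=[os.getpid()])
        if not candidates:
            return [], None
        second = pids_from_ps_output(run_ps())
        still_there = pids_from_proc()
        confirmed = [p for p in candidates if p in still_there and p not in second]
        return confirmed, None
    except (OSError, subprocess.CalledProcessError) as exc:
        return [], str(exc)


# Constructed sample: what ps would print on a cleanly running host...
SAMPLE_PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:01 init
  410 ?        00:00:00 sshd
  987 pts/0    00:00:00 bash
"""
# ...and a /proc listing that additionally contains a PID ps omitted.
SAMPLE_PROC_PIDS = {1, 410, 987, 2048}

if __name__ == "__main__":
    print("demo:", hidden_pids(SAMPLE_PROC_PIDS, pids_from_ps_output(SAMPLE_PS_OUTPUT)))
    hidden, err = live_check()
    print("this host:", hidden if err is None else "ps unavailable: " + err)
```

The same idea extends to the other LRK replacements in the excerpt: netstat output can be compared with the kernel's own socket tables under /proc/net, and ls output with a raw directory read. Any disagreement between a userland tool and the kernel's view of the same state is the signal; the check is only as trustworthy as the kernel, which is why the next slides treat kernel-mode rootkits separately.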

Kernel-Mode Rootkit

• Kernel-mode rootkits modify operating system kernel via loadable kernel modules (Linux) or device drivers (Windows)

Kernel Manipulation Impact

Neo: This isn't real…

Morpheus: What is "real"? How do you define "real"? If you're talking about what you can feel, what you can smell, what you can taste and see, then "real" is simply electrical signals interpreted by your brain…

—Dialogue from the movie The Matrix, 1999

What happens if some bad guy starts manipulating the kernel itself? Because the kernel is all about control, by modifying the kernel, an attacker can change the system in a fundamental way. To apply changes to the kernel, the attacker first requires superuser privileges on the machine. To manipulate the kernel, root-level access is needed on UNIX machines, and administrator or system access is required on Windows systems. Once installed, a kernel-mode RootKit replaces or modifies components of the kernel. These alterations might make everything on the system appear to be running perfectly well, but the operating system is really rotten to the core. The attacker can change the kernel so that it lies about the status of the machine. For example, the administrator might run a command looking to see if any backdoor processes are running. This command calls the kernel to get a list of running processes. However, the bad guy changed the kernel so that it lies, and doesn't show the attacker's backdoor process, as illustrated in Figure 8.2. Alternatively, an administrator might run a file integrity checker to see if some critical files on the machine have been changed. The deceiving kernel tells the administrator that no files have been altered; everything looks wonderful.

Figure 8.2. Manipulating the kernel to hide processes.

Using kernel manipulation, the attackers can alter the kernel so that it thoroughly hides the attacker's activities on the machine. Most kernel-mode RootKits include the following types of subterfuge:

- Hide processes
- Hide files and directories
- Hide open ports
- Intercept data transferred within computer

[Skoudis]

Rootkits (cont)

• Detection of rootkits is very difficult when operating system cannot be trusted
  - Some antivirus and anti-spyware programs try
• Necessary to boot from alternate media/drive
• Removal is not recommended
  - Re-installing clean OS is easier and safer

Backdoors

• Backdoor: program to allow easy remote access bypassing normal security safeguards
  - In past, programmers left backdoors for convenient later access (e.g., for troubleshooting)
  - Now backdoors are installed by attackers after target has been compromised
• Famous but outdated: Back Orifice, Netbus, Sub7
• Recently ‘gh0st RAT’ Trojan backdoor used in GhostNet; ‘hydraq’ Trojan backdoor used in Aurora

Netbus

• March 1998 - Netbus released by Swedish programmer Carl-Fredrik Neikter
  - Works as client-server (server installed on target)
  - Client component gives GUI remote control to attacker
  - Server component allows remote administration of Win95/98/NT4 computers (default port 12345)
  - Capable of keylogging, screen captures, program launching, file browsing, shutting down system,…
• Feb. 1999 - NetBus 2.0 Pro released as commercial remote administration tool

Back Orifice

• Aug. 1998 - popular Back Orifice released by Cult of the Dead Cow
  - Works as client-server
  - Ostensibly for remote administration/control of Win95/98 computers (default port 31337), but capable of evading detection (in task list)
• Sometimes called remote access Trojan (RAT)
  - Software development kit allows new plug-ins
• July 1999 - Back Orifice 2000 released as open source

Netcat

• Netcat: a popular backdoor used by hackers and sysadmins
  - Works as client-listener pair (listener installed on target)
  - Listener runs shell and waits for data
  - Client sends instructions

[Skoudis] But how does an attacker send commands to this nifty little Netcat backdoor listener? The attacker uses Netcat in client mode on some other system across the network to send commands and get responses. The client command syntax is:

$ nc [victim_address] 2222

This Netcat client will get data from Standard In (the keyboard), shoot it across the network to the destination on TCP port 2222, take whatever it receives back, and display it on Standard Out (the screen). The Netcat client and listener work together beautifully, as shown in Figure 5.6, where we've connected the client and listener together across a network, and have told the listener to execute a shell.

Figure 5.6. Connecting to a Netcat backdoor listener with a Netcat client.

Using this technique, the attacker can get command shell access across the network. All commands typed in will run with the privileges of the user who executed the Netcat listener. It's also important to note that Netcat doesn't offer any authentication. Using this technique, the user won't get a "login:" prompt across the network asking for a userID and password. Instead, the attacker will get a raw, naked command shell, already logged in as the user who activated Netcat. Some attackers really do want authentication when they set up a backdoor, to prevent other riff raff or even the system administrator from finding and using their backdoors. Creating a Netcat backdoor that supports authentication is quite simple. Instead of using the -e option to run a shell directly, the attacker could use Netcat with the -e option to execute a small script that asks for a user ID and password. If the user ID and password are correct, this script would then execute a shell.

This simple little Netcat backdoor listener can easily be adapted to Windows. The overall Netcat syntax is almost identical. The client is exactly the same. On the listener, all we have to change is the particular shell from /bin/sh to cmd.exe, the Windows command shell, to get:

C:\> nc -l -p 2222 -e cmd.exe

Once connected to the Netcat listener, the attacker can drop the connection by hitting Ctrl+C at the connected Netcat client. The connection goes away, and any backdoor listener created with the -l option will stop running. Therefore, dropping a connection closes the backdoor. To get around this inconvenience, the Windows version of Netcat supports the -L option, meaning "Listen Harder," in addition to -l. Using the "Listen Harder" option on Windows, the backdoor listener will automatically restart itself when a connection is dropped. On UNIX systems, where Netcat lacks the -L capability, the attacker must configure the system

Stealth Techniques

• Initiate only outbound connections - undetected unless organizations are monitoring outbound traffic • Evade traffic monitoring by tunneling or encryption • Evade firewalls by using common HTTP ports 80 or 443 • Process injection: malicious process runs in address space of running legitimate process by forcing it to load dynamic link library (DLL)

TC/Globecom2011/12-9-11 p. 143 DDoS Trojans

• Oct. 1999 - Trin00 Trojan discovered - Compromised computers form hierarchical Trin00 network • “Daemons” communicate with “masters” in Trin00 network (default UDP ports 27444 and 31335) - Attacker sends commands to masters, which activate daemons to carry out distributed DoS attack • Followed by other DDoS Trojans: Tribe Flood Network (TFN), TFN2K, Stacheldraht

TC/Globecom2011/12-9-11 p. 144 DDoS Trojans (cont)

[Diagram: Attacker -> masters -> daemons -> Target]
- Attacker sends commands to some hosts set up as “masters”, which wait for commands from attacker
- Many “daemons” wait for commands from masters
- Daemons flood the Target

TC/Globecom2011/12-9-11 p. 145 Bots

• Today DDoS carried out by bots • Bots secretly listen for remote commands (usually through IRC channels or HTTP) and execute them on compromised computers (‘zombies’) - Botnet: group of bots under control of a ‘bot herder’ - C&C servers: computers used by attacker to relay commands to bots • Used mainly for spam, spread malware, DDoS attacks, data theft

TC/Globecom2011/12-9-11 p. 146 IRC Bots

• 2000 GT Bot spread by spam, capable of DDoS attacks • 2002 SDBot source code released • 2002 Agobot added modular downloads - First download is IRC bot client - Second download attacks antivirus protection - Third download blocks connections to antivirus web sites • 2003 Spybot, derived from SDBot, added spyware

TC/Globecom2011/12-9-11 p. 147 Rustock

• 2006 Rustock with advanced rootkit capabilities to evade detection - Maybe up to 2.4 million bots, used for spam and DDoS - Used HTTP instead of IRC - Harder to detect because bot traffic disguised as web traffic - Filtering would require inspection of all encrypted HTTP traffic - 96 C&C servers were active in 2011

TC/Globecom2011/12-9-11 p. 148 Storm

• 2007 notorious for self defense (DDoS attacks on researchers) - Size estimates vary widely - Spread by social engineering (spam) - Peer-to-peer structure resilient to takedown - Encrypted traffic: portions of botnet seem to be encrypted with different keys • Portions are resold or leased

TC/Globecom2011/12-9-11 p. 149 Conficker

• 2008 Conficker infected millions of Windows computers and servers by password attacks, Windows exploits, shared folders - 5 different variants (Conficker A, B, C, D, E) - A-D use HTTP - D-E use P2P and kill antivirus

TC/Globecom2011/12-9-11 p. 150 Zeus

• Zeus bot spread by drive-by downloads and phishing - Used for keylogging and stealing personal financial info. • ZeuS crimeware kit had sold for $2,000 - 10,000 but source code leaked May 2011 - DIY botnet creation including Trojan and C&C server files

TC/Globecom2011/12-9-11 p. 151 Defense Techniques

TC/Globecom2011/12-9-11 p. 152 Section Outline

• Deterrence and prevention • Detection • Attribution • Mitigation: botnet takedown; intrusion tolerance • Recovery: self healing

TC/Globecom2011/12-9-11 p. 153 Deterrence

• Deterrence is based on “credible threat of unacceptable counteraction” [DoD] • Unacceptable if costs of cyber war are feared to be prohibitive - Worked for nuclear weapons under threat of mutually assured destruction • Credibility is based on convincing adversary of: - Capability - Will to retaliate or preemptive strike

TC/Globecom2011/12-9-11 p. 154 Deterrence (cont)

• ‘Capability’ depends first on detection capability - Attribution is a major problem - Timeliness problem: stealthy malware can escape detection for long time • Also depends on ability to inflict devastating damage on attacker - May not be persuasive against developing nations less reliant on networks (hence less vulnerable) • ‘Will’ is demonstrated by policy declarations

TC/Globecom2011/12-9-11 p. 155 Deterrence (cont)

• Work towards multilateral cyber treaty has been unsuccessful for many years - Seen as ‘weapons of mass disruption’, not as critical as physical warfare - No real incidents seen yet - Limits on capabilities are hopeless - unverifiable • Current activities focus on: acceptable behaviors in cyberspace (e.g. no civil infrastructures, no first strike); information exchange; stronger computer protection in underdeveloped countries

TC/Globecom2011/12-9-11 p. 156 Prevention

Preventive Defenses:
- Patching
- Antivirus/anti-spyware updating
- Close unnecessary ports
- Vulnerability assessment/penetration testing
- Strengthen OS policies

TC/Globecom2011/12-9-11 p. 157 Software Patching

• Vendors publish patches for serious vulnerabilities in their software (OS and applications) • But many people do not keep up with patches for various practical reasons • Modern operating systems and applications can do automatic updates

TC/Globecom2011/12-9-11 p. 158 Antivirus Updating

• Commercial antivirus programs typically depend on signatures augmented with heuristic rules - Signatures require regular updating to keep up with new malware - Signatures allow most accurate detection • Same for anti-spyware programs

TC/Globecom2011/12-9-11 p. 159 Vulnerability Assessment

• Many free and commercial tools (Satan, Nessus, SARA, SAINT) are capable of testing for vulnerabilities - Found vulnerabilities should then be patched • Penetration testing: simulating an attack on your own network to find weaknesses

TC/Globecom2011/12-9-11 p. 160 Strengthen OS Policies

• Computers are often attacked through OS • Examples - Malware attempt to install themselves through e-mail or web download - Malware attempt to modify OS - Attackers search for vulnerabilities • Modern OS’s have evolved better security features

TC/Globecom2011/12-9-11 p. 161 Modern OS Security Features

Cryptographic data protection

Windows:
- BitLocker uses Trusted Platform Module for full disk encryption including system volume
- Native support for elliptic curve cryptography and other new cryptographic algorithms
- Encrypting File System (EFS) can encrypt system page file
- Support for PKI and public key certificates

Mac:
- FileVault encrypts home directory with 256-bit AES
- Encryption of virtual memory
- Keychain (storing passwords) encrypted by triple DES
- Support for PKI, public key certificates, Kerberos
- Disk Utility encrypts disk images by 256-bit AES

TC/Globecom2011/12-9-11 p. 162 Modern OS Security Features (cont)

System security

Windows:
- Administrator account disabled by default
- Principle of least privileges: users start with basic privileges, must prove authorization for higher privileges
- Address space layout randomization (ASLR) protects against buffer overflow attacks
- Support for ‘execute disable’ feature in Intel/AMD processors to protect against buffer overflow
- Applications are ‘sandboxed’ (restricted access to system resources)
- Processes and services are isolated
- Kernel patch protection (PatchGuard): prevents unauthorized kernel modifications
- Windows resource protection: prevents unauthorized changes to system files and settings

Mac:
- Root account disabled by default
- Principle of least privileges: users start with basic privileges, must prove authorization for higher privileges
- Address space layout randomization (ASLR) protects against buffer overflow attacks
- Support for ‘execute disable’ feature in Intel processors to protect against buffer overflow
- Native detection of stack overflows
- Secure empty trash: rigorously deletes files

TC/Globecom2011/12-9-11 p. 163 Modern OS Security Features (cont)

Malware protection

Windows:
- Security patches through Windows Update service
- Windows Defender: anti-malware and anti-spyware
- User access control: requires permission to execute programs

Mac:
- Security patches through Software Update service
- File Quarantine checks file against list of known malware
- Applications can be signed by creators to ensure data integrity
- User permission is required to run programs for first time
- Applications are ‘sandboxed’ (restricted access to system resources)

TC/Globecom2011/12-9-11 p. 164 Modern OS Security Features (cont)

Network security

Windows:
- Software firewall with advanced packet filter rules for incoming and outgoing traffic
- Windows filtering platform: filtering capability at all TCP/IP protocol layers
- Network access protection: computer must prove security capabilities to be granted access to network
- Secure socket tunneling protocol: proprietary VPN protocol
- Support for Diffie-Hellman, Kerberos, SSL/TLS, IPsec, DNS security extensions (DNSSEC),....
- Protected mode Internet Explorer: anti-phishing filter, URL handling protection, ActiveX protection,....

Mac:
- Firewall filter on per-port or per-application basis
- Support for OpenSSL, OpenSSH, SSL/TLS, VPNs, Kerberos,....
- Safari ‘private browsing’: does not store browser history or cache
- Support for ‘execute disable’ feature in Intel processors to protect against buffer overflow

TC/Globecom2011/12-9-11 p. 165 Modern OS Security Features (cont)

• Example: ASLR (address space layout randomization) randomizes positions of certain memory areas, e.g. stack - Harder for buffer overflow attack to guess stack pointer needed to execute malicious code - Implemented in Windows Vista, Mac OS X 10.5, iOS 4.3, Android 4.0

TC/Globecom2011/12-9-11 p. 166 Modern OS Security Features (cont)

• Example: code signing requires applications to carry cryptographic signature to authenticate creator and integrity - Implemented in iOS, Android, Mac OS X updates and Mac App Store apps, Windows updates and drivers • Example: sandboxing restricts actions of untrusted programs - Implemented in iOS, Android, Mac OS X opt-in and all Mac App Store apps starting March 2012, Windows 8

TC/Globecom2011/12-9-11 p. 167 Defense in Depth

• Common defense strategy • No single defense offers complete protection • Multiple layers increase cost to attacker and buy time for defense, even though no layer is perfect • Protection layers depend on risk to assets and value of assets - Network: firewalls, intrusion detection, router access control lists, honeypots,... - Host: access control, antivirus, intrusion detection, sandboxing,...

TC/Globecom2011/12-9-11 p. 168 Detection

TC/Globecom2011/12-9-11 p. 169 Antivirus

• Evolved over 15-20 years • Goals of antivirus software: - Detection of known and new viruses/worms - Identification of specific virus/worm and infected programs - Disinfection of virus/worm from host and infected programs - Prevention of new infections if possible

TC/Globecom2011/12-9-11 p. 170 Antivirus (cont)

• Early antivirus - Scanned for known virus signatures by string matching (unique sequence of bytes) or changes in file length - Accurate identification allows reliable removal of virus - But detect only known viruses and close (similar enough) variants - Must be updated regularly

TC/Globecom2011/12-9-11 p. 171 Antivirus (cont)

• Enhancements - Heuristic rules to search for probable infection from new unknown viruses - Integrity checking by adding a checksum or hash function to each program - detects changes, but false positives are a problem - Development of programming language to write virus-specific detection routines

TC/Globecom2011/12-9-11 p. 172 Antivirus (cont)

• Code emulation: virtual machine simulated CPU and memory management to simulate execution of suspected code and see its behavior without risk to real system - Emulation detects polymorphic viruses which must decrypt to execute - But operating systems are too complex to emulate completely, and emulation slows down antivirus performance

TC/Globecom2011/12-9-11 p. 173 Antivirus (cont)

• Sandboxing takes emulation approach further: suspected code runs in isolated “virtual machine” copy (or “cage”) of operating system with copy of real data and registry - Changes are made only to copies within cage, not to real data or system - Cage is restricted from certain capabilities, e.g., networking - Must be careful to keep viruses from escaping cage - Will not catch viruses sent from trusted sources

TC/Globecom2011/12-9-11 p. 174 Antivirus (cont)

• Behavior blocking: warns user if code is attempting to do something suspicious - Similar to anomaly detection in IDS - General enough to catch new virus classes without signature - Many warnings might annoy users who do not want to make decisions - Drawbacks: stealthy viruses (e.g., slow infectors) might avoid suspicious behaviors; may not identify virus specifically enough for removal

TC/Globecom2011/12-9-11 p. 175 Antivirus (cont)

• Behavior blocking examples - Block VB (Visual Basic) scripts, e.g., used by LoveLetter worm - Block self-mailing e-mail attachments (many e-mail worms carry their own SMTP engines, e.g., Bugbear, Nimda) - Block inputs leading to buffer overflows - Block suspicious processes attempting to call WINSOCK library APIs to send themselves

TC/Globecom2011/12-9-11 p. 176 Antivirus Scanner

[Diagram: antivirus scanner]
- Input: files to scan
- AV scanning engine, using: signature strings, unpacking, sandboxing, checksumming, decryption, heuristics, behavior blocking
- Signature database
- Repair instructions
- Configuration (what and when to scan)

TC/Globecom2011/12-9-11 p. 177 Intrusion Detection Systems

• IDS are essentially packet sniffers, with analysis engine to recognize patterns of suspicious traffic and raise alarms - Distributed IDS have multiple sensors feeding centralized logging, analysis, alerts • Many free and commercial IDS - Snort, NFR (Network Flight Recorder), ISS RealSecure

TC/Globecom2011/12-9-11 p. 178 Network Environment

[Diagram: Internet - Router - Firewall - Private network, with a demilitarized zone off the firewall; a public server, an IDS and a honeypot sit in the demilitarized zone, and a private server, an IDS and a honeypot sit on the private network, with an intrusion detection system also at the perimeter]

Typical monitoring zones:
1. Perimeter: monitor threats from Internet
2. Demilitarized zone: monitor protected but vulnerable public servers
3. Intranet: monitor the most trusted, protected assets

TC/Globecom2011/12-9-11 p. 179 IDS Functions

• Sensors: continually monitor activities (packet traffic or host behavior) • Analysis: recognize suspicious, malicious, or inappropriate activities • Output: trigger alarms to system administrator

TC/Globecom2011/12-9-11 p. 180 Snort as IDS

[Diagram: Snort pipeline]
- Network -> Sniffer (libpcap)
- Pre-processor: filtering
- Detection engine: match to signatures, drawn from rulesets/signatures
- Alerts/logging: log and output formatting by plug-ins

TC/Globecom2011/12-9-11 p. 181 Snort (cont)

• Snort works as IDS in alerting mode or logging mode - Alerting mode: alerts can be output in various formats, e.g., alert message and full packet header - Logging mode: full packets are logged for later analysis • Output plug-ins for different formats

TC/Globecom2011/12-9-11 p. 182 Snort Rules

• Snort signatures are packaged in set of rules, covering traffic related to: - Attack responses, backdoors, DDoS, DNS attacks, malformed packets, exploits, pings and scans, IMAP/POP/SMTP attacks, SQL attacks, FTP/TFTP attacks, Telnet attacks, Web attacks, etc. • Large user community writes new rules

TC/Globecom2011/12-9-11 p. 183 Example Snort Rule

Rule header fields, left to right: action if signature is detected | protocol | source IP and port | direction | destination IP and port

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)

Rule options: executed if rule header (first line) matches packet - message to be written into log to describe this alert - look for flags: SYN and FIN - cites reference for signature - specifies category of attack (reconnaissance); signature ID for more info.; rule revision number

TC/Globecom2011/12-9-11 p. 184 Snort (cont)

• Example output log format is Tcpdump

[date-time] [source-hw-address] -> [dest-hw-address] [type] [length] [source-ip-address:port] -> [dest-ip-address:port] [protocol] [TTL] [TOS] [IP-length] [datagram-length] [payload-length] [hex-dump] [ASCII-dump]

TC/Globecom2011/12-9-11 p. 185 Goals of Intrusion Detection

• To determine if intrusion occurred and its nature - Type and scope of intrusion - Attribution: responsible intruder (not just intermediaries) - Seriousness of threat and appropriate defenses

TC/Globecom2011/12-9-11 p. 186 IDS Approaches

• Misuse (signature-based) detection - Traffic data is compared to set of signatures (patterns) for known attacks - Intrusion detected if a signature matches • Anomaly (behavior-based) detection - Any behavior outside of a “normal profile” is considered suspicious

TC/Globecom2011/12-9-11 p. 187 Approaches (cont)

[Diagram: Misuse detection] Normal behavior vs. known attacks; intrusion = match to signature

[Diagram: Anomaly detection] Normal behavior vs. anomalous behavior; intrusion = anything outside of normal profiles

TC/Globecom2011/12-9-11 p. 188 Misuse Detection

• Most common approach because accurate match of signature reveals exact intrusion and its threat • Definition of signatures (attack patterns or rules) is critical - If signatures are too specific, can result in false negatives (missed detection) if attack is changed - If signatures are too general, can result in false positives (false alarms) • Implementations differ in definition of signatures

TC/Globecom2011/12-9-11 p. 189 Example: Detecting Slammer

• Slammer worm targeted Microsoft SQL server • Buffer overflow exploit and copy of worm are contained in single 404-byte packet sent to random IP addresses on UDP port 1434 • Vulnerability was published 6 months earlier and signature was available - Exploit code requires special byte “0x04” as first character, so easy to detect
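As an added example, not from the slides and not Snort's own code, the rule format shown on the Example Snort Rule slide and the Slammer trait above are tied together in one small matcher: it parses the slide's SYN/FIN rule plus a constructed Slammer-style rule (UDP/1434, first payload byte 0x04, sid chosen from Snort's 1000000+ local-rule range) and runs both over constructed packets. The $HOME_NET value, the packets and the Slammer rule text are assumptions; only the flags, content and depth options are evaluated.

```python
import ipaddress
import re

# $HOME_NET as it would be set in snort.conf; the value is an assumption for
# this example, and $EXTERNAL_NET is taken to be its complement.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def addr_matches(spec, ip):
    """Address field: any, $HOME_NET, $EXTERNAL_NET or a (possibly negated) CIDR."""
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    negate = spec.startswith("!")
    return (ip in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def decode_content(text):
    """Snort content syntax: ASCII text with |hex bytes| sections, e.g. "|04|"."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def parse_rule(line):
    """Header fields plus an ordered list of (option, value) pairs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule header: " + line)
    rule = m.groupdict()
    opts = []
    for raw in rule.pop("opts").split(";"):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    rule["opts"] = opts
    rule["msg"] = dict(opts).get("msg", "")
    rule["sid"] = int(dict(opts).get("sid", "0"))
    return rule

def endpoints_match(rule, src, sport, dst, dport):
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

def header_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    fwd = endpoints_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":  # bidirectional rule: either orientation matches
        return fwd or endpoints_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return fwd

def options_match(opts, pkt):
    """Only flags, content and depth are evaluated; other options are ignored."""
    content, depth = None, None
    for key, val in opts:
        if key == "flags":
            # Plain flags:SF means exactly SYN and FIN set (no +/* modifiers here).
            if set(pkt.get("flags", "")) != set(val):
                return False
        elif key == "content":
            content = decode_content(val)  # only the last content option is kept
        elif key == "depth":
            depth = int(val)
    if content is not None:
        payload = pkt.get("payload", b"")
        if content not in (payload if depth is None else payload[:depth]):
            return False
    return True

def scan(rules, packets):
    """Return (packet index, sid, msg) for every alert rule that fires."""
    alerts = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if rule["action"] == "alert" and header_matches(rule, pkt) and options_match(rule["opts"], pkt):
                alerts.append((i, rule["sid"], rule["msg"]))
    return alerts

RULES = [parse_rule(r) for r in (
    # The SYN/FIN scan rule from the slide.
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; '
    'reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)',
    # Constructed rule for the Slammer trait on the slide: UDP to port 1434 whose
    # first payload byte is 0x04 (sid from the 1000000+ local-rule range).
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer first byte 0x04"; '
    'content:"|04|"; depth:1; classtype:misc-attack; sid:1000001; rev:1;)',
)]

# Constructed packets, not captured traffic: indexes 0 and 2 should fire.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "10.0.0.5", "dport": 22, "flags": "SF", "payload": b""},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40002, "dst": "10.0.0.5", "dport": 80, "flags": "S", "payload": b""},
    {"proto": "udp", "src": "198.51.100.9", "sport": 4321, "dst": "10.0.0.10", "dport": 1434, "flags": "", "payload": b"\x04" + b"\x01" * 375},
    {"proto": "udp", "src": "10.0.0.2", "sport": 4321, "dst": "10.0.0.10", "dport": 1434, "flags": "", "payload": b"\x04\x01"},  # internal source
    {"proto": "udp", "src": "198.51.100.9", "sport": 4321, "dst": "10.0.0.10", "dport": 1434, "flags": "", "payload": b"\x00\x04"},  # 0x04 not first
]

if __name__ == "__main__":
    for idx, sid, msg in scan(RULES, PACKETS):
        print(f"packet {idx}: [1:{sid}] {msg}")
```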

TC/Globecom2011/12-9-11 p. 190 Misuse Detection (cont)

• Disadvantages: - New attacks will likely be missed if no signature - Potentially high rate of false negatives (missed detection) - Takes time to develop new signatures - Signatures must be updated regularly

TC/Globecom2011/12-9-11 p. 191 Anomaly Detection

• Assumes normal behavior can be profiled, intrusions are deviations from normal - Idea in 1986 IDES • Potential to detect new types of attack that are different from “normal” behavior, without need for a signature - Normal profile is set of metrics (behavior aspect) and acceptable ranges

TC/Globecom2011/12-9-11 p. 192 Disadvantages

• Need to be trained with reference data (training sets) to build profiles, and training sets should be updated regularly • Very difficult to define normal behavior in practice - Normal behavior can have unknown variations - Usually characterized by a set of statistical metrics - Best metrics are not known for certain

TC/Globecom2011/12-9-11 p. 193 Disadvantages (cont)

• Non-normal behavior may be suspicious but not malicious - Tend to high rate of false positives (false alarms) - Additional processing often needed to identify truly malicious activities, nature of intrusion and its threat - Anomaly detection typically complements misuse detection
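An added illustration, not from the slides, of a normal profile expressed as metrics with acceptable ranges (mean plus or minus three standard deviations per metric over a training set), with both disadvantages above visible in the output: a benign connection burst raises a false alarm, and a slow scan stays inside the profile and is missed. All training and observation values are constructed.

```python
import statistics

# Constructed training set (made-up values): one record per minute for one
# workstation, with two behavior metrics measured from its outbound traffic.
TRAINING = [
    {"connections": c, "distinct_ports": p}
    for c, p in [(12, 3), (15, 4), (9, 3), (14, 3), (11, 4), (13, 3), (10, 2),
                 (16, 4), (12, 3), (14, 3), (11, 3), (13, 4), (12, 3), (15, 3)]
]

def build_profile(records, k=3.0):
    """Normal profile: for each metric an acceptable range mean +/- k*stdev."""
    profile = {}
    for metric in records[0]:
        values = [r[metric] for r in records]
        mean = statistics.mean(values)
        spread = statistics.pstdev(values)
        profile[metric] = (mean - k * spread, mean + k * spread)
    return profile

def deviations(profile, record):
    """Metrics of one observation that fall outside their acceptable range."""
    return {m: v for m, v in record.items()
            if not (profile[m][0] <= v <= profile[m][1])}

def detect(profile, observations):
    """Return (index, out-of-range metrics) for every observation flagged."""
    flagged = []
    for i, obs in enumerate(observations):
        out = deviations(profile, obs)
        if out:
            flagged.append((i, out))
    return flagged

PROFILE = build_profile(TRAINING)

# Constructed observations: 0 is normal; 1 is a port scan (many distinct ports);
# 2 is a benign software-update burst (many connections) and will be a false
# alarm; 3 is a slow scan that stays inside the profile and is missed.
OBSERVATIONS = [
    {"connections": 13, "distinct_ports": 3},
    {"connections": 14, "distinct_ports": 120},
    {"connections": 40, "distinct_ports": 2},
    {"connections": 12, "distinct_ports": 4},
]

if __name__ == "__main__":
    for metric, (lo, hi) in PROFILE.items():
        print(f"{metric}: acceptable range {lo:.1f} .. {hi:.1f}")
    for idx, out in detect(PROFILE, OBSERVATIONS):
        print(f"minute {idx}: anomaly {out}")
```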

TC/Globecom2011/12-9-11 p. 194 Honeypots

• Honeypots are decoy PCs that intentionally look vulnerable to attackers • Receive traffic to unassigned IP addresses that should see no legitimate traffic - So traffic to honeypot is very likely malicious • Goal to learn about attackers’ behavior, after an attack

TC/Globecom2011/12-9-11 p. 195 Honeypots (cont)

• Not ordinary PCs - specially configured to: - Appear convincing with some (or all) services of a regular computer - Appear vulnerable to attackers to encourage attacks - Monitor and record all events for later forensics - Restrict any attacks to the honeypot (without possibility of spreading to other systems)

TC/Globecom2011/12-9-11 p. 196 Honeypots (cont)

• Low-interaction honeypots emulate a few services, allow limited simple interactions with attackers, low risk (e.g., Honeyd) - Limited data collection (for emulated services only) • High-interaction honeypots have full services and OS, allow full interaction, high risk of compromise - Detailed data collection is possible

TC/Globecom2011/12-9-11 p. 197 Honeypots (cont)

• Honeypots collect far less data than firewalls and IDS, but all data is valuable (little noise) - Honeynet Project collects less than 1 MB per day • Less likely to run out of storage and processing resources than IDS • Disadvantage: must wait passively for attack traffic to that IP address • Variation: honeynet is a network of complete (regular) computers, set up to attract attacks but doing nothing else

TC/Globecom2011/12-9-11 p. 198 Attribution

• Levels of attribution - To specific hosts involved • Perhaps possible by IP addresses - To primary controlling host • Very difficult for many reasons - To actual human actor - To organization responsible

TC/Globecom2011/12-9-11 p. 199 Attribution (cont)

• Difficulties - Source IP addresses can be spoofed - Computer accounts can be hijacked and used as zombies - Data theft can be relayed through multiple proxies - Routers are stateless and record flow stats at most - No automated means in Internet to trace - Acts of individuals hard to trace back to state sponsor - Motivations behind attacks can be unclear

TC/Globecom2011/12-9-11 p. 200 Response/mitigation

TC/Globecom2011/12-9-11 p. 201 Botnet Takedowns

• March 2010 quarter of 249 C&C servers for Zeus botnet taken down by two eastern European ISPs • March 2010 taken down - 12.7 million PCs across 190 countries - Arrested 3 suspects in Spain identified after they tried to resurrect botnet after takedown

TC/Globecom2011/12-9-11 p. 202 Botnet Takedowns (cont)

• Oct. 2010 Dutch police and others took down 143 C&C servers of Bredolab botnet - Spyware stole bank login details from millions of infected PCs • Sept. 2010 Microsoft won federal approval to seize 276 domain names for Waledac’s C&C servers - Contacted ISPs to contact infected PCs and direct them to disinfection tools

TC/Globecom2011/12-9-11 p. 203 Botnet Takedowns (cont)

• March 2011 Microsoft and US Marshals took down 26 Rustock C&C servers at 7 US hosting providers - Peaked 1 million PCs delivered 30 billion spam daily - Possible because all C&C servers on small US hosting firms instead of usual eastern Europe hosting - Pursued case against botnet operators in Russian courts - Offered $250,000 reward for information

TC/Globecom2011/12-9-11 p. 204 Botnet Takedowns (cont)

• April 2011 Coreflood botnet - 2 million infected PCs - U.S. DoJ ordered registrars to reroute requests from infected computers to substitute servers, instead of C&C servers - Infected PCs given ‘pause’ command - Possible because Coreflood did not use C&C authentication - Botnets had been infiltrated before but first time commanded to shut down

TC/Globecom2011/12-9-11 p. 205 Intrusion Tolerance

• Attacks cannot be completely prevented but systems must continue to operate - Related to fault tolerance but assumes intelligent adversary instead of random independent faults • Various ideas and methods proposed - DARPA’s OASIS (Organically Assured and Survivable Information Systems) - 30 projects - Europe’s MAFTIA (Malicious and Accidental Fault Tolerance for Internet Applications)

TC/Globecom2011/12-9-11 p. 206 Intrusion Tolerance (cont)

• Key ideas are diversity, redundancy, reconfiguration: - Protect confidentiality: distribute data so attacker reading one piece does not obtain useful info. (e.g., fragmentation redundancy scattering, Pasis, ITUA) - Assure non-stop availability: more classical fault tolerance, requiring sufficient replication and periodic recovery (e.g., SCIT) - If non-stop availability is too expensive: detect intrusion, activate recovery by reconfiguring compromised systems (e.g., Sitar, Dpasa, Willow, DIT, Hacqit, ITSI)

TC/Globecom2011/12-9-11 p. 207 Self Healing

• Infrastructures (power, communications) automatically isolate faults and reconfigure backup resources with minimal interruption of availability

[Diagram: self healing cycle, given sufficient backup resources] Sensors detect fault -> Fault is isolated -> Working nodes are notified -> Backup resources are configured

TC/Globecom2011/12-9-11 p. 208 Self Healing (cont)

• Challenges - Self healing mechanisms (sensing, communications, reconfiguration) must be designed into system - Backup resources must be sufficient - Fault scenarios are predictable for natural causes but unpredictable for intelligent attackers - Fault detection time is critical

TC/Globecom2011/12-9-11 p. 209 Conclusions and Open Issues

TC/Globecom2011/12-9-11 p. 210 Open Issues and Conclusions

• Events led to recognition of cyber domain as operational domain but is info. warfare real? - No formal or blatant cyber attacks - Cyber espionage offers asymmetric warfare with anonymity and deniability - Cyber domain not suited to all-out direct confrontations • Network connectedness makes precision difficult • Retaliation and escalation are easy • Cyber terrorism is currently only theoretical - Terrorists more interested in making use of networks

TC/Globecom2011/12-9-11 p. 211 Conclusions (cont)

• Critical infrastructures at risk? - Industrial control systems (ICS) regulate power, water, communications, manufacturing - Failure consequences might be catastrophic - Vulnerabilities known: old legacy systems; lack of patching (high availability is highest priority); limited system monitoring - Traditionally depended on security through obscurity - proprietary software, protocols, OS, closed networks - Reportedly China, Russia have reconnoitered

TC/Globecom2011/12-9-11 p. 212 Conclusions (cont)

• Attribution continues to be key difficulty - Little international cooperation - Info. sharing is impeded by traditional reluctance of companies to discuss security incidents - U.S. federal agents must go through cumbersome authorization process to track down foreign intrusions - Military have more flexibility to respond but careful to avoid international embarrassment if caught - Fear of sparking international incidents, e.g. with China interfering with financial cooperation

TC/Globecom2011/12-9-11 p. 213 Conclusions (cont)

• US policy prefers deterrence through diplomacy over direct confrontation - Diplomatically build international consensus for rules of behavior, rules of engagement - Fear of cyber attack escalation into physical war - How to incentivize actors like China to cooperate - China sees opportunity to gain cyber advantage - but at same time does not want disruption of U.S. due to financial investments

TC/Globecom2011/12-9-11 p. 214 Conclusions (cont)

• Future trends: - Cyber domain well suited for espionage - large scale data theft will continue - Malware will be tactical weapon of choice • Existing antivirus is mostly ineffective in detecting malware used in APTs [Mandiant] - Sabotage to computer components? • Only 2% of chips purchased by military are manufactured in U.S. • Chips with malicious flaws are almost impossible to detect

TC/Globecom2011/12-9-11 p. 215 Conclusions (cont)

• Future trends (cont): - Power grid evolving to smart grid with greater dependence on ICT will expose more risks - More smart phones: more end points to exploit, not that secure - More cloud computing: risks?

TC/Globecom2011/12-9-11 p. 216 References

TC/Globecom2011/12-9-11 p. 217 References

D. Alperovitch, “Revealed: Operation Shady RAT,” McAfee white paper.

V. Anand, “Chinese concepts and capabilities of information warfare,” Strategic Analysis, vol. 30, Oct. 2006, pp. 781-797.

J. Andress, S. Winterfeld, Cyber Warfare, Syngress, 2011.

J. Arquilla, D. Ronfeldt, Networks and Netwars: The Future of Terror, Crime and Militancy, RAND, 2002.

J. Arquilla, “From Blitzkrieg to bitskrieg: the military encounter with computers,” Commun. of ACM, vol. 54, Oct. 2011, pp. 58-65.

A. Bousquet, The Scientific Way of Warfare, Columbia U. Press, 2009.

C. Billo, “Cyber warfare: an analysis of the means and motivations of selected nation states,” Dartmouth College Institute for Security Technology Studies, Nov. 2004.

C. Bronk, “Blown to bits: China’s war in cyberspace, August-September 2020,” Strategic Studies Quarterly, Spring 2011.

TC/Globecom2011/12-9-11 p. 218 References (cont)

J. Carr, Inside Cyber Warfare, O’Reilly, 2010.

R. Clarke, R. Knake, Cyber War, ECCO Press, 2010.

C. Czosseck, K. Geers, The Virtual Battlefield, IOS Press, 2009.

DoD Strategy for Operating in Cyberspace, July 2011, http://www.defense.gov/news/d20110714cyber.pdf.

M. Eberschloe, Information Warfare: How to Survive Cyber Attacks, Osborne, 2001.

R. Forno, R. Baklarz, The Art of Information Warfare, Universal Publishers, 1999.

J. Fritz, “How China will use cyber warfare to leapfrog in military competitiveness,” Culture Mandala, vol. 8, Oct. 2008, pp. 28-80.

S. Goel, “: connecting the dots in cyber intelligence,” Commun. of ACM, vol. 54, Aug. 2011, pp. 132-140.

R. Grant, “Victory in cyberspace,” Air Force Association special report, Oct. 2007.

TC/Globecom2011/12-9-11 p. 219 References (cont)

B. Hutchinson, M. Warren, Information Warfare, Butterworth Heinemann, 2001.

W. Hutchinson, “Information warfare and deception,” Informing Science, vol. 9, 2006, pp. 213-223.

Info War Monitor, Tracking GhostNet, http://www.tracking-ghotst.net

L. Janczewski, A. Colarik, Cyber Warfare and Cyber Terrorism, IGI Global, 2008.

P. Jordan, P. Taylor, Hactivism and Cyberwars, Routledge, 2004.

A. Karatzogianni, Cyber Conflict and Global Politics, Routledge, 2009.

J. Krekel, et al., “Capability of the People’s Republic of China to conduct cyber warfare and computer network exploitation,” US-China Economic and Security Review Commission, 2009.

M. Libicki, Cyberdeterrence and Cyberwar, RAND, 2009.

TC/Globecom2011/12-9-11 p. 220 References (cont)

H. Lin, “Lifting the veil on cyber offense,” IEEE Security and Privacy, July 2009, pp. 15-21.

J. Nye, “Cyber power,” Harvard Kennedy School Belfer Center for Science and International Affairs, May 2010.

Office of the National Counterintelligence Executive, “Foreign spies stealing US economic secrets in cyberspace: report to Congress on foreign economic collection and 2009-2011,” Oct. 2011, http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

A. Peritz, M. Sechrist, “Protecting cyberspace and the US national interest,” Harvard Kennedy School Belfer Center for Science and International Affairs, Sept. 2010.

K. Rauscher, A. Korotkov, “Working towards rules for governing cyber conflict,” East-West Institute, Jan. 2011.

Symantec, “W32.Stuxnet Dossier,” http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

TC/Globecom2011/12-9-11 p. 221 References (cont)

T. Thomas, “Chinese and American network warfare,” JFQ, http://www.dtic.mil/doctrine/jel/jfq_pubs/1538.pdf.

S. Vakin, L. Shustov, R. Dunwell, Fundamentals of Electronic Warfare, Artech House, 2001.

E. Waltz, Information Warfare Principles and Operations, Artech House, 1998.

L. Wentz, C. Barry, S. Starr, Military Perspectives on Cyberpower, Center for Technology and National Security Policy at the National Defense University, 2009.

K. Zetter, “How digital detectives deciphered Stuxnet, the most menacing malware in history,” Wired, http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/.

TC/Globecom2011/12-9-11 p. 222