How the History of Cyber Attacks Is Changing Current & Future Security


How the History of Cyber Attacks is Changing Current & Future Security Defenses
Cyber Security Dinner Seminar, 12/13/2018
Tom Ruffolo, CISA, [email protected]

Agenda
▪ Technology Trends – New Tech that enables Attacks or Defenses
▪ History of Attacks – Examples
▪ History of Defenses – Solutions
▪ Future Security – Leveraging New Technology; Defense Technology; Likely Attacks; Solutions

History of Technology: Enabling Attacks (Technology Evolution by decade)
▪ 1980s: Private Internet (AOL, CompuServe); Birth of PCs [DOS]; Slow Proprietary Networks
▪ 1990s: Real Internet Introduced; Faster Internet, Websites; Email Use Grows; Windows 95/98; Online Shopping, Payroll; Slow Internet Speeds: xx Kbps
▪ 2000s: Blackberry, iPhone ('07); WiFi & Portable Devices; Social: Facebook, LinkedIn; Smart Phones & Apps; Windows XP; Cloud Apps & Email Usage Up; WiFi: 11-450 Mbps; Internet: Low Mbps; 3G: .4 Mbps+; 4G: ~10 Mbps (-1 Gbps)
▪ 2010s: SaaS Cloud Apps & Office; Public Cloud Data Centers; IoT; Expanded Social Media; Windows 10; WiFi: Up to 16 Gbps; Fast Internet: 100 Mbps–Gbps; 5G (2019): 100 Mbps – 20 Gbps

History of Security Attacks

1980s: Morris Worm
▪ Objective: Graduate Student – Size the Internet
▪ Attack Target: ARPANET Users
▪ Attack Type: 1st Malware Worm – Self Replicating Worm Sent to Authorized DEC VAX Users on ARPANET
▪ Impact:
  – Replicated out of control; 1,000s of Govt & University machines WW were so slow they could not function (DDoS)
  – $100,000+ Cost in Downtime & Cleaning
▪ Attack Method:
  1. Leverages Unix, System Configuration & Weak Password Vulnerabilities to Self Replicate Rapidly Over a 60,000 Node Network
▪ Response:
  – Admins: Tighten Security Configurations, Password Security
  – DARPA Funding of US-CERT (Computer Emergency Readiness Team)
  – 1st Conviction Under the 1986 Computer Fraud Act

1989: AIDS Info Disk – Ransomware
▪ Objective: To Extort $$ from PC Users
▪ Attack Target: PC DOS Users
▪ Attack Type: 1st Ransomware
▪ Impact: Computer Unusable… Wait for your Unlock Key in the Mail
▪ Attack Method:
  1. Mail a "Floppy Disk"
  2. Insert Disk & Open File
  3. Malware Hides Directories & Encrypts File Names on Drive C:
  4. Mail $189 to Panama to Unlock
▪ Response:
  – User is Educated
  – Future: Endpoint Security, External Storage Lockdown or AV Scans

Melissa & ILOVEYOU Macro Viruses (1999/2000)
▪ Objective: Disruption, Steal Passwords
▪ Attack Target: Everyone
▪ Attack Type: Mass Mailing Macro Worm – Simple Multi-Stage, Self Replicating
▪ Impact: Most Costly Malware to Date
  • $5-8B in Damages WW
  • $15B to Remove Worm
▪ Attack Method:
  1. Email -> MS Word Macro Attachment
  2. Open Attachment -> Infect PC
  3. Replicate: Melissa sends a copy to 50 People; ILOVEYOU sends a copy to All Contacts
▪ Response:
  – Windows Vulnerabilities Patched
  – Users: Restrict Running Programs
  – Vendors: Improved Email Security
  – Employees Get an Education
  – 2002: Bill Gates "Security Project"

Advanced Persistent Threats (APTs) (2010+) – Attack Map
▪ Stages:
  1. RECON: Map Data, Network, Resources of Targeted Users (Social Sites, Web Search, Map Your Network)
  2. Targeted Users: Get Credentials (Spear Phish Email, Malicious Web Links)
  3. Credentials: Download & Install Backdoor; Increase Access
  4. Discovery: Find More Credentialed Users (One Step Closer)
  5. Strategic Attacks: Extract & Collect Data; Attack
  6. Extract Data: Remove Traces; Transfer Data Out
▪ Top 4 Attack Methods used on People: #1 Malware, #2 Phishing, #3 Malicious Websites, #4 Social Engineering

Operation Aurora – APT (2009+)
▪ Objective: Gain Access to Source Code; Gain Access to Dissident Gmail
▪ Attack Targets: Google, Adobe, Juniper, Rackspace, Symantec, Northrop…
▪ Attack Type: Advanced Persistent Threat (APT) – Multi-Year Attack
▪ Impact:
  – Some Google Source Code Stolen
  – Google Threatens to Leave China (Censored Search Engine Business)
▪ Attack Method:
  1. China Based
  2. Visit Malicious Web Sites (Links), Leveraging Zero Day Vulnerabilities in IE
  3. Download & Encrypt Payload to Avoid Discovery
  4. Ongoing Access to Source Code etc.
▪ Response:
  – Microsoft IE Patch
  – Dedicated APT Solutions
  – Later: APT Solutions in Everything

How Ransomware Works (2014+)
▪ Infection Chain: Attacker's Website or Compromised Application/Attachment -> Download Malicious Code -> Ransomware Download -> O/S Exploit -> Replicate
▪ Result:
  • Files Encrypted (even Backup)
  • System Unusable
  • Ransom Request
  • No Traces of Dr. Evil
▪ Well Known Variants: 2013-2015 Cryptolocker, Cryptowall; 2016 Locky, Petya, NotPetya; 2017 WannaCry (Cryptoworm)
▪ Ransomware as a Service
▪ Cost of Ransomware: 2015 $325M; 2016 $1.45B (FBI); 2017 $5B; 2019 $11.5B Forecasted

WannaCry Ransomware (2017)
▪ Objective: Extort $$ from Everyone
▪ Attack Target: Everyone (Personal, Small, Enterprise)
▪ Attack Type: Ransomware Cryptoworm – Simple Multi-Stage, Self Replicating
▪ Impact: Infected >230,000 Computers in 150 Countries
▪ Attack Method:
  1. Initial Infection Unknown (normally Email or Web)
  2. Encrypts Data – PC, Server
  3. Ransomware Request – Bitcoin
  4. Spreads to Random PCs on Network or Internet w/ Win Vulnerability (EternalBlue)
▪ Response:
  – Windows Vulnerabilities Patched
  – Kill Switch Turned on to Kill Replication, but New Variant Ignores Kill Switch
  – New Ransomware/Zero Day Security:
    • Endpoint Security Developed (including AI)
    • Gateway Firewall UTMs
    • Patch Management
  – Backup & Disaster Recovery Focus

CEO Fraud – Social Engineering Attack (2015+)
▪ Objective: Steal $$ or High Value Data
▪ Attack Target: All Size Companies
▪ Attack Type: Impersonate "CEO", Order Teams to Initiate Targeted Transactions
▪ Impact: Unrecoverable $$ or Data Loss
▪ Attack Method (Social Eng.):
  1. Reconnaissance (Social Media…)
  2. Spear Phishing (Spoofed Emails)
  3. Response
  4. Damage
  5. Impact
▪ Response:
  – Improved Email Security
  – Online Employee Training
  – Human 2-Factor Authentication
    • Improved Internal Communication
    • Policies, Process, Procedures
  – Social Media Usage Controls
  – Website Domain Control (Spoofing)

Supply Chain Attacks (2017)
▪ Objective: Introduce Malware Into Your Network, then Initiate an Attack
▪ Attack Target: All Companies – Any Software
▪ Attack Type: Corrupt Legitimate Software Downloads from a Trusted Vendor
▪ Impact: Any Attack is Possible
▪ Attack Method:
  1. Corrupt Trusted Software/Update:
     1. On the Supplier's Download Servers, or
     2. Corrupt the Software Vendor's Software, or
     3. Hijack the Software Update Path
  2. User Downloads Malware
  3. Attack Starts
▪ Response (Hard to Prevent/Detect):
  – Prevent:
    • NextGen Web Reputation Checking
    • Controlled (or Delayed) Updates
    • Vendor Selection Scrutiny
  – Detect:
    • Zero Day Malware Detection
    • APT Detection (C&C)
  – Respond:
    • Backup and Disaster Recovery

Crypto Currency Attacks & Mining (2017)
▪ Objective:
  1. Steal Cryptocurrency, or
  2. Create Cryptocurrency on Your Nickel
▪ Attack Target: Crypto Food Chain Incl. Users
▪ Attack Methods (Numerous & Growing):
  1. Crypto Mining by Cryptojacking Browsers or Servers, Using Malware Infections
  2. Hijacking the Cryptojacker: Redirect Wallet Address to Another Wallet
  3. Crypto Attacks on 3rd Parties: Tools, Wallets, Exchanges
  4. Attacks on End Users:
    • Crypto Wallet Shuffling (Stealing your wallet, or replacing your wallet with theirs for cryptofund storage)
    • Scraping your PC for crypto information (wallets, coin addresses)
    • Stealing login Credentials for your Crypto Account and Wallet
  5. Attacks on Crypto Exchanges: $532M lost from Credential-Stealing Malware, Stolen Private Wallet Keys
▪ Broad Crypto Currency Ecosystem Attacks Require Broad Solutions in These Areas:
  – Traditional Security Solutions
  – Crypto Infrastructure Protection
  – Secure Access Control
  – Protect Developers & Tools
  – Social Attacks on People
▪ While the architecture of Blockchain may be secure, the surrounding ecosystem is not.

New Threats from Moving to the Cloud
▪ Data Center -> Cloud Applications (Storage/Sharing, CRM, HR, Finance, Office, Sales, Development, Operations Apps)
▪ Issues: Visibility; Data Protection; Malware; Access Control

History of Security – Attacks Summary
▪ Technology Evolution: as on the History of Technology slide above (this version lists Rapid Internet Growth for the 1990s, WiFi: < 1 Gbps for the 2010s, 4G: ~10 Mbps – 1 Gbps and 5G: 100 Mbps – 20 Gbps)
▪ Attack Methods:
  – 1980s: 1st Malware Worms; 1st Ransomware; Hackers
  – 1990s: Attack Windows OS, Servers; Malware Variants; Hackers
  – 2000s: Email Threats; Phishing Email, Attachments; Malware, Worms, Botnets; Website Vulnerabilities; Hacking
  – 2010s: Software Supply Chain; CEO Fraud; Stolen Credentials; Ransomware / RaaS; Adv. Persistent Threats; Spear Phishing; Fast Morphing Malware; Privilege Misuse; Website Vulnerabilities; Hacking

History of Security – Defense Responses
▪ Attack Methods: as in the Attacks Summary above (this slide also lists 1st Morphed Malware)
▪ Defense Responses: Windows 10; Dedicated APT Solution; Improved