Mcafee Threat Intelligence Updates Records with New Internet Reputation Info

In the Cloud Security
Greg Day, Principal Security Analyst EMEA, AVERT member
July 28, 2009
Slide footer (every slide): July 28, 2009, Confidential, McAfee Internal Use Only

Slide 2: The Tsunami
• Decades of threats; surely we have a handle on this?
• Estimated in excess of $1 trillion lost through cybercrime and data loss in 2008 (McAfee Unsecured Economies Report 2009)
• Q1 2009: 12 million new IPs zombied since January, a 50 percent increase on 2008 (McAfee Quarterly Threat Report Q1 2009)
• Koobface: more than 800 new variants in March 2009 (McAfee Quarterly Threat Report Q1 2009)

Slide 3: Understand the motivation, to understand the methodology
Source: Chat interview with the Dream Coders Team, the developers of MPack, http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/

Slide 4: Today anyone can be a cyber criminal!

Slide 5: Over 20 years of anti-virus
• Dr Solomon's Anti-Virus from 1990
• Looking for a string match against known malware

Slide 6: The age-old question: is anti-virus dying?
[Charts: "Anti-Virus protection (%) of 2003 Medium+ threats" and "Anti-Virus protection (%) of 2004 Medium+ threats"; series: AV software, % proactive protection, % reactive protection]
How long did each outbreak take to spread?
• 1991: Michelangelo: 6 months?
• 1997: WM/Cap: 2 months?
• 1999: WM/Melissa: 1 day?
• 2000: VBS/Loveletter: 4 hours?
• 2001: CodeRed/Nimda: 1 hour?
• 2003: Slammer: 3 minutes?
• 2008: Mass web compromises: seconds?

Slide 7: From Elephant to Chameleon: how threats have changed

Slide 8: Evolution of threats
1987 – Brain & Stoned (early boot sector viruses)
1990 – Vienna modified to be polymorphic
1991 – Polymorphism hits the wild (Tequila)
1995 – WM/Concept (first macro virus)
1999 – Melissa mass mailer & ExploreZip reply mailer
2000 – Phage (virus for the Palm Pilot)
2001 – CodeRed & Nimda (utilise security vulnerabilities)
2002 – Klez & Elkern, Bugbear (droppers)
2003 – Slammer (speed), Slapper (Unix, directed attack)
2004 – Turf wars (Bagle, Netsky, Sober, bots)
2005 – System & data theft (Trojans & rootkits)
2007 – Rootkits, packers, recycling (threat longevity)
2008 – Drive-by infections

Slide 9: Early proactive techniques

Slide 10: Heuristics (behavioural analysis)
• Positive & negative analysis
• Protection against new file and/or macro viruses
• Checks for virus-like characteristics
• Blocks execution of possible virus code (on-access scanner)
• No cleaning, as there is no exact match
• Tangible sample to send to the virus lab

Slide 11: Speed… The blended/zero-day attack brought the new solutions

Slides 12 and 13: [image only]

Slide 14: Proactive behavioural protection (HIPS, NIPS, firewall, whitelisting etc.)
• Known vulnerability detection
• Behavioural controls
  – RFC non-compliance
  – Anomaly detection
  – Policy controls
• Define web/email usage
• Lock down Windows & the Windows system folder
• Registry modification
• Block unused ports
• Blacklist non-corporate or high-risk apps
• Conficker – AutoRun.inf
• Proactive or reactive?

Slide 15: Proactive behavioural controls: limitations
• What did I really stop?
• Did it stop all of the attack?
• What else could it have done?
• We still want to identify the threat
• We sometimes need to clean up
• Assumes the system is clean at point of install

Slide 16: Volume…
[Chart: number of threats per year, source McAfee Avert Labs. 2006: 78,381; 2007: 271,197; 2008: 1,500,000+]
• 246% growth from 2006 to 2007
• ~350,000 projected for 2008
• 400%+ growth projected for 2008
• 2008 exceeded projections

Slide 17: The Great Zoo: McAfee known malware samples
[Chart: count of dirty samples/hashes in the McAfee zoo]

Slide 18: Shark: compilable multi-system backdoor Trojan
Now anyone can be a cyber criminal!
1. Set up server
2. Compile threat
3. Infected systems talk home!
4. See what you have!
5. Full control!
6. Enable keylogger
7. Control processes

Slide 19: Buy the deployment tools

Slide 20: Mass infection of public web pages globally (13 March 2008)
• 200,000 web pages compromised
  – SQL injection
  – Vulnerabilities in .ASP pages running phpBB
• Inserted JS to write an IFRAME in the header or body, exploiting:
  – MS06-014
  – RealPlayer (ActiveX control)
  – Baofeng Storm (ActiveX control)
  – Ourgame GL World GlobalLink Chat (ActiveX control)
• Daisy chains to a server in China
  – Drops downloaders
  – Steals gaming credentials

Slide 21: Example: IFrame & MPack
[Diagram: booby-trapped legitimate sites, MPack C&C center; (1) connection to a legitimate site, (2) silent redirect, (3) exploitation, (4) HTML infection, machine under control]
1. The victim visits a legitimate site that has been booby-trapped with hidden redirect code (a hidden iFrame).
2. They are silently redirected to the server hosting the attack tool.
3. Depending on the browser, various vulnerabilities may be tested. Various malware are downloaded and executed.
4. The web pages accessible from the victim's workstation are in turn booby-trapped.
Outcomes: botnet, RockPhish, fast-flux, DDoS, identity theft, …

Slide 22: Regular "Protection Gap"
Protection gap of 24-72 hours with current solutions:
t0: malware in the wild
t1: malware discovered
t2: protection available
t3: protection downloaded
t4: protection deployed

Slide 23: Security in the Cloud

Slide 24: Next-gen "in the cloud" detection: Internet fingerprint database

Slide 25: What is "in the cloud scanning"?
• End-node reporting
• Very little system overhead
• Meta-data

Slide 26: In the cloud security: blocking what we already know!
• Non-replicating malware is static, and some replicating malware is static too (e.g. worms)
• Can be detected with a fingerprint (MD5, SHA-1, SHA-2, etc.)
• Blacklist of fingerprints
[Chart: replicating vs non-replicating malware, percentage by year, 1999 to 2008]

Slide 27: How does in-the-cloud anti-virus work?
1. User receives a new file via email or web
2. No detection with existing DATs, but the file is "suspicious"
3. Fingerprint of the file is created and sent
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis Collective Threat Intelligence identifies the threat and notifies the client
6. VirusScan processes the Artemis information and removes the threat

Slide 28: In the cloud in action

Slide 29: In the cloud security: identifying what we don't know!
• Software may be deemed "suspicious" based on:
  – Observed behaviours
  – Source
  – Detections by other products
• Behaviours, sources and detections can each be assigned a weight
• Based on the resulting weight, software may be classified as "suspicious" with different degrees of certainty

Slide 30: Closing the loop

Slide 31: Malware case study: Spy-Agent.bw
• First seen: 15 October 2008, 22:24:28
• Auto-blacklisted: 15 October 2008, 22:57:01
• Artemis clients sent fingerprints ~2 hours before regular submission saw the file

Slide 32: Security & privacy
Example response:
U0B6gKhbtiZCoxyh0IneADS/RShS8iRCBSEvwfjekG/q4yDRgqEUXjHWKvnrySGa6QMdftrlpl5pAdJvOUAcNcvCjKvpIfsxv8qBk4uRQQ60r5StRCXOpiA0Qy3fKmLRUZyNq1EyjLLPKgJDZI0nqHhRWX+TDgPgXRfW9wD06qE
• Cryptographically strong, actionable responses
• Query specific
• Immune to replay attacks

Slide 33: Cloud security: compressed "Protection Gap"
Protection delivered in real time: malware discovery (t1) and protection available, downloaded and deployed (t2 to t4) collapse into one step.
Case study: Spy-Agent.bw
• Artemis protection: ~32 minutes
• Regular protection: ~8.5 hours, not including deployment time

Slide 34: I was blind, but now I see
[Diagram: Collective Threat Intelligence fed by Artemis customers, customer data, SiteAdvisor, vulnerability research, internet research, spam research, malware research, risk and compliance, and HIPS]

Slide 35: Taking it to the next level

Slide 36: Collaborative global intelligence
Physical-world analogy:
• Deploy agents: officers around the globe (MI5, MI6, FBI, CIA, Interpol)
• Global intelligence system: share intelligence information (e.g. criminal history, a global fingerprinting system)
• Results: effective, accurate detection of offenders; pro-active -
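The deck describes three mechanisms without showing any code: a fingerprint blacklist queried from the end-node (slides 26 and 27), a weighted "suspicious" score built from behaviours, source and other products' detections (slide 29), and a response that is cryptographically strong, query-specific and replay-immune (slide 32). The following Python is an added example written for this page, not McAfee's or Artemis's code. The signal names, weights, thresholds, the shared HMAC key and the constructed sample bytes are all assumptions for illustration; the deck does not say how Artemis actually keys or encodes its responses, so an HMAC over the fingerprint, a per-query nonce and the verdict stands in for "cryptographically strong, query specific, immune to replay".

```python
import hashlib
import hmac
import json
import os

# Assumption: a key shared between end-node and cloud service. The deck does
# not describe how real Artemis responses are protected; HMAC is a stand-in.
SHARED_KEY = b"example-shared-key-not-from-the-deck"

# Weights for the three "suspicious" inputs named on slide 29. Values are
# illustrative assumptions, not McAfee's.
BEHAVIOUR_WEIGHTS = {
    "writes_autorun_inf": 3,   # Conficker-style AutoRun.inf drop (slide 14)
    "modifies_run_key": 2,
    "beacons_on_start": 3,
    "injects_iframe": 4,       # slide 20 style page infection
}
SOURCE_WEIGHTS = {"corporate_share": 0, "email_attachment": 2, "drive_by_download": 4}
OTHER_DETECTION_WEIGHT = 2    # per other product that flags the file
THRESHOLDS = [(8, "high"), (5, "medium"), (2, "low")]  # degrees of certainty


def fingerprint(data: bytes) -> str:
    """Slide 27 step 3: only a hash of the file leaves the end-node (meta-data)."""
    return hashlib.sha256(data).hexdigest()


def suspicion_score(behaviours, source, other_detections) -> int:
    """Slide 29: weight behaviours, source and other detections and sum them."""
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)
    score += SOURCE_WEIGHTS.get(source, 0)
    return score + OTHER_DETECTION_WEIGHT * other_detections


def classify(score: int) -> str:
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return label
    return "clean"


def _canonical(msg: dict) -> bytes:
    """Stable serialisation of everything except the MAC itself."""
    return json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()


class CloudService:
    """Stand-in for the back end: fingerprint blacklist plus weighted scoring."""

    def __init__(self, blacklist):
        self.blacklist = set(blacklist)

    def answer(self, query: dict) -> dict:
        fp = query["fingerprint"]
        if fp in self.blacklist:                      # slide 26: known fingerprint
            verdict = "known_malware"
        else:
            verdict = classify(suspicion_score(query["behaviours"], query["source"],
                                               query["other_detections"]))
            if verdict == "high":                     # slide 30/31: auto-blacklist
                self.blacklist.add(fp)
        response = {"fingerprint": fp, "nonce": query["nonce"], "verdict": verdict}
        response["mac"] = hmac.new(SHARED_KEY, _canonical(response), "sha256").hexdigest()
        return response


class EndNode:
    """The VirusScan side: builds queries and only acts on verified, fresh answers."""

    def __init__(self):
        self.pending = {}   # nonce -> fingerprint of the outstanding query

    def send(self, data: bytes, behaviours, source, other_detections) -> dict:
        nonce = os.urandom(16).hex()                  # makes the answer query-specific
        query = {"fingerprint": fingerprint(data), "nonce": nonce, "behaviours": list(behaviours),
                 "source": source, "other_detections": other_detections}
        self.pending[nonce] = query["fingerprint"]
        return query

    def accept(self, response: dict) -> str:
        """Reject forged responses (bad MAC) and replays (nonce not outstanding)."""
        expected = hmac.new(SHARED_KEY, _canonical(response), "sha256").hexdigest()
        if not hmac.compare_digest(expected, response["mac"]):
            raise ValueError("bad MAC: response forged or tampered")
        fp = self.pending.pop(response["nonce"], None)
        if fp is None or fp != response["fingerprint"]:
            raise ValueError("response not bound to an outstanding query (replay?)")
        return response["verdict"]


def run_scenario() -> dict:
    """Walk one sample through the flow; inputs are constructed, not real malware."""
    cloud, node, results = CloudService(blacklist=[]), EndNode(), {}
    sample = b"MZ\x90\x00constructed-sample-bytes-not-real-malware"
    benign = b"constructed benign document text"
    resp = cloud.answer(node.send(sample, ["writes_autorun_inf", "beacons_on_start"],
                                  "drive_by_download", 1))  # score 3+3+4+2 = 12
    results["first_verdict"] = node.accept(resp)
    try:                                              # same response delivered again
        node.accept(resp); results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    forged = dict(resp, verdict="clean")              # attacker flips the verdict
    try:
        node.accept(forged); results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    node2 = EndNode()                                 # a second customer, same file
    results["second_verdict"] = node2.accept(cloud.answer(node2.send(sample, [], "corporate_share", 0)))
    results["benign_verdict"] = node.accept(cloud.answer(node.send(benign, [], "corporate_share", 0)))
    return results
```

Running `run_scenario()` shows the loop the deck describes: the first node's query scores "high" and the fingerprint is auto-blacklisted, so the second node gets "known_malware" for the same bytes without any scoring, while a replayed or tampered response is refused because the nonce is consumed on first use and the MAC covers the verdict. Note that nothing in this scheme hides the query from the service; the privacy property the deck claims is only that a hash rather than the file is sent.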