Cyber Security: Threats and Challenges
R. Sekar
[email protected]

Alarming Trends in Cyber Attacks

- Large increases in cybersecurity spending
  - Factor of 10+ increase in the past ten years
- Yet, security incidents continue to skyrocket
  - Incidents reported by CERT Coordination Center increased by a factor of 120 in the past decade
  - 97% of participants in 2003 FBI/CSI survey reported attacks
- Malicious attacks cost companies tens of billions to clean up [Computer Economics, Trend Micro]
- Many small/medium businesses are victims of cyber extortion
  - 17% of companies surveyed by CMU and Information Week

Secure Systems Laboratory 2

Evolution of Threats

- World War II and earlier
  - Break secret messages during transmission
  - Primarily the domain of nation states
  - Modern cryptography has all but eliminated this threat
- Modern era
  - Focus shifts from altering messages to breaking end-systems that store and process these messages
  - Perpetrated by as a “hobby”
  - viruses and Internet worms

Evolution of Modern Threats

- First generation
  - break into high-value systems (e.g., banks) through proprietary networks
  - criminal elements as well as rogue nations
- Second generation
  - that spreads due to information sharing
  - Viruses and worms
- Third generation
  - Malware that spreads via the
  - Still, no evidence of organized or criminal elements


Traditional Threats - Examples

- 1989
  - Hackers in West Germany broke into US government and corporate computers and sold operating system source code to the Soviet KGB
- 1994
  - Russian crackers siphoned $10 million from Citibank and transferred the money to bank accounts around the world

Current Threats (Fourth generation)

- Steal confidential information
  - Credit-card/bank account #s, passwords, …
  - Trade secrets and other proprietary information
  - Security-sensitive information
    - Useful for breaching physical world security
- Establish base for future operations
  - Conduit for future attacks
  - Surveillance
    - Capture keystrokes, microphone or camera input
    - Reveal information about software installed
    - Snoop on web sites visited


Current Threats (Continued)

- Driven by commercialization of malware
  - Thriving black-market for exploits
  - Zero-day exploits have arrived
- “Bot”-centric model for cyber crime
  - Relay spam (e-mail scam, )
  - Extortion (using DDoS or targeted attacks)
  - Focus on desktop (rather than server) vulnerabilities
- Profit-driven adware and spyware
  - Customer-profiling, niche-marketing
  - IP protection (digital rights management)
  - aggressive installation, stealth (rootkits, spyware)

Current Threats (Continued)

- Specialization and commoditization
  - Exploit tools and techniques
    - compromise
    - payload
  - Targeting information
  - Botnet management and leasing
  - Brokers
  - Employment of botnets
  - Cash-out
    - the step that most closely relates to things outside the cyber world

Modern Threats: Enablers

- High connectivity
  - Home users with always-on broadband connectivity
  - Increasing adoption of the Net in day-to-day activities
- Software homogeneity
  - Find single bug, own millions of computers!
- Inherent complexity of modern software
- Short-term thinking by vendors
  - “Feature obsession” and cost-cutting
  - shoddy software quality + code bloat
  - Result: security bugs are all over the place and easy to find!
- Lack of user awareness
  - Find millions of trusting users and own their computers!
- Lack of traceability and attribution
  - Conduct your attack and disappear!

Modern Threats: A Glance

- Viruses
- Worms
- DDoS and Botnet
- Spyware
- Spam
- Phishing
- Online extortion


Computer Virus

- Properties
  - Replicates itself
  - Attaches to other non-malicious code
- Examples
  - Boot sector virus (difficult on OS with memory protection)
  - Other OS level virus
  - Virus that attaches to programs, scripts, libraries
  - Macro virus
  - Mail attachments / active web content

Well-Known Computer Viruses

- 1982, Elk Cloner
  - First virus in the wild
  - Targeting Apple II
- 1986, (c)Brain
  - First virus for IBM PC
  - A boot sector virus
- 1995, Concept virus
  - First Macro virus
- 1998, CIH
  - One of the most harmful widely circulated viruses
  - Overwrites both hard disks (data loss) and Flash BIOS (hardware damage)


Macro Virus

- Written in a macro language.
- Macros can perform operations that the software can do.
- To date, only Microsoft Office products are vulnerable to this kind of virus.
- Simple solution: turning off the macro feature

CIH Virus

- Spreads via Portable Executable files under Windows 95/98/Me.
- Damages:
  - Overwriting the first 1024KB of the hard drive with zeroes → Loss of data on the entire hard drive
  - Overwriting the Flash BIOS with junk code → Computers cannot boot any more
- Activated in the public eye on April 26, 1999
- An untold number of computers worldwide were affected, much in Asia


Melissa

- Found on March 26, 1999
- Targeting Microsoft Word and Outlook-based systems, and creating considerable network traffic
- Shut down many internal mail systems
  - that got clogged with infected e-mails propagating from the worm
- Inside a file called “List.DOC”
- Spread on Microsoft Word 97 and Word 2000.
- Can mass-mail itself from email client Microsoft Outlook 97 or Outlook 98.
- Attempts to mass mail itself once an infected Word document is opened.

ILOVEYOU

- First appeared on May 3, 2000
- Caused widespread e-mail outages, an estimated $10 billion in economic damage
- Written in VBScript
- E-mail
  - Subject: “ILOVEYOU”
  - Attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”
- Overwrote important files with a copy of itself
- Sent itself to everyone in a user’s contact list


- Replicates over the network (usually by itself)
- First worm appeared at Xerox PARC in 1978
- What a worm can do?
  - Replicates itself, and thus consumes network bandwidth
  - Deletes files on a host system
  - Sends documents via e-mail
  - Carries other executables as a payload
  - Installs a backdoor in an infected computer (zombie computer)
- Modern worms
  - Large scale infection
  - Fast spread rate
    - spread over the Internet within a second

Timeline of Notable Worms (1)

- Nov 1988, Morris worm
  - First well-known worm
- March 1999, (E-mail worm)
  - Targeting Microsoft Word & Outlook-based systems
- May 2000, VBS/Loveletter or ILOVEYOU (E-mail worm)
  - Caused an estimated $10 billion in economic damage
- July 2001, (Exploited IIS bugs)
  - Considerably slowed down Internet traffic
- Jan 2003, SQL Slammer (Exploited MS SQL Server bugs)
  - Very fast: infected most of its 75,000 victims within ten minutes
  - Amazingly small, only 376 bytes


Timeline of Notable Worms (2)

- Aug 2003, , (Nachi),
  - Blaster (Exploited DCOM RPC bugs)
    - Coded to start a SYN flood on Aug 15 against windowsupdate.com
  - Welchia (Nachi)
    - A goodwill worm to remove Blaster and patch Windows
  - SoBig (E-mail worm)
    - Infected millions of Windows computers in Aug 2003
    - Microsoft wanted information of the worm creator for $250,000
- Apr 2004, (Exploited LSASS bugs)
  - Affected:

Code Red

- Released on July 13, 2001
- Considerably slowed down the Internet traffic
- Details:
  - Attacked computers running Microsoft’s IIS web server
  - Defaced the affected web site
  - Tried to spread itself by looking for more IIS servers on the Internet
  - Waited 20-27 days after it was installed to launch DoS attacks on several fixed IP addresses, including White House.
  - Exploited a vulnerability in IIS; used illegal GET requests to trigger the vulnerability


SLAMMER

- January 2003
- Caused DoS on some Internet hosts and dramatically slowed down general Internet traffic
- Fast
  - Infected most of its 75,000 victims within ten minutes
- A buffer overflow based attack targeting Microsoft SQL Server
- Amazingly small, only 376 bytes
- Generates random IP addresses and sends itself out to those addresses.
  - If the selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
- Only stays in memory.

Blaster

- Spread during August 2003 (first noticed on August 11, peaked on August 13)
- Programmed to start a SYN flood on August 15 against port 80 of windowsupdate.com.
- Exploited a buffer overflow in the DCOM RPC service on the affected Windows operating systems


Welchia (Nachi)

- Welchia (Nachi), a worm that tries to remove the Blaster worm and patch Windows
- Discovered on August 18, 2003
- Not good
  - Creates a vast amount of network traffic, thereby slowing down the Internet
  - Makes the system unstable (e.g. reboot after patching)
  - Without user’s explicit consent

SoBig

- Consequences:
  - Infected millions of Microsoft Windows computers in August 2003
  - Microsoft wanted information of the worm creator for $250,000
- Details:
  - Appears as an e-mail with one of the following subjects: Re: Approved, Re: Details, Re: Thank you, …
  - Contains the text: “See the attached file for details” or the like
  - Contains an attachment by one of the following names: application.pif, details.pif, thank_you.pif, …
- Infection and spreading
  - Infects a host computer once the attachment is opened
  - Replicates by sending out the above-mentioned
  - E-mail addresses are gathered from files on the host computer


- First sighted on January 26, 2004.
- One of the fastest spreading e-mail worms
- Details
  - Primarily transmitted via e-mail, appearing as a transmission error
  - Subject lines including “Error”, “Mail Delivery System”, “Test” or “Mail Transaction Failed”
  - Contains a malicious attachment
- Infection and Spreading
  - Resends the worm to e-mail addresses found in local files once the attachment is opened.
  - Copies itself to the “shared folder” of KaZaA (a P2P file-sharing app)
- Backdoor
  - Installs a backdoor on port 3127/tcp to allow remote control of the subverted PC
  - A DoS attack against SCO Group, Microsoft, and antivirus sites

Sasser

- First noticed in April 2004. Affected:
- Can spread without the help of the user.
- Exploits a buffer overflow in LSASS (Local Security Authority Subsystem Service)
- Scans different ranges of IP addresses and connects to victims’ computers primarily through TCP port 445.
- Can be easily stopped by a properly configured firewall, or by downloading patches


Distributed Denial-of-Service (DDoS)

- DoS
  - An attack on a computer system or network that causes a loss of service to users
- Methods
  - Consumption of computational resources, such as bandwidth, disk space, or CPU time
  - Disruption of configuration information, such as routing information
  - Disruption of physical network components
- DDoS
  - Use of multiple hosts (often through Botnet) in a DoS

Botnet

- What is a Botnet?
  - A collection of compromised computers
    - The computers are implanted with backdoor programs
      - Usually by worms, viruses
    - The programs are under a common control infrastructure
  - Botnet’s originator can control the group remotely
    - Usually through a means such as IRC
- Purpose
  - DDoS
  - SMTP mail relays for SPAM
  - Theft of sensitive information
    - E.g. login IDs, credit card numbers, application serial numbers


Rootkit

- Stealthy backdoor programs
- Intended to maintain “invisibility” of intruders
  - Intercepts data from terminals, network connections, and the keyboard
  - Conceals logins, running processes, files, logs, or other system data
- Origins of “rootkit”
  - Originally referred to such kind of programs in Unix systems (root – the administrator)

SonyBMG DRM Rootkit (2005)

- Extended Copy Protection (XCP) DRM for CD copy protection
  - User is required to install XCP software contained in the CD to play an XCP-protected CD on a Windows system.
  - XCP intercepts all accesses of the CD drive and only allows the XCP-bundled media player to access music tracks on the CD
  - (Rootkit) XCP conceals itself from the user by installing a patch to the Windows operating system. This patch stops ordinary system tools from displaying processes, registry entries, or files whose names begin with $sys$.
- About 4.7 million XCP-CDs shipped, 2.1 million sold [New York Times]

SonyBMG DRM Rootkit (2005)

- A controversial DRM mechanism
- Weakens system security
  - XCP rootkit can be used by other malware
    - The first one was discovered in November 2005
  - XCP uninstaller, released later, leaves serious security holes on the system

Spyware

- Properties
  - Intercepts or takes partial control of the computer’s operation
  - Without the informed consent of that computer’s legitimate user.
  - Does not usually self-replicate.
- Purpose
  - Delivery of unsolicited pop-up advertisements
  - Theft of personal information
  - Monitoring of Web-browsing activity for marketing purposes
  - Routing of HTTP requests to advertising sites


Spam

- Properties
  - Sending of unsolicited (commercial) emails
  - Sending nearly identical messages to thousands (or millions) of recipients
  - in different media
    - E-mail spam, , and , , Internet telephony spam, Blog, wiki, guestbook, and referrer spam, etc
- Cost USA organizations alone more than $10 billion in 2004 [California legislature]

Phishing

- Uses social engineering techniques
  - Masquerading as a trustworthy person or business in an apparently official electronic communication
- Attempts to fraudulently acquire sensitive information
  - Such as passwords and credit card details


Online DDoS Extortion

- Extortion: you pay us or you will be attacked
- [CMU and Information Week, 2004]
  - 17% of companies surveyed are victims of online extortion.
- [Alan Paller, SANS Institute, 2004]
  - 6 or 7 thousand organizations are paying extortion
  - Every online gambling site is paying extortion

Underlying Causes

- Untrusted software
  - Malware, including viruses, worms, bots, …
- Configuration errors
  - Default passwords, permissive firewall rules, …
- Human element
  - Insider threats, operator mistakes, social engineering
- Vulnerabilities in trusted software
  - These may be the result of errors in
    - Threat modeling
    - Design/logic
    - Implementation
    - Testing


Threats Due to Untrusted Code

- Metamorphic viruses
  - Viruses that use complex transformations that elude signature-based techniques
- Rootkits
- Trojan software
  - will likely evolve into stealthy forms
  - Need proactive (rather than reactive) solutions
- Intentionally introduced vulnerabilities
  - infiltration into key proprietary or open-source software development teams

The Human Element

- Insider attacks
- Growing system complexity contributes to more operator errors
  - misconfigured systems
  - especially problematic in settings where many components interact
- Social engineering attacks

Software vulnerabilities

- Most vulnerabilities are due to software bugs
  - 97% of vulnerabilities reported in CVE
  - The rest are configuration errors
- These vulnerabilities may be exploited in attacks to obtain unauthorized or unintended capabilities
- Most vulnerabilities are due to simple programming errors
  - Bounds-checking
  - Input validation
  - Error-handling

CVE Vulnerabilities, 2003 and 2004

[Pie chart. Slice labels: Memory errors 24%, Logic errors 19%, Crash 7%, Unknown attacks 4%, Symlink 4%, Format string 4%, Loop 4%, Config Error 3%, SQL injection 2%; Command injection, Directory traversal, Other injection and Cross-site scripting account for the remaining 29% (14%, 7%, 4% and 4%, in an order the extraction does not preserve).]


Example: SQL Injection

- Attacker-provided data used in SQL queries

    $cmd = "SELECT price FROM products WHERE name='" . $name . "'"
    … Use cmd as an SQL query

- Attacker-provided name:

    xyz'; UPDATE products SET price=0 WHERE name='OneCaratDiamondRing

- Resulting query:

    SELECT price FROM products WHERE name='xyz'; UPDATE products SET price=0 WHERE name='OneCaratDiamondRing'
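The slide's concatenated query beside a parameterised one, run against SQLite, as an added example that is not part of the original slides; the products table and its prices are constructed, and the hostile name is the one on the slide.

```python
import sqlite3

# Constructed sample catalogue standing in for the slide's "products" table.
PRODUCTS = [("xyz", 10), ("OneCaratDiamondRing", 5000)]
# The attacker-provided name exactly as given on the slide.
INJECTED_NAME = "xyz'; UPDATE products SET price=0 WHERE name='OneCaratDiamondRing"


def fresh_db():
    """In-memory SQLite database seeded with the constructed products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    conn.commit()
    return conn


def lookup_price_vulnerable(conn, name):
    """Build the query by concatenation, as the slide's $cmd does.
    executescript() runs every statement in the string, like a driver that
    permits stacked queries, so the injected UPDATE runs alongside the SELECT.
    (sqlite3's execute() would refuse the second statement.) Returns the SQL text."""
    cmd = "SELECT price FROM products WHERE name='" + name + "'"
    conn.executescript(cmd)
    return cmd


def lookup_price_safe(conn, name):
    """Parameterised query: the name is bound as a value, never parsed as SQL."""
    row = conn.execute("SELECT price FROM products WHERE name=?", (name,)).fetchone()
    return row[0] if row else None


def ring_price(conn):
    """Current price of the diamond ring, used to observe the injected UPDATE."""
    return conn.execute(
        "SELECT price FROM products WHERE name='OneCaratDiamondRing'").fetchone()[0]


def demo():
    """Run the slide's payload through both code paths. Returns (ring price
    after the vulnerable lookup, ring price after the safe lookup, what the
    safe lookup returned for the hostile name)."""
    vuln = fresh_db()
    lookup_price_vulnerable(vuln, INJECTED_NAME)     # ring price is now 0
    safe = fresh_db()
    result = lookup_price_safe(safe, INJECTED_NAME)  # no such product: None
    return ring_price(vuln), ring_price(safe), result
```

The vulnerable path leaves the ring priced at 0 while the parameterised path leaves it at 5000 and simply finds no product with the hostile name.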

