
Operation Aurora and beyond
How to avoid that this happens to your organisation
Raimund Genes, CTO
Copyright 2010 Trend Micro Inc.

What was Operation Aurora?
Industrial Espionage. Nothing new!

What was new is that Google disclosed it, on January 12th.
Jan/13
Jan/15: Attack named as Aurora

JS Source code of Aurora

Definition of the threat
• APT: Advanced Persistent Threats
• non-APT hackers: financial data, sensitive customer data
• APT attackers: espionage
http://www.wired.com/threatlevel/2010/02/apt-hacks/

Why is it called Aurora?
• Named by path in VNC type backdoor

Attack Playback
Step 1: Malicious Link
Step 2: Heap Spray
Step 3: IE exploit
Step 4: Shell code
Step 5: Download
Step 6: Malicious File
Step 7: Steal Information

What Vulnerabilities have been used
• Operation Aurora
• Microsoft Security Advisory (979352): Vulnerability in Internet Explorer Could Allow Remote Code Execution
• CVE-2010-0249: HTML Object Memory Corruption Vulnerability

Aurora JS Code
Heap Spraying
Prepare for object overwrite
Build Img object
Free img
Overwrite object
Call to shell code

Aurora exploit Malicious File
• Drop dlls
• Write registry entry
• Inject dropped dlls to some process
• Collect personal info and send out
• Create thread for remote access
• APT attacker

How to craft an attack? Get public information! The web knows you!
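The "Aurora exploit Malicious File" slide lists the host-side chain (drop DLLs, write a registry entry, inject into another process, open a channel for remote access). The following correlator is an added example of how a defender can detect that chain in endpoint telemetry; it is not Trend Micro code, and the event format, field names, window size and the sample events are all constructed assumptions.

```python
"""Hypothetical endpoint-telemetry correlator for the Aurora-style chain:
drop DLL -> registry persistence -> inject into another process -> outbound
connection. Added example, not code from the slides; the event schema and the
telemetry below are constructed."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Autostart location used as the persistence indicator (assumption: Run key only).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Order of the chain as described on the slide.
STAGES = ("drop_dll", "persist", "inject", "beacon")

# Constructed sample telemetry (not real logs). ws-17 shows the full chain,
# ws-22 only an installer writing a DLL and a browser connecting out.
EVENTS = [
    {"ts": "2010-01-12T09:00:05", "host": "ws-17", "type": "file_write",
     "path": r"C:\Users\darren\AppData\Local\Temp\dropped.dll", "proc": "iexplore.exe"},
    {"ts": "2010-01-12T09:00:07", "host": "ws-17", "type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2010-01-12T09:00:09", "host": "ws-17", "type": "remote_thread",
     "src_proc": "rundll32.exe", "dst_proc": "svchost.exe"},
    {"ts": "2010-01-12T09:00:30", "host": "ws-17", "type": "net_connect",
     "proc": "svchost.exe", "direction": "out", "dst": "203.0.113.10:443"},
    {"ts": "2010-01-12T09:05:00", "host": "ws-22", "type": "file_write",
     "path": r"C:\Program Files\App\lib.dll", "proc": "setup.exe"},
    {"ts": "2010-01-12T09:05:30", "host": "ws-22", "type": "net_connect",
     "proc": "chrome.exe", "direction": "out", "dst": "198.51.100.7:443"},
]


def classify(ev):
    """Map one telemetry event to a chain stage, or None if it is not relevant."""
    t = ev["type"]
    if t == "file_write" and ev["path"].lower().endswith(".dll"):
        return "drop_dll"
    if t == "reg_set" and RUN_KEY.search(ev["key"]):
        return "persist"
    if t == "remote_thread" and ev["src_proc"] != ev["dst_proc"]:
        return "inject"
    if t == "net_connect" and ev.get("direction") == "out":
        return "beacon"
    return None


def correlate(events, window=WINDOW):
    """Return {host: {stage: first_seen}} for hosts where all four stages were
    seen in order, with the beacon no later than `window` after the DLL drop."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        seen = by_host.setdefault(ev["host"], {})
        idx = STAGES.index(stage)
        if idx == 0:
            # Start (or restart, if the old chain is stale) a chain on a DLL drop.
            if "drop_dll" not in seen or ts - seen["drop_dll"] > window:
                seen.clear()
                seen["drop_dll"] = ts
        elif STAGES[idx - 1] in seen and stage not in seen:
            # Only accept a stage once its predecessor has been observed.
            seen[stage] = ts
    return {host: seen for host, seen in by_host.items()
            if all(s in seen for s in STAGES)
            and seen["beacon"] - seen["drop_dll"] <= window}


if __name__ == "__main__":
    for host, chain in correlate(EVENTS).items():
        print(host, {s: t.time().isoformat() for s, t in chain.items()})
```

Enforcing the stage order is what keeps the ordinary installer on ws-22 (DLL write, then a browser connection, but no persistence or injection) from firing; tightening the window trades missed slow chains for fewer false positives.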
And then an E-Mail with a spoofed sender

And if Darren clicks on the attachment...

Threat Predictions 2010
1. No global Outbreaks, but localized and targeted attacks
2. It's all about money, so Cybercrime will not go away
3. Windows 7 will have an impact since it is less secure than Vista in the default configuration
4. Risk Mitigation is not as viable an option anymore – even with alternative browsers/alternative operating systems (OSs)
5. Malware is changing its shape – every few hours
6. Drive-By Infections are the norm – One web visit is enough to get infected
7. New attack vectors will arise for virtualized/cloud environments
8. Bots – can't be stopped anymore, and will be around forever
9. Company/Social networks will continue to be shaken by data breaches
10. Digital Terrorism – Attacks on Scada networks?

Increase in Malware

No Script kiddies and amateurs anymore, professional malware writers who know how to play with the AV-Industry

A new malware component is released every 1.5 seconds!

URLs instead of Attachments! Waledac Malware

Infiltrated Websites!

Social Networks as an Attack Vector (11/08/2009)

Is it Spam, is it an Attack Vector, is it Social Engineering?
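The two slides above describe the lure: a mail with a spoofed sender and an attachment that Darren is expected to open. The check below is an added example of the kind of gateway rule that catches this combination (visible From domain disagreeing with the Return-Path domain, plus an executable or double-extension attachment). It is not Trend Micro code; the message is constructed with Python's standard library and all addresses and file names are placeholders.

```python
"""Hypothetical mail-gateway check for the spoofed-sender-plus-attachment lure.
Added example, not code from the slides; the messages built here are
constructed test data."""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types a gateway would treat as executable content (assumption).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def build_sample(spoofed: bool) -> bytes:
    """Construct a test message. spoofed=True mimics the lure from the slides:
    a display name and From address that look internal, a Return-Path on a
    different domain, and a 'PDF' that is really an executable."""
    m = EmailMessage()
    m["Return-Path"] = ("<bounce@mail-example.invalid>" if spoofed
                        else "<raimund.genes@example.com>")
    m["From"] = '"Raimund Genes" <raimund.genes@example.com>'
    m["To"] = "darren@example.com"
    m["Subject"] = "Updated org chart"
    m.set_content("Darren, please review the attached org chart.")
    if spoofed:
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename="Org_Chart.pdf.exe")
    else:
        m.add_attachment(b"%PDF-placeholder", maintype="application",
                         subtype="pdf", filename="Org_Chart.pdf")
    return m.as_bytes()


def domain_of(header_value: str) -> str:
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    # The visible sender and the bounce address come from different domains:
    # typical of a forged From header.
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"from_returnpath_mismatch:{from_dom}!={rp_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        root, ext = os.path.splitext(name)
        if ext in RISKY_EXT:
            findings.append(f"executable_attachment:{name}")
        if os.path.splitext(root)[1]:  # "org_chart.pdf.exe" -> inner ".pdf"
            findings.append(f"double_extension:{name}")
    return findings


if __name__ == "__main__":
    print("spoofed:", analyze(build_sample(spoofed=True)))
    print("clean:  ", analyze(build_sample(spoofed=False)))
```

Return-Path is only a stand-in for the SMTP envelope sender; a production gateway would evaluate SPF/DKIM on the envelope and the signing domain, but the header comparison is enough to show why the display name alone proves nothing.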
Today's Infection Chain
[Diagram: actors are the Malware Writer, Criminals and the Bot Herder. Infection Vector: Email Spam, Web Drive By, Vulnerabilities, Port Scan. Infection: Downloader, Spyware/Trojan Downloader, Fool the AV, Get Updates from Management Host. Command & Control: Bot Controller, Wait for Instructions, over HTTP / IRC / DNS. Activities: Host Recruitment, Adware/Clickware, Dedicated Denial of Service, Spam & Phishing, Data Leakage. Result: Botnet.]

How to avoid that this happens to your organisation

Pattern Matching is baseline... and the bad guys know this...
So should we move to IPS and HIPS?

Because traditional Endpoint Security Can't Keep Up anymore
Signature file updates take too long
• Delay protection across all clients and servers
• Leave a critical security gap
• Require multiple updates a day to keep up with threats, complicating signature management
Signature files are becoming too big
• Increase endpoint memory footprint
• Increase impact on endpoint performance
• Increase bandwidth utilization
• Unpredictable increase of client size
[Chart: Unique threat samples PER HOUR, 2007 to 2015; plotted values 57, 205, 799, 1,484, 2,397, 3,881, 6,279, 10,160, 16,438, 26,598]

We need a layered approach, and we need a holistic view for IT Security!
And Pattern matching is still needed to properly identify malware and to clean up the damage

The Electric Grid - Today
[Diagram: Power Station, Local connection, National Transport System, User]
Advantages
1. No need for large investment
2. On Demand Instant Access
3. Pay as you go

A Distributed Electric Grid - Trend Micro today
[Diagram: Different Power Stations, Local connection, Solar Panel, International Transport System]

Could we patch fast enough?
Or do we need vulnerability shielding, accepting that Patch Management is tough!
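The "Aurora JS Code" slide earlier describes the heap spray that precedes the IE exploit, and the slide just above asks whether vulnerability shielding is needed when patching cannot keep up. Below is an added example of a content-inspection heuristic of the kind a gateway or IPS applies to script bodies for that purpose: it scores a script on shapes that heap-spray code has and ordinary pages rarely do. It is not Trend Micro code; the regular expressions, thresholds and the two sample scripts are constructed assumptions, and the "spray-like" sample contains no vulnerability trigger.

```python
"""Hypothetical heap-spray heuristic for script content passing a gateway.
Added example, not code from the slides; patterns, thresholds and samples are
constructed."""
import re

# A long run of %uXXXX escapes inside one string literal: the block that is
# later copied across the heap is usually built this way.
UNESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){16,}")
# A string appended to itself in a loop (x += x or x = x + x): sled growth.
SELF_DOUBLING = re.compile(r"(\w+)\s*(?:\+=\s*\1|=\s*\1\s*\+\s*\1)\b")
# A large array being allocated to hold many copies of the block.
LARGE_ARRAY = re.compile(r"new\s+Array\s*\(\s*(\d+)\s*\)")
LARGE_ARRAY_MIN = 100

# Constructed samples. The first has the three shapes of a spray and nothing
# else; the second is ordinary code that happens to use unescape and an array.
SPRAY_LIKE = (
    'var block = unescape("' + "%u0c0c" * 16 + '");\n'
    "while (block.length < 0x40000) { block += block; }\n"
    "var slots = new Array(200);\n"
    "for (var i = 0; i < slots.length; i++) { slots[i] = block.substring(0, 0x3fff0); }\n"
)
BENIGN = (
    'var s = unescape("%u00e9");\n'
    's += " caf" + s;\n'
    "var arr = new Array(1000);\n"
    "for (var i = 0; i < arr.length; i++) { arr[i] = i * 2; }\n"
)


def heap_spray_indicators(script: str) -> dict:
    """Return the indicators found in `script`, keyed by name."""
    found = {}
    m = UNESCAPE_RUN.search(script)
    if m:
        found["unescape_run_units"] = len(m.group(0)) // 6  # 6 chars per %uXXXX
    if SELF_DOUBLING.search(script):
        found["self_doubling_string"] = True
    m = LARGE_ARRAY.search(script)
    if m and int(m.group(1)) >= LARGE_ARRAY_MIN:
        found["large_array"] = int(m.group(1))
    return found


def is_suspicious(script: str, min_indicators: int = 2) -> bool:
    """Flag only when several independent indicators co-occur, so a single
    large array or a short unescape() on a normal page does not trigger."""
    return len(heap_spray_indicators(script)) >= min_indicators


if __name__ == "__main__":
    print("spray-like:", heap_spray_indicators(SPRAY_LIKE), is_suspicious(SPRAY_LIKE))
    print("benign:    ", heap_spray_indicators(BENIGN), is_suspicious(BENIGN))
```

Requiring two or more indicators is the design point: each pattern alone is common in legitimate code (the benign sample has a 1000-element array), and a shielding rule that blocks on one of them would break real pages. Such a rule is a stopgap that buys time for the patch, not a replacement for it.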
No matter what we do, Smart Protection Network is the key component!
[Diagram: Smart Protection Network. Community Intelligence (Feedback loop); Email Reputation, Web Reputation, File Reputation; Threat Analytics / Correlation over File, URL, Email, Domain and IP info; Behavior Monitor, Web Validation, Incident Trigger; Customer Network; Smart Protection Solutions; Professional Services; In-the-Cloud platform]

We at Trend Micro are not worried about Cybercriminals and their ways to make money! Cause we have prepared ourselves for this!
• 2005: Email Reputation Services
• 2006: Web Reputation Services
• 2008: File Reputation Services

So why are we so different – Why do we protect well against real life malware?
ERS load = 295 GB per day
WRS load = 1305 GB per day
FRS load = 334 GB per day

Smart Protection Network Key benefits
• Patent-pending correlation technology analyzes all threat vectors – email, web, file
• Threats are blocked before they can infiltrate the network or computer
• Blocks threats at their source – the Internet
• We own all the technology
• Available in all solutions – Consumer, SMB, Enterprise, Partner, SaaS
• Protects you wherever you connect, at work, at home or on the road
• Powers our SaaS, Gateway, Messaging, Endpoint, Mobile & Partner solutions
• Reduces the need for local signatures
• Local Scan Server improves time to protect
• Immediate Protection
• Trend Micro manages updates
• Reduces complexity
Threat Management Solution Assessment
• 100% of companies had malware
• 56% of companies had at least 1 information stealing malware
• 72% of companies had at least 1 IRC bot
• 80% of companies had malicious Web downloads
• 30% of companies had at least 1 network worm
• Technology used to detect Threats
  – 99% using Smart Protection Network
  – 1% using traditional scanning engines