Cyber Security: Threats and Challenges

R. Sekar, [email protected]
Secure Systems Laboratory

Slide 2: Alarming Trends in Cyber Attacks
- Large increases in cybersecurity spending
  - Factor of 10+ increase in the past ten years
- Yet, security incidents continue to sky-rocket
  - Incidents reported by the CERT Coordination Center increased by a factor of 120 in the past decade
  - 97% of participants in the 2003 FBI/CSI survey reported attacks
- Malicious attacks cost companies tens of billions to clean up [Computer Economics, Trend Micro]
- Many small/medium businesses are victims of cyber extortion
  - 17% of companies surveyed by CMU and Information Week

Slide 3: Evolution of Threats
- World War II and earlier
  - Break secret messages during transmission
  - Primarily the domain of nation states
  - Modern cryptography has all but eliminated this threat
- Modern era
  - Focus shifts from altering messages to breaking the end-systems that store and process these messages

Slide 4: Evolution of Modern Threats
- First generation
  - Break into high-value systems (e.g., banks) through proprietary networks
  - Criminal elements as well as rogue nations
- Second generation
  - Malware that spreads due to information sharing
  - Viruses and worms
  - Perpetrated by hackers as a "hobby"
- Third generation
  - Malware that spreads via the Internet
  - E-mail viruses and Internet worms
  - Still, no evidence of organized or criminal elements

Slide 5: Traditional Threats - Examples
- 1989
  - Hackers in West Germany broke into US government and corporate computers and sold operating system source code to the Soviet KGB
- 1994
  - Russian crackers siphoned $10 million from Citibank and transferred the money to bank accounts around the world

Slide 6: Current Threats (Fourth Generation)
- Steal confidential information
  - Credit-card/bank account numbers, passwords, ...
  - Trade secrets and other proprietary information
  - Security-sensitive information
    - Useful for breaching physical-world security
- Establish a base for future operations
  - Conduit for future attacks
- Surveillance
  - Capture keystrokes, microphone or camera input
  - Reveal information about installed software
  - Snoop on web sites visited

Slide 7: Current Threats (Continued)
- Driven by commercialization of malware
  - Thriving black market for exploits
  - Zero-day exploits have arrived
- "Bot"-centric model for cyber crime
  - Relay spam (e-mail scams, phishing)
  - Extortion (using DDoS or targeted attacks)
  - Focus on desktop (rather than server) vulnerabilities
- Profit-driven adware and spyware
  - Customer profiling, niche marketing
  - IP protection (digital rights management)
  - Aggressive installation, stealth (rootkits, spyware)

Slide 8: Current Threats (Continued)
- Specialization and commoditization
  - Exploit tools and techniques
    - Compromise
    - Payload
  - Targeting information
  - Botnet management and leasing
  - Brokers
  - Employment of botnets
  - Cash-out
    - The step that most closely relates to things outside the cyber world

Slide 9: Modern Threats: Enablers
- High connectivity
  - Home users with always-on broadband connectivity
  - Increasing adoption of the Net in day-to-day activities
- Software homogeneity
  - Find a single bug, own millions of computers!
- Inherent complexity of modern software
  - Short-term thinking by vendors
  - "Feature obsession" and cost-cutting
  - Shoddy software quality + code bloat
  - Result: security bugs are all over the place and easy to find!
- Lack of user awareness
  - Find millions of trusting users and own their computers!
- Lack of traceability and attribution
  - Conduct your attack and disappear!

Slide 10: Modern Threats: A Glance
- Viruses
- Worms
- DDoS and botnets
- Spyware
- Spam
- Phishing
- Online extortion

Slide 11: Computer Virus
- Properties
  - Replicates itself
  - Attaches to other, non-malicious code
- Examples
  - Boot sector virus (difficult on an OS with memory protection)
  - Other OS-level viruses
  - Virus that attaches to programs, scripts, libraries
  - Macro virus
  - Mail attachments / active web content

Slide 12: Well-Known Computer Viruses
- 1982, Elk Cloner
  - First virus in the wild
  - Targeting the Apple II
- 1986, (c)Brain
  - First virus for the IBM PC
  - A boot sector virus
- 1995, Concept virus
  - First macro virus
- 1998, CIH
  - One of the most harmful widely circulated viruses
  - Overwrites both hard disks (data loss) and the Flash BIOS (hardware damage)

Slide 13: Macro Virus
- Written in a macro language.
- Macros can perform any operation that the host software can do.
- To date, only Microsoft Office products are vulnerable to this kind of virus.
- Simple solution: turning off the macro feature

Slide 14: CIH Virus
- Spreads via Portable Executable files under Windows 95/98/Me.
- Damages:
  - Overwriting the first 1024KB of the hard drive with zeroes -> loss of data on the entire hard drive
  - Overwriting the Flash BIOS with junk code -> computers cannot boot any more
- Activated in the public eye on April 26, 1999
- An untold number of computers worldwide were affected, many in Asia

Slide 15: Melissa
- Found on March 26, 1999
- Targeting Microsoft Word and Outlook-based systems, and creating considerable network traffic
- Shut down many internal mail systems
  - They got clogged with infected e-mails propagating from the worm
- Inside a file called "List.DOC"
- Spread on Microsoft Word 97 and Word 2000.
- Can mass-mail itself from the e-mail client Microsoft Outlook 97 or Outlook 98.
- Attempts to mass-mail itself once an infected Word document is opened.

Slide 16: ILOVEYOU
- First appeared on May 3, 2000
- Caused widespread e-mail outages and an estimated $10 billion in economic damage
- Written in VBScript
- E-mail
  - Subject: "ILOVEYOU"
  - Attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs"
- Overwrote important files with a copy of itself
- Sent itself out to everyone in a user's contact list

Slide 17: Computer Worm
- Replicates over the network (usually by itself)
- First worm appeared at Xerox PARC in 1978
- What can a worm do?
  - Replicates itself, and thus consumes network bandwidth
  - Deletes files on a host system
  - Sends documents via e-mail
  - Carries other executables as a payload
  - Installs a backdoor in an infected computer (zombie computer)
- Modern worms
  - Large-scale infection
  - Fast spread rate
    - Spread over the Internet within a second

Slide 18: Timeline of Notable Worms (1)
- Nov 1988, Morris worm
  - First well-known worm
- March 1999, Melissa (e-mail worm)
  - Targeting Microsoft Word and Outlook-based systems
- May 2000, VBS/Loveletter or ILOVEYOU (e-mail worm)
  - Caused an estimated $10 billion in economic damage
- July 2001, Code Red (exploited IIS bugs)
  - Considerably slowed down Internet traffic
- Jan 2003, SQL Slammer (exploited MS SQL Server bugs)
  - Very fast: infected most of its 75,000 victims within ten minutes
  - Amazingly small, only 376 bytes

Slide 19: Timeline of Notable Worms (2)
- Aug 2003, Blaster, Welchia (Nachi), SoBig
  - Blaster (exploited DCOM RPC bugs)
    - Coded to start a SYN flood on Aug 15 against windowsupdate.com
  - Welchia (Nachi)
    - A goodwill worm to remove Blaster and patch Windows
  - SoBig (e-mail worm)
    - Infected millions of Windows computers in Aug 2003
    - Microsoft offered $250,000 for information on the worm's creator
- Apr 2004, Sasser (exploited LSASS bugs)
  - Affected:

Slide 20: Code Red
- Released on July 13, 2001
- Considerably slowed down Internet traffic
- Details:
  - Attacked computers running Microsoft's IIS web server
  - Defaced the affected web site
  - Tried to spread itself by looking for more IIS servers on the Internet
  - Waited 20-27 days after it was installed to launch DoS attacks on several fixed IP addresses, including the White House
  - Exploited a buffer overflow vulnerability in IIS; used illegal GET requests to trigger the vulnerability

Slide 21: Slammer
- January 2003
- Caused DoS on some Internet hosts and dramatically slowed down general Internet traffic
- Fast
  - Infected most of its 75,000 victims within ten minutes
- A buffer-overflow-based attack targeting Microsoft SQL Server
- Amazingly small, only 376 bytes
- Generates random IP addresses and sends itself out to those addresses.
  - If the selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
- Only stays in memory.

Slide 22: Blaster
- Spread during August 2003 (first noticed on August 11, peaked on August 13)
- Programmed to start a SYN flood on August 15 against port 80 of windowsupdate.com
- Exploited a buffer overflow in the DCOM RPC service on the affected Windows operating systems

Slide 23: Welchia (Nachi)
- Welchia (Nachi), a worm that tries to remove the Blaster worm and patch Windows
- Discovered on August 18, 2003
- Not good
  - Creates a vast amount of network traffic, thereby slowing down the Internet
  - Makes the system unstable (e.g.

Slide 24: SoBig
- Consequences:
  - Infected millions of Microsoft Windows computers in August 2003
  - Microsoft offered $250,000 for information on the worm's creator
- Details:
  - Appears as an e-mail with one of the following subjects:
    - Re: Approved, Re: Details, Re: Thank you, ...
  - Contains the text "See the attached file for details" or the like
  - Contains an attachment by one of the following names:
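The Melissa, ILOVEYOU and SoBig slides describe e-mail worms by the lures they used: a fixed subject line, a stock body phrase, and an attachment that is either a macro-bearing Word file or a script hidden behind a double extension. The following mail-triage rule scores those indicators on a message before it reaches a mailbox. It is an added example, not code from the slides or from the Secure Systems Laboratory; the subjects, the body phrase and the "LOVE-LETTER-FOR-YOU.TXT.vbs" name come from the slides, while the extension lists, the point values, the quarantine threshold and all sample messages (including the SoBig-style attachment name, which the slides truncate) are constructed assumptions.

```python
"""Heuristic triage of e-mail worm indicators (added example, assumptions labelled)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Indicators taken from the slides: ILOVEYOU used the subject "ILOVEYOU" and the
# attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"; SoBig used subjects such as "Re: Approved"
# and the body text "See the attached file for details"; Melissa travelled inside a
# Word document ("List.DOC") carrying a macro.
KNOWN_SUBJECTS = {"iloveyou", "re: approved", "re: details", "re: thank you"}
KNOWN_BODY_PHRASES = ("see the attached file for details",)
# Assumption: extensions a mail gateway should treat as executable content.
SCRIPT_EXTENSIONS = {"vbs", "js", "exe", "scr", "pif", "bat", "com"}
# Assumption: macro-capable Office types worth a warning even when not blocked.
MACRO_EXTENSIONS = {"doc", "dot", "xls", "xlt"}


@dataclass
class Message:
    subject: str
    body: str
    attachments: list[str]


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def extensions(filename: str) -> list[str]:
    """Every extension of a file name, e.g. 'A.TXT.vbs' -> ['txt', 'vbs']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage(msg: Message) -> Verdict:
    """Score the worm indicators present in one message (weights are assumptions)."""
    v = Verdict()
    if msg.subject.strip().lower() in KNOWN_SUBJECTS:
        v.add(3, f"subject matches a known worm lure: {msg.subject!r}")
    body = msg.body.lower()
    for phrase in KNOWN_BODY_PHRASES:
        if phrase in body:
            v.add(2, f"body contains known lure text: {phrase!r}")
    for name in msg.attachments:
        exts = extensions(name)
        if not exts:
            continue
        last = exts[-1]
        if last in SCRIPT_EXTENSIONS:
            v.add(4, f"executable/script attachment: {name}")
            if len(exts) >= 2:
                # "TXT.vbs": an inner extension hides the real type from the user.
                v.add(3, f"double extension disguises attachment: {name}")
        if last in MACRO_EXTENSIONS:
            v.add(1, f"macro-capable document attached: {name}")
    return v


def classify(msg: Message, quarantine_at: int = 4) -> tuple[str, Verdict]:
    """Return ('quarantine' | 'deliver', verdict); threshold is an assumption."""
    v = triage(msg)
    return ("quarantine" if v.score >= quarantine_at else "deliver", v)


# Constructed sample messages modelled on the slides (bodies and the SoBig-style
# attachment name are made up; the slides do not give them).
SAMPLES = {
    "iloveyou": Message("ILOVEYOU", "", ["LOVE-LETTER-FOR-YOU.TXT.vbs"]),
    "sobig": Message("Re: Approved", "See the attached file for details.", ["details.pif"]),
    "melissa": Message("Project update", "", ["List.DOC"]),
    "benign": Message("Lunch?", "Noon at the usual place?", ["menu.pdf"]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        action, verdict = classify(msg)
        print(f"{label:9s} {action:10s} score={verdict.score:2d} {verdict.reasons}")
```

The macro-document rule deliberately scores low: a bare .DOC attachment is ordinary business traffic, so the rule only adds weight when it coincides with other indicators, which matches the slide's own mitigation of turning macros off rather than blocking Word files.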
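The Code Red and Slammer slides describe two network-visible behaviours: overlong "illegal GET requests" against IIS, and a single 376-byte UDP datagram sprayed at random addresses to reach unpatched SQL Server hosts. The detector below applies both patterns to constructed flow records and web-server log lines, from the monitoring side. It is an added example rather than code from the slides; the 376-byte size is from the slides, whereas the SQL Server resolution port (UDP 1434, a known value not stated on the slides), the fan-out, request-line and repeated-byte thresholds, and every flow and log line are assumptions or constructed data (the real Code Red request is not reproduced).

```python
"""Network-side worm indicators from the Code Red and Slammer slides (added example)."""
import re
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434   # assumption: MS SQL Server resolution service, UDP (not on slides)
SLAMMER_PAYLOAD_LEN = 376    # from the slides: the whole worm is 376 bytes
SCAN_FANOUT = 5              # assumption: distinct targets from one source before calling it a scan
MAX_REQUEST_LINE = 256       # assumption: longer GET request lines are treated as overflow attempts
MAX_REPEAT_RUN = 128         # assumption: a run of one byte this long is filler, not a real URI

# Constructed flow records: (proto, src, dst, dport, payload_len). 10.0.0.7 sprays
# 376-byte datagrams at eight different hosts; 10.0.0.12 sends a single one.
FLOWS = [("udp", "10.0.0.7", f"192.0.2.{i}", SQL_RESOLUTION_PORT, 376) for i in range(1, 9)] + [
    ("udp", "10.0.0.9", "192.0.2.50", 53, 61),
    ("tcp", "10.0.0.9", "192.0.2.51", 1433, 1200),
    ("udp", "10.0.0.12", "192.0.2.52", SQL_RESOLUTION_PORT, 376),
]

# Constructed web-server log lines in Common Log Format; the second carries a
# made-up 300-byte query of repeated 'N's standing in for an overflow attempt.
LOGS = [
    '203.0.113.5 - - [19/Jul/2001:10:02:11 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.9 - - [19/Jul/2001:10:02:15 -0400] "GET /example.dll?' + "N" * 300 + ' HTTP/1.0" 200 0',
    '203.0.113.5 - - [19/Jul/2001:10:02:19 -0400] "GET /favicon.ico HTTP/1.0" 404 0',
]


def slammer_like(flows):
    """Flows matching Slammer's shape: one UDP datagram of exactly 376 bytes to the SQL port."""
    return [f for f in flows
            if f[0] == "udp" and f[3] == SQL_RESOLUTION_PORT and f[4] == SLAMMER_PAYLOAD_LEN]


def scanning_sources(flows, fanout=SCAN_FANOUT):
    """Sources that hit many distinct destinations on one (proto, port): the random-IP spray."""
    targets = defaultdict(set)
    for proto, src, dst, dport, _ in flows:
        targets[(src, proto, dport)].add(dst)
    return {src for (src, _, _), dsts in targets.items() if len(dsts) >= fanout}


CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
REPEAT = re.compile(r"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1))


def overlong_gets(log_lines):
    """GET requests whose request line is abnormally long or padded with one repeated byte."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue                      # not a well-formed CLF record; skip rather than guess
        client, when, request, _status = m.groups()
        parts = request.split(" ")
        if len(parts) != 3 or parts[0] != "GET":
            continue
        reasons = []
        if len(request) > MAX_REQUEST_LINE:
            reasons.append(f"request line is {len(request)} bytes")
        if REPEAT.search(parts[1]):
            reasons.append("long run of one repeated byte in the URI")
        if reasons:
            hits.append((client, when, reasons))
    return hits


if __name__ == "__main__":
    print("Slammer-shaped datagrams:", len(slammer_like(FLOWS)))
    print("scanning sources:", sorted(scanning_sources(FLOWS)))
    for client, when, reasons in overlong_gets(LOGS):
        print(f"{client} [{when}] {'; '.join(reasons)}")
```

Two of the checks matter together: a single 376-byte datagram to port 1434 can be a legitimate client lookup, but the same source sending it to five or more different hosts is the slide's "generate random IP addresses and send itself out" behaviour, so an alert should fire on the fan-out, with the payload size as corroboration.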
