The Exploit Intelligence Project

Dan Guido
SOURCE Boston, 04/20/2011

https://www.isecpartners.com
Intro and Agenda
• I work for iSEC Partners
  ◦ NYC, Seattle, SF – specialize in Application Security
  ◦ I don’t have a product to sell you

• Today, I’m going to be sharing data and my analysis of attacker capabilities and methods
  ◦ An informed defense is more effective and less costly

• EIP shows that intelligence-driven, threat-focused approaches to security are practical and effective
WARNING!

The commentary is really important for this talk.

If you’re a reporter, please contact me and I’ll be happy to provide that commentary for any section you’re interested in:

dguido@isecpartners.com
We Have An Analysis Problem
Or, you’re counting the wrong beans!
Let’s Talk About Vulnerabilities

*IBM X-Force 2010 Trend and Risk Report
How many vulnerabilities did you have to pay attention to in 2010?
since 2006
Vulnerability Origin

*Secunia Yearly Report 2010
Affected Vendors (2010)
[Pie chart: Oracle, Adobe, Microsoft, Apple; segment values shown 1, 2, 5, 5]
Wheel of Vulnerability Fortune

*Secunia: The Security Exposure of Software Portfolios
Where or how were massively exploited vulnerabilities first discovered in 2010?
[Bar chart, counts 0–6 per category: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Discovered by Malware]
Google Chrome is Insecure!

*Bit9 Research Report: Top Vulnerable Apps – 2010
How many vulnerabilities were massively exploited in Google Chrome in 2010?
Are we doing something wrong?
Yes, you’re doing it backwards!
We Have to Start at Attacks
[Diagram: three numbered steps, 1. → 2. → 3.]

• Where do bad guys get their info from?
• How do bad guys view the new vulns that come out?
• How effective are my defenses against this attacker?
Maslow’s Internet Threat Hierarchy

  # of Attacks    Data Lost
  APT             IP
  Targeted        $$$
  Mass Malware    Banking Credentials
Mass Malware
How does it work?
Kill Chain Model
• Systematic model for evaluating intrusions
  ◦ Helps us objectively evaluate attacker capabilities
  ◦ Align defense to specific processes an attacker takes

• Typically used as a model to defend against APT
  ◦ Evolves beyond response at point of compromise
  ◦ Assumes unfixable vulnerabilities

• First described by Mike Cloppert
Recon
Weaponization
  5-20 exploits, $200-$2000
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives
Leads to Cyber Pompeii
Process Overview

  Recon      Millions of Infected Sites
  Weaponize  Thousands of Vulnerabilities
  Delivery   Thousands of IPs
  Exploit    <100 Exploits
  Install    Millions of Malware Samples
  C2         Thousands of IPs
  Actions    N/A

Existing defenses attack the most robust aspects of mass malware operations.
The Exploit stage is the last point at which you have control of your data.
Going on the Offensive
Exploit Kit Popularity (2011)

*ThreatGRID Data
Exploit Kit Popularity
• AVG Threat Labs
• Malware Domain List
• Krebs on Security
• Malware Intelligence
• Contagio Dump
• Malware Tracker
• M86 Security
• …

Data Sources
• Blackhole
• Bleeding Life
• CrimePack
  ◦ 3.1.3, 3.0, 2.2.8, 2.2.1
• Eleonore
  ◦ 1.6, 1.4.4, 1.4.1, 1.3.2
• Fragus
• JustExploit
• Liberty
  ◦ 2.1.0, 1.0.7
• LuckySploit
• Phoenix
  ◦ 2.5, 2.4, 2.3, 2.2, 2.1, 2.0
• SEO Sploit pack
• Siberia
• Unique Pack
• WebAttacker
• YES
• Zombie
Data Processing

• Decode
  ◦ Jsunpack
    ▪ Generic JS Unpacker
  ◦ Decodeby.us
    ▪ PHP De-obfuscation

• Detect
  ◦ YARA Project
    ▪ Generic scanning engine

• Relate
  ◦ SHODAN HQ
    ▪ Python API for ExploitDB, MSF, CVE

• Live Testing
  ◦ VMware
  ◦ Windows XP/7

Note: All free tools except VMware/Windows
Jsunpack/YARA Rules
rule IEStyle
{
    meta:
      ref = "CVE-2009-3672"
      hide = true
      impact = 8
    strings:
      $trigger1 = "getElementsByTagName" nocase fullword
      $trigger2 = "style" nocase fullword
      $trigger3 = "outerhtml" nocase fullword
    condition:
      all of them
}
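To show what the rule above actually decides when it is run over unpacked kit output, here is an added example (not from the talk or from the Jsunpack project) that reimplements the rule's matching semantics in plain Python rather than through the yara library: each string is tested with the `nocase` and `fullword` modifiers the rule uses, and the `all of them` condition only fires when every trigger is present. The three JavaScript samples are constructed for the example; the "benign" one shares a token with the rule to show why `fullword` matters.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Pattern:
    """One YARA-style text string with the two modifiers the IEStyle rule uses."""
    ident: str
    text: str
    nocase: bool = False
    fullword: bool = False

    def compiled(self) -> "re.Pattern[str]":
        body = re.escape(self.text)
        if self.fullword:
            # YARA fullword: the match must not be preceded or followed by an
            # alphanumeric character, so "style" does not match inside "styles".
            body = r"(?<![A-Za-z0-9])" + body + r"(?![A-Za-z0-9])"
        return re.compile(body, re.IGNORECASE if self.nocase else 0)


@dataclass
class Rule:
    name: str
    meta: Dict[str, object]
    strings: List[Pattern]
    condition: str = "all of them"

    def scan(self, data: str) -> Dict[str, object]:
        """Return which strings matched (with offsets) and whether the condition fired."""
        offsets = {p.ident: [m.start() for m in p.compiled().finditer(data)]
                   for p in self.strings}
        matched = [ident for ident, offs in offsets.items() if offs]
        if self.condition == "all of them":
            fired = len(matched) == len(self.strings)
        elif self.condition == "any of them":
            fired = bool(matched)
        else:
            raise ValueError(f"unsupported condition: {self.condition}")
        return {"rule": self.name, "fired": fired, "matched": matched,
                "offsets": offsets, "meta": self.meta}


# The IEStyle rule from the slide, expressed in the structures above.
IE_STYLE = Rule(
    name="IEStyle",
    meta={"ref": "CVE-2009-3672", "hide": True, "impact": 8},
    strings=[
        Pattern("$trigger1", "getElementsByTagName", nocase=True, fullword=True),
        Pattern("$trigger2", "style", nocase=True, fullword=True),
        Pattern("$trigger3", "outerhtml", nocase=True, fullword=True),
    ],
)

# Constructed decoded-JavaScript samples (not real kit output): one carrying all three
# triggers, one ordinary page that shares a token, and one that only partially matches.
SAMPLES = {
    "unpacked_a": 'var o = document.getElementsByTagName("STYLE")[0];\nvar h = o.outerHTML;',
    "benign_b": 'var d = document.getElementsByTagName("div");\nd[0].styles = {};\nd[0].innerHTML = "";',
    "partial_c": 'el.outerHTML = src;\nvar s = document.getelementsbytagname("link");\n// stylesheet',
}


def scan_samples(rules=(IE_STYLE,), samples=SAMPLES):
    """Run every rule over every sample; returns {sample_name: [scan result per rule]}."""
    return {name: [r.scan(text) for r in rules] for name, text in samples.items()}


def hits(rules=(IE_STYLE,), samples=SAMPLES):
    """Names of the samples on which at least one rule fired."""
    return [name for name, results in scan_samples(rules, samples).items()
            if any(r["fired"] for r in results)]


if __name__ == "__main__":
    for name, results in scan_samples().items():
        for r in results:
            print(f"{name:<12} {r['rule']:<8} fired={r['fired']!s:<5} matched={r['matched']}")
```

Only `unpacked_a` fires; `benign_b` matches `$trigger1` alone and `partial_c` matches two of three, which is the behaviour you want from a triage rule that is meant to point an analyst at a specific CVE rather than at every page that touches the DOM.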
Jsunpack vs Eleonore 1.4.1
vuln_search.py
• CVE
  ◦ Name
  ◦ ID
• Exploit DB
  ◦ Author
  ◦ Date
  ◦ ID
  ◦ Name
• Metasploit
  ◦ Authors
  ◦ Description
  ◦ ID
  ◦ Name
  ◦ Rank
• References
  ◦ Vendor URLs (ex. MSB)
  ◦ ZDI
  ◦ Other Notable URLs

Powered by:
Sample Results: CVE-2010-1818
• Exploit DB
  ◦ 08/30/2010
  ◦ Ruben Santamarta
  ◦ Apple QuickTime "_Marshaled_pUnk" Backdoor
  ◦ 14843
• Metasploit
  ◦ Ruben Santamarta, jduck
  ◦ Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
  ◦ “… exploits a memory trust issue in Quicktime…”
  ◦ exploit/windows/browser/apple_quicktime_marshaled_punk
  ◦ Rank: Great
• Refs
  ◦ http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1
  ◦ OSVDB-67705
Recap

Mapping of Exploit Kits -> CVEs + Metadata
Targeting Trends
Java from 2008 to Present
Targeting Trends
• Java, Round One
  ◦ 12-08 – Prominent researcher finds CVE-2008-5353
  ◦ 08-09 – Wins a Pwnie (researcher interest runs high)
  ◦ 08-09 – ZDI submissions start trickling out
  ◦ 11-09 – 1 kit incorporates CVE-2008-5353
Java, Round Two
• 11-09 – ZDI publishes 2nd batch of Java vulns
  ◦ CVE-2009-3867

• 01-10 – Three kits integrate 1st and 2nd vulns
  ◦ CVE-2008-5353 and CVE-2009-3867

• 04-10 – 3rd batch of researcher disclosures
  ◦ CVE-2010-0886, CVE-2010-0840, CVE-2010-0842

• Back and forth between researchers/malware keeps interest in Java running high

From April 2010 onwards, new Java exploits are added to almost all popular exploit kits
Java Today
• Popularity
  ◦ 11 out of 15 kits include at least one Java exploit (73%)
  ◦ 7 out of 15 kits include more than one (46%)

• Where did this trend come from?
  ◦ Who followed who? The malware or research community?
  ◦ Why can we even compare these two groups together?

• What is next?
  ◦ Java and Flash will continue to be a pain point
  ◦ Quickest path to install malware in IE and Firefox
The New Trend: more exploits are being rapidly repurposed from targeted attack campaigns in 2010-2011
[Bar chart, counts 0–6 per category: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Silent Patch]
Capabilities Assessment
If we only had a time machine
Optimized Defense
• Jan 1, 2009 – what can we put in place to mitigate all exploits for the next two years?
  ◦ Restrictions: no patching allowed

• 2009 recap
  ◦ Internet Explorer 7, Firefox 3.0
  ◦ Adobe Reader 9
  ◦ Java, Quicktime, Flash, Office 2007
  ◦ Windows XP SP3

• Dataset represents 27 exploits
Slice and Dice

  Memory Corruption (19)    Logic (8)

Partition exploits based on mitigation options
19 Memory Corruption Exploits
• 5 unique targets
  ◦ IE, Flash, Reader, Java, Firefox, Opera

• Do I have my sysadmins adhere to patch schedules or have them test and enable DEP in four applications?
  ◦ Patch schedules: Monthly, Quarterly, Ad-hoc
  ◦ Two years: 60+ patches in these apps

• I choose Data Execution Prevention (DEP)
  ◦ Good choice! It mitigates 14 exploits.
8 Logic Flaws
• 4 unique targets
  ◦ Java, Reader, IE, Firefox, FoxIt

• Do we have a business case to justify getting repeatedly compromised by mass malware?
  ◦ No? Remove Java from the Internet Zone in IE
  ◦ Configure Reader to prompt on JS execution
  ◦ “Disallow opening of non-PDF file attachments”

• This leaves two exploits, one in IE and one in FF
Most Severe Exploits 2009-2010

  IE              Help Center XSS
  Firefox         SessionStore
  Reader          libTIFF
  Reader          CoolType SING
  Flash (IE)      newfunction
  Quicktime (IE)  _Marshaled_pUnk
  Java            getSoundBank
Enhanced Mitigation Experience Toolkit
• Microsoft utility that adds obstacles to exploitation
  ◦ On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter
  ◦ Distributed as an MSI, controlled via CLI or Registry

• Apply it to one application at a time
  ◦ Harden legacy applications
  ◦ Temporary protections against known zero-day
  ◦ Permanent protections against highly targeted apps

• http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-03-78/Users-Guide.pdf
Most Severe Exploits 2009-2010

  IE        Help Center XSS
  Firefox   SessionStore

The Firefox exploit is only in one kit. We can make an informed decision about the amount of risk we are assuming.
Intelligence-Driven Mitigations
• Easy mitigations (22 out of 27 exploits)
  ◦ DEP on IE, Firefox, and Reader
  ◦ No Java in the Internet Zone
  ◦ Disallow opening of non-PDF file attachments

• Hard mitigations (all the rest)
  ◦ EMET on IE and Reader, the two most attacked apps
  ◦ Upgrade to IE8 for that pesky Help Center XSS
  ◦ Disallow Firefox, patch it, or accept the risk

• Extremely limited susceptibility going forward
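The capabilities assessment above (partition by memory corruption vs. logic flaw, apply the cheap mitigations first, then decide what to do about the residue) is a calculation you can run on whatever exploit data you collect. The following is an added example, not code from the talk or from iSEC Partners, over a constructed set of ten exploits with made-up identifiers and kit counts (not the talk's 27-exploit dataset). Each mitigation is a predicate over an exploit's attributes; the plan is applied in the talk's order, easy tier first, and every step reports only the exploits it newly covers, so the residual list at the end is what you are left to make an informed risk decision about.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Exploit:
    ident: str               # constructed label, not a real CVE
    app: str                 # application the exploit targets
    kind: str                # "memory" (memory corruption) or "logic"
    kits: int                # how many exploit kits carry it (constructed)
    dep_bypass: bool = False  # memory-corruption exploit that already defeats DEP
    vector: str = ""          # for logic flaws: the feature the exploit abuses


# Constructed dataset; attributes are illustrative, not measured.
EXPLOITS: List[Exploit] = [
    Exploit("MC-01", "IE", "memory", kits=9),
    Exploit("MC-02", "IE", "memory", kits=4, dep_bypass=True),
    Exploit("MC-03", "Reader", "memory", kits=11),
    Exploit("MC-04", "Reader", "memory", kits=3, dep_bypass=True),
    Exploit("MC-05", "Firefox", "memory", kits=2),
    Exploit("LG-01", "Java", "logic", kits=10, vector="java_internet_zone"),
    Exploit("LG-02", "Java", "logic", kits=6, vector="java_internet_zone"),
    Exploit("LG-03", "Reader", "logic", kits=5, vector="reader_attachment"),
    Exploit("LG-04", "IE", "logic", kits=4, vector="ie_helpcenter"),
    Exploit("LG-05", "Firefox", "logic", kits=1, vector="ff_sessionstore"),
]

Predicate = Callable[[Exploit], bool]
DEP_APPS = {"IE", "Firefox", "Reader"}

# Mitigation plan in the talk's order: the easy tier, then the hard tier.
PLAN: List[Tuple[str, str, Predicate]] = [
    ("easy", "DEP on IE, Firefox, Reader",
     lambda e: e.kind == "memory" and e.app in DEP_APPS and not e.dep_bypass),
    ("easy", "No Java in the Internet Zone",
     lambda e: e.vector == "java_internet_zone"),
    ("easy", "Reader: disallow non-PDF attachments",
     lambda e: e.vector == "reader_attachment"),
    ("hard", "EMET on IE and Reader",
     lambda e: e.kind == "memory" and e.app in {"IE", "Reader"}),
]


def apply_plan(exploits: List[Exploit], plan):
    """Walk the plan in order. Each step records only the exploits it newly mitigates;
    what survives every step is returned as the residual, most-carried first."""
    remaining = list(exploits)
    steps = []
    for tier, name, covers in plan:
        newly = [e.ident for e in remaining if covers(e)]
        remaining = [e for e in remaining if e.ident not in newly]
        steps.append((tier, name, newly))
    residual = sorted(remaining, key=lambda e: e.kits, reverse=True)
    return steps, residual


def tier_coverage(exploits: List[Exploit], plan, tier: str) -> int:
    """Number of exploits first mitigated by steps of the given tier."""
    steps, _ = apply_plan(exploits, plan)
    return sum(len(newly) for t, _, newly in steps if t == tier)


if __name__ == "__main__":
    steps, residual = apply_plan(EXPLOITS, PLAN)
    for tier, name, newly in steps:
        print(f"[{tier}] {name}: mitigates {len(newly)} -> {newly}")
    print(f"easy tier covers {tier_coverage(EXPLOITS, PLAN, 'easy')} of {len(EXPLOITS)}")
    for e in residual:
        print(f"residual: {e.ident} ({e.app}), carried by {e.kits} kit(s)")
```

On the constructed data the easy tier mitigates six of ten, EMET picks up the two DEP-bypassing memory corruption exploits, and two logic flaws remain, one in IE carried by four kits and one in Firefox carried by a single kit; the kit count on the residual is the number that turns "accept the risk" into a decision rather than a guess.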
Taking It Further
• Mass malware exploits are:
  1. Result of users browsing internet sites
  2. Shortest path to install malware w/ a single exploit

[Diagram: paths from Malicious HTML to Install SpyEye]
  Malicious HTML → Google Chrome → DEP Bypass → Sandbox Escape → Install SpyEye
  Malicious HTML → IE8 → DEP Bypass → Install SpyEye
  Malicious HTML → IE7, Plugins, Java, Flash, etc. → Install SpyEye

*DDZ – Memory Corruption, Exploitation and You
Google Chrome Frame

“X-UA-Compatible: chrome=1”
Google Chrome Frame
• Internet sites standardized around HTML/JS
  ◦ This is why you don’t need IE6 or IE7 at home

• For internet sites, add HTTP header w/ Bluecoat
  ◦ Browser is sandboxed
  ◦ Uses auto-updated Google version of Flash
  ◦ No other plugins are loaded

• Maintain whitelist of internet sites that need IE
  ◦ Typically, established vendor relationships

• All intranet websites will load with IE as usual
• Seamless to the user, mitigates all exploits in use
Maslow’s Internet Threat Hierarchy

  # of Attacks    Data Lost
  APT             IP
  Targeted        $$$
                  Banking Credentials

Now you’re ready to defend against more advanced attackers
Intelligence-Driven Conclusions
• Don’t wait to act with Flash and Java
• Pay attention to targeted attack disclosures in 2011

• Force malware authors to use multiple exploits
  ◦ Seriously consider Google Chrome Frame

• Are your consultants/MSSPs/scanners evaluating vulnerabilities the same way that attackers are?

• Intelligence-Driven Response
  ◦ Informed defense is more effective and less costly
  ◦ Threat-focused security is practical
  ◦ Attack data is necessary to adequately model your risk
Thanks
• Rcecoder, Mila Parkour, Francois Paget, Adam Meyers
  ◦ Exploit Pack Table on Contagio Dump & Exploit Kit Source

• Mike Cloppert and Dino Dai Zovi
  ◦ Inspiration, ideas, and encouragement

• Chris Clark
  ◦ Getting started with the research process at iSEC

• John Matherly
  ◦ Creating SHODAN and fixing my bugs

• Dean De Beer
  ◦ ThreatGRID data, screenshots, and background material
References and Q&A
• Updates with more data at SummerCon, 6/10

• Related Presentations (online)
  ◦ Memory Corruption, Exploitation, and You – DDZ
  ◦ Intelligence-Driven Response to APT – M. Cloppert
  ◦ Any Mandiant Presentation

• Related Presentations (at SOURCE)
  ◦ 2011 Verizon Data Breach Report, Hutton
  ◦ Fuel for Pwnage, Diaz and Mieres
  ◦ Dino Dai Zovi Keynote

• dguido@isecpartners.com
Appendix
Frequently Asked Question #1
• Q: What do you think about network detections?

• A: Apply the same analysis process (kill chain) to the adversary you care about and determine the major sources of overlap between intrusions. You may find better indicators than simply IP addresses.
  ◦ i.e., “Hey, all the malicious domains attacking me are registered with the same whois data.”
  ◦ or, “All the domains that compromise me have low TTL values in common.”
  ◦ See some of Mike Cloppert’s writings
  ◦ See ThreatGRID when it comes out
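The two examples in that answer (shared whois data, low TTLs) are pivots over attributes of domains already seen in intrusions. As an added illustration, not from the talk, here is a small Python pivot over a constructed set of four domain observations (RFC 5737 documentation addresses and `.example` names, invented registrant strings): it groups the domains by each attribute and ranks candidate indicators by how many of the observed intrusions each one would have matched, which is the comparison that shows a registrant or TTL pattern outscoring any single IP.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed observations: domains seen delivering malware, with WHOIS and DNS details.
OBSERVED: List[Dict[str, object]] = [
    {"domain": "cdn-a1.example", "ip": "203.0.113.10", "registrant": "reg-one@mail.example", "ttl": 60},
    {"domain": "stat-b2.example", "ip": "203.0.113.44", "registrant": "reg-one@mail.example", "ttl": 120},
    {"domain": "img-c3.example", "ip": "198.51.100.7", "registrant": "reg-one@mail.example", "ttl": 60},
    {"domain": "app-d4.example", "ip": "198.51.100.9", "registrant": "other@mail.example", "ttl": 86400},
]

LOW_TTL_SECONDS = 300  # assumed threshold for "low TTL"; tune to your own data


def pivot(records: List[Dict[str, object]], attribute: str) -> Dict[object, List[str]]:
    """Group domains by the value of one attribute (registrant, resolved IP, ...)."""
    groups: Dict[object, List[str]] = defaultdict(list)
    for r in records:
        groups[r[attribute]].append(str(r["domain"]))
    return dict(groups)


def low_ttl_domains(records: List[Dict[str, object]], threshold: int = LOW_TTL_SECONDS) -> List[str]:
    """Domains whose DNS TTL is below the threshold (fast-flux style behaviour)."""
    return [str(r["domain"]) for r in records if int(r["ttl"]) < threshold]


def rank_indicators(records: List[Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """Candidate indicators scored by how many observed intrusions each would have matched.
    Higher-level attributes (who registered the domain, how it behaves) can cover several
    intrusions where each IP address covers only one."""
    candidates: List[Tuple[str, str, int]] = []
    for attr in ("ip", "registrant"):
        for value, domains in pivot(records, attr).items():
            candidates.append((attr, str(value), len(domains)))
    candidates.append(("ttl", f"< {LOW_TTL_SECONDS}s", len(low_ttl_domains(records))))
    return sorted(candidates, key=lambda c: c[2], reverse=True)


if __name__ == "__main__":
    for attr, value, count in rank_indicators(OBSERVED):
        print(f"{count} intrusion(s) matched by {attr} = {value}")
```

On the constructed data the shared registrant and the low-TTL pattern each cover three of the four domains while every IP covers one, so those are the indicators worth promoting from this dataset; the same pivots scale to other fields you collect (name servers, registrar, ASN) without changing the ranking code.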
Frequently Asked Question #2
• Q: How can we keep up with this data? You did a point in time assessment, but I want this going forward.

• A: This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.
Frequently Asked Question #3
• Q: Aren’t you cheating by saying we should use EMET to mitigate past exploits?
• A:
  ◦ If we were smart enough to enable mitigations like DEP, we would have had a solid 1.5 years where we weren’t affected by mass malware memory corruption exploits at all, buying us a huge amount of time to investigate other mitigation techniques.
  ◦ The exploits that EMET was needed for came after the tool was released in Oct 2009. If you had someone performing this analysis, you could have observed the exploits that bypassed DEP and responded the same way I did. Intelligence gathering is not a static process; we have to continue collecting and responding to new information.
  ◦ There are more ways to use this intelligence. For instance, since we know that Flash and targeted attacks are so rapidly incorporated into mass exploitation campaigns, we would have known on April 11th that CVE-2011-0611 would be a significant issue. The patch came out on April 15th, but I doubt many orgs patched over the weekend or enabled other mitigating options before it was massively exploited on April 18th. With this data in hand, they would have realized the seriousness of the original event on the 11th.
Frequently Asked Question #4
• Q: Future analysis?
• A:
  ◦ How [exactly] do researcher disclosures correlate with massive exploitation?
  ◦ Is the number of bugs exploited as zero-day increasing? Why?
  ◦ Do researchers follow zero-day disclosure trends or vice-versa?
  ◦ Exactly how much exploit code is modified from public PoCs before being integrated into a kit?
  ◦ Expect new results some time in June
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
Β 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
Β 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
Β 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
Β 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
Β 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
Β 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
Β 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
Β 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
Β 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
Β 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
Β 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
Β 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsSource Conference
Β 

More from Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Β 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
Β 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
Β 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
Β 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Β 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
Β 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
Β 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
Β 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
Β 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Β 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Β 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
Β 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Β 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
Β 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
Β 
JSF Security
JSF SecurityJSF Security
JSF Security
Β 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
Β 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
Β 
Keynote
KeynoteKeynote
Keynote
Β 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet Blacklists
Β 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
Β 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
Β 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
Β 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
Β 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
Β 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
Β 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
Β 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
Β 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
Β 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
Β 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
Β 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
Β 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
Β 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
Β 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
Β 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
Β 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
Β 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
Β 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
Β 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
Β 

Recently uploaded (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
Β 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Β 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Β 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
Β 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Β 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Β 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Β 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Β 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Β 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Β 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Β 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Β 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Β 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Β 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
Β 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Β 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Β 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Β 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Β 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Β 

Dan Guido SOURCE Boston 2011

  • 1. The Exploit Intelligence Project. Dan Guido, SOURCE Boston, 04/20/2011. https://www.isecpartners.com
  • 2. Intro and Agenda
    - I work for iSEC Partners
      - NYC, Seattle, SF – specialize in Application Security
      - I don’t have a product to sell you
    - Today, I’m going to be sharing data and my analysis of attacker capabilities and methods
      - An informed defense is more effective and less costly
    - EIP shows that intelligence-driven, threat-focused approaches to security are practical and effective
  • 3. WARNING! The commentary is really important for this talk. If you’re a reporter, please contact me and I’ll be happy to provide that commentary for any section you’re interested in: dguido@isecpartners.com
  • 4. We Have An Analysis Problem. Or, you’re counting the wrong beans!
  • 5. Let’s Talk About Vulnerabilities (chart; *IBM X-Force 2010 Trend and Risk Report)
  • 6. How many vulnerabilities did you have to pay attention to in 2010?
  • 8. Vulnerability Origin (chart; *Secunia Yearly Report 2010)
  • 9. Affected Vendors (2010) (pie chart of Oracle, Adobe, Microsoft, Apple; slice values 5, 5, 2, 1)
  • 10. Wheel of Vulnerability Fortune (chart; *Secunia: The Security Exposure of Software Portfolios)
  • 11. Where or how were massively exploited vulnerabilities first discovered in 2010? (bar chart, scale 0 to 6; categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Discovered by Malware)
  • 12. Google Chrome is Insecure! (chart; *Bit9 Research Report: Top Vulnerable Apps – 2010)
  • 13. How many vulnerabilities were massively exploited in Google Chrome in 2010?
  • 14. Are we doing something wrong? Yes, you’re doing it backwards!
  • 15. We Have to Start at Attacks
    1. Where do bad guys get their info from?
    2. How do bad guys view the new vulns that come out?
    3. How effective are my defenses against this attacker?
  • 16. Maslow’s Internet Threat Hierarchy (pyramid; axes: # of Attacks, Data Lost; tiers from the top: APT / IP, Targeted / $$$, Mass Malware / Banking Credentials)
  • 18. Kill Chain Model
    - Systematic model for evaluating intrusions
    - Helps us objectively evaluate attacker capabilities
    - Align defense to specific processes an attacker takes
    - Typically used as a model to defend against APT
    - Evolves beyond response at point of compromise
    - Assumes unfixable vulnerabilities
    - First described by Mike Cloppert
  • 19. Recon
  • 20. Weaponization: 5-20 exploits, $200-$2000
  • 21. Delivery
  • 26. Leads to Cyber Pompeii
  • 27. Process Overview (kill chain stage and the scale of mass malware operations at that stage)
      Recon      Millions of Infected Sites
      Weaponize  Thousands of Vulnerabilities
      Delivery   Thousands of IPs
      Exploit    <100 Exploits
      Install    Millions of Malware Samples
      C2         Thousands of IPs
      Actions    N/A
    Annotations on the slide: “Existing defenses attack the most robust aspects of mass malware operations”; “The last point that you have control of your data” (beside the Delivery/Exploit stages)
  • 28. Going on the Offensive
  • 29. Exploit Kit Popularity (2011) (chart; *ThreatGRID Data)
  • 30. Exploit Kit Popularity
    - AVG Threat Labs
    - Malware Domain List
    - Krebs on Security
    - Malware Intelligence
    - Contagio Dump
    - Malware Tracker
    - M86 Security
    - …
  • 31. Data Sources
    - Blackhole
    - Bleeding Life
    - CrimePack (3.1.3, 3.0, 2.2.8, 2.2.1)
    - Eleonore (1.6, 1.4.4, 1.4.1, 1.3.2)
    - Fragus
    - JustExploit
    - Liberty (2.1.0, 1.0.7)
    - LuckySploit
    - Phoenix (2.5, 2.4, 2.3, 2.2, 2.1, 2.0)
    - SEO Sploit pack
    - Siberia
    - Unique Pack
    - WebAttacker
    - YES
    - Zombie
  • 32. Data Processing
    - Decode: Jsunpack (generic JS unpacker); Decodeby.us (PHP de-obfuscation)
    - Detect: YARA Project (generic scanning engine)
    - Relate: SHODAN HQ (Python API for ExploitDB, MSF, CVE)
    - Live Testing: VMware, Windows XP/7
    - Note: All free tools except VMware/Windows
  • 33. Jsunpack/YARA Rules
      rule IEStyle
      {
          meta:
              ref = "CVE-2009-3672"
              hide = true
              impact = 8
          strings:
              $trigger1 = "getElementsByTagName" nocase fullword
              $trigger2 = "style" nocase fullword
              $trigger3 = "outerhtml" nocase fullword
          condition:
              all of them
      }
  • 35. vuln_search.py (fields collected per vulnerability)
    - CVE: ID, Name, Vendor URLs (ex. MSB), ZDI, Other Notable URLs
    - Exploit DB: ID, Author, Date, Name
    - Metasploit: Name, Authors, ID, Description, Rank, References
  • 36. Sample Results: CVE-2010-1818
    - Exploit DB: 08/30/2010; Ruben Santamarta; Apple QuickTime "_Marshaled_pUnk" Backdoor; 14843
    - Metasploit: Ruben Santamarta, jduck; Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution; “… exploits a memory trust issue in Quicktime…”; exploit/windows/browser/apple_quicktime_marshaled_punk; Rank: Great
    - Refs: http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1 ; OSVDB-67705
  • 37. Recap: Mapping of Exploit Kits -> CVEs + Metadata
  • 38. Targeting Trends: Java from 2008 to Present
  • 39. Targeting Trends
    - Java, Round One
      - 12-08 – Prominent researcher finds CVE-2008-5353
      - 08-09 – Wins a Pwnie (researcher interest runs high)
      - 08-09 – ZDI submissions start trickling out
      - 11-09 – 1 kit incorporates CVE-2008-5353
  • 40. Java, Round Two
    - 11-09 – ZDI publishes 2nd batch of Java vulns
      - CVE-2009-3867
    - 01-10 – Three kits integrate 1st and 2nd vulns
      - CVE-2008-5353 and CVE-2009-3867
    - 04-10 – 3rd batch of researcher disclosures
      - CVE-2010-0886, CVE-2010-0840, CVE-2010-0842
    - Back and forth between researchers/malware keeps interest in Java running high
  • 41. From April 2010 onwards, new Java exploits are added to almost all popular exploit kits
  • 42. Java Today
    - Popularity
      - 11 out of 15 kits include at least one Java exploit (73%)
      - 7 out of 15 kits include more than one (46%)
    - Where did this trend come from?
      - Who followed who? The malware or research community?
      - Why can we even compare these two groups together?
    - What is next?
      - Java and Flash will continue to be a pain point
      - Quickest path to install malware in IE and Firefox
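The kit-to-CVE mapping from the recap slide is what the Java trend questions on slides 39 through 42 are asked of. Added here as an illustration, not code or data from the talk: a constructed mapping of the 15 kits named on the Data Sources slide to a few CVEs, the disclosure and first-seen months from slides 39 and 40, and the three computations the slides report (kit popularity per CVE, share of kits carrying Java exploits, disclosure-to-weaponization lag). Which CVE sits in which kit is an assumption chosen so the Java totals match slide 42; CVE-2010-1818 and CVE-2010-0188 stand in for non-Java exploits.

```python
"""Added example: the kit -> CVE mapping and the trend questions the talk
asks of it. Dates are from the Targeting Trends slides; the kit memberships
are a CONSTRUCTED illustration, not the talk's real dataset."""
from collections import Counter
from datetime import date

# Java CVEs and their public disclosure months from slides 39 and 40
# (day 1 is assumed; the slides give month precision only).
JAVA_CVES = {
    "CVE-2008-5353": date(2008, 12, 1),  # prominent researcher, Dec 2008
    "CVE-2009-3867": date(2009, 11, 1),  # ZDI second batch, Nov 2009
    "CVE-2010-0886": date(2010, 4, 1),   # third batch of disclosures, Apr 2010
    "CVE-2010-0840": date(2010, 4, 1),
    "CVE-2010-0842": date(2010, 4, 1),
}

# Month a CVE first showed up in a kit, from slides 39 and 40.
FIRST_SEEN = {
    "CVE-2008-5353": date(2009, 11, 1),  # one kit incorporates it, Nov 2009
    "CVE-2009-3867": date(2010, 1, 1),   # three kits integrate it, Jan 2010
}

# CONSTRUCTED mapping. Kit names are the 15 from the Data Sources slide; which
# CVE sits in which kit is invented (chosen so the Java totals match the
# Java Today slide). CVE-2010-1818 (QuickTime) and CVE-2010-0188 (Reader
# libTIFF) stand in for non-Java exploits.
KITS = {
    "Blackhole":       {"CVE-2010-0886", "CVE-2010-0840", "CVE-2010-1818"},
    "Bleeding Life":   {"CVE-2010-0886", "CVE-2010-0188"},
    "CrimePack":       {"CVE-2008-5353", "CVE-2009-3867", "CVE-2010-0188"},
    "Eleonore":        {"CVE-2008-5353", "CVE-2009-3867", "CVE-2010-0886"},
    "Fragus":          {"CVE-2009-3867"},
    "JustExploit":     {"CVE-2008-5353"},
    "Liberty":         {"CVE-2010-0188"},
    "LuckySploit":     {"CVE-2010-0886", "CVE-2010-0842"},
    "Phoenix":         {"CVE-2008-5353", "CVE-2009-3867", "CVE-2010-0840"},
    "SEO Sploit pack": {"CVE-2010-0886", "CVE-2010-0842"},
    "Siberia":         {"CVE-2010-0188"},
    "Unique Pack":     {"CVE-2010-0886"},
    "WebAttacker":     set(),
    "YES":             {"CVE-2010-1818"},
    "Zombie":          {"CVE-2010-0886", "CVE-2010-0840"},
}


def kit_counts(kits):
    """Popularity view: how many kits carry each CVE."""
    return Counter(cve for cves in kits.values() for cve in cves)


def java_adoption(kits, java_cves=JAVA_CVES):
    """(kits with >= 1 Java exploit, kits with > 1 Java exploit, total kits)."""
    java = set(java_cves)
    per_kit = [len(cves & java) for cves in kits.values()]
    return sum(n >= 1 for n in per_kit), sum(n > 1 for n in per_kit), len(per_kit)


def months_between(earlier, later):
    """Whole months between two month-precision dates."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def weaponization_lag(disclosed, first_seen):
    """Months from public disclosure to first appearance in a kit, per CVE."""
    return {cve: months_between(disclosed[cve], seen)
            for cve, seen in first_seen.items() if cve in disclosed}


if __name__ == "__main__":
    for cve, n in kit_counts(KITS).most_common():
        print(f"{cve}: in {n} of {len(KITS)} kits")
    at_least_one, more_than_one, total = java_adoption(KITS)
    print(f"Java: {at_least_one}/{total} kits carry >= 1 Java exploit, "
          f"{more_than_one}/{total} carry more than one")
    for cve, months in weaponization_lag(JAVA_CVES, FIRST_SEEN).items():
        print(f"{cve}: {months} months from disclosure to first kit")
```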
  • 43. The New Trend: more exploits are being rapidly repurposed from targeted attack campaigns in 2010-2011 (bar chart, scale 0 to 6; categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Silent Patch)
  • 44. Capabilities Assessment: If we only had a time machine
  • 45. Optimized Defense
    - Jan 1, 2009 – what can we put in place to mitigate all exploits for the next two years?
    - Restrictions: no patching allowed
    - 2009 recap
      - Internet Explorer 7, Firefox 3.0
      - Adobe Reader 9
      - Java, Quicktime, Flash, Office 2007
      - Windows XP SP3
    - Dataset represents 27 exploits
  • 46. Slice and Dice: Memory Corruption (19), Logic (8). Partition exploits based on mitigation options
  • 47. 19 Memory Corruption Exploits
    - 5 unique targets
      - IE, Flash, Reader, Java, Firefox, Opera
    - Do I have my sysadmins adhere to patch schedules or have them test and enable DEP in four applications?
      - Patch schedules: Monthly, Quarterly, Ad-hoc
      - Two years: 60+ patches in these apps
    - I choose Data Execution Prevention (DEP)
      - Good choice! It mitigates 14 exploits.
  • 48. 8 Logic Flaws
    - 4 unique targets
      - Java, Reader, IE, Firefox, FoxIt
    - Do we have a business case to justify getting repeatedly compromised by mass malware?
      - No? Remove Java from the Internet Zone in IE
      - Configure Reader to prompt on JS execution
      - “Disallow opening of non-PDF file attachments”
    - This leaves two exploits, one in IE and one in FF
  • 49. Most Severe Exploits 2009-2010
    - IE Help Center XSS
    - Firefox SessionStore
    - Reader libTIFF
    - Reader CoolType SING
    - Flash (IE) newfunction
    - Quicktime (IE) _Marshaled_pUnk
    - Java getSoundBank
  • 50. Enhanced Mitigation Experience Toolkit
    - Microsoft utility that adds obstacles to exploitation
      - On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter
      - Distributed as an MSI, controlled via CLI or Registry
    - Apply it to one application at a time
      - Harden legacy applications
      - Temporary protections against known zero-day
      - Permanent protections against highly targeted apps
    - http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-03-78/Users-Guide.pdf
  • 51. Most Severe Exploits 2009-2010 (after EMET): IE Help Center XSS, Firefox SessionStore. The Firefox exploit is only in one kit. We can make an informed decision about the amount of risk we are assuming.
  • 52. Intelligence-Driven Mitigations
    - Easy mitigations (22 out of 27 exploits)
      - DEP on IE, Firefox, and Reader
      - No Java in the Internet Zone
      - Disallow opening of non-PDF file attachments
    - Hard mitigations (all the rest)
      - EMET on IE and Reader, the two most attacked apps
      - Upgrade to IE8 for that pesky Help Center XSS
      - Disallow Firefox, patch it, or accept the risk
    - Extremely limited susceptibility going forward
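The partition-and-mitigate reasoning of slides 46 through 52, as an added example that is not the talk's dataset or code: each exploit carries the set of mitigations that stops it, and a greedy pass enables whichever mitigation stops the most still-exposed exploits per unit of deployment cost, optionally under an "easy mitigations" budget, returning the residual list ordered by how many kits carry each exploit (the "only in one kit" risk-acceptance call from slide 51). The first seven exploit names are from the Most Severe Exploits slide; their attributes, the other rows, and the cost numbers are constructed assumptions.

```python
"""Added example: partition exploits by the mitigation that stops them and
pick mitigations by coverage per unit of cost. The dataset is CONSTRUCTED;
only the first seven exploit names come from the talk."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    name: str
    app: str
    kind: str              # "memory" (corruption) or "logic"
    stopped_by: frozenset  # mitigations that defeat this exploit
    kits: int = 1          # how many kits carry it; drives risk acceptance


# Mitigation -> rough deployment cost. Assumed numbers: a config change
# costs 1, patching Firefox 2, rolling out EMET 3, a browser upgrade 4.
MITIGATIONS = {
    "dep_ie_firefox_reader": 1,
    "no_java_internet_zone": 1,
    "reader_js_prompt": 1,
    "reader_no_nonpdf_attachments": 1,
    "emet_ie_reader": 3,
    "patch_firefox": 2,
    "upgrade_ie8": 4,
}

# CONSTRUCTED dataset: the attributes of the named exploits and every row
# marked "constructed" are illustrative, not the talk's 27-exploit set.
EXPLOITS = [
    Exploit("IE Help Center XSS", "IE", "logic", frozenset({"upgrade_ie8"}), 4),
    Exploit("Firefox SessionStore", "Firefox", "logic", frozenset({"patch_firefox"}), 1),
    Exploit("Reader libTIFF", "Reader", "memory", frozenset({"emet_ie_reader"}), 6),
    Exploit("Reader CoolType SING", "Reader", "memory", frozenset({"emet_ie_reader"}), 3),
    Exploit("Flash (IE) newfunction", "IE", "memory", frozenset({"emet_ie_reader"}), 5),
    Exploit("Quicktime (IE) _Marshaled_pUnk", "IE", "memory", frozenset({"emet_ie_reader"}), 2),
    Exploit("Java getSoundBank", "Java", "memory", frozenset({"no_java_internet_zone"}), 3),
    Exploit("constructed IE overflow A", "IE", "memory",
            frozenset({"dep_ie_firefox_reader", "emet_ie_reader"}), 7),
    Exploit("constructed Firefox overflow B", "Firefox", "memory",
            frozenset({"dep_ie_firefox_reader"}), 2),
    Exploit("constructed Reader overflow C", "Reader", "memory",
            frozenset({"dep_ie_firefox_reader", "emet_ie_reader"}), 5),
    Exploit("constructed Java logic bug D", "Java", "logic", frozenset({"no_java_internet_zone"}), 8),
    Exploit("constructed Reader JS abuse E", "Reader", "logic", frozenset({"reader_js_prompt"}), 4),
    Exploit("constructed Reader launch action F", "Reader", "logic",
            frozenset({"reader_no_nonpdf_attachments"}), 2),
]


def partition(exploits):
    """'Slice and Dice': how many exploits fall in each class."""
    counts = {"memory": 0, "logic": 0}
    for e in exploits:
        counts[e.kind] += 1
    return counts


def plan(exploits, mitigations=MITIGATIONS, max_cost=None):
    """Greedy set cover. Each step enables the affordable mitigation that
    stops the most still-exposed exploits per unit of cost (ties go to the
    cheaper one). Returns [(mitigation, newly stopped)] and the residual
    exploits, the ones carried by the most kits first."""
    remaining = list(exploits)
    enabled, steps, spent = set(), [], 0
    while remaining:
        budget = None if max_cost is None else max_cost - spent
        candidates = [m for m, cost in mitigations.items()
                      if m not in enabled and (budget is None or cost <= budget)]
        gain = {m: sum(1 for e in remaining if m in e.stopped_by) for m in candidates}
        best = max(candidates, default=None,
                   key=lambda m: (gain[m] / mitigations[m], -mitigations[m]))
        if best is None or gain[best] == 0:
            break
        enabled.add(best)
        spent += mitigations[best]
        steps.append((best, gain[best]))
        remaining = [e for e in remaining if best not in e.stopped_by]
    return steps, sorted(remaining, key=lambda e: -e.kits)


if __name__ == "__main__":
    print("classes:", partition(EXPLOITS))
    for label, budget in (("easy mitigations only", 4), ("everything", None)):
        steps, left = plan(EXPLOITS, max_cost=budget)
        print(f"\n{label}:")
        for mitigation, n in steps:
            print(f"  enable {mitigation}: stops {n} more exploit(s)")
        for e in left:
            print(f"  still exposed: {e.name} ({e.app}, {e.kind}, in {e.kits} kit(s))")
```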
  • 53. Taking It Further
    - Mass malware exploits are:
      1. Result of users browsing internet sites
      2. Shortest path to install malware w/ a single exploit
    - (diagram: Malicious HTML reaches Install SpyEye through Google Chrome only after a DEP Bypass and a Sandbox Escape, through IE8 after a DEP Bypass, and through IE7, Plugins, Java, Flash, etc. directly; *DDZ – Memory Corruption, Exploitation and You)
  • 54. Google Chrome Frame: “X-UA-Compatible: chrome=1”
  • 55. Google Chrome Frame
    - Internet sites standardized around HTML/JS
      - This is why you don’t need IE6 or IE7 at home
    - For internet sites, add HTTP header w/ Bluecoat
      - Browser is sandboxed
      - Uses auto-updated Google version of Flash
      - No other plugins are loaded
    - Maintain whitelist of internet sites that need IE
      - Typically, established vendor relationships
    - All intranet websites will load with IE as usual
    - Seamless to the user, mitigates all exploits in use
  • 56. Maslow’s Internet Threat Hierarchy (pyramid again; axes: # of Attacks, Data Lost; tiers: APT / IP, Targeted / $$$, Banking Credentials). Now you’re ready to defend against more advanced attackers.
  • 57. Intelligence-Driven Conclusions
    - Don’t wait to act with Flash and Java
    - Pay attention to targeted attack disclosures in 2011
    - Force malware authors to use multiple exploits
    - Seriously consider Google Chrome Frame
    - Are your consultants/MSSPs/scanners evaluating vulnerabilities the same way that attackers are?
    - Intelligence-Driven Response
      - Informed defense is more effective and less costly
      - Threat-focused security is practical
      - Attack data is necessary to adequately model your risk
  • 58. Thanks
    - Rcecoder, Mila Parkour, Francois Paget, Adam Meyers: Exploit Pack Table on Contagio Dump & Exploit Kit Source
    - Mike Cloppert and Dino Dai Zovi: Inspiration, ideas, and encouragement
    - Chris Clark: Getting started with the research process at iSEC
    - John Matherly: Creating SHODAN and fixing my bugs
    - Dean De Beer: ThreatGRID data, screenshots, and background material
  • 59. References and Q&A
    - Updates with more data at SummerCon, 6/10
    - Related Presentations (online)
      - Memory Corruption, Exploitation, and You – DDZ
      - Intelligence-Driven Response to APT – M. Cloppert
      - Any Mandiant Presentation
    - Related Presentations (at SOURCE)
      - 2011 Verizon Data Breach Report, Hutton
      - Fuel for Pwnage, Diaz and Mieres
      - Dino Dai Zovi Keynote
    - dguido@isecpartners.com
  • 61. Frequently Asked Question #1
    - Q: What do you think about network detections?
    - A: Apply the same analysis process (kill chain) to the adversary you care about and determine the major sources of overlap in intrusions. You may find better indicators than simply IP addresses.
      - i.e., “Hey, all the malicious domains attacking me are registered with the same whois data.”
      - or, “All the domains that compromise me have low TTL values in common.”
    - See some of Mike Cloppert’s writings
    - See ThreatGRID when it comes out
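An added illustration of the answer above, not code from the talk: given constructed whois/DNS records for domains seen in one set of intrusions and for a benign baseline, rank which attribute is shared most widely across the intrusions yet is rare in the baseline, then keep the survivors as indicators instead of bare IP addresses. Every domain, registrant, nameserver, TTL value and the 300-second "low TTL" threshold below is made up.

```python
"""Added example: find what a set of intrusions has in common beyond IP
addresses (shared whois data, low TTLs) and turn that into indicators.
All records below are CONSTRUCTED."""
from collections import Counter

FIELDS = ("domain", "ip", "registrant", "registrar", "ns", "ttl")


def rec(*values):
    """Build one whois/DNS record from positional values in FIELDS order."""
    return dict(zip(FIELDS, values))


# Domains that delivered the same kit in a constructed set of intrusions.
MALICIOUS = [
    rec("kit-a.example", "198.51.100.10", "privacy-proxy-771@mail.example", "RegistrarOne", "ns1.fastflux.example", 60),
    rec("kit-b.example", "198.51.100.23", "privacy-proxy-771@mail.example", "RegistrarOne", "ns1.fastflux.example", 120),
    rec("kit-c.example", "203.0.113.5", "privacy-proxy-771@mail.example", "RegistrarTwo", "ns1.fastflux.example", 300),
    rec("kit-d.example", "203.0.113.77", "privacy-proxy-771@mail.example", "RegistrarOne", "ns2.other.example", 60),
    rec("kit-e.example", "192.0.2.44", "other-reg@mail.example", "RegistrarTwo", "ns1.fastflux.example", 180),
]

# Benign baseline (constructed); note the CDN with a legitimately low TTL.
BENIGN = [
    rec("corp-a.example", "192.0.2.1", "admin@corp-a.example", "RegistrarOne", "ns1.corp-a.example", 3600),
    rec("corp-b.example", "192.0.2.2", "admin@corp-b.example", "RegistrarOne", "ns.corp-b.example", 86400),
    rec("corp-c.example", "192.0.2.3", "hostmaster@corp-c.example", "RegistrarTwo", "ns1.corp-c.example", 3600),
    rec("cdn.example", "192.0.2.4", "dns@cdn.example", "RegistrarThree", "ns1.cdn.example", 60),
    rec("corp-e.example", "192.0.2.5", "admin@corp-e.example", "RegistrarOne", "ns1.corp-e.example", 7200),
    rec("corp-f.example", "192.0.2.6", "admin@corp-f.example", "RegistrarTwo", "ns1.corp-f.example", 14400),
]


def ttl_bucket(ttl):
    """Assumed threshold: 300 s or less counts as a low TTL."""
    return "low" if ttl <= 300 else "normal"


# Candidate indicator features, each reducing a record to one comparable value.
FEATURES = {
    "ip": lambda r: r["ip"],
    "registrant": lambda r: r["registrant"],
    "registrar": lambda r: r["registrar"],
    "ns": lambda r: r["ns"],
    "ttl": lambda r: ttl_bucket(r["ttl"]),
}


def overlaps(malicious, benign, features=FEATURES):
    """For each feature: the value shared most widely across the malicious
    set, with the share of malicious and of benign records carrying it.
    Sorted by how much more common it is in intrusions than in the baseline."""
    rows = []
    for name, f in features.items():
        value, count = Counter(f(r) for r in malicious).most_common(1)[0]
        mal_share = count / len(malicious)
        benign_share = sum(f(r) == value for r in benign) / len(benign)
        rows.append((name, value, mal_share, benign_share))
    rows.sort(key=lambda row: row[2] - row[3], reverse=True)
    return rows


def choose_indicators(rows, min_malicious=0.6, max_benign=0.1):
    """Keep values common across intrusions and rare in the baseline."""
    return [(name, value) for name, value, mal, ben in rows
            if mal >= min_malicious and ben <= max_benign]


def matches(record, indicators, features=FEATURES):
    """Indicators a newly observed record trips."""
    return [(name, value) for name, value in indicators
            if features[name](record) == value]


if __name__ == "__main__":
    rows = overlaps(MALICIOUS, BENIGN)
    for name, value, mal, ben in rows:
        print(f"{name:10} {value!s:32} malicious {mal:.0%}  benign {ben:.0%}")
    chosen = choose_indicators(rows)
    print("indicators:", chosen)
    newly_seen = rec("kit-f.example", "203.0.113.200", "privacy-proxy-771@mail.example",
                     "RegistrarThree", "ns9.example", 3600)
    print("new domain trips:", matches(newly_seen, chosen))
```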
  • 62. Frequently Asked Question #2
    - Q: How can we keep up with this data? You did a point-in-time assessment, but I want this going forward.
    - A: This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.
  • 63. Frequently Asked Question #3
    - Q: Aren’t you cheating by saying we should use EMET to mitigate past exploits?
    - A:
      - If we were smart enough to enable mitigations like DEP, we would have had a solid 1.5 years where we weren’t affected by mass malware memory corruption exploits at all, buying us a huge amount of time to investigate other mitigation techniques.
      - The exploits that EMET was needed for came after the tool was released in Oct 2009. If you had someone performing this analysis, you could have observed the exploits that bypassed DEP and responded the same way I did. Intelligence gathering is not a static process; we have to continue collecting and responding to new information.
      - There are more ways to use this intelligence. For instance, since we know that Flash and targeted attacks are so rapidly incorporated into mass exploitation campaigns, we would have known on April 11th that CVE-2011-0611 would be a significant issue. The patch came out on April 15th, but I doubt many orgs patched over the weekend or enabled other mitigating options before it was massively exploited on April 18th. With this data in hand, they would have realized the seriousness of the original event on the 11th.
  • 64. Frequently Asked Question #4
    - Q: Future analysis?
    - A:
      - How [exactly] do researcher disclosures correlate with massive exploitation?
      - Is the number of bugs exploited as zero-day increasing? Why?
      - Do researchers follow zero-day disclosure trends or vice-versa?
      - Exactly how much exploit code is modified from public PoC’s before being integrated into a kit?
      - Expect new results some time in June