Trends in network security feinstein - informatica64

Trends in Network Security Ben Feinstein, CISSP GCFA Director of Research SecureWorks Counter Threat Unit℠
Friday, April 23 rd , 2010 Informática64 Móstoles, Spain

Introduction

Who Am I?
Native of Atlanta, Georgia USA
12 years old, dial-up UNIX shell, telneting around the world
Professional software developer as a teenager
Bachelor of Science in Computer Science (c. Economics), 2001
Harvey Mudd College, Claremont, California USA
Author of RFC 4765 and RFC 4767
Software Engineer at a series of security start-ups, 2001 – 2006
Joined SecureWorks in 2006
Certified Information Systems Security Professional (CISSP)
SANS Global Information Assurance Certified Forensics Analyst (GCFA)

Who is SecureWorks?
Market leading provider of information security services
Managed Security Services Provider (MSSP)
Security and Risk Consulting (SRC)
Over 2,700 clients worldwide, including more than 10% of Fortune 500
Suite of managed information and network security services
Security Information Management (SIM) On Demand
Log Monitoring
Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS)
Threat Intelligence
Firewall
Host IPS
Vulnerability Scanning
Web Application Scanning
Log Retention
Encrypted Email

Agenda

Agenda
Computer Networks
Vulnerability Trends of 2009
Malware Trends of 2009
Information Disclosure
Aurora
Other Trends
The New .CN
Mariposa / ButterflyBot
Conclusion
Q & A

From Mainframes to Today’s Internet

The Development of Computer Networks
Advanced Research Projects Agency (ARPA)
Established in 1958 after Soviet launch of Sputnik satellite in 1957
Later renamed the Defense Advanced Research Projects Agency (DARPA)
Directly manages a $3.2B budget
ARPANET developed by ARPA for US Department of Defense (DoD)
Development work began in 1969

Decentralization of Computing Power
Mainframes gave way to Personal Computers (PCs)
Development of Local Area Networks (LANs)
Dial-up Internet
Broadband Internet

ARPANET, circa March 1977

Map of Internet Routers (2005), Opte Project
http://www.opte.org/

Map of Online Communities, xkcd #256
http://xkcd.com/256/ , Spring 2007

Some (Much) Older Networks to Remember
Hawala
Pony Express
Source: International Monetary Fund

Network Security

The Network as an Attack Surface
Concept of Threat Modeling
Concept of an Attack Surface
Local Attacks vs. Remote Attacks
Common Vulnerability Scoring System (CVSS) version 2
Exploitability metrics
Access Vector: Local, Adjacent Network, Network
Widespread adoption of Firewalls
Widespread adoption of the Web
Web 2.0

Vulnerability Trends of 2009

2009 Vulnerability Trends
Vulnerabilities disclosed for document readers and editors soared.
Office documents including spreadsheets and presentations
Portable Document Format (PDF) documents – the dubious champ
Favorite vector of “Spear Phishers”, including “Operation Aurora”
The appearance of new malicious Web links has skyrocketed globally in the past year.
Phishing, Malvertisements, Fake-AV, etc.
A large number of sophisticated web-attack toolkits are available for sale.
CSS and SQLi attacks primarily used to redirect web-surfers to an attack-toolkit!
Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries not previously been in the game.
Attackers are shifting their geographical profiles due to various pressures
Lots and lots of money to be made

Vulnerability Metrics for 2H 2009

Malware Trends of 2009

2009 Malware Trends
Malware authors and operators innovated
Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7
Complex and user friendly Banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits
Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use
Better prepared for takedowns and other countermeasures
Lessons learned from the days of The RBN
Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services
DNS double and triple-flux technologies

2009 Malware Trends
Man in the browser/endpoint
Trojan Horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries
Common objective of this attack is to cause financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use
High-dollar Commercial OLB creds - compromised
Challenge secret questions – compromised
IP Geo-location - compromised
Email out-of-band - compromised
Hardware token - compromised
Device fingerprinting - compromised
Dual approver - compromised
SMS out-of-band - compromised

2009 Malware Trends
Compromised web pages frequently vehicle of choice for mass malware distribution
Hence, most servers are compromised in order to compromise client
Those clients may then be used to compromise servers inside the enterprise! (Aurora!)
Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScripts
Sophisticated software development
Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client-base and are producing highly usable, modular and upgradeable software at a tremendous rate.
For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes and designed to target specific PKI schemes, etc.

2009 Malware Trends
Greater efficiency and targeting
Dasient: 5.5 million web pages on 560,000 websites infected with malware Q4 2009.
Two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8
Smaller number of malicious programs means that users are less likely to notice an attack.
Operators learning valuable business lessons
Operate 24/7 network of login-interceptors for high-value accounts
Operators are singling out SMBs that tend to have cash on hand and no real IT
Extremely sophisticated and profitable money-mule/laundering infrastructure now exists

Contemporary ACH / Wire Fraud
Automated Clearing House (ACH)
1 - 4 victims / day
Average take $100,000 / victim
$500K - $1M/week
$100M attempted in 2009
$40M+ unrecovered
> All US bank robberies combined
Losses borne by victims due to ACH rules
ALL done by ONE Eastern European crew

Recent ACH Fraud Cases
XXXX County - $415,000
XXXX Corp - $447,000
XXXX Energy - $200,000
XXXX Construction - $588,000
XXXX Industrial - $1,200,000
XXXX School District - $117,000
XXXX XXXX School - $150,000
XXXX University - $189,000

Source: myNetWatchman

Information Disclosure: Lessons from Airplanes and ATMs

Failing to redact documents correctly
Not removing document metadata
Not sanitizing hard drives and other media
Unencrypted data

TSA published a SOP manual with sensitive information redacted

The TSA added black bars on top of text and images to prevent it from being seen

Information Disclosure The NSA specifically states that this will not work in their manual on redacting safely: Google: “Redact Confidence”

Information Disclosure [Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF]

40% of hard drives purchased from eBay contain personal information
36% Financial data
21% Emails
11% Corporate Documents
[source: Kessler International]
Wipe drives before they leave your control
There are several bootable programs that will wipe all media attached to a computer
DBAN – Darik’s Boot and Nuke

A security researcher purchased an ATM via Craig’s List
He found 1,000 debit card numbers stored in the machine
Who has access to your data?
What are their controls on it?

Imperva notified rockyou.com of a SQL injection flaw on Dec 4 th
Rockyou.com fixed the problem over the weekend
The database stored passwords in plaintext
A hacker disclosed that he had copied the entire database before the flaw was fixed

The database contains the usernames and passwords for over 32 million account
Included in the database were also passwords for partner websites
This is a classic example of where defense in depth would have offered superior protection

Aurora

Background: Titan Rain intrusion set
An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that is all related in some way
Titan Rain was one such intrusion set
Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003
Labeled as Chinese in origin
Nature of and identities of adversaries unknown

Background: Advanced Persistent Threat (APT)
Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks.
Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome.
Does not typically refer to things like ZeuS

Aurora
Publicly disclosed hacking incident inside Google and other major companies
Belief within infosec community that PRC has been waging a long term, persistent campaign of “espionage-by-malware”
Titan Rain, GhostNet
Grown bolder over time

Aurora
In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-Based corporations with the intent of exfiltrating sensitive data for political and financial gain.
The Aurora team used a privately-held IE-7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs
Social-engineering using methods similar to Fake-AV campaigns was also used
Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside

Aurora
“ Aurora” is taken directly from strings within some custom software components of the attack
Debug symbol file path in custom code

Aurora
Known samples of main backdoor trojan used in attacks no older than 2009
Attack may have been in works for some time
Custom modules in Aurora codebase with timestamps as old as May 2006
Timeframe just after Titan Rain had blown up and PRC’s limited arsenal of mostly “COTS” trojans were being increasingly detected by commercial AV

Aurora
With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now
Compiler leaves many clues in a binary
PE resource section may reveal language code
Aurora author was careful to either compile on English-language system, or to modify the language code in the binary after the fact

Aurora
Peculiarities and origins of CRC algorithm used suggest author familiar w/ simplified Chinese

Aurora
Partial JavaScript code used to exploit Google
If only they were using Chrome…

New Details Emerge
April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia”
“ Cyberattack on Google Said to Hit Password System”, John Markoff
Aurora had access to “Moma”, Google’s internal employee database
May have used information from Moma to target the individual developers working on Gaia
Source code exfiltrated to Rackspace servers, and then onto ???

Other Trends

Other Trends
Social engineering
Phishing / Spearphishing
E.g., Rogue AV
Hybrid attacks
Targeted verticals and enterprises
Advanced Trojans
Social Networks (Facebook, Twitter)
Trusted relationships
Superb ROI platform for URL-based attacks
Botnet sophistication and innovation
Spread of infection by reputable or legit websites
continuously evolving attacks and malware methods
Threats come more from organized crime
However, involvement of state actors has finally come to the forefront

Other Trends
0-day black market
Premium paid for 0-days
Tipping Point has heard of governments offering $1 million for a good one
Good guys can’t compete at those prices
‘ Aurora’ used an IE 0-day that it had developed
Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules
Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations
Global cooperation in these cases is still in its infancy

Other Trends
Clients vs. Servers
For the moment, the pendulum has swung away from servers
Servers are now more likely to be compromised as a means to compromise a large number of clients
While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside
The weakest-link rule is true now more than ever

The new .CN

The new .CN
In December 2009, published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names
The new restrictions consisted of:
Webmasters to submit paper application and show ID when registering a domain name
Business license if applicable
Have to submit the information within 5 days or risk losing the domain
Continued to monitor domains hosting malicious executables and have noticed an interesting trend
Domains registered with a ccTLD of .CN have slightly declined where domains registered with a ccTLD of .IN have started to increase starting right around the timeframe of the CNNIC announcement

The new .CN

The new .CN
.RU domains have also seen an increase since the .CN registration requirements were announced.
RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st

The new .CN

Publicly sold botnet kit called “BFBOT”
Distributed as binary “builder” kit, full source code is not available
Author has since “retired”, but perhaps not
Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot
Uses console-based master control program
Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development

Named after a domain that it was contacting
butterfly [dot] sinip [dot] es
Initially discovered early 2009
Sold on bfsecurity.net
“ Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)”
The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”

Commercial Market for ButterflyBot Source: Panda Security

ButterflyBot Capabilities
Information Theft
Steal data from Internet Explorer (protected storage and Autocomplete (IE 7+) password stealing)
Mozilla Firefox (stored passwords stealing)
Downloader
Download files via HTTP and execute them on the infected computer
DDoS
TCP SYN or UDP packet flooding
Propagation
MSN Instant Messenger
USB autorun
Copying itself to well-known P2P application download directories
VNC Server Scan
Scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.

ButterflyBot Console Source: Symantec

ButterflyBot Master Client Source: Panda Security

ButterflyBot Configuration Tool Source: Panda Security

Mariposa Takedown
Botnet size fluctuated between 500K and 1 million infected hosts spanning more then 190 countries
Botmasters made money by allowing other cybercrooks to utilize parts of the botnet
This lead to a variety of malware being installed
Advanced keyloggers
Various Banking trojans
RATs (Remote access Trojans)
Fake AV

Mariposa Takedown
Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested
“ netkairo” of Balmaseda age 31
“ jonyloleante” of Molina de Segura age 30
“ ostiator“ of Santiago de Compostela age 25
Action taken on domains December 23, 2009 at 1700 Spanish time
US FBI and Spanish Civil Guard
Believed that suspects would be less able to react due to Christmas holiday and time with family
Suspects unknown, using VPNs from Swedish provider Relakks
During counter attack, “netkairo” make a fatal mistake
Did not use VPN, revealed IP address in Spain
IP provided to Civil Guard

Mariposa Takedown
“ netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain
Digital forensics of seized computers lead to 2 further arrests in Spain
Cases in front of Judge Garzón of the National Court

Conclusion

Conclusion
Defenders remain at a significant disadvantage
Must attack both sides of the risk vs. reward equation
Closer cooperation is needed between security community and law enforcement
Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem
Attractive ROI of Social Engineering

Special Thanks
Chema Alonso & Informática64
Maite Villalba and the Universidad Europea de Madrid
You, my audience!

http://www.elladodelmal.com	1252
http://elladodelmal.blogspot.com	67
http://www.slideshare.net	18
http://static.slidesharecdn.com	6
http://www.elladodelmal.blogspot.com	1
http://translate.googleusercontent.com	1

Trends in network security feinstein - informatica64

by Chema Alonso

Accessibility

Upload Details

Usage Rights

6 Embeds 1,345

Statistics