Trends in network security   feinstein - informatica64
  • Speaker notes
  • Harvey Mudd College, Claremont, California USA. Co-op with Aerospace Corporation, El Segundo, California USA (2000), a Federally Funded Research & Development Corporation (FFRDC) that supports national security, civil and commercial space programs. Graduate of the FBI Citizens’ Academy.
  • ARPA was renamed DARPA in March 1972, renamed ARPA again in February 1993, and renamed DARPA again in March 1996.
  • Hawala: today, “probably used mostly for migrant workers’ remittances to their countries of origin”. Chart source: International Monetary Fund, http://www.imf.org/external/pubs/ft/fandd/2002/12/elqorchi.htm
    Pony Express: 1860-1861; 2,000 miles from Missouri to Sacramento, California; 190 stations spaced at roughly 10 mile intervals (about the maximum distance a horse could run at full gallop). Riders carried a mochila and changed horses at each station. Replaced by the telegraph.
  • Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install.
  • Krebs on Security blog, written by Brian Krebs, formerly of the Washington Post: http://www.krebsonsecurity.com/category/smallbizvictims/
    Formerly wrote the Security Fix blog for the Washington Post: http://voices.washingtonpost.com/securityfix/small_business_victims/
    “Computer Crooks Steal $100,000 from Ill. Town”, 2010-04-06, http://krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/
    “Online Thieves Take $205,000 Bite Out of Missouri Dental Practice”, 2010-03-30, http://krebsonsecurity.com/2010/03/online-thieves-take-205000-bite-out-of-missouri-dental-practice/
    “Organized Crooks Hit NJ Town, Ark. Utility”, 2010-03-22, http://krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/
  • Avalanche is a fast-flux hosting network similar to Asprox.
  • http://www.nytimes.com/2010/04/20/technology/20google.html
  • Reported in the October 2009 CTU Threat Intelligence webinar
  • Reported in the October 2009 CTU Threat Intelligence webinar
  • http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • http://www.symantec.com/connect/blogs/mariposa-butterfly-bot-kit
  • http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • Transcript

    • 1. Trends in Network Security
      Ben Feinstein, CISSP GCFA, Director of Research, SecureWorks Counter Threat Unit℠
      Friday, April 23rd, 2010, Informática64, Móstoles, Spain
    • 2. Introduction
    • 3. Who Am I?
        • Native of Atlanta, Georgia USA
        • 12 years old, dial-up UNIX shell, telnetting around the world
        • Professional software developer as a teenager
        • Bachelor of Science in Computer Science (c. Economics), 2001
            • Harvey Mudd College, Claremont, California USA
        • Author of RFC 4765 and RFC 4767
        • Software Engineer at a series of security start-ups, 2001 – 2006
        • Joined SecureWorks in 2006
        • Certified Information Systems Security Professional (CISSP)
        • SANS Global Information Assurance Certified Forensics Analyst (GCFA)
    • 4. Who is SecureWorks?
        • Market-leading provider of information security services
            • Managed Security Services Provider (MSSP)
            • Security and Risk Consulting (SRC)
        • Over 2,700 clients worldwide, including more than 10% of the Fortune 500
        • Suite of managed information and network security services
            • Security Information Management (SIM) On Demand
            • Log Monitoring
            • Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS)
            • Threat Intelligence
            • Firewall
            • Host IPS
            • Vulnerability Scanning
            • Web Application Scanning
            • Log Retention
            • Encrypted Email
    • 5. Agenda
    • 6. Agenda
        • Computer Networks
        • Vulnerability Trends of 2009
        • Malware Trends of 2009
        • Information Disclosure
        • Aurora
        • Other Trends
        • The New .CN
        • Mariposa / ButterflyBot
        • Conclusion
        • Q & A
    • 7. From Mainframes to Today’s Internet
    • 8. The Development of Computer Networks
        • Advanced Research Projects Agency (ARPA)
            • Established in 1958 after the Soviet launch of the Sputnik satellite in 1957
            • Later renamed the Defense Advanced Research Projects Agency (DARPA)
            • Directly manages a $3.2B budget
        • ARPANET developed by ARPA for the US Department of Defense (DoD)
            • Development work began in 1969
    • 9. Decentralization of Computing Power
        • Mainframes gave way to Personal Computers (PCs)
        • Development of Local Area Networks (LANs)
        • Dial-up Internet
        • Broadband Internet
    • 10. ARPANET, circa March 1977 (map slide)
    • 11. Map of Internet Routers (2005), Opte Project
        • http://www.opte.org/
    • 12. Map of Online Communities, xkcd #256
        • http://xkcd.com/256/ , Spring 2007
    • 13. Some (Much) Older Networks to Remember
        • Hawala
        • Pony Express
        Source: International Monetary Fund
    • 14. Network Security
    • 15. The Network as an Attack Surface
        • Concept of Threat Modeling
        • Concept of an Attack Surface
        • Local Attacks vs. Remote Attacks
        • Common Vulnerability Scoring System (CVSS) version 2
            • Exploitability metrics
            • Access Vector: Local, Adjacent Network, Network
        • Widespread adoption of Firewalls
        • Widespread adoption of the Web
        • Web 2.0
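The CVSS v2 Access Vector metric named on slide 15 is easiest to see with numbers. The Python below is an added example, not part of the presentation: it implements the CVSS v2 base-score equation and metric weights from the FIRST specification and scores the same vulnerability as Local, Adjacent Network and Network. The vector strings are illustrative and not taken from any particular advisory.

```python
"""CVSS v2 base score, used here to show how the Access Vector metric
(Local / Adjacent Network / Network) moves the score of an otherwise
identical vulnerability.  Equation and weights are those of the CVSS v2
specification; everything else is an added example."""
import math

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # shared by C, I and A


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = dict(item.split(":") for item in vector.split("/"))
    if set(parts) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"malformed CVSS v2 base vector: {vector!r}")
    return parts


def round1(x: float) -> float:
    """Round half up to one decimal as the spec does (not banker's rounding)."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]])
                          * (1 - IMPACT[m["I"]])
                          * (1 - IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                         * ACCESS_COMPLEXITY[m["AC"]]
                         * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176     # no impact, no score
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def access_vector_sweep(rest: str = "AC:L/Au:N/C:C/I:C/A:C") -> dict:
    """Score one vulnerability reachable locally, from the adjacent network,
    and from the network; `rest` is an illustrative, fully-compromising bug."""
    return {av: base_score(f"AV:{av}/{rest}") for av in ("L", "A", "N")}


if __name__ == "__main__":
    for av, score in access_vector_sweep().items():
        print(f"AV:{av} -> {score}")
```

The sweep gives 7.2, 8.3 and 10.0 for a complete-impact bug, which is the slide's point: exposing a component to the network is worth close to three points of base score before any other property of the flaw is considered. Rounding is half-up as in the specification; Python's round() would use banker's rounding.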
    • 16. Vulnerability Trends of 2009
    • 17. 2009 Vulnerability Trends
        • Vulnerabilities disclosed for document readers and editors soared.
            • Office documents including spreadsheets and presentations
            • Portable Document Format (PDF) documents – the dubious champ
            • Favorite vector of “spear phishers”, including “Operation Aurora”
        • The appearance of new malicious Web links has skyrocketed globally in the past year.
            • Phishing, malvertisements, Fake-AV, etc.
            • A large number of sophisticated web-attack toolkits are available for sale.
            • XSS (cross-site scripting) and SQLi attacks are primarily used to redirect web surfers to an attack toolkit!
        • Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries not previously in the game.
            • Attackers are shifting their geographical profiles due to various pressures
            • Lots and lots of money to be made
    • 18. Vulnerability Metrics for 2H 2009 (chart slide)
    • 19. Malware Trends of 2009
    • 20. 2009 Malware Trends
        • Malware authors and operators innovated
            • Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7
            • Complex and user-friendly banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits
            • Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use
        • Better prepared for takedowns and other countermeasures
            • Lessons learned from the days of the RBN (Russian Business Network)
        • Taking advantage of “cloud” services: virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services
            • DNS double- and triple-flux techniques
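Slide 20 names double- and triple-flux DNS without showing what it looks like in resolver data. The block below is an added example, not from the talk or from SecureWorks CTU: a small heuristic that reads passive-DNS style records and flags names whose A records are spread over many networks at low TTL, and calls it double flux when the name servers' own A records behave the same way. The records, the names under .test and the thresholds are all constructed for the example; a real deployment would map addresses to ASNs rather than /16 prefixes and tune the thresholds against its own traffic.

```python
"""Flagging fast-flux (single) and double-flux names in resolver records.
Heuristic only: a name whose A records are spread over many networks with
low TTLs looks fluxed; if its name servers' A records do the same, it is
double flux.  All records below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Constructed records in the form: name rrtype ttl rdata
SAMPLE_LOG = """\
shop-example.test NS 120 ns1.shop-example.test
shop-example.test NS 120 ns2.shop-example.test
shop-example.test A 120 192.0.2.10
shop-example.test A 120 198.51.100.77
shop-example.test A 120 203.0.113.5
shop-example.test A 120 100.64.1.9
shop-example.test A 120 100.65.1.30
shop-example.test A 120 100.66.1.200
ns1.shop-example.test A 120 192.0.2.44
ns1.shop-example.test A 120 198.51.100.12
ns1.shop-example.test A 120 203.0.113.90
ns2.shop-example.test A 120 100.64.1.15
ns2.shop-example.test A 120 100.65.1.16
ns2.shop-example.test A 120 100.66.1.17
pharma-example.test NS 86400 ns.hoster-example.test
pharma-example.test A 180 192.0.2.99
pharma-example.test A 180 198.51.100.3
pharma-example.test A 180 203.0.113.140
pharma-example.test A 180 100.64.1.1
pharma-example.test A 180 100.65.1.2
ns.hoster-example.test A 86400 192.0.2.250
cdn-example.test A 60 198.51.100.20
cdn-example.test A 60 198.51.100.21
cdn-example.test A 60 198.51.100.22
cdn-example.test A 60 198.51.100.23
cdn-example.test A 60 198.51.100.24
cdn-example.test A 60 198.51.100.25
static-example.test A 3600 203.0.113.8
"""


@dataclass
class NameStats:
    a_records: set = field(default_factory=set)
    ns_records: set = field(default_factory=set)
    min_ttl: int = 2**31 - 1


def parse_log(log: str) -> dict:
    """Aggregate A records, NS records and the lowest TTL seen per name."""
    stats = defaultdict(NameStats)
    for line in log.splitlines():
        name, rrtype, ttl, rdata = line.split()
        s = stats[name]
        if rrtype == "A":
            s.a_records.add(rdata)
            s.min_ttl = min(s.min_ttl, int(ttl))
        elif rrtype == "NS":
            s.ns_records.add(rdata)
    return stats


def prefixes(addresses, bits: int = 16) -> set:
    """Distinct /bits networks; stands in for the ASN lookup a real tool would do."""
    return {ipaddress.ip_network(f"{ip}/{bits}", strict=False) for ip in addresses}


def looks_fluxed(s: NameStats, min_ips=5, min_prefixes=3, max_ttl=300) -> bool:
    # A CDN also has many addresses at low TTL, but they sit in few networks;
    # the prefix spread is what separates it from a flux network of bots.
    return (len(s.a_records) >= min_ips
            and len(prefixes(s.a_records)) >= min_prefixes
            and s.min_ttl <= max_ttl)


def classify(stats: dict, name: str) -> str:
    s = stats[name]
    if not looks_fluxed(s):
        return "normal"
    # Double flux: pool the name servers' A records, since each NS host alone
    # may sit under the per-name threshold.
    pooled = NameStats()
    for ns in s.ns_records:
        if ns in stats:
            pooled.a_records |= stats[ns].a_records
            pooled.min_ttl = min(pooled.min_ttl, stats[ns].min_ttl)
    return "double-flux" if looks_fluxed(pooled) else "single-flux"


def report(log: str) -> dict:
    stats = parse_log(log)
    return {name: classify(stats, name) for name in sorted(stats)}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_LOG).items():
        print(f"{name:28} {verdict}")
```

The constructed CDN-like name shows the failure mode that matters: six addresses at a 60-second TTL would trip a naive "many IPs, low TTL" rule, and only the network spread keeps it out of the flux bucket. A triple-flux setup, where the registrar or the domain itself is rotated, is outside what a single resolver log can show.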
    • 21. 2009 Malware Trends
        • Man in the browser / endpoint
        • A Trojan horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries
        • The common objective of this attack is financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use
            • High-dollar commercial online banking (OLB) credentials - compromised
            • Challenge secret questions - compromised
            • IP geo-location - compromised
            • Email out-of-band - compromised
            • Hardware token - compromised
            • Device fingerprinting - compromised
            • Dual approver - compromised
            • SMS out-of-band - compromised
    • 22. 2009 Malware Trends
        • Compromised web pages are frequently the vehicle of choice for mass malware distribution
            • Hence, most servers are compromised in order to compromise clients
            • Those clients may then be used to compromise servers inside the enterprise! (Aurora!)
        • Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScript
        • Sophisticated software development
            • Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client base and are producing highly usable, modular and upgradeable software at a tremendous rate.
            • For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes, including ones designed to target specific PKI schemes.
    • 23. 2009 Malware Trends
        • Greater efficiency and targeting
        • Dasient: 5.5 million web pages on 560,000 websites were infected with malware in Q4 2009.
        • Two years ago, infected web pages would infect users’ computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8
            • A smaller number of malicious programs means that users are less likely to notice an attack.
        • Operators are learning valuable business lessons
            • Operate a 24/7 network of login interceptors for high-value accounts
            • Operators are singling out SMBs that tend to have cash on hand and no real IT
            • An extremely sophisticated and profitable money-mule / laundering infrastructure now exists
    • 24. (image slide, no text)
    • 25. Contemporary ACH / Wire Fraud
        • Automated Clearing House (ACH)
        • 1 - 4 victims / day
        • Average take $100,000 / victim
        • $500K - $1M / week
        • $100M attempted in 2009
        • $40M+ unrecovered
        • More than all US bank robberies combined
        • Losses borne by victims due to ACH rules
        • ALL done by ONE Eastern European crew
    • 26. Recent ACH Fraud Cases
        • XXXX County - $415,000
        • XXXX Corp - $447,000
        • XXXX Energy - $200,000
        • XXXX Construction - $588,000
        • XXXX Industrial - $1,200,000
        • XXXX School District - $117,000
        • XXXX XXXX School - $150,000
        • XXXX University - $189,000
    • 27. (chart slide) Source: myNetWatchman
    • 28. (chart slide) Source: myNetWatchman
    • 29. (chart slide) Source: myNetWatchman
    • 30. Information Disclosure: Lessons from Airplanes and ATMs
    • 31. Information Disclosure
        • Failing to redact documents correctly
        • Not removing document metadata
        • Not sanitizing hard drives and other media
        • Unencrypted data
    • 32. Information Disclosure
        • The TSA published an SOP manual with sensitive information redacted
    • 33. Information Disclosure
        • The TSA added black bars on top of text and images to prevent them from being seen
    • 34. Information Disclosure
        • The NSA specifically states that this will not work in its manual on redacting safely. Google: “Redact Confidence”
    • 35. Information Disclosure
        • [Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF]
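Slides 33 to 35 make the point that drawing a black bar over text in a PDF does not remove the text. The Python below is an added example, not from the presentation or from the NSA guide: it builds a one-page PDF by hand, "redacts" a constructed sample line two ways, and shows that the crudest possible text extractor still recovers the line from the overlay version. The document lines and the secret are made up for the example.

```python
"""Why a black box over text is not redaction: the text is still in the PDF
content stream.  Builds a tiny uncompressed PDF, 'redacts' a constructed
sample line two ways, and extracts whatever text survives."""
import re

SECRET = b"Secondary screening trigger: 1.5 cm"          # constructed
DOCUMENT = [
    b"Standard Operating Procedure (excerpt, constructed sample)",
    SECRET,
    b"Distribution: unrestricted",
]


def pdf_escape(s: bytes) -> bytes:
    """Escape the three characters that are special inside a (...) string."""
    return s.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def pdf_unescape(s: bytes) -> bytes:
    return re.sub(rb"\\([()\\])", rb"\1", s)


def page_content(lines) -> bytes:
    """Content stream: one text object per line, 20 pt apart, 12 pt Helvetica."""
    return b"\n".join(
        b"BT /F1 12 Tf 72 %d Td (%s) Tj ET" % (700 - 20 * i, pdf_escape(text))
        for i, text in enumerate(lines))


def build_pdf(content: bytes) -> bytes:
    """Wrap a content stream in a minimal but well-formed single-page PDF."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return bytes(out)


def overlay_redaction(lines, index: int) -> bytes:
    """The black-bar workflow: keep the text, paint a filled rectangle over it."""
    y = 700 - 20 * index
    black_box = b"0 g 70 %d 300 14 re f" % (y - 3)     # drawn after the text
    return build_pdf(page_content(lines) + b"\n" + black_box)


def true_redaction(lines, index: int) -> bytes:
    """Real redaction: the sensitive text is replaced before the PDF exists."""
    kept = [b"[REDACTED]" if i == index else text for i, text in enumerate(lines)]
    return build_pdf(page_content(kept))


SHOWN_TEXT = re.compile(rb"\((.*?)(?<!\\)\)\s*Tj")


def extract_text(pdf: bytes) -> list:
    """Crudest possible extractor: every literal string drawn with Tj."""
    return [pdf_unescape(m) for m in SHOWN_TEXT.findall(pdf)]


def secret_recoverable(pdf: bytes) -> bool:
    return SECRET in extract_text(pdf)


if __name__ == "__main__":
    print("overlay :", secret_recoverable(overlay_redaction(DOCUMENT, 1)))
    print("removed :", secret_recoverable(true_redaction(DOCUMENT, 1)))
```

The content streams are left uncompressed so a regex can see the strings; production PDFs usually Flate-compress them, which hides the text from grep but not from any PDF text tool or from select-and-copy in a reader. The only reliable path is the one the guide describes: take the text out (and check metadata and embedded objects) before the PDF is produced, then verify by extracting text from the result rather than by looking at it.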
    • 36. Information Disclosure
        • 40% of hard drives purchased from eBay contain personal information
            • 36% financial data
            • 21% emails
            • 11% corporate documents
            • [source: Kessler International]
        • Wipe drives before they leave your control
        • There are several bootable programs that will wipe all media attached to a computer
        • DBAN – Darik’s Boot and Nuke
    • 37. Information Disclosure
        • A security researcher purchased an ATM via Craigslist
        • He found 1,000 debit card numbers stored in the machine
        • Who has access to your data?
        • What are their controls on it?
    • 38. Information Disclosure
        • Imperva notified rockyou.com of a SQL injection flaw on Dec 4th
        • Rockyou.com fixed the problem over the weekend
        • The database stored passwords in plaintext
        • A hacker disclosed that he had copied the entire database before the flaw was fixed
    • 39. Information Disclosure
        • The database contains the usernames and passwords for over 32 million accounts
        • Also included in the database were passwords for partner websites
        • This is a classic example of where defense in depth would have offered superior protection
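Slides 38 and 39 describe two independent failures at RockYou: a SQL injection flaw and plaintext password storage. "Defense in depth" here means fixing both, because a hashed table still gets copied through the injection but yields no passwords, while a parameterized query still protects a plaintext table only until some other hole opens. The Python below is an added example, not RockYou's code: an in-memory sqlite3 login written the vulnerable way beside the hardened version. The users, passwords, payload and iteration count are constructed assumptions.

```python
"""The two RockYou failures side by side: a login that splices user input
into SQL and compares plaintext passwords, and a hardened login using a
parameterized query and salted PBKDF2 hashes.  In-memory sqlite3; the
user rows are constructed sample data."""
import hashlib
import hmac
import os
import sqlite3

SAMPLE_USERS = [("alice", "hunter2"), ("bob", "correct horse battery staple")]
INJECTION = "' OR '1'='1"          # classic tautology payload
ITERATIONS = 100_000               # assumption: tune to ~100 ms on your hardware


# --- as found: string-built SQL and a plaintext password column -------------
def vulnerable_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def vulnerable_login(db, name: str, password: str):
    """Input becomes SQL: "... AND password = '' OR '1'='1'" is always true."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def vulnerable_dump(db) -> list:
    """What the attacker copied: the table as stored, passwords readable."""
    return db.execute("SELECT name, password FROM users").fetchall()


# --- hardened: bound parameters plus salted, iterated hashing ---------------
def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)                    # fresh salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


def hardened_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(n, hash_password(p)) for n, p in SAMPLE_USERS])
    return db


def hardened_login(db, name: str, password: str):
    """The placeholder keeps the payload a literal string; the hash means a
    copied table contains no passwords."""
    row = db.execute("SELECT name, password_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return None
    return row[0] if verify_password(row[1], password) else None


if __name__ == "__main__":
    print("vulnerable, injected :", vulnerable_login(vulnerable_db(), "nobody", INJECTION))
    print("hardened,   injected :", hardened_login(hardened_db(), "nobody", INJECTION))
    print("stored row           :", hardened_db().execute("SELECT * FROM users").fetchone())
```

The partner-site passwords mentioned on slide 39 are the same lesson one step further: a credential held on behalf of another service has to be encrypted with a key the database server does not hold, or the injection hands over that service too. The hardened login still leaks whether a username exists through its timing (it hashes only for known users); running a dummy verification on the miss path closes that if user enumeration matters.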
    • 40. Aurora
    • 41. Background: Titan Rain intrusion set
        • An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that are all related in some way
        • Titan Rain was one such intrusion set
            • Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003
            • Labeled as Chinese in origin
            • Nature and identities of the adversaries unknown
    • 42. Background: Advanced Persistent Threat (APT)
        • Advanced: the adversary has the capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks.
        • Persistent: the adversary has well-defined goals and objectives and is persistent in pursuing them. The adversary will try various avenues of attack, looking for one that will yield the desired outcome.
        • Does not typically refer to things like ZeuS
    • 43. Aurora
        • Publicly disclosed hacking incident inside Google and other major companies
        • Belief within the infosec community that the PRC has been waging a long-term, persistent campaign of “espionage-by-malware”
        • Titan Rain, GhostNet
        • Grown bolder over time
    • 44. Aurora
        • In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-based corporations with the intent of exfiltrating sensitive data for political and financial gain.
        • The Aurora team used a privately-held IE 7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs
            • Social engineering using methods similar to Fake-AV campaigns was also used
        • Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside
    • 45. Aurora
        • “Aurora” is taken directly from strings within some custom software components of the attack
            • Debug symbol file path in custom code
    • 46. Aurora
        • Known samples of the main backdoor trojan used in the attacks are no older than 2009
        • The attack may have been in the works for some time
            • Custom modules in the Aurora codebase carry timestamps as old as May 2006
            • Timeframe just after Titan Rain had blown up and the PRC’s limited arsenal of mostly “COTS” trojans was being increasingly detected by commercial AV
    • 47. Aurora
        • With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now
        • The compiler leaves many clues in a binary
            • The PE resource section may reveal the language code
            • The Aurora author was careful either to compile on an English-language system, or to modify the language code in the binary after the fact
    • 48. Aurora
        • Peculiarities and origins of the CRC algorithm used suggest the author is familiar with simplified Chinese
    • 49. Aurora
        • Partial JavaScript code used to exploit Google (image slide)
            • If only they were using Chrome…
    • 50. New Details Emerge
        • April 19 – The New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia”
            • “Cyberattack on Google Said to Hit Password System”, John Markoff
        • Aurora had access to “Moma”, Google’s internal employee database
        • May have used information from Moma to target the individual developers working on Gaia
        • Source code exfiltrated to Rackspace servers, and then onto ???
    • 51. Other Trends
    • 52. Other Trends
        • Social engineering
            • Phishing / spear phishing
                • E.g., Rogue AV
                • Hybrid attacks
                • Targeted verticals and enterprises
                • Advanced Trojans
        • Social networks (Facebook, Twitter)
            • Trusted relationships
            • Superb ROI platform for URL-based attacks
        • Botnet sophistication and innovation
            • Spread of infection by reputable or legitimate websites
            • Continuously evolving attacks and malware methods
        • Threats come more from organized crime
            • However, the involvement of state actors has finally come to the forefront
    • 53. Other Trends
        • 0-day black market
            • Premium paid for 0-days
            • TippingPoint has heard of governments offering $1 million for a good one
            • Good guys can’t compete at those prices
            • ‘Aurora’ used an IE 0-day that it had developed
        • The weak economy in the US fosters fraudsters’ recruitment of unwitting, desperate money mules
        • The weak economy abroad has left a large number of highly skilled IT experts in desperate situations
        • Global cooperation in these cases is still in its infancy
    • 54. Other Trends
        • Clients vs. Servers
            • For the moment, the pendulum has swung away from servers
            • Servers are now more likely to be compromised as a means to compromise a large number of clients
            • While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside
            • The weakest-link rule is true now more than ever
    • 55. The new .CN
    • 56. The new .CN
        • In December 2009, CNNIC published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names
        • The new restrictions consisted of:
            • Webmasters must submit a paper application and show ID when registering a domain name
            • Business license if applicable
            • The information has to be submitted within 5 days or the registrant risks losing the domain
        • We continued to monitor domains hosting malicious executables and have noticed an interesting trend
        • Domains registered under the .CN ccTLD have slightly declined, while domains registered under the .IN ccTLD have started to increase, right around the timeframe of the CNNIC announcement
    • 57. The new .CN (chart slide)
    • 58. The new .CN
        • .RU domains have also seen an increase since the .CN registration requirements were announced.
        • RU-CENTER has stated that it will implement rules similar to CNNIC’s starting April 1st
    • 59. The new .CN (chart slide)
    • 60. Mariposa / ButterflyBot
    • 61. Mariposa / ButterflyBot
        • Publicly sold botnet kit called “BFBOT”
            • Distributed as a binary “builder” kit; full source code is not available
            • The author has since “retired”, but perhaps not
        • Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot
        • Uses a console-based master control program
            • Not likely to catch on with script kiddies due to the complexity of setup/use and lack of new development
    • 62. Mariposa / ButterflyBot
        • Named after a domain that it was contacting
            • butterfly [dot] sinip [dot] es
        • Initially discovered early 2009
        • Sold on bfsecurity.net
            • “Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)”
            • The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”
    • 63. Commercial Market for ButterflyBot (image slide) Source: Panda Security
    • 64. ButterflyBot Capabilities
        • Information theft
            • Steal data from Internet Explorer (protected storage and Autocomplete (IE 7+) password stealing)
            • Mozilla Firefox (stored password stealing)
        • Downloader
            • Download files via HTTP and execute them on the infected computer
        • DDoS
            • TCP SYN or UDP packet flooding
        • Propagation
            • MSN Instant Messenger
            • USB autorun
            • Copying itself to well-known P2P application download directories
        • VNC server scan
            • Scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.
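The "VNC server scan" capability on slide 64 looks for servers that will accept the RFB security type None. The Python below is an added example, not ButterflyBot code and not a reimplementation of it: it runs the RFB 3.3 and 3.7/3.8 security handshakes (RFC 6143 for 3.8) just far enough to read the security types a server offers, against any socket-like object, so a defender can find such servers on their own network. The ScriptedServer class replays constructed server bytes so the block runs offline; the same functions work unchanged on a real socket.

```python
"""Does a VNC server offer unauthenticated access?  Implements the RFB
3.3 and 3.7/3.8 security handshakes (RFC 6143 for 3.8) up to the point
where the server reveals its security types.  ScriptedServer stands in
for a socket with constructed server bytes; a real socket works the same."""
import re
import struct

SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def read_exact(sock, n: int) -> bytes:
    """recv() until n bytes arrive; a short read means the server bailed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-handshake")
        buf += chunk
    return buf


def parse_version(banner: bytes) -> tuple:
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if not m:
        raise ValueError(f"not an RFB server banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def offered_security_types(sock) -> list:
    """Client side of the handshake: read the banner, answer with a version,
    and return the security types on offer (a 3.3 server dictates one)."""
    major, minor = parse_version(read_exact(sock, 12))
    if (major, minor) < (3, 7):
        sock.sendall(b"RFB 003.003\n")
        (sec_type,) = struct.unpack(">I", read_exact(sock, 4))
        return [sec_type]
    # 3.7+: reply with the highest version we speak, then read the list.
    sock.sendall(b"RFB 003.008\n" if minor >= 8 else b"RFB 003.007\n")
    count = read_exact(sock, 1)[0]
    if count == 0:                          # refused; a reason string follows
        (reason_len,) = struct.unpack(">I", read_exact(sock, 4))
        raise ConnectionError(read_exact(sock, reason_len).decode(errors="replace"))
    return list(read_exact(sock, count))


def allows_unauthenticated(sock) -> bool:
    """True when the server offers security type 1 (None)."""
    return 1 in offered_security_types(sock)


class ScriptedServer:
    """Socket stand-in: replays canned server bytes and records what we sent."""
    def __init__(self, *messages: bytes):
        self._pending = bytearray(b"".join(messages))
        self.received = b""

    def recv(self, n: int) -> bytes:
        chunk = bytes(self._pending[:n])
        del self._pending[:n]
        return chunk

    def sendall(self, data: bytes) -> None:
        self.received += data


if __name__ == "__main__":
    # Constructed servers: one offers None and VNC Auth, one only VNC Auth.
    servers = {"open": ScriptedServer(b"RFB 003.008\n", b"\x02\x01\x02"),
               "locked": ScriptedServer(b"RFB 003.008\n", b"\x01\x02")}
    for label, srv in servers.items():
        types = offered_security_types(srv)
        print(label, [SECURITY_TYPES.get(t, t) for t in types])
    # Live host: offered_security_types(socket.create_connection((host, 5900)))
```

Type 1 in the list is the defensive signal: the server will hand its framebuffer to anyone who connects. The probe only reports what the server offers and stops at the security-type message; it does not exercise the separate bug class where a server accepts a type it never offered (the RealVNC 4.1.1 authentication bypass, CVE-2006-2369), which is what "AUTHBYPASS" on the slide refers to.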
    • 65. ButterflyBot Console (image slide) Source: Symantec
    • 66. ButterflyBot Master Client (image slide) Source: Panda Security
    • 67. ButterflyBot Configuration Tool (image slide) Source: Panda Security
    • 68. Mariposa Takedown
        • Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries
        • Botmasters made money by allowing other cybercrooks to utilize parts of the botnet
            • This led to a variety of malware being installed
                • Advanced keyloggers
                • Various banking trojans
                • RATs (Remote Access Trojans)
                • Fake AV
    • 69. Mariposa Takedown
        • Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested
            • “netkairo” of Balmaseda, age 31
            • “jonyloleante” of Molina de Segura, age 30
            • “ostiator” of Santiago de Compostela, age 25
        • Action taken on domains December 23, 2009 at 17:00 Spanish time
            • US FBI and Spanish Civil Guard
            • Believed that the suspects would be less able to react due to the Christmas holiday and time with family
        • Suspects were initially unknown; they used VPNs from the Swedish provider Relakks
        • During the counter-attack, “netkairo” made a fatal mistake
            • Did not use the VPN, revealing an IP address in Spain
            • IP provided to the Civil Guard
    • 70. Mariposa Takedown
        • “netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain
        • Digital forensics of the seized computers led to 2 further arrests in Spain
        • Cases in front of Judge Garzón of the National Court
    • 71. Conclusion
    • 72. Conclusion
        • Defenders remain at a significant disadvantage
        • Must attack both sides of the risk vs. reward equation
        • Closer cooperation is needed between the security community and law enforcement
        • Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem
            • Attractive ROI of social engineering
    • 73. Q & A
    • 74. Special Thanks
        • Chema Alonso & Informática64
        • Maite Villalba and the Universidad Europea de Madrid
        • You, my audience!
