Kurt baumgartner lan_deskse2012
Published on: LANDesk SE Conference March 2012
Published in: Technology
  • Slide #6 (duration: 1.5 min). On this slide you can see common IT security policy mistakes. The biggest mistake is to ignore network share access rights. There might be an open share on an internal file server or on an end user's desktop. (Question to the audience): Has anybody here ever shared a file directory from your work computer (desktop or laptop), e.g. to transfer files to a co-worker's computer? (Next question): Did you open it to unlimited users or just to a dedicated person? Did you disable it later, or just forget? Sooner or later this can be a great source of malware redistribution in your organization. Look at the slide now: this mistake is responsible for about 35% of incidents! There was an interesting case in one of the school districts in the USA. The customer has several thousand end users connected to the CSD network. Most of them are student computers, beginning from 3rd grade. The network included a few file share servers with unlimited access for everyone. So everyone got infected after malware infected this network resource. The students could not do their class work, tests and lab work at school for at least a few weeks. Now about missing security patches. Modern malware takes advantage of existing vulnerabilities. A network with even a single missing patch can face a serious risk. This is a common issue that we see mostly in small organizations, where the number of end users is less than 500. They either do not have enough expertise or ignore patching completely. A partially protected environment means that the antimalware solution is installed on part of the network, leaving other resources unprotected. We have had some incidents related to firmware vulnerabilities. There was a software vulnerability in a DSL router device. The impact of it was huge: a possible lawsuit. And the last mistake is to believe that tools and software downloaded from the Web are always good software.
  • Slide #4 (duration: 1 min). On this slide you can see the top 7 malware families that are responsible for particular incidents. Although these threats are not widely known, they are a high danger to corporate IT. Let's take a quick look at the malware responsible for the majority of the incidents. The most prevalent malware is Backdoor:Qbot. We received the first incident in March 2010. This malware is still active; we have a few cases received in May 2011. Virus:Sality is the second top malware in our list. This is a file infector that constantly employs new attack methods. More about these 2 threats on other slides. Rootkit:TDSS has been known for a long time. The big thing about this threat is that it encrypts the file system of infected users. There is a repair module in KL products. We also developed a special stand-alone tool that kills it and repairs the encrypted file system. Other malware families represented on this slide are dangerous too, but I will skip the technical details and move on to other interesting data.
  • Slide #5 (duration: 2 min). Now I would like to show this typical network configuration schema and demonstrate network configuration mistakes in action. There is an attacker on the left. His goal is to install malware on one of the internal computers and possibly get access to a valuable corporate resource. This can be the CTO/CFO office, the financial department, etc. The network includes an email server, end users, a file server and some publicly facing web resources. The network is monitored by a Security Administrator. The attacker may try 3 paths: (1) Knowing that there is an HR team that typically receives people's resumes, the attacker crafts a special "resume" with an exploit inside. Later, he attaches it to an email and sends it to the HR person. The HR person opens the attachment even if it is an executable file or a Java application. Malware can then propagate in the internal network via open file shares or USB devices. (2) Probe the publicly facing web resource for known vulnerabilities. If the attack succeeds, the attacker typically will look for other network components, most likely a file server with unrestricted access, to store and redistribute malware. (3) Find a misconfigured network resource, like file printers. It can also be utilized to steal sensitive corporate data. Modern printers keep documents in their operational memory for a long time. It can be used by a remote attacker. All of these attacks can be run automatically against a broad number of network users. The remote attacker hopes that he gains access to at least some of them. (Animation on): Here are the security issues. The HR team was not aware of how malware utilizes email attachments. A USB policy was not established in the sensitive network area. End users can copy infected files from the file share. The file share allows write/execute and allows storing executable files. The printer should not be available outside of the corporate network. The publicly facing web resource should have patches installed. If it has home grown software, it should be written with respect to the Security Development Lifecycle (SDL).
  • Slide #8 (duration: 10 sec). This was general information. Now, a few practical examples. The first is the Zbot outbreak: root cause, risk to the business, suggestions.
  • Slide #8 (duration: 10 sec). This was general information. Now, a few practical examples. The first is the Qbot outbreak: root cause, risk to the business, suggestions.
  • Slide #9 (duration: 3 min). Qbot is a powerful password stealer. The first case was received in March 2010. It is still active in the US and Latin America (mostly Brazil). The last case was in April 2011. Story for the public: the analogy with the wall clock. The clock can be installed in any office (CTO, CFO, etc.) and be a source of private information. (Question to the audience): Do you have anything like this in your office? Do you see anything suspicious about this clock? There is nothing interesting about this clock besides the fact that it has a spy camera inside. There are other office devices present on this website. All of them have a spy camera. It can monitor and transfer video and discover the location of secrets, safe keys, location of back checks, office conversations, etc. Qbot performs a similar operation. It monitors user activity and records online banking credentials. There is a predefined list of US and Brazilian banks. Once the passwords are stolen, the remote attacker can access the funds. The remote attacker can sell access credentials on the black market. The malware steals access credentials to MS Outlook. These can be used to review company email history and identify the next targets (CTO, CFO offices). It steals MSN Messenger account information. This can be used as an additional malware propagation vector. The remote attacker can send infected files to internal recipients as if they were sent by internal colleagues. Once the attachment is executed, it infects the system and begins executing a malicious payload. It can be a backdoor or another password stealer. All of this information can be sold as well (financial and reputation damage). Here is an example of how it appears on the Web (the picture with "Record Index: 1"). Other secret information is security certificates. They are typically used for user authentication, remote connection and access to mission critical resources. Qbot can redirect users to malicious URLs. This malware will forward the user to fake AV when the user types some web address in the browser.
  • Slide #10 (duration: 3 min). Now, how this case can be recognized. There are 2 sides: end user and security admin. End users can see frequent "File not found" errors after attempting to open an infected file. Usually they see this error when opening or copying a file from a remote location. The "File not found" error means that the infected file was blocked by the antivirus; the system cannot copy it. The end user can also see "Network resource not found". This means that the remote network resource has too many infected files. Constant AV detections may consume too much processing resource; that is why the end user cannot connect to it. Another visible symptom is URL redirection. (Question to the audience): Have you ever been in a situation where you wanted to go to an airline ticket booking website, but landed on a strange website with weird content? What would you do? Repeat the attempt, call the HelpDesk, explore this URL? From our experience, there is a significant volume of complaints to the security admin every time the organization is infected with Qbot. (Well, some end users even continue browsing this weird website! They might be attracted by its content. This is a lack of awareness. They need to know what to do in this case. Education is important.) Admin side: During daily activity, the Security Admin examines the antimalware management console. This console presents information about security alerts and detection events received from end-user systems. In case of a Qbot infection, the Security Administrator can see lots (e.g. thousands in this example) of disinfection events. The end-user systems are infected again after successful cleaning. Finally, over 4,000 objects were infected in the network. There was a case when Qbot infected about 17,000 end-user systems. The company changed all email and MSN Messenger passwords and replaced all security certificates.
  • Slide #11 (duration: 1 min). Verify the patch update policy and set a daily/weekly schedule. Review access rights for open shares and disable excessive rights. Review access to public resources and reduce it. Disable unnecessary (random) file shares on workstations. Disable "execute" access and the Autorun feature on file share resources. Disable wide write access on critical servers; split all users into smaller groups and assign the necessary access to each of them. Disable USB devices in critical environments. Locate and isolate infected workstations. Configure your AV product; configure USB scanning. Do not install multiple AV vendor products; better get the best one. Educate end users: do not open attachments without scanning. Post-infection analysis.
  • More tricky…
  • Transcript

    • 1. Indicators of "You're fsck'ed" 2012 – A Discussion of Attacks on Sometimes Poorly Managed Desktops. Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team, kurt.baumgartner@kaspersky.com
    • 2. You're Fsck'ed 2011 AND 2012? A Discussion • Two Goals: 1. Provide context and conversation around malware issues that challenged our corp customers and others. 2. Provide some level of expectations into what we'll be discussing in 2012 regarding managed corp assets. (3?) Walk away with some idea of what you may find more interesting on Securelist and what helps you.
    • 3. You're Fsck'ed? Enabling the Most Effective Attack Activity 2011 • Improper Resource Configuration • Unnecessary share access and unlimited access control • Vulnerable firmware (outdated, improperly configured) • Missing Software Patches and Security Updates • Microsoft (Windows, IE, Office) and third party software – Java, Adobe (Reader+Flash), etc • Exploit packs/commodity attacks • Spearphishing • Partially Protected Environments • Missing security suites in franchises, branch, remote offices • Mix of products, sometimes improperly installed on top of each other • No Incident Response Plan, no Public Response Plan!
    • 4. Design Mistakes 2011 – Enabling the most effective malware attacks. [Pie chart of incidents by design mistake: Network shares configuration (35%), Missing security patches, Multiple AV products, Partially protected environment, Firmware vulnerability, Freeware; the remaining slices are labelled 25%, 15%, 15%, 5%, 5%.] Source: Kaspersky Lab GERT – Global Emergency Response Team, Alexey Polyakov
    • 5. Top 2011 Malware Families – Corporate incident notables • Trojan-Spy.Win32.Zbot – US • Trojan-Spy.Win32.Qbot – US • Targeted attacks (social engineering, exploits (0day or not), spyware, RATs/backdoors, PtHash, archivers (rar), ftp, etc) – US, EU, AUS
    • 6. Other Stats 2011 – Breach Statistics – Mileage will Vary. Verizon/US Secret Service/Dutch High Tech Crime Unit Annual Report • 92% of data breaches are directly attributed to external agents • Overall numbers saw a HUGE increase in smaller external attacks, instead of any decrease in insider activity • Cloud attacks? Yes, but no difference from non-cloud – no VM Hyper-V attacks • Partner-caused breaches continued their steady decline → what do I see? Not completely accurate, but many "partners" or third parties are private. What law firms that you use are public? What are their reporting requirements?
    • 7. What Could Possibly Go Wrong? Why did attacks succeed? Let's analyze configuration mistakes. [Network diagram of end-user, email server, web server, file server and Security Admin, with the mistakes annotated: USB enabled, not scanned, autostart enabled; someone's resume just viewed; unrestricted Internet access to public resource; missing security patches; open shares, unrestricted access to everyone, write/execute; different AV or none; wrong access.] Source: Kaspersky Lab GERT – Global Emergency Response Team, Alexey Polyakov
    • 8. 2012 Malware Families? Magic Answer Ball says Yes • Decline of FakeAv (short term?) but exploit packs, "crackgen sites", compromised hosts are all active with variety of payloads • Various stealers and their markets are thriving (so much so that PII, dumps, plastics market prices dipped in 2011) • Persistent targeted attacks are persistently persisting • Android and "consumerization" is not fluff either. YES
    • 9. Blackhole Exploit Pack attacks in the US – Gravitating towards an infiltrated state
    • 10. Blackhole Exploit Pack 2011 – Variety of exploits and payloads, actively developed and distributed • Single most popular exploit pack of 2011, especially targeting US users • Very recognizable URLs, javascript obfuscation, exploits, admin interface, and payloads • Delivers FakeAv, Zaccess (click fraud and more), Zbot, SpyEye, ransomware, etc • Quick note: delivers mostly exploits targeting non-0day vulnerabilities • 0day vs non • Vulnerability vs exploit
    • 11. Blackhole Exploit Pack 2011 – Variety of exploits, actively developed • Active development, additions for Java, Flash, Reader, HCP exploitation • "Common Vulnerabilities and Exposures" (CVE): a dictionary of publicly known information security vulnerabilities and exposures • Exploit.Java.CVE-2011-3554 http://evil.com/content/v1.jar • Java has become de facto exploit delivered first to all platforms • Secure development lifecycle? • Microsoft – mature monthly + OOB update + workaround + advance notification releases across all platforms and lines • Adobe – attempts to mirror Microsoft cycle, maturing • Oracle Sun Java – ugly quarterly release cycle (CPU), rare OOB
    • 12. Exploit Packs into 2012? Magic Answer Ball says Yes • Maturing market for 0day and packs – Bleeding Life, Phoenix, Eleonore, Blackhole, Bomba, Nice Pack, etc • ROP technique, EMET evasion development • Classic and custom shellcode releases • International law diffs and forums continue to provide necessary space and communications. Bitcoin? Nah ah. Webmoney, Liberty Reserve, etc. YES
    • 13. ZeroAccess/Max++/Click2 attacks in the US – Untouchable files
    • 14. ZeroAccess/Max++/Click2 Attacks – Multi-component malware • Increasingly distributed family • Multiple rootkit components at sensitive low level insertions, system driver infection, dynamic kernel module loading, encrypted "file system" storage within system – no viral or worming components • Unusual P2P traffic in more recent variants • Exploit pack delivery, P2P network serialz/crackz delivery. Also *very* popular, phony codecs and raunchy spoofed video titles • Detection tools like gmer make for quick id of the problem (although "Technical Details" pages on some AV vendors are outdated) • Mostly all "bundles" include click fraud component, claims of additional stealers being downloaded that I haven't seen
    • 15. ZeroAccess/Max++/Click2 Attacks into 2012? Magic Answer Ball says Yes • Competing with TDL • Active and professional kernel level development makes for cat/mouse vendor challenge • User mode click fraud components and backend infrastructure • Distribution of spyware on the horizon? YES
    • 16. Trojan-Spy.Win32.Zbot outbreaks in the US – Combination of malicious delivery, spyware, various targeted scripts
    • 17. Zbot – Two Factor Auth, etc Defeated – Updated spyware • Spammed email containing typical IRS, DHL, UPS, etc, theme and attachment • User clicks on link or opens attachment • Drops exe to disk, executes • Zbot hooks necessary in-process (mostly web browser) functions, steals data from encrypted banking sessions • Multiple scripts downloaded, targeting specific banks, covers tracks • Money wired to overseas banks in select regions – non-reversible • Some reasons? AV was not updated, portions of it disabled
    • 18. Corporate Spyware in 2012? Magic Answer Ball Says… Absolutely • Not just Zeus: Spyeye, Carberp, Ramnit, Qbot variants, ZeroAccess payloads? • Similar or same delivery schemes will be effective into 2012 • Spoofing spams – IRS, DHL, Facebook • Crack and keygen sites + redirects to compromised legitimate sites • Become familiar with hooking techniques, injected code per family. ABSOLUTELY
    • 19. Trojan-Spy.Win32.Qbot outbreaks in the US – Combination of malicious delivery, autorun spreader, password stealer attack
    • 20. Qbot – Quick Facts – Geo distribution, risk and possible damage. [Map: US, Brazil.] Estimates: 50K+ organizations. Source: Kaspersky Lab GERT – Global Emergency Response Team, Alexey Polyakov
    • 21. Qbot – Offensive Behaviors – Enabling effective attacks – does your environment? • Unpatched software (how did it enter? Complete lack of network logs doesn't aid investigation). Variety of delivery vectors: Blackhole Exploit Pack – Java, Adobe Reader, HCP, AND NOW FLASH etc; Custom EP – Quicktime exploits, older IE exploits; Infected USB • Network Misconfiguration – Autorun spreader: Disable autorun functionality: http://support.microsoft.com/kb/967715; No "Create" user rights to the root of a mapped network drive; Registry – disable and prevent access to USB storage • Inject into sensitive communications processes – Hook APIs to defeat encryption and session protections
    • 22. Qbot – Offensive Behaviors – Enabling effective attacks – their environment did • All users had "Create" rights to the root of mapped network drives – autorun.inf and infectors recreated • Every computer had C: drive set to full control for "Everyone", no passwords needed • Qbot, autorun, exe components, propagates via file shares • Suggested to break the network and organize into segments – it was 1 big segment for all machines • Series of file servers were DDoSd by infected hosts reconnecting to copy sets of autorun.inf/infectors to shares following AV cleanup on the servers
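Slides 21 and 22 (and the Slide #11 speaker notes) name the three conditions that let Qbot's autorun spreader keep re-seeding shares: Autorun still enabled, USB storage allowed, and broad write/"Create" rights at the root of shared folders. The PowerShell audit below is an added example, not code from the presentation or from Kaspersky. It assumes an elevated session on Windows 8 / Server 2012 or later (for the SmbShare cmdlets), the NoDriveTypeAutoRun policy value documented in KB967715, and the USBSTOR service Start value; the list of "broad" principals is my own choice. Run it on a file server or workstation and it reports which of the three conditions still hold.

```powershell
# Added example (not from the presentation or from Kaspersky): audit one Windows
# host for the conditions that let Qbot's autorun spreader re-seed shares.
# Assumptions: elevated session; Windows 8 / Server 2012+ for the SmbShare cmdlets;
# registry values as documented in KB967715 (NoDriveTypeAutoRun) and for the
# USBSTOR service (Start = 4 means the driver is disabled).

function Test-AutorunDisabled {
    # KB967715: NoDriveTypeAutoRun = 0xFF turns Autorun off for every drive type.
    # Both policy locations are checked because either one is honoured.
    # (On XP/2003 the KB additionally requires HonorAutorunSetting = 1 after the update.)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -eq 0xFF) { return $true }
    }
    return $false
}

function Test-UsbStorageDisabled {
    # Start = 4 (SERVICE_DISABLED) keeps the USB mass-storage driver from loading,
    # which is the "registry - disable and prevent access to USB storage" item on slide 21.
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue).Start
    return ($start -eq 4)
}

# Principals that mean "everyone in the company" for the purpose of this audit (assumption).
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Get-WeakShareAccess {
    # Share-level permissions: Full or Change for a broad principal is the
    # "open shares, unrestricted access to everyone, write/execute" mistake.
    # Special (administrative) shares such as C$ and IPC$ are skipped.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Full', 'Change') -and
            $BroadPrincipals -contains $_.AccountName
        } | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path
                               Account = $_.AccountName; Right = $_.AccessRight }
        }
    }
}

function Get-BroadRootCreateRights {
    # NTFS ACL at each shared folder root: slide 22's "Create rights to the root of
    # mapped network drives" is what let autorun.inf and the infector be re-dropped
    # after every cleanup. Any create/write bit granted to a broad principal is reported.
    $createMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'
    Get-SmbShare | Where-Object { -not $_.Special -and $_.Path } | ForEach-Object {
        $share = $_
        (Get-Acl -Path $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $createMask) -ne 0)
        } | ForEach-Object {
            [pscustomobject]@{ Path = $share.Path; Account = $_.IdentityReference.Value
                               Rights = $_.FileSystemRights }
        }
    }
}

# Summary: $false on either of the first two means the host can still be seeded
# from a USB stick or a share; anything in the two lists is a share or folder to
# tighten (Revoke-SmbShareAccess / Remove-SmbShare / icacls).
[pscustomobject]@{
    AutorunDisabled    = Test-AutorunDisabled
    UsbStorageDisabled = Test-UsbStorageDisabled
    WeakShareAccess    = @(Get-WeakShareAccess)
    BroadRootCreate    = @(Get-BroadRootCreateRights)
} | Format-List
```

The share check and the NTFS check are deliberately separate: a share granted "Read" to Everyone can still be written to through a different share or a local logon if the folder's NTFS ACL grants CreateFiles, and slide 22's environment was exactly that (C: full control for "Everyone" plus Create rights at the mapped-drive root).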
    • 23. Qbot – Recognition and Mitigation – Some recommendations and suggestions. What end users see | What Security Admin sees. [Bar chart: Disinfection attempts, y-axis 0–600.]
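The admin-side indicator described in the Slide #10 notes and on slides 22 and 23 is a console full of disinfection events that repeat on the same hosts and objects, and file servers hammered by hosts reconnecting to re-copy autorun.inf after every cleanup. The PowerShell below is an added example, not the presentation's or any vendor's code. It runs on a constructed CSV export whose column names (Time, Host, Event, Object) are an assumption rather than a real console schema, and flags (a) host/object pairs disinfected repeatedly inside a short window and (b) UNC share roots that several hosts are repeatedly cleaning.

```powershell
# Added example (not from the presentation or any vendor's console): flag the
# Qbot re-infection pattern in an antimalware console export. The CSV below is
# constructed sample data; its column names (Time, Host, Event, Object) are an
# assumption, not a real product schema. Map your own export onto them.

$sampleCsv = @'
Time,Host,Event,Object
2011-04-12 08:01:10,WS-HR-01,Disinfected,\\FS01\public\autorun.inf
2011-04-12 08:01:11,WS-HR-01,Disinfected,\\FS01\public\setup.exe
2011-04-12 08:04:30,WS-HR-01,Disinfected,\\FS01\public\autorun.inf
2011-04-12 08:07:55,WS-HR-01,Disinfected,\\FS01\public\autorun.inf
2011-04-12 08:09:02,WS-FIN-07,Disinfected,\\FS01\public\autorun.inf
2011-04-12 08:12:40,WS-FIN-07,Disinfected,\\FS01\public\autorun.inf
2011-04-12 08:15:00,WS-FIN-07,Disinfected,\\FS01\public\autorun.inf
2011-04-12 09:30:00,WS-DEV-03,Disinfected,C:\Users\dev\Downloads\invoice.exe
2011-04-13 10:00:00,WS-DEV-03,Update,definitions
'@

function Import-ConsoleEvents {
    param([Parameter(Mandatory)][string] $Csv)
    $Csv | ConvertFrom-Csv | ForEach-Object {
        # Promote the timestamp string to [datetime] so time windows can be computed.
        $_.Time = [datetime]::ParseExact($_.Time, 'yyyy-MM-dd HH:mm:ss', $null)
        $_
    }
}

function Find-ReinfectionCycles {
    # Same host + same object disinfected $Threshold times within $WindowMinutes:
    # the cleanup is not sticking, i.e. the object is being re-dropped (slide 22).
    param(
        [Parameter(Mandatory)] $Events,
        [int] $Threshold = 3,
        [int] $WindowMinutes = 30
    )
    $Events | Where-Object { $_.Event -eq 'Disinfected' } |
        Group-Object Host, Object | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            $span = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
            if ($sorted.Count -ge $Threshold -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    Host = $sorted[0].Host; Object = $sorted[0].Object
                    Count = $sorted.Count; Minutes = [math]::Round($span, 1)
                }
            }
        }
}

function Find-HammeredShares {
    # Distinct hosts repeatedly cleaning objects under the same UNC share root:
    # the "file servers DDoSd by infected hosts reconnecting" symptom on slide 22.
    param([Parameter(Mandatory)] $Events, [int] $MinHosts = 2)
    $Events | Where-Object { $_.Event -eq 'Disinfected' -and $_.Object -like '\\*' } |
        ForEach-Object {
            $parts = $_.Object.TrimStart('\').Split('\')
            [pscustomobject]@{ Share = '\\' + $parts[0] + '\' + $parts[1]; Host = $_.Host }
        } |
        Group-Object Share | ForEach-Object {
            $hosts = @($_.Group.Host | Sort-Object -Unique)
            if ($hosts.Count -ge $MinHosts) {
                [pscustomobject]@{ Share = $_.Name; Hosts = ($hosts -join ','); Events = $_.Count }
            }
        }
}

$events = Import-ConsoleEvents -Csv $sampleCsv
Find-ReinfectionCycles -Events $events | Format-Table -AutoSize
Find-HammeredShares   -Events $events | Format-Table -AutoSize
```

On the sample data the single invoice.exe cleanup on WS-DEV-03 is not reported, while the workstations that keep cleaning autorun.inf from the same share are, together with the share itself. The threshold and window are tunable; the point is that a disinfection count by itself is noise, and a cleanup that recurs for the same host and object is the signal the Slide #10 notes describe.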
    • 24. Qbot – Mitigation Steps – Simple rules to improve network protection • Patch Management: Daily/weekly schedule; Microsoft, Adobe, Java, Oracle • Open shares: Isolate infected systems; Remove write/exec/autorun access • Education: Educate finance, business teams; Establish good practices
    • 25. Qbot in 2012? Magic Answer Ball Says… Doubtful but possible • Instead of Qbot? Ramnit, other multi-component bots • Similar or same delivery schemes will be effective into 2012 – exploit packs as initial vector of delivery, unpatched software at fault. DOUBTFUL
    • 26. Targeted Attacks – Social Engineering – Time and People Flush – Just Enough Technology to Get the Job Done – Array of Exfiltration Tools and Techniques
    • 27. Targeted Attacks – The RSA Security Hack – Overview – how did this happen?
    • 28. Targeted Attacks – Social Engineering Techniques – NATO wants you! Is this even an attack?
    • 29. Targeted Attacks – Harpooning a Whale – Customization to better hit target – Spearphishing with better chum. $91 million message (Q1 profit margin difference estimate + Q2 earnings call)
    • 30. Targeted Attacks – Harpooning a Whale – Poison Ivy was a Kid's Hobby • Poison Ivy RAT is sprouting up in the media… • ChaseNET "underground scene" forum pedigree (founded by previous EES member – Th3ChaS3r) • Brought previous EES members like ksv, Bifrost RAT developer • EES founder and OptixPro dev "th3 s13az3" • ShapeLeSS joins ChaseNET in late October 2005, codes Poison Ivy. Codius later assumes the project, continues to distribute it • SDK allows for new plugins and development, max size 7kb • Swedish (not Chinese) developers
    • 31. Targeted Attacks – Harpooning a Whale – Poison Ivy was a Kid's Hobby
    • 32. Targeted Attacks – Harpooning a Whale – Data exfil • Post-exploitation, Poison Ivy and other tools to establish foothold • Download other tools to impersonate users, elevate privileges, collect data from network • Encode, archive collected data • Check in with series of C2 for activity commands – Facebook, Google Code, Image Files (jpg, gif, etc) • FTP PUT / HTTP POST encoded/crypted data over proxied connections to drop servers controlled via RDP and VNC
    • 33. TA in 2012? Magic Eight Ball Says… Absolutely • 0day or known exploits – just enough to get the job done? • Similar tactics over email and possibly IM • Understand "Indicators of Compromise" and what that really means • Ensure that outbound data can be collected for later analysis. ABSOLUTELY
    • 34. Android and Consumerization – The corporate network just walked out the door
    • 35. Android malware in 2012? Magic Eight Ball Says… Yes • With the disappearance of IE6 and Windows XP SP2, the low hanging Windows workstation fruit just became a bit more out of reach • More data copied or moved to more phones than ever before • Where will the low hanging fruit remain for corp mobile users? • Exploitation with different purposes than "rooting" begins in 2012 • Most likely Android, some for iPhone • Data exfiltration from the platform begins in 2012. YES
    • 36. Thank You – Questions about content, and suggestions for Securelist? Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team, kurt.baumgartner@kaspersky.com