1. From Creeper to Stuxnet
Shahar Geiger Maor, VP & Senior Analyst
Tell me and I’ll forget
Show me and I may remember
Involve me and I’ll understand
2. A Story With A Beginning And No End
Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
3. The Beginning – Basic Terminology
Phreaking, Cracking and Hacking…
4. I’m A Creep(er)!
The very first viruses: Creeper and Wabbit
1971
5. Captain Zap
first person ever arrested for a computer crime
1981
6. Machine Of The Year
1982
7. War Games
1983
8. Introducing: MOD & LOD
1987
9. When Ideology meets Ego
1991
10. Professional conferences
1993
11. Celebrity
1995
12. The Rise of Malwares
The Concept Virus
1995
13. The Rise of Malwares
The Melissa and Nimda Viruses
http://scforum.info/index.php?topic=2528.msg4935;topicseen
1999
14. The Rise of Malwares
The ILOVEYOU Worm
2000
15. The Rise of Malwares
Conficker
2008
16. The Increasingly Difficult Security Challenge
AV Signatures: 100s of millions of viruses. Signature-based scanning won’t keep up…
[Chart: number of AV signatures, Jan-00 to Dec-09; y-axis 0 to 16,000,000]
Source: Symantec
17. No Existing Protection Addresses the “Long Tail”
Today, both good and bad software obey a long-tail distribution.
[Chart: prevalence of Bad Files (left) and Good Files (right); the low-prevalence long tail lies between them]
Blacklisting works well for high-prevalence bad files. Whitelisting works well for high-prevalence good files. Unfortunately neither technique works well for the tens of millions of files with low prevalence (but this is precisely where the majority of today’s malware falls). For this long tail a new technique is needed.
Source: Symantec
18. Growing Amount of Malware – Lower Rate of Detection
Time To Detect for two samples, src: AV-Test.org
Sample A: Submission-ID 2009-12-10_22-01_0002
Sample B: Submission-ID 2010-01-15_22-14_0001

AV Engine      Time To Detect (Sample A)   Time To Detect (Sample B)
Authentium     Zero-hour                   No detection
Avast          24.28 hrs.                  2.10 hrs.
AVG            10.18 hrs.                  3.52 hrs.
CA-AV          No detection                Zero-hour
ClamAV         40.82 hrs.                  No detection
Dr.Web         3.68 hrs.                   13.17 hrs.
Eset Nod32     2.35 hrs.                   Zero-hour
F-Secure       Zero-hour                   20.03 hrs.
Ikarus         2.55 hrs.                   1.90 hrs.
ISS VPS        No detection                No detection
Kaspersky      6.70 hrs.                   14.52 hrs.
McAfee         28.83 hrs.                  No detection
Microsoft      11.62 hrs.                  No detection
Norman         Zero-hour                   No detection
Panda          76.48 hrs.                  No detection
Rising         71.27 hrs.                  No detection
Spybot S&D     No detection                No detection
Sunbelt        No detection                Zero-hour
VirusBuster    4.05 hrs.                   Zero-hour
19. Secured Mediation Kiosks
Source: OPSWAT, STKI’s modifications
20. Nor(malware) distribution
Choose any AV software… What about the long tail?
21. Nor(malware) distribution
Choose many AV software… The long tail problem remains
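The long-tail argument of slides 17, 20 and 21, as an added example that is not part of the original deck: constructed endpoint telemetry, a toy blacklist and whitelist, and a prevalence-based triage that routes the unlisted, low-prevalence files (the long tail) to a separate technique such as behavioural or sandbox analysis. All hashes, endpoint ids and the LONG_TAIL_MAX threshold are constructed assumptions, not real indicators.

```python
# Added example: why blacklist + whitelist leave the "long tail" uncovered.
# Endpoint sightings, hashes and both lists are constructed sample data.
from collections import Counter

# Constructed telemetry: (endpoint_id, file_hash) sightings across a fleet.
# A few files are seen on many endpoints; most files are seen on one.
SIGHTINGS = (
    [("ep%02d" % i, "h_os_kernel") for i in range(40)]
    + [("ep%02d" % i, "h_office") for i in range(35)]
    + [("ep%02d" % i, "h_worm_mass") for i in range(20)]
    + [("ep%02d" % i, "h_new_tool") for i in range(5)]
    + [("ep%02d" % (i % 40), "h_rare_%02d" % i) for i in range(60)]
)
BLACKLIST = {"h_worm_mass"}               # constructed known-bad hash
WHITELIST = {"h_os_kernel", "h_office"}   # constructed known-good hashes
LONG_TAIL_MAX = 3   # assumed: seen on <= 3 endpoints counts as low prevalence

def prevalence(sightings):
    """Number of distinct endpoints on which each hash was seen."""
    unique_pairs = set(sightings)          # dedupe repeats on one endpoint
    return Counter(h for _, h in unique_pairs)

def triage(file_hash, prev, blacklist, whitelist, tail_max=LONG_TAIL_MAX):
    """Route a file: lists first, then prevalence decides what is left."""
    if file_hash in blacklist:
        return "block"
    if file_hash in whitelist:
        return "allow"
    if prev.get(file_hash, 0) <= tail_max:
        return "long-tail: escalate"       # needs a non-list technique
    return "unknown: monitor"

def summarize(sightings=SIGHTINGS, blacklist=BLACKLIST, whitelist=WHITELIST):
    """Verdict counts over distinct files in the telemetry."""
    prev = prevalence(sightings)
    verdicts = Counter(triage(h, prev, blacklist, whitelist) for h in prev)
    return {"distinct_files": len(prev), **verdicts}

def coverage(sightings=SIGHTINGS, blacklist=BLACKLIST, whitelist=WHITELIST):
    """Share of distinct files vs. share of sightings that the lists cover."""
    prev = prevalence(sightings)
    listed = blacklist | whitelist
    files_covered = sum(1 for h in prev if h in listed) / len(prev)
    total = sum(prev.values())
    sightings_covered = sum(c for h, c in prev.items() if h in listed) / total
    return files_covered, sightings_covered

if __name__ == "__main__":
    print(summarize())                     # 60 of 64 files are long tail
    print("covered files %.2f, covered sightings %.2f" % coverage())
```

The lists cover most sightings (the high-prevalence head) but only a handful of the distinct files, which is the gap the deck says signature-style lists cannot close.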
22. Organized Cybercrime
2009
23. M&As in the Cyber Underground…
SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself
http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
24. Common “Positions” in the cyber-crime business
Leaders, Programmers, Hosted systems providers, Cashiers, Distributors, Fraudsters, Money mules, Tech experts, Crackers, Tellers
http://www.fbi.gov/news/speeches/the-cyber-threat-whos-doing-what-to-whom
25. Underground Economy
Products                                     Price
Credit card details                          From $2-$90
Physical credit cards                        From $190 + cost of details
Card cloners                                 From $200-$1000
Fake ATMs                                    Up to $35,000
Bank credentials                             From $80 to $700 (with guaranteed balance); $10 for simple account without guaranteed balance
Bank transfers and cashing checks            From 10 to 40% of the total
Online stores and pay platforms              From $80-$1500 with guaranteed balance
Design and publishing of fake online stores  According to the project (not specified)
Purchase and forwarding of products          From $30-$300 (depending on the project)
Spam rental                                  From $15
SMTP rental                                  From $20 to $40 for three months
http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf
26. Cyber Wars
1990’s-2000’s-2010’s
27. Growing Number of Incidents - US
Incidents of Malicious Cyber Activity Against Department of Defense Information Systems, 2000–2009
http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf
28. Sources of Attacks on gov.il
Source: CERT.gov.il
29. Cyber-Warfare is Becoming A Giants’ Playground
http://www.bbc.co.uk/news/technology-11773146
31. Advanced Persistent Threat (APT) – RSA Case Study
“Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA”.
Art Coviello, Executive Chairman, RSA
http://www.rsa.com/node.aspx?id=3872
http://www.nytimes.com/2011/03/18/technology/18secure.html
32. Stuxnet: (THE NEW YORK TIMES, 15/1/11)
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=2&hp
33. Stuxnet Timeline
Early 2008: Siemens cooperated with Idaho National Laboratory to identify the vulnerabilities of computer controllers that the company sells
2008-2009: Suspected exploits have been created for Siemens SCADA systems
July 2009: Stuxnet began circulating around the world
July 2010: Stuxnet is first discovered by VirusBlokAda
35. Stuxnet in Action: “A Game Changer”
10-30 developers (!!!)
Stuxnet has some 4,000 functions (software that runs an average email server has about 2,000 functions)
• Exploits a total of four unpatched Microsoft vulnerabilities
• Compromises two digital certificates
• Self-replicates through removable drives
• Spreads in a LAN through a vulnerability in the Windows Print Spooler
• Copies and executes itself on remote computers through network shares
• Updates itself through a peer-to-peer mechanism within a LAN
• Contacts a remote command and control server
• Modifies code on the Siemens PLCs
• Hides modified code on PLCs
36. Vulnerability Timeline
Source: Burton Group
37. …Let’s talk about Patch Management (PM)
• Mostly Microsoft, security-related patches
• “It’s not the deployment, but the whole process evolving” AKA Pizza Night.
• 20%-50% of an FTE is dedicated to PM
• Common SLAs: 3…6…or sometimes 12 months!!
• VIP patches: up to a week
• Hardware/non-security patches’ SLA: where upgrades/vendor support is needed
39. Generic Cyber Attacks
1. Individuals/Groups
2. Criminal/Nationalistic background
3. Lots of intervals
4. Lots of targets
5. Common tools
40. Distributed Denial Of Service (DDOS)
1. Targets websites, internet lines etc.
2. Legitimate traffic
3. Many different sources
4. From all over the world
5. Perfect timing
41. Advanced Persistent Threat (APT)
1. Group/ Org./ State
2. Ideological/ Nationalistic background
3. Multi-layered attack
4. Targeted
5. Variety of tools
6. Impossible to detect in real time (???)
42. Security “Threatscape”
43. Thank You!