Kurt baumgartner lan_deskse2012

Published on: LANDesk SE Conference March 2012

  1. Indicators of “You’re fsck’ed” 2012
     A Discussion of Attacks on Sometimes Poorly Managed Desktops
     Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team, kurt.baumgartner@kaspersky.com
  2. You’re Fsck’ed 2011 AND 2012? A Discussion
     Two goals:
       1. Provide context and conversation around malware issues that challenged our corp customers and others
       2. Provide some level of expectations into what we’ll be discussing in 2012 regarding managed corp assets
       (3?) Walk away with some idea of what you may find more interesting on Securelist and what helps you
  3. You’re Fsck’ed? Enabling the Most Effective Attack Activity 2011
     • Improper Resource Configuration
       • Unnecessary share access and unlimited access control
       • Vulnerable firmware (outdated, improperly configured)
     • Missing Software Patches and Security Updates
       • Microsoft (Windows, IE, Office) and third party software – Java, Adobe (Reader+Flash), etc
       • Exploit packs/commodity attacks
       • Spearphishing
     • Partially Protected Environments
       • Missing security suites in franchises, branch, remote offices
       • Mix of products, sometimes improperly installed on top of each other
     • No Incident Response Plan, no Public Response Plan!
  4. Design Mistakes 2011: Enabling the most effective malware attacks
     [Pie chart of design mistakes seen in incidents. Categories: network shares configuration, missing security patches, multiple AV products, partially protected environment, firmware vulnerability, freeware. Values printed on the chart: 35%, 25%, 15%, 15%, 5%, 5%, 0%; which value belongs to which category is not recoverable from the extracted text.]
     Source: Kaspersky Lab GERT – Global Emergency Response Team, Alexey Polyakov
  5. Top 2011 Malware Families: Corporate incident notables
     • Trojan-Spy.Win32.Zbot – US
     • Trojan-Spy.Win32.Qbot – US
     • Targeted attacks (social engineering, exploits (0day or not), spyware, RATs/backdoors, PtHash, archivers (rar), ftp, etc) – US, EU, AUS
  6. Other Stats 2011: Breach Statistics – Mileage will Vary
     Verizon/US Secret Service/Dutch High Tech Crime Unit Annual Report
     • 92% of data breaches are directly attributed to external agents
     • Overall numbers saw a HUGE increase in smaller external attacks, instead of any decrease in insider activity
     • Cloud attacks? Yes, but no difference from non-cloud – no VM Hyper-V attacks
     • Partner-caused breaches continued their steady decline → what do I see? Not completely accurate, but many “partners” or third parties are private. What law firms that you use are public? What are their reporting requirements?
  7. What Could Possibly Go Wrong? Why did attacks succeed? Let’s analyze configuration mistakes
     [Diagram of how an infection spread through one customer network. Node labels recovered from the figure: End-user (USB enabled, not scanned; autostart enabled; “just viewed someone’s resume”), Email server, Web server (unrestricted), File server (open shares; unrestricted access to everyone, write/execute), Internet, Public resource, Security Admin (wrong access). Further annotations on the figure: missing security patches; different AV or none. Which node each annotation is attached to is not recoverable from the extracted text.]
     Source: Kaspersky Lab GERT – Global Emergency Response Team, Alexey Polyakov
  8. 2012 Malware Families? Magic Answer Ball says Yes
     • Decline of FakeAv (short term?) but exploit packs, “crackgen sites”, compromised hosts are all active with a variety of payloads
     • Various stealers and their markets are thriving (so much so that PII, dumps, plastics market prices dipped in 2011)
     • Persistent targeted attacks are persistently persisting
     • Android and “consumerization” is not fluff either
  9. Blackhole Exploit Pack attacks in the US: Gravitating towards an infiltrated state
  10. Blackhole Exploit Pack 2011: Variety of exploits and payloads, actively developed and distributed
     • Single most popular exploit pack of 2011, especially targeting US users
     • Very recognizable URLs, javascript obfuscation, exploits, admin interface, and payloads
     • Delivers FakeAv, Zaccess (click fraud and more), Zbot, SpyEye, ransomware, etc
     • Quick note: delivers mostly exploits targeting non-0day vulnerabilities
       • 0day vs non
       • Vulnerability vs exploit
  11. Blackhole Exploit Pack 2011: Variety of exploits, actively developed
     • Active development, additions for Java, Flash, Reader, HCP exploitation
     • “Common Vulnerabilities and Exposures” (CVE): a dictionary of publicly known information security vulnerabilities and exposures
       • Exploit.Java.CVE-2011-3554 http://evil.com/content/v1.jar
     • Java has become the de facto exploit delivered first to all platforms
     • Secure development lifecycle?
       • Microsoft – mature monthly + OOB update + workaround + advance notification releases across all platforms and lines
       • Adobe – attempts to mirror Microsoft cycle, maturing
       • Oracle Sun Java – ugly quarterly release cycle (CPU), rare OOB
  12. Exploit Packs into 2012? Magic Answer Ball says Yes
     • Maturing market for 0day and packs – Bleeding Life, Phoenix, Eleonore, Blackhole, Bomba, Nice Pack, etc
     • ROP technique, EMET evasion development
     • Classic and custom shellcode releases
     • International law diffs and forums continue to provide necessary space and communications. Bitcoin? Nah ah. Webmoney, Liberty Reserve, etc
  13. ZeroAccess/Max++/Click2 attacks in the US: Untouchable files
  14. ZeroAccess/Max++/Click2 Attacks: Multi-component malware
     • Increasingly distributed family
     • Multiple rootkit components at sensitive low level insertions, system driver infection, dynamic kernel module loading, encrypted “file system” storage within system – no viral or worming components
     • Unusual P2P traffic in more recent variants
     • Exploit pack delivery, P2P network serialz/crackz delivery. Also *very* popular: phony codecs and raunchy spoofed video titles
     • Detection tools like gmer make for quick id of the problem (although “Technical Details” pages on some AV vendors are outdated)
     • Mostly all “bundles” include a click fraud component; claims of additional stealers being downloaded that I haven’t seen
  15. ZeroAccess/Max++/Click2 Attacks into 2012? Magic Answer Ball says Yes
     • Competing with TDL
     • Active and professional kernel level development makes for a cat/mouse vendor challenge
     • User mode click fraud components and backend infrastructure
     • Distribution of spyware on the horizon?
  16. Trojan-Spy.Win32.Zbot outbreaks in the US: Combination of malicious delivery, spyware, various targeted scripts
  17. Zbot – Two Factor Auth, etc Defeated: Updated spyware
     • Spammed email containing typical IRS, DHL, UPS, etc, theme and attachment
     • User clicks on link or opens attachment
     • Drops exe to disk, executes
     • Zbot hooks necessary in-process (mostly web browser) functions, steals data from encrypted banking sessions
     • Multiple scripts downloaded, targeting specific banks, covers tracks
     • Money wired to overseas banks in select regions – non-reversible
     • Some reasons? AV was not updated, portions of it disabled
  18. Corporate Spyware in 2012? Magic Answer Ball Says… Absolutely
     • Not just Zeus: Spyeye, Carberp, Ramnit, Qbot variants, ZeroAccess payloads?
     • Similar or same delivery schemes will be effective into 2012
       • Spoofing spams – IRS, DHL, Facebook
       • Crack and keygen sites + redirects to compromised legitimate sites
     • Become familiar with hooking techniques, injected code per family
  19. Trojan-Spy.Win32.Qbot outbreaks in the US: Combination of malicious delivery, autorun spreader, password stealer attack
  20. Qbot - Quick Facts: Geo distribution, risk and possible damage
     [Map of geographic distribution; US and Brazil are labelled.]
     Estimates: 50K+ organizations
     Source: Kaspersky Lab GERT – Global Emergency Response Team, Alexey Polyakov
  21. Qbot - Offensive Behaviors: Enabling effective attacks – does your environment?
     • Unpatched software (how did it enter? Complete lack of network logs doesn’t aid investigation). Variety of delivery vectors:
       • Blackhole Exploit Pack – Java, Adobe Reader, HCP, AND NOW FLASH, etc
       • Custom EP – Quicktime exploits, older IE exploits
       • Infected USB
     • Network Misconfiguration - Autorun spreader
       • Disable autorun functionality: http://support.microsoft.com/kb/967715
       • No “Create” user rights to the root of a mapped network drive
       • Registry - disable and prevent access to USB storage
     • Inject into sensitive communications processes
       • Hook APIs to defeat encryption and session protections
  22. Qbot - Offensive Behaviors: Enabling effective attacks – their environment did
     • All users had “Create” rights to the root of mapped network drives – autorun.inf and infectors recreated
     • Every computer had the c: drive set to full control for “Everyone”, no passwords needed
     • Qbot, autorun, exe components, propagates via file shares
     • Suggested to break the network and organize into segments – it was 1 big segment for all machines
     • Series of file servers were DDoSed by infected hosts reconnecting to copy sets of autorun.inf/infectors to shares following AV cleanup on the servers
  23. Qbot - Recognition and Mitigation: Some recommendations and suggestions
     [Bar chart comparing “What end users see” with “What Security Admin sees”; y-axis “Disinfection attempts”, scale 0 to 600. Bar values are not recoverable from the extracted text.]
  24. Qbot - Mitigation Steps: Simple rules to improve network protection
     • Patch Management
       • Daily/weekly schedule
       • Microsoft, Adobe, Java, Oracle
     • Open shares
       • Isolate infected systems
       • Remove write/exec/autorun access
     • Education
       • Educate finance, business teams
       • Establish good practices
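The environment conditions that slides 21, 22 and 24 single out (AutoRun left enabled, every user able to create files at the root of a mapped drive, and autorun.inf reappearing at share roots after cleanup) can be audited on each file server with a short script. The following PowerShell is an added example written for this page, not code from the talk or from Kaspersky Lab. It relies on the NoDriveTypeAutoRun value documented in KB967715, the SmbShare cmdlets (Windows 8 / Server 2012 and later) and Get-Acl; the choice of which groups count as “everyone” and the write-rights mask are this example’s own assumptions.

```powershell
# Added audit script (not from the talk): checks one Windows host for the three
# Qbot-enabling conditions the slides describe. Run in an elevated PowerShell on
# Windows 8 / Server 2012 or later (needed for Get-SmbShare / Get-SmbShareAccess).
# The group pattern and write mask below are this example's assumptions.

$findings = New-Object System.Collections.Generic.List[object]

# 1. AutoRun policy (KB967715): NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    $item  = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.NoDriveTypeAutoRun } else { $null }
    if ($null -eq $value -or ($value -band 0xFF) -ne 0xFF) {
        $findings.Add([pscustomobject]@{
            Check  = 'AutoRun'
            Object = $key
            Detail = "NoDriveTypeAutoRun is '$value'; 0xFF (255) disables AutoRun on all drives"
        })
    }
}

# 2. Shares: the "all users had Create rights to the root" mistake. Broad groups with
#    more than Read at the share ACL, or any write bit at the NTFS root ACL, are flagged.
$broadGroups = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]::Write

foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    $unc = "\\$env:COMPUTERNAME\$($share.Name)"

    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read' -and
            $ace.AccountName -match $broadGroups) {
            $findings.Add([pscustomobject]@{
                Check = 'ShareACL'; Object = $unc
                Detail = "$($ace.AccountName) has $($ace.AccessRight) at the share level"
            })
        }
    }

    if (-not (Test-Path -LiteralPath $share.Path)) { continue }

    foreach ($rule in (Get-Acl -LiteralPath $share.Path).Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -match $broadGroups -and
            (([int]$rule.FileSystemRights) -band $writeMask) -ne 0) {
            $findings.Add([pscustomobject]@{
                Check = 'RootACL'; Object = $share.Path
                Detail = "$($rule.IdentityReference.Value) can write at the share root ($($rule.FileSystemRights))"
            })
        }
    }

    # 3. autorun.inf at the share root is exactly what the spreader recreated after each cleanup.
    $inf = Join-Path $share.Path 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings.Add([pscustomobject]@{
            Check = 'AutorunInf'; Object = $inf
            Detail = 'autorun.inf present at share root; preserve a copy for analysis before removing'
        })
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

Run it on each file server after cleanup, not just once: slide 22’s point is that infected hosts re-create autorun.inf on shares as soon as the server is disinfected, so a share that is clean now and writable by Everyone will not stay clean. The NTFS check only recognises the specific write bits in the Write mask; an ACE granting a generic right such as GENERIC_ALL will show up under the share-level check instead, so read both sets of findings together.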
  25. Qbot in 2012? Magic Answer Ball Says… Doubtful but possible
     • Instead of Qbot? Ramnit, other multi-component bots
     • Similar or same delivery schemes will be effective into 2012 – exploit packs as initial vector of delivery, unpatched software at fault
  26. Targeted Attacks
     Social Engineering
     Time and People Flush - Just Enough Technology to Get the Job Done
     Array of Exfiltration Tools and Techniques
  27. Targeted Attacks - The RSA Security Hack: Overview - how did this happen?
  28. Targeted Attacks – Social Engineering Techniques: NATO wants you! Is this even an attack?
  29. Targeted Attacks – Harpooning a Whale: Customization to better hit target - Spearphishing with better chum
     $91 million message (Q1 profit margin difference estimate + Q2 earnings call)
  30. Targeted Attacks – Harpooning a Whale: Poison Ivy was a Kid’s Hobby
     • Poison Ivy RAT is sprouting up in the media…
     • ChaseNET “underground scene” forum pedigree (founded by previous EES member - Th3ChaS3r)
       • Brought previous EES members like ksv, Bifrost RAT developer
       • EES founder and OptixPro dev “th3 s13az3”
     • ShapeLeSS joins ChaseNET in late October 2005, codes Poison Ivy. Codius later assumes the project, continues to distribute it
     • SDK allows for new plugins and development, max size 7kb
     • Swedish (not Chinese) developers
  31. Targeted Attacks – Harpooning a Whale: Poison Ivy was a Kid’s Hobby
  32. Targeted Attacks – Harpooning a Whale: Data exfil
     • Post-exploitation, Poison Ivy and other tools to establish foothold
     • Download other tools to impersonate users, elevate privileges, collect data from network
     • Encode, archive collected data
     • Check in with series of C2 for activity commands – Facebook, Google Code, Image Files (jpg, gif, etc)
     • FTP PUT / HTTP POST encoded/crypted data over proxied connections to drop servers controlled via RDP and VNC
  33. TA in 2012? Magic Eight Ball Says… Absolutely
     • 0day or known exploits - just enough to get the job done?
     • Similar tactics over email and possibly IM
     • Understand “Indicators of Compromise” and what that really means
     • Ensure that outbound data can be collected for later analysis
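Slide 32 describes the exfiltration stage as HTTP POSTs of encoded archives over the proxy to drop servers, and slide 33 asks that outbound data be collected for later analysis. The PowerShell below is an added example, not from the talk, of what that later analysis can look like over a proxy log: it combines a volume signal (bytes the client sent via POST/PUT) with a rarity signal (a destination that only one internal client ever contacts). The log format, client addresses, hostnames and byte counts are constructed for the example, and the 1 MB threshold is an arbitrary starting point to tune per environment.

```powershell
# Added example (not from the talk): review a proxy log for the exfiltration shape
# slide 32 describes. Log format, addresses, hostnames and byte counts are constructed.
# Fields: time client method destination path status bytes_from_server bytes_from_client
$sampleLog = @'
2012-03-05T09:01:10 10.1.4.22 GET  intranet.example.local /news 200 1843 12
2012-03-05T09:02:31 10.1.4.22 GET  cdn.example.com /img/logo.gif 200 9150 0
2012-03-05T09:03:02 10.1.4.22 GET  drop-server.example.invalid /i/beacon.gif 200 512 0
2012-03-05T09:03:45 10.1.4.22 POST drop-server.example.invalid /upload.php 200 310 4194304
2012-03-05T09:05:12 10.1.4.22 POST drop-server.example.invalid /upload.php 200 310 4194304
2012-03-05T09:06:40 10.1.4.22 POST drop-server.example.invalid /upload.php 200 310 4194304
2012-03-05T09:07:01 10.1.4.35 POST webmail.example.com /send 200 2200 15000
2012-03-05T09:08:11 10.1.4.41 GET  cdn.example.com /img/logo.gif 200 9150 0
'@

$thresholdBytes = 1MB   # assumed starting threshold; tune per environment

# Parse each line into an object; lines that do not have exactly eight fields are skipped.
$records = foreach ($line in ($sampleLog -split "`r?`n")) {
    $f = $line.Trim() -split '\s+'
    if ($f.Count -ne 8) { continue }
    [pscustomobject]@{
        Time = $f[0]; Client = $f[1]; Method = $f[2]; Dest = $f[3]; Path = $f[4]
        Status = [int]$f[5]; BytesIn = [int64]$f[6]; BytesOut = [int64]$f[7]
    }
}

# Rarity: how many distinct internal clients talk to each destination.
# A drop server used by one compromised workstation usually has exactly one.
$clientsPerDest = @{}
foreach ($g in ($records | Group-Object Dest)) {
    $clientsPerDest[$g.Name] = @($g.Group | Select-Object -ExpandProperty Client -Unique).Count
}

# Volume: bytes each client pushed to each destination with POST or PUT.
$alerts = foreach ($g in ($records | Group-Object Client, Dest)) {
    $client  = $g.Group[0].Client
    $dest    = $g.Group[0].Dest
    $uploads = @($g.Group | Where-Object { $_.Method -in 'POST', 'PUT' })
    $sent = 0
    foreach ($u in $uploads) { $sent += $u.BytesOut }
    if ($sent -ge $thresholdBytes -and $clientsPerDest[$dest] -eq 1) {
        [pscustomobject]@{
            Client      = $client
            Destination = $dest
            Uploads     = $uploads.Count
            BytesSent   = $sent
            Reason      = 'bulk upload to a destination no other client uses'
        }
    }
}

if (-not $alerts) { 'No upload anomalies in this log.' } else { $alerts | Format-Table -AutoSize }
```

On the constructed log this reports 10.1.4.22 sending three uploads (12 MB) to drop-server.example.invalid, while the webmail user at 10.1.4.35 stays below threshold and cdn.example.com is shared by two clients. Two caveats for real data: the check only works if the proxy records request (client-to-server) byte counts, which not every proxy does by default, and FTP PUT traffic from slide 32 will not appear in an HTTP proxy log at all, so firewall or NetFlow records for outbound port 21 and 22 are needed to cover that channel.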
  34. Android and Consumerization: The corporate network just walked out the door
  35. Android malware in 2012? Magic Eight Ball Says… Yes
     • With the disappearance of IE6 and Windows XP SP2, the low hanging Windows workstation fruit just became a bit more out of reach
     • More data copied or moved to more phones than ever before
     • Where will the low hanging fruit remain for corp mobile users?
     • Exploitation with different purposes than “rooting” begins in 2012
       • Most likely Android, some for iPhone
     • Data exfiltration from the platform begins in 2012
  36. Thank You
     Questions about content, and suggestions for Securelist?
     Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis Team, kurt.baumgartner@kaspersky.com
