Current Trends in Security Attacks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Current Trends in Security Attacks
  • By Jim Willoughby, MCSE, CISSP, CISM, CEH

2
Malware Threat Cycle
3
Intrusion Landscape
  • Hackers
  • 75% Script Kiddies
  • 24% Skilled
  • 1% Sophisticated
  • Malware - Virus - Worm
  • Mainly payload medium
  • Bot/IRC Kits
  • Spyware - Adware
  • Professionally developed
  • R&D budgets
  • Tied to legit businesses
  • Pay per click
  • Pay per install

4
Motivational Range
  • Storage
  • House warez, e.g. pirated movies, games, and / or
    software
  • Bandwidth
  • Warez downloads
  • Facilitates attacks against others
  • Distributed computing, e.g. password cracking
  • Botnet
  • Extortion / DDoS
  • Identity Theft
  • Spam
  • Phishing
  • Anarchy

5
Vulnerability Spectrum
  • Code Based Vulnerability
  • Configuration Based Vulnerability
  • Vulnerable services, like FTP and PHP
  • Permissions wide open
  • Weak Passwords
  • Brute Force
  • Social Engineering
  • Trojan
  • Phishing
  • Browsing web-based
  • P2P software

6
Threat Gamut
  • Worms
  • Email Worms
  • Trojans
  • Stealth Viruses
  • Rootkits
  • Alternate Data Streams
  • Phishing
  • Backdoor
  • Adware / Spyware

7
Worms
Self-replicating parasitic computer programs that
are often unnoticed until bandwidth issues cause
network problems
  • Rely on a Code Based Vulnerability for entry
  • Code Red, MSBlaster, SQL Slammer, and Sasser
  • Malicious payloads
  • Usually include an IRC backdoor
  • Host file entries to block AV software update
  • Generally don't infect other files
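The slide's "host file entries to block AV software update" trick is easy to audit. The following is an added example, not code from the presentation: it parses hosts-file text and reports any watched anti-virus or Windows Update hostname that has been pinned to a sinkhole address (loopback or 0.0.0.0) or redirected elsewhere. The watched hostnames and the sample hosts file are constructed assumptions for the example.

```python
import ipaddress

# Assumed list of AV/OS update hostnames to watch; a real deployment
# would use the vendor hostnames for the products it actually runs.
WATCHED_SUFFIXES = (
    "liveupdate.symantecliveupdate.com",
    "update.symantec.com",
    "download.mcafee.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
)
SINKHOLE_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/32"))

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank line or no hostnames
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed address field
        for host in parts[1:]:
            yield line_no, addr, host.lower()

def find_av_blocks(text):
    """Return (line_no, address, hostname, reason) for each watched host pinned in hosts."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if not any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            continue                              # not an update server we care about
        kind = "sinkholed" if any(addr in n for n in SINKHOLE_NETS) else "redirected"
        findings.append((line_no, str(addr), host, "%s to %s" % (kind, addr)))
    return findings

# Constructed sample hosts file: legitimate lines plus three worm-style additions.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantecliveupdate.com   # added by worm
0.0.0.0         update.microsoft.com
10.0.0.5        download.mcafee.com
192.168.1.10    intranet.example.local
"""

if __name__ == "__main__":
    for finding in find_av_blocks(SAMPLE_HOSTS):
        print("line %d: %s %s (%s)" % finding)
```

Any entry for a vendor update server is suspect, since a clean hosts file never needs one; the redirect case (a non-loopback address) is worth checking as well, because it can point the client at an attacker-controlled update source.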

8
Email Worms
  • Social engineering attack
  • User is tricked into running the virus
  • Originally relied on mail systems
  • Many include their own SMTP engine to spread
  • Include a malicious payload
  • Trojan
  • Macro Virus
  • SPAM

9
Browsing as Vulnerability
  • Attacking the browser
  • Active Scripting
  • Unpatched browser vulnerabilities
  • Java Script Vulnerabilities
  • Cross Zone Scripting attacks
  • Malicious web sites and emails
  • Spam
  • Popup
  • User enticed by phishing

10
Dangerous Surf
  • McAfee study finds that major search engine
    results point users towards risky sites.
  • Dangerous sites make up as much as 72 per cent of
    results for certain popular keywords:
  • "free screen savers"
  • "digital music"
  • "popular software"
  • "singers"
  • "Sponsored" results - paid for by advertisers -
    are more dangerous than non-sponsored results.
  • 8.5 per cent of sponsored links were found to be
    dangerous, versus 3.1 per cent of regular search
    results.

11
Spyware and Adware
  • Viruses may no longer be the top security threat
  • Motivation purely financial
  • Difficult to classify
  • Many walk a fine line
  • Main software is compliant, but installed by a
    malicious dropper
  • Techniques similar to those of the virus world
  • Trojan droppers
  • Phone home and auto-update
  • Rootkits

12
Spyware Entry
  • Can be installed as part of a bundle
  • It comes with a desirable application
  • Can be installed by itself
  • The program has some useful functionality and
    some
  • Pushing the technology envelope
  • Click and you are owned
  • Unpatched browser vulnerabilities
  • Java vulnerabilities
  • Social Engineering

13
Botnets: Where organized crime and cyber crime meet
  • Organized Hacker gangs
  • Client and server
  • Tools
  • Back door
  • IRC Control channel
  • Rootkits
  • Dynamic DNS
  • Dutch Police Crush Big 'Botnet,' Arrest Trio
  • Toxbot (aka Codbot)
  • A huge network of 100,000 PCs was used to conduct
    a denial-of-service attack in an extortion
    attempt
  • It was also used to extort a U.S. company, steal
    identities, and distribute spyware
  • Dutch prosecutors now say the botnet appears to
    contain around 1.5 million machines.

14
Evolving Motivation
  • Money
  • Power
  • Notoriety
  • According to Panda
  • 70% of new malware detected by the developer's
    scanning service in the first quarter had a
    cybercrime or financial motive
  • 40% of the new malware detected was spyware

15
Evolution of Players
  • Hackers and Gangs
  • Criminals
  • Professional Development Environment
  • According to Panda
  • Rise in popularity of Trojans and the relative
    waning of traditional virus attacks.
  • Email worms were generating masses of headlines
    and hysteria; now they account for just 4% of new
    malware
  • Trojans accounted for 47 per cent of new
    examples of malware

16
Organized Crime and the Internet
  • A recent McAfee study into organized crime and the
    internet suggests:
  • Increase in money-making cyber scams.
  • New hierarchy of cyber criminals
  • Each level, from amateur to professional, has
    different tactics and motives.
  • Development in recent years of cyber gangs, who
    sit at the top of the cybercrime chain.
  • Advanced groups of career criminals and hackers
    agree to cooperate, plan and execute long term
    attack strategies
  • "... little interest to the socially-motivated
    hacker or script kiddy," McAfee reports.

17
Malware Future Trends
  • Marriage of botnets and spyware
  • According to McAfee bots fuel spyware boom
  • Zombie bots such as Gaobot, MyTob and SDbot are
    often central to the spread of spyware.
  • The number of machines exploited using backdoor
    techniques has increased by over 63 per cent
  • This often results in spyware and adware being
    downloaded onto affected systems
  • Recent Headlines
  • Botnet master jailed for five years
  • A 20-year-old Los Angeles man used the "rxbot"
    Trojan horse program to find and take control of
    a botnet of 400,000 Windows machines
  • He then installed ad-delivery programs from two
    adware firms
  • Quebec-based Gammacash
  • LOUDcash, which was purchased by 180solutions and
    renamed ZangoCash

18
Malware Future Trends
  • Totally smashing trust with evil certificates
  • The certificate store of every Windows machine
    contains a list of trusted root certificates
  • A phony root certificate installed by the hacker
    tells the compromised machine to trust malware sites
  • Makes re-infection easier

19
Malware Future Trends
  • Editing network configurations and disabling
    anti-malware tools in multiple ways
  • Change personal firewall settings to block
    anti-virus updates
  • Run scripts to blind AV software
  • Self-updating malware and metamorphic code
  • A form of Malware Update Service that updates
    hostile code on machines

20
Malware Future Trends
  • Peer-to-peer botnets
  • Uses peer-to-peer file sharing protocols to
    establish botnets
  • Can direct botnets without a central point of
    control
  • Script based worms for Web 2.0 sites
  • Hostile code posted in user profiles on MySpace
    or FaceBook sites

21
Malware Future Trends
  • Client-side exploits
  • As servers become more hardened, hackers hunt for
    exploits in client software
  • Recent exploits in Word, PowerPoint, and Excel
    are examples

22
Malware Future Trends
  • Privilege escalation attacks
  • Many organizations still let users surf the web
    and use email as local administrators
  • Windows VISTA more carefully divides privileges
  • If VISTA catches on, attackers will look for more
    local escalation attacks on down-level platforms.

23
Future Malware Trends
  • Really Big BOTNETS
  • BOTNETS of 60,000 machines are common
  • Size could approach a million machines with
    immense computing power
  • Move to Non-Computer Platforms
  • Cell Phones and PDAs are becoming more powerful
    and connected
  • Look for a malicious code vector to surface

24
Blended Threats
  • Include aspects of all major viruses
  • Worm characteristics
  • Entry points
  • Code Based Vulnerability for MS and 3rd party
    software
  • Include brute force password dictionary
  • Spread by crawling networks
  • Mail Worm functionality
  • Data mines the local system for addresses
  • Spread using an SMTP engine
  • Often include Rootkit
  • Payload includes spyware droppers

25
NextGen Worm Examples
  • 'Swiss army knife' worm
  • W32.Nugache.A
  • spreads via email
  • IM channels
  • peer-to-peer element
  • Control channel uses TCP port 8 rather than IRC
  • Similar to the Linux worm Slapper
  • Mytob's Hackers May Spawn
  • Unstoppable 'Super Worm'
  • Mytob Family
  • Includes code borrowed from MyDoom and Rbot
  • All Mytobs share characteristics such as
  • hijacking addresses from compromised PCs
  • spread using its own SMTP engine
  • dropping in a backdoor Trojan
  • shut down security software

26
Spyware Trends
  • Ransomware
  • Uninstall program will not work unless you pay a
    fee / ransom
  • Faux Anti-Spyware, registry cleaners
  • GpCode and Krotten Trojans prevent boot until fee
    is paid
  • Reinstalled by Droppers
  • Recent Droppers Using Rootkit Techniques
  • CoolWebSearch
  • Apropos
  • SpyAxe
  • Look2Me

27
Social Engineering
  • Some cases require the end user to go to great
    lengths to get infected, such as:
  • Password protected compressed files
  • Renamed file extensions
  • Install prerequisite software
  • Classic Trojan examples
  • Holiday themed items
  • Pornography
  • Games
  • Recent Trojan examples
  • Sudoku used as bait for adware
  • World Cup Wall Chart Trojan
  • World of Warcraft Virtual Gold

28
Cross-Platform Viruses
  • Not just a Windows Issue
  • Profit is platform independent
  • Social Engineering Appears Eternal
  • FUD?
  • Linux Malware
  • Cross-Platform Virus Targets Windows / Linux
  • Not a new idea
  • Mac malware
  • Proof of concept code exists for a number of
    known vulnerabilities
  • Most AV companies have issued warnings this year

29
What About the Hackers
  • Warez servers are still around, but often serve
    multiple functions
  • Botnet controller
  • Spam generator
  • Attack Platform
  • Rootkits are commonplace
  • Hacker Defender, AFXRootkit, and FURootkit
  • Buggy malware often indicates its presence
  • System or service crash
  • Missing services files
  • Common tools no longer function
  • Best guidance for hacked systems will always be a
    secure rebuild

30
The Weakest Link
  • BOTNET Controllers must be discoverable
  • Originally used hard-coded IPs
  • Use Dynamic DNS
  • All discoverable and easy to defeat
  • Control channel defined in malware code
  • Block protocol
  • Monitor with IDS
  • Web browsing clients must be lured
  • Phishing emails
  • Often easy to determine from infected host
  • Shorter list than you might think
  • MS Honey Monkey and others, such as McAfee
    SiteAdvisor, scan for threats

31
What Can I Do Now?
  • Apply ALL Security Updates
  • Disable superfluous services
  • Block unsolicited inbound traffic
  • Require Strong passwords
  • Updated Anti-Virus / Anti-Spyware products
  • End user education
  • Safe Browsing
  • Safe Email
  • Run with least user rights
  • Audit for compliance

32
Microsoft Security Products
  • Windows Defender: http://www.microsoft.com/athome/security/spyware/software/default.mspx
  • Windows Software Update Services: http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
  • Microsoft Baseline Security Analyzer: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
  • Microsoft OneCare: http://www.windowsonecare.com
  • Microsoft Client Protection: http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx
  • Network Access Protection: http://www.microsoft.com/technet/itsolutions/network/nap/default.mspx
  • Windows Vista: http://www.microsoft.com/windowsvista/default.aspx
  • Built in Windows Defender and MSRT
  • Better Firewall
  • User Account Control
  • Windows Longhorn: http://www.microsoft.com/windowsserver/bulletins/longhorn/beta1.mspx

33
References and Links
  • Panda Quarterly Report: http://www.pandasoftware.com/pandalabsQ12006
  • Rootkits, Part 1 of 3: The Growing Threat, McAfee Whitepaper: http://download.nai.com/products/mcafee-avert/WhitePapers/AKapoor_Rootkits1.pdf
  • Malware Evolution, Kaspersky Labs: http://www.viruslist.com/en/analysis?pubid=184012401
  • The Safety of Internet Search Engines, McAfee SiteAdvisor: http://www.siteadvisor.com/studies/search_safety_may2006.html
  • Trojans are the New Model Army: http://www.theregister.co.uk/2006/05/08/malware_survey
  • Virus writers get into cyber-extortion: http://www.theregister.co.uk/2006/04/21/kaspersky_malware_trends_update
  • Malicious Bots Hide Using Rootkit Code: http://www.eweek.com/article2/0,1895,1816972,00.asp
  • Alleged Pop-Up Hacker Busted: http://www.wired.com/news/technology/0,1282,69480,00.html?tw=wn_tophead_2
  • The New Apple of Malware's Eye: Is Mac OS X the Next Windows? McAfee Whitepaper: http://download.nai.com/products/mcafee-avert/WhitePapers/NewAppleofMalwaresEye.pdf
  • Cross platform virus PoC: http://isc.sans.org/diary.php?storyid=1248&rss
  • Hackers control bot client over P2P: http://www.theregister.co.uk/2006/05/02/nugache_worm