
Page 2

Our Products: 80% of world's critical infrastructures
Determined, resourceful, global adversaries

Our Resources: Attacked > 4,000 times a day
At least one DDoS a day
Logged attacks from every country

Our Business: Subject to Phishing, Bots, Root-kits, …


Pages 5-7 (progressive build): where the threats have been

Mainframes
  Emanations: Tempest
  Insiders: TCSEC, Common Criteria

Networks
  Eavesdropping: DES, AES, IPSec
  Network Protocols: SYN flood, DNS spoofing
  Network Stacks: "Ping of death"

Services
  Operating System Services: Buffer overruns, XSS, Web spoofs, worms
  Application Services: SQL injection, SQL Slammer, Media players

Pages 8-12 (progressive build): vulnerability lifecycle

Stages, in the order shown: Undiscovered; Vulnerability Discovered; Correction; Component Fixed; Packaging; Customer Fix Available; Customer Testing / Deployment; Fix Deployed

Diagram labels: Module Gap; Actual Vulnerability To Attack; Responsible Disclosure; Early Disclosure; Experimentation; Vulnerability Disclosed; Software Ship

Callouts added through the build: "Rarely discovered" (page 9); "Attacks occur here" (page 10); "Why does this gap exist?" (page 11)

Page 12 adds:

Days From Patch To Exploit have decreased so that patching is not a defense in large organizations
Average 6 days for patch to be reverse engineered to identify vulnerability (Source: Microsoft)

Days Between Update & Exploit:
  Nimda: 331
  SQL Slammer: 180
  Welchia/Nachi: 151
  Blaster: 25
  Sasser: 14

Page 13

Blaster shows the complex interplay between security researchers, software companies, and hackers.

Timeline (Source: Microsoft):

July 1: Report. Vulnerability in RPC/DCOM reported; MS activated highest level emergency response process. (Vulnerability reported to us / Patch in progress)

July 16: Bulletin. MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies. (Bulletin & patch available / No exploit)

July 25: Exploit. X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers. (Exploit code in public)

Aug 11: Worm. Blaster worm discovered; variants and other viruses hit simultaneously (e.g. "SoBig"). (Worm in the world)


Page 15

Analysis of code led us to t33kid.com; FBI/USSS watched and gathered intelligence
Real-time Subpoena: ISP Cari.net in San Diego (issued by on-call AUSA)
Virtual host led to Texas: owner of site in Texas had criminal record, was potential suspect
T33kid.com leased space from Texas owner; investigative work led us to Jeffrey Lee Parson
Seven computers seized

Page 16: 2 Our Products 80% of world’s critical infrastructures Determined, resourceful, global adversaries Our Resources Attacked > 4,000 times a day At least

16

Page 17

“Less than 24 hours after Microsoft released its Security Bulletins for August, exploit code was made publicly available for the vulnerabilities addressed in Microsoft Security Bulletin MS05-038 and MS05-041. The postings, titled ‘Microsoft Internet Explorer COM Objects Instantiation Exploit (MS05-038)’ and ‘Microsoft Windows Remote Desktop Protocol DoS Exploit (MS05-041),’ were published by the French security firm FrSIRT. A second piece of code was published on August 11th for MS05-038.”

“Three pieces of exploit code targeting the Windows Plug and Play issue (MS05-039) have been made publicly available. These are listed as the ‘Microsoft Windows Plug and Play Remote Buffer Overflow Exploit (MS05-039)’, ‘Microsoft Windows 2000 Plug and Play Universal Remote Exploit (MS05-039)’ and ‘Microsoft Windows 2000 Plug and Play Universal Remote Exploit #2 (MS05-039)’ on the FrSIRT Web site. One of which has also been included as an exploit module in the Metasploit Framework.”

“Authorities in Morocco and Turkey have arrested two people believed to be responsible for unleashing a computer worm that infected networks at U.S. companies and government agencies earlier this month, the FBI said Friday.…Microsoft played a role in locating the suspects, the FBI said.” http://www.msnbc.msn.com/id/9086742/

Page 18

Answers "Where are the greatest risks?": Exploits written in 2005 for 6 popular Operating Systems (Win32; Linux, 4 distributions)

Exploits written 2005 YTD - all platforms, by component:
  Network Service 19%
  Browser 15%
  Kernel 11%
  Multimedia App 8%
  OS Component 6%
  Productivity App 6%
  Web Server App 6%
  Mail Server 4%
  OS Admin Tools 4%
  Development Tools 4%
  Windowing Environment 4%
  File Compression 3%
  Database 3%
  Image Processing 3%
  Mail Client 2%
  Code Repository 1%
  Misc 1%
  Web Server 0%

2005 Vulns and Exploits (YTD), thru May 31, 2005:
  Vulns: 344
  Exploitable: 96
  Trivial: 61

Page 19

Network service exploits, 2005 thru May 31, 2005, by service:
  squid 25%
  ethereal 21%
  tcpip 13%
  tcpdump 13%
  dnsmasq 8%
  kdenet 4%
  ftp 4%
  telnet 4%
  ppxp 4%
  msmq 4%


Pages 21-31 (progressive build): who attacks, and why

Motivations: National Interest; Personal Gain; Personal Fame; Curiosity
Skill levels: Script-Kiddy; Hobbyist; Hacker; Expert; Specialist
Attacker types added through the build: Vandal; Trespasser; Author; Thief; Spy

Callouts: "Fastest growing segment" (page 28); "Tools created by experts now used by less skilled attackers and criminals" (pages 29-31)

Pages 32-36 (progressive build): 1990 to 2005

Timeline: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005

Then (1990 end of the timeline):
  16-bit 100 MHz processor, 10 GByte disk, 20 MByte ram, CD drive, 13” VGA monitor
  Windows 95, FAT FS, IPX and NetBIOS, Open networking

Now (2005 end of the timeline):
  32-bit 2.5 GHz processor, 250 GByte disk, 3 GByte ram, DVD R/W drive, 21” digital monitor
  Windows XP SP2, ICF, USB, UPnP, Windows Update

Callout: Legacy creates security issues

Pages 37-38 (progressive build)

The security kernel of Windows NT was written:
  Before there was a World Wide Web
  Before TCP/IP was the default communications protocol

The security kernel of Windows Server 2003 was written:
  Before buffer overflow tool kits were available
  Before Web Services were widely deployed

Pages 39-42 (progressive build)

Six computers attached to Internet: different versions of Windows, Linux and Mac OS
Over the course of one week: machines were scanned 46,255 times; 4,892 direct attacks
No up-to-date, patched operating systems succumbed to a single attack
All down-rev systems were compromised: Windows XP with no patches was infested in 18 minutes by Blaster and Sasser; within an hour it became a "bot"
Source: StillSecure, see http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html


Page 44

Compromise of security by trusted party: traditional domain of TCSEC and Common Criteria
  Compromise of design or implementation
  Compromise during distribution
  Compromise by user
  Compromise by admin

Page 45

Traditional "hacker": asynchronous network attack via vulnerability
User self-betrayal

Diagram: Attacker -> Exploit vulnerability; Attacker -> Fool user into self-betrayal

Page 46

Malware: Spam, phishing, worms, bots, …
Asymmetric: Attacker need only find one victim; defender needs to protect all
Force multiplier: Write once, attack all
Harvest: Harvest the "interesting" successes


Page 48

Mass unsolicited email
  For commerce: Direct mail advertisement
  For Web traffic: Artificially generated Web traffic
  Harassment
  For fraud: Phishing; Identity theft; Credential theft

Pages 49-50

“Our first program pays you $0.50 for every validated free-trial registrant your website sends to [bleep]. Commissions are quick and easy because we pay you when people sign up for our three-day free-trial. Since [bleep] doesn't require a credit card number or outside verification service to use the free trial, generating revenue is a snap.

The second program we offer is our pay per sign-up plan. This program allows you to earn a percentage on every converted (paying) member who joins [bleep]. You could make up to 60% of each membership fee from people you direct to join the site.

Lastly, [bleep] offers a two tier program in addition to our other plans. If you successfully refer another webmaster to our site and they open an affiliate account, you begin earning money from their traffic as well! The second tier pays $0.02 per free-trial registrant or up to 3% of their sign-ups.”

Key Points

•$0.50 for every validated free-trial registrant

•60% of each membership fee

Pages 51-54 (progressive build)

SoBig spammed over 100 million inboxes
If 10% read the mail and clicked the link = 10 million people
If 1% of people who went to site signed up for 3-day free trial = (100,000 people) x ($0.50) = $50,000
If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr

Page 55

California Man Charged with Botnet Offenses (November 3, 2005)

Botnets are big business ... U.S. case against an alleged computer hacker, who authorities believe netted $60,000 in cash and a BMW from a personal army of zombie computers.

Federal authorities arrested a 20-year-old California man Thursday and charged him with running a network of 400,000 compromised computers called a "botnet," including computers used by the U.S. government for national defense.

Ancheta was a member of affiliate networks used by unnamed "advertising service companies," who paid him around $60,000 to install their advertising software on the machines he controlled, the statement alleges.

Ancheta allegedly distributed software for Gammacash, of Quebec, and LoudCash, part of CDT of Montreal, which was purchased by 180 Solutions Inc. in April.


Page 57: 2 Our Products 80% of world’s critical infrastructures Determined, resourceful, global adversaries Our Resources Attacked > 4,000 times a day At least

57

Faking: an e-mail that seems to be from a legitimate source

Spoofing: a Web site that appears to be “official”

Phishing: luring users to provide sensitive data

Page 58

Page 59

Deceptive Address: Source code reveals the actual mail-from address as “href=mailto://[email protected]”

Page 60

Impersonal Message: Be wary if a company with which you regularly do business fails to address you by name.

Page 61

Alarmist Message: Criminals try their best to create a sense of urgency so you'll respond without thinking. Also look for misspellings, grammatical errors and typos, such as “…an access to MSN services for your account…”

Page 62

Deceptive Link: Source code reveals that the actual address linked to is “href=http://www.online-msnupdate.com/?sess=qCKWmHUBPPZwT8n4GEMNn70wHDEG140IHKG5tAGiqGOINeov&amp:[email protected]”

The difference between these two URLs could be a sign that the message is fake. (However, even if the URLs are the same, don't let down your guard, because the pop-up could be a trick, too.)

Page 63

Know the Company: eBay generally does not send out e-mails to customers containing login links. Look carefully at the status bar for all links and URLs; the URL in the status bar for the login link is not eBay.com.

Page 64

Differences between links or URLs in an e-mail and the status bar should make you suspicious. If you receive an e-mail like this one, open a new browser window, type in the URL yourself and log in to your account to see whether there are any real account problems.
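The deceptive-address and deceptive-link indicators on the pages above, written up as an added Python checker (not code from the original slides): it pulls every link out of an HTML mail body and compares the host shown in the link text with the host the href really points to, and likewise the displayed e-mail address with the real mailto target. The sample message, and every host and address in it, are constructed placeholders, apart from online-msnupdate.com, which is the slide's own example.

```python
"""Flag deceptive links in an HTML e-mail body.

Added illustration, not code from the original slides. It implements the two
checks the slides describe: an <a> whose visible text shows one domain while
its href goes to another, and a mailto: link whose real address differs from
the one displayed. The message below is constructed; every host in it is a
placeholder except the slides' own online-msnupdate.com.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a URL or bare domain; group(1) is the host part.
DOMAIN_RE = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # None means "not inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain (last two labels). A public-suffix list would
    be needed for co.uk-style names; kept simple for the example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return a reason string if the link is deceptive, else None."""
    href = href.strip()
    if href.lower().startswith("mailto:"):
        # Accept both "mailto:x@y" and the slides' "mailto://x@y" spelling.
        actual = href[len("mailto:"):].lstrip("/").split("?")[0]
        shown = EMAIL_RE.search(text)
        if shown and shown.group(0).lower() != actual.lower():
            return f"mailto goes to {actual} but displays {shown.group(0)}"
        return None
    shown = DOMAIN_RE.search(text)
    if shown is None:
        # "click here"-style text gives nothing to compare; the status-bar
        # check the slides recommend still applies to such links.
        return None
    host = urlparse(href).hostname or ""
    if not host:
        return f"link text shows {shown.group(1)} but href has no host: {href!r}"
    if registrable(host) != registrable(shown.group(1)):
        return f"link text shows {shown.group(1)} but href goes to {host}"
    return None


def find_deceptive_links(html):
    """All (href, text, reason) triples for links that fail a check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reason = check_link(href, text)
        if reason:
            findings.append((href, text, reason))
    return findings


# Constructed sample mimicking the slides' alarmist MSN-themed mail.
SAMPLE_EMAIL = """
<p>Dear Customer, an access to MSN services for your account will be
suspended within 24 hours unless you confirm your details.</p>
<p>Confirm now: <a href="http://www.online-msnupdate.com/?sess=PLACEHOLDER">
http://www.msn.com/account/confirm</a></p>
<p>Questions? <a href="mailto://billing@mail-example.net">billing@example.com</a></p>
<p>Help: <a href="https://www.example.com/help">www.example.com/help</a></p>
<p>Or <a href="http://login.example.net/">click here</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPECT: {reason}")
```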

Page 65

Page 66

Page 67

1. MS filed John Doe lawsuit in WA

Page 68

2. Issued subpoenas to web hosts in CA

Page 69

3. Subpoenas identified ISP in Austria

Page 70

4. Austrian ISP identified IP address registered to Qwest in the US

Page 71

5. Subpoena to Qwest and investigations identified Jayson Harris in Iowa, US

6. Referred to FBI and obtained $3 million Default Judgment

Page 72

Most people are spoofed: over 60% have visited a fake or spoofed site

People are tricked: over 15% admit to having provided personal data

Target for spoofing attacks: banks, credit card companies, Web retailers, online auctions (E-bay) and mortgage companies.

Economic loss: 1.2 million U.S. adults have lost money

The total dollar impact: $929 million

Source: TRUSTe & Gartner

Page 73

Page 74

Software that collects personal information from you without your knowledge or permission

Page 75

Privacy: 15 percent of enterprise PCs have a keylogger (Source: Webroot's SpyAudit)

Number of keyloggers jumped three-fold in 12 months (Source: Sophos)

Page 76

Reliability (Microsoft Watson): ~50% of crashes caused by spyware

Page 77

Support Costs (Dell, HP, IBM): spyware causes ~30% of calls

Estimated support costs at $2.5m+ / year

Page 78

Israel Spyware

“Dubbed "Trojangate," the incident resulted in nearly 20 arrests, with some reports indicating that there were hundreds -- perhaps thousands -- of documents stolen from multiple Israeli firms. About 100 servers containing stolen data have been seized and are being investigated.” (BBC)

Page 79

“In 2004, MessageLabs came upon a Trojan horse created for the purpose of attacking a type of software used in airplane design.” (AP)

Page 80

“Someone placed surveillance software on sheriff's office computers, apparently enabling unauthorized access to sensitive information about prisoner movements, confidential homeland security updates and private personnel files.” (AP)

Page 81

UK police foil massive bank theft “Police in London say they have foiled one of the biggest attempted bank thefts in Britain. The plan was to steal £220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui. Computer experts are believed to have tried to transfer the money electronically after hacking into the bank's systems. A man has been arrested by police in Israel after the plot was uncovered by the National Hi-Tech Crime Unit. Unit members worked closely with Israeli police …” Story from BBC NEWS:

http://news.bbc.co.uk/go/pr/fr/-/1/hi/uk/4356661.stm

Page 82

Microsoft Windows AntiSpyware

Global SpyNet™ community helps identify new spyware

Automatic signature downloads keep you up-to-date

17 million downloads, 23 million spyware packages cleaned

Scheduled scans help maintain PC security and privacy

Continuous protection guards 50+ ways spyware gets on a PC

Intelligent alerts handle spyware based on your preferences

Page 83

Driver | Characteristic | Instance count | %
Delprot.sys | Deletion protection for iSearch adware/spyware. | 81870 | 1.03%
“LoadMeDude” (TROJ_LODMEDUD_A) | Randomly named driver that hides processes, registry, files. Auto-update capability. Bundled with Comedy Central adware/spyware. | 25496 | 0.32%
winik.sys | Protects CommonName adware/spyware. | 13583 | 0.17%
iesprt.sys (TROJ_BANKER.W) | Steals banking passwords. | 2386 | 0.03%
Hxdefdrv.sys (“Hacker Defender”) | Public domain source rootkit. Resource hiding and backdoor capability. | 1323 | 0.02%

Page 84

Page 85

Page 86

Bot Ecosystem: Bots, Botnets, Control channels, Herders

Page 87

It began en masse with MyDoom.A

Eight days after MyDoom.A hit the Internet

Scanned for the back door left by the worm

Installed a Trojan horse called Mitglieder

Then used those systems as their spam engines

Millions of computers across the Internet were now for sale to the underground spam community

Page 88

Age (days) | Name | Server | MaxSize
02.00 | nubela.net | dns.nubela.net | 10725
10.94 | winnt.bigmoney.biz (randex) | winnt.bigmoney.biz | 2393
09.66 | PS 7835 - y.eliteirc.co.uk | y.eliteirc.co.uk | 2061
09.13 | y.stefanjagger.co.uk (#y) | y.stefanjagger.co.uk | 1832
03.10 | ganjahaze.com | ganjahaze.com | 1507
01.04 | PS 8049 - 1.j00g0t0wn3d.net | 1.j00g0t0wn3d.net | 3689
10.93 | pub.isonert.net | pub.isonert.net | 537
08.07 | irc.brokenirc.net | irc.brokenirc.net | 649
01.02 | PS 8048 - grabit.zapto.org | grabit.zapto.org | 62
10.34 | dark.naksha.net | dark.naksha.net | UNK
08.96 | PS 7865 - lsd.25u.com | lsd.25u.com | UNK
UNK | PS ? - 69.64.38.221 | 69.64.38.221 | UNK

Page 89

Page 90

As of 12 August 2005: tracking 3523 bot-nets, of which 700 are active; average size is 80,000 computers

Page 91

Botnet with 10,000 Machines Shut Down (Sept 8, 2004)

“A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages. […]”

http://news.netcraft.com/archives/2004/09/08/botnet_with_10000_machines_shut_down.html

Page 92

FBI busts alleged DDoS Mafia (Aug 26, 2004)

“A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors [...]”

http://www.securityfocus.com/news/9411

Page 93

Keystroke loggers for stealing CC, PII

SYN or application flooding code, used for DDoS

DDoS has been used many times, including public attacks against Microsoft.com

Spam relays: 70-80% of all spam (Source: SpecialHam.com, Spamforum.biz)

Piracy

Future features

Page 94

10,000-member botnet

Attack | Requests/bot | Botnet Total | Resource exhausted
Bandwidth flood (uplink) | 186 kbps | 1.86 Gbps | T1, T3, OC-3, OC-12
Bandwidth flood (downlink) | 450 kbps | 4.5 Gbps | T1, T3, OC-3, OC-12, OC-48 (2.488 Gbps); 50% of Taiwan/US backbone
Syn flood | 450 SYNs/sec | 4.5M SYN/sec | 4 dedicated Cisco Guard (@ $90k) OR 20 tuned servers
Static http get (cached) | 93/sec | 929,000/sec | 15 servers
Dynamic http get | 93/sec | 929,000/sec | 310 servers
SSL handshake | 10/sec | 100,000/sec | 167 servers

Page 95

September 2004 postings to SpecialHam.com, Spamforum.biz:

> $350.00/weekly - $1,000/monthly (USD)
> Type of service: Exclusive (One slot only)
> Always Online: 5,000 - 6,000
> Updated every: 10 minutes

> $220.00/weekly - $800.00/monthly (USD)
> Type of service: Shared (4 slots)
> Always Online: 9,000 - 10,000
> Updated every: 5 minutes

Page 96

Updated monthly to remove prevalent malware

Targeted at consumers without antivirus

Enterprise deployable as part of a defense-in-depth strategy

Available through: Windows Update, Auto Update, Online interface, MS Download Center

Complements traditional Antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC

Page 97

Release | Days Live | Executions | Disinfections | %
January | 28 | 124,613,632 | 239,197 | 0.1920%
February | 28 | 118,209,670 | 351,135 | 0.2970%
March | 35 | 145,502,003 | 443,661 | 0.3049%
April | 28 | 125,150,400 | 590,714 | 0.4720%
May | 35 | 164,283,730 | 1,154,345 | 0.7027%
June | 28 | 162,763,946 | 642,955 | 0.3950%
July | 18 | 156,379,734 | 627,414 | 0.4090%
Total | 200 | 1,001,824,331 | 4,093,531 | 0.4106%

[Chart: Machines Cleaned (log scale) against Malware per Machine (1 to 9). Source: Microsoft]

[Chart: share of malware cleaned by category: Bots 58%, Exploit Worms 15%, Mass Mailing Worms 15%, Rootkits 10%, Trojans 1%, Instant Msg. Worms 1%]

Page 98

Increase the value of an enterprise by damaging a competing enterprise

Manipulate the value of a futures contract

Divert delivery of value to someone to whom it was not intended

Make a coercive threat credible

Stop by direct intervention an activity perceived as destroying value

Reduce an opponent’s defensive or destructive capabilities

Source: Scott Borg, an economist at Dartmouth

Page 99

Page 100

Intended Behavior

Page 101

Actual Behavior

Page 102

Traditional Bugs

Page 103

Most Security Bugs

Page 104

Create model of app (DFD, UML etc)

Categorize threats with STRIDE: Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege

Build threat tree

Rank threats with DREAD: Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability

Page 105

[Diagram: DFD process 1.2.1 Parse Request]

Page 106

[Diagram: threat tree for 1.2.1 Parse Request; three Threat (Goal) nodes, each tagged with its STRIDE category. Key: Threat, Sub threat, Condition]

Page 107

[Diagram: the same threat tree with DREAD ratings attached to threats and conditions. Key: Threat, Sub threat, Condition, DREAD]
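The four-step procedure on Page 104 and the 1.2.1 Parse Request tree on the pages above, carried through as an added Python example (not the slides' own code): threats carry a STRIDE category, leaf conditions carry DREAD scores, and the tree rolls them up so the threats can be ranked. The threats, sub-threats and conditions are constructed for illustration; the 1-to-10 scoring averaged over the five DREAD components, and the rule that an OR node rates as its easiest child while an AND node rates as its hardest, are assumptions the slides do not state.

```python
"""Threat tree with STRIDE categories and DREAD ranking for one DFD process.

Added illustration, not from the original slides. Threats, sub-threats and
conditions below are constructed for the "1.2.1 Parse Request" process the
slides use. Assumptions: each DREAD component is scored 1..10 and averaged;
an OR node rates as its easiest child and an AND node as its hardest, because
an attacker needs only one OR branch but every AND branch.
"""
from dataclasses import dataclass, field
from typing import List, Optional

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> float:
        parts = (self.damage, self.reproducibility, self.exploitability,
                 self.affected_users, self.discoverability)
        if any(not 1 <= p <= 10 for p in parts):
            raise ValueError("each DREAD component must be in 1..10")
        return sum(parts) / len(parts)


@dataclass
class Node:
    name: str
    kind: str = "condition"          # threat | subthreat | condition
    stride: str = ""                 # STRIDE letter, threats only
    logic: str = "OR"                # how children combine: OR | AND
    dread: Optional[Dread] = None    # leaf conditions carry the score
    children: List["Node"] = field(default_factory=list)

    def rating(self) -> float:
        """DREAD rating rolled up from the leaves (assumed OR=max, AND=min)."""
        if not self.children:
            if self.dread is None:
                raise ValueError(f"leaf {self.name!r} has no DREAD score")
            return self.dread.score()
        child_ratings = [c.rating() for c in self.children]
        return max(child_ratings) if self.logic == "OR" else min(child_ratings)


def build_parse_request_tree() -> List[Node]:
    """Constructed threat tree for process 1.2.1 Parse Request."""
    return [
        Node("Attacker executes code via malformed request", "threat", "E", "OR", children=[
            # Both conditions must hold, so this branch rates as its weaker one.
            Node("Overlong header overruns parser buffer", "subthreat", logic="AND", children=[
                Node("Header length not validated", dread=Dread(10, 8, 6, 10, 7)),
                Node("Build lacks stack protection", dread=Dread(10, 9, 5, 10, 6)),
            ]),
            Node("Request body deserialized unsafely", dread=Dread(10, 6, 4, 8, 5)),
        ]),
        Node("Deeply nested input exhausts parser", "threat", "D", children=[
            Node("No nesting depth limit", dread=Dread(6, 10, 9, 8, 8)),
        ]),
        Node("Parse errors leak internal paths", "threat", "I", children=[
            Node("Error response includes stack trace", dread=Dread(3, 10, 9, 5, 9)),
        ]),
    ]


def rank_threats(threats: List[Node]):
    """Threats ordered by DREAD rating, highest first: (name, STRIDE, rating)."""
    ordered = sorted(threats, key=lambda n: n.rating(), reverse=True)
    return [(n.name, STRIDE[n.stride], round(n.rating(), 2)) for n in ordered]


if __name__ == "__main__":
    for name, category, rating in rank_threats(build_parse_request_tree()):
        print(f"{rating:4.1f}  {category:24}  {name}")
```

Note how the AND gate keeps the code-execution threat at 8.0 even though one of its conditions alone scores 8.2, which is why the denial-of-service threat ranks first.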

Page 108

Page 109

The underlying DLL (NTDLL.DLL) not vulnerable

Code made more conservative during Security Push

Page 110

Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003


111

Even if it was running

IIS 6.0 doesn’t have WebDAV enabled by default


112

Even if it did have WebDAV enabled

Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)


113

Even if the buffer was large enough

Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)


114

Even if there was an exploitable buffer overrun

Would have occurred in w3wp.exe, which is now running as ‘network service’
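As an added example, not taken from the presentation, this C program models two of the layers above in a single request-copy routine: the 16 KB request-length limit and a /GS-style stack cookie that makes the process halt instead of using a corrupted frame. The buffer size, cookie value, input and function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the presentation: models two of the layers above in one
 * request-copy routine. Buffer size, cookie value and names are constructed. */
#define MAX_URL_LEN 16384u     /* IIS 6.0 default URL limit, per the slide */
#define URL_BUF_SIZE 65536u    /* toy buffer: the slide says >64kb was needed */

typedef enum { REQ_OK, REQ_TOO_LONG, REQ_GS_FAILURE } req_status;

/* Per-process secret, like the __security_cookie that /GS sets at startup. */
static const uint32_t security_cookie = 0xBB40E64Eu;  /* constructed value */

/* Modelled on a /GS frame: the cookie sits between the buffer and the saved
 * return address, so a linear overrun must change it before reaching the latter. */
typedef struct {
    unsigned char buf[URL_BUF_SIZE];
    uint32_t cookie;
    uintptr_t saved_return;    /* stands in for the real return address */
} frame_t;

static req_status copy_url(frame_t *f, const unsigned char *url, size_t len, int limit) {
    /* Layer 1: the configured length limit rejects anything that could overrun. */
    if (limit && len > MAX_URL_LEN) return REQ_TOO_LONG;
    /* Prologue: cookie = secret XOR frame address, as /GS does. */
    uint32_t expect = security_cookie ^ (uint32_t)(uintptr_t)f;
    f->cookie = expect;
    f->saved_return = 0x1234;  /* constructed placeholder */
    /* The defect being modelled: the copy trusts the caller's length. A byte copy
     * over the whole struct keeps the overrun defined behaviour in this demo. */
    memcpy((unsigned char *)f, url, len < sizeof *f ? len : sizeof *f);
    /* Epilogue, layer 2: recheck before the return address is used. Real /GS
     * code calls __report_gsfailure here, which halts the process. */
    return f->cookie == expect ? REQ_OK : REQ_GS_FAILURE;
}

/* Runs a constructed request of 'len' bytes of 'A' through copy_url. */
req_status run_demo(size_t len, int limit) {
    static frame_t frame;            /* static rather than stack, to keep the demo portable */
    static unsigned char url[70000]; /* constructed input, larger than the 64 KB buffer */
    if (len > sizeof url) len = sizeof url;
    memset(url, 'A', len);
    return copy_url(&frame, url, len, limit);
}

int main(void) {
    printf("%d %d %d\n", run_demo(100, 1), run_demo(70000, 1), run_demo(70000, 0)); /* 0 1 2 */
    return 0;
}
```

With the limit on, the over-long request never reaches the copy; with the limit off, the overrun is still caught by the cookie check before the frame is used, which is the layered behaviour the slides describe.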


115

Chart (figure residue): security bulletins versus days after product release. Bar values shown: 67 and 35 (two further values garbled in extraction as 8855 and 8844); a 2003 label. Product release dates: 11/29/2000, 05/31/2001, 09/28/2003, 11/17/2003. Labels: Bulletins 614 Days After Product Release; Bulletins 564 Days After Product Release; As of June 2, 2005.


116

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.