Our Products: 80% of world’s critical infrastructures
Determined, resourceful, global adversaries
Our Resources: Attacked > 4,000 times a day
At least one DDoS a day
Logged attacks from every country
Our Business: Subject to Phishing, Bots, Root-kits, …
Mainframes
Emanations: Tempest
Insiders: TCSEC, Common Criteria
Networks
Eavesdropping: DES, AES, IPSec
Network Protocols: SYN flood, DNS spoofing
Network Stacks: “Ping of death”
Services
Operating System Services: Buffer overruns, XSS, Web spoofs, worms
Application Services: SQL injection, SQL Slammer, Media players
[Diagram: vulnerability lifecycle. Stages: Undiscovered; Vulnerability Discovered; Correction; Component Fixed; Packaging; Customer Fix Available; Customer Testing / Deployment; Fix Deployed. Labels on the diagram: Early Disclosure; Responsible Disclosure; Vulnerability Disclosed; Experimentation; Software Ship; Module Gap; Actual Vulnerability To Attack.]
Annotations added on successive slides: “Rarely discovered”; “Attacks occur here”; “Why does this gap exist?”
Days from patch to exploit have decreased so that patching is not a defense in large organizations
Average 6 days for patch to be reverse engineered to identify vulnerability (Source: Microsoft)
Days between update and exploit:
Nimda: 331
SQL Slammer: 180
Welchia/Nachi: 151
Blaster: 25
Sasser: 14
Blaster shows the complex interplay between security researchers, software companies, and hackers
July 1: Report. Vulnerability in RPC/DCOM reported; MS activated highest level emergency response process (vulnerability reported to us, patch in progress)
July 16: Bulletin. MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies (bulletin & patch available, no exploit)
July 25: Exploit. X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers (exploit code in public)
Aug 11: Worm. Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”) (worm in the world)
Source: Microsoft
Analysis of code led us to t33kid.com; FBI/USSS watched and gathered intelligence
Real-time subpoena: ISP Cari.net in San Diego (issued by on-call AUSA)
Virtual host led to Texas: owner of site in Texas had criminal record, was potential suspect
T33kid.com leased space from Texas owner; investigative work led us to Jeffrey Lee Parson
Seven computers seized
“Less than 24 hours after Microsoft released its Security Bulletins for August, exploit code was made publicly available for the vulnerabilities addressed in Microsoft Security Bulletin MS05-038 and MS05-041. The postings, titled ‘Microsoft Internet Explorer COM Objects Instantiation Exploit (MS05-038)’ and ‘Microsoft Windows Remote Desktop Protocol DoS Exploit (MS05-041),’ were published by the French security firm FrSIRT. A second piece of code was published on August 11th for MS05-038.”
“Three pieces of exploit code targeting the Windows Plug and Play issue (MS05-039) have been made publicly available. These are listed as the ‘Microsoft Windows Plug and Play Remote Buffer Overflow Exploit (MS05-039)’, ‘Microsoft Windows 2000 Plug and Play Universal Remote Exploit (MS05-039)’ and ‘Microsoft Windows 2000 Plug and Play Universal Remote Exploit #2 (MS05-039)’ on the FrSIRT Web site. One of which has also been included as an exploit module in the Metasploit Framework.”
“Authorities in Morocco and Turkey have arrested two people believed to be responsible for unleashing a computer worm that infected networks at U.S. companies and government agencies earlier this month, the FBI said Friday.…Microsoft played a role in locating the suspects, the FBI said.” http://www.msnbc.msn.com/id/9086742/
Answers “Where are the greatest risks?”
Exploits written in 2005 for 6 popular operating systems: Win32, Linux (4 distributions)
Exploits written 2005 YTD - all platforms, by component: Network Service 19%; Browser 15%; Kernel 11%; Multimedia App 8%; OS Component 6%; Productivity App 6%; Web Server App 6%; Mail Server 4%; OS Admin Tools 4%; Development Tools 4%; Windowing Environment 4%; File Compression 3%; Database 3%; Image Processing 3%; Mail Client 2%; Code Repository 1%; Misc 1%; Web Server 0%
2005 Vulns and Exploits (YTD), thru May 31, 2005:
Vulns | Exploitable | Trivial
Total: 344 | 96 | 61
Network service exploits, thru May 31, 2005: squid 25%; ethereal 21%; tcpip 13%; tcpdump 13%; dnsmasq 8%; kdenet 4%; ftp 4%; telnet 4%; ppxp 4%; msmq 4%
[Diagram: attacker population plotted by motivation against skill. Motivation axis: National Interest; Personal Gain; Personal Fame; Curiosity. Skill axis: Script-Kiddy; Hobbyist Hacker; Expert; Specialist. Attacker types placed on the grid: Vandal; Thief; Spy; Trespasser; Author.]
Fastest growing segment
Tools created by experts now used by less skilled attackers and criminals
Timeline from 1990 to 2005
Earlier in the period: 16-bit 100 MHz processor; 10 GByte disk; 20 MByte RAM; CD drive; 13” VGA monitor
Windows 95; FAT FS; IPX and NetBIOS; Open networking
By 2005: 32-bit 2.5 GHz processor; 250 GByte disk; 3 GByte RAM; DVD R/W drive; 21” digital monitor
Windows XP SP2; ICF; USB; UPnP; Windows Update
Legacy creates security issues
The security kernel of Windows NT was written:
Before there was a World Wide Web
Before TCP/IP was the default communications protocol
The security kernel of Windows Server 2003 was written:
Before buffer overflow tool kits were available
Before Web Services were widely deployed
Six computers attached to Internet: different versions of Windows, Linux and Mac OS
Over the course of one week, machines were scanned 46,255 times
4,892 direct attacks
No up-to-date, patched operating systems succumbed to a single attack
All down-rev systems were compromised
Windows XP with no patches: infested in 18 minutes by Blaster and Sasser; within an hour it became a "bot"
Source: StillSecure, see http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html
Compromise of security by trusted party: traditional domain of TCSEC and Common Criteria
Compromise of design or implementation
Compromise during distribution
Compromise by user
Compromise by admin
Traditional “hacker”: asynchronous network attack via vulnerability
User self-betrayal
Attacker → exploit vulnerability, or fool user into self-betrayal
Malware: spam, phishing, worms, bots, …
Asymmetric: attacker need only find one victim; defender needs to protect all
Force multiplier: write once, attack all
Harvest: harvest the “interesting” successes
Mass unsolicited email
For commerce: direct mail advertisement
For Web traffic: artificially generated Web traffic
Harassment
For fraud: phishing, identity theft, credential theft
“Our first program pays you $0.50 for every validated free-trial registrant your website sends to [bleep]. Commissions are quick and easy because we pay you when people sign up for our three-day free-trial. Since [bleep] doesn't require a credit card number or outside verification service to use the free trial, generating revenue is a snap.
The second program we offer is our pay per sign-up plan. This program allows you to earn a percentage on every converted (paying) member who joins [bleep]. You could make up to 60% of each membership fee from people you direct to join the site.
Lastly, [bleep] offers a two tier program in addition to our other plans. If you successfully refer another webmaster to our site and they open an affiliate account, you begin earning money from their traffic as well! The second tier pays $0.02 per free-trial registrant or up to 3% of their sign-ups.”
Key Points
•$0.50 for every validated free-trial registrant
•60% of each membership fee
SoBig spammed over 100 million inboxes
If 10% read the mail and clicked the link = 10 million people
If 1% of people who went to site signed up for 3-day free trial = (100,000 people) x ($0.50) = $50,000
If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr
California Man Charged with Botnet Offenses (November 3, 2005)
Botnets are big business ... U.S. case against an alleged computer hacker, who authorities believe netted $60,000 in cash and a BMW from a personal army of zombie computers.
Federal authorities arrested a 20-year-old California man Thursday and charged him with running a network of 400,000 compromised computers called a "botnet," including computers used by the U.S. government for national defense.
Ancheta was a member of affiliate networks used by unnamed "advertising service companies," who paid him around $60,000 to install their advertising software on the machines he controlled, the statement alleges.
Ancheta allegedly distributed software for Gammacash, of Quebec, and LoudCash, part of CDT of Montreal, which was purchased by 180 Solutions Inc. in April.
Faking: an e-mail that seems to be from a legitimate source
Spoofing: a Web site that appears to be “official”
Phishing: luring users to provide sensitive data
Deceptive Address: source code reveals the actual mail-from address as “href=mailto://[email protected]”
Impersonal Message: be wary if a company with which you regularly do business fails to address you by name
Alarmist Message: criminals try their best to create a sense of urgency so you'll respond without thinking. Also, look for misspellings, grammatical errors, and typos, such as “…an access to MSN services for your account…”
Deceptive Link: source code reveals that the actual address linked to is “href=http://www.online-msnupdate.com/?sess=qCKWmHUBPPZwT8n4GEMNn70wHDEG140IHKG5tAGiqGOINeov&:[email protected]”
The difference between these two URLs could be a sign that the message is fake. (However, even if the URLs are the same, don't let down your guard, because the pop-up could be a trick, too.)
Know the Company: eBay generally does not send out emails to customers containing login links. Look carefully at the status bar for all links and URLs; the URL in the status bar for the login link is not eBay.com.
Differences between links or URLs in an email and the status bar should make you suspicious. If you receive an e-mail like this one, open a new browser window, type in the URL yourself and log in to your account to see if there are any real account problems.
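One way to automate the link checks described above (the href target versus the displayed URL, user-info before an '@', and whether the link actually lands on the company's own domain), as an added Python example that is not from the presentation; the message body, the example.com brand and the 198.51.100.7 / 203.0.113.9 addresses are constructed.

```python
# Added example, not from the presentation: automate the link checks the slides
# above describe. The message body, the example.com brand and the 198.51.100.7 /
# 203.0.113.9 addresses are constructed sample data.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed e-mail body: one honest link, then three deceptive patterns
# (look-alike host, user-info before '@', bare IP behind generic link text).
SAMPLE_HTML = """
<p>We detected a problem with your account. Please verify now:</p>
<a href="https://www.example.com/account">https://www.example.com/account</a><br>
<a href="http://www.example.com.account-check.test/login">http://www.example.com/login</a><br>
<a href="http://www.example.com@198.51.100.7/login">Secure login</a><br>
<a href="http://203.0.113.9/verify?id=42">Click here</a>
"""

# Visible anchor text that itself looks like a URL (so it can be compared to the href).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors


def _normalize(url):
    return url if "://" in url else "http://" + url


def actual_host(url):
    """Host the browser will really connect to: lowercase, user-info and port stripped."""
    return (urlsplit(_normalize(url)).hostname or "").lower()


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def link_findings(href, text, expected_domain):
    """Reasons a link looks deceptive for a message claiming to come from expected_domain."""
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ("", "http", "https"):
        return ["non-web link scheme '%s'" % scheme]
    findings = []
    host = actual_host(href)
    if "@" in urlsplit(_normalize(href)).netloc:
        findings.append("user-info before '@': the real host is %s" % host)
    if URL_LIKE.match(text) and actual_host(text) != host:
        findings.append("visible URL shows %s but link goes to %s" % (actual_host(text), host))
    if not same_site(host, expected_domain):
        findings.append("link host %s is not under %s" % (host, expected_domain))
    return findings


def scan_message(html, expected_domain):
    """Map each href in the body to its findings; an empty list means the link passed."""
    return {href: link_findings(href, text, expected_domain)
            for href, text in extract_anchors(html)}


if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_HTML, "example.com").items():
        print("WARN" if reasons else "OK  ", href, "; ".join(reasons))
```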
65
66
67
1 MS filed John Doe lawsuit in WA
2 Issued subpoenas to web hosts in CA
3 Subpoenas identified ISP in Austria
4 Austrian ISP identified IP address registered to Qwest in the US
5 Subpoena to Qwest and investigations identified Jayson Harris in Iowa, US
6 Referred to FBI and obtained $3 million Default Judgment
Most people are spoofed: over 60% have visited a fake or spoofed site
People are tricked: over 15% admit to having provided personal data
Target for spoofing attacks: banks, credit card companies, Web retailers, online auctions (E-bay) and mortgage companies
Economic loss: 1.2 million U.S. adults have lost money; the total dollar impact: $929 million
Source: TRUSTe & Gartner
Software that collects personal information from you without your knowledge or permission
Privacy: 15 percent of enterprise PCs have a keylogger (Source: Webroot's SpyAudit)
Number of keyloggers jumped three-fold in 12 months (Source: Sophos)
Reliability: Microsoft Watson, ~50% of crashes caused by spyware
Support Costs: Dell, HP, IBM: spyware causes ~30% of calls; estimated support costs at $2.5m+ / year
Israel Spyware
“Dubbed "Trojangate," the incident resulted in nearly 20 arrests, with some reports indicating that there were hundreds -- perhaps thousands -- of documents stolen from multiple Israeli firms. About 100 servers containing stolen data have been seized and are being investigated.” BBC
“In 2004, MessageLabs came upon a Trojan horse created for the purpose of attacking a type of software used in airplane design.” AP
“Someone placed surveillance software on sheriff's office computers, apparently enabling unauthorized access to sensitive information about prisoner movements, confidential homeland security updates and private personnel files.” AP
UK police foil massive bank theft “Police in London say they have foiled one of the biggest attempted bank thefts in Britain. The plan was to steal £220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui. Computer experts are believed to have tried to transfer the money electronically after hacking into the bank's systems. A man has been arrested by police in Israel after the plot was uncovered by the National Hi-Tech Crime Unit. Unit members worked closely with Israeli police …” Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/uk/4356661.stm
Microsoft Windows AntiSpyware
Global SpyNet™ community helps identify new spyware
Automatic signature downloads keep you up-to-date
17 million downloads, 23 million spyware packages cleaned
Scheduled scans help maintain PC security and privacy
Continuous protection guards 50+ ways spyware gets on a PC
Intelligent alerts handle spyware based on your preferences
Driver | Characteristic | Instance count | Share
Delprot.sys | Deletion protection for iSearch adware/spyware. | 81870 | 1.03%
“LoadMeDude” (TROJ_LODMEDUD_A) | Randomly named driver that hides processes, registry, files. Auto-update capability. Bundled with Comedy Central adware/spyware. | 25496 | 0.32%
winik.sys | Protects CommonName adware/spyware. | 13583 | 0.17%
iesprt.sys (TROJ_BANKER.W) | Steals banking passwords. | 2386 | 0.03%
Hxdefdrv.sys (“Hacker Defender”) | Public domain source rootkit. Resource hiding and backdoor capability. | 1323 | 0.02%
Bot Ecosystem: bots, botnets, control channels, herders
It began en masse with MyDoom.A
Eight days after MyDoom.A hit the Internet: scanned for the back door left by the worm; installed Trojan horse called Mitglieder; then used those systems as their spam engines
Millions of computers across the Internet were now for sale to the underground spam community
Age (days) | Name | Server | MaxSize
02.00 | nubela.net | dns.nubela.net | 10725
10.94 | winnt.bigmoney.biz (randex) | winnt.bigmoney.biz | 2393
09.66 | PS 7835 - y.eliteirc.co.uk | y.eliteirc.co.uk | 2061
09.13 | y.stefanjagger.co.uk (#y) | y.stefanjagger.co.uk | 1832
03.10 | ganjahaze.com | ganjahaze.com | 1507
01.04 | PS 8049 - 1.j00g0t0wn3d.net | 1.j00g0t0wn3d.net | 3689
10.93 | pub.isonert.net | pub.isonert.net | 537
08.07 | irc.brokenirc.net | irc.brokenirc.net | 649
01.02 | PS 8048 - grabit.zapto.org | grabit.zapto.org | 62
10.34 | dark.naksha.net | dark.naksha.net | UNK
08.96 | PS 7865 - lsd.25u.com | lsd.25u.com | UNK
UNK | PS ? - 69.64.38.221 | 69.64.38.221 | UNK
89
90
As of 12 August 2005: tracking 3523 bot-nets, of which 700 are active. Average size is 80,000 computers.
91
Botnet with 10,000 Machines Shut Down (Sept 8, 2004)
“A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages. […]”
http://news.netcraft.com/archives/2004/09/08/botnet_with_10000_machines_shut_down.html
92
FBI busts alleged DDoS Mafia (Aug 26, 2004)
“A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors [...]”
http://www.securityfocus.com/news/9411
93
Keystroke loggers for stealing CC, PII
SYN or application flooding code
  Used for DDoS
DDoS has been used many times
  Including public attacks against Microsoft.com
Spam relays – 70-80% of all spam
  Source: SpecialHam.com, Spamforum.biz
Piracy
Future features
94
Attack | Requests/bot | Botnet total | Resource exhausted
Bandwidth flood (uplink) | 186 kbps | 1.86 Gbps | T1, T3, OC-3, OC-12
Bandwidth flood (downlink) | 450 kbps | 4.5 Gbps | T1, T3, OC-3, OC-12, OC-48 (2.488 Gbps); 50% of Taiwan/US backbone
SYN flood | 450 SYNs/sec | 4.5M SYN/sec | 4 dedicated Cisco Guard (@$90k) or 20 tuned servers
Static HTTP GET (cached) | 93/sec | 929,000/sec | 15 servers
Dynamic HTTP GET | 93/sec | 929,000/sec | 310 servers
SSL handshake | 10/sec | 100,000/sec | 167 servers
Figures assume a 10,000-member botnet.
95
September 2004 postings to SpecialHam.com, Spamforum.biz:

> $350.00/weekly - $1,000/monthly (USD)
> Type of service: Exclusive (One slot only)
> Always Online: 5,000 - 6,000
> Updated every: 10 minutes

> $220.00/weekly - $800.00/monthly (USD)
> Type of service: Shared (4 slots)
> Always Online: 9,000 - 10,000
> Updated every: 5 minutes
96
Updated monthly to remove prevalent malware
Targeted at consumers without antivirus
Enterprise deployable as part of a defense-in-depth strategy
Available through: Windows Update, Auto Update, Online interface, MS Download Center
Complements traditional antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC
97
Release | Days live | Executions | Disinfections (value) | Disinfections (%)
January | 28 | 124,613,632 | 239,197 | 0.1920%
February | 28 | 118,209,670 | 351,135 | 0.2970%
March | 35 | 145,502,003 | 443,661 | 0.3049%
April | 28 | 125,150,400 | 590,714 | 0.4720%
May | 35 | 164,283,730 | 1,154,345 | 0.7027%
June | 28 | 162,763,946 | 642,955 | 0.3950%
July | 18 | 156,379,734 | 627,414 | 0.4090%
Total | 200 | 1,001,824,331 | 4,093,531 | 0.4106%
[Chart: Machines Cleaned (log scale, 1 to 1,000,000) against Malware per Machine (1 to 9). Source: Microsoft]
[Pie chart of malware cleaned by family: Bots 58%, Exploit Worms 15%, Mass Mailing Worms 15%, Rootkits 10%, Trojans 1%, Instant Msg. Worms 1%]
98
Increase the value of an enterprise by damaging a competing enterprise
Manipulate the value of a futures contract
Divert delivery of value to someone to whom it was not intended
Make a coercive threat credible
Stop by direct intervention an activity perceived as destroying value
Reduce an opponent’s defensive or destructive capabilities
Source: Scott Borg, an economist at Dartmouth
99
100
[Diagram built up over slides 100-103. Labels: Intended Behavior, Actual Behavior, Traditional Bugs, Most Security Bugs]
104
Create model of app (DFD, UML etc)
Categorize threats with STRIDE: Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege
Build threat tree
Rank threats with DREAD: Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability
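One way to carry the four steps above through in code, as an added example that is not from the presentation: a threat tree for the DFD node 1.2.1 Parse Request, a STRIDE tag per goal, and a DREAD ranking that uses the common convention of rating each factor 1 (low) to 10 (high) and averaging. The tree, threat names and ratings are constructed samples, and the AND/OR node semantics and the "mitigated" flag on conditions are this example's own additions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    EOP = "Elevation of privilege"

@dataclass
class Dread:
    """One rating per DREAD factor, 1 (low) to 10 (high); the score is the mean."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> float:
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if any(not 1 <= f <= 10 for f in factors):
            raise ValueError("each DREAD factor is rated 1 (low) to 10 (high)")
        return sum(factors) / len(factors)

@dataclass
class Node:
    """Threat-tree node: a goal, a sub-threat, or a leaf condition."""
    name: str
    children: list["Node"] = field(default_factory=list)
    all_required: bool = False  # True: AND node (every child needed); False: OR node
    mitigated: bool = False     # set on a condition once a countermeasure is in place

    def is_open(self) -> bool:
        """True while some unmitigated path through the subtree still reaches this node."""
        if self.mitigated:
            return False
        if not self.children:
            return True
        combine = all if self.all_required else any
        return combine(child.is_open() for child in self.children)

@dataclass
class Threat:
    goal: Node        # root of this threat's tree
    category: Stride  # STRIDE classification of the goal
    dread: Dread

def rank_open_threats(threats: list) -> list:
    """(goal, STRIDE category, DREAD score) for each threat whose tree is still
    open, highest score first; a fully mitigated tree drops out of the ranking."""
    rows = [(t.goal.name, t.category.value, round(t.dread.score(), 1))
            for t in threats if t.goal.is_open()]
    return sorted(rows, key=lambda row: row[2], reverse=True)

def sample_threats() -> list:
    """Constructed threats against DFD process 1.2.1 Parse Request (the slide's node)."""
    overrun = Node("Overrun the request buffer", all_required=True, children=[
        Node("Attacker sends an oversized URL"),
        Node("Parser copies the URL without a length check", mitigated=True)])
    spoof = Node("Forge the caller's identity", children=[
        Node("Replay a captured session token"),
        Node("Guess a weak session token", mitigated=True)])
    flood = Node("Tie up the parser with malformed requests")
    return [Threat(overrun, Stride.EOP, Dread(10, 8, 6, 10, 7)),
            Threat(spoof, Stride.SPOOFING, Dread(7, 6, 5, 6, 6)),
            Threat(flood, Stride.DOS, Dread(5, 9, 8, 8, 9))]
```

Because the overrun goal is an AND node and one of its conditions is mitigated, it drops out of the ranking even though it carries the highest DREAD score.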
105
[Diagram built up over slides 105-107: threat tree for DFD process 1.2.1 Parse Request. Nodes: Threat (Goal) tagged with its STRIDE category; Sub threat; Threat Condition; DREAD rating on threats and conditions. Key: Sub threat, Threat, Condition]
108
109
The underlying DLL (NTDLL.DLL) not vulnerable
  Code made more conservative during Security Push
Even if it was vulnerable
  IIS 6.0 not running by default on Windows Server 2003
Even if it was running
  IIS 6.0 doesn’t have WebDAV enabled by default
Even if it did have WebDAV enabled
  Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)
Even if the buffer was large enough
  Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
Even if there was an exploitable buffer overrun
  Would have occurred in w3wp.exe which is now running as ‘network service’
(Slides 109-114 build this list up one layer at a time.)
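An added example, not Microsoft's or IIS's code, of how two of the layers above can be enforced as a request gate: WebDAV verbs are refused unless enabled, and a 16 KB URL cap is applied to the raw bytes before any path handling, so a request carrying the >64 KB URL the slide mentions is refused by the length check alone. The method lists, status codes and sample request lines are assumptions made for this example, not a description of IIS behaviour.

```python
import re

# Verbs a plain web server answers; the WebDAV verbs are refused unless enabled,
# mirroring "WebDAV not enabled by default" in the list above (assumed lists).
BASE_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS"})
WEBDAV_METHODS = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                            "LOCK", "UNLOCK"})
MAX_URL_DEFAULT = 16 * 1024  # 16 KB URL cap, the IIS 6.0 default quoted on the slide
# method of at most 16 letters, a URL of printable ASCII, then the HTTP version
REQUEST_LINE = re.compile(rb"^([A-Z]{1,16}) ([\x21-\x7e]+) HTTP/1\.[01]$")


class Rejected(Exception):
    """Raised with the HTTP status the gate would answer with."""
    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status


def gate_request_line(raw: bytes, webdav_enabled: bool = False,
                      max_url: int = MAX_URL_DEFAULT) -> tuple:
    """Check one request line and return (method, url) only when it passes.

    Checks run on the raw bytes, cheapest first: an oversized line is refused
    by arithmetic on its length before any parsing, and a verb that is switched
    off is refused before the URL is examined at all."""
    line, sep, _rest = raw.partition(b"\r\n")
    if not sep:
        raise Rejected(400, "request line not terminated")
    # method (<= 16) + space + URL + space + "HTTP/1.x" bounds a legal line's length
    if len(line) > 16 + 1 + max_url + 1 + 8:
        raise Rejected(414, "Request-URI Too Long")
    match = REQUEST_LINE.match(line)
    if match is None:
        raise Rejected(400, "malformed request line")
    method, url = match.group(1).decode("ascii"), match.group(2)
    if method in WEBDAV_METHODS and not webdav_enabled:
        raise Rejected(405, "Method Not Allowed")  # WebDAV verb while WebDAV is off
    if method not in BASE_METHODS | WEBDAV_METHODS:
        raise Rejected(501, "Not Implemented")
    if len(url) > max_url:
        raise Rejected(414, "Request-URI Too Long")  # cap hit before any path handling
    return method, url


def gate_status(raw: bytes, **config) -> int:
    """200 if the request line passes the gate, else the status it was refused with."""
    try:
        gate_request_line(raw, **config)
        return 200
    except Rejected as exc:
        return exc.status


# Constructed sample request lines (not captured traffic).
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
DAV_PROBE = b"PROPFIND /docs/ HTTP/1.1\r\nHost: example.test\r\n\r\n"
OVERSIZED = b"GET /" + b"A" * (64 * 1024) + b" HTTP/1.1\r\n\r\n"  # URL of 64 KB + 1

if __name__ == "__main__":
    # The default (hardened) configuration beside a permissive one.
    for name, req in (("normal", NORMAL), ("webdav probe", DAV_PROBE), ("oversized", OVERSIZED)):
        print(f"{name:13s} default={gate_status(req)} "
              f"permissive={gate_status(req, webdav_enabled=True, max_url=128 * 1024)}")
```

Only the permissive configuration (WebDAV on and a 128 KB cap) lets the oversized line through to the URL handler; with the defaults it never reaches the parser.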
115
[Chart: security bulletins issued in the days after product release, as of June 2, 2005. One comparison: products released 11/29/2000 and 09/28/2003, bulletins 614 days after product release. Another comparison: products released 05/31/2001 and 11/17/2003, bulletins 564 days after product release. Bar labels as extracted: 67, 35, 8, 5, 8, 4; axis label "Days After Product Release"; label "2003".]
116
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.