Page 1: Evolving Threats

Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE
Florida PI License C2800597
Forensics & Recovery LLC, Florida PI Agency License A2900048

Page 2: Welcome To My World

• Conficker update
• Risk of banking via cell phone rising
• Backdoor in a box
  – Covert channels on a budget
• Obfuscation wins again
  – Adobe issues not going away
• Wireless network tap
  – Sniffing a network from 300 meters
• What’s that light at the end of the tunnel
  – Patch that Mac
• Old malware never dies

Page 3: Conficker Update

• Upgrades
  – No longer limited to 250 domains for updates
    • 50,000 domains
    • Peer-to-peer updates
    • Blocks access to a larger range of security sites
  – First nefarious use of the Conficker botnet detected
    • More sure to come

Page 4: Conficker Update

Page 5: Conficker Update

Page 6: Conficker Update

Page 7: Big Money

• 1.8M unique users were redirected to the rogue Anti-Virus software during 16 consecutive days
• Members of the affiliate network were rewarded for each successful redirection with 9.6 cents “a piece”, which totals $172,800, or $10,800 per day

Page 8: Introducing Gumblar - Son of Conficker

• In 2008 one website was compromised every 5 sec
  – Now it is one every 4.5 sec
• End game is the same – deliver malware
• Gumblar is building two botnets
  – First botnet is made up of compromised web servers and is used to distribute “drive-by” malware across web servers
  – Second botnet is made up of PCs that visit the web sites and become infected
    • These PCs become part of a spam spewing botnet

Page 9: Introducing Gumblar - Son of Conficker

• Gumblar is now found on 42% of all discovered compromised websites

Page 10: Root Cause…

• Really drives home the underlying problem with network security today…
• One of the most successful vulnerabilities being exploited today is RDS (MDAC)
• This one vulnerability is responsible for over 70% of compromises from automated toolkits
• Did I mention that the vulnerability was patched 3 years ago…

Page 11: Most Popular Toolkit

Page 12: Pinch Lives On…

• Even while the authors sit in prison, Pinch continues to infect users

Page 13: It’s Not Rocket Science…

• It is common knowledge that you can eliminate 90% of your risk by applying patches in a timely manner
• It was recently reported by IBM that over 70% of Microsoft vulnerabilities in 2008 could be mitigated by simply enforcing the “rule of least privilege”

Page 14: Now This Is Interesting…

• For Sale: Used Nokia 1100, $30,000
• A software issue in the Nokia 1100 makes it easily re-programmable
  – Assume any identity
  – Actively being used in the UK to capture banking PINs sent via SMS

Page 15: Pogo Plug – Backdoor in a box

• Allows anything connected via USB to be easily shared across the Internet
  – Hard drive
  – Ethernet adapter
  – Wireless adapter

Page 16: Pogo Plug – Backdoor in a box

• Yes there are a few good uses but…

Page 17: Signatures Are Obsolete

Page 18: Signatures Are Obsolete

Page 19: Obfuscation wins again

Page 20: Obfuscation wins again

Page 21: Well it started as a good idea

Page 22: Well it started as a good idea

Page 23: Well it started as a good idea

Page 24: 20,000 Illegal Downloads…

• Pirated copy of iWork contained malware

Page 25: First Mac BotNet

• First use of iBotnet was a DDoS attack

Page 26: First Mac BotNet

• Apple is currently associated with 57 different software products and numerous hardware platforms
• A search on reported vulnerabilities of OSX shows 128 Secunia Advisories and 866 reported Vulnerabilities – http://secunia.com/advisories/product/96/

That light at the end of the tunnel is an oncoming train…

Page 27: Windows RC7 – Botnet

Page 28: Summary

• We have yet to feel the impact of Conficker – more to come
• Cell phones are becoming a viable target
• Pogo Plug demonstrates the need to re-evaluate access to 80/443 outbound
• We need to rethink signatures; the current model is doomed to fail
• Wireless network taps will play a part in data leakage
• Security by obscurity is over for Mac
• Obfuscation brings new life to old malware

Page 29: Forensics & Recovery LLC, Florida PI License A 29004

www.forensicsandrecovery.com

Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE
Florida PI License C2800597

25 SE 69th Place, Ocala, FL 34480
Telephone (954) 854 9143
[email protected]