Trends in Network Security

Ben Feinstein, CISSP GCFA
Director of Research
SecureWorks Counter Threat Unit℠

Friday, April 23rd, 2010
Informática64
Móstoles, Spain

Introduction

Who Am I?
• Native of Atlanta, Georgia USA
• 12 years old, dial-up UNIX shell, telneting around the world
• Professional software developer as a teenager
• Bachelor of Science in Computer Science (c. Economics), 2001
  – Harvey Mudd College, Claremont, California USA
• Author of RFC 4765 and RFC 4767
• Software Engineer at a series of security start-ups, 2001 – 2006
• Joined SecureWorks in 2006
• Certified Information Systems Security Professional (CISSP)
• SANS Global Information Assurance Certified Forensics Analyst (GCFA)

Who is SecureWorks?
• Market leading provider of information security services
  – Managed Security Services Provider (MSSP)
  – Security and Risk Consulting (SRC)
• Over 2,700 clients worldwide, including more than 10% of Fortune 500
• Suite of managed information and network security services
  – Security Information Management (SIM) On Demand
  – Log Monitoring
  – Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS)
  – Threat Intelligence
  – Firewall
  – Host IPS
  – Vulnerability Scanning
  – Web Application Scanning
  – Log Retention
  – Encrypted Email

Agenda
• Computer Networks
• Vulnerability Trends of 2009
• Malware Trends of 2009
• Information Disclosure
• Aurora
• Other Trends
• The New .CN
• Mariposa / ButterflyBot
• Conclusion
• Q & A

From Mainframes to Today’s Internet

The Development of Computer Networks
• Advanced Research Projects Agency (ARPA)
  – Established in 1958 after Soviet launch of Sputnik satellite in 1957
  – Later renamed the Defense Advanced Research Projects Agency (DARPA)
  – Directly manages a $3.2B budget
• ARPANET developed by ARPA for US Department of Defense (DoD)
  – Development work began in 1969

Decentralization of Computing Power
• Mainframes gave way to Personal Computers (PCs)
• Development of Local Area Networks (LANs)
• Dial-up Internet
• Broadband Internet

ARPANET, circa March 1977

Map of Internet Routers (2005), Opte Project
http://www.opte.org/

Map of Online Communities, xkcd #256
http://xkcd.com/256/, Spring 2007

Some (Much) Older Networks to Remember
• Hawala
• Pony Express

Source: International Monetary Fund

Network Security

The Network as an Attack Surface
• Concept of Threat Modeling
• Concept of an Attack Surface
• Local Attacks vs. Remote Attacks
• Common Vulnerability Scoring System (CVSS) version 2
  – Exploitability metrics
  – Access Vector: Local, Adjacent Network, Network
• Widespread adoption of Firewalls
• Widespread adoption of the Web
• Web 2.0
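The Access Vector metric is where CVSS v2 encodes the local-versus-remote distinction from the bullets above. The Python block below is an added example, not part of the original slides: it implements the CVSS v2 base-score equations (the metric weights, the 10.41 impact scale and the 1.176 impact factor are the published constants) and scores one and the same flaw with each of the three Access Vector values, so the effect of network reachability on the score is visible. The vector strings it is fed are constructed inputs.

```python
"""CVSS v2 base score, with the Access Vector (Local / Adjacent / Network) made explicit.
Added example; weights and equations follow the CVSS v2 specification."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local, Adjacent Network, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple, Single, None
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}        # None, Partial, Complete


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict of metric letters."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - set(metrics)
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return metrics


def round1(value):
    """CVSS rounds to one decimal, half up; Decimal avoids float rounding surprises."""
    return float(Decimal(str(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def exploitability(metrics):
    """Exploitability subscore: 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[metrics["AV"]] * ACCESS_COMPLEXITY[metrics["AC"]] * AUTHENTICATION[metrics["Au"]]


def impact(metrics):
    """Impact subscore: 10.41 * (1 - (1-C)(1-I)(1-A))."""
    c, i, a = (IMPACT_WEIGHT[metrics[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def base_score(vector):
    """Base score = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact), f = 0 when Impact is 0."""
    metrics = parse_vector(vector)
    imp, exp = impact(metrics), exploitability(metrics)
    f_impact = 0 if imp == 0 else 1.176
    return round1(((0.6 * imp) + (0.4 * exp) - 1.5) * f_impact)


def compare_access_vectors(rest="AC:L/Au:N/C:C/I:C/A:C"):
    """Score the same flaw as locally, adjacent-network and network reachable."""
    return {av: base_score(f"AV:{av}/{rest}") for av in ("L", "A", "N")}


if __name__ == "__main__":
    for av, score in compare_access_vectors().items():
        print(f"AV:{av} -> {score}")
```

With complete confidentiality, integrity and availability impact and no authentication, the identical flaw scores 7.2 when only locally reachable, 8.3 from an adjacent network and 10.0 from the network, which is why the move to a network-facing, firewall-less, Web 2.0 world widened the attack surface rather than just the user base.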

Vulnerability Trends of 2009

2009 Vulnerability Trends
• Vulnerabilities disclosed for document readers and editors soared.
  – Office documents including spreadsheets and presentations
  – Portable Document Format (PDF) documents – the dubious champ
  – Favorite vector of “Spear Phishers”, including “Operation Aurora”
• The appearance of new malicious Web links has skyrocketed globally in the past year.
  – Phishing, Malvertisements, Fake-AV, etc.
  – A large number of sophisticated web-attack toolkits are available for sale.
  – CSS and SQLi attacks primarily used to redirect web-surfers to an attack-toolkit!
• Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries that had not previously been in the game.
  – Attackers are shifting their geographical profiles due to various pressures
  – Lots and lots of money to be made

Vulnerability Metrics for 2H 2009

Malware Trends of 2009

2009 Malware Trends
• Malware authors and operators innovated
  – Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7
  – Complex and user friendly Banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits
  – Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use
• Better prepared for takedowns and other countermeasures
  – Lessons learned from the days of The RBN
• Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services
  – DNS double and triple-flux technologies
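The flux bullet refers to fast-flux hosting: a domain's A records rotate through many compromised hosts with short TTLs, and in double-flux the domain's own name servers rotate the same way. The Python block below is an added example, not SecureWorks code: a heuristic that reads passive-DNS style log lines and flags a domain whose A records spread across many addresses and /16 prefixes with short TTLs, and raises that to double-flux when the domain's name servers show the same pattern. The log format, the thresholds and the sample records are all constructed for the example, and the /16 prefix count stands in for the ASN diversity a production detector would use.

```python
"""Heuristic fast-flux detector over constructed passive-DNS log lines (added example)."""
from collections import defaultdict

# Constructed sample data, not real observations. Format: epoch qname rtype ttl rdata
SAMPLE_LOG = """\
1261560000 evil.example A 120 203.0.113.10
1261560000 evil.example A 120 198.51.100.7
1261560130 evil.example A 120 192.0.2.44
1261560130 evil.example A 120 100.64.1.9
1261560260 evil.example A 120 203.0.113.77
1261560260 evil.example A 120 198.51.100.200
1261560000 evil.example NS 120 ns1.evil.example
1261560000 evil.example NS 120 ns2.evil.example
1261560000 ns1.evil.example A 60 192.0.2.11
1261560060 ns1.evil.example A 60 203.0.113.5
1261560120 ns1.evil.example A 60 100.64.7.7
1261560000 ns2.evil.example A 60 198.51.100.3
1261560060 ns2.evil.example A 60 192.0.2.99
1261560000 corp.example A 86400 203.0.113.200
1261560000 corp.example A 86400 203.0.113.201
1261560000 corp.example NS 86400 ns1.corp.example
1261560000 ns1.corp.example A 86400 203.0.113.1
"""

# Assumed thresholds; tune against your own passive-DNS baseline.
MAX_FLUX_TTL = 300        # flux records are refreshed every few minutes
MIN_FLUX_IPS = 5          # distinct A records seen for the name
MIN_FLUX_PREFIXES = 3     # distinct /16 prefixes among those addresses
MIN_NS_IPS = 4            # distinct A records across the domain's name servers


def parse_log(text):
    """Yield (qname, rtype, ttl, rdata) tuples; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _ts, qname, rtype, ttl, rdata = line.split()
        yield qname.lower().rstrip("."), rtype.upper(), int(ttl), rdata.lower().rstrip(".")


def build_tables(records):
    """Aggregate A records (addresses, lowest TTL) and NS records per name."""
    a_ips, a_ttl, ns_names = defaultdict(set), {}, defaultdict(set)
    for qname, rtype, ttl, rdata in records:
        if rtype == "A":
            a_ips[qname].add(rdata)
            a_ttl[qname] = min(ttl, a_ttl.get(qname, ttl))
        elif rtype == "NS":
            ns_names[qname].add(rdata)
    return a_ips, a_ttl, ns_names


def slash16(ip):
    return ".".join(ip.split(".")[:2])


def classify(domain, a_ips, a_ttl, ns_names):
    """Verdict for one domain: normal, single-flux (A records) or double-flux (A + NS)."""
    ips = a_ips.get(domain, set())
    ttl = a_ttl.get(domain)
    prefixes = {slash16(ip) for ip in ips}
    single = (len(ips) >= MIN_FLUX_IPS and len(prefixes) >= MIN_FLUX_PREFIXES
              and ttl is not None and ttl <= MAX_FLUX_TTL)
    ns_ips, ns_ttl_ok = set(), False
    for ns in ns_names.get(domain, set()):
        ns_ips |= a_ips.get(ns, set())
        if a_ttl.get(ns, float("inf")) <= MAX_FLUX_TTL:
            ns_ttl_ok = True
    double = single and len(ns_ips) >= MIN_NS_IPS and ns_ttl_ok
    verdict = "double-flux" if double else "single-flux" if single else "normal"
    return {"a_ips": len(ips), "prefixes": len(prefixes), "min_ttl": ttl,
            "ns_ips": len(ns_ips), "verdict": verdict}


def flux_report(text):
    """Classify every name that has A records in the log."""
    a_ips, a_ttl, ns_names = build_tables(parse_log(text))
    return {name: classify(name, a_ips, a_ttl, ns_names) for name in sorted(a_ips)}


if __name__ == "__main__":
    for name, info in flux_report(SAMPLE_LOG).items():
        print(f"{name:20} {info['verdict']:12} ips={info['a_ips']} /16s={info['prefixes']} ttl={info['min_ttl']}")
```

The heuristic deliberately scores on a window of observations rather than a single answer: a CDN also returns many addresses with short TTLs, so in practice the prefix or ASN diversity and the name-server behaviour are what separate flux from legitimate distribution, and a whitelist of known CDN ranges sits in front of any alert.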

2009 Malware Trends
• Man in the browser/endpoint
  • Trojan Horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries
  • Common objective of this attack is to cause financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use
    – High-dollar Commercial OLB creds – compromised
    – Challenge secret questions – compromised
    – IP Geo-location – compromised
    – Email out-of-band – compromised
    – Hardware token – compromised
    – Device fingerprinting – compromised
    – Dual approver – compromised
    – SMS out-of-band – compromised

2009 Malware Trends
• Compromised web pages frequently vehicle of choice for mass malware distribution
  – Hence, most servers are compromised in order to compromise clients
  – Those clients may then be used to compromise servers inside the enterprise! (Aurora!)
• Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScripts
• Sophisticated software development
  – Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client-base and are producing highly usable, modular and upgradeable software at a tremendous rate.
  – For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes, including plug-ins designed to target specific PKI schemes, etc.

2009 Malware Trends
• Greater efficiency and targeting
• Dasient: 5.5 million web pages on 560,000 websites infected with malware in Q4 2009.
• Two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8
  – Smaller number of malicious programs means that users are less likely to notice an attack.
• Operators learning valuable business lessons
  – Operate 24/7 network of login-interceptors for high-value accounts
  – Operators are singling out SMBs that tend to have cash on hand and no real IT
  – Extremely sophisticated and profitable money-mule/laundering infrastructure now exists

Contemporary ACH / Wire Fraud
• Automated Clearing House (ACH)
• 1 – 4 victims / day
• Average take $100,000 / victim
• $500K – $1M/week
• $100M attempted in 2009
• $40M+ unrecovered
• > All US bank robberies combined
• Losses borne by victims due to ACH rules
• ALL done by ONE Eastern European crew

Recent ACH Fraud Cases
• XXXX County – $415,000
• XXXX Corp – $447,000
• XXXX Energy – $200,000
• XXXX Construction – $588,000
• XXXX Industrial – $1,200,000
• XXXX School District – $117,000
• XXXX XXXX School – $150,000
• XXXX University – $189,000

Source: myNetWatchman

Information Disclosure: Lessons from Airplanes and ATMs

Information Disclosure
• Failing to redact documents correctly
• Not removing document metadata
• Not sanitizing hard drives and other media
• Unencrypted data

Information Disclosure
• TSA published a SOP manual with sensitive information redacted

Information Disclosure
• The TSA added black bars on top of text and images to prevent them from being seen

Information Disclosure
The NSA specifically states that this will not work in their manual on redacting safely:
Google: “Redact Confidence”
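Why a drawn black bar does not redact: in a PDF the bar is just another drawing operation in the page content stream, and the text-showing operators underneath it stay in the file. The Python block below is an added illustration, not from the presentation or from the NSA guide: it reads an uncompressed page content stream (a constructed sample, not the TSA document), lists every string a text-showing operator would paint together with its origin, and reports which of those strings sit under a filled rectangle. A string reported as under an overlay is exactly the kind of leak that a text-extraction tool, or a reader pressing Ctrl-A, recovers from a bar-over-text "redaction".

```python
"""Check whether text survives under a drawn 'redaction' bar in a PDF content stream.
Added example; the sample stream is constructed, not taken from any real document."""
import re
import zlib

# Constructed, uncompressed page content stream: two text runs, then a black
# rectangle filled on top of the second one (the 'black bar' approach).
SAMPLE_STREAM = """\
BT /F1 12 Tf 72 700 Td (Screening procedure: ) Tj ET
BT /F1 12 Tf 200 700 Td [(SEC) -20 (RET)] TJ ET
0 g 195 695 60 14 re f
"""

PDF_STRING = re.compile(r"\(((?:\\.|[^\\)])*)\)")
TOKEN = re.compile(
    r"(-?\d+(?:\.\d+)?)\s+(-?\d+(?:\.\d+)?)\s+Td"   # text origin
    r"|\((?:\\.|[^\\)])*\)\s*Tj"                     # show one string
    r"|\[[^\]]*\]\s*TJ"                              # show an array of strings and kerns
)
FILLED_RECT = re.compile(
    r"(-?\d+(?:\.\d+)?)\s+(-?\d+(?:\.\d+)?)\s+(-?\d+(?:\.\d+)?)\s+(-?\d+(?:\.\d+)?)\s+re\s+f\b"
)
ESCAPES = {"\\(": "(", "\\)": ")", "\\\\": "\\"}


def unescape(s):
    """Resolve the PDF string escapes this check cares about."""
    return re.sub(r"\\[()\\]", lambda m: ESCAPES[m.group(0)], s)


def decode_stream(raw):
    """Real PDFs usually FlateDecode their content streams; inflate when that is the case."""
    try:
        return zlib.decompress(raw).decode("latin-1")
    except zlib.error:
        return raw.decode("latin-1")


def shown_text(stream):
    """Return (x, y, text) for every text-showing operator, using the last Td as the origin.
    Simplification: Td is treated as absolute, which holds right after BT with an identity matrix."""
    x = y = 0.0
    out = []
    for m in TOKEN.finditer(stream):
        tok = m.group(0)
        if tok.endswith("Td"):
            x, y = float(m.group(1)), float(m.group(2))
        elif tok.endswith("TJ"):
            out.append((x, y, "".join(unescape(s) for s in PDF_STRING.findall(tok))))
        else:
            out.append((x, y, unescape(PDF_STRING.match(tok).group(1))))
    return out


def filled_rects(stream):
    """Every 'x y w h re f' (filled rectangle) in the stream."""
    return [tuple(float(v) for v in m.groups()) for m in FILLED_RECT.finditer(stream)]


def covered(x, y, rect):
    rx, ry, rw, rh = rect
    return rx <= x <= rx + rw and ry <= y <= ry + rh


def audit_redaction(stream):
    """List every string still in the stream and whether a filled box sits over its origin."""
    rects = filled_rects(stream)
    return [
        {"text": text, "origin": (x, y), "under_overlay": any(covered(x, y, r) for r in rects)}
        for x, y, text in shown_text(stream)
    ]


if __name__ == "__main__":
    for entry in audit_redaction(SAMPLE_STREAM):
        flag = "LEAK under overlay" if entry["under_overlay"] else "visible"
        print(f"{entry['origin']}: {entry['text']!r} ({flag})")
```

A real redaction removes the text-showing operator (and any image data, metadata and incremental-update history that still carries the content) before the rectangle is drawn; the check above is a simplified parser for one content stream, so for production review run a full text extractor over the whole document and compare its output against what is supposed to remain.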

Information Disclosure
[Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF]

Information Disclosure
• 40% of hard drives purchased from eBay contain personal information
  – 36% Financial data
  – 21% Emails
  – 11% Corporate Documents
  – [source: Kessler International]
• Wipe drives before they leave your control
• There are several bootable programs that will wipe all media attached to a computer
  • DBAN – Darik’s Boot and Nuke

Information Disclosure
• A security researcher purchased an ATM via Craig’s List
• He found 1,000 debit card numbers stored in the machine
• Who has access to your data?
• What are their controls on it?

Information Disclosure
• Imperva notified rockyou.com of a SQL injection flaw on Dec 4th
• Rockyou.com fixed the problem over the weekend
• The database stored passwords in plaintext
• A hacker disclosed that he had copied the entire database before the flaw was fixed

Information Disclosure
• The database contains the usernames and passwords for over 32 million accounts
• Included in the database were also passwords for partner websites
• This is a classic example of where defense in depth would have offered superior protection
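Defense in depth here means assuming the SQL injection might succeed and making the stolen table worthless on its own. The Python block below is an added example, not code from rockyou.com or from the presentation: it stores passwords as salted PBKDF2-HMAC-SHA256 records (hashlib.pbkdf2_hmac from the standard library), verifies a login attempt with a constant-time comparison, and contrasts what a dumped plaintext table versus a dumped hashed table hands an attacker directly. The user records and the iteration count are constructed and assumed values.

```python
"""Salted, iterated password storage versus plaintext (added example)."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed work factor; raise it as hardware allows


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = os.urandom(16) if salt is None else salt   # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def verify_password(password, stored):
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _algorithm, iterations, salt_b64, digest_b64 = parts
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# Constructed user records: what each storage design hands an attacker who dumps the table.
def plaintext_table(users):
    return {username: password for username, password in users}


def hashed_table(users):
    return {username: hash_password(password) for username, password in users}


def credentials_recoverable_from_dump(table):
    """Count rows whose password column is usable as-is, with no cracking effort at all."""
    return sum(1 for value in table.values() if not value.startswith(ALGORITHM + "$"))


if __name__ == "__main__":
    users = [("alice", "hunter2"), ("bob", "123456")]     # constructed sample accounts
    print("plaintext dump, usable rows:", credentials_recoverable_from_dump(plaintext_table(users)))
    print("hashed dump, usable rows:   ", credentials_recoverable_from_dump(hashed_table(users)))
    record = hash_password("hunter2")
    print(record)
    print("login ok:", verify_password("hunter2", record), "| wrong:", verify_password("hunter3", record))
```

The per-record salt is what keeps 32 million hashes from being attacked with one precomputed table, and the iteration count is what makes each guess cost the attacker as much as it costs the login server; a hashed dump still has to be treated as a breach (users reuse passwords on those partner sites too), but it no longer is one by itself.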

Aurora

Background: Titan Rain intrusion set
• An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that are all related in some way
• Titan Rain was one such intrusion set
  – Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003
  – Labeled as Chinese in origin
  – Nature of and identities of adversaries unknown

Background: Advanced Persistent Threat (APT)
• Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks.
• Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome.
• Does not typically refer to things like ZeuS

Aurora
• Publicly disclosed hacking incident inside Google and other major companies
• Belief within infosec community that PRC has been waging a long term, persistent campaign of “espionage-by-malware”
• Titan Rain, GhostNet
• Grown bolder over time

Aurora
• In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-Based corporations with the intent of exfiltrating sensitive data for political and financial gain.
• The Aurora team used a privately-held IE-7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs
  – Social-engineering using methods similar to Fake-AV campaigns was also used
• Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside

Aurora
• “Aurora” is taken directly from strings within some custom software components of the attack
  – Debug symbol file path in custom code

Aurora
• Known samples of main backdoor trojan used in attacks no older than 2009
• Attack may have been in works for some time
  – Custom modules in Aurora codebase with timestamps as old as May 2006
  – Timeframe just after Titan Rain had blown up and PRC’s limited arsenal of mostly “COTS” trojans were being increasingly detected by commercial AV

Aurora
• With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now
• Compiler leaves many clues in a binary
  – PE resource section may reveal language code
  – Aurora author was careful to either compile on English-language system, or to modify the language code in the binary after the fact
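The language code mentioned above lives in the third level of the PE resource directory (Type, then Name, then Language), where each entry's ID is a Windows LANGID such as 0x0409 (en-US) or 0x0804 (zh-CN). The Python block below is an added example, not from the presentation or from any Hydraq analysis: it walks a raw .rsrc section with struct and tallies the LANGIDs it finds, and includes a builder that constructs a minimal synthetic .rsrc blob so the walker can be exercised offline. It assumes the caller has already located the .rsrc section in the file via the section table (a library such as pefile does that), and, as the slide notes, the value is only a clue because an author can compile on a foreign-language system or patch the field afterwards.

```python
"""Tally the LANGIDs in a PE resource directory (Type -> Name -> Language).
Added example; build_rsrc() makes a synthetic .rsrc section so this runs offline."""
import struct

DIR_FMT = "<IIHHHH"   # Characteristics, TimeDateStamp, MajorVer, MinorVer, NumberOfNamedEntries, NumberOfIdEntries
DIR_SIZE = struct.calcsize(DIR_FMT)   # 16 bytes
ENTRY_SIZE = 8                        # Name/ID (u32), OffsetToData (u32)
DATA_ENTRY_SIZE = 16                  # OffsetToData (RVA), Size, CodePage, Reserved
SUBDIR_FLAG = 0x80000000              # high bit set: the offset points at another directory

# A few Windows LANGIDs; anything else is reported in hex.
LANGID_NAMES = {0x0000: "neutral", 0x0409: "en-US", 0x0804: "zh-CN", 0x0404: "zh-TW", 0x0C0A: "es-ES"}


def resource_languages(rsrc):
    """Walk a raw .rsrc section and count the language IDs at the third directory level."""
    counts = {}
    seen = set()

    def walk(offset, depth):
        if offset in seen or offset + DIR_SIZE > len(rsrc):
            return                                  # looping or truncated directory: stop quietly
        seen.add(offset)
        *_, n_named, n_id = struct.unpack_from(DIR_FMT, rsrc, offset)
        first_entry = offset + DIR_SIZE
        if first_entry + (n_named + n_id) * ENTRY_SIZE > len(rsrc):
            return                                  # entry table runs past the section
        for i in range(n_named + n_id):
            name, data = struct.unpack_from("<II", rsrc, first_entry + i * ENTRY_SIZE)
            if depth == 2:                          # language level: low 16 bits of the ID are the LANGID
                lang = name & 0xFFFF
                counts[lang] = counts.get(lang, 0) + 1
            elif data & SUBDIR_FLAG:
                walk(data & 0x7FFFFFFF, depth + 1)

    walk(0, 0)
    return counts


def describe(counts):
    """Map LANGID -> count into readable names (unknown IDs stay as hex)."""
    return {LANGID_NAMES.get(lang, f"0x{lang:04X}"): n for lang, n in counts.items()}


def build_rsrc(lang_ids, type_id=16, name_id=1):
    """Construct a minimal .rsrc blob: one resource type, one name, one entry per language.
    Test fixture only; the RVAs in the data entries are dummies."""
    n = len(lang_ids)
    type_off = DIR_SIZE + ENTRY_SIZE               # root directory holds one entry
    name_off = type_off + DIR_SIZE + ENTRY_SIZE    # type directory holds one entry
    data_off = name_off + DIR_SIZE + ENTRY_SIZE * n
    out = bytearray()
    out += struct.pack(DIR_FMT, 0, 0, 0, 0, 0, 1) + struct.pack("<II", type_id, SUBDIR_FLAG | type_off)
    out += struct.pack(DIR_FMT, 0, 0, 0, 0, 0, 1) + struct.pack("<II", name_id, SUBDIR_FLAG | name_off)
    out += struct.pack(DIR_FMT, 0, 0, 0, 0, 0, n)
    for i, lang in enumerate(lang_ids):
        out += struct.pack("<II", lang, data_off + i * DATA_ENTRY_SIZE)
    for i in range(n):
        out += struct.pack("<IIII", 0x1000 + i * 0x100, 0x40, 0, 0)
    return bytes(out)


if __name__ == "__main__":
    blob = build_rsrc([0x0804, 0x0409])    # constructed: one zh-CN and one en-US version resource
    print(describe(resource_languages(blob)))
```

On a real sample the interesting signal is disagreement: a binary whose resources are all en-US but whose strings, code page or time zone in the compile timestamp point elsewhere is worth a closer look, and a resource language of zh-CN on a sample that claims to be an English product is the easy case.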

Aurora
• Peculiarities and origins of CRC algorithm used suggest author familiar w/ simplified Chinese

Aurora
• Partial JavaScript code used to exploit Google
  – If only they were using Chrome…

New Details Emerge
• April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia”
  – “Cyberattack on Google Said to Hit Password System”, John Markoff
• Aurora had access to “Moma”, Google’s internal employee database
• May have used information from Moma to target the individual developers working on Gaia
• Source code exfiltrated to Rackspace servers, and then onto ???

Other Trends

Other Trends
• Social engineering
  – Phishing / Spearphishing
  • E.g., Rogue AV
  • Hybrid attacks
  • Targeted verticals and enterprises
  • Advanced Trojans
• Social Networks (Facebook, Twitter)
  – Trusted relationships
  – Superb ROI platform for URL-based attacks
• Botnet sophistication and innovation
  – Spread of infection by reputable or legit websites
  – Continuously evolving attacks and malware methods
• Threats come more from organized crime
  – However, involvement of state actors has finally come to the forefront

Other Trends
• 0-day black market
  – Premium paid for 0-days
  – Tipping Point has heard of governments offering $1 million for a good one
  – Good guys can’t compete at those prices
  – ‘Aurora’ used an IE 0-day that it had developed
• Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules
• Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations
• Global cooperation in these cases is still in its infancy

Other Trends
• Clients vs. Servers
  – For the moment, the pendulum has swung away from servers
  – Servers are now more likely to be compromised as a means to compromise a large number of clients
  – While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside
  – The weakest-link rule is true now more than ever

The new .CN

The new .CN
• In December 2009, CNNIC published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names
• The new restrictions consisted of:
  – Webmasters to submit paper application and show ID when registering a domain name
  – Business license if applicable
  – Have to submit the information within 5 days or risk losing the domain
• Continued to monitor domains hosting malicious executables and have noticed an interesting trend
• Domains registered with a ccTLD of .CN have slightly declined while domains registered with a ccTLD of .IN have started to increase, starting right around the timeframe of the CNNIC announcement

The new .CN
• .RU domains have also seen an increase since the .CN registration requirements were announced.
• RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st

Mariposa / ButterflyBot

Mariposa / ButterflyBot
• Publicly sold botnet kit called “BFBOT”
  – Distributed as binary “builder” kit, full source code is not available
  – Author has since “retired”, but perhaps not
• Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot
• Uses console-based master control program
  – Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development

Mariposa / ButterflyBot
• Named after a domain that it was contacting
  – butterfly [dot] sinip [dot] es
• Initially discovered early 2009
• Sold on bfsecurity.net
  – “Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)”
  – The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”

Commercial Market for ButterflyBot
Source: Panda Security

ButterflyBot Capabilities
• Information Theft
  – Steal data from Internet Explorer (protected storage and Autocomplete (IE 7+) password stealing)
  – Mozilla Firefox (stored passwords stealing)
• Downloader
  – Download files via HTTP and execute them on the infected computer
• DDoS
  – TCP SYN or UDP packet flooding
• Propagation
  – MSN Instant Messenger
  – USB autorun
  – Copying itself to well-known P2P application download directories
• VNC Server Scan
  – Scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.

ButterflyBot Console
Source: Symantec

ButterflyBot Master Client
Source: Panda Security

ButterflyBot Configuration Tool
Source: Panda Security

Mariposa Takedown
• Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries
• Botmasters made money by allowing other cybercrooks to utilize parts of the botnet
  – This led to a variety of malware being installed
    • Advanced keyloggers
    • Various Banking trojans
    • RATs (Remote access Trojans)
    • Fake AV

Mariposa Takedown
• Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested
  – “netkairo” of Balmaseda, age 31
  – “jonyloleante” of Molina de Segura, age 30
  – “ostiator” of Santiago de Compostela, age 25
• Action taken on domains December 23, 2009 at 1700 Spanish time
  – US FBI and Spanish Civil Guard
  – Believed that suspects would be less able to react due to Christmas holiday and time with family
• Suspects unknown, using VPNs from Swedish provider Relakks
• During counter attack, “netkairo” made a fatal mistake
  – Did not use VPN, revealed IP address in Spain
  – IP provided to Civil Guard

Mariposa Takedown
• “netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain
• Digital forensics of seized computers led to 2 further arrests in Spain
• Cases in front of Judge Garzón of the National Court

Conclusion

Conclusion
• Defenders remain at a significant disadvantage
• Must attack both sides of the risk vs. reward equation
• Closer cooperation is needed between security community and law enforcement
• Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem
  – Attractive ROI of Social Engineering

Q & A

Special Thanks
• Chema Alonso & Informática64
• Maite Villalba and the Universidad Europea de Madrid
• You, my audience!