Roger A. Grimes, InfoWorld
Presenter BIO
Roger A. Grimes CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger
23-year Windows security consultant, instructor, and author
Author of seven books on computer security, including:
Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007)
Professional Windows Desktop and Server Hardening (Dec. 2005)
Malicious Mobile Code: Virus Protection for Windows (O’Reilly, 2001)
Honeypots for Windows (Apress, December 2004)
Author of over 300 national magazine articles on computer security
Principal Security Architect for Microsoft InfoSec ACE Team
Roger’s Books
Presentation Summary
Quick History of Past Malware Threats
Today's Threats
Anatomy of Today's Cyber Attack
Malware Examples
Best Defenses
Malware Has Been Around Since The Beginning of Computers
Most early malware were network worms
Late 1960’s – John Conway’s Game of Life\Core Wars\Imp
1971, Creeper worm was written by Bob Thomas of the BBN (Bulletin Board Network)
(First PC, Altair 8800, 1974)
IBM Christmas worm – Dec. 1987
Robert Morris Worm – Nov. 1988
Historic Malware Trends
(Apple computer invented 1976)
1982 – Richard Skrenta, Jr., a 9th grade high school student and Core War fan, wrote a 400-line Apple II boot virus called Elk Cloner
Spread around the world
Every 50th boot would present message
No virus scanners or cleaners at this time
(IBM PC introduced in late 1981)
1986 – Pakistani Brain – first IBM-compatible virus
1987 – Stoned, Jerusalem, Cascade (encrypted), Lehigh
Historic Malware Trends: First PC Viruses – Boot Viruses
Boot Viruses
Even though they made up just a few percent of the malware programs, they accounted for most of the infections
March 1992 – Michelangelo
Executable Viruses
Some Trojan Horse Programs
Some Worms, but not many
Most malware programs were not intentionally malicious
Historic Malware Trends: Early PC Malware
1985 – Macro viruses
1998 – HTML viruses
2001 – Code Red – IIS worm
2003 – SQL Slammer
Fastest exploit to date – 10 minutes to infect world
2003 – MS Blaster
In 99.9999% of cases, patch was available before exploit was released
Historic Malware Trends: PC Malware Hits Mainstream
From 1999 to late 2006, about 90% of malware attacks arrived via email
VBScript, JavaScript
Malicious file attachments
Rogue embedded links
Spam
MIME-type mismatches
Social-engineering methods
Melissa, I Love You worm
Historic Malware Trends: Email worms\viruses
Still, most were not intentionally malicious
Those were the days!
Historic Malware Trends: Email worms\viruses
Run an up-to-date antivirus program
Run a host-based firewall that prevents unauthorized outbound connections
Be fully patched
Visit only trusted web sites
Careful opening unexpected documents
Use other programs and OSs to remain safe
Current Malware Trends: Conventional Defense Wisdom
AV is not all that accurate and cannot be relied upon
Host-based firewalls really don’t work most of the time
Nobody fully patches
Trusted web sites are how you get infected
Many attacks work cross-platform or don’t care about OS or app
Targeted spearphishing makes determining what documents you should open hard to do
Current Malware Trends: Sadly...
Malware and hacking is worse than ever!
Even though we already do all the recommended stuff
Current Malware Trends: Sadly...
Mostly trojans, worms, and downloaders
Professionally written
Development forks, teams
Criminally-motivated
Bots & botnets
Tens of millions of PCs “owned” at any one time
Designed To Get Money
Steal passwords, identity info, DDoS attacks
Mostly asks for permission to run and user responds “YES”
Current Malware Landscape: New Malware Model
Cybercriminals are stealing tens of millions (at least) of dollars every day
2009 Verizon Data Breach report found that 91 percent of all compromised records in 2008 were attributed to organized criminal activity.
“On the brighter side, we are happy to report that these efforts with law enforcement led to arrests in at least 15 cases.”
Current Malware Landscape: Criminally Motivated
1. User visits “innocent” infected web site
2. Contains simple JavaScript redirector
3. Prompts user to install fake program
Anti-virus scanner, patch, codec, malformed PDF, etc.
4. First program is a small downloader
Starts the malware process
Provides bot control
Dials home for more instructions
Current Malware Landscape: Most Common Malware Cycle
Only Visit Trusted web sites
Good advice?
What has trusted ever meant anyway?
How do I know I can trust it?
Do those “seals of approval” mean anything?
Current Malware Landscape: Trusted Web Sites?
Me, I feel safer on a pay-for-view porn site!!
Current Malware Landscape: Trusted Web Sites?
77 percent of web sites with malicious code are legitimate sites that have been compromised
61 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims to malicious
37 percent of malicious Web/HTTP attacks included data-stealing code
57 percent of data-stealing attacks are conducted over the Web
Current Malware Landscape: Innocently Infected Web Sites
How?
Web site itself compromised
Misconfiguration
Vulnerability
Allows user postings
Malicious ads from legitimate ad services
Malicious sponsored ads on search engines
Poisoned search engine results
Web site codelets created by bad guys to go malicious one day
Current Malware Landscape: Innocently Infected Web Sites
Tens of Millions of Malicious Web Sites
Look real, but completely malicious
Often taken there by OS or app help program or search engine
Promote product that is nothing but malicious
Have entire teams of people dedicated to promoting product on “independent” blogs, review magazines, etc.
Ex: You must have this codec to watch these car racing videos on YouTube
Current Malware Landscape: Some aren’t so Innocent!
Poisoned Ad Services
You name the major web site and it has probably hosted malicious ads
Ads posted by web site owner, marketing firm hired by web site, compromised ad service, or hacking
Avast – the most compromised services are Yahoo’s yieldmanager.com and Fox’s fimserve.com
Responsible for more than 50% of poisoned ads
Doubleclick.net too
http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/
Current Malware Landscape: Innocently Infected Web Sites
Poisoned Cartoons?
King Features, a newspaper comic distributor, was hacked
King Features distributes online comics to about 50 different newspapers
Online readers were prompted to download a malicious PDF
http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reader_f.html
Current Malware Landscape: Innocently Infected Web Sites
Search Engine Poisoning
Bad guys create web sites that are very attractive to search engine bot crawlers (e.g. lots of links with lots of keywords)
It is not uncommon to find malicious links in 15% to 20% of the first 100 results from a search
Some of the most popular searches will return 90%
Malicious web sites are often generated on the fly, changed only by a single keyword in the URL
http://www.cyveillanceblog.com/general-cyberintel/malware-google-search-results
Current Malware Landscape: Innocently Infected Web Sites
SEO Kits
Poisoned search engine results often created by Search Engine Optimization (SEO) kits
Kits download the most popular search engine requests from the search engines themselves (e.g. Google Trends)
Then generate web site on the fly with those keywords and images
Generates thousands of web sites with those keywords that link to each other
http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf
Current Malware Landscape: Innocently Infected Web Sites
Sponsored Ads
Search engines often host sponsored ads that redirect to malicious sites and code
Nearly all search engines involved
Certainly the ones you use are
Due to malware companies posing as legitimate companies and switching up ads, or legitimate web sites that paid for legitimate ad time being infected
Current Malware Landscape: Innocently Infected Web Sites
Sponsored Ads
Current Malware Landscape: Innocently Infected Web Sites
Many Infected Host Providers Are Slow To Respond
Example: ThePlanet.com
Stopbadware.org notifies ThePlanet when they note an infected web site hosted by ThePlanet
Averages 12K-20K infected sites a month
1 month after reporting, 12K of reported web sites remain infected
4.5K remain infected after 7 months
Current Malware Landscape: Innocently Infected Web Sites
Bulletproof Hosting
Many companies advertise on the promise that they will keep your web site up no matter what you do with it
The Russian Business Network is number one in this space
McColo was #2 before 2008 takedown
Plenty of competition
Located in countries without appropriate laws
Current Malware Landscape: Not-So Innocently Infected Web Sites
Bulletproof Hosting – Examples
Current Malware Landscape: Not-So Innocently Infected Web Sites
[Diagram: Dynamic DNS Server, Initial Mothership Web Server, Dynamic Mothership]
1. Bot program exploits victim PC and installs itself
2. It “phones home” using dynamic DNS server to find “mothership”
3. Finds mothership, downloads new code and instructions
4. Repeats 1-20 times
5. Infects new victim PCs
6. Sometimes plays role of bot host, sometimes of dynamic DNS server, sometimes mothership
Dynamic DNS Server: created for just this single victim instance; can be a legitimate DNS server or exploited system
Initial Mothership Web Server: usually just another exploited victim or web server; updates dynamic DNS server with current IP address
Dynamic Mothership: mothership updates may cycle 20 times; sends bot host new programs, new payload, new instructions
Current Malware Landscape: New Malware Model Steps
1. Infect or Exploit
2. Modify system to gain control
3. Phone “home” to get code update
Repeat this step 1-20 times
4. Modify host and spread to create bot net
5. Steal information – financial, passwords, etc.
6. Able to bypass any authentication method
7. When finished, self-delete, cover up tracks
Current Malware Landscape: New Malware Model Steps
Self-healing bot nets
Intended to live only a few hours
Auto-updating
Designed To Hide
Millions of malicious links on social networking sites
Some of the biggest users of Facebook, Myspace, and Twitter
Current Malware Landscape: New Malware Model (con’t)
Silent drive-by downloads and “one click and you’re owned” traps used to be the way people got infected
Require unpatched software and vulnerabilities
UAC and other browser protections make this harder to do
Still happens, but now in the minority
OS patching is nearly 100% now
App patching could be better
Malware writers are mostly targeting unpatched Internet browser apps now
Current Malware Landscape: New Malware Model (con’t)
In most cases, people are tricked into intentionally installing a malware program
99% of the risk in most environments
Occasionally, a roving worm, like Conficker, becomes Ms. Popularity for a few days or months
Current Malware Landscape: New Malware Model (con’t)
Vulns. trending down since 1H 2007
Current Malware Landscape: Known Vulnerabilities Going Down Year-after-Year
Figures for all reporting vendors
Even OS and Browser Vulnerabilities Are Flat
Current Malware Landscape: Known Vulnerabilities Going Down Year-after-Year
From MS SIR 8
Especially in the browser space
Every new browser vendor promises to make the perfectly secure browser that apparently Microsoft cannot seem to make
Later on I’ll tell you how it doesn’t matter at all anyway
Current Malware Landscape: Still Plenty of Vulnerabilities
Firefox – 169
Apple Safari – 94
Internet Explorer – 45
Google Chrome – 41
Opera – 25
Current Malware Landscape: Number of Browser Vulnerabilities in 2009
From Symantec\Secunia
Firefox – 52 (3.0 – 15, 3.5 – 18, 3.6 – 19)
Apple Safari 4 – 17
Internet Explorer 8 – 21
Google Chrome – 28
Opera – 6
Of all browsers Symantec analyzed in 2009, Safari had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a 13-day average; IE, FF, and Opera had the shortest windows of exposure, avg 1 day.
Current Malware Landscape: Number of Browser Vulnerabilities in 2010 (so far)
The way almost all your users are getting infected is direct action trojans
Current Malware Landscape: But Vulns Don’t Matter All That Much
By a huge percentage, trojans are number one!
Current Malware Landscape: Trojans Are #1!
(From Microsoft SIR 8)
[Chart: Exploits vs. Trojans]
Current Malware Landscape: But Worms are more frequent on work computers
(From Microsoft SIR 8)
Trojan program looks “really, really” authentic
Coming from legitimate web sites, spam, phishing attacks
Bad guy often buys ads on search engines or “poisons” search engine results
Certain keywords are more likely to bring up malware than legitimate web sites
Bad guys use the latest news (e.g. earthquake, celebrity event, etc.)
Often accidentally redirected to malware sites by legitimate trusted software
Why Are They So Prevalent?
Tricking End Users: Antivirus 2010
In one year, Google found over 11,000 web sites offering fake AV scanners
1,462 unique new installer programs per day
20% detection rate by real AV
1 hr – median time redirection web site is up before hackers move on
In SIR 8, Microsoft said its security products cleaned fake anti-virus related malware from 7.8 million computers in the second half of 2009.
Fake AV Stats – from Google
Apparently worry about copyright infringement
Millions of new programs created every year
Challenging for pure definition scanners to keep up
No antivirus scanner will ever be perfect
Check out http://www.virustotal.com/estadisticas.html
Why Are They So Prevalent?
“Zero-day” exploits becoming more common
One attack program can have 20 exploit vectors
DNS tricks
Poisoning, hosts file manipulation
Sound-alikes
One-offs (everything unique for each victim)
Millions of malware programs each year
Symantec reported 2.8 M malware programs in 09
More than legitimate programs
Current Malware Landscape: Infection or Exploit
Known Malware Detection Rates Not Bad
www.virusbulletin.com
Dozens of AV scanners routinely detect 100% of the known malware programs in the wild with zero false-positives
Awarded VB100
Why Are They So Prevalent? Malware Is Hiding Better
First-Day Malware Detection Rates Could Be Improved
www.av-test.org (Dec. 2009)
Brand new threats were released and tested
Best products detected malware 98% of the time, blocked 95% of the time
Average product was 70-90% effective
Sounds good until you realize that out of 100 users in your network, at least two of them will be presented with a trojan program that is not detected as malicious
Now multiply that by the size of your user base, especially over time
Why Are They So Prevalent? Malware Is Hiding Better
How Does Malware Hide? Early Techniques:
Encrypted – hide the malware so it can’t be scanned
Oligomorphic – multiple encryption/decryption engines
Polymorphic – random encryption/decryption
Metamorphic – mutates malware body, looks for compiler on host and re-compiles malware on-the-fly
Why Are They So Prevalent? Malware Is Hiding Better
How Does Malware Hide? Today’s Techniques:
HTML Encoding/Obfuscation
Character set (e.g. UTF-8, UTF-7, Unicode) encoding
Compression (e.g. multi-compressed zip files)
Packers, Multi-packers
SSL/TLS/encryption for travel and communications
Why Are They So Prevalent? New Malware Is Hiding Even Better
How Does Malware Hide? Today’s Techniques:
Language encoding (e.g. simplified Chinese)
Transfer encoding (e.g. chunked, token-extension)
Packet fragmentation, time-outs
Password protected files
Embedded code (e.g. RTF links)
Embedded in thick content (e.g. PDF, Flash, MS-Office objects)
Why Are They So Prevalent? New Malware Is Hiding Even Better
How Does Malware Hide? Today’s Techniques:
Dynamic DNS names
Dynamic IP addressing
One-time URLs (unique per victim)
Self-deleting malware
Delete and come back when needed
Why Are They So Prevalent? New Malware Is Hiding Even Better
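Added example, not from the talk: a small Python normalizer for the wrapper layers listed on the hiding slides (HTML entities, percent-encoding, text stored as UTF-16, base64, zlib, zip) that checks for a signature at every depth rather than only on the raw bytes; a password-protected zip is reported as a layer it cannot open. The marker string and the stacked sample payload are constructed for the demo.

```python
import base64, binascii, html, io, re, zipfile, zlib
import urllib.parse

# Constructed indicator used for the demo; stands in for a real signature.
SIGNATURE = b"EXAMPLE-MALICIOUS-MARKER"

def _try_zip(data):
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return b"".join(zf.read(n) for n in zf.namelist())
    except (zipfile.BadZipFile, RuntimeError):  # RuntimeError: password-protected
        return None

def _try_zlib(data):
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

def _try_text(data):
    """Entity and percent decoding; UTF-16 text (BOM) is normalized first, since
    a byte scanner never sees ASCII that is stored with a NUL after every char."""
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    try:
        text = data.decode(enc)
    except UnicodeDecodeError:
        return None
    out = urllib.parse.unquote(html.unescape(text)).encode("utf-8")
    return out if out != data else None

def _try_base64(data):
    s = data.strip()
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/=\s]+", s):
        return None
    try:
        return base64.b64decode(s)
    except (binascii.Error, ValueError):
        return None

LAYERS = [_try_zip, _try_zlib, _try_text, _try_base64]

def scan(data, signature=SIGNATURE, max_depth=12):
    """Peel one layer at a time and match at every depth.
    Returns (depth, peeled layer names); depth is -1 if nothing matched."""
    peeled = []
    for depth in range(max_depth + 1):
        if signature in data:
            return depth, peeled
        for layer in LAYERS:
            out = layer(data)
            if out is not None and out != data:
                peeled.append(layer.__name__[len("_try_"):])
                data = out
                break
        else:
            return -1, peeled
    return -1, peeled  # depth cap hit: treat as suspicious, not clean

def build_sample(marker=SIGNATURE):
    """Constructed sample: marker under percent, entity, UTF-16, base64, zlib, zip."""
    text = "".join("%%%02X" % b for b in marker).replace("%", "&#37;")
    b64 = base64.b64encode(text.encode("utf-16"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update.bin", zlib.compress(b64))
    return buf.getvalue()
```

`SIGNATURE in build_sample()` is False, while `scan(build_sample())` finds the marker four layers down; the same loop reports -1 for a payload it cannot open, which is a signal in itself.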
Responsible for up to nearly 50% of all successful web-based attacks.
Current Malware Landscape: Adobe Acrobat Malware Is a Huge Problem
Usually arrives in email
Sender has internal details
Most captured from company’s public web site and news
Other times, obviously has insider knowledge of project or detail
Often target senior executives
Project document, pending lawsuit, child support inc.
Common scam: Target accounting to infect the payroll transfer transaction computer
Defense: That computer should not be connected to the normal network or used for anything else, highly guarded and secured
Current Malware Landscape: Targeted Spearphishing
Can arrive in email
Current Malware Landscape: Adobe Acrobat Malware Example
Prompts User to Save Another “PDF” file
Current Malware Landscape: Adobe Acrobat Malware Example
Can be prevented by modifying one setting
Current Malware Landscape: Adobe Acrobat Malware Example
Most attacks several years old.
Current Malware Landscape: Do You Patch Office?
More than half (56.2 percent) of the attacks affected Office program installations that had not been updated since 2003.
Most of these attacks involved Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.
Current Malware Landscape: Do You Patch Office?
CAN-SPAM Act of 2003 took down spam!
Current Malware Landscape
25% - Percentage of spam when CAN-SPAM Act was passed
Current Malware Landscape: Spam stats
Spam is most of our email
88% according to Symantec
93% according to MessageLabs
95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious. (Websense 2009 report)
Spearphishing for targeted attacks increasing greatly
85% of spam is sent by bots from innocently infected computers (Symantec)
20% of all spam sent in March 2010 used TLS (MessageLabs)
Current Malware Landscape: Spam stats
Spammers bypass CAPTCHAs by:
OCR – recognize the symbols
VCR – recognize the voice
Paying third world country employees to manually answer
Freelancer.com – dozens of such projects are bid on every week
80 cents to $1.20 for each 1,000 deciphered boxes, or about $6 every 15 days for the average worker
Current Malware Landscape: Spammers Still Abusing Free Web Mail
Per MessageLabs
Hundreds of billions of spams are sent each day
85% from spambots, 90% from the top five bots
Rustock – largest current botnet with 2.4M hosts, responsible for 1/3rd of all spam
Grum – responsible for 24% of all spam
Mega-D – responsible for 18% of all spam
Top spam bots vary according to measurer, but Rustock always gets #1 spot
Current Malware Landscape: Bot Nets and Spam
Current Malware Landscape: Popular Botnet Families
(From Microsoft SIR 8)
Many commercial bot net kits
Management interfaces
24 x 7 tech support
Bypass any authentication
Made to order
Example: Butterfly\Mariposa bot net (March 2010)
13 million controlled computers in 190 countries
Run by three non-experts, required very little skill
Bought original bot kit for $300
Current Malware Landscape: Bot Nets
Crum – $200 – creates polymorphic encrypted malware, free updates
Eleonore Exploits Pack – $700 – several exploits including MS, Firefox, Opera, and PDF
Neon – $500 – PDFs (including FoxIt), Flash, Snapshot
Adrenaline – $3000 – keylogging, theft of digital certificates, encryption of information, anti-detection techniques, cleaning of fingerprints, injection of viral code, etc.
http://malwareint.blogspot.com/2009/08/prices-of-russian-crimeware-part-2.html
Current Malware Landscape: Malware Kit Examples
Current Malware LandscapeCrime Does Pay
For the most part, we aren’t catching many of the criminals
International jurisdictions, non-compliant countries, no hard evidence, real crimefighting takes time
Users/admins not doing the simple things they should be doing to stop malicious attacks
Attackers don’t need complex, hypervisor attacks to do damage; current attacks doing just fine
Vendors could produce zero-defect software and it would not make a measurable dent in cybercrime
Current Malware Landscape: Future Not Looking That Great
The most popular software in a particular category will be successfully attacked the most
Grimes Corollary
Regardless of whether or not Microsoft made it!
Windows, IE, Microsoft Office
PDF over XPS
Apache over IIS
Quicktime over Windows Media Player
ActiveX over Java Applets
Auction\Sales Site scams
Selling a car or motorcycle for an unbelievable price with unbelievable terms
“I’ll give you the best price ever and pay for international shipping”
Send your money to a “trusted, third party”
“Buyer protection”
Doesn’t care what your OS or browser is
So much for your anti-malware programs
Current Malware Landscape: Many Times No Malware Needed
Auction Car Sale Scam Example
Current Malware Landscape: Many Times No Malware Needed
Auction Car Sale Example
Current Malware Landscape: Many Times No Malware Needed
Lessons To Take Away
Malware usually comes from innocently infected web sites
Visiting only “trusted” web sites is not great advice anymore
Consider investing more in technologies that can mitigate these types of threats
Educate end users about the current state of malware
**If we could educate users to not install fake programs, the majority of the current malware threat would disappear overnight
Current Malware Landscape: Forming a Defense
Best End-User Defenses
Don’t be logged in as Administrator or root when surfing the web or reading email
Run up-to-date anti-malware programs
Antivirus, Firewalls, Anti-spam, Anti-phishing, intrusion detection
Fully patch OS and all applications, including browser add-ons (harder than it sounds)
Use good, secure defaults
Fight the Good Fight
Best End-User Defenses
Educate end-users to most likely threats
Tell them to learn what their AV software looks like and what it doesn’t
Show them what their patching software looks like
Tell them not to install software offered by their favorite web site
Does your educational content contain this information?
Phish your own users (be the first!)
Fight the Good Fight
Best End-User Defenses
Use search engines that contain anti-malware abilities (e.g. Bing, Google, etc.)
Use browsers that have anti-malware checkers
Most of the popular ones, but not all
Look for unusual network traffic patterns
Unexpected large transfers, workstation-to-workstation, server-to-server
Install honeypots as early warning detectors
Fight the Good Fight
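Added example, not from the talk: Python detection logic run over constructed flow records for the patterns named above (workstation-to-workstation, server-to-server on an unexpected port, unexpectedly large transfers to the outside) plus the regular "phone home" check-ins of the bot model described earlier in the deck. The subnets, role map, port allowlist, thresholds and all flow records are assumptions made for the demo.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Constructed host roles; a real deployment would take these from DHCP/CMDB data.
ROLES = {
    ipaddress.ip_network("10.10.0.0/16"): "workstation",
    ipaddress.ip_network("10.20.0.0/24"): "server",
}
EXPECTED_S2S_PORTS = {53, 88, 389, 445, 1433}   # constructed allowlist
LARGE_XFER_BYTES = 50 * 1024 * 1024             # per (src, dst) pair in the window
BEACON_MIN_HITS, BEACON_JITTER = 4, 0.10        # >= 4 hits, intervals within 10%

# Constructed flow records: (epoch seconds, src, dst, dst_port, bytes_out)
FLOWS = [
    (0, "10.10.3.14", "10.20.0.5", 445, 120_000),       # workstation -> file server
    (5, "10.10.3.14", "10.10.7.22", 445, 8_000),        # workstation -> workstation
    (9, "10.10.3.14", "10.10.7.23", 445, 8_000),        # ... spreading laterally
    (30, "10.20.0.5", "10.20.0.9", 1433, 2_000_000),    # server -> server, SQL: expected
    (31, "10.20.0.5", "10.20.0.9", 6667, 4_000),        # server -> server, IRC port: odd
    (60, "10.10.5.8", "203.0.113.20", 443, 30_000_000), # workstation -> external
    (90, "10.10.5.8", "203.0.113.20", 443, 31_000_000), # same pair, totals > 50 MB
    (100, "10.10.9.2", "198.51.100.7", 80, 150_000),    # ordinary browsing
    (0, "10.10.9.2", "203.0.113.55", 443, 900),         # every 10 minutes, tiny:
    (600, "10.10.9.2", "203.0.113.55", 443, 910),       # looks like a bot checking
    (1205, "10.10.9.2", "203.0.113.55", 443, 905),      # in with its mothership
    (1800, "10.10.9.2", "203.0.113.55", 443, 900),
]

def role_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr not in INTERNAL:
        return "external"
    return next((r for net, r in ROLES.items() if addr in net), "unknown")

def _is_regular(times, min_hits=BEACON_MIN_HITS, jitter=BEACON_JITTER):
    """True when a (src, dst) pair is contacted at near-constant intervals."""
    if len(times) < min_hits:
        return False
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean

def detect(flows, large=LARGE_XFER_BYTES, s2s_ports=EXPECTED_S2S_PORTS):
    """Return a sorted, deduplicated list of (rule, src, dst, detail) alerts."""
    alerts, outbound, hits = set(), defaultdict(int), defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        sr, dr = role_of(src), role_of(dst)
        if sr == "workstation" and dr == "workstation":
            alerts.add(("workstation-to-workstation", src, dst, f"port {dport}"))
        elif sr == "server" and dr == "server" and dport not in s2s_ports:
            alerts.add(("server-to-server-unexpected-port", src, dst, f"port {dport}"))
        if dr == "external":
            outbound[(src, dst)] += nbytes
            hits[(src, dst)].append(ts)
    for (src, dst), total in outbound.items():
        if total > large:
            alerts.add(("large-external-transfer", src, dst, f"{total} bytes"))
    for (src, dst), times in hits.items():
        if _is_regular(times):
            alerts.add(("regular-beacon", src, dst, f"{len(times)} hits"))
    return sorted(alerts)
```

`detect(FLOWS)` returns five alerts: the two lateral workstation flows, the server pair on port 6667, the 61 MB outbound total, and the four evenly spaced check-ins from 10.10.9.2; the ordinary file-server and browsing flows are not flagged.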
Future Defenses
Most countries are starting to work together better (although very slowly)
Ultimately will take rebuilding the Internet
Building in pervasive identity and accountability
Still support anonymity
Will have to be done incrementally
Support End-to-End Trust initiatives
All needed protocols are already in place
See Trusted Computing Group’s work
Microsoft’s End To End Trust
Current Malware Landscape: Forming a Defense