Trends in Network Security
Ben Feinstein, CISSP GCFA
Director of Research, SecureWorks Counter Threat Unit℠
Friday, April 23rd, 2010
Informática64, Móstoles, Spain
Introduction
Who Am I?
- Native of Atlanta, Georgia USA
- 12 years old, dial-up UNIX shell, telneting around the world
- Professional software developer as a teenager
- Bachelor of Science in Computer Science (c. Economics), 2001, Harvey Mudd College, Claremont, California USA
- Author of RFC 4765 and RFC 4767
- Software Engineer at a series of security start-ups, 2001 – 2006
- Joined SecureWorks in 2006
- Certified Information Systems Security Professional (CISSP)
- SANS Global Information Assurance Certified Forensics Analyst (GCFA)
Who is SecureWorks?
- Market leading provider of information security services
  - Managed Security Services Provider (MSSP)
  - Security and Risk Consulting (SRC)
- Over 2,700 clients worldwide, including more than 10% of Fortune 500
- Suite of managed information and network security services: Security Information Management (SIM), On Demand Log Monitoring, Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS), Threat Intelligence, Firewall, Host IPS, Vulnerability Scanning, Web Application Scanning, Log Retention, Encrypted Email
Agenda
Agenda
- Computer Networks
- Vulnerability Trends of 2009
- Malware Trends of 2009
- Information Disclosure
- Aurora
- Other Trends
- The New .CN
- Mariposa / ButterflyBot
- Conclusion
- Q & A
From Mainframes to Today’s Internet
The Development of Computer Networks
- Advanced Research Projects Agency (ARPA)
  - Established in 1958 after Soviet launch of Sputnik satellite in 1957
  - Later renamed the Defense Advanced Research Projects Agency (DARPA)
  - Directly manages a $3.2B budget
- ARPANET developed by ARPA for US Department of Defense (DoD)
  - Development work began in 1969
Decentralization of Computing Power
- Mainframes gave way to Personal Computers (PCs)
- Development of Local Area Networks (LANs)
- Dial-up Internet
- Broadband Internet
ARPANET, circa March 1977
Map of Internet Routers (2005), Opte Project http://www.opte.org/
Map of Online Communities, xkcd #256 (http://xkcd.com/256/), Spring 2007
Some (Much) Older Networks to Remember
- Hawala
- Pony Express
Source: International Monetary Fund
Network Security
The Network as an Attack Surface
- Concept of Threat Modeling
- Concept of an Attack Surface
- Local Attacks vs. Remote Attacks
- Common Vulnerability Scoring System (CVSS) version 2
  - Exploitability metrics
  - Access Vector: Local, Adjacent Network, Network
- Widespread adoption of Firewalls
- Widespread adoption of the Web
  - Web 2.0
Vulnerability Trends of 2009
2009 Vulnerability Trends
- Vulnerabilities disclosed for document readers and editors soared.
  - Office documents, including spreadsheets and presentations
  - Portable Document Format (PDF) documents – the dubious champ
  - Favorite vector of “Spear Phishers”, including “Operation Aurora”
- The appearance of new malicious Web links has skyrocketed globally in the past year.
  - Phishing, Malvertisements, Fake-AV, etc.
  - A large number of sophisticated web-attack toolkits are available for sale.
  - CSS and SQLi attacks are primarily used to redirect web-surfers to an attack-toolkit!
- Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries that had not previously been in the game.
  - Attackers are shifting their geographical profiles due to various pressures
  - Lots and lots of money to be made
Vulnerability Metrics for 2H 2009
Malware Trends of 2009
2009 Malware Trends
- Malware authors and operators innovated
  - Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7
  - Complex and user friendly Banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits
  - Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use
- Better prepared for takedowns and other countermeasures
  - Lessons learned from the days of The RBN
  - Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services
  - DNS double and triple-flux technologies
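The DNS flux techniques listed above are the kind of thing a resolver log can reveal. The following is an added example (not from the slides or any SecureWorks tooling): a small classifier over constructed DNS answer records that flags single-flux (rotating A records with a short TTL) and double-flux (rotating NS records as well). The record format, thresholds and domain names are assumptions; triple-flux is not modelled.

```python
"""Single-/double-flux indicator over DNS resolver records (added example).

Input format is an assumption: one tuple per answer a resolver saw,
(timestamp_seconds, qname, rtype, ttl, rdata). Thresholds are illustrative.
"""
from collections import defaultdict

# Constructed sample data; RFC 5737 addresses, not real observations.
SAMPLE_RECORDS = [
    # A stable site: one address, one name server, day-long TTLs.
    (0,    "stable.example.net", "A",  86400, "192.0.2.10"),
    (3600, "stable.example.net", "A",  86400, "192.0.2.10"),
    (7200, "stable.example.net", "NS", 86400, "ns1.stable.example.net"),
    # Single-flux: the A record rotates through many hosts with a tiny TTL.
    (0,    "flux.example.org", "A",  180,   "198.51.100.11"),
    (200,  "flux.example.org", "A",  180,   "198.51.100.57"),
    (400,  "flux.example.org", "A",  180,   "203.0.113.9"),
    (600,  "flux.example.org", "A",  180,   "203.0.113.140"),
    (800,  "flux.example.org", "A",  180,   "198.51.100.203"),
    (0,    "flux.example.org", "NS", 86400, "ns1.flux.example.org"),
    # Double-flux: both the A records and the NS records rotate.
    (0,    "dflux.example.org", "A",  120, "203.0.113.21"),
    (150,  "dflux.example.org", "A",  120, "203.0.113.77"),
    (300,  "dflux.example.org", "A",  120, "198.51.100.5"),
    (450,  "dflux.example.org", "A",  120, "198.51.100.88"),
    (600,  "dflux.example.org", "A",  120, "203.0.113.199"),
    (0,    "dflux.example.org", "NS", 300, "ns1.dflux.example.org"),
    (400,  "dflux.example.org", "NS", 300, "ns7.dflux.example.org"),
    (800,  "dflux.example.org", "NS", 300, "ns3.dflux.example.org"),
]


def summarize(records):
    """Per (qname, rtype): the set of distinct rdata values and the minimum TTL seen."""
    seen = defaultdict(lambda: {"rdata": set(), "min_ttl": None})
    for _ts, qname, rtype, ttl, rdata in records:
        entry = seen[(qname, rtype)]
        entry["rdata"].add(rdata)
        if entry["min_ttl"] is None or ttl < entry["min_ttl"]:
            entry["min_ttl"] = ttl
    return seen


def _fluxing(entry, max_ttl, min_distinct):
    return (entry["min_ttl"] is not None and entry["min_ttl"] <= max_ttl
            and len(entry["rdata"]) >= min_distinct)


def classify(records, max_ttl=600, min_distinct_a=5, min_distinct_ns=3):
    """Return {qname: 'stable' | 'single-flux' | 'double-flux'}.

    A short TTL plus many distinct A addresses suggests single-flux; rotating
    NS records on top of that suggests double-flux. Thresholds are assumptions
    and should be tuned against legitimate CDN traffic in your own logs.
    """
    seen = summarize(records)
    empty = {"rdata": set(), "min_ttl": None}
    verdicts = {}
    for qname in sorted({q for q, _ in seen}):
        a_flux = _fluxing(seen.get((qname, "A"), empty), max_ttl, min_distinct_a)
        ns_flux = _fluxing(seen.get((qname, "NS"), empty), max_ttl, min_distinct_ns)
        if a_flux and ns_flux:
            verdicts[qname] = "double-flux"
        elif a_flux:
            verdicts[qname] = "single-flux"
        else:
            verdicts[qname] = "stable"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_RECORDS).items():
        print("%-22s %s" % (name, verdict))
```

Large content delivery networks also answer with short TTLs and many addresses, so in practice the NS-rotation signal and the registration age of the domain carry more weight than the A-record churn alone.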
2009 Malware Trends
- Man in the browser/endpoint
  - Trojan Horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries
  - Common objective of this attack is to cause financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use
- High-dollar Commercial OLB creds - compromised
- Challenge secret questions - compromised
- IP Geo-location - compromised
- Email out-of-band - compromised
- Hardware token - compromised
- Device fingerprinting - compromised
- Dual approver - compromised
- SMS out-of-band - compromised
2009 Malware Trends
- Compromised web pages are frequently the vehicle of choice for mass malware distribution
  - Hence, most servers are compromised in order to compromise clients
  - Those clients may then be used to compromise servers inside the enterprise! (Aurora!)
  - Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScripts
- Sophisticated software development
  - Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client-base and are producing highly usable, modular and upgradeable software at a tremendous rate.
  - For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes, designed to target specific PKI schemes, etc.
2009 Malware Trends
- Greater efficiency and targeting
  - Dasient: 5.5 million web pages on 560,000 websites infected with malware in Q4 2009.
  - Two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8
  - A smaller number of malicious programs means that users are less likely to notice an attack.
- Operators learning valuable business lessons
  - Operate 24/7 network of login-interceptors for high-value accounts
  - Operators are singling out SMBs that tend to have cash on hand and no real IT
  - Extremely sophisticated and profitable money-mule/laundering infrastructure now exists
 
Contemporary ACH / Wire Fraud
- Automated Clearing House (ACH)
- 1 - 4 victims / day
- Average take $100,000 / victim
- $500K - $1M / week
- $100M attempted in 2009
- $40M+ unrecovered
  - > All US bank robberies combined
- Losses borne by victims due to ACH rules
- ALL done by ONE Eastern European crew
Recent ACH Fraud Cases
- XXXX County - $415,000
- XXXX Corp - $447,000
- XXXX Energy - $200,000
- XXXX Construction - $588,000
- XXXX Industrial - $1,200,000
- XXXX School District - $117,000
- XXXX XXXX School - $150,000
- XXXX University - $189,000
Source: myNetWatchman
Information Disclosure: Lessons from Airplanes and ATMs
Information Disclosure
- Failing to redact documents correctly
- Not removing document metadata
- Not sanitizing hard drives and other media
- Unencrypted data
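The second failure mode above, leaving document metadata in place, is easy to check for and to fix mechanically. The following added example (not from the slides, and not a tool the speaker describes) builds a minimal constructed .docx-style package in memory, then rewrites its docProps/core.xml and docProps/app.xml so that creator, last-modified-by, company and template fields are gone before publication. The namespace URIs are the standard OOXML ones; the sample document contents and the list of properties stripped are assumptions you would adjust for your own publishing policy.

```python
"""Strip identifying metadata from an OOXML (.docx) package (added example).

Builds a constructed, minimal .docx-like ZIP in memory, then scrubs the
core and extended property parts and normalises ZIP entry timestamps.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML / Dublin Core namespaces used by docProps/*.xml.
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
for _prefix, _uri in (("cp", CP), ("dc", DC), ("dcterms", DCTERMS), ("xsi", XSI)):
    ET.register_namespace(_prefix, _uri)   # keep Word-style prefixes on output
ET.register_namespace("", APP)             # app.xml uses a default namespace

# Elements whose text identifies people, machines or organisations (assumed policy).
CORE_STRIP = {"{%s}creator" % DC, "{%s}lastModifiedBy" % CP, "{%s}description" % DC,
              "{%s}subject" % DC, "{%s}keywords" % CP, "{%s}category" % CP}
APP_STRIP = {"{%s}Company" % APP, "{%s}Manager" % APP, "{%s}Template" % APP,
             "{%s}TotalTime" % APP}


def build_sample_docx():
    """Constructed minimal package (not a real Word export) with leaky metadata."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" xmlns:xsi="%s">'
            '<dc:title>Standard Operating Procedure</dc:title>'
            '<dc:creator>j.doe</dc:creator>'
            '<cp:lastModifiedBy>REDACTION-WS07\\analyst</cp:lastModifiedBy>'
            '<cp:revision>42</cp:revision>'
            '</cp:coreProperties>') % (CP, DC, DCTERMS, XSI)
    app = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Properties xmlns="%s"><Company>Example Agency</Company>'
           '<Template>internal-template.dotx</Template><TotalTime>931</TotalTime>'
           '</Properties>') % APP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def _scrub_xml(data, tags):
    """Remove top-level child elements whose qualified tag is in `tags`."""
    root = ET.fromstring(data)
    removed = []
    for child in list(root):
        if child.tag in tags:
            removed.append(child.tag.split("}")[1])
            root.remove(child)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def scrub_docx(docx_bytes):
    """Return (scrubbed package bytes, names of the properties removed)."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    removed = []
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data, r = _scrub_xml(data, CORE_STRIP)
                removed += r
            elif item.filename == "docProps/app.xml":
                data, r = _scrub_xml(data, APP_STRIP)
                removed += r
            # Per-entry ZIP timestamps reveal when each part was last edited; flatten them.
            info = zipfile.ZipInfo(item.filename, date_time=(1980, 1, 1, 0, 0, 0))
            dst.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue(), removed


def core_properties(docx_bytes):
    """Names of the elements still present in docProps/core.xml (for inspection)."""
    z = zipfile.ZipFile(io.BytesIO(docx_bytes))
    return [c.tag.split("}")[1] for c in ET.fromstring(z.read("docProps/core.xml"))]


if __name__ == "__main__":
    original = build_sample_docx()
    scrubbed, removed = scrub_docx(original)
    print("removed:", removed)
    print("core.xml now carries:", core_properties(scrubbed))
```

Note that this handles only the property parts: comments, tracked changes and embedded images carry their own metadata and need the same treatment, and none of this helps with the black-bar problem on the next slides, where the sensitive text itself is still in the file.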
Information Disclosure
- TSA published a SOP manual with sensitive information redacted
- The TSA added black bars on top of text and images to prevent it from being seen
- The NSA specifically states that this will not work in their manual on redacting safely: Google “Redact Confidence”
- [Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF]
Information Disclosure
- 40% of hard drives purchased from eBay contain personal information
  - 36% Financial data
  - 21% Emails
  - 11% Corporate Documents
  - [source: Kessler International]
- Wipe drives before they leave your control
  - There are several bootable programs that will wipe all media attached to a computer
  - DBAN – Darik’s Boot and Nuke
Information Disclosure
- A security researcher purchased an ATM via Craig’s List
- He found 1,000 debit card numbers stored in the machine
- Who has access to your data? What are their controls on it?
Information Disclosure
- Imperva notified rockyou.com of a SQL injection flaw on Dec 4th
- Rockyou.com fixed the problem over the weekend
- The database stored passwords in plaintext
- A hacker disclosed that he had copied the entire database before the flaw was fixed
- The database contains the usernames and passwords for over 32 million accounts
- Included in the database were also passwords for partner websites
- This is a classic example of where defense in depth would have offered superior protection
Aurora
Background: Titan Rain intrusion set
- An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that are all related in some way
- Titan Rain was one such intrusion set
  - Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003
  - Labeled as Chinese in origin
  - Nature of and identities of adversaries unknown
Background: Advanced Persistent Threat (APT)
- Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks.
- Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome.
- Does not typically refer to things like ZeuS
Aurora
- Publicly disclosed hacking incident inside Google and other major companies
- Belief within infosec community that PRC has been waging a long term, persistent campaign of “espionage-by-malware”
  - Titan Rain, GhostNet
  - Grown bolder over time
Aurora
- In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-based corporations with the intent of exfiltrating sensitive data for political and financial gain.
- The Aurora team used a privately-held IE-7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs
  - Social-engineering using methods similar to Fake-AV campaigns was also used
- Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside
Aurora
- “Aurora” is taken directly from strings within some custom software components of the attack
  - Debug symbol file path in custom code
Aurora
- Known samples of main backdoor trojan used in attacks no older than 2009
- Attack may have been in the works for some time
  - Custom modules in Aurora codebase with timestamps as old as May 2006
  - Timeframe just after Titan Rain had blown up and PRC’s limited arsenal of mostly “COTS” trojans were being increasingly detected by commercial AV
Aurora
- With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now
- Compiler leaves many clues in a binary
  - PE resource section may reveal language code
  - Aurora author was careful to either compile on an English-language system, or to modify the language code in the binary after the fact
Aurora
- Peculiarities and origins of CRC algorithm used suggest author familiar w/ simplified Chinese
Aurora
- Partial JavaScript code used to exploit Google
- If only they were using Chrome…
New Details Emerge
- April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia”
  - “Cyberattack on Google Said to Hit Password System”, John Markoff
- Aurora had access to “Moma”, Google’s internal employee database
  - May have used information from Moma to target the individual developers working on Gaia
- Source code exfiltrated to Rackspace servers, and then onto ???
Other Trends
Other Trends
- Social engineering
  - Phishing / Spearphishing
  - E.g., Rogue AV
- Hybrid attacks
  - Targeted verticals and enterprises
  - Advanced Trojans
- Social Networks (Facebook, Twitter)
  - Trusted relationships
  - Superb ROI platform for URL-based attacks
- Botnet sophistication and innovation
- Spread of infection by reputable or legit websites
- Continuously evolving attacks and malware methods
- Threats come more from organized crime
  - However, involvement of state actors has finally come to the forefront
Other Trends
- 0-day black market
  - Premium paid for 0-days
  - Tipping Point has heard of governments offering $1 million for a good one
  - Good guys can’t compete at those prices
  - ‘Aurora’ used an IE 0-day that it had developed
- Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules
- Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations
- Global cooperation in these cases is still in its infancy
Other Trends
- Clients vs. Servers
  - For the moment, the pendulum has swung away from servers
  - Servers are now more likely to be compromised as a means to compromise a large number of clients
  - While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside
- The weakest-link rule is true now more than ever
The new .CN
The new .CN
- In December 2009, CNNIC published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names
- The new restrictions consisted of:
  - Webmasters to submit paper application and show ID when registering a domain name
  - Business license if applicable
  - Have to submit the information within 5 days or risk losing the domain
- We continued to monitor domains hosting malicious executables and have noticed an interesting trend
  - Domains registered with a ccTLD of .CN have slightly declined, while domains registered with a ccTLD of .IN have started to increase, starting right around the timeframe of the CNNIC announcement
The new .CN
- .RU domains have also seen an increase since the .CN registration requirements were announced.
- RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st
Mariposa / ButterflyBot
Mariposa / ButterflyBot
- Publicly sold botnet kit called “BFBOT”
  - Distributed as binary “builder” kit, full source code is not available
  - Author has since “retired”, but perhaps not
- Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot
  - Uses console-based master control program
- Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development
Mariposa / ButterflyBot
- Named after a domain that it was contacting: butterfly [dot] sinip [dot] es
- Initially discovered early 2009
- Sold on bfsecurity.net
  - “Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)”
  - The three spreaders are MSN, USB, and P2P.
  - Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”
Commercial Market for ButterflyBot Source: Panda Security
ButterflyBot Capabilities
- Information Theft
  - Steal data from Internet Explorer (protected storage and Autocomplete (IE 7+) password stealing)
  - Mozilla Firefox (stored passwords stealing)
- Downloader
  - Download files via HTTP and execute them on the infected computer
- DDoS
  - TCP SYN or UDP packet flooding
- Propagation
  - MSN Instant Messenger
  - USB autorun
  - Copying itself to well-known P2P application download directories
- VNC Server Scan
  - Scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.
ButterflyBot Console Source: Symantec
ButterflyBot Master Client Source: Panda Security
ButterflyBot Configuration Tool Source: Panda Security
Mariposa Takedown
- Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries
- Botmasters made money by allowing other cybercrooks to utilize parts of the botnet
- This led to a variety of malware being installed
  - Advanced keyloggers
  - Various Banking trojans
  - RATs (Remote Access Trojans)
  - Fake AV
Mariposa Takedown
- Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested
  - “netkairo” of Balmaseda, age 31
  - “jonyloleante” of Molina de Segura, age 30
  - “ostiator” of Santiago de Compostela, age 25
- Action taken on domains December 23, 2009 at 1700 Spanish time
  - US FBI and Spanish Civil Guard
  - Believed that suspects would be less able to react due to Christmas holiday and time with family
- Suspects unknown, using VPNs from Swedish provider Relakks
- During counter attack, “netkairo” made a fatal mistake
  - Did not use VPN, revealed IP address in Spain
  - IP provided to Civil Guard
Mariposa Takedown
- “netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain
- Digital forensics of seized computers led to 2 further arrests in Spain
- Cases in front of Judge Garzón of the National Court
Conclusion
Conclusion
- Defenders remain at a significant disadvantage
- Must attack both sides of the risk vs. reward equation
- Closer cooperation is needed between security community and law enforcement
- Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem
  - Attractive ROI of Social Engineering
Q & A
Special Thanks
- Chema Alonso & Informática64
- Maite Villalba and the Universidad Europea de Madrid
- You, my audience!

More Related Content

Trends in network security feinstein - informatica64

  • 1. Trends in Network Security Ben Feinstein, CISSP GCFA Director of Research SecureWorks Counter Threat Unit℠ Friday, April 23 rd , 2010 Informática64 Móstoles, Spain
  • 3. Who Am I? Native of Atlanta, Georgia USA 12 years old, dial-up UNIX shell, telneting around the world Professional software developer as a teenager Bachelor of Science in Computer Science (c. Economics), 2001 Harvey Mudd College, Claremont, California USA Author of RFC 4765 and RFC 4767 Software Engineer at a series of security start-ups, 2001 – 2006 Joined SecureWorks in 2006 Certified Information Systems Security Professional (CISSP) SANS Global Information Assurance Certified Forensics Analyst (GCFA)
  • 4. Who is SecureWorks? Market leading provider of information security services Managed Security Services Provider (MSSP) Security and Risk Consulting (SRC) Over 2,700 clients worldwide, including more than 10% of Fortune 500 Suite of managed information and network security services Security Information Management (SIM) On Demand Log Monitoring Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS) Threat Intelligence Firewall Host IPS Vulnerability Scanning Web Application Scanning Log Retention Encrypted Email
  • 6. Agenda Computer Networks Vulnerability Trends of 2009 Malware Trends of 2009 Information Disclosure Aurora Other Trends The New .CN Mariposa / ButterflyBot Conclusion Q & A
  • 7. From Mainframes to Today’s Internet
  • 8. The Development of Computer Networks Advanced Research Projects Agency (ARPA) Established in 1958 after Soviet launch of Sputnik satellite in 1957 Later renamed the Defense Advanced Research Projects Agency (DARPA) Directly manages a $3.2B budget ARPANET developed by ARPA for US Department of Defense (DoD) Development work began in 1969
  • 9. Decentralization of Computing Power Mainframes gave way to Personal Computers (PCs) Development of Local Area Networks (LANs) Dial-up Internet Broadband Internet
  • 11. Map of Internet Routers (2005), Opte Project http://www.opte.org/
  • 12. Map of Online Communities, xkcd #256 http://xkcd.com/256/ , Spring 2007
  • 13. Some (Much) Older Networks to Remember Hawala Pony Express Source: International Monetary Fund
  • 15. The Network as an Attack Surface Concept of Threat Modeling Concept of an Attack Surface Local Attacks vs. Remote Attacks Common Vulnerability Scoring System (CVSS) version 2 Exploitability metrics Access Vector: Local, Adjacent Network, Network Widespread adoption of Firewalls Widespread adoption of the Web Web 2.0
  • 17. 2009 Vulnerability Trends Vulnerabilities disclosed for document readers and editors soared. Office documents including spreadsheets and presentations Portable Document Format (PDF) documents – the dubious champ Favorite vector of “Spear Phishers”, including “Operation Aurora” The appearance of new malicious Web links has skyrocketed globally in the past year. Phishing, Malvertisements, Fake-AV, etc. A large number of sophisticated web-attack toolkits are available for sale. CSS and SQLi attacks primarily used to redirect web-surfers to an attack-toolkit! Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries not previously been in the game. Attackers are shifting their geographical profiles due to various pressures Lots and lots of money to be made
  • 20. 2009 Malware Trends Malware authors and operators innovated Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7 Complex and user friendly Banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use Better prepared for takedowns and other countermeasures Lessons learned from the days of The RBN Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services DNS double and triple-flux technologies
  • 21. 2009 Malware Trends Man in the browser/endpoint Trojan Horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries Common objective of this attack is to cause financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use High-dollar Commercial OLB creds - compromised Challenge secret questions – compromised IP Geo-location - compromised Email out-of-band - compromised Hardware token - compromised Device fingerprinting - compromised Dual approver - compromised SMS out-of-band - compromised
  • 22. 2009 Malware Trends Compromised web pages frequently vehicle of choice for mass malware distribution Hence, most servers are compromised in order to compromise client Those clients may then be used to compromise servers inside the enterprise! (Aurora!) Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScripts Sophisticated software development Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client-base and are producing highly usable, modular and upgradeable software at a tremendous rate. For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes and designed to target specific PKI schemes, etc.
  • 23. 2009 Malware Trends Greater efficiency and targeting Dasient: 5.5 million web pages on 560,000 websites infected with malware Q4 2009. Two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8 Smaller number of malicious programs means that users are less likely to notice an attack. Operators learning valuable business lessons Operate 24/7 network of login-interceptors for high-value accounts Operators are singling out SMBs that tend to have cash on hand and no real IT Extremely sophisticated and profitable money-mule/laundering infrastructure now exists
  • 24.  
  • 25. Contemporary ACH / Wire Fraud Automated Clearing House (ACH) 1 - 4 victims / day Average take $100,000 / victim $500K - $1M/week $100M attempted in 2009 $40M+ unrecovered > All US bank robberies combined Losses borne by victims due to ACH rules ALL done by ONE Eastern European crew
  • 26. Recent ACH Fraud Cases XXXX County - $415,000 XXXX Corp - $447,000 XXXX Energy - $200,000 XXXX Construction - $588,000 XXXX Industrial - $1,200,000 XXXX School District - $117,000 XXXX XXXX School - $150,000 XXXX University - $189,000
  • 30. Information Disclosure: Lessons from Airplanes and ATMs
  • 31. Information Disclosure Failing to redact documents correctly Not removing document metadata Not sanitizing hard drives and other media Unencrypted data
  • 32. Information Disclosure TSA published a SOP manual with sensitive information redacted
  • 33. Information Disclosure The TSA added black bars on top of text and images to prevent it from being seen
  • 34. Information Disclosure The NSA specifically states that this will not work in their manual on redacting safely: Google: “Redact Confidence”
  • 35. Information Disclosure [Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF]
  • 36. Information Disclosure 40% of hard drives purchased from eBay contain personal information 36% Financial data 21% Emails 11% Corporate Documents [source: Kessler International] Wipe drives before they leave your control There are several bootable programs that will wipe all media attached to a computer DBAN – Darik’s Boot and Nuke
  • 37. Information Disclosure A security researcher purchased an ATM via Craig’s List He found 1,000 debit card numbers stored in the machine Who has access to your data? What are their controls on it?
  • 38. Imperva notified rockyou.com of a SQL injection flaw on Dec 4 th Rockyou.com fixed the problem over the weekend The database stored passwords in plaintext A hacker disclosed that he had copied the entire database before the flaw was fixed Information Disclosure
  • 39. Information Disclosure The database contains the usernames and passwords for over 32 million account Included in the database were also passwords for partner websites This is a classic example of where defense in depth would have offered superior protection
  • 41. Background: Titan Rain intrusion set An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that is all related in some way Titan Rain was one such intrusion set Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003 Labeled as Chinese in origin Nature of and identities of adversaries unknown
  • 42. Background: Advanced Persistent Threat (APT) Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks. Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome. Does not typically refer to things like ZeuS
  • 43. Aurora Publicly disclosed hacking incident inside Google and other major companies Belief within infosec community that PRC has been waging a long term, persistent campaign of “espionage-by-malware” Titan Rain, GhostNet Grown bolder over time
  • 44. Aurora In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-Based corporations with the intent of exfiltrating sensitive data for political and financial gain. The Aurora team used a privately-held IE-7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs Social-engineering using methods similar to Fake-AV campaigns was also used Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside
  • 45. Aurora “ Aurora” is taken directly from strings within some custom software components of the attack Debug symbol file path in custom code
  • 46. Aurora Known samples of main backdoor trojan used in attacks no older than 2009 Attack may have been in works for some time Custom modules in Aurora codebase with timestamps as old as May 2006 Timeframe just after Titan Rain had blown up and PRC’s limited arsenal of mostly “COTS” trojans were being increasingly detected by commercial AV
  • 47. Aurora With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now Compiler leaves many clues in a binary PE resource section may reveal language code Aurora author was careful to either compile on English-language system, or to modify the language code in the binary after the fact
  • 48. Aurora Peculiarities and origins of CRC algorithm used suggest author familiar w/ simplified Chinese
  • 49. Aurora Partial JavaScript code used to exploit Google If only they were using Chrome…
  • 50. New Details Emerge April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia” “ Cyberattack on Google Said to Hit Password System”, John Markoff Aurora had access to “Moma”, Google’s internal employee database May have used information from Moma to target the individual developers working on Gaia Source code exfiltrated to Rackspace servers, and then onto ???
  • 52. Other Trends Social engineering Phishing / Spearphishing E.g., Rogue AV Hybrid attacks Targeted verticals and enterprises Advanced Trojans Social Networks (Facebook, Twitter) Trusted relationships Superb ROI platform for URL-based attacks Botnet sophistication and innovation Spread of infection by reputable or legit websites continuously evolving attacks and malware methods Threats come more from organized crime However, involvement of state actors has finally come to the forefront
  • 53. Other Trends 0-day black market Premium paid for 0-days Tipping Point has heard of governments offering $1 million for a good one Good guys can’t compete at those prices ‘ Aurora’ used an IE 0-day that it had developed Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations Global cooperation in these cases is still in its infancy
  • 54. Other Trends Clients vs. Servers For the moment, the pendulum has swung away from servers Servers are now more likely to be compromised as a means to compromise a large number of clients While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside The weakest-link rule is true now more than ever
  • 56. The new .CN In December 2009, published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names The new restrictions consisted of: Webmasters to submit paper application and show ID when registering a domain name Business license if applicable Have to submit the information within 5 days or risk losing the domain Continued to monitor domains hosting malicious executables and have noticed an interesting trend Domains registered with a ccTLD of .CN have slightly declined where domains registered with a ccTLD of .IN have started to increase starting right around the timeframe of the CNNIC announcement
  • 58. The new .CN .RU domains have also seen an increase since the .CN registration requirements were announced. RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st
  • 61. Mariposa / ButterflyBot Publicly sold botnet kit called “BFBOT” Distributed as binary “builder” kit, full source code is not available Author has since “retired”, but perhaps not Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot Uses console-based master control program Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development
  • 62. Mariposa / ButterflyBot Named after a domain that it was contacting butterfly [dot] sinip [dot] es Initially discovered early 2009 Sold on bfsecurity.net “ Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”
  • 63. Commercial Market for ButterflyBot Source: Panda Security
  • 64. ButterflyBot Capabilities
    - Information Theft
      - Steals data from Internet Explorer (Protected Storage and, on IE 7+, AutoComplete passwords)
      - Steals stored passwords from Mozilla Firefox
    - Downloader
      - Downloads files via HTTP and executes them on the infected computer
    - DDoS
      - TCP SYN or UDP packet flooding
    - Propagation
      - MSN Instant Messenger
      - USB autorun
      - Copying itself to well-known P2P application download directories
    - VNC Server Scan
      - Scans for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access
  • 66. ButterflyBot Master Client Source: Panda Security
  • 67. ButterflyBot Configuration Tool Source: Panda Security
  • 68. Mariposa Takedown
    - Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries
    - Botmasters made money by allowing other cybercrooks to utilize parts of the botnet
    - This led to a variety of malware being installed:
      - Advanced keyloggers
      - Various banking trojans
      - RATs (Remote Access Trojans)
      - Fake AV
  • 69. Mariposa Takedown
    - Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested:
      - “netkairo” of Balmaseda, age 31
      - “jonyloleante” of Molina de Segura, age 30
      - “ostiator” of Santiago de Compostela, age 25
    - Action taken on domains December 23, 2009 at 1700 Spanish time
      - US FBI and Spanish Civil Guard
      - Believed that suspects would be less able to react due to the Christmas holiday and time with family
    - Suspects unknown, using VPNs from Swedish provider Relakks
    - During the counter-attack, “netkairo” made a fatal mistake
      - Did not use the VPN, revealed an IP address in Spain
      - IP provided to the Civil Guard
  • 70. Mariposa Takedown
    - “netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain
    - Digital forensics of the seized computers led to 2 further arrests in Spain
    - Cases in front of Judge Garzón of the National Court
  • 72. Conclusion
    - Defenders remain at a significant disadvantage
    - Must attack both sides of the risk vs. reward equation
    - Closer cooperation is needed between the security community and law enforcement
    - Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem
      - Attractive ROI of social engineering
  • 73. Q & A
  • 74. Special Thanks
    - Chema Alonso & Informática64
    - Maite Villalba and the Universidad Europea de Madrid
    - You, my audience!

Editor's Notes

  1. Harvey Mudd College, Claremont, California USA
     Co-op with Aerospace Corporation, El Segundo, California USA (2000): Federally Funded Research & Development Corporation (FFRDC); supports national security, civil and commercial space programs
     Graduate of FBI Citizens’ Academy
  2. ARPA renamed to DARPA in March 1972; renamed ARPA again in February 1993; renamed DARPA again in March 1996
  3. Hawala – today, “probably used mostly for migrant workers’ remittances to their countries of origin”
     Chart source: International Monetary Fund, http://www.imf.org/external/pubs/ft/fandd/2002/12/elqorchi.htm
     Pony Express – 1860-1861; 2,000 miles from Missouri to Sacramento, California; 190 stations spaced at roughly 10 mile intervals (about the maximum distance a horse could run at full gallop). Riders carried along a mochila and changed horses at each station. Replaced by the telegraph.
  4. Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install.
  5. Krebs on Security blog, written by Brian Krebs, formerly of the Washington Post: http://www.krebsonsecurity.com/category/smallbizvictims/
     Formerly wrote the Security Fix blog for the Washington Post: http://voices.washingtonpost.com/securityfix/small_business_victims/
     “Computer Crooks Steal $100,000 from Ill. Town”, 2010-04-06, http://krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/
     “Online Thieves Take $205,000 Bite Out of Missouri Dental Practice”, 2010-03-30, http://krebsonsecurity.com/2010/03/online-thieves-take-205000-bite-out-of-missouri-dental-practice/
     “Organized Crooks Hit NJ Town, Ark. Utility”, 2010-03-22, http://krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/
  6. Avalanche is a fast-flux hosting network similar to Asprox
  7. http://www.nytimes.com/2010/04/20/technology/20google.html
  8. Reported in the October 2009 CTU Threat Intelligence webinar
  9. Reported in the October 2009 CTU Threat Intelligence webinar
  10. http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  11. http://www.symantec.com/connect/blogs/mariposa-butterfly-bot-kit
  12. http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  13. http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A