Changes in the Threat Landscape Beth Jones SophosLabs, Dec 2006.

1 Changes in the Threat Landscape. Beth Jones, SophosLabs, Dec 2006

2 Outline
- Overview of the current malware threat
- Overview of the current spam threat
- A more detailed look at the Threat Landscape
- Threat Trends and Techniques
- SophosLabs
- Looking forward
- Summary

3 SophosLabs: Overview of the current malware threat

4 Threat numbers
- 3000 new malicious software threats per month
- 300% rise in spam in May 2006

5 Threat numbers

6 The profile of a virus writer is changing...
- Virus writers now have a financial motive (phishing, stealing confidential data, denial-of-service extortion attempts, spam)
- More organized criminals see that viruses and Trojan horses can help them make money
- They are less likely to make the mistake the “old school” virus writers made of needing to show off to their friends
- Law enforcement coordination is required to stop international virus-writing gangs

7 …from Headlines

8 …to targeted attacks
- Although large outbreaks make the headlines, there are also attacks targeted at specific sites or business rivals
- Less likely to be noticed than a large outbreak
- “Hacked to order” to steal information or resources
- Large outbreaks typically target Windows PCs, but a targeted attack need not

9 Changing Threats
- Most Trojans have spyware components
- 140 Brazilian banking Trojans a day were seen during the summer of 2005
- Total number of banker Trojans with individual IDs is 5500+
  - Troj/Bank*: 3818
  - Troj/Banc*: 1839
- However, now that we have the Mal/Packer and Mal/Banc behavioral genotypes, there are probably many thousands more that we detect proactively
- Similar trend with other spyware
  - Troj/Torpig-BJ

10 Keeping out of the news
- Don’t want to draw attention
  - Strong evidence that they ‘test’ first
  - Easier to steal from 200 than from 200,000
- Specific targeted attacks
  - Easily deployed through spam
  - Drop malware either directly or from a website
- Use a variety of techniques to ‘hide’ themselves
  - Self-updating
  - Packing techniques
- Malware toolkits for sale

11 SophosLabs: Overview of the current spam threat

12 By Country Stats (charts): Malware, Nov 2006, based on all data; Spam, Jul-Sep 2006

13 Changing face of Spam
- Increase in ‘Image Only’ spam
  - Widely used for stock ‘Pump and Dump’
  - Now being used for other types (Degree, Med etc.)
- Shorter campaigns
  - URLs used in campaigns lasting just a few minutes
- Avoid URI blocking technologies
  - Abuse free hosting services: free page redirects to spammer’s site
  - Redirectors (TinyURL etc.): free URL that again redirects
  - E.g.

14 Spam Example
- Stock ‘pump-and-dump’ campaigns
- No URL, image only
- Small image changes introduced to get around checksums
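The checksum-evasion point above, as an added example that is not part of the original slides: two constructed 8x8 grayscale images, a 32-bit FNV-1a digest standing in for the cryptographic checksum a gateway might compare, and an average hash as the perceptual alternative. Image size, pixel values and the stand-in digest are all assumptions made for this example.

```javascript
// Added example (not from the slides): why nudging a few pixels defeats a
// checksum but not a perceptual (average) hash. Constructed 8x8 grayscale
// images stand in for real spam images; FNV-1a stands in for the
// cryptographic checksum a gateway might have compared.

const W = 8, H = 8;

// Constructed image: left half bright (200), right half dark (50).
function makeBaseImage() {
  const px = new Uint8Array(W * H);
  for (let y = 0; y < H; y++)
    for (let x = 0; x < W; x++)
      px[y * W + x] = x < W / 2 ? 200 : 50;
  return px;
}

// Spammer-style tweak: raise a handful of pixel values by a small amount.
function tweakImage(px, count = 3, delta = 3) {
  const out = Uint8Array.from(px);
  for (let i = 0; i < count; i++) out[i * 7] = Math.min(255, out[i * 7] + delta);
  return out;
}

// 32-bit FNV-1a over the raw pixels: any change to any byte changes the digest.
function fnv1a32(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Average hash: one bit per pixel, set when the pixel is brighter than the mean.
// Small value changes that do not cross the mean leave the hash unchanged.
function averageHash(px) {
  const mean = px.reduce((a, b) => a + b, 0) / px.length;
  let bits = "";
  for (const v of px) bits += v > mean ? "1" : "0";
  return BigInt("0b" + bits).toString(16).padStart(16, "0");
}

// Number of differing bits between two hex-encoded hashes.
function hammingDistanceHex(a, b) {
  let x = BigInt("0x" + a) ^ BigInt("0x" + b);
  let d = 0;
  while (x) { d += Number(x & 1n); x >>= 1n; }
  return d;
}

// Compare the two approaches on the base image and its tweaked copy.
function compareDigests() {
  const base = makeBaseImage();
  const tweaked = tweakImage(base);
  return {
    checksumMatches: fnv1a32(base) === fnv1a32(tweaked),
    perceptualDistance: hammingDistanceHex(averageHash(base), averageHash(tweaked)),
  };
}

console.log(compareDigests()); // checksum differs, perceptual distance 0
```

In a gateway the perceptual hash would be compared against known campaign images with a small distance threshold rather than for exact equality, which is what makes it resistant to the per-message pixel changes described on the slide.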

15 Image Spam Example

16 The threat landscape is changing…

17 A more detailed look at the Threat Landscape

18 Facts & Figures
- Dec 2005
  - 135 Alerts (4-5 per day)
  - 1138 Identities (1-2 every hour)
  - ~1000 we didn’t alert on (but added)
  - 68% Trojans
  - Doesn’t include the ones we detect proactively
  - >4000 Banker Trojans detected with just 4 Genotype/Family identities
- May 2006
  - 84% Trojans

19 Web infection – stage 1 (diagram: Attacker’s PC, Attacker’s web, ISP, SMTP, Email seed-list, Gateway, Email server, Workstations)

20 Web infection – stage 2 (diagram: Attacker’s PC, Attacker’s web, ISP, Gateway, Email server, Workstations)

21 Backdoor Trojans
- Client/Server (SubSeven): attacker uses a dedicated client program
- IRC (Rbot): attacker uses a standard IRC client
- Web (Bugbear): attacker uses an internet browser

22 Bots
- Bot (Zombie, Drone): a piece of code developed to emulate human behavior on a network; in computer security, used to describe network-spreading threats with a payload that allows a remote attacker to control resources owned by the infected machine
- Control most frequently over IRC (TCP 6667 default port)

23 Definitions
- Botnet (Zombie army): a group of bots controlled by a single originator/hacker
- The botnet owner usually sets up an IRC server that allows authenticated access for specific IRC bot clients bundled with network-spreading worms
- Botnet server often connected with other IRC botnet servers
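The bot and botnet definitions on the two slides above, turned into detection logic as an added example that is not part of the original presentation: since a botnet is many infected hosts reporting to one controller, and the slide gives IRC on TCP 6667 as the usual channel, the tell-tale in connection logs is several internal hosts talking to the same IRC server. The flow records, their format and the threshold are constructed for this example.

```javascript
// Added example (not from the slides): spotting likely bot clients in
// connection logs. The control channel quoted on the slide is IRC on TCP 6667,
// and a botnet is many hosts under one originator, so the signal used here is
// several internal hosts connecting to the same IRC server. A single host on
// IRC may simply be a person chatting, so it is not flagged on its own.

const IRC_PORTS = new Set([6667]); // default IRC port quoted on the slide

// Constructed flow records in the form "time src dst dport".
const FLOWS = [
  "2006-12-01T10:00:01 10.0.0.12 198.51.100.7 6667",
  "2006-12-01T10:00:03 10.0.0.15 198.51.100.7 6667",
  "2006-12-01T10:00:09 10.0.0.21 198.51.100.7 6667",
  "2006-12-01T10:00:10 10.0.0.12 203.0.113.9 80",
  "2006-12-01T10:01:44 10.0.0.33 192.0.2.44 6667",
  "2006-12-01T10:02:00 10.0.0.40 203.0.113.10 443",
];

function parseFlow(line) {
  const [time, src, dst, dport] = line.trim().split(/\s+/);
  return { time, src, dst, dport: Number(dport) };
}

// Group IRC connections by destination server and return the servers that
// at least `minHosts` distinct internal hosts have contacted.
function findSharedIrcServers(lines, minHosts = 2) {
  const byServer = new Map();
  for (const rec of lines.map(parseFlow)) {
    if (!IRC_PORTS.has(rec.dport)) continue;
    if (!byServer.has(rec.dst)) byServer.set(rec.dst, new Set());
    byServer.get(rec.dst).add(rec.src);
  }
  return [...byServer]
    .filter(([, hosts]) => hosts.size >= minHosts)
    .map(([server, hosts]) => ({ server, hosts: [...hosts].sort() }));
}

console.log(findSharedIrcServers(FLOWS)); // one shared server with three internal hosts
```

The hosts listed in the result are the candidates for the kind of zombie alert described later in the deck; the lone IRC connection from 10.0.0.33 stays below the threshold and would need other evidence before being treated as a bot.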

24 Botnets (diagram: Botnet originator (owner), Botnet 1, Botnet 2, Botnet user (customer))

25 Rootkits
- A rootkit is a set of tools (programs, utilities) used by an attacker to maintain access to a compromised system without his activity being detected by the system administrator.
- Rootkits act by denying the listing of certain elements such as processes, files, registry entries and TCP ports, falsely improving the user’s confidence that the machine has not been compromised.

26 Normal system (diagram: Application, System, Disk)

27 Rootkit installed (diagram: Application, Rootkit, System, Disk)

28 Threat Trends

29 Changes in techniques
- Malware authors are using newer or different tactics to try to maintain their element of surprise.
- Techniques include:
  - Obfuscation techniques
  - Packers/wrappers
  - Exploits

30 Obfuscation techniques
- Packing: aggressive development of packers & cryptors
- Junk data/code: added to make analysis more difficult
- Code injection: masquerade as another process; bypass local security (client firewall)
- Persistence: twinning procedures

31 Obfuscation – Code Injection
- Masquerade as another process
- Bypass local security (client firewall)
- Change XOR key: 255 “variants”
  - Troj/Dloadr-AMQ (Sep 2006), ^0x1b
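The “255 variants” point above, as an added example that is not part of the original slides: a detection written against single-byte-XOR-encoded bytes needs one entry per non-zero key, whereas recovering the key first and matching the decoded bytes needs one entry. The sample payload, the marker string used to recognise a correct decode and the rule text are constructed for this example; 0x1b is the key quoted on the slide and 0x5a is an arbitrary second key.

```javascript
// Added example (not from the slides): normalising a single-byte XOR layer
// before matching. There are 255 possible non-zero keys, hence "255 variants"
// of one payload; recovering the key first lets a single rule cover them all.

const MARKER = "This program cannot be run in DOS mode"; // DOS stub text found in most Win32 PE files

function asciiBytes(text) {
  return Uint8Array.from(text, (c) => c.charCodeAt(0));
}

function xorBytes(bytes, key) {
  return Uint8Array.from(bytes, (b) => b ^ key);
}

// Byte-wise substring search (both arguments are Uint8Arrays).
function containsBytes(hay, needle) {
  outer: for (let i = 0; i + needle.length <= hay.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (hay[i + j] !== needle[j]) continue outer;
    }
    return true;
  }
  return false;
}

// Try every non-zero single-byte key; return the key under which the marker
// appears plus the decoded bytes, or null when no key reveals it.
function recoverSingleByteXor(encoded, marker = MARKER) {
  const needle = asciiBytes(marker);
  for (let key = 1; key <= 0xff; key++) {
    const decoded = xorBytes(encoded, key);
    if (containsBytes(decoded, needle)) return { key, decoded };
  }
  return null;
}

// Detection written against normalised bytes: one rule covers every key.
function matchesAfterNormalising(sample, ruleText) {
  const hit = recoverSingleByteXor(sample);
  return hit !== null && containsBytes(hit.decoded, asciiBytes(ruleText));
}

// Constructed sample: a fake PE stub plus a string a rule might look for,
// encoded with two keys to stand in for two of the 255 variants.
const RULE_TEXT = "example-rule-string";
const PAYLOAD = asciiBytes("MZ\u0090\u0000" + MARKER + ".\r\n$" + RULE_TEXT);
const VARIANT_A = xorBytes(PAYLOAD, 0x1b); // the key quoted on the slide
const VARIANT_B = xorBytes(PAYLOAD, 0x5a); // a second, constructed key

// A rule on the raw encoded bytes of VARIANT_A matches only VARIANT_A.
function matchesRawEncoded(sample) {
  return containsBytes(sample, xorBytes(asciiBytes(RULE_TEXT), 0x1b));
}

console.log(matchesRawEncoded(VARIANT_A), matchesRawEncoded(VARIANT_B));                     // true false
console.log(matchesAfterNormalising(VARIANT_A, RULE_TEXT), matchesAfterNormalising(VARIANT_B, RULE_TEXT)); // true true
```

The behavioural-genotype approach mentioned elsewhere in the deck goes one step further than this: instead of recovering the key it treats the presence of the decoding loop itself as the characteristic worth detecting.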

32 Obfuscation – Code Injection
- Browser Helper Objects (BHO)
  - Code “injection”? (well, silent loading at least)
  - Core of adware applications
  - BHO – sniff HTTP traffic
  - Often used in banking Trojans

33 Obfuscation – Persistence
- Payloads to maintain persistence, e.g.:
  - Process termination
  - Process “twinning”

34 Exploit Usage
- WebAttacker (demo)
- OS & browser
- IRC bots: LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007)
- Troj/Animoo
- Exp/WMF
- ADODB (Psyme)

35 Troj/Tibs
- Exp/WMF
- Exp/Ani
- Exp/CodeBase
- WebViewFolderIcon
- ADODB Stream
- Obfuscated JS

36 Full Circle! (infection chain diagram)
- Guru/JSShell
- Webroot: Hardcore porn
- Daxctle
- Dload (Mal/Packer)
- Dload-AQE
- Backdoor
- Dload (inj DLL)
- Troj/LDPinch
- Tool888 (PUA; registered 13th Nov)
- Troj/Zlob !!! “Require new Codec to view movie”
- Troj/Tibs

37 Troj/LDPinch
- Password stealer, 2004-6, very active
- Reports via HTTP POST, B64
- OS, process list, SMTP cfg, MAPI and POP3 credentials, …

38 ADODB - Psyme
- “Utility” script used in many campaigns
- Downloaders, backdoors etc.
- Key part of infection mechanism: spam URI to ADODB exploit

39 Troj/Proxy-EN
- Installs stealthing proxy Trojan (via dropper)
- PE: %sysdir%\protector.exe
- SYS: HKLM\SYSTEM\CurrentControlSet\Services\ntio256
  - ImagePath = \??\C:\WINDOWS\System32\ntio256.sys
  - DisplayName = "Input and output operations"
- Device name: \\.\poofpoof
- IOControlCodes (3):
  - 0x220400 - registry
  - 0x220404 - files
  - 0x22040c - process

40 Obfuscated JavaScripts
- Simple “kits” available
- Not in itself indicative of malice, but certainly suggestive!
- Various mechanisms: char substitution, unescape, StrReverse, …
- Emulate? Performance considerations

Fragment shown on the slide:

    shellcode = unescape("%u4343"+"%u4343"+"%u4343" +
      "%ua3e9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c" +
      "%u1c70%u8bad%u0868%uf78b%u046a%ue859%u0043%u0000" +
      "%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u9516" +
      "%u2ee8%u0000%u8300%u20ec%udc8b%u206a%uff53%u0456" +
    function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,58,12,54,53,10,24,87,45,56,12 …);for(j=Math.ceil(l/b); j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l-- ){w|=(t[x.charCodeAt(p++)- 48])<>=8;s-=2}else{s=6}}document.write(r)}}
    decrypt_p("WsuvPNgVPF@s3JX4jLixWtNtKj...”)
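The slide’s point that these mechanisms are suggestive rather than conclusive, and that full emulation is expensive, maps onto a cheap static pre-filter. The scorer below is an added example, not code from the slides or from Sophos: it checks a script for the indicators the slide lists (unescape of %u data, character-code substitution, string reversal, writing a computed value into the page) and returns a weighted score with reasons. The indicator weights, the threshold and both sample scripts are constructed for this example, and the samples do nothing harmful.

```javascript
// Added example (not from the slides): a static scorer for the obfuscation
// indicators the slide lists. Each indicator alone is only suggestive, so the
// output is a weighted score with reasons rather than a verdict, and it is
// cheap enough to run before deciding whether a script merits emulation.

const INDICATORS = [
  { name: "unescape() of %u-encoded data", weight: 3,
    re: /unescape\s*\(\s*["'][^"']*%u[0-9a-f]{4}/i },
  { name: "long run of %uXXXX units", weight: 3,
    re: /(?:%u[0-9a-f]{4}){8,}/i },
  { name: "char-code substitution", weight: 2,
    re: /String\.fromCharCode\s*\(/ },
  { name: "string reversal", weight: 2,
    re: /StrReverse|\.split\s*\(\s*["']{2}\s*\)\s*\.reverse\s*\(\s*\)/i },
  { name: "eval/document.write of a computed value", weight: 2,
    re: /(?:\beval|document\.write)\s*\(\s*[A-Za-z_$][\w$]*\s*[()]/ },
  { name: "large opaque string literal", weight: 1,
    re: /["'][A-Za-z0-9+\/@=]{64,}["']/ },
];

// Score a script; `suspicious` is a tunable threshold, not a malware verdict.
function scoreScript(src, threshold = 5) {
  const hits = INDICATORS.filter((ind) => ind.re.test(src));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, hits: hits.map((ind) => ind.name), suspicious: score >= threshold };
}

// Constructed sample in the style of the slide's fragment: harmless filler
// bytes, an opaque blob, a char-code decoder and a write of the decoded value.
const OBFUSCATED_SAMPLE = [
  'var s = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");',
  'var k = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5";',
  'function d(x){var r="";for(var i=0;i<x.length;i++){r+=String.fromCharCode(x.charCodeAt(i)^7);}return r;}',
  'document.write(d(k));',
].join("\n");

// Constructed benign sample: document.write of a literal string scores nothing.
const BENIGN_SAMPLE = [
  'function greet(name) {',
  '  document.write("<p>Hello, " + name + "</p>");',
  '}',
  'greet("reader");',
].join("\n");

console.log(scoreScript(OBFUSCATED_SAMPLE)); // score 11, five indicators, suspicious
console.log(scoreScript(BENIGN_SAMPLE));     // score 0, no indicators
```

A high score is a reason to send the script on to emulation or an analyst, not a detection on its own; legitimate packers and minifiers trip some of the same indicators, which is exactly the slide’s caveat.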

41 Targeted Attacks
- Exp/1Table (incl. MS06-027)
  - Malformed Word documents
  - Drop various backdoor & PWS Trojans
- Exp/MS06-048
  - Malformed PowerPoint presentations (CVE-2006-3590)
  - Drop Troj/Bifrose backdoor
  - Eastern origin, politically themed

42 Games
- MMORPGs: massively multiplayer online role-playing games
- Financial scope
  - Young demographic
  - Real value (Lineage: >4m subscribers)
- Phishing (since ~2002)
- Trojans (since ~2003)
  - W32/PrsKey-A (Oct 2005): “Priston’s Tale” keylogger, Yahoo! email
  - W32/Looked (2005-6): “Lineage” & “WoW”; prepender, pws, keylogger

43 Games
- Mechanism?
  - Steal login credentials
  - Transfer items/goods within game
  - Sell for real cash
  - Banned by game manufacturers
- Priest $355+
- Cleric $200+

44 Games
- Denial of Service: Second Life, ‘Grey Goo’
- Next step?
  - Spyware (EULA)
  - API advancements

45 SophosLabs

46 Who are SophosLabs?

47 A global group within Sophos engineering: 53 people in 4 countries

48 Global labs

49 What do SophosLabs do?

50 Protect Sophos customers 24/7

51 What do SophosLabs do?
- Viruses
- Spam
- Updates
- Alerts
- Information

52 Updates
- Anti-virus updates: 4-6 per day
- Protect against: viruses, worms, Trojans, spyware

53 Updates
- Anti-spam updates: every 5 minutes
- Protect against: spam, phishing, stock scams

54 Alerts
- Virus alerts: free notification of new threats
- Zombie alerts: notify customers of spam zombies on their networks
- Phishing alerts: notify customers of phishing attacks against their customers

55 Information
- Virus descriptions
- Statistics: Top 10 malware; “The Dirty Dozen” top spamming countries
- Background information for marketing and journalists
- Education, research and whitepapers

56 Inside SophosLabs

57 Analysis Process (diagram)
1. Interception: malware, spam, phishing, PUA
2. Analysis (SophosLabs): classification, detection, removal, testing
3. Testing
4. Publication: customer update

58 E.g. New Trojan seeding campaign (timeline diagram: variants A, B, C; IDE updates)
- 1st variant received, analysed, IDE released
- 2nd variant received, analysed, IDE released
- Spotted trend, release generic (Gen/Fam)
- 3rd variant proactively detected

59 E.g. Research into Threats (diagram: samples A-L, IDE, generic G)
- Research: analyse a specific family, group, or class of malware
- Solution: release generic detection; implement new product feature/functionality
- Proactive protection: new malware using the same techniques is proactively blocked

60 New Technologies
- 2004 – Genotype technology: looking for genes in files
- 2006 – Potentially Unwanted Applications: recognising the ‘greyness’ of today’s world; giving users the choice
- 2006 – Behavioral Genotypes: looking for smaller genes (packing characteristics, access characteristics, compiler characteristics)

61 Looking forward

62 0wn3d
- Steal & compromise: more of the same
- Explore new avenues to steal/phish
- Legally harvest data! Volumes will increase
- “…records 'anonymous' information about the user's surfing habits and IP address etc. and sends it back to the ad companies so that they can customize ads according to your preferences.”

63 Genotype™ technology
- 1 signature per threat
- Extract “characteristics”
  - Performance
  - General: resources, HLL, PE structure, DLL/PE etc. …
  - Specific: encryption loop, API(s), embedded objects …
- Correlate: significant improvements in Gen detection
- Behavioural Genotype™: suspicious behaviours

64 Genotype™ (chart)
- Genotype detections (shown in yellow) increase
- Behavioural control: through gateway, on endpoints

65 Microsoft Vista
- User Account Control
  - Enforce standard user mode; elevate when required
  - Intrusive?
  - Installer Detection
    - Filename includes keywords like "install," "setup," "update," etc.
    - Keywords in the resource
    - Keywords in the side-by-side manifest embedded in the executable
    - Keywords in specific StringTable entries linked in the executable
    - Targeted sequences of bytes within the executable
- Firewall: outbound filtering

66 Microsoft Vista
- PatchGuard
  - Lock down kernel: “… patching kernel structures and code to manipulate kernel functionality …”
  - Lock out some vendors!
  - Already supported on x64 (Server 2003 SP1, XP 64-bit)
- Misc
  - IE7
  - Security Centre (improved monitoring, updates)
  - Address Space Layout Randomization (ASLR)
  - Application isolation
  - USB device blocking
  - Windows Defender

67 Summary

68 Summary
- Threat/Variant → Campaigns: professional, coordinated, persistent; huge volumes
- Balance protection, analysis & research
- Financial motivation widens scope
- Aggressive response: Genotype™, Behavioural Genotype™, Control

69 Questions

70 Thank you. US and Canada: 1-866-866-2802; UK and Worldwide: +44 1235 55 9933
