Presentation is loading. Please wait.

Presentation is loading. Please wait.

Contains VeriSign Confidential and Proprietary Information Recent Threat Trends and a Look Ahead Buck Watia iDefense Security Intelligence Operations.

Similar presentations


Presentation on theme: "Contains VeriSign Confidential and Proprietary Information Recent Threat Trends and a Look Ahead Buck Watia iDefense Security Intelligence Operations."— Presentation transcript:

1 Contains VeriSign Confidential and Proprietary Information Recent Threat Trends and a Look Ahead Buck Watia iDefense Security Intelligence Operations

2 2 Contains VeriSign Confidential and Proprietary Information Presentation Agenda I.Today’s Threat Environment II.Progression of Threat Motives & Impact I. A Look Back II. Current & Future Trends, Motivations III.Recent Malicious Activity I. Statistics II. Notable Malcode IV.Where Do We Go From Here? I. Threats in Context

3 3 Contains VeriSign Confidential and Proprietary Information Today’s Threat Environment + Enterprise Environment is Increasingly Complex ▪ Critical System Explosion ▪ Asset Criticality isn’t Enough to Prioritize ▪ Increase in Vulnerabilities ▪ Constant Updates and Patches + Sophistication of Threats ▪ Increasingly Advanced Malicious Code ▪ Increase in Communication/Teamwork Among Hackers ▪ Time to Exploitation Drastically Reduced ▪ Stealth Attacks

4 4 Contains VeriSign Confidential and Proprietary Information Progression of Motives & Impact Year of the Worm ▪ Notoriety ▪ Dawn of code for cash ▪ MSFT Bounty program established Worm War & Criminal Code ▪ Bounty program curbs notoriety actors ▪ Bounty program hardens criminal gain actors ▪ Hundreds of variants, source code releases Year of the Bot & Ad/Spyware ▪ Criminalization and commoditization well developed ▪ Target Attacks: Espionage and hacker for hire quickly escalating Threat of the Unknown: Stealth for Survival ▪ Increase in innovation, organization and sophistication ▪ Targeted attacks to defeat specific authentication protection NASA.GOV

5 5 Contains VeriSign Confidential and Proprietary Information Creating Code for Cash Millions of Stolen Credit Cards Money Mules Stolen CD Keys Extortion Phishing & Pharming Industrial Espionage Hackers for Hire Millions of Stolen Account Credentials - Fedex Account #! Ad/Spyware

6 6 Contains VeriSign Confidential and Proprietary Information 2005: Vulnerability Activity + 2,954 unique vulnerability reports + 13,550 re-versioned reports new exploits Source: VeriSign iDefense Vulnerability Team

7 7 Contains VeriSign Confidential and Proprietary Information Exploitation Frameworks + Metasploit Framework ▪ Open-source project created in mid-2003 by H.D. Moore ▪ Created for pen-testing and research; a free alternative to others ▪ Widely used by hacking community since it is free + CANVAS ▪ Offered by Immunity Inc., started by Dave Aitel in 2002 ▪ Aimed at promoting exploit development and providing a penetration testing platform + Core Impact ▪ Core Impact was developed by CORE Security Technologies in 1996 ▪ Dubbed as the first fully automated penetration testing product ▪ Expensive product used mainly by corporations

8 8 Contains VeriSign Confidential and Proprietary Information 2005: Top Exploited Vulnerabilities # of CodesVulnerability Exploited 1,357LSASS 526WebDAV 469Cumulative Update for Microsoft RPC/DCOM 404Microsoft ASN.1 BERDecBitString() Buffer Overflow 368Workstation vulnerability 357Microsoft Plug-and-Play Buffer Overflow 220Microsoft Windows DCERPC DCOM Heap Overflow 216UPnP 172SQL Server 113IIS5 SSL DoS vulnerability **Multiple other Microsoft vulnerabilities exploited to a lesser degree

9 9 Contains VeriSign Confidential and Proprietary Information 2005: Malcode Activity Source: VeriSign iDefense Malcode Team

10 10 Contains VeriSign Confidential and Proprietary Information Notable Attacks and Vectors + MS05-039/Zotob + Google Adword Attack + DNS Poisoning + WMF File Format Vulnerability + Metafisher

11 11 Contains VeriSign Confidential and Proprietary Information MS Zotob + Zero Day Exploit ▪ MSFT Discloses Vulnerability – August 9 th ▪ Public exploits Released –August 11th ▪ More exploits released including one by HOD – August 12th + Why is PNP/ZoTob Important ▪ Speed of attack ▪ Intel gathering and analysis is key ▪ Actors are important and threat is critical

12 12 Contains VeriSign Confidential and Proprietary Information Innovation: Google Adwords Attack

13 13 Contains VeriSign Confidential and Proprietary Information Operations: Organized Criminal Groups Earn thousands of dollars with a part time job at work – apply today! Private Financial Receiver Money Transfer Agent Country Representative Shipping Manager Financial Manager Sales Manager Sales Representative Secondary Highly Paid Job Client Manager

14 14 Contains VeriSign Confidential and Proprietary Information Sophistication: DNS Cache Poisoning + 2,000 or more DNS servers poisoned after hacked through AWStats/Other vectors + Over 17 families of code, upwards of 20 MB of files, and 45+ malicious files silently installed + Mostly adware, spyware, Trojans, and fraud identified as the primary focus of attacks + Long term success, not being easily identified or mitigated

15 15 Contains VeriSign Confidential and Proprietary Information.WMF File Format Vulnerability + Graphic File Format + No User Interaction Necessary + Originally Developed to Promote a “Pump and Dump” Stock + Originally Downplayed by MSFT ▪ Came out with out of cycle patch 4 days before Patch Tuesday + Still being Exploited Today by Several Codes Including Metafisher

16 16 Contains VeriSign Confidential and Proprietary Information Metafisher – Sophisticated Phishing Attacks + A Highly Sophisticated Bot for Financial Fraud ▪ The IceBerg threat – Under the radar for months – Encryption cracked ▪ Web-based command-and-control server – Large numbers of Bots ▪ professionally built – suite of tools – user-friendly administration interface ▪ Professional software lifecycle management comparable to many professional software products

17 17 Contains VeriSign Confidential and Proprietary Information

18 18 Contains VeriSign Confidential and Proprietary Information Metafisher – Known Attack Structures to Date

19 19 Contains VeriSign Confidential and Proprietary Information Metafisher – PHP Configured Bots

20 20 Contains VeriSign Confidential and Proprietary Information Metafisher – Searchable Stolen Log Files

21 21 Contains VeriSign Confidential and Proprietary Information Metafisher – Form.txt – Keylogger and Phished Data

22 22 Contains VeriSign Confidential and Proprietary Information BrizTrojan Targets US Banks + Briz Trojan Family ▪ Not new, family has been around for several months ▪ Targets Argentina, Australia, France, Germany, Spain, and US ▪ Banks in the US: Bank of America, wellsFargo + Sophisticated Attack ▪ BHOs combine to make complex credential stealing unit ▪ Downloads configuration files to inject HTML and JavaScript into pages to steal credentials that otherwise would not be requested ▪ Screenshots taken on every initial page load and at each mouse click ▪ Logged data is stored with time stamps to determine user usage profiles to trick anti fraud devices ▪ Trojan injected verification questions after a successful login ▪ Challenges banks customized authentication systems + US Banks were not previously a threat to sophisticated financial attacks ▪ Increasing Trend ▪ Intelligence, Sophistication, Custom code injection ▪ Similar path as MetaPhisher ▪ Used in combination with money mule operations to move money to off shore accounts

23 23 Contains VeriSign Confidential and Proprietary Information Browser Helper Object Home User Spammed links via fake windows update sites/porn Installs BHO in IE Initial Compromise + Trojan can take on multiple layer authentication systems + i.e. Site Key- BOA + Steals all forms + Injects custom code for targeted attacks against specific banks + Trojan can take on multiple layer authentication systems + i.e. Site Key- BOA + Steals all forms + Injects custom code for targeted attacks against specific banks

24 24 Contains VeriSign Confidential and Proprietary Information Biz Trojan Home User US Banking Servers Installs BHO Downloads Javascript to inject SSL verified pages Screen Shots Taken, Data Logged and saved Initial Compromise Command and Control Servers

25 25 Contains VeriSign Confidential and Proprietary Information SNATCH: Russian Advanced Banking Malcode + Sophisticated malicious code targeting financial services + Created by Russian SE-Code’s #Rock group + Sophisticated threat similar to Metaphisher and Briz Trojans

26 26 Contains VeriSign Confidential and Proprietary Information SNATCH: Russian Advanced Banking Malcode + Targets European and American transactions + Grabs: ▪ SSL Forms and Logs ▪ E-gold, ebay, paypal, Casino accounts, bank accounts ▪ TANs ▪ ITANS + Search Engine ▪ Spoofs queries to redirect users to sites of its choice + Currently being sold for profit as a sophisticated tool for financial gain, here is the pricing ▪ Enhanced Builder Version for $600. – AV Updates for $50 to get around all new anti-virus engine builds to extend the life of the product

27 27 Contains VeriSign Confidential and Proprietary Information Threat Context is King: MS & MS MS (UPnP) + Unprecedented Underground Activity and Chatter + Public exploit code in 2 days + Rooters and bots within 5 days + Leading bot author, Diabl0, releases first bot on day 5, ZoTob.A. + Workarounds and Emergency Patch Procedures Implemented MS (MSDTC and COM+) + No Underground Activity or Chatter + Privately Traded Exploit Code ▪ Not in the hands of known actors. Not in the wild. + No Functional Malicious Code in the Wild + Deploy MS at normal speed (ID# ). + Do Not Go into Emergency Patch Procedures

28 28 Contains VeriSign Confidential and Proprietary Information Threats in Context + Vulnerabilities ▪ Is this a real threat to my critical systems? ▪ Example: What exactly is vulnerable to MS WMF exploitation? + Malicious Code & Exploit Code ▪ Is there malicious code or exploit code in the wild? ▪ Is it public or private? ▪ Is it limited to a specific operating system or application? ▪ Is it highly functional or only work part of the time? + Threat Environment ▪ Where did the malicious code come from? ▪ What actors or groups are responsible? ▪ Is there underground chatter? ▪ Is the exploit code being traded or sold?

29 29 Contains VeriSign Confidential and Proprietary Information iDefense Background + The Leading Security Intelligence Research Team ▪ iDefense provides pro-active notification of impending threats, including vulnerabilities and malicious code + Industry-Leading Services Offerings ▪ Intelligence is all the iDefense team does ▪ Completely vendor-agnostic + Marquee Customer and Partner Base ▪ Government, financial services, insurance, healthcare, retail ▪ Security software and services + 5 Experienced Intelligence Teams ▪ VAT, Labs, Malcode, RRT, Threat + Actively Gathering Cyber Intelligence Since 1998

30 Contains VeriSign Confidential and Proprietary Information Thank you If you have any questions regarding this presentation please contact Buck Watia at


Download ppt "Contains VeriSign Confidential and Proprietary Information Recent Threat Trends and a Look Ahead Buck Watia iDefense Security Intelligence Operations."

Similar presentations


Ads by Google