Open Malicious Source Symantec Security Response Kaoru Hayashi.


1 Open Malicious Source Symantec Security Response Kaoru Hayashi

2 Agenda
 What is Open Malicious Source
 Characteristics
 Protection
 Conclusion

3 What is Open Malicious Source
 Open Source qualities
  – Free redistribution
  – Ready access to source code
  – Modifiable by anyone
  – Designed for evolution
 For malicious purposes

4 For example…
 Beagle, Mydoom, Netsky and Sasser
  – Not open malicious source
  – Created by an author, a closed group, or individuals who can obtain the source code
 Gaobot, Randex and Spybot
  – Open malicious source
  – Source code is distributed widely
  – Updated / released by many

5 Is this topic new?
 NO, but …
 Programs developed from open malicious source are on the rise
 Impact is intensifying

6 Number of Submissions: Worms

7 Number of Submissions: Worms from open malicious source

8 Number of new variants: Worms

9 Number of new variants: Worms from open malicious source

10 Characteristics
 Easy to create
 Purpose-oriented
 Difficult to recognize

11 Characteristics: Easy to create
 Easy to obtain from the Internet
  – Whole project files
  – New code, samples, or tools
  – Free compiler
 No special knowledge, tool, or code required
 A wide range of people are creating their own bot

12 Characteristics: Easy to create Easy to obtain

13 Characteristics: Easy to create Sample: Spybot

14

15 Case: Spybot W32.Spybot.A
 Discovered on 2003/04/16
 Backdoor
  – Based on the “Sdbot” backdoor
  – Supports 22 commands including:
     Key logging
     Killing processes
     Stealing cached passwords
     DoS attacks
 Worm
  – Copies itself to the C$, ADMIN$, and IPC$ shares
  – Dictionary attack (17 keywords): 123456, admin, root, server….
  – Schedules a job to run the copy
Layers: Worm, Backdoor

16 Case: Spybot W32.Spybot.DNC
 Discovered on 2004/09/13 as the 3071st variant
 Backdoor
  – Supports over 90 commands including:
     Upload / Download / Execute files
     Run as HTTP server / SOCKS4 proxy
     Steal 42 game CD-KEYs
     Access CMD.exe
     Sniff packets
     Access Web Camera
Layers: Worm, Backdoor, Additional Code

17 Case: Spybot W32.Spybot.DNC
 Worm
  – Dictionary attack
     139 keywords per password
  – Uses other worms or Trojans
     Beagle, Mydoom, Optix, Sub7, NetDevil
Layers: Worm, Additional Code, Backdoor, Additional Code

18 Case: Spybot W32.Spybot.DNC
 Vulnerability Attack
  – MS01-059 (UPnP)
  – MS02-061 (SQL)
  – MS03-007 (WebDAV)
  – MS03-026 (DCOM RPC)
  – MS03-049 (Workstation)
  – MS04-011 (LSASS)
 Packed with Runtime Packer
Layers: Worm, Additional Code, Backdoor, Additional Code, Vulnerability Attack, Polymorphic / Packer

19 Case: Randex and Gaobot
W32.Randex (discovered on 2003/06/04)
Layers: Worm, Backdoor
W32.Gaobot (discovered on 2002/10/22)
Layers: Worm, Backdoor, Vulnerability Attack, Polymorphic / Packer
Over 1600 variants

20 Case: Randex, Gaobot and Spybot
 Now they look very similar
  – Backdoor layer usually based on “Sdbot”
  – Same code / concepts implemented in each layer
  – Further similar worms / backdoors exist, e.g. Kwbot, IRCBot
Layers (each of the three): Worm, Backdoor, Vulnerability Attack, Polymorphic / Packer

21 Characteristics: Easy to create – by a lot of people
May: Gaobot author arrested in Germany
May: Randex author arrested in Canada
June, July, August: New variants created

22 Characteristics: Purpose
 Not only for fun
  – Propagation
  – Proof of concept
 For profit
  – Information theft
  – System control
  – DDoS zombies
  – Financial gain

23 Characteristics: Purpose
 W32.Netsky.P@mm
  – Propagation
     Mass mailing
     P2P or share networks
  – Payload
     Removes Beagle, Mydoom, Deadhat, and Welchia worms
 W32.Gaobot.BIA
  – Propagation
     Dictionary attack
     Vulnerability attack
  – Payload
     Logs keystrokes
     Sniffs packets
     Steals CD-KEYs
     Steals cached passwords
     Obtains system / network information
     Gains full system control
     SOCKS proxy
     DDoS attack
     and more….

24 Characteristics: Difficult to recognize
 Slow and limited propagation
  – Differs from mass mailers, Blaster, and Code Red
  – Little public interest
 Automatic copy / execution on remote computers
  – By using a scheduler or by exploiting vulnerabilities
 Many new variants released over a short time period
  – Over 600 variants a month
 New variants are target-specific
  – You may be the only infected one, worldwide.
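The propagation pattern the Spybot case and this slide describe (a copy dropped onto an administrative share, then a scheduled job on the target to run it) is something a defender can correlate in host or share logs. The detection below is an added example, not part of the presentation; the log format, host names, addresses and file names are all constructed for it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not any real product's):
# <ISO timestamp> <event> src=<ip> dst=<host> <key>=<value>
SAMPLE_LOG = [
    r"2004-09-13T10:00:01 share_connect src=10.0.0.5 dst=FILESRV01 share=ADMIN$",
    r"2004-09-13T10:00:02 file_write src=10.0.0.5 dst=FILESRV01 path=ADMIN$\system32\bot_payload.exe",
    r"2004-09-13T10:00:04 job_create src=10.0.0.5 dst=FILESRV01 cmd=bot_payload.exe",
    r"2004-09-13T10:00:10 job_create src=10.0.0.7 dst=FILESRV03 cmd=cleanup.bat",
    r"2004-09-13T10:05:00 share_connect src=10.0.0.9 dst=FILESRV02 share=IPC$",
    r"2004-09-13T10:30:00 file_write src=10.0.0.9 dst=FILESRV02 path=C$\backup\report.doc",
    r"2004-09-13T14:30:00 job_create src=10.0.0.9 dst=FILESRV02 cmd=backup.bat",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) \w+=(?P<value>.*)$")
ADMIN_SHARES = {"C$", "ADMIN$"}  # shares the worm copies itself to (IPC$ carries no files)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def find_remote_exec_chains(lines, window_seconds=60):
    """Return (src, dst, path, cmd) for every job_create that follows, within
    window_seconds, a file_write to C$/ADMIN$ by the same source on the same host."""
    last_admin_write = {}  # (src, dst) -> (timestamp, written path)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        if ev["event"] == "file_write":
            share = ev["value"].split("\\", 1)[0]  # first path component is the share name
            if share in ADMIN_SHARES:
                last_admin_write[key] = (ev["ts"], ev["value"])
        elif ev["event"] == "job_create" and key in last_admin_write:
            wrote_at, path = last_admin_write[key]
            if ev["ts"] - wrote_at <= timedelta(seconds=window_seconds):
                alerts.append((ev["src"], ev["dst"], path, ev["value"]))
    return alerts

if __name__ == "__main__":
    for src, dst, path, cmd in find_remote_exec_chains(SAMPLE_LOG):
        print(f"ALERT {src} wrote {path} on {dst} and scheduled '{cmd}'")
```

The second source in the sample writes to C$ and schedules a job four hours later, so it is reported only when the window is widened; tune the window to what legitimate administration looks like on your network.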

25 How to stop
 Stopping the development of new threats is almost impossible
  – Source code is distributed widely
  – Authors are located around the globe
  – New code, samples, and tools are released every day

26 How to protect
 Anti-virus tools
  – Definitions, Heuristics, Behavior blocking ….
 Firewall
 IDS
 Patch management
 Password management
 Security policy
 Learning, Studying, Educating …
Nothing new, nothing special. But we know maintaining all of them is not easy.

27 Conclusion
 Malicious source is distributed widely
 A lot of people are creating their own bot
 Sharing source code results in more powerful threats
 Main purpose is profit
 No magic trick to secure protection

28 Thank You! Kaoru Hayashi kaoru_hayashi@Symantec.com
