Changes in the Threat Landscape

Beth Jones, SophosLabs, Dec 2006 (presentation transcript)

  1. Changes in the Threat Landscape. Beth Jones, SophosLabs, Dec 2006

  2. Outline
  • Overview of the current malware threat
  • Overview of the current spam threat
  • A more detailed look at the Threat Landscape
  • Threat Trends and Techniques
  • SophosLabs
  • Looking forward
  • Summary

  3. SophosLabs: Overview of the current malware threat

  4. Threat numbers
  • 3000 new malicious software threats per month
  • 300% rise in spam in May 2006

  5. Threat numbers

  6. The profile of a virus writer is changing...
  • Virus writers now have a financial motive (phishing, stealing confidential data, denial of service extortion attempts, spam)
  • More organized criminals see that viruses and Trojan horses can help them make money
  • They are less likely to make the mistake the “old school” virus writers made of needing to show off to their friends
  • Law enforcement coordination is required to stop international virus-writing gangs

  7. …from Headlines

  8. …to targeted attacks
  • Although large outbreaks make the headlines, there are also attacks targeted at specific sites or business rivals
  • Less likely to be noticed than a large outbreak
  • “Hacked to order” to steal information or resources
  • Large outbreaks typically target Windows PCs, but that is not necessarily so for targeted attacks

  9. Changing Threats
  • Most Trojans have spyware components
  • 140 Brazilian banking Trojans a day were seen during the summer of 2005
  • Total number of banker Trojans with individual IDs is 5500+
    • Troj/Bank* - 3818
    • Troj/Banc* - 1839
  • However, now that we have the Mal/Packer and Mal/Banc behavioural genotypes, there are probably many thousands more that we detect proactively
  • Similar trend with other spyware, e.g. Troj/Torpig-BJ

  10. Keeping out of the news
  • Don’t want to draw attention
  • Strong evidence that they ‘test’ first
  • Easier to steal from 200 than from 200,000
  • Specific targeted attacks
  • Easily deployed through spam
  • Drop malware either directly or from a website
  • Use a variety of techniques to ‘hide’ themselves
    • Self-updating
    • Packing techniques
  • Malware toolkits for sale

  11. SophosLabs: Overview of the current spam threat

  12. By Country Stats (charts)
  • Malware - Nov 2006
  • Based on ALL data
  • Spam Jul-Sep 2006

  13. Changing face of Spam
  • Increase in ‘Image Only’ spam
    • Widely used for stock ‘Pump and Dump’
    • Now being used for other types (Degree, Med etc.)
  • Shorter campaigns
    • URLs used in campaigns lasting just a few minutes
    • Avoid URI blocking technologies
  • Abuse free hosting services
    • Free page redirects to spammer’s site
  • Redirectors
    • TinyURL etc.
    • Free URL that again redirects, e.g. Kickme.to\spammer.it

  14. Spam Example
  • Stock ‘pump-and-dump’ campaigns
  • No URL
  • Image only
  • Small image changes introduced to get around checksums

  15. Image Spam Example

  16. The threat landscape is changing…

  17. A more detailed look at the Threat Landscape

  18. Facts & Figures
  • Dec 2005
    • 135 Alerts (4-5 per day)
    • 1138 Identities (1-2 every hour)
    • ~1000 we didn’t alert on (but added)
    • 68% Trojans
    • Doesn’t include the ones we detect proactively
    • >4000 Banker Trojans detected with just 4 Genotype\Family identities
  • May 2006
    • 84% Trojans

  19. Web infection – stage 1 (diagram labels: Workstations, Email seed-list, Email server, Gateway, SMTP, ISP, Attacker’s PC, Attacker’s web)

  20. Web infection – stage 2 (diagram labels: ISP, Workstations, Email server, Gateway, Attacker’s PC, Attacker’s web)

  21. Backdoor Trojans
  • Client/Server (SubSeven): attacker uses a dedicated client program
  • IRC (Rbot): attacker uses a standard IRC client
  • Web (Bugbear): attacker uses an internet browser

  22. Bots
  • Bot (Zombie, Drone)
    • A piece of code developed to emulate human behaviour on a network; in computer security the term describes network-spreading threats with a payload that allows a remote attacker to control resources owned by the infected machine
    • Control most frequently over IRC (TCP port 6667 by default)

  23. Definitions
  • Botnet (Zombie army)
    • A group of bots controlled by a single originator/hacker
    • The botnet owner usually sets up an IRC server that allows authenticated access for specific IRC bot clients bundled with network-spreading worms
    • Botnet server often connected with other IRC botnet servers

  24. Botnets (diagram labels: Botnet 1, Botnet 2, Botnet originator (owner), Botnet user (customer), $)

  25. Rootkits
  • A rootkit is a set of tools (programs, utilities) used by an attacker in order to maintain access to a compromised system without his activity being detected by the system administrator
  • Rootkits act by denying the listing of certain elements like processes, files, registry entries and TCP ports, falsely improving the user’s confidence that the machine has not been compromised

  26. Normal system (diagram labels: Application, System, Disk)

  27. Rootkit installed (diagram labels: Application, Rootkit, System, Disk)

  28. Threat Trends

  29. Changes in techniques
  • Malware authors are using newer or different tactics to try and maintain their element of surprise
  • Techniques include
    • Obfuscation techniques
    • Packers/wrappers
    • Exploits

  30. Obfuscation techniques
  • Packing: aggressive development of packers & cryptors
  • Junk data/code: added to make analysis more difficult
  • Code Injection: masquerade as another process; bypass local security (client firewall)
  • Persistence: twinning procedures

  31. Obfuscation – Code Injection
  • Masquerade as another process
  • Bypass local security (client firewall)
  • Change XOR key: 255 “variants” (^0x1b), Troj/Dloadr-AMQ (Sep 2006)
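Why a one-byte XOR key change produces 255 hash-distinct "variants" of the same body, and how a detector can match the body under any key rather than the packed bytes. This is an added example, not code from the Sophos deck; the body, marker string and keys are constructed for the demo.

```python
# Added example, not from the Sophos deck: a one-byte XOR "key change"
# yields 255 hash-distinct variants of one body; the detector below recovers
# the key instead of matching packed bytes. Body, marker and keys are
# constructed for this demo.

from typing import Optional

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores data."""
    return bytes(b ^ key for b in data)

# Constructed stand-in for a downloader body: strings an analyst would see in
# the clear before the author wrapped it.
PLAIN_BODY = (b"MZ\x90\x00" + b"\x00" * 8
              + b"http://downloader.example.invalid/update.exe"
              + b"\x00" * 8 + b"URLDownloadToFileA\x00")
MARKER = b"URLDownloadToFileA"

def make_variants(body: bytes, keys) -> dict:
    """One packed 'variant' per key: same code, different file hash."""
    return {k: xor_bytes(body, k) for k in keys}

def find_xor_key(sample: bytes, marker: bytes = MARKER) -> Optional[int]:
    """Try every non-zero single-byte key and return the one under which the
    known-plaintext marker appears, or None. Key 0 is the unpacked case and
    is checked by the caller."""
    for k in range(1, 256):
        if marker in xor_bytes(sample, k):
            return k
    return None

def detect(sample: bytes, marker: bytes = MARKER) -> bool:
    """Key-independent match: marker in the clear or under any XOR key."""
    return marker in sample or find_xor_key(sample, marker) is not None

if __name__ == "__main__":
    for k, packed in make_variants(PLAIN_BODY, [0x1b, 0x55, 0xff]).items():
        print(f"key 0x{k:02x}: recovered key 0x{find_xor_key(packed):02x}")
```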

  32. Obfuscation – Code Injection
  • Browser Helper Objects (BHO)
    • Code “injection”? (well, silent loading at least)
    • Core of adware applications
    • (video: cimuz.avi)
  • BHO – sniff HTTP traffic
    • Often used in banking Trojans

  33. Obfuscation – Persistence
  • Payloads to maintain persistence, e.g.:
    • Process termination
    • Process “twinning”
    • (video: zlob-twin.avi)

  34. Exploit Usage
  • WebAttacker (demo: wa-banker.avi)
  • OS & browser
    • IRC bots: LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007)
    • Troj/Animoo
    • Exp/WMF
    • ADODB (Psyme)

  35. Troj/Tibs (diagram labels: Obfuscated JS, Exp/WMF, Exp/CodeBase, WebViewFolderIcon, ADODB Stream, Exp/Ani)

  36. Full Circle! (diagram: infection chain)
  • Sites: http://frekasele.info, http://west-best.info, http://ariec.org
  • Guru/JSShell → Troj/Tibs → Daxctle → Dload-AQE → Tool888 PUA → Dload (Mal/Packer) → Troj/LDPinch → Dload (inj DLL) → Backdoor → http://www.perfectcodec.com (registered 13th Nov) → Troj/Zlob!!!
  • Webroot: hardcore porn, “Require new Codec to view movie”

  37. Troj/LDPinch
  • Password stealer, 2004-6, very active
  • HTTP POST (Base64): OS, process list, SMTP cfg, MAPI and POP3 credentials, … …

  38. ADODB - Psyme
  • “Utility” script
    • Used in many campaigns
    • Downloaders, backdoors etc.
  • Key part of infection mechanism
    • Spam URI to ADODB exploit

  39. Troj/Proxy-EN
  • Installs stealthing proxy Trojan (via dropper)
  • PE: %sysdir%\protector.exe
  • SYS: HKLM\SYSTEM\CurrentControlSet\Services\ntio256
    ImagePath = \??\C:\WINDOWS\System32\ntio256.sys
    DisplayName = "Input and output operations"
  • Device name? \\.\poofpoof
  • IOControlCodes (3):
    • 0x220400 - registry
    • 0x220404 - files
    • 0x22040c - process
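The three IOCTL codes on the slide decomposed into the CTL_CODE fields a Windows driver uses, so the device type, function number, buffering method and access requirement can be read off directly. This is an added example, not from the Sophos deck; the field layout and the reserved function-number range are Microsoft's documented conventions, and the role labels come from the slide.

```python
# Added example, not from the Sophos deck: decompose the IOCTL codes listed
# for the ntio256.sys driver into their CTL_CODE fields. The layout and the
# 0x800+ vendor range follow Microsoft's documentation; role labels are
# from the slide.

FILE_DEVICE_UNKNOWN = 0x22
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Codes and roles exactly as listed on the slide for Troj/Proxy-EN.
PROXY_EN_IOCTLS = {0x220400: "registry", 0x220404: "files", 0x22040c: "process"}

def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE macro: (DeviceType<<16)|(Access<<14)|(Function<<2)|Method."""
    return (device_type << 16) | (access << 14) | (function << 2) | method

def decode_ioctl(code: int) -> dict:
    """Invert ctl_code() by masking out each field."""
    return {"device_type": (code >> 16) & 0xFFFF,
            "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF,
            "method": code & 0x3}

def describe(code: int, role: str) -> str:
    """One-line human-readable breakdown of an IOCTL code."""
    f = decode_ioctl(code)
    # Function numbers 0x800-0xFFF are set aside for third-party drivers;
    # lower numbers on a FILE_DEVICE_UNKNOWN device are worth a second look.
    rng = "vendor range" if f["function"] >= 0x800 else "reserved range"
    dev = ("FILE_DEVICE_UNKNOWN" if f["device_type"] == FILE_DEVICE_UNKNOWN
           else f"device 0x{f['device_type']:x}")
    return (f"0x{code:06x} ({role}): {dev}, function 0x{f['function']:x} "
            f"({rng}), {METHODS[f['method']]}, {ACCESS[f['access']]}")

def decode_all(table: dict = PROXY_EN_IOCTLS) -> list:
    """Describe every code in the table (defaults to the slide's three)."""
    return [describe(c, r) for c, r in table.items()]

if __name__ == "__main__":
    print("\n".join(decode_all()))
```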

  40. Obfuscated JavaScripts
  • Simple
  • “Kits” available
  • Not indicative of malicious intent
  • But certainly suggestive!
  • Various mechanisms
    • Char substitution
    • Unescape
    • StrReverse
    • … …
  • Emulate?
    • Performance considerations
  Sample from the slide (truncated as shown):
    shellcode = unescape("%u4343"+"%u4343"+"%u4343" +
      "%ua3e9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c" +
      "%u1c70%u8bad%u0868%uf78b%u046a%ue859%u0043%u0000" +
      "%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u9516" +
      "%u2ee8%u0000%u8300%u20ec%udc8b%u206a%uff53%u0456" +
    function decrypt_p(x){
      var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
          t=Array(63,58,12,54,53,10,24,87,45,56,12 …);
      for(j=Math.ceil(l/b); j>0;j--){
        r='';
        for(i=Math.min(l,b);i>0;i--,l--){
          w|=(t[x.charCodeAt(p++)-48])<<s;
          if(s){r+=String.fromCharCode(165^w&255); w>>=8;s-=2}else{s=6}
        }
        document.write(r)
      }
    }
    decrypt_p("WsuvPNgVPF@s3JX4jLixWtNtKj ...")
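What unescape("%u...") conceals, and two cheap static checks that avoid emulating the script: each %uXXXX escape is one UTF-16 code unit stored little-endian, so decoding the escapes yields the exact bytes the payload would occupy in memory, and counting the constructs the slide lists gives a triage score that is "suggestive, not proof". This is an added example, not code from the Sophos deck; the escape string is the start of the one on the slide, while the marker list and the two demo scripts are constructed here.

```python
# Added example, not from the Sophos deck: decode JS %uXXXX / %XX escapes into
# the bytes they place in memory (UTF-16 code units, little-endian) and score
# the obfuscation constructs the slide lists. The escape string is the start
# of the slide's; the marker list and demo scripts are constructed.

import re

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def unescape_to_bytes(s: str) -> bytes:
    """Decode the escapes in a JS string literal into raw payload bytes."""
    out = bytearray()
    for u16, u8 in ESCAPE_RE.findall(s):
        if u16:
            out += int(u16, 16).to_bytes(2, "little")
        else:
            out.append(int(u8, 16))
    return bytes(out)

def longest_byte_run(data: bytes) -> tuple:
    """(length, byte) of the longest run of one repeated byte: a crude sled
    indicator, since sprayed payloads usually open with padding."""
    best, cur, prev = (0, None), 0, None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        if cur > best[0]:
            best = (cur, b)
    return best

# The constructs the slide lists as "suggestive, not proof" of malice.
OBFUSCATION_MARKERS = [r"unescape\s*\(", r"String\.fromCharCode",
                       r"charCodeAt", r"\.reverse\(\)|StrReverse",
                       r"document\.write\s*\(", r"%u[0-9A-Fa-f]{4}"]

def obfuscation_score(script: str) -> int:
    """Number of distinct marker constructs present; use for triage only."""
    return sum(1 for m in OBFUSCATION_MARKERS if re.search(m, script))

# First three lines of the escape string shown on the slide.
SLIDE_ESCAPES = ("%u4343%u4343%u4343"
                 "%ua3e9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c"
                 "%u1c70%u8bad%u0868%uf78b%u046a%ue859%u0043%u0000")
# Constructed script body echoing the slide's decrypt_p() pattern.
SLIDE_LIKE_SCRIPT = ('shellcode = unescape("' + SLIDE_ESCAPES + '");\n'
                     'function d(x){var r="";r+=String.fromCharCode('
                     '165^x.charCodeAt(0)&255);document.write(r)}')
BENIGN_SCRIPT = 'document.getElementById("msg").innerHTML = "hello";'
```

Running unescape_to_bytes(SLIDE_ESCAPES) gives 38 bytes whose longest run is six 0x43 bytes at the front, and obfuscation_score() returns 5 for SLIDE_LIKE_SCRIPT against 0 for BENIGN_SCRIPT.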

  41. Targeted Attacks
  • Exp/1Table (incl. MS06-027)
    • Malformed Word documents
    • Drop various backdoor & PWS Trojans
  • Exp/MS06-048
    • Malformed PowerPoint presentations
    • CVE-2006-3590
    • Drop Troj/Bifrose backdoor
  • Eastern origin, politically themed

  42. Games
  • MMORPGs: massively multiplayer online role-playing games
  • Financial scope
    • Young demographic
    • Real value (Lineage: >4m subscribers)
  • Phishing (since ~2002)
  • Trojans (since ~2003)
    • W32/PrsKey-A (Oct 2005): “Priston’s Tale” keylogger, Yahoo! email
    • W32/Looked (2005-6): “Lineage” & “WoW”; prepender, pws, keylogger

  43. Games
  • Mechanism?
    • Steal login credentials
    • Transfer items/goods within game
    • Sell for real cash
    • Banned by game manufacturers
  • Cleric $200+, Priest $355+

  44. Games
  • Denial of Service: Second Life, ‘Grey Goo’
  • Next step?
    • Spyware (EULA)
    • API advancements

  45. SophosLabs

  46. Who are SophosLabs?

  47. Who are SophosLabs?
  • A global group within Sophos engineering
  • 53 people
  • In 4 countries

  48. Global labs

  49. What do SophosLabs do?

  50. What do SophosLabs do? Protect Sophos customers 24/7
