790 likes | 945 Views
Attacking Windows Stack and How to Protect against These Attacks. Graham Calladine, David Hoyle Security Center of Excellence Microsoft Session Code: SIA313 . Session Objectives & Takeaways . To learn and understand: Current Attack Trends that Microsoft is seeing Attack Vectors
E N D
Attacking Windows Stack and How to Protect against These Attacks Graham Calladine, David Hoyle Security Center of Excellence Microsoft Session Code: SIA313
Session Objectives & Takeaways • To learn and understand: • Current Attack Trends that Microsoft is seeing • Attack Vectors • Mitigation Strategies with Windows Products
10 Years… • We have come a long way since Melissa • 2003-2004 difficult times • Blaster/Slammer – Was horrible – Hit Home Users hard • Conficker emerged in a different s/w industry – Did not hit home users hard • Partnerships • MS Response Alliance & Internet Consortium for Advanced Security on the Internet & CWG
WW Threat Trends • Not a simple trend – Geographically Diverse • Miscellaneous Trojans (inc rouge s/w) most prevalent • WORMS 2nd most prevalent • Password Stealers & Monitoring tools • Breaches – Data Scarce – (datalossdb.org) • Top is stolen equipment, twice as many incidents as intrusion • But equipment loss is easily reported! Data: Microsoft SIR v7 Report
Geographical Trends • 8 Locations with most infected machines • USA,UK,France,Italy – Trojans • China, language specific browser threats • Brazil, malware targeting online banking • Spain, Korea, WORMS targeting online gamers Data Source: SIR V7 Report Pg 40
Threat Landscape is getting better? • Improvement in Software Development Practice • Software Development Lifecycle (SDL) • Geoff 1min Video • Increased Availability of Automatic Patch Update Process • Patch Tuesday and Auto Updates • However, unpatched client is primary initial infection vector • Social engineering techniques to mislead Victims • Attacker still finds success with a variety of techniques for manipulating people
SANS Analysis • The Top Cyber Security Risks” 2009 September • Application Vulnerabilities Exceed OS Vulnerabilities • Web Application Attacks • Cross Site Scripting, PHPFile Include, and SQL Injection • Windows: • Conficker/Downadup Cited from SANS “The Top Cyber Security Risks” 2009 September, http://www.sans.org/top-cyber-security-risks/
Attackers use social engineering techniques – Human Emotion FEAR I want: Protection I got: Rogue Software Desire I wanWebSurfing, Free Stuff Games, etc I got: fake contents, malicious downloads, etc Trust I want: Online Banking, Email, Social Networking etc. I got: Banking Malware, Phishing, Spam, and File Format Infections, etc. Microsoft Security Intelligence Report, 2008 July through December 2008
Attack Vectors and Trends • Current attacks in the wild • Rogue Security Software and Worm • Browser Based Attacks • Phishing • Cross Site Scripting • Clickjacking • File Format Attacks
Attack Vectors and Trends • Rogue Security Software and Worms • Browser Based Attacks • File Format Attack
Rogue Unwanted Software Win32/Renos Win32/FakeXPA
Rogue Security Software 1 • Use Fear to convince victims • Win32/Renos Family
Rogue Security Software 2 • Use the same logic • Win32/FakeXPA Family
A Rogue Software Real Sample http://blogs.technet.com/mmpc/archive/2009/08/20/winwebsec-on-youtube.aspx • Use your Desire There is no security issue or vulnerability in YouTube.com.
Rogue Software • Win32/FakeVimes and Win32/PrivacyCenter have become more prevalent in the last 2 months • Distributed via fake online scanners
Worms: Win32/Conficker.A to E • Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE) • On October 23, 2008, Microsoft released critical security update MS08-067 • Allow remote code execution if an affected system received a specially crafted Remote Procedure Call (RPC) request • On November 21, 2008, the first significant worm that exploits MS08-067 was discovered • The first variant discovered, Worm:Win32/Conficker.A, only uses MS08-067 exploits to propagate • On December 29 2008, a significantly more dangerous variant, Win32/Conficker.B, was discovered • Exploits the MS08-067 vulnerability but uses additional methods to propagate.It attempts to spread itself to other computers on the network • Combining the vulnerability with social engineering to introduce and spread the worm in an organization • Continues… http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker
Social Engineering by e-mailing infected files with official-sounding names to people at a company like “Corporate Policy.PDF”
Worms: Win32/Conficker.A to E • Release D, monitors 500/50,000 domain names/day for payloads… • Still is • Conficker Working Group (CWG) formed Jan09 • Many people from well know sec groups/researchers • Implemented defense DNS strategy • Kaspersky & OpenDNS – calc’ed 1Y of names • All 110 TLDs involved & signed up • Rapid, effective collaboration – keeps Confickerconstrained
Published Articles for Conficker • Knowledge Base article • KB962007 • MMPC blog (http://blogs.technet.com/mmpc) • Get Protected, Now! (October 23, 2008) • A Quick Update About MS08-067 Exploits (November 17, 2008) • Just in Time for New Year’s… (December 31, 2008) • MSRA Released Today Addressing Conficker and Banload(January 13, 2009) • Centralized Information About the Conficker Worm (January 22, 2009) • Information about Worm:Win32/Conficker.D(March 27, 2009)
Mitigations • Get the latest computer updates • Install and update anti-malware signatures • Run an up-to-date scanning and removal tool • Use caution with attachments and file transfers • Use caution when clicking on links to web pages • Standard user rights • Protect yourself from social engineering attacks • User Security Best Practices such as strong Password Policy • Keep eye on vulnerabilities and follow the guideline from the trusted source • Use recent technologies and systems that can reduce the risk on exploiting
Attack Vectors and Trends • Rogue Security Software and worms • Browser BasedAttacks • File Format Attack
Browser Based Attacks • Phishing • Cross Site Scripting • ClickJacking
Browser Based Attacks • Phishing • Cross Site Scripting • ClickJacking
Phishing: Overview • Phishing is a method of identity theft that tricks Internet users into revealing personal or financial information online.
Phishing Scam Samples • Social engineering techniques • “Verify your account” • “If you don't respond within 48 hours, your account will be closed” • “Dear Valued Customer” • “Click the link below to gain access to your account”
Spear Phishing and Whaling • Spear phishing - highly targeted phishing • Send email messages that appear genuine to all employees and members within a community • Whaling - involves targeted attacks on senior executives and other high ranking people
Phishing Trends in Industry • APWG: Anti Phishing Working Group Report, 2009 1H http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
Phish Tank: Current Phish Sites • Live Phish site can be found http://www.phishtank.com/
Phishing with Hotmail • Illegally acquired by a phishing scheme and exposed to a website • Microsoft Recommends: • Renew their passwords for Windows Live IDs every 90 days • For administrators, make sure you approve and authenticate only users that you know and can verify credentials • As phishing sites can also pose additional threats, install and keep anti-virus software up to date
Techniques • Man-in-the-middle attacks • Proxies, • DNS Cache Poisoning, etc • URL Obfuscation attacks • Bad Domain Name, • Friendly Login URL’s, • Host Name/URL Obfuscation, etc • Etc…
demo Anti-Phishing IE 8 SmartScreen
Mitigations • Use an up-to-date anti-malware product from a known, trusted source, and keep it updated. • Use the most recent version of your Web browser, and keep it up to date by applying security updates and service packs in a timely fashion. • Use a robust spam filter to guard against fraudulent and dangerous e-mail. • You can add sites you trust to the Trusted Sites zone with more than middle security level. • Follow the guidance to take actions • http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx
Browser Based Attacks • Phishing • Cross Site Scripting • ClickJacking
Cross Site Scripting: Overview • Cross-Site Scripting (XSS): Occurs whenever an application reads user data, and embeds that user data in Web responses without encoding or validating the user data • Common vulnerabilities that make Web-based applications susceptible to cross-site scripting attacks: • Improper input validation • Failing to encode output • Trusting data from shared resources
Cross Site Scripting in News • October 2005 MySpace “Samy” worm • February 2006 Facebook • June 2008 Yahoo Mail • December 2008 American Express • April 2009 Twitter http://twittercism.com/remove-stalkdaily/
Types of Cross-Site Scripting • Two major types of cross-site scripting attacks: • Type 1: Non-Persistent • Often referred to as reflected cross-site scripting • Requires some level of social engineering • Type 2: Persistent • Stored cross-site scripting • One attack can affect multiple users • Type 0: DOM-Based
Type 1: Non-PersistentCross-Site Scripting <html> <head> <title>Hello</title> </head> <body> [malicious code] </body> … Web Server Congratulations! You won a prize, please click hereto claim your prize! http://www.contoso.com? id=[malicious code] Malicious User User
Type 2: PersistentCross-Site Scripting Database Web Server Blog Comment: Hello, this article was helpful! [malicious code] Thanks, Kevin Blog Comment: Hello, this article was helpful! [malicious code] Thanks, Kevin Malicious User User User User
Mitigation Strategies • Server Sides • Validate all untrusted input • Encode any Web response data that could contain user or other untrusted input • Use built-in ASP.NET protection via the ValidateRequest option • Use the System.Web.HttpCookie.HttpOnly property • Use the <frame>, <iframe> IE6 and above security attribute • Use the Microsoft Anti-Cross Site Scripting Library (AntiXSS)
Microsoft Anti-Cross Site Scripting Library V3.1 • New features • An expanded white list that supports more languages • Performance improvements • Performance data sheets (in the online help) • Support for Shift_JIS encoding for mobile browsers • A sample application • Security Runtime Engine (SRE) HTTP module
Security Runtime Engine (SRE) HTTP moduleIdeally, you do not need to change your code! In your yourweb.config, <httpModules> <addname="AntiXssModule" type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/> </httpModules> In antixssmodule.config, <ControlEncodingContexts> <ControlEncodingContextFullClassName="System.Web.UI.Page"PropertyName="Title"EncodingContext="Html" /> <ControlEncodingContextFullClassName="System.Web.UI.WebControls.Label" PropertyName="Text"EncodingContext="Html" /> <ControlEncodingContextFullClassName="System.Web.UI.WebControls.CheckBox"PropertyName="Text"EncodingContext="Html" /> </ControlEncodingContexts>
demo Anti-Cross Site Scripting in Action Microsoft Anti-Cross Site Scripting Library V3.1
Mitigation Strategies • Client Sides • IE8 XSS Filter
demo Anti-Cross Site Scripting in Action IE8 XSS Filter with Microsoft Application Compatibility Tool Kit
Browser Based Attacks • Phishing • Cross Site Scripting • ClickJacking
ClickJacking: Overview • Clickjacking is : • an attack that tricks the victim into initiating commands on a website that they did not intend. • Use iframes and web page layers in DHTML such that you overlay a potentially malicious button (for example) on top of an existing legitimate web page.
A ClickJacking Example • Suppose that a hacker site has the following source code…
Mitigation • Use FrameBreaker Script • <script>if (top!=self) top.location.href=self.location.href</script> • Use X-Frame-Options Header for IE8 • HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed • The OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame • Add X-FRAME-OPTIONS and Deny to HTTP Response Headers using IIS Manager, • In html, insert <meta http-equiv="X-FRAME-OPTIONS" content="DENY" /> in <head> section, or • Using ASP.Net, you can insert Response.AddHeader("X-Frame-Options", "Deny”).