
The SANS Internet Storm Center Workings, observations, and trends



Presentation Transcript


  1. The SANS Internet Storm Center Workings, observations, and trends Jim Clausing, Internet Storm Center Handler

  2. Outline • The SANS Internet Storm Center • Global Collaborative Incident Handling • Case study – WMF • Case study – VML • Case study – Poebot • Current Threats • Contribute! • Q & A

  3. Handlers on duty...

  4. History • SANS Institute – 1979 • GIAC (Global Incident Analysis Center) – 1999, mailing list to watch Y2K. The initials have since been taken over by the certification organization • www.incidents.org and intrusions@incidents.org mailing list, GCIA practicals, diary • Dshield.org – 1999, Johannes hired by SANS in 2000 (now ~300,000 targets/day) • Internet Storm Center – 2001, grew out of li0n worm analysis (22 Mar) • All volunteer – March 2002

  5. What is the Internet Storm Center? • Sponsored by SANS Institute • Intended to provide “early warning.” • Infocon – when do we change it? • Diary – daily • RSS feed • Monthly webcast (2nd Wed of the month) • How to contact: • http://isc.sans.org/contact.php (preferred) • handlers@sans.org

  6. A little more info about the web sites • Dshield.org - • ~300,000 targets/day • ~800,000,000 rows/month in database • isc.sans.org • ~55,000 users/day (>75K on busy days) • Monitored by major news organizations (NPR, Washington Post, Al Jazeera, …)

  7. How do DShield and the Internet Storm Center work together? (diagram: Sensors, DShield: Automated Data Collection Engine, Database, Reports)

  8. The Internet Storm Center uses DShield and reader reports to create daily diaries. (diagram: DShield Data, ISC Handlers, Reader Reports; sample mail: From: isc reader To: handlers@sans.org Subject: Recent attack. ....)

  9. How readers contact us

  10. How readers contact us (cont'd) From jim.clausing@acm.org Sat Oct 16 17:32:02 2004 Date: Sat, 16 Oct 2004 21:16:34 GMT From: jim.clausing@acm.org To: handlers-850371@sans.org Subject: ISC# [850371] test Name: Jim Clausing E-Mail: jim.clausing@acm.org /* handlers@sans.org is an alias for all ISC handlers. Please include the list in all replies to keep everyone informed. You may receive more than one response */ testing, please ignore --- Malware OK:N Diary OK:N Mention Name:N IP: xxx.yyy.146.107 Browser: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10 Port: 33018 HTTP_VIA: HTTP_X_FORWARDED_FOR: ---

  11. The ISC Handlers are a diverse group of network security professionals • ~35-40 Handlers • 9 Countries • GIAC certifications (many with honors) • Various industries (Banking, ISPs, Gov, Edu) and different areas of expertise are represented. • Each day, one handler takes charge as “Handler on Duty”. • New Handlers are picked by existing handlers. • Malware subgroup (includes several non-handlers) • Mailing list/Jabber server

  12. A few handlers (and a groupie)

  13. Data from DShield allows us to “zoom in” on new trends and solicit more details from users. (diagram: DShield Data, Anomaly, “I am seeing...”, Diary: “Got Packets?”)

  14. Data from DShield can also be used to verify if a report is an isolated incident or not. (diagram: “Is anybody else seeing this?”, DShield Data, Yes/No)

  15. Diaries are frequently revised based on user feedback. Diary worthy? Immediate publication of a new event to solicit feedback from readers and provide the earliest possible alert. (diagram: Initial Observation, Initial Diary, Additional Observations, Revised Diaries)

  16. A number of automated reports are provided based on data collected by DShield. • Top Ports: Am I seeing the same attacks as others? • Trends: What changed? Am I ready for it? • Source Reports: Is anybody else getting attacked by the same source? • INFOCON: Are there any significant new threats that require immediate action?
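The questions on slides 14 and 16 (top ports, trends, source reports, “is anybody else seeing this?”) reduce to a few aggregations over submitted firewall logs. The block below is an added example, not ISC or DShield code; the one-line-per-packet log format, the sample lines, and the function names are constructed for this example and are not DShield's real submission format.

```python
"""Added example (not the ISC's or DShield's own code): the automated
reports slides 14 and 16 describe, computed over constructed firewall
log lines.  The one-line-per-packet format used here is an assumption
made for this example, not DShield's real submission format."""
from collections import Counter

# Constructed sample: date, source IP, reporting target IP, destination port, protocol.
SAMPLE_LOG = """\
2006-09-22 192.0.2.10 198.51.100.5 445 TCP
2006-09-22 192.0.2.10 198.51.100.6 445 TCP
2006-09-22 192.0.2.10 198.51.100.7 445 TCP
2006-09-22 203.0.113.4 198.51.100.5 1433 TCP
2006-09-22 203.0.113.4 198.51.100.5 445 TCP
2006-09-22 198.51.100.99 198.51.100.5 80 TCP
2006-09-21 192.0.2.10 198.51.100.5 445 TCP
2006-09-21 203.0.113.4 198.51.100.5 135 TCP
2006-09-21 198.51.100.99 198.51.100.5 80 TCP
"""


def parse_log(text):
    """Turn the constructed log text into a list of report dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, port, proto = line.split()
        records.append({"day": day, "src": src, "dst": dst,
                        "port": int(port), "proto": proto})
    return records


def top_ports(records, day, n=3):
    """Top Ports: destination ports with the most reports on `day`."""
    return Counter(r["port"] for r in records if r["day"] == day).most_common(n)


def trend(records, today, yesterday):
    """Trends: change in per-port report counts from `yesterday` to `today`.
    A large positive number is the 'what changed?' a handler looks for."""
    now = Counter(r["port"] for r in records if r["day"] == today)
    before = Counter(r["port"] for r in records if r["day"] == yesterday)
    return {p: now[p] - before[p] for p in set(now) | set(before)}


def source_report(records, src):
    """Source Reports: how many reports, distinct targets and ports a source hit."""
    hits = [r for r in records if r["src"] == src]
    return {"reports": len(hits),
            "targets": len({r["dst"] for r in hits}),
            "ports": sorted({r["port"] for r in hits})}


def seen_elsewhere(records, port, asking_site):
    """'Is anybody else seeing this?': other reporting sites that saw `port`."""
    return sorted({r["dst"] for r in records
                   if r["port"] == port and r["dst"] != asking_site})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Top ports 2006-09-22:", top_ports(recs, "2006-09-22"))
    print("Trend vs 2006-09-21:", trend(recs, "2006-09-22", "2006-09-21"))
    print("Source 192.0.2.10:", source_report(recs, "192.0.2.10"))
    print("Port 445 seen by others:", seen_elsewhere(recs, 445, "198.51.100.5"))
```

On the constructed sample, port 445 jumps from one report to four between the two days, one source hits three distinct sites, and a site asking about port 445 gets two other sites back; at DShield scale the same aggregations run over hundreds of millions of rows a month, which is what makes an isolated report distinguishable from a trend.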

  17. Looking at the Dshield data

  18. The WMF exploit showed that 0-day exploits are no longer used to attack only high value targets. DEC 28 2005 Phone Call: “I went to Knoppix-STD.org, and it looks like adware was installed on my system” Verification: • Visit knoppix-std.org • “Fax Viewer” pops up • Anti Spyware Ad is installed.

  19. Initially, the WMF 0-day exploit is used to install fake anti-spyware.

  20. How do we defend our network against a widely used 0-day exploit? • Firewall? • Not much good. This is a client exploit. • Antivirus? • Threat is developing too fast. • Configuration Changes? • Disabling shimgvw.dll works ok. • User Education? • Too late, and wouldn't work. • IDS? • Again, too late, threat developing too fast.

  21. Why did Anti Virus not work well? • Rapid delivery of obfuscation tools (e.g. Metasploit). • Anti Virus recognized the payload, but not the exploit. • Multi-payload exploit: Only partially discovered and removed. • New payloads released hourly. > 500 distinct versions after a few days!

  22. The situation escalates as more and more sites attempt to exploit the vulnerability. Dec 31 2005 • The race is on by malware writers to capture as many vulnerable systems as possible. (SPEED COUNTS!) • Spam used to disseminate the exploit. • Exploit can be triggered by desktop search programs. • Ilfak Guilfanov releases patch! YELLOW

  23. Is it ok for the Internet Storm Center (or anybody) to release or recommend an unofficial patch? • Patch has been validated. • Tom Liston verified that the patch is “ok”. • Risks are communicated to the user. • The patch was clearly labeled as “unofficial”. • No good mitigation method is available. • Disabling shimgvw.dll causes many problems. • Widespread use of exploit. • 500 versions found in the wild, large botnets built. • No vendor patch is available.

  24. Even with patch and workarounds, the battle against the WMF exploit continues. • Several thousand e-mails over the new year weekend. • Microsoft releases WMF patch by mistake. Microsoft releases official patch ahead of its scheduled January patch day. JAN 5 2006

  25. The VML vulnerability of Sep 2006 • 2006-09-18 23:15 GMT – Sunbelt Software posts about IE VML exploit • At first, claim turning off javascript will mitigate • First pass through VirusTotal only Microsoft detects (they’ve apparently had coverage since 16 Sep) • 2006-06-19 16:27 UTC – Evidence that it is already incorporated into a version of WebAttacker toolkit. • 2006-06-19 – US-CERT posts VU#416092, MSFT publishes advisory, recommends unregistering DLL • 2006-06-20 – Public exploit available

  26. The VML vulnerability of Sep 2006, cont’d • 2006-09-22 00:00 UTC – Ed Skoudis becomes HOD • 2006-09-22 – MSFT claims it isn’t being widely exploited, patch will come on 10 Oct. AUSCERT says it is seeing increasing exploitation including via spam • 2006-09-22 ~12:00 UTC – ZERT announces its existence, produces patch • 2006-09-22 15:00 UTC – we raise infocon to yellow • 2006-09-23 15:00 UTC – infocon back to green • 2006-09-23 – We’re seeing several thousand exploited websites and the exploit being incorporated into new trojans

  27. The VML vulnerability of Sep 2006, cont’d • 2006-09-23 – Yet another variation of the VML exploit, this time a heap overflow • 2006-09-25 – VML exploits via e-greeting cards • 2006-09-26 15:00 UTC – Metasploit module released • 2006-09-26 17:00 UTC – Microsoft releases MS06-055

  28. Recent reports to the ISC show the following threats as important and current. • 0-day exploits (“commodity” as well as targeted). • The Age of the Bot. • Client (and more targeted) attacks. • Diminishing utility of signature based Antivirus solutions. • Unique covert channel usage is increasing and becoming more sophisticated. • Financially motivated • Malware Analysis Tool Detection

  29. Poebot Evolution February 2005 • W32/Poebot-A is a network worm with backdoor Trojan functionality • The worm spreads through network shares protected by weak passwords. • The backdoor component joins a predetermined IRC channel and awaits further commands from a remote user.

  30. Poebot Evolution February 2006 Capabilities: • joins and parts IRC channels, changes nick, creates clones, sends raw command, sends messages and notices, floods channels • runs IDENTD server on a specified port • scans for vulnerable computers using a number of exploits and reports to a hacker • tries to spread to network shares, bruteforces share passwords using the hardcoded list

  31. Poebot Evolution February 2006, cont. Capabilities: • steals logins and passwords (cached passwords, FlashFXP passwords, IE site passwords, MSN passwords) • steals Outlook account information (SMTP and POP server names, logins and passwords) • steals HTTP e-mail server logins and passwords (Hotmail) • sniffs network traffic (packet sniffer)

  32. Poebot Evolution February 2006, cont. Capabilities: • downloads and runs files on an infected computer • opens a pipe-based remote command shell on an infected computer • acts as a proxy server on a selected port • collects information about an infected system (software and hardware configuration)

  33. Poebot Evolution February 2006, cont. Capabilities: • finds and terminates competing bots • performs a DoS (Denial of Service) attack • updates itself from the Internet • lists processes, paying attention to processes with specific names (games mostly) • possibly using encrypted/covert C&C

  34. Poebot Evolution February 2006, cont. Infection Mechanisms: • ASN.1 (MS04-007), ports 80, 139, 445 • LSASS (MS04-011), port 445 • DCOM-RPC (MS04-012), port 135 • WKSSVC (MS03-049), ports 135, 445 • WEBDAV (MS03-007), port 80 • UPNP (MS05-039), port 445 • MSSQL, port 1433 • DameWare, port 6129 • BackupExec, port 6101 • IceCast, port 8000 • SlabMail, port 110 • RealServer, port 554

  35. The outbreaks of major viruses and worms are slowing For Hire

  36. Recent Study by Panda Software (2Q2006) • Trojans accounted for 54.4 percent of the new malware detected during the second quarter of 2006 • The number of new worms continued to fall, representing just 4.9 percent of the new threats detected • The increase in Trojans and the large number of new bots and backdoor Trojans detected confirms the financial motivation behind the new malware dynamic • This new aim of malware creators is also reflected in the large number of bots (16%) and backdoor Trojans (12%) detected over the last quarter. These types of threats are also widely used in other criminal business models that provide income for cyber-criminals.

  37. Enter the new age of the Botnets

  38. HTTProxy covert channel • Malware installed via opening infected attachment • Malware issues HTTP GET request • Malware receives HTML from web site • Malware parses first 64 bytes of HTML • Malware extracts Base64 encoded command from HTML comments "<!--" and “-->” found within the first 64 bytes • Commands: S (sleep), D (download and execute), and R (reverse shell)

  39. Malware using covert channels • PWS-Banker.bm : Uses ICMP • TSPY_SMALL.CBE : Uses ICMP • Remacc.SAdoor : IP, ICMP, UDP or TCP packet with certain characteristics. • Win32.Bube.J : HTTP • HTTPProxy: HTML comments
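The HTTProxy channel on slide 38 is easy to miss because every message looks like a normal page fetch; what gives it away is the structure the slide spells out (a Base64 string inside an HTML comment within the first 64 bytes of the response, decoding to an S, D or R command). The block below is an added example, not ISC code and not the malware's code: a detector a proxy or IDS could apply to response bodies. The argument layout after the command letter, the sample responses, and the function names are assumptions of this example.

```python
"""Added example (not the ISC's code and not the malware's): a detector
for the HTTProxy-style covert channel described on slide 38.  It mirrors
what the slide says the malware does (look only at the first 64 bytes of
an HTTP response for a Base64 command inside an HTML comment) so that a
proxy or IDS can flag such responses.  The argument layout after the
command letter (e.g. a URL after 'D') is an assumption of this example."""
import base64
import binascii
import re

# Base64 text between HTML comment markers.
COMMENT_RE = re.compile(rb"<!--\s*([A-Za-z0-9+/=]+)\s*-->")
# Command letters named on slide 38.
KNOWN_COMMANDS = {"S": "sleep", "D": "download and execute", "R": "reverse shell"}


def extract_covert_command(html, window=64):
    """Return the decoded command found in the first `window` bytes, or None."""
    match = COMMENT_RE.search(html[:window])
    if match is None:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # an ordinary comment, not Base64
    if not decoded or chr(decoded[0]) not in KNOWN_COMMANDS:
        return None
    letter = chr(decoded[0])
    return {"command": letter,
            "meaning": KNOWN_COMMANDS[letter],
            "argument": decoded[1:].decode("ascii", "replace")}


def scan_responses(responses, window=64):
    """Indices of responses that carry a covert command (for alerting)."""
    return [i for i, body in enumerate(responses)
            if extract_covert_command(body, window) is not None]


# Constructed sample responses (not real captures).
BEACON_SLEEP = b"<html><!-- " + base64.b64encode(b"S300") + b" --><body></body></html>"
BEACON_DOWNLOAD = (b"<html><!-- "
                   + base64.b64encode(b"Dhttp://example.invalid/u.exe")
                   + b" --></html>")
BENIGN = b"<html><!-- header --><body>Hello</body></html>"


if __name__ == "__main__":
    for body in (BEACON_SLEEP, BEACON_DOWNLOAD, BENIGN):
        print(body[:40], "->", extract_covert_command(body))
```

Restricting the search to the same 64-byte window the malware uses keeps false positives from ordinary comments further down a page low; raising `window` trades that for coverage of variants that read more of the response.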

  40. Malware Analysis Tool Detection VMWare Detected Better act normal

  41. Examples • Sniffer : Sniffer is running, so do not go to the internet • Debugger : Kill the debugger or terminate the process • VMware: Running in VMware, play nice. If not running in VMware then do bad things • Internet connectivity: No connectivity, sleep

  42. 0-day exploits used to be applied only against high value and well defended targets. But now we see them used against regular users • 0-day: Exploit without patch (not: unreleased exploit) • 2006 zero-days in use: • WMF: Used to install spyware • Javascript: more drive-by downloads (2 exploits) • Safari Archives: used to install bots. • Word Exploit: only used targeted, like “traditional” 0-day use. • VML: Again used to install spyware

  43. 0-days are still used to make money. But instead of outright selling them, they are used to install spyware/adware/spam botnets • Exploits are hard to sell on the “open market”. WMF is rumored to have sold for $5,000. • Security companies (iDefense, 3COM) buy exploits for > $10k. • Spyware or Adware install will bring approx. $1 per user. • 0-day • Millions of Vulnerable Users • Millions of $$$ for successful exploit!

  44. 0-day exploits are delivered to users like any other exploit. Most of them affect browsers and are delivered via e-mail/web sites. • User asked to click on “enticing” link to malware hosting site. • Exploit deposited on a trusted site which allows user uploads (ebay images, web forum). • “Spear Phishing” used to target particular users or groups. • Takes advantage of the fact that Outlook and Outlook Express use IE to render HTML e-mail

  45. Vendors have a hard time responding to 0-day exploits. • Patch release is not designed to be fast, but designed to cause minimal disruption (to user and vendor image). • Traditionally, pre-patch vulnerability information was limited to reduce information available to malware writers • This no longer applies if the malware is already out and spreading. • Enter groups like ZERT

  46. Packers allow for rapid mutation of existing malware, making it very hard for AV products to keep up. • Zotob: Every 4 hrs a new version. • New Version: Old code repacked. • No need to write new malware. (diagram: Packer, Malware)

  47. Packers can use different “keys”, debugger traps, or they can be nested. (diagram: Packer, Malware, Debug/VM Trap, Packer #2)

  48. Anti Virus writers are working on defenses, but so far the defenses fall short. • “Sandbox”: Still essentially pattern based and requires unpacking the code to analyze. • “Unpackers”: Packers again are easily modified and it is hard to keep up. Implementation can introduce new problems (Remember: ZIP/RAR... vulnerabilities in AV Products)
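Because a repacked sample defeats the signature of the previous version (slides 46 to 48), defenders triage with properties a packer cannot hide as easily; one of the cheapest is byte entropy, since packed or encrypted sections score close to 8 bits per byte while ordinary code and data score far lower. The block below is an added example, not ISC code and not any AV vendor's engine: a windowed entropy scan over constructed in-memory buffers. The threshold, window size and sample buffers are assumptions of this example.

```python
"""Added example (not the ISC's code, and not any AV vendor's engine):
a byte-entropy triage check for packed or encrypted regions of a file,
one of the heuristics defenders use because, as slides 46-48 say,
signatures over packed code do not keep up.  The samples are constructed
in-memory buffers, not real malware."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def high_entropy_regions(data, window=1024, threshold=7.0):
    """Merged (start, end) byte ranges whose windows exceed `threshold`.
    Packed or encrypted sections typically score above ~7 bits/byte."""
    regions = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        if shannon_entropy(chunk) > threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # extend the previous region
            else:
                regions.append((start, end))
    return regions


def looks_packed(data, **kwargs):
    """True if any window looks packed; a cheap first-pass triage signal only."""
    return bool(high_entropy_regions(data, **kwargs))


# Constructed samples: a low-entropy "code-like" buffer and a pseudo-random one.
LOW_ENTROPY = b"\x90" * 2048 + bytes(range(16)) * 128          # entropy exactly 3.0
_rng = random.Random(1)                                         # fixed seed, repeatable
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))  # close to 8.0
MIXED = LOW_ENTROPY + HIGH_ENTROPY  # an unpacked stub followed by a packed body


if __name__ == "__main__":
    print("low: %.2f high: %.2f" % (shannon_entropy(LOW_ENTROPY),
                                    shannon_entropy(HIGH_ENTROPY)))
    print("packed regions in MIXED:", high_entropy_regions(MIXED))
```

Entropy only says that a region is packed or encrypted, not what it contains, which is exactly the limitation slide 48 describes: the sample still has to be unpacked (or run) before any pattern matching can apply, so this check is a prioritisation signal rather than a verdict.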

  49. Things will get worse! You have to stay in touch with current developments. Use the ISC as your life line for survival. • As you are reading this slide, everything that preceded it is out of date. • A solid foundation in InfoSec basic principles and best practices is necessary to understand new threats quickly. • Use the ISC to stay in touch.

  50. The Internet Storm Center is a collaborative information sharing community: Come to collaborate and share! • Send us your logs: • http://www.dshield.org/howto.php • Send us your observations: • http://isc.sans.org/contact.php • handlers@sans.org • Send us your malware: • http://isc.sans.org/contact.php • http://isc.sans.org/seccheck
