310 likes | 526 Views
CSIS 3756 Security Design. Mr. Mark Welton. What we are going to look at. The five game changing viruses Security best practices that deal with the problems. My Top 5 Game Changing Viruses. Nimda Bagel and Netsky Storm Slammer Stuxnet. Nimda Worm.
E N D
CSIS 3756Security Design Mr. Mark Welton
What we are going to look at • The five game changing viruses • Security best practices that deal with the problems
My Top 5 Game Changing Viruses • Nimda • Bagel and Netsky • Storm • Slammer • Stuxnet
Nimda Worm • “self replicating virus that does not alter files but resides in active memory and duplicates • itself and sometimes drains system resources” • Released on September 18, 2001 • 5 main forms of infection • email • Open network shares • Via browsing of compromised web sites • Exploitation of various Microsoft IIS 4.0/5.0 directory traversal vulnerabilities • Back doors left behind by the “Code Red II” and “sadmind/IIS” worms
Infection of vulnerabilities • On IIS used two vulnerabilities • Extended Unicode Directory Traversal Vulnerability • Escaped Character Decoding Command Execution Vulnerability • Once infected the IIS server would then scan for other hosts with the same two vulnerabilities • It would also use TFTP to transfer files from one infected host to the new host • Files included an admin.dll file and many copies of .eml and .nws files in multiple location of the server
email • Would email a message with a random subject and attach a file named readme.exe • Opening the attachment infected the machine • Could use the preview pane in older versions Microsoft Outlook and Outlook Express to execute the file without the user clicking on the attachment • Would then email out an infected email to all email addresses in the user’s address book • It would sent the email out every 10 days to the user’s address book
From the infected web server… • It would look through an infected web server for .htm, .html, or .asp files • Nimda would add a java script to each of these files pointing to a readme.eml file on the server • An Automatic Execution of Embedded MIME Types Vulnerability in IE would execute the file
Network Shares • Once a host machine was infected it scanned the local network to find shared folders • Once the network share was found the worm would look for .doc .eml or .exe files that could be written • It would attach a file called riched20.dll if the file did not exist in the directory • When the user ran one of the infected files it would download and execute the worm infecting the machine • It would also create a guest account with administrator privileges and create open shares on the infected system • It would then send the account and password for this account to the attackers
Some other interesting things… • Would replace mmc.exe on a server • Would infect all executable files on both local and network drives replicating the .eml and .nws files along with the riched20.dll • The worm would act as a remote thread to Explorer.exe • Would change the registry key to open network shares for all drives (C$->Z$)
Security Countermeasures • Filter attached files with extensions like .exe .com .dll • Educate users not to open attachments they did not expect • Harden and patch web servers • Patch and/or upgrade desktop software • Firewall unused ports • Use IPS to detect and stop unneeded communication
Bagle Worm • First strain sighted on January 18, 2004 • Second strain sighted February 17, 2004 • Mass-mailing worm (would not email to @hotmail.com @msn.com @microsoft or @avp) • Would open backdoors TCP ports 6777 and 8866 • Second strain had its own SMTP engine to mass-mail itself • Created a botnet used to send spam
Some stats… • In December 29, 2009 the botnet was responsible for 10.30% of the worldwide spam volume, surging to 14% on New Year’s Day • As of April 2010 botnet estimated sending roughly 5.7 billion spam messages a day
Netsky • Similar to Bagle worm • Written by an 18 year old from Germany • Insults authors of Bagle in code • One strain targeted Bagle and MyDoom infected machines infect the machine, remove Bagle and MyDoom and patch the vulnerability they used • “Botnet Wars”
Security Countermeasures • Filter attached files with extensions like .exe .com .dll .vbs • Educate users not to open attachments they did not expect • Harden and patch web servers • Patch and/or upgrade desktop software • Firewall unused ports • Use IPS to detect and stop unneeded communication
Storm • First detected in January 2007 • Worm spread through e-mail spam • Email would link to an infection-hosting web site • Used social engineering in emails to get users to click on link • By September 2007 it was estimated that as many as 1 million compromised systems made up the Storm Botnet • Used known Microsoft vulnerability to infect the machine
So why didn’t antivirus stop it… • Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour, for new transmissions, making it difficult for anti-virus vendors to stop the virus and infection spread • Additionally, the location of the remote servers which control the botnet are hidden behind a constantly changing DNS technique called ‘fast flux’, making it difficult to find and stop virus hosting sites and mail servers
So why not just stop the CC… • Command and Control of the botnet used peer-to-peer techniques make no central command and control point that can be shutdown • Botnet also encrypted traffic • Has more computing power then the top 500 supercomputers combined • It is estimated it is only using 10% to 20% of the total capacity of the botnet
What bot would do • Launched a series of EXE file in stages creating the following services in the botnet • Backdoor/downloader • SMTP relay • E-mail address stealer • E-mail virus spreader • DDoSattack tool • updated copy of Storm worm dropper • Would use fast flux DNS to hide the bot in the network • Also kernel rootkit the machine and used modified eDonkeycomminications
Security Countermeasures • Educate users not to open links they did not expect • Patch and/or upgrade desktop software • Firewall unused ports • Use IPS to detect and stop unneeded communication
Slammer • Started on January 25, 2003 at 05:30 UTC • Infected 75,000 machines in ten minutes • Used buffer overflow in SQL server and Microsoft Desktop Engine database products • Patch was release six months earlier • Was a single packet exploit • Infection was in memory only • Would scan for more hosts to infect
Security Countermeasures • Patch and/or upgrade desktop software • Patch servers • Firewall unused ports • Use IPS to detect and stop unneeded communication
New Advances Persistent Threats • Stuxnet – industrial sabotage -> Iranian uranium enrichment program • Ghostnet – stole diplomatic communications -> embassies, Dhali Llama • Aurora – stole source code and other intellectual property -> Google • Night Dragon – industrial and commercial intelligence -> large oil companies
“Most Sophisticated Worm Ever” • Targets Siemens S7/WinCC products, compromises S7 PLC's to sabotage physical process • Exploited Windows zero-day vulnerabilities • Spreads via: • USB/Removable Media • 3 Network Techniques • S7 Project Files • WinCC Database Connections • Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates • Installs cleanly on W2K through Win7/2008R2 • Conventional OS rootkit, detects and avoids major anti-virus products • Advanced reverse-engineering protections
Stuxnet Worm • discovered until June 2010 • Infection came for a USB flash drive • Used 4 vulnerability 2 of which where day zero • Used 7 different infection methods • Existed at least a year before discovery
Conspiracy Theory anyone… • Initial infection of worm thought to be from an offsite contractor transferring a file • Or it may have been a Siemens engineer • Or it may have been a flash drive handed out at a conference • …
List of features • Self-replicates through removable drives exploiting a vulnerability allowing auto-execution • Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability • Spreads in a LAN through a vulnerability in the Windows Print Spooler • Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability • Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability • Copies and executes itself on remote computers through network shares • Copies and executes itself on remote computers running a WinCC database server • Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded • Updates itself through a peer-to-peer mechanism within a LAN • Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed • Contacts a command and control server that allows the hacker to download and execute code, including updated versions • Contains a Windows rootkit that hide its binaries • Attempts to bypass security products • Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system • Hides modified code on PLCs, essentially a rootkit for PLCs
How Stuxnet Infects a System Infected Removable Media: • Exploits vulnerability in Windows Shell handling of .lnk files (0-day) • Used older vulnerability in autorun.inf to propagate Local Area Network Communications: • Copies itself to accessible network shares, including administrative shares • Copies itself to printer servers (0-day) • Uses “Conficker” vulnerability in RPC Infected Siemens Project Files: • Installs in WinCC SQL Server database via known credentials • Copies into STEP7 Project files