User-Based Innovation & Communities Drive Commercial


The Security Economy
James Hamilton
Microsoft SQL Server Architect
http://research.microsoft.com/~JamesRH
[email protected]
2004.06.17
Agenda

- Threat environment is worsening rapidly
- Capitalism in play
- The security economy
  - Personal/financial advantage drives innovation
  - 1st Gen: Fun and fame
  - 2nd Gen: Revenue models emerge
  - 3rd Gen: Resources for hire
- What can be done?
Threat: Cracking not a new phenomenon

- 1981: Kevin Mitnick (Condor) cracks LA School System & PacBell
- 1992: 414 Gang cracks Los Alamos & cancer center
- 1983: Mitnick (Condor) cracks Pentagon computers
- 1984: Kevin Poulsen (Dark Dante) cracks into ARPAnet
- 1986: Pakistani Brain virus – 1st malicious virus
- 1996: Chaos Computing Club hacks LBL
- 1987: Jerusalem virus – 1st infecting files
- 1988: Robert Morris releases 1st internet worm
  - Sendmail buffer overrun; over 6,000 systems infected
- 1988: Mitnick cracks MCI DECnet
  - Steals VMS source code
  - Steals passwords
- 1989: Fry Guy cracks McDonalds
  - Credit cards and $6,000 in cash and product
- 1991: Michelangelo virus
- 1991: Justin Petersen (Agent Steal) cracks bank computer & transfers funds
- 1992: Morty Rosenfeld (Storm Shadow) cracks TRW
  - Credit card reports and numbers
- 1994: Richard Pryce (DataStream Cowboy) cracks USAF Rome Lab, …
- 1994: Vladimir Levin cracks Citibank network

Source: Bill Wall, Harris Computer Corp
Incidents Reported Industry-wide

[Chart: CERT/CC incidents reported per year; x-axis '88 through '02 in two-year ticks, y-axis 0 to 90,000 incidents]

- CERT/CC incident statistics 1988 through 2003
- Incident: a single security issue, grouping together all impacts of that issue
- Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality

Source: http://www.cert.org/stats/cert_stats.html
1st Gen: Fun and fame

- A new frontier for experimentation & learning
  - Many of the same folks who phone phreaked when in-band signaling was still employed
  - Mostly non-destructive experimentation
- Community learning & sharing
  - Trade ideas & methods at security focused conferences, e.g. Blackhat http://www.blackhat.com/
  - Building on the ideas of others
    - Phrack ezine: http://www.phrack.org/show.php?p=49&a=14
    - 29A: http://29a.host.sk/
  - Not all work from first principles
    - Baseless loaders
    - Encryption & morphing engines
- Fun but clearly not a viable business
DB Attack: Data Thief

- Cesar Cerrudo, author
- Originally produced as an SQL injection demonstration
- UI driven:
  - You select the target web page
  - Displays a menu of all tables available in the database in the UI
  - Transfers contents of selected tables to a local database
  - Uses a local database to store stolen data
- No programming or IQ required

Download: http://www.appsecinc.com/resources/freetools/
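The reason a point-and-click tool like the one above can enumerate and copy out tables is that the web page pastes a request parameter into its SQL text. The following is an added example, not code from the talk or from the Data Thief tool: it puts the vulnerable lookup beside the hardened one against a constructed in-memory SQLite database. The table names, sample rows and the request parameter are all assumptions made for the illustration; the catalogue-enumerating input shows why the vulnerable form returns more than one product name and why the hardened form refuses it.

```python
import sqlite3

# Constructed in-memory database standing in for the web application's backend
# (sample data, not from the page): one table the page is meant to query and a
# second table the page should never expose.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, card TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO customers VALUES (1, '4111-1111-1111-1111');
    """)
    return conn

# Vulnerable form: the request parameter is concatenated into the SQL text, so
# the database cannot tell where the query ends and the caller's input begins.
def lookup_vulnerable(conn, product_id):
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]

# Hardened form: validate the type the application actually expects, then bind
# the value as a parameter so it can only ever be compared as data.
def lookup_hardened(conn, product_id):
    pid = int(product_id)  # raises ValueError on anything that is not an integer
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (pid,))
    return [row[0] for row in rows]

# Constructed input of the kind a table-enumerating tool sends: a UNION that
# reads table names out of SQLite's catalogue instead of a product id.
ENUMERATE_TABLES = "1 UNION SELECT name FROM sqlite_master WHERE type = 'table'"

def demo():
    """Returns (what the vulnerable lookup leaked, whether the hardened one refused)."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, ENUMERATE_TABLES)
    try:
        lookup_hardened(conn, ENUMERATE_TABLES)
        refused = False
    except ValueError:
        refused = True
    return leaked, refused

if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable lookup returned:", leaked)
    print("hardened lookup refused the input:", refused)
```

The type check is not a substitute for the bound parameter; it only gives a clearer failure. The parameter binding is what keeps the structure of the statement fixed, which is exactly the property the menu-of-tables behaviour on the slide depends on being absent.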
2nd Gen: Revenue models emerge

- Selling bugs
  - Vendor provided bounties: Qmail http://cr.yp.to/qmail/guarantee.html
  - Third party: iDefense http://idefense.com/poi/teams/vcp.jsp?flashstatus=true
- Professional services feedback loop
  - Problem exists, so opportunity for security services
  - When not billing time, crack products
  - Establish both the problem & credibility
  - More spent in patch application & more concern about security
  - More opportunity for security services
- New opportunity for 1st gen fun and fame folks
  - Get known & join a security services shop
- Separation of virus creation from distribution
  - Posted to web sites (research & freedom of speech defense)
3rd Gen: Resources for hire

- Systems lying dormant waiting to be needed
  - No indication they are infected
- Theft of assets:
  - AOL PW, PayPal PW, credit card numbers, game and S/W keys, etc.
- Zombie bot-nets:
  - Spam distribution
    http://news.com.com/Mounties+charge+teenage+virus+suspect/2100-7349_3-5221785.html?tag=cd.top
  - Copyright or illegal media distribution
  - DDoS attacks
  - Anonymous or difficult to track actions
- Zombie systems for sale
  http://www.theregister.co.uk/2004/04/30/spam_biz
  - 20 cents each: $500/10,000
    http://www.theregister.com/2004/05/12/phatbot_zombie_trade/
3rd Gen: Resources for hire (cont…)

- Mega-virus/worms most dangerous new trend
  - Polymorphic
    - Attempt to evade signature searching
  - Disable anti-virus
    - Could even simulate AV running (no known examples)
    - Consolidation in AV market would make this easier
  - Disable competition for resources & control
    - Remove other viruses, worms & bots
  - Aggregate large number of already found attacks into a single virus/worm
- P2P command & control
  - Phatbot first to go P2P rather than IRC
  - WASTE provides an (optionally) encrypted P2P channel http://waste.sourceforge.net/
  - Phatbot uses Gnutella as directory service
- Infected systems can be efficiently found & controlled and therefore have value
Phatbot Feature List

- Polymorph on install to evade antivirus signatures as it spreads from system to system
- Checks to see if it is allowed to send mail to AOL, for spamming purposes
- Can steal Windows Product Keys
- Can run an IDENT server on demand
- Starts an FTP server to deliver the trojan binary to exploited hosts
- Can run a socks, HTTP or HTTPS proxy on demand
- Can start a redirection service for GRE or TCP protocols
- Can scan for and use the following exploits to spread itself to new victims:
  - DCOM, DCOM2, MyDoom backdoor, DameWare, Locator Service, weak pw Shares, WebDav
  - WKS - Windows Workstation Service
- Newer versions of Agobot and Phatbot have added scanner modules for:
  - Bagle virus backdoor, CPanel resetpass vulnerability, UPnP vulnerability, Weak SQL admin PW
- Attempts to kill instances of MSBlast, Welchia and Sobig.F
- Sniffs IRC network traffic looking for logins to other botnets & IRC operator passwords
- Can sniff FTP network traffic for usernames and passwords
- Can sniff HTTP network traffic for Paypal cookies
- Contains a list of nearly 600 processes to kill if found on an infected system.
  - Antivirus software, others are competing viruses/trojans
- Tests available bandwidth by posting large amounts of data to the following websites:
  - www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.stanford.edu, www.xo.net, ….
- Can steal AOL account logins and passwords
- Can steal CD Keys for several popular games
- Can harvest emails from the web for spam purposes
- Can harvest emails from the local system for spam purposes

Source: http://www.lurhq.com/phatbot.html
Phatbot Command Set

Command               Description
bot.command           runs a command with system()
bot.unsecure          enable shares / enable dcom
bot.secure            delete shares / disable dcom
bot.flushdns          flushes the bots dns cache
bot.quit              quits the bot
bot.longuptime        If uptime > 7 days then bot will respond
bot.sysinfo           displays the system info
bot.status            gives status
bot.rndnick           makes the bot generate a new random nick
bot.removeallbut      removes the bot if id does not match
bot.remove            removes the bot
bot.open              opens a file (whatever)
bot.nick              changes the nickname of the bot
bot.id                displays the id of the current code
bot.execute           makes the bot execute a .exe
bot.dns               resolves ip/hostname by dns
bot.die               terminates the bot
bot.about             displays the info the author wants you to see
shell.disable         Disable shell handler
shell.enable          Enable shell handler
shell.handler         FallBack handler for shell
commands.list         Lists all available commands
plugin.unload         unloads a plugin (not supported yet)
plugin.load           loads a plugin
cvar.saveconfig       saves config to a file
cvar.loadconfig       loads config from a file
cvar.set              sets the content of a cvar
cvar.get              gets the content of a cvar
cvar.list             prints a list of all cvars
inst.svcdel           deletes a service from scm
inst.svcadd           adds a service to scm
inst.asdel            deletes an autostart entry
inst.asadd            adds an autostart entry
logic.ifuptime        exec command if uptime is bigger than X
mac.login             logs the user in
mac.logout            logs the user out
ftp.update            executes a file from a ftp url
ftp.execute           updates the bot from a ftp url
ftp.download          downloads a file from ftp
http.visit            visits an url with a specified referrer
http.update           executes a file from a http url
http.execute          updates the bot from a http url
http.download         downloads a file from http
rsl.logoff            logs the user off
rsl.shutdown          shuts the computer down
rsl.reboot            reboots the computer
pctrl.kill            kills a process
pctrl.list            lists all processes
scan.stop             signal stop to child threads
scan.start            signal start to child threads
scan.disable          disables a scanner module
scan.enable           enables a scanner module
scan.clearnetranges   clears all netranges registered
scan.resetnetranges   resets netranges to the localhost
scan.listnetranges    lists all netranges registered
scan.delnetrange      deletes a netrange from the scanner
scan.addnetrange      adds a netrange to the scanner
ddos.phatwonk         starts phatwonk flood
ddos.phaticmp         starts phaticmp flood
ddos.phatsyn          starts phatsyn flood
ddos.stop             stops all floods
ddos.httpflood        starts a HTTP flood
ddos.synflood         starts an SYN flood
ddos.udpflood         starts a UDP flood
redirect.stop         stops all redirects running
redirect.socks        starts a socks4 proxy
redirect.https        starts a https proxy
redirect.http         starts a http proxy
redirect.gre          starts a gre redirect
redirect.tcp          starts a tcp port redirect
harvest.aol           makes the bot get aol stuff
harvest.cdkeys        makes the bot get a list of cdkeys
harvest.emailshttp    makes the bot get a list of emails via http
harvest.emails        makes the bot get a list of emails
waste.server          changes the server the bot connects to
waste.reconnect       reconnects to the server
waste.raw             sends a raw message to the waste server
waste.quit            disconnect waste
waste.privmsg         sends a privmsg
waste.part            makes the bot part a channel
waste.netinfo         prints netinfo
waste.mode            lets the bot perform a mode change
waste.join            makes the bot join a channel
waste.gethost         prints netinfo when host matches
waste.getedu          prints netinfo when the bot is .edu
waste.action          lets the bot perform an action
waste.disconnect      disconnects the bot from waste

Source: http://www.lurhq.com/phatbot.html
What can be done?

- No single defense effective
- Secure by default:
  - Default features secure
  - If less than 80% use, then off-by-default
  - Simple security features
- Security focused design & development process
  - Threat models, targeted testing, attack teams, accountable code reviews, security audit, …
  - /GS, /SafeSEH, NX (no execute), …
  - Static analysis with source annotations & more constrained programming languages
  - Innovative security focused tools
  - Statistical attack detection with auto defense
- Tight feedback loop
  - Customers' system state sent "home" (with approval)
  - Auto-patching & configuration checkers
  - Black hat forums & other sources constantly monitored
- Fundamental architectural change:
  - More redundancy, many layers of defense, rigidly enforced fault containment domains, restartable components, low trust between components, limited communications allowed between components, limited communications external to components…
- Security communications:
  - Customer education
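The "statistical attack detection with auto defense" item above can be shown from the defender's side against the behaviour the Phatbot feature list describes: a freshly infected host starts scanning net ranges for new victims, so its count of distinct destinations jumps far above its own history. The following is an added example, not code from the talk or from Microsoft. It builds constructed per-minute flow records (source, destination, port), keeps a per-host baseline of distinct destinations, flags a host whose current count is a z-score outlier above an absolute floor, and emits illustrative isolation rules. The host addresses, the threshold values and the rule format are all assumptions; the absolute floor is there so a quiet host with a zero-variance baseline is not flagged for a handful of new connections.

```python
from collections import defaultdict
from statistics import mean, pstdev

def make_window(spec, dport=445):
    """Build one constructed one-minute window of (src, dst, dport) flows.
    spec maps a source host to the number of distinct destinations it contacted.
    (Constructed sample data, not real traffic.)"""
    flows = []
    for src, n in spec.items():
        for i in range(n):
            flows.append((src, f"10.0.1.{i + 1}", dport))
    return flows

def distinct_destinations(flows):
    """Count distinct (dst, dport) pairs per source host within one window."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        seen[src].add((dst, dport))
    return {src: len(d) for src, d in seen.items()}

def flag_scanners(history, current, z=3.0, min_abs=20):
    """Flag hosts whose distinct-destination count in the current window is a
    statistical outlier against that host's own history.
    z       : z-score threshold above the host's mean (assumed value)
    min_abs : absolute floor, so a host with a flat baseline (pstdev == 0)
              is not flagged for a few new connections (assumed value)"""
    baseline = defaultdict(list)
    for window in history:
        for src, count in distinct_destinations(window).items():
            baseline[src].append(count)
    flagged = []
    for src, count in distinct_destinations(current).items():
        past = baseline.get(src, [0])   # unseen host: treat its history as silent
        threshold = mean(past) + z * pstdev(past)
        if count >= min_abs and count > threshold:
            flagged.append((src, count))
    return sorted(flagged)

def quarantine_rules(flagged):
    """Auto-defense step: produce isolation rules for flagged hosts.
    The rule text is illustrative and not any particular firewall's syntax."""
    return [f"isolate src={src} reason=scan distinct_dst={n}" for src, n in flagged]

# Five quiet minutes of constructed history, then a window in which 10.0.0.7
# begins sweeping a net range while 10.0.0.9 is only slightly busier than usual.
HISTORY = [
    make_window({"10.0.0.5": 3, "10.0.0.7": 2, "10.0.0.9": 1}),
    make_window({"10.0.0.5": 4, "10.0.0.7": 3, "10.0.0.9": 1}),
    make_window({"10.0.0.5": 3, "10.0.0.7": 2, "10.0.0.9": 1}),
    make_window({"10.0.0.5": 5, "10.0.0.7": 3, "10.0.0.9": 1}),
    make_window({"10.0.0.5": 4, "10.0.0.7": 2, "10.0.0.9": 1}),
]
CURRENT = make_window({"10.0.0.5": 4, "10.0.0.7": 60, "10.0.0.9": 6})

if __name__ == "__main__":
    hits = flag_scanners(HISTORY, CURRENT)
    for rule in quarantine_rules(hits):
        print(rule)
```

Lowering min_abs to 5 also flags 10.0.0.9, whose baseline has zero variance, which is the failure mode the floor exists to absorb; in a real deployment the emitted rules would go to a reviewer or a network enforcement point rather than being printed.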