The SANS Internet Storm Center: Workings, observations, and trends
Jim Clausing, Internet Storm Center Handler

Outline
- The SANS Internet Storm Center
- Global Collaborative Incident Handling
- Case study – WMF
- Case study – VML
- Case study – Poebot
- Current Threats
- Contribute!
- Q&A
http://isc.sans.org

Handlers on duty... [screenshot of the handlers-on-duty page]

History
- SANS Institute – 1979
- GIAC (Global Incident Analysis Center) – 1999, mailing list to watch Y2K. The initials have since been taken over by the certification organization.
- www.incidents.org and [email protected] mailing list, GCIA practicals, diary
- Dshield.org – 1999; Johannes hired by SANS in 2000 (now ~300,000 targets/day)
- Internet Storm Center – 2001, grew out of li0n worm analysis (22 Mar)
- All volunteer – March 2002

What is the Internet Storm Center?
- Sponsored by SANS Institute
- Intended to provide “early warning.”
- Infocon – when do we change it?
- Diary – daily RSS feed
- Monthly webcast (2nd Wed of the month)
- How to contact: http://isc.sans.org/contact.php (preferred), [email protected]

A little more info about the web sites
- Dshield.org: ~300,000 targets/day; ~800,000,000 rows/month in database
- isc.sans.org: ~55,000 users/day (>75K on busy days)
- Monitored by major news organizations (NPR, Washington Post, Al Jazeera, …)

How do DShield and the Internet Storm Center work together?
[Diagram: Sensors -> Database] DShield: Automated Data Collection Engine.
Reports: The Internet Storm Center uses DShield and reader reports to create daily diaries.
[Diagram: DShield Data + Reader Reports -> ISC Handlers]
Sample reader report:
From: isc reader
To: [email protected]
Subject: Recent attack.
....
How readers contact us [screenshot of the contact form]

How readers contact us (cont'd) – what the handlers receive:
From [email protected] Sat Oct 16 17:32:02 2004
Date: Sat, 16 Oct 2004 21:16:34 GMT
From: [email protected]
To: [email protected]
Subject: ISC# [850371] test
Name: Jim Clausing
E-Mail: [email protected]
/* [email protected] is an alias for all ISC handlers. Please include the list in all replies to keep everyone informed. You may receive more than one response */
testing, please ignore
--Malware OK:N Diary OK:N Mention Name:N
IP: xxx.yyy.146.107
Browser: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10
Port: 33018
HTTP_VIA:
HTTP_X_FORWARDED_FOR:
---

The ISC Handlers are a diverse group of network security professionals
- ~35-40 Handlers
- 9 Countries
- GIAC certifications (many with honors)
- Various industries (Banking, ISPs, Gov, Edu) are represented, and different areas of expertise.
- Each day, one handler takes charge as “Handler on Duty”.
- New Handlers are picked by existing handlers.
- Malware subgroup (includes several non-handlers)
- Mailing list/Jabber server

A few handlers (and a groupie) [photo]

Data from DShield allows us to “zoom in” on new trends and solicit more details from users.
[Flow: DShield Data -> Anomaly -> Diary: “Got Packets?”]

Data from DShield can also be used to verify if a report is an isolated incident or not.
[Flow: “I am seeing...” -> “Is anybody else seeing this?” -> check DShield Data -> No / Yes]

Diaries are frequently revised based on user feedback.
- Immediate publication of new event to solicit feedback from readers and provide the earliest possible alert.
[Flow: Initial Observation -> Diary Worthy? -> Initial Diary -> Additional Observations -> Revised Diaries]

A number of automated reports are provided based on data collected by DShield.
- Top Ports: Am I seeing the same attacks as others?
- Trends: What changed? Am I ready for it?
- Source Reports: Is anybody else getting attacked by the same source?
- INFOCON: Are there any significant new threats that require immediate action?

Looking at the Dshield data [screenshot]

The WMF exploit showed that 0-day exploits are no longer used to attack only high value targets.
- DEC 28 2005 Phone Call: “I went to Knoppix-STD.org, and it looks like adware was installed on my system”
- Verification: Visit knoppix-std.org; “Fax Viewer” pops up; Anti Spyware Ad is installed.
- Initially, the WMF 0-day exploit is used to install fake anti-spyware.

How do we defend our network against a widely used 0-day exploit?
- Firewall? Not much good. This is a client exploit.
- Antivirus? Threat is developing too fast.
- Configuration Changes? Disabling shimgvw.dll works ok.
- User Education? Too late, and wouldn't work.
- IDS? Again, too late, threat developing too fast.

Why did Anti Virus not work well?
- Rapid delivery of obfuscation tools (e.g. Metasploit).
- Anti Virus recognized payload, but not exploit.
- Multi-payload exploit: Only partially discovered and removed.
- New payloads released hourly. > 500 distinct versions after a few days!

The situation escalates as more and more sites attempt to exploit the vulnerability.
- Dec 31 2005 – YELLOW
- The race is on by malware writers to capture as many vulnerable systems as possible. (SPEED COUNTS!)
- Spam used to disseminate exploit.
- Exploit can be triggered by desktop search programs.
- Ilfak Guilfanov releases patch!

Is it ok for the Internet Storm Center (or anybody) to release or recommend an unofficial patch?
- Patch has been validated. Tom Liston verified that the patch is “ok”.
- Risks are communicated to the user. The patch was clearly labeled as “unofficial”.
- No good mitigation method is available. Disabling shimgvw.dll causes many problems.
- Widespread use of exploit. 500 versions found in the wild, large botnets built.
- No vendor patch is available.

Even with patch and workarounds, the battle against the WMF exploit continues.
- Several thousand e-mails over the new year weekend.
- Microsoft releases WMF patch by mistake.
- JAN 5 2006 – Microsoft releases official patch ahead of its scheduled January patch day.

The VML vulnerability of Sep 2006
- 2006-09-18 23:15 GMT – Sunbelt Software posts about IE VML exploit
  - At first, claim turning off javascript will mitigate
  - First pass through VirusTotal only Microsoft detects (they’ve apparently had coverage since 16 Sep)
- 2006-06-19 16:27 UTC – Evidence that it is already incorporated into a version of WebAttacker toolkit.
- 2006-06-19 – US-CERT posts VU#416092, MSFT publishes advisory, recommends unregistering DLL
- 2006-06-20 – Public exploit available

The VML vulnerability of Sep 2006, cont’d
- 2006-09-22 00:00 UTC – Ed Skoudis becomes HOD
- 2006-09-22 – MSFT claims it isn’t being widely exploited, patch will come on 10 Oct. AUSCERT says it is seeing increasing exploitation, including via spam
- 2006-09-22 ~12:00 UTC – ZERT announces its existence, produces patch
- 2006-09-22 15:00 UTC – we raise infocon to yellow
- 2006-09-23 15:00 UTC – infocon back to green
- 2006-09-23 – We’re seeing several thousand exploited websites and the exploit being incorporated into new trojans

The VML vulnerability of Sep 2006, cont’d
- 2006-09-23 – Yet another variation of the VML exploit, this time a heap overflow
- 2006-09-25 – VML exploits via e-greeting cards
- 2006-09-26 15:00 UTC – Metasploit module released
- 2006-09-26 17:00 UTC – Microsoft releases MS06-055

Recent reports to the ISC show the following threats as important and current.
- 0-day exploits (“commodity” as well as targeted).
- The Age of the Bot.
- Client (and more targeted) attacks.
- Diminishing utility of signature based Antivirus solutions.
- Unique covert channel usage is increasing and becoming more sophisticated.
- Financially motivated
- Malware Analysis Tool Detection

Poebot Evolution – February 2005
- W32/Poebot-A is a network worm with backdoor Trojan functionality
- The worm spreads through network shares protected by weak passwords.
- The backdoor component joins a predetermined IRC channel and awaits further commands from a remote user.

Poebot Evolution – February 2006
Capabilities:
- joins and parts IRC channels, changes nick, creates clones, sends raw commands, sends messages and notices, floods channels
- runs an IDENTD server on a specified port
- scans for vulnerable computers using a number of exploits and reports to a hacker
- tries to spread to network shares, bruteforces share passwords using the hardcoded list

Poebot Evolution – February 2006, cont.
Capabilities:
- steals logins and passwords (cached passwords, FlashFXP passwords, IE site passwords, MSN passwords)
- steals Outlook account information (SMTP and POP server names, logins and passwords)
- steals HTTP e-mail server logins and passwords (Hotmail)
- sniffs network traffic (packet sniffer)

Poebot Evolution – February 2006, cont.
Capabilities:
- downloads and runs files on an infected computer
- opens a pipe-based remote command shell on an infected computer
- acts as a proxy server on a selected port
- collects information about an infected system (software and hardware configuration)

Poebot Evolution – February 2006, cont.
Capabilities:
- finds and terminates competing bots
- performs a DoS (Denial of Service) attack
- updates itself from the Internet
- lists processes, paying attention to processes with specific names (games mostly)
- possibly using encrypted/covert C&C

Poebot Evolution – February 2006, cont.
Infection Mechanisms:
- ASN.1 (MS04-007), ports 80, 139, 445
- LSASS (MS04-011), port 445
- DCOM-RPC (MS04-012), port 135
- WKSSVC (MS03-049), ports 135, 445
- WEBDAV (MS03-007), port 80
- UPNP (MS05-039), port 445
- MSSQL, port 1433
- DameWare, port 6129
- BackupExec, port 6101
- IceCast, port 8000
- SlabMail, port 110
- RealServer, port 554

The outbreaks of major viruses and worms are slowing [“For Hire” image]

Recent Study by Panda Software (2Q2006)
- Trojans accounted for 54.4 percent of the new malware detected during the second quarter of 2006
- The number of new worms continued to fall, representing just 4.9 percent of the new threats detected
- The increase in Trojans and the large number of new bots and backdoor Trojans detected confirms the financial motivation behind the new malware dynamic
- This new aim of malware creators is also reflected in the large number of bots (16%) and backdoor Trojans (12%) detected over the last quarter. These types of threats are also widely used in other criminal business models that provide income for cyber-criminals.

Enter the new age of the Botnets [image]

HTTProxy covert channel
- Malware installed via opening infected attachment
- Malware issues HTTP GET request
- Malware receives HTML from web site
- Malware parses first 64 bytes of HTML
- Malware extracts Base64 encoded command from HTML comments ("<!--" and "-->") found within the first 64 bytes
- Commands: S (sleep), D (download and execute), and R (reverse shell)

Malware using covert channels
- PWS-Banker.bm: Uses ICMP
- TSPY_SMALL.CBE: Uses ICMP
- Remacc.SAdoor: IP, ICMP, UDP or TCP packet with certain characteristics.
- Win32.Bube.J: HTTP
- HTTPProxy: HTML comments

Malware Analysis Tool Detection [image: “VMWare Detected – Better act normal”]

Examples
- Sniffer: Sniffer is running, so do not go to the internet
- Debugger: Kill the debugger or terminate the process
- VMware: Running in VMware, play nice. If not running in VMware then do bad things
- Internet connectivity: No connectivity, sleep

0-Day exploits used to be applied only against high value and well defended targets. But now we see them used against regular users.
- 0-day: Exploit without patch (not: unreleased exploit)
- 2006 zero-days in use:
  - WMF: Used to install spyware
  - Javascript: more drive-by downloads (2 exploits)
  - Safari Archives: used to install bots.
  - Word Exploit: only used targeted, like “traditional” 0day use.
  - VML: Again used to install spyware

0-days are still used to make money. But instead of outright selling them, they are used to install spyware/adware/spam botnets.
- Exploits are hard to sell on the “open market”.
- WMF is rumored to have sold for $5,000.
- Security companies (iDefense, 3COM) buy exploits for > $10k.
- Spyware or Adware install will bring approx. $1 per user.
[Diagram: 0-day + Millions of Vulnerable Users = Millions of $$$ for successful exploit!]

0-day exploits are delivered to users like any other exploit.
- Most of them affect browsers and are delivered via e-mail/web sites.
- User asked to click on “enticing” link to malware hosting site.
- Exploit deposited on trusted site which allows user uploads (ebay images, web forum).
- “Spear Phishing” used to target particular users or groups.
- Takes advantage of the fact that Outlook and Outlook Express use IE to render HTML e-mail

Vendors have a hard time responding to 0-day exploits.
- Patch release is not designed to be fast, but designed to cause minimal disruption (to user and vendor image).
- Traditionally, pre-patch vulnerability information was limited to reduce information available to malware writers. This no longer applies if the malware is already out and spreading.
- Enter groups like ZERT

Packers allow for rapid mutation of existing malware, making it very hard for AV products to keep up.
- Zotob: Every 4 hrs a new version.
- New Version: Old code repacked. No need to write new malware.
[Diagram: Malware -> Packer -> encoded malware -> Unpacker -> Malware]

Packers can use different “keys”, debugger traps, or they can be nested.
[Diagram: Malware -> Packer -> encoded malware -> Packer #2 (Debug/VM Trap) -> new encoded malware -> Unpacker -> encoded malware -> Unpacker -> Malware]

Anti Virus writers are working on defenses, but so far the defenses fall short.
- “Sandbox”: Still essentially pattern based and requires unpacking the code to analyze.
- “Unpackers”: Packers again are easily modified and it is hard to keep up. Implementation can introduce new problems (Remember: ZIP/RAR... vulnerabilities in AV Products)

Things will get worse!
- You have to stay in touch with current developments. Use the ISC as your life line for survival.
- As you are reading this slide, everything that preceded it is out of date.
- A solid foundation in InfoSec basic principles and best practices is necessary to understand new threats quickly. Use the ISC to stay in touch.

The Internet Storm Center is a collaborative information sharing community: Come to collaborate and share!
- Send us your logs: http://www.dshield.org/howto.php
- Send us your observations: http://isc.sans.org/contact.php, [email protected]
- Send us your malware: http://isc.sans.org/contact.php, http://isc.sans.org/seccheck

Geeks in Vegas [photo]

Questions??

Handlers form a biker gang [photo]

Now it's your turn to ask questions! Thanks!
http://isc.sans.org/contact.php
http://www.dshield.org/howto.php
http://handlers.sans.org/jclausing
http://isc.sans.org
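The "HTTProxy covert channel" slide above describes the channel only in words; this added example (not part of the talk or any ISC tooling) shows how a defender could check captured HTTP responses for that pattern: an HTML comment inside the first 64 bytes whose Base64 payload decodes to an S, D or R command. The exact layout of the decoded command (opcode letter followed by an argument) and all sample responses are assumptions constructed here, not captures from the talk.

```python
import base64
import binascii
import re

# Opcode meanings as given on the "HTTProxy covert channel" slide.
HTTPROXY_COMMANDS = {"S": "sleep", "D": "download-and-execute", "R": "reverse-shell"}

# The slide says the command hides in an HTML comment inside the first 64 bytes.
HEAD_LEN = 64
COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.DOTALL)


def extract_httproxy_command(body: bytes):
    """Return (opcode, meaning, argument) when the first 64 bytes of an HTML
    response carry an HTTProxy-style Base64 command in a comment, else None.

    Assumption (not stated on the slide): the decoded text is an opcode letter
    followed by an optional argument, e.g. "S 3600" or "D <url>".
    """
    head = body[:HEAD_LEN]
    for match in COMMENT_RE.finditer(head):
        token = match.group(1).strip()
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # ordinary comment text, not Base64
        if not decoded:
            continue
        opcode = chr(decoded[0])
        if opcode in HTTPROXY_COMMANDS:
            argument = decoded[1:].strip().decode("ascii", "replace")
            return opcode, HTTPROXY_COMMANDS[opcode], argument
    return None


def scan_responses(responses):
    """Map each (label, body) pair, e.g. from a proxy capture, to its verdict."""
    return {label: extract_httproxy_command(body) for label, body in responses}


def make_sample(command: bytes) -> bytes:
    """Build a constructed response that mimics the described channel."""
    return b"<html><!--" + base64.b64encode(command) + b"--><body></body></html>"


# Constructed samples; none of these are captures from the talk.
SAMPLES = [
    ("benign", b"<!-- site header -->\n<html><body>Hello</body></html>"),
    ("sleep", make_sample(b"S 3600")),
    ("download", make_sample(b"D http://example.invalid/update.exe")),
    # Comment lies past the 64-byte window the malware inspects, so it is ignored.
    ("late_comment", b"<html>" + b" " * 64 + make_sample(b"R 192.0.2.1 4444")[6:]),
]
```

Run over the responses your proxy logs, a hit on a "D" or "R" command is the signal to pull the client off the network and capture the attachment it opened.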