Today the threat has changed. Hackers are no longer kids trying to create a name for themselves; they're professionals with a vast network and are capable of increasingly sophisticated and highly targeted attacks. In fact, many of today's attacks are so stealth that the victims may not even realize their systems have been compromised for days, weeks or even months. So how do organizations address malware attacks as part of their overall risk management program? What steps can you take to ensure that your organization is not the next TJX or Ameritrade? This presentation provides an overview of the attacks targeting the enterprise today and an insider's look into how a malware attack is executed and what tools are needed to respond effectively. Get statistics on malware from the Kaspersky Anti-Virus Research Lab in Moscow and the specific business risks they represent. Learn about risk analysis, virus dissection and recommended mitigation frameworks.
Copyright 2008. All Rights Reserved. April 29, 2008
Anatomy of a Malware Attack
The New Malware Ecosystem
Tom Bowers
Senior Security Evangelist
April 29, 2008
Introduction
• Malware growth rates
• Evolution from nuisance to monetized threat
• Malware as a business
• Malware Ecosystem
Malware Samples per Year
Source: The Kaspersky Internet Security Lab
What We Are Seeing
Distribution of Malware Categories in the First Half of 2007
Source: The Kaspersky Internet Security Lab
The Rogues’ Gallery – The Script Kiddies
Jeffrey Lee Parson, age 18 (USA)
Arrested August 29, 2003 for the Lovesan.b virus
Sven Jaschan, age 18 (Germany)
Arrested May 7, 2004 for the NetSky and Sasser viruses
Chen Ing-Hau, age 24 (Taiwan)
Arrested September 21, 2000 for the CIH virus
The Rogues’ Gallery – Two-Bit Thieves
Jeanson James Ancheta, age 20 (USA)
Arrested November 3, 2005 for creating zombie networks and leasing them for spam mailing and DDoS attacks on websites
Farid Essebar, age 18 (Morocco)
Arrested August 26, 2005 for creating zombie networks using the Mytob and Zotob (Bozori) worms
Atilla Ekici, age 21 (Turkey)
The Rogues’ Gallery – Big Business
• Yaron Bolondi, aged 32 (Israel)
• Attempted to withdraw £220 million (more than $420 million in 2005) from the bank's accounts via the network of a London branch of Sumitomo Bank
• Arrested March 16, 2005
Criminal Attacks on the Rise
Source: The Kaspersky Internet Security Lab
A Great Low Risk Business
Cybercriminals feel relatively safe because:
– There are gaps in legislation
– Law enforcement understaffed and under-equipped
– Victims rarely inform police about crimes.
– Insignificant damages – incidents are not interesting to police (despite the huge number of these crimes)
– The crimes are international
Malware Ecosystem
Chinese Underground
Source: TR-2007-011: Reihe Informatik. December 3, 2007
Malware Business Portal
Offers:
•Specific node counts
•Guaranteed infection rates
•SLAs
•Technical Support
Malware Control Console
Storm Worm
Targeted Attacks
• Los Alamos and Oak Ridge Spear Phishing attack
– Visitor database only
– 12 different attackers, 7 emails to 1000's of employees
– 11 emails opened
• What about your business?
– Specific companies being targeted
– Specific groups within a company
• Denotes social engineering skill
• Solid research (competitive intelligence) skills
– Job sites
– User forums…
Hunting Malware
Virus Hunting Protocol
Wireshark
• What
– Network communications
• Why
– Infection mechanism, bot and data dump communications
• When
– Anytime, though before infection is preferable
Regmon
• What
– What registry changes are made
• Why
– Covers all registry entries
• When
– Setup before infection, measurement afterward
Filemon
What
– What files are changed, added, deleted…from a system
Why
– Typical Windows XP system has 50,000 to 100,000 files
When
– Setup before infection, measure afterward
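The before-and-after measurement the Regmon and Filemon slides describe is a baseline diff: record the state of the system before the sample runs, record it again afterward, and report the delta. The following Python script is an added example, not part of the presentation and not code from the Sysinternals tools: it hashes every file under a directory before and after a change and classifies files as added, deleted or modified. The directory layout and the changes it applies are constructed stand-ins for a lab image; the same snapshot-and-diff approach applies to a registry export.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative POSIX path) to the SHA-256 of its content."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(before, after):
    """Classify files as added, deleted or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Baseline a constructed lab tree, apply constructed changes, measure the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for a clean lab image (not a real system)
        (root / "Windows" / "system32").mkdir(parents=True)
        (root / "Windows" / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Documents").mkdir()
        (root / "Documents" / "notes.txt").write_text("hello\n")
        (root / "Documents" / "old.tmp").write_text("scratch\n")
        before = snapshot(root)          # "setup before infection"

        # Constructed changes standing in for what a sample might do
        (root / "Windows" / "system32" / "hosts").write_text(
            "127.0.0.1 localhost\n127.0.0.1 av-update.example\n")
        (root / "Windows" / "system32" / "svc_update.exe").write_bytes(b"MZ\x90\x00")
        (root / "Documents" / "old.tmp").unlink()
        after = snapshot(root)           # "measure afterward"

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing content rather than comparing timestamps catches in-place edits such as the hosts file change above, which a size-only or mtime-only comparison can miss; on a real image the baseline must be taken on a clean snapshot so the diff contains only what the sample did.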
Other Tools
• Netcat – the Swiss Army Knife
– Monitor Port 80 communications
– Create Log files of that communication
• B64Dec – Base 64 decoder
• Process Explorer – View Tasks and Task Trees
Pinch Password Stealer
Pinch Highlights
• Infection Vectors
– ICQ
• Purpose
– Collect victim system information
– Collect cached passwords
– Send collected data to Internet server
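The Netcat and B64Dec entries under Other Tools and the Pinch slide's "send collected data to Internet server" describe the same analysis step: log the sample's port 80 traffic on a listener, then decode what the request carried. The following Python script is an added example, not code from the presentation: it builds a constructed capture (the path /gate.php, the host and the report text are made up for the example), parses it the way the raw request netcat would log would be read, and base64-decodes each form field that is well-formed base64.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode

# Constructed plaintext standing in for the data a stealer would report
SAMPLE_REPORT = b"host=LAB-PC;user=analyst;os=WinXP"


def build_constructed_capture():
    """Return the bytes a netcat listener on port 80 would have logged for one beacon.

    Everything here is constructed for the example: the path /gate.php,
    the host header and the body contents.
    """
    body = urlencode({"id": "1", "data": base64.b64encode(SAMPLE_REPORT).decode()}).encode()
    head = (b"POST /gate.php HTTP/1.1\r\n"
            b"Host: 127.0.0.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def parse_http_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    # Honour Content-Length so trailing log noise is not treated as body
    length = int(headers.get("content-length", len(body)))
    return method.decode(), path.decode(), headers, body[:length]


def try_b64decode(value):
    """Return the decoded bytes if value is well-formed base64, else None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyze_capture(raw):
    """Parse a logged request and decode every form field that looks like base64."""
    method, path, headers, body = parse_http_request(raw)
    fields = dict(parse_qsl(body.decode(), keep_blank_values=True))
    decoded = {name: try_b64decode(val) for name, val in fields.items()}
    return {"method": method, "path": path, "headers": headers,
            "fields": fields, "decoded": decoded}


if __name__ == "__main__":
    report = analyze_capture(build_constructed_capture())
    print(report["method"], report["path"])
    for name, value in report["decoded"].items():
        print(f"{name}: {value!r}")
```

Fields that are not base64 (here `id`) decode to `None` rather than raising, so the script can be run over a whole log of requests; the decoded `data` field is what an analyst compares against the "collect victim system information" and "collect cached passwords" purposes listed above.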
Conclusions
• Malware has evolved
• Highly organized, profitable, low risk business
• Organized ecosystem
• Basic incident response tools
Questions?
• Search engine query: “Tom Bowers” “information security”