Recent Threat Trends and a Look Ahead

Buck Watia
iDefense Security Intelligence Operations

Contains VeriSign Confidential and Proprietary Information


Presentation Agenda
I.

Today’s Threat Environment

II.

Progression of Threat Motives & Impact

I.
II.
III.

Recent Malicious Activity

I.
II.
IV.

Statistics
Notable Malcode

Where Do We Go From Here?

I.

2

A Look Back
Current & Future Trends, Motivations

Threats in Context

Contains VeriSign


Today’s Threat Environment
+ Enterprise Environment is Increasingly Complex
▪ Critical System Explosion
▪ Asset Criticality isn’t Enough to Prioritize
▪ Increase in Vulnerabilities
▪ Constant Updates and Patches

+ Sophistication of Threats
▪ Increasingly Advanced Malicious Code
▪ Increase in Communication/Teamwork Among Hackers
▪ Time to Exploitation Drastically Reduced
▪ Stealth Attacks

3

Contains VeriSign



Progression of Motives & Impact
+

2003 Year of the Worm

▪ Notoriety
▪ Dawn of code for cash
▪ MSFT Bounty program established
+

2004 Worm War & Criminal Code

▪ Bounty program curbs notoriety actors
▪ Bounty program hardens criminal gain actors
▪ Hundreds of variants, source code releases
+

NASA.GOV

2005 Year of the Bot & Ad/Spyware

▪ Criminalization and commoditization well developed
▪ Target Attacks: Espionage and hacker for hire quickly escalating
+

2006 Threat of the Unknown: Stealth for Survival

▪ Increase in innovation, organization and sophistication
▪ Targeted attacks to defeat specific authentication protection


4

Contains VeriSign


Creating Code for Cash
Millions of Stolen
Account Credentials
- Fedex Account #!

Stolen CD Keys

Phishing
& Pharming

Millions of Stolen
Credit Cards

Money Mules

Extortion
Ad/Spyware

Industrial Espionage

5

Contains VeriSign


Hackers for Hire


2005: Vulnerability Activity
Source: VeriSign iDefense Vulnerability Team

6

+

2,954 unique vulnerability reports

+

13,550 re-versioned reports

+

598 new exploits

Contains VeriSign


Exploitation Frameworks
+

Metasploit Framework

▪ Open-source project created in mid-2003 by H.D. Moore
▪ Created for pen-testing and research; a free alternative to others

▪ Widely used by hacking community since it is free
+

CANVAS

▪ Offered by Immunity Inc., started by Dave Aitel in 2002
▪ Aimed at promoting exploit development and providing a

penetration testing platform

+

Core Impact

▪ Core Impact was developed by CORE Security Technologies in

1996
▪ Dubbed as the first fully automated penetration testing product
▪ Expensive product used mainly by corporations

7

Contains VeriSign


2005: Top Exploited Vulnerabilities
# of Codes

Vulnerability Exploited


1,357

LSASS

526

WebDAV

469

Cumulative Update for Microsoft RPC/DCOM

404

Microsoft ASN.1 BERDecBitString() Buffer Overflow

368

Workstation vulnerability

357

Microsoft Plug-and-Play Buffer Overflow

220

Microsoft Windows DCERPC DCOM Heap Overflow

216


UPnP

172

SQL Server

113

IIS5 SSL DoS vulnerability

**Multiple other Microsoft vulnerabilities exploited to a lesser degree

8

Contains VeriSign


2005: Malcode Activity

Source: VeriSign iDefense Malcode Team

9

Contains VeriSign


Notable Attacks and Vectors

10


+

MS05-039/Zotob

+

Google Adword Attack

+

DNS Poisoning

+

WMF File Format Vulnerability

+

Metafisher

Contains VeriSign


MS05-039 - Zotob
+ Zero Day Exploit
▪ MSFT Discloses Vulnerability – August 9th
▪ Public exploits Released –August 11th
▪ More exploits released including one by HOD –

August 12th


+ Why is PNP/ZoTob Important
▪ Speed of attack
▪ Intel gathering and analysis is key
▪ Actors are important and threat is critical

11

Contains VeriSign


Innovation: Google Adwords Attack

12

Contains VeriSign


Operations: Organized Criminal Groups
Earn thousands of dollars
with a part time job at work
– apply today!
Private Financial Receiver
Money Transfer Agent
Country Representative
Shipping Manager
Financial Manager
Sales Manager
Sales Representative
Secondary Highly Paid Job

Client Manager

13

Contains VeriSign


Sophistication: DNS Cache Poisoning

14

+

2,000 or more DNS servers poisoned after hacked through
AWStats/Other vectors

+

Over 17 families of code, upwards of 20 MB
of files, and 45+ malicious files silently installed

+

Mostly adware, spyware, Trojans, and fraud identified as the primary
focus of attacks

+

Long term success, not being easily identified or mitigated


Contains VeriSign


.WMF File Format Vulnerability
+

Graphic File Format

+

No User Interaction Necessary

+

Originally Developed to Promote a “Pump and Dump” Stock

+

Originally Downplayed by MSFT

▪ Came out with out of cycle patch 4 days before Patch Tuesday
+

15

Still being Exploited Today by Several Codes Including Metafisher

Contains VeriSign



Metafisher – Sophisticated Phishing Attacks
+ A Highly Sophisticated Bot for Financial Fraud
▪ The IceBerg threat

– Under the radar for months
– Encryption cracked
▪ Web-based command-and-control server
– Large numbers of Bots
▪ professionally built
– suite of tools
– user-friendly administration interface
▪ Professional software lifecycle management comparable to

many professional software products

16

Contains VeriSign


17

Contains VeriSign


Metafisher – Known Attack Structures to Date

18

Contains VeriSign



Metafisher – PHP Configured Bots

19

Contains VeriSign


Metafisher – Searchable Stolen Log Files

20

Contains VeriSign


Metafisher – Form.txt – Keylogger and Phished Data

21

Contains VeriSign


BrizTrojan Targets US Banks
+ Briz Trojan Family
▪
▪
▪

Not new, family has been around for several months

Targets Argentina, Australia, France, Germany, Spain, and US
Banks in the US: Bank of America, wellsFargo

+ Sophisticated Attack
▪
▪
▪
▪
▪
▪

BHOs combine to make complex credential stealing unit
Downloads configuration files to inject HTML and JavaScript into pages to steal
credentials that otherwise would not be requested
Screenshots taken on every initial page load and at each mouse click
Logged data is stored with time stamps to determine user usage profiles to trick anti
fraud devices
Trojan injected verification questions after a successful login
Challenges banks customized authentication systems

+ US Banks were not previously a threat to sophisticated financial attacks
▪
▪
▪
▪

22

Increasing Trend
Intelligence, Sophistication, Custom code injection

Similar path as MetaPhisher
Used in combination with money mule operations to move money to off shore accounts

Contains VeriSign


Browser Helper Object

Initial
Compromise

Spammed
links via fake
windows
update
sites/porn

Installs BHO in IE

+Trojan can take on multiple layer
authentication systems
+i.e. Site Key- BOA
+ Steals all forms
+Injects custom code for targeted attacks
against specific banks

Home
User

23


Contains VeriSign


Biz Trojan

Initial
Compromise

Command and
Control Servers
Downloads
Javascript
to inject
SSL verified
pages

Installs BHO

Home
User

24

Screen Shots Taken, Data
Logged and saved

Contains VeriSign

US Banking

Servers


SNATCH: Russian Advanced Banking Malcode

25

+

Sophisticated malicious code targeting financial services

+

Created by Russian SE-Code’s #Rock group

+

Sophisticated threat similar to Metaphisher and Briz Trojans

Contains VeriSign