Changes in the Threat Landscape
Beth Jones, SophosLabs, Dec 2006

Outline
• Overview of the current malware threat
• Overview of the current spam threat
• A more detailed look at the Threat Landscape
• Threat Trends and Techniques
• SophosLabs
• Looking forward
• Summary

SophosLabs
Overview of the current malware threat

Threat numbers
• 3000 new malicious software threats per month
• 300% rise in spam in May 2006

Threat numbers
(chart: number of threats by year, 1996 to 2006; y-axis 0 to 200,000)

The profile of a virus writer is changing...
• Virus writers now have a financial motive (phishing, stealing confidential data, denial-of-service extortion attempts, spam)
• More organised criminals see that viruses and Trojan horses can help them make money
• They are less likely to make the mistakes the "old school" virus writers made, such as needing to show off to their friends
• Law enforcement coordination is required to stop international virus-writing gangs

...from headlines ...to targeted attacks
• Although large outbreaks make the headlines, there are also attacks targeted at specific sites or business rivals
• Less likely to be noticed than a large outbreak
• "Hacked to order" to steal information or resources
• Large outbreaks typically target Windows PCs, but that is not necessary for targeted attacks

Changing Threats
• Most Trojans have spyware components
• 140 Brazilian banking Trojans a day were seen during the summer of 2005
• Total number of banker Trojans with individual IDs is 5500+
  • Troj/Bank* - 3818
  • Troj/Banc* - 1839
• However, now that we have the Mal/Packer and Mal/Banc behavioural genotypes, there are probably many more thousands that we detect proactively
• Similar trend with other spyware, e.g. Troj/Torpig-BJ

Keeping out of the news
• Don't want to draw attention
• Strong evidence that they 'test' first
• Easier to steal from 200 than from 200,000
• Specific targeted attacks
• Easily deployed through spam
• Drop malware either directly or from a website
• Use a variety of techniques to 'hide' themselves
  • Self-updating
  • Packing techniques
• Malware toolkits for sale

SophosLabs
Overview of the current spam threat

By Country Stats
• Malware - Nov 2006, based on ALL data
• Spam - Jul-Sep 2006
(chart: percentage share of spam and of malware by country, 0-45%; countries shown: Norway, Denmark, Hong Kong, Korea (Republic of), Sweden, Czech Republic, United Kingdom, Canada, Spain, Taiwan, Brazil, Italy, Estonia, Germany, France, Ukraine, China, Netherlands, Russian Federation, United States)

Changing face of Spam
• Increase in 'Image Only' spam
  • Widely used for stock 'Pump and Dump'
  • Now being used for other types (degrees, meds, etc.)
• Shorter campaigns
  • URLs used in campaigns lasting just a few minutes
  • Avoid URI blocking technologies
• Abuse free hosting services
  • Free page redirects to the spammer's site
• Redirectors
  • TinyURL etc.
  • Free URL that again redirects, e.g. kickme.to/spammer.it

Spam Example
• Stock 'pump-and-dump' campaigns
• No URL
• Image only
• Small image changes introduced to get around checksums

Image Spam Example
(screenshot of an image-only spam)

The threat landscape is changing...

A more detailed look at the Threat Landscape

Facts & Figures
• Dec 2005
  • 135 Alerts (4-5 per day)
  • 1138 Identities (1-2 every hour)
  • ~1000 we didn't alert on (but added)
  • 68% Trojans
  • Doesn't include the ones we detect proactively
  • >4000 Banker Trojans detected with just 4 Genotype/Family identities
• May 2006
  • 84% Trojans

Web infection - stage 1
(diagram: Attacker's PC, Attacker's web server, Email seed-list, SMTP via ISP to the Email server, Gateway, Workstations)

Web infection - stage 2
(diagram: Workstations, Gateway, ISP, Attacker's PC, Attacker's web server, Email server)

Backdoor Trojans
• Client/Server (SubSeven): attacker uses a dedicated client program
• IRC (Rbot): attacker uses a standard IRC client
• Web (Bugbear): attacker uses an internet browser

Bots
• Bot (Zombie, Drone)
• A piece of code developed to emulate human behaviour on a network; in computer security, used to describe network-spreading
threats with a payload that allows a remote attacker to control resources owned by the infected machine
• Control most frequently over IRC (TCP 6667 default port)

Definitions
• Botnet (Zombie army)
• A group of bots controlled by a single originator/hacker
• The botnet owner usually sets up an IRC server that allows authenticated access for specific IRC bot clients bundled with network-spreading worms
• Botnet servers are often connected with other IRC botnet servers

Botnets
(diagram: Botnet originator (owner), Botnet 1, Botnet 2, Botnet user (customer))

Rootkits
• A rootkit is a set of tools (programs, utilities) used by an attacker in order to maintain access to a compromised system without their activity being detected by the system administrator
• Rootkits act by denying the listing of certain elements such as processes, files, registry entries and TCP ports, falsely improving the user's confidence that the machine has not been compromised
(diagram: normal system - Application, System, Disk; rootkit installed - Application, Rootkit, System, Disk)

Threat Trends

Changes in techniques
• Malware authors are using newer or different tactics to try to maintain their element of surprise
• Techniques include
  • Obfuscation techniques
  • Packers/wrappers
  • Exploits

Obfuscation techniques
• Packing
  • Aggressive development of packers & cryptors
• Junk data/code
  • Added to make analysis more difficult
• Code injection
  • Masquerade as another process; bypass local security (client firewall)
• Persistence
  • Twinning procedures

Obfuscation - Code Injection
• Masquerade as another process
• Bypass local security (client firewall)
• Change the XOR key: 255 "variants" (^0x1b), e.g. Troj/Dloadr-AMQ (Sep 2006)

Obfuscation - Code Injection
• Browser Helper Objects (BHO)
• Code "injection"?
  (well, silent loading at least)
• Core of adware applications
• < AVI: cimuz.avi >
• BHO - sniff HTTP traffic
• Often used in banking Trojans

Obfuscation - Persistence
• Payloads to maintain persistence, e.g.:
  • Process termination
  • Process "twinning"
• < AVI: zlob-twin.avi >

Exploit Usage
• WebAttacker (demo) < wa-banker.avi >
• OS & browser
• IRC bots: LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049, CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007)
• Troj/Animoo
• Exp/WMF
• ADODB (Psyme)

Exploit Usage
(diagram: Troj/Tibs, Obfuscated JS, Exp/WMF, WebViewFolderIcon, Exp/CodeBase, ADODB Stream, Exp/Ani)

Full Circle!
(diagram of one campaign's infection chain; labels as shown on the slide)
• Sites: http://frekasele.info, http://west-best.info, http://ariec.org
• Detections along the chain: Guru/JSShell, Dload-AQE, Daxctle, Dload (Mal/Packer), Troj/Tibs, Tool888 PUA, Troj/LDPinch, Dload (inj DLL)
• http://www.perfectcodec.com (registered 13th Nov): Troj/Zlob !!! Backdoor
• Webroot: hardcore porn, "Require new Codec to view movie"

Troj/LDPinch
• Password stealer, 2004-6, very active
• HTTP POST, Base64-encoded: OS, process list, SMTP config, MAPI and POP3 credentials, ...

ADODB - Psyme
• "Utility" script used in many campaigns
  • Downloaders, backdoors etc.
• Key part of the infection mechanism: spam URI leading to the ADODB exploit

Troj/Proxy-EN
• Installs a stealthing proxy Trojan (via dropper)
• PE: %sysdir%\protector.exe
• SYS: HKLM\SYSTEM\CurrentControlSet\Services\ntio256
  • ImagePath = \??\C:\WINDOWS\System32\ntio256.sys
  • DisplayName = "Input and output operations"
• Device name: \\.\poofpoof
• IOControlCodes (3):
  • 0x220400 - registry
  • 0x220404 - files
  • 0x22040c - process

Obfuscated JavaScripts
• Simple; "kits" available
• Not indicative of malicious, but certainly suggestive!
• Shellcode as shown on the slide (truncated there):
    shellcode = unescape("%u4343"+"%u4343"+"%u4343" +
    "%u1c70%u8bad%u0868%uf78b%u046a%ue859%u0043%u0000" +
    "%ua3e9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c" +
    "%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u9516" +
    "%u2ee8%u0000%u8300%u20ec%udc8b%u206a%uff53%u0456" +
• Various mechanisms
  • Char substitution
  • Unescaped
  • StrReverse
  • ...
• Emulate?
• Performance considerations
• Decoder from an obfuscated page, as shown on the slide (the substitution table and the encoded payload are truncated there):
    function decrypt_p(x){
      var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
          t=Array(63,58,12,54,53,10,24,87,45,56,12 …);
      for(j=Math.ceil(l/b);j>0;j--){
        r='';
        for(i=Math.min(l,b);i>0;i--,l--){
          w|=(t[x.charCodeAt(p++)-48])<<s;
          if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}
        }
        document.write(r)
      }
    }
    decrypt_p("WsuvPNgVPF@s3JX4jLixWtNtKj ...")

Targeted Attacks
• Exp/1Table (incl. MS06-027)
  • Malformed Word documents
  • Drop various backdoor & PWS Trojans
• Exp/MS06-048
  • Malformed PowerPoint presentations
  • CVE-2006-3590
  • Drop Troj/Bifrose backdoor
• Eastern origin, politically themed

Games
• MMORPGs: massively multiplayer online role-playing games
• Financial scope
  • Young demographic
  • Real value
• Phishing (since ~2002)
• Trojans (since ~2003)
  • W32/PrsKey-A (Oct 2005): "Priston's Tale" keylogger, Yahoo! email (Lineage: >4m subscribers)
  • W32/Looked (2005-6): "Lineage" & "WoW"; prepender, PWS, keylogger

Games
• Mechanism?
  • Steal login credentials
  • Transfer items/goods within the game
  • Sell for real cash
  • Banned by game manufacturers
(screenshot: characters for sale, e.g. Priest $355+, Cleric $200+)

Games
• Denial of Service: Second Life, 'Grey Goo'
• Next step?
  • Spyware (EULA)
  • API advancements

SophosLabs
Who are SophosLabs?

Who are SophosLabs?
• A global group within Sophos engineering
• 53 people
• In 4 countries
(map: global labs)

What do SophosLabs do?

What do SophosLabs do?
• Protect Sophos customers 24/7

What do SophosLabs do?
(diagram: Updates, Viruses, Alerts, Spam, Information)

Updates
• Anti-virus updates
  • 4-6 per day
  • Protect against viruses, worms, Trojans and spyware

Updates
• Anti-spam updates
  • Every 5 minutes
  • Protect against spam, phishing and stock scams

Alerts
• Virus alerts
  • Free
  • Notification of new threats
• Zombie alerts
  • Notify customers of spam zombies on their networks
• Phishing alerts
  • Notify customers of phishing attacks against their customers

Information
• Virus descriptions
• Statistics
  • Top 10 malware
  • "The Dirty Dozen": top spamming countries
• Background information for marketing and journalists
• Education, research and whitepapers

Inside SophosLabs

Analysis Process
1. Interception (spam, PUA, malware, phishing)
2. Analysis (SophosLabs: classification, detection, removal)
3. Testing
4. Publication (customer update)

E.g. New Trojan seeding campaign
(diagram: variants A, B, C arriving over time)
• 1st variant received and analysed; IDE released
• 2nd variant received and analysed; IDE released
• Trend spotted; generic (Gen/Fam) IDE released
• 3rd variant proactively detected

E.g. Research into Threats
(diagram: related samples A to L grouped and covered by one IDE)
• Research: analyse a specific family, group or class of malware
• Solution: release generic detection; implement new product feature/functionality
• Proactive protection: new malware using the same techniques is proactively blocked

New Technologies
• 2004 - Genotype technology
  • Looking for genes in files
• 2006 - Potentially Unwanted Applications
  • Recognising the 'greyness' of today's world
  • Giving users the choice
• 2006 - Behavioural Genotypes
  • Looking for smaller genes
  • Packing characteristics
  • Access characteristics
  • Compiler characteristics

Looking forward

0wn3d
• Steal & compromise
  • More of the same
  • Explore new avenues to steal/phish
  • Legally harvest data!
• Volumes will increase
• "...records 'anonymous' information about the user's surfing habits and IP address etc.
  and sends it back to the ad companies so that they can customize ads according to your preferences."

Genotype™ technology
• 1 signature per threat ✗
• Extract "characteristics"
  • Performance
  • General: resources, HLL, PE structure, DLL/PE etc.
  • Specific: encryption loop, API(s), embedded objects ...
• Correlate
  • Significant improvements in Gen detection
• Behavioural Genotype™
  • Suspicious behaviours

Genotype™ detections
(chart: detection counts per identity, 0 to 5,500)
• Genotype detections (yellow = increase)
• Behavioural: control, through the gateway and on endpoints
• Identities shown: App/RAS-A, Troj/Patch-F, App/3721-Gen, Pack/Execrypt-B, App/MyWebS-A, App/Buttonz-A, App/BetInet-Gen, App/SpySher-Ins, Troj/ZlobDrop-X, App/Chivio-Gen, Guru/Chivio-Gen, Guru/YodaPro3-A, App/Microfl-Gen, App/NewDotNet-A, Troj/Dloader-KH, App/CDVoy-Gen, Troj/Agent-DJV, App/MyWebS-Gen, App/WhenU-Dlr, Troj/ByteVeri-N, Troj/Ifradv-A, Troj/Psyme-DL, App/SmartB-A, App/UClean-Dlr, App/180Sol-Ins, Troj/Animoo-E, App/NWDial-Gen, Guru/Behav-1018, Troj/Busky-Gen, Guru/Behav-1001, Troj/Dialer-DM, Guru/Behav-1017, Pack/NSPack3-A, Exp/WMF-A, App/Softom-Gen, Troj/Tibspk-Gen, App/Dealio-Ins, Guru/ComPack, Mal/Packer

Microsoft Vista
• User Account Control
  • Enforce standard user mode
  • Elevate when required
  • Intrusive?
• Installer Detection
  • Filename includes keywords like "install", "setup", "update", etc.
  • Keywords in the resources
  • Keywords in the side-by-side manifest embedded in the executable
  • Keywords in specific StringTable entries linked in the executable
  • Targeted sequences of bytes within the executable
• Firewall
  • Outbound filtering

Microsoft Vista
• PatchGuard
  • Lock down the kernel
  • "... patching kernel structures and code to manipulate kernel functionality ..."
  • Lock out some vendors!
  • Already supported on x64 (Server 2003 SP1, XP 64-bit)
• Misc
  • IE7
  • Security Centre (improved monitoring, updates)
  • Address Space Layout Randomization (ASLR)
  • Application isolation
  • USB device blocking
  • Windows Defender

Summary

Summary
• Threat/Variant → Campaigns
  • Professional, coordinated, persistent
  • Huge volumes
  • Balance protection, analysis & research
• Financial motivation
  • Widens scope
• Aggressive response
  • Genotype™, Behavioural Genotype™
  • Control

Questions

Thank you
www.sophos.com
US and Canada: 1-866-866-2802, NASales@sophos.com
UK and Worldwide: +44 1235 55 9933, Sales@sophos.com