Presentation 1

Intro to COBIT
Part 1 Threat Landscape
Presented by George Grachis
CISSP
Current Trends
UCLA Database Hacked
Hacker attack at UCLA affects 800,000 people
POSTED: 2:50 p.m. EST, December 12, 2006
UCLA says hacker invaded database for more than a year
• Info exposed on about 800,000 students, faculty, staff
• Data included Social Security numbers, birth dates, addresses
• UCLA: No evidence any data have been misused
Malware Defined
What is malicious code?
As the name implies, it is software that is
designed and developed with malicious
intent. This includes gaining unauthorized
access, network vandalism, theft of data or
services, and destruction of software, data, or
systems. We classify malicious code as:
Trojan Horses
Worms
Viruses
Trojan Horses
A trojan horse is a generic term for a computer program that contains an apparent or actual useful function together with additional (hidden) functions that allow unauthorized collection, falsification, or destruction of data. Unlike a virus or worm, a trojan does not replicate itself; it relies on the user (or a dropper) to install and run it.
Viruses
A virus is a program that "infects" other
programs by modifying them to include a
copy of itself.
A virus must have two functional elements:
A search routine to locate new files or areas to infect, and
A copy routine so it can replicate itself into the file or area located by the search routine.
This self-replication into a host program is what distinguishes a virus from other forms of malicious code.
Worms
Worms are similar to viruses, but replicate in their entirety, creating exact copies of themselves without needing a "carrier" program. Worms are normally found on computer networks and multi-user computers, and use inter-computer or inter-user communications (e-mail, file shares, or vulnerable network services) as the transmission medium.
How does malicious code initially get into a computer?
Malicious code can invade a system through any of the normal means we use to communicate, transfer, or share software and data.
This includes: diskettes, tapes, CD-ROM, and any other portable media.
Infections also occur from the use of new diskettes, new (shrink wrapped) software, and new computer systems.
Communications systems and services.
The primary means of infection today is by receiving infected files via e-mail as attachments.
Propagation via e-mail
Built-in SMTP engines in malicious code allow the infected system to send infected e-mail directly, without using (or alerting) the owner's mail client.
The malware searches files with extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, wab and/or others for e-mail addresses to which it sends infected e-mail.
Subject and body are designed to entice a person to open and read the e-mail and the attachment.
How does malicious code spread?
Sharing software through the use of media and transferring files across networks (including the Internet) are the most common forms of spreading malicious code.
A virus or worm on an infected system will also propagate through network shares by dropping copies of itself into, or infecting files in, shared folders.
How is malicious code activated?
Malicious code is only activated when it is executed.
In the case of .COM, .EXE and .SYS infected files it is easy to see how they are executed.
Boot sectors and master boot records are "executed" when the computer attempts to boot from a floppy diskette or hard drive.
.DOC, .XLS, and other MS Office files aren't "executed" in a strict sense. The macros that are part of the file ARE executed; this is where the virus resides.
Design flaws in application software can cause them to automatically execute e-mail attachments.
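Because Office macros are the executable part of an otherwise passive document, the practical check is to look inside the container for macro code rather than trusting the extension. The following is an added example (it is not from the deck and not any vendor's tool) that classifies a document by content: for the OOXML ZIP format it looks for the `vbaProject.bin` part or a `macroEnabled` content type, and for the legacy binary .DOC/.XLS format it only recognises the OLE2 container magic and flags the file for deeper inspection. The sample documents are constructed in memory and are not real malware.

```python
"""Classify an Office document by whether it can carry VBA macro code.

Added example, not from the original slides.  Two container formats:
  * OOXML (.docm, .xlsm, and renamed .docx/.xlsx): a ZIP archive whose VBA
    project is stored as a part named vbaProject.bin.
  * Legacy binary (.doc, .xls): an OLE2 compound file.  Only the container
    magic is detected here; walking its VBA storage is left to a dedicated
    parser (olevba does it).
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-file header
ZIP_MAGIC = b"PK\x03\x04"                          # local file header


def classify(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-binary' or 'unknown'.

    The decision is made on content only; the file name is never consulted,
    so a macro-bearing file renamed to .docx is still reported.
    """
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Any part ending in vbaProject.bin (word/, xl/, ppt/) is VBA.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # The content-types manifest also names macro-enabled parts.
            if "[Content_Types].xml" in names:
                if b"macroEnabled" in zf.read("[Content_Types].xml"):
                    return "ooxml-macro"
        return "ooxml-clean"
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"   # legacy .doc/.xls: needs VBA storage parsing
    return "unknown"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container (hypothetical sample, not a real doc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro doc", build_ooxml(True)),
                          ("plain doc", build_ooxml(False)),
                          ("legacy doc", OLE2_MAGIC + b"\x00" * 504)):
        print(label, "->", classify(sample))
```

Treat `ole2-binary` as "inspect further", not "clean": the legacy format stores macros inside an internal `Macros`/`VBA` storage that this example does not walk.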
How can malicious code impact a
system?
Retrieve cached passwords / data files (e.g. theft of sensitive / privacy related information)
Download and execute a file (typically to install a backdoor)
Keystroke logging (e.g. theft of sensitive / privacy related information)
Delete files / format hard drive
Copy files (usually copies of itself for reactivation)
Write to files (e.g. data corruption) / registry (e.g. to persist on and control the infected system)
Terminate processes (typically antivirus and firewall software)
Open port(s) on the victim's computer, or connect out to an attacker-controlled server, and achieve a level of control over the infected computer
What are the symptoms and
indications of an infection?
What do you look for?
Note abnormal or unexpected activity such as:
Displays, music, or other sounds
Slowdown in processing speed
Unusual disk activity
Strange error messages
Unexpected or unexplained changes in file sizes
Loss of programs or data
These symptoms don't necessarily mean you are infected, only that you MIGHT be infected.
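"Unexplained changes in file sizes" is the one symptom on that list that can be measured rather than noticed. The following added example (not from the deck, not a product) turns it into a file-integrity check: `snapshot()` records size and SHA-256 for every file under a directory, and `compare()` reports what was added, removed or modified since the baseline. The `demo()` scenario constructs a temporary directory and simulates a file infector appending itself to an executable; the names and sizes are invented for illustration.

```python
"""File-integrity baseline: detect files that grew, vanished or appeared.

Added example, not from the original slides.  A file-infecting virus that
appends itself to a host program shows up as 'modified' with a positive
size delta even if it restores the timestamp, because the hash changes.
"""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path -> (size, sha256 hex) for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = (os.path.getsize(full), digest.hexdigest())
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'modified' maps path -> size delta in bytes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        if baseline[path][1] != current[path][1]:
            modified[path] = current[path][0] - baseline[path][0]
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: one file 'infected', one deleted, one dropped."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.exe", b"MZ" + b"\x90" * 100),
                           ("notes.txt", b"meeting at 10"),
                           ("data.dat", b"\x00" * 50)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        # Simulate a file infector: append a 64-byte tail to app.exe.
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b"V" * 64)
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "dropper.tmp"), "wb") as fh:
            fh.write(b"x")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored where the monitored system cannot rewrite it (read-only media or a separate host); malware with administrative access can otherwise simply re-baseline itself.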
Organized Crime
Malicious code authors have formed groups and associations to facilitate the proliferation and development of their wares.
Groups have appeared in most countries around the world; some of them even have an international constituency.
The following slide will give you some idea as to some of the malicious code authoring groups that are or have been in existence.
Malicious Code Authoring Groups
29A (Spain)
Australian Institute of Hackers (Australia)
Alliance (International)
A New Order of Intelligence (Sweden)
Corea Virus Club (Korea)
Digital Anarchy (Argentina)
Diabolical Kreations (Paraguay)
Death Virii Crew (Russia)
No Mercy (Indonesia)
Phalcon-Skism (USA/Canada)
TridenT (Netherlands)
Taiwan Power Virus Organization (Taiwan)
Youths Against McAfee (USA)
and dozens more...
Newsletters & e-Zines
29A
40 Hex
Anaconda
ARCV Newsletter
AVCR Journal
Censor
Chaos AD
Chiba City Times
CPI Newsletter
Crypt Newsletter
Evolution
God@rky's V.H.N.
Immortal EAS Virus Magazine
Infected Moscow
Infected Voice
Infectious Disease Magazine
Insane Reality Magazine
Minotauro Magazine
Nemesis
Source Of Kaos
and many more...
Malicious code authors and groups have also prepared and developed tutorials covering virtually all aspects of malicious code development.
The tutorials are also freely available on the Internet. The following slide shows just a sampling of some of the tutorials available.
Tutorials
The Virus Writer's Handbook (Terminator Z)
Virus Infection Tutorial 0.3 (Pocket)
Batch Viruses by Wavefunc
Macro Virus Tutorial (Dark Night)
Mutation Engines (JHB)
Guide to improving Polymorphic Engines (Rogue Warrior)
Argument for slow infection and slow polymorphism (Rogue Warrior)
Infection on Compression (MGL/SVL)
The SFT stealth tutorial (MGL/SVL)
Self Checking Executable Files (Demogorgon)
Upper Memory Residency (IntrusO)
Interleaved Encryption Technique (Stomach Contents)
and many, many more...
Malware Applications
Why are there so many viruses,
trojan horses, and worms?
The availability of source code is also a
main factor in proliferation.
Many malicious code authors make their
source code freely available through the
Internet and electronic chat rooms.
Bots
The word bot is an abbreviation of the word robot. Robots are frequently used in the Internet world.
Spiders used by search engines to map websites, and software responding to requests on IRC (such as eggdrop), are robots.
IRC and BOTS
IRC stands for Internet Relay Chat. It is a protocol designed for real-time chat communication (RFC 1459, updated by RFCs 2810, 2811, 2812 and 2813), based on a client-server architecture.
Most IRC servers allow free access for everyone.
Bots
An IRC server connects to other IRC servers within the same network.
IRC users can communicate both in public on channels or in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator.
An operator has more privileges than a regular user.
Bots
IRC bots are treated no differently than regular users (or operators).
Control over these bots is usually based on sending commands to a channel set up by the attacker and populated with bots.
An important feature of such bots is the fact that they are able to spread rapidly to other computers.
Many zombie (bot-infected computer) networks have been controlled with the use of proprietary tools, developed intentionally by crackers themselves.
IRC is considered the best way to launch attacks, because it's flexible, easy to use, and public servers are readily available.
IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner.
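The control model just described (the attacker posts a command to a channel and every bot in it reacts) is also what makes IRC-based botnets visible on the wire. The following added example (not part of the deck, not the code of any real bot or product) parses IRC lines using the RFC 1459 framing and applies two heuristics that are assumptions for illustration: a PRIVMSG to a channel whose text is a dotted command word with a `.` or `!` prefix, in the style of Agobot-family command sets, and a burst of distinct nicks joining the same channel. The sample lines are constructed, not captured traffic, and the heuristics will produce false positives on channels that run legitimate eggdrop-style bots.

```python
"""Parse IRC protocol lines and flag traffic that looks like bot C&C.

Added example, not from the original slides.  Framing follows RFC 1459:
    [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing]
The detection rules are simplified assumptions, not a vendor signature.
"""
import re
from collections import defaultdict

# Dotted command verb with a bot prefix, e.g. ".bot.dns", "!ddos.syn".
# Single words such as "!help" are deliberately not matched.
BOT_CMD = re.compile(r"^[.!][a-z]+(?:\.[a-z]+)+(?:\s|$)")


def parse(line: str) -> dict:
    """Split an IRC line into prefix, command, params and trailing text."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC message")
    return {"prefix": prefix, "command": parts[0].upper(),
            "params": parts[1:], "trailing": trailing}


def nick_of(prefix):
    """'nick!user@host' -> 'nick'; server prefixes have no '!'."""
    return prefix.split("!", 1)[0] if prefix else None


def analyse(lines, join_burst: int = 3) -> list:
    """Return findings as tuples: ('bot-command', nick, chan, text) or
    ('join-burst', chan, distinct_nick_count)."""
    findings = []
    joins = defaultdict(set)          # channel -> nicks that joined it
    for raw in lines:
        msg = parse(raw)
        nick = nick_of(msg["prefix"])
        if msg["command"] == "JOIN":
            # Channel may be a parameter ("JOIN #c") or trailing ("JOIN :#c").
            chan = msg["params"][0] if msg["params"] else msg["trailing"]
            joins[chan].add(nick)
        elif msg["command"] == "PRIVMSG" and msg["params"]:
            target = msg["params"][0]
            text = msg["trailing"] or ""
            if target.startswith("#") and BOT_CMD.match(text):
                findings.append(("bot-command", nick, target, text))
    for chan, nicks in joins.items():
        if len(nicks) >= join_burst:
            findings.append(("join-burst", chan, len(nicks)))
    return findings


# Constructed sample session (hypothetical hosts and commands).
SAMPLE = [
    ":zz3k1!x@192.0.2.10 JOIN :#updates",
    ":q9pl0!x@192.0.2.11 JOIN :#updates",
    ":m4rz2!x@192.0.2.12 JOIN :#updates",
    ":alice!a@host.example PRIVMSG #general :hello everyone",
    ":bob!b@host.example PRIVMSG #general :!help",
    ":master!m@c2.example PRIVMSG #updates :.bot.dns c2.example",
    ":master!m@c2.example PRIVMSG #updates :.ddos.syn 203.0.113.5 80 60",
    ":bob!b@host.example PRIVMSG alice :ping",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

On a real network the same parser can be fed from a proxy log or a packet capture of port 6667 traffic; the point is that the command channel is plaintext and shared by every bot, so one sensor sees the whole herd.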
Sniffing & Key logging
Bots can also be effectively used to enhance the art of sniffing.
Observing traffic data can lead to detection of an incredible amount of information. This includes user habits and TCP packet payloads which could contain interesting information (such as passwords).
The same applies to key logging: capturing all the information typed in by the user (e-mails, passwords, home banking data, PayPal account info etc.).
Identity Theft
The above mentioned methods allow an attacker controlling a bot-net to collect an incredible amount of personal information.
Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations (including other attacks), shifting the blame to someone else.
Hosting of Illegal Software
Last, but not least, bot-compromised computers can be used as a dynamic repository of illegal material (pirated software, pornography, etc.). The data is stored on the disk of an unaware home or business broadband user.
Hours could be spent talking about the possible applications of bot-nets (for example pay-per-click abuse, phishing, hijacking HTTP/HTTPS connections etc.). Bots alone are only tools, which can easily be adapted to every task which requires a great number of hosts under single control.
Different Types of Bots
Many types of ready-made bots are available for download from the Internet. Each of them has its own special features.
Let's have a look at the most popular bot, outlining common features and distinctive elements.
Agobot
Agobot is probably one of the most popular bots used by crackers.
What is interesting about Agobot is its source code. Highly modular, it makes it simple to add new functions.
Agobot provides many mechanisms to hide its presence on the host computer. They include: NTFS Alternate Data Streams (a file's hidden stream is not shown by Explorer or a plain dir listing), an antivirus killer that terminates security processes, and a polymorphic encryptor engine that changes the binary's appearance to defeat signature scanning.
Agobot offers traffic sniffing and sorting functionality.
Protocols other than IRC can also be used to control this bot.
Hacker Tools
How easy is it to create a virus using
an automated creation tool?
An 8 year-old can do it!
It’s as simple as making a few selections
on the menu-driven creation tool. The
following slides will take you through
the process of using a menu-driven,
automated creation tool to create a
unique, custom made macro virus.
Software For 2007 !
Guide to Hacking 2007 (NEW)
Hacker Training Suite (NEW)
Digital Cable Hacking CD (NEW)
Chat System Hacker '07 (NEW)
The Master Hacker PRO (NEW)
Hackers Tool Chest PRO(NEW)
WiFi Wireless Hacking (NEW)
Internet Spy PRO
Password Stealers '07 CD(NEW)
Smart Guide to Hacking(NEW)
Serials & Reg Keys Expanded
Special Edition Hackers(NEW)
Virus & Trojans 2006
Internet Detective 2007 (NEW)
Hardware For 2007 !
NEW Handheld Credit Card Reader
SECTION: CREDIT & FINANCES
Identity Fraud Book
Portable Credit & Magnetic Card Reader/ Writer
Windows Magnetic Strip Hacking Software
The Ultimate Credit Card Hacking Bible
Blank Magnetic Swipe Cards
Credit Card Hacking Software CD Combo
Why is malicious code successful?
Lack of training and awareness
Using out-of-date anti-virus products
Absence of or inadequate security controls
Ineffective use of existing security controls
Bugs and loopholes in system software
Unauthorized use of software
Network misuse
What’s Next
Expect to see increased use of social networks that link users. These networks allow people with common personal or professional interests to find each other easily.
The linking of users or networks also gives attackers a method to attack multiple users through one entity or through a web of the network.
As the use of RSS (Really Simple Syndication) becomes more prevalent, today's software may not handle attacks well.
Frequent updates of RSS, along with the embedding of downloads and encoding through a variety of XML formats, can lead to undetected infections.
As more applications become embedded within browsers (for example, a spreadsheet program that can be loaded within the browser), the web will become more of an application platform, leading to more opportunities for security vulnerabilities and problems.
The use of "underground" business tools will also increase. We will see the types and availability of certain types of toolkits, such as those for vulnerability testing, getting better, which bodes well for both researcher and criminal.
For example, fuzzers can automatically run a series of tests (millions of tests) against an application, feeding it malformed input and watching for crashes and other errors in the code.
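The fuzzing loop the slide describes is short enough to show in full. The following is an added example (not from the deck, not any real fuzzer) that mutates a seed input and records every case that makes the target raise something other than its documented validation error. The target is a deliberately buggy toy parser constructed here for a hypothetical record format `[len][payload][xor checksum]`; `parse_buggy()` trusts the length byte and fails with an IndexError on truncated input, while `parse_fixed()` validates lengths first and only ever raises ValueError.

```python
"""Minimal mutation fuzzer against a toy parser.

Added example, not from the original slides.  Record format (constructed
for this example):  [len: 1 byte][payload: len bytes][xor checksum: 1 byte]
The fuzzer treats ValueError as a clean rejection and anything else as a
bug; the buggy parser indexes past the buffer, the fixed one does not.
"""
import random


def xor_sum(data: bytes) -> int:
    total = 0
    for b in data:
        total ^= b
    return total


def parse_buggy(buf: bytes) -> bytes:
    """Trusts the length byte: IndexError when the buffer is truncated."""
    n = buf[0]
    payload = buf[1:1 + n]
    if buf[1 + n] != xor_sum(payload):        # bug: no bounds check
        raise ValueError("bad checksum")
    return payload


def parse_fixed(buf: bytes) -> bytes:
    """Same format, with the length validated before any indexing."""
    if len(buf) < 2:
        raise ValueError("too short")
    n = buf[0]
    if len(buf) != n + 2:
        raise ValueError("length mismatch")
    payload = buf[1:1 + n]
    if buf[1 + n] != xor_sum(payload):
        raise ValueError("bad checksum")
    return payload


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, delete a byte, or insert one."""
    b = bytearray(data)
    op = rng.choice(("flip", "delete", "insert"))
    if op == "flip" and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == "delete" and b:
        del b[rng.randrange(len(b))]
    else:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    return bytes(b)


def fuzz(target, seed_input: bytes, iterations: int, seed: int = 1) -> list:
    """Return [(exception_name, first_input_that_caused_it), ...]."""
    rng = random.Random(seed)          # fixed seed: runs are reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except ValueError:
            continue                   # expected: input rejected cleanly
        except Exception as exc:       # anything else is a parser bug
            crashes.setdefault(type(exc).__name__, case)
    return sorted(crashes.items())


def make_seed() -> bytes:
    """A valid record to start mutating from."""
    payload = b"ping"
    return bytes([len(payload)]) + payload + bytes([xor_sum(payload)])


if __name__ == "__main__":
    print("buggy:", fuzz(parse_buggy, make_seed(), 2000))
    print("fixed:", fuzz(parse_fixed, make_seed(), 2000))
```

Real fuzzers differ in scale and in how they pick mutations (coverage feedback, grammars, corpus minimisation), but the contract is the same: distinguish an input the program rejects on purpose from one that reaches a code path the author never tested.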
The blackhat and whitehat markets for zero-day threats will increase, and the number of entities offering "rewards" to researchers who find and report vulnerabilities will likewise also increase.
We will also see increased organization, sharing, trading, and commerce in the underground with regards to zero-day exploit code.
Black Market
$980.00-$4900 Trojan program to steal online account information
$490.00 Credit card with PIN
$78.00-$294 Billing data with SSN, address
$147.00 Driver's license
$147.00 Birth certificate
$98.00 Social Security card
$6 PayPal account with logon & password
We will see more and more privacy issues connected to storage of personal, private, and confidential business data on the Internet.
As more and more people use the Internet, more goods and services transactions will take place over the web: signing up for services, buying goods from web-based businesses, for example.
As this happens, the danger of leaking data increases. For example, many companies offer 2GB of free personal storage space.
End of Part 1