Intro to COBIT Part 1 Threat Landscape Presented by George Grachis CISSP Current Trends UCLA Database Hacked Hacker attack at UCLA affects 800,000 people POSTED: 2:50 p.m. EST, December 12, 2006 UCLA says hacker invaded database for more than a year • Info exposed on about 800,000 students, faculty, staff • Data included Social Security numbers, birth dates, addresses • UCLA: No evidence any data have been misused Malware Defined What is malicious code? As the name implies, it is software that is designed and developed with malicious intent. This includes gaining unauthorized access, network vandalism, theft of data or services, and destruction of software, data, or systems. We classify malicious code as : Trojan Horses Worms Viruses Trojan Horses A trojan horse is a generic term used to describe a computer program containing an apparent or actual useful function that also contains additional (hidden) functions that allows unauthorized collection, falsification, or destruction of data Viruses A virus is a program that "infects" other programs by modifying them to include a copy of itself. A virus must have two functional elements: A search routine to locate new files or areas to infect and A copy routine so it can replicate itself into the file or area located by the search routine This is what distinguishes a virus from other forms of malicious code. Worms Worms are similar to viruses, but replicate in their entirety, creating exact copies of themselves, without needing a "carrier" program. Worms are normally found on computer networks and multi-user computers, and use inter-computer or inter-user communications (E-mail) as the transmission medium. How does malicious code initially get in to a computer? Malicious code can invade a system through any of the normal means we use to communicate, transfer, or share software and data. This includes: Diskettes, tapes, CD-ROM, and any other portable media Infections also occur from the use of new diskettes, new (shrink wrapped) software, and new computer systems. Communications systems and services The primary means of infection today is by receiving infected files via e-mail as attachments Propagation via e-mail Built-in SMTP engines in malicious code allows the infected system to send infected email without the owner’s knowledge Search files with extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, wab and / or others for e-mail addresses to send infected e-mail. Subject and Body are designed to entice a person to open and read the e-mail and attachment. How does malicious code spread? Sharing software through the use of media and transferring files across networks (to include the Internet), are the most common form of spreading malicious code. A virus or worm on a infected system will also propagate through network shares by dropping copies of itself to or infecting shared folders. Infections also occur from the use of new diskettes, new (shrink wrapped) software, and new computer systems How is malicious code activated? Malicious code are only activated if it is executed. In the case of .COM, .EXE, .SYS, infected files it is easy to see how they are executed. Boot Sectors and master boot records are “executed” when the computer attempts to boot from a floppy diskette or hard drive. .DOC, .XLS, and other MS Office files files aren’t “executed” in a strict sense. The macros that are a part of the file ARE executed, this is where the virus resides. Design flaws in application software can cause them to automatically execute e-mail attachments. How can malicious code impact a system? Retrieve cached passwords / data files (e.g. theft of sensitive / privacy related information) Download and execute a file (typically to install a backdoor) Keystroke logging (e.g. theft of sensitive / privacy related information) Delete files / format hard drive Copy files (usually copies of itself for reactivation) Write to files (e.g. data corruption) / registry (e.g. control the infected system) Terminate processes (typically antiviral and firewall software) Open port(s) on the victim's computer, connect to a backdoor web server and achieve a level of control over the infected computer What are the symptoms and indications of an infection? What do you look for? Note abnormal or unexpected activity such as: Displays, music, or other sounds Slowdown in processing speed Unusual disk activity Strange error messages Unexpected or unexplained changes in file sizes Loss of programs or data These symptoms don't necessarily mean you are infected, only that you MIGHT be infected Organized Crime Malicious code authors have formed groups and associations to facilitate the proliferation and development of their wares. Groups have appeared in most countries around the world, some of them even have an international constituency. The following slide will give you some idea as to some of the malicious code authoring groups that are or have been in existence Malicious Code Authoring Groups 29A (Spain) Australian Institute of Hackers (Australia) Alliance (International) A New Order of Intelligence (Sweden) Corea Virus Club (Korea) Digital Anarchy (Argentina) Diabolical Kreations (Paraguay) Death Virii Crew (Russia) No Mercy (Indonesia) Phalcon-Skism (USA/Canada) TridenT (Netherlands) Taiwan Power Virus Organization (Taiwan) Youths Against McAfee (USA) and dozens more... Newsletters & e-Zines 29A 40 Hex Anaconda ARCV Newsletter AVCR Journal Censor Chaos AD Chiba City Times CPI Newsletter Crypt Newsletter Evolution God@rky's V.H.N. Immortal EAS Virus Magazine Infected Moscow Infected Voice Infectious Disease Magazine Insane Reality Magazine Minotauro Magazine Nemesis Source Of Kaos and many more... Malicious code authors and groups have also prepared and developed tutorials covering virtually all aspects of malicious code development. The tutorials are also freely available on the Internet. The following slide shows just a sampling of some of the tutorials available. Tutorials The Virus Writer's Handbook (Terminator Z) Virus Infection Tutorial 0.3 (Pocket) Batch Viruses by Wavefunc Macro Virus Tutorial (Dark Night) Mutation Engines (JHB) Guide to improving Polymorphic Engines (Rogue Warrior) Argument for slow infection and slow polymorphism (Rogue Warrior) Infection on Compression (MGL/SVL) The SFT stealth tutorial (MGL/SVL) Self Checking Executable Files (Demogorgon) Upper Memory Residency (IntrusO) Interleaved Encryption Technique (Stomach Contents) and many, many more... Malware Applications Why are there so many viruses, trojan horses, and worms? The availability of source code is also a main factor in proliferation. Many malicious code authors make their source code freely available through the Internet and electronic chat rooms. Bots The word bot is an abbreviation of the word robot. Robots are frequently used in the Internet world. Spiders used by search engines to map websites and software responding to requests on IRC (such as eggdrop) are robots IRC and BOTS IRC stands for Internet Relay Chat. It is a protocol designed for real time chat communication (reference to RFC 1459, update RFC 2810, 2811, 2812, 2813), based on client-server architecture. Most IRC servers allow free access for everyone. Bots An IRC server connects to other IRC servers within the same network. IRC users can communicate both in public on channels or in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator. An operator has more priviledges than a regular user. Bots IRC bots are treated no different than regular users (or operators). Control over these bots is usually based on sending commands to a channel setup by the attacker, infested with bots. An important feature of such bots is the fact that they are able to spread rapidly to other computers Many zombie (bot infected computers) networks have been controlled with the use of proprietary tools, developed intentionally by crackers themselves. IRC is considered the best way to launch attacks, because it’s flexible, easy to use and public servers are readily available. IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner.. Sniffing & Key logging Bots can also be effectively used to enhance the art of sniffing. Observing traffic data can lead to detection of an incredible amount of information. This includes user habits, TCP packet payload which could contain interesting information (such as passwords). The same applies to key logging – capturing all the information typed in by the user (e– mails, passwords, home banking data, PayPal account info etc.). Identity Theft The above mentioned methods allow an attacker controlling a bot-net to collect an incredible amount of personal information. Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations (including other attacks) shifting the blame to someone else. Hosting of Illegal Software Last, but not least, bot compromised computers can be used as a dynamic repository of illegal material (pirated software, pornography, etc.). The data is stored on the disk of an unaware home or business Broadband user. Hours could be spent talking about the possible applications of bot-nets (for example pay per click abuse, phishing, hijacking HTTP/HTTPS connections etc.). Bots alone are only tools, which can easily be adapted to every task which requires a great number of hosts under single control. Different Types of Bots Many types of ready–made bots are available for download from the Internet. Each of them has its own special features. Let's have a look at the most popular bot outlining common features and distinctive elements. Agobot Agobot is probably one of the most popular bots used by crackers. What is interesting about Agobot is its source code. Highly modular, it makes it simple to add new functions. Agobot provides many mechanisms to hide its presence on the host computer. They include: NTFS Alternate Data Stream, Antivirus Killer and the Polymorphic Encryptor Engine. Agobot offers traffic sniffing and sorting functionality. Protocols other than IRC can also be used to control this bot. Hacker Tools How easy is it to create a virus using an automated creation tool? An 8 year-old can do it! It’s as simple as making a few selections on the menu-driven creation tool. The following slides will take you through the process of using a menu-driven, automated creation tool to create a unique, custom made macro virus. Software For 2007 ! Guide to Hacking 2007 (NEW) Hacker Training Suite (NEW) Digital Cable Hacking CD (NEW) Chat System Hacker '07 (NEW) The Master Hacker PRO (NEW) Hackers Tool Chest PRO(NEW) WiFi Wireless Hacking (NEW) Internet Spy PRO Password Stealers '07 CD(NEW) Smart Guide to Hacking(NEW) Serials & Reg Keys Expanded Special Edition Hackers(NEW) Virus & Trojans 2006 Internet Detective 2007 (NEW) Hardware For 2007 ! NEW Handheld Credit Card Reader SECTION: CREDIT & FINANCES Identity Fraud Book Portable Credit & Magnetic Card Reader/ Writer Windows Magnetic Strip Hacking Software The Ultimate Credit Card Hacking Bible Blank Magnetic Swipe Cards Credit Card Hacking Software CD Combo Why is malicious code successful? Lack of training and awareness Using out-of-date anti-virus products Absence of or inadequate security controls Ineffective use of existing security controls Bugs and loopholes in system software Unauthorized use of software Network misuse What’s Next Expect to see increased use of social networks that link users. These networks allow people with common personal or professional interests to find each other easily. The linking of users or networks also gives attackers a method to attack multiple users through one entity or through a web of the network. As the use of RSS (Really Simple Syndication) becomes more prevalent, today’s software may not handle attacks well. Frequent updates of RSS, along with the embedding of downloads and encoding through a variety of XML formats, can lead to undetected infections. As more applications become embedded within browsers (for example, a spreadsheet program that can be loaded within the browser), the web will become more of an application platform, leading to more opportunities for security vulnerabilities and problems. The use of “underground” business tools will also increase. We will see the types and availability of certain types of toolkits – such as those for vulnerability testing – getting better, which bodes well for both researcher and criminal. For example, new technology – fuzzers – can automatically run a series of tests (millions of tests) against an application, searching for errors in the code. The blackhat and whitehat markets for zero-day threats will increase, and the number of entities offering “rewards” to researchers who find and report vulnerabilities will likewise also increase. We will also see increased organization, sharing, trading, and commerce in the underground with regards to zero-day exploit code. Black Market $980.00-$4900 Trojan Program to steal online account information. $490.00 Credit Card with PIN $78.00-$294 Billing data w SSN, Address. $147.00 Drivers License $147.00 Birth Certificate $98.00 Social Security Card $6 Paypal Account w Logon & password We will see more and more privacy issues connected to storage of personal, private, and confidential business data on the internet. As more and more people use the internet, more goods and services transactions will take place over the web Signing up for services, buying goods from web-based businesses, for example. As this happens, the danger of leaking data increases. For example, many companies offer 2GB of free personal storage space. End of Part 1