CSIS 3756 Security Design
description
Transcript of CSIS 3756 Security Design
CSIS 3756Security Design
Mr. Mark Welton
What we are going to look at The five game changing viruses Security best practices that deal with the problems
Nimda Bagel and Netsky Storm Slammer Stuxnet
My Top 5 Game Changing Viruses
“self replicating virus that does not alter files but resides in active memory and duplicates
itself and sometimes drains system resources” Released on September 18, 2001 5 main forms of infection
◦ email◦ Open network shares◦ Via browsing of compromised web sites◦ Exploitation of various Microsoft IIS 4.0/5.0 directory
traversal vulnerabilities◦ Back doors left behind by the “Code Red II” and
“sadmind/IIS” worms
Nimda Worm
On IIS used two vulnerabilities◦ Extended Unicode Directory Traversal Vulnerability◦ Escaped Character Decoding Command Execution
Vulnerability Once infected the IIS server would then scan for
other hosts with the same two vulnerabilities It would also use TFTP to transfer files from one
infected host to the new host◦ Files included an admin.dll file and many copies of .eml
and .nws files in multiple location of the server
Infection of vulnerabilities
Would email a message with a random subject and attach a file named readme.exe
Opening the attachment infected the machine Could use the preview pane in older versions
Microsoft Outlook and Outlook Express to execute the file without the user clicking on the attachment
Would then email out an infected email to all email addresses in the user’s address book
It would sent the email out every 10 days to the user’s address book
It would look through an infected web server for .htm, .html, or .asp files
Nimda would add a java script to each of these files pointing to a readme.eml file on the server
An Automatic Execution of Embedded MIME Types Vulnerability in IE would execute the file
From the infected web server…
Once a host machine was infected it scanned the local network to find shared folders
Once the network share was found the worm would look for .doc .eml or .exe files that could be written
It would attach a file called riched20.dll if the file did not exist in the directory
When the user ran one of the infected files it would download and execute the worm infecting the machine
It would also create a guest account with administrator privileges and create open shares on the infected system
It would then send the account and password for this account to the attackers
Network Shares
Would replace mmc.exe on a server Would infect all executable files on both
local and network drives replicating the .eml and .nws files along with the riched20.dll
The worm would act as a remote thread to Explorer.exe
Would change the registry key to open network shares for all drives (C$->Z$)
Some other interesting things…
Filter attached files with extensions like .exe .com .dll
Educate users not to open attachments they did not expect
Harden and patch web servers Patch and/or upgrade desktop software Firewall unused ports Use IPS to detect and stop unneeded
communication
Security Countermeasures
First strain sighted on January 18, 2004 Second strain sighted February 17, 2004 Mass-mailing worm (would not email to
@hotmail.com @msn.com @microsoft or @avp)
Would open backdoors TCP ports 6777 and 8866
Second strain had its own SMTP engine to mass-mail itself
Created a botnet used to send spam
Bagle Worm
In December 29, 2009 the botnet was responsible for 10.30% of the worldwide spam volume, surging to 14% on New Year’s Day
As of April 2010 botnet estimated sending roughly 5.7 billion spam messages a day
Some stats…
Similar to Bagle worm Written by an 18 year old from Germany Insults authors of Bagle in code One strain targeted Bagle and MyDoom
infected machines infect the machine, remove Bagle and MyDoom and patch the vulnerability they used
“Botnet Wars”
Netsky
Filter attached files with extensions like .exe .com .dll .vbs
Educate users not to open attachments they did not expect
Harden and patch web servers Patch and/or upgrade desktop software Firewall unused ports Use IPS to detect and stop unneeded
communication
Security Countermeasures
First detected in January 2007 Worm spread through e-mail spam Email would link to an infection-hosting web site Used social engineering in emails to get users to
click on link By September 2007 it was estimated that as
many as 1 million compromised systems made up the Storm Botnet
Used known Microsoft vulnerability to infect the machine
Storm
Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour, for new transmissions, making it difficult for anti-virus vendors to stop the virus and infection spread
Additionally, the location of the remote servers which control the botnet are hidden behind a constantly changing DNS technique called ‘fast flux’, making it difficult to find and stop virus hosting sites and mail servers
So why didn’t antivirus stop it…
Command and Control of the botnet used peer-to-peer techniques make no central command and control point that can be shutdown
Botnet also encrypted traffic Has more computing power then the top
500 supercomputers combined It is estimated it is only using 10% to 20%
of the total capacity of the botnet
So why not just stop the CC…
Launched a series of EXE file in stages creating the following services in the botnet◦ Backdoor/downloader◦ SMTP relay◦ E-mail address stealer◦ E-mail virus spreader◦ DDoS attack tool◦ updated copy of Storm worm dropper
Would use fast flux DNS to hide the bot in the network
Also kernel rootkit the machine and used modified eDonkey comminications
What bot would do
Educate users not to open links they did not expect
Patch and/or upgrade desktop software Firewall unused ports Use IPS to detect and stop unneeded
communication
Security Countermeasures
Started on January 25, 2003 at 05:30 UTC Infected 75,000 machines in ten minutes Used buffer overflow in SQL server and
Microsoft Desktop Engine database products Patch was release six months earlier Was a single packet exploit Infection was in memory only Would scan for more hosts to infect
Slammer
Scans increased in seconds
Patch and/or upgrade desktop software Patch servers Firewall unused ports Use IPS to detect and stop unneeded
communication
Security Countermeasures
Stuxnet Worm
◦ Stuxnet – industrial sabotage -> Iranian uranium enrichment program
◦ Ghostnet – stole diplomatic communications -> embassies, Dhali Llama
◦ Aurora – stole source code and other intellectual property -> Google
◦ Night Dragon – industrial and commercial intelligence -> large oil companies
New Advances Persistent Threats
Targets Siemens S7/WinCC products, compromises S7 PLC's to sabotage physical process
Exploited Windows zero-day vulnerabilities Spreads via:
◦ USB/Removable Media◦ 3 Network Techniques◦ S7 Project Files◦ WinCC Database Connections
Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates
Installs cleanly on W2K through Win7/2008R2 Conventional OS rootkit, detects and avoids major anti-virus products Advanced reverse-engineering protections
“Most Sophisticated Worm Ever”
discovered until June 2010 Infection came for a USB flash drive Used 4 vulnerability 2 of which where day zero Used 7 different infection methods Existed at least a year before discovery
Stuxnet Worm
Initial infection of worm thought to be from an offsite contractor transferring a file
Or it may have been a Siemens engineer Or it may have been a flash drive handed
out at a conference …
Conspiracy Theory anyone…
Self-replicates through removable drives exploiting a vulnerability allowing auto-execution◦ Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability
Spreads in a LAN through a vulnerability in the Windows Print Spooler◦ Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability
Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
Copies and executes itself on remote computers through network shares Copies and executes itself on remote computers running a WinCC database server Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7
project is loaded Updates itself through a peer-to-peer mechanism within a LAN Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned
vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed
Contacts a command and control server that allows the hacker to download and execute code, including updated versions
Contains a Windows rootkit that hide its binaries Attempts to bypass security products Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to
potentially sabotage the system Hides modified code on PLCs, essentially a rootkit for PLCs
List of features
Infected Removable Media:1. Exploits vulnerability in Windows Shell handling of .lnk files (0-
day)2. Used older vulnerability in autorun.inf to propagate
Local Area Network Communications:3. Copies itself to accessible network shares,
including administrative shares4. Copies itself to printer servers (0-day)5. Uses “Conficker” vulnerability in RPC
Infected Siemens Project Files:6. Installs in WinCC SQL Server database
via known credentials7. Copies into STEP7 Project files
How Stuxnet Infects a System
http://www.youtube.com/watch?v=cf0jlzVCyOI