Graham Calladine, David Hoyle Security Center of Excellence Microsoft Session Code: SIA313.

Post on 23-Dec-2015


Attacking Windows Stack and How to Protect against These Attacks
Graham Calladine, David Hoyle
Security Center of Excellence, Microsoft
Session Code: SIA313

Session Objectives & Takeaways

To learn and understand:
Current attack trends that Microsoft is seeing
Attack vectors
Mitigation strategies with Windows products

10 Years…

We have come a long way since Melissa. 2003-2004 were difficult times.
Blaster/Slammer – was horrible – hit home users hard
Conficker emerged in a different s/w industry – did not hit home users hard
Partnerships: MS Response Alliance & Internet Consortium for Advanced Security on the Internet & CWG

WW Threat Trends

Not a simple trend – geographically diverse
Miscellaneous Trojans (including rogue s/w) most prevalent
Worms 2nd most prevalent
Password stealers & monitoring tools
Breaches – data scarce (datalossdb.org)
Top is stolen equipment, twice as many incidents as intrusion
But equipment loss is easily reported!

Data: Microsoft SIR v7 Report

Geographical Trends

8 locations with the most infected machines:
USA, UK, France, Italy – Trojans
China – language-specific browser threats
Brazil – malware targeting online banking
Spain, Korea – worms targeting online gamers

Data Source: SIR V7 Report Pg 40

Threat Landscape is getting better?

Improvement in software development practice
Software Development Lifecycle (SDL)
Geoff: 1-minute video

Increased Availability of Automatic Patch Update Process

Patch Tuesday and Auto Updates
However, an unpatched client is the primary initial infection vector

Social engineering techniques to mislead Victims

Attacker still finds success with a variety of techniques for manipulating people

SANS Analysis

“The Top Cyber Security Risks”, September 2009
Application vulnerabilities exceed OS vulnerabilities
Web application attacks: Cross Site Scripting, PHP File Include, and SQL Injection

Windows: Conficker/Downadup

Cited from SANS “The Top Cyber Security Risks”, September 2009, http://www.sans.org/top-cyber-security-risks/

Attackers use social engineering techniques – Human Emotion

Microsoft Security Intelligence Report, 2008 July through December 2008

Fear – I want: protection. I got: rogue software.
Desire – I want: web surfing, free stuff, games, etc. I got: fake content, malicious downloads, etc.
Trust – I want: online banking, e-mail, social networking, etc. I got: banking malware, phishing, spam, file format infections, etc.

Attack Vectors and Trends

Current attacks in the wild:
Rogue Security Software and Worms
Browser Based Attacks: Phishing, Cross Site Scripting, Clickjacking

File Format Attacks

Attack Vectors and Trends

Rogue Security Software and Worms
Browser Based Attacks
File Format Attack

Rogue/Unwanted Software: Most Significant Families

Rank  Family                      Category                       Infected Machines
1     Win32/Renos                 Trojan Downloaders & Droppers  4,371,508
2     Win32/Zlob                  Trojan Downloaders & Droppers  3,772,217
3     Win32/Vundo                 Miscellaneous Trojans          3,635,207
4     Win32/ZangoSearchAssistant  Adware                         3,326,275
5     Win32/Taterf                Worms                          1,916,446
6     Win32/ZangoShoppingreports  Adware                         1,752,252
7     Win32/FakeXPA               Miscellaneous Trojans          1,691,393
8     Win32/FakeSecSen            Miscellaneous Trojans          1,575,648
9     Win32/Hotbar                Adware                         1,477,886
10    Win32/Agent                 Miscellaneous Trojans          1,289,178

Highlighted on the slide: Win32/Renos and Win32/FakeXPA, the two rogue security software families discussed next.

Rogue Security Software 1

Use fear to convince victims
Win32/Renos family

Rogue Security Software 2

Use the same logic
Win32/FakeXPA family

Use your Desire

A Real Rogue Software Sample

There is no security issue or vulnerability in YouTube.com.

http://blogs.technet.com/mmpc/archive/2009/08/20/winwebsec-on-youtube.aspx

Worms: Win32/Conficker.A to E
Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE)

On October 23, 2008, Microsoft released critical security update MS08-067 for a vulnerability that could allow remote code execution if an affected system received a specially crafted Remote Procedure Call (RPC) request

On November 21, 2008, the first significant worm that exploits MS08-067 was discovered

The first variant discovered, Worm:Win32/Conficker.A, only uses MS08-067 exploits to propagate

On December 29, 2008, a significantly more dangerous variant, Win32/Conficker.B, was discovered

It exploits the MS08-067 vulnerability but uses additional methods to propagate. It attempts to spread itself to other computers on the network

Combining the vulnerability with social engineering to introduce and spread the worm in an organization

Continues…

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

Social engineering by e-mailing infected files with official-sounding names to people at a company, like “Corporate Policy.PDF”

Worms: Win32/Conficker.A to E

Release D monitors 500 of 50,000 domain names per day for payloads…

Still is. Conficker Working Group (CWG) formed January 2009:
Many people from well-known security groups/researchers
Implemented a defensive DNS strategy
Kaspersky & OpenDNS calculated one year of names
All 110 TLDs involved & signed up
Rapid, effective collaboration – keeps Conficker constrained

Published Articles for Conficker

Knowledge Base article KB962007

MMPC blog (http://blogs.technet.com/mmpc):
Get Protected, Now! (October 23, 2008)
A Quick Update About MS08-067 Exploits (November 17, 2008)
Just in Time for New Year’s… (December 31, 2008)
MSRT Released Today Addressing Conficker and Banload (January 13, 2009)
Centralized Information About the Conficker Worm (January 22, 2009)
Information about Worm:Win32/Conficker.D (March 27, 2009)

Mitigations
Get the latest computer updates
Install and update anti-malware signatures
Run an up-to-date scanning and removal tool
Use caution with attachments and file transfers
Use caution when clicking on links to web pages
Standard user rights
Protect yourself from social engineering attacks
User security best practices such as a strong password policy
Keep an eye on vulnerabilities and follow the guidelines from trusted sources
Use recent technologies and systems that can reduce the risk of exploitation

Attack Vectors and Trends

Rogue Security Software and worms

Browser Based Attacks
File Format Attack

Browser Based Attacks
Phishing
Cross Site Scripting
ClickJacking

Phishing: Overview

Phishing is a method of identity theft that tricks Internet users into revealing personal or financial information online.

Phishing Scam Samples

Social engineering techniques:
“Verify your account”
“If you don't respond within 48 hours, your account will be closed”
“Dear Valued Customer”
“Click the link below to gain access to your account”

Spear Phishing and Whaling

Spear phishing – highly targeted phishing. Sends e-mail messages that appear genuine to all employees and members within a community.

Whaling - involves targeted attacks on senior executives and other high ranking people

Phishing Trends in Industry

APWG: Anti Phishing Working Group Report, 2009 1H

http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

Phish Tank: Current Phish Sites

Live phish sites can be found at:

http://www.phishtank.com/

Phishing with Hotmail

Credentials illegally acquired by a phishing scheme and exposed on a website

Microsoft recommends:
Renew passwords for Windows Live IDs every 90 days
For administrators, make sure you approve and authenticate only users that you know and whose credentials you can verify
As phishing sites can also pose additional threats, install and keep anti-virus software up to date

Techniques

Man-in-the-middle attacks: proxies, DNS cache poisoning, etc.

URL obfuscation attacks: bad domain names, friendly login URLs, host name/URL obfuscation, etc.

Etc…

Anti-Phishing: IE 8 SmartScreen

demo

Mitigations

Use an up-to-date anti-malware product from a known, trusted source, and keep it updated.
Use the most recent version of your Web browser, and keep it up to date by applying security updates and service packs in a timely fashion.
Use a robust spam filter to guard against fraudulent and dangerous e-mail.
You can add sites you trust to the Trusted Sites zone; keep that zone's security level at Medium or higher.
Follow the guidance to take action:

http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx

Browser Based Attacks

Phishing

Cross Site Scripting
ClickJacking

Cross Site Scripting: Overview

Cross-Site Scripting (XSS) occurs whenever an application reads user data and embeds that user data in Web responses without encoding or validating it.

Common vulnerabilities that make Web-based applications susceptible to cross-site scripting attacks:
Improper input validation
Failing to encode output
Trusting data from shared resources

Cross Site Scripting in News

October 2005: MySpace “Samy” worm
February 2006: Facebook
June 2008: Yahoo Mail
December 2008: American Express
April 2009: Twitter

http://twittercism.com/remove-stalkdaily/

http://xssed.com/ - live XSSed

Types of Cross-Site Scripting

Two major types of cross-site scripting attacks:

Type 1: Non-Persistent
Often referred to as reflected cross-site scripting
Requires some level of social engineering

Type 2: Persistent
Stored cross-site scripting
One attack can affect multiple users

Type 0: DOM-Based

Type 1: Non-Persistent Cross-Site Scripting (diagram)

Malicious user → user: “Congratulations! You won a prize, please click here to claim your prize!” – the link points at http://www.contoso.com?id=[malicious code]

User → web server: the request carries [malicious code] in the id parameter

Web server → user: the response embeds it unencoded: <html><head><title>Hello</title></head><body>[malicious code]</body>…

Type 2: Persistent Cross-Site Scripting (diagram)

Malicious user → web server → database: the blog comment “Hello, this article was helpful! [malicious code] Thanks, Kevin” is stored

Web server → every user who later views the page: the stored [malicious code] is served to each of them

Mitigation Strategies

Server side:
Validate all untrusted input
Encode any Web response data that could contain user or other untrusted input
Use built-in ASP.NET protection via the ValidateRequest option
Use the System.Web.HttpCookie.HttpOnly property
Use the <frame> and <iframe> security attribute (IE6 and above)
Use the Microsoft Anti-Cross Site Scripting Library (AntiXSS)

Microsoft Anti-Cross Site Scripting Library V3.1

New features:
An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Security Runtime Engine (SRE) HTTP module: ideally, you do not need to change your code!

In your web.config:
<httpModules>
  <add name="AntiXssModule" type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/>
</httpModules>

In antixssmodule.config:
<ControlEncodingContexts>
  <ControlEncodingContext FullClassName="System.Web.UI.Page" PropertyName="Title" EncodingContext="Html" />
  <ControlEncodingContext FullClassName="System.Web.UI.WebControls.Label" PropertyName="Text" EncodingContext="Html" />
  <ControlEncodingContext FullClassName="System.Web.UI.WebControls.CheckBox" PropertyName="Text" EncodingContext="Html" />
</ControlEncodingContexts>
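The two renderings below are an added example, not code from the deck or from the AntiXSS library: the reflected and stored scenarios from the diagrams are replayed through a vulnerable response builder and through an encoding one, and a whitelist encoder modelled on the AntiXSS approach (my own reconstruction of the principle, not its implementation) is shown beside the standard library escape. Python is used for illustration even though the deck's stack is ASP.NET; the sample inputs are constructed.

```python
import html
import re

# Constructed sample inputs modelled on the deck's two diagrams (not payloads from the page).
REFLECTED_ID = "<script>alert(document.cookie)</script>"      # value of ?id= in the lure URL
STORED_COMMENT = "Hello, this article was helpful! <img src=x onerror=alert(1)> Thanks, Kevin"

PAGE = "<html><head><title>Hello</title></head><body>{body}</body></html>"


def render_vulnerable(user_data: str) -> str:
    """The flaw on the slides: user data embedded in the response without encoding."""
    return PAGE.format(body=user_data)


def render_encoded(user_data: str) -> str:
    """Hardened: HTML-encode before embedding, so the browser shows text instead of parsing markup."""
    return PAGE.format(body=html.escape(user_data, quote=True))


# Whitelist-style encoding in the spirit of AntiXSS (my modelling, not the library's code):
# every character outside a small safe set becomes a numeric character reference.
SAFE_CHAR = re.compile(r"[A-Za-z0-9 ,.!\-_]")


def whitelist_html_encode(user_data: str) -> str:
    return "".join(ch if SAFE_CHAR.fullmatch(ch) else f"&#{ord(ch)};" for ch in user_data)


ACTIVE_MARKUP = re.compile(r"<(script|img|iframe|svg|object)\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """Crude comparison helper: does the response body still carry a live tag the browser would act on?"""
    return ACTIVE_MARKUP.search(rendered) is not None
```

Note that `render_encoded` neutralises both samples while leaving the comment text readable, which is the behaviour the "encode any Web response data" bullet asks for.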

Anti-Cross Site Scripting in Action: Microsoft Anti-Cross Site Scripting Library V3.1

demo

Mitigation Strategies

Client side: IE8 XSS Filter

Anti-Cross Site Scripting in Action: IE8 XSS Filter with Microsoft Application Compatibility Toolkit

demo

Browser Based Attacks

Phishing
Cross Site Scripting

ClickJacking

ClickJacking: Overview

Clickjacking is an attack that tricks the victim into initiating commands on a website that they did not intend. It uses iframes and web page layers in DHTML to overlay a potentially malicious button (for example) on top of an existing legitimate web page.

A ClickJacking Example

Suppose that a hacker site has the following source code…

Mitigation

Use a frame-breaker script:
<script>if (top!=self) top.location.href=self.location.href</script>

Use the X-Frame-Options header for IE8
An HTTP response header named X-FRAME-OPTIONS is sent with HTML pages to restrict how the page may be framed
When the options value contains the token DENY, IE8 will prevent the page from rendering if it would be contained within a frame

Add X-FRAME-OPTIONS with the value DENY to the HTTP response headers using IIS Manager; in HTML, insert <meta http-equiv="X-FRAME-OPTIONS" content="DENY" /> in the <head> section; or, using ASP.NET, insert Response.AddHeader("X-Frame-Options", "Deny").
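As an added example (not code from the deck), a small audit helper that classifies a captured HTTP response by its X-Frame-Options value, plus the server-side equivalent of the Response.AddHeader call above; the two raw responses are constructed and Python is assumed for illustration.

```python
# Constructed raw HTTP responses: one protected as the slide recommends, one not.
PROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>Transfer funds</body></html>"
)
UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Transfer funds</body></html>"
)


def parse_headers(raw: str) -> dict:
    """Return the response headers keyed by lower-cased name (header names are case-insensitive)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]                     # drop the status line
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}


def framing_policy(raw: str) -> str:
    """Classify how a browser that honours X-Frame-Options may frame this response."""
    value = parse_headers(raw).get("x-frame-options", "").upper()
    if value == "DENY":
        return "never framed"
    if value == "SAMEORIGIN":
        return "framed only by same-origin pages"
    return "framable by any site (clickjacking exposure)"


def add_frame_options(headers: list, value: str = "DENY") -> list:
    """Server-side fix: append X-Frame-Options, replacing any earlier copy of the header."""
    kept = [(name, val) for name, val in headers if name.lower() != "x-frame-options"]
    return kept + [("X-Frame-Options", value)]
```

Browsers apply X-Frame-Options only when it arrives as an HTTP header, so the checker reads headers rather than the HTML body.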

ClickJacking: FrameBreaker and IE8 Defense

demo

Attack Vectors and Trends

Rogue Unwanted Software
Browser Based Attacks

File Format Attack - Office

File Format Attack: Overview

This class of vulnerability is known as parser vulnerabilities.

Attacker creates a specially crafted document that takes advantage of an error in how the code processes or parses the file format.

Increasingly, attackers are using common file formats as transmission vectors for exploits.

Office format and PDF format

File Format Attack Trend

The second half of 2008 (2H08) saw a sharp increase in the number of file format–based attacks.

Often in the form of spear phishing and whaling attacks, where the victim opens the attachment
Or at a malicious/compromised web site, where the malicious code forces the browser to a malicious document, which is opened by the victim

Binary Office File Format vs. Open XML format

Office 2003 (and lower) Binary Format
OLE Structured Storage outer format: a file system within a file!
Complex file format, complete with a FAT table, sectors and streams (like files)
Another application-specific inner format within each stream!
(diagram: header followed by streams STRM1, STRM2, STRM3, STRM4)

Examining The File

Requires a hex editor + expert knowledge
Interesting strings in a stream near the beginning of the malicious files!

What could possibly go wrong?

Office 2007 Open XML File Format

Safety was a design goal from the beginning
Designed under the SDL

ZIP file container with ‘XML parts’
Also non-XML parts (typically binary data like embedded images or OLE objects)

Non-XML parts can be disabled by policy

Rename to .zip and open with zip file viewer!
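An added example (not the deck's code) that puts the two container descriptions above into practice: a sanity check of the 512-byte header that fronts the OLE Structured Storage "file system within a file", and the rename-to-.zip trick applied programmatically to separate XML parts from non-XML parts in an Open XML package. The field offsets are those of the published CFB layout; both sample files are constructed in code, and Python is assumed.

```python
import io
import struct
import zipfile

# Signature that opens every OLE2 / Compound File Binary (CFB) container (Office 97-2003 formats).
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def check_cfb_header(data: bytes) -> dict:
    """Sanity-check the 512-byte CFB header that sits in front of the FAT, directory and streams.
    Offsets: major version at 26, sector shift at 30, FAT sector count at 44,
    first directory sector at 48, first DIFAT entry at 76."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return {"problems": ["not a CFB container"]}
    major, = struct.unpack_from("<H", data, 26)
    sector_shift, = struct.unpack_from("<H", data, 30)
    fat_sectors, first_dir = struct.unpack_from("<II", data, 44)
    difat0, = struct.unpack_from("<I", data, 76)
    sector_size = 1 << sector_shift
    sector_count = len(data) // sector_size - 1        # sector 0 starts after the header
    problems = []
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        problems.append("version/sector-size mismatch")
    if fat_sectors == 0 or difat0 >= sector_count:
        problems.append("FAT sector out of range")
    if first_dir >= sector_count:
        problems.append("directory sector out of range")
    return {"sector_size": sector_size, "fat_sectors": fat_sectors, "problems": problems}


def list_ooxml_parts(data: bytes) -> dict:
    """Treat an Open XML document as the ZIP it is and separate XML parts from non-XML ones."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    xml_parts = [n for n in names if n.lower().endswith((".xml", ".rels"))]
    return {"xml": xml_parts, "non_xml": [n for n in names if n not in xml_parts]}


def build_sample_cfb(first_dir: int = 1) -> bytes:
    """Constructed: a minimal v3 header plus two empty 512-byte sectors (FAT at 0, directory at 1)."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9)   # minor, major, byte order, sector shift
    struct.pack_into("<H", hdr, 32, 6)                      # mini sector shift
    struct.pack_into("<II", hdr, 44, 1, first_dir)          # FAT sector count, first directory sector
    struct.pack_into("<I", hdr, 76, 0)                      # DIFAT[0]: the FAT lives in sector 0
    return bytes(hdr) + bytes(1024)


def build_sample_docx() -> bytes:
    """Constructed: a tiny Open XML package with one embedded binary (OLE) part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()
```

The `non_xml` list is exactly the set of parts a "disable non-XML parts by policy" setting would target, and a header whose sector references point past the end of the file is the kind of inconsistency a correctness check flags before any parser touches the streams.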

Historical Data (chart): Office Security Bulletin Trend by quarter, 2004 through 2Q 2008, with fuzzing iterations completed overlaid; y-axis 0–30.

Newer is Better: of the vulnerabilities reported since January 2007, 28% affected Office 2007 and 72% did not.

Layered Defenses
Harden the Attack Surface
Reduce the Attack Surface
Improve User Experience
Mitigate the Exploits

Harden the Attack Surface

Security Engineering
Security Development Lifecycle foundation
Intensive distributed fuzzing

Integrate OS Advances
Support for DEP/NX
Leverage WIC image parsers
Robust & agile cryptography

Reduce the Attack Surface

File Block
Block unused or legacy file formats
Easy policy enforcement
View allows read-only access
Tied in with Protected View for formats between block and allow

Office File Validation
Binary files
Runs automatically on open
Evaluates the file for ‘correctness’
Protects against unknown exploits
Faster updates for changes to rules

Reduce the Attack Surface

Gatekeeper vs MSRC cases

Mitigate the Exploits

Protected Viewer ‘Sandbox’

Word, Excel, PPT files can run in the ‘sandbox’
Prevents harmful documents from damaging user data and the OS
Helps users make better trust decisions

Protected Viewer (diagram): the Office Protected Viewer receives
Files that failed File Validation
Files that don’t comply with File Block policy
Files in unsafe folders
All Outlook attachments
Files from the Internet zone

Mitigate the Exploits
Office file formats demo

Observations on XP

Malicious PPT drops an EXE and a clean PPT on the user’s desktop – requires regular user rights
The EXE creates a ‘.log’ file in the user’s temp folder and executes it – requires regular user rights
The malware creates 2 binaries in system32 and modifies HKLM registry keys – requires admin rights
The binaries are injected into SYSTEM processes like winlogon.exe – requires admin rights

Observations on Vista

Malicious PPT drops an EXE and a clean PPT on the user’s desktop – requires regular user rights
The EXE creates a ‘.log’ file in the user’s temp folder and executes it – requires regular user rights
The malware creates 2 binaries in system32 and modifies HKLM registry keys – requires admin rights
The binaries are injected into SYSTEM processes like winlogon.exe – requires admin rights

Better Together

File Block

GateKeeper

Standard User / UAC

UAC “Dark Roast”

Mitigations
Configure your computer to use Microsoft Update

Ensure that Microsoft security update MS06-027 has been applied to any affected software in your environment: http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx

Keep your third-party software up to date. Updates for Adobe products can be downloaded from http://www.adobe.com/downloads/updates/.

If possible, upgrade your software applications to the most recent versions, since these demonstrate lower rates of attack.

Avoid opening attachments or clicking links to documents in e-mail or instant messages that are received unexpectedly or from an unknown source.

Use up-to-date antivirus software from a known, trusted source that offers real-time protection and continually updated definition files to detect and block exploits.

Summary

Trends are worms, rogue software and file format attacks; they vary worldwide

Security community effort in industry to keep on top
Technology evolving fast to solve the root cause (GateKeeper)
Updates, virus checkers and good risk management are key; security standards
Lockdowns go a long way

Quick Case Study

AppLocker + Windows-only rules + app rules
No execute for standard users from writable areas
BitLocker
Lockdown to reduce attack surface
Virus checker/updates etc…

Gives a solid defense in-depth client build!

Summary

Both security vendors and IT professionals should:
Adjust their risk management processes appropriately to help ensure that all operating systems and applications are protected (ISO 27000, COBIT, MS Security Risk Guide)
Keep up to date on the wide range of potential security issues
Take appropriate actions based on your risk assessment

As individuals, to protect against malicious code:
Keep security patches and anti-virus signatures up to date, and if possible upgrade to newer software
Educate yourself about potential security risks
IT professionals and consumers should take advantage of the defense-in-depth technologies, such as firewalls, antivirus programs, and antispyware programs available from trusted sources…

Summary: Most important of all… stay informed & up to date

Microsoft Malware Protection Center
Microsoft Security Update Guide
Microsoft Security Engineering Center
Microsoft Security Response Center
Microsoft SIR v7 Report
Microsoft AV: Security Essentials
End to End Trust
Microsoft Security Development Lifecycle
Common Vulnerabilities and Exposures: http://cve.mitre.org

question & answer

Track Resources

Common Vulnerabilities and Exposures: http://cve.mitre.org

National Vulnerability Database: http://nvd.nist.gov

www.securityfocus.com, www.secunia.com, www.securitytracker.com

www.microsoft.com/teched – Sessions On-Demand & Community
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
www.microsoft.com/learning – Microsoft Certification & Training Resources

Resources

Related Content

SIA-205: SDL-Agile: Microsoft’s Approach to Security for Agile Projects


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.