Evolving Threats
description
Transcript of Evolving Threats
Evolving ThreatsEvolving Threats
Paul A. HenryMCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE
Florida PI License C2800597
Forensics & Recovery LLCFlorida PI Agency License A2900048
Paul A. HenryMCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE
Florida PI License C2800597
Forensics & Recovery LLCFlorida PI Agency License A2900048
Welcome To My WorldWelcome To My World
• Conficker update• Risk of banking via cell phone rising• Backdoor in a box
– Covert channels on a budget
• Obfuscation wins again– Adobe issues not going away
• Wireless network tap– Sniffing a network from 300 meters
• What’s that light at the end of the tunnel– Patch that Mac
• Old Malware never dies
Conficker UpdateConficker Update
• Upgrades– No longer limited to 250 domains for
updates• 50,000 domains• Peer to peer updates• Blocks access to larger range of security
sites– First nefarious use of conficker bot net
detected• More sure to come
Conficker UpdateConficker Update
Conficker UpdateConficker Update
Conficker UpdateConficker Update
Big MoneyBig Money
• 1.8M unique users were redirected to the rogue Anti-Virus software during 16 consecutive days
• Members of the affiliate network were rewarded for each successful redirection with 9.6 cents “a piece”, which totals
$ 172,800 or $ 10,800 per day
Introducing Gumblar - Son of ConfickerIntroducing Gumblar - Son of Conficker
• In 2008 one website was compromised every 5 sec– Now it is one every 4.5 sec
• End game is the same – deliver malware• Gumblar is building two botnets
– First botnet is made up of compromised web servers and is used to distribute “drive-by” malware across web servers
– Second botnet is made up of PCs that visit the web sites and become infected
• These PCs become part of a spam spewing botnet
Introducing Gumblar - Son of ConfickerIntroducing Gumblar - Son of Conficker
• Gumblar is now found on 42% of all discovered compromised websites
Root Cause…Root Cause…
• Really drives home the underlying problem with network security today..
• One of the most successful vulnerabilities being exploited today is RDS (MDAC)
• This one vulnerability is responsible for over 70% of compromises from automated toolkits
• Did I mention that the vulnerability was patched 3 years ago……
Most Popular ToolkitMost Popular Toolkit
Pinch Lives On…Pinch Lives On…
• Even while the authors sit in prison Pinch continues to infect users
It’s Not Rocket Science…It’s Not Rocket Science…
• It is common knowledge that you can eliminate 90% of your risk by applying patches in a timely manner
• It was recently reported by IBM that over 70% of Microsoft vulnerabilities in 2008 could be mitigated by simply enforcing the “rule of least privilege”
Now This Is Interesting…Now This Is Interesting…
• For Sale Used Nokia 1100 $30,000• A software issue in the Nokia 1100
makes is easily re-programmable– Assume any identity– Actively being used in UK to capture
banking PIN sent via SMS
Pogo Plug – Backdoor in a boxPogo Plug – Backdoor in a box
• Allows anything connected via USB to be easily shared across the Internet– Hard drive– Ethernet adapter– Wireless adapter
Pogo Plug – Backdoor in a boxPogo Plug – Backdoor in a box
• Yes there are a few good uses but….
Signatures Are ObsoleteSignatures Are Obsolete
Signatures Are ObsoleteSignatures Are Obsolete
Obfuscation wins againObfuscation wins again
Obfuscation wins againObfuscation wins again
Well it started as a good ideaWell it started as a good idea
Well it started as a good ideaWell it started as a good idea
Well it started as a good ideaWell it started as a good idea
20,000 Illegal Downloads….20,000 Illegal Downloads….
• Pirated copy of iWorks contained malware
First Mac BotNetFirst Mac BotNet
• First use of iBotnet was a DDoS Attack
First Mac BotNetFirst Mac BotNet
• Apple is currently associated with 57 different software products and numerous hardware platforms
• A search on reported vulnerabilities of OSX shows 128 Secunia Advisories and 866 reported Vulnerabilities – http://secunia.com/advisories/product/96/
That light at the end of the tunnel is an
on coming train…
Windows RC7 – BotnetWindows RC7 – Botnet
SummarySummary
• We have yet to feel the impact of Conficker – more to come
• Cell phones are becoming a viable target• Pogo Plug demonstrates the need to re
evaluate access to 80/443 outbound• We need to rethink signatures the current
model is doomed to fail• Wireless network taps will play a part in
data leakage• Security by obscurity is over for Mac• Obfuscation brings new life to old malware
Forensics& Recovery LLCFlorida PI License A 29004
www.forensicsandrecovery.com
Paul A. HenryMCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE
Florida PI License C2800597
25 SE 69th Place Ocala, Fl 34480 Telephone (954) 854 9143 [email protected]