From creeper to stuxnet

From Creeper to Stuxnet. “Tell me and I’ll forget. Show me and I may remember. Involve me and I’ll understand.” Shahar Geiger Maor, VP & Senior Analyst

description

Important (I hope...) milestones in the history of information security

Transcript of From creeper to stuxnet

Page 1: From creeper to stuxnet

From Creeper to Stuxnet

“Tell me and I’ll forget. Show me and I may remember. Involve me and I’ll understand.”

Shahar Geiger Maor, VP & Senior Analyst

Page 2: From creeper to stuxnet

Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic 2

A Story With A Beginning And No End

Page 3: From creeper to stuxnet


The Beginning - Basic Terminology

Phreaking, Cracking and Hacking…

Page 4: From creeper to stuxnet


I’m A Creep(er)!

1971: The very first viruses: Creeper and Wabbit

Page 5: From creeper to stuxnet


Captain Zap

1981: First person ever arrested for a computer crime

Page 6: From creeper to stuxnet


Machine Of The Year

1982

Page 7: From creeper to stuxnet


War Games

1983

Page 8: From creeper to stuxnet


Introducing: MOD & LOD

1987

Page 9: From creeper to stuxnet


When Ideology meets Ego

1991

Page 10: From creeper to stuxnet


Professional conferences

1993

Page 11: From creeper to stuxnet


Celebrity

1995

Page 12: From creeper to stuxnet


The Rise of Malware

1995: The Concept Virus

Page 13: From creeper to stuxnet


The Rise of Malware

1999: The Melissa and Nimda Viruses

http://scforum.info/index.php?topic=2528.msg4935;topicseen

Page 14: From creeper to stuxnet


The Rise of Malware

2000: The ILOVEYOU Worm

Page 15: From creeper to stuxnet


The Rise of Malware

2008: Conficker

Page 16: From creeper to stuxnet


[Chart: “AV Signatures”, signature count by month from Jan-00 to Dec-09, y-axis 0 to 16,000,000]

The Increasingly Difficult Security Challenge

100s of millions of viruses: signature-based scanning won’t keep up…

Source: Symantec

Page 17: From creeper to stuxnet


No Existing Protection Addresses the “Long Tail”

Today, both good and bad software obey a long-tail distribution.

[Figure: prevalence distribution of bad files and good files. Blacklisting works well for the high-prevalence bad files; whitelisting works well for the high-prevalence good files; for the long tail a new technique is needed.]

Unfortunately neither technique works well for the tens of millions of files with low prevalence. (But this is precisely where the majority of today’s malware falls.)

Source: Symantec
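The three regions of that slide (blacklist, whitelist, long tail) as a small triage model, added here as an illustration; it is not Symantec’s or STKI’s code. The hash lists, prevalence counts, threshold and reputation weighting are all constructed assumptions.

```python
"""Prevalence-based file triage: blacklist, whitelist, then the long tail.

Added illustration of the slide's argument, not vendor code. All data
below is constructed: the hashes are placeholders, not real indicators,
and the reputation weighting is an assumed stand-in for the "new
technique" the slide says the long tail needs.
"""
from dataclasses import dataclass

KNOWN_BAD = {"bad-hash-1", "bad-hash-2"}     # blacklist: high-prevalence malware
KNOWN_GOOD = {"good-hash-1"}                  # whitelist: widely deployed software
PREVALENCE = {"bad-hash-1": 120_000, "good-hash-1": 2_000_000,   # constructed sightings
              "mid-hash-2": 5_000, "rare-hash-7": 3, "rare-hash-8": 1}

LONG_TAIL_THRESHOLD = 50   # fewer sightings than this and a file is "long tail" (assumed)


@dataclass
class Verdict:
    file_hash: str
    decision: str      # "block", "allow" or "analyze" (send for deeper analysis)
    reason: str


def reputation_score(seen: int, first_seen_days: int, signer_trusted: bool) -> float:
    """Toy reputation: rarer, newer and unsigned files score lower (assumed weights)."""
    score = 0.4 if signer_trusted else 0.0
    score += min(first_seen_days, 365) / 365 * 0.3                      # age in the wild
    score += min(seen, LONG_TAIL_THRESHOLD) / LONG_TAIL_THRESHOLD * 0.3  # prevalence
    return round(score, 2)


def triage(file_hash: str, first_seen_days: int, signer_trusted: bool) -> Verdict:
    """Classic lists first; only low-prevalence files take the long-tail path."""
    if file_hash in KNOWN_BAD:
        return Verdict(file_hash, "block", "blacklist hit")
    if file_hash in KNOWN_GOOD:
        return Verdict(file_hash, "allow", "whitelist hit")
    seen = PREVALENCE.get(file_hash, 0)
    if seen >= LONG_TAIL_THRESHOLD:
        # Common but unlisted: routine signature/whitelist updates cover these.
        return Verdict(file_hash, "allow", f"common file ({seen} sightings), no list hit")
    # Long tail: neither list helps, so fall back to contextual reputation.
    score = reputation_score(seen, first_seen_days, signer_trusted)
    decision = "allow" if score >= 0.5 else "analyze"
    return Verdict(file_hash, decision, f"long tail ({seen} sightings), reputation={score}")


def summarize(samples):
    """Count how many files each path handled: (hash, age_days, signer_trusted) tuples."""
    counts = {"block": 0, "allow": 0, "analyze": 0}
    for file_hash, days, signed in samples:
        counts[triage(file_hash, days, signed).decision] += 1
    return counts
```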

Page 18: From creeper to stuxnet


Growing Amount of Malware - Lower Rate of Detection

Time to detect for two malware submissions (src: AV-Test.org):

AV Engine      Submission-ID 2009-12-10_22-01_0002   Submission-ID 2010-01-15_22-14_0001
Authentium     Zero-hour                             No detection
Avast          24.28 hrs.                            2.10 hrs.
AVG            10.18 hrs.                            3.52 hrs.
CA-AV          No detection                          Zero-hour
ClamAV         40.82 hrs.                            No detection
Dr.Web         3.68 hrs.                             13.17 hrs.
Eset Nod32     2.35 hrs.                             Zero-hour
F-Secure       Zero-hour                             20.03 hrs.
Ikarus         2.55 hrs.                             1.90 hrs.
ISS VPS        No detection                          No detection
Kaspersky      6.70 hrs.                             14.52 hrs.
McAfee         28.83 hrs.                            No detection
Microsoft      11.62 hrs.                            No detection
Norman         Zero-hour                             No detection
Panda          76.48 hrs.                            No detection
Rising         71.27 hrs.                            No detection
Spybot S&D     No detection                          No detection
Sunbelt        No detection                          Zero-hour
VirusBuster    4.05 hrs.                             Zero-hour

Page 19: From creeper to stuxnet


Secured Mediation Kiosks

Source: OPSWAT, STKI’s modifications

Page 20: From creeper to stuxnet


Nor(malware) distribution

Choose any AV software… What about the long tail?

Page 21: From creeper to stuxnet


Nor(malware) distribution

Choose many AV software… The long tail problem remains.

Page 22: From creeper to stuxnet


Organized Cybercrime

2009

Page 23: From creeper to stuxnet


M&As in the Cyber Underground…

http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/

SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself

Page 24: From creeper to stuxnet


Common “Positions” in the cyber-crime business

• Programmers
• Distributors
• Tech experts
• Crackers
• Fraudsters
• Hosted systems providers
• Cashiers
• Money mules
• Tellers
• Leaders

http://www.fbi.gov/news/speeches/the-cyber-threat-whos-doing-what-to-whom

Page 25: From creeper to stuxnet


Underground Economy

http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf

Products and prices:

• Credit card details: from $2-$90
• Physical credit cards: from $190 + cost of details
• Card cloners: from $200-$1000
• Fake ATMs: up to $35,000
• Bank credentials: from $80 to $700 (with guaranteed balance)
• Bank transfers and cashing checks: from 10 to 40% of the total; $10 for a simple account without guaranteed balance
• Online stores and pay platforms: from $80-$1500 with guaranteed balance
• Design and publishing of fake online stores: according to the project (not specified)
• Purchase and forwarding of products: from $30-$300 (depending on the project)
• Spam rental: from $15
• SMTP rental: from $20 to $40 for three months

Page 26: From creeper to stuxnet


Cyber Wars

1990’s-2000’s-2010’s

Page 27: From creeper to stuxnet


Growing Number of Incidents - US

[Chart: Incidents of Malicious Cyber Activity Against Department of Defense Information Systems, 2000–2009]

http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf

Page 28: From creeper to stuxnet


Sources of Attacks on gov.il

Source: CERT.gov.il

Page 29: From creeper to stuxnet


Cyber-Warfare is Becoming A Giants’ Playground

http://www.bbc.co.uk/news/technology-11773146

Page 30: From creeper to stuxnet


Operation Aurora

http://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf

Page 31: From creeper to stuxnet


Advanced Persistent Threat (APT) - RSA Case Study

http://www.nytimes.com/2011/03/18/technology/18secure.html

“Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA”. Art Coviello Executive Chairman, RSA

http://www.rsa.com/node.aspx?id=3872

Page 32: From creeper to stuxnet


Stuxnet: http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=2&hp (THE NEW YORK TIMES, 15/1/11)

Page 33: From creeper to stuxnet


Stuxnet Timeline

Early 2008: Siemens cooperated with Idaho National Laboratory to identify the vulnerabilities of computer controllers that the company sells

2008-2009: Suspected exploits have been created for Siemens SCADA systems

July 2009: Stuxnet began circulating around the world

July 2010: Stuxnet is first discovered by VirusBlokAda

Page 34: From creeper to stuxnet


Rootkit.Win32.Stuxnet Geography

Source: http://ebiquity.umbc.edu/blogger/wp-content/uploads/2010/09/stuxnet.gif

Page 35: From creeper to stuxnet


Stuxnet in Action: “A Game Changer”

• 10-30 developers (!!!)
• Stuxnet has some 4,000 functions (software that runs an average email server has about 2,000 functions)
• Exploits a total of four unpatched Microsoft vulnerabilities
• Compromises two digital certificates
• Self-replicates through removable drives
• Spreads in a LAN through a vulnerability in the Windows Print Spooler
• Copies and executes itself on remote computers through network shares
• Updates itself through a peer-to-peer mechanism within a LAN
• Contacts a remote command and control server
• Modifies code on the Siemens PLCs
• Hides modified code on PLCs

Page 36: From creeper to stuxnet


Vulnerability Timeline

Source: Burton Group

Page 37: From creeper to stuxnet


…Let’s talk about Patch Management (PM)

• Mostly Microsoft, security-related patches
• “It’s not the deployment, but the whole process evolving” AKA Pizza Night.
• 20%-50% FTE is dedicated to PM
• Common SLAs: 3…6…or sometimes 12 months!!
• VIP patches: up to a week
• Hardware\non-security patches’ SLA: where upgrades\vendor support is needed

Page 38: From creeper to stuxnet


Page 39: From creeper to stuxnet


Generic Cyber Attacks

1. Individuals\Groups
2. Criminal\Nationalistic background
3. Lots of intervals
4. Lots of targets
5. Common tools

Page 40: From creeper to stuxnet


Distributed Denial Of Service (DDoS)

1. Targets websites, internet lines etc.

2. Legitimate traffic

3. Many different sources

4. From all over the world

5. Perfect timing


Page 41: From creeper to stuxnet


Advanced Persistent Threat (APT)

1. Group/ Org./ State

2. Ideological/ Nationalistic background

3. Multi-layered attack

4. Targeted

5. Variety of tools

6. Impossible to detect in real time (???)


Page 42: From creeper to stuxnet


Security “Threatscape”

Page 43: From creeper to stuxnet


Thank You!