From creeper to stuxnet
From Creeper to Stuxnet
“Tell me and I’ll forget. Show me and I may remember. Involve me and I’ll understand.”
Shahar Geiger Maor, VP & Senior Analyst
Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic 2
A Story With A Beginning And No End
The Beginning: Basic Terminology
Phreaking, Cracking and Hacking…
I’m A Creep(er)!
1971: The very first viruses: Creeper and Wabbit
Captain Zap
1981: first person ever arrested for a computer crime
Machine Of The Year (1982)
War Games (1983)
Introducing: MOD & LOD (1987)
When Ideology meets Ego (1991)
Professional conferences (1993)
Celebrity (1995)
The Rise of Malware
1995: The Concept Virus
The Rise of Malware
1999: The Melissa and Nimda Viruses
http://scforum.info/index.php?topic=2528.msg4935;topicseen
The Rise of Malware
2000: The ILOVEYOU Worm
The Rise of Malware
2008: Conficker
[Chart: AV Signatures, Jan-00 to Dec-09; vertical axis 0 to 16,000,000 signatures]
The Increasingly Difficult Security Challenge
Hundreds of millions of viruses: signature-based scanning won’t keep up…
Source: Symantec
No Existing Protection Addresses the “Long Tail”
Today, both good and bad software obey a long-tail distribution. Blacklisting works well for the high-prevalence bad files; whitelisting works well for the high-prevalence good files.
Unfortunately neither technique works well for the tens of millions of files with low prevalence (but this is precisely where the majority of today’s malware falls). For this long tail a new technique is needed.
[Chart: prevalence of bad files vs. good files, high-prevalence head and low-prevalence long tail]
Source: Symantec
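To make the slide’s argument concrete, here is an added Python example (not from the presentation, Symantec or any vendor) that triages a constructed set of files by blacklist hash, whitelist hash and prevalence: the residue that neither list can judge is exactly the low-prevalence long tail. The sample files, the two hash lists and the prevalence threshold are all assumptions.

```python
"""Prevalence-based file triage: shows where list-based scanning runs out."""
import hashlib
from collections import Counter

# Constructed sample set: (file name, file contents, machines the file was seen on).
SAMPLE_FILES = [
    ("kernel32.dll", b"good-os-library", 950_000),
    ("chrome.exe", b"good-browser", 400_000),
    ("updater.exe", b"new-popular-updater", 80_000),   # common but not yet on any list
    ("conficker.exe", b"mass-worm", 120_000),
    ("intranet-tool.exe", b"inhouse-lob-app", 12),      # rare but benign
    ("dropper-a.exe", b"custom-dropper-a", 3),          # rare, targeted malware
    ("dropper-b.exe", b"custom-dropper-b", 1),
    ("packed-x.exe", b"repacked-trojan", 2),
]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed vendor lists: only the high-prevalence files are known to them.
BLACKLIST = {sha256(b"mass-worm")}
WHITELIST = {sha256(b"good-os-library"), sha256(b"good-browser")}

# Assumption: a file seen on this many machines or fewer belongs to the long tail.
LONG_TAIL_MAX_PREVALENCE = 50

def classify(contents: bytes, prevalence: int) -> str:
    """Blacklist and whitelist answer for known hashes; prevalence sorts the rest."""
    digest = sha256(contents)
    if digest in BLACKLIST:
        return "bad"            # blacklisting works: widespread, already-seen malware
    if digest in WHITELIST:
        return "good"           # whitelisting works: widespread, already-seen software
    if prevalence <= LONG_TAIL_MAX_PREVALENCE:
        return "unknown-rare"   # the long tail: neither list can judge this file
    return "unknown-common"     # unknown but widespread: a list will catch up soon

def triage(files=SAMPLE_FILES) -> dict:
    """Count verdicts over a sample set."""
    return dict(Counter(classify(contents, seen) for _, contents, seen in files))

def long_tail(files=SAMPLE_FILES) -> list:
    """Names of files that need a non-list technique (reputation, behaviour, sandbox)."""
    return [name for name, contents, seen in files
            if classify(contents, seen) == "unknown-rare"]

def long_tail_share(files=SAMPLE_FILES) -> float:
    """Fraction of the sample that list-based scanning leaves unjudged."""
    return len(long_tail(files)) / len(files)
```

On the constructed sample, half of the files (and three of the four malicious ones) land in the long tail, which is the gap the slide says a new technique must cover.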
Growing Amount of Malware: Lower Rate of Detection
Time to detect two malware submissions (src: AV-Test.org). Sample A = Submission-ID 2009-12-10_22-01_0002; Sample B = Submission-ID 2010-01-15_22-14_0001.
AV Engine      Time To Detect (Sample A)   Time To Detect (Sample B)
Authentium     Zero-hour                   No detection
Avast          24.28 hrs.                  2.10 hrs.
AVG            10.18 hrs.                  3.52 hrs.
CA-AV          No detection                Zero-hour
ClamAV         40.82 hrs.                  No detection
Dr.Web         3.68 hrs.                   13.17 hrs.
Eset Nod32     2.35 hrs.                   Zero-hour
F-Secure       Zero-hour                   20.03 hrs.
Ikarus         2.55 hrs.                   1.90 hrs.
ISS VPS        No detection                No detection
Kaspersky      6.70 hrs.                   14.52 hrs.
McAfee         28.83 hrs.                  No detection
Microsoft      11.62 hrs.                  No detection
Norman         Zero-hour                   No detection
Panda          76.48 hrs.                  No detection
Rising         71.27 hrs.                  No detection
Spybot S&D     No detection                No detection
Sunbelt        No detection                Zero-hour
VirusBuster    4.05 hrs.                   Zero-hour
Secured Mediation Kiosks
Source: OPSWAT, STKI’s modifications
Nor(malware) distribution
Choose any AV software… What about the long tail?
Nor(malware) distribution
Choose many AV software… The long tail problem remains.
Organized Cybercrime (2009)
M&As in the Cyber Underground…
http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself.
Common “Positions” in the cyber-crime business
Programmers, Distributors, Tech experts, Crackers, Fraudsters, Hosted systems providers, Cashiers, Money mules, Tellers, Leaders
http://www.fbi.gov/news/speeches/the-cyber-threat-whos-doing-what-to-whom
Underground Economy
http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf
Product: Price
Credit card details: from $2-$90
Physical credit cards: from $190 + cost of details
Card cloners: from $200-$1000
Fake ATMs: up to $35,000
Bank credentials: from $80 to $700 (with guaranteed balance)
Bank transfers and cashing checks: from 10 to 40% of the total; $10 for a simple account without guaranteed balance
Online stores and pay platforms: from $80-$1500 with guaranteed balance
Design and publishing of fake online stores: according to the project (not specified)
Purchase and forwarding of products: from $30-$300 (depending on the project)
Spam rental: from $15
SMTP rental: from $20 to $40 for three months
Cyber Wars (1990’s-2000’s-2010’s)
Growing Number of Incidents: US
Incidents of Malicious Cyber Activity Against Department of Defense Information Systems, 2000–2009
http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf
Sources of Attacks on gov.il
Source: CERT.gov.il
Cyber-Warfare is Becoming A Giants’ Playground
http://www.bbc.co.uk/news/technology-11773146
Operation Aurora
http://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf
Advanced Persistent Threat (APT): RSA Case Study
http://www.nytimes.com/2011/03/18/technology/18secure.html
“Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA.” Art Coviello, Executive Chairman, RSA
http://www.rsa.com/node.aspx?id=3872
Stuxnet:
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=2&hp
(THE NEW YORK TIMES, 15/1/11)
Stuxnet Timeline
Early 2008: Siemens cooperated with Idaho National Laboratory to identify the vulnerabilities of computer controllers that the company sells
2008-2009: Suspected exploits have been created for Siemens SCADA systems
July 2009: Stuxnet began circulating around the world
July 2010: Stuxnet is first discovered by VirusBlokAda
Rootkit.Win32.Stuxnet Geography
Source: http://ebiquity.umbc.edu/blogger/wp-content/uploads/2010/09/stuxnet.gif
Stuxnet in Action: “A Game Changer”
• 10-30 developers (!!!)
• Stuxnet has some 4,000 functions (software that runs an average email server has about 2,000 functions)
• Exploits a total of four unpatched Microsoft vulnerabilities
• Compromises two digital certificates
• Self-replicates through removable drives
• Spreads in a LAN through a vulnerability in the Windows Print Spooler
• Copies and executes itself on remote computers through network shares
• Updates itself through a peer-to-peer mechanism within a LAN
• Contacts a remote command and control server
• Modifies code on the Siemens PLCs
• Hides modified code on PLCs
Vulnerability Timeline
Source: Burton Group
…Let’s talk about Patch Management (PM)
• Mostly Microsoft, security-related patches
• “It’s not the deployment, but the whole process evolving”, AKA Pizza Night.
• 20%-50% FTE is dedicated to PM
• Common SLAs: 3…6…or sometimes 12 months!!
• VIP patches: up to a week
• Hardware\non-security patches’ SLA: where upgrades\vendor support is needed
Generic Cyber Attacks
1. Individuals\Groups
2. Criminal\Nationalistic background
3. Lots of intervals
4. Lots of targets
5. Common tools
Distributed Denial Of Service (DDOS)
1. Targets websites, internet lines etc.
2. Legitimate traffic
3. Many different sources
4. From all over the world
5. Perfect timing
Advanced Persistent Threat (APT)
1. Group / Org. / State
2. Ideological / Nationalistic background
3. Multi-layered attack
4. Targeted
5. Variety of tools
6. Impossible to detect in real time(???)
Security “Threatscape”
Scan Me To Your Contacts:
Thank You!