Graham Calladine, David Hoyle Security Center of Excellence Microsoft Session Code: SIA313.
Transcript of Graham Calladine, David Hoyle Security Center of Excellence Microsoft Session Code: SIA313.
Attacking Windows Stack and How to Protect against These Attacks
Graham Calladine, David Hoyle
Security Center of Excellence, Microsoft
Session Code: SIA313

Session Objectives & Takeaways
To learn and understand:
Current Attack Trends that Microsoft is seeing
Attack Vectors
Mitigation Strategies with Windows Products

10 Years…
We have come a long way since Melissa
2003-2004: difficult times
Blaster/Slammer – was horrible – hit home users hard
Conficker emerged in a different s/w industry – did not hit home users hard
Partnerships: MS Response Alliance & Internet Consortium for Advanced Security on the Internet & CWG

WW Threat Trends
Not a simple trend – geographically diverse
Miscellaneous Trojans (inc. rogue s/w) most prevalent
Worms 2nd most prevalent
Password stealers & monitoring tools
Breaches – data scarce (datalossdb.org)
Top is stolen equipment, twice as many incidents as intrusion. But equipment loss is easily reported!
Data: Microsoft SIR v7 Report

Geographical Trends
8 locations with most infected machines:
USA, UK, France, Italy – Trojans
China – language-specific browser threats
Brazil – malware targeting online banking
Spain, Korea – worms targeting online gamers
Data Source: SIR V7 Report, pg 40

Threat Landscape is getting better?
Improvement in software development practice: Software Development Lifecycle (SDL) (Geoff, 1 min video)
Increased availability of automatic patch update process: Patch Tuesday and Auto Updates. However, an unpatched client is the primary initial infection vector
Social engineering techniques to mislead victims: attackers still find success with a variety of techniques for manipulating people

SANS Analysis
“The Top Cyber Security Risks”, September 2009
Application vulnerabilities exceed OS vulnerabilities
Web application attacks: Cross Site Scripting, PHP File Include, and SQL Injection
Windows: Conficker/Downadup
Cited from SANS “The Top Cyber Security Risks”, September 2009, http://www.sans.org/top-cyber-security-risks/

Attackers use social engineering techniques – Human Emotion
Microsoft Security Intelligence Report, July through December 2008
Fear: I want protection. I got rogue software
Desire: I want web surfing, free stuff, games, etc. I got fake contents, malicious downloads, etc.
Trust: I want online banking, email, social networking, etc. I got banking malware, phishing, spam, and file format infections, etc.

Attack Vectors and Trends
Current attacks in the wild:
Rogue Security Software and Worms
Browser Based Attacks: Phishing, Cross Site Scripting, Clickjacking
File Format Attacks

Attack Vectors and Trends
Rogue Security Software and Worms
Browser Based Attacks
File Format Attack

Rogue/Unwanted Software

| Rank | Family | Most Significant Category | Infected Machines |
|---|---|---|---|
| 1 | Win32/Renos | Trojan Downloaders & Droppers | 4,371,508 |
| 2 | Win32/Zlob | Trojan Downloaders & Droppers | 3,772,217 |
| 3 | Win32/Vundo | Miscellaneous Trojans | 3,635,207 |
| 4 | Win32/ZangoSearchAssistant | Adware | 3,326,275 |
| 5 | Win32/Taterf | Worms | 1,916,446 |
| 6 | Win32/ZangoShoppingreports | Adware | 1,752,252 |
| 7 | Win32/FakeXPA | Miscellaneous Trojans | 1,691,393 |
| 8 | Win32/FakeSecSen | Miscellaneous Trojans | 1,575,648 |
| 9 | Win32/Hotbar | Adware | 1,477,886 |
| 10 | Win32/Agent | Miscellaneous Trojans | 1,289,178 |

Highlighted on the slide: Win32/Renos, Win32/FakeXPA

Rogue Security Software 1
Use fear to convince victims: Win32/Renos family

Rogue Security Software 2
Use the same logic: Win32/FakeXPA family

Use your Desire
A rogue software real sample
There is no security issue or vulnerability in YouTube.com.
http://blogs.technet.com/mmpc/archive/2009/08/20/winwebsec-on-youtube.aspx

Rogue Software
Win32/FakeVimes and Win32/PrivacyCenter have become more prevalent in the last 2 months
Distributed via fake online scanners

Worms: Win32/Conficker.A to E
Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE)
On October 23, 2008, Microsoft released critical security update MS08-067. The vulnerability allows remote code execution if an affected system receives a specially crafted Remote Procedure Call (RPC) request
On November 21, 2008, the first significant worm that exploits MS08-067 was discovered
The first variant discovered, Worm:Win32/Conficker.A, only uses MS08-067 exploits to propagate
On December 29, 2008, a significantly more dangerous variant, Win32/Conficker.B, was discovered
It exploits the MS08-067 vulnerability but uses additional methods to propagate. It attempts to spread itself to other computers on the network
Combining the vulnerability with social engineering to introduce and spread the worm in an organization
Continues…
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

Social Engineering: by e-mailing infected files with official-sounding names to people at a company, like “Corporate Policy.PDF”

Worms: Win32/Conficker.A to E
Release D monitors 500/50,000 domain names/day for payloads…
Still is
Conficker Working Group (CWG) formed Jan 09
Many people from well known sec groups/researchers
Implemented defense DNS strategy
Kaspersky & OpenDNS – calc’ed 1Y of names
All 110 TLDs involved & signed up
Rapid, effective collaboration – keeps Conficker constrained

Published Articles for Conficker
Knowledge Base article KB962007
MMPC blog (http://blogs.technet.com/mmpc):
Get Protected, Now! (October 23, 2008)
A Quick Update About MS08-067 Exploits (November 17, 2008)
Just in Time for New Year’s… (December 31, 2008)
MSRA Released Today Addressing Conficker and Banload (January 13, 2009)
Centralized Information About the Conficker Worm (January 22, 2009)
Information about Worm:Win32/Conficker.D (March 27, 2009)

Mitigations
Get the latest computer updates
Install and update anti-malware signatures
Run an up-to-date scanning and removal tool
Use caution with attachments and file transfers
Use caution when clicking on links to web pages
Standard user rights
Protect yourself from social engineering attacks
User security best practices such as a strong password policy
Keep an eye on vulnerabilities and follow the guidelines from trusted sources
Use recent technologies and systems that can reduce the risk of exploitation

Attack Vectors and Trends
Rogue Security Software and worms
Browser Based Attacks
File Format Attack

Browser Based Attacks
Phishing
Cross Site Scripting
ClickJacking

Phishing: Overview
Phishing is a method of identity theft that tricks Internet users into revealing personal or financial information online.

Phishing Scam Samples
Social engineering techniques:
“Verify your account”
“If you don't respond within 48 hours, your account will be closed”
“Dear Valued Customer”
“Click the link below to gain access to your account”

Spear Phishing and Whaling
Spear phishing: highly targeted phishing. Sends email messages that appear genuine to all employees and members within a community
Whaling: involves targeted attacks on senior executives and other high ranking people

Phishing Trends in Industry
APWG: Anti-Phishing Working Group Report, 1H 2009
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

Phish Tank: Current Phish Sites
Live phish sites can be found at
http://www.phishtank.com/

Phishing with Hotmail
Illegally acquired by a phishing scheme and exposed on a website
Microsoft recommends:
Renew passwords for Windows Live IDs every 90 days
For administrators, make sure you approve and authenticate only users that you know and whose credentials you can verify
As phishing sites can also pose additional threats, install and keep anti-virus software up to date

Techniques
Man-in-the-middle attacks: proxies, DNS cache poisoning, etc.
URL obfuscation attacks: bad domain name, friendly login URLs, host name/URL obfuscation, etc.
Etc…

Anti-Phishing: IE 8 SmartScreen
demo

Mitigations
Use an up-to-date anti-malware product from a known, trusted source, and keep it updated.
Use the most recent version of your Web browser, and keep it up to date by applying security updates and service packs in a timely fashion.
Use a robust spam filter to guard against fraudulent and dangerous e-mail.
You can add sites you trust to the Trusted Sites zone with more than the medium security level.
Follow the guidance to take actions:
http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx

Browser Based Attacks
Phishing
Cross Site Scripting
ClickJacking

Cross Site Scripting: Overview
Cross-Site Scripting (XSS) occurs whenever an application reads user data and embeds that user data in Web responses without encoding or validating the user data
Common vulnerabilities that make Web-based applications susceptible to cross-site scripting attacks:
Improper input validation
Failing to encode output
Trusting data from shared resources

Cross Site Scripting in News
October 2005: MySpace “Samy” worm
February 2006: Facebook
June 2008: Yahoo Mail
December 2008: American Express
April 2009: Twitter
http://twittercism.com/remove-stalkdaily/

Types of Cross-Site Scripting
Two major types of cross-site scripting attacks:
Type 1: Non-Persistent
Often referred to as reflected cross-site scripting
Requires some level of social engineering
Type 2: Persistent
Stored cross-site scripting
One attack can affect multiple users
Type 0: DOM-Based

Type 1: Non-Persistent Cross-Site Scripting
Diagram: Malicious User, User, Web Server
The malicious user sends the user a lure: “Congratulations! You won a prize, please click here to claim your prize!”
The link points at the vulnerable site: http://www.contoso.com?id=[malicious code]
The web server reflects the parameter into its response: <html><head><title>Hello</title></head><body>[malicious code]</body>…

Type 2: Persistent Cross-Site Scripting
Diagram: Malicious User, Web Server, Database, Users
The malicious user posts a blog comment: “Hello, this article was helpful! [malicious code] Thanks, Kevin”
The web server stores the comment in the database and serves it to every user who views the article

Mitigation Strategies
Server side:
Validate all untrusted input
Encode any Web response data that could contain user or other untrusted input
Use built-in ASP.NET protection via the ValidateRequest option
Use the System.Web.HttpCookie.HttpOnly property
Use the <frame>, <iframe> IE6 and above security attribute
Use the Microsoft Anti-Cross Site Scripting Library (AntiXSS)

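The two cases drawn in the diagrams above (the reflected contoso.com?id= link and the stored blog comment), rendered once without and once with output encoding. This is an added example, not code from the deck; the function names and the white-list encoders are constructed here and stand in for, rather than reproduce, the AntiXSS library.

```javascript
// Added example (not from the deck): the Type 1 "?id=" page and the Type 2 blog
// comment from the slides, rendered without and with output encoding.
// encodeHtml, encodeHtmlAttribute, renderGreetingVulnerable, renderGreetingSafe,
// renderComments and sessionCookieHeader are names constructed for this example;
// they are not the AntiXSS library's API.

// White-list encoder for an HTML element body (the approach the AntiXSS slide
// mentions): only letters, digits and spaces pass through, everything else
// becomes a numeric character reference.
function encodeHtml(input) {
  return String(input).replace(/[^A-Za-z0-9 ]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Encoder for a double-quoted attribute value: spaces are encoded as well, so
// the value can never terminate the attribute or start a new one.
function encodeHtmlAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Pull the id parameter out of a request URL such as http://www.contoso.com?id=...
function getIdParam(url) {
  return new URL(url).searchParams.get('id') ?? '';
}

// Type 1 (reflected) XSS, the 'before' case: the query value is concatenated
// straight into the response body, so whatever the lure link carried runs in
// the victim's browser under contoso.com's origin.
function renderGreetingVulnerable(url) {
  const id = getIdParam(url);
  return `<html><head><title>Hello</title></head><body>${id}</body></html>`;
}

// Same page, hardened: the untrusted value is encoded for each context it
// lands in (attribute value for the title, element body for the visible text).
function renderGreetingSafe(url) {
  const id = getIdParam(url);
  return `<html><head><title>Hello</title></head><body>` +
    `<span title="${encodeHtmlAttribute(id)}">${encodeHtml(id)}</span>` +
    `</body></html>`;
}

// Type 2 (stored) XSS: comments live in a store (an array here, standing in for
// the database) and are rendered to every reader, so one bad comment hits many
// users. Encoding at render time keeps the stored text intact and the markup inert.
function renderComments(comments) {
  return comments
    .map((c) => `<p>${encodeHtml(c.text)}<br/><i>Posted by ${encodeHtml(c.author)}</i></p>`)
    .join('\n');
}

// Session cookie flagged HttpOnly (the slide's System.Web.HttpCookie.HttpOnly),
// so script that does slip through cannot read it from document.cookie.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly`;
}

// Constructed inputs for a stand-alone run.
const EVIL_LINK = 'http://www.contoso.com?id=<script>alert(1)</script>';
const COMMENTS = [
  { author: 'Kevin', text: 'Hello, this article was helpful! <img src=x onerror=alert(1)>' },
];
console.log(renderGreetingVulnerable(EVIL_LINK));
console.log(renderGreetingSafe(EVIL_LINK));
console.log(renderComments(COMMENTS));
console.log(sessionCookieHeader('session', 'abc123'));
```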
Microsoft Anti-Cross Site Scripting Library V3.1
New features:
An expanded white list that supports more languages
Performance improvements
Performance data sheets (in the online help)
Support for Shift_JIS encoding for mobile browsers
A sample application
Security Runtime Engine (SRE) HTTP module

Security Runtime Engine (SRE) HTTP module
Ideally, you do not need to change your code!
In your web.config:

```xml
<httpModules>
  <add name="AntiXssModule"
       type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/>
</httpModules>
```

In antixssmodule.config:

```xml
<ControlEncodingContexts>
  <ControlEncodingContext FullClassName="System.Web.UI.Page" PropertyName="Title" EncodingContext="Html" />
  <ControlEncodingContext FullClassName="System.Web.UI.WebControls.Label" PropertyName="Text" EncodingContext="Html" />
  <ControlEncodingContext FullClassName="System.Web.UI.WebControls.CheckBox" PropertyName="Text" EncodingContext="Html" />
</ControlEncodingContexts>
```

Anti-Cross Site Scripting in Action: Microsoft Anti-Cross Site Scripting Library V3.1
demo

Mitigation Strategies
Client side: IE8 XSS Filter

Anti-Cross Site Scripting in Action: IE8 XSS Filter with Microsoft Application Compatibility Tool Kit
demo

Browser Based Attacks
Phishing
Cross Site Scripting
ClickJacking

ClickJacking: Overview
Clickjacking is an attack that tricks the victim into initiating commands on a website that they did not intend. It uses iframes and web page layers in DHTML to overlay a potentially malicious button (for example) on top of an existing legitimate web page.

A ClickJacking Example
Suppose that a hacker site has the following source code…

Mitigation
Use a FrameBreaker script:

```html
<script>if (top!=self) top.location.href=self.location.href</script>
```

Use the X-Frame-Options header for IE8: an HTTP response header named X-FRAME-OPTIONS, sent with HTML pages, restricts how the page may be framed. When the OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it would be contained within a frame.
Add X-FRAME-OPTIONS with the value DENY to the HTTP response headers using IIS Manager; in HTML, insert <meta http-equiv="X-FRAME-OPTIONS" content="DENY" /> in the <head> section; or, using ASP.NET, insert Response.AddHeader("X-Frame-Options", "Deny").

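An added example, not from the deck: a small audit that reads raw HTTP responses and reports which of the three controls above (header, FrameBreaker script, meta tag) a page actually carries. parseResponse, metaFrameOptions, hasFrameBreaker and framingPolicy are names constructed here, and the SAMPLE_* responses are constructed inputs.

```javascript
// Added example (not from the deck): audit raw HTTP responses for the anti-framing
// controls listed on the slide. All function names and SAMPLE_* inputs are constructed.

// Split a raw HTTP/1.1 response into its status line, a lower-cased header map and the body.
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value; // fold repeated fields
  }
  return { statusLine: lines[0], headers, body };
}

// Return the content of a <meta http-equiv="X-FRAME-OPTIONS" ...> tag, if present.
function metaFrameOptions(body) {
  for (const tag of body.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']?x-frame-options/i.test(tag)) continue;
    const m = /content\s*=\s*["']?([^"'\s>\/]+)/i.exec(tag);
    if (m) return m[1].toUpperCase();
  }
  return null;
}

// Detect the slide's FrameBreaker pattern: compare top with self, then navigate top.
function hasFrameBreaker(body) {
  return /top\s*!==?\s*self/.test(body) && /top\.location/.test(body);
}

// Classify how well the page resists framing. The ranking follows what browsers
// enforce: the header is honoured by IE8 and later browsers; a frame-breaker script
// only helps when it actually runs, which a framing page can interfere with; a meta
// element carrying X-Frame-Options is ignored by browsers (RFC 7034), so it ranks last.
function framingPolicy(raw) {
  const { headers, body } = parseResponse(raw);
  const header = (headers['x-frame-options'] || '').toUpperCase() || null;
  const meta = metaFrameOptions(body);
  const frameBreaker = hasFrameBreaker(body);
  let level;
  if (header === 'DENY' || header === 'SAMEORIGIN') level = 'header';
  else if (frameBreaker) level = 'script-only';
  else if (meta) level = 'meta-only';
  else level = 'none';
  return { header, meta, frameBreaker, level };
}

// Constructed sample responses: the same page protected four different ways.
const HTTP_OK = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n';
const BUTTON = '<body><button>Send</button></body></html>';
const SAMPLE_HEADER = HTTP_OK + 'X-Frame-Options: DENY\r\n\r\n<html><head></head>' + BUTTON;
const SAMPLE_SCRIPT = HTTP_OK + '\r\n<html><head><script>if (top!=self) top.location.href=self.location.href</script></head>' + BUTTON;
const SAMPLE_META = HTTP_OK + '\r\n<html><head><meta http-equiv="X-FRAME-OPTIONS" content="DENY" /></head>' + BUTTON;
const SAMPLE_NONE = HTTP_OK + '\r\n<html><head></head>' + BUTTON;

// Summarise a named set of responses as name -> level.
function auditAll(samples) {
  return Object.fromEntries(Object.entries(samples).map(([n, raw]) => [n, framingPolicy(raw).level]));
}

console.log(auditAll({ SAMPLE_HEADER, SAMPLE_SCRIPT, SAMPLE_META, SAMPLE_NONE }));
```

Only the header form is what IE8 enforces as the slide describes; a page that shows up as meta-only in this audit is, for framing purposes, unprotected.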
ClickJacking: FrameBreaker and IE8 Defense
demo

Attack Vectors and Trends
Rogue Unwanted Software
Browser Based Attacks
File Format Attack - Office

File Format Attack: Overview
This class of vulnerability is described as parser vulnerabilities.
The attacker creates a specially crafted document that takes advantage of an error in how the code processes or parses the file format.
Increasingly, attackers are using common file formats as transmission vectors for exploits.
Office format and PDF format

File Format Attack Trend
2H08 saw a sharp increase in the number of file format–based attacks
Often in the form of spear phishing and whaling attacks: the victim opens the attachment
Or at a malicious / compromised web site: the malicious code forces the browser to a malicious document, which is opened by the victim

Binary Office File Format vs. Open XML format
Office 2003 (and lower) Binary Format:
OLE Structured Storage outer format
File system within a file!
Complex file format, complete with FAT table, sectors, streams (like files)
Another application-specific inner format within a stream!
Diagram: Header, STRM1, STRM2, STRM3, STRM4

Examining The File
Requires a hex editor + expert knowledge
Interesting strings in a stream near the beginning of the malicious files!
What could possibly go wrong?

Office 2007 Open XML File Format
Safety was a design goal from the beginning
Designed under the SDL
ZIP file container with ‘XML parts’
Also non-XML parts (typically binary data like embedded images or OLE objects)
Non-XML parts can be disabled by policy
Rename to .zip and open with a zip file viewer!

Historical Data
Chart: Fuzzing Iterations Completed, by quarter, 2004 to 2008
Chart: Office Security Bulletin Trend (by quarter)
Newer is Better: % of vulns affecting Office 2007 since Jan 2007: 72% Not Vulnerable, 28% Vulnerable

Layered Defenses
Harden the Attack Surface
Reduce the Attack Surface
Improve User Experience
Mitigate the Exploits

Harden the Attack Surface
Security Engineering: Security Development Lifecycle foundation; intensive distributed fuzzing
Integrate OS Advances: support for DEP/NX; leverage WIC image parsers; robust & agile cryptography

Reduce the Attack Surface
File Block:
Block unused or legacy file formats
Easy policy enforcement
View allows read-only access
Tied in with Protected View for formats between block and allow
Office File Validation:
Binary files
Runs automatically on open
Evaluates file for ‘correctness’
Protects against unknown exploits
Faster updates for changes to rules

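The two container formats described in the Binary vs. Open XML slides and the File Block policy above, as an added example that is not code from the deck: a gateway-side check that identifies a document by its container magic bytes rather than its extension, then applies a File Block style decision. classifyOfficeFile, fileBlockDecision and the sample buffers are constructed here; the policy is modelled on the slide, not Office's own implementation.

```javascript
// Added example (not from the deck): identify an Office document by its container
// signature instead of its extension, then apply a File Block style decision.
// OLE_MAGIC and ZIP_MAGIC are the public signatures of the two containers;
// classifyOfficeFile, fileBlockDecision and the sample buffers are constructed here.

const OLE_MAGIC = Buffer.from([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1]); // OLE compound file header (Office 2003 and lower)
const ZIP_MAGIC = Buffer.from([0x50, 0x4b, 0x03, 0x04]);                         // ZIP local file header "PK\x03\x04" (Open XML)

const BINARY_EXT = new Set(['doc', 'xls', 'ppt']);
const OPENXML_EXT = new Set(['docx', 'docm', 'xlsx', 'xlsm', 'pptx', 'pptm']);

function startsWith(bytes, magic) {
  return bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic);
}

// Which outer container the bytes really are, regardless of the file name.
function detectContainer(bytes) {
  if (startsWith(bytes, OLE_MAGIC)) return 'ole';
  if (startsWith(bytes, ZIP_MAGIC)) return 'zip';
  return 'unknown';
}

// Compare the claimed format (extension) with the real one (magic bytes).
function classifyOfficeFile(name, bytes) {
  const ext = name.includes('.') ? name.split('.').pop().toLowerCase() : '';
  const container = detectContainer(bytes);
  const expected = BINARY_EXT.has(ext) ? 'ole' : OPENXML_EXT.has(ext) ? 'zip' : 'unknown';
  return { name, ext, container, expected, mismatch: expected !== 'unknown' && container !== expected };
}

// File Block style policy modelled on the slide (an assumption, not Office's rules):
// legacy binary formats open read-only in Protected View, Open XML opens normally,
// and anything whose bytes disagree with its extension, or that is neither container,
// is blocked.
function fileBlockDecision(info) {
  if (info.mismatch || info.container === 'unknown') return 'block';
  if (info.container === 'ole') return 'protected-view';
  return 'open';
}

// Constructed sample inputs: header bytes only, not complete documents.
const OLE_SAMPLE = Buffer.concat([OLE_MAGIC, Buffer.alloc(504)]); // one 512-byte header sector
const ZIP_SAMPLE = Buffer.concat([ZIP_MAGIC, Buffer.alloc(26)]);  // one 30-byte local file header
const TEXT_SAMPLE = Buffer.from('MZ this is not a document', 'utf8');

const SAMPLES = [
  ['Corporate Policy.ppt', OLE_SAMPLE],
  ['report.docx', ZIP_SAMPLE],
  ['report.docx', OLE_SAMPLE], // binary file renamed to look like Open XML
  ['notes.xls', TEXT_SAMPLE],
];
for (const [name, bytes] of SAMPLES) {
  const info = classifyOfficeFile(name, bytes);
  console.log(`${name}: container=${info.container} expected=${info.expected} -> ${fileBlockDecision(info)}`);
}
```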
Gatekeeper vs MSRC cases

Mitigate the Exploits
Protected Viewer ‘Sandbox’
Word, Excel, PPT files can run in the ‘sandbox’
Prevents harmful documents from damaging user data and OS
Helps users make better trust decisions

Mitigate the Exploits: Protected Viewer
Diagram: files routed into the Office Protected Viewer:
Files that failed File Validation
Files that don’t comply with File Block Policy
Files in unsafe folders
All Outlook Attachments
Files from the Internet Zone

Office - File Formats
demo

Observations on XP
Malicious PPT drops an EXE and a clean PPT on the user's desktop (requires regular user rights)
The EXE creates a ‘.log’ file in the user's temp folder and executes it (requires regular user rights)
The malware creates 2 binaries in system32 and modifies HKLM registry keys (requires admin rights)
The binaries are injected into SYSTEM processes like winlogon.exe (requires admin rights)

Observations on Vista
Malicious PPT drops an EXE and a clean PPT on the user's desktop (requires regular user rights)
The EXE creates a ‘.log’ file in the user's temp folder and executes it (requires regular user rights)
The malware creates 2 binaries in system32 and modifies HKLM registry keys (requires admin rights)
The binaries are injected into SYSTEM processes like winlogon.exe (requires admin rights)

Better Together
File Block
GateKeeper
Standard User / UAC
UAC “Dark Roast”

Mitigations
Configure your computer to use Microsoft Update
Ensure that Microsoft security update MS06-027 has been applied to any affected software in your environment: http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
Keep your third-party software up to date. Updates for Adobe products can be downloaded from http://www.adobe.com/downloads/updates/.
If possible, upgrade your software applications to the most recent versions, since these demonstrate lower rates of attack.
Avoid opening attachments or clicking links to documents in e-mail or instant messages that are received unexpectedly or from an unknown source.
Use up-to-date antivirus software from a known, trusted source that offers real-time protection and continually updated definition files to detect and block exploits.

Summary
Trends are worms, rogue software, file format attacks; varies world wide
Security community effort in industry to keep on top
Technology evolving fast to solve root cause (GateKeeper)
Updates, virus checkers, good risk management are key, plus security standards
Lockdowns go a long way

Quick Case Study
AppLocker + Windows-only rules + App rules
No execute for standard users in writable areas
BitLocker
Lockdown to reduce attack surface
Virus checker/Updates etc…
Gives a solid defense in-depth client build!
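The case study's "no execute for standard users in writable areas" rule, written out as an AppLocker Exe policy and dry-run against a binary dropped into %TEMP%, the kind of first stage the Observations on Vista slide describes. This is an added example, not code from the SIA313 deck; the rule names, the generated GUIDs and the stand-in file name are constructed, and the cmdlets are the AppLocker module's own (Windows 7 Enterprise/Ultimate, Server 2008 R2 and later).

```powershell
# Added example (not from the SIA313 deck): an AppLocker Exe policy that lets
# standard users run only from Windows and Program Files, dry-run with
# Test-AppLockerPolicy before anything is enforced. Set-AppLockerPolicy at the
# end needs an elevated shell; the dry run does not.
Import-Module AppLocker

# Constructed rule IDs; AppLocker only requires them to be unique GUIDs.
$winId, $progId, $adminId = 1..3 | ForEach-Object { [guid]::NewGuid() }

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
# AuditOnly logs would-be blocks (AppLocker event 8003) instead of blocking;
# switch to "Enabled" once the audit log shows no legitimate software denied.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$winId" Name="Everyone: Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$progId" Name="Everyone: Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$adminId" Name="Administrators: all files" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-exe-policy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Stand-in for a binary dropped into a user-writable folder: a copy of a
# benign system binary, so the test has a real PE file to evaluate.
$dropped = Join-Path $env:TEMP 'dropped-sample.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $dropped -Force

# Dry run: the System32 copy is Allowed by the Windows rule, the %TEMP% copy
# is DeniedByDefault because no Allow rule covers user-writable paths.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $dropped |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply (merged with any existing local policy) only after reviewing the dry run.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Note that %WINDIR%\* contains a few folders standard users can write to (for example %WINDIR%\Temp), so a production policy adds path exceptions or Deny rules for those before the collection is switched from AuditOnly to Enabled.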
Summary
Both security vendors and IT professionals should adjust their risk management processes appropriately to help ensure that all operating systems and applications are protected (ISO 27000, COBIT, MS Sec Risk Guide)
Keep up to date on the wide range of potential security issues
Take appropriate actions based on your risk assessment
As individuals, to protect against malicious code:
Keep security patches and anti-virus signatures up to date, and if possible upgrade to newer software
Educate themselves about potential security risks
IT professionals and consumers should take advantage of defense-in-depth technologies, such as firewalls, antivirus programs, and antispyware programs available from trusted sources…
Summary
Most important of all… Stay informed & up to date
Microsoft Malware Protection Center
Microsoft Security Update Guide
Microsoft Security Engineering Center
Microsoft Security Response Center
Microsoft SIR v7 Report
Microsoft AV, Security Essentials
End to End Trust
Microsoft Security Development Lifecycle
Common Vulnerabilities and Exposures: http://cve.mitre.org
Question & Answer
Track Resources
Common Vulnerabilities and Exposures: http://cve.mitre.org
National Vulnerability Database: http://nvd.nist.gov
www.securityfocus.com, www.secunia.com, www.securitytracker.com
Microsoft Malware Protection Center, Microsoft Security Update Guide, Microsoft Security Engineering Center, Microsoft Security Response Center, Microsoft SIR v7 Report, Microsoft AV, Security Essentials, End to End trust, Microsoft Security Development Lifecycle
Resources
www.microsoft.com/teched
Sessions On-Demand & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learning
Microsoft Certification & Training Resources
Related Content
SIA-205: SDL-Agile: Microsoft’s Approach to Security for Agile Projects
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.