Attacking Windows Stack and How to Protect against These Attacks Graham Calladine, David Hoyle

Security Center of ExcellenceMicrosoftSession Code: SIA313

Session Objectives & Takeaways

To learn and understand:Current Attack Trends that Microsoft is seeingAttack Vectors Mitigation Strategies with Windows Products

10 Years…

We have come a long way since Melissa2003-2004 difficult times

Blaster/Slammer – Was horrible – Hit Home Users hardConficker emerged in a different s/w industry – Did not hit home users hardPartnerships

MS Response Alliance & Internet Consortium for Advanced Security on the Internet & CWG

WW Threat Trends

Not a simple trend – Geographically DiverseMiscellaneous Trojans (inc rouge s/w) most prevalentWORMS 2nd most prevalentPassword Stealers & Monitoring toolsBreaches – Data Scarce – (datalossdb.org)

Top is stolen equipment, twice as many incidents as intrusionBut equipment loss is easily reported!

Data: Microsoft SIR v7 Report

Geographical Trends

8 Locations with most infected machinesUSA,UK,France,Italy – TrojansChina, language specific browser threatsBrazil, malware targeting online bankingSpain, Korea, WORMS targeting online gamers

Data Source: SIR V7 Report Pg 40

Threat Landscape is getting better?

Improvement in Software Development PracticeSoftware Development Lifecycle (SDL)Geoff 1min Video

Increased Availability of Automatic Patch Update Process

Patch Tuesday and Auto UpdatesHowever, unpatched client is primary initial infection vector

Social engineering techniques to mislead Victims

Attacker still finds success with a variety of techniques for manipulating people

SANS Analysis

The Top Cyber Security Risks” 2009 SeptemberApplication Vulnerabilities Exceed OS VulnerabilitiesWeb Application Attacks

Cross Site Scripting, PHPFile Include, and SQL Injection

Windows: Conficker/Downadup

Cited from SANS “The Top Cyber Security Risks” 2009 September, http://www.sans.org/top-cyber-security-risks/

Attackers use social engineering techniques – Human Emotion

Microsoft Security Intelligence Report, 2008 July through December 2008

FEAR I want: Protection I got: Rogue SoftwareDesire I wanWeb Surfing, Free Stuff Games, etcI got: fake contents, malicious downloads, etc

Trust I want: Online Banking, Email, Social Networking etc.I got: Banking Malware, Phishing, Spam, and File Format Infections, etc.

Attack Vectors and Trends

Current attacks in the wildRogue Security Software and WormBrowser Based Attacks

PhishingCross Site ScriptingClickjacking

File Format Attacks

Attack Vectors and Trends

Rogue Security Software and WormsBrowser Based AttacksFile Format Attack

Rogue Unwanted SoftwareRank Family Most Significant

CategoryInfected Machines

1Win32/Renos

Trojan Downloaders & Droppers 4,371,508

2Win32/Zlob

Trojan Downloaders & Droppers 3,772,217

3Win32/Vundo Miscellaneous Trojans 3,635,207

4Win32/ZangoSearchAssistant Adware 3,326,275

5Win32/Taterf Worms 1,916,446

6Win32/ZangoShoppingreports Adware 1,752,252

7Win32/FakeXPA Miscellaneous Trojans 1,691,393

8Win32/FakeSecSen Miscellaneous Trojans 1,575,648

9Win32/Hotbar Adware 1,477,886

10Win32/Agent Miscellaneous Trojans 1,289,178

Win32/Renos

Win32/FakeXPA

Rogue Security Software 1

Use Fear to convince victimsWin32/Renos Family

Rogue Security Software 2

Use the same logicWin32/FakeXPA Family

Use your Desire

A Rogue Software Real Sample

There is no security issue or vulnerability in YouTube.com.

http://blogs.technet.com/mmpc/archive/2009/08/20/winwebsec-on-youtube.aspx

Rogue Software

Win32/FakeVimes and Win32/PrivacyCenter have become more prevalent in the last 2 monthsDistributed via fake online scanners

Worms: Win32/Conficker.A to EWin32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE)

On October 23, 2008, Microsoft released critical security update MS08-067Allow remote code execution if an affected system received a specially crafted Remote Procedure Call (RPC) request

On November 21, 2008, the first significant worm that exploits MS08-067 was discovered

The first variant discovered, Worm:Win32/Conficker.A, only uses MS08-067 exploits to propagate

On December 29 2008, a significantly more dangerous variant, Win32/Conficker.B, was discovered

Exploits the MS08-067 vulnerability but uses additional methods to propagate.It attempts to spread itself to other computers on the network

Combining the vulnerability with social engineering to introduce and spread the worm in an organization

Continues…

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

Social Engineeringby e-mailing infected fileswith official-sounding names to people at a company like“Corporate Policy.PDF”

Worms: Win32/Conficker.A to E

Release D, monitors 500/50,000 domain names/day for payloads…

Still isConficker Working Group (CWG) formed Jan09

Many people from well know sec groups/researchersImplemented defense DNS strategyKaspersky & OpenDNS – calc’ed 1Y of namesAll 110 TLDs involved & signed upRapid, effective collaboration – keeps Conficker constrained

Published Articles for Conficker

Knowledge Base articleKB962007

MMPC blog (http://blogs.technet.com/mmpc)Get Protected, Now! (October 23, 2008)A Quick Update About MS08-067 Exploits (November 17, 2008)Just in Time for New Year’s… (December 31, 2008)MSRA Released Today Addressing Conficker and Banload (January 13, 2009)Centralized Information About the Conficker Worm (January 22, 2009)Information about Worm:Win32/Conficker.D (March 27, 2009)

MitigationsGet the latest computer updates Install and update anti-malware signaturesRun an up-to-date scanning and removal tool Use caution with attachments and file transfers Use caution when clicking on links to web pages Standard user rightsProtect yourself from social engineering attacksUser Security Best Practices such as strong Password PolicyKeep eye on vulnerabilities and follow the guideline from the trusted sourceUse recent technologies and systems that can reduce the risk on exploiting

Attack Vectors and Trends

Rogue Security Software and worms

Browser Based AttacksFile Format Attack

Browser Based Attacks

PhishingCross Site ScriptingClickJacking

Browser Based Attacks

PhishingCross Site ScriptingClickJacking

Phishing: Overview

Phishing is a method of identity theft that tricks Internet users into revealing personal or financial information online.

Phishing Scam Samples

Social engineering techniques “Verify your account”“If you don't respond within 48 hours, your account will be closed”“Dear Valued Customer”“Click the link below to gain access to your account”

Spear Phishing and Whaling

Spear phishing - highly targeted phishing Send email messages that appear genuine to all employees and members within a community

Whaling - involves targeted attacks on senior executives and other high ranking people

Phishing Trends in Industry

APWG: Anti Phishing Working Group Report, 2009 1H

http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

Phish Tank: Current Phish Sites

Live Phish site can be found

http://www.phishtank.com/

Phishing with Hotmail

Illegally acquired by a phishing scheme and exposed to a website

Microsoft Recommends:Renew their passwords for Windows Live IDs every 90 daysFor administrators, make sure you approve and authenticate only users that you know and can verify credentialsAs phishing sites can also pose additional threats, install and keep anti-virus software up to date

Techniques

Man-in-the-middle attacks Proxies, DNS Cache Poisoning, etc

URL Obfuscation attacksBad Domain Name, Friendly Login URL’s, Host Name/URL Obfuscation, etc

Etc…

Anti-PhishingIE 8 SmartScreen

demo

Mitigations

Use an up-to-date anti-malware product from a known, trusted source, and keep it updated.Use the most recent version of your Web browser, and keep it up to date by applying security updates and service packs in a timely fashion.Use a robust spam filter to guard against fraudulent and dangerous e-mail.You can add sites you trust to the Trusted Sites zone with more than middle security level. Follow the guidance to take actions

http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx

Browser Based Attacks

Phishing

Cross Site ScriptingClickJacking

Cross Site Scripting: Overview

Cross-Site Scripting (XSS): Occurs whenever an application reads user data, and embeds that user data in Web responses without encoding or validating the user dataCommon vulnerabilities that make Web-based applications susceptible to cross-site scripting attacks:

Improper input validationFailing to encode outputTrusting data from shared resources

Cross Site Scripting in News

October 2005 MySpace “Samy” wormFebruary 2006 FacebookJune 2008 Yahoo MailDecember 2008 American ExpressApril 2009 Twitter

http://twittercism.com/remove-stalkdaily/

http://xssed.com/ - live XSSed

Types of Cross-Site Scripting

Two major types of cross-site scripting attacks:Type 1: Non-Persistent

Often referred to as reflected cross-site scriptingRequires some level of social engineering

Type 2: PersistentStored cross-site scriptingOne attack can affect multiple users

Type 0: DOM-Based

38

Type 1: Non-PersistentCross-Site Scripting

39Malicious User User

Congratulations! You won a prize, please click here to claim your prize!

<html><head><title>Hello</title></head><body>[malicious code]</body>…

http://www.contoso.com?id=[malicious code]

Web Server

Blog Comment:Hello, this article was helpful! [malicious code]Thanks, Kevin

Type 2: PersistentCross-Site Scripting

40

Malicious User

User

DatabaseWeb Server

Blog Comment:Hello, this article was helpful! [malicious code]Thanks, Kevin

User User

Mitigation Strategies

Server SidesValidate all untrusted inputEncode any Web response data that could contain user or other untrusted inputUse built-in ASP.NET protection via the ValidateRequest optionUse the System.Web.HttpCookie.HttpOnly propertyUse the <frame>, <iframe> IE6 and above security attributeUse the Microsoft Anti-Cross Site Scripting Library (AntiXSS)

Microsoft Anti-Cross Site Scripting Library V3.1

New featuresAn expanded white list that supports more languages Performance improvements Performance data sheets (in the online help) Support for Shift_JIS encoding for mobile browsers A sample application Security Runtime Engine (SRE) HTTP module

Security Runtime Engine (SRE) HTTP module Ideally, you do not need to change your code!

In your your web.config, <httpModules> <add name="AntiXssModule" type="Microsoft.Security.Application. SecurityRuntimeEngine.AntiXssModule"/> </httpModules>

In antixssmodule.config, <ControlEncodingContexts>  <ControlEncodingContext FullClassName="System.Web.UI.Page"

PropertyName="Title" EncodingContext="Html" />  <ControlEncodingContext FullClassName="System.Web.UI.WebControls.Label" PropertyName="Text" EncodingContext="Html" />  <ControlEncodingContext FullClassName="System.Web.UI.WebControls.CheckBox" PropertyName="Text" EncodingContext="Html" /> </ControlEncodingContexts>

Anti-Cross Site Scripting in ActionMicrosoft Anti-Cross Site Scripting Library V3.1

demo

Mitigation Strategies

Client SidesIE8 XSS Filter

Anti-Cross Site Scripting in ActionIE8 XSS Filter with Microsoft Application Compatibility Tool Kit

demo

Browser Based Attacks

PhishingCross Site Scripting

ClickJacking

ClickJacking: Overview

Clickjacking is :an attack that tricks the victim into initiating commands on a website that they did not intend. Use iframes and web page layers in DHTML such that you overlay a potentially malicious button (for example) on top of an existing legitimate web page.

A ClickJacking Example

Suppose that a hacker site has the following source code…

Mitigation

Use FrameBreaker Script<script>if (top!=self) top.location.href=self.location.href</script>

Use X-Frame-Options Header for IE8HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framedThe OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame

Add X-FRAME-OPTIONS and Deny to HTTP Response Headers using IIS Manager, In html, insert <meta http-equiv="X-FRAME-OPTIONS" content="DENY" /> in <head> section, orUsing ASP.Net, you can insert Response.AddHeader("X-Frame-Options", "Deny”).

ClickJacking: FrameBreaker and IE8 Defense

demo

Attack Vectors and Trends

Rogue Unwanted SoftwareBrowser Based Attacks

File Format Attack - Office

File Format Attack: Overview

This class of vulnerability is described as parser vulnerabilities.

Attacker creates a specially crafted document that takes advantage of an error in how the code processes or parses the file format.

Increasingly, attackers are using common file formats as transmission vectors for exploits.

Office format and PDF format

File Format Attack Trend

Recent (2H08) saw a sharp increase in the number of file format–based attacks,

Often in the form of spear phishing and whaling attacks, the victim opens the attachmentOr at a malicious / compromised web site, and the malicious code forces browsers to a malicious document, which is opened by victim

Binary Office File Format vs. Open XML format

Office 2003 (and lower) Binary FormatOLE Structured Storage outer formatFile system within a file!Complex file formatcomplete with

FAT TableSectorsStreams (like files)

Another application specific inner format within a stream!

STRM1 STRM2

STRM3 STRM4Header

Examining The File

Requires a hex editor + expert knowledgeInteresting strings in a stream near the beginning of the malicious files!

What could possibly go wrong?

Office 2007 Open XML File Format

Safety was a design goal from the beginningDesigned under the SDL

ZIP file container with ‘XML parts’Also non-XML parts (typically binary data like embedded images or OLE objects)

Non-XML parts can be disabled by policy

Rename to .zip and open with zip file viewer!

Historical DataFuzzing Iterations Completed

1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2

2004 2005 2006 2007 2008

30

25

20

15

10

5

0

Office Security Bulletin Trend (by quarter)

72% Not Vulnerable

Newer is Better% of vulns affecting Office 2007 since Jan 2007

28% Vulnerable

Layered Defenses

Harden the Attack

Surface

Reduce the Attack

Surface

Improve User

Experience

Mitigate the Exploits

Security EngineeringSecurity Development Lifecycle FoundationIntensive Distributed Fuzzing

Integrate OS AdvancesSupport for DEP/NXLeverage WIC Image ParsersRobust & Agile Cryptography

Harden the Attack

Surface

Harden the Attack Surface

Reduce the Attack

Surface

File BlockBlock unused or legacy file formatsEasy policy enforcementView allows read-only accessTied in with Protected View for formats between block and allow

Office File ValidationBinary filesRuns automatically on openEvaluates file for ‘correctness’Protects against unknown exploitsFaster updates for changes to rules

Reduce the Attack Surface

Gatekeeper vs MSRC cases

Mitigate the Exploits

Protected Viewer ‘Sandbox’

Word, Excel, PPT files can run in the ‘sandbox’Prevents harmful documents from damaging user data and OSHelp users make better trust decisions

Protected Viewer

Office Protected

Viewer

Files that failed

File Validation

Files that don’t comply with File

Block Policy

Files in unsafe folders

All Outlook Attachments

Files from the Internet

Zone

Mitigate the Exploits

Office - FileFormatsdemo

Observations on XP

Malicious PPT drops an EXE and a clean

PPT on users desktop

The EXE creates a ‘.log’ file in users temp folder and

executes it.

The malware creates 2 binaries in

system32 and modifies HKLM

registry keys

The binaries are injected into SYSTEM

processes like winlogon.exe

Requires regular

user rights

Requires regular

user rights

Requires admin rights

Requires admin rights

Observations on Vista

Malicious PPT drops an EXE and a clean

PPT on users desktop

The EXE creates a ‘.log’ file in users temp folder and

executes it.

The malware creates 2 binaries in

system32 and modifies HKLM

registry keys

The binaries are injected into SYSTEM

processes like winlogon.exe

Requires regular

user rights

Requires regular

user rights

Requires admin rights

Requires admin rights

Better Together

File Block

GateKeeper

Standard User / UAC

UAC “Dark Roast”

MitigationsConfigure your computer to use Microsoft Update

Ensure that Microsoft security update MS06-027 has been applied to any affected software in your environment: http://www.microsoft.com/technet/security/bulletin/ MS06-027.mspx.

Keep your third-party software up to date. Updates for Adobe products can be downloaded from http://www.adobe.com/downloads/updates/.

If possible, upgrade your software applications to the most recent versions, since these demonstrate lower rates of attack.

Avoid opening attachments or clicking links to documents in e-mail or instant messages that are received unexpectedly or from an unknown source.

Use up-to-date antivirus software from a known, trusted source that offers real-time protection and continually updated definition files to detect and block exploits.

Summary

Trends are WORMS, Rogue, FileFormatVaries world wide

Security Community effort in industry to keep on topTechnology evolving fast to solve root cause (GateKeeper)Updates, Virus Checkers, Good Risk Management are key, Security StandardsLockdowns go a long way

Quick Case Study

AppLocker + Windows only rules + App rulesNo execute for standard users for writable areasBitlockerLockdown to reduce attack surfaceVirus checker/Updates etc…

Gives a solid defense in-depth client build!

Summary

Both security vendors and IT professionals should Adjust their risk management processes appropriately to help ensure that all operating systems and applications are protected (ISO 27000, COBIT, MS Sec Risk Guide)Keep updating wide range of potential security issuesTake appropriate actions based on your risk assessment

As individual to protect against malicious codeKeep update the security patches and anti-virus signatures, and if possible upgrade to newer softwareEducate themselves for potential security risksIT professionals and consumers should take advantage of the defense-in-depth technologies, such as firewalls, antivirus programs, and antispyware programs available from trusted sources…

SummaryMost important of all…Stay informed & up to date

Microsoft Malware Protection CenterMicrosoft Security Update GuideMicrosoft Security Engineering CenterMicrosoft Security Response CenterMicrosoft SIR v7 ReportMicrosoft AVSecurity EssentialsEnd to End trustMicrosoft Security Development LifecycleCommon Vulnerabilities and Exposures : http://cve.mitre.org

question & answer

Track Resources

Common Vulnerabilities and Exposures : http://cve.mitre.org

Nation Vulnerability Database : http://nvdnist.gov

www.securityfocus.com, www.secunia.com, www.securitytracker.com

Microsoft Malware Protection Center, Microsoft Security Update Guide, Microsoft Security Engineering Center, Microsoft Security Response Center, Microsoft SIR v7 Report, Microsoft AV, Security Essentials, End to End trust, Microsoft Security Development Lifecycle

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

Related Content

SIA-205: SDL-Agile: Microsoft’s Approach to Security for Agile Projects

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.