Conficker Summary and Review Dave Piscitello, ICANN Senior Security Technologist 7 May 2010
Abstract

This report provides a chronology of events related to the containment of the Conficker worm. It provides an introduction and brief description of the worm and its evolution, but its primary focus is to piece together the post-discovery and analysis events, describe the containment measures chronologically, and describe the collaborative effort to contain the spread of the worm. The author captures lessons learned during a containment period spanning nearly a year and describes recent activities that attempt to apply the lessons learned so that the security and DNS communities can be better prepared for future attacks that exploit the global DNS.

This report represents the work of the author, on behalf of the ICANN Security Team. The author is responsible for errors or omissions. While members of the Conficker Working Group, ICANN SSAC, individual security researchers, and certain ICANN registries were invited to comment or review the report, none of these organizations were asked to formally endorse this work product.

Introduction

The Conficker worm first appeared in October 2008 and quickly earned as much notoriety as Code Red [1], Blaster [2], Sasser [3] and SQL Slammer [4]. The infection is found in both home and business networks, including large multi-national enterprise networks. Attempts to estimate the populations of Conficker-infected hosts at any given time have varied widely, but all estimates exceed millions of personal computers.

The operational response to Conficker is perhaps as landmark an event as the worm itself. Internet security researchers, operating system and antivirus software vendors discovered the worm in late 2008. These parties as well as law enforcement formed an ad hoc effort with ICANN, top level domain (TLD) registries and registrars around the world to contain the threat by preventing Conficker malware writers from using tens of thousands of domain names algorithmically generated daily by the Conficker infection.
Conficker malware writers made use of domain names rather than IP addresses to make their attack networks resilient against detection and takedown. Initial countermeasures, sinkholing or preemptive registrations of domains used to identify Conficker's command and control (C&C) hosts, prevented the malware writers from communicating with Conficker-infected systems and thus, presumably,
prevented the writers from instructing the botted hosts to conduct attacks or to receive updates. The Conficker malware writers responded to this measure by introducing variants to the original infection that increased the number of algorithmically generated domain names and distributed the names more widely across TLDs. To respond to this escalation, parties involved in containing Conficker contacted more than 100 TLDs around the world to participate in the containment effort.

The combined efforts of all parties involved in the collaborative response should be measured by more criteria than mitigation alone. The containment measures did not eradicate the worm or dismantle the botnet entirely. Still, the coordinated operational response merits attention because the measures disrupted botnet command and control communications and caused Conficker malware writers to change their behavior. The collaborative effort also demonstrated that security communities are willing and able to join forces in response to incidents that threaten the security and stability of the DNS and domain registration systems on a global scale.
Conficker Background

This section draws heavily from an excellent paper on the Conficker worm published at the Honeynet Project by authors Felix Leder and Tillmann Werner [5]. The description here largely tracks and distinguishes among Conficker variants when changes affected the worm's use of the DNS. It discusses the worm in general terms. Those interested in a very technical analysis of Conficker's infection, armoring and update processes, variants of the domain name generation algorithms, signatures that can be used by intrusion detection systems to detect Conficker, and disinfection issues are encouraged to read the full paper. Leder and Werner have also produced a short video on the structure of Conficker and maintain a list of disinfectants and scanners at the Containing Conficker web page [6]. Lists of domain names generated by Conficker variants may be of particular interest to the domain name community and can be obtained there as well. Another source for this summary is an SRI technical report by Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, which analyzes the Conficker package, processing, and protocol in considerable detail.

Conficker is called a worm because the first discovered variant attached to a program (executable), was self-replicating, and (importantly) used a network as the delivery mechanism. This combination of characteristics distinguishes worms from viruses [7]. Conficker is actually a blended threat [8] because it can be delivered via network file shares, mapped drives and removable media as well. The Conficker infection is a type of software called a dynamic link library (DLL). A DLL cannot execute alone but must be loaded by or into a running application. The Conficker DLL launches with rundll on Windows, which lets it run as a standalone process. A Conficker installer loads its DLL into a Windows application by exploiting the MS08-067 vulnerability in the Windows Operating System [9]. This vulnerability allows Conficker malware writers to use what is called a buffer overflow to "inject" code into the Windows Server service.
A buffer overflow is a method of exploiting software programming that fails to check boundaries before writing information into memory. The attacker discovers that a program is vulnerable to a buffer overflow by attempting to write more information into memory than the programmer had allocated to store information. Specifically, the attacker seeks to write information into memory that is adjacent to the memory he overruns. This adjacent memory may contain data or it may contain executable code; in either case, the attacked application will not operate as anticipated when it encounters the malicious code the attacker injected. In the case of Conficker, the attacker injected executable code that gives the attacker remote control over the infected computer and in particular, remote code execution privileges. Using the injected code, the attacker can add or change code to make the infected host computer do whatever it chooses.
To prevent detection, certain worms embed themselves in a benign manner on the infected computer, i.e., into a program or software that is expected to run on a computer running the Windows operating system. The worm then attempts to disable software that could detect or remove the infection. Conficker variants disable Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. Later variants also used DNS filtering to block antimalware programs from obtaining updates (e.g., virus signatures that would allow the resident AV software to detect and remove Conficker-related malware). Conficker malware also resets the Windows System Restore point [10], which contains information that could be used to remove Conficker malware by restoring the infected computer's file system and registry to versions saved prior to the infection.

Early variants of the Conficker malware enlisted an infected machine into a Conficker botnet. Once enlisted, the malware running on infected computers uses a domain generation algorithm (DGA) to create a daily list of domain names. The Conficker malware writers used the same algorithm to generate an identical list. The writers then registered a small number of these domains and set up name resolution service for the selected subset of domains so that the domain names assigned to Internet rendezvous logic points [i] can be resolved to IP addresses by DNS resolvers. The Conficker malware writers did not appear to use the generated domain names routinely, presumably because they determined the names had been blocked. A later variant shifted the botnet from employing rendezvous logic points to a peer-to-peer network. Malware operating on infected hosts discovers other bots by detecting attacks from another infected host, confirming the code the attacking host attempts to inject is the same as its own code, and connecting back to the attacker using HTTP so that hosts with matched infections can share files directly.
The Conficker-infected computers attempt to connect to HTTP servers operating on rendezvous logic points by contacting domains from the daily-generated list of domain names. If they are able to resolve a domain name and connect to an HTTP server, the botted machines are able to receive additional malware or instructions to perform certain actions using already-present executables. The worm uses strong cryptographic techniques (RSA and MD6) to control what code can be loaded onto an infected box. All code "loads" must be correctly signed or they will be rejected. Presumably, only the Conficker malware writer has the private signing key for updates. In some cases, the Conficker bot will be told to try various means of infecting other hosts (e.g., through anonymous network shares). In other cases, the Conficker bots can become an army that can be directed at will by rendezvous points to support a wide range of malicious or criminal activities.

[i] A rendezvous logic point is a server that is functionally similar to a command and control (C&C) server.

Botnets are extremely difficult to dismantle. Botnets can remain operational, and will continue to serve as platforms for numerous attacks, for as long as the botted
computers remain infected and as long as the bots can remotely communicate with the rendezvous point(s).

The following section offers a chronology of events that describe how the security, intelligence and DNS communities were able to disrupt communications between Conficker-infected hosts and rendezvous logic points.

Origin and Evolution of the Conficker Working Group

Prior to the formation of the Conficker Working Group, operating system and security software vendors (Microsoft, Symantec, F-Secure), other security research organizations (Shadowserver Foundation, Team Cymru) and the intelligence community (US Federal Bureau of Investigation, US Secret Service and the US Department of Defense) had monitored and analyzed Conficker and had cooperated to contain the threat. F-Secure had begun "spot sinkholing" [ii] domain names that Conficker bots were attempting to contact to estimate the size of the botnet. Several operators of the top level domains in which Conficker malware writers were registering domains (VeriSign, Afilias, NeuStar, PIR, and WS) were already involved at this point, and ICANN staff assisted the security researchers in contacting CNNIC to advise them of the threat and ask for their participation in the containment effort.

To support efforts to monitor Conficker traffic, analyze the infection, identify infected hosts and estimate the size of the botnet, Support Intelligence was registering 500 domain names identified as Conficker algorithmically generated domains per day across a small number of top level domains, through an ICANN accredited registrar, Alice's Registry, Inc. As part of the preemptive registration action, Support Intelligence configured name servers to resolve to IP addresses of sinkholing hosts under the control of security researchers and malware analysts.
Preemptive domain registrations had previously been applied with some success by FireEye Malware Detection Labs to thwart the Srizbi botnet in early November [11] and security researchers were hoping for similar success by applying the same technique. In the case of Conficker, preemptive registration was to serve two purposes: prevent Conficker-infected hosts from communicating with C&C and direct traffic to sinkhole hosts where the Conficker bot traffic could be further monitored and analyzed. On 28 January 2009, a security researcher at Support Intelligence contacted ICANN staff regarding the Conficker threat. Support Intelligence's blocking activities were self-funded and the organization was seeking support from ICANN to obtain financial relief or reimbursement from registries for the domains it had and was continuing to register.

[ii] The verb "sinkhole" refers to an activity where traffic suspected to be associated with a botnet is redirected to a computer(s) operated by security researchers or law enforcement for observation or to divert an attack away from an intended target.
Discussions relating to the ongoing Conficker response activities appeared on several security lists in parallel with these activities, which increased awareness of the global nature and scale of the threat. For example, personnel at registry operator Afilias were discussing Conficker monitoring, blocking, and funding issues with several relevant parties prior to Support Intelligence contacting ICANN. CERT/CC staff had contacted staff at domain name registry operator NeuStar to ask whether NeuStar might arrange for some assistance from the BIZ registry to help contain Conficker. On 31 January 2009, NeuStar received briefings describing Support Intelligence's preemptive registration initiative from Microsoft staff and other security researchers via private correspondence. Combined, these dialogs were essential in engaging resources to contain Conficker, but they were loosely coordinated in the sense that not all parties were kept informed at all times, information shared was not uniform, and dissemination of information relied heavily on individual webs of trust.

By this time, several organizations (Symantec/Kaspersky, eNom) had begun contributing funds to assist with payment of the fees Support Intelligence was incurring to contain Conficker. This financial aid helped pay for or recover registration fees to ccTLDs. Recognizing that the current method of preemptive registration was "fundamentally unsustainable" even with Microsoft's contributions and that the operational response imposed an unreasonable and precarious burden on a single individual, NeuStar contacted ICANN's Chief Internet Security Advisor and the chairman of ICANN's Security and Stability Advisory Committee (SSAC).
On 3 February 2009, while attending an ICANN DNS SSR retreat, several parties already involved in the containment effort met in Atlanta to conduct a briefing for senior management from ICANN and gTLD registries. Participating were:

- ICANN senior management, general counsel, and security staff,
- Law enforcement (FBI/NCFTA),
- Security researchers (Microsoft, Support Intelligence, ISC), and
- gTLD registry operators (VeriSign, Afilias, NeuStar)

Participants reviewed how Conficker had been handled to date (see above), and discussed how to sustain the effort through February and March and how to manage public disclosure. The operators of the affected registries (initially, BIZ, COM, INFO, NET, and ORG) volunteered their participation and set about blocking domain names. The participants discussed ways that ICANN might assist in the preemptive registration effort. ICANN's security staff agreed to coordinate preemptive registrations with ccTLDs and to facilitate ongoing communications among the participants. ICANN senior management and general counsel agreed to consider declaring the Conficker response to be a special circumstance (exception case) and to manage contractual waiver aspects of the response so that the gTLD registries could continue their preemptive registration activities through 1 April 2009. The participants agreed to continue to conference regularly to report status and to explore mechanisms to contain or mitigate future, similar threats.
Based on traffic analysis and intelligence gathered related to Conficker available at the time of the meeting, participants agreed that the operational response plan put into action in Atlanta would have to continue for several months and a workflow emerged: researchers would generate the daily lists and contact the targeted registries, who would then take measures to block Conficker botnet operators from registering the domain names.

On 12 February, Microsoft published a press release announcing "partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (a.k.a. Downadup) worm" [12] and offering a $250,000 reward for information leading to the arrest and conviction of Conficker's writers [13]. The announcement acknowledged the participation and cooperation of ICANN, registry operators (NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry) as well as Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Institute of Technology, the Shadowserver Foundation, Arbor Networks and Support Intelligence. At this point, Arbor Networks joined to complement sinkhole operations. Following this announcement, the press began referring to the ad hoc partnership as the Conficker Cabal [14]. The partnership later preferred and continues to use the name Conficker Working Group.

From early February through mid-April, the staff from ICANN security, services, compliance and legal departments coordinated a series of calls with parties who agreed to collaborate as a DNS operational response team. The team, consisting of involved gTLD registry and registrar representatives, met to continue to share information and to discuss ongoing efforts to contain Conficker. The group was explicitly a voluntary collaboration that focused specifically on the Conficker situation, established mechanisms for vetting additional members to ensure trust in those involved and made no determinations related to any contractual matters.
Many of these parties were also engaged in the broader security community Conficker Working Group. By this point the CWG had multiple functioning subgroups, including sinkhole operators, malware analyzers, DNS operators, remediation tool producers, etc.

[iii] The labeling of Conficker variants becomes confusing at this point. One security researcher at SRI obtained a virus sample and labeled it B++ whereas other analysts labeled the variant C. The 8 March 2009 SRI analysis of Conficker.C thus describes the variant others in the community labeled D. Some members of the security community now refer to the 1 April 2009 variant as Conficker.C/D. A table comparing certain features of the Conficker variants appears in Appendix A.

On 20 February, Microsoft received reports of a Conficker.C variant [iii]. Security researchers determined by examining infection samples that this variant had a more aggressive domain generation algorithm. Cognizant that the security and domain name communities were blocking registrations, the Conficker malware writers seemed intent to test the level of commitment of the Conficker Working Group. In "An Analysis of Conficker.C" [15], Porras, Saidi, and Yegneswaran describe Conficker.C as "a direct retort to the action of the Conficker Cabal, which recently blocked all domain
registrations associated with the A and B strains." The Conficker.C variant introduced two functional changes. The first altered the control channel communications from a C&C to a peer-to-peer model. Conficker.C also changed the domain name generation algorithm and rendezvous logic point selection method: "Conficker.C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. Conficker.C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block Conficker.C's potential DNS queries."

With this latest escalation in domain name manipulation, Conficker.C posed a significant challenge to those hoping to track its census and contain the threat it posed. The Conficker.C variant also highlighted the weakness of blocking name registrations as a countermeasure. The measure does not scale. By introducing increasingly large numbers of possible registrations and spreading these across a large number of TLD registries, the Conficker writers increased the likelihood of oversight or error, and also increased the number of organizations that had to collaborate.

Leder and Werner note in their report that the new Conficker variant improved the domain generation algorithm measurably, but at the same time revealed information that the writers should have taken care to hide: "Conficker.C contains code that will start to look for updates after 1 April 2009 local time... It is this hardcoded date value within the code that has generated such a high degree of press speculation about what the Conficker botnet will or more likely won't happen on April Fools day." Hardcoding the date into the Conficker.C variant was not very clever and in fact, shows that even in the virus world those who fail to study history are doomed to repeat it: hardcoding IP addresses of infection code had earlier provided security researchers with the means to block communications between bots and C&Cs.
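To make the daily-list workflow and the scaling problem concrete, here is an added illustration (my own code, not from the report, the Conficker Working Group, or the malware): a toy date-seeded DGA standing in for Conficker's real algorithm, the per-registry blocklist build with the collision filtering registries applied, and the day's coordination burden for the 5, 8 and 110 TLD spreads the report quotes. The per-day counts for the A and B profiles, the TLD labels, the seed and all function names are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Variant profiles for this illustration. The TLD spread (5 -> 8 -> 110) and
# the "over 50,000 names a day" figure for Conficker.C come from the report;
# the per-day counts for the A and B profiles and the TLD labels themselves
# are constructed assumptions, not Conficker's real values.
VARIANT_PROFILES = {
    "A": {"names_per_day": 250, "tlds": ["com", "net", "org", "info", "biz"]},
    "B": {"names_per_day": 250,
          "tlds": ["com", "net", "org", "info", "biz", "ws", "cn", "cc"]},
    "C": {"names_per_day": 50_000, "tlds": [f"tld{i:03d}" for i in range(110)]},
}


def generate_daily_domains(day_iso: str, variant: str, seed: bytes = b"toy-dga") -> list:
    """Toy date-seeded DGA (a stand-in, NOT Conficker's algorithm).

    Only the property the containment workflow relies on is modelled: the list
    is a deterministic function of the date and variant, so a researcher who has
    reverse engineered the algorithm computes tomorrow's names today, exactly
    as the malware on an infected host will.
    """
    profile = VARIANT_PROFILES[variant]
    tlds = profile["tlds"]
    names = []
    for i in range(profile["names_per_day"]):
        material = seed + day_iso.encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 5 + digest[0] % 6                       # label of 5..10 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{tlds[digest[11] % len(tlds)]}")
    return names


def build_tld_blocklists(domains: list, registered: set) -> tuple:
    """Split one day's list per TLD, the tailored list each registry received.

    Names that collide with a domain already legitimately registered are set
    aside for the registry to review rather than blocked outright, mirroring the
    collision filtering the report says registries performed.
    Returns ({tld: sorted names}, [collisions]).
    """
    per_tld = defaultdict(list)
    collisions = []
    for name in domains:
        if name in registered:
            collisions.append(name)
            continue
        per_tld[name.rsplit(".", 1)[1]].append(name)
    return {tld: sorted(names) for tld, names in per_tld.items()}, collisions


def daily_burden(day_iso: str) -> dict:
    """Per variant: names to block that day, registries to contact, and the
    longest single-registry list, i.e. where the measure stops scaling."""
    burden = {}
    for variant in VARIANT_PROFILES:
        per_tld, _ = build_tld_blocklists(generate_daily_domains(day_iso, variant), set())
        burden[variant] = {
            "names": sum(len(v) for v in per_tld.values()),
            "tlds_to_contact": len(per_tld),
            "largest_tld_list": max(len(v) for v in per_tld.values()),
        }
    return burden


if __name__ == "__main__":
    day = "2009-04-01"                       # the update date the report discusses
    todays = generate_daily_domains(day, "A")
    # Constructed: pretend one generated name is already held by a legitimate registrant.
    already_registered = {todays[3], "example.com"}
    per_tld, collisions = build_tld_blocklists(todays, already_registered)
    for tld, names in sorted(per_tld.items()):
        print(f".{tld}: {len(names)} names to block, first is {names[0]}")
    print("collisions for registry review:", collisions)
    for variant, stats in daily_burden(day).items():
        print(f"variant {variant}: {stats}")
```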
At this point, the CWG faced several uncertainties and challenges. CWG members and others had made several repair and removal tools available, but the group could not enforce remediation or determine how many hosts infected by prior Conficker variants remained infected and had been upgraded by the Conficker malware writers from the original A variant (and thus could be further upgraded to Conficker.C). Considerable efforts to make the public aware of the threat were underway, but the CWG had to anticipate that Conficker.C would infect additional (new) hosts. The CWG focused certain of its monitoring activities on determining whether any of the algorithmically generated domains duplicated names already registered in a TLD and other efforts to continue to identify the domain names Conficker generated and make these available to TLDs so that they could be blocked.

ICANN security staff and ICANN regional liaisons contacted the list of ccTLD operators that security researchers had identified as targets for Conficker registrations, supplied each operator with a tailored list of names Conficker
malware writers would attempt to register, and advised them to join security mailing lists where DNS response issues related to the Conficker worms are discussed; however, certain ccTLD operators would not block the names on the list without a court order. ICANN staff also contacted the chair of the ccNSO and the managers of the regional ccTLD groups (CENTR, APTLD, AfTLD, LACTLD) to assist in calling attention to the anticipated event.

The anticipated April 1 update event received considerable public attention [16]. The Conficker Working Group, complemented now by a number of ccTLDs, prepared for the event. ICANN security staff and Conficker Working Group members recognized that 100% awareness or timely participation across such a large number of registry operators was doubtful. Cooperation among the various registry operators, although unlikely to fully stop Conficker, would enable the anti-virus community and those involved to better track and understand the spread of the worm and then to use that information to help disinfect systems.

By 30 March 2009, security researchers involved in The Honeynet Project had sufficiently analyzed Conficker.C to positively identify the infection [17]. Detection signatures were made available and quickly included in free and for-fee network scanners (nmap, Tenable Security's Nessus, McAfee Foundstone Enterprise, and Qualys). Given the number of systems that remained infected and not patched, security researchers conceded that the number of systems still infected with earlier Conficker variants and still not patched to mitigate MS08-067 would be updated on 1 April 2009 with the Conficker.E variant and that the extent and success of the update could not be predicted.

The intent of the Conficker.E variant was to remove all but the core malware functionality and upgrade contacted hosts with the new P2P communications ability. According to Microsoft Malware Protection Center [18], the Conficker.E variant executes a self-termination routine when the date is May 3 2009. The worm deletes its main executable component on this date. However the DLL payload component (detected as Worm:Win32/Conficker.E.dll) remains to continue participating in P2P communication among infected peers.
On 21 September 2009, SRI released a "Conficker P2P Protocol and Implementation Analysis" [19]. In the report, the authors describe the new P2P scan-based discovery method Conficker malware writers would now use to join an infected host into the Conficker P2P network, the means by which peers share malware executables, and more.

Ongoing Conficker Working Group Activity

Efforts continue to block registration of Conficker domains. Traffic analysis efforts have been helpful in developing a better understanding of the distribution of the worm and intended applications of the Conficker botnet [20]. Microsoft and security vendors continue to study methods for detection and removal of known variants.
Security researchers continue to publish and distribute Conficker scanners, signatures for intrusion systems, and general information. Efforts to target outreach to particularly infested networks continue.

The Conficker infection rate remains high for B and C variants but declining for C/E. Remediation continues to pose challenges. Security researchers continue to track Conficker. An October 2009 snapshot by the Shadowserver Foundation estimates the number of systems infected with Conficker A/B/C variants at approximately seven million [21]. The Conficker Working Group maintains a visual timeline and chronology of Conficker at [22] to track historical, current and future events.

Activities to detect Conficker variants and remediate Conficker-infected hosts will undoubtedly continue for some time. This is inevitable given the millions of infected computers and historically marginal success in remediating malware. Lessons learned during the Conficker containment period are discussed in a later section of this paper. Security and DNS communities are working to devise long-term and sustainable approaches for dealing with not only Conficker but also future, similar threats. These, too, are discussed in a later section of this paper.

The Importance of Roles in the Conficker Working Group

All the actions related to mitigating the Conficker worm were not directly nor entirely within the remit of any individual CWG participant. Throughout the chronology of Conficker events, all the collaborating parties performed roles that were appropriate to their organizations' core competencies: malware researchers reverse engineered the dropper/installer, traffic analysis engineers identified the loci of infestations, ICANN facilitated communications between registries and parties who compiled the C&C domain lists, and registry operators blocked registrations of Conficker domains. The collaborating parties tried to adhere to the best practices of public disclosure of security incidents and events by maintaining a low profile, protecting sensitive information, and sharing only information that the ad hoc partnership agreed to share.
Several CWG members publicly expressed their surprise and gratitude for member willingness to engage in the Conficker containment [23]. Many security and registry organizations had not encountered circumstances such as those Conficker posed and thus did not have communications channels in place to coordinate containment efforts. CWG members indicated that ICANN's ability to facilitate and expedite communications with TLD registries accelerated processes that would under other circumstances have been challenging if not impossible to obtain during the windows of opportunity Conficker afforded them. ICANN security staff and regional liaisons initially filled this gap by relaying information gathered by security researchers to TLD operators and later by introducing collaborators and providing direct contact information. Registry operators blocked Conficker domains and advised ICANN
counsel and senior management of the measures they took to prevent the registration of auto-generated domains by the Conficker miscreants. These ad hoc methods provided some insight into how certain formal constructs might prove beneficial in future response efforts.

Conficker Today

Infection tracking by the CWG shows that Conficker.C populations have diminished over the past year but that the number of computers infected with Conficker A+B is still large (graphs courtesy of Conficker Working Group [24]).

Over the past year, the Shadowserver Foundation has tracked the Conficker populations (A+B, C, and aggregate), which remain in the millions.
Lessons Learned

Several lessons may be learned from the chronology and events related to containing the Conficker worm. Perhaps the most positive lesson learned is that DNS, security, and law enforcement can collaborate when an incident of global proportion is identified. A positive result from the ad hoc response was that the participants disrupted the botnet communications and thus prevented opportunities to put the botnet to misuse. The containment, however, was temporary, and the Conficker malware writers countered by making the containment measure increasingly difficult to coordinate and sustain.

The Conficker collaborative responses relied largely on volunteer efforts and goodwill, informal communications channels, interventional operational practices, informal agreements, and assumptions that response would be uniform and unilateral. Each of these dependencies exposed certain weaknesses:

Ad hoc collaborative response may not be scalable or sustainable. In the absence of (complementary) formal structures or commitments, certain problems that encumbered or confounded the Conficker response will persist. The Conficker response was a highly distributed effort that leveraged many volunteers as well as full time staff across multiple organizations to get the job done. We need to consider the fact that we cannot rely on having sufficient resources of the caliber that were engaged for Conficker to be available at a moment's notice as a real threat. As we study threats to the DNS, we need to also consider that we have not yet encountered a situation where resources might be needed for multiple, simultaneous incidents involving the global DNS.
Like other malware writers, worm/botnet writers will adapt to countermeasures deployed to detect or contain them. However, we still see evidence that while botnet writers have adapted to the containment, they still appear to prefer DNS to hard-coded IP addresses and still use second level labels across multiple TLDs. The DNS is likely to continue to be part of malware writer toolkits. It is thus appropriate to consider ways to build on the successful elements of this incident response and improve those aspects that were not so successful.

Informal communications may not be sufficient for all global incident response efforts, especially in situations where there is zero tolerance for error or omission. Conficker demanded constant attention from responders. Conficker variants generated new domain lists daily. Security researchers monitored traffic and analyzed code samples continuously in anticipation of new variants. During the months of effort to contain Conficker, communications among responders could be characterized as having spikes, lags, and dormant periods where some parties were unable to respond or unresponsive. In certain cases, contact information available to parties was not accurate, or was not sufficient to reach a party with authority to act on behalf of the contacted organization. In other cases, ICANN staff determined that some registry contact information maintained by IANA was not accurate or was not the contact at a registry with authority to participate in incident response. Formal channels with agreed-upon or mandatory exchanges and exchange frequencies should be considered for future response efforts.
Maintaining consistency, completeness and accuracy of information during the course of a long incident response effort is challenging. During the Conficker response, parties initially used available rather than formal communications channels (e.g., security mail lists, teleconferences, private ..., etc.) and relied on contact information at hand or passed hand to hand. The Conficker Working Group established communications channels as the containment effort grew, but sensitive information was not consistently classified, encrypted or signed. The nature and level of detail communicated among the participants was unintentionally but predictably not uniform. The ad hoc nature of these communications also resulted in different parties receiving information at different times, which made it difficult to maintain broad situational awareness. No individual or organization performed formal action tracking or auditing, and thus chronicling the incident response for post-incident review and analysis has been difficult. In particular, information that is potentially valuable in improving response to future global incidents may be lost or as yet undisclosed.

Scaling trust is hard. Volunteer efforts rely on personal webs of trust. Most participants in the Conficker response knew some or several other participants but it is unlikely that anyone knew everyone and unlikelier still that anyone could produce an accurate accounting of all parties to all information sharing during the course of the containment effort.
Operational processes that rely on block lists at a registry level are not scalable. The most obvious reason is that preemptive blocking scales poorly: in response to the blocking efforts, Conficker's writers increased the numbers of algorithmically generated domains and the numbers of TLDs. The operational burden to block domains increases in several ways; for example, distribution of names across larger numbers of TLDs and removal of the names from available pools can become expensive, non-compensated costs for registry operators. Registries also filtered domains to assure that all "collisions" between Conficker's DGA domains and domains that are already registered in TLDs were not adversely affected.

Certain activities related to incident response raise contractual issues for ICANN, registries, and registrars. In the case of Conficker, ICANN and gTLD registries were able to resolve matters relating to domain fees quickly. The community cannot rely on all contractual matters to be so easily handled for all future incidents. Regarding the ease by which Conficker-related contractual matters were resolved, one security expert observed (anonymously) that, "in the first example of breaking the rules, you're given some leeway. The second time, the stakes are higher, and you have to beware that a single mistake will be disproportionately highlighted."

Certain countermeasures or preemptive actions cannot be implemented unilaterally by all TLD operators. Some registry operators require court orders before they take a particular action in response to a global incident. In a scenario like Conficker, where lists of malicious domains are generated daily, even a one day delay to process a court order can inhibit the response.
We should refrain from concluding from these lessons learned that formal structures must replace voluntary ones. For example, establishing formal structures does not address the issue that some TLDs will not be willing to participate or to continue to participate in certain kinds of response indefinitely. Relying entirely on formal structures may exclude participation by certain individuals for a range of political, legal, or personal reasons. Rather, we should bear in mind that responses with inadequate resources will be more prone to error or omission than those given adequate resources. Effective response will inevitably and ultimately depend upon the support and participation of relevant stakeholders, notably those who have delegated responsibility for the various assets involved. In other words, while certain formal structures can complement and render ad hoc responses more effective, both may be necessary to deal with future events of the Conficker kind.

Way Forward

Based on the lessons learned from the collaborative response to Conficker, one element of a way forward is to formalize relationships among parties that become involved when security events of a global nature occur. ICANN (the entity and community) has established certain formal relationships and structures and is working in concert with other organizations on others.
Within the specific context of global security events involving abuse of the DNS and domain registration services, and using Conficker as a learning experience, ICANN and the gTLD registries have developed an Expedited Registry Security Request Process (ERSR) [25]. Through this process, gTLD registries can now inform ICANN of a present or imminent security threat against the registry or the DNS infrastructure and request a contractual waiver for actions the registry might take or has taken to mitigate or eliminate the threat. The contractual waiver would provide exemption from compliance with a specific provision of the Registry Agreement for the time period necessary to respond to the threat. The ERSR allows a registry to maintain operational security during an incident while keeping relevant parties (e.g., ICANN, other affected providers, etc.) informed as appropriate.

The ERSR is intended to help registries deal with malicious activity involving the DNS of a scale and severity that threatens the systematic security, stability and resiliency of a TLD or the DNS. It can also be used in circumstances where a registry discovers unauthorized disclosure, alteration, insertion or destruction of registry data. The ERSR would also be an appropriate process for an event with the potential to cause a temporary or long-term failure of one or more of the critical functions of a gTLD registry as defined in ICANN's gTLD Registry Continuity Plan [26].

Today, many organizations support a variety of activities that are intended to improve Internet security awareness and respond to security incidents. ICANN security staff has studied incident and emergency response at national and international levels to understand how these activities might be coordinated, especially in circumstances where the DNS is central to global incidents or where events threaten the security, stability, or resiliency of domain name service at a global level. With the assistance of these organizations, ICANN has developed an operational concept plan and business case for a DNS-CERT [27].
As proposed in the concept plan, the DNS-CERT would act as a security coordination center to assist DNS operators and supporting organizations by providing information, expertise or resources to respond to threats to the security, stability and resiliency of the DNS efficiently and in a timely manner. Again, as proposed, the central purposes of the DNS-CERT would be to maintain situational awareness, facilitate information sharing, improve coordination within the DNS operational community, and improve coordination with the broader security and other affected communities.

In addition to these programs, ICANN's security team is studying how to improve and maintain accurate contact information in cooperation with the security community and registry operators. Staff will also study ways to improve and formalize monitoring of responses to global incidents while they are in progress (e.g., auditing and tracking), methods to chronicle incident responses, and ways to coordinate post-incident review and assessment. These may be incorporated into the DNS-CERT program as it evolves, or they may form the bases for other initiatives
instigated by other organizations. ICANN will consider what role, if any, it should perform upon review of the initiatives.

Concluding Remarks

In certain respects, the collaborative response to Conficker was a single volley in what is arguably an early battle of a long campaign. ICANN and other members of the CWG will continue to assist in remediation efforts related to the Conficker worm. Individual organizations will no doubt use their experiences to help define roles in future global incidents. The DNS and Internet security communities must also consider how they together might establish a more formal collaborative response to future occurrences of Conficker and other threats to DNS security, stability and resiliency of similar nature and scale.
Appendix A. Table of Conficker Variants

Columns: Variant & date; Bot Evolution; DNS/Domain Abuse

Variant & date: Conficker.A
  Bot Evolution:
    - Infects via MS08-67, anonymous shares
    - Resets system restore point, disables security services
    - HTTP callback to download files
  DNS/Domain Abuse: 250 pseudo-randomly generated domains registered in 5 TLDs

Variant & date: Conficker.B
  Bot Evolution:
    - Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media
    - Resets system restore point
    - Disables security software and security updates via DNS filtering
  DNS/Domain Abuse: 250 pseudo-randomly generated domains registered in 8 TLDs

Variant & date: Conficker.C (SRI naming), a.k.a. Conficker.D
  Bot Evolution:
    - Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media
    - Disables security software and security updates via DNS filtering
    - Changes bot from HTTP C&C to P2P
    - Sets 1 April 2009 as activation date for new DGA
  DNS/Domain Abuse: Tens of thousands of pseudo-randomly generated domains registered in 100+ TLDs

Variant & date: Conficker.E
  Bot Evolution:
    - Initial exploit uses MS08-67
    - Only installs if prior Conficker variants present
    - Disables security software and security updates via DNS filtering
    - Resets system restore point
    - Updates to pure P2P network
    - Self-terminates on 3 May 2009: removes all Conficker executables except DLL
  DNS/Domain Abuse: (none listed)
Citations

[1] Code Red (Computer Worm),
[2] Blaster worm,
[3] Sasser (Computer Worm),
[4] SQL Slammer,
[5] Know Your Enemy: Containing Conficker,
[6] Containing Conficker,
[7] The Difference Between a Computer Virus, Worm and Trojan Horse,
[8] What is a Blended Threat?
[9] Microsoft Security Bulletin MS Critical, 23 October 2008,
[10] How to Restore Windows XP to a previous state,
[11] Disconnecting from the Srizbi Botnet,
[12] Microsoft Collaborates With Industry to Disrupt Conficker Worm, feb09 en.htm
[13] MS puts up $250K bounty for Conficker author,
[14] Conficker Cabal,
[15] Analysis of Conficker.C,
[16] Alert: April 1 "Conficker" Computer Worm,
[17] Conficker Researchers Counter April 1 Update With Detection Scan,
[18] Microsoft Malware Protection Center, Win32/Conficker.E,
[19] Conficker P2P Protocol and Implementation Analysis, http://mtc.sri.com/Conficker/P2P/
[20] Conficker Infection Distribution,
[21] Shadowserver Foundation Conficker statistics page,
[22] Conficker Timeline,
[23] Shadowserver Foundation Announces New Effort To Combat Conficker
[24] Conficker Working Group Infection Tracking
[25] Expedited Registry Security Request Process,
[26] gTLD Registry Continuity Plan, registrycontinuity plan 25apr09 en.pdf
[27] Global DNS-CERT Business Case, cert business case 10feb10 en.pdf
More informationAgenda. 3 2012, Palo Alto Networks. Confidential and Proprietary.
Agenda Evolution of the cyber threat How the cyber threat develops Why traditional systems are failing Need move to application controls Need for automation 3 2012, Palo Alto Networks. Confidential and
More information