Beyond Aurora's Veil: A Vulnerable Tale


Beyond Aurora's Veil: A Vulnerable Tale. Derek Manky, Cyber Security & Threat Research, FortiGuard Labs. October 26th, 2010: SecTor 2010, Toronto, CA

Conficker: April Doomsday... Meanwhile: JBIG2 Zero Day (PDF/SWF)
- January 2009: Malicious PDF samples in the wild drop the Gh0st RAT trojan, exploiting CVE-2009-0658; a no-click variant works through Windows Shell extensions
- February 02, 2009: Adobe acknowledges via APSA09-01
- March 10, 2009: Adobe patches via APSB09-03
- Attacks occurred roughly 63 days before the patch

... A Vulnerable Tale: Gh0st RAT advertisement (photo)

Bredolab & Gumblar. Meanwhile: Gumblar & Bredolab botnets sync through PDF exploits
- March 18, 2009: Adobe issues patch APSB09-04, which includes CVE-2009-0927 (PDF exploit)
- March 23, 2009: Gumblar attack surfaces: compromised websites serving exploits, freshly exploiting CVE-2009-0927
  - Drops the Bredolab botnet (first appearance)
  - Downloads an FTP-stealing module for Gumblar
  - Downloads FakeAV for profit
- Aggressively attacked 5 days after the PoC was released

Bredolab & Gumblar (figure)

Bredolab & Gumblar, Then and Now. Gumblar & Bredolab botnets sync through PDF exploits. Bredolab:
- Oct 2009: New protocol (v2), custom encrypted HTTP
- Jan 2010: Uses the Pushdo botnet; new webmailing engine distributed (Webwail)[1]; cracks CAPTCHAs in < 30 seconds
- Feb 2010: Downloads ransomware that force-kills applications and demands > $50 USD
- Oct 2010: Distributes the Grum/Tedroo botnet
- Source code available; Bredolab is now used by various operators and for various attacks since its original incarnation
[1] FortiGuard Labs discovered Webwail in December 2009

Bredolab & Gumblar, Then and Now. Gumblar & Bredolab botnets sync through PDF exploits. Gumblar today[1]:
- 9,350 infected links
- 951 links hosting exploits
- 165 malware variants served
- Popular exploited vulns: CVE-2007-0701, CVE-2008-0655, CVE-2008-2992, CVE-2009-0927
[1] FortiGuard Web Scanning Systems, Oct 19th 2010

... A Vulnerable Tale. In the Threat Spotlight: Internet Explorer HTML Memory Corruption ("Aurora")
- September 30, 2009: Microsoft receives vulnerability report (later CVE-2010-0249)
- December 15, 2009: Google later acknowledges attack discovery
- January 04, 2010: C&C servers taken down
- January 12, 2010: Attacks publicly acknowledged; dropped a custom trojan
- January 14, 2010: Public PoC exploit code available
- January 21, 2010: Microsoft patches via MS10-002
- Zero day 113 days before patch, 7 days from public PoC

... A Vulnerable Tale. Meanwhile: Internet Explorer Use-After-Free
- March 09, 2010: Microsoft acknowledges via advisory / CVE-2010-0806; web drive-by attacks already in the wild, dropping the Gh0st RAT trojan, similar to Aurora
- March 30, 2010: Microsoft patches via MS10-018
- Attacks occurred roughly 21 days before the patch
- FortiGuard detects the highest exploit rate before the patch (zero day)

Internet Explorer Use-After-Free

Exploit Demonstration (Fortinet Confidential)

The Next Chapter: What can we learn?!!!
- Headlines are not everything!!!
- Reactive defense against high-profile attacks == inefficient
- Threats often share similar attack techniques: browsers, document formats, system services
  - Conficker / Neeris (RPC DCOM), Murofet (DGA)
  - Gh0st RAT (PDF JBIG2), Gumblar (PDF getIcon)
  - Aurora (Google/etc.) & Gh0st RAT: IE use-after-free

The Next Chapter: What can we learn?
- Zero-day attacks happen more often than you may think
- Attacks can continue for months undetected
- Patch response time can be 1-3 weeks once detected/reported; otherwise 6-12 months
- Patched vulnerabilities are attacked quickly, and frequently: Conficker: 30 days; Gumblar: 5 days
- Patch management! Quick patching is essential, but it does not work against zero-day attacks

The Next Chapter: The new decade of threats
- Attacks can survive for years
- Attacks change extremely frequently
  - Server-side polymorphism: repacked hosted malware, repacked hosted scripts [Gumblar]
  - Crimeware and source code: copy & paste bots, new versions
  - Endless domains
- Creates tremendous volume

FortiGuard Labs Security Research
- 87 zero-days discovered since 2008, mostly critical
- Oct 2010: 30+ outstanding in zero-day state
http://www.fortiguard.com/advisory/upcomingadvisory.html

Fighting Back: Strategic Defense
- Standard security rules apply; often ignored
- Layered security vs. growing attack surface: applicable to infection & post-infection
- Education and training (RSS): think before you link
- Use of JS, Flash (NoScript, PDF reader)
- Trust management (PGP, SSL)
- Alternative software considerations: OS, browsers, document readers, sandboxes
- Access-level lockdown (admin privileges)

Fighting Back: Layered Security vs. Growing Attack Surface
- Intrusion Prevention: botnet C&C, zero days & exploits
- Application Control: malicious services, compromised Facebook applications
- Web Filtering: botnet C&C, fast flux / malicious hosting, SEO
- Antispam: spambots & incoming campaigns
- Antivirus: trojans, bots, ransomware, etc.
- Vulnerability Review: software used vs. alternatives
