
Threats in Cyberspace - 2008

Saumil Shah

Evolvement of IPRs and its management seminar
February 9, 2008 - Ahmedabad


© n e t - s q u a r e

About me

• Founder & CEO Net-Square Solutions.

• Speaker at Blackhat, RSA, and many international security conferences.

• Author:
  • Web Hacking – Attacks and Defense (2002)
  • The Anti-virus book (1996)

• MS Computer Science – Purdue University.


Attack trends since 2000 AD

• 2000: Networks and OS

• 2001: HTTP, DDoS, Worms

• 2002: Web apps, email, Worms, Databases

• 2003: Apps, Bruteforcing

• 2004: Apps, IE, Spyware, Phishing

• 2005: Apps, ID thefts, Phishing, Malware

• 2006: Large data stores, apps, IDs, etc.

• 2007: App worms, Botnets, Pharming


Spam in 2007

• 90-95% of all emails sent were spam.

• 13% of users received more than 50 spam emails per day.


Spam in 2007

• Pump-and-dump stock scam.

• Image and attachment spam.
  • Surged but died towards the end of 2007.

• News topics as subject lines.

• Generated through botnets.

• Fraud and Phishing.


Breaches in 2007

• TD Ameritrade: 6.3 million customer records.

• Monster.com: 1.6 million job seekers' records.

• Western Union: 20,000 credit card records.

• Illinois Dept of Financial and Professional regulation: 3,00,000 records.

• T J Maxx: 45.7 million credit card records.

• Moneygram: 79,000 records.


We’ve all been victims of fraud

• “I’ve never been to Japan!”


Hacking the Human Mind

• Citibank “phishing” scam

The email:

http://antiphishing.org


Faking a bank

• http://www.mycitibank.net/

http://antiphishing.org


Faking a bank

• Who is mycitibank.net?

Domain Name.......... mycitibank.net
Creation Date........ 2004-06-22
Registration Date.... 2004-06-22
Expiry Date.......... 2005-06-22
Organisation Name.... Sharon J Warr
Organisation Address. 4 Knotty Pine Place
Organisation Address. Texarkana 75503, TX, UNITED STATES


Spyware

• “Marketing delivered to your desktops”.

• Advertisers pay for targeted advertising.

• Adware companies:
  • 100-200 employees, $50-$200M revenues

• How to get into desktops?…


A typical user's desktop


Spyware

• Digital Gluttony
  • “I want to download it all!”

• Cater to users’ greed.

• MP3s, Videos, Ringtones, Wallpapers, Smileys, Screensavers, Calendars, …

• …as long as it is free.


The Spyware/Adware eco-system


Malware example


How do you know what NOT to click?


Malware on the rise

• 2005-2006: 172% increase.

• 2006-2007: 800% increase.

• MPack.

• RBN.

• Fast-flux Networks.

• The Storm Botnet.


MPack

• Exploit delivery mechanism.

• Updated regularly with 0-day exploits.
  • IE VML bug.
  • IE Animated Cursor vulnerability.
  • QuickTime overflow.
  • Winzip ActiveX overflow, etc.

• PHP based automatic website generator.

• Sold for $500-$1000, with auto-exploit-updates.


Botnets

• Large number of compromised systems.

• Centrally controlled.

• Spam marketing.

• Identity theft, password theft.

• DDoS threats.

• Espionage.


Botnet control


The Storm Botnet

• P2P controlled – no central "mother ship".

• Event based campaigns
  • 2008 greetings, Thanksgiving/Xmas/Valentines

• Operated by the RBN.

• Purchase expired domains.

• Domains resolve to fast-flux networks.
  • Continuously changing DNS records.
  • Point to infected hosts.


The Storm Botnet

• A few infected hosts are special
  • P2P control relays.
  • DNS servers.
  • HTTP servers.

• Rootkits, malware, hacked sites, etc.
  • Various delivery mechanisms.

• Running for more than a year.

• We have NOT been able to shut it down.
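
Added example (not from the original slides): one way a defender can flag the fast-flux behaviour described above from resolver logs, by looking for domains whose A records rotate across many networks with short TTLs. The sample observations, domain names and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample: (query time in s, domain, IPv4 A record, TTL in s).
# Names and addresses are reserved documentation values, not real indicators.
OBSERVATIONS = [
    (0,   "greetings.example", "192.0.2.10",    180),
    (0,   "greetings.example", "198.51.100.77", 180),
    (200, "greetings.example", "203.0.113.5",   180),
    (200, "greetings.example", "198.18.4.20",   180),
    (400, "greetings.example", "192.0.2.200",   180),
    (400, "greetings.example", "198.19.66.1",   180),
    (0,   "bank.example",      "203.0.113.80",  86400),
    (400, "bank.example",      "203.0.113.81",  86400),
]

# Assumed thresholds for illustration; tune against your own resolver logs.
MAX_TTL = 300   # flux domains keep TTLs short so records can rotate
MIN_IPS = 5     # distinct addresses seen in the observation window
MIN_NETS = 3    # distinct /16 networks (infected hosts are scattered)

def summarize(observations):
    """Group observations by domain and compute rotation features."""
    by_domain = defaultdict(lambda: {"ips": set(), "ttls": []})
    for _ts, domain, ip, ttl in observations:
        by_domain[domain.lower()]["ips"].add(ipaddress.ip_address(ip))
        by_domain[domain.lower()]["ttls"].append(ttl)
    summary = {}
    for domain, d in by_domain.items():
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in d["ips"]}
        summary[domain] = {
            "distinct_ips": len(d["ips"]),
            "distinct_nets": len(nets),
            "median_ttl": median(d["ttls"]),
        }
    return summary

def suspected_fast_flux(observations):
    """Return domains whose A records rotate across many networks with short TTLs."""
    return sorted(
        domain for domain, s in summarize(observations).items()
        if s["median_ttl"] <= MAX_TTL
        and s["distinct_ips"] >= MIN_IPS
        and s["distinct_nets"] >= MIN_NETS
    )

if __name__ == "__main__":
    print(suspected_fast_flux(OBSERVATIONS))
```

Short TTLs alone are not enough to flag a domain, since content delivery networks also use them; the network-spread condition is what separates scattered infected hosts from a provider's address blocks.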


Growth of the Storm Botnet


Cyber warfare / terrorism?


• China penetrated key US databases.

• Dec 07/Jan 08 power blackouts in Central and South America.

• 14 year old boy takes control of Tram network in Poland.


Effectiveness of Anti-Virus software

• Makes computers sluggish.

• False alarms.

• "Most popular brands have an 80% miss rate" – AusCERT.

• Heuristic recognition fell from 40-50% (2006) to 20-30% (2007) – HeiseOnline.

• Signature based scanning does not work.

• AI techniques can be easily beaten.


Security by pop-ups


Web 2.0 attacks

• MySpace worm – XSS goes the virus way.

• Cross Site Request Forgery.

• Predicted rise in Web 2.0 attacks in 2008.
  • As more generic APIs become popular.


Pharming

• Hijacking DNS entries.

• www.hsbc.com resolves to fraud site.

• DNS server specified in broadband router.

• Broadband routers have web administration interfaces.
  • and are typically on 192.168.1.1
  • and have weak passwords: admin/admin.

• Malicious sites contain an IFRAME to access web admin interface.


Pharming – Hijacking DNS entries


Resources

• 20 Reasons the world hates Norton Antivirus

http://www.dtgeeks.com/index.php/blogs/comment/20_reasons_the_world_hates_norton_anti_virus

• Antivirus protection worse than a year ago

http://www.heise-security.co.uk/news/print/100900

• Teen tram hack

http://www.theregister.co.uk/2008/01/11/tram_hack/print.html

• China has penetrated key US databases

http://www.securecomputing.net.au/print.aspx?CIID=101491

• Trojan to attack bank sites

http://www.symantec.com/enterprise/security_response/weblog/2008/01/banking_in_silence.html

• The Russian Business Network

http://rbnexploit.blogspot.com/
