From creeper to stuxnet

From Creeper
to Stuxnet

Tell me and I’ll forget Shahar Geiger Maor,
Show me and I may VP & Senior Analyst
remember

A Story With A Beginning And No End

2
Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic

The Beginning –Basic Terminology

Phreaking, Cracking and Hacking…

3

I’m A Creep(er)!

The very first viruses: Creeper and Wabbit

1971

1960 1970 1980 1990 2000 2010
4

Captain Zap

first person ever arrested for a computer crime
1981

1960 1970 1980 1990 2000 2010
5

Machine Of The Year

1982

1960 1970 1980 1990 2000 2010
6

War Games

1983

1960 1970 1980 1990 2000 2010
7

Introducing: MOD & LOD

1987

1960 1970 1980 1990 2000 2010
8

When Ideology meets Ego

1991

1960 1970 1980 1990 2000 2010
9

Professional conferences

1993

1960 1970 1980 1990 2000 2010
10

Celebrity

1995

1960 1970 1980 1990 2000 2010
11

The Rise of Malwares

The Concept Virus

1995

1960 1970 1980 1990 2000 2010
12


The Melissa and
Nimda Viruses

http://scforum.info/index.php?topic=2528.msg4935;topicseen

1999

1960 1970 1980 1990 2000 2010
13


The ILOVEYOU Worm

2000

1960 1970 1980 1990 2000 2010
14


Conficker

2008

1960 1970 1980 1990 2000 2010
15

The Increasingly Difficult Security Challenge

16000000

14000000 AV Signatures

12000000

10000000 100s of millions of viruses.
8000000 signature based scanning won’t keep up…

6000000

4000000

2000000

0

Jan-09
Jan-00

Jan-01

Jan-02

Jan-03

Jan-04

Jan-05

Jan-06

Jan-07

Jan-08

Jan-10
Jul-00

Jul-01

Jul-02

Jul-03

Jul-04

Jul-05

Jul-06

Jul-07

Jul-08

Jul-09
Source: Symantec

No Existing Protection Addresses the “Long Tail”

Today, both good and bad software obey a long-tail distribution.
Bad Files Unfortunately neither technique Good Files
works well for the tens of millions of
files with low prevalence.

Prevalence
(But this is precisely where the
majority of today’s malware falls)

Blacklisting works For this long tail a new Whitelisting works
well here. technique is needed. well here.

Source: Symantec

Growing Amount of Malware –Lower Rate of Detection

Submission-ID: 2009- Submission-ID: 2010-
12-10_22-01_0002 01-15_22-14_0001

src: AV-Test.org src: AV-Test.org

AV Engine Time To Detect Time To Detect
Authentium Zero-hour No detection
Avast 24.28 hrs. 2.10 hrs.
AVG 10.18 hrs. 3.52 hrs.
CA-AV No detection Zero-hour
ClamAV 40.82 hrs. No detection
Dr.Web 3.68 hrs. 13.17 hrs.
Eset Nod32 2.35 hrs. Zero-hour
F-Secure Zero-hour 20.03 hrs.
Ikarus 2.55 hrs. 1.90 hrs.
ISS VPS No detection No detection
Kaspersky 6.70 hrs. 14.52 hrs.
McAfee 28.83 hrs. No detection
Microsoft 11.62 hrs. No detection
Norman Zero-hour No detection
Panda 76.48 hrs. No detection
Rising 71.27 hrs. No detection
Spybot S&D No detection No detection
Sunbelt No detection Zero-hour
VirusBuster 4.05 hrs. Zero-hour


Secured Mediation Kiosks

Source: OPSWAT, STKI’s modifications

Nor(malware) distribution

Choose any AV
software…

What about the long
tail?


Nor(malware) distribution

Choose many AV
software…

The long tail problem
remains


Organized Cybercrime

2009

1960 1970 1980 1990 2000 2010
22

M&As in the Cyber Underground…

SpyEye made headlines this year when
investigators discovered it automatically searched
for and removed ZeuS from infected PCs before
installing itself
http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/

Common “Positions” in the cyber-crime business

Leaders
Hosted
Programmers systems Cashiers
providers

Distributors Fraudsters Money mules

Tech experts Crackers Tellers

http://www.fbi.gov/news/speeches/the-cyber-threat-whos-doing-what-to-whom

Underground Economy

Products Price
Credit card details From $2-$90
Physical credit cards From $190 + cost of details
Card cloners From $200-$1000
Fake ATMs Up to $35,000
Bank credentials From $80 to 700$ (with guaranteed balance)
From 10 to 40% of the total
$10 for simple account without guaranteed
Bank transfers and cashing checks balance
Online stores and pay platforms From $80-$1500 with guaranteed balance
Design and publishing of fake online stores According to the project (not specified)
Purchase and forwarding of products From $30-$300 (depending on the project)
Spam rental From $15
SMTP rental From $20 to $40 for three months

http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf

Cyber Wars

1990’s-2000’s-2010’s

1960 1970 1980 1990 2000 2010
26

Growing Number of Incidents -US

Incidents of Malicious Cyber
Activity Against Department of Defense
Information Systems, 2000–2009

http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf

Sources of Attacks on gov.il

Source: CERT.gov.il

Cyber-Warfare is Becoming A Giants’ Playground

http://www.bbc.co.uk/news/technology-11773146

Operation Aurora

http://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structu
re.pdf

Advanced Persistent Threat (APT) –RSA Case Study

“Recently, our security
systems identified an
extremely sophisticated
cyber attack in progress
being mounted against
RSA”.
Art Coviello
Executive Chairman, RSA
http://www.rsa.com/node.aspx?id=3872

http://www.nytimes.com/2011/03/18/technology/18secure.html

Stuxnet: (THE NEW YORK TIMES, 15/1/11)

http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=2&hp

Stuxnet Timeline

Eraly 2008: Siemens
cooperated with Idaho
National Laboratory
, to identify the July 2009:
vulnerabilities of Stuxnet began
computer controllers circulating around the
that the company sells world

2008-2009: July 2010: Stuxnet is
Suspected exploits first discovered by
have been created for VirusBlokAda
Siemens SCADA
systems


Rootkit.Win32.Stuxnet Geography

Source: http://ebiquity.umbc.edu/blogger/wp-content/uploads/2010/09/stuxnet.gif

Stuxnet in Action: “A Game Changer”

 10-30 developers (!!!)
 Stuxnet has some 4,000 functions (software that runs an average
email server has about 2,000 functions)
 Exploits a total of four unpatched Microsoft vulnerabilities
 compromise two digital certificates

• Self-replicates through removable drives
• Spreads in a LAN through a vulnerability in the Windows Print
Spooler
• Copies and executes itself on remote computers through network
shares
• Updates itself through a peer-to-peer mechanism within a LAN
• Contacts a remote command and control server
• modifies code on the Siemens PLCs
• Hides modified code on PLCs


Vulnerability Timeline

Source: Burton Group

…Lets talk about Patch Management (PM)

• Mostly Microsoft, security-related patches
• “Its not the deployment, but the whole process evolving” AKA
Pizza Night.
• 20%-50% FTE is dedicated for PM
• Common SLAs: 3…6…or sometimes 12 Months!!
• VIP patches: up-to a week
• Hardwarenon-security patches’ SLA: Where upgradesvendor
support is needed


Your Text here Your Text here

Shahar GeigerMaor’s work Copyright 2012 @STKI Do Do not remove source or attribution from any or portion of graphic of graphic
Shahar Maor’s work Copyright 2012 @STKI not remove source or attribution from any graphic graphic or portion 38

Generic Cyber Attacks

1. IndividualsGroups
2. CriminalNationalistic
background
3. Lots of intervals
4. Lots of targets
5. Common tools

39

Distributed Denial Of Service (DDOS)

1. Targets
websites, internet
lines etc.
2. Legitimate traffic
3. Many different
sources
4. From all over the
world
5. Perfect timing

40

Advanced Persistent Threat (APT)

1. Group/ Org./
State
2. Ideological/
Nationalistic
background
3. Multi-layered
attack
4. Targeted
5. Variety of
tools
6. Impossible to
detect in real
time(???)

41

Security “Threatscape”


Thank You!

Scan Me To Your Contacts:

43

From creeper to stuxnet

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (12)

Mais de Ariel Evans

Mais de Ariel Evans (10)

Último

Último (20)

From creeper to stuxnet

Notas do Editor