Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

21st FIRST Conference – Day 4

Today’s a short day due to the AGM taking place this afternoon. I’m hoping to make the most of the time and visit the Kyoto Imperial Palace or the craft market. Still, you never know what’ll happen here.

09:00 A Railway Operator’s Perspective on the lessons of the Great Hanshin-Awaji Earthquake – Takayuki Sasaki

Mr Sasaki (from JR West Railways) talked about how to manage an unexpected disaster recovery situation. The earthquake hit 7.3 on the Richter scale and caused in excess of 10 trillion yen in damages. 6,433 people lost their lives in the disaster.

3 rival railway companies (JR West, Hankyu, and Hanshin) teamed up to ensure that passengers were still able to travel easily.

Crisis control methods put in place after the earthquake .:

  • Introduction of urgent earthquake detection and alarm system
  • Anti-seismic reinforcement work
  • Establishment of a second Shinkansen General Control Center

11:00 In The Cloud Security – Greg Day

Estimated in excess of $1 trillion loss through cybercrime and data loss in 2008.

Q1 2009 – 12 million new IPs zombied since January –> 50% increase since 2008

Koobface – more than 800 new variants in March 2009

In 1990 Dr Solomon’s Antivirus had signatures for 296 viruses (+61 variants). Wouldn’t it be nice to go back to those days.

Historically AV has been designed to protect against single large threats. The newer approach is many much smaller pieces of malware and variants, designed to be re-wrapped and re-used over and over again.

How the virus landscape has changed .:

  • 1987-2000 “Method” –> Viruses were all about proving that it was possible. Viruses were slow and not released often.
  • 2000-2003 “Speed”–> Speed of spread was the key. These viruses could be seen just by looking at the backbone and seeing the increase in traffic.
  • 2004-xxxx “Volume” –> The idea of hitting a target with many different variants until one bypassed your defenses.

Proactive behavioural controls work by examining processes to form a baseline of their memory usage and data-flows. If larger amounts of data are seen than the baseline allows, of the kind that would cause a buffer-overflow, then an alarm is triggered. Even in a standard environment it’s not easy to implement a complete lockdown of the system using this technique. This means that a mid-point has to be found between the newer techniques and the older style signature and change control checks (monitoring registry changes, etc…).

The huge increase in malware in recent years has been caused by the move away from smart people writing and using their own malware. The people capable of writing the malware are now moving to a better business model where they sell the tools for creating a virus/malware. Tools such as Shark can create many combinations of malware depending on the settings selected and the packers used. This lowers the barrier to entry so that anybody can have customised malware.

** 30 minutes in…. first mention of cloud (yes, he really did use the Final Fantasy character in his presentation)

The cloud can be used to improve response times by returning metadata on files seen in order to track possible malicious traits. This information is sent up to the servers and compared to other gathered data. The existing DNS protocol is used to transfer the metadata to the server and to carry the response. If the suspicious file is known to the AV vendor then they can alert you through a DNS response (signed and encrypted). All data sent is anonymous.

In the case of targeted attacks, the aggregation point in the cloud is used to map the fingerprint of possible attacks. Artemis clients send fingerprints ~2 hours before samples are received.
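To make the DNS lookup described above concrete, here is an added example (my own constructed code, not McAfee’s Artemis protocol or anything shown in the talk) of both sides of such an exchange: the client hashes the file, splits the digest into DNS labels under an assumed lookup zone, and the server answers with a verdict plus an authentication tag that the client checks before acting. Only the hash leaves the endpoint, which is what the talk means by the data being anonymous. The zone name `lookup.av-cloud.example`, the `verdict;mac` answer layout, the HMAC in place of a vendor signature, and the sample file bytes are all assumptions of this example; the real answer would also be encrypted, which is left out here.

```python
"""Hash-over-DNS reputation lookup, client and server side. Constructed
illustration: the label layout, the zone name and the 'verdict;mac'
answer format are this example's own assumptions, not any vendor's
wire protocol."""
import hashlib
import hmac
import secrets

# Assumed lookup zone the client appends to the hash labels (not a real service).
LOOKUP_ZONE = "lookup.av-cloud.example"

# Assumed shared authentication key. A real service would use a vendor
# signature the client can verify offline; HMAC stands in for that here.
VERDICT_KEY = secrets.token_bytes(32)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples standing in for files seen on an endpoint.
BAD_SAMPLE = b"MZ\x90\x00 constructed koobface-style downloader"
CLEAN_SAMPLE = b"MZ\x90\x00 constructed signed installer"

# Constructed vendor-side knowledge: sha256 -> verdict.
KNOWN = {
    sha256_hex(BAD_SAMPLE): "malicious",
    sha256_hex(CLEAN_SAMPLE): "clean",
}


def build_query_name(file_bytes: bytes) -> str:
    """Client side. Only the hash leaves the host: no name, path or contents.
    A DNS label is at most 63 octets, so the 64-hex digest is split in two."""
    digest = sha256_hex(file_bytes)
    return f"{digest[:32]}.{digest[32:]}.{LOOKUP_ZONE}"


def _mac(digest: str, verdict: str) -> str:
    return hmac.new(VERDICT_KEY, f"{digest}:{verdict}".encode(), "sha256").hexdigest()


def serve_query(qname: str) -> str:
    """Server side. Answers with 'verdict;mac', the payload a TXT record would carry."""
    labels = qname.rstrip(".").lower().split(".")
    zone = LOOKUP_ZONE.split(".")
    if len(labels) != len(zone) + 2 or labels[-len(zone):] != zone:
        return "refused;"
    digest = labels[0] + labels[1]
    verdict = KNOWN.get(digest, "unknown")
    return f"{verdict};{_mac(digest, verdict)}"


def interpret_answer(file_bytes: bytes, answer: str) -> str:
    """Client side. Refuse to act on any answer whose MAC does not verify,
    so a spoofed or tampered DNS reply cannot whitelist a file."""
    verdict, _, mac = answer.partition(";")
    if not hmac.compare_digest(mac, _mac(sha256_hex(file_bytes), verdict)):
        return "unverified"
    return verdict


def check_file(file_bytes: bytes) -> str:
    """Full round trip; serve_query() stands in for the real DNS query."""
    return interpret_answer(file_bytes, serve_query(build_query_name(file_bytes)))


if __name__ == "__main__":
    for name, sample in (("bad", BAD_SAMPLE), ("clean", CLEAN_SAMPLE), ("new", b"never seen")):
        print(name, build_query_name(sample), "->", check_file(sample))
```

The point of the authentication step is that DNS is trivially spoofable on a hostile network; a client that trusted a bare “clean” answer would let an attacker whitelist their own dropper by answering the lookup themselves.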

The trend has moved away from self-replicating malware and more towards self-infecting (the user infects themselves by visiting a website).

Using fingerprinting it’s also possible to recognise sites that are infected with hidden iframes and develop blacklists on the fly from information gathered from all users. Once a threat fingerprint has been identified, it can be detected on any site that has been infected using the same method/injection. This same scenario can also be used with message reputation to improve existing spam mail filtering.
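As an added example of the iframe fingerprinting idea (my own constructed code, not anything from the talk or the vendor’s engine), the block below parses a handful of constructed crawled pages, picks out iframes that are hidden (zero-size or `display:none`), fingerprints each injection by its shape rather than by the host it points at, and blacklists the hosts behind any fingerprint that turns up on more than one site. The page contents, host names and the “hidden” heuristics are all assumptions of this example.

```python
"""Fingerprint hidden-iframe injections across crawled pages and build a
host blacklist from injections that repeat across sites. Constructed HTML
samples; the hidden-iframe heuristics are this example's assumptions."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frames or CSS-hidden frames: the usual injection shapes."""
    def tiny(value: str) -> bool:
        return value.strip().rstrip("px").strip() in ("0", "1")
    dims_hidden = tiny(attrs.get("width", "x")) and tiny(attrs.get("height", "x"))
    return dims_hidden or bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def fingerprint(attrs: dict) -> str:
    """Hash the injection's shape (attribute set, URL path, size, hiding method)
    but not the host or query string, which attackers rotate freely."""
    src = urlparse(attrs.get("src", ""))
    dims = f'{attrs.get("width", "")}x{attrs.get("height", "")}'
    how = "style" if HIDDEN_STYLE.search(attrs.get("style", "")) else "dims"
    material = "|".join([",".join(sorted(attrs)), src.path, dims, how])
    return hashlib.sha1(material.encode()).hexdigest()[:16]


def build_blacklist(pages: dict, min_sites: int = 2):
    """Return (blacklisted iframe hosts, infected page URLs). A fingerprint
    is trusted once it is seen on at least min_sites distinct sites."""
    sightings = defaultdict(lambda: {"pages": set(), "hosts": set()})
    for page_url, html in pages.items():
        parser = IframeCollector()
        parser.feed(html)
        for attrs in parser.iframes:
            if not is_hidden(attrs):
                continue
            fp = fingerprint(attrs)
            sightings[fp]["pages"].add(page_url)
            host = urlparse(attrs.get("src", "")).hostname
            if host:
                sightings[fp]["hosts"].add(host)
    blacklist, infected = set(), set()
    for seen in sightings.values():
        if len({urlparse(u).hostname for u in seen["pages"]}) >= min_sites:
            blacklist |= seen["hosts"]
            infected |= seen["pages"]
    return blacklist, infected


# Constructed crawl results: two sites carry the same injection pointing at
# different hosts, one has a legitimate hidden tracking frame, one a visible embed.
SAMPLE_PAGES = {
    "http://site-a.test/": '<html><body><h1>Shop</h1>'
        '<iframe src="http://evil-one.test/in.cgi?3" width="0" height="0" frameborder="0"></iframe>'
        '</body></html>',
    "http://site-b.test/index.php": '<html><body><p>News</p>'
        '<iframe src="http://evil-two.test/in.cgi?8" width="0" height="0" frameborder="0"></iframe>'
        '</body></html>',
    "http://site-c.test/": '<html><body><p>Blog</p>'
        '<iframe src="https://analytics.example/track" style="display:none"></iframe>'
        '</body></html>',
    "http://site-d.test/": '<html><body>'
        '<iframe src="https://video.example/embed/42" width="640" height="360"></iframe>'
        '</body></html>',
    "http://site-e.test/about.html": '<html><body>'
        '<iframe src="http://evil-one.test/in.cgi?3" width="0" height="0" frameborder="0"></iframe>'
        '</body></html>',
}

if __name__ == "__main__":
    hosts, pages = build_blacklist(SAMPLE_PAGES)
    print("blacklist:", sorted(hosts))
    print("infected:", sorted(pages))
```

The `min_sites` threshold is what keeps a lone hidden analytics frame off the blacklist; lowering it to 1 trades that false positive for earlier detection, which is exactly the trade-off a vendor aggregating data from many users gets to tune.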

http://www.trustedsource.org –> Gives an overview of the data seen from these initiatives

Problem of gathering more intelligence: most customers request more intelligence on what is currently being seen, but are not happy to be one of the sources that provide the information. This has hopefully been resolved by restricting the information sent to hashes of what is seen, and not files or other identifiable information.

13:30 Chinese Hacker Community and Culture, Underground Malware Industry – Zhao Wai (KnownSec)

Part 1: Chinese hacker culture
Part 2: Underground industry
Part 3: How do we fight back ?

Trends (Blackhats and Whitehats)

  • 1998-2003 : Server-Side
  • 2002-2007 : Client-Side (Image format, Office documents, IE)
  • 2006 – xxxx : 3rd Party –> For Profit

3rd Party applications are very weak on security and full of bugs.

Sometimes legitimate security researchers in China have their research accidentally released or used in attacks. This is because other hacking groups attack the researchers’ networks, or the researchers sell the exploits through untrustworthy services.

Blackhats in China

  • Age: Young (maybe not), Talented, and rich
  • Most are not in big cities
    • Why? Economic related ?
    • More fired engineers – more hackers ?
  • Blackhat Culture: Baidu zhidao forum, QQ (Chinese social networking)
  • Underground industry: everybody has a role
  • Not using IRC anymore. More often on public forums or QQ
  • International ? Not yet ?

There are currently 300 Million internet users in China. People in China are scared to use e-commerce websites due to fear of being hacked and having their information stolen. Malware is not only written in China, but is also a problem for users in China.

China is not only the world’s factory, but also the world’s malware factory.

New characters and phrases have been created in the last few years to describe malware functions (e.g. GuaMa: “hooking horse”, injecting malcode into websites).

Many different teams are involved in the malware process. Separate teams deal with the exploitation, sales, and various other parts of the process.

In 2006/2007 a majority of malware used known vulnerabilities in 3rd party applications. Currently 0-day attack code is used in various 3rd party products. The recent malware versions like to exploit logic bugs (Baidu toolbar, snapshot).

0-day market underground

  • They love client-side vulnerabilities
    • Easier to find
  • Price is better than ZDI
    • Researchers still prefer ZDI
  • Sometimes 0-days are leaked to the market
    • Security professionals
    • Professional whitehats

The KnownSec team talked last year at Xkungfoo (xcon) about the SNS worm plus drive-by download attacks. This year there is a worm spreading through the QQ social network.

The KnownSec team are trying to crawl Chinese websites to find and label the malicious ones. However they’re not Google. More water vapour than cloud computing. Easy to DDoS. It was found that a majority of the malicious servers are located in a small area of China. Some large areas have no malicious servers at all. Within China .com domains account for 52% of the malicious domains (followed closely by .cn with 32%).

The team downloads around 858 downloaders per day. Of these 16% are brand new. The average detection rate of these downloaders on VirusTotal (VT) is 60%. In tests McAfee-GW-Edition, AntiVir and eSafe find the most samples. ClamAV finds only 10% of the samples. 50% of the malicious websites are not found by the Google safe browsing filters.

Some information on these figures can be found on the KnownSec website.

This research has been used to create a better filtering and protection engine. Webmon API –> Currently in private BETA

Day 4 was a little shorter than the others, but it means I might finally get some sleep. I should be over my jet-lag by the time I get to fly home I’m sure 😉
