Connecting the AV industry
Igor Muttik, McAfee Avert Labs
VB’2009, Geneva, 24 September 2009

Ubiquitous malware and ubiquitous AV
Igor Muttik, Intel’s McAfee Labs
CARO’2011, Prague
Introduction
Amy
TIMING AND COVERAGE
Agenda – follow Amy for a day
Amy’s home
Amy’s router
• Router-to-router worm (psyb0t, discovered on Netcomm NB5)
  • MIPS CPUs running Linux
  • Had a collection of ~55 shellcode attacks (30 for LinkSys, 10 for Netgear, 15 for other types)
  • It could manipulate the DNS, be an invisible MitM, re-flash the router
• Invisible for AV: we see only where we look
Amy’s car
Amy’s car – Bluetooth and MP3 vulnerabilities
• Bluetooth vulnerability in a mass-production 2009 car (Kohno & Savage)
• Brakes, door locks and dashboard; remotely read tyre pressure
Amy’s mobile phone
• Android marketplace calamity in March 2011
• Zeus and SpyEye attacks on dual authentication
• Phones usually have 2 CPUs and both can be attacked
• Consumerisation of IT
  • IT policies – sometimes not a good thing!
• Remote lock/wipe/backup – will be misused
• Computrace and LoJack on PCs – RPCNET.DLL from Absolute.com
Guys, these smart devices are everywhere…You do protect me, don’t you?
At a bank
Amy’s payment terminals
• QIWI has 100,000 terminals in Russia alone
  • PWS trojan infection (PWS.OSMP)
• Windows is in places you would not expect
  • Information screens in airports
  • Bluescreen on a boat navigation system in Amsterdam during CARO 2008
• It is not just Windows and Intel: embedded Linux, MIPS, Android
• You only see where you look!
Near a factory
Industrial processes (like ²³⁵U enrichment)
At work
Amy’s computer has a bootkit
Pre-OS
• MBR and boot-sector viruses
• W95/CIH
• BIOS quick-boot vulnerability (Schouwenberg)
• Bootkits grow
• EFI, UEFI and GPT (GUID Partition Table)
  • A standard of pre-OS environment and drivers
  • In the BIOS or in a separate partition
  • EFI is a platform like an OS
  • A protected place for malware droppers
• Getting common – Macs, many laptops and PCs
You cannot detect what you cannot see… Do you see this malware?
EFI platform
• EFI has scripting (NSH)
• All open source
• OVMF – virtual machines
• NTFS.EFI – NTFS driver
• EBC (EFI Byte Code): 32-bit interpreted bytecode, cross-platform
• Computers can boot into the EFI shell
Enabling UEFI boot
EFI shell startup video
Youtube link: http://www.youtube.com/watch?v=wrybDw9UL5E
EFI shell
EFI shell startup video and HEXEDIT.EFI demo
Youtube link: http://www.youtube.com/watch?v=kiRsaaS1mbM
EFI shell commands (1/4)
EFI shell commands (2/4)
EFI shell commands (3/4)
EFI shell commands (4/4)
EFI nightmares
Nightmare scenarios
1. EFI boots, sends the HDD image out (or selected files), then continues to boot the OS
2. EFI boots, launches Windows in a virtual machine, and has full control after that
3. EFI boots and drops malware into the file system
As powerful as BAT scripting
+ Has networking
+ Has unrestricted access to local devices
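A defender-side check for the “you cannot detect what you cannot see” point, as an added example that is not part of the original slides: baseline the EFI System Partition (ESP) and diff it on each boot, so a replaced loader or a dropped NSH script shows up even though OS-level AV never looks there. The ESP layout and file names are constructed for the demo; the watched suffixes are an assumption.

```python
"""Baseline and re-check the EFI System Partition (ESP) contents.

Added example (not from the slides): AV that only scans the OS does not look
at the ESP, so keep a hash inventory of every *.efi / *.nsh file there and
diff it on each boot. The demo builds a constructed ESP in a temporary
directory so it runs offline; on a real system point inventory() at the ESP.
"""
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".efi", ".nsh"}  # EFI executables and EFI shell scripts (assumption)


def inventory(esp_root):
    """Return {relative_path: sha256} for every watched file under esp_root."""
    esp_root = Path(esp_root)
    result = {}
    for path in sorted(esp_root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(esp_root).as_posix()] = digest
    return result


def diff_inventory(baseline, current):
    """Classify changes against the baseline: new, removed and modified entries."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed ESP, baseline it, then simulate scenario 3 (a dropper)."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"MZ-constructed-loader")
        (esp / "EFI" / "BOOT" / "README.TXT").write_bytes(b"not watched")
        baseline = inventory(esp)
        # Constructed change: the loader is rewritten and a startup script appears.
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"MZ-constructed-loader-patched")
        (esp / "startup.nsh").write_bytes(b"echo constructed script\n")
        return diff_inventory(baseline, inventory(esp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be stored off the machine (or signed), since anything with full pre-OS control can also rewrite a baseline kept on the same disk.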
Guys, you need a wide and hardened net to catch all these nasties everywhere …
Hardening the net
• Protection should be where it is needed
  • OS?
  • AV (when the OS is lacking)?
  • CPU
• Trust, isolation, audit of data-flow, economics
• Security on CPUs
  • Open for security companies
  • Separate “security” core?
Technological trust
• What can we trust?
  • Digital signatures – Yes (almost always)
  • SSL certificates – Maybe (mostly yes)
• What would be nice to trust
  • OS
  • Software
  • LAN and WAN agents
• TPM did not work
Example: Trust enforced at the CPU level
• A software vendor
  • Submits code to the root authority
  • Pays for a certificate
  • Gets a key back which matches the code
  • Then they can run their “trusted” code
• Enforced in the CPU, not by the OS!
• Rather restrictive if applied to all software
  • Perhaps OK if applied to “important” software
  • Or to certain CPU opcodes which will get special security privileges
• “Economics” driving security
Conclusions
• Malware gets into many new places
• We see only where we look and if we have access
• We need a wider, ubiquitous net
• We would benefit from more low-level trust and security
References
1. Routers:
   http://apcmag.com/Content.aspx?id=3687
   http://www.theregister.co.uk/2011/03/10/router_rooting_malware/
2. Cars:
   http://www.technologyreview.com/computing/35094/?nlid=4233
3. Mobile:
   http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html
   http://www.f-secure.com/weblog/archives/00002135.html
4. Antitheft:
   http://www.geek.com/articles/news/stolen-pcs-disabled-over-internet-20030528/
   http://www.intel.com/technology/anti-theft/index.htm
   http://communities.intel.com/docs/DOC-2384
   http://shop.lenovo.com/ISS_Static/WW/AG/merchandising/US/PDFs/lenovo_anti_theft_protection.pdf
5. Qiwi:
   www.lenta.ru/news/2011/03/16/qiwi/
6. ATMs:
   http://www.computerworld.com/s/article/9179796/Update_ATM_hack_gives_cash_on_demand
   http://www.computerworlduk.com/news/security/16042/more-dodgy-atms-in-las-vegas-found-by-defcon-attendees/
7. Stuxnet:
   http://en.wikipedia.org/wiki/Stuxnet
   http://www.f-secure.com/weblog/archives/00002066.html
8. EFI:
   http://software.intel.com/en-us/articles/efi-shells-and-scripting/
   www.tianocore.org
   http://www.logic.nl/Products/Technology/BIOS-and-EFI.aspx
Questions