Page 1: Title

Ubiquitous malware and ubiquitous AV
Igor Muttik – Intel’s McAfee Labs™
CARO’2011, Prague

(Template header carried over from the earlier talk: Connecting the AV industry, Igor Muttik, McAfee Avert Labs™, VB’2009, Geneva, 24 September 2009)

Page 2: Introduction

Amy

Page 3: Timing and coverage

Agenda – follow Amy for a day

Page 4: Amy’s home

Page 5: Amy’s router

Router-to-router worm (psyb0t, discovered on a Netcomm NB5)
• Targets MIPS CPUs running Linux
• Carried a collection of ~55 shellcode attacks (30 for Linksys, 10 for Netgear, 15 for other models)
• It could: manipulate the DNS; act as an invisible man-in-the-middle; re-flash the router
• Invisible to AV – we see only where we look
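The router slide above makes a detection point rather than a malware point: a worm that rewrites the router’s DNS settings never touches Amy’s PC, so host AV has nothing to scan. The only way to “look there” from the LAN is out of band. The following is an added example (not from the slides or from McAfee) of such a check: it compares the answers the router’s DNS forwarder gives with answers from a reference resolver reached over a path the router cannot silently rewrite (for example DNS over TLS to a public resolver), and flags DHCP-advertised resolvers outside the ranges a home network should see. Every hostname, address and network range in it is constructed for the example.

```python
"""Added example: out-of-band check for DNS manipulation by a compromised
home router. Compares the router's DNS answers with a reference resolver's
answers and audits the resolver addresses the router handed out via DHCP.
All names, addresses and ranges below are constructed sample data."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed sample: what the router's DNS forwarder answered for each name.
ROUTER_ANSWERS: Dict[str, Set[str]] = {
    "bank.example":   {"203.0.113.10"},                    # redirected to an attacker host
    "mail.example":   {"198.51.100.25"},                   # honest answer
    "update.example": {"203.0.113.10"},                    # redirected to the same host
    "news.example":   {"198.51.100.40", "198.51.100.41"},  # honest, CDN rotation
}
# Constructed sample: what a reference resolver (reached over a channel the
# router does not proxy) answered for the same names at the same time.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "bank.example":   {"198.51.100.20"},
    "mail.example":   {"198.51.100.25"},
    "update.example": {"198.51.100.30"},
    "news.example":   {"198.51.100.41", "198.51.100.42"},
}
# Resolvers the router advertised via DHCP, and where legitimate ones live
# (the router's own LAN address and the ISP's resolver block; constructed).
DHCP_RESOLVERS = ["192.168.1.1", "203.0.113.53"]
EXPECTED_RESOLVER_NETS = ["192.168.0.0/16", "198.51.100.0/24"]


def hijacked_names(router: Dict[str, Set[str]],
                   reference: Dict[str, Set[str]]) -> List[str]:
    """Names whose router-supplied addresses share nothing with the reference.
    An empty intersection, rather than inequality, is the test: CDNs rotate
    among several addresses, so news.example above is not a finding."""
    return sorted(name for name, addrs in router.items()
                  if name in reference and not (addrs & reference[name]))


def sinkhole_addresses(router: Dict[str, Set[str]], names: Iterable[str]) -> Dict[str, int]:
    """Count how many hijacked names land on each address. One box proxying
    many sites (the 'invisible MitM' case) shows up as one address with a
    high count."""
    return dict(Counter(addr for name in names for addr in router[name]))


def resolvers_outside(configured: Iterable[str], allowed_nets: Iterable[str]) -> List[str]:
    """DHCP-advertised resolvers that fall outside the expected ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [r for r in configured
            if not any(ipaddress.ip_address(r) in net for net in nets)]


def run_checks() -> dict:
    """Run all three checks over the constructed sample and return findings."""
    bad = hijacked_names(ROUTER_ANSWERS, REFERENCE_ANSWERS)
    return {
        "hijacked": bad,
        "sinkholes": sinkhole_addresses(ROUTER_ANSWERS, bad),
        "rogue_resolvers": resolvers_outside(DHCP_RESOLVERS, EXPECTED_RESOLVER_NETS),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

In practice the two answer sets come from real queries (the router’s resolver via plain UDP on the LAN, the reference via DNS over TLS or a mobile-network hotspot), taken within seconds of each other so TTL churn does not create false positives; names with long, stable TTLs make the best probes. A router that re-flashes itself can also tamper with the reference path if that path goes through it, which is why the reference resolver must be reached over a channel the router cannot rewrite.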

Page 6: Amy’s car

Page 7: Amy’s car – Bluetooth and MP3 vulnerabilities

• Bluetooth vulnerability in a mass-production 2009 car (Kohno & Savage)
• Reachable once inside: brakes, door locks and dashboard; tyre pressure can be read remotely

Page 8: Amy’s mobile phone

• Android Market calamity in March 2011
• Zeus and SpyEye attacks on two-factor authentication
• Phones usually have two CPUs, and both can be attacked
• Consumerisation of IT vs. IT policies – sometimes not a good thing!
• Remote lock/wipe/backup – will be misused
• Computrace and LoJack on PCs – RPCNET.DLL from Absolute.com

Page 9

“Guys, these smart devices are everywhere… You do protect me, don’t you?”

Page 10: At a bank

Page 11: Amy’s payment terminals

• QIWI has 100,000 terminals in Russia alone – PWS trojan infection (PWS.OSMP)
• Windows is in places you would not expect: information screens in airports; a bluescreen on a boat navigation system in Amsterdam during CARO 2008
• It is not just Windows and Intel: embedded Linux, MIPS, Android
• You only see where you look!

Page 12: Near a factory

Page 13: Industrial processes (like 235U enrichment)

Page 14: At work

Page 15: Amy’s computer has a bootkit

Page 16: Pre-OS

• MBR and boot-sector viruses; W95/CIH; BIOS quick-boot vulnerability (Schouwenberg); bootkits grow
• EFI, UEFI and GPT (GUID Partition Table): a standard for the pre-OS environment and its drivers, living in the BIOS or in a separate partition
• EFI is a platform like an OS – and a protected place for malware droppers
• Getting common: Macs, many laptops and PCs

Page 17

You cannot detect what you cannot see… Do you see this malware?

Page 18: EFI platform

• EFI has scripting (NSH)
• All open source; OVMF for virtual machines
• NTFS.EFI – an NTFS driver
• EBC (EFI Byte Code): interpreted bytecode that runs unchanged on 32- and 64-bit platforms
• Computers can boot into the EFI shell

Page 19: Enabling UEFI boot

Page 20: EFI shell startup video

YouTube: http://www.youtube.com/watch?v=wrybDw9UL5E

Page 21: EFI shell

Page 22: EFI shell startup video and HEXEDIT.EFI demo

YouTube: http://www.youtube.com/watch?v=kiRsaaS1mbM

Pages 23–26: EFI shell commands (1/4 – 4/4)

Page 27: EFI nightmares

Nightmare scenarios:
1. EFI boots, sends the HDD image out (or selected files), then continues to boot the OS
2. EFI boots, launches Windows in a virtual machine, and has full control after that
3. EFI boots and drops malware into the file system

EFI scripting is as powerful as BAT scripting, plus networking, plus unrestricted access to local devices
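Slides 16–18 and 27 together make one argument: the EFI layer is a platform the OS-level scanner never looks at, and scenario 3 (dropping files) plus the NSH startup script are the parts of it that do leave traces where the OS can read them, on the EFI System Partition (ESP). The following is an added example (not from the slides or from McAfee) of the check a practitioner would want for that: a baseline of everything on the ESP, and a diff that singles out new or changed files the firmware would execute or interpret at boot. The ESP layout and file contents it builds are constructed stand-ins for the real partition.

```python
"""Added example: baseline-and-diff of the EFI System Partition (ESP).
Hashes every file under the ESP, diffs against a stored baseline, and
escalates new or modified boot executables (.efi) and shell scripts (.nsh).
The demo builds a constructed ESP in a temp directory; nothing here is a
real boot loader."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Files the firmware runs or interprets at boot: changes here matter most.
BOOT_SUFFIXES = {".efi", ".nsh"}


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(esp_root: Path) -> Dict[str, str]:
    """Map each file under esp_root (relative POSIX path, lower-cased because
    FAT is case-insensitive) to its SHA-256 digest."""
    return {p.relative_to(esp_root).as_posix().lower(): hash_file(p)
            for p in sorted(esp_root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added, removed and changed paths, plus the subset that the firmware
    would execute: those are the scenario-3 findings."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    suspicious = sorted(p for p in added + changed if Path(p).suffix in BOOT_SUFFIXES)
    return {"added": added, "removed": removed, "changed": changed, "suspicious": suspicious}


def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo() -> Dict[str, List[str]]:
    """Build a constructed ESP, baseline it, then simulate scenario 3: a
    dropped startup.nsh plus a patched Windows boot manager."""
    root = Path(tempfile.mkdtemp(prefix="esp-"))
    try:
        _write(root, "EFI/BOOT/BOOTX64.EFI", b"MZ\x90\x00 constructed fallback loader")
        _write(root, "EFI/Microsoft/Boot/bootmgfw.efi", b"MZ\x90\x00 constructed boot manager")
        _write(root, "EFI/Microsoft/Boot/BCD", b"constructed BCD store")
        baseline = snapshot(root)  # in real use: stored off-host, taken from a trusted boot

        _write(root, "startup.nsh", b"# constructed: the shell runs this at every boot\n")
        _write(root, "EFI/Microsoft/Boot/bootmgfw.efi", b"MZ\x90\x00 constructed PATCHED boot manager")
        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On Linux the ESP is normally mounted at /boot/efi, on Windows it can be mounted with mountvol; take the baseline from a boot off trusted media and keep it off the host. The check covers only what lands in the partition: scenarios 1 and 2 can live entirely in the firmware image, which this does not see, so it is one more place to look, not the whole net.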

Page 28

“Guys, you need a wide and hardened net to catch all these nasties everywhere…”

Page 29: Hardening the net

• Protection should be where it is needed: in the OS? in AV (when the OS is lacking)? in the CPU?
• Requirements: trust, isolation, audit of data-flow, economics
• Security on CPUs: open for security companies; a separate “security” core?

Page 30: Technological trust

What can we trust?
• Digital signatures – yes (almost always)
• SSL certificates – maybe (mostly yes)

What would be nice to trust: the OS, software, LAN and WAN agents

TPM did not work

Page 31: Example – trust enforced at the CPU level

A software vendor:
1. submits code to the root authority
2. pays for a certificate
3. gets back a key which matches the code
4. can then run their “trusted” code

Enforced in the CPU, not by the OS!

Rather restrictive if applied to all software; perhaps OK if applied to “important” software, or to certain CPU opcodes which get special security privileges

“Economics” driving security
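The four steps on this slide describe a trust chain, and the property that matters is where the check runs: below the OS, so that nothing an OS-level attacker controls can skip it. The following is an added example (not from the slides or from McAfee) that models that chain end to end: a root authority certifies the hash of a vendor’s code, and a “CPU” holding only the root public key refuses to execute code whose certificate does not verify, including code tampered with after certification and certificates from a root it does not know. It uses textbook RSA over a SHA-256 code hash with short keys, no padding and a fixed seed, which is enough to model the trust relationship but is not a production signature scheme; the authority, vendor and CPU names are hypothetical.

```python
"""Added example: toy model of the slide's CPU-enforced code certification.
Textbook RSA over SHA-256 (no padding, 160-bit primes, fixed seed) models
the trust relationship only; do not reuse as a real signature scheme."""
import hashlib
import math
import random

_rng = random.Random(2011)  # fixed seed: keys are reproducible run to run


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_keypair(bits: int = 160):
    """Return ((n, e), (n, d)). Two 160-bit primes keep the modulus above
    the 256-bit hash, which is all this toy needs."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def code_hash(code: bytes) -> int:
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


class RootAuthority:
    """The slide's root authority: vendors submit code, pay, get a certificate."""
    def __init__(self):
        self.public, self._private = make_keypair()

    def issue_certificate(self, vendor: str, code: bytes, paid: bool) -> dict:
        if not paid:  # "economics driving security"
            raise PermissionError("no payment, no certificate")
        n, d = self._private
        h = code_hash(code)
        return {"vendor": vendor, "code_hash": h, "signature": pow(h, d, n)}


class TrustedCpu:
    """CPU-side check: the root public key is baked in, and the load path
    verifies the certificate against the code before executing it."""
    def __init__(self, root_public):
        self._n, self._e = root_public

    def verify(self, cert: dict, code: bytes) -> bool:
        recovered = pow(cert["signature"], self._e, self._n)
        return recovered == cert["code_hash"] == code_hash(code)

    def run(self, code: bytes, cert: dict) -> str:
        # Enforced here, below the OS: an OS-level bypass never reaches this point.
        return "executed" if self.verify(cert, code) else "refused"


def demo() -> dict:
    root = RootAuthority()
    cpu = TrustedCpu(root.public)
    code = b"constructed stand-in for a vendor binary"
    cert = root.issue_certificate("ExampleVendor", code, paid=True)
    tampered = code[:-1] + b"!"   # one byte changed after certification
    rogue = RootAuthority()       # a second root the CPU was never told about
    forged = rogue.issue_certificate("ExampleVendor", code, paid=True)
    return {
        "genuine": cpu.run(code, cert),
        "tampered": cpu.run(tampered, cert),
        "forged": cpu.run(code, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The model also shows where the slide’s “rather restrictive” worry comes from: every byte of the binary is bound to the certificate, so any update needs a new certificate, and the CPU trusts exactly one root, so the economics of that root decide who gets to run code. Narrowing the check to “important” software or to privileged opcodes, as the slide suggests, changes which code passes through `TrustedCpu.run`, not how the check itself works.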

Page 32: Conclusions

• Malware gets into many new places

• We see only where we look and if we have access

• We need a wider, ubiquitous net

• We would benefit from more low-level trust and security

Page 33: References

1. Routers:
   http://apcmag.com/Content.aspx?id=3687
   http://www.theregister.co.uk/2011/03/10/router_rooting_malware/
2. Cars:
   http://www.technologyreview.com/computing/35094/?nlid=4233
3. Mobile:
   http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html
   http://www.f-secure.com/weblog/archives/00002135.html
4. Antitheft:
   http://www.geek.com/articles/news/stolen-pcs-disabled-over-internet-20030528/
   http://www.intel.com/technology/anti-theft/index.htm
   http://communities.intel.com/docs/DOC-2384
   http://shop.lenovo.com/ISS_Static/WW/AG/merchandising/US/PDFs/lenovo_anti_theft_protection.pdf
5. QIWI:
   http://www.lenta.ru/news/2011/03/16/qiwi/
6. ATMs:
   http://www.computerworld.com/s/article/9179796/Update_ATM_hack_gives_cash_on_demand
   http://www.computerworlduk.com/news/security/16042/more-dodgy-atms-in-las-vegas-found-by-defcon-attendees/
7. Stuxnet:
   http://en.wikipedia.org/wiki/Stuxnet
   http://www.f-secure.com/weblog/archives/00002066.html
8. EFI:
   http://software.intel.com/en-us/articles/efi-shells-and-scripting/
   http://www.tianocore.org
   http://www.logic.nl/Products/Technology/BIOS-and-EFI.aspx

Page 34: Questions