Open Malicious Source
Symantec Security Response
Kaoru Hayashi
Page 2
Agenda
What is Open Malicious Source
Characteristics
Protection
Conclusion
Page 3
What is Open Malicious Source
Open Source qualities
– Free redistribution
– Ready access to source code
– Modifiable by anyone
– Designed for evolution
For malicious purposes
Page 4
For example…
Beagle, Mydoom, Netsky and Sasser
– Not open malicious source
– Created by an author, a closed group, or individuals who can obtain the source code
Gaobot, Randex and Spybot
– Open malicious source
– Source code is distributed widely
– Updated / released by many
Page 5
Is this topic new?
NO, but …
Programs developed from open malicious source are on the rise
Impact is intensifying
Page 6
[Chart: Number of Submissions: Worms – monthly submissions for Beagle, Mydoom, Netsky and Sasser, Jan-04 to Aug-04; y-axis 0 to 60000]
Page 7
[Chart: Number of Submissions: Worms from open malicious source – monthly submissions for Gaobot, Spybot and Randex, Jan-04 to Aug-04; y-axis 0 to 30000]
Page 8
[Chart: Number of new variants: Worms – new variants per month for Beagle, Mydoom, Netsky and Sasser, Jan-04 to Aug-04; y-axis 0 to 30]
Page 9
[Chart: Number of new variants: Worms from open malicious source – new variants per month for Gaobot, Spybot and Randex, Apr-03 to Aug-04; y-axis 0 to 700]
Page 10
Characteristics
Easy to create
Purpose-oriented
Difficult to recognize
Page 11
Characteristics: Easy to create
Easy to obtain from the Internet
– Whole project files
– New code, samples, or tools
– Free compiler
No special knowledge, tool, or code required
A wide range of people are creating their own bots
Page 12
Characteristics: Easy to create – Easy to obtain
Page 13
Characteristics: Easy to create – Sample: Spybot
Page 14
Characteristics: Easy to create – Sample: Spybot
Page 15
Case: Spybot – W32.Spybot.A
Discovered on 2003/04/16
Backdoor
– Based on the backdoor “Sdbot”
– Supports 22 commands including: key logging, killing processes, stealing cached passwords, DoS attacks
Worm
– Copies itself to the C$, ADMIN$, and IPC$ shares
– Dictionary attack (17 keywords): 123456, admin, root, server…
– Schedules a job to run
[Diagram: layers – Worm, Backdoor]
Page 16
Case: Spybot – W32.Spybot.DNC
Discovered on 2004/09/13 as the 3071st variant
Backdoor
– Supports over 90 commands including: upload / download / execute files, run as HTTP server / SOCKS4 proxy, steal 42 game CD-KEYs, access CMD.exe, sniff packets, access web camera
[Diagram: layers – Worm, Backdoor, Additional Code]
Page 17
Case: Spybot – W32.Spybot.DNC
Worm
– Dictionary attack: 139 keywords per password
– Uses other worms or Trojans: Beagle, Mydoom, Optix, Sub7, NetDevil
[Diagram: layers – Worm, Additional Code, Backdoor, Additional Code]
Page 18
Case: Spybot – W32.Spybot.DNC
Vulnerability Attack
– MS01-059 (UPnP)
– MS02-061 (SQL)
– MS03-007 (WebDAV)
– MS03-026 (DCOM RPC)
– MS03-049 (Workstation)
– MS04-011 (LSASS)
Packed with a runtime packer
[Diagram: layers – Worm, Additional Code, Backdoor, Additional Code, Vulnerability Attack, Polymorphic / Packer]
Page 19
Case: Randex and Gaobot
W32.Randex (discovered on 2003/06/04)
W32.Gaobot (discovered on 2002/10/22)
[Diagram: layer stacks growing from Worm, to Worm + Backdoor, to Worm + Backdoor + Vulnerability Attack + Polymorphic / Packer; labelled “Over 1600 variants”]
Page 20
Case: Randex, Gaobot and Spybot
Now they look very similar
– Backdoor layer usually based on “Sdbot”
– Same code / concepts implemented in each layer
– Further similar worms / backdoors exist, e.g., Kwbot, IRCBot
[Diagram: three identical layer stacks – Worm, Backdoor, Vulnerability Attack, Polymorphic / Packer]
Page 21
Characteristics: Easy to create – By a lot of people
[Chart: Number of new variants of Gaobot, Spybot and Randex, Apr-03 to Aug-04; y-axis 0 to 700, with the annotations below]
May: Gaobot author arrested in Germany
May: Randex author arrested in Canada
June, July, August: New variants created
Page 22
Characteristics: Purpose
Not only for fun
– Propagation
– Proof of concept
For profit
– Information theft
– System control
– DDoS zombies
– Financial gain
Page 23
Characteristics: Purpose
W32.Netsky.P@mm
– Propagation: mass mailing, P2P or shared networks
– Payload: removes the Beagle, Mydoom, Deadhat, and Welchia worms
W32.Gaobot.BIA
– Propagation: dictionary attack, vulnerability attack
– Payload: logs keystrokes, sniffs packets, steals CD-KEYs, steals cached passwords, obtains system / network information, gains full system control, SOCKS proxy, DDoS attack, and more…
Page 24
Characteristics: Difficult to recognize
Slow and limited propagation
– Differs from mass mailers, Blaster, and Code Red
– Little public interest
Automatic copy / execution on remote computers
– By using a scheduler or by exploiting vulnerabilities
Many new variants released over a short time period
– Over 600 variants a month
New variants are target-specific
– You may be the only one infected, worldwide.
Page 25
How to stop
Stopping the development of new threats is almost impossible
– Source code is distributed widely
– Authors are located around the globe
– New code, samples, and tools are released every day
Page 26
How to protect
Anti-virus tools
– Definitions, heuristics, behavior blocking…
Firewall
IDS
Patch management
Password management
Security policy
Learning, studying, educating…
Nothing new, nothing special. But we know maintaining all of this is not easy.
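The Spybot case (pages 15 and 24) describes one propagation chain: a dictionary attack against the C$, ADMIN$ and IPC$ shares, a copy of the worm written to the share, and a scheduled job to run it, which makes a single infected host easy to miss. The following is an added example, not part of the presentation or any Symantec tool, of what the "IDS" and "Password management" items on this page can mean in practice: a small Python detector that reads login and share events and escalates a source through the stages of that chain, plus a password-policy check against the four dictionary words the slide shows. The log format, timestamps, addresses, thresholds and file name are constructed assumptions for the example; in a real deployment the same fields would be mapped from Windows security events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified "<ISO time> <source> <event> key=value ..."
# format invented for this example (not real Windows event-log output). The
# addresses, account names and file name are placeholders.
SAMPLE_LOG = """\
2004-09-13T10:00:01 10.0.0.5 LOGON_FAILURE user=administrator share=IPC$
2004-09-13T10:00:02 10.0.0.5 LOGON_FAILURE user=administrator share=IPC$
2004-09-13T10:00:03 10.0.0.5 LOGON_FAILURE user=administrator share=IPC$
2004-09-13T10:00:04 10.0.0.5 LOGON_FAILURE user=administrator share=IPC$
2004-09-13T10:00:05 10.0.0.5 LOGON_FAILURE user=administrator share=IPC$
2004-09-13T10:00:06 10.0.0.5 LOGON_FAILURE user=administrator share=IPC$
2004-09-13T10:00:07 10.0.0.5 LOGON_SUCCESS user=administrator share=ADMIN$
2004-09-13T10:00:08 10.0.0.5 FILE_WRITE share=ADMIN$ path=system32\\payload.exe
2004-09-13T10:00:09 10.0.0.5 JOB_SCHEDULED path=system32\\payload.exe
2004-09-13T10:05:00 10.0.0.9 LOGON_FAILURE user=backup share=IPC$
2004-09-13T10:05:30 10.0.0.9 LOGON_SUCCESS user=backup share=IPC$
"""

# The four passwords the slide quotes from the worm's 17-word dictionary.
WORM_DICTIONARY = {"123456", "admin", "root", "server"}

# Detection tuning (assumed values): a dictionary attack is five or more failed
# logons to an administrative share from one source within 60 seconds, and the
# follow-up activity must happen within five minutes of that burst.
ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(seconds=60)
FOLLOWUP_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, src, event, rest = match.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    return {"ts": when, "src": src, "event": event, **fields}


def is_in_worm_dictionary(password):
    """Password-policy check: reject anything the worm's published word list would guess."""
    return password.lower() in WORM_DICTIONARY


def detect(log_text):
    """Return {source: furthest stage reached} for sources showing the propagation chain:
    dictionary attack -> share logon -> file written to share -> job scheduled."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)  # source -> failure timestamps inside the window
    flagged_at = {}                       # source -> time the burst crossed the threshold
    stage = {}                            # source -> furthest stage of the chain observed
    for e in events:
        src, share = e["src"], e.get("share")
        if e["event"] == "LOGON_FAILURE" and share in ADMIN_SHARES:
            window = recent_failures[src]
            window.append(e["ts"])
            while e["ts"] - window[0] > FAILURE_WINDOW:  # drop failures older than the window
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and src not in flagged_at:
                flagged_at[src] = e["ts"]
                stage[src] = "dictionary_attack"
        elif src in flagged_at and e["ts"] - flagged_at[src] <= FOLLOWUP_WINDOW:
            # Escalate strictly in order, so a stray later event cannot skip a stage.
            current = stage[src]
            if e["event"] == "LOGON_SUCCESS" and share in ADMIN_SHARES and current == "dictionary_attack":
                stage[src] = "share_logon_after_guessing"
            elif e["event"] == "FILE_WRITE" and share in ADMIN_SHARES and current == "share_logon_after_guessing":
                stage[src] = "file_dropped_on_share"
            elif e["event"] == "JOB_SCHEDULED" and current == "file_dropped_on_share":
                stage[src] = "remote_execution_scheduled"
    return stage


if __name__ == "__main__":
    for src, reached in detect(SAMPLE_LOG).items():
        print(f"{src}: {reached}")
    for pw in ("admin", "Server", "correct-horse-battery"):
        print(f"{pw!r} in worm dictionary: {is_in_worm_dictionary(pw)}")
```

The source that only failed once (10.0.0.9) never reaches a stage, which is the point of keying on the burst first: an administrator mistyping a password once should not trigger the chain, while a host that guesses its way in and then writes to ADMIN$ and schedules a job is reported at the last stage it reached.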
Page 27
Conclusion
Malicious source is distributed widely
A lot of people are creating their own bots
Sharing source code results in more powerful threats
The main purpose is profit
There is no magic trick for secure protection