Mr. Mark Welton. The five game changing viruses. Security best practices that deal with the problems.

Presentation transcript:

Mr. Mark Welton

• The five game changing viruses
• Security best practices that deal with the problems

• Nimda
• Bagle and Netsky
• Storm
• Slammer
• Stuxnet

• “Self-replicating virus that does not alter files but resides in active memory and duplicates itself and sometimes drains system resources”
• Released on September 18, 2001
• 5 main forms of infection
  ◦ Via e-mail
  ◦ Open network shares
  ◦ Via browsing of compromised web sites
  ◦ Exploitation of various Microsoft IIS 4.0/5.0 directory traversal vulnerabilities
  ◦ Back doors left behind by the “Code Red II” and “sadmind/IIS” worms

• On IIS used two vulnerabilities
  ◦ Extended Unicode Directory Traversal Vulnerability
  ◦ Escaped Character Decoding Command Execution Vulnerability
• Once infected, the IIS server would then scan for other hosts with the same two vulnerabilities
• It would also use TFTP to transfer files from one infected host to the new host
  ◦ Files included an admin.dll file and many copies of .eml and .nws files in multiple locations on the server
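Added example, not from the slides: a Python check over web-server logs for requests that exploit the two IIS bugs named above, which hid the traversal behind overlong UTF-8 (%c0%af standing in for '/') or double percent-encoding (%255c for '\'). It decodes the URI the way the vulnerable server effectively did and flags paths that climb out of the web root. The log lines are constructed and the W3C field order is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes
# Overlong two-byte UTF-8 (lead 0xC0/0xC1): the Extended Unicode bug let %c0%af pass as '/'
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def normalize_path(path: str, rounds: int = 2) -> str:
    """Percent-decode `rounds` times (two undo the Escaped Character bug's
    %255c -> %5c -> '\\'), fold overlong bytes to ASCII, unify separators."""
    raw = path.encode("latin-1", "replace")
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)
        raw = OVERLONG_RE.sub(
            lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), raw)
    return raw.decode("latin-1").replace("\\", "/")

def escapes_webroot(norm: str) -> bool:
    """True if the '..' segments climb above the document root."""
    depth = 0
    for seg in norm.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def inspect_request(uri: str) -> "str | None":
    """Reason string when the decoded request leaves the web root, else None."""
    norm = normalize_path(uri)
    if escapes_webroot(norm):
        return "traversal escapes web root: " + norm
    return None

def scan_log(text: str) -> list:
    """W3C fields assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and (reason := inspect_request(fields[4])):
            hits.append((fields[2], fields[4], reason))
    return hits

# Constructed sample log lines, not a real capture
SAMPLE_LOG = """\
2001-09-18 13:02:11 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:12 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:40 192.0.2.77 GET /images/logo%20large.png - 200
2001-09-18 13:03:05 192.0.2.78 GET /docs/../index.html - 200
"""
```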

• Would send an e-mail message with a random subject and an attached file named readme.exe
• Opening the attachment infected the machine
• Could use the preview pane in older versions of Microsoft Outlook and Outlook Express to execute the file without the user clicking on the attachment
• Would then send an infected e-mail to all addresses in the user’s address book
• It would send the e-mail out every 10 days to the user’s address book

• It would look through an infected web server for .htm, .html, or .asp files
• Nimda would add JavaScript to each of these files pointing to a readme.eml file on the server
• An Automatic Execution of Embedded MIME Types Vulnerability in IE would execute the file

• Once a host machine was infected it scanned the local network to find shared folders
• Once a network share was found the worm would look for .doc, .eml or .exe files that could be written to
• It would drop a file called riched20.dll into the directory if that file did not already exist there
• When the user ran one of the infected files it would download and execute the worm, infecting the machine
• It would also create a guest account with administrator privileges and create open shares on the infected system
• It would then send the account name and password for this account to the attackers

• Would replace mmc.exe on a server
• Would infect all executable files on both local and network drives, replicating the .eml and .nws files along with the riched20.dll
• The worm would run as a remote thread in Explorer.exe
• Would change the registry key to open network shares for all drives (C$->Z$)

• Filter attached files with extensions like .exe, .com, .dll
• Educate users not to open attachments they did not expect
• Harden and patch web servers
• Patch and/or upgrade desktop software
• Firewall unused ports
• Use IPS to detect and stop unneeded communication

• First strain sighted on January 18, 2004
• Second strain sighted February 17, 2004
• Mass-mailing worm (would not e-mail @microsoft addresses)
• Would open backdoors on TCP ports 6777 and 8866
• Second strain had its own SMTP engine to mass-mail itself
• Created a botnet used to send spam

• On December 29, 2009 the botnet was responsible for 10.30% of the worldwide spam volume, surging to 14% on New Year’s Day
• As of April 2010 the botnet was estimated to be sending roughly 5.7 billion spam messages a day

• Similar to the Bagle worm
• Written by an 18 year old from Germany
• Insults the authors of Bagle in its code
• One strain targeted Bagle- and MyDoom-infected machines: it would infect the machine, remove Bagle and MyDoom, and patch the vulnerability they used
• “Botnet Wars”

• Filter attached files with extensions like .exe, .com, .dll, .vbs
• Educate users not to open attachments they did not expect
• Harden and patch web servers
• Patch and/or upgrade desktop software
• Firewall unused ports
• Use IPS to detect and stop unneeded communication
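Added example, not from the slides, covering the attachment-filter item on both best-practice lists (Nimda and Bagle/Netsky): a Python gateway check built on the standard email package. It applies the extension list from the slides to every suffix of the filename, so a doubled extension does not slip through, and judges the bytes rather than the declared Content-Type, which is the trick Nimda relied on when it shipped readme.exe as audio/x-wav for the preview pane. The sample message is constructed.

```python
import email
import pathlib
from email.message import EmailMessage
from email.policy import default

# Extension list taken from the two best-practice slides
BLOCKED_EXTENSIONS = {".exe", ".com", ".dll", ".vbs"}

def attachment_findings(msg: EmailMessage) -> list:
    """Return (filename, reason) pairs for attachments a mail gateway should strip."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # Every suffix, so readme.txt.exe and readme.exe.eml both trip the filter
        suffixes = {s.lower() for s in pathlib.PurePosixPath(name).suffixes}
        if suffixes & BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension"))
        payload = part.get_payload(decode=True) or b""
        # Nimda labelled readme.exe as audio/x-wav so the preview pane would run
        # it. A Windows executable starts with 'MZ' whatever the label says, so
        # judge the bytes, not the Content-Type header.
        if payload.startswith(b"MZ"):
            findings.append((name, f"executable bytes declared as {part.get_content_type()}"))
    return findings

def scan_raw(raw: str) -> list:
    """Gateway entry point: parse wire-format mail text and run the checks."""
    return attachment_findings(email.message_from_string(raw, policy=default))

def build_sample() -> EmailMessage:
    """Constructed message: a Nimda-style attachment, a script, and a harmless PDF."""
    msg = EmailMessage()
    msg["Subject"] = "xkq"                      # Nimda used random subjects
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 29, maintype="audio",
                       subtype="x-wav", filename="readme.exe")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(b'MsgBox "constructed"', maintype="text",
                       subtype="plain", filename="invoice.txt.vbs")
    return msg
```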

• First detected in January 2007
• Worm spread through spam e-mail
• E-mail would link to an infection-hosting web site
• Used social engineering in e-mails to get users to click on the link
• By September 2007 it was estimated that as many as 1 million compromised systems made up the Storm Botnet
• Used known Microsoft vulnerability to infect the machine

• Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour for new transmissions, making it difficult for anti-virus vendors to stop the virus and the spread of infection
• Additionally, the location of the remote servers which control the botnet is hidden behind a constantly changing DNS technique called ‘fast flux’, making it difficult to find and stop virus-hosting sites and mail servers
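Added example, not from the slides: a Python heuristic for the fast-flux pattern described above, applied to passive DNS observations. A fluxing name answers with a churning set of addresses at a very low TTL spread over unrelated networks, while an ordinary name keeps its addresses in one provider block; the thresholds, the /16 grouping as a stand-in for ASN diversity, and the observation record layout are assumptions, and the data is constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One resolver answer: when, for which name, which A records, with what TTL."""
    ts: int
    domain: str
    answers: tuple
    ttl: int

def flux_features(obs: list, domain: str) -> dict:
    """Summarise how much a name's answers churn across the observations."""
    ips, prefixes, ttls = set(), set(), []
    for o in obs:
        if o.domain != domain:
            continue
        ttls.append(o.ttl)
        for ip in o.answers:
            ips.add(ip)
            # /16 stands in for ASN diversity when no routing data is at hand
            prefixes.add(ipaddress.ip_network(f"{ip}/16", strict=False))
    return {"unique_ips": len(ips), "prefixes": len(prefixes),
            "min_ttl": min(ttls) if ttls else None, "answers": len(ttls)}

def is_fast_flux(f: dict, max_ttl: int = 300, min_ips: int = 10, min_prefixes: int = 5) -> bool:
    """Require all three signals together: short TTL, many addresses, many networks."""
    return (f["min_ttl"] is not None and f["min_ttl"] <= max_ttl
            and f["unique_ips"] >= min_ips and f["prefixes"] >= min_prefixes)

def report(obs: list) -> dict:
    """Verdict per domain seen in the observations."""
    return {d: is_fast_flux(flux_features(obs, d)) for d in {o.domain for o in obs}}

# Constructed sample, not a real capture. The flux name hands out four new
# addresses in a new /16 every 30 seconds; the static name is dull on purpose.
SAMPLE = [Observation(1_190_000_000 + 30 * i, "flux.example.invalid",
                      tuple(f"{10 + i}.{20 + 7 * i}.{j}.{40 + j}" for j in range(4)), 30)
          for i in range(6)]
SAMPLE += [Observation(1_190_000_000 + 600 * i, "static.example.invalid",
                       ("203.0.113.10", "203.0.113.11"), 3600) for i in range(6)]
```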

• Command and control of the botnet used peer-to-peer techniques, so there was no central command and control point that could be shut down
• Botnet also encrypted its traffic
• Has more computing power than the top 500 supercomputers combined
• It is estimated it is only using 10% to 20% of the total capacity of the botnet

• Launched a series of EXE files in stages creating the following services in the botnet
  ◦ Backdoor/downloader
  ◦ SMTP relay
  ◦ E-mail address stealer
  ◦ Virus spreader
  ◦ DDoS attack tool
  ◦ Updated copy of Storm worm dropper
• Would use fast flux DNS to hide the bot in the network
• Also installed a kernel rootkit on the machine and used modified eDonkey communications

• Educate users not to open links they did not expect
• Patch and/or upgrade desktop software
• Firewall unused ports
• Use IPS to detect and stop unneeded communication

• Started on January 25, 2003 at 05:30 UTC
• Infected 75,000 machines in ten minutes
• Used a buffer overflow in SQL Server and Microsoft Desktop Engine database products
• Patch was released six months earlier
• Was a single-packet exploit
• Infection was in memory only
• Would scan for more hosts to infect
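Added example, not from the slides: Slammer's single packet was a UDP datagram to the SQL Server Resolution Service on port 1434, whose instance-lookup request is a 0x04 type byte followed by a NUL-terminated name that the published protocol (MC-SQLR) caps at 32 bytes; the port and format details are known facts about the worm and the protocol rather than slide content. The Python check below parses that request so an IPS or packet filter can drop the overflow on field length alone; the datagrams are constructed and the Slammer-like one is filler, not worm code.

```python
SSRP_PORT = 1434             # UDP, SQL Server Resolution Service
MAX_INSTANCE_NAME = 32       # MC-SQLR: INSTANCENAME must not exceed 32 bytes
CLNT_BCAST_EX = 0x02         # "list all instances" broadcast, a single byte
CLNT_UCAST_EX = 0x03         # same request sent unicast, a single byte
CLNT_UCAST_INST = 0x04       # "where is instance X": type byte, name, NUL

def inspect_ssrp(payload: bytes) -> "str | None":
    """Return a reason to drop the datagram, or None if it is well formed."""
    if not payload:
        return "empty datagram"
    kind = payload[0]
    if kind in (CLNT_BCAST_EX, CLNT_UCAST_EX):
        return None if len(payload) == 1 else f"trailing bytes after type 0x{kind:02x}"
    if kind == CLNT_UCAST_INST:
        name, nul, rest = payload[1:].partition(b"\x00")
        if len(name) > MAX_INSTANCE_NAME:
            return (f"instance name of {len(name)} bytes exceeds "
                    f"{MAX_INSTANCE_NAME} (Slammer-style overflow)")
        if not nul:
            return "instance name not NUL-terminated"
        if rest:
            return f"{len(rest)} trailing bytes after instance name"
        return None
    return f"unexpected request type 0x{kind:02x}"

def filter_datagrams(datagrams: list) -> list:
    """datagrams: (src, dst_port, payload) tuples; returns (src, reason) to drop."""
    drops = []
    for src, dport, payload in datagrams:
        if dport == SSRP_PORT and (reason := inspect_ssrp(payload)):
            drops.append((src, reason))
    return drops

# Constructed traffic, not a capture. The worm's payload was 376 bytes starting
# with 0x04 and a run of 0x01; here the remainder is filler, not worm code.
SAMPLE = [
    ("192.0.2.5", 1434, b"\x04MSSQLSERVER\x00"),
    ("192.0.2.6", 1434, b"\x02"),
    ("198.51.100.9", 1434, b"\x04" + b"\x01" * 96 + b"A" * 279),
    ("192.0.2.7", 1433, b"\x04" + b"\x01" * 400),   # TDS port, not the resolver
]
```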

• Patch and/or upgrade desktop software
• Patch servers
• Firewall unused ports
• Use IPS to detect and stop unneeded communication

◦ Stuxnet – industrial sabotage -> Iranian uranium enrichment program
◦ Ghostnet – stole diplomatic communications -> embassies, Dalai Lama
◦ Aurora – stole source code and other intellectual property -> Google
◦ Night Dragon – industrial and commercial intelligence -> large oil companies

• Targets Siemens S7/WinCC products, compromises S7 PLCs to sabotage the physical process
• Exploited Windows zero-day vulnerabilities
• Spreads via:
  ◦ USB/Removable Media
  ◦ 3 Network Techniques
  ◦ S7 Project Files
  ◦ WinCC Database Connections
• Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates
• Installs cleanly on W2K through Win7/2008R2
• Conventional OS rootkit, detects and avoids major anti-virus products
• Advanced reverse-engineering protections

• Not discovered until June 2010
• Infection came from a USB flash drive
• Used 4 vulnerabilities, 2 of which were zero-day
• Used 7 different infection methods
• Existed at least a year before discovery

• Initial infection of the worm thought to be from an offsite contractor transferring a file
• Or it may have been a Siemens engineer
• Or it may have been a flash drive handed out at a conference
• …

• Self-replicates through removable drives by exploiting a vulnerability allowing auto-execution
  ◦ Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability
• Spreads in a LAN through a vulnerability in the Windows Print Spooler
  ◦ Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability
• Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
• Copies and executes itself on remote computers through network shares
• Copies and executes itself on remote computers running a WinCC database server
• Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
• Updates itself through a peer-to-peer mechanism within a LAN
• Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities used for self-replication; the other two are escalation-of-privilege vulnerabilities that have yet to be disclosed
• Contacts a command and control server that allows the hacker to download and execute code, including updated versions
• Contains a Windows rootkit that hides its binaries
• Attempts to bypass security products
• Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system
• Hides modified code on PLCs, essentially a rootkit for PLCs

Infected Removable Media:
1. Exploits vulnerability in Windows Shell handling of .lnk files (0-day)
2. Used older vulnerability in autorun.inf to propagate
Local Area Network Communications:
3. Copies itself to accessible network shares, including administrative shares
4. Copies itself to printer servers (0-day)
5. Uses “Conficker” vulnerability in RPC
Infected Siemens Project Files:
6. Installs in WinCC SQL Server database via known credentials
7. Copies into STEP7 Project files
