Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mr. Mark Welton.  The five game changing viruses  Security best practices that deal with the problems.

Published byCaren Green Modified over 9 years ago

Similar presentations

Presentation on theme: "Mr. Mark Welton.  The five game changing viruses  Security best practices that deal with the problems."— Presentation transcript:

1 Mr. Mark Welton

2  The five game changing viruses  Security best practices that deal with the problems

3  Nimda  Bagel and Netsky  Storm  Slammer  Stuxnet

4  “self replicating virus that does not alter files but resides in active memory and duplicates  itself and sometimes drains system resources”  Released on September 18, 2001  5 main forms of infection ◦ email ◦ Open network shares ◦ Via browsing of compromised web sites ◦ Exploitation of various Microsoft IIS 4.0/5.0 directory traversal vulnerabilities ◦ Back doors left behind by the “Code Red II” and “sadmind/IIS” worms

5  On IIS used two vulnerabilities ◦ Extended Unicode Directory Traversal Vulnerability ◦ Escaped Character Decoding Command Execution Vulnerability  Once infected the IIS server would then scan for other hosts with the same two vulnerabilities  It would also use TFTP to transfer files from one infected host to the new host ◦ Files included an admin.dll file and many copies of.eml and.nws files in multiple location of the server

6  Would email a message with a random subject and attach a file named readme.exe  Opening the attachment infected the machine  Could use the preview pane in older versions Microsoft Outlook and Outlook Express to execute the file without the user clicking on the attachment  Would then email out an infected email to all email addresses in the user’s address book  It would sent the email out every 10 days to the user’s address book

7  It would look through an infected web server for.htm,.html, or.asp files  Nimda would add a java script to each of these files pointing to a readme.eml file on the server  An Automatic Execution of Embedded MIME Types Vulnerability in IE would execute the file

8  Once a host machine was infected it scanned the local network to find shared folders  Once the network share was found the worm would look for.doc.eml or.exe files that could be written  It would attach a file called riched20.dll if the file did not exist in the directory  When the user ran one of the infected files it would download and execute the worm infecting the machine  It would also create a guest account with administrator privileges and create open shares on the infected system  It would then send the account and password for this account to the attackers

9  Would replace mmc.exe on a server  Would infect all executable files on both local and network drives replicating the.eml and.nws files along with the riched20.dll  The worm would act as a remote thread to Explorer.exe  Would change the registry key to open network shares for all drives (C$->Z$)

10  Filter attached files with extensions like.exe.com.dll  Educate users not to open attachments they did not expect  Harden and patch web servers  Patch and/or upgrade desktop software  Firewall unused ports  Use IPS to detect and stop unneeded communication

11  First strain sighted on January 18, 2004  Second strain sighted February 17, 2004  Mass-mailing worm (would not email to @hotmail.com @msn.com @microsoft or @avp)  Would open backdoors TCP ports 6777 and 8866  Second strain had its own SMTP engine to mass-mail itself  Created a botnet used to send spam

12  In December 29, 2009 the botnet was responsible for 10.30% of the worldwide spam volume, surging to 14% on New Year’s Day  As of April 2010 botnet estimated sending roughly 5.7 billion spam messages a day

13  Similar to Bagle worm  Written by an 18 year old from Germany  Insults authors of Bagle in code  One strain targeted Bagle and MyDoom infected machines infect the machine, remove Bagle and MyDoom and patch the vulnerability they used  “Botnet Wars”

14  Filter attached files with extensions like.exe.com.dll.vbs  Educate users not to open attachments they did not expect  Harden and patch web servers  Patch and/or upgrade desktop software  Firewall unused ports  Use IPS to detect and stop unneeded communication

15  First detected in January 2007  Worm spread through e-mail spam  Email would link to an infection-hosting web site  Used social engineering in emails to get users to click on link  By September 2007 it was estimated that as many as 1 million compromised systems made up the Storm Botnet  Used known Microsoft vulnerability to infect the machine

16  Back-end servers that control the spread of the botnet and Storm worm automatically re- encode their distributed infection software twice an hour, for new transmissions, making it difficult for anti-virus vendors to stop the virus and infection spread  Additionally, the location of the remote servers which control the botnet are hidden behind a constantly changing DNS technique called ‘fast flux’, making it difficult to find and stop virus hosting sites and mail serversDNSfast flux

17  Command and Control of the botnet used peer-to-peer techniques make no central command and control point that can be shutdown  Botnet also encrypted traffic  Has more computing power then the top 500 supercomputers combined  It is estimated it is only using 10% to 20% of the total capacity of the botnet

18  Launched a series of EXE file in stages creating the following services in the botnet ◦ Backdoor/downloader ◦ SMTP relay ◦ E-mail address stealer ◦ E-mail virus spreader ◦ DDoS attack tool ◦ updated copy of Storm worm dropper  Would use fast flux DNS to hide the bot in the network  Also kernel rootkit the machine and used modified eDonkey comminications

19  Educate users not to open links they did not expect  Patch and/or upgrade desktop software  Firewall unused ports  Use IPS to detect and stop unneeded communication

20  Started on January 25, 2003 at 05:30 UTC  Infected 75,000 machines in ten minutes  Used buffer overflow in SQL server and Microsoft Desktop Engine database products  Patch was release six months earlier  Was a single packet exploit  Infection was in memory only  Would scan for more hosts to infect

21

22  Patch and/or upgrade desktop software  Patch servers  Firewall unused ports  Use IPS to detect and stop unneeded communication

23

24 ◦ Stuxnet – industrial sabotage -> Iranian uranium enrichment program ◦ Ghostnet – stole diplomatic communications -> embassies, Dhali Llama ◦ Aurora – stole source code and other intellectual property -> Google ◦ Night Dragon – industrial and commercial intelligence -> large oil companies

25  Targets Siemens S7/WinCC products, compromises S7 PLC's to sabotage physical process  Exploited Windows zero-day vulnerabilities  Spreads via: ◦ USB/Removable Media ◦ 3 Network Techniques ◦ S7 Project Files ◦ WinCC Database Connections  Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates  Installs cleanly on W2K through Win7/2008R2  Conventional OS rootkit, detects and avoids major anti-virus products  Advanced reverse-engineering protections

26  discovered until June 2010  Infection came for a USB flash drive  Used 4 vulnerability 2 of which where day zero  Used 7 different infection methods  Existed at least a year before discovery

27  Initial infection of worm thought to be from an offsite contractor transferring a file  Or it may have been a Siemens engineer  Or it may have been a flash drive handed out at a conference  …

28  Self-replicates through removable drives exploiting a vulnerability allowing auto-execution ◦ Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability  Spreads in a LAN through a vulnerability in the Windows Print Spooler ◦ Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability  Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability  Copies and executes itself on remote computers through network shares  Copies and executes itself on remote computers running a WinCC database server  Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded  Updates itself through a peer-to-peer mechanism within a LAN  Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed  Contacts a command and control server that allows the hacker to download and execute code, including updated versions  Contains a Windows rootkit that hide its binaries  Attempts to bypass security products  Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system  Hides modified code on PLCs, essentially a rootkit for PLCs

29

30 Infected Removable Media: 1. Exploits vulnerability in Windows Shell handling of.lnk files (0-day) 2. Used older vulnerability in autorun.inf to propagate Local Area Network Communications: 3. Copies itself to accessible network shares, including administrative shares 4. Copies itself to printer servers (0-day) 5. Uses “Conficker” vulnerability in RPC Infected Siemens Project Files: 6. Installs in WinCC SQL Server database via known credentials 7. Copies into STEP7 Project files

31  http://www.youtube.com/watch?v=cf0jlzVCy OI http://www.youtube.com/watch?v=cf0jlzVCy OI

Download ppt "Mr. Mark Welton.  The five game changing viruses  Security best practices that deal with the problems."

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Protect your PC virus, worm, Trojan horse, phishing, spam, botnet and zombies, spoofing, social engineering, identity theft, spyware, rootkits Click.

Protect your PC virus, worm, Trojan horse, phishing, spam, botnet and zombies, spoofing, social engineering, identity theft, spyware, rootkits Click.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew.

How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.

Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.

What are Trojan horses?  A Trojan horse is full of as much trickery as the mythological Trojan horse it was named after. The Trojan horse, at first glance.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
CS 450 - Nathan Digangi.  Secret, undocumented routine embedded within a useful program  Execution of the program results in execution of secret code.

CS Nathan Digangi.  Secret, undocumented routine embedded within a useful program  Execution of the program results in execution of secret code.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.

Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Similar presentations

Ads by Google