CSIS 3756 Security Design, Mr. Mark Welton

Posted 23-Mar-2016 (PowerPoint PPT presentation; transcript below)

TRANSCRIPT

Page 1: CSIS 3756 Security Design

CSIS 3756 Security Design

Mr. Mark Welton

Page 2: CSIS 3756 Security Design

What we are going to look at

- The five game changing viruses
- Security best practices that deal with the problems

Page 3: CSIS 3756 Security Design

My Top 5 Game Changing Viruses

- Nimda
- Bagle and Netsky
- Storm
- Slammer
- Stuxnet

Page 4: CSIS 3756 Security Design

Nimda Worm

- “self replicating virus that does not alter files but resides in active memory and duplicates itself and sometimes drains system resources”
- Released on September 18, 2001
- 5 main forms of infection
  ◦ email
  ◦ Open network shares
  ◦ Via browsing of compromised web sites
  ◦ Exploitation of various Microsoft IIS 4.0/5.0 directory traversal vulnerabilities
  ◦ Back doors left behind by the “Code Red II” and “sadmind/IIS” worms

Page 5: CSIS 3756 Security Design

Infection of vulnerabilities

- On IIS it used two vulnerabilities
  ◦ Extended Unicode Directory Traversal Vulnerability
  ◦ Escaped Character Decoding Command Execution Vulnerability
- Once infected, the IIS server would then scan for other hosts with the same two vulnerabilities
- It would also use TFTP to transfer files from one infected host to the new host
  ◦ Files included an admin.dll file and many copies of .eml and .nws files in multiple locations on the server
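An added detection example (not from the slides) for the two IIS flaws above: it canonicalises request URIs the way the vulnerable decoder did, accepting overlong UTF-8 and decoding twice, then flags any request whose path still contains a '..' segment. The log format and paths are constructed sample data.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines (not from the slides): "METHOD URI STATUS".
SAMPLE_LOG = """\
GET /default.htm 200
GET /scripts/..%c0%af../private/notes.txt 200
GET /msadc/..%255c../private/notes.txt 200
GET /images/logo.gif 200
GET /docs/%2e%2e/index.htm 404
"""

def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 while accepting overlong 2- and 3-byte forms: strict decoders reject
    %c0%af, but the vulnerable IIS decoder mapped it to '/', and a detector must see that."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data) \
                and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3]):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append('\ufffd'); i += 1
    return ''.join(out)

def canonical_path(uri: str) -> str:
    """Percent-decode twice (the escaped-character flaw was a second decode pass run after
    the path had already been security-checked) and fold backslashes to slashes."""
    text = uri.split('?', 1)[0]
    for _ in range(2):
        text = lenient_utf8(unquote_to_bytes(text))
    return text.replace('\\', '/')

def has_traversal(uri: str) -> bool:
    # Browsers never send a literal '..' segment, so one left after canonicalisation is hostile.
    return '..' in canonical_path(uri).split('/')

def suspicious_requests(log_text: str) -> list:
    """Return (line number, raw URI, canonical path) for every traversal attempt in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        _method, uri, _status = line.split()
        if has_traversal(uri):
            hits.append((n, uri, canonical_path(uri)))
    return hits
```

Lines 2 and 3 are the Unicode and double-decoding variants respectively; a plain single decode would miss the first entirely and see only `%5c` in the second.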

Page 6: CSIS 3756 Security Design

Email

- Would email a message with a random subject and attach a file named readme.exe
- Opening the attachment infected the machine
- Could use the preview pane in older versions of Microsoft Outlook and Outlook Express to execute the file without the user clicking on the attachment
- Would then email an infected message to all email addresses in the user’s address book
- It would send the email out to the user’s address book every 10 days

Page 7: CSIS 3756 Security Design

From the infected web server…

- It would look through an infected web server for .htm, .html, or .asp files
- Nimda would add a JavaScript snippet to each of these files pointing to a readme.eml file on the server
- An Automatic Execution of Embedded MIME Types Vulnerability in IE would execute the file

Page 8: CSIS 3756 Security Design

Network Shares

- Once a host machine was infected it scanned the local network to find shared folders
- Once a network share was found the worm would look for .doc, .eml or .exe files that could be written
- It would add a file called riched20.dll if that file did not already exist in the directory
- When the user ran one of the infected files it would download and execute the worm, infecting the machine
- It would also create a guest account with administrator privileges and create open shares on the infected system
- It would then send the account name and password for this account to the attackers

Page 9: CSIS 3756 Security Design

Some other interesting things…

- Would replace mmc.exe on a server
- Would infect all executable files on both local and network drives, replicating the .eml and .nws files along with the riched20.dll
- The worm would run as a remote thread in Explorer.exe
- Would change the registry key to open network shares for all drives (C$ -> Z$)

Page 10: CSIS 3756 Security Design

Security Countermeasures

- Filter attached files with extensions like .exe .com .dll
- Educate users not to open attachments they did not expect
- Harden and patch web servers
- Patch and/or upgrade desktop software
- Firewall unused ports
- Use IPS to detect and stop unneeded communication

Page 11: CSIS 3756 Security Design

Bagle Worm

- First strain sighted on January 18, 2004
- Second strain sighted February 17, 2004
- Mass-mailing worm (would not email to @hotmail.com, @msn.com, @microsoft or @avp)
- Would open backdoors on TCP ports 6777 and 8866
- Second strain had its own SMTP engine to mass-mail itself
- Created a botnet used to send spam

Page 12: CSIS 3756 Security Design

Some stats…

- On December 29, 2009 the botnet was responsible for 10.30% of the worldwide spam volume, surging to 14% on New Year’s Day
- As of April 2010 the botnet was estimated to be sending roughly 5.7 billion spam messages a day

Page 13: CSIS 3756 Security Design

Netsky

- Similar to the Bagle worm
- Written by an 18 year old from Germany
- Insults the authors of Bagle in its code
- One strain targeted Bagle- and MyDoom-infected machines: it would infect the machine, remove Bagle and MyDoom, and patch the vulnerability they used
- “Botnet Wars”

Page 14: CSIS 3756 Security Design

Security Countermeasures

- Filter attached files with extensions like .exe .com .dll .vbs
- Educate users not to open attachments they did not expect
- Harden and patch web servers
- Patch and/or upgrade desktop software
- Firewall unused ports
- Use IPS to detect and stop unneeded communication
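An added example (not from the slides) of the attachment filter recommended on this slide and on the Nimda countermeasures slide (Page 10): it parses a constructed message with Python's email module and reports attachments by final extension, by executable content, and by a declared type that does not match that content. The blocked set and message contents are assumptions.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the slides say to filter; extend per site policy (assumption).
BLOCKED_EXT = {'.exe', '.com', '.dll', '.vbs'}

def build_sample_message() -> bytes:
    """Constructed message (not from the slides): a random-looking subject, a PE
    executable named readme.exe declared as audio, and a harmless text attachment."""
    msg = EmailMessage()
    msg['From'] = 'victim@example.com'
    msg['To'] = 'contact@example.com'
    msg['Subject'] = 'xq8fj2'
    msg.set_content('see attached')
    msg.add_attachment(b'MZ\x90\x00' + b'\x00' * 60, maintype='audio', subtype='x-wav',
                       filename='readme.exe')
    msg.add_attachment('meeting notes', filename='notes.txt')
    return bytes(msg)

def scan_message(raw: bytes) -> dict:
    """Return {filename: [reasons]} for every attachment that should be stripped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or '(unnamed)'
        reasons = []
        # Final suffix only, so 'readme.txt.exe' and 'readme.txt      .exe' still match.
        ext = os.path.splitext(name.strip())[1].lower()
        if ext in BLOCKED_EXT:
            reasons.append('blocked extension ' + ext)
        payload = part.get_payload(decode=True) or b''
        if payload.startswith(b'MZ'):          # PE/DOS header: executable whatever it is called
            reasons.append('PE header in payload')
            if part.get_content_maintype() in ('audio', 'image', 'text'):
                # A benign declared type wrapping executable content is the pattern behind
                # the embedded-MIME-type auto-execution described on Page 7.
                reasons.append('declared type ' + part.get_content_type() + ' does not match content')
        if reasons:
            findings[name] = reasons
    return findings
```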

Page 15: CSIS 3756 Security Design

Storm

- First detected in January 2007
- Worm spread through e-mail spam
- Email would link to an infection-hosting web site
- Used social engineering in emails to get users to click on the link
- By September 2007 it was estimated that as many as 1 million compromised systems made up the Storm Botnet
- Used a known Microsoft vulnerability to infect the machine

Page 16: CSIS 3756 Security Design

So why didn’t antivirus stop it…

- Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour for new transmissions, making it difficult for anti-virus vendors to stop the virus and the spread of infection
- Additionally, the location of the remote servers which control the botnet is hidden behind a constantly changing DNS technique called ‘fast flux’, making it difficult to find and stop virus hosting sites and mail servers
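An added example (not from the slides) of telling a fast-flux name from an ordinary low-TTL name: it profiles repeated A-record answers for churn in addresses and /24 prefixes as well as TTL, since a CDN also answers with short TTLs but from a few stable blocks. The observations and thresholds are constructed assumptions.

```python
import ipaddress
from statistics import mean

# Constructed A-record observations (not real data): (queried name, answer IP, TTL seconds),
# one entry per answer seen over repeated lookups of the same name.
SAMPLE_OBSERVATIONS = (
    # flux-style name: a different residential-looking host on almost every lookup
    [('flux.example', f'10.{n}.{n * 7 % 255}.{n * 13 % 255}', 300) for n in range(1, 13)]
    # CDN-style name: low TTL too, but the answers stay within two address blocks
    + [('cdn.example', ip, 60) for ip in ('10.1.1.10', '10.1.1.11', '10.1.2.10', '10.1.1.10')]
)

def prefix24(ip: str) -> str:
    """Collapse an address to its /24 so churn across networks is visible."""
    return str(ipaddress.ip_network(f'{ip}/24', strict=False))

def flux_profile(observations, name) -> dict:
    answers = [(ip, ttl) for n, ip, ttl in observations if n == name]
    ips = {ip for ip, _ in answers}
    return {
        'lookups': len(answers),
        'distinct_ips': len(ips),
        'distinct_prefixes': len({prefix24(ip) for ip in ips}),
        'avg_ttl': mean(ttl for _, ttl in answers),
    }

def looks_fast_flux(observations, name, min_ips=10, min_prefixes=6, max_ttl=900) -> bool:
    """Low TTL alone is not evidence; require address and prefix churn as well.
    The thresholds are assumptions sized for the sample, not published values."""
    p = flux_profile(observations, name)
    return (p['distinct_ips'] >= min_ips and p['distinct_prefixes'] >= min_prefixes
            and p['avg_ttl'] <= max_ttl)
```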

Page 17: CSIS 3756 Security Design

So why not just stop the C&C…

- Command and control of the botnet used peer-to-peer techniques, so there is no central command and control point that can be shut down
- Botnet also encrypted its traffic
- Has more computing power than the top 500 supercomputers combined
- It is estimated it is only using 10% to 20% of the total capacity of the botnet

Page 18: CSIS 3756 Security Design

What the bot would do

- Launched a series of EXE files in stages, creating the following services in the botnet
  ◦ Backdoor/downloader
  ◦ SMTP relay
  ◦ E-mail address stealer
  ◦ E-mail virus spreader
  ◦ DDoS attack tool
  ◦ Updated copy of Storm worm dropper
- Would use fast flux DNS to hide the bot in the network
- Also kernel-rootkitted the machine and used modified eDonkey communications

Page 19: CSIS 3756 Security Design

Security Countermeasures

- Educate users not to open links they did not expect
- Patch and/or upgrade desktop software
- Firewall unused ports
- Use IPS to detect and stop unneeded communication

Page 20: CSIS 3756 Security Design

Slammer

- Started on January 25, 2003 at 05:30 UTC
- Infected 75,000 machines in ten minutes
- Used a buffer overflow in SQL Server and Microsoft Desktop Engine database products
- Patch was released six months earlier
- Was a single-packet exploit
- Infection was in memory only
- Would scan for more hosts to infect

Page 21: CSIS 3756 Security Design

Scans increased in seconds

Page 22: CSIS 3756 Security Design

Security Countermeasures

- Patch and/or upgrade desktop software
- Patch servers
- Firewall unused ports
- Use IPS to detect and stop unneeded communication

Page 23: CSIS 3756 Security Design

Stuxnet Worm

Page 24: CSIS 3756 Security Design

New Advanced Persistent Threats

◦ Stuxnet – industrial sabotage -> Iranian uranium enrichment program
◦ Ghostnet – stole diplomatic communications -> embassies, Dalai Lama
◦ Aurora – stole source code and other intellectual property -> Google
◦ Night Dragon – industrial and commercial intelligence -> large oil companies

Page 25: CSIS 3756 Security Design

“Most Sophisticated Worm Ever”

- Targets Siemens S7/WinCC products, compromises S7 PLCs to sabotage the physical process
- Exploited Windows zero-day vulnerabilities
- Spreads via:
  ◦ USB/Removable Media
  ◦ 3 Network Techniques
  ◦ S7 Project Files
  ◦ WinCC Database Connections
- Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates
- Installs cleanly on W2K through Win7/2008R2
- Conventional OS rootkit, detects and avoids major anti-virus products
- Advanced reverse-engineering protections

Page 26: CSIS 3756 Security Design

Stuxnet Worm

- Not discovered until June 2010
- Infection came from a USB flash drive
- Used 4 vulnerabilities, 2 of which were zero-day
- Used 7 different infection methods
- Existed at least a year before discovery

Page 27: CSIS 3756 Security Design

Conspiracy Theory anyone…

- Initial infection of the worm is thought to have come from an offsite contractor transferring a file
- Or it may have been a Siemens engineer
- Or it may have been a flash drive handed out at a conference …

Page 28: CSIS 3756 Security Design

List of features

- Self-replicates through removable drives exploiting a vulnerability allowing auto-execution
  ◦ Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability
- Spreads in a LAN through a vulnerability in the Windows Print Spooler
  ◦ Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability
- Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
- Copies and executes itself on remote computers through network shares
- Copies and executes itself on remote computers running a WinCC database server
- Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded
- Updates itself through a peer-to-peer mechanism within a LAN
- Exploits a total of four unpatched Microsoft vulnerabilities: two are the previously mentioned vulnerabilities used for self-replication, and the other two are escalation of privilege vulnerabilities that have yet to be disclosed
- Contacts a command and control server that allows the hacker to download and execute code, including updated versions
- Contains a Windows rootkit that hides its binaries
- Attempts to bypass security products
- Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system
- Hides modified code on PLCs, essentially a rootkit for PLCs

Page 29: CSIS 3756 Security Design
Page 30: CSIS 3756 Security Design

How Stuxnet Infects a System

Infected Removable Media:
1. Exploits vulnerability in Windows Shell handling of .lnk files (0-day)
2. Used older vulnerability in autorun.inf to propagate

Local Area Network Communications:
3. Copies itself to accessible network shares, including administrative shares
4. Copies itself to printer servers (0-day)
5. Uses “Conficker” vulnerability in RPC

Infected Siemens Project Files:
6. Installs in WinCC SQL Server database via known credentials
7. Copies into STEP7 Project files