from creeper to stuxnet


Upload: ariel-evans

Post on 01-Jul-2015


TRANSCRIPT

Page 1: From creeper to stuxnet

From Creeper to Stuxnet

Tell me and I’ll forget
Show me and I may remember
Involve me and I’ll

Shahar Geiger Maor, VP & Senior Analyst

Page 2: From creeper to stuxnet

Shahar Geiger Maor’s work Copyright 2012 @STKI. Do not remove source or attribution from any graphic or portion of graphic.

A Story With A Beginning And No End

Page 3: From creeper to stuxnet


The Beginning - Basic Terminology

Phreaking, Cracking and Hacking…

Page 4: From creeper to stuxnet


I’m A Creep(er)!

1971: The very first viruses: Creeper and Wabbit

Page 5: From creeper to stuxnet


Captain Zap

1981: The first person ever arrested for a computer crime

Page 6: From creeper to stuxnet


Machine Of The Year

1982

Page 7: From creeper to stuxnet


War Games

1983

Page 8: From creeper to stuxnet


Introducing: MOD & LOD

1987

Page 9: From creeper to stuxnet


When Ideology meets Ego

1991

Page 10: From creeper to stuxnet


Professional conferences

1993

Page 11: From creeper to stuxnet


Celebrity

1995

Page 12: From creeper to stuxnet


The Rise of Malware

1995: The Concept Virus

Page 13: From creeper to stuxnet


The Rise of Malware

1999: The Melissa and Nimda Viruses

http://scforum.info/index.php?topic=2528.msg4935;topicseen

Page 14: From creeper to stuxnet


The Rise of Malware

2000: The ILOVEYOU Worm

Page 15: From creeper to stuxnet


The Rise of Malware

2008: Conficker

Page 16: From creeper to stuxnet


[Chart: AV Signatures, Jan-00 to Jan-10; y-axis 0 to 16,000,000 signatures]

The Increasingly Difficult Security Challenge

100s of millions of viruses. Signature-based scanning won’t keep up…

Source: Symantec

Page 17: From creeper to stuxnet


No Existing Protection Addresses the “Long Tail”

Unfortunately neither technique works well for the tens of millions of files with low prevalence. (But this is precisely where the majority of today’s malware falls.)

Today, both good and bad software obey a long-tail distribution.

[Chart: Prevalence of Bad Files and Good Files. Labels: “Whitelisting works well here.” “Blacklisting works well here.” “For this long tail a new technique is needed.”]

Source: Symantec
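The long-tail argument above, modelled as an added example that is not part of the slides: a constructed population of 10,000 files with Zipf-like prevalence, an assumed cataloguing threshold MIN_PREVALENCE of 50 endpoints, a constructed rule that every third file is malware, and a purely list-based classify() that can only answer for catalogued files. All names and numbers are illustrative assumptions.

```python
# Added example, not from the slides: a small model of the long-tail argument.
# Constructed assumptions: 10,000 distinct files whose prevalence (endpoints
# that have seen the file) follows a Zipf-like curve, every third file is
# malware, and a scanner can only list files seen on >= MIN_PREVALENCE endpoints.

MIN_PREVALENCE = 50  # assumed cataloguing threshold for both lists


def zipf_prevalence(n_files, top=100_000):
    """Prevalence of the file at rank r is top // r: a heavy-tailed curve."""
    return [max(1, top // r) for r in range(1, n_files + 1)]


def is_malware(file_id):
    """Constructed ground truth: every third file is bad."""
    return file_id % 3 == 0


def build_lists(prevalence):
    """Catalogue only files common enough to have been collected and vetted."""
    known_good, known_bad = set(), set()
    for file_id, count in enumerate(prevalence):
        if count < MIN_PREVALENCE:
            continue  # too rare to ever reach a vendor's lab: stays unlisted
        (known_bad if is_malware(file_id) else known_good).add(file_id)
    return known_good, known_bad


def classify(file_id, known_good, known_bad):
    """What a purely list-based scanner can say about one file."""
    if file_id in known_bad:
        return "block"    # blacklisting works well here
    if file_id in known_good:
        return "allow"    # whitelisting works well here
    return "unknown"      # the long tail: neither list helps


def long_tail_share(n_files=10_000):
    """Share of files, of installs and of malware that end up 'unknown'."""
    prevalence = zipf_prevalence(n_files)
    good, bad = build_lists(prevalence)
    unknown = [f for f in range(n_files) if classify(f, good, bad) == "unknown"]
    bad_total = sum(1 for f in range(n_files) if is_malware(f))
    return {
        "files_unknown": len(unknown) / n_files,
        "installs_unknown": sum(prevalence[f] for f in unknown) / sum(prevalence),
        "malware_files_unknown": sum(1 for f in unknown if is_malware(f)) / bad_total,
    }


if __name__ == "__main__":
    # Most files (and most malware samples) are unlisted by count, even though
    # the listed files dominate by install count.
    print(long_tail_share())
```

The result is the slide's point in numbers: the lists cover most installs, but the majority of distinct files, malware included, get no verdict at all.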

Page 18: From creeper to stuxnet


Growing Amount of Malware - Lower Rate of Detection

Time to detect for two malware submissions (src: AV-Test.org):

AV Engine      Submission-ID 2009-12-10_22-01_0002    Submission-ID 2010-01-15_22-14_0001
               Time To Detect                         Time To Detect
Authentium     Zero-hour                              No detection
Avast          24.28 hrs.                             2.10 hrs.
AVG            10.18 hrs.                             3.52 hrs.
CA-AV          No detection                           Zero-hour
ClamAV         40.82 hrs.                             No detection
Dr.Web         3.68 hrs.                              13.17 hrs.
Eset Nod32     2.35 hrs.                              Zero-hour
F-Secure       Zero-hour                              20.03 hrs.
Ikarus         2.55 hrs.                              1.90 hrs.
ISS VPS        No detection                           No detection
Kaspersky      6.70 hrs.                              14.52 hrs.
McAfee         28.83 hrs.                             No detection
Microsoft      11.62 hrs.                             No detection
Norman         Zero-hour                              No detection
Panda          76.48 hrs.                             No detection
Rising         71.27 hrs.                             No detection
Spybot S&D     No detection                           No detection
Sunbelt        No detection                           Zero-hour
VirusBuster    4.05 hrs.                              Zero-hour

Page 19: From creeper to stuxnet


Secured Mediation Kiosks

Source: OPSWAT, STKI’s modifications

Page 20: From creeper to stuxnet


Nor(malware) distribution

What about the long tail?

Choose any AV software…

Page 21: From creeper to stuxnet


Nor(malware) distribution

The long tail problem remains

Choose many AV software…

Page 22: From creeper to stuxnet


Organized Cybercrime

2009

Page 23: From creeper to stuxnet


M&As in the Cyber Underground…

http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/

“SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself.”

Page 24: From creeper to stuxnet


Common “Positions” in the cyber-crime business:

Programmers
Distributors
Tech experts
Crackers
Fraudsters
Hosted systems providers
Cashiers
Money mules
Tellers
Leaders

http://www.fbi.gov/news/speeches/the-cyber-threat-whos-doing-what-to-whom

Page 25: From creeper to stuxnet


Underground Economy

http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf

Products                                       Price
Credit card details                            From $2-$90
Physical credit cards                          From $190 + cost of details
Card cloners                                   From $200-$1000
Fake ATMs                                      Up to $35,000
Bank credentials                               From $80 to $700 (with guaranteed balance)
Bank transfers and cashing checks              From 10 to 40% of the total; $10 for a simple account without guaranteed balance
Online stores and pay platforms                From $80-$1500 with guaranteed balance
Design and publishing of fake online stores    According to the project (not specified)
Purchase and forwarding of products            From $30-$300 (depending on the project)
Spam rental                                    From $15
SMTP rental                                    From $20 to $40 for three months

Page 26: From creeper to stuxnet


Cyber Wars

1990s-2000s-2010s

Page 27: From creeper to stuxnet


Growing Number of Incidents - US

Incidents of Malicious Cyber Activity Against Department of Defense Information Systems, 2000–2009

http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf

Page 28: From creeper to stuxnet


Sources of Attacks on gov.il

Source: CERT.gov.il

Page 29: From creeper to stuxnet


Cyber-Warfare is Becoming A Giants’ Playground

http://www.bbc.co.uk/news/technology-11773146

Page 30: From creeper to stuxnet


Operation Aurora

http://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf

Page 31: From creeper to stuxnet


Advanced Persistent Threat (APT) - RSA Case Study

http://www.nytimes.com/2011/03/18/technology/18secure.html

“Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA.” Art Coviello, Executive Chairman, RSA

http://www.rsa.com/node.aspx?id=3872

Page 32: From creeper to stuxnet


Stuxnet:

http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=2&hp

(THE NEW YORK TIMES, 15/1/11)

Page 33: From creeper to stuxnet


Stuxnet Timeline

Early 2008: Siemens cooperated with Idaho National Laboratory to identify the vulnerabilities of computer controllers that the company sells

2008-2009: Suspected exploits have been created for Siemens SCADA systems

July 2009: Stuxnet began circulating around the world

July 2010: Stuxnet is first discovered by VirusBlokAda

Page 34: From creeper to stuxnet


Rootkit.Win32.Stuxnet Geography

Source: http://ebiquity.umbc.edu/blogger/wp-content/uploads/2010/09/stuxnet.gif

Page 35: From creeper to stuxnet


Stuxnet in Action: “A Game Changer”

• 10-30 developers (!!!)

• Stuxnet has some 4,000 functions (software that runs an average email server has about 2,000 functions)

• Exploits a total of four unpatched Microsoft vulnerabilities

• Compromised two digital certificates

• Self-replicates through removable drives

• Spreads in a LAN through a vulnerability in the Windows Print Spooler

• Copies and executes itself on remote computers through network shares

• Updates itself through a peer-to-peer mechanism within a LAN

• Contacts a remote command and control server

• Modifies code on the Siemens PLCs

• Hides modified code on PLCs

Page 36: From creeper to stuxnet


Vulnerability Timeline

Source: Burton Group

Page 37: From creeper to stuxnet


…Let’s talk about Patch Management (PM)

• Mostly Microsoft, security-related patches

• “It’s not the deployment, but the whole process evolving”, AKA Pizza Night.

• 20%-50% of an FTE is dedicated to PM

• Common SLAs: 3…6…or sometimes 12 months!!

• VIP patches: up to a week

• Hardware\non-security patches’ SLA: where upgrades\vendor support is needed

Page 38: From creeper to stuxnet


Page 39: From creeper to stuxnet


Generic Cyber Attacks

1. Individuals\Groups

2. Criminal\Nationalistic background

3. Lots of intervals

4. Lots of targets

5. Common tools

Page 40: From creeper to stuxnet


Distributed Denial Of Service (DDOS)

1. Targets websites, internet lines etc.

2. Legitimate traffic

3. Many different sources

4. From all over the world

5. Perfect timing

Page 41: From creeper to stuxnet


Advanced Persistent Threat (APT)

1. Group/ Org./ State

2. Ideological/ Nationalistic background

3. Multi-layered attack

4. Targeted

5. Variety of tools

6. Impossible to detect in real time (???)

Page 42: From creeper to stuxnet


Security “Threatscape”

Page 43: From creeper to stuxnet


Scan Me To Your Contacts:

Thank You!