
Page 1: Intrusion Detection and Malware Analysis · Intrusion Detection and Malware Analysis Course Introduction / Overview of Security Threats ... reverse engineering Stuxnet and understanding

Intrusion Detection and Malware Analysis
Course Introduction / Overview of Security Threats

Pavel Laskov
Wilhelm Schickard Institute for Computer Science

Page 2

IT in a modern society

Telecommunication, E-Commerce, Transportation, Power

– Major growth factor
– Social phenomenon
– Critical infrastructure

Page 3

What can go wrong?

Morris worm (1988)

– Written by a Cornell graduate student, Robert Morris Jr. (now associate professor at MIT).
– Exploited multiple vulnerabilities in UNIX (sendmail, finger, rsh).
– Multiple infection resulted in severe denial of service.
– Infected 6,000 computers (from the 60,000 then connected to the Internet).
– Estimated damage: $10-100M.

Page 4

What can go wrong?

ILOVEYOU worm (2000)

– First mass-mailer worm.
– Used social engineering to activate a VBS script.
– Infected about 50M computers.
– Caused shutdown of email at the Pentagon, CIA and British Parliament for cleanup.
– Estimated damage: $5.5B.

Page 5

What can go wrong?

SQL Slammer worm (2003)

– “Flash” worm: infected most of the vulnerable systems within 10 minutes.
– Used a buffer overflow in MS SQL Server that had been patched 6 months (!) earlier.
– Caused a major disruption of Internet traffic due to routing problems.

Page 6

What can go wrong?

Samy worm (2007)

– Infected more than 1M users on MySpace within 20 hours.
– Used sophisticated cross-site scripting for propagation.
– Forced MySpace to close the site for cleanup.

Page 7

What can go terribly wrong?

Page 8

Stuxnet: a new era in malware history

“The real-world implications of Stuxnet are beyond any threat we have seen in the past. Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.”

W32.Stuxnet Dossier, Symantec

Page 9

Key features of Stuxnet

– The first virus/worm to target industrial control systems
– Highly versatile propagation mechanisms:
  – USB drives
  – LAN
  – Exploitation of the WinCC database server
  – Infection of PCS7 project files
  – Peer-to-peer update mechanisms
– Use of 4 previously unknown vulnerabilities
– Highly professional code, extensive hiding mechanisms
– Command-and-control functionality

Page 10

Architecture of SCADA systems

Page 11

Some tricks from Stuxnet’s repertoire

Removable disk infection
– Win2k, XP: Autorun.inf
– Vista, Windows 7: specially crafted .lnk files start an exploit stored on a removable drive when its content is viewed
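As an added example (not from the lecture), the following Python script triages a mounted removable drive for the two vectors listed above from the defender's side: it reports which commands an autorun.inf would launch on insertion and lists the shortcut (.lnk) files that Explorer parses as soon as the folder is displayed. The directory layout it builds is constructed for the demonstration, and the function names are my own.

```python
"""Removable-media triage for the two auto-execution vectors on the slide:
autorun.inf (Win2k/XP) and shortcut files (Vista/Windows 7).
Added example; the sample drive layout below is constructed, not real."""
import configparser
import os
import tempfile


def parse_autorun(path):
    """Return the (key, command) pairs an autorun.inf would execute on insertion
    ('open' and 'shellexecute' in its [autorun] section); empty if none."""
    if not os.path.isfile(path):
        return []
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            cfg.read_file(fh)
    except configparser.Error:
        # Malformed INI: nothing parseable to report.
        return []
    commands = []
    for section in cfg.sections():
        # Section names keep their case; option names are lowercased by configparser.
        if section.strip().lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            if cfg.has_option(section, key):
                commands.append((key, cfg.get(section, key)))
    return commands


def find_shortcuts(root):
    """List every .lnk file under root as a forward-slash relative path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def triage_drive(root):
    """Combine both checks for a mounted drive root."""
    return {
        "autorun_commands": parse_autorun(os.path.join(root, "autorun.inf")),
        "shortcuts": find_shortcuts(root),
    }


def build_sample_drive():
    """Constructed stand-in for a mounted stick; all files are empty placeholders."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[AutoRun]\nOpen=setup.exe\nIcon=setup.exe,0\n")
    os.makedirs(os.path.join(root, "docs"))
    for name in ("docs/report.lnk", "photos.lnk", "readme.txt"):
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    print(triage_drive(build_sample_drive()))
```

Running it on the constructed drive reports the `open=setup.exe` command and the two shortcut files; on a real drive, point `triage_drive` at the mount point before any folder is opened in a file manager, since the .lnk vector needs nothing more than the folder being rendered.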

Page 12

Some tricks from Stuxnet’s repertoire

Infection of PCS7 project files
– PCS7 project files have the extension .s7p and store management information about the system configuration.
– A specially crafted .s7p file will cause the Simatic manager to search for and load a certain DLL library (name not disclosed).
– A malicious variant of this DLL is placed by Stuxnet in a special directory from which it will be loaded unless a DLL of that name is found in 4 other system-default locations.

Page 13

What can go wrong: lessons learned

– The key source of security problems is unpatched vulnerabilities.
– Current detection tools are useless unless regularly updated.
– Human error can lead to serious security breaches, further exploited by social engineering.

Page 14

Key IT security mechanisms

– Prevention
– Detection
– Reaction

Page 15

Technical challenges

– Prevention mechanisms are sufficient only if they are correctly implemented.
– Detection mechanisms have to deal with huge variability of attacks and potentially unknown ones.
– Detection mechanisms must be able to withstand evasion and denial-of-service attacks.
– Reaction mechanisms must be timely and accurate and cause no disruption of normal functionality.

Page 16

Non-technical challenges

– Organized crime: hacking previously done for fun is now done for profit.
– Incompetence and naivety of end users: “what do they want to steal from me?”
– Costs: “investment in security is always lost money.”
– Slow incident response: “no matter what happened to my business, it’s none of my competitor’s business.”

Page 17

Top security threats

– Remote exploits
– Web application attacks: SQL injection, cross-site scripting
– Spyware / keyloggers
– Botnets
– Customized attacks / social engineering
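The first web application attack in the list, SQL injection, comes down to one coding mistake, so here is an added example (not from the lecture) that puts the vulnerable login query next to its hardened form. An in-memory SQLite table stands in for the site's user database; the table, the accounts and both login functions are constructed for the demonstration.

```python
"""SQL injection: string-built query beside the parameterised one.
Added example; the user table and both login functions are constructed."""
import sqlite3


def make_db():
    """Constructed in-memory user table. Real systems store password hashes;
    plaintext is used here only so the two query styles can be compared."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the SQL text from user input, so quote characters in the input
    change the query's structure instead of being compared as data."""
    query = ("SELECT count(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn, name, password):
    """Sends the SQL text and the values separately; the driver binds the
    values as data, so input cannot alter the WHERE clause."""
    row = conn.execute(
        "SELECT count(*) FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # textbook input that turns the string-built WHERE into a tautology
    print("vulnerable:", login_vulnerable(db, "alice", crafted))        # True
    print("parameterised:", login_parameterised(db, "alice", crafted))  # False
```

The point worth remembering is that the fix is not input filtering but separating code from data: the parameterised version is shorter than the vulnerable one and needs no list of forbidden characters.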

Page 18

Earning money with security violations

Study by T. Holz, M. Engelberth and F. Freiling at the University of Mannheim, April - October 2008.
Methodology: recovery of stolen credentials from dropzones.
Malware:
– Limbo/Nethell: keylogger, infection via drive-by download
– ZeuS/Zbot: keylogger, infection via spam attachments


Page 20

Impersonation attacks using keyloggers

– A keylogger is installed on a user machine by some attack vector.
– The keylogger downloads configuration data from a dropzone.
– The keylogger monitors keystrokes during access to specific websites and uploads them to a dropzone.
– The attacker retrieves credentials from the dropzone and sells them.

Page 21

Analysis methodology

– Collect malware samples from honeypots and spam traps.
– Execute malware samples in a specially instrumented sandbox; record and analyze outgoing communication.
– Contact a dropzone and download log files.
– Assess the market value of stolen credentials using well-known estimates.
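As an added example of the second step (not code from the Mannheim study), the following Python reads a constructed sandbox HTTP log and flags the destinations that fit the keylogger sequence on the previous slide: a configuration download from a host followed by repeated uploads to the same host. The log format, the hostnames (all under the reserved .test domain) and the function names are my own assumptions; the bank site in the log receives a single POST from the simulated user session and is meant to show what should not be flagged.

```python
"""Find dropzone candidates in an instrumented-sandbox HTTP log.
Added example; the log below is constructed, as are the hostnames."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sandbox log: one request per line, fields are
# timestamp, method, URL, HTTP status and request-body bytes sent.
SANDBOX_LOG = """\
2008-09-14T10:00:01 GET http://cfg.example-drop.test/config.bin 200 0
2008-09-14T10:00:03 GET http://www.example-bank.test/login 200 0
2008-09-14T10:00:09 POST http://www.example-bank.test/login 302 118
2008-09-14T10:01:00 POST http://cfg.example-drop.test/gate.php 200 742
2008-09-14T10:03:30 GET http://time.example-ntp.test/ 200 0
2008-09-14T10:11:00 POST http://cfg.example-drop.test/gate.php 200 655
2008-09-14T10:21:00 POST http://cfg.example-drop.test/gate.php 200 810
"""


def parse_log(text):
    """Turn the log into a list of request dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, url, status, body_bytes = line.split()
        parsed = urlparse(url)
        events.append({"ts": ts, "method": method.upper(),
                       "host": parsed.hostname, "path": parsed.path,
                       "status": int(status), "bytes": int(body_bytes)})
    return events


def find_dropzone_candidates(events, min_uploads=2):
    """Flag hosts the sample first downloaded from and then uploaded to at
    least min_uploads times: the config-then-exfiltrate sequence of the slide."""
    per_host = defaultdict(lambda: {"posts": 0, "upload_bytes": 0,
                                    "first_get": None, "first_post": None})
    # ISO-8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        stats = per_host[ev["host"]]
        if ev["method"] == "GET" and stats["first_get"] is None:
            stats["first_get"] = ev["ts"]
        elif ev["method"] == "POST":
            stats["posts"] += 1
            stats["upload_bytes"] += ev["bytes"]
            if stats["first_post"] is None:
                stats["first_post"] = ev["ts"]
    candidates = []
    for host, stats in per_host.items():
        config_fetched_first = (stats["first_get"] is not None
                                and stats["first_post"] is not None
                                and stats["first_get"] < stats["first_post"])
        if stats["posts"] >= min_uploads and config_fetched_first:
            candidates.append({"host": host, "uploads": stats["posts"],
                               "upload_bytes": stats["upload_bytes"]})
    # Largest upload volume first: that is where log files would be sought next.
    return sorted(candidates, key=lambda c: -c["upload_bytes"])


if __name__ == "__main__":
    for cand in find_dropzone_candidates(parse_log(SANDBOX_LOG)):
        print(cand)
```

On the constructed log only cfg.example-drop.test is reported (3 uploads, 2,207 bytes); lowering `min_uploads` to 1 would also pull in the bank site, which is why the repeated-upload threshold matters when the sandbox session includes ordinary browsing.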

Page 22

Taking stock (Kassensturz)

Credentials          Amount    Price range    Average value
Bank accounts        10,775    $10 - 1000      $5,387,500
Credit cards          5,682    $0.40 - 20         $56,820
Social network IDs   78,359    $1 - 15           $587,162
Auction accounts      7,105    $1 - 8             $28,420
Email passwords     149,458    $4 - 30         $2,540,786

Total               224,485                   $8,600,688

Page 23

What will you learn?

Main attack mechanisms
– network, host and web application attacks

Detection of malicious network traffic
– network audit tools
– feature extraction algorithms
– detection algorithms
– some response mechanisms

Detection and analysis of malicious software
– malware types and their functionality
– malware collection, monitoring and analysis

Page 24

Course administration

Lectures: Fri, 10:00–12:00 (ct), F122

Formalities:
– Credit hours (diploma): 2 SWS (lectures) + 1 SWS (exercises)
– Credit points (master): 4 LP (lectures + exercises)

Exams and grading:
– diploma: oral exam by appointment, separate Übungsschein (exercise certificate) for the exercises (with a grade)
– master: written exam at the end of the semester (70%), exercise grades (30%)

Course web page: http://www.ra.cs.uni-tuebingen.de/lehre/ws10/intrusion det.html

Page 25

Homework assignments and exercises

Meetings: Mon, 14:00 (ct) – 16:00, A301
First meeting: 25.10

– 2 individual homework assignments
– 3 assignments as a mini-project (in groups of 3-4 students)
– Final assignment: live IDS competition

Evaluation and grades:
– all assignments are equally weighted
– the competition winner receives a 20% bonus.

Page 26

Literature

– Edward Amoroso. Intrusion Detection. B&T, 1999.
– John Aycock. Computer Viruses and Malware. Springer Verlag, 2006.
– Carl Endorf, Eugene Schultz, and Jim Mellander. Intrusion Detection & Prevention. McGraw-Hill, 2003.
– Stephen Northcutt and Judy Novak. Network Intrusion Detection. New Riders, 2002.
– Peter Szor. The Art of Computer Virus Research and Defense. Symantec Press, 2005.

Page 27

Take-home message

– First and foremost: hunting hackers is fun!
– It’s a major challenge: hackers are quite savvy!
– It may get quite practical: modern IT security needs intrusion detection!