Emerging Persistent Threats: Limitations of Current Security Technologies

Srinivas Mukkamala, PhD, Chief Technology Officer

CAaNES (Computational Analysis and Network Enterprise Solutions)

IA Research as a Service (RaaS)

[email protected]

Mobile: 505 948 4305

Who Am I?

• Senior Research Scientist and Adjunct Faculty
  – New Mexico Tech - ICASA
• PhD Computer Science
  – Computational Intelligent Techniques for Intrusion Detection
• US Patent – Computational Intelligence for Intrusion Detection
• One of the Most Cited and Downloaded Papers – Intrusion Detection Using Ensemble of Intelligent Paradigms
• Author of 120 Peer Reviewed Publications
• CACTUS Project – One of the Leads
  – Computational Analysis of Cyber Terrorism Against the US
• Managed Several Security Engagements
  – Security Posture Assessments
  – Incident Response and Digital Forensics


Hyper Connectivity

Anything that can be connected will be connected. What about security?

Fire: Functionality checks, Detector service
Water: Smart Meters, Use / Flow Sensing
HVAC: Fans, Variable Air Volume, Air Quality
Elevators: Maintenance, Performance
Access/Security: Badge in, Cameras, Integration; Perimeter, Doors, Floors, Occupancy
Lighting: Occupancy Sensing
24/7 Monitoring: Condition Monitoring, Parking Lot Utilization
Energy: Smart Meters, Demand response

Emerging Facilitators – Non Traditional Computing

Voice/Video/Data

Integrated Building & Communications Services

Images from IBM Smart Planet

What are the Goals for Malicious Activity?

Source: OWASP

Most Common Attack Methods?

Source: OWASP

Which Application Weaknesses are Exploited?

Source: OWASP

Are Traditional Methods Working?

Diagram: Network Access (OSI Layer 1 – 3), Protocols (OSI Layer 4 – 7), Application (New Layer 8+); Network Layer, Application Layer, Data Layer.

Controls shown: Perimeter Firewall, Network Firewall, Data Center Firewall, Web Application Firewall, Behavioral Based Tools?, Departmental Firewall, Intrusion Prevention System (IPS) & Deep Inspection Firewall, Web Application Security (PORT 80, PORT 443).

Attacks Now Look To Exploit Application Vulnerabilities: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering.

Perimeter Security Is Strong But Is Open to Web Traffic.

! Infrastructural Intelligence
! Non-compliant Information
! Forced Access to Information

High Information Density = High Value Attack

A Few Facts About Web App Scanners

Analyzing the Accuracy and Time Costs of Web Application Security Scanners: Larry Suto

WAF Performance!

Analyzing the Effectiveness of Web Application Firewalls: Larry Suto

SCOPE Cloud (diagram)

Application Enumeration: Data Store, Network, Crawling, Variables, Validation, Configurations

Automated Testing: OWASP Top 10, Top 25 Prog Errors, Top 10 Database, Default Items of Interest; XSS, Data Injections, Data Manipulation, Session Management, Non Repudiation

Manual Testing: Vulnerabilities, Frequent Patterns, Reports

PVS: Port, Protocol, Variable, Script, Location

Advanced: Crawling Structure, Logical Attacks, Semantics, Access Controls, Manipulations, Hidden Code, Hidden Variables, Escalation

Stopping Malicious Code

Chart (Symantec Research): Contagion Period versus Signature Response Period, 1990 to current. Time axis: months, days, hrs, mins, secs. Malware classes: Program Viruses, Macro Viruses, E-mail Worms, Network Worms, Flash Worms; pre-automation and post-automation.

• We’ve reached an inflection point where the latest threats now spread orders of magnitude faster than our ability to respond
• The existing signature based capture/analyze/signature/rollout model fails to address these threats on its own

Performance of Antivirus Scanners

Table: detection results for Mydoom.A and its obfuscated variants V1 – V7 against eight scanners (columns N, M1, M2, D, P, K, F, A); the per-cell detection marks are not recoverable from the transcript.

N – Norton, M1 – McAfee UNIX Scanner, M2 – McAfee, D – Dr. Web, P – Panda, K – Kaspersky, F – F-Secure, A – Anti Ghostbusters.

Source: SAVE – Static Analyzer for Vicious Executable, Similarity Analysis Methodology. ACSAC 2004

Anatomy of Malware

1- The Enabling Vulnerability
2- Propagation Mechanism
3- Payload

The Forensics of a QakBot/Variant

Timeline stages, in order: Vulnerability reported / Vendor acknowledges; Bulletin & patch available; No exploit; Exploit code in public; Worm in the world.

Vulnerability reported / Vendor acknowledges: MS 06-035 Jan 5–06; MS 09-001 Jun 25-08; MS 10-054 Feb 11-10
Bulletin & patch available: MS 06-035 Aug–06; MS 09-001 Jan 13-09; MS 10-054 Aug 10-10
Exploit code in public: July 17 2006; Sep 14 2008; Aug 11 2010
Worm in the world: May 7 2009; June 28 2010

Report: Vulnerability in SMB; MS activated response process; News in Security Blogs
Bulletin: MS delivered to customers; Continued outreach to analysts, press, community, partners, government agencies
Exploit: Core – MS 06-035; Anonymous; Stratsec and Source Fire – MS 10-054
Worm: QakBot discovered; variants and other viruses hit simultaneously; New Variant on June 28 2010

MS 06-035 Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
MS 09-001 Vulnerabilities in SMB Could Allow Remote Code Execution
MS 10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution

Backdoor:Win32/Qakbot.gen!arc (Trojan.Win32.Bzud.a (Kaspersky)) is a generic detection for an archive file that contains a copy of Backdoor:Win32/Qakbot

Qakbot

Backdoor:Win32/Qakbot.gen!A
Encyclopedia entry. Updated: May 14, 2010. Published: May 21, 2009
Aliases: TrojanSpy:Win32/Botinok (other); Trojan.Spy.Shoe.B (BitDefender); Win32/Qakbot!generic (CA); Trojan-Spy.Win32.Botinok.a (Kaspersky); W32/Pinkslipbot (McAfee); Mal/Qbot-B (Sophos); W32.Qakbot (Symantec); Backdoor.QBot.F (VirusBuster); Backdoor:Win32/Qbot.A (other)
Detection initially created: Definition: 1.45.287.0. Released: Oct 07, 2008

Qakbot Variant

Backdoor:Win32/Qakbot.gen!arc
Encyclopedia entry. Updated: Jul 06, 2010. Published: Jun 28, 2010
Aliases: Win32/Qakbot!Data (CA); Trojan.Win32.Bzud.a (Kaspersky); W32/Qbot.W.worm (Panda); Mal/QbotArc-A (Sophos); TROJ_BZUD.SM (Trend Micro)
Detection initially created: Definition: 1.85.782.0. Released: Jun 24, 2010

The Power of Similarity Analysis

– An original malware contains a sequence of System/API calls S
– An obfuscated version retains the functionality of the original malware and contains a sequence of System/API calls S’
– Variants created or modifications will generally not change high-level System/API calls if the functionality is retained
• This assumption holds good for Rapid Variants and Polymorphism; however, it might not be true for Metamorphic Malware

Therefore …

– S ≈ S’
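The S ≈ S’ idea carried into code, as an added example that is not from the slides or the CAaNES framework: the slide does not state its similarity measure, so the measure here is an assumption (longest-common-subsequence length normalised by the row sequence's length, which gives an asymmetric matrix like the one shown), and the API traces are constructed.

```python
# Added example, not code from the slides: similarity of System/API call
# sequences between an original sample and an obfuscated variant. Measure is
# an assumption: LCS length normalised by the row sequence's length.
from typing import Dict, List, Sequence

def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Length of the longest common subsequence (order-preserving)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def sequence_similarity(s: Sequence[str], t: Sequence[str]) -> float:
    """Percent of calls in s that reappear, in order, in t (row-normalised)."""
    return 100.0 * lcs_length(s, t) / len(s)

def bag_similarity(s: Sequence[str], t: Sequence[str]) -> float:
    """Order-insensitive 'API bag' measure: Jaccard index of the call sets."""
    a, b = set(s), set(t)
    return 100.0 * len(a & b) / len(a | b)

def similarity_matrix(samples: Dict[str, List[str]]) -> Dict[str, Dict[str, float]]:
    """Pairwise row-normalised matrix keyed [row][column], as on the slide."""
    return {r: {c: sequence_similarity(samples[r], samples[c]) for c in samples}
            for r in samples}

# Constructed API traces for illustration; they are not real malware data.
ORIGINAL = ["CreateFileA", "WriteFile", "RegOpenKeyExA", "RegSetValueExA",
            "WSAStartup", "socket", "connect", "send", "recv", "CreateProcessA"]
# Variant: the same functional calls in the same order, with junk calls inserted.
VARIANT = ["GetTickCount", "CreateFileA", "Sleep", "WriteFile", "RegOpenKeyExA",
           "GetTickCount", "RegSetValueExA", "WSAStartup", "socket", "connect",
           "Sleep", "send", "recv", "CreateProcessA"]
# Unrelated benign program sharing only one common file-handling call.
BENIGN = ["GetModuleHandleA", "LoadLibraryA", "CreateFileA", "ReadFile",
          "MessageBoxA", "ExitProcess"]
SAMPLES = {"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN}

def is_variant_of(row: str, ref: str, threshold: float = 70.0) -> bool:
    """Flag row as a variant of ref when its row-normalised similarity is high."""
    return sequence_similarity(SAMPLES[row], SAMPLES[ref]) >= threshold

if __name__ == "__main__":
    for r, cols in similarity_matrix(SAMPLES).items():
        print(f"{r:9}", " ".join(f"{v:7.2f}" for v in cols.values()))
```

The junk-call padding in the variant lowers its row score (10 of 14 calls match) but leaves the original's row at 100, which is the asymmetry visible in the slide's matrix; the unrelated program stays far below any sensible threshold under both measures.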

Similarity matrix of the sample set (rows and columns are sample files; 100 = identical):

Sample          bazjztgqk.exe  bkvmbcmzs.exe  btroyqkix.exe  dqicelous.exe  febimqrjh.exe  fosgwphwn.exe
bazjztgqk.exe   100            73.6786478     78.24114       71.74157       76.071396      76.9073096
bbokuvagc.exe   100            73.6786478     78.24114       71.74157       76.071396      76.9073096
bkvmbcmzs.exe   63.00304       100            71.61254       76.052123      71.813771      66.0121886
btroyqkix.exe   66.94528       72.9347315     100            75.051016      73.192293      53.4822965
bvorgnydm.exe   63.00304       100            71.61254       76.052123      71.813771      66.0121886
cvktxdxlc.exe   63.00304       100            71.61254       76.052123      71.813771      66.0121886
dctiawdew.exe   100            73.6786478     78.24114       71.74157       76.071396      76.9073096
dkcfydapk.exe   63.00304       100            71.61254       76.052123      71.813771      66.0121886
dqicelous.exe   58.84703       63.5237935     68.86642       100            64.549778      77.5841466
dqopbvvgf.exe   63.00304       100            71.61254       76.052123      71.813771      66.0121886
eaodfxaqb.exe   58.84703       63.5237935     68.86642       100            64.549778      77.5841466
evdrdrici.exe   58.84703       63.5237935     68.86642       100            64.549778      77.5841466
fayzieggg.exe   58.84703       63.5237935     68.86642       100            64.549778      77.5841466
febimqrjh.exe   68.95742       73.423462      78.0761        72.817556      100            63.8070003
fosgwphwn.exe   16.29039       30.1519036     18.61352       31.898936      16.205353      100
gedlhqeqs.exe   63.00304       100            71.61254       76.052123      71.813771      66.0121886
gmesqesad.exe   63.00304       100            71.61254       76.052123      71.813771      66.0121886
kmuilexef.exe   58.84703       63.5237935     68.86642       100            64.549778      77.5841466
kmxjjbvsr.exe   100            73.6786478     78.24114       71.74157       76.071396      76.9073096

BRAVE Malware Analysis Framework (diagram)

Inputs: Executables, Scripts, Compressed Files
Pre-processing: Packing / Unpacking; Static Analysis; Dynamic Analysis
Feature Extraction (API Calls): API Bag, API Frequency (TF), API Sequence
Similarity Measures; Error Correction
Experiments: Normal vs. Malware (Classification/Detection); Malware Original/Variants
Viewpoints: Similarity, SVMs, Clustering
Reports: Similarity, APIs, Packing, Behavior, Complex; ROC Curves, False Positives, False Negatives; Result, Summary; Knowledge

Similarity Analysis Malware of Interest

Presented at International Conference on Cyber Warfare 2011Pending Journal Publication

Similarity Analysis of Popular Malware

Columns (in order): Win32.Bagle.c.mal, Bagle.O.mal, Mydoom.b.mal, Win32.NetSky.ad.mal, Win32.NetSky.aa.mal, Worm.Sasser.D.mal, Worm.Sasser.C.mal, Win32.Sircam.c.mal, Sircam.A.mal, Vundo.FCC.mal, Vundo-2075.mal

Win32.Bagle.c.mal: 100 100 11.98579 11.01129 11.98579 88.3069 88.3069 88.3069 14.1887 14.1887 14.1887
Bagle.j.mal: 90.69986 65.59547 61.35457 64.03873 64.03873 64.03873 64.03873 50.17392 50.17392 76.56955 80.24496
Bagle.al.mal: 99.42608 36.59488 66.43398 57.88603 87.88603 37.88603 87.88603 25.3252 25.3252 55.35997 52.68773
Win32.Bagle.o.mal: 97.48856 100 73.71068 97.73258 97.73258 97.73258 97.73258 48.85909 48.85909 82.69381 71.75364
Win32.Klez.h.mal: 96.64575 11.98579 48.50764 88.3069 88.3069 88.3069 88.3069 14.1887 14.1887 62.47964 17.39779
Win32.NetSky.c.mal: 98.14567 71.55218 67.70674 80.20834 80.20834 80.20834 80.20834 50.58495 50.58495 93.65291 74.65301
Blaster.dam.mall: 97.48856 100 73.71068 97.73258 97.73258 97.73258 97.73258 48.85909 48.85909 82.69381 71.75364
MSWord.Blaster.c.mal: 98.14567 71.55218 67.70674 80.20834 80.20834 80.20834 80.20834 50.58495 50.58495 93.65291 74.65301
CodeRed.c.mal: 66.14461 80.93707 57.67036 62.46689 57.67036 64.03873 64.03873 64.03873 40.96598 40.96598 40.96598
CodeRed.a.mal: 98.14567 71.55218 67.70674 80.20834 80.20834 80.20834 80.20834 50.58495 50.58495 93.65291 74.65301

Similarity Analysis of Popular Malware (continued; same columns as above)

Worm.LoveLetter.DK.mal: 66.14461 12.2884 48.85909 66.14461 65.40386 65.40386 11.70592 3.493751 12.2884 67.62279 81.14634
VBS.LoveLetter.D.mal: 90.69986 65.59547 61.35457 64.03873 64.03873 64.03873 64.03873 50.17392 50.17392 76.56955 80.24496
Worm.Sasser.C.mal: 97.48856 100 73.71068 97.73258 97.73258 97.73258 97.73258 48.85909 48.85909 82.69381 71.75364
Mydoom.b.mal: 92.45689 21.85249 100 76.27815 76.27815 76.27815 76.27815 19.26173 19.26173 84.64828 57.33075
Win32.Sircam.c.mal: 98.80203 70.05651 72.64135 88.91945 88.91945 88.91945 88.91945 100 100 66.91638 65.34238
Vundo.FCC.mal: 99.03418 11.70592 30.69936 100 100 100 100 11.32529 11.32529 100 36.11959
Vundo-2075.mal: 81.18607 33.90044 74.77176 79.91469 79.91469 79.91469 79.91469 26.36764 26.36764 76.20991 100
Vundo.ELC.mal: 97.92501 58.23748 71.91817 81.19189 81.19189 81.19189 81.19189 40.21969 40.21969 79.91435 69.33983
Vundo-1991.mal: 99.03418 11.70592 30.69936 100 100 100 100 11.32529 11.32529 100 36.11959
Vundo.FCC.mal: 72.75943 39.51834 60.72317 54.45216 54.45216 54.45216 54.45216 33.51456 33.51456 70.22576 69.5021

Similarity of Crime Packs

Shell Code and Crime Pack Similarity Analysis

Manoj Cherukuri and Srinivas Mukkamala

Visualization of Normal and Malware

Malware Visualization

Kesav Kancharla and Srinivas Mukkamala


Clustering Malware Families!

Malware Similarity - Clustering

Malware Classification and Visualization

John Donahue and Srinivas Mukkamala


Malware Infrastructure - Facilitators

Images from Damballa

Blog Analysis and Knowledge Exploration

Malware Attribution and Malware Infrastructure Mapping

Manoj Cherukuri and Srinivas Mukkamala

Link Analysis mooo.com and afraid.org

Osama Link Analysis

3 Pages – Inlinks | Outlinks

Malware Visualization

John Donahue and Srinivas Mukkamala

Common Hacker Attack Technique (CHAT)

Phases: Reconnaissance, Scanning, System Access, Damage, Track Coverage

Defense windows: Indications and Warning Threshold (Defense); Preventive Phase (Defense); Reactive Phase (Defense)

Steps shown, left to right: Web-Based Information Collection; Social Engineering; Broad Network Mapping; Targeted Scan; Service Vulnerability Exploitation; Privilege Escalation; Malicious Code Installation; System File Modification; Binding; Log File Changes; Steal Sensitive Data (Encrypted or Clear)

Best Opportunities for Real Time Network Security And Stall the Attacker

Incident Response

Reduce Attack Surface

• The “Attack Surface” is the sum of the ways in which an attacker can get at you
  – Smaller Attack Surface is better

Which one has the smaller attack surface?

Worm exploits MS vul and deposits trojan. Trojan creates a rogue http tunnel and steals password information.