The SANS Internet Storm Center

1
The SANS Internet Storm Center Workings,
observations, and trends
Jim Clausing, Internet Storm Center Handler
2
Outline

• The SANS Internet Storm Center
• Global Collaborative Incident Handling
• Case study WMF
• Case study VML
• Case study Poebot
• Current Threats
• Contribute!
• Q A

3
Handlers on duty...
4
History

• SANS Institute 1979
• GIAC (Global Incident Analysis Center) 1999,
  mailing list to watch Y2K. The initials have
  since been taken over by the certification
  organization
• www.incidents.org and intrusions_at_incidents.org
  mailing list, GCIA practicals, diary
• Dshield.org 1999, Johannes hired by SANS in
  2000 (now 300,000 targets/day)
• Internet Storm Center 2001, grew out of li0n
  worm analysis (22 Mar)
• All volunteer March 2002

5
What is the Internet Storm Center?

• Sponsored by SANS Institute
• Intended to provide early warning.
• Infocon when do we change it?
• Diary daily
• RSS feed
• Monthly webcast (2nd Wed of the month)
• How to contact
• http//isc.sans.org/contact.php (preferred)
• handlers_at_sans.org

6
A little more info about the web sites

• Dshield.org -
• 300,000 targets/day
• 800,000,000 rows/month in database
• isc.sans.org
• 55,000 users/day (gt75K on busy days)
• Monitored by major news organizations (NPR,
  Washington Post, Al Jazeera, )

7
How do DShield and the Internet Storm Centerwork
together?
Reports
Database
Sensors
DShield Automated Data Collection Engine.
8
The Internet Storm Center uses DShield and
readerreports to create daily diaries.
DShield Data
ISC Handlers
Reader Reports
From isc reader To handlers_at_sans.org Subject
Recent attack. ....
9
How readers contact us
10
How readers contact us (cont'd)
From jim.clausing_at_acm.org Sat Oct 16 173202
2004 Date Sat, 16 Oct 2004 211634 GMT From
jim.clausing_at_acm.org To handlers-850371_at_sans.org
Subject ISC 850371 test Name Jim
Clausing E-Mail jim.clausing_at_acm.org /
handlers_at_sans.org is an alias for all ISC
handlers. Please include the list in all
replies to keep everyone informed. You may
receive more than one response / testing,
please ignore --- Malware OKN Diary
OKN Mention NameN IP xxx.yyy.146.107 Browser
Mozilla/5.0 (X11 U Linux i686 rv1.7.3)
Gecko/20040914 Firefox/0.10 Port 33018 HTTP_VIA
HTTP_X_FORWARDED_FOR ---
11
The ISC Handlers are a diverse group of
networksecurity professionals

• 35-40 Handlers
• 9 Countries
• GIAC certifications (many with honors)
• Various industries (Banking, ISPs, Gov, Edu) are
  represented, and different areas of expertise.
• Each day, one handler takes charge as Handler on
  Duty.
• New Handlers are picked by existing handlers.
• Malware subgroup (includes several non-handlers)
• Mailing list/Jabber server

12
A few handlers (and a groupy)
13
Data from DShield allows us to zoom in onnew
trends and solicit more details from users.
I am seeing...
Diary Got Packets?
DShield Data
Anomaly
14
Data from DShield can also be used to verifyif a
report is an isolated incident or not.
Is anybodyelse seeing this?
Yes
No
DShield Data
15
Diaries are frequently revised based on
userfeedback.
Diary Worthy?
Immediate publication of new event to solicit
feedback from readers and provide the earliest
possible alert.
Initial Observation
Initial Diary
Revised Diaries
Additional Observations
16
A number of automated reports are providedbased
on data collected by DShield.

• Top Ports Am I seeing the same attacks as
  others?
• Trends What changed? Am I ready for it?
• Source Reports Is anybody else getting attacked
  by the same source?
• INFOCON Are there any significant new threats
  that require immediate action?

17
Looking at the Dshield data
18
The WMF exploit showed that 0-day exploits areno
longer used to attack only high value targets.
DEC 28 2005

• Phone Call
• I went to Knoppix-STD.org, and it looks like
  adware was installed on my system
• Verification
• Visit knoppix-std.org
• Fax Viewer pops up
• Anti Spyware Ad is installed.

19
Initially, the WMF 0-day exploit is used
toinstall fake anti-spyware.
20
How do we defend our network against a
widelyused 0-day exploit?

• Firewall?
• Not much good. This is a client exploit.
• Antivirus?
• Threat is developing too fast.
• Configuration Changes?
• Disable shimgvw.dll works ok.
• User Education?
• Too late, and wouldn't work.
• IDS?
• Again, too late, threat developing too fast.

21
Why did Anti Virus not work well?

• Rapid delivery of obfuscation tools (e.g.
  Metasploit).
• Anti Virus recognized payload, but not exploit.
• Multi-payload exploit Only partially discovered
  and removed.
• New payloads released hourly.
• gt 500 distinct versions after few days !

22
The situation escalates as more and moresites
attempt to exploit the vulnerability.
Dec 31 2005

• The race is on by malware writers to capture as
  many vulnerable systems as possible.
• (SPEED COUNTS!)
• Spam used to disseminate exploit.
• Exploit can be triggered by desktop search
  programs.
• Ilfak Guilfanov releases patch!

YELLOW
23
Is it ok for the Internet Storm Center (or
anybody)to release or recommend an unofficial
patch?

• Patch has been validated.
• Tom Liston verified that the patch is ok.
• Risks are communicated to the user.
• The patch was clearly labeled as unofficial
• No good mitigation method is available.
• disabling shimgvw.dll causes many problems.
• Widespread use of exploit.
• 500 versions found in the wild, large botnets
  built.
• No vendor patch is available.

24
Even with patch and workarounds, the
battleagainst WMF exploit continues.

• several 1,000 e-mails over the new year weekend.
• Microsoft releases WMF patch by mistake.

Microsoft releases official patch ahead of its
scheduled January patch day.
JAN 5 2006
25
The VML vulnerability of Sep 2006

• 2006-09-18 2315 GMT Sunbelt Software posts
  about IE VML exploit
• At first, claim turning off javascript will
  mitigate
• First pass through VirusTotal only Microsoft
  detects (theyve apparently had coverage since 16
  Sep) ?
• 2006-06-19 1627 UTC Evidence that it is
  already incorporated into a version of
  WebAttacker toolkit.
• 2006-06-19 US-CERT posts VU416092, MSFT
  publishes advisory, recommands unregistering DLL
• 2006-06-20 Public exploit available

26
The VML vulnerablity of Sep 2006, contd

• 2006-09-22 0000 UTC Ed Skoudis becomes HOD
• 2006-09-22 MSFT claims it isnt being widely
  exploited, patch will come on 10 Oct. AUSCERT
  says it is seeing increasing exploiting including
  via spam
• 2006-09-22 1200 UTC ZERT announces its
  existence, produces patch
• 2006-09-22 1500 UTC we raise infocon to yellow
• 2006-09-23 1500 UTC infocon back to green
• 2006-09-23 Were seeing several thousand
  exploited websites and exploit being incorporated
  into new trojans

27
The VML vulnerability of Sep 2006, contd

• 2006-09-23 Yet another variation of VML exploit
  this time, a heap overflow
• 2006-09-25 VML exploits via e-greeting cards
• 2006-09-26 1500 UTC Metasploit module released
• 2006-09-26 1700 UTC Microsoft releases MS06-055

28
Recent reports to the ISC show the
followingthreats as important and current.

• 0-day exploits (commodity as well as targeted).
• The Age of the Bot.
• Client (and more targeted) attacks.
• Diminishing utility of signature based Antivirus
  solutions.
• Unique covert channel usage is increasing and
  becoming more sophisticated.
• Financially motivated
• Malware Analysis Tool Detection

29
Poebot Evolution
February 2005

• W32/Poebot-A is a network worm with backdoor
  Trojan functionality
• The worm spreads through network shares protected
  by weak passwords.
• The backdoor component joins a predetermined IRC
  channel and awaits further commands from a remote
  user.

30
Poebot Evolution
February 2006

• Capabilities
• joins and parts IRC channels, changes nick,
  creates clones, sends raw command, sends messages
  and notices, floods channels
• runs IDENTD server on a specified port
• scans for vulnerable computers using a number of
  exploits and reports to a hacker
• tries to spread to network shares, bruteforces
  share passwords using the hardcoded list

31
Poebot Evolution
February 2006, cont.

• Capabilities
• steals logins and passwords (cached passwords,
  FlashFXP passwords, IE site passwords, MSN
  passwords)
• steals Outlook account information (SMTP and POP
  server names, logins and passwords)
• steals HTTP e-mail server logins and passwords
  (Hotmail)
• sniffs network traffic (packet sniffer)

32
Poebot Evolution
February 2006, cont.

• Capabilities
• downloads and runs files on an infected computer
• opens a pipe-based remote command shell on an
  infected computer
• act as a proxy server on a selected port
• collects information about an infected system
  (software and hardware configuration)

33
Poebot Evolution
February 2006, cont.

• Capabilities
• finds and terminates competing bots
• performs a DoS (Denial of Service) attack
• updates itself from Internet
• lists processes paying attention on processes
  with the specific names (games mostly)
• possibly using encrypted/covert CC

34
Poebot Evolution
February 2006, cont.

• Infection Mechanisms
• ASN.1 (MS04-007), ports 80, 139, 445LSASS
  (MS04-011), port 445DCOM-RPC (MS04-012), port
  135WKSSVC (MS03-049), ports 135, 445WEBDAV
  (MS03-007), port 80UPNP (MS05-039), port
  445MSSQL, port 1433DameWare, port
  6129BackupExec, port 6101IceCast, port
  8000SlabMail, port 110RealServer, port 554

35
The outbreaks of major viruses and worms are
slowing
For Hire
36
Recent Study by Panda Software (2Q2006)

• Trojans accounted for 54.4 percent of the new
  malware detected during the second quarter of
  2006
• The number of new worms continued to fall,
  representing just 4.9 percent of the new threats
  detected
• The increase in Trojans and the large number of
  new bots and backdoor Trojans detected confirms
  the financial motivation behind the new malware
  dynamic
• This new aim of malware creators is also
  reflected in the large number of bots (16) and
  backdoor Trojans (12) detected over the last
  quarter. These types of threats are also widely
  used in other criminal business models that
  provide income for cyber-criminals.

37
Enter the new age of the Botnets
38
HTTProxy covert channel

• Malware installed via opening infected attachment
• Malware issues HTTP GET request
• Malware receives HTML from web site
• Malware parses first 64 bytes of HTML
• Malware extracts Base64 encoded command from HTML
  comments "lt!--" and --gt found within the first
  64 bytes
• Commands S (sleep), D (download and execute),
  and R (reverse shell)

39
Malware using covert channels

• PWS-Banker.bm Uses ICMP
• TSPY_SMALL.CBE Uses ICMP
• Remacc.SAdoor IP, ICMP, UDP or TCP packet with
  certain characteristics.
• Win32.Bube.J HTTP
• HTTPProxy HTML comments

40
Malware Analysis Tool Detection
VMWare Detected
Better act normal
41
Examples

• Sniffer Sniffer is running, so do not go to
  the internet
• Debugger Kill the debugger or terminate the
  process
• VMware Running in VMware, play nice. If not
  running in VMware then do bad things
• Internet connectivity No connectivity, sleep

42
0-Day exploits used to be applied only
againsthigh value and well defended targets. But
nowwe see them used against regular users

• 0-day Exploit without patch (not unreleased
  exploit)
• 2006 zero-days in use
• WMF Used to install spyware
• Javascript more drive-by downloads (2 exploits)
• Safari Archives used to install bots.
• Word Exploit only used targeted like
  traditional 0-day use.
• VML Again used to install spyware

43
0-days are still used to make money. But
insteadof outright selling them, they are used
to installspyware/adware/spam botnets

• Exploits are hard to sell on the open market.
  WMF is rumored to have sold for 5,000.
• Security companies (iDefense, 3COM) buy exploits
  for gt 10k.
• Spyware or Adware install will bring approx. 1
  per user.
• 0-day
• Millions of Vulnerable Users
• Millions of for successful exploit!

44
0-day exploits are delivered to users like
anyother exploit. Most of them affect browsers
andare delivered via e-mail/web sites.

• User asked to click on enticing link to malware
  hosting site.
• Exploit deposited on trusted site which allows
  user uploads (ebay images, web forum).
• Spear Phishing used to target particular users
  or groups.
• Takes advantage of the fact that Outlook and
  Outlook Express use IE to render HTML e-mail

45
Vendors have a hard time responding to
0-dayexploits.

• Patch release is not designed to be fast, but
  designed to cause minimal disruption (to user and
  vendor image).
• Traditionally, pre-patch vulnerability
  information was limited to reduce information
  available to malware writers
• This no longer applies if the malware is already
  out and spreading.
• Enter groups like ZERT

46
Packers allow for rapid mutation of
existingmalware, making it very hard for AV
products to keep up.

• Zotob Every 4 hrs a new version.
• New Version Old code repacked.
• No need to write new malware.

Packer
Malware
47
Packers can use different keys, debugger
traps, or they can be nested.
Packer
Malware
Debug/VM Trap
Packer 2
48
Anti Virus writers are working on defenses,
butso far the defenses fall short.

• Sandbox Still essentially pattern based and
  requires unpacking the code to analyze.
• Unpackers Packers again are easily modified
  and it is hard to keep up. Implementation can
  introduce new problems (Remember ZIP/RAR...
  vulnerabilities in AV Products)

49
Things will get worse! You haveto stay in touch
with current developments.Use the ISC as your
life line for survival.

• As you are reading this slide, everything that
  preceded it is out of date.
• A solid foundation in InfoSec basic principles
  and best practices is necessary to understand new
  threats quickly.
• Use the ISC to stay in touch.

50
The Internet Storm Center is a collaborativeinfor
mation sharing communityCome to collaborate and
share!

• Send us your logs
• http//www.dshield.org/howto.php
• Send us your observations
• http//isc.sans.org/contact.php
• handlers_at_sans.org
• Send us your malware
• http//isc.sans.org/contact.php
• http//isc.sans.org/seccheck

51
Geeks in Vegas
52
Questions??
53
Handlers form a biker gang
54
Now it's your turn to ask questions!
Thanks!
http//isc.sans.org/contact.php http//www.dshiel
d.org/howto.php http//handlers.sans.org/jclausin
g