Open Malicious Source Symantec Security Response Kaoru Hayashi
Agenda • What is Open Malicious Source • Characteristics • Protection • Conclusion
What is Open Malicious Source • Source code with the qualities of Open Source software: • Free redistribution • Ready access to source code • Modifiable by anyone • Designed for evolution • But written and shared for malicious purposes
For example… • Beagle, Mydoom, Netsky and Sasser: not open malicious source • Created by a single author, a closed group, or individuals who could obtain the source code • Gaobot, Randex and Spybot: open malicious source • Source code is distributed widely • Updated / released by many different people
Is this topic new? • NO, but … • Programs developed from open malicious source are on the rise • Impact is intensifying
Characteristics • Easy to create • Purpose-oriented • Difficult to recognize
Characteristics: Easy to create • Easy to obtain from the Internet • Whole project files • New code, samples, or tools • Free compilers • No special knowledge, tool, or code required • A wide range of people are creating their own bots
Case: Spybot • W32.Spybot.A • Discovered on 2003/04/16 • Backdoor layer, based on the backdoor "Sdbot" • Supports 22 commands including: • Key logging • Killing processes • Stealing cached passwords • DoS attacks • Worm layer • Copies itself to C$, ADMIN$, and IPC$ shares • Dictionary attack (17 keywords) • 123456, admin, root, server…. • Schedules a job on the remote computer to run the worm (Layer diagram: Backdoor, Worm)
Case: Spybot • W32.Spybot.DNC • Discovered on 2004/09/13 as the 3071st variant • Backdoor layer • Supports over 90 commands including: • Upload / download / execute files • Run as HTTP server / SOCKS4 proxy • Steal 42 game CD-KEYs • Access CMD.exe • Sniff packets • Access Web camera (Layer diagram: Additional Code, Backdoor, Worm)
Case: Spybot • W32.Spybot.DNC (continued) • Worm layer • Dictionary attack (139 keywords per password) • Spreads through backdoors left by other worms or Trojans: Beagle, Mydoom, Optix, Sub7, NetDevil (Layer diagram: Additional Code, Backdoor, Worm)
Case: Spybot • W32.Spybot.DNC (continued) • Vulnerability attack layer • MS01-059 (UPnP) • MS02-061 (SQL Server) • MS03-007 (WebDAV) • MS03-026 (DCOM RPC) • MS03-049 (Workstation service) • MS04-011 (LSASS) • Polymorphic / packer layer • Packed with a runtime packer (Layer diagram: Polymorphic / Packer, Vulnerability Attack, Additional Code, Backdoor, Worm)
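A detection check for the share password-guessing described on the Spybot slides above (the dictionary attack against C$, ADMIN$ and IPC$ followed by a scheduled job on the victim), added here as an example; it is not code from the slides or from Symantec. It reads a constructed, simplified logon-audit format (ISO timestamp, source IP, target host, account, FAILURE or SUCCESS); the sample records, the 10.0.0.x addresses, the host names and the thresholds are assumptions for illustration.

```python
"""Detect the share password-guessing that Spybot, Randex and Gaobot use.

Added example for this deck, not code from the slides or from Symantec.
The log format is a constructed, simplified logon-audit record:
    <ISO timestamp> <source IP> <target host> <account> <FAILURE|SUCCESS>
Map your own audit records (e.g. failed / successful network logons
collected centrally) onto that shape before feeding them in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that the bots' small dictionaries try first (from the slides).
ADMIN_ACCOUNTS = {"administrator", "admin", "root"}

# Constructed sample: 10.0.0.5 walks a short dictionary against the
# Administrator account on three hosts and finally gets in on WS-ACCT;
# 10.0.0.9 is a user who mistypes a password twice and then logs in.
SAMPLE_LOG = """\
2004-09-13T10:00:01 10.0.0.5 FILESRV1 administrator FAILURE
2004-09-13T10:00:02 10.0.0.5 FILESRV1 administrator FAILURE
2004-09-13T10:00:03 10.0.0.5 FILESRV2 administrator FAILURE
2004-09-13T10:00:04 10.0.0.5 FILESRV2 administrator FAILURE
2004-09-13T10:00:05 10.0.0.9 FILESRV1 jsmith FAILURE
2004-09-13T10:00:06 10.0.0.5 WS-ACCT administrator FAILURE
2004-09-13T10:00:07 10.0.0.5 WS-ACCT administrator FAILURE
2004-09-13T10:00:08 10.0.0.5 WS-ACCT administrator SUCCESS
2004-09-13T10:00:20 10.0.0.9 FILESRV1 jsmith FAILURE
2004-09-13T10:00:31 10.0.0.9 FILESRV1 jsmith SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, account, result = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "account": account.lower(),
            "ok": result.upper() == "SUCCESS",
        })
    return records


def detect_guessing(records, window=timedelta(minutes=10), min_failures=5):
    """One alert per source that produced >= min_failures failed logons inside
    any window-long span. A success from that source after the threshold was
    crossed escalates the alert to "likely compromise": that is the moment a
    Spybot-style worm copies itself to ADMIN$ and schedules a job to run."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)

    alerts = []
    for src, recs in by_src.items():
        recent = []            # timestamps of failures inside the sliding window
        guessing = False       # threshold crossed at least once for this source
        total_failures = 0
        targets, accounts = set(), set()
        success_after = None   # (host, account) of first success after the spray
        for r in recs:
            if r["ok"]:
                if guessing and success_after is None:
                    success_after = (r["dst"], r["account"])
                continue
            total_failures += 1
            targets.add(r["dst"])
            accounts.add(r["account"])
            recent.append(r["ts"])
            while recent and r["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) >= min_failures:
                guessing = True
        if guessing:
            alerts.append({
                "src": src,
                "failures": total_failures,
                "targets": targets,
                "accounts": accounts,
                "admin_targeted": bool(accounts & ADMIN_ACCOUNTS),
                "success": success_after,
                "severity": "likely compromise" if success_after else "password guessing",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Grouping by source rather than by target host is deliberate: a single bot walking its dictionary across many machines produces only a few failures per victim, so a per-host threshold never fires. The default ten-minute window suits the bursty share-walking in the sample; for the slow, limited propagation the deck warns about later, widen the window to hours and keep the per-source grouping.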
Case: Randex and Gaobot • W32.Randex (discovered on 2003/06/04) • Initial layers: Worm • Over 1600 variants; now layered as Polymorphic / Packer, Vulnerability Attack, Backdoor, Worm • W32.Gaobot (discovered on 2002/10/22) • Initial layers: Backdoor, Worm • Over 1600 variants; now layered as Polymorphic / Packer, Vulnerability Attack, Backdoor, Worm
Case: Randex, Gaobot and Spybot • Now they look very similar (layer diagram for all three: Polymorphic / Packer, Vulnerability Attack, Backdoor, Worm) • Backdoor layer usually based on "Sdbot" • Same code / concepts implemented in each layer • Further similar worms / backdoors exist, e.g., Kwbot, IRCBot
Characteristics: Easy to create • By a lot of people • May: Randex author arrested in Canada • May: Gaobot author arrested in Germany • June, July, August: new variants still created
Characteristics: Purpose • Not only for fun: propagation, proof of concept • For profit: information theft, system control, DDoS zombies, financial gain
Characteristics: Purpose • W32.Netsky.P@mm • Propagation: mass mailing; P2P or shared networks • Payload: removes Beagle, Mydoom, Deadhat, and Welchia worms • W32.Gaobot.BIA • Propagation: dictionary attack; vulnerability attack • Payload: logs keystrokes, sniffs packets, steals CD-KEYs, steals cached passwords, obtains system / network information, gains full system control, SOCKS proxy, DDoS attack, and more….
Characteristics: Difficult to recognize • Slow and limited propagation • Differs from mass mailers, Blaster, and Code Red • Little public interest • Automatic copy / execution on remote computers, by using a scheduler or by exploiting vulnerabilities • Many new variants released over a short time period • Over 600 variants a month • New variants are target-specific • You may be the only one infected, worldwide.
How to stop • Stopping the development of new threats is almost impossible • Source code is distributed widely • Authors are located around the globe • New code, samples, and tools are released every day
How to protect • Anti-virus tools • Definitions, heuristics, behavior blocking …. • Firewall • IDS • Patch management • Password management • Security policy • Learning, studying, educating … • Nothing new, nothing special. But we know that maintaining all of it is not easy.
Conclusion • Malicious source code is distributed widely • A lot of people are creating their own bots • Sharing source code results in more powerful threats • Main purpose is profit • No magic trick for secure protection
Thank You! Kaoru Hayashi kaoru_hayashi@Symantec.com