
Internet Attack Trend and Defense
SC Leung
Senior Consultant
Agenda

• Trend of the information security threat
• How we become victims …
• Most economical way to mitigate risks
Security Threat Landscape
Attacks targeting at Our Vulnerabilities

System and Applications:
• Insecure configuration defaults: AutoRuns in USB, CDROM …
• All software have security holes
  – Opportunity window between discovery of a security hole and availability of a patch

H:
• People can be cheated
  – “Social Engineering” techniques
  – How can you gain trust from others == How can a hacker gain trust from you
New Phishing Tactic Targets Tabs

• http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ (Proof of concept included)
• http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
Botnet (roBot Network) is the major threat

[Diagram: Bot Herder → Command & Control Centre (C&C) → Bots (“Your computers!”: bot, bot, bot) → attacks → victims]
Maturity of the Underground Economy
(increasing sophistication →)

Commercialization:
• Sell products (credentials, malware and tools)
• Hosting – spam or phishing hosting
• CaaS (cybercrime as a service) – hired gun

Professionalization:
• Manageability of infrastructure: botnets
• Specialization, outsourcing, and globalization of HR
• Chained exploits

Risk Management:
• Invisibility
• Security
  – authentication, encryption
• Survivability
  – e.g. Conficker
Malware 2.0

Evade Detection | Command & Control
• Propagation
• Forming a botnet
• Manage
• Update
• Survive the adverse

Malware today causes the victim PC to become part of a botnet.
Malware 2.0

• Encryption or obfuscation
• Morphing
• Uses search engine to evade detection
  – Malware URL visible only when referred by search engine
  – Done by configuring “.htaccess” file of web server

[Figure: sample content of “.htaccess” file under hacker’s control]
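As an added example (not from the original slides), a small Python audit that a web administrator could run over the .htaccess files in their own document root to flag the referer-cloaking pattern described above: a RewriteCond on HTTP_REFERER that matches search-engine hosts, followed by a RewriteRule that sends the visitor to an external site. The sample .htaccess content, the site host name and the search-engine name list are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical values for the example: the defender's own host name and the
# search-engine name fragments whose presence in a referer condition is suspicious.
OWN_HOST = "www.example.org"
SEARCH_ENGINE_HINTS = ("google", "yahoo", "bing", "msn")


@dataclass
class Finding:
    line_no: int      # line of the RewriteRule that completes the cloaking block
    conditions: list  # the RewriteCond lines that gate it on the referer
    rule: str         # the RewriteRule line itself


def _is_external(target: str, own_host: str) -> bool:
    """True when a RewriteRule target leaves the site (absolute URL to another host)."""
    return bool(re.match(r"https?://", target, re.I)) and own_host.lower() not in target.lower()


def audit_htaccess(text: str, own_host: str = OWN_HOST) -> list:
    """Return one Finding per RewriteRule whose preceding RewriteCond lines key on a
    search-engine referer and whose target is an external URL.  In mod_rewrite a
    RewriteCond applies only to the next RewriteRule, so conditions are collected
    and reset at each rule."""
    findings = []
    pending = []  # (line_no, line) of RewriteCond directives not yet consumed by a rule
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append((line_no, line))
            continue
        if directive == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            referer_conds = [
                cond for _, cond in pending
                if "%{HTTP_REFERER}" in cond.upper()
                and any(hint in cond.lower() for hint in SEARCH_ENGINE_HINTS)
            ]
            if referer_conds and _is_external(target, own_host):
                findings.append(Finding(line_no, referer_conds, line))
            pending = []  # conditions are consumed whether or not the rule was flagged
    return findings


# Constructed sample .htaccess for the example; the second block shows the cloaking
# shape (search-engine referer -> redirect off-site) the slide describes.
SAMPLE_HTACCESS = """\
# legitimate redirect of a moved directory
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://www\\.example\\.org [NC]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule .* http://malware.invalid/landing [R,L]
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {f.line_no}: {f.rule}")
        for c in f.conditions:
            print(f"    gated by: {c}")
```

The check is deliberately narrow (referer condition plus off-site target) so that ordinary referer-based hotlink protection, which rewrites to a local resource, is not reported; a hit is a prompt to compare the file against the last known-good copy, not proof of compromise on its own.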
Malware Propagation channels

[Diagram: Document, Executables, Website → Malware]
Malware Propagation channels – Executables

• Fake security software
• Fake video player codec
Malware Propagation channels – Document

• Embedded malware in PDF or Office files
• Zeus botnet served PDF malware (Apr 2010)

Image by Websense
Malware Propagation channels – Website

• Legitimate and trusted websites compromised
• Used to redirect user to malicious websites (via injected invisible iframes)
• Most significant
• Web admin incapable to detect and mitigate the risks
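An added example, not part of the original presentation, of the kind of check a web administrator could run over their own pages to find the injected invisible iframes mentioned above. It flags an iframe when it is sized to zero or one pixel, hidden by CSS, positioned off-screen, or loads from a host outside a site-specific allowlist. The HTML fixture and the allowlist (only www.youtube.com) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this site legitimately embeds; site-specific.
TRUSTED_EMBED_HOSTS = {"www.youtube.com"}


def _parse_style(style):
    """Turn 'display:none; width:0px' into {'display': 'none', 'width': '0px'}."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def _tiny(value):
    """True for dimensions such as 0, 1, '0px', '1px' that render a frame invisible."""
    if value is None:
        return False
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    return digits != "" and int(digits) <= 1


class IframeAuditor(HTMLParser):
    """Collects one finding per <iframe> that looks hidden or points off-site."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lower-cases tag names for us
            return
        a = dict(attrs)
        style = _parse_style(a.get("style"))
        reasons = []
        if any(_tiny(v) for v in (a.get("width"), a.get("height"),
                                  style.get("width"), style.get("height"))):
            reasons.append("zero-size frame")
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            reasons.append("hidden by CSS")
        if style.get("left", "").startswith("-") or style.get("top", "").startswith("-"):
            reasons.append("positioned off-screen")
        src = a.get("src") or ""
        host = urlparse(src).hostname  # None for relative URLs, which stay local
        if host and host not in self.trusted_hosts:
            reasons.append(f"untrusted source host {host}")
        if reasons:
            line, _col = self.getpos()
            self.findings.append({"line": line, "src": src, "reasons": reasons})


def scan_html(html, trusted_hosts=TRUSTED_EMBED_HOSTS):
    """Return a list of {'line', 'src', 'reasons'} dicts, one per suspicious iframe."""
    auditor = IframeAuditor(trusted_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: a normal video embed followed by an injected hidden frame.
SAMPLE_HTML = """\
<html><body>
<h1>Company news</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<p>Contact us for details.</p>
<iframe src="http://injected.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(f"line {hit['line']}: {hit['src']} -> {', '.join(hit['reasons'])}")
```

Run over a crawled copy of the site, this gives the administrator a list of places to inspect; zero-size frames are also used by legitimate analytics and tracking pixels, so the allowlist is what keeps the output short enough to review after each deployment.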
Malware Propagation via websites

• Mass infection of WordPress blogs hosted by Network Solutions (Apr 2010)
  – Use insecure web application configuration
PHPNuke.org web site hacked in May 2010

• PHPNuke.org web site hacked (7 May 2010)
  – Serving several exploits
Malware Propagation Channels – Social Engineering & Black Hat SEO

• Hackers exploit Social Network Services to convince victims
• Hacker uses Search Engine Optimization techniques to escalate malicious website ranking in search results
Targeted Attacks

• Targeted, crafted email to corporations and government
Attacks Following Money

Phishing:
• Targeting traditional online banking, online game
• Obtaining credential for later use or for sale
• via keyloggers

Banking Trojans:
• Targeting new online banking services, esp. two factor authentication
• Performing transaction on the spot
• via advanced banking trojans, using involved man-in-the-browser techniques
Data Leakage

P2P File Sharing:
• Insecure default settings
• Malware embedded in P2P software
  – e.g. Foxy software

Social Networking Services:
• Insecure default privacy settings
• Leak out of personal information by friends
• Lack of control of 3rd party apps on SNS
• Malware on SNS
Social network

[Diagram: Id Theft, Social Engineering, Data Leakage]
Client Side attacks via Social Network Sites

• Surge in Facebook Malware
• TRUST:
  – Use social engineering trick, spoofing user’s friend and sending a message with a URL purporting to be a movie
  – URL brings user to a fake YouTube site
Client Side attacks via Social Network Sites

• Suggesting to install a codec in order to view the movie

[Screenshot: “Install the codec to view the movie”]
Submitting the malware to VirusTotal.com

• Only a small portion of scanners can identify the malware

Redirection of attacks to central exploit server

• Malicious servers redirect victims to the Exploit Server which serves as a central delivery

Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm
Mobile Computing

• Store personal & sensitive data
• Some banks (UK Lloyds TSB) start to use as the client tool
• NextGen data/voice integration
• Insecure habits
  – Short URLs are common
  – Clicking links in email is common
  – Saved passwords are common
• Security protection less mature than in PC

• Attacks exist for different mobile platforms
• 2009-11 attack on jailbroken iPhones’ SSH backdoor
• MobileSpy logs GPS location, call logs, sms log. Versions available for Android, Blackberry, iPhone, Windows Mobile, Symbian
Targeted Attack continues

• Chained exploit
• Advanced Persistent Threats
  – Governments, critical infrastructure, private companies
Consequence of Attack
Consequences of Security Exposure

• Machines fall under control of hackers
• Theft of credentials → financial loss
• Hacker launches local attacks on the whole network
• Bandwidth and performance downgrade
• Legal liability → liable for hacking activities within your premises
Mitigation Strategies Revisited
What do we do?

International Collaboration
– Good example of Conficker Working Group

Cyber Drill Exercise

Proactive Discovery of Incidents
– finding compromised web sites and malware hosting

Intelligence and Research
– collecting information on hacker behaviour
Awareness Education and Training

Public:
• Awareness
  – Social Engineering
  – Emerging attacks like SNS, mobile
  – Cyber Response Drill
• Social Engineering Drill Exercise
• Publish Guidelines

ISPs:
• Training of staff
• Local cyber response drills
  – some teams do hold it annually
• Form ISAC (Information Sharing and Advisory Centre)
Proactivity in Incident Handling in HKCERT
Incident Reports Statistics (Apr-3 to Sep-30 2009)

• Traditional report vs Proactive Discovery (search incidents that are not reported)
  – Traditional report: 493 (60%); Proactive Discovery: 330 (40%)
• Among Traditional reports (493 cases)
  – Direct Phone in: 244 (49.5%), Referral: 170 (34.5%), Direct Email: 79 (16%)
  – Report by Local parties: 329 (67%), Report by Overseas parties: 164 (33%)
• Conclusion:
  – Proactive Discovery is becoming a key source of incident reports
  – Overseas and referral reports have a significant portion.
  – We are aware more resources are required for handling external communication and development of automated searching capability
What can you do – infrastructure?

Personal:
• Install Antivirus
• Install Personal Firewall
• Close all security holes
  – Patch systems
• Set Strong Password
• Close Insecure default settings: Autorun, …

Company:
• Install Antivirus
• Install Firewall. Block all incoming traffic except known services
• Separate SAMS, ITED and public servers in zones
• Set up Security Policy
  – Ban unauthorized servers in your network
HKCERT Guidelines

• "Autorun virus" Removal Procedure
• SQL Injection Defense Guideline
• Data Protection Guideline
• Guideline for Safety Using Wireless LAN
• SME Information Security Guideline
• Guideline for Prevention of Spyware and other Potentially Unwanted Software

• http://www.hkcert.org/english/sguide_faq/home.html
Point of Contact

• Phone : +852 8105 6060
• Fax : +852 8105 9760
• Email : hkcert@hkcert.org
• URL : http://www.hkcert.org/
