Open Malicious Source Symantec Security Response Kaoru Hayashi


Page 1: Open Malicious Source Symantec Security Response Kaoru Hayashi

Open Malicious Source

Symantec Security Response
Kaoru Hayashi

Page 2

Agenda

What is Open Malicious Source

Characteristics

Protection

Conclusion

Page 3

What is Open Malicious Source

Open Source qualities
– Free redistribution
– Ready access to source code
– Modifiable by anyone
– Designed for evolution

For malicious purposes

Page 4

For example…

Beagle, Mydoom, Netsky and Sasser
– Not open malicious source
– Created by an author, closed group, or individuals who can obtain source code

Gaobot, Randex and Spybot
– Open malicious source
– Source codes are distributed widely
– Updated / released by many

Page 5

Is this topic new?

NO, but …

Programs developed from open malicious source are on the rise

Impact is intensifying

Page 6

Chart: Number of Submissions: Worms (monthly, Jan-04 to Aug-04; y-axis 0 to 60000; series: Beagle, Mydoom, Netsky, Sasser)

Page 7

Chart: Number of Submissions: Worms from open malicious source (monthly, Jan-04 to Aug-04; y-axis 0 to 30000; series: Gaobot, Spybot, Randex)

Page 8

Chart: Number of new variants: Worms (monthly, Jan-04 to Aug-04; y-axis 0 to 30; series: Beagle, Mydoom, Netsky, Sasser)

Page 9

Chart: Number of new variants: Worms from open malicious source (monthly, Apr-03 to Aug-04; y-axis 0 to 700; series: Gaobot, Spybot, Randex)

Page 10

Characteristics

Easy to create

Purpose-oriented

Difficult to recognize

Page 11

Characteristics: Easy to create

Easy to obtain from the Internet
– Whole project files
– New codes, samples, or tools
– Free compiler

No special knowledge, tool, or code required

A wide range of people are creating their own bot

Page 12

Characteristics: Easy to create
Easy to obtain

Page 13

Characteristics: Easy to create
Sample: Spybot

Page 14

Characteristics: Easy to create
Sample: Spybot

Page 15

Case: Spybot
W32.Spybot.A

Discovered on 2003/04/16

Backdoor
– Based on backdoor “Sdbot”
– Supports 22 commands including: key logging, killing processes, stealing cached password, DoS attacks

Worm
– Copies itself to C$, ADMIN$, and IPC$ shares
– Dictionary attack (17 keywords): 123456, admin, root, server….
– Schedules a job to run

Layer diagram: Worm, Backdoor

Page 16

Case: Spybot
W32.Spybot.DNC

Discovered on 2004/09/13 as the 3071st variant

Backdoor
– Supports over 90 commands including: upload / download / execute files, run as HTTP server / SOCKS4 proxy, steal 42 game CD-KEYs, access CMD.exe, sniff packets, access Web camera

Layer diagram: Worm, Backdoor, Additional Code

Page 17

Case: Spybot
W32.Spybot.DNC

Worm
– Dictionary attack: 139 keywords per password
– Uses other worms or Trojans: Beagle, Mydoom, Optix, Sub7, NetDevil

Layer diagram: Worm, Additional Code, Backdoor, Additional Code

Page 18

Case: Spybot
W32.Spybot.DNC

Vulnerability Attack
– MS01-059 (UPnP)
– MS02-061 (SQL)
– MS03-007 (WebDAV)
– MS03-026 (DCOM RPC)
– MS03-049 (Workstation)
– MS04-011 (LSASS)

Packed with Runtime Packer

Layer diagram: Worm, Additional Code, Backdoor, Additional Code, Vulnerability Attack, Polymorphic / Packer

Page 19

Case: Randex and Gaobot

W32.Randex (discovered on 2003/06/04): Worm

W32.Gaobot (discovered on 2002/10/22): Worm, Backdoor

Layer diagram (one stack per family): Worm, Backdoor, Vulnerability Attack, Polymorphic / Packer; over 1600 variants

Page 20

Case: Randex, Gaobot and Spybot

Now they look very similar
– Backdoor layer usually based on “Sdbot”
– Same codes / concepts implemented in each layer
– Further similar worms / backdoors exist, e.g., Kwbot, IRCBot

Layer diagram (one stack per family): Worm, Backdoor, Vulnerability Attack, Polymorphic / Packer

Page 21

Characteristics: Easy to create
By a lot of people

Chart: new variants per month, Apr-03 to Aug-04 (y-axis 0 to 700; series: Gaobot, Spybot, Randex), annotated:
– May: Gaobot author arrested in Germany
– May: Randex author arrested in Canada
– June, July, August: New variants created

Page 22

Characteristics: Purpose

Not only for fun
– Propagation
– Proof of concept

For profit
– Information theft
– System control
– DDoS zombies
– Financial gain

Page 23

Characteristics: Purpose

W32.Netsky.P@mm
– Propagation: mass mailing, P2P or share networks
– Payload: removes Beagle, Mydoom, Deadhat, and Welchia worms

W32.Gaobot.BIA
– Propagation: dictionary attack, vulnerability attack
– Payload: logs keystrokes, sniffs packets, steals CD-KEYs, steals cached password, obtains system / network information, gains full system control, SOCKS proxy, DDoS attack and more….

Page 24

Characteristics: Difficult to recognize

Slow and limited propagation
– Differs from mass mailers, Blaster, and Code Red
– Little public interest

Automatic copy / execution on remote computers
– By using a scheduler or by exploiting vulnerabilities

Many new variants released over a short time period
– Over 600 variants a month

New variants are target-specific
– You may be the only infected one, worldwide.
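As an added, defender-side example (not from the presentation): detection logic for the admin-share dictionary attack described for Spybot on pages 15 and 17, which the slow, low-profile propagation above makes easy to miss. The log line format is a constructed, simplified text format (not the real Windows event layout), and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified text format (not a real Windows
# event layout): one source hammers IPC$ with failed logons and then succeeds,
# another has a single failure, which is ordinary user behaviour.
SAMPLE_LOG = "\n".join(
    f"2004-04-16T10:00:{i:02d} src=10.0.0.5 user=Administrator share=IPC$ result=FAIL"
    for i in range(12)
) + """
2004-04-16T10:00:13 src=10.0.0.5 user=Administrator share=IPC$ result=OK
2004-04-16T10:01:00 src=10.0.0.9 user=alice share=IPC$ result=FAIL"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"share=(?P<share>\S+) result=(?P<result>OK|FAIL)$")
ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}   # shares W32.Spybot.A copies itself to


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_share_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {src: {"failures": n, "followed_by_success": bool}} for each source
    with >= threshold failed admin-share logons inside any window-long span
    (threshold and window are assumed values). A success right after such a
    burst means a dictionary word matched, i.e. a compromise, not just a probe."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["share"] in ADMIN_SHARES:
            by_src[rec["src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["result"] == "FAIL"]
        start, peak, peak_end = 0, 0, None
        for end, ts in enumerate(fails):          # sliding window over failures
            while ts - fails[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_end = end - start + 1, ts
        if peak >= threshold:
            hit = any(r["result"] == "OK" and r["ts"] >= peak_end for r in recs)
            alerts[src] = {"failures": peak, "followed_by_success": hit}
    return alerts
```

On the constructed sample, 10.0.0.5 is flagged with 12 failures followed by a success, while 10.0.0.9's single failure stays below the threshold.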

Page 25

How to stop

Stopping the development of new threats is almost impossible

– Source codes are distributed widely

– Authors are located around the globe

– New codes, samples, and tools are released every day

Page 26

How to protect

Anti-virus tools
– Definitions, Heuristics, Behavior blocking ….

Firewall

IDS

Patch management

Password management

Security policy

Learning, Studying, Educating …

Nothing new, nothing special. But we know maintaining all is not easy.

Page 27

Conclusion

Malicious source is distributed widely

A lot of people are creating their own bot

Sharing source code results in more powerful threats

Main purpose is profit

No magic trick to secure protection

Page 28

Thank You!

Kaoru [email protected]