Operation Aurora and beyond

Posted 12-Sep-2021

TRANSCRIPT

Page 1: Operation Aurora and beyond

Operation Aurora and beyond
How to avoid that this happens to your organisation
Raimund Genes, CTO

Copyright 2010 Trend Micro Inc.

Page 3: Operation Aurora and beyond

What was Operation Aurora?

Industrial Espionage,

Nothing new!


Page 4: Operation Aurora and beyond

What was new is that Google disclosed it, on January 12th.

Jan/13


Page 5: Operation Aurora and beyond

Jan/15

Attack named as Aurora


Page 6: Operation Aurora and beyond

JS Source code of Aurora


Page 7: Operation Aurora and beyond

Definition of the threat

• APT: Advanced Persistent Threats

• non-APT hackers - financial data, sensitive customer data

• APT attackers - espionage
  http://www.wired.com/threatlevel/2010/02/apt-hacks/


Page 8: Operation Aurora and beyond

Why is it called Aurora?

• Named after a path string found in the VNC-type backdoor


Page 9: Operation Aurora and beyond

Attack Playback

Step 1: Malicious Link
Step 2: Heap Spray
Step 3: IE exploit
Step 4: Shell code
Step 5: Download
Step 6: Malicious File
Step 7: Steal Information

Page 10: Operation Aurora and beyond

What Vulnerabilities have been used

• Operation Aurora
  • Microsoft Security Advisory (979352) - Vulnerability in Internet Explorer Could Allow Remote Code Execution
  • CVE-2010-0249 - HTML Object Memory Corruption Vulnerability


Page 11: Operation Aurora and beyond

Aurora JS Code: Heap Spraying

1. Prepare for object overwrite
2. Build Img object
3. Free img
4. Overwrite object
5. Call to shell code

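The attack playback (Steps 1-4) and the slide above show the stages of the exploit (spray the heap, build an img object, free it, overwrite it, jump to shellcode) but not the code itself. As an added example, not taken from the slides or from the Aurora sample, here is a Python heuristic that flags the heap-spray half of that pattern in JavaScript source: a %u-escaped literal made of one repeated word that serves both as a pointer and as a harmless instruction, the loop that grows the sled by doubling, and the array fill that carpets the heap. The two JavaScript snippets are constructed for the illustration, and the regexes, word list and thresholds are assumptions, not a signature from any product.

```python
import re

# Heuristic indicators of a heap-spray loader in JavaScript source.
# Added example, not Trend Micro code; regexes and thresholds are assumptions.

# unescape("%uXXXX%uXXXX...") literals: sleds and encoded shellcode share this form
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']((?:%u[0-9a-fA-F]{4})+)["\']\s*\)')
# `while (x.length < N) x += x;`  grows the sled by doubling until it is huge
DOUBLING_RE = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1')
# `arr[i] = sled.substring(0, SIZE - sc.length) + sc;` inside a for loop
FILL_RE = re.compile(
    r'for\s*\([^)]*\)\s*\{?[^}]*?\[\s*\w+\s*\]\s*=\s*\w+\.substring\([^)]*\)\s*\+\s*\w+',
    re.S)
# Words that are both a plausible heap address and a benign x86 instruction
SPRAY_WORDS = {"0c0c", "0a0a", "0d0d", "0b0b", "9090"}
MIN_BLOB_WORDS = 8   # a %u string this long is more likely shellcode than text


def unescape_words(literal):
    """Split a %u-escaped literal into its 16-bit words (lower-case hex)."""
    return [w.lower() for w in re.findall(r'%u([0-9a-fA-F]{4})', literal)]


def analyze_js(source):
    """Return (score, indicators) where score is the number of indicators hit."""
    indicators = {}
    for m in UNESCAPE_RE.finditer(source):
        words = unescape_words(m.group(1))
        if len(set(words)) == 1 and words[0] in SPRAY_WORDS:
            indicators["nop_sled_literal"] = words[0]
        if len(words) >= MIN_BLOB_WORDS:
            indicators["encoded_blob_words"] = len(words)
    dm = DOUBLING_RE.search(source)
    if dm:
        indicators["sled_doubling_to"] = int(dm.group(2), 0)
    if FILL_RE.search(source):
        indicators["array_fill_with_sled"] = True
    return len(indicators), indicators


# Constructed sample in the shape of a 2010-era spray loader (not the Aurora code).
SPRAY_SAMPLE = r'''
var sc = unescape("%u9090%u9090%u31c0%u50eb%u5e31%u8b46%u1c8b%u0804%u8b5e%u5ec3");
var sled = unescape("%u0c0c%u0c0c");
while (sled.length < 0x100000) sled += sled;
var blocks = new Array();
for (var i = 0; i < 200; i++) {
  blocks[i] = sled.substring(0, 0x80000 - sc.length) + sc;
}
'''

# Constructed benign sample: unescape for accented text, ordinary loops.
BENIGN_SAMPLE = r'''
var title = unescape("%u00e9%u00e8");
var items = [];
for (var i = 0; i < 10; i++) { items[i] = "row " + i; }
while (items.length < 12) items.push("pad");
'''

if __name__ == "__main__":
    for name, src in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_js(src))
```

A score of two or more from independent indicators is what makes this useful as a gateway or web-reputation pre-filter: any one of them appears in legitimate pages, but the sled literal, the doubling loop and the array fill rarely occur together outside an exploit.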

Page 12: Operation Aurora and beyond

Aurora exploit: Malicious File

• Drop dlls
• Write registry entry
• Inject dropped dlls to some process
• Collect personal info and send out
• Create thread for remote access

(APT attacker)
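The slide lists what the dropped file does on the host: drop DLLs, write a registry entry, inject the DLLs into another process, collect and send data, and open a thread for remote access. Each of those steps alone is noisy on a real estate; together, from a single process, they are a strong signal. As an added example, not from the slides or any Trend Micro product, the Python below correlates those behaviours over constructed endpoint telemetry. The line format, field names, PIDs, paths, key names and addresses are invented for the illustration (203.0.113.10 and 198.51.100.7 are documentation addresses), and the threshold of three behaviours is an assumption.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (hypothetical format, not any vendor's):
# "<ts> key=value key=value ...", one event per line. PIDs, paths and
# addresses are invented for the example.
EVENTS = r"""
1001 pid=4120 image=C:\Users\darren\AppData\Local\Temp\update.exe event=FileCreate path=C:\Users\darren\AppData\Local\Temp\helper.dll
1002 pid=4120 image=C:\Users\darren\AppData\Local\Temp\update.exe event=RegSetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater value=rundll32.exe,helper.dll
1003 pid=4120 image=C:\Users\darren\AppData\Local\Temp\update.exe event=CreateRemoteThread target_pid=512 target_image=svchost.exe
1004 pid=512 image=svchost.exe event=NetConnect dst=203.0.113.10:443
1005 pid=2200 image=C:\Office\WINWORD.EXE event=FileCreate path=C:\Users\darren\Documents\report.docx
1006 pid=2200 image=C:\Office\WINWORD.EXE event=NetConnect dst=198.51.100.7:443
"""

KV_RE = re.compile(r'(\w+)=(\S+)')
RUN_KEY = "\\currentversion\\run\\"   # autostart location used for persistence


def parse_event(line):
    """Parse '<ts> k=v k=v ...' into a dict with integer ts and pid."""
    ts, rest = line.split(maxsplit=1)
    ev = dict(KV_RE.findall(rest))
    ev["ts"], ev["pid"] = int(ts), int(ev["pid"])
    return ev


def correlate(telemetry):
    """Map each pid to the set of slide-listed behaviours it exhibited."""
    stages = defaultdict(set)
    injected_into = {}   # target pid -> pid that injected a thread into it
    for raw in telemetry.strip().splitlines():
        ev = parse_event(raw)
        pid, kind = ev["pid"], ev["event"]
        if kind == "FileCreate" and ev.get("path", "").lower().endswith(".dll"):
            stages[pid].add("drop_dll")
        elif kind == "RegSetValue" and RUN_KEY in ev.get("key", "").lower():
            stages[pid].add("persist_run_key")
        elif kind == "CreateRemoteThread":
            stages[pid].add("inject_thread")
            injected_into[int(ev["target_pid"])] = pid
        elif kind == "NetConnect":
            # Outbound traffic from a process that was injected into is
            # attributed to the injector: that is how the stolen data leaves.
            injector = injected_into.get(pid)
            if injector is not None:
                stages[injector].add("beacon_via_injected")
    return dict(stages)


def flag(stages, threshold=3):
    """PIDs showing at least `threshold` distinct behaviours, sorted."""
    return sorted(pid for pid, seen in stages.items() if len(seen) >= threshold)


if __name__ == "__main__":
    seen = correlate(EVENTS)
    for pid in flag(seen):
        print(f"pid {pid}: {sorted(seen[pid])}")
```

The point of attributing the svchost.exe connection back to pid 4120 is that a per-process view misses the whole chain: the dropper itself never talks to the network, and the injected host process looks legitimate on its own.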

Page 13: Operation Aurora and beyond

How to craft an attack?Get public information! The web knows you!


Pages 14-16: Operation Aurora and beyond

How to craft an attack? Get public information! The web knows you! (the same title is repeated on each of these three slides)

Page 17: Operation Aurora and beyond

And then an E-Mail with a spoofed sender

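The spoofed sender is the first link in the chain on this slide and the next: the public information gathered on the previous slides makes the mail plausible, and the forged From header makes it look internal. As an added example, not from the slides, here is a Python check of the headers a mail gateway sees before a user like Darren does: the From domain against Return-Path and Reply-To, the SPF verdict recorded in Authentication-Results, and whether the sending domain is a look-alike of the organisation's own. The two messages, the trusted domain example.com and the homoglyph table are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Added example, not Trend Micro code. Trusted domain and messages are constructed.
INTERNAL_DOMAINS = {"example.com"}
# Digits commonly substituted for letters in look-alike domains (assumed table)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance, used to catch one-character domain look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates, or None."""
    folded = domain.lower().translate(HOMOGLYPHS)
    for t in trusted:
        if domain.lower() != t and levenshtein(folded, t) <= 1:
            return t
    return None


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def check_sender(raw, trusted=INTERNAL_DOMAINS):
    """Return the list of sender-spoofing findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append("return_path_mismatch")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("spf_fail")
    target = lookalike_of(from_dom, trusted)
    if target:
        findings.append(f"lookalike_domain:{target}")
    return findings


# Constructed spoof: colleague's name, look-alike domain, disagreeing envelope.
SPOOFED_MSG = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net
From: "Alice Chen (Finance)" <alice.chen@examp1e.com>
Reply-To: alice.chen.finance@example.org
To: darren@example.com
Subject: Updated org chart - please review

Darren, see attached.
"""

# Constructed legitimate mail from the same colleague.
CLEAN_MSG = """\
Return-Path: <alice.chen@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: Alice Chen <alice.chen@example.com>
To: darren@example.com
Subject: Org chart

Hi Darren.
"""

if __name__ == "__main__":
    print("spoofed:", check_sender(SPOOFED_MSG))
    print("clean:", check_sender(CLEAN_MSG))
```

None of these checks needs the attachment: the decision can be made, or at least the message tagged for the user, before Darren ever sees it. The SPF result is trusted here only because the gateway itself wrote the Authentication-Results header; on a message arriving from outside, that header must be stripped and re-evaluated, not believed.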

Page 18: Operation Aurora and beyond

And if Darren clicks on the attachment...


Page 19: Operation Aurora and beyond

Threat Predictions 2010

1. No global outbreaks, but localized and targeted attacks
2. It's all about money, so cybercrime will not go away
3. Windows 7 will have an impact since it is less secure than Vista in the default configuration
4. Risk mitigation is not as viable an option anymore, even with alternative browsers/alternative operating systems (OSs)
5. Malware is changing its shape, every few hours
6. Drive-by infections are the norm: one web visit is enough to get infected
7. New attack vectors will arise for virtualized/cloud environments
8. Bots can't be stopped anymore and will be around forever
9. Company/social networks will continue to be shaken by data breaches
10. Digital terrorism: attacks on SCADA networks?

Page 20: Operation Aurora and beyond

Increase in Malware


Page 21: Operation Aurora and beyond

No script kiddies and amateurs anymore: professional malware writers who know how to play with the AV industry.


Page 22: Operation Aurora and beyond

A new malware component is released every 1.5 seconds!


Page 23: Operation Aurora and beyond

URLs instead of Attachments!

Waledac Malware


Page 24: Operation Aurora and beyond

Infiltrated Websites!


Page 25: Operation Aurora and beyond

Social Networks as an Attack Vector (11/08/2009)


Page 26: Operation Aurora and beyond

Is it Spam, is it an Attack Vector, is it Social Engineering?


Page 27: Operation Aurora and beyond

Today's Infection Chain

Diagram (recovered labels):
Actors: Malware Writer; Criminals; Bot Herder
Infection Vector: Web Drive-By; Email Spam; Port Scan / Vulnerabilities
Host Infection: Downloader; Spyware/Trojan; Bot; fool the AV; wait for instructions; get updates from Command & Control
Host Management: Command & Controller; Botnet (over HTTP, IRC, DNS)
Recruitment / Activities: Spam & Phishing; Adware/Clickware; Distributed Denial of Service; Data Leakage

Page 28: Operation Aurora and beyond

How to avoid that this happens to your organisation


Page 29: Operation Aurora and beyond

Pattern matching is baseline... and the bad guys know this...

So should we move to IPS and HIPS?


Page 30: Operation Aurora and beyond

Because traditional Endpoint Security can't keep up anymore

Signature file updates take too long
• Delay protection across all clients and servers
• Leave a critical security gap
• Require multiple updates a day to keep up with threats, complicating signature management

Signature files are becoming too big
• Increase endpoint memory footprint
• Increase impact on endpoint performance
• Increase bandwidth utilization
• Unpredictable increase of client size

Chart: Unique threat samples PER HOUR, 2007-2015 (values shown, in order: 57; 205; 799; 1,484; 2,397; 3,881; 6,279; 10,160; 16,438; 26,598)

Page 31: Operation Aurora and beyond

We need a layered approach, and we need a holistic view for IT Security!

And pattern matching is still needed to properly identify malware and to clean up the damage.


Page 32: Operation Aurora and beyond

The Electric Grid - Today

Diagram: Power Station -> National Transport connection -> Transport System -> Local connection

User Advantages
1. No need for large investment
2. On Demand Instant Access
3. Pay as you go


Page 33: Operation Aurora and beyond

A Distributed Electric Grid / Trend Micro today

Diagram: Different Power Stations and Solar Panels -> International Transport connection -> Transport System -> Local connection


Page 34: Operation Aurora and beyond

Could we patch fast enough?

Or do we need vulnerability shielding, accepting that patch management is tough?


Page 35: Operation Aurora and beyond

No matter what we do, Smart Protection Network is the key component!

Diagram: Smart Protection Network (In-the-Cloud platform)
• Inputs: File; Web / URL; Email; Domain; IP; Behavior
• Reputation services: File Reputation; Web Reputation; Email Reputation
• Correlation; Threat Analytics; Threat Info
• Community Intelligence (Feedback loop); Incident Trigger; Validation; Monitor
• Customer Solution; Professional Services

Page 36: Operation Aurora and beyond

We at Trend Micro are not worried about cybercriminals and their ways to make money, because we have prepared ourselves for this!

• 2005: Email Reputation Services
• 2006: Web Reputation Services
• 2008: File Reputation Services


Page 37: Operation Aurora and beyond

So why are we so different? Why do we protect well against real-life malware?

ERS (Email Reputation Services) load = 295 GB per day; WRS (Web Reputation Services) load = 1305 GB per day; FRS (File Reputation Services) load = 334 GB per day


Page 38: Operation Aurora and beyond


Page 39: Operation Aurora and beyond

Smart Protection Network Key benefits

• Threats are blocked before they can infiltrate the network or computer
• Patent-pending correlation technology analyzes all threat vectors: email, web, file
• Blocks threats at their source, the Internet
• We own all the technology
• Protects you wherever you connect: at work, at home or on the road
• Available in all solutions: Consumer, SMB, Enterprise, Partner, SaaS
• Powers our SaaS, Gateway, Messaging, Endpoint, Mobile & Partner solutions
• Reduces the need for local signatures
• Immediate protection
• Local Scan Server improves time to protect
• Trend Micro manages updates
• Reduces complexity

Page 40: Operation Aurora and beyond

Threat Management Solution Assessment

• 100% of companies had malware
• 56% of companies had at least 1 information-stealing malware
• 72% of companies had at least 1 IRC bot
• 80% of companies had malicious Web downloads
• 30% of companies had at least 1 network worm
• Technology used to detect threats
  – 99% using Smart Protection Network
  – 1% using traditional scanning engines