RSA Conference Europe – Cybercrime, Easy as Pie and Damn Ingenious

James Lyne, Director of Technology Strategy, Sophos

Sophos currently see more than 200,000 individual pieces of malicious code every day.

Cybercrime is becoming very professional, with easy-to-access tools:

Sites exist for testing and quality assurance of malware, e.g. www.virtest.com – this site scans your malware with multiple (44) different anti-virus products to see if it is detected.  The benefit of this service is that it uses the vendors' own AV engines and signatures.  The site carries the assurance that no results will be sent back to the vendor or shared in any way, so you can be confident that your malware will not be added to existing malware databases.

Another example is Gwapo, which has YouTube videos advertising its DDoS service.

Ransomware is also becoming common: malware that encrypts your drive(s) and requires payment to decrypt them.  Some ransomware becomes a lot more scary and malicious, with threats that illegal content such as child pornography has been encrypted on your computer and that, if you don’t pay within xx hours or days, the police will be sent details of how to decrypt it.  Ransomware can be particularly harmful and effective because it does not require administrative access: if you have access to company files, for example, they can be encrypted using only your limited access.

You can easily get access to ‘crime-packs’ containing various exploitation and attack tool kits.  Examples include Firepack, Icepack, Crimepack, Blackhole etc.  Some of these even come with CR tools built in!  Additionally, in keeping with the times, some are available as cloud-based services that you can subscribe to.  Many come with technical support contacts as well.

The tools have very simple GUI-based interfaces for creating your own malware based on existing payloads.  They are also updated very regularly with new code, and make use of polymorphism to try to evade detection.

As an example, Blackhole has features such as:

– Blacklisting / blocking to try to prevent researchers from security companies accessing the application and infected machines

  • Only hit IPs once
  • IP blacklist
  • Referrer URL blacklist
  • TOR blacklist
  • Import blacklisted ranges (e.g. from cloud services)

– Auto updating / patching

– Can target multiple client vulnerabilities simultaneously

– Java 0-days almost as soon as they were available

– AV scanning add-ins to check whether the attack is being identified by host AV systems

A few comments on adopting a more ‘offensive’ stance: this is a grey area and may be legally questionable in some jurisdictions, so you should be careful when looking at these options.  Some options, in order of escalating scale:

– Bit of poking – DNS, name servers and ‘affiliations’

– Web bug, image or alike

  • Pretty easy to legally get away with
  • Sadly, basic information only

– JavaScript / web shell, querying more information

  • Borderline, depending on your jurisdiction

– Full hog – exploitation

  • Oh, you didn’t patch Java on your system either? – use the attacker’s exploit, in this case Java, against their own Java-based site / application
  • Where they are, what they are doing.

Two steps forward… Using IPv6 as an example: many machines now have IPv6 on by default, and a simple router flood attack available on current BackTrack etc. can max out the CPU and even crash the machine.  You may not care about IPv6 yet, but if you are not disabling it or securing it you could be opening up new attack vectors in your organisation without realising it.  The message again is to understand your environment and the risks you face.
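As an added example (not from the talk or this post), here is a small defender-side audit of the IPv6 point above: it takes the text output of `sysctl net.ipv6.conf` on a Linux host, lists the interfaces that still have IPv6 enabled and accept router advertisements, and emits the sysctl lines that would stop unsolicited RA processing. The interface names and values in the sample are constructed.

```python
"""Audit which Linux interfaces still process IPv6 router advertisements.

Added example, not the speaker's or the blog's own code: parses a sysctl
dump offline and reports where an RA flood on the local segment would be
processed by the kernel.
"""
import re

# Constructed sample of `sysctl net.ipv6.conf` output (hypothetical host).
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.lo.accept_ra = 0
net.ipv6.conf.mgmt0.disable_ipv6 = 1
net.ipv6.conf.mgmt0.accept_ra = 1
"""

LINE_RE = re.compile(r"^net\.ipv6\.conf\.(\S+)\.(accept_ra|disable_ipv6)\s*=\s*(\d+)$")


def parse_sysctl(text):
    """Return {interface: {key: int}} for the two keys the audit needs."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            iface, key, val = m.groups()
            settings.setdefault(iface, {})[key] = int(val)
    return settings


def exposed_interfaces(settings):
    """Interfaces with IPv6 enabled whose accept_ra is not 0.

    'all' and 'default' are policy knobs, not interfaces, so they are skipped;
    accept_ra defaults to 1 when the key is absent, and 2 still accepts RAs.
    """
    exposed = []
    for iface, cfg in sorted(settings.items()):
        if iface in ("all", "default") or cfg.get("disable_ipv6", 0) == 1:
            continue
        if cfg.get("accept_ra", 1) != 0:
            exposed.append(iface)
    return exposed


def hardening_lines(settings):
    """sysctl.conf lines that disable RA processing on the exposed interfaces
    and on the 'default' knob so newly created interfaces inherit it."""
    lines = [f"net.ipv6.conf.{i}.accept_ra = 0" for i in exposed_interfaces(settings)]
    if settings.get("default", {}).get("accept_ra", 1) != 0:
        lines.append("net.ipv6.conf.default.accept_ra = 0")
    return lines
```

Disabling RA acceptance only makes sense on hosts that are statically addressed or use DHCPv6; on a segment that relies on SLAAC, the right control is RA Guard on the switch rather than this host setting.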

Key take-away points from this talk are:

– Consider upcoming technologies even if you are not using them yet

– Consider any investigative / offensive moves very carefully

  • I’d recommend improving your forensics capabilities: gather solid, admissible evidence to hand to legal investigators

– Watch the basics

  • Assumptions kill us
  • Yes, people can be that silly

– Everything in moderation – hype hurts

On a closing note, the tools and sites mentioned in this post are real and currently accessible.  Search for and use with care and at your own peril!

K


Author: Kevin Fielder
