Operation Aurora and beyond
How to avoid this happening to your organisation
Raimund Genes, CTO
Copyright 2010 Trend Micro Inc.
What was Operation Aurora?
Industrial Espionage,
Nothing new!
What was new is that Google disclosed it on January 12th.
Jan 13
Jan 15: Attack named as Aurora
JS Source code of Aurora
Definition of the threat
• APT: Advanced Persistent Threats
• Non-APT hackers: financial data, sensitive customer data
• APT attackers: espionage (http://www.wired.com/threatlevel/2010/02/apt-hacks/)
Why is it called Aurora?
• Named by a path in the VNC-type backdoor
Attack Playback
Step 1: Malicious link
Step 2: Heap spray
Step 3: IE exploit
Step 4: Shell code
Step 5: Download
Step 6: Malicious file
Step 7: Steal information
What vulnerabilities have been used
• Operation Aurora
• Microsoft Security Advisory (979352) - Vulnerability in Internet Explorer Could Allow Remote Code Execution
• CVE-2010-0249 - HTML Object Memory Corruption Vulnerability
Aurora JS Code: Heap Spraying
Prepare for object overwrite
Build Img object
Free img
Overwrite object
Call to shell code
Aurora exploit: Malicious File
• Drop DLLs
• Write registry entry
• Inject dropped DLLs into some process
• Collect personal info and send out
• Create thread for remote access
• APT attacker (diagram label)
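The seven playback steps and the malicious-file behaviour listed above (dropped DLL, registry entry, injection, outbound thread) are what an endpoint-side correlation would look for. The following added example is my own Python, not code from the presentation or from Trend Micro: it walks constructed endpoint/proxy events and flags a host only when a browser visit is followed, in order and within a short window, by a dropped file, a persistence registry write, an injection, and an outbound connection from the injected process. The event format, field names, hosts and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs, not Aurora indicators). WS17
# follows the slide's playback: link -> drop -> registry -> inject -> call out.
# WS22 is benign browsing plus an unrelated document save by another program.
SAMPLE_EVENTS = """\
2010-01-12T09:00:01 host=WS17 user=darren type=proxy proc=iexplore.exe url=http://news.example.invalid/story.html
2010-01-12T09:00:04 host=WS17 user=darren type=file_write proc=iexplore.exe path=C:\\Windows\\Temp\\a.dll
2010-01-12T09:00:05 host=WS17 user=darren type=registry proc=iexplore.exe key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
2010-01-12T09:00:06 host=WS17 user=darren type=inject proc=iexplore.exe target=svchost.exe
2010-01-12T09:00:09 host=WS17 user=darren type=netconn proc=svchost.exe dst=203.0.113.10:443
2010-01-12T09:30:00 host=WS22 user=alice type=proxy proc=iexplore.exe url=http://intranet.example.invalid/home
2010-01-12T09:31:00 host=WS22 user=alice type=file_write proc=winword.exe path=C:\\Users\\alice\\report.docx
"""

# Stage numbers follow the "Attack Playback" slide, collapsed to what an
# endpoint sensor can observe (heap spray and exploit happen inside the browser).
STAGE_OF = {"proxy": 1, "file_write": 2, "registry": 3, "inject": 4, "netconn": 5}
STAGE_NAME = {1: "browser visit", 2: "file dropped", 3: "registry persistence",
              4: "DLL injection", 5: "outbound channel"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(KV_RE.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def correlate(events, min_stages=3, window=timedelta(minutes=10)):
    """Return {host: [stage numbers]} for hosts where a browser visit is followed,
    in order, by at least `min_stages` later stages within `window`.  Only events
    from the browser itself or from a process it injected into count, so an
    unrelated file save by another program does not extend the chain."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            if start["type"] != "proxy" or start["proc"] not in BROWSERS:
                continue
            seen = [1]
            tainted = {start["proc"]}          # processes tied to this chain
            for ev in evs[i + 1:]:
                if ev["ts"] - start["ts"] > window:
                    break
                stage = STAGE_OF.get(ev["type"])
                if stage is None or ev["proc"] not in tainted:
                    continue
                if stage > seen[-1]:
                    seen.append(stage)
                if ev["type"] == "inject":
                    tainted.add(ev["target"])  # injected process now part of chain
            if len(seen) - 1 >= min_stages:
                hits[host] = seen
                break
    return hits


def describe(hits):
    """Human-readable stage names per flagged host."""
    return {h: [STAGE_NAME[s] for s in stages] for h, stages in hits.items()}


if __name__ == "__main__":
    for host, stages in describe(correlate(parse_events(SAMPLE_EVENTS))).items():
        print(f"{host}: {' > '.join(stages)}")
```

The taint set is the important design choice: a registry write or network connection only counts when it comes from the browser or from a process the browser injected into, which is what separates the slide's chain from ordinary activity on the same host.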
How to craft an attack? Get public information! The web knows you!
And then an E-Mail with a spoofed sender
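The lure on the slide above arrives with a spoofed sender. The following added example is my own Python, not code from the presentation or from Trend Micro: it applies header-only checks that a mail gateway or analyst can run on a message, comparing the display name, the From address, the envelope sender (Return-Path) and Reply-To. Both messages, the domains and the addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample lure (not a real Aurora message): the display name is an
# internal-looking address, the real sender and envelope sender sit elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
From: "boss@corp.example" <attacker@lookalike.example>
Reply-To: attacker@lookalike.example
To: darren@corp.example
Subject: Q1 budget - please review attachment

see attached
"""

# Constructed benign message for comparison.
BENIGN_MESSAGE = """\
Return-Path: <alice@corp.example>
From: Alice <alice@corp.example>
To: darren@corp.example
Subject: lunch

noon?
"""

ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw, internal_domain):
    """Header-only checks for a spoofed sender; returns a list of findings
    (empty means nothing suspicious).  This is triage on what the recipient
    sees; SPF/DKIM/DMARC verify the sending infrastructure separately."""
    msg = message_from_string(raw)
    internal = internal_domain.lower()
    name, from_addr = parseaddr(msg.get("From", ""))
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain(from_addr)
    findings = []

    # 1. An address written inside the display name that differs from the real one.
    m = ADDR_IN_NAME.search(name)
    if m and domain(m.group(0)) != from_dom:
        findings.append(f"display name shows {m.group(0)} but sender is {from_addr}")
    # 2. Envelope sender (Return-Path) on a different domain than the From header.
    if rp_addr and domain(rp_addr) != from_dom:
        findings.append(f"envelope sender {rp_addr} does not match From domain {from_dom}")
    # 3. Replies silently redirected elsewhere.
    if reply_addr and domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} is on a different domain")
    # 4. Claims to be internal but did not originate from the internal domain.
    if from_dom == internal and domain(rp_addr) != internal:
        findings.append(f"claims internal sender but envelope sender is {rp_addr or 'missing'}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, spoof_indicators(raw, "corp.example") or ["no findings"])
```

Check 4 is the one that catches a forged internal From address: a message that claims to come from corp.example but was bounced through an outside mailer is exactly the case the slide describes.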
And if Darren clicks on the attachment...
Threat Predictions 2010
1. No global outbreaks, but localized and targeted attacks
2. It's all about money, so cybercrime will not go away
3. Windows 7 will have an impact since it is less secure than Vista in the default configuration
4. Risk mitigation is not as viable an option anymore – even with alternative browsers / alternative operating systems (OSs)
5. Malware is changing its shape – every few hours
6. Drive-by infections are the norm – one web visit is enough to get infected
7. New attack vectors will arise for virtualized/cloud environments
8. Bots can't be stopped anymore and will be around forever
9. Company/social networks will continue to be shaken by data breaches
10. Digital terrorism – attacks on SCADA networks?
Increase in Malware
No script kiddies and amateurs anymore, professional malware writers who know how to play with the AV industry.
A new malware component is released every 1.5 seconds!
URLs instead of Attachments!
Waledac Malware
Infiltrated Websites!
Social Networks as an Attack Vector (11/08/2009)
Is it Spam, is it an Attack Vector, is it Social Engineering?
Today's Infection Chain (diagram)
Actors: Malware writer, Criminals, Bot herder, Botnet (Bot, Command & Controller)
Infection vectors: Web drive-by, Email spam, Port scan, Vulnerabilities
Host infection: Downloader, Spyware/Trojan, Adware/Clickware
Bot behaviour: Fool the AV, Wait for instructions, Get updates from Command & Control, Host management
Activities: Spam & Phishing, Dedicated Denial of Service, Data Leakage, Recruitment
Command & control protocols: HTTP, IRC, DNS
How to avoid this happening to your organisation
Pattern matching is baseline... and the bad guys know this...
So should we move to IPS and HIPS?
Because traditional endpoint security can't keep up anymore
Signature file updates take too long:
• Delay protection across all clients and servers
• Leave a critical security gap
• Require multiple updates a day to keep up with threats, complicating signature management
Signature files are becoming too big:
• Increase endpoint memory footprint
• Increase impact on endpoint performance
• Increase bandwidth utilization
• Unpredictable increase of client size
Chart: unique threat samples per hour, 2007 to 2015 (axis labels 2007, 2009, 2011, 2013, 2015; plotted values 57, 205, 799, 1,484, 2,397, 3,881, 6,279, 10,160, 16,438, 26,598)
We need a layered approach, and we need a holistic view for IT security!
And pattern matching is still needed to properly identify malware and to clean up the damage.
The Electric Grid - Today (diagram: Power Station, Local connection, National Transport connection, Transport System)
User Advantages
1. No need for large investment
2. On-demand instant access
3. Pay as you go
A Distributed Electric Grid / Trend Micro today (diagram: Different Power Stations, Solar Panel, Local connection, International Transport connection, Transport System)
Could we patch fast enough?
Or do we need vulnerability shielding, accepting that patch management is tough!
No matter what we do, Smart Protection Network is the key component!
Smart Protection Network (diagram)
In-the-cloud platform: File Reputation, Web Reputation, Email Reputation, Threat Analytics, Correlation
Inputs: File, Web / URL, Domain, IP, Email, Behavior
Community Intelligence (feedback loop), Incident Trigger, Validation, Monitor, Customer Solution, Professional Services
We at Trend Micro are not worried about cybercriminals and their ways to make money! Cause we have prepared ourselves for this!
• 2005: Email Reputation Services
• 2006: Web Reputation Services
• 2008: File Reputation Services
So why are we so different – why do we protect well against real-life malware?
ERS load = 295 GB per day, WRS load = 1305 GB per day, FRS load = 334 GB per day
Smart Protection Network key benefits
• Threats are blocked before they can infiltrate the network or computer
• Patent-pending correlation technology analyzes all threat vectors – email, web, file
• Blocks threats at their source – the Internet
• We own all the technology
• Protects you wherever you connect, at work, at home or on the road
• Available in all solutions – Consumer, SMB, Enterprise, Partner, SaaS
• Powers our SaaS, Gateway, Messaging, Endpoint, Mobile & Partner solutions
• Reduces the need for local signatures
• Immediate protection
• Local Scan Server improves time to protect
• Trend Micro manages updates
• Reduces complexity
Threat Management Solution Assessment
• 100% of companies had malware
• 56% of companies had at least 1 information-stealing malware
• 72% of companies had at least 1 IRC bot
• 80% of companies had malicious web downloads
• 30% of companies had at least 1 network worm
• Technology used to detect threats:
– 99% using Smart Protection Network
– 1% using traditional scanning engines