Posts Tagged ‘information security’

GFIRST 2010: social malware, insider threat, fast flux botnets ….

Wednesday, September 8th, 2010

I attended the 6th Annual GFIRST National Conference organized by US-CERT. GFIRST stands for Government Forum of Incident Response and Security Teams. This year’s theme was: Building Today, Shaping Tomorrow – Ensuring an Effective Response Capability to Manage Risks in Cyberspace. The conference was well attended with some talks standing room only in a 300-person conference room. Most commercial information security vendors interested in this space were participating exhibitors in the accompanying expo. I will not be able to cover some of the really interesting presentations in this public forum due to the sensitivity of the topics, but here are a couple of tidbits for general consumption.

“Emerging Threats in 2010” by Dave Marcus, Director of Security Research and Communications, McAfee Labs, was one of my favorite presentations of the conference. Dave Marcus, who blogs at Reclaim Hacking, posited that he can get anyone to click on malware by mining personal information from the social media aggregated by several services. Dave uses Twitscoop to find the trending topics for messaging that the recipient will be interested in, uses Bing to figure out what OS the user is using and what the user is talking about so that he can send targeted malware for the right platform (Android, Mac OS, etc.), mines picture tags using PicFog (alert: potentially offensive material), uses Twittermap to deliver malware to people attending an event, mines Twitter trends using Trendistic, uses hashtags.org to track trends, uses Openbook to mine Facebook, and crafts URLs by appending keywords to tinyURLs. Openbook exposes the awful default privacy settings in Facebook, as many users don’t know how to set their preferences. After listening to this presentation, I have no doubt a determined adversary can figure out anyone’s hot button to push in order to deliver targeted malware. So what can you do? Check the privacy settings of your social media accounts, start using URL expanders, install safe browsing plug-ins …

Dawn Cappelli and Adam Cummings of CERT gave a nice talk on insider threat, presenting their empirical analysis of the MERIT database, which covers 157 fraud, 116 sabotage, 77 theft, 120 espionage and 44 miscellaneous cases, and of the SpyDR (Spy Data Repository) espionage database, which covers 120 cases. Their findings show that sabotage is perpetrated by former employees who insert malicious code before leaving, while fraud is typically carried out by a help desk person recruited from outside. Their recommendations: enable message tracking on your mail server, use Splunk to track mail flow to competitors, foreign entities, etc., look for emails over a certain size, and do continuous logging, targeted monitoring and real-time alerting. You can find more detailed information on this research here.
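The mail-flow checks in those recommendations (destinations on a competitor or foreign-entity watchlist, messages over a size threshold, a per-sender tally for targeted monitoring) are simple to express over delivery logs. The following is an added example, not code from CERT or from the talk; the simplified Postfix-like log format, the watchlists and the 5 MiB threshold are all constructed for illustration.

```python
"""Mail-flow monitoring along the lines of the CERT insider-threat
recommendations: flag messages to watchlisted (competitor / foreign)
destinations and unusually large messages, and tally hits per sender.

Added example; the log format and watchlists below are constructed for
illustration, not a real mail server's output."""
import re
from collections import defaultdict

# Constructed log lines in a simplified, Postfix-like delivery format.
SAMPLE_LOG = """\
2010-09-01T08:12:03 id=A1 from=<alice@corp.example> to=<bob@corp.example> size=18234 status=sent
2010-09-01T08:40:19 id=A2 from=<carol@corp.example> to=<rfp@rival-corp.example> size=412 status=sent
2010-09-01T09:05:44 id=A3 from=<carol@corp.example> to=<drop@mail.example.ru> size=23987134 status=sent
2010-09-01T09:06:01 id=A4 from=<dave@corp.example> to=<dave.home@mail.example> size=8123 status=sent
2010-09-01T09:30:27 id=A5 from=<carol@corp.example> to=<rfp@rival-corp.example> size=9934012 status=sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\S+) from=<(?P<from>[^>]+)> to=<(?P<to>[^>]+)> "
    r"size=(?P<size>\d+) status=(?P<status>\S+)$"
)

# Constructed watchlists: competitor domains and country-code TLDs of interest.
COMPETITOR_DOMAINS = {"rival-corp.example"}
WATCHED_TLDS = {"ru", "cn"}
SIZE_THRESHOLD = 5 * 1024 * 1024  # 5 MiB, a constructed cut-off


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def classify(rec):
    """Return the list of rule names a single message trips (may be empty)."""
    hits = []
    dom = recipient_domain(rec["to"])
    if dom in COMPETITOR_DOMAINS:
        hits.append("to_competitor")
    if dom.rsplit(".", 1)[-1] in WATCHED_TLDS:
        hits.append("to_watched_tld")
    if rec["size"] > SIZE_THRESHOLD:
        hits.append("oversize")
    return hits


def find_alerts(text):
    """Per-message alerts plus a per-sender hit count for targeted monitoring."""
    alerts = []
    per_sender = defaultdict(int)
    for rec in parse_log(text):
        hits = classify(rec)
        if hits:
            alerts.append((rec["id"], rec["from"], rec["to"], rec["size"], hits))
            per_sender[rec["from"]] += len(hits)
    return alerts, dict(per_sender)


if __name__ == "__main__":
    alerts, tally = find_alerts(SAMPLE_LOG)
    for alert in alerts:
        print(alert)
    print(tally)
```

Run against the constructed log, messages A2, A3 and A5 are flagged and the sender tally singles out one account with repeated hits; in practice the same rules would be fed from the mail server's message-tracking log and the tally would drive real-time alerting.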

Aaron Shelmire and Ed Stoner of CERT presented their Dynamic DNS and fast flux analysis. They started with a malicious software catalog and augmented the malware domain list with ISC-SIE A, MX and NS records. They define a fast flux domain as one that resolves to at least 25 different IPs on 20 ASNs. It was a good chance to validate each other’s results: for instance, Shelmire and Stoner see 1.5%–2% fast flux in malware, while our FastFluxMonitor detects fast flux in about 1.4%–4% of the domains in malware domain feeds. Their high-level findings were similar to the trends we observed in our Botnet Threat Intelligence database.
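The 25-IPs-on-20-ASNs rule quoted above is easy to apply to a feed of resolution observations, and the ASN half of it is what separates a fluxing domain from a CDN that also spreads over many IPs. The block below is an added example, not CERT's or FastFluxMonitor's code; the observations and the IP-to-ASN mapping (one constructed ASN per /16) are made up for illustration, and a real implementation would look ASNs up from BGP routing data.

```python
"""Fast flux classification using the threshold quoted from Shelmire and
Stoner's GFIRST talk: a domain is fast flux if it resolved to at least
25 distinct IPs spread over at least 20 ASNs.

Added example; the resolution records and the IP-to-ASN table are
constructed for illustration, not real DNS or routing data."""
from collections import defaultdict

MIN_IPS = 25
MIN_ASNS = 20


def ip_to_asn(ip):
    """Constructed stand-in for a BGP prefix-to-ASN lookup: one ASN per /16."""
    a, b, _, _ = (int(x) for x in ip.split("."))
    return 64512 + a * 256 + b  # constructed ASN numbers, not real assignments


def make_observations():
    """Build a constructed feed of (domain, resolved_ip) pairs."""
    obs = []
    # A fluxing domain: 30 distinct IPs, each in a different /16 (30 ASNs).
    for i in range(30):
        obs.append(("flux.example", f"10.{i}.{i % 7}.{i + 1}"))
    # A CDN-like domain: 30 distinct IPs but only 3 /16s (3 ASNs).
    for i in range(30):
        obs.append(("cdn.example", f"192.{i % 3}.0.{i + 1}"))
    # A static domain: the same IP seen repeatedly.
    for _ in range(10):
        obs.append(("static.example", "172.16.0.5"))
    return obs


def summarize(observations):
    """Collapse the feed into per-domain (distinct IP count, distinct ASN count)."""
    ips = defaultdict(set)
    asns = defaultdict(set)
    for domain, ip in observations:
        ips[domain].add(ip)
        asns[domain].add(ip_to_asn(ip))
    return {d: (len(ips[d]), len(asns[d])) for d in ips}


def is_fast_flux(n_ips, n_asns, min_ips=MIN_IPS, min_asns=MIN_ASNS):
    """Both halves of the rule must hold: many IPs AND many ASNs."""
    return n_ips >= min_ips and n_asns >= min_asns


def classify_feed(observations):
    return {d: is_fast_flux(*counts) for d, counts in summarize(observations).items()}


def flux_fraction(observations):
    """Share of domains in the feed that meet the fast flux definition."""
    verdicts = classify_feed(observations)
    return sum(verdicts.values()) / len(verdicts)


if __name__ == "__main__":
    feed = make_observations()
    print(summarize(feed))
    print(classify_feed(feed))
    print(f"fast flux fraction: {flux_fraction(feed):.2%}")
```

On the constructed feed only flux.example is classified as fast flux; cdn.example has just as many IPs but fails the ASN test, which is the false-positive the second threshold exists to avoid.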

Our presentation in the Event Detection via DNS and Route Monitoring session was well received. Daniel Massey discussed how to detect network route prefix hijacking via BGP monitoring. Our presentation focused on the use of botnet social networks in detection and mitigation. In summary, our Botnet Threat Intelligence solution provides two levels of evidence, as shown in the table below. Our guilt-by-association score is based on a domain’s, nameserver’s, or IP’s relationship to other malicious entities through historical social network knowledge. In contrast, our fast flux score is based on the domain’s or nameserver’s real-time behavior. Guilt-by-association scores provide pre-zero-day intelligence, while fast flux scores provide near-real-time situation assessment.

[Table: guilt-by-association (GBA) vs. fast flux (FF) evidence levels]

Kneber Botnet – less fluxy but more stealthy

Friday, February 19th, 2010

The recent news story about the Kneber botnet based on the excellent work done by the NetWitness team and informative posts by Dancho Danchev and others brought the ZeuS Trojan botnet into limelight. In contrast to some misleading reports, the security community has been following this botnet, which infected more than 75,000 computer systems at nearly 2,500 companies, for quite a long time. We have been tracking ZeuS with our Fast Flux Monitor for some time as well. Given the recent interest in this botnet, we decided to analyze the reported ZeuS data using our Fast Flux Monitor database to provide some additional insight.

Most of the domain, nameserver and IP entities associated with the attacking infrastructure reported in the NetWitness Kneber report were already in our FastFluxMonitor database. What is interesting is that most of the reported Kneber domains and nameservers do not exhibit fast flux behavior. For instance, all of the reported Kneber domains for the Trojan installers resolve to 1 to 4 IPs, which is not enough for a fast flux evasion scheme. The number of IPs each Kneber Trojan installer domain resolves to is shown in the table below.

[Table: ZeuS (Kneber) Trojan installer domains and the number of IPs each resolves to]

Comparing the ZeuS network graph with the various botnets in our database reveals that the ZeuS botnet has a different network graph than others such as Avalanche, Conficker, Gumblar and Pushdo. The figure below shows the domain, nameserver and IP connectivity for the Avalanche botnet:

[Figure: Avalanche botnet domain, nameserver and IP connectivity graph]

In this graph, the blue, red and green nodes denote IPs, domains and nameservers, respectively. Each cluster represents a set of entities in which any two nodes can be linked through domain, nameserver and IP connectivity. The Avalanche graph has one large cluster and six small clusters, making it easy to discover the various entities of this botnet. In contrast, the same graph for the ZeuS botnet, shown below, has one large cluster and over 200 small clusters, making it hard to discover the various entities of this botnet.

[Figure: ZeuS botnet domain, nameserver and IP connectivity graph]

Referring to the data shown in the table above, the reported Kneber domains and nameservers belong to one of the small clusters on the right. These clusters consist of domains and nameservers that do not exhibit fast flux behavior. Whether the small clusters represent discreet probing of networks by large criminal organizations or small operators’ hosting set-ups built from downloaded free phishing kits, the ZeuS botnet is stealthier than the others because it relies on a large number of small clusters for its attack campaigns.
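The clustering used in the Avalanche and ZeuS graphs above, and the guilt-by-association score described in the GFIRST post, both come down to connected components over a domain/nameserver/IP graph. The following is an added example and not the Botnet Threat Intelligence database's own data or scoring formula: the resolution records and the known-malicious list are constructed, and the score (share of the other entities in an entity's cluster that are already known bad) is a deliberately simple stand-in for the historical social-network scoring the post describes.

```python
"""Guilt-by-association over a domain / nameserver / IP connectivity graph:
link every entity a record mentions, take connected components as
clusters, then score an entity by the known-malicious entities that share
its cluster.

Added example; the records, the known-malicious list and the scoring rule
are constructed for illustration."""
from collections import defaultdict

# Constructed resolution records: (domain, nameserver, [ips]).
RECORDS = [
    ("pay-update.example", "ns1.flux-host.example", ["198.51.100.1", "198.51.100.2"]),
    ("bank-login.example", "ns1.flux-host.example", ["198.51.100.2", "198.51.100.3"]),
    ("secure-doc.example", "ns2.flux-host.example", ["198.51.100.3"]),
    # A small, isolated cluster: one installer domain on its own nameserver.
    ("installer.example", "ns.lonely.example", ["203.0.113.9", "203.0.113.10"]),
    # A benign cluster sharing a registrar's nameserver.
    ("shop.example", "ns.registrar.example", ["192.0.2.10"]),
    ("blog.example", "ns.registrar.example", ["192.0.2.11"]),
]

# Constructed prior knowledge: entities already confirmed malicious.
KNOWN_BAD = {"pay-update.example", "198.51.100.2"}


class UnionFind:
    """Disjoint-set forest; connected components become the clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def build_clusters(records):
    """Return {root: set(entities)}: one connected component per cluster."""
    uf = UnionFind()
    for domain, ns, ips in records:
        uf.union(domain, ns)
        for ip in ips:
            uf.union(domain, ip)
    clusters = defaultdict(set)
    for entity in list(uf.parent):
        clusters[uf.find(entity)].add(entity)
    return dict(clusters)


def cluster_of(entity, clusters):
    for members in clusters.values():
        if entity in members:
            return members
    return set()


def gba_score(entity, clusters, known_bad=KNOWN_BAD):
    """Fraction of the *other* entities in the cluster that are known bad
    (a constructed, simplified guilt-by-association rule)."""
    others = cluster_of(entity, clusters) - {entity}
    if not others:
        return 0.0
    return len(others & known_bad) / len(others)


def cluster_sizes(clusters):
    """Size distribution, largest first: few large clusters vs. many small ones."""
    return sorted((len(m) for m in clusters.values()), reverse=True)


if __name__ == "__main__":
    clusters = build_clusters(RECORDS)
    print("cluster sizes:", cluster_sizes(clusters))
    for name in ("secure-doc.example", "installer.example", "shop.example"):
        print(name, round(gba_score(name, clusters), 3))
```

secure-doc.example has never been observed doing anything malicious itself, yet it scores above zero because it shares a cluster with two known-bad entities; installer.example, sitting alone in its own small cluster, scores zero, which is exactly the ZeuS pattern above where many small clusters give association scoring little to work with.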

We will present our comparative analysis of the Avalanche, Conficker, Gumblar, Pushdo and ZeuS botnets at the NATO IST-091 Symposium on “Information Assurance and Cyber Defence”, which will provide an explanation for the difference.

DHS Conference on Cyber Security (CATCH)

Tuesday, February 17th, 2009

How can an organization defend against cybercrime enabled by botnets operating as fast flux service networks? Milcord will present its solution for “Real-time Detection of Fast Flux Service Networks” and botnets at the Cybersecurity Applications and Technology Conference for Homeland Security, scheduled March 3-4, 2009 in Washington, DC. Very soon afterwards we’ll be announcing the beta release of our new product, Fast Flux Monitor, which was the foundation for our research investigation.

To find out more about our research, visit the [[Botnet Defense]] project page.

Here’s the abstract:

Here we present the first empirical study of detecting and classifying fast flux service networks (FFSNs) in real time. FFSNs exploit a network of compromised machines (zombies) for illegal activities such as spam, phishing and malware delivery using DNS record manipulation techniques. Previous studies have focused on actively monitoring these activities over a large window (days, months) to detect such FFSNs and measure their footprint. In this paper, we present a Fast Flux Monitor (FFM) that can detect and classify an FFSN on the order of minutes using both active and passive DNS monitoring, which complements long-term surveillance of FFSNs.

Information Assurance and Software Protection Workshop

Thursday, September 4th, 2008

Milcord presented its [[Information Security|Information Assurance]] technology solutions at the 2nd Annual Defense Research & Engineering (DDR&E) Information Assurance and Software Protection Workshop held at Wright-Patterson Air Force Base, Ohio on 3-4 September 2008.

Skybox Security brings attack simulation technology to enterprise networks

Wednesday, February 25th, 2004

A Skybox Security innovation has made [[Attack Graph|attack graph]] simulation technology feasible for managing the information security risks in large enterprise networks. Milcord has partnered with Skybox on a number of Government information security projects. Attack graph simulation technology was pioneered by Laura Painton Swiler and Cindy Phillips in the ’90s at Sandia National Laboratories.