James Lyne, Director of Technology Strategy, Sophos
Sophos currently sees more than 200,000 individual pieces of malicious code every day.
Cybercrime is becoming very professional, with easy-to-access tools:
Sites exist for testing and quality assurance of malware, e.g. www.virtest.com: this site scans your malware with multiple (44) different anti-virus products to see whether it is detected. The benefit of this service is that it uses the vendors' own AV engines and signatures. The site carries the assurance that no results will be sent back to the vendors or shared in any way, so the malware will not be added to existing malware databases.
Another example is Gwapo, which has YouTube videos advertising its DDoS service.
Ransomware is also becoming common: malware that encrypts your drive(s) and demands payment to decrypt them. Some ransomware is a lot scarier and more malicious, threatening that illegal content such as child pornography has been encrypted on your computer and that, if you don't pay within xx hours or days, the police will be sent details of how to decrypt it. Ransomware can be particularly harmful and effective because it does not require administrative access: for example, if you have access to company files, they can be encrypted with your limited access.
You can easily get access to 'crime-packs' containing various exploitation and attack tool kits. Examples include Firepack, IcePack, CrimePack, Blackhole, etc. Some of these even come with CR tools built in! Additionally, in keeping with the times, some are available as cloud-based services that you can subscribe to. Many come with technical support contacts as well.
The tools have very simple GUI-based interfaces for creating your own malware from existing payloads. They are also updated very regularly with new code and make use of polymorphism to try to evade detection.
As an example, Blackhole has features such as:
– Blacklisting / blocking to try to prevent researchers from security companies accessing the application and infected machines
  - Only hit IPs once
  - IP blacklist
  - Referrer URL blacklist
  - TOR blacklist
  - Import blacklisted ranges (e.g. from cloud services)
– Auto updating / patching
– Can target multiple client vulnerabilities simultaneously
– Java 0-days almost as soon as they were available
– AV scanning add-ins to check whether the attack is being identified by host AV systems
A few comments on adopting a more 'offensive' stance: this is a grey area and may be legally questionable in some jurisdictions, so you should be careful when looking at these options. Some options, in order of escalating scale:
– Bit of poking – DNS, name servers and 'affiliations'
– Web bug, image or alike
  - Pretty easy to legally get away with
  - Sadly basic information
  - Borderline, depending on your jurisdiction
– Full hog – exploitage
  - Oh, you didn't patch Java on your system either? – use the attacker's exploit, in this case Java, against their own Java-based site / application
  - Where they are, what they are doing.
Two steps forward... Using IPv6 as an example: many machines now have IPv6 on by default, and a simple router flood attack, available in current BackTrack etc., can max out the CPU and even crash the machine. You may not care about IPv6 yet, but if you are not disabling or securing it you could be opening up new attack vectors in your organisation without realising it. The message again is to understand your environment and the risks you face.
Key take-away points from this talk are:
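As an added example (not from the talk, Sophos or BackTrack), a small host-side audit of the setting a router flood abuses: which Linux interfaces still accept IPv6 Router Advertisements while IPv6 is enabled. It parses `sysctl -a` style lines; the sample input below is constructed.

```shell
#!/bin/sh
# Added example: audit IPv6 Router Advertisement acceptance per interface.
# Reads Linux "key = value" lines as printed by `sysctl -a` on stdin and
# reports interfaces where IPv6 is enabled and accept_ra is not 0.
audit_ipv6_ra() {
    awk '
        /^net\.ipv6\.conf\.[^.]+\.accept_ra = / {
            split($1, p, "."); ra[p[4]] = $3        # p[4] is the interface name
        }
        /^net\.ipv6\.conf\.[^.]+\.disable_ipv6 = / {
            split($1, p, "."); off[p[4]] = $3
        }
        END {
            for (i in ra) {
                if (i == "all" || i == "default") continue   # templates, not interfaces
                if (off[i] != "1" && ra[i] != "0")
                    print i " accepts RAs (accept_ra=" ra[i] ")"
            }
        }' | sort
}

# Constructed sample: eth0 still accepts RAs, eth1 has RAs off,
# lo has accept_ra set but IPv6 disabled entirely.
SAMPLE='net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth1.accept_ra = 0
net.ipv6.conf.eth1.disable_ipv6 = 0
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.lo.disable_ipv6 = 1'

# On a real host: sysctl -a 2>/dev/null | audit_ipv6_ra
printf '%s\n' "$SAMPLE" | audit_ipv6_ra
```

Interfaces the script lists are the ones to either set `accept_ra` to 0 on (where no legitimate IPv6 router exists) or protect with RA Guard on the switch.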
– Consider upcoming technologies even if you are not using them yet
– Consider any investigative / offensive moves very carefully
  - I'd recommend improving your forensics capabilities: gather solid, admissible evidence to hand to legal investigators
– Watch the basics
  - Assumptions kill us
  - Yes, people can be that silly
– Everything in moderation – hype hurts
On a closing note, the tools and sites mentioned in this post are real and currently accessible. Search for and use them with care and at your own peril!