BSidesMO Wrap-up

Last Friday I attended my first BSides event in Missouri’s capitol (literally in the capitol building!) Jefferson City. The BSides community exists to bring fellow security practitioners together to present and participate in a small-scale environment that encourages collaboration. I’m not the outgoing sort and I generally like to fade into the background and just learn, but this environment really lends itself well to establishing relationships with others. There were quite a few St Louis based individuals and the chatter is already taking off for setting up a BSides event closer to home in the Spring. Two tracks were offered at BSidesMO; I chose track 2. A brief review of a few of my favorite talks follows below. Many thanks to Jerry Gamblin (@jgamblin), Randy Raw (@randyraw), & Beth Young (@bethayoung) for putting on a great show.

The Evolution of Malware – Chris Quinn

I don’t spend any time studying malware, but I spend quite a bit of time cleaning it up. This talk was pretty eye opening on several levels. The increase of viruses (250k in 2007  –> 286M in 2010) is a shocking display of slope. The growth is primarily attributed to the mutating nature of most of the new viruses, targeting only a few dozen before mutating again. That narrowing of focus in targeting victims kind of reminds me of the scene in Jurassic Park where one of the raptors lays as bait while the other hides in the bushes ready to pounce: Clever Girl! The real payoff of the talk, however, was the discussion on Stuxnet. Some high level details on design:

• Used seven distinct mechanisms to spread, six of which leveraged 0-day vulnerabilities)
• Comprised of 15 modules
• Five mechanisms to conceal itself
• reprograms industrial PLCs w/ 10k lines of code (10k!)
• rootkits for windows PC and the PLC
• used two stolen certificates to sign its files making them look legitimate

For systems infected without the appropriate configuration, the virus did nothing. Otherwise, it would collect telemetry data for days and then replay to monitoring systems while then controlling the PLCs at will. Amazing stuff. Bruce Schneier has a nice summary of the knowns/unknowns (at time of writing), and you can read Symantec’s comprehensive dossier on the subject as well.

Make the World Go Away – Beth Young

Beth’s talk focuses on reducing your threat landscape. She discussed inbound reduction techniques like blocking ip ranges from areas of the world that would have no business accessing a particular resource. This was interesting as the legwork required to build this yourself and implement on the firewalls is fairly cumbersome, but worthwhile. F5 customers can tap the built-in geo-location services in BIG-IP LTM to stop requests at the door using the iRules whereis command, performing the same function in minutes what probably took Beth and her team a considerably longer time to achieve. The most interesting part of the talk concerned protecting internal users and in turn the organization by poisoning the DNS for known bad domains. This is done either by routing said requests to a bit bucket (IP based) or redirecting the requests to an alternative web-server for stats collection and remediation (name based). Both are intriguing, and I expect I’ll write this solution up utilizing F5 gear in the next few weeks.

Web Exploitation Trends – Larry Battle

Larry had some great information, a lot of which was similar to Chris Quinn’s, so I won’t rehash that. The social engineering discussion was engaging, however. I don’t recall the place (Surprise Valley, Sunrise Valley?) but Larry described a place in Idaho that had an entire real-estate website for people wanting to relocate there, only the place didn’t even exist. The entire site was a scam, and when you clicked on the videos, a flash “upgrade” would be presented, at which time it appeared flash was updating (with real-looking flash screens) but actually malware was being downloaded instead. The craftiness of these criminals is amazing. The other uncool but fascinating part was the “You have a virus, pay $25 and we’ll clean it” scam. I always go straight to task manager and kill the processes as soon as these pop-up, but I wasn’t aware that they aren’t malware in the sense that they do damage to your system. It’s really just a scare tactic to get you to spend $25. The whole thing is a ruse, and does nothing to infect or clean your system. Fascinating stuff.

• Where Do You Wear Your Malware?
• 3 Billion Malware Attacks and Counting
• Stefan Maierhofer - Malware
• e-card Malware
• Pete Silva - malware
• generic malware/spyware/loggers - DevCentral - DevCentral Groups ...
• 2010 Year End Security Wrap
• Joe Pruitt - Trojan
• Custom Code for Targeted Attacks
• IE7 Offers Another Reason To Use FireFox