80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 - - PowerPoint PPT Presentation



SLIDE 1

Slammer’s Bandwidth-Limited Growth

SLIDE 2

80% of Code Red 2 cleaned up due to onset of Blaster

  • Code Red 2 re-released with Oct. 2003 die-off
  • Code Red 1 and Nimda endemic
  • Code Red 2 re-re-released Jan 2004 (and 2005; not since …?)
  • Code Red 2 dies off again

SLIDE 3

Code Red 2 re-re- released Jan 2004 (and 2005; not since …?)

Feb 7 2012!

SLIDE 9

2009 - 2010

SLIDE 10

2012

SLIDE 11

2013-2014

SLIDE 18

Stuxnet: slowly ramped up centrifuge speeds until they flew apart … while feeding false readings to the control system. Included 4 zero-days for spreading.

SLIDE 19

Flame: general information stealer. Includes geolocation from local photos, taking screenshots, microphone access to capture local audio, recording Skype calls, and downloading contacts from nearby Bluetooth devices. Exploited a previously unknown MD5 hash collision vulnerability. Built-in autowipe “kill switch”.

SLIDE 20

Gauss: Specifically targets banking transactions, mainly in Lebanon. Includes trapdoor looking for specific accounts, undeciphered to date.

SLIDE 22

#!/usr/bin/perl
# Lightweight fake IIS 5.0 responder: reads one request line from stdin,
# answers with plausible status and headers so a scanner keeps talking,
# and stops without answering if the request is big enough to be an exploit.
while (<>) {
    chomp;
    # "..." stands for the remaining methods elided on the slide
    if ( /^(get|post|options|head|...)(.*)/i ) {
        # Do not respond if it looks like an exploit
        last if length($_) > 1000;
        my $date = gmtime;
        if ( $1 =~ /get|head/i ) {
            print "HTTP/1.1 200 OK\r\n";
        } elsif ( $1 =~ /search/i ) {
            print "HTTP/1.1 411 Length Required\r\n";
        } elsif ( $1 =~ /options/i ) {
            print "HTTP/1.1 200 OK\r\n";
            print "DASL: \r\nDAV: 1, 2\r\n";
            print "Public: OPTIONS, TRACE, GET, HEAD, DELETE, ...\r\n";
            print "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, ...\r\n";
        } elsif ( $1 =~ /propfind/i ) {
            print "HTTP/1.1 207 Multi-Status\r\n";
        } else {
            print "HTTP/1.1 405 Method Not Allowed\r\n";
        }
        # Common trailer mimicking IIS 5.0 (here-doc terminator must be at column 0)
        print <<EOF;
Server: Microsoft-IIS/5.0
Date: $date GMT
Content-Length: 0
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACBAABCQ=BHAMAEHAOAIHMOMGJCPFLBGO; path=/
Cache-control: private
EOF
        last;
    }
}

SLIDE 24–30

GQ: Building a Large-Scale Honeyfarm

  • Honeyfarm: use a network telescope to route scan traffic to a set of honeypots
  • Goal: scale to 100,000s of monitored addresses …
  • … at high fidelity

Diagram (same on each slide): Global Internet → Advertised Dark Space → GRE Tunnels or direct routing → MGMT Gateway → Physical Honeyfarm Servers (VM VM VM …)

Annotations added one per slide:

  • Dark space: blocks of otherwise unallocated addresses
  • Routers send dark space traffic either via tunnels or direct attachment
  • Gateway applies filtering to reduce load, allocates honeypot and mediates communication
  • Outbound communication attempted by a honeypot can be redirected back to another honeypot
  • If redirected traffic again tries to communicate outbound, then we have found a worm
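The gateway logic on these slides (filter inbound load, allocate a honeypot, redirect any outbound attempt back into the farm instead of the Internet, and flag a worm only when the redirected traffic itself tries to go outbound again) as a small Python simulation. This is an added example written for this page, not code from the slides or from the GQ project; the Honeypot and Gateway classes, the per-source hit cap, and the constructed SPREAD:/CALLBACK: payload tags that stand in for actually executing a payload are all assumptions of the model.

```python
# Added example (not code from the slides or from the GQ project): a toy model
# of the honeyfarm gateway logic, written for this page. Names (Honeypot,
# Gateway, the SPREAD:/CALLBACK: payload tags) are assumptions chosen for the
# simulation; the real GQ gateway mediates actual packets between VMs.
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Honeypot:
    """A honeyfarm VM. In this model its behaviour is decided by constructed
    tags on the payload it receives, which stand in for executing it."""
    hp_id: int
    executed: list = field(default_factory=list)

    def run(self, payload: bytes):
        """Return the payload of an outbound attempt, or None if nothing leaves."""
        self.executed.append(payload)
        if payload.startswith(b"SPREAD:"):
            return payload                  # self-propagating: re-emits itself
        if payload.startswith(b"CALLBACK:"):
            return b"GET /update"           # one-shot call home, not a copy
        return None


class Gateway:
    """Mediates all honeypot traffic: filters inbound load, allocates VMs, and
    redirects outbound attempts back into the farm instead of the Internet."""

    def __init__(self, pool_size: int = 8, max_hits_per_source: int = 5):
        self.free = [Honeypot(i) for i in range(pool_size)]
        self.max_hits = max_hits_per_source
        self.hits = defaultdict(int)
        self.worms = {}          # sha256(payload) -> first 32 bytes, for reports
        self.dropped = 0
        self.redirected = 0

    def _allocate(self) -> Honeypot:
        if not self.free:
            raise RuntimeError("honeyfarm pool exhausted")
        return self.free.pop()

    def _release(self, hp: Honeypot) -> None:
        hp.executed.clear()      # stands in for re-imaging the VM
        self.free.append(hp)

    def inbound(self, src: str, dst: str, payload: bytes):
        """Dark-space traffic arriving from the Internet. Returns the worm
        digest if the two-hop rule fires, else None."""
        self.hits[src] += 1
        if self.hits[src] > self.max_hits:
            self.dropped += 1    # load-reduction filter: noisy source capped
            return None
        hp = self._allocate()
        try:
            return self._mediate(hp, payload, redirected_once=False)
        finally:
            self._release(hp)

    def _mediate(self, hp: Honeypot, payload: bytes, redirected_once: bool):
        attempt = hp.run(payload)
        if attempt is None:
            return None          # nothing tried to leave: not a worm
        self.redirected += 1     # never forwarded out; steered to another VM
        if redirected_once:
            # Traffic that was itself redirected tries to go outbound again:
            # the payload copies itself, so it is a worm.
            digest = hashlib.sha256(attempt).hexdigest()
            self.worms[digest] = attempt[:32]
            return digest
        peer = self._allocate()
        try:
            return self._mediate(peer, attempt, redirected_once=True)
        finally:
            self._release(peer)


def run_demo() -> dict:
    """Constructed scan events: a plain probe, a one-shot call-home, a
    self-copying payload, and a source that exceeds the per-source cap."""
    gw = Gateway(pool_size=4, max_hits_per_source=2)
    results = {
        "probe": gw.inbound("198.51.100.10", "dark-1", b"GET / HTTP/1.0"),
        "callback": gw.inbound("198.51.100.11", "dark-2", b"CALLBACK:bot"),
        "worm": gw.inbound("198.51.100.12", "dark-3", b"SPREAD:sample-x"),
    }
    for _ in range(3):       # third hit from one source is dropped
        gw.inbound("198.51.100.13", "dark-4", b"GET / HTTP/1.0")
    results["dropped"] = gw.dropped
    results["redirected"] = gw.redirected
    results["worm_count"] = len(gw.worms)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the script prints the summary for the four constructed cases. The call-home case is the one worth noticing: it produces one redirected outbound attempt, but the redirected traffic does nothing on the second honeypot, so it is not reported as a worm; only the payload that tries to leave again from the second honeypot is.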

SLIDE 34

Polymorphic Propagation (diagram)

  • On the wire: Decryptor | Encrypted Glob of Bits | Key, with the decryptor jumping into the body once it has decrypted it
  • In memory after decryption: Decryptor | Main Worm Code | Encryptor | Key
  • Once running, worm uses an encryptor with a new key to propagate
  • Next copy on the wire: Decryptor | Different Encrypted Glob of Bits | Key2