Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Vulnerability automation and Botnet "solutions" I expect to see this year
From: <cdejrhymeswithgay () hush com>
Date: Thu, 26 Oct 2006 09:28:16 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Tue, 24 Oct 2006 10:52:58 -0500 Gadi Evron <ge () linuxbox org>
wrote:
So, what I am going to talk about... A tad bit of history on
vulnerabilities and their use on the Internet, and then, what we
are going
to see on corporate, ISP and Internet security relating to botnets

this
coming year.

Vulnerabilities don't exist for the sake of vulnerabilities. They
are used
for something, they are a tool. Botnets are much the same, using
vulnerabilities on the next layer.

This past year we have seen how disclosed vulnerabilities, patched
vulnerabilities and 0days have been utilized by automated kits. An
inter-linked system of websites which download malicious code
(update the
kits), try to infect millions of users from just a couple dozen
main hubs,
and react to the environment.
If a certain vulnerability is seen to be more successful on
certain OS
types or if one is found to not work, the kit will be fixed
accordingly
and distributed. Often immediately after a patch Tuesday, likely
that same
Friday evening.

This way, income can be maximized with the number of infections,
data
stolen and thus ROI. Both from the expected response time of the
vendors
as well as how many victims can be reached in that window.

One such kit is Webattacker, which has recently been getting more
known in
public circles.

Where we are

That does it, botnets are mainstream. People did not yet
understand the
idea that software vulnerabilities facilitate an attack (=are not
the
attack) and botnets facilitate much the same, only on a different
level. I
will discuss that further after what interests everybody.

Solutions in the coming year!

First, many products in the industry have been implemented
successfully in
the past, just as solutions of necessity, not "products". Some
were
successful, some failed. Some (services) have been supplied to the

rich
and connected, some haven't.
Botnets are now main-stream, which means other lesser beings and
corporations want these services. They want to be protected in a
hostile
world. They realize the Internet is not a safe place, and plan
accordingly.

Services we will see more and more of:
*. Intelligence (very limited), showing IP addresses for botnet
command
and control (C&C) servers, which your computers may be connecting
to
(i.e. compromised).
*. Intelligence (very limited), showing IP addresses that you
control
which show in spam (meaning compromised hosts) or show in other
ways in
botnet data being collected. Mostly, this is spam-oriented and the

rest of
the intelligence is barely noticeable as of yet.
*. Intelligence (very limited) on the millions on millions of
credentials
(for sites, credit cards, banks, eCommerce systems, etc.) and
identities
being stolen every single day by massive phishing man-in-the-
middle trojan
horses.
*. Intelligence (very limited) other black listing services.

In the past, a limited version of these services was provided, but

very
secretly, and at a very high cost.

Products:

Botnet products on the network can either detect internal problems

(such
as bots on the corporate or ISP network or the spreading of
infections) or
external problems (such as C&C servers or attacks from the world).

These
can be based on behavior or intelligence.

Solutions, which we discussed in the past and are now going to
manifest:

Intelligence-based (until now only supplied by select groups to
select
groups) -
*. Known bad IPs. Etc. Much like in spam, only for other realms.
*. Known bad URLs or domain names. Etc. Much like in spam, only
for other
realms.

Detection -
*. IDS approach (decent but not even close to cutting it),
*. DNS monitoring approach (very cool, but is just one approach in

a
layered solution).
*. Netflow approach (proven for years now, only one approach,
however
useful, which is growing more limited every day).

Respond and quarantine -
*. Walled garden approach (close off/limit suspicious or confirmed
compromised computers until they clean themselves. NOt successful
in
current solutions, shows promise).
*. Try to fix the situation remotely (solve the vulnerabilities,
etc. ahead of time or remove after the fact).

There are several others, but these are the main ones describing
the 10 or
so products we are about to see (all of which are already
available
publicly as open source, privately developed tools or unsuccessful
solutions due to lack of client awareness and interest).

QoS, virtualization and half decent intelligence gathering will
come
next. Other solutions I will not waste breath speaking of right
now, they
will appear for public consumption once the effectiveness of the
solutions
above (or the better ones there) is done to dust.

What's next?

Decent, real decent, intelligence, and support response tools to
mitigate
what you find in conjunction with a response team trained to deal
with
thousands of real incidents rather than mark check-lists on a
couple an
hour to a couple a month. That's simply not being aware of what's
happening in your network.
Many of the CERTs and SOCs are very trained and high quality, they

are not
equipped or don't see what they need to react to nor in most cases

are
built to deal with this threat.

What's never going to happen?

With security done right, on a wide-scale, with a decent systems
design,
network, policy, monitoring and responce - a lot can be done and
0days can
also be avoided, even (and especially) with business concerns
being put
first.

Gadi Evron,
ge () linuxbox org 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

If Hitler was alive and a hacker, do you think your box would be
working, Gadi?
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkVAxgAACgkQsGS6s78KOsXp5gP8CIlcHIyTcYj8wDx+LMRuHnrIsCO2
N6ELTIQfGdwLBR+o57u41PHmurUdwcwiXChZ4W2Qz/p1NO+Js7rXETMYHRUW/hwv0Aos
KZN7RpCFH3PsS9fnPKljBEaWTDG6q+IoBvKI/+6V6M+s0jftHsPp6I6w9eiWf9TQ9tp7
tF9QnSg=
=WL6I
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault