Combating Buffer Overflows and Rootkits
BOUNCER by CoreTrace™
Defeats Cybercriminals

Buffer overflow + rootkit is the #1 combo meal on the cybercrime menu—
a buffer overflow provides the way in and a rootkit provides the way to stay in,
and invite some friends in too—and while an endpoint won’t get fries with that,
if it is not protected with Endpoint Security v2.0, it may get Trojans, keyloggers,
backdoors, installation routines, network sniffers, etc., (do be concerned with
what may be hiding in that etc.). The best part, and why this technique is so
popular, is that an endpoint is not aware that it has ingested anything.
Rootkits are a MacGyver-worthy mashup of Swiss Army knife + Hydra +
The Invisible Man—the best defense is a good offense was never more apropos.
Not only is it difficult to know that a rootkit has control of an endpoint, even if
known, it is not easily removed. The key to not allowing a rootkit to establish
itself in an endpoint, is to not allow a rootkit to establish itself in an endpoint—
just say no. The only way to do that is with Endpoint Security v2.0.



Contents
 1  Overview
 1  2008 Forward: Tornado Warning in Effect
      Inside the Cybercrime Tornado
      Seeding the Clouds
      Endpoint Security v1.0 vs. v2.0: Who’ll Stop the Rain?
 6  Cybercrime At-a-Glance
      Cybercrime Tools and Techniques
      Cybercrime Levels of Threat
11  Buffer Overflow + Rootkit
      Access Vector: Buffer Overflow Used to Inject Code
      Payload: Rootkit Used to Obtain and Retain Control
12  Endpoint Security v2.0
      Endpoint Security v1.0 vs. v2.0
      BOUNCER by CoreTrace™
15  Summary

June 2008

CoreTrace Corporation
6500 River Place Blvd., Building II, Suite 105, Austin, TX 78730
512-592-4100 | sales@coretrace.com | www.coretrace.com
BOUNCER by CoreTrace™



Overview
The road sign from information highway to Internet, computer geeks to script kiddies, hackers to cybercriminals, worms to rootkits, bragging rights to offshore accounts, and just recently, malware to malware‑as‑a‑service, points in a very clear direction—from caché to cash—from v1.0 to v2.0, follow the money…and hold on to your hats.

This paper reviews the nature of cybercrime, focusing on two sophisticated threats whose popular malicious combination—buffer overflow + rootkit—requires the immediate attention of IT security departments.

Buffer overflow + rootkit is the #1 combo meal on the cybercrime menu—a buffer overflow provides the way in and a rootkit provides the way to stay in, and invite some friends in too—and while an endpoint won’t get fries with that, if it is not protected with Endpoint Security v2.0, it may get Trojans, keyloggers, backdoors, installation routines, network sniffers, etc., (do be concerned with what may be hiding in that etc.). The best part, and why this technique is so popular, is that an endpoint is not aware that it has ingested anything.

Rootkits are a MacGyver-worthy mashup of Swiss Army knife + Hydra + The Invisible Man—the best defense is a good offense was never more apropos. Not only is it difficult to know that a rootkit has control of an endpoint, even if known, it is not easily removed. The key to not allowing a rootkit to establish itself in an endpoint, is to not allow a rootkit to establish itself in an endpoint—just say no. Currently, the only way to do that is with Endpoint Security v2.0.

This paper contrasts Endpoint Security v1.0 with Endpoint Security v2.0, and discusses why Endpoint Security v1.0’s centre cannot hold. Also discussed are Endpoint Security v2.0’s three core tenets—control what you know, control at the lowest possible level, and control transparently—that were leveraged to deliver BOUNCER by CoreTrace™, a unique v2.0 revolutionary 180°‑shifted approach to endpoint security. With BOUNCER‑secured endpoints, an IT security department can have complete confidence that when, not if, a rootkit attempts to establish itself on their endpoint, this zero‑day threat has zero time‑to‑live, as BOUNCER delivers the first knockout punch.(1)

      “Have you ever taken a moment to realize that the primary reason the information security industry even exists is because a noted lack of pedantic people both in the RFC world of the 1980s and the software engineering world up until the mid 1990s? Yes, there was actually a time where people did not consider the unexpected consequence of an unbounded strcpy().(3)”
                  – Jeff Nathan, Arbor Networks


2008 Forward: Tornado Warning in Effect
The criminal energy that permeates the Internet cloud has caused a steady rain of profit for the cybercrime industry since just before the turn of the millennium; however, all indications are that the Internet cloud is poised to turn into a supercell “with billions of dollars of revenue seeming to appear from out of nowhere”(2) and be funneled into the cybercriminals’ offshore accounts. The cybercrime industry is heading inside the tornado of hypergrowth and will enjoy huge profits at the world’s expense.

Unfortunately, the majority of the endpoint security industry that is in a position to stop the unprecedented cybercrime deluge of cash visible on the horizon (i.e., Endpoint Security v1.0 antivirus blacklist vendors) is too busy cashing in on the mutually-assured-to-be-profitable cyber arms race that they are in with the cybercrime industry to need to upgrade their weapons systems to Endpoint Security v2.0. The cyber arms race is a lucrative, never-ending cat‑and‑mouse game of virus release followed by antivirus update with dizzying rounds of races to the zero-day-threat finish line. Due to Endpoint Security v1.0’s reactive blacklisting strategy, it is running the cybercriminal’s race, so getting to the finish line first is simply not possible.(3)(4)

      “Loved by some, hated by others, rootkits can be considered as the holy grail of backdoors: stealthy, little, close to hardware, ingenious, vicious… Their control over a computer locally or remotely make them the best choice for an attacker.(4)”
                  – Mxatone and IvanLeFou, Phrack Magazine

(1) BOUNCER‑secured endpoints include PCs, servers, and embedded systems.
(2) Geoffrey A. Moore; Inside the Tornado; Harper‑Business; 2005; p 5.
(3) Jeff Nathan; It’s Our Party & We’ll Cry If We Want To…; Arbor Networks; August 9, 2006.
    (http://asert.arbornetworks.com/2006/08/it%e2%80%99s‑our‑party‑well‑cry‑if‑we‑want‑to/)
(4) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008.
    (http://www.phrack.com/issues.html?issue=65&id=4#article)



                 Combating Buffer Overflows and Rootkits                                                                                           1



Inside the Cybercrime Tornado
It’s the Wild West…and east, and north, and south—cybercrime is inherently global and tantalizingly lucrative. A virtual frontier of opportunity targets combined with low barriers to entry, low risk of capture and conviction, and high earning potential is the risk/reward scenario that is fueling the cybercrime industry’s explosive growth rate.

The cybercrime business model has matured and, borrowing the language from Geoffrey Moore’s best‑selling business‑strategy books—Crossing the Chasm and Inside the Tornado—it has crossed the chasm and is headed inside the tornado characterized by hypergrowth.(5) Read the excerpt below from Inside the Tornado in the context of the cybercrime juggernaut; does any of it sound familiar?

      “Such are the market forces generated by discontinuous innovations, or what more recently have been termed paradigm shifts…For a long time, although much is written about the new paradigm, little of economic significance happens…But…there comes a flash point of change when the entire marketplace…shifts its allegiance from the old architecture to the new.

      “This sequence of events unleashes a vortex of market demand. Infrastructure, to be useful, must be standard and global, so once the market moves to switch out the old for the new, it wants to complete this transition as rapidly as possible. All the pent‑up interest in the product is thus converted into a massive purchasing binge…Companies grow at hypergrowth rates, with billions of dollars of revenue seeming to appear from out of nowhere.

      “Nowhere has the tornado touched down more often in the past quarter-century than in the computer and electronics industry…New products, designed to the new performance vectors, incorporate software that simply blows away the old reference points…

      “…showing how companies can align themselves with these forces to win market leadership positions, we shall see a disconcerting pattern assert itself repeatedly:

                  The winning strategy does not just change as we move from stage to stage, it actually reverses the prior strategy.

      “That is, the very behaviors that make a company successful at the outset of the mainstream market cause failure inside the tornado and must be abandoned. And similarly what makes companies successful in the tornado causes failure and must be abandoned once that phase of hypergrowth is past. In other words, it is not just the strategies themselves that are cause for note but also the need to abandon each one in succession and embrace its opposite that proves challenging.”(6)

      “…chief security officer at British Telecom’s global financial services division… tells us that as long as the risk of getting caught is so low and the reward so great, the number of attacks is bound to keep climbing. He calls this “the mathematics of toast,” as in companies who aren’t prepared for an influx of attacks are pretty much toast.(8)”
                  – The Wall Street Journal Business Technology Blog

      “The AFCC recently traced a new service… offering access to a bullet-proof hosting server with a built-in Zeus trojan administration panel and infection tools... the service includes all of the required stages in a single package, so you just have to pay for the service, then access the newly hired Zeus trojan server, create infection points and start collecting data… mirroring legitimate security vendor offerings—security-as-a-service… malware-as-a-service.(9)”
                  – Andrew Hendry, PC World

Reversing Strategies
It is interesting to note that the cybercrime industry’s leap across the chasm was symbolically marked in February 2008 by the disbanding of the infamous, old school VXer (virus writer) group 29A. So if we are not in Kansas anymore, then where are we?—put another way, if “29A has left the building!”(7) who are its current tenants?

      “The shutters are being pulled down on old school virus writers’ group 29A.(8)(9)

(5) Geoffrey A. Moore; Crossing the Chasm; HarperCollins; 2002; and Inside the Tornado; HarperCollins; 2004.
(6) Geoffrey A. Moore; Inside the Tornado; HarperCollins; 2004; pp 4–5 and 10.
(7) VirusBuster/29A’s departing words posted on home page of 29A Labs; February 2008.
    (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website.
    http://vx.org.ua/29a/main.html)
(8) The Wall Street Journal Business Technology Blog; Electronic Crime Really Does Pay; November 2, 2007.
    (http://blogs.wsj.com/biztech/2007/11/02/electronic-crime-really-does-pay/trackback/)
(9) Andrew Hendry; Wannabe Hackers Can Now Rent‑a‑Botnet; PC World; May 15, 2008.
    (http://www.pcworld.com/businesscenter/article/145931/wannabe_hackers_can_now_rentabotnet.html)






      “29A, hexadecimal for 666, is an underground VXer collective known for creating the first Win 2000 virus, the first 64bit virus, and early examples of mobile malware that infected devices such as PDAs.

      “…other less well known VXer groups are dying the death, a development symptomatic of changes in the malware market. Profit has replaced mischief, intellectual curiosity, or a desire to make a name for yourself as the motive for creating malware.

      “Traditional virus writers have drifted away from the scene to be replaced by more shadowy coders creating sophisticated Trojans aimed at turning an illicit profit. Enforcement action against virus writers has acted as a further disincentive for hobbyists, at least.

      “Instead of getting proof of concept malware from the likes of 29A, we’re dealing with the Storm Worm Trojan and other sophisticated “professionally developed” botnet clients.”(10)

By any measure, the cybercrime industry has crossed the chasm from v1.0 to v2.0—combating v2.0 cyberattacks with a v1.0 arsenal is a Maginot-line strategy that will never lead back to Kansas. The road map back to Kansas is provided by Geoffrey Moore: “The winning strategy does not just change as we move from stage to stage, it actually reverses the prior strategy.”(11)

As the VXers crossed the chasm, following behind, as always, were the AVers (antivirus researchers), weighed down by Endpoint Security v1.0 (a reactive, inherently flawed, ineffective, and bloated blacklisting strategy). What is required to defeat cybercriminals is a “reversal of the prior strategy”—a unique v2.0 revolutionary 180°-shifted approach to endpoint security.

What is required is BOUNCER by CoreTrace™, the Endpoint Security v2.0 solution that cuts the zero-day-threat-finish-line Gordian knot.

      “If you dig a bit on AV world, you will discover AVers are not a happy family… in some cases they hate more other AVers than VXers… Less known are the fights for the conquer of the AV market between companies…there is a new fight in the AV world: The number of detected virii war!…“my product detects the 100% of virii”…If that’s not a trick…what’s it?…It means that from a collection of 7,000 source codes, you could create an antivirus with 12,000 - 14,000 signatures. Then you run…similar virus constructions kits and you reach 20,000 signatures. You only need to inflate the numbers a bit and…TAAAAACHAN!!!!!!! You have a top eleet antivirus! Pathetic but that’s what it’s happening.(12)”
                  – VirusBuster/29A, 29A Labs

Seeding the Clouds
Buffer overflow + rootkit is a handy combination for a v2.0 cybercriminal—a buffer overflow provides the way into an endpoint and a rootkit provides the way to stay in an endpoint for as long as possible. A rootkit’s ability to mask its presence and its activities makes it very difficult to detect, thereby maximizing profit for each established rootkit and providing excellent ROI for v2.0 cybercriminal businesses.

Buffer Overflows
Buffer overflow vulnerabilities exist because software code is written without input validation on every instance and method of input into the software application. Code injection uses software errors to inject code into programs already running on an endpoint. The most common method of code injection, and one of the most difficult to stop, is via buffer overflow, where input longer than the buffer can hold is written past the end of a legitimate buffer, carrying code that runs whatever the cybercrime business wants.
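The defect class the Buffer Overflows paragraph describes, shown as an added example that is not code from the CoreTrace paper: a fixed-size copy with no input validation beside the bounded version that rejects oversized input and fails closed. Function and buffer names (copy_name_unchecked, copy_name_bounded, accept_name, NAME_BUF_SIZE) are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the CoreTrace paper; names are illustrative.
 * copy_name_unchecked() shows the defect: a fixed-size buffer filled from
 * untrusted input with no length check. copy_name_bounded() is the same
 * operation with the validation that turns an overflow into a rejected input.
 */

#define NAME_BUF_SIZE 16

/* Vulnerable form: strcpy() copies until it finds the terminating NUL,
 * regardless of how much room 'name' has. Any input of NAME_BUF_SIZE bytes
 * or more writes past the end of the buffer (undefined behaviour) and
 * overwrites whatever follows it in memory. Returns the bytes copied so a
 * caller can see that nothing stopped the copy.
 */
size_t copy_name_unchecked(char *name /* NAME_BUF_SIZE bytes */, const char *input)
{
    strcpy(name, input);               /* no bounds check: the defect */
    return strlen(name);
}

/* Hardened form: validate the length before touching the buffer and fail
 * closed. Returns 0 on success and -1 when the input does not fit. On
 * rejection the destination is left as an empty, NUL-terminated string so
 * a caller can never read partial or stale data from it.
 */
int copy_name_bounded(char *name, size_t name_size, const char *input)
{
    const char *nul;
    size_t len;

    if (name == NULL || name_size == 0 || input == NULL)
        return -1;
    name[0] = '\0';

    /* Look for the terminator only within the room we actually have;
     * C guarantees memchr() stops at the first match, so a short input
     * is never read past its own NUL. */
    nul = memchr(input, '\0', name_size);
    if (nul == NULL)                   /* no NUL inside name_size bytes: too long */
        return -1;
    len = (size_t)(nul - input);       /* len <= name_size - 1, so NUL fits */
    memcpy(name, input, len + 1);      /* copy includes the terminator */
    return 0;
}

/* Wrapper with a fixed local buffer so callers can exercise the hardened
 * path without managing storage themselves.
 */
int accept_name(const char *input)
{
    char name[NAME_BUF_SIZE];
    return copy_name_bounded(name, sizeof name, input);
}

int main(void)
{
    const char *ok = "alice";                             /* constructed: fits */
    const char *too_long = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";  /* constructed: 26 bytes */
    char name[NAME_BUF_SIZE];

    printf("bounded(\"%s\")  -> %d\n", ok, copy_name_bounded(name, sizeof name, ok));
    printf("bounded(26 bytes) -> %d\n", copy_name_bounded(name, sizeof name, too_long));

    /* The unchecked routine is only ever called with input that fits here;
     * handing it 'too_long' would corrupt the stack frame of main(). */
    printf("unchecked(\"%s\") -> %zu bytes copied\n", ok, copy_name_unchecked(name, ok));
    return 0;
}
```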
Rootkits
Rootkits are a collection of tools and utilities that allow a cybercriminal to hide the rootkit’s own presence and all of its activities, as well as provide a way to keep a backdoor open to the system for return visits. The extent and nature of activities a rootkit is able to perform and hide depend on the type of rootkit. There are many types of rootkits including user‑mode, kernel‑mode, kernel‑mode data structure manipulation, and process hijacking. While all rootkits are problematic, kernel‑based rootkits are especially insidious.(12)(13)

      “A buffer overflow is the result of stuffing more data into a buffer than it can handle. How can this often found programming error can be taken advantage to execute arbitrary code?…Writing an Exploit (or how to mung the stack)…(13)”
                  – Aleph One, Phrack Magazine

(10) John Leyden; Infamous malware group calls it quits; Channel Register; March 7, 2008.
     (http://www.channelregister.co.uk/2008/03/07/29a_rip/)
(11) Geoffrey A. Moore; Inside the Tornado; HarperCollins; 2004; p 5.
(12) VirusBuster/29A; The number of detected virii war; 29A Labs; zines; Issue 4; 2001.
     (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website.
     http://vx.netlux.org/29a/29a‑4/29a‑4.232)
(13) Aleph One; Smashing The Stack For Fun And Profit; Phrack Magazine; Issue 49; November 8, 1996.
     (http://www.phrack.com/issues.html?issue=49&id=14#article)






Endpoint Security v1.0 vs. v2.0: Who’ll Stop the Rain?
Cybercriminals are well armed and well motivated, so how can an organization protect itself?

Businesses invested $9.4 billion in IT security software in 2007;(14) clearly, increased spending on ineffective Endpoint Security v1.0 products will not stop the cybercrime tornado.

Endpoint Security v1.0
Endpoint Security v1.0 strategy has been to identify malware and keep it out (i.e., blacklisting). In this zero‑day‑threat world, blacklisting’s reactive strategy (it is dependent on timely signature updates) is inherently flawed and no amount of multi-layering or heuristics can save it. In effect, blacklisting surrenders control to the cybercriminals, handing them the first-strike advantage. Moreover, if the first strike is delivered by a stealth bomber (buffer overflow code injection) that happens to drop a kernel-based rootkit payload, Endpoint Security v1.0 technology is unaware that an attack has occurred and the compromised system is literally open for business.

      “Today’s threats are created by a commercial malware industry which has developed quickly and which has access to some billion-dollar resources… Some vendors have switched…to daily, or even half-hourly updates…The average size of the signature databases has at least doubled and in some cases tripled within the last 18 months. The trend seems to be clear: more updates and more signatures, and with them longer scan times, higher memory consumption, higher false positive rates and the like.(15)”

Endpoint Security v2.0
Fortunately, the majority of cyberattacks can be defeated if the right approach is taken defending the IT network—by necessity, that is Endpoint Security v2.0, whose revolutionary 180°‑shifted approach starts by turning v1.0 blacklisting on its head and proceeds from there.

Note the phrase, starts by turning v1.0 blacklisting on its head and proceeds from there. Endpoint Security v2.0 strategy is to only allow authorized code to execute (i.e., whitelisting), so even if malware gains access to a system, it cannot execute and is neutralized—that’s the short answer. For security reasons, the details in the execution of that strategy are as important as adopting the strategy.

Endpoint Security v2.0 is predicated on three core tenets: control what you know, control at the lowest possible level, and control transparently. To be considered a true Endpoint Security v2.0 solution, the security features shown in Table 1 must be present.

Beware of any endpoint security solution claiming to be a v2.0 solution that merely exchanges one list for another. While a whitelist‑based solution is superior to a blacklist‑based solution
                                                                                                                                 – Andreas Marx
because it is proactive vs. reactive, a true Endpoint Security v2.0 solution uses a whitelist                                        av‑test.org
of fingerprints customized for each endpoint; thereby, limiting the entries to programs
installed on each endpoint vs. a centralized database of all programs. Additionally, a true
Endpoint Security v2.0 solution automatically generates the customized whitelist for each
endpoint in a controlled environment to ensure that it is not compromised. Further, a true
Endpoint Security v2.0 solution provides an efficient whitelist updating capability that does not
place a burden on the IT administrative staff.
The specious solution that has merely exchanged one list for another is only a 90°-shifted
solution, and it has only reached v1.1—or rather, the whitelist is a behemoth one-size-fits-all-
let’s‑hope‑the‑list‑isn’t‑hacked centralized database of all authorized programs that somehow

                                                                                                                     “
has to be mapped to each specific endpoint.
                                                                                                                       Even if the
Walk away from these going-in-the-right-direction-but-didn’t-quite-make-it v1.1 half-solutions or                      technology used
else the weight of this solution and attendant administrative burden and security risks will come                      by rootkits are
crashing down on your CPUs and valuable IT staff.(15)(16)                                                              more and more
                                                                                                                       sophisticated,
                                                                                                                       the underground
                                                                                                                       community is still
                                                                                                                       developing POCs
                                                                                                                       to improve current
                                                                                                                       techniques.(16)

(14) Gartner; Press Release: Gartner Predicts Worldwide Security Software Revenue to Grow 11 Percent in 2008;            – Mxatone and IvanLeFou
     April 22, 2008. (http://www.gartner.com/it/page.jsp?id=653407)                                                              Phrack Magazine
(15) Andreas Marx; Malware vs. Anti‑Malware: (How) Can We Still Survive?; Virus Bulletin; February 2008.
     (http://www.av-test.org/down/papers/2008-02_vb_comment.pdf)
(16) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65;
     April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)
Table 1. Endpoint Security v2.0: Security Features
(each feature is mapped to the three tenets: Control What You Know / Control From the Lowest Possible Level / Control Transparently)

 • Only authorized programs allowed to execute
 • Authorized programs fingerprinted to create a unique three-factor integrity check
       • File digest (SHA-1 hash)
       • File location (pathname)
       • File size
 • Whitelist of fingerprints customized for each endpoint—entries limited
   to programs installed on an endpoint
       • Automatically generates customized whitelist in a controlled environment
       • Ease-of-use whitelist updating procedure
 • Digital certificates used for authentication
 • Enforcement from within the kernel
 • Entry points to the OS securely wrapped
       • Prevents direct kernel memory read and write from user space
       • Monitors and reacts to memory modification
       • Provides a complete IPsec infrastructure

    “ …review on Windows Vista only included ‘pure’ anti-virus programs. The tools were last
      updated and frozen on 2 October 2007. To our surprise, the detection rate of inactive
      samples reached just 90% on average, even though most of the rootkits used were
      released during 2005 and 2006. Only four of the six installed rootkits could be detected
      by an average tool and the cleaning rate was even lower with 54%.(17)
                                                          – Andreas Marx and Maik Morgenstern, av‑test.org

    “ The greatest strength of BOUNCER’s technology is that it protects unpatched
      vulnerabilities from exploitation, effectively neutralizing zero-day threats.

(17) Andreas Marx and Maik Morgenstern; Anti‑Stealth Fighters Testing for Rootkit Detection and Removal;
     Virus Bulletin; April 2008. (http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf)
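The three-factor fingerprint of Table 1 (SHA-1 digest, pathname, file size) and a per-endpoint whitelist built from it, as an added example that is not CoreTrace's or BOUNCER's code; the file names, the order in which the factors are checked and the deny reasons are assumptions made for this illustration.

```python
# Added example: per-endpoint whitelist from the three factors in Table 1
# (SHA-1 digest, pathname, size) and an allow/deny check naming the failed factor.
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """One whitelist entry: the three factors the table lists."""
    digest: str   # SHA-1 of the file contents, hex (SHA-1 is what the page specifies;
                  # a new deployment would choose SHA-256)
    path: str     # canonical absolute pathname (location factor)
    size: int     # file size in bytes


def fingerprint(path: str) -> Fingerprint:
    """Compute the three factors for a file on disk, hashing in chunks."""
    real = os.path.realpath(path)  # pin the location factor to one canonical path
    h = hashlib.sha1()
    size = 0
    with open(real, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return Fingerprint(h.hexdigest(), real, size)


def build_whitelist(paths: list) -> dict:
    """Baseline step: fingerprint every installed program on this endpoint.
    Run on a known-clean image so that the list itself is trustworthy."""
    return {fp.path: fp for fp in map(fingerprint, paths)}


def check_execution(path: str, whitelist: dict) -> str:
    """Enforcement decision for a program about to execute.
    Returns 'allow' or 'deny:<factor>' for the first factor that fails
    (assumed order: path, then size, then digest)."""
    real = os.path.realpath(path)
    expected = whitelist.get(real)
    if expected is None:
        return "deny:path"      # location factor: nothing authorized at this path
    actual = fingerprint(real)
    if actual.size != expected.size:
        return "deny:size"      # cheap factor, checked before comparing digests
    if actual.digest != expected.digest:
        return "deny:digest"    # contents changed although the size still matches
    return "allow"


def demo() -> list:
    """Constructed scenario: one authorized program, then three tampering cases."""
    root = tempfile.mkdtemp()
    try:
        prog = os.path.join(root, "app.exe")
        with open(prog, "wb") as f:
            f.write(b"MZ" + b"A" * 100)             # constructed stand-in for a binary
        wl = build_whitelist([prog])
        results = [check_execution(prog, wl)]        # unchanged program: allow

        copy = os.path.join(root, "app_copy.exe")    # identical bytes, other location
        shutil.copyfile(prog, copy)
        results.append(check_execution(copy, wl))   # deny:path

        with open(prog, "r+b") as f:                 # one byte flipped, size unchanged
            f.seek(10)
            f.write(b"B")
        results.append(check_execution(prog, wl))   # deny:digest

        with open(prog, "ab") as f:                  # appended bytes change the size
            f.write(b"\x90" * 8)
        results.append(check_execution(prog, wl))   # deny:size
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # ['allow', 'deny:path', 'deny:digest', 'deny:size']
```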
Cybercrime At-a-Glance
The supercell cloud that will spawn the tornado of hypergrowth and huge profits for the cybercrime
industry contains all of the cybercrime business segments. Cybercriminals target specific
organizations at times; however, they are opportunists and collect rainfall whenever and wherever
they can. Table 2 provides an at‑a‑glance view of some of their activities.(18)(19)(20)(21)(22)(23)(24)(25)

Table 2. Cybercrime at-a-glance

 • AV-Test.org(18)                                        2005          2006          2007
     • MD5-unique malware samples                       333,000       972,000     5,490,000
     • Unique AV updates in 45 AV products              111,566       134,484       148,869
     • Total size of AV updates in 45 AV products        520 GB        1.0 TB        1.6 TB
 • Chances of becoming a cybervictim(19)                 • 1 in 4 US citizens (2007)
 • Cybercriminal chances of getting convicted(20)        • 1 in 7,000, although it could be as low as
                                                           1 in 600,000
 • Identity fraud victims(21)                            • 8.4 million US citizens (2007)
                                                         • Total fraud of $50 billion
                                                         • Victims spend 25 hours (avg.) to resolve case
 • Identity theft cost to consumers and businesses(21)   • $49.3 billion (2007)
 • Stolen identity value to cybercriminal(19)            • $14–$18 per identity (2006)
 • Newly activated zombies(22)                           • 355,000 per day (1Q 2008)
 • Spam levels of all e-mail(22)                         • 60%-94% (1Q 2008)
 • Spam sent from zombies(23)                            • 80% (1Q 2008)
 • Botnet uses(23)                                       • #1 Use: Sending spam
                                                         • #2 Use: DDoS attack
                                                         • Other ways to make money: sell or lease botnet
 • Top spam-sending countries(24)                          United States           33.03%
   12 Months View (06/03/07–06/03/08)                      Russian Federation       5.64%
                                                           Germany                  5.47%
                                                           United Kingdom           4.29%
                                                           China                    3.78%
                                                           Other                   47.79%

    “ Just like legitimate businesses, cyber criminals today are trying to put themselves
      front-and-center on millions of computer screens. “The attackers are now following the
      same path that businesses have, in trying to advertise themselves in their own special
      way on the more popular Web sites,” says Tom Liston, who works with SANS Internet Storm
      Center…They’re doing exactly what every business tries to do, which is to find innovative
      ways get themselves out in front of as many eyeballs as possible…(25)
                                                          – Martha Neil, ABA Journal

(18) Andreas Marx; Malware vs. Anti‑Malware: (How) Can We Still Survive?; Virus Bulletin; February 2008.
     (http://www.av-test.org/down/papers/2008-02_vb_comment.pdf)
(19) www.consumerreports.org; Net threats: Why going online remains risky; September 2007.
     (http://www.consumerreports.org/cro/electronics‑computers/computers/internet‑and‑other‑services/net‑threats‑9‑07/
     overview/0709_net_ov.htm)
(20) Ben Worthen; Laws Go Soft on Hackers; The Wall Street Journal Business Technology Blog; February 22, 2008.
     (http://blogs.wsj.com/biztech/2008/02/22/laws‑go‑soft‑on‑hackers/trackback/)
(21) Javelin Strategy and Research; Press Release: Group Imagines ‘Ideal’ Credit Card; May 27, 2007.
     (http://www.javelinstrategy.com/2008/05/27/group‑imagines‑ideal‑credit‑card/)
(22) Commtouch Software; Q1 2008 Email Threats Trend Report: Zombies Depend on the Kindness (and IT Resources)
     of Others; April 7, 2008. (http://www.commtouch.com/site/Resources/documentation_center.asp)
(23) Vitaly Kamluk; The botnet business; viruslist.com; May 13, 2008.
     (http://www.viruslist.com/en/analysis?pubid=204792003)
(24) Commtouch Software; Top Spam‑Sending Countries; 12 Months View; June 3, 2008.
     (http://www.commtouch.com/Site/ResearchLab/statistics.asp)
(25) Martha Neil; Cyber Crime Does, Increasingly, Pay; ABA Journal; December 20, 2007.
     (http://www.abajournal.com/news/cybe_crime_does_increasingly_pay/)
Cybercrime Tools and Techniques
Cybercrime is a global industry with low start‑up costs and, ironically, unless typing into a
web form is considered a computer skill, no computer skills are necessary. Cybercriminals form
a well‑integrated community that shares and trades information, and they have many tools and
techniques at their disposal, which are discussed below.

•    Writing Viruses—A brilliant virus writer can make a decent living working at home and
     selling new malicious tools online to the highest bidder. Even the less brilliant virus writers
     can earn a living. There are many places on the web where cybercriminals post source
     code for new viruses for other people to use. There is no law against doing so, which
     means that anyone can download source code for a virus, modify it, and then send it out to
     do its work. Analysis of widely circulated viruses of the past five years shows that sections
     of them were copied from earlier viruses.

•    Discovering Vulnerabilities—Cybercriminals research diligently to find new ways to
     break into endpoints, particularly those running Windows®. Discovering vulnerabilities is
     rewarding because they can auction new exploits on the Internet (see Figure 1).

    “ If you make these steps the NT box is opened for everyone… Even if you don’t plan to
      write NT viruses at least add to your babes a code for adding SeDebugPrivilege to
      Everyone. Then it makes for another viruses easier to infect the machine - remember your
      fellow coders too :))).(26)
                                                          – Ratter/29A, 29A Labs

     Figure 1. Vulnerabilities are for sale on the Internet

•    Developing Software—Cybercriminals run software development businesses for software
     products such as collections of exploits for breaking into endpoints and utilities to use
     once access is gained (such as remote control capabilities and keyloggers). They sell the
     software online using the same marketing and customer support techniques as mainstream
     software companies, such as segmentation into software editions, and offering product
     support and product upgrades (see Figure 2).(26)

(26) Ratter/29A; Gaining passwords; 29A Labs; zines; Issue 6; 2002. (This URL is for informational purposes;
     we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a‑6/29a‑6.225)
    “ That’s how the war between rk[rootkit]-makers and anti-rk-junkies began, trying to find
      the best way, the best area, for hooking critical operating system features…In the wild
      the rk are used most of the time for lame mail spamming or botnets.(28)
                                                          – Mxatone and IvanLeFou, Phrack Magazine

     Figure 2. Professionally marketed malware kits are for sale on the Internet

•    Build Attack Environments—Script kiddies are teenagers without the engineering talent
     to carry out sophisticated attacks, but who can acquire powerful software tools online and
     buy the capability to assemble attack environments. To get started, all that is needed is a
     comprehensive hacker software development kit (SDK) that costs about $320 (see Figure 3)
     and a few viruses to sprinkle into the Internet. Virus source code can be downloaded for
     free, but specific viruses that are guaranteed to get past Endpoint Security v1.0 products
     like McAfee® Active VirusScan®, Norton Antivirus, Kaspersky® Anti‑Virus, etc., are for sale
     on the Internet (see Figure 4). With a budget of $1,000 to $5,000, Trojans are available that
     are purposely built to steal credit card data and e-mail it to a specific address.

             “It’s comforting to know, should you want to become a Black Hat, that the
             barriers to entering the trade are much lower now. It’s true that you’ll never
             become a “legendary Black Hat” if you can’t cut a little C++ code. Nevertheless,
             out there on the Internet there are web sites where you can buy fully functional
             software for launching exploits that others have written for you. Yes, there are
             indeed hacker‑devoted software products freely available for purchase by
             anyone capable of installing software. $200 or so should buy you something
             useful (including updates).”(27)(28)(29)

    “ A notorious malware gang that rented out botnets by the hour has resurfaced after
      being knocked off line two months ago by a rival band of criminals…The gang came to
      prominence by renting out a botnet that fellow online criminals could use to install
      and maintain their malware. In October, it boasted more than 35,000 infected
      machines…Prices ranged from $110 to $220 per thousand infections depending on where
      they were located. The group was taken offline in January following a DDoS attack by a
      rival gang wielding a Barracuda botnet.(29)
                                                          – Dan Goodin, Channel Register

     Figure 3. Malware SDKs are for sale on the Internet

(27) Robin Bloor; 10 reasons why the Black Hats have us outgunned; The Register; June 13, 2007.
     (http://www.theregister.co.uk/2007/06/13/black_hat_list/)
(28) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65;
     April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)
(29) Dan Goodin; Rent‑a‑bot gang rises from the DDoS ashes; Channel Register; March 13, 2008.
     (http://www.channelregister.co.uk/2008/03/13/loadscc_rises_again/)
     Figure 4. Malware to avoid detection by specific Endpoint Security v1.0 vendors
               is for sale on the Internet

•    Assemble or Rent Botnets—Cybercriminals assemble botnets (i.e., networks of
     compromised endpoints) to amass a huge amount of highly distributed power to use in
     their activities. If they assemble a large number of endpoints, they can rent them out for
     about $0.20 per endpoint per day. Remarkably, botnets of more than one million endpoints
     have been assembled.
     Botnets are not without maintenance, though: as owners discover and clean compromised
     endpoints, the botnet needs replenishment. The cybercriminals use the botnet to send out
     Trojan viruses that open a backdoor into an endpoint, allowing the cybercriminal’s scanning
     software to gain access and add it to the botnet.
     The botnet industry is well‑developed, offering low start‑up costs and easy implementation.
     Botnets are now a turnkey business with one‑stop shopping for all the essentials:
     bot software; anonymous hosting services to set up a command and control (C&C) center
     (complete with support and a guarantee that log files are inaccessible to law enforcement);
     and ready-to-use botnets. Additionally, the software installation of a C&C center only
     requires the new entrepreneur to fill in a few form fields.
•    Spamming—There are a host of different spam scams: from phishing for financial
     information, to 411 lottery scams, to the share tip scam, to direct ads for pharmaceuticals,
     insurance, and porn (e‑mail addresses from replies received are sold as sales leads).
     Spamming is illegal in many countries, but spamming operations cannot be easily or
     reliably traced, so this commercial arrangement persists.
•    Running Websites—Cybercrime‑run websites may provide Trojans in the guise of free
     computer games or pornography, or malware disguised as music or video files; or they may
     directly attempt to infect an endpoint upon access (known as a drive‑by download). Some
     websites are spoof sites pretending to be banks or retailers. Cybercrime businesses drive
     traffic to their websites through mass e-mail campaigns, by changing information in
     an endpoint’s browser, or by invading domain name servers and altering their reference
     information.
•    Stealing Identities—What’s a cybercriminal to do with a stolen file of thousands of credit
     card records? Rather than try to exploit it on their own, cybercriminals sell the data for
     around $14–$18 per credit card record, or around $500 if the PIN number is also obtained.
     In addition to selling credit card information, cybercriminals sell data from US Social
     Security cards, birth certificates, bills/invoices, and driver’s licenses—all of which can be
     used to set up fraudulent bank accounts.(30)

     “bro this are from my spam… super fresh… I will spam more... spammed like hell… used 7 remote
     desktops and 13 smpt servers… 5 root…sent over 1.3 million emails.(30)
     – Thomas Claburn, InformationWeek




(30) Thomas Claburn; International Cybercrime Ring Busted; InformationWeek; May 19, 2008.
     (http://www.informationweek.com/story/showArticle.jhtml?articleID=207801060)






•    Providing Independent Contracting/Consulting Services—Legitimate businesses hire
     cybercriminals to damage the competition. There is no way to tell whether a virus attack
     or a denial of service (DoS) attack has a third-party sponsor, but if intellectual property
     is stolen, a competitor may be the sponsor. The Russian Business Network is the most
     famous cybercriminal business and it is for hire; it is rumored that its software engineering
     expertise is so great that governments hire its services.
     On the other side of the fence, there are ethical‑hacker consultancies that are hired to
     attack a network to test its security level. Banks regularly hire ethical hackers, known as
     white‑hat hackers, to fortify their security, but few other organizations do.
•    Covering Their Tracks—The only link that ties a cybercriminal to an attack is communication
     from an endpoint that they own to their botnets, so if they communicate via public WiFi
     they are very difficult to trace. Furthermore, cybercriminals prefer to attack on foreign soil
     because they are much less likely to get caught, as it is very difficult for national police
     forces to work together even if evidence surfaces of who is behind specific attacks.
•    Banking Offshore—Cyberextortion pays well, and typically offshore accounts in the
     Cayman Islands are used to pass the money through. Ransom fees paid to end a DoS
     attack typically range from $10,000 to $50,000 depending on the size of the company
     under attack.

CYBERCRIME LEVELS OF THREAT

There are three cybercrime threat levels that IT security measures need to address:
background noise, opportunistic attacks, and focused attacks. While companies need to combat
background noise, the real threats are opportunistic attacks and focused attacks.

Background Noise
Background noise is the aggregation of all automated attempts by cybercriminals to gain
access to endpoints across the world; it subverts hundreds to thousands of endpoints daily.
When an endpoint connects to the Internet, an attempt to gain access to it happens within seconds.
Cybercriminals have scanners that sweep specific Internet address ranges looking for
known access points such as compromised endpoints (i.e., endpoints with open backdoors
created by a virus) to add to their botnet. Consequently, some endpoints belong to more than
one botnet.

Opportunistic Attacks
Just like all other IT managers, a cybercriminal tries to maintain a nonvolatile, reliable network,
or in this case botnet, and a cybercriminal will put great effort into making network penetration
difficult to detect.
The endpoints subverted through background‑noise activities may include a business endpoint
that is valuable to a cybercriminal if it has resources such as high‑bandwidth Internet connections.
The goal is to take control of resources and use compromised endpoints as spam generators,
rent them out, or set up transient websites on them. Instances of cybercriminals running
spam broadcast sessions overnight from corporate endpoints, when the company’s network is
less active, have gone undiscovered for months.
A cybercriminal may load a keylogger on a compromised endpoint to catch a password from
the keyboard and use it to rifle the local e-mail file for e-mail addresses, or use the local search
capability to locate personal financial information.
There is an increase in establishing rootkits on compromised endpoints because a rootkit is a
cybercriminal’s most reliable means of retaining control of an endpoint even after attempts
have been made to clean it of all malware.(31)

     “Malware is becoming more and more complex every day. The number of newly discovered
     malware samples is skyrocketing, but that’s not the only challenge for the AV industry. In most
     cases, we’re looking at malware that is built in a modular way, with plug-ins that support new
     features such as hiding the malware’s presence from the user and from AV products. While it
     is easy for a good signature-driven product to find a known sample that has not yet been
     activated, it is becoming increasingly challenging to detect the sample once it is running and
     trying to hide itself and other malicious components. On the Windows platform the hidden
     objects usually include services and processes, registry keys and values, as well as directories
     and files.(31)
     – Andreas Marx and Maik Morgenstern, av‑test.org



(31) Andreas Marx and Maik Morgenstern; Anti‑Stealth Fighters Testing for Rootkit Detection and Removal;
     Virus Bulletin; April 2008. (http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf)






Focused Attacks
Focused attacks are clearly the worst threat. In a focused attack, cybercriminals target
a specific IT network with the intent to cause disruptive damage, steal data, compromise
intellectual property, or perpetrate some kind of fraud. An additional aspect of focused attacks
is that the cybercriminal will take their time and slowly compromise systems, resulting in an
attack that is extremely hard to detect.
Commonly in focused attacks, cybercriminals have the help of a malicious insider
who may provide information on security products and how the IT network is configured,
provide passwords, or open a backdoor into the network. Because few organizations keep
comprehensive endpoint‑activity logs, it’s hard to prove whether a malicious insider was
involved in an attack; however, it is probable in cases where the cybercriminals know exactly
how to pull off a sophisticated computer fraud or exactly which data files to steal.

     “In fact, the malicious insider sounds like some sort of bogeyman to hear these security
     pros talk about it. But lest you think the threat is more imagined than real, consider that
     among companies that experienced a data breach in 2006, 23% said the culprit was an
     insider, according to a survey by the Computing Technology Industry Alliance.(32)
     – Ben Worthen, The Wall Street Journal Business Technology Blog

BUFFER OVERFLOW + ROOTKIT

Buffer overflow + rootkit is a very popular malicious combination that is providing sustained
revenue streams for the cybercrime industry and is fueling the cybercrime industry’s
hypergrowth stage inside the tornado.

ACCESS VECTOR: BUFFER OVERFLOW USED TO INJECT CODE
Code injection uses software errors to inject code into programs already running on an endpoint.
The most common method of code injection, and one of the most difficult to stop, is the
buffer overflow, where code is injected past the end of a legitimate buffer to run a cybercriminal’s
programs.
Programs define memory areas called buffers that are used to accept data from a user or
another program. Buffers are defined to have a specific size. For example, a name field may
permit 30 characters, so 30 bytes of memory are provided. Ideally, if more data is sent to the
program, it should reject everything after the first 30 characters. Unfortunately, most
programmers do not bother to write their programs that way and just accept whatever is sent.
To achieve a buffer overflow, cybercriminals append specialized program code called shellcode
after the 30 characters. Because the excess bytes overwrite the memory adjacent to the buffer,
including control data such as a saved return address that decides what the program runs next,
the endpoint ends up executing the shellcode that was written past the end of the legitimate buffer.
All it takes is trial and error to discover whether a program is vulnerable to buffer overflow: the
cybercriminal tests what happens when a large amount of data is sent to the buffer. Many
buffer overflow defects have been found in the Windows operating system (OS) by
cybercriminals simply experimenting with the software. Buffer overflow vulnerabilities are
even easier to find if the cybercriminal can get the program source code, allowing them to
check every place where the program accepts input.
Another common method of exploiting buffer overflows is to analyze the patches released
by OS and application vendors. This process has become so automated that when Microsoft
releases security patches on Patch Tuesday (providing the less sophisticated virus developers
with a pointer saying “hack me here!”), the cybercriminals exploit unpatched systems on
Hack Wednesday.(32)
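The name-field scenario above, written out in C as an added illustration (this is not code from the paper or from CoreTrace): the first routine accepts whatever is sent, which is the defect; the two below it give the field the behaviour the text calls ideal, one by refusing over-long input and one by keeping only the first 29 characters. The function names, the buffer size constant and the sample inputs are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The paper's example: a name field that permits 30 characters, so the
 * program reserves a 30-byte buffer for it. In C that leaves room for
 * 29 visible characters plus the terminating NUL. */
#define NAME_FIELD_SIZE 30

/* Length of input, but never looking further than `limit` bytes ahead
 * (strlen() would keep reading until it finds a NUL, wherever that is). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable pattern: "just accept whatever is sent". strcpy() is told
 * nothing about the size of dest, so input longer than the field keeps
 * writing past the end of the buffer into whatever the compiler placed
 * next to it (other locals, saved registers, the return address). That
 * is the defect a buffer overflow exploits. Kept here only for contrast
 * and only ever called with input known to fit. */
void copy_name_unchecked(char dest[NAME_FIELD_SIZE], const char *input)
{
    strcpy(dest, input);
}

/* Hardened, option 1: refuse the request when the input does not fit.
 * Returns false and leaves dest as an empty string. This is the
 * behaviour the paper says a program should ideally have. */
bool copy_name_reject(char dest[NAME_FIELD_SIZE], const char *input)
{
    size_t len = bounded_len(input, NAME_FIELD_SIZE);
    if (len >= NAME_FIELD_SIZE) {      /* no room left for the NUL: too long */
        dest[0] = '\0';
        return false;
    }
    memcpy(dest, input, len + 1);      /* copies the terminator as well */
    return true;
}

/* Hardened, option 2: keep the first 29 characters and drop the rest.
 * Returns the number of characters kept, so the caller can notice
 * that truncation happened. */
size_t copy_name_truncate(char dest[NAME_FIELD_SIZE], const char *input)
{
    size_t len = bounded_len(input, NAME_FIELD_SIZE - 1);
    memcpy(dest, input, len);
    dest[len] = '\0';
    return len;
}

/* Constructed inputs for the demonstration: one that fits and one of
 * 40 characters, i.e. longer than the field. */
static const char SHORT_NAME[] = "Alice";
static const char LONG_NAME[]  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd";

int main(void)
{
    char name[NAME_FIELD_SIZE];

    copy_name_unchecked(name, SHORT_NAME);        /* fits, so this call is safe */
    printf("unchecked: \"%s\"\n", name);

    if (!copy_name_reject(name, LONG_NAME))
        printf("reject:    refused %zu-byte input\n", strlen(LONG_NAME));

    size_t kept = copy_name_truncate(name, LONG_NAME);
    printf("truncate:  kept %zu chars -> \"%s\"\n", kept, name);
    return 0;
}
```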


PAYLOAD: ROOTKIT USED TO OBTAIN AND RETAIN CONTROL
Once access to an endpoint is gained, cybercriminals install a rootkit to take control of an
endpoint and to retain control so they can load the software needed to carry out their schemes
at their convenience. Rootkits are either kernel‑based or non‑kernel‑based.



(32) Ben Worthen, Data Breach of the Day: Britney Spears Edition; The Wall Street Journal Business Technology Blog;
     March 17, 2008. (http://blogs.wsj.com/biztech/2008/03/17/data-breach-of-the-day-britney-spears-edition/trackback/)






Kernel‑based rootkits operate in the kernel and have the highest level of privilege
(i.e., full administrator, or root), allowing the cybercriminal to define and change access rights
and permissions to cover up traces of their activities, making kernel-based rootkits very difficult
to detect once installed. For example, with this level of privilege the cybercriminal can hide the
rootkit from endpoint utilities that list files and provide information about running processes, and
they can also hide other programs they plant on the endpoint.
Non‑kernel‑based rootkits operate in user space and usually have the same privilege level as
the user credentials used to install them.
Some rootkits are known and can be detected by a scanning program; however, this defense
does not work for a newly written rootkit. Typically, established rootkits are detected by a file
comparison between a suspect endpoint and a clean endpoint with full administrator rights;
however, this is difficult to organize and difficult to carry out while endpoints are running.

ENDPOINT SECURITY v2.0

Cybercriminals are well armed, well skilled, and well motivated, so how can an organization
protect itself? Fortunately, despite the prolific cyberattack vectors, tools, and strategies, the
majority of cyberattacks can be stopped dead in their tracks if the right approach is taken to
defending the IT network—that is, Endpoint Security v2.0.

ENDPOINT SECURITY v1.0 vs. v2.0
Endpoint Security v1.0, with its multiple layers of reactive antivirus and blacklisting databases,
security patches, and personal firewalls (all of which slow performance and add significant
cost to network operations), can’t defeat today’s known rootkit threats or unknown threats
(i.e., zero-day attacks from malware, rootkits, and buffer overflows)—let alone tomorrow’s.
Endpoint Security v2.0 is proactive, whitelist‑based, provides enforcement from within the
kernel, and is predicated on three core tenets:
•    Control what you know.
•    Control at the lowest possible level.
•    Control transparently.

BOUNCER BY CORETRACE™
BOUNCER by CoreTrace™ takes a revolutionary 180°-shifted approach to endpoint security,
providing a unique Endpoint Security v2.0 solution that defeats today’s, tomorrow’s, next year’s…
known and unknown threats—finally, efficiently, effectively, BOUNCER stops the madness.
BOUNCER leverages Endpoint Security v2.0’s three core tenets to provide the capabilities
listed below for PCs, servers, and embedded systems.
•    Preventing unauthorized programs and processes from running.
•    Preventing rootkit establishment.
•    Stopping code injected via buffer overflow from running and stopping further memory
     corruption.
•    Preventing system configuration modification by staff members, malicious insiders, and
     malicious outsiders.
•    Securing the endpoint transparently to end users.
•    Providing ease‑of‑use to the operational staff.(33)

     “Strategic Alliances? Bring ‘em on, we love ‘em!...So they want to combine their engines...That’s
     a great idea! This will be much more tougher to defeat.... That’s right guys. 1 + 1 = 1 in this
     case ;-) Stopped laughing yet? Ok… these antivirus engines combined can result in a really
     difficult to beat antivirus product, but there is also a positive side for us, virus authors. This
     “Strategic Alliance” also means that in the future we do have to concentrate on one product less!
     Yes, they are right in respect that it is harder to beat this combined product, but it will certainly
     take less time than testing your virus on 2 completely different products, let alone the fact
     that it costs you a lot more time to write retro structures against 2 antivirus products
     instead of one. Afterthought: Should we also take action and form “Strategic Alliances”
     other groups?(33)
     – Rajaat/29A, 29A Labs

(33) Rajaat/29A; Strategic Alliances? Bring ‘em on, we love ‘em!; 29A Labs; zines; Issue 2; 1998.
     (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website.
     http://vx.netlux.org/29a/29a-2/29a-2.2_a)






Core Tenet #1—Control What You Know
Control what you know—what else can you control? Blacklists are pursuing the flawed strategy
of trying to control that which is unknowable, and, as a result, are locked in a zero‑day‑threat race
they can never win, and being paid well for it. Conversely, controlling what you know—that is,
controlling the authorized applications used by an endpoint so that you can be indifferent to the
rest—is the principle that underpins BOUNCER’s whitelisting strategy that defeats cybercrime.
BOUNCER creates a whitelist of authorized programs (i.e., a list of fingerprints) that it uses
to recognize (i.e., identify and validate) an authorized program as it loads. Each authorized
program’s fingerprint consists of a triple play of integrity checks: file digest (SHA-1 hash),
file location (pathname), and file size.
When an unauthorized program tries to load (e.g., a virus from an e‑mail attachment, a program
copied onto an endpoint by an authorized user, or a program copied onto an endpoint through
a vulnerability), BOUNCER simply does not allow it to execute, thereby defeating the vast
majority of threats, including preventing Trojans from overwriting authorized files.
The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities
from exploitation, effectively neutralizing zero‑day threats. If a vulnerability is unpatched and
exploited, the malicious program or injected code is stopped anyway, so zero‑day threats
become a thing of the past. Hack Wednesday goes away and there is time to test all patches
before they are deployed—if they are deployed at all.
BOUNCER’s leveraging of control what you know results in significant IT cost savings.
IT departments that use BOUNCER can say goodbye to the following and say hello to a little
sanity:
•    Zero‑day threats.
•    Malware, trojans, viruses/worms, bots, keyloggers, adware, and spyware.
•    Reactive security patching (patch for features you need on your schedule and have time
     to fully test patches).
•    Chronic signature updating.
•    Technology stacks, pattern matching, and behavioral heuristics (including the impact of
     false positives and prolonged learning periods typical of behavioral solutions).

     “This article is about recent exposures of many kernel level vulnerabilities and advances in
     their exploitation which leads to trusted (oops safe) and robust exploits… to prove kernel land
     vulnerabilities such as stack overflows and integer conditions can be exploited and lead to total
     control over the system, no matter how strict your user land (i.e., privilege separation) or even
     kernel land (i.e., chroot, systrace, securelevel) enforcements are… I also…contribute to the newly
     raised concepts (greets to Gera) of fail-safe and reusable exploitation code generation.(34)
     – Sinan “noir” Eren, Phrack Magazine
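An added example, not CoreTrace's or BOUNCER's code, of the Core Tenet #1 whitelist check as the text describes it: each entry is the triple of SHA-1 digest, pathname and file size, and a program is allowed to load only if all three match, so the same bytes at a different path, or the enrolled path holding modified bytes, are refused. The SHA-1 routine is a minimal implementation included so the block runs offline; the paths, file contents and function names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Minimal SHA-1 (FIPS 180-4), adequate for the small inputs below ---- */
static uint32_t rotl(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Writes the 40-character lowercase hex digest of msg[0..len) into out. */
void sha1_hex(const unsigned char *msg, size_t len, char out[41])
{
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    size_t padded = ((len + 8) / 64 + 1) * 64;  /* message + 0x80 + 64-bit length, to a 64-byte multiple */
    unsigned char *buf = calloc(padded, 1);
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    uint64_t bits = (uint64_t)len * 8;
    for (int i = 0; i < 8; i++)                   /* big-endian bit length in the last 8 bytes */
        buf[padded - 1 - i] = (unsigned char)(bits >> (8 * i));
    for (size_t off = 0; off < padded; off += 64) {
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int t = 0; t < 16; t++)
            w[t] = (uint32_t)buf[off + 4 * t] << 24 | (uint32_t)buf[off + 4 * t + 1] << 16 |
                   (uint32_t)buf[off + 4 * t + 2] << 8 | (uint32_t)buf[off + 4 * t + 3];
        for (int t = 16; t < 80; t++)
            w[t] = rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1);
        for (int t = 0; t < 80; t++) {
            uint32_t f, k;
            if (t < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
            else if (t < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
            else if (t < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
            uint32_t tmp = rotl(a, 5) + f + e + k + w[t];
            e = d; d = c; c = rotl(b, 30); b = a; a = tmp;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    free(buf);
    for (int i = 0; i < 5; i++)
        sprintf(out + 8 * i, "%08x", (unsigned)h[i]);
}

/* The paper's "triple play": digest, location and size must all match. */
typedef struct {
    const char *path;       /* file location (pathname) */
    size_t      size;       /* file size in bytes */
    char        sha1[41];   /* hex SHA-1 of the file contents */
} Fingerprint;

/* Enrolment: what an administrator's tooling would record for an authorized
 * program. Contents are passed in directly so the example needs no disk access. */
Fingerprint fingerprint(const char *path, const unsigned char *contents, size_t len)
{
    Fingerprint fp;
    fp.path = path;
    fp.size = len;
    sha1_hex(contents, len, fp.sha1);
    return fp;
}

/* Load-time decision: run only if some entry matches on all three checks.
 * A digest match alone is not enough: the same bytes copied to another path,
 * or the enrolled path now holding different bytes, are both refused. */
bool is_authorized(const Fingerprint *whitelist, size_t n,
                   const char *path, const unsigned char *contents, size_t len)
{
    Fingerprint probe = fingerprint(path, contents, len);
    for (size_t i = 0; i < n; i++)
        if (strcmp(whitelist[i].path, probe.path) == 0 && whitelist[i].size == probe.size &&
            strcmp(whitelist[i].sha1, probe.sha1) == 0)
            return true;
    return false;
}

/* Constructed stand-ins for program files (a few bytes each, not real binaries). */
static const unsigned char CALC_V1[] = "calc-v1";   /* the enrolled build */
static const unsigned char CALC_V2[] = "calc-v2";   /* same path, modified bytes */

/* Four load attempts against a one-entry whitelist; returns a bitmask in which
 * bit i is set if attempt i was allowed. Only attempt 0 (the enrolled file) should be. */
unsigned demo_decisions(void)
{
    Fingerprint wl[1] = { fingerprint("C:\\Apps\\calc.exe", CALC_V1, sizeof CALC_V1 - 1) };
    unsigned mask = 0;
    mask |= (unsigned)is_authorized(wl, 1, "C:\\Apps\\calc.exe", CALC_V1, sizeof CALC_V1 - 1) << 0; /* enrolled */
    mask |= (unsigned)is_authorized(wl, 1, "C:\\Temp\\calc.exe", CALC_V1, sizeof CALC_V1 - 1) << 1; /* copied elsewhere */
    mask |= (unsigned)is_authorized(wl, 1, "C:\\Apps\\calc.exe", CALC_V2, sizeof CALC_V2 - 1) << 2; /* overwritten */
    mask |= (unsigned)is_authorized(wl, 1, "C:\\Apps\\evil.exe", CALC_V2, sizeof CALC_V2 - 1) << 3; /* unknown */
    return mask;
}

int main(void)
{
    printf("allowed mask = %u (expect 1: only the enrolled fingerprint may run)\n", demo_decisions());
    return 0;
}
```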
Core Tenet #2—Control at the Lowest Possible Level

Most sophisticated attacks are targeted at the kernel; therefore, that is where the battle
lies (only security software that functions in the kernel can reliably deliver the controls that
IT requires).
BOUNCER loads into the kernel very early and performs the following functions:
•    Allocates resources only to authorized applications.
•    Locks down the process table and keeps track of pointers.
BOUNCER leverages control at the lowest possible level to defeat the following threats:
•    Rootkit establishment.
•    Injected code via buffer overflow (even in authorized applications).
•    System configuration modification by staff members, malicious insiders, and malicious
     outsiders.
•    Direct kernel memory read and write from user space.(34)(35)

     “Userland applications are usually executed in ring3. The kernel on the other hand is
     executed in the most privileged mode, ring0. This grants the kernel full access to all CPU
     registers, all parts of the hardware and the memory. With no question is this the mode of
     choice to do start some hacking.(35)
     – kad

(34) Sinan “noir” Eren; Smashing The Kernel Stack For Fun And Profit; Phrack Magazine; Issue 60; December 28, 2002.
     (http://www.phrack.com/issues.html?issue=60&id=6#article)
(35) kad; Handling Interrupt Descriptor Table for fun and profit; Phrack Magazine; Issue 59; July 28, 2002.                      Phrack Magazine
     (http://www.phrack.com/issues.html?issue=59&id=4#article)
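The second threat in the list above, injected code running inside an authorized application, is exactly the case a file-level whitelist alone does not cover: the binary is allowed, but the code executing in its memory is not. As an added example (not CoreTrace's code; the page does not describe how BOUNCER's kernel mechanism works), the Python below audits a Linux process's /proc/<pid>/maps for executable memory that is not backed by an allowed file. The sample maps text, the paths and the allow-list are constructed.

```python
"""Audit a process's executable memory against a file allow-list.

Added example, not CoreTrace code.  A file-level whitelist answers "may this
binary run?"; this audit answers "is every executable page in the process
backed by a file the process is allowed to execute from?"  Anonymous, deleted
or writable+executable mappings are where buffer-overflow payloads live.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+(?:\s+(?P<path>\S.*?))?\s*$"
)

# Kernel-provided executable regions that legitimately have no backing file.
_EXPECTED_ANON_EXEC = {"[vdso]", "[vsyscall]"}


@dataclass(frozen=True)
class Finding:
    start: int
    end: int
    perms: str
    path: str          # "" for anonymous mappings
    reason: str


def classify(perms: str, path: str, allowed: Optional[set]) -> Optional[str]:
    """Return why an executable mapping is suspicious, or None if it is fine."""
    if "x" not in perms:
        return None                      # non-executable pages are out of scope
    if path == "":
        # JIT runtimes also create these, so treat as a lead, not a verdict.
        return "executable mapping with no backing file (injected code / shellcode)"
    if path in _EXPECTED_ANON_EXEC:
        return None
    if path.startswith("["):
        return "executable stack/heap pseudo-region (NX should forbid this)"
    if path.endswith("(deleted)"):
        return "executable mapping of an unlinked file (memfd / dropped-and-deleted payload)"
    if "w" in perms:
        return "file mapping that is both writable and executable (W^X violation)"
    if allowed is not None and path not in allowed:
        return "executable file not on the allow-list"
    return None


def audit_mappings(maps_text: str,
                   allowed_paths: Optional[Iterable[str]] = None) -> List[Finding]:
    """Parse /proc/<pid>/maps text and return every suspicious executable mapping.

    allowed_paths: files the authorized application may execute code from
    (its own binary plus its libraries); None disables that check.
    """
    allowed = set(allowed_paths) if allowed_paths is not None else None
    findings = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue                     # skip anything that is not a maps line
        path = m.group("path") or ""
        reason = classify(m.group("perms"), path, allowed)
        if reason:
            findings.append(Finding(int(m.group("start"), 16), int(m.group("end"), 16),
                                    m.group("perms"), path, reason))
    return findings


def audit_pid(pid: int, allowed_paths: Optional[Iterable[str]] = None) -> List[Finding]:
    """Audit a live Linux process (requires permission to read its maps file)."""
    return audit_mappings(Path(f"/proc/{pid}/maps").read_text(), allowed_paths)


# Constructed sample: an allowed binary whose process has had code injected.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1048578 /usr/bin/authorized-app
00651000-00652000 rw-p 00051000 08:01 1048578 /usr/bin/authorized-app
01e00000-01e21000 rw-p 00000000 00:00 0 [heap]
7f3c2a400000-7f3c2a5b0000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c2c000000-7f3c2c021000 rwxp 00000000 00:00 0
7f3c2c100000-7f3c2c110000 r-xp 00000000 00:05 12 /memfd:payload (deleted)
7ffd1a2f0000-7ffd1a311000 rwxp 00000000 00:00 0 [stack]
7ffd1a3c4000-7ffd1a3c6000 r-xp 00000000 00:00 0 [vdso]
"""
SAMPLE_ALLOWED = {"/usr/bin/authorized-app", "/usr/lib/x86_64-linux-gnu/libc.so.6"}

if __name__ == "__main__":
    for f in audit_mappings(SAMPLE_MAPS, SAMPLE_ALLOWED):
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {f.path or '<anonymous>'}: {f.reason}")
```

On the sample the audit reports three mappings (the anonymous rwx region, the unlinked memfd file and the executable stack) while the allowed binary, libc and the vdso pass. A rootkit that hides from user space can also lie about /proc, which is the page's argument for doing this kind of check from the kernel rather than from a user-space tool.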




CoreTrace Whitepaper: Combating Buffer Overflows And Rootkits

  • 1. cOmbaTing buFFer OverFlOws and rOOTkiTs BOUNCER by CoreTrace™ Defeats Cybercriminals Buffer overflow + rootkit is the #1 combo meal on the cybercrime menu— a buffer overflow provides the way in and a rootkit provides the way to stay in, and invite some friends in too—and while an endpoint won’t get fries with that, if it is not protected with Endpoint Security v2.0, it may get Trojans, keyloggers, backdoors, installation routines, network sniffers, etc., (do be concerned with what may be hiding in that etc.). The best part, and why this technique is so popular, is that an endpoint is not aware that it has ingested anything. Rootkits are a MacGyver-worthy mashup of Swiss Army knife + Hydra + The Invisible Man—the best defense is a good offense was never more apropos. Not only is it difficult to know that a rootkit has control of an endpoint, even if known, it is not easily removed. The key to not allowing a rootkit to establish itself in an endpoint, is to not allow a rootkit to establish itself in an endpoint— just say no. The only way to do that is with Endpoint Security v2.0. cOnTenTs 1 Overview 1 2008 FOrward: TOrnadO warning in eFFecT Inside the Cybercrime Tornado Seeding The Clouds Endpoint Security v1.0 vs. v2.0: who’ll Stop the Rain? 6 cybercrime aT-a-glance Cybercrime Tools and Techniques Cybercrime Levels of Threat 11 buFFer OverFlOw + rOOTkiT access Vector: Buffer Overflow used to Inject Code Payload: Rootkit used to Obtain and Retain Control 12 endpOinT securiTy v2.0 Endpoint Security v1.0 vs. v2.0 BOUNCER by CoreTrace™ 15 summary Ju ne 20 08 CoreTrace Corporation 6500 River Place Blvd., Building II, Suite 105, Austin, TX 78730 512-592-4100 | sales@coretrace.com | www.coretrace.com
  • 2. BOUNCER by CoreTrace™ Overview The road sign from information highway to Internet, computer geeks to script kiddies, “ hackers to cybercriminals, worms to rootkits, bragging rights to offshore accounts, and just recently, malware to malware‑as‑a‑service, points in a very clear direction— Have you ever from caché to cash—from v1.0 to v2.0, follow the money…and hold on to your Hats. taken a moment to realize that the This paper reviews the nature of cybercrime focusing on two sophisticated threats whose primary reason the popular malicious combination—buffer overflow + rootkit—requires the immediate attention of information security IT security departments. industry even exists Buffer overflow + rootkit is the #1 combo meal on the cybercrime menu—a buffer overflow is because a noted provides the way in and a rootkit provides the way to stay in, and invite some friends in too— lack of pedantic and while an endpoint won’t get fries with that, if it is not protected with Endpoint Security v2.0, people both in it may get Trojans, keyloggers, backdoors, installation routines, network sniffers, etc., (do be the RFC world of concerned with what may be hiding in that etc.). The best part, and why this technique is so the 1980s and the popular, is that an endpoint is not aware that it has ingested anything. software engineering world Rootkits are a MacGyver-worthy mashup of Swiss Army knife + Hydra + The Invisible Man— up until the the best defense is a good offense was never more apropos. Not only is it difficult to know mid 1990s? that a rootkit has control of an endpoint, even if known, it is not easily removed. The key to not Yes, there was allowing a rootkit to establish itself in an endpoint, is to not allow a rootkit to establish itself in an actually a time endpoint—just say no. Currently, the only way to do that is with Endpoint Security v2.0. 
where people This paper contrasts Endpoint Security v1.0 with Endpoint Security v2.0, and discusses why did not consider Endpoint Security v1.0’s centre cannot hold. Also discussed are Endpoint Security v2.0’s the unexpected three core tenets—control what you know, control at the lowest possible level, and control consequence of transparently—that were leveraged to deliver BOUNCER by CoreTrace™, a unique v2.0 an unbounded revolutionary 180°‑shifted approach to endpoint security. With BOUNCER‑secured endpoints, strcpy().(3) an IT security department can have complete confidence that when, not if, a rootkit attempts – Jeff Nathan to establish itself on their endpoint, this zero‑day threat has zero time‑to‑live, as BOUNCER Arbor Networks delivers the first knockout punch.(1) 2008 FOrward: TOrnadO warning in eFFecT The criminal energy that permeates the Internet cloud has caused a steady rain of profit for the cybercrime industry since just before the turn of the millennium; however, all indications are that the Internet cloud is poised to turn into a supercell “with billions of dollars of revenue seeming to appear from out of nowhere”(2) and be funneled into the cybercriminals’ offshore accounts. The “ cybercrime industry is heading inside the tornado of hypergrowth and will enjoy huge profits at the world’s expense. Loved by some, hated by others, Unfortunately, the majority of the endpoint security industry that is in a position to stop the rootkits can be unprecedented cybercrime deluge of cash visible on the horizon (i.e., Endpoint Security v1.0 considered as antivirus blacklist vendors) is too busy cashing in on the mutually-assured-to-be-profitable the holy grail cyber arms race that they are in with the cybercrime industry to need to upgrade their of backdoors: weapons systems to Endpoint Security v2.0. 
The cyber arms race is a lucrative, never ending stealthy, little, cat‑and‑mouse game of virus release followed by antivirus update with dizzying rounds of races close to hardware, to the zero-day-threat finish line. Due to Endpoint Security v1.0’s reactive blacklisting strategy, ingenious, vicious… it is running the cybercriminal’s race, so getting to the finish line first is simply not possible.(3)(4) Their control over a computer locally or remotely make them the best choice for an attacker.(4) (1) BOUNCER‑secured endpoints include PCs, servers, and embedded systems. (2) Geoffrey A. Moore; Inside the Tornado; Harper‑Business; 2005; p 5. – Mxatone and IvanLeFou Phrack Magazine (3) Jeff Nathan; It’s Our Party & We’ll Cry If We Want To…; Arbor Networks; August 9, 2006. (http://asert.arbornetworks.com/2006/08/it%e2%80%99s‑our‑party‑well‑cry‑if‑we‑want‑to/) (4) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article) Combating Buffer Overflows and Rootkits 1
  • 3. BOUNCER by CoreTrace™ INsIdE ThE CyBERCRImE TORNadO It’s the Wild West…and east, and north, and south—cybercrime is inherently global and tantalizingly lucrative. A virtual frontier of opportunity targets combined with low barriers to entry, “ …chief security officer at low risk of capture and conviction, and high earning potential is the risk/reward scenario that is British Telecom’s fueling the cybercrime industry’s explosive growth rate. global financial services division… The cybercrime business model has matured and borrowing the language from Geoffrey Moore’s tells us that as long best‑selling business‑strategy books—Crossing the Chasm and Inside the Tornado—it has as the risk of getting crossed the chasm and is headed inside the tornado characterized by hypergrowth.(5) Read the caught is so low excerpt below from Inside the Tornado in the context of the cybercrime juggernaut, does any and the reward so of it sound familiar? great, the number of “Such are the market forces generated by discontinuous innovations, or what more attacks is bound to recently have been termed paradigm shifts…For a long time, although much is keep climbing. written about the new paradigm, little of economic significance happens…But…there He calls this comes a flash point of change when the entire marketplace…shifts its allegiance “the mathematics from the old architecture to the new. of toast,” as in companies who “This sequence of events unleashes a vortex of market demand. Infrastructure, to aren’t prepared for be useful, must be standard and global, so once the market moves to switch out an influx of attacks the old for the new, it wants to complete this transition as rapidly as possible. All the are pretty much pent‑up interest in the product is thus converted into a massive purchasing binge… toast.(8) Companies grow at hypergrowth rates, with billions of dollars of revenue seeming to appear from out of nowhere. 
– The Wall Street Journal Business Technology Blog “Nowhere has the tornado touched down more often in the past quarter-century than in the computer and electronics industry…New products, designed to the new performance vectors, incorporate software that simply blows away the old reference points… “…showing how companies can align themselves with these forces to win market “ The AFCC recently traced a leadership positions, we shall see a disconcerting pattern assert itself repeatedly: new service… offering access The winning strategy does not just change as we move to a bullet-proof from stage to stage, it actually reverses the prior strategy. hosting server “That is, the very behaviors that make a company successful at the outset of the with a built-in mainstream market cause failure inside the tornado and must be abandoned. And Zeus trojan similarly what makes companies successful in the tornado causes failure and must administration panel be abandoned once that phase of hypergrowth is past. In other words, it is not just and infection tools... the strategies themselves that are cause for note but also the need to abandon each the service includes one in succession and embrace its opposite that proves challenging.”(6) all of the required stages in a single Reversing Strategies package, so you It is interesting to note that the cybercrime industry’s leap across the chasm was symbolically just have to pay marked in February 2008 by the disbanding of the infamous, old school VXer (virus writer) for the service, group 29A. So if we are not in Kansas anymore, then where are we?—put another way, if then access the “29A has left the building!”(7) who are its current tenants? newly hired Zeus trojan server, “The shutters are being pulled down on old school virus writers’ group 29A.(8)(9) create infection points and start collecting data… mirroring legitimate (5) Geoffrey A. Moore; Crossing the Chasm; HarperCollins; 2002; and Inside the Tornado; HarperCollins; 2004. 
security vendor (6) Geoffrey A. Moore; Inside the Tornado; HarperCollins; 2004; pp 4–5 and 10. offerings— (7) VirusBuster/29A’s departing words posted on home page of 29A Labs; February 2008. security-as-a-service… (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. malware-as-a-service.(9) http://vx.org.ua/29a/main.html) (8) The Wallstreet Journal Business Technology Blog; Electronic Crime Really Does Pay; November 2, 2007. – Andrew Hendry (http://blogs.wsj.com/biztech/2007/11/02/electronic-crime-really-does-pay/trackback/) PC World (9) Andrew Hendry; Wannabe Hackers Can Now Rent‑a‑Botnet; PC World; May 15, 2008. (http://www.pcworld.com/businesscenter/article/145931/wannabe_hackers_can_now_rentabotnet.html) Combating Buffer Overflows and Rootkits 2
BOUNCER by CoreTrace™

“29A, hexadecimal for 666, is an underground VXer collective known for creating the first Win 2000 virus, the first 64-bit virus, and early examples of mobile malware that infected devices such as PDAs.

“…other less well known VXer groups are dying the death, a development symptomatic of changes in the malware market. Profit has replaced mischief, intellectual curiosity, or a desire to make a name for yourself as the motive for creating malware.

“Traditional virus writers have drifted away from the scene to be replaced by more shadowy coders creating sophisticated Trojans aimed at turning an illicit profit. Enforcement action against virus writers has acted as a further disincentive for the hobbyists, at least.

“Instead of getting proof of concept malware from the likes of 29A, we’re dealing with the Storm Worm Trojan and other sophisticated ‘professionally developed’ botnet clients.”(10)

By any measure, the cybercrime industry has crossed the chasm from v1.0 to v2.0—combating v2.0 cyberattacks with a v1.0 arsenal is a Maginot-line strategy that will never lead back to Kansas. The road map back to Kansas is provided by Geoffrey Moore: “The winning strategy does not just change as we move from stage to stage, it actually reverses the prior strategy.”(11)

As the VXers crossed the chasm, following behind, as always, were the AVers (antivirus researchers), weighed down by Endpoint Security v1.0 (a reactive, inherently flawed, ineffective, and bloated blacklisting strategy). What is required to defeat cybercriminals is a “reversal of the prior strategy”—a unique v2.0 revolutionary 180°-shifted approach to endpoint security. What is required is BOUNCER by CoreTrace™, the Endpoint Security v2.0 solution that cuts the Gordian knot of the zero-day threat.

“If you dig a bit on AV world, you will discover AVers are not a happy family… in some cases they hate more other AVers than VXers… Less known are the fights for the conquer of the AV market between companies… there is a new fight in the AV world: The number of detected virii war!… ‘my product detects the 100% of virii’… If that’s not a trick… what’s it?… It means that from a collection of 7,000 source codes, you could create an antivirus with 12,000 - 14,000 signatures. Then you run… similar virus constructions kits and you reach 20,000 signatures. You only need to inflate the numbers a bit and… TAAAAACHAN!!!!!!! You have a top eleet antivirus! Pathetic but that’s what it’s happening.”(12)
– VirusBuster/29A, 29A Labs

SEEDING THE CLOUDS

Buffer overflow + rootkit is a handy combination for a v2.0 cybercriminal—a buffer overflow provides the way into an endpoint and a rootkit provides the way to stay in an endpoint for as long as possible. A rootkit’s ability to mask its presence and its activities makes it very difficult to detect, thereby maximizing profit for each established rootkit and providing excellent ROI for v2.0 cybercriminal businesses.

Buffer Overflows

Buffer overflow vulnerabilities exist because software code is written without input validation on every instance and method of input into the software application. Code injection uses software errors to inject code into programs already running on an endpoint. The most common method of code injection, and one of the most difficult to stop, is via buffer overflow, where code is injected at the end of a legitimate buffer to run whatever the cybercrime business wants.

“A buffer overflow is the result of stuffing more data into a buffer than it can handle. How can this often found programming error can be taken advantage to execute arbitrary code?… Writing an Exploit (or how to mung the stack)…”(13)
– Aleph One, Phrack Magazine

Rootkits

Rootkits are a collection of tools and utilities that allow a cybercriminal to hide the presence of a rootkit and all of its activities, as well as provide a way to keep a backdoor open to the system for return visits. The extent and nature of activities a rootkit is able to perform and can hide depend on the type of rootkit. There are many types of rootkits including user‑mode, kernel‑mode, kernel‑mode data structure manipulation, and process hijacking. While all rootkits are problematic, kernel‑based rootkits are especially insidious.(12)(13)

(10) John Leyden; Infamous malware group calls it quits; Channel Register; March 7, 2008. (http://www.channelregister.co.uk/2008/03/07/29a_rip/)
(11) Geoffrey A. Moore; Inside the Tornado; HarperCollins; 2004; p 5.
(12) VirusBuster/29A; The number of detected virii war; 29A Labs; zines; Issue 4; 2001. (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a‑4/29a‑4.232)
(13) Aleph One; Smashing The Stack For Fun And Profit; Phrack Magazine; Issue 49; November 8, 1996. (http://www.phrack.com/issues.html?issue=49&id=14#article)
ENDPOINT SECURITY v1.0 vs. v2.0: WHO’LL STOP THE RAIN?

Cybercriminals are well armed and well motivated, so how can an organization protect itself? Businesses invested $9.4 billion in IT security software in 2007;(14) clearly, increased spending on ineffective Endpoint Security v1.0 products will not stop the cybercrime tornado.

Endpoint Security v1.0

Endpoint Security v1.0 strategy has been to identify malware and keep it out (i.e., blacklisting). In this zero‑day‑threat world, blacklisting’s reactive strategy (it is dependent on timely signature updates) is inherently flawed and no amount of multi-layering or heuristics can save it. In effect, blacklisting surrenders control to the cybercriminals, handing them the first-strike advantage. Moreover, if the first strike is delivered by a stealth bomber (buffer overflow code injection) that happens to drop a kernel-based-rootkit payload, Endpoint Security v1.0 technology is unaware that an attack has occurred and the compromised system is literally open for business.

“Today’s threats are created by a commercial malware industry which has developed quickly and which has access to some billion-dollar resources… Some vendors have switched… to daily, or even half-hourly updates… The average size of the signature databases has at least doubled and in some cases tripled within the last 18 months. The trend seems to be clear: more updates and more signatures, and with them longer scan times, higher memory consumption, higher false positive rates and the like.”(15)
– Andreas Marx, av‑test.org

Endpoint Security v2.0

Fortunately, the majority of cyberattacks can be defeated if the right approach is taken defending the IT network—by necessity, that is Endpoint Security v2.0, whose revolutionary 180°‑shifted approach starts by turning v1.0 blacklisting on its head and proceeds from there. Note the phrase: starts by turning v1.0 blacklisting on its head and proceeds from there. Endpoint Security v2.0 strategy is to only allow authorized code to execute (i.e., whitelisting), so even if malware gains access to a system, it cannot execute and is neutralized—and that’s the short answer. For security reasons, the details in the execution of that strategy are as important as adopting the strategy.

Endpoint Security v2.0 is predicated on three core tenets: control what you know, control at the lowest possible level, and control transparently. To be considered a true Endpoint Security v2.0 solution, the security features shown in Table 1 must be present.

Beware of any endpoint security solution claiming to be a v2.0 solution that merely exchanges one list for another. While a whitelist‑based solution is superior to a blacklist‑based solution because it is proactive vs. reactive, a true Endpoint Security v2.0 solution uses a whitelist of fingerprints customized for each endpoint, thereby limiting the entries to programs installed on each endpoint vs. a centralized database of all programs. Additionally, a true Endpoint Security v2.0 solution automatically generates the customized whitelist for each endpoint in a controlled environment to ensure that it is not compromised. Further, a true Endpoint Security v2.0 solution provides an efficient whitelist updating capability that does not place a burden on the IT administrative staff.

The specious solution that has merely exchanged one list for another is only a 90°-shifted solution, and it has only reached v1.1—or rather, the whitelist is a behemoth one-size-fits-all-let’s‑hope‑the‑list‑isn’t‑hacked centralized database of all authorized programs that somehow has to be mapped to each specific endpoint. Walk away from these going-in-the-right-direction-but-didn’t-quite-make-it v1.1 half-solutions, or else the weight of this solution and its attendant administrative burden and security risks will come crashing down on your CPUs and valuable IT staff.(15)(16)

“Even if the technology used by rootkits are more and more sophisticated, the underground community is still developing POCs to improve current techniques.”(16)
– Mxatone and IvanLeFou, Phrack Magazine

(14) Gartner; Press Release: Gartner Predicts Worldwide Security Software Revenue to Grow 11 Percent in 2008; April 22, 2008. (http://www.gartner.com/it/page.jsp?id=653407)
(15) Andreas Marx; Malware vs. Anti‑Malware: (How) Can We Still Survive?; Virus Bulletin; February 2008. (http://www.av-test.org/down/papers/2008-02_vb_comment.pdf)
(16) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)
Table 1. Endpoint Security v2.0: Security Features

The original table marks each security feature against the three core tenets: Control What You Know, Control From the Lowest Possible Level, and Control Transparently.

• Only authorized programs allowed to execute
• Authorized programs fingerprinted to create a unique three-factor integrity check:
  – File digest (SHA-1 hash)
  – File location (pathname)
  – File size
• Whitelist of fingerprints customized for each endpoint—entries limited to programs installed on an endpoint
• Automatically generates customized whitelist in a controlled environment
• Ease-of-use whitelist updating procedure
• Digital certificates used for authentication
• Enforcement from within the kernel
• Entry points to the OS securely wrapped
• Prevents direct kernel memory read and write from user space
• Monitors and reacts to memory modification
• Provides a complete IPsec infrastructure

“…review on Windows Vista included ‘pure’ anti-virus programs. The tools were last updated and frozen on 2 October 2007. To our surprise, the detection rate of inactive samples reached just 90% on average, even though most of the rootkits used were released during 2005 and 2006. Only four of the six installed rootkits could be detected by an average tool and the cleaning rate was even lower with 54%.”(17)
– Andreas Marx and Maik Morgenstern, av‑test.org

“The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities from exploitation, effectively neutralizing zero-day threats.”

(17) Andreas Marx and Maik Morgenstern; Anti‑Stealth Fighters Testing for Rootkit Detection and Removal; Virus Bulletin; April 2008. (http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf)
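The three-factor fingerprint of Table 1 and the per-endpoint whitelist described in the preceding section, as an added Python example. This is not BOUNCER's code and not from the CoreTrace paper; the file names, the build/check functions and the sample "program" files are constructed for illustration. It enrolls the programs present on a (simulated) clean endpoint, then shows which of four execution attempts the check allows, and why a hash-only global list (the "v1.1" case the text warns about) behaves differently.

```python
"""Added example: a per-endpoint whitelist of three-factor program fingerprints.

Not BOUNCER's code. It mirrors the Table 1 factors (SHA-1 digest, pathname,
file size): the list is built once from the programs installed on a known-clean
endpoint, then consulted before anything is allowed to execute. All file names
and contents below are constructed for the demo.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Fingerprint:
    path: str   # factor 1: file location (canonical pathname)
    sha1: str   # factor 2: file digest
    size: int   # factor 3: file size in bytes


def fingerprint(path) -> Fingerprint:
    """Compute all three factors for one file, streaming so large binaries work."""
    p = Path(path).resolve()
    digest = hashlib.sha1()
    size = 0
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return Fingerprint(str(p), digest.hexdigest(), size)


def build_whitelist(installed_programs):
    """Run in the controlled environment: only programs present on this endpoint
    are enrolled, so the list stays small and specific to the machine."""
    return {fp.path: fp for fp in map(fingerprint, installed_programs)}


def check_execution(whitelist, path):
    """Decide whether a file may run. Returns (allowed, reason)."""
    try:
        fp = fingerprint(path)
    except FileNotFoundError:
        return False, "no such file"
    ref = whitelist.get(fp.path)
    if ref is None:
        return False, "not on whitelist (unknown path)"
    if ref.size != fp.size:
        return False, "size mismatch"
    if ref.sha1 != fp.sha1:
        return False, "digest mismatch"
    return True, "authorized"


def hash_only_check(known_hashes, path):
    """The 'v1.1' contrast: a centralized list of digests with no path factor."""
    return fingerprint(path).sha1 in known_hashes


def demo():
    """Constructed scenario: enroll two programs, then try four executions."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        app = bin_dir / "app.exe"
        tool = bin_dir / "tool.exe"
        app.write_bytes(b"MZ legitimate program image")      # stand-in for a real binary
        tool.write_bytes(b"MZ another authorized program")
        whitelist = build_whitelist([app, tool])
        known_hashes = {fp.sha1 for fp in whitelist.values()}

        results = {"authorized": check_execution(whitelist, app)}

        # Same-length in-place patch: size still matches, the digest does not.
        app.write_bytes(b"MZ legitimate program imagX")
        results["patched"] = check_execution(whitelist, app)

        # Byte-identical copy of an authorized program in a new location:
        # digest and size match, path does not.
        moved = Path(tmp) / "tool.exe"
        moved.write_bytes(tool.read_bytes())
        results["relocated"] = check_execution(whitelist, moved)
        results["relocated_hash_only"] = hash_only_check(known_hashes, moved)

        # File dropped after enrollment: never fingerprinted, so never runs.
        dropper = bin_dir / "dropper.exe"
        dropper.write_bytes(b"MZ not enrolled")
        results["dropped"] = check_execution(whitelist, dropper)
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The checks run cheapest first (path lookup, then size, then digest), so a tampered file is refused before its hash is even compared against the reference; the relocated copy is the case that separates a per-endpoint, path-bound list from a global digest list, which accepts it.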
CYBERCRIME AT-A-GLANCE

The supercell cloud that will spawn the tornado of hypergrowth and huge profits for the cybercrime industry contains all of the cybercrime business segments. Cybercriminals target specific organizations at times; however, they are opportunists and collect rainfall whenever and wherever they can. Table 2 provides an at‑a‑glance view of some of their activities.(18)(19)(20)(21)(22)(23)(24)(25)

Table 2. Cybercrime at-a-glance

AV-Test.org(18), 2005 / 2006 / 2007:
• MD5-unique malware samples: 333,000 / 972,000 / 5,490,000
• Unique AV updates in 45 AV products: 111,566 / 134,484 / 148,869
• Total size of AV updates in 45 AV products: 520 GB / 1.0 TB / 1.6 TB

• Chances of becoming a cybervictim(19): 1 in 4 US citizens (2007)
• Cybercriminal chances of getting convicted(20): 1 in 7,000, although it could be as low as 1 in 600,000
• Identity fraud victims(21): 8.4 million US citizens (2007); total fraud of $50 billion; victims spend 25 hours (avg.) to resolve case
• Identity theft cost to consumers and businesses(21): $49.3 billion (2007)
• Stolen identity value to cybercriminal(19): $14–$18 per identity (2006)
• Newly activated zombies(22): 355,000 per day (1Q 2008)
• Spam levels of all e-mail(22): 60%–94% (1Q 2008)
• Spam sent from zombies(23): 80% (1Q 2008)
• Botnet uses(23): #1 Use: Sending spam; #2 Use: DDoS attack; other ways to make money: sell or lease botnet
• Top spam-sending countries(24), 12 Months View (06/03/07–06/03/08): United States 33.03%; Russian Federation 5.64%; Germany 5.47%; United Kingdom 4.29%; China 3.78%; Other 47.79%

“Just like legitimate businesses, cyber criminals today are trying to put themselves front-and-center on millions of computer screens. ‘The attackers are now following the same path that businesses have, in trying to advertise themselves in their own special way on the more popular Web sites,’ says Tom Liston, who works with SANS Internet Storm Center… They’re doing exactly what every business tries to do, which is to find innovative ways get themselves out in front of as many eyeballs as possible…”(25)
– Martha Neil, ABA Journal

(18) Andreas Marx; Malware vs. Anti‑Malware: (How) Can We Still Survive?; Virus Bulletin; February 2008. (http://www.av-test.org/down/papers/2008-02_vb_comment.pdf)
(19) www.consumerreports.org; Net threats: Why going online remains risky; September 2007. (http://www.consumerreports.org/cro/electronics‑computers/computers/internet‑and‑other‑services/net‑threats‑9‑07/overview/0709_net_ov.htm)
(20) Ben Worthen; Laws Go Soft on Hackers; The Wall Street Journal Business Technology Blog; February 22, 2008. (http://blogs.wsj.com/biztech/2008/02/22/laws‑go‑soft‑on‑hackers/trackback/)
(21) Javelin Strategy and Research; Press Release: Group Imagines ‘Ideal’ Credit Card; May 27, 2007. (http://www.javelinstrategy.com/2008/05/27/group‑imagines‑ideal‑credit‑card/)
(22) Commtouch Software; Q1 2008 Email Threats Trend Report: Zombies Depend on the Kindness (and IT Resources) of Others; April 7, 2008. (http://www.commtouch.com/site/Resources/documentation_center.asp)
(23) Vitaly Kamluk; The botnet business; viruslist.com; May 13, 2008. (http://www.viruslist.com/en/analysis?pubid=204792003)
(24) Commtouch Software; Top Spam‑Sending Countries; 12 Months View; June 3, 2008. (http://www.commtouch.com/Site/ResearchLab/statistics.asp)
(25) Martha Neil; Cyber Crime Does, Increasingly, Pay; ABA Journal; December 20, 2007. (http://www.abajournal.com/news/cybe_crime_does_increasingly_pay/)
CYBERCRIME TOOLS AND TECHNIQUES

Cybercrime is a global industry with low start‑up costs and, ironically, unless typing into a web form is considered a computer skill, no computer skills are necessary. Cybercriminals form a well integrated community that shares and trades information, and they have many tools and techniques at their disposal that are discussed below.

• Writing Viruses—A brilliant virus writer can make a decent living working at home and selling new malicious tools online to the highest bidder. Even the less brilliant virus writers can earn a living. There are many places on the web where cybercriminals post source code for new viruses for other people to use. There is no law against doing so, which means that anyone can download source code for a virus, modify it, and then send it out to do its work. Analysis of widely circulated viruses of the past five years shows that sections of them were copied from earlier viruses.

• Discovering Vulnerabilities—Cybercriminals research diligently to find new ways to break into endpoints, particularly those running Windows®. Discovering vulnerabilities is rewarding because they can auction new exploits on the Internet (see Figure 1).

Figure 1. Vulnerabilities are for sale on the Internet

• Developing Software—Cybercriminals run software development businesses for software products such as collections of exploits for breaking into endpoints and utilities to use once access is gained (such as remote control capabilities and keyloggers). They sell the software online using the same marketing and customer support techniques as mainstream software companies, such as segmentation into software editions, and offering product support and product upgrades (see Figure 2).(26)

“If you make these steps the NT box is opened for everyone… Even if you don’t plan to write NT viruses at least add to your babes a code for adding SeDebugPrivilege to Everyone. Then it makes for another viruses easier to infect the machine - remember your fellow coders too :))).”(26)
– Ratter/29A, 29A Labs

(26) Ratter/29A; Gaining passwords; 29A Labs; zines; Issue 6; 2002. (This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a‑6/29a‑6.225)
“That’s how the war between rk[rootkit]-makers and anti-rk-junkies began, trying to find the best way, the best area, for hooking critical operating system features… In the wild the rk are used most of the time for lame mail spamming or botnets.”(28)
– Mxatone and IvanLeFou, Phrack Magazine

Figure 2. Professionally marketed malware kits are for sale on the Internet

• Build Attack Environments—Script kiddies are teenagers without the engineering talent to carry out sophisticated attacks, but who can acquire powerful software tools online and buy the capability to assemble attack environments. To get started, all that is needed is a comprehensive hacker software development kit (SDK) that costs about $320 (see Figure 3) and a few viruses to sprinkle into the Internet. Virus source code can be downloaded for free, but specific viruses that are guaranteed to get past Endpoint Security v1.0 products like McAfee® Active VirusScan®, Norton Antivirus, Kaspersky® Anti‑Virus, etc., are for sale on the Internet (see Figure 4). With a budget of $1,000 to $5,000, Trojans are available that are purposely built to steal credit card data and e-mail it to a specific address.

“It’s comforting to know, should you want to become a Black Hat, that the barriers to entering the trade are much lower now. It’s true that you’ll never become a ‘legendary Black Hat’ if you can’t cut a little C++ code. Nevertheless, out there on the Internet there are web sites where you can buy fully functional software for launching exploits that others have written for you. Yes, there are indeed hacker‑devoted software products freely available for purchase by anyone capable of installing software. $200 or so should buy you something useful (including updates).”(27)(28)(29)

Figure 3. Malware SDKs are for sale on the Internet

“A notorious malware gang that rented out botnets by the hour has resurfaced after being knocked off line two months ago by a rival band of criminals… The gang came to prominence by renting out a botnet that fellow criminals could use to install and maintain their malware. In October, it boasted more than 35,000 infected machines… Prices ranged from $110 to $220 per thousand infections depending on where they were located. The group was taken offline in January following a DDoS attack by a rival gang wielding a Barracuda botnet.”(29)
– Dan Goodin, Channel Register

(27) Robin Bloor; 10 reasons why the Black Hats have us outgunned; The Register; June 13, 2007. (http://www.theregister.co.uk/2007/06/13/black_hat_list/)
(28) Mxatone and IvanLeFou; Stealth Hooking: another way to subvert the Windows kernel; Phrack Magazine; Issue 65; April 12, 2008. (http://www.phrack.com/issues.html?issue=65&id=4#article)
(29) Dan Goodin; Rent‑a‑bot gang rises from the DDoS ashes; Channel Register; March 13, 2008. (http://www.channelregister.co.uk/2008/03/13/loadscc_rises_again/)
Figure 4. Malware to avoid detection by specific Endpoint Security v1.0 vendors is for sale on the Internet

• Assemble or Rent Botnets—Cybercriminals assemble botnets (i.e., networks of compromised endpoints) to amass a huge amount of highly distributed power to use in their activities. If they assemble a large number of endpoints, they can rent them out for about $0.20 per endpoint per day. Remarkably, botnets of more than one million endpoints have been assembled. Botnets are not without maintenance, though: as owners discover and clean compromised endpoints, the botnet needs replenishment. The cybercriminals use the botnet to send out Trojan viruses that open a backdoor into an endpoint, allowing the cybercriminal’s scanning software to gain access and add it to the botnet. The botnet industry is well‑developed, offering low start‑up costs and easy implementation. Botnets are now a turnkey business with one‑stop‑shopping for all the essentials: bot software; anonymous hosting services to set up a command and control (C&C) center (complete with support and a guarantee that log files are inaccessible to law enforcement); and ready-to-use botnets. Additionally, the software installation of a C&C center only requires the new entrepreneur to fill in a few form fields.

• Spamming—There are a host of different spam scams: from phishing for financial information, to 411 lottery scams, to the share tip scam, to direct ads for pharmaceuticals, insurance, and porn (e‑mail addresses from replies received are sold as sales leads). Spamming is illegal in many countries, but spamming operations cannot be easily or reliably traced, so this commercial arrangement persists.

“bro this are from my spam… super fresh… I will spam more... spammed like hell… used 7 remote desktops and 13 smpt servers… 5 root… sent over 1.3 million emails.”(30)
– Thomas Claburn, InformationWeek

• Running Websites—Cybercrime‑run websites may provide Trojans in the guise of free computer games or pornography, or malware disguised as music or video files; or may directly attempt to infect an endpoint upon access (known as drive‑by download). Some websites are spoof sites pretending to be banks or retailers. Cybercrime businesses drive traffic to their websites through mass e-mail campaigns, or by changing information in an endpoint’s browser, or by invading domain name servers and altering their reference information.

• Stealing Identities—What’s a cybercriminal to do with a stolen file of thousands of credit card records? Rather than try to exploit it on their own, cybercriminals sell the data for around $14–$18 per credit card record, or around $500 if the PIN number is also obtained. In addition to selling credit card information, cybercriminals sell data from US Social Security cards, birth certificates, bills/invoices, and driver’s licenses—all of which can be used to set up fraudulent bank accounts.(30)

(30) Thomas Claburn; International Cybercrime Ring Busted; InformationWeek; May 19, 2008. (http://www.informationweek.com/story/showArticle.jhtml?articleID=207801060)
• Providing Independent Contracting/Consulting Services—Legitimate businesses hire cybercriminals to damage the competition. There is no way to tell whether a virus attack or a denial of service (DoS) attack has a third-party sponsor, but if intellectual property is stolen, a competitor may be the sponsor. The Russian Business Network is the most famous cybercriminal business and it is for hire; it is rumored that its software engineering expertise is so great that governments hire its services. On the other side of the fence, there are ethical‑hacker consultancies that are hired to attack a network to test its security level. Banks regularly hire ethical hackers, known as white‑hat hackers, to fortify their security, but few other organizations do.

• Covering Their Tracks—The only link that ties a cybercriminal to an attack is communication from an endpoint that they own to their botnets, so if they communicate via public WiFi they are very difficult to trace. Furthermore, cybercriminals prefer to attack on foreign soil because they are much less likely to get caught, as it is very difficult for national police forces to work together even if evidence surfaces of who is behind specific attacks.

• Banking Offshore—Cyberextortion pays well and typically offshore accounts in the Cayman Islands are used to pass the money through. Ransom fees paid to end a DoS attack typically range from $10,000 to $50,000 depending on the size of the company under attack.

“Malware is becoming more and more complex every day. The number of newly discovered malware samples is skyrocketing, but that’s not the only challenge for the AV industry. In most cases, we’re looking at malware that is built in a modular way, with plug-ins that support new features such as hiding the malware’s presence from the user and from AV products. While it is easy for a good signature-driven product to find a known sample that has not yet been activated, it is becoming increasingly challenging to detect the sample once it is running and trying to hide itself and other malicious components. On the Windows platform the hidden objects usually include services and processes, registry keys and values, as well as directories and files.”(31)
– Andreas Marx and Maik Morgenstern, av‑test.org

CYBERCRIME LEVELS OF THREAT

There are three cybercrime threat levels that IT security measures need to address: background noise, opportunistic attacks, and focused attacks. While companies need to combat background noise, the real threats are opportunistic attacks and focused attacks.

Background Noise

Background noise is the aggregation of all automated attempts by cybercriminals to gain access to endpoints across the world, subverting hundreds to thousands of endpoints daily. When an endpoint connects to the Internet, an attempt to gain access to it happens in seconds. Cybercriminals have scanners that scan the Internet in specific address ranges looking for known access points such as compromised endpoints (i.e., endpoints with open backdoors created by a virus) to add to their botnet. Consequently, some endpoints belong to more than one botnet.

Opportunistic attacks

Just like all other IT managers, a cybercriminal tries to maintain a nonvolatile, reliable network, or in this case botnet, and a cybercriminal will put great effort into making network penetration difficult to detect.

The endpoints subverted through background‑noise activities may include a business endpoint that is valuable to a cybercriminal if it has resources such as high‑bandwidth Internet connections. The goal is to take control of resources and use compromised endpoints as spam generators, or rent them out, or set up transient websites on them. Instances of cybercriminals running spam broadcast sessions overnight from corporate endpoints, when the company’s network is less active, have gone undiscovered for months.

A cybercriminal may load a keylogger on a compromised endpoint to catch a password from the keyboard and use it to rifle the local e-mail file for e-mail addresses or use the local search capability to locate personal financial information. There is an increase in establishing rootkits on compromised endpoints because it is a cybercriminal’s most reliable means of retaining control of an endpoint even after attempts have been made to clean it of all malware.(31)

(31) Andreas Marx and Maik Morgenstern; Anti‑Stealth Fighters Testing for Rootkit Detection and Removal; Virus Bulletin; April 2008. (http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf)
Focused attacks

Focused attacks are clearly the worst threat. In a focused attack, cybercriminals are targeting a specific IT network with the intent to cause disruptive damage, steal data, compromise intellectual property, or perpetrate some kind of fraud. An additional aspect of focused attacks is that the cybercriminal will take their time and slowly compromise systems, resulting in an attack that is extremely hard to detect.

Commonly in focused attacks, cybercriminals have the inside help of a malicious insider that may provide information on security products and how the IT network is configured, or provide passwords, or open a backdoor into the network. Because few organizations keep comprehensive endpoint‑activity logs, it’s hard to prove whether a malicious insider was involved in an attack; however, it is probable in cases where the cybercriminals know exactly how to pull off a sophisticated computer fraud or exactly which data files to steal.

“In fact, the malicious insider sounds like some sort of bogeyman to hear these security pros talk about it. But lest you think the threat is more imagined than real, consider that among companies that experienced a data breach in 2006, 23% said the culprit was an insider, according to a survey by the Computing Technology Industry Alliance.”(32)
– Ben Worthen, The Wall Street Journal Business Technology Blog

BUFFER OVERFLOW + ROOTKIT

Buffer overflow + rootkit is a very popular malicious combination that is providing sustained revenue streams for the cybercrime industry and it is fueling the cybercrime industry’s hypergrowth stage inside the tornado.

ACCESS VECTOR: BUFFER OVERFLOW USED TO INJECT CODE

Code injection uses software errors to inject code into programs already running on an endpoint. The most common method of code injection, and one of the most difficult to stop, is via buffer overflow, where code is injected at the end of a legitimate buffer to run a cybercriminal’s programs.

Programs define memory areas called buffers that are used to accept data from a user or another program. Buffers are defined to have a specific size. For example, a name field may permit 30 characters, so 30 bytes of memory are provided. Ideally, if more data is sent to the program then it should reject everything after the first 30 characters. Unfortunately, most programmers do not bother to write their programs that way and just accept whatever is sent. To achieve a buffer overflow, cybercriminals add specialized program code called shellcode to the end of the 30 characters, and the endpoint will execute the shellcode that was written to the end of the legitimate buffer.

All it takes is trial and error to discover if a program is vulnerable to buffer overflow—the cybercriminal tests to see what happens when a large amount of information is sent to the buffer. Many buffer overflow defects have been found in the Windows operating system (OS) by cybercriminals simply experimenting with the software. Buffer overflow vulnerabilities are even easier to find if the cybercriminal can get the program source code, allowing them to easily check every instance where the program accepts input. Another common method of exploiting buffer overflows is to analyze the patches released by OS and application vendors. This process has become so automated that when Microsoft releases security patches on Patch Tuesday (providing the less sophisticated virus developers with a pointer saying hack me here!) the cybercriminals exploit unpatched systems on Hack Wednesday.(32)

PAYLOAD: ROOTKIT USED TO OBTAIN AND RETAIN CONTROL

Once access to an endpoint is gained, cybercriminals install a rootkit to take control of an endpoint and to retain control so they can load the software needed to carry out their schemes at their convenience. Rootkits are either kernel‑based or non‑kernel‑based.

(32) Ben Worthen; Data Breach of the Day: Britney Spears Edition; The Wall Street Journal Business Technology Blog; March 17, 2008. (http://blogs.wsj.com/biztech/2008/03/17/data-breach-of-the-day-britney-spears-edition/trackback/)
Kernel‑based rootkits operate in the kernel and have the highest level of privilege (i.e., full administrator, or root), allowing the cybercriminal to define and change access rights and permissions to cover up traces of their activities, making kernel‑based rootkits very difficult to detect once installed. For example, with this level of privilege the cybercriminal can hide the rootkit from endpoint utilities that list files and provide information about running processes, and they can also hide other programs they plant on the endpoint.

Non‑kernel‑based rootkits operate in user space and usually have the same privilege level as that of the user credentials used to install it.

Some rootkits are known and can be detected by a scanning program; however, this defense does not work for a newly written rootkit. Typically, established rootkits are detected by a file comparison between a suspect endpoint and a clean endpoint with full administrator rights; however, this is difficult to organize and difficult to carry out while endpoints are running.

“ Strategic Alliances? Bring ‘em on, we love ‘em!...So they want to combine their engines...That’s a great idea! This will be much more tougher to defeat.... That’s right guys. 1 + 1 = 1 in this case ;-) Stopped laughing yet? Ok… these antivirus engines combined can result in a really difficult to beat antivirus product, but there is also a positive side for us, virus authors. This “Strategic Alliance” also means that in the future we do have to concentrate on one product less! Yes, they are right in respect that it is harder to beat this combined product, but it will certainly take less time than testing your virus on 2 completely different products, let alone the fact that it costs you a lot more time to write retro structures against 2 antivirus products instead of one. Afterthought: Should we also take action and form “Strategic Alliances” other groups?(33) ”
– Rajaat/29A, 29A Labs

ENDPOINT SECURITY v2.0

Cybercriminals are well armed, well skilled, and well motivated, so how can an organization protect itself? Fortunately, despite the prolific cyberattack vectors, tools, and strategies, the majority of cyberattacks can be stopped dead in their tracks if the right approach is taken defending the IT network—that is, Endpoint Security v2.0.

ENDPOINT SECURITY v1.0 vs. v2.0

Endpoint Security v1.0, with its multiple layers of reactive antivirus and blacklisting databases, security patches, and personal firewalls (all of which slow performance and add significant cost to network operations), can’t defeat today’s known rootkit threats or unknown threats (i.e., zero-day attacks from malware, rootkits, and buffer overflows)—let alone tomorrow’s.

Endpoint Security v2.0 is proactive, whitelist‑based, provides enforcement from within the kernel, and it is predicated on three core tenets:
• Control what you know.
• Control at the lowest possible level.
• Control transparently.

BOUNCER BY CORETRACE™

BOUNCER by CoreTrace™ takes a revolutionary 180°-shifted approach to endpoint security, providing a unique Endpoint Security v2.0 solution that defeats today’s, tomorrow’s, next year’s… known and unknown threats—finally, efficiently, effectively, BOUNCER stops the madness.

BOUNCER leverages Endpoint Security v2.0’s three core tenets to provide the capabilities listed below for PCs, servers, and embedded systems.
• Preventing unauthorized programs and processes from running.
• Preventing rootkit establishment.
• Stopping code injected via buffer overflow from running and stopping further memory corruption.
• Preventing system configuration modification by staff members, malicious insiders, and malicious outsiders.
• Securing the endpoint transparently to end users.
• Providing ease‑of‑use to the operational staff.

(33) Rajaat/29A; Strategic Alliances? Bring ‘em on, we love ‘em!; 29A Labs; zines; Issue 2; 1998.
(This URL is for informational purposes; we strongly recommend that you do not visit the 29A Labs website. http://vx.netlux.org/29a/29a-2/29a-2.2_a)
Core Tenet #1—Control What You Know

“ This article is about recent exposures of many kernel level vulnerabilities and the advances in their exploitation which leads to trusted (oops safe) and robust exploits… to prove kernel land vulnerabilities such as stack overflows and integer conditions can be exploited and lead to total control over the system, no matter how strict your user land (i.e., privilege separation) or even kernel land (i.e., chroot, systrace, securelevel) enforcements are… I also…contribute to the newly raised concepts (greets to Gera) of fail-safe and reusable exploitation code generation.(34) ”
– Sinan “noir” Eren, Phrack Magazine

Control what you know—what else can you control? Blacklists are pursuing the flawed strategy of trying to control that which is unknowable, and, as a result, are locked in a zero‑day‑threat race they can never win and being paid well for it. Conversely, controlling what you know—that is, controlling the authorized applications used by an endpoint so that you can be indifferent to the rest—is the principle that underpins BOUNCER’s whitelisting strategy that defeats cybercrime.

BOUNCER creates a whitelist of authorized programs (i.e., a list of fingerprints) that it uses to recognize (i.e., identify and validate) an authorized program as it loads. Each authorized program’s fingerprint consists of the triple play of the following integrity checks: file digest (SHA-1 hash), file location (pathname), and file size.

When an unauthorized program tries to load (e.g., a virus from an e‑mail attachment, a program copied onto an endpoint by an authorized user, or a program copied onto an endpoint through a vulnerability), BOUNCER simply does not allow it to execute, thereby defeating the vast majority of threats, including preventing Trojans from overwriting authorized files.

The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities from exploitation, effectively neutralizing zero‑day threats. If a vulnerability is unpatched and exploited, the malicious program or injected code is stopped anyway, so zero‑day threats become a thing of the past. Hack Wednesday goes away and there is time to test all patches before they are deployed—if they are deployed at all.

BOUNCER’s leveraging of “control what you know” results in significant IT cost savings. IT departments that use BOUNCER can say goodbye to the following and say hello to a little sanity:
• Zero‑day threats.
• Malware, trojans, viruses/worms, bots, keyloggers, adware, and spyware.
• Reactive security patching (patch for features you need on your schedule and have time to fully test patches).
• Chronic signature updating.
• Technology stacks, pattern matching, and behavioral heuristics (including the impact of false positives and prolonged learning periods typical of behavioral solutions).

Core Tenet #2—Control at the Lowest Possible Level

“ Userland applications are usually executed in ring3. The kernel on the other hand is executed in the most privileged mode, ring0. This grants the kernel full access to all CPU registers, all parts of the hardware and the memory. With no question is this the mode of choice to do start some hacking.(35) ”
– kad, Phrack Magazine

Most sophisticated attacks are targeted at the kernel; therefore, that is where the battle lies (only security software that functions in the kernel can reliably deliver the controls that IT requires). BOUNCER loads into the kernel very early and performs the following functions:
• Allocates resources only to authorized applications.
• Locks down the process table and keeps track of pointers.

BOUNCER leverages control at the lowest possible level to defeat the following threats:
• Rootkit establishment.
• Injected code via buffer overflow (even in authorized applications).
• System configuration modification by staff members, malicious insiders, and malicious outsiders.
• Direct kernel memory read and write from user space.(34)(35)

(34) Sinan “noir” Eren; Smashing The Kernel Stack For Fun And Profit; Phrack Magazine; Issue 60; December 28, 2002. (http://www.phrack.com/issues.html?issue=60&id=6#article)
(35) kad; Handling Interrupt Descriptor Table for fun and profit; Phrack Magazine; Issue 59; July 28, 2002. (http://www.phrack.com/issues.html?issue=59&id=4#article)
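The three-part fingerprint described under Core Tenet #1, and the clean-versus-suspect file comparison mentioned under rootkit detection, as an added example written for this page (not CoreTrace’s code): each whitelist entry records digest, pathname and size, and a candidate is allowed to load only when all three match. Assumptions: the digest is 64-bit FNV-1a, used as a stand-in for the SHA-1 the paper names so that no crypto library is needed; the whitelist, the program image and the path /opt/app/agent are constructed in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One whitelist entry: the paper's "triple play" of digest, pathname and size. */
struct fingerprint {
    uint64_t digest;
    char     path[64];
    size_t   size;
};

/* Verdicts returned by the load check; anything but ALLOW blocks execution. */
enum verdict { ALLOW = 0, DENY_UNKNOWN_PATH = 1, DENY_DIGEST = 2, DENY_SIZE = 3 };

/* FNV-1a 64-bit over the file image.  Assumption for this example: it stands
 * in for the SHA-1 the paper names, so that no crypto library is required;
 * a real whitelist would use a cryptographic digest here. */
static uint64_t digest_bytes(const unsigned char *data, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Fingerprint a program image found at `path`. */
struct fingerprint fingerprint_of(const char *path,
                                  const unsigned char *image, size_t n)
{
    struct fingerprint fp;
    fp.digest = digest_bytes(image, n);
    snprintf(fp.path, sizeof fp.path, "%s", path);
    fp.size = n;
    return fp;
}

/* Load-time decision: the candidate may run only if some whitelist entry
 * matches on all three checks.  When the path is known but the bytes are
 * not, the verdict says which check failed, which is what an operator
 * wants in the log (a patched file vs. a file that changed size). */
enum verdict check_load(const struct fingerprint *wl, size_t n_wl,
                        const struct fingerprint *cand)
{
    enum verdict reason = DENY_UNKNOWN_PATH;
    for (size_t i = 0; i < n_wl; i++) {
        if (strcmp(wl[i].path, cand->path) != 0)
            continue;                     /* different program, keep looking */
        if (wl[i].size == cand->size && wl[i].digest == cand->digest)
            return ALLOW;                 /* all three checks agree */
        /* Same path, different bytes: report the more specific reason. */
        reason = (wl[i].size != cand->size) ? DENY_SIZE : DENY_DIGEST;
    }
    return reason;
}

/* Constructed scenario (not a real binary): one authorized agent image, then
 * four candidates that whitelist checking should tell apart.
 *   0: untouched image at its recorded path   -> ALLOW
 *   1: same bytes copied to /tmp               -> DENY_UNKNOWN_PATH
 *   2: one byte patched in place               -> DENY_DIGEST
 *   3: bytes appended (size changed)           -> DENY_SIZE
 * Cases 2 and 3 are the clean-endpoint vs. suspect-endpoint comparison from
 * the rootkit section, done one file at a time. */
static const unsigned char AGENT_IMAGE[] = "stand-in bytes for /opt/app/agent v1";

enum verdict scenario(int which)
{
    struct fingerprint wl[1];
    wl[0] = fingerprint_of("/opt/app/agent", AGENT_IMAGE, sizeof AGENT_IMAGE);

    unsigned char image[sizeof AGENT_IMAGE + 8];
    memcpy(image, AGENT_IMAGE, sizeof AGENT_IMAGE);
    size_t n = sizeof AGENT_IMAGE;
    const char *path = "/opt/app/agent";

    switch (which) {
    case 1: path = "/tmp/agent";          break;
    case 2: image[0] ^= 0x01;             break;
    case 3: image[n] = 0x90; n += 1;      break;
    default:                              break;
    }
    struct fingerprint cand = fingerprint_of(path, image, n);
    return check_load(wl, 1, &cand);
}

int main(void)
{
    static const char *names[] = { "ALLOW", "DENY_UNKNOWN_PATH", "DENY_DIGEST", "DENY_SIZE" };
    for (int i = 0; i < 4; i++)
        printf("case %d: %s\n", i, names[scenario(i)]);
    return 0;
}
```

The order of the checks is deliberate: path first, because a known file moved elsewhere is a different event from an unknown file, and size before digest, because a size mismatch is cheap to detect and already rules the file out without hashing it.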