Black Hat 2008 Wrap Up

Thursday, August 21st, 2008

By Hunter King & Nick Chapman

The saying goes: “What happens in Vegas stays in Vegas.” Well, apparently not during the week of Black Hat USA 2008. Black Hat is one of the world’s largest and most well known security conferences. Several members of the SecureWorks Counter Threat UnitSM had an opportunity to attend and we’d like to share some brief highlights from a few of the talks.

There were many highly renowned speakers sharing their expertise, including our own Joe Stewart speaking about the Storm botnet. Informal conversations with other attendees were also extremely valuable. With all this knowledge and experience in one place, Black Hat really is like drinking from the InfoSec fire hose. We don’t want to keep you in suspense any longer, so here are a few samples from some of our favorite talks.

SQL Injection Worms for Fun and Profit

Readers of our previous blog postings will know that we, like many others, have been keeping an eye on the recent waves of mass SQL injection attacks (here, here, and here). Justin Clarke of Gotham Digital Science gave a turbo talk about this very topic. The main thrust of his presentation was that this is just the beginning. The current attacks, although widespread, are very limited in scope. The attackers are only targeting websites that use Microsoft SQL Server as a backend database and only target Microsoft ASP (and more recently ColdFusion) websites. Once a website has been compromised, the payload only targets users who visit that site. Nasty attacks that could be on the horizon include privilege escalation / attacking the database host OS, attacking HTML forms, scanning internal corporate networks / DMZs, and more. Today the attackers are using the Google search engine to identify potentially vulnerable systems and have successfully compromised literally hundreds of thousands of websites. It would be quite feasible to use Google search results to further refine their focus, generating a targeted attack against an entire business vertical or just a particular organization.

Get Rich or Die Trying - “Making Money on The Web, The Black Hat Way”

Jeremiah Grossman and Arian Evans gave a wonderful talk about real world ways to monetize attacks, both against technology and flaws in business logic (Arian’s other talk about encoding issues was also very interesting). What I found fascinating is how, as the amount of money involved increased, the amount of technical expertise required to pull off the hack decreased. The presentation started by talking about manually solving CAPTCHAs for profit. Initial offers were for $10 per 1000 CAPTCHAs solved, which works out to an income of about $50 a day. However, free market competition drove that price down to as low as $2 per 1000 CAPTCHAs.

Another example of ways hackers can make large sums of money that don’t require a high degree of technical sophistication was through information leakage. An Application Service Provider (ASP) which provided services to banks had been revealing sensitive information in an error message. Only three items of information were actually required to access an account through the ASP – a client identifier, a bank identifier and an account number.

These parameters were supplied via HTTP GET variables, easily modifiable by anyone with a web browser. If these three items didn’t match, the web application was kind enough to tell the visitor that “Account X belongs to Bank Y.” If a visitor used the correct bank identifier but the other parameters did not match, the website would inform them that “Bank Y belongs to Client Z.” The website was also only checking that a visitor was authenticated - it did not verify that the user was authorized to access that particular account. This could easily be exploited for profits in the tens or hundreds of thousands of dollars.
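To make the two flaws concrete, here is an added example (not code from the talk or from the ASP) of an account lookup that behaves as described above, beside a hardened version that checks authorization and returns a single generic error. The account data, session object and identifiers are all constructed for the example.

```python
# Added example: the ASP's flawed lookup logic as the page describes it,
# next to a hardened version. All data and names below are constructed.

ACCOUNTS = {
    # account_number: (bank_id, client_id)  -- constructed sample data
    "1001": ("BANK-7", "CLIENT-3"),
    "1002": ("BANK-7", "CLIENT-4"),
    "2001": ("BANK-9", "CLIENT-5"),
}


class Session:
    """Constructed stand-in for an authenticated web session."""
    def __init__(self, user, authenticated, authorized_accounts):
        self.user = user
        self.authenticated = authenticated
        self.authorized_accounts = set(authorized_accounts)


def lookup_vulnerable(session, client_id, bank_id, account):
    """Authentication only (no authorization), plus error messages that
    reveal which bank and which client an account belongs to."""
    if not session.authenticated:
        return (401, "please log in")
    real = ACCOUNTS.get(account)
    if real is None:
        return (404, "unknown account")
    real_bank, real_client = real
    if bank_id != real_bank:
        return (400, f"Account {account} belongs to Bank {real_bank}")
    if client_id != real_client:
        return (400, f"Bank {bank_id} belongs to Client {real_client}")
    return (200, f"balance for {account}")


def lookup_hardened(session, client_id, bank_id, account):
    """Checks that the session is authorized for the account, and answers
    every failure (wrong bank, wrong client, unknown account) identically."""
    if not session.authenticated:
        return (401, "please log in")
    if account not in session.authorized_accounts:
        return (403, "access denied")
    if ACCOUNTS.get(account) != (bank_id, client_id):
        return (403, "access denied")
    return (200, f"balance for {account}")
```

With only authentication, a logged-in user can walk the GET parameters and let the error messages fill in the missing identifiers; with the authorization check in place, the same requests all collapse into one uninformative response.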

A third example requires even less technical expertise. A website featuring press releases (including profit and loss statements) would add press releases to their site ahead of their official release date — they just wouldn’t link them from the main page. However, the press releases were stored on sequentially numbered web pages, so it was a trivial task to identify and access a “hidden” press release. This allowed outsiders to see P&L information for publicly traded companies before the market closed. Hackers exploited this to earn over 8 million dollars on the stock market.

The critical lesson here is that all avenues of attack must be considered. This is especially true when dealing with how the business logic is implemented at a technical level. This is very difficult to do, because it requires knowledge of the business processes and a grasp of some of the technical details that drive those processes. If you’re not aware of how these interact, rest assured that there are many people using your systems, and it only takes a single one having that “Eureka!” moment where they find a critical flaw. This can lead to financial losses in the hundreds of thousands or more. What’s even worse is that some of these “attacks” aren’t even illegal, not even in the United States.

Malware Detection Through Network Flow Analysis

The always entertaining Bruce Potter, founder of The Shmoo Group, gave a talk titled “Malware Detection Through Network Flow Analysis.” In it, Bruce emphasized the need to quickly detect compromised machines in order to minimize damage. Given the rate at which client-side attacks presently occur, compromise is, for many, inevitable. Quick detection of infections becomes an increasingly important tool in the defender’s toolkit. Bruce advocates analyzing network traffic data for statistical anomalies. For example, a desktop which sends out twice as much data as it receives is likely part of a botnet. Without NetFlow data (or similar), this infection may go completely unnoticed. Bruce also advocated including frequency distribution graphs alongside traditional time-based graphs as a method of quickly identifying potential network issues. Incorporating these techniques won’t stop the bad guys, but it could greatly minimize the damage done once a compromise does occur.
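The “sends twice what it receives” heuristic, as an added example that is not from Bruce’s talk: it aggregates per-host bytes from NetFlow-style records and flags internal hosts whose outbound volume is at least twice their inbound volume. The flow records, the internal subnet and the minimum-volume floor are constructed assumptions.

```python
# Added example: Bruce Potter's out/in ratio heuristic over constructed
# NetFlow-style records. Subnet, records and thresholds are made up.
from collections import defaultdict

INTERNAL = "10.0.0."   # constructed: prefix of the desktop subnet

# Constructed sample flows, one direction per record: src,dst,bytes
FLOWS = """\
10.0.0.5,203.0.113.10,1200
203.0.113.10,10.0.0.5,48000
10.0.0.7,198.51.100.3,90000
198.51.100.3,10.0.0.7,3000
10.0.0.7,198.51.100.4,45000
10.0.0.9,203.0.113.22,500
203.0.113.22,10.0.0.9,700
"""


def parse_flows(text):
    """Yield (src, dst, bytes) tuples from the CSV-style records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, nbytes = line.split(",")
        yield src, dst, int(nbytes)


def per_host_totals(flows):
    """Bytes sent and received per internal host: host -> [sent, received]."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, nbytes in flows:
        if src.startswith(INTERNAL):
            totals[src][0] += nbytes
        if dst.startswith(INTERNAL):
            totals[dst][1] += nbytes
    return totals


def suspicious_hosts(flows, ratio=2.0, min_sent=10_000):
    """Hosts whose outbound bytes are at least `ratio` times inbound bytes.
    `min_sent` keeps nearly idle hosts from being flagged on a few packets."""
    flagged = {}
    for host, (sent, recv) in per_host_totals(flows).items():
        if sent >= min_sent and sent >= ratio * max(recv, 1):
            flagged[host] = (sent, recv)
    return flagged


if __name__ == "__main__":
    for host, (sent, recv) in suspicious_hosts(parse_flows(FLOWS)).items():
        print(f"{host}: sent {sent} bytes, received {recv} bytes")
```

In the sample data only 10.0.0.7 is flagged; 10.0.0.9 also sends more than it receives, but the volume floor keeps a few hundred bytes from producing an alert.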

Circumventing Automated JavaScript Analysis Tools

Billy “AJAX” Hoffman’s talk, titled “Circumventing Automated JavaScript Analysis Tools,” focused on why current attempts to run malicious JavaScript within sandboxes are failing. With the increasing popularity of sandboxes, including SecureWorks’ own Caffeine Monkey, JavaScript-based malware is being forced to play “catch-up” with x86 malware with regard to sandbox detection. These techniques revolve around writing code which behaves differently in a browser than in a sandbox. Using the “quit” command within a try/catch block is a perfect example. This command, which does nothing when run from within a web browser, will exit Mozilla’s standalone JavaScript interpreter. Billy listed at least 20 pages of similar techniques (each of which a sandbox must handle explicitly). Two main alternatives exist:

1) Analyze malware using a real browser within a VM. JavaScript can tell when it is being run within a sandbox, but not when it is running in a real browser inside a VM.

2) Modify the Mozilla JS interpreter to run in headless mode. This would break the majority of Billy’s attacks and raise the bar significantly for malware authors. Any checks that malware would need in order to detect this form of inspection would themselves be easy to identify and evade.


Tax Season Presents Opportunities for Scammers

Monday, February 4th, 2008

It is tax time in the United States, and scammers are seizing the opportunity to launch new attacks on your bank accounts and steal your identity.

One new twist involves the use of SMS text messages sent to phones. In this phishing attack, the message reads similar to:

NOTICE: You have 71 IRS UNITS pending for refunding, please visit xxxxx website.com ASAP

Users of most smart phones can visit the scammer’s site using their phone simply by following the link. Others must type the address into their browser once they get to a computer. Once there, a phishing site asks for personal and banking account information.

In another scam, an email bearing the name and logo of the Internal Revenue Service tells recipients that they must register for direct deposit at an official website in order to get their rebate check as promised by the proposed “economic stimulus” package. These messages carry subjects such as “2007 fiscal activity rebate”. The link in the email points to yet another phishing site asking for personal information and bank account numbers.

Keep in mind that the proposed stimulus package has not yet passed and the terms of the deal are still being debated on Capitol Hill. Also, the IRS and U.S. Treasury do not require individuals to use direct deposit.

Similar scams using vishing (voice phishing) phone calls have also been reported. These scams usually hide or spoof the Caller ID information to seem more credible.

These types of scams are expected to increase throughout the American tax season, which ends on April 15. The scams involving the economic stimulus package could go on for a while longer. Until the plan is finalized, no one will be getting checks from the government. Current estimates put possible check mailing dates in June or July.

All the usual warnings regarding phishing apply, and user education is really the only way to combat this sort of social engineering. Treat unsolicited SMS messages and phone calls with the same critical eye that you would use for unsolicited email.
