24C3 - 1.01

24th Chaos Communication Congress
Volldampf voraus!

Speakers
Maarten Van Horenbeeck

Schedule
Day: Day 1 (2007-12-27)
Room: Saal 2
Start time: 20:30
Duration: 01:00

Info
ID: 2189
Event type: lecture
Track: Hacking
Language: en

Crouching Powerpoint, Hidden Trojan

An analysis of targeted attacks from 2005 to 2007

Targeted trojan attacks first attracted attention in early 2005, when the UK NISCC warned of their widespread use in attacks on UK national infrastructure. Incidents such as "Titan Rain" and the compromise of US Department of State computer systems have increased their profile in the last two years. This presentation will consist of hard, technical information on attacks in the form of a case study of an actual attack ongoing since 2005. It covers exploitation techniques, draws general conclusions on attack methodologies and focuses on how to defend against the dark arts.

June 16th, 2005. The NISCC, or National Infrastructure Security Co-ordination Centre, in the United Kingdom issued a briefing stating that parts of the UK Critical National Infrastructure were under attack by ongoing email-borne electronic attacks. This warning was echoed shortly after by the Australian Defence Signals Directorate and Canada’s CCIRC. A second warning was released by the US Computer Emergency Readiness Team in July 2005. They reported ongoing attacks dating back to January 2005.

April 2007. E-mail security firm MessageLabs releases a public report on the number of targeted attacks they had uncovered during the month of March. The report coincides with a US House Committee hearing on a major 2006 e-mail-borne information security compromise at the Department of State.

September 2007. Chancellor Merkel's visit to China prompts several German news outlets to report on attacks against government information systems originating from China. Simultaneously, reports appear on similar attacks originating from Iran.

This presentation does not deal with 98% of keyloggers and trojans out on the internet. On the contrary, it deals with the small percentage of attacks that currently use advanced techniques to compromise industrial networks with the goal of gathering intelligence: information that helps gain competitive advantage.

This presentation traces a gradual increase in the complexity of targeted attacks, and includes detail on both the exploitation techniques used and the overall attack methodology. Using a real-life case study with samples, it covers the move from relatively simple, screensaver-mimicking executables in 2005 to the use of advanced, sometimes 0-day, file format exploits in 2007, and investigates how an organization can protect itself against the zero-day threat.