Post on 14-Oct-2020
Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
Polymorphism in Crimeware and why it isn’t needed in targeted attacks
Alex Lanstein
FireEye, Inc.
As We’ve Heard…
• Polymorphism is effectively used in “drive-by” exploits, email-centric attacks, and also in subsequent payloads downloaded once the criminal has a foothold
• But for single target attacks, this is unnecessary
Polymorphic JavaScript Obfuscation
• Exploits are easy to detect if they are static…
Exact Same Exploit – More Obfuscation
Cyber criminals use polymorphic packers
Packer software rolls up malware into a single package that has the ability to make its "signature" mutate, evading typical detection
Repacked in Each Session (Polymorphic)
Payload Polymorphism
Polymorphism Exists for Email Attachments Too
As We’ve Heard…
• Polymorphism is effectively used in “drive-by” exploits, email-centric attacks, and also in subsequent payloads downloaded once the criminal has a foothold
• But for single target attacks, this is unnecessary
Target Reconnaissance is Simple
Tibetan Supporters are Frequent Targets
Decoy Documents are the Norm
Initial Dropper is Simple in Functionality
Callbacks Leverage Sites With Good Reputation
Spearphishing is Free!
And Exactly as Sophisticated as it Needs To Be…
How FireEye Breaks the Attack Lifecycle
Known attacks & callbacks blocked in microseconds
• Fast-path blocking
Dynamic, real-time analysis of inbound, zero-day attacks
• Pulls out suspicious flows, email attachments, and/or files/binaries
• Analyzes within virtual execution environments
• Confirms attack underway and profiles malware for callback and other data
Zero-day callback filter stops data exfiltration
• Local feedback loop feeds malware content into fast path blocking
• Stops data exfiltration due to zero-day (and known) attacks
[Diagram: FireEye Appliance with inbound & outbound fast path blocking, Malware-VM filter and Malware-callback filter; Local Feedback Loop and Global Feedback Loop with real-time sharing of malware data to the FireEye Malware Protection Cloud (timescales labelled seconds and minutes); Compromised Web server or Web 2.0 site; Callback Server; steps numbered 1 to 3]
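The three tiers on this slide, as an added toy model (not FireEye code): a fast path that blocks known hashes and callbacks, a virtual-execution stage for unknown inbound binaries, and the local feedback loop that turns the VM's callback profile into fast-path content. The point the model makes is the deck's own: a repacked payload changes its hash, but the C&C descriptor extracted dynamically does not, so the feedback loop blocks later sessions without re-analysis. All hosts, hashes and report fields are constructed.

```python
# Added toy model of the slide's pipeline; every name, host, hash and
# sandbox-report field below is constructed for the example.

class FastPath:
    """Known-bad state checked first for every flow (the microseconds tier)."""
    def __init__(self):
        self.bad_hashes = set()
        self.callbacks = set()          # (host, path prefix) C&C descriptors

    def verdict(self, flow):
        direction, host, path, sha256 = flow
        if sha256 and sha256 in self.bad_hashes:
            return "block"
        if direction == "out" and any(host == h and path.startswith(p)
                                      for h, p in self.callbacks):
            return "block"
        return "pass"


def profile_from_vx(report):
    """Distil C&C descriptors from a (constructed) sandbox report. The beacon
    host and path prefix survive repacking; the dropper hash does not."""
    if not (report["os_modifications"] and report["connections"]):
        return None                     # nothing malicious observed in the VM
    prefixes = {(c["host"], c["path"].rsplit("/", 1)[0] + "/")
                for c in report["connections"]}
    return {"sha256": report["sha256"], "callbacks": prefixes}


def run(flows, vx_reports):
    """Process flows (direction, host, path, sha256) in order. An unknown
    inbound binary goes to VX; a confirmed profile is fed back to the fast
    path so later callbacks are blocked without re-analysis."""
    fp, decisions = FastPath(), []
    for flow in flows:
        v = fp.verdict(flow)
        if v == "pass" and flow[0] == "in" and flow[3] in vx_reports:
            profile = profile_from_vx(vx_reports[flow[3]])
            if profile:                 # attack confirmed in the VM
                fp.bad_hashes.add(profile["sha256"])
                fp.callbacks |= profile["callbacks"]
                v = "block"
        decisions.append(v)
    return decisions


# Constructed sample: a dropper beaconing to a blog path on a reputable host.
VX_REPORTS = {"aaa111": {"sha256": "aaa111", "os_modifications": ["run key"],
              "connections": [{"host": "blog.example.com", "path": "/u/42/cmd.php"}]}}
FLOWS = [("out", "blog.example.com", "/u/42/cmd.php", ""),     # not yet known: passes
         ("in", "mail.example.net", "/att/report.exe", "aaa111"),  # sent to VX
         ("out", "blog.example.com", "/u/42/cmd.php", "")]     # blocked after feedback
```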
Next Generation Threat Protection Portfolio
• Protects across the most prolific threat vectors, Web and email
• Protects against the lateral movement of malware within the enterprise
• Most comprehensive portfolio to stop the infiltration mechanisms of advanced attacks and their persistence
Complete Protection Against Advanced Targeted Attacks: Web Malware Protection System, Malware Protection System, File Malware Protection System
Web Malware Protection System
FEATURES
• Inline blocking both inbound and outbound
• Advanced content analysis (PDF, JavaScript, URLs)
• Models up to 1 Gbps at microseconds latency
• Inline, real-time, signature-less malware protection at near-zero false positives
• Analyzes all web objects, e.g., web pages, Flash, PDF, Office docs and executables
• Blocks malicious callbacks, terminating data exfiltration across protocols
• Dynamically generates zero-day malware and malicious URL security content and shares it through the Malware Protection Cloud network
• Integration with Email and File MPS and MAS for real-time callback channel blocking
Multi-Protocol, Real-Time VX Engine
PHASE 1: Multi-Protocol Object Capture
PHASE 1: WEB MPS
• Aggressive Capture
• Web Object Filter
PHASE 1: E-MAIL MPS
• Email Attachments
• URL Analysis
Map to Target OS and Applications
PHASE 2: Virtual Execution Environments (dynamic, real-time analysis)
• Exploit detection
• Malware binary analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors
www.FireEye.com
alex@fireeye.com
@alex_lanstein on twitter
Thank You