Modern Malware and Threats

Modern Malware and Threats - Martin Čmelík, www.security-portal.cz. Talk given at "Moderní malware a možnosti obrany" (Modern malware and defence options), Hotel Panorama, Praha, 28.05.2015


What is malware?

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. (source: Wikipedia)


Value of hacked computer

source: krebsonsecurity.com

Threat Landscape

Category        | Motivation                  | Actors                          | Targets
----------------|-----------------------------|---------------------------------|-----------------------------------------
Cyber war       | Military/political advance  | Nation-states                   | Critical infrastructure
Terrorism       | Political change            | Terrorist networks and groups   | Infrastructure and public assets
Espionage       | Intellectual property gain  | Nation-states and enterprises   | Governments, companies and individuals
Organized crime | Financial gain              | Criminals                       | Companies and individuals
Hacktivism      | Ego, curiosity and change   | Groups and individuals          | Governments, companies and individuals

Types of malware

Viruses

Worms

Trojan Horses

Spyware

Crimeware

Bankers

Backdoors

Exploits

RAT (Remote Access Trojan)

Bootkits

Rootkits

Ransomware

Zombie/Bot, Dropper, …

source: http://www.kaspersky.com/internet-security-center/malware-tree.jpg

Malware classification tree

Traditional vs Modern malware

Traditional malware:
- Open channels
- Known; detection signatures and patches available
- Broad & noisy
- Single, centralized infrastructure

Modern malware:
- Stealthy & covert
- Unknown to detection tools; uses zero-day exploits
- Targeted & personalized
- Persistent
- Distributed infrastructure

Sources of infection

Spear phishing & Spam

Social Media

Infected websites (drive-by-download, watering hole, …)

Exploit Kits (Blackhole - not active, SweetOrange, Angler, Magnitude, …)

Infected media - USB stick (autorun.inf, BadUSB)

Infected host on network

Dynamic binary patching

Pirated Software & Key Generators

Human error

Persistence

Backdoor
- enables an attacker to bypass the normal authentication procedure to gain access to the system

Rootkit
- admin-level type of access
- hides its existence in the system
- blocks AV/malware scanners or feeds them spoofed data
- firmware rootkits (network card, disk, BIOS, VGA, …) survive OS reinstallation

Bootkit
- kernel-mode type of rootkit
- infects the MBR, VBR or boot sector so it runs before the OS
- can be used to attack full disk encryption
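Added example, not from the deck: parsing the MBR and comparing its boot code and partition table with a saved baseline, since a bootkit has to change the boot code but usually keeps the partition table intact so the machine still boots. The sector contents are constructed; the boot code bytes are a stand-in, not a real bootloader.

```python
"""Baseline comparison of the MBR, the sector a bootkit overwrites."""
import hashlib
import struct

PARTITION_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Split one 512-byte MBR into boot code hash, disk signature and partition table."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, sector, 446 + 16 * i)
        if ptype:  # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def compare_to_baseline(sector, baseline):
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code, partitions):
    """Constructed MBR for the demo (assumption: not a bootable image)."""
    sector = bytearray(512)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)          # disk signature
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, sector, 446 + 16 * i,
                         0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:] = b"\x55\xaa"
    return bytes(sector)


# Stand-in boot code: a typical MBR prologue padded with NOPs (constructed).
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 100
CLEAN = build_mbr(CLEAN_CODE, [(True, 0x07, 2048, 204800)])
# A bootkit keeps the partition table so the system still boots but replaces the
# boot code so its own loader runs first; here only the first bytes are patched.
INFECTED = build_mbr(b"\xea\x00\x7c\x00\x00" + CLEAN_CODE[5:], [(True, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN)

if __name__ == "__main__":
    print("clean:   ", compare_to_baseline(CLEAN, BASELINE))
    print("infected:", compare_to_baseline(INFECTED, BASELINE))
```

On a live system the sector comes from the raw disk device (e.g. the first 512 bytes of /dev/sda or \\.\PhysicalDrive0), read from a trusted boot medium rather than from inside the possibly infected OS, and the baseline is stored off the machine.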

Communication

Common (allowed) protocols: HTTP, HTTPS, SSH, DNS

Proprietary protocols and encryption

Communication via proxies, tunnels, IRC

Through public services like Facebook, Reddit, Twitter, Google

Steganography (image EXIF metadata)

TOR hidden services (e.g. Mevade)

P2P network (e.g. Alureon, GameOver)

Computer speakers and microphones to bridge air gaps (badBIOS PoC)

Fast Flux (or DDNS) - combination of P2P, distributed CnC, load balancing and proxy redirection (e.g. Storm Worm)

Single vs Double Fast Flux network

source: http://www.honeynet.org/node/136
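As an added example (not part of the deck), the features behind the fast-flux figure above, computed over constructed DNS observations: the number of distinct A records, how many unrelated networks they fall into, the TTL, and whether the nameserver IPs rotate as well (double flux). The observations, the /16 bucketing used as a stand-in for an ASN lookup and the thresholds are all assumptions made for this illustration.

```python
"""Fast-flux features from DNS answers."""
from collections import defaultdict

# Constructed observations: (name, record type, IP, TTL). The bad-example name
# cycles through IPs in three unrelated networks with short TTLs and rotates its
# nameserver IPs too (double flux); the good-example name is a conventional host;
# the cdn-example name has many IPs as well, but only in two networks (the caveat).
OBSERVATIONS = [
    ("update.bad-example.test", "A",  "203.0.113.7",    180),
    ("update.bad-example.test", "A",  "198.51.100.23",  180),
    ("update.bad-example.test", "A",  "192.0.2.99",     120),
    ("update.bad-example.test", "A",  "203.0.113.200",  180),
    ("update.bad-example.test", "A",  "198.51.100.77",   60),
    ("update.bad-example.test", "A",  "192.0.2.15",     120),
    ("update.bad-example.test", "NS", "203.0.113.50",   300),
    ("update.bad-example.test", "NS", "192.0.2.50",     300),
    ("www.good-example.test",   "A",  "198.51.100.10", 3600),
    ("www.good-example.test",   "A",  "198.51.100.11", 3600),
    ("www.good-example.test",   "NS", "198.51.100.2", 86400),
    ("img.cdn-example.test",    "A",  "203.0.113.10",    60),
    ("img.cdn-example.test",    "A",  "203.0.113.11",    60),
    ("img.cdn-example.test",    "A",  "203.0.113.12",    60),
    ("img.cdn-example.test",    "A",  "198.51.100.40",   60),
    ("img.cdn-example.test",    "A",  "198.51.100.41",   60),
    ("img.cdn-example.test",    "NS", "198.51.100.2", 86400),
]


def network_key(ip):
    """Stand-in for an ASN lookup (assumption): bucket IPv4 addresses by /16."""
    return ".".join(ip.split(".")[:2])


def flux_features(observations):
    """Per name: distinct A records, distinct networks, NS network diversity, lowest A TTL."""
    per_name = defaultdict(lambda: {"A": set(), "NS": set(), "a_ttls": []})
    for name, rtype, ip, ttl in observations:
        rec = per_name[name]
        rec[rtype].add(ip)
        if rtype == "A":
            rec["a_ttls"].append(ttl)
    features = {}
    for name, rec in per_name.items():
        features[name] = {
            "a_records":   len(rec["A"]),
            "a_networks":  len({network_key(ip) for ip in rec["A"]}),
            "ns_networks": len({network_key(ip) for ip in rec["NS"]}),
            "min_a_ttl":   min(rec["a_ttls"]) if rec["a_ttls"] else None,
        }
    return features


def classify(f, min_ips=5, min_networks=3, max_ttl=300):
    """Thresholds are illustrative assumptions, not measured values."""
    if f["min_a_ttl"] is None or f["min_a_ttl"] > max_ttl:
        return "not flux"
    if f["a_records"] < min_ips or f["a_networks"] < min_networks:
        return "not flux"
    # single flux rotates only the A records; double flux rotates the NS records too
    return "double flux" if f["ns_networks"] >= 2 else "single flux"


def report(observations=OBSERVATIONS):
    return {name: classify(f) for name, f in flux_features(observations).items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:28s} {verdict}")
```

The CDN case is why the network count matters more than the raw IP count: a content delivery network also answers with many short-TTL addresses, but they sit in a handful of networks owned by one operator, whereas a flux network is built from compromised hosts scattered across consumer ISPs.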

Bredolab Botnet

source: http://securelist.com/analysis/publications/36335/end-of-the-line-for-the-bredolab-botnet/

Anti-Detection techniques

Obfuscation - the deliberate act of creating source or machine code that is difficult for humans to understand.

Packers - comparable to obfuscation. An executable compression algorithm is applied and the compressed data is combined with the decompression stub into a single executable. Chaining several packers can still give quite good evasion results.

Oligomorphic code - randomly selects each piece of the decryptor from several predefined alternatives (+, -, /, XOR). Limited to just a few hundred different decryptors.

Polymorphic code - uses a polymorphic engine to mutate while keeping the original algorithm intact. The encryptor/decryptor changes each time the code runs, but the function remains the same.

Metamorphic code - no part of the malware stays the same. Metamorphic viruses often translate their own binary code into a temporary representation, edit that representation and translate the edited form back into machine code.

Steganography - concealment of information within computer files (images, videos, …). Used sporadically at this time, but it seems to be the weapon of choice for droppers, which can download an image, a YouTube video or whatever and extract the malware payload from it.
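An added example, not code from the deck: a toy oligomorphic/polymorphic encoder next to the byte-entropy check analysts run against packed or encrypted bodies. The payload is a harmless constructed stand-in, and the three decryptor alternatives mirror the oligomorphic idea above. It also shows the caveat that single-byte XOR leaves entropy untouched, so entropy alone only catches the stronger schemes.

```python
"""A toy polymorphic encoder next to the entropy heuristic used against it."""
import hashlib
import math
import random
from collections import Counter

# Constant body every variant must reproduce (constructed, about 2.5 KB of text).
PAYLOAD = (b"The quick brown fox jumps over the lazy dog. "
           b"Stand-in for the malicious body kept constant across variants. ") * 24

# Oligomorphic choice: each variant picks one reversible byte operation and a
# fresh key/step, so the stored body and the decryptor stub both differ while the
# recovered payload is identical. Three alternatives give a bounded number of
# distinct decryptors, which is the limitation noted for oligomorphic code.
OPS = {
    "xor": (lambda b, k: b ^ k,          lambda b, k: b ^ k),
    "add": (lambda b, k: (b + k) & 0xFF, lambda b, k: (b - k) & 0xFF),
    "sub": (lambda b, k: (b - k) & 0xFF, lambda b, k: (b + k) & 0xFF),
}


def make_variant(payload, rng):
    """Return (stub, body). A real sample carries the stub as code, the body as data."""
    op = rng.choice(sorted(OPS))
    key = rng.randrange(1, 256)
    step = rng.randrange(1, 256) | 1       # odd step: the rolling key visits all 256 values
    enc, _ = OPS[op]
    body = bytes(enc(b, (key + i * step) & 0xFF) for i, b in enumerate(payload))
    return {"op": op, "key": key, "step": step}, body


def run_stub(stub, body):
    """What the decryptor stub does at run time: undo the rolling-key operation."""
    _, dec = OPS[stub["op"]]
    return bytes(dec(b, (stub["key"] + i * stub["step"]) & 0xFF) for i, b in enumerate(body))


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def variants(seed=7, count=5):
    """Generate variants; every one decrypts to PAYLOAD yet hashes differently."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        stub, body = make_variant(PAYLOAD, rng)
        assert run_stub(stub, body) == PAYLOAD
        out.append({"stub": stub, "sha256": hashlib.sha256(body).hexdigest(),
                    "entropy": round(entropy(body), 2)})
    return out


def single_byte_xor(data, key):
    """The weakest scheme: one key byte for the whole body (a bijection on byte values)."""
    return bytes(b ^ key for b in data)


def entropy_report():
    """Plaintext vs single-byte XOR vs rolling-key variant: what the heuristic sees."""
    _, body = make_variant(PAYLOAD, random.Random(1))
    return {
        "plaintext": entropy(PAYLOAD),
        "single_byte_xor": entropy(single_byte_xor(PAYLOAD, 0x5A)),
        "rolling_key": entropy(body),
    }


if __name__ == "__main__":
    for v in variants():
        print(v["sha256"][:16], v["entropy"], v["stub"])
    print(entropy_report())
```

A hash or byte-sequence signature over the body fails on every variant, which is the point of the technique; the rolling key pushes entropy close to 8 bits per byte, which is what the "looks packed or encrypted" heuristic keys on. A single-byte XOR only permutes the byte histogram, so its entropy equals the plaintext's and this heuristic says nothing about it.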

Example of obfuscated JavaScript

Result? Redirect to google.com website

source: http://www.kahusecurity.com/2011/making-wacky-redirect-scripts-part-i/

Example of obfuscated PHP script

source: http://ddecode.com/phpdecoder/?results=e0719289a4608ed4ef4efa66375337ef
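Added example covering both the JavaScript and the PHP slides above; it is not the scripts from the slides, whose contents are not reproduced here. Both samples are constructed below (a redirect to google.com behind two JavaScript layers, and echo 42; behind eval(gzinflate(base64_decode(...))) and str_rot13 in PHP), and the decoder unwraps them statically without executing anything. The supported function set is an assumption chosen to match these common dropper idioms.

```python
"""Statically peeling the encoding layers of obfuscated JavaScript and PHP."""
import base64
import codecs
import re
import zlib
from urllib.parse import unquote


# --- JavaScript layers ------------------------------------------------------
def js_decode_escapes(text):
    # "\x68\x74\x74\x70" -> "http"
    text = re.sub(r"(?:\\x[0-9a-fA-F]{2})+",
                  lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"), text)
    # unescape('%68%74%74%70') -> "http"
    return re.sub(r"unescape\(['\"]((?:%[0-9a-fA-F]{2})+)['\"]\)",
                  lambda m: '"' + unquote(m.group(1)) + '"', text)


def js_decode_fromcharcode(text):
    # String.fromCharCode(104,116,116,112) -> "http"
    return re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                  lambda m: '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"',
                  text)


JS_EVAL = re.compile(r"^\s*eval\(\s*([\"'])(.*)\1\s*\)\s*;?\s*$", re.S)

# --- PHP layers -------------------------------------------------------------
PHP_FUNCS = {
    "base64_decode": base64.b64decode,
    "gzinflate":     lambda b: zlib.decompress(b, -zlib.MAX_WBITS),   # raw DEFLATE, like PHP
    "gzuncompress":  zlib.decompress,                                 # zlib-wrapped
    "str_rot13":     lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev":        lambda b: b[::-1],
}
# eval(f(g('literal')));  optionally inside <?php ... ?>
PHP_EVAL = re.compile(
    r"^\s*(?:<\?php\s+)?eval\(\s*((?:\w+\(\s*)+)([\"'])([^\"']*)\2\s*\)+\s*;?\s*(?:\?>)?\s*$", re.S)


def peel_once(text):
    """Remove one layer: a PHP eval() chain of known functions, or a JS eval() of a string."""
    m = PHP_EVAL.match(text)
    if m:
        funcs = re.findall(r"\w+", m.group(1))
        if all(fn in PHP_FUNCS for fn in funcs):
            data = m.group(3).encode("latin-1")
            for fn in reversed(funcs):           # innermost call runs first
                data = PHP_FUNCS[fn](data)
            return data.decode("latin-1")
    text = js_decode_fromcharcode(js_decode_escapes(text))
    m = JS_EVAL.match(text)
    return m.group(2) if m else text


def peel(text, max_layers=10):
    """Return every layer from the obfuscated input down to the innermost script."""
    layers = [text]
    for _ in range(max_layers):
        nxt = peel_once(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


# --- Constructed samples (harmless) -----------------------------------------
def _js_sample():
    inner = 'window.location.href="http://google.com/";'
    layer1 = "eval(String.fromCharCode(%s));" % ",".join(str(ord(c)) for c in inner)
    return 'eval("%s");' % "".join("\\x%02x" % ord(c) for c in layer1)


def _php_sample():
    layer1 = "eval(str_rot13('%s'));" % codecs.encode("echo 42;", "rot_13")
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = co.compress(layer1.encode()) + co.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode()


JS_SAMPLE = _js_sample()
PHP_SAMPLE = _php_sample()

if __name__ == "__main__":
    for sample in (JS_SAMPLE, PHP_SAMPLE):
        for depth, layer in enumerate(peel(sample)):
            print(depth, layer[:80])
```

Real droppers add layers this decoder does not know (custom key schedules, string splitting, DOM-dependent lookups); when the static peel stalls, the usual fallback is to run the script in an instrumented interpreter with eval() and document.write() replaced by logging, which is what the online decoders linked on the slides do.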

Exploit Kit services

Dashboard - statistics, infected computers, traffic flow summary, infection rate in % by OS, used exploit, country, browser, affiliate/partner, …

Available exploits to use and exploits which you can buy

AntiVirus evasion techniques + virustotal-like service to verify results

Code obfuscation service (HTML, JavaScript, ActionScript/Flash, PDF, Java, …)

Landing pages with details about the obfuscation and iframes used, checks whether the site is on any kind of blacklist (URL scanner), …

Random domain generator (changing every X hours)

Tool for sending spam and spear phishing campaigns (mailing lists included)

DDoS attacks service

CnC control-like panel

…and much more

24/7 support (!)

Blackhole Exploit kit

Threat Detection and Mitigation

Malware analysis

Static (code) analysis - signature (virustotal.com) and string analysis, reverse engineering with disassemblers (e.g. IDA Pro), debuggers (e.g. OllyDbg) and decompilers. Analysis without running the code. RE is time consuming.

Dynamic (behavioral) analysis - executing the malware in a sandboxed/virtualized OS and watching how it behaves (monitoring system/library calls): what changed in the system, which connection attempts were made, which files were created, etc. A quick method that can also reveal APT attacks, spear phishing payloads and 0-day exploits.

Memory analysis - simple rule: malware must run, and if it runs, it has to be in memory. Dump memory and search it for malicious artifacts (e.g. Volatility Framework, Memoryze).

Example of hybrid analysis

A Tor exit node in Russia was performing dynamic binary patching, injecting its own malware into EXE files downloaded over plain HTTP. This is the report of one file modified by that exit node.

Regular application downloaded from the microsoft.com website (or is it?)

source: https://malwr.com/analysis/ZmY0ZGFlY2ZjMWMzNDNkZmE3YzE1MzhjNWEyNjlhNTk/

Analyzing Web-Based malware

urlQuery.net is a free online service for testing and analyzing URLs that helps identify malicious content on websites. Its main focus is to find and detect suspicious and malicious content on web pages, to help improve the security industry and make the internet a safer place.

source: http://urlquery.net/report.php?id=1413821943900

General Recommendations

Have a good antivirus on computers and servers.

Have HIPS on computers and servers.

An IPS in the core of the network with anti-malware and anti-botnet engines can help a lot. Even if the engine cannot detect the malicious file itself, it can recognize communication with CnC servers by deep packet inspection or by monitoring DNS requests.

If you can, use appliances which recognize specific applications in the network flow. Strict policies allowing communication only from known applications can mitigate malware infection and communication to CnC as well.

Correlate all security events and audit logs in robust SIEM solution

Invest money in good employees. Someone has to read and understand the output of logs and SIEM events.
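Added example for the DNS-monitoring advice above and for the random domain generators the exploit kits ship with: simple lexical features over the queried names in constructed, dnsmasq-style log lines (the log format, the client addresses and all thresholds are assumptions). It is not from the deck.

```python
"""Flagging DGA-style lookups in DNS query logs."""
import math
import re
from collections import Counter, defaultdict

# Constructed log lines in a dnsmasq-like layout (the format is an assumption).
DNS_LOG = """\
May 28 10:01:02 gw dnsmasq[812]: query[A] www.security-portal.cz from 10.0.0.21
May 28 10:01:03 gw dnsmasq[812]: query[A] update.microsoft.com from 10.0.0.21
May 28 10:01:05 gw dnsmasq[812]: query[A] xk3q9zt1vbw7.test from 10.0.0.34
May 28 10:01:05 gw dnsmasq[812]: query[A] q8fj2lp0xz4n.test from 10.0.0.34
May 28 10:01:06 gw dnsmasq[812]: query[A] zzv7k1mqx9rt.test from 10.0.0.34
May 28 10:01:06 gw dnsmasq[812]: query[A] 7bhq2xkz0pwn.test from 10.0.0.34
May 28 10:01:07 gw dnsmasq[812]: query[A] mail.google.com from 10.0.0.21
"""
QUERY = re.compile(r"query\[(?P<type>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
VOWELS = set("aeiou")


def label_features(label):
    """Lexical features of the registrable label (the part left of the TLD)."""
    n = len(label)
    counts = Counter(label)
    ent = -sum(c / n * math.log2(c / n) for c in counts.values())
    digits = sum(ch.isdigit() for ch in label) / n
    vowels = sum(ch in VOWELS for ch in label) / n
    run = best = 0
    for ch in label:                       # longest run of consonants
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return {"length": n, "entropy": ent, "digit_ratio": digits,
            "vowel_ratio": vowels, "consonant_run": best}


def is_dga_like(f, min_len=10, min_entropy=3.3):
    """Thresholds are illustrative assumptions for this sample, not tuned values."""
    if f["length"] < min_len or f["entropy"] < min_entropy:
        return False
    return f["digit_ratio"] >= 0.2 or f["vowel_ratio"] <= 0.2 or f["consonant_run"] >= 4


def scan(log_text, min_hits=3):
    """Flag DGA-looking names and the clients that asked for several of them."""
    flagged, per_client = [], defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if not m:
            continue
        parts = m["name"].lower().rstrip(".").split(".")
        if len(parts) < 2:
            continue
        label = parts[-2]                  # naive: ignores multi-part suffixes like co.uk
        if is_dga_like(label_features(label)):
            flagged.append((m["client"], m["name"]))
            per_client[m["client"]] += 1
    suspects = sorted(c for c, hits in per_client.items() if hits >= min_hits)
    return {"flagged": flagged, "suspect_clients": suspects}


if __name__ == "__main__":
    result = scan(DNS_LOG)
    for client, name in result["flagged"]:
        print(f"{client:12s} {name}")
    print("suspect clients:", result["suspect_clients"])
```

The per-client count is what turns a lexical guess into a usable alert: a bot cycling through generated names produces a burst of them (often with NXDOMAIN answers for the ones not yet registered), while a single odd-looking name is usually a CDN or tracking host. An allowlist of known CDN and cloud suffixes and a proper public-suffix list belong in front of this in production.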

General Recommendations

Every piece of network equipment has to be properly set up and secured, starting with switches and ending with personal computers.

All systems have to be regularly updated.

Strict policies and new malware detection technologies have to be enforced to avoid contact with malware distribution websites and with mail attachments from spear phishing and spam campaigns.

…in best case uninstall Adobe Reader, Adobe Flash and Java

Consider OS level hardening

Windows - EMET (The Enhanced Mitigation Experience Toolkit)
Linux - SELinux, grsecurity

EMET (The Enhanced Mitigation Experience Toolkit)

EMET forces applications to use key security defenses that can block malware during its execution, even when the application itself was not built to opt in to them.

Defense mechanisms:
- ASLR (address space layout randomization; makes buffer overflow exploitation unreliable)
- DEP (non-executable memory)
- SEHOP (SEH overwrite protection against stack overflows)
- anti-ROP mitigations (against DEP bypass)
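Added example, not from the deck: before rolling EMET out, find the binaries that did not opt in to DEP and ASLR themselves, by reading the DllCharacteristics word of the PE optional header. The sample headers are constructed minimal headers, not real executables.

```python
"""Reading the opt-in mitigation bits in a PE header."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",    # image may be relocated: ASLR applies
    0x0100: "NX_COMPAT",       # image is DEP-compatible
    0x0400: "NO_SEH",          # image uses no structured exception handlers
    0x4000: "GUARD_CF",
}


def mitigation_flags(pe):
    """Return {flag name: bool} for the DllCharacteristics word of a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                    # skip signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):            # PE32, PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    word = struct.unpack_from("<H", pe, opt + 70)[0]
    return {name: bool(word & bit) for bit, name in DLL_CHARACTERISTICS.items()}


def emet_candidates(images):
    """Images lacking ASLR or DEP opt-in, i.e. where EMET would have to force the mitigation."""
    missing = {}
    for name, pe in images.items():
        flags = mitigation_flags(pe)
        lacking = [label for label, flag in (("ASLR", "DYNAMIC_BASE"), ("DEP", "NX_COMPAT"))
                   if not flags[flag]]
        if lacking:
            missing[name] = lacking
    return missing


def build_header(dll_characteristics, pe32plus=False):
    """Constructed minimal PE header (assumption: headers only, not a runnable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header follows the DOS header
    opt_size = 240 if pe32plus else 224
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos + coff + opt)


# Constructed sample set: a modern build with the bits set, a legacy build with none.
SAMPLES = {
    "modern.exe": build_header(0x0040 | 0x0100 | 0x0400, pe32plus=True),
    "legacy.exe": build_header(0x0000),
}

if __name__ == "__main__":
    for name, pe in SAMPLES.items():
        print(name, {k: v for k, v in mitigation_flags(pe).items() if v})
    print("needs EMET for:", emet_candidates(SAMPLES))
```

Run over the real files in Program Files (open each in binary mode and pass the bytes), this gives the list of third-party applications to put into EMET's per-application rules first; the flags only state what the linker opted in to, so a DEP-compatible image with a non-opted-in plugin DLL still needs the system-wide setting.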

Are you still hungry?

Flame - the most complex, sophisticated and interesting piece of malware (reportedly developed by the US and Israel)

Dexter - POS malware able to search process memory for credit card data (the same memory-scraping technique was behind the Target data breach - 40 million credit cards)

Gapz - dropper using a non-standard code injection technique to bypass security software

The Mask - targets governments, diplomatic offices and embassies, oil and gas companies, research organizations and activists (state-sponsored malware)

Recommended sources

http://blog.kaspersky.com/

http://nakedsecurity.sophos.com/

http://www.welivesecurity.com/

Questions?

Thank you!

Martin Čmelík ~ security consultant ~

martin.cmelik (at) gmail.com www.linkedin.com/in/martincmelik

www.security-portal.cz | www.securix.org | www.security-session.cz