Modern Malware and Threats
-
Upload
marketingarrowecscz -
Category
Technology
-
view
124 -
download
3
Transcript of Modern Malware and Threats
Modern Malware and ThreatsMartin Čmelík www.security-portal.cz
Moderní malware a možnosti obrany, Hotel Panorama, Praha - 28.05.2015
What is malware?
Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.source: wikipedia
Threat Landscape
Motivation Actors Targets
CYBER WAR Military/Political Advance Cyber Nation - States
Critical Infrastructure
TERRORISM Political Change Terrorist Networks and Groups
Infrastructure and Public Assets
ESPIONAGE Intellectual Property Gain
Nation-States and Enterprises
Governments, Companies and
Individuals
ORGANIZED CRIME
Financial Gain Criminals Companies and Individuals
HACKTIVISM Ego, Curiosity and Change
Groups and Individuals
Governments, Companies and
Individuals
Types of malwareViruses
Worms
Trojan Horses
Spyware
Crimeware
Bankers
Backdoors
Exploits
RAT (Remote Access Toolkit)
Bootkits
Rootkits
Ransomware
Zombie/Bot, Dropper, …
source: http://www.kaspersky.com/internet-security-center/malware-tree.jpg
Malware classification tree
Traditional vs Modern malwareTraditional Malware: - Open channels- Known detection and patches available - Broad & Noisy- Single - Centralized infrastructure
Modern Malware:- Stealthy & Covert - Unknown detection and Zero Day- Targeted & Personalize- Persistent- Distributed infrastructure
Sources of infectionSpear phishing & Spam
Social Media
Infected websites (drive-by-download, watering hole, …)
Exploit Kits (Blackhole - not active, SweetOrange, Angler, Magnitude, …)
Infected media - USB stick (autorun.inf, BadUSB)
Infected host on network
Dynamic binary patching
Pirated Software & Key Generators
Human error
PersistenceBackdoor- enable an attacker to bypass normal authentication procedure to gain access to system
Rootkit- admin-level type of access - hiding existence in system- blocking AV/Malware scanners or providing spoofed data- firmware (network card, disk, BIOS, VGA, …) rootkits are resistant to OS reinstallation
Bootkit- kernel-mode type of rootkit- infect MBR, VBR or boot sector- can be used to attack full disk encryption
CommunicationCommon (allowed) protocols: HTTP, HTTPS, SSH, DNS
Proprietary protocols and encryption
Communication via proxies, tunnels, IRC
Through public services like Facebook, Reddit, Twitter, Google
Steganography (image EXIF metadata)
TOR hidden services (e.g. Mevade)
P2P network (e.g. Alureon, GameOver)
Computer speakers and microphones to bridge air gaps (badBIOS PoC)
Fast Flux (or DDNS) - combination of P2P, distributed CnC, load balancing and proxy redirection (e.g. Storm Worm)
Single vs Double Fast Flux network
source: http://www.honeynet.org/node/136
Bredolab Botnet
source: http://securelist.com/analysis/publications/36335/end-of-the-line-for-the-bredolab-botnet/
Anti-Detection techniquesObfuscation - deliberate act of creating source or machine code that is difficult for humans to understand.
Packers - comparable to obfuscation. Uses executable data compression algorithm and combine compressed data with decompression code into single executable. Still could provide quite good results when you will combine more of them together.
Olygomorphic code - randomly selecting each piece of the decryptor from several predefined alternatives (+,-,/,XOR). Limited to just a few hundred different decryptors.
Polymorphic code - uses polymorphic engine to mutate while keeping original algorithm intact. Code changes encryptor/decryptor each time it runs, but the function will remain same.
Metamorphic code - no part of malware stays the same. Metamorphic viruses often translate their own binary code into a temporary representation, editing the temporary representation of themselves and then translate the edited form back to machine code again.
Steganography - concealment of information within computer files (images, videos, …). Used sporadically at this time, but seems to be weapon of choice for droppers which can download and extract from image/youtube video/whatever malware payload.
Example of obfuscated JavaScript
Result? Redirect to google.com website
source: http://www.kahusecurity.com/2011/making-wacky-redirect-scripts-part-i/
Example of obfuscated PHP script
source: http://ddecode.com/phpdecoder/?results=e0719289a4608ed4ef4efa66375337ef
Exploit Kit servicesDashboard - statistics, infected computers, traffic flow summary, infection rate in % by OS, used exploit, country, browser, affiliate/partner, …
Available exploits to use and exploits which you can buy
AntiVirus evasion techniques + virustotal-like service to verify results
Code obfuscation service (HTML, JavaScript, ActionScript/Flash, PDF, Java, …)
Landing pages and details about used obfuscation, iframes etc. if website is on any kind of blacklist (URL scanner), …
Random domain generator (changing every X hours)
Tool for sending spams and spear phishing campaigns (mail lists included)
DDoS attacks service
CnC control-like panel
…and much more
24/7 support (!)
Malware analysisStatic (code) Analysis - signature (virustotal.com) and string analysis, reverse engineering performed using disassemblers (e.g. IDA Pro, OllyDbg), debuggers and decompilers. Analysis without running the code.RE is time consuming
Dynamic (behavioral) Analysis - executing malware in sandboxed/virtualized OS environment and looking how malware behaves (monitoring system/library calls). What has been changed in system, which connection attempts been made, which files created, etc.Quick method which can detect APT attacks, spear phishing campaigns and 0day exploits.
Memory Analysis - simple rule: malware must run, if it runs, it has to be in memory. Dumping memory and searching for malicious artifacts (e.g. Volatility Framework, Memoryze).
Example of Hybrid AnalysisOne of Tor Exit node in Russia has been performing dynamic binary patching and injecting its own malware to EXE files downloaded via HTTP protocol. This is report of one file modified by this exit node.
Regular application downloaded from microsoft.com website (isn't it?)
source: https://malwr.com/analysis/ZmY0ZGFlY2ZjMWMzNDNkZmE3YzE1MzhjNWEyNjlhNTk/
Analyzing Web-Based malware
urlQuery.net is a free online service for testing and analyzing URLs, helping with identification of malicious content on websites. The main focus of urlQuery is to find and detect suspicious and malicious content on webpages, to help improve the security industry and make the internet a safer place.
source: http://urlquery.net/report.php?id=1413821943900
General Recommendationshave a good antivirus on computers and servers
have HIPS on computers and servers
IPS on the core of the network with Anti-Malware and Anti-Botnet engine can help a lot. Even if engine wouldn't be able detect malicious file itself, it can recognize communication to CnC servers by deep packet inspection or by monitoring of DNS requests.
If you can use appliances which can recognize specific applications in network flow. Strict policies allowing communication just from known applications can mitigate malware infection and communication to CnC as well.
Correlate all security events and audit logs in robust SIEM solution
Invest money in good employees. Someone has to read and understand the output of logs and SIEM events.
General RecommendationsEvery piece of network equipment has to be properly setup and secured. Starting with switches and ending with personal computers.
All systems has to be regularly updated
Strict policies and new technologies for malware detection has to be enforced in order to avoid contact with malware distribution websites and mail attachments coming from spear phishing and spam campaigns.
…in best case uninstall Adobe Reader, Adobe Flash and Java
Consider OS level hardeningWindows - EMET (The Enhanced Mitigation Experience Toolkit)Linux - SELinux, Grsecurity
EMET (The Enhanced Mitigation Experience Toolkit)
EMET force applications to use key security defenses which could potentially block malware during its execution.
Defense mechanisms: ASLR (buffer overflow)DEP (no-exec memory)SEHOP (stack overflow)ROP (DEP bypass)
Are you still hungry?Flame - most complex, sophisticated and interesting piece of malware (developed by US and Israel)
Dexter - POS malware with ability to search credit card information in memory (Target data breach - 40 million credit cards)
Gapz - dropper using non-standard technique for code injection, bypassing security software
The Mask - targets government, diplomatic offices and embassies, oil and gas companies, research organizations and activists (state sponsored malware)
Recommended sourceshttp://blog.kaspersky.com/http://nakedsecurity.sophos.com/http://www.welivesecurity.com/
Thank you!
Martin Čmelík~ security consultant ~
martin.cmelik (at) gmail.com www.linkedin.com/in/martincmelik
www.security-portal.cz | www.securix.org | www.security-session.cz