Vanja Svajcer, Principal Researcher – Sophos. Zagreb, 12 May 2010. Anatomy of attack – the way of malware.

1 Vanja Svajcer, Principal Researcher – Sophos. Zagreb, 12 May 2010. Anatomy of attack – the way of malware

2 What do SophosLabs do?
- Collect threats
- Analyze and classify
- Create detection and cleanup
- Publish updates and information
- R & D
- More details later

3 SophosLabs at the core

4 Anatomy of attack
- Setting the scene
- Malware
- Attack techniques
- Analysis process & tools
- Protection technology

5 Malware types
- Virus
- Trojan
- Worm

6 Who used to write viruses?
No “standard” virus writer, no “standard” motivation.
- Schoolkids
- Undergraduates
- Post-graduates
- IT Professionals
- Generally blokes, but not A/V companies



9 Who writes malware today?
- Rarely see viruses, but they are making a comeback
- It is about money
- It is criminal in its origins (there are still some spotty teenagers out there …)

10 APT – Advanced Persistent Threat
- Fashionable term for “targeted malware”
- Small size (around 100k) and specialised
- No packing
- Looks like a legitimate Windows file
- Data exfiltration
- Difficult to remove

11 threats
- The latter half of 2008 saw a dramatic rise in attachment malware
- 2009 has seen this trend continue, with several families being aggressively mass-spammed
- Same old social engineering tactics: UPS/FedEx failed delivery reports, Microsoft patches, airline e-tickets, etc.

12 Top spammed malware (2009)
- Dominated by key malware families: Bredo, Waled
- Simple, but still working!

13 Social Engineering – Bredo (Mal/Bredo)
- Same campaign may involve numerous “different” attachments

14 Social Engineering – Zbot (aka Zeus) (Mal/Zbot)

15 Bredo vs Zbot
- Competition between the bots!!!
- Bredo attempting to disable any installed Zbot
- Reminiscent of the Netsky vs Bagle wars from years ago!!!

16 threats
- Global spam traps to track spam
- USA relays more spam than any other single country
- Compromised computers not only spread spam, but distribute malware and launch DDoS attacks

17 Web predominant
- 99% of infected systems are legitimate, compromised sites
- Attack sites
- Botnet C&C using HTTP
- Attacks still often begin with a spammed out

18

19 Web 2.0 Application Attacks

20 Step 1: Redirect from compromised sites
- Compromised web sites
- Attacker-controlled redirects
- Payload
- Attack site using a bundle of exploits
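An added example, not part of the presentation: a site owner's own check for the injected redirects this step describes. It parses a page and flags script or iframe elements that load from a host other than the site itself (minus an allowlist of known third-party hosts), iframes sized or styled to be invisible, and meta refresh redirects. The site hostname, the allowlist entry and the sample page are all constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the hostname of the site whose own pages are being checked.
SITE_HOST = "www.example-shop.invalid"

# Constructed sample page: one legitimate local script, one known CDN script,
# plus an injected hidden iframe and an injected meta refresh.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://bad-redirect.invalid/go">
</head><body>
<h1>Shop</h1>
<script src="/static/app.js"></script>
<iframe src="http://bad-redirect.invalid/go" width="0" height="0"
        style="visibility:hidden"></iframe>
<script src="http://static.thirdparty-cdn.invalid/lib.js"></script>
</body></html>"""


class InjectedContentScanner(HTMLParser):
    """Collects (tag, source, reason) findings while the page is parsed."""

    def __init__(self, site_host, allowlist=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowlist = {h.lower() for h in allowlist}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        src = a.get("src") or ""

        # Script or iframe pulled from a host that is neither ours nor allowlisted.
        if tag in ("script", "iframe") and src:
            host = urlparse(src).hostname  # None for relative URLs such as /static/app.js
            if host and host.lower() != self.site_host and host.lower() not in self.allowlist:
                self.findings.append((tag, src, "off-site source"))

        # Iframe that a visitor would never see: zero/one-pixel size or hidden style.
        if tag == "iframe":
            width, height = a.get("width") or "", a.get("height") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            if (width in ("0", "1") or height in ("0", "1")
                    or "visibility:hidden" in style or "display:none" in style):
                self.findings.append((tag, src, "hidden iframe"))

        # Client-side redirect injected into the head.
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append((tag, a.get("content") or "", "meta refresh redirect"))


def scan_page(html_text, site_host, allowlist=()):
    """Return the list of findings for one page's HTML."""
    scanner = InjectedContentScanner(site_host, allowlist)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, SITE_HOST,
                             allowlist=["static.thirdparty-cdn.invalid"]):
        print(finding)
```

Run it over pages fetched from your own web server (or straight from the document root) rather than through a browser, so that what you inspect is what the server actually sends. Keep the allowlist short and reviewed: every off-site script host on it is a host you are trusting to run code in your visitors' browsers.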

21 Compromising hosts 21

22 SQL injection
- Hacker uses a tool to identify pages potentially vulnerable to SQL injection
- Sends malicious HTTP request (Demo)
- DB
- Malicious SQL injection

23 SQL injection
- SQL injection causes databases to become peppered with malicious script tags
- Result is that pages on the web server built from data retrieved from the database also contain malicious script tags
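An added example, not code from the presentation, covering slides 22 and 23 together: the defect that lets a single request rewrite every row (a request parameter spliced into the SQL text, on a database API that runs stacked statements), the hardened query that validates and binds the parameter instead, a scan that finds rows already peppered with script tags, and HTML encoding at render time so that stored tags cannot execute even if the scan missed them. The table, rows and planted tag are constructed; the host in the tag is a reserved `.invalid` name.

```python
import html
import re
import sqlite3

# Constructed sample rows standing in for a site's content database.
SEED_ROWS = [
    (1, "Welcome", "Hello visitors"),
    (2, "News", "Product launch next week"),
]

# Constructed stand-in for the tag a mass injection plants in text columns.
INJECTED_TAG = '<script src="http://planted.invalid/x.js"></script>'


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def fetch_article_vulnerable(conn, article_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text.

    executescript() runs every statement in the string, mirroring a web stack
    whose database API accepts stacked statements; a parameter ending in
    '; UPDATE ...' therefore modifies the whole table instead of selecting a row.
    """
    sql = "SELECT id, title, body FROM articles WHERE id = " + str(article_id)
    conn.executescript(sql)


def fetch_article_safe(conn, article_id):
    """Hardened version: enforce the expected type, then bind as a parameter.

    Returns the (id, title, body) tuple, or None when the id is not an integer.
    """
    try:
        article_id = int(article_id)
    except (TypeError, ValueError):
        return None
    cur = conn.execute("SELECT id, title, body FROM articles WHERE id = ?", (article_id,))
    return cur.fetchone()


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def find_tainted_rows(conn):
    """Detection: ids of rows whose text columns contain a script tag.

    After a mass injection this is what surfaces the planted tags; run it over
    every content table, since the attacker does not know which one feeds pages.
    """
    tainted = []
    for row_id, title, body in conn.execute("SELECT id, title, body FROM articles"):
        if SCRIPT_TAG.search(title or "") or SCRIPT_TAG.search(body or ""):
            tainted.append(row_id)
    return tainted


def render_article(title, body):
    """Defence in depth: HTML-encode database content when building the page,
    so a tag that did get stored is displayed as text, not executed."""
    return f"<h1>{html.escape(title)}</h1>\n<p>{html.escape(body)}</p>"


if __name__ == "__main__":
    payload = "1; UPDATE articles SET body = body || '" + INJECTED_TAG + "'"

    conn = make_db()
    fetch_article_vulnerable(conn, payload)
    print("vulnerable path, tainted rows:", find_tainted_rows(conn))   # [1, 2]

    conn = make_db()
    print("safe path, result for payload:", fetch_article_safe(conn, payload))  # None
    print("safe path, tainted rows:", find_tainted_rows(conn))         # []

    row = fetch_article_safe(conn, "1")
    print(render_article(row[1], row[2] + INJECTED_TAG))               # tag shown inert
```

The order of the three defences matters: parameterised queries stop the write, the scan tells you whether a write already happened before the fix went in, and output encoding limits the damage of any stored tag in the meantime. Cleaning tainted rows with a blanket `REPLACE()` is tempting but should be done from a backup taken after the injection is confirmed, so that the evidence of what was planted survives.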
