Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vanja Svajcer Principal Researcher – Sophos Zagreb, 12 svibnja 2010 Anatomy of attack – the way of malware.

Similar presentations

Presentation on theme: "Vanja Svajcer Principal Researcher – Sophos Zagreb, 12 svibnja 2010 Anatomy of attack – the way of malware."— Presentation transcript:

1 Vanja Svajcer Principal Researcher – Sophos Zagreb, 12 svibnja 2010 Anatomy of attack – the way of malware

2 What do SophosLabs do? Collect threats Analyze and classify Create detection and cleanup Publish updates and information R & D More details later 2

3 SophosLabs at the core

4 Anatomy of attack Setting the scene Malware Attack techniques Analysis process & tools Protection technology 4

5 Malware types Virus Trojan Worm 5

6 Who used to write viruses? No “standard” virus writer, no “standard” motivation. Schoolkids Undergraduates Post-graduates IT Professionals Generally blokes but not A/V companies



9 Who writes malware today? Rarely see viruses but they are making a comeback It is about money It is criminal in its origins ( There are still some spotty teenagers out there …)

10 APT Advanced Persistent Threat Fashionable term for “targeted malware” Small size (around 100k) and specialised No packing Looks like legitimate Windows file Data exfiltration Difficult to remove 10

11 11 Email threats The latter half of 2008 saw a dramatic rise in email attachment malware 2009 has seen this trend continue, several families being aggressively mass-spammed Same old social engineering tactics UPS/FedEx failed delivery reports, Microsoft patches, Airline e-tickets etc etc

12 12 Top spammed malware (2009) Dominated by key malware families Bredo Waled Simple but still working!

13 Social Engineering – Bredo Mal/Bredo Same campaign may involve numerous “different” attachments

14 Social Engineering – Zbot (aka Zeus) Mal/Zbot

15 Bredo vs Zbot Competition between the bots!!! Bredo attempting to disable any installed Zbot Reminiscent of the Netsky vs Bagle wars from years ago!!!

16 16 Email threats Global spam traps to track spam USA relays more spam than any other single country Compromised computers not only spread spam, but distribute malware and launch DDoS attacks

17 Web predominant 99% percent of infected systems legitimate, compromised sites Attack sites Botnet C&C using HTTP Attacks still often begin with a spammed out email 17

18 18

19 Web 2.0 Application Attacks

20 Step 1: Redirect from compromised sites Compromised web sites Attacker-controlled redirects Payload Attack site using bundle of exploits

21 Compromising hosts 21

22 SQL injection Hacker uses tool to identify pages potentially vulnerable to SQL injection Sends malicious HTTP request (Demo) DB Malicious SQL injection

23 SQL injection SQL injection causes databases to become peppered with malicious script tags Result is that pages on the web server built from data retrieved from the database also contain malicious script tags

24 SQL injection User browses site Malicious script tag silently loads script from remote server Victim is infected with malware: Asprox trojan

25 25

26 Newly infected web pages – April 2010 26

27 Step 2: Further redirects Compromised web sites Attacker-controlled redirects Payload

28 SEO poisoning Search for popular keywords

29 Blackhat SEO 29

30 Blackhat SEO 30

31 31

32 Visibility – sites hosting SEO kits

33 Step 3: Load content from the attack site Compromised web sites Attacker-controlled redirects Payload Attack site using bundle of exploits

34 Web Attacks Built using purchased kit MPack, IcePack, GPack, Neosploit, Eleonore, Yes Management console Phishing Discovered: Oct 19 th 2009 Country Hit rate: France – 4% US – 17% GB – 3% Germany – 6%

35 Web Attacks Per-browser breakdown! Server-side polymorphism Hit rate: MSIE – 12% FireFox – 1% Opera – 5%

36 Polymorphism 36

37 Polymorphism 37

38 Polymorphism 38

39 Polymorphism 39

40 Polymorphism 40

41 Polymorphic malware weakness Poly engine part of the code Can be reversed by persistent researchers Must be decrypted in memory Emulate the code until the invariant is found Detection can be based on the decryption loop 41

42 Server side polymorphism 42

43 Server side polymorphism 43

44 Server side polymorphism 44

45 Server side polymorphism 45

46 46

47 Step 4: Hit the victim with exploits, infect them. Compromised web sites Attacker-controlled redirects Payload Attack site using bundle of exploits

48 Fake AV Professionalism

49 49

50 Troj/MacSwp 50

51 Zeus (Zbot) Information stealing malware and botnet building kit Builder Loader Control panel 51

52 52

53 Zeus (Zbot) - tracker 53

54 Virtumundo – “Malware Delivery Service” Each infection brings multiple pieces of malware As many as 20 different files Lots of FakeAV, rootkits, backdoors etc. Cleanup? Offers a service to deliver malware to machines Pay per infection Service to other malware authors 54

55 55 Rootkits Programs that use various techniques to hide their presence on a computer Trojans Legitimate programs?

56 What Rootkits do Anti-Virus Scanner Operating System Rootkit List Files Memo.doc Sales.xls Phish.exe Sophos.ppt Memo.doc Sales.xls Phish.exe Sophos.ppt

57 57

58 58 “State of the art” – rootkits TDSS (TDL3) MS10-015 update

59 State of the art rootkits – Sinowal (Mebroot) Infects MBR (like old boot sector viruses) Modifies OS loader to load malicious driver Driver hides the infected MBR (stealth) Installs custom networking stack Contains backdoor (encrypted HTTP communication) Payload – injecting malicious DLLs Pseudo random generation of URLs to update (daily)

60 Hard disk Rootkits – Sinowal (Mebroot) BIOS initialization MBRBoot loader Early kernel initialization CPU Real mode BIOS services Kernel initialization CPU Protected mode User process Window services MBR Boot loader Early kernel initialization User process Sinowal dropper User process Endpoint security Read MBR

61 Sinowal geographical spread (Sinowal, Feb-Mar 2010)

62 62 “State of the art” – future rootkits Virtualisation rootkits Software (Subvirt) Hardware assisted (Bluepill, Vitriol) Bootkits (eEye, vBootkit, Stoned) SMM based rootkits Bios/EFI based rootkits?

63 Virtualization rootkits Hardware Application1 Application2 VMM OSg1OSg2 OS Virtualization rootkit

64 Virtualization rootkits Hardware OSg3 Virtualization rootkit – malicious hypervisor OSg2OSg1Domain0

65 SophosLabs™

66 Malware family lifecycle First family member AnalyseDetectionTESTPublish Next family member

67 Overview 67

68 SophosLabs systems

69 Outbreak Manager

70 SophosLabs systems : Webmentor

71 QA: Identity Testing & Publishing

72 Merlin – Overview

73 73

74 Protection technology Content inspection (classic scanning) Behaviour based (HIPS) detection Reputation Domain File 74

75 Detection signatures Conventional Detection

76 Family characteristics Basic functionality identical New variants may have additional functionality Code re-used When recompiled, new variant binary different Traditional scanning not effective for proactive family detection Requires examination on a functional level

77 Call graph view

78 Family proactive detection { @Streams ("PE") ApiCheck("FindResourceA,LoadResource,SetLastError,FreeResource,SizeofR esource,GetProcessHeap,GetAclInformation,GetUserNameA,QueryServiceStat us,ControlService,DeleteService,OpenSCManagerA,OpenServiceA") ==1 ApiScore(1, "GetModuleFileNameA,wsprintfA,lstrlenA") D!==0 StrScore(1, "netmantow,network connections.,network ming,software\install\%s,installmodule") D!==0 ApiScore(1, "FindResourceA,LoadResource,FreeResource") D!==0 StrScore(1, "gogo") D!==0 }

79 Packed -> Unpacked

80 Proactive malware detection Conventional Detection Proactive Detection

81 Runtime behavioral protection Complementary to Behavioral Genotype Inspects process behaviour exhibited on the system Inspects all running processes for sign of malicious modifications of system objects Files Registry entries Processes Network connections Loaded drivers

82 Register in run key Simplified runtime architecture Privileged – kernel mode Non-privileged – user mode -Process virus.exe starting… - Oh, OK, scanning for viruses… - Nothing found. - Virus.exe is opening registry run key... - Interesting. Tell me more about it. - Virus.exe registers itself to run key… - Oh, no not OK, block operation!!! - Operation blocked. - Thank you kernel! - Reporting behaviour. Virus.exe

83 Buffer overflow protection Generic technology for detection exploits (including so called zero day exploits) Complementary to Windows DEP Detects various buffer overflow attacks Stack Heap Return to lib C Protects Microsoft and non-Microsoft processes, mostly client side

84 Buffer overflow – simplified architecture - Downloading file… - Interesting, where are you coming from? - Internet Explorer code. - OK. - Downloading file2. - Oh, not again, where are you coming from? - Stack. - Oh, no. Buffer overflow detected!!! - Suspending process. - Reporting behaviour. Iexplore.exe

85 Integration of protection technologies Regular detection data matches on content, behaviour and reputation Provides malware removal and system cleanup Example 1: AutoIT installer with behaviours: Copying self to %windir%, %sysdir%, and executing it No company name, unsigned HPmal/Tiotua-A { Gene("AND,Autoit,ProcMod-007,FileMod-001,FileMod-004,FileMod-006") D!==0 Gene("OR,CleanInstall,FALSEPOS") D==0 }

86 Cloud computing 86

87 Cloud protection Real time lookups Real time feedback (community protection) Security social networking Bridge protection gap Improve reaction time 87

88 Proactive vs reactive 88

89 Conclusion Malware getting more complex Financial motivation Targeted malware may pose a challenge Security community is not losing New methods are continuously developed Technology is not a silver bullet 89

90 Blog: Twitter: Questions?

Download ppt "Vanja Svajcer Principal Researcher – Sophos Zagreb, 12 svibnja 2010 Anatomy of attack – the way of malware."

Similar presentations

Ads by Google