Presentation is loading. Please wait.

Presentation is loading. Please wait.

國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage.

Similar presentations


Presentation on theme: "國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage."— Presentation transcript:

1 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage Frankie Li, Anthony Lai, Ddl Ddl Valkyrie-X Security Research Group th International Conference on Malicious and Unwanted Software Presenter: 劉力瑋 1/9

2 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Outline APT A case in Hong Kong Analysis Conclusion 2/9

3 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Advanced Persistent Threats (APT) This paper consider an APT as a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target machine or entity for a prolonged period. 3/9

4 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory A case in Hong Kong A well design (2011/7/7) Title : Democracy Depot meeting Sender : Attachments : Democracy Depot meeting Second was received on 2011/7/14 It is sent by a political group about the news of a riot in 廣州 4/9

5 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Analysis The attachments(malware) which you download will be a dropper, its “Property” field contains the command. Then it creates a Malicious DLL (droppee)to inject your explorer.exe. It also creates a mutex to avoid duplication of malware installation on the victim’s machine. 5/9

6 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Analysis First,it tries several non- resolved DNS names and a non-routed IP address. The droppee triggers the download of additional binaries that act as core modules performing the actual malicious functions. After several trails, it contact the single valid IP address, using TCP port number Then it run into an infinite loop and waited for the response from the C&C 6/9

7 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Analysis Additional binaries downloaded by droppee perform the actual malicious functions. All passwords from “foxmail,” “outlook,” “outlook express,” “IE Form Storage,” “MSN,” “Passport DotNet,” and “protected storage,” were collected from the infected machine. The screen captures will also be collected and uploaded to the C&C. 7/9

8 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Analysis Filtered information is collected, compressed and then uploaded through encrypted HTTP traffic. Afterwards, the information is removed to hide its temporary presence. 8/9

9 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Discussion and Conclusion APT-type malware does not carry obvious malicious functions. Unlike the other malware it seldom changes the infected system as a zombie machine. How to avoid it 9/9


Download ppt "國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage."

Similar presentations


Ads by Google