Threat Rules Sharing
Advanced Threats Research
Trend Micro Confidential, 9/23/2015
Copyright Trend Micro Inc.

What threats do we cover?
Prevalent threat types:
- Downloaders
- BOTs
- Spyware / Grayware
- Backdoors
- Mass Mailers
- Phishing
- Exploits
- Hacking
How detections are organized
Detection threat categories and sub-categories:
- Known Security Risks
  - Virus/Malware: VSAPI, Network Virus Patterns
  - Spyware/Grayware: VSAPI/SSAPI
- Potential Security Risks
  - Virus/Malware
  - Spyware/Grayware
  - Fraud
  - Other
Downloaders: what characteristics are we looking for
- Packed / compressed executables
- Names of downloaded files belong to system files (svchost.exe, winlogon.exe, lsass.exe)
- File extension does not match the expected file type (JPG extension, but the file is actually an EXE)
Spyware/Grayware: what characteristics are we looking for
- Unique / unknown HTTP user-agents
- Names of downloaded files belong to trademarked/copyrighted spyware applications (Gain, Media Motor, Hotbar, SpySheriff)
- Unexpected types of traffic (SMTP relay traffic, DNS MX queries appearing on workstations)
Backdoors: what characteristics are we looking for
- Rogue services (unauthorized SMTP, HTTP servers)
- Opened ports
- Loopback command shells (DOS shell visible in the network traffic)
- Non-standard service ports (HTTP traffic on a non-HTTP port)
Mass mailers: what characteristics are we looking for
- Attachments with long filenames (space padded)
- File extensions do not match the expected file type
- File inside an archive attachment carries a double extension
- Packed files
Bots: what characteristics are we looking for
- IRC traffic
- Policy violations
- Protocol mismatches (IRC traffic on port 8080, the HTTP proxy port)
- Non-standard service ports (HTTP traffic on non-HTTP ports)
- File transfers to blacklisted domains
Hacking: what characteristics are we looking for
- Password guessing
- Exploit attempts
- DNS poisoning
- Network flooding
Mitigable Threat Rules

Policy ID | Mitigation                    | Condition
----------|-------------------------------|------------------------------------------------------------------------------
1         | Known external attacks        | Internal computer downloading Malware/Spyware via HTTP protocol
2         |                               | Internal computer downloading Malware via FTP protocol
3         | Known internal detections     | Internal computer propagating Malware via SMB (network share) protocol
4         |                               | Internal computer propagating Malware via SMTP protocol
5         |                               | Internal computer propagating Malware via IM protocols
6         |                               | Internal computer attacking the network with network viruses
7         | Potential external attacks    | Internal computer downloading potential threats via HTTP protocol
8         | Potential internal detections | Internal computer propagating via SMB (network share) protocol
9         |                               | Internal computer propagating potential threats via SMTP protocol
10        |                               | Internal computer attacking the network with potential network viruses/exploits
11        |                               | Internal computer infected by BOT
12        |                               | Internal computer compromised by Exploit or infected by Backdoor
13        |                               | Internal computer infected by potential Downloader

(A blank Mitigation cell continues the group named in the row above.)
Policy 7 - Internal computer downloading potential threats via HTTP protocol
- Rule 23 - Downloaded file matches malware-used filenames
- Rule 66 - HTTP download found file type mismatch & file content is EXE
Scenario (diagram): an internal computer on the corporate network downloads from a malicious website across the Internet, triggering Rule 23 (downloaded file matches malware-used filenames) and Rule 66 (HTTP download found file type mismatch & file content is EXE). Example detections: TROJ_DLOADER, TROJ_AGENT, WORM_STRAT.
Policy 8 - Internal computer propagating via SMB (network share) protocol
- Rule 8 - Packed executable file dropped on a network share
Scenario (diagram): a packed executable is dropped onto the Admin$ and C$ shares of other hosts on the corporate network, triggering Rule 8 (packed executable file dropped on a network share). Example detections: WORM_AGOBOT, PE_LOOKED.
Policy 9 - Internal computer propagating potential threats via SMTP protocol
- Rule 9 - Suspicious archive file found & file type mismatched & file content is EXE
- Rule 12 - Suspicious archive file found & filename found with suspicious double extensions
- Rule 13 - Suspicious archive file found & filename found with suspicious long filename
- Rule 55 - Suspicious filename found & filename found with suspicious long filename & file content is EXE
- Rule - Contains a suspicious link to a possible Phishing site
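The filename and content checks behind the Downloaders and Mass Mailers characteristics above, and behind Rules 23, 66, 9, 12, 13 and 55, can be sketched as follows. This is an added example, not Trend Micro's rule engine: the extension list, the 64-character length threshold and the space-padding test are assumptions, and the sample attachments are constructed.

```python
import re

# Constructed lists for this example: the deck names these system filenames as
# ones downloaders reuse; the non-executable extension set is an assumption
MALWARE_USED_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe"}
NON_EXEC_EXT = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}
EXEC_EXT = r"(exe|scr|pif|com|bat)"

def content_is_exe(data: bytes) -> bool:
    """'File content is EXE' (Rules 9, 55, 66): Windows PE files start with 'MZ'."""
    return data[:2] == b"MZ"

def declared_ext(name: str) -> str:
    """Extension the filename advertises, ignoring trailing space padding."""
    m = re.search(r"\.[A-Za-z0-9]+$", name.rstrip())
    return m.group(0).lower() if m else ""

def check_file(name: str, data: bytes, max_len: int = 64) -> list:
    """Return the rule-style findings for one downloaded file or attachment."""
    findings = []
    base, ext = name.rstrip().lower(), declared_ext(name)
    if base in MALWARE_USED_NAMES:                       # Rule 23 / Rule 88 style
        findings.append("downloaded file matches malware-used filename")
    if ext in NON_EXEC_EXT and content_is_exe(data):     # Rule 66 / Rule 9
        findings.append("file type mismatch: %s extension but content is EXE" % ext)
    if re.search(r"\.[a-z0-9]{2,4}\." + EXEC_EXT + r"$", base):   # Rule 12
        findings.append("suspicious double extension")
    # Rule 13 / Rule 55: very long or space-padded names push the real
    # extension out of view in mail clients (length threshold is an assumption)
    if len(name) > max_len or re.search(r" {3,}", name):
        findings.append("suspicious long filename")
    return findings

# Constructed sample attachments (not real captures); only the headers matter
SAMPLES = [
    ("svchost.exe", b"MZ\x90\x00"),
    ("holiday.jpg", b"MZ\x90\x00"),
    ("invoice.txt.exe", b"MZ\x90\x00"),
    ("readme.txt" + " " * 60 + ".exe", b"MZ\x90\x00"),
    ("holiday.gif", b"GIF89a"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(repr(name[:24]), "->", check_file(name, data) or "clean")
```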
Scenario (diagram): the internal mail server relays mail between the corporate network and external mail servers on the Internet. Example detections: WORM_NETSKY, WORM_MYTOB, WORM_AGOBOT.
Policy 10 - Internal computer attacking the network with potential network viruses/exploits
- Rule 67 - Cross-Site Scripting (XSS) found
- Rule 68 - Oracle HTTP Exploit found
Scenario (diagram): a command shell exploit is launched against hosts on the corporate network using hacker tools.
Policy 11 - Internal computer infected by BOT
- Rule 7 - IRC BOT commands found
- Rule 26 - IRC session established with a known bad C&C
Scenario (diagram): an internal computer on the corporate network connects to an IRC server on the Internet, triggering Rule 7 (IRC BOT commands found) and Rule 26 (IRC session established with a known bad C&C). Example detection: WORM_IRCBOT.EN.
Policy 12 - Internal computer compromised by Exploit or infected by Backdoor
- Rule 17 - Suspicious Remote Command Shell found
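The network-side indicators from the Backdoors and Bots slides (HTTP on a non-HTTP port, IRC on the 8080 proxy port, a DOS shell visible in traffic) and Rule 17 above can be checked on connection records like this. This is an added example, not the product's detection code: the fingerprint regexes and the expected-port sets are assumptions, and the flows are constructed with RFC 5737 documentation addresses.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    src: str        # internal host
    dst: str
    dport: int      # destination port the client connected to
    payload: bytes  # first bytes seen on the connection (either direction)

# Minimal application fingerprints, constructed for this example; a Windows
# command interpreter banner or prompt on the wire is the "DOS shell visible
# in network traffic" indicator behind Rule 17
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")
IRC_CMDS = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) ", re.M)
DOS_SHELL = re.compile(rb"Microsoft Windows \[Version |\r\n[A-Za-z]:\\[^\r\n]*>")
FINGERPRINTS = [("http", HTTP_REQ), ("irc", IRC_CMDS), ("shell", DOS_SHELL)]

# Ports on which each protocol is expected (assumed sets; the deck itself
# calls 8080 the HTTP proxy port, so IRC there is a protocol mismatch)
EXPECTED_PORTS = {"http": {80, 8080, 8000, 443}, "irc": {6667, 6697}}

def identify(payload: bytes):
    """Guess the application protocol from the first bytes, ignoring the port."""
    for proto, pattern in FINGERPRINTS:
        if pattern.search(payload):
            return proto
    return None

def classify(flow: Flow):
    """Return an alert string, or None when the flow looks normal."""
    proto = identify(flow.payload)
    if proto == "shell":
        return "suspicious remote command shell from %s" % flow.src
    if proto in EXPECTED_PORTS and flow.dport not in EXPECTED_PORTS[proto]:
        return "protocol mismatch: %s traffic on port %d from %s" % (
            proto.upper(), flow.dport, flow.src)
    return None

# Constructed flows (RFC 5737 documentation addresses, not real captures)
FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 8080, b"NICK bot1234\r\nUSER x 0 * :x\r\nJOIN #c\r\n"),
    Flow("10.0.0.6", "203.0.113.8", 4444, b"GET /update.exe HTTP/1.1\r\nHost: a\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: b\r\n\r\n"),
    Flow("10.0.0.8", "203.0.113.10", 4444, b"Microsoft Windows [Version 5.1.2600]\r\n\r\nC:\\WINDOWS\\system32>"),
]
if __name__ == "__main__":
    for f in FLOWS:
        print(f.src, "->", f.dst, f.dport, ":", classify(f) or "ok")
```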
Scenario (diagram): a command shell exploit against hosts on the corporate network. Example detections: WORM_MSBLAST, WORM_SASSER.
Policy 13 - Internal computer infected by potential Downloader
- Rule 88 - HTTP requests attempted to download known Malware-used filenames
Scenario (diagram): an internal computer on the corporate network requests files from a malicious website across the Internet, triggering Rule 88 (HTTP requests attempted to download known malware-used filenames). Example detections: TROJ_DLOADER, TROJ_AGENT.
Thank You