Presentation is loading. Please wait.

Presentation is loading. Please wait.

Professional Malware is Unstoppable

Published byHanna Sachs Modified over 5 years ago

Similar presentations

Presentation on theme: "Professional Malware is Unstoppable"— Presentation transcript:

1 Professional Malware is Unstoppable
It’s time to build a better mousetrap

2 Agenda Problem: Malware Growth What is Professional Malware?
Why Cybercrime is thriving… Recent Attack Trends unstoppable Recent Anti-Detection Trends Almost unstoppable Next Generation Countermeasures Detect, Diagnose, Respond

3 New Malware Daily

4 Cybercrime Evolution Cybercrime Authors have evolved over the last 30 years Continued improvement and innovation Capitalistic Shadow Economy - Competition Malware Authors Professional Software Development Lifecycle model Professional Quality Assurance Malware doesn’t ship until code is undetected by latest Antivirus products Guarantee’s are provided – think SLA

5 What is Professional Malware?
0 out of 40 Antivirus Detected readme.pdf This file was a zero day attack.. No Antivirus detection

6 What is Professional Malware?
Malware developed with a budget Rootkits, Trojans, keystroke loggers, bots, viruses Malware developed with a goal Cybercrime Cyber-espionage New and Unknown techniques No Signatures Zero Day Exploits Anti-Detection & Anti-Forensics

7 Professional Malware requires QA
Quality Assurance is robust Labs are setup with “all” security products Antivirus Personal Firewalls IDS/IPS Data Leak Prevention Malware authors guarantee their products are undetectable… Including service level agreement… New strains released upon detection

8 Goals of Professional Malware
Compromise a machine undetected Gain complete control Identify & acquire “target” information Exfiltrate information surreptitiously Remain undetected – see next slide until target info is acquired as long as possible/necessary

9 Why is Cybercrime Thriving?

10 The Bad Guys are well funded and aggressive
They’ve developed techniques to slip by our protections and detection systems

11 Software and people have vulnerabilities
Security is only as strong as the weakest link

12 Recent Attack Trends “Unstoppable”

13 “This is the “bread and butter” of normal business operations today”
Attack Trends Code gets into your network via – Spear phishing & Spam Browsing the Internet Web Browser bugs exploiting: Internet Explorer, Firefox, Safari, Opera Sharing Files – conducting business… Doc’s, Xls, pdf, ppt, mp3, zip, jpg “This is the “bread and butter” of normal business operations today”

14 2009 Attack Trends

15 2009 Attack Trends “Drive By Download”

16 Why is this a serious threat?
The Attack Vector is very advanced… Basically unstoppable! Legitimate web sites are compromised Example foxnews.com compromised DOD for 2 weeks User’s browser is infected by visiting the site User doesn’t have to click on anything… Remains Hidden From Antivirus by code injection and rootkit techniques

17 Information Stealing Techniques
Sniffs Usernames and Passwords All accounts – not just banks Transfers Money while you are logged into your bank account Man-in-the-browser Can bypass multiple levels of authentication 2 factor key fobs – think RSA SecureID

18 Defensive Techniques Anti Forensics Anti-Anti-Virus Network Traffic
In-memory only payloads – no disk access Flash RAM based storage of code, no disk Encryption of disk-based assets Anti-Anti-Virus Recompile code – pack code – encrypt code Network Traffic Inject evil traffic in with legitimate web browsing Hiding in plain site

19 Defeating Forensics and Antivirus “Memory Tricks”

20 Dynamic, uploaded capability – no disk presence
Non-persistant

21 Defeating Antivirus & Reverse Engineering

22 Packing & Code Obfuscation
Themida is a commercial packer About $300 US Can make “Known” viruses undetectable by Antivirus 1 of the most advanced tools available Others: VMProtect

23 Defeating Live Analysis

24 Defeating Malware Analysis Sandboxes & Virtualization
One of many “kits” available online This kit has techniques to defeat AntiVirus, Malware Analysis, Virtualization, Hardware Emulation, Debuggers, and Disassemblers

25 Defeating Personal Firewalls

26 Just interface lower in the driver chain
Firewall ROOTKIT

27 Use your own driver Firewall ROOTKIT

28 Snip out the firewall Bypass Firewall X X ROOTKIT

29 Alter firewall logic directly to break it
ROOTKIT

30 Why is this a serious threat?
The Anti-Detection & Self Defense is very advanced… Host Detection: Bypasses all AV & Personal Firewalls New Rootkit techniques New variants come out every day Network Detection: Advanced covert communication system to avoid detection Looks like legitimate web traffic to real domains

31 So why are we all fighting against military grade cyber weapons?

32 Supply and Demand

33 Espionage Isn’t Just for Govt’s
April 3rd, "Espionage used to be a problem for the FBI, CIA and military, but now it's a problem for corporations. It's no longer a cloak-and-dagger thing. It's about computer architecture and the soundness of electronic systems.“ - Joel Brenner - Office of the Director of National Intelligence

34 100 – 200 Billion Dollar Industry
Digital Black Market 100 – 200 Billion Dollar Industry Oct 24, 2008 – The Congressional Research Service study says cyber attacks cost $226 billion annually. Mar 2008 – PricewaterhouseCoopers research study says US$45 billion every year * Despite the significant impact, there is no clear framework for business executives to assess the financial impact of their cyber risks.

35 Build a better Mouse Trap
The Opportunity Build a better Mouse Trap

36 Build A Better Mouse Trap
The Opportunity Build A Better Mouse Trap

37 Next Generation Countermeasures

38 Next Generation Countermeasures
Host Scanning Improvements Memory Forensics Automated Reverse Engineering Runtime Analysis Scalable Sandbox Analysis

39 Improved Host Scanning Engine
Scanning Engines must evolve: Must be able to search physical memory Must be able to parse undocumented OS structures, such as process table or thread structures Must detect illegal modifications to the system Must provide improved behavioral identification Must create new algorithm for lower levels of visibility

40 Memory Forensics Memory Forensics is important why?
Can Identify executable code hidden from AV Can overcome many of the advanced tricks posed by advanced malware Can detect illegal modifications to the system Is the only way to detect some of the latest threats

41 Running memory contains evidence

42 Automated Reverse Engineering
Once you detect suspicious or unknown code you need to identify if it’s malicious or not… Automated Reverse Engineering provides critical intelligence: Is this written by kids or Professionals? How malware installs itself How to identify other compromised hosts How to clean it up How and to whom it communicates over the network What information it steals How it remains undetected….

43 Conclusion A motivated & funded adversary will get in… it’s a just matter of time… New & Improved security diagnostics ARE needed to keep up with the bad guys: Memory Forensics - better malware detection RAM today, E-Prom’s on motherboards & video card memory tomorrow Automated Malware Analysis and Debugging – real intelligence Hypervisor, Kernel, Emulation, Hooking, Hardware Malware Intelligence Sharing & Collaboration Platform Database of malware intelligence mined for intelligence purposes Law Enforcement Backing

44 Any Questions? For more information please contact or call

Download ppt "Professional Malware is Unstoppable"

Similar presentations

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.

New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.
1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.

1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Hacker Zombie Computer Reflectors Target.

Hacker Zombie Computer Reflectors Target.
Spyware and Viruses Group 6 Magen Price, Candice Fitzgerald, & Brittnee Breze.

Spyware and Viruses Group 6 Magen Price, Candice Fitzgerald, & Brittnee Breze.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:

November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
Financial Sector Cyber Attacks Malware Types & Remediation Best Practices

Financial Sector Cyber Attacks Malware Types & Remediation Best Practices
Rootkits Jonathan Barella Chad Petersen. Overview What are rootkits How do rootkits work How to detect rootkits How to remove rootkits.

Rootkits Jonathan Barella Chad Petersen. Overview What are rootkits How do rootkits work How to detect rootkits How to remove rootkits.
1 Integrated Site Security Project Denise Heagerty CERN 22 May 2007.

1 Integrated Site Security Project Denise Heagerty CERN 22 May 2007.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
FLTCYBERCOM / C10F    U.S. FLEET CYBER COMMAND / U.S. TENTH FLEET    1 Overall Classification of this Briefing is UNCLASSIFIED//FOUO Phishing.

FLTCYBERCOM / C10F    U.S. FLEET CYBER COMMAND / U.S. TENTH FLEET    1 Overall Classification of this Briefing is UNCLASSIFIED//FOUO Phishing.
PROTECTING YOUR DATA THREATS TO YOUR DATA SECURITY.

PROTECTING YOUR DATA THREATS TO YOUR DATA SECURITY.
©2014 Check Point Software Technologies Ltd. 2014 Security Report “Critical Security Trends and What You Need to Know Today” Nick Hampson Security Engineering.

©2014 Check Point Software Technologies Ltd Security Report “Critical Security Trends and What You Need to Know Today” Nick Hampson Security Engineering.
Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.

Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.
877-240-5577 877 240-5577 bitdefender virus protection

bitdefender virus protection
Understanding and breaking the cyber kill chain

Understanding and breaking the cyber kill chain

Similar presentations

Ads by Google