Post on 11-Apr-2017
transcript
The Malware Self-Protection Matrix
Marion Marschalek, Senior Malware Researcher at Cyphort Labs
Your speakers today
Marion Marschalek, Senior Malware Researcher, Cyphort Labs
Shelendra Sharma, Product Marketing Director
Agenda
o Malware detection evolution
o Malware self-protection
o Wrap-up and Q&A
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data
HOW DO YOU FIND WHAT YOU CAN'T SEE?
A Digital Threat History
Virus, Exploit, Worm, Trojan, Multi-component malware, Adware, Rootkit, Spyware, APT, Targeted threat, Surveillance software, Insider threat
A THREAT DETECTION HISTORY
Your signature update.
Checksums
Byte Patterns
Behavior Patterns
Static / Dynamic Heuristics
Whitelisting
Anomalies
Network Streams
Cloud Protection
2015
And many, many more!
THINGS HAVE CHANGED
Then: Virus, Detection, Signature, Product, Computer, Server
Now: Threat, Prevention, Definition, Solution, Cloud, Endpoint
Malware Self-Protection
Detection technique -> Malware self-protection
Debugging    -> Debugger detection, sub-processes, thread injection
Disassembly  -> Obfuscation
Static       -> Packer and crypter
Emulation    -> Emulator detection, time-based evasion
Sandboxing   -> VM detection, modular malware
Reputation   -> Binary updates, targeted malware
Anomalies    -> Binary padding, use of legitimate tools
Fortunately, most threats make mistakes of their own.
ZEUS: why can't detection work?
%APP%\Uwirpa 10.12.2013 23:50
%APP%\Woyxhi 10.12.2013 23:50
%APP%\Hibyo 19.12.2013 00:10
%APP%\Nezah 19.12.2013 00:10
%APP%\Afqag 19.12.2013 23:29
%APP%\Zasi 19.12.2013 23:29
%APP%\Eqzauf 20.12.2013 22:23
%APP%\Ubapo 20.12.2013 22:23
%APP%\Ydgowa 20.12.2013 22:23
%APP%\Olosu 20.12.2013 23:03
%APP%\Taal 20.12.2013 23:03
%APP%\Taosep 20.12.2013 23:03
%APP%\Wokyco 16.01.2014 13:22
%APP%\Semi 17.01.2014 16:34
%APP%\Uheh 17.01.2014 16:34
Sandbox detection, persistence mechanisms, file names, network connection
Big picture: detection & combination of static/dynamic features
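The ZEUS listing above shows the two mistakes the slides point at: folder names that look random and get dropped in pairs at the same minute. As an added example (not from the slides or from Cyphort), the following Python parses such a %APP% listing and flags those batches; the vendor allow-list and the two benign decoy folders are assumptions, not from the deck.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the %APP% listing from the ZEUS slide,
# with two benign vendor folders added as decoys (hypothetical).
LISTING = """\
%APP%\\Uwirpa 10.12.2013 23:50
%APP%\\Woyxhi 10.12.2013 23:50
%APP%\\Mozilla 03.11.2013 09:12
%APP%\\Hibyo 19.12.2013 00:10
%APP%\\Nezah 19.12.2013 00:10
%APP%\\Adobe 05.11.2013 14:47
%APP%\\Semi 17.01.2014 16:34
%APP%\\Uheh 17.01.2014 16:34
"""

LINE_RE = re.compile(r"^%APP%\\(?P<name>[^ ]+) (?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2})$")

# Vendor folders a normal profile is expected to contain (assumed allow-list).
KNOWN_VENDORS = {"Mozilla", "Adobe", "Microsoft", "Google"}


def parse_listing(text):
    """Return (name, datetime) tuples; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M")))
    return entries


def looks_generated(name):
    """Heuristic for the slide's names: short, capitalised, letters only, no known vendor."""
    return (name not in KNOWN_VENDORS and name.isalpha() and name[0].isupper()
            and name[1:].islower() and 4 <= len(name) <= 6)


def suspicious_batches(text):
    """Group generated-looking folders by creation minute; keep minutes with 2+ of them."""
    by_minute = defaultdict(list)
    for name, ts in parse_listing(text):
        if looks_generated(name):
            by_minute[ts].append(name)
    return {ts.strftime("%d.%m.%Y %H:%M"): sorted(names)
            for ts, names in by_minute.items() if len(names) >= 2}


if __name__ == "__main__":
    for minute, names in sorted(suspicious_batches(LISTING).items()):
        print(minute, names)
```

The benign decoys are dropped by the allow-list, while the three paired drops from the slide are reported together with their minute.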
SILVER BULLET ...?
ARMOURING
SAZOORA: being picky
Code Obfuscation
Virtual Machine Code Execution
handler13:ExitProcHresult...
handler14:ExitProc...
handler15:ExitProcI2...
... FC C8 13 76 ...
Various packer layers: no static detection
Static detection won't work
Reputation & Metadata Features
SILVER BULLET ...?
EXPLOITATION
Endpoint protection built to detect repetitive patterns of evil.
Exploit = system corruption
Exploit vs. vulnerability
TYPICAL DRIVE-BY INFECTION
o hxxp://www.insertyourwebsitehere.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js
o hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755
o hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC%B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&nrk=5992423910 (IE 6, 7, 8 or 9, 10, 11)
o hxxp://g12z4pj3k4k9y4wd517-ll6.dienami.ru/f/1398361080/5/x007cf6b534e520804090407000700080150050f0304045106565601;1;5
o BOOM.
(There is none.)
Patching, patching and more patching
An exploit will seldom come alone!
SILVER BULLET ...?
VISIBILITY - KNOW-HOW - ACTIONABILITY
LURE -> EXPLOIT -> INFECT -> CALL HOME -> STEAL DATA
Follow the kill chain
Q&A
Thank You!