Coordinated Malware Eradication & Remediation Project (CMEP) – The Way Forward
Dr Aswami Ariffin (Dr AA), Vice President & Digital Forensics Scientist, Cyber Security Responsive Services Division
CyberSecurity [email protected]
Copyright © 2015 CyberSecurity Malaysia
About me…
Agenda
1. CMERP Objectives
2. Incidents & Statistics
3. CMERP Framework/Matrix/System
4. Industry & Academia Collaborator
5. Research, Development and Commercialization
6. Big Data Forensics & Honeynet
7. Conclusion
CMERP Objectives
Mission: To address the computer security concerns of Malaysian Internet users
Vision: To reduce the probability of successful attacks and lower the risk of consequential damage
Objectives:
• To reduce the number of bot/malware infections in Malaysia
• To provide proactive measures to safeguard against and mitigate malware infection
• To collaborate with industry and academia (national and international) to ensure the success of the project
APT modus operandi (diagram: Hacker, C&C Server, Victim 1, Victim 2, Victim 3 and their contact lists)
1. Send spear phishing email to targeted victims
   RAT installation: victim opens malicious attachment
2. RAT communicates with C&C server and grabs orders
3. Upload tools and request data
4. Send requested data
5. Send spear phishing email to contact list
Online bank malware case, Sept 2014
Modus operandi banker malware (diagram actors: Malware coder, Hacker, Victim machine, CnC server, Legitimate site, Victim phone, Money mule, Scam organizer)
1. Malware coder writes malicious software to exploit a computer vulnerability and install a trojan
2. Victim infected with credential-stealing malware
3. Banking credentials + phone no. stolen
4. Hacker retrieves banking info + phone no.
5. Send SMS containing link to a malicious APK
6. Download malware
7. Hacker accesses banking site
8. Transaction approval SMS
9. Malware forwards approval SMS
10. Hacker retrieves stolen SMS
11. Transaction approved using stolen SMS
12. Money transfer to mule
13. Money transfer from mule to organizer
Incidents handled in 2014
Incidents handled in 2015
Year 2013: 2.8 Million Infected IPs
Year 2014: 3.2 Million Infected IPs
Popular malware family in Malaysia
Daily Counts Past 60 Days
Family        Malaysia
DonxRef       89
Conficker     40,064
Obfuscator    7,469
Autorun       36,602
Comisproc     30,079
Msidebar      275
Jenxcus       97,543
Dynamer       5,596
Bursted       2,972
Axpergle      2,043
Filcout       22,453
Sefnit        14,891
Faceliker     63,216
Nitol         1,699
Zbot          3,115
Redirector    2,168
Orsam         1,926
Gamarue       51,206
IframeRef     3,631
Passdoc       171
Bumat         1,506
FlyAgent      2,363
Clikug        13,741
Dorkbot       37,375
Neclu         581
Rotbrow       10,213
Sality        26,721
VB            1,376
Wysotot       3,078
Neyer         197
Brantall      7,685
Kenilfe       538
Qfas          480
Malagent      3,098
Sulunch       989
Spacekito     2,120
DelfInject    1,167
Ramnit        15,981
Mailcab       23
Necurs        3,377
Jpgiframe     374
Sisproc       1,843
Rimecud       4,174
Xyligan       3
FlyStudio     798
CplLnk        13,265
Startpage     208
Dunik         511
Fynloski      6,560
Almanahe      582
Total         548,135
1. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. Alert level: Severe
2. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. Alert level: Severe
3. JS/Faceliker is a JavaScript that performs 'likejacking' attacks. A 'likejacking' attack is when this threat 'likes' Facebook content without your knowledge or consent. This threat might be included in malicious or hacked webpages. Alert level: Severe
4. Gamarue: this malware family can give a malicious hacker control of your PC. They can also steal your sensitive information and change your PC security settings. We've seen them installed by exploit kits and other malware. They can also be attached to spam emails. Alert level: Severe
Source: Microsoft
CMERP - 2014
CMERP framework
CMERP matrix – detect, respond & prevent
1. Constantly monitors traffic, security feeds and incident alerts.
2. When an infection is detected, the customer is identified and the system automatically fetches their contact information.
3. The customer is automatically alerted that their system appears to have been compromised and that follow-up action will be taken.
4. Walled garden – the customer's device is removed/quarantined/restricted from network access.
5. The customer can download tools made available at the isolation portal to remove the infection (also patches and bug fixes).
6. A PC/IP detected to be clean can rejoin the network. If the infection is still present, the problem is automatically flagged.
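The detect, respond and prevent lifecycle above, written out as a small state machine. This is an added illustration, not CMERP's own code; the feed line format ("timestamp,ip,family"), the CUSTOMERS assignment table, the contact addresses and the state names are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    DETECTED = "detected"        # infection seen in a security feed
    NOTIFIED = "notified"        # contact fetched, customer alerted
    QUARANTINED = "quarantined"  # device held in the walled garden
    CLEAN = "clean"              # rescan clean, network access restored
    FLAGGED = "flagged"          # still infected after remediation

CUSTOMERS = {  # constructed assumption: customer IP -> contact record
    "203.0.113.7": {"id": "CUST-001", "contact": "user1@example.invalid"},
    "203.0.113.9": {"id": "CUST-002", "contact": "user2@example.invalid"},
}

@dataclass
class Case:
    ip: str
    family: str
    customer: dict
    state: State = State.DETECTED
    log: list = field(default_factory=list)  # audit trail of transitions

    def advance(self, new_state: State, note: str) -> None:
        self.log.append(f"{self.state.value} -> {new_state.value}: {note}")
        self.state = new_state

def parse_feed_line(line: str):
    """Parse a constructed feed line 'timestamp,ip,family'; None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2]

def open_case(line: str):
    """Detect and respond: map a feed hit to a customer, alert, quarantine."""
    hit = parse_feed_line(line)
    if hit is None or hit[0] not in CUSTOMERS:
        return None  # malformed line, or not this ISP's address space
    case = Case(ip=hit[0], family=hit[1], customer=CUSTOMERS[hit[0]])
    case.advance(State.NOTIFIED, f"alert sent to {case.customer['contact']}")
    case.advance(State.QUARANTINED, "redirected to isolation portal")
    return case

def process_rescan(case: Case, still_infected: bool) -> State:
    """Prevent: a rescan after remediation decides rejoin or flag."""
    if case.state is not State.QUARANTINED:
        raise ValueError("rescan only applies to quarantined devices")
    case.advance(State.FLAGGED if still_infected else State.CLEAN, "rescan")
    return case.state
```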
CMERP system concept
Project phases
Industry collaborator
Academia collaborator
R&D&C
iOS forensics – vulnerability research
Big data forensics & honeynet
Conclusion
1. Cyber threat intelligence report; malware biometrics
2. National/international cooperation to combat cybercrime; analytics dashboard.
3. Enforcement; cyber laws
4. Lower the cost of combating cybercrime
5. More efficient through strategic alliances
6. Capacity and capability building
7. Emergency readiness