
Malware and the Modern Threat Landscape


Presentation Transcript


  1. Malware and the Modern Threat Landscape
     Paul Royal, College of Computing, Georgia Institute of Technology

  2. Agenda
     • Overview
     • Platform, Installation, Activities
     • Propagation Studies
     • Evolution
     • Traditional Defense-in-Depth
     • Obfuscation, Server-side Polymorphism
     • Analysis
     • Takedown

  3. Malware Overview
     • Platform
       • Predominantly Microsoft Windows
       • Emergent threats beginning to target Mac OS X and mobile devices
     • Propagation
       • Social engineering
         • Standard (emails with ecards), innovative (torrents offering key generators slipstreamed with malware), or novel (Kraken’s use of MSN Messenger)
       • Rapid, short-term exploitation of critical vulnerabilities
         • Conficker/Downadup’s use of MS08-067 allowed it to grow to 500,000 hosts in a single week

  4. Overview Cont’d
     • Installation
       • Thread injection into a benign/trusted process
         • Can be part of the unpacking process (code is deobfuscated into a newly allocated section)
         • Internet Explorer is a common target for malware that needs to get out through an (authenticated) web proxy
     • Activities
       • Information theft, spam, DDoS
       • Rogue AV software sales
         • Affiliate programs offer commissions as high as 90%
         • Using botnets as an installation medium can earn individuals $100,000/week

  5. Functional Definition
     • Malicious software is the centerpiece of current threats on the Internet
       • Botnets (spamming, DDoS, etc.)
       • Information Theft
       • Surveillance and Espionage
     • Used by Criminals
       • Criminal Infrastructure
       • Domain of Organized Crime
     • Used by Nations
       • Cyber Warfare

  6. Propagation Strategies
     • Visiting “Safe” Websites
       • Reading USAToday.com results in malware on your computer
       • What happened?
         • USAToday.com ad network compromised
         • Visitors served malicious JavaScript bundled with an ad for Roxio Creator 2009
         • Users automatically directed to a Rogue AV website through a malicious traffic distribution system
         • Neither clicking nor hovering over the ad was required to activate the code

  7. Propagation Strategies
     • Case Study: Alexa Top-ranked Domains
       • System created to examine the Alexa top 25,000 domains each day
       • Browser inside a virtual machine (VM) forced to visit each domain
       • Network actions following the visit used to determine whether a drive-by download occurred
     • February 2012
       • 58 of the Alexa top 25,000 domains resulted in drive-by downloads
       • 10.5M users served malicious content
       • 1.6M likely compromised
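The measurement on slide 7 judges a forced, interaction-free browser visit by the HTTP traffic that follows it. The following is an added example of that judgement step; it is not code from the talk or from the GTISC system it describes. All events, hostnames and addresses are constructed, the "registrable site" helper is a deliberate approximation (last two host labels), and the drive-by criterion is an assumption: with no user present, any executable fetched from outside the visited site counts as a drive-by payload, and Referer/Location links are walked backwards to recover the ad or traffic-distribution chain that led there.

```python
"""Classify post-visit network activity as a drive-by download or not.

Added example, not part of the original slides.  All events below are
constructed sample data, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Content types commonly used to serve Windows executables.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}


@dataclass
class HttpEvent:
    """One HTTP response observed after the forced visit."""
    url: str
    status: int
    content_type: str
    body_prefix: bytes = b""           # first bytes of the body, if any
    referer: Optional[str] = None      # Referer header sent with the request
    location: Optional[str] = None     # Location header on a redirect


def site_of(url: str) -> str:
    """Approximate the registrable site as the last two host labels (assumption)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def is_executable(ev: HttpEvent) -> bool:
    """A PE image starts with 'MZ'; an executable content type also counts."""
    return ev.body_prefix.startswith(b"MZ") or ev.content_type.lower() in EXECUTABLE_TYPES


def build_chain(events: List[HttpEvent], target: HttpEvent) -> List[str]:
    """Walk Referer/Location links backwards from `target` to reconstruct how
    the browser was led to it (ad network, traffic distribution system, ...)."""
    by_url: Dict[str, HttpEvent] = {e.url: e for e in events}
    redirect_to: Dict[str, str] = {e.location: e.url for e in events if e.location}
    chain, cur, seen = [target.url], target, set()
    while cur is not None and cur.url not in seen:
        seen.add(cur.url)
        prev_url = redirect_to.get(cur.url) or cur.referer
        if not prev_url:
            break
        chain.append(prev_url)
        cur = by_url.get(prev_url)
    return list(reversed(chain))


def analyze_visit(visited_url: str, events: List[HttpEvent]) -> dict:
    """Verdict for one forced visit.  Criterion (assumption): no user
    interaction was possible, so an executable fetched from outside the
    visited site is treated as a drive-by payload."""
    visited_site = site_of(visited_url)
    payloads = []
    for ev in events:
        if ev.status == 200 and is_executable(ev) and site_of(ev.url) != visited_site:
            payloads.append({"url": ev.url, "chain": build_chain(events, ev)})
    third_party = sorted({site_of(e.url) for e in events} - {visited_site})
    return {"visited": visited_url, "drive_by": bool(payloads),
            "payloads": payloads, "third_party_sites": third_party}


# Constructed scenario in the shape of slide 6: a compromised ad network
# leads, via a traffic distribution system (TDS), to an executable download.
COMPROMISED_AD_VISIT = [
    HttpEvent("http://news.example/", 200, "text/html", b"<!DOCTYPE html>"),
    HttpEvent("http://ads.adnet.example/ad.js", 200, "application/javascript",
              b"var x=", referer="http://news.example/"),
    HttpEvent("http://tds.evil-example.net/go", 302, "text/html", b"",
              referer="http://ads.adnet.example/ad.js",
              location="http://dl.evil-example.net/setup.exe"),
    HttpEvent("http://dl.evil-example.net/setup.exe", 200,
              "application/octet-stream", b"MZ\x90\x00"),
]

# Constructed benign visit: page resources from the site itself and a CDN.
BENIGN_VISIT = [
    HttpEvent("http://news.example/", 200, "text/html", b"<!DOCTYPE html>"),
    HttpEvent("http://static.news.example/site.css", 200, "text/css", b"body{",
              referer="http://news.example/"),
    HttpEvent("http://cdn.example/logo.png", 200, "image/png", b"\x89PNG",
              referer="http://news.example/"),
]

if __name__ == "__main__":
    for events in (COMPROMISED_AD_VISIT, BENIGN_VISIT):
        print(analyze_visit("http://news.example/", events))
```

The chain recovered for the constructed payload runs from the visited page through the ad script and the redirecting TDS host to the executable, which is exactly the evidence a measurement system keeps alongside the verdict so that the compromised intermediary (here the ad network) can be identified.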

  8. Propagation Strategies Cont’d
     • “Feature-minded” Software Vendors
       • Executive receives an email with a PDF attachment
       • The email’s subject and the recipient’s ethnicity compel him to view the attachment
       • The PDF contains an embedded, malicious Flash movie which exploits Acrobat Reader’s Flash interpreter, compromises the system and phones home to a controller
       • Soon after, compromised, legitimate websites are found hosting drive-by attacks that use the same flaw to exploit Flash Player
       • Vulnerability traced back to a bug reported to Adobe eight months prior

  9. Propagation Strategies Cont’d
     • “Uninformed” Users
       • Waledac’s email campaigns
         • Use of geo-location and temporally relevant events (e.g., bomb blast in <your city>, July 4th fireworks videos) to make attacks more compelling

  10. Traditional Defense-in-Depth
      • Network-Level Protection
        • Firewall
          • Evaded by C&C protocol congruency
        • IPS/IDS
          • Evaded by custom encodings
      • Host-Level Protection
        • User Access Control
          • Analogous to “informed consent”
        • AntiVirus
          • Uses complex, heuristics-based detection along with signature matching

  11. Malware Obfuscation
      • Often referred to as “packing”
      • A technique whereby parts or all of an executable file are compressed, encrypted, or transformed in some fashion
      • Code that reverses the pre-runtime transformation is included in the executable
      [Figure: Program A (machine code: PUSH EBP; MOV EBP, ESP; SUB ESP, 8; CALL 00401170; …) passes through an Obfuscation Tool (Encrypt / Compress / Transform) and becomes Program A’ (transformed machine code that appears as data, plus the deobfuscation code)]

  12. Obfuscation Impact on AntiVirus
      • Novel obfuscations easily evade AV
      • Example: Project ZeroPack
        • Proof-of-concept obfuscation tool
        • Makes malware appear benign to AV tools
        • Developed for DefCon 16’s Race to Zero contest
      [Figure: ZeroPack]

  13. Scalable, Effective Malware Distribution
      • Server-side Polymorphism
        • Attacks the heart of the traditional host-based AV model by automating mutations
        • When done professionally: Waledac
      [Figure: two Waledac updates, collected on 12/30/2008 and 2/25/2009]
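Slides 11 to 13 make three connected points: a packed executable carries its original code as data plus the code that reverses the transformation, a byte signature written for the original therefore misses the packed file, and server-side polymorphism re-keys that transformation per download so every copy also has a distinct hash. The following is an added example that walks through those three points from the analyst's side; it is not code from the talk, from ZeroPack or from Waledac. The "obfuscation tool" is a constructed stand-in (XOR with a SHA-256 counter-mode keystream, key prepended) chosen only because it reproduces the property the slides describe; the prologue signature is the byte encoding of the PUSH EBP / MOV EBP, ESP / SUB ESP, 8 sequence drawn on slide 11, and the sample "Program A" is constructed.

```python
"""Why a packed payload defeats byte-signature scanning, and two checks an
analyst applies in response: an entropy heuristic for spotting packed
regions, and re-scanning after the embedded reversal routine has run.

Added example, not code from the talk.  The transform is a constructed
stand-in for an obfuscation tool, not a real packer.
"""
import hashlib
import math
import os
from collections import Counter

# Byte encoding of the prologue drawn on slide 11:
# PUSH EBP; MOV EBP, ESP; SUB ESP, 8  ->  55 8B EC 83 EC 08
PROLOGUE_SIGNATURE = bytes.fromhex("558bec83ec08")

# Constructed stand-in for "Program A": prologue, a CALL rel32, NOP padding,
# repeated so the plaintext is clearly low-entropy machine code.
PROGRAM_A = (PROLOGUE_SIGNATURE + bytes.fromhex("e85b010000") + b"\x90" * 250) * 8

KEY_LEN = 16


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and is typical of compressed or
    encrypted data, while ordinary x86 code sits well below it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter), one block per counter value."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def transform(code: bytes, key: bytes) -> bytes:
    """The obfuscation-tool step of slide 11.  Output = key (the datum the
    embedded reversal code needs) followed by the transformed bytes, which
    now look like data rather than code."""
    ks = _keystream(key, len(code))
    return key + bytes(a ^ b for a, b in zip(code, ks))


def reverse_transform(packed: bytes) -> bytes:
    """The 'code that reverses the pre-runtime transformation'.  Inside a
    real packed file this runs at start-up; an analyst runs or emulates it."""
    key, body = packed[:KEY_LEN], packed[KEY_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


def signature_match(data: bytes, signature: bytes = PROLOGUE_SIGNATURE) -> bool:
    """Plain byte-signature scan, the traditional AV check."""
    return signature in data


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Entropy heuristic: a region near 8 bits/byte is compressed or encrypted."""
    return shannon_entropy(data) >= threshold


def scan(sample: bytes) -> dict:
    """Defender's pipeline: scan as-is, flag likely packing, and if flagged
    re-scan the output of the reversal routine (static unpacking)."""
    verdict = {"static_hit": signature_match(sample),
               "looks_packed": looks_packed(sample[KEY_LEN:]),
               "post_unpack_hit": False}
    if verdict["looks_packed"]:
        verdict["post_unpack_hit"] = signature_match(reverse_transform(sample))
    return verdict


def simulate_server_side_polymorphism(code: bytes, copies: int) -> list:
    """Slide 13: every download is transformed under a fresh random key, so
    each copy has a different hash although the unpacked code is identical."""
    return [transform(code, os.urandom(KEY_LEN)) for _ in range(copies)]


if __name__ == "__main__":
    packed = transform(PROGRAM_A, b"constructed-key!")
    print("plain  :", scan(PROGRAM_A), round(shannon_entropy(PROGRAM_A), 2))
    print("packed :", scan(packed), round(shannon_entropy(packed[KEY_LEN:]), 2))
    copies = simulate_server_side_polymorphism(PROGRAM_A, 3)
    print("distinct hashes:", len({hashlib.sha256(c).hexdigest() for c in copies}))
```

Two things the numbers show that the slides only state: the signature that fires on the plaintext is silent on the packed bytes until the reversal routine has been applied, and three re-keyed copies yield three distinct file hashes while `reverse_transform` returns the same bytes for each, which is why per-sample hashes and static signatures lose to automated mutation and why unpacking, emulation and behavioural analysis carry the weight in the slides that follow.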

  14. Malware Complexity
      • Stuxnet
        • Nation-state created malware
        • Multiple zero-day arbitrary code execution exploits
        • Private network, removable media propagation
        • Multiple zero-day privilege escalation exploits
        • Rootkit components with stolen code-signing certificates from Realtek and JMicron
      • Botnet ‘T’ (now known as Shady RAT)
        • Used for data exfiltration
        • No packing obfuscations
          • AV detections still < 50%
        • Centralized C&C
          • Hosted on a four-year-old legitimate, compromised realty website
          • Commands via HTTP comments

  15. Malware Analysis
      • There is a pronounced need to understand malicious software behavior
      • Malware analysis is the basis for understanding the intentions of malicious programs
        • Threat Discovery and Analysis
        • Compromise Detection
        • Forensics and Asset Remediation
      • Malware authors incentivized to make analysis challenging
        • Direct financial motivation

  16. Analyzer Detection Prevalence
      • Analysis tool/environment detection is a standard malware feature

  17. Malware Network Takedowns Cont’d
      • Case Study: Mariposa
        • Large, data-stealing botnet
        • Used to steal credit card and banking information
        • Compromises in half of the Fortune 1000
        • Before takedown, over 1M members

  18. Mariposa Cont’d
      • Takedown Timeline
        • Spring 2009: Mariposa discovery
        • Fall 2009: International Mariposa Working Group (MWG) formed
          • Defence Intelligence, GTISC, Panda Antivirus, FBI, Guardia Civil (Spanish LEO)
        • December 2009: All C&C domains shut down and sinkholed within hours of the first
          • Operators panic; log into domain management services from home systems
          • Warrants issued to operators’ ISP
        • January 2010: Operators arrested
          • 800,000 financial credentials found on one operator’s home systems
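Slide 17 sizes Mariposa at over 1M members and slide 18 records all C&C domains being sinkholed within hours of the first. Once domains point at infrastructure the defenders control, the bots keep calling home and the sinkhole's connection log becomes the evidence for both statements. The following is an added example of the aggregation an analyst runs over such a log; it is not code from the talk or from the Mariposa Working Group. The log format, hostnames (reserved `.invalid` placeholders) and client addresses (RFC 5737 documentation ranges) are constructed, and the per-IP counting is a deliberate lower bound, since hosts behind NAT share an address.

```python
"""Estimate the infected-host population and capture timing from a sinkhole log.

Added example for slides 17 and 18; not code from the talk.  Log lines,
domain names and addresses below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sinkhole access log: timestamp, client IP, requested host, path.
SINKHOLE_LOG = """\
2009-12-23T03:12:44Z 203.0.113.10 cnc-one.invalid /ping
2009-12-23T03:12:51Z 203.0.113.11 cnc-one.invalid /ping
2009-12-23T03:13:02Z 198.51.100.7 cnc-two.invalid /ping
2009-12-23T05:40:19Z 203.0.113.10 cnc-two.invalid /ping
2009-12-23T09:01:00Z 192.0.2.200 cnc-one.invalid /ping
2009-12-24T00:00:05Z 203.0.113.10 cnc-one.invalid /ping
2009-12-24T01:15:33Z 198.51.100.8 cnc-three.invalid /ping
this line is malformed and must be skipped
2009-12-24T02:02:02Z 203.0.113.11 cnc-one.invalid /ping
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<host>\S+) (?P<path>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse well-formed lines into records; malformed lines are dropped so
    one bad line cannot stop the aggregation."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def victims_per_day(records: List[dict]) -> Dict[str, int]:
    """Distinct client IPs per day across all sinkholed domains.  A host that
    contacts several domains counts once; NAT makes this a lower bound."""
    seen = defaultdict(set)
    for r in records:
        seen[r["ts"].date().isoformat()].add(r["ip"])
    return {day: len(ips) for day, ips in sorted(seen.items())}


def victims_per_domain(records: List[dict]) -> Dict[str, int]:
    """Distinct client IPs per C&C domain over the whole log, which shows
    how the population was spread across the operators' infrastructure."""
    seen = defaultdict(set)
    for r in records:
        seen[r["host"]].add(r["ip"])
    return {host: len(ips) for host, ips in sorted(seen.items())}


def total_victims(records: List[dict]) -> int:
    """Distinct client IPs over the whole log (the 'members' figure)."""
    return len({r["ip"] for r in records})


def first_seen_per_domain(records: List[dict]) -> Dict[str, str]:
    """First time each sinkholed domain received bot traffic.  Comparing
    these timestamps verifies the 'within hours of the first' coordination."""
    first: Dict[str, datetime] = {}
    for r in records:
        if r["host"] not in first or r["ts"] < first[r["host"]]:
            first[r["host"]] = r["ts"]
    return {h: t.isoformat() for h, t in sorted(first.items())}


if __name__ == "__main__":
    recs = parse_log(SINKHOLE_LOG)
    print("records parsed  :", len(recs))
    print("victims per day :", victims_per_day(recs))
    print("per domain      :", victims_per_domain(recs))
    print("total victims   :", total_victims(recs))
    print("first seen      :", first_seen_per_domain(recs))
```

On the constructed log the daily figure (4, then 3 distinct hosts) is smaller than the sum of the per-domain figures because the same host reaches more than one C&C domain, which is the same reason a real population estimate is built from distinct identifiers rather than from raw request counts.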

  19. Closing Thoughts
      • Today’s malware author/operator is more motivated and resourceful than ever before
      • The increasing complexity of systems and software prohibits compartmentalization to a single person or group
      • Understanding modern malicious software can promote the creation of malware-resistant systems

  20. Questions?
