
Anatomy of Modern Malware Attacks



Presentation Transcript


  1. Rob Davis, CISSP, Managing Partner. Anatomy of Modern Malware Attacks

  2. Our analysis of the Verizon DBIR
  [Chart figures from the slide: 87%, 40, 35, 29, 55%, 58%, 33%]
  • How do they get in? Nearly all detected attacks use a combined attack approach, yet 75% of targets are opportunity based. Once the host and company are identified, it is sold on the open market. Malware-based attacks are increasing in complexity and continue to be one of the easiest methods to compromise a network. Watering hole and multi-redirection attacks dropping keyloggers and backdoors are the most common.
  • [Chart figures: 52, 3, 2, 1] Hacking to obtain credentials for access to perimeter services (VPN, Citrix, OWA) is the basis for 4 out of 5 attacks.
  • Percentage of infected systems by country according to BitDefender. Social engineering has shown a huge increase based on phishing attacks. The DBIR states that 95% of all attacks employed phishing as the initial attack method. The likelihood of a click success is 80% after sending just 6 emails. 78% of attacks are rated as low or very low difficulty.
  • Attack progression: 1. Initial compromise of the system (phishing / hacking). 2. System infected and credentials exported. 3. Lateral movement to other hosts. 4. Misuse, defined as the insider threat where privilege abuse and theft occur to exfiltrate information. Perimeter DLP monitoring is not always a solution, since USB keys and online file sharing are used.
  • Watering hole attacks. Profiling: the attacker profiles victims and the sites they visit by industry or personal interest. Vulnerable sites: the attacker tests the websites visited for vulnerabilities. Compromise: when the attacker finds a vulnerable website, JavaScript is injected that redirects to the exploit. Wait for the prey: the compromised website now waits to infect the profiled victim.
  • Undetected presence. Primary methods of infection have changed to primarily use malware droppers through phishing and drive-by attacks.
  • 13: Physical tampering of point-of-sale terminals, ATMs and credit card swipers is on the rise globally based on the number of reported incidents.

  3. Security Capabilities: People, Process, Configuration, Technology
  • The Defendable Network
  • Make Initial Compromise as Difficult as Possible
  • Restrict Lateral Movement of Attackers
  • Improve Visibility and Monitoring (Situational Awareness for quick detection and recovery capability from security events)
  • Misuse of Legitimate Credentials; Installing malicious software (malware); Application Attack (SQL Injection, XSS)

  4. Dynamic Malware Detection (Host 10.22.155.80 – Multiple Infections and Callbacks Detected)

  5. How did the User Get Exploited??

  6. Obfuscated JavaScript to Detect Vulnerability to Exploit

  7. Obfuscated JavaScript to Detect Vulnerability to Exploit. This is what obfuscated JavaScript looks like. Commercial and private tools exist to automatically create the JavaScript. It is not encrypted, so you can reverse engineer it with some effort.

  8. Java Used for Exploit

  9. Malware EXE #1 Installed

  10. Malware EXE #2 Installed (Next session was malware EXE #3 – 6.exe) The User-Agent and request headers have changed for this web session. This download is via the first piece of malware versus coming through the browser – and the malware is proxy aware (nice job!).

  11. Example of Malware Payload (531K) Encrypted to Avoid Analysis by Cloud Based Systems

  12. VirusTotal Analysis is Negative – Can’t Even Identify File Type
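Slides 11 and 12 make the point that an encrypted payload defeats cloud analysis: VirusTotal cannot even name the file type. A first-pass triage that runs locally, with nothing uploaded, is to check the blob against known magic bytes and measure its Shannon entropy; no recognisable header plus entropy near 8 bits per byte is the signature of an encrypted or packed payload. The Python below is an added example, not code from the deck; the magic-byte table is a short assumed list and both sample buffers are constructed, not the presenter's sample.

```python
"""Offline first-pass triage of a suspect payload: known magic bytes plus
Shannon entropy. Encrypted or packed blobs carry no recognisable header and
have entropy close to 8 bits/byte, matching the 'cannot identify file type'
result on slide 12."""
import hashlib
import math
from collections import Counter

# Assumed starter list of file signatures; extend for your environment.
MAGIC = {
    b"MZ": "PE executable",
    b"%PDF": "PDF document",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (JAR/Office/APK)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Name the file type by its leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(data: bytes, threshold: float = 7.5) -> dict:
    """Summarise a blob: type, entropy, and whether it looks encrypted or packed.

    A typed file with high entropy (e.g. a PE with a packed section) is left to
    deeper analysis; only headerless high-entropy blobs are flagged here."""
    kind = identify(data)
    ent = shannon_entropy(data)
    return {
        "type": kind,
        "entropy": round(ent, 2),
        "likely_encrypted": kind == "unknown" and ent >= threshold,
    }


# Constructed samples (not the deck's payload): a zero-padded PE-like header,
# and a deterministic high-entropy blob built from SHA-256 digests so the
# result is reproducible without a real encrypted file.
FAKE_PE = b"MZ" + b"\x00" * 4094
OPAQUE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in (("fake_pe", FAKE_PE), ("opaque_blob", OPAQUE_BLOB)):
        print(name, triage(blob))
```

Run against the actual sample from the sandbox, the `likely_encrypted` flag tells you up front that static signature engines will have nothing to match on, so the useful evidence is going to come from behaviour (the callbacks on slides 4 and 13 to 15) rather than from the file itself.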

  13. Exfiltration of Encrypted Data – Most Likely Local Admin and User Domain Credentials (Need to Change User Passwords)

  14. Use of Outbound Port 53 UDP Traffic for Exfiltration (DNS)

  15. Single Packet UDP Outbound for Command and Control (VERY Difficult to Detect for Most Organizations) 9e:8b:b7:f1:28:94:8d:ab:c9:c0:d1:99:9a:f7:d3:b9 b5:f3:a1:97:91:9c:9e:98:1d:39:6c:37:f9:70:7a:62:96:94:0b:06

  16. Use NetWitness to Examine ANY Hosts Using UDP 16464 Outbound Two Additional Hosts Identified – One Verified as Infected
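Slides 14 to 16 describe the same investigative pivot twice: once for DNS-carried exfiltration on UDP/53 and once for the single-packet UDP/16464 beacon, where the question is "which other hosts are doing this?". The deck does it in NetWitness; the Python below is an added example, not the presenter's code or a NetWitness query, that applies the same two filters to flow records. The CSV layout, the flow rows and the list of sanctioned internal resolvers are all constructed for the example.

```python
"""Pivot on outbound UDP the way slides 14-16 do: which hosts send DNS (UDP/53)
to resolvers that are not ours, and which hosts send single-packet UDP flows to
an unusual destination port (16464 in the deck)."""
import csv
import io
from collections import defaultdict

# Constructed flow records in a NetFlow/Zeek-like CSV layout; not real traffic.
SAMPLE_FLOWS = """\
src,dst,proto,dport,pkts_out,bytes_out
10.22.155.80,198.51.100.20,udp,53,1,45
10.22.155.80,198.51.100.20,udp,53,1,230
10.22.155.80,203.0.113.7,udp,16464,1,64
10.22.155.81,10.22.1.10,udp,53,1,60
10.22.155.90,203.0.113.7,udp,16464,1,64
10.22.155.91,203.0.113.9,udp,16464,40,52000
10.22.155.91,203.0.113.9,tcp,443,30,4000
"""

# Assumed set of sanctioned internal DNS servers; substitute your own.
INTERNAL_RESOLVERS = {"10.22.1.10", "10.22.1.11"}


def parse_flows(text):
    """Parse CSV flow text into dicts with integer counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["pkts_out"] = int(row["pkts_out"])
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def dns_to_foreign_resolvers(flows):
    """Bytes of UDP/53 each host sent to resolvers outside the sanctioned set.

    Clients that bypass the internal resolvers are the first place to look for
    DNS-carried exfiltration (slide 14); the byte total ranks them."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53 and f["dst"] not in INTERNAL_RESOLVERS:
            totals[f["src"]] += f["bytes_out"]
    return dict(totals)


def single_packet_udp_hosts(flows, port, max_pkts=1):
    """Hosts with at least one UDP flow to `port` of `max_pkts` packets or fewer.

    A one-packet beacon is what slide 15 shows. A 40-packet flow to the same port
    is a bulk transfer, not a beacon, and is excluded at the default threshold."""
    hits = set()
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == port and f["pkts_out"] <= max_pkts:
            hits.add(f["src"])
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("DNS bytes to non-sanctioned resolvers:", dns_to_foreign_resolvers(flows))
    print("Hosts beaconing on UDP/16464:", single_packet_udp_hosts(flows, 16464))
```

The packet-count threshold is the part worth tuning: the deck's beacon is a single datagram, which is why it is so hard to see in volume-based alerting, so the filter keys on flow size rather than on bytes, and raising `max_pkts` widens the net to include the bulk flows as well.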

  17. PDF Only Exploit – No EXE

  18. Dynamic Malware Detection (Host 10.225.146.113)

  19. Grab Malware File from FireEye – Submit to VirusTotal Who Else Has Seen This? The Answer is Nobody ….

  20. Malware Payload is a PDF – No Executable Downloads Unusual since PDF exploit is typically a dropper used to fetch more malware.

  21. Luxtrafficstats Redirects to HC (Hardcore) Traffic

  22. Malware Payload is a PDF – No Executable Downloads User finally takes matter into his own hands – grabs Hitman Pro, Malware Bytes, and Spybot!

  23. How Did this All Begin?? Just a Man at Work Wanting to Watch TV ….

  24. Host Visibility

  25. What Does Increased Network Visibility Give You? Additional Hosts to Investigate – Many Compromised but not All …. Can you verify what files/scripts have been executed in your environment?

  26. Example of Dynamic Malware Analysis Results Two Additional Hosts Identified – One Verified as Infected

  27. Persistence

  28. Windows Local Administrator Credentials Stolen Exfiltration of local administrator credentials. If you use the same local admin passwords then attackers can easily move laterally.

  29. Windows Local Administrator Credentials Stolen Exfiltration of domain user credentials. This is why you don’t want to use Windows credentials for remote access.

  30. Maintaining Persistence After Compromise • Attacker has already: • Gained initial access • Infected systems with backdoor malware • Obtained domain credentials • Downloaded complete organizational structure from Exchange

  31. Questions
