Stopping Next-Gen Threats Dan Walters – Sr. Systems Engineer Mgr.
"We're moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works." - Chris Young, GVP Cisco Security Tech Week Europe, September 28th 2012
The Attack Lifecycle – Multiple Stages (diagram; labels recovered from the slide)
1. Exploitation of system – via a compromised web server or Web 2.0 site
2. Malware binary download
3. Callbacks and control established – to the callback server
Other elements shown in the diagram: file shares, IPS, DMZ.
The curious case of Trojan.Bisonal
• Targets Japanese organizations exclusively
• Delivered via weaponized .doc/.xls files
• Embeds the target's name into the command-and-control traffic
Custom “flag” and C2 domain

GET /j/news.asp?id=* HTTP/1.1
User-Agent: flag:khihost:BusinessIP:10.0.0.43 OS:XPSP3 vm:�� proxy:��
Host: online.cleansite.us
Cache-Control: no-cache

GET /a.asp?id=* HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;.NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: khi.acmetoy.com
Connection: Keep-Alive
Other “flag”s seen
• flag:410maff <-- Ministry of Agriculture, Forestry and Fisheries
• flag:1223
• Flag:712mhi <-- Mitsubishi Heavy Industries
• Flag:727x
• Flag:8080
• Flag:84d
• flag:boat
• Flag:d2
• Flag:dick
• flag:jsexe
• flag:jyt
• Flag:m615
• flag:toray
• Flag:MARK 1
• flag:nec01 <-- NEC Corporation
• Flag:qqq
• flag:nids <-- National Institute for Defense Studies (nids.go.jp)
• flag:nsc516 <-- Nippon Steel Corp
• flag:ihi <-- IHI Corp
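As an added example (not part of the original deck and not FireEye's code), here is detection logic that recognises the Bisonal beacon User-Agent shown above, extracts the flag, hostname, IP and OS fields, maps the flag to the targets the slide identifies, and also matches the two C2 hostnames as plain indicators so that the second, innocuous-looking request is still caught. The proxy-log format and the sample lines are constructed for the example; the vm/proxy values, which did not survive extraction from the slide, are replaced by "?" placeholders.

```python
import re
from typing import Optional

# Field layout of the Bisonal beacon User-Agent as shown on the slide:
#   flag:<target>host:<hostname>IP:<ip> OS:<os> vm:<..> proxy:<..>
# The fields are concatenated without separators, so the pattern keys on
# the field labels and uses lazy matches between them.
BEACON_RE = re.compile(
    r"flag:(?P<flag>.+?)host:(?P<host>.+?)"
    r"IP:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*OS:(?P<os>\S+)"
    r"\s*vm:(?P<vm>\S*)\s*proxy:(?P<proxy>\S*)"
)

# Flags whose target the slide identifies; anything else is reported as "unknown".
KNOWN_FLAGS = {
    "410maff": "Ministry of Agriculture, Forestry and Fisheries",
    "712mhi": "Mitsubishi Heavy Industries",
    "nec01": "NEC Corporation",
    "nids": "National Institute for Defense Studies",
    "nsc516": "Nippon Steel Corp",
    "ihi": "IHI Corp",
}

# C2 hostnames taken from the two requests on the slide.
C2_DOMAINS = {"online.cleansite.us", "khi.acmetoy.com"}


def parse_bisonal_beacon(user_agent: str) -> Optional[dict]:
    """Return the beacon fields if the User-Agent is a Bisonal check-in, else None."""
    m = BEACON_RE.search(user_agent)
    if m is None:
        return None
    fields = m.groupdict()
    fields["target"] = KNOWN_FLAGS.get(fields["flag"].lower(), "unknown")
    return fields


# Proxy-log format assumed for this example (hypothetical, one request per line):
#   <timestamp> <client-ip> <method> <dst-host> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<dst>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log: the two requests from the slide plus one benign request.
SAMPLE_LOG = [
    '2012-09-28T09:12:01Z 10.0.0.43 GET online.cleansite.us /j/news.asp?id=* '
    '"flag:khihost:BusinessIP:10.0.0.43 OS:XPSP3 vm:? proxy:?"',
    '2012-09-28T09:12:04Z 10.0.0.43 GET khi.acmetoy.com /a.asp?id=* '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;.NET CLR 2.0.50727; '
    '.NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"',
    '2012-09-28T09:13:10Z 10.0.0.44 GET www.example.com /index.html '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4"',
]


def scan_log(lines):
    """Return one hit per suspicious request, tagged with the reason it was flagged."""
    hits = []
    for line in lines:
        lm = LOG_RE.match(line)
        if lm is None:
            continue  # unparsable line; production tooling should count these
        beacon = parse_bisonal_beacon(lm["ua"])
        if beacon is not None:
            hits.append({"reason": "beacon-ua", "client": lm["client"], "c2": lm["dst"], **beacon})
        elif lm["dst"].lower() in C2_DOMAINS:
            # The post-infection request carries a stock IE User-Agent, so only
            # the destination hostname gives it away.
            hits.append({"reason": "c2-domain", "client": lm["client"], "c2": lm["dst"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The beacon parser is the durable part: the domains rotate, but the field labels in the User-Agent are the malware's own protocol and survive infrastructure changes. Note that the slide does not name the target behind flag:khi, so the example reports it as "unknown" rather than guessing.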
Multi-Protocol, Real-Time VX Engine
PHASE 1: Multi-Protocol Object Capture
• Web MPS: aggressive capture, web object filter
• E-mail MPS: email attachments, URL analysis
PHASE 2: Virtual Execution Environments (mapped to the target OS and applications)
• Dynamic, real-time analysis: exploit detection, malware binary analysis, cross-matrix of OS/apps
• Reported: originating URL, subsequent URLs, OS modification report, C&C protocol descriptors
Thank You! FireEye - Modern Malware Protection System