Enhancing Malware Detection

Presentation transcript:

Enhancing Malware Detection
Doug Cooke, Director, Sales Engineering Canada
September 19, 2018

Malware Evolution
Eras: Early Days; Financially Motivated; Targeted Attacks
Milestones on the slide: Aurora, Conficker; Spy, Adware; Autorun worms; Web 2.0 attacks; Obfuscation; StuxNet, Shamoon; Poly patching; Trojans; Hacktivism; Email worms; File infectors, macro viruses; Floppy disk attacks
Years on the axis: 1992-3, 1998, 2002, 2005, 2008, 2010, 2012, Future

Time to React
(Same malware evolution timeline, eras and milestones as the Malware Evolution slide.)

Case Study: What is Project Blitzkrieg?
• Code name for a McAfee Labs project monitoring an attack against the North American banking community
• RSA identified the malware as belonging to the Gozi family and labeled it Prinimalka
• Man-in-the-middle attack targeting banking customers; the banks' security measures could not detect or prevent it
• Incorporates "web injects": code injected into the browser based on the URL being visited
• Campaign of attacks started in spring 2012; activity with new variants continued into 2013
Questions for this case: How can we monitor these attack campaigns? How quickly can we identify Patient Zero and stop propagation?

Four Phases of an Attack

Phase 1, First Contact: Physical Access; Unsolicited Message; Malicious Website; Network Access
Phase 2, Local Execution: Exploit; Social Engineering; Configuration Error
Phase 3, Establish Presence: Download Malware; Escalate Privilege; Persist on System; Self-Preservation
Phase 4, Malicious Activity: Propagation; Bot Activities; Adware & Scareware; Identity & Financial Fraud; Tampering

Speaker notes:

At McAfee, our years of experience and worldwide research teams continually analyze the threat landscape. In this presentation, we will share some research showing the four phases of every malicious attack and how you can protect yourself and your business.

• First, malware needs a way to come into contact with unsuspecting users. Second, it uses a diversity of ways to enter your system and begins to write files to disk and modify your system. Third, it uses several means to hide from detection before it even begins its dirty work of stealing personal information or scaring you into buying useless security software. It is not until the fourth phase that it really starts its unscrupulous business.

• First, let's look at the first phase of how modern threats operate: how the attacker first crosses paths with its victim. The most common form of first contact is via a malicious web site. The web continues to be a dangerous place for the uninformed and unprotected. Websites can become malicious on purpose or by infection and host malware, potentially unwanted programs, or phishing sites. In 2011, McAfee Labs recorded an average of 6,500 new bad sites per day; in one quarter that figure shot up to 9,300. We also noticed that about one in every 400 URLs we attempted to load was malicious; some days that number was one in every 200 URLs. Protecting users from these sites is essential and is actually the least expensive way to maintain a secure environment. Other important methods of first contact include physical access, such as the thumb drives used by Advanced Persistent Threats (APTs), unsolicited messages from social media sites, and network access from misconfigured or unsecured wireless networks.

• Phase 2 covers the ways the attacker gets code running for the first time on the target machine. The vast majority of the time the code will exploit one or more of the thousands of vulnerabilities in common, legitimate applications or in the operating system itself. If the malware can take down or otherwise subvert the protections in existing software, it can write its code to disk and move on to phase three.

• In phase 3, the goal is to persist the malicious code on the system so that it can survive reboot, stay hidden from security measures and hide itself from the user. The code can hide itself in known good processes, block access to security software updates, disable the Windows Task Manager, Windows Safe Mode, System Restore, the firewall and Microsoft Security Center, and change browser security settings. Rootkits and other advanced attacks have been particularly difficult to stop because they often load prior to the operating system, effectively hiding from security software.

• Finally, in phase 4, we get to the real reason for the malware, its "business logic": what the attacker wants to accomplish. This could be stealing identities or passwords, bank fraud, forcing the purchase of fake antivirus software, stealing intellectual property, or selling bot network services.

Phase captions on the slide:
• First Contact: how the attacker first crosses paths with the target.
• Local Execution: how the attacker gets code running for the first time on the target machine.
• Establish Presence: how the attacker persists code on the system, to survive reboot, stay hidden, and hide from the user and from security software.
• Malicious Activity: the business logic, what the attacker wants to accomplish: steal passwords, bank fraud, purchase of fake AV.

Four Phases of an Attack, Example: Fake AV
(Same four-phase diagram and speaker notes as the preceding slide.)

Phase Protection Methods

Phases: First Contact; Local Execution; Establish Presence; Malicious Activity
Protection technologies shown on the slide: Website Filtering; File Scanning; On Access Scanning; Write Blocking; Endpoint Health; Rootkit Prevention; Physical File Transfer; Firewall; Buffer Overflow Prevention; Behavioral Prevention; Web Filtering; Email; Whitelisting; Change Protection

Speaker notes:

Let's take a look at protection technologies and where they are effective.

• In phase one, effective tools are those that limit or block first contact with a victim. For the majority of today's threats these are host- or network-based web filtering products. For protection against physical compromise, such as with APTs, device control is needed. Host-based NAC products can ensure that only "healthy" endpoints are allowed to connect to a network. Even host-based firewalls can protect against misconfigured network security or the unsecured internet connections that roaming users might find.

• In phase two, the job gets harder, especially when trying to stop previously unknown threats from exploiting new or recent vulnerabilities. Typical here is some type of buffer overflow attack, which requires memory protection or system call interception techniques to watch for the overflow. Also required is scanning of memory and network traffic upon access, sometimes called on-access scanning. Relatively new are file whitelisting or application control products, which use a "deny by default" approach so that only known files or applications can be installed.

• In phase three, traditional AV has played the strongest role by scanning the disk for known malicious files. This method has the advantage of being very deterministic in detecting and cleaning all areas of the file system and operating system, but remediation costs are higher. New technologies like McAfee's Deep Defender protect against attacks prior to the OS loading, providing new protections for this critical threat. Deep Defender uses McAfee DeepSAFE technology to operate beyond the OS and is the first solution to provide real-time kernel memory protection to stop zero-day threats before they have a chance to hide.

• What is interesting about these four phases is that each security technology usually has a narrow role to play in disrupting malware. It also shows that traditional antivirus techniques stop malware very late in the infection process, usually after software has been written to disk.

• In phase four, change control techniques like whitelisting and access protection rules can prevent malicious software from changing known good application files, preventing the execution of many activities. Also, host-based firewalls can prevent connections to known malicious bot networks and limit the loss of sensitive data.

Note: encryption and DLP are not shown here for clarity's sake, but when to use them is more straightforward.

Evolution of Content: Time to Protect
Content: Reactive Signatures (Early Days)
Time to protect: months, then days, then hours
Years on the axis: 1992-3, 1998, 2002, 2005, 2008, 2010, 2012, Future (eras: Early Days; Financially Motivated; Targeted Attacks)

Evolution of Content
Content: Reactive Signatures, then Signatures + Cloud Reputation
Years on the axis: 1992-3, 1998, 2002, 2005, 2008, 2010, 2011, Future (eras: Early Days; Financially Motivated; Targeted Attacks)

Cloud Based Reputation
Reputation data: File; Mail; IP; Domain; Geo Location
Consumers of reputation: Malicious Code protection (Anti-Malware, Anti-Spyware, Whitelisting); Mobility Protection (Anti-Malware); Servers; Network IPS; Mail Gateway; Web Gateway
Query types: IP and Domain Reputation Queries; Hashed File Look Ups
Sources of queries: Internet; Network; ATMs; Mobile Devices; Workstations
Time to Protect: Minutes!

Evolution of Content
Content: Reactive Signatures, then Signatures + Cloud Reputation, then Signatures + Cloud Reputation + Telemetry
Years on the axis: 1992-3, 1998, 2002, 2005, 2008, 2010, 2011, Future (eras: Early Days; Financially Motivated; Targeted Attacks)

US Campaign (victims) – Oct 1st – Nov 30th, 2012

Distribution of C&C Servers

Adding Context to the Content
• Leverage a 100M+ consumer base plus opt-in enterprises
• Enhanced scanning engines collect further data during scanning activities:
  – hash of the malware file and the originating IP
  – file paths, processes, features of the file, etc.
  – upload of the suspicious file
• Enhanced scanning drivers allow specific data to be pulled from specific types of malware:
  – e.g. Blitzkrieg: establish cloud-based data for financial institutions (FIs) to monitor attacking IPs
  – e.g. SpyEye: pull institution-specific data from its JavaScript
• The enriched data introduces the opportunity for greater analysis and correlation of the collected data
• Expose this data to customers through a service offering
• Goal: access to zero-day attacks as quickly as possible
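As an added example (not from the presentation and not McAfee code), the correlation this slide and the Blitzkrieg case study call for, run over a constructed telemetry feed: each record carries the file hash, originating IP, path and writing process, and the functions find Patient Zero for a hash, rank the originating IPs an institution would monitor, and summarize which hashes are spreading across endpoints. Host names, hashes, paths and IPs are constructed placeholders.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Telemetry:
    ts: datetime    # when the endpoint scanner observed the file
    host: str       # reporting endpoint (constructed name)
    sha256: str     # file hash reported by the scanner (placeholder here)
    origin_ip: str  # IP the file was downloaded from
    path: str       # on-disk path the file was written to
    process: str    # process that wrote the file

# Constructed sample feed: placeholder hashes, documentation-range IPs.
SAMPLE = [
    Telemetry(datetime(2012, 10, 1, 9, 5), "ws-017", "hash-A", "203.0.113.10",
              r"C:\Users\a\AppData\Local\Temp\upd.exe", "iexplore.exe"),
    Telemetry(datetime(2012, 10, 1, 9, 42), "ws-102", "hash-A", "203.0.113.10",
              r"C:\Users\b\AppData\Local\Temp\upd.exe", "iexplore.exe"),
    Telemetry(datetime(2012, 10, 2, 14, 0), "ws-233", "hash-A", "198.51.100.7",
              r"C:\Users\c\AppData\Local\Temp\upd.exe", "firefox.exe"),
    Telemetry(datetime(2012, 10, 3, 8, 30), "ws-040", "hash-B", "203.0.113.10",
              r"C:\ProgramData\svc\svc.exe", "upd.exe"),
    Telemetry(datetime(2012, 10, 1, 8, 0), "ws-005", "hash-C", "192.0.2.44",
              r"C:\Program Files\Vendor\setup.exe", "explorer.exe"),
]

def patient_zero(records, sha256):
    """Earliest sighting of a hash: the first host to isolate and examine."""
    hits = [r for r in records if r.sha256 == sha256]
    return min(hits, key=lambda r: r.ts) if hits else None

def attacking_ips(records, sha256):
    """Originating IPs for a hash, most victims first: the list an FI would monitor."""
    counts = Counter(r.origin_ip for r in records if r.sha256 == sha256)
    return [ip for ip, _ in counts.most_common()]

def campaign_summary(records, min_hosts=2):
    """Hashes seen on at least min_hosts endpoints, with spread, origins and writers."""
    # One hash on many hosts from a shared origin IP in a short window is the
    # correlation signal the enriched telemetry exists for; one-off files are skipped.
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r.sha256].append(r)
    summary = {}
    for h, rs in by_hash.items():
        hosts = {r.host for r in rs}
        if len(hosts) < min_hosts:
            continue
        rs.sort(key=lambda r: r.ts)
        summary[h] = {
            "hosts": len(hosts),
            "first_seen": rs[0].ts,
            "spread_hours": (rs[-1].ts - rs[0].ts).total_seconds() / 3600,
            "origin_ips": attacking_ips(rs, h),
            "processes": sorted({r.process for r in rs}),
        }
    return summary
```

In the constructed feed, hash-B is written by upd.exe, the file name hash-A landed under; chaining the writing process of one record to the path of another is how a second-stage payload is tied back to the same campaign.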

Getting Out in Front!

Summary
(Speaker note: will use these talking points for the previous slide.)
• The malware community will continue to find creative approaches to wreak havoc across the computing community.
• New technologies (whitelisting, etc.) will help, but the opportunity still exists to leverage more sophisticated detection capabilities.
• Pulling contextual information from active systems will enhance the effectiveness of cloud-based reputation databases.