Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Malware Behavior

Published byReynard Roberts Modified over 6 years ago

Similar presentations

Presentation on theme: "Analyzing Malware Behavior"— Presentation transcript:

1 Analyzing Malware Behavior
The Secret to a More secure World

2 Fact Malware is the single greatest threat to enterprise security today Existing security isn’t stopping it Over 80% of corporate intellectual property is stored online, digitally

3 Scale Over 100,000 malware are released daily
Automated malware infrastructure Signature-based security solutions simply can’t keep up The peculiar thing about signatures is that they are strongly coupled to an individual malware sample More malware was released in the last year than all malware combined previous XXXX million unique samples in 2009

4 Economy Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine An entire industry has cropped up to support the theft of digital information with players in all aspects of the marketplace

5 Espionage Nation states are actively targeting one another
China gets the most press, because they get caught the most Corporations participate in industrial espionage as well TODO, reference some recent incidents

6 Not an antivirus problem
Malware isn’t released until it bypasses all the AV products Testing against AV is part of the QA process AV doesn’t address the actual threat – the human who is targeting you AV has been shown as nearly useless in stopping the threat AV has been diminished to a regulatory checkbox – it’s not even managed by the security organization, it’s an IT problem

7 The True Threat Malware is a human issue
Bad guys are targeting your digital information, intellectual property, and personal identity Malware is only a vehicle for intent Theft of Intellectual Property Business Intelligence for Competitive Advantage Identity Theft for Online Fraud

8 The human is continuous and evolving
If you detect a malware that is part of an targeted operation and you remove it from the computer, the risk has not been eliminated – the bad guys are still operating Tomorrow the bad guy will be back again You have not shut down the operation Remember hot staging modules

9 Anatomy of an Operation
You must understand that an ongoing operation is underway – this involves one or more primary actors, and potentially many secondary actors TODO elaborate on this, diagram?

10 Example Operation Bad Guy is using (SE) whalephishing to gain a foothold into a specific physical network Bad Guy is using SE to track dissidents TODO add example of outlook guid attack

11 Risk Intelligence

12 Risk Intelligence Who is targeting you? What are they after?
Have they succeeded? How long have they been succeeding? What have I lost so far? What can I do to counter their methods? Are there legal actions I can take?

13 Risk Intelligence (II)
Requires that you combine many small facts into a big picture More information means better analysis I refer to specific attackers as “threats” – information regarding a specific attack is called “threat intelligence”

14 Threat Intelligence within Enterprise
Locations where threat intel can be gathered Endpoint, physical memory snapshot Multiple endpoints will be involved, need to view them as a group Endpoint, live-state forensics, ongoing monitoring Message Archives Netflow / Packet Archives

15 Threat Intelligence External to Enterprise
Locations where intel can be gathered Dropsite where IP is being dropped Command and Control Server Designed to survive takedowns Hot staged failovers likely Exploit Pack Server Large Traffic Gateways Possible subscriptions to various intel feeds available Cooperation likely

16 Attribution Challenges
Lack of gov. intervention No consequences Russia is a crime state China turns a blind eye

17 Attribution Challenges
Lack of global LE cooperation No sharing of data ICANN and Registrar slow to respond to takedown requests A lot of good data is classified and not available for commercial consumption

18 Primary – what is the target?
What is being targeted IP, identity, logins to google? File searches for source code? XLS documents? Who C-level execs? Developers? Falun Gong?

19 Primary – Who is running to op?
Country of origin Is the bot designed for use by certain nationality Geolocation of IP is NOT a strong indicator However, there are notable examples Is the IP in a network that is very unlikely to have a third-party proxy installed? For example, it lies within a government installation

20 C&C servers C&C servers are not usually designed to proxy route through infected end-nodes The IP geolocation is more useful in this case Netblock lookups are a decent starting point If the C&C leads to a broadband consumer network in the US, this is more likely to be an exploited machine that performs proxy routing – IP geolocation is not useful It may be possible to get LE or the broadband provider to help ‘trace back’ in this case (multihop will become a problem)

21 Forensic Marks left by Actors
Forensic marks occur at all points where software development occurs They also occur in less obvious places All points where binary is translated into new forms (parsed, packed, packaged, etc) These forensic marks may identify the original developer of the software Obviously, only certain actors leave marks

22 The Global Theatre of Malware Actors
Follow the Money, Follow the Motive

23 A Global Theatre There are thousands of actors involved in the theft of information, from technology developers to money launderers Over the last decade, an underground economy has grown to support espionage and fraud This “malware ecosystem” supports both Crimeware and e-Espionage

24 Payment system developer
$500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $ per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10%

25 Cash is not the only motive
State sponsored (economic power) Stealing of state secrets (intelligence & advantage) Stealing of IP (competitive / strategic advantage – longer term) Infrastructure & SCADA (wartime strike capable) Info on people (not economic) i.e., Chinese dissidents

26 TODO – image of nation states that have cyber capabilities
Not as much detail available on this

27 TODO – image of nation states that use malware to spy on their own citizens, both domestic and abroad China ref: GhostNET Ref: openNET

28 Crimeware and the State
Using crimeware collected from the underground makes it harder to attribute the attack, since it looks like every other criminal attack There is no custom code that can be fingerprinted

29 Chinese Cyber Blackwater
Citizen cyber soldiers Hackers being directed at specific targets & missions by the government Because this model does not have much structure and oversight, Chinese attacks are somewhat sloppy No use of cutouts – direct C&C to China Use of poorly coded bot systems (i.e., GhostNET)

30 Crimeware Affiliate Networks
Grown out of older adware business models TODO – some more focused research on current c.a.n.’s

31 Pay-per-install.org

32 InstallsCash Pays per 1000 infections
*

33 YA!Bucks 75% profit share Bi-weekly payouts
*

34 Earning4u Pays per 1,000 infections
*

35 CaaS TODO: Crimeware as a Service

36 Fingerprinting Actors within the Theatre

37 Digital Fingerprints Several actors in the underground economy will leave digital fingerprints What is represented digitally Distribution system Exploitation capability Command and Control Payload (what does it do once its in)

38 Same malware compiled in three different ways
DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader MD5 Checksums all different Code idioms remains consistent

39 In-memory analysis tends to defeat packers
IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader In-memory analysis tends to defeat packers Starting Malware Packed Malware Unpacked portions remains consistent

40 Toolkits and developer signatures can be detected
IN MEMORY IMAGE OS Loader Toolkits and developer signatures can be detected Malware Tookit Different Malware Authors Using Same Toolkit Toolkit Marks Detected Packed

41 Language Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality Be aware some technologies have multiple language support

42 Actor: Endpoint Exploiter
Endpoint Exploiters $ per 1000 infections The exploiter of the end nodes, sets up the XSS or javascript injections to force redirects Newcomers can learns various attack methods from their PPI affiliate site (mini-training) These are generally recruited hackers from forums (social space) The malware will have an affiliate ID “somesite.com/something?aflid=23857  look for potential ID’s – this ID’s the individual endpoint exploiter

43 Link Analysis URL artifact Unique Affiliate ID’s Codenamed Botmaster
C&C Fingerprint Endpoints Link Analysis

44 Actor: Bot Master Owns the box that accepts inbound infection requests, pays out by ID Pays for numbers of collected credentials Collect stolen identities and resell Accounting system for all successful infections Pay-per-infection business model This implies a social space Configuration settings on server will be reflected in client infections (additional resolution to differentiate multiple actors using the same bot technology) Version of bot system offers more resolution, and potential indicator of when it was stood up The Bot Master will have a preference for a particular bot control system – can be softlinked to this actor

45 Actor: Account Buyer Buy stolen creds from the collectors
Use stolen credentials to move money out of victim bank accounts These guys touch the victim accounts Source IP of transaction, Use of TOR / HackTOR, Use of botnet to redirect, etc. This part is audited in your network logs, so … Multiple attacks by the same person are likely to be cross-referenced Not a very strong fingerprint

46 Actor: Mules & Cashiers
Accept stolen money into accounts in the native country of the subverted bank and redirect that money back out into foreign accounts These transactions must stay below trigger levels $5,000 or less These actors do not leave forensic marks on the malware chain Banking records only

47 Actor: Wizards Move E-Gold into ATM accounts that can be withdrawn in the masters home country Will take a percentage of the money for himself This actor does not leave a forensic mark on the malware chain Banking records typically don’t even work here, as the transaction has already been processed thru e-Gold

48 Actor: Developers Sell bot systems for four figures
$4,000 - $8,000 with complete C&C and SQL backend Sell advanced rootkits for low five figures Possibly integrated into a bot system Possibly used as a custom extension to a bot, integrated by a botmaster, $10,000 or more easily for this All of this development is strongly fingerprinted in the malware chain

49 The developer != operator
The developer may not have any relation to those who operate the malware The operation is what’s important We need to form a complete picture of the ‘operation’ – who is running the operation that targets you and what their intent is

50 Link Analysis We want to find a connection here C&C Fingerprint
Botmaster URL artifact Affiliate ID Developer Protocol Fingerprint Endpoints Developer C&C products Link Analysis

51 Softlinking into the Social Space
Where is it sold, does that location have a social space? If it has a social space, then this can be targeted Forum, IRC, instant messaging Using link-analysis, softlink can be created between the developer of a malware product and anyone else in the social space Slightly harder link if the two have communicated directly If someone asks for tech support, indicates they have purchased If someone queries price, etc, then possibly they have purchased

52 Link Analysis Software Author Software Author Social Space

53 Working back the timeline
Who sells it, when did that capability first emerge? Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces Requires budget for acquisition of emerging malware products

54 Software Author Social Space i.e., Technical Support Query made AFTER version 1.4 Release Use of timeline to differentiate links Link Analysis

55 Actor: Vuln Researchers
Paid well into the five figures for a good, reliable exploit $20,000 or more for a dependable IE exploit on latest version Injection vector & activation point can be fingerprinted Method for heap grooming, etc Delivery vehicle

56 Fingerprinting Malware Distribution Systems

57 Malware Distribution Systems
, Instant Message, and Exploited Web Boobytrapped documents Rogueware & trojan downloads Clientside exploits Injected javascript Command and Control server

58 Freed Memory (endpoint)
Freed memory will still contain evidence Blocks of obfuscated javascript that can be tied to specific exploit packs (redirectors) Leftover HTML remnants of subverted websites URL paths to the exploit server itself These are key to identification TODO: put a few examples here

59 Spearphishes Email archives may contain boobytrapped documents
These can be detonated with a deep tracer attached (packet sniffer at a minimum, REcon if you’re really hard core, CW sandbox & Norman also options)

60 Detonate & Trace Getting the exploit to detonate allows you to observe the secondary download step Malware payload will be sent to you, command and control IP will be established, communication with exploit server and C&C can be sniffed

61 Boobytrapped Documents
This is the current trend NOT COMPLETE

62 Spear-phishing / Whaling
Single most effective attack today Focused attacks Human is involved in crafting the text .DOC Tell stories about Penny

63 Social Networking Space
Joe Social Networking Space Injected Javascript credentials X:URL POST RBN NOT COMPLETE

64 Trap Postings TODO

65 Injected IFrames TODO

66 Subverted Websites TODO

67 Subverted Download Sites
TODO

68 Rogueware 35 million computers infected every month with rogueware*
Many victims pay for these programs, $50-$70, and stats show bad guys are making upwards of $34 million dollars a month with this scam* Many are fake anti-virus scanners *

69 WinAntivirusPro

70 SaveKeep

71 Exploit Packs… No skill needed, buy and use auto-exploiter systems
Highly effective These types of systems are extremely dangerous Consider that Islamic Terrorists, who until now haven’t had strong technical abilities in cyber, can now just buy an attack kit for $1000

72 Eleonore (exploit pack)

73 Tornado (exploit pack)

74 Neosploit (exploit pack)

75 Napoleon (exploit pack)

76 Siberia (exploit pack)
Note: a different version of Napoleon

77 Advanced Pack (exploit pack)

78 Fingerprinting Command and Control

79 TODO: Njinx web server

80 IRC C&C IRC control channel for a DDOS botnet
Most of the C&C has moved to the web.

81 Triad (botnet)

82 ZeuS (botnet)

83

84 Fragus (botnet)

85 Fingerprinting Malware Implants

86 TODO: be sure to mention server-side polymorphism

87 Social Networking Space
Joe Social Networking Space Steve’s BLOG Fred X:URL RBN NOT COMPLETE POST

88 NOT COMPLETE Joe Fred BIGCHEMICAL, INC. Outlook Email Password
Generic stored passwords NOT COMPLETE

89 Drop-point is in Reston, VA in the AOL netblock
NOT COMPLETE

90 All the file types that are exfiltrated
NOT COMPLETE

91 NOT COMPLETE $ RBN Joe Fred BIGCHEMICAL, INC. Covert Channel
SOURCE COMPUTER USERNAME VICTIM IP ADMIN? How big? How many systems per day? HD SERIAL NUMBER OS VERSION TIMESTAMP DIRECTORY WHERE FILE WAS FOUND NOT COMPLETE FILE (COMPRESSED)

92 NOT COMPLETE Legit HTTP $ “AdClick” ?? Some Webpage Internet Explorer
Fred INJECTED CODE $ Completely effective at exfiltrating data without detection “AdClick” ?? NOT COMPLETE

93 Staged reinfection server
Machine that gots the APT, in memory, on disk Infector machine in the same network, memory resident only Just re-infects the endnode This machine has no on-disk code

94 Poison Ivy (implant)

95 CRUM (protector)

96 Advanced Persistent Threat

97 Difference between APT and Banking Malware
Banking malware targets stored digital identity and authentication tokens Bank transaction systems (internal, funds transfers) A lot of money is leaving the banks Manipulate trades on the markets Manipulate the digits on the trading boards

98 Polymer Materials Group
Joe BIGCHEMICAL, INC. Fulfillment Fred BadGuy Polymer Materials Group Sally Bob Adam Waits for Fred to be AFK NOT COMPLETE

99 Polymer Materials Group
Joe RBN Fred BIGCHEMICAL, INC. Polymer Materials Group Sally Bob Adam Priceless $ NOT COMPLETE

100 APT Operational Analysis
These info ops have a fingerprint Bad guys have a specific way they write code They have specific targets in mind Stealing XLS or PDF files Preference for a particular bot framework These fingerprints will be specific to an operation

101 APT Operational Analysis
Each individual fingerprint, when viewed alone, may only identify the original developer of the software When all fingerprints are viewed together, a more complete picture forms about the ‘operation’ – who is running the operation that targets you

102 APT Operational Analysis
Do they pack their software Do they rename DLL’s to hide in plain site? Which toolkit do they use Did they bypass the accounting department and go straight for the developers? What triggers a malware to wake up? How was the payload delivered? Spearphish attachment?

103 Conclusions

104

105

Download ppt "Analyzing Malware Behavior"

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
ECE-6612 Prof. John A. Copeland 404 894-5177 Advanced Persistent Threat Material.

ECE Prof. John A. Copeland Advanced Persistent Threat Material.
The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.

The development of Internet A cow was lost in Jan 14th If you know where it is, please contact with me. My QQ number is QQ is one of the.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
First Community Bank www.fcbnm.com Prevx Safe Online Rollout & Best Practice Presentation.

First Community Bank Prevx Safe Online Rollout & Best Practice Presentation.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Confidential On-line Banking Risks & Countermeasures By Vishal Salvi – CISO HDFC Bank IBA Banking Security Summit 2009.

Confidential On-line Banking Risks & Countermeasures By Vishal Salvi – CISO HDFC Bank IBA Banking Security Summit 2009.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Online Game Trojan SecurityLabs.websense.com Hermes Li.

Online Game Trojan SecurityLabs.websense.com Hermes Li.
XP New Perspectives on Browser and E-mail Basics Tutorial 1 1 Browser and E-mail Basics Tutorial 1.

XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
Electronic Commerce & Marketing. What is E-Commerce? Business communications and transactions over networks and through computers, specifically –The buying.

Electronic Commerce & Marketing. What is E-Commerce? Business communications and transactions over networks and through computers, specifically –The buying.
Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title,

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title,
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.

Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.

2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Similar presentations

Ads by Google