Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Malware Behavior

Published byRebecca Black Modified over 6 years ago

Similar presentations

Presentation on theme: "Analyzing Malware Behavior"— Presentation transcript:

1 Analyzing Malware Behavior
The Secret to a More secure World

2 New malicious code is introduced into networks through Internet and insider threats daily.
Traditional anti-virus and host IDS can’t detect most new malware, especially new variants, polymorphic code, and malware residing only in memory or hiding using rootkits. This session will describe the 55,000 malware variants seen daily, explain why new cyberattack techniques are actually based on a small number of malware, and discuss how to analyze malware behavior, critical to protecting the enterprise.

3 Fact Malware is the single greatest threat to enterprise security today Existing security isn’t stopping it Over 80% of corporate intellectual property is stored online, digitally

4 Scale Over 100,000 malware are released daily
Signature-based security solutions simply can’t keep up More malware was released in the last year than all malware combined previous XXXX million unique samples in 2009

5 Economy Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine An entire industry has cropped up to support the theft of digital information with players in all aspects of the marketplace

6 Not an antivirus problem
Malware isn’t released until it bypasses all the AV products Testing against AV is part of the QA process AV doesn’t address the actual threat – the human who is targeting you AV has been shown as nearly useless in stopping the threat AV has been diminished to a regulatory checkbox – it’s not even managed by the security organization, it’s an IT problem

7 XXX Completely reactionary Fixation of the year
Attack will never be used again (TSA , airplane attacks) Past the vehicle, - get to technology and relationships

8 The True Threat Malware is a human issue
Bad guys are targeting your digital information, intellectual property, and personal identity Malware is a reflection of human intent Theft of Intellectual Property Business Intelligence for Competitive Advantage Identity Theft for Online Fraud

9 Staged reinfection server
Machine that gots the APT, in memory, on disk Infector machine in the same network, memory resident only Just re-infects the endnode This machine has no on-disk code

10 The human is continuous and evolving
If you detect a malware that is part of an targeted operation and you remove it from the computer, the risk has not been eliminated – the bad guys are still operating Tomorrow the bad guy will be back again You have not shut down the operation

11 Digital Fingerprints Several actors in the underground economy will leave digital fingerprints What is represented digitally Distribution system Exploitation capability Command and Control Payload (what does it do once its in)

12 Follow the Motive

13 XXX Criminal element (money) State sponsored (economic power)
Stealing of state secrets (intelligence & advantage) Info, eastern wartime / scada Info on people (not economic)

14 XXX Persona’s and mechanisms that are common to those persona
Persona - some kid in a basement, I wont have money, I will have to use open source, I cant even afford poison ivy Motive will drive persona

15 Economics of Malware The underground economy supporting espionage and fraud

16 State Sponsored Involvement
Using crimeware collected from the underground makes it harder to attribute the attack, since it looks like every other criminal attack - no custom code that can be fingerprinted China like to use poison ivy

17 Examples…

18 Affiliate Networks

19 CaaS Crimeware as a Service

20 XXX The exploiter of the end nodes, sets up the XSS or javascript injections to force redirects

21 Netmaster??? Pays for numbers of collected credentials
Owns the box that accepts inbound infection requests, pays out by ID ??

22 Affiliate Master??? Collect stolen identities and resell
Sets up exploited websites to cause redirection to exploit pack Accounting system for all successful infections

23 XXX Buy stolen creds from the collectors
Use stolen credentials to move money out of victim bank accounts These guys touch the victim accounts Use TOR / HackTOR, Use of botnet to redirect, etc. This part is audited, so …

24 Mules Accept stolen money into accounts in the native country of the subverted bank and redirect that money back out into foreign accounts These transactions must stay below XXtrigger levelsXX $5,000 or less

25 Wizards Move E-Gold into ATM accounts that can be withdrawn in the masters home country Will take a percentage of the money for himself ( %XX )

26 Developers Sell bot systems for four figures
$4,000 - $8,000 with complete C&C and SQL backend Sell advanced rootkits for low five figures Typically sold to a bot system developer who integrates into their bot package, $10,000 or more easily for this

27 Vuln Researchers Paid well into the five figures for a good, reliable exploit $20,000 or more for a dependable IE exploit on latest version

28 Forgers Make fake identities for mules
About 50 dollars per ID (brazil)

29 Digital Fingerprints Any development of a method for communication, infection, or operation Who sells it, when did that capability first emerge? Where is it sold, does that location have a social space? Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality

30 Link Analysis Each individual fingerprint, when viewed alone, may only identify the original developer of the software When all fingerprints are viewed together, a more complete picture forms about the ‘operation’ – who is running the operation that targets you

31 Difference between APT and Banking Malware
Banking malware targets stored digital identity and authentication tokens Bank transaction systems (internal, funds transfers) A lot of money is leaving the banks Manipulate trades on the markets Manipulate the digits on the trading boards

32 Stolen VPN concentrators (from banks)
Shipped to russia, insider

33 Chinese Cyber Blackwater
Citizen cyber soldiers Hackers being directed at specific targets & missions

34 Reverse Engineering Malware Fingerprints

35 Malware Distribution Systems
, Instant Message, and Exploited Web Boobytrapped documents Rogueware & trojan downloads Clientside exploits Injected javascript Command and Control server

36 Examples…

37 Trap Postings

38 Injected IFrames

39 Subverted Websites

40 Subverted Download Sites

41 Boobytrapped Documents

42 Rogueware

43 Exploit Packs…

44 Command and Control

45 Advanced Persistent Threat

46 Operational Analysis These info ops have a fingerprint
Bad guys have a specific way they write code They have specific targets in mind Stealing XLS or PDF files Preference for a particular bot framework These fingerprints will be specific to an operation

47 Operational Analysis Each individual fingerprint, when viewed alone, may only identify the original developer of the software When all fingerprints are viewed together, a more complete picture forms about the ‘operation’ – who is running the operation that targets you

48 Operational Analysis Do they pack their software
Do they rename DLL’s to hide in plain site? Which toolkit do they use Did they bypass the accounting department and go straight for the developers? What triggers a malware to wake up? How was the payload delivered? Spearphish attachment?

49 Attribution

50 Sharing and collaboration required for attribution
Various sources of data (TSA)

51 XXX Intent originted FROM CHINA Down to the individuals
Social networking, open source, etc.

52 Njinx web server

53 Using Threat Intelligence
Risk intelligence Lower the bar Accept that some amount of forensic work must be done What is there,

54 Problems Lack of govn. Intervention No consequences
Russia as a crime state

55 No Global Law Enforcement
No cooperation between LE in various countries, no sharing of information

56 Sluggish Response from Registrars
Takes a long time to bring down a domain

57

58

Download ppt "Analyzing Malware Behavior"

Similar presentations

HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.

HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.
Introduction and Overview of Digital Crime and Digital Terrorism

Introduction and Overview of Digital Crime and Digital Terrorism
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.

S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.

The development of Internet A cow was lost in Jan 14th If you know where it is, please contact with me. My QQ number is QQ is one of the.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
Security for Internet Every Day Use Standard Security Practices and New Threats.

Security for Internet Every Day Use Standard Security Practices and New Threats.
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
First Community Bank www.fcbnm.com Prevx Safe Online Rollout & Best Practice Presentation.

First Community Bank Prevx Safe Online Rollout & Best Practice Presentation.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Viruses.

Viruses.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Malware  Viruses  E-mail Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
Online Game Trojan SecurityLabs.websense.com Hermes Li.

Online Game Trojan SecurityLabs.websense.com Hermes Li.
CYBER CRIME.

CYBER CRIME.

Similar presentations

Ads by Google