Enhancing Malware Detection

Presentation on theme: "Enhancing Malware Detection"— Presentation transcript:

1 Enhancing Malware Detection
Doug Cooke Director, Sales Engineering Canada September 19, 2018

2 Malware Evolution
Timeline figure, 1992-3 through 2012 and beyond, divided into three eras: Early Days, Financially Motivated, Targeted Attacks. Milestones shown: floppy disk attacks; file infectors and macro viruses; poly patching; Trojans; worms; spy and adware; autorun worms; Web 2.0 attacks; obfuscation; hacktivism; Aurora and Conficker; Stuxnet and Shamoon.

3 Time to React
Figure: "Time to React" overlaid on the same malware-evolution timeline (1992-3 through 2012 and beyond; Early Days, Financially Motivated, Targeted Attacks, with the same milestones as slide 2).

4 Case Study: What is Project Blitzkrieg?
• Code name for a McAfee Labs project monitoring an attack against the NA banking community.
• RAS identified the malware as belonging to the Gozi family and labeled it Prinimalka.
• Man-in-the-middle attack targeting banking customers; banks' security measures could not detect or prevent it.
• Incorporates "web injects" – code injected into the browser based on the URL being visited.
• The campaign of attacks started in spring 2012; continued activity with new variants carried on into 2013.
How can we monitor these attack campaigns? How quickly can we identify Patient Zero and stop propagation?

5 Four Phases of an Attack
Diagram: First Contact (physical access, unsolicited message, malicious website, network access); Local Execution (exploit, social engineering, configuration error); Establish Presence (download malware, escalate privilege, persist on system, self-preservation); Malicious Activity (propagation, bot activities, adware and scareware, identity and financial fraud, tampering).

At McAfee, our years of experience and worldwide research teams continually analyze the threat landscape. In this presentation, we will share some research showing the four phases of every malicious attack and how you can protect yourself and your business.
• First, malware needs a way to come in contact with unsuspecting users. Second, it then uses a diversity of ways to enter your system and begin to write files to disk and modify your system. Third, it uses several means to hide from detection before it even begins its dirty work of stealing personal information or scaring you into buying useless security software. It's not until the fourth phase that it really starts its unscrupulous business.
• First, let's look at the first phase of how modern threats operate: how the attacker first crosses paths with the victim. The most common form of first contact is via a malicious website. The web continues to be a dangerous place for the uninformed and unprotected. Websites can become malicious on purpose or by infection and host malware, potentially unwanted programs, or phishing sites. In 2011, McAfee Labs recorded an average of 6,500 new bad sites per day; in one quarter that figure shot up to 9,300. We also noticed that about one in every 400 URLs we attempted to load was malicious; some days that number was one in every 200 URLs! Protecting users from these sites becomes essential to protection and actually offers the least expensive way to maintain a secure environment.
Other important methods include physical access, such as thumb drives used by Advanced Persistent Threats (APTs), unsolicited messages from social media sites, and network access from misconfigured or unsecured wireless networks.
• Phase 2 is the ways the attacker gets code running for the first time on the target machine. The vast majority of the time the code will exploit one or more of the thousands of vulnerabilities in common, legitimate applications or in the operating system itself. If the malware can take down or otherwise subvert the protections in existing software, it can write its code to disk and move on to phase three.
• In phase 3, the goal is to persist the malicious code on the system so that it can survive reboot, stay hidden from security measures, and hide itself from the user. The code can hide itself in known good processes, block access to security software updates, disable the Windows Task Manager, Windows Safe Mode, System Restore, the Firewall and Microsoft Security Center, and change browser security settings. Rootkits and other advanced attacks have been particularly difficult to stop, as they will many times load prior to the operating system, effectively hiding from security software.
• And finally in phase 4, we get to the real reason for the malware, its "business logic": what the attacker wants to accomplish. This could be stealing identities or passwords, bank fraud, forcing the purchase of fake antivirus software, stealing intellectual property, or selling bot network services.
Phase captions: First Contact – how the attacker first crosses paths with the target. Local Execution – how the attacker gets code running for the first time on the target machine. Establish Presence – how the attacker persists code on the system to survive reboot and stay hidden from the user and from security software. Malicious Activity – the business logic, what the attacker wants to accomplish: steal passwords, bank fraud, purchase of fake AV.

6 Four Phases of an Attack
Example: Fake AV, walked through on the same four-phase diagram as slide 5 (First Contact, Local Execution, Establish Presence, Malicious Activity); the speaker notes are the same as for slide 5.

7 Phase Protection Methods
Diagram: protection technologies placed along the four phases (First Contact, Local Execution, Establish Presence, Malicious Activity): website filtering, physical file transfer control, firewall, endpoint health, file scanning, on-access scanning, write blocking, rootkit prevention, buffer overflow prevention, behavioral prevention, web filtering, whitelisting, change protection.

Let's take a look at protection technologies and where they are effective. In phase one, effective tools are those that limit or block first contact with a victim. These include host- or network-based web filtering products for the majority of today's threats. For protection against physical compromise, such as with APTs, device control is needed. Host-based NAC products can ensure that only "healthy" endpoints are allowed to connect to a network. Even host-based firewalls can protect against misconfigured network security or unsecured internet connections like those roaming users might find. In phase two, the job gets harder, especially when trying to stop previously unknown threats from exploiting new or recent vulnerabilities. Typical here is some type of buffer overflow attack, which requires memory protection or system call interception techniques to watch for it. Also required is scanning memory and network traffic upon access, sometimes called on-access scanning. Relatively new are file whitelisting or application control products, which use a "deny by default" approach so that only known files or applications can be installed. In phase three, traditional AV has played the strongest role by scanning the disk for known malicious files. This method has the advantage of being very deterministic in detecting and cleaning all areas of the file and operating system, but remediation costs are higher. New technologies like McAfee's Deep Defender protect against attacks before the OS loads, providing new protection for this critical threat. Deep Defender uses McAfee DeepSAFE technology to operate beyond the OS and is the first solution to provide real-time kernel memory protection to stop zero-day threats before they have a chance to hide.
What is interesting about these four phases is that the various security technologies usually have a narrow role to play in disrupting malware. It also shows that traditional antivirus techniques stop malware very late in the infection process, usually after software has been written to disk. In phase four, change control techniques like whitelisting and access protection rules can prevent malicious software from changing known good application files, preventing the execution of many activities. Also, host-based firewalls can prevent connections to known malicious bot networks and limit the loss of sensitive data. Note: encryption and DLP are not shown here for clarity's sake, but when to use them is more straightforward.

8 Evolution of Content
Figure: "Time to Protect" for reactive signatures, on a scale of months, days and hours, across the same timeline (1992-3 through 2012 and beyond; Early Days, Financially Motivated, Targeted Attacks).

9 Evolution of Content
Figure: reactive signatures, then signatures plus cloud reputation, across the same timeline (1992-3 through 2011 and beyond; Early Days, Financially Motivated, Targeted Attacks).

10 Cloud Based Reputation
Diagram: reputation queries (file, mail, IP, domain, geo-location) flow over the Internet from endpoints (workstations, ATMs, mobile devices, servers) and gateways (network IPS, mail gateway, web gateway) to the reputation cloud as IP and domain reputation queries and hashed file look-ups. Endpoint products shown: malicious-code protection (anti-malware, anti-spyware, whitelisting) and mobility protection (anti-malware). Time to Protect – minutes!

11 Evolution of Content
Figure: reactive signatures, then signatures plus cloud reputation, then signatures plus cloud reputation plus telemetry, across the same timeline (1992-3 through 2011 and beyond; Early Days, Financially Motivated, Targeted Attacks).

12 US Campaign (victims) – Oct 1st – Nov 30th, 2012

13 Distribution of C&C Servers

14 Adding Context to the Content
• Leverage the 100M+ consumer base plus opt-in enterprises.
• Enhanced scanning engines collect further data during scanning activities:
  – hash of the malware file and originating IP
  – file paths, processes, features of the file, etc.
  – upload of the suspicious file
• Enhanced scanning drivers allow specific data to be pulled from specific types of malware:
  – e.g. Blitzkrieg – establish cloud-based data for FIs to monitor attacking IPs
  – e.g. SpyEye – pull institution-specific data from its JavaScripts
• The enriched data introduces the opportunity for greater analysis and correlation of the collected data.
• Expose this data to customers through a service offering.
Access to Zero Day Attacks as Quickly as Possible
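The Patient Zero question from slide 4 and the telemetry correlation described on slide 14, worked through as an added example (not McAfee's code or anything from the presentation): constructed telemetry records carrying each suspicious file's hash, path, parent process and originating IP are grouped by hash, checked against a constructed reputation cache, and used to find the first reporting host and to escalate unknown files that several hosts pulled from the same origin. TELEMETRY, REPUTATION and correlate are assumed names.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed telemetry (sample data, not from any real system): one record per
# suspicious file an enhanced scanning engine reported, with the context the
# slide lists (file path, parent process, originating IP). "content" stands in
# for the uploaded file bytes so the hash can be computed locally.
TELEMETRY = [
    {"host": "ws-104", "ts": "2012-10-02T08:05:00", "src_ip": "203.0.113.9",
     "process": "iexplore.exe", "path": r"C:\Users\amy\AppData\Local\Temp\upd.exe", "content": b"sample-A"},
    {"host": "ws-017", "ts": "2012-10-01T17:42:00", "src_ip": "203.0.113.9",
     "process": "iexplore.exe", "path": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "content": b"sample-A"},
    {"host": "ws-233", "ts": "2012-10-02T11:30:00", "src_ip": "203.0.113.9",
     "process": "firefox.exe", "path": r"C:\Users\cy\Downloads\inv.exe", "content": b"sample-A"},
    {"host": "ws-104", "ts": "2012-10-02T08:06:00", "src_ip": "198.51.100.5",
     "process": "explorer.exe", "path": r"C:\Program Files\Vendor\tool.exe", "content": b"sample-B"},
]

# Constructed reputation cache: the cloud's verdict for hashes it already knows.
REPUTATION = {hashlib.sha256(b"sample-B").hexdigest(): "clean"}


def file_hash(content: bytes) -> str:
    """SHA-256 of the file bytes: the key used for hashed file look-ups."""
    return hashlib.sha256(content).hexdigest()


def correlate(records, min_hosts=2):
    """Group telemetry by file hash and derive campaign context per hash.

    Returns {hash: {...}} with the cloud verdict, the first-seen host (patient
    zero), the affected hosts and originating IPs, and an escalation flag: an
    unknown hash that several hosts pulled from one originating IP is sent for
    analysis instead of waiting for a reactive signature.
    """
    groups = defaultdict(list)
    for r in records:
        groups[file_hash(r["content"])].append(r)
    out = {}
    for h, rs in groups.items():
        rs.sort(key=lambda r: datetime.fromisoformat(r["ts"]))  # earliest first
        hosts = sorted({r["host"] for r in rs})
        ips = sorted({r["src_ip"] for r in rs})
        verdict = REPUTATION.get(h, "unknown")
        out[h] = {"verdict": verdict, "patient_zero": rs[0]["host"],
                  "first_seen": rs[0]["ts"], "hosts": hosts, "origin_ips": ips,
                  "escalate": verdict == "unknown" and len(hosts) >= min_hosts and len(ips) == 1}
    return out
```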

15 Getting Out in Front!

16 Summary (will use these talking points for the previous slide)
The malware community will continue to find creative approaches to wreak havoc across the computing community. New technologies (whitelisting, etc.) will help, but the opportunity still exists to leverage more sophisticated detection capabilities. Pulling contextual information from active systems will enhance the effectiveness of cloud-based reputation databases.
