The document discusses techniques used by attackers and defenders in the malware landscape. It covers topics like game theory in attacks and defenses, evasion techniques used by malware like polymorphism and code obfuscation, stealth methods, and persistence. It also outlines a multi-layered approach to detection and mitigation including behavioral monitoring across disk, memory, and kernel with analytics and machine learning to identify anomalies pre-and post-breach.

2. Computer Forensics
IR & Intrusion Forensics
Malware
Research
Malware Research
WHOAMI?

3. Game Theory
Attackers and defenders watch and
adapt to the opponents’ behavior to
improve their strategies in response to
the other’s behavior.
Technology
Defender
Attacker
Overlap is Defender
Advantage

4. Malicious Behaviors
This level of sophistication requires a proactive, multi-layer detection and mitigation
approach
Polymorphis
m
Stealth
Code
Obfuscation
Persistence
Evasion
Evade pattern matching detection
Prevents detection and takes longer to
analyze
Hiding execution traces
Ability to respawn
Environmental Awareness reaction

5. Attack Flow
Infiltration Entrenchment
Internal
Reconnaissanc
e
Exfiltration Purge
Perimeter
Reconnaissanc
e
Rapid Evolution

6. Malware Timeline
2013
2014
2015
Attacker
• Email Attachment downloads the
payload instead, runs in memory
• Browser Exploit – bypassing the
email payload
Example: Trojan.APT.BaneChant,
Trojan.APT.9002
Defender
• Static analysis on web browser
memory
• Tighter analysis on opened
browser sessions

7. Malware Timeline
2013
2014
2015
Defender
• Static analysis on open pages
• Beginning of cross-platform
detection for
Windows/Linux/OSX
Attacker
• Socially Engineered email with html links
to compromised sites
• The malicious website contains a number
of exploits
• Effective on Windows/Linux/OSX
Example: The Mask (Careto)

8. Malware Timeline
2013
2014
2015
Attacker
• More email campaigns that use
watering holes
• Utilizing public services for payload
downloads
Example: CozyDuke,CloudDuke
Defender
• Improve analysis of 3rd party
Services
• Strengthen cross-platform
detection

9. Why is Anti-Virus so obsolete?

10. Evade pattern matching detection
Polymorphism

11. Polymorphism
Upatre Downloader
http://binvis.io/#/
Sample
A
Sample
B

12. Upatre Downloader
Sample
A
Sample
B
Polymorphism

13. Stealth
Hiding execution traces

14. Stealth
Hiding execution traces
A
BProcess Injection
File Hiding
C Diskless Execution

15. Stealth
File Hiding
File Attributes
Process will
change the file’s
hidden attributes.
Compartmentalizati
onThe malicious
payload will
remain in
separate pieces
for a benign
controller to
execute.
File
ExtensionsProcess will
change the file
type associations
to turn a benign
file extension into
an executable
binary.
Steganograph
yMalicious
payloads reside in
images or other
binary files that
may appear as
benign to the
user.

16. GoodGuy.exe
Thread
Thread
Memory
Stealth
Process Injection
OpenProcess  VirtualAllocEx  WriteProcessMemory  ReadProcessMemory  CreateRemoteThread
BadGuyInjector.exe
Memory
Thread

17. Stealth
Diskless Execution
File System
GoodGuy Browser
Thread
Thread
Memory
BadGuy Code
Memory
Thread
Exploitation
GoodGuy
Website

18. Code Obfuscation
Prevents detection and takes longer to
analyze

19. Code Obfuscation
Dridex VBA
Downloader
Set obsCgkbrjo = WScript.CreateObject(yyTrankxt("ŸÕÿ‹∏†‹flfl◊–¥ "))
Set sDcqujpwd = CreateObject(yyTrankxt("·ƒÿfi«¡’‘ÍÿÊ¥ÿ‡Œ∏ñ÷‰Œ·—‹Ê»≈"))
If NOT (sDcqujpwd.FolderExists(yyTrankxt("Œ’‘∏“”⁄÷Â◊ΩΩ≠∑"))) Then
sDcqujpwd.CreateFolder(yyTrankxt("Œ’‘∏“”⁄÷Â◊ΩΩ≠∑"))
End If
If NOT (sDcqujpwd.FolderExists(yyTrankxt("‘ÏÁ«Ÿƒ–Í∆±Œ‘Ê÷⁄ø“ü∞")))
Then
sDcqujpwd.CreateFolder(yyTrankxt("‘ÏÁ«Ÿƒ–Í∆±Œ‘Ê÷⁄ø“ü∞"))
End If
sXtrIusxm = yyTrankxt("…‘ÿ‡Œ∏à‹◊◊‘–ƒ¡¨´")
sXtr2Iusxm = yyTrankxt("‡∆fl›´í’–ËË”√–üµ") & " (x86)"

20. Persistence
Ability to respawn

21. Persistence
Scheduled tasks Logon/WinlogonFile Classes Services/Drivers
Image File
Execution
ShellExecuteHooksAutoruns InprocServer32
Installed
Components
DLL
Load/Hijacking
Browser Plugins Boot Execution
RareCommon
SophisticatedSimple

22. Evasion
Environmental Awareness reaction

23. Evasion
NOP Functions
Looping of a
function that does
nothing important
to confuse the
analysis
Timeout/Sleeps
Process will wait
until a certain
time or outwait
VM analysis
Environmental Awareness
Process is able to identify
obstacles in the
environment and react
accordingly by removing
obstacles
User interaction
User interaction is
required to continue
execution
Encryption
Encryption of
code components
and traffic avoid
analysis
Dynamic C&C
Domain
Generation
Algorithm (DGA)
to avoid static
detection
Memory Only
Process will avoid
file system type
detection by only
running in
memory
Stolen Signing Certificates
Malware will use stolen
certs to sign their own
binaries and bypass AV
detection

24. 1. Accept that attacks will
adapt to changes in the
environment
2. Focus on the
anomaly rather than
the signature
Pre and Post Breach
Methodology

25. Polymorphis
m
Stealth
Code
Obfuscation
Persistence
Evasion
Mitigation & Multi-Layer Detection
Malicious Behaviors Mitigation
Provide Data Analytics and Machine Learning
Services to Identify, Detect, and Prevent
Dynamic Analysis and Data Science
Overcomes Anti-Analysis
Monitor All Layers Disk, Memory and Kernel
Analytics to Identify and Collect Anomalies
in Pre-Breach and Post-Breach context
Remaining Stealthy in the Environment to
Prevent Attacker Discovery

27. Thank You
amanda@endgame.com

28. Appendix

29. Malware Timeline
2009-2010
2011
Attacker
• Socially engineered emails
• Attachments wit Doc
exploits
• Attachments are
Compressed
• User Interaction required
Example: GhostNet
Defender
• Static analysis
• File extension
identification
• Decompression when
not password protected

30. Malware Timeline
2009-2010
2011-2012
Attacker
• Socially engineered emails
• HTML links to fake websites
• Search order hijacking
• Resilience gets more interesting
Example: ETSO APT, PushDo
Botnet
Defender
• Static analysis of
webpages
• Domain research
• Becomes harder to
catch