The document discusses techniques used by attackers and defenders in the malware landscape. It covers game theory in attacks and defenses, evasion techniques used by malware such as polymorphism and code obfuscation, stealth methods, and persistence. It also outlines a multi-layered approach to detection and mitigation, including behavioral monitoring across disk, memory, and kernel with analytics and machine learning to identify anomalies pre- and post-breach.
3. Game Theory
Attackers and defenders watch and adapt to the opponents' behavior to improve their strategies in response to the other's behavior.
[Diagram: Technology, Defender, Attacker; the overlap is the defender advantage.]
4. Malicious Behaviors
This level of sophistication requires a proactive, multi-layer detection and mitigation approach.
Polymorphism: evades pattern-matching detection.
Stealth: hides execution traces.
Code Obfuscation: prevents detection and takes longer to analyze.
Persistence: ability to respawn.
Evasion: reaction based on environmental awareness.
6. Malware Timeline (2013, 2014, 2015)
Attacker
• Email attachment downloads the payload instead, runs in memory
• Browser exploit – bypassing the email payload
Example: Trojan.APT.BaneChant, Trojan.APT.9002
Defender
• Static analysis on web browser memory
• Tighter analysis on opened browser sessions
7. Malware Timeline (2013, 2014, 2015)
Defender
• Static analysis on open pages
• Beginning of cross-platform detection for Windows/Linux/OSX
Attacker
• Socially engineered email with HTML links to compromised sites
• The malicious website contains a number of exploits
• Effective on Windows/Linux/OSX
Example: The Mask (Careto)
8. Malware Timeline (2013, 2014, 2015)
Attacker
• More email campaigns that use watering holes
• Utilizing public services for payload downloads
Example: CozyDuke, CloudDuke
Defender
• Improve analysis of 3rd party services
• Strengthen cross-platform detection
15. Stealth
File Hiding
File Attributes: the process will change the file's hidden attributes.
Compartmentalization: the malicious payload will remain in separate pieces for a benign controller to execute.
File Extensions: the process will change the file type associations to turn a benign file extension into an executable binary.
Steganography: malicious payloads reside in images or other binary files that may appear benign to the user.
19. Code Obfuscation
Dridex VBA Downloader
' Dridex VBA downloader fragment: every string constant is passed through the decoder yyTrankxt(), so no readable object names or paths appear in the source
Set obsCgkbrjo = WScript.CreateObject(yyTrankxt("ŸÕÿ‹∏†‹flfl◊–¥ "))    ' first COM object; its name is only decoded at run time
Set sDcqujpwd = CreateObject(yyTrankxt("·ƒÿfi«¡’‘ÍÿÊ¥ÿ‡Œ∏ñ÷‰Œ·—‹Ê»≈"))    ' second object, used below for FolderExists/CreateFolder
If NOT (sDcqujpwd.FolderExists(yyTrankxt("Œ’‘∏“”⁄÷Â◊ΩΩ≠∑"))) Then    ' decoded path is checked and created if absent
sDcqujpwd.CreateFolder(yyTrankxt("Œ’‘∏“”⁄÷Â◊ΩΩ≠∑"))
End If
If NOT (sDcqujpwd.FolderExists(yyTrankxt("‘ÏÁ«Ÿƒ–Í∆±Œ‘Ê÷⁄ø“ü∞"))) Then    ' same check for a second decoded path
sDcqujpwd.CreateFolder(yyTrankxt("‘ÏÁ«Ÿƒ–Í∆±Œ‘Ê÷⁄ø“ü∞"))
End If
sXtrIusxm = yyTrankxt("…‘ÿ‡Œ∏à‹◊◊‘–ƒ¡¨´")    ' decoded string kept for later use
sXtr2Iusxm = yyTrankxt("‡∆fl›´í’–ËË”√–üµ") & " (x86)"    ' the plaintext suffix " (x86)" is the only readable hint about the decoded value
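An added example, not from the slides or from Dridex itself, of the defender-side check this slide motivates: a small Python scorer that flags VBA/VBScript source where object names are hidden behind a decoder function, the way yyTrankxt() wraps every constant above. Both macro samples are constructed, and the decoder name is reused from the slide only as a pattern to recognise; the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed samples (not the page's decoder or its real output): the first
# mirrors the shape of the Dridex fragment, the second is an ordinary macro.
OBFUSCATED = '''
Set obsCgkbrjo = WScript.CreateObject(yyTrankxt("ŸÕÿ‹∏†‹flfl◊–¥ "))
Set sDcqujpwd = CreateObject(yyTrankxt("·ƒÿfi«¡’‘ÍÿÊ¥ÿ‡Œ∏ñ÷‰Œ·—‹Ê»≈"))
If NOT (sDcqujpwd.FolderExists(yyTrankxt("Œ’‘∏“”⁄÷Â◊ΩΩ≠∑"))) Then
sDcqujpwd.CreateFolder(yyTrankxt("Œ’‘∏“”⁄÷Â◊ΩΩ≠∑"))
End If
sXtrIusxm = yyTrankxt("…‘ÿ‡Œ∏à‹◊◊‘–ƒ¡¨´")
'''
BENIGN = '''
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists("C:\\Reports") Then fso.CreateFolder("C:\\Reports")
'''

STRING_LIT = re.compile(r'"([^"]*)"')
# identifier("literal") : a function that takes a bare string literal
WRAPPED_LIT = re.compile(r'\b([A-Za-z_]\w*)\s*\(\s*"[^"]*"\s*\)')
# first argument of CreateObject/GetObject, up to the first closing paren
OBJ_CALL = re.compile(r'\b(?:Create|Get)Object\s*\(\s*([^)]*)', re.IGNORECASE)
# built-ins and common object methods that legitimately take a literal
KNOWN_CALLS = {"createobject", "getobject", "folderexists", "createfolder", "msgbox",
               "chr", "len", "mid", "left", "right", "replace", "split", "instr", "shell"}

def analyze_macro(src):
    """Return an obfuscation verdict for a VBA/VBScript macro body."""
    chars = "".join(STRING_LIT.findall(src))
    non_ascii = sum(ord(c) > 126 for c in chars) / len(chars) if chars else 0.0
    wrappers = Counter(n for n in WRAPPED_LIT.findall(src) if n.lower() not in KNOWN_CALLS)
    hidden = [a.strip() for a in OBJ_CALL.findall(src) if not a.strip().startswith('"')]
    score, findings, decoder = 0, [], None
    if hidden:  # object names computed at run time instead of written as literals
        score += 2
        findings.append(f"{len(hidden)} CreateObject/GetObject call(s) receive a computed name")
    if wrappers:  # one function wrapping most literals is the classic string decoder
        decoder, n = wrappers.most_common(1)[0]
        if n >= 3:
            score += 2
            findings.append(f"{n} string literals pass through the same wrapper {decoder}()")
    if non_ascii > 0.3:  # encoded constants rarely look like readable text
        score += 1
        findings.append(f"{non_ascii:.0%} of literal characters are outside printable ASCII")
    return {"score": score, "suspicious": score >= 3, "decoder": decoder, "findings": findings}

if __name__ == "__main__":
    for name, src in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, analyze_macro(src))
```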
23. Evasion
NOP Functions: looping of a function that does nothing important, to confuse the analysis.
Timeout/Sleeps: the process will wait until a certain time or outwait VM analysis.
Environmental Awareness: the process is able to identify obstacles in the environment and react accordingly by removing the obstacles.
User Interaction: user interaction is required to continue execution.
Encryption: encryption of code components and traffic avoids analysis.
Dynamic C&C: Domain Generation Algorithm (DGA) to avoid static detection.
Memory Only: the process will avoid file-system-type detection by only running in memory.
Stolen Signing Certificates: malware will use stolen certificates to sign its own binaries and bypass AV detection.
24. Pre and Post Breach Methodology
1. Accept that attacks will adapt to changes in the environment.
2. Focus on the anomaly rather than the signature.
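A further added example, not part of the deck: the Evasion slide's Dynamic C&C (DGA) entry and the "anomaly rather than the signature" principle above point at the same defender check, so this Python scores DNS query names for DGA-like randomness and flags a client that makes a burst of such lookups instead of matching any known domain. The resolver log lines are constructed, and the thresholds are assumptions, not published values.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (client, query name, response code); the
# random-looking names under 10.0.0.27 stand in for DGA output.
DNS_LOG = """\
10.0.0.12 www.example.com NOERROR
10.0.0.12 cdn.example.net NOERROR
10.0.0.27 xk3qvzt9pmwl.com NXDOMAIN
10.0.0.27 bq7lwzrhfd2x.net NXDOMAIN
10.0.0.27 zv9tkqmx4pwc.com NXDOMAIN
10.0.0.27 rtg8xqzkwplm.info NXDOMAIN
10.0.0.27 jwqzx7tklmvp.org NOERROR
10.0.0.31 mail.example.org NOERROR
"""

def shannon_entropy(text):
    """Bits per character of the text's character distribution."""
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def label_score(domain):
    """Heuristic 0-4 DGA score for the label below the TLD (thresholds are assumptions)."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if not label:
        return 0
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    # each True adds one point: high entropy, few vowels, digits mixed in, long label
    return ((shannon_entropy(label) > 3.0) + (vowel_ratio < 0.25)
            + (digit_ratio > 0.1) + (len(label) >= 10))

def find_dga_hosts(log, min_score=3, min_hits=3):
    """Group DGA-looking lookups per client; a burst is the anomaly to alert on,
    and NXDOMAIN answers (generated names nobody registered) strengthen the signal."""
    per_client = defaultdict(lambda: {"lookups": 0, "nxdomain": 0, "names": []})
    for line in log.splitlines():
        client, qname, rcode = line.split()
        if label_score(qname) >= min_score:
            stats = per_client[client]
            stats["lookups"] += 1
            stats["nxdomain"] += rcode == "NXDOMAIN"
            stats["names"].append(qname)
    return {c: s for c, s in per_client.items() if s["lookups"] >= min_hits}

if __name__ == "__main__":
    for client, stats in find_dga_hosts(DNS_LOG).items():
        print(client, stats)
```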
25. Mitigation & Multi-Layer Detection
Malicious Behaviors: Polymorphism, Stealth, Code Obfuscation, Persistence, Evasion
Mitigation:
• Provide data analytics and machine learning services to identify, detect, and prevent
• Dynamic analysis and data science overcome anti-analysis
• Monitor all layers: disk, memory and kernel
• Analytics to identify and collect anomalies in pre-breach and post-breach context
• Remaining stealthy in the environment to prevent attacker discovery
29. Malware Timeline (2009-2010, 2011)
Attacker
• Socially engineered emails
• Attachments with Doc exploits
• Attachments are compressed
• User interaction required
Example: GhostNet
Defender
• Static analysis
• File extension identification
• Decompression when not password protected
30. Malware Timeline (2009-2010, 2011-2012)
Attacker
• Socially engineered emails
• HTML links to fake websites
• Search order hijacking
• Resilience gets more interesting
Example: ETSO APT, PushDo Botnet
Defender
• Static analysis of webpages
• Domain research
• Becomes harder to catch
Editor's Notes
Its variants usually arrive on systems as malicious files attached to spammed messages, or as a link to a malicious website hosting the malware itself. UPATRE malware, upon installation, will download and execute additional malware on the affected system. Some of the malware downloaded by UPATRE are ZEUS, CRILOCK, DYREZA and ROVNIX variants. Such malware severely compromises the security of the systems it affects and, in CRILOCK's case, renders them useless due to its file-encrypting routines. New variants of UPATRE are now capable of stealing system information such as the affected system's computer name and operating system.
Plugx
APT 9002
Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.