How to detect unknown viruses using “honey pots” and other technologies (David Girard & Anthony Arrott)

New variants must be detected extremely quickly, because they now appear at a rate of one every 1.5 seconds. We cannot rely solely on the submission of suspicious files by our customers or partners. We therefore had to develop a vast network of sensors (honey pots) and develop new ways of finding malware. We will discuss the different techniques and their effectiveness in the real world.

Embedded at: http://www.hackfest.ca, http://hackfest.ca

Presentation Transcript

    • Detecting Unknown Malware using Network Behavior Correlation
    • Correlation Technology
      • A network behavior correlation technology used to detect known and unknown malware.
      • Currently implemented in an out-of-band network sensor appliance called the “Threat Discovery Appliance”, which is bundled with a series of different service packages known collectively as “Threat Management Services”.
      • Adoption of this technology in other Trend Micro products is ongoing.
      Copyright 2007 - Trend Micro Inc. Paramount Q1 2008
    • Correlation Technology
    • How Do We Analyze Network Traffic?
      • Assemble packets into one stream
      • Extract embedded files & send to scanning engines
      • Extract embedded URLs and perform WRS check
      • Scan the traffic stream for exploits and network worms
      • Perform single-session correlation on the traffic stream
    • Protocol Support
      • We currently support over 40 protocols, using port-agnostic protocol detection to accurately identify protocols regardless of the port used.
      • Supported protocols (grouped on the slide as Network Services, Web Traffic, File Transfer, and Email and Messaging): DNS, HTTP, DCE-RPC, SSH, Telnet, AIM, RDP, IRC, VNC, FTP, SMTP, TFTP, POP3, SMB, Gmail, Yahoo Mail, Hotmail
    • What We Do
      • The Threat Analysis Group is a department of the Network Content Security Group and is responsible for the operations that utilize our correlation technology.
      • Over the years we have developed and improved upon several dedicated malware replication systems, also known as “sandboxes”. These systems are responsible for executing malware and logging all of their activities.
      • Early on, we processed current malware along with a few years' backlog of older samples. Analysis of this network traffic provided us with the data used to create a majority of our early ruleset. These rules are generic in nature and based upon the common behavior of different malware types.
      • Due to the volatile nature of malware, we determined that older samples were not worth our time any longer and now focus solely on brand new malware, utilizing various feeds of malware samples. Nowadays, the majority of our new rules focus on specific malware families.
    • What characteristics are we looking for: Downloaders
      • Packed / compressed executables
      • Names of downloaded files belong to system files (svchost.exe, winlogon.exe, lsass.exe)
      • File extension does not match expected file type (JPG extension but file is actually EXE)
      • Unique / unknown HTTP user-agents
    • What characteristics are we looking for: Spyware/Grayware
      • Unique / unknown HTTP user-agents
      • Names of downloaded files belong to trademarked/copyrighted spyware applications (Gain, Media Motor, Hotbar, SpySherrif)
    • What characteristics are we looking for: Backdoors
      • Rogue services: unauthorized SMTP and HTTP servers, opened ports
      • Loopback command shells: DOS shell visible in the network traffic
      • Non-standard service ports: HTTP traffic on a non-HTTP port
    • What characteristics are we looking for: Mass mailers
      • Attachments with long filenames (space padded)
      • File extensions do not match expected file type
      • File inside archive attachment contains a double extension
      • Packed files
      • Suspicious URLs in message body
    • What characteristics are we looking for: Bots
      • IRC traffic: bad NICKs, channel names, bot commands
      • Non-standard service ports, typically HTTP or IRC (e.g. IRC traffic on port 8080, the HTTP proxy port)
      • File transfers to blacklisted domains
    • Scenario: Corporate Network
      • Rule 8 - Packed executable file dropped on a network share (C$, Admin$)
      • Malware shown: WORM_AGOBOT, PE_LOOKED
    • Scenario: External Mail Server / Internet / Corporate Network / Internal Mail Server
      • Malware shown: WORM_NETSKY, WORM_MYTOB, WORM_AGOBOT
    • Scenario: IRC Server / Internet / Corporate Network
      • Rule 26 - IRC session established with a known bad C&C
      • Rule 7 - IRC BOT commands found
      • Malware shown: WORM_IRCBOT.EN
    • Scenario: Malicious Website / Internet / Corporate Network
      • Rule 88 - HTTP requests attempted to download known malware-used filenames
      • Malware shown: TROJ_DLOADER, TROJ_AGENT
    • Rule Descriptions: Monitored client is receiving email with phishing link (External)
      • Rule ID: 72
      • Scenario: SMTP server receives phishing emails. The email sender domain is in the list of commonly phished domains and the email contains an IP address. The email will trigger rule ID 72; direction is external.
      • Sender: customerservice@ebay.com
      • URL: http://70.88.210.45:81/ebay.com/index.html
    • Rule Descriptions: Monitored client is sending out phishing email (Internal)
      • Rule ID: 72
      • Scenario: Infected host is sending phishing emails. The email sender domain is in the list of commonly phished domains and the email contains an IP address. The email will trigger rule ID 72; direction is internal.
      • Sender: customerservice@ebay.com
      • URL: http://70.88.210.45:81/ebay.com/index.html
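The two rule 72 scenarios above as a small detector, added here as an illustration and not Trend Micro's code: the sender domain is checked against a short commonly-phished list (assumed; the slide names only ebay.com), the body is searched for a URL whose host is an IP address, and direction follows whether the submitting SMTP client sits inside an assumed 10.0.0.0/8 monitored range. The message is constructed from the sender and URL on the slide.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumptions for this example: a tiny "commonly phished domains" list (the slide
# only names ebay.com) and 10.0.0.0/8 as the monitored network.
COMMONLY_PHISHED = {"ebay.com", "paypal.com"}
MONITORED = ip_network("10.0.0.0/8")
# A URL whose host is a bare IPv4 literal, optionally with a port.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S*")

def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")

def rule_72(smtp_client_ip, raw_message):
    """Fire rule 72 when the sender domain is commonly phished AND the body carries an
    IP-address URL. Direction is 'internal' when the sending host is inside the
    monitored network (infected host spamming), 'external' when it is outside."""
    msg = message_from_string(raw_message)
    domain = msg.get("From", "").rsplit("@", 1)[-1].strip("<> ").lower()
    if domain not in COMMONLY_PHISHED:
        return None
    hit = IP_URL.search(body_text(msg))
    if not hit:
        return None
    direction = "internal" if ip_address(smtp_client_ip) in MONITORED else "external"
    return {"rule": 72, "direction": direction, "sender_domain": domain, "url": hit.group(0)}

# Constructed message using the sender and URL from the slide.
PHISH = ("From: customerservice@ebay.com\n"
         "To: victim@example.invalid\n"
         "Subject: Account verification\n\n"
         "Please confirm your details at http://70.88.210.45:81/ebay.com/index.html today.\n")
BENIGN = PHISH.replace("http://70.88.210.45:81/ebay.com/index.html", "https://www.ebay.com/")
```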
    • Rule Descriptions: Hacking attempt
      • Rule ID: 38 & 15
      • Fields of interest: username (not SMB)
      • This rule is triggered when a certain threshold of failed login attempts is reached. Below are the details of these thresholds per protocol.
      • For the SMB protocol, the possible attacker is the destination IP address.

        Protocol        Rule ID 38 (threshold trigger)   Rule ID 15 (threshold trigger)
        FTP             4x                               20x
        POP3            4x                               20x
        *Cisco Telnet   3x                               6x
        **SMB           12x                              18x

    • Rule Descriptions: Hacking attempt
      • Rule ID: 38 & 15
      • Scenario: Infected host brute-force attacks other hosts within the monitored network. There is a high number of failed login attempts on each attacked host (15 failed SMB logins, 21 failed SMB logins). The attacks will trigger rule IDs 38 & 15; direction is internal for both.
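Added example (not Trend Micro's code) of the threshold logic on the two slides above, run over constructed login events: the per-protocol thresholds are those in the table, SMB attribution follows the footnote (the possible attacker is the destination address), and 10.0.0.0/8 is assumed to be the monitored network when deciding internal versus external direction.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Thresholds from the slide: failed logins that fire rule 38 and rule 15 respectively.
THRESHOLDS = {"FTP": (4, 20), "POP3": (4, 20), "TELNET": (3, 6), "SMB": (12, 18)}
MONITORED = ip_network("10.0.0.0/8")  # assumed monitored corporate range

def attacker_of(proto, src, dst):
    # Slide footnote: for SMB the possible attacker is the destination address.
    return dst if proto == "SMB" else src

def correlate(events):
    """events: iterable of (proto, src_ip, dst_ip, login_ok).
    Returns (rule_id, proto, attacker_ip, direction) alerts in firing order;
    each rule fires once per attacker, exactly when its threshold is reached."""
    fails = defaultdict(int)
    alerts = []
    for proto, src, dst, login_ok in events:
        if login_ok or proto not in THRESHOLDS:
            continue
        key = (proto, attacker_of(proto, src, dst))
        fails[key] += 1
        for rule, threshold in zip((38, 15), THRESHOLDS[proto]):
            if fails[key] == threshold:
                direction = "internal" if ip_address(key[1]) in MONITORED else "external"
                alerts.append((rule, proto, key[1], direction))
    return alerts

# Constructed sample: the slide's scenario (15 and 21 failed SMB logins against two
# hosts) plus an external FTP brute force and a POP3 user who mistypes a password.
SAMPLE = (
    [("SMB", "10.0.0.5", "10.0.0.9", False)] * 15
    + [("SMB", "10.0.0.5", "10.0.0.10", False)] * 21
    + [("FTP", "203.0.113.7", "10.0.0.2", False)] * 4
    + [("POP3", "10.0.0.3", "10.0.0.4", False)] * 3
    + [("POP3", "10.0.0.3", "10.0.0.4", True)]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

The 15-failure host crosses only the rule 38 threshold, while the 21-failure host crosses both, which is why the slide reports both rule IDs for the scenario.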
    • Rule Descriptions: Monitored client is downloading a suspicious file
      • Rule ID: 66
      • Scenario: Host downloads an executable file from a web site. The web server reports the content type as image/gif. This event will trigger rule ID 66; direction is external.
      • HTTP response reports content type as image/gif, but the file is actually an executable.
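Added example (not the product's code) of the checks on the rule 66 slide and the earlier Downloaders slide, run over constructed HTTP captures: the body's leading bytes decide the real file type, which is then compared with both the declared Content-Type and the type the URL's extension implies. The magic-byte and extension tables are deliberately short and are assumptions of this example.

```python
import os
import re
from urllib.parse import urlparse

# File types this example recognises by magic bytes (a real engine knows many more).
MAGIC = [(b"MZ", "executable"), (b"GIF8", "image/gif"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"\x89PNG", "image/png"), (b"%PDF", "application/pdf")]
# What a URL extension leads the client to expect.
EXT_TYPES = {".exe": "executable", ".gif": "image/gif", ".jpg": "image/jpeg",
             ".jpeg": "image/jpeg", ".png": "image/png", ".pdf": "application/pdf"}

def sniff(body):
    """Classify a response body by its leading bytes, ignoring what anyone claims."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "unknown"

def check_download(url, raw_response):
    """Return findings for one HTTP response (headers and body as captured).
    Rule 66: the declared Content-Type disagrees with the real file type.
    Second check (Downloaders slide): the URL's extension promises one type
    but the payload is another, e.g. a .jpg that is really an EXE."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^content-type:\s*([^;\r\n]+)", head)
    declared = m.group(1).decode("ascii", "replace").strip().lower() if m else None
    actual = sniff(body)
    findings = []
    if actual == "unknown":
        return findings
    if declared and declared != actual:
        findings.append(f"rule 66: Content-Type says {declared} but body is {actual}")
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    expected = EXT_TYPES.get(ext)
    if expected and expected != actual:
        findings.append(f"extension {ext} implies {expected} but body is {actual}")
    return findings

# Constructed captures: a 'GIF' whose body is really a PE file (MZ header plus
# padding, not a real binary), and a genuine GIF for comparison.
PE_AS_GIF = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 64\r\n\r\n"
             b"MZ\x90\x00" + b"\x00" * 60)
REAL_GIF = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a\x01\x00\x01\x00"
```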
    • Rule Descriptions: Monitored client is using a protocol on a non-standard port
      • Rule ID: 33
      • Fields of interest: nickname, channelname
      • The Internet Relay Chat (IRC) protocol typically uses a port in the range 6665-6669. It is common for malicious IRC bots to use non-standard ports for their communication.
      • This rule is triggered when an incoming or outgoing connection is detected using the IRC protocol on a port outside of this range. There is still a chance this is legitimate IRC traffic, but more likely it is a “bot” communication.
    • Rule Descriptions: Monitored client has malware that is communicating with an external party
      • Rule ID: 33
      • Scenario: Infected host is communicating with an IRC C&C server using the IRC protocol, but on port 8080 instead of one of the standard ports in the range 6665-6669. This communication will trigger rule ID 33; direction is internal, but could just as well be external if the response was captured instead.
      • Port: 8080
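Added example (not Trend Micro's code) of rule 33 over constructed client bytes: the protocol is identified from content rather than port, the nickname and channelname fields of interest are extracted, and the rule fires only when the server port lies outside 6665-6669. The monitored range 10.0.0.0/8 and the short list of IRC commands accepted are assumptions of this example.

```python
import re
from ipaddress import ip_address, ip_network

IRC_PORTS = range(6665, 6670)          # the standard range named on the slide
MONITORED = ip_network("10.0.0.0/8")   # assumed monitored network
# A well-formed IRC client command line; the first lines of a session must all match.
IRC_LINE = re.compile(rb"^(?:PASS|NICK|USER|JOIN|PRIVMSG|MODE|PING|PONG)(?: [^\r\n]*)?\r\n$")

def irc_fields(payload):
    """Port-agnostic protocol check on the client's first bytes. Returns the
    (nickname, channelname) fields of interest, or None if this is not IRC."""
    lines = [l + b"\r\n" for l in payload.split(b"\r\n")[:3] if l]
    if len(lines) < 2 or not all(IRC_LINE.match(l) for l in lines):
        return None
    nick = re.search(rb"^NICK (\S+)", payload, re.M)
    chan = re.search(rb"^JOIN (\S+)", payload, re.M)
    return (nick.group(1).decode() if nick else None,
            chan.group(1).decode() if chan else None)

def rule_33(src_ip, dst_port, payload):
    """Fire when the stream is IRC but the server port is outside 6665-6669.
    Direction is 'internal' when the client sits in the monitored network."""
    fields = irc_fields(payload)
    if fields is None or dst_port in IRC_PORTS:
        return None
    direction = "internal" if ip_address(src_ip) in MONITORED else "external"
    return {"rule": 33, "port": dst_port, "direction": direction,
            "nickname": fields[0], "channelname": fields[1]}

# Constructed client-to-server bytes (not a real capture): a bot registering and
# joining its control channel over port 8080, and ordinary HTTP on the same port.
BOT_ON_8080 = b"NICK [US|XP]-491003\r\nUSER xp 0 * :xp\r\nJOIN #ctrl botpass\r\n"
HTTP_ON_8080 = b"GET / HTTP/1.1\r\nHost: proxy.example.invalid\r\n\r\n"
```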
    • Relevance Rules: How It Works (Zeus)
      • Group the packet captures of the same family
      • Create a profile based on similarities and differences
      • Create the Relevance Pattern!
    • Relevance Rules: Possible Relevance Rule for Hupigon
      • Samples (MD5): 5e3831266f8d68bc3713c35963a39f75, fbdc7c613fb23527929c18eb55fad5f0, 5e5c3e7cbc5ca7ecb48964494519068d, 46fd78ea03e2e8a6a07196f791fbb03c
      • Pattern: GET /*.txt HTTP/1.0\r\nUser-Agent: *\r\nHost: *\r\nPragma: no-cache\r\n
      • Note: * is a wildcard for any value
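Added example (not the product's rule engine) that turns the Hupigon pattern above into a matcher: each '*' becomes a wildcard that stays within one line, so one wildcard cannot swallow several headers, and constructed requests show a hit, a protocol-version mismatch and a missing Pragma header. The family name and the request samples are this example's own.

```python
import re

def compile_relevance(pattern):
    """Turn a relevance-rule pattern (slide syntax: '*' is a wildcard) into a regex.
    A wildcard spans anything except a line break, keeping it inside one line."""
    return re.compile(re.escape(pattern).replace(r"\*", r"[^\r\n]*"))

# Pattern exactly as on the Hupigon slide (the slide's 'rn' is a lost CRLF).
HUPIGON_RULE = compile_relevance(
    "GET /*.txt HTTP/1.0\r\nUser-Agent: *\r\nHost: *\r\nPragma: no-cache\r\n")

RULES = {"Hupigon": HUPIGON_RULE}

def classify(request):
    """Return the family whose relevance rule matches the start of the request, else None."""
    for family, rule in RULES.items():
        if rule.match(request):
            return family
    return None

# Constructed requests (not real captures).
HIT = ("GET /cfg/update.txt HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n"
       "Host: example.invalid\r\nPragma: no-cache\r\n\r\n")
MISS_VERSION = HIT.replace("HTTP/1.0", "HTTP/1.1")
MISS_HEADER = "GET /a.txt HTTP/1.0\r\nUser-Agent: x\r\nHost: h\r\nConnection: close\r\n\r\n"
```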
    • Relevance Rules
      • With the power and flexibility of the scripting language we use to create rules, we are able to perform calculations and bitwise operations in order to validate custom malware protocols such as the one used by the Palevo (Mariposa/Butterfly) bot.
    • Rule Correlation
      • We are limited to correlating only the data within a single session, and in a single direction. For example, we can correlate the data within an HTTP request or an HTTP response, but not between the two.
      • To address this issue, further correlation is performed in a separate process on the initial events generated.
      • With this approach, any type of correlation is possible, and the results are quite powerful. Reports are delivered that can pinpoint confirmed malware infections so the customer does not have to analyze logs and make his own determinations.
    • Our Threat Assessment Results
      • Despite having the most current industry-standard security technology…
      • 100% of companies had active malware
      • 72% of companies had one or more IRC bots
      • 56% of companies had information-stealing malware
      • 50% of companies had 4 or more IRC bots
      • 80% of companies had malware web downloads
      • 42% of companies had a network worm (1)
      • $6M = average total cost of a major data breach in 2008 (2)
      • (1) Based on 130 assessments worldwide at companies averaging over 7,484 employees, including representatives from the manufacturing, government, education, financial services, retail, and healthcare industries.
      • (2) Ponemon Institute
    • Detection Samples: Virut propagating via brute force login attempts and open shares
    • Detection Samples: IRC bot communicating with its C&C server
    • Detection Samples: Bot sending spam
    • Detection Samples: Drive-by download and downloaders
    • Detection Samples: Stuxnet!!
    • Thank You (11/8/2010)