Your SlideShare is downloading. ×
0
SESSION ID:
MALWARE UNDER THE HOOD
KEEPING YOUR
INTELLECTUAL PROPERTY SAFE
ANF-F01
Marion Marschalek Mike Kendzierski
Malw...
#RSAC
#RSAC
BIG GOALS - ARE YOU MALWARED?
 Provide Insight
 Demonstrate
 Conclude
Back At You: Questionnaire
3
#RSAC
4
NO WE ARE NOT
#RSAC
REAL HACKERS.
5
#RSAC
CALL TO ACTION
6
 Think and adapt as the bad guys do
 Better tools to identify and attribute malware
 Use threat ...
#RSAC
YOUR TRADE SECRETS
7
ECONOMIC
SHORTCUTS
#RSAC
Cultural
9
NOT ALL
CULTURES VALUE
INTELLECTUAL
PROPERTY
#RSAC
11
85% OF BREACHES
involve the use of
MALICIOUS SOFTWARE
#RSAC
WORLD has become scarier in 2014
12
http://www.websense.com/assets/reports/websense-2013-threat-report.pdf
http://ww...
#RSAC
WORLD has become scarier in 2014
13
 The number of malicious websites grew nearly 600%
 85% of these sites on legi...
#RSAC
YESTERDAY
 FOCUSED
 SIMPLE
 PREDICTABLE
 EASY DETECTION
#RSAC
#RSAC
 COMPLEX
 STEALTHY
 HIGHLY
SOPHISTICATED
 ENOUGH SAID!
TODAY
#RSAC
#RSAC
mass malware
for the masses
SOPHISTICATED
MALWARE
FOR THE BIG
FISH
#RSAC
17
/səˈfistiˌkātid/ adjective
“If you can’t explain it
simply, you don’t
understand it well
enough”
- Albert Einstei...
UNDER
THE
HOOD
#RSAC
ATTACK
INSIGHTS
19
LURE
EXPLOIT
INFECT
CALL
HOME
STEAL
DATA
THE MALWARE KILL CHAIN
have measures in place to
disrupt...
#RSAC
INFECTION VECTORS
20
 Social Engineering
 Web Drive-By
 E-Mail
 Spear Phishing
 Waterholing Attacks
 Old Schoo...
#RSAC
21
MALWARE
CORE
MODULES CATCH ME
IF YOU CAN
PROTECTION
PERSISTANCE
STEALTH
PROPAGATION
COMMUNI-
CATION
ACTION
#RSAC
22
ANALYSIS
BOOTCAMP
#RSAC
HANDS ON
#RSAC
Google Aided Reversing
From Amazon With Malware
The Big Evil In Small Pieces
#RSAC
#1 GOOGLE RESPONDED MY INCIDENT
 Malwared Hard Disk:
Trojan.Win32.Skynet & Java CVE-2012-4681
1. String search in m...
#RSAC
#2 WOLF IN
SHEEP OUTFIT
25
WOLF
20KB of Wolf
#RSAC
v
26
ProcDOT
Processes &
Threads
Domains &
IP Addresses
Files &
Registry Keys
#RSAC
27
#RSAC
#3 THE BIG EVIL IN SMALL PIECES
 Google didn’t prove helpful this time.
 Dynamic Analysis didn’t give any useful i...
#RSAC
#3 THE BIG EVIL IN SMALL PIECES
 Anti-Analysis
 Multi-Threaded
 File Infector
 Timing Defence – C++ – Virtual Fu...
#RSAC
30
#3 THE BIG EVIL IN SMALL PIECES
 Clearly targeted
 Complex software
 Author had good understanding
of AV inter...
#RSAC
31
#3 THE BIG EVIL IN SMALL PIECES
#RSAC
#3 THE BIG EVIL IN SMALL PIECES
 Domain Name
 IP-Address
 E-Mail Address
 Name, for what its worth
 Geo Locatio...
LESSONS
LEARNED
#RSAC
RE-Tool #1: google.com
Online Analysis Tools
Virtual Machine / Sandbox
SysInternals Toolsuite
Wireshark
RunAlyzer
ID...
#RSAC
35
Accept culturally different viewpoints on IP
Acquire the right skills
Adapt just like the bad guys do
IN A
NUTSHE...
SESSION ID:
MALWARE UNDER THE HOOD
KEEPING YOUR IP SAFE
ANF-F01
THANK
YOU!
Marion Marschalek Mike Kendzierski
Malware Anal...
#RSAC
RESOURCES
 http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/ – Target
Data Breach Dec. 2...
#RSAC
RESOURCES
 http://0x1338.blogspot.co.at – write-up of case study #2
 https://docs.google.com/file/d/0B5hBKwgSgYFaV...
BACK AT YOU:
QUESTIONNAIRE
39
#RSAC
YOUR INTELLECTUAL PROPERTY
1. Have you identified your Intellectual
Property & data classification strategy?
2. Do y...
#RSAC
MOBILE DEVICES
4. Do you have measures in place to monitor
access to your company data from outside
your company net...
#RSAC
WEB & E-MAIL SECURITY
6. Do you have security measures that secure
every link in the malware infection kill-chain?
7...
#RSAC
INFRASTRUCTURE
8. Do you have data encryption in place
where it is needed? And even there where
you don’t yet think ...
#RSAC
ALL COMES DOWN TO THE PEOPLE
10. Are your employees trained on what personal
or company related information to keep
...
Upcoming SlideShare
Loading in...5
×

Fighting malware - keeping your Intellectual Property safe

845

Published on

Protect your IP, now...

Published in: Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
845
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Fighting malware - keeping your Intellectual Property safe"

  1. 1. SESSION ID: MALWARE UNDER THE HOOD KEEPING YOUR INTELLECTUAL PROPERTY SAFE ANF-F01 Marion Marschalek Mike Kendzierski Malware Analyst IKARUS @pinkflawd Technology Researcher SHOSHN Ventures
  2. 2. #RSAC
  3. 3. #RSAC BIG GOALS - ARE YOU MALWARED?  Provide Insight  Demonstrate  Conclude Back At You: Questionnaire 3
  4. 4. #RSAC 4 NO WE ARE NOT
  5. 5. #RSAC REAL HACKERS. 5
  6. 6. #RSAC CALL TO ACTION 6  Think and adapt as the bad guys do  Better tools to identify and attribute malware  Use threat intelligence  Win the war – not the battle
  7. 7. #RSAC YOUR TRADE SECRETS 7
  8. 8. ECONOMIC SHORTCUTS
  9. 9. #RSAC Cultural 9 NOT ALL CULTURES VALUE INTELLECTUAL PROPERTY
  10. 10. #RSAC 11 85% OF BREACHES involve the use of MALICIOUS SOFTWARE
  11. 11. #RSAC WORLD has become scarier in 2014 12 http://www.websense.com/assets/reports/websense-2013-threat-report.pdf http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf  The number of malicious websites grew nearly 600%  85% of these sites on legitimate hosts  Social media is increasingly used for spreading of malware  Attacks become more targetted  Growth of mobile malware of nearly 800% in 2013  Malware adapts to the host it is infecting
  12. 12. #RSAC WORLD has become scarier in 2014 13  The number of malicious websites grew nearly 600%  85% of these sites on legitimate hosts  Social media is increasingly used for spreading of malware  Attacks become more targetted  Growth of mobile malware of nearly 800% in 2013  Malware adapts to the host it is infecting http://www.websense.com/assets/reports/websense-2013-threat-report.pdf http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf ARE YOU PREPARED? with the right skills holistic security solutions
  13. 13. #RSAC YESTERDAY  FOCUSED  SIMPLE  PREDICTABLE  EASY DETECTION #RSAC
  14. 14. #RSAC  COMPLEX  STEALTHY  HIGHLY SOPHISTICATED  ENOUGH SAID! TODAY #RSAC
  15. 15. #RSAC mass malware for the masses SOPHISTICATED MALWARE FOR THE BIG FISH
  16. 16. #RSAC 17 /səˈfistiˌkātid/ adjective “If you can’t explain it simply, you don’t understand it well enough” - Albert Einstein SOPHISTICATED #RSAC
  17. 17. UNDER THE HOOD
  18. 18. #RSAC ATTACK INSIGHTS 19 LURE EXPLOIT INFECT CALL HOME STEAL DATA THE MALWARE KILL CHAIN have measures in place to disrupt any of these links
  19. 19. #RSAC INFECTION VECTORS 20  Social Engineering  Web Drive-By  E-Mail  Spear Phishing  Waterholing Attacks  Old School Hacking Understanding is the first crucial step towards protection!
  20. 20. #RSAC 21 MALWARE CORE MODULES CATCH ME IF YOU CAN PROTECTION PERSISTANCE STEALTH PROPAGATION COMMUNI- CATION ACTION
  21. 21. #RSAC 22 ANALYSIS BOOTCAMP
  22. 22. #RSAC HANDS ON #RSAC Google Aided Reversing From Amazon With Malware The Big Evil In Small Pieces
  23. 23. #RSAC #1 GOOGLE RESPONDED MY INCIDENT  Malwared Hard Disk: Trojan.Win32.Skynet & Java CVE-2012-4681 1. String search in memory at runtime 2. Let Google do the rest… 3. Hit at blogpost from rapid7 with FULL ANALYSIS 24
  24. 24. #RSAC #2 WOLF IN SHEEP OUTFIT 25 WOLF 20KB of Wolf
  25. 25. #RSAC v 26 ProcDOT Processes & Threads Domains & IP Addresses Files & Registry Keys
  26. 26. #RSAC 27
  27. 27. #RSAC #3 THE BIG EVIL IN SMALL PIECES  Google didn’t prove helpful this time.  Dynamic Analysis didn’t give any useful insight.  Reverse Engineering proved to be painful. It is never possible to entirely prevent reversing. - “REVERSING Secrets of Reverse Engineering” by Eldad Eilam
  28. 28. #RSAC #3 THE BIG EVIL IN SMALL PIECES  Anti-Analysis  Multi-Threaded  File Infector  Timing Defence – C++ – Virtual Function Calls – Junk Code – Headache
  29. 29. #RSAC 30 #3 THE BIG EVIL IN SMALL PIECES  Clearly targeted  Complex software  Author had good understanding of AV internals  Related to other malware
  30. 30. #RSAC 31 #3 THE BIG EVIL IN SMALL PIECES
  31. 31. #RSAC #3 THE BIG EVIL IN SMALL PIECES  Domain Name  IP-Address  E-Mail Address  Name, for what its worth  Geo Location  Related Malware 32  Infection Mechanism  Stealth Mechanism  Communication Protocol  Data Compression  Hint which Data was stolen KEY FINDINGS
  32. 32. LESSONS LEARNED
  33. 33. #RSAC RE-Tool #1: google.com Online Analysis Tools Virtual Machine / Sandbox SysInternals Toolsuite Wireshark RunAlyzer IDA Pro / OllyDebug Step 1 Gather Information Step 2 Use this Information to gather more Information Step 3 Build the BIG PICTURE
  34. 34. #RSAC 35 Accept culturally different viewpoints on IP Acquire the right skills Adapt just like the bad guys do IN A NUTSHELL
  35. 35. SESSION ID: MALWARE UNDER THE HOOD KEEPING YOUR IP SAFE ANF-F01 THANK YOU! Marion Marschalek Mike Kendzierski Malware Analyst IKARUS @pinkflawd Technology Researcher SHOSHN Ventures
  36. 36. #RSAC RESOURCES  http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/ – Target Data Breach Dec. 2013  http://www.washingtonpost.com/business/technology/hackers-break-into-washington- post-servers/2013/12/18/dff8c362-682c-11 – Washington Post Hack Dec. 2013  http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report- 2014.pdf – Sophos Threat Report 2014  http://www.websense.com/assets/reports/websense-2013-threat-report.pdf – Websense Threat Report 2013  http://www.microsoft.com/security/sir/story/default.aspx?_escaped_fragment_=10year_ malware#!10year_malware – Malware Evolution, MMPC 37
  37. 37. #RSAC RESOURCES  http://0x1338.blogspot.co.at – write-up of case study #2  https://docs.google.com/file/d/0B5hBKwgSgYFaVmxTaFk3OXl4cjg/edit?usp=sharing – analysis report of case study #3  https://malwr.com/ – online malware analysis platform running cuckoo sandbox  http://anubis.iseclab.org/ – online malware analysis platform  http://zeltser.com/reverse-malware/ – link to SANS course and list of tools  http://technet.microsoft.com/de-de/sysinternals/bb545021.aspx - Sysinternals Tools 38
  38. 38. BACK AT YOU: QUESTIONNAIRE 39
  39. 39. #RSAC YOUR INTELLECTUAL PROPERTY 1. Have you identified your Intellectual Property & data classification strategy? 2. Do you know exactly where it resides? 3. Do you know what systems and individuals access it?
  40. 40. #RSAC MOBILE DEVICES 4. Do you have measures in place to monitor access to your company data from outside your company network? 5. Do you still have control over your companies mobile devices, even when they get lost/stolen? 41
  41. 41. #RSAC WEB & E-MAIL SECURITY 6. Do you have security measures that secure every link in the malware infection kill-chain? 7. Do your security systems incorporate intelligence data to identify compromised web links in real-time? 42
  42. 42. #RSAC INFRASTRUCTURE 8. Do you have data encryption in place where it is needed? And even there where you don’t yet think it is necessary? 9. Is your system’s documentation safe? 43
  43. 43. #RSAC ALL COMES DOWN TO THE PEOPLE 10. Are your employees trained on what personal or company related information to keep confidential? 11. Do you have someone on your team who knows how to react in case of a malware incident? 12. Does he know how to analyze malware? 44
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×