Your SlideShare is downloading. ×
Chronicles of Malwares and Detection Systems_SecurityXploded_Meet_june14
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Chronicles of Malwares and Detection Systems_SecurityXploded_Meet_june14


Published on

Presented by Amit in our quarterly system security meet. visit: for more information.

Presented by Amit in our quarterly system security meet. visit: for more information.

Published in: Technology, Business

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Chronicles of Malwares and Detection Systems By: Amit Malik Member @ SecurityXploded Research Group Researcher @ FireEye Labs © SecurityXploded Research Group
  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the mine and nothing to do with the company or the organization in which I am currently working. However in no circumstances neither I or SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here.
  • 3. Agenda Phases The common things Data Theft Code protection/obfuscation Code protection and obfuscation – the view (PE Only) Detection systems Final thoughts
  • 4. Phases Fun The early stage Birth of antivirus Fun and Profit Second stage Code obfuscation/evasion – the innovation The gods – themda, vmprotect etc. Knowledge sharing Antivirus heuristics etc. (the failure) Profit Current stage Targeted attacks Offensive and defensive both are fully commercial Sophistication in exploits is increased exponentially Malwares are either sophisticated (duqu, stuxnet etc.) or easy ( rebirth of RAT) Modules (DLL etc.) New technologies for detection – execute and detect, machine learning etc.
  • 5. The common things At problem level, these things are common in malwares Data theft (real problem) Code obfuscation/evasion (antivirus failure) Data theft This is the problem actually…. Malware itself is not a problem. Remember “data” is the key thing here. Code obfuscation/evasion Real challenge for detection systems Packing, protectors, encryptors.. Etc etc.
  • 6. Code protection/evasion – the view Real challenge to detection technologies Making true real time protection nearly impossible. Couple of interesting things about this behavior. In unpacked binaries the execution will be within the section (ep) boundaries and the address space will be less tense.
  • 7. Code protection/evasion – the view In packed binaries the execution can fluctuate across multiple sections and the address space will look more stressed (especially in malwares due to multiple packing layers).
  • 8. Graph for malicious samples (exmp.)
  • 9. Graph for malicious samples (exmp.)
  • 10. Graph Analysis Two things are most important: Origin of call? Tension in the address space. Meaning return address and use of “data” are the two most important things. Actually tracking the use of “data” is not an easy task. But what if we monitor the user interaction with system instead of monitoring the use of data blindly? Why a specific event/activity is happening in the system? What is the scope of interaction of user to start that event. How the user is using/receiving the event output.
  • 11. Detection Systems Antivirus Actually I don’t want to blame antivirus.. Things at endpoints are very messy. A significant enhancement in the model is required. Home users are in real danger.. No other option. Execute and Detect: New technology to detect the malwares – actually it is not new, people just experimented it recently for detection and it is working? Infection is ok for customer but data should be protected. Considering the security problems people are ok even if you detect the malware after the actual infection.
  • 12. Detection Systems (cont.) Execute and Detect: Pros: Inspection of malware in a controlled environment. You don’t have to worry about the user and experience. You know the state and health of the system so detection is relatively easy. (on endpoint it is an entirely different game – poor antivirus). Cons: Expensive? Large infrastructure Huge maintenance overhead. Logic bombs – I know I am in sandbox  Oh boy.. First it is really difficult to port this thing or its variations on endpoint.. And even if we can achieve that, it will be extremely expensive for home users.
  • 13. Final Thoughts Malware is a problem and will always be.  Security is human + technology breach, we can’t fix both. Antivirus is failing and right now there is no other solution for its replacement for home users. Execute and detect is a good new technology for detection but it is expensive and not truly reactive (true real time protection?, post infection alerts.). THANK YOU!