Proofing against malware

Presentation by Marco Slaviero at Tshwane University Of Technology.

This presentation is about protecting your computer against malware. It begins with a look at different types of malware, then discusses whether program intent can be determined in a general way, and ends with practical strategies for both home and enterprise users to protect their computers from infection.
  • Dual purpose tools: remote access, HTC’s logging app on Android. Ignoring basic questions: are you being targeted specifically? Is the malware custom? What is its purpose? All of these affect whether the malware is (easily) prevented.
  • i.e. a program could be malicious in the hands of one user but a useful tool to another, e.g. remote access tools or even adware. What’s clear is that some software has no discernible benefit to the user. If the user is unaware of the software and it does not benefit the user, we can term it malware.
  • No. Thus the definition of malware is fuzzy. Let’s look at a few ways that it can be installed.
  • We treat virii and most malware as an infection, but not as an attack. Why is it that the solution to malware is disinfect, but the solution to an attack is reinstall? What’s different? If we reinstalled every virus-infected machine, companies would close down.
  • Not really, not only ethernet connections.
  • What about firewire, bluetooth, and other interconnects? Stuxnet.
  • Fending off thousands of new, “public”, malware samples.
  • Not looking at custom modifications and targeting.
  • So, can we malware-proof a computer? Since we require connectivity and interaction, can’t exactly define malware, have masses of identical machines, and implement detection and prevention in easily bypassable manners, we can conclude that the answer is NO.
  • A few options: improve monitoring, lengthen the attack graphs, focus on the organisation.
  • Sequence of steps sketching out the attacker’s path.
  • i.e., increase complexity. Your information should not be one malware infection away from disclosure.
  • A break in any one lock opens the gate.
  • Original object is unusable.
  • Most secure line of code is the one never written.
  • i.e., increase complexity.
  • The tradeoff means that eventually you’ll hit security controls that aren’t worth it. Are you spending more on the controls than the data is worth? Are you causing an impact to the business worth more than the data?
  • Security by isolation.
  • Increases the length of the attack chain. Does not close it off.
  • i.e., increase complexity.
Transcript of "Proofing against malware"

    1. Marco Slaviero: Proofing against malware attacks. PROOF AGAINST MALWARE
    2. Summary
       • State of anti-malware
       • Chronic malware treatment
    3. Malware? What’s that?
       • Obvious
         – Virii
         – Spyware
         – Worms
         – Trojans
       • Less obvious
         – “Legal” rootkits (ala Sony)
         – EULA-protected tools
         – Dual purpose tools
         – Poorly designed tools
    4. INTENT MATTERS
    5. CAN WE DETERMINE PROGRAM INTENT IN A GENERAL WAY?
    6. Specific solutions
       • Real-time / point-in-time
       • Signatures
         – Byte sequences on disk
         – Byte sequences over the network
         – Known suspicious system calls
    7. Antimalware fails
       • Polymorphic malware
         – Encrypt the virus, and include a tiny decryption engine that runs first.
         – Response: virtualise the first couple of hundred instructions, then see if known signatures are present
       • Metamorphic malware
         – Alter the instruction sequence such that it remains semantically identical, but syntactically different
    8. Examples
       • Signature stream: “Our computing systems are generally very insecure.”
       • Polymorphic manipulation: “Replace each ‘ZZ’ with an ‘e’ in the next sentence. Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ”.
       • Metamorphic manipulation: “Mankind’s information systems do not exhibit safe security practices.”
    9. Dan Geer’s security monoculture
    10. Artificial distinctions
    11. SO, CAN WE MALWARE-PROOF A COMPUTER?
    12. Safe from infection
    13. Safe from infection #2
    14. Safe from infection #3
    15. State of the art
    16. And it ignores the unexpected
    17. Verdict: NO
    18. DOES IT GET LESS GLOOMY?
    19. Side bar: Attack Graphs
       Create and host malicious website → Obtain target’s contact details → Entice user to click on link → Exploit flaw in unpatched Adobe Flash Player → Download body of malware → Execute malware → Search disk for documents → Upload information via configured proxy
    20. LENGTHEN THE ATTACK GRAPH
    21. Not like this
    22. Or this
    23. Better…
    24. MOST IMPORTANT: PROTECT THE ORGANISATION, NOT THE COMPUTER
    25. Where does your risk lie?
    26. Practical strategies: Home users
       • Not much infrastructure to lengthen attack chains
       • Consider
         – Decentralising your online life
         – Multiple (virtual) machines, each devoted to a single level of task
         – Security by isolation
         – Examples: VMWare, Qubes
    27. Qubes http://qubes-os.org/Architecture.html
    28. Practical strategies: Enterprise users
       • Regular stuff (remove unneeded software, patch, segregated networks, etc)
       • Expect that you’re infected
       • Develop rapid response measures to detect and isolate infection using signatures on both the host and network.
       • Monitor and log process execution
       • Whitelist binaries
       • Close access channels (no browsing, severe email limitations, no flash disks)
       • Risk management: loss is inevitable, absorb the cost
       • Introduce heterogeneity
    29. Side bar: walled gardens
    30. BUT DON’T FOOL YOURSELF. YOU’RE STILL NOT MALWARE-PROOF.
    31. Thank you to Prof. Ojo and TUT for the opportunity. marco@sensepost.com Questions?
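Slides 7 and 8 argue that a byte signature misses polymorphic code until the decoder stub is emulated, and misses metamorphic code regardless. The Python below is an added example, not from the presentation, that runs the slide's own sentence analogy through a naive signature scanner; the bracketed decoder-stub marker, the sample strings and the function names are constructed for this illustration.

```python
import re

# Signature a naive scanner would match (slide 8's "signature stream").
SIGNATURE = b"systems are generally very insecure"

# Constructed samples standing in for a malware body.
PLAIN = b"Our computing systems are generally very insecure."
# Polymorphic form (slide 8): body "encrypted" with e -> ZZ, preceded by a
# tiny decoder stub that undoes the transform at run time. The stub's
# bracketed marker format is an assumption made for this example.
STUB = b"[decoder: ZZ->e]"
POLYMORPHIC = STUB + b"Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ."
# Metamorphic form (slide 8): same meaning, entirely different bytes, and no
# decoder whose emulation would recover the original.
METAMORPHIC = b"Mankind's information systems do not exhibit safe security practices."


def signature_scan(sample: bytes) -> bool:
    """Point-in-time scan: a raw byte-sequence match (slide 6)."""
    return SIGNATURE in sample


def emulate_decoder(sample: bytes) -> bytes:
    """Slide 7's response: 'virtualise' the first instructions. Here that means
    recognising the decoder stub and applying its substitution to the body."""
    m = re.match(rb"\[decoder: (\w+)->(\w+)\]", sample)
    if m is None:
        return sample  # no stub: nothing to emulate
    encoded, decoded = m.group(1), m.group(2)
    return sample[m.end():].replace(encoded, decoded)


def emulate_then_scan(sample: bytes) -> bool:
    """Emulate first, then apply the same signature."""
    return signature_scan(emulate_decoder(sample))


def verdicts() -> dict:
    """Map sample name -> (raw signature hit, emulate-then-scan hit)."""
    samples = {"plain": PLAIN, "polymorphic": POLYMORPHIC, "metamorphic": METAMORPHIC}
    return {name: (signature_scan(s), emulate_then_scan(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (raw, emulated) in verdicts().items():
        print(f"{name:12s} raw={raw!s:5s} emulated={emulated}")
```

Only the metamorphic sample evades both passes, which is the slide's point: emulation buys back the polymorphic case, but a semantically equivalent rewrite leaves nothing for a byte signature to match.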