Proofing against malware
Presentation by Marco Slaviero at Tshwane University Of Technology.

This presentation is about protecting your computer against malware. It begins with a look at different types of malware. Determining program intent in a general way is discussed. The presentation ends with discussions of practical strategies for both home and enterprise users to protect their computers from infection.


Usage Rights

© All Rights Reserved

Speaker notes

  • Dual purpose tools: remote access, HTC's logging app on Android. Ignoring basic questions: are you being targeted specifically? Is the malware custom? What is its purpose? All of these impact on the question of whether they are (easily) prevented.
  • i.e. a program could be malicious in the hands of one user, but a useful tool to another, e.g. remote access tools or even adware. What's clear is that some software has no discernible benefit to the user. If the user is unaware of the software and it does not benefit the user, we can term it malware.
  • No. Thus the definition of malware is fuzzy. Let's look at a few ways that it can be installed.
  • We treat virii and most malware as an infection, but not as an attack. Why is it that the solution to malware is disinfect, but the solution to attack is reinstall? What's different? If we reinstalled every virus-infected machine, companies would close down.
  • Not really; not only Ethernet connections.
  • What about FireWire, Bluetooth and other interconnects? Stuxnet.
  • Fending off thousands of new, "public" malware samples.
  • Not looking at custom modifications and targeting.
  • So, can we malware-proof a computer? Since we:
    – require connectivity and interaction;
    – can't exactly define malware;
    – have masses of identical machines;
    – implement detection and prevention in easily bypassable manners;
    we can conclude that the answer is NO.
  • A few options. Improve monitoring, lengthen the attack graphs, focus on the organisation.
  • Sequence of steps sketching out the attacker's path.
  • i.e., increase complexity. Your information should not be one malware infection away from disclosure.
  • Break in any one lock opens the gate.
  • Original object is unusable.
  • Most secure line of code is the one never written.
  • i.e., increase complexity.
  • The tradeoff means that eventually you'll hit security controls that aren't worth it. Are you spending more on the controls than the data is worth? Are you causing an impact to the business worth more than the data?
  • Security by isolation.
  • Increases the length of the attack chain. Does not close it off.
  • i.e., increase complexity.
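
The attack-graph notes above (sketch the attacker's path; any one lock opens the gate; isolation lengthens the chain but does not close it off) can be made concrete with a small graph model. This is an added example written for this page, not code from the talk or from SensePost: the chain is the one drawn on slide 19, while the flash-disk route, the control names and the resulting step counts are constructed assumptions. The shortest attacker path is found with breadth-first search, so "lengthening the attack graph" is measured as the growth of that shortest path.

```python
from collections import deque

START = "start"
GOAL = "goal: documents disclosed"

# Baseline chain: the boxes of slide 19, in order (constructed edge list).
BASE_EDGES = [
    (START, "create and host malicious website"),
    ("create and host malicious website", "obtain target's contact details"),
    ("obtain target's contact details", "entice user to click on link"),
    ("entice user to click on link", "exploit flaw in unpatched Adobe Flash Player"),
    ("exploit flaw in unpatched Adobe Flash Player", "download body of malware"),
    ("download body of malware", "execute malware"),
    ("execute malware", "search disk for documents"),
    ("search disk for documents", "upload information via configured proxy"),
    ("upload information via configured proxy", GOAL),
]

# A second, unguarded delivery channel in parallel with the web route
# (slide 28 lists flash disks among the channels to close). Constructed.
PARALLEL_EDGES = BASE_EDGES + [
    (START, "malware arrives on a flash disk"),
    ("malware arrives on a flash disk", "execute malware"),
]


def shortest_path(edges, start=START, goal=GOAL):
    """Breadth-first search; returns the node list of one shortest path, or None."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def attacker_steps(edges):
    """Number of steps on the shortest path, or None if the goal is unreachable."""
    path = shortest_path(edges)
    return None if path is None else len(path) - 1


def insert_control(edges, before, control):
    """Serial control: every route into `before` must now pass through `control`.
    This is the 'better' shape of slide 23, as opposed to a parallel lock."""
    new = [(u, control) if v == before else (u, v) for u, v in edges]
    new.append((control, before))
    return new


def remove_channel(edges, node):
    """Close a channel entirely by dropping the node and all its edges."""
    return [(u, v) for u, v in edges if u != node and v != node]


if __name__ == "__main__":
    print("baseline:", attacker_steps(BASE_EDGES))
    print("with parallel flash-disk channel:", attacker_steps(PARALLEL_EDGES))
    hardened = insert_control(BASE_EDGES, "execute malware", "defeat binary whitelisting")
    hardened = insert_control(hardened, "search disk for documents", "escape the isolated VM")
    print("baseline + whitelisting + isolation:", attacker_steps(hardened))
    print("baseline, browsing closed:", attacker_steps(remove_channel(BASE_EDGES, "entice user to click on link")))
    print("parallel, browsing closed:", attacker_steps(remove_channel(PARALLEL_EDGES, "entice user to click on link")))
```

Two things the numbers make visible: a parallel channel shortens the shortest path rather than adding to it (the "any one lock opens the gate" case), and a serial control such as whitelisting or isolation adds one step on every route into the guarded node but never makes the goal unreachable, which is exactly the note that isolation "increases the length of the attack chain, does not close it off".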

Proofing against malware Presentation Transcript

  • 1. Marco Slaviero. Proofing against malware attacks. PROOF AGAINST MALWARE
  • 2. Summary
    – State of anti-malware
    – Chronic malware treatment
  • 3. Malware? What's that?
    – Obvious: Virii, Spyware, Worms, Trojans
    – Less obvious: "Legal" rootkits (à la Sony), EULA-protected tools, Dual purpose tools, Poorly designed tools
  • 4. INTENT MATTERS
  • 5. CAN WE DETERMINE PROGRAM INTENT IN A GENERAL WAY?
  • 6. Specific solutions
    – Real-time / point-in-time
    – Signatures: byte sequences on disk, byte sequences over the network, known suspicious system calls
  • 7. Antimalware fails
    – Polymorphic malware: encrypt the virus, and include a tiny decryption engine that runs first. Response: virtualise the first couple of hundred instructions, then see if known signatures are present.
    – Metamorphic malware: alter the instruction sequence such that it remains semantically identical, but syntactically different.
  • 8. Examples
    – Signature stream: "Our computing systems are generally very insecure."
    – Polymorphic manipulation: "Replace each 'ZZ' with an 'e' in the next sentence. Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ."
    – Metamorphic manipulation: "Mankind's information systems do not exhibit safe security practices."
  • 9. Dan Geer's security monoculture
  • 10. Artificial distinctions
  • 11. SO, CAN WE MALWARE-PROOF A COMPUTER?
  • 12. Safe from infection
  • 13. Safe from infection #2
  • 14. Safe from infection #3
  • 15. State of the art
  • 16. And it ignores the unexpected
  • 17. Verdict: NO
  • 18. DOES IT GET LESS GLOOMY?
  • 19. Side bar: Attack graphs. Create and host malicious website → Obtain target's contact details → Entice user to click on link → Exploit flaw in unpatched Adobe Flash Player → Download body of malware → Execute malware → Search disk for documents → Upload information via configured proxy
  • 20. LENGTHEN THE ATTACK GRAPH
  • 21. Not like this
  • 22. Or this
  • 23. Better…
  • 24. MOST IMPORTANT: PROTECT THE ORGANISATION, NOT THE COMPUTER
  • 25. Where does your risk lie?
  • 26. Practical strategies: Home users
    – Not much infrastructure to lengthen attack chains
    – Consider: decentralising your online life; multiple (virtual) machines, each devoted to a single level of task; security by isolation; examples: VMware, Qubes
  • 27. Qubes: http://qubes-os.org/Architecture.html
  • 28. Practical strategies: Enterprise users
    – Regular stuff (remove unneeded software, patch, segregated networks, etc.)
    – Expect that you're infected
    – Develop rapid response measures to detect and isolate infection using signatures on both the host and network
    – Monitor and log process execution
    – Whitelist binaries
    – Close access channels (no browsing, severe email limitations, no flash disks)
    – Risk management: loss is inevitable, absorb the cost
    – Introduce heterogeneity
  • 29. Side bar: walled gardens
  • 30. BUT DON'T FOOL YOURSELF. YOU'RE STILL NOT MALWARE-PROOF.
  • 31. Thank you to Prof. Ojo and TUT for the opportunity. marco@sensepost.com. Questions?
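
Slides 6 to 8 explain why byte-sequence signatures miss a polymorphic body unless the scanner first emulates the decoder, and miss a metamorphic body regardless. The following Python is an added example written for this page, not code from the talk: it uses the slide 8 sentences as the "signature" and as the samples, and the tiny decoder stub format (xor/sub instruction lines before a --body-- marker) is invented here as a stand-in for the "tiny decryption engine that runs first". The step budget plays the role of "virtualise the first couple of hundred instructions".

```python
# Added example: toy signature scanner with and without a bounded decoder
# emulation step. Samples are constructed from the sentences on slide 8;
# the stub format is invented for this example and is not a real packer
# or anti-malware format.

SIGNATURE = b"Our computing systems are generally very insecure."

# Plain sample: the signature bytes appear verbatim (constructed).
PLAIN = b"[constructed sample] Our computing systems are generally very insecure. [end]"

# "Polymorphic" sample: the body was encoded in two layers (every 'e'
# replaced by 'ZZ', then every byte XORed with 7) and is preceded by a
# decoder stub that undoes the layers in reverse order. The raw file
# contains neither layer's plaintext, so a byte signature cannot match it.
_ENCODED_ONCE = b"Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ."
POLY_STUB = b"xor 7\nsub ZZ e\n--body--\n"
POLYMORPHIC = POLY_STUB + bytes(b ^ 7 for b in _ENCODED_ONCE)

# "Metamorphic" sample: same meaning as SIGNATURE, different bytes, no decoder.
METAMORPHIC = b"Mankind's information systems do not exhibit safe security practices."


def scan_raw(sample, signature=SIGNATURE):
    """Point-in-time byte-sequence match against the sample as stored on disk."""
    return signature in sample


def emulate_decoder(sample, max_steps=200):
    """Interpret the decoder stub over the body, bounded by a step budget.

    Supported stub instructions (invented): 'xor <key>' XORs every body byte
    with key; 'sub <old> <new>' replaces every <old> with <new>.
    """
    stub, marker, body = sample.partition(b"--body--\n")
    if not marker:
        return sample  # no recognisable stub: nothing to emulate
    steps = 0
    for line in stub.splitlines():
        if steps >= max_steps:
            break  # budget exhausted; return whatever has been decoded so far
        parts = line.split()
        if not parts:
            continue
        op = parts[0]
        if op == b"xor" and len(parts) == 2:
            key = int(parts[1]) & 0xFF
            body = bytes(b ^ key for b in body)
        elif op == b"sub" and len(parts) == 3:
            body = body.replace(parts[1], parts[2])
        steps += 1
    return body


def scan_with_emulation(sample, signature=SIGNATURE, max_steps=200):
    """Signature match after running the decoder stub under emulation."""
    return signature in emulate_decoder(sample, max_steps)


def classify(sample, signature=SIGNATURE, max_steps=200):
    """Verdict string showing which scanning stage, if any, caught the sample."""
    if scan_raw(sample, signature):
        return "match-raw"
    if scan_with_emulation(sample, signature, max_steps):
        return "match-after-emulation"
    return "no-match"


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("polymorphic", POLYMORPHIC), ("metamorphic", METAMORPHIC)):
        print(name, classify(sample))
    # With a budget of one instruction only the XOR layer is undone, so the
    # signature is still hidden: the emulation response has a cost ceiling.
    print("polymorphic, budget 1:", classify(POLYMORPHIC, max_steps=1))
```

The metamorphic sample is the instructive failure: no amount of emulation helps, because there is no encoded copy of the signature to recover. That is the gap slide 7 leaves open, and the reason slide 28 pairs signatures with process monitoring and whitelisting rather than relying on them alone.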
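
Slide 28 pairs "monitor and log process execution" with "whitelist binaries" and "rapid response measures to detect and isolate infection using signatures on the host". The following Python shows those three working together over a handful of process-execution events. It is an added example written for this page, not code from the talk: the key=value log format, the hashes, hostnames, user names and file paths are all constructed for the example, and a real deployment would take events from an endpoint agent and hashes from a maintained allowlist.

```python
import re

# Constructed process-execution events in a key=value format invented for
# this example (not any real agent's output). Hashes are short placeholders.
SAMPLE_LOG = r"""
ts=2011-03-04T10:15:01Z host=ws17 user=alice parent=explorer.exe image=C:\Windows\System32\notepad.exe sha256=1111aaaa
ts=2011-03-04T10:16:12Z host=ws17 user=alice parent=flashplayer.exe image=C:\Users\alice\AppData\Local\Temp\upd.exe sha256=9999ffff
ts=2011-03-04T10:16:13Z host=ws17 user=alice parent=upd.exe image=C:\Users\alice\AppData\Local\Temp\helper.exe sha256=deadbeef
ts=2011-03-04T10:20:44Z host=ws22 user=bob parent=explorer.exe image="C:\Program Files\Acme Tools\viewer.exe" sha256=2222bbbb
ts=2011-03-04T10:21:00Z host=ws22 user=bob parent=explorer.exe image=C:\Windows\System32\cmd.exe sha256=3333cccc
""".strip()

# Whitelist of approved binaries, keyed by hash (constructed).
ALLOWLIST = {"1111aaaa": "notepad.exe", "2222bbbb": "viewer.exe", "3333cccc": "cmd.exe"}
# Host-side signature: hashes already known to be malicious (constructed).
KNOWN_BAD = {"deadbeef"}

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one log line into a dict, dropping the quotes around quoted values."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def verdict(event):
    """Known-bad hash beats everything; then whitelist; anything else is unknown."""
    digest = event.get("sha256", "")
    if digest in KNOWN_BAD:
        return "known-bad"
    if digest in ALLOWLIST:
        return "allowed"
    return "unknown"


def triage(log_text):
    """Per-event verdicts, hosts to isolate, and unknown binaries to review.

    'Expect that you're infected': a known-bad execution puts the host on the
    isolation list immediately; unknown binaries go to a review queue instead
    of being silently accepted.
    """
    results, isolate, review = [], set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        v = verdict(event)
        results.append({"host": event["host"], "image": event["image"],
                        "parent": event.get("parent"), "verdict": v})
        if v == "known-bad":
            isolate.add(event["host"])
        elif v == "unknown":
            review.append((event["host"], event["image"]))
    return {"events": results, "isolate": sorted(isolate), "review": review}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ev in report["events"]:
        print(ev["host"], ev["verdict"], ev["image"], "(parent:", ev["parent"] + ")")
    print("isolate:", report["isolate"])
    print("review:", report["review"])
```

Note the parent field on the unknown event: the binary was spawned by the Flash player, which is the slide 19 chain seen from the host side. Keeping the parent in the event is what lets a responder connect an "unknown" verdict to an entry channel rather than treating it as an isolated oddity.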