Malware self protection-matrix

In this Malware's Most Wanted session, Cyphort Labs' Marion Marschalek sheds light on malware self-protection. The audience gets an overview of how malware evasion evolved over the years and how malware defense evolved with it, or vice versa, as occasionally happens in the digital arms race. The various observed anti-analysis tricks are put in relation to their respective countermeasures in order to showcase the challenges faced by modern-day security products.

Marion recently won a speaking contest at Komintern Sect in Stockholm.

Published in: Technology

  1. The Malware Self-Protection Matrix. Marion Marschalek, Senior Malware Researcher at Cyphort Labs
  2. Your speakers today: Marion Marschalek, Senior Malware Researcher, Cyphort Labs; Shelendra Sharma, Product Marketing Director
  3. Agenda
     o Malware detection evolution
     o Malware self-protection
     o Wrap-up and Q&A
     (Cyphort Labs T-shirt)
  4. Cyphort Labs
     o Threat Monitoring & Research team: 24x7 monitoring for malware events; assist customers with their Forensics and Incident Response
     o We enhance malware detection accuracy: false positives/negatives; deep-dive research
     o We work with the security ecosystem: contribute to and learn from malware KB; best of 3rd party threat data
  5. HOW DO YOU FIND (image: http://1ms.net/)
  6. A Digital Threat History (image: http://www.hdbackgroundpoint.com): virus, exploit, worm, trojan, multi-component malware, adware, rootkit, spyware, APT, targeted threat, surveillance software, insider threat
  7. A THREAT DETECTION HISTORY
  8. Your signature update. (image: www.crane.com)
  9. Detection techniques over time: checksums, byte patterns, behavior patterns, static / dynamic heuristics, whitelisting, anomalies, network streams, cloud protection
  10. (diagram: Virus, Detection, Signature, Product, Computer, Server)
  11. Malware Self-Protection: each analysis or detection technique has a matching evasion technique

     | Analysis / detection technique | Malware self-protection                                |
     |--------------------------------|-------------------------------------------------------|
     | Debugging                      | Debugger detection, sub-processes, thread injection   |
     | Disassembly                    | Obfuscation                                           |
     | Static                         | Packer and crypter                                    |
     | Emulation                      | Emulator detection, time based evasion                |
     | Sandboxing                     | VM detection, modular malware                         |
     | Reputation                     | Binary updates, targeted malware                      |
     | Anomalies                      | Binary padding, use of legitimate tools               |
  12. Luckily, most threats make mistakes themselves.
  13. ZEUS: why can't detection work? Persistence folders created under %APPDATA%, with random names but created in batches at the same minute:
     %APP%Uwirpa  10.12.2013 23:50
     %APP%Woyxhi  10.12.2013 23:50
     %APP%Hibyo   19.12.2013 00:10
     %APP%Nezah   19.12.2013 00:10
     %APP%Afqag   19.12.2013 23:29
     %APP%Zasi    19.12.2013 23:29
     %APP%Eqzauf  20.12.2013 22:23
     %APP%Ubapo   20.12.2013 22:23
     %APP%Ydgowa  20.12.2013 22:23
     %APP%Olosu   20.12.2013 23:03
     %APP%Taal    20.12.2013 23:03
     %APP%Taosep  20.12.2013 23:03
     %APP%Wokyco  16.01.2014 13:22
     %APP%Semi    17.01.2014 16:34
     %APP%Uheh    17.01.2014 16:34
  14. Sandbox Detection
  15. Silver bullet ...? Persistence mechanisms, file names, network connection: big picture detection and a combination of static/dynamic features
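Slides 13 and 15 point at the persistence folder names as a pattern a defender can key on: the names are random, but they are short, purely alphabetic, unknown to a clean profile, and appear two or three at a time in the same minute. The Python below is an added example (not from the talk or from Cyphort) that scans a listing in the slide's own format and flags such batches; the baseline allowlist and the sample listing are constructed assumptions.

```python
"""Flag %APPDATA% sub-folders that look like Zeus-style random persistence paths."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format shown on slide 13: "%APP%<name> dd.mm.yyyy hh:mm".
# Two legitimate folders are mixed in so the heuristic has something to ignore.
SAMPLE = """\
%APP%Microsoft 02.09.2013 09:12
%APP%Mozilla 02.09.2013 09:15
%APP%Uwirpa 10.12.2013 23:50
%APP%Woyxhi 10.12.2013 23:50
%APP%Hibyo 19.12.2013 00:10
%APP%Nezah 19.12.2013 00:10
%APP%Adobe 03.01.2014 11:40
"""

# Baseline of folders expected in a clean profile (assumption; tune per environment).
BASELINE = {"microsoft", "mozilla", "adobe", "google"}

LINE_RE = re.compile(r"^%APP%(?P<name>\S+) (?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2})$")


def parse(listing):
    """Turn the listing into (folder name, creation minute) tuples; skip malformed lines."""
    entries = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M")
            entries.append((m.group("name"), ts))
    return entries


def looks_generated(name):
    """Short, alphabetic-only and not in the baseline: the shape of the Zeus names above."""
    return name.isalpha() and 3 <= len(name) <= 8 and name.lower() not in BASELINE


def suspicious_batches(listing):
    """Return {creation minute: [names]} for minutes in which >= 2 unknown folders appeared."""
    by_minute = defaultdict(list)
    for name, ts in parse(listing):
        if looks_generated(name):
            by_minute[ts].append(name)
    return {ts: names for ts, names in by_minute.items() if len(names) >= 2}


if __name__ == "__main__":
    for ts, names in sorted(suspicious_batches(SAMPLE).items()):
        print(ts.strftime("%d.%m.%Y %H:%M"), "->", ", ".join(names))
```

On the constructed sample this reports the two batches at 10.12.2013 23:50 and 19.12.2013 00:10 and ignores the baseline folders.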
  16. ARMOURING (image: http://hdwallpapersimage.com/)
  17. SAZOORA: being picky
  18. Code Obfuscation
  19. Virtual Machine Code Execution: the protected code is bytecode interpreted by a set of handlers, so the disassembler only sees the handlers, not the program
     handler13: ExitProcHresult ...
     handler14: ExitProc ...
     handler15: ExitProcI2 ...
     bytecode: ... FC C8 13 76 ...
  20. Silver bullet ...? Various packer layers, so no static detection; static detection won't work. Use reputation and metadata features instead.
  21. EXPLOITATION (image: http://themovieandme.blogspot.com/)
  22. Endpoint protection is built to detect repetitive patterns of evil. Exploit = system corruption. Exploit vs. vulnerability (image: http://www.wikipedia.com/)
  23. TYPICAL DRIVE-BY INFECTION: the redirect chain observed in one case
     o hxxp://www.insertyourwebsitehere.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js
     o hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755
     o hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC%B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&nrk=5992423910
     o hxxp://g12z4pj3k4k9y4wd517-ll6.dienami.ru/f/1398361080/5/x007cf6b534e520804090407000700080150050f0304045106565601;1;5
     o BOOM.
  24. TYPICAL DRIVE-BY INFECTION, step 1 (compromised site): hxxp://www.insertyourwebsitehere.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js
  25. TYPICAL DRIVE-BY INFECTION, step 2 (redirector): hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755
  26. TYPICAL DRIVE-BY INFECTION, step 3 (victim fingerprinting, IE 6, 7, 8 or 9, 10, 11): hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC%B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&nrk=5992423910
  27. TYPICAL DRIVE-BY INFECTION, step 4 (exploit delivery): hxxp://g12z4pj3k4k9y4wd517-ll6.dienami.ru/f/1398361080/5/x007cf6b534e520804090407000700080150050f0304045106565601;1;5
  28. Silver bullet ...? (There is none.) Patching, patching and more patching. An exploit will seldom come alone!
  29. VISIBILITY – KNOW HOW – ACTIONABILITY. Follow the kill chain: lure, exploit, infect, call home, steal data
  30. Q&A
  31. Thank You!
