Modern Malware and Threats
Martin Čmelík
www.security-portal.cz
Modern Malware and Defence Options (Moderní malware a možnosti obrany), Hotel Barceló, Praha - 4.11.2014
What is malware?
Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.
source: wikipedia
Value of hacked computer 
source: krebsonsecurity.com
Threat Landscape
                | Motivation                 | Actors                        | Targets
CYBER WAR       | Military/Political Advance | Cyber Nation-States           | Critical Infrastructure
TERRORISM       | Political Change           | Terrorist Networks and Groups | Infrastructure and Public Assets
ESPIONAGE       | Intellectual Property Gain | Nation-States and Enterprises | Governments, Companies and Individuals
ORGANIZED CRIME | Financial Gain             | Criminals                     | Companies and Individuals
HACKTIVISM      | Ego, Curiosity and Change  | Groups and Individuals        | Governments, Companies and Individuals
Types of malware 
Viruses 
Worms 
Trojan Horses 
Spyware 
Crimeware 
Bankers 
Backdoors 
Exploits 
RAT (Remote Access Toolkit) 
Bootkits 
Rootkits 
Ransomware 
Zombie/Bot, Dropper, … 
Malware classification tree 
source: http://www.kaspersky.com/internet-security-center/malware-tree.jpg
Traditional vs Modern malware 
Traditional Malware: 
- Open channels 
- Known detection and patches available 
- Broad & Noisy 
- Single 
- Centralized infrastructure 
Modern Malware: 
- Stealthy & Covert 
- No known detection, zero-day exploits 
- Targeted & Personalized 
- Persistent 
- Distributed infrastructure
Sources of infection 
Spear phishing & Spam 
Social Media 
Infected websites (drive-by-download, watering hole, …) 
Exploit Kits (Blackhole - not active, Crime Pack, Magnitude, Fiesta, …) 
Infected media - USB stick (autorun.inf, BadUSB) 
Infected host on network 
Dynamic binary patching 
Pirated Software & Key Generators 
Human error
Persistence 
Backdoor 
- enables an attacker to bypass the normal authentication procedure and gain access to the system 
Rootkit 
- admin-level type of access 
- hides its existence in the system 
- blocks AV/malware scanners or feeds them spoofed data 
- firmware rootkits (network card, disk, BIOS, VGA, …) survive OS reinstallation 
Bootkit 
- kernel-mode type of rootkit 
- infects the MBR, VBR or boot sector 
- can be used to attack full disk encryption
Communication 
Common (allowed) protocols: HTTP, HTTPS, SSH, DNS 
Proprietary protocols and encryption 
Communication via proxies, tunnels, IRC 
Through public services like Facebook, Reddit, Twitter, Google 
Steganography (image EXIF metadata) 
Tor hidden services (e.g. Mevade) 
P2P network (e.g. Alureon, GameOver) 
Computer speakers and microphones to bridge air gaps (badBIOS PoC) 
Fast Flux (or DDNS) - a combination of P2P, distributed CnC, load balancing and proxy redirection (e.g. Storm Worm)
Single vs Double Fast Flux network 
source: http://www.honeynet.org/node/136
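The fast-flux behaviour described on the two slides above can be recognized from the DNS side. The following Python script is an added example, not part of the original deck: it scores a domain from repeated lookups using TTL, A-record churn and address diversity, and separates single from double flux by whether the name-server addresses rotate too. The lookups are constructed, 10.x.y.z addresses stand in for real hosts, and /16 prefix diversity is an assumed proxy for ASN diversity (offline code cannot resolve ASNs); the thresholds are this example's assumptions.

```python
"""Added example, not code from the original slides: defender-side heuristics
for recognizing a fast-flux CnC domain from repeated DNS lookups. A single-flux
network rotates many A records behind a short TTL; a double-flux network also
rotates the addresses of its authoritative name servers. Lookups are constructed
(private 10.x.y.z addresses stand in for real hosts); distinct /16 prefixes are
an assumed proxy for ASN diversity; thresholds are this example's assumptions."""
from collections import namedtuple
from ipaddress import ip_network

# One snapshot of the domain: time taken, TTL of the A records, the A records,
# and the addresses the domain's NS names resolved to at that moment.
Lookup = namedtuple("Lookup", "when ttl a_records ns_records")

TTL_MAX = 300        # seconds; flux networks keep TTLs short so rotation takes effect
MIN_UNIQUE_A = 10    # distinct A records seen across all lookups
MIN_PREFIXES = 5     # distinct /16s among them; a CDN clusters in few ranges
MIN_CHURN = 0.5      # fraction of consecutive lookups whose A set changed


def prefixes(ips, bits=16):
    """Distinct /bits networks covering the addresses (ASN-diversity stand-in)."""
    return {ip_network(f"{ip}/{bits}", strict=False) for ip in ips}


def churn(record_sets):
    """Fraction of consecutive lookups in which the record set changed."""
    pairs = list(zip(record_sets, record_sets[1:]))
    if not pairs:
        return 0.0
    return sum(1 for a, b in pairs if set(a) != set(b)) / len(pairs)


def analyze(lookups):
    """Summarize A/NS churn and diversity and classify the domain."""
    if not lookups:
        return {"verdict": "insufficient data"}
    a_sets = [lk.a_records for lk in lookups]
    ns_sets = [lk.ns_records for lk in lookups]
    unique_a = set().union(*a_sets)
    unique_ns = set().union(*ns_sets)
    stats = {
        "min_ttl": min(lk.ttl for lk in lookups),
        "unique_a": len(unique_a), "a_prefixes": len(prefixes(unique_a)),
        "a_churn": churn(a_sets),
        "unique_ns": len(unique_ns), "ns_prefixes": len(prefixes(unique_ns)),
        "ns_churn": churn(ns_sets),
    }
    # A low TTL alone is not evidence: CDNs use short TTLs too. Flux needs
    # churn across many unrelated address ranges as well.
    a_flux = (stats["min_ttl"] <= TTL_MAX and stats["unique_a"] >= MIN_UNIQUE_A
              and stats["a_prefixes"] >= MIN_PREFIXES and stats["a_churn"] >= MIN_CHURN)
    ns_flux = stats["ns_prefixes"] >= 3 and stats["ns_churn"] > 0
    if a_flux and ns_flux:
        stats["verdict"] = "double-flux"
    elif a_flux:
        stats["verdict"] = "single-flux"
    else:
        stats["verdict"] = "none"
    return stats


def constructed_lookups(kind):
    """Six hourly snapshots for three constructed domains: 'cdn', 'single', 'double'."""
    if kind == "cdn":  # short TTL but a stable set inside one /16: not flux
        return [Lookup(h, 60, ["10.1.0.1", "10.1.0.2", "10.1.0.3"],
                       ["10.9.0.53", "10.9.1.53"]) for h in range(6)]
    a_rounds = [[f"10.{5 * h + i}.0.1" for i in range(5)] for h in range(6)]  # 30 IPs, 30 /16s
    stable_ns = ["10.200.0.53", "10.201.0.53"]
    if kind == "single":
        return [Lookup(h, 180, a_rounds[h], stable_ns) for h in range(6)]
    rotating_ns = [[f"10.{100 + 2 * h}.0.53", f"10.{101 + 2 * h}.0.53"] for h in range(6)]
    return [Lookup(h, 180, a_rounds[h], rotating_ns[h]) for h in range(6)]


if __name__ == "__main__":
    for kind in ("cdn", "single", "double"):
        print(kind, analyze(constructed_lookups(kind)))
```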
Bredolab Botnet 
source: http://securelist.com/analysis/publications/36335/end-of-the-line-for-the-bredolab-botnet/
Anti-Detection techniques 
Obfuscation - the deliberate act of creating source or machine code that is difficult for humans to understand. 
Packers - comparable to obfuscation. A packer applies an executable compression algorithm and combines the compressed data with decompression code into a single executable. Stacking several packers can still give quite good results against detection. 
Oligomorphic code - randomly selects each piece of the decryptor from several predefined alternatives (+, -, /, XOR). Limited to just a few hundred different decryptors. 
Polymorphic code - uses a polymorphic engine to mutate while keeping the original algorithm intact. The code changes its encryptor/decryptor each time it runs, but the function remains the same. 
Metamorphic code - no part of the malware stays the same. Metamorphic viruses often translate their own binary code into a temporary representation, edit that representation of themselves, and then translate the edited form back to machine code. 
Steganography - concealment of information within computer files (images, videos, …). Used sporadically at this time, but it seems to be the weapon of choice for droppers, which download an image, a YouTube video or some other carrier and extract the malware payload from it.
Example of obfuscated PHP script 
source: http://ddecode.com/phpdecoder/?results=e0719289a4608ed4ef4efa66375337ef
Example of obfuscated JavaScript 
Result? Redirect to google.com website 
source: http://www.kahusecurity.com/2011/making-wacky-redirect-scripts-part-i/
Exploit Kit services 
Dashboard - statistics, infected computers, traffic flow summary, infection rate in % by OS, exploit used, country, browser, affiliate/partner, … 
Available exploits to use and exploits which you can buy 
Antivirus evasion techniques + a virustotal-like service to verify results 
Code obfuscation service (HTML, JavaScript, ActionScript/Flash, PDF, Java, …) 
Landing pages and details about the obfuscation used, iframes etc.; whether the website is on any kind of blacklist (URL scanner), … 
Random domain generator (changing every X hours) 
Tool for sending spam and spear phishing campaigns (mail lists included) 
DDoS attack service 
CnC control-like panel 
…and much more 
24/7 support (!)
Blackhole Exploit kit
Threat Detection and Mitigation
Malware analysis 
Static (code) Analysis - signature (virustotal.com) and string analysis, reverse engineering performed using disassemblers (e.g. IDA Pro, OllyDbg), debuggers and decompilers. RE is time consuming. 
Dynamic (behavioral) Analysis - executing the malware in a sandboxed/virtualized OS environment and watching how it behaves (monitoring system/library calls): what has been changed in the system, which connection attempts were made, which files were created, etc. A quick method which can detect APT attacks, spear phishing campaigns and 0day exploits. 
Memory Analysis - simple rule: malware must run, and if it runs, it has to be in memory. Dumping memory and searching it for malicious artifacts (e.g. Volatility Framework, Memoryze).
Example of Hybrid Analysis 
One Tor exit node in Russia was performing dynamic binary patching, injecting its own malware into EXE files downloaded via the HTTP protocol. This is the report for one file modified by that exit node. 
A regular application downloaded from the microsoft.com website (isn't it?)
source: https://malwr.com/analysis/ZmY0ZGFlY2ZjMWMzNDNkZmE3YzE1MzhjNWEyNjlhNTk/
Analyzing Web-Based malware 
urlQuery.net is a free online service for testing and analyzing URLs, helping with identification of malicious content on websites. The main focus of urlQuery is to find and detect suspicious and malicious content on webpages, to help improve the security industry and make the internet a safer place.
source: http://urlquery.net/report.php?id=1413821943900
General Recommendations 
Have a good antivirus on computers and servers. 
Have HIPS on computers and servers. 
An IPS at the core of the network with an anti-malware and anti-botnet engine can help a lot. Even if the engine cannot detect the malicious file itself, it can recognize communication to CnC servers by deep packet inspection or by monitoring DNS requests. 
If you can, use appliances which recognize specific applications in the network flow. Strict policies allowing communication only from known applications can mitigate malware infection and communication to CnC as well. 
Correlate all security events and audit logs in a robust SIEM solution. 
Invest money in good employees. Someone has to read and understand the output of logs and SIEM events.
General Recommendations 
Every piece of network equipment has to be properly set up and secured, starting with switches and ending with personal computers. 
All systems have to be regularly updated. 
Strict policies and new technologies for malware detection have to be enforced in order to avoid contact with malware distribution websites and mail attachments coming from spear phishing and spam campaigns. 
…in the best case uninstall Adobe Reader, Adobe Flash and Java 
Consider OS level hardening 
Windows - EMET (The Enhanced Mitigation Experience Toolkit) 
Linux - SELinux, Grsecurity
EMET (The Enhanced Mitigation Experience Toolkit) 
EMET forces applications to use key security defenses which could potentially block malware during its execution. 
Defense mechanisms: 
ASLR (against buffer overflow exploitation) 
DEP (no-exec memory) 
SEHOP (against stack overflow exploitation) 
Anti-ROP (against DEP bypass)
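The packers described under anti-detection and the mitigations EMET enforces can both be checked statically in a PE header, which is the kind of quick static triage the malware analysis slide mentions. The following Python script is an added example, not code from the deck or from EMET: it computes per-section entropy and permission flags to spot packed sections, and reads DllCharacteristics to report whether a binary opts into ASLR, DEP and no-SEH on its own. The PE it analyzes is constructed in build_sample_pe() and contains no real code; the 7.0 bits/byte threshold and the UPX1 section name are assumptions.

```python
"""Added example, not code from the original slides or from EMET: static triage
of a Windows PE. Per-section entropy and permissions flag the packed sections
that packers produce (compressed data is close to 8 bits/byte); DllCharacteristics
shows whether the binary itself opts into the ASLR, DEP and no-SEH mitigations
EMET enforces from outside. The input PE is constructed in build_sample_pe()."""
import hashlib
import math
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification).
DYNAMIC_BASE = 0x0040  # image can be relocated: ASLR opt-in
NX_COMPAT = 0x0100     # image is DEP compatible: non-executable data
NO_SEH = 0x0400        # image uses no structured exception handlers
# IMAGE_SECTION_HEADER.Characteristics bits.
MEM_EXECUTE = 0x20000000
MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.0          # bits/byte; compressed or encrypted data sits above (assumption)
SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER layout


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read DllCharacteristics and the section table of a PE32/PE32+ image."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header.
    dll_characteristics = struct.unpack_from("<H", blob, opt + 70)[0]
    sections = []
    for i in range(n_sections):
        name, vsize, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "characteristics": chars})
    return {"dll_characteristics": dll_characteristics, "sections": sections}


def triage(blob: bytes) -> dict:
    """Per-section entropy/permission findings plus the binary's mitigation opt-ins."""
    pe = parse_pe(blob)
    sections = []
    for s in pe["sections"]:
        data = blob[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        entropy = shannon_entropy(data)
        flags = []
        if entropy > ENTROPY_THRESHOLD:
            flags.append("high-entropy")         # packed or encrypted content
        if s["characteristics"] & MEM_EXECUTE and s["characteristics"] & MEM_WRITE:
            flags.append("writable+executable")  # typical of an unpacking stub
        if s["virtual_size"] > 2 * max(s["raw_size"], 1):
            flags.append("virtual>>raw")         # room reserved for unpacked code
        sections.append({"name": s["name"], "entropy": round(entropy, 2), "flags": flags})
    dc = pe["dll_characteristics"]
    mitigations = {"ASLR": bool(dc & DYNAMIC_BASE), "DEP": bool(dc & NX_COMPAT),
                   "NO_SEH": bool(dc & NO_SEH)}
    return {"sections": sections, "mitigations": mitigations}


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(dll_characteristics: int = DYNAMIC_BASE) -> bytes:
    """Constructed PE32: a plain .text section plus a UPX-style packed section."""
    text = bytes([0x55, 0x8B, 0xEC, 0x90, 0x90, 0xC3, 0x00, 0x00]) * 512  # low entropy
    packed = pseudo_random_bytes(4096)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = bytearray(224)  # PE32 optional header; only the fields we read are filled
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    raw0 = 0x200
    sec = struct.pack(SECTION_HEADER, b".text", 4096, 0x1000, 4096, raw0, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack(SECTION_HEADER, b"UPX1", 0x8000, 0x2000, 4096, raw0 + 4096, 0, 0, 0, 0, 0xE0000040)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw0, b"\0")
    return header + text + packed


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```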
Are you still hungry? 
Flame - the most complex, sophisticated and interesting piece of malware (developed by US and Israel) 
Dexter - POS malware with the ability to search for credit card information in memory (Target data breach - 40 million credit cards) 
Gapz - dropper using a non-standard technique for code injection, bypassing security software 
The Mask - targets government, diplomatic offices and embassies, oil and gas companies, research organizations and activists (state sponsored malware)
Recommended sources 
http://blog.kaspersky.com/ 
http://nakedsecurity.sophos.com/ 
http://www.welivesecurity.com/
Questions?
Thank you! 
Martin Čmelík 
www.linkedin.com/in/martincmelik 
www.security-portal.cz | www.securix.org | www.security-session.cz

More Related Content

What's hot

Detection of running backdoors
Detection of running backdoorsDetection of running backdoors
Detection of running backdoorsmridulahuja
 
Malware and Anti-Malware Seminar by Benny Czarny
Malware and Anti-Malware Seminar by Benny CzarnyMalware and Anti-Malware Seminar by Benny Czarny
Malware and Anti-Malware Seminar by Benny CzarnyOPSWAT
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)AP DealFlow
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET Journal
 
Mod2 wfbs new starter
Mod2 wfbs new starterMod2 wfbs new starter
Mod2 wfbs new starterIan Thiele
 
Software security
Software securitySoftware security
Software securityjes_d
 
Report on Rogue Security Software
Report on Rogue Security SoftwareReport on Rogue Security Software
Report on Rogue Security SoftwareSymantec Italia
 
Evolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaEvolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaAnjoum .
 
BETTER- Threat Whitepaper- PoS
BETTER- Threat Whitepaper- PoSBETTER- Threat Whitepaper- PoS
BETTER- Threat Whitepaper- PoSPurna Bhat
 
trojon horse Seminar report
 trojon horse Seminar report trojon horse Seminar report
trojon horse Seminar reportNamanKikani
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 

What's hot (20)

Botnet
BotnetBotnet
Botnet
 
Detection of running backdoors
Detection of running backdoorsDetection of running backdoors
Detection of running backdoors
 
Malware and Anti-Malware Seminar by Benny Czarny
Malware and Anti-Malware Seminar by Benny CzarnyMalware and Anti-Malware Seminar by Benny Czarny
Malware and Anti-Malware Seminar by Benny Czarny
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 
Malware
MalwareMalware
Malware
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection Methods
 
OS-Project-Report-Team-8
OS-Project-Report-Team-8OS-Project-Report-Team-8
OS-Project-Report-Team-8
 
Mod2 wfbs new starter
Mod2 wfbs new starterMod2 wfbs new starter
Mod2 wfbs new starter
 
Software security
Software securitySoftware security
Software security
 
Report on Rogue Security Software
Report on Rogue Security SoftwareReport on Rogue Security Software
Report on Rogue Security Software
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
 
Evolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaEvolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wandera
 
Computer security
Computer securityComputer security
Computer security
 
Security News bytes October 2013
Security News bytes  October 2013Security News bytes  October 2013
Security News bytes October 2013
 
Program Threats
Program ThreatsProgram Threats
Program Threats
 
BackDoors Seminar
BackDoors SeminarBackDoors Seminar
BackDoors Seminar
 
BETTER- Threat Whitepaper- PoS
BETTER- Threat Whitepaper- PoSBETTER- Threat Whitepaper- PoS
BETTER- Threat Whitepaper- PoS
 
trojon horse Seminar report
 trojon horse Seminar report trojon horse Seminar report
trojon horse Seminar report
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 

Similar to Modern malware and threats

(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The EnterpriseAyed Al Qartah
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Satria Ady Pradana
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingRaghav Bisht
 
Security threats explained
Security threats explained Security threats explained
Security threats explained Abhijeet Karve
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackEMC
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9koolkampus
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5CAS
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 

Similar to Modern malware and threats (20)

Modern Malware and Threats
Modern Malware and ThreatsModern Malware and Threats
Modern Malware and Threats
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The Enterprise
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Mitppt
MitpptMitppt
Mitppt
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
Security threats explained
Security threats explained Security threats explained
Security threats explained
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
Computer crimes
Computer crimesComputer crimes
Computer crimes
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
Final malacious softwares
Final malacious softwaresFinal malacious softwares
Final malacious softwares
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
NetWitness
NetWitnessNetWitness
NetWitness
 

Recently uploaded

Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 

Recently uploaded (20)

Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 

Modern malware and threats

  • 1. Modern Malware and Threats Martin Čmelík www.security-portal.cz Moderní malware a možnosti obrany, Hotel Barceló, Praha - 4.11.2014
  • 2. What is malware? Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. source: wikipedia
  • 3. Value of hacked computer Text source: krebsonsecurity.com
  • 4. Threat Landscape Motivation Actors Targets CYBER WAR Military/Political Advance Cyber Nation - States Critical Infrastructure TERRORISM Political Change Terrorist Networks and Groups Infrastructure and Public Assets ESPIONAGE Intellectual Property Gain Nation-States and Enterprises Governments, Companies and Individuals ORGANIZED CRIME Financial Gain Criminals Companies and Individuals HACKTIVISM Ego, Curiosity and Change Groups and Individuals Governments, Companies and Individuals
  • 5. Types of malware Viruses Worms Trojan Horses Spyware Crimeware Bankers Backdoors Exploits RAT (Remote Access Toolkit) Bootkits Rootkits Ransomware Zombie/Bot, Dropper, … Malware classification tree source: http://www.kaspersky.com/internet-security-center/malware-tree.jpg
  • 6. Traditional vs Modern malware Traditional Malware: - Open channels - Known detection and patches available - Broad & Noisy - Single - Centralized infrastructure Modern Malware: - Stealthy & Covert - Unknown detection and Zero Day - Targeted & Personalize - Persistent - Distributed infrastructure
  • 7. Sources of infection Spear phishing & Spam Social Media Infected websites (drive-by-download, watering hole, …) Exploit Kits (Blackhole - not active, Crime Pack, Magnitude, Fiesta, …) Infected media - USB stick (autorun.inf, BadUSB) Infected host on network Dynamic binary patching Pirated Software & Key Generators Human error
  • 8. Persistence Backdoor - enable an attacker to bypass normal authentication procedure to gain access to system Rootkit - admin-level type of access - hiding existence in system - blocking AV/Malware scanners or providing spoofed data - firmware (network card, disk, BIOS, VGA, …) rootkits are resistant to OS reinstallation Bootkit - kernel-mode type of rootkit - infect MBR, VBR or boot sector - can be used to attack full disk encryption
  • 9. Communication Common (allowed) protocols: HTTP, HTTPS, SSH, DNS Proprietary protocols and encryption Communication via proxies, tunnels, IRC Through public services like Facebook, Reddit, Twitter, Google Steganography (image EXIF metadata) TOR hidden services (e.g. Mevade) P2P network (e.g. Alureon, GameOver) Computer speakers and microphones to bridge air gaps (badBIOS PoC) Fast Flux (or DDNS) - combination of P2P, distributed CnC, load balancing and proxy redirection (e.g. Storm Worm)
  • 10. Single vs Double Fast Flux network source: http://www.honeynet.org/node/136
  • 11. Bredolab Botnet source: http://securelist.com/analysis/publications/36335/end-of-the-line-for-the-bredolab-botnet/
  • 12. Anti-Detection techniques Obfuscation - deliberate act of creating source or machine code that is difficult for humans to understand. Packers - comparable to obfuscation. Uses executable data compression algorithm and combine compressed data with decompression code into single executable. Still could provide quite good results when you will combine more of them together. Olygomorphic code - randomly selecting each piece of the decryptor from several predefined alternatives (+,-,/,XOR). Limited to just a few hundred different decryptors. Polymorphic code - uses polymorphic engine to mutate while keeping original algorithm intact. Code changes encryptor/decryptor each time it runs, but the function will remain same. Metamorphic code - no part of malware stays the same. Metamorphic viruses often translate their own binary code into a temporary representation, editing the temporary representation of themselves and then translate the edited form back to machine code again. Steganography - concealment of information within computer files (images, videos, …). Used sporadically at this time, but seems to be weapon of choice for droppers which can download and extract from image/youtube video/whatever malware payload.
  • 13. Example of obfuscated PHP script source: http://ddecode.com/phpdecoder/?results=e0719289a4608ed4ef4efa66375337ef
  • 14. Example of obfuscated JavaScript Result? Redirect to google.com website source: http://www.kahusecurity.com/2011/making-wacky-redirect-scripts-part-i/
  • 15. Exploit Kit services Dashboard - statistics, infected computers, traffic flow summary, infection rate in % by OS, used exploit, country, browser, affiliate/partner, … Available exploits to use and exploits which you can buy AntiVirus evasion techniques + virustotal-like service to verify results Code obfuscation service (HTML, JavaScript, ActionScript/Flash, PDF, Java, …) Landing pages and details about used obfuscation, iframes etc. if website is on any kind of blacklist (URL scanner), … Random domain generator (changing every X hours) Tool for sending spams and spear phishing campaigns (mail lists included) DDoS attacks service CnC control-like panel …and much more 24/7 support (!)
  • 17. Threat Detection and Mitigation
  • 18. Malware analysis
    - Static (code) Analysis - signature (virustotal.com) and string analysis, reverse engineering performed using disassemblers (e.g. IDA Pro), debuggers (e.g. OllyDbg) and decompilers. RE is time consuming.
    - Dynamic (behavioral) Analysis - executing the malware in a sandboxed/virtualized OS environment and observing how it behaves (monitoring system/library calls): what has been changed in the system, which connection attempts have been made, which files were created, etc. A quick method which can detect APT attacks, spear phishing campaigns and 0day exploits.
    - Memory Analysis - simple rule: malware must run, and if it runs, it has to be in memory. Dump the memory and search it for malicious artifacts (e.g. Volatility Framework, Memoryze).
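Two of the static-analysis steps above (string analysis from slide 18, and spotting the packers from slide 12) can be automated with a few lines of triage code. The following is an added example, not code from the presentation or from any of the tools it names. It computes Shannon entropy per block to flag sections that look compressed or encrypted, and extracts printable strings the way the `strings` utility does. The two sample buffers are constructed inline: the "packed" one uses a chained SHA-256 stream as a stand-in for compressed data, and the "plain" one carries a few typical Win32 API names and a made-up URL.

```python
"""Static triage helpers: block entropy (packed/encrypted region detection)
and printable-string extraction. Added example, not from the slides."""
import hashlib
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block_size: int = 512) -> list:
    """Entropy of each fixed-size block; sustained high values hint at packing or encryption."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def flag_packed(data: bytes, block_size: int = 512, threshold: float = 7.0,
                min_ratio: float = 0.5) -> bool:
    """Heuristic: if at least min_ratio of the blocks exceed `threshold` bits/byte,
    treat the buffer as packed/encrypted (thresholds are assumptions, tune per corpus)."""
    profile = entropy_profile(data, block_size)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= min_ratio


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len printable characters, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256); stands in for a packed section."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples (not real malware): an unpacked-looking buffer with
# recognisable strings, and a "packed" buffer that is mostly pseudo-random data.
PLAIN_SAMPLE = (
    b"\x00" * 64
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 32
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://cnc.example.invalid/gate.php"   # made-up URL
    + b"\x00" * 512
)
PACKED_SAMPLE = b"UPX0\x00" + _pseudo_random(4096)


def triage(data: bytes) -> dict:
    """Summary a sandbox or SIEM enrichment step could attach to a sample."""
    return {
        "packed": flag_packed(data),
        "max_block_entropy": max(entropy_profile(data), default=0.0),
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage(blob))
```

A high-entropy verdict alone is not a malware verdict (installers and legitimately compressed resources score high too), but a packed executable with almost no recoverable strings is exactly the case where the dynamic and memory analysis steps above pay off, because the unpacked code has to appear in memory to run.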
  • 19. Example of Hybrid Analysis. One Tor exit node in Russia has been performing dynamic binary patching and injecting its own malware into EXE files downloaded via the HTTP protocol. This is the report of one file modified by that exit node: a regular application downloaded from the microsoft.com website (isn't it?)
  • 21. Analyzing Web-Based malware urlQuery.net is a free online service for testing and analyzing URLs, helping with identification of malicious content on websites. The main focus of urlQuery is to find and detect suspicious and malicious content on webpages, to help improve the security industry and make the internet a safer place.
  • 24. General Recommendations
    - Have a good antivirus on computers and servers.
    - Have HIPS on computers and servers.
    - An IPS at the core of the network with an Anti-Malware and Anti-Botnet engine can help a lot. Even if the engine is not able to detect the malicious file itself, it can recognize communication to CnC servers by deep packet inspection or by monitoring DNS requests.
    - If you can, use appliances which recognize specific applications in the network flow. Strict policies allowing communication only from known applications can mitigate malware infection and communication to CnC as well.
    - Correlate all security events and audit logs in a robust SIEM solution.
    - Invest money in good employees. Someone has to read and understand the output of the logs and the SIEM events.
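The DNS-monitoring point above pairs with the "random domain generator" service listed on slide 15: a bot that rotates through generated names typically produces a burst of NXDOMAIN answers before one name resolves to the live CnC server. The following detection logic is an added example (not code from the presentation or from any IPS/SIEM product) that runs over a constructed DNS log in the format `<epoch> <client> <qname> <rcode>`. It scores the registrable label of each query for random-looking character statistics and alerts on clients that hit several such names with NXDOMAIN inside a short window; the thresholds and the assumption of a single-label public suffix are simplifications for the example.

```python
"""Detect DGA-style CnC discovery in DNS query logs. Added example, not from the slides.
Log format assumed: "<epoch> <client> <qname> <rcode>" (constructed)."""
import math
from collections import Counter, defaultdict

# Constructed sample log: 10.0.0.57 behaves like a bot, the other hosts are normal.
# The random-looking names are invented for the example.
SAMPLE_DNS_LOG = """\
1415100001 10.0.0.12 www.microsoft.com NOERROR
1415100002 10.0.0.12 update.example.org NOERROR
1415100003 10.0.0.57 kq3x9vzt7lmqa.net NXDOMAIN
1415100003 10.0.0.57 zp8w2ndyq4fjx.com NXDOMAIN
1415100004 10.0.0.57 b7c1rmxk9tvwu.info NXDOMAIN
1415100004 10.0.0.57 hg5y0lqpvm3zr.biz NXDOMAIN
1415100005 10.0.0.57 n2vd8kxqw6tcy.net NXDOMAIN
1415100006 10.0.0.57 t9mzj4xqr1vbp.com NOERROR
1415100007 10.0.0.12 mail.google.com NOERROR
1415100008 10.0.0.33 intranet.corp.local NXDOMAIN
"""


def char_entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_dga_like(qname: str, min_len: int = 8, min_entropy: float = 3.0,
                max_vowel_ratio: float = 0.25) -> bool:
    """Cheap lexical test: long, high-entropy, vowel-poor registrable label.
    Assumes a single-label public suffix (e.g. .com); real deployments use a suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    core = labels[-2]
    if len(core) < min_len:
        return False
    vowel_ratio = sum(c in "aeiou" for c in core) / len(core)
    return char_entropy(core) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_line(line: str):
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname, rcode


def find_dga_clients(log_text: str, window: int = 60, min_nx: int = 3) -> dict:
    """Return {client: report} for hosts with >= min_nx NXDOMAIN answers to
    DGA-like names within any `window`-second span. Resolved DGA-like names
    are reported too: they are the candidate live CnC domains to block and hunt for."""
    nx_times = defaultdict(list)
    resolved = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if not is_dga_like(qname):
            continue
        if rcode == "NXDOMAIN":
            nx_times[client].append(ts)
        else:
            resolved[client].append(qname)

    alerts = {}
    for client, stamps in nx_times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_nx:
            alerts[client] = {"nxdomain_burst": best,
                              "resolved_dga_names": resolved.get(client, [])}
    return alerts


if __name__ == "__main__":
    for client, report in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(client, report)
```

In a SIEM this becomes a correlation rule keyed on client and rcode rather than a script, but the logic is the same: the lexical score alone produces false positives on CDN and cloud hostnames, so the NXDOMAIN burst is what makes the alert worth an analyst's time.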
  • 25. General Recommendations
    - Every piece of network equipment has to be properly set up and secured, starting with switches and ending with personal computers.
    - All systems have to be regularly updated.
    - Strict policies and new technologies for malware detection have to be enforced in order to avoid contact with malware distribution websites and with mail attachments coming from spear phishing and spam campaigns.
    - ...in the best case, uninstall Adobe Reader, Adobe Flash and Java.
    - Consider OS level hardening: Windows - EMET (The Enhanced Mitigation Experience Toolkit); Linux - SELinux, Grsecurity.
  • 26. EMET (The Enhanced Mitigation Experience Toolkit). EMET forces applications to use key security defenses which could potentially block malware during its execution. Defense mechanisms:
    - ASLR (buffer overflow)
    - DEP (no-exec memory)
    - SEHOP (stack overflow)
    - ROP (DEP bypass)
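EMET is most useful for applications that never opted into ASLR and DEP themselves, so a practical first step is to find out which binaries on a host did. A PE file declares that opt-in in the `DllCharacteristics` field of its optional header: `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` (0x0040) for ASLR, `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` (0x0100) for DEP, and `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` (0x0020) for 64-bit high-entropy ASLR. The parser below is an added example (not part of the presentation or of EMET) that reads those flags directly from the headers; the `build_minimal_pe` helper constructs header-only, non-loadable PE images purely so the parser can be exercised offline.

```python
"""Read ASLR/DEP opt-in flags from a PE header. Added example, not from the slides."""
import struct

# Flag values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers and report which mitigations the image opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                   # optional header start
    if size_of_optional < 72:
        raise ValueError("optional header too small to contain DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dll_characteristics": dllchar,
    }


def needs_emet(flags: dict) -> bool:
    """Candidate for forced mitigations: an image that declined ASLR or DEP."""
    return not (flags["aslr"] and flags["dep"])


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image (not loadable), used only to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)     # 64 bytes
    opt_size = 112 if pe32plus else 96   # standard + Windows-specific fields, no data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0,                     # sections, timestamp, symtab, nsyms
                       opt_size,                       # SizeOfOptionalHeader
                       0x0102)                         # Characteristics: executable, 32-bit
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_minimal_pe(0)
    for name, image in (("hardened", hardened), ("legacy", legacy)):
        f = pe_mitigation_flags(image)
        print(name, f, "needs EMET:", needs_emet(f))
```

Run against a directory of installed executables, the same function gives an inventory of which applications rely on EMET (or on system-wide DEP policy) for protection and which already carry the opt-in flags; the ROP and SEHOP mitigations listed on the slide are not declared in the header and are configured per application in EMET itself.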
  • 27. Are you still hungry?
    - Flame - the most complex, sophisticated and interesting piece of malware (developed by the US and Israel)
    - Dexter - POS malware with the ability to search for credit card information in memory (Target data breach - 40 million credit cards)
    - Gapz - dropper using a non-standard technique for code injection, bypassing security software
    - The Mask - targets governments, diplomatic offices and embassies, oil and gas companies, research organizations and activists (state sponsored malware)
    Recommended sources: http://blog.kaspersky.com/ http://nakedsecurity.sophos.com/ http://www.welivesecurity.com/
  • 29. Thank you! Martin Čmelík www.linkedin.com/in/martincmelik www.security-portal.cz | www.securix.org | www.security-session.cz