Cybersecurity: Malware & Protecting Your Business From Cyberthreats


Published on -The recent increase in high-profile cyberattacks has made online security a hot topic, and rightfully so. Companies from The New York Times to Facebook have fallen victim to attacks by cybercriminals, highlighting just how vulnerable any business is. In the past few years, malware has evolved dramatically and is a serious threat to all organizations, both big and small.

This presentation covers what advanced malware is and the impact it can have on an organization. Learn how to protect your business from this type of threat.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Case of espionage with likely political motivationAttacks start around time of investigation critical of Chinese prime ministerAttackers use compromised computers at several US universities to cover their tracksMalware initially installed via spear-phishing emailsPerform a deep reconnaissance of the Times networkIdentify domain controller serversBreak passwords for journalists accountsAccess reserved email accounts and steal information from email server45 distinct pieces of malware used: only 1 detected by Symantec
  • The nortel case: had apparently obtained the passwords of seven top officials, including a previous CEO. The hackers had been infiltrating Nortel's network, from China-based Internet addresses, at least as early as 2000.Hackers had almost complete access to the company's systems […] Once you were on the inside of the network, it was soft and gooey.Every month or so, a few computers on the network were sending small bursts of data to one of the same Internet addresses in Shanghai involved in the password-hacking episodes.The spyware unearthed in 2009 was a sophisticated mix. On both computers, researchers found a particularly malicious and hard-to-spot spying tool, namely "rootkit" software that can give a hacker full control over a computer and enables them to conceal their spying campaign. On one computer, hackers had set up an encrypted communications channel to an Internet address near Beijing. On the other computer, the investigators found a program that hackers were likely using to sniff out other security weaknesses within Nortel's networks. The hackers had created a "reliable back door," A top U.S. intelligence official said Nortel's hacking experience is representative of the types of incidents he sees. "That is consistent with what we've seen in long-term, multipronged attacks," he said. "If I'm looking to get a jump on my R&D, that's a good way to do it."
  • This slide highlights the difference explained before. The graphic shows astream of instructions that might be part of a malware sample. The two sidesshow the subset of instructions that the individual systems are able toobserve.On the left-hand side, one can see introspection offered by a traditionalanalysis engine, as it can only observe instructions that make calls to thelibrary or native system interface. That is, the system might observe that thesample under analysis creates or opens a file and reads data from this file. Itcannot observe, however, what the sample does with the read data.On the right-hand side, one can see the entire trace of execution as seen bythe emulated CPU of an advanced analysis system. The virtual CPU is also able tosee what files are being read, but in addition, it associates data read from thesystem with CPU registers or memory locations and thus track the usage of theread information.
  • Cybersecurity: Malware & Protecting Your Business From Cyberthreats

    1. 1. Cybersecurity: UnderstandingMalware and How to ProtectYour Business
    2. 2. About AppFolio SecureDocsAppFolio SecureDocs is a virtual data room for sharing andstoring sensitive documents both internally and withoutside parties.AppFolio, Inc. Company Basics:• Founded by the team that created and launched GoToMyPCand GoToMeeting• Backed by leading technology companies and investors• Web-based business software for financial and legalprofessionals
    3. 3. About Lastline, Inc.Lastline’s security products synthesize and bring tocommercial standards award-winning, world-renownedacademic research on malware analysis andcountermeasures.• Founded in 2011 by university researchers Engin Kirda,Christopher Kruegel and Giovanni Vigna• Considered to be today’s thought leaders on automated, high-resolution malware analysis and detection• Focused on real-time analysis of advanced malware and bigdata analytics; leverages this threat intelligence to createsolutions to protect companies of all sizes.
    4. 4. About Giovanni VignaFaculty member of the Computer ScienceDepartment at the University of California, SantaBarbara and the CTO/Founder of Lastline, Inc.• Recognized expertise in web security, vulnerability analysis,malware countermeasures, and intrusion detection.• Published more than 100 papers on the subject of network securityand evasive
    5. 5. Targeted Attacksand Cyberwar!!!Cyberattack (R)EvolutionTime$$ DamageMillionsHundreds ofThousandsThousandsHundredsBillionsCybercrime$$$Cybervandalism#@!
    6. 6. Polling Question #1
    7. 7. Targeted attacks are mainstream news.Every week, new breaches are reported.In the last few months alone …Nobody Is Safe…
    8. 8. Once Upon a Time…
    9. 9. Unhappily Ever After…• Proliferation of cybercrime for financial profit– ZeuS• Targeted attacks look for intelligence– Aurora (Google and others)– RSA SecureID• Emerging cyber warfare– Stuxnet– Flame “Steal something valuable”
    10. 10. Financial Malware• What can be monetized?– Financial data– Usernames and passwords– Virtual goods– Online identities– Computational power– Emails
    11. 11. Targeted Attacks
    12. 12. Polling Question #2
    13. 13. Targeted Attacks• What can be monetized?– Intellectual property– Financial information– Bids and contracts– Organization structure– Visited sites
    14. 14. State-level Attacks• What can be gained?– Intelligence– Destruction of expensiveequipment– Influence on financial markets– Shut down of critical infrastructure– Fear, insecurity, lack of trust
    15. 15. Attribution, Once Upon a Time
    16. 16. Attribution, Today
    17. 17. Criminal Groups• Well-organized groups with efficient division of roles andlabor– Programmers: develop malware code (malware, exploit kits)– Testers: QA and AV evasion– Traffic generators– Botmasters– Bot renters– Money mules• Budget for acquisition of zero-day exploits“We are setting aside a $100K budget to purchase browserand browser plug-in vulnerabilities”(Cool exploitkit group)
    18. 18. Underground Markets• Virtual places for advertisement and exchange ofgoods and offering of services• IRC channels and online forums• Activities– Advertisements“i have boa wells and barclays bank logins....”“i need 1 mastercard i give 1 linux hacked root”– Sensitive data“CHECKING 123-456-XXXX $51,337.31SAVINGS 987-654-XXXX $75,299.64”
    19. 19. Making Sense of Attacks• Lots of different vectors, tactics, specific tricks• Two fundamental things to keep in mind:– How do attackers get in?– How do they get valuable information out?
    20. 20. Drive-by-download /update?id=5’,’<iframe>..’)--<iframe src=“”height=“0” width=“0”></iframe>Personal Data, Docs
    21. 21. Malicious JavaScript Code
    22. 22. Exploit
    23. 23. Anatomy of Exploit• The code determines that the victim has installed avulnerable ActiveX control, e.g., QuickTime• The control is loaded into memory• The environment is prepared for the exploit, forexample, for memory corruption exploits– The shellcode is loaded into memory– The heap is sprayed to ensure that control eventuallyreaches the shellcode• The vulnerability is triggered, by invoking thevulnerable method/property of the ActiveX control
    24. 24. Luring Users: SEORead more:
    25. 25. Luring Users: Emails• Email messages containing links…
    26. 26. Luring Users: Parking Tickets
    27. 27. Luring Users: Watering Holes• Sometimes it is difficult toexploit the target of an attackdirectly– Instead compromise a site thatis likely to be visited by thetarget• Council on foreign relations→ governmental officials• Unaligned Chinese news site→ Chinese dissidents• iPhone dev web site→ developers at Apple,Facebook, Twitter, etc.• Nation Journal web site→ Political insiders inWashington
    28. 28. Document-based Attacks• Vulnerabilities in document viewers can beexploited by malicious documents– Office docs– PDFs– Images
    29. 29. What Happens in the Background• Analysis engine provides full emulation of an operating systemenvironment and can detect what is actually happening in thesystem when a document is opened• Process winword.exe was created:– "C:Program Files (x86)Microsoft OfficeOffice12winword.exe”– The arguments of this process: "/q /f"C:UsersuserAppDataRoamingdflt_sample.doc”• Process winword.exe drops new files:– "C:UsersuserAppDataLocalTempmsmx21.exe”• Process winword.exe starts a new process:– "C:UsersuserAppDataLocalTempmsmx21.exe”• Running Task analyzes analysis result...• ReportScanner: 80 (set([Document: Writes a file then executes it]))• Detections 1 (100.00%, 0 not detected)
    30. 30. Spear PhishingFrom: Monday February 6, 2012 05:51:24Attachment: 23 fdp.scr23/---- Msg sent via @Mail - in the code office,Please acknowledge the receipt of thetelegram No. 23 in attachment.Thanks,Embassy / Abu Dhabi
    31. 31. • Deceive the user into thinking that somethinguseful is installed– Video players– Anti-virus– Screen savers– …Social Engineering Attacks
    32. 32. After the Infection:A Botnet Case Study
    33. 33. Hijacking the Botnet• Reverse engineered the DGA used in Torpig andthe C&C protocol– Noticed that domains generated for 1/25/2009 –2/15/2009 were unregistered– Registered these domains• Controlled the botnet for 10 days– Unique visibility into a botnet’s operation– 180,000 infected hosts– 8.7 GB of Apache logs– 69 GB pcap data (containing stolen information)
    34. 34. Threats• 8,310 unique accounts from 410 financialinstitutions– Top 5: PayPal (1,770), Poste Italiane, Capital One,E*Trade, Chase– 38% of credentials stolen from browser’s passwordmanager• 1,660 credit cards– Top 3: Visa (1,056), Mastercard, American Express,Maestro, Discover– US (49%), Italy (12%), Spain (8%)– Typically, one CC per victim, but there are exceptions …
    35. 35. 35Value of the Financial Information• Symantec [2008] estimates– Credit card value at $.10 to $25.00– Bank account at $10.00 to $1,000.00• Using Symantec estimates,10 days of Torpigdata valued at $83K to $8.3M
    36. 36. Financial DamageRead more:
    37. 37. Ideal WorldSecure code• Software we use containsno vulnerability, or• Vulnerabilities are mitigatedusing sound security andengineering principles (leastprivilege, containment, etc.)Unfortunately currently only ahandful of “secure programs”and often in specializedsectors (regulations vs.innovation)User awareness• Users are aware of securitythreats• They always make the rightdecisionUnfortunately experimentsshow users extremely bad atmaking security decisions(security vs. usability)
    38. 38. Law Enforcement authorities arrestthe co-founder ofChronoPay, the largestonline payment processor
    39. 39. Law Enforcement
    40. 40. Law Enforcement
    41. 41. Polling Question #3
    42. 42. Common Sense Defenses• Keep software up to date• However, ineffective against 0-day
    43. 43. Common Sense Defenses• Don’t open links/attachment from unknown sources• However, ineffective against social/targeted attacks
    44. 44. Common Sense Defenses• Limit web accesses to trusted/reputable sites• However, ineffective against waterholeattacks, malicious advertisements, web sitecompromises
    45. 45. Common Sense Defenses• Access sensitive services (e.g., online banking)from dedicated machine• However, inconvenient
    46. 46. Current Solutions Are Not Enough• Firewalls are not enough– Users actively (and unsuspectingly) go out to the attacker– Attackers use port 80• Intrusion Detection/Prevention (IDS/IPS) systems are notenough– Signatures and blacklists only catch known attacks– Limited insight into downloaded artifacts(binaries, spear-phishing links, …) and outbound network activity• Anti-virus systems are not enough– Artifacts change their appearance at a fast pace(Signatures and blacklists insufficient, manual analysis of threatsrequires an enormous amount of resources)– AV vendors do not see the binary used in targeted attacks(They cannot create any signature)
    47. 47. Solutions To Advanced Malware• Analysis of incoming artifacts (what gets in)– Web downloads, mail attachments• Analysis of outgoing traffic (what gets out)– DNS traffic, web traffic• What gets out• Where it goes• How it is sent• Use of correlation to present complete picture tothe system administrator• But how good is the analysis?
    48. 48. Polling Question #4
    49. 49. The Malware (R)evolutionSimple ThreatsOpportunisticAttacksAPTSolutionsAntivirusSolutionsTargetedAttacksPackingSophisticated ThreatsPlainVirusPoly-morphicC&CFluxingPersistentThreatsEvasiveThreats
    50. 50. Nature of Advanced Malware• Static CodeObfuscationandPolymorphismSource: Binary-CodeObfuscations in PrevalentPacker Tools, Tech Report,University of Wisconsin, 2012Number of times a hash is seen> 93% of all samples are uniqueDefeats signature-based anti-virus
    51. 51. Nature of Advanced Malware• Dynamic evasion – checks for environmentDefeats sandbox andvirtual machines
    52. 52. Nature of Advanced Malware• Dynamic evasion – stalling loopsDefeats sandbox andvirtual machines
    53. 53. Lessons Learned• Attacks are increasingly targeted• “Attackers no longer go after your firewall. They goafter your employees”• Attackers are persistent and patient• Need for constant monitoring approach to defense• Attackers develop custom tools and attacks after theyhave gained access to a target• Global landscape still matters, but…• Defenses tailored to local characteristics and activityare critical• Evasive malware• Need for next-generation tools
    54. 54. Questions?
    55. 55. Backup Slides
    56. 56. Lastline• Started in 2011 by team of professors andPhDs from University of California, SantaBarbara and Northeastern University, Boston• Located in Santa Barbara, CA• Technology based on 8+ years of research onadvanced malware• Founders include the creators of Anubis andWepawet analysis tools
    57. 57. Previct Anti-Malware SolutionSentinel scans traffic for signs andanomalies that reveal C&Cconnections and infectionsLastline proactively scouts theInternet for threats andupdates the Sentinelknowledge base Manager receivesand correlates alerts,and producesactionable intelligenceSentinel sends unknownobjects (programs anddocuments) for highresolution analysis
    58. 58. Key Technology1. High resolution analysis engines– CPU emulation provides deep insights into malware execution– Necessary to detect and bypass evasive checks– Expose malicious behaviors that existing sandboxes don’t see2. Big data analytics– Anomaly detection of suspicious outboundcommand-and-control (C&C) flows– Internet-scale, active discovery of threats– Correlation of low-level events into actionable threat intelligence
    59. 59. High-Resolution Malware AnalysisVisibility without code emulation(traditional sandboxing technology)Important behaviors andevasion happens hereVisibility with code emulation(Lastline technology)
    60. 60. Competitive LandscapeSimple ThreatsOpportunisticAttacksAPTSolutionsAntivirusSolutionsTargetedAttacksSophisticated ThreatsPackingPlainVirusPoly-morphicC&CFluxingPersistentThreatsEvasiveThreats