Computer malware anti malware coevolution

Cyber security & malware have co-evolved over last three decades. This deck covers some of the major milestones in that journey

  1. Computer Malware-AntiMalware Coevolution: Thirty Years of Battle. Himanshu Dubey
  2-4. Wave #1 Problem – Simple Computer Viruses. Timeline: 1986 (Wave #1: Simple Computer Viruses) to Today.
  5-15. Wave #1 Problem – Simple Computer Viruses. The build-up across these slides shows an infected PACMAN.COM spreading to a clean CALC.EXE.

     PACMAN.COM (infected) – Program Instructions:
       1. Go to step #100
       2. Print “Welcome to PACMan!”
       3. Play music “pacman.wav”
       4. Display maze on screen
       5. ...
       100. Locate a new EXE file on disk
       101. Insert “Go to step #100” at the top of the new file.
       102. Append lines 100 through 104 to the end of the new file.
       103. If it’s Jan 1st, format hard drive!
       104. Go back to step #2

     CALC.EXE (clean) – Program Instructions:
       1. Print “Calculator version 1.1”
       2. Print “Copyright 1990 by Joe Shmo”
       3. Print “Enter your first number: “
       4. Prompt the user for a number.
       5. …

     CALC.EXE (after infection): “Go to step #100” has been inserted at the top, and the virus’s lines 100 through 104 have been appended at the end, so CALC.EXE now carries the same virus body and spreads it in the same way.
  16-28. Wave #1 Solution – Antivirus Signatures. The slides revisit the infected CALC.EXE (the inserted “Go to step #100” and the appended lines 100-104) and then show how a fingerprint file identifies it.

     Virus Fingerprint File:
       Name       | Virus Fingerprint (aka signature)
       Killer     | print “Killer wuz here!”
       Loser      | If it’s Feb 28, delete files
       Jerusalem  | Delete all files on June 6th
       …          | …
       Hijack     | If it’s Jan 1st, format hard drive!

     Timeline: 1986 (Wave #1: Simple Computer Viruses. Solution: Antivirus Signatures) to Today.
  29-40. Wave #2 Problem – Polymorphic Viruses. Timeline: 1990 (Wave #2: Polymorphic Viruses) to Today.

     PACMAN.COM (infected with a polymorphic virus):
       1. On lines 2-5 below: Replace every T with a Z; Shift all letters back 3 spots; Remove every Q; Replace every M with an R
       2. Xqrmzae t gwr PMP gorf xz splrzy
       3. Pyzytyte t pmq kncqwyzanw pqaewe
       4. Pne zge uye zhaea za dbvphkt klpgwz %-@
       5. Pkja wqr mzr pgayn pg wrq mvc zx htw plmk
       6. Print “Welcome to PACMan!”
       7. Play music “pacman.wav”
       8. Display maze on screen
       9. ...

     Lines 2-5 once the decoding step on line 1 has run:
       2. Locate a new EXE file to infect
       3. Generate a new encryption scheme
       4. Use the new scheme to encrypt lines 2-5
       5. Copy the new strain to the top of the file

     The virus generates a totally new encryption scheme for each new infection! This is done using a built-in module called a “mutation engine.”

     CALC.EXE (infected with the new strain):
       1. On lines 2-5 below: Shift all letters back 7 slots; Replace every S with N; Replace every E with U; Shift all letters forward by 9 slots; Shift all letters back by 2 slots; Replace every W with a C
       2. Jiwawn p oys PQZ nbhe dn penzec
       3. Bzqhwugk t dwh xicyzhpenq lakwnz
       4. Skv qmi lwm kbibrf ki iazouyt abzyt ^-#
       5. Rzoi gha pqi gnaneh pn ode aqz iu loi zxvy
       6. Print “Calculator version 1.1”
       7. Print “Copyright 1990 by Joe Shmo”
       8. Print “Enter your first number: “…

     The decryption algorithms share no instructions in common… and every copy of the virus body is encrypted differently!
  41-45. Wave #2 Solution – The Universal Decoder? Fix-O-Matic Antivirus: “We fix it good”.

     PACMAN.COM as stored on disk:
       1. On lines 2-5 below: Replace every T with a Z; Shift all letters back 3 spots; Replace every M with an R
       2. Xqrmzae t gwr PMP gorf xz splrzy
       3. Pyzytyte t pmq kncqwyzanw pqaewe
       4. Pne zge uye zhaea za lpgwz %-@
       5. Pkja wqr mzr pgayn pg mvc zx htw plmk
       6. ...

     The same file with lines 2-5 decoded:
       1. On lines 2-5 below: Replace every T with a Z; Shift all letters back 3 spots; Replace every M with an R
       2. Locate a new EXE file to infect
       3. Generate a new encryption scheme
       4. Use the new scheme to encrypt lines 2-5
       5. Copy the new strain to the top of the file
       6. …

     Virus Definition File:
       Name     | Virus Fingerprint (aka signature)
       Killer   | print “Killer wuz here!”
       Loser    | If it’s Jan 1st, format hard drive!
       …        | …
       Anthrax  | Generate a new encryption scheme   (marked with an X on slide 45)
  46. Wave #2 Solution – Emulation-based Scanning. Computer Virus-Antivirus Co-evolution Part 2. Timeline: 1986 (Wave #1: Simple Computer Viruses. Solution: Antivirus Signatures), 1990 (Wave #2: Polymorphic Viruses. Solution: Emulation-based Scanning), Today.
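The two scanners the deck contrasts in Waves #1 and #2, as an added example written for this page (not the deck's or any product's code): a plain signature scanner over the deck's pseudocode listings, and an emulation-based scanner that runs a polymorphic sample's own decoder step in a sandbox before scanning. The decoder instruction set, the fixture generator that stands in for the deck's "mutation engine", and all file contents are constructed assumptions mirroring the slides' toy scheme.

```python
import random
import string

# Fingerprint file in the style of the deck's "Virus Fingerprint File".
# Constructed entries: the strings are the deck's pseudocode, not real code.
SIGNATURES = {
    "Hijack": "If it's Jan 1st, format hard drive!",
    "Anthrax": "Generate a new encryption scheme",
}

# Constructed sample files, modelled on the deck's CALC.EXE and PACMAN.COM.
CLEAN_CALC = ['Print "Calculator version 1.1"', 'Print "Copyright 1990 by Joe Shmo"',
              'Print "Enter your first number: "', "Prompt the user for a number."]
INFECTED_CALC = ["Go to step #100"] + CLEAN_CALC + [
    "Locate a new EXE file on disk",
    'Insert "Go to step #100" at the top of the new file.',
    "Append lines 100 through 104 to the end of the new file.",
    "If it's Jan 1st, format hard drive!",
    "Go back to step #2",
]
VIRUS_BODY = ["Locate a new EXE file to infect", "Generate a new encryption scheme",
              "Use the new scheme to encrypt lines 2-5",
              "Copy the new strain to the top of the file"]
GAME_LINES = ['Print "Welcome to PACMan!"', 'Play music "pacman.wav"', "Display maze on screen"]


def shift_text(text, k):
    """Shift every letter k places around the alphabet; leave other characters alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def swap_letters(text, a, b):
    """Exchange letters a and b (both cases); this step is its own inverse."""
    table = str.maketrans(a + a.lower() + b + b.lower(), b + b.lower() + a + a.lower())
    return text.translate(table)


def apply_decoder(decoder, lines):
    """Run a decoder instruction list (the sample's 'line 1') over its body lines.
    Instructions are ("shift", k) or ("swap", a, b), applied in order."""
    for op in decoder:
        if op[0] == "shift":
            lines = [shift_text(line, op[1]) for line in lines]
        elif op[0] == "swap":
            lines = [swap_letters(line, op[1], op[2]) for line in lines]
        else:
            raise ValueError("unknown decoder instruction: %r" % (op,))
    return lines


def signature_scan(lines):
    """Wave #1 scanner: name the first fingerprint found anywhere in the file."""
    text = "\n".join(lines)
    for name, sig in SIGNATURES.items():
        if sig in text:
            return name
    return None


def emulation_scan(sample):
    """Wave #2 scanner: scan the file as stored, then emulate the sample's own
    decoder over its encrypted body in a sandbox and scan the decoded result."""
    hit = signature_scan(sample["body"] + sample["rest"])
    if hit:
        return hit
    return signature_scan(apply_decoder(sample["decoder"], sample["body"]))


def make_test_sample(seed, body_lines, rest_lines):
    """Constructed test fixture mimicking the deck's toy "mutation engine": pick a
    fresh decoder and store the body in the form that decoder undoes, so samples
    share neither decoder instructions nor encrypted body text."""
    rng = random.Random(seed)
    while True:
        decoder = []
        for _ in range(rng.randint(2, 5)):
            if rng.random() < 0.5:
                decoder.append(("shift", rng.randint(1, 25)))
            else:
                decoder.append(("swap",) + tuple(rng.sample(string.ascii_uppercase, 2)))
        enc = body_lines
        for op in reversed(decoder):  # apply the inverse of each step, last step first
            if op[0] == "shift":
                enc = [shift_text(line, -op[1]) for line in enc]
            else:
                enc = [swap_letters(line, op[1], op[2]) for line in enc]
        if signature_scan(enc) is None:  # keep only fixtures the raw scan cannot see
            return {"decoder": decoder, "body": enc, "rest": rest_lines}


if __name__ == "__main__":
    print("CALC.EXE (clean):   ", signature_scan(CLEAN_CALC))
    print("CALC.EXE (infected):", signature_scan(INFECTED_CALC))
    for seed in (1, 2):
        s = make_test_sample(seed, VIRUS_BODY, GAME_LINES)
        print("polymorphic sample %d: raw scan=%s, emulation scan=%s"
              % (seed, signature_scan(s["body"] + s["rest"]), emulation_scan(s)))
```

The raw scan misses every polymorphic fixture by construction, while the emulation scan recovers the body and names it, which is the whole point of running the decoder before matching.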
  47. Wave #3 Problem – Macro Viruses. (Virus? Macro Virus?) Timeline: 1995 (Wave #3: Macro Viruses) to Today.
  48-50. Wave #3 Problem – Macro Viruses. Computer Virus-Antivirus Co-evolution Part 2. The world’s first document-based “macro” virus, called Concept, hit cyberspace in July of ’95.
  51-54. Wave #3 Problem – Macro Viruses. The slides show a Word document, “Strategic Plan Version 1.0” (“This document details our new strategic plan for FY’95. This document should …”), carrying three macros: AutoExec, AutoOpen and Payload.

     AutoOpen macro (slide 52) – run the following instructions any time the user opens this document in Word:
       1. Pop up a window stating: “This is a confidential document. Do not copy.”
       2. Disable cut and paste from this document.
       3. Flag document as read-only to prevent modifications.

     AutoOpen macro (slide 53, the macro virus) – run the following instructions any time the user opens this document in Word:
       1. Enumerate all DOCS that are currently open in Word and: copy my AutoOpen and Payload macros into them.
       2. If the date is July 28th, run the “Payload” macro.

     Payload macro (slide 54) – run the following instructions only when instructed to do so by another macro:
       1. Pop up a window saying: “Happy Birthday!”
       2. Play “happybday.wav”
  55. Wave #3 Solution: Coopetition
  56. Wave #3 {Real} Solution:
  57. Wave #3 (The Real) Solution – Microsoft Requires Digital Signatures
  58. Wave #3 (The Real) Solution – Microsoft Requires Digital Signatures. Timeline: 1986 (Wave #1: Simple Computer Viruses. Solution: Antivirus Signatures), 1990 (Wave #2: Polymorphic Viruses. Solution: Emulation-based Scanning), 1995 (Wave #3: Macro Viruses. Solution: Microsoft requires digital signatures), Today.
  59. Wave #4 Problem – Worms. Timeline: 1999 (Wave #4: Worms) to Today. Diagram: FILE1.EXE [Virus logic, JUMP] → FILE2.EXE [Virus logic, JUMP]; WORM.EXE → WORM.EXE → WORM.EXE. Traditional viruses spread from file to file on a single computer. Worms spread from computer to computer over the network.
  60. Wave #4 Problem – Worms. In 1999 and 2000, computer worms like Melissa and ILOVEYOU flooded the Internet!
  61-71. Wave #4 Problem – Worms. Network worms spread from machine to machine… without human interaction… by exploiting logic flaws in software! Let’s see how!

     ACME 1.5 Server Logic:
       1. Wait for another computer to connect over the ‘net to me
       2. Accept data sent by the other computer & save it on lines 5, 6, …
       3. Process the data and return a result to the other computer
       4. Skip to line 9
       5.
       6.
       7.
       8.
       9. Go back to line 1

     Line 2 is vulnerable to attack! There’s room here (lines 5-8) for four lines of data, and the server expects the user to send up to four lines. But what if an attacker sends more?

     The server after the worm’s data has been accepted; lines 5-9 now read:
       5. <invalid command>
       6. Pick a random target server
       7. Connect to the target server
       8. Send lines 5-9 to the server
       9. Go back to line 6

     Wait a second! Line 9 was altered by the attacker! Instead of going back to line 1, the server now loops over lines 6-9, sending the same five lines to one random server after another, and every server that accepts them ends up running the same loop.
72. Wave #4 Solution – Vulnerability-centric Signatures
The solution: DON’T fingerprint each worm! Instead, determine the minimal criteria required to attack the vulnerability. Then look for these criteria in a signature.
First, to attack this flaw, an attacker MUST send a network packet to an ACME v1.5 server. Sending the same data to a Google Server or even an ACME v1.6 Server won’t have any effect! So let’s add this as a requirement in our signature!
Second, for an attack to succeed, the packet MUST have MORE than four lines of data… The content of the lines doesn’t matter! Lines 5 through 8 are the only slots meant to hold data; if the packet has more than four lines, the fifth lands on line 9 and overwrites our server’s instructions/logic! So let’s add this to our signature as well!
Now if we find a network packet that meets both of these requirements… It’s almost certainly an attack and we should block the packet from reaching the server!
Signature: If a network packet is being sent to an ACME v1.5 Server… and the packet has MORE than 4 lines… then BLOCK the packet!
Our new signature makes NO reference to the content of the packet other than its length. Instead, it specifies the minimum criteria a packet must meet to succeed in an attack. It’s worm-agnostic! And we can write such a signature the moment we learn about a new vulnerability! Before the hacker can even create a worm!
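The toy ACME 1.5 server and the two kinds of signature side by side, as an added Python example that is not part of the original deck. The server logic and the worm payload follow the slides; the packet fields (service, version), the rewritten worm variant, the benign packet and the assumption that ACME 1.6 keeps only the first four lines are mine.

```python
"""Worm-agnostic, vulnerability-centric signature for the deck's toy ACME 1.5 server."""
import hashlib
from dataclasses import dataclass, field

FIRST_DATA_LINE = 5          # the server stores incoming data on lines 5, 6, ...
DATA_SLOTS = 4               # lines 5..8; a fifth line lands on line 9 (server logic)
RETURN_TO_START = "Go back to line 1"


@dataclass
class Packet:
    service: str             # assumed packet field: which server software is addressed
    version: str             # assumed packet field: that software's version
    lines: list              # the lines of data carried by the packet


@dataclass
class AcmeServer:
    """Memory image of the toy server: line number -> instruction."""
    version: str = "1.5"
    memory: dict = field(default_factory=lambda: {
        1: "Wait for another computer to connect over the 'net to me",
        2: "Accept data sent by the other computer & save it on lines 5, 6, ...",
        3: "Process the data and return a result to the other computer",
        4: "Skip to line 9",
        9: RETURN_TO_START,
    })

    def accept(self, pkt: Packet) -> bool:
        """Store the packet's lines from line 5 onward.

        Version 1.5 has the flaw the deck describes: no bounds check, so a fifth
        line overwrites 'Go back to line 1' on line 9.  Version 1.6 is assumed to
        have fixed it by keeping only the first four lines.
        Returns True when the server's own logic was overwritten (attack succeeded).
        """
        lines = pkt.lines if self.version == "1.5" else pkt.lines[:DATA_SLOTS]
        for offset, line in enumerate(lines):
            self.memory[FIRST_DATA_LINE + offset] = line
        return self.memory[9] != RETURN_TO_START


# The worm payload from the deck: lines 5-9 as they will sit in the server's memory.
WORM = [
    "<invalid command>",
    "Pick a random target server",
    "Connect to the target server",
    "Send lines 5-9 to the server",
    "Go back to line 6",
]
# Constructed variant: same flaw, different bytes, so a per-worm fingerprint misses it.
WORM_VARIANT = [
    "<invalid command>",
    "Pick a target server from my hit list",
    "Connect to the target server",
    "Send lines 5-9 to the server",
    "Go back to line 6",
]
# Constructed benign request: three lines, fits in the data area.
BENIGN = ["GET /index", "Accept: text/plain", "Connection: close"]


def fingerprint(lines: list) -> str:
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


WORM_FINGERPRINT = fingerprint(WORM)


def worm_signature(pkt: Packet) -> bool:
    """Traditional signature: matches one specific worm's bytes and nothing else."""
    return fingerprint(pkt.lines) == WORM_FINGERPRINT


def vulnerability_signature(pkt: Packet) -> bool:
    """The deck's signature: addressed to ACME v1.5 AND more than four lines -> block.
    It never looks at the content of the lines."""
    return pkt.service == "ACME" and pkt.version == "1.5" and len(pkt.lines) > DATA_SLOTS


def evaluate(pkt: Packet, server_version: str = "1.5") -> dict:
    """Run one packet past both signatures and then into a fresh server."""
    return {
        "worm_sig_blocks": worm_signature(pkt),
        "vuln_sig_blocks": vulnerability_signature(pkt),
        "attack_succeeds": AcmeServer(version=server_version).accept(pkt),
    }


if __name__ == "__main__":
    print("worm   ", evaluate(Packet("ACME", "1.5", WORM)))
    print("variant", evaluate(Packet("ACME", "1.5", WORM_VARIANT)))
    print("benign ", evaluate(Packet("ACME", "1.5", BENIGN)))
    print("worm vs 1.6", evaluate(Packet("ACME", "1.6", WORM), server_version="1.6"))
```

The variant defeats the byte fingerprint but not the vulnerability signature, and the signature stays silent for a three-line request and for traffic to the fixed 1.6 server. In a real IDS the "addressed to ACME v1.5" test would be a port/protocol/version match and the "more than 4 lines" test a field-length check, which is why such rules can be written from the vulnerability description alone.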
81. Wave #4 Solution – Vulnerability-centric Signatures
1986 – Wave #1: Simple Computer Viruses. Solution: Antivirus Signatures
1990 – Wave #2: Polymorphic Viruses. Solution: Emulation-based Scanning
1995 – Wave #3: Macro Viruses. Solution: Microsoft requires digital signatures
1999 – Wave #4: Worms. Solution: Vulnerability-centric Signatures
Today
82. Wave #5 Problem – Web-based Malware (2004 – Today)
83. Wave #5 Problem – Web-based Malware
Attacks: The “Buffer Overflow” Hack… Using a New Kind of Attacker-side Polymorphism
(Figure) Malware Attack File = Compressed (obfuscated) Malware + Unpacker (e.g., LZW) → at run time the unpacker restores the (original) Malware Attack Logic
The file that reaches the victim carries a compressed, obfuscated copy of the malware plus a small unpacker. Every repacking changes the bytes of the file, while the attack logic it unpacks stays exactly the same. The attackers can tightly control and update their polymorphism!
91. Wave #5 Solution – Behavior Blocking
These threats may have looked different on the surface… And their instructions may have differed substantially… (Figure: differing bit patterns, e.g. 00101110 00000111 vs 11101010 11000010)
But their underlying behavioral patterns were strikingly similar! Each of them would:
1. Lower security settings
2. Create a new file in the system folder
3. Modify the settings to auto-load this file
4. Do NOT display anything on the screen
Idea: Why not monitor all software as it runs… and block programs with known patterns of malicious behavior?
95. Question: How do we identify malicious patterns of behavior?
Answer: We create a decision tree based on an analysis of millions of malware samples!
(Figure: decision tree. Each internal node asks one YES/NO question about observed behavior: Lowers security settings? Creates system file? Creates autoload setting? Displays data on screen? Deletes password database? Creates admin account? Each path ends in a leaf giving the estimated likelihood, e.g. 92% or 85% chance of malware, or 83%, 87%, 95% or 97% chance it’s a normal program.)
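Behavior blocking with a decision tree over a run-time trace, as an added Python example that is not part of the original deck. The questions at the nodes are the ones named on the slide; the event names, the feature extraction, the system-folder and auto-load locations, the three traces and the probabilities at the leaves are constructed for illustration and were not derived from any real sample set.

```python
"""Behavior blocking: decide from what a program does at run time, not from its bytes."""
from dataclasses import dataclass
from typing import List, Tuple

SYSTEM_DIR = "C:/Windows/System32/"                                   # assumed "system folder"
AUTORUN_KEY = "HKLM/Software/Microsoft/Windows/CurrentVersion/Run/"   # assumed auto-load setting


@dataclass(frozen=True)
class Event:
    """One monitored action: the hooked operation and its target (path, setting, account)."""
    action: str
    target: str = ""


def extract_features(trace: List[Event]) -> dict:
    """Reduce a run-time trace to the YES/NO questions the tree asks."""
    def seen(action: str, prefix: str = "") -> bool:
        return any(e.action == action and e.target.startswith(prefix) for e in trace)

    return {
        "lowers_security": seen("set_setting", "security."),
        "creates_system_file": seen("write_file", SYSTEM_DIR),
        "creates_autoload": seen("set_setting", AUTORUN_KEY),
        "displays_ui": seen("show_window"),
        "creates_admin_account": seen("create_admin_account"),
        "deletes_password_db": seen("delete_file", SYSTEM_DIR + "config/"),
    }


# Node = (question, subtree if YES, subtree if NO); a leaf is P(malware).  Constructed values.
TREE = (
    "lowers_security",
    ("creates_system_file",
        ("creates_autoload",
            ("displays_ui", 0.40, 0.92),     # the deck's four-step pattern ends here
            0.60),
        0.35),
    ("creates_admin_account",
        0.85,
        ("deletes_password_db",
            0.80,
            ("creates_system_file", 0.20, 0.05))),
)


def probability_of_malware(features: dict, node=TREE) -> float:
    """Walk the tree from the root, answering each question from the features."""
    while not isinstance(node, float):
        question, if_yes, if_no = node
        node = if_yes if features[question] else if_no
    return node


def verdict(trace: List[Event], threshold: float = 0.80) -> Tuple[str, float]:
    """The blocker's decision for one running program."""
    p = probability_of_malware(extract_features(trace))
    return ("BLOCK" if p >= threshold else "ALLOW"), p


# Constructed traces.
DROPPER = [                                  # silent, lowers security, drops + auto-loads a file
    Event("set_setting", "security.realtime_protection=off"),
    Event("write_file", SYSTEM_DIR + "svchosts.exe"),
    Event("set_setting", AUTORUN_KEY + "svchosts"),
]
INSTALLER = [                                # also drops + auto-loads, but shows a UI and leaves security alone
    Event("show_window", "Setup Wizard"),
    Event("write_file", SYSTEM_DIR + "drivers/acmeusb.sys"),
    Event("set_setting", AUTORUN_KEY + "AcmeTray"),
]
ACCOUNT_BACKDOOR = [Event("create_admin_account", "support_")]

if __name__ == "__main__":
    for name, trace in [("dropper", DROPPER), ("installer", INSTALLER), ("backdoor", ACCOUNT_BACKDOOR)]:
        print(name, verdict(trace))
```

The dropper and the installer both write to the system folder and register an auto-load entry; what separates them in the tree is the security-settings change and the missing user interface, which is exactly the pattern the slide lists.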
98. Wave #5 Solution – Behavior Blocking
1990 – Wave #2: Polymorphic Viruses. Solution: Emulation-based Scanning
1995 – Wave #3: Macro Viruses. Solution: Microsoft requires digital signatures
1999 – Wave #4: Worms. Solution: Vulnerability-centric Signatures
2004 – Wave #5: Web-based Malware. Solution: Behavior Blocking
Today
99. Wave #6 Problem – Auto-generated Malware Explosion (2007 – Today)
In the mid-to-late 2000s, attackers shifted into high gear, using automation to generate millions of unique malware strains, each tailored to evade antivirus protection.
(Figure: slides 100–103 show one bit pattern, 00011001 01000011, multiplying into many copies)
104. Wave #6 Problem – Auto-generated Malware Explosion
No one reported them… So we didn’t know about them… So we couldn’t fingerprint them… They were all but invisible! How could we possibly detect these millions of threats?
105. Wave #6 Solution – ?????
Could we somehow leverage the wisdom of hundreds of millions of users to compute a safety rating for every single file, good or bad, on the Internet?
107. But then it hit us… Some internet users are riskier than others… Some are infected frequently… Others are really safe… (Figure: users placed on an Internet Hygiene scale from BAD to GOOD)
110. What if we took each new file and looked at… which of our millions of users adopted it and which avoided it? And all our users have to do is be themselves! (Figure: FILE A and FILE B, each linked to the users who adopted it)
112. Wave #6 Solution – A Fundamental Shift
Traditional approaches detect malware based on its instructions or how it behaves. The Hygiene-based approach is fundamentally different! It classifies software based on its associations, not its content.
114. Wave #6 Solution – Hygiene-based Reputation
1999 – Wave #4: Worms. Solution: Vulnerability-centric Signatures
2004 – Wave #5: Web-based Malware. Solution: Behavior Blocking
2007 – Wave #6: Auto-generated Malware. Solution: Hygiene-based Reputation
Today
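Hygiene-based reputation carried through on a small data set, as an added Python example that is not part of the original deck. The deck only states the idea (rate a file by who adopts it); the infection counts, adoption sets, the hygiene formula, the shrinkage prior and the thresholds are constructed and are not any vendor's numbers.

```python
"""Hygiene-based reputation: rate a file by the hygiene of the users who adopt it."""
from typing import Dict, Set

# Constructed telemetry: user -> confirmed infections over some window.
INFECTIONS: Dict[str, int] = {"u1": 0, "u2": 0, "u3": 1, "u4": 7, "u5": 12, "u6": 0}

# Constructed adoption telemetry: file identifier (e.g. a hash) -> users who ran it.
ADOPTIONS: Dict[str, Set[str]] = {
    "FILE_A": {"u1", "u2", "u6"},   # adopted only by clean users
    "FILE_B": {"u3", "u4", "u5"},   # adopted by frequently infected users
    "FILE_C": {"u1", "u4"},         # mixed company
    "FILE_D": {"u1"},               # one adopter: too little evidence either way
}

PRIOR = 0.5          # assumed reputation of a file nobody has run yet
PSEUDO_COUNT = 2.0   # how many "virtual adopters" that prior is worth


def hygiene(infections: int, scale: float = 3.0) -> float:
    """Map infection history to (0, 1]: 1.0 = never infected, falling as infections rise."""
    return 1.0 / (1.0 + infections / scale)


def reputation(file_id: str, adoptions: Dict[str, Set[str]] = ADOPTIONS,
               infections: Dict[str, int] = INFECTIONS) -> float:
    """Mean hygiene of the adopters, shrunk toward PRIOR when adopters are few.

    The file's own content is never consulted: only its associations are."""
    adopters = adoptions.get(file_id, set())
    total = sum(hygiene(infections[u]) for u in adopters)
    return (total + PSEUDO_COUNT * PRIOR) / (len(adopters) + PSEUDO_COUNT)


def verdict(file_id: str) -> str:
    """Constructed thresholds: trust clean company, distrust bad company, else wait for data."""
    r = reputation(file_id)
    if r >= 0.70:
        return "trusted"
    if r < 0.50:
        return "suspicious"
    return "unknown"


if __name__ == "__main__":
    for f in ("FILE_A", "FILE_B", "FILE_C", "FILE_D", "never-seen"):
        print(f, round(reputation(f), 3), verdict(f))
```

The pseudo-count is what keeps a brand-new strain from being rated on the first victim's hygiene alone: FILE_D has one spotless adopter yet stays "unknown" until more users weigh in, while FILE_B sinks to "suspicious" purely because of the company it keeps.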
115. Wave #7 Problem – Targeted Attacks (???? – Today)
116. How do you block a state-sponsored attacker with nearly unlimited resources from compromising your intellectual property?
117. Wave #7 Solution – ???
“They modify [their malware] until we don't detect so it is almost irrelevant what happens from a static scanning perspective.” – Eric Chien, Distinguished Engineer, Symantec
118. Wave #7 Solution – A big-data-driven Security Service
Our proposal has three parts:
1. Security products must become collectors of security-relevant data in addition to detecting obvious attacks.
2. This telemetry will be hosted in a secure, elastic, multi-tenant big-data platform.
3. We will then leverage a combination of manual and automated, intra- and inter-enterprise mining to identify attacks.
121. Wave #7 Solution – A big-data-driven Security Service
(Figure) Telemetry from each customer (Acme Corp, Bravo Corp, …) passes through an Anonymization Layer into a Secure, Siloed Big-data Store. Data collected: Network connections; Email metadata; Log file deletions; Settings changes; Files adopted; Logins (incl. failed logins). Each customer gets its own silo (ACME CO., BRAVO CO.) holding CONNECTION HISTORY, LOGIN HISTORY and EMAIL HISTORY tables with Source, Destination, File, … columns.
129. As security researchers discover new indicators of compromise… They can mine the big-data store to discover related in-progress attacks. And the telemetry can then be used for forensic purposes – to identify the who/what/when/where/how of an intrusion.
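The anonymization layer, the siloed store and a cross-tenant hunt for one indicator, as an added Python example that is not part of the original deck. The tenant names and table names come from the figure; everything else is assumed: the per-tenant HMAC keys, the choice to pseudonymize internal identifiers (source host, user) while keeping external observables (destination, file) searchable, the record schema and the records themselves (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""Anonymization layer + siloed telemetry store + cross-tenant IOC hunting."""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumed: one secret per tenant, held by the anonymization layer, never stored alongside the data.
TENANT_KEYS: Dict[str, bytes] = {"Acme Corp": b"acme-key-0001", "Bravo Corp": b"bravo-key-0001"}
INTERNAL_FIELDS = ("source", "user")      # fields that name the customer's own hosts and people


def pseudonymize(tenant: str, value: str) -> str:
    """Deterministic per-tenant token: joins work inside a silo, never across silos."""
    return hmac.new(TENANT_KEYS[tenant], value.encode(), hashlib.sha256).hexdigest()[:16]


class SiloedStore:
    def __init__(self) -> None:
        # tenant -> table name -> rows
        self.silos: Dict[str, Dict[str, List[dict]]] = defaultdict(lambda: defaultdict(list))

    def ingest(self, tenant: str, table: str, row: dict) -> None:
        """The anonymization layer: pseudonymize internal identifiers, then file the row."""
        stored = dict(row)
        for f in INTERNAL_FIELDS:
            if f in stored:
                stored[f] = pseudonymize(tenant, stored[f])
        self.silos[tenant][table].append(stored)

    def hunt(self, table: str, field: str, ioc: str) -> Dict[str, List[dict]]:
        """Researcher query: every tenant's rows in `table` whose `field` equals the IOC."""
        hits: Dict[str, List[dict]] = {}
        for tenant, tables in self.silos.items():
            rows = [r for r in tables[table] if r.get(field) == ioc]
            if rows:
                hits[tenant] = rows
        return hits


def resolve(tenant: str, candidates: Iterable[str], token: str) -> List[str]:
    """Forensics inside one tenant: which of its own hosts/users produced this token?
    Only the tenant's key can answer, so the store alone cannot name anyone."""
    return [c for c in candidates if pseudonymize(tenant, c) == token]


def build_store() -> SiloedStore:
    """Constructed telemetry from two tenants; both happen to have a host named ws-042."""
    s = SiloedStore()
    s.ingest("Acme Corp", "CONNECTION HISTORY",
             {"time": "2014-03-01T09:12", "source": "ws-042", "destination": "203.0.113.7", "file": "updater.exe"})
    s.ingest("Acme Corp", "CONNECTION HISTORY",
             {"time": "2014-03-01T09:13", "source": "ws-042", "destination": "198.51.100.20", "file": "browser.exe"})
    s.ingest("Acme Corp", "LOGIN HISTORY",
             {"time": "2014-03-01T09:10", "user": "jdoe", "source": "ws-042", "result": "failed"})
    s.ingest("Bravo Corp", "CONNECTION HISTORY",
             {"time": "2014-03-02T22:41", "source": "ws-042", "destination": "203.0.113.7", "file": "svchosts.exe"})
    s.ingest("Bravo Corp", "EMAIL HISTORY",
             {"time": "2014-03-02T22:30", "user": "asmith", "attachment_sha256": "0" * 64})
    return s


if __name__ == "__main__":
    store = build_store()
    hits = store.hunt("CONNECTION HISTORY", "destination", "203.0.113.7")   # a newly learned IOC
    for tenant, rows in hits.items():
        print(tenant, "->", rows)
    token = hits["Acme Corp"][0]["source"]
    print("Acme resolves", token, "to", resolve("Acme Corp", ["ws-001", "ws-042"], token))
```

One indicator learned from the Bravo intrusion immediately surfaces the same command-and-control destination in Acme's silo, which is the inter-enterprise mining the proposal asks for. The who/what/when then comes from the matching row, with the "who" recoverable only by the tenant that holds the key.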
130. Wave #7 Solution – Big-Data driven Security Service
2004 – Wave #5: Web-based Malware. Solution: Behavior Blocking
2007 – Wave #6: Auto-Generated Malware. Solution: Hygiene-based Reputation
???? – Wave #7: Targeted Attacks. Solution: Big-Data driven Security Service
Today
131. Wave #8 Problem – Crypto Ransomware (2013 – Today)
132. (Figure) Ransomware on mobile
133. Wave #8 Solution – ???
Detect attempts to encrypt
Raise cyber security awareness
Other Ideas?
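One way to "detect attempts to encrypt", as an added Python example that is not part of the original deck: watch file writes and flag a process that repeatedly overwrites low-entropy files with high-entropy content. The entropy thresholds, the hit count, the write events and the toy keystream cipher used to produce realistic ciphertext are all constructed; a real implementation would sit in a file-system filter driver or fanotify handler.

```python
"""Detect attempts to encrypt: many low-entropy -> high-entropy overwrites by one process."""
import hashlib
import math
from collections import Counter, defaultdict
from typing import List, Optional, Tuple

HIGH_ENTROPY = 7.0     # bits/byte; compressed or encrypted data sits near 8.0
LOW_ENTROPY = 6.0      # documents, source, logs sit well below this
MIN_HITS = 5           # encrypt-like overwrites before a process is flagged


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for the ransomware's cipher: SHA-256 counter keystream XOR."""
    out = bytearray()
    for block in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[block:block + 32], keystream))
    return bytes(out)


# A write as a file-system filter sees it: (pid, path, old content or None if new, new content).
WriteEvent = Tuple[int, str, Optional[bytes], bytes]


def is_encrypt_like(event: WriteEvent) -> bool:
    """An existing readable file being replaced by random-looking bytes."""
    _, _, before, after = event
    return (before is not None
            and entropy(before) < LOW_ENTROPY
            and entropy(after) > HIGH_ENTROPY)


def flag_processes(events: List[WriteEvent]) -> dict:
    """Return {pid: count} for processes with at least MIN_HITS encrypt-like overwrites."""
    hits = defaultdict(int)
    for ev in events:
        if is_encrypt_like(ev):
            hits[ev[0]] += 1
    return {pid: n for pid, n in hits.items() if n >= MIN_HITS}


def constructed_events() -> List[WriteEvent]:
    """Three processes: ransomware, a backup tool, a text editor."""
    doc = b"Quarterly report: revenue grew 4% on stable costs. " * 80
    events: List[WriteEvent] = []
    for i in range(6):                       # pid 4242 overwrites documents in place
        events.append((4242, f"/home/u/doc{i}.txt", doc, toy_encrypt(doc, b"k")))
    for i in range(6):                       # pid 7 writes NEW encrypted archives: no overwrite
        events.append((7, f"/backup/doc{i}.enc", None, toy_encrypt(doc, b"k")))
    events.append((311, "/home/u/notes.txt", doc, doc + b"\nTODO\n"))   # pid 311 edits text
    return events


if __name__ == "__main__":
    print(flag_processes(constructed_events()))   # only the ransomware pid
```

The backup tool writes just as much high-entropy data as the ransomware, but to new paths; requiring a readable original to be replaced is what keeps it off the list. The obvious evasions (encrypting to a new file and deleting the original, or base64-encoding the output to lower its entropy) are why real products pair this with canary files and behaviour blocking rather than relying on entropy alone.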
134. Credits • Carey Nachenberg • Original creator of this deck
135. Thank You