There has been extensive research done on malware code structures and system behaviors, often times hidden from unsuspecting eyes. Screen shots of malware execution have been shared in the passing, but were rarely the focus. It will be remiss if we did not pay enough attention to what malware looks like in their victims’ face. Nick Bilogorskiy, Director of Security Research at Cyphort has studied a representative set of malware samples, including Adware and PUPs (potentially unwanted programs) and shares the screenshots from the perspective of how they interact with users, and how they can be helpful in identifying such malware.

2. The Many Faces
of Malware
@belogor

3. Your speakers today
Nick Bilogorskiy
@belogor
Director of Security Research
Shel Sharma
Product Marketing Director

4. Agenda
o Fake Antivirus
o Ransomware
o APTs
o Adware
o Web Exploits
o Wrap-up and Q&A
CyphortLabsT-shirt

5. Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data

7. Fake Antivirus timeline
Mac Defender
Antivirus XP 2008
2005 2008 2009 2010 2011 2012 2013 2014
WinFixer
PC Optimizer Pro

8. WinFixer

9. XP Antivirus 2008
Affiliate Username Account Balance (USD)
nenastniy $158,568.86
krab $105,955.76
rstwm $95,021.16
newforis $93,260.64
slyers $85,220.22
ultra $82,174.54
cosma2k $78,824.88
dp322 $75,631.26
iamthevip $61,552.63
dp32 $58,160.20

10. 2011 - Mac Defender

11. 2011 - Mac Defender
o Pavel Vrublevsky Sentenced to 2.5 Years

12. 2015 Adware PcOptimizerPro
o PcOptimizerPro
shows fake alerts
of performance
problems
o Fixing only
possible with
commercial
version
o Offers user to
buy an upgrade

13. PC Optimizer Pro

15. PGPCoder Trojan – 1024 RSA key, collects money via EGOLD
Bitcoin was invented by Satoshi Nakamoto
Reveton Trojan, aka Police Trojan. collects money via Moneypak
BitCoin becomes popular, Cryptolocker appears
Cryptowall, TeslaCrypt
Ransomware History
2005
2009
2012
2013
2014

17. TeslaCrypt

18. TeslaCrypt

19. Kovter

20. CryptoWall

21. CryptoWall 3.0 example

22. Lockers

23. Koobface solves CAPTCHAs

25. DarkSeoul
o DarkSeoul, a hacking group
with suspected links to
North Korea, performed a
delayed wipe on 32,000
systems at South Korean
banks and media companies
o Credit claimed by Whois

26. Sony Wiper

27. DarkComet RAT

28. BlackShades RAT Trojan

29. BlackShades RAT Trojan

30. BlackEnergy/Sandworm
o CVE-2014-4114
o “complete list
of Members of
Parliament”.

31. Asprox/Kuluoz

33. Groovorio Spyware

34. SafeSear.ch Adware

35. Browser Hijacker BrowseIgnite

36. OSX – Genieo
o MD5: 11f085fdfca46a4b446760a0e68dc2c3
o Browser Hijacker

37. Outbrowse

38. Hack Tools

39. Hack Tools

41. Web Exploits running

42. Web Exploits running

43. Summary
o Most malware runs silently
o Some malware uses GUI for monetization
o Error windows are very common in malware
output, both real and fake
o APTs display fake documents for misdirection

44. Thank You!
Twitter: @belogor
Previous MMW slides on
http://cyphort.com/labs/
malwares-wanted/