This document discusses modern malware threats and techniques. It defines malware and describes traditional vs modern malware approaches. Modern malware uses stealthy techniques like obfuscation and rootkits to avoid detection. It communicates through various protocols and services to command and control systems. The document outlines threat actors like cybercriminals, nation-states and hacktivists and recommends defenses like antivirus, firewalls, and employee training to mitigate risks.

1. Modern Malware and
Threats
Martin Čmelík
www.security-portal.cz
Moderní malware a možnosti obrany, Hotel Panorama, Praha - 28.05.2015

2. What is malware?
Malware, short for malicious
software, is any software used
to disrupt computer operation,
gather sensitive information, or
gain access to private computer
systems.
'Malware' is a general term used
to refer to a variety of forms of
hostile or intrusive software.
source: wikipedia

3. Text
Value of hacked computer
source: krebsonsecurity.com

4. Threat Landscape
Motivation Actors Targets
CYBER WAR Military/Political
Advance Cyber
Nation - States
Critical
Infrastructure
TERRORISM Political Change
Terrorist Networks
and Groups
Infrastructure and
Public Assets
ESPIONAGE
Intellectual
Property Gain
Nation-States
and Enterprises
Governments,
Companies and
Individuals
ORGANIZED
CRIME
Financial Gain Criminals
Companies and
Individuals
HACKTIVISM
Ego, Curiosity
and Change
Groups and
Individuals
Governments,
Companies and
Individuals

5. Types of malware
Viruses
Worms
Trojan Horses
Spyware
Crimeware
Bankers
Backdoors
Exploits
RAT (Remote Access Toolkit)
Bootkits
Rootkits
Ransomware
Zombie/Bot, Dropper, …
source: http://www.kaspersky.com/internet-security-center/malware-tree.jpg
Malware classification tree

6. Traditional vs Modern malware
Traditional Malware:
- Open channels
- Known detection and patches available
- Broad & Noisy
- Single
- Centralized infrastructure
Modern Malware:
- Stealthy & Covert
- Unknown detection and Zero Day
- Targeted & Personalize
- Persistent
- Distributed infrastructure

7. Sources of infection
Spear phishing & Spam
Social Media
Infected websites (drive-by-download, watering hole, …)
Exploit Kits (Blackhole - not active, SweetOrange, Angler, Magnitude, …)
Infected media - USB stick (autorun.inf, BadUSB)
Infected host on network
Dynamic binary patching
Pirated Software & Key Generators
Human error

8. Persistence
Backdoor
- enable an attacker to bypass normal authentication procedure to
gain access to system
Rootkit
- admin-level type of access
- hiding existence in system
- blocking AV/Malware scanners or providing spoofed data
- firmware (network card, disk, BIOS, VGA, …) rootkits are
resistant to OS reinstallation
Bootkit
- kernel-mode type of rootkit
- infect MBR, VBR or boot sector
- can be used to attack full disk encryption

9. Communication
Common (allowed) protocols: HTTP, HTTPS, SSH, DNS
Proprietary protocols and encryption
Communication via proxies, tunnels, IRC
Through public services like Facebook, Reddit, Twitter, Google
Steganography (image EXIF metadata)
TOR hidden services (e.g. Mevade)
P2P network (e.g. Alureon, GameOver)
Computer speakers and microphones to bridge air gaps (badBIOS PoC)
Fast Flux (or DDNS) - combination of P2P, distributed CnC, load
balancing and proxy redirection (e.g. Storm Worm)

10. Single vs Double Fast Flux network
source: http://www.honeynet.org/node/136

11. Bredolab Botnet
source: http://securelist.com/analysis/publications/36335/end-of-the-line-for-the-bredolab-botnet/

12. Anti-Detection techniques
Obfuscation - deliberate act of creating source or machine code that is difficult for humans
to understand.
Packers - comparable to obfuscation. Uses executable data compression algorithm and
combine compressed data with decompression code into single executable. Still could
provide quite good results when you will combine more of them together.
Olygomorphic code - randomly selecting each piece of the decryptor from several
predefined alternatives (+,-,/,XOR). Limited to just a few hundred different decryptors.
Polymorphic code - uses polymorphic engine to mutate while keeping original algorithm
intact. Code changes encryptor/decryptor each time it runs, but the function will remain
same.
Metamorphic code - no part of malware stays the same. Metamorphic viruses often
translate their own binary code into a temporary representation, editing the temporary
representation of themselves and then translate the edited form back to machine code
again.
Steganography - concealment of information within computer files (images, videos, …).
Used sporadically at this time, but seems to be weapon of choice for droppers which can
download and extract from image/youtube video/whatever malware payload.

13. Example of obfuscated JavaScript
Result? Redirect to google.com website
source: http://www.kahusecurity.com/2011/making-wacky-redirect-scripts-part-i/

14. Example of obfuscated PHP script
source: http://ddecode.com/phpdecoder/?results=e0719289a4608ed4ef4efa66375337ef

15. Exploit Kit services
Dashboard - statistics, infected computers, traffic flow summary, infection rate in % by OS,
used exploit, country, browser, affiliate/partner, …
Available exploits to use and exploits which you can buy
AntiVirus evasion techniques + virustotal-like service to verify results
Code obfuscation service (HTML, JavaScript, ActionScript/Flash, PDF, Java, …)
Landing pages and details about used obfuscation, iframes etc. if website is on any kind of
blacklist (URL scanner), …
Random domain generator (changing every X hours)
Tool for sending spams and spear phishing campaigns (mail lists included)
DDoS attacks service
CnC control-like panel
…and much more
24/7 support (!)

16. Blackhole Exploit kit

17. Threat Detection
and Mitigation

18. Malware analysis
Static (code) Analysis - signature (virustotal.com) and string analysis,
reverse engineering performed using disassemblers (e.g. IDA Pro,
OllyDbg), debuggers and decompilers. Analysis without running the
code.
RE is time consuming
Dynamic (behavioral) Analysis - executing malware in sandboxed/
virtualized OS environment and looking how malware behaves
(monitoring system/library calls). What has been changed in system,
which connection attempts been made, which files created, etc.
Quick method which can detect APT attacks, spear phishing
campaigns and 0day exploits.
Memory Analysis - simple rule: malware must run, if it runs, it has to
be in memory. Dumping memory and searching for malicious artifacts
(e.g. Volatility Framework, Memoryze).

19. Example of Hybrid Analysis
One of Tor Exit node in Russia has been performing dynamic
binary patching and injecting its own malware to EXE files
downloaded via HTTP protocol. This is report of one file
modified by this exit node.
Regular application downloaded from microsoft.com website (isn't it?)

20. source: https://malwr.com/analysis/ZmY0ZGFlY2ZjMWMzNDNkZmE3YzE1MzhjNWEyNjlhNTk/

21. Analyzing Web-Based malware
urlQuery.net is a free online
service for testing and
analyzing URLs, helping with
identification of malicious
content on websites. The
main focus of urlQuery is to
find and detect suspicious
and malicious content on
webpages, to help improve
the security industry and
make the internet a safer
place.

22. source: http://urlquery.net/report.php?id=1413821943900

24. General Recommendations
have a good antivirus on computers and servers
have HIPS on computers and servers
IPS on the core of the network with Anti-Malware and Anti-Botnet engine can
help a lot. Even if engine wouldn't be able detect malicious file itself, it can
recognize communication to CnC servers by deep packet inspection or by
monitoring of DNS requests.
If you can use appliances which can recognize specific applications in network
flow. Strict policies allowing communication just from known applications can
mitigate malware infection and communication to CnC as well.
Correlate all security events and audit logs in robust SIEM solution
Invest money in good employees. Someone has to read and understand the
output of logs and SIEM events.

25. General Recommendations
Every piece of network equipment has to be properly setup and
secured. Starting with switches and ending with personal computers.
All systems has to be regularly updated
Strict policies and new technologies for malware detection has to be
enforced in order to avoid contact with malware distribution websites
and mail attachments coming from spear phishing and spam
campaigns.
…in best case uninstall Adobe Reader, Adobe Flash and Java
Consider OS level hardening
Windows - EMET (The Enhanced Mitigation Experience Toolkit)
Linux - SELinux, Grsecurity

26. EMET (The Enhanced Mitigation Experience Toolkit)
EMET force
applications to use key
security defenses
which could potentially
block malware during
its execution.
Defense mechanisms:
ASLR (buffer overflow)
DEP (no-exec memory)
SEHOP (stack overflow)
ROP (DEP bypass)

27. Are you still hungry?
Flame - most complex, sophisticated and interesting piece of malware
(developed by US and Israel)
Dexter - POS malware with ability to search credit card information in
memory (Target data breach - 40 million credit cards)
Gapz - dropper using non-standard technique for code injection, bypassing
security software
The Mask - targets government, diplomatic offices and embassies, oil and
gas companies, research organizations and activists (state sponsored
malware)
Recommended sources
http://blog.kaspersky.com/
http://nakedsecurity.sophos.com/
http://www.welivesecurity.com/

28. Questions?

29. Thank you!
Martin Čmelík
~ security consultant ~
martin.cmelik (at) gmail.com
www.linkedin.com/in/martincmelik
www.security-portal.cz | www.securix.org | www.security-session.cz