Dynamic Detection of Malicious Activity Amanda Rousseau, Malware Researcher

Upload: ashwini-almad

Post on 17-Jan-2017

Category: Technology

TRANSCRIPT

Page 1: Dynamic Detection of Malicious Behavior

Dynamic Detection of Malicious Activity

Amanda Rousseau, Malware Researcher

Page 2: Dynamic Detection of Malicious Behavior

WHOAMI?

Computer Forensics
IR & Intrusion Forensics
Malware Research
Malware Research

Page 3: Dynamic Detection of Malicious Behavior

Game Theory: Attackers and defenders watch and adapt to the opponents’ behavior to improve their strategies in response to the other’s behavior.

Diagram: Technology, Defender, Attacker. Overlap is Defender Advantage.

Page 4: Dynamic Detection of Malicious Behavior

Malicious Behaviors

This level of sophistication requires a proactive, multi-layer detection and mitigation approach.

Polymorphism: Evade pattern matching detection
Stealth: Hiding execution traces
Code Obfuscation: Prevents detection and takes longer to analyze
Persistence: Ability to respawn
Evasion: Environmental awareness reaction

Page 5: Dynamic Detection of Malicious Behavior

Attack Flow: Infiltration, Entrenchment, Internal Reconnaissance, Exfiltration, Purge, Perimeter Reconnaissance

Rapid Evolution

Page 6: Dynamic Detection of Malicious Behavior

Malware Timeline: 2013 / 2014 / 2015

Attacker
• Email attachment downloads the payload instead, runs in memory
• Browser exploit – bypassing the email payload
Example: Trojan.APT.BaneChant, Trojan.APT.9002

Defender
• Static analysis on web browser memory
• Tighter analysis on opened browser sessions

Page 7: Dynamic Detection of Malicious Behavior

Malware Timeline: 2013 / 2014 / 2015

Defender
• Static analysis on open pages
• Beginning of cross-platform detection for Windows/Linux/OSX

Attacker
• Socially engineered email with HTML links to compromised sites
• The malicious website contains a number of exploits
• Effective on Windows/Linux/OSX
Example: The Mask (Careto)

Page 8: Dynamic Detection of Malicious Behavior

Malware Timeline: 2013 / 2014 / 2015

Attacker
• More email campaigns that use watering holes
• Utilizing public services for payload downloads
Example: CozyDuke, CloudDuke

Defender
• Improve analysis of 3rd party services
• Strengthen cross-platform detection

Page 9: Dynamic Detection of Malicious Behavior

Why is Anti-Virus so obsolete?

Page 10: Dynamic Detection of Malicious Behavior

Polymorphism: Evade pattern matching detection

Page 11: Dynamic Detection of Malicious Behavior

Polymorphism: Upatre Downloader

Binary visualization (http://binvis.io/#/): Sample A vs. Sample B

Page 12: Dynamic Detection of Malicious Behavior

Polymorphism: Upatre Downloader, Sample A vs. Sample B

Page 13: Dynamic Detection of Malicious Behavior

Stealth: Hiding execution traces

Page 14: Dynamic Detection of Malicious Behavior

Stealth: Hiding execution traces

Process Injection
File Hiding
Diskless Execution

Page 15: Dynamic Detection of Malicious Behavior

Stealth: File Hiding

File Attributes: Process will change the file’s hidden attributes.
Compartmentalization: The malicious payload will remain in separate pieces for a benign controller to execute.
File Extensions: Process will change the file type associations to turn a benign file extension into an executable binary.
Steganography: Malicious payloads reside in images or other binary files that may appear as benign to the user.

Page 16: Dynamic Detection of Malicious Behavior

Stealth: Process Injection

Diagram: BadGuyInjector.exe (Memory, Thread) injects into GoodGuy.exe (Memory, Thread, Thread).

API sequence: OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateRemoteThread
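The API chain on this slide is what a sandbox or endpoint hook layer records as a sequence of events, which is what makes the technique detectable dynamically even when the injector's bytes are polymorphic. The following Python is an added example, not code from the talk: it walks a constructed API trace (the event format and the field names are assumptions made for this example) and raises a hit only when one process completes OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread against a different process, so a debugger that only reads memory, or a process allocating in itself, is not flagged.

```python
"""Flag the cross-process injection API chain from the slide in an API trace.

Added example, not code from the talk. The trace format (source pid, api,
target pid) and the sample events below are constructed for this example.
"""
from collections import defaultdict

# Ordered stages of the pattern shown on the slide. ReadProcessMemory is recorded
# in the trace but is not needed to complete the chain.
STAGES = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# Constructed sample trace, one event per API call: the target pid is the process
# the handle refers to for cross-process calls, or the caller's own pid otherwise.
SAMPLE_TRACE = [
    (4120, "OpenProcess", 2268),
    (4120, "VirtualAllocEx", 2268),
    (4120, "WriteProcessMemory", 2268),
    (4120, "ReadProcessMemory", 2268),
    (4120, "CreateRemoteThread", 2268),
    (3308, "OpenProcess", 1756),        # debugger-like tool: opens and reads only
    (3308, "ReadProcessMemory", 1756),
    (5001, "VirtualAllocEx", 5001),     # self-allocation (heap, JIT): not cross-process
    (5001, "WriteProcessMemory", 5001),
    (5001, "CreateRemoteThread", 5001),
]


def detect_injection(trace):
    """Return (source_pid, target_pid) pairs that complete the chain, in order.

    Progress is tracked per (source, target) pair and advances only on the next
    expected stage; unrelated interleaved calls are ignored rather than resetting
    the state, because real traces interleave plenty of other activity.
    """
    progress = defaultdict(int)  # (src, dst) -> index of the next expected stage
    hits = []
    for src, api, dst in trace:
        if src == dst:
            continue  # same-process memory operations are normal
        key = (src, dst)
        stage = progress[key]
        if stage < len(STAGES) and api == STAGES[stage]:
            progress[key] = stage + 1
            if stage + 1 == len(STAGES):
                hits.append(key)
    return hits


def stage_reached(trace, src, dst):
    """How far a given (src, dst) pair got through the chain, for partial alerts."""
    stage = 0
    for s, api, d in trace:
        if (s, d) == (src, dst) and stage < len(STAGES) and api == STAGES[stage]:
            stage += 1
    return stage


if __name__ == "__main__":
    for src, dst in detect_injection(SAMPLE_TRACE):
        print(f"pid {src} completed the injection chain against pid {dst}")
    print("pid 3308 -> 1756 reached stage", stage_reached(SAMPLE_TRACE, 3308, 1756))
```

ReadProcessMemory is listed on the slide but is not needed to complete the chain here; in practice you would also look at whether the allocated pages are executable and at what the target process is, since injection into a browser or a security product's process warrants a different severity than injection into a scratch process.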

Page 17: Dynamic Detection of Malicious Behavior

Stealth: Diskless Execution

Diagram: GoodGuy Website, Exploitation, GoodGuy Browser (Memory, Thread, Thread), BadGuy Code (Memory, Thread). File System: untouched, the code runs only in memory.

Page 18: Dynamic Detection of Malicious Behavior

Code Obfuscation: Prevents detection and takes longer to analyze

Page 19: Dynamic Detection of Malicious Behavior

Code Obfuscation

Dridex VBA Downloader

' yyTrankxt() is the sample's string-decoding helper (its body is not shown on the slide);
' every string literal, including the CreateObject arguments and the folder names, is stored obfuscated.
Set obsCgkbrjo = WScript.CreateObject(yyTrankxt("ŸÕÿ‹∏†‹flfl◊–¥ "))
Set sDcqujpwd = CreateObject(yyTrankxt("·ƒÿfi«¡’‘ÍÿÊ¥ÿ‡Œ∏ñ÷‰Œ·—‹Ê»≈"))
If NOT (sDcqujpwd.FolderExists(yyTrankxt("Œ’‘∏“”÷Â◊ΩΩ≠∑"))) Then
    sDcqujpwd.CreateFolder(yyTrankxt("Œ’‘∏“”÷Â◊ΩΩ≠∑"))
End If
If NOT (sDcqujpwd.FolderExists(yyTrankxt("‘ÏÁ«Ÿƒ–Í∆±Œ‘Ê÷ø“ü∞"))) Then
    sDcqujpwd.CreateFolder(yyTrankxt("‘ÏÁ«Ÿƒ–Í∆±Œ‘Ê÷ø“ü∞"))
End If
sXtrIusxm = yyTrankxt("…‘ÿ‡Œ∏à‹◊◊‘–ƒ¡¨´")
sXtr2Iusxm = yyTrankxt("‡∆fl›´í’–ËË”√–üµ") & " (x86)\"

Page 20: Dynamic Detection of Malicious Behavior

Persistence: Ability to respawn

Page 21: Dynamic Detection of Malicious Behavior

Persistence

Mechanisms (plotted on two axes: Rare to Common, Sophisticated to Simple):
• Scheduled tasks
• Logon/Winlogon
• File Classes
• Services/Drivers
• Image File Execution
• ShellExecuteHooks
• Autoruns
• InprocServer32
• Installed Components
• DLL Load/Hijacking
• Browser Plugins
• Boot Execution

Page 22: Dynamic Detection of Malicious Behavior

Evasion: Environmental awareness reaction

Page 23: Dynamic Detection of Malicious Behavior

Evasion

NOP Functions: Looping of a function that does nothing important, to confuse the analysis
Timeout/Sleeps: Process will wait until a certain time, or outwait VM analysis
Environmental Awareness: Process is able to identify obstacles in the environment and react accordingly by removing obstacles
User Interaction: User interaction is required to continue execution
Encryption: Encryption of code components and traffic avoids analysis
Dynamic C&C: Domain Generation Algorithm (DGA) to avoid static detection
Memory Only: Process will avoid file-system-type detection by only running in memory
Stolen Signing Certificates: Malware will use stolen certs to sign their own binaries and bypass AV detection
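The Dynamic C&C row is the one item in this list a defender can often catch from the network alone, because algorithmically generated names look different from names people register. Below is an added Python example, not code from the talk, that scores the registrable label of each query in a constructed resolver log on length, character entropy, vowel ratio and digit mix, then reports clients with repeated high-scoring lookups; the log format, the thresholds and the min_hits value are assumptions chosen for this example and would be tuned against real traffic and an allow-list of known CDN and telemetry names.

```python
"""Score DNS query names for DGA-like structure and report noisy clients.

Added example, not code from the talk. The resolver log format, the sample
lines and the scoring thresholds are constructed assumptions for this example.
"""
import math
import re
from collections import Counter

# Constructed sample resolver log: "<timestamp> <client ip> <query name>"
SAMPLE_LOG = """\
2017-01-17T10:00:01Z 10.0.0.5 www.example.com
2017-01-17T10:00:02Z 10.0.0.5 mail.example.com
2017-01-17T10:00:03Z 10.0.0.9 xkqzvtrpwmlcs.net
2017-01-17T10:00:03Z 10.0.0.9 qwrtplkjhgfdsz.org
2017-01-17T10:00:04Z 10.0.0.9 mnbvcxzlkjhgf.info
2017-01-17T10:00:05Z 10.0.0.9 cdn.example.com
2017-01-17T10:00:06Z 10.0.0.7 fjdks8a7s6d5f4.biz
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def registered_label(qname):
    """Return the label left of the public suffix (naive: second-to-last label)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character of the label; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label):
    """Combine length, entropy, vowel ratio and digit mix into a 0..3 score.

    Thresholds are assumptions for this example: long labels, high entropy and
    an unpronounceable (few vowels) or digit-mixed label each add one point.
    """
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.3:
        score += 1
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    if vowel_ratio < 0.2 or any(ch.isdigit() for ch in label):
        score += 1
    return score


def flag_clients(log_text, threshold=2, min_hits=2):
    """Return {client: [suspicious query names]} for clients with repeated hits.

    Requiring min_hits high-scoring queries per client suppresses the single odd
    lookup and keys on what a DGA actually produces: bursts of such names.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        _, client, qname = m.groups()
        if dga_score(registered_label(qname)) >= threshold:
            hits.setdefault(client, []).append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        print(client, "queried DGA-like names:", ", ".join(names))
```

Note that 10.0.0.7 queries one suspicious name and is not reported, while 10.0.0.9 queries three and is; the benign example.com lookups score zero on every criterion. A real deployment would add a frequency dimension (many distinct high-scoring names in a short window, most returning NXDOMAIN), which is the strongest DGA signal and the one an attacker cannot easily suppress.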

Page 24: Dynamic Detection of Malicious Behavior

Pre and Post Breach Methodology

1. Accept that attacks will adapt to changes in the environment
2. Focus on the anomaly rather than the signature

Page 25: Dynamic Detection of Malicious Behavior

Mitigation & Multi-Layer Detection

Malicious Behaviors: Polymorphism, Stealth, Code Obfuscation, Persistence, Evasion

Mitigation
• Provide Data Analytics and Machine Learning Services to Identify, Detect, and Prevent
• Dynamic Analysis and Data Science Overcomes Anti-Analysis
• Monitor All Layers: Disk, Memory and Kernel
• Analytics to Identify and Collect Anomalies in Pre-Breach and Post-Breach context
• Remaining Stealthy in the Environment to Prevent Attacker Discovery

Page 26: Dynamic Detection of Malicious Behavior

Questions?

Page 27: Dynamic Detection of Malicious Behavior

Thank [email protected]

Page 28: Dynamic Detection of Malicious Behavior

Appendix

Page 29: Dynamic Detection of Malicious Behavior

Malware Timeline: 2009-2010 / 2011

Attacker
• Socially engineered emails
• Attachments with Doc exploits
• Attachments are compressed
• User interaction required
Example: GhostNet

Defender
• Static analysis
• File extension identification
• Decompression when not password protected

Page 30: Dynamic Detection of Malicious Behavior

Malware Timeline: 2009-2010 / 2011-2012

Attacker
• Socially engineered emails
• HTML links to fake websites
• Search order hijacking
• Resilience gets more interesting
Example: ETSO APT, PushDo Botnet

Defender
• Static analysis of webpages
• Domain research
• Becomes harder to catch