EMRG1 WildFire ILTA Seminar Presentation (ilta.personifycloud.com/webfiles/productfiles...)
TRANSCRIPT
Modern Malware
James Sherlow, SE Manager NEUR
• data breach mythology
• we invest in protecting our data centers
• rarely is the datacenter attacked directly
no more vulnerability scanning
• the new attacker
the attacker is not a bored geek
nation states and organized crime
• data breaches in 2011
step one: bait an end‐user
spear phishing
step two: exploit a vulnerability
step three: download a backdoor
step four: establish a back channel
step five: explore and steal
• the state of malware protection
• blueprint for stopping modern malware
need to protect all applications
• response time is key
• automation is a must
• a sandbox at the core
• perform the analysis for all devices centrally
• automatically generate multiple signatures
  – Anti-malware download signatures
  – IPS back-channel signatures
  – Malware URLs
  – IPS signatures for identified new vulnerabilities
• need to protect at all stages
bait → exploit → download → back channel → steal
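The blueprint above (one central sandbox verdict fanned out into download signatures, back-channel IPS rules and malware URLs, then applied at every stage of the bait/exploit/download/back-channel/steal chain) can be shown end to end in a few dozen lines. The following is an added example written for this transcript, not code from the slides or from WildFire: the sandbox report schema, the event fields, the Suricata rule template and the sid range are this example's own assumptions, and both the report and the proxy events are constructed.

```python
"""
Added example (not part of the slides): take one verdict from a central
sandbox, derive several signature types from it, and check those
signatures against traffic at the download and back-channel stages.
The report schema, event fields and rule format are this example's own.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sandbox report for a sample detonated centrally. The field
# names are assumptions for this example, not any vendor's report schema.
SANDBOX_REPORT = {
    "sample_sha256": hashlib.sha256(b"constructed malicious sample").hexdigest(),
    "verdict": "malicious",
    "download_url": "http://cdn-update.example/ctrl/invoice.exe",
    # Outbound HTTP the sample made while running: its back channel.
    "http_beacons": [{"host": "cdn-update.example", "path": "/gate.php"}],
}


@dataclass
class SignatureSet:
    file_hashes: set = field(default_factory=set)   # anti-malware download signatures
    malware_urls: set = field(default_factory=set)  # URL filtering entries
    beacons: set = field(default_factory=set)       # (host, path) pairs for local matching
    ips_rules: list = field(default_factory=list)   # the same beacons rendered as Suricata rules


def generate_signatures(report: dict, sid_base: int = 9000000) -> SignatureSet:
    """Derive every signature type the report supports from one verdict."""
    sigs = SignatureSet()
    if report["verdict"] != "malicious":
        return sigs
    sigs.file_hashes.add(report["sample_sha256"])
    sigs.malware_urls.add(report["download_url"])
    for i, b in enumerate(report["http_beacons"]):
        sigs.beacons.add((b["host"], b["path"]))
        # Suricata sticky-buffer syntax; the sid range is an assumption.
        sigs.ips_rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Sandbox-derived C2 beacon to {b["host"]}"; '
            f'http.host; content:"{b["host"]}"; '
            f'http.uri; content:"{b["path"]}"; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    # IPS signatures for a newly identified vulnerability need the exploit
    # artifact itself (the document or request that triggered it), which
    # this report does not carry, so none are generated here.
    return sigs


# Constructed proxy/IPS events from three internal hosts. "sha256" is
# present only when the sensor saw a complete file transfer.
EVENTS = [
    {"src": "10.0.1.15", "host": "cdn-update.example", "uri": "/ctrl/invoice.exe",
     "sha256": SANDBOX_REPORT["sample_sha256"]},
    {"src": "10.0.1.15", "host": "cdn-update.example", "uri": "/gate.php"},
    {"src": "10.0.1.22", "host": "www.example.org", "uri": "/"},
    {"src": "10.0.1.31", "host": "cdn-update.example", "uri": "/gate.php"},
]


def match_events(sigs: SignatureSet, events: list) -> list:
    """Label each signature hit with the attack stage it belongs to."""
    hits = []
    for ev in events:
        url = f"http://{ev['host']}{ev['uri']}"
        if ev.get("sha256") in sigs.file_hashes:
            hits.append({"src": ev["src"], "stage": "download", "reason": "known malicious file"})
        elif url in sigs.malware_urls:
            hits.append({"src": ev["src"], "stage": "download", "reason": "malware URL"})
        if (ev["host"], ev["uri"]) in sigs.beacons:
            hits.append({"src": ev["src"], "stage": "back channel", "reason": "C2 beacon"})
    return hits


def infected_hosts(hits: list) -> set:
    """Hosts with back-channel activity already run the backdoor; a download
    hit alone may have been blocked before execution."""
    return {h["src"] for h in hits if h["stage"] == "back channel"}


if __name__ == "__main__":
    sigs = generate_signatures(SANDBOX_REPORT)
    for rule in sigs.ips_rules:
        print(rule)
    hits = match_events(sigs, EVENTS)
    for hit in hits:
        print(hit)
    print("back channel seen from:", sorted(infected_hosts(hits)))
```

The point the slides make about response time and automation is visible in the split between `generate_signatures` and `match_events`: once the sandbox verdict exists, every signature type is derived mechanically, and the host 10.0.1.31 (which never downloaded the file through a monitored path) is still caught at the back-channel stage.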
© 2010 Palo Alto Networks. Proprietary and Confidential. Page 27
Case Study: Jericho Banking Trojan
• Passwords and credentials for websites
  – Username/login pairs
  – Website cookies
  – Keystrokes
• Targets credentials for 100+ websites
  – Vast majority of targeted sites are banking and financial sites
  – Hiring and employment sites also targeted
  – Small number of technology sites targeted
Injects Into Common Applications
• Injects malicious code into common application processes
  – Browsers: heavy focus on Firefox, but also targets IE, Chrome and Opera
  – Email clients: Outlook and WinMail
  – Other apps: Skype, Java, and Reader_sl.exe
• Allows the malware to make use of functions in those target applications
  – No need for the malware to import networking libraries; it can simply use the ones already imported by the target app.
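Injection into a browser or mail client, as the slide describes, shows up on the endpoint as a thread created in that process by something other than the process itself. One way to hunt for it is to look at Sysmon Event ID 8 (CreateRemoteThread) records for the application names the slide lists. The following is an added example written for this transcript, not code from the slides and not a description of Jericho's internals beyond what the slide states: the event records are constructed, the source-process paths are hypothetical, and the benign-source allowlist and the scoring threshold are assumptions to tune against your own baseline.

```python
"""
Added example (not from the slides): flag remote-thread creation into the
application processes the case study names, using Sysmon Event ID 8
(CreateRemoteThread) records. The records below are constructed; the
source paths, allowlist and threshold are assumptions to tune per site.
"""
from pathlib import PureWindowsPath

# Processes the slide lists as injection targets, by image name (lowercase).
INJECTION_TARGETS = {
    "firefox.exe", "iexplore.exe", "chrome.exe", "opera.exe",   # browsers
    "outlook.exe", "winmail.exe",                                # email clients
    "skype.exe", "java.exe", "javaw.exe", "reader_sl.exe",       # other apps
}

# csrss.exe legitimately starts threads in new processes; this allowlist is
# an assumption and should be extended from your own baseline.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Directories an installed, signed program rarely runs from.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed Sysmon Event ID 8 records (field names follow Sysmon's schema).
EVENTS = [
    {"UtcTime": "2014-09-02 09:14:02.100",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "StartAddress": "0x7FFE2C30", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"UtcTime": "2014-09-02 09:14:45.512",
     "SourceImage": r"C:\Users\jsmith\AppData\Roaming\updater\svchost.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "StartAddress": "0x02A40000", "StartModule": "", "StartFunction": ""},
    {"UtcTime": "2014-09-02 09:14:46.031",
     "SourceImage": r"C:\Users\jsmith\AppData\Roaming\updater\svchost.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "StartAddress": "0x77C0E4F5", "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryW"},
    {"UtcTime": "2014-09-02 09:20:00.000",
     "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Program Files\Vendor\helper.exe",
     "StartAddress": "0x00401000", "StartModule": r"C:\Program Files\Vendor\helper.exe",
     "StartFunction": ""},
]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def injection_reasons(ev: dict) -> list:
    """Return the indicators that make this CreateRemoteThread event suspicious."""
    src, dst = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    if src in BENIGN_SOURCES:
        return []
    reasons = []
    if image_name(dst) in INJECTION_TARGETS:
        reasons.append("target is a commonly injected application")
    if any(d in src for d in SUSPICIOUS_DIRS):
        reasons.append("source runs from a user-writable directory")
    if not ev["StartModule"]:
        # The thread starts in memory no loaded module backs: injected code,
        # which then calls the host's own imports (e.g. its networking DLLs).
        reasons.append("thread start address is not inside any loaded module")
    if ev["StartFunction"].lower().startswith("loadlibrary"):
        reasons.append("thread entry is LoadLibrary (DLL injection)")
    # Require a listed target plus one more indicator so hosts with legitimate
    # injection-style tooling do not flood the queue (threshold is an assumption).
    if "target is a commonly injected application" in reasons and len(reasons) >= 2:
        return reasons
    return []


def find_injections(events: list) -> list:
    hits = []
    for ev in events:
        reasons = injection_reasons(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_injections(EVENTS):
        print(hit["UtcTime"], image_name(hit["SourceImage"]), "->", image_name(hit["TargetImage"]))
        for r in hit["reasons"]:
            print("   ", r)
```

The second and third records are the pattern the slide describes: an unsigned binary in a user profile starting threads in Firefox and Outlook, once at an address backed by no module and once through LoadLibraryW. The first record is the same target process but comes from csrss.exe during normal process start, which is why a source allowlist is needed before this is useful as a detection.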
Ierihon Samples Delivered From Israel
Poor Coverage by Traditional AV
• Tested malware against the top 6 antivirus vendors
• Repeated tests daily to track improvements
[Chart: AV coverage (0–100%) by day, Day‐0 through Day‐6]
the role of NGFW in stopping modern malware
© 2012 Palo Alto Networks. Proprietary and Confidential. Page 32