Malware and the Modern Threat Landscape

Paul Royal, College of Computing, Georgia Institute of Technology

PowerPoint presentation, 20 slides.

Page 1: Malware and the Modern Threat Landscape

Paul Royal
College of Computing
Georgia Institute of Technology

Page 2: Malware and the Modern Threat Landscape

Agenda

• Overview
  - Platform, Installation, Activities
  - Propagation Studies
• Evolution
  - Traditional Defense-in-Depth
  - Obfuscation, Server-side Polymorphism
• Analysis
• Takedown

Page 3: Malware and the Modern Threat Landscape

Malware Overview

• Platform
  - Predominantly Microsoft Windows
  - Emergent threats beginning to target Mac OS X and mobile devices
• Propagation
  - Social engineering
    • Standard (emails with e-cards), innovative (torrents offering key generators slipstreamed with malware), or novel (Kraken's use of MSN Messenger)
  - Rapid, short-term exploitation of critical vulnerabilities
    • Conficker/Downadup's use of MS08-067 allowed it to grow to 500,000 hosts in a single week

Page 4: Malware and the Modern Threat Landscape

Overview Cont'd

• Installation
  - Thread injection into a benign/trusted process
    • Can be part of the unpacking process (code is deobfuscated into a newly allocated section)
    • Internet Explorer is a common target for malware that needs to get out through an (authenticated) web proxy
• Activities
  - Information theft, spam, DDoS
  - Rogue AV software sales
    • Affiliate programs offer commissions as high as 90%
    • Using botnets as an installation medium can earn individuals $100,000/week

Page 5: Malware and the Modern Threat Landscape

Functional Definition

• Malicious software is the centerpiece of current threats on the Internet
  - Botnets (spamming, DDoS, etc.)
  - Information Theft
  - Surveillance and Espionage
• Used by Criminals
  - Criminal Infrastructure
  - Domain of Organized Crime
• Used by Nations
  - Cyber Warfare

Page 6: Malware and the Modern Threat Landscape

Propagation Strategies

• Visiting "Safe" Websites
  - Reading USAToday.com results in malware on your computer
• What happened?
  - USAToday.com ad network compromised
  - Visitors served malicious JavaScript bundled with an ad for Roxio Creator 2009
  - Automatically directed users to a Rogue AV website through a malicious traffic distribution system
    • Neither clicking on nor hovering over the ad was required to activate the code

Page 7: Malware and the Modern Threat Landscape

Propagation Strategies

• Case Study: Alexa Top-ranked Domains
  - System created to examine the Alexa top 25,000 domains each day
  - Browser inside a virtual machine (VM) forced to visit each domain
  - Network actions following the visit used to determine whether a drive-by download occurred
• February 2012
  - 58 of the Alexa top 25,000 domains resulted in drive-by downloads
  - 10.5M users served malicious content
  - 1.6M likely compromised

Page 8: Malware and the Modern Threat Landscape

Propagation Strategies Cont'd

• "Feature-minded" Software Vendors
  - Executive receives email with PDF attachment
    • Email's subject and recipient's ethnicity compel him to view the attachment
  - PDF contains an embedded, malicious Flash movie which exploits Acrobat Reader's Flash interpreter, compromises the system and phones home to the controller
  - Soon after, compromised, legitimate websites found hosting drive-by attacks that use the same flaw to exploit Flash Player
  - Vulnerability traced back to a bug reported to Adobe eight months prior

Page 9: Malware and the Modern Threat Landscape

Propagation Strategies Cont'd

• "Uninformed" Users
  - Waledac's email campaigns
    • Use of geo-location and temporally relevant events (e.g., bomb blast in <your city>, July 4th fireworks videos) to make attacks more compelling

Page 10: Malware and the Modern Threat Landscape

Traditional Defense-in-Depth

• Network-Level Protection
  - Firewall
    • Evaded by C&C protocol congruency (C&C traffic rides the same protocols the firewall already permits)
  - IPS/IDS
    • Evaded by custom encodings
• Host-Level Protection
  - User Access Control
    • Analogous to "informed consent"
  - AntiVirus
    • Uses complex, heuristics-based detection along with signature matching

Page 11: Malware and the Modern Threat Landscape

Malware Obfuscation

• Often referred to as "packing"
  - A technique whereby parts or all of an executable file are compressed, encrypted, or transformed in some fashion
  - Code that reverses the pre-runtime transformation is included in the executable

Diagram (slide figure, recovered text):

  Program A (machine code)
    PUSH EBP
    MOV EBP, ESP
    SUB ESP, 8
    CALL 00401170
    …

      → Obfuscation Tool: Encrypt/Compress/Transform →

  Program A' (transformed machine code; appears as data)
    <Deobs Code>
    <transformed bytes of Program A>
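The diagram above as a small Python model, added here and not part of the original slides: `transform` stands in for the tool's Encrypt/Compress/Transform step (a toy XOR keystream, so applying it a second time is the "Deobs Code" step), and `looks_packed` is the entropy check a defender runs to flag a section whose code now "appears as data". The prologue bytes, the 7.0 bits/byte threshold and the key are constructed assumptions.

```python
"""Entropy check for packed/transformed executables (added example, not from the slides)."""
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte; assumed cut-off typical of compressed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def transform(blob: bytes, key: int) -> bytes:
    """Toy stand-in for the slide's Encrypt/Compress/Transform step: XOR with a PRNG
    keystream seeded by `key`. Applying it again restores the input, which is what the
    <Deobs Code> stub embedded in Program A' does before the original code runs."""
    rng = random.Random(key)
    return bytes(b ^ rng.getrandbits(8) for b in blob)


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Heuristic: native code regions usually sit well below the threshold; values near
    8.0 mean the bytes are statistically indistinguishable from ciphertext/compressed data."""
    return shannon_entropy(data) >= threshold


# Constructed "Program A": the slide's prologue (PUSH EBP; MOV EBP,ESP; SUB ESP,8; CALL)
# repeated 512 times with varying little-endian call operands, ~5.5 KiB of low-entropy code.
PROLOGUE = bytes.fromhex("558bec83ec08e8")
PROGRAM_A = b"".join(PROLOGUE + (0x00401170 + i * 0x10).to_bytes(4, "little")
                     for i in range(512))
KEY = 0x5EED  # constructed
PROGRAM_A_PRIME = transform(PROGRAM_A, KEY)  # what the obfuscation tool would emit


def demo() -> dict:
    """Entropy before/after the transform, the verdict for each, and the unpack round trip."""
    return {
        "entropy_a": shannon_entropy(PROGRAM_A),
        "entropy_a_prime": shannon_entropy(PROGRAM_A_PRIME),
        "a_packed": looks_packed(PROGRAM_A),
        "a_prime_packed": looks_packed(PROGRAM_A_PRIME),
        "roundtrip_ok": transform(PROGRAM_A_PRIME, KEY) == PROGRAM_A,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run against the sections of a real PE, the same check is what many scanners use as a first-pass "packed" indicator; it says nothing about what the code does, only that it has been transformed.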

Page 12: Malware and the Modern Threat Landscape

Obfuscation Impact on AntiVirus

• Novel obfuscations easily evade AV
• Example: Project ZeroPack
  - Proof-of-concept obfuscation tool
    • Makes malware appear benign to AV tools
  - Developed for DefCon 16's Race to Zero contest

Figure: ZeroPack

Page 13: Malware and the Modern Threat Landscape

Scalable, Effective Malware Distribution

• Server-side Polymorphism
  - Attacks the heart of the traditional host-based AV model by automating mutations
• When done professionally: Waledac

Figure: sample collected on 12/30/2008
Figure: sample collected on 2/25/2009

Page 14: Malware and the Modern Threat Landscape

Malware Complexity

• Stuxnet
  - Nation-state created malware
  - Multiple zero-day arbitrary code execution exploits
    • Private network, removable media propagation
  - Multiple zero-day privilege escalation exploits
    • Rootkit components with stolen code-signing certificates from Realtek and JMicron
• Botnet 'T' (now known as Shady RAT)
  - Used for data exfiltration
  - No packing obfuscations
    • AV detections still < 50%
  - Centralized C&C
    • Hosted on a four-year-old legitimate, compromised realty website
    • Commands via HTTP comments

Page 15: Malware and the Modern Threat Landscape

Malware Analysis

• There is a pronounced need to understand malicious software behavior
• Malware analysis is the basis for understanding the intentions of malicious programs
  - Threat Discovery and Analysis
  - Compromise Detection
  - Forensics and Asset Remediation
• Malware authors are incentivized to make analysis challenging
  - Direct financial motivation

Page 16: Malware and the Modern Threat Landscape

Analyzer Detection Prevalence

• Analysis tool/environment detection is a standard malware feature

Page 17: Malware and the Modern Threat Landscape

Malware Network Takedowns Cont'd

• Case Study: Mariposa
  - Large, data-stealing botnet
  - Used to steal credit card and banking information
• Compromises in half of the Fortune 1000
  - Before takedown, over 1M members

Page 18: Malware and the Modern Threat Landscape

Mariposa Cont'd

• Takedown Timeline
  - Spring 2009: Mariposa discovered
  - Fall 2009: International Mariposa Working Group (MWG) formed
    • Defence Intelligence, GTISC, Panda Antivirus, FBI, Guardia Civil (Spanish LEO)
  - December 2009: All C&C domains shut down and sinkholed within hours of the first
    • Operators panic; log into domain management services from home systems
    • Warrants issued to operators' ISP
  - January 2010: Operators arrested
    • 800,000 financial credentials found on one operator's home systems

Page 19: Malware and the Modern Threat Landscape

Closing Thoughts

• Today's malware author/operator is more motivated and resourceful than ever before
• The increasing complexity of systems and software prohibits compartmentalization to a single person or group
• Understanding modern malicious software can promote the creation of malware-resistant systems

Page 20: Malware and the Modern Threat Landscape

Questions?