Malware and the Modern Threat Landscape
Paul Royal
College of Computing
Georgia Institute of Technology
Agenda
• Overview
  - Platform, Installation, Activities
  - Propagation Studies
• Evolution
  - Traditional Defense-in-Depth
  - Obfuscation, Server-side Polymorphism
• Analysis
• Takedown
Malware Overview
• Platform
  - Predominantly Microsoft Windows
  - Emergent threats beginning to target Mac OS X and mobile devices
• Propagation
  - Social engineering
    • Standard (emails with e-cards), innovative (torrents offering key generators slipstreamed with malware), or novel (Kraken's use of MSN Messenger)
  - Rapid, short-term exploitation of critical vulnerabilities
    • Conficker/Downadup's use of MS08-067 allowed it to grow to 500,000 hosts in a single week
Overview Cont'd
• Installation
  - Thread injection into a benign/trusted process
    • Can be part of the unpacking process (code is deobfuscated into a newly allocated section)
    • Internet Explorer is a common target for malware that needs to get out through an (authenticated) web proxy
• Activities
  - Information theft, spam, DDoS
  - Rogue AV software sales
    • Affiliate programs offer commissions as high as 90%
    • Using botnets as the installation medium can earn individuals $100,000/week
Functional Definition
• Malicious software is the centerpiece of current threats on the Internet
  - Botnets (spamming, DDoS, etc.)
  - Information Theft
  - Surveillance and Espionage
• Used by Criminals
  - Criminal Infrastructure
  - Domain of Organized Crime
• Used by Nations
  - Cyber Warfare
Propagation Strategies
• Visiting "Safe" Websites
  - Reading USAToday.com results in malware on your computer
• What happened?
  - USAToday.com ad network compromised
  - Visitors served malicious JavaScript bundled with an ad for Roxio Creator 2009
  - Users automatically directed to a Rogue AV website through a malicious traffic distribution system
    • Neither clicking on nor hovering over the ad was required to activate the code
Propagation Strategies
• Case Study: Alexa Top-ranked Domains
  - System created to examine the Alexa top 25,000 domains each day
  - Browser inside a virtual machine (VM) forced to visit each domain
  - Network actions following the visit used to determine whether a drive-by download occurred
• February 2012
  - 58 of the Alexa top 25,000 domains resulted in drive-by downloads
  - 10.5M users served malicious content
  - 1.6M likely compromised
Propagation Strategies Cont'd
• "Feature-minded" Software Vendors
  - Executive receives an email with a PDF attachment
    • The email's subject and the recipient's ethnicity compel him to view the attachment
  - PDF contains an embedded, malicious Flash movie which exploits Acrobat Reader's Flash interpreter, compromises the system and phones home to the controller
  - Soon after, compromised, legitimate websites are found hosting drive-by attacks that use the same flaw to exploit Flash Player
  - Vulnerability traced back to a bug reported to Adobe eight months prior
Propagation Strategies Cont'd
• "Uninformed" Users
  - Waledac's email campaigns
    • Use of geo-location and temporally relevant events (e.g., bomb blast in <your city>, July 4th fireworks videos) to make attacks more compelling
Traditional Defense-in-Depth
• Network-Level Protection
  - Firewall
    • Evaded by C&C protocol congruency (C&C traffic rides the same protocols the firewall already has to permit)
  - IPS/IDS
    • Evaded by custom encodings
• Host-Level Protection
  - User Access Control
    • Analogous to "informed consent"
  - AntiVirus
    • Uses complex, heuristics-based detection along with signature matching
Malware Obfuscation
• Often referred to as "packing"
  - A technique whereby parts or all of an executable file are compressed, encrypted, or transformed in some fashion
  - Code that reverses the pre-runtime transformation is included in the executable
[Figure: packing. Program A's machine code (PUSH EBP; MOV EBP, ESP; SUB ESP, 8; CALL 00401170; ...) is fed through an obfuscation tool that encrypts, compresses or otherwise transforms it. The output, Program A', consists of deobfuscation code (<Deobs Code>) followed by the transformed machine code, which appears as data.]
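The "appears as data" property in the diagram is exactly what entropy-based packer detection keys on. The following is an added example, not code from the slides: it scores a section's byte entropy, both whole and in fixed windows, so that a Program A'-style layout (a small deobfuscation stub followed by transformed bytes) is still flagged. The threshold, the prologue bytes and the hash-chain stand-in for transformed code are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Assumed threshold (not from the slides): native x86 code scores roughly
# 5.5-6.5 bits/byte; compressed or encrypted bytes approach the 8.0 maximum.
PACKED_ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy per non-overlapping window: a low-entropy stub followed by a
    high-entropy payload shows up as a step change rather than being averaged away."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def looks_packed(section: bytes, window: int = 1024, min_windows: int = 3) -> bool:
    """Flag a section when at least `min_windows` windows exceed the threshold."""
    hot = sum(1 for h in windowed_entropy(section, window) if h >= PACKED_ENTROPY_THRESHOLD)
    return hot >= min_windows

def classify(sections: dict) -> dict:
    """Whole-section entropy plus the windowed packed verdict, per section."""
    return {name: {"entropy": round(shannon_entropy(data), 2), "packed": looks_packed(data)}
            for name, data in sections.items()}

# Constructed stand-in for Program A: the prologue from the slide's diagram
# (PUSH EBP; MOV EBP,ESP; SUB ESP,8; CALL rel32) plus LEAVE; RET, repeated
# as if the section held many small functions.
PROLOGUE = bytes.fromhex("55 8b ec 83 ec 08 e8 00 00 00 00 c9 c3")
PROGRAM_A_TEXT = PROLOGUE * 320

def constructed_transformed_bytes(length: int, seed: bytes = b"demo") -> bytes:
    """Deterministic pseudo-random filler (a SHA-256 hash chain) standing in
    for the encrypted or compressed body a packer emits; not a real packer."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])

# Constructed stand-in for Program A': a short deobfuscation stub (the same
# prologue bytes reused as stand-in code) followed by transformed machine code.
PROGRAM_A_PRIME_TEXT = PROLOGUE * 10 + constructed_transformed_bytes(4096)
```

Calling `classify({"Program A": PROGRAM_A_TEXT, "Program A'": PROGRAM_A_PRIME_TEXT})` reports the original section well under the threshold and the transformed one above it; in practice the per-section scores are read from the PE section table of a real sample.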
Obfuscation Impact on AntiVirus
• Novel obfuscations easily evade AV
• Example: Project ZeroPack
  - Proof-of-concept obfuscation tool
    • Makes malware appear benign to AV tools
  - Developed for DefCon 16's Race to Zero contest
ZeroPack
Scalable, Effective Malware Distribution
• Server-side Polymorphism
  - Attacks the heart of the traditional host-based AV model by automating mutations on the distribution server
• When done professionally: Waledac
[Figures: Waledac samples collected on 12/30/2008 and on 2/25/2009]
Malware Complexity
• Stuxnet
  - Nation-state created malware
  - Multiple zero-day arbitrary code execution exploits
    • Private network, removable media propagation
  - Multiple zero-day privilege escalation exploits
    • Rootkit components with stolen code-signing certificates from Realtek and JMicron
• Botnet 'T' (now known as Shady RAT)
  - Used for data exfiltration
  - No packing obfuscations
    • AV detections still < 50%
  - Centralized C&C
    • Hosted on a four-year-old legitimate, compromised realty website
    • Commands via HTTP comments
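Both the firewall point on the Defense-in-Depth slide (C&C that is protocol-congruent with ordinary web browsing passes allow/deny rules) and Shady RAT's commands hidden in HTTP comments argue for inspecting response content rather than just destinations. The following is an added example, not code from the slides or from any real C&C analysis: it pulls HTML comments out of a response body and flags those shaped like an encoded command. The token-length and entropy thresholds, the sample page and the base64 blob are constructed assumptions; the slides do not state which encoding Shady RAT used.

```python
import base64
import hashlib
import math
import re
from collections import Counter

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Assumptions (not from the slides): a hidden command is one long, opaque,
# space-free token, while developer comments are short phrases with spaces.
MIN_TOKEN_LEN = 32
MIN_CHAR_ENTROPY = 4.0

def char_entropy(s: str) -> float:
    """Shannon entropy in bits per character of `s` (0.0 for empty)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def extract_comments(html: str) -> list:
    """Return the text of every HTML comment, whitespace-trimmed."""
    return [m.strip() for m in COMMENT_RE.findall(html)]

def is_opaque_token(comment: str) -> bool:
    """True when the comment is a single long, high-entropy, space-free token:
    the shape of an encoded command rather than a human note."""
    return (len(comment) >= MIN_TOKEN_LEN
            and not any(ch.isspace() for ch in comment)
            and char_entropy(comment) >= MIN_CHAR_ENTROPY)

def scan_response_body(html: str) -> list:
    """Comments in an HTTP response body that look like hidden commands."""
    return [c for c in extract_comments(html) if is_opaque_token(c)]

# Constructed sample page standing in for a compromised legitimate site.
# The "command" is base64 of a SHA-256 hash chain: a synthetic opaque blob.
_blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))
FAKE_COMMAND_COMMENT = base64.b64encode(_blob).decode()
SAMPLE_HTML = f"""<html><head><title>Example Realty Listings</title></head>
<body>
<!-- Begin listings widget -->
<div id="listings">3 bed / 2 bath, call for details</div>
<!-- Copyright 2009 Example Realty. All rights reserved. -->
<!-- {FAKE_COMMAND_COMMENT} -->
</body></html>"""
```

Run over a proxy's captured response bodies, `scan_response_body` surfaces pages worth a closer look even though the request itself was ordinary HTTP to a reputable host.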
Malware Analysis
• There is a pronounced need to understand malicious software behavior
• Malware analysis is the basis for understanding the intentions of malicious programs
  - Threat Discovery and Analysis
  - Compromise Detection
  - Forensics and Asset Remediation
• Malware authors are incentivized to make analysis challenging
  - Direct financial motivation
Analyzer Detection Prevalence
• Analysis tool/environment detection is a standard malware feature
Malware Network Takedowns Cont'd
• Case Study: Mariposa
  - Large, data-stealing botnet
  - Used to steal credit card and banking information
    • Compromises in half of the Fortune 1000
  - Before takedown, over 1M members
Mariposa Cont'd
• Takedown Timeline
  - Spring 2009: Mariposa discovery
  - Fall 2009: International Mariposa Working Group (MWG) formed
    • Defence Intelligence, GTISC, Panda Antivirus, FBI, Guardia Civil (Spanish LEO)
  - December 2009: All C&C domains shut down and sinkholed within hours of the first
    • Operators panic; log into domain management services from home systems
    • Warrants issued to operators' ISP
  - January 2010: Operators arrested
    • 800,000 financial credentials found on one operator's home systems
Closing Thoughts
• Today's malware author/operator is more motivated and resourceful than ever before
• The increasing complexity of systems and software prevents their understanding from being compartmentalized within a single person or group
• Understanding modern malicious software can promote the creation of malware-resistant systems
Questions?