Threat Landscape

John ShierSr. Security Advisor@john_shierMarch 2017, Infosec BE

The Problem

Symptoms and Causes

ANNUAL NEW MALWARE

SAMPLES100,000,000’s

ANNUAL KNOWN EXPLOITS (CVE’S) 1,000’s

CUMULATIVE KNOWN EXPLOIT TECHNIQUES 10’s

5

Top 10 detections: BelgiumMalformed doc

Infected archive

Conficker

Browser hijacker

Jenxcus botnet

Shortcut trojan

IRC bot

Bundpil worm

Dropper

Phishing

6

What are we facing?

The Tools

7

Phishing

9

How not to phish

10

Modern phishing

11

Modern phishing

http://www.kbc.be.vvsmbk.info/bestellen

12

HD phishing

13

Paypal

14

Amazon

15

Apple

Document malware

16

17

Curiosity infected the cat

18

Curiosity infected the cat

19

Curiosity infected the cat

20

It’s guaranteed!

21

Build Your Own 2.0

The Infrastructure

Malvertising

Exploit kits

25

26

A decade of misery

2006 2013 2016

27

Angler EK

28

Lurk banking trojan

Exploit Kits (2016)1H2016

Angler Nuclear NeutrinoMagnitude RIG Other

2H2016

RIG Neutrino Other

Exploits (January 2017)• Magnitude• Neutrino-v

• RIG, RIG-E

• Sundown

• Bizarro Sundown

CVE-2016-0189

CVE-2014-6332

CVE-2016-4117

CVE-2016-1019

CVE-2015-8651

CVE-2016-4117

CVE-2016-0189

CVE-2016-7200

CVE-2016-7201

CVE-2016-0189

CVE-2015-8651

CVE-2015-5122

CVE-2013-2551

CVE-2014-6332

CVE-2015-2419

CVE-2016-4117

CVE-2015-5119

CVE-2016-0034

CVE-2016-7200

CVE-2016-7201

CVE-2016-0189 CVE-2016-4117

CVE-2015-5119

Flash Edge Silverlight IE Windows LPE

The Payloads

31

32

Remote access trojans

33

Honour amongst thieves

34

Dridex

BetaBot

Ransomware

36

37

Ransomware

</>

Command andControl Server

Malware Distribution

Server

38

Ransomware

abc exe abc

abc abc dll

Private Key Public Key

RAM

Malware Distribution

Server

Command andControl Server

0100101011010110101010

39

Ransomware

abc exe abc

abc abc dll

Private Key Public Key

Malware Distribution

ServerRAM

#$! exe #$!

#$! #$! dllCommand andControl Server