Threat Rules Sharing
Advanced Threats Research
Trend Micro Confidential, 9/23/2015 (04/19/23)
Copyright 2007 - Trend Micro Inc.

Classification: What threats do we cover?
Prevalent Threat Types:
• Downloaders
• BOTs
• Spyware / Grayware
• Backdoors
• Mass Mailers
• Phishing
• Exploits
• Hacking
Classification: How detections are organized
Detection Threat Categories and Sub Categories:
– Known Security Risks
  • Virus/Malware (VSAPI, Network Virus Patterns)
  • Spyware/Grayware (VSAPI/SSAPI)
– Potential Security Risks
  • Virus/Malware
  • Spyware/Grayware
  • Fraud
  • Other
What characteristics are we looking for: Downloaders
• Packed / compressed executables
• Names of downloaded files belong to system files (svchost.exe, winlogon.exe, lsass.exe)
• File extension does not match the expected file type (JPG extension but the file is actually an EXE)
What characteristics are we looking for: Spyware/Grayware
• Unique / unknown HTTP user-agents
• Names of downloaded files belong to trademarked/copyrighted spyware applications (Gain, Media Motor, Hotbar, SpySheriff)
• Unexpected type of traffic (SMTP relay traffic, DNS MX queries appearing on workstations)
What characteristics are we looking for: Backdoors
• Rogue services (unauthorized SMTP, HTTP servers)
• Opened ports
• Loopback command shells (DOS shell visible in the network traffic)
• Non-standard service ports (HTTP traffic on a non-HTTP port)
What characteristics are we looking for: Mass mailers
• Attachments with long filenames (space padded)
• File extensions do not match the expected file type
• File inside archive attachment contains a double extension
• Packed files
What characteristics are we looking for: Bots
• IRC traffic (policy violations)
• Protocol mismatches (IRC traffic on port 8080, the HTTP proxy port)
• Non-standard service ports (HTTP traffic on non-HTTP ports)
• File transfers to blacklisted domains
What characteristics are we looking for: Hacking
• Password guessing
• Exploit attempts
• DNS poisoning
• Network flooding
Mitigable Threat Rules

Policy ID | Mitigation                    | Condition
1         | Known external attacks        | Internal computer downloading Malware/Spyware via HTTP protocol
2         | Known external attacks        | Internal computer downloading Malware via FTP protocol
3         | Known internal detections     | Internal computer propagating Malware via SMB (network share) protocol
4         | Known internal detections     | Internal computer propagating Malware via SMTP protocol
5         | Known internal detections     | Internal computer propagating Malware via IM protocols
6         | Known internal detections     | Internal computer attacking the network with network viruses
7         | Potential external attacks    | Internal computer downloading potential threats via HTTP protocol
8         | Potential internal detections | Internal computer propagating via SMB (network share) protocol
9         | Potential internal detections | Internal computer propagating potential threats via SMTP protocol
10        | Potential internal detections | Internal computer attacking the network with potential network viruses/exploits
11        | Potential internal detections | Internal computer infected by BOT
12        | Potential internal detections | Internal computer compromised by Exploit or infected by Backdoor
13        | Potential internal detections | Internal computer infected by potential Downloader
Policy 7: Internal computer downloading potential threats via HTTP protocol
Rule 23 - Downloaded file matches malware-used filenames
Rule 66 - HTTP download found file type mismatch & file content is EXE

Scenario (diagram): Malicious Website -> Internet -> Corporate Network. Rules 23 and 66 fire on the HTTP download; example detections: TROJ_DLOADER, TROJ_AGENT, WORM_STRAT.
Policy 8: Internal computer propagating via SMB (network share) protocol
Rule 8 - Packed executable file dropped on a network share

Scenario (diagram): Corporate Network; a packed executable is dropped on the Admin$ and C$ shares. Example detections: WORM_AGOBOT, PE_LOOKED.
Policy 9: Internal computer propagating potential threats via SMTP protocol
Rule 9 - Suspicious archive file found & file type mismatched & file content is EXE
Rule 12 - Suspicious archive file found & filename found with suspicious double-extensions
Rule 13 - Suspicious archive file found & filename found with suspicious long filename
Rule 55 - Suspicious filename found & filename found with suspicious long filename & file content is EXE
Rule 72 - Email contains a suspicious link to a possible Phishing site

Scenario (diagram): External Mail Server -> Internet -> Internal Mail Server -> Corporate Network. Example detections: WORM_NETSKY, WORM_MYTOB, WORM_AGOBOT.
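The file-based characteristics from the Downloaders and Mass mailers slides, labelled with the rule numbers the deck uses in Policies 7 and 9, as an added example that is not Trend Micro's code. Each rule's logic is inferred from its one-line name; the extension lists, the executable-extension set and the 10-space padding threshold are assumptions.

```python
"""Added example, not Trend Micro's code: file checks for the Downloaders and
Mass mailers characteristics, labelled with the Policy 7 and 9 rule numbers.
Each rule's logic is inferred from its one-line name on the slide."""
import os
import re

# Windows system process names that the Downloaders slide says droppers reuse.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe"}
# Declared extensions whose content should never be a PE executable (assumed list).
NON_EXE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc"}
# "name.txt.exe" or "name.jpg    .exe": second extension is executable (assumed set).
DOUBLE_EXT = re.compile(r"\.\w{2,4}\s*\.(exe|scr|pif|com|bat|cmd|vbs)$")
# Run of spaces that pushes the real extension out of view; threshold is constructed.
SPACE_PADDED = re.compile(r" {10,}")


def is_pe(content: bytes) -> bool:
    """A Windows executable starts with the 'MZ' DOS header whatever its extension."""
    return content[:2] == b"MZ"


def check_file(filename: str, content: bytes, channel: str) -> list[str]:
    """Return the slide rules a file triggers; channel is 'http' (Policy 7) or
    'smtp' (Policy 9, a file extracted from a mail attachment archive)."""
    name = filename.rsplit("/", 1)[-1]
    lname = name.rstrip().lower()
    ext = os.path.splitext(lname)[1]
    mismatch = ext in NON_EXE_EXTS and is_pe(content)
    hits = []
    if lname in SYSTEM_NAMES:
        hits.append("filename matches a Windows system file (Downloaders slide)")
    if channel == "http" and mismatch:
        hits.append("Rule 66 - HTTP download found file type mismatch & file content is EXE")
    if channel == "smtp":
        if mismatch:
            hits.append("Rule 9 - Suspicious archive file found & file type mismatched & file content is EXE")
        if DOUBLE_EXT.search(lname):
            hits.append("Rule 12 - Suspicious archive file found & filename found with suspicious double-extensions")
        if SPACE_PADDED.search(name):
            hits.append("Rule 13 - Suspicious archive file found & filename found with suspicious long filename")
            if is_pe(content):
                hits.append("Rule 55 - Suspicious filename found & filename found with suspicious long filename & file content is EXE")
    return hits


if __name__ == "__main__":
    # Constructed samples: a "JPEG" that is really a PE, and a space-padded mail attachment.
    print(check_file("/images/banner.jpg", b"MZ\x90\x00", "http"))
    print(check_file("holiday.jpg" + " " * 30 + ".exe", b"MZ\x90\x00", "smtp"))
```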
Policy 10: Internal computer attacking the network with potential network viruses/exploits
Rule 67 - Cross-Site Scripting (XSS) found
Rule 68 - Oracle HTTP Exploit found

Scenario (diagram): Corporate Network; labels: Exploit, Command Shell, HACKER TOOLS.
Policy 11: Internal computer infected by BOT
Rule 7 - IRC BOT commands found
Rule 26 - IRC session established with a known bad C&C

Scenario (diagram): Corporate Network -> Internet -> IRC Server. Rules 7 and 26 fire on the IRC session; example detection: WORM_IRCBOT.EN.
Policy 12: Internal computer compromised by Exploit or infected by Backdoor
Rule 17 - Suspicious Remote Command Shell found

Scenario (diagram): Corporate Network; labels: Exploit, Command Shell. Example detections: WORM_MSBLAST, WORM_SASSER.
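The network characteristics from the Backdoors and Bots slides (protocol mismatch, non-standard service port, DOS shell visible in traffic, which is what Rule 17 of Policy 12 looks for), run over constructed flow records, as an added example that is not Trend Micro's code. The expected port sets, the command/banner patterns and the sample flows are assumptions; the deck itself only names 8080 as the HTTP proxy port.

```python
"""Added example, not Trend Micro's code: the protocol-mismatch, non-standard
port and visible-command-shell characteristics from the Backdoors and Bots slides
(Rule 17 of Policy 12), applied to constructed (dport, client bytes, server bytes) flows."""
import re

# Expected ports are assumed; the deck itself only names 8080 as an HTTP proxy port.
HTTP_PORTS = {80, 8080, 3128}
IRC_PORTS = set(range(6660, 6670))
# IRC-only client commands, and an HTTP request line, independent of the port used.
IRC_RE = re.compile(rb"^(NICK|JOIN|PRIVMSG|MODE) ", re.M)
HTTP_RE = re.compile(rb"^(GET|POST|HEAD|CONNECT) \S+ HTTP/1\.[01]\r?\n")
# A Windows command interpreter banner or drive prompt coming back from the server side.
SHELL_RE = re.compile(rb"Microsoft Windows \[Version|^[A-Z]:\\[^>\r\n]*>", re.M)


def classify(client_bytes: bytes) -> str:
    """Name the application protocol from the client's opening bytes, ignoring the port."""
    if HTTP_RE.match(client_bytes):
        return "http"
    if IRC_RE.search(client_bytes):
        return "irc"
    return "unknown"


def inspect_flow(dport: int, c2s: bytes, s2c: bytes = b"") -> list[str]:
    """Return the slide characteristics that one TCP flow exhibits."""
    hits = []
    proto = classify(c2s)
    if proto == "irc":
        hits.append("IRC traffic (policy violation)")
        if dport not in IRC_PORTS:
            note = " (HTTP proxy port)" if dport in HTTP_PORTS else ""
            hits.append(f"Protocol mismatch: IRC traffic on port {dport}{note}")
    if proto == "http" and dport not in HTTP_PORTS:
        hits.append(f"Non-standard service port: HTTP traffic on port {dport}")
    if SHELL_RE.search(s2c):
        hits.append("Command shell visible in network traffic (Rule 17)")
    return hits


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    (8080, b"NICK x1234\r\nUSER x 0 * :x\r\nJOIN #chan\r\n", b""),
    (4444, b"GET /update.exe HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n", b""),
    (31337, b"dir\r\n", b"Microsoft Windows [Version 5.1.2600]\r\nC:\\WINDOWS\\system32>"),
]

if __name__ == "__main__":
    for dport, c2s, s2c in SAMPLE_FLOWS:
        print(dport, inspect_flow(dport, c2s, s2c))
```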
Policy 13: Internal computer infected by potential Downloader
Rule 88 - HTTP requests attempted to download known Malware-used filenames

Scenario (diagram): Malicious Website -> Internet -> Corporate Network. Rule 88 fires on the HTTP request; example detections: TROJ_DLOADER, TROJ_AGENT.
Thank You