Agenda
 - Threat Landscape
 - Attack Graphing
 - Protection Graphing
 - Anti-Virus?
 - HTML5 Malware with Evasion
 - Advanced Malware Detection
Threat Landscape
New malware samples grew 22% from Q4 2012 to Q1 2013. In 2012, new malware sample discoveries increased 50% over 2011.
[Chart: new malware samples per quarter, Q1 2010 to Q1 2013; y-axis 0 to 6,000,000 samples]
Attack Graph (web-borne malware)
First Contact
 - User visits untrusted web site: Blackhat SEO, malicious ad, URL in forum posting, clickjacking, etc.
 - User visits trusted web site
 - Man in the middle (wired)
 - Phishing attack
 -> User visits page with malicious content
Local Execution
 - Browser vulnerability: ActiveX or BHO/plugin exploits
 - Convince user to run executable
 -> Malicious code execution
Establish Presence
 - Download and install additional malware
 - Persist on the system: modify existing service, install service, add BHO or Explorer extension, etc.
 - Self-preservation: disrupt security software or updates, rootkit techniques, process injection, man-in-the-browser, etc.
 -> Malware remains active in system
Malicious Activity
 - Propagate to another system: copy to file share, network service exploit
Example: Stuxnet
First Contact
 - Physical access to hardware (e.g. stolen laptop, Evil Maid attack)
 - Insert physical media (e.g. USB drive)
 - Send unsolicited message (Facebook, IM, email)
 - User visits untrusted site (e.g. Blackhat SEO)
 - User visits trusted web site (e.g. XSS vulnerability)
 - Access the target's LAN (public WAP)
 - Compromise another system
Local Execution
 - User visits page with malicious content
 - Message reader vulnerability
 - Execute from removable media: Autorun
 - OS exploit: LNK exploit (0-day), CVE-2010-2568
 - Windows Server Service RPC exploit, CVE-2008-4250
 - Modify server filesystem / use the default password on the WinCC MS SQL database
 -> Malicious code execution
Establish Presence
 - Propagate to the system
 - Persist on the system: install service, add BHO or Explorer extension, registry change (e.g. AppInit_DLLs), etc.
 - Download and install additional malware
 - Privilege escalation
 - Self-preservation: disrupt security software or updates; disable admin apps (Task Manager, Safe Mode, etc.); hide via user-mode hooks, kernel hooks (SSDT, IDT, IRP, etc.), process injection, or a signed driver or binary
 Stuxnet specifics: hides its malicious LNK files; updates and other code can be run; uses RPC to propagate updates to other systems on the LAN
Malicious Activity
 - Bot services: remote access, DDoS, send spam, open proxy
 - Command and control: IRC, HTTP, P2P, Twitter, etc.
 - Ads displayed, click fraud; user pays for fake AV
 - Identity theft / financial fraud; transmit captured data
 - Industrial espionage, sabotage
 Stuxnet specifics: injects code into Step7; alters the code blocks written out to the PLC and hides the changes from the user
Attack Graph: the four phases
First Contact: Physical Access, Unsolicited Message, Malicious Website, Network Access. How the attacker first crosses paths with the target.
Local Execution: Exploit, Social Engineering, Configuration Error. How the attacker gets code running for the first time on the target machine.
Establish Presence: Download Malware, Escalate Privilege, Persist on System, Self-Preservation. How the attacker persists code on the system: surviving reboot, staying hidden from the user and from security software.
Malicious Activity: Propagation, Bot Activities, Adware & Scareware, Identity and Financial Fraud, Tampering. The business logic, what the attacker wants to accomplish: steal passwords, bank fraud, purchase of fake AV.
Protection Graph
The same four phases and nodes, with protections overlaid on the nodes they block:
First Contact: Website, Network Access
Local Execution: Exploit, Social Engineering, Configuration Error
Establish Presence: Download Malware, Escalate Privilege, Persist on System, Self-Preservation
Malicious Activity: Adware & Scareware, Identity & Financial Fraud, Tampering
Controls on the graph:
 - McAfee VirusScan Enterprise: file scanning
 - Write blocking
 - McAfee Application Control for Servers or Desktops: install and execution prevention, change protection
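The attack graph and protection graph slides above describe a structure, not a procedure, so here is the analysis they imply, as an added example that is not part of the deck: the Stuxnet nodes from the example slide as a directed graph, a control modelled as the set of nodes it removes, and two questions a practitioner actually asks of a protection graph, which attack paths survive a given set of controls and at which phase each blocked path is stopped. Node names follow the deck; the control-to-node mapping in PROTECTIONS (disabling Autorun, patching MS08-067, file scanning on the LNK, change protection on the persistence nodes, execution prevention on malicious code execution) is an assumption made for this example, not a product claim.

```python
"""Attack graph with a protection overlay, using the deck's Stuxnet nodes.

Added example, not part of the original deck. Edges run First Contact ->
Local Execution -> Establish Presence -> Malicious Activity. A control is
modelled as the set of nodes it removes from the graph; the mapping of
controls to nodes in PROTECTIONS is an assumption for the example.
"""

PHASES = ["First Contact", "Local Execution", "Establish Presence", "Malicious Activity"]

# Node -> phase index. "Malicious code execution" sits in Local Execution, as in the deck.
NODE_PHASE = {
    "insert_removable_media": 0, "access_target_lan": 0, "compromise_another_system": 0,
    "autorun_execute": 1, "lnk_exploit_cve_2010_2568": 1,
    "server_service_rpc_cve_2008_4250": 1, "wincc_default_password": 1,
    "malicious_code_execution": 1,
    "install_service": 2, "registry_appinit_dlls": 2, "signed_driver_rootkit": 2,
    "inject_step7": 3, "alter_plc_code": 3,
}

# Directed edges between nodes (adjacency list).
EDGES = {
    "insert_removable_media": ["autorun_execute", "lnk_exploit_cve_2010_2568"],
    "access_target_lan": ["server_service_rpc_cve_2008_4250"],
    "compromise_another_system": ["wincc_default_password"],
    "autorun_execute": ["malicious_code_execution"],
    "lnk_exploit_cve_2010_2568": ["malicious_code_execution"],
    "server_service_rpc_cve_2008_4250": ["malicious_code_execution"],
    "wincc_default_password": ["malicious_code_execution"],
    "malicious_code_execution": ["install_service", "registry_appinit_dlls", "signed_driver_rootkit"],
    "install_service": ["inject_step7"],
    "registry_appinit_dlls": ["inject_step7"],
    "signed_driver_rootkit": ["inject_step7"],
    "inject_step7": ["alter_plc_code"],
}
ENTRY_NODES = ["insert_removable_media", "access_target_lan", "compromise_another_system"]
GOAL = "alter_plc_code"

# Assumed control -> blocked-node mapping (illustrative, not a vendor mapping).
PROTECTIONS = {
    "disable_autorun": {"autorun_execute"},
    "patch_ms08_067": {"server_service_rpc_cve_2008_4250"},
    "file_scanning": {"lnk_exploit_cve_2010_2568"},        # signature on the malicious LNK
    "change_protection": {"install_service", "registry_appinit_dlls"},
    "execution_prevention": {"malicious_code_execution"},  # allow-list: unknown code never runs
}


def enumerate_paths(edges=EDGES, entries=ENTRY_NODES, goal=GOAL):
    """Every simple path from an entry node to the goal, by depth-first search."""
    paths = []

    def walk(node, path):
        path = path + [node]
        if node == goal:
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:  # keep paths simple (no cycles)
                walk(nxt, path)

    for entry in entries:
        walk(entry, [])
    return paths


def blocked_nodes(deployed, protections=PROTECTIONS):
    """Union of the nodes removed by the deployed controls."""
    return set().union(*(protections[name] for name in deployed))


def first_blocked(path, blocked):
    """The earliest node on the path that a control removes, or None."""
    return next((n for n in path if n in blocked), None)


def surviving_paths(deployed, protections=PROTECTIONS):
    """Attack paths that reach the goal despite the deployed controls."""
    blocked = blocked_nodes(deployed, protections)
    return [p for p in enumerate_paths() if first_blocked(p, blocked) is None]


def coverage(deployed, protections=PROTECTIONS):
    """Count surviving paths and, for blocked ones, the phase at which they are stopped.
    Stopping earlier is the deck's 'lower cost by catching threats earlier'."""
    blocked = blocked_nodes(deployed, protections)
    stopped = {phase: 0 for phase in PHASES}
    survived = 0
    for path in enumerate_paths():
        node = first_blocked(path, blocked)
        if node is None:
            survived += 1
        else:
            stopped[PHASES[NODE_PHASE[node]]] += 1
    return {"survived": survived, "stopped_at": stopped}


if __name__ == "__main__":
    for deployed in ([], ["disable_autorun", "patch_ms08_067"], ["change_protection"], ["execution_prevention"]):
        print(deployed, coverage(deployed))
    for path in surviving_paths(["disable_autorun", "patch_ms08_067", "file_scanning"]):
        print("uncovered:", " -> ".join(path))
```

Run as a script it prints, for each control set, how many of the twelve end-to-end paths survive and where the rest are cut; with Autorun disabled, MS08-067 patched and the LNK signature in place, the three paths that enter through a compromised neighbour and the WinCC default password still reach the PLC, which is the kind of gap the protection graph is meant to expose.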
What is Sandboxing?
Run a suspect file in a safe (virtual) environment; analyze the actual behaviour of any unknown file; report on the intent of any file, malicious or not.
Flow: UNKNOWN file -> SANDBOX -> verdict: SAFE or MALWARE
Dynamic Analysis
Observe registry modifications, network communications, process activities and file system changes. Verdict: SAFE or MALWARE.
Static Analysis
Unpacking; static analysis of the disassembled code; discovery of latent code and hidden logic paths; graphing. Verdict: SAFE or MALWARE.
[Chart: Depth of Analysis (y-axis) against Duration of Analysis (x-axis). Points, from shallowest and fastest to deepest and slowest: Anti-Malware, Emulation engine, Static and dynamic code analysis, Advanced Sandboxing]
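The dynamic-analysis slide lists what a sandbox observes but not how those observations become a verdict, and the static-analysis slide points at the gap dynamic analysis leaves (latent code and hidden logic paths that never execute inside the analysis window). The following is an added example, not code from the deck or from any sandbox product, that closes that loop: it scores a behaviour report against the indicators the attack graph names (Run-key and AppInit_DLLs persistence, service installation, dropped driver, process injection, disabling admin tools, command and control) and flags evasion (virtual-machine fingerprinting, sleeps longer than the analysis budget) so that a quiet run of an evasive sample is reported as inconclusive rather than safe. The report schema, the three sample reports, the rule weights and the thresholds are all constructed for this example; real sandboxes emit their own formats.

```python
"""Score a sandbox behaviour report against the deck's attack-graph indicators.

Added example, not from the deck or any vendor product. The report is a
constructed dict with the four observation classes the deck lists plus a
list of API calls and sleep durations; the rules, weights and thresholds
are illustrative choices.
"""
import re

RULES = []  # (label tied to an attack-graph node, weight, predicate)


def rule(label, weight):
    """Register a predicate over a report under an attack-graph label."""
    def register(fn):
        RULES.append((label, weight, fn))
        return fn
    return register


def _any(patterns, items):
    return any(re.search(p, s, re.I) for p in patterns for s in items)


@rule("Establish Presence: persist via Run key or AppInit_DLLs", 3)
def persist_registry(rep):
    return _any([r"\\(Run|RunOnce)\\[^\\]+$", r"\\AppInit_DLLs$"], rep["registry_writes"])


@rule("Establish Presence: install service", 3)
def install_service(rep):
    return _any([r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$"], rep["registry_writes"])


@rule("Establish Presence: drop kernel driver", 3)
def drop_driver(rep):
    return _any([r"\\drivers\\[^\\]+\.sys$"], rep["files_written"])


@rule("Self-preservation: process injection", 3)
def process_injection(rep):
    return {"WriteProcessMemory", "CreateRemoteThread"} <= set(rep["api_calls"])


@rule("Self-preservation: disable admin tools", 2)
def disable_admin_tools(rep):
    return _any([r"\\Policies\\System\\Disable(TaskMgr|RegistryTools)$"], rep["registry_writes"])


@rule("Malicious Activity: command and control", 2)
def command_control(rep):
    # IRC port, or plain HTTP to a bare IPv4 address rather than a hostname.
    for c in rep["network"]:
        if c["port"] == 6667 or (c["proto"] == "http" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", c["dst"])):
            return True
    return False


EVASION_PATTERNS = [r"VBOX", r"VMware", r"VirtualBox", r"Xen"]


def evasion_indicators(rep, sleep_budget_ms=120_000):
    """Signs that the observed run may not reflect the sample's real behaviour."""
    found = []
    if _any(EVASION_PATTERNS, rep["registry_reads"]):
        found.append("virtual machine fingerprinting")
    if sum(rep.get("sleeps_ms", [])) > sleep_budget_ms:
        found.append("sleep exceeds analysis window")
    return found


def analyze(rep, sleep_budget_ms=120_000):
    """Return verdict, score, matched rule labels and evasion indicators for one report."""
    hits, score = [], 0
    for label, weight, pred in RULES:
        if pred(rep):
            hits.append(label)
            score += weight
    evasion = evasion_indicators(rep, sleep_budget_ms)
    if score >= 6:
        verdict = "malicious"
    elif score >= 3:
        verdict = "suspicious"
    elif evasion:
        verdict = "inconclusive"  # quiet run plus evasion: latent code likely; extend duration or go static
    else:
        verdict = "safe"
    return {"verdict": verdict, "score": score, "hits": hits, "evasion": evasion}


# Constructed sample reports (names and addresses invented; 203.0.113.0/24 is documentation space).
SAMPLE_STUXNET_LIKE = {
    "registry_writes": [r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
                        r"HKLM\SYSTEM\CurrentControlSet\Services\svcmgr\ImagePath"],
    "registry_reads": [],
    "files_written": [r"C:\Windows\System32\drivers\svcmgr.sys"],
    "api_calls": ["WriteProcessMemory", "CreateRemoteThread", "CreateServiceW"],
    "network": [{"proto": "http", "dst": "203.0.113.10", "port": 80}],
    "sleeps_ms": [],
}
SAMPLE_INSTALLER = {
    "registry_writes": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp\DisplayName"],
    "registry_reads": [r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"],
    "files_written": [r"C:\Program Files\ExampleApp\app.exe"],
    "api_calls": ["CreateFileW", "RegSetValueExW"],
    "network": [{"proto": "https", "dst": "updates.example.com", "port": 443}],
    "sleeps_ms": [],
}
SAMPLE_EVASIVE = {
    "registry_writes": [],
    "registry_reads": [r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
                       r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "files_written": [],
    "api_calls": ["RegQueryValueExW", "Sleep"],
    "network": [],
    "sleeps_ms": [600_000],
}

if __name__ == "__main__":
    for name, rep in [("stuxnet-like", SAMPLE_STUXNET_LIKE), ("installer", SAMPLE_INSTALLER), ("evasive", SAMPLE_EVASIVE)]:
        print(name, analyze(rep))
```

The evasive sample is the case that matters on the depth-versus-duration chart: it scores zero on behaviour, so a behaviour-only verdict would call it safe; the inconclusive verdict is what should route it to a longer run or to static analysis of the disassembled code.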
Conclusion
 - Attacks follow four phases.
 - Step 1: lower cost by catching threats earlier (better, cheaper).
 - AV is not sufficient for today's threats; it serves its purpose, but not all anti-malware engines are created equal.
 - Multi-layer protection is needed: defense in depth.