Malware self protection-matrix

•Transferir como PPTX, PDF•

6 gostaram•869 visualizações

In this Malware's Most Wanted, Cyphort Lab's Marion Marschalek will shed light on malware self-protection. The audience will get an overview of how malware evasion evolved over the years and how malware defense evolved with it, or vice versa as it occasionally happens in the digital arms race. The various observed anti-analysis tricks will be put in relation to the respective counter measures in order to showcase challenges of modern day security products. Marion recently won a speaking contest at Komintern Sect in Stockholm.

Tecnologia

The Malware Self-Protection Matrix
Marion Marschalek
Senior Malware Researcher at Cyphort Labs

Your speakers today
Marion Marschalek
Senior Malware Researcher
Cyphort Labs
Shelendra Sharma
Product Marketing Director

Agenda
o Malware detection evolution
o Malware self-protection
o Wrap-up and Q&A
CyphortLabsT-shirt

Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data

A Digital
Threat
History
http://www.hdbackgroundpoint.com
VIRUS
EXPLOIT
WORM
TROJAN
MULTI-COMPONENT
MALWARE
ADWARE ROOTKIT
SPYWARE
APT
TARGETED
THREAT
SURVEILLANCE
SOFTWARE
INSIDE
THREAT

Checksums
Byte Patterns
Behavior Patterns
Static / Dynamic Heuristics
Whitelisting
Anomalies
Network Streams
Cloud Protection

Virus
Detection
Signature
Product
Computer
Server

Malware Self-Protection
Debugging
Disassembly
Static
Emulation
Sandboxing
Reputation
Anomalies
12
 Debugger detection, sub-processes, thread injection
 Obfuscation
 Packer and crypter
 Emulator detection, time based evasion
 VM detection, modular malware
 Binary updates, targeted malware
 Binary padding, use of legitimate tools

Gladly, most threats make mistakes themselves.

ZEUS
why can‘t
detection
work
%APP%Uwirpa 10.12.2013 23:50
%APP%Woyxhi 10.12.2013 23:50
%APP%Hibyo 19.12.2013 00:10
%APP%Nezah 19.12.2013 00:10
%APP%Afqag 19.12.2013 23:29
%APP%Zasi 19.12.2013 23:29
%APP%Eqzauf 20.12.2013 22:23
%APP%Ubapo 20.12.2013 22:23
%APP%Ydgowa 20.12.2013 22:23
%APP%Olosu 20.12.2013 23:03
%APP%Taal 20.12.2013 23:03
%APP%Taosep 20.12.2013 23:03
%APP%Wokyco 16.01.2014 13:22
%APP%Semi 17.01.2014 16:34
%APP%Uheh 17.01.2014 16:34

Persistence Mechanisms
File Names
Network Connection
Big Picture Detection &
Combination Static/Dynamic Features
SILVER BULLET ...?

Virtual Machine Code Execution
handler13:
ExitProcHresult
...
handler14:
ExitProc
...
handler15:
ExitProcI2
...
... FC C8 13 76 ...

Various packer layers – no static detection
Static detection won‘t work
Reputation & Metadata Features
SILVER BULLET ...?

EXPLOITATION
http://themovieandme.blogspot.com/

Endpoint protection built to detect
repetitive patterns of evil.
Exploit = system corruption
Exploit vs. vulnerability
http://www.wikipedia.com/

TYPICAL DRIVE-BY INFECTION
o hxxp://www.insertyourwebsitehere.com/js/responsive/min/main-
b87ba20746a80e1104da210172b634c4.min.js
o hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755
o hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC
%B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&nrk
=5992423910
o hxxp://g12z4pj3k4k9y4wd517-
ll6.dienami.ru/f/1398361080/5/x007cf6b534e5208040904070007000
80150050f0304045106565601;1;5
o BOOM.

hxxp://www.insertyourwebsitehere.com/js/responsive/
min/main-b87ba20746a80e1104da210172b634c4.min.js
TYPICAL DRIVE-BY INFECTION

hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755
TYPICAL DRIVE-BY INFECTION

hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC%B2
%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&
nrk=5992423910
IE 6, 7, 8 or 9, 10, 11
TYPICAL DRIVE-BY INFECTION

hxxp://g12z4pj3k4k9y4wd517-
ll6.dienami.ru/f/1398361080/5/x007cf6b534e5208
04090407000700080150050f0304045106565
601;1;5
TYPICAL DRIVE-BY INFECTION

(There is none.)
Patching, patching and more patching
An exploit will seldom come alone!
SILVER BULLET ...?

VISIBILITY – KNOW HOW – ACTIONABILITY
LURE
EXPLOIT
INFECT
CALL
HOME
STEAL
DATA
Follow the
kill chain

Mais conteúdo relacionado

Mais procurados

MMW June 2016: The Rise and Fall of Angler Marci Bontadelli

Malware's Most Wanted: Financial TrojansCyphort

Understanding Malware Lateral Spread Used in High Value AttacksCyphort

Malware's Most Wanted: Linux and Internet of Things MalwareCyphort

MMW April 2016 Ransomware Resurgence Cyphort

Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Cyphort

Dissecting CryptowallCyphort

Cyber espionage nation state-apt_attacks_on_the_riseCyphort

MMW Anti-Sandbox TechniquesCyphort

Malware Evasion TechniquesThomas Roccia

42 - Malware - Understand the Threat and How to RespondThomas Roccia

Sophos Day Belgium - The IT Threat Landscape and what to look out forSophos Benelux

Wannacry | Technical Insight and Lessons LearnedThomas Roccia

BSides IR in Heterogeneous EnvironmentStefano Maccaglia

CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacNCCOMMS

Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...HackIT Ukraine

Top 10 exploited vulnerabilities 2019 (thus far...) Jonathan Cran

Malware's Most Wanted: CryptoLocker—The Ransomware TrojanCyphort

CoinMiners are Evasive - BsidesTLVThomas Roccia

Mais procurados (19)

MMW June 2016: The Rise and Fall of Angler

Malware's Most Wanted: Financial Trojans

Understanding Malware Lateral Spread Used in High Value Attacks

Malware's Most Wanted: Linux and Internet of Things Malware

MMW April 2016 Ransomware Resurgence

Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.

Dissecting Cryptowall

Cyber espionage nation state-apt_attacks_on_the_rise

MMW Anti-Sandbox Techniques

Malware Evasion Techniques

42 - Malware - Understand the Threat and How to Respond

Sophos Day Belgium - The IT Threat Landscape and what to look out for

Wannacry | Technical Insight and Lessons Learned

BSides IR in Heterogeneous Environment

CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac

Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...

Top 10 exploited vulnerabilities 2019 (thus far...)

Malware's Most Wanted: CryptoLocker—The Ransomware Trojan

CoinMiners are Evasive - BsidesTLV

Semelhante a Malware self protection-matrix

Malware's most wanted-zberp-the_financial_trojanCyphort

Threat Huntersinfosec train

Cyber Security protection by MultiPoint Ltd.Ricardo Resnik

Symantec cyber-resilienceSymantec

Kaseya Connect 2011 - Malwarebytes - Marcin KleczynskiKaseya

Declaration of Mal(WAR)eNetSPI

Maturing Endpoint Security: 5 Key ConsiderationsSirius

Malware detection how to spot infections early with alien vault usmAlienVault

The Modern Malware Review March 2013- Mark - Fullbright

Problems With Battling Malware Have Been Discussed, Moving...Deb Birch

Security O365 Using AI-based Advanced Threat ProtectionBitglass

Automated Emerging Cyber Threat Identification and Profiling Based on Natural...Shakas Technologies

Unveiling the Shadows: A Comprehensive Guide to Malware Analysis for Ensuring...cyberprosocial

Cyber Security Conference - Microsoft public sector incident response and re...Microsoft

201512 - Vulnerability Management -PCI Best Practices - stepbystepAllan Crowe PCIP

The modern-malware-review-march-2013 Комсс Файквэе

OSB50: Operational Security: State of the UnionIvanti

Why managed detection and response is more important now than everG’SECURE LABS

How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland

sophos-four-key-tips-from-incident-response-experts.pdfDennis Reyes

Semelhante a Malware self protection-matrix (20)

Malware's most wanted-zberp-the_financial_trojan

Threat Hunters

Cyber Security protection by MultiPoint Ltd.

Symantec cyber-resilience

Kaseya Connect 2011 - Malwarebytes - Marcin Kleczynski

Declaration of Mal(WAR)e

Maturing Endpoint Security: 5 Key Considerations

Malware detection how to spot infections early with alien vault usm

The Modern Malware Review March 2013

Problems With Battling Malware Have Been Discussed, Moving...

Security O365 Using AI-based Advanced Threat Protection

Automated Emerging Cyber Threat Identification and Profiling Based on Natural...

Unveiling the Shadows: A Comprehensive Guide to Malware Analysis for Ensuring...

Cyber Security Conference - Microsoft public sector incident response and re...

201512 - Vulnerability Management -PCI Best Practices - stepbystep

The modern-malware-review-march-2013

OSB50: Operational Security: State of the Union

Why managed detection and response is more important now than ever

How to Build and Validate Ransomware Attack Detections (Secure360)

sophos-four-key-tips-from-incident-response-experts.pdf

Mais de Cyphort

MMW June 2016: The Rise and Fall of Angler Cyphort

Machine learning cyphort_malware_most_wantedCyphort

Mmw anti sandbox_techniquesCyphort

Mmw anti sandboxtricksCyphort

If you have three wishesCyphort

The A and the P of the TCyphort

Malware's Most Wanted: How to tell BADware from adwareCyphort

Zeus DissectedCyphort

ISC2014 Beijing KeynoteCyphort

Malware's Most Wanted (MMW): Backoff POS Malware Cyphort

Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...Cyphort

Digging deeper into the IE vulnerability CVE-2014-1776 with CyphortCyphort

Mais de Cyphort (12)

MMW June 2016: The Rise and Fall of Angler

Machine learning cyphort_malware_most_wanted

Mmw anti sandbox_techniques

Mmw anti sandboxtricks

If you have three wishes

The A and the P of the T

Malware's Most Wanted: How to tell BADware from adware

Zeus Dissected

ISC2014 Beijing Keynote

Malware's Most Wanted (MMW): Backoff POS Malware

Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...

Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort

Último

"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays

WordPress Websites for Engineers: Elevate Your Brandgvaughan

Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation

"ML in Production",Oleksandr BaganFwdays

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays

"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106

Gen AI in Business - Global Trends Report 2024.pdfAddepto

Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited

My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar

What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett

Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed

CloudStudio User manual (basic edition):comworks

Artificial intelligence in cctv survelliance.pptxhariprasad279825

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

Training state-of-the-art general text embeddingZilliz

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer

DevEX - reference for building teams, processes, and platformsSergiu Bodiu

Malware self protection-matrix

2. The Malware Self-Protection Matrix Marion Marschalek Senior Malware Researcher at Cyphort Labs

3. Your speakers today Marion Marschalek Senior Malware Researcher Cyphort Labs Shelendra Sharma Product Marketing Director

4. Agenda o Malware detection evolution o Malware self-protection o Wrap-up and Q&A CyphortLabsT-shirt

5. Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensics and Incident Response We enhance malware detection accuracy ________ False positives/negatives ________ Deep-dive research We work with the security ecosystem ________ Contribute to and learn from malware KB ________ Best of 3rd Party threat data

6. HOW DO YOU FIND http://1ms.net/

7. A Digital Threat History http://www.hdbackgroundpoint.com VIRUS EXPLOIT WORM TROJAN MULTI-COMPONENT MALWARE ADWARE ROOTKIT SPYWARE APT TARGETED THREAT SURVEILLANCE SOFTWARE INSIDE THREAT

8. A THREAT DETECTION HISTORY

9. www.crane.com Your signature update.

10. Checksums Byte Patterns Behavior Patterns Static / Dynamic Heuristics Whitelisting Anomalies Network Streams Cloud Protection

11. Virus Detection Signature Product Computer Server

12. Malware Self-Protection Debugging Disassembly Static Emulation Sandboxing Reputation Anomalies 12  Debugger detection, sub-processes, thread injection  Obfuscation  Packer and crypter  Emulator detection, time based evasion  VM detection, modular malware  Binary updates, targeted malware  Binary padding, use of legitimate tools

13. Gladly, most threats make mistakes themselves.

14.

15. ZEUS why can‘t detection work %APP%Uwirpa 10.12.2013 23:50 %APP%Woyxhi 10.12.2013 23:50 %APP%Hibyo 19.12.2013 00:10 %APP%Nezah 19.12.2013 00:10 %APP%Afqag 19.12.2013 23:29 %APP%Zasi 19.12.2013 23:29 %APP%Eqzauf 20.12.2013 22:23 %APP%Ubapo 20.12.2013 22:23 %APP%Ydgowa 20.12.2013 22:23 %APP%Olosu 20.12.2013 23:03 %APP%Taal 20.12.2013 23:03 %APP%Taosep 20.12.2013 23:03 %APP%Wokyco 16.01.2014 13:22 %APP%Semi 17.01.2014 16:34 %APP%Uheh 17.01.2014 16:34

16. Sandbox Detection 16

17. Persistence Mechanisms File Names Network Connection Big Picture Detection & Combination Static/Dynamic Features SILVER BULLET ...?

18. ARMOURING http://hdwallpapersimage.com/

19. SAZOORA being picky

20. Code Obfuscation 20

21. Virtual Machine Code Execution handler13: ExitProcHresult ... handler14: ExitProc ... handler15: ExitProcI2 ... ... FC C8 13 76 ...

22. Various packer layers – no static detection Static detection won‘t work Reputation & Metadata Features SILVER BULLET ...?

23. EXPLOITATION http://themovieandme.blogspot.com/

24. Endpoint protection built to detect repetitive patterns of evil. Exploit = system corruption Exploit vs. vulnerability http://www.wikipedia.com/

25. TYPICAL DRIVE-BY INFECTION o hxxp://www.insertyourwebsitehere.com/js/responsive/min/main- b87ba20746a80e1104da210172b634c4.min.js o hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755 o hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC %B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&nrk =5992423910 o hxxp://g12z4pj3k4k9y4wd517- ll6.dienami.ru/f/1398361080/5/x007cf6b534e5208040904070007000 80150050f0304045106565601;1;5 o BOOM.

26. hxxp://www.insertyourwebsitehere.com/js/responsive/ min/main-b87ba20746a80e1104da210172b634c4.min.js TYPICAL DRIVE-BY INFECTION

27. hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755 TYPICAL DRIVE-BY INFECTION

28. hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC%B2 %26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08& nrk=5992423910 IE 6, 7, 8 or 9, 10, 11 TYPICAL DRIVE-BY INFECTION

29. hxxp://g12z4pj3k4k9y4wd517- ll6.dienami.ru/f/1398361080/5/x007cf6b534e5208 04090407000700080150050f0304045106565 601;1;5 TYPICAL DRIVE-BY INFECTION

30. (There is none.) Patching, patching and more patching An exploit will seldom come alone! SILVER BULLET ...?

31. VISIBILITY – KNOW HOW – ACTIONABILITY LURE EXPLOIT INFECT CALL HOME STEAL DATA Follow the kill chain

32. Q&A

33. Thank You!