From AppSec to MalSec: Malware hooked, criminal crooked (Alok Gupta)
1. OWASP InfoSec India Conference 2012
August 24th – 25th, 2012, The OWASP Foundation
Hotel Crowne Plaza, Gurgaon, http://www.owasp.org, http://www.owasp.in
From AppSec to MalSec
Malware hooked, criminal crooked!
Alok Gupta
Founder & Managing Director
Pyramid Cyber Security & Forensic (P) Limited
Email: alok.gupta@pyramidcyber.com
+91-9999189650
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
2. Alok Gupta
Experience: 20+ years in the Information and Communications Technology (ICT) industry
Serial Entrepreneur, Founder & Managing Director, Pyramid Cyber Security & Forensic, a boutique Digital Forensic and specialised Information Security solution and services provider
Past member of the National Committee on Information Technology for the Confederation of Indian Industries (CII)
Advised several Enterprises and Government agencies to leverage the use of ICT and Information Security to compete and grow in the global economy
Board Member of the Amity Institute of Cyber Law & Cyber Crimes
Member of the IMS Law advisory committee
Writes columns, is frequently quoted in IT, Security & Forensic media, and regularly speaks at several events, workshops, seminars and forums in India and internationally
3. Abstract & Agenda
“Malware is everywhere” and will continue to spread. Over the years, malware has infected every corner of the internet, and has branched out to industrial espionage, social networks and mobile devices too.
Given the tremendous success cyber criminals enjoy, they will continue to use legitimate websites as a primary delivery mode for malware.
Malware is becoming more sophisticated and customizable. Emerging anti-malware technologies are constantly attempting to tackle such threats.
After all it is the bad guys versus the good guys, and the battle is on!
Today’s talk will address what malware is, how it infects and spreads, how widespread the problem is, and what enterprises, governments and individuals should do in order to stay protected.
The discussion will cover analysis, latest trends, strategies for mitigation and recent case studies.
4. Disclaimer
Everything I state here is my opinion and is based on my limited knowledge & research.
I am sure that some of you will already know most of it, so do not get angry!
5. Malware Basics
Malware is malicious software used or created to disrupt computer operation, gather sensitive information, or gain access to computer networks and mobile systems.
Malware can appear in the form of code, scripts, active content, and other software.
7. Type of Cyber Malware & attack mode
8. Malware History
40 years ago Bob Thomas began experimenting with the concept of a mobile application and developed the Creeper program, which had the ability to move from machine to machine. Creeper quickly proliferated through ARPANET, infecting everything in its path, and marked the emergence of the computer virus.
By 1988, the Morris Worm had taken hold and shown the power of relatively simple programs to use applications and the Internet to rapidly infect large numbers of machines in very short periods of time.
9. Malware Evolution
Throughout the 1990s and early 2000s, malware continued to evolve, adding new functions and increasing infection rates. The power of the malware was largely predetermined at the time it was written, and the logic of the threat was largely contained within the malware’s code itself.
By 2007 the first botnets began to appear, and fundamentally changed the world of malware. Infected hosts could now be centrally controlled by a remote attacker, allowing all the individual machines to cooperate as one massive distributed malware application.
10. Malware Synthesis
The attention shifted to designing a platform that could sustain an ongoing and dynamic attack. Stealth became a primary objective because intruders could now control and take advantage of an infected machine for an indefinite period of time.
The attacker could now update the malware program at will in order to send spam one day and steal credit card numbers the next day, and so on.
The strength of a piece of malware came to rest on the quality of its communication, management and ability to avoid detection.
11. Malware Modernization
Malware development is big business due to the associated economics. It is no longer the backyard of computer hackers. Modern malware is used for extorting money, collecting confidential and proprietary information, industrial espionage, social engineering etc. Fraud and scare tactics are a major priority of current malware creation.
Affordable massively parallel computing capabilities have further fuelled activities such as spam mail transmission, DDoS and advanced persistent threats.
12. Malware: Key Questions?
Infection: How is the malware delivered? Via an executable, packed into a file, delivered via an infected webpage? How does the malware communicate?
Persistence: Once on the host, how is the malware able to persist on the infected host without triggering host-based security? Does it use a rootkit? Does it disable antivirus? Does it install backdoors?
Communication: The ability to communicate largely represents the power of the malware. Does it communicate on non-standard ports, encrypt its traffic, use proxies, or tunnel within other approved applications?
13. Malware: Key Questions?
Command and Control: How is the command-and-control managed? Does it get updated configuration files, or send and receive messages from peer-to-peer networks? How does the malware cope with the loss of a command-and-control server?
Malicious Functions: How do we keep track of the end behaviour of the malware? Some malware will remain very focused, targeting a specific type of information within a specific organization. Others will vary over time, shifting with the needs and desires of the bot owner.
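The key questions on slides 12 and 13 are, in practice, the checklist an analyst runs over a sample's observed behaviour. The script below is an added example, not code from the talk or from Pyramid Cyber Security: it turns each question (infection, persistence, communication, command and control, malicious function) into a heuristic rule evaluated over event records of the kind a sandbox or endpoint agent emits. The event schema, the thresholds, the service names and every sample event are constructed for illustration and would need adapting to a real agent's output.

```python
"""Behaviour-based triage of a suspicious sample's observed activity.

Added example (not code from the talk or from Pyramid Cyber Security). It
turns the key questions from the slides -- infection, persistence,
communication, command and control, malicious function -- into a handful
of heuristic rules evaluated over event records of the kind a sandbox or
endpoint agent would emit. The event schema, the thresholds and every
sample event below are constructed for illustration.
"""
from collections import defaultdict

# Outbound ports on which workstation traffic is normally expected.
STANDARD_PORTS = {80, 443, 53, 25, 587, 993, 995}

# Well-known Windows autorun registry locations (lower-cased for matching).
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)

# Host-protection services a sample has no legitimate reason to stop.
# Illustrative names; adapt to the agents deployed in your estate.
PROTECTIVE_SERVICES = {"windefend", "mpssvc"}

# Document/browser processes that should not normally spawn a shell.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Thresholds (constructed) for the aggregate rules.
MIN_FAILED_C2_HOSTS = 3   # cycling through this many dead hosts suggests a fallback C2 list
MIN_DOCUMENTS_READ = 5    # reading this many user documents suggests bulk collection


def triage(events):
    """Group heuristic findings by key question and return them with a simple count score."""
    findings = defaultdict(list)
    failed_hosts = set()
    documents_read = set()

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            parent, child = ev["parent"].lower(), ev["image"].lower()
            if parent in DOCUMENT_HANDLERS and child in SHELLS:
                findings["infection"].append(
                    f"{parent} spawned {child}: document or browser exploit delivery")
        elif kind == "file_write":
            path = ev["path"].lower()
            if "\\temp\\" in path and path.endswith(".exe"):
                findings["infection"].append(f"executable dropped in a temp folder: {ev['path']}")
        elif kind == "registry_set":
            if any(k in ev["key"].lower() for k in AUTORUN_KEYS):
                findings["persistence"].append(f"autorun entry {ev['key']} -> {ev['value']}")
        elif kind == "service_stop":
            if ev["name"].lower() in PROTECTIVE_SERVICES:
                findings["persistence"].append(f"protective service stopped: {ev['name']}")
        elif kind == "network_connect":
            host, port = ev["host"], ev["port"]
            if port not in STANDARD_PORTS:
                findings["communication"].append(f"outbound to {host}:{port} on a non-standard port")
            if port == 443 and not ev.get("tls", True):
                findings["communication"].append(f"cleartext traffic on 443 to {host}: possible tunnelling")
            if not ev.get("success", True):
                failed_hosts.add(host)
        elif kind == "file_read":
            if "\\documents\\" in ev["path"].lower():
                documents_read.add(ev["path"].lower())

    if len(failed_hosts) >= MIN_FAILED_C2_HOSTS:
        findings["command_and_control"].append(
            f"cycled through {len(failed_hosts)} unreachable hosts: fallback C2 list")
    if len(documents_read) >= MIN_DOCUMENTS_READ:
        findings["malicious_function"].append(
            f"read {len(documents_read)} user documents: bulk data collection")

    return {"findings": dict(findings), "score": sum(len(v) for v in findings.values())}


# Constructed sample: what a short detonation of a dropper-style sample might record.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"type": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"},
    {"type": "service_stop", "name": "WinDefend"},
    {"type": "network_connect", "host": "203.0.113.10", "port": 8443, "tls": True, "success": False},
    {"type": "network_connect", "host": "203.0.113.11", "port": 8443, "tls": True, "success": False},
    {"type": "network_connect", "host": "203.0.113.12", "port": 8443, "tls": True, "success": False},
    {"type": "network_connect", "host": "203.0.113.20", "port": 443, "tls": False, "success": True},
] + [{"type": "file_read", "path": rf"C:\Users\alice\Documents\report-{i}.docx"} for i in range(5)]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for question, hits in result["findings"].items():
        print(question)
        for hit in hits:
            print("  -", hit)
    print("score:", result["score"])
```

Each rule answers one of the slide's questions rather than matching a signature, which is why the same rules keep working when the binary is repacked; the price is that the thresholds (three dead hosts, five documents) are tuning knobs that need a baseline from your own environment before the score means anything.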
14. Malware Explosion!
Malware continues to grow in terms of infection rate and new targets. Last year, there were 25 million new, unique strains of malware released, and that number is projected to grow to 87 million by the end of 2015.
The shift toward BYOD workplace practices contributes to the increased risk that corporate assets will be lost, in addition to traditional attacks on e-commerce.
15. Malware Trends
SSL is no longer safe: cybercriminals can grab your username / password before the encryption technology kicks in
Targeted malware is on the rise; malware that accesses your browser history will infect you if you meet certain criteria
New malware is hard to spot and remove
Ransomware is increasing, and would not go away unless you pay!
Old problems resurface
Mobile malware is increasing
16. Industrial Espionage and Weaponized Malware
17. Stuxnet
Targets industrial control systems and PLCs such as Siemens Simatic
Vast array of components used:
Zero-day exploits
Windows rootkit
PLC rootkit (first ever)
Antivirus evasion
Peer-to-Peer updates
Signed driver with a valid certificate
Code changes are hidden
18. Duqu
Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm.
Duqu gathers information that is useful in attacking industrial control systems.
19. Flame
Flame is a sophisticated attack toolkit.
“Flame’s mission is not about stealing identities. It is about gathering intelligence.”
20. Gauss
Gauss is a new class of threat that swarms over systems searching for private information, mostly on banking.
Gauss can steal access credentials for various online banking systems and payment methods, and various information such as network interfaces, the computer’s drives and BIOS.
Gauss can steal browser history, social network and instant messaging info.
21. Latest from the Malware Stable
23. Shamoon malware infects, steals data and wipes
Overwrites the master boot record of a computer, and is suspected to be used in targeted attacks against specific companies.
Steals data from the 'Users', 'Documents and Settings', 'System32/Drivers' and 'System32/Config' folders on Windows computers.
24. New Android Malware Steals Your Money Via SMS
Trojan!SMSZombie.A in China affected 5,00,000 mobiles
25. Frankenstein virus creates malware by pilfering code
The Frankenstein virus can build itself on any computer from stolen snippets of code.
Potential for hard-to-detect viruses that are stitched together from benign code pilfered from ordinary programs.
26. Crisis
The recently discovered Crisis financial malware can spread using capabilities built into VMware virtual machines.
Also known as Morcut, the malicious rootkit spreads via an installer that's disguised as an Adobe Flash Player installer.
First malware that attempts to spread onto a virtual machine.
27. Mobile Users - Watch out!
6 out of every 10 cyber-security breaches occur as a result of a mobile device*
In 2011, malware targeting smartphones increased 155%
In a span of just 10 months, the volume of malware targeting Android phones increased 3,325%
A typical security breach costs a business more than half a million dollars*
In a world of 7 billion people, there are now 5.9 billion mobile-phone subscribers.
28. Mobile Malware Trends
Mobile Pickpocketing
Automated Repackaging
Mobile botnets
Browser Attacks
Malvertising
Vulnerable Smart Devices
29. Top malware email attacks in past 30 days.
30. Early Warning!
Treat fraud prevention and malware detection in a single context
Analyse crucial information for all targeted systems
Deploy Cyber Intelligence that includes host and network forensics, data auditing and non-signature-based malware detection.
31. Sandboxing
Sandboxing is a popular technique for creating confined execution environments, which can be used for running untrusted programs.
A sandbox limits, or reduces, the level of access its applications have. It is a container.
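To make the slide's definition concrete, here is a small confined-execution runner written for this page; it is an added example, not code from the talk or from any sandbox product. It confines an untrusted program along three axes the slide alludes to (what it can see, how much it can consume, how long it may run): a throw-away working directory, an empty environment, hard CPU-time and address-space limits set in the child via setrlimit just before exec, and a wall-clock timeout as a backstop. It assumes a Unix host (the resource module is POSIX-only) and uses the current Python interpreter as the stand-in "untrusted program"; real sandboxes add namespaces, seccomp filters or a full VM on top of this resource confinement.

```python
"""Minimal confined-execution runner for untrusted programs (Unix only).

Added example, not code from the talk. It demonstrates the slide's point
that a sandbox is a container reducing what a program may touch: the
child runs in a throw-away working directory with an empty environment,
hard CPU and address-space limits applied via setrlimit in the child just
before exec, and a wall-clock timeout as a backstop. This is resource
confinement only; production sandboxes add namespaces, seccomp filters
or a full VM, which are out of scope here.
"""
import resource
import signal
import subprocess
import sys
import tempfile


def _confine(cpu_seconds, mem_bytes):
    """Executed in the child between fork and exec: apply hard resource limits."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))


def run_confined(argv, cpu_seconds=1, mem_bytes=512 << 20, wall_seconds=None):
    """Run argv under the limits; return a dict describing how the child ended."""
    if wall_seconds is None:
        wall_seconds = cpu_seconds + 5  # catches a child that sleeps instead of burning CPU
    with tempfile.TemporaryDirectory() as workdir:  # scratch space, deleted afterwards
        try:
            proc = subprocess.run(
                argv,
                cwd=workdir,
                env={},                      # nothing inherited from the analyst's session
                stdin=subprocess.DEVNULL,
                capture_output=True,
                text=True,
                timeout=wall_seconds,
                preexec_fn=lambda: _confine(cpu_seconds, mem_bytes),
            )
        except subprocess.TimeoutExpired:
            return {"status": "limit", "reason": "wall-clock timeout", "stdout": ""}

    if proc.returncode == 0:
        return {"status": "ok", "stdout": proc.stdout}
    if proc.returncode < 0:  # killed by a signal, e.g. SIGXCPU/SIGKILL from the CPU limit
        return {"status": "limit", "reason": signal.Signals(-proc.returncode).name,
                "stdout": proc.stdout}
    return {"status": "error", "returncode": proc.returncode, "stderr": proc.stderr}


# Three constructed "untrusted programs", using the current interpreter as the payload.
def demo_ok():
    """A benign program: finishes normally and its output is captured."""
    return run_confined([sys.executable, "-c", "print('hello from inside the sandbox')"])


def demo_cpu_bomb():
    """An infinite loop: the kernel terminates it once the CPU limit is hit."""
    return run_confined([sys.executable, "-c", "while True: pass"], cpu_seconds=1)


def demo_memory_hog():
    """A 2 GiB allocation under a 512 MiB address-space cap: fails with MemoryError."""
    return run_confined([sys.executable, "-c", "x = bytearray(1 << 31)"], mem_bytes=512 << 20)


if __name__ == "__main__":
    for demo in (demo_ok, demo_cpu_bomb, demo_memory_hog):
        print(demo.__name__, "->", demo())
```

The distinction between the "limit" and "error" outcomes matters when triaging a sample: a program that the kernel had to kill was trying to outlast its cage, whereas one that failed on its own merely could not get what it asked for. Note also that this runner confines resources, not the network or the filesystem outside the scratch directory; that is the gap namespaces and seccomp close.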
32. Analyze Suspicious Files Online
33. Thanks for your time and attention!
Alok Gupta
alok.gupta@pyramidcyber.com
+91-9999189650
34. Subscribe to the mailing list
www.owasp.be
Keep up to date!