Presented by Amit in our quarterly system security meet. visit: http://www.securitytrainings.net for more information.

1. Chronicles of Malwares and
Detection Systems
By:
Amit Malik
Member @ SecurityXploded Research Group
Researcher @ FireEye Labs
© SecurityXploded Research Group

2. Disclaimer
The Content, Demonstration, Source Code and Programs presented here is "AS IS" without
any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are
solely of the mine and nothing to do with the company or the organization in which I am
currently working.
However in no circumstances neither I or SecurityXploded is responsible for any damage or
loss caused due to use or misuse of the information presented here.

3. Agenda
Phases
The common things
Data Theft
Code protection/obfuscation
Code protection and obfuscation – the view (PE Only)
Detection systems
Final thoughts

4. Phases
Fun
The early stage
Birth of antivirus
Fun and Profit
Second stage
Code obfuscation/evasion – the innovation
The gods – themda, vmprotect etc.
Knowledge sharing
Antivirus heuristics etc. (the failure)
Profit
Current stage
Targeted attacks
Offensive and defensive both are fully commercial
Sophistication in exploits is increased exponentially
Malwares are either sophisticated (duqu, stuxnet etc.) or easy ( rebirth of RAT)
Modules (DLL etc.)
New technologies for detection – execute and detect, machine learning etc.

5. The common things
At problem level, these things are common in malwares
Data theft (real problem)
Code obfuscation/evasion (antivirus failure)
Data theft
This is the problem actually…. Malware itself is not a problem.
Remember “data” is the key thing here.
Code obfuscation/evasion
Real challenge for detection systems
Packing, protectors, encryptors.. Etc etc.

6. Code protection/evasion – the view
Real challenge to detection technologies
Making true real time protection nearly impossible.
Couple of interesting things about this behavior.
In unpacked binaries the execution will be within the section (ep)
boundaries and the address space will be less tense.

7. Code protection/evasion – the view
In packed binaries the execution can fluctuate across multiple sections and the
address space will look more stressed (especially in malwares due to multiple
packing layers).

8. Graph for malicious samples
(exmp.)

9. Graph for malicious samples
(exmp.)

10. Graph Analysis
Two things are most important:
Origin of call?
Tension in the address space.
Meaning return address and use of “data” are the two most important things.
Actually tracking the use of “data” is not an easy task.
But what if we monitor the user interaction with system instead of monitoring the use
of data blindly?
Why a specific event/activity is happening in the system?
What is the scope of interaction of user to start that event.
How the user is using/receiving the event output.

11. Detection Systems
Antivirus
Actually I don’t want to blame antivirus.. Things at endpoints are very
messy.
A significant enhancement in the model is required.
Home users are in real danger.. No other option.
Execute and Detect:
New technology to detect the malwares – actually it is not new, people
just experimented it recently for detection and it is working?
Infection is ok for customer but data should be protected.
Considering the security problems people are ok even if you detect the malware
after the actual infection.

12. Detection Systems (cont.)
Execute and Detect:
Pros:
Inspection of malware in a controlled environment.
You don’t have to worry about the user and experience.
You know the state and health of the system so detection is relatively
easy. (on endpoint it is an entirely different game – poor antivirus).
Cons:
Expensive?
Large infrastructure
Huge maintenance overhead.
Logic bombs – I know I am in sandbox 
Oh boy.. First it is really difficult to port this thing or its variations on
endpoint.. And even if we can achieve that, it will be extremely
expensive for home users.

13. Final Thoughts
Malware is a problem and will always be. 
Security is human + technology breach, we can’t fix both.
Antivirus is failing and right now there is no other solution for its replacement
for home users.
Execute and detect is a good new technology for detection but it is expensive
and not truly reactive (true real time protection?, post infection alerts.).
THANK YOU!