Malware in the Wild:
Evolving to Evade Detection
Engin Kirda
Co-Founder and Chief Architect
engin@lastline.com
3/17/2015
Copyright ©2015 Lastline, Inc. All rights reserved.
Engin Kirda, Ph.D.
• Professor at Northeastern University, Boston
– started malware research in about 2004
– Helped build and release popular malware analysis and
detection systems (Anubis, Wepawet, …)
• Co-founder of Lastline, Inc.
– Lastline offers protection against zero-day threats and
advanced malware
– Commercialization of many years of advanced research
2
Key Takeaways
• Traditional malware detection tech now ineffective
• Security automation and stealthy analysis critical to protection
• Security professionals in high demand
– Need to attract, train and retain talented people
You Will Learn
• How has malware evolved in the last decade?
• How have security technologies changed to address the threat?
• What are some key characteristics of advanced malware behaviors?
• Can we stop this threat? Is this a lost war?
How Has Malware Evolved?
Cyberattack (R)Evolution
[Chart: $$ damage (hundreds to billions) over time, with three stages labelled Cybervandalism, Cybercrime, and Cyber-espionage and Cyber-war]
The Nature of the Threat Has Changed
• Intruders are more prepared and organized
• Attack attribution on the Internet is incredibly difficult
• Intruder tools are increasingly sophisticated yet easy
A Little Bit of History…
• At the end of the 80s, viruses came out
– First form of malware
– Often destructive, but no financial incentive
• In the 90s, worms became popular
– Often destructive, but no financial incentive
A Little Bit of History…
• As of 2000, financial incentives became increasingly dominant
– Phishing, pharming, banking Trojans, key-loggers…
• As of 2010, targeted attacks gaining more attention in the media
– Attacks against companies like Google, RSA
– Espionage as a major incentive
Excerpts from 2014
• Dairy Queen International
– Backoff, more than 300 stores, credit card information stolen
• J.P. Morgan Chase
– Customer information for millions of customers compromised
• Home Depot
– Credit card information stolen for more than 50 million customers
• UPS
– Backoff, 60 stores compromised
• Target
– Millions of credit card records stolen
How Have Security Technologies Evolved?
Emergence of Signature-Based Detection
Traditional Malware Detection
• Imagine you are identifying people based on their looks
– Are they wearing a hat?
– What color is their hair?
– How tall are they?
– What is their eye color?
– How old are they?
– Do we have their fingerprint?
[Photo: Walter White]
Example: Chernobyl (CIH) Virus
5B 00 00 00 00   pop ebx
8D 4B 42         lea ecx, [ebx + 42h]
51               push ecx
50               push eax
50               push eax
0F 01 4C 24 FE   sidt [esp - 02h]
5B               pop ebx
83 C3 1C         add ebx, 1Ch
FA               cli
8B 2B            mov ebp, [ebx]
SIGNATURE:
5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B
The Problem of Evasion
• What if the criminal is wearing a black hat and sunglasses for disguise?
• What if the criminal is also able to change his fingerprints on the fly, after every crime?
• We’d be in a lot of trouble at airports. Unfortunately, we have this situation happening in the cyber-world right now
[Photo: Heisenberg]
Disguising: Chernobyl (CIH) Virus
5B 00 00 00 00   pop ebx
8D 4B 42         lea ecx, [ebx + 42h]
51               push ecx
50               push eax
90               nop
50               push eax
40               inc eax
0F 01 4C 24 FE   sidt [esp - 02h]
48               dec eax
5B               pop ebx
83 C3 1C         add ebx, 1Ch
FA               cli
8B 2B            mov ebp, [ebx]
DIFFERENT SIGNATURE:
5B 00 00 00 00 8D 4B 42 51 50 90 50 40 0F 01 4C 24 FE 48 5B 83 C3 1C FA 8B 2B
Malware Uses Disguise
• It does the same thing, but it looks different each time
• Detecting malware just based on its “looks” does not work anymore
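The signature check behind the two CIH slides, as an added example that is not part of the deck: it transcribes the two byte sequences shown, then compares a whole-file hash and an exact-byte signature (both defeated by the inserted nop / inc eax / dec eax) against a signature that tolerates a bounded number of such junk bytes between the listed instructions. The junk alphabet and the bound are assumptions chosen to fit the slide, not a general x86 normalizer.

```python
"""Signature matching on the Chernobyl (CIH) byte sequences from the slides.

Added example, not from the original deck. The instruction split and both
byte strings are transcribed from the slides; JUNK_OPCODES and max_junk are
assumptions that hold for this example only.
"""
import hashlib
import re

# Instruction listing as the "SIGNATURE" slide shows it, keeping the slide's
# own grouping of bytes per line (the 00 bytes stay exactly as listed).
CIH_INSTRUCTIONS = [
    ("pop ebx",              "5B 00 00 00 00"),
    ("lea ecx, [ebx + 42h]", "8D 4B 42"),
    ("push ecx",             "51"),
    ("push eax",             "50"),
    ("push eax",             "50"),
    ("sidt [esp - 02h]",     "0F 01 4C 24 FE"),
    ("pop ebx",              "5B"),
    ("add ebx, 1Ch",         "83 C3 1C"),
    ("cli",                  "FA"),
    ("mov ebp, [ebx]",       "8B 2B"),
]

# The two byte strings from the slides: original and disguised variant. The
# variant only inserts nop (90), inc eax (40) and dec eax (48).
CIH_ORIGINAL = bytes.fromhex(
    "5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B")
CIH_DISGUISED = bytes.fromhex(
    "5B 00 00 00 00 8D 4B 42 51 50 90 50 40 0F 01 4C 24 FE 48 5B 83 C3 1C FA 8B 2B")

# Single-byte instructions the disguised slide inserted. Treating them as
# skippable is an assumption valid for this listing, not for arbitrary code.
JUNK_OPCODES = (0x90, 0x40, 0x48)


def exact_signature(instructions):
    """Classic AV signature: the concatenated bytes of the listing."""
    return b"".join(bytes.fromhex(hexstr) for _, hexstr in instructions)


def exact_match(signature, sample):
    """Byte-for-byte substring search: the 1998-style check."""
    return signature in sample


def flexible_signature(instructions, junk=JUNK_OPCODES, max_junk=2):
    """Regex allowing up to `max_junk` junk bytes between listed instructions.

    Instruction boundaries come from the listing, so the pattern only admits
    a nop / inc / dec where the disguise could insert one, rather than a
    wildcard gap that would match unrelated bytes and raise false positives.
    """
    gap = (b"(?:" + b"|".join(re.escape(bytes([j])) for j in junk)
           + b"){0,%d}" % max_junk)
    parts = [re.escape(bytes.fromhex(hexstr)) for _, hexstr in instructions]
    return re.compile(gap.join(parts))


def flexible_match(pattern, sample):
    """True when the junk-tolerant signature occurs anywhere in the sample."""
    return pattern.search(sample) is not None


def whole_file_hash(sample):
    """Hash blocklisting: any single inserted byte produces a new hash."""
    return hashlib.sha256(sample).hexdigest()


def classify(sample):
    """Run all three checks against a sample and report which ones fire."""
    exact = exact_signature(CIH_INSTRUCTIONS)
    flexible = flexible_signature(CIH_INSTRUCTIONS)
    return {
        "hash_matches_original": whole_file_hash(sample) == whole_file_hash(CIH_ORIGINAL),
        "exact_signature": exact_match(exact, sample),
        "flexible_signature": flexible_match(flexible, sample),
    }


if __name__ == "__main__":
    for name, sample in (("original", CIH_ORIGINAL), ("disguised", CIH_DISGUISED)):
        print(name, classify(sample))
```

Raising `max_junk` or widening the junk alphabet buys tolerance at the cost of false positives, which is why signature engines eventually gave way to the behavior-based detection the next slides describe.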
Malware is Now a Problem of Scale…
• The number of new malware samples out there has been increasing exponentially
• It might be the same malware sample you are dealing with, but it looks different to the naked eye…
Summary of traditional approaches: 1998 compared to 2015
Lastline Labs: AV Can’t Keep Up
Antivirus systems take months to catch up to highly evasive threats.
Current State of Affairs
• Anti-virus systems are not enough
– Malware modifies itself to evade detection
• Manual analysis of threats requires an enormous amount of resources
– Cannot scale; reaction time is in the order of days or weeks
• We need to be leading in the arms race
How Have Security Technologies Evolved?
Emergence of Behavior-Based Detection
Key Idea
• Why not just run or open the suspicious file and see how it behaves?
• This approach is generally known as sandboxing
• The sandbox typically uses a virtualized, instrumented environment
• The system logs the behaviors of the file
Sandbox-Based Detection Is Popular
• There are many security products now
– Sandboxing is often a component that is used for unknown files
• These sandboxes often vary in quality
– A sandbox can be very simple, or more sophisticated depending on its design
Evasion of Behavior-Based Detection
• Bad guys are not stupid
• They have received the news that behavior-based detection is what everyone’s using now
• Just like signature-based detection systems were evaded in the past, behavioral evasion tricks have emerged
One of The First Tricks That Emerged: Red Pill (Remember Matrix?)
• A Virtual Machine (VM) is often used to run the code during analysis and detection
• The red pill test allows you to find out if you’re running in a VM
• There are many ways of launching evasions like that
Some Dynamic Evasion Tricks
• Checking for specific artifacts in the virtualized OS
• Checks on CPU features that indicate a VM
• Looking for running processes and imitating them
• Waiting for someone to click on something
• Delaying the execution until the analysis system gives up
An Emerging Trick: Stalling Loops
• Simple piece of code that takes milliseconds to execute on your laptop, but hours to run in a virtualized detection system
What are some key characteristics of advanced malware behaviors?
Oh Internet, where are we headed?
Key Characteristics of Malware Today
• The majority of the malware is “noise”
– 50%-80%
• A smaller portion is nasty
– 15%-20%
• An even smaller portion is very nasty
– 1%-5%
You’ve Probably Read This: Recent Payment Breaches
• The last year has seen a dramatic escalation in the number of breached Point of Sale (PoS) systems
• Many of these PoS payloads, like Backoff, evaded installed defenses and alarms
• In a few cases an early alarm was received, but it was ignored since it was indistinguishable from the background noise
What is Backoff?
• Malware used in numerous breaches in the last year
• Secret Service estimated 1,000+ U.S. businesses affected
• Targeted at Point of Sale (PoS) systems
• Evades analysis
How are the attackers deploying it?
• Scan for Internet-facing Remote Desktop applications
• Brute-force login credentials
• Often successfully find administrative credentials
• Use admin credentials to deploy Backoff to remote PoS systems
Carbanak Malware
• Bank robbing, raked in as much as $1 billion
– Banks infiltrated, ATMs were taken over
– Balances adjusted and funds transferred remotely
• Most Carbanak samples exhibit stealthy behavior (90%)
– 17% display evasive behavior (detecting the sandbox)
– Samples are environmentally aware
– A stealthy sandbox is needed that can detect evasions
In Recent Research…
• We looked at a Non-Governmental Organization (NGO)
– Representing the Uyghur minority in China
– Many suspicious emails were being sent
– Many targeted hacking attempts
• Key finding
– The attacks were surprisingly simple
– Malware not very sophisticated
– No unknown vulnerabilities used
Can we stop this threat?
Is this war winnable?
The Reality is That the Threat Will Continue to Exist
• The right question should be: How can we keep this threat in check and limit damage?
• Similar to protecting your home
– Locks can be broken
– But you can use a good lock, build in alarm systems, and lock away your valuables
Technology plays a crucial role, but…
• Integration is very important
– Whatever solutions we deploy must be easy to integrate and interoperate with existing systems
• Proposed solutions need to be scalable
– Organizations typically have thousands of users and multiple nodes that need protection
Correlation is the key
• There is no silver bullet in security!
• You need to correlate information coming from different sources
• Network nodes, domain names used, connections opened…
• There is a large attack surface…
Thinking like the attacker
• It is not a question of if, but only when you’ll be breached
• Getting breached is not the end of the world if…
1. … you can detect the breach quickly
2. … understand how you were breached
3. … can share this breach knowledge automatically with other components and business units
It’s Not Only a Technology Problem
• Security systems sometimes fail because people fail
– Education is a key component of any security solution
• We need to educate students, train employees
– Student hacking contests are a great example
Student Hacking Competitions
• Help educate and train students
– Hacking contests where the aim is defense and offense
– They’re fun! ;) And useful
– 6 years ago, some companies were against them… now they’re organizing their own ;)
New Research: Kernel-Level Detection
• The operating system kernel is the blind spot for detection
– Kernel-level malware is typically invisible to sandboxes
• At least one malware component often executes in kernel space
– I’m happy to announce novel techniques to automate the analysis of such malware today
– http://www.lastline.com/labs
Key Takeaways
• Traditional malware detection tech now ineffective
• Security automation and stealthy analysis critical to protection
• Security professionals in high demand
– Need to attract, train and retain talented people
THANK YOU!
For more information visit www.lastline.com or contact us at info@lastline.com.

Contenu connexe

Tendances

IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
Priyanka Aash
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 

Tendances (20)

Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
H@dfex 2015 malware analysis
H@dfex 2015   malware analysisH@dfex 2015   malware analysis
H@dfex 2015 malware analysis
 
My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat Review
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 
Setup Your Personal Malware Lab
Setup Your Personal Malware LabSetup Your Personal Malware Lab
Setup Your Personal Malware Lab
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for Business
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
 
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 

En vedette

(Lovern tamra historyingraphicdesign)powerpoint
(Lovern tamra historyingraphicdesign)powerpoint(Lovern tamra historyingraphicdesign)powerpoint
(Lovern tamra historyingraphicdesign)powerpoint
Tamra Lovern
 
KCB101 Not Your Mothers' Storyboard
KCB101 Not Your Mothers' StoryboardKCB101 Not Your Mothers' Storyboard
KCB101 Not Your Mothers' Storyboard
francesliam
 

En vedette (16)

Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyo...
Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyo...Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyo...
Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyo...
 
APT - Project
APT - Project APT - Project
APT - Project
 
Intelligence Driven Security
Intelligence Driven SecurityIntelligence Driven Security
Intelligence Driven Security
 
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us  i tdays-luxembourg 2014.11.20 v1.0The cavalry is us  i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
 
Mayerlin
MayerlinMayerlin
Mayerlin
 
Alvaro
AlvaroAlvaro
Alvaro
 
(Lovern tamra historyingraphicdesign)powerpoint
(Lovern tamra historyingraphicdesign)powerpoint(Lovern tamra historyingraphicdesign)powerpoint
(Lovern tamra historyingraphicdesign)powerpoint
 
How to prevent joint problem in dogs
How to prevent joint problem in dogsHow to prevent joint problem in dogs
How to prevent joint problem in dogs
 
Realmadrid-Atleticodemadrid
Realmadrid-AtleticodemadridRealmadrid-Atleticodemadrid
Realmadrid-Atleticodemadrid
 
Produsele Tiens - prezentare generala (romana)
Produsele Tiens -  prezentare generala (romana)Produsele Tiens -  prezentare generala (romana)
Produsele Tiens - prezentare generala (romana)
 
JLF
JLFJLF
JLF
 
Life media powerpoint
Life media powerpointLife media powerpoint
Life media powerpoint
 
KCB101 Not Your Mothers' Storyboard
KCB101 Not Your Mothers' StoryboardKCB101 Not Your Mothers' Storyboard
KCB101 Not Your Mothers' Storyboard
 

Similaire à Malware in the Wild: Evolving to Evade Detection

Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
CODE BLUE
 
Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010
Agora Group
 
Artificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO ComplianceArtificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO Compliance
PECB
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
PECB
 

Similaire à Malware in the Wild: Evolving to Evade Detection (20)

A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
A Profile of the Backoff PoS Malware that Hit 1000+ Retail BusinessesA Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses
 
Emerging Threats and Trends in Online Security
Emerging Threats and Trends in Online SecurityEmerging Threats and Trends in Online Security
Emerging Threats and Trends in Online Security
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
 
Hacking Portugal v1.1
Hacking Portugal  v1.1Hacking Portugal  v1.1
Hacking Portugal v1.1
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Scot Secure 2016
Scot Secure 2016Scot Secure 2016
Scot Secure 2016
 
Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010
 
The Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityThe Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our Community
 
Artificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO ComplianceArtificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO Compliance
 
APT or not - does it make a difference if you are compromised?
APT or not - does it make a difference if you are compromised?APT or not - does it make a difference if you are compromised?
APT or not - does it make a difference if you are compromised?
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
 
APT in the Financial Sector
APT in the Financial SectorAPT in the Financial Sector
APT in the Financial Sector
 
Kaseya Connect 2012 – A Kaspersky Researcher Perspective
Kaseya Connect 2012 – A Kaspersky Researcher PerspectiveKaseya Connect 2012 – A Kaspersky Researcher Perspective
Kaseya Connect 2012 – A Kaspersky Researcher Perspective
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
 
CRI Cyber Board Briefing
CRI Cyber Board Briefing CRI Cyber Board Briefing
CRI Cyber Board Briefing
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USM
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 

Dernier

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Dernier (20)

5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 

Malware in the Wild: Evolving to Evade Detection

  • 1. Malware in the Wild: Evolving to Evade Detection
    Engin Kirda, Co-Founder and Chief Architect
    engin@lastline.com
    3/17/2015
  • 2. Engin Kirda, Ph.D.
    Copyright ©2015 Lastline, Inc. All rights reserved.
    • Professor at Northeastern University, Boston
      – Started malware research in about 2004
      – Helped build and release popular malware analysis and detection systems (Anubis, Wepawet, …)
    • Co-founder of Lastline, Inc.
      – Lastline offers protection against zero-day threats and advanced malware
      – Commercialization of many years of advanced research
  • 3. Key Takeaways
    • Traditional malware detection tech now ineffective
    • Security automation and stealthy analysis critical to protection
    • Security professionals in high demand
      – Need to attract, train and retain talented people
  • 4. You Will Learn
    • How has malware evolved in the last decade?
    • How have security technologies changed to address the threat?
    • What are some key characteristics of advanced malware behaviors?
    • Can we stop this threat? Is this a lost war?
  • 5. How Has Malware Evolved?
  • 6. Cyberattack (R)Evolution
    [Chart: $$ damage over time, rising from hundreds through thousands, hundreds of thousands and millions to billions, across the stages cybervandalism (#@!), cybercrime ($$$) and cyber-espionage and cyber-war (!!!)]
  • 7. The Nature of the Threat Has Changed
    • Intruders are more prepared and organized
    • Attack attribution on the Internet is incredibly difficult
    • Intruder tools are increasingly sophisticated yet easy to use
  • 8. A Little Bit of History…
    • End of the 80s, viruses came out
      – First form of malware
      – Often destructive, but no financial incentive
    • In the 90s, worms became popular
      – Often destructive, but no financial incentive
  • 9. A Little Bit of History…
    • As of 2000, financial incentives became increasingly dominant
      – Phishing, pharming, banking Trojans, key-loggers…
    • As of 2010, targeted attacks gaining more attention in the media
      – Attacks against companies like Google, RSA
      – Espionage as a major incentive
  • 10. Excerpts from 2014
    • Dairy Queen International – Backoff, more than 300 stores, credit card info stolen
    • J.P. Morgan Chase – Customer information for millions of customers compromised
    • Home Depot – Credit card info stolen for more than 50 million customers
    • UPS – Backoff, 60 stores compromised
    • Target – Credit card info stolen for millions of customers
  • 11. How Have Security Technologies Evolved? Emergence of Signature-Based Detection
  • 12. Traditional Malware Detection
    • Imagine you are identifying people based on their looks
      – Are they wearing a hat?
      – What color is their hair?
      – How tall are they?
      – What is their eye color?
      – How old are they?
      – Do we have their fingerprint?
    [Image: Walter White]
  • 13. Example: Chernobyl (CIH) Virus
    Code fragment (bytes and disassembly):
      5B 00 00 00 00   pop ebx
      8D 4B 42         lea ecx, [ebx + 42h]
      51               push ecx
      50               push eax
      50               push eax
      0F 01 4C 24 FE   sidt [esp - 02h]
      5B               pop ebx
      83 C3 1C         add ebx, 1Ch
      FA               cli
      8B 2B            mov ebp, [ebx]
    SIGNATURE: 5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B
  • 14. The Problem of Evasion
    • What if the criminal is wearing a black hat and sunglasses for disguise?
    • What if the criminal is also able to change his fingerprints on the fly, after every crime?
    • We’d be in a lot of trouble at airports. Unfortunately, we have this situation happening in the cyber-world right now
    [Image: Heisenberg]
  • 15. Disguising: Chernobyl (CIH) Virus
    Same code with padding instructions inserted:
      5B 00 00 00 00   pop ebx
      8D 4B 42         lea ecx, [ebx + 42h]
      51               push ecx
      50               push eax
      90               nop
      50               push eax
      40               inc eax
      0F 01 4C 24 FE   sidt [esp - 02h]
      48               dec eax
      5B               pop ebx
      83 C3 1C         add ebx, 1Ch
      FA               cli
      8B 2B            mov ebp, [ebx]
    DIFFERENT SIGNATURE: 5B 00 00 00 00 8D 4B 42 51 50 90 50 40 0F 01 4C 24 FE 48 5B 83 C3 1C FA 8B 2B
  • 16. Malware Uses Disguise
    • It does the same thing, but it looks different each time
    • Detecting malware just based on its “looks” does not work anymore
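To make the two CIH listings concrete, here is an added Python example (not code from the talk or from Lastline) that scans both fragments with the raw byte signature from slide 13, then shows the kind of instruction-level normalization a signature engine has to bolt on to survive the nop and inc/dec padding from slide 15. The byte strings are the ones printed on the slides; the x86 length decoder is a deliberately minimal one that understands only the opcodes in that listing, and the junk-pair rule is a simplification chosen for this demo, not how any particular product works.

```python
"""Exact byte signatures vs. junk-instruction padding (added example).

The two fragments are the bytes printed on slides 13 and 15.  The decoder is a
toy x86-32 length decoder that knows only the opcodes in that listing; a real
engine would sit on a full disassembler.
"""
from typing import List


def _hex(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Slide 13: original CIH fragment; the AV "signature" is the raw byte string.
CIH_ORIGINAL = _hex("5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B")
# Slide 15: same logic with nop (90), inc eax (40) and dec eax (48) inserted.
CIH_DISGUISED = _hex("5B 00 00 00 00 8D 4B 42 51 50 90 50 40 0F 01 4C 24 FE 48 5B 83 C3 1C FA 8B 2B")
SIGNATURE = CIH_ORIGINAL


def exact_signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature scan: one inserted byte is enough to defeat it."""
    return signature in sample


# Single-byte opcodes in the listing, and the ModRM-carrying ones (opcode -> (name, immediate bytes)).
ONE_BYTE = {0x50: "push eax", 0x51: "push ecx", 0x5B: "pop ebx",
            0x90: "nop", 0x40: "inc eax", 0x48: "dec eax", 0xFA: "cli"}
WITH_MODRM = {0x00: ("add r/m8,r8", 0), 0x8D: ("lea", 0), 0x8B: ("mov", 0), 0x83: ("add r/m32,imm8", 1)}


def _modrm_size(code: bytes, i: int) -> int:
    """Bytes used by ModRM plus optional SIB and displacement (32-bit addressing)."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod != 3 and rm == 4:
        n += 1                       # SIB byte follows
    if mod == 1:
        n += 1                       # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                       # disp32
    return n


def decode(code: bytes) -> List[str]:
    """Split the fragment into 'mnemonic:bytes' tokens."""
    tokens, i = [], 0
    while i < len(code):
        b = code[i]
        if b in ONE_BYTE:
            name, n = ONE_BYTE[b], 1
        elif b in WITH_MODRM:
            name, imm = WITH_MODRM[b]
            n = 1 + _modrm_size(code, i + 1) + imm
        elif b == 0x0F and i + 1 < len(code) and code[i + 1] == 0x01:
            name, n = "sidt-group", 2 + _modrm_size(code, i + 2)   # 0F 01 /r: sgdt/sidt/...
        else:
            raise ValueError(f"toy decoder: unsupported opcode {b:#04x} at offset {i}")
        tokens.append(f"{name}:{code[i:i + n].hex()}")
        i += n
    return tokens


# Padding the engine has been taught to ignore.  Every rule added here is one
# more round of the cat-and-mouse game the slides describe.
JUNK_PAIRS = (("inc eax", "dec eax"),)


def normalize(tokens: List[str]) -> List[str]:
    """Drop nops and balanced inc/dec pairs (simplification: where the pair sits is ignored)."""
    kept = [t for t in tokens if not t.startswith("nop:")]
    for inc, dec in JUNK_PAIRS:
        incs = [t for t in kept if t.startswith(inc + ":")]
        decs = [t for t in kept if t.startswith(dec + ":")]
        pairs = min(len(incs), len(decs))
        for t in incs[:pairs] + decs[:pairs]:
            kept.remove(t)
    return kept


def _contains(seq: List[str], sub: List[str]) -> bool:
    return any(seq[k:k + len(sub)] == sub for k in range(len(seq) - len(sub) + 1))


def normalized_signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Compare instruction sequences after stripping the padding, instead of raw bytes."""
    return _contains(normalize(decode(sample)), normalize(decode(signature)))


if __name__ == "__main__":
    for label, blob in (("original", CIH_ORIGINAL), ("disguised", CIH_DISGUISED)):
        print(f"{label:9s} exact={exact_signature_match(blob)!s:5s} "
              f"normalized={normalized_signature_match(blob)}")
```

The exact scan matches the slide-13 bytes and misses the slide-15 variant; the normalized scan matches both. The point the deck makes follows directly from the code: each new padding trick (a different register, a pair split across a jump, an opaque predicate) needs its own rule, and the defender is always one rule behind, which is why detection moved toward behavior.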
  • 17. Malware Is Now a Problem of Scale…
    • The number of new malware samples out there has been increasing exponentially
    • It might be the same malware sample you are dealing with, but it looks different to the naked eye…
  • 18. Summary of traditional approaches: 1998 compared to 2015
  • 19. Lastline Labs: AV Can’t Keep Up
    Antivirus systems take months to catch up to highly evasive threats.
  • 20. Current State of Affairs
    • Anti-virus systems are not enough
      – Malware modifies itself to evade detection
    • Manual analysis of threats requires an enormous amount of resources
      – Cannot scale; reaction time is in the order of days or weeks
    • We need to be leading in the arms race
  • 21. How Have Security Technologies Evolved? Emergence of Behavior-Based Detection
  • 22. Key Idea
    • Why not just run or open the suspicious file and see how it behaves?
    • This approach is generally known as sandboxing
    • The sandbox typically uses a virtualized, instrumented environment
    • The system logs the behaviors of the file
  • 23. Sandbox-Based Detection Is Popular
    • There are many security products now
      – Sandboxing is often a component that is used for unknown files
    • These sandboxes often vary in quality
      – A sandbox can be very simple, or can be more sophisticated based on its design
  • 24. Evasion of Behavior-Based Detection
    • Bad guys are not stupid
    • They have received the news that behavior-based detection is what everyone’s using now
    • Just like signature-based detection systems were evaded in the past, behavioral evasion tricks have emerged
  • 25. One of the First Tricks That Emerged: Red Pill (Remember The Matrix?)
    • A Virtual Machine (VM) is often used to run the code during analysis and detection
    • The red pill test allows you to find out if you’re running in a VM
    • There are many ways of launching evasions like that
  • 26. Some Dynamic Evasion Tricks
    • Checking for specific artifacts in the virtualized OS
    • Checks on CPU features that indicate a VM
    • Looking for running processes and imitating them
    • Waiting for someone to click on something
    • Delaying the execution until the analysis system gives up
  • 27. An Emerging Trick: Stalling Loops
    • A simple piece of code that takes milliseconds to execute on your laptop, but hours to run in a virtualized detection system
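The sandbox side of the evasion tricks on slides 26 and 27 is easiest to see as a trace analyzer. The following is an added Python example, not Lastline's code: it reads a sandbox execution trace and raises the indicators a stealthy sandbox would want to surface (artifact probes, a sleep that outlasts the analysis budget, a stalling loop visible as a huge run of cheap side-effect-free calls, and a sample that probes and then never does anything observable). The one-line-per-call trace format, the API names treated as probes or side effects, both traces and all thresholds are constructed for the demo and are assumptions of this example.

```python
"""Flagging evasive behaviour in a sandbox execution trace (added example).

Not Lastline's code.  The trace format (one "seconds api args" line per call),
the API sets and both traces are constructed for the demo; a real sandbox has
its own schema, and real evasion checks are far more varied than this list.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed trace: probes for hypervisor artifacts, enumerates processes,
# requests a 10-minute sleep, then spins on GetTickCount and exits without ever
# touching a file, a socket or a new process.
EVASIVE_TRACE = (
    "0.000001 RegOpenKeyExW HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__\n"
    "0.000002 RegOpenKeyExW HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools\n"
    "0.000003 GetFileAttributesW C:\\Windows\\System32\\drivers\\vmmouse.sys\n"
    "0.000004 CreateToolhelp32Snapshot TH32CS_SNAPPROCESS\n"
    "0.000005 Process32NextW vboxservice.exe\n"
    "0.000006 NtDelayExecution 600000\n"
    + "".join(f"{0.000007 + k * 0.000001:.6f} GetTickCount -\n" for k in range(20000))
)

# Constructed trace of a sample that simply does its job.
BENIGN_TRACE = (
    "0.000001 GetTickCount -\n"
    "0.000002 CreateFileW C:\\Users\\demo\\report.txt\n"
    "0.000003 WriteFile 512\n"
    "0.000004 GetTickCount -\n"
)

PROBE_APIS = {"RegOpenKeyExW", "GetFileAttributesW", "Process32NextW"}
VM_ARTIFACT = re.compile(r"vbox|vmware|vmmouse|qemu|xen|virtual", re.IGNORECASE)
CHEAP_TIMING_APIS = {"GetTickCount", "QueryPerformanceCounter", "GetSystemTime"}
SIDE_EFFECT_APIS = {"CreateProcessW", "WriteFile", "connect", "send", "RegSetValueExW"}


def parse(trace: str) -> List[Dict[str, str]]:
    """Turn the constructed line format into call records."""
    calls = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        t, api, args = line.split(" ", 2)
        calls.append({"t": t, "api": api, "args": args})
    return calls


def analyze(trace: str, analysis_budget_s: float = 120.0,
            stall_min_calls: int = 10_000, stall_ratio: float = 0.9) -> List[str]:
    """Return the evasion indicators found; an empty list means nothing suspicious."""
    calls = parse(trace)
    findings = []

    # Slide 26: checking for artifacts of the virtualized OS.
    if any(c["api"] in PROBE_APIS and VM_ARTIFACT.search(c["args"]) for c in calls):
        findings.append("vm-artifact-probe")

    # Slide 26: delaying execution until the analysis system gives up
    # (NtDelayExecution argument is taken to be milliseconds in this trace format).
    sleep_ms = sum(int(c["args"]) for c in calls if c["api"] == "NtDelayExecution")
    if sleep_ms / 1000.0 > analysis_budget_s:
        findings.append("sleep-exceeds-budget")

    # Slide 27: a stalling loop shows up as a huge run of cheap, side-effect-free calls.
    counts = Counter(c["api"] for c in calls)
    timing_calls = sum(counts[a] for a in CHEAP_TIMING_APIS)
    if calls and timing_calls >= stall_min_calls and timing_calls / len(calls) >= stall_ratio:
        findings.append("stalling-loop")

    # A sample that probes and then does nothing observable deserves a second look.
    if not any(c["api"] in SIDE_EFFECT_APIS for c in calls):
        findings.append("no-observable-payload")
    return findings


def verdict(trace: str) -> str:
    return "evasive" if analyze(trace) else "no-evasion-indicators"


if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, verdict(trace), analyze(trace))
```

The useful design point is the last check: a sandbox that only reports what a sample did will score an evasive sample as harmless, because it did nothing. Reporting the absence of a payload after a probe turns the evasion itself into the detection signal, which is what the deck means by a sandbox that can detect evasions.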
  • 28. What are some key characteristics of advanced malware behaviors? Oh Internet, where are we headed?
  • 29. Key Characteristics of Malware Today
    • The majority of the malware is “noise” – 50%-80%
    • A smaller portion is nasty – 15%-20%
    • An even smaller portion is very nasty – 1%-5%
  • 30. You’ve Probably Read This: Recent Payment Breaches
    • The last year has seen a dramatic escalation in the number of breached Point of Sale (PoS) systems
    • Many of these PoS payloads, like Backoff, evaded installed defenses and alarms
    • In a few cases an early alarm was received, but it was ignored since it was indistinguishable from the background noise
  • 31. What is Backoff?
    • Malware used in numerous breaches in the last year
    • The Secret Service estimated 1,000+ U.S. businesses affected
    • Targeted at Point of Sale (PoS) systems
    • Evades analysis
  • 32. How are the attackers deploying it?
    • Scan for Internet-facing Remote Desktop applications
    • Brute-force login credentials
    • Often successfully find administrative credentials
    • Use admin credentials to deploy Backoff to remote PoS systems
  • 33. Carbanak Malware
    • Bank robbing, raked in as much as $1 billion
      – Banks infiltrated, ATMs were taken over
      – Balances adjusted and funds transferred remotely
    • Most Carbanak samples exhibit stealthy behavior (90%)
      – 17% display evasive behavior (detecting the sandbox)
      – Samples are environmentally aware
      – A stealthy sandbox is needed that can detect evasions
  • 34. In Recent Research…
    • We looked at a Non-Governmental Organization (NGO)
      – Representing the Uyghur minority in China
      – Many suspicious emails were being sent
      – Many targeted hacking attempts
    • Key finding
      – The attacks were surprisingly simple
      – Malware not very sophisticated
      – No unknown vulnerabilities used
  • 35. Can we stop this threat? Is this war winnable?
  • 36. The Reality is That the Threat Will Continue to Exist
    • The right question should be: how can we keep this threat in check and limit the damage?
    • Similar to protecting your home
      – Locks can be broken
      – But you can use a good lock, build in alarm systems, and lock away your valuables
  • 37. Technology plays a crucial role, but…
    • Integration is very important
      – Whatever solutions we deploy must be easy to integrate and interoperate with existing systems
    • Proposed solutions need to be scalable
      – Organizations typically have thousands of users and multiple nodes that need protection
  • 38. Correlation is the key
    • There is no silver bullet in security!
    • You need to correlate information coming from different sources
      – Network nodes, domain names used, connections opened…
    • There is a large attack surface…
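The deployment chain on slide 32 (exposed Remote Desktop, brute-forced credentials, admin account used to push Backoff to PoS terminals) is also a good illustration of the correlation argument on slide 38: no single event in it is alarming on its own, but the sequence across two hosts is. The following added Python example, not Lastline's code, detects the credential brute-force from logon telemetry and then joins it with a later service install by the same account on another host. The events are constructed and use a simplified tuple that borrows Windows Security log semantics (4625 failed logon, 4624 successful logon, 7045 new service installed); hosts, users, addresses and the thresholds are invented for the demo.

```python
"""Correlating logon telemetry with host activity (added example).

Not Lastline's code.  The events are constructed and use a simplified tuple
(time, host, event_id, user, src_ip, detail) borrowed from Windows Security
log semantics: 4625 = failed logon, 4624 = successful logon, 7045 = new
service installed.  Hosts, users and addresses are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, int, str, str, str]


def build_sample_events() -> List[Event]:
    """Constructed telemetry: an Internet-facing RDP host (pos-gw01) takes a burst of
    failed logons from one address, one attempt finally succeeds with an admin account,
    and minutes later a new service appears on a PoS terminal under that account."""
    base = datetime(2015, 3, 1, 2, 0, 0)
    events: List[Event] = []
    guesses = ["admin", "administrator", "pos", "manager", "posadmin", "support"] * 2
    for k, user in enumerate(guesses):                       # 12 failures in 33 seconds
        events.append((base + timedelta(seconds=3 * k), "pos-gw01", 4625, user, "203.0.113.7", "logon type 10"))
    events.append((base + timedelta(seconds=40), "pos-gw01", 4624, "posadmin", "203.0.113.7", "logon type 10"))
    events.append((base + timedelta(minutes=5, seconds=10), "pos-term17", 7045, "posadmin", "", "service installed: svc_update"))
    events.append((base + timedelta(hours=7), "pos-gw01", 4624, "jsmith", "198.51.100.4", "logon type 10"))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """A success from a source that produced >= threshold failures on the same host
    inside the window is reported as a likely brute-forced credential (slide 32)."""
    by_src: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e[0]):
        by_src[(e[1], e[4])].append(e)
    findings = []
    for (host, src), evs in by_src.items():
        failures = [e for e in evs if e[2] == 4625]
        for e in evs:
            if e[2] != 4624:
                continue
            recent = [f for f in failures if e[0] - window <= f[0] < e[0]]
            if len(recent) >= threshold:
                findings.append({"host": host, "src_ip": src, "user": e[3],
                                 "at": e[0], "failures": len(recent)})
    return findings


def correlate_deployment(events: List[Event], findings: List[Dict],
                         window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Join each brute-force finding with service installs by the same account on
    any host shortly afterwards: the cross-source correlation slide 38 argues for."""
    chains = []
    for f in findings:
        for e in events:
            if e[2] == 7045 and e[3] == f["user"] and f["at"] <= e[0] <= f["at"] + window:
                chains.append({**f, "deployed_on": e[1], "detail": e[5]})
    return chains


def hunt(events: List[Event]) -> List[Dict]:
    """Full pipeline: brute-force findings enriched with the follow-on deployment."""
    return correlate_deployment(events, detect_bruteforce(events))


if __name__ == "__main__":
    for chain in hunt(build_sample_events()):
        print(f"{chain['src_ip']} brute-forced {chain['user']} on {chain['host']} "
              f"({chain['failures']} failures), then: {chain['detail']} on {chain['deployed_on']}")
```

The 7045 event on pos-term17 carries no source address and would sail through any per-host rule; it only becomes interesting once it is keyed on the account that the gateway's brute-force finding produced. That join is the whole of the "correlation is the key" argument in executable form, and the same shape extends to the other sources the slide lists (domain names resolved, connections opened) by adding further event types to the join.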
  • 39. Thinking like the attacker
    • It is not a question of if, but only when you’ll be breached
    • Getting breached is not the end of the world if…
      1. … you can detect the breach quickly
      2. … understand how you were breached
      3. … can share this breach knowledge automatically with other components and business units
  • 40. It’s Not Only a Technology Problem
    • Security systems sometimes fail because people fail
      – Education is a key component of any security solution
    • We need to educate students, train employees
      – Student hacking contests are a great example
  • 41. Student Hacking Competitions
    • Help educate and train students
      – Hacking contests where the aim is defense and offense
      – They’re fun! ;) And useful
      – 6 years ago, some companies were against them… now they’re organizing their own ;)
  • 42. New Research: Kernel-Level Detection
    • The operating system kernel is the blind spot for detection
      – Kernel-level malware is typically invisible to sandboxes
    • At least one malware component often executes in kernel space
      – I’m happy to announce novel techniques to automate the analysis of such malware today
      – http://www.lastline.com/labs
  • 43. Key Takeaways
    • Traditional malware detection tech now ineffective
    • Security automation and stealthy analysis critical to protection
    • Security professionals in high demand
      – Need to attract, train and retain talented people
  • 44. THANK YOU!
    For more information visit www.lastline.com or contact us at info@lastline.com.