Presentation by Marco Slaviero at Tshwane University Of Technology.
This presentation is about protecting your computer against malware. It begins with a look at different types of malware, then discusses whether program intent can be determined in a general way, and ends with practical strategies for both home and enterprise users to protect their computers from infection.
6. Specific solutions
• Real-time / point-in-time
• Signatures
– Byte sequences on disk
– Byte sequences over the network
– Known suspicious system calls
PROOF AGAINST MALWARE
7. Antimalware fails
• Polymorphic malware
– Encrypt the virus, and include a tiny
decryption engine that runs first.
– Response: virtualise the first couple of
hundred instructions, then see if known
signatures are present
• Metamorphic malware
– Alter the instruction sequence such that it
remains semantically identical, but
syntactically different
8. Examples
• Signature stream:
“Our computing systems are generally very
insecure.”
• Polymorphic manipulation:
“Replace each ‘ZZ’ with an ‘e’ in the next sentence.
Our computing systZZms arZZ gZZnZZrally vZZry
insZZcurZZ.”
• Metamorphic manipulation:
“Mankind’s information systems do not exhibit safe
security practices.”
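The signature-versus-polymorphism point above, as an added Python example that is not part of the slides: a verbatim signature check, the "virtualise the first instructions, then look for signatures" response modelled as running the sample's own decoder stub before matching, and the metamorphic paraphrase that neither step catches. The decoder-stub format and all three samples are constructed for this illustration.

```python
import re

# Constructed "signature": the byte sequence a scanner looks for verbatim.
SIGNATURE = "Our computing systems are generally very insecure."

# Constructed samples mirroring the slide's text analogy.
CLEAN_SAMPLE = "Our computing systems are generally very insecure."
# Polymorphic: the payload is encoded (each 'e' -> 'ZZ') and prefixed with a
# tiny "decoder" that must run first to restore the original bytes.
POLYMORPHIC_SAMPLE = (
    "Replace each 'ZZ' with an 'e' in the next sentence. "
    "Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ."
)
# Metamorphic: semantically the same statement, syntactically unrelated.
METAMORPHIC_SAMPLE = (
    "Mankind's information systems do not exhibit safe security practices."
)

# Hypothetical decoder-stub grammar for this example only.
DECODER_RE = re.compile(
    r"Replace each '(\w+)' with an '(\w+)' in the next sentence\.\s*"
)


def signature_match(sample: str, signature: str = SIGNATURE) -> bool:
    """Point-in-time byte-sequence check: is the signature present verbatim?"""
    return signature in sample


def emulate_decoder(sample: str) -> str:
    """Model the 'virtualise the first few instructions' response: if the
    sample opens with a decoder stub, execute it (apply the substitution)
    and return the decoded body; otherwise return the sample unchanged."""
    m = DECODER_RE.match(sample)
    if not m:
        return sample
    encoded, plain = m.group(1), m.group(2)
    return sample[m.end():].replace(encoded, plain)


def scan(sample: str) -> tuple[bool, bool]:
    """Return (static_hit, emulated_hit) for one sample."""
    return signature_match(sample), signature_match(emulate_decoder(sample))


if __name__ == "__main__":
    for name, s in [("clean", CLEAN_SAMPLE), ("polymorphic", POLYMORPHIC_SAMPLE),
                    ("metamorphic", METAMORPHIC_SAMPLE)]:
        print(name, scan(s))
```

Only the polymorphic sample flips from miss to hit once the decoder is emulated; the metamorphic rewrite is missed either way, which is why signatures alone cannot close the gap.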
18. DOES IT GET LESS GLOOMY?
19. Side bar: Attack Graphs
Figure: attack graph from the slide, the attacker’s path as a sequence of steps:
• Create and host malicious website
• Obtain target’s contact details
• Entice user to click on link
• Exploit flaw in unpatched Adobe Flash Player
• Download body of malware
• Execute malware
• Search disk for documents
• Upload information via configured proxy
26. Practical strategies: Home users
• Not much infrastructure to lengthen attack
chains
• Consider
– Decentralising your online life
– Multiple (virtual) machines, each devoted to a
single level of task
– Security by isolation
– Examples: VMWare, Qubes
27. Qubes
http://qubes-os.org/Architecture.html
28. Practical strategies: Enterprise users
• Regular stuff (remove unneeded software, patch,
segregated networks, etc.)
• Expect that you’re infected
• Develop rapid response measures to detect and
isolate infection using signatures on both the host
and network.
• Monitor and log process execution
• Whitelist binaries
• Close access channels (no browsing, severe email
limitations, no flash disks)
• Risk management: loss is inevitable, absorb the
cost
• Introduce heterogeneity
30. BUT DON’T FOOL YOURSELF.
YOU’RE STILL NOT
MALWARE-PROOF.
31. Thank you to Prof. Ojo and TUT for the
opportunity
marco@sensepost.com
Questions?
Editor’s notes
Dual-purpose tools: remote access, HTC’s logging app on Android. Ignoring basic questions: Are you being targeted specifically? Is the malware custom? What is its purpose? All of these bear on the question of whether it is (easily) prevented.
i.e. a program could be malicious in the hands of one user, but a useful tool to another, e.g. remote access tools or even adware. What’s clear is that some software has no discernible benefit to the user. If the user is unaware of the software and it does not benefit the user, we can term it malware.
No. Thus the definition of malware is fuzzy. Let’s look at a few ways that it can be installed.
We treat viruses and most malware as an infection, but not as an attack. Why is it that the solution to malware is to disinfect, but the solution to an attack is to reinstall? What’s different? If we reinstalled every virus-infected machine, companies would close down.
Not really, not only Ethernet connections.
What about FireWire, Bluetooth, and other interconnects? Stuxnet.
Fending off thousands of new, “public”, malware samples
Not looking at custom modifications and targeting.
So, can we malware-proof a computer? Since we require connectivity and interaction, can’t exactly define malware, have masses of identical machines, and implement detection and prevention in easily bypassable manners, we can conclude that the answer is NO.
A few options. Improve monitoring, lengthen the attack graphs, focus on the organisation.
Sequence of steps sketching out the attacker’s path
i.e., increase complexity. Your information should not be one malware infection away from disclosure.
Break in any one lock opens the gate
Original object is unusable
Most secure line of code is the one never written.
i.e., increase complexity.
The tradeoff means that eventually you’ll hit security controls that aren’t worth it. Are you spending more on the controls than the data is worth? Are you causing an impact to the business worth more than the data?
Security by isolation
Increases the length of the attack chain. Does not close it off.