Anatomy of Attacks - University of British Columbia (slide transcript)
Anatomy of Attacks Dmitry Samosseiko, SophosLabs
SophosLabs Team
• One global team – UK, US, Canada, Australia
• 24/7, 365 days/year
• ~100 Researchers and Developers globally: Threat Operations, Systems Development, Advanced Research and Detection Development
• Highly trained: ~6 month training program for new hires
• Strong focus on Software Reverse Engineering
• Broad skill set – malware, spam, web, exploits
WHO WRITES COMPUTER VIRUSES?
The good old days…
Today’s motives
Monetizing on malware?
• Spam bots
• Spyware (keyloggers, “phishing” password stealers)
• Ransomware
• Scareware
• Denial of service attacks
• Corporate data theft
• …
The value of a “zombie” PC
Source: krebsonsecurity.com
Exponential growth
Source: av-test.org
Variants and volumes
• SophosLabs sees 200,000 samples per day – 33% more than in 2011
• And 20,000 new malicious URLs – 80% were compromised legitimate sites
MALWARE DIVERSITY
Viruses
• Spread by infecting other files, executables
• Parasitic
• Not as common today as other forms of malware
• May require a special cleanup approach
Worms
• Spread via network connection
• Attack network shares, weak passwords/security
Trojan horses
• The most prevalent kind of malware today
• Often relies on social engineering
• Needs to be disguised as something normal
“Bankers”
• Steal banking account information
• Prevalent in South America
• Attempt to bypass online banking security measures
Rootkits
• Stealthy, avoid detection
• Subvert the OS operations
• Hard to detect and remove
• Bootkits – rootkits that attack the MBR and load before the OS kernel
• Examples: TDSS/TDL, ZeroAccess, Alureon
Botnets
Botnets for:
1. Email spam – “Grum” ~ 200,000 PCs, “Rustock” ~ 815,000 PCs
2. Web spam
3. DDoS
4. “Installs”
5. Info stealers (Zeus, Citadel)
Picture source: http://en.wikipedia.org/wiki/Botnet
Scareware / FakeAV
#1 threat today by prevalence
• Fake anti-virus
• Fake anti-spyware
• System “optimizers”
Videos at http://youtube.com/SophosLabs
Scareware for Macs
Ransomware
• Encrypts documents or
• Blocks screen/mouse/keyboard access
• Demands money to unlock (SMS, e-currency, prepaid cards)
Main vectors
• Web
• Email spam
• Removable media (USB, phones)
Spam for malware distribution
Email messages containing malicious attachments
• Spam often used to distribute threats
• Attachments to the message
• Links in the message body
• Executable often in ZIP or RAR
• HTML attachments
• Social engineering throughout
Social engineering
• “You need to install this codec to watch that video”
• “You are infected! Install XP Antivirus 2012!”
• “OMG! Your private video is online. Watch it here.”
• “Open the attachment to see your pay raise details!”
• “You’ve got a PayPal payment. Open to see”
• … there is one for everybody …
Forces you to act, not think…
Ok, we’re too smart to fall for this…
Software has “bugs”
• Bugs create vulnerabilities
• Vulnerabilities get exploited
• It may take weeks to patch a hole
• Exploit packs are sold online
They also have “holes”
Browsers & browser plugins:
• Java
• Flash
• PDF
• Quicktime
• Media players
• ActiveX
• Office documents
• Even images
Exploit packs = Silent installs, “drive-by” infections
Adpack Exploit Pack, Armitage Exploit Pack, Bleeding Life, CrimePack, Cry Exploit Pack, Datalife Exploit Pack, Eleonore, Fiesta Exploit Pack, Fire Pack Exploit, Fragus Exploit Pack, Gpack, Ice Exploit Pack, Impact (aka 'seo sploit'), Infector Exploit Pack, Mpack Exploit Pack, Multi Exploit Pack, Ninja Phishing Framework, Phoenix Exploit Pack, Poly Exploit Pack, Red Exploit Pack, SEO Exploit Kit, (Numerous, names unknown), Siberia Pack, Smart Exploit Pack, Target Exploit Pack, Tors Exploit Pack, Unique Exploit Pack, Yes Exploit Pack, Zero Exploit Pack, Zeus Exploit Pack
BlackHole
• The most successful and prevalent exploit kit
• $1500 per year or from $50 a day
• PHP/MySQL backend
• Management console
• Version 2 (Oct 2012) includes Windows8 and mobile devices
IT’S ALL ABOUT WEB TRAFFIC
Web traffic generation
• Black SEO (doorways, content farms)
• Traffic hijacking
• “Malvertizing”
• …
SEO – How do they do it?
Doorway – A web page that is designed to attract traffic from a search engine and then redirect it to another site or page
[Figure: Google results; what Googlebot sees vs. what Firefox/Chrome/IE sees]
Social networking malware
Myth: I’m a safe surfer
Do you ever visit these sites?
Even those we trust most
Website infections
• FTP account hacking
• cPanel exploits
• SQL Injections
• Vulnerable webservers, CMS (Wordpress, Drupal, …), PHP, …
Pharma profitability
Orders per day over 12 days:
| Date | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 10 | 11 | 12 |
| Orders | 30 | 74 | 216 | 193 | 231 | 191 | 189 | 78 | 99 | 128 | 52 | 7 |
Average sales per day: 124
This affiliate used 66 unique domains referencing his AffID
• 124 orders per day
• Average sale = $160
• 40% commission
124 * $160 = $19,840 * 40% = $7,936/day
Fake anti-virus profitability
Statistics from topsale2.ru
Fake AV recruitment – Topsale.ru
• 25$ per AV sale
• Exe + Exploit pack for IFRAME traffic
• PROMO: Fake scanner to redirect traffic
• “light” exe that wouldn’t hurt and kill your golden US bots
• 10% referral
Top fake anti-virus affiliates
| Affiliate ID | Affiliate Username | Account Balance (USD) |
| 4928 | nenastniy | $158,568.86 |
| 56 | krab | $105,955.76 |
| 2 | rstwm | $95,021.16 |
| 4748 | newforis | $93,260.64 |
| 5016 | slyers | $85,220.22 |
| 3684 | ultra | $82,174.54 |
| 3750 | cosma2k | $78,824.88 |
| 5050 | dp322 | $75,631.26 |
| 3886 | iamthevip | $61,552.63 |
| 4048 | dp32 | $58,160.20 |
Ransomware profitability
Arms Race …
Evasion Techniques
• IP/network blocking
• HTTP_REFERRER/cookie check
• “Time attacks”
• JavaScript obfuscations for redirect chain
• Browser detection
• Delays
• DOM tricks
• “Click to download” images
JavaScript Obfuscation
Exploit Code
Evasion Techniques
• Binaries repackaged every 20 min (!) and AV tested + server side polymorphism
• 100s of payload domains created daily + payload sites hosted on “free TLDs” (.cz.cc …)
• 10,000s of new infected websites stealing legitimate traffic, found daily
• TDS domain turn over (relatively slow)
• IP hopping
Everything is a moving target
AV Scanners for Virus writers
Crypto services for virus writers
• Meant to hide the payload behind a layer of packer/crypto
• Could include multiple layers, i.e. a VB malware wrapped in a C packer
• Service model
• + Legitimate commercial packers
SSP
• SSP – Server-side polymorphism
• New binary for every download
Non-traditional malware
• APTs
• State-sponsored “cyber weapons” (Duqu, Stuxnet, Flame)
APT – What does it mean?
Advanced Persistent Threat
• A fancy name for targeted attacks
• A term describing the “daily onslaught of digital assaults launched by attackers who are considered highly-skilled, determined and possessed of a long-term perspective on their mission” (Wikipedia)
APT highlights for 2010/11
Threats left undiscovered for months, even years:
• Nov 2010 – operation “Aurora” – Google
• Jan 2011 – Canadian government organizations
• Feb 2011 – “Night Dragon” – energy industries
• Mar 2011 – RSA
• Jun 2011 – Northrop Grumman (RSA hack)
• Jun 2011 – IMF
• Aug 2011 – “ShadyRat” – MANY governments and corporations worldwide
• Sept 2011 – Mitsubishi (nuclear plant, defense secrets)
Intellectual property is the new gold
Case one:
• Zero day Flash vulnerability
• Inadequate monitoring
• Victims of their own success
Case two:
• Zero day IE6 vulnerability
• All systems “trustworthy”
• Allowed intruders too much privilege
What can be done?
• Awareness
• Security measures
• Legal actions
Legal actions and takedown efforts
Takedown highlights
• Nov 2009 – “Mega-D” (30-35% of spam). Arrested
• Feb 2010 – “Mariposa” botnet, 12M PCs. Arrested.
• Mar 2010 – “Zeus” botnet. Arrested
• Oct 2010 – “Bredolab” botnet, 30M PCs!
• Sep 2011 – “Kelihos” botnet
• Mar 2011 – “Rustock” botnet. On the run.
• …
• Nov 2012 – “Nitol”
Anatomy of Defences
Modern AV
• Not just about viruses
• Not just about signatures
• Not just about executables
• Multi-layer defenses
• Static and runtime protection
• Behavioral malware profiles
• Malicious scripts, PDFs, Flash, Java, docs, exploits, packers, …
• Emulation, unpacking
• “Cloud”-based reputation services
A typical web attack
• Doorways / Infected sites – Set the trap for users and draw them in
• Traffic Distribution – Directs victims to selected attacks
• Penetration – Getting around environmental defenses
• Infection – Binary threats downloaded and installed
• Execution – The threat is doing its dirty work
Layered protection
Stop attacks and breaches
AV Lab Tasks
Threat Visibility → Sample Collection → Analysis → Protection
Threat Discovery
Through SophosLabs systems and products:
• Product feedback
• Web crawling
• Spam traps
• Industry sharing
URL Analysis
Website URLs
• URL Patterns
• Domain age
• Popularity
• Location
• Network reputation
• Name servers (DNS)
• Scan results from various content engines
• Sources
• Manual analysis
File Analysis
Dynamic Files Analysis
• Samples executed
• Behavior observed, recorded and analyzed
• Dropped samples submitted for analysis
• Outbound network traffic (URLs, domains) captured and sent for analysis
• All analysis results are sent to correlation system for decision making
Static Analysis / Human Analysis
• Reverse Engineering with IDAPro
• Many internal tools: JS unpacking, File entropy, Strings extraction, File format handling, i.e. PDF tools
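As an added example (not from the talk or SophosLabs tooling), the file-entropy and strings-extraction tools listed above combined into a crude packed-sample triage check, which also bears on the "crypto services" and server-side polymorphism slides: a near-random body with almost no readable text is the fingerprint of a packed or encrypted payload. The two byte samples are constructed here; the 1024-byte window, the seed and the 7.0 bits/byte threshold are assumptions.

```python
"""File entropy and strings extraction combined into a 'does this look
packed?' heuristic. Added illustration, not a product's detection logic."""
import math
import random
import re
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform noise."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data, chunk_size=1024):
    """Entropy of each fixed-size window, so a packed section stands out
    even when the file also carries a plain header."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def extract_strings(data, min_len=5):
    """Runs of printable ASCII at least min_len long, like the Unix strings tool."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def assess(data, chunk_size=1024, high=7.0):
    """Summarise a sample: per-window entropy, readable-text coverage and a verdict.
    Thresholds (7.0 bits/byte, 50% of windows, 20% text) are assumptions."""
    ents = chunk_entropies(data, chunk_size)
    strings = extract_strings(data)
    high_fraction = sum(e >= high for e in ents) / len(ents) if ents else 0.0
    text_fraction = sum(len(s) for s in strings) / len(data) if data else 0.0
    # Packed/encrypted payloads are near-random and carry almost no readable text;
    # a plain executable exposes import names, messages and registry paths.
    packed = high_fraction >= 0.5 and text_fraction < 0.2
    return {
        "size": len(data),
        "mean_entropy": round(sum(ents) / len(ents), 2) if ents else 0.0,
        "high_entropy_fraction": round(high_fraction, 2),
        "text_fraction": round(text_fraction, 2),
        "strings": strings[:5],
        "verdict": "likely packed/encrypted" if packed else "plain",
    }


# Constructed samples (not real malware): a DOS-style stub header followed by
# either readable import names and a registry path, or pseudo-random bytes.
HEADER = b"MZ" + b"\x00" * 58 + b"This program cannot be run in DOS mode.\r\n"
PLAIN_BODY = (b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00ExitProcess\x00"
              + b"\x00" * 16
              + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
              + b"\x00" * 16)
PLAIN_SAMPLE = (HEADER + PLAIN_BODY * 40)[:4096]
_rng = random.Random(20121115)  # fixed seed keeps the constructed sample reproducible
PACKED_SAMPLE = HEADER + bytes(_rng.getrandbits(8) for _ in range(4096 - len(HEADER)))


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, assess(sample))
```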
Reversing…
Automation is key
• “Big data” problems
• Fast turn around time
• Anti-anti-anti-* techniques
Attack Examples
A typical web attack and levels of protection offered
Doorways
Attack chain: Doorway → TDS → Redirector → Promo → Payload → Install → Payment
• Filled with keywords
• Look different to Googlebots (cloaking)
• SEO Kits
Detection:
• Template detection, i.e. Mal/SEORed-*
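An added example, not code from the presentation: a cloaking check for the doorway behaviour described on this slide and on the earlier "SEO – How do they do it?" slide. It fetches a suspected doorway URL once as Googlebot and once as a normal browser and compares what each client would see. The fetch functions, page contents and .invalid hostnames are constructed stand-ins for real HTTP requests.

```python
"""Cloaking check: does a page show one thing to a search-engine crawler and
another to a browser? Added illustration, not a product's detection logic."""
import re

# Constructed user-agent strings; real crawler/browser strings vary by version.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/24.0"

# Constructed responses standing in for one doorway URL: the crawler is fed
# keyword-stuffed text, a browser gets an immediate refresh to another site.
CRAWLER_PAGE = """<html><head><title>cheap pills online pharmacy</title></head>
<body><h1>Cheap pills online pharmacy discount pills</h1>
<p>buy pills online cheap pharmacy discount pills fast delivery</p>
<p>online pharmacy cheap pills buy now discount</p></body></html>"""
BROWSER_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://tds.example.invalid/in.cgi?3">
</head><body></body></html>"""


def fetch_doorway(url, user_agent):
    """Constructed stand-in for an HTTP GET against a cloaking doorway."""
    if "googlebot" in user_agent.lower():
        return CRAWLER_PAGE
    return BROWSER_PAGE


def fetch_honest(url, user_agent):
    """Constructed stand-in for a site that serves everyone the same page."""
    return CRAWLER_PAGE


def visible_words(html):
    """Lower-case words a reader would see once scripts and tags are removed."""
    text = re.sub(r"<script.*?</script>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return set(re.findall(r"[a-z]{3,}", text.lower()))


def find_redirect(html):
    """Return the target of a meta-refresh or a simple location= assignment, if any."""
    m = re.search(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', html, re.I)
    if m:
        return m.group(1)
    m = re.search(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', html, re.I)
    return m.group(1) if m else None


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def check_cloaking(url, fetch, threshold=0.5):
    """Flag the URL as cloaked when the crawler and browser views diverge, or
    when only the browser is sent away. The 0.5 threshold is an assumption."""
    crawler_html = fetch(url, GOOGLEBOT_UA)
    browser_html = fetch(url, BROWSER_UA)
    crawler_words = visible_words(crawler_html)
    browser_words = visible_words(browser_html)
    similarity = jaccard(crawler_words, browser_words)
    browser_redirect = find_redirect(browser_html)
    crawler_redirect = find_redirect(crawler_html)
    cloaked = similarity < threshold or (browser_redirect is not None
                                         and crawler_redirect is None)
    return {
        "url": url,
        "similarity": round(similarity, 3),
        "browser_redirect": browser_redirect,
        "crawler_keywords": sorted(crawler_words)[:6],
        "cloaked": cloaked,
    }


if __name__ == "__main__":
    print(check_cloaking("http://doorway.example.invalid/", fetch_doorway))
    print(check_cloaking("http://honest.example.invalid/", fetch_honest))
```

Against a live URL the same two requests would go through a real HTTP client, and the keyword list is what template detection (Mal/SEORed-* on the slide) would match against.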
Typical FakeAV
[Figure: doorway page, redirect sites, payload site]
Typical FakeAV – TDS
• SutraTDS, SimpleTDS, …
• Run on dedicated domains
• Redirecting traffic based on: country/city, browser, OS, search keywords, etc
Detection:
• TDS domain blocking
Typical FakeAV – Redirector
Just another obfuscation layer
Detection:
• Domain/URL blocking
• JavaScript detection: Mal/ObfJS, Mal/JSRedir
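Added example, not the detection logic behind Mal/ObfJS or Mal/JSRedir: a heuristic scorer for the obfuscation patterns a redirector layer hides behind (escaped strings, eval/unescape chains, throw-away hex identifiers), plus an escape decoder as a first "JS unpacking" pass of the kind listed among the lab's internal tools. The sample snippet only alerts the word hello; it, the weights and the threshold are constructed assumptions.

```python
"""Score a JavaScript snippet for obfuscation tell-tales and peel one layer of
string escapes. Added illustration, not a product's detection logic."""
import re

# Feature name -> pattern. Counts feed a weighted score below.
FEATURES = {
    "eval_like": re.compile(r"\b(?:eval|unescape|Function)\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "escape_seq": re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})"),
    "hex_ident": re.compile(r"\b_0x[0-9a-fA-F]{2,}\b"),
    "doc_write": re.compile(r"document\.write"),
}


def feature_counts(script):
    return {name: len(rx.findall(script)) for name, rx in FEATURES.items()}


def longest_string_literal(script):
    """Length of the longest quoted literal; huge blobs usually hide a payload."""
    lits = re.findall(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'', script)
    return max((len(s) for s in lits), default=0)


def score(script):
    """Weighted sum of the features; weights are assumptions, not tuned values."""
    counts = feature_counts(script)
    # Escapes are scored by density so a long but lightly escaped file is not penalised.
    escape_density = 100.0 * counts["escape_seq"] / max(len(script), 1)
    total = (3.0 * counts["eval_like"] + 2.0 * counts["fromCharCode"]
             + 1.0 * counts["doc_write"] + 0.5 * counts["hex_ident"] + escape_density)
    if longest_string_literal(script) > 200:
        total += 2.0
    return round(total, 2)


def classify(script, threshold=5.0):
    return "suspicious" if score(script) >= threshold else "benign"


def decode_escapes(text):
    """Resolve \\xNN, \\uNNNN and %NN escapes so hidden words become readable."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


# Constructed obfuscated snippet: decodes to alert("hello"), nothing more.
OBFUSCATED_SAMPLE = r"""var _0x4a1b=["\x68\x65\x6c\x6c\x6f","\x77\x72\x69\x74\x65"];
var _0x2c=unescape("%64%6f%63%75%6d%65%6e%74");
eval(String.fromCharCode(97,108,101,114,116)+"(_0x4a1b[0])");"""

# Constructed ordinary page script for comparison.
CLEAN_SAMPLE = """function showTotal(items) {
  var total = 0;
  for (var i = 0; i < items.length; i++) { total += items[i].price; }
  document.getElementById("total").textContent = "Total: " + total.toFixed(2);
}"""


if __name__ == "__main__":
    for name, js in (("obfuscated", OBFUSCATED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, classify(js), score(js), feature_counts(js))
    print(decode_escapes(OBFUSCATED_SAMPLE))
```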
Typical FakeAV – Promo
• Fake “My Computer” (or Finder) scanner page
Detection:
• URL/domain blocking
• HTML/JS content: Mal/FakeAvJS
Typical FakeAV – Payload
• Often hosted on the same page as “promo”
• Hard to get to
• SSP
Detection:
• URL/domain blocking
• Binary detection: Mal/FakeAvJS, EnkPack, Cloud
Typical FakeAV – Install
On endpoints:
• Context based detection – correlating registry keys, file names with binary “genes”
• HIPS – runtime behavior analysis
Thank you! Some recommended resources
http://nakedsecurity.sophos.com
http://www.facebook.com/SophosSecurity
http://krebsonsecurity.com