chronicles of malwares and detection systems
TRANSCRIPT
![Page 1: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/1.jpg)
Chronicles of Malwares and Detection SystemsBy:
Amit Malik
Member @ Cysinfo
Researcher @ FireEye Labs© Cysinfo Research Group
![Page 2: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/2.jpg)
Disclaimer
The Content, Demonstration, Source Code and Programs presented here is "AS IS" without
any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are
solely of the mine and nothing to do with the company or the organization in which I am
currently working.
However in no circumstances neither I or Cysinfo is responsible for any damage or loss
caused due to use or misuse of the information presented here.
![Page 3: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/3.jpg)
Agenda
Phases
The common thingsData TheftCode protection/obfuscation
Code protection and obfuscation – the view (PE Only)
Detection systems
Final thoughts
![Page 4: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/4.jpg)
PhasesFun
The early stageBirth of antivirus
Fun and ProfitSecond stageCode obfuscation/evasion – the innovation
The gods – themda, vmprotect etc.Knowledge sharing
Antivirus heuristics etc. (the failure)
ProfitCurrent stage
Targeted attacks
Offensive and defensive both are fully commercial
Sophistication in exploits is increased exponentially
Malwares are either sophisticated (duqu, stuxnet etc.) or easy ( rebirth of RAT)
Modules (DLL etc.)
New technologies for detection – execute and detect, machine learning etc.
![Page 5: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/5.jpg)
The common thingsAt problem level, these things are common in malwares
Data theft (real problem)Code obfuscation/evasion (antivirus failure)
Data theft This is the problem actually…. Malware itself is not a problem.Remember “data” is the key thing here.
Code obfuscation/evasionReal challenge for detection systemsPacking, protectors, encryptors.. Etc etc.
![Page 6: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/6.jpg)
Code protection/evasion – the view
Real challenge to detection technologiesMaking true real time protection nearly impossible.Couple of interesting things about this behavior.In unpacked binaries the execution will be within the section (ep) boundaries and the address space will be less tense.
![Page 7: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/7.jpg)
Code protection/evasion – the view
In packed binaries the execution can fluctuate across multiple sections and the address space will look more stressed (especially in malwares due to multiple packing layers).
![Page 8: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/8.jpg)
Graph for malicious samples (exmp.)
![Page 9: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/9.jpg)
Graph for malicious samples (exmp.)
![Page 10: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/10.jpg)
Graph AnalysisTwo things are most important:
Origin of call?Tension in the address space.
Meaning return address and use of “data” are the two most important things.
Actually tracking the use of “data” is not an easy task.
But what if we monitor the user interaction with system instead of monitoring the use of data blindly?
Why a specific event/activity is happening in the system?
What is the scope of interaction of user to start that event.
How the user is using/receiving the event output.
![Page 11: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/11.jpg)
Detection SystemsAntivirus
Actually I don’t want to blame antivirus.. Things at endpoints are very messy.
A significant enhancement in the model is required.
Home users are in real danger.. No other option.
Execute and Detect:New technology to detect the malwares – actually it is not new, people just experimented it recently for detection and it is working?
Infection is ok for customer but data should be protected.
Considering the security problems people are ok even if you detect the malware after the actual infection.
![Page 12: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/12.jpg)
Detection Systems (cont.)
Execute and Detect:Pros:
Inspection of malware in a controlled environment.You don’t have to worry about the user and experience.You know the state and health of the system so detection is relatively easy. (on endpoint it is an entirely different game – poor antivirus).
Cons:Expensive?
Large infrastructureHuge maintenance overhead.
Logic bombs – I know I am in sandbox Oh boy.. First it is really difficult to port this thing or its variations on endpoint.. And even if we can achieve that, it will be extremely expensive for home users.
![Page 13: Chronicles of Malwares and Detection Systems](https://reader035.vdocuments.us/reader035/viewer/2022070523/58ed464f1a28abcc268b46df/html5/thumbnails/13.jpg)
Final ThoughtsMalware is a problem and will always be.
Security is human + technology breach, we can’t fix both.
Antivirus is failing and right now there is no other solution for its replacement for home users.
Execute and detect is a good new technology for detection but it is expensive and not truly reactive (true real time protection?, post infection alerts.).
THANK YOU!