![Page 1: Technical security at 1&1 - Ruhr University Bochum · Poly- and metamorphic malware and the obfuscation curse 16 18.01.2018 Most modern malware is polymorphic and uses anti-analysis](https://reader034.vdocuments.us/reader034/viewer/2022042308/5ed47995753c9203c911001e/html5/thumbnails/1.jpg)
Matthias Schmidt
TECHNICAL SECURITY
AT A LARGE COMPANY

Welcome, Who am I!
18.01.2018
Studied CS @ Univ Marburg 2001 - 2007
Diploma thesis about Network Security
5 years assistant at Distributed Systems Group 2007 - 2012
Security
Virtualization
Grid Computing
Head of Technical Security
Joined 1&1 in 2012
Security Architecture
Operating Systems Security
Digital Forensics
Malware/Reverse Engineering
Trainings

Why we care about Information Security
Figures
7 Data Centers on 2 continents
90,000 servers at 1&1
60,000 servers at Strato
Hosting of more than 20 million domains
Networking
Global connectivity more than 300 GBit/s
70 GBit/s outbound peak load traffic
About 9 billion page impressions per month
More than 5 billion e-mails per month
9,000 TeraByte monthly traffic volume

TECHNICAL SECURITY
General Introduction
Flickr. CarbonNYC. CC-BY-2.0

Focus Topics & Services
Technical Security
Cross-Sectional
Consulting
Legacy Migration Projects
PKI
My Secure Workday
Secure Services
…
Application Security
SSLC
Maturity Model
Pentests
Network Security
Infrastructure Scan
VLAN hardening
Pentests
Office Security
Malware protection
Sandbox Analysis
Memory forensics
Pentests
Infrastructure Security
Hardening
Forensics
SIEM
Pentests
IDS
Comm
CERT
Trainings
Incident Management

Application Security and its Challenges in corporate Environments
Secure Software Development Lifecycle (SSDLC)
Structured way of developing secure software
Predefined set of Life-Cycle Tasks and requirements
Developed our own tool for it: https://securityrat.github.io/
Penetration tests
For new applications
For legacy applications
Cover recurring events (PCI DSS/De-Mail re-certification)
Challenges
Secure development in agile environments
Pentests scalability
Third-party software/dependencies
Remember, the cloud is just someone else’s computer

Infrastructure Security and Digital Forensics
Are we affected by $vulnerability?
Simple for hundreds, complex for tens of thousands of systems
We scan at large scale
Zmap, nmap, SSL/TLS scanner, enterprise solutions, …
Volatile and non-volatile Forensic investigations on
Servers
Workstations
Mobile devices

ADVANCED WORKSTATION PROTECTION
Signature-based Anti-Virus is dead or …

Office Security

Incident Response Process
Detection
Prevention
Mitigation
Assessment
Analysis
Goal: Automated Threat Treatment
Reduce Response Time
Reduce Resolution Time
Reduce Incident Impact
Reduce Incident Probability

There is an Entire Industry behind it…

So, what do you think that you are worth?

Now, why does this happen? Don't we have anti-virus scanners?

They sometimes fail…
• Different names
• Different strings
• Different hashes
• Damn!

Poly- and metamorphic malware and the obfuscation curse
Most modern malware is polymorphic and uses anti-analysis and anti-detection techniques like
Encryption
Packing
Code/Binary Obfuscation
Virtualization
Anti-debugging
…
Many malware families are even metamorphic (= self-mutating)
Use a new encryption key with every replication cycle
Rotate different obfuscation schemes
Reload code at runtime
Use self-modifying code practices
…

Long story short…

Incident Response Infrastructure
[Diagram] Components: Anti-Virus Server, Malware Analysis System, IDS, Ticket System, Alert Database, Operator, IOC Server, Workstation, SIEM, Live Forensics System
[Diagram] Edge labels: alerts, IOCs, request

Generic Incident Analysis Procedure
ALERT
• Anti-Virus / IDS Alert
• User reports "weird" behavior
TRIAGE
• Check for obvious FP signs
• Assess victim criticality
• Assess potential threat impact
ANALYSIS
• Gather evidence (memory dump, network traces, …)
• Filter, correlate, and analyze evidence

A typical Incident Analysis Case (1)
Email with link to alleged Winrar installer
Download trojanized Winrar ISO
Extract Winrar.exe from Winrar.iso
\Users\xxx\Downloads\WinRAR.iso
\Windows\Prefetch\7ZFM.EXE-7C92DCA0.pf
\Users\xxx\AppData\Local\Temp\7zOC95DD566\WinRAR.exe
\Users\xxx\Downloads\WinRAR\WinRAR.exe

A typical Incident Analysis Case (2)
Execute trojanized Winrar.exe
Drop, install, and start malicious Service
\Windows\Prefetch\WINRAR.EXE-72EEBF17.pf
\Users\xxx\AppData\Local\Temp\103191234\ic-0.ba8738946c7218.exe
\Windows\Prefetch\SC.EXE-4502142D.pf
\Windows\Prefetch\NET.EXE-7F832A3A.pf
\Windows\Prefetch\IC-0.0C4A2901A2643.EXE-653CBD5D.pf
#Im System wurde ein Dienst installiert.#Dienstname: --#Dienstdateiname: C:\Users\xxx\AppData\Local\Temp\103191234\ic-0.0c4a2901a2643.exe /wl 1#Diensttyp: Benutzermodusdienst#Dienststarttyp: Manuell starten#Dienstkonto: LocalSystem

A typical Incident Analysis Case (3)
Drop and deploy kernel-mode Rootkit
Establish C2 Channel
Disable AV via PowerShell Script
\Windows\Prefetch\POWERSHELL.EXE-59FC8F3D.pf
#PowerShell#HostName=ConsoleHost#HostApplication=powershell.exe -Command & {Add-MpPreference -ExclusionPath@('C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys')}
#Im System wurde ein Dienst installiert.#Dienstname: 3ee09e28c6d8f3de176caff9ab413c18#Dienstdateiname: C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys#Diensttyp: Kernelmodustreiber#Dienststarttyp: Systemstart
172.xxx.xxx.xxx:63401 45.32.xxx.xxx:80 CLOSED 8708 svchost.exe
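
An added example, not part of the original slides: a small Python triage pass over the service-installation and PowerShell event texts shown in the three case slides, correlating the Defender exclusion with the driver installed at the same path. The '#'-separated field layout and the German field names (Dienstdateiname = service file name, Diensttyp = service type, Dienstkonto = service account) are taken from the slides; the rule names, the functions and the benign control record are assumptions made for illustration.

```python
import re

# Event texts copied from the case slides (German-language Windows export,
# '#' separates fields). The last record is a constructed benign control.
EVENTS = [
    r"#Im System wurde ein Dienst installiert.#Dienstname: --"
    r"#Dienstdateiname: C:\Users\xxx\AppData\Local\Temp\103191234\ic-0.0c4a2901a2643.exe /wl 1"
    r"#Diensttyp: Benutzermodusdienst#Dienststarttyp: Manuell starten#Dienstkonto: LocalSystem",
    r"#PowerShell#HostName=ConsoleHost#HostApplication=powershell.exe -Command & "
    r"{Add-MpPreference -ExclusionPath@('C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys')}",
    r"#Im System wurde ein Dienst installiert.#Dienstname: 3ee09e28c6d8f3de176caff9ab413c18"
    r"#Dienstdateiname: C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys"
    r"#Diensttyp: Kernelmodustreiber#Dienststarttyp: Systemstart",
    r"#Im System wurde ein Dienst installiert.#Dienstname: ExampleUpdater"
    r"#Dienstdateiname: C:\Program Files\Example\updater.exe"
    r"#Diensttyp: Benutzermodusdienst#Dienststarttyp: Automatisch starten#Dienstkonto: LocalSystem",
]

# Hypothetical rule set: locations a standard user can write to.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\", re.I)
# Path argument of an Add-MpPreference -ExclusionPath call in a command line.
EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s*@?\(?\s*'([^']+)'", re.I)


def parse_fields(event):
    """Turn one '#'-separated event text into a dict (key -> value)."""
    fields = {}
    for part in filter(None, event.split("#")):
        sep = ": " if ": " in part else "="
        key, _, value = part.partition(sep)
        fields[key.strip()] = value.strip()
    return fields


def triage(events):
    """Return (rule, evidence) findings for a list of event texts."""
    parsed = [parse_fields(e) for e in events]
    findings, excluded = [], set()
    # Pass 1: paths removed from Defender scanning via Add-MpPreference.
    for f in parsed:
        m = EXCLUSION.search(f.get("HostApplication", ""))
        if m:
            excluded.add(m.group(1).lower())
            findings.append(("defender-exclusion-added", m.group(1)))
    # Pass 2: every installed service, judged by image path, type and pass 1.
    for f in parsed:
        image = f.get("Dienstdateiname", "")
        if USER_WRITABLE.search(image) and f.get("Dienstkonto") == "LocalSystem":
            findings.append(("system-service-from-user-writable-path", image))
        if f.get("Diensttyp") == "Kernelmodustreiber" and image.lower() in excluded:
            findings.append(("driver-installed-at-excluded-path", image))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"{rule}: {evidence}")
```

The correlation in pass 2 is what raises the driver installation from an isolated event to a finding: on its own, the third record produces no result.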

Incident Response Toolchain - Threat Intelligence Handling with MISP

Incident Response Toolchain - Impact Assessment with Bloodhound

Incident Response Toolchain - Live Forensics with Rekall and GRR

Some Facts & Figures

| Category | Type | Records |
|---|---|---|
| Malware | Analyzed unique malware samples | 20.995 |
| Malware | Malware samples and analysis results | 4,6 TB |
| Threat Intelligence | Gathered Threat Intelligence | 40 GB |
| Threat Intelligence | Extracted Indicators of Compromise (IOCs) | 478.000 |
| Threat Intelligence | Generated IDS Rules (SNORT) | 26.600 |
| Privilege Monitoring | Monitored user and service accounts | 13.200 |
| Privilege Monitoring | Monitored workstation and server objects | 9.900 |
| Privilege Monitoring | Monitored privilege-groups | 28.000 |
| Privilege Monitoring | Recorded user sessions | 11.000 |
| Privilege Monitoring | Monitored privilege relations | 806.000 |

TLS CIPHER DISTRIBUTION
Of Ciphers, Key length and more

History, Statements and Challenges
In 2013 Edward Snowden revealed top secret documents to the public
Xkeyscore, PRISM, Tempora, …
The world reacted with “Let’s encrypt everything”

Encrypt everything – Does it work?
Incoming SMTP Connections Europe

| Year | TLS | PLAIN |
|---|---|---|
| 2013 | 30% | 70% |
| 2016 | 37% | 63% |
| 2018 | 70% | 30% |

Encrypt everything – Does it work? (2)
Outgoing SMTP Connections (CW 3/2018)

| Region | TLS | PLAIN |
|---|---|---|
| EU | 93% | 7% |
| US | 86% | 14% |

TLS Cipher Distribution – Incoming
Top 3 TLS cipher suites, one MX incoming

| # | Cipher suite | Count | Share |
|---|---|---|---|
| 1 | ECDHE-RSA/AES-128-GCM/AEAD | 209766 | 69% |
| 2 | DHE-RSA/AES-128-CBC/SHA1 | 70542 | 23% |
| 3 | ECDHE-RSA/AES-128-CBC/SHA1 | 23445 | 8% |

TLS Cipher Distribution – Incoming (2)
… everything else
[Chart] Share labels as printed: 54%, 11%, 9%, 9%, 4%, 4%, 3%, 3%, 2%, 1%, 0%
[Chart] Legend entries as printed:
DHE-RSA/AES-128-GCM/AEAD
RSA/AES-128-CBC/SHA1
RSA/3DES-CBC/SHA1
RSA/AES-128-GCM/AEAD
ECDHE-RSA/AES-256-CBC/SHA1
DHE-RSA/AES-256-CBC/SHA1
RSA/AES-256-CBC/SHA1
ECDHE-RSA/AES-256-GCM/AEAD
ECDHE-RSA/3DES-CBC/SHA1
ECDHE-RSA/AES-128-CBC/SHA256
DHE-RSA/3DES-CBC/SHA1

TLS Cipher Distribution – Outgoing
Top 4 TLS cipher suites, one mailer outgoing

| # | Cipher suite | Count | Share |
|---|---|---|---|
| 1 | ECDHE-RSA/AES-128-GCM/AEAD | 1714309 | 72% |
| 2 | ECDHE-RSA/AES-256-CBC/SHA384 | 299244 | 13% |
| 3 | ECDHE-RSA/AES-256-GCM/AEAD | 233268 | 10% |
| 4 | DHE-RSA/AES-128-GCM/AEAD | 127030 | 5% |

TLS Cipher Distribution – Outgoing (2)
… everything else
[Chart] Share labels as printed: 35%, 23%, 8%, 8%, 7%, 5%, 5%, 3%, 2%, 1%, 1%, 1%, 0%, 0%, 0%, 0%, 0%
[Chart] Legend entries as printed:
DHE-RSA/AES-128-CBC/SHA1
DHE-RSA/AES-256-GCM/AEAD
RSA/AES-128-CBC/SHA1
DHE-RSA/AES-256-CBC/SHA256
ECDHE-RSA/AES-128-CBC/SHA1
RSA/AES-128-GCM/AEAD
ECDHE-RSA/AES-256-CBC/SHA1
DHE-RSA/AES-256-CBC/SHA1
RSA/AES-256-CBC/SHA256
RSA/AES-256-GCM/AEAD
RSA/AES-128-CBC/SHA256
ECDHE-RSA/AES-128-CBC/SHA256
DHE-RSA/CAMELLIA-256-CBC/SHA1
ECDHE-RSA/3DES-CBC/SHA1

Certificates signed by an official CA?
Valid CA: 90%
"Invalid CA": 10%

WIDE AREA NETWORK
Flickr. Abode of Chaos. CC-BY-2.0

Denial Of Service Attacks
Denial of Service (DoS) attacks have been known for 20 years
Academia solved the problem decades ago
Google Scholar shows > 540k results for DoS protection
However, they are not gone as of today
Different Types of Attacks
SYN Floods
UDP Floods
• NTP Amplification Attacks
• DNS Amplification Attacks

Denial Of Service Attacks (cont.)
Selected Examples of incoming (D)DoS attacks
UDP NTP Amplification
34 GBit/s with 7M Packets/s
10 GBit/s with 1M Packets/s
Simple UDP Floods
15 GBit/s with 2M Packets/s
DNS Amplification
98 Gbit/s with 9M Packets/s

Denial Of Service Attacks (cont.)

Denial Of Service Attacks – Countermeasures
QoS enabled on the local switch
Filter malicious traffic on the local distribution router
Blackhole the target’s IP address
Scrub traffic

CONCLUSIONS
Technical measures are good,
security awareness is better

The End and thanks for your Attention
Dr. Matthias Schmidt
Head of Technical Security
Q & A