The A and the P of the T
![Page 1: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/1.jpg)
THE A
AND THE P
OF THE T
![Page 2: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/2.jpg)
#APT
#APT
#APT
#APwot
![Page 3: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/3.jpg)
ADVANCED [ədˈvɑ:n(t)st]: we don't understand it
PERSISTENT [pəˈsɪstənt]: we detected it too late
![Page 5: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/5.jpg)
A Digital Threat History
(background: http://www.hdbackgroundpoint.com)
Timeline labels (figure): VIRUS, EXPLOIT, WORM, TROJAN, MULTI-COMPONENT MALWARE, ADWARE, ROOTKIT, SPYWARE, APT, TARGETED THREAT, SURVEILLANCE SOFTWARE, INSIDE THREAT
![Page 6: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/6.jpg)
A THREAT DETECTION HISTORY
Source: obsoletemedia.org
![Page 7: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/7.jpg)
www.crane.com
Your signature update.
![Page 8: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/8.jpg)
Signature pipeline (diagram labels): Virus, Detection, Signature, Product, Computer, Server
![Page 9: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/9.jpg)
Checksums
Byte Patterns
Behavior Patterns
Static / Dynamic Heuristics
Whitelisting
Network Streams
Cloud Protection
![Page 10: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/10.jpg)
BOILS DOWN TO
The binary is known.
The binary is recognized.
The behavior of the binary is recognized.
![Page 11: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/11.jpg)
KNOWLEDGE-BASED THREAT DETECTION
BOILS DOWN TO
PREDICTIVE THREAT DETECTION
![Page 12: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/12.jpg)
NOT BEING UNIQUE
Runtime packers trigger heuristics!
Altered compiler settings don't ...
Dynamic API resolving
Character-wise string recovery
http://www.dvd-ppt-slideshow.com
![Page 13: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/13.jpg)
jump table FTW
spot the string
FindNextFileA
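The slide's point is that the evasion itself leaves a pattern. The example below is added here and is not from the deck: it hand-assembles a constructed x86 fragment that builds FindNextFileA one byte at a time on the stack (`mov byte ptr [ebp+disp8], imm8`, opcode C6 45, the form a compiler emits for a small char-array literal), shows that a plain printable-strings pass sees nothing, and then recovers the string from the run of byte writes to consecutive stack slots. The blob, the function names and the minimum-run thresholds are assumptions made for the example.

```python
import re
import struct

# Constructed sample (not a real malware sample): a hand-assembled x86 fragment
# that builds "FindNextFileA" one byte at a time on the stack with
# "mov byte ptr [ebp+disp8], imm8", encoded C6 45 disp8 imm8, wrapped in a few
# unrelated instructions.
TARGET = b"FindNextFileA\x00"


def build_stack_string_fragment(s: bytes, base_disp: int = -0x10) -> bytes:
    """Assemble one 'mov byte ptr [ebp+disp8], imm8' per byte of s."""
    out = bytearray()
    for i, ch in enumerate(s):
        out += b"\xC6\x45" + struct.pack("b", base_disp + i) + bytes([ch])
    return bytes(out)


SAMPLE_BLOB = (
    b"\x55\x8B\xEC\x83\xEC\x20"            # push ebp; mov ebp, esp; sub esp, 0x20
    + build_stack_string_fragment(TARGET)
    + b"\x8D\x45\xF0\x50"                   # lea eax, [ebp-0x10]; push eax
    + b"\xFF\x15\x00\x00\x00\x00"           # call dword ptr [imm32]
)


def find_printable_strings(blob: bytes, min_len: int = 5) -> list[str]:
    """What a plain 'strings' pass sees: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + b",}"
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


# Four or more consecutive 'mov byte ptr [ebp+disp8], imm8' instructions.
STACK_MOV = re.compile(rb"(?:\xC6\x45..){4,}", re.DOTALL)


def recover_stack_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Recover strings assembled byte-by-byte on the stack.

    Only runs that write consecutive stack slots count; that is the tell-tale
    of a stack string and what turns the evasion into a detectable pattern.
    """
    found = []
    for m in STACK_MOV.finditer(blob):
        chunk = m.group(0)
        disps, chars = [], []
        for i in range(0, len(chunk), 4):
            disps.append(struct.unpack("b", chunk[i + 2:i + 3])[0])
            chars.append(chunk[i + 3])
        if all(b - a == 1 for a, b in zip(disps, disps[1:])):
            text = bytes(chars).split(b"\x00", 1)[0]
            if len(text) >= min_len and all(0x20 <= c < 0x7F for c in text):
                found.append(text.decode("ascii"))
    return found


if __name__ == "__main__":
    print("plain strings:", find_printable_strings(SAMPLE_BLOB))
    print("stack strings:", recover_stack_strings(SAMPLE_BLOB))
```

The same scan can be pointed at a memory dump taken after the process has run, which is where the character-wise trick buys the attacker nothing at all: the assembled string sits in the stack frame as plain text.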
![Page 14: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/14.jpg)
ONE BINARY TO RULE FOREVER
Filehash-based detection
Updating of binaries in irregular intervals
Route traffic through local proxy
![Page 15: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/15.jpg)
ZEUS E(DDIE)VASION
%APP%\Uwirpa 10.12.2013 23:50
%APP%\Woyxhi 10.12.2013 23:50
%APP%\Hibyo 19.12.2013 00:10
%APP%\Nezah 19.12.2013 00:10
%APP%\Afqag 19.12.2013 23:29
%APP%\Zasi 19.12.2013 23:29
%APP%\Eqzauf 20.12.2013 22:23
%APP%\Ubapo 20.12.2013 22:23
%APP%\Ydgowa 20.12.2013 22:23
%APP%\Olosu 20.12.2013 23:03
%APP%\Taal 20.12.2013 23:03
%APP%\Taosep 20.12.2013 23:03
%APP%\Wokyco 16.01.2014 13:22
%APP%\Semi 17.01.2014 16:34
%APP%\Uheh 17.01.2014 16:34
![Page 16: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/16.jpg)
REPETITIVE ARTIFACTS
File names
Domain names
Registry key names / value names
Infiltration methods
Persistence methods
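As an added example that is not part of the deck, the detection logic a blue team could run over the Zeus directory listing on the previous slide: each line is parsed, compared against an assumed allowlist of directories expected under %APPDATA% (Microsoft and Mozilla, two constructed benign entries appended to the listing), matched against the shape of the generated names, and grouped by creation minute so that the pairs and triples dropped at the same moment stand out as the repetitive artifact even when the names change. The allowlist, the name-shape regex and the batch size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The directory listing from the slide, plus two constructed benign entries
# (Microsoft, Mozilla) so that the allowlist has something to filter.
LISTING = r"""
%APP%\Microsoft 01.10.2013 09:00
%APP%\Mozilla 01.10.2013 09:00
%APP%\Uwirpa 10.12.2013 23:50
%APP%\Woyxhi 10.12.2013 23:50
%APP%\Hibyo 19.12.2013 00:10
%APP%\Nezah 19.12.2013 00:10
%APP%\Afqag 19.12.2013 23:29
%APP%\Zasi 19.12.2013 23:29
%APP%\Eqzauf 20.12.2013 22:23
%APP%\Ubapo 20.12.2013 22:23
%APP%\Ydgowa 20.12.2013 22:23
%APP%\Olosu 20.12.2013 23:03
%APP%\Taal 20.12.2013 23:03
%APP%\Taosep 20.12.2013 23:03
%APP%\Wokyco 16.01.2014 13:22
%APP%\Semi 17.01.2014 16:34
%APP%\Uheh 17.01.2014 16:34
"""

LINE = re.compile(r"^%APP%\\(\w+) (\d{2}\.\d{2}\.\d{4} \d{2}:\d{2})$")
# Shape of the generated names on the slide: one capital, then 3-5 lowercase
# letters. The bounds are an assumption for this example.
RANDOM_NAME = re.compile(r"^[A-Z][a-z]{3,5}$")
# Directories expected under %APPDATA% on the baseline image (assumed, site-specific).
KNOWN_DIRS = {"Microsoft", "Mozilla"}


def parse_listing(text: str) -> list[tuple[str, datetime]]:
    """Turn 'name dd.mm.yyyy HH:MM' lines into (name, creation time) pairs."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append((m.group(1), datetime.strptime(m.group(2), "%d.%m.%Y %H:%M")))
    return entries


ENTRIES = parse_listing(LISTING)


def suspicious_names(entries=ENTRIES, known=KNOWN_DIRS) -> list[str]:
    """Directories that match the generator's name shape and are not allowlisted."""
    return [name for name, _ in entries if name not in known and RANDOM_NAME.match(name)]


def drop_batches(entries=ENTRIES, known=KNOWN_DIRS, min_size: int = 2) -> dict[str, list[str]]:
    """Group unknown directories by creation minute.

    A batch of min_size or more created at the same moment is the repetitive
    artifact, whatever the names look like.
    """
    by_minute = defaultdict(list)
    for name, ts in entries:
        if name not in known:
            by_minute[ts.strftime("%d.%m.%Y %H:%M")].append(name)
    return {ts: names for ts, names in by_minute.items() if len(names) >= min_size}


if __name__ == "__main__":
    print("suspicious names:", suspicious_names())
    for ts, names in drop_batches().items():
        print(ts, "->", ", ".join(names))
```

On a real host the listing would come from a directory walk with creation timestamps rather than from a pasted slide; the grouping key would then be a time window rather than an exact minute, but the idea is the same.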
![Page 17: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/17.jpg)
ENVIRONMENTAL INSENSITIVITY
Might want to refuse executing in sandboxes, emulators & analyst's machines
Potentially targeted systems usually homogeneous
![Page 18: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/18.jpg)
Only infecting Tuesdays, sorry.
Or 16, 17 and 18 next month?
![Page 19: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/19.jpg)
SINGULAR PERSISTENCE
Remember the P?
Registry & service list monitored
One process easy to kill
MBR regularly scanned
Why not do all?
![Page 20: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/20.jpg)
SEPARATION OF LAYERS
Runtime packers trigger heuristics!
In-memory scanning identifies equal payloads
Consistent evasion tricks multiply success
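Added example (not the deck's code, and not any real packer) that ties the file-hash point of slide 14 to the in-memory point of this slide: a toy crypter, `pack` and `unpack`, XORs a constructed low-entropy payload with a SHA-256 counter-mode keystream. Re-packing the same payload with a new key gives a new file hash every time (the "irregular update"), an entropy check on the packed file trips the packer heuristic regardless, and hashing what `unpack` produces, which is what an in-memory scan sees once the stub has run, gives the same value for both variants. The function names, the header layout and the 7.0-bit threshold are assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for an unpacked payload: low-entropy, text-like bytes.
PAYLOAD = (b"push ebp; mov ebp, esp; call FindNextFileA\n" * 100)[:4096]
MAGIC = b"TOYPACK\x00"


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256-in-counter-mode byte stream (toy, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy crypter: MAGIC | key length | key | payload XOR keystream.

    The key has to travel with the file; a self-unpacking stub embeds it just
    the same, which is why emulation or a post-unpack memory scan recovers it.
    """
    body = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    return MAGIC + bytes([len(key)]) + key + body


def unpack(packed: bytes) -> bytes:
    """What the stub does at runtime, and what an in-memory scan gets to see."""
    if not packed.startswith(MAGIC):
        raise ValueError("not a TOYPACK blob")
    klen = packed[len(MAGIC)]
    key = packed[len(MAGIC) + 1:len(MAGIC) + 1 + klen]
    body = packed[len(MAGIC) + 1 + klen:]
    return bytes(b ^ k for b, k in zip(body, keystream(key, len(body))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_packed(blob: bytes, threshold: float = 7.0) -> bool:
    """Packer heuristic: near-uniform byte distribution. Threshold is an assumption."""
    return shannon_entropy(blob) > threshold


# Two "updates" of the same payload, re-packed with different keys.
VARIANT_A = pack(PAYLOAD, b"key-2013-12-10")
VARIANT_B = pack(PAYLOAD, b"key-2013-12-19")


def file_hashes() -> tuple[str, str]:
    """What file-hash-based detection compares: differs per re-pack."""
    return sha256_hex(VARIANT_A), sha256_hex(VARIANT_B)


def payload_hashes() -> tuple[str, str]:
    """What in-memory scanning compares: identical for both variants."""
    return sha256_hex(unpack(VARIANT_A)), sha256_hex(unpack(VARIANT_B))


if __name__ == "__main__":
    a, b = file_hashes()
    print("file hashes differ:   ", a != b)
    print("payload hashes equal: ", payload_hashes()[0] == payload_hashes()[1])
    print("packed looks packed:  ", looks_packed(VARIANT_A))
    print("payload looks packed: ", looks_packed(PAYLOAD))
```

The design point is the one the slide makes: keeping the packer layer and the payload layer separate means the payload is recognised the moment it is unpacked, so consistent evasion needs the payload to change too, not only the wrapper.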
![Page 21: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/21.jpg)
KNOWN SPHERES
Remember the A?
Find new battle fields
Virtual machine execution
Kernel land code
Bootkits
BIOS
![Page 22: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/22.jpg)
BATTLE
FIELD
you said?
![Page 23: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/23.jpg)
That moment a researcher tells you what's wrong with your system, an attacker is already exploiting it.
![Page 24: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/24.jpg)
BlackEnergy
Crimeware going APT: Sandworm
Runtime Packer
Malware-like startup & infiltration
Driven by plugins
![Page 25: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/25.jpg)
Havex
RAT used by Energetic Bear
Targets ICS data, accessed via Windows COM/DCOM
Standard system infiltration
No protection
(T)EDDIE
![Page 26: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/26.jpg)
Target's Network
BLACK POS: anatomy of a genius hack
Map labels: Los Angeles, Russia
![Page 27: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/27.jpg)
Evil Bunny (thread diagram labels): Big Boss; Worker0, Worker1, Worker2, Worker3; MainThread, PerfMon, CommandParsing, ScriptExecution, ManageWorkerThreads, FileMan/Inet
![Page 28: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/28.jpg)
1. Unique binaries
2. Irregular updates
3. No repetitive artifacts
4. Environmental sensitivity
5. Multiple persistence techniques
6. Consistent evasion
7. Unknown spheres
![Page 29: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/29.jpg)
The A and the P of the T
Attribute matrix, columns 1 to 7 (the seven attributes above), rows: BlackEnergy, Havex, BlackPOS, EvilBunny (the marks in the cells are not recoverable from the text)
estimated 56 million credit cards compromised
![Page 30: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/30.jpg)
http://wall.alphacoders.com/big.php?i=318353
![Page 31: The A and the P of the T](https://reader034.vdocuments.us/reader034/viewer/2022042816/559459781a28ab65728b4586/html5/thumbnails/31.jpg)
RESOURCES
• Havex - http://www.cyphort.com/windows-meets-industrial-control-systems-ics-havex-rat-spells-security-risks-2/
• BlackPOS - http://www.cyphort.com/parallels-among-three-notorious-pos-malwares-attacking-u-s-retailers/
• EvilBunny - https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4M2lXN1B4eElHcE0/view
• Eddie - http://maiden-world.com/downloads/wallpaper.html