malware self protection-matrix

The Malware Self-Protection Matrix

Marion MarschalekSenior Malware Researcher at Cyphort Labs

Your speakers today

Marion Marschalek Senior Malware Researcher

Cyphort Labs

Shelendra SharmaProduct Marketing Director

Agenda

o Malware detection evolutiono Malware self-protectiono Wrap-up and Q&A

Cyph

ort L

abs T

-shi

rt

Threat Monitoring & Research team

________24X7 monitoring for

malware events

________Assist customers with

their Forensics and Incident Response

We enhance malware detection accuracy

________False positives/negatives

________Deep-dive research

We work with the security ecosystem

________Contribute to and learn

from malware KB

________Best of 3rd Party threat

data

HOW DO YOU FIND WHAT YOU CAN‘T SEE?

http://1ms.net/

A Digital Threat History

http://www.hdbackgroundpoint.com

VIRUS

EXPLOITWORM

TROJAN

MULTI-COMPONENTMALWARE

ADWARE ROOTKIT

SPYWAREAPT

TARGETED THREAT

SURVEILLANCESOFTWARE

INSIDETHREAT

A THREAT DETECTION HISTORY

www.crane.com

Your signature update.

Checksums

Byte Patterns

Behavior Patterns

Static / Dynamic Heuristics

Whitelisting

Anomalies

Network Streams

Cloud Protection

2015

And many, many more!

Endpoint

VirusDetectionSignatureProductComputerServer

THINGS HAVE CHANGEDThreat

Prevention

DefinitionSolution

Cloud

12

Malware Self-Protection

DebuggingDisassembly

StaticEmulation

SandboxingReputationAnomalies

Debugger detection, sub-processes, thread injection Obfuscation Packer and crypter Emulator detection, time based evasion VM detection, modular malware Binary updates, targeted malware Binary padding, use of legitimate tools

Gladly, most threats make mistakes themselves.

ZEUS why can‘t detection work

%APP%\Uwirpa 10.12.2013 23:50

%APP%\Woyxhi 10.12.2013 23:50

%APP%\Hibyo 19.12.2013 00:10

%APP%\Nezah 19.12.2013 00:10

%APP%\Afqag 19.12.2013 23:29

%APP%\Zasi 19.12.2013 23:29

%APP%\Eqzauf 20.12.2013 22:23

%APP%\Ubapo 20.12.2013 22:23

%APP%\Ydgowa 20.12.2013 22:23

%APP%\Olosu 20.12.2013 23:03

%APP%\Taal 20.12.2013 23:03

%APP%\Taosep 20.12.2013 23:03

%APP%\Wokyco 16.01.2014 13:22

%APP%\Semi 17.01.2014 16:34

%APP%\Uheh 17.01.2014 16:34

16

Sandbox Detection

Persistence Mechanisms

File Names

Network ConnectionBig Picture Detection & Combination Static/Dynamic Features

SILVER BULLET ...?

ARMOURINGhttp://hdwallpapersimage.com/

SAZOORA being picky

20

Code Obfuscation

Virtual Machine Code Execution

handler13:ExitProcHresult...

handler14:ExitProc...

handler15:ExitProcI2...

... FC C8 13 76 ...

Various packer layers – no static detection

Static detection won‘t work

Reputation & Metadata Features

SILVER BULLET ...?

EXPLOITATION

http://themovieandme.blogspot.com/

Endpoint protection built to detect repetitive patterns of evil.

Exploit = system corruption

Exploit vs. vulnerability

http://www.wikipedia.com/

TYPICAL DRIVE-BY INFECTION

o hxxp://www.insertyourwebsitehere.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js

o hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755o hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC

%B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&nrk=5992423910

o hxxp://g12z4pj3k4k9y4wd517-ll6.dienami.ru/f/1398361080/5/x007cf6b534e520804090407000700080150050f0304045106565601;1;5

o BOOM.

hxxp://www.insertyourwebsitehere.com/js/responsive/min/main-

b87ba20746a80e1104da210172b634c4.min.js


hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755


hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC%B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&

nrk=5992423910

IE 6, 7, 8 or 9, 10, 11


hxxp://g12z4pj3k4k9y4wd517-ll6.dienami.ru/f/1398361080/5/

x007cf6b534e520804090407000700080150050f0304045106565601;1;5


(There is none.)

Patching, patching and more patching

An exploit will seldom come alone!

SILVER BULLET ...?

VISIBILITY – KNOW HOW – ACTIONABILITY

LURE

EXPLOIT

INFECTCALL HOME

STEAL DATA

Follow the kill chain

Thank You!

malware self protection-matrix

Technology