Session ID: SP02-T19
Session Classification: Intermediate
Tomer Teller
Check Point Software Technologies
Detecting the One Percent:
Advanced Targeted Malware Detection
Antivirus 20th+ Anniversary
The Halting Problem
The Malware Problem
The Constraints
TIME
Cannot analyze program forever
• Slow down loops
• Sleep
• Time-consuming operations (Encryption/Packing)
SPACE
Cannot maintain unlimited states
• “Run out the clock”
OpenProcess → VirtualAllocEx → WriteProcessMemory → LOOP … → CreateRemoteThread
Exploiting the Constraints
Advanced malware exploits these constraints
Thwart static analysis --> SPACE
Thwart dynamic analysis --> TIME + SPACE
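An added example (not from the talk): a C model of a sandbox API-trace analyzer that still recognizes the injection chain above when a Sleep loop is wedged into it, and that compares a naive time-budgeted verdict with one that treats heavy stalling as a signal. The trace, the PID 1337 and the stall heuristic are constructed here, not taken from the slides.

```c
#include <stdio.h>
#include <string.h>

/* One record of a constructed sandbox API trace: API name, the target
 * process the call refers to (0 = none) and the wall-clock it consumed. */
typedef struct { const char *api; int target_pid; int cost_ms; } trace_event_t;

/* Constructed sample (hypothetical PID 1337): the injection chain from the
 * slide, with a Sleep loop wedged in before the last step to run out the clock. */
static const trace_event_t sample_trace[] = {
    {"GetTickCount",          0,     0},
    {"OpenProcess",        1337,     0},
    {"VirtualAllocEx",     1337,     0},
    {"WriteProcessMemory", 1337,     0},
    {"Sleep",                 0, 60000},
    {"Sleep",                 0, 60000},
    {"Sleep",                 0, 60000},
    {"CreateRemoteThread", 1337,     0},
};
static const size_t sample_trace_len = sizeof sample_trace / sizeof sample_trace[0];

/* The ordered chain we want to see, every step against one target process. */
static const char *const chain[] = {
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"};
enum { CHAIN_LEN = 4 };

typedef struct {
    int stage;       /* chain steps observed so far, in order */
    int target_pid;  /* process the chain is aimed at (0 until OpenProcess) */
    int stall_ms;    /* time burnt in Sleep calls */
} verdict_t;

/* Walk the events once: advance the chain only for calls on the same target,
 * skip unrelated calls (the LOOP), and tally time spent sleeping. */
verdict_t analyze_trace(const trace_event_t *ev, size_t n) {
    verdict_t v = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (strcmp(ev[i].api, "Sleep") == 0) v.stall_ms += ev[i].cost_ms;
        if (v.stage < CHAIN_LEN && strcmp(ev[i].api, chain[v.stage]) == 0) {
            if (v.stage == 0) v.target_pid = ev[i].target_pid;
            if (ev[i].target_pid == v.target_pid) v.stage++;
        }
    }
    return v;
}

/* Simulate a sandbox with a fixed time budget: events finishing after the
 * budget are never observed. Returns 1 if the sample is flagged. With stall_aware
 * set, a mostly observed chain plus a budget spent largely in Sleep is flagged
 * too (our own simple heuristic, not from the talk). */
int sandbox_verdict(const trace_event_t *ev, size_t n, int budget_ms, int stall_aware) {
    size_t seen = 0;
    for (int elapsed = 0; seen < n; seen++) {
        elapsed += ev[seen].cost_ms;
        if (elapsed > budget_ms) break;   /* clock ran out: the rest is unseen */
    }
    verdict_t v = analyze_trace(ev, seen);
    if (v.stage == CHAIN_LEN) return 1;   /* full chain observed */
    if (stall_aware && v.stage >= CHAIN_LEN - 1 && 2 * v.stall_ms > budget_ms) return 1;
    return 0;
}

int main(void) {
    verdict_t v = analyze_trace(sample_trace, sample_trace_len);
    printf("stage %d/%d on pid %d, %d ms stalled; 2-min sandbox naive=%d stall-aware=%d\n",
           v.stage, CHAIN_LEN, v.target_pid, v.stall_ms,
           sandbox_verdict(sample_trace, sample_trace_len, 120000, 0),
           sandbox_verdict(sample_trace, sample_trace_len, 120000, 1));
    return 0;
}
```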
More Depressing News
► Elevation of privilege to kernel mode
  ► Bypassing security products
► Stolen certificate authorities
  ► Breaking the trust
► Automatic static analysis is hard!
  ► Packing / obfuscation / encryption
► Manual static analysis
  ► Unpacking / time consuming / not scalable
► Dynamic analysis
  ► The malware problem!
Relax!
Current Detection Methods (partial)
Pattern Based Static Analysis
• MD5 / SHA1 / SHA256
• Fuzzy hashing
• Pattern-based
  • PCRE / Regex
  • Proprietary language
• Malware classifiers (J48, J48 Graft, PART)
• Anti-VM
• Anti-debugging
• Anti-disassembly
• Obfuscation
• Reverse engineering
** Rodrigo Rubira Branco, BH12
Dynamic Analysis
• API call trace analysis
• Network activities
• Registry modifications
• Process creation/injections
• File activities
What you see is what you get!
Hybrid Approach
• Semantic-aware detectors
  • Extract dynamic trace
  • Transform into IR
  • Compare to pre-defined templates
• Memory dump analysis (packers)
The Sample Lifecycle (flowchart)
Sample Arrives (Unknown) → Static Analysis → (# Flags < Threshold) → Dynamic Analysis → (# Flags < Threshold) → Classification
Classification outcomes: Benign / Not Classified / Generic Threat / Family Threat / Classified
Interesting or Malicious samples → Manual Analysis
Bypassing Detection Methods
Pattern Based Static Analysis
• Build variants (e.g. Zeus)
• Append garbage
• Encoding
• “Stay compliant”
• Packing
• Obfuscation
• Encryption
• Anti-reversing techniques
Dynamic Analysis
• Detect analysis*
• Detect emulation*
• Detect security product*
• Beat the clock (AV sandbox)
• “Split the maliciousness”
*Could be detected during static analysis
Hybrid Approach
• Avoid using the same executable template
• Metasploit AV-evasion
• Reuse “trusted templates”
• PowerShell
• In-memory exploits
MYTH #1
Malware executes immediately
MYTH #2
Malware is usually small
Malware Detection Based on File Size (*size in MB)
Ref: http://www.fortiguard.com/sites/default/files/DetectingMalwareThreats.pdf
Malware Bypassing Detections
Stuxnet
  Static Analysis:
    • 4 x Zero-Days
    • 2 x Stolen Certificates (Break the trust)
    • Multiple Files (lesser maliciousness entropy)
    • Unknown DLL loading technique
  Dynamic Analysis:
    • Obfuscated Entry Point (Needs a special Loader)
    • Execution depends on host
Flame
  Static Analysis:
    • 20 MB of Code!
    • Breakthrough in cryptography (Break the trust)
    • Multiple Files (lesser maliciousness entropy)
    • Legitimate Libraries (LUA)
  Dynamic Analysis:
    • Does not execute immediately
    • Obfuscated Entry Point (Needs a special Loader)
Malware Thwarting Analysis
Mac OSX infected with FlashFake (Exploit Java Vulnerability)
→ Send Hardware UUID (Unique) to the C&C
→ C&C: UUID used as Encryption Key; Encrypt Malware and Obfuscate
→ Encrypted Malware returned to the host
→ Executable will only run on the original host
Problem: Detection is good but not great
Data-Structure Modifications
Problem: Malware modifies internal data-structures to avoid detection
Solution: Subvert the malware! Modify the data-structure before the malware does
Detecting Internal DS Modifications
Original function F:
  push ebp
  mov ebp,esp
  push ebx
  push esi
  ...
  <Internal DS>
  ...
F clone (F_clone), an identical copy with its own <Internal DS>:
  push ebp
  mov ebp,esp
  push ebx
  push esi
  ...
  <Internal DS>
  ...
F after instrumentation: its entry becomes jmp F_clone, and the page holding its original <Internal DS> becomes a TRAP PAGE
Normal Execution: F → jmp F_clone → F clone (the trap page is never touched)
Malware Execution: linear search for a signature of the Internal DS hits the TRAP PAGE → Detected
Example: PsSetCreateProcessNotifyRoutine (Original vs Clone, TRAP PAGE protected with Page Guard)
Technique Usage
► Detect function hooking tampering
  ► Hook a function and monitor the hook
  ► Protect the monitor routine
► Detection of linear memory scanning
  ► Staged attacks
  ► Egg hunt
► Detection of internal data-structure manipulation
  ► Basic DKOM Detection
► Place calls to Page Guard in strategic places
  ► Detect Heap Spraying (“canary” value)
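An added, user-mode Linux illustration of the trap-page idea above (not the talk's kernel code): the page holding the original structure is cloned, legitimate callers are redirected to the clone, the original page is made inaccessible with mprotect, and a SIGSEGV handler records any linear scan that walks into it. The notify_table_t layout and the "PsNotifyTable" signature string are constructed for the demo.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for a kernel-internal structure that malware hunts by signature
 * (hypothetical layout; the signature string is constructed for the demo). */
typedef struct { char signature[24]; int callback_count; } notify_table_t;
static size_t page_size;
static unsigned char *region;           /* three anonymous pages */
static unsigned char *trap_page;        /* page 0: original location, PROT_NONE */
static notify_table_t *clone_table;     /* page 2: where legitimate code is sent */
static volatile sig_atomic_t trap_hits; /* detected touches of the trap page */

/* SIGSEGV handler: a touch inside the trap page is the detection event; the
 * guard is then lifted so the access completes (mprotect in a handler: demo only). */
static void trap_handler(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t a = (uintptr_t)si->si_addr;
    if (a >= (uintptr_t)trap_page && a < (uintptr_t)trap_page + page_size) {
        trap_hits++;
        mprotect(trap_page, page_size, PROT_READ | PROT_WRITE);
        return;
    }
    signal(SIGSEGV, SIG_DFL);   /* not our page: let the fault crash normally */
}

/* Fill the original table, clone it two pages away, guard the original page
 * and install the handler. Returns 0 on success. */
int trap_setup(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    region = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    notify_table_t *orig = (notify_table_t *)region;
    strcpy(orig->signature, "PsNotifyTable");   /* constructed signature */
    orig->callback_count = 3;
    clone_table = (notify_table_t *)(region + 2 * page_size);
    memcpy(clone_table, orig, sizeof *orig);     /* legitimate users go here */
    trap_page = region;                          /* original page becomes the trap */
    if (mprotect(trap_page, page_size, PROT_NONE) != 0) return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = trap_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Normal execution path: redirected to the clone, never touches the trap. */
int legitimate_lookup(void) { return clone_table->callback_count; }

/* Malware-style linear search over the whole region; returns the page index hit, or -1. */
int linear_scan(const char *needle) {
    size_t n = strlen(needle);
    for (size_t off = 0; off + n <= 3 * page_size; off++)
        if (memcmp(region + off, needle, n) == 0) return (int)(off / page_size);
    return -1;
}
int trap_hit_count(void) { return (int)trap_hits; }

int main(void) {
    if (trap_setup() != 0) return 1;
    int legit = legitimate_lookup(), page = linear_scan("PsNotifyTable");
    printf("legit lookup=%d, scan found page %d, trap hits=%d\n", legit, page, trap_hit_count());
    return 0;
}
```

The legitimate lookup completes with zero trap hits; the first linear scan faults on page 0, is recorded, and still finds the signature there once the guard is lifted.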
Process Enumeration
Problem: Malware checks for the existence of a security product process
Solution: Process enumeration using a weight-based mechanism (taint analysis)
Detecting “weird” Process Enumerations
► Monitor EPROCESS structure access
► Track process name usage (taint analysis)
► Score the process based on “weird” usage
  ► HASH
  ► Encryption
  ► Encoding
  ► Etc.
Obfuscation!
Problem: Malware uses obfuscation to hide malicious code during drive-by-download attacks
Solution: Hook the browser at strategic places and inspect the de-obfuscated buffers
Tapping The Browser
► Obfuscation is a problem!
  ► Network devices are blind
► Possible solution on the network side
  ► Analyze data entropy to detect possible obfuscation
  ► Google uses obfuscation -> massive FP
► Better solution on the end point
  ► Hook the browsers (IE/Chrome/Firefox) at strategic places
  ► eval, document.write, innerHTML, etc.
  ► Let the browser do the “heavy lifting”
  ► Communicate the information back to the network devices
DEMO: BrowserTapper
Anti-VM OUT, Anti-Analysis IN
Problem: Malware drops anti-VM techniques and focuses on anti-analysis techniques
Solution: Subvert the analysis machine with a rootkit before executing the malware
Subvert the Analysis Machine
► Malware usually cannot detect a rootkit!
► Install a rootkit on the analysis machine
  ► Hide files/processes/drivers
  ► Hide open ports
  ► Hide registry values
► Malware is not aware that it is being subverted
► Results in a higher detection rate of advanced malware
DEMO: Tool-B-Gone
► Easy-to-use rootkit generator
► Choose the processes/files/ports/registry values you wish to hide
► Generates a customized rootkit
► Install the rootkit
► Benefit!
Future Directions
► Detecting internal threats using ML
  ► Most network behavior analysis tools fail to deliver
  ► Bad feature sets that result in massive FP
  ► Feature sets focus on the user behavioral profile and not on malware
  ► Data entropy / Working hours / Keyboard typing speed
► Based on the protoleak project (RSA ’12)
  ► Profile-based decision tree per node
  ► Focus on data exfiltration and behavior deviations
► Malware Interaction
  ► Click/Move Mouse
  ► Open Applications
How to Apply
► Force malware mistakes, don’t wait for them to strike
► Raise attackers’ cost by innovating mitigations
► Download & try the tools
► Help fight the 1% and suggest improvements
Questions
Thank You
@djteller
