Post on 24-Dec-2015
Paul Royal, College of Computing, Georgia Institute of Technology
Agenda
• Overview
  - Platform, Installation, Activities
  - Propagation Studies
• Evolution
  - Traditional Defense-in-Depth
  - Obfuscation, Server-side Polymorphism
• Analysis
• Takedown
Malware Overview
• Platform
  - Predominantly Microsoft Windows
  - Emergent threats beginning to target Mac OS X and mobile devices
• Propagation
  - Social engineering
    • Standard (emails with ecards), innovative (torrents offering key generators slipstreamed with malware), or novel (Kraken’s use of MSN Messenger)
  - Rapid, short-term exploitation of critical vulnerabilities
    • Conficker/Downadup’s use of MS08-067 allowed it to grow to 500,000 hosts in a single week
Overview Cont’d
• Installation
  - Thread injection into a benign/trusted process
    • Can be part of the unpacking process (code is deobfuscated into a newly allocated section)
    • Internet Explorer is a common target for malware that needs to get out through an (authenticated) web proxy
• Activities
  - Information theft, spam, DDoS
  - Rogue AV software sales
    • Affiliate programs offer commissions as high as 90%
    • Using botnets as an installation medium can earn individuals $100,000/week
Functional Definition
• Malicious software is the centerpiece of current threats on the Internet
  - Botnets (spamming, DDoS, etc.)
  - Information Theft
  - Surveillance and Espionage
• Used by Criminals
  - Criminal Infrastructure
  - Domain of Organized Crime
• Used by Nations
  - Cyber Warfare
Propagation Strategies
• Visiting “Safe” Websites
  - Reading USAToday.com results in malware on your computer
• What happened?
  - USAToday.com ad network compromised
  - Visitors served malicious JavaScript bundled with an ad for Roxio Creator 2009
  - Users automatically directed to a Rogue AV website through a malicious traffic distribution system
    • Neither clicking nor hovering over the ad required to activate the code
Propagation Strategies
• Case Study: Alexa Top-ranked Domains
  - System created to examine Alexa top 25,000 domains each day
  - Browser inside virtual machine (VM) forced to visit domain
  - Network actions following visit used to determine whether drive-by download occurred
• February 2012
  - 58 of Alexa top 25,000 domains resulted in drive-by downloads
  - 10.5M users served malicious content
  - 1.6M likely compromised
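The case study decides "drive-by or not" from the network actions that follow a forced visit. The following Python is an added example (not from the talk or its measurement system) of that post-processing step: it scans a constructed trace of HTTP responses for an executable body delivered without user action and records whether it came from the visited site or a third party. Hostnames, the `Response` record, and the magic/content-type lists are assumptions for illustration.

```python
"""Drive-by verdict from a sandboxed visit's network trace (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Response:
    host: str          # server that answered
    content_type: str  # Content-Type header value
    body_head: bytes   # first bytes of the response body


# File-format magic a page load should never hand to the browser unless
# the user explicitly asked for a download.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def is_executable(resp: Response) -> bool:
    """Executable by magic bytes or by an unambiguous executable MIME type."""
    mime = resp.content_type.split(";")[0].strip().lower()
    return resp.body_head.startswith(EXECUTABLE_MAGIC) or mime in EXECUTABLE_TYPES


def same_site(host: str, visited: str) -> bool:
    """True if `host` is the visited domain or one of its subdomains."""
    return host == visited or host.endswith("." + visited)


def classify_visit(visited: str, trace: List[Response],
                   user_initiated: bool = False) -> Tuple[str, List[str]]:
    """Return ('drive-by' | 'clean', evidence). A forced visit with no user
    interaction that yields an executable body counts as a drive-by; the
    origin is recorded because the ad-network case on the slide before this
    one shows the payload usually arrives from a third party."""
    evidence = []
    for r in trace:
        if is_executable(r) and not user_initiated:
            origin = "first-party" if same_site(r.host, visited) else "third-party"
            evidence.append(f"executable body from {origin} host {r.host} "
                            f"({r.content_type or 'no content-type'})")
    return ("drive-by" if evidence else "clean"), evidence


# Constructed traces; hostnames are placeholders, not real sites.
CLEAN_TRACE = [
    Response("news.example", "text/html", b"<!DOCTYPE html>"),
    Response("static.news.example", "text/css", b"body{"),
    Response("ads.example", "application/javascript", b"var ad="),
]
DRIVEBY_TRACE = CLEAN_TRACE + [
    Response("tds.example", "text/html", b"<html><script>location="),
    Response("dl.example", "application/octet-stream", b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_TRACE), ("drive-by", DRIVEBY_TRACE)):
        verdict, why = classify_visit("news.example", trace)
        print(f"{name}: {verdict}", *why, sep="\n  ")
```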
Propagation Strategies Cont’d
• “Feature-minded” Software Vendors
  - Executive receives email with PDF attachment
    • Email’s subject and recipient’s ethnicity compel him to view the attachment
  - PDF contains an embedded, malicious Flash movie which exploits Acrobat Reader’s Flash interpreter, compromises the system and phones home to the controller
  - Soon after, compromised, legitimate websites found hosting drive-by attacks that use the same flaw to exploit Flash Player
  - Vulnerability traced back to a bug reported to Adobe eight months prior
Propagation Strategies Cont’d
• “Uninformed” Users
  - Waledac’s email campaigns
    • Use of geo-location and temporally relevant events (e.g., bomb blast in <your city>, July 4th fireworks videos) to make attacks more compelling
Traditional Defense-in-Depth
• Network-Level Protection
  - Firewall
    • Evaded by C&C protocol congruency (C&C traffic shaped to conform to a permitted protocol)
  - IPS/IDS
    • Evaded by custom encodings
• Host-Level Protection
  - User Access Control
    • Analogous to “informed consent”
  - AntiVirus
    • Uses complex, heuristics-based detection along with signature matching
Malware Obfuscation
• Often referred to as “packing”
  - A technique whereby parts or all of an executable file are compressed, encrypted, or transformed in some fashion
  - Code that reverses the pre-runtime transformation is included in the executable

[Diagram: Program A (machine code: PUSH EBP / MOV EBP, ESP / SUB ESP, 8 / CALL 00401170 / …) is passed through an obfuscation tool (Encrypt/Compress/Transform) to produce Program A’, consisting of <Deobs Code> followed by the transformed machine code, which appears as data]
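The diagram's point is that the transformed body of Program A’ looks like data rather than code, and that a stub that undoes the transformation sits in front of it. As an added example (not from the talk), the Python below runs a sliding-window entropy sweep over a constructed section: a stub built from the slide's prologue bytes, followed by a seeded pseudo-random stand-in for the transformed payload. The window size, threshold, and sample bytes are assumptions; on a real section the sweep locates the boundary between the deobfuscation code and the bytes that "appear as data".

```python
"""Entropy heuristic for locating a packed/encrypted region (added example)."""
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Byte ranges whose window entropy reaches `threshold`. Ordinary x86 code
    sits well below 7 bits/byte; compressed or encrypted bytes approach 8,
    which is why a transformed section looks like data to a scanner."""
    regions, start = [], None
    for off in range(0, len(data) - window + 1, window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            start = off if start is None else start
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


# --- constructed sample (not taken from any real binary) -------------------
# Deobfuscation stub: the slide's prologue (PUSH EBP / MOV EBP, ESP / SUB ESP, 8 /
# CALL rel32) plus MOV ESP, EBP / POP EBP / RET, repeated with varying call
# displacements: 64 x 15 = 960 bytes.
STUB = b"".join(
    bytes.fromhex("558bec83ec08e8") + (i * 16).to_bytes(4, "little") + b"\x8b\xe5\x5d\xc3"
    for i in range(64)
)
# Transformed payload: compressed or encrypted code is statistically close to
# random, so a seeded PRNG stands in for it here (3072 bytes).
_rng = random.Random(2015)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(3072))
SAMPLE = STUB + PAYLOAD


def describe(section: bytes) -> str:
    regions = high_entropy_regions(section)
    if not regions:
        return "no transformed region found"
    covered = sum(end - start for start, end in regions)
    return f"transformed region(s) {regions} cover {covered / len(section):.0%} of section"


if __name__ == "__main__":
    print(f"stub    : {shannon_entropy(STUB):.2f} bits/byte")
    print(f"payload : {shannon_entropy(PAYLOAD):.2f} bits/byte")
    print(describe(SAMPLE))
```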
Obfuscation Impact on AntiVirus
• Novel obfuscations easily evade AV
• Example: Project ZeroPack
  - Proof-of-concept obfuscation tool
    • Makes malware appear benign to AV tools
  - Developed for DefCon 16’s Race to Zero contest
ZeroPack
Scalable, Effective Malware Distribution
• Server-side Polymorphism
  - Attacks the heart of the traditional host-based AV model by automating mutations
• When done professionally: Waledac

[Figure: Collected on 12/30/2008]
[Figure: Collected on 2/25/2009]
Malware Complexity
• Stuxnet
  - Nation-state created malware
  - Multiple zero-day arbitrary code execution exploits
    • Private network, removable media propagation
  - Multiple zero-day privilege escalation exploits
    • Rootkit components with stolen code-signing certificates from Realtek and JMicron
• Botnet ‘T’ (now known as Shady RAT)
  - Used for data exfiltration
  - No packing obfuscations
    • AV detections still < 50%
  - Centralized C&C
    • Hosted on a four-year-old legitimate, compromised realty website
    • Commands via HTTP comments
Malware Analysis
• There is a pronounced need to understand malicious software behavior
• Malware analysis is the basis for understanding the intentions of malicious programs
  - Threat Discovery and Analysis
  - Compromise Detection
  - Forensics and Asset Remediation
• Malware authors incentivized to make analysis challenging
  - Direct financial motivation
Analyzer Detection Prevalence
• Analysis tool/environment detection is a standard malware feature
Malware Network Takedowns Cont’d
• Case Study: Mariposa
  - Large, data-stealing botnet
  - Used to steal credit card and banking information
    • Compromises in half of the Fortune 1000
  - Before takedown, over 1M members
Mariposa Cont’d
• Takedown Timeline
  - Spring 2009: Mariposa discovery
  - Fall 2009: International Mariposa Working Group (MWG) formed
    • Defence Intelligence, GTISC, Panda Antivirus, FBI, Guardia Civil (Spanish LEO)
  - December 2009: All C&C domains shut down and sinkholed within hours of the first
    • Operators panic; log into domain management services from home systems
    • Warrants issued to operators’ ISP
  - January 2010: Operators arrested
    • 800,000 financial credentials found on one operator’s home systems
Closing Thoughts
• Today’s malware author/operator is more motivated and resourceful than ever before
• The increasing complexity of systems and software prohibits compartmentalization to a single person or group
• Understanding modern malicious software can promote the creation of malware-resistant systems
Questions?