Malware Fighting - Lucha contra el Ciber-crimen


Transcript of Malware Fighting - Lucha contra el Ciber-crimen

• 8/14/2019 Malware Fighting - Lucha contra el Ciber-crimen

1/75

Malware Fighting

Luis Corrons

PandaLabs Technical Director

Infection Sources

Web

Spam

Social Networks

Spam

Web

Malware server

MPack

Tracking MPack for 2 months (April & May 2007):

41 different servers with MPack running

366,717 web pages iframed

More than 1 million users infected (1,217,741)

Who is behind this?

Yesterday's Bad Guys

Blaster.B: Jeffrey Lee Parson

Netsky / Sasser: Sven Jaschan

CIH: Chen Ing-Hau

29-A: Benny

Today's Bad Guys

Jeremy Jaynes, Andrew Schwarmkoff, James Ancheta

Phishing, Spam

A Real Case

The Infected Team

MPack

Dream Downloader

Limbo

Total Investment: $1,500

The Infected Team: Let's do some maths

Per 70,300 infections:

Region                 Price per infection   Total
China, Korea, Japan    $0.01                 $0.01 * 70,300 = $703
Finland, Norway        $0.05                 $0.05 * 70,300 = $3,515
UK, France             $0.20                 $0.20 * 70,300 = $14,060
USA, Canada            $0.40                 $0.40 * 70,300 = $28,120

And the same numbers in 30 days:

Region                 Price per infection   Total
China, Korea, Japan    $0.01                 $0.01 * 70,300 * 30 = $21,090
Finland, Norway        $0.05                 $0.05 * 70,300 * 30 = $105,450
UK, France             $0.20                 $0.20 * 70,300 * 30 = $421,800
USA, Canada            $0.40                 $0.40 * 70,300 * 30 = $843,600

Who's paying the Infected Team?

Rogue AntiSpyware

How's the money being handled?

The Business of Cybercrime


Underground Shopping Cart

Stolen Accounts

FTP accounts: US$1 per account

ICQ numbers: from US$1 to US$10 (depending on the ICQ number)

RapidShare premium accounts:

1 month - US$5

3 months - US$12

6 months - US$18

1 year - US$28

Online shop accounts (megashop.ru, bolero.ru, cup.ru, etc. ALL RUSSIAN): US$50 each

50MB of Limbo Trojan logs: US$30 (contains email accounts, bank account numbers, credit card numbers, etc. A percentage is guaranteed)

Credit Cards

VISA / MASTERCARD

1 - 10 cards: US$2 (per card)

10 - 100 cards: US$1.5 (per card)

AMEX

1 - 10 cards: US$2.5 (per card)

10 - 100 cards: US$2 (per card)

Passports: black and white US$2, color US$5

Where to buy?

Malware figures

Malware Feeds

Antimalware Companies

Online Services

Honeypots

Panda Users

Honeymonkeys

Malicious URLs

Malware Repository

Collective Intelligence

CERTs

Source: PandaLabs

Malware samples received at PandaLabs (data up to December 2008)

[Chart: malware samples received at PandaLabs, years 2003 2004 2005 2006 2007 2008; growth annotations X10, X2, X2, X2; 20 M. in 2008]

Forecast 2009

[Chart: same series with 2009 added; 20 M. in 2008, 40 M. forecast for 2009]

Source: University of Michigan, 2008

There's a gap in detection of 1-month-old malware. This is the malware that causes 90% of the infections.

Collective Intelligence

Multi-Scanners

Automagic detections: detection signatures are added based on what other reliable AV scanners detect.

Good for comparatives

No classification (verification)

High false positives

Malware nomenclature

Some cloud-scanning technologies work like this.

Static Analysis Process:

Deep static analysis

Collective data mining and statistical analysis

Other technologies

Analysis Process / Classification Process

Dynamic Analysis Process:

Automation

Emulation and virtualization

Classifiers

Classification

Meta-classifier

Synapsis

Rule-based malware family ID

Identification of malware families based on rules.

A rule consists of binary and/or text strings and a logic expression relating them to each other.

Traditional logical operators (and, or, not), arithmetical (+, -, *, /) and comparison (such as ==).

File properties: size, characteristics of the sections, functions that it exports or imports, and all the data of the header.
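The rule description above, as an added example (not Synapsis or any Panda code): a constructed rule whose condition combines string presence with file properties, evaluated over a constructed byte blob by a small AST walker that accepts only the operators the slide lists and rejects everything else. The rule syntax, the `$a`/`$b` string names, the `filesize` and `is_pe` property names and the sample bytes are all assumptions.

```python
import ast
import operator

# Constructed sample "file": MZ/PE magic, a text string and a binary string a rule can look for.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"padding " * 8
          + b"hook_wininet" + b"\x00" * 8 + b"\xde\xad\xbe\xef" + b"\x00" * 100)

# Constructed rule; Synapsis' real syntax is not on the slide, this shape is an assumption.
RULE = {
    "name": "Demo.Banker.Family",
    "strings": {"$a": b"hook_wininet", "$b": b"\xde\xad\xbe\xef"},
    "condition": "$a and $b and is_pe and filesize < 4096 and not filesize / 2 < 100",
}

BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.Div: operator.truediv}
CMP = {ast.Lt: operator.lt, ast.Gt: operator.gt, ast.Eq: operator.eq,
       ast.LtE: operator.le, ast.GtE: operator.ge, ast.NotEq: operator.ne}

def _eval(node, env):
    """Evaluate only the operators the slide lists; anything else (calls, attributes) is rejected."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]                     # unknown name = broken rule, KeyError is wanted
    if isinstance(node, ast.BoolOp):
        vals = [_eval(v, env) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, env)
    if isinstance(node, ast.BinOp) and type(node.op) in BIN:
        return BIN[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.Compare):
        left = _eval(node.left, env)
        for op, comp in zip(node.ops, node.comparators):
            right = _eval(comp, env)
            if not CMP[type(op)](left, right):
                return False
            left = right
        return True
    raise ValueError(f"unsupported syntax in rule: {type(node).__name__}")

def match(rule, data):
    """True if the rule's condition holds: $x names become string-present booleans, properties come from the file."""
    env = {"filesize": len(data), "is_pe": data[:2] == b"MZ" and b"PE\x00\x00" in data}
    for name, pattern in rule["strings"].items():
        env["s_" + name[1:]] = pattern in data   # $a -> s_a, a valid Python identifier
    tree = ast.parse(rule["condition"].replace("$", "s_"), mode="eval")
    return bool(_eval(tree, env))
```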

File Property Detection

DETECTOR.EXE (1.2MB)

Drivers

Entry Point = 0

Too many sections

Non Portable-Executable (PE)

Digital Signatures

File Infectors: EPO, Polymorphic, HLL, HLLW or PE, Binder, Distant PE Header, Postpending, Unordered last section

Installers (Inno Setup, InstallShield, Nullsoft, Thinstall, Wise, Generic)

Runtime Packers: by signature (ASPack, EXEStealth, EXECryptor, UPX, MEW, PeCompact, Themida, Upack, Yoda, ..), Generic & Unknown !!!

Emulation & Unpacking

Types of Unpacking:

Runtime: Driver, Memory dump

Static: Specific Unpacking Routines, Generic Unpacking, Emulation

PVA.EXE (48kb)

Specific Unpacking Routines: over 50 packer brands & variants (ASPack, ASProtect, BeRoEXEPacker, Cexe, CryptoCrack, EXEShield, EXECryptor, FSG, MEW, MoleBox, NSPack, Obsidium, PCShrink, PECrypt, PECompact, PENinja, PESpin, Petite, Themida WinLicense, UPX, Upack, Yodas, eXPressor, tElock, y0das Crypter, y0das Protector).

Generic Unpacking: signature-less static unpacking, emulation

Clustered Grouping

FLUSTER.EXE (24kb)

Agglomerative Single Linkage Clustering Algorithm for Grouping Similar Binary Files

1. Each object (file) starts in its own cluster.

2. The two closest clusters are merged together.

3. The distance d between two clusters is defined as the minimum distance between any object (file) from each of the clusters.

4. The result of the algorithm is a hierarchical representation called a dendrogram.

Source: Victor Alvarez. Published in Virus Bulletin, May 2008
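Steps 1-4 above as an added example (not FLUSTER itself): single-linkage clustering over constructed samples, with each file reduced to the set of CRC32s of its functions (the per-function CRC32 feature listed on the Automatic Malware Classification slide) and Jaccard distance as the object distance. The feature, the distance metric, the sample data and the `cut` helper are assumptions; FLUSTER's own metric is not on the slide.

```python
import itertools
import zlib

def crc_set(functions):
    """Reduce a list of disassembled function bodies to the set of their CRC32s."""
    return {zlib.crc32(f.encode()) for f in functions}

# Constructed samples: each "file" is the set of CRC32s of its functions.
SAMPLES = {
    "limbo.a": crc_set(["init", "hook_wininet", "steal_forms", "send_http", "persist"]),
    "limbo.b": crc_set(["init", "hook_wininet", "steal_forms", "send_http", "persist_v2"]),
    "limbo.c": crc_set(["init2", "hook_wininet", "steal_forms", "send_http", "persist_v2", "kill_av"]),
    "dropper.a": crc_set(["main", "drop_file", "run_payload"]),
    "dropper.b": crc_set(["main", "drop_file", "run_payload2", "delete_self"]),
    "benign.a": crc_set(["wmain", "parse_args", "print_usage"]),
}

def jaccard_distance(a, b):
    """1 - |A&B|/|A|B|: 0.0 for identical function sets, 1.0 for disjoint ones."""
    return 0.0 if not (a | b) else 1.0 - len(a & b) / len(a | b)

def single_linkage(samples, distance=jaccard_distance):
    """Returns the dendrogram as nested (left, right, distance) tuples plus the ordered merge list."""
    clusters = [(name, [name]) for name in samples]          # step 1: one cluster per file
    merges = []
    while len(clusters) > 1:
        best = None
        for (i, a), (j, b) in itertools.combinations(enumerate(clusters), 2):
            d = min(distance(samples[x], samples[y]) for x in a[1] for y in b[1])  # step 3
            if best is None or d < best[0]:
                best = (d, i, j)
        d, i, j = best                                          # step 2: merge the closest pair
        a, b = clusters[i], clusters[j]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)]
        clusters.append(((a[0], b[0], round(d, 3)), a[1] + b[1]))
        merges.append((sorted(a[1]), sorted(b[1]), round(d, 3)))
    return clusters[0][0], merges                               # step 4: the dendrogram

def cut(merges, names, threshold):
    """Families obtained by stopping the merging once the distance exceeds threshold."""
    groups = {n: {n} for n in names}
    for left, right, d in merges:        # single-linkage merge distances never decrease
        if d > threshold:
            break
        merged = groups[left[0]] | groups[right[0]]
        for n in merged:
            groups[n] = merged
    return sorted(sorted(g) for g in {frozenset(g) for g in groups.values()})
```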

Automatic Malware Classification

Malware Genome: Graph, Entropy and Grid Computing

Sample Analysis

1. IDAPro + IDAPython

2. Flow Control

3. Functions Control Flow Graph (CFG) signatures [Blocks:Axis:FunctionCalls]

4. Functions CRC32

5. Functions names

6. Operating System & Library Calls (API)

Source: Ismael Briones. Virus Bulletin 2008, Ottawa.

Adjacency Matrix: columns & rows = graph nodes

Variants of the Bankolimb Family

Source: Ismael Briones. Virus Bulletin 2008, Ottawa.

Specialized Heuristics

Very good for specific threats to keep low false positive rates.

Implemented in product: specialized heuristics for phishing websites and banking Trojans.

Banking Trojans:

Wspoem 94.56%

Sinowal 96.78%

Torpig 92.79%

Goldun 84.60%

Abwiz 94.95%

Briz 91.08%

Bancolimb (Limbo) 91.38%

Dumador 95.58%

Bankpatch 100.00%

Banco 73.98%

Banbra 74.21%

What's all this geeky stuff for anyway?

PandaLabs' Objective: to be the #1 in classification & detection of new malware.

Thanks!

Luis Corrons

[email protected]

PandaLabs Blog: http://www.pandalabs.com