Data Security: Targeted malware. Dr. Bencsáth Boldizsár, assistant professor, BME Department of Networked Systems and Services (Hálózati Rendszerek és Szolgáltatások Tanszék)


1 Data Security: Targeted malware. May 5, Budapest. Dr. Bencsáth Boldizsár, assistant professor, BME Department of Networked Systems and Services

2 Targeted Attacks
Although many expected it, nobody knew how the era of targeted attacks and cyber warfare would start.
The hype began with Stuxnet, but it was perhaps not the first case (Hydraq, DoS attacks, etc.).
Many new cases: Stuxnet, Duqu, RSA, chemical plants, Mitsubishi Heavy Industries, Illinois water system (?). (Additionally: Anonymous, LulzSec, etc.)
APT (Advanced Persistent Threat): this term emphasizes the power of the attacker over our inability to keep control of our own systems.
A new approach is needed against APTs and targeted attacks.
Dr. Bencsáth Boldizsár, Hálózati Rendszerek és Sz. Tsz., Budapesti Műszaki és Gazdaságtudományi Egyetem: targeted attacks

3 CrySyS Lab activities
09/2011: discovery, naming and first analysis of the Duqu malware
05/2012: published a detailed technical analysis of the Flame (sKyWIper) malware
02/2013: together with Kaspersky Lab, published information on the MiniDuke malware
03/2013: after joint work with the Hungarian National Security Authority (NSA HUN), published the results of the investigation of the TeamSpy campaign

4 Our main contributions / Duqu
Discovery, naming and first analysis of Duqu: wrote the first 60-page report; showed the striking similarities with Stuxnet; shared our analysis with major anti-virus vendors and with Microsoft; an anonymized and shortened version of this report was published as an appendix of the first Symantec report on Duqu.
Identification of the dropper: an MS Word document with a 0-day Windows kernel exploit; made the dropper available to Symantec, which sanitized it and shared it with other anti-virus vendors and Microsoft.
Development and open-source distribution of a Duqu detector toolkit: based on heuristics, it follows a different approach from signature-based malware detection; detects live Duqu instances and remains of an earlier infection by Duqu; a real-life experiment that gave much insight into the whole case.
Mediator of information sharing for efficient security response: a delicate position, a lot of trust needed; how and what to share? conflict of interest among parties; successful sharing of the sample from a private company (privacy and anonymity concerns); this took the most time.

5 Flame
In May 2012 we participated in an international collaboration to investigate a novel malware that we called sKyWIper.
27/05: the national CERT of Iran (MAHER) disclosed that they were investigating a malware called Flamer.
28/05: CrySyS released the initial technical report on Flame/sKyWIper; Kaspersky released details of their work on Flame.
Victims (count not preserved in this transcription) mostly in the Middle East (Iran, Sudan); corresponding malware samples: Gauss, SPE/MiniFlame.
Check out the C&C analysis made by Symantec and Kaspersky.

6 MiniDuke
FireEye found a document with a 0-day PDF exploit on 12/02/2013.
PDF documents that use the same 0-day vulnerability but a different malware module were found.
The documents were suspicious; we expected that the attackers used them against high-profile targets.
~60 victim IP addresses found, many high-profile targets in governments and organizations (even NATO).
Investigations were finished within a week; we disclosed all relevant information about the malware and the victims to the appropriate organizations.
Not the malware but the attack campaign is of main interest. Relation to Ukraine?!

7 TeamSpy
In March 2013 the Hungarian National Security Authority (NSA HUN) asked for our support to further work on an already identified attack.
We obtained and analyzed many new malware samples, investigated a number of C&C servers and obtained victim lists.
There were multiple waves of attack campaigns by the same group over the last 8 years.
Two main malware technologies: a standard proprietary botnet client, and one based on TeamViewer abuse.
Main goal of the attackers: targeted attacks to steal information.
Traces show that the attackers were active from 2004.
Some of their tools were already known to A/V companies for years, but the whole story was never identified (missing threat intelligence).

8 What we did in the Duqu case
Yes, we are the lab that discovered Duqu.
In early September 2011, during the investigation of an incident, CrySyS Lab found a suspicious executable: the reference info stealer / keylogger component of Duqu. Later, during forensic activities, we identified the components used in the incident.
We made an initial analysis and disclosed the results to researchers and a limited number of companies. The cut-down version of our analysis was embedded into Symantec's report as an appendix (18 Oct 2011).
The dropper/installer component in this case was recovered in late October. After proving that it exploited a 0-day vulnerability, we organized the coordinated handling of the threat, which resulted in the public disclosure of the information on 1 Nov 2011.
More information on the ongoing case is under NDA; the technical details are already public.

9 Duqu/Stuxnet comparison at a glance

Feature                                  | Stuxnet             | Duqu
Modular malware                          | ✓                   | ✓
Kernel driver based rootkit              | ✓                   | very similar
Valid digital signature on driver        | Realtek, JMicron    | C-Media
Injection based on A/V list              | ✓                   | seems based on Stuxnet's
Imports based on checksum                | ✓                   | different algorithm
3 config files, all encrypted, etc.      | ✓                   | almost the same
Keylogger module                         |                     | ✓ (Duqu only)
PLC functionality (different goal)       | ✓ (Stuxnet only)    |
Infection through local shares           | ✓                   | possible (Symantec)
Exploits, 0-day                          | ✓                   | zero-day Word document, win32k.sys
DLL with modules as resources            | ✓ (many)            | ✓ (one)
RPC communication                        | ✓                   | ✓
Port 80/443, TLS based C&C               | ?                   | similar
Special magic keys (e.g. 0xAE)           | ✓                   | lots of similar
Virtual file based access to modules     | ✓                   | ✓
Careful error handling                   | ✓                   | ✓
Initial, dropper, deactivation timer     | ✓                   | ✓
Configurable start in safe mode/debug    | ✓                   | exactly the same mechanism

10 Other features
Communication module: used to send information to and receive commands from a remote Command and Control (C&C) center. In our case the C&C server was located in India (address not preserved in this transcription); later evidence shows that they use one server per victim. The communication protocol uses both HTTP on port 80 and HTTPS on port 443. The communication through port 80 starts with a valid HTTP request, followed by the transmission of (possibly encrypted) binary data obfuscated as JPEG images.
Keylogger module: logs keystrokes, regularly saves screenshots and packs other types of information; stores the data in the %TEMP% directory in a compressed format; contains an embedded JPEG file: Interacting Galaxy System NGC 6745.
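Added example (not from the slides or the Duqu report): a small Python checker for the kind of traffic described above. It splits an HTTP response from its body, walks the JPEG marker structure of the body, and reports whether anything follows the EOI marker, which is where a payload merely "obfuscated as" a JPEG shows up. The HTTP response and the minimal JPEG are constructed here for the demonstration, and the verdict names are this example's own.

```python
import struct

def split_http(raw):
    """Split a raw HTTP message into (header bytes, body bytes).
    Returns (raw, b'') when no header/body separator is present."""
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        return raw, b""
    return raw[:sep], raw[sep + 4:]

def parse_jpeg(buf):
    """Walk the JPEG marker segments of buf.
    Returns (ok, end, markers): ok is True when a well-formed SOI..EOI sequence was
    found, end is the offset just past EOI (or where parsing stopped), markers is
    the list of segment marker bytes seen on the way."""
    markers = []
    if buf[:2] != b"\xff\xd8":                      # SOI
        return False, 0, markers
    pos = 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:                         # a marker must start here
            return False, pos, markers
        marker = buf[pos + 1]
        if marker == 0xD9:                           # EOI: the image ends here
            return True, pos + 2, markers
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM carry no length
            markers.append(marker)
            pos += 2
            continue
        if pos + 4 > len(buf):
            return False, pos, markers
        length = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(buf):
            return False, pos, markers
        markers.append(marker)
        pos += 2 + length
        if marker == 0xDA:                           # SOS: entropy-coded data until the next real marker
            while pos + 1 < len(buf):
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                            # FF 00 is byte stuffing, FF Dn a restart marker
                pos += 1
    return False, pos, markers

def classify_body(body):
    """Verdict for a body that claims to be a JPEG (verdict names are this example's own)."""
    ok, end, markers = parse_jpeg(body)
    if not ok:
        return {"verdict": "malformed-jpeg", "trailing": None}
    trailing = len(body) - end
    if trailing > 0:
        return {"verdict": "data-after-eoi", "trailing": trailing}
    if 0xDA not in markers:
        return {"verdict": "jpeg-without-scan", "trailing": 0}
    return {"verdict": "plain-jpeg", "trailing": 0}

def classify_http(raw):
    _, body = split_http(raw)
    return classify_body(body)

def tiny_jpeg():
    """Constructed test image (not captured traffic): SOI, APP0, SOS, a few
    entropy-coded bytes including a stuffed FF 00, then EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"

def smuggled_response(payload):
    """Constructed HTTP response: a real image followed by opaque bytes, Duqu style."""
    body = tiny_jpeg() + payload
    hdr = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n" % (len(body),)
    return hdr + body

if __name__ == "__main__":
    print(classify_http(smuggled_response(b"")))
    print(classify_http(smuggled_response(bytes(range(256)))))
```

The caveat a detection engineer would add: this only catches data appended after the image. A payload stuffed into the entropy-coded scan segment passes this check, and catching it needs the image actually decoded and compared against its declared dimensions.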

11 Interacting Galaxy System NGC 6745: a relation to the Stars malware of April 2011?

12 Modular structure of Duqu (the slide's diagram, read column by column)
jminet7 variant: registry data -> jminet7.sys (loader) -> netp191.pnf (payload) + netp192.pnf (config) -> nep191_res302.dll -> netp191.zdata.mz (comm module)
cmi4432 variant: registry data -> cmi4432.sys (loader) -> cmi4432.pnf (payload) + cmi4464.pnf (config) -> cmi4432_res302.dll -> cmi4432_ (exe?) (comm module)
Keylogger: keylogger executable -> internal DLL (keylogger)

13 Duqu decryptor (disassembly; immediates and label addresses shown as a bare "h" or "L" were not preserved in this transcription)

SUB_L        :
    push esi
    mov ecx, h
    xor esi,esi
    jmp L
    align 8
L        :
    xor [esi+L        ],cl
    ror ecx,03h
    mov edx,ecx
    imul edx,ecx
    mov eax,1e2d6da3h
    mul edx
    mov eax,ecx
    imul eax, h
    shr edx,0ch
    lea edx,[edx+eax+01h]
    add esi, h
    xor ecx,edx
    cmp esi,000001ach
    jc L
    mov ax,[L        ]
    test ax,ax
    pop esi
    jnz L
    movzx ecx,[edi]
    mov edx,[edi+04h]
    push ecx
    push edx
    push L
    call jmp_ntoskrnl.exe!memcpy
    add esp, ch
L        :
    retn

14 Stuxnet decryptor (disassembly; immediates shown as a bare "h" were not preserved in this transcription)

SUB_L00011C42:
    push ebp
    mov ebp,esp
    sub esp, h
    mov edx,eax
    xor edx,d        h
    xor eax,a36ecd00h
    mov [ebp-04h],esi
    shr dword ptr [ebp-04h],1
    push ebx
    mov [ebp-10h],edx
    mov [ebp-0ch],eax
    mov dword ptr [ebp-08h], h
    push edi
L00011C6A:
    xor edx,edx
    test esi,esi
    jbe L00011C87
    mov al,[ebp-0ch]
    imul [ebp-08h]
    mov bl,al
L00011C78:
    mov al,[ebp-10h]
    imul dl
    add al,bl
    xor [edx+ecx],al
    inc edx
    cmp edx,esi
    jc L00011C78
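Added example (not the slides' or Symantec's code): the Stuxnet routine above reduces to a byte-wise keystream, keystream[i] = (k1 * i + kb) mod 256, where k1 is the low byte of key XOR the first mask and kb is the low byte of (key XOR 0xA36ECD00) multiplied by the byte constant at [ebp-08h]. Only 0xA36ECD00 survived the transcription; the other two constants are assumed stand-ins here. Because the keystream is linear in i, two bytes of known plaintext (such as an MZ header) fix both parameters, so the routine can be verified, or a lost key bypassed, without the key at all. The encrypted sample is constructed; the key 0x01AE0000 is the one the slides give for oem7a.pnf.

```python
"""Keystream of the Stuxnet decryption routine shown above, plus known-plaintext recovery."""

XOR_CONST_B = 0xA36ECD00     # preserved in the listing: xor eax, a36ecd00h
# Assumed stand-ins for values the transcription lost: the first XOR mask
# ("xor edx, d...h") and the byte multiplier kept at [ebp-08h].
ASSUMED_XOR_CONST_A = 0xD3A1C9E7
ASSUMED_MULT = 0xCB

def keystream_byte(i, k1, kb):
    """One keystream byte, mirroring the loop body
    (mov al,[ebp-10h]; imul dl; add al,bl): only the low byte survives."""
    return (k1 * i + kb) & 0xFF

def derive_params(key, xor_a=ASSUMED_XOR_CONST_A, mult=ASSUMED_MULT):
    """Prologue: edx = key ^ xor_a (its low byte becomes k1);
    eax = key ^ XOR_CONST_B, then bl = al * mult as a byte multiply (kb)."""
    k1 = (key ^ xor_a) & 0xFF
    kb = (((key ^ XOR_CONST_B) & 0xFF) * mult) & 0xFF
    return k1, kb

def xor_with_keystream(data, k1, kb):
    """The loop: buf[i] ^= keystream(i). XOR is symmetric, so this both encrypts and decrypts."""
    return bytes(b ^ keystream_byte(i, k1, kb) for i, b in enumerate(data))

def recover_params(ciphertext, known_prefix):
    """Known-plaintext attack on the linear keystream:
    keystream[0] = kb and keystream[1] - keystream[0] = k1 (mod 256).
    Every further known byte is a consistency check; returns None when it fails."""
    if len(known_prefix) < 2 or len(ciphertext) < len(known_prefix):
        return None
    ks = [c ^ p for c, p in zip(ciphertext, known_prefix)]
    kb = ks[0]
    k1 = (ks[1] - ks[0]) & 0xFF
    if any(keystream_byte(i, k1, kb) != k for i, k in enumerate(ks)):
        return None
    return k1, kb

def recover_and_decrypt(ciphertext, known_prefix=b"MZ\x90\x00"):
    """Decrypt a blob believed to start with a PE header, without knowing the key."""
    params = recover_params(ciphertext, known_prefix)
    if params is None:
        return None
    return xor_with_keystream(ciphertext, *params)

# Constructed sample (not a real payload): PE-looking bytes under the oem7a.pnf key from the slides.
SAMPLE_PLAINTEXT = (b"MZ\x90\x00\x03\x00\x00\x00"
                    + b"This program cannot be run in DOS mode.\r\n$"
                    + bytes(range(64)))
SAMPLE_KEY = 0x01AE0000

def demo():
    """Encrypt the constructed sample with the derived parameters, then recover them blind."""
    k1, kb = derive_params(SAMPLE_KEY)
    ct = xor_with_keystream(SAMPLE_PLAINTEXT, k1, kb)
    return recover_and_decrypt(ct) == SAMPLE_PLAINTEXT

if __name__ == "__main__":
    print("round trip without the key:", demo())
```

Because only the low bytes of the XOR results reach the loop, the 32-bit key contributes at most 8 bits to k1 and 8 bits to kb: the whole keystream space is 65536 candidates, so even without known plaintext it can be brute-forced and scored by looking for an MZ/PE header in the output.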

15 Calling the decryption routine (the two columns of the slide, reconstructed; labels and immediates shown as a bare "L" or "h" were not preserved)

Stuxnet's 1st decryption call:
L000103E1: mov byte ptr [L        ],01h
           mov dword ptr [ebp-1ch],L00013E80
L000103EF: cmp dword ptr [ebp-1ch],L00013E84
           jnc L
           mov eax,[ebp-1ch]
           mov eax,[eax]
           cmp eax,ebx
           jz L
           call eax
           add dword ptr [ebp-1ch], h
           jmp L000103EF
           xor eax,eax
           cmp eax,ebx
           jnz L000104BA
           mov al,[L00013E98]
           test al,al
           jz L
           xor eax,eax
           mov esi, h
           mov ecx,L00013E99
           call SUB_L00011C42
           mov [L00013E98],bl
           mov eax,[L00013E99]
           test al,01h
           jz L       C
           mov eax,[ntoskrnl.exe!InitSafeBootMode]
           cmp [eax],ebx
           jz L       C

Duqu's 1st decryption call:
L000105C4: mov byte ptr [L        ],01h
           mov esi,L
           mov [ebp-1ch],esi
L000105D0: cmp esi,L
           jnc L000105E8
           mov eax,[esi]
           test eax,eax
           jz L000105E3
           call eax
L000105E3: add esi, h
           jmp L000105D0
L000105E8: xor eax,eax
L000105EA: test eax,eax
           jnz L
           mov edi,[ebp+0ch]
           call SUB_L
           mov eax,[L        ]
           test al,01h
           jz L
           mov ecx,[ntoskrnl.exe!InitSafeBootMode]

Both sides loop over a table of function pointers, call the decryption routine on the compiled-in configuration (SUB_L00011C42 in Stuxnet), and then test bit 0 of the decrypted data together with ntoskrnl!InitSafeBootMode: this is the safe-mode/debug start check that the comparison table calls "exactly the same mechanism".

16 Payload DLL comparison

Feature             | oem7a.pnf (Stuxnet)                                   | netp191.pnf (Duqu)
Packer              | UPX                                                   | UPX
Size                | (bytes; value not preserved)                          | (bytes; value not preserved)
Exported functions  | (value not preserved)                                 | (value not preserved)
# ntdll.dll hooks   | 21                                                    | 8
Hooks shown         | ZwMapViewOfSection, ZwCreateSection, ZwOpenFile,      | ZwMapViewOfSection, ZwCreateSection, ZwOpenFile,
                    | ZwClose, ZwQueryAttributesFile, ZwQuerySection        | ZwClose, ZwQueryAttributesFile, ZwQuerySection
Resources           | 13 (201, 202, 203, 205, 208, 209, 210, 220, 221, 222, | 1 (302)
                    | 240, 241, 242, 250)                                   |

17 PE header file dates (year and hour not preserved in this transcription)

File                    | Date
CMI4432.PNF             | 17/07, ..:12:41
cmi4432_res302.dll      | 21/12, ..:41:03
cmi4432_ dll            | 21/12, ..:41:29
netp191.pnf             | 04/11, ..:48:28
nep191_res302.dll       | 21/12, ..:41:03
Keylogger.exe           | 01/06, ..:25:18
Keylogger internal DLL  | 01/06, ..:25:16

18 GMER

19 Duqu registry key data (dword values not preserved in this transcription)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3]
"Description"="JmiNET3"
"DisplayName"="JmiNET3"
"ErrorControl"=dword:
"Group"="Network"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\jminet7.sys"
"Start"=dword:
"Type"=dword:
"FILTER"=hex:a0,35,58,da,32,ee,d5,01,c0,15,8b,1f,4b,5c,d1,a1,0b,8b,e7,85,1c,7f,\
  6e,f2,ef,31,6a,18,3c,80,78,c7,d4,c5,50,90,7a,78,66,9d,6b,93,00,a1,f5,3d,26,\
  ce,cb,1c,1e,45,b0,ff,a0,dd,c0,a3,e8,58,31,0c,b2,a1,dd,11,37,ba,aa,1e,66,d3,\
  1f,b4,2f,e1,7c,eb,b6,a2,58,a0,25,62,77,b5,41,d3,71,02,1a,be,cb,bb,52,43,76,\
  43,b6,d0,67,25,19,10,27,67,a5,15,38,9f,8f

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\Enum]
"0"="Root\\LEGACY_JMINET3\\0000"
"Count"=dword:
"NextInstance"=dword:

20 Decryption keys

Duqu
Description                                   | Key
Compiled-in configuration (Config-1)          | no key set, fixed decryption routine (essentially the same as key=0)
Variable configuration in registry (Config-2) | 0xAE (loaded from Config-1)
Decryption key for netp191.pnf                | 0xAE (loaded from Config-2)

Stuxnet
Description                                   | Key
Compiled-in configuration (Config-1)          | key=0
Variable configuration in registry (Config-2) | 0xAE (loaded from Config-1)
Decryption key for oem7a.pnf                  | 0x01AE0000 (loaded from Config-2)


22 Targeted attacks: what's new?
Targeted attacks are asymmetric attacks (like sniper attacks): the sniper can choose the time, the means, the target, the vulnerability, etc. Consumer-grade products cannot protect against them.
Traditional tools can help but do not solve the problem (firewalls, IDS, IPS, UTM, spam filtering, etc.).

23 Duqu Detector Toolkit: design principles
Instead of signature-based identification, focus on heuristics-based anomaly detection.
Duqu left some traces even after deleting itself: it used PNF files without corresponding INF files, and it used encrypted components.
False positives are acceptable, given the critical nature of the potential targets.
Simple components (tools) provided as C source code (under GPL): easy to verify and re-compile; can be used in special environments too (e.g. critical infrastructures).

24 Duqu Detector Toolkit: components
FindDuquSys: signature-based scanner that recursively tries to find the kernel driver file of Duqu; the signature components were selected so that modified versions of Duqu might be detected as well.
FindDuquTmp: looks for Duqu-related temporary files: ~DN1.tmp, files starting with ~DQ, files starting with ~DF (other file names were used in some Duqu cases).
FindPNFnoINF: looks for PNF files that do not have a related INF file.

25 Cmi4432.sys signature info

26 Duqu Detector Toolkit: components (cont'd)
CalcPNFEntropy: tries to find encrypted PNF files; encrypted and compressed files have higher entropy than standard binary (executable) files; the entropy of real-life Duqu samples is typically around 0.9, while standard binaries have entropy below 0.6.
FindDuquReg: looks up the registry recursively to identify entries with high entropy.
FindInjectedSections: Duqu uses code injection and starts itself from a memory region that it previously wrote; this tool looks for memory sections with read/write/execute rights; to limit false positives, only the specific processes into which Duqu typically injects itself are considered.
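Added example, written here and not the toolkit's own C code: the file-system heuristics above (PNF without INF, PNF entropy, the Duqu temporary-file names) and the registry-entropy idea, in Python, using the FILTER value from the slide on Duqu registry data as input. The thresholds follow the slides (Duqu around 0.9, normal binaries below 0.6; the 0.85 cut between them is an assumption). Added caveat: a short blob cannot reach an entropy of 0.9 however random it is, because the entropy of n bytes is bounded by log2(n), so the registry check also reports entropy relative to that bound. The directory contents built by demo_scan are constructed.

```python
import math
import os
import re
import tempfile
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0..8)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_scores(data):
    """(normalized, relative): normalized = H/8 as on the slides; relative = H divided by
    the ceiling log2(len) that a blob of this size can reach, so short registry values
    are not dismissed merely for being short (added caveat, not in the toolkit)."""
    h = shannon_entropy(data)
    n = len(data)
    ceiling = min(8.0, math.log2(n)) if n > 1 else 8.0
    return h / 8.0, (h / ceiling if ceiling > 0 else 0.0)

def find_pnf_without_inf(directory):
    """FindPNFnoINF: precompiled .pnf files that have no .inf of the same base name."""
    names = os.listdir(directory)
    have_inf = {n[:-4].lower() for n in names if n.lower().endswith(".inf")}
    return sorted(n for n in names
                  if n.lower().endswith(".pnf") and n[:-4].lower() not in have_inf)

def find_high_entropy_pnf(directory, threshold=0.85):
    """CalcPNFEntropy: .pnf files whose normalized entropy is at or above threshold."""
    hits = []
    for n in sorted(os.listdir(directory)):
        if n.lower().endswith(".pnf"):
            with open(os.path.join(directory, n), "rb") as f:
                norm, _ = entropy_scores(f.read())
            if norm >= threshold:
                hits.append((n, round(norm, 3)))
    return hits

DUQU_TMP_NAME = re.compile(r"^(~DN1\.tmp|~DQ[^\\/]*|~DF[^\\/]*)$", re.IGNORECASE)

def find_duqu_tmp_names(names):
    """FindDuquTmp: the temporary-file names listed on the slides."""
    return sorted(n for n in names if DUQU_TMP_NAME.match(n))

def reg_hex_value(text):
    """Parse the hex:aa,bb,... syntax of a .reg export (backslash line continuations)."""
    body = text.split("hex:", 1)[1]
    return bytes(int(x, 16) for x in re.findall(r"[0-9a-fA-F]{2}", body))

# The FILTER value of the JmiNET3 service exactly as printed on the Duqu registry slide.
DUQU_FILTER_REG = (
    '"FILTER"=hex:a0,35,58,da,32,ee,d5,01,c0,15,8b,1f,4b,5c,d1,a1,0b,8b,e7,85,1c,7f,\\\n'
    '  6e,f2,ef,31,6a,18,3c,80,78,c7,d4,c5,50,90,7a,78,66,9d,6b,93,00,a1,f5,3d,26,\\\n'
    '  ce,cb,1c,1e,45,b0,ff,a0,dd,c0,a3,e8,58,31,0c,b2,a1,dd,11,37,ba,aa,1e,66,d3,\\\n'
    '  1f,b4,2f,e1,7c,eb,b6,a2,58,a0,25,62,77,b5,41,d3,71,02,1a,be,cb,bb,52,43,76,\\\n'
    '  43,b6,d0,67,25,19,10,27,67,a5,15,38,9f,8f'
)

def registry_value_looks_encrypted(reg_text, relative_threshold=0.85):
    """FindDuquReg idea: a binary registry value with high entropy, judged against
    the size ceiling rather than against the fixed 8-bit maximum."""
    blob = reg_hex_value(reg_text)
    norm, rel = entropy_scores(blob)
    return {"bytes": len(blob), "normalized": round(norm, 3), "relative": round(rel, 3),
            "suspicious": rel >= relative_threshold}

def demo_scan():
    """Constructed directory: one random-looking .pnf without .inf (stands in for an
    encrypted payload) and one low-entropy .pnf that has its .inf."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "netp191.pnf"), "wb") as f:
            f.write(os.urandom(4096))
        with open(os.path.join(d, "oem1.pnf"), "wb") as f:
            f.write(b"\x00" * 3000 + b'[Version]\r\nSignature="$Windows NT$"\r\n' * 10)
        with open(os.path.join(d, "oem1.inf"), "wb") as f:
            f.write(b'[Version]\r\nSignature="$Windows NT$"\r\n')
        return {"pnf_without_inf": find_pnf_without_inf(d),
                "high_entropy_pnf": find_high_entropy_pnf(d)}

if __name__ == "__main__":
    print(registry_value_looks_encrypted(DUQU_FILTER_REG))
    print(demo_scan())
```

On the 111-byte FILTER value the normalized score stays under 0.85 purely because of its length, while the relative score is well above it; a tool that applies the slide's 0.9 figure to registry values without that correction misses exactly the short encrypted blobs it is looking for.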

27 Duqu Detector Toolkit: usage and evaluation
We tested the toolkit with the Duqu sample we had: all six tools generated alarms.
We tested the toolkit with Stuxnet.A too: the Duqu signature scanner and the temporary-file detector did not signal any problems (as expected), but the remaining four tools raised alarms.
The toolkit was tested by security vendors against their samples; we encountered a low number of false positive alarms (a few innocent PNF files without the corresponding INF files).
The toolkit has been downloaded from a large number of distinct IP addresses (count not preserved in this transcription) distributed over 150+ countries.

28 Discussion on code signing
Code signing is extensively used today to authenticate the identity of the producer of a piece of software and the integrity of the code; unsigned software can no longer be installed on recent and future versions of Windows without warning messages.
A common assumption is that if code is signed then it can be trusted. FALSE!!!
The signature key may be compromised.
A valid signature says nothing about the trustworthiness of the signer (even if the signature key is intact).
There are multiple ways to get a piece of malware signed in practice (see Jarno Niemelä's CARO 2010 slides, F-Secure).

29 Problems with code signing: misplaced incentives and scalability issues, negligent key management, limited effectiveness in establishing trust in software
Software companies do not really care: CAs have strict authentication policies when evaluating a certificate request, but there are no periodic audits aimed at verifying how the private keys are handled and used by the certificate owner.
Has there ever been a case where the certificate of a software maker was revoked due to its negligence in key management and code signing procedures???
As a consequence, software companies have no real incentive to follow strict key management policies; code signing keys are often stored on development machines without strong protection.

30 Problems with code signing (cont'd)
CAs do not really care either: who should actually perform the auditing of software companies? CAs might be interested, but it would not scale and would be too costly for them.
What if a software company is found negligent? The CA revokes its keys and does not issue new certificates; the company obtains certificates from another CA with weaker requirements; strict CAs lose their customers. So CAs have no incentive to do strict verification.

31 Discussion on signature-based detection
Signature-based malware detection is important, as it is the most effective way of detecting known malware, but it is not good against targeted attacks: Duqu and other recent targeted attacks clearly show that it is not sufficient.
The creators of high-profile targeted threats have the resources to fine-tune their malware until it passes the verification of all known anti-virus products; such threats will basically never be detected by signature-based tools before they are identified and their signatures are added to the signature database.
Possible approach: heuristic anomaly detection. The main problem is false positive alarms; more work on whitelisting techniques and cloud-based information sharing may improve the situation, and academic research could contribute a lot in this area. In some application domains, false positives are acceptable.

32 Discussion on information sharing
In our Duqu project, the biggest challenge in threat mitigation was to establish trust between our client and the selected security vendors for information sharing.
We immediately realized that the information needed to be shared with the AV industry for global defense; however, our client had different objectives: recover from the incident and preserve anonymity.
We emerged as a trusted mediator, which led to effective incident response on a global scale: the certificate of C-Media was revoked in 1 day; the C&C server was shut down (sinkholed); the Duqu sample was shared within the AV industry; AV signature databases were updated in a short amount of time; new infections (samples) were discovered; the dropper was identified, anonymized and shared; Microsoft issued a quick fix (workaround) and later a patch.

33 Discussion on information sharing (cont'd)
Anecdotal evidence suggests that, unlike in our case, security vendors are often unable to obtain forensic information even when their product detected the infection; e.g. only one additional dropper file was found, although there were more than 20 identified infections.
Dependable and safe information sharing is challenging: how to keep anonymity and preserve reputation? how to obtain assistance for incident handling? how to provide anonymized forensic data? Full disk images contain a lot of private information, and even single files are sometimes hard to sanitize.

34 A Mask sample: 11/46 detections, under different names

35 Mask sample: VT uploads

36 Submissions, page 2

37 Analyses, p. 1

38 Analyses, p. 2


40 Remarks
No matter what the malware is, virus scanner tags do not help much here: ~3/50 detections means maybe APT, ~40/50 means it is not APT.
You always want to find any similar malware for the investigation; finding one takes you back to the start of the analysis process.
You can start digging for signed malware, e.g. with a VirusTotal Intelligence query such as: positives:5+ positives:15- tag:signed
Many of the samples have a valid digital signature; many of them are adware.
It is not the duty of the CA to find rogue publishers. Then who is responsible for doing so?

41 TecSystem code: features
The code had already been submitted to VT months ago. Signsrch output (offsets and some entry numbers were partly lost in this transcription):

offset    num  description [bits.endian.size]
               MD5 digest [32.le.272&]
               RIPEMD-128 InitState [32.le.16&]
00008ec.       classical random incrementer 0x343FD 0x269EC3 [32.le.8&]
00014fc.       zinflate_lengthstarts [16.le.58]
               zinflate_distancestarts [16.le.60]
....c8    648  CRC-32-IEEE [crc32.0xedb88320 lenorev]
....c8    641  CRC-32-IEEE [crc32.0x04c11db7 le rev int_min.1024]
....c8    129  Adler CRC32 (0x191b3141) [32.le.1024]
....c8    131  Adler CRC32 (0x01c26a37) [32.le.1024]
00015cc8  133  Adler CRC32 (0xb8bc6765) [32.le.1024]
....c8    652  CRC-32-IEEE [crc32.0xedb88320 benorev]
....c8    645  CRC-32-IEEE [crc32.0x04c11db7 be rev int_min.1024]
....c8    130  Adler CRC32 (0x191b3141) [32.be.1024]
....c8    132  Adler CRC32 (0x01c26a37) [32.be.1024]
00016cc8  134  Adler CRC32 (0xb8bc6765) [32.be.1024]
0001a0e.       anti-debug: IsDebuggerPresent [..17]
0001b7c.       PADDINGXXPADDING [..16]
               SSH RSA id-sha1 OBJ.ID. oiw(14) secsig(3) algorithms(2) 26 [..15]

42 TecSystem (cont'd)
Part of Careto was signed by TecSystem.
Recognized by ~3/50 engines on VT.
The signature was not revoked.
Things like IsDebuggerPresent make it more suspicious.
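Added example (not signsrch itself, whose signature database is far larger): the idea behind the signsrch output on the previous slide, in Python. It generates the constants that crypto and compression code carries (the CRC-32 table, the MD5 initial state, the zlib length-start table), searches a buffer for them in both byte orders, and matches the MSVC rand() multiplier and increment as a pair of nearby immediates rather than one contiguous blob. The buffer in constructed_sample is synthetic and stands in for an unpacked binary. The RIPEMD-128 line on the slide is the same four words as the MD5 line, since the two hashes share their initial state, which is why a constant search reports both.

```python
import struct

def crc32_table(poly=0xEDB88320):
    """The 256-entry reflected CRC-32 table that zlib/PNG-style code carries verbatim."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table

MD5_INIT_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # also RIPEMD-128's
ZINFLATE_LENGTH_STARTS = (3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
                          35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258)

def build_signatures():
    """Name -> byte pattern, in both endiannesses where the constant is stored as words."""
    crc = crc32_table()
    sigs = {}
    for label, fmt in (("le", "<"), ("be", ">")):
        sigs[f"CRC-32-IEEE table [crc32.0xedb88320 {label}]"] = b"".join(
            struct.pack(fmt + "I", v) for v in crc[:8])          # first 8 entries are enough
        sigs[f"MD5 init state [32.{label}.16]"] = b"".join(
            struct.pack(fmt + "I", v) for v in MD5_INIT_STATE)
        sigs[f"zinflate_lengthstarts [16.{label}.58]"] = b"".join(
            struct.pack(fmt + "H", v) for v in ZINFLATE_LENGTH_STARTS)
    sigs["anti-debug: IsDebuggerPresent"] = b"IsDebuggerPresent"
    return sigs

def find_all(buf, pat):
    off = buf.find(pat)
    while off != -1:
        yield off
        off = buf.find(pat, off + 1)

def scan(buf):
    """Return sorted (offset, description) hits, signsrch style."""
    hits = []
    for name, pat in build_signatures().items():
        hits.extend((off, name) for off in find_all(buf, pat))
    # The "classical random incrementer" (MSVC rand: x*0x343FD + 0x269EC3) sits in code as
    # two immediates a few bytes apart, so it is matched as a pair within a short window.
    for off in find_all(buf, struct.pack("<I", 0x343FD)):
        if buf.find(struct.pack("<I", 0x269EC3), off, off + 32) != -1:
            hits.append((off, "classical random incrementer 0x343FD 0x269EC3 [32.le.8&]"))
    return sorted(hits)

def constructed_sample():
    """Synthetic buffer (not a real sample): MD5 IV, a full CRC-32 table,
    an import-name string and an MSVC rand() instruction pair."""
    crc = crc32_table()
    rand_code = (b"\x69\xc0" + struct.pack("<I", 0x343FD)    # imul eax, eax, 343FDh
                 + b"\x05" + struct.pack("<I", 0x269EC3))     # add  eax, 269EC3h
    return (b"\x00" * 64
            + b"".join(struct.pack("<I", v) for v in MD5_INIT_STATE)
            + b"\x90" * 16
            + b"".join(struct.pack("<I", v) for v in crc)
            + b"IsDebuggerPresent\x00"
            + rand_code)

if __name__ == "__main__":
    for off, desc in scan(constructed_sample()):
        print(f"{off:08x}  {desc}")
```

A hit list like this says what the code can do (hash, checksum, inflate, detect a debugger), not what it is; on the slide it is one more reason to look closer at a signed file that only a few engines flag.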

43 The Mask file names: YARA rule

rule themask_fn : themask_fn
{
    strings:
        $a = "objframe.dll"
        $b = "shlink32.dll"
        $c = "shlink64.dll"
        $d = "cdllait32.dll"
        $e = "cdllait64.dll"
        $f = "dlluninstallws32.dll"
        $g = "cdlluninstallws64.dll"
        $h = "cdlluninstallsgh32.dll"
        $i = "cdlluninstallsgh64.dll"
        $j = /c_5[0-9]{4}\.nls/
        $k = "cdgext32.dll"
        $l = "cfgbkmgrs.dll"
        $m = "cfgmgr64.dll"
        $n = "comsvrpcs.dll"
        $o = "d3dx8_20.dll"
        $p = "dllcomm.dll"
        $q = "dllcomm.dll"
        $s = "wmimgr.sys"
        $t = "drvinfo.bin"
        $u = "FCache.bin"
        $v = "FFExtendedCommand.dll"
        $w = "gpktcsp32.dll"
    condition:
        any of them
}

44 Finding signed code: YARA rule

rule themask_sig : themask_sig
{
    meta:
        description = "the mask file sig"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = { 0e 80 8f bc 51 9e ea 1a 73 cd f3 26 6f }
        $b = "TecSystem Ltd"
        // the 10th byte reads "d" on the slide with one hex digit lost in transcription;
        // the wildcard keeps the rule compilable
        $c = { 36 be 4a d4 57 f0 62 fa 77 ?? b8 cc c8 cf }
    condition:
        $a or $b or $c
}

45 The Mask: related finding, wmimgr.sys related. A finding always raises new questions: D:\test.. What is wmisrmgr.dll? An identifier in The Mask.

46 Another one

47 And a third

48 Mask kernel drivers
The kernel drivers found are related to the Winnti campaign. Winnti was attacking the gaming industry and used signed code multiple times. Maybe it is a false trace, maybe not; more work is needed.

49 Threat intelligence
The process of discovering malicious activity through internal monitoring tools or external services that publish information about detected incidents, before an attack succeeds.
Situational awareness: understanding what is going on; technical analysis is just one point in that process.
Information is needed from as many sources as possible; one finding might open the way to another (cyclic approach).
As long as the attack is not fully understood, the work done should not be exposed (too much): don't leak information towards the attackers.

50 Questions of threat intelligence
What is the threat we are facing? What tools are used by the attackers? What are the possible capabilities and resources of the attacker? What is the goal of the attacker? Attribution (who the attacker is) is just a way to understand it better.
What is the risk on our side? What are our assets that need to be protected? What if the attack continues?
What should the response be? What is the most efficient way to handle the problem? How to notify others, and what to share? What could happen after a response to the attack?

51 Threat intelligence process, a model: a cycle of Collect, Dig (malware repository, information queries), Analyze, Decide, Act.

52 Threat intelligence gathering: sources
Internal monitoring tools: AV (anti-virus) products; IDSs (Intrusion Detection Systems) and SIEMs (Security Information and Event Management systems); log analysis tools; DNS monitoring; honeypots.
External services: run by various security organizations, projects, vendors, universities, CERTs, non-profit initiatives, or even enthusiastic individuals; public, closed or commercial access; examples: collections of malware samples, malicious domains, IP blacklists.

53 Some of the most important sources
VirusTotal; Shadowserver's databases; urlQuery; OpenDNS Umbrella Security Graph; various malware feeds.
Our own malware repository: tens of millions of samples, ~8-10 TB and growing (expected daily intake on the order of thousands of samples; the exact figure was not preserved in this transcription).

54 Snake/Uroburos (BAE report): a Hungarian victim? Not necessarily a victim! 1 upload from HU.

55 VT uploads
Sample: 2eb233a759642abaae2e3b29b7c85b89
Submissions (date and hour not preserved in this transcription; time, file name, submitter id, source, country):
  ..:12:18  3            add5c61e  (web)        CN
  ..:26:32  vti-rescan   c98a3f59  (community)  FR
  ..:39:34  vti-rescan   7d422d74  (community)  US
  ..:20:30  vti-rescan   fe3ba116  (community)  IN
  ..:32:10  wileman.dll  883db971  (web)        UA
  ..:45:16  wileman.dll  a1bf5bda  (community)  UA
  ..:42:36  wileman.dll  c2c2a9a8  (web)        UA
  ..:40:12  blbtes.dll   11ea2c5b  (web)        HU
Only a hash is known for the submitter. It can be anybody, even security researchers, or a Tor endpoint.

56 What is 2eb233a759642abaae2e3b29b7c85b89?

57 What is the C&C?
The version uploaded from Hungary has 3 C&C servers hardcoded, of which just 2 are online for now (source: obtained from the sample):
  winter.site11.com - offline
  swim.onlinewebshop.net - online
  july.mypressonline.com - online
The live C&C server(s) might contain information about the possible HU victim, but no known method exists to extract this information; most likely it is impossible to find the victim through this channel.

58 Malware repository: why?
For APTs, malware samples may differ only by configuration options (e.g. C&C information), so every sample will be different, yet different samples might be very similar. Families of malicious code might share common basics.
Finding corresponding pieces of malware helps understanding better; nobody can immediately state what is corresponding and what is not.

59 RCApp / VNCDLL C&C server
RCApp is related to some Zeus botnet campaign and is written in Delphi. The C&C server is hard-coded, as seen below. Finding related samples helps to find new C&C servers, and the C&C servers leaked information about victims.

60 Found in another sample of RCApp (the server address and the timeout value were not preserved in this transcription)

; Файл инициализации для VNCDLL. Прикрепляется к DLL посредством утилиты FJ.
; При загрузке DLL ищется этот файл, и если он найдет, ативируется сервер с заданными в файле параметрами.
; Адрес бэкконект сервера
BcServer = :443
; Время, через которое повторять подключение если бэкконект недоступен (секунд)
BcTimeout =

Translation:
; Initialization file for VNCDLL. Attached to the DLL with the FJ utility.
; When the DLL is loaded it looks for this file, and if found, the server is activated with the parameters given in the file.
; Address of the back-connect server
BcServer = :443
; Time after which to retry the connection if the back-connect server is unavailable (seconds)
BcTimeout =
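Added example (not part of the slides or of any RCApp analysis): how the back-connect configuration of such a sample can be pulled out of the file and used to group samples by C&C, which is the "finding related samples helps to find new C&C servers" step. The keys are the ones in the initialization file above; the layout (an INI block attached after the PE image, Cyrillic comments in cp1251) is an assumption, and the samples, addresses and ports are constructed.

```python
import re

# key = value lines for the two keys in the VNCDLL initialization file. The lookbehind keeps
# the DLL's own copy of the key name (a bare "BcServer\0" string it uses for parsing) from
# matching: only an occurrence followed by "=" is configuration.
KEY_RE = re.compile(rb"(?<![A-Za-z0-9_])(BcServer|BcTimeout)[ \t]*=[ \t]*([^\r\n;]*)")

def extract_c2(sample):
    """Parse BcServer (host:port) and BcTimeout (seconds) from an attached INI block."""
    cfg = {m.group(1).decode(): m.group(2).strip().decode("cp1251", "replace")
           for m in KEY_RE.finditer(sample)}
    result = {}
    if "BcServer" in cfg:
        host, _, port = cfg["BcServer"].rpartition(":")
        result["bc_host"] = host
        result["bc_port"] = int(port) if port.isdigit() else None
    if "BcTimeout" in cfg:
        t = cfg["BcTimeout"]
        result["bc_timeout"] = int(t) if t.isdigit() else None
    return result

def appended_ini_text(sample):
    """The attached configuration as text, from the line of the first key to the end of the file,
    decoded as cp1251 (assumed encoding of the Russian comments)."""
    m = KEY_RE.search(sample)
    if not m:
        return None
    start = sample.rfind(b"\n", 0, m.start()) + 1
    return sample[start:].decode("cp1251", errors="replace")

def group_by_c2(samples):
    """samples: {name: bytes}. Groups names by back-connect server, so one recovered
    address points at every sample configured for it; samples without config land under None."""
    groups = {}
    for name, data in samples.items():
        c2 = extract_c2(data)
        key = (c2.get("bc_host"), c2.get("bc_port")) if c2 else None
        groups.setdefault(key, []).append(name)
    return {k: sorted(v) for k, v in groups.items()}

def _stub():
    """Constructed PE-like stub (not a real binary); it carries the bare key names the
    DLL would use for parsing, to show they are not mistaken for configuration."""
    return (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
            + b"BcServer\x00BcTimeout\x00" + bytes(range(256)) * 2)

def constructed_samples():
    """Constructed samples: two sharing one back-connect server, one with another, one clean.
    Addresses are documentation ranges, not real C&C servers."""
    ini_ru = ("; Файл инициализации для VNCDLL.\r\n"
              "; Адрес бэкконект сервера\r\n"
              "BcServer = 192.0.2.10:443\r\n"
              "; Время, через которое повторять подключение (секунд)\r\n"
              "BcTimeout = 60\r\n").encode("cp1251")
    ini_other = b"BcServer = 198.51.100.7:8443\r\nBcTimeout = 120\r\n"
    return {"rcapp_a.dll": _stub() + ini_ru,
            "rcapp_b.dll": _stub() + b"\x00" * 100 + ini_ru,
            "rcapp_c.dll": _stub() + ini_other,
            "clean.dll": _stub()}

if __name__ == "__main__":
    for c2, names in group_by_c2(constructed_samples()).items():
        print(c2, names)
```

The grouping is the repository-side half of the slide's point: once one sample yields a live server, every other sample carrying the same BcServer is a candidate for the same campaign, and every new sample of the family yields a new candidate server to check.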

61 Related sample in original form

62 Mapping an APT by domains: sample info from TeamSpy

63 Questions? THANK YOU FOR YOUR ATTENTION! Dr. Bencsáth Boldizsár, assistant professor, BME Department of Telecommunications (Híradástechnikai Tanszék)


More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Software Fingerprinting for Automated Malicious Code Analysis

Software Fingerprinting for Automated Malicious Code Analysis Software Fingerprinting for Automated Malicious Code Analysis Philippe Charland Mission Critical Cyber Security Section October 25, 2012 Terms of Release: This document is approved for release to Defence

More information

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make

More information

Technical Trends in Recent Targeted Attacks

Technical Trends in Recent Targeted Attacks Technical Trends in Recent Targeted Attacks Gábor Pék (CrySyS) Budapest University of Technology and Economics joint work with Boldizsár Bencsáth, Levente Buttyán, and Márk Félegyházi HOW DID I GET HERE?

More information

Detecting the One Percent: Advanced Targeted Malware Detection

Detecting the One Percent: Advanced Targeted Malware Detection Detecting the One Percent: Advanced Targeted Malware Detection Tomer Teller Check Point Software Technologies Session ID: SP02-T19 Session Classification: Intermediate Antivirus 20 th+ Anniversary The

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

Storm Worm & Botnet Analysis

Storm Worm & Botnet Analysis Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses email and various phishing

More information

The Hillstone and Trend Micro Joint Solution

The Hillstone and Trend Micro Joint Solution The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry

More information

Hide and seek - how targeted attacks hide behind clean applications Szappanos Gábor

Hide and seek - how targeted attacks hide behind clean applications Szappanos Gábor Hide and seek - how targeted attacks hide behind clean applications Szappanos Gábor Principal Malware Researcher 1 Honourable mentions: 2010. Stuxnet digitally signed drivers: stolen certificate June 2012.

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

Beyond the Hype: Advanced Persistent Threats

Beyond the Hype: Advanced Persistent Threats Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,

More information

A perspective to incident response or another set of recommendations for malware authors

A perspective to incident response or another set of recommendations for malware authors A perspective to incident response or another set of recommendations for malware authors Alexandre Dulaunoy - TLP:WHITE alexandre.dulaunoy@circl.lu June 7, 2013 CIRCL, national CERT of Luxembourg CIRCL

More information

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform

More information

Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic

Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic The Leader in Cloud Security RESEARCH REPORT Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic ABSTRACT Zscaler is a cloud-computing,

More information

Deep Discovery. Technical details

Deep Discovery. Technical details Deep Discovery Technical details Deep Discovery Technologies DETECT Entry point Lateral Movement Exfiltration 360 Approach Network Monitoring Content Inspection Document Emulation Payload Download Behavior

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

Security Intelligence Services. www.kaspersky.com

Security Intelligence Services. www.kaspersky.com Kaspersky Security Intelligence Services. Threat Intelligence Services www.kaspersky.com THREAT INTELLIGENCE SERVICES Tracking, analyzing, interpreting and mitigating constantly evolving IT security threats

More information

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security Researcher @memfors4all #RSAC

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security Researcher @memfors4all #RSAC SESSION ID: ANF-T09 Detecting Unknown Malware: Security Analytics & Memory Forensics Fahad Ehsan Cyber Security Researcher @memfors4all Where it all Started ------------------------------------------------------------------------------------------

More information

Security. 2014 Yokogawa Users Group Conference & Exhibition Copyright Yokogawa Electric Corporation Sept. 9-11, 2014 Houston, TX - 1 -

Security. 2014 Yokogawa Users Group Conference & Exhibition Copyright Yokogawa Electric Corporation Sept. 9-11, 2014 Houston, TX - 1 - Security - 1 - OPC UA - Security Security Access control Wide adoption of OPC SCADA & DCS Embedded devices Performance Internet Scalability MES Firewalls ERP Communication between distributed systems OPC

More information

How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014 david@strom.com

How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014 david@strom.com How Lastline Has Better Breach Detection Capabilities By David Strom December 2014 david@strom.com The Internet is a nasty place, and getting nastier. Current breach detection products using traditional

More information

5 Steps to Advanced Threat Protection

5 Steps to Advanced Threat Protection 5 Steps to Advanced Threat Protection Agenda Endpoint Protection Gap Profile of Advanced Threats Consensus Audit Guidelines 5 Steps to Advanced Threat Protection Resources 20 Years of Chasing Malicious

More information

Reverse Engineering and Computer Security

Reverse Engineering and Computer Security Reverse Engineering and Computer Security Alexander Sotirov alex@sotirov.net Introduction Security researcher at Determina, working on our LiveShield product Responsible for vulnerability analysis and

More information

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

This report is a detailed analysis of the dropper and the payload of the HIMAN malware. PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

RSA Incident Response: Threat Detection Techniques - Point of Sale Attacks

RSA Incident Response: Threat Detection Techniques - Point of Sale Attacks RSA Incident Response incident response RSA Incident Response: Threat Detection Techniques - Point of Sale Attacks RSA Security January 2014 RSA Threat Detection Techniques - - Point of Sale Attacks Table

More information

INTERNET ATTACKS AGAINST NUCLEAR POWER PLANTS

INTERNET ATTACKS AGAINST NUCLEAR POWER PLANTS INTERNET ATTACKS AGAINST NUCLEAR POWER PLANTS Kleissner & Associates IAEA, 1-5 June 2015, Vienna/Austria International Conference on Computer Security in a Nuclear World Programmer and security researcher

More information

Secure Your Mobile Workplace

Secure Your Mobile Workplace Secure Your Mobile Workplace Sunny Leung Senior System Engineer Symantec 3th Dec, 2013 1 Agenda 1. The Threats 2. The Protection 3. Q&A 2 The Mobile Workplaces The Threats 4 Targeted Attacks up 42% in

More information

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer

More information

Can We Become Resilient to Cyber Attacks?

Can We Become Resilient to Cyber Attacks? Can We Become Resilient to Cyber Attacks? Nick Coleman, Global Head Cyber Security Intelligence Services December 2014 Can we become resilient National Security, Economic Espionage Nation-state actors,

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources

More information

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians? From Georgia, with Love Win32/Georbot Is someone trying to spy on Georgians? At the beginning of the year, a curious piece of malware came to our attention. An analyst in our virus laboratory noticed that

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook

More information

Memory Forensics & Security Analytics: Detecting Unknown Malware

Memory Forensics & Security Analytics: Detecting Unknown Malware Memory Forensics & Security Analytics: Detecting Unknown Malware SESSION ID: SEC-T09 Fahad Ehsan Associate Director Security Research and Analytics UBS AG Where it all started. ------------------------------------------------------------------------------------------

More information

Post-Stuxnet Industrial Security: Zero-Day Discovery and Risk Containment of Industrial Malware

Post-Stuxnet Industrial Security: Zero-Day Discovery and Risk Containment of Industrial Malware Post-Stuxnet Industrial Security: Zero-Day Discovery and Risk Containment of Industrial Malware A White Paper presented by: Torsten Rössel Director of Business Development Innominate Security Technologies

More information

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to

More information

Alert (TA14-212A) Backoff Point-of-Sale Malware

Alert (TA14-212A) Backoff Point-of-Sale Malware Alert (TA14-212A) Backoff Point-of-Sale Malware Original release date: July 31, 2014 Systems Affected Point-of-Sale Systems Overview This advisory was prepared in collaboration with the National Cybersecurity

More information

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan Fahad Ehsan Cyber Security Researcher Where it all started. ------------------------------------------------------------------------------------------ Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt)

More information

Evolving Threat Landscape

Evolving Threat Landscape Evolving Threat Landscape Briefing Overview Changing Threat Landscape Profile of the Attack Bit9 Solution Architecture Demonstartion Questions Growing Risks of Advanced Threats APT is on the rise 71% increase

More information

The Epic Turla Operation: Information on Command and Control Server infrastructure

The Epic Turla Operation: Information on Command and Control Server infrastructure The Epic Turla Operation: Information on Command and Control Server infrastructure v1.00 (August 7, 2014) Short Report by Laboratory of Cryptography and System Security (CrySyS Lab) http://www.crysys.hu/

More information

Fighting Advanced Persistent Threats (APT) with Open Source Tools

Fighting Advanced Persistent Threats (APT) with Open Source Tools Fighting Advanced Persistent Threats (APT) with Open Source Tools What is APT? The US Air Force invented the term in 2006 APT refers to advanced techniques used to gain access to an intelligence objective

More information

Next Generation IPS and Reputation Services

Next Generation IPS and Reputation Services Next Generation IPS and Reputation Services Richard Stiennon Chief Research Analyst IT-Harvest 2011 IT-Harvest 1 IPS and Reputation Services REPUTATION IS REQUIRED FOR EFFECTIVE IPS Reputation has become

More information

1. General function and functionality of the malware

1. General function and functionality of the malware 1. General function and functionality of the malware The malware executes in a command shell, it begins by checking to see if the executing file contains the MZP file extension, and then continues to access

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government

More information

Fighting Advanced Persistent Threats (APT) with Open Source Tools

Fighting Advanced Persistent Threats (APT) with Open Source Tools Fighting Advanced Persistent Threats (APT) with Open Source Tools What is APT? The US Air Force invented the term in 2006 APT refers to advanced techniques used to gain access to an intelligence objective

More information

Integrating MSS, SEP and NGFW to catch targeted APTs

Integrating MSS, SEP and NGFW to catch targeted APTs #SymVisionEmea #SymVisionEmea Integrating MSS, SEP and NGFW to catch targeted APTs Tom Davison Information Security Practice Manager, UK&I Antonio Forzieri EMEA Solution Lead, Cyber Security 2 Information

More information

Acano solution. Security Considerations. August 2015 76-1026-01-E

Acano solution. Security Considerations. August 2015 76-1026-01-E Acano solution Security Considerations August 2015 76-1026-01-E Contents Contents 1 Introduction... 3 2 Acano Secure Development Lifecycle... 3 3 Acano Security Points... 4 Acano solution: Security Consideration

More information

DNS Firewall Overview Speaker Name. Date

DNS Firewall Overview Speaker Name. Date DNS Firewall Overview Speaker Name 1 1 Date Reserved. Agenda DNS Security Challenges DNS Firewall Solution Customers Call to Action 2 2 Reserved. APTs: The New Threat Landscape Nation-state or organized-crime

More information

Current counter-measures and responses by CERTs

Current counter-measures and responses by CERTs Current counter-measures and responses by CERTs Jeong, Hyun Cheol hcjung@kisa.or.kr April. 2007 Contents I. Malware Trends in Korea II. Malware from compromised Web sites III. Case Study : Malware countermeasure

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

CopyKittens Attack Group

CopyKittens Attack Group CopyKittens Attack Group Version 1.0 23/11/2015 All Rights Reserved To Minerva Labs LTD and ClearSky Cyber Security, 2015 Contents Executive Summary... 3 The Group Attack Cycle... 4 Step One Spear Phishing...

More information

Malware Trend Report, Q2 2014 April May June

Malware Trend Report, Q2 2014 April May June Malware Trend Report, Q2 2014 April May June 5 August 2014 Copyright RedSocks B.V. 2014. All Rights Reserved. Table of Contents 1. Introduction... 3 2. Overview... 4 2.1. Collecting Malware... 5 2.2. Processing...

More information

Advanced Persistent Threats

Advanced Persistent Threats Emilio Tonelli Senior Sales Engineer South Europe WatchGuard Technologies, Inc. Advanced Persistent Threats the new security challenge Are you protected? Current Threat Landscape 2 Global Threat Landscape:

More information

The Benefits of SSL Content Inspection ABSTRACT

The Benefits of SSL Content Inspection ABSTRACT The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Analysis and Diversion of Duqu s Driver

Analysis and Diversion of Duqu s Driver Analysis and Diversion of Duqu s Driver Guillaume Bonfante, Jean-Yves Marion, Fabrice Sabatier, Aurélien Thierry To cite this version: Guillaume Bonfante, Jean-Yves Marion, Fabrice Sabatier, Aurélien Thierry.

More information

UNMASKCONTENT: THE CASE STUDY

UNMASKCONTENT: THE CASE STUDY DIGITONTO LLC. UNMASKCONTENT: THE CASE STUDY The mystery UnmaskContent.com v1.0 Contents I. CASE 1: Malware Alert... 2 a. Scenario... 2 b. Data Collection... 2 c. Data Aggregation... 3 d. Data Enumeration...

More information

Inside a killer IMBot. Wei Ming Khoo University of Cambridge 19 Nov 2010

Inside a killer IMBot. Wei Ming Khoo University of Cambridge 19 Nov 2010 Do you? or Inside a killer IMBot Wei Ming Khoo University of Cambridge 19 Nov 2010 Background Tracking a botnet propagating over Skype & Yahoo IM. Bait is Foto Exploits social connectivity (friend

More information

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon

More information

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation

More information

How Attackers are Targeting Your Mobile Devices. Wade Williamson

How Attackers are Targeting Your Mobile Devices. Wade Williamson How Attackers are Targeting Your Mobile Devices Wade Williamson Today s Agenda Brief overview of mobile computing today Understanding the risks Analysis of recently discovered malware Protections and best

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013 Security workshop Belnet Aris Adamantiadis Brussels 18 th April 2013 Agenda What is a botnet? Symptoms How does it work? Life cycle How to fight against botnets? Proactive and reactive NIDS 2 What is a

More information

Security Intelligence Services. Cybersecurity training. www.kaspersky.com

Security Intelligence Services. Cybersecurity training. www.kaspersky.com Kaspersky Security Intelligence Services. Cybersecurity training www.kaspersky.com CYBERSECURITY TRAINING Leverage Kaspersky Lab s cybersecurity knowledge, experience and intelligence through these innovative

More information

Hotpatching and the Rise of Third-Party Patches

Hotpatching and the Rise of Third-Party Patches Hotpatching and the Rise of Third-Party Patches Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches _ recent developments

More information

Spear Phishing Attacks Why They are Successful and How to Stop Them

Spear Phishing Attacks Why They are Successful and How to Stop Them White Paper Spear Phishing Attacks Why They are Successful and How to Stop Them Combating the Attack of Choice for Cybercriminals White Paper Contents Executive Summary 3 Introduction: The Rise of Spear

More information

WildFire Overview. WildFire Administrator s Guide 1. Copyright 2007-2015 Palo Alto Networks

WildFire Overview. WildFire Administrator s Guide 1. Copyright 2007-2015 Palo Alto Networks WildFire Overview WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform Next Generation Network Security Youssef AGHARMINE, Network Security, McAfee Network is THE Security Battleground Who is behind the data breaches? 81% some form of hacking

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

Computer Security DD2395

Computer Security DD2395 Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 7 Malicious Software DD2395 Sonja Buchegger 1 Course Admin Lab 2: - prepare

More information

Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures

Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures Eric J. Eifert Vice President, Cyber Defense Division ManTech s Mission, Cyber, & Technology Solutions Presentation Overview

More information

Executable Integrity Verification

Executable Integrity Verification Executable Integrity Verification Abstract Background Determining if a given executable has been trojaned is a tedious task. It is beyond the capabilities of the average end user and even many network

More information

Persistence Mechanisms as Indicators of Compromise

Persistence Mechanisms as Indicators of Compromise Persistence Persistence Mechanisms as Indicators of Compromise An automated technology for identifying cyber attacks designed to survive indefinitely the reboot process on PCs White Paper Date: October

More information

The Peak of Chaos Shane D. Shook, PhD 10/31/2012

The Peak of Chaos Shane D. Shook, PhD 10/31/2012 w h a c k e r n a v k n d n h m y a w h o? n r h p e n c n o s a n w s o v y i d u n n n r n m s r k d e a i k o w i r c d i o m u t w e t w s u t s i v i t c a Shane D. Shook, PhD 10/31/2012 Cyber Crime

More information

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two

More information

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

LASTLINE WHITEPAPER. In-Depth Analysis of Malware LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information