Randy Lee FireEye Labs. Understanding Modern Malware.

Transcription:

Randy Lee FireEye Labs Understanding Modern Malware.

History of Malware

1971: Creeper Virus, an experimental self-replicating worm
1974: Rabbit, the fork bomb
1975: Pervading Animal, the first Trojan
1981: Elk Cloner, storage vulnerability
1986: Brain, boot sector virus
1988: Morris Worm, buffer overrun
1990: Chameleon, polymorphic virus
1991-1999: Michelangelo, Leandro & Kelly, OneHalf, Concept, Ply, CIH, Happy99, Melissa, ExploreZip, Kak Worm
2000-2013: ILOVEYOU, Anna Kournikova, Sadmind Worm, Sircam, Code Red, Code Red II, Nimda, Klez, Simile Virus, Beast, Mylife, Optix Pro, SQL Slammer, Graybird, ProRat, Blaster, Welchia, Sobig, Sober, Agobot, Bolgimo, Bagle, L10n, MyDoom, Netsky, Witty, Sasser, Cabir, Torpig, Koobface, W32.Dozer, Stuxnet, Kenzero. The list goes on.

APT: The New Threat Landscape

Chart: damage of attacks (from disruption, through cybercrime, to cyber-espionage) against time, 2005 to 2013. Successive generations of threat: worms and viruses; spyware and bots; dynamic Trojans and stealth bots; zero-day targeted attacks and advanced persistent threats.

Characteristics of the new threat landscape: cyber-espionage and cybercrime; coordinated, persistent threat actors; dynamic, polymorphic malware; multi-vector attacks; multi-staged attacks.

Cyber Attacks

Chart: percent of deployments (0% to 100%) against incidents per week at normalized bandwidth of 1 Gbps (10 to 100,000, log scale). 98.5% of deployments see at least 10 incidents*/week/Gbps; 20% of deployments have thousands of incidents*/week; the average is about 221 incidents*/week.

Source: FireEye Advanced Threat Report, March 2013. * Incidents include inbound and outbound activity.

Old Model Everywhere: The New Breed of Attacks Evade Signature-Based Defenses

Signature-based layers: IPS, anti-spam gateways, firewalls/NGFWs, secure web gateways, desktop AV.

Multiple Stages of a Next Generation Attack

1. Exploitation of system (from the exploit server)
2. Malware executable download
3. Command and control established
4. Data exfiltration
5. Malware spreads laterally (File Share 1, File Share 2)

Diagram shows the NGFW and IPS in the path. Exploit detection is critical: all subsequent stages can be hidden or obfuscated.

What is an exploit?

A compromised web page carries an exploit object; the exploit object can be in ANY web page. An exploit is NOT the same as the malware executable file!

1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code

Structure of a multi-flow APT attack (built up over several slides)

1. Exploit server: the embedded exploit alters the endpoint.
2. Server: encrypted malware downloads.
3. Command and control server: encrypted malware downloads and data exfiltration.

Multi-Flow Structure of APT Attacks (Aurora, Beebus, CFR, etc.)

1. Exploit in compromised web page
2. Exploit injects code in web browser
3. Exploit code downloads encrypted malware (not SSL!)
4. Exploit code decrypts malware
5. Target endpoint connects to C&C server

Multi-Vector Structure

Weaponized email attachment with zero-day exploit: email with weaponized document (2011 Recruitment Plan.xls), opened by the user, causing exploit. Backdoor DLL dropped. Client endpoint calls back to the infection server; encrypted callback over HTTP to the command and control server.

Multi-Vector Analysis of RSA Attack

1. Email/web with weaponized malware (SMTP; weaponized email 2011 Recruitment Plan.xls)
2. User opens attachment, causing exploit
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to C&C server

A multi-vectored attack.

Multi-Vector Analysis of Operation Beebus Attack

Targets: defense industry, UAV/UAS manufacturers, aerospace industry.

1. Email/web with weaponized malware (SMTP / HTTP)
2. Backdoor DLL dropped on user opening email
3. Encrypted callback over HTTP to C&C

Binaries observed: update.exe, install_flash_player.tmp2, install_flash_player.ex, rundll32.exe. Callback C&C server: worldnews.alldownloads.ftpserver.biz.

Weaponized lure documents: RHT_SalaryGuide_2012.pdf, Conflict-Minerals-Overview-for-KPMG.doc, dodd-frank-conflict-minerals.doc, Boeing_Current_Market_Outlook_ pdf, Understand your blood test report.pdf, sensor environments.doc, FY2013_Budget_Request.doc, Dept of Defense FY12 Boeing.pdf, April is the Cruelest Month.pdf, National Human Rights China.pdf, Security Predictions 2013.pdf, сообщить.doc, Global_A&D_outlook_2012.pdf, plus two lures marked UKNOWN.

Timeline of attack (multiple vectors, multiple campaigns): Apr 2011, Sept 2011, Dec 2011, Feb 2012, Mar 2012, Apr 2012, May 2012, Jul 2012, Aug 2012, Sept 2012, Nov 2012, Jan 2013.
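A detector for the multi-flow pattern described on this slide and on the multi-flow slides above (an exploit pulls an encrypted payload over plain HTTP rather than SSL, then the endpoint starts calling back to a command and control host), written as an added example for this page and not taken from the talk or from any FireEye product. The proxy-log schema, hostnames, entropy threshold and beacon count are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed bodies: flat byte histogram (entropy 8.0, like an encrypted payload) vs ordinary HTML.
OPAQUE = bytes(range(256)) * 16
HTML = b"<html><body><h1>Daily news</h1><p>Nothing to see here.</p></body></html>" * 20

def rec(ts, client, url, ctype, body):
    """Hypothetical proxy-log record: seconds, client IP, URL, response Content-Type, body."""
    return {"ts": ts, "client": client, "url": url, "ctype": ctype, "body": body}

# Constructed log: page view, a GIF (high-entropy but expected), an opaque blob served as text/html
# over plain HTTP, then three callbacks to one host a minute apart.
LOG = [
    rec(0, "10.0.0.5", "http://news.example.test/index.html", "text/html", HTML),
    rec(2, "10.0.0.5", "http://news.example.test/banner.gif", "image/gif", OPAQUE),
    rec(5, "10.0.0.5", "http://cdn.example.test/update.bin", "text/html", OPAQUE),
] + [rec(t, "10.0.0.5", "http://c2.example.test/ping", "text/plain", b"ok") for t in (65, 125, 185)]

# Content types that are compressed by design and therefore high-entropy even when benign.
COMPRESSED = ("image/", "video/", "audio/", "application/zip", "application/gzip")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 means all 256 byte values are equally likely (encrypted or random)."""
    if not data:
        return 0.0
    n, counts = len(data), Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_opaque_http_download(r: dict, threshold: float = 7.5) -> bool:
    """Plain-HTTP (not SSL) response whose body is near-random but whose declared type should not be."""
    if not r["url"].startswith("http://") or r["ctype"].startswith(COMPRESSED):
        return False
    return shannon_entropy(r["body"]) >= threshold

def find_multiflow_chains(records, window_s: int = 600, min_beacons: int = 3) -> list:
    """Per client, pair each opaque download with a host contacted repeatedly soon afterwards."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r)
    chains = []
    for client, recs in by_client.items():
        for i, dl in enumerate(recs):
            if not is_opaque_http_download(dl):
                continue
            later = Counter(urlparse(r["url"]).netloc for r in recs[i + 1:] if r["ts"] - dl["ts"] <= window_s)
            for host, n in later.items():
                if n >= min_beacons:
                    chains.append({"client": client, "download": dl["url"], "c2_host": host, "beacons": n})
    return chains
```

Running `find_multiflow_chains(LOG)` on the constructed log yields one chain: the opaque update.bin download followed by three callbacks to c2.example.test; the GIF is ignored because its type is expected to be compressed.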

Security. Re-imagined. Questions?