Demystifying a Malware Attack - ROOTCON 10 (rootcon 10/talks/rootcon...)

Post on 01-Mar-2021


Demystifying a Malware Attack

Christopher Elisan

Principal Malware Scientist RSA

About Me
•  Principal Malware Scientist / Sr. Manager MIT
•  Past Adventures
  – Damballa
  – F-Secure
  – Trend Micro
•  @Tophs

Author of (2012, 2015)

Co-Author of (2016)

Agenda
•  The Attack
•  Behind the Scenes
•  Lessons Learned

The Attack

We Are All Under Attack

OPPORTUNISTIC vs. TARGETED

Opportunistic Attack

Targeted Attack

Regardless of the attack type, the threat infrastructure and the people behind it are similar.

Behind the Scenes

© Christopher Elisan - Malware, Rootkits & Botnets: A Beginner's Guide (McGraw-Hill Professional)

Attack Infrastructure

Malware Installer and components:
•  Malware Installer: installs the malware components; checks for updates before installation
•  Malware Components (MC): Rootkit Component, Attack Component, Regeneration Component, Configuration File, Bot Agent

Deployment Technology: deploys the Malware Installer

Threat infrastructure:
•  Malware Serving Domains (MSD): the installer checks for updates before installation; MC checks for updates, and updates are downloaded from the MSD
•  Command & Control Domain: MC sends status, C&C sends commands
•  Drop Zones: MC drops stolen information
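The "MC sends status / C&C sends commands" exchange, and the update checks against the malware serving domains, look the same from the defender's side: small, near-identical requests from one host to one destination at a fixed period. The following is an added example (not code from the talk or from the author's book) of a beacon detector run over constructed proxy log lines; the hostnames, IPs, log format and thresholds are assumptions chosen for illustration.

```python
"""Beacon detection over constructed proxy log lines.

Added example (not part of the talk). Periodic check-ins to a C&C or
malware serving domain show up as request interarrival times with very
low variance. Flag (source, destination) pairs whose gaps are regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, one request per line: "<iso-timestamp> <src> <dst_host> <bytes>"
# (hostnames and addresses are made up for this example).
LOG = """\
2016-09-22T10:00:00 10.1.1.7 update.example-cdn.net 4213
2016-09-22T10:00:00 10.1.1.7 cnc-beacon.example 312
2016-09-22T10:00:02 10.1.1.7 www.example.org 18231
2016-09-22T10:05:01 10.1.1.7 cnc-beacon.example 308
2016-09-22T10:10:00 10.1.1.7 cnc-beacon.example 315
2016-09-22T10:12:37 10.1.1.7 www.example.org 9310
2016-09-22T10:15:01 10.1.1.7 cnc-beacon.example 311
2016-09-22T10:20:00 10.1.1.7 cnc-beacon.example 309
2016-09-22T10:22:44 10.1.1.7 www.example.org 24100
2016-09-22T10:25:00 10.1.1.7 cnc-beacon.example 313
2016-09-22T10:41:18 10.1.1.7 www.example.org 7750
2016-09-22T10:55:03 10.1.1.7 www.example.org 15000
"""


def parse(log: str):
    """Group (timestamp, bytes) events by (src, dst)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation) for a list of timestamps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    # A zero mean (all events at the same instant) is not a beacon; report infinite CV.
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(log: str, min_events: int = 5, max_cv: float = 0.1):
    """Return {(src, dst): summary} for pairs whose request timing is regular enough.

    min_events avoids scoring pairs with too few gaps; max_cv is the relative
    jitter tolerated (assumed threshold; jittered beacons need a larger value).
    """
    hits = {}
    for (src, dst), evs in parse(log).items():
        if len(evs) < min_events:
            continue
        period, cv = beacon_score([t for t, _ in evs])
        if cv <= max_cv:
            hits[(src, dst)] = {
                "period_s": round(period),
                "cv": round(cv, 3),
                "events": len(evs),
                "avg_bytes": round(mean(b for _, b in evs)),
            }
    return hits


if __name__ == "__main__":
    for pair, summary in find_beacons(LOG).items():
        print(pair, summary)
```

Only the 5-minute check-in to `cnc-beacon.example` is flagged; the browsing to `www.example.org` has enough events but irregular gaps, and the single update fetch has too few. In practice the same logic is run per day over proxy or NetFlow data, with `max_cv` raised when the malware adds jitter to its sleep interval.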

The Attackers

Sponsor
•  Government
•  Commercial Organization
•  Non-commercial Organization
•  Activist Groups
•  Individual
•  Terrorist Organization

Money Mules
•  Unsuspecting Public
•  Work from home

Crime Boss
•  Runs the show
•  Individual or organization
•  Middleman between sponsor and TPs
•  Can be a sponsor

Malware Writers
•  Original malware creator(s)
•  Offer malware "off-the-rack" or custom built
•  May offer DIY construction kits
•  Money-back guarantee if detected
•  24x7 support

Deployment Provider
•  Specialized distribution network
•  Attracts and infects victims
•  Global & targeted content delivery
•  Delivery through Spam/drive-by/USB/etc.
•  Offers 24x7 support

Botnet Operator
•  Operates a section of the botnet for direct financial gain
•  Issues commands to the bot agents
•  May be the Botnet Master

Botnet Master
•  Individual or criminal team that owns the botnet
•  Maintains and controls the botnet
•  Holds admin credentials for CnC

Resilience Provider (MSP)
•  Provides CnC resilience services
•  Anti-takedown network construction
•  Bullet-proof domain hosting
•  Fast-flux DNS services
•  Offers 24x7 Support
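The fast-flux DNS service the resilience provider sells hides the real C&C behind a rotating pool of compromised hosts: the C&C domain answers with short TTLs and many A records spread across unrelated networks. The following is an added example (not code from the talk) of a fast-flux heuristic run over constructed passive-DNS records; the domain names, the record format, the prefix-to-ASN table (a stand-in for a real BGP lookup) and the thresholds are assumptions for illustration.

```python
"""Fast-flux heuristic over constructed passive-DNS records.

Added example (not part of the talk). A CDN also uses low TTLs and many
addresses, so TTL and address count alone are not enough; the number of
distinct networks (ASNs) the addresses fall in is the discriminator.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a BGP/ASN lookup: RFC 5737 documentation prefixes
# mapped to RFC 5398 documentation ASNs. A real deployment queries a BGP feed.
ASN_OF = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
    ipaddress.ip_network("203.0.113.0/24"): 64498,
}


def asn_for(ip: str):
    """Return the ASN for an address, or None if it is outside the table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_OF.items():
        if addr in net:
            return asn
    return None


# Constructed passive-DNS records, one per line: "<domain> <ttl> <A record>"
# (domains are made up; flux-cnc.example plays the fast-flux C&C domain,
# cdn.example a legitimate CDN, corp.example a static host).
PDNS = """\
flux-cnc.example 60 192.0.2.15
flux-cnc.example 60 198.51.100.77
flux-cnc.example 60 203.0.113.9
flux-cnc.example 60 192.0.2.200
flux-cnc.example 60 198.51.100.3
flux-cnc.example 60 203.0.113.120
cdn.example 60 198.51.100.10
cdn.example 60 198.51.100.11
cdn.example 60 198.51.100.12
cdn.example 60 198.51.100.13
cdn.example 60 198.51.100.14
corp.example 86400 203.0.113.50
"""


def summarize(pdns: str):
    """Per domain: lowest TTL seen, distinct A records, distinct ASNs (None counts once)."""
    ips = defaultdict(set)
    ttl = {}
    for line in pdns.splitlines():
        domain, t, ip = line.split()
        ips[domain].add(ip)
        ttl[domain] = min(ttl.get(domain, int(t)), int(t))
    return {
        d: {"ttl": ttl[d], "ips": len(ips[d]), "asns": len({asn_for(i) for i in ips[d]})}
        for d in ips
    }


def flux_candidates(pdns: str, max_ttl: int = 300, min_ips: int = 5, min_asns: int = 3):
    """Domains with a short TTL, many addresses and those addresses spread over many ASNs.

    The thresholds are assumed starting points; tune them against known CDNs.
    """
    return {
        d: s
        for d, s in summarize(pdns).items()
        if s["ttl"] <= max_ttl and s["ips"] >= min_ips and s["asns"] >= min_asns
    }


if __name__ == "__main__":
    for domain, summary in flux_candidates(PDNS).items():
        print(domain, summary)
```

`cdn.example` has the same TTL and as many addresses as the flux domain but they all sit in one network, so it is not flagged; `corp.example` fails every test. Dropping `min_asns` to 1 shows why the ASN spread matters: the CDN is then reported too.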

Malware Tools
•  DiY Kits
•  Armoring Tools

DiY Kits

Armoring Tools

The Malware Factory

Lessons Learned

The Whole Picture
•  To fully understand the threat, we need to look at the following…
  – Target (roles, systems)
  – Infrastructure
  – Different roles required to support the infrastructure

Sometimes it is hard, so we collaborate
•  Technical
  – Research
  – Scientific approach
  – Knowledge sharing
•  Legal
  – Work with LEOs
  – Share evidence with appropriate entities

* Images are copied from the Internet and are owned by their respective authors

Thank You!!!
