malware in the wild: evolving to evade detection
Post on 19-Jul-2015
TRANSCRIPT
Malware in the Wild: Evolving to Evade Detection
Engin Kirda, Co-Founder and Chief Architect
engin@lastline.com
3/17/2015
Copyright ©2015 Lastline, Inc. All rights reserved.
Engin Kirda, Ph.D.
• Professor at Northeastern University, Boston
– started malware research in about 2004
– Helped build and release popular malware analysis and detection systems (Anubis, Wepawet, …)
• Co-founder of Lastline, Inc.
– Lastline offers protection against zero-day threats and advanced malware
– Commercialization of many years of advanced research
Key Takeaways
• Traditional malware detection tech now ineffective
• Security automation and stealthy analysis critical to protection
• Security professionals in high-demand
– Need to attract, train and retain talented people
You Will Learn
• How has malware evolved in the last decade?
• How have security technologies changed to address the threat?
• What are some key characteristics of advanced malware behaviors?
• Can we stop this threat? Is this a lost war?
Cyberattack (R)Evolution
[Chart: $$ damage over time, rising from hundreds through thousands, hundreds of thousands and millions to billions, across three eras: cybervandalism, cybercrime, and cyber-espionage and cyber-war.]
The Nature of the Threat Has Changed
• Intruders are more prepared and organized
• Attack attribution on the Internet is incredibly difficult
• Intruder tools are increasingly sophisticated yet easy to use
A Little Bit of History…
• End of the 80s, viruses came out
– First form of malware
– Often destructive, but no financial incentive
• In the 90s, worms became popular
– Often destructive, but no financial incentive
A Little Bit of History…
• As of 2000, financial incentives became increasingly dominant
– Phishing, pharming, banking Trojans, key-loggers…
• As of 2010, targeted attacks gaining more attention in media
– Attacks against companies like Google, RSA
– Espionage as a major incentive
Excerpts from 2014
• Dairy Queen International
– Backoff, more than 300 stores, credit card info stolen
• J.P. Morgan Chase
– Customer information for millions of customers compromised
• Home Depot
– Credit card info stolen for more than 50 million customers
• UPS
– Backoff, 60 stores compromised
• Target
– Millions of credit card records stolen
Traditional Malware Detection
• Imagine you are identifying people based on their looks
– Are they wearing a hat?
– What color is their hair?
– How tall are they?
– What is their eye color?
– How old are they?
– Do we have their fingerprint?
Walter White
Example: Chernobyl (CIH) Virus
5B 00 00 00 00    pop ebx
8D 4B 42          lea ecx, [ebx + 42h]
51                push ecx
50                push eax
50                push eax
0F 01 4C 24 FE    sidt [esp - 02h]
5B                pop ebx
83 C3 1C          add ebx, 1Ch
FA                cli
8B 2B             mov ebp, [ebx]
SIGNATURE: 5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B
The Problem of Evasion
• What if the criminal is wearing a black hat and sun glasses as a disguise?
• What if the criminal is also able to change his fingerprints on the fly, after every crime?
• We’d be in a lot of trouble at airports. Unfortunately, we have this situation happening in the cyber-world right now
Heisenberg
Disguising: Chernobyl (CIH) Virus
(the inserted nop, inc eax and dec eax change the bytes but not what the code does)
5B 00 00 00 00    pop ebx
8D 4B 42          lea ecx, [ebx + 42h]
51                push ecx
50                push eax
90                nop
50                push eax
40                inc eax
0F 01 4C 24 FE    sidt [esp - 02h]
48                dec eax
5B                pop ebx
83 C3 1C          add ebx, 1Ch
FA                cli
8B 2B             mov ebp, [ebx]
DIFFERENT SIGNATURE: 5B 00 00 00 00 8D 4B 42 51 50 90 50 40 0F 01 4C 24 FE 48 5B 83 C3 1C FA 8B 2B
Malware Uses Disguise
• It does the same thing, but it looks different each time
• Detecting malware just based on its “looks” does not work anymore
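To make the two CIH listings above concrete, here is an added example (my code, not from the slides or from Lastline) that matches the clean fragment with an exact byte signature and then with a junk-tolerant signature that walks the fragment one instruction at a time and allows the single-byte fillers the disguised variant inserts (nop, inc eax, dec eax) between instructions. The byte strings are the ones on the slides; the instruction boundaries follow the slide's grouping as given (note that the listing pairs five bytes with pop ebx, whose opcode is the single byte 5B). The third sample, with a two-byte filler, is constructed here to show where the junk-tolerant match stops working.

```c
/* Added example: exact vs. junk-tolerant signature matching on the CIH
 * fragment from the slides. Sample bytes are taken from the slides except
 * cih_mov_filler, which is constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Clean CIH fragment, bytes as listed on the slide. */
static const unsigned char cih_clean[] = {
    0x5B,0x00,0x00,0x00,0x00, 0x8D,0x4B,0x42, 0x51, 0x50, 0x50,
    0x0F,0x01,0x4C,0x24,0xFE, 0x5B, 0x83,0xC3,0x1C, 0xFA, 0x8B,0x2B };

/* Length of each instruction in cih_clean, in order (pop, lea, push, push,
 * push, sidt, pop, add, cli, mov), so the signature can be walked per insn. */
static const size_t cih_insn_len[] = { 5, 3, 1, 1, 1, 5, 1, 3, 1, 2 };
#define CIH_NINSN (sizeof cih_insn_len / sizeof cih_insn_len[0])

/* Disguised variant from the slide: 90 (nop), 40 (inc eax), 48 (dec eax). */
static const unsigned char cih_disguised[] = {
    0x5B,0x00,0x00,0x00,0x00, 0x8D,0x4B,0x42, 0x51, 0x50, 0x90, 0x50, 0x40,
    0x0F,0x01,0x4C,0x24,0xFE, 0x48, 0x5B, 0x83,0xC3,0x1C, 0xFA, 0x8B,0x2B };

/* Constructed variant: a two-byte filler (89 C0 = mov eax, eax) after
 * push ecx. Same behaviour, but outside the junk set known to is_junk(). */
static const unsigned char cih_mov_filler[] = {
    0x5B,0x00,0x00,0x00,0x00, 0x8D,0x4B,0x42, 0x51, 0x89,0xC0, 0x50, 0x50,
    0x0F,0x01,0x4C,0x24,0xFE, 0x5B, 0x83,0xC3,0x1C, 0xFA, 0x8B,0x2B };

/* Classic AV check: does the exact byte string sig occur anywhere in buf? */
static bool match_exact(const unsigned char *buf, size_t len,
                        const unsigned char *sig, size_t siglen)
{
    if (siglen == 0 || siglen > len) return false;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return true;
    return false;
}

/* Single-byte instructions that change nothing this fragment depends on. */
static bool is_junk(unsigned char b)
{
    return b == 0x90 || b == 0x40 || b == 0x48;   /* nop, inc eax, dec eax */
}

/* Junk-tolerant check: walk the signature one instruction at a time and
 * allow any run of junk bytes between two instructions (a wildcard
 * signature). It cannot see fillers outside is_junk(), substituted
 * equivalent instructions, or reordered code. */
static bool match_skip_junk(const unsigned char *buf, size_t len,
                            const unsigned char *sig, const size_t *insn_len,
                            size_t ninsn)
{
    for (size_t start = 0; start < len; start++) {
        size_t pos = start, soff = 0;
        bool ok = true;
        for (size_t k = 0; k < ninsn && ok; k++) {
            if (k > 0)
                while (pos < len && is_junk(buf[pos])) pos++;
            if (pos + insn_len[k] > len ||
                memcmp(buf + pos, sig + soff, insn_len[k]) != 0)
                ok = false;
            pos += insn_len[k];
            soff += insn_len[k];
        }
        if (ok) return true;
    }
    return false;
}

int main(void)
{
    const struct { const char *name; const unsigned char *b; size_t n; } s[] = {
        { "clean",      cih_clean,      sizeof cih_clean },
        { "disguised",  cih_disguised,  sizeof cih_disguised },
        { "mov-filler", cih_mov_filler, sizeof cih_mov_filler },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-10s exact=%d skip-junk=%d\n", s[i].name,
               match_exact(s[i].b, s[i].n, cih_clean, sizeof cih_clean),
               match_skip_junk(s[i].b, s[i].n, cih_clean, cih_insn_len, CIH_NINSN));
    return 0;
}
```

The exact signature misses the disguised sample, as the slides say; the junk-tolerant one recovers it, but only because the filler set was known in advance. A filler it has not seen (the mov-filler sample), an equivalent instruction substituted for an original one, or a reordered block defeats it again, which is why the talk moves from looks to behavior.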
Malware is Now a Problem of Scale…
• The number of new malware samples out there has been increasing exponentially
• It might be the same malware sample you are dealing with, but it looks different to the naked eye…
Lastline Labs: AV Can’t Keep Up
Antivirus systems take months to catch up to highly evasive threats.
Current State of Affairs
• Anti-virus systems are not enough
– Malware modifies itself to evade detection
• Manual analysis of threats requires an enormous amount of resources
– Cannot scale; reaction time is on the order of days or weeks
• We need to be leading in the arms race
Key Idea
• Why not just run or open the suspicious file and see how it behaves?
• This approach is generally known as sandboxing
• The sandbox typically uses a virtualized, instrumented environment
• The system logs the behaviors of the file
Sandbox-Based Detection Is Popular
• There are many security products now
– Sandboxing is often a component that is used for unknown files
• These sandboxes often vary in quality
– A sandbox can be very simple, or can be more sophisticated based on its design
Evasion of Behavior-Based Detection
• Bad guys are not stupid
• They have received the news that behavior-based detection is what everyone’s using now
• Just like signature-based detection systems were evaded in the past, behavioral evasion tricks have emerged
One of The First Tricks That Emerged: Red Pill (Remember The Matrix?)
• A Virtual Machine (VM) is often used to run the code during analysis and detection
• The red pill test allows you to find out if you’re running in a VM: it reads the interrupt descriptor table register with the unprivileged SIDT instruction, and early hypervisors relocated that table, betraying their presence
• There are many ways of launching evasions like that
Some Dynamic Evasion Tricks
• Checking for specific artifacts in the virtualized OS
• Checks on CPU features that indicate a VM
• Looking for running processes and imitating them
• Waiting for someone to click on something
• Delaying the execution until the analysis system gives up
An Emerging Trick: Stalling Loops
• Simple piece of code that takes milliseconds to execute on your laptop, but hours to run in a virtualized, instrumented detection system, which gives up before the real payload ever runs
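As an added example (my code, not from the slides or from Lastline), here are the checks named on the last three slides, written the way an evasive sample performs them on x86/x86-64 with GCC or Clang: the CPUID hypervisor bit and vendor leaf, the SIDT red pill, a DMI vendor-string artifact check, and a stalling loop with its measured cost. The vendor strings, the iteration count and the CPU-time clock are assumptions chosen for illustration; real samples usually read a wall clock such as GetTickCount instead.

```c
/* Added example: sandbox-evasion checks from the slides, as a sample would
 * run them. Builds on x86/x86-64 with GCC/Clang; on other CPUs the CPUID and
 * SIDT checks report "unavailable" instead of a verdict. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* 1. CPU feature check: CPUID leaf 1, ECX bit 31 is the hypervisor-present
 *    bit (reserved on bare metal, set by mainstream hypervisors).
 *    Returns 1 if set, 0 if clear, -1 when CPUID is not available. */
static int hypervisor_present(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return -1;
    return (int)((c >> 31) & 1);
#else
    return -1;
#endif
}

/* 2. Hypervisor vendor: leaf 0x40000000 returns a 12-byte ID in EBX:ECX:EDX
 *    ("VMwareVMware", "KVMKVMKVM", "Microsoft Hv", "VBoxVBoxVBox", ...).
 *    Fills out[13]; returns 1 on success, 0 if no hypervisor bit is set. */
static int hypervisor_vendor(char out[13])
{
    out[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (hypervisor_present() != 1) return 0;
    __cpuid(0x40000000, a, b, c, d);
    memcpy(out, &b, 4);
    memcpy(out + 4, &c, 4);
    memcpy(out + 8, &d, 4);
    out[12] = '\0';
    return 1;
#else
    return 0;
#endif
}

/* 3. Red pill (Rutkowska, 2004): SIDT is unprivileged and stores the IDT
 *    register. Early hypervisors relocated the guest IDT, so the top byte of
 *    the base gave them away (the original test flagged a byte above 0xD0 on
 *    32-bit Windows). Caveat: Linux on CPUs with UMIP traps SIDT and returns
 *    a dummy base, and hardware-assisted VMs keep the guest's own IDT, so
 *    treat this as a historical check. */
struct __attribute__((packed)) idtr { uint16_t limit; uintptr_t base; };

static unsigned char red_pill_idt_top_byte(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct idtr r = { 0, 0 };
    __asm__ __volatile__("sidt %0" : "=m"(r));
    return (unsigned char)(r.base >> (8 * sizeof r.base - 8));
#else
    return 0;
#endif
}

/* 4. OS artifact check: DMI/SMBIOS vendor strings (Linux exposes them under
 *    /sys/class/dmi/id/sys_vendor) name the hypervisor unless the sandbox
 *    rewrites them. Vendor list is an illustrative assumption. */
static int dmi_vendor_is_vm(const char *vendor)
{
    static const char *const vm_vendors[] = {
        "VMware", "innotek GmbH" /* VirtualBox */, "QEMU", "Xen", "Parallels" };
    for (size_t i = 0; i < sizeof vm_vendors / sizeof vm_vendors[0]; i++)
        if (strstr(vendor, vm_vendors[i])) return 1;
    return 0;
}

/* 5. Stalling loop: a body costing a few cycles, run tens of millions of
 *    times. Natively that is milliseconds; an analysis system instrumenting
 *    every instruction needs hours and gives up first. acc is volatile and
 *    returned so the compiler cannot delete the loop. */
static unsigned long stall_loop(unsigned long iters)
{
    volatile unsigned long acc = 0;
    for (unsigned long i = 0; i < iters; i++)
        acc += i ^ (acc >> 3);
    return acc;
}

/* Processor time spent in the stall, in milliseconds. A sample compares this
 * with what it expects natively and treats a large slowdown as "watched". */
static double stall_ms(unsigned long iters, unsigned long *result)
{
    clock_t t0 = clock();
    *result = stall_loop(iters);
    return (double)(clock() - t0) * 1e3 / CLOCKS_PER_SEC;
}

int main(void)
{
    char vendor[13];
    unsigned long acc;
    printf("CPUID hypervisor bit : %d\n", hypervisor_present());
    if (hypervisor_vendor(vendor)) printf("hypervisor vendor    : %s\n", vendor);
    printf("IDT base top byte    : 0x%02x\n", red_pill_idt_top_byte());
    printf("DMI 'innotek GmbH'   : vm=%d\n", dmi_vendor_is_vm("innotek GmbH"));
    double ms = stall_ms(50000000UL, &acc);
    printf("stall 50M iterations : %.1f ms (acc=%lu)\n", ms, acc);
    return 0;
}
```

Each check is also a to-do item for the sandbox side: the CPUID bit and vendor leaf can be masked by the hypervisor, the DMI strings can be rewritten, SIDT is already emulated by Linux on UMIP-capable CPUs, and a stalling loop is caught by noticing a long stretch with no system-level activity and fast-forwarding past it, which is the kind of stealthy analysis the talk argues for.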
Key Characteristics of Malware Today
• The majority of the malware is “noise”: 50%-80%
• A smaller portion is nasty: 15%-20%
• An even smaller portion is very nasty: 1%-5%
You’ve Probably Read This:Recent Payment Breaches
• The last year has seen a dramatic escalation in the number of breached Point of Sale (PoS) systems
• Many of these PoS payloads, like Backoff, evaded installed defenses and alarms
• In a few cases an early alarm was received, but it was ignored since it was indistinguishable from the background noise
What is Backoff?
• Malware used in numerous breaches in the last year
• Secret Service estimated 1,000+ U.S. businesses affected
• Targeted to Point of Sale (PoS) systems
• Evades analysis
How are the attackers deploying it?
• Scan for Internet facing Remote Desktop applications
• Brute force login credentials
• Often successfully find administrative credentials
• Use admin credentials to deploy Backoff to remote PoS systems
Carbanak Malware
• Bank robbing, raked in as much as $1 billion
– Banks infiltrated, ATMs taken over
– Balances adjusted and funds transferred remotely
• Most Carbanak samples exhibit stealthy behavior (90%)
– 17% display evasive behavior (detecting the sandbox)
– Samples are environmentally aware
– A stealthy sandbox is needed that can detect evasions
In Recent Research…
• We looked at a Non-Governmental Organization (NGO)
– Representing the Uyghur minority in China
– Many suspicious emails were being sent
– Many targeted hacking attempts
• Key finding
– The attacks were surprisingly simple
– Malware not very sophisticated
– No unknown vulnerabilities used
The Reality is That the Threat Will Continue to Exist
• The right question should be: How can we keep this threat under check and limit damage?
• Similar to protecting your home
– Locks can be broken
– But you can use a good lock, build in alarm systems, and lock away your valuables
Technology plays a crucial role, but…
• Integration is very important
– Whatever solutions we deploy must be easy to integrate and interoperate with existing systems
• Proposed solutions need to be scalable
– Organizations typically have thousands of users and multiple nodes that need protection
Correlation is the key
• There is no silver bullet in security!
• You need to correlate information coming from different sources
– Network nodes, domain names used, connections opened…
• There is a large attack surface…
Thinking Like the Attacker
• It is not a question of if, but only when you’ll be breached
• Getting breached is not the end of the world if…
1. … you can detect the breach quickly
2. … understand how you were breached
3. … can share this breach knowledge automatically with other components and business units
It’s Not Only a Technology Problem
• Security systems sometimes fail because people fail
– Education is a key component of any security solution
• We need to educate students, train employees
– Student hacking contests are a great example
Student Hacking Competitions
• Help educate and train students
– Hacking contests where the aim is defense and offense
– They’re fun! ;) And useful
– 6 years ago, some companies were against them… now they’re organizing their own ;)
New Research: Kernel-Level Detection
• Operating system kernel is the blind-spot for detection
– Kernel-level malware is typically invisible to sandboxes
• At least one malware component often executes in kernel-space
– I’m happy to announce novel techniques to automate the analysis of such malware today
– http://www.lastline.com/labs
Key Takeaways
• Traditional malware detection tech now ineffective
• Security automation and stealthy analysis critical to protection
• Security professionals in high-demand
– Need to attract, train and retain talented people
THANK YOU! For more information visit www.lastline.com
or contact us at info@lastline.com.