Demystifying a Malware Attack
ROOTCON 10 talk transcript
Christopher Elisan, Principal Malware Scientist, RSA
About Me
• Principal Malware Scientist / Sr. Manager, MIT
• Past Adventures
– Damballa
– F-Secure
– Trend Micro
• @Tophs
Author of (book covers, 2012 and 2015)
Co-Author of (book cover, 2016)
Agenda
• The Attack
• Behind the Scenes
• Lessons Learned
The Attack
We Are All Under Attack
OPPORTUNISTIC TARGETED
Opportunistic Attack
Targeted Attack
Regardless of the attack, the threat infrastructure and the people behind them are similar
Behind the Scenes
Figure: malware attack infrastructure (© Christopher Elisan, Malware, Rootkits & Botnets: A Beginner's Guide, McGraw-Hill Professional)
Malware Components
– Malware Installer
– Rootkit Component
– Attack Component
– Regeneration Component
– Configuration File
– Bot Agent
Deployment Technology
– Deploys the Malware Installer
Malware Installer
– Installs malware components
– Checks for updates before installation
Malware Serving Domains (MSD)
– MC checks for updates / MSD downloads updates
Command & Control Domain
– MC sends status / C&C sends commands
Drop Zones
– Drops stolen information
Attack Infrastructure
Sponsor
• Government
• Commercial Organization
• Non-commercial Organization
• Activist Groups
• Individual
• Terrorist Organization
Money Mules
• Unsuspecting Public
• Work from home
Crime Boss
• Runs the show
• Individual or organization
• Middleman between sponsor and TPs
• Can be a sponsor
Malware Writers
• Original malware creator(s)
• Offer malware "off-the-rack" or custom built
• May offer DIY construction kits
• Money-back guarantee if detected
• 24x7 support
Deployment Provider
• Specialized distribution network
• Attracts and infects victims
• Global & targeted content delivery
• Delivery through Spam / drive-by / USB / etc.
• Offers 24x7 support
Botnet Operator
• Operates a section of the botnet for direct financial gain
• Issues commands to the bot agents
• May be the Botnet Master
Botnet Master
• Individual or criminal team that owns the botnet
• Maintains and controls the botnet
• Holds admin credentials for CnC
Resilience Provider (MSP)
• Provides CnC resilience services
• Anti-takedown network construction
• Bullet-proof domain hosting
• Fast-flux DNS services
• Offers 24x7 Support
The Attackers
Malware Tools
• DiY Kits
• Armoring Tools
DiY Kits
Armoring Tools
The Malware Factory
Lessons Learned
The Whole Picture
• To fully understand the threat, we need to look at the following…
– Target (Roles, systems)
– Infrastructure
– Different roles required to support the infrastructure
Sometimes it is hard, so we collaborate
• Technical
– Research
– Scientific approach
– Knowledge Sharing
• Legal
– Work with LEOs
– Share evidence to appropriate entities
*Images are copied from the Internet and are owned by their respective authors
Thank You!!!