Upload File

demystifying a malware attack - rootcon 10/talks/rootcon... · – damballa – f-secure – trend...

  • Home
  • Documents
  • Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack
26
Demystifying a Malware Attack Christopher Elisan Principal Malware Scientist RSA

Upload: others

Post on 01-Mar-2021

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Demystifying a Malware AttackChristopher Elisan

Principal Malware Scientist RSA

Page 2: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

About Me•  Principal Malware

Scientist / Sr. Manager MIT•  Past Adventures– Damballa– F-Secure– Trend Micro

•  @Tophs

Page 3: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Author of

20152012

Page 4: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Co-Author of

2016

Page 5: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Agenda•  The Attack•  Behind the Scenes•  Lessons Learned

Page 6: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

The Attack

Page 7: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

We Are All Under Attack

OPPORTUNISTIC TARGETED

Page 8: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Opportunistic Attack

Page 9: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Opportunistic Attack

Page 10: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Opportunistic Attack

Page 11: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Targeted Attack

Page 12: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Regardless of the attack, the threat infrastructure and the people behind them

are similar

Page 13: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Behind the Scenes

Page 14: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

©ChristopherElisan-Malware,Rootkits&Botnets:ABeginner’sGuide(McGraw-HillProfessional) ChristopherC.Elisan

MalwareInstaller

RootkitComponent

A4ackComponent

Regenera7onComponent

Configura7onFile BotAgent

DeploymentTechnology

InstallsMalwareComponents

DeploystheMalwareInstaller

MalwareServingDomains

Command&ControlDomain

DropZone

DropZones

Checksforupdatesbeforeinstalla7on

MalwareComponents

Dropsstoleninforma7on MCsendsstatus/C&Csendscommands

MCchecksforupdates/MSDdownloadsupdates

Attack Infrastructure

Page 15: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Sponsor•  Government•  CommercialOrganiza7on•  Non-commercialOrganiza7on•  Ac7vistGroups•  Individual•  TerroristOrganiza7on

MoneyMules•  Unsuspec7ngPublic•  Workfromhome

CrimeBoss•  Runstheshow•  Individualororganiza7on•  Middlemanbetweensponsor

andTPs•  Canbeasponsor

MalwareWriters•  Originalmalwarecreator(s)•  Offermalware“off-the-rack”

orcustombuilt•  MayofferDIYconstruc7onkits•  Money-backguaranteeifdetected•  24x7support

DeploymentProvider•  Specializeddistribu7onnetwork•  A4ractsandinfectsvic7ms•  Global&targetedcontentdelivery•  DeliverythroughSpam/drive-by/USB/etc.•  Offers24x7support

BotnetOperator•  Operatesasec7onofthebotnet

fordirectfinancialgain•  Issuescommandstothebotagents•  MaybetheBotnetMaster

BotnetMaster•  Individualorcriminalteamthat

ownsthebotnet•  Maintainsandcontrolsthebotnet•  Holdsadmincreden7alsforCnC

ResilienceProvider(MSP)•  ProvidesCnCresilienceservices•  An7-takedownnetworkconstruc7on•  Bullet-proofdomainhos7ng•  Fast-fluxDNSservices•  Offers24x7Support

The Attackers

Page 16: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Malware Tools•  DiY Kits•  Armoring Tools

Page 17: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

DiY Kits

Page 18: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

DiY Kits

ChristopherC.Elisan

Page 19: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

ChristopherC.Elisan

Armoring Tools

Page 20: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Armoring Tools

ChristopherC.Elisan

Page 21: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

The Malware Factory

Page 22: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

The Malware Factory

Page 23: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Lessons Learned

Page 24: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

The Whole Picture•  To fully understand the

threat, we need to look at the following…– Target (Roles, systems)–  Infrastructure– Different roles required

to support the infrastructure

Page 25: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

Sometimes it is hard, so we collaborate

•  Technical– Research– Scientific approach– Knowledge Sharing

•  Legal– Work with LEOs– Share evidence to

appropriate entities

Page 26: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack

*ImagesarecopiedfromtheInternetandareownedbytheirrespec:veauthors

Thank You!!!


Attack Nysius (wheat bug) · Herbicide only Herbicide1 Attack + Herbicide + 2 Attack Herbicide + 3 Attack Leaves Bulbs Total Dry Matter Yields (kg/ha) Application Apply Attack in

Identifying critical attack assets in dependency …xou/publications/drdc08.pdf · Identifying critical attack assets in ... Identifying critical attack assets in dependency attack

Damballa automated breach defense june 2014

Supply Chain Attack Framework and Attack Patterns

Popular Protocol attack Smurf Attack Introduction: … Protocol attack!Smurf Attack!SYN attack!UDP Attack, ICMP Attack!CGI request attack!Authentication server attack!Attack using

Side-Channel Attack: timing attack Hiroki Morimoto

AV is Dead! - ROOTCON 10/Talks/ROOTCON 10 - Is AV D… · winresume.exe Load kernel and other drivers MBR Master Boot Record Loads the VBR VBR Volume Boot Record Loads the Bootmgr

Popular Protocol attack Smurf Attack Introduction: …jeffay/courses/nidsS05/slides/5-Protocol-Attacks.pdf · Popular Protocol attack!Smurf Attack!SYN attack!UDP Attack, ... Features

Understanding the Attack Surface and Attack Resilience … · Understanding the Attack Surface and Attack Resilience of ... (internals, audit, fuzzing, ... Understanding the Attack

Introduction Google Hacking Techniques - media.rootcon.org 1/Talks/ROOTCON 2 - Google... · Google Hacking Techniques How to Protect your Websites •First step in attacking websites

Deloitte’s 2014 Technology Fast 500 Ranking · Technology Fast 500™ 2014 Ranking 2 ... 170 Damballa Software 617% Atlanta GA David Scholtz ... Deloitte’s 2014 Technology Fast

Burp Suite Introduction - ROOTCON 12/Trainings... · Burp Suite Introduction Bugcrowd University Jason Haddix - @jhaddix VP of Trust and Security @Bugcrowd Father, hacker, blogger,

Side-Channel Attack: timing attack

SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa, Inc @chazlever

Section 3.4: Buffer Overflow Attack: Attack Techniques 1

S5500-48T8SP DoS Attack Prevention Configuration | FS ... · Chapter 1 DoS Attack Prevention Configuration 1.1 DoS Attack Overview 1.1.1 Concept of DoS Attack The DoS attack is also

2017 School List - MBSSE...110501210Primary East Kailahun District Council 5 ROMAN CATHOLIC PRIMARY DAMBALLA DAMBALLA Mission 110501211Primary East Kailahun District Council 5 COMMUNITY

Diving To ReconNG (Read-Only) - ROOTCON® Media Server 7/Talks/ROOTCON 7... · 2017-03-25 · lookups, enumerating hostnames, enumerating subdomains,enumeratingcompanyemails,etc

OARC Update€¦ · • Damballa • DENIC • eNom • EP.net • F-root • Georgia Tech • Google • ICANN • II-F • Internet Perils • ISC • ISoc-IL • JPRS • Microsoft

RC11 Sponsorship Kit - ROOTCON 11/Docs/ROOTCON 11 Sponsors… · Universal Robina Corporation ... has a long history of digital threat and malware ... Major Sponsorship Add-ons Logo

Android Reversing - ROOTCON

Val Rahmani CEO Damballa Inc.. #SINET Connection The Internet is dynamic. The threats are agile. Neither are shrinking or slowing!

Penguin attack and counter attack

- ROOTCON 10/Trainings/ROOTCON 10...• Authentication is only as strong as your user management processes • Use the most appropriate form of authentication suitable for your asset

REMOTE CODE EXECUTION - ROOTCON 10/Talks/ROOTCON... · RCE – binary deserialization • Java contains a native serialization mechanism, that converts objects to binary data •

DAMBALLA Failsafe - Asgent, Inc....DAMBALLA Failsafe 究極のCSIRT支援ツール 巧妙化する脅威による不正アクセスや情報漏洩などの被害が後を絶ちません。ゲートウェイやエンドポイントで予防的セキュリ

Confronting the Threat - Disaster Recovery Journal · 2019-11-26 · xChemical Attack xBiological Attack xNuclear/Radiological Attack xAircraftAttackAircraft Attack. Taj Mahal Hotel

C3G Punisher - Heroscape€¦ · times. Roll 1 fewer attack die for each subsequent attack AUTO SHOTGUN SPECIAL ATTACK Range 4. Attack 3. Choose a figure to attack. Any figures adjacent

UNDERSTANDINGS ANDBOXES - ROOTCON 6/Talks/ROOTCON 6 - Understan… · s andboxes $ see+ $ $

Unconventional Privilege Escalation - ROOTCON › ROOTCON 2 › Talks › ROOTCON 2...nessus ROOTKITS JRMES ß4CK SHOV oo COWRGHr VI 999; CULT Coe, 10.0.0.1 MAC: modified ARP points:

Identifying Critical Attack Assets in Dependency Attack Graphsxou/publications/esorics08.pdf · Identifying Critical Attack Assets in Dependency Attack Graphs ... This paper introduces

An Introduction to Recommendation Systemsfiles.meetup.com/3924342/Recommendation Systems.pdfAn Introduction to Recommendation Systems Raj Bandyopadhyay Damballa Thursday, December

Basic Fire Attack Dallas Fire Rescue Explorers. Basic Fire Attack Overview of Fire Attack Overview of Fire Attack Rescue Activities Rescue Activities

bug hunting 101 - ROOTCON 11/Trainings...• Jay Turla a.k.a The Jetman • Application Security Engineer @Bugcrowd • Metasploit Contributor: Host Header Injection Detection, BisonWare

Characterizing Malicious Traffic on Cellular Networks...Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa, Inc @chazlever . #RSAC Mobile