![Page 1: Demystifying a Malware Attack - ROOTCON 10/Talks/ROOTCON... · – Damballa – F-Secure – Trend Micro • @Tophs. Author of 2012 2015. Co-Author of 2016. Agenda • The Attack](https://reader035.vdocument.in/reader035/viewer/2022070211/61000ca40a45bb43692a99ae/html5/thumbnails/1.jpg)
Demystifying a Malware Attack
Christopher Elisan
Principal Malware Scientist, RSA
About Me
• Principal Malware Scientist / Sr. Manager MIT
• Past Adventures
  – Damballa
  – F-Secure
  – Trend Micro
• @Tophs
Author of (books published 2012 and 2015)
Co-Author of (book published 2016)
Agenda
• The Attack
• Behind the Scenes
• Lessons Learned
The Attack
We Are All Under Attack
• Opportunistic
• Targeted
Opportunistic Attack
Targeted Attack
Regardless of the attack, the threat infrastructure and the people behind them are similar.
Behind the Scenes
Attack Infrastructure
(Diagram © Christopher C. Elisan: Malware, Rootkits & Botnets: A Beginner's Guide, McGraw-Hill Professional)
• Deployment Technology – deploys the Malware Installer
• Malware Installer – checks for updates before installation; installs the Malware Components
• Malware Components (MC) – Rootkit Component, Attack Component, Regeneration Component, Configuration File, Bot Agent
• Malware Serving Domains (MSD) – MC checks for updates / MSD downloads updates
• Command & Control Domain (C&C) – MC sends status / C&C sends commands
• Drop Zones – where stolen information is dropped
The Attackers
• Sponsor
  – Government
  – Commercial Organization
  – Non-commercial Organization
  – Activist Groups
  – Individual
  – Terrorist Organization
• Money Mules
  – Unsuspecting Public
  – Work from home
• Crime Boss
  – Runs the show
  – Individual or organization
  – Middleman between sponsor and TPs
  – Can be a sponsor
• Malware Writers
  – Original malware creator(s)
  – Offer malware "off-the-rack" or custom built
  – May offer DIY construction kits
  – Money-back guarantee if detected
  – 24x7 support
• Deployment Provider
  – Specialized distribution network
  – Attracts and infects victims
  – Global & targeted content delivery
  – Delivery through Spam/drive-by/USB/etc.
  – Offers 24x7 support
• Botnet Operator
  – Operates a section of the botnet for direct financial gain
  – Issues commands to the bot agents
  – May be the Botnet Master
• Botnet Master
  – Individual or criminal team that owns the botnet
  – Maintains and controls the botnet
  – Holds admin credentials for CnC
• Resilience Provider (MSP)
  – Provides CnC resilience services
  – Anti-takedown network construction
  – Bullet-proof domain hosting
  – Fast-flux DNS services
  – Offers 24x7 Support
Malware Tools
• DiY Kits
• Armoring Tools
DiY Kits
Armoring Tools
The Malware Factory
Lessons Learned
The Whole Picture
• To fully understand the threat, we need to look at the following…
  – Target (roles, systems)
  – Infrastructure
  – Different roles required to support the infrastructure
Sometimes it is hard, so we collaborate
• Technical
  – Research
  – Scientific approach
  – Knowledge Sharing
• Legal
  – Work with LEOs
  – Share evidence with appropriate entities
*Images are copied from the Internet and are owned by their respective authors
Thank You!!!