malware self protection-matrix
The Malware Self-Protection Matrix
Marion Marschalek, Senior Malware Researcher at Cyphort Labs
Your speakers today
o Marion Marschalek, Senior Malware Researcher, Cyphort Labs
o Shelendra Sharma, Product Marketing Director
Agenda
o Malware detection evolution
o Malware self-protection
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd-party threat data
HOW DO YOU FIND WHAT YOU CAN'T SEE?
http://1ms.net/
A Digital Threat History
http://www.hdbackgroundpoint.com
VIRUS
EXPLOIT
WORM
TROJAN
MULTI-COMPONENT MALWARE
ADWARE
ROOTKIT
SPYWARE
APT
TARGETED THREAT
SURVEILLANCE SOFTWARE
INSIDE THREAT
A THREAT DETECTION HISTORY
www.crane.com
Your signature update.
Checksums
Byte Patterns
Behavior Patterns
Static / Dynamic Heuristics
Whitelisting
Anomalies
Network Streams
Cloud Protection
2015
And many, many more!
THINGS HAVE CHANGED
Then: Virus, Detection, Signature, Product, Computer, Server
Now: Threat, Prevention, Definition, Solution, Endpoint, Cloud
Malware Self-Protection
Detection technique and the self-protection used against it:
o Debugging: debugger detection, sub-processes, thread injection
o Disassembly: obfuscation
o Static: packer and crypter
o Emulation: emulator detection, time-based evasion
o Sandboxing: VM detection, modular malware
o Reputation: binary updates, targeted malware
o Anomalies: binary padding, use of legitimate tools
Fortunately, most threats make mistakes themselves.
ZEUS: why can't detection work?
%APP%\Uwirpa 10.12.2013 23:50
%APP%\Woyxhi 10.12.2013 23:50
%APP%\Hibyo 19.12.2013 00:10
%APP%\Nezah 19.12.2013 00:10
%APP%\Afqag 19.12.2013 23:29
%APP%\Zasi 19.12.2013 23:29
%APP%\Eqzauf 20.12.2013 22:23
%APP%\Ubapo 20.12.2013 22:23
%APP%\Ydgowa 20.12.2013 22:23
%APP%\Olosu 20.12.2013 23:03
%APP%\Taal 20.12.2013 23:03
%APP%\Taosep 20.12.2013 23:03
%APP%\Wokyco 16.01.2014 13:22
%APP%\Semi 17.01.2014 16:34
%APP%\Uheh 17.01.2014 16:34
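The list above is the point of the slide: every ZEUS drop lands in %APP% under a name that has never been seen before, so a name- or path-based signature has nothing to match on the next infection. As an added example (not code from the talk), the following Python parses that slide's list, embedded here as constructed input text, and measures two things: how often a dropped name repeats (it never does), and how often the drop *pattern* repeats (several fresh items appearing in %APP% within the same minute), which is the kind of behavioural feature the following slides argue detection has to fall back on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the %APP% drop list from the ZEUS slide, transcribed
# one entry per line as "<path> <dd.mm.yyyy> <HH:MM>".
DROP_LOG = r"""
%APP%\Uwirpa 10.12.2013 23:50
%APP%\Woyxhi 10.12.2013 23:50
%APP%\Hibyo 19.12.2013 00:10
%APP%\Nezah 19.12.2013 00:10
%APP%\Afqag 19.12.2013 23:29
%APP%\Zasi 19.12.2013 23:29
%APP%\Eqzauf 20.12.2013 22:23
%APP%\Ubapo 20.12.2013 22:23
%APP%\Ydgowa 20.12.2013 22:23
%APP%\Olosu 20.12.2013 23:03
%APP%\Taal 20.12.2013 23:03
%APP%\Taosep 20.12.2013 23:03
%APP%\Wokyco 16.01.2014 13:22
%APP%\Semi 17.01.2014 16:34
%APP%\Uheh 17.01.2014 16:34
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{2}:\d{2})$"
)


def parse_drops(text):
    """Return a list of (timestamp, path, leaf_name) tuples, one per log line."""
    drops = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M")
        leaf = m["path"].rsplit("\\", 1)[-1]
        drops.append((ts, m["path"], leaf))
    return drops


def name_reuse(drops):
    """Return (total names, distinct names).

    A name-based signature can only fire again if total > distinct, i.e. if
    some name is reused across infections.
    """
    names = [leaf for _, _, leaf in drops]
    return len(names), len(set(names))


def burst_groups(drops, min_size=2):
    """Group drops by minute and keep the groups with at least min_size items.

    The names differ every time, but two or three fresh items appearing in
    %APP% within the same minute recurs across the whole list: that pattern,
    not the names, is the stable feature a behavioural detector can key on.
    """
    by_minute = defaultdict(list)
    for ts, _, leaf in drops:
        by_minute[ts].append(leaf)
    return {ts: leaves for ts, leaves in sorted(by_minute.items())
            if len(leaves) >= min_size}


if __name__ == "__main__":
    drops = parse_drops(DROP_LOG)
    total, distinct = name_reuse(drops)
    print(f"{total} drops, {distinct} distinct names: no reuse for a name signature")
    for ts, leaves in burst_groups(drops).items():
        print(ts.strftime("%d.%m.%Y %H:%M"), "burst of", len(leaves), leaves)
```

On the slide's data every one of the 15 names is distinct, while six of the seven drop minutes contain a burst of two or three new items, which is why the talk moves on to persistence mechanisms, combined static/dynamic features and the "big picture" rather than names.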
Sandbox Detection
Persistence Mechanisms
File Names
Network Connection
Big Picture Detection & Combination of Static/Dynamic Features
SILVER BULLET ...?
ARMOURING
http://hdwallpapersimage.com/
SAZOORA being picky
Code Obfuscation
Virtual Machine Code Execution
handler13:ExitProcHresult...
handler14:ExitProc...
handler15:ExitProcI2...
... FC C8 13 76 ...
Various packer layers – no static detection
Static detection won't work
Reputation & Metadata Features
SILVER BULLET ...?
EXPLOITATION
http://themovieandme.blogspot.com/
Endpoint protection built to detect repetitive patterns of evil.
Exploit = system corruption
Exploit vs. vulnerability
http://www.wikipedia.com/
TYPICAL DRIVE-BY INFECTION
o hxxp://www.insertyourwebsitehere.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js
o hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755
o hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC%B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&nrk=5992423910
o hxxp://g12z4pj3k4k9y4wd517-ll6.dienami.ru/f/1398361080/5/x007cf6b534e520804090407000700080150050f0304045106565601;1;5
o BOOM.
hxxp://www.insertyourwebsitehere.com/js/responsive/min/main-b87ba20746a80e1104da210172b634c4.min.js
TYPICAL DRIVE-BY INFECTION
hxxp://stat.litecsys.com/d2.php?ds=true&dr=2711950755
TYPICAL DRIVE-BY INFECTION
hxxp://vstat.feared.eu/pop2.php?acc=%7E%BE%CE%F5%01%8D%AC%B2%26%C6%DC%5B%E7n4%D0%16%A3L%99%03%BB%D8%08&nrk=5992423910
IE 6, 7, 8 or 9, 10, 11
TYPICAL DRIVE-BY INFECTION
hxxp://g12z4pj3k4k9y4wd517-ll6.dienami.ru/f/1398361080/5/x007cf6b534e520804090407000700080150050f0304045106565601;1;5
TYPICAL DRIVE-BY INFECTION
(There is none.)
Patching, patching and more patching
An exploit will seldom come alone!
SILVER BULLET ...?
VISIBILITY – KNOW HOW – ACTIONABILITY
LURE
EXPLOIT
INFECT
CALL HOME
STEAL DATA
Follow the kill chain
Q&A
Thank You!