Trend Micro Confidential 06/23/22 Threat Rules Sharing Advanced Threats Research


Page 1: Threat Rules Sharing

Advanced Threats Research
Trend Micro Confidential

Page 2: Classification - What threats do we cover?

Prevalent Threat Types:
• Downloaders
• BOTs
• Spyware / Grayware
• Backdoors
• Mass Mailers
• Phishing
• Exploits
• Hacking

Copyright 2007 - Trend Micro Inc.

Page 3: Classification - How detections are organized

Detection Threat Categories and Sub-Categories:
– Known Security Risks
  • Virus/Malware
    – VSAPI
    – Network Virus Patterns
  • Spyware/Grayware
    – VSAPI/SSAPI
– Potential Security Risks
  • Virus/Malware
  • Spyware/Grayware
  • Fraud
  • Other

Page 4: What characteristics are we looking for - Downloaders

• Packed / compressed executables
• Names of downloaded files belong to system files (svchost.exe, winlogon.exe, lsass.exe)
• File extension does not match the expected file type (JPG extension but the file is actually an EXE)

Page 5: What characteristics are we looking for - Spyware/Grayware

• Unique / unknown HTTP user-agents
• Names of downloaded files belong to trademarked/copyrighted spyware applications (Gain, Media Motor, Hotbar, SpySheriff)
• Unexpected type of traffic (SMTP relay traffic, DNS MX queries appearing on workstations)

Page 6: What characteristics are we looking for - Backdoors

• Rogue services (unauthorized SMTP and HTTP servers)
• Opened ports
• Loopback command shells (DOS shell visible in the network traffic)
• Non-standard service ports (HTTP traffic on a non-HTTP port)

Page 7: What characteristics are we looking for - Mass mailers

• Attachments with long filenames (space padded)
• File extensions do not match the expected file type
• File inside an archive attachment has a double extension
• Packed files

Page 8: What characteristics are we looking for - Bots

• IRC traffic (policy violations)
• Protocol mismatches (IRC traffic on port 8080, the HTTP proxy port)
• Non-standard service ports (HTTP traffic on non-HTTP ports)
• File transfers to blacklisted domains

Page 9: What characteristics are we looking for - Hacking

• Password guessing
• Exploit attempts
• DNS poisoning
• Network flooding

Page 10: Mitigable Threat Rules

Policy ID  Category                       Mitigation Condition
1          Known external attacks         Internal computer downloading Malware/Spyware via HTTP protocol
2          Known external attacks         Internal computer downloading Malware via FTP protocol
3          Known internal detections      Internal computer propagating Malware via SMB (network share) protocol
4          Known internal detections      Internal computer propagating Malware via SMTP protocol
5          Known internal detections      Internal computer propagating Malware via IM protocols
6          Known internal detections      Internal computer attacking the network with network viruses
7          Potential external attacks     Internal computer downloading potential threats via HTTP protocol
8          Potential internal detections  Internal computer propagating via SMB (network share) protocol
9          Potential internal detections  Internal computer propagating potential threats via SMTP protocol
10         Potential internal detections  Internal computer attacking the network with potential network viruses/exploits
11         -                              Internal computer infected by BOT
12         -                              Internal computer compromised by Exploit or infected by Backdoor
13         -                              Internal computer infected by potential Downloader

Page 11: Policy 7 - Internal computer downloading potential threats via HTTP protocol

Rule 23 - Downloaded file matches malware-used filenames
Rule 66 - HTTP download found file type mismatch & file content is EXE

Page 12: Scenario (Policy 7)

[Diagram: Malicious Website on the Internet; Corporate Network]
Rule 23 - Downloaded file matches malware-used filenames
Rule 66 - HTTP download found file type mismatch & file content is EXE
Malware named on the slide: TROJ_DLOADER, TROJ_AGENT, WORM_STRAT

Page 13: Policy 8 - Internal computer propagating via SMB (network share) protocol

Rule 8 - Packed executable file dropped on a network share

Page 14: Scenario (Policy 8)

[Diagram: Corporate Network; Admin$ and C$ shares]
Rule 8 - Packed executable file dropped on a network share
Malware named on the slide: WORM_AGOBOT, PE_LOOKED

Page 15: Policy 9 - Internal computer propagating potential threats via SMTP protocol

Rule 9 - Suspicious archive file found & file type mismatched & file content is EXE
Rule 12 - Suspicious archive file found & filename found with suspicious double-extensions
Rule 13 - Suspicious archive file found & filename found with suspicious long filename
Rule 55 - Suspicious filename found & filename found with suspicious long filename & file content is EXE
Rule 72 - Email contains a suspicious link to a possible Phishing site
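As an added illustration (not code from the deck or from Trend Micro's rule engine), the filename and content heuristics behind the characteristics on pages 4 and 7 and the Policy 9 rules above (the double-extension, long-filename and "content is EXE" checks, plus the Rule 23 filename match) can be expressed as follows; the extension lists, the length threshold and the fake_pe() stub are assumptions constructed for the example.

```python
import re
from typing import List

# Constructed example lists: the deck names only these examples, a real
# rule set carries far larger ones.
SYSTEM_FILENAMES = {"svchost.exe", "winlogon.exe", "lsass.exe"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf", ".htm", ".html"}
LONG_NAME_LEN = 60  # hypothetical threshold; the slides give no number

def is_pe_content(data: bytes) -> bool:
    """'file content is EXE': an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"

def check_file(filename: str, content: bytes) -> List[str]:
    """Apply the filename/content heuristics to one downloaded or attached file."""
    findings = []
    name = filename.lower()
    parts = name.split(".")
    ext = "." + parts[-1].strip() if len(parts) > 1 else ""
    inner = "." + parts[-2].strip() if len(parts) > 2 else ""
    if name.strip() in SYSTEM_FILENAMES:
        findings.append("Rule 23: filename matches a system-file name used by malware")
    if ext in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        findings.append("Rule 12: suspicious double extension")
    if len(name) > LONG_NAME_LEN or re.search(r" {8,}", name):
        findings.append("Rule 13: suspicious long (space-padded) filename")
    if is_pe_content(content) and ext not in EXECUTABLE_EXTS:
        findings.append("Rule 66: extension does not match content (content is EXE)")
    return findings

def fake_pe() -> bytes:
    """Constructed PE-shaped stub for testing; not a real executable."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 16

if __name__ == "__main__":
    samples = [("holiday.jpg", fake_pe()), ("svchost.exe", fake_pe()),
               ("photo.jpg.exe", fake_pe()), ("report.pdf", b"%PDF-1.4\n")]
    for fname, blob in samples:
        print(repr(fname), "->", check_file(fname, blob) or ["clean"])
```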

Page 16: Scenario (Policy 9)

[Diagram: Internal Mail Server on the Corporate Network; External Mail Server on the Internet]
Malware named on the slide: WORM_NETSKY, WORM_MYTOB, WORM_AGOBOT

Page 17: Policy 10 - Internal computer attacking the network with potential network viruses/exploits

Rule 67 - Cross-Site Scripting (XSS) found
Rule 68 - Oracle HTTP Exploit found

Page 18: Scenario (Policy 10)

[Diagram: Corporate Network; Exploit, Command Shell, HACKER TOOLS]

Page 19: Policy 11 - Internal computer infected by BOT

Rule 7 - IRC BOT commands found
Rule 26 - IRC session established with a known bad C&C

Page 20: Scenario (Policy 11)

[Diagram: IRC Server on the Internet; Corporate Network]
Rule 7 - IRC BOT commands found
Rule 26 - IRC session established with a known bad C&C
Malware named on the slide: WORM_IRCBOT.EN

Page 21: Policy 12 - Internal computer compromised by Exploit or infected by Backdoor

Rule 17 - Suspicious Remote Command Shell found
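An added example, not from the deck: a content-based protocol classifier that flags the IRC and port/protocol mismatch characteristics from pages 6 and 8 together with the Rule 7 (IRC commands) and Rule 17 (remote command shell) conditions of Policies 11 and 12. The port table, the fingerprint regexes and the sample flows are constructed assumptions, not Trend Micro signatures.

```python
import re
from typing import List

# Constructed port expectations; a real sensor carries a fuller table.
STANDARD_PORTS = {"irc": {6667, 6697}, "http": {80, 443, 8080, 8000}}
# Protocol fingerprints matched against the first bytes of a TCP stream.
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG) ", re.M)
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r?$", re.M)
# A Windows command prompt echoed over the wire ("DOS shell visible in the
# network traffic", the characteristic behind Rule 17).
CMD_PROMPT = re.compile(rb"Microsoft Windows \[Version|\r\n[A-Z]:\\[^\r\n]*>")

def classify(payload: bytes) -> str:
    """Identify the application protocol by content, not by port number."""
    if IRC_CMD.search(payload):
        return "irc"
    if HTTP_REQ.search(payload):
        return "http"
    if CMD_PROMPT.search(payload):
        return "cmdshell"
    return "unknown"

def inspect_flow(src: str, dst: str, dst_port: int, payload: bytes) -> List[str]:
    """Return rule-style findings for one client -> server flow."""
    proto = classify(payload)
    findings = []
    if proto == "irc":
        findings.append(f"Rule 7 (IRC commands found): {src} -> {dst}:{dst_port}")
        if dst_port not in STANDARD_PORTS["irc"]:
            findings.append(f"Protocol mismatch: IRC traffic on port {dst_port}")
    elif proto == "http" and dst_port not in STANDARD_PORTS["http"]:
        findings.append(f"Non-standard service port: HTTP traffic on port {dst_port}")
    elif proto == "cmdshell":
        findings.append(f"Rule 17 (remote command shell): served by {dst}:{dst_port}")
    return findings

# Constructed sample flows (documentation-range addresses, not real hosts).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 8080, b"NICK b0t1234\r\nUSER x x x :x\r\nJOIN #c\r\n"),
    ("10.0.0.5", "203.0.113.8", 4444, b"GET /update.exe HTTP/1.1\r\nHost: h\r\n\r\n"),
    ("10.0.0.9", "10.0.0.5", 4444, b"Microsoft Windows [Version 5.1.2600]\r\n\r\nC:\\WINDOWS>"),
    ("10.0.0.5", "203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: h\r\n\r\n"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(inspect_flow(*flow) or ["no finding"])
```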

Page 22: Scenario (Policy 12)

[Diagram: Corporate Network; Exploit, Command Shell]
Malware named on the slide: WORM_MSBLAST, WORM_SASSER

Page 23: Policy 13 - Internal computer infected by potential Downloader

Rule 88 - HTTP requests attempted to download known Malware-used filenames

Page 24: Scenario (Policy 13)

[Diagram: Malicious Website on the Internet; Corporate Network]
Rule 88 - HTTP requests attempted to download known Malware-used filenames
Malware named on the slide: TROJ_DLOADER, TROJ_AGENT

Page 25: Thank You