Dynamic Detection of Malicious Activity
Amanda Rousseau, Malware Researcher
WHOAMI?
• Computer Forensics
• IR & Intrusion Forensics
• Malware Research
Game Theory: Attackers and defenders watch and adapt to the opponents' behavior to improve their strategies in response to the other's behavior.
[Diagram: Technology, Defender and Attacker overlap; the overlap is the defender's advantage.]
Malicious Behaviors
This level of sophistication requires a proactive, multi-layer detection and mitigation approach.
• Polymorphism: Evade pattern matching detection
• Stealth: Hiding execution traces
• Code Obfuscation: Prevents detection and takes longer to analyze
• Persistence: Ability to respawn
• Evasion: Environmental awareness reaction
Attack Flow: Perimeter Reconnaissance → Infiltration → Entrenchment → Internal Reconnaissance → Exfiltration → Purge
Rapid Evolution
Malware Timeline: 2013
Attacker:
• Email attachment downloads the payload instead, which runs in memory
• Browser exploit, bypassing the email payload
Example: Trojan.APT.BaneChant, Trojan.APT.9002
Defender:
• Static analysis on web browser memory
• Tighter analysis on opened browser sessions
Malware Timeline: 2014
Attacker:
• Socially engineered email with HTML links to compromised sites
• The malicious website contains a number of exploits
• Effective on Windows/Linux/OSX
Example: The Mask (Careto)
Defender:
• Static analysis on open pages
• Beginning of cross-platform detection for Windows/Linux/OSX
Malware Timeline: 2015
Attacker:
• More email campaigns that use watering holes
• Utilizing public services for payload downloads
Example: CozyDuke, CloudDuke
Defender:
• Improve analysis of 3rd party services
• Strengthen cross-platform detection
Why is Anti-Virus so obsolete?
Polymorphism: Evade pattern matching detection
[Figure: two Upatre Downloader variants, Sample A and Sample B, visualized as byte maps with http://binvis.io/#/]
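An added illustration, not from the talk, of why a byte signature lifted from one polymorphic variant fails on the next while the per-region entropy profile that a byte-map visualizer like binvis shows stays the same. The two variants (stub, body and per-variant keystream) are constructed here and stand in for the two Upatre samples.

```python
import hashlib
import math
import random


def chunk_entropy(data: bytes, chunk: int = 256) -> list:
    """Shannon entropy (bits per byte) of each fixed-size window of data.
    This per-region view survives re-encryption of the payload because the
    encrypted region stays high-entropy and the padding stays low-entropy."""
    profile = []
    for start in range(0, len(data), chunk):
        window = data[start:start + chunk]
        counts = [0] * 256
        for b in window:
            counts[b] += 1
        n = len(window)
        profile.append(-sum(c / n * math.log2(c / n) for c in counts if c))
    return profile


def correlation(a: list, b: list) -> float:
    """Pearson correlation of two equal-length entropy profiles (1.0 = same shape)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    sd_a = math.sqrt(sum((x - mean_a) ** 2 for x in a))
    sd_b = math.sqrt(sum((y - mean_b) ** 2 for y in b))
    return cov / (sd_a * sd_b)


def build_variant(seed: int) -> bytes:
    """Constructed stand-in for one polymorphic variant: a fixed 64-byte stub,
    a 2 KiB body re-encrypted under a per-variant keystream, 1 KiB zero padding."""
    stub = b"MZ" + bytes(62)                                # constructed header
    body = (b"download-and-execute-loader " * 80)[:2048]    # constructed plaintext
    rng = random.Random(seed)                               # per-variant "key"
    keystream = bytes(rng.getrandbits(8) for _ in range(len(body)))
    encrypted = bytes(p ^ k for p, k in zip(body, keystream))
    return stub + encrypted + bytes(1024)


def compare_variants(seed_a: int = 1, seed_b: int = 2) -> dict:
    """Hash and byte-signature checks fail across variants; the entropy profile does not."""
    a, b = build_variant(seed_a), build_variant(seed_b)
    signature = a[512:528]      # a 16-byte pattern lifted from variant A's encrypted body
    return {
        "same_sha256": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "signature_matches_b": signature in b,
        "profile_similarity": round(correlation(chunk_entropy(a), chunk_entropy(b)), 3),
    }
```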
Stealth: Hiding execution traces
A. Process Injection
B. File Hiding
C. Diskless Execution
Stealth: File Hiding
• File Attributes: Process will change the file's hidden attributes.
• Compartmentalization: The malicious payload will remain in separate pieces for a benign controller to execute.
• File Extensions: Process will change the file type associations to turn a benign file extension into an executable binary.
• Steganography: Malicious payloads reside in images or other binary files that may appear as benign to the user.
Stealth: Process Injection
[Diagram: BadGuyInjector.exe injects into the memory of GoodGuy.exe, where the injected code runs as one of its threads. API sequence: OpenProcess → VirtualAllocEx → WriteProcessMemory → ReadProcessMemory → CreateRemoteThread]
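An added example, not from the talk, of the defender's side of the sequence above: a detector that walks API-monitor lines and alerts only when one caller completes OpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread against the same target process. The trace line format, the pids and the DebugTool.exe name are assumptions constructed for the example; GoodGuy.exe and BadGuyInjector.exe follow the slide.

```python
import re
from collections import defaultdict

# The call order shown on the slide for classic remote-thread injection.
# ReadProcessMemory is used on its own by debuggers and monitors, so it is
# not a required link in the chain.
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# Constructed trace format (hypothetical API-monitor output, not a real tool's):
#   pid=<caller> image=<caller image> api=<call> target=<target pid>
LINE_RE = re.compile(r"pid=(\d+)\s+image=(\S+)\s+api=(\w+)\s+target=(\d+)")


def detect_injection(trace_lines):
    """Return one alert per (caller pid, target pid) pair that completes the
    chain in order. A process that only opens and reads another process never
    advances past the first stage, so it raises no alert."""
    stage = defaultdict(int)          # (caller, target) -> index of next expected API
    alerts = []
    for line in trace_lines:
        match = LINE_RE.search(line)
        if not match:
            continue                  # unrelated or malformed line
        caller, image, api, target = int(match[1]), match[2], match[3], int(match[4])
        key = (caller, target)
        if api == INJECTION_CHAIN[stage[key]]:
            stage[key] += 1
            if stage[key] == len(INJECTION_CHAIN):
                alerts.append({"caller_pid": caller, "image": image, "target_pid": target})
                stage[key] = 0        # reset so a repeat injection into the same target alerts again
    return alerts


# Constructed sample trace: GoodGuy.exe is pid 3364, BadGuyInjector.exe is pid 4120,
# and DebugTool.exe (pid 2200) is a benign reader interleaved with the injector.
SAMPLE_TRACE = [
    "pid=4120 image=BadGuyInjector.exe api=OpenProcess target=3364",
    "pid=2200 image=DebugTool.exe api=OpenProcess target=3364",
    "pid=4120 image=BadGuyInjector.exe api=VirtualAllocEx target=3364",
    "pid=2200 image=DebugTool.exe api=ReadProcessMemory target=3364",
    "pid=4120 image=BadGuyInjector.exe api=WriteProcessMemory target=3364",
    "pid=4120 image=BadGuyInjector.exe api=ReadProcessMemory target=3364",
    "pid=4120 image=BadGuyInjector.exe api=CreateRemoteThread target=3364",
]


def run_sample():
    """Alerts for the constructed trace: exactly one, for BadGuyInjector.exe -> pid 3364."""
    return detect_injection(SAMPLE_TRACE)
```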
Stealth: Diskless Execution
[Diagram: a GoodGuy website exploits the GoodGuy browser; the BadGuy code runs as a thread in the browser's memory and never touches the file system.]
Code Obfuscation: Prevents detection and takes longer to analyze
Dridex VBA Downloader (every string literal is decoded at run time by yyTrankxt, whose body is not shown on the slide):
    ' yyTrankxt(...) returns the decoded string; the literals are the obfuscated form
    Set obsCgkbrjo = WScript.CreateObject(yyTrankxt("ŸÕÿ‹∏†‹flfl◊–¥ "))
    Set sDcqujpwd = CreateObject(yyTrankxt("·ƒÿfi«¡’‘ÍÿÊ¥ÿ‡Œ∏ñ÷‰Œ·—‹Ê»≈"))
    ' create the folder named by each decoded string if it does not already exist
    If NOT (sDcqujpwd.FolderExists(yyTrankxt("Œ’‘∏“”÷Â◊ΩΩ≠∑"))) Then
        sDcqujpwd.CreateFolder(yyTrankxt("Œ’‘∏“”÷Â◊ΩΩ≠∑"))
    End If
    If NOT (sDcqujpwd.FolderExists(yyTrankxt("‘ÏÁ«Ÿƒ–Í∆±Œ‘Ê÷ø“ü∞"))) Then
        sDcqujpwd.CreateFolder(yyTrankxt("‘ÏÁ«Ÿƒ–Í∆±Œ‘Ê÷ø“ü∞"))
    End If
    ' decoded path fragments kept for later use
    sXtrIusxm = yyTrankxt("…‘ÿ‡Œ∏à‹◊◊‘–ƒ¡¨´")
    sXtr2Iusxm = yyTrankxt("‡∆fl›´í’–ËË”√–üµ") & " (x86)\"
Persistence: Ability to respawn
[Chart: persistence mechanisms plotted from Rare to Common and from Simple to Sophisticated]
• Scheduled tasks
• Logon/Winlogon
• File Classes
• Services/Drivers
• Image File Execution
• ShellExecuteHooks
• Autoruns
• InprocServer32
• Installed Components
• DLL Load/Hijacking
• Browser Plugins
• Boot Execution
Evasion: Environmental awareness reaction
• NOP Functions: Looping of a function that does nothing important to confuse the analysis
• Timeout/Sleeps: Process will wait until a certain time or outwait VM analysis
• Environmental Awareness: Process is able to identify obstacles in the environment and react accordingly by removing obstacles
• User Interaction: User interaction is required to continue execution
• Encryption: Encryption of code components and traffic avoids analysis
• Dynamic C&C: Domain Generation Algorithm (DGA) to avoid static detection
• Memory Only: Process will avoid file system type detection by only running in memory
• Stolen Signing Certificates: Malware will use stolen certs to sign their own binaries and bypass AV detection
1. Accept that attacks will adapt to changes in the environment
2. Focus on the anomaly rather than the signature
Pre and Post Breach Methodology
Mitigation & Multi-Layer Detection
Malicious Behaviors: Polymorphism, Stealth, Code Obfuscation, Persistence, Evasion
Mitigation:
• Provide data analytics and machine learning services to identify, detect, and prevent
• Dynamic analysis and data science overcomes anti-analysis
• Monitor all layers: disk, memory and kernel
• Analytics to identify and collect anomalies in pre-breach and post-breach context
• Remaining stealthy in the environment to prevent attacker discovery
Questions?
Thank [email protected]
Appendix
Malware Timeline: 2009-2010
Attacker:
• Socially engineered emails
• Attachments with Doc exploits
• Attachments are compressed
• User interaction required
Example: GhostNet
Defender:
• Static analysis
• File extension identification
• Decompression when not password protected
Malware Timeline: 2011-2012
Attacker:
• Socially engineered emails
• HTML links to fake websites
• Search order hijacking
• Resilience gets more interesting
Example: ETSO APT, PushDo Botnet
Defender:
• Static analysis of webpages
• Domain research
• Becomes harder to catch