Post on 26-Jul-2020
Modern Malware
James Sherlow, SE Manager NEUR
• data breach mythology
• we invest in protecting our data centers
• the datacenter is rarely attacked directly
• no more vulnerability scanning
• the new attacker
the attacker is not a bored geek; it is nation states and organized crime
• data breaches in 2011
step one: bait an end-user (spear phishing)
step two: exploit a vulnerability
step three: download a backdoor
step four: establish a back channel
step five: explore and steal
• the state of malware protection
• blueprint for stopping modern malware
need to protect all applications
• response time is key
• automation is a must
• a sandbox at the core
• perform the analysis for all devices centrally
• automatically generate multiple signatures
  – anti-malware download signatures
  – IPS back-channel signatures
  – malware URLs
  – IPS signatures for identified new vulnerabilities
• need to protect at all stages: bait → exploit → download → back channel → steal
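The five-step sequence above (bait, exploit, download, back channel, steal) and the "sandbox at the core, automatically generate multiple signatures" blueprint can be made concrete with a small script. The following is an added example, not code from the deck or from Palo Alto Networks: it takes a constructed sandbox report for a hypothetical dropper (every hash, host, URL and path is invented), derives the three signature types the slide lists (download hash, malware URL, back-channel IPS pattern), and checks them against constructed proxy log lines to show which stage each line belongs to. The Snort-style rule text is emitted only for reference and is not loaded into any engine here.

```python
"""
Added example, not from the deck: a toy version of the blueprint's
"sandbox at the core" step.  A constructed sandbox report for one sample
is turned into the three signature types the slides list, and those
signatures are then checked against constructed proxy log lines covering
the download and back-channel stages of the attack sequence.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sandbox output for a hypothetical dropper; every value is invented.
SANDBOX_REPORT = {
    "sample_bytes": b"MZ\x90\x00 constructed dropper payload, not real malware",
    "download_url": "http://files.example.test/update/setup.exe",
    "back_channel": [  # C2 traffic observed during detonation (constructed)
        {"method": "POST", "host": "cc.example.test", "path": "/gate.php"},
    ],
}


@dataclass
class SignatureSet:
    download_hashes: set = field(default_factory=set)  # anti-malware download signatures
    malware_urls: set = field(default_factory=set)     # malware URL blocklist
    back_channel: list = field(default_factory=list)   # (regex, snort_rule) per C2 endpoint


def generate_signatures(report, sid_base=1000001):
    """Derive all three signature types from a single sandbox report."""
    sigs = SignatureSet()
    sigs.download_hashes.add(hashlib.sha256(report["sample_bytes"]).hexdigest())
    sigs.malware_urls.add(report["download_url"].lower())
    for i, bc in enumerate(report["back_channel"]):
        # Regex used by the offline check below: method, host and exact path,
        # allowing a query string or end of line after the path.
        pattern = re.compile(
            rf'\b{bc["method"]} https?://{re.escape(bc["host"])}{re.escape(bc["path"])}(?:[?\s]|$)',
            re.IGNORECASE)
        # Snort 2 style rule text for an inline IPS (reference only, not loaded here).
        snort = (f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
                 f'msg:"Sandbox-derived back channel {bc["host"]}"; flow:to_server,established; '
                 f'content:"{bc["method"]}"; http_method; content:"{bc["path"]}"; http_uri; '
                 f'content:"{bc["host"]}"; http_header; sid:{sid_base + i}; rev:1;)')
        sigs.back_channel.append((pattern, snort))
    return sigs


# Constructed proxy log: time client method url status sha256-of-response-body-or-"-"
PROXY_LOG = [
    "2011-03-01T10:00:01Z 10.1.2.3 GET http://www.example.test/news.html 200 -",
    "2011-03-01T10:00:07Z 10.1.2.3 GET http://files.example.test/update/setup.exe 200 "
    + hashlib.sha256(SANDBOX_REPORT["sample_bytes"]).hexdigest(),
    "2011-03-01T10:01:40Z 10.1.2.3 POST http://cc.example.test/gate.php 200 -",
    "2011-03-01T10:02:00Z 10.1.2.9 POST http://cc.example.test/gate.php?id=7 200 -",
]


def classify(line, sigs):
    """Return the attack stage a proxy log line matches, or None for benign traffic."""
    _, _, method, url, _, body_hash = line.split()
    if body_hash in sigs.download_hashes:
        return "download (hash)"
    if url.lower() in sigs.malware_urls:
        return "download (url)"
    for pattern, _ in sigs.back_channel:
        if pattern.search(f"{method} {url}"):
            return "back channel"
    return None


def scan(log, sigs):
    """Return (client, stage) for every log line that hits a generated signature."""
    hits = []
    for line in log:
        stage = classify(line, sigs)
        if stage:
            hits.append((line.split()[1], stage))
    return hits


if __name__ == "__main__":
    sigs = generate_signatures(SANDBOX_REPORT)
    for _, rule in sigs.back_channel:
        print(rule)
    for client, stage in scan(PROXY_LOG, sigs):
        print(f"{client}: {stage}")
```

Note that the second client (10.1.2.9) never downloaded the sample through this proxy, yet its back-channel traffic is still caught: that is the point of generating the IPS signature from the same sandbox run as the download hash, since it covers hosts infected by a path the hash signature never saw.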
© 2010 Palo Alto Networks. Proprietary and Confidential.
Case Study: Jericho Banking Trojan
• Steals passwords and credentials for websites
  – username/login pairs
  – website cookies
  – keystrokes
• Targets credentials for 100+ websites
  – the vast majority of targeted sites are banking and financial sites
  – hiring and employment sites are also targeted
  – a small number of technology sites are targeted
Injects Into Common Applications
• Injects malicious code into common application processes
  – browsers: heavy focus on Firefox, but also targets IE, Chrome and Opera
  – email clients: Outlook and WinMail
  – other apps: Skype, Java, and Reader_sl.exe
• Allows the malware to make use of functions in those target applications
  – no need for the malware to import networking libraries; it can simply use the ones already imported by the target app
Ierihon Samples Delivered From Israel
Poor Coverage by Traditional AV
• Tested the malware against the top 6 antivirus vendors
• Repeated the tests daily to track improvements
[Chart: AV detection coverage (0% to 100%) per day, Day-0 through Day-6]
the role of NGFW in stopping modern malware
© 2012 Palo Alto Networks. Proprietary and Confidential.