Coordinated Malware Eradication & Remediation Project (CMEP) – The Way Forward

Dr Aswami Ariffin (Dr AA)
Vice President & Digital Forensics Scientist
Cyber Security Responsive Services Division
CyberSecurity Malaysia
[email protected]

Copyright © 2015 CyberSecurity Malaysia


About me…


Agenda

1. CMERP Objectives
2. Incidents & Statistics
3. CMERP Framework/Matrix/System
4. Industry & Academia Collaborator
5. Research, Development and Commercialization
6. Big Data Forensics & Honeynet
7. Conclusion


CMERP Objectives

Mission: To address the computer security concerns of Malaysian Internet users

Vision: To reduce the probability of successful attacks and lower the risk of consequential damage

Objectives:
• To reduce the number of bot/malware infections in Malaysia
• Provide proactive measures to safeguard against and mitigate malware infection
• Collaboration with industry and academia (national and international) to ensure the success of the project


APT modus operandi

(Diagram: Hacker, C&C Server, Victim 1, Victim 2 and Victim 3, each victim with its own contact list.)

1. Send spear phishing email to targeted victims (RAT installation: victim opens the malicious attachment)
2. RAT communicates with the C&C server and grabs orders
3. Uploads tools and requests data
4. Sends requested data
5. Sends spear phishing email to each victim's contact list


Online bank malware case, Sept 2014


Modus operandi banker malware

(Diagram actors: Malware coder, Victim machine, CnC server, Hacker, Legitimate site, Victim phone, Money mule, Scam organizer.)

1. Malware coder writes malicious software to exploit a computer vulnerability and install a trojan
2. Victim infected with credential-stealing malware
3. Banking credentials + phone number stolen
4. Hacker retrieves banking info + phone number
5. Sends SMS containing a link to a malicious APK
6. Victim phone downloads the malware
7. Hacker accesses the banking site
8. Transaction approval SMS sent to the victim phone
9. Malware forwards the approval SMS
10. Hacker retrieves the stolen SMS
11. Transaction approved using the stolen SMS
12. Money transferred to mule
13. Money transferred from mule to organizer


Incidents handled in 2014


Incidents handled in 2015


Year 2013: 2.8 million infected IPs

Year 2014: 3.2 million infected IPs


Popular malware family in Malaysia


Daily counts, past 60 days (Malaysia)

Family        Count
DonxRef          89
Conficker    40,064
Obfuscator    7,469
Autorun      36,602
Comisproc    30,079
Msidebar        275
Jenxcus      97,543
Dynamer       5,596
Bursted       2,972
Axpergle      2,043
Filcout      22,453
Sefnit       14,891
Faceliker    63,216
Nitol         1,699
Zbot          3,115
Redirector    2,168
Orsam         1,926
Gamarue      51,206
IframeRef     3,631
Passdoc         171
Bumat         1,506
FlyAgent      2,363
Clikug       13,741
Dorkbot      37,375
Neclu           581
Rotbrow      10,213
Sality       26,721
VB            1,376
Wysotot       3,078
Neyer           197
Brantall      7,685
Kenilfe         538
Qfas            480
Malagent      3,098
Sulunch         989
Spacekito     2,120
DelfInject    1,167
Ramnit       15,981
Mailcab          23
Necurs        3,377
Jpgiframe       374
Sisproc       1,843
Rimecud       4,174
Xyligan           3
FlyStudio       798
CplLnk       13,265
Startpage       208
Dunik           511
Fynloski      6,560
Almanahe        582
Total       548,135

1. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. Alert level: Severe

2. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. Alert level: Severe

3. JS/Faceliker is JavaScript that performs 'likejacking' attacks. A 'likejacking' attack is when this threat 'likes' Facebook content without your knowledge or consent. This threat might be included in malicious or hacked webpages. Alert level: Severe

4. Gamarue: this malware family can give a malicious hacker control of your PC. They can also steal your sensitive information and change your PC security settings. We've seen them installed by exploit kits and other malware. They can also be attached to spam emails. Alert level: Severe

Source: Microsoft


CMERP - 2014


CMERP framework


CMERP matrix – detect, respond & prevent

1. Detect: constantly monitors traffic, security feeds and incident alerts.

2. Identify: when an infection is detected, the customer is identified and the system automatically fetches their contact information.

3. Alert: the customer is automatically notified that their system appears to have been compromised and that follow-up action will be taken.

4. Walled garden: the customer's device is removed from, quarantined in, or given restricted access to the network.

5. Remediate: the customer can download tools made available at the isolation portal to remove the infection (also patches and bug fixes).

6. Verify: a PC/IP detected to be clean can rejoin the network. If the infection is still present, the problem is automatically flagged.
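The detect, respond and prevent matrix above is a workflow that an ISP or SOC would drive per infected IP. The following is an added example, not code from CyberSecurity Malaysia or the CMERP system, that models the six stages as a small state machine: it reads constructed infection alerts, looks the IP up in a constructed customer directory, records the notification, moves the case through the walled garden and isolation portal, and then uses a caller-supplied rescan result to decide between rejoining the network and flagging the case. The feed format, the `CUSTOMER_DIRECTORY` table and the `rescan` callback are assumptions made for illustration.

```python
"""Walled-garden remediation workflow modelled on the CMERP matrix
(detect -> identify -> alert -> quarantine -> remediate -> verify).

Added example; not code from CyberSecurity Malaysia or the CMERP system.
The feed format, customer directory and rescan callback are constructed
assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class State(Enum):
    MONITORING = "monitoring"      # stage 1: alert received from a feed
    IDENTIFIED = "identified"      # stage 2: customer contact resolved
    ALERTED = "alerted"            # stage 3: customer notified
    QUARANTINED = "quarantined"    # stage 4: walled garden applied
    REMEDIATING = "remediating"    # stage 5: isolation portal tools offered
    CLEAN = "clean"                # stage 6: rescan clean, rejoins network
    FLAGGED = "flagged"            # stage 6: still infected (or unknown device)


@dataclass
class Case:
    ip: str
    family: str
    contact: Optional[str] = None
    state: State = State.MONITORING
    history: List[State] = field(default_factory=list)

    def move(self, new_state: State) -> None:
        """Advance the case, keeping the previous states for audit."""
        self.history.append(self.state)
        self.state = new_state


# Constructed sample security feed, one "timestamp src_ip family" per line.
SAMPLE_FEED = """\
2015-03-02T08:10:11Z 203.0.113.17 Conficker
2015-03-02T08:12:45Z 203.0.113.42 Jenxcus
2015-03-02T08:13:02Z 198.51.100.9 Gamarue
"""

# Constructed customer directory (IP -> contact). A real deployment would
# query the subscriber database here; the third feed IP is deliberately absent.
CUSTOMER_DIRECTORY: Dict[str, str] = {
    "203.0.113.17": "cust-0017@example.net",
    "203.0.113.42": "cust-0042@example.net",
}


def parse_feed(feed: str) -> List[Case]:
    """Stage 1: turn each well-formed feed line into an open case."""
    cases: List[Case] = []
    for line in feed.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the pipeline
        _timestamp, ip, family = parts
        cases.append(Case(ip=ip, family=family))
    return cases


def run_case(case: Case, directory: Dict[str, str],
             rescan: Callable[[str], bool],
             notifications: List[str]) -> Case:
    """Drive one case through stages 2-6.

    `rescan(ip)` must return True if the device is still infected after the
    customer has run the removal tools from the isolation portal."""
    contact = directory.get(case.ip)          # stage 2: identify customer
    if contact is None:
        case.move(State.FLAGGED)              # unknown device: escalate by hand
        return case
    case.contact = contact
    case.move(State.IDENTIFIED)
    notifications.append(                     # stage 3: alert the customer
        f"{contact}: {case.ip} appears compromised by {case.family}; "
        f"follow-up action will be taken")
    case.move(State.ALERTED)
    case.move(State.QUARANTINED)              # stage 4: walled garden
    case.move(State.REMEDIATING)              # stage 5: isolation portal tools
    # stage 6: verify; rejoin the network if clean, otherwise flag the case
    case.move(State.FLAGGED if rescan(case.ip) else State.CLEAN)
    return case


def process_feed(feed: str, directory: Dict[str, str],
                 rescan: Callable[[str], bool]) -> Tuple[List[Case], List[str]]:
    """Run every alert in the feed through the matrix."""
    notifications: List[str] = []
    cases = [run_case(c, directory, rescan, notifications)
             for c in parse_feed(feed)]
    return cases, notifications


if __name__ == "__main__":
    # Constructed rescan result: pretend 203.0.113.42 is still infected.
    still_infected = {"203.0.113.42"}
    done, notes = process_feed(SAMPLE_FEED, CUSTOMER_DIRECTORY,
                               lambda ip: ip in still_infected)
    for c in done:
        print(f"{c.ip:<14} {c.family:<10} {c.state.value}")
    for n in notes:
        print(n)
```

The `history` list on each case is what makes the flagged path reviewable afterwards: a device that was flagged because no customer could be identified has a history of only the monitoring stage, whereas one flagged after a failed rescan carries the full quarantine and remediation trail.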


CMERP system concept


Project phases


Industry collaborator


Academia collaborator


R&D&C (Research, Development and Commercialization)


iOS forensics – vulnerability research


Big data forensics & honeynet


Conclusion

1. Cyber threat intelligence report; malware biometrics
2. National/International cooperation to combat cybercrime; analytics dashboard
3. Enforcement; cyber laws
4. Lower the cost of combating cybercrime
5. More efficient through strategic alliances
6. Capacity and capability building
7. Emergency readiness
