http://www.securedocs.com -The recent increase in high-profile cyberattacks has made online security a hot topic, and rightfully so. Companies from The New York Times to Facebook have fallen victim to attacks by cybercriminals, highlighting just how vulnerable any business is. In the past few years, malware has evolved dramatically and is a serious threat to all organizations, both big and small. This presentation covers what advanced malware is and the impact it can have on an organization. Learn how to protect your business from this type of threat.

1. Cybersecurity: Understanding
Malware and How to Protect
Your Business

2. About AppFolio SecureDocs
AppFolio SecureDocs is a virtual data room for sharing and
storing sensitive documents both internally and with
outside parties.
AppFolio, Inc. Company Basics:
• Founded by the team that created and launched GoToMyPC
and GoToMeeting
• Backed by leading technology companies and investors
• Web-based business software for financial and legal
professionals

3. About Lastline, Inc.
Lastline’s security products synthesize and bring to
commercial standards award-winning, world-renowned
academic research on malware analysis and
countermeasures.
• Founded in 2011 by university researchers Engin Kirda,
Christopher Kruegel and Giovanni Vigna
• Considered to be today’s thought leaders on automated, high-
resolution malware analysis and detection
• Focused on real-time analysis of advanced malware and big
data analytics; leverages this threat intelligence to create
solutions to protect companies of all sizes.

4. About Giovanni Vigna
Faculty member of the Computer Science
Department at the University of California, Santa
Barbara and the CTO/Founder of Lastline, Inc.
• Recognized expertise in web security, vulnerability analysis,
malware countermeasures, and intrusion detection.
• Published more than 100 papers on the subject of network security
and evasive malware
vigna@lastline.com vigna@cs.ucsb.edu

5. Targeted Attacks
and Cyberwar
!!!
Cyberattack (R)Evolution
Time
$$ Damage
Millions
Hundreds of
Thousands
Thousands
Hundreds
Billions
Cybercrime
$$$Cybervandalism
#@!

6. Polling Question #1

7. Targeted attacks are mainstream news.
Every week, new breaches are reported.
In the last few months alone …
Nobody Is Safe…

8. Once Upon a Time…
http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html

9. Unhappily Ever After…
• Proliferation of cybercrime for financial profit
– ZeuS
• Targeted attacks look for intelligence
– Aurora (Google and others)
– RSA SecureID
• Emerging cyber warfare
– Stuxnet
– Flame “Steal something valuable”

10. Financial Malware
• What can be monetized?
– Financial data
– Usernames and passwords
– Virtual goods
– Online identities
– Computational power
– Emails

11. Targeted Attacks
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

12. Polling Question #2

13. Targeted Attacks
• What can be monetized?
– Intellectual property
– Financial information
– Bids and contracts
– Organization structure
– Visited sites

14. State-level Attacks
• What can be gained?
– Intelligence
– Destruction of expensive
equipment
– Influence on financial markets
– Shut down of critical infrastructure
– Fear, insecurity, lack of trust

15. Attribution, Once Upon a Time

16. Attribution, Today

17. Criminal Groups
• Well-organized groups with efficient division of roles and
labor
– Programmers: develop malware code (malware, exploit kits)
– Testers: QA and AV evasion
– Traffic generators
– Botmasters
– Bot renters
– Money mules
• Budget for acquisition of zero-day exploits
“We are setting aside a $100K budget to purchase browser
and browser plug-in vulnerabilities”
(Cool exploitkit group)
http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/

18. Underground Markets
• Virtual places for advertisement and exchange of
goods and offering of services
• IRC channels and online forums
• Activities
– Advertisements
“i have boa wells and barclays bank logins....”
“i need 1 mastercard i give 1 linux hacked root”
– Sensitive data
“CHECKING 123-456-XXXX $51,337.31
SAVINGS 987-654-XXXX $75,299.64”
http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
http://cseweb.ucsd.edu/~voelker/pubs/forums-imc11.pdf
http://www.cs.ucsb.edu/~vigna/publications/fakeav_market.pdf

19. Making Sense of Attacks
• Lots of different vectors, tactics, specific tricks
• Two fundamental things to keep in mind:
– How do attackers get in?
– How do they get valuable information out?

20. Drive-by-download Attack
www.badware.com
www.semilegit.com
www.grayhat.com
www.evilbastard.com
www.bank.com
POST /update?id=5’,’<iframe>..’)--
<iframe src=“http://semilegit.com”
height=“0” width=“0”></iframe>
Personal Data, Docs

21. Malicious JavaScript Code

22. Exploit

23. Anatomy of Exploit
• The code determines that the victim has installed a
vulnerable ActiveX control, e.g., QuickTime
• The control is loaded into memory
• The environment is prepared for the exploit, for
example, for memory corruption exploits
– The shellcode is loaded into memory
– The heap is sprayed to ensure that control eventually
reaches the shellcode
• The vulnerability is triggered, by invoking the
vulnerable method/property of the ActiveX control
http://www.cs.ucsb.edu/~vigna/publications/iframe11.pdf
http://cseweb.ucsd.edu/~savage/papers/CCS12Exploit.pdf

24. Luring Users: SEO
Read more:
http://cseweb.ucsd.edu/users/voelker/pubs/juice-ndss13.pdf
http://faculty.cs.tamu.edu/guofei/paper/PoisonAmplifier-RAID12.pdf

25. Luring Users: Emails
• Email messages containing links…

26. Luring Users: Parking Tickets

27. Luring Users: Watering Holes
• Sometimes it is difficult to
exploit the target of an attack
directly
– Instead compromise a site that
is likely to be visited by the
target
• Council on foreign relations
→ governmental officials
• Unaligned Chinese news site
→ Chinese dissidents
• iPhone dev web site
→ developers at Apple,
Facebook, Twitter, etc.
• Nation Journal web site
→ Political insiders in
Washington

28. Document-based Attacks
• Vulnerabilities in document viewers can be
exploited by malicious documents
– Office docs
– PDFs
– Images

29. What Happens in the Background
• Analysis engine provides full emulation of an operating system
environment and can detect what is actually happening in the
system when a document is opened
• Process winword.exe was created:
– "C:Program Files (x86)Microsoft OfficeOffice12winword.exe”
– The arguments of this process: "/q /f
"C:UsersuserAppDataRoamingdflt_sample.doc”
• Process winword.exe drops new files:
– "C:UsersuserAppDataLocalTempmsmx21.exe”
• Process winword.exe starts a new process:
– "C:UsersuserAppDataLocalTempmsmx21.exe”
• Running Task analyzes analysis result...
• ReportScanner: 80 (set(['Document: Writes a file then executes it']))
• Detections 1 (100.00%, 0 not detected)

30. Spear Phishing
From: abudhabi@mofa.gov.sy
To: tehran@mofa.gov.sy
Date: Monday February 6, 2012 05:51:24
Attachment: 23 fdp.scr
23
/
---- Msg sent via @Mail - http://atmail.com/
Colleagues in the code office,
Please acknowledge the receipt of the
telegram No. 23 in attachment.
Thanks,
Embassy / Abu Dhabi

31. • Deceive the user into thinking that something
useful is installed
– Video players
– Anti-virus
– Screen savers
– …
Social Engineering Attacks

32. After the Infection:
A Botnet Case Study
http://www.cs.ucsb.edu/~vigna/publications/ccs09_torpig.pdf

33. Hijacking the Botnet
• Reverse engineered the DGA used in Torpig and
the C&C protocol
– Noticed that domains generated for 1/25/2009 –
2/15/2009 were unregistered
– Registered these domains
• Controlled the botnet for 10 days
– Unique visibility into a botnet’s operation
– 180,000 infected hosts
– 8.7 GB of Apache logs
– 69 GB pcap data (containing stolen information)

34. Threats
• 8,310 unique accounts from 410 financial
institutions
– Top 5: PayPal (1,770), Poste Italiane, Capital One,
E*Trade, Chase
– 38% of credentials stolen from browser’s password
manager
• 1,660 credit cards
– Top 3: Visa (1,056), Mastercard, American Express,
Maestro, Discover
– US (49%), Italy (12%), Spain (8%)
– Typically, one CC per victim, but there are exceptions …

35. 35
Value of the Financial Information
• Symantec [2008] estimates
– Credit card value at $.10 to $25.00
– Bank account at $10.00 to $1,000.00
• Using Symantec estimates,10 days of Torpig
data valued at $83K to $8.3M

36. Financial Damage
Read more: http://krebsonsecurity.com/category/smallbizvictims/

37. Ideal World
Secure code
• Software we use contains
no vulnerability, or
• Vulnerabilities are mitigated
using sound security and
engineering principles (least
privilege, containment, etc.)
Unfortunately currently only a
handful of “secure programs”
and often in specialized
sectors (regulations vs.
innovation)
User awareness
• Users are aware of security
threats
• They always make the right
decision
Unfortunately experiments
show users extremely bad at
making security decisions
(security vs. usability)

38. Law Enforcement
http://www.zdnet.com/blog/bott/who-killed-the-fake-antivirus-business/3832
Russian authorities arrest
the co-founder of
ChronoPay, the largest
online payment processor

39. Law Enforcement

40. Law Enforcement

41. Polling Question #3

42. Common Sense Defenses
• Keep software up to date
• However, ineffective against 0-day

43. Common Sense Defenses
• Don’t open links/attachment from unknown sources
• However, ineffective against social/targeted attacks

44. Common Sense Defenses
• Limit web accesses to trusted/reputable sites
• However, ineffective against waterhole
attacks, malicious advertisements, web site
compromises

45. Common Sense Defenses
• Access sensitive services (e.g., online banking)
from dedicated machine
• However, inconvenient

46. Current Solutions Are Not Enough
• Firewalls are not enough
– Users actively (and unsuspectingly) go out to the attacker
– Attackers use port 80
• Intrusion Detection/Prevention (IDS/IPS) systems are not
enough
– Signatures and blacklists only catch known attacks
– Limited insight into downloaded artifacts
(binaries, spear-phishing links, …) and outbound network activity
• Anti-virus systems are not enough
– Artifacts change their appearance at a fast pace
(Signatures and blacklists insufficient, manual analysis of threats
requires an enormous amount of resources)
– AV vendors do not see the binary used in targeted attacks
(They cannot create any signature)

47. Solutions To Advanced Malware
• Analysis of incoming artifacts (what gets in)
– Web downloads, mail attachments
• Analysis of outgoing traffic (what gets out)
– DNS traffic, web traffic
• What gets out
• Where it goes
• How it is sent
• Use of correlation to present complete picture to
the system administrator
• But how good is the analysis?

48. Polling Question #4

49. The Malware (R)evolution
Simple Threats
OpportunisticAttacks
APT
Solutions
Antivirus
Solutions
TargetedAttacks
Packing
Sophisticated Threats
Plain
Virus
Poly-
morphic
C&C
Fluxing
Persistent
Threats
Evasive
Threats

50. Nature of Advanced Malware
• Static Code
Obfuscation
and
Polymorphism
Source: Binary-Code
Obfuscations in Prevalent
Packer Tools, Tech Report,
University of Wisconsin, 2012
Number of times a hash is seen
> 93% of all samples are unique
Defeats signature-based anti-virus

51. Nature of Advanced Malware
• Dynamic evasion – checks for environment
Defeats sandbox and
virtual machines

52. Nature of Advanced Malware
• Dynamic evasion – stalling loops
Defeats sandbox and
virtual machines

53. Lessons Learned
• Attacks are increasingly targeted
• “Attackers no longer go after your firewall. They go
after your employees”
• Attackers are persistent and patient
• Need for constant monitoring approach to defense
• Attackers develop custom tools and attacks after they
have gained access to a target
• Global landscape still matters, but…
• Defenses tailored to local characteristics and activity
are critical
• Evasive malware
• Need for next-generation tools

54. Questions?

55. Backup Slides

56. Lastline
• Started in 2011 by team of professors and
PhDs from University of California, Santa
Barbara and Northeastern University, Boston
• Located in Santa Barbara, CA
• Technology based on 8+ years of research on
advanced malware
• Founders include the creators of Anubis and
Wepawet analysis tools

57. Previct Anti-Malware Solution
Sentinel scans traffic for signs and
anomalies that reveal C&C
connections and infections
Lastline proactively scouts the
Internet for threats and
updates the Sentinel
knowledge base Manager receives
and correlates alerts,
and produces
actionable intelligence
Sentinel sends unknown
objects (programs and
documents) for high
resolution analysis

58. Key Technology
1. High resolution analysis engines
– CPU emulation provides deep insights into malware execution
– Necessary to detect and bypass evasive checks
– Expose malicious behaviors that existing sandboxes don’t see
2. Big data analytics
– Anomaly detection of suspicious outbound
command-and-control (C&C) flows
– Internet-scale, active discovery of threats
– Correlation of low-level events into actionable threat intelligence

59. High-Resolution Malware Analysis
Visibility without code emulation
(traditional sandboxing technology)
Important behaviors and
evasion happens here
Visibility with code emulation
(Lastline technology)

60. Competitive Landscape
Simple Threats
OpportunisticAttacks
APT
Solutions
Antivirus
Solutions
TargetedAttacks
Sophisticated Threats
Packing
Plain
Virus
Poly-
morphic
C&C
Fluxing
Persistent
Threats
Evasive
Threats