http://www.securedocs.com - The recent increase in high-profile cyberattacks has made online security a hot topic, and rightfully so. Companies from The New York Times to Facebook have fallen victim to attacks by cybercriminals, highlighting just how vulnerable any business is. In the past few years, malware has evolved dramatically and is a serious threat to all organizations, both big and small.
This presentation covers what advanced malware is and the impact it can have on an organization. Learn how to protect your business from this type of threat.
2. About AppFolio SecureDocs
AppFolio SecureDocs is a virtual data room for sharing and
storing sensitive documents both internally and with
outside parties.
AppFolio, Inc. Company Basics:
• Founded by the team that created and launched GoToMyPC
and GoToMeeting
• Backed by leading technology companies and investors
• Web-based business software for financial and legal
professionals
3. About Lastline, Inc.
Lastline’s security products synthesize and bring to
commercial standards award-winning, world-renowned
academic research on malware analysis and
countermeasures.
• Founded in 2011 by university researchers Engin Kirda,
Christopher Kruegel and Giovanni Vigna
• Considered to be today’s thought leaders on automated, high-
resolution malware analysis and detection
• Focused on real-time analysis of advanced malware and big
data analytics; leverages this threat intelligence to create
solutions to protect companies of all sizes.
4. About Giovanni Vigna
Faculty member of the Computer Science
Department at the University of California, Santa
Barbara and the CTO/Founder of Lastline, Inc.
• Recognized expertise in web security, vulnerability analysis,
malware countermeasures, and intrusion detection.
• Published more than 100 papers on the subject of network security
and evasive malware
vigna@lastline.com vigna@cs.ucsb.edu
7. Targeted attacks are mainstream news.
Every week, new breaches are reported.
In the last few months alone …
Nobody Is Safe…
8. Once Upon a Time…
http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html
9. Unhappily Ever After…
• Proliferation of cybercrime for financial profit
– ZeuS
• Targeted attacks look for intelligence
– Aurora (Google and others)
– RSA SecureID
• Emerging cyber warfare
– Stuxnet
– Flame “Steal something valuable”
10. Financial Malware
• What can be monetized?
– Financial data
– Usernames and passwords
– Virtual goods
– Online identities
– Computational power
– Emails
13. Targeted Attacks
• What can be monetized?
– Intellectual property
– Financial information
– Bids and contracts
– Organization structure
– Visited sites
14. State-level Attacks
• What can be gained?
– Intelligence
– Destruction of expensive
equipment
– Influence on financial markets
– Shut down of critical infrastructure
– Fear, insecurity, lack of trust
17. Criminal Groups
• Well-organized groups with efficient division of roles and
labor
– Programmers: develop malware code (malware, exploit kits)
– Testers: QA and AV evasion
– Traffic generators
– Botmasters
– Bot renters
– Money mules
• Budget for acquisition of zero-day exploits
“We are setting aside a $100K budget to purchase browser
and browser plug-in vulnerabilities”
(Cool exploitkit group)
http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/
18. Underground Markets
• Virtual places for advertisement and exchange of
goods and offering of services
• IRC channels and online forums
• Activities
– Advertisements
“i have boa wells and barclays bank logins....”
“i need 1 mastercard i give 1 linux hacked root”
– Sensitive data
“CHECKING 123-456-XXXX $51,337.31
SAVINGS 987-654-XXXX $75,299.64”
http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
http://cseweb.ucsd.edu/~voelker/pubs/forums-imc11.pdf
http://www.cs.ucsb.edu/~vigna/publications/fakeav_market.pdf
19. Making Sense of Attacks
• Lots of different vectors, tactics, specific tricks
• Two fundamental things to keep in mind:
– How do attackers get in?
– How do they get valuable information out?
23. Anatomy of Exploit
• The code determines that the victim has installed a
vulnerable ActiveX control, e.g., QuickTime
• The control is loaded into memory
• The environment is prepared for the exploit, for
example, for memory corruption exploits
– The shellcode is loaded into memory
– The heap is sprayed to ensure that control eventually
reaches the shellcode
• The vulnerability is triggered, by invoking the
vulnerable method/property of the ActiveX control
http://www.cs.ucsb.edu/~vigna/publications/iframe11.pdf
http://cseweb.ucsd.edu/~savage/papers/CCS12Exploit.pdf
24. Luring Users: SEO
Read more:
http://cseweb.ucsd.edu/users/voelker/pubs/juice-ndss13.pdf
http://faculty.cs.tamu.edu/guofei/paper/PoisonAmplifier-RAID12.pdf
27. Luring Users: Watering Holes
• Sometimes it is difficult to
exploit the target of an attack
directly
– Instead compromise a site that
is likely to be visited by the
target
• Council on Foreign Relations
→ governmental officials
• Unaligned Chinese news site
→ Chinese dissidents
• iPhone dev web site
→ developers at Apple,
Facebook, Twitter, etc.
• National Journal web site
→ Political insiders in
Washington
29. What Happens in the Background
• Analysis engine provides full emulation of an operating system
environment and can detect what is actually happening in the
system when a document is opened
• Process winword.exe was created:
– "C:\Program Files (x86)\Microsoft Office\Office12\winword.exe"
– The arguments of this process: /q /f "C:\Users\user\AppData\Roaming\dflt_sample.doc"
• Process winword.exe drops new files:
– "C:\Users\user\AppData\Local\Temp\msmx21.exe"
• Process winword.exe starts a new process:
– "C:\Users\user\AppData\Local\Temp\msmx21.exe"
• Running Task analyzes analysis result...
• ReportScanner: 80 (set(['Document: Writes a file then executes it']))
• Detections 1 (100.00%, 0 not detected)
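The report above is a flat list of events; the detection comes from correlating two of them (a document viewer writes a file, then the same viewer starts that file as a process). The Python below is an added example, not Lastline's engine or code: it parses report lines of the shape shown on the slide (the sample lines are constructed here) and raises the same "Writes a file then executes it" tag. The regular expression, the list of document viewers and the score weights are assumptions.

```python
import re

# Constructed sample of analysis-engine output, modelled on the report lines on the slide.
SAMPLE_REPORT = [
    'Process winword.exe was created: "C:\\Program Files (x86)\\Microsoft Office\\Office12\\winword.exe"',
    'Process winword.exe drops new files: "C:\\Users\\user\\AppData\\Local\\Temp\\msmx21.exe"',
    'Process winword.exe starts a new process: "C:\\Users\\user\\AppData\\Local\\Temp\\msmx21.exe"',
]

# One event per line: Process <name> <action>: "<path>"  (assumed line shape)
EVENT_RE = re.compile(
    r'^Process (?P<proc>\S+) (?P<action>was created|drops new files|starts a new process): "(?P<path>[^"]+)"$'
)

# Document viewers from which a drop-and-run is highly suspicious (assumed, not exhaustive).
DOCUMENT_VIEWERS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'acrord32.exe'}


def parse_report(lines):
    """Turn report lines into (process, action, path) triples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group('proc'), m.group('action'), m.group('path')))
    return events


def find_write_then_execute(events):
    """Return (dropper, path) pairs: a process wrote a file and later started it as a process."""
    dropped = {}  # normalised path -> process that wrote it
    findings = []
    for proc, action, path in events:
        key = path.lower()
        if action == 'drops new files':
            dropped[key] = proc
        elif action == 'starts a new process' and key in dropped:
            findings.append((dropped[key], path))
    return findings


def scan_report(lines):
    """Score a report. The weights are assumed; the tag text mirrors the slide's ReportScanner line."""
    findings = find_write_then_execute(parse_report(lines))
    tags = set()
    for dropper, _ in findings:
        if dropper.lower() in DOCUMENT_VIEWERS:
            tags.add('Document: Writes a file then executes it')
        else:
            tags.add('Process: Writes a file then executes it')
    if 'Document: Writes a file then executes it' in tags:
        score = 80
    elif tags:
        score = 50
    else:
        score = 0
    return score, sorted(tags)


if __name__ == '__main__':
    print(scan_report(SAMPLE_REPORT))  # (80, ['Document: Writes a file then executes it'])
```

The path is matched case-insensitively because Windows file systems are; a process that starts a file it did not itself write is deliberately not flagged by this rule, since that is what every normal launcher does.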
30. Spear Phishing
From: abudhabi@mofa.gov.sy
To: tehran@mofa.gov.sy
Date: Monday February 6, 2012 05:51:24
Attachment: 23 fdp.scr
---- Msg sent via @Mail - http://atmail.com/
Colleagues in the code office,
Please acknowledge the receipt of the
telegram No. 23 in attachment.
Thanks,
Embassy / Abu Dhabi
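The attachment name on the slide, "23 fdp.scr", is a screensaver executable whose tail reads backwards; a Unicode right-to-left override character (U+202E) placed in a filename makes a mail client render the rest reversed, so the stored name "23 <RLO>fdp.scr" displays as "23 rcs.pdf". The slide does not spell out that mechanism, so the example assumes it. The Python below is an added example, not part of the presentation: a gateway-side check on an attachment name that flags bidi control characters, directly executable extensions, and a displayed extension that looks like a document. The extension lists and the rendering approximation are assumptions.

```python
# Bidirectional control characters that can make a filename display differently from how it is stored.
BIDI_CONTROLS = {'\u202a', '\u202b', '\u202c', '\u202d', '\u202e', '\u2066', '\u2067', '\u2068', '\u2069'}
RLO = '\u202e'  # RIGHT-TO-LEFT OVERRIDE: text after it is rendered reversed

# Extensions Windows executes directly (assumed, not exhaustive) and ones users read as documents.
EXECUTABLE_EXTS = {'.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.js', '.vbs', '.hta'}
DOCUMENT_EXTS = {'.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.txt', '.jpg'}


def displayed_name(name):
    """Approximate what a mail client shows: the part after an RLO appears reversed."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def extension_of(name):
    """Extension of the name as stored on disk, ignoring invisible control characters."""
    clean = ''.join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind('.')
    return clean[dot:].lower() if dot != -1 else ''


def analyze_attachment(name):
    """Return the reasons an attachment name should be held for review; an empty list means none found."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append('bidi control character in filename')
    stored_ext = extension_of(name)
    if stored_ext in EXECUTABLE_EXTS:
        reasons.append('executable extension ' + stored_ext)
        shown_ext = extension_of(displayed_name(name))
        if shown_ext in DOCUMENT_EXTS:
            reasons.append('displays as ' + shown_ext + ' document')
    return reasons


if __name__ == '__main__':
    # Constructed test name: the slide's attachment with the override character put back in.
    for sample in ('23 \u202efdp.scr', 'telegram_23.pdf', 'setup.scr'):
        print(repr(displayed_name(sample)), analyze_attachment(sample))
```

The check is on the stored name, never the rendered one: a user sees "23 rcs.pdf", but the operating system opens "23 fdp.scr" with the screensaver handler, which is what runs the payload.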
31. Social Engineering Attacks
• Deceive the user into thinking that something useful is installed
– Video players
– Anti-virus
– Screen savers
– …
32. After the Infection:
A Botnet Case Study
http://www.cs.ucsb.edu/~vigna/publications/ccs09_torpig.pdf
33. Hijacking the Botnet
• Reverse engineered the DGA used in Torpig and
the C&C protocol
– Noticed that domains generated for 1/25/2009 –
2/15/2009 were unregistered
– Registered these domains
• Controlled the botnet for 10 days
– Unique visibility into a botnet’s operation
– 180,000 infected hosts
– 8.7 GB of Apache logs
– 69 GB pcap data (containing stolen information)
34. Threats
• 8,310 unique accounts from 410 financial
institutions
– Top 5: PayPal (1,770), Poste Italiane, Capital One,
E*Trade, Chase
– 38% of credentials stolen from browser’s password
manager
• 1,660 credit cards
– Top 3: Visa (1,056), Mastercard, American Express,
Maestro, Discover
– US (49%), Italy (12%), Spain (8%)
– Typically, one CC per victim, but there are exceptions …
35. Value of the Financial Information
• Symantec [2008] estimates
– Credit card value at $.10 to $25.00
– Bank account at $10.00 to $1,000.00
• Using Symantec estimates, 10 days of Torpig
data valued at $83K to $8.3M
37. Ideal World
Secure code
• Software we use contains
no vulnerability, or
• Vulnerabilities are mitigated
using sound security and
engineering principles (least
privilege, containment, etc.)
Unfortunately currently only a
handful of “secure programs”
and often in specialized
sectors (regulations vs.
innovation)
User awareness
• Users are aware of security
threats
• They always make the right
decision
Unfortunately experiments
show users extremely bad at
making security decisions
(security vs. usability)
43. Common Sense Defenses
• Don’t open links/attachment from unknown sources
• However, ineffective against social/targeted attacks
44. Common Sense Defenses
• Limit web access to trusted/reputable sites
• However, ineffective against watering hole
attacks, malicious advertisements, web site
compromises
45. Common Sense Defenses
• Access sensitive services (e.g., online banking)
from dedicated machine
• However, inconvenient
46. Current Solutions Are Not Enough
• Firewalls are not enough
– Users actively (and unsuspectingly) go out to the attacker
– Attackers use port 80
• Intrusion Detection/Prevention (IDS/IPS) systems are not
enough
– Signatures and blacklists only catch known attacks
– Limited insight into downloaded artifacts
(binaries, spear-phishing links, …) and outbound network activity
• Anti-virus systems are not enough
– Artifacts change their appearance at a fast pace
(Signatures and blacklists insufficient, manual analysis of threats
requires an enormous amount of resources)
– AV vendors do not see the binary used in targeted attacks
(They cannot create any signature)
47. Solutions To Advanced Malware
• Analysis of incoming artifacts (what gets in)
– Web downloads, mail attachments
• Analysis of outgoing traffic (what gets out)
– DNS traffic, web traffic
• What gets out
• Where it goes
• How it is sent
• Use of correlation to present complete picture to
the system administrator
• But how good is the analysis?
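"Analysis of outgoing traffic (DNS traffic)" on this slide and the Torpig domain generation algorithm on slide 33 meet in the resolver log: a bot working through generated domains produces a burst of failed lookups for random-looking names before one of them resolves to the live C&C. The Python below is an added example, not Lastline's analytics: it profiles each internal client's NXDOMAIN answers and flags a burst of high-entropy second-level labels. The log format, the sample lines and the thresholds are constructed and assumed.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: <time> <client> <qname> <rcode>
SAMPLE_DNS_LOG = """\
2013-03-01T10:00:01 10.0.0.5 www.example.com NOERROR
2013-03-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2013-03-01T10:00:03 10.0.0.5 exampel.com NXDOMAIN
2013-03-01T10:00:04 10.0.0.7 xk3qzv8mbw.com NXDOMAIN
2013-03-01T10:00:04 10.0.0.7 pq9r2ltvhc.net NXDOMAIN
2013-03-01T10:00:05 10.0.0.7 bj4wxt7nqa.com NXDOMAIN
2013-03-01T10:00:05 10.0.0.7 zm6d1sryku.org NXDOMAIN
2013-03-01T10:00:06 10.0.0.7 hv2gkpl9ce.com NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character; dictionary words score low, generated labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(qname):
    parts = qname.rstrip('.').split('.')
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            rows.append(tuple(fields))
    return rows


def profile_clients(rows):
    """Per client: number of NXDOMAIN answers and mean entropy of the failed names' second-level label."""
    nx = defaultdict(list)
    for _, client, qname, rcode in rows:
        if rcode == 'NXDOMAIN':
            nx[client].append(shannon_entropy(second_level_label(qname)))
    return {client: (len(ents), round(sum(ents) / len(ents), 2)) for client, ents in nx.items()}


def flag_dga_suspects(rows, min_nx=4, min_entropy=3.0):
    """Clients with a burst of failed lookups for high-entropy names (thresholds are assumed)."""
    prof = profile_clients(rows)
    return sorted(c for c, (count, ent) in prof.items() if count >= min_nx and ent >= min_entropy)


if __name__ == '__main__':
    rows = parse_dns_log(SAMPLE_DNS_LOG)
    print(profile_clients(rows))
    print(flag_dga_suspects(rows))  # ['10.0.0.7']
```

The single typo from 10.0.0.5 scores well below the entropy threshold and stays quiet, while 10.0.0.7 is flagged on the four failures alone; the name that finally resolved is the one worth looking at next, since that is where the stolen data goes.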
50. Nature of Advanced Malware
• Static code obfuscation and polymorphism
[Chart: number of times a hash is seen; > 93% of all samples are unique]
Source: Binary-Code Obfuscations in Prevalent Packer Tools, Tech Report, University of Wisconsin, 2012
Defeats signature-based anti-virus
51. Nature of Advanced Malware
• Dynamic evasion – checks for environment
Defeats sandbox and
virtual machines
52. Nature of Advanced Malware
• Dynamic evasion – stalling loops
Defeats sandbox and
virtual machines
53. Lessons Learned
• Attacks are increasingly targeted
• “Attackers no longer go after your firewall. They go
after your employees”
• Attackers are persistent and patient
• Need for constant monitoring approach to defense
• Attackers develop custom tools and attacks after they
have gained access to a target
• Global landscape still matters, but…
• Defenses tailored to local characteristics and activity
are critical
• Evasive malware
• Need for next-generation tools
56. Lastline
• Started in 2011 by team of professors and
PhDs from University of California, Santa
Barbara and Northeastern University, Boston
• Located in Santa Barbara, CA
• Technology based on 8+ years of research on
advanced malware
• Founders include the creators of Anubis and
Wepawet analysis tools
57. Previct Anti-Malware Solution
• Sentinel scans traffic for signs and anomalies that reveal C&C connections and infections
• Sentinel sends unknown objects (programs and documents) for high resolution analysis
• Manager receives and correlates alerts, and produces actionable intelligence
• Lastline proactively scouts the Internet for threats and updates the Sentinel knowledge base
58. Key Technology
1. High resolution analysis engines
– CPU emulation provides deep insights into malware execution
– Necessary to detect and bypass evasive checks
– Expose malicious behaviors that existing sandboxes don’t see
2. Big data analytics
– Anomaly detection of suspicious outbound
command-and-control (C&C) flows
– Internet-scale, active discovery of threats
– Correlation of low-level events into actionable threat intelligence
59. High-Resolution Malware Analysis
[Figure: instruction stream of a malware sample. Left: visibility without code emulation (traditional sandboxing technology). Right: visibility with code emulation (Lastline technology). Important behaviors and evasion happen in the part only the emulator sees.]
Case of espionage with likely political motivation. Attacks start around the time of an investigation critical of the Chinese prime minister. Attackers use compromised computers at several US universities to cover their tracks. Malware initially installed via spear-phishing emails. Perform a deep reconnaissance of the Times network. Identify domain controller servers. Break passwords for journalists' accounts. Access reserved email accounts and steal information from the email server. 45 distinct pieces of malware used: only 1 detected by Symantec.
http://www.symantec.com/connect/blogs/symantec-statement-regarding-new-york-times-cyber-attack
The Nortel case: http://online.wsj.com/article/SB10001424052970203363504577187502201577054.html
Hackers had apparently obtained the passwords of seven top officials, including a previous CEO. The hackers had been infiltrating Nortel's network, from China-based Internet addresses, at least as early as 2000.
Hackers had almost complete access to the company's systems […] Once you were on the inside of the network, it was soft and gooey.
Every month or so, a few computers on the network were sending small bursts of data to one of the same Internet addresses in Shanghai involved in the password-hacking episodes.
The spyware unearthed in 2009 was a sophisticated mix. On both computers, researchers found a particularly malicious and hard-to-spot spying tool, namely "rootkit" software that can give a hacker full control over a computer and enables them to conceal their spying campaign. On one computer, hackers had set up an encrypted communications channel to an Internet address near Beijing. On the other computer, the investigators found a program that hackers were likely using to sniff out other security weaknesses within Nortel's networks. The hackers had created a "reliable back door."
A top U.S. intelligence official said Nortel's hacking experience is representative of the types of incidents he sees. "That is consistent with what we've seen in long-term, multipronged attacks," he said. "If I'm looking to get a jump on my R&D, that's a good way to do it."
This slide highlights the difference explained before. The graphic shows a stream of instructions that might be part of a malware sample. The two sides show the subset of instructions that the individual systems are able to observe.
On the left-hand side, one can see the introspection offered by a traditional analysis engine, as it can only observe instructions that make calls to the library or native system interface. That is, the system might observe that the sample under analysis creates or opens a file and reads data from this file. It cannot observe, however, what the sample does with the read data.
On the right-hand side, one can see the entire trace of execution as seen by the emulated CPU of an advanced analysis system. The virtual CPU is also able to see what files are being read, but in addition, it associates data read from the system with CPU registers or memory locations and thus tracks the usage of the read information.
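To make the two views concrete, the following is an added Python toy, not Lastline's emulator or any code from the presentation: a tiny register machine in which a file read taints the destination register, data-movement and arithmetic propagate taint, and a send reports which files influenced the bytes it transmits. The instruction set and the trace are constructed. The API-level view returns what a hook-based sandbox would report on the same trace: the file read and the sends, with no link between them.

```python
# Constructed instruction trace for a sample that reads a document, obfuscates it and sends it out.
# Each entry is (operation, destination register, source register or operand).
SAMPLE_TRACE = [
    ('read_file', 'r1', 'C:\\Users\\user\\Documents\\contract.doc'),  # OS call: file bytes land in r1
    ('mov', 'r2', 'r1'),
    ('load_const', 'r3', 0x5a),
    ('xor', 'r2', 'r3'),            # "encrypt" the copy before exfiltration
    ('load_const', 'r1', 0),        # wipe the original copy
    ('send', 'r2', '203.0.113.7'),  # OS call: contents of r2 go to the network
    ('load_const', 'r4', 1),
    ('send', 'r4', '203.0.113.7'),  # a control message that carries no file data
]


def api_level_view(trace):
    """Hook-based sandbox: it sees the OS calls but not how data moved between them."""
    return [(op, operand) for op, _, operand in trace if op in ('read_file', 'send')]


def emulate_with_taint(trace):
    """Emulated CPU: every register carries the set of files whose bytes influenced its value."""
    taint = {}  # register -> set of source file paths
    sends = []  # (destination host, sorted list of files that reached it)
    for op, dst, src in trace:
        if op == 'read_file':
            taint[dst] = {src}
        elif op == 'load_const':
            taint[dst] = set()
        elif op == 'mov':
            taint[dst] = set(taint.get(src, set()))
        elif op in ('add', 'sub', 'and', 'or', 'xor'):
            if op == 'xor' and dst == src:
                taint[dst] = set()  # xor r, r zeroes the register; no file data survives
            else:
                taint[dst] = taint.get(dst, set()) | taint.get(src, set())
        elif op == 'send':
            sends.append((src, sorted(taint.get(dst, set()))))
        else:
            raise ValueError('unknown operation ' + op)
    return sends


def exfiltrated_files(trace):
    """(destination, file) pairs where file-derived bytes reached the network."""
    return [(host, f) for host, files in emulate_with_taint(trace) for f in files]


if __name__ == '__main__':
    print(api_level_view(SAMPLE_TRACE))
    print(exfiltrated_files(SAMPLE_TRACE))  # [('203.0.113.7', 'C:\\Users\\user\\Documents\\contract.doc')]
```

The xor with a constant does not clear the taint, which is the point: obfuscating the bytes before sending them changes their value but not their origin, and only a tracker that follows the data through the registers can tell the two sends apart.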