Modern cybercrime operates highly sophisticated campaigns that challenge, or even evade, the state of the art in defense and protection. On a daily basis, users worldwide are fooled by new techniques and threats that fly under the radar, such as new 0-days or attack vectors. We passively monitored how these attacks are conducted on real installations and unveiled the modus operandi of malware operators. In this presentation, we share with the audience our recent findings and the trends we observed in the wild from our analysis of 3 million software downloads, involving hundreds of thousands of Internet-connected machines. During the talk, we provide insights from our investigation, such as the effect of code signing abuse, the compromise of cloud providers' operations, the use of automatically generated domains for social engineering, and the business model behind modern malware campaigns. We also discuss the problem of "unknown threats", showing how the Internet's threat landscape is still largely unexplored and how badly this impacts millions of users. We conclude with a proof-of-concept system that we designed, which uses machine learning to generate human-readable rules for detection. Our system represents a potential mitigation to the problem of "unknown threats" and an assistance tool for analysts globally.
6. Experiment
● 3 million software binaries
  – Downloaded and executed
  – Not white-listed
● From hundreds of thousands of Internet machines
● 2 years after: best-effort labeling
  – Internal DBs + VT (VirusTotal)
10. APPROACH
Learn from the visible, the ‘known’
Condense this knowledge into an intelligent system
Let the system decide for us
11. What do users download and execute?
● Very “unprevalent” software
● The download URL is not white-listed
  – E.g., Microsoft updates
12. Distribution Model
● Popular websites house more malicious files than benign ones
● Heavy use of file hosting providers like softonic, cloudfront and mediafire
14. Social Engineering will Never Die!
● Adware
● Domains resembling media streaming websites
● Observed as well in malvertising
15. Social Engineering will Never Die!
● FakeAV
● Domains resembling antivirus software companies
● wmicrodefender27.nl offers malware concealed as Windows Defender Antivirus to Dutch users
16. Code Signing Adoption in Malware
● Malware is signed more often than benign software
● Browser-downloaded malware is signed most often
● First-stage vs second-stage malware
17. Code Signing Abuse
● Stuxnet
  – Targets SIMATIC WinCC, i.e. a SCADA and HMI system by Siemens
● Signature from Realtek Semiconductor
  – Then revoked
● Signature from JMicron Technology
18. Code Signing Abuse
● Massive hack against Sony Pictures (2014)
● Valid certificates sold in the underground
● Acquired by actors operating the Destover campaign
29. Business Model of Operators
● Campaign 1 → Campaign 2 → Campaign 3 ?
30. Business Model of Operators
● Malware operators stick to the malware campaign of their choice
● Case: Ransomware → Ransomware is 80%
● Reasons:
  – Technological bar higher than in the early 2000s
  – Different economic model, i.e. monetization and operational costs
36. Features
Category               Feature
Downloaded File        Signer Name, CA Name, Packer Name
Downloading Process    Signer Name, CA Name, Packer Name, Category
Downloading Domain     Popularity (Alexa)
37. Example rule
IF File Signer = “Apps Installer S.L.”
AND File CA = “thawte code signing ca g2”
AND Process Signer = “Microsoft Windows”
→ MALICIOUS
41-43. Rule generation and evaluation pipeline (built up over three slides)
Configuration: Features + Parameters
  ↓
Training Set (Month X) → PART → ~1500 Rules → PRUNING (τ=0) → ~1000 Subset Rules
  ↓ APPLY
Testing Set (Month X+1) → TP / FP → EVALUATION → Operational Rules (slide 42)
  ↓ APPLY
Unknown Set (slide 43)
47. IF File Signer = None AND Domain = unpopular [*] AND Process Signer = “Microsoft Windows” AND Process = Benign → Malicious
[*] over position 100,000 in Alexa
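The following is an added example, not code from the talk or its authors. It takes the feature names of slide 36 and the rule form of slides 37 and 47 (a conjunction of feature = value tests that fires MALICIOUS) and implements the APPLY / TP-FP / PRUNING stage of the slide 41-43 pipeline. Rule induction (PART) is not reproduced: the candidate rules are the two shown on the slides plus one constructed over-broad rule, and all download records are constructed. Treating τ as the maximum number of false positives a rule may keep on the training set is an assumption; the slides only show τ=0.

```python
"""Represent, evaluate and prune human-readable download-detection rules.

Added example (not the talk's code). Feature names follow slide 36, the rule
form follows slides 37 and 47, and the prune/apply steps mirror slides 41-43.
Records and the over-broad rule are constructed; tau's meaning is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Record = Dict[str, Optional[object]]
Labelled = Tuple[Record, str]

# Alexa rank beyond which a domain counts as "unpopular" (footnote, slide 47).
UNPOPULAR_RANK = 100_000


@dataclass(frozen=True)
class Rule:
    """Conjunction of (feature, value) tests; all must hold for the rule to fire."""
    tests: Tuple[Tuple[str, str], ...]
    verdict: str = "MALICIOUS"

    def matches(self, rec: Record) -> bool:
        return all(rec.get(feature) == value for feature, value in self.tests)

    def to_text(self) -> str:
        """Render in the IF ... AND ... -> VERDICT form used on the slides."""
        body = " AND ".join(f'{f} = "{v}"' for f, v in self.tests)
        return f"IF {body} -> {self.verdict}"


def derive(rec: Record) -> Record:
    """Derived features: a missing file signer becomes "None" (slide 47) and the
    raw Alexa rank becomes popular/unpopular. An unranked domain is treated as
    unpopular (assumption of this example)."""
    out = dict(rec)
    if not out.get("File Signer"):
        out["File Signer"] = "None"
    rank = out.get("Domain Rank")
    out["Domain"] = "unpopular" if rank is None or rank > UNPOPULAR_RANK else "popular"
    return out


def evaluate(rules: List[Rule], data: List[Labelled]) -> Dict[Rule, Tuple[int, int]]:
    """Per-rule (TP, FP) counts over a labelled set (the TP / FP box of slide 41)."""
    stats: Dict[Rule, Tuple[int, int]] = {}
    for rule in rules:
        tp = fp = 0
        for rec, label in data:
            if rule.matches(derive(rec)):
                if label == "MALICIOUS":
                    tp += 1
                else:
                    fp += 1
        stats[rule] = (tp, fp)
    return stats


def prune(rules: List[Rule], training: List[Labelled], tau: int = 0) -> List[Rule]:
    """Keep rules that fire at least once and produce at most tau false positives."""
    stats = evaluate(rules, training)
    return [r for r in rules if stats[r][0] > 0 and stats[r][1] <= tau]


def classify(rules: List[Rule], rec: Record) -> str:
    """Any firing rule yields its verdict; with MALICIOUS-only rules a silent
    sample cannot be called benign, so it stays UNKNOWN."""
    feats = derive(rec)
    for rule in rules:
        if rule.matches(feats):
            return rule.verdict
    return "UNKNOWN"


# Rules from slides 37 and 47, plus a constructed over-broad rule for contrast.
RULE_37 = Rule((("File Signer", "Apps Installer S.L."),
                ("File CA", "thawte code signing ca g2"),
                ("Process Signer", "Microsoft Windows")))
RULE_47 = Rule((("File Signer", "None"), ("Domain", "unpopular"),
                ("Process Signer", "Microsoft Windows"), ("Process Category", "Benign")))
BROAD_RULE = Rule((("Process Signer", "Microsoft Windows"),))  # constructed: fires on benign too
CANDIDATES = [RULE_37, RULE_47, BROAD_RULE]

# Constructed "month X" training records: (features, ground-truth label).
TRAINING: List[Labelled] = [
    ({"File Signer": "Apps Installer S.L.", "File CA": "thawte code signing ca g2",
      "Process Signer": "Microsoft Windows", "Process Category": "Benign",
      "Domain Rank": 5000}, "MALICIOUS"),
    ({"Process Signer": "Microsoft Windows", "Process Category": "Benign",
      "Domain Rank": 250000}, "MALICIOUS"),
    ({"File Signer": "Microsoft Corporation", "File CA": "Microsoft Code Signing PCA",
      "Process Signer": "Microsoft Windows", "Process Category": "Benign",
      "Domain Rank": 30}, "BENIGN"),
    ({"Process Signer": "Google Inc", "Process Category": "Benign",
      "Domain Rank": 400000}, "BENIGN"),
]

# Constructed "month X+1" testing records.
TESTING: List[Labelled] = [
    ({"Process Signer": "Microsoft Windows", "Process Category": "Benign",
      "Domain Rank": None}, "MALICIOUS"),
    ({"File Signer": "Apps Installer S.L.", "File CA": "thawte code signing ca g2",
      "Process Signer": "Microsoft Windows", "Process Category": "Benign",
      "Domain Rank": 80000}, "MALICIOUS"),
    ({"Process Signer": "Microsoft Windows", "Process Category": "Benign",
      "Domain Rank": 1200}, "BENIGN"),
]


def operational_rules(candidates: List[Rule], training: List[Labelled],
                      testing: List[Labelled], tau: int = 0) -> List[Rule]:
    """Slides 41-43 in miniature: prune on month X, then keep only the survivors
    that are still FP-free on month X+1 (assumption) as operational rules."""
    kept = prune(candidates, training, tau)
    test_stats = evaluate(kept, testing)
    return [r for r in kept if test_stats[r][1] == 0]


if __name__ == "__main__":
    for rule in operational_rules(CANDIDATES, TRAINING, TESTING):
        print(rule.to_text())
```

With τ=0 the over-broad rule is dropped on the training month because it also fires on the Microsoft-signed benign download, while the two slide rules survive both months; raising τ to 1 would let it through, which is the trade-off the pruning threshold controls.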
50. Discussion
● Our approach can be evaded, but at what cost?
● Evasion would require a change of signature and/or packer for each polymorphic variant
● Signature:
  – Acquiring valid certificates is not trivial
● Packer:
  – Attackers can switch to benign packers (instead of custom ones) → code analysis becomes trivial!