End of Studies project: Malware Response Center
1. Malware Response Center
Mr RAOUF LAMARI
Private Higher School of Computer Science and Technologies
End of Studies Project
National Agency for Computer Security
ABDESSABOUR AROUS
Mr FOUED ZGHIDI
3. Motivation
Anti-malware products can't handle all infections (especially new ones)
200,000 new unique malicious artifacts are collected per day (*)
Getting infected is a matter of time
Formatting the system disk is not always possible (production server)
We need a complete checkup of the system
* Source: http://www.sophos.com/en-us/support/knowledgebase/119112.aspx
4. Motivation
Microsoft Security Intelligence Report: Trends for the five locations with the highest malware infection rates in 2H13, by CCM (100,000 MSRT executions minimum)
Tunisia is the second!!!
5. Current Workflow (1/2)
NACS Assistance activity: Citizen/Company -> Requests -> Security Analyst
Contact channels:
Email: assistance@ansi.tn
Phone: 71 843 200
On site assistance: 94 Jughurta avenue, Mutuelle Ville, Tunis, Tunisia
Typical requests:
"My device performance is slowing down"
"My AV has detected a malware called WIN32.X but it was unable to remove it!"
"I have a window telling me that I need to pay some money to unlock my Computer"
6. Current Workflow (2/2)
Citizen / Company ask for help via: Email, On site, Phone
Then the analyst:
Asks the user to download and run an external tool
The user sends the tool report by email
Usually no precise result
Asks the user to run a bootable AV solution
7. Goals & Objectives
Build a system that provides all the facilities that the manual service already provides.
Automate the whole process.
Build a national capability in the malware analysis field.
Online, easy to use, efficient, ...
8. Proposed solution
Login/Register
Download the scanner
Upload the report
Device
Scan
Generate a report
Download a dedicated script
Create a ticket
Analyze the report
Check externals resources
Run the removal kit
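The "Analyze the report" step above is where the uploaded scan is matched against the whitelist and blacklist databases before an analyst looks at it. The following is an added illustration, not code from the project: the report layout (processes with their loaded modules and SHA-256 hashes), the hash databases and the verdict names are all assumptions, and the sample report and hashes are constructed inline so it runs offline. Confirmed blacklist hits become targets for a dedicated removal script; unknown hashes are left for the analyst to check against external resources; known-good hashes are dropped from the ticket.

```python
"""Triage of an uploaded scanner report against whitelist/blacklist databases.

Added example for the 'Analyze the report' step. Report format, database
contents and verdict names are assumptions, not the project's own.
"""
import hashlib
import json
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the hash the client would compute per file)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real module images, so every hash below is reproducible.
_KNOWN_GOOD = {name: sha256_hex(name.encode()) for name in ("kernel32.dll", "ntdll.dll", "explorer.exe")}
_KNOWN_BAD = {"dropper.dll": sha256_hex(b"constructed-malicious-sample-1")}

WHITELIST = set(_KNOWN_GOOD.values())   # assumed whitelist database (hash set)
BLACKLIST = set(_KNOWN_BAD.values())    # assumed blacklist database (hash set)

# Constructed report in the shape the client is assumed to upload (JSON).
SAMPLE_REPORT = json.dumps({
    "device": "CONSTRUCTED-PC",
    "processes": [
        {"pid": 1234, "name": "explorer.exe", "path": "C:\\Windows\\explorer.exe",
         "sha256": _KNOWN_GOOD["explorer.exe"],
         "modules": [
             {"name": "ntdll.dll", "path": "C:\\Windows\\System32\\ntdll.dll",
              "sha256": _KNOWN_GOOD["ntdll.dll"]},
             {"name": "dropper.dll", "path": "C:\\Users\\Public\\dropper.dll",
              "sha256": _KNOWN_BAD["dropper.dll"]},
         ]},
        {"pid": 5678, "name": "updater.exe", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe",
         "sha256": sha256_hex(b"constructed-unknown-binary"),
         "modules": [
             {"name": "kernel32.dll", "path": "C:\\Windows\\System32\\kernel32.dll",
              "sha256": _KNOWN_GOOD["kernel32.dll"]},
         ]},
    ],
})


def classify(sha256: str) -> str:
    """Blacklist takes precedence over whitelist; anything else needs an analyst."""
    if sha256 in BLACKLIST:
        return "malicious"
    if sha256 in WHITELIST:
        return "known_good"
    return "unknown"


def triage_report(report_json: str) -> dict:
    """Walk every process and loaded module, keep only what the analyst must see."""
    report = json.loads(report_json)
    findings = []
    for proc in report["processes"]:
        items = [("process", proc["pid"], proc["name"], proc["path"], proc["sha256"])]
        items += [("module", proc["pid"], m["name"], m["path"], m["sha256"])
                  for m in proc.get("modules", [])]
        for kind, pid, name, path, digest in items:
            verdict = classify(digest)
            if verdict != "known_good":
                findings.append({"kind": kind, "pid": pid, "name": name,
                                 "path": path, "sha256": digest, "verdict": verdict})
    counts = Counter(f["verdict"] for f in findings)
    # Ticket priority: any confirmed hit is high, unknowns only is normal, clean is low.
    priority = "high" if counts["malicious"] else ("normal" if counts["unknown"] else "low")
    return {"device": report["device"], "priority": priority,
            "findings": findings, "counts": dict(counts)}


def removal_targets(triage: dict) -> list:
    """Paths the dedicated removal script would be generated for: confirmed hits only."""
    return sorted({f["path"] for f in triage["findings"] if f["verdict"] == "malicious"})


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))
    print("removal targets:", removal_targets(result))
```

On the constructed report the ticket comes out as high priority with one malicious module (the dropper loaded into explorer.exe) and one unknown process (the Temp-folder updater) queued for the analyst; the three known-good images never reach the ticket.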
9. Methodology
We are AGILE, SCRUM based
SPRINT 0: Project Start
SPRINT 1: Modeling, Architecture and Graphical User Interface
SPRINT 2: Web App: Back Office
SPRINT 3: Web App: Front Office
SPRINT 4: Client: Windows Application
11. Solution comparison
Solutions compared: System Scanner tools, Antivirus, Malware Response Center, Malware Removal tools
Features compared:
Collect running applications
Blacklist database
Whitelist database
Real time scanner
Ticketing system
Cloud Analysis
Remove Malicious codes
12. Why a new Cleaner/Scanner?
Why build our own tank?
National Information Security is like National territorial security!
The improvement of a non-proprietary tool is not in your hands!
13. Overall architecture
User
Security Analyst
Web Server
Front End DB
Back End DB
External Resources
Internal Resources
Modules
Remote Storage
17. Overall architecture (Client side)
Processes
Threads
Loaded modules
Device Drivers
Graphical User Interface
Dynamic Link Libraries
Low-level programming = C
But C is not the reference for UI
18. Technologies used
Client side:
C# WPF UI
C/C++/Assembly modules (DLL)
Server side:
Nginx web server
Symfony2 framework
Python
MySQL front database
MongoDB + GridFS as backend database
Microsoft Azure Storage
19. Source code management
Git key features:
Distributed
Speed
Data integrity
GitLab key features:
Free and open source
Ticket management
Request management
Repositories, Users management
20. Testing
Unit testing (wherever relevant):
Client side (.NET): Visual Studio Unit test framework
Server side (PHP Symfony): Symfony2 unit test
BDD for acceptance tests:
Behat (PHP)
SpecFlow (C#)
22. Deployment
Currently in beta test version
Looking to work with pioneer partners:
To try the scanner and the online portal
Feature improvement
Estimate system workload
25. At the end
We managed to:
Develop a solution that covers the assistance workflow (from the client to the ticketing system)
Gather more accurate data about Tunisian Cyberspace:
Operating systems distribution
Infection distribution
Device use evolution
[Chart: Operating Systems (Windows 7, Windows XP, Android, Linux) per quarter: First Quarter, Second Quarter, Third Quarter, Fourth Quarter]
[Chart: Top malwares by platform: Windows, Linux, Android]
26. Future works
More scalable:
Message Queuing
Database replication and clustering
More automated:
Learning mode: Artificial Intelligence, Expert System
More defense in depth:
More granular security
Mandatory Access Control implementation
Support more devices: iOS, Mac OS, etc.
Feedback system and Social media integration.