(Beta version) My End of Studies Project presentation to get an Engineer degree in Computer Science. Abdessabour Arous - ESPRIT 2014

1. Malware ResponseCenter
MrRAOUFLAMARI
PrivateHigherSchoolof Computer Science and Technologies
End of StudiesProject
National Agency for Computer Security
ABDESSABOUR AROUS
MrFOUEDZGHIDI

2. 2

3. Motivation
Anti malware products can’t handle all infections (specially new ones)
200,000 newly unique malicious artifacts are collected per day (*)
Getting infected is a matter of time
Formatting the system disk is not always possible (production server)
We need a complete checkup of the system
* Source: http://www.sophos.com/en-us/support/knowledgebase/119112.aspx
3

4. Motivation 4
Microsoft Security Intelligence Report: Trends for the five locations with the highest malware infection rates in 2H13, by CCM (100,000 MSRT executions minimum)
Tunisia is the second !!!

5. CurrentWorkflow (1/2)
Security Analyst
Email: assistance@ansi.tn
Phone: 71 843 200
On site assistance: 94 Jughurtaavenue, MutuelleVille, Tunis, Tunisia
“My device performance is slowing down”
“My AV has detected a malware called WIN32.X but he was unable to remove it !”
“I have a window telling me that I need to pay some money to unlock my Computer”
NACS Assistance activity
Requests
Citizen/Company
5

6. Current Workflow (2/2)
Email
On site
Phone
Ask user to download and run an external tool
User send tool report by email
Usually no precise result
Ask user to run a bootable AV solution
Citizen
Company
1
2
3
4
5
Askfor help via
6

7. Goals & Objectives 7
Build a system that provides all the facilities that the manual service already provides.
Automate the hole process.
Build a national capability in malware analysis field.
Online, Easy to use, efficient, …

8. Proposedsolution 8
Login/Register
Download the scanner
Upload the report
Device
Scan
Generate a report
Download a dedicated script
Create a ticket
Analyze the report
Check externals resources
Run the removal kit

9. Methodology 9
SPRINT 0
SPRINT 1
SPRINT 2
SPRINT 3
SPRINT 4
Project Start
Modeling Architecture and Graphical User Interface
Web App:
Back Office
Web App:
Front Office
Client:
Windows Application
We are AGILE
SCRUM Based

10. Overallarchitecture 10
Collect running applications
Users management
Tickets management
Artifacts management
Modules management
Security Analysts management
www
Device Specific Code
Web Application

11. Solution comparison 11
Collect running applications
Blacklist database
Whitelist database
Real time scanner
System Scanner tools
Antivirus
Malware Response Center
Ticketing system
Malware Removal tools
Cloud Analysis
Remove Malicious codes

12. Why a new Cleaner/Scanner? 12
Why building our own tank?
National Information Security is like National territorial security!
The improvement of non proprietary tool is not in your hand!

13. Overallarchitecture 13
User
Security Analyst
Web Server
Front End DB
Back End DB
External Resources
Internals Resources
Modules
Remote Storage

14. External & Internal resources
Online Malware database
Sandboxes
Local Malware database
14
MD5 : 5f62962605b4858e20bfaf6edc8eb521

15. Database 15
Report{
Created At :
TICKET_ID :
OS_VERSION :
MACHINE_UNIQUE_ID :
PROCESSES : [
{
PROCESS_ID :
EXE_FILE :
PRIORITY_BASE :
MODULES : [
{
MODULE_NAME :
HASH :
SIZE :
}
]
}
]
}
Ticket_Status
•Id
•Label
Ticket
•Id
•Created At
•Status_Id
•Agent_Id
•Citizen_Id
•Description
Agent
•Id
•Name
•Firstname
•Email
•Password
•Mobile
Schema-less data
Different Workload
NOSQL+NOSQL OR SQL+NOSQL

16. Database 16
Object Document mapper
Doctrine
Object Relational mapper
class Ticket
{
/**
* @varinteger
*
* @ORMId
*/
private $id;
}
Report{
Created At :
TICKET_ID :
OS_VERSION :
MACHINE_UNIQUE_ID :
}
Class Report
{
/**
* @MongoDBId
*/
protected $id;
}
Agent
•Id
•Name
•Firstname
•Email

17. Overallarchitecture (Client side) 17
Processes
Threads
Loaded modules
Device Drivers
Graphical User Interface
Dynamic Link Libraries
Low level programming = C
But C is not the reference in UI

18. Technologies used
Client side:
C# WPF UI
C/C++/Assemblymodules (DLL)
Server side:
Nginxweb server
Symfony2 framework
Python
MySQL front database
MongoDB+ GridFsas backenddatabase
Microsoft Azure Storage
18

19. Source code management
Gitkey features
Distributed
Speed
Data integrity
Gitlabkey features
Free and open source
Ticket management
Request management
Repositories, Users management
19

20. Testing
Unit testing(whateverrelevant)
Client side( .NET ): Visual Studio Unit test framework
Server side( PHP SYMFONY ): Symfony2 unit test
BDD for acceptancetest
Behat(PHP)
Specflow(C#)
20

21. Security
OWASP TOP 10 Security flaws:
Input sanitazing
Anti CSRF token
Confidentiality: SSL
Vulnerabilityassesment
Via automatedscanner
21

22. Deploiement
Currently in beta test version
Looking to work with pioneer partners:
To try the scanner and the online portal
Features improvement
Estimate system workload
22

23. Implementation 23

24. Implementation 24

25. At the end
We succeed to:
Develop a solution that covers the assistance workflow (from the client to the ticketing system)
More accurate Data about Tunisian Cyberspace:
Operating systems distribution
Infection distribution
Device use evolution
25
Operating Systems
Windows 7
Windows XP
Android
Linux
0
2
4
6
First Quarter
SecondQuarter
Third Quarter
FourthQuarter
Top malwares
Windows
Linux
Android

26. Future works
More scalable:
Message Queuing
Databasereplicationand clustering
More automated:
Learning mode: ArtificialIntelligence, Expert System
More defensein depth:
More granularsecurity
MandatoryAccess Controleimplementation
Support more devices: iOS –Mac OS –etc…
Feedback system and Social media integration.
26

27. 27

28. 28
Question