Modern Malwares... Only a few clicks away from you!

DESCRIPTION

Modern Malwares... Only a few clicks away from you! Xavier Mertens - Principal Security Consultant. "We worried for decades about WMDs – Weapons of Mass Destruction. Now it is time to worry about a new kind of WMDs – Weapons of Mass Disruption." (John Mariotti). PowerPoint PPT presentation.


Ethical Hackers Are Your Best Friends

Modern Malwares... Only a few clicks away from you!
Xavier Mertens - Principal Security Consultant

"We worried for decades about WMDs – Weapons of Mass Destruction. Now it is time to worry about a new kind of WMDs – Weapons of Mass Disruption." (John Mariotti)

Telenet for Business

# whoami
Xavier Mertens, again!

Agenda
- Introduction
- How to fight?
- Quick wins
- Real time analysis
- Solutions
- Limitations
- Conclusions

Let's Avoid This!

Me? Breached?
- In 66% of investigated incidents, detection was a matter of months or even more
- 69% of data breaches are discovered by third parties
(Source: Verizon DBIR 2012)

Malicious Code is not New
- 1971 - The Creeper system, an experimental self-replicating program, infected DEC PDP-10 computers.
- 1986 - The Brain boot sector virus is released.
- 1999 - The Melissa worm targeted Microsoft Word and Outlook systems.
- 2000 - The ILOVEYOU worm, also known as Love Letter.
- 2003 - The SQL Slammer worm.
- 2010 - Stuxnet is the first worm to attack SCADA systems.
- 2011 - SpyEye and Zeus merged code is seen.
- 2013 - The CryptoLocker trojan horse is discovered.
- 2014?

2014? Fridge sends spam emails as attack hits smart gadgets

2014? Target PoS were compromised

2014? Yahoo! ads network compromised to redirect users to malicious websites

Malware?
A malware, or malicious code, is defined as software or firmware intended to perform an unauthorized process that will have an adverse impact on confidentiality, integrity and availability of an information system.

Understanding Threats
Attack actors
- $$$
- Espionage (industrial or political)
- Hacktivism
Attack vectors
- Mainly: HTTP / SMTP
- Local access (USB, CIFS)
- Interactions with humans

WMP: Weapon of Mass Pwnage

Backdoors in Software

Golden Tips
- Always download from official repositories
- Always cross-check the MD5/SHA1 hash
- Deploy in a lab

Bulk VS. Targeted
Bulk attacks use a well-known vulnerability in a piece of software
- Ex: CVE-2012-4681
- Lots of computers infected, low revenue
- Massive pwnage

Targeted attacks use a 0-day vulnerability in a piece of software
- Ex: CVE-2011-0609
- Limited number of victims but potentially huge revenue

Easy as 1, 2, 3, ... 4, 5!
- Step 1: 0-day attack via phishing
- Step 2: Backdoor installed and accessed
- Step 3: Privilege escalation & pivot
- Step 4: Gather data
- Step 5: Exfiltrate

Callbacks...
A malware without C&C communications is useless...
Callbacks are used to phone home:
- To send interesting data
- To ask what to do next

Below the Radar...
Callbacks must be stealthy: obfuscated, encrypted and looking very common.
Multiple channels:
- JPEG images
- Twitter
- Tor
- Google Drive
- ... Theoretically any web 2.0 app!

Agenda
- Introduction
- How to fight?
- Quick wins
- Real time analysis
- Solutions
- Limitations
- Conclusions

Step 1 - Infection
Rogue e-mails
- Security awareness
- Limit / scan attachments
Malicious websites
- Can be your favourite website visited daily
- Scan web traffic
- Trust nobody
- Prevent the click-o-mania

Step 2 - Malware Behavior
Alter the OS
- Create/alter files
- Create/kill processes
- Wait for events
- Work stealthily
Network flow
- Contact the C&C

Step 3 - Escalation & Pivot
Hardening
- Restrict user privileges
- Use OS security features
Network segmentation
- Don't put all your eggs in the same bag

Step 4 - Data Are Valuable
Protect your data
- Encrypt them
- Restrict access to them
- Data at rest
- Data in motion
- Data in use

Step 5 - Exfiltration
- Classify data
- Network flows

Due Diligence

Agenda
- Introduction
- How to fight?
- Quick wins
- Real time analysis
- Solutions
- Limitations
- Conclusions

RRD

NetFlow / Firewall Logs
- Why is this server trying to connect to the wild Internet?
- Why is this laptop trying to connect to China?
- Why does this protocol suddenly appear?

DNS
No DNS, no Internet!
- Malwares need DNS to communicate with the C&C
- Alert on any traffic to untrusted DNS
- Investigate suspicious domains
- Track suspicious requests (TXT)
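The three NetFlow questions and the DNS checks above, turned into detection logic as an added example (not from the deck): the trusted resolvers, the server VLAN, the port baseline and the log lines are constructed assumptions, and the "wild Internet" test is "destination outside RFC 1918 space".

```python
import ipaddress

# Assumptions (constructed for this example): the site's own resolvers, its
# server VLAN and the destination ports normally seen leaving the network.
TRUSTED_DNS = {"10.0.0.53", "10.0.0.54"}
SERVER_NET = ipaddress.ip_network("10.0.10.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BASELINE_PORTS = {"25", "53", "80", "443", "445"}

# Constructed sample logs: "src dst proto qtype qname" for DNS queries and
# "src dst proto dport" for firewall/NetFlow records.
DNS_LOG = """\
10.0.20.15 10.0.0.53 udp A www.example.com
10.0.20.15 203.0.113.53 udp A updates.example.net
10.0.20.31 10.0.0.53 udp TXT k3y.cmd.example.org
10.0.10.5 10.0.0.54 udp A intranet.example.com
"""
FLOW_LOG = """\
10.0.10.5 203.0.113.9 tcp 443
10.0.10.5 10.0.20.1 tcp 445
10.0.20.15 198.51.100.7 tcp 6667
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def dns_alerts(log):
    """Flag queries sent to a resolver we do not run, and TXT lookups."""
    alerts = []
    for line in log.splitlines():
        src, dst, _proto, qtype, qname = line.split()
        if dst not in TRUSTED_DNS:
            alerts.append(("untrusted-resolver", src, dst, qname))
        if qtype == "TXT":
            alerts.append(("txt-query", src, dst, qname))
    return alerts

def flow_alerts(log):
    """Flag servers talking to the Internet and ports outside the baseline."""
    alerts = []
    for line in log.splitlines():
        src, dst, _proto, dport = line.split()
        if ipaddress.ip_address(src) in SERVER_NET and not is_internal(dst):
            alerts.append(("server-to-internet", src, dst, dport))
        if dport not in BASELINE_PORTS:
            alerts.append(("new-protocol", src, dst, dport))
    return alerts
```

Each alert tuple names the rule that fired, so the output can be fed straight into the "Action... Reaction!" step on the Intelligence slide.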

DNS

virustotal.com

urlquery.net

Intelligence
- Local logfiles
- Public resources
- Suspicious behavior
Action... Reaction!

Incident Handling

Agenda
- Introduction
- How to fight?
- Quick wins
- Real time analysis
- Solutions
- Limitations
- Conclusions

Two Approaches

VS.

Hashing
1. Files are extracted from network flows
2. Hash is computed
3. Hash is compared to a database (local or remote)
4. File is blocked (known hash) or allowed

Sandbox (Live)
1. Files are extracted from network flows
2. Files are executed in a sandbox
3. Behavior is analyzed and a score is computed
4. File is blocked (score above threshold) or allowed
Score is computed based on actions performed by the malware:

if ($score > $threshold) { alert(); }

Action                     Score
Try to find a debugger     +1
Connect to a known IP      +2
Perform multiple sleep()   +1
Inject itself into a DLL   +3
TOTAL                      +7

So what?
               Pro                                 Con
Hashing        Speed                               Less reliable
               Privacy                             Database growing daily
               Integrated into modern firewalls    0-day or targeted malwares not detected
Live Analysis  More reliable                       Resource usage intensive
               Targeted malware detected           Requires dedicated hardware
                                                   Privacy issue?

Agenda
- Introduction
- How to fight?
- Quick wins
- Real time analysis
- Solutions
- Limitations
- Conclusions
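The two approaches compared above, as added example code (not from the deck or from any product it names): a hash lookup beside a behaviour score that uses the slide's own weights. The threshold, the known C&C address, the sandbox event format and the sample bytes are constructed assumptions; the one-byte variant shows why the Con column says hashing misses targeted malware.

```python
import hashlib

# Weights from the slide's scoring table; the threshold and everything else
# below are constructed assumptions for this example.
ACTION_SCORES = {"find_debugger": 1, "connect_known_ip": 2,
                 "multiple_sleep": 1, "inject_dll": 3}
THRESHOLD = 5
KNOWN_C2_IPS = {"203.0.113.9"}

# Constructed "known bad" database: the SHA-256 of a constructed byte string
# stands in for a real sample; a one-byte variant is enough to miss it.
KNOWN_BAD_SAMPLE = b"constructed sample, not real malware"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

def hash_verdict(file_bytes):
    """Approach 1: compute the hash, look it up, block only on a known hash."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "block" if digest in KNOWN_BAD_HASHES else "allow"

def classify_events(events):
    """Map raw sandbox events (constructed (kind, value) pairs) to the
    slide's scored actions; repeated Sleep() calls count as one action."""
    actions, sleeps = set(), 0
    for kind, value in events:
        if kind == "api" and value == "IsDebuggerPresent":
            actions.add("find_debugger")
        elif kind == "api" and value == "Sleep":
            sleeps += 1
        elif kind == "connect" and value in KNOWN_C2_IPS:
            actions.add("connect_known_ip")
        elif kind == "inject":
            actions.add("inject_dll")
    if sleeps >= 3:
        actions.add("multiple_sleep")
    return actions

def sandbox_verdict(events, threshold=THRESHOLD):
    """Approach 2: sum the weights of observed actions; block above threshold."""
    score = sum(ACTION_SCORES[a] for a in classify_events(events))
    return ("block" if score > threshold else "allow", score)

# Constructed sandbox trace reproducing the slide's +7 example.
SAMPLE_EVENTS = [("api", "IsDebuggerPresent"), ("api", "Sleep"), ("api", "Sleep"),
                 ("api", "Sleep"), ("connect", "203.0.113.9"),
                 ("inject", "target.dll")]
```

hash_verdict(KNOWN_BAD_SAMPLE + b"\x00") returns "allow" while sandbox_verdict(SAMPLE_EVENTS) still blocks, which is the whole difference between the two columns of the table.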

Some products
- Palo Alto Networks Wildfire
- Check Point Anti-bot & Threat Emulation
- FireEye (core business)
- Cuckoo (open source project)

Advantages
- PA & CP integrate smoothly with existing infrastructure
- Data is captured live
- Cloud or appliance based
- Data sharing
- Web traffic, email protocols (SMTP, IMAP, POP), FTP, and SMB.

Mix Technologies!
- Inspect traffic with the product proposed by your firewall vendor
- Mix this with off-line tools to inspect network shares or suspicious computers
- On-demand analysis

Agenda
- Introduction
- How to fight?
- Quick wins
- Real time analysis
- Solutions
- Limitations
- Conclusions

Cat & Mouse Game

Evasive Techniques
- Wait for user interactions
- Look at the environment ($ENV): HW devices, MAC addresses, disk size, processes, ...
- Use non-standard protocols
- Use encryption

Let's tap!
- Access to malwares in motion?
- Where to capture the traffic?
- Malware could be already installed and stealthy

Sandboxes
- OS & software restricted to Windows
- Difficult to deploy your own images with commercial products
- Only droppers are analyzed, and after?

Agenda
- Introduction
- How to fight?
- Quick Wins
- Live Analysis
- Solutions
- Limitations
- Conclusions

Conclusions
- You will be hit by a malware! Be ready... or maybe you are already infected?
- You already have valuable data, use them to track suspicious activity
- Best practices might reduce risks
- Backdoors in software aren't reported as suspicious
- Patch, patch and patch again

Thank You!

Interested? Contact your Account Manager for more information!