IT Professions in the Anti-Malware Industry - Roberto Sponchioni, Sr. Anti-Malware Engineer

Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry


  • IT Professions in the Anti-Malware Industry

    Roberto Sponchioni

    Sr. Anti-Malware Engineer

  • Who am I?

    Working as a Senior Anti-Malware Engineer @ Symantec

    Worked as a Security Consultant (PT/VA, Incident Response)

    Graduated from University of Milan (DTI)

Copyright 2014 Symantec Corporation

  • A long series of data breaches: some examples

  • A long series of data breaches in the US

    Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/

  • Malware, it's everywhere: What is it? What's its purpose? Who's behind it?

  • Different types of malware, different purposes

    DDoS botnet (Backdoor.Zemra, Linux.Shelldos, Linux.Xnote, etc.)

    Banking malware (Zbot, Carberp, etc.)

    Ransomlock & Cryptolocker

    Mobile malware

    Information-stealing malware (Rodagose, Rawpos, Steem, etc.)

    APT (zero-day-exploits, ad-hoc malware, spearphishing, etc.)

    State sponsored / cyberespionage (Stuxnet, etc.)

    Exploit kits (Blackhole, Angler, Rig, etc.)

  • It's easy to build your own malware

  • What would you do to protect yourself / your company?

    User education

    Antivirus / security products

    Reputation systems

    Firewall

    IDS/IPS sensors within the network

    Follow best practices (ISO-27001, etc.)

  • Let's look at some figures

  • Let's look at some figures

    How much malware/adware/PUAs do we see?

    That's ~190M in 1 month, i.e. ~6M per day.

  • Let's look at some figures

    In total: network and files are...

    That's ~250M in 1 month, i.e. ~8M per day.

  • Let's look at some figures

    Number of reputation queries?

    ~ 40 + 35 billion (URLs + Files)

  • The need for specialists!

    IT professionals work hard to protect our data

    Malware Researchers, QA, Developers, Network Security Specialists, IR

  • Symantec Security Response - 24/7

  • What do we do in Security Response? Let's have a look at some examples

  • Let's try to identify a malware sample: What would you do to identify a malicious file?

    File structure analysis

    Behavioural analysis
      Network analysis
      File system changes
      Registry changes
      Etc.

    Code analysis & debugging
      Identify hidden functionalities
      Forcing the code to follow different branches
      Etc.

  • File structure analysis: What would you do to identify a malicious file?

    EXE icon

    Packer identification

    [Figure: a normal executable (header, code, data) next to a packed executable (header, compressed/encrypted code + data, packer's code)]

    Suspicious data
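As an added illustration of the packer identification step on this slide (example code, not from the original talk), the script below parses the section table of a PE file and flags sections whose byte entropy suggests compressed or encrypted content, which is what a packed executable's "compressed/encrypted code + data" region looks like on disk. The PE image it analyses is constructed inline, and the 7.0 bits/byte threshold is an assumed rule of thumb, not a figure from the talk.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for compressed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section header; only the PE fields needed are parsed."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections, opt_size = struct.unpack_from("<H12xH", image, pe_off + 6)
    table = pe_off + 24 + opt_size                                # section table follows the optional header
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def packed_sections(image: bytes, threshold: float = 7.0):
    """Sections whose raw bytes look compressed or encrypted: [(name, entropy)] above threshold (assumed 7.0)."""
    scored = [(n, round(shannon_entropy(raw), 2)) for n, raw in pe_sections(image)]
    return [(n, h) for n, h in scored if h > threshold]

def build_sample_pe(sections):
    """Constructed minimal PE32 image (headers + sections, not a runnable program) used as offline sample input."""
    opt = b"\0" * 224                                             # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    ptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    headers, blobs = b"", b""
    for i, (name, data) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000 * (i + 1),
                               len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs, ptr = blobs + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + opt + headers + blobs

# Constructed sample: two plain sections and one high-entropy stand-in for a packed payload.
SAMPLE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x90\x90\xc3" * 700),
    (".data", b"Hello, world!\0" * 100),
    ("UPX1", bytes(range(256)) * 16),
])

if __name__ == "__main__":
    print("possibly packed:", packed_sections(SAMPLE))   # [('UPX1', 8.0)]
```

On a real sample, pair the entropy score with the section names and the entry point location, since a high-entropy .rsrc section full of images is normal while high-entropy code sections with an entry point outside them are the classic packer layout.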

  • Behavioural analysis: What would you do to identify a malicious behaviour?

    File system (e.g. lowered security settings)

    Registry changes (e.g. autorun keys)

    Network Traffic

  • Code analysis & debugging: What can you do if you have the ASM code?

    Identify hidden functionalities

    Identify malware capabilities such as propagation, load points, infection, and C&C server communications

    Identify encryption and compression algorithms used

    Identify portions of code/data that can be used to identify the threat

  • Malware is getting smarter

  • Examples of evasion techniques are:

    Sandbox evasion

    Anti-VM tricks

    Anti-analysis tricks

    Signature evasion

    How can they do that?

  • What we do in Symantec Security Response

    Analyse new malware (e.g. Stuxnet, Regin)

    Analyse malware submitted by customers

    Analyse and write reports for internal use and for customers

    Write automation tools and systems

    Write decryptors, decoders, and DGA-decoders

    Write generic detections and remediation routines

    Develop FixTools (e.g. Poweliks, Ramnit)

    Write blog entries about new malware and trends

  • What we do in Symantec Security Response: Decryptors, just an example

  • IT professionals involved in malware protection

    Malware Researchers

    Automation Developers

    Network Analysis Specialists

    QA Engineers

    Incident Responders / Incident Handlers

    Engine Developers

  • On-site analysis: Incident Handlers/Responders

  • Incident Responders on-site: We're not talking about Event Analysts here

    Data collection (order of volatility must be preserved)
      Timeline of operations
      Chain of custody

    Data analysis
      Memory analysis (live analysis)
      Log analysis
      File analysis (EnCase, FTK, Sleuthkit, malware analysis)
      Network traffic analysis
      Customer machine replication on VMware

  • How to get a job in IT security: some tips

  • Some tips

    Be passionate

    Work on external projects

    Work hard on your university projects

    Work hard on your dissertation

    We are hiring!

  • Let's talk! Scenario time! You're a security specialist now

  • Q & A

    Roberto Sponchioni

    Thank you!

    [email protected]