Chester Wisniewski
Senior Security Advisor
@chetwisniewski

The ins and outs of stopping unwanted software
Agenda
• What exactly are we talking about?
• History
• Evasion
• Tactics for detection
• Isn't anti-virus dead?
Viruses
• Generic term, specific meaning
• Macro
• Boot sector
• Executables
• Need a “host”
• Self-replicating

[Diagram: PE file layout, Header | Virus | Footer]
Worms
• Self-replicating
• Self-contained
• Utilize exploits or purloined privilege
• USB/Network/Email
• Stuxnet/Conficker/Qbot/Koobface
Trojans
• Don't self-replicate
• Often “dropped”
• Not always trickery
• Pirated content rampant with Trojans
• Email attachments
• Rootkits (more later)
Packers
• UPX
• ASPack
• Shrinker
• Neolite
• Self-extracting archives: PKZip/PKLite
• A program within a program
Polymorphism
• 1990 – “1260” virus
• Mutation code self-contained
• Signatures work at first…
• Need a more sophisticated approach
Server-side polymorphism
• Self-decrypting malware
• Generating code unknown
• Crypto-wrapper
• Key available
• Slow

[Diagram: Original malcode + Encryption algorithm + Dynamically generated encryption key -> Self-decrypting malware blob]
Rootkits
• Named after “root” access on Unix-like systems
• Hides presence: processes, files, etc.

[Diagram, two builds: the Anti-virus asks the Operating System to list files. Without a rootkit the file list returned is App.exe, File.docx, malware.exe, Preso.pptx. With a Rootkit interposed between the two, the same request returns App.exe, File.docx, Preso.pptx: malware.exe has been filtered out of the list.]
Zero-day vulnerabilities
• Someone got there before we did

Product        Type       Targeted?  Date      Notes
Firefox        Info Disc  No         2015-Aug  Stolen from Bugtraq
Internet Exp   RCE        Yes        2015-Jul  Hacking Team
Flash          RCE        Yes        2015-Jul  Hacking Team
Internet Exp   XSS        No         2015-Feb  Bypass SoP, RD
Flash          RCE        Yes        2015-Jan  Out of band
Flash          RCE        Yes        2015-Jan  Out of band
Win 8.1        EoP        No         2015-Jan  Project 0 day
Win Server     EoP        Yes        2014-Nov  Kerberos
Beyond signatures - VDL
• Nothing wrong with looking for bytes, but need more sophistication
• Sophos developed the VDL, Virus Description Language
• Files are often containers or archives and can contain other files within (Office-Macro, HTML-JavaScript, Zip-EXE)
• Need to only apply detection logic to appropriate streams, efficiency critical
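As an added example (not from the deck, and not Sophos's VDL), here is a small Python scanner that shows the container point above: it classifies each stream by its leading bytes, descends into ZIP members, and applies only the rules written for that stream type, so a "<script" string in a plain text file never triggers the HTML rule. The magic-byte table, the rule names and the sample archive are all constructed for this example.

```python
import io
import zipfile

# Magic bytes used to classify a stream (table constructed for this example).
SIGNATURES = {
    b"MZ": "pe",            # Windows executable
    b"PK\x03\x04": "zip",   # ZIP container
}

def classify(data: bytes) -> str:
    """Classify a byte stream by its leading bytes; anything unknown is 'raw'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "raw"

# Hypothetical rules keyed by stream type: a rule only runs against the stream
# type it was written for, so the PE rule never scans HTML and vice versa.
RULES = {
    "pe":   [("PE_TEST_MARKER", b"TEST-MARKER")],
    "html": [("HTML_SCRIPT_TAG", b"<script")],
}

def scan(data, path="<root>", depth=0, max_depth=4):
    """Classify a stream, apply only its type's rules, recurse into ZIP members.
    Returns (path, rule_name) hits; max_depth bounds nested archives."""
    kind = classify(data)
    hits = [(path, name) for name, pattern in RULES.get(kind, []) if pattern in data]
    if kind == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > 8 * 1024 * 1024:   # refuse oversized members
                    continue
                hits += scan(zf.read(info), f"{path}/{info.filename}", depth + 1, max_depth)
    return hits

def build_sample() -> bytes:
    """Constructed input: a ZIP holding an HTML page with a script tag, a text
    file that merely mentions '<script', and a nested ZIP with a fake PE stream."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.exe", b"MZ" + b"\x00" * 64 + b"TEST-MARKER")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("page.html", b"<html><body><script>x()</script></body></html>")
        zf.writestr("readme.txt", b"<script> appears here, but this is plain text")
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan(build_sample())` yields exactly two hits, one for page.html and one for nested.zip/payload.exe; readme.txt is classified as raw and is never checked against the HTML rule.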
ASLR/DEP/BOPS
• Drive-by attacks need silent, but deadly efficiency
• Make exploits tough, look for tell-tale signs
• Increase attack difficulty