Chester Wisniewski
Senior Security Advisor
@chetwisniewski

The ins and outs of stopping unwanted software


2

Agenda
• What exactly are we talking about?
• History
• Evasion
• Tactics for detection
• Isn't anti-virus dead?

3

Terms
• PE
• Macro
• Mach-O
• ELF
• DEX/ART

4

Viruses
• Generic term, specific meaning
• Macro
• Boot sector
• Executables
• Need a “host”
• Self-replicating

Diagram: PE file layout (Header, Virus, Footer)

5

Worms

• Self-replicating
• Self-contained
• Utilize exploits or purloined privilege
• USB/Network/Email
• Stuxnet/Conficker/Qbot/Koobface

6

Trojans

• Don't self-replicate
• Often “dropped”
• Not always trickery
• Pirated content rampant with Trojans
• Email attachments
• Rootkits (more later)

7

Tactics

8

Signatures
• Original approach from mid-1980s

9

A brief history
• 1980 – Elk Cloner

10

A brief history
• 1991 – Casino

11

A brief history
• 1991 – Cannabis

12

A brief history
• 1996 – Tentacle

13

A brief history
• 2001 – Septer

14

A brief history
• 2010 – Fake Anti-Virus

15

A brief history
• 2012 – Cryptolocker

16

Packers
• UPX
• ASPack
• Shrinker
• Neolite
• Self-extracting archives PKZip/PKLite
• A program within a program

17

Polymorphism
• 1990 – “1260” virus
• Mutation code self-contained
• Signatures work at first…
• Need a more sophisticated approach

18

Server-side polymorphism
• Self-decrypting malware
• Generating code unknown
• Crypto-wrapper
• Key available
• Slow

Diagram: Original malcode + Encryption algorithm + Dynamically generated encryption key → Self-decrypting malware blob

19

Rootkits
• Named after “root” access on Unix-like systems
• Hides presence: processes, files, etc.

Diagram: Anti-virus asks the Operating System to “List files”; the file list returned is App.exe, File.docx, malware.exe, Preso.pptx

20

Rootkits
• Named after “root” access on Unix-like systems
• Hides presence: processes, files, etc.

Diagram: Anti-virus asks the Operating System to “List files”; the Operating System's list is App.exe, File.docx, malware.exe, Preso.pptx, but the Rootkit sits in between and the Anti-virus receives only App.exe, File.docx, Preso.pptx

21

Certificate abuse

22

No need to steal certificates… Commandeer them

23

MWI

24

Zero-day vulnerabilities
• Someone got there before we did

Product       Type       Targeted?  Date      Notes
Firefox       Info Disc  No         2015-Aug  Stolen from Bugtraq
Internet Exp  RCE        Yes        2015-Jul  Hacking Team
Flash         RCE        Yes        2015-Jul  Hacking Team
Internet Exp  XSS        No         2015-Feb  Bypass SoP, RD
Flash         RCE        Yes        2015-Jan  Out of band
Flash         RCE        Yes        2015-Jan  Out of band
Win 8.1       EoP        No         2015-Jan  Project 0 day
Win Server    EoP        Yes        2014-Nov  Kerberos

25

How we fail

26

Accuracy

27

Bob and weave

28

Evaluating risk effectively
• Distracted by noise
• Press hype
• People
• Process
• Tools

29

Defense = mitigation

30

Beyond signatures - VDL
• Nothing wrong with looking for bytes, but need more sophistication
• Sophos developed the VDL, Virus Description Language
• Files are often containers or archives and can contain other files within (Office-Macro, HTML-JavaScript, Zip-EXE)
• Need to only apply detection logic to appropriate streams, efficiency critical
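As an added illustration of the container-recursion and per-stream dispatch this slide describes (example code written for this page, not Sophos code and not the VDL): a toy scanner that types each stream by its leading bytes, unpacks archives recursively with a depth and size cap, and runs only the rules that belong to that stream type. The rule names, marker strings and the sample archive are constructed for the demonstration.

```python
import io
import re
import zipfile

# Toy per-stream rules (constructed; not Sophos VDL). A rule only ever runs
# against streams of its own type, so a PE marker in a text file is ignored.
RULES = {
    "pe":   [("Test/PE-Marker", re.compile(rb"CONSTRUCTED-PE-MARKER"))],
    "html": [("Test/HTML-Eval", re.compile(rb"<script>[^<]*\beval\(", re.I))],
}

def identify(data: bytes) -> str:
    """Type a stream by its leading bytes, never by its file name."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if re.match(rb"\s*<(!doctype|html|script)", data[:64], re.I):
        return "html"
    return "unknown"

def scan(data: bytes, path: str = "<root>", depth: int = 0, max_depth: int = 4) -> list:
    """Scan one stream, unpacking archives recursively; returns (path, detection) pairs."""
    hits = []
    kind = identify(data)
    for name, pattern in RULES.get(kind, []):
        if pattern.search(data):
            hits.append((path, name))
    if kind == "zip" and depth < max_depth:          # depth cap bounds nested archives
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > 10 * 1024 * 1024:  # refuse to inflate huge members
                    hits.append((f"{path}/{info.filename}", "Skipped/TooLarge"))
                    continue
                hits.extend(scan(zf.read(info), f"{path}/{info.filename}", depth + 1, max_depth))
    return hits

def build_sample() -> bytes:
    """Constructed input: a zip holding plain text, an HTML page and a nested zip with a fake PE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.exe", b"MZ\x90\x00 fake PE body CONSTRUCTED-PE-MARKER")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"CONSTRUCTED-PE-MARKER in plain text is not a PE hit")
        zf.writestr("page.html", b"<html><script>var p=eval(unescape('...'))</script></html>")
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()
```

Running scan(build_sample()) flags the HTML member and the PE inside the nested zip, while the text file carrying the same PE marker bytes produces nothing, which is the efficiency and accuracy point of scoping rules to the right stream.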

31

ASLR/DEP/BOPS
• Drive-by attacks need silent, but deadly efficiency
• Make exploits tough, look for tell-tale signs
• Increase attack difficulty

32

Risks

33

Challenges
• VT
• Attack surface
• Whitelisting?
• Social

34

Endpoint protection isn't anti-virus.

35

Comments/Questions?

36

© Sophos Ltd. All rights reserved.