cyphort
Marion Marschalek
@pinkflawd
Did high school for
Software Engineering
Malware Analyst in
Anti-Virus Industry
Studied Information
Security
Thought Malware
sounds cool ...
Female Reverse
Engineering Challenge
BOOM.
THE INNOVATION GAP
challenges
interesting
characters
more $
more
freedom
fun
less personal
competition
ridiculous
appreciation
NOT BEING UNIQUE
Runtime packer trigger heuristics!
Altered compiler settings don't ...
Dynamic API resolving
String obfuscation
ONE BINARY TO RULE FOREVER
Filehash-based detection
Updating of binaries in irregular intervals
Route traffic through local proxy
REPETITIVE ARTIFACTS
File names
Domain names
Registry key names / value names
Infiltration methods
Persistence methods
ENVIRONMENTAL INSENSITIVITY
Might want to refuse executing in sandboxes, emulators &
analyst's machines
Potentially targeted systems usually homogeneous
SINGULAR PERSISTENCE
Remember the P?
Registry & service list monitored
One process easy to kill
MBR regularly scanned
Why not do all?
SEPARATION OF LAYERS
In-memory scanning identifies equal payloads
Consistent evasion tricks multiply success
KNOWN SPHERES
Remember the A?
Find new battle fields
Virtual machine execution
Kernel land code
Bootkits
BIOS
1. Unique binaries
2. Irregular updates
3. No repetitive artifacts
4. Environmental sensitivity
5. Multiple persistence techniques
6. Consistent evasion
7. Unknown spheres
The A and the P of the T
1 2 3 4 5 6 7
BlackEnergy
Havex
BlackPOS
EvilBunny
estimated 56 million
credit cards compromised
THREAT DETECTION 101
The binary has to be known.
The binary has to be recognized.
The behavior of the binary has to be recognized.
So what (now)?
'I have to learn this.'
'I'm not sure about this.'
'Some day I will.'
'I am not good at X.'
or plainly 'I can't.'
IF I HAD THREE WISHES ...
1. Everyone would have unbiased choices.
2. We would all be free to think whatever we want.
3. We would have secure systems which would assure integrated safety and privacy.