Embed Size (px)
Citation preview
Chronicles of Malwares and Detection SystemsBy:
Amit Malik
Member @ Cysinfo
Researcher @ FireEye Labs© Cysinfo Research Group
Disclaimer
The Content, Demonstration, Source Code and Programs presented here is "AS IS" without
any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are
solely of the mine and nothing to do with the company or the organization in which I am
currently working.
However in no circumstances neither I or Cysinfo is responsible for any damage or loss
caused due to use or misuse of the information presented here.
Agenda
Phases
The common thingsData TheftCode protection/obfuscation
Code protection and obfuscation – the view (PE Only)
Detection systems
Final thoughts
PhasesFun
The early stageBirth of antivirus
Fun and ProfitSecond stageCode obfuscation/evasion – the innovation
The gods – themda, vmprotect etc.Knowledge sharing
Antivirus heuristics etc. (the failure)
ProfitCurrent stage
Targeted attacks
Offensive and defensive both are fully commercial
Sophistication in exploits is increased exponentially
Malwares are either sophisticated (duqu, stuxnet etc.) or easy ( rebirth of RAT)
Modules (DLL etc.)
New technologies for detection – execute and detect, machine learning etc.
The common thingsAt problem level, these things are common in malwares
Data theft (real problem)Code obfuscation/evasion (antivirus failure)
Data theft This is the problem actually…. Malware itself is not a problem.Remember “data” is the key thing here.
Code obfuscation/evasionReal challenge for detection systemsPacking, protectors, encryptors.. Etc etc.
Code protection/evasion – the view
Real challenge to detection technologiesMaking true real time protection nearly impossible.Couple of interesting things about this behavior.In unpacked binaries the execution will be within the section (ep) boundaries and the address space will be less tense.
Code protection/evasion – the view
In packed binaries the execution can fluctuate across multiple sections and the address space will look more stressed (especially in malwares due to multiple packing layers).
Graph for malicious samples (exmp.)
Graph for malicious samples (exmp.)
Graph AnalysisTwo things are most important:
Origin of call?Tension in the address space.
Meaning return address and use of “data” are the two most important things.
Actually tracking the use of “data” is not an easy task.
But what if we monitor the user interaction with system instead of monitoring the use of data blindly?
Why a specific event/activity is happening in the system?
What is the scope of interaction of user to start that event.
How the user is using/receiving the event output.
Detection SystemsAntivirus
Actually I don’t want to blame antivirus.. Things at endpoints are very messy.
A significant enhancement in the model is required.
Home users are in real danger.. No other option.
Execute and Detect:New technology to detect the malwares – actually it is not new, people just experimented it recently for detection and it is working?
Infection is ok for customer but data should be protected.
Considering the security problems people are ok even if you detect the malware after the actual infection.
Detection Systems (cont.)
Execute and Detect:Pros:
Inspection of malware in a controlled environment.You don’t have to worry about the user and experience.You know the state and health of the system so detection is relatively easy. (on endpoint it is an entirely different game – poor antivirus).
Cons:Expensive?
Large infrastructureHuge maintenance overhead.
Logic bombs – I know I am in sandbox Oh boy.. First it is really difficult to port this thing or its variations on endpoint.. And even if we can achieve that, it will be extremely expensive for home users.
Final ThoughtsMalware is a problem and will always be.
Security is human + technology breach, we can’t fix both.
Antivirus is failing and right now there is no other solution for its replacement for home users.
Execute and detect is a good new technology for detection but it is expensive and not truly reactive (true real time protection?, post infection alerts.).
THANK YOU!
