
Malwares Demystified and Simplified

Detection, Prevention & Response

AV/Firewall/OS regularly updated & patched

DMZ/Restrictions

Anti-malware tools (antivirus, anti-spyware)

Honeywall

IDPS

Application Execution Blockers

Web/email filtering

DNS revocation (revoking the domains the botnet relies on)

Education/Research/Social awareness about online security & privacy trends

Following best practices for managing and using Internet-connected hosts

Rewards for reporting / information exchange

Null-routing DNS entries

Greylisting (anti-spam)

Traffic control (firewalls, NAC, proxies)

Detection

Tracking

Mitigation

How do botnets get taken down?

Prevention and detection: user side / client workstation
Install detection tools: antivirus software, a personal firewall, a spyware detection tool.
Update regularly: the operating system; the antivirus software (and verify that its updates really happen, since a botnet may have disabled them); the web browser (do not install unsigned plugins); the email client; the instant messaging client; office software.
Precautions: do not work with administrator rights; do not disable automatic updates; do not follow links contained in spam; be careful with attachments; software patches are never sent by email; set executables read-only where possible and check their integrity; do not download just anything (cracks, etc.)!

Prevention and detection: administrator side
Blacklists exist (RBLs, Real-time Black Lists) and can be turned into filters.
Monitor network traffic (IRC and P2P protocols) with a NIDS (Network Intrusion Detection System).
Be careful with PHP applications on web servers (security holes).
Strict password management.
Define a policy for security patch management.
Do not neglect laptops and other mobile computers.
Restricted rights for users.
Analyse logs after an infection (to discover newly infected machines and to locate the C&C).
Deploy firewalls, proxies, SMTP filtering, VLANs.

detection methods

No single method: use defense in depth.
Watch anti-virus/anti-spyware logs: many bots are caught by anti-virus, but it is not a 100% fool-proof plan.
Monitor firewall logs for C&C traffic: watch FW logs for both allowed and denied connections to common C&C services (IRC on TCP 6667, P2P on varying ports, odd ports).
Use IDS to watch for IRC/P2P/botnet activity, and for attacks and DoS traffic coming FROM your network.
Network flow analysis: watch for increases in traffic and unusual traffic patterns.
Your users.
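
The firewall-log hunting step above, worked through as an added example (this is not code from the original mind map or the slide deck it quotes). It parses a constructed, vendor-neutral log format, looks at outbound connections from internal hosts only, and flags the two patterns the slide names: contact with IRC ports, and repeated contact with an external host on an odd port. Note that denied connections are kept: a bot that keeps hammering a blocked C&C port is still an infected host. The log lines, the 10.0.0.0/8 internal range, the port lists and the threshold are all assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log (generic "ACTION src:port -> dst:port PROTO" form,
# not a real vendor format). Internal hosts live in 10.0.0.0/8; external
# addresses are documentation ranges.
SAMPLE_FW_LOG = """\
2024-05-01T10:00:01 ALLOW 10.0.1.15:51234 -> 203.0.113.9:6667 TCP
2024-05-01T10:00:31 ALLOW 10.0.1.15:51240 -> 203.0.113.9:6667 TCP
2024-05-01T10:01:01 DENY 10.0.1.15:51251 -> 203.0.113.9:6667 TCP
2024-05-01T10:01:31 ALLOW 10.0.1.15:51260 -> 203.0.113.9:6667 TCP
2024-05-01T10:02:02 ALLOW 10.0.1.15:51270 -> 203.0.113.9:6667 TCP
2024-05-01T10:02:10 ALLOW 10.0.2.7:49001 -> 198.51.100.20:443 TCP
2024-05-01T10:02:11 ALLOW 10.0.2.7:49002 -> 198.51.100.21:80 TCP
2024-05-01T10:03:00 DENY 10.0.3.44:40000 -> 192.0.2.77:31337 TCP
2024-05-01T10:03:05 DENY 10.0.3.44:40001 -> 192.0.2.77:31337 TCP
2024-05-01T10:03:10 DENY 10.0.3.44:40002 -> 192.0.2.77:31337 TCP
2024-05-01T10:04:00 ALLOW 10.0.2.7:49010 -> 198.51.100.20:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

# Assumed port lists: classic IRC C&C ports, and services common enough that
# repeated contact alone is not suspicious. Everything else is an "odd port".
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}
COMMON_SERVICE_PORTS = {25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}
BEACON_THRESHOLD = 3  # repeated contacts to one host:port that warrant a look


def parse_fw_log(text):
    """Parse log lines into dicts; unparsable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def is_internal(ip):
    return ip.startswith("10.")


def find_cc_candidates(text):
    """Return {internal_host: [reasons]} for hosts whose outbound traffic
    looks like C&C contact. Allowed and denied connections both count."""
    contacts = defaultdict(Counter)  # src -> Counter of (dst, dport, action)
    for e in parse_fw_log(text):
        if not is_internal(e["src"]) or is_internal(e["dst"]):
            continue  # only outbound traffic from internal hosts
        contacts[e["src"]][(e["dst"], e["dport"], e["action"])] += 1

    findings = {}
    for src, counter in contacts.items():
        reasons = []
        for (dst, dport, action), n in counter.items():
            if dport in IRC_PORTS:
                reasons.append(f"{action} x{n} to {dst}:{dport} (IRC port)")
            elif dport not in COMMON_SERVICE_PORTS and n >= BEACON_THRESHOLD:
                reasons.append(f"{action} x{n} to {dst}:{dport} (odd port, repeated)")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_cc_candidates(SAMPLE_FW_LOG).items():
        print(host)
        for r in reasons:
            print("   ", r)
```

On the constructed log this reports 10.0.1.15 (IRC on TCP 6667, both allowed and denied) and 10.0.3.44 (three denied attempts to port 31337), and stays silent on 10.0.2.7, whose traffic is ordinary HTTPS/HTTP. Real hunting would add timing regularity (beacon intervals) and a bytes-out baseline, which this example leaves out.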

Advanced Response

Can you get forensic information on the malware?
Got a copy of the executable? Submit it to anti-virus vendors (http://www.virustotal.com).
Command and control information? Send it to the Shadowserver Foundation or the ISC handlers. DO NOT CONNECT TO THE C&C CHANNEL!

Roadmap to Botnet Prevention

Patch, patch, patch: both workstations AND servers. Bots were using MS06-040 exploits 2 days after the patch was released.
Teach users safe computing habits: safe browsing habits, and not running unknown files, will help prevent bot infection.
Maintain up-to-date anti-virus signatures: it's not 100% effective, but important!

You’ve detected it, now what?

Why should you care?

Bot infections can be costly. Cleaning up 1 infection is easy; how about 1,000? Better understanding = better protection. Botmasters are organized; we need to be as well.

High level of activity by botmaster makes them easier to detect than their bots

Network signatures can be created without malware analysis, but signatures created with the help of malware analysis are usually far more effective, offering a higher detection rate and fewer false positives.

Hunting the ecosystem

Defending against Bots & Botnets

Botnets are moving targets

No technique is perfect

Not all networks are the same

Malware Taxonomy and Evolution

Remote Access Tools

TeamViewer / Hamachi / Mikpo

Auto-rooters

Botnets

Aliases: zombies/drones, loaders. Similar to a backdoor, in that it allows the attacker access to the system, but all computers infected with the same botnet receive the same instructions from a single command-and-control server.

Browser Hijackers

Dialers

Downloaders

Malicious code that exists only to download other malicious code. Downloaders are commonly installed by attackers when they first gain access to a system; the downloader then fetches and installs additional malicious code.

Droppers

Exploits

Flooders

Germs

HackTool/RiskTool

Hoaxes: Chain Letters

Joke Programs

Kits (Virus Generators)

Logic Bombs

Potentially Unwanted Program (PUP)

Ransomware

Ransomware proper locks or encrypts the victim's data and demands payment to restore it. The closely related scareware (rogue anti-virus) is malware designed to frighten an infected user into buying something. It usually has a user interface that makes it look like an anti-virus or other security program. It informs users that there is malicious code on their system and that the only way to get rid of it is to buy their "software", when in reality the software it's selling does nothing more than remove the scareware.

Rootkits

Malicious code designed to conceal the existence of other code. Rootkits are usually paired with other malware, such as a backdoor, to allow remote access to the attacker and make the code difficult for the victim to detect. A rootkit is a set of programs and code that allows a persistent and (ideally) undetectable presence on a computer; the ability to hide files, directories, configuration files, drivers, processes and registry entries is typically a requirement. Shadow Walker, NTIllusion, NT Rootkit and Hacker Defender are well-known and widely used examples; other user-mode rootkits exist, such as AFX.

Scareware (rogue anti-virus) or blackmailware

Spammer Programs

Malware that infects a user's machine and then uses that machine to send spam. This malware generates income for attackers by allowing them to sell spam-sending services.

Spyware

Trojan Horses

Worms

Code Red, SQL Slammer

Malware often spans multiple categories. For example, a program might have a keylogger that collects passwords and a worm component that sends spam. Don't get too caught up in classifying malware according to its functionality.

Malware Analysis

What is Malware Analysis ?

What is a Malware Lab ?

Why Malware Analysis ?

How can we get the malware ?

Acquisition of samples from sandboxed machines working in a honeypot.
Samples sent in by customers, either automatically or manually.
Samples acquired from third parties, including competing vendors.

Lab Elements

Lab hardware

Build the lab

Malware Analysis Methodology/Process

Malware Analysis Report

Malware Analysis Tools

General Rules for Malware Analysis

Infection Vectors and Spreading Mechanisms

Malvertising

SPAM / eMail-Attach

Freeware

Instant Messaging

Social Networks

Warez/P2P Networks

Trojan Horses/Backdoors

Drive-by Download/Install

Exploits / Exploit Kits

Trusted Products/Services

Links in social networks / blogs that lead to malicious web pages

Combined with Social-Engineering Attacks

References/Resources

Certifications

eBooks

Links

Forums

Some Notes ...

Malware is tricky, and creators of it are trickier. 

Malware can be detected from user PCs / Mail traffic

Click fraud appears to be comparatively easy to manipulate with the further advantage of drawing little attention from law enforcement, unlike banking trojans.

Spam-botnet

According to MSDN, the WNet* functions are used to enumerate network resources and connections.

To sum up: Rob a bank and face a one-in-four or one-in-five chance of doing hard time. Steal someone's identity and your odds of being caught are almost infinitesimal. Consider, too, that identity theft comprises only 9.8 percent of all Internet crime, not including the likes of intellectual property theft. Factor in all Internet crime, and the numbers are likely to be far, far worse -- which is saying a lot.

Why botnet owners stop making money

Type of people

Gauss: data-stealing functions

Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
Collecting information about the computer's network connections.
Collecting information about processes and folders.
Collecting information about BIOS and CMOS RAM.
Collecting information about local, network and removable drives.
Infecting USB drives with a spy module in order to steal information from other computers.
Installing the custom Palida Narrow font (purpose unknown).
Ensuring the entire toolkit's loading and operation.
Interacting with the command and control server, sending the information collected to it, downloading additional modules.

Defense mechanisms of Malware

Anti-Reversing Tools

Anti-Sandbox / Anti-VM

Anti-Dumping

Anti-Intercepting

Anti-Emulating

Anti-Breakpoint

Anti-Tampering

Anti-Attaching/Debugging

Self-Modifying Code

Garbage/Junk Code Insertion and Permutation

Rootkitting

Malformed PE Header

Erase PE header if reversing detected

System File Protection hiding

System Hardening

Bypass, block, blacklist or kill antivirus / firewalls / disinfection forums

DDNS - Dynamic DNS domain names (fast fluxing)

Dynamic DNS services are often used: a service that allows the IP address of a hostname to be changed at will lets attackers move their C&C servers quickly and easily. Fast flux takes this further by rotating many IP addresses behind one hostname with very short TTLs.
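
A detection-side counterpart to the fast-flux description above, added here as an example (not code from the original mind map). It replays a constructed series of DNS answers for two hostnames and scores each on the properties that distinguish flux from ordinary round-robin: short TTL, many distinct addresses, addresses spread across many networks, and churn between successive answers. The observations, the thresholds and the use of /16 prefixes as a stand-in for AS diversity (a real tool would map each address to its ASN with offline data) are assumptions made for the example.

```python
from ipaddress import ip_network

# Constructed DNS observations: (hostname, TTL in seconds, A records returned).
# First hostname behaves like a normal CDN; second like a fast-flux C&C name.
# Addresses are taken from documentation ranges.
OBSERVATIONS = [
    ("update.example-cdn.net", 3600, ["198.51.100.10", "198.51.100.11"]),
    ("update.example-cdn.net", 3600, ["198.51.100.10", "198.51.100.11"]),
    ("update.example-cdn.net", 3600, ["198.51.100.12", "198.51.100.11"]),
    ("cc.flux-example.org", 180, ["203.0.113.5", "192.0.2.44", "198.51.100.200"]),
    ("cc.flux-example.org", 120, ["203.0.113.77", "192.0.2.130", "198.51.100.9"]),
    ("cc.flux-example.org", 150, ["203.0.113.5", "192.0.2.201", "198.51.100.111"]),
]

# Assumed thresholds; tune against your own resolver logs.
MAX_FLUX_TTL = 300        # flux names keep TTLs short so rotation takes effect
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3     # /16 prefixes, crude proxy for "many providers"
MIN_CHURN_PER_ANSWER = 2  # new addresses per subsequent answer
FLUX_SCORE = 3            # indicators required to call it fast flux


def fast_flux_score(observations):
    """Aggregate repeated answers per hostname and score fast-flux indicators.
    Returns {hostname: {distinct_ips, distinct_nets, min_ttl, score, fast_flux}}."""
    per_host = {}
    for host, ttl, ips in observations:
        s = per_host.setdefault(host, {"ips": set(), "nets": set(),
                                       "min_ttl": ttl, "answers": 0, "churn": 0})
        if s["answers"]:
            # churn: addresses in this answer never seen for this host before
            s["churn"] += sum(1 for ip in ips if ip not in s["ips"])
        s["ips"].update(ips)
        s["nets"].update(str(ip_network(f"{ip}/16", strict=False)) for ip in ips)
        s["min_ttl"] = min(s["min_ttl"], ttl)
        s["answers"] += 1

    results = {}
    for host, s in per_host.items():
        score = 0
        if s["min_ttl"] <= MAX_FLUX_TTL:
            score += 1
        if len(s["ips"]) >= MIN_DISTINCT_IPS:
            score += 1
        if len(s["nets"]) >= MIN_DISTINCT_NETS:
            score += 1
        if s["answers"] > 1 and s["churn"] / (s["answers"] - 1) >= MIN_CHURN_PER_ANSWER:
            score += 1
        results[host] = {
            "distinct_ips": len(s["ips"]),
            "distinct_nets": len(s["nets"]),
            "min_ttl": s["min_ttl"],
            "score": score,
            "fast_flux": score >= FLUX_SCORE,
        }
    return results


if __name__ == "__main__":
    for host, r in fast_flux_score(OBSERVATIONS).items():
        print(host, r)
```

The CDN name ends with a score of 0 (long TTL, three addresses in one /16, almost no churn); the flux name scores 4. The weak point of this heuristic is large CDNs and round-robin load balancers, which also show many addresses and sometimes low TTLs; the network-diversity and churn indicators are what keep them below the threshold, so they are the ones worth replacing with real ASN data.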

Managed malware crypting services

Quality Assurance

The Windows native API in NTDLL.DLL and NTFS Alternate Data Streams (ADS). Malware frequently abuses these otherwise helpful mechanisms to keep itself from being discovered.

DDoS: who is studying it

Server side polymorphism

File extension manipulation / double extension

Rallying mechanisms

System modification (changing network filtering rules, disabling security tools).

To evade signature-based detection systems, it appends some randomly generated bytes to the end of the file.
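
Why the appended-bytes trick works against whole-file hashes, and how an analyst spots it, as an added example (not code from the original mind map). Real tooling checks a PE for an overlay by comparing the end of the last section (PointerToRawData + SizeOfRawData) with the file size; to stay self-contained this example uses a constructed toy container with a 4-byte magic and a declared body length instead of a real PE, so the container format, the sample payload and the 37-byte padding are all assumptions.

```python
import hashlib
import os
import struct

MAGIC = b"TOYX"  # constructed toy container format, not a real PE header


def pack(body):
    """Build a container: magic, little-endian body length, body."""
    return MAGIC + struct.pack("<I", len(body)) + body


def declared_end(blob):
    """Offset where the container says its content ends (like the end of the
    last PE section). Anything past it is overlay."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("not a toy container")
    return 8 + struct.unpack("<I", blob[4:8])[0]


def overlay(blob):
    """Bytes appended beyond the declared content; empty for a clean file."""
    return blob[declared_end(blob):]


def file_hash(blob):
    """Whole-file hash: the kind of signature random padding defeats."""
    return hashlib.sha256(blob).hexdigest()


def body_hash(blob):
    """Hash of only the declared content: stable across appended junk."""
    return hashlib.sha256(blob[:declared_end(blob)]).hexdigest()


# Constructed sample: a fake payload, and the same file after the evasion step.
ORIGINAL = pack(b"\x90" * 16 + b"fake-bot-payload")
PADDED = ORIGINAL + os.urandom(37)

if __name__ == "__main__":
    print("whole-file hashes equal:", file_hash(ORIGINAL) == file_hash(PADDED))
    print("body hashes equal:      ", body_hash(ORIGINAL) == body_hash(PADDED))
    print("overlay bytes in padded:", len(overlay(PADDED)))
```

The whole-file hash changes on every padded copy while the body hash does not, which is the argument for section-level or import-table hashes over file hashes. A non-empty overlay is not proof of malice (installers and signed binaries carry overlays legitimately), but an overlay of apparently random bytes with no recognisable structure is a cheap triage signal.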

Double Checks in separate places / on each startup

Do-it-yourself malware cryptors

Hijack the HOSTS file to point security and update sites at the local host (127.0.0.1)
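
A quick audit of a HOSTS file for the hijack described above, as an added example (not code from the original mind map). It parses a constructed hosts file in the standard format and reports two things: security or update domains pinned to a loopback or null address (the "block the cure" trick), and any other domain pinned to a real external address, which is the pharming variant of the same edit. The sample file contents, the list of protected domain suffixes and the sinkhole address set are assumptions for the example; a real check would read %SystemRoot%\System32\drivers\etc\hosts.

```python
# Constructed hosts file; the lines after the marker are the kind a bot plants.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- added by malware ---
127.0.0.1 www.virustotal.com
127.0.0.1 update.microsoft.com
0.0.0.0   www.symantec.com
203.0.113.66 www.examplebank.com
"""

# Assumed: domains whose loopback mapping is a classic anti-disinfection move.
PROTECTED_SUFFIXES = ("virustotal.com", "microsoft.com", "symantec.com",
                      "kaspersky.com", "mcafee.com")
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every mapping, handling
    comments, blank lines and several names on one line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text):
    """Return a list of (line_number, hostname, address, reason) findings."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the legitimate entries every hosts file carries
        if addr in SINKHOLE_ADDRS and name.endswith(PROTECTED_SUFFIXES):
            findings.append((lineno, name, addr, "security/update site blackholed"))
        elif addr not in SINKHOLE_ADDRS:
            findings.append((lineno, name, addr, "domain pinned to external IP (possible pharming)"))
    return findings


if __name__ == "__main__":
    for lineno, name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {reason}")
```

Blackholed entries that are not in the protected list (an ad server pinned to 0.0.0.0 by a privacy tool, say) are deliberately not reported, since hosts-based ad blocking is common and legitimate; the external-IP rule has no such exception because a hosts file is almost never the right place to pin a public domain.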

Delete the SafeBoot registry key to make Safe Mode inaccessible

Disable CMD / Regedit / Task Manager / System Restore

Hide Folder Options in the Explorer menu to prevent showing hidden files

Hook mouse events to check whether it is running on an automated system

Sleep to evade automated systems: NtDelayExecution() or SleepEx()

In order to hide itself, the bot duplicates the modification, access and creation times (MAC times) of the Ntdll.dll library and applies them to sdra64.exe. The intent is to make sdra64.exe appear to be a system file that has been present since Windows was first installed.

As a further layer of hiding for the created file, it sets the sdra64.exe file attributes to system and hidden, so that the user cannot see the file in the standard file explorer.

Anti Cracking

The malware drops a second piece of malware that loads a VBS script from its resources and then injects it into another process.

Throw BSOD

Known malware techniques

Persistence across reboot