
P2L2 Modern Malware

Past Malware
In the past malware was for fun and fame. It was used to damage websites or cause denial of
service (DoS) attacks.

Modern Malware
Now, often for profit and political gains.

Now that money and politics are involved:
malware is technically sophisticated and is based on the latest technologies.
malware now is designed for efficiency, robustness, and evasiveness.

Botnet
Botnets are the most prevalent form of malware. Most attacks and frauds are due to botnets.

Bot (also known as a zombie): a compromised computer under the control of an attacker.
Bot code (malware) on the compromised computer communicates with the attacker's server
and carries out malicious activities per the attacker's instructions.

Botnet: a network of bots controlled by an attacker to perform coordinated malicious activities.
The combined power of the botnet means the attacker controls a very large and powerful
computer platform, which allows the attacker to launch a wide variety of malicious activities.

Spamming = infected machines send out unsolicited emails.
Click fraud = used by botmasters to fraudulently increase revenue from advertisers.
Phishing = used to gather valuable financial information.

Attacks and Frauds by Botnets
Botnets usually have one of two goals: monetary profit or political activism.
Botnets are responsible for:
Spam (nearly all spam is from botnets)
DDoS (distributed denial of service) attacks
Click fraud
Phishing and pharming
Keylogging and data/ID theft
Key/password cracking
Anonymized terrorist and criminal communication
Cheating in online games and polls

DDoS Using Botnets
1. The attacker chooses a victim.
2. The attacker commandeers a botnet. The zombies have the bot code and communicate
with the botmaster regularly.
3. The attacker sends a command to all the bots in the botnet to attack at the same time.
For example: a request for connection.
4. The victim is then overloaded with requests and must deny service.

Amplified Distributed Reflective Attacks
To counter the attack, victims can increase their number of servers, but the attacker can amplify
the attack.

Open recursive DNS servers are servers that any machine can query. A common query is to
look up the IP address of a domain name. They also answer queries about large TXT records;
these are 1500 or more bytes.

The attackers use the DNS servers:
1. The botmaster commands the bots to query the open recursive DNS servers about the
TXT records.
2. The address the query is coming from is spoofed: it is the victim's address.
3. All the bots request the same information, which is then sent to the victim.

DDoS
The attacker does not have to use his own computer in the attack.
There are so many computers involved in the attack that it is difficult to distinguish legitimate
from malicious traffic.
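The reflection described above has a defender-side tell: the victim receives large TXT answers from many resolvers for queries it never sent. The following is an added example, not part of the lecture notes, that pairs inbound DNS responses with the monitored host's own outbound queries over constructed records (all addresses are documentation-range values chosen for the example):

```python
from collections import defaultdict

# Constructed records. Queries the monitored host 203.0.113.10 really sent:
# (client_ip, resolver_ip, domain, qtype).
SENT_QUERIES = [
    ("203.0.113.10", "198.51.100.1", "www.example.com", "A"),
]
# Inbound DNS responses seen at the network edge:
# (resolver_ip, dst_ip, domain, qtype, size_bytes).
INBOUND_RESPONSES = [
    ("198.51.100.1", "203.0.113.10", "www.example.com", "A", 80),
    ("198.51.100.2", "203.0.113.10", "big.example.net", "TXT", 1600),
    ("198.51.100.3", "203.0.113.10", "big.example.net", "TXT", 1600),
    ("198.51.100.4", "203.0.113.10", "big.example.net", "TXT", 1600),
    ("198.51.100.5", "203.0.113.10", "big.example.net", "TXT", 1600),
    ("198.51.100.6", "203.0.113.20", "other.example", "TXT", 1600),
]

def unsolicited_responses(sent, inbound):
    """Responses whose destination never issued the matching query: because the
    bots spoofed the source address, the victim sees answers it never asked for."""
    asked = set(sent)   # (client, resolver, domain, qtype) tuples the host sent
    return [resp for resp in inbound
            if (resp[1], resp[0], resp[2], resp[3]) not in asked]

def reflection_victims(sent, inbound, min_resolvers=3, min_size=1500):
    """Hosts receiving large unsolicited TXT answers from many distinct resolvers,
    with the set of reflecting resolvers and the total bytes received."""
    per_dst = defaultdict(lambda: {"resolvers": set(), "bytes": 0})
    for resolver, dst, _domain, qtype, size in unsolicited_responses(sent, inbound):
        if qtype == "TXT" and size >= min_size:
            per_dst[dst]["resolvers"].add(resolver)
            per_dst[dst]["bytes"] += size
    return {dst: info for dst, info in per_dst.items()
            if len(info["resolvers"]) >= min_resolvers}

if __name__ == "__main__":
    for dst, info in reflection_victims(SENT_QUERIES, INBOUND_RESPONSES).items():
        print(dst, "hit by", len(info["resolvers"]), "resolvers,", info["bytes"], "bytes")
```

The single large answer to 203.0.113.20 stays below the resolver threshold, so one stray response does not trip the detector.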


Botnet Command and Control
A botnet is a network of compromised computers that the botmaster uses for malicious purposes.
The botmaster needs to control the bots, so control and communication is required.

Botnet C&C Problem
How can the botmaster know which computers have been infected and how to communicate
with them?

Method 1:
The victim computers can contact the botmaster.
Create malware (vx)
Download vx code, fiddle with it, compile it
Use email propagation / social engineering
Spreading is the easy part; now how do we use the compromised computers (victims)?

The problems with this method:
The address of the botmaster must be hardcoded into the malware.
When a sysadmin discovers the bot, they will be able to trace it.
This method is not stealthy.
There is only one rally point for control.
Once the email account is known, it is easy to ban, thereby cutting off the botmaster
from the bot.
This method is not robust.

Botnet C&C Design
How can bots contact their master safely?

The simple naive approach does not work. This method is for script kiddies, first time malware
authors.
Utility and safety are important to the botmasters.
Design considerations:
Must be efficient and reliable. It must be able to reach a sizeable
Stealthy: hard to detect (i.e. it must blend with normal/regular traffic)
Resilient: it should be hard to disable or block C&C traffic

C&C Design Quiz
Bots have more sophisticated communication capabilities than worms and viruses.
Bots do NOT require direct communication with the C&C server before beginning an attack.
A bot should not use custom communication protocols because that is not stealthy.

DNS Based Botnet C&C

In this illustration the botmaster releases malware. The domain name of the C&C server is
hardcoded.

When it is time for the bot C&C: the bot will ask the DNS for the address of the domain name.
Then the bots will communicate with the C&C server.

Botmasters prefer dynamic DNS servers because of the frequent change between domain name
and IP address. So the botmaster can change the machine used for C&C. He can just change
the DNS mapping quickly.

Using DNS for C&C is a good idea because DNS is used any time a computer needs to talk to
another computer. DNS stores the mapping between the domain name and the IP address.
DNS is always allowed on a network.

Anomaly detection: the way bots look up a domain suggests the domain is most likely used
for C&C.

For example: if a domain name is referenced by hundreds of machines across the internet, but
the domain is not known to Google search, there is a good chance it is a bot.

Once the domain name has been identified as belonging to a botmaster and used for C&C, a
number of responses are possible:

DynDNS can map the domain name to a sinkhole. When a bot asks for the dynamic
address of the domain, the DNS will give the address of the sinkhole instead of the
botmaster.
The advantage of a sinkhole: it allows researchers to discover where the bots are in the
net.
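The anomaly detection and sinkhole response above can be shown end to end. This is an added example, not code from the lecture: it counts distinct resolving hosts per domain over constructed query log lines, uses a small allowlist as a stand-in for "known to Google search", and then answers lookups of a flagged domain with an assumed sinkhole address while recording which clients asked.

```python
from collections import defaultdict

# Constructed DNS query log lines: "<client_ip> <queried_domain>".
QUERY_LOG = """\
10.0.0.1 www.example.com
10.0.0.2 www.example.com
10.0.0.3 update.example.org
10.0.0.1 zq7k3.dyn-cc.example
10.0.0.2 zq7k3.dyn-cc.example
10.0.0.3 zq7k3.dyn-cc.example
10.0.0.4 zq7k3.dyn-cc.example
10.0.0.5 zq7k3.dyn-cc.example
""".splitlines()

# Stand-in for "known to Google search": domains with an established reputation.
KNOWN_DOMAINS = {"www.example.com", "update.example.org"}
SINKHOLE_IP = "192.0.2.53"   # assumed sinkhole address (documentation range)

def clients_per_domain(log_lines):
    """Map each domain to the set of distinct client IPs that resolved it."""
    seen = defaultdict(set)
    for line in log_lines:
        client, domain = line.split()
        seen[domain].add(client)
    return seen

def suspicious_domains(log_lines, min_clients=5):
    """Domains resolved by many distinct hosts yet absent from the known list."""
    return sorted(d for d, c in clients_per_domain(log_lines).items()
                  if len(c) >= min_clients and d not in KNOWN_DOMAINS)

class SinkholingResolver:
    """Toy dynamic-DNS resolver: flagged domains answer with the sinkhole, and
    the clients that asked are recorded so defenders learn where the bots are."""
    def __init__(self, mappings, flagged):
        self.mappings, self.flagged = mappings, set(flagged)
        self.bot_sightings = defaultdict(set)

    def resolve(self, client_ip, domain):
        if domain in self.flagged:
            self.bot_sightings[domain].add(client_ip)
            return SINKHOLE_IP
        return self.mappings.get(domain)

if __name__ == "__main__":
    flagged = suspicious_domains(QUERY_LOG)
    resolver = SinkholingResolver({"zq7k3.dyn-cc.example": "198.51.100.7"}, flagged)
    for client, domain in (line.split() for line in QUERY_LOG):
        resolver.resolve(client, domain)
    print(flagged, dict(resolver.bot_sightings))
```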
Botnet C&C Quiz
A C&C scheme must provide:
Efficient/reliable communications
Stealthy communications
Resilient communications

Advanced Persistent Threat (APT)
APTs tend to target specific organizations.
Advanced:
Use special malware. This malware is usually common malware that has been adapted
for special operations and operators. The advantage of using common malware is that, if a
sysadmin detects it, it will not be recognized as APT.
It is used for high value theft such as stealing the plans of a new airplane.
Persistent:
Long term presence, multi-step, low and slow.
Once the malware gets into an organization, it will be there for a long time.
It will also take many small steps that will not be detected.
Threat:
The data targeted is high value.

APT Lifecycle

It begins by defining a target.
Then research the target and determine the vulnerabilities of its network services.
Test for detection and use the knowledge of the organization's infrastructure. For example,
once the attacker has the name of a high level officer in the company, he can send an email
with embedded malware to this person.
Now the APT has a foothold in the organization. The malware can now establish outbound
connections and begin to gather information and pass it to the botmasters.
The APT will be careful to avoid detection, by keeping its footprint as small as possible.

APT Characteristics

Zero day exploit or a specially crafted malware.
A zero day exploit takes advantage of a previously unknown weakness or vulnerability in a
system. There is no patch or fix for the system or prevention for the attack.

A zero day exploit will often go undetected, since detection is usually based on known
signatures and behavior patterns in a system.

Social Engineering: APTs are designed to trick even the most sophisticated users.
For example: an APT will first compromise core internal network control elements such as
routers and web servers to learn about valuable targets.
Once the APT learns who emails whom and what attachments and topics are discussed, it can
forge emails from users. This is called spear phishing because it is targeted against a specific
individual.

APTs can also play man in the middle (MITM) on the compromised routers/servers to make
social engineering attacks very convincing. For example, APTs can forge answers to challenges
or inquiries by suspecting users.

APTs are designed in a low and slow fashion to completely blend in with normal activities.
For this reason it is very hard to detect anomalies by existing approaches.

APTs are a persistent operation that involves multiple deliberate steps over time, rather than a
single attack.

APT Attacks and Characteristics
Boy in the Middle: covertly changes a computer's network routing
Clickjacking: web users unknowingly click on something that is not as it is portrayed
Man in the Browser: modifies web pages covertly
Man in the Middle: eavesdrops
Keyloggers: covertly record keystrokes

APT Example
A CEO gets an email with a PDF document attached. When he opens the document, there is
attack data embedded in it. It breaks out of the plugin sandbox in the browser and compromises
the browser by adding an extension.
From this point on, the browser extension will embed the malware into PDF documents, thus
spreading it all over the company, eventually finding the sysadmin user who has authorization
over the server. It can grant itself access over data on the server, allowing it to steal valuable data
off the servers.
The significant characteristics of this APT:
1. The sysadmin and users do not realize their system has been compromised.
2. The APT activities blend in with normal user activity.
3. The APT moves incrementally and takes time to get to the key individuals.

Malware Analysis
Analysis that is performed for detection/response.
Methods of analysis:
Static analysis: attempts to understand what a malware instance would do if executed.
This is done without actually running the malware.
Dynamic analysis: attempts to understand what a program does when executed.
Different granularities of analysis:
Fine grained (e.g. automated unpacking): looking at it instruction by instruction
Coarse grained (system call tracing): looking at function calls
Dynamic analysis downfall: it only reveals the behaviour of the program during a specific run. On
any particular run, the malware may be waiting for specific conditions to be right before
executing some of its code.

Malware Obfuscation
Packing: a technique whereby parts or all of an executable file are compressed, encrypted, or
transformed in some fashion. This makes part of the program data instead of code. The code
that reverses the pre-runtime transformation is included in the executable and is called
unpacking.

After using the packing tool the program looks like it contains random data. Each time the
packing is performed, it is different. So a signature approach will not work on detecting the
malware.
Even though the program contains the code to unpack, this cannot be used as a signature
since a number of legitimate programs use packing/unpacking.

Unpacking
Many modern malware programs use packing.
This leads to thousands of packers and countless ways to obfuscate code.
The volume of malware samples makes manual unpacking untenable.
So there is a need for automated unpacking that does not require prior knowledge of the code.
It also needs to be fine grained: tracing based, universal, automated unpacking algorithms.

One method: detect the execution of code not in the static code model.
Run the malware.
Determine the code that was not in the program before unpacking. These must be
instructions that were unpacked just before execution.
Then other techniques can be used to identify the logic of the malware code.
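The "execution of code not in the static code model" method above can be shown on a toy machine. This is an added example, not from the lecture: a constructed three-instruction bytecode (XOR a byte in place, JMP, OUT) is packed by XOR-encoding a payload behind a small decoder stub, and a tracer that records every written address flags the first instruction fetched from a written address and dumps that region as the unpacked code.

```python
HALT, XOR, JMP, OUT = 0x00, 0x01, 0x02, 0x03   # constructed toy instruction set

def pack(payload, key, base):
    """Build a packed image: an unpacker stub that XOR-decodes the payload in
    place and then jumps to it. The payload bytes start at address 'base'."""
    stub = []
    for i in range(len(payload)):
        stub += [XOR, base + i, key]          # decode one payload byte in place
    stub += [JMP, base]                       # transfer control to decoded code
    assert len(stub) <= base, "stub overlaps payload region"
    image = bytearray(base + len(payload))
    image[:len(stub)] = bytes(stub)
    image[base:] = bytes(b ^ key for b in payload)
    return image

def run_traced(image, max_steps=1000):
    """Execute the image while tracking written addresses. Returns the output
    and (address, bytes) of the first run-time generated code executed, if any."""
    mem, pc, written, out, unpacked = bytearray(image), 0, set(), [], None
    for _ in range(max_steps):
        if pc in written and unpacked is None:
            # Code absent from the static image: dump the contiguous written run.
            end = pc
            while end < len(mem) and end in written:
                end += 1
            unpacked = (pc, bytes(mem[pc:end]))
        op = mem[pc]
        if op == HALT:
            break
        if op == XOR:
            target = mem[pc + 1]
            mem[target] ^= mem[pc + 2]
            written.add(target)
            pc += 3
        elif op == JMP:
            pc = mem[pc + 1]
        elif op == OUT:
            out.append(mem[pc + 1])
            pc += 2
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc}")
    return bytes(out), unpacked

# Constructed payload: emit "AB" and stop. Packed with XOR key 0x5A at address 32.
PAYLOAD = bytes([OUT, 0x41, OUT, 0x42, HALT])
PACKED = pack(PAYLOAD, key=0x5A, base=32)

if __name__ == "__main__":
    print(run_traced(PACKED))
```

Running the unpacked payload directly produces the same output but no dump, which is the static-model check the method relies on: only bytes that were written and then executed count as unpacked code.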

Malware Analysis Quiz
These approaches can be used to detect the malicious browser extension malware:
a network monitor that analyzes traffic to detect anomalies or known bad traffic
a host monitor that examines operating system activities
a malware analysis system that identifies malicious logic
