a bestiary of
play

A Bestiary of Ugly Malware A non-scientific survey of current day - PowerPoint PPT Presentation

Nov 01, 2022 •240 likes •472 views

A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in the wild Marion Marschalek | marion@0x1338.at | @pinkflawd Software that steals your data Software that destroys your data Software that abuses

  1. A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in the wild Marion Marschalek | marion@0x1338.at | @pinkflawd

  2. Software that steals your data Software that destroys your data Software that abuses your machine Windows PE executables / DLLs C /C++, Delphi, .NET, VisualBasic, Java Javascript Word Macros Powershell Shellcode or commands in Windows Registry

  3. Threat Detection and Classification Issues Packers and crypters Installers Binary formats Compilers and compiler settings Programming languages Coding habits Target platforms

  4. Malware Nature benign EP section name abnormal EP section entropy too high/low Use of TLS sections API calls / KB ratio Section count too low Imphash missing targeted random

  5. Poking for Registry interaction Benign 54% - Targeted 55% - (Random 23%) Functionality File system interaction Benign 61% - Targeted 70% - (Random 34%) MS CryptoAPI Benign 5% - Targeted 2% - (Random <1%) Windows hooks Benign 5% - Targeted 31% - (Random 6%) Windows image capture APIs Benign 10% - Targeted 33% - (Random 13%)

  6. Drivers are somewhat likely to be legitimate Packed samples are somewhat likely to be malicious Non-packed files are not necessarily benign Targeted malware is more likely written in C++ than random malware Malicious files are unlikely to use UI APIs Targeted malware performs about as much Registry interaction as benign samples

  7. Ransomware Enumerate files on disk or network Encrypt any or all of it Place a ransom note

  8. Ransomware: GPCode Written in C Only 22KB big Packed with UPX Linear execution Enumerates and encrypts file shares

  9. RATs Off-the-shelf malware commercially available Primary use: Targeted espionage

  10. Peering inside a Commodity RAT XTremeRAT All traits of standard malware Multiple packer layers Code injection to system processes for stealth Persistence methods are not outstanding Functionality is straight forward No code obfuscation

  11. Peering inside a Commodity RAT XTremeRAT Sniffing of clipboard data through keylogger window by installing a viewer to receive WM_DRAWCLIPBOARD messages Download and execution of binaries via HTTP Data exfiltration via FTP Comes with a configuration file, encrypted with RC4, embedded in the .rsrc section

  12. Peering inside a Commodity RAT XTremeRAT Logs keystrokes through an invisible window, placing a global hook

  13. The Beasts in the Bestiary

  14. True Implants Compiled between 2007 - 2011 Registers as an icon handler shell extension for .lnk files Shell in this case means the program manager Server registration sets up COM server Objects being served perform actual work "You can write one in C if you (somewhat likely) written in pure C really want to, although that's a violation of the Geneva Convention on Programmer's Rights in most jurisdictions.“ – Unknown Stackoverflow user

  15. Sensitive Implants OS version detection Redundant code for different versions Fine-grained decision making - during setup - for evasion Avoids keylogging, code injection or registry interaction when certain security software is present

  16. Execution flow Terminal services notification Function arrays for execution flow obfuscation Configuration data in queues Massive amount of global variables, critical sections, pipes, etc. etc.

  17. init TEARDOWN +3 +3 +3 ... SETUP

  18. + Search for index, specified 7 + by global variable 7 + Load respective 7 .. init/handler functions . Craft arguments Call init, then handler

  19. Kaspersky evasion Diffing

  20. GPCode XtremeRAT CheshireCat Development Cheap Fair Expensive Motivation Profit oriented Potentially profit Pretty sure not oriented profit oriented Stealth Not at all Trying Super stealthy stealthy Code C C C < 100KB < 100KB < 100KB Simple Simple Complex/careful Packing „ Packed “ Packed! Not packed Distribution Manual placement E-Mail N/A

  21. Th Thre reat at De Detec tection tion File hashes System behavior Known-bad File fragments Network patterns Non known-good File behavior Abnormal system behavior Known-bad origin File properties Abnormal network Non known-good origin patterns Threat detection metrics heavily build on known fragments , while aiming to find the largely unknown .

  22. Tak akin ing Pat atter tern n Mat atch chin ing to to th the ne next Le Level el Threat evaluation vs. detection Dynamic patterns, packer detection, functionality detection Custom encryption algorithms / obfuscation Custom evasion, persistence APT research: binary similarity is nice, authorship similarity be more interesting Threat detection vs. threat development ratio trouble

  23. Thank you! Marion Marschalek | marion@0x1338.at | @pinkflawd

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GrimoireLab: Bestiary CHAOSS Con, February 2nd, 2018 Miguel ngel Fernndez @mghfdez mafesan

GrimoireLab: Bestiary CHAOSS Con, February 2nd, 2018 Miguel ngel Fernndez @mghfdez mafesan

GrimoireLab: Bestiary CHAOSS Con, February 2nd, 2018 Miguel ngel Fernndez @mghfdez mafesan at bitergia dot com https://speakerdeck.com/bitergia /introducing /introducing Bestiary Analytics scope configuration made simple

391 views • 6 slides
A Bestiary of Sets and Relations arXiv:1506.05025 Stefano Gogioso Quantum Group University of

A Bestiary of Sets and Relations arXiv:1506.05025 Stefano Gogioso Quantum Group University of

Pure State Quantum Mechanics CPM and Decoherence Measurements and Locality A Bestiary of Sets and Relations arXiv:1506.05025 Stefano Gogioso Quantum Group University of Oxford 17 July 2015 Stefano Gogioso A Bestiary of Sets and Relations

1.21k views • 84 slides
The Bestiary Mindmaps Rationale My project is a Mythological Animal Museum that houses

The Bestiary Mindmaps Rationale My project is a Mythological Animal Museum that houses

Amely Koenigs VCD102 Presentation Mythological Animal Museum- The Bestiary Mindmaps Rationale My project is a Mythological Animal Museum that houses skeletons and collections of mythical animals (they are assumed to be real

180 views • 7 slides
Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline

Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline

Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline SPA project http://spa.desy.de/spa/ , http://www.ippp.dur.ac.uk/montecarlo/BSM/ Bestiary of public codes only: supposedly impartial

937 views • 36 slides
Creativity in confinement Arvid&amp;Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve

Creativity in confinement Arvid&amp;Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve

Creativity in confinement Arvid&amp;Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve 2018 The Bestiary of Autonomous Machines 2018 What is art in confinement Art in prison Russian prisoner tattoos Art in prison Art in prison

1.31k views • 32 slides
Science Overview - 1 ! GSFC Astrophysics on the International Space Station &quot;

Science Overview - 1 ! GSFC Astrophysics on the International Space Station &quot;

Science Overview - 1 ! GSFC Astrophysics on the International Space Station &quot; Understanding ultra-dense matter through soft X-ray timing ! Science: A proposed International Space Station (ISS) payload dedicated to the study of neutron

235 views • 12 slides
WEKA Machine Learning Use Case Breast Cancer Stephan Mgaya TERNET Tanzania

WEKA Machine Learning Use Case Breast Cancer Stephan Mgaya TERNET Tanzania

WEKA Machine Learning Use Case Breast Cancer Stephan Mgaya TERNET Tanzania smgayanath@gmail.com e-Research Summer Hackfest Catania (Italy) This project has received funding from the European Unions Horizon 2020 research and

291 views • 8 slides
On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor, Electrical &amp; Computer Engineering + Computer Science Director, Cyber Autonomy Research Center Collaborators: Mahmood Sharif, Sruti Bhagavatula, Mike

754 views • 31 slides
PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Institute of Technology 1 Malicious Documents On the Rise 2 3 4 Adobe Components Exploited Element parser JavaScript engine 137 CVEs in 2015

883 views • 62 slides
Improving the Security of Quantum Protocols via Commit&amp;Open Ivan Damgrd (Aarhus University,

Improving the Security of Quantum Protocols via Commit&amp;Open Ivan Damgrd (Aarhus University,

Improving the Security of Quantum Protocols via Commit&amp;Open Ivan Damgrd (Aarhus University, DK) Serge Fehr (CWI, NL) Carolin Lunemann (Aarhus University, DK) Louis Salvail (Universit de Montral, CA) Christian Schaffner (CWI, NL) CRYPTO

255 views • 23 slides
SinkMiner Mining Botnet Sinkholes for Fun and Profit Babak

SinkMiner Mining Botnet Sinkholes for Fun and Profit Babak

SinkMiner Mining Botnet Sinkholes for Fun and Profit Babak Rahbarinia 1 , Roberto Perdisci 1,2 , Manos Antonakakis 3 , David Dagon 2 1 University of Georgia 2 Georgia

179 views • 15 slides
Q&amp;A Please submit all questions concerning webinar content through the Q&amp;A panel.

Q&amp;A Please submit all questions concerning webinar content through the Q&amp;A panel.

Collecting Cancer Data:CNS 2/7/12 Collecting Cancer Data Central Nervous System NAACCR 2012 2013 Webinar Series 2/7/2013 Q&amp;A Please submit all questions concerning webinar content through the Q&amp;A panel. Reminder: If you have

791 views • 33 slides
Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai

Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai

4th International Conference on Malicious and Unwanted Software (Malware 2009) October 13-14 2009 Montreal, Canada Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu Overview

211 views • 19 slides
Statistical Learning Theory: A Hitchhikers Guide John Shawe-Taylor UCL Omar Rivasplata UCL /

Statistical Learning Theory: A Hitchhikers Guide John Shawe-Taylor UCL Omar Rivasplata UCL /

Statistical Learning Theory: A Hitchhikers Guide John Shawe-Taylor UCL Omar Rivasplata UCL / DeepMind December 2018 Neural Information Processing Systems Slide 1 / 52 Why SLT NeurIPS 2018 Slide 2 / 52 Error distribution picture 20 Parzen

889 views • 52 slides
DEBRA Members Weekend 2017 EB therapy research in Dundee: an update Knocking out the faulty

DEBRA Members Weekend 2017 EB therapy research in Dundee: an update Knocking out the faulty

DEBRA Members Weekend 2017 EB therapy research in Dundee: an update Knocking out the faulty gene &amp; Skipping the faulty exon Peter van den Akker Premium sponsors: EB therapy research in Dundee: an update Knocking out the faulty gene

794 views • 43 slides
Bias-Stress Instability in GaN Field-Effect Transistors Jess A. del Alamo and Alex Guo

Bias-Stress Instability in GaN Field-Effect Transistors Jess A. del Alamo and Alex Guo

Bias-Stress Instability in GaN Field-Effect Transistors Jess A. del Alamo and Alex Guo Microsystems Technology Laboratories Massachusetts Institute of Technology MRS Spring Meeting Phoenix, AZ, April 2-6, 2018 Acknowledgements: S.

771 views • 37 slides
F UNCTION C ALL T RACING ( CONTINUE ) We adds two more members to TB data structure to

F UNCTION C ALL T RACING ( CONTINUE ) We adds two more members to TB data structure to

T OWARD R EVEALING K ERNEL M ALWARE B EHAVIOR IN V IRTUAL E XECUTION E NVIRONMENTS Chaoting Xuan, John Copeland, Raheem Beyah Department of Electric and Computer Engineering Georgia Institute of Technology 09/25/2009 M OTIVATION Rootkits are

371 views • 25 slides
Introducing Space and Time in Local Feature-Based Endomicroscopic Image Retrieval January 25,

Introducing Space and Time in Local Feature-Based Endomicroscopic Image Retrieval January 25,

Introducing Space and Time in Local Feature-Based Endomicroscopic Image Retrieval January 25, 2010 Barbara Andr Supervision Tom Vercauteren Nicholas Ayache 1 B. Andr B. Andr , MSR , MSR- -INRIA Workshop 2010 INRIA Workshop 2010

595 views • 41 slides
George Karabatis 1 , Jianwu Wang 1 , Ahmed AlEroud 2 {georgek, jianwu, ahmed21}@umbc.edu 1

George Karabatis 1 , Jianwu Wang 1 , Ahmed AlEroud 2 {georgek, jianwu, ahmed21}@umbc.edu 1

Towards Adaptive Big Data Cyber-attack Detection via Semantic Link Networks George Karabatis 1 , Jianwu Wang 1 , Ahmed AlEroud 2 {georgek, jianwu, ahmed21}@umbc.edu 1 Department of Information Systems University of Maryland, Baltimore County 2

233 views • 22 slides
Best Practices for Diagnosis and Treatment of Headache Sadly, I still have nothing new to

Best Practices for Diagnosis and Treatment of Headache Sadly, I still have nothing new to

Disclosures Best Practices for Diagnosis and Treatment of Headache Sadly, I still have nothing new to disclose from yesterday John Engstrom, M.D. April 2017 Old Headaches vs. New Headaches (HA) Headaches Severity or location of

181 views • 14 slides
Beneficiary Engagement and Incentives (BEI) Models Shared Decision Making (SDM) Model January

Beneficiary Engagement and Incentives (BEI) Models Shared Decision Making (SDM) Model January

Beneficiary Engagement and Incentives (BEI) Models Shared Decision Making (SDM) Model January 2017 Navigating the Webinar Platform 2 Questions during the Presentation Please submit questions for the model team in the Q&amp;A box throughout

531 views • 36 slides
37 th Annual JP Morgan Healthcare Conference Mike Mahoney Chairman &amp; Chief Executive Officer

37 th Annual JP Morgan Healthcare Conference Mike Mahoney Chairman &amp; Chief Executive Officer

37 th Annual JP Morgan Healthcare Conference Mike Mahoney Chairman &amp; Chief Executive Officer Safe Harbor for Forward-Looking Statements This presentation contains forward-looking statements within the meaning of Section 27A of the Securities

566 views • 27 slides
Ensembled Multivariate Adaptive Regression Splines Ensembled Multivariate Adaptive Regression

Ensembled Multivariate Adaptive Regression Splines Ensembled Multivariate Adaptive Regression

CO COMPSTAT2010 in Paris S 2010 Ensembled Multivariate Adaptive Regression Splines Ensembled Multivariate Adaptive Regression Splines with Nonnegative Garrote Estimator ith N ti G t E ti t Hiroki Motogaito g Osaka University Osaka

922 views • 25 slides
Design of experiments for the NIPS 2003 variable selection benchmark Isabelle Guyon July 2003

Design of experiments for the NIPS 2003 variable selection benchmark Isabelle Guyon July 2003

Design of experiments for the NIPS 2003 variable selection benchmark Isabelle Guyon July 2003 isabelle@clopinet.com Background: Results published in the field of feature or variable selection (see e.g. the special issue of JMLR on variable

542 views • 30 slides

More recommend