to a persistent threat
play

to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda - PowerPoint PPT Presentation

May 24, 2023 •266 likes •794 views

Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection Vectors Packer Evolution How do they work ? DeepSec 2011 Introduction Fake AntiVirus (FakeAV) is a

  1. Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011

  2. Agenda • FakeAV Trends • Infection Vectors • Packer Evolution • How do they work ? DeepSec 2011

  3. Introduction Fake AntiVirus (FakeAV) is a malware which displays fake warnings to the users to trick them to buy illegitimate software . DeepSec 2011

  4. Introduction DeepSec 2011

  5. FakeAV Trends Analyse the major events over the last three and half years. DeepSec 2011

  6. FakeAV Trends • Dramatic Rise of FakeAV in 2009 • Black Hat SEO was heavily used. • Popular websites were used to serve FakeAV. • ex: New York Times news paper Website in 2009. • Government Embassy website Attacks . • Social Networking Sites were used (Facebook and Twitter). DeepSec 2011

  7. FakeAV Trends 2010 continued to see the spike in FakeAV detections. • More Spam redirects to FakeAV. • More unpatched PDF and Java Vulnerabilities were used to deliver FakeAV. • Black Hat SEO on hot topics, still remained the popular infection method. DeepSec 2011

  8. FakeAV Trends Significant events in 2011. • Mac users were infected with Mac Defender in big scale around May 2011. DeepSec 2011

  9. Sharp Decline Significant events in 2011. • Sharp Decline in FakeAV detections, due to law enforcement actions in Aug 2011. DeepSec 2011

  10. Sharp Decline ● ChronoPay’s server were compromised and details were reported online. ● Several FakeAV programs had credit card processing issues. DeepSec 2011

  11. FakeAV is down, but still active Sophos Top Five FakeAV Detection rate between Mar-Oct 2011. DeepSec 2011

  12. FakeAV is down, but still active FakeAV infection between 1 st Quarter of 2010 and 2 nd Quarter of 2011, according to Microsoft Security Intelligence Report. DeepSec 2011

  13. Infection Methods We will analyse popular Infection methods and how they work. DeepSec 2011

  14. Black Hat SEO Poisoning search engine optimization. • Illegitimate way of increasing search engine ranking. DeepSec 2011

  15. Black Hat SEO Pictorial Representation of Black Hat SEO attack DeepSec 2011

  16. Black Hat SEO • Step1: Identify and compromise legitimate websites. • Step2: Upload multifunctional PHP script to the compromised website. • Step3: Feed crawlers with specially stuffed webpage with keywords. • Step4: Redirect users coming through search engine to FakeAV website. DeepSec 2011

  17. Malvertising Serving FakeAV through Advertising networks. DeepSec 2011

  18. Malvertising JavaScript used in New York Times newspaper website. DeepSec 2011

  19. Cold Calling Fake tech support centre’s are used to scam users. DeepSec 2011

  20. Spam Campaigns FakeAV served through email attachments and drive by download links. DeepSec 2011

  21. Spam Campaigns DeepSec 2011

  22. Fake Codecs Users are social engineered to download FakeAV as Codecs. DeepSec 2011

  23. Exploit Kit Use Blackhole Exploit kit as an example to see how exploit kit works. DeepSec 2011

  24. Exploit Kit Black Hole Exploit Kit panel showing Infections by country and vulnerabilities.

  25. Exploit kit Blacklisting mechanism used by Black Hole. DeepSec 2011

  26. Exploit Kit Infection mechanism using Exploit kit. DeepSec 2011

  27. Exploit Kit Obfuscated Black Hole Exploit Script DeepSec 2011

  28. Exploit Kit Decrypted Exploit script checking version and creating Iframe element. DeepSec 2011

  29. Packer Evolution • Anti Emulation API • Process Environment Block • Thread Information Block • Kuser Shared Data DeepSec 2011

  30. Packer Evolution FakeAV without packed layer DeepSec 2011

  31. Anti Emulation • Emulator is a piece of Software used to simulate the behaviour of a system. • Windows X86 emulator is used to simulate the behaviour of X86 processor. • Malware authors use tricks to break emulation. DeepSec 2011

  32. Anti Emulation API DeepSec 2011

  33. Anti Emulation API DeepSec 2011

  34. FS:30 Process Environment Block DeepSec 2011

  35. FS:18 Thread Information Block DeepSec 2011

  36. KUSER_SHARED_DATA ● Usually mapped at 0x7FFE0000 ● Checking the presence of value at 0x7FFE0004 (TickCountMultiplier). ● Values at this structure are also known to be used in obfuscated calls and decryption strings. DeepSec 2011

  37. How is this Done ? Understand Packing using a Polymorphic Cryptor. DeepSec 2011

  38. Packer Evolution Cryptors available in underground forums. Click icon to add table DeepSec 2011

  39. Packer Evolution Crum Polymorphic Cryptor DeepSec 2011

  40. Packer Evolution. Crum Polymorphic Cryptor with different icons. DeepSec 2011

  41. Packer Evolution Testing Crum Polymorphic Cryptor DeepSec 2011

  42. Packer Evolution Testing Crum Polymorphic Cryptor DeepSec 2011

  43. Packer Evolution Anti Emulation stuff inserted by Crum Polymorphic Cryptor DeepSec 2011

  44. What Drives FakeAV ? DeepSec 2011

  45. What Drives FakeAV ? DeepSec 2011

  46. What Drives FakeAV ? DeepSec 2011

  47. What Drives FakeAV ? • FakeAV developers use affiliate networks to distribute and advertise FakeAV. • Affiliates in turn recruit meta affiliates to distribute FakeAV links and binaries. • Money is paid in Pay per Install scheme, for driving traffic to FakeAV Landing Pages and FakeAV purchases. • University of California research study reveals that FakeAV business earned more than 130 million dollars. DeepSec 2011

  48. AV vs FakeAV DeepSec 2011

  49. Conclusion • FakeAV is still one of the big threats actively infecting users. • Better understanding of operations used. • Able to study the different tricks used by FakeAV code. • Use this knowledge to better protect users from FakeAV Infection . DeepSec 2011

  50. Acknowledgements DeepSec 2011

  51. DeepSec 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez , Xiaolin Chang , Xiaodan Li , Kishor S. Trivedi Ricardo J. Rodr rjrodriguez@unizar.es , xlchang@bjtu.edu.cn , { xiaodan.li,ktrivedi }

420 views • 26 slides
Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter:

Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter:

Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter: @nicowaisman Aleatoricism is the creation of art by chance, exploiting the principle of randomness. The word derives from the Latin word alea, the

862 views • 82 slides
(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

The Advanced Persistent Threat (or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced, Persistent Threat? Increasingly sophis5cated cyber aIacks by hos5le organiza5ons with the goal of: Gaining

872 views • 50 slides
Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon Supervisors: Marco Davids, Christian Hesselman (SIDN) About Advanced Persistent Threats Advanced Persistent Threat (APT) [2]; Highly skilled and

342 views • 32 slides
Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010

Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010

Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010 Wednesday, October 20, 2010 Outline of the memo you read Persistence and persistent reference Gambling / trust Threat model Prevention

612 views • 20 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

604 views • 6 slides
What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

DDoS & Modern Threat Motives Dan Holden Director, ASERT What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape Geo-poli:cal More defenses ? App/Content t a

1.13k views • 44 slides
Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory (PM/NVM) CPU Byte Addressable Persistent Cache Low Latency Capacity Cost effective PM DRAM 2 Many PM Work, but All in Single Machine

712 views • 33 slides
Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
Assessment of sinoatrial node function at patients with persistent and long-standing persistent

Assessment of sinoatrial node function at patients with persistent and long-standing persistent

Assessment of sinoatrial node function at patients with persistent and long-standing persistent forms of atrial fibrillation after Maze III procedure combined with a mitral valve operation A.A. Kulikov, L.A. Bokeria Bakoulev Scientific Center

267 views • 12 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides
Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo Cintra, Stratis Viglas NVMW 2019 Persistent Memory Systems L1 L1 LLC Persistent Memory 2 Persistent Memory Systems L1 L1 Persistent

1.1k views • 70 slides
Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect Multi-phase approach Initially: create Cyber Domain PIM and S TIX PS M with UML Profile for NIEM Expand to other PS M, create Threat Meta

211 views • 10 slides
Reverse Mortgages The opportunity for brokers post major bank exits 13 March 2019 Agenda

Reverse Mortgages The opportunity for brokers post major bank exits 13 March 2019 Agenda

Reverse Mortgages The opportunity for brokers post major bank exits 13 March 2019 Agenda Heartland overview Growing demand Market insights Heartland Reverse Mortgage Criteria Fulfilment process and client safeguards

493 views • 28 slides
RETAIL SECURITY Characteristics, challenges and solutions for retail security High street and

RETAIL SECURITY Characteristics, challenges and solutions for retail security High street and

RETAIL SECURITY Characteristics, challenges and solutions for retail security High street and mall stores Different types of retail require different security Low-high value goods systems, but there are Medium volume of goods several

598 views • 11 slides
Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches

Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches

10/16/2013 Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches are on the rise Understand the potentially damaging impact of security breaches Security must be made a top organizational

610 views • 20 slides
What is Social n Information Engineering? n Access to computer system n Revenge 2/15/12

What is Social n Information Engineering? n Access to computer system n Revenge 2/15/12

Thompson Consulting Group, LLC Disclaimer WWW.TgroupOnline.Com This course provides a basic overview of Social Engineering, and is not legal advice. There is no warranty, expressed or implied, in connection with making this program

340 views • 6 slides
Nobel Laureates 2007 Physics: Chemistry: Prof. Peter Grnberg, Prof. Gerhard Ertl, FZ Jlich

Nobel Laureates 2007 Physics: Chemistry: Prof. Peter Grnberg, Prof. Gerhard Ertl, FZ Jlich

Nobel Laureates 2007 Physics: Chemistry: Prof. Peter Grnberg, Prof. Gerhard Ertl, FZ Jlich Fritz Haber Institut der and MPG, Berlin Prof. Albert Fert, Paris Giant Magneto Resistance: GMR Electrical resistance of stacked magnetic

1.07k views • 48 slides
The South Jersey Regional Traffic Signal Inventory Andrew Tracy Transportation Engineer

The South Jersey Regional Traffic Signal Inventory Andrew Tracy Transportation Engineer

The South Jersey Regional Traffic Signal Inventory Andrew Tracy Transportation Engineer atracy@sjtpo.org SOUTH JERSEY TRANSPORTATION PLANNING ORGANIZATION Background 55 47 The Friendly MPO Background Project purpose & need:

373 views • 18 slides
IODEF Extensions for Phishing and Other E-Crimeware Patrick Cain Latest Status New draft

IODEF Extensions for Phishing and Other E-Crimeware Patrick Cain Latest Status New draft

IODEF Extensions for Phishing and Other E-Crimeware Patrick Cain Latest Status New draft out. Missed deadline by a little; should show up in repository soon. draft-ietf-inch-phishingextns-02 One Technical change Many

452 views • 5 slides
Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on

Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on

Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on Breaches: What Makes the Difference? Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of

423 views • 21 slides

More recommend