APT - Hunting 0Day Malware

Post on 09-Jun-2015


Presentation slides of my talk at Cyber Secure Pakistan 2013.

Transcript of APT - Hunting 0Day Malware

APT: Hunting 0Day Malware

Mustafa Qasim

Since this presentation started

of organizations will have some malware event successfully evade their IT defenses.

On average, malware events occur at a single organization once every 3 MINUTES

Introduction

Once upon a time...

According to IDC, between 2003 and 2011, total IT security spend grew from $12 billion to $28 billion.

$12 Billion (2003)

$28 Billion (2011)

reActive

Vs

proActive

Fear of False Positive!

So called Defenders!

Firewalls

- Yes/No

- NexGen Firewall Buzz

- Latency Impact

IPS

- Traffic Signatures

- 0Day Prevention Buzz (Exploit > Vulnerability)

- Network Services vs. Client Side Attacks

Web Gateways

Called: Defense in Depth

In reality: Iteration

Anti-Virus (L0L)

- Signatures

- Heuristics

- Sandbox

Anti-Virus (L0L)

- VIP entry via signed binary: Flame by Microsoft ;-)

Signatures

- Binary / Traffic

- Morphing, Obfuscation, Encryption

Heuristics Dilemma

Isn't Sandbox made up of sand?

Disheartened by Backward Looking Defenders?

The highest technique is to have no technique.

My technique is a result of your technique; my movement is a result of your movement.

APT Malware vs. Traditional

APT Attack Life Cycle

Stage 1

Intrusion through exploitation

- Remote Exploit / Local Exploit

- Social Engineering

Stage 2

Malware is dropped

- Single Click

- Base64 Encoded Hidden Link

- Java revocation list check disabled

- Legacy vs Advanced

* PDF, not EXE

* DLL search order hijacking

Stage 3

Phones Home

- RAT

- Outbound Encrypted Connection

- Proxy CnC for a network

Stage 4

Spreads laterally

- Does not always hit the target

- Clear entry point

Stage 5

Data extraction

- Small Chunks

- Staged Host

- Encrypted RAR
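The two network-visible stages of the life cycle above, "Phones Home" (Stage 3) and "Data extraction" in small chunks (Stage 5), can both be hunted in flow logs. The following is an added example, not code from the talk: it flags connection series with near-constant intervals (beaconing) and hosts that send many small uploads adding up to a large total. The flow records, field names and thresholds are constructed assumptions for illustration.

```python
"""Added example (not from the talk): network-side checks for two of the lifecycle
stages above, run over constructed flow records.

Stage 3, "phones home": a RAT beacons to its CnC at a near-fixed interval, so the
gaps between connections to one (dst, port) have low jitter.
Stage 5, "small chunks": data leaves as many transfers that each stay under a
per-transfer size limit while the total to one host is large.
Field names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int          # seconds since epoch (constructed)
    src: str         # internal host
    dst: str         # external destination
    dport: int
    bytes_out: int   # bytes sent by src in this flow


def detect_beacons(flows, min_flows=6, max_jitter=0.15):
    """Return {(src, dst, dport): mean_interval} for connection series whose
    inter-arrival jitter (stdev / mean) is at or below max_jitter."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.ts)
    hits = {}
    for key, times in by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg, 1)
    return hits


def detect_chunked_exfil(flows, window=3600, min_chunks=10,
                         max_chunk=70_000, min_total=300_000):
    """Return {(src, dst): (chunk_count, total_bytes)} for hosts that send at least
    min_chunks transfers of at most max_chunk bytes each, totalling at least
    min_total bytes, inside any window-second sliding window."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.bytes_out <= max_chunk:        # only the "small" transfers count
            by_pair[(f.src, f.dst)].append(f)
    hits = {}
    for key, recs in by_pair.items():
        recs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            chunk = recs[start:end + 1]
            total = sum(r.bytes_out for r in chunk)
            best = hits.get(key)
            if len(chunk) >= min_chunks and total >= min_total and (best is None or total > best[1]):
                hits[key] = (len(chunk), total)
    return hits


def build_sample_flows():
    """Constructed sample data: one beacon, one chunked upload, one benign browser."""
    base = 1_700_000_000
    flows = []
    # Beacon: 10.0.0.5 -> 203.0.113.10:443 about every 300 s, a few seconds of jitter
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, 0, -3]):
        flows.append(Flow(base + 300 * i + jitter, "10.0.0.5", "203.0.113.10", 443, 512))
    # Chunked exfil: 12 uploads of ~50 KB to a staging host over ~17 minutes, irregular gaps
    for i, gap in enumerate([0, 40, 95, 200, 230, 310, 420, 500, 640, 700, 850, 1000]):
        flows.append(Flow(base + gap, "10.0.0.7", "198.51.100.20", 443, 50_000 + 10 * i))
    # Benign: 10.0.0.9 browsing with human-paced, irregular gaps and modest sizes
    for i, gap in enumerate([0, 17, 400, 430, 1800, 1815, 3000]):
        flows.append(Flow(base + gap, "10.0.0.9", "192.0.2.80", 443, 1500 + 700 * i))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("beacons:", detect_beacons(sample))
    print("chunked exfil:", detect_chunked_exfil(sample))
```

The jitter ratio is what separates a timer-driven RAT from a person clicking around: both may talk to one external host repeatedly, but only the timer produces near-equal gaps. The exfil check deliberately ignores the size of any single transfer and keys on the count and sum, which is exactly the dimension a per-transfer DLP limit does not see.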

Case Studies

- RSA breach

- Operation Aurora

Forensics & Challenges

- Behavior

- Code

* Packed

* Obfuscated

* Anti Debugger

* Anti VM

* Time

NGTP

- Signature-less

- Protection not Detection

- Virtual Execution Engine

Pakistan Cyber Space

First things FIRST!

“ If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”

— Sun Tzu, The Art of War

Honeynet Pakistan

- 6 Deployments

- Avg. 400 malware per day

- Around 100 Unique

ISPs

Financial Institutions

NADRA

Government Organizations

Honeytoken Snort Rule

alert ip any any -> any any (msg:"Alert! Token c86"; content:"r71p@g3r"; sid:1000001; rev:1;)

(sid and rev added so the rule loads; 1000001 is a placeholder from the local-rule range, not a value from the slide.)
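The honeytoken rule above matches the literal token bytes anywhere in any packet, which is exactly what makes a planted credential a reliable tripwire. The block below is an added example, not code from the talk: it re-implements that content match in Python so it can be run over constructed sample packets offline, and it also handles one gap in a raw content match, a token that leaves the network base64-encoded, by decoding base64 runs before matching. The token value is the slide's; the packets, addresses and the `nocase` option are constructed assumptions.

```python
"""Added example (not from the talk): the honeytoken content match from the Snort
rule above, re-implemented over constructed packets, plus a base64-decoded view so
an encoded copy of the token is still caught. Token is from the slide; packets,
addresses and the nocase flag are assumptions for illustration."""
import base64
import re
from typing import NamedTuple

TOKEN = b"r71p@g3r"                                   # honeytoken from the slide's Snort rule
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")     # candidate base64 runs in a payload


class Packet(NamedTuple):
    src: str
    dst: str
    payload: bytes


def decoded_views(payload: bytes):
    """Yield the raw payload, then every base64 run inside it decoded (invalid runs skipped)."""
    yield payload
    for m in B64_RUN.finditer(payload):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)                 # repair stripped padding
        try:
            yield base64.b64decode(run, validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            continue


def match_token(packet: Packet, token: bytes = TOKEN, nocase: bool = False) -> bool:
    """Snort 'content' semantics: case-sensitive unless nocase, anywhere in the payload."""
    for view in decoded_views(packet.payload):
        hay, needle = (view.lower(), token.lower()) if nocase else (view, token)
        if needle in hay:
            return True
    return False


def run_honeytoken_rule(packets, msg: str = "Alert! Token c86"):
    """Return one alert line per packet that trips the rule, in packet order."""
    return [f"[{msg}] {p.src} -> {p.dst}" for p in packets if match_token(p)]


def build_sample_packets():
    """Constructed traffic: two leaks of the token, one benign request, one case variant."""
    return [
        Packet("10.0.0.12", "203.0.113.50", b"POST /up HTTP/1.1\r\n\r\nuser=r71p@g3r&pw=x"),  # literal token
        Packet("10.0.0.12", "203.0.113.50", b"d=" + base64.b64encode(b"cred:r71p@g3r")),      # token base64-encoded
        Packet("10.0.0.30", "192.0.2.10", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"), # benign
        Packet("10.0.0.31", "192.0.2.11", b"user=R71P@G3R"),                                 # case differs
    ]


if __name__ == "__main__":
    for line in run_honeytoken_rule(build_sample_packets()):
        print(line)
```

Two points carry back to the Snort rule itself: `content` is case-sensitive unless `nocase;` is added, and a raw byte match will not see the token once it is base64-encoded or wrapped in an "Outbound Encrypted Connection" as in Stage 3, so the honeytoken is most useful as a tripwire on the internal side of the encryption boundary (host logs, proxies, mail flow) rather than only on the wire.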

Catch Me

Twitter: mustafaqasim

Freenode: mustu @ #offsec