Modern Malware

James SherlowSE Manager NEUR

•data breach mythology

•we invest in protecting our data centers

•rarely the datacenter is attacked directly

no more vulnerability scanning

•the new attacker

the attacker is not a bored geek

nation states and organized crime

•data breaches in 2011

step one: bait an end‐user

step one: bait an end‐user

spear phishing

step one: bait an end‐user

step two: exploit a vulnerability

step three: download a backdoor

step four: establish a back channel

step five: explore and steal

•the state of malware protection

•blueprint for stopping modern malware

need to protect all applications

•response time is key

•automation is a must

•a sandbox at the core

•perform the analysis for all devices centrally

•automatically generate multiple signatures

• Anti-malware download signatures

• IPS back-channel signatures

• Malware URLs

• IPS signatures for identified new vulnerabilities

•need to protect at all stages

bait exploit download back channel steal

•© 2010 Palo Alto Networks. Proprietary and Confidential. •Page 27 |

Case Study: Jericho Banking Trojan

• Passwords and Credentials for Websites– Username/Login Pairs– Website Cookies– Keystrokes

• Targets Credentials for 100+ Websites– Vast majority of targeted sites are banking

and financial sites– Hiring and employment sites also targeted– Small number of technology sites targeted

Injects Into Common Applications

• Injects malicious code into common application processes– Browsers – Heavy focus on Firefox,

but also targets, IE, Chrome and Opera

– Email Clients – Outlook and WinMail– Other Apps – Skype, Java, and

Reader_sl.exe

• Allows the malware to make use of functions in those target applications– No need for the malware to import

networking libraries, it can simply use the ones already imported by the target app.

Ierihon Samples Delivered From Israel

Poor Coverage by Traditional AV• Tested malware against the top 6 antivirus

vendors• Repeated tests daily to track improvements

coverage

0.0%

10.0%

20.0%

30.0%

40.0%

50.0%

60.0%

70.0%

80.0%

90.0%

100.0%

Day‐0 Day‐1 Day‐2 Day‐3 Day‐4 Day‐5 Day‐6

the role of NGFW in stopping modern malware

© 2012 Palo Alto Networks. Proprietary and Confidential.Page 32 |