SIS Malware

The document provides an overview of cybersecurity threats and techniques used by malicious actors. It discusses prominent ransomware attacks like WannaCry and NotPetya. It describes types of malware like viruses, worms, trojans and potentially unwanted applications. Advanced malware techniques like polymorphism, metamorphism and rootkits are also covered. The document highlights defense evasion tactics used by adversaries to avoid detection.


Information System Security
mr.sc. Dražen Pranić
Agenda

• Introduction
• Types of malicious software
WannaCry

• May 2017
• More than 230,000 infected computers in a single day
• "WannaCry was a turning point. We witnessed the first global,
multi-vector attack built on state-sponsored tools."
• This attack caused an increase in the number of ransomware
attacks, and many later attacks exploited the same vulnerabilities
that were used in this one.
WannaCry
• Do you know what these URLs were used for?
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
• http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
WannaCry actors

Do you know who is behind the WannaCry campaign?

a) Russia
b) China
c) Iran
d) North Korea
NotPetya (one month later)

• June 2017 – Ukraine

• The original infection vector appears to be a backdoor
planted in M.E.Doc, an accounting software package that is
used by almost every company in Ukraine.
NotPetya

• Worm component
• Spreads over the SMB protocol (uses the EternalBlue vulnerability)
• Credential theft (Mimikatz functionality) → WMI
• A destroyer, not ransomware
Chinese Hackers Were Using NSA Hacking
Tool a Year Before it was Leaked by
Shadow Brokers
• Research from Symantec shows that a Chinese hacking group
was using NSA hacking tools a year before Shadow Brokers
leaked the cache of tools to the Internet.
• The Chinese hackers appear to have captured and
reverse-engineered the tools, illustrating a lesson of cyberwarfare:
hacking an adversary gives them access to the cyber tools
used.
• Created by the NSA, intercepted by China, later stolen and
leaked by another mysterious hacker group known as the
Shadow Brokers, and ultimately used by North Korea and
Russia in two of the most damaging and costly cyberattacks in
history.
• https://www.wired.com/story/nsa-zero-day-symantec-buckeye-china/
Focus placed on the end user,
external partners and external infrastructure
• Drive-by Compromise
• Adversaries may gain access to a system through a user visiting a website over the normal course
of browsing. With this technique, the user's web browser is typically targeted for exploitation.
• Watering hole attacks, malicious ads, …
• Exploit Public-Facing Application
• Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or
program using software, data, or commands in order to cause unintended or unanticipated
behavior.
• External Remote Services
• Adversaries may leverage external-facing remote services to initially access and/or persist within a
network.
• Hardware Additions
• Adversaries may introduce computer accessories, networking hardware, or other computing
devices into a system or network that can be used as a vector to gain access.
• Phishing
• Adversaries may send phishing messages to gain access to victim systems. All forms of phishing
are electronically delivered social engineering.
• Valid Accounts
• Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial
Access, Persistence, Privilege Escalation, or Defense Evasion.
• Replication Through Removable Media
• Supply Chain Compromise / Trusted Relationship
The RSA case
• RSA – a company that provides security solutions and,
among other things, produces authentication software
• In 2011 hackers broke into RSA, compromised the
SecurID tokens, and then broke into Lockheed Martin
• Method of entry: an infected HR spreadsheet in an e-mail
message from a "trusted source"
Types of malicious programs
• Definitions accepted by the AV industry
• The type of malicious program depends on two characteristics
• the propagation method and/or
• the activity on the infected computer
• Four main types of malicious programs
• Viruses
• Worms
• Trojan horses
• Potentially unwanted applications (PUA)
• Spyware, ransomware, fileless malware
Viruses
• The oldest type of malicious program
• A virus "attaches" itself to a legitimate program and executes
when that program is started

[Figure: original program → infected program]
Viruses
• By infection method:
• File infectors
• Batch files and shell scripts
• Boot sector viruses
• Infect the sector of the medium that is read first
• Macro viruses
• Use the application's macro language
• Microsoft Office (Word, Excel)

• Combined categories (multipartite)
• E.g. boot sector and file infector in one
• Make virus removal harder (it is not enough to remove
only one source of infection)
Worms

• Main characteristics:
• Spread over computer networks
• Do NOT infect other files
• How worms spread over the network:
• Exploit remote access/administration protocols (e.g. RDP, SSH)
• Exploit weak passwords (e.g. Stuxnet used default
passwords for Siemens PLCs; password guessing)
• Exploit security vulnerabilities in network services
(e.g. SQL Slammer, Blaster, Code Red, Nimda, …)
• Exploit security vulnerabilities in applications
Trojan horses
• Main characteristics:
• Unable to spread on their own
• Do not infect other files
• Another malicious program is needed for the installation itself
• Give the attacker control over the Internet
• Today the most common type of malicious program
• Steal sensitive information or use local resources
• Give the attacker complete control of the computer
Trojan horse – client
• Reverse connection – standard ports
(80, 443)
Dridex

• Upload files
• Download files
• Execute files
• Monitor network traffic
• Browser screenshot taking
• Add the compromised computer to a botnet
• Communicate with other peer nodes through the peer-to-peer (P2P)
protocol to retrieve configuration details
• Download and execute additional modules
• Download and execute additional files
• Inject itself into browser processes for Internet Explorer, Chrome, and
Firefox in order to monitor communications and steal information.
Potentially unwanted applications

• Applications that can have an unwanted effect on the security and
privacy of the user (grayware)
• Applications that install other applications during installation
• Web browser toolbar that changes settings (e.g. the search engine)
• Adware – unwanted advertisements
• Spyware – excessive data collection
Networks of malicious programs (botnets)

• Malware authors want to control the infected computers
• Networks of infected computers are called botnets
• Trojan programs with a remote-control component
• The central servers are called Command & Control (C&C)
• Commands can easily be issued to a large number of
infected computers
• DDoS attacks, sending spam, etc.
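The reverse connection on ports 80/443 and the C&C traffic just described blend in by port, but a bot that calls home on a timer leaves a regular rhythm in connection logs. The following Python example is added here as an illustration and is not part of the lecture; it checks each (source, destination, port) pair for suspiciously regular intervals. All flow records, host names, addresses and thresholds are constructed for the demonstration.

```python
"""Added example (not from the lecture): spotting timer-driven C&C beaconing
in connection logs by measuring how regular the gaps between connections are.
Every flow record below is constructed."""
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp in seconds, source host, destination IP, destination port).
# ws-07 contacts 203.0.113.10:443 about every 60 s with +-1 s jitter (a beacon);
# ws-12 contacts 198.51.100.5:443 at the irregular pace of a person browsing.
BEACON_JITTER = [0, 1, -1, 0, 1, -1, 0, 1, -1, 0]
FLOWS = [(60 * i + j, "ws-07", "203.0.113.10", 443) for i, j in enumerate(BEACON_JITTER)]
FLOWS += [(t, "ws-12", "198.51.100.5", 443) for t in (5, 9, 40, 41, 43, 120, 300, 305, 600, 601)]
FLOWS += [(t, "ws-12", "203.0.113.10", 80) for t in (15, 16, 900)]  # too few to judge


def beacon_candidates(flows, min_connections=8, max_cv=0.1):
    """Return (pair, mean_gap, cv) for pairs whose inter-connection gaps are
    nearly constant. cv = stdev/mean of the gaps: human traffic is bursty
    (high cv), timer-driven traffic is regular (cv near 0). The thresholds
    are assumptions for the demo, not tuned values."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    findings = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough samples to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # all connections at the same instant: not a beacon pattern
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append((pair, round(mean_gap, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for pair, gap, cv in beacon_candidates(FLOWS):
        print(f"possible beacon: {pair} every ~{gap}s (cv={cv})")
```

Only the ws-07 pair is reported: its gaps are 58 to 61 seconds with a coefficient of variation around 0.02, while the browsing pair's gaps range from 1 to 295 seconds. In a real deployment the same computation runs over proxy or NetFlow exports, and the interval regularity is combined with other signals (rare destination, constant byte size) to keep false positives down.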
Advanced capabilities of malicious
programs

• The attacker's goal: make detection and/or analysis of the
malicious program harder
• Advanced capabilities:
• Polymorphism
• Metamorphism
• Rootkit technologies
• Code encryption
• Emulation using virtual machines
• Fileless
Polymorphism

• Changing the body of the program while keeping the same
functionality
• Signature-based detection examines the program body →
the body changes → the signature becomes ineffective
• The body is encrypted or compressed using special programs
(packers) → only the packer's code is visible → in the
computer's memory they decrypt/decompress the original
malicious program
• Changing the encryption key → changes the program body
Rootkit technologies
• Integrating the malicious program with key functions and
structures of the OS kernel
• Became popular in 2007
• Intercepts kernel calls (function hooking)
• E.g. when a file or directory is about to be opened
• The name of the requested file is checked and, if it is on the
list, a false or modified result is returned →
the AV software is told that the file does not exist
• Otherwise the legitimate code is executed
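The hooking logic above (check the name, return a doctored result if it is on the list, otherwise pass through) and the cross-view check that anti-rootkit tools use against it can be simulated in user mode. The Python example below is added here and is not part of the lecture: the "hook" is a wrapper around a directory-listing call that drops one name, and the detector compares that filtered view with a second, unhooked view. The temporary directory, file names and hide-list are constructed for the demonstration.

```python
"""Added example (not from the lecture): a user-mode simulation of rootkit-style
function hooking and of the cross-view diff that exposes it. The directory and
the hidden name are constructed for the demo."""
import os
import tempfile

HIDE_LIST = {"rk_driver.sys"}  # constructed: names the hook conceals


def hooked_listdir(path):
    """Simulates a hooked enumeration API: names on the hide list are dropped
    from the result, everything else is the legitimate result passed through."""
    return [name for name in os.listdir(path) if name not in HIDE_LIST]


def raw_listdir(path):
    """Stands in for an independent, lower-level view of the same directory
    (a real detector would parse filesystem structures directly); the hook
    does not cover this path, so it still sees everything."""
    with os.scandir(path) as entries:
        return [entry.name for entry in entries]


def cross_view_diff(path):
    """Classic anti-rootkit check: entries present in the low-level view but
    missing from the API view are being hidden from the caller."""
    return sorted(set(raw_listdir(path)) - set(hooked_listdir(path)))


def build_sample_dir():
    """Create a throwaway directory with two benign files and one 'hidden' one."""
    path = tempfile.mkdtemp(prefix="crossview_")
    for name in ("notes.txt", "app.exe", "rk_driver.sys"):
        with open(os.path.join(path, name), "w"):
            pass  # empty placeholder files
    return path


if __name__ == "__main__":
    sample = build_sample_dir()
    print("API view :", sorted(hooked_listdir(sample)))
    print("raw view :", sorted(raw_listdir(sample)))
    print("hidden   :", cross_view_diff(sample))
```

In practice `os.listdir` and `os.scandir` reach the same system call, so a kernel hook would doctor both; that is exactly why real cross-view tools obtain their second view from raw disk or kernel structures rather than from another API, and why the comparison is only as good as the independence of the two vantage points.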
Rootkit technologies

• The Stuxnet example
• Worm part – responsible for spreading the malware
• Executable part – running the malware
• Rootkit part – hiding the malware
Fileless malware persistence

• https://www.comparitech.com/blog/information-security/fileless-malware-attacks/
• When you turn off a computer, all active processes shut
down. Processes that are services of the operating system
are started up again when you turn the computer on.
• Fileless malware writes its script into the Windows Registry.
This is a function of the operating system that launches
programs either at system startup or on a schedule. The code
that runs the fileless malware is actually a script. A script is a
plain text list of commands, rather than a compiled executable file.
• Short lists of instructions don't have to be stored in a file.
However, longer and more complicated scripts do get stored for
relaunch at system start-up. In these cases, although the
program is classified as "fileless," there is actually a file
involved.
Fileless malware

• Remains persistent on the computer through changes to
registry settings
• Impossible to detect with traditional AV solutions
• Anomaly analysis → machine learning
• Endpoint detection and response (EDR) solutions, or EDR
functionality in antivirus software
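Because the persistence described above lives in registry autorun values rather than in a scanned file, one practical check is to triage those values for script hosts started with encoded, hidden or inline arguments. The Python example below is added here and is not part of the lecture; it parses the text format produced by `reg query` for a Run key and reports why each entry looks script-based. The registry output, value names and the watch-list of interpreters and argument patterns are constructed for the demonstration, and the `...` marks a truncated constructed blob.

```python
"""Added example (not from the lecture): triage of Run-key autoruns for
script-based (fileless) persistence. Parses 'reg query' style output and flags
values that launch a script host with suspicious arguments. All sample data
is constructed."""
import re

SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAo...
    Helper      REG_SZ    mshta vbscript:Execute("MsgBox(""constructed"")")
    Audio       REG_SZ    wscript.exe //B "C:\Users\alice\AppData\Roaming\a.vbs"
"""

# Interpreters that turn a plain-text value into running code (assumed watch-list).
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript")

# Argument patterns worth a second look; the labels are the reasons reported.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-e(nc|ncodedcommand)?\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\b(vbscript|javascript):", re.I), "inline script"),
    (re.compile(r"//B\b"), "script host batch mode"),
    (re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I), "script in user-writable path"),
]

# One value line of 'reg query' output: indent, name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_run_key(text):
    """Yield (value_name, reg_type, data) for each value line of 'reg query' output."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def triage_run_key(text):
    """Return {value_name: [reasons]} for autorun entries that look script-based.
    Entries with no script host and no suspicious pattern are left out."""
    findings = {}
    for name, _reg_type, data in parse_run_key(text):
        reasons = []
        lowered = data.lower()
        hosts = [h for h in SCRIPT_HOSTS if h in lowered]
        if hosts:
            reasons.append("script host: " + ", ".join(hosts))
        for pattern, label in SUSPICIOUS_PATTERNS:
            if pattern.search(data):
                reasons.append(label)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_REG_OUTPUT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The benign OneDrive entry is not reported, while the three constructed script-host entries are, each with the specific reasons. The same logic applies to the other autorun locations (RunOnce, scheduled tasks, WMI subscriptions) once their output is parsed; the watch-list is deliberately short and would be extended in production with an allow-list of known-good entries to control false positives.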
Defense evasion

• The adversary is trying to avoid being detected.
• Defense Evasion consists of techniques that adversaries use to
avoid detection throughout their compromise.
• Techniques used for defense evasion include
uninstalling/disabling security software or
obfuscating/encrypting data and scripts.
• Adversaries also leverage and abuse trusted processes to hide
and masquerade their malware. Other tactics' techniques are
cross-listed here when those techniques include the added
benefit of subverting defenses.
Anti-virus programs
• The basic protection against malicious programs
• Use of AV programs is prescribed by various standards
• CIS Top 18, ISO 27001, PCI DSS, …
• They integrate with the operating system in order to
intercept risky operations
• Starting programs
• Opening files
• Communication over the Internet
Signature-based detection

• The classic mode of operation of anti-virus programs
• Used from the very beginning
• Malicious programs are detected by their signature
• A signature can be thought of as a unique pattern
• Usually a unique part of the program code
• Enables detection of families of malicious programs
• "Generic signatures"
• Ineffective against 0-day malware, polymorphism, fileless
malware, …
• In fact, simply ineffective
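The polymorphism slide earlier and the signature slide above describe the same failure from two sides: a byte signature keys on the program body, a packer re-encodes that body under a changing key, so the on-disk bytes never match. The Python example below is added here and is not part of the lecture; it shows a signature matching the plain body, failing on every packed variant, and matching again once the scanner reproduces what the packer's stub does in memory (or keys on the stub itself, the "generic signature" idea). The "body" is a harmless text string, the packer is a one-byte XOR with a constructed stub marker, and nothing executes.

```python
"""Added example (not from the lecture): why a fixed byte signature stops
matching once the body is packed with a changing key, and why scanning the
unpacked body, or the packer stub, still works. Body, signature and packer
format are all constructed for the demonstration."""

# Constructed "body": the unique code fragment a family signature would be written for.
BODY = b"SET_PERSISTENCE:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# A family signature: a unique slice of the body.
SIGNATURE = b"SET_PERSISTENCE:"
STUB_MAGIC = 0x50  # constructed marker: first byte of the toy packer's stub


def pack(body, key):
    """Toy packer: a two-byte stub (magic, key) followed by the XOR-encoded body.
    A different key gives different bytes for identical functionality."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    return bytes([STUB_MAGIC, key]) + bytes(b ^ key for b in body)


def is_packed(sample):
    """Generic signature on the packer stub rather than on the body."""
    return len(sample) >= 2 and sample[0] == STUB_MAGIC


def unpack(sample):
    """What the stub does at run time: rebuild the original body in memory."""
    if not is_packed(sample):
        return sample  # plain sample, nothing to undo
    key = sample[1]
    return bytes(b ^ key for b in sample[2:])


def scan_static(sample):
    """Classic signature scan over the bytes as they sit on disk."""
    return SIGNATURE in sample


def scan_unpacked(sample):
    """Emulate the unpacking first, then apply the same signature."""
    return SIGNATURE in unpack(sample)


def make_variants(n):
    """n polymorphic variants of the same body, one per key."""
    return [pack(BODY, key) for key in range(1, n + 1)]


if __name__ == "__main__":
    variants = make_variants(5)
    print("plain body, static scan :", scan_static(BODY))
    print("packed, static scan     :", [scan_static(v) for v in variants])
    print("packed, unpacked scan   :", [scan_unpacked(v) for v in variants])
    print("packed, stub signature  :", [is_packed(v) for v in variants])
```

Every variant is a different byte string, the static scan misses all of them, and the unpacked scan catches all of them. Real packers use proper ciphers and polymorphic decoder stubs rather than a constant marker, which is why production engines unpack in an emulator or sandbox and match on the memory image, exactly the point the two slides make.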
Malware analysis
platforms
ReversingLabs analyzes 5x more files weekly and finds over 2x more
new malware samples weekly than VirusTotal.
Next-generation antivirus solutions

• Leaders who acquired and added new functionality
• Challengers who changed the concept of endpoint protection
• Next-generation AV solutions must be able to provide
adequate:
• Prevention
• Detection
• Forensics
Requirements
• The solution must protect against known and unknown malware without
relying on daily agent/definition updates.
• There must be a facility to detect malicious activity based on the behavior of a
process.
• The solution must store indicator of compromise (IOC)/indicator of attack
(IOA) data in a central location for retrospective analysis.
• The capability must be provided to detect and block fileless malware attacks.
• The solution must be able to remove malware automatically when detected,
i.e., delete/quarantine files/kill processes.
• The primary EPP console must use a cloud-based, SaaS-style, multitenant
infrastructure that is operated, managed and maintained by the vendor.
• Threat hunting must be provided, including the facility to search for an
IOC/IOA (e.g., file hash, source/destination IP, registry key) across multiple
endpoints from the management console even if machines are not connected.
• …
Example
Sandbox techniques

• Dynamic analysis – observes files as they detonate in a
purpose-built, evasion-resistant virtual environment
• Static analysis – effective detection of malware and exploits
that complements dynamic analysis
• Machine learning – extracts thousands of unique features
from each file, training a predictive machine learning model to
identify new malware, which is not possible with static or
dynamic analysis alone
• Bare metal analysis – evasive threats are automatically sent
to a real hardware environment for detonation, entirely
removing an adversary's ability to deploy anti-VM analysis
techniques.
Machine learning

• Today every vendor claims to have implemented machine
learning
• supervised learning
• unsupervised learning
• Supervised learning prevails because it is based on the analysis
of huge amounts of structured data
• The challenge of false positive detections
Supervised machine learning
MITRE evaluation

• https://attackevals.mitre-engenuity.org/enterprise/wizard-spider-sandworm/
Conclusion

• Malware was, is and will be a serious threat
• Companies must invest in prevention, detection and forensics
• New and old solutions → a new generation of antivirus solutions
• MITRE evaluation
• Advanced functionality
• Machine learning
• Automatic malware analysis in a sandbox environment
