1 ©2014 check point software technologies ltd. modern threats and malware kierk sanderlin regional...

1©2014 Check Point Software Technologies Ltd.

Modern Threats and Malware

Kierk Sanderlin

Regional Engineering Manager

2©2014 Check Point Software Technologies Ltd. 2©2014 Check Point Software Technologies Ltd.

We are surrounded by buzzwords

but what do they all mean?


A Little History


Behind The Scenes

Who would write a virus?A

Why would they write it?B


Behind The Scenes

‘80s and ‘90s

Nerds

Show OffCause Damage

Who

Why


Examples

Ping Pong Videohttp://www.youtube.com/watch?v=yxHalzuPyi8

Cascade Videohttp://www.youtube.com/watch?v=z7g-v3d7-Gk

Other Celebrities:

CIHMelissa

ILOVEYOU

http://www.youtube.com/watch?v=yxHalzuPyi8

http://www.youtube.com/watch?v=yxHalzuPyi8

http://www.youtube.com/watch?v=z7g-v3d7-Gk

http://www.youtube.com/watch?v=z7g-v3d7-Gk


Behind the Scenes

‘80s and ‘90s 21st Century

NerdsCriminals

Nation-State

Steal MoneySteal Data

Show OffCause Damage

Who

Why

Cause Damage


Examples

Criminals Nation-State

• Zeus• Spy-Eye• ZeroAccess/Sirefef• Carberp• Cridex• [more to come]

• Stuxnet• Duqu• Flame• Gauss• Shamoon• APT1• [more to come]


One Ware to Rule Them All

Steal Damage

• Spyware • Ransomware

Harass

• Adware• Scareware• Fake AV

Generic Names

• Virus• Trojan• Worm• Malware

M A L W

A R E


• Someone else’s code running on your server without your permission or knowledge is bad

• Malware can change functionality, based on collected information

• Malware can download other malware

• Bot-herders rent out parts of their network

• Bot-herders can change their mind

Why Do That?


• Was trademarked by

• Describes the phases of an attack

• Has become an industry standard

• We’ll get back to this later…

Cyber Kill Chain™


Attack Scenario

Spearphishing1Malware-bearing Spam2Link-bearing Spam3Pirated Software4Drive-By Download5Infected Media6


Attack Scenario



Spearphishing1Phishing Example #1: Completely Generic


Spearphishing1


Spearphishing1Spearphishing

A Phishing email aimed at a particular victim. The email is crafted using information that the victim is most likely to respond to. Might contain actual actionable content.

• Examples:

• CV’s sent to HR personnel

• A business proposal based on the victim’s previous work

• A request for opinion, decision or help



Most of the times, the emailwill contain a malicious document. The document, in turn, contains an Exploit targeting a vulnerability, whether Disclosed or Undisclosed (also known as a 0-Day Vulnerability)



Most of the times, the emailwill contain a malicious document.

ActualContent



Most of the times, the emailwill contain a malicious document. The document, in turn, contains an Exploit targeting a vulnerability, whether Disclosed or Undisclosed (also known as a 0-Day Vulnerability),

Exploit

ActualContent



Most of the times, the emailwill contain a malicious document. The document, in turn, contains an Exploit targeting a vulnerability, whether Disclosed or Undisclosed (also known as a 0-Day Vulnerability), and aPayload,

Exploit

ActualContent

Payload



Most of the times, the emailwill contain a malicious document. The document, in turn, contains an Exploit targeting a vulnerability, whether Disclosed or Undisclosed (also known as a 0-Day Vulnerability), and aPayload, which installs aMalware on the computer.

Exploit

ActualContent

Payload

Malware


Attack Scenario

Spearphishing1

Link-bearing Spam3Pirated Software4Drive-By Download5Infected Media6

Malware-bearing Spam2


Malware-bearing Spam2


Malware-bearing Spam20-Day Vulnerability

When a vulnerability is published or disclosed, the days until it’s patched are counted. This is the age of the vulnerability. If the vulnerability was never disclosed, it is still unpatched. 0 days have passed since its disclosure.

An Exploit is a piece of code and data that takes advantage of an unpatched vulnerability, in order to gain Code Execution or Privilege Escalation.


Attack Scenario

Spearphishing1

Pirated Software4Drive-By Download5Infected Media6

Malware-bearing Spam2Link-bearing Spam3


Link-bearing Spam3


Link-bearing Spam3Exploit Kit

A collection of Exploits, usually Web-oriented, that are used to infect a computer through its browser or associated plugins. The exploits will usually target JavaScript, Java or Flash vulnerabilities.

An Exploit Kit is a good example for CaaS – Crime as a Service.


Attack Scenario

Spearphishing1

Drive-By Download5Infected Media6

Malware-bearing Spam2Link-bearing Spam3Pirated Software4


Pirated Software4


Pirated Software4Bundled Malware

A lot of today’s software is not free. If you don’t pay, you can’t use it properly. People try to bypass this protection by looking for a Cracked Copy of the software, or a KeyGen (Key Generator).

When you use cracked software, it is actually a modified software. You may think that the only change is the removal of the protection, but nothing prevents the attacker from including whatever additional functionality they desire.


Pirated Software4Bundled Malware

The same applies to KeyGens. They really do generate a valid serial number, but at the same time they install a malware in the background.

The most famous example is Android Apps. Hackers take a software that costs money, repackage it with malware and put it back on the store, under the same name, for free.


Attack Scenario

Spearphishing1

Infected Media6

Malware-bearing Spam2Link-bearing Spam3Pirated Software4Drive-By Download5


Drive-By Download5


Drive-By Download5Watering Hole Attack

Borrowed from the Wild Life world, it describes an attack on a website that attracts many visitors, just like the watering hole.

Instead of spending agreat deal of resourcesin order to attack manyvictims, the attackeronly has to attack onevictim – the popularwebsite.


Attack Scenario



Infected Media6


Back to the Cyber Kill Chain™

Code Execution

Privilege EscalationExploit Kit

SpamSpearphishing

Pirated Software

Bundled Malware

KeyGen

Cracked Software

Watering Hole Attack

Drive-By Download

0-Day Vulnerability

Payload

Malware


Alternate Topic

Advanced Persistent Threat

Another Pointless Term?

OR


Advanced Persistent Threat

Nation-State

Targeted Attack

0-Day Vulnerability

Unknown Tools

Spearphishing

Compromised PC


Random Attack

Hacker / Criminal

Wide Campaign

0-Day / Unpatched

New / Existing Tool

Spam / Drive-By

Compromised PC


Nation-State

Targeted Attack

Unknown Vulnerability

Unknown Tools

Spearphishing

Compromised PC

Hacker / Criminal

Wide Campaign

0-Day / Unpatched

New / Existing Tool

Spam / Drive-By

Compromised PC

Now Let’s Compare…


And…on October 21st, 2012


What it looks like…


Summary

“I’m not interesting, no one will attack me” and “It’s too complicated” are irrelevant responses.A


Summary


The balance is shifting from Prevention to Detection. B


Summary


The balance is shifting from Prevention to Detection. B

There is no silver bullet. You must have layered security covering all fronts.C

1 ©2014 check point software technologies ltd. modern threats and malware kierk sanderlin regional...

Documents

pirated software

generic slide

b slide

cause damage slide

little history slide

r e slide

cih melissa iloveyou

cyber kill chain slide