d2 - tareq saade - a perspective of the middle eastern malware landscape
TRANSCRIPT
8/8/2019 D2 - Tareq Saade - A Perspective of the Middle Eastern Malware Landscape
http://slidepdf.com/reader/full/d2-tareq-saade-a-perspective-of-the-middle-eastern-malware-landscape 1/36
A PERSPECTIVE OF THE MIDDLE EASTERN MALWARE LANDSCAPE
Tareq Saade
Microsoft Security Research & Response
Hack In The Box ‘07
Intro
Tareq Saade, Program Manager, Microsoft Security Research & Response
• Design tools & technologies for malware analysis & response
• Member of the Windows Defender product group
Recreational Malware Reverse Engineer
• Particularly IRC-related threats
• Involved with various informal groups & task forces
Agenda
The scene: agenda, terminology, background
The cast: technologies
The back story: how data is collected
The data: telemetry & analysis
The finale: conclusion + Q&A
Terms & Technologies
Gulf Cooperation Community (GCC): Saudi Arabia, UAE, Kuwait, Qatar, Bahrain & Oman
Geographic ID (GeoID): OS regional identifier defined by customers
Locale ID (LocID): OS language locale
• Useful for highly targeted data sets
• Most people run US-EN
Microsoft Windows Malicious Software Removal Tool (MSRT/MRT)
Microsoft SpyNet: the Windows Defender component responsible for collecting telemetry
‘Removals’: reports sent back by clients indicating that a particular threat or piece of unwanted software has been removed from the system. This is not the same as a ‘detection’, which indicates the presence of said software.
Malware Spectrum
Harmless → Potentially Unwanted → Malicious
• Potentially unwanted: adware, spyware, monitoring software, remote control software
• Malicious: viruses, worms, trojans, rootkits, bots
Malware Spectrum (cont.)
Harmless → Potentially Unwanted → Malicious
Products positioned along the spectrum:
• Windows Live OneCare
• Microsoft Forefront Client Security
• Windows Live OneCare safety scanner
• Windows Defender
• Windows Malicious Software Removal Tool
Products & Technologies

Columns: Main Customer Segment (Consumers / Businesses); Malicious Software (Scan and Remove / Real-Time Protection); Spyware and Potentially Unwanted Software (Scan and Remove / Real-Time Protection); Available at No Additional Charge; Main Distribution Methods

Product Name                             | Consumers | Businesses | Malicious: Scan and Remove | Malicious: Real-Time | PUS: Scan and Remove | PUS: Real-Time | No Additional Charge | Main Distribution Methods
Windows Malicious Software Removal Tool  |     •     |            |          Partial           |                      |                      |                |          •           | WU / AU, Download Center
Windows Defender                         |     •     |            |                            |                      |          •           |       •        |          •           | Download Center
Windows Live OneCare Safety Scanner      |     •     |            |             •              |                      |          •           |                |          •           | Web
Windows Live OneCare                     |     •     |            |             •              |          •           |          •           |       •        |                      | Web / store purchase
Microsoft Forefront Client Security      |           |     •      |             •              |          •           |          •           |       •        |                      | Web / store purchase
Windows Defender
Windows Defender Reporting
Reports are sent when:
• An unknown file triggers some ‘suspicious’ trigger such as writing itself to a system startup location
• A known bad file is detected on disk
• A known bad file is detected in memory
Two member tiers: Basic, Advanced (and ‘off’)
Malicious Software Removal Tool
Malicious Software Removal Tool Reporting
Reports are sent when:
• A threat is detected
• A threat is removed
MRT Usage
• Deployed monthly via Windows Update / Automatic Updates since January 2005
• Available in 24 languages
• 5+ billion executions, 300 million unique computers
• Detection for 80+ malware families, 135k+ different variants
• Mostly targets client / consumer threats
• 300+ million downloads per month
Telemetry Collection Summary
• All telemetry reporting requires some form of user opt-in
• Read the EULA / Privacy Policy
• Data used strictly by analysts to help make determinations about software
• Global outbreak? Localized outbreak?
• ‘Controlling Communication with the Internet’ for Vista & XP SP2
Anti-Malware Lifecycle
Malware Collection → Analysis and Signature Creation → Signature Testing and Deployment → Telemetry Collection
SpyNet Spyware Telemetry
Windows Defender Top Removals – January 2007
Worldwide: Zlob, NewDotNet, Renos, Zango SearchAssistant, ClickSpring.PuritySCAN, CometSystems, WhenU.SaveNow, Starware, Hotbar, TVMediaDisplay
GCC: Zlob, Starware, WhenU.SaveNow, NewDotNet, Zango SearchAssistant, BearShare, KaZaA, Hotbar, C2.Lop, CometSystems
Windows Defender Removals – January 2007
[Chart: SpyNet 01/07 common sample, GCC / Worldwide removals per threat, scale 0–25]
*Based on reports
Windows Defender GCC Top 11 (Reports) – Nov’06 - Feb’07
GCC Worldwide
Ignore Quarantine Remove Ignore Quarantine Remove
Zlob 25.55% 1.03% 73.42% 22.98% 0.73% 76.29%
NewDotNet 33.38% 1.54% 65.08% 22.83% 2.45% 74.70%
WhenU.SaveNow 44.90% 10.80% 44.30% 46.19% 12.33% 41.47%
Starware 61.25% 12.40% 26.36% 64.60% 11.50% 23.88%
180Solutions.Zango.SearchAssistant 56.79% 6.41% 36.80% 57.12% 10.91% 31.95%
BearShare 83.72% 5.77% 10.51% 82.53% 6.87% 10.60%
KaZaA 47.25% 6.91% 45.83% 41.17% 15.90% 42.88%
RealVNC 81.70% 3.72% 14.57% 88.62% 2.55% 8.82%
C2.Lop 22.98% 0.84% 76.17% 15.77% 4.19% 80.01%
Altnet 58.02% 8.45% 33.53% 44.98% 17.24% 37.76%
CnsMin 94.10% 0.17% 5.73% 37.40% 1.64% 60.96%
*Based on reports
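To make the Ignore / Quarantine / Remove comparison above reproducible, here is an added Python example (not from the talk and not Microsoft code): it tallies constructed report counts per GeoID, prints the locale and worldwide action split side by side, and flags threats whose GCC split diverges from the worldwide one, skipping threats with too few local reports, which is the "sufficient data" caveat the conclusions draw. The geo labels, threat counts and thresholds are constructed assumptions, not SpyNet figures.

```python
from collections import Counter, defaultdict
ACTIONS = ("Ignore", "Quarantine", "Remove")

# Constructed sample, not SpyNet data: (GeoID, threat, user action, report count).
# "GCC" is the locale under study; "OTHER" stands in for the rest of the world.
COUNTS = [
    ("GCC", "Zlob", "Ignore", 26), ("GCC", "Zlob", "Quarantine", 1), ("GCC", "Zlob", "Remove", 73),
    ("OTHER", "Zlob", "Ignore", 220), ("OTHER", "Zlob", "Quarantine", 10), ("OTHER", "Zlob", "Remove", 770),
    ("GCC", "CnsMin", "Ignore", 94), ("GCC", "CnsMin", "Remove", 6),
    ("OTHER", "CnsMin", "Ignore", 300), ("OTHER", "CnsMin", "Quarantine", 20), ("OTHER", "CnsMin", "Remove", 680),
    ("GCC", "Altnet", "Ignore", 3), ("GCC", "Altnet", "Remove", 1),
    ("OTHER", "Altnet", "Ignore", 45), ("OTHER", "Altnet", "Quarantine", 17), ("OTHER", "Altnet", "Remove", 38),
]

def tally(counts, geo=None):
    """Sum report counts per threat and action; geo=None means worldwide."""
    per_threat = defaultdict(Counter)
    for g, threat, action, n in counts:
        if geo is None or g == geo:
            per_threat[threat][action] += n
    return per_threat

def shares(counts, geo=None):
    """Fraction of reports per action for each threat (the table's columns)."""
    return {threat: {a: c[a] / sum(c.values()) for a in ACTIONS}
            for threat, c in tally(counts, geo).items()}

def divergent_threats(counts, geo, threshold=0.20, min_reports=50):
    """Threats whose action split in `geo` differs from the worldwide split by
    more than `threshold` in some column. Threats with fewer than `min_reports`
    local reports are skipped: a tiny sample says little about the locale."""
    local_counts = tally(counts, geo)
    local, world = shares(counts, geo), shares(counts)
    flagged = {}
    for threat, dist in local.items():
        if sum(local_counts[threat].values()) < min_reports:
            continue
        delta = max(abs(dist[a] - world[threat][a]) for a in ACTIONS)
        if delta > threshold:
            flagged[threat] = round(delta, 3)
    return flagged

def print_table(counts, geo):
    """Locale and worldwide percentages side by side, one row per threat."""
    local, world = shares(counts, geo), shares(counts)
    print(f"{'Threat':<12}" + "".join(f"{geo + ' ' + a:>16}" for a in ACTIONS)
          + "".join(f"{'World ' + a:>18}" for a in ACTIONS))
    for threat in local:
        cells = [f"{local[threat][a]:>16.2%}" for a in ACTIONS]
        cells += [f"{world[threat][a]:>18.2%}" for a in ACTIONS]
        print(f"{threat:<12}" + "".join(cells))

if __name__ == "__main__":
    print_table(COUNTS, "GCC")
    print("Diverging from worldwide:", divergent_threats(COUNTS, "GCC"))
```

With the constructed counts, CnsMin is flagged (94% Ignore locally against about 36% worldwide) while Zlob is not, and Altnet is only flagged once `min_reports` is lowered, which is the point: a locale's numbers are only comparable to the global aggregate when the local sample is large enough.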
MSRT Telemetry
MSRT Top 10 Removals (Nov’06 - Feb’07)
Worldwide: Brontok*, Zlob, Jeefo, Rbot, Parite, Hupigon, Wukill*, Banker, Alcan, Tibs*
Arabic Locale: Brontok*, Wukill*, Jeefo, Mywife*, Parite, Zlob, Rbot, Tibs*, Gael, Sinowal
MSRT: Top Threats, All Arabic Locales
[Chart: monthly share Nov–Feb, scale 0–14%; series Win32/Wukill, Win32/Jeefo, Win32/Mywife, Win32/Parite, Win32/Zlob, Win32/Rbot, Win32/Tibs, Win32/Gael, Win32/Sinowal, Win32/Sdbot]
MSRT: Top Threats, All Arabic Locales
[Chart: monthly share Nov–Feb, scale 0–70%; series Win32/Brontok, Win32/Wukill, Win32/Jeefo, Win32/Mywife, Win32/Parite, Win32/Zlob, Win32/Rbot, Win32/Tibs, Win32/Gael, Win32/Sinowal, Win32/Sdbot]
MSRT Top Threats: Arabic/Global Comparison
Top Threats (Ar) 11/06-2/07: Brontok 61%, Wukill 13%, Jeefo 10%, Mywife 4%, Parite 3%, Zlob 2%, Rbot 2%, Tibs 1%, Other 4%
Top Threats (Global) 11/06-2/07: Brontok 13%, Zlob 11%, Jeefo 11%, Rbot 10%, Parite 9%, Hupigon 7%, Wukill 6%, Banker 4%, Alcan 4%, Tibs 3%, Other 22%
MSRT: Top Threats (Ar)
Top Threats (Ar) 11/06-2/07: Brontok 61%, Wukill 13%, Jeefo 10%, Mywife 4%, Parite 3%, Zlob 2%, Rbot 2%, Tibs 1%, Gael 0%, Other 4%
Monthly breakdowns (the four pies cover 11/06, 12/06, 1/07 and 2/07; listed in extracted order):
• Brontok 61%, Wukill 13%, Jeefo 9%, Mywife 5%, Zlob 4%, Other 8%
• Brontok 59%, Wukill 12%, Jeefo 10%, Mywife 4%, Parite 4%, Other 11%
• Brontok 60%, Wukill 13%, Jeefo 10%, Mywife 5%, Parite 3%, Other 9%
• Brontok 66%, Wukill 12%, Jeefo 9%, Mywife 4%, Parite 2%, Other 7%
What is Win32/Brontok?
• Mass mailing worm
• Indonesian e-mail
• Includes an attachment containing malware
• People still open random attachments?!?!?!?
• Carries out ping flood against several websites
Exploit vs. Social Engineering Overview
Exploit: Win32/Sasser.B
• Discovered May 1, 2004
• Exploited vulnerability present in Windows 2000, Windows XP
• 450,000 disinfections in first 7 days
Social Engineering: Win32/Netsky.P
• Discovered March 21, 2004
• Multi-vector social engineering: e-mail, peer-to-peer
• <450,000 disinfections in first 7 days
What is Zotob?
• IRC Bot
• Bot herders based in Turkey & Morocco
• Exploits MS05-039 (PnP Vuln)
• Aug 9 – Microsoft Advisory
• Aug 13 – Zotob first detected
• Aug 26 – Moroccan and Turkish police make arrests
Mitigation: It’s not all bad news…
[Chart: Monthly MSRT Executions by month, scale 0–350,000,000]
Mitigation (cont.): It’s not all bad news…
Microsoft
• Security engineering
• Automatic updates
• ISA Firewall
• Data Execution Prevention (DEP)
• Stack protection
• System / service hardening
• Anti-malware tools & technologies
Security ISVs
• Intrusion prevention / detection
• Enhanced antimalware response times
User education
• Usage of security products
• Accelerated patch adoption
Conclusions
• Global aggregates generalize into virtually all locales with sufficient data
• Dynamics of individual threats vary depending on the threat itself
• Targeted threats exist (ex. Brontok)
• More granularly targeted threats exist (ex. Antinny)
• Even more granularly targeted threats are perceivable (ex. ‘spearphishing’ applied to malware propagation)
• Education & awareness are key components to online safety, particularly in countries with developing internet infrastructure
• Anti-malware scanners are an absolute necessity in today's networked environment
Q&A
Tareq Saade
Microsoft Security Research & Response
Hack In The Box ‘07
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not
be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Reference
Resources
Microsoft Malware Removal Tool (MRT): http://www.microsoft.com/security/malwareremove/default.mspx
Windows Defender: http://www.microsoft.com/athome/security/spyware/software/default.mspx
Windows Live Safety Scanner: http://onecare.live.com/scan
Microsoft Forefront Client Security: http://www.microsoft.com/forefront/clientsecurity/default.mspx
Windows Live OneCare: http://onecare.live.com
Anti-Malware Engineering Team Blog: http://blogs.technet.com/antimalware/
Papers
Using Windows Vista or Using Windows XP with Service Pack 2: Controlling Communication with the Internet: http://www.microsoft.com/downloads/details.aspx?FamilyID=e6a35441-918f-4022-b973-e7fc0d1d2917&DisplayLang=en
Defeating Polymorphism: Beyond Emulation: http://go.microsoft.com/fwlink/?LinkId=57019
Win32/Blaster: A Case Study From Microsoft's Perspective: http://go.microsoft.com/fwlink/?LinkId=57018
Behavioral Classification: http://www.microsoft.com/downloads/details.aspx?FamilyID=7b5d8cc8-b336-4091-abb5-2cc500a6c41a&DisplayLang=en
Windows Malicious Software Removal Tool: Progress Made, Trends Observed: http://go.microsoft.com/fwlink/?linkid=67998
Microsoft Security Intelligence Report (H106): http://www.microsoft.com/downloads/details.aspx?FamilyID=1c443104-5b3f-4c3a-868e-36a553fe2a02&DisplayLang=en
I Know What You Did Last Logon: http://www.microsoft.com/downloads/details.aspx?FamilyID=0b6321d4-0e65-4133-85e7-44e666cc245a&displaylang=en
Behavioral Modeling of Social Engineering-Based Malicious Software: http://www.microsoft.com/downloads/details.aspx?FamilyID=e0f27260-58da-40db-8785-689cf6a05c73&displaylang=en
An Automated Virus Classification System: http://www.microsoft.com/downloads/details.aspx?FamilyId=D61708BD-EF96-4A53-A8F8-8A1F00C79747&displaylang=en
What is Win32/Antinny?
• Worm that spreads over the Winny p2p system
• Winny is a Japanese p2p client
• No localized builds of Winny
• Very localized threat
• Copies random files on an infected host into the Winny shared folder
• Identified as a localized outbreak and integrated into MRT
• Lots of positive press over working with the Japanese community to remove Antinny:
http://www.microsoft.com/japan/presspass/detail.aspx?newsid=2434
http://www.msnbc.msn.com/id/13283771/