d2 - tareq saade - a perspective of the middle eastern malware landscape

Retrieved 8/8/2019 from http://slidepdf.com/reader/full/d2-tareq-saade-a-perspective-of-the-middle-eastern-malware-landscape (36 slides)


Page 1: Title

A Perspective of the Middle Eastern Malware Landscape
Tareq Saade, Microsoft Security Research & Response
Hack In The Box ‘07

Page 2: Intro

Tareq Saade, Program Manager, Microsoft Security Research & Response
• Designs tools & technologies for malware analysis & response
• Member of the Windows Defender product group

Recreational malware reverse engineer
• Particularly IRC-related threats
• Involved with various informal groups & task forces

[email protected]

Page 3: Agenda

• The scene: agenda, terminology, background
• The cast: technologies
• The back story: how data is collected
• The data: telemetry & analysis
• The finale: conclusion + Q&A

Page 4: Terms & Technologies

• Gulf Cooperation Community (GCC): Saudi Arabia, UAE, Kuwait, Qatar, Bahrain & Oman
• Geographic ID (GeoID): OS regional identifier defined by customers
• Locale ID (LocID): OS language locale; useful for highly targeted data sets; most people run US-EN
• Microsoft Windows Malicious Software Removal Tool (MSRT/MRT)
• Microsoft SpyNet: the Windows Defender component responsible for collecting telemetry
• ‘Removals’: reports sent back by clients indicating that a particular threat or piece of unwanted software has been removed from the system. This is not the same as a ‘detection’, which indicates the presence of said software.

Page 5: Malware Spectrum

Harmless -> Potentially Unwanted -> Malicious
• Potentially unwanted: adware, spyware, monitoring software, remote control software
• Malicious: viruses, worms, trojans, rootkits, bots

Page 6: Malware Spectrum (cont.)

Products placed along the Harmless -> Potentially Unwanted -> Malicious spectrum:
• Windows Live OneCare
• Microsoft Forefront Client Security
• Windows Live OneCare safety scanner
• Windows Defender
• Windows Malicious Software Removal Tool

Page 7: Products & Technologies

Product Name | Main Customer Segment | Malicious Software | Spyware and Potentially Unwanted Software | Available at No Additional Charge | Main Distribution Methods
Windows Malicious Software Removal Tool | Consumers (Businesses: partial) | Scan and remove | - | Yes | WU / AU, Download Center
Windows Defender | Consumers | - | Scan and remove; real-time protection | Yes | Download Center
Windows Live OneCare Safety Scanner | Consumers | Scan and remove | Scan and remove | Yes | Web
Windows Live OneCare | Consumers | Scan and remove; real-time protection | Scan and remove; real-time protection | No | Web / store purchase
Microsoft Forefront Client Security | Businesses | Scan and remove; real-time protection | Scan and remove; real-time protection | No | Web / store purchase

Page 8: Windows Defender

Page 9: Windows Defender Reporting

Reports are sent when:
• An unknown file triggers some ‘suspicious’ trigger, such as writing itself to a system startup location
• A known bad file is detected on disk
• A known bad file is detected in memory

Two member tiers: Basic and Advanced (and ‘off’)

Page 10: Malicious Software Removal Tool

Page 11: Malicious Software Removal Tool Reporting

Reports are sent when:
• A threat is detected
• A threat is removed

Page 12: MRT Usage

• Deployed monthly via Windows Update / Automatic Updates since January 2005
• Available in 24 languages
• 5+ billion executions, 300 million unique computers
• Detection for 80+ malware families, 135k+ different variants
• Mostly targets client / consumer threats
• 300+ million downloads per month

Page 13: Telemetry Collection Summary

• All telemetry reporting requires some form of user opt-in
• Read the EULA / Privacy Policy
• Data used strictly by analysts to help make determinations about software: global outbreak? Localized outbreak?
• ‘Controlling Communication with the Internet’ for Vista & XP SP2

Page 14: Anti-Malware Lifecycle

Malware Collection -> Analysis and Signature Creation -> Signature Testing and Deployment -> Telemetry Collection -> (back to Malware Collection)

Page 15: SpyNet Spyware Telemetry

Page 16: Windows Defender Top Removals – January 2007

Worldwide: Zlob, NewDotNet, Renos, Zango.SearchAssistant, ClickSpring.PuritySCAN, CometSystems, WhenU.SaveNow, Starware, Hotbar, TVMediaDisplay

GCC: Zlob, Starware, WhenU.SaveNow, NewDotNet, Zango.SearchAssistant, BearShare, KaZaA, Hotbar, C2.Lop, CometSystems

Page 17: Windows Defender Removals – January 2007

Chart: SpyNet 01/07 common sample, GCC vs. Worldwide (y-axis 0 to 25). *Based on reports.

Page 18: Windows Defender GCC Top 11 (Reports) – Nov ’06 - Feb ’07

Family | GCC Ignore | GCC Quarantine | GCC Remove | Worldwide Ignore | Worldwide Quarantine | Worldwide Remove
Zlob | 25.55% | 1.03% | 73.42% | 22.98% | 0.73% | 76.29%
NewDotNet | 33.38% | 1.54% | 65.08% | 22.83% | 2.45% | 74.70%
WhenU.SaveNow | 44.90% | 10.80% | 44.30% | 46.19% | 12.33% | 41.47%
Starware | 61.25% | 12.40% | 26.36% | 64.60% | 11.50% | 23.88%
180Solutions.Zango.SearchAssistant | 56.79% | 6.41% | 36.80% | 57.12% | 10.91% | 31.95%
BearShare | 83.72% | 5.77% | 10.51% | 82.53% | 6.87% | 10.60%
KaZaA | 47.25% | 6.91% | 45.83% | 41.17% | 15.90% | 42.88%
RealVNC | 81.70% | 3.72% | 14.57% | 88.62% | 2.55% | 8.82%
C2.Lop | 22.98% | 0.84% | 76.17% | 15.77% | 4.19% | 80.01%
Altnet | 58.02% | 8.45% | 33.53% | 44.98% | 17.24% | 37.76%
CnsMin | 94.10% | 0.17% | 5.73% | 37.40% | 1.64% | 60.96%

*Based on reports
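The slices the deck builds from SpyNet reports (Page 4's removal-versus-detection distinction, Page 16's top-removals lists, and the per-family Ignore/Quarantine/Remove shares above, cut by GeoID region or by LocID language) can be reproduced from a flat report stream. The following is an added example, not code from the talk or from Microsoft; the report field layout and the sample records are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed SpyNet-style client reports (sample data, not real telemetry).
# Hypothetical field layout: OS GeoID (region), LocID (language locale),
# threat family, and the event the client sent. A "detection" reports that
# the software was present; an action report ("Ignore", "Quarantine",
# "Remove") reports what was done about it, so only "Remove" is a removal.
REPORTS = [
    ("SA", "ar-SA", "Zlob", "detection"), ("SA", "ar-SA", "Zlob", "Remove"),
    ("SA", "ar-SA", "Zlob", "detection"), ("SA", "ar-SA", "Zlob", "Remove"),
    ("AE", "en-US", "Zlob", "detection"), ("AE", "en-US", "Zlob", "Remove"),
    ("AE", "en-US", "Zlob", "detection"), ("AE", "en-US", "Zlob", "Ignore"),
    ("SA", "ar-SA", "CnsMin", "detection"), ("SA", "ar-SA", "CnsMin", "Ignore"),
    ("SA", "ar-SA", "CnsMin", "Ignore"), ("AE", "en-US", "CnsMin", "Ignore"),
    ("AE", "en-US", "CnsMin", "Remove"),
    ("US", "en-US", "Zlob", "detection"), ("US", "en-US", "Zlob", "Remove"),
    ("US", "en-US", "Zlob", "detection"), ("US", "en-US", "Zlob", "Remove"),
    ("US", "en-US", "CnsMin", "Remove"), ("US", "en-US", "CnsMin", "Remove"),
    ("US", "en-US", "CnsMin", "Remove"), ("US", "en-US", "CnsMin", "Ignore"),
    ("JP", "ja-JP", "Zlob", "Quarantine"),
    ("EG", "ar-EG", "Zlob", "detection"), ("EG", "ar-EG", "Zlob", "Remove"),
]

# GCC GeoIDs: Saudi Arabia, UAE, Kuwait, Qatar, Bahrain, Oman
GCC = {"SA", "AE", "KW", "QA", "BH", "OM"}
ACTIONS = ("Ignore", "Quarantine", "Remove")


def select(reports, geoids=None, lang=None):
    """Slice reports by a GeoID set (e.g. GCC) and/or LocID language (e.g. "ar")."""
    for geoid, locid, family, event in reports:
        if geoids is not None and geoid not in geoids:
            continue
        if lang is not None and locid.split("-")[0] != lang:
            continue
        yield family, event


def action_shares(reports, geoids=None, lang=None):
    """Per-family Ignore/Quarantine/Remove percentages, as in the GCC vs
    Worldwide table. Bare detections are excluded: a detection says the
    software was present, not what the user did about it."""
    counts = defaultdict(Counter)
    for family, event in select(reports, geoids, lang):
        if event in ACTIONS:
            counts[family][event] += 1
    return {fam: {a: round(100.0 * c[a] / sum(c.values()), 2) for a in ACTIONS}
            for fam, c in counts.items()}


def detections_and_removals(reports, geoids=None, lang=None):
    """Per-family (detections, removals), kept as separate counters so a
    presence report is never mistaken for a removal."""
    out = defaultdict(lambda: [0, 0])
    for family, event in select(reports, geoids, lang):
        if event == "detection":
            out[family][0] += 1
        elif event == "Remove":
            out[family][1] += 1
    return {fam: tuple(v) for fam, v in out.items()}


def top_removals(reports, geoids=None, lang=None, n=10):
    """Families ranked by removal count, the basis of the 'Top Removals' slides."""
    by_family = detections_and_removals(reports, geoids, lang)
    ranked = sorted(by_family.items(), key=lambda kv: (-kv[1][1], kv[0]))
    return [(fam, removals) for fam, (_det, removals) in ranked[:n]]


if __name__ == "__main__":
    for label, geo in (("GCC", GCC), ("Worldwide", None)):
        print(label, action_shares(REPORTS, geo), top_removals(REPORTS, geo))
    print("Arabic locales", action_shares(REPORTS, lang="ar"))
```

Slicing by GeoID and by LocID language gives different populations (Egypt is an Arabic locale but not GCC; an English-locale machine in the UAE is GCC but not Arabic), which is why the MSRT slides that follow are cut by locale while the Windows Defender slides are cut by region.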

Page 19: MSRT Telemetry

Page 20: MSRT Top 10 Removals (Nov ’06 - Feb ’07)

Worldwide: Brontok*, Zlob, Jeefo, Rbot, Parite, Hupigon, Wukill*, Banker, Alcan, Tibs*

Arabic Locale: Brontok*, Wukill*, Jeefo, Mywife*, Parite, Zlob, Rbot, Tibs*, Gael, Sinowal

Page 21: MSRT: Top Threats, All Arabic Locales

Chart: share of removals by month (Nov, Dec, Jan, Feb; y-axis 0% to 14%) for Win32/Wukill, Win32/Jeefo, Win32/Mywife, Win32/Parite, Win32/Zlob, Win32/Rbot, Win32/Tibs, Win32/Gael, Win32/Sinowal, Win32/Sdbot.

Page 22: MSRT: Top Threats, All Arabic Locales (with Brontok)

Chart: share of removals by month (Nov, Dec, Jan, Feb; y-axis 0% to 70%) for Win32/Brontok, Win32/Wukill, Win32/Jeefo, Win32/Mywife, Win32/Parite, Win32/Zlob, Win32/Rbot, Win32/Tibs, Win32/Gael, Win32/Sinowal, Win32/Sdbot.

Page 23: MSRT Top Threats, Arabic/Global Comparison

Top Threats (Ar), 11/06-2/07: Brontok 61%, Wukill 13%, Jeefo 10%, Mywife 4%, Parite 3%, Zlob 2%, Rbot 2%, Tibs 1%, Other 4%

Top Threats (Global), 11/06-2/07: Brontok 13%, Zlob 11%, Jeefo 11%, Rbot 10%, Parite 9%, Hupigon 7%, Wukill 6%, Banker 4%, Alcan 4%, Tibs 3%, Other 22%

Page 24: MSRT: Top Threats (Ar), by month

Top Threats (Ar), 11/06-2/07 overall: Brontok 61%, Wukill 13%, Jeefo 10%, Mywife 4%, Parite 3%, Zlob 2%, Rbot 2%, Tibs 1%, Gael 0%, Other 4%

Monthly breakdowns (11/06, 12/06, 1/07, 2/07; the extraction does not preserve which chart belongs to which month), in extracted order:
• Brontok 61%, Wukill 13%, Jeefo 9%, Mywife 5%, Zlob 4%, Other 8%
• Brontok 59%, Wukill 12%, Jeefo 10%, Mywife 4%, Parite 4%, Other 11%
• Brontok 60%, Wukill 13%, Jeefo 10%, Mywife 5%, Parite 3%, Other 9%
• Brontok 66%, Wukill 12%, Jeefo 9%, Mywife 4%, Parite 2%, Other 7%

Page 25: What is Win32/Brontok?

• Mass-mailing worm
• Indonesian e-mail
• Includes an attachment containing malware
• People still open random attachments?!?!?!?
• Carries out ping flood against several websites

Page 26: Exploit vs. Social Engineering Overview

Exploit: Win32/Sasser.B
• Discovered May 1, 2004
• Exploited vulnerability present in Windows 2000, Windows XP
• 450,000 disinfections in first 7 days

Social Engineering: Win32/Netsky.P
• Discovered March 21, 2004
• Multi-vector social engineering: e-mail, peer-to-peer
• <450,000 disinfections in first 7 days

Page 27: What is Zotob?

• IRC bot
• Bot herders based in Turkey & Morocco
• Exploits MS05-039 (PnP vulnerability)
• Aug 9: Microsoft advisory
• Aug 13: Zotob first detected
• Aug 26: Moroccan and Turkish police make arrests

Page 28: Mitigation: It’s not all bad news…

Chart: Monthly MSRT Executions by month (y-axis 0 to 350,000,000).

Page 29: Mitigation (cont.): It’s not all bad news…

Microsoft
• Security engineering
• Automatic updates
• ISA Firewall
• Data Execution Prevention (DEP)
• Stack protection
• System / service hardening
• Anti-malware tools & technologies

Security ISVs
• Intrusion prevention / detection
• Enhanced antimalware response times

User education
• Usage of security products
• Accelerated patch adoption

Page 30: Conclusions

• Global aggregates generalize into virtually all locales with sufficient data
• Dynamics of individual threats vary depending on the threat itself
• Targeted threats exist (ex. Brontok); more granularly targeted threats exist (ex. Antinny); even more granularly targeted threats are perceivable (ex. ‘spearphishing’ applied to malware propagation)
• Education & awareness are key components of online safety, particularly in countries with developing internet infrastructure
• Anti-malware scanners are an absolute necessity in today's networked environment

Page 31: Q&A

Page 32: Closing

Tareq Saade, Microsoft Security Research & Response
Hack In The Box ‘07

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 33: Reference

Page 34: Resources

• Microsoft Malware Removal Tool (MRT): http://www.microsoft.com/security/malwareremove/default.mspx
• Windows Defender: http://www.microsoft.com/athome/security/spyware/software/default.mspx
• Windows Live Safety Scanner: http://onecare.live.com/scan
• Microsoft Forefront Client Security: http://www.microsoft.com/forefront/clientsecurity/default.mspx
• Windows Live OneCare: http://onecare.live.com
• Anti-Malware Engineering Team Blog: http://blogs.technet.com/antimalware/

Page 35: Papers

• Using Windows Vista or Using Windows XP with Service Pack 2: Controlling Communication with the Internet: http://www.microsoft.com/downloads/details.aspx?FamilyID=e6a35441-918f-4022-b973-e7fc0d1d2917&DisplayLang=en
• Defeating Polymorphism: Beyond Emulation: http://go.microsoft.com/fwlink/?LinkId=57019
• Win32/Blaster: A Case Study From Microsoft's Perspective: http://go.microsoft.com/fwlink/?LinkId=57018
• Behavioral Classification: http://www.microsoft.com/downloads/details.aspx?FamilyID=7b5d8cc8-b336-4091-abb5-2cc500a6c41a&DisplayLang=en
• Windows Malicious Software Removal Tool: Progress Made, Trends Observed: http://go.microsoft.com/fwlink/?linkid=67998
• Microsoft Security Intelligence Report (H106): http://www.microsoft.com/downloads/details.aspx?FamilyID=1c443104-5b3f-4c3a-868e-36a553fe2a02&DisplayLang=en
• I Know What You Did Last Logon: http://www.microsoft.com/downloads/details.aspx?FamilyID=0b6321d4-0e65-4133-85e7-44e666cc245a&displaylang=en
• Behavioral Modeling of Social Engineering-Based Malicious Software: http://www.microsoft.com/downloads/details.aspx?FamilyID=e0f27260-58da-40db-8785-689cf6a05c73&displaylang=en
• An Automated Virus Classification System: http://www.microsoft.com/downloads/details.aspx?FamilyId=D61708BD-EF96-4A53-A8F8-8A1F00C79747&displaylang=en

Page 36: What is Win32/Antinny?

• Worm that spreads over the Winny p2p system (Winny is a Japanese p2p client)
• No localized builds of Winny, so a very localized threat
• Copies random files on an infected host into the Winny shared folder
• Identified as a localized outbreak and integrated into MRT
• Lots of positive press over working with the Japanese community to remove Antinny:
  http://www.microsoft.com/japan/presspass/detail.aspx?newsid=2434
  http://www.msnbc.msn.com/id/13283771/