-
8/14/2019 Malware Fighting - Lucha contra el Ciber-crimen
Malware Fighting
Luis Corrons
PandaLabs Technical Director
-
Infection Sources
-
Infection Sources: Web, Spam, Social Networks
-
Infection Sources: Social Networks
-
Infection Sources: Spam
-
Infection Sources: Web
-
Infection Sources: Malware server
-
Infection Sources: MPack
-
Infection Sources: MPack
Tracking MPack for 2 months (April & May 2007):
41 different servers with MPack running
366,717 web pages iframed
More than 1 million users infected (1,217,741)
-
Infection Sources: Who is behind this?
-
Infection Sources: Yesterday's Bad Guys
Blaster.B: Jeffrey Lee Parson
Netsky / Sasser: Sven Jaschan
CIH: Chen Ing-Hau
29-A: Benny
-
Infection Sources: Today's Bad Guys
Jeremy Jaynes, Andrew Schwarmkoff, James Ancheta
Phishing, Spam
-
A Real Case
-
A Real Case: The Infected Team
MPack
Dream Downloader
Limbo
Total Investment: $1,500
-
The Infected Team: Let's do some maths
China, Korea, Japan: $0.01 * 70,300 = $703
Finland, Norway: $0.05 * 70,300 = $3,515
UK, France: $0.20 * 70,300 = $14,060
USA, Canada: $0.40 * 70,300 = $28,120
And the same numbers in 30 days:
China, Korea, Japan: $0.01 * 70,300 * 30 = $21,090
Finland, Norway: $0.05 * 70,300 * 30 = $105,450
UK, France: $0.20 * 70,300 * 30 = $421,800
USA, Canada: $0.40 * 70,300 * 30 = $843,600
-
The Infected Team: Who's paying the Infected Team?
Rogue AntiSpyware
-
The Business of Cybercrime: How's the money being handled?
-
Underground Shopping Cart
-
Underground Shopping Cart: Stolen Accounts
FTP accounts: US$1 per account
ICQ numbers: from US$1 to US$10 (depending on the ICQ number)
RapidShare premium accounts: 1 month - US$5; 3 months - US$12; 6 months - US$18; 1 year - US$28
Online Shop accounts (megashop.ru, bolero.ru, cup.ru, etc. ALL RUSSIAN): US$50 each
50MB of Limbo Trojan logs: US$30 (contains email accounts, bank account numbers, credit card numbers, etc. A percentage is guaranteed)
-
Underground Shopping Cart: Stolen Accounts, Credit Cards
VISA / MASTERCARD: 1 - 10 cards US$2 (per card); 10 - 100 cards US$1.5 (per card)
AMEX: 1 - 10 cards US$2.5 (per card); 10 - 100 cards US$2 (per card)
Passports: Black and white US$2; Color US$5
-
Underground Shopping Cart: Where to buy?
-
Malware figures
-
Malware figures: Malware Feeds
Diagram labels: Antimalware Companies, Online Services, Honeypots, Panda Users, Honeymonkeys, Malicious URLs, CERTs, Malware Repository, Collective Intelligence
-
Malware figures (Source: PandaLabs)
-
Malware figures: Malware samples received at PandaLabs (data up to December 2008)
-
Chart: Malware samples received at PandaLabs, 2003 to 2008 (data up to December 2008); about 20 M. in 2008; year-on-year growth labels shown: X10, X2, X2, X2
-
Chart: Malware samples received at PandaLabs, 2003 to 2008 plus Forecast 2009; 20 M. in 2008, 40 M. forecast for 2009; growth labels shown: X10, X2, X2, X2
-
Source: University of Michigan, 2008
There's a gap in detection of 1-month-old malware. This is the malware that causes 90% of the infections.
-
Collective Intelligence
-
Collective Intelligence: Multi-Scanners
Automagic detections: detection signatures are added based on what other reliable AV scanners detect.
Good for comparatives. No classification (verification). High false positives. Malware nomenclature.
Some cloud-scanning technologies work like this.
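As an added example (my code, not the talk's or PandaLabs' own), the following Python sketch contrasts the "automagic" rule (copy any other scanner's detection) with a consensus rule that only counts reliable engines and requires agreement on a normalised family name. It shows both problems the slide lists: a single noisy engine produces a false positive under the naive rule, and vendors naming the same family differently would split the vote unless nomenclature is normalised. Engine names, labels and the alias table are constructed for this example.

```python
from collections import Counter

# Constructed scan results: engine -> label returned for one file (None = clean).
# Engine names and labels are made up for this example.
SAMPLE_GENERIC_HIT = {
    "engine_a": None,
    "engine_b": None,
    "engine_c": None,
    "engine_x": "Suspicious.Generic",   # one noisy engine fires on an otherwise clean file
}
SAMPLE_BANKER = {
    "engine_a": "Trojan.Limbo",
    "engine_b": "Bankolimb",
    "engine_c": None,
    "engine_x": "Suspicious.Generic",
}

# Engines whose verdicts we are willing to copy ("reliable AV scanners" on the slide).
RELIABLE = {"engine_a", "engine_b", "engine_c"}

# Nomenclature map (constructed): vendors name one family in several ways, so votes
# are counted per normalised family rather than per raw label.
ALIASES = {"trojan.limbo": "limbo", "bankolimb": "limbo", "bancolimb": "limbo"}


def naive_verdict(scan_results):
    """The 'automagic' rule: flag the file if any engine at all flags it."""
    return any(label for label in scan_results.values())


def consensus_verdict(scan_results, reliable=RELIABLE, min_votes=2, aliases=ALIASES):
    """Flag only when at least `min_votes` reliable engines agree on one family.
    Returns (is_malware, family_or_None)."""
    votes = Counter()
    for engine, label in scan_results.items():
        if engine in reliable and label:
            raw = label.lower()
            votes[aliases.get(raw, raw)] += 1
    if not votes:
        return (False, None)
    family, count = votes.most_common(1)[0]
    if count < min_votes:
        return (False, None)
    return (True, family)
```

The constructed banker sample is flagged by two reliable engines under two names; without the alias table each name would get one vote and the file would stay below the threshold, which is the nomenclature problem the slide mentions.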
-
Collective Intelligence: analysis and classification process
Static Analysis Process: deep static analysis; collective data mining and statistical analysis; other technologies
Dynamic Analysis Process: automation; emulation and virtualization
Analysis Process; Classification Process: classifiers, classification, meta-classifier
-
Collective Intelligence: Synapsis
Rule-based malware family ID: identification of malware families based on rules.
A rule consists of binary and/or text strings and a logic expression relating them to each other.
Traditional logical operators (and, or, not), arithmetical (+, -, *, /) and comparison operators (==).
File properties: size, characteristics of the sections, functions that it exports or imports, and all the data of the header.
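Added example (my code, not Synapsis or any PandaLabs tool): a minimal rule evaluator of the kind the slide describes. A rule names binary or text strings and a condition that combines string hits, file size and header properties with logical, arithmetic and comparison operators. The condition is parsed with Python's `ast` module and walked by a whitelist evaluator, so a rule file cannot execute arbitrary Python. The hex pattern syntax, the `$name` string references, the property names (`sections`, `imports`, `exports`) and the sample file bytes are all constructed for this example.

```python
import ast
import operator as op
import re


class RuleError(ValueError):
    """Raised when a condition uses syntax the evaluator does not allow."""


# Operators the condition language allows: logical, arithmetic, comparison.
_BIN_OPS = {ast.Add: op.add, ast.Sub: op.sub, ast.Mult: op.mul, ast.Div: op.truediv}
_CMP_OPS = {ast.Eq: op.eq, ast.NotEq: op.ne, ast.Lt: op.lt, ast.LtE: op.le,
            ast.Gt: op.gt, ast.GtE: op.ge}


def _parse_pattern(spec):
    """Turn a rule string spec into a compiled regex over raw bytes.
    Hex specs look like "{ 4D 5A ?? 00 }" (?? = any byte); anything else is a literal text string."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                 for tok in spec[1:-1].split()]
        return re.compile(b"".join(parts), re.DOTALL)
    return re.compile(re.escape(spec.encode()))


def _eval(node, env):
    """Recursively evaluate an expression AST against env (a dict of names)."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in env:
            raise RuleError(f"unknown name {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, env) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, env)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.Compare):
        left = _eval(node.left, env)
        for cmp_op, right_node in zip(node.ops, node.comparators):
            right = _eval(right_node, env)
            if isinstance(cmp_op, ast.In):
                ok = left in right
            elif type(cmp_op) in _CMP_OPS:
                ok = _CMP_OPS[type(cmp_op)](left, right)
            else:
                raise RuleError("unsupported comparison operator")
            if not ok:
                return False
            left = right
        return True
    raise RuleError(f"unsupported syntax: {type(node).__name__}")


def match_rule(rule, data, props):
    """True if `rule` matches a file with raw bytes `data` and parsed header properties `props`."""
    env = dict(props)
    env["filesize"] = len(data)
    for ident, spec in rule["strings"].items():
        env["s_" + ident] = _parse_pattern(spec).search(data) is not None
    # "$a" in the condition refers to string a; rewrite it to a valid Python name.
    condition = re.sub(r"\$(\w+)", r"s_\1", rule["condition"])
    return bool(_eval(ast.parse(condition, mode="eval"), env))


# Constructed rule: two strings plus size and header properties, as on the slide.
EXAMPLE_RULE = {
    "name": "Constructed_BankerLike",
    "strings": {
        "mz": "{ 4D 5A ?? 00 }",               # DOS header start with one wildcard byte
        "marker": "constructed_marker_text",  # ASCII marker, constructed for the example
    },
    "condition": "$mz and $marker and filesize < 64 * 1024 "
                 "and sections >= 3 and 'CreateRemoteThread' in imports",
}

# Constructed sample: fake file body plus the properties a header parser would supply.
SAMPLE_DATA = b"MZ\x90\x00" + b"\x00" * 100 + b"...constructed_marker_text..." + b"\x00" * 100
SAMPLE_PROPS = {"sections": 4, "imports": ["CreateRemoteThread", "WriteProcessMemory"], "exports": []}
BENIGN_PROPS = {"sections": 4, "imports": ["MessageBoxA"], "exports": []}
```

Any node type outside the whitelist (function calls, attribute access, subscripts) raises `RuleError`, which is the property a rule language fed from a shared signature database needs.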
-
Collective Intelligence: File Property Detection
DETECTOR.EXE (1.2MB)
Drivers; Entry Point = 0; Too many sections; Non Portable-Executable (PE)
Digital Signatures
File Infectors: EPO, Polymorphic, HLL, HLLW or PE Binder, Distant PE Header, Postpending, Unordered last section
Installers (Inno Setup, InstallShield, Nullsoft, Thinstall, Wise, Generic)
Runtime Packers: by signature (ASPack, EXEStealth, EXECryptor, UPX, MEW, PeCompact, Themida, Upack, Yoda, ...); Generic & Unknown !!!
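Added example (my code, not DETECTOR.EXE): a small PE header walker that computes several of the file properties the slide lists, namely non-PE, entry point = 0, too many sections, distant PE header, unordered last section and postpending (bytes after the last section), plus a crude packer hint from section names. It also includes a builder that constructs minimal PE32 byte images so the checks can be exercised offline; those images are headers only and are not loadable programs. The thresholds (8 sections, PE header beyond 0x400) and the packer section-name list are assumptions chosen for illustration, not PandaLabs' values.

```python
import struct

# Section names a few well-known runtime packers leave behind (assumption: a short
# illustrative list, not the signature database the slide refers to).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                        ".petite", ".nsp0", ".nsp1"}


def build_pe(sections, entry_point=0x1000, e_lfanew=0x40, overlay=b""):
    """Construct a minimal PE32 byte image for testing (headers only, not runnable).
    sections: list of (name, virtual_address, pointer_to_raw_data, size_of_raw_data)."""
    opt_size = 0xE0
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)           # e_lfanew -> PE signature offset
    hdr += b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)          # AddressOfEntryPoint
    hdr += opt
    for name, va, raw_ptr, raw_size in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), raw_size, va,
                           raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    end = max([ptr + size for _, _, ptr, size in sections] + [len(hdr)])
    image = bytearray(end)
    image[:len(hdr)] = hdr
    return bytes(image) + overlay


def inspect_pe(data, max_sections=8, max_e_lfanew=0x400):
    """Return the file-property flags from the slide for one byte image."""
    flags = {"non_pe": False, "entry_point_zero": False, "too_many_sections": False,
             "distant_pe_header": False, "unordered_last_section": False,
             "postpending": False, "packer_section": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        flags["non_pe"] = True
        return flags
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        flags["non_pe"] = True
        return flags
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_point = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    flags["distant_pe_header"] = e_lfanew > max_e_lfanew   # headers pushed far into the file
    flags["entry_point_zero"] = entry_point == 0
    flags["too_many_sections"] = n_sections > max_sections
    sections = []
    base = e_lfanew + 24 + opt_size
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, base + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    if sections:
        # Linkers write raw data in section order; a last section that starts before an
        # earlier one is typical of a section appended after the fact.
        last_ptr = sections[-1][1]
        flags["unordered_last_section"] = any(last_ptr < ptr for _, ptr, _ in sections[:-1])
        end_of_sections = max(ptr + size for _, ptr, size in sections)
        flags["postpending"] = len(data) > end_of_sections  # data appended past the last section
        flags["packer_section"] = next((n for n, _, _ in sections if n in PACKER_SECTION_NAMES), None)
    return flags
```

None of these flags is a verdict on its own (installers and legitimately packed software trip some of them), which is why the slide pairs them with signatures and unpacking; they are triage properties that decide what the sample gets sent to next.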
-
Collective Intelligence: Emulation & Unpacking
Types of Unpacking: Runtime (Driver, Memory dump); Static (Specific Unpacking Routines, Generic Unpacking, Emulation)
PVA.EXE (48kb)
Specific Unpacking Routines: over 50 packer brands & variants: ASPack, ASProtect, BeRoEXEPacker, Cexe, CryptoCrack, EXEShield, EXECryptor, FSG, MEW, MoleBox, NSPack, Obsidium, PCShrink, PECrypt, PECompact, PENinja, PESpin, Petite, Themida WinLicense, UPX, Upack, Yodas, eXPressor, tElock, y0das Crypter, y0das Protector.
Generic Unpacking: signature-less static unpacking; Emulation
-
Collective Intelligence: Clustered Grouping
FLUSTER.EXE (24kb)
Agglomerative Single Linkage Clustering: algorithm for grouping similar binary files
1. Each object (file) starts in its own cluster
2. Two closest clusters merged together
3. Distance d between two clusters is defined as the minimum distance between any object (file) from each of the clusters.
4. Result of algorithm is a hierarchical representation called a dendrogram.
Source: Victor Alvarez. Published in Virus Bulletin, May 2008
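Added example (my code, not FLUSTER.EXE or the Virus Bulletin implementation) that carries the four steps above through in Python: every file starts alone, the two closest clusters are merged, cluster distance is the minimum over cross pairs, and the merge history is the dendrogram, which is then cut at a threshold to obtain flat families. The distance used, Jaccard distance over byte bigrams, and the sample "files" (short constructed byte strings: three variants of one family, two of another, one unrelated) are assumptions chosen so the example runs offline.

```python
from itertools import combinations

# Constructed "files": three variants of one family, two of another, one unrelated blob.
SAMPLE_FILES = {
    "famA_v1": b"header-alpha|config=1|payload-routine-one|footer",
    "famA_v2": b"header-alpha|config=2|payload-routine-one|footer",
    "famA_v3": b"header-alpha|config=3|payload-routine-two|footer",
    "famB_v1": b"ZZ-other-loader-stage0-xyz-qq",
    "famB_v2": b"ZZ-other-loader-stage1-xyz-qq",
    "unrelated": b"0123456789 totally different bytes",
}


def byte_bigrams(data):
    """Feature set: all overlapping 2-byte sequences in the file."""
    return {data[i:i + 2] for i in range(len(data) - 1)}


def jaccard_distance(a, b):
    """1 - |A ∩ B| / |A ∪ B|: 0 for identical feature sets, 1 for disjoint ones."""
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def single_linkage(files, distance=jaccard_distance):
    """Agglomerative single-linkage clustering. Returns the merge history (the dendrogram)
    as a list of (cluster_a, cluster_b, distance) in merge order."""
    features = {name: byte_bigrams(data) for name, data in files.items()}
    pair_dist = {frozenset(p): distance(features[p[0]], features[p[1]])
                 for p in combinations(files, 2)}
    clusters = [frozenset([name]) for name in files]          # step 1: every file alone
    merges = []
    while len(clusters) > 1:
        # step 3: distance between clusters = minimum over all cross pairs (single linkage)
        d, ca, cb = min(((min(pair_dist[frozenset((x, y))] for x in ca for y in cb), ca, cb)
                         for ca, cb in combinations(clusters, 2)), key=lambda t: t[0])
        clusters = [c for c in clusters if c not in (ca, cb)] + [ca | cb]   # step 2: merge
        merges.append((sorted(ca), sorted(cb), round(d, 4)))
    return merges                                              # step 4: the dendrogram


def cut_dendrogram(merges, names, threshold):
    """Replay the merges below `threshold` to obtain flat clusters (candidate families)."""
    clusters = [frozenset([n]) for n in names]
    for ca, cb, d in merges:
        if d >= threshold:
            break
        ca, cb = frozenset(ca), frozenset(cb)
        clusters = [c for c in clusters if c not in (ca, cb)] + [ca | cb]
    return sorted(sorted(c) for c in clusters)
```

Single linkage follows chains of near-neighbours, which is what makes it good at pulling incremental variants into one family but also what lets one intermediate sample bridge two unrelated clusters; the threshold at which the dendrogram is cut is where that trade-off is tuned.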
-
Automatic Malware Classification: Malware Genome (Graph, Entropy and Grid Computing)
Sample Analysis:
1. IDAPro + IDAPython
2. Flow Control
3. Functions Control Flow Graph (CFG) signatures [Blocks:Axis:FunctionCalls]
4. Functions CRC32
5. Functions names
6. Operating System & Library Calls (API)
Adjacency Matrix: columns & rows = graph nodes
Source: Ismael Briones. Virus Bulletin 2008, Ottawa.
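Added example (my code, not the Virus Bulletin paper's tooling) of items 3 and 4 and of the adjacency matrix: each function is represented as basic blocks with successor edges, from which the code builds the block adjacency matrix, a (blocks, edges, calls) signature, and a CRC32 of the mnemonic stream with operands stripped so that two builds of the same function at different addresses hash identically. The per-block instruction lists are constructed as if exported by a disassembler script, and reading "Axis" in the slide's signature as the edge count is an assumption.

```python
import zlib

# Constructed functions "as if" exported from a disassembler script: each basic block
# maps to (instructions, successor blocks). Operands are illustrative only.
FUNC_V1 = {
    "b0": (["push ebp", "mov ebp, esp", "call 0x401000", "test eax, eax", "jz b2"], ["b1", "b2"]),
    "b1": (["call 0x401200", "jmp b3"], ["b3"]),
    "b2": (["xor eax, eax"], ["b3"]),
    "b3": (["pop ebp", "ret"], []),
}
# The same code relinked at other addresses: only operands changed.
FUNC_V2 = {
    "b0": (["push ebp", "mov ebp, esp", "call 0x402000", "test eax, eax", "jz b2"], ["b1", "b2"]),
    "b1": (["call 0x402200", "jmp b3"], ["b3"]),
    "b2": (["xor eax, eax"], ["b3"]),
    "b3": (["pop ebp", "ret"], []),
}
# A structurally different function (a loop, no calls).
FUNC_OTHER = {
    "b0": (["push ebp", "mov ebp, esp", "cmp ecx, 0", "jle b2"], ["b1", "b2"]),
    "b1": (["dec ecx", "jmp b0"], ["b0"]),
    "b2": (["pop ebp", "ret"], []),
}


def adjacency_matrix(func):
    """Square 0/1 matrix whose rows and columns are the basic blocks (graph nodes)."""
    index = {name: i for i, name in enumerate(func)}
    matrix = [[0] * len(func) for _ in func]
    for name, (_, successors) in func.items():
        for succ in successors:
            matrix[index[name]][index[succ]] = 1
    return matrix


def cfg_signature(func):
    """(blocks, edges, function calls): the slide's [Blocks:Axis:FunctionCalls] triple,
    reading 'Axis' as the edge count (assumption)."""
    blocks = len(func)
    edges = sum(len(succ) for _, succ in func.values())
    calls = sum(1 for insns, _ in func.values() for insn in insns if insn.split()[0] == "call")
    return (blocks, edges, calls)


def function_crc32(func):
    """CRC32 over the mnemonic stream with operands stripped, so address-only
    differences between variants do not change the hash."""
    mnemonics = [insn.split()[0] for insns, _ in func.values() for insn in insns]
    return zlib.crc32(" ".join(mnemonics).encode("ascii")) & 0xFFFFFFFF


def same_function(a, b):
    """Treat two functions as the same 'gene' when graph, signature and CRC all agree."""
    return (adjacency_matrix(a) == adjacency_matrix(b)
            and cfg_signature(a) == cfg_signature(b)
            and function_crc32(a) == function_crc32(b))
```

Stripping operands is what makes the CRC survive recompilation at a different base address; it also means register renaming or instruction reordering by a compiler will still change it, which is why the graph and signature are kept alongside the hash rather than replaced by it.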
-
Automatic Malware Classification: Variants of Bankolimb Family
Source: Ismael Briones. Virus Bulletin 2008, Ottawa.
-
Specialized Heuristics
Very good for specific threats, to keep low false positive rates.
Implemented in product: specialized heuristics for phishing websites and Banking Trojans.
Banking Trojans (detection rate per family):
Wspoem 94.56%
Sinowal 96.78%
Torpig 92.79%
Goldun 84.60%
Abwiz 94.95%
Briz 91.08%
Bancolimb (Limbo) 91.38%
Dumador 95.58%
Bankpatch 100.00%
Banco 73.98%
Banbra 74.21%
-
What's all this geeky stuff for anyway?
PandaLabs's Objective: to be the #1 in classification & detection of new malware.
-
Thanks!
Luis Corrons
PandaLabs Blog: http://www.pandalabs.com