Malwares in Cyber Space – Threat landscape, Emerging trends, Solutions and Challenges
Atul Kabra, Solutions Architect
CyberSpace – The good, the bad and the ugly
• The Internet is an unsafe neighbourhood, right in your office space, your living room, your cell phone, and god knows where else
• Plenty of bad guys are out there to steal your data, money, identity and anything else they can by infecting your devices
• Some bad guys have turned ugly and don’t care about your money anymore
  – They are out to spread cyber destruction/warfare
• Lucky for you, there are some “good” guys out there too, working to keep you safe
Zero-Day attacks – Rise of the ‘Malwares’
• Quarter-on-quarter growth in malware samples
  – We now have more than 80 million samples
• For comparison, the population of Bangalore is ~8 million
Malware growth
• Growth in ‘new’ malware
Security measures by OS vendors
• Widen the adoption of ‘digital signatures’
  – A ‘digital signature/certificate’ is a means of establishing ‘trust’
    • ‘trust’ = “You are who you claim to be”
• Windows is by and large the biggest target of PC-based malware
• Microsoft’s response to tighten security in the OS
  – Enforce digital signatures
    • Mandatory on all 64-bit platforms; 32-bit is excluded for legacy reasons
  – Enhanced security in Windows 8
    • UEFI boot – ensures a secure boot through digital signatures
    • Early Launch Anti-Malware (ELAM)
      – Allows the anti-malware driver to be launched ahead of any other kernel driver
      – The AM driver can allow/deny the load of subsequent kernel modules based on their digital signature
Now an interesting new trend – Digitally signed malware
Digitally signed malware
• How the ‘heck’ does malware get signed?
  – Doesn’t the digital signing process involve a trusted root?
  – What exactly is a ‘digital signature’?
• A primer on digital signatures might help
  – Technology built on asymmetric cryptography
    • Public + private key
    • The signed document contains
      – A hash (MD5) of the content
        » Encrypted using the signer’s private key
      – The public key of the signer
    • Decrypted at run time using the public key
      – Verifies the identity of the signer
• Malware gets signed using
  – Stolen certificates (social engineering)
  – Algorithmic weaknesses (MD5)
  – Packaging a genuinely signed binary and misusing it
Example – Stolen certificates
• Have you heard of ‘Stuxnet’?
  – Arguably the most sensational virus attack of recent times
    • Seems like something right out of a Hollywood sci-fi movie
    • Indicates a change in motivation for malware authors (or their sponsors)
• Here is what ‘Wikipedia’ has to say
• Stealing certificates happens all the time
  – Recent breach at security firm Bit9 (https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/)
Example – Algorithm weaknesses
• Flame
  – Also known as SkyWiper
  – Designed for cyber espionage: it could record audio, capture keystrokes and screenshots, and even Skype traffic
  – Another malware discovered in Middle Eastern geographies (largely Iran)
• Main module of Flame
  – A signed rootkit driver
  – The signature exploited a weakness (collision) in the MD5 algorithm
    • Specially computed blocks were inserted into a file to produce two files with different contents and matching MD5 hashes
    • This weakness was used to generate dummy keys that matched the certificate of Microsoft Terminal Services
    • Roughly speaking, generating this collision would take about $20K of computing power on Amazon EC2
(Image source: http://www.wired.com)
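The primer on the earlier slide and the Flame case both rest on the same fact: the signature covers only the digest of the file, so any second file with the same digest inherits a valid signature. The Go program below is an added illustration (not code from this deck, from Microsoft, or from any malware discussed): it signs a constructed sample with RSA over MD5 and over SHA-256, shows that the loader-side check compares digest and signature only, and adds the defender-side policy of refusing MD5-based signatures. No collision is computed; the function names are assumed for the example.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// digest: the hash the signature covers (MD5 and SHA-256 only, as on the slides).
func digest(alg crypto.Hash, data []byte) []byte {
	switch alg {
	case crypto.MD5:
		d := md5.Sum(data)
		return d[:]
	case crypto.SHA256:
		d := sha256.Sum256(data)
		return d[:]
	}
	return nil
}

// Sign mimics code signing: hash the file, sign the digest (RSA PKCS#1 v1.5).
func Sign(key *rsa.PrivateKey, alg crypto.Hash, file []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, alg, digest(alg, file))
}

// VerifyDigest is what a loader does: sig vs. digest only; colliding files look identical.
func VerifyDigest(pub *rsa.PublicKey, alg crypto.Hash, d, sig []byte) error {
	return rsa.VerifyPKCS1v15(pub, alg, d, sig)
}

// VerifyFile adds the mitigation: refuse MD5-based signatures before checking anything.
func VerifyFile(pub *rsa.PublicKey, alg crypto.Hash, file, sig []byte) error {
	if alg == crypto.MD5 {
		return errors.New("policy: MD5-based signatures are not trusted")
	}
	return VerifyDigest(pub, alg, digest(alg, file), sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	driver := []byte("constructed sample: benign driver image") // constructed input
	sig, _ := Sign(key, crypto.SHA256, driver)
	fmt.Println("SHA-256 signature verifies:", VerifyFile(&key.PublicKey, crypto.SHA256, driver, sig) == nil)
}
```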
Example – Mis(ab)using commercial drivers
• Shamoon
  – Also known as Disttrack
  – Another targeted attack
    • Energy companies in the Middle East
  – Corrupts files and the MBR, and destroys data so that it can’t be recovered
  – Does it with the help of a signed driver called ‘drdisk.sys’
  – drdisk.sys is a commercially available, legitimately signed driver from EldoS Corp (http://eldos.com/rawdisk/)
End Notes – Future of security and challenges ahead
• Malware is getting increasingly smarter
  – With access to digital signatures, they have broken a strong fort of security
• Traditional black-listing based solutions alone may not be sufficient anymore
  – Especially for zero-day attacks
  – Newer attacks – ROP (Return Oriented Programming)
• Need for futuristic solutions
  – Heuristic/behavior based detection
  – Sandboxing based solutions
  – Hardware assisted solutions
    • W^X memory pages – DEP (Data Execution Prevention)
    • Hypervisor based security – SecVisor/MicroVisor
  – White-listing based solutions
• Challenges the industry faces
  – Risk of high false positives
  – Difficult to run in a virtual environment that uses offloaded detection engines
  – Performance penalties
  – White-listing can be too restrictive for end users
THANK YOU