to a persistent threat
play

to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda - PowerPoint PPT Presentation

May 24, 2023 •266 likes •794 views

Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection Vectors Packer Evolution How do they work ? DeepSec 2011 Introduction Fake AntiVirus (FakeAV) is a

  1. Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011

  2. Agenda • FakeAV Trends • Infection Vectors • Packer Evolution • How do they work ? DeepSec 2011

  3. Introduction Fake AntiVirus (FakeAV) is a malware which displays fake warnings to the users to trick them to buy illegitimate software . DeepSec 2011

  4. Introduction DeepSec 2011

  5. FakeAV Trends Analyse the major events over the last three and half years. DeepSec 2011

  6. FakeAV Trends • Dramatic Rise of FakeAV in 2009 • Black Hat SEO was heavily used. • Popular websites were used to serve FakeAV. • ex: New York Times news paper Website in 2009. • Government Embassy website Attacks . • Social Networking Sites were used (Facebook and Twitter). DeepSec 2011

  7. FakeAV Trends 2010 continued to see the spike in FakeAV detections. • More Spam redirects to FakeAV. • More unpatched PDF and Java Vulnerabilities were used to deliver FakeAV. • Black Hat SEO on hot topics, still remained the popular infection method. DeepSec 2011

  8. FakeAV Trends Significant events in 2011. • Mac users were infected with Mac Defender in big scale around May 2011. DeepSec 2011

  9. Sharp Decline Significant events in 2011. • Sharp Decline in FakeAV detections, due to law enforcement actions in Aug 2011. DeepSec 2011

  10. Sharp Decline ● ChronoPay’s server were compromised and details were reported online. ● Several FakeAV programs had credit card processing issues. DeepSec 2011

  11. FakeAV is down, but still active Sophos Top Five FakeAV Detection rate between Mar-Oct 2011. DeepSec 2011

  12. FakeAV is down, but still active FakeAV infection between 1 st Quarter of 2010 and 2 nd Quarter of 2011, according to Microsoft Security Intelligence Report. DeepSec 2011

  13. Infection Methods We will analyse popular Infection methods and how they work. DeepSec 2011

  14. Black Hat SEO Poisoning search engine optimization. • Illegitimate way of increasing search engine ranking. DeepSec 2011

  15. Black Hat SEO Pictorial Representation of Black Hat SEO attack DeepSec 2011

  16. Black Hat SEO • Step1: Identify and compromise legitimate websites. • Step2: Upload multifunctional PHP script to the compromised website. • Step3: Feed crawlers with specially stuffed webpage with keywords. • Step4: Redirect users coming through search engine to FakeAV website. DeepSec 2011

  17. Malvertising Serving FakeAV through Advertising networks. DeepSec 2011

  18. Malvertising JavaScript used in New York Times newspaper website. DeepSec 2011

  19. Cold Calling Fake tech support centre’s are used to scam users. DeepSec 2011

  20. Spam Campaigns FakeAV served through email attachments and drive by download links. DeepSec 2011

  21. Spam Campaigns DeepSec 2011

  22. Fake Codecs Users are social engineered to download FakeAV as Codecs. DeepSec 2011

  23. Exploit Kit Use Blackhole Exploit kit as an example to see how exploit kit works. DeepSec 2011

  24. Exploit Kit Black Hole Exploit Kit panel showing Infections by country and vulnerabilities.

  25. Exploit kit Blacklisting mechanism used by Black Hole. DeepSec 2011

  26. Exploit Kit Infection mechanism using Exploit kit. DeepSec 2011

  27. Exploit Kit Obfuscated Black Hole Exploit Script DeepSec 2011

  28. Exploit Kit Decrypted Exploit script checking version and creating Iframe element. DeepSec 2011

  29. Packer Evolution • Anti Emulation API • Process Environment Block • Thread Information Block • Kuser Shared Data DeepSec 2011

  30. Packer Evolution FakeAV without packed layer DeepSec 2011

  31. Anti Emulation • Emulator is a piece of Software used to simulate the behaviour of a system. • Windows X86 emulator is used to simulate the behaviour of X86 processor. • Malware authors use tricks to break emulation. DeepSec 2011

  32. Anti Emulation API DeepSec 2011

  33. Anti Emulation API DeepSec 2011

  34. FS:30 Process Environment Block DeepSec 2011

  35. FS:18 Thread Information Block DeepSec 2011

  36. KUSER_SHARED_DATA ● Usually mapped at 0x7FFE0000 ● Checking the presence of value at 0x7FFE0004 (TickCountMultiplier). ● Values at this structure are also known to be used in obfuscated calls and decryption strings. DeepSec 2011

  37. How is this Done ? Understand Packing using a Polymorphic Cryptor. DeepSec 2011

  38. Packer Evolution Cryptors available in underground forums. Click icon to add table DeepSec 2011

  39. Packer Evolution Crum Polymorphic Cryptor DeepSec 2011

  40. Packer Evolution. Crum Polymorphic Cryptor with different icons. DeepSec 2011

  41. Packer Evolution Testing Crum Polymorphic Cryptor DeepSec 2011

  42. Packer Evolution Testing Crum Polymorphic Cryptor DeepSec 2011

  43. Packer Evolution Anti Emulation stuff inserted by Crum Polymorphic Cryptor DeepSec 2011

  44. What Drives FakeAV ? DeepSec 2011

  45. What Drives FakeAV ? DeepSec 2011

  46. What Drives FakeAV ? DeepSec 2011

  47. What Drives FakeAV ? • FakeAV developers use affiliate networks to distribute and advertise FakeAV. • Affiliates in turn recruit meta affiliates to distribute FakeAV links and binaries. • Money is paid in Pay per Install scheme, for driving traffic to FakeAV Landing Pages and FakeAV purchases. • University of California research study reveals that FakeAV business earned more than 130 million dollars. DeepSec 2011

  48. AV vs FakeAV DeepSec 2011

  49. Conclusion • FakeAV is still one of the big threats actively infecting users. • Better understanding of operations used. • Able to study the different tricks used by FakeAV code. • Use this knowledge to better protect users from FakeAV Infection . DeepSec 2011

  50. Acknowledgements DeepSec 2011

  51. DeepSec 2011

Recommend

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez

Survivability Analysis of a Computer System under an Advanced Persistent Threat Attack guez , Xiaolin Chang , Xiaodan Li , Kishor S. Trivedi Ricardo J. Rodr rjrodriguez@unizar.es , xlchang@bjtu.edu.cn , { xiaodan.li,ktrivedi }

420 views • 26 slides
Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter:

Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter:

Aleatory Persistent Threat A short story by Nico Waisman nicolas@immunityinc.com Twitter: @nicowaisman Aleatoricism is the creation of art by chance, exploiting the principle of randomness. The word derives from the Latin word alea, the

862 views • 82 slides
(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

The Advanced Persistent Threat (or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced, Persistent Threat? Increasingly sophis5cated cyber aIacks by hos5le organiza5ons with the goal of: Gaining

872 views • 50 slides
Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon Supervisors: Marco Davids, Christian Hesselman (SIDN) About Advanced Persistent Threats Advanced Persistent Threat (APT) [2]; Highly skilled and

342 views • 32 slides
Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010

Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010

Persistent Reference on the Web Jonathan Rees Creative Commons W3C TAG F2F 20 October 2010 Wednesday, October 20, 2010 Outline of the memo you read Persistence and persistent reference Gambling / trust Threat model Prevention

612 views • 20 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

604 views • 6 slides
What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

DDoS & Modern Threat Motives Dan Holden Director, ASERT What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape Geo-poli:cal More defenses ? App/Content t a

1.13k views • 44 slides
Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory

Distributed Shared Persistent Memory (SoCC 17) Yizhou Shan, Yiying Zhang Persistent Memory (PM/NVM) CPU Byte Addressable Persistent Cache Low Latency Capacity Cost effective PM DRAM 2 Many PM Work, but All in Single Machine

712 views • 33 slides
Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
Assessment of sinoatrial node function at patients with persistent and long-standing persistent

Assessment of sinoatrial node function at patients with persistent and long-standing persistent

Assessment of sinoatrial node function at patients with persistent and long-standing persistent forms of atrial fibrillation after Maze III procedure combined with a mitral valve operation A.A. Kulikov, L.A. Bokeria Bakoulev Scientific Center

267 views • 12 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides
Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo

Hardware Support for ACID Transactions in Persistent Memory Arpit Joshi , Vijay Nagarajan, Marcelo Cintra, Stratis Viglas NVMW 2019 Persistent Memory Systems L1 L1 LLC Persistent Memory 2 Persistent Memory Systems L1 L1 Persistent

1.1k views • 70 slides
Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect Multi-phase approach Initially: create Cyber Domain PIM and S TIX PS M with UML Profile for NIEM Expand to other PS M, create Threat Meta

211 views • 10 slides
Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao

Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao

Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao Persistent Memory STT-RAM, PCM, Memory CPU CPU ReRAM, NVDIMM, Battery-backed Load/store DRAM NVRAM DRAM, etc. Not persistent Persistent

308 views • 20 slides
Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force

Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force

Proposed Low-Threat Petroleum UST Closure Policy SWRCB Low-Threat UST Closure Policy Task Force Los Angeles RWQCB Presentation September 15, 2011 Prologue Low-Threat Policy: An Evolutionary Process STATE WATER RESOURCES CONTROL BOARD

528 views • 31 slides
Persistent Handles: approaches Ralph Bhme, Samba Team, SerNet 2018-06-08 Outline Persistent

Persistent Handles: approaches Ralph Bhme, Samba Team, SerNet 2018-06-08 Outline Persistent

Persistent Handles: approaches Ralph Bhme, Samba Team, SerNet 2018-06-08 Outline Persistent Handles: Recap Persistent Handles: Samba dbwrap approach ctdb approach Persistent Handles: implementation (with dbwrap) VFS approach Outlook The

586 views • 43 slides
Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go wrong on the web! Clients encounter malicious content Web servers are target of break-ins Fake content/servers trick users Data sent

446 views • 16 slides
Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3

Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3

Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3 Denial of Service Attack (DoS) 4 THREAT CATEGORY THREAT ACTION TYPE Malware/Badware Send data to the external entity/site, Trapdoor/Backdoor Entry,

719 views • 23 slides
Persistent Bioperl Persistent Bioperl BOSC 2003 Hilmar Lapp Genomics Institute Of The Novartis

Persistent Bioperl Persistent Bioperl BOSC 2003 Hilmar Lapp Genomics Institute Of The Novartis

Persistent Bioperl Persistent Bioperl BOSC 2003 Hilmar Lapp Genomics Institute Of The Novartis Research Foundation San Diego, USA Acknowledgements Acknowledgements Bio* contributors and core developers Aaron, Ewan, ThomasD, Matthew,

534 views • 30 slides
Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Introduction Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430) Inquisitive people, unintentional blunders Hackers driven by technical challenges Disgruntled employees or

357 views • 23 slides
How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR

How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR

How to use soft OA methods to explore future IED threat and their countermeasures 27 ISMOR 2010 Introduction Cause Current threat around IEDs is continuously changing Little known about possible future threat Goal List

210 views • 16 slides

More recommend