Detecting Evasive Malware in the Sandbox—The Latest from McAfee and Intel Labs
McAfee Confidential
Rahul Mohandas | Intel Security
Ravi Sahita | Intel Labs

Speakers
Rahul Mohandas, Research Manager, Intel Security
Ravi Sahita, Principal Engineer, Intel Labs

Agenda
• Evolution of Targeted Malware Attacks and Defenses
• Sandboxing Challenges
• McAfee Advanced Threat Defense Technology
• Use Cases: Sandbox Evasion
• Platform Opportunities
• Summary
McAfee, and the McAfee logo are registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and 
brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and 
subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.

Evolution of Malware Attacks and Defenses

How did we get here?
A large number of enterprises had breaches over the past year. What can be done to better protect the network against these cyberthreats?
Evolution of defenses, shown as Attack [Defense]:
• Reactive: md5/URL blacklists.
• Proactive: heuristics/protocol analysis.
• Predictive: static/behavioral and predictive analytics; malware attribution.

State of Targeted Attacks
[Figure: timeline of targeted attack campaigns, 2010–2014. Campaigns shown: RSA hack, Duqu, Flame, Gauss, Mahdi, VOHO, Shamoon, Gotham, ZEGOST, Project Blitzkrieg, Beebus, Ladyboyle, MiniDuke, SAFE, NetTraveler, Naikon, SunShop, DeputyDog, EvilGrab, IceFog, Kimsuky, Guodl, Taidoor, The3bug, Web2Crew, Shiqiang, Quarian, Havex, Pittytiger, Quarian v2.]

Sandboxing Challenges
Evasion:
• Hook detection/skipping.
• Self/VM fingerprinting.
• System tampering.
• Interaction-based.
• Latent behavior.
• Timing analysis.
• And so on …

Advanced Threat Defense Technology
Sandboxing approach and future challenges

McAfee Advanced Threat Defense
• Using static and dynamically derived program behavior.
• Provides advanced sandboxing capabilities:
  • Virtual CPUs.
  • Anti-anti-debugging.
• Need to unpack to get to original executable code for analysis:
  • Detect variants.
  • Understand potential paths.
  • Provide unpacked code for further analysis.
[Figure: samples dispatched to VM 1, VM 2 … VM N running on a VMM.]

Dynamic and Static Code Analysis
Dynamic Analysis (analyze network and process activity):
• Runtime DLLs.
• File operations.
• Network operations.
• Process operations.
• Delayed execution.
Static Analysis:
• Unpacking.
• Disassembly of code.
• Calculate latent code.
• Familial resemblance.

Sandbox Evasion
Advanced: inline assembly
• Use assembly code to bypass hooks:
  • Replace sleep() with an induced delay loop.
  • Bypasses sandboxes that have default analysis timeouts.
• Family classification to the rescue.

Sandbox Evasion: Inline Assembly
[Slides 11–12: figures only.]

Quarian Evolution: Timeline
[Figure: similarity of Quarian samples to the family prototype, Dec '11 to March '14.]
• Prototype: similarity 100%.
• Sample ce1ef: similarity 97%.
• Sample 1d6b587: similarity 83.54%.
• Sample c0e5746dd: similarity 68.09%.
• Sample 93807cff6: similarity 68.18%.
• Sample f3862: similarity 66.72%.

Sandbox Evasion
Quarian: AppId Check
• APT actor active since 2011.
• Checks presence of registry key, exits if not found.
• Evades all known sandboxes relying on behavior only.
• Detected by McAfee® Advanced Threat Defense using static code analysis.

Quarian Evolution: Static Code Analysis
[Slide 15: figure only.]

Platform Opportunities
Improving malware analysis

Improving Malware Sandbox: Goals
Enhance instrumentation to observe zero-day/obfuscated behavior:
• Memory access and execution analysis.
• Kernel/user rootkit-like behavior.
• API, control flow attacks.
• Unpacking, de-obfuscating code.
… without impacting analysis throughput.
[Figure: VM1, VM 2 … VM n on a VMM, running on Intel CPUs.]

OS-Independent Behavioral Memory Monitoring
CPU extended page tables (EPTs) as memory monitoring domains
[Figure: Intel® VT-x with EPT. VM0 on CPU0 over a hypervisor; the EPT walker maps guest pages to host physical addresses through EPT domains. In one domain, application code/data is RX/RW, DLL code is RO and data is NP; in the other, DLL code is RX, data is RW and application code/data is RO/NP. Execution crossing EPT domains, or data accesses, cause events.]
• Observe read, write, or execution from memory.
• Critical data structure tracking.
• Critical API execution tracking without circumvention.
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)

Addressing Technical Challenges
• Factors limiting memory monitoring:
  • Hardware context-switch time.
  • Filtering uninteresting events with minimal overhead:
    • Monitoring data accesses requires filtering due to 4,000 page sharing.
  • Analyzing execution patterns:
    • Without requiring single-stepping of all execution.
Hardware-Accelerated Behavioral Memory Analysis
• VM Function (VMFUNC) to switch EPTs or memory views without VMExits.
• Virtualization Exceptions (#VE) to directly notify the guest of EPT access violations without VMExits.

Minimize exposure of VMM to reduce malware evasion opportunities
[Figure: Intel® VT-x with EPT. VM0 on CPU0 over a hypervisor; the EPT walker selects between memory view 1 and memory view 2 (extended page tables over the physical pages) via VMFUNC, and EPT violations are reported to the guest via #VE.]
• Report EPT violations via #VE.
• EPTP list is indexed by VMFUNC.

Accelerating Behavior-Induced Events
• Behavioral memory monitoring policies set up via EPT domains.
• VMM opts in to convert induced EPT violations (observed events) to #VE.
• Monitoring software can use VMFUNC to switch views in order to analyze memory accesses and continue sandboxed execution.
[Figure: VM sandbox containing a monitoring service and a monitored app, over a VMM with EPT domains on Intel CPUs. A WRITE access policy on the monitored app's memory raises #VE; the monitoring service (1) handles the #VE using the #VE info, (2) sets up single step or emulates, (3) completes analysis, switching views with VMFUNC.]
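The slides above describe this loop in hardware terms. The following toy model, added here as an illustration and not Intel or McAfee code, plays the same loop out in Python: two EPT views with per-page permissions, an EPT violation delivered to an in-guest handler as #VE, and a VMFUNC view switch that lets the monitored code continue. The page numbers, the permission layout (which mirrors the RX/RW versus RO/NP split drawn on slide 18), the write policy on the `CRITICAL` page, the class and function names and the access trace are all constructed.

```python
"""Toy model of EPT memory views with #VE delivery and VMFUNC view switching.

Added illustration only (not Intel or McAfee code). Page numbers, permission
layout, the write policy on CRITICAL and the access trace are constructed.
"""
R, W, X = 1, 2, 4   # read / write / execute permission bits
NP = 0              # page not present in this view

# Constructed guest-physical page numbers for the regions drawn on the slide.
APP_CODE, APP_DATA, DLL_CODE, DLL_DATA, CRITICAL = 0x10, 0x11, 0x20, 0x21, 0x30

# EPT views ("memory views", selected by index into the EPTP list). In the
# application's view DLL code is read-only, so executing it is a violation;
# the DLL view mirrors that for application code/data. The critical structure
# is read-only in every view, so each write to it is observed.
VIEWS = {
    "app": {APP_CODE: R | X, APP_DATA: R | W, DLL_CODE: R, DLL_DATA: NP, CRITICAL: R},
    "dll": {APP_CODE: R, APP_DATA: NP, DLL_CODE: R | X, DLL_DATA: R | W, CRITICAL: R},
}
# The view in which each region's code is meant to execute.
OWNER_VIEW = {APP_CODE: "app", APP_DATA: "app", DLL_CODE: "dll", DLL_DATA: "dll"}


class Sandbox:
    """One monitored VM: current view, emulated page contents and #VE records."""

    def __init__(self):
        self.view = "app"   # active EPTP index, changed only through vmfunc_switch
        self.memory = {}    # contents of pages written during the trace
        self.events = []    # #VE records handed to the in-guest monitoring service

    def vmfunc_switch(self, view):
        # VMFUNC (EPTP switching) changes the active view without a VMExit,
        # which is what keeps the whole monitoring loop inside the guest.
        self.view = view

    def access(self, page, kind, value=None):
        """Attempt a guest access. Returns True if it completed, either directly
        or after the monitor resolved the resulting #VE, and False if blocked."""
        if VIEWS[self.view].get(page, NP) & kind:
            if kind == W:
                self.memory[page] = value
            return True
        return self._handle_ve(page, kind, value)

    def _handle_ve(self, page, kind, value):
        # Step 1: handle #VE. The #VE info carries the page, access type and view.
        info = {"page": page, "kind": kind, "view": self.view}
        owner = OWNER_VIEW.get(page)
        if kind == X and owner not in (None, self.view) and VIEWS[owner][page] & X:
            # Execution crossing EPT domains: critical API execution tracking.
            # Record it, switch to the owner's view (step 2) and retry the
            # fetch so the sample continues unaware (step 3).
            self.events.append(dict(info, type="exec_crossing", to=owner))
            self.vmfunc_switch(owner)
            return self.access(page, kind)
        if kind == W and page == CRITICAL:
            # Critical data structure tracking: log and emulate the write while
            # leaving the page read-only, so the next write is observed too.
            self.events.append(dict(info, type="critical_write", value=value))
            self.memory[page] = value
            return True
        # Anything else the policy does not allow is reported and blocked.
        self.events.append(dict(info, type="blocked"))
        return False


# Constructed trace: the app runs, calls into a DLL, the DLL writes its own
# data and then a monitored structure, control returns to the app, and finally
# something tries to execute from the DLL's data page.
TRACE = [
    (APP_CODE, X), (APP_DATA, R), (DLL_CODE, X), (DLL_DATA, W, 0x1),
    (CRITICAL, W, 0xDEAD), (APP_CODE, X), (DLL_DATA, X),
]


def run_trace(trace):
    """Replay a trace; returns the sandbox (for its events) and per-access results."""
    sb = Sandbox()
    return sb, [sb.access(*step) for step in trace]


if __name__ == "__main__":
    sb, results = run_trace(TRACE)
    for step, ok in zip(TRACE, results):
        print(step, "ok" if ok else "blocked")
    for event in sb.events:
        print(event)
```

Two things the model makes visible. First, the "hook" on the DLL entry is a page permission, not patched code bytes, so a sample that scans its imports or API prologues for inline hooks finds nothing to skip; that is the "without circumvention" claim on slide 18. Second, every violation is resolved by the in-guest service with a view switch rather than a trip through the VMM, which is where the throughput argument on slides 19 and 20 comes from.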

Hardware Extensions for Improving Malware Sandbox
Enhanced instrumentation to observe zero-day/obfuscated behavior:
• Memory access and execution analysis.
• Kernel/user rootkit behavior.
• API, control flow attacks.
• Unpacking, de-obfuscating code.
Enhanced sandboxing: processor features pass-through.
CPU extensions:
- VMFUNC (low latency memory view switching).
- Virtualization Exceptions (low latency memory monitoring).
- …
[Figure: VMM with introspection extensions on Intel CPUs; Windows/Android VM1, VM 2 … VM n, each with a sandboxing engine and memory views.]

Addressing Evasion Challenges
Capabilities that can be enabled via hardware-enhanced introspection and family classification:
1. Hook-detection/skip avoidance.
2. Fingerprinting mitigation.
3. Kernel tamper detection.
4. User detection.
5. Latent behavior detection.
6. Timing virtualization.
[Figure: Microsoft Windows/Android VM1 (malware, monitored API, VM tools, OS) over a VMM on Intel CPUs, with capabilities 1–6 marked at the layer where each applies.]

Looking Ahead
Concluding thoughts

Future Directions and Research
• Finer-grain memory monitoring CPU primitives.
• Processor capabilities to detect/prevent malicious behavior via strong control-flow tracking.
• Machine-learning techniques to automate deeper analysis.
• Human interactivity modeling to expose latent code.
• Exploration of native hardware sandbox to reduce malware evasion opportunities.

Conclusion
• Combination of behavior and family classification addresses gaps to detect advanced malware.
• Hardware and software co-design to stay ahead of malware approaches.
• Evolving the McAfee Advanced Threat Defense platform:
  • Software improvements via open hypervisors.
  • Hardware-based differentiation to improve analysis.
• Ongoing research to stay ahead of evasion techniques.
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered 
trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of 
others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are 
provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.

08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Detecting Evasive Malware in Sandbox

  • 1. Detecting Evasive Malware in the Sandbox—The Latest from McAfee and Intel Labs. McAfee Confidential. Rahul Mohandas | Intel Security; Ravi Sahita | Intel Labs
  • 2. Speakers: Rahul Mohandas, Research Manager, Intel Security; Ravi Sahita, Principal Engineer, Intel Labs
  • 3. Agenda
    • Evolution of Targeted Malware Attacks and Defenses
    • Sandboxing Challenges
    • McAfee Advanced Threat Defense Technology
    • Use Cases: Sandbox Evasion
    • Platform Opportunities
    • Summary
    McAfee, and the McAfee logo are registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.
  • 4. Evolution of Malware Attacks and Defenses: How did we get here? A large number of enterprises had breaches over the past year. What can be done to better protect the network against these cyberthreats? Evolution of defenses, shown as Attack [Defense]:
    • Reactive: md5/URL blacklists.
    • Proactive: heuristics/protocol analysis.
    • Predictive: static/behavioral and predictive analytics; malware attribution.
  • 5. State of Targeted Attacks (timeline, 2010 to 2014): Duqu, Flame, Gauss, Mahdi, VOHO, Shamoon, Beebus, Ladyboyle, MiniDuke, RSA hack, Naikon, NetTraveler, Gotham, ZEGOST, DeputyDog, EvilGrab, IceFog, Kimsuky, Guodl, Taidoor, The3bug, Web2Crew, Project Blitzkrieg, Shiqiang, Quarian, SAFE, SunShop, Havex, Pittytiger, Quarian v2. The dates shown on the slide run from MAR-2011 to AUG-2014.
  • 6. Sandboxing Challenges: Evasion
    • Hook-detection/skipping.
    • Self/VM fingerprinting.
    • System tampering.
    • Interaction-based.
    • Latent behavior.
    • Timing analysis.
    • And so on …
  • 7. Advanced Threat Defense Technology: Sandboxing approach and future challenges
  • 8. McAfee Advanced Threat Defense (diagram: samples dispatched to VM 1, VM 2 … VM N running on a VMM)
    • Using static and dynamically derived program behavior.
    • Provides advanced sandboxing capabilities: virtual CPUs; anti-anti-debugging.
    • Need to unpack to get to the original executable code for analysis: detect variants; understand potential paths; provide unpacked code for further analysis.
  • 9. Dynamic and Static Code Analysis
    • Dynamic analysis: analyze runtime DLLs, file operations, network operations, process operations, delayed execution.
    • Static analysis: unpacking, disassembly of code, calculate latent code, familial resemblance.
  • 10. Sandbox Evasion. Advanced: inline assembly
    • Use assembly code to bypass hooks: replace sleep() with an induced delay loop.
    • Bypasses sandboxes that have default analysis timeouts.
    • Family classification to the rescue.
  • 11. Sandbox Evasion: Inline Assembly
  • 13. Quarian Evolution: Timeline. Samples and similarity: ce1ef, 97%; Prototype Added, 100%; 1d6b587, 83.54%; c0e5746dd, 68.09%; 93807cff6, 68.18%; f3862, 66.72%. Dates on the timeline: Dec ’11, Jan ’12, March ’12, July ’12, August ’13, March ’14.
  • 14. Sandbox Evasion. Quarian: AppId Check
    • APT actor active since 2011.
    • Checks presence of a registry key, exits if not found.
    • Evades all known sandboxes relying on behavior only.
    • Detected by McAfee® Advanced Threat Defense using static code analysis.
  • 15. Quarian Evolution: Static Code Analysis
  • 16. Platform Opportunities: Improving malware analysis
  • 17. Improving Malware Sandbox: Goals (diagram: VM1, VM 2 … VM n on a VMM over Intel CPUs). Enhance instrumentation to observe zero-day/obfuscated behavior:
    • Memory access and execution analysis.
    • Kernel/user rootkit-like behavior.
    • API, control flow attacks.
    • Unpacking, de-obfuscating code.
    … without impacting analysis throughput.
  • 18. OS-Independent Behavioral Memory Monitoring: CPU extended page tables (EPTs) as memory monitoring domains (diagram: VM0 on CPU0, hypervisor using Intel® VT-x with EPT; EPT domains with page permissions such as Application Code/Data (RX/RW), DLL Code (RX), Application Code/Data (RO/NP), DLL Code (RO), Data (RW), Data (NP); the EPT walker translates to host physical addresses; execution crossing EPT domains or data accesses cause events. Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x).)
    • Observe read, write, or execution from memory.
    • Critical data structure tracking.
    • Critical API execution tracking without circumvention.
  • 19. Addressing Technical Challenges
    • Factors limiting memory monitoring: hardware context-switch time.
    • Filtering uninteresting events with minimal overhead: monitoring data accesses requires filtering due to 4,000 page sharing.
    • Analyzing execution patterns: without requiring single-stepping of all execution.
  • 20. Hardware-Accelerated Behavioral Memory Analysis: minimize exposure of the VMM to reduce malware evasion opportunities
    • VM Function (VMFUNC) to switch EPTs or memory views without VMExits.
    • Virtualization Exceptions (#VE) to directly notify the guest of EPT access violations without VMExits.
    (diagram: VM0 on CPU0, hypervisor with Intel® VT-x with EPT; extended page tables, EPT walker, physical pages; Memory View 1 and Memory View 2; the EPTP list is indexed by VMFUNC; EPT violations are reported via #VE.)
  • 21. Accelerating Behavior-Induced Events
    • Behavioral memory monitoring policies set up via EPT domains.
    • VMM opts in to convert induced EPT violations (observed events) to #VE.
    • Monitoring software can use VMFUNC to switch views in order to analyze memory accesses and continue sandboxed execution.
    (diagram: VMM with EPT domains on Intel CPUs; VM sandbox with a monitoring service and a monitored app under a WRITE access policy; flow: 1. handle #VE (with #VE info), 2. set up single step or emulate, 3. complete analysis; VMFUNC switches between EPT domains.)
  • 22. Hardware Extensions for Improving Malware Sandbox (diagram: VMM with introspection extensions on Intel CPUs; Windows/Android VM1, VM 2 … VM n, each with a sandboxing engine and memory views; enhanced sandboxing processor features passed through). Enhanced instrumentation to observe zero-day/obfuscated behavior:
    • Memory access and execution analysis.
    • Kernel/user rootkit behavior.
    • API, control flow attacks.
    • Unpacking, de-obfuscating code.
    CPU extensions: VMFUNC (low latency memory view switching); Virtualization Exceptions (low latency memory monitoring); …
  • 23. Addressing Evasion Challenges (diagram: Microsoft Windows/Android VM1 with malware, monitored API, VM tools and OS above the VMM on Intel CPUs, numbered 1 to 6). Capabilities that can be enabled via hardware-enhanced introspection and family classification:
    1. Hook-detection/skip avoidance.
    2. Fingerprinting mitigation.
    3. Kernel tamper detection.
    4. User detection.
    5. Latent behavior detection.
    6. Timing virtualization.
  • 24. Looking Ahead: Concluding thoughts
  • 25. Future Directions and Research
    • Finer-grain memory monitoring CPU primitives.
    • Processor capabilities to detect/prevent malicious behavior via strong control-flow tracking.
    • Machine-learning techniques to automate deeper analysis.
    • Human interactivity modeling to expose latent code.
    • Exploration of a native hardware sandbox to reduce malware evasion opportunities.
  • 26. Conclusion
    • Combination of behavior and family classification addresses gaps to detect advanced malware.
    • Hardware and software co-design to stay ahead of malware approaches.
    • Evolving the McAfee Advanced Threat Defense platform: software improvements via open hypervisors; hardware-based differentiation to improve analysis; ongoing research to stay ahead of evasion techniques.
  • 27. Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.
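The EPT-domain monitoring flow of slides 18 to 21, as an added toy model written for this page (not Intel or McAfee code): two memory views with per-page permissions, a VMFUNC-style EPTP switch, and violations delivered as #VE to an in-guest monitoring service that emulates the access in the analysis view and resumes in the monitored view. The page layout, the access trace and the view numbering are constructed assumptions.

```c
/* Added toy model (not Intel/McAfee code) of the EPT-domain monitoring flow
 * from slides 18-21: memory views with per-page EPT permissions, a VMFUNC
 * style EPTP switch, and violations delivered as #VE to an in-guest monitor. */
#include <stdint.h>
#include <string.h>

#define PAGES 6
#define VIEWS 2
enum { P_R = 1, P_W = 2, P_X = 4 };            /* EPT permission bits  */
enum { EV_OK = 0, EV_VE = 1, EV_VMEXIT = 2 };   /* outcome of an access */
typedef struct { uint8_t perm[PAGES]; } view_t; /* one EPT = one memory view */
typedef struct {
    view_t views[VIEWS];  /* EPTP list; VMFUNC selects an index       */
    int cur;              /* active view                              */
    int ve_enabled;       /* VMM opted in: violations raised as #VE   */
    int ve_count;         /* events handled inside the guest          */
    int vmexit_count;     /* events that fell back to a VMExit        */
} vcpu_t;

/* VMFUNC leaf 0: switch the active EPTP without leaving the guest. */
static int vmfunc_switch_view(vcpu_t *v, int idx) {
    if (idx < 0 || idx >= VIEWS) return -1;
    v->cur = idx;
    return 0;
}

/* A guest access, checked by the EPT walker against the active view. */
static int guest_access(vcpu_t *v, int page, int access) {
    if (v->views[v->cur].perm[page] & access) return EV_OK;
    if (v->ve_enabled) { v->ve_count++; return EV_VE; }
    v->vmexit_count++;                         /* heavier path via VMM */
    return EV_VMEXIT;
}

/* Monitoring service (slide 21): 1. handle #VE, 2. switch to the analysis
 * view and emulate the faulting access, 3. switch back and resume sandboxed. */
static int monitor_handle_ve(vcpu_t *v, int page, int access) {
    int monitored = v->cur;
    vmfunc_switch_view(v, 1);
    int r = guest_access(v, page, access);     /* emulate / single step */
    vmfunc_switch_view(v, monitored);
    return r;
}

/* Constructed layout: pages 0-1 app code, 2-3 app data, page 4 a DLL export
 * treated as a critical API, page 5 a critical data structure. View 0 drops X
 * on page 4 and W on page 5 so a call or write raises an event; view 1 allows. */
static vcpu_t make_sandbox(int ve_enabled) {
    vcpu_t v;
    memset(&v, 0, sizeof v);
    uint8_t mon[PAGES] = { P_R|P_X, P_R|P_X, P_R|P_W, P_R|P_W, P_R,     P_R     };
    uint8_t ana[PAGES] = { P_R|P_X, P_R|P_X, P_R|P_W, P_R|P_W, P_R|P_X, P_R|P_W };
    memcpy(v.views[0].perm, mon, PAGES);
    memcpy(v.views[1].perm, ana, PAGES);
    v.ve_enabled = ve_enabled;
    return v;
}

/* Replay a constructed trace of the monitored app. Returns the number of #VE
 * events (expected 2: the API call and the data write) and reports VMExits. */
static int run_trace(int ve_enabled, int *vmexits) {
    vcpu_t v = make_sandbox(ve_enabled);
    const int trace[][2] = { {0,P_X}, {2,P_W}, {4,P_X}, {5,P_W}, {1,P_X}, {4,P_R} };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        int r = guest_access(&v, trace[i][0], trace[i][1]);
        if (r == EV_VE && monitor_handle_ve(&v, trace[i][0], trace[i][1]) != EV_OK)
            return -1;                         /* emulation itself faulted */
    }
    if (v.cur != 0) return -1;                 /* must resume in view 0 */
    *vmexits = v.vmexit_count;
    return v.ve_count;
}
```

With the VMM opted in to #VE, both observed events stay inside the guest; with #VE disabled the same two accesses each cost a VMExit, which is the throughput point of slide 19.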

Editor's Notes

  1. Rahul works with the Advanced Threat Defense product development and research team. He brings over 10 years of security experience and specializes in APT detection and attribution. He holds two patents in the security space and has presented at security conferences around the world. Ravi Sahita is a security researcher at Intel Labs (Security & Privacy Research). He is working on CPU and software co-design techniques for computer security, with a focus on Virtualization. Ravi has developed the DeepSAFE* technology, and designed new CPU and firmware (Intel® AMT) features for system security.
  2. * http://www.mcafee.com/in/resources/reports/rp-economic-impact-cybercrime2.pdf
     • Increasing incidents of APT attacks year over year.
     • Co-ordinated persistent threat actors.
     • Multi-vector and multi-staged attacks.
     • 85% increase in the growth of malware, H1’13 vs H1’14.
     • 300k new samples every day.
     • Target breach: 146 million - http://cir.ca/news/target-stores-hacking-investigation
  4. Evasion techniques with examples (Ref):
     • Hook-detection/skipping: CwSandbox bypass.
     • Self/VM fingerprinting: Vmware tools.
     • Kernel tampering: Pushdo accesses PsCreateProcessNotifyRoutine to remove all registered callbacks; it can then create and terminate processes without raising any red flags.
     • User detection: UpClicker, a trojan analyzed in December 2012, was among the earliest-discovered malware samples that used mouse clicks to detect human activity.*
     • Latent behavior: Trojan Nap, uncovered in February 2013, takes this approach.*
     • Execution after reboot.
     • Timing analysis.