Luis Corrons
PandaLabs Technical Director
Malware Fighting
Infection Sources
• Web
• Spam
• Social Networks
• Web: malware server, MPack
A Real Case
Rogue AntiSpyware
Stolen Accounts
• FTP accounts: US$1 per account
• ICQ numbers: from US$1 to US$10 (depending on the ICQ number)
• RapidShare premium accounts:
– 1 month: US$5
– 3 months: US$12
– 6 months: US$18
– 1 year: US$28
• Online shop accounts (megashop.ru, bolero.ru, cup.ru, etc.; ALL RUSSIAN): US$50 each
• 50 MB of Limbo Trojan logs: US$30 (contains email accounts, bank account numbers, credit card numbers, etc.; a percentage is guaranteed)
• Credit cards:
– VISA / MASTERCARD: 1-10 cards US$2 per card; 10-100 cards US$1.5 per card
– AMEX: 1-10 cards US$2.5 per card; 10-100 cards US$2 per card
• Passports:
– Black and white: US$2
– Color: US$5
Where to buy?
Malware figures
Malware Feeds (sources of the Malware Repository)
• Antimalware online services
• Honeypots
• Companies
• Honeymonkeys
• Malicious URLs
• Collective Intelligence
• CERTs
• Panda users
Source: PandaLabs
[Chart: malware samples received per month, January to December; y-axis "Samples", 0 to 40,000. Source: PandaLabs]
Malware samples received at PandaLabs (data up to December 2008)
[Chart: cumulative samples growing from 20 M. to 40 M., with growth multipliers x10, x2, x2, x2. Source: PandaLabs]
Collective Intelligence
Multi-Scanners
• "Automagic detections": detection signatures are added based on what other reliable AV scanners detect.
• Some "cloud-scanning" technologies work like this.
Collective Intelligence
<Program ID:XXXXX Status:unknown. Behavioral traces: log1,… Date/time of appearance: HHMMDDMMYY>
<Program ID:XXXXX Status:Malware W32/XY. Behavioral traces: log2,… Date/time of appearance: HHMMDDMMYY>
…
Collective Intelligence
Proceso de Análisis Estático: Meta Clasificador
• Análisis estático profundo
• Data Mining colectivo y análisis
estadístico
• Otras tecnologías
Proceso de Proceso de
Análisis Clasificación
Clasificación
• Drivers
• Entry Point = 0
• Too many sections
• Non Portable-Executable (PE)
• Digital Signatures
• File Infectors
• EPO, Polymorphic
• HLL, HLLW or PE Binder
• Distant PE Header
• Postpending
• Unordered last section
• Installers (Inno Setup, InstallShield, Nullsoft, Thinstall, Wise, Generic)
• Runtime Packers
• By signature (ASPack, EXEStealth, EXECryptor, UPX, MEW,
PeCompact, Themida, Upack, Yoda, ..)
• Generic & Unknown !!!
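The header checks in the classification list above (entry point = 0, too many sections, non-PE, distant PE header, postpending, unordered last section, packer by signature) are simple to state but easy to get subtly wrong on real files. The following Python sketch is an added example, not PandaLabs' classifier: it builds constructed PE images from scratch with `struct` and runs the heuristics over them. The thresholds (`MAX_SECTIONS`, `MAX_E_LFANEW`), the flag names and the small packer section-name table are assumptions; the page lists the heuristic names, not the actual cut-offs.

```python
import struct

# Thresholds and the packer section-name table are assumptions for this
# example; the page lists the heuristic names, not PandaLabs' actual cut-offs.
MAX_SECTIONS = 16          # "Too many sections"
MAX_E_LFANEW = 0x400       # "Distant PE Header"
OPT_HDR_SIZE = 0xE0        # PE32 optional header size used by the builder
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack",
                   b".adata": "ASPack", b".petite": "Petite"}


def build_pe(entry_point, sections, e_lfanew=0x40, overlay=b""):
    """Construct a minimal PE image (headers + section table only) for testing.
    sections: list of (name, PointerToRawData, SizeOfRawData). Constructed data."""
    sec_tbl = e_lfanew + 24 + OPT_HDR_SIZE
    hdr_end = sec_tbl + SECTION_HDR.size * len(sections)
    buf = bytearray(max([off + size for _, off, size in sections] + [hdr_end]))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)              # e_lfanew
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4,
                     0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)         # PE32 magic
    struct.pack_into("<I", buf, e_lfanew + 40, entry_point)   # AddressOfEntryPoint
    for i, (name, off, size) in enumerate(sections):
        SECTION_HDR.pack_into(buf, sec_tbl + i * SECTION_HDR.size,
                              name.ljust(8, b"\0"), size, 0x1000 * (i + 1),
                              size, off, 0, 0, 0, 0, 0x60000020)
    return bytes(buf) + overlay


def inspect_pe(data):
    """Return the static-classification flags raised by `data`, in a fixed order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["NonPE"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 44 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["NonPE"]
    flags = []
    if e_lfanew > MAX_E_LFANEW:
        flags.append("DistantPEHeader")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_point = struct.unpack_from("<I", data, e_lfanew + 40)[0]
    if entry_point == 0:
        flags.append("EntryPointZero")
    if n_sections > MAX_SECTIONS:
        flags.append("TooManySections")
    sec_tbl = e_lfanew + 24 + opt_size
    raw = []  # (PointerToRawData, SizeOfRawData) per section
    for i in range(n_sections):
        pos = sec_tbl + i * SECTION_HDR.size
        if pos + SECTION_HDR.size > len(data):
            flags.append("TruncatedSectionTable")
            break
        hdr = SECTION_HDR.unpack_from(data, pos)
        name = hdr[0].rstrip(b"\0")
        if name in PACKER_SECTIONS:
            tag = "Packer:" + PACKER_SECTIONS[name]
            if tag not in flags:
                flags.append(tag)
        raw.append((hdr[4], hdr[3]))
    # Last section whose raw offset lies before an earlier one: section table was rewritten.
    if len(raw) > 1 and raw[-1][0] < max(off for off, _ in raw[:-1]):
        flags.append("UnorderedLastSection")
    # Bytes past the end of the last section: an overlay / postpended payload.
    if raw and len(data) > max(off + size for off, size in raw):
        flags.append("Postpending")
    return flags
```

The builder is only there to feed the checks with known-shape input; on real files the same `inspect_pe` runs unchanged over `open(path, "rb").read()`. Note that the overlay check compares against the raw extent of the sections, not the file size reported in headers, which is what a packer or binder that appends its payload leaves untouched.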
Emulation & Unpacking
• Types of unpacking:
– Runtime: driver, memory dump
– Static: specific unpacking routines, generic unpacking, emulation
• PVA.EXE (48 KB)
– Specific unpacking routines: over 50 packer brands & variants (ASPack, ASProtect, BeRoEXEPacker, Cexe, CryptoCrack, EXEShield, EXECryptor, FSG, MEW, MoleBox, NSPack, Obsidium, PCShrink, PECrypt, PECompact, PENinja, PESpin, Petite, Themida/WinLicense, UPX, Upack, Yoda's, eXPressor, tElock, y0da's Crypter, y0da's Protector)
– Generic unpacking: signature-less static unpacking
– Emulation
Clustered Grouping
• FLUSTER.EXE (24 KB)
• Malware Genome: graph, entropy and grid computing
• Sample analysis:
1. IDA Pro + IDAPython
2. Flow control
3. Functions' "Control Flow Graph" (CFG) signatures [Blocks:Axis:FunctionCalls]
4. Functions' CRC32 adjacency matrix
5. Function names
6. Operating system & library calls (API)
• Banking Trojans:
– Wspoem 94.56%
– Sinowal 96.78%
– Torpig 92.79%
– Goldun 84.60%
– Abwiz 94.95%
– Briz 91.08%
– Bancolimb (Limbo) 91.38%
– Dumador 95.58%
– Bankpatch 100.00%
– Banco 73.98%
– Banbra 74.21%
– …
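To make the clustering pipeline concrete, here is an added Python example, not FLUSTER.EXE or any PandaLabs code: each function of a sample is reduced to a [Blocks:Axis:FunctionCalls]-style signature plus a CRC32 over its CFG adjacency matrix and its API call set, samples are compared by the overlap of those fingerprints, and close samples are grouped. The per-function data (block count, edges, API names) stands in for what an IDAPython script would export from IDA Pro; the sample set, the Jaccard measure and the 60% threshold are assumptions, and the page does not say how its per-family percentages were computed.

```python
import zlib


def cfg_signature(n_blocks, edges, calls):
    """Per-function signature in the page's [Blocks:Axis:FunctionCalls] form:
    basic-block count, CFG edge count, number of API calls."""
    return f"{n_blocks}:{len(edges)}:{len(calls)}"


def adjacency_crc32(n_blocks, edges):
    """CRC32 over the function's CFG adjacency matrix, packed row by row
    (one byte per cell), so two functions with the same block graph collide."""
    matrix = bytearray(n_blocks * n_blocks)
    for src, dst in edges:
        if not (0 <= src < n_blocks and 0 <= dst < n_blocks):
            raise ValueError(f"edge {src}->{dst} outside {n_blocks} blocks")
        matrix[src * n_blocks + dst] = 1
    return zlib.crc32(bytes(matrix)) & 0xFFFFFFFF


def fingerprint(functions):
    """One (signature, adjacency CRC32, sorted API calls) tuple per function.
    `functions` maps a function name to (n_blocks, edges, api_calls), the kind
    of data an IDAPython export would provide (assumed layout)."""
    return {
        (cfg_signature(n, edges, calls), adjacency_crc32(n, edges), tuple(sorted(calls)))
        for n, edges, calls in functions.values()
    }


def similarity(fp_a, fp_b):
    """Jaccard overlap of two fingerprint sets, as a percentage."""
    union = fp_a | fp_b
    return 100.0 * len(fp_a & fp_b) / len(union) if union else 0.0


def cluster(samples, threshold=60.0):
    """Greedy single-linkage grouping: a sample joins the first cluster in which
    some member is at least `threshold` percent similar, else starts a new one."""
    fps = {name: fingerprint(fns) for name, fns in samples.items()}
    clusters = []
    for name in samples:
        for members in clusters:
            if any(similarity(fps[name], fps[m]) >= threshold for m in members):
                members.append(name)
                break
        else:
            clusters.append([name])
    return clusters


# Constructed sample data: (n_blocks, CFG edges, API calls) per function.
INJECT = (4, [(0, 1), (1, 2), (2, 3), (1, 3)], ["OpenProcess", "WriteProcessMemory", "CreateRemoteThread"])
STEAL = (3, [(0, 1), (1, 2)], ["InternetReadFile", "HttpSendRequestA"])
HOOK = (5, [(0, 1), (1, 2), (2, 3), (3, 4), (1, 4)], ["GetProcAddress", "VirtualProtect"])
C2 = (3, [(0, 1), (0, 2)], ["InternetOpenA", "InternetConnectA"])
PERSIST_V1 = (2, [(0, 1)], ["RegSetValueExA"])
PERSIST_V2 = (3, [(0, 1), (1, 2)], ["RegSetValueExA", "RegCloseKey"])  # rebuilt persistence routine

SAMPLES = {
    "banker_v1": {"inject": INJECT, "steal": STEAL, "hook": HOOK, "c2": C2, "persist": PERSIST_V1},
    "banker_v2": {"inject": INJECT, "steal": STEAL, "hook": HOOK, "c2": C2, "persist": PERSIST_V2},
    "downloader": {"fetch": (3, [(0, 1), (1, 2)], ["URLDownloadToFileA"]),
                   "run": (2, [(0, 1)], ["WinExec"])},
}

if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(group)
```

Two variants of the same banker share four of their five function fingerprints (about 67% overlap) and land in one cluster, while the downloader, whose functions happen to share block shapes with the banker's but not API calls, scores 0 and stays apart. Including the API call set in the fingerprint is what keeps tiny common routines (a two-block wrapper) from gluing unrelated families together.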
What's all this geeky stuff for anyway?
PandaLabs' Objective: to be the #1 in classification & detection of new malware.
Thanks!
Luis Corrons
luis.corrons@pandasecurity.com
PandaLabs Blog:
http://www.pandalabs.com