Detection of new variants has to happen extremely quickly, because they now appear at a rate of one every 1.5 seconds. We cannot rely solely on suspicious files being submitted by our customers or partners. We therefore had to build a large network of probes (honeypots) and develop new ways of finding malware. We will discuss the different techniques and their effectiveness in the real world.
2. Correlation Technology
• A network behavior correlation technology used to detect known and unknown
malware.
• Currently implemented in an out-of-band network sensor appliance called the “Threat
Discovery Appliance” which is bundled with a series of different service packages
known collectively as “Threat Management Services”.
• Adoption of this technology in other Trend Micro products is ongoing.
Copyright 2007 - Trend Micro Inc.
Paramount Q1 2008 - 2
4. How Do We Analyze Network Traffic?
• Assemble packets into one stream
• Extract embedded files & send to scanning engines
• Extract embedded URLs and perform WRS check
• Scan the traffic stream for exploits and network worms
• Perform single-session correlation on the traffic stream
5. Protocol Support
We currently support over 40 protocols, using port-agnostic protocol detection to accurately
identify protocols regardless of the port used.
Supported Protocols:
Network Services:      DNS, DCE-RPC, Telnet, RDP, VNC
Web Traffic:           HTTP, SSH, AIM, IRC
File Transfer:         FTP, TFTP, SMB
Email and Messaging:   SMTP, POP3, Gmail, Yahoo Mail, Hotmail
6. What We Do
• The Threat Analysis Group is a department of the Network Content Security Group and is
responsible for the operations that utilize our correlation technology.
• Over the years we have developed and improved upon several dedicated malware
replication systems, also known as “sandboxes”. These systems are responsible for executing
malware and logging all of their activities.
• Early on, we processed current malware along with a few years backlog of older samples.
Analysis of this network traffic provided us with the data used to create a majority of our early
ruleset. These rules are generic in nature and based upon the common behavior of different
malware types.
• Due to the volatile nature of malware, we determined that older samples were not worth our
time any longer and now focus solely on brand new malware, utilizing various feeds of
malware samples. Nowadays, the majority of our new rules focus on specific malware families.
7. What characteristics are we looking for?
Downloaders
• Packed / compressed executables
• Names of downloaded files belong to system files (svchost.exe, winlogon.exe, lsass.exe)
• File extension does not match the expected file type (JPG extension but the file is actually an EXE)
• Unique / unknown HTTP user-agents
8. What characteristics are we looking for?
Spyware/Grayware
• Unique / unknown HTTP user-agents
• Names of downloaded files belong to trademarked/copyrighted spyware applications (Gain, Media Motor, Hotbar, SpySherrif)
9. What characteristics are we looking for?
Backdoors
• Rogue services: unauthorized SMTP or HTTP servers
• Opened ports
• Loopback command shells: a DOS shell visible in the network traffic
• Non-standard service ports: HTTP traffic on a non-HTTP port
10. What characteristics are we looking for?
Mass mailers
• Attachments with long filenames (space padded)
• File extensions do not match the expected file type
• File inside an archive attachment has a double extension
• Packed files
• Suspicious URLs in the message body
11. What characteristics are we looking for?
Bots
• IRC traffic: bad NICKs, channel names, bot commands
• Non-standard service ports: typically HTTP or IRC, e.g. IRC traffic on port 8080 (HTTP proxy)
• File transfers to blacklisted domains
12. Scenario
[Diagram: corporate network with the C$ and Admin$ shares]
Rule 8 - Packed executable file dropped on a network share
Examples: WORM_AGOBOT, PE_LOOKED
13. Scenario
[Diagram: External Mail Server -> Internet -> Corporate Network -> Internal Mail Server]
Examples: WORM_NETSKY, WORM_MYTOB, WORM_AGOBOT
14. Scenario
[Diagram: IRC Server -> Internet -> Corporate Network]
Rule 26 - IRC session established with a known bad C&C
Rule 7 - IRC BOT commands found
Example: WORM_IRCBOT.EN
15. Scenario
[Diagram: Malicious Website -> Internet -> Corporate Network]
Rule 88 - HTTP requests attempted to download known malware-used filenames
Examples: TROJ_DLOADER, TROJ_AGENT
16. Rule Descriptions
Monitored client is receiving email with phishing link (External)
Rule ID: 72
Scenario: SMTP server receives phishing emails
The email sender domain is in the list of commonly phished domains and the email contains an IP address.
The email will trigger rule ID 72; direction is external.
Sender: customerservice@ebay.com
URL: http://70.88.210.45:81/ebay.com/index.html
Monitored Network
17. Rule Descriptions
Monitored client is sending out phishing email (Internal)
Rule ID: 72
Scenario: Infected host is sending phishing emails
The email sender domain is in the list of commonly phished domains and the email contains an IP address.
The email will trigger rule ID 72; direction is internal.
Sender: customerservice@ebay.com
URL: http://70.88.210.45:81/ebay.com/index.html
Monitored Network
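The rule-72 check the two slides above describe, written out as an added example (this is not Trend Micro's code). The list of commonly phished domains is a constructed stand-in, the sample message is constructed around the sender and URL shown on the slide, and the direction is passed in by the caller because the sensor, not the message, knows which way the session flowed.

```python
# Added example, not Trend Micro's code: the check behind rule ID 72 as
# slides 16 and 17 describe it. The list of commonly phished domains is a
# constructed stand-in; the sample message reuses the sender and URL shown
# on the slide.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list; the real product's list is not on the slides.
COMMONLY_PHISHED_DOMAINS = {"ebay.com", "paypal.com"}

# A URL whose host is a dotted-quad IP address, optionally with a port.
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?[^\s<>\"']*")

def message_text(msg) -> str:
    """Concatenate the text parts of a parsed email (single or multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)

def check_rule_72(raw_email: str, direction: str):
    """Return a rule-72 event if the sender claims a commonly phished domain
    and the message carries a URL pointing at a raw IP address, else None.
    direction is "external" (mail arriving) or "internal" (mail leaving)."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if domain not in COMMONLY_PHISHED_DOMAINS:
        return None
    urls = IP_URL.findall(message_text(msg))
    if not urls:
        return None
    return {"rule_id": 72, "direction": direction,
            "sender_domain": domain, "urls": urls}

# Constructed message built around the sender and URL from the slide.
PHISH = (
    "From: eBay Customer Service <customerservice@ebay.com>\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Account verification required\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Please confirm your details at http://70.88.210.45:81/ebay.com/index.html\r\n"
)
# Same sender, but a URL on the real domain: rule 72 stays quiet.
LEGIT = PHISH.replace("http://70.88.210.45:81/ebay.com/index.html",
                      "https://www.ebay.com/help")
```

Both conditions have to hold: a spoofed ebay.com sender with a normal link does not fire, and an IP-literal link from a domain nobody phishes does not fire either, which is what keeps this rule from paging on every newsletter.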
18. Rule Descriptions
Hacking attempt
Rule ID: 38 & 15
Fields of interest: username (not SMB)
• This rule is triggered when a certain threshold of failed login attempts is
reached. Below are the details of these thresholds per protocol.
• For the SMB protocol, the possible attacker is the destination IP address.
Protocol        Rule ID 38 (threshold trigger)   Rule ID 15 (threshold trigger)
FTP             =4x                              =20x
POP3            =4x                              =20x
*Cisco Telnet   =3x                              =6x
**SMB           =12x                             =18x
19. Rule Descriptions
Hacking attempt
Rule ID: 38 & 15
Scenario: Infected host brute-forces other hosts within the monitored network
There is a high number of failed login attempts on each attacked host
The attacks will trigger rule IDs 38 & 15; direction is internal for both
15 failed SMB logins
21 failed SMB logins
Monitored Network
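The threshold logic of rules 38 and 15 from the two slides above, as an added example that is not Trend Micro's code. The per-protocol thresholds are the ones in the table; the event tuple format, the addresses and the counts (15 and 21 SMB failures, as in the scenario) are constructed. For SMB the slide says the possible attacker is the destination address, which this example reads as the failure events being the server's responses, so the SMB tuples below run from server to client.

```python
# Added example, not Trend Micro's code: the failed-login threshold logic
# behind rule IDs 38 and 15 (slides 18 and 19). Thresholds are the ones on
# slide 18; the event tuples and addresses are constructed for the example.
from collections import defaultdict

# protocol -> (rule 38 threshold, rule 15 threshold), from slide 18
THRESHOLDS = {
    "ftp": (4, 20),
    "pop3": (4, 20),
    "cisco-telnet": (3, 6),
    "smb": (12, 18),
}

def failed_login_alerts(events):
    """Consume (protocol, src_ip, dst_ip, success) tuples in order and return
    the alerts fired as (rule_id, protocol, possible_attacker, target, count).
    Slide 18: for SMB the possible attacker is the destination address (the
    events are the server's failure responses); otherwise it is the source."""
    failures = defaultdict(int)
    alerts = []
    for proto, src, dst, success in events:
        if success or proto not in THRESHOLDS:
            continue
        key = (proto, src, dst)
        failures[key] += 1
        count = failures[key]
        attacker, target = (dst, src) if proto == "smb" else (src, dst)
        for rule_id, threshold in zip((38, 15), THRESHOLDS[proto]):
            if count == threshold:        # "=Nx": fire once, when N is reached
                alerts.append((rule_id, proto, attacker, target, count))
    return alerts

def make_failures(proto, src, dst, n):
    """Constructed helper: n failed attempts of proto seen from src to dst."""
    return [(proto, src, dst, False)] * n

# Constructed sample mirroring slide 19: the infected host 10.0.0.5 collects
# 15 SMB logon failures from server 10.0.0.20 and 21 from server 10.0.0.21
# (SMB failures are the servers' responses), plus three FTP failures and one
# success against 10.0.0.30, which stays under the FTP threshold of 4.
SAMPLE = (make_failures("smb", "10.0.0.20", "10.0.0.5", 15)
          + make_failures("smb", "10.0.0.21", "10.0.0.5", 21)
          + make_failures("ftp", "10.0.0.5", "10.0.0.30", 3)
          + [("ftp", "10.0.0.5", "10.0.0.30", True)])

if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE):
        print(alert)
```

With this sample the 15-failure host trips only rule 38 (12 reached, 18 not), while the 21-failure host trips rule 38 at the 12th failure and rule 15 at the 18th, matching the "=Nx" semantics of firing once when the count is reached rather than on every failure after it.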
20. Rule Descriptions
Monitored client is downloading a suspicious file.
Rule ID: 66
Scenario: Host downloads an executable file from a web site; the web server reports the content type as image/gif
This event will trigger rule ID 66; direction is external
HTTP response reports content type as image/gif, but the file is actually an executable
Monitored Network
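The mismatch check behind rule 66, and the "JPG extension but file is actually EXE" downloader characteristic from slide 7, as one added example (not Trend Micro's code). The magic-byte and extension tables are small constructed subsets, the HTTP responses are constructed, and the two findings a practitioner wants are kept separate: the server's declared content type disagreeing with the bytes, and the URL's extension disagreeing with the bytes.

```python
# Added example, not Trend Micro's code: spotting a download whose real type
# contradicts what the server or the filename claims, the checks slide 7
# ("JPG extension but file is actually EXE") and rule 66 ("content type
# image/gif but file is actually executable") describe. The magic-byte and
# extension tables are small constructed subsets; the responses are constructed.
from typing import Optional
from urllib.parse import urlsplit

# Leading magic bytes -> MIME type, for the handful of types the example knows.
MAGIC = [
    (b"MZ", "application/x-msdownload"),       # Windows PE executable
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
]

# File extension -> the MIME type that extension is expected to carry.
EXT_TYPES = {
    ".exe": "application/x-msdownload", ".dll": "application/x-msdownload",
    ".gif": "image/gif", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".png": "image/png", ".zip": "application/zip",
}

def sniff_type(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the body's magic bytes, or None."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None

def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def check_download(url: str, raw_response: bytes):
    """Return rule-66-style findings (strings) for one HTTP download; an
    empty list means declared type, extension and content all agree."""
    findings = []
    _, headers, body = parse_http_response(raw_response)
    actual = sniff_type(body)
    if actual is None:
        return findings                       # unrecognised content: no verdict
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if declared and declared != actual:
        findings.append(f"content-type {declared} but body is {actual}")
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    expected = EXT_TYPES.get(ext)
    if expected and expected != actual:
        findings.append(f"extension {ext} but body is {actual}")
    return findings

# Constructed responses: a PE file served as image/gif, and a real GIF.
FAKE_GIF = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
            b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)
REAL_GIF = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
            b"GIF89a\x01\x00\x01\x00" + b"\x00" * 16)
```

The sniffer deliberately stays silent on content it cannot identify: a rule that fires on "unknown bytes with a .gif name" would page on every exotic image format, whereas "PE header with a .gif name" is the signal the slide is after.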
21. Rule Descriptions
Monitored client is using a protocol on a non-standard port.
Rule ID: 33
Fields of interest: nickname, channelname
• The Internet Relay Chat (IRC) protocol typically uses a port in the range of 6665-6669. It is common for malicious IRC bots to use non-standard ports for their communication.
• This rule is triggered when an incoming or outgoing connection is detected using the IRC protocol on a port outside of this range. There is still a chance this is legitimate IRC traffic, but more likely it is a “bot” communication.
22. Rule Descriptions
Monitored client has malware that is communicating with an external party.
Rule ID: 33
Scenario: Infected host is communicating with an IRC C&C server using the IRC protocol, but on port 8080 instead of one of the standard ports in the range of 6665-6669.
This communication will trigger rule ID 33; direction is internal, but it could just as well be external if the response was captured instead.
Port: 8080
Monitored Network
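A port-agnostic IRC detector in the spirit of rule 33 from the two slides above, as an added example (not Trend Micro's code and not its protocol detector). The 6665-6669 range and the port-8080 case come from the slides; the IRC command list, the "two command lines" heuristic and the payloads are this example's own constructions. It also pulls out the nickname and channel name, the fields of interest the rule lists.

```python
# Added example, not Trend Micro's code: a port-agnostic IRC detector in the
# spirit of rule ID 33 (slides 21 and 22). The standard range 6665-6669 and
# the port 8080 case come from the slides; the payloads are constructed.
import re
from typing import Optional

IRC_STANDARD_PORTS = range(6665, 6670)          # 6665-6669 inclusive
IRC_COMMANDS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"PING", b"PONG", b"MODE"}

def looks_like_irc(payload: bytes) -> bool:
    """Identify IRC from the bytes alone: at least two lines that begin with an
    IRC command (after an optional ':prefix' as sent by servers)."""
    hits = 0
    for line in payload.split(b"\r\n"):
        tokens = line.split()
        if tokens and tokens[0].startswith(b":"):
            tokens = tokens[1:]                  # drop the server prefix
        if tokens and tokens[0].upper() in IRC_COMMANDS:
            hits += 1
    return hits >= 2

def irc_fields(payload: bytes):
    """Extract the nickname and channel name, the rule's fields of interest."""
    nick = re.search(rb"(?m)^NICK[ \t]+(\S+)", payload)
    chan = re.search(rb"(?m)^JOIN[ \t]+(#\S+)", payload)
    return (nick.group(1).decode("latin-1") if nick else None,
            chan.group(1).decode("latin-1") if chan else None)

def check_rule_33(dst_port: int, payload: bytes) -> Optional[dict]:
    """Fire when the payload is IRC but the port is outside 6665-6669."""
    if not looks_like_irc(payload) or dst_port in IRC_STANDARD_PORTS:
        return None
    nick, chan = irc_fields(payload)
    return {"rule_id": 33, "port": dst_port, "nickname": nick, "channelname": chan}

# Constructed payloads: a bot-style IRC login and an ordinary HTTP request.
BOT_LOGIN = b"NICK [USA|XP]38213\r\nUSER xp 0 0 :xp\r\nJOIN #bots\r\n"
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: proxy.example.invalid\r\n\r\n"
```

Because the decision is made from the payload, the same session on port 6667 is ignored and the same session on port 8080 is reported, which is exactly the behaviour that lets the rule see through the "HTTP proxy port" trick from slide 11.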
23. Relevance Rules
How It Works (Zeus)
• Group the packet captures of the same family
• Create a profile based on similarities and differences
• Create the Relevance Pattern!
24. Relevance Rules
Possible Relevance Rule for Hupigon
Samples (MD5):
  5e3831266f8d68bc3713c35963a39f75
  fbdc7c613fb23527929c18eb55fad5f0
  5e5c3e7cbc5ca7ecb48964494519068d
  46fd78ea03e2e8a6a07196f791fbb03c
Common request pattern:
  GET /*.txt HTTP/1.0\r\nUser-Agent: *\r\nHost: *\r\nPragma: no-cache\r\n
Note: * is a wildcard for any value
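How a wildcard relevance pattern like the Hupigon one above can be turned into a matcher, as an added example (not Trend Micro's rule language). The pattern string is the one on the slide with its CRLFs restored; the requests are constructed, and the decision that a `*` never spans a line break (so one wildcard cannot swallow a whole header block) is this example's own design choice rather than anything the slide states.

```python
# Added example, not Trend Micro's code: compiling a '*'-wildcard relevance
# pattern like the Hupigon one on the slide into a matcher. The pattern is the
# slide's (with CRLF restored); the requests are constructed, and the choice
# that a wildcard never spans a line break is this example's own.
import re

HUPIGON_PATTERN = ("GET /*.txt HTTP/1.0\r\nUser-Agent: *\r\nHost: *\r\n"
                   "Pragma: no-cache\r\n")

def compile_relevance_pattern(pattern: str) -> "re.Pattern":
    """Escape the literal pieces and join them with a within-one-line
    wildcard, anchored at the start of the request."""
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + "[^\r\n]*".join(pieces))

def matches_relevance(pattern: str, request: bytes) -> bool:
    """True if the request starts with something the pattern accepts."""
    regex = compile_relevance_pattern(pattern)
    return regex.match(request.decode("latin-1")) is not None

def classify_requests(pattern: str, requests):
    """Apply one pattern to a batch of captured requests."""
    return [matches_relevance(pattern, r) for r in requests]

# Constructed requests (hosts and paths are placeholders).
REQUESTS = [
    # Matches: .txt path, HTTP/1.0, same header order, no-cache pragma.
    b"GET /cc/cmd.txt HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n"
    b"Host: c2.example.invalid\r\nPragma: no-cache\r\n\r\n",
    # Same request over HTTP/1.1: the literal "HTTP/1.0" no longer matches.
    b"GET /cc/cmd.txt HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n"
    b"Host: c2.example.invalid\r\nPragma: no-cache\r\n\r\n",
    # Ordinary page fetch: no .txt in the request line.
    b"GET /index.html HTTP/1.0\r\nUser-Agent: x\r\nHost: h\r\nPragma: no-cache\r\n\r\n",
]
```

The literal pieces (HTTP/1.0, the header order, the Pragma value) are what make the pattern specific to the family; the wildcards absorb the parts that vary between samples, which is the "similarities and differences" profile slide 23 describes.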
25. Relevance Rules
• With the power and flexibility of the scripting language we use to create rules,
we are able to perform calculations and bitwise operations in order to validate
custom malware protocols such as the one used by the Palevo
(Mariposa/Butterfly) bot.
26. Rule Correlation
• We are limited to correlating only the data within a single session, and in a single direction. For example, we can correlate the data within an HTTP request or an HTTP response, but not between the two.
• To address this issue, further correlation is performed in a separate process on the initial events generated.
• With this approach, any type of correlation is possible, and the results are quite powerful. Reports are delivered that can pinpoint confirmed malware infections so the customer does not have to analyze logs and make his own determinations.
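The second-stage correlation this slide describes, as an added example that is not Trend Micro's code: the single-session rules emit events, and a separate pass groups them per host and turns combinations into verdicts. The event format, hosts, timestamps, the 10-minute window and the two correlation rules are constructed; the rule IDs are the ones the slides use (66 suspicious download, 33 IRC on a non-standard port, 38 failed-login threshold).

```python
# Added example, not Trend Micro's code: the second-stage correlation slide 26
# describes, run over the single-session events the earlier rules produce.
# Event format, hosts, times and the 10-minute window are constructed; the
# rule IDs are the ones used on the slides (66 = suspicious download,
# 33 = IRC on a non-standard port, 38 = failed-login threshold).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed single-session events: (timestamp, host, rule_id, direction).
EVENTS = [
    ("2008-01-15T10:00:00", "10.0.0.5", 66, "external"),
    ("2008-01-15T10:04:30", "10.0.0.5", 33, "internal"),
    ("2008-01-15T11:00:00", "10.0.0.7", 33, "internal"),
    ("2008-01-15T09:00:00", "10.0.0.9", 66, "external"),
    ("2008-01-15T09:30:00", "10.0.0.9", 33, "internal"),
    ("2008-01-15T12:00:00", "10.0.0.5", 38, "internal"),
    ("2008-01-15T12:01:00", "10.0.0.5", 38, "internal"),
    ("2008-01-15T12:02:00", "10.0.0.5", 38, "internal"),
]

def correlate(events, window=timedelta(minutes=10), min_brute_force_events=3):
    """Return {host: verdict}. A host is a confirmed bot infection when a
    suspicious download (66) is followed within `window` by IRC on a
    non-standard port (33); a host is confirmed to be brute-forcing when it
    raised rule 38 at least `min_brute_force_events` times. Hosts whose
    events do not correlate are reported as unconfirmed with their rule IDs."""
    by_host = defaultdict(list)
    for ts, host, rule_id, direction in events:
        by_host[host].append((datetime.fromisoformat(ts), rule_id, direction))
    verdicts = {}
    for host, evs in by_host.items():
        evs.sort()                                   # chronological per host
        downloads = [t for t, r, _ in evs if r == 66]
        irc = [t for t, r, _ in evs if r == 33]
        brute = [t for t, r, _ in evs if r == 38]
        confirmed = []
        if any(timedelta(0) <= ti - td <= window
               for td in downloads for ti in irc):
            confirmed.append("bot infection: download followed by IRC C&C")
        if len(brute) >= min_brute_force_events:
            confirmed.append("brute-forcing internal hosts")
        if confirmed:
            verdicts[host] = "confirmed: " + "; ".join(confirmed)
        else:
            verdicts[host] = "unconfirmed: rules " + ",".join(str(r) for _, r, _ in evs)
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(correlate(EVENTS).items()):
        print(host, verdict)
```

The ordering and window checks are what the single-session stage cannot do: 10.0.0.9 has the same two events as 10.0.0.5 but thirty minutes apart, so it stays unconfirmed instead of being reported as an infection.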
27. Our Threat Assessment Results
Despite having the most current industry standard security
technology…
• 100% of companies had active malware
• 72% of companies had one or more IRC bots
• 56% of companies had information stealing malware
• 50% of companies had 4 or more IRC bots
• 80% of companies had malware web downloads
• 42% of companies had a network worm (1)
• $6M = average total cost of a major data breach in 2008 (2)
(1) Based on 130 assessments worldwide at companies averaging over 7,484 employees, including representatives from the manufacturing, government, education, financial services, retail, and healthcare industries.
(2) Ponemon Institute