Thursday, May 17, 2012

CISSP CPE6: Threat Review: Deconstructing Modern Trojans

Webinar by paloalto Length: 01:00:00

Analyzing samples collected by WildFire

Prevalence port/protocol evasion in malware as compare to non-malicious

Common tricks of evasive traffic:
1. use existing protocol in unexpected way (example IRC in port 80)
2. use standard protocol over non-standard ports to avoid signature

Example, DNS tunneling:

Take advantage of recursive query to pass encapsulate TPC message to a remote DNS server and send responses back.

App-ID address the Evasion Problem.

WildFirew analysis center, sand box-based analysis looks over samples
- detect new and unknown malware samples
- Use appip to analyze traffic generated by malware
- focus on evasive traffic behavior an unusual traffic that could not be detected by APP-ID

16,497 newly discovered malware samples - in April 2012:
66% traffic were undetected by traditional AV vendor
80% traffic generated to Internet
59% 7,918 generated evasive traffic

Common evasive behavior:
sort http headers
Unknown traffic
ddyn, fastflux domain
Fake http
Non standard http
IRC on regular port
IRC on non standard port
(surprisingly little use of IRC - it's becoming obsolete for malware)

Unknown  traffic is significantly high rate in malware as oppose to valid network traffic
11% of malware session presented as unknown
0.6% of legitimate traffic present as unknown

Enterprise can progressive reduce the amount of unknown traffic:
Custom APP-IDs

I raised questions:
You mentioned that 66% of malware traffic is not detected by major AV software, how did you test it?
Did you involve AV company to test it?
There is a common mistake of AV testing simply using using the AV CLI functionality, such using VirusTotal, whereas AV have has multiple layers of protection that might not detect via CLI functionality.
The common mistake of AV testing is simply using the CLI engine without, whereas AV has many layers of protection that cannot be access via CLI.

Labels: ,


Post a Comment

Subscribe to Post Comments [Atom]

<< Home