Coordinated Malware Eradication & Remediation Project (CMERP) – The Way Forward
Dr Aswami Ariffin (Dr AA), Vice President & Digital Forensics Scientist, Cyber.

Agenda
1. CMERP Objectives
2. Incidents & Statistics
3. CMERP Framework/Matrix/System
4. Industry & Academia Collaborators
5. Research, Development and Commercialization
6. Big Data Forensics & Honeynet
7. Conclusion
CMERP Objectives
Mission: To address the computer security concerns of Malaysian Internet users
Vision: To reduce the probability of successful attacks and lower the risk of consequential damage
Objectives:
• Reduce the number of bot/malware infections in Malaysia
• Provide proactive measures to safeguard against and mitigate malware infection
• Collaborate with industry and academia (national and international) to ensure the success of the project
APT modus operandi (figure: Hacker, C&C Server, Victim 1/2/3 and each victim's contact list)
1. Hacker sends a spear-phishing email to the targeted victims. RAT installation: the victim opens the malicious attachment.
2. The RAT communicates with the C&C server and grabs its orders.
3. Hacker uploads tools and requests data.
4. The victim machine sends the requested data.
5. A spear-phishing email is sent to each victim's contact list, repeating the cycle from the new victims.
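Step 2 of the diagram, the RAT calling home for orders, is the part of the chain a network-side monitor can see, because a timer-driven implant polls its C&C server at nearly constant intervals while human browsing does not. The following is an added example, not code from the slides or from the CMERP system: it groups constructed proxy log lines by (client, destination) and flags pairs whose inter-request gaps are almost identical. The log format, hostnames, addresses and thresholds are assumptions made for the example.

```python
"""Beacon (RAT call-home) detection over web-proxy log lines.

Added example, not from the CMERP slides. A RAT that polls its C&C server
for orders usually does so on a fixed timer, so for each (client, host)
pair we measure the spacing between requests and flag pairs whose gaps are
nearly constant. The log format, hostnames and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO-8601 timestamp> <client_ip> <dest_host> <path>".
# 10.0.0.5 polls update.example-cdn.net every ~5 minutes (the beacon) while
# also browsing a news site at irregular times (normal traffic).
SAMPLE_LOG = """\
2014-09-01T08:00:00 10.0.0.5 update.example-cdn.net /check
2014-09-01T08:00:03 10.0.0.5 news.example.com /index.html
2014-09-01T08:05:00 10.0.0.5 update.example-cdn.net /check
2014-09-01T08:10:01 10.0.0.5 update.example-cdn.net /check
2014-09-01T08:12:40 10.0.0.5 news.example.com /sports
2014-09-01T08:15:00 10.0.0.5 update.example-cdn.net /check
2014-09-01T08:20:00 10.0.0.5 update.example-cdn.net /check
2014-09-01T08:25:02 10.0.0.5 update.example-cdn.net /check
2014-09-01T08:30:00 10.0.0.5 update.example-cdn.net /check
2014-09-01T08:33:10 10.0.0.5 news.example.com /weather
2014-09-01T09:02:00 10.0.0.7 news.example.com /index.html
"""


def parse_log(text):
    """Group request timestamps by (client_ip, dest_host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the requests are evenly spaced,
    which is the signature of a timer-driven beacon rather than a person.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, float("inf")
    period = mean(gaps)
    if period == 0:
        return 0.0, float("inf")
    return period, pstdev(gaps) / period


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Flag (client, host) pairs with >= min_requests evenly spaced requests."""
    flagged = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        period, cv = beacon_score(times)
        if cv <= max_cv:
            flagged.append({
                "client": client,
                "host": host,
                "requests": len(times),
                "period_s": round(period),
                "cv": round(cv, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed log only the 10.0.0.5 to update.example-cdn.net pair is reported (seven requests, 300 s period). Real implants add jitter to the timer, so in practice the coefficient-of-variation threshold is tuned per environment and combined with other signals (new or rare destination, small fixed-size responses, off-hours activity) before anyone is notified.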
Online bank malware case, Sept 2014
Modus operandi of banker malware (figure: Hacker, victim)
1. A malware coder writes malicious software to exploit a computer vulnerability and install a trojan.
2. The victim is infected with credential-stealing malware.
1. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. Alert level: Severe
2. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. Alert level: Severe
3. JS/Faceliker is JavaScript that performs 'likejacking' attacks: it 'likes' Facebook content without your knowledge or consent. This threat may be included in malicious or hacked webpages. Alert level: Severe
4. Gamarue: this malware family can give a malicious hacker control of your PC. It can also steal your sensitive information and change your PC security settings. It has been seen installed by exploit kits and other malware, and attached to spam emails. Alert level: Severe
Source: Microsoft
CMERP - 2014
CMERP framework
CMERP matrix – detect, respond & prevent
1. Detect: constantly monitor traffic, security feeds and incident alerts.
2. Identify: when an infection is detected, the customer is identified and the system automatically fetches their contact information.
3. Alert: the customer is automatically alerted that their system appears to have been compromised and that follow-up action will be taken.
4. Walled garden: the customer's device is removed from, quarantined in, or restricted from the network.
5. Remediate: the customer can download tools made available at the isolation portal to remove the infection (also patches and bug fixes).
6. Verify: a PC/IP detected as clean rejoins the network; if the infection is still present, the problem is automatically flagged.
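The six steps above form a loop in which a device only moves forward through identify, alert and walled garden, and only leaves the walled garden on a clean re-scan. The following is an added example, not the CMERP system's own code: it models that loop as a state machine with an explicit transition table, processes constructed feed lines, and handles the two cases the slides imply but do not spell out (an IP that cannot be matched to a customer, and a device that is still infected after remediation). The feed format, customer records, hostnames, addresses and the re-scan callback are assumptions made for the example.

```python
"""The CMERP detect, respond & prevent loop as a small state machine.

Added example, not the CMERP system's own code. The slides name the inputs
but not their form, so three things are assumed here: an infection feed
(constructed lines below), a lookup from the IP in the feed to the
customer record, and a re-scan callback that reports whether the device is
clean before it is allowed back on the network.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed feed lines (e.g. a sinkhole or partner feed): "<timestamp> <ip> <family>".
FEED = """\
2014-09-15T10:02:11 203.0.113.10 conficker
2014-09-15T10:05:40 203.0.113.22 gamarue
2014-09-15T10:07:03 198.51.100.9 jenxcus
"""

# Constructed IP -> customer mapping; an ISP would resolve this from its
# RADIUS/DHCP records for the timestamp in the feed line.
CUSTOMERS: Dict[str, dict] = {
    "203.0.113.10": {"id": "C-1001", "contact": "alice@example.net"},
    "203.0.113.22": {"id": "C-1002", "contact": "bob@example.net"},
}

# Which states may follow which: the matrix only moves forward, and a
# flagged device goes back into the walled garden rather than straight out.
TRANSITIONS = {
    "detected": {"identified", "unmatched"},
    "identified": {"alerted"},
    "alerted": {"quarantined"},
    "quarantined": {"released", "flagged"},
    "flagged": {"quarantined"},
}


@dataclass
class Case:
    ip: str
    family: str
    customer: Optional[dict] = None
    state: str = "detected"
    log: List[str] = field(default_factory=list)


def advance(case: Case, new_state: str, note: str) -> None:
    """Move a case to new_state, refusing any step the matrix does not allow."""
    if new_state not in TRANSITIONS.get(case.state, set()):
        raise ValueError(f"{case.ip}: cannot go from {case.state} to {new_state}")
    case.state = new_state
    case.log.append(note)


def process_feed(feed_text: str, customers: Dict[str, dict],
                 recheck: Callable[[str], bool]) -> List[Case]:
    """Run every feed line through detect -> identify -> alert -> quarantine -> verify."""
    cases = []
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, family = line.split()
        case = Case(ip=ip, family=family)
        cases.append(case)
        cust = customers.get(ip)
        if cust is None:
            # Feed IP not in our address space or not attributable: keep the
            # case for manual handling rather than sending an automatic notice.
            advance(case, "unmatched", "no customer record for this IP; escalate manually")
            continue
        case.customer = cust
        advance(case, "identified", f"customer {cust['id']} owns {ip}")
        advance(case, "alerted",
                f"notify {cust['contact']}: device at {ip} appears infected with {family}")
        advance(case, "quarantined",
                f"walled garden: {ip} restricted to the isolation portal (removal tool, patches)")
        if recheck(ip):
            advance(case, "released", "re-scan clean; normal network access restored")
        else:
            advance(case, "flagged", "infection still present; flagged for follow-up")
    return cases


# Constructed re-scan outcome: only the first device is clean after remediation.
CLEAN_AFTER_REMEDIATION = {"203.0.113.10"}


def demo_recheck(ip: str) -> bool:
    return ip in CLEAN_AFTER_REMEDIATION


def run_demo() -> List[Case]:
    return process_feed(FEED, CUSTOMERS, demo_recheck)


if __name__ == "__main__":
    for c in run_demo():
        print(c.ip, c.family, c.state)
        for entry in c.log:
            print("   ", entry)
```

The transition table is the point of the design: it makes it impossible for code elsewhere in the pipeline to release a device that was never quarantined or to notify a customer who was never matched, and the per-case log gives the audit trail an ISP needs when a customer disputes being walled off. The feed timestamp is parsed but unused here; in production it must be passed to the IP-to-customer lookup, since dynamically assigned addresses change hands and a lookup at the wrong time notifies the wrong customer.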
CMERP system concept
Project phases
Industry collaborator
Academia collaborator
R&D&C
iOS forensics – vulnerability research
Big data forensics & honeynet
Conclusion
1. Cyber threat intelligence report; malware biometrics
2. National/international cooperation to combat cybercrime; analytics dashboard
3. Enforcement; cyber laws
4. Lower the cost of combating cybercrime
5. More efficient through strategic alliances
6. Capacity and capability building
7. Emergency readiness