Transcript
Coordinated Malware Eradication & Remediation Project (CMEP) – The Way Forward
Dr Aswami Ariffin (Dr AA), Vice President & Digital Forensics Scientist, Cyber Security Responsive Services Division
CMERP Objectives
Mission: To address the computer security concerns of Malaysian Internet users
Vision: To reduce the probability of successful attacks and lower the risk of consequential damage
Objectives:
• To reduce the number of bot/malware infections in Malaysia
• Provide proactive measures to safeguard against and mitigate malware infection
• Collaboration with industry and academia (national and international) to ensure the success of the project
APT modus operandi (diagram: Hacker, C&C Server, Victim 1, Victim 2, Victim 3 and the contact list of each victim)
1. Send spear phishing email to targeted victims (RAT installation: victim opens the malicious attachment)
2. RAT communicates with the C&C Server and grabs its orders
3. Uploads tools and requests data
4. Send requested data
5. Send spear phishing email to the victim's contact list
Online bank malware case, Sept 2014
Modus operandi of banker malware (diagram: Hacker)
1. Malware coder writes malicious software to exploit a computer vulnerability and install a trojan
2. Victim infected with credential-stealing malware
1. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. Alert level: Severe
2. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. Alert level: Severe
3. JS/Faceliker is a Javascript that does 'likejacking' attacks. A 'likejacking' attack is when this threat 'likes' Facebook content without your knowledge or consent. This threat might be included in malicious or hacked webpages. Alert level: Severe
4. Gamarue, this malware family can give a malicious hacker control of your PC. They can also steal your sensitive information and change your PC security settings. We've seen them installed by exploit kits and other malware. They can also be attached to spam emails. Alert level: Severe
Source: Microsoft
CMERP - 2014
CMERP framework
CMERP matrix – detect, respond & prevent
1. Constantly monitors traffic/security feed/incident alerts.
2. When an infection is detected, the customer is identified and the system automatically fetches their contact information.
3. Customer is automatically alerted that their system appears to have been compromised and that follow-up action will be taken.
4. Walled Garden – the customer's device is removed/quarantined/restricted from network access.
5. Customer can download tools made available at the isolation portal to remove the infection (also patches and bug fixes).
6. A PC/IP detected to be clean can rejoin the network. If the infection is still present, the problem is automatically flagged.
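The detect/respond/prevent flow above, carried through as a runnable walkthrough. This is an added example, not CMERP's or CyberSecurity Malaysia's code: the incident-feed lines, the customer directory, the IP addresses, the malware family names attached to sightings and the re-scan verdicts are all constructed, and the function and state names are mine. The point it adds to the slides is where the matching happens (feed IP to subscriber record) and what the end states are: a device only leaves the walled garden on a clean re-scan, otherwise the case is flagged for follow-up.

```python
"""Walled-garden remediation workflow as sketched in the CMERP matrix.

Added example, not part of the CMERP materials. Assumes a constructed
incident feed (one sighting per line) and an in-memory customer directory
keyed by IP; a real deployment would draw on a threat/sinkhole feed and the
ISP's subscriber database.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    CLEAN = "clean"              # allowed on the network
    NOTIFIED = "notified"        # customer alerted, not yet isolated
    QUARANTINED = "quarantined"  # walled garden: isolation portal only
    FLAGGED = "flagged"          # still infected after remediation attempt


# Constructed customer directory: IP -> subscriber record (hypothetical values)
CUSTOMERS = {
    "198.51.100.7": {"id": "CUST-001", "email": "alice@example.net"},
    "198.51.100.9": {"id": "CUST-002", "email": "bob@example.net"},
}

# Constructed incident-feed lines: "<timestamp> <src_ip> <family> <evidence>"
FEED = [
    "2014-09-01T08:00:00Z 198.51.100.7 conficker c2-beacon",
    "2014-09-01T08:05:00Z 203.0.113.4 gamarue c2-beacon",   # not our subscriber
    "2014-09-01T08:10:00Z 198.51.100.9 jenxcus c2-beacon",
]


@dataclass
class Case:
    customer_id: str
    ip: str
    family: str
    state: State = State.CLEAN
    history: list = field(default_factory=list)


def parse_feed_line(line):
    """Split one feed line into its four whitespace-separated fields."""
    ts, ip, family, evidence = line.split()
    return {"ts": ts, "ip": ip, "family": family, "evidence": evidence}


def detect(feed, customers):
    """Steps 1-2: match sightings to subscribers; IPs we do not own are ignored."""
    cases = {}
    for line in feed:
        ev = parse_feed_line(line)
        cust = customers.get(ev["ip"])
        if cust is None:
            continue  # someone else's address space: nothing to remediate
        cases[cust["id"]] = Case(cust["id"], ev["ip"], ev["family"])
    return cases


def notify(case, customer):
    """Step 3: alert the customer (recorded here rather than actually e-mailed)."""
    case.state = State.NOTIFIED
    case.history.append(f"notified {customer['email']} about {case.family}")


def walled_garden(case):
    """Step 4: restrict the device to the isolation portal."""
    case.state = State.QUARANTINED
    case.history.append("quarantined; access limited to isolation portal")


def rescan(case, still_infected):
    """Steps 5-6: after the customer runs the removal tools, re-check.

    `still_infected` stands in for the re-scan verdict (constructed here).
    Only a clean verdict releases the device; anything else is flagged.
    """
    if still_infected:
        case.state = State.FLAGGED
        case.history.append("re-scan: infection persists, case flagged")
    else:
        case.state = State.CLEAN
        case.history.append("re-scan: clean, network access restored")
    return case.state


def run_workflow(feed, customers, rescan_results):
    """Drive every detected case through notify -> quarantine -> re-scan."""
    cases = detect(feed, customers)
    for cid, case in cases.items():
        notify(case, customers[case.ip])
        walled_garden(case)
        rescan(case, rescan_results.get(cid, False))
    return cases


if __name__ == "__main__":
    # Constructed verdicts: CUST-002's cleanup failed, CUST-001's succeeded.
    for cid, c in run_workflow(FEED, CUSTOMERS, {"CUST-002": True}).items():
        print(cid, c.ip, c.state.value, "|", "; ".join(c.history))
```

The ordering matters for the operator: a case never goes from NOTIFIED straight back to CLEAN without passing through the walled garden and a re-scan, which is what keeps a customer who ignores the alert from staying on the network with the infection.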