Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks
02/07/2015 Malware Evolution
Index
1. Malware volume evolution
2. Malware eras
3. Panda Adaptive Defense
   1. What is it
   2. Features and benefits
   3. How does it work
   4. Success story
Malware samples evolution (chart: malware volume evolution over time)
Malware Eras
1st Era
• Very few samples and malware families
• Viruses created for fun; some very harmful, others harmless, but with no ultimate goal
• Slow propagation (months, years) through floppy disks. Some viruses are named after the city where they were created or discovered
• All samples are analysed by technicians
• Static analysis and disassembly (reversing) of each sample
Examples: W32.Kriz, Jerusalem
2nd Era
• The volume of samples starts growing
• The Internet slowly grows popular; macro viruses, mail worms, etc. appear
• In general terms, low-complexity viruses that use social engineering via email; limited distribution, they are not massively distributed
• Heuristic techniques
• Increased update frequency
Examples: Melissa, Happy99
3rd Era
• The appearance of massive worms overloads the Internet
  • Via mail: I Love You
  • Via exploits: Blaster, Sasser, SQL Slammer
• Proactive technologies
  • Dynamic: Proteus
  • Static: KRE and heuristics, machine learning
• Malware process identification by analysing the events generated by the process:
  • Access to the mail contact list
  • Internet connection through a non-standard port
  • Multiple connections through port 25
  • Addition of an autorun key
  • Hooking of web browsers
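As an added example (not code from the original presentation or from Panda), the following Python sketch turns the five behavioural indicators in the list above into a scoring rule over a process event log. The event schema, the indicator weights, the verdict thresholds, the SMTP fan-out cut-off and the sample log are all assumptions constructed for this example.

```python
"""Rule-based process classification from behavioural events: contact-list
access, non-standard port, port-25 fan-out, autorun key, browser hook.
Event schema, weights, thresholds and the sample log are constructed."""
from collections import defaultdict

STANDARD_PORTS = {21, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
CONTACT_STORES = (".wab", "\\address book\\", "\\contacts\\")

# Indicator weights and verdict bands are assumptions made for this example.
WEIGHTS = {
    "contact_list_access": 2,
    "non_standard_port": 1,
    "multiple_smtp_connections": 3,
    "autorun_key_added": 3,
    "browser_hook": 3,
}
SMTP_FANOUT = 5          # distinct SMTP peers before we call it mass mailing
MALWARE_THRESHOLD = 5
SUSPICIOUS_THRESHOLD = 3


def indicators_for(events):
    """Map one process's event list to the set of indicators it triggers."""
    hits = set()
    smtp_peers = set()
    for ev in events:
        kind = ev["type"]
        if kind == "file_read" and any(m in ev["path"].lower() for m in CONTACT_STORES):
            hits.add("contact_list_access")
        elif kind == "net_connect":
            if ev["dport"] == 25:
                smtp_peers.add(ev["dst"])
            elif ev["dport"] not in STANDARD_PORTS:
                hits.add("non_standard_port")
        elif kind == "reg_set" and any(k in ev["key"].lower() for k in RUN_KEYS):
            hits.add("autorun_key_added")
        elif kind == "hook" and ev["target"].lower() in BROWSERS:
            hits.add("browser_hook")
    # One SMTP session is normal for a mail client; the fan-out is the signal.
    if len(smtp_peers) >= SMTP_FANOUT:
        hits.add("multiple_smtp_connections")
    return hits


def verdict_for(hits):
    """Sum the indicator weights and map the score to a verdict band."""
    score = sum(WEIGHTS[h] for h in hits)
    if score >= MALWARE_THRESHOLD:
        label = "malware"
    elif score >= SUSPICIOUS_THRESHOLD:
        label = "suspicious"
    else:
        label = "goodware"
    return {"verdict": label, "score": score, "indicators": sorted(hits)}


def analyse(event_log):
    """Group a flat event log by pid and classify every process."""
    by_pid = defaultdict(list)
    for ev in event_log:
        by_pid[ev["pid"]].append(ev)
    return {pid: verdict_for(indicators_for(evs)) for pid, evs in by_pid.items()}


# Constructed sample log: a mass mailer (1001), a mail client (2002), a dropper (3003).
SAMPLE_EVENTS = [
    {"pid": 1001, "type": "file_read", "path": "C:\\Users\\ana\\Contacts\\ana.wab"},
] + [
    {"pid": 1001, "type": "net_connect", "dst": f"10.0.0.{i}", "dport": 25} for i in range(1, 7)
] + [
    {"pid": 1001, "type": "reg_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchst"},
    {"pid": 2002, "type": "file_read", "path": "C:\\Users\\ana\\Contacts\\ana.wab"},
    {"pid": 2002, "type": "net_connect", "dst": "smtp.example.net", "dport": 25},
    {"pid": 2002, "type": "net_connect", "dst": "imap.example.net", "dport": 993},
    {"pid": 3003, "type": "net_connect", "dst": "198.51.100.7", "dport": 4444},
    {"pid": 3003, "type": "hook", "target": "firefox.exe"},
]

if __name__ == "__main__":
    for pid, result in analyse(SAMPLE_EVENTS).items():
        print(pid, result)
```

The point of the fan-out rule is that a single indicator rarely separates malware from goodware: the mail client also reads the contact list and talks to port 25, and only the combination (contact list plus many SMTP peers plus persistence) pushes a process over the line.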
Examples: I Love You, Blaster, Sasser
Static proactive technologies
Response time reduced to zero when detecting unknown malware.
Machine learning algorithms are applied to classic classification problems.
Ours is ALSO a "class" problem: malware vs goodware.
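To make the "class problem" concrete, here is an added example (not the presentation's or Panda's own model) of a two-class classifier for malware vs goodware: a Gaussian naive Bayes trained on static file features. The feature set (mean section entropy, imported API count, whether the file is signed), the training samples and the variance-smoothing constant are constructed for this example.

```python
"""Malware-vs-goodware as a two-class problem: Gaussian naive Bayes on
static file features. Features, samples and smoothing are constructed."""
import math
from statistics import mean, pvariance

# Per-file feature vector: (mean section entropy, imported API count, signed?)
# Constructed training set: packed, unsigned, import-poor files vs normal signed software.
TRAINING = {
    "malware":  [(7.6, 4, 0), (7.8, 6, 0), (7.3, 12, 0), (7.9, 3, 0), (7.1, 9, 0), (7.5, 7, 0)],
    "goodware": [(5.9, 140, 1), (6.2, 90, 1), (5.6, 210, 1), (6.4, 75, 1), (6.0, 160, 0), (5.8, 120, 1)],
}
VAR_SMOOTHING = 1e-3   # keeps a zero-variance feature ("never signed") from dividing by zero


class GaussianNB:
    def __init__(self):
        self.params = {}      # label -> [(mean, variance)] per feature
        self.log_prior = {}   # label -> log P(label)

    def fit(self, data):
        total = sum(len(rows) for rows in data.values())
        for label, rows in data.items():
            columns = list(zip(*rows))
            self.params[label] = [(mean(c), pvariance(c) + VAR_SMOOTHING) for c in columns]
            self.log_prior[label] = math.log(len(rows) / total)
        return self

    def log_likelihood(self, label, x):
        """log P(label) + sum of per-feature Gaussian log densities."""
        ll = self.log_prior[label]
        for value, (mu, var) in zip(x, self.params[label]):
            ll += -0.5 * math.log(2 * math.pi * var) - (value - mu) ** 2 / (2 * var)
        return ll

    def predict_proba(self, x):
        lls = {label: self.log_likelihood(label, x) for label in self.params}
        peak = max(lls.values())                      # subtract the max before exp()
        weights = {label: math.exp(ll - peak) for label, ll in lls.items()}
        norm = sum(weights.values())
        return {label: w / norm for label, w in weights.items()}


def classify_file(features, model=None):
    """Return (label, posterior probability) for one feature vector."""
    model = model or GaussianNB().fit(TRAINING)
    probs = model.predict_proba(features)
    label = max(probs, key=probs.get)
    return label, round(probs[label], 4)


def loo_accuracy(data):
    """Leave-one-out accuracy: retrain without each sample and predict it."""
    correct = total = 0
    for label, rows in data.items():
        for i in range(len(rows)):
            held_out = rows[i]
            reduced = {l: (r[:i] + r[i + 1:] if l == label else r) for l, r in data.items()}
            predicted, _ = classify_file(held_out, GaussianNB().fit(reduced))
            correct += predicted == label
            total += 1
    return correct / total


if __name__ == "__main__":
    print(classify_file((7.6, 5, 0)))      # packed, few imports, unsigned
    print(classify_file((6.1, 130, 1)))    # normal, many imports, signed
    print("LOO accuracy:", loo_accuracy(TRAINING))
```

The classifier's output is a probability, not a signature match, which is why a static model of this kind can give a verdict on a file it has never seen; the cost is that its accuracy is only as good as the features and the training set, so an evaluation such as the leave-one-out loop above belongs next to any such model.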
4th Era
• Attackers changed their profile: the main motivation of malware is now economic gain, using banking trojans and phishing attacks.
• Generalization of droppers, downloaders and exploit kits (EK)
• The move to Collective Intelligence
  • Massive file classification
  • Knowledge is delivered from the cloud
Examples: Banbra, Tinba
The move to Collective Intelligence
Delivery of knowledge from the cloud as an alternative to the signature file.
Scalability of the malware-signature delivery services to customers through full automation of all backend processes (processing, classification and detection).
Big Data arrival
• Current working set of 12 TB
• 400K million records
• 600 GB of samples per day
• 400 million samples stored
Innovation: making the data processing derived from the Collective Intelligence strategy viable by applying Big Data technologies.
5th Era
• First massive cyber-attack against a country: Estonia, from Russia.
• Anonymous starts a campaign against several organizations (RIAA, MPAA, SGAE and others)
• Malware professionalization
  • Use of marketing techniques in spam campaigns
  • Malware variant distribution based on country and time
  • Ransomware
  • APTs
• Detection by context
  • Apart from analysing what a process does, the context of execution is also taken into account…
Example: Reveton ransomware
APTs…
- November / December 2013
- 40 million credit/debit cards stolen
- Attack made through the A/C maintenance company
- POS
Sony Pictures:
- Unknown author
- Information deletion
- TB of information stolen
Headlines: "Sony Pictures computer system down after reported hack"; "Hackers threaten to release 'secrets' onto web"
Carbanak
- Years 2013/2014
- 100 affected entities
- Countries affected: Russia, Ukraine, USA, Germany, China
- ATMs: US$ 7,300,000
- Transfers: US$ 10,000,000
- Total estimated: US$ 1,000,000,000
02/07/2015 Adaptive Defense
What is Panda Adaptive Defense?
The Next Generation Endpoint Protection
Panda Adaptive Defense is a new security model which can guarantee complete protection for devices and servers by classifying 100% of the processes running on every computer throughout the organization and monitoring and controlling their behavior.
More than 1.2 billion applications already classified.
The new version of Adaptive Defense (1.5) also includes an AV engine, adding disinfection capability. Adaptive Defense could even replace the company antivirus.
• DETECTION… and blockage of zero-day and targeted attacks in real time, without the need for signature files
• PREVENTION… and blockage of applications and isolation of systems to prevent future attacks
• VISIBILITY… and traceability of each action taken by the applications running on a system
• RESPONSE… and forensic information to analyze each attempted attack in detail
Features and benefits
Protection
• Detailed and configurable monitoring of running applications
• Protection of vulnerable systems
• Protection of intellectual assets against targeted attacks
• Forensic report
Productivity
• Identification and blocking of unauthorized programs
• Light, easy-to-deploy solution
Management
• Daily and on-demand reports
• Simple, centralized administration from a Web console
• Better service, simpler management
Key Differentiators
- Categorizes all running processes on the endpoint, minimizing the risk of unknown malware: continuous monitoring and attestation of all processes fills the detection gap of AV products.
- Automated investigation of events significantly reduces manual intervention by the security team: machine learning and collective intelligence in the cloud definitively identify goodware and block malware.
- Integrated remediation of identified malware: instant access to real-time and historical data provides full visibility into the timeline of malicious endpoint activity.
- Minimal endpoint performance impact (<3%)
Adaptive Defense vs Traditional Antivirus
New malware detection capability* (Traditional Antivirus (25) / Adaptive Defense Standard Model / Adaptive Defense Extended Model):
- New malware blocked during the first 24 hours: 82% / 98,8% / 100%
- New malware blocked during the first 7 days: 93% / 100% / 100%
- New malware blocked during the first 3 months: 98% / 100% / 100%
- Detections by Adaptive Defense detected by no other antivirus: 3,30%
- Suspicious detections: YES / NO (no uncertainty)
File classification (Universal Agent** / Adaptive Defense):
- Files classified automatically: 60,25% / 99,56%
- Classification certainty level: 99,928% / 99,9991% (< 1 error / 100.000 files)
* Viruses, Trojans, spyware and ransomware received in our Collective Intelligence platform. Hacking tools, PUPs and cookies were not included in this study.
** Universal Agent technology is included as endpoint protection in all Panda Security solutions.
Adaptive Defense vs Other Approaches
AV vendors:
- Detection gap
- Do not classify all applications
- Not transparent to end users and admins (false positives, quarantine administration, …)
WL vendors*:
- Management of WLs required
- Complex deployments required
- Expensive work overhead involved
New ATD vendors**:
- Not all infection vectors covered (e.g. USB drives)
- Monitoring sandboxes is not as effective as monitoring real environments
- ATD vendors do not prevent/block attacks
* WL = Whitelisting. Bit9, Lumension, etc.
** ATD = Advanced Threat Defense. FireEye, Palo Alto, Sourcefire, etc.
How does Adaptive Defense work?
A brand-new three-phase, cloud-based security model
1st Phase: Comprehensive monitoring of all the actions triggered by programs on endpoints
2nd Phase: Analysis and correlation of all actions monitored on customers' systems, using Data Mining and Big Data Analytics techniques
3rd Phase: Endpoint hardening and enforcement: blocking of all suspicious or dangerous processes, with notifications to alert network administrators
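The three phases above, together with the 5th-era idea of "detection by context", can be sketched as a small monitor / correlate / enforce loop. This is an added example written for this page, not Panda's code or architecture: the telemetry records, file hashes, reputation list, suspicious-action list, context rules and the "lock mode" switch are all constructed assumptions. The one thing it is meant to show is that the verdict is reached per file hash across every endpoint that reported it, so a file observed doing something bad on one machine is blocked on the others as well, and that a file's launch context (here, an Office parent plus a scratch directory) can condemn it before it does anything.

```python
"""Toy monitor -> correlate -> enforce loop with execution context folded
into the verdict. Telemetry, hashes, reputation and rules are constructed."""
from collections import defaultdict

# Phase 1 output: one record per process execution reported by an endpoint (constructed).
TELEMETRY = [
    {"endpoint": "pc-01", "sha256": "sha256:A", "image": "7z.exe", "parent": "explorer.exe",
     "path": "C:\\Program Files\\7-Zip\\7z.exe", "actions": []},
    {"endpoint": "pc-02", "sha256": "sha256:A", "image": "7z.exe", "parent": "explorer.exe",
     "path": "C:\\Program Files\\7-Zip\\7z.exe", "actions": []},
    {"endpoint": "pc-03", "sha256": "sha256:B", "image": "tool.exe", "parent": "explorer.exe",
     "path": "C:\\Program Files\\Tool\\tool.exe", "actions": []},
    {"endpoint": "pc-01", "sha256": "sha256:C", "image": "svc.exe", "parent": "services.exe",
     "path": "C:\\Windows\\Temp\\svc.exe", "actions": []},
    {"endpoint": "pc-02", "sha256": "sha256:C", "image": "svc.exe", "parent": "services.exe",
     "path": "C:\\Windows\\Temp\\svc.exe", "actions": ["autorun_key_added"]},
    {"endpoint": "pc-03", "sha256": "sha256:D", "image": "inv.exe", "parent": "winword.exe",
     "path": "C:\\Users\\ana\\AppData\\Local\\Temp\\inv.exe", "actions": []},
]
KNOWN_GOOD = {"sha256:A"}   # hashes the cloud has already classified as goodware (constructed)
SUSPICIOUS_ACTIONS = {"autorun_key_added", "credential_file_read", "browser_inject"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRATCH_PATHS = ("\\temp\\", "\\downloads\\")


def context_flags(rec):
    """Execution context of one record: who launched it and from where."""
    flags = set()
    if rec["parent"].lower() in OFFICE_PARENTS:
        flags.add("office_child")
    if any(m in rec["path"].lower() for m in SCRATCH_PATHS):
        flags.add("scratch_path")
    return flags


def correlate(telemetry, known_good):
    """Phase 2: merge every endpoint's view of a file hash into one verdict."""
    files = defaultdict(lambda: {"endpoints": set(), "actions": set(), "context": set()})
    for rec in telemetry:
        f = files[rec["sha256"]]
        f["endpoints"].add(rec["endpoint"])
        f["actions"].update(rec["actions"])
        f["context"].update(context_flags(rec))
    for h, f in files.items():
        if h in known_good:
            f["verdict"] = "goodware"
        elif f["actions"] & SUSPICIOUS_ACTIONS:          # behaviour seen on any endpoint
            f["verdict"] = "malware"
        elif {"office_child", "scratch_path"} <= f["context"]:   # context alone condemns it
            f["verdict"] = "malware"
        else:
            f["verdict"] = "unknown"
    return dict(files)


def enforce(classified, lock_mode):
    """Phase 3: per-endpoint block lists plus administrator alerts.
    lock_mode=True also blocks files that are still unclassified."""
    block = defaultdict(set)
    alerts = []
    for h, f in classified.items():
        if f["verdict"] == "malware" or (f["verdict"] == "unknown" and lock_mode):
            for ep in f["endpoints"]:
                block[ep].add(h)
        if f["verdict"] == "malware":
            alerts.append({"sha256": h, "endpoints": sorted(f["endpoints"]),
                           "reason": sorted(f["actions"] | f["context"])})
    return {"block": {ep: sorted(hs) for ep, hs in block.items()}, "alerts": alerts}


if __name__ == "__main__":
    classified = correlate(TELEMETRY, KNOWN_GOOD)
    for h, f in classified.items():
        print(h, f["verdict"], sorted(f["endpoints"]))
    print(enforce(classified, lock_mode=True))
```

Run as is, hash C is blocked on pc-01 even though pc-01 only ever saw it sit quietly, because pc-02 reported the autorun key; hash D is blocked on the strength of its context alone; and hash B, which nobody has classified yet, is blocked only when `lock_mode` is on, which is the trade-off between the two operating models that the comparison table earlier on this page describes.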
Panda Adaptive Defense architecture (diagram)
Success Story
Adaptive Defense in figures
• +1,2 billion applications already categorized
• +100 deployments; malware detected in 100% of scenarios
• +100,000 endpoints and servers protected
• +200,000 security breaches mitigated in the past year
• +230,000 hours of IT resources saved, with an estimated cost reduction of 14,2M€
Let's see an example…
Scenario description
Concept: Value
- PoC length: 60 days
- Machines currently monitored: +/- 690
- Machines with malware: 73
- Machines with malware executed: 15
- Machines with PUP found: 91
- Executed PUP files: 13
- Executed files classified: 27.942
Concept: Value
- Malware blocked: 160
- PUP blocked: 623
- TOTAL threats mitigated: 783
Software vendor distribution over 100% of executable files (charts; vendors shown include Skillbrains, Igor Pavlov, Sandboxie Holdings LLC, Eolsoft, Opera Software, Dropbox Inc.)
Vulnerable applications
Vulnerable applications activity:
- …
- (22 vulnerable applications in ALL seats = 2074)
Vulnerable applications inventory:
- Excel v14.0.7 - v15.0 (279)
- Firefox v34.0 - v36 (178)
- Java v6 - v7 (80)
Top malware (charts)
PUP (Spigot)
Potentially confidential information extraction
Thank you