The Exploit Intelligence Project

In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices even at organizations that carefully manage disclosed vulnerabilities and subscribe to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact, yet ignore the means by which those vulnerabilities are actually exploited and the motivations, opportunities, and capabilities of the attackers, which has allowed the problem to grow worse year after year.

In this talk, I introduce an intelligence-driven approach to malware defense that focuses on attackers' capabilities and methods, using data collected from the most popular crimeware packs currently deployed in the wild. The analysis identifies how exploits are developed and selected for inclusion in crimeware packs, identifies defenses that malware exploit writers are currently unable to bypass, and helps attendees evaluate not just whether a vulnerability is exploitable, but how likely it is to be exploited. The study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.

Resources

Presented at

  • BruCon Keynote Address, September 2013, Ghent, Belgium
  • DARPA, October 2013, Arlington, VA
  • CIO Global Forum, October 2013, Philadelphia, PA

Author

  • Dan Guido

Note: The original EIP research was conducted while Dan was employed at iSEC Partners, but the work was revisited while at Trail of Bits. This page only tracks the work done on EIP post-iSEC.