logo
allArticlesConferencesPresentations

Malproxying: Leave Your Malware at Home

Conference:  Defcon 27

2019-08-01

Summary

The presentation discusses the evolution of endpoint security solutions and the three main mechanisms used to protect against cyber attacks: static signatures, heuristic rules, and behavioral signatures.
  • Static signatures look for indications of compromise in binary sequences or strings in a file or memory dump.
  • Heuristic rules calculate a heuristic score based on properties of a file, such as location or API usage, to determine if it is malicious.
  • Behavioral signatures monitor API calls and analyze the impact of a piece of code on a system to detect unknown malware.
  • The presentation provides examples of creating static signatures and the limitations of relying solely on them.
  • The speaker also discusses the challenges of creating accurate behavioral signatures and the need for continued improvement in endpoint security solutions.
The speaker uses the analogy of a cat and mouse game to illustrate the ongoing battle between cyber attackers and endpoint security solutions. They explain that while endpoint security solutions have evolved significantly, there are still successful penetrations of defenses. The presentation emphasizes the importance of using a combination of mechanisms to protect against cyber attacks and the need for continued improvement in endpoint security solutions.

Abstract

During a classic cyber attack, one of the major offensive goals is to execute code remotely on valuable machines. The purpose of that code varies on the spectrum from information extraction to physical damage. As defenders, our goal is to detect and eliminate any malicious code activity, while hackers continuously find ways to bypass the most advanced detection mechanisms. It’s an endless cat-and-mouse game where new mitigations and features are continuously added to the endpoint protection solutions and even the OS itself in order to protect the users against newly discovered attack techniques. In this talk, we present a new approach for malicious code to bypass most of endpoint protection measures. Our approach covertly proxies the malicious code operations over the network, never deploying the actual malicious code on the victim side. We are going to execute code on an endpoint, without really storing the code on disk or loading it to memory. This technique potentially allows attackers to run malicious code on remote victims, in such a way that the code is undetected by the victim’s security solutions. We denote this technique as “malproxying”.
Materials:
Tags:

Post a comment

Related work

Greybox Program Synthesis: A New Approach to Attack Dataflow Obfuscation

Conference:  BlackHat USA 2021
Authors:
2021-08-05

Unveiling the Underground World of Anti-Cheats

Conference:  BlackHat EU 2019
Authors:
2019-12-05

The Bad Guys Win – Analysis of 10,000 Magecart Vulnerabilities

Conference:  BlackHat USA 2021
Authors:
2021-11-10

Man-In-The-Disk

Conference:  Defcon 26
Authors:
2018-08-01

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

Conference:  BlackHat USA 2018
Authors:
2018-08-08

Apple's Predicament: NSPredicate Exploitation on macOS and iOS

Conference:  Defcon 31
Authors: Austin Emmitt Senior Security Researcher at Trellix Advanced Research Center
2023-08-01