My Company's Trade Secrets Went To China And All I Got Was This Lousy Pink Slip - Defending Against Data-Exfiltrating Malware presented at ShmooCon 2007

by Joe Stewart

Tags: Security Malware

Summary: For over three years, a concerted effort has existed to use malware to exfiltrate data from companies and governments in the USA and Europe. Although little is known about just who is bankrolling these efforts, it is clear that they are after trade and state secrets, and the end destination for most of these documents is somewhere in China. At the same time, Eastern European hackers use malware in a similar fashion to steal banking and other credentials from end-users to commit fraud.
Little defense against these schemes is provided by conventional anti-virus, as the bad guys evade the anti-virus signatures as quickly as they are written. Extrusion detection and prevention is proving itself to be more valuable: it detects the exfiltration of data by the unique fingerprints of the traffic the malware generates, which change far less often than the binaries do from variant to variant. But, if the bad guys have access to the same signature set, they can evade network detection as well.
This presentation is designed to give network administrators the tools to develop their own private extrusion detection ruleset by expanding on the concept of the sandnet as presented by this speaker at last year's ShmooCon. This year, speed is the focus of our automated malware analysis, and Snort-based extrusion detection rules are the product. With a relatively simple one-system sandnet, time from obtaining a malware sample to packet capture can be measured in seconds, allowing custom Snort rules to be written with minimal effort.
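The capture-to-rule step of that workflow, as an added example that is not code from the talk or its sandnet tooling: it takes one outbound HTTP request as a sandnet would capture it from an infected host, keeps the parts that tend to stay fixed across variants (method, URI path, User-Agent), and emits a Snort rule for them. The request, hostname and User-Agent are constructed for this example and are not indicators of any real malware; the rule assumes Snort 2-style `http_method`/`http_uri`/`http_header` content modifiers.

```python
import re

# Constructed sample: an HTTP request captured from an infected sandnet host.
# Every value here is invented for the example, not a real indicator.
SAMPLE_REQUEST = (
    b"POST /cgi-bin/upload.php?id=1234 HTTP/1.1\r\n"
    b"Host: drop.example.invalid\r\n"
    b"User-Agent: ExampleAgent/1.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 8\r\n\r\n"
    b"SECRET01"
)

def fingerprint(request: bytes) -> dict:
    """Pull out the request features that usually survive re-packing of the
    binary: the method, the URI path (query values dropped) and the User-Agent."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    path = target.split("?", 1)[0]          # query values change per victim/run
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path,
            "user_agent": headers.get("user-agent", "")}

def snort_escape(value: str) -> str:
    """Escape the characters Snort treats specially inside a content string."""
    return re.sub(r'([;\\"])', r"\\\1", value)

def make_rule(fp: dict, sid: int, msg: str) -> str:
    """Build one Snort rule that alerts on outbound traffic matching the fingerprint."""
    opts = [
        f'msg:"{snort_escape(msg)}"',
        "flow:established,to_server",        # only client-to-server direction
        f'content:"{snort_escape(fp["method"])}"; http_method',
        f'content:"{snort_escape(fp["path"])}"; http_uri',
    ]
    if fp["user_agent"]:
        # |3a| is the hex escape for ':' so the header name and value match together
        opts.append(f'content:"User-Agent|3a| {snort_escape(fp["user_agent"])}"; http_header')
    opts += ["classtype:trojan-activity", f"sid:{sid}", "rev:1"]
    return "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (" + "; ".join(opts) + ";)"

if __name__ == "__main__":
    print(make_rule(fingerprint(SAMPLE_REQUEST), 1000001, "SANDNET sample-0001 outbound POST"))
```

Pair the rule with the egress path the sandnet uses so a second run of the sample confirms the rule fires before it is promoted to production sensors.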