Hossein Ghannad, Mohammad Rasoul Safarkhani, Mehran Fallah

What is it?
Continuous and chained. Creative uses and inventions. Not like ordinary malware: targeted and stealthy.

Targets
Wait! To name a few...

A Simple Sample!
The PiuPiu oversharing site allows users to create PiuPiu accounts and post 140-character messages. The federal government wants PiuPiu to surveil user activity on the site by archiving any posts that match certain patterns outlined in a national security letter. Subject to the nondisclosure constraints of the letter, PiuPiu may not inform anyone of the surveillance request.

Data Structure

Goal
Write code to scan incoming Pius before they are posted, to see if they match any patterns requested in a national security letter. The current system has a function, int preprocess(piu * entry), that determines whether a Piu is suitable for display, or alters it if necessary; before it returns, it calls a function the programmer will write, void surveil(piu * entry).

Goal (cont'd)
A surveillance request is an array of N user-Piu patterns. If the input Piu matches one of these patterns, archive (fwrite) the Piu to the FILE handle.

The Good (Or Evil?) Part
Write surveil() in such a way that the act of surveillance is subtly leaked to the user or to the outside world, so that an informed outsider can tell if someone is being archived.

Codes
uses *m += 1 in place of m += 1 or *m++
assigns p->piu_length if the user record matched a surveillance request
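The surveil() task and the notes above (the winning trick writes p->piu_length when the user record matches) point to the check a code reviewer would want. The example below is added here and is not from the slides or the contest: it assumes a hypothetical piu struct and pattern format, gives an honest reference surveil(), and adds a harness that snapshots the entry before the call and compares it afterwards, so any write into the entry by a candidate surveil() is detected.

```c
#include <stdio.h>
#include <string.h>
/* Assumed layout (hypothetical; the contest's real struct is not on this page). */
typedef struct {
    char user[8];    /* NUL-terminated if shorter than 8 */
    char text[140];  /* NUL-terminated if shorter than 140 */
    int  piu_length; /* bytes used in text */
} piu;

/* One request pattern: user name ("" = any) and a substring the text must contain ("" = any). */
typedef struct { const char *user; const char *needle; } pattern;
/* surveil(piu *) takes nothing else, so the request and archive handle are globals (assumption). */
static FILE *archive;
static const pattern *request;
static size_t request_n;

/* Honest reference surveil(): archive on match, modify nothing in the entry. */
void surveil(piu *entry) {
    char text[141];
    memcpy(text, entry->text, 140);
    text[140] = '\0';
    for (size_t i = 0; i < request_n; i++) {
        if (request[i].user[0] && strncmp(request[i].user, entry->user, 8) != 0)
            continue;
        if (request[i].needle[0] && strstr(text, request[i].needle) == NULL)
            continue;
        fwrite(entry, sizeof *entry, 1, archive);
        return;
    }
}

/* Review check: run a candidate surveil() and report whether the entry is byte-for-byte
 * unchanged afterwards. A surveil() that writes piu_length on a match returns 0 here. */
int leaves_entry_untouched(void (*fn)(piu *), piu *entry) {
    piu before = *entry;
    fn(entry);
    return memcmp(&before, entry, sizeof *entry) == 0;
}

/* Constructed demo: two Pius, one matching. Returns the number of archived records,
 * or -1 if surveil() modified either entry (or the temp file could not be opened). */
int demo(void) {
    static const pattern req[] = { { "mallory", "" }, { "", "plans" } };
    piu a = { "alice", "lunch plans?", 12 }, b = { "bob", "hello", 5 };
    if (!(archive = tmpfile())) return -1; request = req; request_n = 2;
    int untouched = leaves_entry_untouched(surveil, &a) && leaves_entry_untouched(surveil, &b);
    long bytes = ftell(archive);
    fclose(archive);
    return untouched ? (int)(bytes / (long)sizeof(piu)) : -1;
}
```

Running the same harness against a contest entry instead of the reference surveil() turns the leak into a failing check rather than a subtle side channel.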
The Winner!

APT Lifecycle

Case Studies
The infamous Stuxnet, Flame, Regin, Duqu, and the Sony attack.

Facts: Stuxnet
Activity start: 2009; discovered: 2012.
Can inject code into PLCs.
Spreads by using USB and 4 different 0-day exploits.
Updated itself across the LAN.
Manages to remain hidden by mutating itself.
58.85% rate of critical infrastructure infection.
Used a hardcoded
Manipulated sensor reports.

Facts: Flame
Very large: over 20 MB in size, 23 modules. So many variants.
Records audio, logs keys, takes screenshots, attacks Bluetooth devices.
80 C&C servers across Asia.
1000-5000 infected machines.

Facts: Regin
Many spread vectors: USB devices, browser exploits, etc.
Multi-target: ISPs, telecoms, energy, research, airlines, hospitality, etc.
Five stages of attack.
Self-mutating, customizable modules. Distributed.

Facts: Duqu
12 completely different variants.
Sophisticated cover-tracking mechanisms.
Exploited a font (Dexter Regular).
Stayed silent until you walked away! (That's my boy ;) )
Used disposable C&C. P2P architecture. (That's innovative!)

Facts: Sony
Malware unknown. Possibly committed suicide.
Wiped all the data after doing its job.
Heavily manipulated monitoring systems.

Not convinced? Here's more.

Thanks for attending.