SESSION ID: SPO3-R11
Protecting You Better with Advanced Malware Research
Robert Lipovsky, Senior Malware Researcher, ESET
Juraj Janosik, Head of AI/ML team, ESET

300,000+ unique malware samples daily

Malware researcher
What my friends think I do. What my mom thinks I do. What users think I do.
What Finance thinks I do. What I think I do. What I really do.

Fighting cybercrime
ESET works with cybercrime-fighting units

25,000+ infected servers
35m+ spam messages per day

Internet of Things targets
Smart Home in the Lab

Malware attack firsts…
1986: Brain, 1st PC virus
1989: AIDS trojan, 1st ransomware
2006: Storm, 1st major botnet
2010: Stuxnet, 1st cyberweapon
2015: BlackEnergy, 1st power grid cyberattack
2018: Lojax, 1st UEFI rootkit in-the-wild

UEFI Scanner
Do you trust your providers…? … for example ISPs?

BlackEnergy
Credit: Andy Greenberg from Wired

Industroyer
BlackEnergy / TeleBots / GreyEnergy timeline, 2015 – 2018:
2015: GreyEnergy targets Polish energy company
DEC 2015: BlackEnergy attack causing a blackout in Ukraine
2016: GreyEnergy deploys predecessor of (Not)Petya
DEC 2016: Industroyer attack causing a blackout in Ukraine
DEC 2016: Attacks on financial sector
JUN 2017: (Not)Petya attack via the M.E.Doc backdoor
APRIL 2018: Exaramel backdoor discovered in the wild
2017 – 2018: Most recent GreyEnergy activity recorded in Ukraine
Pety…ent Zero

$129m  $300m  $870m  $400m
$10 BILLION total estimated damage from NotPetya
Source: U.S. White House as quoted by Wired
EternalBlue detection: Network Attack Protection

Ransomware families shown on the slide: Petya, Chimera, PadCrypt, TeslaCrypt, GandCrab, Crysis, NanoLocker, ZeroLock, Rokku, DMALocker, CryptoWall, KeRanger, Tox, TorrentLocker, WannaCryptor, Mischa, CryptVault, CryptoJoker, 7ev3n, CTBLocker, Locky, SynoLocker, NotPetya, HydraCrypt, RotoCrypt, Ransom32, CryptoLocker, Cerber

Juraj Janosik, Head of ESET AI/ML team

DNA detection model
Endpoint DNA detections
[chart, 0–100% of detections: 7.7 million detected Emotet attacks; 3 million attacks covered with a single DNA detection]

Artificial Intelligence / Machine Learning

Machine Learning evolution, milestones labelled 1998, 2005, 2006 and 2012: Neural Networks in Product; Expert System for Automated Mass Processing; DNA Detections; Automated Threat Mapping; Online Learning
[figure: an image classified as „panda“ with 57.7% confidence, plus a small adversarial perturbation, is classified as „gibbon“ with 99.3% confidence]
Source: OpenAI

Old ML model vs. new malware samples
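The panda/gibbon slide above is the standard demonstration of an adversarial example: a perturbation too small to notice flips the verdict and leaves the model more confident in the wrong class than it was in the right one. The block below is an added example, not code from the deck or from ESET; it reproduces the effect in pure Python with the fast gradient sign method (FGSM, Goodfellow et al. 2014) against a hypothetical 1000-feature logistic classifier whose weights and "panda" input are constructed inline. The names (p_panda, loss_gradient, fgsm, demo_model, run_attack, N_FEATURES, EPS) are the example's own.

```python
"""Added example (not from the ESET deck, not ESET's code): why a tiny, evenly
spread perturbation can flip a classifier's verdict, the effect behind the
panda/gibbon slide.

Assumptions: a hypothetical linear (logistic) "panda vs. gibbon" model with
1000 input features in [0, 1], all constructed inline. The attack is the fast
gradient sign method (FGSM): x_adv = x + eps * sign(dLoss/dx)."""
import math

N_FEATURES = 1000   # the flip gets stronger as the number of features grows
EPS = 0.05          # maximum change per feature (inputs live in [0, 1])


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def p_panda(w, b, x):
    """Model output: P(class = panda | x) for a logistic-regression classifier."""
    z = b + sum(wi * xi for wi, xi in zip(w, x))
    return sigmoid(z)


def loss_gradient(w, b, x):
    """Gradient of the loss -log P(panda) w.r.t. the input: (p - 1) * w."""
    p = p_panda(w, b, x)
    return [(p - 1.0) * wi for wi in w]


def fgsm(w, b, x, eps):
    """One FGSM step that increases the loss of the true label ('panda'),
    moving every feature by exactly +/-eps and clipping to the input range."""
    grad = loss_gradient(w, b, x)
    step = [eps * (1 if g > 0 else -1 if g < 0 else 0) for g in grad]
    return [min(1.0, max(0.0, xi + si)) for xi, si in zip(x, step)]


def linf_distance(a, b):
    """Largest per-feature change, the usual 'imperceptibility' measure."""
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def demo_model():
    """Constructed weights and a constructed 'panda' input (not a real model).
    Weights alternate +0.1 / -0.1; features alternate 0.503 / 0.497, giving a
    logit of 500*0.1*0.503 - 500*0.1*0.497 = 0.3, i.e. a weak 'panda' call."""
    w = [0.1 if i % 2 == 0 else -0.1 for i in range(N_FEATURES)]
    b = 0.0
    x = [0.503 if i % 2 == 0 else 0.497 for i in range(N_FEATURES)]
    return w, b, x


def run_attack(eps=EPS):
    """Confidence before and after the attack, plus the size of the perturbation."""
    w, b, x = demo_model()
    x_adv = fgsm(w, b, x, eps)
    return {
        "panda_before": p_panda(w, b, x),          # ~0.574, cf. 57.7% on the slide
        "gibbon_after": 1.0 - p_panda(w, b, x_adv),  # ~0.991, cf. 99.3% on the slide
        "linf": linf_distance(x, x_adv),             # exactly eps
    }


if __name__ == "__main__":
    r = run_attack()
    print(f"panda before: {r['panda_before']:.1%}  gibbon after: {r['gibbon_after']:.1%}  "
          f"max per-feature change: {r['linf']:.3f}")
```

The logit moves by eps times the L1 norm of the weight vector (0.05 x 100 = 5 here), so a nudge that barely registers on any single feature is decisive once it is aligned with the gradient across a thousand of them. A malware classifier built on many weak features is exposed to the same arithmetic, which is why adversarial testing belongs next to the detection-ratio numbers that follow.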
200+ ransomware samples (NotPetya, BadRabbit, Crysis, WannaCryptor): detection ratio 99.7%

"Public" ESET ML model vs. VirusTotal samples from October 2018 – December 2018
[chart: Detection ratio, Vendor A – Vendor G; values shown: 99.65%, 91.69%, 87.92%, 79.55%, 78.78%, 53.02%, 13.97%]
[chart: False positives, Vendor A – Vendor G; values shown: 25.65%, 7.43%, 3.17%, 2.52%, 2.42%, 2.11%, 0.10%]
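The two charts above report a detection ratio on malicious samples and a false-positive rate on clean ones, and a vendor can look excellent on the first while being unusable on the second. The block below is an added example, not ESET's evaluation code, showing how both numbers fall out of one score threshold and how to pick an operating point under a false-positive budget. The scores are constructed integers in 0–1000 (a per-mille "malicious" confidence) so that every threshold boundary is exact; constructed_scores, detection_ratio, false_positive_rate, sweep and best_threshold are the example's own names.

```python
"""Added example: detection ratio vs. false-positive rate at a chosen score
threshold, the two metrics behind the vendor charts. Not ESET's code; the
scores are constructed, not real vendor or VirusTotal data."""


def constructed_scores():
    """Constructed classifier scores in 0..1000 (per-mille 'malicious' confidence).
    200 malicious samples spread from 1000 down to 204 and 1000 clean samples
    spread from 0 to 499, so the two populations overlap below 500."""
    malicious = [1000 - 4 * i for i in range(200)]
    clean = [j // 2 for j in range(1000)]
    return malicious, clean


def flagged(scores, threshold):
    """Samples the scanner would block: score at or above the threshold."""
    return sum(1 for s in scores if s >= threshold)


def detection_ratio(malicious, threshold):
    """Share of malicious samples detected (the first chart's metric)."""
    return flagged(malicious, threshold) / len(malicious)


def false_positive_rate(clean, threshold):
    """Share of clean samples wrongly flagged (the second chart's metric)."""
    return flagged(clean, threshold) / len(clean)


def sweep(malicious, clean, thresholds):
    """Both metrics at every candidate threshold, highest threshold first."""
    return [(t, detection_ratio(malicious, t), false_positive_rate(clean, t))
            for t in sorted(thresholds, reverse=True)]


def best_threshold(malicious, clean, fp_budget, thresholds):
    """Operating point: the threshold with the highest detection ratio whose
    false-positive rate stays within budget (ties go to the stricter threshold).
    Returns (threshold, detection_ratio, fp_rate), or None if nothing qualifies."""
    admissible = [row for row in sweep(malicious, clean, thresholds)
                  if row[2] <= fp_budget]
    if not admissible:
        return None
    return max(admissible, key=lambda row: row[1])


if __name__ == "__main__":
    mal, cln = constructed_scores()
    for t, det, fpr in sweep(mal, cln, range(200, 1001, 100)):
        print(f"threshold {t:4d}: detection {det:6.1%}  false positives {fpr:6.1%}")
    print("within a 5% FP budget:", best_threshold(mal, cln, 0.05, range(0, 1001, 10)))
```

Lowering the threshold raises both numbers at once, so a vendor can post a high detection ratio simply by flagging more, and a 25.65% false-positive rate is the price of that. The sweep makes the point that the same classifier can be the best or the worst bar in either chart depending only on where its threshold sits; compare operating points, not single bars.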
Big Data + Machine Learning + Human Expertise

Protection technologies: UEFI Scanner; Dynamic Threat Defense; Exploit Blocker; Network Attack Protection; Botnet Protection; Ransomware Shield; Reputation & Cache; Advanced Memory Scanner; In-Product Sandbox; Script Scanner (AMSI); DNA Detections