Commodity malware means YOU!
And everybody in this room, let’s
look at one called Dridex
Michael Gough – Founder
MalwareArchaeology.com
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows PowerShell Logging Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
Goal
• Interaction – Don’t be a Ding Dong, ask a question… you WILL be rewarded for positive synergy!
• Learn how we Ninjas do it so you can too
• We have a NEW Tool for YOU!!!
Total Malware 2015
• 470 Million
New Malware 2015
• 140 million
The Panda Says
It’s only getting worse
Symantec says…
Top 8 threats
• These are what we see most
• What all of YOU see most
• The 20% of what AV focuses on
• We can learn a lot from this
Dridex movin’ on up
Mandiant M-Trends 2016 Report
More of the same
According to CheckPoint’s ThreatCloud in 2015…
• 3000 different malware ‘families’
• 80% have been active for years, some for 8 years
• Of the Top 100, which accounted for 90% of all attacks in 2015, only 3 were new, and those were outside the Top 40
• More proof Malware Management works
SANS says…
Sophos Says…
• 70% of malware is unique to 1 company (APT)
• 80% of malware is unique to 10 or less (APT)
• That means…
• 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room sees and gets by:
– Attachments in email
– URL in email
– Surfing the web
• Ads
• WordPress, Drupal, Joomla…
Types of Malware
I say there are basically two types of malware:
• Commodity malware – The 20% the AV industry focuses on
• Advanced malware – The 80% that the AV industry does not focus on and “may” get around to IF you force them by being a client, or if they have multiple customers in a particular industry (e.g. retail PoS) that receive it
Commodity malware
• This is the stuff you and everyone in the room gets and sees; your family, friends and clients too
• Emails, URLs, surfing
• Most is Commodity malware
• Pwned Ad networks
• Some will be NEW
• Some will be APT
VirusTotal
• Commodity malware will be detected within a few days
• APT… not so much
• I still have samples from 2012 that have ZERO detection ;-(
• And I gave 12 AV companies a copy of it
• Shows how much they care about APT
Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Which means an RGE !!!
– Resume Generating Event
Before Dridex
• Zeus – 2007
– SpyEye evolved from Zeus
– Bugat/Cridex evolved from Zeus
– Gameover Zeus taken down 2014
• Bugat & Cridex - 2012
• Dridex – Late 2014
– Generated 15,000 emails daily
• C2 Servers taken down Dec 2015
• Now we have Locky
Locky, the next BIG thing
Locky.. Today and tomorrow
Locky
BlackEnergy
• More Malware Management proof
Ha Ha Ha Hollywood
• Darwin said… Pay up or DIE !!!
• Ottawa Hospital also hit
DRIDEX
Dridex
• We have probably all seen one of these
• Did I say Commodity Malware?
• Uses Word documents that are hard for email gateways to detect
• Yes, users have to “Enable Macroses” but they would NEVER do that…
Commodity Malware – Smarter than ever
• In 2015 I have witnessed things with commodity malware usually reserved for APT
– Because they are evolving from APT
• More use of scripts to avoid AV detection
• More use of PowerShell backdoors!
• More stealthy persistence
Dridex Artifacts
Dridex Artifacts .BAT
• Do I have a network connection?
• What language am I?
• Set variables for the name of the .VBS script
Dridex Artifacts .VBS
• Notice the path %temp%
• Ah Hell…
• Build the PowerShell script execution
Dridex Artifacts - .VBS #2
Dridex Artifacts #3
• Script
• Using math
• Easy variants
Dridex Artifacts - .PS1
• Domains to phone home to
• Path - %temp%
Dridex Artifacts - .PS1
• 8 + .exe – Payload name
• 444.jpg – Stats file looks like >>>>
• User Agent to emulate a browser
• Download the files
• Assemble the names .vbs, .jpg, .bat, .PS1
• Sleep 15
• Execute the payload - cmd.exe %file%
• Remove the files
VM Aware… What do I say?
• Use bare-bones physical hardware (not a VM) to do analysis
Persistence
• New method towards the end of 2015
• Nothing in the Registry showing persistence while the system was running
• In memory only until system shutdown
• Then we caught the bugger, with good auditing of course and
Malware Management
• Proof it works
• If you look at Zeus, Cridex and Dridex, you are better prepared for Locky
• Learn from History
• Your defenses and detection MUST evolve too
• Read the malware analysis and breach reports
• Tweak your tools
• Focus on new kewl hooks and artifacts
How we harvested malware
• Yay Email!!!
• Since the primary delivery was Phishing, we were able to grab copies of the Word documents
• Executed in the Lab
• Grabbed the artifacts
• Updated our Detection
• We knew if anyone fell for it and opened them
• We knew what to cleanup
How we harvested malware
• File Copy loop, run in the directories where the malware was discovered dropping files:
    @echo off
    cls
    rem Capture folder; it is excluded below (/xd) so robocopy never copies it into itself
    md Captured
    :Redo
    rem /E all subfolders, /B backup mode, /r:0 /w:1 no retries and a 1 second wait,
    rem /np no progress output, /xo skip files older than the copy already taken
    robocopy . Captured /E /B /r:0 /w:1 /np /xo /xd Captured
    rem Loops until you press Ctrl+C; :End is only reached if you break out of the loop
    goto Redo
    :End
• Ninja Tip:
– Great to do in Labs for User space AppData
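The robocopy loop above exists because a sample drops files and removes them again before you get a chance to look (the .PS1 slide ends with “Remove the files”). As an added example, not code from the slides or from LOG-MD, the same idea in Python for a lab box: poll the watched directory, copy every new or changed file into a capture directory and record its SHA-256 so the artifact survives the malware’s own cleanup. The directory names, the polling interval and the `demo()` file are constructed assumptions.

```python
# Added example (not from the slides): lab-only capture loop for files a
# sample drops and deletes under %temp% / AppData. Assumptions: the watched
# directory, the capture directory and the polling interval.
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large payloads do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_once(watch_dir: str, capture_dir: str, seen: dict) -> list:
    """Copy every file under watch_dir that is new or changed since the last pass.

    `seen` maps relative path -> last captured digest and is updated in place.
    Returns [(relative_path, sha256)] for the files copied on this pass.
    """
    capture_abs = os.path.abspath(capture_dir)
    captured = []
    for root, dirs, files in os.walk(watch_dir):
        # Never descend into the capture directory if it lives inside watch_dir
        dirs[:] = [d for d in dirs if os.path.abspath(os.path.join(root, d)) != capture_abs]
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, watch_dir)
            try:
                digest = sha256_of(src)
            except OSError:
                continue  # file vanished between listing and read; the next pass retries
            if seen.get(rel) == digest:
                continue  # already captured and unchanged
            dst = os.path.join(capture_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps the original timestamps
            seen[rel] = digest
            captured.append((rel, digest))
    return captured


def harvest(watch_dir: str, capture_dir: str, interval: float = 0.5, max_rounds=None) -> dict:
    """Poll until Ctrl+C (or max_rounds passes) and print each captured artifact."""
    seen = {}
    rounds = 0
    while max_rounds is None or rounds < max_rounds:
        for rel, digest in capture_once(watch_dir, capture_dir, seen):
            print(f"captured {rel} sha256={digest}")
        rounds += 1
        time.sleep(interval)
    return seen


def demo() -> dict:
    """Self-contained run on a throwaway directory with one constructed artifact."""
    with tempfile.TemporaryDirectory() as tmp:
        capture = os.path.join(tmp, "Captured")
        with open(os.path.join(tmp, "dropped.vbs"), "w") as f:
            f.write("' constructed sample artifact, not real malware\n")
        seen = {}
        first = capture_once(tmp, capture, seen)
        second = capture_once(tmp, capture, seen)  # unchanged file is not copied again
        return {
            "first": first,
            "second": second,
            "copied": os.path.exists(os.path.join(capture, "dropped.vbs")),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as `harvest(r"C:\Users\<lab user>\AppData", r"D:\Captured")` on the lab machine; keep the capture directory outside the watched tree or on another volume so it is never a copy target itself, and treat the captured files as hostile.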
INTERMISSION
Announcing the release of…
LOG-MD Version 1.0 – a FREE edition AND a $299 edition
• Log and Malicious Discovery tool
• When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system!
• Once the system and/or GPO is configured:
1. Clear the logs
2. Infect the system
3. Run Log-MD
4. Review “Report.csv” in Excel
Functions
• Audit Report of log settings compared to:
– The “Windows Logging Cheat Sheet”
– Center for Internet Security (CIS) Benchmarks
– Also USGCB and AU ACSC
• White lists to filter out the known good
– By IP Address
– By Process Command Line and/or Process Name
– By File and Registry locations (requires File and Registry auditing to be set)
• Report.csv - data from logs specific to security
Purpose
• Malware Analysis Lab
• Investigate a suspect system
• Audit Advanced Audit Policy settings
• Help MOVE or PUSH security forward
• Give the IR folks what they need and the Feds too
• Take a full system (File and Reg) snapshot to compare to another system and report the differences
• Discover tricky malware artifacts
• SPEED !
• Deploy with anything you want, SCCM, LanDesk, PsExec, PS, etc…
• Replace several tools we use today with one easy to use utility that does much more
• To answer the question: Is this system infected or clean?
• And do it quickly !
Free Edition
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads
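The “full File Baseline, then compare a suspect system to it” items above describe a snapshot diff. As an added example, not LOG-MD’s own code, here is that diff in Python over a directory tree: hash every file, then report what the suspect has that the baseline lacks, what it lost, and what changed in place. The snapshot layout (relative path to SHA-256) and the two small file trees built by `demo()` are constructed assumptions.

```python
# Added example (not LOG-MD's code): file baseline snapshot and compare.
# Assumptions: manifest layout {relative path: sha256 hex} and the demo trees.
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def compare(baseline: dict, suspect: dict) -> dict:
    """Files only on the suspect, only on the baseline, or on both with a different hash."""
    both = baseline.keys() & suspect.keys()
    return {
        "added": sorted(set(suspect) - set(baseline)),
        "removed": sorted(set(baseline) - set(suspect)),
        "changed": sorted(p for p in both if baseline[p] != suspect[p]),
    }


def _write(root: str, rel: str, content: str) -> None:
    """Create rel (with '/' separators) under root with the given text."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo() -> dict:
    """Build a constructed clean tree and a constructed suspect tree, then diff them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "Windows/System32/cmd.exe", "constructed: unchanged system file")
        _write(clean, "Windows/hosts", "127.0.0.1 localhost\n")
        _write(clean, "Temp/old.log", "constructed: present only on the baseline")
        _write(suspect, "Windows/hosts", "127.0.0.1 localhost\n# constructed: modified\n")
        _write(suspect, "AppData/Roaming/vcwixk.exe", "constructed: dropped payload stand-in")
        return compare(snapshot(clean), snapshot(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Take the baseline from a freshly built image of the same OS build and patch level as the suspect, otherwise the “changed” list fills with legitimate updates; the “added” entries under user-writable paths like AppData\Roaming are the ones to look at first.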
Professional Edition
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Harvest WLS Logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• Free updates for 1 year, expect a new release every quarter
• Manual – How to use LOG-MD Professional
Future Versions – In the works!
• WhoIs lookups of IP Addresses called
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes and services
• PowerShell details
• Other API calls to security vendors
Let’s look at some LOG-MD RESULTS
Crypto Event
• C:\Users\Bob\AppData\Roaming\vcwixk.exe
• C:\Users\Bob\AppData\Roaming\vcwpir.exe
• C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL
• C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Malicious Word Doc – DRIDEX
Malicious Word Doc cont’d – More DRIDEX
Use the power of Excel
• The reports are in .CSV format
• Excel has sorting and Filters
• Filters are AWESOME to thin out your results
• You might take filtered results and add them to your whitelist once vetted
• Save to .XLS and format, color code and produce your report
• For .TXT files use NotePad++
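The whitelisting in the Functions slide and the Excel filtering above are the same operation: drop the rows you have vetted as known-good and look at what is left. As an added example, not LOG-MD’s own code, here is that filter in Python over a constructed Report.csv-style table, whitelisting by IP range, by command-line pattern and by file or registry path. The column names, the whitelist format and every row are assumptions, not real LOG-MD output.

```python
# Added example (not LOG-MD's code): whitelist-then-filter over a CSV report.
# Assumptions: the column layout, the whitelist format and all sample rows.
import csv
import fnmatch
import io
import ipaddress

# Constructed whitelist: CIDR ranges or single addresses, plus case-insensitive
# glob patterns for command lines and file/registry paths.
WHITELIST = {
    "ip": ["10.0.0.0/8", "192.168.1.5"],
    "cmdline": ["*\\svchost.exe -k *", "*\\msmpeng.exe*"],
    "path": [
        "c:\\windows\\softwaredistribution\\*",
        "hklm\\software\\microsoft\\windows\\currentversion\\run\\onedrive*",
    ],
}

# Constructed rows in a Report.csv-like layout: EventID, Image, CommandLine, DestIP, Path
SAMPLE_REPORT = """EventID,Image,CommandLine,DestIP,Path
4688,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\svchost.exe -k netsvcs,,
5156,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,,10.20.30.40,
5156,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,,203.0.113.45,
4663,C:\\Windows\\System32\\svchost.exe,,,C:\\Windows\\SoftwareDistribution\\Download\\update.cab
4663,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,,,C:\\Users\\Bob\\AppData\\Roaming\\vcwixk.exe
4688,C:\\Windows\\System32\\wscript.exe,wscript.exe %temp%\\setup.vbs,,
4657,C:\\Windows\\explorer.exe,,,HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
"""


def _ip_whitelisted(dest: str, entries) -> bool:
    """True when dest falls inside any whitelisted address or CIDR range."""
    if not dest:
        return False
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def _glob_whitelisted(value: str, patterns) -> bool:
    """Case-insensitive glob match; an empty value never matches."""
    v = value.lower()
    return bool(v) and any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def is_whitelisted(row: dict, wl: dict) -> bool:
    return (_ip_whitelisted(row["DestIP"], wl["ip"])
            or _glob_whitelisted(row["CommandLine"], wl["cmdline"])
            or _glob_whitelisted(row["Path"], wl["path"]))


def filter_report(csv_text: str, wl: dict = WHITELIST) -> list:
    """Return the rows that survive the whitelist, in their original order."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if not is_whitelisted(r, wl)]


if __name__ == "__main__":
    for row in filter_report(SAMPLE_REPORT):
        print(row["EventID"], row["Image"], row["CommandLine"], row["DestIP"], row["Path"])
```

Anchor path patterns to the full path: a bare `*svchost.exe*` would also whitelist a copy of svchost.exe dropped under AppData, which is the kind of row you want to keep.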
So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in… 15 Minutes!
Resources
• Websites
– Log-MD.com – The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare
– Search for MalwareArchaeology or LOG-MD
Testers for RC-1
• May 1st 2016 - launch date
• Looking for a few good testers…
– of LOG-MD Professional
• Test the manual and tool and provide feedback
• You WILL be rewarded for the effort ;-)
• You heard it here first !
• A gift from your local Austin Security Professionals
Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net – LinkedIn now
