SlideShare a Scribd company logo
1 of 52
© Copyright 2013 EMC Corporation. All rights reserved.
© Copyright 2013 EMC Corporation. All rights reserved.
Introducing Intelligence
Into Your Malware Analysis
Presented by
Brian Baskin
Advisory Practice Consultant
RSA Incident Response
5 Jun 14
© Copyright 2013 EMC Corporation. All rights reserved.
# whoami
• Consultant with RSA IR/D team
• Digital Forensics for 15 years
• Incident Response for 10 years
• Personal Blog: www.GhettoForensics.com
• Co-Author: Dissecting the Hack
© Copyright 2013 EMC Corporation. All rights reserved.
Where do we start…
• Many attack analysis methods are outdated
• Emphasis on system-by-system analysis
• Teams are broken up by specialized skills
© Copyright 2013 EMC Corporation. All rights reserved.
Skill Segregation
Memory AnalysisNetwork Analysis
Dynamic AnalysisStatic Analysis
© Copyright 2013 EMC Corporation. All rights reserved.
Difficulty in Current Processes
• Skill-Based Approach vs. Indicator-Based
• Going down rabbit holes that do not help
overall security posture
• You do not need to deep dive every sample!
• Difficult to segregate and emphasize
critical indicators in reports
© Copyright 2013 EMC Corporation. All rights reserved.
The Cyber Kill Chaintm
© Copyright 2013 EMC Corporation. All rights reserved.
Relevance of the Cyber Kill Chain
Each chain link has indicators that
can be potentially extracted or
deduced from malware analysis
Use to:
• Identify Indicators
• Collect Indicators
• Reuse Indicators
© Copyright 2013 EMC Corporation. All rights reserved.
What Indicators?
Go Beyond the IOCs
• File MD5s
• URLs, IPs
Intel Indicators
• Encryption keys
• Campaign Identifiers
• Evidence of custom tools
• Who is performing the attack
© Copyright 2013 EMC Corporation. All rights reserved.
Relevance of the Cyber Kill Chain
– Signs of intelligence gathering
– Technical exploit used in attack
– Transfer method
– Vulnerability on victim system
– Entrenchment/Persistence artifacts
– Data collection, network beacon
– Actor-issued commands, exfil, lateral movement
© Copyright 2013 EMC Corporation. All rights reserved.
Fishing for Indicators
– Carrier themes
– Buffer overrun, RCE, malicious Flash w/in DOCX
– Email, Watering Hole, P2P, USB
– CVE-2010-3333, CVE-2012-0158, etc
– File / Registry / File artifacts
– DNS, HTTP beacons
– RAR archives, psexec, pwdump
© Copyright 2013 EMC Corporation. All rights reserved.
Reconnaissance – Decoy Details
http://contagiodump.blogspot.com/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html
© Copyright 2013 EMC Corporation. All rights reserved.
Reconnaissance – ExifTool
ExifTool Version Number : 9.36
File Modification Date/Time : 2010:10:08 07:15:54-04:00
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.6
Linearized : Yes
Encryption : Standard V2.3 (128-bit)
User Access : Extract
Tagged PDF : Yes
XMP Toolkit : 3.1-701
Producer : Acrobat Distiller 8.1.0 (Windows)
Company : Dell Computer Corporation
Source Modified : D:20101001111200
Creator Tool : Word8墁 Acrobat PDFMaker 8.1
Modify Date : 2010:10:08 09:35:31+09:00
Create Date : 2010:10:01 20:12:17+09:00
Metadata Date : 2010:10:08 09:35:31+09:00
Document ID : uuid:c425871d-1bc1-4ccc-8235-ce20615daded
Instance ID : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32
Subject : 4
Format : application/pdf
Creator : Arlene Goldberg
Title : President Clinton Event Request Form
Page Count : 5
Page Layout : OneColumn
Author : Arlene Goldberg
© Copyright 2013 EMC Corporation. All rights reserved.
Weaponization – Hex view of .DOC file
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0000 7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73 {rtf1{shp{*s
0010 68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70 hpinst{sp{sn p
0020 46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31 Fragments}{sv 1
4130 33 63 35 35 65 35 66 35 64 63 32 30 38 30 30 65 3c55e5f5dc20800e
4140 38 63 37 66 64 66 66 66 66 36 33 33 61 35 63 36 8c7fdffff633a5c6
4150 34 36 66 36 33 37 35 36 64 36 35 37 65 33 31 35 46f63756d657e315
4160 63 36 31 36 63 36 63 37 35 37 33 36 35 37 65 33 c616c6c7573657e3
4170 31 35 63 36 31 37 30 37 30 36 63 36 39 36 33 37 15c6170706c69637
4180 65 33 31 35 63 36 39 36 66 37 33 37 39 37 33 30 e315c696f7379730
4190 30 7D 7D 7D 7D 5C 61 64 65 66 6C 61 6E 67 31 30 0}}}}adeflang10
41A0 32 35 58 58 58 58 59 59 59 59 7A 78 77 76 71 74 25XXXXYYYYzxwvqt
4620 03 02 01 00 FF FE FD FC FB FA F9 F8 F7 F6 F5 F4 ....ÿþýüûúùø÷öõô
4630 F3 F2 F1 F0 EF EE ED EC EB EA E9 E8 E7 E6 E5 E4 óòñðïîíìëêéèçæåä
4640 E3 E2 E1 E0 DF DE DD DC DB DA D9 D8 D7 D6 D5 D4 ãâáàßÞÝÜÛÚÙØ×ÖÕÔ
4650 D3 D2 D1 D0 CF CE CD CC CB CA C9 C8 C7 C6 C5 C4 ÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄ
4660 C3 C2 C1 C0 BF BE BD BC BB BA B9 B8 B7 B6 B5 B4 ÃÂÁÀ¿¾½¼»º¹¸·¶µ´
4670 B3 B2 B1 B0 AF AE AD AC AB AA A9 A8 A7 A6 A5 A4 ³²±°¯®¬«ª©¨§¦¥¤
© Copyright 2013 EMC Corporation. All rights reserved.
Weaponization – Hex view of .DOC file
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0000 7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73 {rtf1{shp{*s
0010 68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70 hpinst{sp{sn p
0020 46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31 Fragments}{sv 1
The actual exploit in use (CVE-2010-3333) noted
also by the pFragments string. Used to initiate
the loading of shellcode.
© Copyright 2013 EMC Corporation. All rights reserved.
Weaponization – Hex view of .DOC file
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
4130 33 63 35 35 65 35 66 35 64 63 32 30 38 30 30 65 3c55e5f5dc20800e
4140 38 63 37 66 64 66 66 66 66 36 33 33 61 35 63 36 8c7fdffff633a5c6
4150 34 36 66 36 33 37 35 36 64 36 35 37 65 33 31 35 46f63756d657e315
4160 63 36 31 36 63 36 63 37 35 37 33 36 35 37 65 33 c616c6c7573657e3
4170 31 35 63 36 31 37 30 37 30 36 63 36 39 36 33 37 15c6170706c69637
4180 65 33 31 35 63 36 39 36 66 37 33 37 39 37 33 30 e315c696f7379730
4190 30 7D 7D 7D 7D 5C 61 64 65 66 6C 61 6E 67 31 30 0}}}}adeflang10
41A0 32 35 58 58 58 58 59 59 59 59 7A 78 77 76 71 74 25XXXXYYYYzxwvqt
Shellcode of the attack. Mostly unique, but many
shared aspects between malicious carrier files
Uses multi 4-byte “eggs” as markers for
shellcode or malware payload
© Copyright 2013 EMC Corporation. All rights reserved.
Weaponization – Hex view of .DOC file
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
4620 03 02 01 00 FF FE FD FC FB FA F9 F8 F7 F6 F5 F4 ....ÿþýüûúùø÷öõô
4630 F3 F2 F1 F0 EF EE ED EC EB EA E9 E8 E7 E6 E5 E4 óòñðïîíìëêéèçæåä
4640 E3 E2 E1 E0 DF DE DD DC DB DA D9 D8 D7 D6 D5 D4 ãâáàßÞÝÜÛÚÙØ×ÖÕÔ
4650 D3 D2 D1 D0 CF CE CD CC CB CA C9 C8 C7 C6 C5 C4 ÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄ
4660 C3 C2 C1 C0 BF BE BD BC BB BA B9 B8 B7 B6 B5 B4 ÃÂÁÀ¿¾½¼»º¹¸·¶µ´
4670 B3 B2 B1 B0 AF AE AD AC AB AA A9 A8 A7 A6 A5 A4 ³²±°¯®¬«ª©¨§¦¥¤
Actual malware payload, encoded. By finding
null spaces, this can be identified as a
decrementing single-byte XOR (FF>00). Routine,
and starting byte of key, can be unique to
attacker.
© Copyright 2013 EMC Corporation. All rights reserved.
Weaponization – ExifTool
ExifTool Version Number : 9.36
File Modification Date/Time : 2010:10:08 07:15:54-04:00
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.6
Linearized : Yes
Encryption : Standard V2.3 (128-bit)
User Access : Extract
Tagged PDF : Yes
XMP Toolkit : 3.1-701
Producer : Acrobat Distiller 8.1.0 (Windows)
Company : Dell Computer Corporation
Source Modified : D:20101001111200
Creator Tool : Word8墁 Acrobat PDFMaker 8.1
Modify Date : 2010:10:08 09:35:31+09:00
Create Date : 2010:10:01 20:12:17+09:00
Metadata Date : 2010:10:08 09:35:31+09:00
Document ID : uuid:c425871d-1bc1-4ccc-8235-ce20615daded
Instance ID : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32
Subject : 4
Format : application/pdf
Creator : Arlene Goldberg
Title : President Clinton Event Request Form
Page Count : 5
Page Layout : OneColumn
Author : Arlene Goldberg
© Copyright 2013 EMC Corporation. All rights reserved.
Reconnaissance / Weaponization Collection
• EXIFTool
• http://www.sno.phy.queensu.ca/~phil/exiftool/
• OfficeMalScanner / RTFscan
• http://www.reconstructer.org/code.html
• Cerbero PE Insider / PE Explorer
• http://icerbero.com/peinsider
• http://www.heaventools.com
• Revelo / Malzilla / PdfStreamDumper
• http://www.ntcore.com/exsuite.php
• http://malzilla.sourceforge.net
• Malware Tracker Doc/PDF Scanners
• https://www.malwaretracker.com
© Copyright 2013 EMC Corporation. All rights reserved.
Delivery – Email Attack
http://contagiodump.blogspot.com/2011/06/may-31-cve-2010-3333-doc-q-and-adoc.html
© Copyright 2013 EMC Corporation. All rights reserved.
Delivery – Watering Hole Attack
http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-
active-malware-attack-ms-warns/
© Copyright 2013 EMC Corporation. All rights reserved.
Delivery – Watering Hole Attack
• Function names appear random, but can
actually be hardcoded and shared across
multiple attacks
• Referenced filenames can also be used as
indicative of an attack
© Copyright 2013 EMC Corporation. All rights reserved.
Exploitation
CVE-2014-1761 (MS14-017)
http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-
attackers
© Copyright 2013 EMC Corporation. All rights reserved.
Exploitation
CVE-2014-1761 (MS14-017)
http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-
attackers
• Metadata (ismail) copy/pasted multiple times
• Shellcode stored as ?u-##### Integer-casted
Unicode bytes
• If RTF & # of same Metadata fields > 2 & “?u-”
© Copyright 2013 EMC Corporation. All rights reserved.
Delivery / Exploitation Collection
• VirusTotal
• https://www.virustotal.com
• Jotti
• http://virusscan.jotti.org
• URLQuery
• http://urlquery.net
• Joe Sandbox URL Analyzer
• http://www.url-analyzer.net
• YARA / SignSrch Rules
© Copyright 2013 EMC Corporation. All rights reserved.
Installation
Typical domain of forensics
• File system activity
• Registry activity
• Entrenchment / Persistence
• Anti-Forensics
© Copyright 2013 EMC Corporation. All rights reserved.
Installation – Collection Tools
• Noriben
• https://github.com/Rurik/Noriben
• CaptureBAT
• Cuckoo Sandbox
• Web-based:
• Anubis - https://anubis.iseclab.org
• Eureka! - http://eureka.cyber-ta.org
• Malwr - https://malwr.com
• ThreatExpert - http://www.threatexpert.com
© Copyright 2013 EMC Corporation. All rights reserved.
Noriben v1.6 (Beta – Stable release in Aug)
Processes Created:
==================
[CreateProcess] Explorer.EXE:1432 > ”%UserProfile%Desktopmalware.exe" [Child PID: 2520]
[CreateProcess] malware.exe:2520 > "C:WINDOWSsystem32cmd.exe" [Child PID: 3444]
[CreateProcess] services.exe:680 > "C:WINDOWSSystem32svchost.exe -k HTTPFilter" [Child PID: 3512]
File Activity:
==================
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-
500$fab110457830839344b58457ddd1f357L
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-
500$fab110457830839344b58457ddd1f357U
[CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-
500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned]
[CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-
500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46]
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357L
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357U
[CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357@ [MD5:
d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned]
[CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357n [MD5:
cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46]
[CreateFile] services.exe:680 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357@ [MD5:
d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned]
[New Folder] services.exe:680 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357U
[DeleteFile] cmd.exe:3444 %UserProfile%Desktopmalware.exe
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2)
http://<DOMAIN>/kys_allow_get.asp?name=getkys.jpg&ho
stname=HOSTNAME-192.168.1.120130623SCRyyy
http://<DOMAIN>/web/movie.swf?apple=8A969692D8CDCDD0
D0D0CCD0D0DACCD0D0D0CCD0D1D7CD958780CD96878F92CC879A
87E2E2E2E2
256-byte seemingly random beacons:
00000000 F9 B5 A0 96 DE 35 E0 33 F8 BD 9C 49 E2 3E E4 EF ùµ –Þ5à3ø½œIâ>äï
00000016 D6 FD 8D 60 03 22 A0 52 0E FC 0B C9 35 70 9A AC Öý•`." R.ü.É5pš¬
00000032 34 16 95 67 90 CB F5 34 76 F5 DC 99 04 73 7E E2 4.•gËõ4võÜ™.s~â
00000048 FB 90 45 82 65 3A AC 44 C0 EC 0A 6A E0 6E 90 B7 ûE‚e:¬DÀì.jàn•·
00000064 0D CC BF EC 5E 6B 32 6F 08 84 09 8E 46 C9 3C 48 .Ì¿ì^k2o.„.ŽFÉ<H
00000080 75 CD 21 56 0C 0B A9 E4 96 37 D9 64 93 33 D7 43 uÍ!V..©ä–7Ùd“3×C
00000096 BA E0 A1 C8 CB BB A7 4B D3 ED AF 4D 1C 28 87 FD ºà¡ÈË»§KÓí¯M.(‡ý
00000112 65 33 97 8D 20 3D 88 B6 B5 CE 10 CA CC 4D 27 76 e3—=ˆ¶µÎ.ÊÌM'v
00000128 63 19 63 7B ED 98 EE 0A 6A 5D 71 AC B9 10 BD C6 c.c{í˜î.j]q¬¹.½Æ
00000144 A7 9A 86 EB 17 D0 97 E7 86 D5 9A FD D4 12 27 01 §š†ë.Зç†ÕšýÔ.'.
00000160 4E 6A 20 D8 B0 55 02 E8 1C 44 9C 35 8F AC C4 0A Nj Ø°U.è.Dœ5•¬Ä.
00000176 0A 19 70 E3 4C E6 B9 3B 6B C1 73 E2 1B C0 27 CD ..pãLæ¹;kÁsâ.À'Í
00000192 BF 5D E8 6E 68 02 27 50 5D C6 35 EB F5 44 8C 45 ¿]ènh.'P]Æ5ëõDŒE
00000208 B7 B4 08 D6 BE B0 9E 3E F8 D8 A9 79 EC D3 19 50 ·´.Ö¾°ž>øØ©yìÓ.P
00000224 19 5F 22 BE 00 A8 36 6B FA 35 9E BF 3F 86 E1 F4 ._"¾.¨6kú5ž¿?†áô
00000240 EF CB 33 09 48 5D A8 05 8C 57 A1 CC E8 F4 6B 31 ïË3.H]¨.ŒW¡Ìèôk1
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2) Identification
DeepEnd Research Library of Malware
Traffic Patterns
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2) Collection
• WireShark
• FakeNET
• practicalmalwareanalysis.com/fakenet
• Netcat
• Known C2 Clients
• Commodity RAT / Custom RAT
• Python / Perl
• On-the-fly C2 clients
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2) Collection
• Host an array of known and custom-
made C2 servers
• If you think malware is known, let it beacon
against that server and check for a
handshake
• Extract victim info from beacon handshake
and move on to the next sample!
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2) Collection
• What if you can get all intel-based artifacts
without even running it?
• Search for configuration data, decrypt, and
archive.
• Extract:
• Beacon domains
• Beacon ports
• Campaign IDs
• Mutexes
• And all statically!
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2) Collection
• Configuration Dumpers (Static)
e.g. github.com/MalwareLu/config_extractor/
$ config_jRAT.py malware.jar
port=31337
os=win mac
mport=-1
perms=-1
error=true
reconsec=10
ti=false
ip=www.malware.com
pass=password
id=CAMPAIGN
mutex=false
toms=-1
per=false
name=
timeout=false
debugmsg=true
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2) Collection
What if it’s encrypted?!
• Reverse once to determine decryption routine
They keep changing encryption!
• Look for its decrypted structure in memory
• Write YARA rule targeting that structure
• Dump from memory
• Encryption routine is easy to change, decrypted
structure typically stays the same
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2) Collection
Configuration Dumpers (Memory)
E:VMs> vol.py -f WinXP_Malware.vmem pslist
Offset(V) Name PID PPID Start
---------- -------- ------ ------ --------------------
0x81efc550 java.exe 1920 660 2013-09-18 22:23:10
E:VMs> vol.py -f WinXP_Malware.vmem memdump -p 1920 -D dump
Writing java.exe [ 1920] to 1920.dmp
E:VMs> vol.py -f WinXP_Malware.vmem yarascan -p 1920 –Y “SPLIT”
Owner: Process java.exe Pid 1920
0x2abadbec 53 50 4c 49 54 03 03 03 69 70 3d 77 77 77 2e 6d SPLIT...ip=www.m
0x2abadbfc 61 6c 77 61 72 65 2e 63 6f 6d 53 50 4c 49 54 09 alware.comSPLIT.
0x2abadc0c 09 09 09 09 09 09 09 09 70 61 73 73 3d 70 61 73 ........pass=pas
0x2abadc1c 73 77 6f 72 64 53 50 4c 49 54 0e 0e 0e 0e 0e 0e swordSPLIT......
0x2abadc21 53 50 4c 49 54 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e SPLIT...........
0x2abadc31 0e 0e 0e 69 64 3d 43 41 4d 50 41 49 47 4e 53 50 ...id=CAMPAIGNSP
0x2abadc41 4c 49 54 10 10 10 10 10 10 10 10 10 10 10 10 10 LIT.............
0x2abadc51 10 10 10 6d 75 74 65 78 3d 66 61 6c 73 65 53 50 ...mutex=falseSP
© Copyright 2013 EMC Corporation. All rights reserved.
Command and Control (C2) Collection
Configuration Dumpers (Memory)
http://www.ghettoforensics.com/2013/10/dumping-malware-
configuration-data-from.html
© Copyright 2013 EMC Corporation. All rights reserved.
Actions
Reconnaissance
• Network sweeps
Privilege Escalation
• pwdump#, mimikatz, keyloggers
Exfiltration
• Keyloggers
• Directory Listings
• Archives (rar –hp | rar –p)
Remote Execution
• psexec
© Copyright 2013 EMC Corporation. All rights reserved.
Actions
Malware C2
• Decrypt/Decode Malware communications
beyond a simple beacon
Requires:
• Reversing C2 code from malware
• PCAP of traffic to compromised system
• MITRE ChopShop or equivalent tool
© Copyright 2013 EMC Corporation. All rights reserved.
Enumerating Indicators
• Hashes (MD5, fuzzy, imphash, …)
• File
• PE sections
• PE imports
• Entrenchment / Persistence
• File locations
• Registry keys (*Run*, Shimcache)
• C2 communication
• Hashes, sizes
• Dynamic vs static bytes
© Copyright 2013 EMC Corporation. All rights reserved.
Collecting Indicators
• Store results in database
• RTIR / CRITS
• Custom-programmed
• Per-incident data archives
• Emails, files
• Residual artifacts
• Memory dumps
• PCAPs / Proxy logs
© Copyright 2013 EMC Corporation. All rights reserved.
Reusing Indicators
Do analysis once, reuse indicators
• Static Signatures
• YARA
• SignSrch / ClamSrch
• Dynamic Signatures
• CybOX/STIX/MAEC
• IOCs
• Network Signatures
• Snort
• ChopShop
© Copyright 2013 EMC Corporation. All rights reserved.
Static Signatures – YARA
rule CoreFlood_ldr_decoder
{
strings:
$strRegKey = "MlLrqtuhA3x0WmjwNM27"
$strAPI = "3etProcAddr"
$codeSub_85BA = { 81 EA BA 85 00 00 }
$codeXOR_85BC = { 05 BC 85 00 00 }
condition:
all of ($str*) and any of ($code*)
}
© Copyright 2013 EMC Corporation. All rights reserved.
Static Signatures
Write multiple signatures for each file
• Write a sig for each notable item
• Catches subtle modifications
• Detect when capabilities change
PDB string
Unique strings
Encryption routines
MATH!
© Copyright 2013 EMC Corporation. All rights reserved.
Make Indicators Intelligent
Indicators are just a raw set of data
Intelligence comes through:
• Grouping indicators
• Indexing all edges (files) AND vertices (activity)
• File1 is a dropper, File2 is a driver
• File2 is a binary resource of BIN222 in File1
• File2 is stored as encrypted (XOR by 0xBB)
• File1 drops File2
© Copyright 2013 EMC Corporation. All rights reserved.
Example: Attack 1
© Copyright 2013 EMC Corporation. All rights reserved.
Example: Attack 2
© Copyright 2013 EMC Corporation. All rights reserved.
Correlate the Attacks
© Copyright 2013 EMC Corporation. All rights reserved.
Take-Aways
• Standardize on a signature format (YARA, IOC,
STIX)
• Write as many signatures as possible for each
item to track variations over time
• Try to automate, e.g. cuckoo2STIX
• Spend downtime reanalyzing old incidents with
new data / intel
© Copyright 2013 EMC Corporation. All rights reserved.
Take-Aways
• Use VirusTotal Intelligence
• Create feeds for YARA to find new variants
• Acknowledge weaknesses of Cyber Kill Chain
• It focuses on initial and holistic attack flow
• Simplistic design means everything is thrown into
Actions
• It doesn’t scale to varied and orchestrated attacks
© Copyright 2013 EMC Corporation. All rights reserved.
Questions/Comments?
Brian.Baskin@RSA.com
Introducing Intelligence Into Your Malware Analysis

More Related Content

What's hot

Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...ufpb
 
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...CODE BLUE
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsJames Forshaw
 
My Null Android Penetration Session
My Null  Android Penetration Session My Null  Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSESPriyanka Aash
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmSecurity Bootcamp
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USAAlexandre Borges
 
Troubleshooting the Windows Installer
Troubleshooting the Windows Installer Troubleshooting the Windows Installer
Troubleshooting the Windows Installer AppDetails
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerHack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerTom Keetch
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Blueboxer2014
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 

What's hot (20)

The Hookshot: Runtime Exploitation
The Hookshot: Runtime ExploitationThe Hookshot: Runtime Exploitation
The Hookshot: Runtime Exploitation
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
 
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction Sy...
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
 
Android Secure Coding
Android Secure CodingAndroid Secure Coding
Android Secure Coding
 
The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox Mitigations
 
My Null Android Penetration Session
My Null  Android Penetration Session My Null  Android Penetration Session
My Null Android Penetration Session
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses  -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
 
Troubleshooting the Windows Installer
Troubleshooting the Windows Installer Troubleshooting the Windows Installer
Troubleshooting the Windows Installer
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerHack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Android Vulnerability: Fake ID
Android Vulnerability: Fake ID
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 

Viewers also liked

Black Hat 2015 Arsenal: Noriben Malware Analysis
Black Hat 2015 Arsenal: Noriben Malware AnalysisBlack Hat 2015 Arsenal: Noriben Malware Analysis
Black Hat 2015 Arsenal: Noriben Malware AnalysisBrian Baskin
 
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술John Kim
 
2013년 html5 총정리 (Summary of HTML5 Trend in 2013)
2013년 html5 총정리 (Summary of HTML5 Trend in 2013)2013년 html5 총정리 (Summary of HTML5 Trend in 2013)
2013년 html5 총정리 (Summary of HTML5 Trend in 2013)Wonsuk Lee
 
Yet Another YARA Allocution (YAYA)
Yet Another YARA Allocution (YAYA) Yet Another YARA Allocution (YAYA)
Yet Another YARA Allocution (YAYA) John Laycock
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tacticssecurityxploded
 
Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber CrimeBrian Baskin
 
svn 능력자를 위한 git 개념 가이드
svn 능력자를 위한 git 개념 가이드svn 능력자를 위한 git 개념 가이드
svn 능력자를 위한 git 개념 가이드Insub Lee
 

Viewers also liked (7)

Black Hat 2015 Arsenal: Noriben Malware Analysis
Black Hat 2015 Arsenal: Noriben Malware AnalysisBlack Hat 2015 Arsenal: Noriben Malware Analysis
Black Hat 2015 Arsenal: Noriben Malware Analysis
 
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
DEVIEW - 오픈소스를 활용한 분산아키텍처 구현기술
 
2013년 html5 총정리 (Summary of HTML5 Trend in 2013)
2013년 html5 총정리 (Summary of HTML5 Trend in 2013)2013년 html5 총정리 (Summary of HTML5 Trend in 2013)
2013년 html5 총정리 (Summary of HTML5 Trend in 2013)
 
Yet Another YARA Allocution (YAYA)
Yet Another YARA Allocution (YAYA) Yet Another YARA Allocution (YAYA)
Yet Another YARA Allocution (YAYA)
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber Crime
 
svn 능력자를 위한 git 개념 가이드
svn 능력자를 위한 git 개념 가이드svn 능력자를 위한 git 개념 가이드
svn 능력자를 위한 git 개념 가이드
 

Similar to Introducing Intelligence Into Your Malware Analysis

Real practice of Networking design on specialized for ARM Cortex-M
Real practice of Networking design on specialized for ARM Cortex-MReal practice of Networking design on specialized for ARM Cortex-M
Real practice of Networking design on specialized for ARM Cortex-MBenux Wei
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
 
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slidesDEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slidesFelipe Prado
 
Network OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye toolNetwork OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye toolVikram G Hosakote
 
[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래NAVER D2
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for DetectionSourcefire VRT
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hackSlawomir Jasek
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdfdino715195
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloudrandomuserid
 
Crossing the Production Barrier: Development at Scale
Crossing the Production Barrier: Development at ScaleCrossing the Production Barrier: Development at Scale
Crossing the Production Barrier: Development at Scalejgoulah
 
3DConsulting_Presentation
3DConsulting_Presentation3DConsulting_Presentation
3DConsulting_PresentationJoseph Baca
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...Felipe Prado
 
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...YuChianWu
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kievuisgslide
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
IS3220 Project Network Design Chris Wig Essay
IS3220 Project Network Design Chris Wig EssayIS3220 Project Network Design Chris Wig Essay
IS3220 Project Network Design Chris Wig EssayNavy Savchenko
 

Similar to Introducing Intelligence Into Your Malware Analysis (20)

Real practice of Networking design on specialized for ARM Cortex-M
Real practice of Networking design on specialized for ARM Cortex-MReal practice of Networking design on specialized for ARM Cortex-M
Real practice of Networking design on specialized for ARM Cortex-M
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018
 
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slidesDEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
 
Network OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye toolNetwork OS Code Coverage demo using Bullseye tool
Network OS Code Coverage demo using Bullseye tool
 
[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
 
A New Framework for Detection
A New Framework for DetectionA New Framework for Detection
A New Framework for Detection
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloud
 
Crossing the Production Barrier: Development at Scale
Crossing the Production Barrier: Development at ScaleCrossing the Production Barrier: Development at Scale
Crossing the Production Barrier: Development at Scale
 
3DConsulting_Presentation
3DConsulting_Presentation3DConsulting_Presentation
3DConsulting_Presentation
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
 
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kiev
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
IS3220 Project Network Design Chris Wig Essay
IS3220 Project Network Design Chris Wig EssayIS3220 Project Network Design Chris Wig Essay
IS3220 Project Network Design Chris Wig Essay
 

Recently uploaded

Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 

Recently uploaded (20)

Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 

Introducing Intelligence Into Your Malware Analysis

  • 1. © Copyright 2013 EMC Corporation. All rights reserved.
  • 2. © Copyright 2013 EMC Corporation. All rights reserved. Introducing Intelligence Into Your Malware Analysis Presented by Brian Baskin Advisory Practice Consultant RSA Incident Response 5 Jun 14
  • 3. © Copyright 2013 EMC Corporation. All rights reserved. # whoami • Consultant with RSA IR/D team • Digital Forensics for 15 years • Incident Response for 10 years • Personal Blog: www.GhettoForensics.com • Co-Author: Dissecting the Hack
  • 4. © Copyright 2013 EMC Corporation. All rights reserved. Where do we start… • Many attack analysis methods are outdated • Emphasis on system-by-system analysis • Teams are broken up by specialized skills
  • 5. © Copyright 2013 EMC Corporation. All rights reserved. Skill Segregation Memory AnalysisNetwork Analysis Dynamic AnalysisStatic Analysis
  • 6. © Copyright 2013 EMC Corporation. All rights reserved. Difficulty in Current Processes • Skill-Based Approach vs. Indicator-Based • Going down rabbit holes that do not help overall security posture • You do not need to deep dive every sample! • Difficult to segregate and emphasize critical indicators in reports
  • 7. © Copyright 2013 EMC Corporation. All rights reserved. The Cyber Kill Chaintm
  • 8. © Copyright 2013 EMC Corporation. All rights reserved. Relevance of the Cyber Kill Chain Each chain link has indicators that can be potentially extracted or deduced from malware analysis Use to: • Identify Indicators • Collect Indicators • Reuse Indicators
  • 9. © Copyright 2013 EMC Corporation. All rights reserved. What Indicators? Go Beyond the IOCs • File MD5s • URLs, IPs Intel Indicators • Encryption keys • Campaign Identifiers • Evidence of custom tools • Who is performing the attack
  • 10. © Copyright 2013 EMC Corporation. All rights reserved. Relevance of the Cyber Kill Chain – Signs of intelligence gathering – Technical exploit used in attack – Transfer method – Vulnerability on victim system – Entrenchment/Persistence artifacts – Data collection, network beacon – Actor-issued commands, exfil, lateral movement
  • 11. © Copyright 2013 EMC Corporation. All rights reserved. Fishing for Indicators – Carrier themes – Buffer overrun, RCE, malicious Flash w/in DOCX – Email, Watering Hole, P2P, USB – CVE-2010-3333, CVE-2012-0158, etc – File / Registry / File artifacts – DNS, HTTP beacons – RAR archives, psexec, pwdump
  • 12. © Copyright 2013 EMC Corporation. All rights reserved. Reconnaissance – Decoy Details http://contagiodump.blogspot.com/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html
  • 13. © Copyright 2013 EMC Corporation. All rights reserved. Reconnaissance – ExifTool ExifTool Version Number : 9.36 File Modification Date/Time : 2010:10:08 07:15:54-04:00 File Type : PDF MIME Type : application/pdf PDF Version : 1.6 Linearized : Yes Encryption : Standard V2.3 (128-bit) User Access : Extract Tagged PDF : Yes XMP Toolkit : 3.1-701 Producer : Acrobat Distiller 8.1.0 (Windows) Company : Dell Computer Corporation Source Modified : D:20101001111200 Creator Tool : Word8墁 Acrobat PDFMaker 8.1 Modify Date : 2010:10:08 09:35:31+09:00 Create Date : 2010:10:01 20:12:17+09:00 Metadata Date : 2010:10:08 09:35:31+09:00 Document ID : uuid:c425871d-1bc1-4ccc-8235-ce20615daded Instance ID : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32 Subject : 4 Format : application/pdf Creator : Arlene Goldberg Title : President Clinton Event Request Form Page Count : 5 Page Layout : OneColumn Author : Arlene Goldberg
  • 14. © Copyright 2013 EMC Corporation. All rights reserved. Weaponization – Hex view of .DOC file Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0000 7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73 {rtf1{shp{*s 0010 68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70 hpinst{sp{sn p 0020 46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31 Fragments}{sv 1 4130 33 63 35 35 65 35 66 35 64 63 32 30 38 30 30 65 3c55e5f5dc20800e 4140 38 63 37 66 64 66 66 66 66 36 33 33 61 35 63 36 8c7fdffff633a5c6 4150 34 36 66 36 33 37 35 36 64 36 35 37 65 33 31 35 46f63756d657e315 4160 63 36 31 36 63 36 63 37 35 37 33 36 35 37 65 33 c616c6c7573657e3 4170 31 35 63 36 31 37 30 37 30 36 63 36 39 36 33 37 15c6170706c69637 4180 65 33 31 35 63 36 39 36 66 37 33 37 39 37 33 30 e315c696f7379730 4190 30 7D 7D 7D 7D 5C 61 64 65 66 6C 61 6E 67 31 30 0}}}}adeflang10 41A0 32 35 58 58 58 58 59 59 59 59 7A 78 77 76 71 74 25XXXXYYYYzxwvqt 4620 03 02 01 00 FF FE FD FC FB FA F9 F8 F7 F6 F5 F4 ....ÿþýüûúùø÷öõô 4630 F3 F2 F1 F0 EF EE ED EC EB EA E9 E8 E7 E6 E5 E4 óòñðïîíìëêéèçæåä 4640 E3 E2 E1 E0 DF DE DD DC DB DA D9 D8 D7 D6 D5 D4 ãâáàßÞÝÜÛÚÙØ×ÖÕÔ 4650 D3 D2 D1 D0 CF CE CD CC CB CA C9 C8 C7 C6 C5 C4 ÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄ 4660 C3 C2 C1 C0 BF BE BD BC BB BA B9 B8 B7 B6 B5 B4 ÃÂÁÀ¿¾½¼»º¹¸·¶µ´ 4670 B3 B2 B1 B0 AF AE AD AC AB AA A9 A8 A7 A6 A5 A4 ³²±°¯®¬«ª©¨§¦¥¤
  • 15. © Copyright 2013 EMC Corporation. All rights reserved. Weaponization – Hex view of .DOC file Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0000 7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73 {rtf1{shp{*s 0010 68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70 hpinst{sp{sn p 0020 46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31 Fragments}{sv 1 The actual exploit in use (CVE-2010-3333) noted also by the pFragments string. Used to initiate the loading of shellcode.
  • 16. © Copyright 2013 EMC Corporation. All rights reserved. Weaponization – Hex view of .DOC file Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 4130 33 63 35 35 65 35 66 35 64 63 32 30 38 30 30 65 3c55e5f5dc20800e 4140 38 63 37 66 64 66 66 66 66 36 33 33 61 35 63 36 8c7fdffff633a5c6 4150 34 36 66 36 33 37 35 36 64 36 35 37 65 33 31 35 46f63756d657e315 4160 63 36 31 36 63 36 63 37 35 37 33 36 35 37 65 33 c616c6c7573657e3 4170 31 35 63 36 31 37 30 37 30 36 63 36 39 36 33 37 15c6170706c69637 4180 65 33 31 35 63 36 39 36 66 37 33 37 39 37 33 30 e315c696f7379730 4190 30 7D 7D 7D 7D 5C 61 64 65 66 6C 61 6E 67 31 30 0}}}}adeflang10 41A0 32 35 58 58 58 58 59 59 59 59 7A 78 77 76 71 74 25XXXXYYYYzxwvqt Shellcode of the attack. Mostly unique, but many shared aspects between malicious carrier files Uses multi 4-byte “eggs” as markers for shellcode or malware payload
  • 17. © Copyright 2013 EMC Corporation. All rights reserved. Weaponization – Hex view of .DOC file Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 4620 03 02 01 00 FF FE FD FC FB FA F9 F8 F7 F6 F5 F4 ....ÿþýüûúùø÷öõô 4630 F3 F2 F1 F0 EF EE ED EC EB EA E9 E8 E7 E6 E5 E4 óòñðïîíìëêéèçæåä 4640 E3 E2 E1 E0 DF DE DD DC DB DA D9 D8 D7 D6 D5 D4 ãâáàßÞÝÜÛÚÙØ×ÖÕÔ 4650 D3 D2 D1 D0 CF CE CD CC CB CA C9 C8 C7 C6 C5 C4 ÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄ 4660 C3 C2 C1 C0 BF BE BD BC BB BA B9 B8 B7 B6 B5 B4 ÃÂÁÀ¿¾½¼»º¹¸·¶µ´ 4670 B3 B2 B1 B0 AF AE AD AC AB AA A9 A8 A7 A6 A5 A4 ³²±°¯®¬«ª©¨§¦¥¤ Actual malware payload, encoded. By finding null spaces, this can be identified as a decrementing single-byte XOR (FF>00). Routine, and starting byte of key, can be unique to attacker.
  • 18. © Copyright 2013 EMC Corporation. All rights reserved. Weaponization – ExifTool ExifTool Version Number : 9.36 File Modification Date/Time : 2010:10:08 07:15:54-04:00 File Type : PDF MIME Type : application/pdf PDF Version : 1.6 Linearized : Yes Encryption : Standard V2.3 (128-bit) User Access : Extract Tagged PDF : Yes XMP Toolkit : 3.1-701 Producer : Acrobat Distiller 8.1.0 (Windows) Company : Dell Computer Corporation Source Modified : D:20101001111200 Creator Tool : Word8墁 Acrobat PDFMaker 8.1 Modify Date : 2010:10:08 09:35:31+09:00 Create Date : 2010:10:01 20:12:17+09:00 Metadata Date : 2010:10:08 09:35:31+09:00 Document ID : uuid:c425871d-1bc1-4ccc-8235-ce20615daded Instance ID : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32 Subject : 4 Format : application/pdf Creator : Arlene Goldberg Title : President Clinton Event Request Form Page Count : 5 Page Layout : OneColumn Author : Arlene Goldberg
  • 19. © Copyright 2013 EMC Corporation. All rights reserved. Reconnaissance / Weaponization Collection • EXIFTool • http://www.sno.phy.queensu.ca/~phil/exiftool/ • OfficeMalScanner / RTFscan • http://www.reconstructer.org/code.html • Cerbero PE Insider / PE Explorer • http://icerbero.com/peinsider • http://www.heaventools.com • Revelo / Malzilla / PdfStreamDumper • http://www.ntcore.com/exsuite.php • http://malzilla.sourceforge.net • Malware Tracker Doc/PDF Scanners • https://www.malwaretracker.com
  • 20. © Copyright 2013 EMC Corporation. All rights reserved. Delivery – Email Attack http://contagiodump.blogspot.com/2011/06/may-31-cve-2010-3333-doc-q-and-adoc.html
  • 21. © Copyright 2013 EMC Corporation. All rights reserved. Delivery – Watering Hole Attack http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in- active-malware-attack-ms-warns/
  • 22. © Copyright 2013 EMC Corporation. All rights reserved. Delivery – Watering Hole Attack • Function names appear random, but can actually be hardcoded and shared across multiple attacks • Referenced filenames can also be used as indicative of an attack
  • 23. © Copyright 2013 EMC Corporation. All rights reserved. Exploitation CVE-2014-1761 (MS14-017) http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication- attackers
  • 24. © Copyright 2013 EMC Corporation. All rights reserved. Exploitation CVE-2014-1761 (MS14-017) http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication- attackers • Metadata (ismail) copy/pasted multiple times • Shellcode stored as ?u-##### Integer-casted Unicode bytes • If RTF & # of same Metadata fields > 2 & “?u-”
  • 25. © Copyright 2013 EMC Corporation. All rights reserved. Delivery / Exploitation Collection • VirusTotal • https://www.virustotal.com • Jotti • http://virusscan.jotti.org • URLQuery • http://urlquery.net • Joe Sandbox URL Analyzer • http://www.url-analyzer.net • YARA / SignSrch Rules
  • 26. © Copyright 2013 EMC Corporation. All rights reserved. Installation Typical domain of forensics • File system activity • Registry activity • Entrenchment / Persistence • Anti-Forensics
  • 27. © Copyright 2013 EMC Corporation. All rights reserved. Installation – Collection Tools • Noriben • https://github.com/Rurik/Noriben • CaptureBAT • Cuckoo Sandbox • Web-based: • Anubis - https://anubis.iseclab.org • Eureka! - http://eureka.cyber-ta.org • Malwr - https://malwr.com • ThreatExpert - http://www.threatexpert.com
  • 28. © Copyright 2013 EMC Corporation. All rights reserved. Noriben v1.6 (Beta – Stable release in Aug) Processes Created: ================== [CreateProcess] Explorer.EXE:1432 > ”%UserProfile%Desktopmalware.exe" [Child PID: 2520] [CreateProcess] malware.exe:2520 > "C:WINDOWSsystem32cmd.exe" [Child PID: 3444] [CreateProcess] services.exe:680 > "C:WINDOWSSystem32svchost.exe -k HTTPFilter" [Child PID: 3512] File Activity: ================== [New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357 [New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543- 500$fab110457830839344b58457ddd1f357L [New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543- 500$fab110457830839344b58457ddd1f357U [CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543- 500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned] [CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543- 500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46] [New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18 [New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357 [New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357L [New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357U [CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357@ [MD5: d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned] [CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46] [CreateFile] services.exe:680 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357@ [MD5: d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned] [New Folder] services.exe:680 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357U [DeleteFile] cmd.exe:3444 %UserProfile%Desktopmalware.exe
  • 29. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) http://<DOMAIN>/kys_allow_get.asp?name=getkys.jpg&ho stname=HOSTNAME-192.168.1.120130623SCRyyy http://<DOMAIN>/web/movie.swf?apple=8A969692D8CDCDD0 D0D0CCD0D0DACCD0D0D0CCD0D1D7CD958780CD96878F92CC879A 87E2E2E2E2 256-byte seemingly random beacons: 00000000 F9 B5 A0 96 DE 35 E0 33 F8 BD 9C 49 E2 3E E4 EF ùµ –Þ5à3ø½œIâ>äï 00000016 D6 FD 8D 60 03 22 A0 52 0E FC 0B C9 35 70 9A AC Öý•`." R.ü.É5pš¬ 00000032 34 16 95 67 90 CB F5 34 76 F5 DC 99 04 73 7E E2 4.•gËõ4võÜ™.s~â 00000048 FB 90 45 82 65 3A AC 44 C0 EC 0A 6A E0 6E 90 B7 ûE‚e:¬DÀì.jàn•· 00000064 0D CC BF EC 5E 6B 32 6F 08 84 09 8E 46 C9 3C 48 .Ì¿ì^k2o.„.ŽFÉ<H 00000080 75 CD 21 56 0C 0B A9 E4 96 37 D9 64 93 33 D7 43 uÍ!V..©ä–7Ùd“3×C 00000096 BA E0 A1 C8 CB BB A7 4B D3 ED AF 4D 1C 28 87 FD ºà¡ÈË»§KÓí¯M.(‡ý 00000112 65 33 97 8D 20 3D 88 B6 B5 CE 10 CA CC 4D 27 76 e3—=ˆ¶µÎ.ÊÌM'v 00000128 63 19 63 7B ED 98 EE 0A 6A 5D 71 AC B9 10 BD C6 c.c{í˜î.j]q¬¹.½Æ 00000144 A7 9A 86 EB 17 D0 97 E7 86 D5 9A FD D4 12 27 01 §š†ë.Зç†ÕšýÔ.'. 00000160 4E 6A 20 D8 B0 55 02 E8 1C 44 9C 35 8F AC C4 0A Nj Ø°U.è.Dœ5•¬Ä. 00000176 0A 19 70 E3 4C E6 B9 3B 6B C1 73 E2 1B C0 27 CD ..pãLæ¹;kÁsâ.À'Í 00000192 BF 5D E8 6E 68 02 27 50 5D C6 35 EB F5 44 8C 45 ¿]ènh.'P]Æ5ëõDŒE 00000208 B7 B4 08 D6 BE B0 9E 3E F8 D8 A9 79 EC D3 19 50 ·´.Ö¾°ž>øØ©yìÓ.P 00000224 19 5F 22 BE 00 A8 36 6B FA 35 9E BF 3F 86 E1 F4 ._"¾.¨6kú5ž¿?†áô 00000240 EF CB 33 09 48 5D A8 05 8C 57 A1 CC E8 F4 6B 31 ïË3.H]¨.ŒW¡Ìèôk1
  • 30. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) Identification DeepEnd Research Library of Malware Traffic Patterns
  • 31. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) Collection • WireShark • FakeNET • practicalmalwareanalysis.com/fakenet • Netcat • Known C2 Clients • Commodity RAT / Custom RAT • Python / Perl • On-the-fly C2 clients
  • 32. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) Collection • Host an array of known and custom- made C2 servers • If you think malware is known, let it beacon against that server and check for a handshake • Extract victim info from beacon handshake and move on to the next sample!
  • 33. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) Collection • What if you can get all intel-based artifacts without even running it? • Search for configuration data, decrypt, and archive. • Extract: • Beacon domains • Beacon ports • Campaign IDs • Mutexes • And all statically!
  • 34. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) Collection • Configuration Dumpers (Static) e.g. github.com/MalwareLu/config_extractor/ $ config_jRAT.py malware.jar port=31337 os=win mac mport=-1 perms=-1 error=true reconsec=10 ti=false ip=www.malware.com pass=password id=CAMPAIGN mutex=false toms=-1 per=false name= timeout=false debugmsg=true
  • 35. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) Collection What if it’s encrypted?! • Reverse once to determine decryption routine They keep changing encryption! • Look for its decrypted structure in memory • Write YARA rule targeting that structure • Dump from memory • Encryption routine is easy to change, decrypted structure typically stays the same
  • 36. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) Collection Configuration Dumpers (Memory) E:VMs> vol.py -f WinXP_Malware.vmem pslist Offset(V) Name PID PPID Start ---------- -------- ------ ------ -------------------- 0x81efc550 java.exe 1920 660 2013-09-18 22:23:10 E:VMs> vol.py -f WinXP_Malware.vmem memdump -p 1920 -D dump Writing java.exe [ 1920] to 1920.dmp E:VMs> vol.py -f WinXP_Malware.vmem yarascan -p 1920 –Y “SPLIT” Owner: Process java.exe Pid 1920 0x2abadbec 53 50 4c 49 54 03 03 03 69 70 3d 77 77 77 2e 6d SPLIT...ip=www.m 0x2abadbfc 61 6c 77 61 72 65 2e 63 6f 6d 53 50 4c 49 54 09 alware.comSPLIT. 0x2abadc0c 09 09 09 09 09 09 09 09 70 61 73 73 3d 70 61 73 ........pass=pas 0x2abadc1c 73 77 6f 72 64 53 50 4c 49 54 0e 0e 0e 0e 0e 0e swordSPLIT...... 0x2abadc21 53 50 4c 49 54 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e SPLIT........... 0x2abadc31 0e 0e 0e 69 64 3d 43 41 4d 50 41 49 47 4e 53 50 ...id=CAMPAIGNSP 0x2abadc41 4c 49 54 10 10 10 10 10 10 10 10 10 10 10 10 10 LIT............. 0x2abadc51 10 10 10 6d 75 74 65 78 3d 66 61 6c 73 65 53 50 ...mutex=falseSP
  • 37. © Copyright 2013 EMC Corporation. All rights reserved. Command and Control (C2) Collection Configuration Dumpers (Memory) http://www.ghettoforensics.com/2013/10/dumping-malware- configuration-data-from.html
  • 38. © Copyright 2013 EMC Corporation. All rights reserved. Actions Reconnaissance • Network sweeps Privilege Escalation • pwdump#, mimikatz, keyloggers Exfiltration • Keyloggers • Directory Listings • Archives (rar –hp | rar –p) Remote Execution • psexec
  • 39. © Copyright 2013 EMC Corporation. All rights reserved. Actions Malware C2 • Decrypt/Decode Malware communications beyond a simple beacon Requires: • Reversing C2 code from malware • PCAP of traffic to compromised system • MITRE ChopShop or equivalent tool
  • 40. © Copyright 2013 EMC Corporation. All rights reserved. Enumerating Indicators • Hashes (MD5, fuzzy, imphash, …) • File • PE sections • PE imports • Entrenchment / Persistence • File locations • Registry keys (*Run*, Shimcache) • C2 communication • Hashes, sizes • Dynamic vs static bytes
  • 41. © Copyright 2013 EMC Corporation. All rights reserved. Collecting Indicators • Store results in database • RTIR / CRITS • Custom-programmed • Per-incident data archives • Emails, files • Residual artifacts • Memory dumps • PCAPs / Proxy logs
  • 42. © Copyright 2013 EMC Corporation. All rights reserved. Reusing Indicators Do analysis once, reuse indicators • Static Signatures • YARA • SignSrch / ClamSrch • Dynamic Signatures • CybOX/STIX/MAEC • IOCs • Network Signatures • Snort • ChopShop
  • 43. © Copyright 2013 EMC Corporation. All rights reserved. Static Signatures – YARA rule CoreFlood_ldr_decoder { strings: $strRegKey = "MlLrqtuhA3x0WmjwNM27" $strAPI = "3etProcAddr" $codeSub_85BA = { 81 EA BA 85 00 00 } $codeXOR_85BC = { 05 BC 85 00 00 } condition: all of ($str*) and any of ($code*) }
  • 44. © Copyright 2013 EMC Corporation. All rights reserved. Static Signatures Write multiple signatures for each file • Write a sig for each notable item • Catches subtle modifications • Detect when capabilities change PDB string Unique strings Encryption routines MATH!
  • 45. © Copyright 2013 EMC Corporation. All rights reserved. Make Indicators Intelligent Indicators are just a raw set of data Intelligence comes through: • Grouping indicators • Indexing all edges (files) AND vertices (activity) • File1 is a dropper, File2 is a driver • File2 is a binary resource of BIN222 in File1 • File2 is stored as encrypted (XOR by 0xBB) • File1 drops File2
  • 46. © Copyright 2013 EMC Corporation. All rights reserved. Example: Attack 1
  • 47. © Copyright 2013 EMC Corporation. All rights reserved. Example: Attack 2
  • 48. © Copyright 2013 EMC Corporation. All rights reserved. Correlate the Attacks
  • 49. © Copyright 2013 EMC Corporation. All rights reserved. Take-Aways • Standardize on a signature format (YARA, IOC, STIX) • Write as many signatures as possible for each item to track variations over time • Try to automate, e.g. cuckoo2STIX • Spend downtime reanalyzing old incidents with new data / intel
  • 50. © Copyright 2013 EMC Corporation. All rights reserved. Take-Aways • Use VirusTotal Intelligence • Create feeds for YARA to find new variants • Acknowledge weaknesses of Cyber Kill Chain • It focuses on initial and holistic attack flow • Simplistic design means everything is thrown into Actions • It doesn’t scale to varied and orchestrated attacks
  • 51. © Copyright 2013 EMC Corporation. All rights reserved. Questions/Comments? Brian.Baskin@RSA.com

Editor's Notes

  1. Sudit et al, Towards Impact Assessment Automation for Multi-Stage Cyber Attacks - http://www.rit.edu/~w-cmmc/research/Sudit.pdf
  2. This is a CVE-2010-3333 exploit, but what we should focus on is the shellcode used as part of the attack. Is it unique? How is the payload encoded? Is it unique? Is there a file marker? For decrementing 256 byte XOR, what’s the starting byte? Are there payload markers (4-byte strings)
  3. This is a CVE-2010-3333 exploit, but what we should focus on is the shellcode used as part of the attack. Is it unique? How is the payload encoded? Is it unique? Is there a file marker? For decrementing 256 byte XOR, what’s the starting byte? Are there payload markers (4-byte strings)
  4. This is a CVE-2010-3333 exploit, but what we should focus on is the shellcode used as part of the attack. Is it unique? How is the payload encoded? Is it unique? Is there a file marker? For decrementing 256 byte XOR, what’s the starting byte? Are there payload markers (4-byte strings)
  5. This is a CVE-2010-3333 exploit, but what we should focus on is the shellcode used as part of the attack. Is it unique? How is the payload encoded? Is it unique? Is there a file marker? For decrementing 256 byte XOR, what’s the starting byte? Are there payload markers (4-byte strings)
  6. http://contagiodump.blogspot.com/2011/06/may-31-cve-2010-3333-doc-q-and-adoc.html
  7. http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/
  8. http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/
  9. CVE-2014-1761 (MS14-017) http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers
  10. CVE-2014-1761 (MS14-017) http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers
  11. http://www.deependresearch.org/2013/04/library-of-malware-traffic-patterns.html
  12. http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html