Malformity BsidesBoston2013

Uploaded on


More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • ----- Meeting Notes (4/19/13 20:08) -----Out of the box, Maltego is an Open-source information gathering tool. It can assist in taking disparate pieces of information about websites, companies, network infrastructure, social media profiles, and lots more and getting it all in one place. It does not create intelligence, it assists you in gathering information to formulate intelligence. There won't (or at least shouldn't) be a situation in which human analysis isn't required while using Maltego. It's java based, which many may groan at, but that means it runs in Windows/OSX/Linux. As you'll see, it can be easily customized and extended to meet many different needs.
  • ----- Meeting Notes (4/19/13 20:08) -----Best of all, when you're done, you have a pretty graph that you can show management, but it also helps identify relationships more quickly. This particular example is the enumeration of a malicious infrastructure with domains, IPs, and registrant information, which is probably my most common use case at the moment.
  • ----- Meeting Notes (4/19/13 20:08) -----There are 3 basic concepts in Maltego that are important to understand for analysis purposes. The first is the base building block for anything. Every item on a Maltego graph is an entity. There are lots of entities included by default in Maltego such as domains, IPs, Companies, etc. and Malformity installs additional malware specific entities. Transforms do just that, they transform one entity in to another. They use an input entity, do some work, and produce an output entity. Some basic default examples include domains to email address (using whois data), IPs to domains and vice versa using resolution information, and emails to related emails using a search engine. Machines are a newer concept in Maltego and use the Maltego Scripting language. They essentially allow an analyst to chain transforms together, which can be useful for automating common tasks and more automatically producing certain graphs.
  • ----- Meeting Notes (4/19/13 20:40) -----Another important point is that there are two different types of transforms that can be developed. Transform distribution servers can be used to house transforms remotely. Default transforms use the Paterva transform servers, and Malformity is currently composed of all local transforms. Each has a set of pros and cons though.Local transforms allow each analyst complete control over how data is handled and what the transforms do. They can be used for transforms that require a machine specific value (such as IP address filtering), and can be written in any language. However, that means that all dependencies must be installed on every box the transforms run on. It also makes version control a pain since transforms have to be installed on every box individually, and aren't automatically updated. Additionally, Maltego doesn't support certain features for local transforms, such as the slider bar, which limits the number of output entities that can be returned (more about that issue later). Lastly, it requires things like API keys and UN/PW combinations be stored on each box, which isn't ideal in many situations.It's probably not a surprise that many of the pros/cons are reversed for remote transforms. The remote nature makes the transforms easier to install (once) and easier to maintain since they aren't present on disparate systems. Additionally, all features, such as limiting the number of returned entities, are supported. However, you still have a data sensitivity issue since the data could potentially be traveling over the Internet. You've also introduced a single POF, such that if your server goes down, all analysts are out of luck. Lastly, you can't as closely integrate Maltego with anything system specific, and analysts can't edit transforms as easily should the need arise. You can counteract some of these problems, but that is going to require you to buy your own TDS, which indtroduces the money con.
  • ----- Meeting Notes (4/19/13 20:40) -----In their basic form, machines chain transforms together to produce additional output. For instance, I could start with a domain, resolve the IP, and then turn than in to a netblock. When I'm done, I've run two transforms and have three entities on the graph. However, MSL allows you to make machines more complex. I'm not going in depth since this isn't a Maltego course, but basically, there are two types of complex machines. The first runs transforms in serial operation. Given one input entity, you can run multiple transforms that produce multiple types of output entities, and continue to run each pipe individually. This can produce multiple types of entities and the pipes don't merge.Parallel machines still run multiple transforms on an input entity, but they're transforms that produce the same types of output entities, which can then be run through another transform to produce the final output entity.
  • ----- Meeting Notes (4/19/13 21:05) -----Dev: For default Maltego development, transforms would require handling lots of XML. Paterva does put out some resources to assist with this, but they don't offer the same additional functionality as Canari.Distro: Everyone can grab a Canari project collection and ensure a standard baselineInstall: Instead of having to manually configure X number of transforms, the package can be easily installed with a few commands. This especially comes in handy if updating multiple transforms, grabbing new versions, etc.
  • ----- Meeting Notes (4/19/13 21:05) -----So what is Malformity then? It's a Canari project that consists of Malware focused transforms and entities. At present, it contains transforms for VirusTotal checks (including the new Passive DNS lookup), hash checks through bit9 FileAdvisor, multiple passive DNS transforms using ISC, ASN checks from the Internet Storm Center, TeamCYMRU Hash checks, and report details from viCheck and ThreatExpert.There were several check in previous versions, but the website underwent a fairly heavy change recently and that resulted in those transforms becoming inoperable. They now have an API, but it's not available for wide use. I've exchanged a few emails and I'm hoping that it eventually opens up a bit so it can be added back as a source.
  • ----- Meeting Notes (4/19/13 22:26) -----Of course, you need Maltego first. After grabbing and installing for your OS, you can clone the git repository for Malformity. Moving in to the directory and running the install routine should download and install the dependencies required for Malformity, which include canari. If for some reason this fails, the dependencies are listed in the readme and can be downloaded individually.You have to start Maltego once prior to installing any packages because it has to initialize all of its files, and if it's your first time running, you'll have to click through some prompts and create an account. After completely the initialization, exit Maltego.Once that's done, you can install the Malformity package from the command line. *NOTE* - Do NOT use sudo when you install the Malformity package. Maltego is particularly picky about permissions and doing so will most likely results in some sort of malfunction. If you have more than one version of Maltego (or any other Paterva product) installed, select the appropriate one and proceed.
  • ----- Meeting Notes (4/19/13 22:28) -----If all goes well, you'll see something like this in the command window.
  • ----- Meeting Notes (4/19/13 22:48) -----And when you start Maltego, you can click either of these buttons and see either of these things. If you're good until this point, you should be good to start using Malformity.
  • ----- Meeting Notes (4/19/13 21:05) -----Quick example: An email is flagged due to a malicious attachment, which ended up stripped, but the hash was reported. Grab that hash and throw it in to Maltego.----- Meeting Notes (4/19/13 22:48) -----Quick Disclaimer: This example was planned prior to Malwr changing format and I had planned to do it live. Unfortunately, that isn't possible anymore :-(
  • ----- Meeting Notes (4/19/13 22:48) -----Running that hash through VirusTotal didn't turn up any results.
  • ----- Meeting Notes (4/19/13 22:48) -----Continuing to the other resources, ThreatExpert and viCheck also came up negative, but Malwr returned results.I find situations like this particularly useful because I don't have to visit and search each site individually, I can do it all from one location.
  • ----- Meeting Notes (4/19/13 22:48) -----I proceeded to run the remaining Malwr, which provided a series of IP addresses, some service names, a handful of domains, and some dropped hashes. It also returned a UserAgent, which could be useful in cases that the Malware uses a malformed string.Based on this information, I've got a pretty good idea that I don't want this on my network, even if it's not overtly malicious.
  • ----- Meeting Notes (4/19/13 22:48) -----Continuing down the line, we get some detection hits from VirusTotal based on one of the dropped files. Perhaps the original file was a newer lure not yet delivered to VirusTotal, but it re-used the same payload as previous campaigns.
  • ----- Meeting Notes (4/19/13 22:48) -----So I've made the determination that the file is malicious and I have a few indicators to look for. However, I can quickly grab additional network indicators using passive DNS. In this case, it yields several additional IPs and Domains to investigate with. I can now institute blocks for these, as well as check logs to see if any emails made it to a user's inbox.
  • ----- Meeting Notes (4/19/13 22:48) -----I don't currently have any machines in Malformity, but they're next on my list. I'd like to get at least a few basic ones developed so I can get some feedback from the community. My biggest concern with these at the moment is the lack of result limiting for local transforms. At present, there is no undo button in Maltego. It's due out in the next release. In some situations, such as with passive dns, this can lead to an explosion of entities on a graph, which for most machines, will basically kill it.I also plan on developing host-based transforms, versus the primarily web-based ones that I currently have. I think there could be some interesting uses for visualizing relationships among binaries using some light-weight static analysis methods. Additionally, I'd love to build out transforms for other vendor tools and APIs so that analysts can use Malformity in daily work. My largest hurdle with this is just getting access to the tools.As mentioned, I hope to re-introduce the malwr transforms at some point in the future. I also want to add some more sources, as well as build out additional transforms for sources already in the project.Suggestions/Requests are always welcome!


  • 1. MalformityYour Malware and Malicious Infrastructure OSINTAssistant
  • 2. Who Am I?• BS/MS in Information Assurance from Norwich University• Background in Forensics & IR• Started career in the .gov, moved to the MS-ISAC, and nowwork on the Verizon RISK Team• Primary author/maintainer of Malformity!All opinions are my own and do not reflect or represent those of my current or past employers.
  • 3. Agenda• What is Malformity?• What is Maltego?• Who’s Familiar?• Groundwork• What is Canari?• Malformity• Installation• Current Status• Examples!• Future Development Plans• Linkage
  • 4. Before we Start…• Maltego is a product developed by Paterva and it’s prettyawesome. The guys at Paterva are too. If you’re usingMaltego in a commercial capacity (or have some freecash), please consider purchasing a license.• Canari is developed and maintained by Nadeem Douba. Heprovides awesome support, so if you see himanywhere, throw a drink of his choice his way.• Thanks to Ohdae for letting me include his entity set inMalformity.• David Bressler is also presenting on Maltego in the nexttime slot so check it out!
  • 5. What is Malformity?Malformity is a local transform package for Maltegothat was developed using the Canari Framework toassist in gathering data about malware and maliciousinfrastructure.
  • 6. Ok…What does that mean?
  • 7. Maltego• Open-source information gathering tool• Websites, Companies, Infrastructure, Social Media, etc.• Cross platform & customizable• GUI provides graphical representation of data to identifyrelationships
  • 8. Maltego
  • 9. Maltego• Entities• Company• IPv4 Address• Domain• Transforms• Domain to Email Address• IPv4 to Domains• Email to related Email Addresses• Machines• Domain to Email to Related Email to Person• Macro vs. Timed
  • 10. Maltego TransformsLocal• Pros• Complete Control• Machine Specific• Language Independent• Cons• Dependencies• Version Control• Missing Features• Data SensitivityRemote• Pros• Ease of Use• Universal Updates• More Features• Cons• Data Sensitivity• Single POF• Integration & ControlParaphrased from and more information available at:
  • 11. Maltego MachinesSerialInputEntityxForm 1axForm 2aOutputEntity axForm 1bxForm 2bOutputEntity bParallelInputEntityxForm axForm dOutputEntityxForm b
  • 12. Canari• Framework for transform development• Cross Platform• Local & remote transforms now supported• Multiple language support• So what?
  • 13. Canari• Greatly simplifies:• Development• Distribution• Installation• Makes projects like Malformity easier for people to use!
  • 14. Malformity• MALware transFORMs and entITY• Collection of transforms to assist with conducting malwareand malicious infrastructure researchAll trademarks belong to their respective owners and Malformity is not associated with any of these organizations.
  • 15. Malformity Install1. Download & Install Maltego if you haven’t already2. Grab Malformity• $ git clone Set up Malformity• $ cd Malformity• $ sudo python install4. Start Maltego to initialize it fully, and then exit out of theapplication5. Install Malformity• $ canari install-package Malformity• Select the installation you’d like it to apply to
  • 16. Malformity Install
  • 17. Malformity Install
  • 18. UC#1 – Individual Hash Lookup1. Hash Entity -> Portal Searches
  • 19. UC#1 – Individual Hash Lookup2. ThreatExpert Success!
  • 20. UC#1 – Individual Hash Lookup3. Viewing TE report confirms badness
  • 21. UC#2 – Is this Domain/IP Bad?1. For some reason I’m interested in
  • 22. UC#2 – Is this Domain/IP Bad?2. Yea… it’s recognized
  • 23. UC#2 – Is this Domain/IP Bad?3. But as what?
  • 24. UC#2 – Is this Domain/IP Bad?4. Well… this one probably doesn’t require a deep diveTROJ_GEN.F47V0425 – Skodna.Casino.CH – GAME/Casino.Gen – WS.Reputation.1
  • 25. UC#2 – Is this Domain/IP Bad?5. Grab some additional indicatorsUser Agents, Port, IP Address, URL, etc.
  • 26. UC#3 – Threat Tracking/Mapping1. Assume we start with one verified domain
  • 27. UC#3 – Threat Tracking/Mapping2. Limited results – but results nonetheless
  • 28. UC#3 – Threat Tracking/Mapping3. Continuing, we can actually get carried away
  • 29. UC#3 – Threat Tracking/Mapping• Do NOT assume results are infallible• This type of research is an iterative process• You should be building in other data sources (Not allautomated)• Weeding out false positives is a requirement• Sinkholes• Parking Pages• Random Abnormalities
  • 30. Future Development• Machines!• Automate common transform chains• Take one step closer to Intelligence• Host-based / Local Net transforms• Binary Analysis & Correlation• Vendor tools & APIs• MOAR WEB SOURCES!!!• New & Buildout• Community Suggestions
  • 31. Linkage• Malformity:• Maltego:• Canari:• Canari & Project Forums:• Installing Malformity:
  • 32. Questions?