Malformity
Your Malware and Malicious Infrastructure OSINT Assistant
Who Am I?
• BS/MS in Information Assurance from Norwich University
• Background in Forensics & IR
• Started career in the .gov, moved to the MS-ISAC, and now work on the Verizon RISK Team
• Primary author/maintainer of Malformity!
All opinions are my own and do not reflect or represent those of my current or past employers.
Agenda
• What is Malformity?
• What is Maltego?
• Who’s Familiar?
• Groundwork
• What is Canari?
• Malformity
• Installation
• Current Status
• Examples!
• Future Development Plans
• Linkage
Before we Start…
• Maltego is a product developed by Paterva and it’s pretty awesome. The guys at Paterva are too. If you’re using Maltego in a commercial capacity (or have some free cash), please consider purchasing a license.
• Canari is developed and maintained by Nadeem Douba. He provides awesome support, so if you see him anywhere, throw a drink of his choice his way.
• Thanks to Ohdae for letting me include his entity set in Malformity.
• David Bressler is also presenting on Maltego in the next time slot, so check it out!
What is Malformity?
Malformity is a local transform package for Maltego that was developed using the Canari Framework to assist in gathering data about malware and malicious infrastructure.
Maltego
• Open-source information gathering tool
• Websites, Companies, Infrastructure, Social Media, etc.
• Cross platform & customizable
• GUI provides a graphical representation of data to identify relationships
Maltego
• Entities
  • Company
  • IPv4 Address
  • Domain
• Transforms
  • Domain to Email Address
  • IPv4 to Domains
  • Email to related Email Addresses
• Machines
  • Domain to Email to Related Email to Person
  • Macro vs. Timed
Maltego Transforms
Local
• Pros
  • Complete Control
  • Machine Specific
  • Language Independent
• Cons
  • Dependencies
  • Version Control
  • Missing Features
  • Data Sensitivity
Remote
• Pros
  • Ease of Use
  • Universal Updates
  • More Features
• Cons
  • Data Sensitivity
  • Single POF
  • Integration & Control
Paraphrased from, and more information available at: http://paterva.com/web6/documentation/developer.php
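To make the local-transform contract concrete, here is an added example (not code from Malformity or Canari) of a bare local transform for the "IPv4 to Domains" case: Maltego hands the selected entity's value to the process as its first argument and reads a MaltegoTransformResponseMessage XML document back from stdout. The passive-DNS data is constructed for the demo; a real transform would query an OSINT source.

```python
"""Minimal Maltego local transform written without Canari, to show the
contract a transform package such as Malformity fulfils underneath."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample passive-DNS data (hypothetical, for the demo only).
SAMPLE_PDNS = {
    "203.0.113.10": ["malicious.example", "update.example"],
}


def ipv4_to_domains(ip):
    """Lookup step: return the domains seen resolving to ip (sample data)."""
    return SAMPLE_PDNS.get(ip, [])


def build_response(entity_type, values, weight=100):
    """Serialise output entities as a MaltegoTransformResponseMessage.

    Maltego's built-in entity types are named e.g. maltego.Domain and
    maltego.IPv4Address; Weight controls how prominently a node is ranked.
    """
    root = ET.Element("MaltegoMessage")
    msg = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(msg, "Entities")
    for value in values:
        ent = ET.SubElement(entities, "Entity", Type=entity_type)
        # ElementTree escapes &, < and > so untrusted OSINT values cannot
        # break the XML document Maltego parses.
        ET.SubElement(ent, "Value").text = value
        ET.SubElement(ent, "Weight").text = str(weight)
    return ET.tostring(root, encoding="unicode")


def parse_entities(xml_text):
    """Read the entity values back out of a response document (for checks)."""
    root = ET.fromstring(xml_text)
    return [e.findtext("Value") for e in root.iter("Entity")]


if __name__ == "__main__":
    ip = sys.argv[1]  # Maltego passes the input entity's value here
    print(build_response("maltego.Domain", ipv4_to_domains(ip)))
```

Run as `python transform.py 203.0.113.10` to see the XML Maltego would receive; Canari generates this plumbing for you, which is why Malformity is built on it.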
Canari
• Framework for transform development
• Cross Platform
• Local & remote transforms now supported
• Multiple language support
• So what?
Canari
• Greatly simplifies:
  • Development
  • Distribution
  • Installation
• Makes projects like Malformity easier for people to use!
Malformity
• MALware transFORMs and entITY
• Collection of transforms to assist with conducting malware and malicious infrastructure research
All trademarks belong to their respective owners and Malformity is not associated with any of these organizations.
Malformity Install
1. Download & Install Maltego if you haven’t already
2. Grab Malformity
  • $ git clone http://github.com/digital4rensics/Malformity
3. Set up Malformity
  • $ cd Malformity
  • $ sudo python setup.py install
4. Start Maltego to initialize it fully, and then exit out of the application
5. Install Malformity
  • $ canari install-package Malformity
  • Select the installation you’d like it to apply to
UC#3 – Threat Tracking/Mapping
3. Continuing, we can actually get carried away
UC#3 – Threat Tracking/Mapping
• Do NOT assume results are infallible
• This type of research is an iterative process
• You should be building in other data sources (not all automated)
• Weeding out false positives is a requirement
  • Sinkholes
  • Parking Pages
  • Random Abnormalities
Future Development
• Machines!
  • Automate common transform chains
  • Take one step closer to Intelligence
• Host-based / Local Net transforms
  • Binary Analysis & Correlation
  • Vendor tools & APIs
• MOAR WEB SOURCES!!!
  • New & Buildout
  • Community Suggestions