Fighting Malware Without Antivirus

When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one antivirus vendor and, when they suspect a compromise, simply wait for that vendor to issue signatures.

If a company thinks it may be compromised but there is no AV signature, then what?

What if we could use basic Python scripting to identify malware based on signatures we produce in real time? There are plenty of Python tools, scripts and frameworks for malware identification, including yara, pefile, the NSRL hash database, pyemu, hachoir, volatility and pyew.

What if we could integrate these into a system for centrally issuing indicators of compromise? What if hosts we suspect of being compromised used this system to check themselves for compromise? Let's find out...

1. jeff bryner: finding malware without antivirus
2. the problem
   - you hear about a 0-day, or malware coming your way
3. THE problem?
   - maybe it's already inside your enterprise?
4. how do you hear about it?
   - how do you get notified of a new threat? internal? external? word of mouth?
5. how do you fight?
   - what tools do you have to fight?
6. safe?
   - antivirus doesn't cover the primary phase of IR: identification
   - when antivirus fires, you're already in containment
   - IR phases: preparation, identification, containment, eradication, recovery, lessons learned
7. what if there is no signature?
8. do you just wait it out?
9. do you panic?
10. help!
    - what if folks want to help and share info?
11. sharing = hard
    - email is too informal, may not reach everyone
    - logs only hold what they were told to log
    - pen/paper?
    - every security tool has its own unique format
12. answer = OpenIOC? openioc.org
    - IOC = Indicator of Compromise
13. an IOC is just XML:
    <ioc>
      <short_description>firefox running</short_description>
      <description>Is firefox in the list of running processes</description>
      <authored_by>jab</authored_by>
      <authored_date>2012-08-14T21:46:51</authored_date>
      <links />
      <definition>
        <Indicator operator="OR">
          <IndicatorItem condition="contains">
            <Context document="ProcessItem" search="ProcessItem/name" />
            <Content type="string">firefox</Content>
          </IndicatorItem>
        </Indicator>
      </definition>
    </ioc>
14. xml + malware = two problems?
    - I know.. now we have two problems: a compromise and an XML format.
    - The IOC format is a reasonable approach, but not many tools support it.
    - IOCs are too complex to write by hand (see flame.ioc).
    - The IOC collection and analysis toolset is limited.
15. (the IOC from slide 13 again) sample IOC to see if firefox is running.. the name could just as well be svch0st.exe, etc.
16. automation advantages: Flame filename IOCs:
    FileItem/FileName is ~a28.tmp or
    FileItem/FileName is ~DFL542.tmp or
    FileItem/FileName is ~DFL543.tmp or
    FileItem/FileName is ~DFL544.tmp or
    FileItem/FileName is ~DFL545.tmp or
    FileItem/FileName is ~DFL546.tmp or
    FileItem/FileName is ~dra51.tmp or
    FileItem/FileName is ~dra52.tmp or
    FileItem/FileName is ~fghz.tmp or
    FileItem/FileName is ~rei524.tmp or
    FileItem/FileName is ~rei525.tmp or
    FileItem/FileName is ~TFL848.tmp or
    FileItem/FileName is ~TFL842.tmp or
    FileItem/FileName is GRb2M2.bat or
    FileItem/FileName is indsvc32.ocx or
    FileItem/FileName is scaud32.exe or
    FileItem/FileName is scsec32.exe or
    FileItem/FileName is sdclt32.exe or
    FileItem/FileName is sstab.dat or
    FileItem/FileName is sstab15.dat or
    FileItem/FileName is winrt32.dll or
    FileItem/FileName is winrt32.ocx or
    FileItem/FileName is wpab32.bat or
    FileItem/FileName is commgr32.dll or
    FileItem/FileName is comspol32.dll or
    FileItem/FileName is comspol32.ocx or
    ...
    73 different filenames! 125 different IOC items total!
    - malware is way beyond the point where we can hope to discover it by just poking around a system
17. IOC collection and analysis toolset is limited: IOCFinder and IOCEditor are free, but:
    - Windows only, no unix/linux/mac
    - time consuming (45 mins to collect data on a win2k8r2 vanilla install)
    - manual process: run iocfinder, collect xml data (lots), process iocs on data
    OK, if it's so great why aren't we using it? existing IOC tools have some gaps
18. No support for IOCs in common agents: BigFix, ncircle, tripwire, SCCM, nessus, ...
    - you probably have one of these agents in addition to AV running on your hosts; no love for IOCs...
19. open source to the rescue?
    - maybe we can ease the burden with some open source tools?
20. What if we could create a system for centrally issuing indicators of compromise? What if hosts we suspect of being compromised used this system to check themselves for compromise? Let's find out...
21. portability, accessibility, price, readability
    - proposal: a simple python-based client/server system to rapidly deploy agents to search for IOCs when necessary.
    - complementary to AV, not a replacement
22. zero-install; copy and paste a single .exe
    - simple zero-install python client, compiled to a native executable on linux/windows, 32 and 64 bit.
23. simple server for issuing IOCs in realtime
    - simple python server to dish out IOCs and receive results
24. demos
25. simple IOC client/server examples
26. small server
    $ wc -l pyiocServer.py
    141 pyiocServer.py
27. small-ish client
    $ wc -l *.py */*.py
     249 pyiocClient.py
     118 iocItems/FileItem.py
      47 iocItems/PortItem.py
      82 iocItems/ProcessItem.py
      77 iocItems/RegistryItem.py
       0 iocItems/__init__.py
       0 lib/__init__.py
      55 lib/log.py
      18 lib/settings.py
      37 lib/util.py
     683 total
    - client is fairly small, with support for common file, process and registry IOCs.
28. server folder structure:
    $ find iocs/
    iocs/
    iocs/172.16.0.0-16
    iocs/172.18.6.0-24
    iocs/172.18.6.0-24/pybackdoor.ioc
    iocs/10.83-16
    iocs/10.83-16/sshto10.83.222.50.ioc
    iocs/10.83-16/windows.ioc
    iocs/10.83-16/duqu.ioc
    iocs/172.21-16
    iocs/172.21-16/firefox.ioc
    iocs/10.200-16
    iocs/10.200-16/firefox.ioc
    iocs/10.200-16/windows.ioc
    iocs/10.200-16/duqu.ioc
    - uses netblock CIDR masks as folder names to determine what IOCs to send to what clients
29. simple ioc detection demo: windows.ioc, firefox.ioc
30. our malware
    - what good is a malware finding tool without malware? Let's create some: a python back-door
31. ioc creation using IOC Editor
32. ioc distribution via the ioc server
    - CIDR mask directory names control which IOCs go to which clients
33. ioc client push
    - simple xcopy installation; wmiFileTransfer demo
34. ioc client run
    - run once, or run via an at job for recurring checks.
35. next steps:
    - Publish: github.com/jeffbryner
    - Is it useful? Will it be used? What's missing? Vendor support in their tools?
36. jeff bryner, jeffbryner.com, jeff@jeffbryner.com, github.com/jeffbryner
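The two pieces the slides describe but do not show code for, the server picking IOC files by netblock folder (slide 28) and the client evaluating an OpenIOC document against what it collected (slides 13, 15 and 16), as an added Python example. This is not the pyioc client or server from the talk, which is not reproduced on this page. It uses the firefox IOC from slides 13 and 15 as written, a constructed two-entry IOC in the shape of the Flame file-name list on slide 16, and a dictionary mirroring the `find iocs/` listing on slide 28. The host snapshot is constructed, the rule that a folder name drops trailing zero octets (so 10.83-16 means 10.83.0.0/16) is an assumption read off the listing, and comparing names case-insensitively is an assumption about Windows file and process names.

```python
# Added example (not the talk's pyioc code): a minimal OpenIOC evaluator plus the
# netblock-folder routing of slide 28. All IOC files, folders and host data are constructed.
import ipaddress
import xml.etree.ElementTree as ET

# ---- server side (slide 28): which .ioc files does a given client receive? ----
def folder_to_network(name):
    """Map a folder name such as '10.83-16' or '172.18.6.0-24' to an ip_network.
    Assumption: omitted trailing octets are zero, so '10.83-16' is 10.83.0.0/16.
    strict=True makes a folder with host bits set ('10.83.1-16') raise instead of
    silently serving its IOCs to a wider netblock than the name suggests."""
    prefix, bits = name.rsplit("-", 1)
    octets = prefix.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=True)

def iocs_for_client(client_ip, tree):
    """tree maps folder name -> .ioc file names; it stands in for iocs/ on disk."""
    ip = ipaddress.ip_address(client_ip)
    chosen = set()
    for folder, files in tree.items():
        if ip in folder_to_network(folder):
            chosen.update(files)
    return sorted(chosen)

# Mirrors the `find iocs/` listing on slide 28.
IOC_TREE = {
    "172.16.0.0-16": [],
    "172.18.6.0-24": ["pybackdoor.ioc"],
    "10.83-16": ["sshto10.83.222.50.ioc", "windows.ioc", "duqu.ioc"],
    "172.21-16": ["firefox.ioc"],
    "10.200-16": ["firefox.ioc", "windows.ioc", "duqu.ioc"],
}

# ---- client side (slides 13-16): evaluate one IOC against what the host collected ----
# Assumption: Windows file and process names compare case-insensitively.
CONDITIONS = {
    "is": lambda observed, content: observed.lower() == content.lower(),
    "contains": lambda observed, content: content.lower() in observed.lower(),
}

def _local(tag):  # drop a namespace prefix: '{urn:x}Indicator' -> 'Indicator'
    return tag.rsplit("}", 1)[-1]

def _child(elem, name):
    return next(c for c in elem if _local(c.tag) == name)

def evaluate_indicator(indicator, snapshot):
    """Recursively evaluate <Indicator operator="OR|AND">. snapshot maps a search
    path such as 'ProcessItem/name' to the list of values collected on the host."""
    results = []
    for item in indicator:
        tag = _local(item.tag)
        if tag == "Indicator":
            results.append(evaluate_indicator(item, snapshot))
        elif tag == "IndicatorItem":
            search = _child(item, "Context").get("search")
            content = (_child(item, "Content").text or "").strip()
            test = CONDITIONS[item.get("condition")]  # KeyError on unsupported condition
            results.append(any(test(v, content) for v in snapshot.get(search, [])))
    combine = all if indicator.get("operator", "OR").upper() == "AND" else any
    return bool(results) and combine(results)

def evaluate_ioc(ioc_xml, snapshot):
    """Return (short_description, matched) for one .ioc document."""
    root = ET.fromstring(ioc_xml)
    definition = _child(root, "definition")
    hit = any(evaluate_indicator(i, snapshot)
              for i in definition if _local(i.tag) == "Indicator")
    return _child(root, "short_description").text, hit

# The IOC from slides 13 and 15, verbatim apart from whitespace.
FIREFOX_IOC = """<ioc><short_description>firefox running</short_description>
<description>Is firefox in the list of running processes</description>
<authored_by>jab</authored_by><authored_date>2012-08-14T21:46:51</authored_date><links />
<definition><Indicator operator="OR"><IndicatorItem condition="contains">
<Context document="ProcessItem" search="ProcessItem/name" /><Content type="string">firefox</Content>
</IndicatorItem></Indicator></definition></ioc>"""

# Constructed two-entry IOC in the shape of the Flame file-name list on slide 16.
FLAME_FILES_IOC = """<ioc><short_description>flame file names</short_description>
<definition><Indicator operator="OR">
<IndicatorItem condition="is"><Context document="FileItem" search="FileItem/FileName" />
<Content type="string">~DFL542.tmp</Content></IndicatorItem>
<IndicatorItem condition="is"><Context document="FileItem" search="FileItem/FileName" />
<Content type="string">winrt32.dll</Content></IndicatorItem>
</Indicator></definition></ioc>"""

# Constructed host snapshot: what the agent's process and file collectors returned.
HOST = {
    "ProcessItem/name": ["explorer.exe", "firefox.exe", "svchost.exe"],
    "FileItem/FileName": ["ntoskrnl.exe", "~DFL542.tmp", "notepad.exe"],
}

if __name__ == "__main__":
    print("10.83.4.7 gets:", iocs_for_client("10.83.4.7", IOC_TREE))
    for ioc in (FIREFOX_IOC, FLAME_FILES_IOC):
        print(evaluate_ioc(ioc, HOST))
```

Running it prints the three files a 10.83.x.x client would be served and a hit for both IOCs against the constructed snapshot. Two design points worth keeping if you build on this: the folder parser is strict, so a mistyped folder such as 10.83.1-16 fails loudly rather than quietly shipping its IOCs to a whole /16; and the evaluator walks nested Indicator elements, so an AND of several IndicatorItems (or an OR of ANDs) works without special-casing, which is what makes a 125-item IOC like flame.ioc practical to run. In a real agent the snapshot dict would be filled by collectors for FileItem, ProcessItem, RegistryItem and PortItem, which is the split the client's iocItems/ directory on slide 27 suggests.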
