
Commodity malware means YOU


Background of commodity malware and how you can learn from the past and detect the future.
MalwareArchaeology
LOG-MD


  1. Commodity malware means YOU!
     • And everybody in this room; let’s look at one called Dridex
     • Michael Gough – Founder, MalwareArchaeology.com
  2. Who am I
     • Blue Team Defender Ninja, Malware Archaeologist, Logoholic
     • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
     • Creator of the “Windows Logging Cheat Sheet”, “Windows PowerShell Logging Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” and “Malware Management Framework”
     • Co-Creator of “Log-MD” – Log Malicious Discovery Tool
       – With @Boettcherpwned – Brakeing Down Security PodCast
     • @HackerHurricane, also my Blog MalwareArchaeology.com
  3. Goal
     • Interaction – Don’t be a Ding Dong, ask a question… you WILL be rewarded for positive synergy!
     • Learn how us Ninjas do it so you can too
     • We have a NEW Tool for YOU!!!
  4. Total Malware
     • Total Malware 2015: 470 Million
  5. New Malware
     • NEW Malware 2015: 140 million
  6. The Panda Says
  7. It’s only getting worse
  8. Symantec says…
  9. Top 8 threats
     • These are what we see most
     • What all of YOU see most
     • The 20% of what AV focuses on
     • We can learn a lot from this
  10. Dridex movin on up
     • Mandiant M-Trends 2016 Report
  11. More of the same
     • According to CheckPoint’s ThreatCloud in 2015…
     • 3000 different malware ‘families’
     • 80% have been active for years, some for 8 years
     • Of the Top 100, which accounted for 90% of all attacks in 2015, only 3 were new, and those were outside the Top 40
     • More proof Malware Management works
  12. SANS says…
  13. Sophos Says…
     • 70% of malware is unique to 1 company (APT)
     • 80% of malware is unique to 10 or fewer companies (APT)
     • That means…
     • 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room sees and gets by:
       – Attachments in email
       – URL in email
       – Surfing the web
         • Ads
         • WordPress, Drupal, Joomla…
  14. Types of Malware
     • I say there are basically two types of malware:
     • Commodity malware – The 20% the AV industry focuses on
     • Advanced malware – The 80% that the AV industry does not focus on and “may” get around to IF you force them by being a client, or if they have multiple customers in a particular industry (e.g. retail PoS) that receive it
  15. Commodity malware
     • This is the stuff you and everyone in the room gets and sees; your family, friends and clients too
     • Emails, URLs, surfing
     • Most is Commodity malware
     • Pwned Ad networks
     • Some will be NEW
     • Some will be APT
  16. VirusTotal
     • Commodity malware will be detected within a few days
     • APT… not so much
     • I still have samples from 2012 that have ZERO detection ;-(
     • And I gave 12 AV companies a copy of it
     • Shows how much they care about APT
  17. Malware evolves
     • So must we
     • Darwin says so
     • Evolve or die
     • Well… Evolve or get breached anyways
     • Which means an RGE !!!
       – Resume Generating Event
  18. Before Dridex
     • Zeus – 2007
       – SpyEye evolved from Zeus
       – Bugat/Cridex evolved from Zeus
       – Gameover Zeus taken down 2014
     • Bugat & Cridex – 2012
     • Dridex – Late 2014
       – Generated 15,000 emails daily
     • C2 Servers taken down Dec 2015
     • Now we have Locky
  19. Locky, the next BIG thing
  20. Locky… Today and tomorrow
  21. Locky
  22. BlackEnergy
     • More Malware Management proof
  23. Ha Ha Ha Hollywood
     • Darwin said… Pay up or DIE !!!
     • Ottawa Hospital also hit
  24. DRIDEX
  25. Dridex
     • We have probably all seen one of these
     • Did I say Commodity Malware?
     • Uses Word documents that are hard for email gateways to detect
     • Yes, users have to “Enable Macroses”, but they would NEVER do that…
  26. Commodity Malware Smarter than ever
     • In 2015 I have witnessed things with commodity malware usually reserved for APT
       – Because they are evolving from APT
     • More use of scripts to avoid AV detection
     • More use of PowerShell backdoors!
     • More stealthy persistence
  27. Dridex Artifacts
  28. Dridex Artifacts – .BAT
     • Do I have a network connection?
     • What language am I?
     • Set variables for the name of the .VBS script
  29. Dridex Artifacts – .VBS
     • Notice the path %temp%
     • Ah Hell…
     • Build the PowerShell script execution
  30. Dridex Artifacts – .VBS #2
  31. Dridex Artifacts #3
     • Script
     • Using math
     • Easy variants
  32. Dridex Artifacts – .PS1
     • Domains to phone home to
     • Path – %temp%
  33. Dridex Artifacts – .PS1
     • 8 + .exe – Payload name
     • 444.jpg – Stats file
     • User Agent to emulate a browser
     • Download the files
     • Assemble the names .vbs, .jpg, .bat, .PS1
     • Sleep 15
     • Execute the payload – cmd.exe %file%
     • Remove the files
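The .BAT, .VBS, .PS1 and payload stages described on slides 28 to 33 leave a parent/child trail in process-creation auditing. The example below is added here and is not code from the slides or from LOG-MD; it reconstructs that trail from constructed 4688/Sysmon-style records (the ProcEvent fields, paths and pids are assumptions) and reports the chain a defender should go looking for.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable (hypothetical 4688/Sysmon-style record)
    cmdline: str

TEMP = "\\appdata\\local\\temp\\"          # %temp% of a normal user profile
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def _name(e):
    return e.image.lower().rsplit("\\", 1)[-1]

def find_dridex_chains(events):
    """Return a pid list for every cmd.exe that ran a .bat from %temp% and whose
    descendants then went .vbs -> powershell .ps1 -> payload .exe, as on the slides."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    chains = []
    for root in events:
        cl = root.cmdline.lower()
        if _name(root) != "cmd.exe" or ".bat" not in cl or TEMP not in cl:
            continue
        lineage, stack = [], [root]
        while stack:                     # walk every descendant of the .bat launcher
            e = stack.pop()
            lineage.append(e)
            stack.extend(children[e.pid])
        got_vbs = any(_name(e) in SCRIPT_HOSTS and ".vbs" in e.cmdline.lower() for e in lineage)
        got_ps1 = any(_name(e) == "powershell.exe" and ".ps1" in e.cmdline.lower() for e in lineage)
        got_exe = any(_name(e) == "cmd.exe" and TEMP in e.cmdline.lower()
                      and e.cmdline.lower().rstrip().endswith(".exe") for e in lineage)
        if got_vbs and got_ps1 and got_exe:
            chains.append([e.pid for e in lineage])
    return chains

# Constructed sample: Word spawns the chain from slides 28-33; pid 200 is unrelated noise.
SAMPLE = [
    ProcEvent(100, 90, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.doc"),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Users\Bob\AppData\Local\Temp\a1b2.bat"),
    ProcEvent(102, 101, r"C:\Windows\System32\wscript.exe", r"wscript C:\Users\Bob\AppData\Local\Temp\a1b2.vbs"),
    ProcEvent(103, 102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\Users\Bob\AppData\Local\Temp\a1b2.ps1"),
    ProcEvent(104, 103, r"C:\Windows\System32\cmd.exe", r"cmd.exe C:\Users\Bob\AppData\Local\Temp\12345678.exe"),
    ProcEvent(200, 90, r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]
```

Process command-line logging (4688 with command line, or Sysmon Event ID 1) has to be switched on for these records to exist at all, which is the point slide 41 makes.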
  34. VM Aware… What do I say?
     • Use Bare Bones to do analysis
  35. Persistence
     • New method towards the end of 2015
     • Nothing in the Registry showing persistence while the system was running
     • In memory only until system shutdown
     • Then we caught the bugger, with good auditing of course and
  36. Malware Management
     • Proof it works
     • If you look at Zeus, Cridex and Dridex, you are better prepared for Locky
     • Learn from History
     • Your defenses and detection MUST evolve too
     • Read the malware analysis and breach reports
     • Tweak your tools
     • Focus on new kewl hooks and artifacts
  37. How we harvested malware
     • Yay Email!!!
     • Since the primary delivery was Phishing, we were able to grab copies of the Word documents
     • Executed in the Lab
     • Grabbed the artifacts
     • Updated our Detection
     • We knew if anyone fell for it and opened them
     • We knew what to cleanup
  38. How we harvested malware
     • File Copy loop in Directories discovered:

     ```bat
     @echo off
     cls
     md Captured
     :Redo
     rem Copy everything (incl. empty subdirs) in backup mode, no retries, 1s wait,
     rem no progress output, skip older files, and exclude the Captured dir itself.
     robocopy . Captured /E /B /r:0 /w:1 /np /xo /xd Captured
     goto Redo
     :End
     ```

     • Ninja Tip:
       – Great to do in Labs for User space AppData
  39. INTERMISSION
  40. Announcing the release of…
     • Version 1.0
     • FREE! and $299
  41. Log and Malicious Discovery tool
     • When you run the tool, it tells you what auditing and settings it requires you to configure. LOG-MD won’t harvest anything until you configure the system!
     • Once the system and/or GPO is configured:
       1. Clear the logs
       2. Infect the system
       3. Run Log-MD
       4. Review “Report.csv” in Excel
  42. Functions
     • Audit Report of log settings compared to:
       – The “Windows Logging Cheat Sheet”
       – Center for Internet Security (CIS) Benchmarks
       – Also USGCB and AU ACSC
     • White lists to filter out the known good
       – By IP Address
       – By Process Command Line and/or Process Name
       – By File and Registry locations (requires File and Registry auditing to be set)
     • Report.csv – data from logs specific to security
  43. Purpose
     • Malware Analysis Lab
     • Investigate a suspect system
     • Audit Advanced Audit Policy settings
     • Help MOVE or PUSH security forward
     • Give the IR folks what they need, and the Feds too
     • Take a full system (File and Reg) snapshot to compare to another system and report the differences
     • Discover tricky malware artifacts
     • SPEED!
     • Deploy with anything you want: SCCM, LanDesk, PSExec, PS, etc…
     • Replace several tools we use today with one easy-to-use utility that does much more
     • To answer the question: Is this system infected or clean?
     • And do it quickly!
  44. Free Edition
     • Harvest security relevant log data
     • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
     • Perform a full File Baseline of a system
     • Compare a suspect system to a Baseline or Dir
     • Perform a full Registry snapshot of a system
     • Compare a suspect system to a Reg Baseline
     • Look for Large Registry Keys for hidden payloads
  45. Everything the Free Edition does and…
     • More reports, breakdown of things to look for
     • Specify the Output directory
     • Harvest Sysmon logs
     • Harvest WLS Logs
     • Whitelist Hash compare results
     • Whitelist Registry compare results
     • Create a Master-Digest to exclude unique files
     • Free updates for 1 year, expect a new release every quarter
     • Manual – How to use LOG-MD Professional
  46. Future Versions – In the works!
     • WhoIs lookups of IP Addresses called
     • VirusTotal lookups of discovered files
     • Find parent-less processes
     • Assess all processes and create a Whitelist
     • Assess all services and create a Whitelist
     • VirusTotal lookups of unknown or new processes and services
     • PowerShell details
     • Other API calls to security vendors
  47. Let’s look at some LOG-MD RESULTS
  48. Crypto Event
     • C:\Users\Bob\AppData\Roaming\vcwixk.exe
     • C:\Users\Bob\AppData\Roaming\vcwpir.exe
     • C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL
     • C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
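Slide 42 describes whitelisting by IP, process name and command line, and slide 48 shows what is left once the known good is gone. The example below is added here and is not LOG-MD code: it runs that whitelist-then-triage step over constructed rows shaped like a Report.csv export (the column names, whitelist entries and destination IPs are assumptions) and tags the shadow-copy deletion and the self-deleting cmd /c del from the Crypto Event slide.

```python
import csv
import io
import re

# Constructed rows in the shape of a LOG-MD Report.csv export. The column names
# are assumed for this example; the real report may label them differently.
REPORT_CSV = """EventID,Process,CommandLine,DestIP
4688,C:\\Windows\\System32\\svchost.exe,svchost.exe -k netsvcs,
4688,C:\\Users\\Bob\\AppData\\Roaming\\vcwixk.exe,C:\\Users\\Bob\\AppData\\Roaming\\vcwixk.exe,
4688,C:\\Windows\\System32\\cmd.exe,C:\\WINDOWS\\system32\\cmd.exe /c del C:\\Users\\Bob\\AppData\\Roaming\\vcwixk.exe >> NUL,
4688,C:\\Windows\\System32\\vssadmin.exe,C:\\Windows\\System32\\vssadmin.exe delete shadows /all /Quiet,
5156,C:\\Program Files\\Browser\\browser.exe,,203.0.113.7
5156,C:\\Users\\Bob\\AppData\\Roaming\\vcwpir.exe,,198.51.100.23
"""

# Known-good entries: the three whitelist kinds from slide 42 (values constructed).
WHITELIST = {
    "ip": {"203.0.113.7"},
    "process": {"c:\\windows\\system32\\svchost.exe"},
    "cmdline_prefix": ("svchost.exe -k",),
}

# Patterns for the behaviour seen on the Crypto Event slide.
RULES = [
    ("shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("self-delete via cmd /c del", re.compile(r"cmd(\.exe)?\s+/c\s+del\s+.*\\appdata\\", re.I)),
    ("executable run from AppData", re.compile(r"\\appdata\\(roaming|local)\\[^\\]+\.exe$", re.I)),
]

def is_whitelisted(row):
    if row["DestIP"] in WHITELIST["ip"]:
        return True
    if row["Process"].lower() in WHITELIST["process"]:
        return True
    return row["CommandLine"].lower().startswith(WHITELIST["cmdline_prefix"])

def triage(report_text):
    """Drop whitelisted rows, then tag each remaining row with the rule names it matches.
    Returns a list of (EventID, Process, [tags]) in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if is_whitelisted(row):
            continue
        target = row["CommandLine"] or row["Process"]   # 5156 rows carry no command line
        tags = [name for name, rx in RULES if rx.search(target)]
        findings.append((row["EventID"], row["Process"], tags))
    return findings
```

Rows that survive with an empty tag list are the ones to vet by hand and, once cleared, to move into the whitelist, which is the loop slide 51 describes with Excel filters.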
  49. Malicious Word Doc – DRIDEX
  50. Malicious Word Doc con’t – More DRIDEX
  51. Use the power of Excel
     • The reports are in .CSV format
     • Excel has sorting and Filters
     • Filters are AWESOME to thin out your results
     • You might take filtered results and add them to your whitelist once vetted
     • Save to .XLS and format, color code and produce your report
     • For .TXT files use NotePad++
  52. So what do we get?
     • WHAT Processes executed
     • WHERE it executed from
     • IP’s to enter into Log Management to see WHO else opened the malware
     • Details needed to remediate the infection
     • Details to improve your Active Defense!
     • I did this in… 15 Minutes!
  53. Resources
     • Websites
       – Log-MD.com – The tool
       – The “Windows Logging Cheat Sheet” – MalwareArchaeology.com
       – Malware Analysis Report links too – To start your Malware Management program
     • This presentation is on SlideShare – Search for MalwareArchaeology or LOG-MD
  54. Testers for RC-1
     • May 1st 2016 – launch date
     • Looking for a few good testers…
       – of LOG-MD Professional
     • Test the manual and tool and provide feedback
     • You WILL be rewarded for the effort ;-)
     • You heard it here first!
     • A gift from your local Austin Security Professionals
  55. Questions?
     • You can find us at:
       – Log-MD.com
       – @HackerHurricane
       – @Boettcherpwned
       – MalwareArchaeology.com
       – HackerHurricane.com (blog)
       – http://www.slideshare.net – LinkedIn now
