Malware Management - HouSecCon 2014

Practicing this method will help you detect even the most advanced malware. Example of the Target Breach and others.


  1. Malware Management
     YOU CAN FIND THE MOST ADVANCED MALWARE, EVEN THE SNEAKY NSA STUFF WITH THIS METHOD
     Michael Gough – Founder, MalwareArchaeology.com
  2. Who am I
     • Blue Team Defender Ninja, Malware Archaeologist, Logoholic
     • @HackerHurricane
     • Inventor of the Malware Management Framework
     • I love malware and malware discovery – send me your good stuff ;-)
     • I love logs – they tell us Who, What, Where, When and hopefully How
       – Created the “Windows Logging Cheat Sheet”
  3. We know a bit about this one
     • We discovered this May 2012
     • Met with the Feds ;-)
  4. Why we are here
     • To learn something you CAN take back to work and do tomorrow!
     • Learn actionable Malware Management
     • Provide you resources
     • Education – Security 101
     • And to avoid….
  5. You’re Next [collage slide of breach victims and sizes; figures as extracted: 97,000; 76 Mil + 8 Mil; 1000+ Businesses; 395 Stores; 4.5 Million; 25,000; 4.9 Million; 4.03 Million; 105k trans; 40 Million; 40+70 Million; $148 Mil; 33 locations; 650k – 2010; 76,000; 670,000; 1900 locations; 145 Million; 20,000; 3 Million; 35,000; 60,000 alerts; 990,000; 56 Mil; 550,000; TBD; names: Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP]
  6. Malware Management
     • Anyone NOT practice Vulnerability Management?
     • Malware Management is basically the same thing
     • Review malware analysis, reports and descriptions to tweak your tools and logs – they tell you where to look/monitor first
  7. Create a Matrix of Indicators
  8. RECENT EXAMPLES
  9. CryptoLocker
     • Ransomware
     • Stupid malware
     • Dropped executable in %AppData% root – C:\Users\<username>\AppData\Roaming
       – There are NEVER any .EXE’s here
     • User initiated by clicking on something or Email
       – But drive-by infection possible too
  10. Crypto Variants
  11. Log for CryptoLocker type event
     • Dropped in the root of %AppData% – AppData\Roaming
     • Enable Auditing – EventID 4663
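As an added illustration (not code from the talk), the Python below applies the indicator on this slide to Windows Event ID 4663 records: a write of an executable directly into the root of AppData\Roaming. It assumes object-access auditing is enabled on that folder so 4663 events exist; the one-line `key="value"` export format and every path in the sample are constructed for the example.

```python
"""Flag the CryptoLocker-style indicator from the slide: an executable dropped
directly into the root of %AppData% (C:\\Users\\<user>\\AppData\\Roaming), using
Event ID 4663 records. Added example, not from the talk; assumes auditing is
enabled on the Roaming folder. The export format below is constructed."""
import re
from pathlib import PureWindowsPath

# Constructed sample export, one event per line, key="value" pairs as a SIEM
# forwarder might emit them. Only the fields this check needs are included.
# When the folder's audit SACL is inherited by files, Object Name is the file;
# a directory-level AddFile event would name the directory instead.
SAMPLE_LOG = r'''
EventID="4663" ObjectName="C:\Users\alice\AppData\Roaming\Microsoft\Word\normal.dotm" ProcessName="C:\Program Files\Microsoft Office\WINWORD.EXE" Accesses="WriteData (or AddFile)"
EventID="4663" ObjectName="C:\Users\alice\AppData\Roaming\svchost.exe" ProcessName="C:\Program Files\Microsoft Office\OUTLOOK.EXE" Accesses="WriteData (or AddFile)"
EventID="4663" ObjectName="C:\Users\alice\AppData\Roaming\Adobe\Update\updater.exe" ProcessName="C:\Windows\explorer.exe" Accesses="WriteData (or AddFile)"
EventID="4663" ObjectName="C:\Users\alice\AppData\Roaming\readme.exe" ProcessName="C:\Windows\explorer.exe" Accesses="ReadData (or ListDirectory)"
EventID="4656" ObjectName="C:\Users\alice\AppData\Roaming\loader.EXE" ProcessName="C:\Windows\explorer.exe" Accesses="WriteData (or AddFile)"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# The slide says .EXE; other PE types that also never belong in the root are included.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}
WRITE_ACCESSES = ("WriteData", "AddFile", "AppendData")


def parse_events(text):
    """Turn each non-empty export line into a dict of its key="value" fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.strip().splitlines() if line.strip()]


def in_appdata_root(path):
    """True when path is a file directly inside ...\\AppData\\Roaming (no subfolder)."""
    parent = tuple(part.lower() for part in PureWindowsPath(path).parent.parts)
    return parent[-2:] == ("appdata", "roaming")


def is_executable(path):
    return PureWindowsPath(path).suffix.lower() in EXECUTABLE_SUFFIXES


def find_dropped_executables(text):
    """Return (object, writing process) for every 4663 write of an executable into the Roaming root."""
    hits = []
    for ev in parse_events(text):
        if ev.get("EventID") != "4663":          # only the event the slide calls out
            continue
        if not any(a in ev.get("Accesses", "") for a in WRITE_ACCESSES):
            continue                              # reads/listing are not a drop
        obj = ev.get("ObjectName", "")
        if is_executable(obj) and in_appdata_root(obj):
            hits.append((obj, ev.get("ProcessName", "")))
    return hits


if __name__ == "__main__":
    for obj, proc in find_dropped_executables(SAMPLE_LOG):
        print(f"ALERT: {proc} wrote {obj}")
```

Only the second line fires: the Office template lives in a subfolder, the Adobe updater is one level down, the read of readme.exe is not a write, and the 4656 handle request is not the event the slide asks you to audit. The writing process is kept in the alert because a mail client or browser writing an executable into Roaming is the click-or-email delivery the slide describes.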
  12. BlackPoS
     • Target… YAY
     • Many others
     • After getting some stuff for the house (Target) I went to get a sub for lunch (Jimmy John’s) and then shopping for a new suit (Neiman Marcus) and then off to the craft store to get kids stuff for school (Michael’s) and after all that running around I needed a drink (Spec’s)
  13. BlackPoS
  14. BlackPoS
  15. BlackPoS – iSight Recommendations
  16. BackOff
     • Home Depot – Got Toilet?
     • Many others, possibly 1000+
     • And then after dinner (P.F. Chang’s) I went to the building supply (Home Depot) to pick up some studs… and then did a night deposit at the bank (Chase, Citi..)
  17. BackOff – Great Reporting Example: US-CERT Alert (TA14-212A)
  18. BackOff – US-CERT Alert (TA14-212A)
  19. BackOff – US-CERT Alert (TA14-212A)
  20. Actionable PoS Detection
     • %AppData% (Roaming\New Dir)
     • Looks like Java, Adobe, but it’s not normally installed to these locations
     • Installs a Service
     • Updates the Run Key
  21. Now ATM’s??? – Tyupkin
     • More Stoopid malware
     • Dropped in System32
     • EventID 4663
     • Run Key
  22. Works for Linux too – Mayhem
     • Jedi Tip
     • Compare /proc to items running with ps
       – Things in /proc not in ps are suspicious
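The comparison on this slide, as an added example that is not from the talk: list the process IDs present in /proc, list the ones ps reports, and flag any that /proc shows but ps does not. The live collectors only work on Linux; the comparison itself is a pure function so it can be checked with constructed PID sets. The race handling (two /proc snapshots around the ps call) is this example's addition, not something the slide states.

```python
"""Compare PIDs in /proc with PIDs reported by ps. A PID that /proc shows but
ps omits is a process hidden from userland tooling and deserves a look.
Added example, not from the talk; Linux-only collectors, pure comparison."""
import os
import subprocess


def proc_pids():
    """PIDs from /proc: every purely numeric directory name."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs as ps reports them (-e: all processes, -o pid=: PID column, no header)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_before, ps_seen, proc_after):
    """PIDs present in both /proc snapshots but absent from ps output.

    Intersecting a snapshot taken before ps with one taken after removes the
    obvious false positives: a process that exited between the two views
    (ps itself included) or one that started while ps was running."""
    stable = proc_before & proc_after
    return sorted(stable - ps_seen)


def scan():
    """Live check: /proc, then ps, then /proc again."""
    before = proc_pids()
    seen = ps_pids()
    after = proc_pids()
    return hidden_pids(before, seen, after)


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", suspects if suspects else "none")
```

A hit is only a lead: confirm it by reading /proc/<pid>/cmdline and /proc/<pid>/exe directly, and treat a ps binary that disagrees with the kernel's own view as the thing to investigate, not the process list.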
  23. Windows is broken
     • You don’t need an 0-Day
     • Just a credential (Users click on stuff)
     • Or just visit a website – drive-bys
     • Targeted phish
     • Etc, etc, etc.
     • Drop a DLL next to any .EXE and BAM! Infected (DLL injection)
     • If you have the creds, just execute it and move on
  24. What is your strategy?
     • Do you believe you can prevent a breach?
     • Do you believe you can detect a breach
       – Within the average 210 days?
       – Within 30 days?
       – Within a week?
       – Within a few days?
       – Within a day?
       – Within hours?
  25. What is your strategy?
     • Or are you going to be told by a third party (90%+)?
     • How do you address advanced attacks?
     • Does your strategy include being proactive at looking for attacks targeting your specific industry?
  26. The Malware Management Framework
     • How do you validate your systems are clean of something like BlackPoS or BackOff?
     • Stuxnet, Flame, Duqu, SkyWiper, etc.
     • The next thing…
     • Did you look for these?
  27. You’re Next [repeat of the slide 5 collage of breach victims and sizes]
  28. Malware Management
     • You will see patterns
       – %AppData%
       – %Temp%
       – Windows, Windows\System32, Windows\System32\WBEM
       – Reg Keys, Domains, IP’s, etc.
       – Many other indicators
     • Build a Malware Matrix
     • Tweak your tools or scripts… or pick 1 or 10 systems and do it manually!
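The "Malware Matrix" this slide and slide 20 describe, as an added example rather than code from the talk: each row pairs a family named on the slides with one location or persistence indicator the slides list (root of %AppData%, a new folder under AppData\Roaming, %Temp%, System32, the Run key, a new service), and a host snapshot is checked against every row. The snapshot, the allowlist of expected Roaming folders and every path are constructed; the System32 Run-key row is correlated with a file write so it does not fire on the many legitimate Run entries that point there.

```python
"""A small malware matrix assembled from the locations and persistence
mechanisms the slides list, run against a constructed host snapshot.
Added example, not from the talk; family names are from the slides, the
snapshot, allowlist and paths are made up for illustration."""
from pathlib import PureWindowsPath

EXE_SUFFIXES = {".exe", ".dll", ".scr"}
# Folders one expects directly under AppData\Roaming. Constructed allowlist:
# tuning it to your environment is the "tweak your tools" step from the slide.
KNOWN_ROAMING_DIRS = {"microsoft", "adobe", "mozilla", "google"}


def _parts(path):
    """Lower-cased path components so matching is case-insensitive like NTFS."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _is_exe(path):
    return PureWindowsPath(path).suffix.lower() in EXE_SUFFIXES


def _after(parts, marker):
    """Components that follow the first occurrence of marker, or None if absent."""
    for i in range(len(parts) - len(marker) + 1):
        if parts[i:i + len(marker)] == marker:
            return parts[i + len(marker):]
    return None


def exe_in_roaming_root(path):
    rest = _after(_parts(path), ("appdata", "roaming"))
    return _is_exe(path) and rest is not None and len(rest) == 1


def exe_in_new_roaming_dir(path):
    """Executable one folder below Roaming, in a folder not on the allowlist."""
    rest = _after(_parts(path), ("appdata", "roaming"))
    return (_is_exe(path) and rest is not None and len(rest) == 2
            and rest[0] not in KNOWN_ROAMING_DIRS)


def exe_in_temp(path):
    rest = _after(_parts(path), ("appdata", "local", "temp"))
    return _is_exe(path) and rest is not None


def exe_in_system32(path):
    rest = _after(_parts(path), ("windows", "system32"))
    return _is_exe(path) and rest is not None


def runkey_launches_new_system32_file(cmd, snapshot):
    """Fires only when the Run key launches a file that was also newly written to System32."""
    return any(exe_in_system32(f) and f.lower() in cmd.lower() for f in snapshot.get("file", []))


# Rows: (family named on the slides, indicator, observation kind, predicate(evidence, snapshot)).
MATRIX = [
    ("CryptoLocker", "executable in root of %AppData%\\Roaming", "file",
     lambda e, s: exe_in_roaming_root(e)),
    ("BlackPoS/BackOff", "executable in a new folder under %AppData%\\Roaming", "file",
     lambda e, s: exe_in_new_roaming_dir(e)),
    ("BlackPoS/BackOff", "service image inside a user profile", "service",
     lambda e, s: "\\users\\" in e.lower()),
    ("BlackPoS/BackOff", "Run key pointing into %AppData%", "runkey",
     lambda e, s: "\\appdata\\" in e.lower()),
    ("Tyupkin", "executable dropped into System32", "file",
     lambda e, s: exe_in_system32(e)),
    ("Tyupkin", "Run key launching a file newly written into System32", "runkey",
     runkey_launches_new_system32_file),
    ("generic", "executable in %Temp%", "file", lambda e, s: exe_in_temp(e)),
]


def check_host(snapshot):
    """Return (family, indicator, evidence) for every matrix row the snapshot matches."""
    hits = []
    for family, indicator, kind, pred in MATRIX:
        for evidence in snapshot.get(kind, []):
            if pred(evidence, snapshot):
                hits.append((family, indicator, evidence))
    return hits


# Constructed snapshot of one host: recently written files, Run-key commands, service images.
SAMPLE_HOST = {
    "file": [
        r"C:\Users\pos01\AppData\Roaming\Microsoft\Word\normal.dotm",
        r"C:\Users\pos01\AppData\Roaming\OracleJava\javaw.exe",
        r"C:\Users\pos01\AppData\Local\Temp\setup.tmp",
        r"C:\Windows\System32\atmsrv.exe",
    ],
    "runkey": [
        r"C:\Users\pos01\AppData\Roaming\OracleJava\javaw.exe",
        r"C:\Windows\System32\atmsrv.exe",
    ],
    "service": [
        r"C:\Users\pos01\AppData\Roaming\OracleJava\javaw.exe",
        r"C:\Windows\System32\svchost.exe -k netsvcs",
    ],
}

if __name__ == "__main__":
    for family, indicator, evidence in check_host(SAMPLE_HOST):
        print(f"{family:18} {indicator:55} {evidence}")
```

On the sample host the Java-looking executable in a fresh Roaming folder trips three BlackPoS/BackOff rows at once (location, service, Run key), which is the pattern slide 20 calls actionable, and the System32 drop plus its Run key trips both Tyupkin rows. Adding a row is a one-line change, which is what makes the matrix cheap to keep current as new reports come in.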
  29. Malware Management
     • Do you know what is Good vs. Bad on your systems?
     • Do you re-image suspect or confirmed systems with malware?
  30. In Summary
     • Malware is noisy
     • We can detect it
     • Malware Management Framework WORKS
     • Create a Malware Matrix
     • Tweak your tools and logging
     • It only takes an hour or two a week
     • YOU CAN DO IT!
  31. Resources
     • Our Website – www.MalwareArchaeology.com
     • The Malware Management Framework – MalwareManagementFramework.Org
     • Malware Report Standard – To consistently report on what you found to others
     • MalwareArchaeology.com/resources – Windows Logging Cheat Sheet
     • HackerHurricane.com – BLOG – List of most malware analysis I read – Send me more!
  32. Questions? You can find us at:
     • Michael@MalwareArchaeology.com
     • MalwareArchaeology.com
     • @HackerHurricane
     • HackerHurricane.com (Blog)
     • Yes – We do consulting ;-)
