My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
Honeypot
Dionaea: Low interaction honeypot that emulates vulnerable network services.
https://github.com/rep/dionaea (written in C)
@santiagobassett
santiago@cuckoo:~$ nmap dionaea
Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 21:04 PDT
Nmap scan report for dionaea (54.235.216.XXX)
Host is up (0.070s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
42/tcp open nameserver
80/tcp open http
135/tcp open msrpc
443/tcp open https
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
Honeypot results
• Captured 126 unique binaries in 3 months
• Highly detected by ClamAV (80%)
santiago@dionaea:/opt/dionaea/var/dionaea/binaries# clamscan *
----------- SCAN SUMMARY -----------
Known viruses: 3517573
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 126
Infected files: 101
Data scanned: 17.65 MB
Data read: 18.11 MB (ratio 0.97:1)
Time: 56.447 sec (0 m 56 s)
Honeyclient
Thug: Low interaction honeyclient, used to detect drive-by-download attacks.
https://github.com/buffer/thug (Python)
Thug emulates:
• Core browser functionality
• ActiveX controls
• Browser plugins
Drive-by download attack
http://urlquery.net/report.php?id=1410227505197
Malware crawlers results
• Captured 345 unique binaries in 15 minutes
• Poorly detected by ClamAV (16%)
santiago@mwcollector:~/binaries/maltrieve$ clamscan *
----------- SCAN SUMMARY -----------
Known viruses: 3517100
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 235
Infected files: 38
Data scanned: 164.24 MB
Data read: 143.86 MB (ratio 1.14:1)
Time: 254.462 sec (4 m 14 s)
Dynamic Analysis - Cuckoo
Automated malware analysis. Runs binary files in virtual machines to study their behavior.
• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps
Integrated with YARA, VirusTotal and Volatility, among other tools. Supports VirtualBox, KVM and VMware.
OSSEC - Rootcheck
Used for rootkit and malware detection. It can be used to:
• Look for suspicious files.
• Inspect files and registry keys for common rootkit/malware entries.
• Look for hidden processes and network ports.
Future Work
• Use/create Cuckoo signatures to identify different malware patterns (droppers, downloaders, trojans, rootkits, …)
• Create Cuckoo reporting module to report (JSON) on those patterns that OSSEC can detect.
• Python tool to parse module output and generate rootcheck rules.
• Add/improve OSSEC malware detection capabilities.
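As an added example (not code from the presentation or from OSSEC/Cuckoo), the "parse module output and generate rootcheck rules" step of the planned pipeline: a small Python tool that reads the JSON a custom Cuckoo reporting module might emit and writes an OSSEC rootcheck entry in the win_malware_rcl.txt style (f: file checks and r: registry value checks). The report shape, sample name, paths and registry value are constructed assumptions.

```python
import json

# Constructed sample of the JSON a custom Cuckoo reporting module might emit.
# This shape is an assumption for the example; it is not Cuckoo's report format.
SAMPLE_REPORT = json.dumps({
    "sample": "Example.Dropper",
    "patterns": ["dropper", "persistence"],
    "files_created": [
        "C:\\Windows\\System32\\example_svc.dll",
        "C:\\Users\\Public\\example_loader.exe",
        "C:\\Users\\victim\\AppData\\Local\\Temp\\tmp1234.tmp",
    ],
    "registry_written": [
        {"key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "value": "ExampleLoader"},
    ],
})

# Artifacts that make poor signatures: scratch files vary between runs and
# would only produce noise or false positives on the monitored hosts.
VOLATILE_MARKERS = ("\\temp\\", "\\tmp\\")
VOLATILE_SUFFIXES = (".tmp", ".log")

def is_volatile(path):
    """True for paths unlikely to be stable indicators of this sample."""
    low = path.lower()
    return any(m in low for m in VOLATILE_MARKERS) or low.endswith(VOLATILE_SUFFIXES)

def rootcheck_rule(report_json):
    """Turn one report into a rootcheck entry in the win_malware_rcl.txt style:
    a [Name] [any] [] header, then f: (file) and r: (registry value) checks.
    [any] means a single matching check is enough to raise an alert."""
    report = json.loads(report_json)
    header = "[%s (%s)] [any] []" % (report["sample"], ", ".join(report["patterns"]))
    checks = []
    for path in report.get("files_created", []):
        if not is_volatile(path):
            checks.append("f:%s;" % path)
    for entry in report.get("registry_written", []):
        checks.append("r:%s -> %s;" % (entry["key"], entry["value"]))
    if not checks:
        return ""  # nothing stable to look for; emit no rule at all
    return "\n".join([header] + checks) + "\n"

if __name__ == "__main__":
    print(rootcheck_rule(SAMPLE_REPORT))
```

The emitted text is meant to be appended to the rootcheck rules file referenced from ossec.conf; the temp-file filter is the part worth tuning, since every volatile path that slips through becomes a check that never matches.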