Zero Day Malware Detection/Prevention Using Open Source Software – Proof of Concept
Fathi Kamil Mohad Zainuddin
Senior Analyst (Malware Research Centre, MyCERT)
1. Copyright © 2015 CyberSecurity Malaysia
   ZERO DAY MALWARE DETECTION/PREVENTION USING OPEN SOURCE SOFTWARE – PROOF OF CONCEPT
   Malware Research Center, MyCERT
2. Outline
   • Introduction
   • Motivations
   • Objective
   • Process Flow
   • The Open Source components
   • Moving Forward
3. Introduction
   • Fathi Kamil Bin Mohad Zainuddin.
   • Senior Analyst in Malware Research Centre, MyCERT.
4. Introduction
   • Computer security issues have emerged ever since the Internet was introduced. Organizations and security researchers have increased their efforts to ensure that security threats are detected and mitigated in a timely manner. Today, as computer attacks tend to be malware-centric, cyber criminals have introduced sophistication into their attack techniques that makes the traditional way of protecting the enterprise, with firewalls, intrusion detection systems and antivirus software at the network perimeter, ineffective.
5. Introduction
   • Goal: to produce tools or capability for 0-day malware detection / prevention using open source software.
   • There are many Open Source network security components in the market that serve their purpose very well.
   • Known Open Source network security products include Snort, Suricata, Dionaea, Kippo, Glastopf, Ntop, Xplico, Wireshark, etc.
   • All we need is to glue them together to achieve our purpose.
6. Motivations
   • We deployed LebahNet (Honeynet) previously, but later found out that:
     – Dionaea plugins are difficult to maintain in order to follow the vulnerability trends and obtain new malware binaries.
     – We need an expert to maintain the plugins.
     – We did some attack simulation using Metasploit, but it produced poor results: not all vulnerability attacks were captured by Dionaea.
   • Network packets contain a lot of information, which may also include malicious documents, binaries and web communication that are not extracted from the network.
7. Objective
   • Capture & identify malicious documents, binaries, and web accesses from the network through packet capturing.
   • Simulate the malicious files / web accesses in a sandbox environment.
   • Collect the known-malicious information provided by the sandbox into a central database.
   • Generate callback signatures from the sandbox results to detect/prevent further malicious activities.
   • Distribute the malicious information among sensors.
8. Components – Network IDS / IPS
   • Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine.
   • Top 3 reasons:
     – Highly scalable.
     – Protocol identification.
     – File identification, MD5 checksums, and file extraction.
   • For our purpose, Suricata can produce:
     – Alert log.
     – File extraction based on signature within HTTP & SMTP.
       http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/
       http://blog.inliniac.net/2014/11/11/smtp-file-extraction-in-suricata/
     – HTTP log.
9. Components – Network IDS / IPS
   • Enabling file extraction - /etc/suricata/suricata.yml
10. Components – Network IDS / IPS
   • Suricata file extraction rules - /etc/suricata/rules/files.rules
11. Components – Network IDS / IPS
   • File extraction output - /var/log/suricata/files/
12. Components – Network IDS / IPS
   • HTTP Logs
13. Components – Network IDS / IPS
   • Drawback - High CPU processing
   • Suricata is a high performance NIDS/NIPS and utilizes all CPU cores, compared to Snort NIDS/NIPS. It can also utilize GPU cores.
   • PF_RING can be used to bypass the Linux OS TCP/IP stack. Suricata, running in userspace, gets direct access to the network buffer from the network card (kernelspace) without going through most of the OS layers.
   • You might want to read the 2012 article "Suricata, to 10Gbps and beyond": https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
14. Components – Sandboxing
   • Cuckoo Sandbox is a malware analysis system.
   • It produces traces of native functions and Windows API calls, copies of files created and deleted on the file system, a dump of the memory of the selected process, a full memory dump of the analysis machine, screenshots of the desktop during execution of the malware, and a network dump generated by the machine used for the analysis.
   • For our purpose, the files / web accesses extracted by Suricata are tested in a simulation environment using Cuckoo Sandbox.
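The Objective slide's "generate callback signatures from the sandbox results" step, as an added Python example (not code from the slides or from MyCERT): it turns the network section of a Cuckoo JSON report into Suricata rules that a sensor can load. The report below is a constructed stand-in with placeholder hosts, and the benign-domain allowlist is an assumption to be built from clean baseline runs.

```python
import json
import re
# Constructed stand-in for the JSON report Cuckoo writes per task; the real
# report carries the same "info" and "network" -> "domains" / "http" keys
# (plus many others omitted here). Task id, hash and hosts are placeholders.
SAMPLE_REPORT = json.dumps({
    "info": {"id": 42, "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    "network": {
        "domains": [{"domain": "cnc.example", "ip": "198.51.100.7"},
                    {"domain": "download.windowsupdate.com", "ip": "203.0.113.9"}],
        "http": [{"host": "cnc.example", "uri": "/gate.php", "method": "POST"}],
    },
})

# Assumed allowlist: destinations every guest contacts regardless of the sample.
BENIGN_DOMAINS = {"windowsupdate.com", "msftncsi.com"}

def esc_content(value):
    """Escape the characters Suricata treats specially inside content:"...";."""
    return re.sub(r'([;\\"])', r'\\\1', value)

def is_benign(name):
    return any(name == b or name.endswith("." + b) for b in BENIGN_DOMAINS)

def callback_rules(report_json, sid_start, action="alert"):
    """One Suricata rule per callback domain / HTTP request; action="drop" makes it prevention in IPS mode."""
    report = json.loads(report_json)
    task, md5 = report["info"]["id"], report["info"]["md5"]
    rules, sid = [], sid_start
    for d in report["network"].get("domains", []):
        name = d["domain"].lower()
        if is_benign(name):
            continue
        rules.append(
            '%s dns $HOME_NET any -> any any (msg:"CALLBACK dns %s (cuckoo task %d md5 %s)"; '
            'dns_query; content:"%s"; nocase; sid:%d; rev:1;)'
            % (action, name, task, md5, esc_content(name), sid))
        sid += 1
    for h in report["network"].get("http", []):
        host = h["host"].lower()  # http_host content must be lower-case in Suricata
        if is_benign(host):
            continue
        rules.append(
            '%s http $HOME_NET any -> $EXTERNAL_NET any (msg:"CALLBACK http %s%s (cuckoo task %d)"; '
            'content:"%s"; http_host; content:"%s"; http_uri; sid:%d; rev:1;)'
            % (action, host, h["uri"], task, esc_content(host), esc_content(h["uri"]), sid))
        sid += 1
    return rules
```

Give each sensor its own sid range so rules distributed from the central database never collide.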
15. Components – Sandboxing (Anti-VM)
   • Nowadays malware comes equipped with anti-VM code to detect whether it is running inside a sandbox environment, by checking the registry, CPU flags, BIOS, file system, etc.
   • Bypassing Sandboxes For Fun: https://www.botconf.eu/bypassing-sandboxes-for-fun/
   • To defeat anti-VM malware, refer to VMCloak, VBoxAntiVMDetectHardened, etc.
   • You can try Pafish to detect whether you are running inside a virtualization / sandbox environment: https://github.com/a0rtega/pafish
16. Components – Sandboxing (Anti-VM)
   • Hardened Anti-VM Detection
17. Components – Sandboxing (Anti-VM)
   • Sandbox detection using Pafish
18. Components – SSL Decryption
   • viewssld - SSL Decryption for Network Monitoring.
   • Nowadays malware exploits SSL encryption to bypass network security detection.
   • IT security admins can enforce HTTPS / SSL interception by registering the firewall / proxy root certificate on every PC inside the organization.
   • Given the private key, viewssld can decrypt every HTTPS communication and send it to the Network IDS for malware collection & intrusion alerts.
19. Process Flow
20. Moving Forward
   • Enhancing the Cuckoo sandbox environment
   • Defeating Anti-VM / sandbox hardening
   • Exploitation detection (buffer/heap overflow, payload)
   • Produce more valuable information
   • Improve the process flow
21. Malware Research Lab (Tools)
   • Our team has also developed tools for our daily operation:
     – BotNet Checker: Botnet detection based on IP address.
     – LebahNet: Distributed Honeynet.
     – MyKotakPasir: Virtualization sandboxing.
     – AndBox: Android sandboxing.
     – ESPot: ElasticSearch Honeypot.
     – DontExploitMe: Browser-based IPS.
     – DontPhishMe: Phishing site blocker for browsers (Firefox, Chrome, Internet Explorer).
     – MyLipas: Web defacement crawler.
     – Many others.
22. Malware Research Lab (Tools)
   • BotNet Checker – http://botnet.honeynet.org.my/
23. Malware Research Lab (Tools)
   • DontPhishMe & Antiphishing.My – https://www.antiphishing.my/
24. Coordinated Malware Eradication And Remediation Project (CMERP) & CyberDEF (Detection, Eradication & Forensics)
   What is it?
   • A comprehensive solution for the detection, eradication and forensics of malware in cyberspace.
   What are the benefits?
   • Helps an organisation to strengthen and defend itself by preparing its CSIRT team with the required skills, policy and procedures in place.
   • The capability of the team is strengthened by participating in cyber exercise activities tailored for the organisation.
   • With the necessary resources and skills in place, steps and measures can be taken to eradicate the threat.
25. Contacts
   • Web: http://www.cybersecurity.my
   • Web: http://www.mycert.org.my
   • Web: www.cybersafe.my
   • Report Incident: cyber999@cybersecurity.my
26. Q&A