Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Malware Analysis Made Simple

"Malware Analysis Made Simple" from SecureWorld Expo Detroit, 11/05/2008

  • Be the first to comment

Malware Analysis Made Simple

  1. 1. Malware Analysis Made Simple SecureWorld Expo Detroit Wednesday, November 5, 2008 Paul Melson
  2. 2. Security Incident Response
  3. 3. Why Not Focus On Prevention? <ul><li>You Should! But… </li></ul><ul><li>Nothing is 100% secure, blah blah </li></ul><ul><li>When (not “if”) an incident occurs, a responsible team with a plan will: </li></ul><ul><ul><li>Respond quickly </li></ul></ul><ul><ul><li>Be thorough </li></ul></ul><ul><ul><li>Keep costs down </li></ul></ul>
  4. 4. You’re Probably Required To <ul><li>An Incident Response Plan is a requirement of: </li></ul><ul><ul><li>FISMA </li></ul></ul><ul><ul><li>HIPAA </li></ul></ul><ul><ul><li>ISO/IEC 27002 </li></ul></ul><ul><ul><li>PCI-DSS </li></ul></ul>
  5. 5. Why Do Malware Analysis In-House?
  6. 6. Malware is Number 1! Yay! <ul><li>Client-side attacks that install malware are the #1 external threat. </li></ul><ul><li>It’s not slowing down any time soon: </li></ul><ul><ul><li>“ Symantec observed an average of 61,940 active bot-infected computers per day, a 17% increase from the previous period.” </li></ul></ul><ul><ul><li>“ In the second half of 2007, 499,811 new malicious code threats were reported, a 136% increase over the first half of 2007.” </li></ul></ul><ul><ul><li>(Source: Symantec Internet Threat Report, April 2008) </li></ul></ul>
  7. 7. Malware Trends
  8. 8. Firewalls & Antivirus Have Lost <ul><li>Client-side attacks, web browsing and e-mail, go right through most firewall policies. </li></ul><ul><li>Antivirus detection rates for current malware files are averaging 30-50%. </li></ul><ul><li>If you’re not adapting some other way, you’ve lost. </li></ul>
  9. 9. Malware is Adapting Quickly <ul><li>Take away Local Admin? </li></ul><ul><ul><li>Malware that persists in non-admin accounts via HKLU Registry hive </li></ul></ul><ul><li>Whitelist apps with Windows Firewall? </li></ul><ul><ul><li>Malware that hooks into browser plugin APIs </li></ul></ul><ul><li>Block IRC at the firewall? </li></ul><ul><ul><li>Malware that uses encrypted HTTP/HTTPS back-channels </li></ul></ul>
  10. 10. “ But it’s just spyware, right?” <ul><li>Our security analysts found samples in the past 18 months that: </li></ul><ul><ul><li>Send spam or launch DDoS attacks </li></ul></ul><ul><ul><li>Give full desktop remote control </li></ul></ul><ul><ul><li>Search “Documents and Settings” for SSNs, credit cards, and saved IE passwords </li></ul></ul><ul><ul><li>Record all screen text and input and report it in near-real time to servers in Russia </li></ul></ul>
  11. 11. Detection
  12. 12. Anatomy of a Drive-By Download Dropper Malware Servers More Malware JScript Exploit
  13. 13. Log Files <ul><li>Firewall Logs </li></ul><ul><ul><li>Outbound SMTP from workstations (lots!) </li></ul></ul><ul><ul><li>Outbound IRC connections </li></ul></ul><ul><ul><li>Peer-to-peer file sharing traffic, esp. Winny </li></ul></ul><ul><ul><li>Sustained high-volume traffic from workstations </li></ul></ul><ul><li>Proxy / Web Filter Logs </li></ul><ul><ul><li>Monitor URL’s ending in “.exe” </li></ul></ul>
  14. 15. IDS/IPS Alerts <ul><li>Most products attempt to detect post-infection traffic, such as IRC or Winny C&C channels </li></ul><ul><li> for Snort, huge list of trojan/malware signatures, all free </li></ul><ul><li>If your IDS can, write some custom rules: </li></ul><ul><ul><li>Look for “.exe” downloads on ports where web filters won’t </li></ul></ul><ul><ul><li>Win32 PE headers in HTTP traffic (renamed files) </li></ul></ul><ul><ul><li>JavaScript obfuscation techniques </li></ul></ul>
  15. 16. Snort Rules <ul><ul><li>alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg: &quot;LOCAL .exe file download on port other than 80&quot;; flow:established; content: &quot;GET&quot;; depth:4; content:&quot;.exe&quot;; nocase; classtype:misc-activity; sid:9000160; rev:1;) </li></ul></ul><ul><ul><li>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:&quot;LOCAL Obfuscated JavaScript document.write&quot;; flow:from_server,established; content:&quot;document.write“; nocase; pcre:&quot;/document.write(&quot;0-9][0-9]/i&quot;; classtype:trojan-activity; sid:9000110; rev:1;) </li></ul></ul><ul><ul><li>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:&quot;LOCAL Obfuscated JavaScript unescape&quot;; flow:from_server,established; content:&quot;script>&quot;; nocase; content:&quot;unescape(&quot;; nocase; classtype:trojan-activity; sid:9000111; rev:2;) </li></ul></ul><ul><ul><li>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:&quot;LOCAL Obfuscated JavaScript eval&quot;; flow:from_server,established; content:&quot;script>&quot;; nocase; content:&quot;eval(&quot;; nocase; classtype:trojan-activity; sid:9000112; rev:2;) </li></ul></ul>
  16. 17. Antivirus?! Yes, Antivirus! <ul><li>Many droppers will install multiple pieces of malware. Your antivirus might detect 1 or 2 of them. </li></ul><ul><li>When you see AV alerts from a workstation, check proxy logs for what else was downloaded. </li></ul>
  17. 18. Analysis
  18. 19. For Starters <ul><li>VirusTotal </li></ul><ul><ul><li> </li></ul></ul><ul><li>Norman Sandbox </li></ul><ul><ul><li> </li></ul></ul><ul><li>CWSandbox </li></ul><ul><ul><li> </li></ul></ul>
  19. 21. Detecting Packed Files <ul><li>Packers are used to obfuscate malware executables from antivirus scanners. </li></ul><ul><li>PEiD </li></ul><ul><ul><li> </li></ul></ul><ul><li>pefile </li></ul><ul><ul><li> </li></ul></ul><ul><li>Jim Clausing’s </li></ul><ul><ul><li> </li></ul></ul>
  20. 22. Analyzing Binary Files <ul><li>Utilities perform deeper scans of executables to determine the likelihood that they are suspicious/malicious </li></ul><ul><li>Mandiant Red Curtain </li></ul><ul><ul><li> </li></ul></ul><ul><li>Resource Hacker </li></ul><ul><ul><li> </li></ul></ul>
  21. 24. Behavioral Analysis <ul><li>Utilities analyze system activity while malware is running to identify suspicious or malicious behavior </li></ul><ul><li>SysAnalyzer </li></ul><ul><ul><li> </li></ul></ul><ul><li>AMIR </li></ul><ul><ul><li> </li></ul></ul>
  22. 26. Network Analysis <ul><li>Analyzing network traffic can identify the presence of malware based on the connections the machine is generating. </li></ul><ul><li>SniffHit </li></ul><ul><ul><li> </li></ul></ul><ul><li>WireShark </li></ul><ul><ul><li> </li></ul></ul><ul><li>TCPView </li></ul><ul><ul><li> </li></ul></ul>
  23. 27. Analyzing System Hooks <ul><li>Analyzing system startup/execution hooks can determine if malware/rootkits are present. </li></ul><ul><li>OSAM Autorun Manager </li></ul><ul><ul><li> </li></ul></ul><ul><li>StartupCPL </li></ul><ul><ul><li> </li></ul></ul><ul><li>HiJackThis! And StartupList </li></ul><ul><ul><li> </li></ul></ul>
  24. 29. Building Toolkits
  25. 30. Response Toolkit: CD <ul><li>You could use a thumb drive, but read-only media is helpful here. </li></ul><ul><li>Trusted Shell </li></ul><ul><ul><li>Copy of Windows CMD.EXE on CD </li></ul></ul><ul><li>Behavioral Analysis: AMIR </li></ul><ul><li>Network Analysis: TCPView </li></ul><ul><li>Startup Analysis: OSAM, HiJackThis! </li></ul>
  26. 31. Analysis Toolkit: VM <ul><li>Use a VM tool that supports snapshots </li></ul><ul><li>“ Thwarting VM Detection” by Ed Skoudis </li></ul><ul><li>Packer Analysis: PEiD, </li></ul><ul><li>Behavioral Analysis: SysAnalyzer </li></ul><ul><li>Network Analysis: Wireshark on HOST </li></ul><ul><li>Binary Analysis: Mandiant Red Curtain </li></ul>
  27. 32. Prevention & Recovery
  28. 33. Prevention – Whack-a-Mole <ul><li>Add malicious web sites and file names to your web content filter rules. </li></ul><ul><li>Block malicious web site addresses with your firewall. </li></ul><ul><li>If your AV/HIPS supports it, blacklist malicious file names and hashes as you find them. </li></ul>
  29. 34. Prevention: Local Admin? <ul><li>Restricting local admin access used to work well to prevent malware from persisting on a machine. Some won’t run at all. </li></ul><ul><li>More and more malware can persist in user space via HKLU Registry and StartUp group. </li></ul><ul><li>But recovery is still easier! </li></ul><ul><li>Develop & test a procedure for renaming local user profiles in Windows to enable quick recovery from infection for non-admins. </li></ul><ul><li>Save downtime costs by not re-imaging. </li></ul>
  30. 35. Parting Shot: Best Practices <ul><li>Active monitoring by security staff. </li></ul><ul><li>Develop response procedures for malware incidents. Focus on response times. </li></ul><ul><li>Contain potential incidents first, then analyze to determine impact. </li></ul>
  31. 36. Q & A Session