Zero Day Malware Detection/Prevention Using Open Source Software

Copyright © 2015 CyberSecurity MalaysiaCopyright © 2015 CyberSecurity Malaysia
ZERO DAY MALWARE
DETECTION/PREVENTION USING
OPEN SOURCE SOFTWARE
PROOF OF CONCEPT
Malware Research
Center
MyCERT

Copyright © 2015 CyberSecurity Malaysia
Outline
• Introduction
• Motivations
• Objective
• Process Flow
• The Open Source components
• Moving Forward
2

Introduction
• Fathi Kamil Bin Mohad Zainuddin.
• Senior Analyst in Malware Research
Centre, MyCERT.
3

Introduction
• Computer security issues have emerged ever since the
Internet was introduced. Organizations and security
researchers have increased the efforts in ensuring that
security threats are detected and mitigated in a timely
manner. Today, as computer attacks tend to be malware-
centric, the cyber criminals have introduced
sophistication in their attack techniques that makes the
traditional way of protecting the enterprise with firewalls,
intrusion detection systems and antivirus software at the
network perimeter ineffective.
4

Introduction
• To produce tools or capability on 0-day malware
detection / prevention using open source software.
• There are many Open Source network security
components doing their purpose very well in the market.
• Known Open Source network security product such as
Snort, Suricata, Dionaea, Kippo, Glastopf, Ntop, Xplico,
Wireshark, etc.
• All we need is to glue them to achieve our purpose.
5

Motivations
• We have deployed LebahNet (Honeynet) previously, but
later we found out that:
– Dionaea plugins are difficult to maintain in order to follow
the vulnerability trends to get new malware binaries.
– We need an expert to maintain the plugins.
– We have done some attack simulation using Metasploit but
produced poor results. Not all vulnerability attacks
captured by Dionaea.
• Network packets contains many information which might
also include malicious documents, binaries and web
communication which are not extracted from the
network.
6

Objective
• Capture & identify the malicious documents,
binaries, and web accesses from the network
through packet capturing.
• Simulating the malicious files / webs in sandbox
environment.
• Collect known malicious information provided by
sandbox into a central database.
• Generate callback signature from sandbox result to
detect/prevent further malicious activities.
• Distribute malicious information among sensors.
7

Components – Network IDS / IPS
8
• Suricata is a high performance Network IDS, IPS and
Network Security Monitoring engine.
• Top 3 reasons:
– Highly Scalable.
– Protocol Identification.
– File Identification, MD5 Checksums, and File Extraction.
• For the purpose, Suricata can produce:
– Alert log.
– File extraction based on signature within HTTP & SMTP.
http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/
http://blog.inliniac.net/2014/11/11/smtp-file-extraction-in-suricata/
– HTTP log.

• Enabling file extraction - /etc/suricata/suricata.yml
9

• Suricata file extraction rules -
/etc/suricata/rules/files.rules
10

• File extraction output - /var/log/suricata/files/
11

• HTTP Logs
12

• Drawback - High CPU processing
• Suricata is a high performance NIDS/NIPS and utilizing all
CPU cores compared to Snort NIDS/NIPS. It will utilizing
GPU cores.
• PF_RING can be used to bypass Linux OS TCP/IP stack.
Suricata running in userspace will get direct access to the
network buffer from the network card (kernelspace) without
going through most of OS layers.
• You might want to read an article in 2012 “Suricata, to
10Gbps and beyond”
https://home.regit.org/2012/07/suricata-to-10gbps-and-
beyond/
13

Components – Sandboxing
14
• Cuckoo Sandbox is a malware analysis system.
• It produces native functions and Windows API calls
traces, copies of files created and deleted from the file
system, dump of the memory of the selected process,
full memory dump of the analysis machine, screenshots
of the desktop during the execution of the malware
analysis, network dump generated by the machine used
for the analysis.
• For the purpose, extracted files / web access from the
Suricata will be tested in simulation environment using
Cuckoo Sandbox.

Components – Sandboxing (Anti-
VM)
• Nowadays malware equipped with anti-VM code to
detect if it is running inside sandbox environment
through registry, CPU flags, BIOS, file system, etc.
• Bypassing Sandboxes For Fun
https://www.botconf.eu/bypassing-sandboxes-for-fun/
• Defeat anti-VM malware, refer VMCloak,
VBoxAntiVMDetectHardened, etc.
• You can try using Pafish to detect whether you are
running inside virtualization / sandbox environment.
https://github.com/a0rtega/pafish
15

VM)
• Hardened Anti-VM Detection
16

VM)
• Sandbox detection using Pafish
17

Components – SSL Decryption
• viewssld - SSL Decryption for Network Monitoring.
• Nowadays malware exploiting SSL encryption to bypass
network security detection.
• IT security admin can enforce HTTPS / SSL interception
by registering Firewall / Proxy root certificate for every
PC inside an organization.
• By providing private key to viewssld, it can decrypt every
HTTPS communication and send to Network IDS for
malware collection & intrusion alert.
18

Process Flow
19

Moving Forward
• Enhancing Cuckoo sandbox environment
• Defeating Anti-VM / Sandbox Hardening
• Exploitation detection (Buffer/Heap Overflow,
Payload)
• Produce more valuable information
• Improve the process flow
20

Malware Research Lab (Tools)
• Our team has also developed tools for our daily operation:
– BotNet Checker: Botnet detection based on IP address.
– LebahNet: Distributed Honeynet.
– MyKotakPasir: Virtualization sandboxing.
– AndBox: Android sandboxing.
– ESPot: ElasticSearch Honeypot.
– DontExploitMe: Browser Based IPS.
– DontPhishMe: Phishing Site Blocker for Browser (Firefox,
Chrome, Internet Explorer).
– MyLipas: Web Defacement Crawler.
– Many others.
21

• BotNet Checker –
http://botnet.honeynet.org.my/
22

• DontPhishMe & Antiphishing.My –
https://www.antiphishing.my/
23

• Coordinated Malware Eradication And Remediation Project
(CMERP) & CyberDEF (Detection, Eradication & Forensics)
What is it?
• A comprehensive solution for
detection, eradication and forensic
of malware in cyberspace
What are the benefits?
• Helps organization to strengthen
and defend their organisation by
preparing the CSIRT team with
required skill, policy and procedure
in place
• The capability of the team will be
strengthen by participating in
cyber exercise activity tailored for
the organization
• With the necessary resources and
skills in place, steps and measures
can be taken to eradicate threat
24

Contacts
• Web: http://www.cybersecurity.my
• Web: http://www.mycert.org.my
• Web: www.cybersafe.my
• Report Incident:
cyber999@cybersecurity.my
25

Zero Day Malware Detection/Prevention Using Open Source Software

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Zero Day Malware Detection/Prevention Using Open Source Software

Similar to Zero Day Malware Detection/Prevention Using Open Source Software (20)

More from MyNOG

More from MyNOG (20)

Recently uploaded

Recently uploaded (16)

Zero Day Malware Detection/Prevention Using Open Source Software