Commodity malware means YOU

Background of commodity malware and how you can learn from the past and detect the future.
MalwareArchaeology
LOG-MD

Published in: Technology

Commodity malware means YOU

  1. Commodity malware means YOU! And everybody in this room. Let’s look at one called Dridex. Michael Gough – Founder, MalwareArchaeology.com
  2. Who am I
     • Blue Team Defender Ninja, Malware Archaeologist, Logoholic
     • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
     • Creator of the “Windows Logging Cheat Sheet”, “Windows PowerShell Logging Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” and “Malware Management Framework”
     • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast
     • @HackerHurricane, also my blog MalwareArchaeology.com
  3. Goal
     • Interaction – Don’t be a Ding Dong, ask a question… you WILL be rewarded for positive synergy!
     • Learn how us Ninjas do it so you can too
     • We have a NEW Tool for YOU!!!
  4. Total Malware 2015
     • 470 Million
  5. New Malware 2015
     • 140 million
  6. The Panda Says
  7. It’s only getting worse
  8. Symantec says…
  9. Top 8 threats
     • These are what we see most
     • What all of YOU see most
     • The 20% of what AV focuses on
     • We can learn a lot from this
  10. Dridex movin’ on up – Mandiant M-Trends 2016 Report
  11. More of the same – According to CheckPoint’s ThreatCloud in 2015…
     • 3000 different malware ‘families’
     • 80% have been active for years, some for 8 years
     • Of the Top 100, which accounted for 90% of all attacks in 2015, only 3 were new, and those were outside the Top 40
     • More proof Malware Management works
  12. SANS says…
  13. Sophos Says…
     • 70% of malware is unique to 1 company (APT)
     • 80% of malware is unique to 10 or fewer (APT)
     • That means…
     • 20% of malware is what the AV industry focuses on, but it is what most of you and everyone in this room sees and gets, by:
       – Attachments in email
       – URL in email
       – Surfing the web
         • Ads
         • WordPress, Drupal, Joomla…
  14. Types of Malware – I say there are basically two types of malware:
     • Commodity malware – The 20% the AV industry focuses on
     • Advanced malware – The 80% that the AV industry does not focus on and “may” get around to IF you force them by being a client, or if they have multiple customers that receive it in a particular industry (e.g. retail PoS)
  15. Commodity malware
     • This is the stuff you and everyone in the room gets and sees; your family, friends and clients too
     • Emails, URLs, surfing
     • Most is Commodity malware
     • Pwned Ad networks
     • Some will be NEW
     • Some will be APT
  16. VirusTotal
     • Commodity malware will be detected within a few days
     • APT… not so much
     • I still have samples from 2012 that have ZERO detection ;-(
     • And I gave 12 AV companies a copy of it
     • Shows how much they care about APT
  17. Malware evolves
     • So must we
     • Darwin says so
     • Evolve or die
     • Well… Evolve or get breached anyway
     • Which means an RGE !!! – Resume Generating Event
  18. Before Dridex
     • Zeus – 2007
       – SpyEye evolved from Zeus
       – Bugat/Cridex evolved from Zeus
       – Gameover Zeus taken down 2014
     • Bugat & Cridex – 2012
     • Dridex – Late 2014
       – Generated 15,000 emails daily
     • C2 Servers taken down Dec 2015
     • Now we have Locky
  19. Locky, the next BIG thing
  20. Locky… Today and tomorrow
  21. Locky
  22. BlackEnergy
     • More Malware Management proof
  23. Ha Ha Ha Hollywood
     • Darwin said… Pay up or DIE !!!
     • Ottawa Hospital also hit
  24. DRIDEX
  25. Dridex
     • We have probably all seen one of these
     • Did I say Commodity Malware?
     • Uses Word documents that are hard for email gateways to detect
     • Yes, users have to “Enable Macroses”, but they would NEVER do that…
  26. Commodity Malware – Smarter than ever
     • In 2015 I have witnessed things with commodity malware usually reserved for APT – Because they are evolving from APT
     • More use of scripts to avoid AV detection
     • More use of PowerShell backdoors!
     • More stealthy persistence
  27. Dridex Artifacts
  28. Dridex Artifacts – .BAT
     • Do I have a network connection?
     • What language am I?
     • Set variables for the name of the .VBS script
  29. Dridex Artifacts – .VBS
     • Notice the path %temp%
     • Ah Hell…
     • Build the PowerShell script execution
  30. Dridex Artifacts – .VBS #2
  31. Dridex Artifacts #3
     • Script
     • Using math
     • Easy variants
  32. Dridex Artifacts – .PS1
     • Domains to phone home to
     • Path – %temp%
  33. Dridex Artifacts – .PS1
     • 8 + .exe – Payload name
     • 444.jpg – Stats file (pictured on the slide)
     • User Agent to emulate a browser
     • Download the files
     • Assemble the names: .vbs, .jpg, .bat, .PS1
     • Sleep 15
     • Execute the payload – cmd.exe %file%
     • Remove the files
  34. VM Aware… What do I say?
     • Use Bare Bones to do analysis
  35. Persistence
     • New method towards the end of 2015
     • Nothing in the Registry showing persistence while system was running
     • In memory only until system shutdown
     • Then we caught the bugger, with good auditing of course and
  36. Malware Management
     • Proof it works
     • If you look at Zeus, Cridex and Dridex, you are better prepared for Locky
     • Learn from History
     • Your defenses and detection MUST evolve too
     • Read the malware analysis and breach reports
     • Tweak your tools
     • Focus on new kewl hooks and artifacts
  37. How we harvested malware
     • Yay Email!!!
     • Since the primary delivery was Phishing, we were able to grab copies of the Word documents
     • Executed in the Lab
     • Grabbed the artifacts
     • Updated our Detection
     • We knew if anyone fell for it and opened them
     • We knew what to clean up
  38. How we harvested malware
     • File Copy loop in Directories discovered (batch file; run it from the directory to watch, stop with Ctrl-C):

     ```batch
     @echo off
     cls
     md Captured
     :Redo
     rem Mirror everything in the current directory into Captured:
     rem /E  include subdirectories (even empty ones)   /B  backup mode (needs backup privilege)
     rem /r:0 /w:1  no retries, 1 second wait            /np no progress output
     rem /xo  skip files that are older than the copy    /xd Captured  never recurse into the capture dir
     robocopy . Captured /E /B /r:0 /w:1 /np /xo /xd Captured
     goto Redo
     :End
     ```

     • Ninja Tip:
       – Great to do in Labs for User space AppData
  39. INTERMISSION
  40. Announcing the release of… Version 1.0 – FREE! AND $299
  41. Log and Malicious Discovery tool
     • When you run the tool, it tells you what auditing and settings to configure that it requires. LOG-MD won’t harvest anything until you configure the system!
     • Once the system and/or GPO is configured:
       1. Clear the logs
       2. Infect the system
       3. Run Log-MD
       4. Review “Report.csv” in Excel
  42. Functions
     • Audit Report of log settings compared to:
       – The “Windows Logging Cheat Sheet”
       – Center for Internet Security (CIS) Benchmarks
       – Also USGCB and AU ACSC
     • White lists to filter out the known good
       – By IP Address
       – By Process Command Line and/or Process Name
       – By File and Registry locations (requires File and Registry auditing to be set)
     • Report.csv – data from logs specific to security
  43. Purpose
     • Malware Analysis Lab
     • Investigate a suspect system
     • Audit Advanced Audit Policy settings
     • Help MOVE or PUSH security forward
     • Give the IR folks what they need, and the Feds too
     • Take a full system (File and Reg) snapshot to compare to another system and report the differences
     • Discover tricky malware artifacts
     • SPEED !
     • Deploy with anything you want: SCCM, LanDesk, PSExec, PS, etc…
     • Replace several tools we use today with one easy-to-use utility that does much more
     • To answer the question: Is this system infected or clean?
     • And do it quickly !
  44. Free Edition
     • Harvest security relevant log data
     • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
     • Perform a full File Baseline of a system
     • Compare a suspect system to a Baseline or Dir
     • Perform a full Registry snapshot of a system
     • Compare a suspect system to a Reg Baseline
     • Look for Large Registry Keys for hidden payloads
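The baseline-and-compare workflow on the Free Edition slide (file baseline, compare a suspect system to it, registry snapshot, large registry values) reduces to a few simple operations. The block below is an added illustration written for this page, not LOG-MD’s code: in-memory dicts stand in for a directory walk and a registry export, every path, file content, registry value, the vendor-update whitelist hash and the 4 KB size threshold are constructed assumptions, and the hash whitelist shows the Professional “whitelist hash compare results” idea from the next slide.

```python
"""Added example (not LOG-MD's code): a file baseline, a compare against a
suspect snapshot with a known-good hash whitelist, and a large-registry-value
check. In-memory dicts stand in for a directory walk and a registry export."""
import hashlib
from typing import Dict, FrozenSet, List, Tuple

Baseline = Dict[str, Tuple[str, int]]  # path -> (sha256, size)


def build_file_baseline(files: Dict[str, bytes]) -> Baseline:
    """Hash every file so later compares catch content changes, not just new names."""
    return {path: (hashlib.sha256(data).hexdigest(), len(data))
            for path, data in files.items()}


def compare_to_baseline(baseline: Baseline, suspect: Baseline,
                        known_good: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Report added, removed and changed paths. Files whose hash is on the
    known-good whitelist (e.g. a vetted vendor update) are dropped from the results."""
    added = [p for p in sorted(suspect)
             if p not in baseline and suspect[p][0] not in known_good]
    removed = [p for p in sorted(baseline) if p not in suspect]
    changed = [p for p in sorted(baseline)
               if p in suspect and baseline[p][0] != suspect[p][0]
               and suspect[p][0] not in known_good]
    return {"added": added, "removed": removed, "changed": changed}


def large_registry_values(reg_values: Dict[str, bytes],
                          threshold: int = 4096) -> List[Tuple[str, int]]:
    """Registry values are normally small; anything over the threshold is a
    candidate for a hidden payload and worth a manual look. Largest first."""
    hits = [(name, len(data)) for name, data in reg_values.items() if len(data) > threshold]
    return sorted(hits, key=lambda item: -item[1])


# ---- Constructed sample data (assumptions, not data from the slides) ----
CLEAN_FILES = {
    r"C:\Windows\System32\cmd.exe": b"MZ-cmd-clean",
    r"C:\Users\Bob\Documents\notes.txt": b"original notes",
    r"C:\Windows\Temp\old.log": b"stale log",
}
SUSPECT_FILES = {
    r"C:\Windows\System32\cmd.exe": b"MZ-cmd-clean",
    r"C:\Users\Bob\Documents\notes.txt": b"encrypted garbage",          # modified
    r"C:\Users\Bob\AppData\Roaming\vcwixk.exe": b"MZ-dropped-payload",  # new
    r"C:\Users\Bob\AppData\Local\Temp\14328.ps1": b"stager script",     # new
    r"C:\Program Files\Vendor\update.dll": b"vendor-signed-update",     # new, but vetted
}
# Hash whitelist: the vetted vendor update should not show up as a finding.
KNOWN_GOOD = frozenset({hashlib.sha256(b"vendor-signed-update").hexdigest()})

CONSTRUCTED_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        b"C:\\Users\\Bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    r"HKLM\SOFTWARE\Example\Settings": b"x" * 512,
    r"HKCU\Software\Example\Blob": b"A" * 65536,   # oversized value hiding a blob
}


def run_example():
    """Compare the constructed suspect snapshot to the clean baseline and scan the registry."""
    diff = compare_to_baseline(build_file_baseline(CLEAN_FILES),
                               build_file_baseline(SUSPECT_FILES), KNOWN_GOOD)
    large = large_registry_values(CONSTRUCTED_REGISTRY)
    return diff, large


if __name__ == "__main__":
    diff, large = run_example()
    for kind in ("added", "removed", "changed"):
        for path in diff[kind]:
            print(f"{kind:8} {path}")
    for name, size in large:
        print(f"LARGE    {name} ({size} bytes)")
```

On a real system the two dicts would be fed by walking the file system and exporting the hives; the compare logic stays the same, and the whitelist is what keeps the report short enough to review in Excel.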
  45. Everything the Free Edition does and…
     • More reports, breakdown of things to look for
     • Specify the Output directory
     • Harvest Sysmon logs
     • Harvest WLS Logs
     • Whitelist Hash compare results
     • Whitelist Registry compare results
     • Create a Master-Digest to exclude unique files
     • Free updates for 1 year, expect a new release every quarter
     • Manual – How to use LOG-MD Professional
  46. Future Versions – In the works!
     • WhoIs lookups of IP Addresses called
     • VirusTotal lookups of discovered files
     • Find parent-less processes
     • Assess all processes and create a Whitelist
     • Assess all services and create a Whitelist
     • VirusTotal lookups of unknown or new processes and services
     • PowerShell details
     • Other API calls to security vendors
  47. Let’s look at some LOG-MD RESULTS
  48. Crypto Event
     • C:\Users\Bob\AppData\Roaming\vcwixk.exe
     • C:\Users\Bob\AppData\Roaming\vcwpir.exe
     • C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL
     • C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
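The Functions slide describes whitelisting harvested events by IP, process name and command line, and the Crypto Event results above show what is left once the known good is filtered out: executables launched from AppData\Roaming, a cmd /c del that cleans up the dropper, and vssadmin wiping the shadow copies. The block below is an added example written for this page, not the presenter’s or LOG-MD’s code: it assumes a simple CSV layout (EventID, Time, Process, CommandLine, DestIP) that is not the real Report.csv schema, and its sample rows are constructed from the process names on the slide plus a made-up PowerShell-from-%temp% stager row (named after the Dridex .PS1 slides) and two network events with documentation-range IPs.

```python
"""Added example, not the slide author's code: whitelist process/network
events from a Report.csv-style export by IP, process name and command line,
then flag the behaviours the Crypto Event and Dridex artifact slides show."""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample rows in the column layout this example assumes (not the
# real Report.csv schema). 4688 = process creation, 5156 = allowed connection.
SAMPLE_CSV = r"""EventID,Time,Process,CommandLine,DestIP
4688,2016-03-01 09:00:01,C:\Windows\System32\svchost.exe,svchost.exe -k netsvcs,
4688,2016-03-01 09:01:12,C:\Users\Bob\AppData\Roaming\vcwixk.exe,C:\Users\Bob\AppData\Roaming\vcwixk.exe,
4688,2016-03-01 09:01:13,C:\Users\Bob\AppData\Roaming\vcwpir.exe,C:\Users\Bob\AppData\Roaming\vcwpir.exe,
4688,2016-03-01 09:01:14,C:\WINDOWS\system32\cmd.exe,C:\WINDOWS\system32\cmd.exe /c del C:\Users\Bob\AppData\Roaming\vcwixk.exe >> NUL,
4688,2016-03-01 09:01:20,C:\Windows\System32\vssadmin.exe,C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet,
4688,2016-03-01 09:02:00,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -ExecutionPolicy Bypass -File C:\Users\Bob\AppData\Local\Temp\14328.ps1,
5156,2016-03-01 09:02:05,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,,203.0.113.7
5156,2016-03-01 09:02:06,C:\Program Files\Internet Explorer\iexplore.exe,,10.0.0.5
"""

# Known-good entries (constructed). In practice these grow as vetted results
# are moved from the filtered report into the whitelist.
WHITELIST = {
    "ip": {"10.0.0.5"},                                  # e.g. the corporate proxy
    "process": {r"c:\windows\system32\svchost.exe"},     # compared case-insensitively
    "cmdline_regex": [re.compile(r"^svchost\.exe -k \w+$", re.I)],
}

# (label, CSV field to test, pattern). Order matters: the first match wins.
DETECTIONS = [
    ("vssadmin shadow copy deletion", "CommandLine",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("executable run from AppData\\Roaming", "Process",
     re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)),
    ("cmd /c del of a file under AppData (self-cleanup)", "CommandLine",
     re.compile(r"cmd\.exe\s+/c\s+del\s+.*\\AppData\\", re.I)),
    ("PowerShell script run from %temp%", "CommandLine",
     re.compile(r"powershell.*\\AppData\\Local\\Temp\\[^\\]+\.ps1", re.I)),
]


def is_whitelisted(row: Dict[str, str]) -> bool:
    """Drop the known good by destination IP, process path or command line."""
    if row["DestIP"] and row["DestIP"] in WHITELIST["ip"]:
        return True
    if row["Process"].lower() in WHITELIST["process"]:
        return True
    return any(rx.search(row["CommandLine"]) for rx in WHITELIST["cmdline_regex"])


def analyze(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (time, label, evidence) for every non-whitelisted row that matches."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_whitelisted(row):
            continue
        if row["EventID"] == "5156" and row["DestIP"]:
            # Unknown destination: the IP to push into log management to see WHO else talked to it
            findings.append((row["Time"], "connection to non-whitelisted IP", row["DestIP"]))
            continue
        for label, field, rx in DETECTIONS:
            if rx.search(row[field]):
                findings.append((row["Time"], label, row[field]))
                break
    return findings


if __name__ == "__main__":
    for time, label, evidence in analyze(SAMPLE_CSV):
        print(f"{time}  {label}: {evidence}")
```

The rules are deliberately narrow (a shadow-copy wipe, binaries in a roaming profile, a self-deleting cmd, scripts launched from the temp directory) because the whitelist, not the rule set, is what makes the report small: anything that survives both is the handful of lines worth carrying into the remediation notes and into log management.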
  49. Malicious Word Doc – DRIDEX
  50. Malicious Word Doc cont’d – More DRIDEX
  51. Use the power of Excel
     • The reports are in .CSV format
     • Excel has sorting and Filters
     • Filters are AWESOME to thin out your results
     • You might take filtered results and add them to your whitelist once vetted
     • Save to .XLS and format, color code and produce your report
     • For .TXT files use NotePad++
  52. So what do we get?
     • WHAT Processes executed
     • WHERE it executed from
     • IPs to enter into Log Management to see WHO else opened the malware
     • Details needed to remediate infection
     • Details to improve your Active Defense!
     • I did this in… 15 Minutes!
  53. Resources
     • Websites
       – Log-MD.com – The tool
     • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com
     • Malware Analysis Report links too
       – To start your Malware Management program
     • This presentation is on SlideShare – Search for MalwareArchaeology or LOG-MD
  54. Testers for RC-1
     • May 1st 2016 – launch date
     • Looking for a few good testers…
       – of LOG-MD Professional
     • Test the manual and tool and provide feedback
     • You WILL be rewarded for the effort ;-)
     • You heard it here first !
     • A gift from your local Austin Security Professionals
  55. Questions? You can find us at:
     • Log-MD.com
     • @HackerHurricane
     • @Boettcherpwned
     • MalwareArchaeology.com
     • HackerHurricane.com (blog)
     • http://www.slideshare.net – LinkedIn now
