© Copyright 2013 EMC Corporation. All rights reserved.
Introducing Intelligence
Into Your Malware Analysis
Presented by
Brian Baskin
Advisory Practice Consultant
RSA Incident Response
# whoami
• Consultant with RSA IR/D team
• Digital Forensics for 15 years
• Incident Response for 10 years
• Former Intrusions analyst – DCFL / DC3
• GhettoForensics.com
Where do we start…
• Many attack analysis methods are outdated
• Emphasis on system-by-system analysis
• Teams are broken up by specialized skills
Skill Segregation
Static Analysis
Dynamic Analysis
Network Analysis
Memory Analysis
Difficulty in Current Processes
• Skill-Based Approach vs. Indicator-Based
• Going down rabbit holes that do not help overall security posture
• You do not need to deep dive every sample!
• Difficult to segregate and emphasize critical indicators in reports
How Do You Currently Hire For This?
5+ years in the following:
C, C++, Java, .NET
X86 / ARM Assembly Bit-Level Analysis
Working knowledge of common TCP/IP protocols
Expert report-writing
Reverse engineering with IDA Pro, IDA Python, PyDbg, or OllyDbg, as well as forensic software such as EnCase, FTK, or Sleuth Kit/Autopsy
How Should We Hire For This?
3+ years in the following:
Extracting encrypted data sets through static/dynamic methods
Documenting minutiae artifacts from malware runtime
Identifying and decoding malware network protocols
The Cyber Kill Chain™
Relevance of the Cyber Kill Chain
Each chain link has indicators that can be potentially extracted or deduced from malware analysis
Use to:
• Identify Indicators
• Collect Indicators
• Reuse Indicators
Relevance of the Cyber Kill Chain
– Reconnaissance: Signs of intelligence gathering
– Weaponization: Technical exploit used in attack
– Delivery: Transfer method
– Exploitation: Vulnerability on victim system
– Installation: Entrenchment/Persistence artifacts
– Command and Control: Data collection, network beacon
– Actions: Actor-issued commands, exfil, lateral movement
Fishing for Indicators
– Reconnaissance: Carrier themes
– Weaponization: Buffer overrun, RCE, malicious Flash w/in DOCX
– Delivery: Email, Watering Hole, P2P, USB
– Exploitation: CVE-2010-3333, CVE-2012-0158, etc
– Installation: File / Registry / File artifacts
– Command and Control: DNS, HTTP beacons
– Actions: RAR archives, psexec, pwdump
Reconnaissance – Decoy Details
http://contagiodump.blogspot.com/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html
Reconnaissance – ExifTool
ExifTool Version Number      : 9.36
File Modification Date/Time  : 2010:10:08 07:15:54-04:00
File Type                    : PDF
MIME Type                    : application/pdf
PDF Version                  : 1.6
Linearized                   : Yes
Encryption                   : Standard V2.3 (128-bit)
User Access                  : Extract
Tagged PDF                   : Yes
XMP Toolkit                  : 3.1-701
Producer                     : Acrobat Distiller 8.1.0 (Windows)
Company                      : Dell Computer Corporation
Source Modified              : D:20101001111200
Creator Tool                 : Word8墁 Acrobat PDFMaker 8.1
Modify Date                  : 2010:10:08 09:35:31+09:00
Create Date                  : 2010:10:01 20:12:17+09:00
Metadata Date                : 2010:10:08 09:35:31+09:00
Document ID                  : uuid:c425871d-1bc1-4ccc-8235-ce20615daded
Instance ID                  : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32
Subject                      : 4
Format                       : application/pdf
Creator                      : Arlene Goldberg
Title                        : President Clinton Event Request Form
Page Count                   : 5
Page Layout                  : OneColumn
Author                       : Arlene Goldberg
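The metadata above is only useful as intelligence once it is pulled out of ExifTool's listing and compared field against field. The script below is an added example, not part of the talk: it parses ExifTool's default "Tag : Value" output (the slide's listing is embedded as sample input) and reduces it to the reconnaissance indicators that matter for a decoy document: who authored it, which toolchain produced it, and which UTC offset the document's own dates carry versus the offset of the analyst's file system.

```python
import re
from collections import OrderedDict

# ExifTool output from the slide, reproduced here as sample input (tag names padded
# the way ExifTool prints them; the odd "Word8墁" Creator Tool value is kept as shown)
EXIFTOOL_OUTPUT = """\
ExifTool Version Number         : 9.36
File Modification Date/Time     : 2010:10:08 07:15:54-04:00
File Type                       : PDF
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : Yes
Encryption                      : Standard V2.3 (128-bit)
User Access                     : Extract
Tagged PDF                      : Yes
XMP Toolkit                     : 3.1-701
Producer                        : Acrobat Distiller 8.1.0 (Windows)
Company                         : Dell Computer Corporation
Source Modified                 : D:20101001111200
Creator Tool                    : Word8墁 Acrobat PDFMaker 8.1
Modify Date                     : 2010:10:08 09:35:31+09:00
Create Date                     : 2010:10:01 20:12:17+09:00
Metadata Date                   : 2010:10:08 09:35:31+09:00
Document ID                     : uuid:c425871d-1bc1-4ccc-8235-ce20615daded
Instance ID                     : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32
Subject                         : 4
Format                          : application/pdf
Creator                         : Arlene Goldberg
Title                           : President Clinton Event Request Form
Page Count                      : 5
Page Layout                     : OneColumn
Author                          : Arlene Goldberg
"""

# Trailing UTC offset of an ExifTool timestamp, e.g. "+09:00"
TZ_RE = re.compile(r"([+-]\d{2}:\d{2})$")


def parse_exiftool(text):
    """Parse ExifTool's default 'Tag : Value' listing into an ordered dict.
    Only the first colon separates tag from value; timestamps keep their own colons."""
    fields = OrderedDict()
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if sep:
            fields[tag.strip()] = value.strip()
    return fields


def recon_indicators(fields):
    """Reduce the listing to the fields that describe who built the decoy and with what,
    plus the timezone offsets: the document's own dates carry the author's offset, while
    File Modification Date/Time carries the offset of the analyst's file system."""
    doc_tz = set()
    for tag in ("Create Date", "Modify Date", "Metadata Date"):
        m = TZ_RE.search(fields.get(tag, ""))
        if m:
            doc_tz.add(m.group(1))
    fs = TZ_RE.search(fields.get("File Modification Date/Time", ""))
    return {
        "author": fields.get("Author"),
        "creator": fields.get("Creator"),
        "company": fields.get("Company"),
        "creator_tool": fields.get("Creator Tool"),
        "producer": fields.get("Producer"),
        "document_id": fields.get("Document ID"),
        "document_tz": sorted(doc_tz),
        "filesystem_tz": fs.group(1) if fs else None,
        # True when the document was authored in a different offset than the one it was analysed in
        "tz_mismatch": bool(fs and doc_tz and fs.group(1) not in doc_tz),
    }


if __name__ == "__main__":
    for key, value in recon_indicators(parse_exiftool(EXIFTOOL_OUTPUT)).items():
        print(f"{key:14s} {value}")
```

Run it and the three document dates agree on +09:00 while the file on disk was touched at -04:00; the Author, Company and Creator Tool strings are the pieces to carry forward as reconnaissance indicators for correlating later decoys from the same source.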
Weaponization – Hex view of .DOC file
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000    7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73  {\rtf1{\shp{\*\s
0010    68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70  hpinst{\sp{\sn p
0020    46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31  Fragments}{\sv 1

4130    33 63 35 35 65 35 66 35 64 63 32 30 38 30 30 65  3c55e5f5dc20800e
4140    38 63 37 66 64 66 66 66 66 36 33 33 61 35 63 36  8c7fdffff633a5c6
4150    34 36 66 36 33 37 35 36 64 36 35 37 65 33 31 35  46f63756d657e315
4160    63 36 31 36 63 36 63 37 35 37 33 36 35 37 65 33  c616c6c7573657e3
4170    31 35 63 36 31 37 30 37 30 36 63 36 39 36 33 37  15c6170706c69637
4180    65 33 31 35 63 36 39 36 66 37 33 37 39 37 33 30  e315c696f7379730
4190    30 7D 7D 7D 7D 5C 61 64 65 66 6C 61 6E 67 31 30  0}}}}\adeflang10
41A0    32 35 58 58 58 58 59 59 59 59 7A 78 77 76 71 74  25XXXXYYYYzxwvqt

4620    03 02 01 00 FF FE FD FC FB FA F9 F8 F7 F6 F5 F4  ....ÿþýüûúùø÷öõô
4630    F3 F2 F1 F0 EF EE ED EC EB EA E9 E8 E7 E6 E5 E4  óòñðïîíìëêéèçæåä
4640    E3 E2 E1 E0 DF DE DD DC DB DA D9 D8 D7 D6 D5 D4  ãâáàßÞÝÜÛÚÙØ×ÖÕÔ
4650    D3 D2 D1 D0 CF CE CD CC CB CA C9 C8 C7 C6 C5 C4  ÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄ
4660    C3 C2 C1 C0 BF BE BD BC BB BA B9 B8 B7 B6 B5 B4  ÃÂÁÀ¿¾½¼»º¹¸·¶µ´
4670    B3 B2 B1 B0 AF AE AD AC AB AA A9 A8 A7 A6 A5 A4  ³²±°¯®¬«ª©¨§¦¥¤
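The hex view shows the two things an analyst fishes out of a weaponized RTF without running it: the control word that the exploit abuses (pFragments, the shape property targeted by CVE-2010-3333 exploits) and the hex-encoded data that follows it. The script below is an added example, not code from the talk or from any tool it names. It reconstructs the slide's 0x4130 to 0x4180 rows as a small RTF fragment (the bytes between offsets 0x0030 and 0x4130 are not on the slide, so a single space stands in for them), finds long runs of hex digits, decodes each run at both nibble alignments, and reports any printable strings and a hash of each decoded blob. Decoding the slide's own bytes at the odd alignment yields an 8.3-style path under the all-users application data directory, which is exactly the kind of installation artifact the "Fishing for Indicators" slide lists.

```python
import hashlib
import re

# The hex text shown in the slide's 0x4130-0x4180 rows, wrapped in the RTF control
# words from rows 0x0000-0x0020 and 0x4190 (constructed sample, see the note above).
SLIDE_HEX = (
    b"3c55e5f5dc20800e"
    b"8c7fdffff633a5c6"
    b"46f63756d657e315"
    b"c616c6c7573657e3"
    b"15c6170706c69637"
    b"e315c696f7379730"
)
SAMPLE_RTF = (
    rb"{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1 "
    + SLIDE_HEX
    + rb"0}}}}\adeflang1025"
)

# A run of 32 or more hex digits that is not part of a longer run
HEX_RUN = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,}(?![0-9A-Fa-f])")
ASCII_STRING = re.compile(rb"[\x20-\x7e]{6,}")


def decode_hex_runs(data):
    """Yield (offset_in_file, nibble_shift, decoded_bytes) for every long hex run.
    The hex data inside an RTF is not necessarily byte-aligned with the run we matched,
    so both alignments are decoded; the wrong one produces mostly non-printable noise."""
    for m in HEX_RUN.finditer(data):
        run = m.group(0)
        for shift in (0, 1):
            chunk = run[shift:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]   # drop an odd trailing nibble
            yield m.start(), shift, bytes.fromhex(chunk.decode("ascii"))


def rtf_artifacts(data):
    """Collect cheap, reusable indicators from an RTF: whether the pFragments property
    is present, printable strings hidden inside hex-encoded data, and a SHA-256 of each
    decoded blob (for the 'hashes' row of the indicator table later in the talk)."""
    result = {"pFragments": b"pFragments" in data, "strings": [], "blobs": []}
    for offset, shift, blob in decode_hex_runs(data):
        result["blobs"].append((offset, shift, hashlib.sha256(blob).hexdigest()))
        for s in ASCII_STRING.findall(blob):
            result["strings"].append(s.decode("ascii"))
    return result


if __name__ == "__main__":
    art = rtf_artifacts(SAMPLE_RTF)
    print("pFragments present:", art["pFragments"])
    print("embedded strings:", art["strings"])
    for offset, shift, digest in art["blobs"]:
        print(f"blob at 0x{offset:x} shift {shift}: sha256 {digest}")
```

On a real file, feed the whole document to rtf_artifacts(); the 32-digit threshold is low enough to catch short embedded strings but high enough to skip the four-digit language codes and similar legitimate numbers in RTF control words.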
Weaponization – ExifTool
ExifTool Version Number      : 9.36
File Modification Date/Time  : 2010:10:08 07:15:54-04:00
File Type                    : PDF
MIME Type                    : application/pdf
PDF Version                  : 1.6
Linearized                   : Yes
Encryption                   : Standard V2.3 (128-bit)
User Access                  : Extract
Tagged PDF                   : Yes
XMP Toolkit                  : 3.1-701
Producer                     : Acrobat Distiller 8.1.0 (Windows)
Company                      : Dell Computer Corporation
Source Modified              : D:20101001111200
Creator Tool                 : Word8墁 Acrobat PDFMaker 8.1
Modify Date                  : 2010:10:08 09:35:31+09:00
Create Date                  : 2010:10:01 20:12:17+09:00
Metadata Date                : 2010:10:08 09:35:31+09:00
Document ID                  : uuid:c425871d-1bc1-4ccc-8235-ce20615daded
Instance ID                  : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32
Subject                      : 4
Format                       : application/pdf
Creator                      : Arlene Goldberg
Title                        : President Clinton Event Request Form
Page Count                   : 5
Page Layout                  : OneColumn
Author                       : Arlene Goldberg
Reconnaissance / Weaponization Collection
• EXIFTool
• http://www.sno.phy.queensu.ca/~phil/exiftool/
• OfficeMalScanner / RTFscan
• http://www.reconstructer.org/code.html
• Revelo / Malzilla / PdfStreamDumper
• http://malzilla.sourceforge.net
• Cerbero PE Insider / PE Explorer
• http://icerbero.com/peinsider
• http://www.heaventools.com
• http://www.ntcore.com/exsuite.php
• Malware Tracker Doc/PDF Scanners
• https://www.malwaretracker.com
Delivery – Email Attack
http://contagiodump.blogspot.com/2011/06/may-31-cve-2010-3333-doc-q-and-adoc.html
Delivery – Watering Hole Attack
http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/
Exploitation
CVE-2014-1761 (MS14-017)
http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers
Delivery / Exploitation Collection
• VirusTotal
• https://www.virustotal.com
• Jotti
• http://virusscan.jotti.org
• URLQuery
• http://urlquery.net
• Joe Sandbox URL Analyzer
• http://www.url-analyzer.net
• YARA / SignSrch Rules
Installation
Typical domain of forensics
• File system activity
• Registry activity
• Entrenchment / Persistence
• Anti-Forensics
Installation – Collection Tools
• Noriben
• https://github.com/Rurik/Noriben
• CaptureBAT
• Cuckoo Sandbox
• Web-based:
• Anubis - https://anubis.iseclab.org
• Eureka! - http://eureka.cyber-ta.org
• Malwr - https://malwr.com
• ThreatExpert - http://www.threatexpert.com
Noriben v1.6 (Beta release)
Processes Created:
==================
[CreateProcess] Explorer.EXE:1432 > "%UserProfile%\Desktop\malware.exe" [Child PID: 2520]
[CreateProcess] malware.exe:2520 > "C:\WINDOWS\system32\cmd.exe" [Child PID: 3444]
[CreateProcess] services.exe:680 > "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" [Child PID: 3512]
File Activity:
==================
[New Folder] malware.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357
[New Folder] malware.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\L
[New Folder] malware.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\U
[CreateFile] malware.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned]
[CreateFile] malware.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46]
[New Folder] malware.exe:2520 > C:\RECYCLER\S-1-5-18
[New Folder] malware.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357
[New Folder] malware.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\L
[New Folder] malware.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\U
[CreateFile] malware.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\@ [MD5: d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned]
[CreateFile] malware.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46]
[CreateFile] services.exe:680 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\@ [MD5: d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned]
[New Folder] services.exe:680 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\U
[DeleteFile] cmd.exe:3444 %UserProfile%\Desktop\malware.exe
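A Noriben report is already close to an indicator list; what is missing is the step that turns its lines into sets you can store and reuse. The parser below is an added example written for this page, not part of Noriben itself. It consumes a subset of the report lines from the slide (embedded as sample input), splits each event into process, PID, target path and the bracketed tags Noriben appends (Child PID, MD5, YARA, VT), and then summarises hashes, YARA names, VirusTotal-flagged hashes and dropped paths. It also derives two behavioural facts directly from the slide's own lines: that a YARA rule already identified the dropped file as ZeroAccess, and that the spawned cmd.exe deleted the original sample, the anti-forensics trait listed on the Installation slide.

```python
import re

# Constructed sample: a subset of the Noriben report lines shown on the slide
NORIBEN_SAMPLE = r"""
Processes Created:
==================
[CreateProcess] Explorer.EXE:1432 > "%UserProfile%\Desktop\malware.exe" [Child PID: 2520]
[CreateProcess] malware.exe:2520 > "C:\WINDOWS\system32\cmd.exe" [Child PID: 3444]
File Activity:
==================
[New Folder] malware.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357
[CreateFile] malware.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\@ [MD5: d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned]
[CreateFile] malware.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46]
[DeleteFile] cmd.exe:3444 %UserProfile%\Desktop\malware.exe
"""

# "[Event] process:pid > target ..." ; the ">" is absent on DeleteFile lines
EVENT_RE = re.compile(r"^\[(?P<event>[^\]]+)\]\s+(?P<proc>\S+?):(?P<pid>\d+)\s+(?:>\s+)?(?P<rest>.*)$")
# Trailing "[Key: value]" annotations Noriben adds to a line
TAG_RE = re.compile(r"\[(?P<key>Child PID|MD5|YARA|VT):\s*(?P<value>[^\]]*)\]")


def parse_noriben(text):
    """One dict per event line; section headers and separators are skipped."""
    records = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = {t.group("key"): t.group("value").strip() for t in TAG_RE.finditer(rest)}
        path = TAG_RE.sub("", rest).strip().strip('"')
        records.append({"event": m.group("event"), "process": m.group("proc"),
                        "pid": int(m.group("pid")), "path": path, "tags": tags})
    return records


def summarize(records):
    """Indicator sets plus two behavioural flags: files that YARA or VirusTotal already
    identify, and a child process deleting the original sample (self-deletion)."""
    md5s, yara, vt_hits, paths = set(), set(), set(), set()
    for r in records:
        tags = r["tags"]
        if "MD5" in tags:
            md5s.add(tags["MD5"])
        if "YARA" in tags:
            yara.add(tags["YARA"])
        vt = tags.get("VT", "")
        if "/" in vt and int(vt.split("/")[0]) > 0:   # "42/46" -> 42 positives
            vt_hits.add(tags["MD5"])
        if r["event"] in ("CreateFile", "New Folder"):
            paths.add(r["path"])
    # The first CreateProcess is the sample itself; a later DeleteFile on that path is self-deletion
    sample = next((r["path"] for r in records if r["event"] == "CreateProcess"), None)
    self_delete = any(r["event"] == "DeleteFile" and r["path"] == sample for r in records)
    return {"md5": md5s, "yara": yara, "vt_detected": vt_hits, "paths": paths,
            "sample": sample, "self_delete": self_delete}


if __name__ == "__main__":
    summary = summarize(parse_noriben(NORIBEN_SAMPLE))
    for key, value in summary.items():
        print(f"{key:12s} {value}")
```

The sets returned by summarize() map directly onto the "Enumerating Indicators" slide later in the deck: hashes, file locations, and the YARA name are the reusable pieces; the self-deletion flag is a dynamic indicator worth recording alongside them.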
Command and Control (C2)
http://<DOMAIN>/kys_allow_get.asp?name=getkys.jpg&hostname=HOSTNAME-192.168.1.120130623SCRyyy
http://<DOMAIN>/web/movie.swf?apple=8A969692D8CDCDD0D0D0CCD0D0DACCD0D0D0CCD0D1D7CD958780CD96878F92CC879A87E2E2E2E2
256-byte seemingly random beacons:
00000000  F9 B5 A0 96 DE 35 E0 33 F8 BD 9C 49 E2 3E E4 EF  ùµ –Þ5à3ø½œIâ>äï
00000016  D6 FD 8D 60 03 22 A0 52 0E FC 0B C9 35 70 9A AC  Öý.`." R.ü.É5pš¬
00000032  34 16 95 67 90 CB F5 34 76 F5 DC 99 04 73 7E E2  4.•g.Ëõ4võÜ™.s~â
00000048  FB 90 45 82 65 3A AC 44 C0 EC 0A 6A E0 6E 90 B7  û.E‚e:¬DÀì.jàn.·
00000064  0D CC BF EC 5E 6B 32 6F 08 84 09 8E 46 C9 3C 48  .Ì¿ì^k2o.„.ŽFÉ<H
00000080  75 CD 21 56 0C 0B A9 E4 96 37 D9 64 93 33 D7 43  uÍ!V..©ä–7Ùd“3×C
00000096  BA E0 A1 C8 CB BB A7 4B D3 ED AF 4D 1C 28 87 FD  ºà¡ÈË»§KÓí¯M.(‡ý
00000112  65 33 97 8D 20 3D 88 B6 B5 CE 10 CA CC 4D 27 76  e3—. =ˆ¶µÎ.ÊÌM'v
00000128  63 19 63 7B ED 98 EE 0A 6A 5D 71 AC B9 10 BD C6  c.c{í˜î.j]q¬¹.½Æ
00000144  A7 9A 86 EB 17 D0 97 E7 86 D5 9A FD D4 12 27 01  §š†ë.Зç†ÕšýÔ.'.
00000160  4E 6A 20 D8 B0 55 02 E8 1C 44 9C 35 8F AC C4 0A  Nj Ø°U.è.Dœ5.¬Ä.
00000176  0A 19 70 E3 4C E6 B9 3B 6B C1 73 E2 1B C0 27 CD  ..pãLæ¹;kÁsâ.À'Í
00000192  BF 5D E8 6E 68 02 27 50 5D C6 35 EB F5 44 8C 45  ¿]ènh.'P]Æ5ëõDŒE
00000208  B7 B4 08 D6 BE B0 9E 3E F8 D8 A9 79 EC D3 19 50  ·´.Ö¾°ž>øØ©yìÓ.P
00000224  19 5F 22 BE 00 A8 36 6B FA 35 9E BF 3F 86 E1 F4  ._"¾.¨6kú5ž¿?†áô
00000240  EF CB 33 09 48 5D A8 05 8C 57 A1 CC E8 F4 6B 31  ïË3.H]¨.ŒW¡Ìèôk1
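The second URL above carries its payload in the apple= parameter as hex, and the four identical E2 bytes at its tail are the giveaway: a fixed-width field whose padding has been XOR'd with a single-byte key. The script below is an added example, not from the talk. It brute-forces all 256 single-byte keys over the slide's parameter value and ranks the results by three signals in order: every byte (ignoring trailing NULs) is printable, the tail decodes to NUL padding, and the share of letters and digits. The ordering matters: a plain printable-ratio score is not enough here, because several keys turn this sample into all-printable junk, and only the padding signal separates them from the real key.

```python
import string

# Value of the "apple=" parameter in the second beacon URL on the slide
BEACON_PARAM = bytes.fromhex(
    "8A969692D8CDCDD0D0D0CCD0D0DACCD0D0D0CCD0D1D7CD958780CD96878F92CC879A87E2E2E2E2"
)

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
ALNUM = set((string.ascii_letters + string.digits).encode())


def rank_xor_keys(data, top=3):
    """Try every single-byte key and return the top candidates as (key, plaintext body).
    Candidates are ordered by (all printable, NUL-padded tail, alphanumeric share)."""
    candidates = []
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        body = plain.rstrip(b"\x00")          # trailing NULs are padding, not garbage
        if not body:
            continue
        all_printable = all(b in PRINTABLE for b in body)
        nul_padded = len(body) < len(plain)   # the ciphertext's tail turned into NULs
        alnum = sum(b in ALNUM for b in body) / len(body)
        candidates.append(((all_printable, nul_padded, alnum), key, body))
    candidates.sort(key=lambda c: c[0], reverse=True)
    return [(key, body) for _, key, body in candidates[:top]]


def decode_beacon_param(data):
    """Best key and its decoded text; the text is the indicator to record."""
    key, body = rank_xor_keys(data, top=1)[0]
    return key, body.decode("ascii", errors="replace")


if __name__ == "__main__":
    for key, body in rank_xor_keys(BEACON_PARAM):
        print(f"key 0x{key:02X}: {body!r}")
    key, text = decode_beacon_param(BEACON_PARAM)
    print(f"best key 0x{key:02X} -> {text}")
```

The recovered key is 0xE2 and the decoded field is an HTTP download URL for an executable: a C2 indicator that the raw beacon hid behind one XOR byte, and a candidate for the "Dynamic vs static bytes" distinction on the indicator slide, since the key is static while the URL inside may change per build.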
Command and Control (C2) Identification
DeepEnd Research Library of Malware Traffic Patterns
Command and Control (C2) Collection
• WireShark
• FakeNET
• practicalmalwareanalysis.com/fakenet
• Netcat
• Known C2 Clients
• Commodity RAT / Custom RAT
• Python / Perl
• On-the-fly C2 clients
Command and Control (C2) Collection
• Configuration Dumpers (Static)
e.g. github.com/MalwareLu/config_extractor/
$ config_jRAT.py malware.jar
port=31337
os=win mac
mport=-1
perms=-1
error=true
reconsec=10
ti=false
ip=www.malware.com
pass=password
id=CAMPAIGN
mutex=false
toms=-1
per=false
name=
timeout=false
debugmsg=true
Command and Control (C2) Collection
Configuration Dumpers (Memory)
E:\VMs> vol.py -f WinXP_Malware.vmem pslist
Offset(V)  Name      PID  PPID  Start
---------- -------- ------ ------ -------------------
0x81efc550 java.exe  1920   660  2013-09-18 22:23:10
E:\VMs> vol.py -f WinXP_Malware.vmem memdump -p 1920 -D dump
Writing java.exe [ 1920] to 1920.dmp
E:\VMs> vol.py -f WinXP_Malware.vmem yarascan -p 1920 -Y "SPLIT"
Owner: Process java.exe Pid 1920
0x2abadbec  53 50 4c 49 54 03 03 03 69 70 3d 77 77 77 2e 6d   SPLIT...ip=www.m
0x2abadbfc  61 6c 77 61 72 65 2e 63 6f 6d 53 50 4c 49 54 09   alware.comSPLIT.
0x2abadc0c  09 09 09 09 09 09 09 09 70 61 73 73 3d 70 61 73   ........pass=pas
0x2abadc1c  73 77 6f 72 64 53 50 4c 49 54 0e 0e 0e 0e 0e 0e   swordSPLIT......
0x2abadc21  53 50 4c 49 54 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e   SPLIT...........
0x2abadc31  0e 0e 0e 69 64 3d 43 41 4d 50 41 49 47 4e 53 50   ...id=CAMPAIGNSP
0x2abadc41  4c 49 54 10 10 10 10 10 10 10 10 10 10 10 10 10   LIT.............
0x2abadc51  10 10 10 6d 75 74 65 78 3d 66 61 6c 73 65 53 50   ...mutex=falseSP
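The yarascan hits show the configuration sitting decrypted in the Java process: key=value fields separated by the literal SPLIT, each field preceded by pad bytes. The script below is an added example, not the talk's code or a published dumper. It reconstructs that block from the slide's hex as a constructed "memory" buffer (with unrelated bytes on either side to show that no exact offsets are needed), locates the delimiter, strips each field's padding and returns the same dictionary the static dumper on the previous slide prints. The padding rule it honours is the one visible in the dump, where every field is preceded by n bytes of value n (3x03, 9x09, 14x0E, 16x10); when that pattern does not hold it falls back to dropping any leading control bytes.

```python
import re

DELIM = b"SPLIT"

# Constructed "process memory": the config block reconstructed from the slide's yarascan
# hex, padded on both sides with bytes that must be ignored by the scan.
MEMORY = (
    b"\x00" * 8 + b"unrelated heap data" + b"\x00" * 8
    + DELIM + b"\x03" * 3 + b"ip=www.malware.com"
    + DELIM + b"\x09" * 9 + b"pass=password"
    + DELIM + b"\x0e" * 14 + b"id=CAMPAIGN"
    + DELIM + b"\x10" * 16 + b"mutex=false"
    + DELIM + b"\xff" * 8
)

# A printable key=value field at the start of a chunk
FIELD_RE = re.compile(rb"([A-Za-z_][A-Za-z0-9_]*)=([\x20-\x7e]*)")


def strip_padding(chunk):
    """Drop the pad bytes that precede a field. First try the layout seen in the slide's
    dump (n bytes of value n); otherwise strip any leading control bytes."""
    if chunk and chunk[0] < 0x20:
        n = chunk[0]
        if n and chunk[:n] == bytes([n]) * n:
            return chunk[n:]
    return chunk.lstrip(bytes(range(0x20)))


def find_config_offsets(memory):
    """Where each delimiter sits, the same offsets yarascan reports for its hits."""
    return [m.start() for m in re.finditer(re.escape(DELIM), memory)]


def extract_split_config(memory):
    """Split on the delimiter YARA matched on, clean each field and keep key=value pairs."""
    config = {}
    for raw in memory.split(DELIM)[1:]:    # bytes before the first delimiter are noise
        m = FIELD_RE.match(strip_padding(raw))
        if m:
            config[m.group(1).decode()] = m.group(2).decode()
    return config


if __name__ == "__main__":
    print("delimiter offsets:", [hex(o) for o in find_config_offsets(MEMORY)])
    for key, value in extract_split_config(MEMORY).items():
        print(f"{key}={value}")
```

On a real dump produced by the memdump command above, read the .dmp file as bytes and pass it to extract_split_config(); the ip, pass and id values are the C2 indicators to store, and the padding rule is the kind of minutia worth documenting because it identifies the builder as much as the field names do.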
Command and Control (C2) Collection
Configuration Dumpers (Memory)
http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html
Actions
Reconnaissance
• Network sweeps
Privilege Escalation
• pwdump#, mimikatz, keyloggers
Exfiltration
• Keyloggers
• Directory Listings
• Archives (rar –hp | rar –p)
Remote Execution
• psexec
Actions
Malware C2
• Decrypt/Decode Malware communications beyond a simple beacon
Requires:
• Reversing C2 code from malware
• PCAP of traffic to compromised system
• MITRE ChopShop or equivalent tool
Enumerating Indicators
• Hashes (MD5, fuzzy, imphash, …)
• File
• PE sections
• PE imports
• Entrenchment / Persistence
• File locations
• Registry keys (*\Run*, Shimcache)
• C2 communication
• Hashes, sizes
• Dynamic vs static bytes
Collecting Indicators
• Store results in database
• RTIR / CRITS
• Custom-programmed
• Per-incident data archives
• Emails, files
• Residual artifacts
• Memory dumps
• PCAPs / Proxy logs
Reusing Indicators
Do analysis once, reuse indicators
• Static Signatures
• YARA
• SignSrch / ClamSrch
• Dynamic Signatures
• CybOX/STIX/MAEC
• IOCs
• Network Signatures
• Snort
• ChopShop
Static Signatures – YARA
rule Encryption_DES_Targeted
{
    strings:
        $password1 = "asdfzxcv"
        $password2 = "1029qpwo"
        ...
        $DES_table_odd = { 01 01 02 02 04 04 07 07 08 08 11 11 13 13 }
        ...
    condition:
        any of ($password*) and all of ($DES_*)
}
Static Signatures
Write multiple signatures for each file
• Easier to catch subtle modifications
• PDB string
• Unique strings
• Encryption routines
• MATH!
Make Indicators Intelligent
Indicators are just a raw set of data
Intelligence comes through:
• Grouping indicators
• Indexing all edges (files) AND vertices (activity)
• File1 is a dropper, File2 is a driver
• File2 is a binary resource of BIN\222 in File1
• File2 is stored as encrypted (XOR by 0xBB)
• File1 drops File2
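The indexing idea above becomes concrete once the relationships are stored as a graph rather than as rows in a report. The class below is an added example written for this page, not tooling from the talk. Files, resource names, keys and similar indicators are nodes; each observed activity is a labelled, directed edge tagged with the incident it came from. Attack 1 carries the slide's four relationships (with placeholder hashes, since the slide gives none); attack 2 is a constructed second incident whose dropper and driver differ but which reuses the same resource name and XOR key, so that the pivot query has something to find. That overlap is what the "Correlate the Attacks" slide is about: the dropper hashes differ, but the technique indicators connect the two incidents.

```python
from collections import defaultdict


class IndicatorGraph:
    """Nodes are indicators; edges are (incident, subject, relation, object)."""

    def __init__(self):
        self.edges = []
        self.kind = {}                          # node -> "dropper", "driver", ...
        self.incidents_by_node = defaultdict(set)

    def label(self, node, kind):
        """Type information is an attribute, not an edge, so it never counts as a pivot."""
        self.kind[node] = kind

    def add(self, incident, subject, relation, obj):
        self.edges.append((incident, subject, relation, obj))
        self.incidents_by_node[subject].add(incident)
        self.incidents_by_node[obj].add(incident)

    def neighbours(self, node):
        """Everything directly linked to a node, with the relation and its direction."""
        out = []
        for incident, s, rel, o in self.edges:
            if s == node:
                out.append((incident, rel, o))
            elif o == node:
                out.append((incident, "inverse:" + rel, s))
        return out

    def pivots(self):
        """Nodes seen in more than one incident: the points that correlate attacks."""
        return {n: sorted(i) for n, i in self.incidents_by_node.items() if len(i) > 1}

    def correlated_incidents(self):
        """Pairs of incidents that share at least one indicator."""
        pairs = set()
        for incidents in self.incidents_by_node.values():
            inc = sorted(incidents)
            pairs.update((a, b) for a in inc for b in inc if a < b)
        return sorted(pairs)


def sample_graph():
    g = IndicatorGraph()
    f1, f2 = "file1 <md5-placeholder-1>", "file2 <md5-placeholder-2>"
    f3, f4 = "file3 <md5-placeholder-3>", "file4 <md5-placeholder-4>"
    # Attack 1: the relationships listed on the slide
    g.label(f1, "dropper")
    g.label(f2, "driver")
    g.add("attack-1", f1, "drops", f2)
    g.add("attack-1", f2, "stored_as_resource", r"BIN\222")
    g.add("attack-1", f2, "encrypted_with", "xor:0xBB")
    # Attack 2: constructed; a different dropper that reuses the resource name and key
    g.label(f3, "dropper")
    g.label(f4, "driver")
    g.add("attack-2", f3, "drops", f4)
    g.add("attack-2", f4, "stored_as_resource", r"BIN\222")
    g.add("attack-2", f4, "encrypted_with", "xor:0xBB")
    return g


if __name__ == "__main__":
    g = sample_graph()
    print("pivots:", g.pivots())
    print("correlated:", g.correlated_incidents())
```

Hash-only indicator stores would see two unrelated droppers here; the graph sees one actor's packaging habit, which is the point of indexing the activity as well as the files.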
Example: Attack 1
Example: Attack 2
Correlate the Attacks
Take-Aways
• Standardize on a signature format (YARA, IOC, STIX)
• Write as many signatures as possible for each item to track variations over time
• Try to automate, e.g. cuckoo2STIX
• Spend downtime reanalyzing old incidents with new data / intel
Take-Aways
• Use VirusTotal Intelligence
• Create feeds for YARA to find new variants
• Acknowledge the weaknesses of the Cyber Kill Chain
• Focuses on initial and holistic attack flow
• Simplistic design means everything is thrown into Actions
Questions/Comments?
Brian.Baskin@RSA.com