
Onion, not parfait: Today's security check-up and malware for the rest of us


Presentation Transcript


  1. Onion, not parfait: Today's security check-up and malware for the rest of us

     Jared DeMott, lifelong haX0r
  2. Qualified for this talk? You decide … rounded out by groups, cons, and talks like this
     - NSA: my deep dive into a whole new world - security focused
     - Booz Allen Hamilton: Level 3 consultant - reverse engineering
     - Applied Security, Inc.: GPF sprung to life
     - VDA Labs, LLC: founder - further opened the eyes of many to the effects of fuzzing
     - Defcon CTF Champion: was part of the 1@stplace team during another winning 2007 season
     - HBGary, Inc.: all but the kitchen sink guy, started working with malware
     - Author and speaker (Black Hat, Defcon, and Toorcon): Ari Takanen, Charlie Miller, and I have a book coming out very soon!
     - Ferris State University: assistant professor - focus on OS, security, programming, and more
     - Crucial Security, Inc: security researcher
  3. Layers of Security
     - Computer Science as a field is growing all the time; more and more users each year
     - Security is one such sub-field and it is growing as well
     - The layers: high level policy, technology, users, low level policy, low level technical threats
  4. High Level Policy
     - Decision making and risk management should come from above
     - Are CIOs, CSOs, etc. always qualified for this? For example, did anyone follow the DailyDave thread on AV being dead a while ago? (Sandboxing to be discussed later)
     - Need formal processes to make good decisions: business continuity, disaster recovery, data security
     - Are nation-states really our threat? For big business and government contractors … YES! (Booz Allen spear-phish that went public a bit ago.) Not so much for small to mids, schools, etc. … they worry about keeping their head above water, and hoping the network works.
  5. Technology
     - What's it good for? How has it improved our lives? I'm waiting for my RFID tag and mark of the beast
     - Who knows, but it can transform business. Just ask people in health care: technology is exploding in this field and is changing the way people are able to receive care. Just ask online sales, which didn't really exist pre-1990s
     - Usage: we need security to be sure technology is used well, or to perform the Incident Response (IR) when it's not. Yes, even though current security solutions aren't perfect
  6. Some current working attacks
     - 0day to the desktop: in 2008, client side bugs are alive and kicking!
     - The old thumb drive outside the bank trick == Rootkit
     - Insider payoff == Rootkit
     - Stealing and modifying hardware (supply chain) == Rootkit
     - Simple .exe in email: "Run this file for pics of whoever" == Rootkit. .com was one of the best I've ever received
  7. Defense
     - Can technology defend against technology? Application filtering firewall with a buffer overflow, what were we thinking there? Same for IDS, AV, Wireshark, etc.
     - Clearly we've got to rid ourselves of the buffer overflow to have a real shot at reliable computing. We're finally seeing this begin to happen; modern protections in 64 bit machines are impressive
     - But: weak passwords, sniffing, lost hardware, social engineering, hardware modified in transit
     - Defenders have to think of it all! The attacker need only find one route in
  8. Users
     - Average users: just want to do their job, play games, edit pictures of the grand kids, whatever. Need security training.
     - Power users: growing. Many users have complex needs and those annoying Vista pop-ups, personal firewall issues, etc. Just disable all that stuff, right? Need policies and training.
     - Either way, 0day to the desktop: we still can't trust our software
  9. So what's to be done?
     - Totally depends on the scope of your organization. Someone has to sit down and think about these issues, and do the best you can with available money. Ah… risk management, my favorite oxymoron
     - Also totally depends on the layer at which you work: the CIO response should differ from the software developer's, the incident responder's, or the secretary's
  10. Let's discuss some lower layer examples (more on each of these)
     - Security at the desktop is a MUST! Who knows how to do this?
     - Auditing the internal and external network policy is, at minimum, a show of due diligence. Penetration tests are great for raising internal awareness
     - Watch your website: web auditing
     - Fuzzing for security and robustness: securing software … we hope the OS will continue to get stronger as well
     - Responding to security incidents (IR): being prepared, or knowing who to call
  11. Desktop Security
     - Could we go to a thin client that doesn't save settings? Pwned on Monday, clean on Tuesday? Probably would save desktop support costs
     - AV: does it really help? Show proof.
     - DLP: does it really work? Show proof.
     - Host hardening: local policy lockdown, registry tweaks, etc. No local Admin? Looks like XP might hang on until Windows 7?
  12. Network Management
     - Wireless security: WEP, right? (not … how about WPA2 with AES)
     - Database security: talk to our British friend, Mr. Litchfield
     - Server security: lock 'em down in VLANs while you're at it
     - Failover (disaster/continuity): redundant Internet links, multiple servers, nightly backups
  13. Net Admin (cont.)
     - Network auditing: yesterday protection (not 0day). Think something like Nessus to be sure your hosts are all up-to-date
     - Is there a better way to be sure boxes are built right the first time? An imaging type solution. Allow real time updates from M$?
     - Network activity monitoring and logging: the network is hostile, can your IDS find the needle? Probably not … though anomaly detection could work on SCADA or other "quiet" networks
     - Keep good system logs anyway; this will be important again someday, when IDS finds a way to add value again
  14. Web Auditing
     - Think about all the issues we've seen: SQL injections (input sanitization is the root problem for many bug types), PHP file inclusions, old school CGI command injections, XSS, insecure permissions on pages, weak login schemes, etc.
     - Someone needs to be thinking about this for your organization: http://www.owasp.org/
  15. Fuzzing
     - Fuzzing for security and robustness, since many applications still have to be developed in C type languages (able to manually manage memory). For bonus pts, why isn't the Vista kernel dev'ed in .py?
     - Other languages could have stability issues if not exploitable overflows. A telecoms 0day == interruption of service
     - Mutation vs. generation: one is often quicker while the other tends to get better coverage. Boils down to cost. Read our book.
  16. Incident Response (IR)
     - Responding to security incidents. (How big is this onion anyway?)
     - 1st response team: the key here is handling information well
     - Disk forensics: remember when the FBI came knocking? Old-school preservation style. Snag disk. Image it. Search it. Send you to jail. Do not pass go. Do not collect $200.
     - E-discovery
     - Live memory analysis
     - Malware analysis
     - Can these actions be scaled to the enterprise? Probably, for the right price… but process is key for court.
  17. Enterprise Tools
     - You can't physically pull the disk off each workstation, can you? No, but virtually you can:
     - Agent based: push a kernel module to desired hosts via SMS or PsExec. Host code is called "the servlet" by Guidance, Inc (EnCase). Used to suck off permanent storage (hard disk data) and "live" memory (RAM)
     - Catalogs; only does full suckage when required
     - Scan disk for anomalous files: Guidance uses the bit9 database; good, bad, or unknown lots. Rate which ones look "worst"
     - Mandiant's Red Curtain is freeware … I'm surprised EnCase Enterprise doesn't have this feature
  18. E-Discovery
     - Key word searching across files, email, and even memory in some cases. Used to discover interesting data
     - An example might be searching for the text string "SECRET" on an UNCLASSIFIED network
     - Why would we do that? Litigation is the word you'll hear; the way hip lawyers roll. Indicates a search for evidence during a particular court case to support one side or the other
  19. Live Memory Analysis
     - The kernel agent can collect all or some of running memory as well
     - A tool like HBGary's Responder could be used to analyze this memory
     - Memory-only rootkits are TODAY'S threat. Good malware/rootkits may be able to avoid dirtying the disk altogether. If that's so, how are you going to detect them with your current forensic toolkit?
  20. Malware Analysis
     - This is where it gets interesting
     - So, you've found some executable code and you either don't know if it's malware, or you know it is, but aren't sure what it's doing. How can you understand what this nasty business is doing to/on your host/network?
     - Perhaps like other fields an "Art+Science", but here I think we need more science. We need a repeatable methodology that holds water in court if need be
  21. High level thoughts on Malware
     - For malware to be doing something useful (like stealing data) it's likely got to be doing some type of network comms. Will likely use a covert channel, such as DNS or HTTP. Think Command & Control to do data exfil
     - It will likely not want to be discovered. May download and install a rootkit and delete itself. Might just hide in plain sight … what's in your sys32 dir?
     - If discovered, it desires to make analysis difficult: packed, obfuscated, encrypted, jacked up in some other interesting way
  22. Malware Analysis != IR
     - So as we stated before, IR includes many steps; analyzing potential malware is just one of the steps
     - Some guys at Intel have done some cool new work addressing the IR information handling problem at large: Rapid Assessment & Potential Incident Examination Report, http://code.google.com/p/rapier
  23. My Home Grown Malware Analysis (not an exhaustive or "best" list)
     - Document how the malware was discovered
     - Get the filename(s) of the malware
     - View the file properties for kicks, though this information can easily be spoofed. Note if much file property information is included (vendor, etc.). What is the modified time? What is the file size?
     - File hash? Use the WinMD5 utility. Google for this hash, you might get lucky
     - Mandiant's freeware Red Curtain will give you a threat score guess as to whether or not the file is malicious
     - If you're not worried about sharing, you can upload to http://www.virustotal.com (multiple virus scans) or http://www.norman.com/microsites/nsic/Technology/en-us (see in a bit)
  24. Home Grown: File Inspection
     - If possible, determine how the file was created and if it includes obfuscation. Open the file in PEiD.
     - If possible, determine if the PE headers look normal. Open the file in PEView.
     - Open the file in IDA Pro. Are there any interesting strings? Are the strings visible or obfuscated? Is the code flow normal or does it start with funny decryption/unpacking routines?
     - Save further REing for later unless something really sticks out. A dynamic run trace is the next best step in understanding your malware.
  25. Home Grown: Execution
     - Prepare to execute in your test lab. Take a VM snapshot so you can roll back after execution
     - Launch Wireshark. Launch other utilities such as Process Explorer, file explorer, and Filemon if desired
     - Execute RegShot to get a baseline of the system
     - Launch the malware and note registry changes and network connections. Note whatever else interesting happens.
     - CAUTION: at this point you are probably infected with something.
     - If it's dialing out, it may be desirable to set up a fake server to play with command and control plus any data exfiltration it may have.
  26. Home Grown: Dynamic Investigation
     - Reversing the malware with Immunity Debugger, WinDbg, Responder. Yes, we're talking just about Windows here
     - Roll back to the previous snapshot
     - For Inspector: open the Wintel Node Agent Debugger in the VM; start a new Inspector project; connect to the debugger with Inspector; start the malware via Inspector; analyze the binary (may set bps); run the malware analysis plugin script to see what pops out
     - Cool freeware tools like: Malware Unpacking Framework for ImmDbg, http://muffi.googlecode.com/ by JMS
  27. Home Grown: Dynamic Investigation
     - Analyze key .dlls and set further breakpoints:
       - Ws2_32.dll and winsock.dll for network activity: WSARecvFrom, WSASendTo, etc.
       - Kernel32.dll for process manipulation and file modification: LoadLibrary, CreateProcess, FindFile, etc.
       - advapi32.dll for registry modifications: CreateNewKey, SetKeyValue, etc.
     - Execute the software to begin a runtrace. A graph will begin to appear as the software is executed
     - Could be useful to search runtrace samples for strings such as IP addresses, passwords, etc.
     - How to proceed depends on the nature of the investigation/malware … more of an Art … ooops…
  28. However, sandboxes are cool
     - A sandbox/sandnet attempts to automate the prior steps and boil down results: quicker/scales, no hardcore RE person required, repeatable (hold water in court?)
     - However, could fail if too tricky: virtualization detection and/or escape (would be a problem for a VM home grown solution too; only an air gapped net solves this); slow to use network, like 1 week after install; will only run if in, for example, the Outlook directory, etc.
     - Manual/static RE is required for complete analysis
  29. Sample Output from Norman

       [Name]: W32/Backdoor. Sig Name: Suspicious_P.gen
       [ Detection Info ]
        * Compressed: NO. TLS hooks: NO
        * Executable type: Application
        * Executable file structure: OK
       [ General information ]
        * Drops files in %WINSYS% folder.
        * File length: 237562 bytes.
       [ Changes to filesystem ]
        * Creates file C:\WINDOWS\SYSTEM32\service.exe.
        * Deletes file 256.
       [ Changes to registry ]
        * Creates key "HKLM\Software\\Microsoft\\Windows".
        * Sets value "Microsoft Update"="service.exe" in key "HKLM\Software\\Microsoft\\Windows".
        * Creates key "HKCU\Software\".
        * Sets value "Microsoft Update"="service.exe" in key "HKCU\Software\".
  30. Sample Norman Output (cont.)

       [ Network services ]
        * Looks for an Internet connection.
        * Connects to [REMOVED] on port 6667 (TCP).
        * Connects to [REMOVED]
        * IRC: Uses password [REMOVED]
        * IRC: Uses nickname [REMOVED]
        * IRC: Uses username [REMOVED]
        * IRC: Joins channel [REMOVED] with password [REMOVED]
        * IRC: Sets the usermode for user [REMOVED] to i.
       [ Process/window information ]
        * Creates a mutex By Crash.
        * Creates process "C:\WINDOWS\SYSTEM32\service.exe".
       [ Signature Scanning ]
        * C:\WINDOWS\SYSTEM32\service.exe (237562 bytes) : Suspicious_P.gen.
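Added example, not from the talk or from Norman: a Python parser for the report format on the two slides above, grouping the "*" lines under their "[ Section ]" headings and then pulling out the artifacts a responder pivots on (dropped files, registry values, outbound connections, IRC activity). The "drop a file and register it" correlation and the IRC-port check are my heuristics; the sample report is constructed from the slides, with the talk's [REMOVED] placeholders kept.

```python
import re

# Constructed sample, modelled on the two report slides above ([REMOVED] kept as in the talk).
NORMAN_REPORT = r"""
[Name]: W32/Backdoor. Sig Name: Suspicious_P.gen
[ General information ]
 * Drops files in %WINSYS% folder.
[ Changes to filesystem ]
 * Creates file C:\WINDOWS\SYSTEM32\service.exe.
[ Changes to registry ]
 * Creates key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "Microsoft Update"="service.exe" in key "HKLM\Software\\Microsoft\\Windows".
[ Network services ]
 * Connects to [REMOVED] on port 6667 (TCP).
 * IRC: Uses nickname [REMOVED]
 * IRC: Joins channel [REMOVED] with password [REMOVED]
[ Process/window information ]
 * Creates a mutex By Crash.
"""
SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
ITEM_RE = re.compile(r"^\s*\*\s*(.+?)\s*$")
FILE_RE = re.compile(r"^Creates file (.+?)\.?$")
VALUE_RE = re.compile(r'^Sets value "([^"]+)"="([^"]+)" in key "([^"]+)"')
CONN_RE = re.compile(r"^Connects to (.+?) on port (\d+) \((TCP|UDP)\)")

def parse_norman(text: str) -> dict:
    # group the " * " items under their "[ Section ]" heading; leading lines go under "header"
    report, current = {"header": []}, "header"
    for line in text.strip().splitlines():
        if m := SECTION_RE.match(line.rstrip()):
            current = m.group(1)
            report.setdefault(current, [])
        elif m := ITEM_RE.match(line):
            report[current].append(m.group(1))
        else:
            report[current].append(line.strip())
    return report

def indicators(report: dict) -> dict:
    # pull out the artifacts a responder would pivot on, then correlate drop + registry value
    out = {"dropped_files": [], "registry_values": [], "connections": [], "irc": []}
    for item in report.get("Changes to filesystem", []):
        if m := FILE_RE.match(item):
            out["dropped_files"].append(m.group(1))
    for item in report.get("Changes to registry", []):
        if m := VALUE_RE.match(item):
            out["registry_values"].append({"name": m.group(1), "data": m.group(2), "key": m.group(3)})
    for item in report.get("Network services", []):
        if m := CONN_RE.match(item):
            out["connections"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif item.startswith("IRC:"):
            out["irc"].append(item[4:].strip())
    dropped = {f.rsplit("\\", 1)[-1].lower() for f in out["dropped_files"]}
    # a dropped file named in a registry value is the classic "drop and register" persistence pattern
    out["persistence_suspected"] = any(v["data"].lower() in dropped for v in out["registry_values"])
    out["irc_c2_suspected"] = bool(out["irc"]) or any(p == 6667 for _, p, _ in out["connections"])
    return out
```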
  31. Case Study
     - Got a file called sample.exe from a friend. He wanted me to take a quick peek at it, since he thought it was ugly but no AV product he had could confirm that
     - Let's see what Norman says…
  32. Hmm… in this case Norman pooped

       sample.exe : Not detected by Sandbox (Signature: NO_VIRUS)
       [ DetectionInfo ]
        * Sandbox name: NO_MALWARE
        * Signature name: NO_VIRUS
        * Compressed: NO TLS hooks: NO
        * Executable type: Application
        * Executable file structure: OK
       [ General information ]
        * File length: 210944 bytes.
        * MD5 hash: 27f4b3938997383576137cd7036dda25.
       [ Process/window information ]
        * Attempts to open CLSID {148BD52A-A2AB-11CE-B11F-00AA00530503}.
  33. Case study: Try my home brew
     - Received a file from a friend. Name = "sample.exe"
     - File properties: not much listed. Time: looks unreliable. Size: 206KB. MD5: 27f4b3938997383576137cd7036dda25
     - Red Curtain reports that it looks malicious, as the threat score is over 1.0. See next slide.
  34. Hash and Properties: Fairly normal here
  35. Mandiant Red Curtain: >1 == badness
  36. Case Study (cont.)
     - PEiD: no build type detectable, Win32 GUI
     - PEView: looks normal
     - IDA Pro, initial interesting strings: looks like a bunch of strings are present but are unreadable statically
     - Code looks funny … a lot of moving, XORing, etc. and then a LoadLibraryA + GetProcAddress to begin with. First func from main took ~100 ints as parameters
  37. PEID and PEView
  38. IDA Pro
  39. Case Study (cont.)
     - Upon execution, RegShot noticed a bunch of changes
     - Wireshark snagged an outbound connection. Very suspect here:

       GET /upd/check?version=0.1unk&fxp=1d8af2a6eeb2863b26ca5ac162b60d5c784b0f4e5d972acacad8d535529e5ac14f14a867 HTTP/1.1
       Accept: */*
       Accept-Encoding: gzip, deflate
       User-Agent: KRSystem v1.0
       Host: upd.host-domain-lookup.com
       Connection: Keep-Alive

       HTTP/1.1 304 Not Modified
       Connection: close
       Server: Yaws/1.68 Yet Another Web Server
       Date: Wed, 30 Jan 2008 13:59:05 GMT
       Content-Length: 13
       Content-Type: text/html

       not modified
  40. Case Study (cont.)
     - Inspector: reverted to clean snapshot, started remote debugger, started new project, connected to debugger, analyzed sample (this is cool, can bypass anti-debugging and packing), analyzed .dlls, viewed strings, etc…
     - Difficult to know which API calls to hook
     - MAP script provided convoluted results
     - Run trace not trivial to apply correctly; graph unclear
     - All-in-all, not a great tool for a "first pass" look. Better for very advanced users
     - I am looking forward to their new "Responder" product, which attempts to find rootkits in running memory
  41. Inspector Screen Shot
  42. Other Sandboxes
     - Norman pooped on this one
     - CWSandbox: this one did better
     - Tried some others as well: ThreatExpert, Joebox, etc.
  43. Sample XML from CWSandbox

       <connections_outgoing>
         <connection transportprotocol="TCP" remoteaddr="66.220.17.200" remoteport="80" protocol="HTTP" connectionestablished="1" socket="1692">
           <http_data>
             <http_cmd method="GET" url="66.220.17.200/upd/check&#x3F;version=0.1unk&#x26;fxp=34725efb44b6c53a0f323af08723c7209ddec5327818c6c9ef573936c1303af0f542640b" http_version="HTTP/1.1">
               <header_data>
                 <header>Accept: &#x2A;/&#x2A;</header>
                 <header>Accept-Encoding: gzip, deflate</header>
                 <header>User-Agent: KRSystem v1.0</header>
                 <header>Host: upd.host-domain-lookup.com</header>
                 <header>Connection: Keep-Alive</header>
               </header_data>
             </http_cmd>
           </http_data>

     Small sampling of the total CW output
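Added example, not from the talk or from CWSandbox: the same check-in heuristics applied to both records of this beacon, the raw Wireshark request from the case-study slide and the CWSandbox XML just above. The XML here is a constructed, well-formed copy of the excerpt (closing tags added); the browser User-Agent allowlist and the 32-hex-character threshold for an "opaque identifier" parameter are my assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed from the Wireshark capture on the case-study slide (request side only).
RAW_REQUEST = (
    "GET /upd/check?version=0.1unk&fxp=1d8af2a6eeb2863b26ca5ac162b60d5c784b0f4e5d972acacad8d535529e5ac14f14a867 HTTP/1.1\r\n"
    "Accept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: KRSystem v1.0\r\n"
    "Host: upd.host-domain-lookup.com\r\nConnection: Keep-Alive\r\n\r\n"
)
# Constructed, well-formed version of the CWSandbox excerpt above (closing tags added).
CW_XML = """<connections_outgoing>
<connection transportprotocol="TCP" remoteaddr="66.220.17.200" remoteport="80" protocol="HTTP" connectionestablished="1" socket="1692">
<http_data><http_cmd method="GET" url="66.220.17.200/upd/check&#x3F;version=0.1unk&#x26;fxp=34725efb44b6c53a0f323af08723c7209ddec5327818c6c9ef573936c1303af0f542640b" http_version="HTTP/1.1">
<header_data><header>Accept: &#x2A;/&#x2A;</header><header>User-Agent: KRSystem v1.0</header>
<header>Host: upd.host-domain-lookup.com</header></header_data></http_cmd></http_data>
</connection></connections_outgoing>"""

def parse_raw_request(raw: str) -> dict:
    # request line plus headers, as captured on the wire
    head, *hdrs = raw.split("\r\n")
    method, target, _version = head.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in hdrs if ": " in h)
    return {"method": method, "target": target, "headers": headers}

def parse_cwsandbox(xml_text: str) -> list:
    # ElementTree decodes the &#x3F;/&#x26; entities, so the url comes back with a real ? and &
    out = []
    for conn in ET.fromstring(xml_text).iter("connection"):
        for cmd in conn.iter("http_cmd"):
            headers = dict(h.text.split(": ", 1) for h in cmd.iter("header") if h.text and ": " in h.text)
            url = cmd.get("url", "")
            target = url[url.find("/"):] if "/" in url else "/"  # strip the host prefix CW puts in front
            out.append({"method": cmd.get("method"), "target": target, "headers": headers,
                        "remote": (conn.get("remoteaddr"), int(conn.get("remoteport", "0")))})
    return out

BROWSER_UA = re.compile(r"^(Mozilla|Opera)/")    # assumption: what the desktop fleet normally sends
HEX_BLOB = re.compile(r"^[0-9a-f]{32,}$", re.I)  # assumption: 32+ hex chars is an opaque identifier

def beacon_findings(req: dict) -> list:
    # each finding is one reason the request looks like a check-in rather than browsing
    findings = []
    ua = req["headers"].get("User-Agent", "")
    if not BROWSER_UA.match(ua):
        findings.append(f"non-browser User-Agent {ua!r}")
    query = urlsplit(req["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if HEX_BLOB.match(value):
            findings.append(f"opaque {len(value)}-char hex parameter {name!r}")
    return findings
```

Both records yield the same two findings, which is the point: whichever tool captured the traffic, the host-identifier-in-a-GET pattern is what a proxy log search should key on.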
  44. New CW Look
  45. Hmm… states one of its primary actions, but I have a hunch it's worse than that. Didn't provide as much information as CWSandbox.
  46. Joebox
     - Gave some good information, but doesn't include network information, etc. yet
     - Seems to have good potential, but lacks robustness as of now
  47. Boiling down results
     - For large corps, scalability is important and sandboxes give us that. However, like anything else, they're not fail proof
     - Norman boils down the results well, but didn't work in this case
     - ThreatExpert seemed ok
     - Joebox has great potential, missing key features
     - CWSandbox did the best here IMHO. XML is busy, so the new web interface is nice. Recent work to escape CW has been made public for kiddies
  48. Summary
     - Onions smell … security can too, but we keep at it.
     - We need to find ways to stem the tide of 0days
     - We need to find ways to detect memory-only rootkits: Responder via EnCase? Or Mandiant's MIR technology?
     - Once we do, malware won't go away: insider threat, thumb drive, hacked hardware in transit, etc.
     - We'll need some sort of reliable computing help from our operating system/hardware. Hypervisor protection?
     - Monitoring, IR, and many other branches will always be important, even as roles and technology change