250 likes | 398 Views
Instant Situational Awareness: Finding Malware like a HoneyBadger. John ‘JB’ Bisaillon, CISSP Digital Scepter Corporation. Agenda. Malware capabilities and uses Malware behavior Evidence of malware infection Rootkits – special methods needed
E N D
Instant Situational Awareness: Finding Malware like a HoneyBadger John ‘JB’ Bisaillon, CISSP Digital Scepter Corporation
Agenda • Malware capabilities and uses • Malware behavior • Evidence of malware infection • Rootkits – special methods needed • Introducing a new tool that can find evidence of malware on your network in 15 seconds And plenty of demos…
About the Presenter • John ‘JB’ Bisaillon, CISSP • Sales Engineer for Digital Scepter • Previously: • Sr. Information Assurance Engineer for DoD contractor • Nationwide technical trainer of penetration testing and ‘ethical hacking’ courses
About Digital Scepter • Boutique Security-Focused Systems Integrator and Value-Added Reseller • http://digitalscepter.com
What is a HoneyBadger? • “The world’s most fearless creature” according to the Guinness Book of World Records • Going up against a nest of bees or a king cobra: “I don’t care” attitude
Malware Distribution Methods • E-Mail Attachments & Links • Web downloads for Freeware Software • Browser and E-mail Software Bugs (‘drive-by downloads’) • Physical Access/ Storage Media (CDs, USB drives) • Peer to Peer File Sharing • Network Shares • IM / IRC Chat Rooms • Usenet Newsgroups
Malware Capabilities • Remote Access / Backdoors • Password stealing & sending • Keyloggers • Surveillance • Destruction of data • Denial Of Service • Spamming • Security software detection and termination
Ultimate Purposes of Malware • Industrial espionage / Intellectual property theft • Nation-state cyber warfare • Monetary gain • Hacktivism • Just for Fun? - not so important nowadays
Finding Malware • You first need to know what it does in order to look for evidence of it. • But how do you know what a piece of malware does? • You could execute it yourself in a sandboxed environment and monitor: • New network connections • New processes • Registry changes • File system changes • Etc…
Sample Zero-Day Malware Analysis • Wildfire feature found on Palo Alto Networks firewalls
Common Behaviors We Can Look For • AutoStart methods • New listening ports • New services • Weakened OS or web browser security • New executable or dll files in Windows System directory
AutoStart Methods Modifications to any of these can cause malware to keep running after reboots: • System files (autoexec.bat, system.ini, win.ini, etc) • Registry Keys • Startup folder
BackDoor: SubSeven SubSeven is a backdoor program that enables hackers to gain full access to Windows systems through a network connection. The attacker can delete and modify files, kill running processes, start new processes, capture keystrokes, and even image the remote system’s desktop.
Advanced Trojans: Process Injection • Some trojans like Back Orifice and Beast inject their DLL process into some other running process • The result is that the trojan is harder to detect as their process doesn’t show up in Task Manager • Countermeasures: • Use a hidden process viewer like Inzider • Prevent injection using Process Guard
Advanced Trojans: Beast • Beast is a powerful trojan incorporating DLL injection • It has built-in anti-virus killing features • The client, server, and server editor are contained in one file
Port Monitoring Software • To quickly reveal what active connections are established, as well as any listening ports, use the built-in netstat command • When a suspicious port is found, use one of the following tools to map the open port to a running executable and process name or id: • Port Explorer • Fport • TCPview Beast trojan running on port 6666
Process Monitoring Software • Listing running processes and associated DLLs and attributes can help identify malicious software. • One should become familiar with standard Windows processes so that suspicious processes can be easily identified. • Beware that malware will often rename processes with the same name that existing Windows processes uses! Process Monitoring Software: • Process Viewer • Process Monitor • Process Explorer • Task Manager
RootKits The primary purpose of a rootkit is to allow an attacker unregulated and undetected access to a compromised system repeatedly. Rootkitsare used by a hacker for various reasons: • Hide a backdoor processes • Elevate process privileges • Hide files • Hide registry entries • Disable auditing and edit event logs • Redirect executable files • Hide device drivers • Hide user accounts
Windows XP Rootkit • Hides processes, files, registry entries, and network sockets
Search for Evidence Everywhere, Instantly • What if you could search for evidence not on a single machine, but for thousands of machines at the same time?